From d652e878540936e6b676189863553337fa037b98 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Apr 12 2011 14:58:28 +0000 Subject: Policy files should not be in repository --- diff --git a/policy/constraints b/policy/constraints deleted file mode 100644 index 155883b..0000000 --- a/policy/constraints +++ /dev/null @@ -1,245 +0,0 @@ - -# -# Define the constraints -# -# constrain class_set perm_set expression ; -# -# expression : ( expression ) -# | not expression -# | expression and expression -# | expression or expression -# | u1 op u2 -# | r1 role_op r2 -# | t1 op t2 -# | u1 op names -# | u2 op names -# | r1 op names -# | r2 op names -# | t1 op names -# | t2 op names -# -# op : == | != -# role_op : == | != | eq | dom | domby | incomp -# -# names : name | { name_list } -# name_list : name | name_list name -# - -define(`basic_ubac_conditions',` - ifdef(`enable_ubac',` - u1 == u2 - or u1 == system_u - or u2 == system_u - or t1 != ubac_constrained_type - or t2 != ubac_constrained_type - ') -') - -define(`basic_ubac_constraint',` - ifdef(`enable_ubac',` - constrain $1 all_$1_perms - ( - basic_ubac_conditions - ); - ') -') - -define(`exempted_ubac_constraint',` - ifdef(`enable_ubac',` - constrain $1 all_$1_perms - ( - basic_ubac_conditions - or t1 == $2 - ); - ') -') - -######################################## -# -# File rules -# - -exempted_ubac_constraint(dir, ubacfile) -exempted_ubac_constraint(file, ubacfile) -exempted_ubac_constraint(lnk_file, ubacfile) -exempted_ubac_constraint(fifo_file, ubacfile) -exempted_ubac_constraint(sock_file, ubacfile) -exempted_ubac_constraint(chr_file, ubacfile) -exempted_ubac_constraint(blk_file, ubacfile) - -# SELinux object identity change constraint: -constrain dir_file_class_set { create relabelto relabelfrom } -( - u1 == u2 - or t1 == can_change_object_identity -); - -######################################## -# -# Process rules -# - -ifdef(`enable_ubac',` - constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit } - ( - basic_ubac_conditions - or t1 == ubacproc - ); -') - -constrain process { transition noatsecure siginh rlimitinh } -( - u1 == u2 - or ( t1 == can_change_process_identity and t2 == process_user_target ) - or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) - or ( t1 == can_system_change and u2 == system_u ) - or ( t1 == process_uncond_exempt ) -); - -constrain process { transition noatsecure siginh rlimitinh } -( - r1 == r2 - or ( t1 == can_change_process_role and t2 == process_user_target ) - or ( t1 == cron_source_domain and t2 == cron_job_domain ) - or ( t1 == can_system_change and r2 == system_r ) - or ( t1 == process_uncond_exempt ) -); - -constrain process dyntransition -( - u1 == u2 and r1 == r2 -); - -# These permissions do not have ubac constraints: -# fork -# setexec -# setfscreate -# setcurrent -# execmem -# execstack -# execheap -# setkeycreate -# setsockcreate - -######################################## -# -# File descriptor rules -# - -exempted_ubac_constraint(fd, ubacfd) - -######################################## -# -# Socket rules -# - -exempted_ubac_constraint(socket, ubacsock) -exempted_ubac_constraint(tcp_socket, ubacsock) -exempted_ubac_constraint(udp_socket, ubacsock) -exempted_ubac_constraint(rawip_socket, ubacsock) -exempted_ubac_constraint(netlink_socket, ubacsock) -exempted_ubac_constraint(packet_socket, ubacsock) -exempted_ubac_constraint(key_socket, ubacsock) -exempted_ubac_constraint(unix_stream_socket, ubacsock) -exempted_ubac_constraint(unix_dgram_socket, ubacsock) -exempted_ubac_constraint(netlink_route_socket, ubacsock) -exempted_ubac_constraint(netlink_firewall_socket, ubacsock) -exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock) -exempted_ubac_constraint(netlink_nflog_socket, ubacsock) -exempted_ubac_constraint(netlink_xfrm_socket, ubacsock) -exempted_ubac_constraint(netlink_selinux_socket, ubacsock) -exempted_ubac_constraint(netlink_audit_socket, ubacsock) -exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock) -exempted_ubac_constraint(netlink_dnrt_socket, ubacsock) -exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock) -exempted_ubac_constraint(appletalk_socket, ubacsock) -exempted_ubac_constraint(dccp_socket, ubacsock) - -constrain socket_class_set { create relabelto relabelfrom } -( - u1 == u2 - or t1 == can_change_object_identity -); - -######################################## -# -# SysV IPC rules - -exempted_ubac_constraint(sem, ubacipc) -exempted_ubac_constraint(msg, ubacipc) -exempted_ubac_constraint(msgq, ubacipc) -exempted_ubac_constraint(shm, ubacipc) -exempted_ubac_constraint(ipc, ubacipc) - -######################################## -# -# SE-X Windows rules -# - -exempted_ubac_constraint(x_drawable, ubacxwin) -exempted_ubac_constraint(x_screen, ubacxwin) -exempted_ubac_constraint(x_gc, ubacxwin) -exempted_ubac_constraint(x_font, ubacxwin) -exempted_ubac_constraint(x_colormap, ubacxwin) -exempted_ubac_constraint(x_property, ubacxwin) -exempted_ubac_constraint(x_selection, ubacxwin) -exempted_ubac_constraint(x_cursor, ubacxwin) -exempted_ubac_constraint(x_client, ubacxwin) -exempted_ubac_constraint(x_device, ubacxwin) -exempted_ubac_constraint(x_server, ubacxwin) -exempted_ubac_constraint(x_extension, ubacxwin) -exempted_ubac_constraint(x_resource, ubacxwin) -exempted_ubac_constraint(x_event, ubacxwin) -exempted_ubac_constraint(x_synthetic_event, ubacxwin) -exempted_ubac_constraint(x_application_data, ubacxwin) - -######################################## -# -# D-BUS rules -# - -exempted_ubac_constraint(dbus, ubacdbus) - -######################################## -# -# Key rules -# - -exempted_ubac_constraint(key, ubackey) - -######################################## -# -# Database rules -# - -exempted_ubac_constraint(db_database, ubacdb) -exempted_ubac_constraint(db_table, ubacdb) -exempted_ubac_constraint(db_procedure, ubacdb) -exempted_ubac_constraint(db_column, ubacdb) -exempted_ubac_constraint(db_tuple, ubacdb) -exempted_ubac_constraint(db_blob, ubacdb) - - - -basic_ubac_constraint(association) -basic_ubac_constraint(peer) - - -# these classes have no UBAC restrictions -#class security -#class system -#class capability -#class memprotect -#class passwd # userspace -#class node -#class netif -#class packet -#class capability2 -#class nscd # userspace -#class context # userspace - - - -undefine(`basic_ubac_constraint') -undefine(`basic_ubac_conditions') -undefine(`exempted_ubac_constraint') diff --git a/policy/flask/Makefile b/policy/flask/Makefile deleted file mode 100644 index 17dc174..0000000 --- a/policy/flask/Makefile +++ /dev/null @@ -1,51 +0,0 @@ -PYTHON ?= python - -# flask needs to know where to export the libselinux headers. -LIBSELINUX_D ?= ../../libselinux - -# flask needs to know where to export the kernel headers. -LINUX_D ?= ../../../linux-2.6 - -ACCESS_VECTORS_F = access_vectors -INITIAL_SIDS_F = initial_sids -SECURITY_CLASSES_F = security_classes - -USER_D = userspace -KERN_D = kernel - -LIBSELINUX_INCLUDE_H = flask.h av_permissions.h -LIBSELINUX_SOURCE_H = class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h - -FLASK_H = class_to_string.h flask.h initial_sid_to_string.h -ACCESS_VECTORS_H = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h -ALL_H = $(FLASK_H) $(ACCESS_VECTORS_H) - -USER_H = $(addprefix $(USER_D)/, $(ALL_H)) -KERN_H = $(addprefix $(KERN_D)/, $(ALL_H)) - -FLASK_NOWARNINGS = --nowarnings - -all: $(USER_H) $(KERN_H) - -$(USER_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F) - mkdir -p $(USER_D) - $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(USER_D) -u $(FLASK_NOWARNINGS) - -$(KERN_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F) - mkdir -p $(KERN_D) - $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(KERN_D) -k $(FLASK_NOWARNINGS) - -tolib: all - install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_INCLUDE_H)) $(LIBSELINUX_D)/include/selinux - install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_SOURCE_H)) $(LIBSELINUX_D)/src - -tokern: all - install -m 644 $(KERN_H) $(LINUX_D)/security/selinux/include - -install: all - -relabel: - -clean: - rm -fr userspace - rm -fr kernel diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors deleted file mode 100644 index 6760c95..0000000 --- a/policy/flask/access_vectors +++ /dev/null @@ -1,818 +0,0 @@ -# -# Define common prefixes for access vectors -# -# common common_name { permission_name ... } - - -# -# Define a common prefix for file access vectors. -# - -common file -{ - ioctl - read - write - create - getattr - setattr - lock - relabelfrom - relabelto - append - unlink - link - rename - execute - swapon - quotaon - mounton -} - - -# -# Define a common prefix for socket access vectors. -# - -common socket -{ -# inherited from file - ioctl - read - write - create - getattr - setattr - lock - relabelfrom - relabelto - append -# socket-specific - bind - connect - listen - accept - getopt - setopt - shutdown - recvfrom - sendto - recv_msg - send_msg - name_bind -} - -# -# Define a common prefix for ipc access vectors. -# - -common ipc -{ - create - destroy - getattr - setattr - read - write - associate - unix_read - unix_write -} - -# -# Define a common prefix for userspace database object access vectors. -# - -common database -{ - create - drop - getattr - setattr - relabelfrom - relabelto -} - -# -# Define a common prefix for pointer and keyboard access vectors. -# - -common x_device -{ - getattr - setattr - use - read - write - getfocus - setfocus - bell - force_cursor - freeze - grab - manage - list_property - get_property - set_property - add - remove - create - destroy -} - -# -# Define the access vectors. -# -# class class_name [ inherits common_name ] { permission_name ... } - - -# -# Define the access vector interpretation for file-related objects. -# - -class filesystem -{ - mount - remount - unmount - getattr - relabelfrom - relabelto - transition - associate - quotamod - quotaget -} - -class dir -inherits file -{ - add_name - remove_name - reparent - search - rmdir - open -} - -class file -inherits file -{ - execute_no_trans - entrypoint - execmod - open -} - -class lnk_file -inherits file - -class chr_file -inherits file -{ - execute_no_trans - entrypoint - execmod - open -} - -class blk_file -inherits file -{ - open -} - -class sock_file -inherits file -{ - open -} - -class fifo_file -inherits file -{ - open -} - -class fd -{ - use -} - - -# -# Define the access vector interpretation for network-related objects. -# - -class socket -inherits socket - -class tcp_socket -inherits socket -{ - connectto - newconn - acceptfrom - node_bind - name_connect -} - -class udp_socket -inherits socket -{ - node_bind -} - -class rawip_socket -inherits socket -{ - node_bind -} - -class node -{ - tcp_recv - tcp_send - udp_recv - udp_send - rawip_recv - rawip_send - enforce_dest - dccp_recv - dccp_send - recvfrom - sendto -} - -class netif -{ - tcp_recv - tcp_send - udp_recv - udp_send - rawip_recv - rawip_send - dccp_recv - dccp_send - ingress - egress -} - -class netlink_socket -inherits socket - -class packet_socket -inherits socket - -class key_socket -inherits socket - -class unix_stream_socket -inherits socket -{ - connectto - newconn - acceptfrom -} - -class unix_dgram_socket -inherits socket - -# -# Define the access vector interpretation for process-related objects -# - -class process -{ - fork - transition - sigchld # commonly granted from child to parent - sigkill # cannot be caught or ignored - sigstop # cannot be caught or ignored - signull # for kill(pid, 0) - signal # all other signals - ptrace - getsched - setsched - getsession - getpgid - setpgid - getcap - setcap - share - getattr - setexec - setfscreate - noatsecure - siginh - setrlimit - rlimitinh - dyntransition - setcurrent - execmem - execstack - execheap - setkeycreate - setsockcreate -} - - -# -# Define the access vector interpretation for ipc-related objects -# - -class ipc -inherits ipc - -class sem -inherits ipc - -class msgq -inherits ipc -{ - enqueue -} - -class msg -{ - send - receive -} - -class shm -inherits ipc -{ - lock -} - - -# -# Define the access vector interpretation for the security server. -# - -class security -{ - compute_av - compute_create - compute_member - check_context - load_policy - compute_relabel - compute_user - setenforce # was avc_toggle in system class - setbool - setsecparam - setcheckreqprot -} - - -# -# Define the access vector interpretation for system operations. -# - -class system -{ - ipc_info - syslog_read - syslog_mod - syslog_console - module_request -} - -# -# Define the access vector interpretation for controling capabilies -# - -class capability -{ - # The capabilities are defined in include/linux/capability.h - # Capabilities >= 32 are defined in the capability2 class. - # Care should be taken to ensure that these are consistent with - # those definitions. (Order matters) - - chown - dac_override - dac_read_search - fowner - fsetid - kill - setgid - setuid - setpcap - linux_immutable - net_bind_service - net_broadcast - net_admin - net_raw - ipc_lock - ipc_owner - sys_module - sys_rawio - sys_chroot - sys_ptrace - sys_pacct - sys_admin - sys_boot - sys_nice - sys_resource - sys_time - sys_tty_config - mknod - lease - audit_write - audit_control - setfcap -} - -class capability2 -{ - mac_override # unused by SELinux - mac_admin # unused by SELinux -} - -# -# Define the access vector interpretation for controlling -# changes to passwd information. -# -class passwd -{ - passwd # change another user passwd - chfn # change another user finger info - chsh # change another user shell - rootok # pam_rootok check (skip auth) - crontab # crontab on another user -} - -# -# SE-X Windows stuff -# -class x_drawable -{ - create - destroy - read - write - blend - getattr - setattr - list_child - add_child - remove_child - list_property - get_property - set_property - manage - override - show - hide - send - receive -} - -class x_screen -{ - getattr - setattr - hide_cursor - show_cursor - saver_getattr - saver_setattr - saver_hide - saver_show -} - -class x_gc -{ - create - destroy - getattr - setattr - use -} - -class x_font -{ - create - destroy - getattr - add_glyph - remove_glyph - use -} - -class x_colormap -{ - create - destroy - read - write - getattr - add_color - remove_color - install - uninstall - use -} - -class x_property -{ - create - destroy - read - write - append - getattr - setattr -} - -class x_selection -{ - read - write - getattr - setattr -} - -class x_cursor -{ - create - destroy - read - write - getattr - setattr - use -} - -class x_client -{ - destroy - getattr - setattr - manage -} - -class x_device -inherits x_device - -class x_server -{ - getattr - setattr - record - debug - grab - manage -} - -class x_extension -{ - query - use -} - -class x_resource -{ - read - write -} - -class x_event -{ - send - receive -} - -class x_synthetic_event -{ - send - receive -} - -# -# Extended Netlink classes -# -class netlink_route_socket -inherits socket -{ - nlmsg_read - nlmsg_write -} - -class netlink_firewall_socket -inherits socket -{ - nlmsg_read - nlmsg_write -} - -class netlink_tcpdiag_socket -inherits socket -{ - nlmsg_read - nlmsg_write -} - -class netlink_nflog_socket -inherits socket - -class netlink_xfrm_socket -inherits socket -{ - nlmsg_read - nlmsg_write -} - -class netlink_selinux_socket -inherits socket - -class netlink_audit_socket -inherits socket -{ - nlmsg_read - nlmsg_write - nlmsg_relay - nlmsg_readpriv - nlmsg_tty_audit -} - -class netlink_ip6fw_socket -inherits socket -{ - nlmsg_read - nlmsg_write -} - -class netlink_dnrt_socket -inherits socket - -# Define the access vector interpretation for controlling -# access and communication through the D-BUS messaging -# system. -# -class dbus -{ - acquire_svc - send_msg -} - -# Define the access vector interpretation for controlling -# access through the name service cache daemon (nscd). -# -class nscd -{ - getpwd - getgrp - gethost - getstat - admin - shmempwd - shmemgrp - shmemhost - getserv - shmemserv -} - -# Define the access vector interpretation for controlling -# access to IPSec network data by association -# -class association -{ - sendto - recvfrom - setcontext - polmatch -} - -# Updated Netlink class for KOBJECT_UEVENT family. -class netlink_kobject_uevent_socket -inherits socket - -class appletalk_socket -inherits socket - -class packet -{ - send - recv - relabelto - flow_in # deprecated - flow_out # deprecated - forward_in - forward_out -} - -class key -{ - view - read - write - search - link - setattr - create -} - -class context -{ - translate - contains -} - -class dccp_socket -inherits socket -{ - node_bind - name_connect -} - -class memprotect -{ - mmap_zero -} - -class db_database -inherits database -{ - access - install_module - load_module - get_param # deprecated - set_param # deprecated -} - -class db_table -inherits database -{ - use # deprecated - select - update - insert - delete - lock -} - -class db_procedure -inherits database -{ - execute - entrypoint - install -} - -class db_column -inherits database -{ - use # deprecated - select - update - insert -} - -class db_tuple -{ - relabelfrom - relabelto - use # deprecated - select - update - insert - delete -} - -class db_blob -inherits database -{ - read - write - import - export -} - -# network peer labels -class peer -{ - recv -} - -class x_application_data -{ - paste - paste_after_confirm - copy -} - -class kernel_service -{ - use_as_override - create_files_as -} - -class tun_socket -inherits socket - -class x_pointer -inherits x_device - -class x_keyboard -inherits x_device diff --git a/policy/flask/flask.py b/policy/flask/flask.py deleted file mode 100644 index 8b4be50..0000000 --- a/policy/flask/flask.py +++ /dev/null @@ -1,536 +0,0 @@ -#!/usr/bin/python -E -# -# Author(s): Caleb Case -# -# Adapted from the bash/awk scripts mkflask.sh and mkaccess_vector.sh -# - -import getopt -import os -import sys -import re - -class ParseError(Exception): - def __init__(self, type, file, line): - self.type = type - self.file = file - self.line = line - def __str__(self): - typeS = self.type - if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type] - return "Parse Error: Unexpected %s on line %d of %s." % (typeS, self.line, self.file) - -class DuplicateError(Exception): - def __init__(self, type, file, line, symbol): - self.type = type - self.file = file - self.line = line - self.symbol = symbol - def __str__(self): - typeS = self.type - if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type] - return "Duplicate Error: Duplicate %s '%s' on line %d of %s." % (typeS, self.symbol, self.line, self.file) - -class UndefinedError(Exception): - def __init__(self, type, file, line, symbol): - self.type = type - self.file = file - self.line = line - self.symbol = symbol - def __str__(self): - typeS = self.type - if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type] - return "Undefined Error: %s '%s' is not defined but used on line %d of %s." % (typeS, self.symbol, self.line, self.file) - -class UnusedError(Exception): - def __init__(self, info): - self.info = info - def __str__(self): - return "Unused Error: %s" % self.info - -class Flask: - ''' - FLASK container class with utilities for parsing definition - files and creating c header files. - ''' - - #Constants used in definitions parsing. - WHITE = re.compile(r'^\s*$') - COMMENT = re.compile(r'^\s*#') - USERFLAG = re.compile(r'# userspace') - CLASS = re.compile(r'^class (?P\w+)') - COMMON = re.compile(r'^common (?P\w+)') - INHERITS = re.compile(r'^inherits (?P\w+)') - OPENB = re.compile(r'^{') - VECTOR = re.compile(r'^\s*(?P\w+)') - CLOSEB = re.compile(r'^}') - SID = re.compile(r'^sid (?P\w+)') - EOF = "end of file" - - #Constants used in header generation. - USERSPACE = 0 - KERNEL = 1 - - CONSTANT_S = { \ - #parsing constants - WHITE : "whitespace", \ - COMMENT : "comment", \ - USERFLAG : "userspace flag", \ - CLASS : "class definition", \ - COMMON : "common definition", \ - INHERITS : "inherits definition", \ - OPENB : "'{'", \ - VECTOR : "access vector definition", \ - CLOSEB : "'}'", \ - SID : "security identifier", \ - EOF : "end of file", \ - #generation constants - USERSPACE : "userspace mode", \ - KERNEL : "kernel mode", \ - } - - def __init__(self, warn = True): - self.WARN = warn - self.autogen = "/* This file is automatically generated. Do not edit. */\n" - self.commons = [] - self.user_commons = [] - self.common = {} - self.classes = [] - self.vectors = [] - self.vector = {} - self.userspace = {} - self.sids = [] - self.inherits = {} - - def warning(self, msg): - ''' - Prints a warning message out to stderr if warnings are enabled. - ''' - if self.WARN: sys.stderr.write("Warning: %s\n" % msg) - - def parseClasses(self, path): - ''' - Parses security class definitions from the given path. - ''' - classes = [] - input = open(path, 'r') - - number = 0 - for line in input: - number += 1 - m = self.COMMENT.search(line) - if m: continue - - m = self.WHITE.search(line) - if m: continue - - m = self.CLASS.search(line) - if m: - g = m.groupdict() - c = g['name'] - if c in classes: raise DuplicateError, (self.CLASS, path, number, c) - classes.append(c) - if self.USERFLAG.search(line): - self.userspace[c] = True - else: - self.userspace[c] = False - continue - - raise ParseError, ("data. Was expecting either a comment, whitespace, or class definition. ", path, number) - - self.classes = classes - return classes - - def parseSids(self, path): - ''' - Parses initial SID definitions from the given path. - ''' - - sids = [] - input = open(path, 'r') - for line in input: - m = self.COMMENT.search(line) - if m: continue - - m = self.WHITE.search(line) - if m: continue - - m = self.SID.search(line) - if m: - g = m.groupdict() - s = g['name'] - if s in sids: raise DuplicateError, (self.SID, path, number, s) - sids.append(s) - continue - - raise ParseError, ("data. Was expecting either a comment, whitespace, or security identifier. ", path, number) - - self.sids = sids - return sids - - def parseVectors(self, path): - ''' - Parses access vector definitions from the given path. - ''' - vectors = [] - vector = {} - commons = [] - common = {} - inherits = {} - user_commons = {} - input = open(path, 'r') - - # states - NONE = 0 - COMMON = 1 - CLASS = 2 - INHERIT = 3 - OPEN = 4 - - state = NONE - state2 = NONE - number = 0 - for line in input: - number += 1 - m = self.COMMENT.search(line) - if m: continue - - m = self.WHITE.search(line) - if m: - if state == INHERIT: - state = NONE - continue - - m = self.COMMON.search(line) - if m: - if state != NONE: raise ParseError, (self.COMMON, path, number) - g = m.groupdict() - c = g['name'] - if c in commons: raise DuplicateError, (self.COMMON, path, number, c) - commons.append(c) - common[c] = [] - user_commons[c] = True - state = COMMON - continue - - m = self.CLASS.search(line) - if m: - if state != NONE: raise ParseError, (self.CLASS, number) - g = m.groupdict() - c = g['name'] - if c in vectors: raise DuplicateError, (self.CLASS, path, number, c) - if c not in self.classes: raise UndefinedError, (self.CLASS, path, number, c) - vectors.append(c) - vector[c] = [] - state = CLASS - continue - - m = self.INHERITS.search(line) - if m: - if state != CLASS: raise ParseError, (self.INHERITS, number) - g = m.groupdict() - i = g['name'] - if c in inherits: raise DuplicateError, (self.INHERITS, path, number, c) - if i not in common: raise UndefinedError, (self.COMMON, path, number, i) - inherits[c] = i - state = INHERIT - if not self.userspace[c]: user_commons[i] = False - continue - - m = self.OPENB.search(line) - if m: - if (state != CLASS \ - and state != INHERIT \ - and state != COMMON) \ - or state2 != NONE: - raise ParseError, (self.OPENB, path, number) - state2 = OPEN - continue - - m = self.VECTOR.search(line) - if m: - if state2 != OPEN: raise ParseError, (self.VECTOR, path, number) - g = m.groupdict() - v = g['name'] - if state == CLASS or state == INHERIT: - if v in vector[c]: raise DuplicateError, (self.VECTOR, path, number, v) - vector[c].append(v) - elif state == COMMON: - if v in common[c]: raise DuplicateError, (self.VECTOR, path, number, v) - common[c].append(v) - continue - - m = self.CLOSEB.search(line) - if m: - if state2 != OPEN: raise ParseError, (self.CLOSEB, path, number) - state = NONE - state2 = NONE - c = None - continue - - raise ParseError, ("data", path, number) - - if state != NONE and state2 != NONE: raise ParseError, (self.EOF, path, number) - - cvdiff = set(self.classes) - set(vectors) - if cvdiff: raise UnusedError, "Not all security classes were used in access vectors: %s" % cvdiff # the inverse of this will be caught as an undefined class error - - self.commons = commons - self.user_commons = user_commons - self.common = common - self.vectors = vectors - self.vector = vector - self.inherits = inherits - return vector - - def createHeaders(self, path, mode = USERSPACE): - ''' - Creates the C header files in the specified MODE and outputs - them to give PATH. - ''' - headers = { \ - 'av_inherit.h' : self.createAvInheritH(mode), \ - 'av_perm_to_string.h' : self.createAvPermToStringH(mode), \ - 'av_permissions.h' : self.createAvPermissionsH(mode), \ - 'class_to_string.h' : self.createClassToStringH(mode), \ - 'common_perm_to_string.h' : self.createCommonPermToStringH(mode), \ - 'flask.h' : self.createFlaskH(mode), \ - 'initial_sid_to_string.h' : self.createInitialSidToStringH(mode) \ - } - - for key, value in headers.items(): - of = open(os.path.join(path, key), 'w') - of.writelines(value) - of.close() - - def createUL(self, count): - fields = [1, 2, 4, 8] - return "0x%08xUL" % (fields[count % 4] << 4 * (count / 4)) - - def createAvInheritH(self, mode = USERSPACE): - ''' - ''' - results = [] - results.append(self.autogen) - for c in self.vectors: - if self.inherits.has_key(c): - i = self.inherits[c] - count = len(self.common[i]) - if not (mode == self.KERNEL and self.userspace[c]): - results.append(" S_(SECCLASS_%s, %s, %s)\n" % (c.upper(), i, self.createUL(count))) - return results - - def createAvPermToStringH(self, mode = USERSPACE): - ''' - ''' - results = [] - results.append(self.autogen) - for c in self.vectors: - for p in self.vector[c]: - if not (mode == self.KERNEL and self.userspace[c]): - results.append(" S_(SECCLASS_%s, %s__%s, \"%s\")\n" % (c.upper(), c.upper(), p.upper(), p)) - - return results - - def createAvPermissionsH(self, mode = USERSPACE): - ''' - ''' - results = [] - results.append(self.autogen) - - width = 57 - count = 0 - for common in self.commons: - count = 0 - shift = 0 - for p in self.common[common]: - if not (mode == self.KERNEL and self.user_commons[common]): - columnA = "#define COMMON_%s__%s " % (common.upper(), p.upper()) - columnA += "".join([" " for i in range(width - len(columnA))]) - results.append("%s%s\n" % (columnA, self.createUL(count))) - count += 1 - - width = 50 # broken for old tools whitespace - for c in self.vectors: - count = 0 - - ps = [] - if self.inherits.has_key(c): - ps += self.common[self.inherits[c]] - ps += self.vector[c] - for p in ps: - columnA = "#define %s__%s " % (c.upper(), p.upper()) - columnA += "".join([" " for i in range(width - len(columnA))]) - if not (mode == self.KERNEL and self.userspace[c]): - results.append("%s%s\n" % (columnA, self.createUL(count))) - count += 1 - - return results - - def createClassToStringH(self, mode = USERSPACE): - ''' - ''' - results = [] - results.append(self.autogen) - results.append("/*\n * Security object class definitions\n */\n") - - if mode == self.KERNEL: - results.append(" S_(NULL)\n") - else: - results.append(" S_(\"null\")\n") - - for c in self.classes: - if mode == self.KERNEL and self.userspace[c]: - results.append(" S_(NULL)\n") - else: - results.append(" S_(\"%s\")\n" % c) - return results - - def createCommonPermToStringH(self, mode = USERSPACE): - ''' - ''' - results = [] - results.append(self.autogen) - for common in self.commons: - if not (mode == self.KERNEL and self.user_commons[common]): - results.append("TB_(common_%s_perm_to_string)\n" % common) - for p in self.common[common]: - results.append(" S_(\"%s\")\n" % p) - results.append("TE_(common_%s_perm_to_string)\n\n" % common) - return results - - def createFlaskH(self, mode = USERSPACE): - ''' - ''' - results = [] - results.append(self.autogen) - results.append("#ifndef _SELINUX_FLASK_H_\n") - results.append("#define _SELINUX_FLASK_H_\n") - results.append("\n") - results.append("/*\n") - results.append(" * Security object class definitions\n") - results.append(" */\n") - - count = 0 - width = 57 - for c in self.classes: - count += 1 - columnA = "#define SECCLASS_%s " % c.upper() - columnA += "".join([" " for i in range(width - len(columnA))]) - if not (mode == self.KERNEL and self.userspace[c]): - results.append("%s%d\n" % (columnA, count)) - - results.append("\n") - results.append("/*\n") - results.append(" * Security identifier indices for initial entities\n") - results.append(" */\n") - - count = 0 - width = 56 # broken for old tools whitespace - for s in self.sids: - count += 1 - columnA = "#define SECINITSID_%s " % s.upper() - columnA += "".join([" " for i in range(width - len(columnA))]) - results.append("%s%d\n" % (columnA, count)) - - results.append("\n") - columnA = "#define SECINITSID_NUM " - columnA += "".join([" " for i in range(width - len(columnA))]) - results.append("%s%d\n" % (columnA, count)) - - results.append("\n") - results.append("#endif\n") - return results - - - - def createInitialSidToStringH(self, mode = USERSPACE): - ''' - ''' - results = [] - results.append(self.autogen) - results.append("static char *initial_sid_to_string[] =\n") - results.append("{\n") - results.append(" \"null\",\n") - for s in self.sids: - results.append(" \"%s\",\n" % s) - results.append("};\n") - results.append("\n") - - return results - -def usage(): - ''' - Returns the usage string. - ''' - usage = 'Usage: %s -a ACCESS_VECTORS -i INITIAL_SIDS -s SECURITY_CLASSES -o OUTPUT_DIRECTORY -k|-u [-w]\n' % os.path.basename(sys.argv[0]) - usage += '\n' - usage += ' -a --access_vectors\taccess vector definitions\n' - usage += ' -i --initial_sids\tinitial sid definitions\n' - usage += ' -s --security_classes\tsecurity class definitions\n' - usage += ' -o --output\toutput directory for generated files\n' - usage += ' -k --kernel\toutput mode set to kernel (kernel headers contain empty blocks for all classes specified with # userspace in the security_classes file)\n' - usage += ' -u --user\toutput mode set to userspace\n' - usage += ' -w --nowarnings\tsupresses output of warning messages\n' - return usage - -########## MAIN ########## -if __name__ == '__main__': - - # Parse command line args - try: - opts, args = getopt.getopt(sys.argv[1:], 'a:i:s:o:kuwh', ['access_vectors=', 'initial_sids=', 'security_classes=', 'output=', 'kernel', 'user', 'nowarnings', 'help']) - except getopt.GetoptError: - print(usage()) - sys.exit(2) - - avec = None - isid = None - secc = None - outd = None - mode = None - warn = True - for o, a in opts: - if o in ('-h', '--help'): - print(usage()) - sys.exit(0) - elif o in ('-a', '--access_vectors'): - avec = a - elif o in ('-i', '--initial_sids'): - isid = a - elif o in ('-s', '--security_classes'): - secc = a - elif o in ('-o', '--output'): - outd = a - elif o in ('-k', '--kernel'): - if mode != None: - print(usage()) - sys.exit(2) - mode = Flask.KERNEL - elif o in ('-u', '--user'): - if mode != None: - print(usage()) - sys.exit(2) - mode = Flask.USERSPACE - elif o in ('-w', '--nowarnings'): - warn = False - else: - print(usage()) - sys.exit(2) - - if avec == None or \ - isid == None or \ - secc == None or \ - outd == None: - print(usage()) - sys.exit(2) - - try: - f = Flask(warn) - f.parseSids(isid) - f.parseClasses(secc) - f.parseVectors(avec) - f.createHeaders(outd, mode) - except Exception, e: - print(e) - sys.exit(2) diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids deleted file mode 100644 index 95894eb..0000000 --- a/policy/flask/initial_sids +++ /dev/null @@ -1,35 +0,0 @@ -# FLASK - -# -# Define initial security identifiers -# - -sid kernel -sid security -sid unlabeled -sid fs -sid file -sid file_labels -sid init -sid any_socket -sid port -sid netif -sid netmsg -sid node -sid igmp_packet -sid icmp_socket -sid tcp_socket -sid sysctl_modprobe -sid sysctl -sid sysctl_fs -sid sysctl_kernel -sid sysctl_net -sid sysctl_net_unix -sid sysctl_vm -sid sysctl_dev -sid kmod -sid policy -sid scmp_packet -sid devnull - -# FLASK diff --git a/policy/flask/security_classes b/policy/flask/security_classes deleted file mode 100644 index fa65db2..0000000 --- a/policy/flask/security_classes +++ /dev/null @@ -1,128 +0,0 @@ -# FLASK - -# -# Define the security object classes -# - -# Classes marked as userspace are classes -# for userspace object managers - -class security -class process -class system -class capability - -# file-related classes -class filesystem -class file -class dir -class fd -class lnk_file -class chr_file -class blk_file -class sock_file -class fifo_file - -# network-related classes -class socket -class tcp_socket -class udp_socket -class rawip_socket -class node -class netif -class netlink_socket -class packet_socket -class key_socket -class unix_stream_socket -class unix_dgram_socket - -# sysv-ipc-related classes -class sem -class msg -class msgq -class shm -class ipc - -# -# userspace object manager classes -# - -# passwd/chfn/chsh -class passwd # userspace - -# SE-X Windows stuff (more classes below) -class x_drawable # userspace -class x_screen # userspace -class x_gc # userspace -class x_font # userspace -class x_colormap # userspace -class x_property # userspace -class x_selection # userspace -class x_cursor # userspace -class x_client # userspace -class x_device # userspace -class x_server # userspace -class x_extension # userspace - -# extended netlink sockets -class netlink_route_socket -class netlink_firewall_socket -class netlink_tcpdiag_socket -class netlink_nflog_socket -class netlink_xfrm_socket -class netlink_selinux_socket -class netlink_audit_socket -class netlink_ip6fw_socket -class netlink_dnrt_socket - -class dbus # userspace -class nscd # userspace - -# IPSec association -class association - -# Updated Netlink class for KOBJECT_UEVENT family. -class netlink_kobject_uevent_socket - -class appletalk_socket - -class packet - -# Kernel access key retention -class key - -class context # userspace - -class dccp_socket - -class memprotect - -class db_database # userspace -class db_table # userspace -class db_procedure # userspace -class db_column # userspace -class db_tuple # userspace -class db_blob # userspace - -# network peer labels -class peer - -# Capabilities >= 32 -class capability2 - -# More SE-X Windows stuff -class x_resource # userspace -class x_event # userspace -class x_synthetic_event # userspace -class x_application_data # userspace - -# kernel services that need to override task security, e.g. cachefiles -class kernel_service - -class tun_socket - -# Still More SE-X Windows stuff -class x_pointer # userspace -class x_keyboard # userspace - -# FLASK diff --git a/policy/global_booleans b/policy/global_booleans deleted file mode 100644 index 111d004..0000000 --- a/policy/global_booleans +++ /dev/null @@ -1,30 +0,0 @@ -# -# This file is for the declaration of global booleans. -# To change the default value at build time, the booleans.conf -# file should be used. -# - -## -##

-## Enabling secure mode disallows programs, such as -## newrole, from transitioning to administrative -## user domains. -##

-##
-gen_bool(secure_mode,false) - -## -##

-## Disable transitions to insmod. -##

-##
-gen_bool(secure_mode_insmod,false) - -## -##

-## boolean to determine whether the system permits loading policy, setting -## enforcing mode, and changing boolean values. Set this to true and you -## have to reboot to set it back -##

-##
-gen_bool(secure_mode_policyload,false) diff --git a/policy/global_tunables b/policy/global_tunables deleted file mode 100644 index 6e82b1e..0000000 --- a/policy/global_tunables +++ /dev/null @@ -1,112 +0,0 @@ -# -# This file is for the declaration of global tunables. -# To change the default value at build time, the booleans.conf -# file should be used. -# - -## -##

-## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla -##

-##
-gen_tunable(allow_execheap,false) - -## -##

-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla -##

-##
-gen_tunable(allow_execmem,false) - -## -##

-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t -##

-##
-gen_tunable(allow_execmod,false) - -## -##

-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla -##

-##
-gen_tunable(allow_execstack,false) - -## -##

-## Enable polyinstantiated directory support. -##

-##
-gen_tunable(allow_polyinstantiation,false) - -## -##

-## Allow system to run with NIS -##

-##
-gen_tunable(allow_ypbind,false) - -## -##

-## Enable reading of urandom for all domains. -##

-##

-## This should be enabled when all programs -## are compiled with ProPolice/SSP -## stack smashing protection. All domains will -## be allowed to read from /dev/urandom. -##

-##
-gen_tunable(global_ssp,false) - -## -##

-## Allow any files/directories to be exported read/write via NFS. -##

-##
-gen_tunable(nfs_export_all_rw,false) - -## -##

-## Allow any files/directories to be exported read/only via NFS. -##

-##
-gen_tunable(nfs_export_all_ro,false) - -## -##

-## Support NFS home directories -##

-##
-gen_tunable(use_nfs_home_dirs,false) - -## -##

-## Support SAMBA home directories -##

-##
-gen_tunable(use_samba_home_dirs,false) - -## -##

-## Support fusefs home directories -##

-##
-gen_tunable(use_fusefs_home_dirs,false) - -## -##

-## Allow users to run TCP servers (bind to ports and accept connection from -## the same domain and outside users) disabling this forces FTP passive mode -## and may change other protocols. -##

-##
-gen_tunable(user_tcp_server,false) - -## -##

-## Allow direct login to the console device. Required for System 390 -##

-##
-gen_tunable(allow_console_login,false) - diff --git a/policy/mcs b/policy/mcs deleted file mode 100644 index 9fef0f8..0000000 --- a/policy/mcs +++ /dev/null @@ -1,138 +0,0 @@ -ifdef(`enable_mcs',` -# -# Define sensitivities -# -# MCS is single-sensitivity. - -gen_sens(1) - -# -# Define the categories -# -# Generate declarations - -gen_cats(mcs_num_cats) - -# -# Each MCS level specifies a sensitivity and zero or more categories which may -# be associated with that sensitivity. -# - -gen_levels(1,mcs_num_cats) - -# -# Define the MCS policy -# -# mlsconstrain class_set perm_set expression ; -# -# mlsvalidatetrans class_set expression ; -# -# expression : ( expression ) -# | not expression -# | expression and expression -# | expression or expression -# | u1 op u2 -# | r1 role_mls_op r2 -# | t1 op t2 -# | l1 role_mls_op l2 -# | l1 role_mls_op h2 -# | h1 role_mls_op l2 -# | h1 role_mls_op h2 -# | l1 role_mls_op h1 -# | l2 role_mls_op h2 -# | u1 op names -# | u2 op names -# | r1 op names -# | r2 op names -# | t1 op names -# | t2 op names -# | u3 op names (NOTE: this is only available for mlsvalidatetrans) -# | r3 op names (NOTE: this is only available for mlsvalidatetrans) -# | t3 op names (NOTE: this is only available for mlsvalidatetrans) -# -# op : == | != -# role_mls_op : == | != | eq | dom | domby | incomp -# -# names : name | { name_list } -# name_list : name | name_list name -# - -# -# MCS policy for the file classes -# -# Constrain file access so that the high range of the process dominates -# the high range of the file. We use the high range of the process so -# that processes can always simply run at s0. -# -# Note: -# - getattr on dirs/files is not constrained. -# - /proc/pid operations are not constrained. - -mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); - -mlsconstrain file { write setattr append unlink link rename } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); - -mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); - -mlsconstrain dir { write setattr append unlink link rename add_name remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); - -# New filesystem object labels must be dominated by the relabeling subject -# clearance, also the objects are single-level. -mlsconstrain file { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - -# new file labels must be dominated by the relabeling subject clearance -mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom } - ( h1 dom h2 ); - -mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - -mlsconstrain process { transition dyntransition } - (( h1 dom h2 ) or ( t1 == mcssetcats )); - -mlsconstrain process { ptrace } - (( h1 dom h2) or ( t1 == mcsptraceall )); - -mlsconstrain process { sigkill sigstop } - (( h1 dom h2 ) or ( t1 == mcskillall )); - -mlsconstrain process { signal } - (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); - -# -# MCS policy for SELinux-enabled databases -# - -# Any database object must be dominated by the relabeling subject -# clearance, also the objects are single-level. -mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - -mlsconstrain { db_tuple } { insert relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - -# Access control for any database objects based on MCS rules. -mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } - ( h1 dom h2 ); - -mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } - ( h1 dom h2 ); - -mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use } - ( h1 dom h2 ); - -mlsconstrain db_tuple { relabelfrom select update delete use } - ( h1 dom h2 ); - -mlsconstrain db_procedure { drop getattr setattr execute install } - ( h1 dom h2 ); - -mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } - ( h1 dom h2 ); - -') dnl end enable_mcs diff --git a/policy/mls b/policy/mls deleted file mode 100644 index b9f0a3e..0000000 --- a/policy/mls +++ /dev/null @@ -1,830 +0,0 @@ -ifdef(`enable_mls',` -# -# Define sensitivities -# -# Domination of sensitivities is in increasin -# numerical order, with s0 being the lowest - -gen_sens(mls_num_sens) - -# -# Define the categories -# -# Generate declarations - -gen_cats(mls_num_cats) - -# -# Each MLS level specifies a sensitivity and zero or more categories which may -# be associated with that sensitivity. -# -# Generate levels from all sensitivities -# with all categories - -gen_levels(mls_num_sens,mls_num_cats) - -# -# Define the MLS policy -# -# mlsconstrain class_set perm_set expression ; -# -# mlsvalidatetrans class_set expression ; -# -# expression : ( expression ) -# | not expression -# | expression and expression -# | expression or expression -# | u1 op u2 -# | r1 role_mls_op r2 -# | t1 op t2 -# | l1 role_mls_op l2 -# | l1 role_mls_op h2 -# | h1 role_mls_op l2 -# | h1 role_mls_op h2 -# | l1 role_mls_op h1 -# | l2 role_mls_op h2 -# | u1 op names -# | u2 op names -# | r1 op names -# | r2 op names -# | t1 op names -# | t2 op names -# | u3 op names (NOTE: this is only available for mlsvalidatetrans) -# | r3 op names (NOTE: this is only available for mlsvalidatetrans) -# | t3 op names (NOTE: this is only available for mlsvalidatetrans) -# -# op : == | != -# role_mls_op : == | != | eq | dom | domby | incomp -# -# names : name | { name_list } -# name_list : name | name_list name -# - -# -# MLS policy for the file classes -# - -# make sure these file classes are "single level" -mlsconstrain { file lnk_file fifo_file } { create relabelto } - ( l2 eq h2 ); - -# new file labels must be dominated by the relabeling subjects clearance -mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto - ( h1 dom h2 ); - -# the file "read" ops (note the check is dominance of the low level) -mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } - (( l1 dom l2 ) or - (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsfileread ) or - ( t2 == mlstrustedobject )); - -mlsconstrain dir search - (( l1 dom l2 ) or - (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsfileread ) or - ( t2 == mlstrustedobject )); - -# the "single level" file "write" ops -mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton } - (( l1 eq l2 ) or - (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or - ( t1 == mlsfilewrite ) or - ( t2 == mlstrustedobject )); - -# Directory "write" ops -mlsconstrain dir { add_name remove_name reparent rmdir } - (( l1 eq l2 ) or - (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsfilewrite ) or - ( t2 == mlstrustedobject )); - -# these access vectors have no MLS restrictions -# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon } -# -# { file chr_file } { execute_no_trans entrypoint execmod } - -# the file upgrade/downgrade rule -mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file } - ((( l1 eq l2 ) or - (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or - (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or - (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and - (( h1 eq h2 ) or - (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or - (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or - (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 )))); - -# create can also require the upgrade/downgrade checks if the creating process -# has used setfscreate (note that both the high and low level of the object -# default to the process sensitivity level) -mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create - ((( l1 eq l2 ) or - (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or - (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or - (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and - (( l1 eq h2 ) or - (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or - (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or - (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 )))); - - - - -# -# MLS policy for the filesystem class -# - -# new filesystem labels must be dominated by the relabeling subjects clearance -mlsconstrain filesystem relabelto - ( h1 dom h2 ); - -# the filesystem "read" ops (implicit single level) -mlsconstrain filesystem { getattr quotaget } - (( l1 dom l2 ) or - (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsfileread )); - -# all the filesystem "write" ops (implicit single level) -mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } - (( l1 eq l2 ) or - (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsfilewrite )); - -# these access vectors have no MLS restrictions -# filesystem { transition associate } - - - - -# -# MLS policy for the socket classes -# - -# new socket labels must be dominated by the relabeling subjects clearance -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto - ( h1 dom h2 ); - -# the socket "read+write" ops -# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR), -# require equal levels for unprivileged subjects, or read *and* write overrides) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect } - (( l1 eq l2 ) or - (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )) and - ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsnetwrite )))); - - -# the socket "read" ops (note the check is dominance of the low level) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg } - (( l1 dom l2 ) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); - -mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read - (( l1 dom l2 ) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); - -# the socket "write" ops -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } - (( l1 eq l2 ) or - (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsnetwrite )); - -# used by netlabel to restrict normal domains to same level connections -mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom - (( l1 eq l2 ) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); - -# UNIX domain socket ops -mlsconstrain unix_stream_socket connectto - (( l1 eq l2 ) or - (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsnetwrite ) or - ( t2 == mlstrustedobject )); - -mlsconstrain unix_dgram_socket sendto - (( l1 eq l2 ) or - (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsnetwrite ) or - ( t2 == mlstrustedobject )); - -# these access vectors have no MLS restrictions -# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } -# -# { tcp_socket udp_socket rawip_socket } node_bind -# -# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } -# -# tcp_socket name_connect -# -# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write -# -# netlink_audit_socket { nlmsg_relay nlmsg_readpriv } -# -# netlink_kobject_uevent_socket * -# - - - - -# -# MLS policy for the ipc classes -# - -# the ipc "read" ops (implicit single level) -mlsconstrain { ipc sem msgq shm } { getattr read unix_read } - (( l1 dom l2 ) or - (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsipcread )); - -mlsconstrain msg receive - (( l1 dom l2 ) or - (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsipcread )); - -# the ipc "write" ops (implicit single level) -mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } - (( l1 eq l2 ) or - (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsipcwrite )); - -mlsconstrain msgq enqueue - (( l1 eq l2 ) or - (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsipcwrite )); - -mlsconstrain shm lock - (( l1 eq l2 ) or - (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsipcwrite )); - -mlsconstrain msg send - (( l1 eq l2 ) or - (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsipcwrite )); - -# these access vectors have no MLS restrictions -# { ipc sem msgq shm } associate - - - - -# -# MLS policy for the fd class -# - -# No sharing of open file descriptors between levels unless -# the process type is authorized to use fds created by -# other levels (mlsfduse) or the fd type is authorized to -# shared among levels (mlsfdshare). -mlsconstrain fd use ( - l1 eq l2 - or t1 == mlsfduse - or t2 == mlsfdshare -); - -# -# MLS policy for the network object classes -# - -# the netif/node "read" ops (implicit single level socket doing the read) -# (note the check is dominance of the low level) -mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv } - (( l1 dom l2 ) or ( t1 == mlsnetrecvall )); - -# the netif/node "write" ops (implicit single level socket doing the write) -mlsconstrain { netif node } { tcp_send udp_send rawip_send } - (( l1 eq l2 ) or - (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 ))); - -# these access vectors have no MLS restrictions -# node enforce_dest - - - - -# -# MLS policy for the network ingress/egress controls -# - -# the netif ingress/egress ops, the ingress permission is a "write" operation -# because the subject in this particular case is the remote domain which is -# writing data out the network interface which is acting as the object -mlsconstrain { netif } { ingress } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - ( t1 == mlsnetinbound ) or - ( t1 == unlabeled_t )); -mlsconstrain { netif } { egress } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - ( t1 == mlsnetoutbound )); - -# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation -# because the subject in this particular case is the remote domain which is -# writing data out the network node which is acting as the object -mlsconstrain { node } { recvfrom } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - ( t1 == mlsnetinbound ) or - ( t1 == unlabeled_t )); -mlsconstrain { node } { sendto } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - ( t1 == mlsnetoutbound )); - -# the forward ops, the forward_in permission is a "write" operation because the -# subject in this particular case is the remote domain which is writing data -# to the network with a secmark label, the object in this case -mlsconstrain { packet } { forward_in } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - ( t1 == mlsnetinbound ) or - ( t1 == unlabeled_t )); -mlsconstrain { packet } { forward_out } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - ( t1 == mlsnetoutbound ) or - ( t1 == unlabeled_t )); - -# -# MLS policy for the secmark and peer controls -# - -# the peer/packet recv op -mlsconstrain { peer packet } { recv } - (( l1 dom l2 ) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); - - - - -# -# MLS policy for the process class -# - -# new process labels must be dominated by the relabeling subjects clearance -# and sensitivity level changes require privilege -mlsconstrain process transition - (( h1 dom h2 ) and - (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or - (( t1 == privrangetrans ) and ( t2 == mlsrangetrans )))); -mlsconstrain process dyntransition - (( h1 dom h2 ) and - (( l1 eq l2 ) or ( t1 == mlsprocsetsl ))); - -# all the process "read" ops -mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } - (( l1 dom l2 ) or - (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsprocread )); - -# all the process "write" ops (note the check is equality on the low level) -mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share } - (( l1 eq l2 ) or - (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsprocwrite )); - -# these access vectors have no MLS restrictions -# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap } - - - - -# -# MLS policy for the security class -# - -# these access vectors have no MLS restrictions -# security * - - - - -# -# MLS policy for the system class -# - -# these access vectors have no MLS restrictions -# system * - - - - -# -# MLS policy for the capability class -# - -# these access vectors have no MLS restrictions -# capability * - - - - -# -# MLS policy for the passwd class -# - -# these access vectors have no MLS restrictions -# passwd * - - - - -# -# MLS policy for the x_drawable class -# - -# the x_drawable "read" ops (implicit single level) -mlsconstrain x_drawable { read blend getattr list_child list_property get_property receive } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the x_drawable "write" ops (implicit single level) -mlsconstrain x_drawable { create destroy write setattr add_child remove_child send manage } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - -# No MLS restrictions: x_drawable { show hide override } - - -# -# MLS policy for the x_gc class -# - -# the x_gc "read" ops (implicit single level) -mlsconstrain x_gc { getattr use } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the x_gc "write" ops (implicit single level) -mlsconstrain x_gc { create destroy setattr } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - -# -# MLS policy for the x_font class -# - -# the x_font "read" ops (implicit single level) -mlsconstrain x_font { use } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the x_font "write" ops (implicit single level) -mlsconstrain x_font { create destroy add_glyph remove_glyph } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - -# these access vectors have no MLS restrictions -# font use - - -# -# MLS policy for the x_colormap class -# - -# the x_colormap "read" ops (implicit single level) -mlsconstrain x_colormap { read getattr use } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinreadcolormap ) or - ( t1 == mlsxwinread )); - -# the x_colormap "write" ops (implicit single level) -mlsconstrain x_colormap { create destroy write add_color remove_color install uninstall } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwritecolormap ) or - ( t1 == mlsxwinwrite )); - - -# -# MLS policy for the x_property class -# - -# the x_property "read" ops (implicit single level) -mlsconstrain x_property { read getattr } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinreadproperty ) or - ( t1 == mlsxwinread )); - -# the x_property "write" ops (implicit single level) -mlsconstrain x_property { create destroy write append setattr } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwriteproperty ) or - ( t1 == mlsxwinwrite )); - - -# -# MLS policy for the x_selection class -# - -# the x_selection "read" ops (implicit single level) -mlsconstrain x_selection { read getattr } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinreadselection ) or - ( t1 == mlsxwinread )); - -# the x_selection "write" ops (implicit single level) -mlsconstrain x_selection { write setattr } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwriteselection ) or - ( t1 == mlsxwinwrite )); - - -# -# MLS policy for the x_cursor class -# - -# the x_cursor "read" ops (implicit single level) -mlsconstrain x_cursor { read getattr use } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the x_cursor "write" ops (implicit single level) -mlsconstrain x_cursor { create destroy write setattr } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - -# -# MLS policy for the x_client class -# - -# the x_client "read" ops (implicit single level) -mlsconstrain x_client { getattr } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the x_client "write" ops (implicit single level) -mlsconstrain x_client { destroy setattr manage } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - -# -# MLS policy for the x_device class -# - -# the x_device "read" ops (implicit single level) -mlsconstrain x_device { getattr use read getfocus grab } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the x_device "write" ops (implicit single level) -mlsconstrain x_device { setattr write setfocus bell force_cursor freeze manage } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwritexinput ) or - ( t1 == mlsxwinwrite )); - - -# -# MLS policy for the x_server class -# - -# these access vectors have no MLS restrictions -# x_server * - - -# -# MLS policy for the x_extension class -# - -# these access vectors have no MLS restrictions -# x_extension { query use } - - -# -# MLS policy for the x_resource class -# - -# the x_resource "read" ops (implicit single level) -mlsconstrain x_resource { read } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the x_resource "write" ops (implicit single level) -mlsconstrain x_resource { write } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwritexinput ) or - ( t1 == mlsxwinwrite )); - - -# -# MLS policy for the x_event class -# - -# the x_event "read" ops (implicit single level) -mlsconstrain x_event { receive } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the x_event "write" ops (implicit single level) -mlsconstrain x_event { send } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwritexinput ) or - ( t1 == mlsxwinwrite )); - - -# -# MLS policy for the x_application_data class -# - -# the x_application_data "paste" ops -mlsconstrain x_application_data { paste } - ( l1 domby l2 ); - -# the x_application_data "paste_after_confirm" ops -mlsconstrain x_application_data { paste_after_confirm } - ( l1 dom l2 ); - - - -# -# MLS policy for the dbus class -# - -mlsconstrain dbus { send_msg } - (( l1 eq l2 ) or - ( t1 == mlsdbussend ) or - ( t2 == mlsdbusrecv )); - -# these access vectors have no MLS restrictions -# dbus { acquire_svc } - - - - -# -# MLS policy for the nscd class -# - -# these access vectors have no MLS restrictions -# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } - - - - -# -# MLS policy for the association class -# - -mlsconstrain association { recvfrom } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread ) or - ( t2 == unlabeled_t )); - -mlsconstrain association { sendto } - (( l1 eq l2 ) or - (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or - ( t2 == unlabeled_t )); - -mlsconstrain association { polmatch } - (( l1 dom l2 ) and ( h1 domby h2 )); - - - -# -# MLS policy for the context class -# - -mlsconstrain context translate - (( h1 dom h2 ) or ( t1 == mlstranslate )); - -mlsconstrain context contains - ( h1 dom h2 ); - -# -# MLS policy for database classes -# - -# make sure these database classes are "single level" -mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } - ( l2 eq h2 ); -mlsconstrain { db_tuple } { insert relabelto } - ( l2 eq h2 ); - -# new database labels must be dominated by the relabeling subjects clearance -mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto } - ( h1 dom h2 ); - -# the database "read" ops (note the check is dominance of the low level) -mlsconstrain { db_database } { getattr access get_param } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -mlsconstrain { db_table } { getattr use select lock } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -mlsconstrain { db_column } { getattr use select } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -mlsconstrain { db_procedure } { getattr execute install } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -mlsconstrain { db_blob } { getattr read export } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -mlsconstrain { db_tuple } { use select } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -# the "single level" file "write" ops -mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or - ( t1 == mlsdbwrite ) or - ( t2 == mlstrustedobject )); - -mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or - ( t1 == mlsdbwrite ) or - ( t2 == mlstrustedobject )); - -mlsconstrain { db_column } { create drop setattr relabelfrom update insert } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or - ( t1 == mlsdbwrite ) or - ( t2 == mlstrustedobject )); - -mlsconstrain { db_procedure } { create drop setattr relabelfrom } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or - ( t1 == mlsdbwrite ) or - ( t2 == mlstrustedobject )); - -mlsconstrain { db_blob } { create drop setattr relabelfrom write import } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or - ( t1 == mlsdbwrite ) or - ( t2 == mlstrustedobject )); - -mlsconstrain { db_tuple } { relabelfrom update insert delete } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or - ( t1 == mlsdbwrite ) or - ( t2 == mlstrustedobject )); - -# the database upgrade/downgrade rule -mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob } - ((( l1 eq l2 ) or - (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or - (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or - (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and - (( l1 eq h2 ) or - (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or - (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or - (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 )))); - -') dnl end enable_mls diff --git a/policy/modules/admin/acct.fc b/policy/modules/admin/acct.fc deleted file mode 100644 index e81367c..0000000 --- a/policy/modules/admin/acct.fc +++ /dev/null @@ -1,9 +0,0 @@ - -/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0) - -/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0) - -/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0) - -/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0) -/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0) diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if deleted file mode 100644 index e66c296..0000000 --- a/policy/modules/admin/acct.if +++ /dev/null @@ -1,80 +0,0 @@ -## Berkeley process accounting - -######################################## -## -## Transition to the accounting management domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`acct_domtrans',` - gen_require(` - type acct_t, acct_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, acct_exec_t, acct_t) -') - -######################################## -## -## Execute accounting management tools in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`acct_exec',` - gen_require(` - type acct_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, acct_exec_t) -') - -######################################## -## -## Execute accounting management data in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -# cjp: this is added for logrotate, and does -# not make sense to me. -interface(`acct_exec_data',` - gen_require(` - type acct_data_t; - ') - - files_search_var($1) - can_exec($1, acct_data_t) -') - -######################################## -## -## Create, read, write, and delete process accounting data. -## -## -## -## Domain allowed access. -## -## -# -interface(`acct_manage_data',` - gen_require(` - type acct_data_t; - ') - - files_search_var($1) - manage_files_pattern($1, acct_data_t, acct_data_t) - manage_lnk_files_pattern($1, acct_data_t, acct_data_t) -') diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te deleted file mode 100644 index 321798e..0000000 --- a/policy/modules/admin/acct.te +++ /dev/null @@ -1,89 +0,0 @@ -policy_module(acct, 1.4.1) - -######################################## -# -# Declarations -# - -type acct_t; -type acct_exec_t; -init_system_domain(acct_t, acct_exec_t) - -type acct_data_t; -logging_log_file(acct_data_t) - -######################################## -# -# Local Policy -# - -# gzip needs chown capability for some reason -allow acct_t self:capability { sys_pacct chown fsetid }; -# not sure why we need kill, the command "last" is reported as using it -dontaudit acct_t self:capability { kill sys_tty_config }; - -allow acct_t self:fifo_file rw_fifo_file_perms; -allow acct_t self:process signal_perms; - -manage_files_pattern(acct_t, acct_data_t, acct_data_t) -manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t) - -can_exec(acct_t, acct_exec_t) - -kernel_list_proc(acct_t) -kernel_read_system_state(acct_t) -kernel_read_kernel_sysctls(acct_t) - -dev_read_sysfs(acct_t) -# for SSP -dev_read_urand(acct_t) - -fs_search_auto_mountpoints(acct_t) -fs_getattr_xattr_fs(acct_t) - -term_dontaudit_use_console(acct_t) -term_dontaudit_use_generic_ptys(acct_t) - -corecmd_exec_bin(acct_t) -corecmd_exec_shell(acct_t) - -domain_use_interactive_fds(acct_t) - -files_read_etc_files(acct_t) -files_read_etc_runtime_files(acct_t) -files_list_usr(acct_t) -# for nscd -files_dontaudit_search_pids(acct_t) - -init_use_fds(acct_t) -init_use_script_ptys(acct_t) -init_exec_script_files(acct_t) - -logging_send_syslog_msg(acct_t) - -miscfiles_read_localization(acct_t) - -userdom_dontaudit_use_unpriv_user_fds(acct_t) -userdom_dontaudit_search_user_home_dirs(acct_t) - -optional_policy(` - optional_policy(` - # for monthly cron job - auth_log_filetrans_login_records(acct_t) - auth_manage_login_records(acct_t) - ') - - cron_system_entry(acct_t, acct_exec_t) -') - -optional_policy(` - nscd_socket_use(acct_t) -') - -optional_policy(` - seutil_sigchld_newrole(acct_t) -') - -optional_policy(` - udev_read_db(acct_t) -') diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc deleted file mode 100644 index 72a0458..0000000 --- a/policy/modules/admin/alsa.fc +++ /dev/null @@ -1,18 +0,0 @@ -HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) - -/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) - -/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) -/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) - -/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if deleted file mode 100644 index 20d51d0..0000000 --- a/policy/modules/admin/alsa.if +++ /dev/null @@ -1,170 +0,0 @@ -## Ainit ALSA configuration tool. - -######################################## -## -## Execute a domain transition to run Alsa. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`alsa_domtrans',` - gen_require(` - type alsa_t, alsa_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, alsa_exec_t, alsa_t) -') - -######################################## -## -## Execute a domain transition to run -## Alsa, and allow the specified role -## the Alsa domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`alsa_run',` - gen_require(` - type alsa_t; - ') - - alsa_domtrans($1) - role $2 types alsa_t; -') - -######################################## -## -## Read and write Alsa semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_rw_semaphores',` - gen_require(` - type alsa_t; - ') - - allow $1 alsa_t:sem rw_sem_perms; -') - -######################################## -## -## Read and write Alsa shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_rw_shared_mem',` - gen_require(` - type alsa_t; - ') - - allow $1 alsa_t:shm rw_shm_perms; -') - -######################################## -## -## Read writable Alsa config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_read_rw_config',` - gen_require(` - type alsa_etc_rw_t; - ') - - files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - - ifdef(`distro_debian',` - files_search_usr($1) - ') -') - -######################################## -## -## Manage writable Alsa config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_manage_rw_config',` - gen_require(` - type alsa_etc_rw_t; - ') - - files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - - ifdef(`distro_debian',` - files_search_usr($1) - ') -') - -######################################## -## -## Read Alsa home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_read_home_files',` - gen_require(` - type alsa_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file read_file_perms; -') - -######################################## -## -## Read Alsa lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_read_lib',` - gen_require(` - type alsa_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) -') diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te deleted file mode 100644 index 0f227f1..0000000 --- a/policy/modules/admin/alsa.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(alsa, 1.9.2) - -######################################## -# -# Declarations -# - -type alsa_t; -type alsa_exec_t; -init_system_domain(alsa_t, alsa_exec_t) -role system_r types alsa_t; - -type alsa_etc_rw_t; -files_type(alsa_etc_rw_t) - -type alsa_var_lib_t; -files_type(alsa_var_lib_t) - -type alsa_home_t; -userdom_user_home_content(alsa_home_t) - -######################################## -# -# Local policy -# - -allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; -dontaudit alsa_t self:capability sys_admin; -allow alsa_t self:sem create_sem_perms; -allow alsa_t self:shm create_shm_perms; -allow alsa_t self:unix_stream_socket create_stream_socket_perms; -allow alsa_t self:unix_dgram_socket create_socket_perms; - -allow alsa_t alsa_home_t:file read_file_perms; - -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) - -can_exec(alsa_t, alsa_exec_t) - -manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) -manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) -files_search_var_lib(alsa_t) - -kernel_read_system_state(alsa_t) - -dev_read_sound(alsa_t) -dev_write_sound(alsa_t) -dev_read_sysfs(alsa_t) - -corecmd_exec_bin(alsa_t) - -files_read_etc_files(alsa_t) -files_read_usr_files(alsa_t) - -term_dontaudit_use_console(alsa_t) -term_dontaudit_use_generic_ptys(alsa_t) -term_dontaudit_use_all_ptys(alsa_t) - -auth_use_nsswitch(alsa_t) - -init_use_fds(alsa_t) - -logging_send_syslog_msg(alsa_t) - -miscfiles_read_localization(alsa_t) - -userdom_manage_unpriv_user_semaphores(alsa_t) -userdom_manage_unpriv_user_shared_mem(alsa_t) -userdom_search_user_home_dirs(alsa_t) - -optional_policy(` - hal_use_fds(alsa_t) - hal_write_log(alsa_t) -') diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc deleted file mode 100644 index e3e0701..0000000 --- a/policy/modules/admin/amanda.fc +++ /dev/null @@ -1,26 +0,0 @@ -/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0) -/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) -/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) -/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0) -# empty m4 string so the index macro is not invoked -/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) - -/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0) - -/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0) -/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0) -/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) -/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) -/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) - -/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) - -/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0) -/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) -/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) -/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0) -/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0) -# the null string in here because index is a m4 builtin function -/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0) - -/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if deleted file mode 100644 index 8498e97..0000000 --- a/policy/modules/admin/amanda.if +++ /dev/null @@ -1,161 +0,0 @@ -## Advanced Maryland Automatic Network Disk Archiver. - -######################################## -## -## Execute a domain transition to run -## Amanda recover. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`amanda_domtrans_recover',` - gen_require(` - type amanda_recover_t, amanda_recover_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) -') - -######################################## -## -## Execute a domain transition to run -## Amanda recover, and allow the specified -## role the Amanda recover domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`amanda_run_recover',` - gen_require(` - type amanda_recover_t; - ') - - amanda_domtrans_recover($1) - role $2 types amanda_recover_t; -') - -######################################## -## -## Search Amanda library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`amanda_search_lib',` - gen_require(` - type amanda_usr_lib_t; - ') - - files_search_usr($1) - allow $1 amanda_usr_lib_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to read /etc/dumpdates. -## -## -## -## Domain to not audit. -## -## -# -interface(`amanda_dontaudit_read_dumpdates',` - gen_require(` - type amanda_dumpdates_t; - ') - - dontaudit $1 amanda_dumpdates_t:file { getattr read }; -') - -######################################## -## -## Read and write /etc/dumpdates. -## -## -## -## Domain allowed access. -## -## -# -interface(`amanda_rw_dumpdates_files',` - gen_require(` - type amanda_dumpdates_t; - ') - - files_search_etc($1) - allow $1 amanda_dumpdates_t:file rw_file_perms; -') - -######################################## -## -## Search Amanda library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`amanda_manage_lib',` - gen_require(` - type amanda_usr_lib_t; - ') - - files_search_usr($1) - allow $1 amanda_usr_lib_t:dir manage_dir_perms; -') - -######################################## -## -## Read and append amanda logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`amanda_append_log_files',` - gen_require(` - type amanda_log_t; - ') - - logging_search_logs($1) - allow $1 amanda_log_t:file { read_file_perms append_file_perms }; -') - -####################################### -## -## Search Amanda var library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`amanda_search_var_lib',` - gen_require(` - type amanda_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 amanda_var_lib_t:dir search_dir_perms; -') diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te deleted file mode 100644 index a05f32f..0000000 --- a/policy/modules/admin/amanda.te +++ /dev/null @@ -1,211 +0,0 @@ -policy_module(amanda, 1.12.1) - -####################################### -# -# Declarations -# - -type amanda_t; -type amanda_inetd_exec_t; -inetd_service_domain(amanda_t, amanda_inetd_exec_t) -role system_r types amanda_t; - -type amanda_exec_t; -domain_entry_file(amanda_t, amanda_exec_t) - -type amanda_log_t; -logging_log_file(amanda_log_t) - -type amanda_config_t; -files_type(amanda_config_t) - -type amanda_usr_lib_t; -files_type(amanda_usr_lib_t) - -type amanda_var_lib_t; -files_type(amanda_var_lib_t) - -type amanda_gnutarlists_t; -files_type(amanda_gnutarlists_t) - -type amanda_tmp_t; -files_tmp_file(amanda_tmp_t) - -type amanda_amandates_t; -files_type(amanda_amandates_t) - -type amanda_dumpdates_t; -files_type(amanda_dumpdates_t) - -type amanda_data_t; -files_type(amanda_data_t) - -type amanda_recover_t; -type amanda_recover_exec_t; -application_domain(amanda_recover_t, amanda_recover_exec_t) -role system_r types amanda_recover_t; - -type amanda_recover_dir_t; -files_type(amanda_recover_dir_t) - -optional_policy(` - prelink_object_file(amanda_usr_lib_t) -') - -######################################## -# -# Amanda local policy -# - -allow amanda_t self:capability { chown dac_override setuid kill }; -allow amanda_t self:process { setpgid signal }; -allow amanda_t self:fifo_file rw_fifo_file_perms; -allow amanda_t self:unix_stream_socket create_stream_socket_perms; -allow amanda_t self:unix_dgram_socket create_socket_perms; -allow amanda_t self:tcp_socket create_stream_socket_perms; -allow amanda_t self:udp_socket create_socket_perms; - -allow amanda_t amanda_amandates_t:file rw_file_perms; - -allow amanda_t amanda_config_t:file read_file_perms; - -manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) -manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) -filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) - -allow amanda_t amanda_dumpdates_t:file rw_file_perms; - -can_exec(amanda_t, amanda_exec_t) -can_exec(amanda_t, amanda_inetd_exec_t) - -allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms; -allow amanda_t amanda_gnutarlists_t:file manage_file_perms; -allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; - -manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) -manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) - -manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) -manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) -logging_log_filetrans(amanda_t, amanda_log_t, { file dir }) - -manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) -manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) -files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir }) - -kernel_read_system_state(amanda_t) -kernel_read_kernel_sysctls(amanda_t) -kernel_dontaudit_getattr_unlabeled_files(amanda_t) -kernel_dontaudit_read_proc_symlinks(amanda_t) - -corecmd_exec_shell(amanda_t) -corecmd_exec_bin(amanda_t) - -corenet_all_recvfrom_unlabeled(amanda_t) -corenet_all_recvfrom_netlabel(amanda_t) -corenet_tcp_sendrecv_generic_if(amanda_t) -corenet_udp_sendrecv_generic_if(amanda_t) -corenet_raw_sendrecv_generic_if(amanda_t) -corenet_tcp_sendrecv_generic_node(amanda_t) -corenet_udp_sendrecv_generic_node(amanda_t) -corenet_raw_sendrecv_generic_node(amanda_t) -corenet_tcp_sendrecv_all_ports(amanda_t) -corenet_udp_sendrecv_all_ports(amanda_t) -corenet_tcp_bind_generic_node(amanda_t) -corenet_udp_bind_generic_node(amanda_t) -corenet_tcp_bind_all_rpc_ports(amanda_t) -corenet_tcp_bind_generic_port(amanda_t) -corenet_dontaudit_tcp_bind_all_ports(amanda_t) - -dev_getattr_all_blk_files(amanda_t) -dev_getattr_all_chr_files(amanda_t) - -files_read_etc_files(amanda_t) -files_read_etc_runtime_files(amanda_t) -files_list_all(amanda_t) -files_read_all_files(amanda_t) -files_read_all_symlinks(amanda_t) -files_read_all_blk_files(amanda_t) -files_read_all_chr_files(amanda_t) -files_getattr_all_pipes(amanda_t) -files_getattr_all_sockets(amanda_t) - -fs_getattr_xattr_fs(amanda_t) -fs_list_all(amanda_t) - -storage_raw_read_fixed_disk(amanda_t) -storage_read_tape(amanda_t) -storage_write_tape(amanda_t) - -auth_use_nsswitch(amanda_t) -auth_read_shadow(amanda_t) - -logging_send_syslog_msg(amanda_t) - -######################################## -# -# Amanda recover local policy -# - -allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; -allow amanda_recover_t self:process { sigkill sigstop signal }; -allow amanda_recover_t self:fifo_file rw_fifo_file_perms; -allow amanda_recover_t self:unix_stream_socket { connect create read write }; -allow amanda_recover_t self:tcp_socket create_stream_socket_perms; -allow amanda_recover_t self:udp_socket create_socket_perms; - -manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t) -manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t) - -manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_system_state(amanda_recover_t) -kernel_read_kernel_sysctls(amanda_recover_t) - -corecmd_exec_shell(amanda_recover_t) -corecmd_exec_bin(amanda_recover_t) - -corenet_all_recvfrom_unlabeled(amanda_recover_t) -corenet_all_recvfrom_netlabel(amanda_recover_t) -corenet_tcp_sendrecv_generic_if(amanda_recover_t) -corenet_udp_sendrecv_generic_if(amanda_recover_t) -corenet_tcp_sendrecv_generic_node(amanda_recover_t) -corenet_udp_sendrecv_generic_node(amanda_recover_t) -corenet_tcp_sendrecv_all_ports(amanda_recover_t) -corenet_udp_sendrecv_all_ports(amanda_recover_t) -corenet_tcp_bind_generic_node(amanda_recover_t) -corenet_udp_bind_generic_node(amanda_recover_t) -corenet_tcp_bind_reserved_port(amanda_recover_t) -corenet_tcp_connect_amanda_port(amanda_recover_t) -corenet_sendrecv_amanda_client_packets(amanda_recover_t) - -domain_use_interactive_fds(amanda_recover_t) - -files_read_etc_files(amanda_recover_t) -files_read_etc_runtime_files(amanda_recover_t) -files_search_tmp(amanda_recover_t) -files_search_pids(amanda_recover_t) - -auth_use_nsswitch(amanda_recover_t) - -fstools_domtrans(amanda_t) -fstools_signal(amanda_t) - -logging_search_logs(amanda_recover_t) - -miscfiles_read_localization(amanda_recover_t) - -userdom_use_user_terminals(amanda_recover_t) -userdom_search_user_home_content(amanda_recover_t) diff --git a/policy/modules/admin/amtu.fc b/policy/modules/admin/amtu.fc deleted file mode 100644 index d97160e..0000000 --- a/policy/modules/admin/amtu.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0) diff --git a/policy/modules/admin/amtu.if b/policy/modules/admin/amtu.if deleted file mode 100644 index be82315..0000000 --- a/policy/modules/admin/amtu.if +++ /dev/null @@ -1,46 +0,0 @@ -## Abstract Machine Test Utility. - -######################################## -## -## Execute a domain transition to run Amtu. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`amtu_domtrans',` - gen_require(` - type amtu_t, amtu_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amtu_exec_t, amtu_t) -') - -######################################## -## -## Execute a domain transition to run -## Amtu, and allow the specified role -## the Amtu domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`amtu_run',` - gen_require(` - type amtu_t; - ') - - amtu_domtrans($1) - role $2 types amtu_t; -') diff --git a/policy/modules/admin/amtu.te b/policy/modules/admin/amtu.te deleted file mode 100644 index 057abb0..0000000 --- a/policy/modules/admin/amtu.te +++ /dev/null @@ -1,34 +0,0 @@ -policy_module(amtu, 1.2.0) - -######################################## -# -# Declarations -# - -type amtu_t; -type amtu_exec_t; -domain_type(amtu_t) -domain_entry_file(amtu_t, amtu_exec_t) - -######################################## -# -# amtu local policy -# - -kernel_read_system_state(amtu_t) - -files_manage_boot_files(amtu_t) -files_read_etc_runtime_files(amtu_t) -files_read_etc_files(amtu_t) - -logging_send_audit_msgs(amtu_t) - -userdom_use_user_terminals(amtu_t) - -optional_policy(` - nscd_dontaudit_search_pid(amtu_t) -') - -optional_policy(` - seutil_use_newrole_fds(amtu_t) -') diff --git a/policy/modules/admin/anaconda.fc b/policy/modules/admin/anaconda.fc deleted file mode 100644 index b098089..0000000 --- a/policy/modules/admin/anaconda.fc +++ /dev/null @@ -1 +0,0 @@ -# No file context specifications. diff --git a/policy/modules/admin/anaconda.if b/policy/modules/admin/anaconda.if deleted file mode 100644 index 14a61b7..0000000 --- a/policy/modules/admin/anaconda.if +++ /dev/null @@ -1 +0,0 @@ -## Anaconda installer. diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te deleted file mode 100644 index 9a9526a..0000000 --- a/policy/modules/admin/anaconda.te +++ /dev/null @@ -1,60 +0,0 @@ -policy_module(anaconda, 1.5.1) - -######################################## -# -# Declarations -# - -type anaconda_t; -type anaconda_exec_t; -domain_type(anaconda_t) -domain_obj_id_change_exemption(anaconda_t) -role system_r types anaconda_t; - -######################################## -# -# Local policy -# - -allow anaconda_t self:process execmem; - -kernel_domtrans_to(anaconda_t, anaconda_exec_t) - -init_domtrans_script(anaconda_t) - -libs_domtrans_ldconfig(anaconda_t) - -logging_send_syslog_msg(anaconda_t) - -modutils_domtrans_insmod(anaconda_t) -modutils_domtrans_depmod(anaconda_t) - -seutil_domtrans_semanage(anaconda_t) -seutil_domtrans_setsebool(anaconda_t) - -userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - kudzu_domtrans(anaconda_t) -') - -optional_policy(` - rpm_domtrans(anaconda_t) - rpm_domtrans_script(anaconda_t) -') - -optional_policy(` - ssh_domtrans_keygen(anaconda_t) -') - -optional_policy(` - udev_domtrans(anaconda_t) -') - -optional_policy(` - unconfined_domain_noaudit(anaconda_t) -') - -optional_policy(` - usermanage_domtrans_admin_passwd(anaconda_t) -') diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc deleted file mode 100644 index e4f4850..0000000 --- a/policy/modules/admin/apt.fc +++ /dev/null @@ -1,21 +0,0 @@ -/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) -# apt-shell is redhat specific -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) -# other package managers -/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) -/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) - -# package cache repository -/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) - -# package list repository -/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) -/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) - -# aptitude lock -/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) -# aptitude log -/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0) - -# dpkg terminal log -/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if deleted file mode 100644 index e696b80..0000000 --- a/policy/modules/admin/apt.if +++ /dev/null @@ -1,225 +0,0 @@ -## APT advanced package tool. - -######################################## -## -## Execute apt programs in the apt domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apt_domtrans',` - gen_require(` - type apt_t, apt_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, apt_exec_t, apt_t) -') - -######################################## -## -## Execute apt programs in the apt domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the apt domain. -## -## -## -# -interface(`apt_run',` - gen_require(` - type apt_t; - ') - - apt_domtrans($1) - role $2 types apt_t; - # TODO: likely have to add dpkg_run here. -') - -######################################## -## -## Inherit and use file descriptors from apt. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_use_fds',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fd use; - # TODO: enforce dpkg_use_fd? -') - -######################################## -## -## Do not audit attempts to use file descriptors from apt. -## -## -## -## Domain to not audit. -## -## -# -interface(`apt_dontaudit_use_fds',` - gen_require(` - type apt_t; - ') - - dontaudit $1 apt_t:fd use; -') - -######################################## -## -## Read from an unnamed apt pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_read_pipes',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fifo_file read_fifo_file_perms; - # TODO: enforce dpkg_read_pipes? -') - -######################################## -## -## Read and write an unnamed apt pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_rw_pipes',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fifo_file rw_file_perms; - # TODO: enforce dpkg_rw_pipes? -') - -######################################## -## -## Read from and write to apt ptys. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_use_ptys',` - gen_require(` - type apt_devpts_t; - ') - - allow $1 apt_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## Read the apt package cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_read_cache',` - gen_require(` - type apt_var_cache_t; - ') - - files_search_var($1) - allow $1 apt_var_cache_t:dir list_dir_perms; - dontaudit $1 apt_var_cache_t:dir write; - allow $1 apt_var_cache_t:file read_file_perms; -') - -######################################## -## -## Read the apt package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_read_db',` - gen_require(` - type apt_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 apt_var_lib_t:dir list_dir_perms; - read_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete the apt package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_manage_db',` - gen_require(` - type apt_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - # cjp: shouldnt this be manage_lnk_files? - rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete the apt package database. -## -## -## -## Domain to not audit. -## -## -# -interface(`apt_dontaudit_manage_db',` - gen_require(` - type apt_var_lib_t; - ') - - dontaudit $1 apt_var_lib_t:dir rw_dir_perms; - dontaudit $1 apt_var_lib_t:file manage_file_perms; - dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms; -') diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te deleted file mode 100644 index 4044710..0000000 --- a/policy/modules/admin/apt.te +++ /dev/null @@ -1,162 +0,0 @@ -policy_module(apt, 1.6.0) - -######################################## -# -# Declarations -# - -type apt_t; -type apt_exec_t; -init_system_domain(apt_t, apt_exec_t) -domain_system_change_exemption(apt_t) -role system_r types apt_t; - -# pseudo terminal for running dpkg -type apt_devpts_t; -term_pty(apt_devpts_t) - -# aptitude lock file -type apt_lock_t; -files_lock_file(apt_lock_t) - -type apt_tmp_t; -files_tmp_file(apt_tmp_t) - -type apt_tmpfs_t; -files_tmpfs_file(apt_tmpfs_t) - -# package cache -type apt_var_cache_t alias var_cache_apt_t; -files_type(apt_var_cache_t) - -# status files -type apt_var_lib_t alias var_lib_apt_t; -files_type(apt_var_lib_t) - -# aptitude log file -type apt_var_log_t; -logging_log_file(apt_var_log_t) - -######################################## -# -# apt Local policy -# - -allow apt_t self:capability { chown dac_override fowner fsetid }; -allow apt_t self:process { signal setpgid fork }; -allow apt_t self:fd use; -allow apt_t self:fifo_file rw_fifo_file_perms; -allow apt_t self:unix_dgram_socket create_socket_perms; -allow apt_t self:unix_stream_socket rw_stream_socket_perms; -allow apt_t self:unix_dgram_socket sendto; -allow apt_t self:unix_stream_socket connectto; -allow apt_t self:udp_socket { connect create_socket_perms }; -allow apt_t self:tcp_socket create_stream_socket_perms; -allow apt_t self:shm create_shm_perms; -allow apt_t self:sem create_sem_perms; -allow apt_t self:msgq create_msgq_perms; -allow apt_t self:msg { send receive }; -# Run update -allow apt_t self:netlink_route_socket r_netlink_socket_perms; - -# lock files -allow apt_t apt_lock_t:dir manage_dir_perms; -allow apt_t apt_lock_t:file manage_file_perms; -files_lock_filetrans(apt_t, apt_lock_t, {dir file}) - -manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t) -manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t) -files_tmp_filetrans(apt_t, apt_tmp_t, { file dir }) - -manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -# Access /var/cache/apt files -manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) -files_var_filetrans(apt_t, apt_var_cache_t, dir) - -# Access /var/lib/apt files -manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) - -# log files -allow apt_t apt_var_log_t:file manage_file_perms; -logging_log_filetrans(apt_t, apt_var_log_t, file) - -kernel_read_system_state(apt_t) -kernel_read_kernel_sysctls(apt_t) - -# to launch dpkg-preconfigure -corecmd_exec_bin(apt_t) -corecmd_exec_shell(apt_t) - -corenet_all_recvfrom_unlabeled(apt_t) -corenet_all_recvfrom_netlabel(apt_t) -corenet_tcp_sendrecv_generic_if(apt_t) -corenet_udp_sendrecv_generic_if(apt_t) -corenet_tcp_sendrecv_generic_node(apt_t) -corenet_udp_sendrecv_generic_node(apt_t) -corenet_tcp_sendrecv_all_ports(apt_t) -corenet_udp_sendrecv_all_ports(apt_t) -# TODO: really allow all these? -corenet_tcp_bind_generic_node(apt_t) -corenet_udp_bind_generic_node(apt_t) -corenet_tcp_connect_all_ports(apt_t) -corenet_sendrecv_all_client_packets(apt_t) - -dev_read_urand(apt_t) - -domain_getattr_all_domains(apt_t) -domain_use_interactive_fds(apt_t) - -files_exec_usr_files(apt_t) -files_read_etc_files(apt_t) -files_read_etc_runtime_files(apt_t) - -fs_getattr_all_fs(apt_t) - -term_create_pty(apt_t, apt_devpts_t) -term_list_ptys(apt_t) -term_use_all_terms(apt_t) - -libs_exec_ld_so(apt_t) -libs_exec_lib_files(apt_t) - -logging_send_syslog_msg(apt_t) - -miscfiles_read_localization(apt_t) - -seutil_use_newrole_fds(apt_t) - -sysnet_read_config(apt_t) - -userdom_use_user_terminals(apt_t) - -# with boolean, for cron-apt and such? -#optional_policy(` -# cron_system_entry(apt_t,apt_exec_t) -#') - -optional_policy(` - # dpkg interaction - dpkg_read_db(apt_t) - dpkg_domtrans(apt_t) - dpkg_lock_db(apt_t) -') - -optional_policy(` - nis_use_ypbind(apt_t) -') - -optional_policy(` - rpm_read_db(apt_t) - rpm_domtrans(apt_t) -') - -optional_policy(` - unconfined_domain(apt_t) -') diff --git a/policy/modules/admin/backup.fc b/policy/modules/admin/backup.fc deleted file mode 100644 index 223b7f2..0000000 --- a/policy/modules/admin/backup.fc +++ /dev/null @@ -1,13 +0,0 @@ -# backup -# label programs that do backups to other files on disk (IE a cron job that -# calls tar) in backup_exec_t and label the directory for storing them as -# backup_store_t, Debian uses /var/backups - -#/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0) - -ifdef(`distro_debian',` -/etc/cron.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0) -/etc/cron.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0) -') - -/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0) diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if deleted file mode 100644 index 1017b7a..0000000 --- a/policy/modules/admin/backup.if +++ /dev/null @@ -1,45 +0,0 @@ -## System backup scripts - -######################################## -## -## Execute backup in the backup domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`backup_domtrans',` - gen_require(` - type backup_t, backup_exec_t; - ') - - domtrans_pattern($1, backup_exec_t, backup_t) -') - -######################################## -## -## Execute backup in the backup domain, and -## allow the specified role the backup domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`backup_run',` - gen_require(` - type backup_t; - ') - - backup_domtrans($1) - role $2 types backup_t; -') diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te deleted file mode 100644 index 0bfc958..0000000 --- a/policy/modules/admin/backup.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(backup, 1.5.0) - -######################################## -# -# Declarations -# - -type backup_t; -type backup_exec_t; -domain_type(backup_t) -domain_entry_file(backup_t, backup_exec_t) -role system_r types backup_t; - -type backup_store_t; -files_type(backup_store_t) - -######################################## -# -# Local policy -# - -allow backup_t self:capability dac_override; -allow backup_t self:process signal; -allow backup_t self:fifo_file rw_fifo_file_perms; -allow backup_t self:tcp_socket create_socket_perms; -allow backup_t self:udp_socket create_socket_perms; - -allow backup_t backup_store_t:file setattr; -manage_files_pattern(backup_t, backup_store_t, backup_store_t) -rw_files_pattern(backup_t, backup_store_t, backup_store_t) -read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t) - -kernel_read_system_state(backup_t) -kernel_read_kernel_sysctls(backup_t) - -corecmd_exec_bin(backup_t) -corecmd_exec_shell(backup_t) - -corenet_all_recvfrom_unlabeled(backup_t) -corenet_all_recvfrom_netlabel(backup_t) -corenet_tcp_sendrecv_generic_if(backup_t) -corenet_udp_sendrecv_generic_if(backup_t) -corenet_raw_sendrecv_generic_if(backup_t) -corenet_tcp_sendrecv_generic_node(backup_t) -corenet_udp_sendrecv_generic_node(backup_t) -corenet_raw_sendrecv_generic_node(backup_t) -corenet_tcp_sendrecv_all_ports(backup_t) -corenet_udp_sendrecv_all_ports(backup_t) -corenet_tcp_connect_all_ports(backup_t) -corenet_sendrecv_all_client_packets(backup_t) - -dev_getattr_all_blk_files(backup_t) -dev_getattr_all_chr_files(backup_t) -# for SSP -dev_read_urand(backup_t) - -domain_use_interactive_fds(backup_t) - -files_read_all_files(backup_t) -files_read_all_symlinks(backup_t) -files_getattr_all_pipes(backup_t) -files_getattr_all_sockets(backup_t) - -fs_getattr_xattr_fs(backup_t) -fs_list_all(backup_t) - -auth_read_shadow(backup_t) - -logging_send_syslog_msg(backup_t) - -sysnet_read_config(backup_t) - -userdom_use_user_terminals(backup_t) - -optional_policy(` - cron_system_entry(backup_t, backup_exec_t) -') - -optional_policy(` - hostname_exec(backup_t) -') - -optional_policy(` - nis_use_ypbind(backup_t) -') diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc deleted file mode 100644 index 7a6f06f..0000000 --- a/policy/modules/admin/bootloader.fc +++ /dev/null @@ -1,9 +0,0 @@ - -/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) - -/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) - -/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if deleted file mode 100644 index ebe8570..0000000 --- a/policy/modules/admin/bootloader.if +++ /dev/null @@ -1,129 +0,0 @@ -## Policy for the kernel modules, kernel image, and bootloader. - -######################################## -## -## Execute bootloader in the bootloader domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bootloader_domtrans',` - gen_require(` - type bootloader_t, bootloader_exec_t; - ') - - domtrans_pattern($1, bootloader_exec_t, bootloader_t) -') - -######################################## -## -## Execute bootloader interactively and do -## a domain transition to the bootloader domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`bootloader_run',` - gen_require(` - type bootloader_t; - ') - - bootloader_domtrans($1) - - role $2 types bootloader_t; - - ifdef(`distro_redhat',` - # for mke2fs - mount_run(bootloader_t, $2) - ') -') - -######################################## -## -## Read the bootloader configuration file. -## -## -## -## Domain allowed access. -## -## -# -interface(`bootloader_read_config',` - gen_require(` - type bootloader_etc_t; - ') - - allow $1 bootloader_etc_t:file read_file_perms; -') - -######################################## -## -## Read and write the bootloader -## configuration file. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`bootloader_rw_config',` - gen_require(` - type bootloader_etc_t; - ') - - allow $1 bootloader_etc_t:file rw_file_perms; -') - -######################################## -## -## Read and write the bootloader -## temporary data in /tmp. -## -## -## -## Domain allowed access. -## -## -# -interface(`bootloader_rw_tmp_files',` - gen_require(` - type bootloader_tmp_t; - ') - - # FIXME: read tmp_t dir - allow $1 bootloader_tmp_t:file rw_file_perms; -') - -######################################## -## -## Read and write the bootloader -## temporary data in /tmp. -## -## -## -## Domain allowed access. -## -## -# -interface(`bootloader_create_runtime_file',` - gen_require(` - type boot_runtime_t; - ') - - allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; - files_boot_filetrans($1, boot_runtime_t, file) -') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te deleted file mode 100644 index a9bc854..0000000 --- a/policy/modules/admin/bootloader.te +++ /dev/null @@ -1,215 +0,0 @@ -policy_module(bootloader, 1.11.0) - -######################################## -# -# Declarations -# - -# -# boot_runtime_t is the type for /boot/kernel.h, -# which is automatically generated at boot time. -# only for Red Hat -# -type boot_runtime_t; -files_type(boot_runtime_t) - -type bootloader_t; -type bootloader_exec_t; -application_domain(bootloader_t, bootloader_exec_t) -role system_r types bootloader_t; - -# -# bootloader_etc_t is the configuration file, -# grub.conf, lilo.conf, etc. -# -type bootloader_etc_t alias etc_bootloader_t; -files_type(bootloader_etc_t) - -# -# The temp file is used for initrd creation; -# it consists of files and device nodes -# -type bootloader_tmp_t; -files_tmp_file(bootloader_tmp_t) -dev_node(bootloader_tmp_t) - -# -# /var/log/ksyms -# cjp: this probably can be removed, I do not -# think it is used on 2.6 kernels -type var_log_ksyms_t; -logging_log_file(var_log_ksyms_t) - -######################################## -# -# bootloader local policy -# - -allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; -allow bootloader_t self:process { sigkill sigstop signull signal execmem }; -allow bootloader_t self:fifo_file rw_fifo_file_perms; - -allow bootloader_t bootloader_etc_t:file read_file_perms; -# uncomment the following lines if you use "lilo -p" -#allow bootloader_t bootloader_etc_t:file manage_file_perms; -#files_etc_filetrans(bootloader_t,bootloader_etc_t,file) - -manage_dirs_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t) -manage_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t) -manage_lnk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t) -manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t) -manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t) -files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file }) -# for tune2fs (cjp: ?) -files_root_filetrans(bootloader_t, bootloader_tmp_t, file) - -kernel_getattr_core_if(bootloader_t) -kernel_read_network_state(bootloader_t) -kernel_read_system_state(bootloader_t) -kernel_read_software_raid_state(bootloader_t) -kernel_read_kernel_sysctls(bootloader_t) - -storage_raw_read_fixed_disk(bootloader_t) -storage_raw_write_fixed_disk(bootloader_t) -storage_raw_read_removable_device(bootloader_t) -storage_raw_write_removable_device(bootloader_t) - -dev_getattr_all_chr_files(bootloader_t) -dev_getattr_all_blk_files(bootloader_t) -dev_dontaudit_rw_generic_dev_nodes(bootloader_t) -dev_read_rand(bootloader_t) -dev_read_urand(bootloader_t) -dev_read_sysfs(bootloader_t) -# needed on some hardware -dev_rw_nvram(bootloader_t) - -fs_getattr_xattr_fs(bootloader_t) -fs_getattr_tmpfs(bootloader_t) -fs_read_tmpfs_symlinks(bootloader_t) -#Needed for ia64 -fs_manage_dos_files(bootloader_t) - -mls_file_read_all_levels(bootloader_t) -mls_file_write_all_levels(bootloader_t) - -term_getattr_all_ttys(bootloader_t) -term_dontaudit_manage_pty_dirs(bootloader_t) - -corecmd_exec_all_executables(bootloader_t) - -domain_use_interactive_fds(bootloader_t) - -files_create_boot_dirs(bootloader_t) -files_manage_boot_files(bootloader_t) -files_manage_boot_symlinks(bootloader_t) -files_read_etc_files(bootloader_t) -files_exec_etc_files(bootloader_t) -files_read_usr_src_files(bootloader_t) -files_read_usr_files(bootloader_t) -files_read_var_files(bootloader_t) -files_read_kernel_modules(bootloader_t) -# for nscd -files_dontaudit_search_pids(bootloader_t) -# for blkid.tab -files_manage_etc_runtime_files(bootloader_t) -files_etc_filetrans_etc_runtime(bootloader_t, file) -files_dontaudit_search_home(bootloader_t) - -init_getattr_initctl(bootloader_t) -init_use_script_ptys(bootloader_t) -init_use_script_fds(bootloader_t) -init_rw_script_pipes(bootloader_t) - -libs_read_lib_files(bootloader_t) -libs_exec_lib_files(bootloader_t) - -logging_send_syslog_msg(bootloader_t) -logging_rw_generic_logs(bootloader_t) - -miscfiles_read_localization(bootloader_t) - -modutils_domtrans_insmod_uncond(bootloader_t) - -seutil_read_bin_policy(bootloader_t) -seutil_read_loadpolicy(bootloader_t) -seutil_dontaudit_search_config(bootloader_t) - -userdom_use_user_terminals(bootloader_t) -userdom_dontaudit_search_user_home_dirs(bootloader_t) - -ifdef(`distro_debian',` - allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; - fs_list_tmpfs(bootloader_t) - - files_relabel_kernel_modules(bootloader_t) - files_relabelfrom_boot_files(bootloader_t) - files_delete_kernel_modules(bootloader_t) - files_relabelto_usr_files(bootloader_t) - files_search_var_lib(bootloader_t) - # for /usr/share/initrd-tools/scripts - files_exec_usr_files(bootloader_t) - - fstools_manage_entry_files(bootloader_t) - fstools_relabelto_entry_files(bootloader_t) - - libs_relabelto_lib_files(bootloader_t) -') - -ifdef(`distro_redhat',` - # for memlock - allow bootloader_t self:capability ipc_lock; - - # new file system defaults to file_t, granting file_t access is still bad. - allow bootloader_t boot_runtime_t:file { read_file_perms unlink }; - - # new file system defaults to file_t, granting file_t access is still bad. - files_manage_isid_type_dirs(bootloader_t) - files_manage_isid_type_files(bootloader_t) - files_manage_isid_type_symlinks(bootloader_t) - files_manage_isid_type_blk_files(bootloader_t) - files_manage_isid_type_chr_files(bootloader_t) - - # for mke2fs - mount_domtrans(bootloader_t) - - optional_policy(` - unconfined_domain(bootloader_t) - ') -') - -optional_policy(` - fstools_exec(bootloader_t) -') - -optional_policy(` - hal_dontaudit_append_lib_files(bootloader_t) - hal_write_log(bootloader_t) -') - -optional_policy(` - kudzu_domtrans(bootloader_t) -') - -optional_policy(` - dev_rw_lvm_control(bootloader_t) - - lvm_domtrans(bootloader_t) - lvm_read_config(bootloader_t) -') - -optional_policy(` - modutils_exec_insmod(bootloader_t) - modutils_read_module_deps(bootloader_t) - modutils_read_module_config(bootloader_t) - modutils_exec_insmod(bootloader_t) - modutils_exec_depmod(bootloader_t) - modutils_exec_update_mods(bootloader_t) -') - -optional_policy(` - nscd_socket_use(bootloader_t) -') - -optional_policy(` - rpm_rw_pipes(bootloader_t) -') diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc deleted file mode 100644 index 642f67e..0000000 --- a/policy/modules/admin/brctl.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0) diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if deleted file mode 100644 index fdb453c..0000000 --- a/policy/modules/admin/brctl.if +++ /dev/null @@ -1,38 +0,0 @@ -## Utilities for configuring the linux ethernet bridge - -######################################## -## -## Execute a domain transition to run brctl. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`brctl_domtrans',` - gen_require(` - type brctl_t, brctl_exec_t; - ') - - domtrans_pattern($1, brctl_exec_t, brctl_t) -') - -##################################### -## -## Execute brctl in the brctl domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`brctl_run',` - gen_require(` - type brctl_t, brctl_exec_t; - ') - - brctl_domtrans($1) - role $2 types brctl_t; -') diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te deleted file mode 100644 index 0ff3679..0000000 --- a/policy/modules/admin/brctl.te +++ /dev/null @@ -1,45 +0,0 @@ -policy_module(brctl, 1.5.0) - -######################################## -# -# Declarations -# - -type brctl_t; -type brctl_exec_t; -domain_type(brctl_t) -init_system_domain(brctl_t, brctl_exec_t) - -######################################## -# -# brctl local policy -# - -allow brctl_t self:capability net_admin; -allow brctl_t self:fifo_file rw_file_perms; -allow brctl_t self:unix_stream_socket create_stream_socket_perms; -allow brctl_t self:unix_dgram_socket create_socket_perms; -allow brctl_t self:tcp_socket create_socket_perms; - -kernel_request_load_module(brctl_t) -kernel_read_network_state(brctl_t) -kernel_read_sysctl(brctl_t) - -corenet_rw_tun_tap_dev(brctl_t) - -dev_rw_sysfs(brctl_t) -dev_write_sysfs_dirs(brctl_t) - -# Init script handling -domain_use_interactive_fds(brctl_t) - -files_read_etc_files(brctl_t) - -term_dontaudit_use_console(brctl_t) - -miscfiles_read_localization(brctl_t) - -optional_policy(` - xen_append_log(brctl_t) - xen_dontaudit_rw_unix_stream_sockets(brctl_t) -') diff --git a/policy/modules/admin/certwatch.fc b/policy/modules/admin/certwatch.fc deleted file mode 100644 index b8a3414..0000000 --- a/policy/modules/admin/certwatch.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0) diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if deleted file mode 100644 index 953451a..0000000 --- a/policy/modules/admin/certwatch.if +++ /dev/null @@ -1,78 +0,0 @@ -## Digital Certificate Tracking - -######################################## -## -## Domain transition to certwatch. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`certwatch_domtrans',` - gen_require(` - type certwatch_exec_t, certwatch_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, certwatch_exec_t, certwatch_t) -') - -######################################## -## -## Execute certwatch in the certwatch domain, and -## allow the specified role the certwatch domain, -## and use the caller's terminal. Has a sigchld -## backchannel. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`certwatch_run',` - gen_require(` - type certwatch_t; - ') - - certwatch_domtrans($1) - role $2 types certwatch_t; -') - -######################################## -## -## Execute certwatch in the certwatch domain, and -## allow the specified role the certwatch domain, -## and use the caller's terminal. Has a sigchld -## backchannel. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -## -## The type of the terminal allow the certwatch domain to use. -## -## -## -# -interface(`certwatach_run',` - refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.') - certwatch_run($*) -') diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te deleted file mode 100644 index cec5c56..0000000 --- a/policy/modules/admin/certwatch.te +++ /dev/null @@ -1,53 +0,0 @@ -policy_module(certwatch, 1.5.2) - -######################################## -# -# Declarations -# - -type certwatch_t; -type certwatch_exec_t; -application_domain(certwatch_t, certwatch_exec_t) -role system_r types certwatch_t; - -######################################## -# -# Local policy -# -allow certwatch_t self:capability sys_nice; -allow certwatch_t self:process { setsched getsched }; - -dev_read_urand(certwatch_t) - -files_read_etc_files(certwatch_t) -files_read_usr_files(certwatch_t) -files_read_usr_symlinks(certwatch_t) -files_list_tmp(certwatch_t) - -fs_list_inotifyfs(certwatch_t) - -auth_manage_cache(certwatch_t) -auth_var_filetrans_cache(certwatch_t) - -logging_send_syslog_msg(certwatch_t) - -miscfiles_read_generic_certs(certwatch_t) -miscfiles_read_localization(certwatch_t) - -userdom_use_user_terminals(certwatch_t) -userdom_dontaudit_list_admin_dir(certwatch_t) - -optional_policy(` - apache_exec_modules(certwatch_t) - apache_read_config(certwatch_t) -') - -optional_policy(` - cron_system_entry(certwatch_t, certwatch_exec_t) -') - -optional_policy(` - pcscd_domtrans(certwatch_t) - pcscd_stream_connect(certwatch_t) - pcscd_read_pub_files(certwatch_t) -') diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc deleted file mode 100644 index b7f053b..0000000 --- a/policy/modules/admin/consoletype.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if deleted file mode 100644 index 0f57d3b..0000000 --- a/policy/modules/admin/consoletype.if +++ /dev/null @@ -1,71 +0,0 @@ -## -## Determine of the console connected to the controlling terminal. -## - -######################################## -## -## Execute consoletype in the consoletype domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`consoletype_domtrans',` - gen_require(` - type consoletype_t, consoletype_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, consoletype_exec_t, consoletype_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit consoletype_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute consoletype in the consoletype domain, and -## allow the specified role the consoletype domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`consoletype_run',` - gen_require(` - type consoletype_t; - ') - - consoletype_domtrans($1) - role $2 types consoletype_t; -') - -######################################## -## -## Execute consoletype in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`consoletype_exec',` - gen_require(` - type consoletype_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, consoletype_exec_t) -') diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te deleted file mode 100644 index a370656..0000000 --- a/policy/modules/admin/consoletype.te +++ /dev/null @@ -1,118 +0,0 @@ -policy_module(consoletype, 1.9.1) - -######################################## -# -# Declarations -# - -type consoletype_t; -type consoletype_exec_t; -application_executable_file(consoletype_exec_t) -init_domain(consoletype_t, consoletype_exec_t) -init_system_domain(consoletype_t, consoletype_exec_t) -role system_r types consoletype_t; - -######################################## -# -# Local declarations -# - -allow consoletype_t self:capability { sys_admin sys_tty_config }; -allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow consoletype_t self:fd use; -allow consoletype_t self:fifo_file rw_fifo_file_perms; -allow consoletype_t self:sock_file read_sock_file_perms; -allow consoletype_t self:unix_dgram_socket create_socket_perms; -allow consoletype_t self:unix_stream_socket create_stream_socket_perms; -allow consoletype_t self:unix_dgram_socket sendto; -allow consoletype_t self:unix_stream_socket connectto; -allow consoletype_t self:shm create_shm_perms; -allow consoletype_t self:sem create_sem_perms; -allow consoletype_t self:msgq create_msgq_perms; -allow consoletype_t self:msg { send receive }; - -kernel_use_fds(consoletype_t) -kernel_dontaudit_read_system_state(consoletype_t) - -fs_getattr_all_fs(consoletype_t) -fs_search_auto_mountpoints(consoletype_t) -fs_write_nfs_files(consoletype_t) -fs_list_inotifyfs(consoletype_t) - -mls_file_read_all_levels(consoletype_t) -mls_file_write_all_levels(consoletype_t) - -term_use_all_terms(consoletype_t) - -init_use_fds(consoletype_t) -init_use_script_ptys(consoletype_t) -init_use_script_fds(consoletype_t) -init_rw_script_pipes(consoletype_t) - -domain_use_interactive_fds(consoletype_t) - -files_dontaudit_read_root_files(consoletype_t) -files_list_usr(consoletype_t) - -userdom_use_user_terminals(consoletype_t) - -ifdef(`distro_redhat',` - fs_rw_tmpfs_chr_files(consoletype_t) -') - -optional_policy(` - apm_use_fds(consoletype_t) - apm_write_pipes(consoletype_t) -') - -optional_policy(` - auth_read_pam_pid(consoletype_t) -') - -optional_policy(` - cron_read_pipes(consoletype_t) - cron_use_system_job_fds(consoletype_t) -') - -optional_policy(` - files_read_etc_files(consoletype_t) - firstboot_use_fds(consoletype_t) - firstboot_rw_pipes(consoletype_t) -') - -optional_policy(` - hal_dontaudit_leaks(consoletype_t) -') - -optional_policy(` - hotplug_dontaudit_use_fds(consoletype_t) -') - -optional_policy(` - logrotate_dontaudit_use_fds(consoletype_t) -') - -optional_policy(` - lpd_read_config(consoletype_t) -') - -optional_policy(` - nis_use_ypbind(consoletype_t) -') - -optional_policy(` - # Commonly used from postinst scripts - rpm_read_pipes(consoletype_t) -') - -optional_policy(` - userdom_use_unpriv_users_fds(consoletype_t) -') - -optional_policy(` - kernel_read_xen_state(consoletype_t) - kernel_write_xen_state(consoletype_t) - xen_append_log(consoletype_t) - xen_dontaudit_rw_unix_stream_sockets(consoletype_t) - xen_dontaudit_use_fds(consoletype_t) -') diff --git a/policy/modules/admin/ddcprobe.fc b/policy/modules/admin/ddcprobe.fc deleted file mode 100644 index 49e6a25..0000000 --- a/policy/modules/admin/ddcprobe.fc +++ /dev/null @@ -1,4 +0,0 @@ -# -# /usr -# -/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0) diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if deleted file mode 100644 index 9868652..0000000 --- a/policy/modules/admin/ddcprobe.if +++ /dev/null @@ -1,45 +0,0 @@ -## ddcprobe retrieves monitor and graphics card information - -######################################## -## -## Execute ddcprobe in the ddcprobe domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ddcprobe_domtrans',` - gen_require(` - type ddcprobe_t, ddcprobe_exec_t; - ') - - domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t) -') - -######################################## -## -## Execute ddcprobe in the ddcprobe domain, and -## allow the specified role the ddcprobe domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role to be authenticated for ddcprobe domain. -## -## -## -# -interface(`ddcprobe_run',` - gen_require(` - type ddcprobe_t; - ') - - ddcprobe_domtrans($1) - role $2 types ddcprobe_t; -') diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te deleted file mode 100644 index 5e062bc..0000000 --- a/policy/modules/admin/ddcprobe.te +++ /dev/null @@ -1,51 +0,0 @@ -policy_module(ddcprobe, 1.2.0) - -######################################## -# -# Declarations -# - -type ddcprobe_t; -type ddcprobe_exec_t; -application_domain(ddcprobe_t, ddcprobe_exec_t) -role system_r types ddcprobe_t; - -######################################## -# -# Local policy -# - -allow ddcprobe_t self:capability { sys_rawio sys_admin }; -allow ddcprobe_t self:process execmem; - -kernel_read_system_state(ddcprobe_t) -kernel_read_kernel_sysctls(ddcprobe_t) -kernel_change_ring_buffer_level(ddcprobe_t) - -files_search_kernel_modules(ddcprobe_t) - -corecmd_list_bin(ddcprobe_t) -corecmd_exec_bin(ddcprobe_t) - -dev_read_urand(ddcprobe_t) -dev_read_raw_memory(ddcprobe_t) -dev_wx_raw_memory(ddcprobe_t) - -files_read_etc_files(ddcprobe_t) -files_read_etc_runtime_files(ddcprobe_t) -files_read_usr_files(ddcprobe_t) - -term_use_all_ttys(ddcprobe_t) -term_use_all_ptys(ddcprobe_t) - -libs_read_lib_files(ddcprobe_t) - -miscfiles_read_localization(ddcprobe_t) - -modutils_read_module_deps(ddcprobe_t) - -userdom_use_user_terminals(ddcprobe_t) -userdom_use_all_users_fds(ddcprobe_t) - -#reh why? this does not seem even necessary to function properly -kudzu_getattr_exec_files(ddcprobe_t) diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc deleted file mode 100644 index d6cc2d9..0000000 --- a/policy/modules/admin/dmesg.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if deleted file mode 100644 index e1973c7..0000000 --- a/policy/modules/admin/dmesg.if +++ /dev/null @@ -1,40 +0,0 @@ -## Policy for dmesg. - -######################################## -## -## Execute dmesg in the dmesg domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dmesg_domtrans',` - gen_require(` - type dmesg_t, dmesg_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dmesg_exec_t, dmesg_t) -') - -######################################## -## -## Execute dmesg in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`dmesg_exec',` - gen_require(` - type dmesg_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, dmesg_exec_t) -') diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te deleted file mode 100644 index 5421065..0000000 --- a/policy/modules/admin/dmesg.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(dmesg, 1.3.0) - -######################################## -# -# Declarations -# - -type dmesg_t; -type dmesg_exec_t; -init_system_domain(dmesg_t, dmesg_exec_t) - -######################################## -# -# Local policy -# - -allow dmesg_t self:capability sys_admin; -dontaudit dmesg_t self:capability sys_tty_config; - -allow dmesg_t self:process signal_perms; - -kernel_read_kernel_sysctls(dmesg_t) -kernel_read_ring_buffer(dmesg_t) -kernel_clear_ring_buffer(dmesg_t) -kernel_change_ring_buffer_level(dmesg_t) -kernel_list_proc(dmesg_t) -kernel_read_proc_symlinks(dmesg_t) - -dev_read_sysfs(dmesg_t) - -fs_search_auto_mountpoints(dmesg_t) - -term_dontaudit_use_console(dmesg_t) - -domain_use_interactive_fds(dmesg_t) - -files_list_etc(dmesg_t) -# for when /usr is not mounted: -files_dontaudit_search_isid_type_dirs(dmesg_t) - -init_use_fds(dmesg_t) -init_use_script_ptys(dmesg_t) - -logging_send_syslog_msg(dmesg_t) -logging_write_generic_logs(dmesg_t) - -miscfiles_read_localization(dmesg_t) - -userdom_dontaudit_use_unpriv_user_fds(dmesg_t) -userdom_use_user_terminals(dmesg_t) - -optional_policy(` - abrt_cache_append(dmesg_t) - abrt_rw_fifo_file(dmesg_t) - abrt_manage_pid_files(dmesg_t) -') - -optional_policy(` - seutil_sigchld_newrole(dmesg_t) -') - -optional_policy(` - udev_read_db(dmesg_t) -') diff --git a/policy/modules/admin/dmidecode.fc b/policy/modules/admin/dmidecode.fc deleted file mode 100644 index 016e6b8..0000000 --- a/policy/modules/admin/dmidecode.fc +++ /dev/null @@ -1,4 +0,0 @@ - -/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0) -/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0) -/usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0) diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if deleted file mode 100644 index 4bf435c..0000000 --- a/policy/modules/admin/dmidecode.if +++ /dev/null @@ -1,50 +0,0 @@ -## Decode DMI data for x86/ia64 bioses. - -######################################## -## -## Execute dmidecode in the dmidecode domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dmidecode_domtrans',` - gen_require(` - type dmidecode_t, dmidecode_exec_t; - ') - - domain_auto_trans($1, dmidecode_exec_t, dmidecode_t) - - allow $1 dmidecode_t:fd use; - allow dmidecode_t $1:fd use; - allow dmidecode_t $1:fifo_file rw_file_perms; - allow dmidecode_t $1:process sigchld; -') - -######################################## -## -## Execute dmidecode in the dmidecode domain, and -## allow the specified role the dmidecode domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`dmidecode_run',` - gen_require(` - type dmidecode_t; - ') - - dmidecode_domtrans($1) - role $2 types dmidecode_t; -') diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te deleted file mode 100644 index d6356b5..0000000 --- a/policy/modules/admin/dmidecode.te +++ /dev/null @@ -1,30 +0,0 @@ -policy_module(dmidecode, 1.4.0) - -######################################## -# -# Declarations -# - -type dmidecode_t; -type dmidecode_exec_t; -application_domain(dmidecode_t, dmidecode_exec_t) -role system_r types dmidecode_t; - -######################################## -# -# Local policy -# - -allow dmidecode_t self:capability sys_rawio; - -dev_read_sysfs(dmidecode_t) -# Allow dmidecode to read /dev/mem -dev_read_raw_memory(dmidecode_t) - -mls_file_read_all_levels(dmidecode_t) - -files_list_usr(dmidecode_t) - -locallogin_use_fds(dmidecode_t) - -userdom_use_user_terminals(dmidecode_t) diff --git a/policy/modules/admin/dpkg.fc b/policy/modules/admin/dpkg.fc deleted file mode 100644 index 6d0f9ee..0000000 --- a/policy/modules/admin/dpkg.fc +++ /dev/null @@ -1,12 +0,0 @@ -# Debian package manager -/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0) -/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0) -# not sure if dselect should be in apt instead? -/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0) - -/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0) -# lockfile is treated specially, since used by apt, too -/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0) - -/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0) -/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0) diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if deleted file mode 100644 index 9317171..0000000 --- a/policy/modules/admin/dpkg.if +++ /dev/null @@ -1,226 +0,0 @@ -## Policy for the Debian package manager. -# TODO: need debconf policy -# TODO: need install-menu policy - -######################################## -## -## Execute dpkg programs in the dpkg domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dpkg_domtrans',` - gen_require(` - type dpkg_t, dpkg_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, dpkg_exec_t, dpkg_t) -') - -######################################## -## -## Execute dpkg_script programs in the dpkg_script domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dpkg_domtrans_script',` - gen_require(` - type dpkg_script_t; - ') - - # transition to dpkg script: - corecmd_shell_domtrans($1, dpkg_script_t) - allow dpkg_script_t $1:fd use; - allow dpkg_script_t $1:fifo_file rw_file_perms; - allow dpkg_script_t $1:process sigchld; -') - -######################################## -## -## Execute dpkg programs in the dpkg domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the dpkg domain. -## -## -## -# -interface(`dpkg_run',` - gen_require(` - type dpkg_t, dpkg_script_t; - ') - - dpkg_domtrans($1) - role $2 types dpkg_t; - role $2 types dpkg_script_t; - seutil_run_loadpolicy(dpkg_script_t, $2) -') - -######################################## -## -## Inherit and use file descriptors from dpkg. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_use_fds',` - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fd use; -') - -######################################## -## -## Read from an unnamed dpkg pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_read_pipes',` - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Read and write an unnamed dpkg pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_rw_pipes',` - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Inherit and use file descriptors from dpkg scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_use_script_fds',` - gen_require(` - type dpkg_script_t; - ') - - allow $1 dpkg_script_t:fd use; -') - -######################################## -## -## Read the dpkg package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_read_db',` - gen_require(` - type dpkg_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 dpkg_var_lib_t:dir list_dir_perms; - read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) - read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete the dpkg package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_manage_db',` - gen_require(` - type dpkg_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) - manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete the dpkg package database. -## -## -## -## Domain to not audit. -## -## -# -interface(`dpkg_dontaudit_manage_db',` - gen_require(` - type dpkg_var_lib_t; - ') - - dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms; - dontaudit $1 dpkg_var_lib_t:file manage_file_perms; - dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## -## Lock the dpkg package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_lock_db',` - gen_require(` - type dpkg_lock_t, dpkg_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 dpkg_var_lib_t:dir list_dir_perms; - allow $1 dpkg_lock_t:file manage_file_perms; -') diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te deleted file mode 100644 index 6776b69..0000000 --- a/policy/modules/admin/dpkg.te +++ /dev/null @@ -1,338 +0,0 @@ -policy_module(dpkg, 1.7.0) - -######################################## -# -# Declarations -# - -type dpkg_t; -type dpkg_exec_t; -# dpkg can start/stop services -init_system_domain(dpkg_t, dpkg_exec_t) -# dpkg can change file labels, roles, IO -domain_obj_id_change_exemption(dpkg_t) -domain_role_change_exemption(dpkg_t) -domain_system_change_exemption(dpkg_t) -domain_interactive_fd(dpkg_t) -role system_r types dpkg_t; - -# lockfile -type dpkg_lock_t; -files_type(dpkg_lock_t) - -type dpkg_tmp_t; -files_tmp_file(dpkg_tmp_t) - -type dpkg_tmpfs_t; -files_tmpfs_file(dpkg_tmpfs_t) - -# status files -type dpkg_var_lib_t alias var_lib_dpkg_t; -files_type(dpkg_var_lib_t) - -# package scripts -type dpkg_script_t; -domain_type(dpkg_script_t) -domain_entry_file(dpkg_t, dpkg_var_lib_t) -corecmd_shell_entry_type(dpkg_script_t) -domain_obj_id_change_exemption(dpkg_script_t) -domain_system_change_exemption(dpkg_script_t) -domain_interactive_fd(dpkg_script_t) -role system_r types dpkg_script_t; - -type dpkg_script_tmp_t; -files_tmp_file(dpkg_script_tmp_t) - -type dpkg_script_tmpfs_t; -files_tmpfs_file(dpkg_script_tmpfs_t) - -######################################## -# -# dpkg Local policy -# - -allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; -allow dpkg_t self:process { setpgid fork getsched setfscreate }; -allow dpkg_t self:fd use; -allow dpkg_t self:fifo_file rw_fifo_file_perms; -allow dpkg_t self:unix_dgram_socket create_socket_perms; -allow dpkg_t self:unix_stream_socket rw_stream_socket_perms; -allow dpkg_t self:unix_dgram_socket sendto; -allow dpkg_t self:unix_stream_socket connectto; -allow dpkg_t self:udp_socket { connect create_socket_perms }; -allow dpkg_t self:tcp_socket create_stream_socket_perms; -allow dpkg_t self:shm create_shm_perms; -allow dpkg_t self:sem create_sem_perms; -allow dpkg_t self:msgq create_msgq_perms; -allow dpkg_t self:msg { send receive }; - -allow dpkg_t dpkg_lock_t:file manage_file_perms; - -manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) -manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) -files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir }) - -manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -# Access /var/lib/dpkg files -manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t) -files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) - -kernel_read_system_state(dpkg_t) -kernel_read_kernel_sysctls(dpkg_t) - -corecmd_exec_all_executables(dpkg_t) - -# TODO: do we really need all networking? -corenet_all_recvfrom_unlabeled(dpkg_t) -corenet_all_recvfrom_netlabel(dpkg_t) -corenet_tcp_sendrecv_generic_if(dpkg_t) -corenet_raw_sendrecv_generic_if(dpkg_t) -corenet_udp_sendrecv_generic_if(dpkg_t) -corenet_tcp_sendrecv_generic_node(dpkg_t) -corenet_raw_sendrecv_generic_node(dpkg_t) -corenet_udp_sendrecv_generic_node(dpkg_t) -corenet_tcp_sendrecv_all_ports(dpkg_t) -corenet_udp_sendrecv_all_ports(dpkg_t) -corenet_tcp_connect_all_ports(dpkg_t) -corenet_sendrecv_all_client_packets(dpkg_t) - -dev_list_sysfs(dpkg_t) -dev_list_usbfs(dpkg_t) -dev_read_urand(dpkg_t) -#devices_manage_all_device_types(dpkg_t) - -domain_read_all_domains_state(dpkg_t) -domain_getattr_all_domains(dpkg_t) -domain_dontaudit_ptrace_all_domains(dpkg_t) -domain_use_interactive_fds(dpkg_t) -domain_dontaudit_getattr_all_pipes(dpkg_t) -domain_dontaudit_getattr_all_tcp_sockets(dpkg_t) -domain_dontaudit_getattr_all_udp_sockets(dpkg_t) -domain_dontaudit_getattr_all_packet_sockets(dpkg_t) -domain_dontaudit_getattr_all_raw_sockets(dpkg_t) -domain_dontaudit_getattr_all_stream_sockets(dpkg_t) -domain_dontaudit_getattr_all_dgram_sockets(dpkg_t) - -fs_manage_nfs_dirs(dpkg_t) -fs_manage_nfs_files(dpkg_t) -fs_manage_nfs_symlinks(dpkg_t) -fs_getattr_all_fs(dpkg_t) -fs_search_auto_mountpoints(dpkg_t) - -mls_file_read_all_levels(dpkg_t) -mls_file_write_all_levels(dpkg_t) -mls_file_upgrade(dpkg_t) - -selinux_get_fs_mount(dpkg_t) -selinux_validate_context(dpkg_t) -selinux_compute_access_vector(dpkg_t) -selinux_compute_create_context(dpkg_t) -selinux_compute_relabel_context(dpkg_t) -selinux_compute_user_contexts(dpkg_t) - -storage_raw_write_fixed_disk(dpkg_t) -# for installing kernel packages -storage_raw_read_fixed_disk(dpkg_t) - -auth_relabel_all_files_except_shadow(dpkg_t) -auth_manage_all_files_except_shadow(dpkg_t) -auth_dontaudit_read_shadow(dpkg_t) - -files_exec_etc_files(dpkg_t) - -init_domtrans_script(dpkg_t) -init_use_script_ptys(dpkg_t) - -libs_exec_ld_so(dpkg_t) -libs_exec_lib_files(dpkg_t) -libs_domtrans_ldconfig(dpkg_t) - -logging_send_syslog_msg(dpkg_t) - -# allow compiling and loading new policy -seutil_manage_src_policy(dpkg_t) -seutil_manage_bin_policy(dpkg_t) - -sysnet_read_config(dpkg_t) - -userdom_use_user_terminals(dpkg_t) -userdom_use_unpriv_users_fds(dpkg_t) - -# transition to dpkg script: -dpkg_domtrans_script(dpkg_t) -# since the scripts aren't labeled correctly yet... -allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; - -optional_policy(` - apt_use_ptys(dpkg_t) -') - -# TODO: allow? -#optional_policy(` -# cron_system_entry(dpkg_t,dpkg_exec_t) -#') - -optional_policy(` - nis_use_ypbind(dpkg_t) -') - -optional_policy(` - unconfined_domain(dpkg_t) -') - -# TODO: the following was copied from dpkg_script_t, and could probably -# be removed again when dpkg_script_t is actually used... -domain_signal_all_domains(dpkg_t) -domain_signull_all_domains(dpkg_t) -files_read_etc_runtime_files(dpkg_t) -files_exec_usr_files(dpkg_t) -miscfiles_read_localization(dpkg_t) -modutils_domtrans_depmod(dpkg_t) -modutils_domtrans_insmod(dpkg_t) -seutil_domtrans_loadpolicy(dpkg_t) -seutil_domtrans_setfiles(dpkg_t) -userdom_use_all_users_fds(dpkg_t) -optional_policy(` - mta_send_mail(dpkg_t) -') -optional_policy(` - usermanage_domtrans_groupadd(dpkg_t) - usermanage_domtrans_useradd(dpkg_t) -') - -######################################## -# -# dpkg-script Local policy -# -# TODO: actually use dpkg_script_t - -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow dpkg_script_t self:fd use; -allow dpkg_script_t self:fifo_file rw_fifo_file_perms; -allow dpkg_script_t self:unix_dgram_socket create_socket_perms; -allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms; -allow dpkg_script_t self:unix_dgram_socket sendto; -allow dpkg_script_t self:unix_stream_socket connectto; -allow dpkg_script_t self:shm create_shm_perms; -allow dpkg_script_t self:sem create_sem_perms; -allow dpkg_script_t self:msgq create_msgq_perms; -allow dpkg_script_t self:msg { send receive }; - -allow dpkg_script_t dpkg_tmp_t:file read_file_perms; - -allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton }; -allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms; -files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir }) - -allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(dpkg_script_t) -kernel_read_system_state(dpkg_script_t) - -corecmd_exec_all_executables(dpkg_script_t) - -dev_list_sysfs(dpkg_script_t) -# ideally we would not need this -dev_manage_generic_blk_files(dpkg_script_t) -dev_manage_generic_chr_files(dpkg_script_t) -dev_manage_all_blk_files(dpkg_script_t) -dev_manage_all_chr_files(dpkg_script_t) - -domain_read_all_domains_state(dpkg_script_t) -domain_getattr_all_domains(dpkg_script_t) -domain_dontaudit_ptrace_all_domains(dpkg_script_t) -domain_use_interactive_fds(dpkg_script_t) -domain_signal_all_domains(dpkg_script_t) -domain_signull_all_domains(dpkg_script_t) - -files_exec_etc_files(dpkg_script_t) -files_read_etc_runtime_files(dpkg_script_t) -files_exec_usr_files(dpkg_script_t) - -fs_manage_nfs_files(dpkg_script_t) -fs_getattr_nfs(dpkg_script_t) -# why is this not using mount? -fs_getattr_xattr_fs(dpkg_script_t) -fs_mount_xattr_fs(dpkg_script_t) -fs_unmount_xattr_fs(dpkg_script_t) -fs_search_auto_mountpoints(dpkg_script_t) - -mls_file_read_all_levels(dpkg_script_t) -mls_file_write_all_levels(dpkg_script_t) - -selinux_get_fs_mount(dpkg_script_t) -selinux_validate_context(dpkg_script_t) -selinux_compute_access_vector(dpkg_script_t) -selinux_compute_create_context(dpkg_script_t) -selinux_compute_relabel_context(dpkg_script_t) -selinux_compute_user_contexts(dpkg_script_t) - -storage_raw_read_fixed_disk(dpkg_script_t) -storage_raw_write_fixed_disk(dpkg_script_t) - -term_use_all_terms(dpkg_script_t) - -auth_dontaudit_getattr_shadow(dpkg_script_t) -# ideally we would not need this -auth_manage_all_files_except_shadow(dpkg_script_t) - -init_domtrans_script(dpkg_script_t) -init_use_script_fds(dpkg_script_t) - -libs_exec_ld_so(dpkg_script_t) -libs_exec_lib_files(dpkg_script_t) -libs_domtrans_ldconfig(dpkg_script_t) - -logging_send_syslog_msg(dpkg_script_t) - -miscfiles_read_localization(dpkg_script_t) - -modutils_domtrans_depmod(dpkg_script_t) -modutils_domtrans_insmod(dpkg_script_t) - -seutil_domtrans_loadpolicy(dpkg_script_t) -seutil_domtrans_setfiles(dpkg_script_t) - -userdom_use_all_users_fds(dpkg_script_t) - -tunable_policy(`allow_execmem',` - allow dpkg_script_t self:process execmem; -') - -optional_policy(` - apt_rw_pipes(dpkg_script_t) - apt_use_fds(dpkg_script_t) -') - -optional_policy(` - bootloader_domtrans(dpkg_script_t) -') - -optional_policy(` - mta_send_mail(dpkg_script_t) -') - -optional_policy(` - nis_use_ypbind(dpkg_script_t) -') - -optional_policy(` - unconfined_domain(dpkg_script_t) -') - -optional_policy(` - usermanage_domtrans_groupadd(dpkg_script_t) - usermanage_domtrans_useradd(dpkg_script_t) -') diff --git a/policy/modules/admin/firstboot.fc b/policy/modules/admin/firstboot.fc deleted file mode 100644 index ba614e4..0000000 --- a/policy/modules/admin/firstboot.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) - -/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if deleted file mode 100644 index 8fa451c..0000000 --- a/policy/modules/admin/firstboot.if +++ /dev/null @@ -1,157 +0,0 @@ -## -## Final system configuration run during the first boot -## after installation of Red Hat/Fedora systems. -## - -######################################## -## -## Execute firstboot in the firstboot domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`firstboot_domtrans',` - gen_require(` - type firstboot_t, firstboot_exec_t; - ') - - domtrans_pattern($1, firstboot_exec_t, firstboot_t) -') - -######################################## -## -## Execute firstboot in the firstboot domain, and -## allow the specified role the firstboot domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`firstboot_run',` - gen_require(` - type firstboot_t; - ') - - firstboot_domtrans($1) - role $2 types firstboot_t; -') - -######################################## -## -## Inherit and use a file descriptor from firstboot. -## -## -## -## Domain allowed access. -## -## -# -interface(`firstboot_use_fds',` - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit a -## file descriptor from firstboot. -## -## -## -## Domain to not audit. -## -## -# -interface(`firstboot_dontaudit_use_fds',` - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:fd use; -') - -######################################## -## -## Write to a firstboot unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`firstboot_write_pipes',` - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fifo_file write; -') - -######################################## -## -## Read and Write to a firstboot unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`firstboot_rw_pipes',` - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fifo_file { read write }; -') - -######################################## -## -## Do not audit attemps to read and write to a firstboot unnamed pipe. -## -## -## -## Domain to not audit. -## -## -# -interface(`firstboot_dontaudit_rw_pipes',` - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:fifo_file { read write }; -') - -######################################## -## -## Do not audit attemps to read and write to a firstboot -## unix domain stream socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`firstboot_dontaudit_rw_stream_sockets',` - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:unix_stream_socket { read write }; -') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te deleted file mode 100644 index bfda8e9..0000000 --- a/policy/modules/admin/firstboot.te +++ /dev/null @@ -1,140 +0,0 @@ -policy_module(firstboot, 1.11.2) - -gen_require(` - class passwd rootok; -') - -######################################## -# -# Declarations -# - -type firstboot_t; -type firstboot_exec_t; -init_system_domain(firstboot_t, firstboot_exec_t) -domain_obj_id_change_exemption(firstboot_t) -domain_subj_id_change_exemption(firstboot_t) -role system_r types firstboot_t; - -type firstboot_etc_t; -files_config_file(firstboot_etc_t) - -######################################## -# -# Local policy -# - -allow firstboot_t self:capability { dac_override setgid }; -allow firstboot_t self:process setfscreate; -allow firstboot_t self:fifo_file rw_fifo_file_perms; -allow firstboot_t self:tcp_socket create_stream_socket_perms; -allow firstboot_t self:unix_stream_socket { connect create }; -allow firstboot_t self:passwd rootok; - -allow firstboot_t firstboot_etc_t:file read_file_perms; - -kernel_read_system_state(firstboot_t) -kernel_read_kernel_sysctls(firstboot_t) - -corenet_all_recvfrom_unlabeled(firstboot_t) -corenet_all_recvfrom_netlabel(firstboot_t) -corenet_tcp_sendrecv_generic_if(firstboot_t) -corenet_tcp_sendrecv_generic_node(firstboot_t) -corenet_tcp_sendrecv_all_ports(firstboot_t) - -dev_read_urand(firstboot_t) - -selinux_get_fs_mount(firstboot_t) -selinux_validate_context(firstboot_t) -selinux_compute_access_vector(firstboot_t) -selinux_compute_create_context(firstboot_t) -selinux_compute_relabel_context(firstboot_t) -selinux_compute_user_contexts(firstboot_t) - -auth_dontaudit_getattr_shadow(firstboot_t) - -corecmd_exec_all_executables(firstboot_t) - -files_exec_etc_files(firstboot_t) -files_manage_etc_files(firstboot_t) -files_manage_etc_runtime_files(firstboot_t) -files_read_usr_files(firstboot_t) -files_manage_var_dirs(firstboot_t) -files_manage_var_files(firstboot_t) -files_manage_var_symlinks(firstboot_t) - -init_domtrans_script(firstboot_t) -init_rw_utmp(firstboot_t) - -libs_exec_ld_so(firstboot_t) -libs_exec_lib_files(firstboot_t) - -locallogin_use_fds(firstboot_t) - -logging_send_syslog_msg(firstboot_t) - -miscfiles_read_localization(firstboot_t) - -modutils_domtrans_insmod(firstboot_t) -modutils_domtrans_depmod(firstboot_t) -modutils_read_module_config(firstboot_t) -modutils_read_module_deps(firstboot_t) - -userdom_use_user_terminals(firstboot_t) -# Add/remove user home directories -userdom_manage_user_home_content_dirs(firstboot_t) -userdom_manage_user_home_content_files(firstboot_t) -userdom_manage_user_home_content_symlinks(firstboot_t) -userdom_manage_user_home_content_pipes(firstboot_t) -userdom_manage_user_home_content_sockets(firstboot_t) -userdom_home_filetrans_user_home_dir(firstboot_t) -userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - consoletype_domtrans(firstboot_t) -') - -optional_policy(` - dbus_system_bus_client(firstboot_t) - - optional_policy(` - hal_dbus_chat(firstboot_t) - ') -') - -optional_policy(` - iptables_domtrans(firstboot_t) -') - -optional_policy(` - nis_use_ypbind(firstboot_t) -') - -optional_policy(` - samba_rw_config(firstboot_t) -') - -optional_policy(` - unconfined_domtrans(firstboot_t) - # The big hammer - unconfined_domain(firstboot_t) -') - -optional_policy(` - usermanage_domtrans_chfn(firstboot_t) - usermanage_domtrans_groupadd(firstboot_t) - usermanage_domtrans_passwd(firstboot_t) - usermanage_domtrans_useradd(firstboot_t) - usermanage_domtrans_admin_passwd(firstboot_t) -') - -optional_policy(` - gnome_admin_home_gconf_filetrans(firstboot_t, dir) - gnome_manage_config(firstboot_t) -') - -optional_policy(` - xserver_domtrans(firstboot_t) - xserver_rw_shm(firstboot_t) - xserver_unconfined(firstboot_t) -') diff --git a/policy/modules/admin/kismet.fc b/policy/modules/admin/kismet.fc deleted file mode 100644 index dae60e5..0000000 --- a/policy/modules/admin/kismet.fc +++ /dev/null @@ -1,6 +0,0 @@ -HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0) - -/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) -/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) -/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) -/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if deleted file mode 100644 index c18c920..0000000 --- a/policy/modules/admin/kismet.if +++ /dev/null @@ -1,247 +0,0 @@ -## Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. - -######################################## -## -## Execute a domain transition to run kismet. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kismet_domtrans',` - gen_require(` - type kismet_t, kismet_exec_t; - ') - - domtrans_pattern($1, kismet_exec_t, kismet_t) - allow kismet_t $1:process signull; -') - -######################################## -## -## Execute kismet in the kismet domain, and -## allow the specified role the kismet domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`kismet_run',` - gen_require(` - type kismet_t; - ') - - kismet_domtrans($1) - role $2 types kismet_t; -') - -######################################## -## -## Read kismet PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_read_pid_files',` - gen_require(` - type kismet_var_run_t; - ') - - allow $1 kismet_var_run_t:file read_file_perms; - files_search_pids($1) -') - -######################################## -## -## Manage kismet var_run files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_manage_pid_files',` - gen_require(` - type kismet_var_run_t; - ') - - allow $1 kismet_var_run_t:file manage_file_perms; - files_search_pids($1) -') - -######################################## -## -## Search kismet lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_search_lib',` - gen_require(` - type kismet_var_lib_t; - ') - - allow $1 kismet_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read kismet lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_read_lib_files',` - gen_require(` - type kismet_var_lib_t; - ') - - allow $1 kismet_var_lib_t:file read_file_perms; - allow $1 kismet_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Create, read, write, and delete -## kismet lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_manage_lib_files',` - gen_require(` - type kismet_var_lib_t; - ') - - manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Manage kismet var_lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_manage_lib',` - gen_require(` - type kismet_var_lib_t; - ') - - manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) -') - -######################################## -## -## Allow the specified domain to read kismet's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kismet_read_log',` - gen_require(` - type kismet_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, kismet_log_t, kismet_log_t) -') - -######################################## -## -## Allow the specified domain to append -## kismet log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_append_log',` - gen_require(` - type kismet_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, kismet_log_t, kismet_log_t) -') - -######################################## -## -## Allow domain to manage kismet log files -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_manage_log',` - gen_require(` - type kismet_log_t; - ') - - manage_dirs_pattern($1, kismet_log_t, kismet_log_t) - manage_files_pattern($1, kismet_log_t, kismet_log_t) - manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t) - logging_search_logs($1) -') - -######################################## -## -## All of the rules required to administrate an kismet environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kismet_admin',` - gen_require(` - type kismet_t; - ') - - ps_process_pattern($1, kismet_t) - allow $1 kismet_t:process { ptrace signal_perms }; - - kismet_manage_pid_files($1) - kismet_manage_lib($1) - kismet_manage_log($1) -') diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te deleted file mode 100644 index 908622a..0000000 --- a/policy/modules/admin/kismet.te +++ /dev/null @@ -1,101 +0,0 @@ -policy_module(kismet, 1.5.1) - -######################################## -# -# Declarations -# - -type kismet_t; -type kismet_exec_t; -application_domain(kismet_t, kismet_exec_t) -role system_r types kismet_t; - -type kismet_home_t; -userdom_user_home_content(kismet_home_t) - -type kismet_log_t; -logging_log_file(kismet_log_t) - -type kismet_tmp_t; -files_tmp_file(kismet_tmp_t) - -type kismet_tmpfs_t; -files_tmp_file(kismet_tmpfs_t) - -type kismet_var_lib_t; -files_type(kismet_var_lib_t) - -type kismet_var_run_t; -files_pid_file(kismet_var_run_t) - -######################################## -# -# kismet local policy -# - -allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; -allow kismet_t self:process signal_perms; -allow kismet_t self:fifo_file rw_file_perms; -allow kismet_t self:packet_socket create_socket_perms; -allow kismet_t self:unix_dgram_socket { create_socket_perms sendto }; -allow kismet_t self:unix_stream_socket create_stream_socket_perms; -allow kismet_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) -manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) -manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t) -userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir }) -userdom_search_user_home_dirs(kismet_t) - -manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) -allow kismet_t kismet_log_t:dir setattr; -logging_log_filetrans(kismet_t, kismet_log_t, { file dir }) - -manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file }) - -manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) -manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) -fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file }) - -allow kismet_t kismet_var_lib_t:file manage_file_perms; -allow kismet_t kismet_var_lib_t:dir manage_dir_perms; -files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir }) - -allow kismet_t kismet_var_run_t:file manage_file_perms; -allow kismet_t kismet_var_run_t:dir manage_dir_perms; -files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) - -kernel_search_debugfs(kismet_t) -kernel_read_system_state(kismet_t) -kernel_read_network_state(kismet_t) - -corecmd_exec_bin(kismet_t) - -corenet_all_recvfrom_unlabeled(kismet_t) -corenet_all_recvfrom_netlabel(kismet_t) -corenet_tcp_sendrecv_generic_if(kismet_t) -corenet_tcp_sendrecv_generic_node(kismet_t) -corenet_tcp_sendrecv_all_ports(kismet_t) -corenet_tcp_bind_generic_node(kismet_t) -corenet_tcp_bind_kismet_port(kismet_t) -corenet_tcp_connect_kismet_port(kismet_t) -corenet_tcp_connect_pulseaudio_port(kismet_t) - -auth_use_nsswitch(kismet_t) - -files_read_etc_files(kismet_t) -files_read_usr_files(kismet_t) - -miscfiles_read_localization(kismet_t) - -userdom_use_user_terminals(kismet_t) -userdom_read_user_tmpfs_files(kismet_t) - -optional_policy(` - dbus_system_bus_client(kismet_t) - - networkmanager_dbus_chat(kismet_t) -') diff --git a/policy/modules/admin/kudzu.fc b/policy/modules/admin/kudzu.fc deleted file mode 100644 index dd88f74..0000000 --- a/policy/modules/admin/kudzu.fc +++ /dev/null @@ -1,5 +0,0 @@ - -/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0) -/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) - -/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if deleted file mode 100644 index 65bcaff..0000000 --- a/policy/modules/admin/kudzu.if +++ /dev/null @@ -1,64 +0,0 @@ -## Hardware detection and configuration tools - -######################################## -## -## Execute kudzu in the kudzu domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kudzu_domtrans',` - gen_require(` - type kudzu_t, kudzu_exec_t; - ') - - domtrans_pattern($1, kudzu_exec_t, kudzu_t) -') - -######################################## -## -## Execute kudzu in the kudzu domain, and -## allow the specified role the kudzu domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`kudzu_run',` - gen_require(` - type kudzu_t; - ') - - kudzu_domtrans($1) - role $2 types kudzu_t; -') - -######################################## -## -## Get attributes of kudzu executable. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for ddcprobe -interface(`kudzu_getattr_exec_files',` - gen_require(` - type kudzu_exec_t; - ') - - allow $1 kudzu_exec_t:file getattr; -') diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te deleted file mode 100644 index 4f7bd3c..0000000 --- a/policy/modules/admin/kudzu.te +++ /dev/null @@ -1,145 +0,0 @@ -policy_module(kudzu, 1.8.0) - -######################################## -# -# Declarations -# - -type kudzu_t; -type kudzu_exec_t; -init_system_domain(kudzu_t, kudzu_exec_t) - -type kudzu_tmp_t; -files_tmp_file(kudzu_tmp_t) - -type kudzu_var_run_t; -files_pid_file(kudzu_var_run_t) - -######################################## -# -# Local policy -# - -allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod }; -dontaudit kudzu_t self:capability sys_tty_config; -allow kudzu_t self:process { signal_perms execmem }; -allow kudzu_t self:fifo_file rw_fifo_file_perms; -allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow kudzu_t self:unix_dgram_socket create_socket_perms; -allow kudzu_t self:udp_socket { create ioctl }; - -manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) -manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) -manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) -files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file }) - -manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t) -manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t) -files_pid_filetrans(kudzu_t, kudzu_var_run_t, file) - -kernel_change_ring_buffer_level(kudzu_t) -kernel_list_proc(kudzu_t) -kernel_read_device_sysctls(kudzu_t) -kernel_read_kernel_sysctls(kudzu_t) -kernel_read_proc_symlinks(kudzu_t) -kernel_read_network_state(kudzu_t) -kernel_read_system_state(kudzu_t) -kernel_rw_hotplug_sysctls(kudzu_t) -kernel_rw_kernel_sysctl(kudzu_t) - -files_read_kernel_modules(kudzu_t) - -dev_list_sysfs(kudzu_t) -dev_read_usbfs(kudzu_t) -dev_read_sysfs(kudzu_t) -dev_rx_raw_memory(kudzu_t) -dev_wx_raw_memory(kudzu_t) -dev_rw_mouse(kudzu_t) -dev_rwx_zero(kudzu_t) - -fs_search_auto_mountpoints(kudzu_t) -fs_search_ramfs(kudzu_t) -fs_write_ramfs_sockets(kudzu_t) - -mls_file_read_all_levels(kudzu_t) -mls_file_write_all_levels(kudzu_t) - -storage_read_scsi_generic(kudzu_t) -storage_read_tape(kudzu_t) -storage_raw_write_fixed_disk(kudzu_t) -storage_raw_write_removable_device(kudzu_t) -storage_raw_read_fixed_disk(kudzu_t) -storage_raw_read_removable_device(kudzu_t) - -term_dontaudit_use_console(kudzu_t) -# so it can write messages to the console -term_use_unallocated_ttys(kudzu_t) - -corecmd_exec_all_executables(kudzu_t) - -domain_use_interactive_fds(kudzu_t) - -files_search_var(kudzu_t) -files_search_locks(kudzu_t) -files_manage_etc_files(kudzu_t) -files_manage_etc_runtime_files(kudzu_t) -files_etc_filetrans_etc_runtime(kudzu_t, file) -files_manage_mnt_files(kudzu_t) -files_manage_mnt_symlinks(kudzu_t) -files_dontaudit_search_src(kudzu_t) -# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux -files_read_usr_files(kudzu_t) -# for /etc/sysconfig/hwconf - probably need a new type -files_rw_etc_runtime_files(kudzu_t) -# for file systems that are not yet mounted -files_dontaudit_search_isid_type_dirs(kudzu_t) - -init_use_fds(kudzu_t) -init_use_script_ptys(kudzu_t) -init_stream_connect_script(kudzu_t) -init_read_state(kudzu_t) -init_ptrace(kudzu_t) -# kudzu will telinit to make init re-read -# the inittab after configuring serial consoles -init_telinit(kudzu_t) - -# Read /usr/lib/gconv/gconv-modules.* -libs_read_lib_files(kudzu_t) - -logging_send_syslog_msg(kudzu_t) - -miscfiles_read_hwdata(kudzu_t) -miscfiles_read_localization(kudzu_t) - -modutils_read_module_config(kudzu_t) -modutils_read_module_deps(kudzu_t) -modutils_rename_module_config(kudzu_t) -modutils_delete_module_config(kudzu_t) -modutils_domtrans_insmod(kudzu_t) - -sysnet_read_config(kudzu_t) - -userdom_use_user_terminals(kudzu_t) -userdom_dontaudit_use_unpriv_user_fds(kudzu_t) -userdom_search_user_home_dirs(kudzu_t) - -optional_policy(` - gpm_getattr_gpmctl(kudzu_t) -') - -optional_policy(` - nscd_socket_use(kudzu_t) -') - -optional_policy(` - seutil_sigchld_newrole(kudzu_t) -') - -optional_policy(` - udev_read_db(kudzu_t) -') - -optional_policy(` - unconfined_domtrans(kudzu_t) - unconfined_domain(kudzu_t) -') diff --git a/policy/modules/admin/logrotate.fc b/policy/modules/admin/logrotate.fc deleted file mode 100644 index 36c8de7..0000000 --- a/policy/modules/admin/logrotate.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) - -/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) - -ifdef(`distro_debian', ` -/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) -', ` -/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) -') diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if deleted file mode 100644 index 6672183..0000000 --- a/policy/modules/admin/logrotate.if +++ /dev/null @@ -1,118 +0,0 @@ -## Rotate and archive system logs - -######################################## -## -## Execute logrotate in the logrotate domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`logrotate_domtrans',` - gen_require(` - type logrotate_t, logrotate_exec_t; - ') - - domtrans_pattern($1, logrotate_exec_t, logrotate_t) -') - -######################################## -## -## Execute logrotate in the logrotate domain, and -## allow the specified role the logrotate domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`logrotate_run',` - gen_require(` - type logrotate_t; - ') - - logrotate_domtrans($1) - role $2 types logrotate_t; -') - -######################################## -## -## Execute logrotate in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`logrotate_exec',` - gen_require(` - type logrotate_exec_t; - ') - - can_exec($1, logrotate_exec_t) -') - -######################################## -## -## Inherit and use logrotate file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`logrotate_use_fds',` - gen_require(` - type logrotate_t; - ') - - allow $1 logrotate_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit logrotate file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`logrotate_dontaudit_use_fds',` - gen_require(` - type logrotate_t; - ') - - dontaudit $1 logrotate_t:fd use; -') - -######################################## -## -## Read a logrotate temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`logrotate_read_tmp_files',` - gen_require(` - type logrotate_tmp_t; - ') - - files_search_tmp($1) - allow $1 logrotate_tmp_t:file read_file_perms; -') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te deleted file mode 100644 index d64682f..0000000 --- a/policy/modules/admin/logrotate.te +++ /dev/null @@ -1,236 +0,0 @@ -policy_module(logrotate, 1.13.0) - -######################################## -# -# Declarations -# - -type logrotate_t; -domain_type(logrotate_t) -domain_obj_id_change_exemption(logrotate_t) -domain_system_change_exemption(logrotate_t) -role system_r types logrotate_t; - -type logrotate_exec_t; -domain_entry_file(logrotate_t, logrotate_exec_t) - -type logrotate_lock_t; -files_lock_file(logrotate_lock_t) - -type logrotate_tmp_t; -files_tmp_file(logrotate_tmp_t) - -type logrotate_var_lib_t; -files_type(logrotate_var_lib_t) - -######################################## -# -# Local policy -# - -# Change ownership on log files. -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; -# for mailx -dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; - -allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - -# Set a context other than the default one for newly created files. -allow logrotate_t self:process setfscreate; - -allow logrotate_t self:fd use; -allow logrotate_t self:fifo_file rw_fifo_file_perms; -allow logrotate_t self:unix_dgram_socket create_socket_perms; -allow logrotate_t self:unix_stream_socket create_stream_socket_perms; -allow logrotate_t self:unix_dgram_socket sendto; -allow logrotate_t self:unix_stream_socket connectto; -allow logrotate_t self:shm create_shm_perms; -allow logrotate_t self:sem create_sem_perms; -allow logrotate_t self:msgq create_msgq_perms; -allow logrotate_t self:msg { send receive }; - -allow logrotate_t logrotate_lock_t:file manage_file_perms; -files_lock_filetrans(logrotate_t, logrotate_lock_t, file) - -can_exec(logrotate_t, logrotate_tmp_t) - -manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) -manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) -files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) - -# for /var/lib/logrotate.status and /var/lib/logcheck -create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) -manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) -files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) - -kernel_read_system_state(logrotate_t) -kernel_read_kernel_sysctls(logrotate_t) - -dev_read_urand(logrotate_t) - -fs_search_auto_mountpoints(logrotate_t) -fs_getattr_xattr_fs(logrotate_t) -fs_list_inotifyfs(logrotate_t) - -mls_file_read_all_levels(logrotate_t) -mls_file_write_all_levels(logrotate_t) -mls_file_upgrade(logrotate_t) - -selinux_get_fs_mount(logrotate_t) -selinux_get_enforce_mode(logrotate_t) - -auth_manage_login_records(logrotate_t) -auth_use_nsswitch(logrotate_t) - -# Run helper programs. -corecmd_exec_bin(logrotate_t) -corecmd_exec_shell(logrotate_t) - -domain_signal_all_domains(logrotate_t) -domain_use_interactive_fds(logrotate_t) -domain_getattr_all_entry_files(logrotate_t) -# Read /proc/PID directories for all domains. -domain_read_all_domains_state(logrotate_t) - -files_read_usr_files(logrotate_t) -files_read_etc_files(logrotate_t) -files_read_etc_runtime_files(logrotate_t) -files_read_all_pids(logrotate_t) -files_search_all(logrotate_t) -files_read_var_lib_files(logrotate_t) -# Write to /var/spool/slrnpull - should be moved into its own type. -files_manage_generic_spool(logrotate_t) -files_manage_generic_spool_dirs(logrotate_t) -files_getattr_generic_locks(logrotate_t) - -# cjp: why is this needed? -init_domtrans_script(logrotate_t) - -logging_manage_all_logs(logrotate_t) -logging_send_syslog_msg(logrotate_t) -logging_send_audit_msgs(logrotate_t) -# cjp: why is this needed? -logging_exec_all_logs(logrotate_t) - -miscfiles_read_localization(logrotate_t) - -seutil_dontaudit_read_config(logrotate_t) - -userdom_use_user_terminals(logrotate_t) -userdom_list_user_home_dirs(logrotate_t) -userdom_use_unpriv_users_fds(logrotate_t) -userdom_dontaudit_list_admin_dir(logrotate_t) - -cron_system_entry(logrotate_t, logrotate_exec_t) -cron_search_spool(logrotate_t) - -#mta_send_mail(logrotate_t) -mta_base_mail_template(logrotate) -mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) -role system_r types logrotate_mail_t; -logging_read_all_logs(logrotate_mail_t) -manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) - -ifdef(`distro_debian', ` - allow logrotate_t logrotate_tmp_t:file relabel_file_perms; - # for savelog - can_exec(logrotate_t, logrotate_exec_t) - - # for syslogd-listfiles - logging_read_syslog_config(logrotate_t) - - # for "test -x /sbin/syslogd" - logging_check_exec_syslog(logrotate_t) -') - -optional_policy(` - abrt_cache_manage(logrotate_t) -') - -optional_policy(` - acct_domtrans(logrotate_t) - acct_manage_data(logrotate_t) - acct_exec_data(logrotate_t) -') - -optional_policy(` - apache_read_config(logrotate_t) - apache_domtrans(logrotate_t) - apache_signull(logrotate_t) -') - -optional_policy(` - asterisk_domtrans(logrotate_t) -') - -optional_policy(` - bind_manage_cache(logrotate_t) -') - -optional_policy(` - consoletype_exec(logrotate_t) -') - -optional_policy(` - cups_domtrans(logrotate_t) -') - -optional_policy(` - fail2ban_stream_connect(logrotate_t) -') - -optional_policy(` - hostname_exec(logrotate_t) -') - -optional_policy(` - icecast_signal(logrotate_t) -') - -optional_policy(` - mailman_domtrans(logrotate_t) - mailman_search_data(logrotate_t) - mailman_manage_log(logrotate_t) -') - -optional_policy(` - munin_read_config(logrotate_t) - munin_stream_connect(logrotate_t) - munin_search_lib(logrotate_t) -') - -optional_policy(` - mysql_read_config(logrotate_t) - mysql_search_db(logrotate_t) - mysql_stream_connect(logrotate_t) -') - -optional_policy(` - psad_domtrans(logrotate_t) -') - - -optional_policy(` - samba_exec_log(logrotate_t) -') - -optional_policy(` - sssd_domtrans(logrotate_t) -') - -optional_policy(` - slrnpull_manage_spool(logrotate_t) -') - -optional_policy(` - squid_domtrans(logrotate_t) -') - -optional_policy(` - #Red Hat bug 564565 - su_exec(logrotate_t) -') - -optional_policy(` - varnishd_manage_log(logrotate_t) -') diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc deleted file mode 100644 index 1e155f5..0000000 --- a/policy/modules/admin/logwatch.fc +++ /dev/null @@ -1,11 +0,0 @@ -/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0) -/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0) - -/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0) - -/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0) -/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) -/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) -/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0) - -/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/policy/modules/admin/logwatch.if b/policy/modules/admin/logwatch.if deleted file mode 100644 index d878e75..0000000 --- a/policy/modules/admin/logwatch.if +++ /dev/null @@ -1,38 +0,0 @@ -## System log analyzer and reporter - -######################################## -## -## Read logwatch temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`logwatch_read_tmp_files',` - gen_require(` - type logwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 logwatch_tmp_t:file read_file_perms; -') - -######################################## -## -## Search logwatch cache directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`logwatch_search_cache_dir',` - gen_require(` - type logwatch_cache_t; - ') - - allow $1 logwatch_cache_t:dir search_dir_perms; -') diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te deleted file mode 100644 index b845467..0000000 --- a/policy/modules/admin/logwatch.te +++ /dev/null @@ -1,161 +0,0 @@ -policy_module(logwatch, 1.11.0) - -################################# -# -# Declarations -# - -type logwatch_t; -type logwatch_exec_t; -application_domain(logwatch_t, logwatch_exec_t) -role system_r types logwatch_t; - -type logwatch_cache_t; -files_type(logwatch_cache_t) - -type logwatch_lock_t; -files_lock_file(logwatch_lock_t) - -type logwatch_tmp_t; -files_tmp_file(logwatch_tmp_t) - -type logwatch_var_run_t; -files_pid_file(logwatch_var_run_t) - -######################################## -# -# Local policy -# - -allow logwatch_t self:capability { dac_override dac_read_search setgid }; -allow logwatch_t self:process signal; -allow logwatch_t self:fifo_file rw_file_perms; -allow logwatch_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) -manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) - -allow logwatch_t logwatch_lock_t:file manage_file_perms; -files_lock_filetrans(logwatch_t, logwatch_lock_t, file) - -manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) - -allow logwatch_t logwatch_var_run_t:file manage_file_perms; -files_pid_filetrans(logwatch_t, logwatch_var_run_t, file) - -kernel_read_fs_sysctls(logwatch_t) -kernel_read_kernel_sysctls(logwatch_t) -kernel_read_system_state(logwatch_t) -kernel_read_net_sysctls(logwatch_t) -kernel_read_network_state(logwatch_t) - -corecmd_exec_bin(logwatch_t) -corecmd_exec_shell(logwatch_t) - -dev_read_urand(logwatch_t) -dev_read_sysfs(logwatch_t) - -# Read /proc/PID directories for all domains. -domain_read_all_domains_state(logwatch_t) - -files_list_var(logwatch_t) -files_read_var_symlinks(logwatch_t) -files_read_etc_files(logwatch_t) -files_read_etc_runtime_files(logwatch_t) -files_read_usr_files(logwatch_t) -files_search_spool(logwatch_t) -files_search_mnt(logwatch_t) -files_dontaudit_search_home(logwatch_t) -files_dontaudit_search_boot(logwatch_t) -# Execs df and if file system mounted with a context avc raised -files_dontaudit_search_all_dirs(logwatch_t) - -fs_getattr_all_fs(logwatch_t) -fs_dontaudit_list_auto_mountpoints(logwatch_t) -fs_list_inotifyfs(logwatch_t) - -term_dontaudit_getattr_pty_dirs(logwatch_t) -term_dontaudit_list_ptys(logwatch_t) - -auth_use_nsswitch(logwatch_t) -auth_dontaudit_read_shadow(logwatch_t) - -init_read_utmp(logwatch_t) -init_dontaudit_write_utmp(logwatch_t) - -libs_read_lib_files(logwatch_t) - -logging_read_all_logs(logwatch_t) -logging_send_syslog_msg(logwatch_t) - -miscfiles_read_localization(logwatch_t) - -selinux_dontaudit_getattr_dir(logwatch_t) - -sysnet_dns_name_resolve(logwatch_t) -sysnet_exec_ifconfig(logwatch_t) - -userdom_dontaudit_search_user_home_dirs(logwatch_t) -userdom_dontaudit_list_admin_dir(logwatch_t) - -#mta_send_mail(logwatch_t) -mta_base_mail_template(logwatch) -mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) -role system_r types logwatch_mail_t; -logging_read_all_logs(logwatch_mail_t) -manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) -allow logwatch_mail_t self:capability { dac_read_search dac_override }; -mta_read_home(logwatch_mail_t) - -ifdef(`distro_redhat',` - files_search_all(logwatch_t) - files_getattr_all_file_type_fs(logwatch_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(logwatch_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(logwatch_t) -') - -optional_policy(` - apache_read_log(logwatch_t) -') - -optional_policy(` - avahi_dontaudit_search_pid(logwatch_t) -') - -optional_policy(` - bind_read_config(logwatch_t) - bind_read_zone(logwatch_t) -') - -optional_policy(` - cron_system_entry(logwatch_t, logwatch_exec_t) -') - -optional_policy(` - hostname_exec(logwatch_t) -') - -optional_policy(` - mta_getattr_spool(logwatch_t) -') - -optional_policy(` - ntp_domtrans(logwatch_t) -') - -optional_policy(` - rpc_search_nfs_state_data(logwatch_t) -') - -optional_policy(` - samba_read_log(logwatch_t) - samba_read_share_files(logwatch_t) -') diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc deleted file mode 100644 index 56c43c0..0000000 --- a/policy/modules/admin/mcelog.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) diff --git a/policy/modules/admin/mcelog.if b/policy/modules/admin/mcelog.if deleted file mode 100644 index 3d4cb1a..0000000 --- a/policy/modules/admin/mcelog.if +++ /dev/null @@ -1,20 +0,0 @@ -## policy for mcelog - -######################################## -## -## Execute a domain transition to run mcelog. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mcelog_domtrans',` - gen_require(` - type mcelog_t, mcelog_exec_t; - ') - - domtrans_pattern($1, mcelog_exec_t, mcelog_t) -') - diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te deleted file mode 100644 index 5a9cebf..0000000 --- a/policy/modules/admin/mcelog.te +++ /dev/null @@ -1,32 +0,0 @@ -policy_module(mcelog, 1.0.1) - -######################################## -# -# Declarations -# - -type mcelog_t; -type mcelog_exec_t; -application_domain(mcelog_t, mcelog_exec_t) -cron_system_entry(mcelog_t, mcelog_exec_t) - -######################################## -# -# mcelog local policy -# - -allow mcelog_t self:capability sys_admin; - -kernel_read_system_state(mcelog_t) - -dev_read_raw_memory(mcelog_t) -dev_read_kmsg(mcelog_t) - -files_read_etc_files(mcelog_t) - -# for /dev/mem access -mls_file_read_all_levels(mcelog_t) - -logging_send_syslog_msg(mcelog_t) - -miscfiles_read_localization(mcelog_t) diff --git a/policy/modules/admin/metadata.xml b/policy/modules/admin/metadata.xml deleted file mode 100644 index bd8d174..0000000 --- a/policy/modules/admin/metadata.xml +++ /dev/null @@ -1,3 +0,0 @@ - - Policy modules for administrative functions, such as package management. - diff --git a/policy/modules/admin/mrtg.fc b/policy/modules/admin/mrtg.fc deleted file mode 100644 index 37fb953..0000000 --- a/policy/modules/admin/mrtg.fc +++ /dev/null @@ -1,18 +0,0 @@ -# -# /etc -# -/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0) - -# -# /usr -# -/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0) -/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0) - -# -# /var -# -/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0) -/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) -/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0) -/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0) diff --git a/policy/modules/admin/mrtg.if b/policy/modules/admin/mrtg.if deleted file mode 100644 index 5970b9c..0000000 --- a/policy/modules/admin/mrtg.if +++ /dev/null @@ -1,20 +0,0 @@ -## Network traffic graphing - -######################################## -## -## Create and append mrtg logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`mrtg_append_create_logs',` - gen_require(` - type mrtg_log_t; - ') - - append_files_pattern($1, mrtg_log_t, mrtg_log_t) - create_files_pattern($1, mrtg_log_t, mrtg_log_t) -') diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te deleted file mode 100644 index 9d58abe..0000000 --- a/policy/modules/admin/mrtg.te +++ /dev/null @@ -1,161 +0,0 @@ -policy_module(mrtg, 1.8.0) - -######################################## -# -# Declarations -# - -type mrtg_t; -type mrtg_exec_t; -init_system_domain(mrtg_t, mrtg_exec_t) - -type mrtg_etc_t; -files_config_file(mrtg_etc_t) - -type mrtg_lock_t; -files_lock_file(mrtg_lock_t) - -type mrtg_log_t; -logging_log_file(mrtg_log_t) - -type mrtg_var_lib_t; -files_type(mrtg_var_lib_t) - -type mrtg_var_run_t; -files_pid_file(mrtg_var_run_t) - -######################################## -# -# Local policy -# - -allow mrtg_t self:capability { setgid setuid chown }; -dontaudit mrtg_t self:capability sys_tty_config; -allow mrtg_t self:process signal_perms; -allow mrtg_t self:fifo_file rw_fifo_file_perms; -allow mrtg_t self:unix_stream_socket create_socket_perms; -allow mrtg_t self:tcp_socket create_socket_perms; -allow mrtg_t self:udp_socket create_socket_perms; - -allow mrtg_t mrtg_etc_t:dir list_dir_perms; -read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t) -read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t) -dontaudit mrtg_t mrtg_etc_t:dir write; -dontaudit mrtg_t mrtg_etc_t:file { write ioctl }; - -manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t) -manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t) - -manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) -logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir }) - -manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t) -manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t) - -allow mrtg_t mrtg_var_run_t:file manage_file_perms; -files_pid_filetrans(mrtg_t, mrtg_var_run_t, file) - -kernel_read_system_state(mrtg_t) -kernel_read_network_state(mrtg_t) -kernel_read_kernel_sysctls(mrtg_t) - -corecmd_exec_bin(mrtg_t) -corecmd_exec_shell(mrtg_t) - -corenet_all_recvfrom_unlabeled(mrtg_t) -corenet_all_recvfrom_netlabel(mrtg_t) -corenet_tcp_sendrecv_generic_if(mrtg_t) -corenet_udp_sendrecv_generic_if(mrtg_t) -corenet_tcp_sendrecv_generic_node(mrtg_t) -corenet_udp_sendrecv_generic_node(mrtg_t) -corenet_tcp_sendrecv_all_ports(mrtg_t) -corenet_udp_sendrecv_all_ports(mrtg_t) -corenet_tcp_connect_all_ports(mrtg_t) -corenet_sendrecv_all_client_packets(mrtg_t) - -dev_read_sysfs(mrtg_t) -dev_read_urand(mrtg_t) - -domain_use_interactive_fds(mrtg_t) -domain_dontaudit_search_all_domains_state(mrtg_t) - -files_read_usr_files(mrtg_t) -files_search_var(mrtg_t) -files_search_locks(mrtg_t) -files_search_var_lib(mrtg_t) -files_search_spool(mrtg_t) -files_getattr_tmp_dirs(mrtg_t) -# for uptime -files_read_etc_runtime_files(mrtg_t) -# read config files -files_read_etc_files(mrtg_t) - -fs_search_auto_mountpoints(mrtg_t) -fs_getattr_xattr_fs(mrtg_t) -fs_list_inotifyfs(mrtg_t) - -term_dontaudit_use_console(mrtg_t) - -init_use_fds(mrtg_t) -init_use_script_ptys(mrtg_t) -# for uptime -init_read_utmp(mrtg_t) -init_dontaudit_write_utmp(mrtg_t) - -auth_use_nsswitch(mrtg_t) - -libs_read_lib_files(mrtg_t) - -logging_send_syslog_msg(mrtg_t) - -miscfiles_read_localization(mrtg_t) - -selinux_dontaudit_getattr_dir(mrtg_t) - -userdom_use_user_terminals(mrtg_t) -userdom_dontaudit_read_user_home_content_files(mrtg_t) -userdom_dontaudit_use_unpriv_user_fds(mrtg_t) -userdom_dontaudit_list_admin_dir(mrtg_t) - -netutils_domtrans_ping(mrtg_t) - -ifdef(`enable_mls',` - corenet_udp_sendrecv_lo_if(mrtg_t) -') - -ifdef(`distro_redhat',` - allow mrtg_t mrtg_lock_t:file manage_file_perms; - filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file) -') - -optional_policy(` - apache_manage_sys_content(mrtg_t) -') - -optional_policy(` - cron_system_entry(mrtg_t, mrtg_exec_t) -') - -optional_policy(` - hostname_exec(mrtg_t) -') - -optional_policy(` - hddtemp_domtrans(mrtg_t) -') - -optional_policy(` - seutil_sigchld_newrole(mrtg_t) -') - -optional_policy(` - quota_dontaudit_getattr_db(mrtg_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(mrtg_t) -') - -optional_policy(` - udev_read_db(mrtg_t) -') diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc deleted file mode 100644 index ae4045e..0000000 --- a/policy/modules/admin/ncftool.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if deleted file mode 100644 index 8c2e044..0000000 --- a/policy/modules/admin/ncftool.if +++ /dev/null @@ -1,78 +0,0 @@ - -## policy for ncftool - -######################################## -## -## Execute a domain transition to run ncftool. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ncftool_domtrans',` - gen_require(` - type ncftool_t, ncftool_exec_t; - ') - - domtrans_pattern($1, ncftool_exec_t, ncftool_t) -') - -######################################## -## -## Execute ncftool in the ncftool domain, and -## allow the specified role the ncftool domain. -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the ncftool domain. -## -## -# -interface(`ncftool_run',` - gen_require(` - type ncftool_t; - ') - - ncftool_domtrans($1) - role $2 types ncftool_t; - - optional_policy(` - brctl_run(ncftool_t, $2) - ') -') - -######################################## -## -## Role access for ncftool -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`ncftool_role',` - gen_require(` - type ncftool_t; - ') - - role $1 types ncftool_t; - - ncftool_domtrans($2) - - ps_process_pattern($2, ncftool_t) - allow $2 ncftool_t:process signal; -') - diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te deleted file mode 100644 index eef0c87..0000000 --- a/policy/modules/admin/ncftool.te +++ /dev/null @@ -1,91 +0,0 @@ -policy_module(ncftool, 1.0.0) - -######################################## -# -# Declarations -# - -type ncftool_t; -type ncftool_exec_t; -application_domain(ncftool_t, ncftool_exec_t) -domain_obj_id_change_exemption(ncftool_t) -domain_system_change_exemption(ncftool_t) -role system_r types ncftool_t; - -permissive ncftool_t; - -######################################## -# -# ncftool local policy -# - -allow ncftool_t self:capability { net_admin sys_ptrace }; - -allow ncftool_t self:process signal; - -allow ncftool_t self:fifo_file manage_fifo_file_perms; -allow ncftool_t self:unix_stream_socket create_stream_socket_perms; - -allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; -allow ncftool_t self:tcp_socket create_stream_socket_perms; - -kernel_read_kernel_sysctls(ncftool_t) -kernel_read_modprobe_sysctls(ncftool_t) -kernel_read_network_state(ncftool_t) -kernel_read_system_state(ncftool_t) -kernel_request_load_module(ncftool_t) -kernel_rw_net_sysctls(ncftool_t) - -corecmd_exec_bin(ncftool_t) -corecmd_exec_shell(ncftool_t) - -domain_read_all_domains_state(ncftool_t) - -dev_read_sysfs(ncftool_t) - -files_manage_system_conf_files(ncftool_t) -files_relabelto_system_conf_files(ncftool_t) -files_read_etc_files(ncftool_t) -files_read_etc_runtime_files(ncftool_t) -files_read_usr_files(ncftool_t) - -term_use_all_terms(ncftool_t) - -miscfiles_read_localization(ncftool_t) - -modutils_list_module_config(ncftool_t) -modutils_read_module_config(ncftool_t) -modutils_domtrans_insmod(ncftool_t) - -sysnet_delete_dhcpc_pid(ncftool_t) -sysnet_domtrans_dhcpc(ncftool_t) -sysnet_domtrans_ifconfig(ncftool_t) -sysnet_etc_filetrans_config(ncftool_t) -sysnet_manage_config(ncftool_t) -sysnet_read_dhcpc_state(ncftool_t) -sysnet_relabelfrom_net_conf(ncftool_t) -sysnet_relabelto_net_conf(ncftool_t) -sysnet_read_dhcpc_pid(ncftool_t) -sysnet_signal_dhcpc(ncftool_t) - -userdom_read_user_tmp_files(ncftool_t) - -optional_policy(` - consoletype_exec(ncftool_t) -') - -optional_policy(` - dbus_system_bus_client(ncftool_t) -') - -optional_policy(` - iptables_initrc_domtrans(ncftool_t) -') - -optional_policy(` - iptables_initrc_domtrans(ncftool_t) -') - -optional_policy(` - netutils_domtrans(ncftool_t) -') diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc deleted file mode 100644 index 407078f..0000000 --- a/policy/modules/admin/netutils.fc +++ /dev/null @@ -1,15 +0,0 @@ -/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) -/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) -/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - -/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) - -/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) -/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) -/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - -/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) -/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) -/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) -/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) -/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if deleted file mode 100644 index a005782..0000000 --- a/policy/modules/admin/netutils.if +++ /dev/null @@ -1,301 +0,0 @@ -## Network analysis utilities - -######################################## -## -## Execute network utilities in the netutils domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`netutils_domtrans',` - gen_require(` - type netutils_t, netutils_exec_t; - ') - - domtrans_pattern($1, netutils_exec_t, netutils_t) -') - -######################################## -## -## Execute network utilities in the netutils domain, and -## allow the specified role the netutils domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`netutils_run',` - gen_require(` - type netutils_t; - ') - - netutils_domtrans($1) - role $2 types netutils_t; -') - -######################################## -## -## Execute network utilities in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`netutils_exec',` - gen_require(` - type netutils_exec_t; - ') - - can_exec($1, netutils_exec_t) -') - -######################################## -## -## Send generic signals to network utilities. -## -## -## -## Domain allowed access. -## -## -# -interface(`netutils_signal',` - gen_require(` - type netutils_t; - ') - - allow $1 netutils_t:process signal; -') - -######################################## -## -## Execute ping in the ping domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`netutils_domtrans_ping',` - gen_require(` - type ping_t, ping_exec_t; - ') - - domtrans_pattern($1, ping_exec_t, ping_t) -') - -######################################## -## -## Send a kill (SIGKILL) signal to ping. -## -## -## -## Domain allowed access. -## -## -# -interface(`netutils_kill_ping',` - gen_require(` - type ping_t; - ') - - allow $1 ping_t:process sigkill; -') - -######################################## -## -## Send generic signals to ping. -## -## -## -## Domain allowed access. -## -## -# -interface(`netutils_signal_ping',` - gen_require(` - type ping_t; - ') - - allow $1 ping_t:process signal; -') - -######################################## -## -## Execute ping in the ping domain, and -## allow the specified role the ping domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`netutils_run_ping',` - gen_require(` - type ping_t; - ') - - netutils_domtrans_ping($1) - role $2 types ping_t; -') - -######################################## -## -## Conditionally execute ping in the ping domain, and -## allow the specified role the ping domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`netutils_run_ping_cond',` - gen_require(` - type ping_t; - bool user_ping; - ') - - role $2 types ping_t; - - if ( user_ping ) { - netutils_domtrans_ping($1) - } -') - -######################################## -## -## Execute ping in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`netutils_exec_ping',` - gen_require(` - type ping_exec_t; - ') - - can_exec($1, ping_exec_t) -') - -######################################## -## -## Execute traceroute in the traceroute domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`netutils_domtrans_traceroute',` - gen_require(` - type traceroute_t, traceroute_exec_t; - ') - - domtrans_pattern($1, traceroute_exec_t, traceroute_t) -') - -######################################## -## -## Execute traceroute in the traceroute domain, and -## allow the specified role the traceroute domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`netutils_run_traceroute',` - gen_require(` - type traceroute_t; - ') - - netutils_domtrans_traceroute($1) - role $2 types traceroute_t; -') - -######################################## -## -## Conditionally execute traceroute in the traceroute domain, and -## allow the specified role the traceroute domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`netutils_run_traceroute_cond',` - gen_require(` - type traceroute_t; - bool user_ping; - ') - - role $2 types traceroute_t; - - if( user_ping ) { - netutils_domtrans_traceroute($1) - } -') - -######################################## -## -## Execute traceroute in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`netutils_exec_traceroute',` - gen_require(` - type traceroute_exec_t; - ') - - can_exec($1, traceroute_exec_t) -') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te deleted file mode 100644 index 4f38995..0000000 --- a/policy/modules/admin/netutils.te +++ /dev/null @@ -1,240 +0,0 @@ -policy_module(netutils, 1.10.1) - -######################################## -# -# Declarations -# - -## -##

-## Control users use of ping and traceroute -##

-##
-gen_tunable(user_ping, false) - -type netutils_t; -type netutils_exec_t; -init_system_domain(netutils_t, netutils_exec_t) -role system_r types netutils_t; - -type netutils_tmp_t; -files_tmp_file(netutils_tmp_t) - -type ping_t; -type ping_exec_t; -init_system_domain(ping_t, ping_exec_t) -role system_r types ping_t; - -type traceroute_t; -type traceroute_exec_t; -init_system_domain(traceroute_t, traceroute_exec_t) -role system_r types traceroute_t; - -######################################## -# -# Netutils local policy -# - -# Perform network administration operations and have raw access to the network. -allow netutils_t self:capability { net_admin net_raw setuid setgid }; -dontaudit netutils_t self:capability sys_tty_config; -allow netutils_t self:process { sigkill sigstop signull signal }; -allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; -allow netutils_t self:packet_socket create_socket_perms; -allow netutils_t self:udp_socket create_socket_perms; -allow netutils_t self:tcp_socket create_stream_socket_perms; -allow netutils_t self:socket create_socket_perms; - -manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) -manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) -files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) - -kernel_search_proc(netutils_t) -kernel_read_all_sysctls(netutils_t) -kernel_read_network_state(netutils_t) -kernel_request_load_module(netutils_t) - -corenet_all_recvfrom_unlabeled(netutils_t) -corenet_all_recvfrom_netlabel(netutils_t) -corenet_tcp_sendrecv_generic_if(netutils_t) -corenet_raw_sendrecv_generic_if(netutils_t) -corenet_udp_sendrecv_generic_if(netutils_t) -corenet_tcp_sendrecv_generic_node(netutils_t) -corenet_raw_sendrecv_generic_node(netutils_t) -corenet_udp_sendrecv_generic_node(netutils_t) -corenet_tcp_sendrecv_all_ports(netutils_t) -corenet_udp_sendrecv_all_ports(netutils_t) -corenet_tcp_connect_all_ports(netutils_t) -corenet_sendrecv_all_client_packets(netutils_t) -corenet_udp_bind_generic_node(netutils_t) - -dev_read_sysfs(netutils_t) -dev_read_usbmon_dev(netutils_t) -dev_write_usbmon_dev(netutils_t) -dev_rw_generic_usb_dev(netutils_t) - -fs_getattr_xattr_fs(netutils_t) - -domain_use_interactive_fds(netutils_t) - -files_read_etc_files(netutils_t) -# for nscd -files_dontaudit_search_var(netutils_t) - -init_use_fds(netutils_t) -init_use_script_ptys(netutils_t) - -auth_use_nsswitch(netutils_t) - -logging_send_syslog_msg(netutils_t) - -miscfiles_read_localization(netutils_t) - -term_dontaudit_use_console(netutils_t) -userdom_use_user_terminals(netutils_t) -userdom_use_all_users_fds(netutils_t) - -optional_policy(` - nis_use_ypbind(netutils_t) -') - -optional_policy(` - vmware_append_log(netutils_t) -') - -optional_policy(` - xen_append_log(netutils_t) -') - -######################################## -# -# Ping local policy -# - -allow ping_t self:capability { setuid net_raw }; -dontaudit ping_t self:capability sys_tty_config; -allow ping_t self:tcp_socket create_socket_perms; -allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; -allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; -allow ping_t self:netlink_route_socket create_netlink_socket_perms; - -corenet_all_recvfrom_unlabeled(ping_t) -corenet_all_recvfrom_netlabel(ping_t) -corenet_tcp_sendrecv_generic_if(ping_t) -corenet_raw_sendrecv_generic_if(ping_t) -corenet_raw_sendrecv_generic_node(ping_t) -corenet_tcp_sendrecv_generic_node(ping_t) -corenet_raw_bind_generic_node(ping_t) -corenet_tcp_sendrecv_all_ports(ping_t) - -fs_dontaudit_getattr_xattr_fs(ping_t) - -domain_use_interactive_fds(ping_t) - -files_read_etc_files(ping_t) -files_dontaudit_search_var(ping_t) - -kernel_read_system_state(ping_t) - -auth_use_nsswitch(ping_t) - -logging_send_syslog_msg(ping_t) - -miscfiles_read_localization(ping_t) - -ifdef(`hide_broken_symptoms',` - init_dontaudit_use_fds(ping_t) - - optional_policy(` - nagios_dontaudit_rw_log(ping_t) - nagios_dontaudit_rw_pipes(ping_t) - ') -') - -term_use_all_terms(ping_t) - -tunable_policy(`user_ping',` - term_use_all_ttys(ping_t) - term_use_all_ptys(ping_t) -',` - term_dontaudit_use_all_ttys(ping_t) - term_dontaudit_use_all_ptys(ping_t) -') - -optional_policy(` - munin_append_log(ping_t) -') - -optional_policy(` - nagios_rw_inerited_tmp_files(ping_t) -') - -optional_policy(` - pcmcia_use_cardmgr_fds(ping_t) -') - -optional_policy(` - hotplug_use_fds(ping_t) -') - -######################################## -# -# Traceroute local policy -# - -allow traceroute_t self:capability { net_admin net_raw setuid setgid }; -allow traceroute_t self:rawip_socket create_socket_perms; -allow traceroute_t self:packet_socket create_socket_perms; -allow traceroute_t self:udp_socket create_socket_perms; - -kernel_read_system_state(traceroute_t) -kernel_read_network_state(traceroute_t) - -corenet_all_recvfrom_unlabeled(traceroute_t) -corenet_all_recvfrom_netlabel(traceroute_t) -corenet_tcp_sendrecv_generic_if(traceroute_t) -corenet_udp_sendrecv_generic_if(traceroute_t) -corenet_raw_sendrecv_generic_if(traceroute_t) -corenet_tcp_sendrecv_generic_node(traceroute_t) -corenet_udp_sendrecv_generic_node(traceroute_t) -corenet_raw_sendrecv_generic_node(traceroute_t) -corenet_tcp_sendrecv_all_ports(traceroute_t) -corenet_udp_sendrecv_all_ports(traceroute_t) -corenet_udp_bind_generic_node(traceroute_t) -corenet_tcp_bind_generic_node(traceroute_t) -# traceroute needs this but not tracepath -corenet_raw_bind_generic_node(traceroute_t) -corenet_udp_bind_traceroute_port(traceroute_t) -corenet_tcp_connect_all_ports(traceroute_t) -corenet_sendrecv_all_client_packets(traceroute_t) -corenet_sendrecv_traceroute_server_packets(traceroute_t) - -fs_dontaudit_getattr_xattr_fs(traceroute_t) - -domain_use_interactive_fds(traceroute_t) - -files_read_etc_files(traceroute_t) -files_read_usr_files(traceroute_t) -files_dontaudit_search_var(traceroute_t) - -init_use_fds(traceroute_t) - -auth_use_nsswitch(traceroute_t) - -logging_send_syslog_msg(traceroute_t) - -miscfiles_read_localization(traceroute_t) - -#rules needed for nmap -dev_read_rand(traceroute_t) -dev_read_urand(traceroute_t) - -term_use_all_terms(traceroute_t) - -tunable_policy(`user_ping',` - term_use_all_ttys(traceroute_t) - term_use_all_ptys(traceroute_t) -',` - term_dontaudit_use_all_ttys(traceroute_t) - term_dontaudit_use_all_ptys(traceroute_t) -') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc deleted file mode 100644 index db46387..0000000 --- a/policy/modules/admin/portage.fc +++ /dev/null @@ -1,24 +0,0 @@ -/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0) -/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0) -/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0) - -/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0) -/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) - -/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) - -/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) - -/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) -/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) -/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0) -/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0) -/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) -/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) -/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) -/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if deleted file mode 100644 index 8aaa46d..0000000 --- a/policy/modules/admin/portage.if +++ /dev/null @@ -1,283 +0,0 @@ -## -## Portage Package Management System. The primary package management and -## distribution system for Gentoo. -## - -######################################## -## -## Execute emerge in the portage domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portage_domtrans',` - gen_require(` - type portage_t, portage_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - - # transition to portage - domtrans_pattern($1, portage_exec_t, portage_t) -') - -######################################## -## -## Execute emerge in the portage domain, and -## allow the specified role the portage domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the portage domain. -## -## -## -# -interface(`portage_run',` - gen_require(` - type portage_t, portage_fetch_t, portage_sandbox_t; - ') - - portage_domtrans($1) - role $2 types { portage_t portage_fetch_t portage_sandbox_t }; -') - -######################################## -## -## Template for portage sandbox. -## -## -##

-## Template for portage sandbox. Portage -## does all compiling in the sandbox. -##

-##
-## -## -## Domain Allowed Access -## -## -# -interface(`portage_compile_domain',` - - gen_require(` - class dbus send_msg; - type portage_devpts_t, portage_log_t, portage_tmp_t; - type portage_tmpfs_t; - ') - - allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; - dontaudit $1 self:capability sys_chroot; - allow $1 self:process { setpgid setsched setrlimit signal_perms execmem }; - allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1 self:fd use; - allow $1 self:fifo_file rw_fifo_file_perms; - allow $1 self:shm create_shm_perms; - allow $1 self:sem create_sem_perms; - allow $1 self:msgq create_msgq_perms; - allow $1 self:msg { send receive }; - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 self:unix_stream_socket create_stream_socket_perms; - allow $1 self:unix_dgram_socket sendto; - allow $1 self:unix_stream_socket connectto; - # really shouldnt need this - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - # misc networking stuff (esp needed for compiling perl): - allow $1 self:rawip_socket { create ioctl }; - # needed for merging dbus: - allow $1 self:netlink_selinux_socket { bind create read }; - allow $1 self:dbus send_msg; - - allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr }; - term_create_pty($1, portage_devpts_t) - - # write compile logs - allow $1 portage_log_t:dir setattr; - allow $1 portage_log_t:file { write_file_perms setattr }; - - # run scripts out of the build directory - can_exec(portage_sandbox_t, portage_tmp_t) - - manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t) - manage_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t) - files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file }) - # SELinux-enabled programs running in the sandbox - allow $1 portage_tmp_t:file relabel_file_perms; - - manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - kernel_read_system_state($1) - kernel_read_network_state($1) - kernel_read_software_raid_state($1) - kernel_getattr_core_if($1) - kernel_getattr_message_if($1) - kernel_read_kernel_sysctls($1) - - corecmd_exec_all_executables($1) - - # really shouldnt need this but some packages test - # network access, such as during configure - # also distcc--need to reinvestigate confining distcc client - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_raw_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_raw_sendrecv_generic_node($1) - corenet_tcp_sendrecv_all_ports($1) - corenet_udp_sendrecv_all_ports($1) - corenet_tcp_connect_all_reserved_ports($1) - corenet_tcp_connect_distccd_port($1) - - dev_read_sysfs($1) - dev_read_rand($1) - dev_read_urand($1) - - domain_use_interactive_fds($1) - domain_dontaudit_read_all_domains_state($1) - # SELinux-aware installs doing relabels in the sandbox - domain_obj_id_change_exemption($1) - - files_exec_etc_files($1) - files_exec_usr_src_files($1) - - fs_getattr_xattr_fs($1) - fs_list_noxattr_fs($1) - fs_read_noxattr_fs_files($1) - fs_read_noxattr_fs_symlinks($1) - fs_search_auto_mountpoints($1) - - selinux_validate_context($1) - # needed for merging dbus: - selinux_compute_access_vector($1) - - auth_read_all_dirs_except_shadow($1) - auth_read_all_files_except_shadow($1) - auth_read_all_symlinks_except_shadow($1) - - libs_exec_lib_files($1) - # some config scripts use ldd - libs_exec_ld_so($1) - # this violates the idea of sandbox, but - # regular sandbox allows it - libs_domtrans_ldconfig($1) - - logging_send_syslog_msg($1) - - userdom_use_user_terminals($1) - - # SELinux-enabled programs running in the sandbox - seutil_libselinux_linked($1) - - ifdef(`TODO',` - # some gui ebuilds want to interact with X server, like xawtv - optional_policy(` - allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write }; - allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write }; - ') - ') dnl end TODO -') - -######################################## -## -## Execute gcc-config in the gcc_config domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portage_domtrans_gcc_config',` - gen_require(` - type gcc_config_t, gcc_config_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - - domtrans_pattern($1, gcc_config_exec_t, gcc_config_t) -') - -######################################## -## -## Execute gcc-config in the gcc_config domain, and -## allow the specified role the gcc_config domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the gcc_config domain. -## -## -## -# -interface(`portage_run_gcc_config',` - gen_require(` - type gcc_config_t; - ') - - portage_domtrans_gcc_config($1) - role $2 types gcc_config_t; -') - -######################################## -## -## Do not audit attempts to search the -## portage temporary directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`portage_dontaudit_search_tmp',` - gen_require(` - type portage_tmp_t; - ') - - dontaudit $1 portage_tmp_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## the portage temporary files. -## -## -## -## Domain to not audit. -## -## -# -interface(`portage_dontaudit_rw_tmp_files',` - gen_require(` - type portage_tmp_t; - ') - - dontaudit $1 portage_tmp_t:file rw_file_perms; -') diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te deleted file mode 100644 index c633aea..0000000 --- a/policy/modules/admin/portage.te +++ /dev/null @@ -1,276 +0,0 @@ -policy_module(portage, 1.10.0) - -######################################## -# -# Declarations -# - -type gcc_config_t; -type gcc_config_exec_t; -application_domain(gcc_config_t, gcc_config_exec_t) - -# constraining type -type portage_t; -type portage_exec_t; -application_domain(portage_t, portage_exec_t) -domain_obj_id_change_exemption(portage_t) -rsync_entry_type(portage_t) -corecmd_shell_entry_type(portage_t) - -# portage compile sandbox domain -type portage_sandbox_t; -application_domain(portage_sandbox_t, portage_exec_t) -# the shell is the entrypoint if regular sandbox is disabled -# portage_exec_t is the entrypoint if regular sandbox is enabled -corecmd_shell_entry_type(portage_sandbox_t) - -# portage package fetching domain -type portage_fetch_t; -application_type(portage_fetch_t) -corecmd_shell_entry_type(portage_fetch_t) -rsync_entry_type(portage_fetch_t) - -type portage_devpts_t; -term_pty(portage_devpts_t) - -type portage_ebuild_t; -files_type(portage_ebuild_t) - -type portage_fetch_tmp_t; -files_tmp_file(portage_fetch_tmp_t) - -type portage_db_t; -files_type(portage_db_t) - -type portage_conf_t; -files_type(portage_conf_t) - -type portage_cache_t; -files_type(portage_cache_t) - -type portage_log_t; -logging_log_file(portage_log_t) - -type portage_tmp_t; -files_tmp_file(portage_tmp_t) - -type portage_tmpfs_t; -files_tmpfs_file(portage_tmpfs_t) - -######################################## -# -# gcc-config policy -# - -allow gcc_config_t self:capability { chown fsetid }; -allow gcc_config_t self:fifo_file rw_file_perms; - -manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t) - -read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t) - -allow gcc_config_t portage_ebuild_t:dir list_dir_perms; -read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t) - -allow gcc_config_t portage_exec_t:file mmap_file_perms; - -kernel_read_system_state(gcc_config_t) -kernel_read_kernel_sysctls(gcc_config_t) - -corecmd_exec_shell(gcc_config_t) -corecmd_exec_bin(gcc_config_t) -corecmd_manage_bin_files(gcc_config_t) - -domain_use_interactive_fds(gcc_config_t) - -files_manage_etc_files(gcc_config_t) -files_rw_etc_runtime_files(gcc_config_t) -files_read_usr_files(gcc_config_t) -files_search_var_lib(gcc_config_t) -files_search_pids(gcc_config_t) -# complains loudly about not being able to list -# the directory it is being run from -files_list_all(gcc_config_t) - -# seems to be ok without this -init_dontaudit_read_script_status_files(gcc_config_t) - -libs_read_lib_files(gcc_config_t) -libs_domtrans_ldconfig(gcc_config_t) -libs_manage_shared_libs(gcc_config_t) -# gcc-config creates a temp dir for the libs -libs_manage_lib_dirs(gcc_config_t) - -logging_send_syslog_msg(gcc_config_t) - -miscfiles_read_localization(gcc_config_t) - -userdom_use_user_terminals(gcc_config_t) - -consoletype_exec(gcc_config_t) - -optional_policy(` - seutil_use_newrole_fds(gcc_config_t) -') - -######################################## -# -# Portage Merging Rules -# - -# - setfscreate for merging to live fs -# - setexec to run portage fetch -allow portage_t self:process { setfscreate setexec }; -# - kill for mysql merging, at least -allow portage_t self:capability { sys_nice kill }; - -# user post-sync scripts -can_exec(portage_t, portage_conf_t) - -allow portage_t portage_log_t:file manage_file_perms; -logging_log_filetrans(portage_t, portage_log_t, file) - -allow portage_t { portage_fetch_t portage_sandbox_t }:process signal; - -# transition for rsync and wget -corecmd_shell_spec_domtrans(portage_t, portage_fetch_t) -rsync_entry_domtrans(portage_t, portage_fetch_t) -allow portage_fetch_t portage_t:fd use; -allow portage_fetch_t portage_t:fifo_file rw_file_perms; -allow portage_fetch_t portage_t:process sigchld; - -# transition to sandbox for compiling -domain_trans(portage_t, portage_exec_t, portage_sandbox_t) -corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) -allow portage_sandbox_t portage_t:fd use; -allow portage_sandbox_t portage_t:fifo_file rw_file_perms; -allow portage_sandbox_t portage_t:process sigchld; - -# run scripts out of the build directory -can_exec(portage_t, portage_tmp_t) - -# merging baselayout will need this: -kernel_write_proc_files(portage_t) - -domain_dontaudit_read_all_domains_state(portage_t) - -# modify any files in the system -files_manage_all_files(portage_t) - -selinux_get_fs_mount(portage_t) - -auth_manage_shadow(portage_t) - -# merging baselayout will need this: -init_exec(portage_t) - -# run setfiles -r -seutil_domtrans_setfiles(portage_t) -# run semodule -seutil_domtrans_semanage(portage_t) - -portage_domtrans_gcc_config(portage_t) -# if sesandbox is disabled, compiling is performed in this domain -portage_compile_domain(portage_t) - -optional_policy(` - bootloader_domtrans(portage_t) -') - -optional_policy(` - modutils_domtrans_depmod(portage_t) - modutils_domtrans_update_mods(portage_t) - #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; -') - -optional_policy(` - usermanage_domtrans_groupadd(portage_t) - usermanage_domtrans_useradd(portage_t) -') - -ifdef(`TODO',` -# seems to work ok without these -dontaudit portage_t device_t:{ blk_file chr_file } getattr; -dontaudit portage_t proc_t:dir setattr; -dontaudit portage_t device_type:chr_file read_chr_file_perms; -dontaudit portage_t device_type:blk_file read_blk_file_perms; -') - -########################################## -# -# Portage fetch domain -# - for rsync and distfile fetching -# - -allow portage_fetch_t self:capability { dac_override fowner fsetid }; -allow portage_fetch_t self:process signal; -allow portage_fetch_t self:unix_stream_socket create_socket_perms; -allow portage_fetch_t self:tcp_socket create_stream_socket_perms; - -allow portage_fetch_t portage_conf_t:dir list_dir_perms; -read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t) - -manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) -manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) - -manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) -manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) -files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir }) - -# portage makes home dir the portage tmp dir, so -# wget looks for .wgetrc there -dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms; -# rsync server timestamp check -allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms }; - -kernel_read_system_state(portage_fetch_t) -kernel_read_kernel_sysctls(portage_fetch_t) - -corecmd_exec_bin(portage_fetch_t) - -corenet_all_recvfrom_unlabeled(portage_fetch_t) -corenet_all_recvfrom_netlabel(portage_fetch_t) -corenet_tcp_sendrecv_generic_if(portage_fetch_t) -corenet_tcp_sendrecv_generic_node(portage_fetch_t) -corenet_tcp_sendrecv_all_ports(portage_fetch_t) -# would rather not connect to unspecified ports, but -# it occasionally comes up -corenet_tcp_connect_all_reserved_ports(portage_fetch_t) -corenet_tcp_connect_generic_port(portage_fetch_t) - -dev_dontaudit_read_rand(portage_fetch_t) - -domain_use_interactive_fds(portage_fetch_t) - -files_read_etc_files(portage_fetch_t) -files_read_etc_runtime_files(portage_fetch_t) -files_search_var(portage_fetch_t) -files_dontaudit_search_pids(portage_fetch_t) - -term_search_ptys(portage_fetch_t) - -miscfiles_read_localization(portage_fetch_t) - -sysnet_read_config(portage_fetch_t) -sysnet_dns_name_resolve(portage_fetch_t) - -userdom_use_user_terminals(portage_fetch_t) -userdom_dontaudit_read_user_home_content_files(portage_fetch_t) - -ifdef(`hide_broken_symptoms',` - dontaudit portage_fetch_t portage_cache_t:file read; -') - -########################################## -# -# Portage sandbox domain -# - SELinux-enforced sandbox -# - -portage_compile_domain(portage_sandbox_t) - -ifdef(`hide_broken_symptoms',` - # leaked descriptors - dontaudit portage_sandbox_t portage_cache_t:dir { setattr }; - dontaudit portage_sandbox_t portage_cache_t:file { setattr write }; -') diff --git a/policy/modules/admin/prelink.fc b/policy/modules/admin/prelink.fc deleted file mode 100644 index ec0e76a..0000000 --- a/policy/modules/admin/prelink.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) - -/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) - -/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) - -/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) -/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) - -/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) -/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if deleted file mode 100644 index 93ec175..0000000 --- a/policy/modules/admin/prelink.if +++ /dev/null @@ -1,204 +0,0 @@ -## Prelink ELF shared library mappings. - -######################################## -## -## Execute the prelink program in the prelink domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`prelink_domtrans',` - gen_require(` - type prelink_t, prelink_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, prelink_exec_t, prelink_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit prelink_t $1:socket_class_set { read write }; - dontaudit prelink_t $1:fifo_file setattr; - ') -') - -######################################## -## -## Execute the prelink program in the current domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_exec',` - gen_require(` - type prelink_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, prelink_exec_t) -') - -######################################## -## -## Execute the prelink program in the prelink domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the prelink domain. -## -## -## -# -interface(`prelink_run',` - gen_require(` - type prelink_t; - ') - - prelink_domtrans($1) - role $2 types prelink_t; -') - -######################################## -## -## Make the specified file type prelinkable. -## -## -## -## File type to be prelinked. -## -## -# -# cjp: added for misc non-entrypoint objects -interface(`prelink_object_file',` - gen_require(` - attribute prelink_object; - ') - - typeattribute $1 prelink_object; -') - -######################################## -## -## Read the prelink cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_read_cache',` - gen_require(` - type prelink_cache_t; - ') - - files_search_etc($1) - allow $1 prelink_cache_t:file read_file_perms; -') - -######################################## -## -## Delete the prelink cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_delete_cache',` - gen_require(` - type prelink_cache_t; - ') - - allow $1 prelink_cache_t:file unlink; - files_rw_etc_dirs($1) -') - -######################################## -## -## Create, read, write, and delete -## prelink log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_manage_log',` - gen_require(` - type prelink_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, prelink_log_t, prelink_log_t) -') - -######################################## -## -## Create, read, write, and delete -## prelink var_lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_manage_lib',` - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) -') - -######################################## -## -## Relabel from files in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_relabelfrom_lib',` - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) -') - -######################################## -## -## Relabel from files in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_relabel_lib',` - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) -') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te deleted file mode 100644 index 0faba2a..0000000 --- a/policy/modules/admin/prelink.te +++ /dev/null @@ -1,182 +0,0 @@ -policy_module(prelink, 1.9.1) - -######################################## -# -# Declarations - -attribute prelink_object; - -type prelink_t; -type prelink_exec_t; -init_system_domain(prelink_t, prelink_exec_t) -domain_obj_id_change_exemption(prelink_t) - -type prelink_cache_t; -files_type(prelink_cache_t) - -type prelink_cron_system_t; -type prelink_cron_system_exec_t; -domain_type(prelink_cron_system_t) -domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t) - -type prelink_log_t; -logging_log_file(prelink_log_t) - -type prelink_tmp_t; -files_tmp_file(prelink_tmp_t) - -type prelink_tmpfs_t; -files_tmpfs_file(prelink_tmpfs_t) - -type prelink_var_lib_t; -files_type(prelink_var_lib_t) - -######################################## -# -# Local policy -# - -allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource }; -allow prelink_t self:process { execheap execmem execstack signal }; -allow prelink_t self:fifo_file rw_fifo_file_perms; - -allow prelink_t prelink_cache_t:file manage_file_perms; -files_etc_filetrans(prelink_t, prelink_cache_t, file) - -allow prelink_t prelink_log_t:dir setattr; -create_files_pattern(prelink_t, prelink_log_t, prelink_log_t) -append_files_pattern(prelink_t, prelink_log_t, prelink_log_t) -read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) -logging_log_filetrans(prelink_t, prelink_log_t, file) - -allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; -files_tmp_filetrans(prelink_t, prelink_tmp_t, file) - -allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod }; -fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file) - -manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) -manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) -relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) -files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) -files_search_var_lib(prelink_t) - -# prelink misc objects that are not system -# libraries or entrypoints -allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms }; - -kernel_read_system_state(prelink_t) -kernel_read_kernel_sysctls(prelink_t) - -corecmd_manage_all_executables(prelink_t) -corecmd_relabel_all_executables(prelink_t) -corecmd_mmap_all_executables(prelink_t) -corecmd_read_bin_symlinks(prelink_t) - -dev_read_urand(prelink_t) -dev_getattr_all_chr_files(prelink_t) - -files_list_all(prelink_t) -files_getattr_all_files(prelink_t) -files_write_non_security_dirs(prelink_t) -files_read_etc_files(prelink_t) -files_read_etc_runtime_files(prelink_t) -files_dontaudit_read_all_symlinks(prelink_t) -files_manage_usr_files(prelink_t) -files_manage_var_files(prelink_t) -files_relabelfrom_usr_files(prelink_t) - -fs_getattr_xattr_fs(prelink_t) - -storage_getattr_fixed_disk_dev(prelink_t) - -selinux_get_enforce_mode(prelink_t) - -libs_exec_ld_so(prelink_t) -libs_legacy_use_shared_libs(prelink_t) -libs_manage_ld_so(prelink_t) -libs_relabel_ld_so(prelink_t) -libs_manage_shared_libs(prelink_t) -libs_relabel_shared_libs(prelink_t) -libs_delete_lib_symlinks(prelink_t) - -miscfiles_read_localization(prelink_t) - -userdom_use_user_terminals(prelink_t) -userdom_manage_user_home_content(prelink_t) -userdom_execmod_user_home_files(prelink_t) - -optional_policy(` - amanda_manage_lib(prelink_t) -') - -optional_policy(` - cron_system_entry(prelink_t, prelink_exec_t) -') - -optional_policy(` - nsplugin_manage_rw_files(prelink_t) -') - -optional_policy(` - rpm_manage_tmp_files(prelink_t) -') - -optional_policy(` - unconfined_domain(prelink_t) -') - -######################################## -# -# Prelink Cron system Policy -# - -optional_policy(` - allow prelink_cron_system_t self:capability setuid; - allow prelink_cron_system_t self:process { setsched setfscreate signal }; - allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; - allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; - - read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) - allow prelink_cron_system_t prelink_cache_t:file unlink; - files_delete_etc_dir_entry(prelink_cron_system_t) - - domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) - allow prelink_cron_system_t prelink_t:process noatsecure; - - manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t) - - manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) - files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) - allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto }; - - kernel_read_system_state(prelink_cron_system_t) - - corecmd_exec_bin(prelink_cron_system_t) - corecmd_exec_shell(prelink_cron_system_t) - - files_dontaudit_search_all_mountpoints(prelink_cron_system_t) - files_read_etc_files(prelink_cron_system_t) - files_search_var_lib(prelink_cron_system_t) - - init_telinit(prelink_cron_system_t) - - libs_exec_ld_so(prelink_cron_system_t) - - logging_search_logs(prelink_cron_system_t) - - miscfiles_read_localization(prelink_cron_system_t) - - cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) - - userdom_dontaudit_list_admin_dir(prelink_cron_system_t) - - optional_policy(` - rpm_read_db(prelink_cron_system_t) - ') -') -ifdef(`hide_broken_symptoms', ` - optional_policy(` - dbus_read_config(prelink_t) - ') -') diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc deleted file mode 100644 index f387230..0000000 --- a/policy/modules/admin/quota.fc +++ /dev/null @@ -1,19 +0,0 @@ -HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) - -/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) -/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -ifdef(`distro_redhat',` -/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) -',` -/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) -') diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if deleted file mode 100644 index 6382d3c..0000000 --- a/policy/modules/admin/quota.if +++ /dev/null @@ -1,84 +0,0 @@ -## File system quota management - -######################################## -## -## Execute quota management tools in the quota domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`quota_domtrans',` - gen_require(` - type quota_t, quota_exec_t; - ') - - domtrans_pattern($1, quota_exec_t, quota_t) -') - -######################################## -## -## Execute quota management tools in the quota domain, and -## allow the specified role the quota domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`quota_run',` - gen_require(` - type quota_t; - ') - - quota_domtrans($1) - role $2 types quota_t; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of filesystem quota data files. -## -## -## -## Domain to not audit. -## -## -# -interface(`quota_dontaudit_getattr_db',` - gen_require(` - type quota_db_t; - ') - - dontaudit $1 quota_db_t:file getattr; -') - -######################################## -## -## Create, read, write, and delete quota -## flag files. -## -## -## -## Domain allowed access. -## -## -# -interface(`quota_manage_flags',` - gen_require(` - type quota_flag_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, quota_flag_t, quota_flag_t) -') diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te deleted file mode 100644 index d47698a..0000000 --- a/policy/modules/admin/quota.te +++ /dev/null @@ -1,84 +0,0 @@ -policy_module(quota, 1.4.1) - -######################################## -# -# Declarations -# - -type quota_t; -type quota_exec_t; -init_system_domain(quota_t, quota_exec_t) - -type quota_db_t; -files_type(quota_db_t) - -type quota_flag_t; -files_type(quota_flag_t) - -######################################## -# -# Local policy -# - -allow quota_t self:capability { sys_admin dac_override }; -dontaudit quota_t self:capability sys_tty_config; -allow quota_t self:process signal_perms; - -# for /quota.* -allow quota_t quota_db_t:file { manage_file_perms quotaon }; -files_root_filetrans(quota_t, quota_db_t, file) -files_boot_filetrans(quota_t, quota_db_t, file) -files_etc_filetrans(quota_t, quota_db_t, file) -files_tmp_filetrans(quota_t, quota_db_t, file) -files_home_filetrans(quota_t, quota_db_t, file) -files_usr_filetrans(quota_t, quota_db_t, file) -files_var_filetrans(quota_t, quota_db_t, file) -files_spool_filetrans(quota_t, quota_db_t, file) - -kernel_list_proc(quota_t) -kernel_read_proc_symlinks(quota_t) -kernel_read_kernel_sysctls(quota_t) -kernel_setsched(quota_t) - -dev_read_sysfs(quota_t) -dev_getattr_all_blk_files(quota_t) -dev_getattr_all_chr_files(quota_t) - -fs_get_xattr_fs_quotas(quota_t) -fs_set_xattr_fs_quotas(quota_t) -fs_getattr_xattr_fs(quota_t) -fs_remount_xattr_fs(quota_t) -fs_search_auto_mountpoints(quota_t) - -mls_file_read_all_levels(quota_t) - -storage_raw_read_fixed_disk(quota_t) - -term_dontaudit_use_console(quota_t) - -domain_use_interactive_fds(quota_t) - -files_list_all(quota_t) -files_read_all_files(quota_t) -files_read_all_symlinks(quota_t) -files_getattr_all_pipes(quota_t) -files_getattr_all_sockets(quota_t) -files_getattr_all_file_type_fs(quota_t) -# Read /etc/mtab. -files_read_etc_runtime_files(quota_t) - -init_use_fds(quota_t) -init_use_script_ptys(quota_t) - -logging_send_syslog_msg(quota_t) - -userdom_use_user_terminals(quota_t) -userdom_dontaudit_use_unpriv_user_fds(quota_t) - -optional_policy(` - seutil_sigchld_newrole(quota_t) -') - -optional_policy(` - udev_read_db(quota_t) -') diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc deleted file mode 100644 index 7077413..0000000 --- a/policy/modules/admin/readahead.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) -/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) -/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if deleted file mode 100644 index 47c4723..0000000 --- a/policy/modules/admin/readahead.if +++ /dev/null @@ -1 +0,0 @@ -## Readahead, read files into page cache for improved performance diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te deleted file mode 100644 index c1aaa79..0000000 --- a/policy/modules/admin/readahead.te +++ /dev/null @@ -1,103 +0,0 @@ -policy_module(readahead, 1.11.1) - -######################################## -# -# Declarations -# - -type readahead_t; -type readahead_exec_t; -init_daemon_domain(readahead_t, readahead_exec_t) -application_domain(readahead_t, readahead_exec_t) - -type readahead_var_lib_t; -files_type(readahead_var_lib_t) -typealias readahead_var_lib_t alias readahead_etc_rw_t; - -type readahead_var_run_t; -files_pid_file(readahead_var_run_t) - -######################################## -# -# Local policy -# - -allow readahead_t self:capability { fowner dac_override dac_read_search }; -dontaudit readahead_t self:capability { net_admin sys_tty_config }; -allow readahead_t self:process { setsched signal_perms }; - -manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) -manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) -files_search_var_lib(readahead_t) - -manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) -files_pid_filetrans(readahead_t, readahead_var_run_t, file) - -kernel_read_all_sysctls(readahead_t) -kernel_read_system_state(readahead_t) -kernel_dontaudit_getattr_core_if(readahead_t) - -dev_read_sysfs(readahead_t) -dev_getattr_generic_chr_files(readahead_t) -dev_getattr_generic_blk_files(readahead_t) -dev_getattr_all_chr_files(readahead_t) -dev_getattr_all_blk_files(readahead_t) -dev_dontaudit_read_all_blk_files(readahead_t) -dev_dontaudit_getattr_memory_dev(readahead_t) -dev_dontaudit_getattr_nvram_dev(readahead_t) -# Early devtmpfs, before udev relabel -dev_dontaudit_rw_generic_chr_files(readahead_t) - -domain_use_interactive_fds(readahead_t) -domain_read_all_domains_state(readahead_t) - -files_list_non_security(readahead_t) -files_read_non_security_files(readahead_t) -files_dontaudit_read_security_files(readahead_t) -files_create_boot_flag(readahead_t) -files_getattr_all_pipes(readahead_t) -files_dontaudit_getattr_all_sockets(readahead_t) -files_dontaudit_getattr_non_security_blk_files(readahead_t) - -fs_getattr_all_fs(readahead_t) -fs_search_auto_mountpoints(readahead_t) -fs_getattr_all_pipes(readahead_t) -fs_getattr_all_files(readahead_t) -fs_read_cgroup_files(readahead_t) -fs_read_tmpfs_files(readahead_t) -fs_read_tmpfs_symlinks(readahead_t) -fs_list_inotifyfs(readahead_t) -fs_dontaudit_read_tmpfs_blk_dev(readahead_t) -fs_dontaudit_search_ramfs(readahead_t) -fs_dontaudit_read_ramfs_pipes(readahead_t) -fs_dontaudit_read_ramfs_files(readahead_t) -fs_dontaudit_use_tmpfs_chr_dev(readahead_t) - -mls_file_read_all_levels(readahead_t) - -storage_raw_read_fixed_disk(readahead_t) - -term_dontaudit_use_console(readahead_t) - -auth_dontaudit_read_shadow(readahead_t) - -init_use_fds(readahead_t) -init_use_script_ptys(readahead_t) -init_getattr_initctl(readahead_t) - -logging_send_syslog_msg(readahead_t) -logging_set_audit_parameters(readahead_t) -logging_dontaudit_search_audit_config(readahead_t) - -miscfiles_read_localization(readahead_t) - -userdom_dontaudit_use_unpriv_user_fds(readahead_t) -userdom_dontaudit_search_user_home_dirs(readahead_t) - -optional_policy(` - cron_system_entry(readahead_t, readahead_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(readahead_t) -') diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc deleted file mode 100644 index 48922c9..0000000 --- a/policy/modules/admin/rpm.fc +++ /dev/null @@ -1,58 +0,0 @@ - -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) -/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - -ifdef(`distro_redhat', ` -/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) -') - -/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - -/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - -/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) -/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) - -/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - -/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) -/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) - -# SuSE -ifdef(`distro_suse', ` -/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) -') - -ifdef(`enable_mls',` -/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) -') diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if deleted file mode 100644 index ddbb3af..0000000 --- a/policy/modules/admin/rpm.if +++ /dev/null @@ -1,690 +0,0 @@ -## Policy for the RPM package manager. - -######################################## -## -## Execute rpm programs in the rpm domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpm_domtrans',` - gen_require(` - type rpm_t, rpm_exec_t; - attribute rpm_transition_domain; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, rpm_exec_t, rpm_t) - typeattribute $1 rpm_transition_domain; - rpm_debuginfo_domtrans($1) -') - -######################################## -## -## Execute debuginfo_install programs in the rpm domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpm_debuginfo_domtrans',` - gen_require(` - type rpm_t; - type debuginfo_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, debuginfo_exec_t, rpm_t) -') - -######################################## -## -## Execute rpm_script programs in the rpm_script domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpm_domtrans_script',` - gen_require(` - type rpm_script_t; - ') - - # transition to rpm script: - corecmd_shell_domtrans($1, rpm_script_t) - allow rpm_script_t $1:fd use; - allow rpm_script_t $1:fifo_file rw_file_perms; - allow rpm_script_t $1:process sigchld; -') - -######################################## -## -## Execute RPM programs in the RPM domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the RPM domain. -## -## -## -# -interface(`rpm_run',` - gen_require(` - type rpm_t, rpm_script_t; - ') - - rpm_domtrans($1) - role $2 types rpm_t; - role $2 types rpm_script_t; - - domain_system_change_exemption($1) - role_transition $2 rpm_exec_t system_r; - allow $2 system_r; - - seutil_run_loadpolicy(rpm_script_t, $2) - seutil_run_semanage(rpm_script_t, $2) - seutil_run_setfiles(rpm_script_t, $2) -') - -######################################## -## -## Execute the rpm client in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_exec',` - gen_require(` - type rpm_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rpm_exec_t) -') - -######################################## -## -## Send a null signal to rpm. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_signull',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:process signull; -') - -######################################## -## -## Inherit and use file descriptors from RPM. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_use_fds',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fd use; -') - -######################################## -## -## Read from an unnamed RPM pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_pipes',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Read and write an unnamed RPM pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_rw_pipes',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## dontaudit read and write an leaked file descriptors -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_dontaudit_leaks',` - gen_require(` - type rpm_t, rpm_var_cache_t; - type rpm_script_t, rpm_var_run_t, rpm_tmp_t; - type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t; - ') - - dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms; - dontaudit $1 rpm_t:tcp_socket { read write }; - dontaudit $1 rpm_t:unix_dgram_socket { read write }; - dontaudit $1 rpm_t:shm rw_shm_perms; - - dontaudit $1 rpm_script_t:fd use; - dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; - - dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms; - - dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms; - dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; - dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms; - dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms; - dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms; - dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms; -') - -######################################## -## -## Send and receive messages from -## rpm over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_dbus_chat',` - gen_require(` - type rpm_t; - class dbus send_msg; - ') - - allow $1 rpm_t:dbus send_msg; - allow rpm_t $1:dbus send_msg; -') - -######################################## -## -## Do not audit attempts to send and -## receive messages from rpm over dbus. -## -## -## -## Domain to not audit. -## -## -# -interface(`rpm_dontaudit_dbus_chat',` - gen_require(` - type rpm_t; - class dbus send_msg; - ') - - dontaudit $1 rpm_t:dbus send_msg; - dontaudit rpm_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## rpm_script over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_script_dbus_chat',` - gen_require(` - type rpm_script_t; - class dbus send_msg; - ') - - allow $1 rpm_script_t:dbus send_msg; - allow rpm_script_t $1:dbus send_msg; -') - -######################################## -## -## Search RPM log directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_search_log',` - gen_require(` - type rpm_log_t; - ') - - allow $1 rpm_log_t:dir search_dir_perms; -') - -##################################### -## -## Allow the specified domain to append -## to rpm log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_append_log',` - gen_require(` - type rpm_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) -') - -######################################## -## -## Create, read, write, and delete the RPM log. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_log',` - gen_require(` - type rpm_log_t; - ') - - logging_rw_generic_log_dirs($1) - allow $1 rpm_log_t:file manage_file_perms; -') - -######################################## -## -## Inherit and use file descriptors from RPM scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_use_script_fds',` - gen_require(` - type rpm_script_t; - ') - - allow $1 rpm_script_t:fd use; -') - -######################################## -## -## Create, read, write, and delete RPM -## script temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_script_tmp_files',` - gen_require(` - type rpm_script_tmp_t; - ') - - files_search_tmp($1) - manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -') - -##################################### -## -## Allow the specified domain to append -## to rpm tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_append_tmp_files',` - gen_require(` - type rpm_tmp_t; - ') - - files_search_tmp($1) - append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) -') - -######################################## -## -## Create, read, write, and delete RPM -## temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_tmp_files',` - gen_require(` - type rpm_tmp_t; - ') - - files_search_tmp($1) - manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t) - manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) - manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t) -') - -######################################## -## -## Read RPM script temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_script_tmp_files',` - gen_require(` - type rpm_script_tmp_t; - ') - - read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -') - -######################################## -## -## Read the RPM cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_cache',` - gen_require(` - type rpm_var_cache_t; - ') - - files_search_var($1) - allow $1 rpm_var_cache_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) -') - -######################################## -## -## Create, read, write, and delete the RPM package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_cache',` - gen_require(` - type rpm_var_cache_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) -') - -######################################## -## -## Read the RPM package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 rpm_var_lib_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - rpm_read_cache($1) -') - -######################################## -## -## Delete the RPM package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_delete_db',` - gen_require(` - type rpm_var_lib_t; - ') - - delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete the RPM package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete the RPM package database. -## -## -## -## Domain to not audit. -## -## -# -interface(`rpm_dontaudit_manage_db',` - gen_require(` - type rpm_var_lib_t; - ') - - dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; - dontaudit $1 rpm_var_lib_t:file manage_file_perms; - dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; -') - -##################################### -## -## Read rpm pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_pid_files',` - gen_require(` - type rpm_var_run_t; - ') - - read_files_pattern($1, rpm_var_run_t, rpm_var_run_t) - files_search_pids($1) -') - -##################################### -## -## Create, read, write, and delete rpm pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_pid_files',` - gen_require(` - type rpm_var_run_t; - ') - - manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t) - files_search_pids($1) -') - -###################################### -## -## Create files in /var/run with the rpm pid file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_pid_filetrans',` - gen_require(` - type rpm_var_run_t; - ') - - files_pid_filetrans($1, rpm_var_run_t, file) -') - -######################################## -## -## Send a null signal to rpm. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_inherited_fifo',` - gen_require(` - attribute rpm_transition_domain; - ') - - allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms; -') - - -######################################## -## -## Make rpm_exec_t an entry point for -## the specified domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_entry_type',` - gen_require(` - type rpm_exec_t; - ') - - domain_entry_file($1, rpm_exec_t) -') - -######################################## -## -## Allow application to transition to rpm_script domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_transition_script',` - gen_require(` - type rpm_script_t; - attribute rpm_transition_domain; - ') - - typeattribute $1 rpm_transition_domain; - allow $1 rpm_script_t:process transition; - - allow $1 rpm_script_t:fd use; - allow rpm_script_t $1:fd use; - allow rpm_script_t $1:fifo_file rw_fifo_file_perms; - allow rpm_script_t $1:process sigchld; -') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te deleted file mode 100644 index bdba9c5..0000000 --- a/policy/modules/admin/rpm.te +++ /dev/null @@ -1,404 +0,0 @@ -policy_module(rpm, 1.11.1) - -attribute rpm_transition_domain; - -######################################## -# -# Declarations -# -type debuginfo_exec_t; -domain_entry_file(rpm_t, debuginfo_exec_t) - -type rpm_t; -type rpm_exec_t; -init_system_domain(rpm_t, rpm_exec_t) -domain_obj_id_change_exemption(rpm_t) -domain_role_change_exemption(rpm_t) -domain_system_change_exemption(rpm_t) -domain_interactive_fd(rpm_t) -role system_r types rpm_t; - -type rpm_file_t; -files_type(rpm_file_t) - -type rpm_tmp_t; -files_tmp_file(rpm_tmp_t) - -type rpm_tmpfs_t; -files_tmpfs_file(rpm_tmpfs_t) - -type rpm_log_t; -logging_log_file(rpm_log_t) - -type rpm_var_lib_t; -files_type(rpm_var_lib_t) -typealias rpm_var_lib_t alias var_lib_rpm_t; - -type rpm_var_cache_t; -files_type(rpm_var_cache_t) - -type rpm_var_run_t; -files_pid_file(rpm_var_run_t) - -type rpm_script_t; -type rpm_script_exec_t; -domain_obj_id_change_exemption(rpm_script_t) -domain_system_change_exemption(rpm_script_t) -corecmd_shell_entry_type(rpm_script_t) -corecmd_bin_entry_type(rpm_script_t) -domain_type(rpm_script_t) -domain_entry_file(rpm_t, rpm_script_exec_t) -domain_interactive_fd(rpm_script_t) -role system_r types rpm_script_t; - -type rpm_script_tmp_t; -files_tmp_file(rpm_script_tmp_t) - -type rpm_script_tmpfs_t; -files_tmpfs_file(rpm_script_tmpfs_t) - -######################################## -# -# rpm Local policy -# - -allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; - -allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; -allow rpm_t self:process { getattr setexec setfscreate setrlimit }; -allow rpm_t self:fd use; -allow rpm_t self:fifo_file rw_fifo_file_perms; -allow rpm_t self:unix_dgram_socket create_socket_perms; -allow rpm_t self:unix_stream_socket rw_stream_socket_perms; -allow rpm_t self:unix_dgram_socket sendto; -allow rpm_t self:unix_stream_socket connectto; -allow rpm_t self:udp_socket { connect }; -allow rpm_t self:udp_socket create_socket_perms; -allow rpm_t self:tcp_socket create_stream_socket_perms; -allow rpm_t self:shm create_shm_perms; -allow rpm_t self:sem create_sem_perms; -allow rpm_t self:msgq create_msgq_perms; -allow rpm_t self:msg { send receive }; -allow rpm_t self:dir search; -allow rpm_t self:file rw_file_perms;; - -allow rpm_t rpm_log_t:file manage_file_perms; -logging_log_filetrans(rpm_t, rpm_log_t, file) - -manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) -manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) -files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) -can_exec(rpm_t, rpm_tmp_t) - -manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -can_exec(rpm_t, rpm_tmpfs_t) - -manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) -manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) -files_var_filetrans(rpm_t, rpm_var_cache_t, dir) - -# Access /var/lib/rpm files -manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) -files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) - -manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) -manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) -files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir }) - -kernel_read_network_state(rpm_t) -kernel_read_system_state(rpm_t) -kernel_read_kernel_sysctls(rpm_t) -kernel_read_network_state_symlinks(rpm_t) - -corecmd_exec_all_executables(rpm_t) - -corenet_all_recvfrom_unlabeled(rpm_t) -corenet_all_recvfrom_netlabel(rpm_t) -corenet_tcp_sendrecv_generic_if(rpm_t) -corenet_raw_sendrecv_generic_if(rpm_t) -corenet_udp_sendrecv_generic_if(rpm_t) -corenet_tcp_sendrecv_generic_node(rpm_t) -corenet_raw_sendrecv_generic_node(rpm_t) -corenet_udp_sendrecv_generic_node(rpm_t) -corenet_tcp_sendrecv_all_ports(rpm_t) -corenet_udp_sendrecv_all_ports(rpm_t) -corenet_tcp_connect_all_ports(rpm_t) -corenet_sendrecv_all_client_packets(rpm_t) - -dev_list_sysfs(rpm_t) -dev_list_usbfs(rpm_t) -dev_read_urand(rpm_t) -dev_read_raw_memory(rpm_t) -#devices_manage_all_device_types(rpm_t) - -fs_getattr_all_dirs(rpm_t) -fs_list_inotifyfs(rpm_t) -fs_manage_nfs_dirs(rpm_t) -fs_manage_nfs_files(rpm_t) -fs_manage_nfs_symlinks(rpm_t) -fs_getattr_all_fs(rpm_t) -fs_search_auto_mountpoints(rpm_t) - -mls_file_read_all_levels(rpm_t) -mls_file_write_all_levels(rpm_t) -mls_file_upgrade(rpm_t) -mls_file_downgrade(rpm_t) - -selinux_get_fs_mount(rpm_t) -selinux_validate_context(rpm_t) -selinux_compute_access_vector(rpm_t) -selinux_compute_create_context(rpm_t) -selinux_compute_relabel_context(rpm_t) -selinux_compute_user_contexts(rpm_t) - -storage_raw_write_fixed_disk(rpm_t) -# for installing kernel packages -storage_raw_read_fixed_disk(rpm_t) - -term_list_ptys(rpm_t) - -auth_relabel_all_files_except_shadow(rpm_t) -auth_manage_all_files_except_shadow(rpm_t) -auth_dontaudit_read_shadow(rpm_t) -auth_use_nsswitch(rpm_t) - -# transition to rpm script: -rpm_domtrans_script(rpm_t) - -domain_read_all_domains_state(rpm_t) -domain_getattr_all_domains(rpm_t) -domain_dontaudit_ptrace_all_domains(rpm_t) -domain_use_interactive_fds(rpm_t) -domain_dontaudit_getattr_all_pipes(rpm_t) -domain_dontaudit_getattr_all_tcp_sockets(rpm_t) -domain_dontaudit_getattr_all_udp_sockets(rpm_t) -domain_dontaudit_getattr_all_packet_sockets(rpm_t) -domain_dontaudit_getattr_all_raw_sockets(rpm_t) -domain_dontaudit_getattr_all_stream_sockets(rpm_t) -domain_dontaudit_getattr_all_dgram_sockets(rpm_t) - -files_exec_etc_files(rpm_t) - -init_domtrans_script(rpm_t) -init_use_script_ptys(rpm_t) - -libs_exec_ld_so(rpm_t) -libs_exec_lib_files(rpm_t) -libs_domtrans_ldconfig(rpm_t) - -logging_send_syslog_msg(rpm_t) - -# allow compiling and loading new policy -seutil_manage_src_policy(rpm_t) -seutil_manage_bin_policy(rpm_t) - -userdom_use_user_terminals(rpm_t) -userdom_use_unpriv_users_fds(rpm_t) - -optional_policy(` - cron_system_entry(rpm_t, rpm_exec_t) -') - -optional_policy(` - dbus_system_domain(rpm_t, rpm_exec_t) - dbus_system_domain(rpm_t, debuginfo_exec_t) - - optional_policy(` - hal_dbus_chat(rpm_t) - ') - - optional_policy(` - networkmanager_dbus_chat(rpm_t) - ') - -') - -optional_policy(` - prelink_domtrans(rpm_t) -') - -optional_policy(` - unconfined_domain_noaudit(rpm_t) - # yum-updatesd requires this - unconfined_dbus_chat(rpm_t) - unconfined_dbus_chat(rpm_script_t) -') - -######################################## -# -# rpm-script Local policy -# - -allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin }; -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; -allow rpm_script_t self:fd use; -allow rpm_script_t self:fifo_file rw_fifo_file_perms; -allow rpm_script_t self:unix_dgram_socket create_socket_perms; -allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms; -allow rpm_script_t self:unix_dgram_socket sendto; -allow rpm_script_t self:unix_stream_socket connectto; -allow rpm_script_t self:shm create_shm_perms; -allow rpm_script_t self:sem create_sem_perms; -allow rpm_script_t self:msgq create_msgq_perms; -allow rpm_script_t self:msg { send receive }; -allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; - -allow rpm_script_t rpm_tmp_t:file read_file_perms; - -allow rpm_script_t rpm_script_tmp_t:dir mounton; -manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) - -manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(rpm_script_t) -kernel_read_system_state(rpm_script_t) -kernel_read_network_state(rpm_script_t) -kernel_list_all_proc(rpm_script_t) -kernel_read_software_raid_state(rpm_script_t) - -dev_list_sysfs(rpm_script_t) - -# ideally we would not need this -dev_manage_generic_blk_files(rpm_script_t) -dev_manage_generic_chr_files(rpm_script_t) -dev_manage_all_blk_files(rpm_script_t) -dev_manage_all_chr_files(rpm_script_t) - -fs_manage_nfs_files(rpm_script_t) -fs_getattr_nfs(rpm_script_t) -fs_search_all(rpm_script_t) -fs_getattr_all_fs(rpm_script_t) -# why is this not using mount? -fs_getattr_xattr_fs(rpm_script_t) -fs_mount_xattr_fs(rpm_script_t) -fs_unmount_xattr_fs(rpm_script_t) -fs_search_auto_mountpoints(rpm_script_t) - -mcs_killall(rpm_script_t) -mcs_ptrace_all(rpm_script_t) - -mls_file_read_all_levels(rpm_script_t) -mls_file_write_all_levels(rpm_script_t) - -selinux_get_fs_mount(rpm_script_t) -selinux_validate_context(rpm_script_t) -selinux_compute_access_vector(rpm_script_t) -selinux_compute_create_context(rpm_script_t) -selinux_compute_relabel_context(rpm_script_t) -selinux_compute_user_contexts(rpm_script_t) - -storage_raw_read_fixed_disk(rpm_script_t) -storage_raw_write_fixed_disk(rpm_script_t) - -term_getattr_unallocated_ttys(rpm_script_t) -term_list_ptys(rpm_script_t) -term_use_all_terms(rpm_script_t) - -auth_dontaudit_getattr_shadow(rpm_script_t) -auth_use_nsswitch(rpm_script_t) -# ideally we would not need this -auth_manage_all_files_except_shadow(rpm_script_t) -auth_relabel_shadow(rpm_script_t) - -corecmd_exec_all_executables(rpm_script_t) -can_exec(rpm_script_t, rpm_script_tmp_t) -can_exec(rpm_script_t, rpm_script_tmpfs_t) - -domain_read_all_domains_state(rpm_script_t) -domain_getattr_all_domains(rpm_script_t) -domain_dontaudit_ptrace_all_domains(rpm_script_t) -domain_use_interactive_fds(rpm_script_t) -domain_signal_all_domains(rpm_script_t) -domain_signull_all_domains(rpm_script_t) - -files_exec_etc_files(rpm_script_t) -files_read_etc_runtime_files(rpm_script_t) -files_exec_usr_files(rpm_script_t) -files_relabel_all_files(rpm_script_t) - -init_domtrans_script(rpm_script_t) -init_telinit(rpm_script_t) - -libs_exec_ld_so(rpm_script_t) -libs_exec_lib_files(rpm_script_t) -libs_domtrans_ldconfig(rpm_script_t) - -logging_send_syslog_msg(rpm_script_t) - -miscfiles_read_localization(rpm_script_t) - -modutils_domtrans_depmod(rpm_script_t) -modutils_domtrans_insmod(rpm_script_t) - -seutil_domtrans_loadpolicy(rpm_script_t) -seutil_domtrans_setfiles(rpm_script_t) -seutil_domtrans_semanage(rpm_script_t) -seutil_domtrans_setsebool(rpm_script_t) - -userdom_use_all_users_fds(rpm_script_t) -userdom_exec_admin_home_files(rpm_script_t) - -ifdef(`distro_redhat',` - optional_policy(` - mta_send_mail(rpm_script_t) - mta_system_content(rpm_var_run_t) - ') -') - -tunable_policy(`allow_execmem',` - allow rpm_script_t self:process execmem; -') - -optional_policy(` - bootloader_domtrans(rpm_script_t) -') - -optional_policy(` - dbus_system_bus_client(rpm_script_t) -') - -optional_policy(` - lvm_domtrans(rpm_script_t) -') - -optional_policy(` - tzdata_domtrans(rpm_t) - tzdata_domtrans(rpm_script_t) -') - -optional_policy(` - udev_domtrans(rpm_script_t) -') - -optional_policy(` - unconfined_domain_noaudit(rpm_script_t) - unconfined_domtrans(rpm_script_t) - unconfined_execmem_domtrans(rpm_script_t) - - optional_policy(` - java_domtrans_unconfined(rpm_script_t) - ') - - optional_policy(` - mono_domtrans(rpm_script_t) - ') -') - -optional_policy(` - usermanage_domtrans_groupadd(rpm_script_t) - usermanage_domtrans_useradd(rpm_script_t) -') diff --git a/policy/modules/admin/sectoolm.fc b/policy/modules/admin/sectoolm.fc deleted file mode 100644 index 1ed6870..0000000 --- a/policy/modules/admin/sectoolm.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) - -/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) -/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) diff --git a/policy/modules/admin/sectoolm.if b/policy/modules/admin/sectoolm.if deleted file mode 100644 index 9007451..0000000 --- a/policy/modules/admin/sectoolm.if +++ /dev/null @@ -1,2 +0,0 @@ -## Sectool security audit tool - diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te deleted file mode 100644 index c8ef84b..0000000 --- a/policy/modules/admin/sectoolm.te +++ /dev/null @@ -1,106 +0,0 @@ -policy_module(sectoolm, 1.0.0) - -######################################## -# -# Declarations -# - -type sectoolm_t; -type sectoolm_exec_t; -dbus_system_domain(sectoolm_t, sectoolm_exec_t) - -type sectool_var_lib_t; -files_type(sectool_var_lib_t) - -type sectool_var_log_t; -logging_log_file(sectool_var_log_t) - -type sectool_tmp_t; -files_tmp_file(sectool_tmp_t) - -######################################## -# -# sectool local policy -# - -allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; -allow sectoolm_t self:process { getcap getsched signull setsched }; -dontaudit sectoolm_t self:process { execstack execmem }; -allow sectoolm_t self:fifo_file rw_fifo_file_perms; -allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto }; - -manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) -manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) -files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir }) - -manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) -manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) -files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir }) - -manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t) -logging_log_filetrans(sectoolm_t, sectool_var_log_t, file) - -kernel_read_net_sysctls(sectoolm_t) -kernel_read_network_state(sectoolm_t) -kernel_read_kernel_sysctls(sectoolm_t) - -corecmd_exec_bin(sectoolm_t) -corecmd_exec_shell(sectoolm_t) - -dev_read_sysfs(sectoolm_t) -dev_read_urand(sectoolm_t) -dev_getattr_all_blk_files(sectoolm_t) -dev_getattr_all_chr_files(sectoolm_t) - -domain_getattr_all_domains(sectoolm_t) -domain_read_all_domains_state(sectoolm_t) - -files_getattr_all_pipes(sectoolm_t) -files_getattr_all_sockets(sectoolm_t) -files_read_all_files(sectoolm_t) -files_read_all_symlinks(sectoolm_t) - -fs_getattr_all_fs(sectoolm_t) -fs_list_noxattr_fs(sectoolm_t) - -selinux_validate_context(sectoolm_t) - -# tcp_wrappers test -application_exec_all(sectoolm_t) - -auth_use_nsswitch(sectoolm_t) - -# tests related to network -hostname_exec(sectoolm_t) - -# tests related to network -iptables_domtrans(sectoolm_t) - -libs_exec_ld_so(sectoolm_t) - -logging_send_syslog_msg(sectoolm_t) - -# tests related to network -sysnet_domtrans_ifconfig(sectoolm_t) - -userdom_manage_user_tmp_sockets(sectoolm_t) - -optional_policy(` - mount_exec(sectoolm_t) -') - -optional_policy(` - policykit_dbus_chat(sectoolm_t) -') - -# suid test using -# rpm -Vf option -optional_policy(` - prelink_domtrans(sectoolm_t) -') - -optional_policy(` - rpm_exec(sectoolm_t) - rpm_dontaudit_manage_db(sectoolm_t) -') - diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc deleted file mode 100644 index 029cb7e..0000000 --- a/policy/modules/admin/shorewall.fc +++ /dev/null @@ -1,14 +0,0 @@ -/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) -/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) - -/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) -/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) - -/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) -/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) - -/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) - -/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if deleted file mode 100644 index f198119..0000000 --- a/policy/modules/admin/shorewall.if +++ /dev/null @@ -1,202 +0,0 @@ -## Shoreline Firewall high-level tool for configuring netfilter - -######################################## -## -## Execute a domain transition to run shorewall. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`shorewall_domtrans',` - gen_require(` - type shorewall_t, shorewall_exec_t; - ') - - domtrans_pattern($1, shorewall_exec_t, shorewall_t) -') - -###################################### -## -## Execute a domain transition to run shorewall. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`shorewall_domtrans_lib',` - gen_require(` - type shorewall_t, shorewall_var_lib_t; - ') - - domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) -') - -####################################### -## -## Read shorewall etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_config',` - gen_require(` - type shorewall_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) -') - -####################################### -## -## Read shorewall PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_pid_files',` - gen_require(` - type shorewall_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - -####################################### -## -## Read and write shorewall PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_rw_pid_files',` - gen_require(` - type shorewall_var_run_t; - ') - - files_search_pids($1) - rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - -###################################### -## -## Read shorewall /var/lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_lib_files',` - gen_require(` - type shorewall_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) - read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -') - -####################################### -## -## Read and write shorewall /var/lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_rw_lib_files',` - gen_require(` - type shorewall_var_lib_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) - rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -') - -####################################### -## -## Read shorewall tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_tmp_files',` - gen_require(` - type shorewall_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t) -') - -####################################### -## -## All of the rules required to administrate -## an shorewall environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -# -interface(`shorewall_admin',` - gen_require(` - type shorewall_t, shorewall_lock_t; - type shorewall_log_t; - type shorewall_initrc_exec_t, shorewall_var_lib_t; - type shorewall_tmp_t, shorewall_etc_t; - ') - - allow $1 shorewall_t:process { ptrace signal_perms }; - ps_process_pattern($1, shorewall_t) - - init_labeled_script_domtrans($1, shorewall_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 shorewall_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, shorewall_etc_t) - - files_list_locks($1) - admin_pattern($1, shorewall_lock_t) - - files_list_var_lib($1) - admin_pattern($1, shorewall_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, shorewall_log_t) - - files_list_tmp($1) - admin_pattern($1, shorewall_tmp_t) -') diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te deleted file mode 100644 index ffc0571..0000000 --- a/policy/modules/admin/shorewall.te +++ /dev/null @@ -1,113 +0,0 @@ -policy_module(shorewall, 1.1.1) - -######################################## -# -# Declarations -# - -type shorewall_t; -type shorewall_exec_t; -init_daemon_domain(shorewall_t, shorewall_exec_t) - -type shorewall_initrc_exec_t; -init_script_file(shorewall_initrc_exec_t) - -# etc files -type shorewall_etc_t; -files_config_file(shorewall_etc_t) - -# lock files -type shorewall_lock_t; -files_lock_file(shorewall_lock_t) - -# tmp files -type shorewall_tmp_t; -files_tmp_file(shorewall_tmp_t) - -# var/lib files -type shorewall_var_lib_t; -files_type(shorewall_var_lib_t) - -type shorewall_log_t; -logging_log_file(shorewall_log_t) - -######################################## -# -# shorewall local policy -# - -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; -dontaudit shorewall_t self:capability sys_tty_config; -allow shorewall_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) -list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) - -manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) -files_lock_filetrans(shorewall_t, shorewall_lock_t, file) - -manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) - -manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) -manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) -files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir }) - -exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) -manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) -manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) -files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) -allow shorewall_t shorewall_var_lib_t:file entrypoint; - -allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; - -kernel_read_kernel_sysctls(shorewall_t) -kernel_read_network_state(shorewall_t) -kernel_read_system_state(shorewall_t) -kernel_rw_net_sysctls(shorewall_t) - -corecmd_exec_bin(shorewall_t) -corecmd_exec_shell(shorewall_t) - -dev_read_urand(shorewall_t) - -domain_read_all_domains_state(shorewall_t) - -files_getattr_kernel_modules(shorewall_t) -files_read_etc_files(shorewall_t) -files_read_usr_files(shorewall_t) -files_search_kernel_modules(shorewall_t) - -fs_getattr_all_fs(shorewall_t) - -init_rw_utmp(shorewall_t) - -logging_read_generic_logs(shorewall_t) -logging_send_syslog_msg(shorewall_t) - -miscfiles_read_localization(shorewall_t) - -sysnet_domtrans_ifconfig(shorewall_t) - -userdom_dontaudit_list_admin_dir(shorewall_t) - -optional_policy(` - brctl_domtrans(shorewall_t) -') - -optional_policy(` - hostname_exec(shorewall_t) -') - -optional_policy(` - iptables_domtrans(shorewall_t) -') - -optional_policy(` - modutils_domtrans_insmod(shorewall_t) -') - -optional_policy(` - ulogd_search_log(shorewall_t) -') diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc deleted file mode 100644 index 09c3771..0000000 --- a/policy/modules/admin/shutdown.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) - -/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - -/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) - -/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if deleted file mode 100644 index 914e1ac..0000000 --- a/policy/modules/admin/shutdown.if +++ /dev/null @@ -1,135 +0,0 @@ -## System shutdown command - -######################################## -## -## Execute a domain transition to run shutdown. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`shutdown_domtrans',` - gen_require(` - type shutdown_t, shutdown_exec_t; - ') - - domtrans_pattern($1, shutdown_exec_t, shutdown_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit shutdown_t $1:socket_class_set { read write }; - dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; - ') -') - - -######################################## -## -## Execute shutdown in the shutdown domain, and -## allow the specified role the shutdown domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`shutdown_run',` - gen_require(` - type shutdown_t; - ') - - shutdown_domtrans($1) - role $2 types shutdown_t; -') - -######################################## -## -## Role access for shutdown -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`shutdown_role',` - gen_require(` - type shutdown_t; - ') - - role $1 types shutdown_t; - - shutdown_domtrans($2) - - ps_process_pattern($2, shutdown_t) - allow $2 shutdown_t:process signal; -') - -######################################## -## -## Recieve sigchld from shutdown -## -## -## -## Domain allowed access -## -## -# -interface(`shutdown_send_sigchld',` - gen_require(` - type shutdown_t; - ') - - allow shutdown_t $1:process signal; -') - -######################################## -## -## Send and receive messages from -## shutdown over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`shutdown_dbus_chat',` - gen_require(` - type shutdown_t; - class dbus send_msg; - ') - - allow $1 shutdown_t:dbus send_msg; - allow shutdown_t $1:dbus send_msg; -') - -######################################## -## -## Get attributes of shutdown executable. -## -## -## -## Domain allowed access. -## -## -# -interface(`shutdown_getattr_exec_files',` - gen_require(` - type shutdown_exec_t; - ') - - allow $1 shutdown_exec_t:file getattr; -') diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te deleted file mode 100644 index eb63a79..0000000 --- a/policy/modules/admin/shutdown.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(shutdown, 1.0.0) - -######################################## -# -# Declarations -# - -type shutdown_t; -type shutdown_exec_t; -application_domain(shutdown_t, shutdown_exec_t) -role system_r types shutdown_t; - -type shutdown_etc_t; -files_config_file(shutdown_etc_t) - -type shutdown_var_run_t; -files_pid_file(shutdown_var_run_t) - -######################################## -# -# shutdown local policy -# - -allow shutdown_t self:capability { dac_override kill setuid sys_tty_config }; -allow shutdown_t self:process { fork signal signull }; - -allow shutdown_t self:fifo_file manage_fifo_file_perms; -allow shutdown_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t) -files_etc_filetrans(shutdown_t, shutdown_etc_t, file) - -manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) -files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) - -files_read_etc_files(shutdown_t) -files_read_generic_pids(shutdown_t) - -mls_file_write_to_clearance(shutdown_t) - -term_use_all_terms(shutdown_t) - -auth_use_nsswitch(shutdown_t) -auth_write_login_records(shutdown_t) - -init_rw_utmp(shutdown_t) -init_telinit(shutdown_t) - -logging_search_logs(shutdown_t) -logging_send_audit_msgs(shutdown_t) - -miscfiles_read_localization(shutdown_t) - -optional_policy(` - dbus_system_bus_client(shutdown_t) - dbus_connect_system_bus(shutdown_t) -') - -optional_policy(` - oddjob_dontaudit_rw_fifo_file(shutdown_t) - oddjob_sigchld(shutdown_t) -') - -optional_policy(` - xserver_dontaudit_write_log(shutdown_t) -') diff --git a/policy/modules/admin/smoltclient.fc b/policy/modules/admin/smoltclient.fc deleted file mode 100644 index 47cc440..0000000 --- a/policy/modules/admin/smoltclient.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) - diff --git a/policy/modules/admin/smoltclient.if b/policy/modules/admin/smoltclient.if deleted file mode 100644 index a54079b..0000000 --- a/policy/modules/admin/smoltclient.if +++ /dev/null @@ -1 +0,0 @@ -## The Fedora hardware profiler client diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te deleted file mode 100644 index f48e9dd..0000000 --- a/policy/modules/admin/smoltclient.te +++ /dev/null @@ -1,68 +0,0 @@ -policy_module(smoltclient, 1.0.1) - -######################################## -# -# Declarations -# - -type smoltclient_t; -type smoltclient_exec_t; -application_domain(smoltclient_t, smoltclient_exec_t) -cron_system_entry(smoltclient_t, smoltclient_exec_t) - -type smoltclient_tmp_t; -files_tmp_file(smoltclient_tmp_t) - -######################################## -# -# Local policy -# - -allow smoltclient_t self:process { setsched getsched }; - -allow smoltclient_t self:fifo_file rw_fifo_file_perms; -allow smoltclient_t self:tcp_socket create_socket_perms; -allow smoltclient_t self:udp_socket create_socket_perms; - -can_exec(smoltclient_t, smoltclient_tmp_t) -manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) -manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) -files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file }) - -kernel_read_system_state(smoltclient_t) -kernel_read_network_state(smoltclient_t) -kernel_read_kernel_sysctls(smoltclient_t) - -corecmd_exec_bin(smoltclient_t) -corecmd_exec_shell(smoltclient_t) - -corenet_tcp_connect_http_port(smoltclient_t) - -dev_read_sysfs(smoltclient_t) - -fs_getattr_all_fs(smoltclient_t) -fs_getattr_all_dirs(smoltclient_t) -fs_list_auto_mountpoints(smoltclient_t) - -files_getattr_generic_locks(smoltclient_t) -files_read_etc_files(smoltclient_t) -files_read_usr_files(smoltclient_t) - -auth_use_nsswitch(smoltclient_t) - -logging_send_syslog_msg(smoltclient_t) - -miscfiles_read_localization(smoltclient_t) - -optional_policy(` - dbus_system_bus_client(smoltclient_t) -') - -optional_policy(` - hal_dbus_chat(smoltclient_t) -') - -optional_policy(` - rpm_exec(smoltclient_t) - rpm_read_db(smoltclient_t) -') diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc deleted file mode 100644 index 688abc2..0000000 --- a/policy/modules/admin/su.fc +++ /dev/null @@ -1,5 +0,0 @@ - -/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) - -/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) -/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if deleted file mode 100644 index 1b60ad8..0000000 --- a/policy/modules/admin/su.if +++ /dev/null @@ -1,339 +0,0 @@ -## Run shells with substitute user and group - -####################################### -## -## Restricted su domain template. -## -## -##

-## This template creates a derived domain which is allowed -## to change the linux user id, to run shells as a different -## user. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. -## -## -# -template(`su_restricted_domain_template', ` - gen_require(` - type su_exec_t; - ') - - type $1_su_t; - domain_entry_file($1_su_t, su_exec_t) - domain_type($1_su_t) - domain_interactive_fd($1_su_t) - role $3 types $1_su_t; - - allow $2 $1_su_t:process signal; - - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; - dontaudit $1_su_t self:capability sys_tty_config; - allow $1_su_t self:key { search write }; - allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - allow $1_su_t self:unix_stream_socket create_stream_socket_perms; - - # Transition from the user domain to this domain. - domtrans_pattern($2, su_exec_t, $1_su_t) - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_su_t,$2) - allow $2 $1_su_t:fd use; - allow $2 $1_su_t:fifo_file rw_file_perms; - allow $2 $1_su_t:process sigchld; - - kernel_read_system_state($1_su_t) - kernel_read_kernel_sysctls($1_su_t) - kernel_search_key($1_su_t) - kernel_link_key($1_su_t) - - # for SSP - dev_read_urand($1_su_t) - - files_read_etc_files($1_su_t) - files_read_etc_runtime_files($1_su_t) - files_search_var_lib($1_su_t) - files_dontaudit_getattr_tmp_dirs($1_su_t) - - # for the rootok check - selinux_compute_access_vector($1_su_t) - - auth_domtrans_chk_passwd($1_su_t) - auth_dontaudit_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) - auth_rw_faillog($1_su_t) - - domain_use_interactive_fds($1_su_t) - - init_dontaudit_use_fds($1_su_t) - init_dontaudit_use_script_ptys($1_su_t) - # Write to utmp. - init_rw_utmp($1_su_t) - - logging_send_syslog_msg($1_su_t) - - miscfiles_read_localization($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora - auth_domtrans_upd_passwd($1_su_t) - - optional_policy(` - locallogin_search_keys($1_su_t) - ') - ') - - ifdef(`distro_rhel4',` - domain_role_change_exemption($1_su_t) - domain_subj_id_change_exemption($1_su_t) - domain_obj_id_change_exemption($1_su_t) - - selinux_get_fs_mount($1_su_t) - selinux_validate_context($1_su_t) - selinux_compute_access_vector($1_su_t) - selinux_compute_create_context($1_su_t) - selinux_compute_relabel_context($1_su_t) - selinux_compute_user_contexts($1_su_t) - - seutil_read_config($1_su_t) - seutil_read_default_contexts($1_su_t) - - # Only allow transitions to unprivileged user domains. - userdom_spec_domtrans_unpriv_users($1_su_t) - ') - - ifdef(`hide_broken_symptoms',` - # dontaudit leaked sockets from parent - dontaudit $1_su_t $2:socket_class_set { read write }; - ') - - optional_policy(` - cron_read_pipes($1_su_t) - ') - - optional_policy(` - kerberos_use($1_su_t) - ') - - optional_policy(` - # used when the password has expired - usermanage_read_crack_db($1_su_t) - ') - - ifdef(`TODO',` - # Caused by su - init scripts - dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; - ') dnl end TODO -') - -####################################### -## -## The role template for the su module. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`su_role_template',` - gen_require(` - attribute su_domain_type; - type su_exec_t; - bool secure_mode; - ') - - type $1_su_t, su_domain_type; - domain_entry_file($1_su_t, su_exec_t) - domain_type($1_su_t) - domain_interactive_fd($1_su_t) - ubac_constrained($1_su_t) - role $2 types $1_su_t; - - allow $3 $1_su_t:process signal; - - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; - dontaudit $1_su_t self:capability sys_tty_config; - allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - allow $1_su_t self:key { search write }; - - # Transition from the user domain to this domain. - domtrans_pattern($3, su_exec_t, $1_su_t) - - ps_process_pattern($3, $1_su_t) - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_su_t, $3) - allow $3 $1_su_t:fd use; - allow $3 $1_su_t:fifo_file rw_file_perms; - allow $3 $1_su_t:process sigchld; - - kernel_read_system_state($1_su_t) - kernel_read_kernel_sysctls($1_su_t) - kernel_search_key($1_su_t) - kernel_link_key($1_su_t) - - # for SSP - dev_read_urand($1_su_t) - - fs_search_auto_mountpoints($1_su_t) - - # needed for pam_rootok - selinux_compute_access_vector($1_su_t) - - auth_domtrans_chk_passwd($1_su_t) - auth_dontaudit_read_shadow($1_su_t) - auth_use_pam($1_su_t) - auth_rw_faillog($1_su_t) - - corecmd_search_bin($1_su_t) - - domain_use_interactive_fds($1_su_t) - - files_read_etc_files($1_su_t) - files_read_etc_runtime_files($1_su_t) - files_search_var_lib($1_su_t) - files_dontaudit_getattr_tmp_dirs($1_su_t) - - init_dontaudit_use_fds($1_su_t) - # Write to utmp. - init_rw_utmp($1_su_t) - - mls_file_write_all_levels($1_su_t) - - logging_send_syslog_msg($1_su_t) - - miscfiles_read_localization($1_su_t) - - userdom_use_user_terminals($1_su_t) - userdom_search_user_home_dirs($1_su_t) - userdom_search_admin_dir($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora - auth_domtrans_upd_passwd($1_su_t) - - optional_policy(` - locallogin_search_keys($1_su_t) - ') - ') - - ifdef(`distro_rhel4',` - domain_role_change_exemption($1_su_t) - domain_subj_id_change_exemption($1_su_t) - domain_obj_id_change_exemption($1_su_t) - - selinux_get_fs_mount($1_su_t) - selinux_validate_context($1_su_t) - selinux_compute_create_context($1_su_t) - selinux_compute_relabel_context($1_su_t) - selinux_compute_user_contexts($1_su_t) - - # Relabel ttys and ptys. - term_relabel_all_ttys($1_su_t) - term_relabel_all_ptys($1_su_t) - # Close and re-open ttys and ptys to get the fd into the correct domain. - term_use_all_ttys($1_su_t) - term_use_all_ptys($1_su_t) - - seutil_read_config($1_su_t) - seutil_read_default_contexts($1_su_t) - - if(secure_mode) { - # Only allow transitions to unprivileged user domains. - userdom_spec_domtrans_unpriv_users($1_su_t) - } else { - # Allow transitions to all user domains - userdom_spec_domtrans_all_users($1_su_t) - } - - optional_policy(` - unconfined_domtrans($1_su_t) - unconfined_signal($1_su_t) - ') - ') - - ifdef(`hide_broken_symptoms',` - # dontaudit leaked sockets from parent - dontaudit $1_su_t $3:socket_class_set { read write }; - ') - - tunable_policy(`allow_polyinstantiation',` - fs_mount_xattr_fs($1_su_t) - fs_unmount_xattr_fs($1_su_t) - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_search_nfs($1_su_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_search_cifs($1_su_t) - ') - - optional_policy(` - cron_read_pipes($1_su_t) - ') - - optional_policy(` - kerberos_use($1_su_t) - ') - - optional_policy(` - # used when the password has expired - usermanage_read_crack_db($1_su_t) - ') - - # Modify .Xauthority file (via xauth program). - optional_policy(` - xserver_user_home_dir_filetrans_user_xauth($1_su_t) - xserver_domtrans_xauth($1_su_t) - ') -') - -####################################### -## -## Execute su in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`su_exec',` - gen_require(` - type su_exec_t; - ') - - can_exec($1, su_exec_t) -') diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te deleted file mode 100644 index b62353a..0000000 --- a/policy/modules/admin/su.te +++ /dev/null @@ -1,11 +0,0 @@ -policy_module(su, 1.10.1) - -######################################## -# -# Declarations -# - -attribute su_domain_type; - -type su_exec_t; -corecmd_executable_file(su_exec_t) diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc deleted file mode 100644 index 2b59ed0..0000000 --- a/policy/modules/admin/sudo.fc +++ /dev/null @@ -1,4 +0,0 @@ - -/usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0) - -/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if deleted file mode 100644 index bb95e79..0000000 --- a/policy/modules/admin/sudo.if +++ /dev/null @@ -1,191 +0,0 @@ -## Execute a command with a substitute user - -####################################### -## -## The role template for the sudo module. -## -## -##

-## This template creates a derived domain which is allowed -## to change the linux user id, to run commands as a different -## user. -##

-##
-## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## The user role. -## -## -## -## -## The user domain associated with the role. -## -## -# -template(`sudo_role_template',` - - gen_require(` - type sudo_exec_t; - type sudo_db_t; - attribute sudodomain; - ') - - ############################## - # - # Declarations - # - - type $1_sudo_t, sudodomain; - application_domain($1_sudo_t, sudo_exec_t) - domain_interactive_fd($1_sudo_t) - domain_role_change_exemption($1_sudo_t) - ubac_constrained($1_sudo_t) - role $2 types $1_sudo_t; - - manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t) - manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t) - - ############################## - # - # Local Policy - # - - # Use capabilities. - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_sudo_t self:process { setexec setrlimit }; - allow $1_sudo_t self:fd use; - allow $1_sudo_t self:fifo_file rw_fifo_file_perms; - allow $1_sudo_t self:shm create_shm_perms; - allow $1_sudo_t self:sem create_sem_perms; - allow $1_sudo_t self:msgq create_msgq_perms; - allow $1_sudo_t self:msg { send receive }; - allow $1_sudo_t self:unix_dgram_socket create_socket_perms; - allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; - allow $1_sudo_t self:unix_dgram_socket sendto; - allow $1_sudo_t self:unix_stream_socket connectto; - allow $1_sudo_t self:key manage_key_perms; - - allow $1_sudo_t $3:key search; - - # Enter this derived domain from the user domain - domtrans_pattern($3, sudo_exec_t, $1_sudo_t) - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_sudo_t, $3) - corecmd_bin_domtrans($1_sudo_t, $3) - userdom_domtrans_user_home($1_sudo_t, $3) - userdom_domtrans_user_tmp($1_sudo_t, $3) - allow $3 $1_sudo_t:fd use; - allow $3 $1_sudo_t:fifo_file rw_file_perms; - allow $3 $1_sudo_t:process signal_perms; - - kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) - kernel_link_key($1_sudo_t) - - corecmd_read_bin_symlinks($1_sudo_t) - corecmd_exec_all_executables($1_sudo_t) - - dev_read_urand($1_sudo_t) - dev_rw_generic_usb_dev($1_sudo_t) - dev_read_sysfs($1_sudo_t) - - domain_use_interactive_fds($1_sudo_t) - domain_sigchld_interactive_fds($1_sudo_t) - domain_getattr_all_entry_files($1_sudo_t) - - files_read_etc_files($1_sudo_t) - files_read_var_files($1_sudo_t) - files_read_usr_symlinks($1_sudo_t) - files_getattr_usr_files($1_sudo_t) - # for some PAM modules and for cwd - files_dontaudit_search_home($1_sudo_t) - files_list_tmp($1_sudo_t) - - fs_search_auto_mountpoints($1_sudo_t) - fs_getattr_xattr_fs($1_sudo_t) - - selinux_validate_context($1_sudo_t) - selinux_compute_relabel_context($1_sudo_t) - - term_relabel_all_ttys($1_sudo_t) - term_relabel_all_ptys($1_sudo_t) - term_getattr_pty_fs($1_sudo_t) - - auth_run_chk_passwd($1_sudo_t, $2) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) - auth_use_nsswitch($1_sudo_t) - - application_signal($1_sudo_t) - - init_rw_utmp($1_sudo_t) - - logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - - miscfiles_read_localization($1_sudo_t) - - seutil_search_default_contexts($1_sudo_t) - seutil_libselinux_linked($1_sudo_t) - - userdom_spec_domtrans_all_users($1_sudo_t) - userdom_manage_user_home_content_files($1_sudo_t) - userdom_manage_user_home_content_symlinks($1_sudo_t) - userdom_manage_user_tmp_files($1_sudo_t) - userdom_manage_user_tmp_symlinks($1_sudo_t) - userdom_use_user_terminals($1_sudo_t) - userdom_signal_unpriv_users($1_sudo_t) - # for some PAM modules and for cwd - userdom_search_user_home_content($1_sudo_t) - userdom_search_admin_dir($1_sudo_t) - userdom_manage_all_users_keys($1_sudo_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit $1_sudo_t $3:socket_class_set { read write }; - ') - - mta_role($2, $1_sudo_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_sudo_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_sudo_t) - ') - - optional_policy(` - dbus_system_bus_client($1_sudo_t) - ') - - optional_policy(` - fprintd_dbus_chat($1_sudo_t) - ') - -') - -######################################## -## -## Send a SIGCHLD signal to the sudo domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`sudo_sigchld',` - gen_require(` - attribute sudodomain; - ') - - allow $1 sudodomain:process sigchld; -') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te deleted file mode 100644 index c927b85..0000000 --- a/policy/modules/admin/sudo.te +++ /dev/null @@ -1,13 +0,0 @@ -policy_module(sudo, 1.6.1) - -######################################## -# -# Declarations -attribute sudodomain; - -type sudo_exec_t; -application_executable_file(sudo_exec_t) - -type sudo_db_t; -files_type(sudo_db_t) - diff --git a/policy/modules/admin/sxid.fc b/policy/modules/admin/sxid.fc deleted file mode 100644 index bc3797b..0000000 --- a/policy/modules/admin/sxid.fc +++ /dev/null @@ -1,6 +0,0 @@ -/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0) -/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0) - -/var/log/setuid.* -- gen_context(system_u:object_r:sxid_log_t,s0) -/var/log/setuid\.today.* -- gen_context(system_u:object_r:sxid_log_t,s0) -/var/log/sxid\.log.* -- gen_context(system_u:object_r:sxid_log_t,s0) diff --git a/policy/modules/admin/sxid.if b/policy/modules/admin/sxid.if deleted file mode 100644 index dd8ac62..0000000 --- a/policy/modules/admin/sxid.if +++ /dev/null @@ -1,22 +0,0 @@ -## SUID/SGID program monitoring - -######################################## -## -## Allow the specified domain to read -## sxid log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sxid_read_log',` - gen_require(` - type sxid_log_t; - ') - - logging_search_logs($1) - allow $1 sxid_log_t:file read_file_perms; -') diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te deleted file mode 100644 index d5aaf0e..0000000 --- a/policy/modules/admin/sxid.te +++ /dev/null @@ -1,97 +0,0 @@ -policy_module(sxid, 1.5.0) - -######################################## -# -# Declarations -# - -type sxid_t; -type sxid_exec_t; -application_domain(sxid_t, sxid_exec_t) - -type sxid_log_t; -logging_log_file(sxid_log_t) - -type sxid_tmp_t; -files_tmp_file(sxid_tmp_t) - -######################################## -# -# Local policy -# - -allow sxid_t self:capability { dac_override dac_read_search fsetid }; -dontaudit sxid_t self:capability { setuid setgid sys_tty_config }; -allow sxid_t self:process signal_perms; -allow sxid_t self:fifo_file rw_fifo_file_perms; -allow sxid_t self:tcp_socket create_stream_socket_perms; -allow sxid_t self:udp_socket create_socket_perms; - -allow sxid_t sxid_log_t:file manage_file_perms; -logging_log_filetrans(sxid_t, sxid_log_t, file) - -manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t) -manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t) -files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir }) - -kernel_read_system_state(sxid_t) -kernel_read_kernel_sysctls(sxid_t) - -corecmd_exec_bin(sxid_t) -corecmd_exec_shell(sxid_t) - -corenet_all_recvfrom_unlabeled(sxid_t) -corenet_all_recvfrom_netlabel(sxid_t) -corenet_tcp_sendrecv_generic_if(sxid_t) -corenet_udp_sendrecv_generic_if(sxid_t) -corenet_tcp_sendrecv_generic_node(sxid_t) -corenet_udp_sendrecv_generic_node(sxid_t) -corenet_tcp_sendrecv_all_ports(sxid_t) -corenet_udp_sendrecv_all_ports(sxid_t) - -dev_read_sysfs(sxid_t) -dev_getattr_all_blk_files(sxid_t) -dev_getattr_all_chr_files(sxid_t) - -domain_use_interactive_fds(sxid_t) - -files_list_all(sxid_t) -files_getattr_all_symlinks(sxid_t) -files_getattr_all_pipes(sxid_t) -files_getattr_all_sockets(sxid_t) - -fs_getattr_xattr_fs(sxid_t) -fs_search_auto_mountpoints(sxid_t) -fs_list_all(sxid_t) - -term_dontaudit_use_console(sxid_t) - -auth_read_all_files_except_shadow(sxid_t) -auth_dontaudit_getattr_shadow(sxid_t) - -init_use_fds(sxid_t) -init_use_script_ptys(sxid_t) - -logging_send_syslog_msg(sxid_t) - -miscfiles_read_localization(sxid_t) - -mount_exec(sxid_t) - -sysnet_read_config(sxid_t) - -userdom_dontaudit_use_unpriv_user_fds(sxid_t) - -cron_system_entry(sxid_t, sxid_exec_t) - -optional_policy(` - mta_send_mail(sxid_t) -') - -optional_policy(` - seutil_sigchld_newrole(sxid_t) -') - -optional_policy(` - udev_read_db(sxid_t) -') diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc deleted file mode 100644 index 81077db..0000000 --- a/policy/modules/admin/tmpreaper.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) -/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) diff --git a/policy/modules/admin/tmpreaper.if b/policy/modules/admin/tmpreaper.if deleted file mode 100644 index 8dfbd80..0000000 --- a/policy/modules/admin/tmpreaper.if +++ /dev/null @@ -1,21 +0,0 @@ -## Manage temporary directory sizes and file ages - -######################################## -## -## Execute tmpreaper in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`tmpreaper_exec',` - gen_require(` - type tmpreaper_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, tmpreaper_exec_t) -') diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te deleted file mode 100644 index 50cd538..0000000 --- a/policy/modules/admin/tmpreaper.te +++ /dev/null @@ -1,87 +0,0 @@ -policy_module(tmpreaper, 1.5.0) - -######################################## -# -# Declarations -# - -type tmpreaper_t; -type tmpreaper_exec_t; -application_domain(tmpreaper_t, tmpreaper_exec_t) -role system_r types tmpreaper_t; - -######################################## -# -# Local Policy -# - -allow tmpreaper_t self:process { fork sigchld }; -allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; - -dev_read_urand(tmpreaper_t) - -fs_getattr_xattr_fs(tmpreaper_t) - -files_read_etc_files(tmpreaper_t) -files_read_var_lib_files(tmpreaper_t) -files_purge_tmp(tmpreaper_t) -files_delete_usr_dirs(tmpreaper_t) -files_delete_usr_files(tmpreaper_t) -# why does it need setattr? -files_setattr_all_tmp_dirs(tmpreaper_t) -files_setattr_usr_dirs(tmpreaper_t) -files_getattr_all_dirs(tmpreaper_t) -files_getattr_all_files(tmpreaper_t) - -mls_file_read_all_levels(tmpreaper_t) -mls_file_write_all_levels(tmpreaper_t) - -logging_send_syslog_msg(tmpreaper_t) - -miscfiles_read_localization(tmpreaper_t) -miscfiles_delete_man_pages(tmpreaper_t) - -cron_system_entry(tmpreaper_t, tmpreaper_exec_t) - -ifdef(`distro_redhat',` - userdom_list_user_home_content(tmpreaper_t) - userdom_delete_user_home_content_dirs(tmpreaper_t) - userdom_delete_user_home_content_files(tmpreaper_t) - userdom_delete_user_home_content_symlinks(tmpreaper_t) -') - -optional_policy(` - amavis_manage_spool_files(tmpreaper_t) -') - -optional_policy(` - apache_delete_sys_content_rw(tmpreaper_t) - apache_list_cache(tmpreaper_t) - apache_delete_cache_dirs(tmpreaper_t) - apache_delete_cache_files(tmpreaper_t) - apache_setattr_cache_dirs(tmpreaper_t) -') - -optional_policy(` - kismet_manage_log(tmpreaper_t) -') - -optional_policy(` - lpd_manage_spool(tmpreaper_t) -') - -optional_policy(` - sandbox_list(tmpreaper_t) - sandbox_delete_dirs(tmpreaper_t) - sandbox_delete_files(tmpreaper_t) - sandbox_delete_sock_files(tmpreaper_t) - sandbox_setattr_dirs(tmpreaper_t) -') - -optional_policy(` - rpm_manage_cache(tmpreaper_t) -') - -optional_policy(` - unconfined_domain(tmpreaper_t) -') diff --git a/policy/modules/admin/tripwire.fc b/policy/modules/admin/tripwire.fc deleted file mode 100644 index 962662f..0000000 --- a/policy/modules/admin/tripwire.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0) - -/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0) -/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0) -/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0) -/usr/sbin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0) - -/var/lib/tripwire(/.*)? gen_context(system_u:object_r:tripwire_var_lib_t,s0) -/var/lib/tripwire/report(/.*)? gen_context(system_u:object_r:tripwire_report_t,s0) diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if deleted file mode 100644 index 27abd88..0000000 --- a/policy/modules/admin/tripwire.if +++ /dev/null @@ -1,190 +0,0 @@ -## Tripwire file integrity checker. -## -##

-## Tripwire file integrity checker. -##

-##

-## NOTE: Tripwire creates temp file in its current working directory. -## This policy does not allow write access to home directories, so -## users will need to either cd to a directory where they have write -## permission, or set the TEMPDIRECTORY variable in the tripwire config -## file. The latter is preferable, as then the file_type_auto_trans -## rules will kick in and label the files as private to tripwire. -##

-##
- -######################################## -## -## Execute tripwire in the tripwire domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tripwire_domtrans_tripwire',` - gen_require(` - type tripwire_t, tripwire_exec_t; - ') - - domtrans_pattern($1, tripwire_exec_t, tripwire_t) -') - -######################################## -## -## Execute tripwire in the tripwire domain, and -## allow the specified role the tripwire domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tripwire_run_tripwire',` - gen_require(` - type tripwire_t; - ') - - tripwire_domtrans_tripwire($1) - role $2 types tripwire_t; -') - -######################################## -## -## Execute twadmin in the twadmin domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tripwire_domtrans_twadmin',` - gen_require(` - type twadmin_t, twadmin_exec_t; - ') - - domtrans_pattern($1, twadmin_exec_t, twadmin_t) -') - -######################################## -## -## Execute twadmin in the twadmin domain, and -## allow the specified role the twadmin domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tripwire_run_twadmin',` - gen_require(` - type twadmin_t; - ') - - tripwire_domtrans_twadmin($1) - role $2 types twadmin_t; -') - -######################################## -## -## Execute twprint in the twprint domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tripwire_domtrans_twprint',` - gen_require(` - type twprint_t, twprint_exec_t; - ') - - domtrans_pattern($1, twprint_exec_t, twprint_t) -') - -######################################## -## -## Execute twprint in the twprint domain, and -## allow the specified role the twprint domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tripwire_run_twprint',` - gen_require(` - type twprint_t; - ') - - tripwire_domtrans_twprint($1) - role $2 types twprint_t; -') - -######################################## -## -## Execute siggen in the siggen domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tripwire_domtrans_siggen',` - gen_require(` - type siggen_t, siggen_exec_t; - ') - - domtrans_pattern($1, siggen_exec_t, siggen_t) -') - -######################################## -## -## Execute siggen in the siggen domain, and -## allow the specified role the siggen domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tripwire_run_siggen',` - gen_require(` - type siggen_t; - ') - - tripwire_domtrans_siggen($1) - role $2 types siggen_t; -') diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te deleted file mode 100644 index 2ae8b62..0000000 --- a/policy/modules/admin/tripwire.te +++ /dev/null @@ -1,146 +0,0 @@ -policy_module(tripwire, 1.2.0) - -######################################## -# -# Declarations -# - -type siggen_t; -type siggen_exec_t; -application_domain(siggen_t, siggen_exec_t) - -type tripwire_t; -type tripwire_exec_t; -application_domain(tripwire_t, tripwire_exec_t) -role system_r types tripwire_t; - -type tripwire_etc_t; -files_config_file(tripwire_etc_t) - -type tripwire_report_t; -files_type(tripwire_report_t) - -type tripwire_tmp_t; -files_tmp_file(tripwire_tmp_t) - -type tripwire_var_lib_t; -files_type(tripwire_var_lib_t) - -type twadmin_t; -type twadmin_exec_t; -application_domain(twadmin_t, twadmin_exec_t) - -type twprint_t; -type twprint_exec_t; -application_domain(twprint_t, twprint_exec_t) - -######################################## -# -# Tripwire local policy -# - -allow tripwire_t self:capability { setgid setuid dac_override }; - -allow tripwire_t tripwire_etc_t:dir list_dir_perms; -read_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t) -read_lnk_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t) -files_search_etc(tripwire_t) - -# Tripwire report files -manage_dirs_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) -manage_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) -manage_lnk_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) - -manage_dirs_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_lnk_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_fifo_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_sock_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(tripwire_t, tripwire_var_lib_t, tripwire_var_lib_t) -files_var_lib_filetrans(tripwire_t, tripwire_var_lib_t, file) - -kernel_read_system_state(tripwire_t) -kernel_read_network_state(tripwire_t) -kernel_read_software_raid_state(tripwire_t) -kernel_getattr_core_if(tripwire_t) -kernel_getattr_message_if(tripwire_t) -kernel_read_kernel_sysctls(tripwire_t) - -corecmd_exec_shell(tripwire_t) -corecmd_exec_bin(tripwire_t) - -domain_use_interactive_fds(tripwire_t) - -files_read_all_files(tripwire_t) -files_read_all_symlinks(tripwire_t) -files_getattr_all_pipes(tripwire_t) -files_getattr_all_sockets(tripwire_t) - -logging_send_syslog_msg(tripwire_t) - -userdom_use_user_terminals(tripwire_t) - -optional_policy(` - cron_system_entry(tripwire_t, tripwire_exec_t) -') - -######################################## -# -# Twadmin local policy -# - -manage_dirs_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) -manage_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) -manage_lnk_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) - -domain_use_interactive_fds(twadmin_t) - -logging_send_syslog_msg(twadmin_t) - -miscfiles_read_localization(twadmin_t) - -userdom_use_user_terminals(twadmin_t) - -######################################## -# -# Twprint local policy -# - -allow twprint_t tripwire_etc_t:dir list_dir_perms; -read_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t) -read_lnk_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t) - -allow twprint_t tripwire_report_t:dir list_dir_perms; -read_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t) -read_lnk_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t) - -allow twprint_t tripwire_var_lib_t:dir list_dir_perms; -read_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t) -read_lnk_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t) -files_search_var_lib(twprint_t) - -domain_use_interactive_fds(twprint_t) - -logging_send_syslog_msg(twprint_t) - -miscfiles_read_localization(twprint_t) - -userdom_use_user_terminals(twprint_t) - -######################################## -# -# Siggen local policy -# - -domain_use_interactive_fds(siggen_t) - -# Need permission to read files -files_read_all_files(siggen_t) - -logging_send_syslog_msg(siggen_t) - -miscfiles_read_localization(siggen_t) - -userdom_use_user_terminals(siggen_t) diff --git a/policy/modules/admin/tzdata.fc b/policy/modules/admin/tzdata.fc deleted file mode 100644 index 04b8548..0000000 --- a/policy/modules/admin/tzdata.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0) diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if deleted file mode 100644 index 7747b16..0000000 --- a/policy/modules/admin/tzdata.if +++ /dev/null @@ -1,44 +0,0 @@ -## Time zone updater - -######################################## -## -## Execute a domain transition to run tzdata. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tzdata_domtrans',` - gen_require(` - type tzdata_t, tzdata_exec_t; - ') - - domtrans_pattern($1, tzdata_exec_t, tzdata_t) -') - -######################################## -## -## Execute the tzdata program in the tzdata domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the tzdata domain. -## -## -## -# -interface(`tzdata_run',` - gen_require(` - type tzdata_t; - ') - - tzdata_domtrans($1) - role $2 types tzdata_t; -') diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te deleted file mode 100644 index 7851643..0000000 --- a/policy/modules/admin/tzdata.te +++ /dev/null @@ -1,36 +0,0 @@ -policy_module(tzdata, 1.3.0) - -######################################## -# -# Declarations -# - -type tzdata_t; -type tzdata_exec_t; -init_daemon_domain(tzdata_t, tzdata_exec_t) -application_domain(tzdata_t, tzdata_exec_t) - -######################################## -# -# tzdata local policy -# - -files_read_config_files(tzdata_t) -files_search_spool(tzdata_t) - -fs_getattr_xattr_fs(tzdata_t) - -term_dontaudit_list_ptys(tzdata_t) - -locallogin_dontaudit_use_fds(tzdata_t) - -miscfiles_read_localization(tzdata_t) -miscfiles_manage_localization(tzdata_t) -miscfiles_etc_filetrans_localization(tzdata_t) - -userdom_use_user_terminals(tzdata_t) - -# tzdata looks for /var/spool/postfix/etc/localtime. -optional_policy(` - postfix_search_spool(tzdata_t) -') diff --git a/policy/modules/admin/updfstab.fc b/policy/modules/admin/updfstab.fc deleted file mode 100644 index e534c88..0000000 --- a/policy/modules/admin/updfstab.fc +++ /dev/null @@ -1,3 +0,0 @@ - -/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0) -/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0) diff --git a/policy/modules/admin/updfstab.if b/policy/modules/admin/updfstab.if deleted file mode 100644 index 4d4b60e..0000000 --- a/policy/modules/admin/updfstab.if +++ /dev/null @@ -1,21 +0,0 @@ -## Red Hat utility to change /etc/fstab. - -######################################## -## -## Execute updfstab in the updfstab domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`updfstab_domtrans',` - gen_require(` - type updfstab_t, updfstab_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, updfstab_exec_t, updfstab_t) -') diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te deleted file mode 100644 index ef12ed5..0000000 --- a/policy/modules/admin/updfstab.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(updfstab, 1.5.0) - -######################################## -# -# Declarations -# - -type updfstab_t; -type updfstab_exec_t; -init_system_domain(updfstab_t, updfstab_exec_t) - -######################################## -# -# Local policy -# - -allow updfstab_t self:capability dac_override; -dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; -allow updfstab_t self:process signal_perms; -allow updfstab_t self:fifo_file rw_fifo_file_perms; - -kernel_use_fds(updfstab_t) -kernel_read_kernel_sysctls(updfstab_t) -kernel_dontaudit_write_kernel_sysctl(updfstab_t) -# for /proc/partitions -kernel_read_system_state(updfstab_t) -# cjp: why is this required -kernel_change_ring_buffer_level(updfstab_t) - -dev_read_sysfs(updfstab_t) -dev_manage_generic_symlinks(updfstab_t) - -fs_getattr_xattr_fs(updfstab_t) -fs_getattr_tmpfs(updfstab_t) -fs_getattr_tmpfs_dirs(updfstab_t) -fs_search_auto_mountpoints(updfstab_t) - -selinux_get_fs_mount(updfstab_t) -selinux_validate_context(updfstab_t) -selinux_compute_access_vector(updfstab_t) -selinux_compute_create_context(updfstab_t) -selinux_compute_relabel_context(updfstab_t) -selinux_compute_user_contexts(updfstab_t) - -storage_raw_read_fixed_disk(updfstab_t) -storage_raw_write_fixed_disk(updfstab_t) -storage_raw_read_removable_device(updfstab_t) -storage_raw_write_removable_device(updfstab_t) -storage_read_scsi_generic(updfstab_t) -storage_write_scsi_generic(updfstab_t) - -term_dontaudit_use_console(updfstab_t) - -corecmd_exec_bin(updfstab_t) - -domain_use_interactive_fds(updfstab_t) - -files_manage_mnt_files(updfstab_t) -files_manage_mnt_dirs(updfstab_t) -files_manage_mnt_symlinks(updfstab_t) -files_manage_etc_files(updfstab_t) -files_dontaudit_search_home(updfstab_t) -# for /etc/mtab -files_read_etc_runtime_files(updfstab_t) - -init_use_fds(updfstab_t) -init_use_script_ptys(updfstab_t) - -logging_send_syslog_msg(updfstab_t) -logging_search_logs(updfstab_t) - -miscfiles_read_localization(updfstab_t) - -seutil_read_config(updfstab_t) -seutil_read_default_contexts(updfstab_t) -seutil_read_file_contexts(updfstab_t) - -userdom_dontaudit_search_user_home_content(updfstab_t) -userdom_dontaudit_use_unpriv_user_fds(updfstab_t) - -optional_policy(` - auth_domtrans_pam_console(updfstab_t) -') - -optional_policy(` - init_dbus_chat_script(updfstab_t) - - dbus_system_bus_client(updfstab_t) -') - -optional_policy(` - fstools_getattr_swap_files(updfstab_t) -') - -optional_policy(` - hal_stream_connect(updfstab_t) - hal_dbus_chat(updfstab_t) -') - -optional_policy(` - modutils_read_module_config(updfstab_t) - modutils_exec_insmod(updfstab_t) - modutils_read_module_deps(updfstab_t) -') - -optional_policy(` - nscd_socket_use(updfstab_t) -') - -optional_policy(` - seutil_sigchld_newrole(updfstab_t) -') - -optional_policy(` - udev_read_db(updfstab_t) -') diff --git a/policy/modules/admin/usbmodules.fc b/policy/modules/admin/usbmodules.fc deleted file mode 100644 index a008efb..0000000 --- a/policy/modules/admin/usbmodules.fc +++ /dev/null @@ -1,9 +0,0 @@ -# -# /sbin -# -/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0) - -# -# /usr -# -/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0) diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if deleted file mode 100644 index b7eade3..0000000 --- a/policy/modules/admin/usbmodules.if +++ /dev/null @@ -1,46 +0,0 @@ -## List kernel modules of USB devices - -######################################## -## -## Execute usbmodules in the usbmodules domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usbmodules_domtrans',` - gen_require(` - type usbmodules_t, usbmodules_exec_t; - ') - - domtrans_pattern($1, usbmodules_exec_t, usbmodules_t) -') - -######################################## -## -## Execute usbmodules in the usbmodules domain, and -## allow the specified role the usbmodules domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`usbmodules_run',` - gen_require(` - type usbmodules_t; - ') - - usbmodules_domtrans($1) - role $2 types usbmodules_t; -') diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te deleted file mode 100644 index 74354da..0000000 --- a/policy/modules/admin/usbmodules.te +++ /dev/null @@ -1,47 +0,0 @@ -policy_module(usbmodules, 1.2.0) - -######################################## -# -# Declarations -# - -type usbmodules_t; -type usbmodules_exec_t; -init_system_domain(usbmodules_t, usbmodules_exec_t) -role system_r types usbmodules_t; - -######################################## -# -# Local policy -# - -kernel_list_proc(usbmodules_t) - -files_list_kernel_modules(usbmodules_t) - -dev_list_usbfs(usbmodules_t) -# allow usb device access -dev_rw_usbfs(usbmodules_t) - -files_list_etc(usbmodules_t) -# needs etc_t read access for the hotplug config, maybe should have a new type -files_read_etc_files(usbmodules_t) - -term_read_console(usbmodules_t) -term_write_console(usbmodules_t) - -init_use_fds(usbmodules_t) - -miscfiles_read_hwdata(usbmodules_t) - -modutils_read_module_deps(usbmodules_t) - -userdom_use_user_terminals(usbmodules_t) - -optional_policy(` - hotplug_read_config(usbmodules_t) -') - -optional_policy(` - logging_send_syslog_msg(usbmodules_t) -') diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc deleted file mode 100644 index c467144..0000000 --- a/policy/modules/admin/usermanage.fc +++ /dev/null @@ -1,33 +0,0 @@ -ifdef(`distro_gentoo',` -/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) -') - -/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) -/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) -/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) -/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) -/usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) -/usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -/usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - -/usr/lib(64)?/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) - -/usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) -/usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) -/usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) -/usr/sbin/groupadd -- gen_context(system_u:object_r:groupadd_exec_t,s0) -/usr/sbin/groupdel -- gen_context(system_u:object_r:groupadd_exec_t,s0) -/usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0) -/usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -/usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -/usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -/usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -/usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) -/usr/sbin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0) -/usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) -/usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -/usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - -/usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) - -/var/cache/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if deleted file mode 100644 index 0b5e634..0000000 --- a/policy/modules/admin/usermanage.if +++ /dev/null @@ -1,319 +0,0 @@ -## Policy for managing user accounts. - -######################################## -## -## Execute chfn in the chfn domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usermanage_domtrans_chfn',` - gen_require(` - type chfn_t, chfn_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, chfn_exec_t, chfn_t) - - ifdef(`hide_broken_symptoms',` - dontaudit chfn_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute chfn in the chfn domain, and -## allow the specified role the chfn domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`usermanage_run_chfn',` - gen_require(` - type chfn_t; - ') - - usermanage_domtrans_chfn($1) - role $2 types chfn_t; -') - -######################################## -## -## Execute groupadd in the groupadd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usermanage_domtrans_groupadd',` - gen_require(` - type groupadd_t, groupadd_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, groupadd_exec_t, groupadd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit groupadd_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute groupadd in the groupadd domain, and -## allow the specified role the groupadd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`usermanage_run_groupadd',` - gen_require(` - type groupadd_t; - ') - - usermanage_domtrans_groupadd($1) - role $2 types groupadd_t; - - optional_policy(` - nscd_run(groupadd_t, $2) - ') -') - -######################################## -## -## Execute passwd in the passwd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usermanage_domtrans_passwd',` - gen_require(` - type passwd_t, passwd_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, passwd_exec_t, passwd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit passwd_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Send sigkills to passwd. -## -## -## -## Domain allowed access. -## -## -# -interface(`usermanage_kill_passwd',` - gen_require(` - type passwd_t; - ') - - allow $1 passwd_t:process sigkill; -') - -######################################## -## -## Execute passwd in the passwd domain, and -## allow the specified role the passwd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`usermanage_run_passwd',` - gen_require(` - type passwd_t; - ') - - usermanage_domtrans_passwd($1) - role $2 types passwd_t; - auth_run_chk_passwd(passwd_t, $2) -') - -######################################## -## -## Execute password admin functions in -## the admin passwd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usermanage_domtrans_admin_passwd',` - gen_require(` - type sysadm_passwd_t, admin_passwd_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t) -') - -######################################## -## -## Execute passwd admin functions in the admin -## passwd domain, and allow the specified role -## the admin passwd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`usermanage_run_admin_passwd',` - gen_require(` - type sysadm_passwd_t; - ') - - usermanage_domtrans_admin_passwd($1) - role $2 types sysadm_passwd_t; - - optional_policy(` - nscd_run(sysadm_passwd_t, $2) - ') -') - -######################################## -## -## Do not audit attempts to use useradd fds. -## -## -## -## Domain to not audit. -## -## -# -interface(`usermanage_dontaudit_use_useradd_fds',` - gen_require(` - type useradd_t; - ') - - dontaudit $1 useradd_t:fd use; -') - -######################################## -## -## Execute useradd in the useradd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usermanage_domtrans_useradd',` - gen_require(` - type useradd_t, useradd_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, useradd_exec_t, useradd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit useradd_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute useradd in the useradd domain, and -## allow the specified role the useradd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`usermanage_run_useradd',` - gen_require(` - type useradd_t; - ') - - usermanage_domtrans_useradd($1) - role $2 types useradd_t; - - # Add/remove user home directories - userdom_manage_home_role($2, useradd_t) - - seutil_run_semanage(useradd_t, $2) - - optional_policy(` - nscd_run(useradd_t, $2) - ') -') - -######################################## -## -## Read the crack database. -## -## -## -## Domain allowed access. -## -## -# -interface(`usermanage_read_crack_db',` - gen_require(` - type crack_db_t; - ') - - read_files_pattern($1, crack_db_t, crack_db_t) -') diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te deleted file mode 100644 index b1a841a..0000000 --- a/policy/modules/admin/usermanage.te +++ /dev/null @@ -1,540 +0,0 @@ -policy_module(usermanage, 1.15.1) - -######################################## -# -# Declarations -# - -type admin_passwd_exec_t; -files_type(admin_passwd_exec_t) - -type chfn_t; -type chfn_exec_t; -domain_obj_id_change_exemption(chfn_t) -application_domain(chfn_t, chfn_exec_t) -role system_r types chfn_t; - -type crack_t; -type crack_exec_t; -application_domain(crack_t, crack_exec_t) -role system_r types crack_t; - -type crack_db_t; -files_type(crack_db_t) - -type crack_tmp_t; -files_tmp_file(crack_tmp_t) - -type groupadd_t; -type groupadd_exec_t; -domain_obj_id_change_exemption(groupadd_t) -init_system_domain(groupadd_t, groupadd_exec_t) -role system_r types groupadd_t; - -type passwd_t; -type passwd_exec_t; -domain_obj_id_change_exemption(passwd_t) -application_domain(passwd_t, passwd_exec_t) -role system_r types passwd_t; - -type sysadm_passwd_t; -domain_obj_id_change_exemption(sysadm_passwd_t) -application_domain(sysadm_passwd_t, admin_passwd_exec_t) -role system_r types sysadm_passwd_t; - -type sysadm_passwd_tmp_t; -files_tmp_file(sysadm_passwd_tmp_t) - -type useradd_t; -type useradd_exec_t; -domain_obj_id_change_exemption(useradd_t) -init_system_domain(useradd_t, useradd_exec_t) -role system_r types useradd_t; - -######################################## -# -# Chfn local policy -# - -allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; -allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; -allow chfn_t self:process { setrlimit setfscreate }; -allow chfn_t self:fd use; -allow chfn_t self:fifo_file rw_fifo_file_perms; -allow chfn_t self:sock_file read_sock_file_perms; -allow chfn_t self:shm create_shm_perms; -allow chfn_t self:sem create_sem_perms; -allow chfn_t self:msgq create_msgq_perms; -allow chfn_t self:msg { send receive }; -allow chfn_t self:unix_dgram_socket create_socket_perms; -allow chfn_t self:unix_stream_socket create_stream_socket_perms; -allow chfn_t self:unix_dgram_socket sendto; -allow chfn_t self:unix_stream_socket connectto; - -kernel_read_system_state(chfn_t) -kernel_read_kernel_sysctls(chfn_t) - -selinux_get_fs_mount(chfn_t) -selinux_validate_context(chfn_t) -selinux_compute_access_vector(chfn_t) -selinux_compute_create_context(chfn_t) -selinux_compute_relabel_context(chfn_t) -selinux_compute_user_contexts(chfn_t) - -term_use_all_ttys(chfn_t) -term_use_all_ptys(chfn_t) - -fs_getattr_xattr_fs(chfn_t) -fs_search_auto_mountpoints(chfn_t) - -# for SSP -dev_read_urand(chfn_t) - -auth_use_pam(chfn_t) - -# allow checking if a shell is executable -corecmd_check_exec_shell(chfn_t) - -domain_use_interactive_fds(chfn_t) - -files_manage_etc_files(chfn_t) -files_read_etc_runtime_files(chfn_t) -files_dontaudit_search_var(chfn_t) -files_dontaudit_search_home(chfn_t) - -# /usr/bin/passwd asks for w access to utmp, but it will operate -# correctly without it. Do not audit write denials to utmp. -init_dontaudit_rw_utmp(chfn_t) - -miscfiles_read_localization(chfn_t) - -logging_send_syslog_msg(chfn_t) - -# uses unix_chkpwd for checking passwords -seutil_dontaudit_search_config(chfn_t) - -userdom_use_unpriv_users_fds(chfn_t) -# user generally runs this from their home directory, so do not audit a search -# on user home dir -userdom_dontaudit_search_user_home_content(chfn_t) - -######################################## -# -# Crack local policy -# - -allow crack_t self:process { sigkill sigstop signull signal }; -allow crack_t self:fifo_file rw_fifo_file_perms; - -manage_files_pattern(crack_t, crack_db_t, crack_db_t) -manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t) -files_search_var(crack_t) - -manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t) -manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t) -files_tmp_filetrans(crack_t, crack_tmp_t, { file dir }) - -kernel_read_system_state(crack_t) - -# for SSP -dev_read_urand(crack_t) - -fs_getattr_xattr_fs(crack_t) - -files_read_etc_files(crack_t) -files_read_etc_runtime_files(crack_t) -# for dictionaries -files_read_usr_files(crack_t) - -corecmd_exec_bin(crack_t) - -logging_send_syslog_msg(crack_t) - -userdom_dontaudit_search_user_home_dirs(crack_t) - -ifdef(`distro_debian',` - # the package cracklib-runtime on Debian contains a daily maintenance - # script /etc/cron.daily/cracklib-runtime, that calls - # update-cracklib and that calls crack_mkdict, which is a shell script. - corecmd_exec_shell(crack_t) -') - -optional_policy(` - cron_system_entry(crack_t, crack_exec_t) -') - -######################################## -# -# Groupadd local policy -# - -allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; -dontaudit groupadd_t self:capability { fsetid sys_tty_config }; -allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; -allow groupadd_t self:process { setrlimit setfscreate }; -allow groupadd_t self:fd use; -allow groupadd_t self:fifo_file rw_fifo_file_perms; -allow groupadd_t self:shm create_shm_perms; -allow groupadd_t self:sem create_sem_perms; -allow groupadd_t self:msgq create_msgq_perms; -allow groupadd_t self:msg { send receive }; -allow groupadd_t self:unix_dgram_socket create_socket_perms; -allow groupadd_t self:unix_stream_socket create_stream_socket_perms; -allow groupadd_t self:unix_dgram_socket sendto; -allow groupadd_t self:unix_stream_socket connectto; - -fs_getattr_xattr_fs(groupadd_t) -fs_search_auto_mountpoints(groupadd_t) - -# Allow access to context for shadow file -selinux_get_fs_mount(groupadd_t) -selinux_validate_context(groupadd_t) -selinux_compute_access_vector(groupadd_t) -selinux_compute_create_context(groupadd_t) -selinux_compute_relabel_context(groupadd_t) -selinux_compute_user_contexts(groupadd_t) - -term_use_all_ttys(groupadd_t) -term_use_all_ptys(groupadd_t) - -init_use_fds(groupadd_t) -init_read_utmp(groupadd_t) -init_dontaudit_write_utmp(groupadd_t) - -domain_use_interactive_fds(groupadd_t) - -files_manage_etc_files(groupadd_t) -files_relabel_etc_files(groupadd_t) -files_read_etc_runtime_files(groupadd_t) -files_read_usr_symlinks(groupadd_t) - -# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}. -corecmd_exec_bin(groupadd_t) - -logging_send_audit_msgs(groupadd_t) -logging_send_syslog_msg(groupadd_t) - -miscfiles_read_localization(groupadd_t) - -auth_domtrans_chk_passwd(groupadd_t) -auth_rw_lastlog(groupadd_t) -auth_use_nsswitch(groupadd_t) -# these may be unnecessary due to the above -# domtrans_chk_passwd() call. -auth_manage_shadow(groupadd_t) -auth_relabel_shadow(groupadd_t) -auth_etc_filetrans_shadow(groupadd_t) - -seutil_read_config(groupadd_t) - -userdom_use_unpriv_users_fds(groupadd_t) -# for when /root is the cwd -userdom_dontaudit_search_user_home_dirs(groupadd_t) - -optional_policy(` - dpkg_use_fds(groupadd_t) - dpkg_rw_pipes(groupadd_t) -') - -optional_policy(` - nscd_domtrans(groupadd_t) -') - -optional_policy(` - puppet_rw_tmp(groupadd_t) -') - -optional_policy(` - rpm_use_fds(groupadd_t) - rpm_rw_pipes(groupadd_t) -') - -######################################## -# -# Passwd local policy -# - -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; -dontaudit passwd_t self:capability sys_tty_config; -allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow passwd_t self:process { setrlimit setfscreate }; -allow passwd_t self:fd use; -allow passwd_t self:fifo_file rw_fifo_file_perms; -allow passwd_t self:sock_file read_sock_file_perms; -allow passwd_t self:unix_dgram_socket create_socket_perms; -allow passwd_t self:unix_stream_socket create_stream_socket_perms; -allow passwd_t self:unix_dgram_socket sendto; -allow passwd_t self:unix_stream_socket connectto; -allow passwd_t self:shm create_shm_perms; -allow passwd_t self:sem create_sem_perms; -allow passwd_t self:msgq create_msgq_perms; -allow passwd_t self:msg { send receive }; - -allow passwd_t crack_db_t:dir list_dir_perms; -read_files_pattern(passwd_t, crack_db_t, crack_db_t) - -kernel_read_kernel_sysctls(passwd_t) - -# for SSP -dev_read_urand(passwd_t) - -fs_getattr_xattr_fs(passwd_t) -fs_search_auto_mountpoints(passwd_t) - -mls_file_write_all_levels(passwd_t) -mls_file_downgrade(passwd_t) - -selinux_get_fs_mount(passwd_t) -selinux_validate_context(passwd_t) -selinux_compute_access_vector(passwd_t) -selinux_compute_create_context(passwd_t) -selinux_compute_relabel_context(passwd_t) -selinux_compute_user_contexts(passwd_t) - -term_use_all_terms(passwd_t) - -auth_manage_shadow(passwd_t) -auth_relabel_shadow(passwd_t) -auth_etc_filetrans_shadow(passwd_t) -auth_use_pam(passwd_t) - -# allow checking if a shell is executable -corecmd_check_exec_shell(passwd_t) -corecmd_exec_bin(passwd_t) - -corenet_tcp_connect_kerberos_password_port(passwd_t) - -domain_use_interactive_fds(passwd_t) - -files_read_etc_runtime_files(passwd_t) -files_manage_etc_files(passwd_t) -files_search_var(passwd_t) -files_dontaudit_search_pids(passwd_t) -files_relabel_etc_files(passwd_t) - -# /usr/bin/passwd asks for w access to utmp, but it will operate -# correctly without it. Do not audit write denials to utmp. -init_dontaudit_rw_utmp(passwd_t) -init_use_fds(passwd_t) - -logging_send_audit_msgs(passwd_t) -logging_send_syslog_msg(passwd_t) - -miscfiles_read_localization(passwd_t) - -seutil_dontaudit_search_config(passwd_t) - -userdom_use_user_terminals(passwd_t) -userdom_use_unpriv_users_fds(passwd_t) -# make sure that getcon succeeds -userdom_getattr_all_users(passwd_t) -userdom_read_all_users_state(passwd_t) -userdom_read_user_tmp_files(passwd_t) -# user generally runs this from their home directory, so do not audit a search -# on user home dir -userdom_dontaudit_search_user_home_content(passwd_t) -userdom_stream_connect(passwd_t) - -optional_policy(` - nscd_domtrans(passwd_t) -') - -######################################## -# -# Password admin local policy -# - -allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; -allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow sysadm_passwd_t self:process { setrlimit setfscreate }; -allow sysadm_passwd_t self:fd use; -allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms; -allow sysadm_passwd_t self:sock_file read_sock_file_perms; -allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms; -allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms; -allow sysadm_passwd_t self:unix_dgram_socket sendto; -allow sysadm_passwd_t self:unix_stream_socket connectto; -allow sysadm_passwd_t self:shm create_shm_perms; -allow sysadm_passwd_t self:sem create_sem_perms; -allow sysadm_passwd_t self:msgq create_msgq_perms; -allow sysadm_passwd_t self:msg { send receive }; - -# allow vipw to create temporary files under /var/tmp/vi.recover -manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t) -manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t) -files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) -files_search_var(sysadm_passwd_t) -files_dontaudit_search_home(sysadm_passwd_t) - -kernel_read_kernel_sysctls(sysadm_passwd_t) -# for /proc/meminfo -kernel_read_system_state(sysadm_passwd_t) - -selinux_get_fs_mount(sysadm_passwd_t) -selinux_validate_context(sysadm_passwd_t) -selinux_compute_access_vector(sysadm_passwd_t) -selinux_compute_create_context(sysadm_passwd_t) -selinux_compute_relabel_context(sysadm_passwd_t) -selinux_compute_user_contexts(sysadm_passwd_t) - -# for SSP -dev_read_urand(sysadm_passwd_t) - -fs_getattr_xattr_fs(sysadm_passwd_t) -fs_search_auto_mountpoints(sysadm_passwd_t) - -term_use_all_ttys(sysadm_passwd_t) -term_use_all_ptys(sysadm_passwd_t) - -auth_manage_shadow(sysadm_passwd_t) -auth_relabel_shadow(sysadm_passwd_t) -auth_etc_filetrans_shadow(sysadm_passwd_t) -auth_use_nsswitch(sysadm_passwd_t) - -# allow vipw to exec the editor -corecmd_exec_bin(sysadm_passwd_t) -corecmd_exec_shell(sysadm_passwd_t) -files_read_usr_files(sysadm_passwd_t) - -domain_use_interactive_fds(sysadm_passwd_t) - -files_manage_etc_files(sysadm_passwd_t) -files_relabel_etc_files(sysadm_passwd_t) -files_read_etc_runtime_files(sysadm_passwd_t) -# for nscd lookups -files_dontaudit_search_pids(sysadm_passwd_t) - -# /usr/bin/passwd asks for w access to utmp, but it will operate -# correctly without it. Do not audit write denials to utmp. -init_dontaudit_rw_utmp(sysadm_passwd_t) - -miscfiles_read_localization(sysadm_passwd_t) - -logging_send_syslog_msg(sysadm_passwd_t) - -seutil_dontaudit_search_config(sysadm_passwd_t) - -userdom_use_unpriv_users_fds(sysadm_passwd_t) -# user generally runs this from their home directory, so do not audit a search -# on user home dir -userdom_dontaudit_search_user_home_content(sysadm_passwd_t) - -optional_policy(` - nscd_domtrans(sysadm_passwd_t) -') - -######################################## -# -# Useradd local policy -# - -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace }; -dontaudit useradd_t self:capability sys_tty_config; -allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow useradd_t self:process setfscreate; -allow useradd_t self:fd use; -allow useradd_t self:fifo_file rw_fifo_file_perms; -allow useradd_t self:shm create_shm_perms; -allow useradd_t self:sem create_sem_perms; -allow useradd_t self:msgq create_msgq_perms; -allow useradd_t self:msg { send receive }; -allow useradd_t self:unix_dgram_socket create_socket_perms; -allow useradd_t self:unix_stream_socket create_stream_socket_perms; -allow useradd_t self:unix_dgram_socket sendto; -allow useradd_t self:unix_stream_socket connectto; - -# for getting the number of groups -kernel_read_kernel_sysctls(useradd_t) - -corecmd_exec_shell(useradd_t) -# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. -corecmd_exec_bin(useradd_t) - -domain_use_interactive_fds(useradd_t) -domain_read_all_domains_state(useradd_t) - -files_manage_etc_files(useradd_t) -files_search_var_lib(useradd_t) -files_relabel_etc_files(useradd_t) -files_read_etc_runtime_files(useradd_t) - -fs_search_auto_mountpoints(useradd_t) -fs_getattr_xattr_fs(useradd_t) - -mls_file_upgrade(useradd_t) - -# Allow access to context for shadow file -selinux_get_fs_mount(useradd_t) -selinux_validate_context(useradd_t) -selinux_compute_access_vector(useradd_t) -selinux_compute_create_context(useradd_t) -selinux_compute_relabel_context(useradd_t) -selinux_compute_user_contexts(useradd_t) - -term_use_all_ttys(useradd_t) -term_use_all_ptys(useradd_t) - -auth_domtrans_chk_passwd(useradd_t) -auth_rw_lastlog(useradd_t) -auth_rw_faillog(useradd_t) -auth_use_nsswitch(useradd_t) -# these may be unnecessary due to the above -# domtrans_chk_passwd() call. -auth_manage_shadow(useradd_t) -auth_relabel_shadow(useradd_t) -auth_etc_filetrans_shadow(useradd_t) - -init_use_fds(useradd_t) -init_rw_utmp(useradd_t) - -logging_send_audit_msgs(useradd_t) -logging_send_syslog_msg(useradd_t) - -miscfiles_read_localization(useradd_t) - -seutil_read_config(useradd_t) -seutil_read_file_contexts(useradd_t) -seutil_read_default_contexts(useradd_t) -seutil_domtrans_semanage(useradd_t) -seutil_domtrans_setfiles(useradd_t) - -userdom_use_unpriv_users_fds(useradd_t) -# Add/remove user home directories -userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_home_role(system_r, useradd_t) - -mta_manage_spool(useradd_t) - -ifdef(`distro_redhat',` - optional_policy(` - unconfined_domain(useradd_t) - ') -') - -optional_policy(` - apache_manage_all_user_content(useradd_t) -') - -optional_policy(` - dpkg_use_fds(useradd_t) - dpkg_rw_pipes(useradd_t) -') - -optional_policy(` - nscd_domtrans(useradd_t) -') - -optional_policy(` - puppet_rw_tmp(useradd_t) -') - -optional_policy(` - tunable_policy(`samba_domain_controller',` - samba_append_log(useradd_t) - ') -') - -optional_policy(` - rpm_use_fds(useradd_t) - rpm_rw_pipes(useradd_t) -') diff --git a/policy/modules/admin/vbetool.fc b/policy/modules/admin/vbetool.fc deleted file mode 100644 index d00970f..0000000 --- a/policy/modules/admin/vbetool.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0) diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if deleted file mode 100644 index f46ab17..0000000 --- a/policy/modules/admin/vbetool.if +++ /dev/null @@ -1,45 +0,0 @@ -## run real-mode video BIOS code to alter hardware state - -######################################## -## -## Execute vbetool application in the vbetool domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vbetool_domtrans',` - gen_require(` - type vbetool_t, vbetool_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vbetool_exec_t, vbetool_t) -') - -######################################## -## -## Execute vbetool in the vbetool domain, and -## allow the specified role the vbetool domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`vbetool_run',` - gen_require(` - type vbetool_t; - ') - - vbetool_domtrans($1) - role $2 types vbetool_t; -') diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te deleted file mode 100644 index 2758c8f..0000000 --- a/policy/modules/admin/vbetool.te +++ /dev/null @@ -1,51 +0,0 @@ -policy_module(vbetool, 1.5.2) - -######################################## -# -# Declarations -# - -## -##

-## Ignore vbetool mmap_zero errors. -##

-##
-gen_tunable(vbetool_mmap_zero_ignore, false) - -type vbetool_t; -type vbetool_exec_t; -init_system_domain(vbetool_t, vbetool_exec_t) - -######################################## -# -# Local policy -# - -allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; -allow vbetool_t self:process execmem; - -dev_wx_raw_memory(vbetool_t) -dev_read_raw_memory(vbetool_t) -dev_rwx_zero(vbetool_t) -dev_rw_sysfs(vbetool_t) -dev_rw_xserver_misc(vbetool_t) -dev_rw_mtrr(vbetool_t) - -domain_mmap_low(vbetool_t) - -mls_file_read_all_levels(vbetool_t) -mls_file_write_all_levels(vbetool_t) - -term_use_unallocated_ttys(vbetool_t) - -miscfiles_read_localization(vbetool_t) - -tunable_policy(`vbetool_mmap_zero_ignore',` - dontaudit vbetool_t self:memprotect mmap_zero; -') - -optional_policy(` - hal_rw_pid_files(vbetool_t) - hal_write_log(vbetool_t) - hal_dontaudit_append_lib_files(vbetool_t) -') diff --git a/policy/modules/admin/vpn.fc b/policy/modules/admin/vpn.fc deleted file mode 100644 index 076dcc3..0000000 --- a/policy/modules/admin/vpn.fc +++ /dev/null @@ -1,13 +0,0 @@ -# -# sbin -# -/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) - -# -# /usr -# -/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0) - -/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) - -/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if deleted file mode 100644 index 64f8cdc..0000000 --- a/policy/modules/admin/vpn.if +++ /dev/null @@ -1,139 +0,0 @@ -## Virtual Private Networking client - -######################################## -## -## Execute VPN clients in the vpnc domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vpn_domtrans',` - gen_require(` - type vpnc_t, vpnc_exec_t; - ') - - domtrans_pattern($1, vpnc_exec_t, vpnc_t) -') - -######################################## -## -## Execute VPN clients in the vpnc domain, and -## allow the specified role the vpnc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`vpn_run',` - gen_require(` - type vpnc_t; - ') - - vpn_domtrans($1) - role $2 types vpnc_t; - sysnet_run_ifconfig(vpnc_t, $2) -') - -######################################## -## -## Send VPN clients the kill signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`vpn_kill',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process sigkill; -') - -######################################## -## -## Send generic signals to VPN clients. -## -## -## -## Domain allowed access. -## -## -# -interface(`vpn_signal',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process signal; -') - -######################################## -## -## Send signull to VPN clients. -## -## -## -## Domain allowed access. -## -## -# -interface(`vpn_signull',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process signull; -') - -######################################## -## -## Send and receive messages from -## Vpnc over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`vpn_dbus_chat',` - gen_require(` - type vpnc_t; - class dbus send_msg; - ') - - allow $1 vpnc_t:dbus send_msg; - allow vpnc_t $1:dbus send_msg; -') - -######################################## -## -## Relabelfrom from vpnc socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`vpn_relabelfrom_tun_socket',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:tun_socket relabelfrom; -') diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te deleted file mode 100644 index 6067b85..0000000 --- a/policy/modules/admin/vpn.te +++ /dev/null @@ -1,122 +0,0 @@ -policy_module(vpn, 1.13.1) - -######################################## -# -# Declarations -# - -type vpnc_t; -type vpnc_exec_t; -application_domain(vpnc_t, vpnc_exec_t) -role system_r types vpnc_t; - -type vpnc_tmp_t; -files_tmp_file(vpnc_tmp_t) - -type vpnc_var_run_t; -files_pid_file(vpnc_var_run_t) - -######################################## -# -# Local policy -# - -allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw }; -allow vpnc_t self:process { getsched signal }; -allow vpnc_t self:fifo_file rw_fifo_file_perms; -allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; -allow vpnc_t self:tcp_socket create_stream_socket_perms; -allow vpnc_t self:udp_socket create_socket_perms; -allow vpnc_t self:rawip_socket create_socket_perms; -allow vpnc_t self:unix_dgram_socket create_socket_perms; -allow vpnc_t self:unix_stream_socket create_socket_perms; -allow vpnc_t self:tun_socket { create_socket_perms relabelfrom }; -# cjp: this needs to be fixed -allow vpnc_t self:socket create_socket_perms; - -manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) -manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) -files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir }) - -manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t) -manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t) -files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir}) - -kernel_read_system_state(vpnc_t) -kernel_read_network_state(vpnc_t) -kernel_read_all_sysctls(vpnc_t) -kernel_request_load_module(vpnc_t) -kernel_rw_net_sysctls(vpnc_t) - -corenet_all_recvfrom_unlabeled(vpnc_t) -corenet_all_recvfrom_netlabel(vpnc_t) -corenet_tcp_sendrecv_generic_if(vpnc_t) -corenet_udp_sendrecv_generic_if(vpnc_t) -corenet_raw_sendrecv_generic_if(vpnc_t) -corenet_tcp_sendrecv_generic_node(vpnc_t) -corenet_udp_sendrecv_generic_node(vpnc_t) -corenet_raw_sendrecv_generic_node(vpnc_t) -corenet_tcp_sendrecv_all_ports(vpnc_t) -corenet_udp_sendrecv_all_ports(vpnc_t) -corenet_udp_bind_generic_node(vpnc_t) -corenet_udp_bind_generic_port(vpnc_t) -corenet_udp_bind_isakmp_port(vpnc_t) -corenet_udp_bind_ipsecnat_port(vpnc_t) -corenet_tcp_connect_all_ports(vpnc_t) -corenet_sendrecv_all_client_packets(vpnc_t) -corenet_sendrecv_isakmp_server_packets(vpnc_t) -corenet_sendrecv_generic_server_packets(vpnc_t) -corenet_rw_tun_tap_dev(vpnc_t) - -dev_read_rand(vpnc_t) -dev_read_urand(vpnc_t) -dev_read_sysfs(vpnc_t) - -domain_use_interactive_fds(vpnc_t) - -fs_getattr_xattr_fs(vpnc_t) -fs_getattr_tmpfs(vpnc_t) - -term_use_all_ptys(vpnc_t) -term_use_all_ttys(vpnc_t) - -corecmd_exec_all_executables(vpnc_t) - -files_exec_etc_files(vpnc_t) -files_read_etc_runtime_files(vpnc_t) -files_read_etc_files(vpnc_t) -files_dontaudit_search_home(vpnc_t) - -auth_use_nsswitch(vpnc_t) - -libs_exec_ld_so(vpnc_t) -libs_exec_lib_files(vpnc_t) - -locallogin_use_fds(vpnc_t) - -logging_send_syslog_msg(vpnc_t) -logging_dontaudit_search_logs(vpnc_t) - -miscfiles_read_localization(vpnc_t) - -seutil_dontaudit_search_config(vpnc_t) -seutil_use_newrole_fds(vpnc_t) - -sysnet_etc_filetrans_config(vpnc_t) -sysnet_manage_config(vpnc_t) - -userdom_use_all_users_fds(vpnc_t) -userdom_read_home_certs(vpnc_t) -userdom_search_admin_dir(vpnc_t) - -optional_policy(` - dbus_system_bus_client(vpnc_t) - - optional_policy(` - networkmanager_dbus_chat(vpnc_t) - ') -') - -optional_policy(` - networkmanager_attach_tun_iface(vpnc_t) -') diff --git a/policy/modules/apps/ada.fc b/policy/modules/apps/ada.fc deleted file mode 100644 index e802ed5..0000000 --- a/policy/modules/apps/ada.fc +++ /dev/null @@ -1,7 +0,0 @@ -# -# /usr -# -/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0) -/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0) -/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0) -/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0) diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if deleted file mode 100644 index 43ba21d..0000000 --- a/policy/modules/apps/ada.if +++ /dev/null @@ -1,45 +0,0 @@ -## GNAT Ada95 compiler - -######################################## -## -## Execute the ada program in the ada domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ada_domtrans',` - gen_require(` - type ada_t, ada_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ada_exec_t, ada_t) -') - -######################################## -## -## Execute ada in the ada domain, and -## allow the specified role the ada domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`ada_run',` - gen_require(` - type ada_t; - ') - - ada_domtrans($1) - role $2 types ada_t; -') diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te deleted file mode 100644 index 39c75fb..0000000 --- a/policy/modules/apps/ada.te +++ /dev/null @@ -1,24 +0,0 @@ -policy_module(ada, 1.4.0) - -######################################## -# -# Declarations -# - -type ada_t; -type ada_exec_t; -application_domain(ada_t, ada_exec_t) -role system_r types ada_t; - -######################################## -# -# Local policy -# - -allow ada_t self:process { execstack execmem }; - -userdom_use_user_terminals(ada_t) - -optional_policy(` - unconfined_domain(ada_t) -') diff --git a/policy/modules/apps/authbind.fc b/policy/modules/apps/authbind.fc deleted file mode 100644 index 48cf11b..0000000 --- a/policy/modules/apps/authbind.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0) - -/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) diff --git a/policy/modules/apps/authbind.if b/policy/modules/apps/authbind.if deleted file mode 100644 index d28020f..0000000 --- a/policy/modules/apps/authbind.if +++ /dev/null @@ -1,20 +0,0 @@ -## Tool for non-root processes to bind to reserved ports - -######################################## -## -## Use authbind to bind to a reserved port. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`authbind_domtrans',` - gen_require(` - type authbind_t, authbind_exec_t; - ') - - domtrans_pattern($1, authbind_exec_t, authbind_t) - allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms; -') diff --git a/policy/modules/apps/authbind.te b/policy/modules/apps/authbind.te deleted file mode 100644 index b4285f7..0000000 --- a/policy/modules/apps/authbind.te +++ /dev/null @@ -1,31 +0,0 @@ -policy_module(authbind, 1.1.0) - -######################################## -# -# Declarations -# - -type authbind_t; -type authbind_exec_t; -application_domain(authbind_t, authbind_exec_t) -role system_r types authbind_t; - -type authbind_etc_t; -files_config_file(authbind_etc_t) - -######################################## -# -# Local policy -# - -allow authbind_t self:capability net_bind_service; - -allow authbind_t authbind_etc_t:dir list_dir_perms; -exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t) -read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t) - -files_list_etc(authbind_t) - -term_use_console(authbind_t) - -logging_send_syslog_msg(authbind_t) diff --git a/policy/modules/apps/awstats.fc b/policy/modules/apps/awstats.fc deleted file mode 100644 index 5f0fa49..0000000 --- a/policy/modules/apps/awstats.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0) -/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0) -/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0) - -/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0) diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if deleted file mode 100644 index 283ff0d..0000000 --- a/policy/modules/apps/awstats.if +++ /dev/null @@ -1,42 +0,0 @@ -## -## AWStats is a free powerful and featureful tool that generates advanced -## web, streaming, ftp or mail server statistics, graphically. -## - -######################################## -## -## Read and write awstats unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`awstats_rw_pipes',` - gen_require(` - type awstats_t; - ') - - allow $1 awstats_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Execute awstats cgi scripts in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`awstats_cgi_exec',` - gen_require(` - type httpd_awstats_script_exec_t, httpd_awstats_content_t; - ') - - allow $1 httpd_awstats_content_t:dir search_dir_perms; - allow $1 httpd_awstats_script_exec_t:dir search_dir_perms; - can_exec($1, httpd_awstats_script_exec_t) -') diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te deleted file mode 100644 index 25b6f5a..0000000 --- a/policy/modules/apps/awstats.te +++ /dev/null @@ -1,81 +0,0 @@ -policy_module(awstats, 1.2.1) - -######################################## -# -# Declarations -# - -type awstats_t; -type awstats_exec_t; -domain_type(awstats_t) -domain_entry_file(awstats_t, awstats_exec_t) -role system_r types awstats_t; - -type awstats_tmp_t; -files_tmp_file(awstats_tmp_t) - -type awstats_var_lib_t; -files_type(awstats_var_lib_t) - -apache_content_template(awstats) - -######################################## -# -# awstats policy -# - -awstats_rw_pipes(awstats_t) -awstats_cgi_exec(awstats_t) - -can_exec(awstats_t, awstats_exec_t) - -manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t) -manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t) -files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file }) - -manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t) -files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file) - -# dontaudit access to /proc/meminfo -kernel_dontaudit_read_system_state(awstats_t) - -corecmd_exec_bin(awstats_t) -corecmd_exec_shell(awstats_t) - -dev_read_urand(awstats_t) - -files_read_etc_files(awstats_t) -# e.g. /usr/share/awstats/lang/awstats-en.txt -files_read_usr_files(awstats_t) -files_dontaudit_search_all_mountpoints(awstats_t) - -fs_list_inotifyfs(awstats_t) - -libs_read_lib_files(awstats_t) - -logging_read_generic_logs(awstats_t) - -miscfiles_read_localization(awstats_t) - -sysnet_dns_name_resolve(awstats_t) - -apache_read_log(awstats_t) - -optional_policy(` - cron_system_entry(awstats_t, awstats_exec_t) -') - -optional_policy(` - # dontaudit searching nscd pid directory - nscd_dontaudit_search_pid(awstats_t) -') - -######################################## -# -# awstats cgi script policy -# - -allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; - -read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) -files_search_var_lib(httpd_awstats_script_t) diff --git a/policy/modules/apps/calamaris.fc b/policy/modules/apps/calamaris.fc deleted file mode 100644 index 9cbd0a0..0000000 --- a/policy/modules/apps/calamaris.fc +++ /dev/null @@ -1,10 +0,0 @@ -# -# /etc -# -/etc/cron\.daily/calamaris -- gen_context(system_u:object_r:calamaris_exec_t,s0) - -# -# /var -# -/var/log/calamaris(/.*)? gen_context(system_u:object_r:calamaris_log_t,s0) -/var/www/calamaris(/.*)? gen_context(system_u:object_r:calamaris_www_t,s0) diff --git a/policy/modules/apps/calamaris.if b/policy/modules/apps/calamaris.if deleted file mode 100644 index df183be..0000000 --- a/policy/modules/apps/calamaris.if +++ /dev/null @@ -1,21 +0,0 @@ -## Squid log analysis - -####################################### -## -## Allow domain to read calamaris www files. -## -## -## -## Domain allowed access. -## -## -# -interface(`calamaris_read_www_files',` - gen_require(` - type calamaris_www_t; - ') - - allow $1 calamaris_www_t:dir list_dir_perms; - read_files_pattern($1, calamaris_www_t, calamaris_www_t) - read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t) -') diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te deleted file mode 100644 index 47d81d1..0000000 --- a/policy/modules/apps/calamaris.te +++ /dev/null @@ -1,81 +0,0 @@ -policy_module(calamaris, 1.6.0) - -######################################## -# -# Declarations -# - -type calamaris_t; -type calamaris_exec_t; -init_system_domain(calamaris_t, calamaris_exec_t) - -type calamaris_www_t; -files_type(calamaris_www_t) - -type calamaris_log_t; -logging_log_file(calamaris_log_t) - -######################################## -# -# Local policy -# - -# for when squid has a different UID -allow calamaris_t self:capability dac_override; -allow calamaris_t self:process { fork signal_perms setsched }; -allow calamaris_t self:fifo_file rw_fifo_file_perms; -allow calamaris_t self:unix_stream_socket create_stream_socket_perms; -allow calamaris_t self:tcp_socket create_stream_socket_perms; -allow calamaris_t self:udp_socket create_socket_perms; - -manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t) -manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t) - -manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t) -logging_log_filetrans(calamaris_t, calamaris_log_t, { file dir }) - -kernel_read_all_sysctls(calamaris_t) -kernel_read_system_state(calamaris_t) - -corecmd_exec_bin(calamaris_t) - -corenet_all_recvfrom_unlabeled(calamaris_t) -corenet_all_recvfrom_netlabel(calamaris_t) -corenet_tcp_sendrecv_generic_if(calamaris_t) -corenet_udp_sendrecv_generic_if(calamaris_t) -corenet_tcp_sendrecv_generic_node(calamaris_t) -corenet_udp_sendrecv_generic_node(calamaris_t) -corenet_tcp_sendrecv_all_ports(calamaris_t) -corenet_udp_sendrecv_all_ports(calamaris_t) - -dev_read_urand(calamaris_t) - -files_search_pids(calamaris_t) -files_read_etc_files(calamaris_t) -files_read_usr_files(calamaris_t) -files_read_var_files(calamaris_t) -files_read_etc_runtime_files(calamaris_t) - -libs_read_lib_files(calamaris_t) - -auth_use_nsswitch(calamaris_t) - -logging_send_syslog_msg(calamaris_t) - -miscfiles_read_localization(calamaris_t) - -userdom_dontaudit_list_user_home_dirs(calamaris_t) - -squid_read_log(calamaris_t) - -optional_policy(` - apache_search_sys_content(calamaris_t) -') - -optional_policy(` - cron_system_entry(calamaris_t, calamaris_exec_t) -') - -optional_policy(` - mta_send_mail(calamaris_t) -') diff --git a/policy/modules/apps/cdrecord.fc b/policy/modules/apps/cdrecord.fc deleted file mode 100644 index 91697cc..0000000 --- a/policy/modules/apps/cdrecord.fc +++ /dev/null @@ -1,6 +0,0 @@ -# -# /usr -# -/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) -/usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) -/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0) diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if deleted file mode 100644 index 1582faf..0000000 --- a/policy/modules/apps/cdrecord.if +++ /dev/null @@ -1,33 +0,0 @@ -## Policy for cdrecord - -######################################## -## -## Role access for cdrecord -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`cdrecord_role',` - gen_require(` - type cdrecord_t, cdrecord_exec_t; - ') - - role $1 types cdrecord_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, cdrecord_exec_t, cdrecord_t) - - allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl }; - - # allow ps to show cdrecord and allow the user to kill it - ps_process_pattern($2, cdrecord_t) - allow $2 cdrecord_t:process signal; -') diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te deleted file mode 100644 index 1403835..0000000 --- a/policy/modules/apps/cdrecord.te +++ /dev/null @@ -1,120 +0,0 @@ -policy_module(cdrecord, 2.3.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow cdrecord to read various content. -## nfs, samba, removable devices, user temp -## and untrusted content files -##

-##
-gen_tunable(cdrecord_read_content, false) - -type cdrecord_t; -type cdrecord_exec_t; -typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t }; -typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t }; -application_domain(cdrecord_t, cdrecord_exec_t) -ubac_constrained(cdrecord_t) - -######################################## -# -# Local policy -# - -allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; -allow cdrecord_t self:process { getcap getsched setsched sigkill }; -allow cdrecord_t self:unix_dgram_socket create_socket_perms; -allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; - -# growisofs uses mkisofs -corecmd_exec_bin(cdrecord_t) - -# allow searching for cdrom-drive -dev_list_all_dev_nodes(cdrecord_t) -dev_read_sysfs(cdrecord_t) - -domain_interactive_fd(cdrecord_t) -domain_use_interactive_fds(cdrecord_t) - -files_read_etc_files(cdrecord_t) - -term_use_controlling_term(cdrecord_t) -term_list_ptys(cdrecord_t) - -# allow cdrecord to write the CD -storage_raw_read_removable_device(cdrecord_t) -storage_raw_write_removable_device(cdrecord_t) -storage_write_scsi_generic(cdrecord_t) - -logging_send_syslog_msg(cdrecord_t) - -miscfiles_read_localization(cdrecord_t) - -# write to the user domain tty. -userdom_use_user_terminals(cdrecord_t) -userdom_read_user_home_content_files(cdrecord_t) - -# Handle nfs home dirs -tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints(cdrecord_t) - files_list_home(cdrecord_t) - fs_read_nfs_files(cdrecord_t) - fs_read_nfs_symlinks(cdrecord_t) - -',` - files_dontaudit_list_home(cdrecord_t) - fs_dontaudit_list_auto_mountpoints(cdrecord_t) - fs_dontaudit_read_nfs_files(cdrecord_t) - fs_dontaudit_list_nfs(cdrecord_t) -') -# Handle samba home dirs -tunable_policy(`cdrecord_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints(cdrecord_t) - files_list_home(cdrecord_t) - fs_read_cifs_files(cdrecord_t) - fs_read_cifs_symlinks(cdrecord_t) -',` - files_dontaudit_list_home(cdrecord_t) - fs_dontaudit_list_auto_mountpoints(cdrecord_t) - fs_dontaudit_read_cifs_files(cdrecord_t) - fs_dontaudit_list_cifs(cdrecord_t) -') - -# Handle removable media, /tmp, and /home -tunable_policy(`cdrecord_read_content',` - userdom_list_user_tmp(cdrecord_t) - userdom_read_user_tmp_files(cdrecord_t) - userdom_read_user_tmp_symlinks(cdrecord_t) - userdom_read_user_home_content_files(cdrecord_t) - userdom_read_user_home_content_symlinks(cdrecord_t) - - ifndef(`enable_mls',` - fs_search_removable(cdrecord_t) - fs_read_removable_files(cdrecord_t) - fs_read_removable_symlinks(cdrecord_t) - ') -',` - files_dontaudit_list_tmp(cdrecord_t) - files_dontaudit_list_home(cdrecord_t) - fs_dontaudit_list_removable(cdrecord_t) - fs_dontaudit_read_removable_files(cdrecord_t) - userdom_dontaudit_list_user_tmp(cdrecord_t) - userdom_dontaudit_read_user_tmp_files(cdrecord_t) - userdom_dontaudit_list_user_home_dirs(cdrecord_t) - userdom_dontaudit_read_user_home_content_files(cdrecord_t) -') - -tunable_policy(`use_nfs_home_dirs',` - files_search_mnt(cdrecord_t) - fs_read_nfs_files(cdrecord_t) - fs_read_nfs_symlinks(cdrecord_t) -') - -optional_policy(` - resmgr_stream_connect(cdrecord_t) -') diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc deleted file mode 100644 index 432fb25..0000000 --- a/policy/modules/apps/chrome.fc +++ /dev/null @@ -1,3 +0,0 @@ - /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) - -/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if deleted file mode 100644 index 5ef90cd..0000000 --- a/policy/modules/apps/chrome.if +++ /dev/null @@ -1,90 +0,0 @@ - -## policy for chrome - -######################################## -## -## Execute a domain transition to run chrome_sandbox. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`chrome_domtrans_sandbox',` - gen_require(` - type chrome_sandbox_t, chrome_sandbox_exec_t; - ') - - domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t) - ps_process_pattern(chrome_sandbox_t, $1) -ifdef(`hide_broken_symptoms', ` - dontaudit chrome_sandbox_t $1:socket_class_set { read write }; - fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) -') -') - - -######################################## -## -## Execute chrome_sandbox in the chrome_sandbox domain, and -## allow the specified role the chrome_sandbox domain. -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the chrome_sandbox domain. -## -## -# -interface(`chrome_run_sandbox',` - gen_require(` - type chrome_sandbox_t; - ') - - chrome_domtrans_sandbox($1) - role $2 types chrome_sandbox_t; -') - -######################################## -## -## Role access for chrome sandbox -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`chrome_role',` - gen_require(` - type chrome_sandbox_t; - type chrome_sandbox_tmpfs_t; - ') - - role $1 types chrome_sandbox_t; - - chrome_domtrans_sandbox($2) - - ps_process_pattern($2, chrome_sandbox_t) - allow $2 chrome_sandbox_t:process signal_perms; - - allow chrome_sandbox_t $2:unix_dgram_socket { read write }; - allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; - allow chrome_sandbox_t $2:unix_stream_socket { read write }; - allow $2 chrome_sandbox_t:unix_stream_socket { read write }; - - allow $2 chrome_sandbox_t:shm rw_shm_perms; - - allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; -') - diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te deleted file mode 100644 index 4e92e87..0000000 --- a/policy/modules/apps/chrome.te +++ /dev/null @@ -1,92 +0,0 @@ -policy_module(chrome,1.0.0) - -######################################## -# -# Declarations -# - -type chrome_sandbox_t; -type chrome_sandbox_exec_t; -application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) -role system_r types chrome_sandbox_t; - -type chrome_sandbox_tmp_t; -files_tmp_file(chrome_sandbox_tmp_t) - -type chrome_sandbox_tmpfs_t; -files_tmpfs_file(chrome_sandbox_tmpfs_t) -ubac_constrained(chrome_sandbox_tmpfs_t) - -######################################## -# -# chrome_sandbox local policy -# -allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; -allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; -allow chrome_sandbox_t self:fifo_file manage_file_perms; -allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; -allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; -allow chrome_sandbox_t self:shm create_shm_perms; - -manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) -manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) -files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) - -manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) -fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file) - -kernel_read_system_state(chrome_sandbox_t) -kernel_read_kernel_sysctls(chrome_sandbox_t) - -fs_manage_cgroup_dirs(chrome_sandbox_t) -fs_manage_cgroup_files(chrome_sandbox_t) - -corecmd_exec_bin(chrome_sandbox_t) - -domain_dontaudit_read_all_domains_state(chrome_sandbox_t) - -dev_read_urand(chrome_sandbox_t) -dev_read_sysfs(chrome_sandbox_t) -dev_rwx_zero(chrome_sandbox_t) - -files_read_etc_files(chrome_sandbox_t) -files_read_usr_files(chrome_sandbox_t) - -fs_dontaudit_getattr_all_fs(chrome_sandbox_t) - -userdom_rw_user_tmpfs_files(chrome_sandbox_t) -userdom_use_user_ptys(chrome_sandbox_t) -userdom_write_inherited_user_tmp_files(chrome_sandbox_t) -userdom_read_inherited_user_home_content_files(chrome_sandbox_t) -userdom_dontaudit_use_user_terminals(chrome_sandbox_t) - -miscfiles_read_localization(chrome_sandbox_t) -miscfiles_read_fonts(chrome_sandbox_t) - -sysnet_dontaudit_read_config(chrome_sandbox_t) - -optional_policy(` - execmem_exec(chrome_sandbox_t) -') - -optional_policy(` - gnome_rw_inherited_config(chrome_sandbox_t) - gnome_list_home_config(chrome_sandbox_t) -') - -optional_policy(` - xserver_use_user_fonts(chrome_sandbox_t) - xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_search_nfs(chrome_sandbox_t) - fs_read_inherited_nfs_files(chrome_sandbox_t) - fs_read_nfs_symlinks(chrome_sandbox_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_search_cifs(chrome_sandbox_t) - fs_read_inherited_cifs_files(chrome_sandbox_t) - fs_dontaudit_append_cifs_files(chrome_sandbox_t) -') diff --git a/policy/modules/apps/cpufreqselector.fc b/policy/modules/apps/cpufreqselector.fc deleted file mode 100644 index b187f0f..0000000 --- a/policy/modules/apps/cpufreqselector.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0) diff --git a/policy/modules/apps/cpufreqselector.if b/policy/modules/apps/cpufreqselector.if deleted file mode 100644 index ed94975..0000000 --- a/policy/modules/apps/cpufreqselector.if +++ /dev/null @@ -1 +0,0 @@ -## Command-line CPU frequency settings. diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te deleted file mode 100644 index 899e234..0000000 --- a/policy/modules/apps/cpufreqselector.te +++ /dev/null @@ -1,52 +0,0 @@ -policy_module(cpufreqselector, 1.1.1) - -######################################## -# -# Declarations -# - -type cpufreqselector_t; -type cpufreqselector_exec_t; -application_domain(cpufreqselector_t, cpufreqselector_exec_t) - -######################################## -# -# cpufreq-selector local policy -# - -allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; -allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; - -files_read_etc_files(cpufreqselector_t) -files_read_usr_files(cpufreqselector_t) - -corecmd_search_bin(cpufreqselector_t) - -dev_rw_sysfs(cpufreqselector_t) - -miscfiles_read_localization(cpufreqselector_t) - -userdom_read_all_users_state(cpufreqselector_t) -userdom_dontaudit_search_admin_dir(cpufreqselector_t) - -optional_policy(` - dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) - - optional_policy(` - consolekit_dbus_chat(cpufreqselector_t) - ') - - optional_policy(` - policykit_dbus_chat(cpufreqselector_t) - ') -') - -optional_policy(` - nscd_dontaudit_search_pid(cpufreqselector_t) -') - -optional_policy(` - policykit_domtrans_auth(cpufreqselector_t) - policykit_read_lib(cpufreqselector_t) - policykit_read_reload(cpufreqselector_t) -') diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc deleted file mode 100644 index c011277..0000000 --- a/policy/modules/apps/evolution.fc +++ /dev/null @@ -1,21 +0,0 @@ -# -# HOME_DIR/ -# - -HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) -HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) - -# -# /tmp -# -/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) - -# -# /usr -# -/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0) - -/usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0) -/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0) -/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0) -/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0) diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if deleted file mode 100644 index 1cb204c..0000000 --- a/policy/modules/apps/evolution.if +++ /dev/null @@ -1,153 +0,0 @@ -## Evolution email client - -######################################## -## -## Role access for evolution -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`evolution_role',` - gen_require(` - type evolution_t, evolution_exec_t, evolution_home_t; - type evolution_alarm_t, evolution_alarm_exec_t; - type evolution_exchange_t, evolution_exchange_exec_t; - type evolution_exchange_orbit_tmp_t; - type evolution_server_t, evolution_server_exec_t; - type evolution_webcal_t, evolution_webcal_exec_t; - ') - - role $1 types { evolution_t evolution_alarm_t evolution_exchange_t }; - role $1 types { evolution_server_t evolution_webcal_t }; - - domtrans_pattern($2, evolution_exec_t, evolution_t) - domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t) - domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t) - domtrans_pattern($2, evolution_server_exec_t, evolution_server_t) - domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t) - - ps_process_pattern($2, evolution_t) - ps_process_pattern($2, evolution_alarm_t) - ps_process_pattern($2, evolution_exchange_t) - ps_process_pattern($2, evolution_server_t) - ps_process_pattern($2, evolution_webcal_t) - - allow evolution_t $2:dir search; - allow evolution_t $2:file read; - allow evolution_t $2:lnk_file read; - allow evolution_t $2:unix_stream_socket connectto; - - allow $2 evolution_t:unix_stream_socket connectto; - allow $2 evolution_t:process noatsecure; - allow $2 evolution_t:process signal_perms; - - # Access .evolution - allow $2 evolution_home_t:dir manage_dir_perms; - allow $2 evolution_home_t:file manage_file_perms; - allow $2 evolution_home_t:lnk_file manage_lnk_file_perms; - allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto }; - - allow evolution_exchange_t $2:unix_stream_socket connectto; - - # Clock applet talks to exchange (FIXME: Needs policy) - allow $2 evolution_exchange_t:unix_stream_socket connectto; - allow $2 evolution_exchange_orbit_tmp_t:sock_file write; -') - -######################################## -## -## Create objects in users evolution home folders. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`evolution_home_filetrans',` - gen_require(` - type evolution_home_t; - ') - - allow $1 evolution_home_t:dir rw_dir_perms; - type_transition $1 evolution_home_t:$3 $2; -') - -######################################## -## -## Connect to evolution unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`evolution_stream_connect',` - gen_require(` - type evolution_t, evolution_home_t; - ') - - allow $1 evolution_t:unix_stream_socket connectto; - allow $1 evolution_home_t:dir search; -') - -######################################## -## -## Send and receive messages from -## evolution over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`evolution_dbus_chat',` - gen_require(` - type evolution_t; - class dbus send_msg; - ') - - allow $1 evolution_t:dbus send_msg; - allow evolution_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## evolution_alarm over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`evolution_alarm_dbus_chat',` - gen_require(` - type evolution_alarm_t; - class dbus send_msg; - ') - - allow $1 evolution_alarm_t:dbus send_msg; - allow evolution_alarm_t $1:dbus send_msg; -') diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te deleted file mode 100644 index e15a20c..0000000 --- a/policy/modules/apps/evolution.te +++ /dev/null @@ -1,618 +0,0 @@ -policy_module(evolution, 2.1.2) - -######################################## -# -# Declarations -# - -type evolution_t; -type evolution_exec_t; -typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t }; -typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t }; -application_domain(evolution_t, evolution_exec_t) -ubac_constrained(evolution_t) - -type evolution_alarm_t; -type evolution_alarm_exec_t; -typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; -typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t }; -application_domain(evolution_alarm_t, evolution_alarm_exec_t) -ubac_constrained(evolution_alarm_t) - -type evolution_alarm_tmpfs_t; -typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t }; -typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t }; -files_tmpfs_file(evolution_alarm_tmpfs_t) -ubac_constrained(evolution_alarm_tmpfs_t) - -type evolution_alarm_orbit_tmp_t; -typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t }; -typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t }; -files_tmp_file(evolution_alarm_orbit_tmp_t) -ubac_constrained(evolution_alarm_orbit_tmp_t) - -type evolution_exchange_t; -type evolution_exchange_exec_t; -typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t }; -typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t }; -application_domain(evolution_exchange_t, evolution_exchange_exec_t) -ubac_constrained(evolution_exchange_t) - -type evolution_exchange_tmpfs_t; -typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t }; -typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t }; -files_tmpfs_file(evolution_exchange_tmpfs_t) -ubac_constrained(evolution_exchange_tmpfs_t) - -type evolution_exchange_tmp_t; -typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t }; -typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t }; -files_tmp_file(evolution_exchange_tmp_t) -ubac_constrained(evolution_exchange_tmp_t) - -type evolution_exchange_orbit_tmp_t; -typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t }; -typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t }; -files_tmp_file(evolution_exchange_orbit_tmp_t) -ubac_constrained(evolution_exchange_orbit_tmp_t) - -type evolution_home_t; -typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t }; -typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t }; -userdom_user_home_content(evolution_home_t) - -type evolution_orbit_tmp_t; -typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t }; -typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t }; -files_tmp_file(evolution_orbit_tmp_t) -ubac_constrained(evolution_orbit_tmp_t) - -type evolution_server_t; -type evolution_server_exec_t; -typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t }; -typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t }; -application_domain(evolution_server_t, evolution_server_exec_t) -ubac_constrained(evolution_server_t) - -type evolution_server_orbit_tmp_t; -typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t }; -typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t }; -files_tmp_file(evolution_server_orbit_tmp_t) -ubac_constrained(evolution_server_orbit_tmp_t) - -type evolution_tmpfs_t; -typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t }; -typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t }; -files_tmpfs_file(evolution_tmpfs_t) -ubac_constrained(evolution_tmpfs_t) - -type evolution_webcal_t; -type evolution_webcal_exec_t; -typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t }; -typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t }; -application_domain(evolution_webcal_t, evolution_webcal_exec_t) -ubac_constrained(evolution_webcal_t) - -type evolution_webcal_tmpfs_t; -typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t }; -typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t }; -files_tmpfs_file(evolution_webcal_tmpfs_t) -ubac_constrained(evolution_webcal_tmpfs_t) - -######################################## -# -# Evolution local policy -# - -allow evolution_t self:capability { setuid setgid sys_nice }; -allow evolution_t self:process { signal getsched setsched }; -allow evolution_t self:fifo_file rw_file_perms; -allow evolution_t self:tcp_socket create_socket_perms; -allow evolution_t self:udp_socket create_socket_perms; - -allow evolution_t evolution_alarm_t:dir search_dir_perms; -allow evolution_t evolution_alarm_t:file read; - -allow evolution_t evolution_alarm_t:unix_stream_socket connectto; -allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write; - -can_exec(evolution_t, evolution_alarm_exec_t) - -allow evolution_t evolution_exchange_t:unix_stream_socket connectto; -allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write; - -allow evolution_t evolution_home_t:dir manage_dir_perms; -allow evolution_t evolution_home_t:file manage_file_perms; -allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms; -userdom_search_user_home_dirs(evolution_t) - -allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms; -allow evolution_t evolution_orbit_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file }) - -allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms; -allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file }) - -allow evolution_t evolution_server_t:dir search_dir_perms; -allow evolution_t evolution_server_t:file read; - -allow evolution_t evolution_server_t:unix_stream_socket connectto; -allow evolution_t evolution_server_orbit_tmp_t:sock_file write; - -can_exec(evolution_t, evolution_server_exec_t) - -allow evolution_t evolution_tmpfs_t:dir rw_dir_perms; -allow evolution_t evolution_tmpfs_t:file manage_file_perms; -allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -#FIXME check to see if really needed -kernel_read_kernel_sysctls(evolution_t) -kernel_read_system_state(evolution_t) -# Allow netstat -kernel_read_network_state(evolution_t) -kernel_read_net_sysctls(evolution_t) - -corecmd_exec_shell(evolution_t) -# Run various programs -corecmd_exec_bin(evolution_t) - -corenet_all_recvfrom_unlabeled(evolution_t) -corenet_all_recvfrom_netlabel(evolution_t) -corenet_tcp_sendrecv_generic_if(evolution_t) -corenet_udp_sendrecv_generic_if(evolution_t) -corenet_raw_sendrecv_generic_if(evolution_t) -corenet_tcp_sendrecv_generic_node(evolution_t) -corenet_udp_sendrecv_generic_node(evolution_t) -corenet_tcp_sendrecv_pop_port(evolution_t) -corenet_udp_sendrecv_pop_port(evolution_t) -corenet_tcp_sendrecv_smtp_port(evolution_t) -corenet_udp_sendrecv_smtp_port(evolution_t) -corenet_tcp_sendrecv_innd_port(evolution_t) -corenet_udp_sendrecv_innd_port(evolution_t) -corenet_tcp_sendrecv_ldap_port(evolution_t) -corenet_udp_sendrecv_ldap_port(evolution_t) -corenet_tcp_sendrecv_ipp_port(evolution_t) -corenet_udp_sendrecv_ipp_port(evolution_t) -corenet_tcp_connect_pop_port(evolution_t) -corenet_tcp_connect_smtp_port(evolution_t) -corenet_tcp_connect_innd_port(evolution_t) -corenet_tcp_connect_ldap_port(evolution_t) -corenet_tcp_connect_ipp_port(evolution_t) -corenet_sendrecv_pop_client_packets(evolution_t) -corenet_sendrecv_smtp_client_packets(evolution_t) -corenet_sendrecv_innd_client_packets(evolution_t) -corenet_sendrecv_ldap_client_packets(evolution_t) -corenet_sendrecv_ipp_client_packets(evolution_t) -# not sure about this bind -corenet_udp_bind_generic_node(evolution_t) -corenet_udp_bind_generic_port(evolution_t) - -dev_read_urand(evolution_t) - -domain_dontaudit_read_all_domains_state(evolution_t) - -files_read_etc_files(evolution_t) -files_read_usr_files(evolution_t) -files_read_usr_symlinks(evolution_t) -files_read_var_files(evolution_t) - -fs_search_auto_mountpoints(evolution_t) - -logging_send_syslog_msg(evolution_t) - -miscfiles_read_localization(evolution_t) - -sysnet_read_config(evolution_t) -sysnet_dns_name_resolve(evolution_t) - -udev_read_state(evolution_t) - -userdom_rw_user_tmp_files(evolution_t) -userdom_manage_user_tmp_dirs(evolution_t) -userdom_manage_user_tmp_sockets(evolution_t) -userdom_manage_user_tmp_files(evolution_t) -userdom_use_user_terminals(evolution_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_t) - -mta_read_config(evolution_t) - -xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t) -xserver_read_xdm_tmp_files(evolution_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(evolution_t) - fs_manage_nfs_files(evolution_t) - fs_manage_nfs_symlinks(evolution_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(evolution_t) - fs_manage_cifs_files(evolution_t) - fs_manage_cifs_symlinks(evolution_t) -') - -tunable_policy(`mail_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints(evolution_t) - files_list_home(evolution_t) - fs_read_nfs_files(evolution_t) - fs_read_nfs_symlinks(evolution_t) - -',` - files_dontaudit_list_home(evolution_t) - fs_dontaudit_list_auto_mountpoints(evolution_t) - fs_dontaudit_read_nfs_files(evolution_t) - fs_dontaudit_list_nfs(evolution_t) -') - -tunable_policy(`mail_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints(evolution_t) - files_list_home(evolution_t) - fs_read_cifs_files(evolution_t) - fs_read_cifs_symlinks(evolution_t) -',` - files_dontaudit_list_home(evolution_t) - fs_dontaudit_list_auto_mountpoints(evolution_t) - fs_dontaudit_read_cifs_files(evolution_t) - fs_dontaudit_list_cifs(evolution_t) -') - -tunable_policy(`mail_read_content',` - userdom_list_user_tmp(evolution_t) - userdom_read_user_tmp_files(evolution_t) - userdom_read_user_tmp_symlinks(evolution_t) - userdom_read_user_home_content_files(evolution_t) - userdom_read_user_home_content_symlinks(evolution_t) - - ifndef(`enable_mls',` - fs_search_removable(evolution_t) - fs_read_removable_files(evolution_t) - fs_read_removable_symlinks(evolution_t) - ') -',` - files_dontaudit_list_tmp(evolution_t) - files_dontaudit_list_home(evolution_t) - fs_dontaudit_list_removable(evolution_t) - fs_dontaudit_read_removable_files(evolution_t) - userdom_dontaudit_list_user_tmp(evolution_t) - userdom_dontaudit_read_user_tmp_files(evolution_t) - userdom_dontaudit_list_user_home_dirs(evolution_t) - userdom_dontaudit_read_user_home_content_files(evolution_t) -') - -optional_policy(` - automount_read_state(evolution_t) -') - -# Allow printing the mail -optional_policy(` - cups_read_rw_config(evolution_t) -') - -optional_policy(` - dbus_system_bus_client(evolution_t) - dbus_session_bus_client(evolution_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_t) -') - -# Encrypt mail -optional_policy(` - gpg_domtrans(evolution_t) - gpg_signal(evolution_t) -') - -optional_policy(` - lpd_domtrans_lpr(evolution_t) -') - -optional_policy(` - mozilla_read_user_home_files(evolution_t) - mozilla_domtrans(evolution_t) -') - -# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing) -optional_policy(` - nis_use_ypbind(evolution_t) -') - -optional_policy(` - nscd_socket_use(evolution_t) -') - -### Junk mail filtering (start spamd) -optional_policy(` - spamassassin_exec_spamd(evolution_t) - spamassassin_domtrans_client(evolution_t) - spamassassin_domtrans_local_client(evolution_t) - # Allow evolution to signal the daemon - # FIXME: Now evolution can read spamd temp files - spamassassin_read_spamd_tmp_files(evolution_t) - spamassassin_signal_spamd(evolution_t) - spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t) -') - -######################################## -# -# Evolution alarm local policy -# - -allow evolution_alarm_t self:process { signal getsched }; -allow evolution_alarm_t self:fifo_file rw_fifo_file_perms; - -allow evolution_alarm_t evolution_t:unix_stream_socket connectto; -allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write; - -allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto; -allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write; - -# Access evolution home -allow evolution_alarm_t evolution_home_t:dir manage_dir_perms; -allow evolution_alarm_t evolution_home_t:file manage_file_perms; -allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms; - -allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto; -allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write; - -dev_read_urand(evolution_alarm_t) - -files_read_etc_files(evolution_alarm_t) -files_read_usr_files(evolution_alarm_t) - -fs_search_auto_mountpoints(evolution_alarm_t) - -miscfiles_read_localization(evolution_alarm_t) - -# Access evolution home -userdom_search_user_home_dirs(evolution_alarm_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_alarm_t) - -xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t) - -# Access evolution home -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(evolution_alarm_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(evolution_alarm_t) -') - -optional_policy(` - dbus_session_bus_client(evolution_alarm_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_alarm_t) -') - -optional_policy(` - nscd_socket_use(evolution_alarm_t) -') - -######################################## -# -# Evolution exchange connector local policy -# - -allow evolution_exchange_t self:process getsched; -allow evolution_exchange_t self:fifo_file rw_fifo_file_perms; - -allow evolution_exchange_t self:tcp_socket create_socket_perms; -allow evolution_exchange_t self:udp_socket create_socket_perms; - -allow evolution_exchange_t evolution_t:unix_stream_socket connectto; -allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write; - -allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto; -allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write; - -# Access evolution home -allow evolution_exchange_t evolution_home_t:dir manage_dir_perms; -allow evolution_exchange_t evolution_home_t:file manage_file_perms; -allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms; - -allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto; -allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write; - -# /tmp/.exchange-$USER -allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms; -allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir }) - -allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_network_state(evolution_exchange_t) -kernel_read_net_sysctls(evolution_exchange_t) - -# Allow netstat -corecmd_exec_bin(evolution_exchange_t) - -dev_read_urand(evolution_exchange_t) - -files_read_etc_files(evolution_exchange_t) -files_read_usr_files(evolution_exchange_t) - -# Access evolution home -fs_search_auto_mountpoints(evolution_exchange_t) - -miscfiles_read_localization(evolution_exchange_t) - -userdom_write_user_tmp_sockets(evolution_exchange_t) -# Access evolution home -userdom_search_user_home_dirs(evolution_exchange_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_exchange_t) - -xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t) - -# Access evolution home -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(evolution_exchange_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(evolution_exchange_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_exchange_t) -') - -optional_policy(` - nscd_socket_use(evolution_exchange_t) -') - -######################################## -# -# Evolution data server local policy -# - -allow evolution_server_t self:process { getsched signal }; - -allow evolution_server_t self:fifo_file { read write }; -allow evolution_server_t self:unix_stream_socket { accept connectto }; -# Talk to ldap (address book), -# Obtain weather data via http (read server name from xml file in /usr) -allow evolution_server_t self:tcp_socket create_socket_perms; - -allow evolution_server_t evolution_t:unix_stream_socket connectto; -allow evolution_server_t evolution_orbit_tmp_t:sock_file write; - -allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto; -allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write; - -# Access evolution home -allow evolution_server_t evolution_home_t:dir manage_dir_perms; -allow evolution_server_t evolution_home_t:file manage_file_perms; -allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms; - -allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto; -allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write; - -kernel_read_system_state(evolution_server_t) - -corecmd_exec_shell(evolution_server_t) - -# Obtain weather data via http (read server name from xml file in /usr) -corenet_all_recvfrom_unlabeled(evolution_server_t) -corenet_all_recvfrom_netlabel(evolution_server_t) -corenet_tcp_sendrecv_generic_if(evolution_server_t) -corenet_tcp_sendrecv_generic_node(evolution_server_t) -corenet_tcp_sendrecv_http_port(evolution_server_t) -corenet_tcp_sendrecv_http_cache_port(evolution_server_t) -corenet_tcp_connect_http_cache_port(evolution_server_t) -corenet_tcp_connect_http_port(evolution_server_t) -corenet_sendrecv_http_client_packets(evolution_server_t) -corenet_sendrecv_http_cache_client_packets(evolution_server_t) - -dev_read_urand(evolution_server_t) - -files_read_etc_files(evolution_server_t) -# Obtain weather data via http (read server name from xml file in /usr) -files_read_usr_files(evolution_server_t) - -fs_search_auto_mountpoints(evolution_server_t) - -miscfiles_read_localization(evolution_server_t) -# Look in /etc/pki -miscfiles_read_generic_certs(evolution_server_t) - -# Talk to ldap (address book) -sysnet_read_config(evolution_server_t) -sysnet_dns_name_resolve(evolution_server_t) -sysnet_use_ldap(evolution_server_t) - -# Access evolution home -userdom_search_user_home_dirs(evolution_server_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_server_t) - -# Access evolution home -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(evolution_server_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(evolution_server_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_server_t) -') - -optional_policy(` - nscd_socket_use(evolution_server_t) -') - -######################################## -# -# Evolution webcal local policy -# - -allow evolution_webcal_t self:tcp_socket create_socket_perms; - -# X/evolution common stuff -allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -corenet_all_recvfrom_unlabeled(evolution_webcal_t) -corenet_all_recvfrom_netlabel(evolution_webcal_t) -corenet_tcp_sendrecv_generic_if(evolution_webcal_t) -corenet_raw_sendrecv_generic_if(evolution_webcal_t) -corenet_tcp_sendrecv_generic_node(evolution_webcal_t) -corenet_raw_sendrecv_generic_node(evolution_webcal_t) -corenet_tcp_sendrecv_http_port(evolution_webcal_t) -corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t) -corenet_tcp_connect_http_cache_port(evolution_webcal_t) -corenet_tcp_connect_http_port(evolution_webcal_t) -corenet_sendrecv_http_client_packets(evolution_webcal_t) -corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) - -# Networking capability - connect to website and handle ics link -sysnet_read_config(evolution_webcal_t) -sysnet_dns_name_resolve(evolution_webcal_t) - -# Search home directory (?) -userdom_search_user_home_dirs(evolution_webcal_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_webcal_t) - -xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t) - -optional_policy(` - nscd_socket_use(evolution_webcal_t) -') diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc deleted file mode 100644 index 9bd4f45..0000000 --- a/policy/modules/apps/execmem.fc +++ /dev/null @@ -1,48 +0,0 @@ - -/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0) - -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -') -/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) - -/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/lib(64)?/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) - -/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) - -/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) - -/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) - -/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) -/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) - -/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0) -/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0) - -/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0) - -/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) -/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) -/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if deleted file mode 100644 index 06ed3de..0000000 --- a/policy/modules/apps/execmem.if +++ /dev/null @@ -1,110 +0,0 @@ -## execmem domain - -######################################## -## -## Execute the execmem program in the execmem domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`execmem_exec',` - gen_require(` - type execmem_exec_t; - ') - - can_exec($1, execmem_exec_t) -') - -####################################### -## -## The role template for the execmem module. -## -## -##

-## This template creates a derived domains which are used -## for execmem applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`execmem_role_template',` - gen_require(` - type execmem_exec_t; - ') - - type $1_execmem_t; - domain_type($1_execmem_t) - domain_entry_file($1_execmem_t, execmem_exec_t) - role $2 types $1_execmem_t; - - userdom_unpriv_usertype($1, $1_execmem_t) - userdom_manage_tmp_role($2, $1_execmem_t) - userdom_manage_tmpfs_role($2, $1_execmem_t) - - allow $1_execmem_t self:process { execmem execstack }; - allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; - domtrans_pattern($3, execmem_exec_t, $1_execmem_t) -ifdef(`hide_broken_symptoms', ` - dontaudit $1_execmem_t $3:socket_class_set { read write }; -') - files_execmod_tmp($1_execmem_t) - - optional_policy(` - chrome_role($2, $1_execmem_t) - ') - - optional_policy(` - mozilla_execmod_user_home_files($1_execmem_t) - ') - - optional_policy(` - nsplugin_rw_shm($1_execmem_t) - nsplugin_rw_semaphores($1_execmem_t) - ') - - optional_policy(` - xserver_role($2, $1_execmem_t) - ') -') - -######################################## -## -## Execute a execmem_exec file -## in the specified domain. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the new process. -## -## -# -interface(`execmem_domtrans',` - gen_require(` - type execmem_exec_t; - ') - - domtrans_pattern($1, execmem_exec_t, $2) -') diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te deleted file mode 100644 index a7d37e2..0000000 --- a/policy/modules/apps/execmem.te +++ /dev/null @@ -1,10 +0,0 @@ -policy_module(execmem, 1.0.0) - -######################################## -# -# Declarations -# - -type execmem_exec_t alias unconfined_execmem_exec_t; -application_executable_file(execmem_exec_t) - diff --git a/policy/modules/apps/firewallgui.fc b/policy/modules/apps/firewallgui.fc deleted file mode 100644 index ce498b3..0000000 --- a/policy/modules/apps/firewallgui.fc +++ /dev/null @@ -1,3 +0,0 @@ - -/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) - diff --git a/policy/modules/apps/firewallgui.if b/policy/modules/apps/firewallgui.if deleted file mode 100644 index 7fe26f3..0000000 --- a/policy/modules/apps/firewallgui.if +++ /dev/null @@ -1,41 +0,0 @@ - -## policy for firewallgui - -######################################## -## -## Send and receive messages from -## firewallgui over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`firewallgui_dbus_chat',` - gen_require(` - type firewallgui_t; - class dbus send_msg; - ') - - allow $1 firewallgui_t:dbus send_msg; - allow firewallgui_t $1:dbus send_msg; -') - -######################################## -## -## Read and write firewallgui unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`firewallgui_dontaudit_rw_pipes',` - gen_require(` - type firewallgui_t; - ') - - dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms; -') diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te deleted file mode 100644 index 0bbd523..0000000 --- a/policy/modules/apps/firewallgui.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(firewallgui,1.0.0) - -######################################## -# -# Declarations -# - -type firewallgui_t; -type firewallgui_exec_t; -dbus_system_domain(firewallgui_t, firewallgui_exec_t) - -type firewallgui_tmp_t; -files_tmp_file(firewallgui_tmp_t) - -######################################## -# -# firewallgui local policy -# - -allow firewallgui_t self:capability { net_admin sys_rawio } ; -allow firewallgui_t self:fifo_file rw_fifo_file_perms; - -manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) -manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) -files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir }) - -kernel_read_system_state(firewallgui_t) -kernel_read_network_state(firewallgui_t) -kernel_rw_net_sysctls(firewallgui_t) -kernel_rw_kernel_sysctl(firewallgui_t) -kernel_rw_vm_sysctls(firewallgui_t) - -corecmd_exec_shell(firewallgui_t) -corecmd_exec_bin(firewallgui_t) -consoletype_exec(firewallgui_t) - -dev_read_urand(firewallgui_t) -dev_read_sysfs(firewallgui_t) - -files_manage_system_conf_files(firewallgui_t) -files_etc_filetrans_system_conf(firewallgui_t) -files_read_etc_files(firewallgui_t) -files_read_usr_files(firewallgui_t) -files_search_kernel_modules(firewallgui_t) -files_list_kernel_modules(firewallgui_t) - -iptables_domtrans(firewallgui_t) -iptables_initrc_domtrans(firewallgui_t) - -modutils_getattr_module_deps(firewallgui_t) - -miscfiles_read_localization(firewallgui_t) - -userdom_dontaudit_search_user_home_dirs(firewallgui_t) - -nscd_dontaudit_search_pid(firewallgui_t) -nscd_socket_use(firewallgui_t) - -optional_policy(` - gnome_read_gconf_home_files(firewallgui_t) -') - -optional_policy(` - policykit_dbus_chat(firewallgui_t) -') - diff --git a/policy/modules/apps/games.fc b/policy/modules/apps/games.fc deleted file mode 100644 index 78dc515..0000000 --- a/policy/modules/apps/games.fc +++ /dev/null @@ -1,66 +0,0 @@ -# -# /usr -# -/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0) -/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0) - -# -# /var -# -/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0) -/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0) - -ifndef(`distro_debian',` -/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0) -')dnl end non-Debian section diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if deleted file mode 100644 index 7ac736d..0000000 --- a/policy/modules/apps/games.if +++ /dev/null @@ -1,51 +0,0 @@ -## Games - -############################################################ -## -## Role access for games -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`games_role',` - gen_require(` - type games_t, games_exec_t; - ') - - role $1 types games_t; - - domtrans_pattern($2, games_exec_t, games_t) - allow $2 games_t:unix_stream_socket connectto; - allow games_t $2:unix_stream_socket connectto; - - # Allow the user domain to signal/ps. - ps_process_pattern($2, games_t) - allow $2 games_t:process signal_perms; -') - -######################################## -## -## Allow the specified domain to read/write -## games data. -## -## -## -## Domain allowed access. -## -## -# -interface(`games_rw_data',` - gen_require(` - type games_data_t; - ') - - rw_files_pattern($1, games_data_t, games_data_t) -') diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te deleted file mode 100644 index ac4f509..0000000 --- a/policy/modules/apps/games.te +++ /dev/null @@ -1,181 +0,0 @@ -policy_module(games, 2.1.0) - -######################################## -# -# Declarations -# - -type games_t; -type games_exec_t; -typealias games_t alias { user_games_t staff_games_t sysadm_games_t }; -typealias games_t alias { auditadm_games_t secadm_games_t }; -application_domain(games_t, games_exec_t) -ubac_constrained(games_t) - -type games_data_t; -typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; -typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t }; -files_type(games_data_t) -ubac_constrained(games_data_t) - -type games_devpts_t; -typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t }; -typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t }; -term_pty(games_devpts_t) -ubac_constrained(games_devpts_t) - -# games_srv_t is for system operation of games, generic games daemons and -# games recovery scripts -type games_srv_t; -init_system_domain(games_srv_t, games_exec_t) - -type games_srv_var_run_t; -files_pid_file(games_srv_var_run_t) - -type games_tmp_t; -typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t }; -typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t }; -files_tmp_file(games_tmp_t) -ubac_constrained(games_tmp_t) - -type games_tmpfs_t; -typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t }; -typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t }; -files_tmpfs_file(games_tmpfs_t) -ubac_constrained(games_tmpfs_t) - -######################################## -# -# Server local policy -# - -dontaudit games_srv_t self:capability sys_tty_config; -allow games_srv_t self:process signal_perms; - -manage_files_pattern(games_srv_t, games_data_t, games_data_t) -manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t) - -manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t) -files_pid_filetrans(games_srv_t, games_srv_var_run_t, file) - -can_exec(games_srv_t, games_exec_t) - -kernel_read_kernel_sysctls(games_srv_t) -kernel_list_proc(games_srv_t) -kernel_read_proc_symlinks(games_srv_t) - -dev_read_sysfs(games_srv_t) - -fs_getattr_all_fs(games_srv_t) -fs_search_auto_mountpoints(games_srv_t) - -term_dontaudit_use_console(games_srv_t) - -domain_use_interactive_fds(games_srv_t) - -init_use_fds(games_srv_t) -init_use_script_ptys(games_srv_t) - -logging_send_syslog_msg(games_srv_t) - -miscfiles_read_localization(games_srv_t) - -userdom_dontaudit_use_unpriv_user_fds(games_srv_t) - -userdom_dontaudit_search_user_home_dirs(games_srv_t) - -optional_policy(` - seutil_sigchld_newrole(games_srv_t) -') - -optional_policy(` - udev_read_db(games_srv_t) -') - -######################################## -# -# Local policy -# - -allow games_t self:sem create_sem_perms; -allow games_t self:tcp_socket create_stream_socket_perms; -allow games_t self:udp_socket create_socket_perms; - -manage_files_pattern(games_t, games_data_t, games_data_t) -manage_lnk_files_pattern(games_t, games_data_t, games_data_t) - -allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr }; -term_create_pty(games_t, games_devpts_t) - -manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t) -manage_files_pattern(games_t, games_tmp_t, games_tmp_t) -files_tmp_filetrans(games_t, games_tmp_t, { file dir }) - -manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file }) - -can_exec(games_t, games_exec_t) - -kernel_read_system_state(games_t) - -corecmd_exec_bin(games_t) - -corenet_all_recvfrom_unlabeled(games_t) -corenet_all_recvfrom_netlabel(games_t) -corenet_tcp_sendrecv_generic_if(games_t) -corenet_udp_sendrecv_generic_if(games_t) -corenet_tcp_sendrecv_generic_node(games_t) -corenet_udp_sendrecv_generic_node(games_t) -corenet_tcp_sendrecv_all_ports(games_t) -corenet_udp_sendrecv_all_ports(games_t) -corenet_tcp_bind_generic_node(games_t) -corenet_tcp_bind_generic_port(games_t) -corenet_tcp_connect_generic_port(games_t) -corenet_sendrecv_generic_client_packets(games_t) -corenet_sendrecv_generic_server_packets(games_t) - -dev_read_sound(games_t) -dev_write_sound(games_t) -dev_read_input(games_t) -dev_read_mouse(games_t) -dev_read_urand(games_t) - -files_list_var(games_t) -files_search_var_lib(games_t) -files_dontaudit_search_var(games_t) -files_read_etc_files(games_t) -files_read_usr_files(games_t) -files_read_var_files(games_t) - -init_dontaudit_rw_utmp(games_t) - -logging_dontaudit_search_logs(games_t) - -miscfiles_read_man_pages(games_t) -miscfiles_read_localization(games_t) - -sysnet_read_config(games_t) - -userdom_manage_user_tmp_dirs(games_t) -userdom_manage_user_tmp_files(games_t) -userdom_manage_user_tmp_symlinks(games_t) -userdom_manage_user_tmp_sockets(games_t) -# Suppress .icons denial until properly implemented -userdom_dontaudit_read_user_home_content_files(games_t) - -tunable_policy(`allow_execmem',` - allow games_t self:process execmem; -') - -optional_policy(` - nscd_socket_use(games_t) -') - -optional_policy(` - xserver_user_x_domain_template(games, games_t, games_tmpfs_t) - xserver_create_xdm_tmp_sockets(games_t) - xserver_read_xdm_lib_files(games_t) -') diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc deleted file mode 100644 index df7ced4..0000000 --- a/policy/modules/apps/gift.fc +++ /dev/null @@ -1,6 +0,0 @@ -HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0) - -/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) -/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) -/usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0) -/usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0) diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if deleted file mode 100644 index c9b90d3..0000000 --- a/policy/modules/apps/gift.if +++ /dev/null @@ -1,42 +0,0 @@ -## giFT peer to peer file sharing tool - -############################################################ -## -## Role access for gift -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`gift_role',` - gen_require(` - type gift_t, gift_exec_t; - type giftd_t, giftd_exec_t; - type gift_home_t; - ') - - role $1 types { gift_t giftd_t }; - - # transition from user domain - domtrans_pattern($2, gift_exec_t, gift_t) - domtrans_pattern($2, giftd_exec_t, giftd_t) - - # user managed content - manage_dirs_pattern($2, gift_home_t, gift_home_t) - manage_files_pattern($2, gift_home_t, gift_home_t) - manage_lnk_files_pattern($2, gift_home_t, gift_home_t) - relabel_dirs_pattern($2, gift_home_t, gift_home_t) - relabel_files_pattern($2, gift_home_t, gift_home_t) - relabel_lnk_files_pattern($2, gift_home_t, gift_home_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, { gift_t giftd_t }) - allow $2 { gift_t giftd_t }:process signal_perms; -') diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te deleted file mode 100644 index f378681..0000000 --- a/policy/modules/apps/gift.te +++ /dev/null @@ -1,147 +0,0 @@ -policy_module(gift, 2.1.1) - -######################################## -# -# Declarations -# - -type gift_t; -type gift_exec_t; -typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t }; -typealias gift_t alias { auditadm_gift_t secadm_gift_t }; -application_domain(gift_t, gift_exec_t) -ubac_constrained(gift_t) - -type gift_home_t; -typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t }; -typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t }; -userdom_user_home_content(gift_home_t) - -type gift_tmpfs_t; -typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t }; -typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t }; -files_tmpfs_file(gift_tmpfs_t) -ubac_constrained(gift_tmpfs_t) - -type giftd_t; -type giftd_exec_t; -typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t }; -typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t }; -application_domain(giftd_t, giftd_exec_t) -ubac_constrained(giftd_t) - -############################## -# -# giFT user interface local policy -# - -allow gift_t self:tcp_socket create_socket_perms; - -manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(gift_t, gift_home_t, gift_home_t) -manage_files_pattern(gift_t, gift_home_t, gift_home_t) -manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t) -userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir) - -# Launch gift daemon -domtrans_pattern(gift_t, giftd_exec_t, giftd_t) - -# Read /proc/meminfo -kernel_read_system_state(gift_t) - -# Connect to gift daemon -corenet_all_recvfrom_unlabeled(gift_t) -corenet_all_recvfrom_netlabel(gift_t) -corenet_tcp_sendrecv_generic_if(gift_t) -corenet_tcp_sendrecv_generic_node(gift_t) -corenet_tcp_sendrecv_giftd_port(gift_t) -corenet_tcp_connect_giftd_port(gift_t) -corenet_sendrecv_giftd_client_packets(gift_t) - -fs_search_auto_mountpoints(gift_t) - -sysnet_read_config(gift_t) - -# giftui looks in .icons, .themes. -userdom_dontaudit_read_user_home_content_files(gift_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gift_t) - fs_manage_nfs_files(gift_t) - fs_manage_nfs_symlinks(gift_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gift_t) - fs_manage_cifs_files(gift_t) - fs_manage_cifs_symlinks(gift_t) -') - -optional_policy(` - nscd_socket_use(gift_t) -') - -optional_policy(` - xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) -') - -############################## -# -# giFT server local policy -# - -allow giftd_t self:process { signal setsched }; -allow giftd_t self:unix_stream_socket create_socket_perms; -allow giftd_t self:tcp_socket create_stream_socket_perms; -allow giftd_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t) -manage_files_pattern(giftd_t, gift_home_t, gift_home_t) -manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t) -userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir) - -kernel_read_system_state(giftd_t) -kernel_read_kernel_sysctls(giftd_t) - -# Serve content on various p2p networks. Ports can be random. -corenet_all_recvfrom_unlabeled(giftd_t) -corenet_all_recvfrom_netlabel(giftd_t) -corenet_tcp_sendrecv_generic_if(giftd_t) -corenet_udp_sendrecv_generic_if(giftd_t) -corenet_tcp_sendrecv_generic_node(giftd_t) -corenet_udp_sendrecv_generic_node(giftd_t) -corenet_tcp_sendrecv_all_ports(giftd_t) -corenet_udp_sendrecv_all_ports(giftd_t) -corenet_tcp_bind_generic_node(giftd_t) -corenet_udp_bind_generic_node(giftd_t) -corenet_tcp_bind_all_ports(giftd_t) -corenet_udp_bind_all_ports(giftd_t) -corenet_tcp_connect_all_ports(giftd_t) -corenet_sendrecv_all_client_packets(giftd_t) - -files_read_usr_files(giftd_t) -# Read /etc/mtab -files_read_etc_runtime_files(giftd_t) - -miscfiles_read_localization(giftd_t) - -sysnet_read_config(giftd_t) - -userdom_use_user_terminals(giftd_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(giftd_t) - fs_manage_nfs_files(giftd_t) - fs_manage_nfs_symlinks(giftd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(giftd_t) - fs_manage_cifs_files(giftd_t) - fs_manage_cifs_symlinks(giftd_t) -') diff --git a/policy/modules/apps/gitosis.fc b/policy/modules/apps/gitosis.fc deleted file mode 100644 index 7e90e45..0000000 --- a/policy/modules/apps/gitosis.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0) -/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0) - -/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) -/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) diff --git a/policy/modules/apps/gitosis.if b/policy/modules/apps/gitosis.if deleted file mode 100644 index e898b91..0000000 --- a/policy/modules/apps/gitosis.if +++ /dev/null @@ -1,86 +0,0 @@ -## Tools for managing and hosting git repositories. - -####################################### -## -## Execute a domain transition to run gitosis. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`gitosis_domtrans',` - gen_require(` - type gitosis_t, gitosis_exec_t; - ') - - domtrans_pattern($1, gitosis_exec_t, gitosis_t) -') - -####################################### -## -## Execute gitosis-serve in the gitosis domain, and -## allow the specified role the gitosis domain. -## -## -## -## Domain allowed access -## -## -## -## -## Role allowed access. -## -## -# -interface(`gitosis_run',` - gen_require(` - type gitosis_t; - ') - - gitosis_domtrans($1) - role $2 types gitosis_t; -') - -####################################### -## -## Allow the specified domain to read -## gitosis lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`gitosis_read_lib_files',` - gen_require(` - type gitosis_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) - read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) - list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) -') - -###################################### -## -## Allow the specified domain to manage -## gitosis lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`gitosis_manage_lib_files',` - gen_require(` - type gitosis_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) -') diff --git a/policy/modules/apps/gitosis.te b/policy/modules/apps/gitosis.te deleted file mode 100644 index df1c189..0000000 --- a/policy/modules/apps/gitosis.te +++ /dev/null @@ -1,41 +0,0 @@ -policy_module(gitosis, 1.1.1) - -######################################## -# -# Declarations -# - -type gitosis_t; -type gitosis_exec_t; -application_domain(gitosis_t, gitosis_exec_t) -role system_r types gitosis_t; - -type gitosis_var_lib_t; -files_type(gitosis_var_lib_t) - -######################################## -# -# gitosis local policy -# - -allow gitosis_t self:fifo_file rw_fifo_file_perms; - -exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) -manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) -manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) -manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) - -kernel_read_system_state(gitosis_t) - -corecmd_exec_bin(gitosis_t) -corecmd_exec_shell(gitosis_t) - -dev_read_urand(gitosis_t) - -files_read_etc_files(gitosis_t) -files_read_usr_files(gitosis_t) -files_search_var_lib(gitosis_t) - -miscfiles_read_localization(gitosis_t) - -sysnet_read_config(gitosis_t) diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc deleted file mode 100644 index 46db5ff..0000000 --- a/policy/modules/apps/gnome.fc +++ /dev/null @@ -1,30 +0,0 @@ -HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) -HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) -HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) -/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) -/HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) - -/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) -/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) -/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) -/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) -/root/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) -/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) - -/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) - -/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) - -# Don't use because toolchain is broken -#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) - -/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) - -/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) - diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if deleted file mode 100644 index 91737d4..0000000 --- a/policy/modules/apps/gnome.if +++ /dev/null @@ -1,602 +0,0 @@ -## GNU network object model environment (GNOME) - -############################################################ -## -## Role access for gnome -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`gnome_role',` - gen_require(` - type gconfd_t, gconfd_exec_t; - type gconf_tmp_t; - ') - - role $1 types gconfd_t; - - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; - allow gconfd_t $2:unix_stream_socket connectto; - - ps_process_pattern($2, gconfd_t) - - #gnome_stream_connect_gconf_template($1, $2) - read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) - allow $2 gconfd_t:unix_stream_socket connectto; -') - -######################################## -## -## gconf connection template. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_stream_connect_gconf',` - gen_require(` - type gconfd_t, gconf_tmp_t; - ') - - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -') - -######################################## -## -## Run gconfd in gconfd domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_domtrans_gconfd',` - gen_require(` - type gconfd_t, gconfd_exec_t; - ') - - domtrans_pattern($1, gconfd_exec_t, gconfd_t) -') - -######################################## -## -## Dontaudit search gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_dontaudit_search_config',` - gen_require(` - attribute gnome_home_type; - ') - - dontaudit $1 gnome_home_type:dir search_dir_perms; -') - -######################################## -## -## manage gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_config',` - gen_require(` - attribute gnome_home_type; - ') - - allow $1 gnome_home_type:dir manage_dir_perms; - allow $1 gnome_home_type:file manage_file_perms; - allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Send general signals to all gconf domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_signal_all',` - gen_require(` - attribute gnomedomain; - ') - - allow $1 gnomedomain:process signal; -') - -######################################## -## -## Create objects in a Gnome cache home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`gnome_cache_filetrans',` - gen_require(` - type cache_home_t; - ') - - filetrans_pattern($1, cache_home_t, $2, $3) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Read generic cache home files (.cache) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_read_generic_cache_files',` - gen_require(` - type cache_home_t; - ') - - read_files_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Set attributes of cache home dir (.cache) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_setattr_cache_home_dir',` - gen_require(` - type cache_home_t; - ') - - setattr_dirs_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## append to generic cache home files (.cache) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_append_generic_cache_files',` - gen_require(` - type cache_home_t; - ') - - append_files_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## write to generic cache home files (.cache) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_write_generic_cache_files',` - gen_require(` - type cache_home_t; - ') - - write_files_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## read gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -template(`gnome_read_config',` - gen_require(` - attribute gnome_home_type; - ') - - list_dirs_pattern($1, gnome_home_type, gnome_home_type) - read_files_pattern($1, gnome_home_type, gnome_home_type) - read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) -') - -######################################## -## -## Create objects in a Gnome gconf home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`gnome_data_filetrans',` - gen_require(` - type data_home_t; - ') - - filetrans_pattern($1, data_home_t, $2, $3) - gnome_search_gconf($1) -') - -######################################## -## -## Create gconf_home_t objects in the /root directory -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`gnome_admin_home_gconf_filetrans',` - gen_require(` - type gconf_home_t; - ') - - userdom_admin_home_dir_filetrans($1, gconf_home_t, $2) -') - -######################################## -## -## read gconf config files -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_read_gconf_config',` - gen_require(` - type gconf_etc_t; - ') - - allow $1 gconf_etc_t:dir list_dir_perms; - read_files_pattern($1, gconf_etc_t, gconf_etc_t) -') - -####################################### -## -## Manage gconf config files -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_gconf_config',` - gen_require(` - type gconf_etc_t; - ') - - allow $1 gconf_etc_t:dir list_dir_perms; - manage_files_pattern($1, gconf_etc_t, gconf_etc_t) -') - -######################################## -## -## Execute gconf programs in -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_exec_gconf',` - gen_require(` - type gconfd_exec_t; - ') - - can_exec($1, gconfd_exec_t) -') - -######################################## -## -## Read gconf home files -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_read_gconf_home_files',` - gen_require(` - type gconf_home_t; - type data_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir list_dir_perms; - allow $1 data_home_t:dir list_dir_perms; - read_files_pattern($1, gconf_home_t, gconf_home_t) - read_files_pattern($1, data_home_t, data_home_t) -') - -######################################## -## -## search gconf homedir (.local) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_search_gconf',` - gen_require(` - type gconf_home_t; - ') - - allow $1 gconf_home_t:dir search_dir_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Set attributes of Gnome config dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_setattr_config_dirs',` - gen_require(` - type gnome_home_t; - ') - - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - files_search_home($1) -') - -######################################## -## -## Append gconf home files -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_append_gconf_home_files',` - gen_require(` - type gconf_home_t; - ') - - append_files_pattern($1, gconf_home_t, gconf_home_t) -') - -######################################## -## -## manage gconf home files -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_gconf_home_files',` - gen_require(` - type gconf_home_t; - ') - - allow $1 gconf_home_t:dir list_dir_perms; - manage_files_pattern($1, gconf_home_t, gconf_home_t) -') - -######################################## -## -## Connect to gnome over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the user domain. -## -## -# -interface(`gnome_stream_connect',` - gen_require(` - attribute gnome_home_type; - ') - - # Connect to pulseaudit server - stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) -') - -######################################## -## -## list gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_list_home_config',` - gen_require(` - type config_home_t; - ') - - allow $1 config_home_t:dir list_dir_perms; -') - -######################################## -## -## Set attributes of gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -template(`gnome_setattr_home_config',` - gen_require(` - type config_home_t; - ') - - setattr_dirs_pattern($1, config_home_t, config_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## read gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_read_home_config',` - gen_require(` - type config_home_t; - ') - - read_files_pattern($1, config_home_t, config_home_t) -') - -######################################## -## -## manage gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -template(`gnome_manage_home_config',` - gen_require(` - type config_home_t; - ') - - manage_files_pattern($1, config_home_t, config_home_t) -') - -######################################## -## -## Read/Write all inherited gnome home config -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_rw_inherited_config',` - gen_require(` - attribute gnome_home_type; - ') - - allow $1 gnome_home_type:file rw_inherited_file_perms; -') - -######################################## -## -## Send and receive messages from -## gconf system service over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_dbus_chat_gconfdefault',` - gen_require(` - type gconfdefaultsm_t; - class dbus send_msg; - ') - - allow $1 gconfdefaultsm_t:dbus send_msg; - allow gconfdefaultsm_t $1:dbus send_msg; -') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te deleted file mode 100644 index 26852d2..0000000 --- a/policy/modules/apps/gnome.te +++ /dev/null @@ -1,186 +0,0 @@ -policy_module(gnome, 2.0.1) - -############################## -# -# Declarations -# - -attribute gnomedomain; -attribute gnome_home_type; - -type gconf_etc_t; -files_config_file(gconf_etc_t) - -type data_home_t, gnome_home_type; -userdom_user_home_content(data_home_t) - -type config_home_t, gnome_home_type; -userdom_user_home_content(config_home_t) - -type cache_home_t, gnome_home_type; -userdom_user_home_content(cache_home_t) - -type gstreamer_home_t, gnome_home_type; -userdom_user_home_content(gstreamer_home_t) - -type gconf_home_t, gnome_home_type; -typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; -typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; -typealias gconf_home_t alias unconfined_gconf_home_t; -userdom_user_home_content(gconf_home_t) - -type gconf_tmp_t; -typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; -typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; -typealias gconf_tmp_t alias unconfined_gconf_tmp_t; -files_tmp_file(gconf_tmp_t) -ubac_constrained(gconf_tmp_t) - -type gconfd_t, gnomedomain; -type gconfd_exec_t; -typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; -typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; -application_domain(gconfd_t, gconfd_exec_t) -ubac_constrained(gconfd_t) - -type gnome_home_t, gnome_home_type; -typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; -typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; -typealias gnome_home_t alias unconfined_gnome_home_t; -userdom_user_home_content(gnome_home_t) - -type gconfdefaultsm_t; -type gconfdefaultsm_exec_t; -dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) - -type gnomesystemmm_t; -type gnomesystemmm_exec_t; -dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t) - -############################## -# -# Local Policy -# - -allow gconfd_t self:process getsched; -allow gconfd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) -manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) -userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) - -manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) - -allow gconfd_t gconf_etc_t:dir list_dir_perms; -read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) - -dev_read_urand(gconfd_t) - -files_read_etc_files(gconfd_t) - -miscfiles_read_localization(gconfd_t) - -logging_send_syslog_msg(gconfd_t) - -userdom_manage_user_tmp_sockets(gconfd_t) -userdom_manage_user_tmp_dirs(gconfd_t) -userdom_tmp_filetrans_user_tmp(gconfd_t, dir) - -optional_policy(` - nscd_dontaudit_search_pid(gconfd_t) -') - -optional_policy(` - xserver_use_xdm_fds(gconfd_t) - xserver_rw_xdm_pipes(gconfd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gconfdefaultsm_t) - fs_manage_nfs_files(gconfdefaultsm_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gconfdefaultsm_t) - fs_manage_cifs_files(gconfdefaultsm_t) -') - -####################################### -# -# gconf-defaults-mechanisms local policy -# - -allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace }; -allow gconfdefaultsm_t self:process getsched; -allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; - -corecmd_search_bin(gconfdefaultsm_t) - -files_read_etc_files(gconfdefaultsm_t) -files_read_usr_files(gconfdefaultsm_t) - -miscfiles_read_localization(gconfdefaultsm_t) - -gnome_manage_gconf_home_files(gconfdefaultsm_t) -gnome_manage_gconf_config(gconfdefaultsm_t) - -userdom_read_all_users_state(gconfdefaultsm_t) -userdom_search_user_home_dirs(gconfdefaultsm_t) - -userdom_dontaudit_search_admin_dir(gconfdefaultsm_t) - -optional_policy(` - consolekit_dbus_chat(gconfdefaultsm_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(gconfdefaultsm_t) -') - -optional_policy(` - policykit_domtrans_auth(gconfdefaultsm_t) - policykit_dbus_chat(gconfdefaultsm_t) - policykit_read_lib(gconfdefaultsm_t) - policykit_read_reload(gconfdefaultsm_t) -') - -####################################### -# -# gnome-system-monitor-mechanisms local policy -# - -allow gnomesystemmm_t self:capability { sys_nice sys_ptrace }; -allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; - -corecmd_search_bin(gnomesystemmm_t) - -domain_kill_all_domains(gnomesystemmm_t) -domain_search_all_domains_state(gnomesystemmm_t) -domain_setpriority_all_domains(gnomesystemmm_t) -domain_signal_all_domains(gnomesystemmm_t) -domain_sigstop_all_domains(gnomesystemmm_t) - -files_read_etc_files(gnomesystemmm_t) -files_read_usr_files(gnomesystemmm_t) - -miscfiles_read_localization(gnomesystemmm_t) - -userdom_read_all_users_state(gnomesystemmm_t) -userdom_dontaudit_search_admin_dir(gnomesystemmm_t) - -optional_policy(` - consolekit_dbus_chat(gnomesystemmm_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(gnomesystemmm_t) -') - -optional_policy(` - policykit_dbus_chat(gnomesystemmm_t) - policykit_domtrans_auth(gnomesystemmm_t) - policykit_read_lib(gnomesystemmm_t) - policykit_read_reload(gnomesystemmm_t) -') diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc deleted file mode 100644 index 717d163..0000000 --- a/policy/modules/apps/gpg.fc +++ /dev/null @@ -1,10 +0,0 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) -/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) - -/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) -/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) - -/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if deleted file mode 100644 index 13d939a..0000000 --- a/policy/modules/apps/gpg.if +++ /dev/null @@ -1,202 +0,0 @@ -## Policy for GNU Privacy Guard and related programs. - -############################################################ -## -## Role access for gpg -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`gpg_role',` - gen_require(` - type gpg_t, gpg_exec_t; - type gpg_agent_t, gpg_agent_exec_t; - type gpg_agent_tmp_t; - type gpg_helper_t, gpg_pinentry_t; - type gpg_pinentry_tmp_t; - ') - - role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; - - # transition from the userdomain to the derived domain - domtrans_pattern($2, gpg_exec_t, gpg_t) - - # allow ps to show gpg - ps_process_pattern($2, gpg_t) - allow $2 gpg_t:process { signull sigstop signal sigkill }; - - # communicate with the user - allow gpg_helper_t $2:fd use; - allow gpg_helper_t $2:fifo_file write; - - # allow ps to show gpg-agent - ps_process_pattern($2, gpg_agent_t) - - # Allow the user shell to signal the gpg-agent program. - allow $2 gpg_agent_t:process { signal sigkill }; - - manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) - manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) - manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) - files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - - # Transition from the user domain to the agent domain. - domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) - - manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) - relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) - - allow gpg_pinentry_t $2:fifo_file { read write }; - - optional_policy(` - gpg_pinentry_dbus_chat($2) - ') - - ifdef(`hide_broken_symptoms',` - #Leaked File Descriptors - dontaudit gpg_t $2:socket_class_set { getattr read write }; - dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; - dontaudit gpg_agent_t $2:socket_class_set { getattr read write }; - dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; - ') -') - -######################################## -## -## Transition to a user gpg domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`gpg_domtrans',` - gen_require(` - type gpg_t, gpg_exec_t; - ') - - domtrans_pattern($1, gpg_exec_t, gpg_t) -') - -###################################### -## -## Transition to a gpg web domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpg_domtrans_web',` - gen_require(` - type gpg_web_t, gpg_exec_t; - ') - - domtrans_pattern($1, gpg_exec_t, gpg_web_t) -') - -###################################### -## -## Make gpg an entrypoint for -## the specified domain. -## -## -## -## The domain for which cifs_t is an entrypoint. -## -## -# -interface(`gpg_entry_type',` - gen_require(` - type gpg_exec_t; - ') - - domain_entry_file($1, gpg_exec_t) -') - -######################################## -## -## Send generic signals to user gpg processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpg_signal',` - gen_require(` - type gpg_t; - ') - - allow $1 gpg_t:process signal; -') - -######################################## -## -## Read and write GPG agent pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpg_rw_agent_pipes',` - # Just wants read/write could this be a leak? - gen_require(` - type gpg_agent_t; - ') - - allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Send messages to and from GPG -## Pinentry over DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpg_pinentry_dbus_chat',` - gen_require(` - type gpg_pinentry_t; - class dbus send_msg; - ') - - allow $1 gpg_pinentry_t:dbus send_msg; - allow gpg_pinentry_t $1:dbus send_msg; -') - -######################################## -## -## List Gnu Privacy Guard user secrets. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpg_list_user_secrets',` - gen_require(` - type gpg_secret_t; - ') - - list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) - userdom_search_user_home_dirs($1) -') diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te deleted file mode 100644 index e9a7937..0000000 --- a/policy/modules/apps/gpg.te +++ /dev/null @@ -1,414 +0,0 @@ -policy_module(gpg, 2.3.1) - -######################################## -# -# Declarations -# -attribute gpgdomain; - -## -##

-## Allow usage of the gpg-agent --write-env-file option. -## This also allows gpg-agent to manage user files. -##

-##
-gen_tunable(gpg_agent_env_file, false) - -## -##

-## Allow gpg web domain to modify public files -## used for public file transfer services. -##

-##
-gen_tunable(gpg_web_anon_write, false) - -type gpg_t, gpgdomain; -type gpg_exec_t; -typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; -typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; -application_domain(gpg_t, gpg_exec_t) -ubac_constrained(gpg_t) -role system_r types gpg_t; - -type gpg_agent_t; -type gpg_agent_exec_t; -typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; -typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; -application_domain(gpg_agent_t, gpg_agent_exec_t) -ubac_constrained(gpg_agent_t) - -type gpg_agent_tmp_t; -typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; -typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; -files_tmp_file(gpg_agent_tmp_t) -ubac_constrained(gpg_agent_tmp_t) - -type gpg_secret_t; -typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; -typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t }; -userdom_user_home_content(gpg_secret_t) - -type gpg_helper_t; -type gpg_helper_exec_t; -typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; -typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; -application_domain(gpg_helper_t, gpg_helper_exec_t) -ubac_constrained(gpg_helper_t) -role system_r types gpg_helper_t; - -type gpg_pinentry_t; -type pinentry_exec_t; -typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; -typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; -application_domain(gpg_pinentry_t, pinentry_exec_t) -ubac_constrained(gpg_pinentry_t) - -type gpg_pinentry_tmp_t; -files_tmp_file(gpg_pinentry_tmp_t) -ubac_constrained(gpg_pinentry_tmp_t) - -type gpg_pinentry_tmpfs_t; -files_tmpfs_file(gpg_pinentry_tmpfs_t) -ubac_constrained(gpg_pinentry_tmpfs_t) - -type gpg_web_t; -domain_type(gpg_web_t) -gpg_entry_type(gpg_web_t) -role system_r types gpg_web_t; - -######################################## -# -# GPG local policy -# - -allow gpgdomain self:capability { ipc_lock setuid }; -allow gpgdomain self:process { getsched setsched }; -#at setrlimit is for ulimit -c 0 -allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid }; - -allow gpgdomain self:fifo_file rw_fifo_file_perms; -allow gpgdomain self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) - -domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) - -# transition from the gpg domain to the helper domain -domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) - -allow gpg_t gpg_secret_t:dir create_dir_perms; -manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) - -kernel_read_sysctl(gpg_t) - -corecmd_exec_shell(gpg_t) -corecmd_exec_bin(gpg_t) - -corenet_all_recvfrom_unlabeled(gpg_t) -corenet_all_recvfrom_netlabel(gpg_t) -corenet_tcp_sendrecv_generic_if(gpg_t) -corenet_udp_sendrecv_generic_if(gpg_t) -corenet_tcp_sendrecv_generic_node(gpg_t) -corenet_udp_sendrecv_generic_node(gpg_t) -corenet_tcp_sendrecv_all_ports(gpg_t) -corenet_udp_sendrecv_all_ports(gpg_t) -corenet_tcp_connect_all_ports(gpg_t) -corenet_sendrecv_all_client_packets(gpg_t) - -dev_read_rand(gpg_t) -dev_read_urand(gpg_t) -dev_read_generic_usb_dev(gpg_t) - -fs_getattr_xattr_fs(gpg_t) -fs_list_inotifyfs(gpg_t) - -domain_use_interactive_fds(gpg_t) - -files_read_etc_files(gpg_t) -files_read_usr_files(gpg_t) -files_dontaudit_search_var(gpg_t) - -auth_use_nsswitch(gpg_t) - -logging_send_syslog_msg(gpg_t) - -miscfiles_read_localization(gpg_t) - -userdom_use_user_terminals(gpg_t) -# sign/encrypt user files -userdom_manage_user_tmp_files(gpg_t) -userdom_manage_user_home_content_files(gpg_t) -userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) -userdom_stream_connect(gpg_t) - -mta_write_config(gpg_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_t) - fs_manage_nfs_files(gpg_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_t) - fs_manage_cifs_files(gpg_t) -') - -optional_policy(` - gnome_read_config(gpg_t) -') - -optional_policy(` - mozilla_read_user_home_files(gpg_t) - mozilla_write_user_home_files(gpg_t) -') - -optional_policy(` - xserver_use_xdm_fds(gpg_t) - xserver_rw_xdm_pipes(gpg_t) -') - -#optional_policy(` -# cron_system_entry(gpg_t, gpg_exec_t) -# cron_read_system_job_tmp_files(gpg_t) -#') - -######################################## -# -# GPG helper local policy -# - -allow gpg_helper_t self:process { getsched setsched }; - -# for helper programs (which automatically fetch keys) -# Note: this is only tested with the hkp interface. If you use eg the -# mail interface you will likely need additional permissions. - -allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; -allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; -allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; - -dontaudit gpg_helper_t gpg_secret_t:file read; - -corenet_all_recvfrom_unlabeled(gpg_helper_t) -corenet_all_recvfrom_netlabel(gpg_helper_t) -corenet_tcp_sendrecv_generic_if(gpg_helper_t) -corenet_raw_sendrecv_generic_if(gpg_helper_t) -corenet_udp_sendrecv_generic_if(gpg_helper_t) -corenet_tcp_sendrecv_generic_node(gpg_helper_t) -corenet_udp_sendrecv_generic_node(gpg_helper_t) -corenet_raw_sendrecv_generic_node(gpg_helper_t) -corenet_tcp_sendrecv_all_ports(gpg_helper_t) -corenet_udp_sendrecv_all_ports(gpg_helper_t) -corenet_tcp_bind_generic_node(gpg_helper_t) -corenet_udp_bind_generic_node(gpg_helper_t) -corenet_tcp_connect_all_ports(gpg_helper_t) - -files_read_etc_files(gpg_helper_t) - -auth_use_nsswitch(gpg_helper_t) - -userdom_use_user_terminals(gpg_helper_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_rw_nfs_files(gpg_helper_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_dontaudit_rw_cifs_files(gpg_helper_t) -') - -######################################## -# -# GPG agent local policy -# -domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) - -# rlimit: gpg-agent wants to prevent coredumps -allow gpg_agent_t self:process setrlimit; - -allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; -allow gpg_agent_t self:fifo_file rw_fifo_file_perms; - -# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) - -# Allow the gpg-agent to manage its tmp files (socket) -manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - -# allow gpg to connect to the gpg agent -stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) - -corecmd_read_bin_symlinks(gpg_agent_t) -corecmd_search_bin(gpg_agent_t) -corecmd_exec_shell(gpg_agent_t) - -dev_read_urand(gpg_agent_t) - -domain_use_interactive_fds(gpg_agent_t) - -fs_dontaudit_list_inotifyfs(gpg_agent_t) - -miscfiles_read_localization(gpg_agent_t) - -# Write to the user domain tty. -userdom_use_user_terminals(gpg_agent_t) -# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -userdom_search_user_home_dirs(gpg_agent_t) - -ifdef(`hide_broken_symptoms',` - userdom_dontaudit_read_user_tmp_files(gpg_agent_t) - userdom_dontaudit_write_user_tmp_files(gpg_agent_t) -') - -tunable_policy(`gpg_agent_env_file',` - # write ~/.gpg-agent-info or a similar to the users home dir - # or subdir (gpg-agent --write-env-file option) - # - userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) - userdom_manage_user_home_content_dirs(gpg_agent_t) - userdom_manage_user_home_content_files(gpg_agent_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_agent_t) - fs_manage_nfs_files(gpg_agent_t) - fs_manage_nfs_symlinks(gpg_agent_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_agent_t) - fs_manage_cifs_files(gpg_agent_t) - fs_manage_cifs_symlinks(gpg_agent_t) -') - -optional_policy(` - mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -') - -############################## -# -# Pinentry local policy -# - -allow gpg_pinentry_t self:process { getcap getsched setsched signal }; -allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; -allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms; -allow gpg_pinentry_t self:shm create_shm_perms; -allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms; -allow gpg_pinentry_t self:unix_dgram_socket sendto; -allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; - -can_exec(gpg_pinentry_t, pinentry_exec_t) - -# we need to allow gpg-agent to call pinentry so it can get the passphrase -# from the user. -domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) - -manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) -userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) - -manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) -manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) -fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) - -# read /proc/meminfo -kernel_read_system_state(gpg_pinentry_t) - -corecmd_exec_bin(gpg_pinentry_t) - -corenet_all_recvfrom_netlabel(gpg_pinentry_t) -corenet_all_recvfrom_unlabeled(gpg_pinentry_t) -corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) -corenet_tcp_bind_generic_node(gpg_pinentry_t) -corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) -corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) -corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) -corenet_tcp_sendrecv_generic_port(gpg_pinentry_t) - -dev_read_urand(gpg_pinentry_t) -dev_read_rand(gpg_pinentry_t) - -files_read_usr_files(gpg_pinentry_t) -# read /etc/X11/qtrc -files_read_etc_files(gpg_pinentry_t) - -fs_dontaudit_list_inotifyfs(gpg_pinentry_t) -fs_getattr_tmpfs(gpg_pinentry_t) - -auth_use_nsswitch(gpg_pinentry_t) - -logging_send_syslog_msg(gpg_pinentry_t) - -miscfiles_read_fonts(gpg_pinentry_t) -miscfiles_read_localization(gpg_pinentry_t) - -# for .Xauthority -userdom_read_user_home_content_files(gpg_pinentry_t) -userdom_read_user_tmpfs_files(gpg_pinentry_t) -# Bug: user pulseaudio files need open,read and unlink: -allow gpg_pinentry_t user_tmpfs_t:file unlink; -userdom_signull_unpriv_users(gpg_pinentry_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(gpg_pinentry_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(gpg_pinentry_t) -') - -optional_policy(` - dbus_session_bus_client(gpg_pinentry_t) - dbus_system_bus_client(gpg_pinentry_t) -') - -optional_policy(` - gnome_write_generic_cache_files(gpg_pinentry_t) - gnome_read_generic_cache_files(gpg_pinentry_t) - gnome_read_gconf_home_files(gpg_pinentry_t) -') - -optional_policy(` - pulseaudio_exec(gpg_pinentry_t) - pulseaudio_rw_home_files(gpg_pinentry_t) - pulseaudio_setattr_home_dir(gpg_pinentry_t) - pulseaudio_stream_connect(gpg_pinentry_t) - pulseaudio_signull(gpg_pinentry_t) -') - -optional_policy(` - xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) - -') - -############################# -# -# gpg web local policy -# - -allow gpg_web_t self:process setrlimit; - -dev_read_rand(gpg_web_t) -dev_read_urand(gpg_web_t) - -can_exec(gpg_web_t, gpg_exec_t) - -files_read_usr_files(gpg_web_t) - -miscfiles_read_localization(gpg_web_t) - -apache_dontaudit_rw_tmp_files(gpg_web_t) -apache_manage_sys_content_rw(gpg_web_t) - -tunable_policy(`gpg_web_anon_write',` - miscfiles_manage_public_files(gpg_web_t) -') diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc deleted file mode 100644 index 6bfdfd3..0000000 --- a/policy/modules/apps/irc.fc +++ /dev/null @@ -1,15 +0,0 @@ -# -# /home -# -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) -HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0) - -/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0) - -# -# /usr -# -/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0) -/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if deleted file mode 100644 index 8dc8a5f..0000000 --- a/policy/modules/apps/irc.if +++ /dev/null @@ -1,46 +0,0 @@ -## IRC client policy - -######################################## -## -## Role access for IRC -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`irc_role',` - gen_require(` - type irc_t, irc_exec_t; - type irssi_t, irssi_exec_t, irssi_home_t; - ') - - role $1 types irc_t; - role $1 types irssi_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, irc_exec_t, irc_t) - - # allow ps to show irc - ps_process_pattern($2, irc_t) - allow $2 irc_t:process signal; - - domtrans_pattern($2, irssi_exec_t, irssi_t) - - allow $2 irssi_t:process { ptrace signal_perms }; - ps_process_pattern($2, irssi_t) - - manage_dirs_pattern($2, irssi_home_t, irssi_home_t) - manage_files_pattern($2, irssi_home_t, irssi_home_t) - manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t) - - relabel_dirs_pattern($2, irssi_home_t, irssi_home_t) - relabel_files_pattern($2, irssi_home_t, irssi_home_t) - relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) -') diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te deleted file mode 100644 index b7c6502..0000000 --- a/policy/modules/apps/irc.te +++ /dev/null @@ -1,207 +0,0 @@ -policy_module(irc, 2.1.0) - -######################################## -# -# Declarations -# - -type irc_t; -type irc_exec_t; -typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t }; -typealias irc_t alias { auditadm_irc_t secadm_irc_t }; -application_domain(irc_t, irc_exec_t) -ubac_constrained(irc_t) - -type irc_home_t; -typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t }; -typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; -userdom_user_home_content(irc_home_t) - -type irc_tmp_t; -typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; -typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; -userdom_user_home_content(irc_tmp_t) - -######################################## -# -# Irssi personal declarations. -# - -## -##

-## Allow the Irssi IRC Client to connect to any port, -## and to bind to any unreserved port. -##

-##
-gen_tunable(irssi_use_full_network, false) - -type irssi_t; -type irssi_exec_t; -application_domain(irssi_t, irssi_exec_t) -ubac_constrained(irssi_t) - -type irssi_etc_t; -files_config_file(irssi_etc_t) - -type irssi_home_t; -userdom_user_home_content(irssi_home_t) - -######################################## -# -# Local policy -# - -allow irc_t self:unix_stream_socket create_stream_socket_perms; -allow irc_t self:tcp_socket create_socket_perms; -allow irc_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) -manage_files_pattern(irc_t, irc_home_t, irc_home_t) -manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) -userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file }) - -# access files under /tmp -manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) - -kernel_read_proc_symlinks(irc_t) - -corenet_all_recvfrom_unlabeled(irc_t) -corenet_all_recvfrom_netlabel(irc_t) -corenet_tcp_sendrecv_generic_if(irc_t) -corenet_udp_sendrecv_generic_if(irc_t) -corenet_tcp_sendrecv_generic_node(irc_t) -corenet_udp_sendrecv_generic_node(irc_t) -corenet_tcp_sendrecv_all_ports(irc_t) -corenet_udp_sendrecv_all_ports(irc_t) -corenet_sendrecv_ircd_client_packets(irc_t) -# cjp: this seems excessive: -corenet_tcp_connect_all_ports(irc_t) -corenet_sendrecv_all_client_packets(irc_t) - -domain_use_interactive_fds(irc_t) - -files_dontaudit_search_pids(irc_t) -files_search_var(irc_t) -files_read_etc_files(irc_t) -files_read_usr_files(irc_t) - -fs_getattr_xattr_fs(irc_t) -fs_search_auto_mountpoints(irc_t) - -term_use_controlling_term(irc_t) -term_list_ptys(irc_t) - -# allow utmp access -init_read_utmp(irc_t) -init_dontaudit_lock_utmp(irc_t) - -miscfiles_read_localization(irc_t) - -# Inherit and use descriptors from newrole. -seutil_use_newrole_fds(irc_t) - -sysnet_read_config(irc_t) - -# Write to the user domain tty. -userdom_use_user_terminals(irc_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(irc_t) - fs_manage_nfs_files(irc_t) - fs_manage_nfs_symlinks(irc_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(irc_t) - fs_manage_cifs_files(irc_t) - fs_manage_cifs_symlinks(irc_t) -') - -optional_policy(` - nis_use_ypbind(irc_t) -') - -######################################## -# -# Irssi personal declarations. -# - -allow irssi_t self:process { signal sigkill }; -allow irssi_t self:fifo_file rw_fifo_file_perms; -allow irssi_t self:netlink_route_socket create_netlink_socket_perms; -allow irssi_t self:tcp_socket create_stream_socket_perms; -allow irssi_t self:udp_socket create_socket_perms; - -read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t) - -manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t) -manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t) -manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t) -userdom_user_home_dir_filetrans(irssi_t, irssi_home_t, { dir file lnk_file }) -userdom_search_user_home_dirs(irssi_t) - -corecmd_search_bin(irssi_t) -corecmd_read_bin_symlinks(irssi_t) - -corenet_tcp_connect_ircd_port(irssi_t) -corenet_sendrecv_ircd_client_packets(irssi_t) - -# Privoxy -corenet_tcp_connect_http_cache_port(irssi_t) -corenet_sendrecv_http_cache_client_packets(irssi_t) - -corenet_all_recvfrom_netlabel(irssi_t) -corenet_all_recvfrom_unlabeled(irssi_t) -corenet_tcp_sendrecv_generic_if(irssi_t) -corenet_tcp_sendrecv_generic_node(irssi_t) -corenet_tcp_sendrecv_generic_port(irssi_t) -corenet_tcp_bind_generic_node(irssi_t) -corenet_udp_bind_generic_node(irssi_t) - -dev_read_urand(irssi_t) -# irssi-otr genkey. -dev_read_rand(irssi_t) - -files_read_etc_files(irssi_t) -files_read_usr_files(irssi_t) - -fs_search_auto_mountpoints(irssi_t) - -miscfiles_read_localization(irssi_t) - -sysnet_read_config(irssi_t) - -userdom_use_user_terminals(irssi_t) - -tunable_policy(`irssi_use_full_network', ` - corenet_tcp_bind_all_unreserved_ports(irssi_t) - corenet_tcp_connect_all_ports(irssi_t) - corenet_sendrecv_generic_server_packets(irssi_t) - corenet_sendrecv_all_client_packets(irssi_t) -') - -tunable_policy(`use_nfs_home_dirs', ` - fs_manage_nfs_dirs(irssi_t) - fs_manage_nfs_files(irssi_t) - fs_manage_nfs_symlinks(irssi_t) -') - -tunable_policy(`use_samba_home_dirs', ` - fs_manage_cifs_dirs(irssi_t) - fs_manage_cifs_files(irssi_t) - fs_manage_cifs_symlinks(irssi_t) -') - -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(irssi_t) -') - -optional_policy(` - nis_use_ypbind(irssi_t) -') - diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc deleted file mode 100644 index 87d560b..0000000 --- a/policy/modules/apps/java.fc +++ /dev/null @@ -1,42 +0,0 @@ -# -# /opt -# -/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - -# -# /usr -# -/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - -/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) - -ifdef(`distro_redhat',` -/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) -') diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if deleted file mode 100644 index f0c4777..0000000 --- a/policy/modules/apps/java.if +++ /dev/null @@ -1,202 +0,0 @@ -## Java virtual machine - -######################################## -## -## Role access for java -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`java_role',` - gen_require(` - type java_t, java_exec_t; - ') - - role $1 types java_t; - - # The user role is authorized for this domain. - domtrans_pattern($2, java_exec_t, java_t) - allow java_t $2:process signull; - # Unrestricted inheritance from the caller. - allow $2 java_t:process { noatsecure siginh rlimitinh }; - - allow java_t $2:unix_stream_socket connectto; - allow java_t $2:unix_stream_socket { read write }; - allow java_t $2:tcp_socket { read write }; -') - -####################################### -## -## The role template for the java module. -## -## -##

-## This template creates a derived domains which are used -## for java applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`java_role_template',` - gen_require(` - type java_exec_t; - ') - - type $1_java_t; - domain_type($1_java_t) - domain_entry_file($1_java_t, java_exec_t) - role $2 types $1_java_t; - - domain_interactive_fd($1_java_t) - - userdom_unpriv_usertype($1, $1_java_t) - userdom_manage_tmpfs_role($2, $1_java_t) - - allow $1_java_t self:process { ptrace signal getsched execmem execstack }; - - dontaudit $1_java_t $3:tcp_socket { read write }; - - allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms }; - - domtrans_pattern($3, java_exec_t, $1_java_t) - - corecmd_bin_domtrans($1_java_t, $1_t) - - dev_dontaudit_append_rand($1_java_t) - - files_execmod_all_files($1_java_t) - - fs_dontaudit_rw_tmpfs_files($1_java_t) - - optional_policy(` - xserver_role($2, $1_java_t) - ') -') - -######################################## -## -## Run java in javaplugin domain. -## -## -## -## Domain allowed to transition. -## -## -# -template(`java_domtrans',` - gen_require(` - type java_t, java_exec_t; - ') - - domtrans_pattern($1, java_exec_t, java_t) -') - -######################################## -## -## Execute java in the java domain, and -## allow the specified role the java domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`java_run',` - gen_require(` - type java_t; - ') - - java_domtrans($1) - role $2 types java_t; -') - -######################################## -## -## Execute the java program in the unconfined java domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`java_domtrans_unconfined',` - gen_require(` - type unconfined_java_t, java_exec_t; - ') - - domtrans_pattern($1, java_exec_t, unconfined_java_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute the java program in the unconfined java domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`java_run_unconfined',` - gen_require(` - type unconfined_java_t; - ') - - java_domtrans_unconfined($1) - role $2 types unconfined_java_t; - nsplugin_role_notrans($2, unconfined_java_t) -') - -######################################## -## -## Execute the java program in the java domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`java_exec',` - gen_require(` - type java_exec_t; - ') - - can_exec($1, java_exec_t) -') diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te deleted file mode 100644 index 90ce46a..0000000 --- a/policy/modules/apps/java.te +++ /dev/null @@ -1,159 +0,0 @@ -policy_module(java, 2.3.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow java executable stack -##

-##
-gen_tunable(allow_java_execstack, false) - -type java_t; -type java_exec_t; -application_domain(java_t, java_exec_t) -ubac_constrained(java_t) -typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; -typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; -role system_r types java_t; - -type java_tmp_t; -files_tmp_file(java_tmp_t) -ubac_constrained(java_tmp_t) -typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t }; -typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t }; - -type java_tmpfs_t; -ubac_constrained(java_tmpfs_t) -files_tmpfs_file(java_tmpfs_t) -typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; -typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; - -type unconfined_java_t; -init_system_domain(unconfined_java_t, java_exec_t) - -######################################## -# -# Local policy -# - -allow java_t self:process { signal_perms getsched setsched execmem }; -allow java_t self:fifo_file rw_fifo_file_perms; -allow java_t self:tcp_socket create_socket_perms; -allow java_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t) -manage_files_pattern(java_t, java_tmp_t, java_tmp_t) -files_tmp_filetrans(java_t, java_tmp_t, { file dir }) - -manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) -manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) -manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) -manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) -fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file }) - -can_exec(java_t, java_exec_t) - -kernel_read_all_sysctls(java_t) -kernel_search_vm_sysctl(java_t) -kernel_read_network_state(java_t) -kernel_read_system_state(java_t) - -# Search bin directory under java for java executable -corecmd_search_bin(java_t) - -corenet_all_recvfrom_unlabeled(java_t) -corenet_all_recvfrom_netlabel(java_t) -corenet_tcp_sendrecv_generic_if(java_t) -corenet_udp_sendrecv_generic_if(java_t) -corenet_tcp_sendrecv_generic_node(java_t) -corenet_udp_sendrecv_generic_node(java_t) -corenet_tcp_sendrecv_all_ports(java_t) -corenet_udp_sendrecv_all_ports(java_t) -corenet_tcp_connect_all_ports(java_t) -corenet_sendrecv_all_client_packets(java_t) - -dev_read_sound(java_t) -dev_write_sound(java_t) -dev_read_urand(java_t) -dev_read_rand(java_t) -dev_dontaudit_append_rand(java_t) - -files_read_etc_files(java_t) -files_read_usr_files(java_t) -files_search_home(java_t) -files_search_var_lib(java_t) -files_read_etc_runtime_files(java_t) -# Read global fonts and font config - -fs_getattr_xattr_fs(java_t) -fs_dontaudit_rw_tmpfs_files(java_t) - -logging_send_syslog_msg(java_t) - -miscfiles_read_localization(java_t) -# Read global fonts and font config -miscfiles_read_fonts(java_t) - -sysnet_read_config(java_t) - -userdom_dontaudit_use_user_terminals(java_t) -userdom_dontaudit_setattr_user_home_content_files(java_t) -userdom_dontaudit_exec_user_home_content_files(java_t) -userdom_manage_user_home_content_dirs(java_t) -userdom_manage_user_home_content_files(java_t) -userdom_manage_user_home_content_symlinks(java_t) -userdom_manage_user_home_content_pipes(java_t) -userdom_manage_user_home_content_sockets(java_t) -userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file }) -userdom_write_user_tmp_sockets(java_t) - -tunable_policy(`allow_java_execstack',` - allow java_t self:process execstack; - - allow java_t java_tmp_t:file execute; - - libs_legacy_use_shared_libs(java_t) - libs_legacy_use_ld_so(java_t) - - miscfiles_legacy_read_localization(java_t) -') - -optional_policy(` - nis_use_ypbind(java_t) -') - -optional_policy(` - nscd_socket_use(java_t) -') - -optional_policy(` - xserver_user_x_domain_template(java, java_t, java_tmpfs_t) -') - -######################################## -# -# Unconfined java local policy -# - -optional_policy(` - # execheap is needed for itanium/BEA jrocket - allow unconfined_java_t self:process { execstack execmem execheap }; - - init_dbus_chat_script(unconfined_java_t) - - files_execmod_all_files(unconfined_java_t) - - init_dbus_chat_script(unconfined_java_t) - - unconfined_domain_noaudit(unconfined_java_t) - unconfined_dbus_chat(unconfined_java_t) - userdom_unpriv_usertype(unconfined, unconfined_java_t) - - optional_policy(` - rpm_domtrans(unconfined_java_t) - ') -') diff --git a/policy/modules/apps/kdumpgui.fc b/policy/modules/apps/kdumpgui.fc deleted file mode 100644 index 250679c..0000000 --- a/policy/modules/apps/kdumpgui.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/share/system-config-kdump/system-config-kdump-backend\.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) diff --git a/policy/modules/apps/kdumpgui.if b/policy/modules/apps/kdumpgui.if deleted file mode 100644 index d6af9b0..0000000 --- a/policy/modules/apps/kdumpgui.if +++ /dev/null @@ -1,2 +0,0 @@ -## system-config-kdump GUI - diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te deleted file mode 100644 index 3812a46..0000000 --- a/policy/modules/apps/kdumpgui.te +++ /dev/null @@ -1,67 +0,0 @@ -policy_module(kdumpgui, 1.0.0) - -######################################## -# -# Declarations -# - -type kdumpgui_t; -type kdumpgui_exec_t; -dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) - -###################################### -# -# system-config-kdump local policy -# - -allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; -allow kdumpgui_t self:fifo_file rw_fifo_file_perms; -allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; - -kernel_read_system_state(kdumpgui_t) -kernel_read_network_state(kdumpgui_t) - -corecmd_exec_bin(kdumpgui_t) -corecmd_exec_shell(kdumpgui_t) - -dev_dontaudit_getattr_all_chr_files(kdumpgui_t) -dev_read_sysfs(kdumpgui_t) - -files_manage_boot_files(kdumpgui_t) -files_manage_boot_symlinks(kdumpgui_t) -# Needed for running chkconfig -files_manage_etc_symlinks(kdumpgui_t) -# for blkid.tab -files_manage_etc_runtime_files(kdumpgui_t) -files_etc_filetrans_etc_runtime(kdumpgui_t, file) -files_read_usr_files(kdumpgui_t) - -storage_raw_read_fixed_disk(kdumpgui_t) -storage_raw_write_fixed_disk(kdumpgui_t) - -auth_use_nsswitch(kdumpgui_t) - -consoletype_exec(kdumpgui_t) - -kdump_manage_config(kdumpgui_t) -kdump_initrc_domtrans(kdumpgui_t) - -logging_send_syslog_msg(kdumpgui_t) - -miscfiles_read_localization(kdumpgui_t) - -init_dontaudit_read_all_script_files(kdumpgui_t) - -userdom_dontaudit_search_admin_dir(kdumpgui_t) - -optional_policy(` - dev_rw_lvm_control(kdumpgui_t) -') - -optional_policy(` - gnome_dontaudit_search_config(kdumpgui_t) -') - -optional_policy(` - policykit_dbus_chat(kdumpgui_t) -') diff --git a/policy/modules/apps/livecd.fc b/policy/modules/apps/livecd.fc deleted file mode 100644 index 34937fc..0000000 --- a/policy/modules/apps/livecd.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if deleted file mode 100644 index b67cf26..0000000 --- a/policy/modules/apps/livecd.if +++ /dev/null @@ -1,124 +0,0 @@ -## Livecd tool for building alternate livecd for different os and policy versions. - -######################################## -## -## Execute a domain transition to run livecd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`livecd_domtrans',` - gen_require(` - type livecd_t, livecd_exec_t; - ') - - domtrans_pattern($1, livecd_exec_t, livecd_t) -') - -######################################## -## -## Execute livecd in the livecd domain, and -## allow the specified role the livecd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`livecd_run',` - gen_require(` - type livecd_t; - ') - - livecd_domtrans($1) - role $2 types livecd_t; - - seutil_run_setfiles_mac(livecd_t, $2) - - optional_policy(` - mount_run(livecd_t, $2) - ') -') - -######################################## -## -## Dontaudit read/write to a livecd leaks -## -## -## -## Domain allowed access. -## -## -# -interface(`livecd_dontaudit_leaks',` - gen_require(` - type livecd_t; - ') - - dontaudit $1 livecd_t:unix_dgram_socket { read write }; -') - -######################################## -## -## Read livecd temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`livecd_read_tmp_files',` - gen_require(` - type livecd_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, livecd_tmp_t, livecd_tmp_t) -') - -######################################## -## -## Read and write livecd temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`livecd_rw_tmp_files',` - gen_require(` - type livecd_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t) -') - -######################################## -## -## Allow read and write access to livecd semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`livecd_rw_semaphores',` - gen_require(` - type livecd_t; - ') - - allow $1 livecd_t:sem { unix_read unix_write associate read write }; -') diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te deleted file mode 100644 index 47a193c..0000000 --- a/policy/modules/apps/livecd.te +++ /dev/null @@ -1,35 +0,0 @@ -policy_module(livecd, 1.0.0) - -######################################## -# -# Declarations -# - -type livecd_t; -type livecd_exec_t; -application_domain(livecd_t, livecd_exec_t) -role system_r types livecd_t; - -type livecd_tmp_t; -files_tmp_file(livecd_tmp_t) - -######################################## -# -# livecd local policy -# - -dontaudit livecd_t self:capability2 mac_admin; - -domain_ptrace_all_domains(livecd_t) - -manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file }) - -optional_policy(` - unconfined_domain_noaudit(livecd_t) -') - -optional_policy(` - hal_dbus_chat(livecd_t) -') diff --git a/policy/modules/apps/loadkeys.fc b/policy/modules/apps/loadkeys.fc deleted file mode 100644 index 8549f9f..0000000 --- a/policy/modules/apps/loadkeys.fc +++ /dev/null @@ -1,3 +0,0 @@ - -/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) -/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if deleted file mode 100644 index b55edd0..0000000 --- a/policy/modules/apps/loadkeys.if +++ /dev/null @@ -1,67 +0,0 @@ -## Load keyboard mappings. - -######################################## -## -## Execute the loadkeys program in the loadkeys domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`loadkeys_domtrans',` - gen_require(` - type loadkeys_t, loadkeys_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) - - ifdef(`hide_broken_symptoms',` - dontaudit loadkeys_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute the loadkeys program in the loadkeys domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the loadkeys domain. -## -## -## -# -interface(`loadkeys_run',` - gen_require(` - type loadkeys_t; - ') - - loadkeys_domtrans($1) - role $2 types loadkeys_t; -') - -######################################## -## -## Execute the loadkeys program in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`loadkeys_exec',` - gen_require(` - type loadkeys_exec_t; - ') - - can_exec($1, loadkeys_exec_t) -') diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te deleted file mode 100644 index a076ebb..0000000 --- a/policy/modules/apps/loadkeys.te +++ /dev/null @@ -1,50 +0,0 @@ -policy_module(loadkeys, 1.7.1) - -######################################## -# -# Declarations -# - -# cjp: this should probably be rewritten -# per user domain, since it can rw -# all user domain ttys -type loadkeys_t; -type loadkeys_exec_t; -init_system_domain(loadkeys_t, loadkeys_exec_t) - -######################################## -# -# Local policy -# - -allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config }; -allow loadkeys_t self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(loadkeys_t) - -corecmd_exec_bin(loadkeys_t) -corecmd_exec_shell(loadkeys_t) - -files_read_etc_files(loadkeys_t) -files_read_etc_runtime_files(loadkeys_t) - -term_dontaudit_use_console(loadkeys_t) -term_use_unallocated_ttys(loadkeys_t) - -init_dontaudit_use_fds(loadkeys_t) -init_dontaudit_use_script_ptys(loadkeys_t) - -locallogin_use_fds(loadkeys_t) - -miscfiles_read_localization(loadkeys_t) - -userdom_use_user_ttys(loadkeys_t) -userdom_list_user_home_content(loadkeys_t) - -ifdef(`hide_broken_symptoms',` - dev_dontaudit_rw_lvm_control(loadkeys_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(loadkeys_t) -') diff --git a/policy/modules/apps/lockdev.fc b/policy/modules/apps/lockdev.fc deleted file mode 100644 index 8b5ce03..0000000 --- a/policy/modules/apps/lockdev.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0) diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if deleted file mode 100644 index 8e7d279..0000000 --- a/policy/modules/apps/lockdev.if +++ /dev/null @@ -1,33 +0,0 @@ -## device locking policy for lockdev - -######################################## -## -## Role access for lockdev -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`lockdev_role',` - gen_require(` - type lockdev_t, lockdev_exec_t; - type lockdev_lock_t; - ') - - role $1 types lockdev_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, lockdev_exec_t, lockdev_t) - allow lockdev_t $2:process signull; - - # allow ps to show lockdev - ps_process_pattern($2, lockdev_t) - allow $2 lockdev_t:process signal; -') diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te deleted file mode 100644 index 0bac996..0000000 --- a/policy/modules/apps/lockdev.te +++ /dev/null @@ -1,39 +0,0 @@ -policy_module(lockdev, 1.3.0) - -######################################## -# -# Declarations -# - -type lockdev_t; -type lockdev_exec_t; -typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t }; -typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t }; -application_domain(lockdev_t, lockdev_exec_t) -ubac_constrained(lockdev_t) - -type lockdev_lock_t; -typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t }; -typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t }; -files_lock_file(lockdev_lock_t) -ubac_constrained(lockdev_lock_t) - -######################################## -# -# Local policy -# - -# Use capabilities. -allow lockdev_t self:capability setgid; - -allow lockdev_t lockdev_lock_t:file manage_file_perms; -files_lock_filetrans(lockdev_t, lockdev_lock_t, file) - -files_read_all_locks(lockdev_t) - -fs_getattr_xattr_fs(lockdev_t) - -logging_send_syslog_msg(lockdev_t) - -userdom_use_user_terminals(lockdev_t) - diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc deleted file mode 100644 index bf872ef..0000000 --- a/policy/modules/apps/mediawiki.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/usr/lib(64)?/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) -/usr/lib(64)?/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) -/usr/lib(64)?/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) - -/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0) - -/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) - -/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) diff --git a/policy/modules/apps/mediawiki.if b/policy/modules/apps/mediawiki.if deleted file mode 100644 index 1c1d012..0000000 --- a/policy/modules/apps/mediawiki.if +++ /dev/null @@ -1,40 +0,0 @@ -## Mediawiki policy - -####################################### -## -## Allow the specified domain to read -## mediawiki tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mediawiki_read_tmp_files',` - gen_require(` - type httpd_mediawiki_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) - read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -') - -####################################### -## -## Delete mediawiki tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mediawiki_delete_tmp_files',` - gen_require(` - type httpd_mediawiki_tmp_t; - ') - - delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -') diff --git a/policy/modules/apps/mediawiki.te b/policy/modules/apps/mediawiki.te deleted file mode 100644 index b7f569d..0000000 --- a/policy/modules/apps/mediawiki.te +++ /dev/null @@ -1,35 +0,0 @@ - -policy_module(mediawiki, 1.0.0) - -######################################## -# -# Declarations -# - -apache_content_template(mediawiki) - -type httpd_mediawiki_tmp_t; -files_tmp_file(httpd_mediawiki_tmp_t) - -permissive httpd_mediawiki_script_t; - -######################################## -# -# mediawiki local policy -# - -manage_dirs_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -manage_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -manage_lnk_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -files_tmp_filetrans(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, { file dir lnk_file }) - -files_search_var_lib(httpd_mediawiki_script_t) - -userdom_read_user_tmp_files(httpd_mediawiki_script_t) - -miscfiles_read_tetex_data(httpd_mediawiki_script_t) - -optional_policy(` - apache_dontaudit_rw_tmp_files(httpd_mediawiki_script_t) -') - diff --git a/policy/modules/apps/metadata.xml b/policy/modules/apps/metadata.xml deleted file mode 100644 index a5ad4c0..0000000 --- a/policy/modules/apps/metadata.xml +++ /dev/null @@ -1 +0,0 @@ -Policy modules for applications diff --git a/policy/modules/apps/mono.fc b/policy/modules/apps/mono.fc deleted file mode 100644 index b01bc91..0000000 --- a/policy/modules/apps/mono.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0) diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if deleted file mode 100644 index 9c9e6c1..0000000 --- a/policy/modules/apps/mono.if +++ /dev/null @@ -1,142 +0,0 @@ -## Run .NET server and client applications on Linux. - -####################################### -## -## The role template for the mono module. -## -## -##

-## This template creates a derived domains which are used -## for mono applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`mono_role_template',` - gen_require(` - type mono_exec_t; - ') - - type $1_mono_t; - domain_type($1_mono_t) - domain_entry_file($1_mono_t, mono_exec_t) - role $2 types $1_mono_t; - - domain_interactive_fd($1_mono_t) - application_type($1_mono_t) - - allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; - allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; - - domtrans_pattern($3, mono_exec_t, $1_mono_t) - - fs_dontaudit_rw_tmpfs_files($1_mono_t) - corecmd_bin_domtrans($1_mono_t, $1_t) - - userdom_unpriv_usertype($1, $1_mono_t) - userdom_manage_tmpfs_role($2, $1_mono_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit $1_t $1_mono_t:socket_class_set { read write }; - ') - - optional_policy(` - xserver_role($1_r, $1_mono_t) - ') -') - -######################################## -## -## Execute the mono program in the mono domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mono_domtrans',` - gen_require(` - type mono_t, mono_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mono_exec_t, mono_t) -') - -######################################## -## -## Execute mono in the mono domain, and -## allow the specified role the mono domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`mono_run',` - gen_require(` - type mono_t; - ') - - mono_domtrans($1) - role $2 types mono_t; -') - -######################################## -## -## Execute the mono program in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`mono_exec',` - gen_require(` - type mono_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, mono_exec_t) -') - -######################################## -## -## Read and write to mono shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`mono_rw_shm',` - gen_require(` - type mono_t; - ') - - allow $1 mono_t:shm rw_shm_perms; -') diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te deleted file mode 100644 index c101631..0000000 --- a/policy/modules/apps/mono.te +++ /dev/null @@ -1,52 +0,0 @@ -policy_module(mono, 1.7.1) - -######################################## -# -# Declarations -# - -type mono_t; -type mono_exec_t; -application_type(mono_t) -init_system_domain(mono_t, mono_exec_t) - -######################################## -# -# Local policy -# - -allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; - -init_dbus_chat_script(mono_t) - -userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - avahi_dbus_chat(mono_t) -') - -optional_policy(` - cups_dbus_chat(mono_t) -') - -optional_policy(` - hal_dbus_chat(mono_t) -') - -optional_policy(` - networkmanager_dbus_chat(mono_t) -') - -optional_policy(` - rpm_dbus_chat(mono_t) -') - -optional_policy(` - unconfined_domain(mono_t) - unconfined_dbus_chat(mono_t) - unconfined_dbus_connect(mono_t) -') - -optional_policy(` - xserver_rw_shm(mono_t) -') diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc deleted file mode 100644 index aafece7..0000000 --- a/policy/modules/apps/mozilla.fc +++ /dev/null @@ -1,31 +0,0 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) - -# -# /bin -# -/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) - -# -# /lib -# -/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if deleted file mode 100644 index b0c1197..0000000 --- a/policy/modules/apps/mozilla.if +++ /dev/null @@ -1,296 +0,0 @@ -## Policy for Mozilla and related web browsers - -######################################## -## -## Role access for mozilla -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`mozilla_role',` - gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; - ') - - role $1 types mozilla_t; - - domain_auto_trans($2, mozilla_exec_t, mozilla_t) - # Unrestricted inheritance from the caller. - allow $2 mozilla_t:process { noatsecure siginh rlimitinh }; - allow mozilla_t $2:fd use; - allow mozilla_t $2:process { sigchld signull }; - allow mozilla_t $2:unix_stream_socket connectto; - - mozilla_run_plugin(mozilla_t, $2) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, mozilla_t) - allow $2 mozilla_t:process signal_perms; - - allow $2 mozilla_t:fd use; - allow $2 mozilla_t:shm { associate getattr }; - allow $2 mozilla_t:shm { unix_read unix_write }; - allow $2 mozilla_t:unix_stream_socket connectto; - - # X access, Home files - manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) - manage_files_pattern($2, mozilla_home_t, mozilla_home_t) - manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - - mozilla_dbus_chat($2) - - userdom_manage_tmp_role($1, mozilla_t) - - optional_policy(` - nsplugin_role($1, mozilla_t) - ') - - optional_policy(` - pulseaudio_role($1, mozilla_t) - ') -') - -######################################## -## -## Read mozilla home directory content -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_read_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - allow $1 mozilla_home_t:dir list_dir_perms; - allow $1 mozilla_home_t:file read_file_perms; - allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Write mozilla home directory content -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_write_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - write_files_pattern($1, mozilla_home_t, mozilla_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Dontaudit attempts to read/write mozilla home directory content -## -## -## -## Domain to not audit. -## -## -# -interface(`mozilla_dontaudit_rw_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - dontaudit $1 mozilla_home_t:file rw_inherited_file_perms; -') - -######################################## -## -## Dontaudit attempts to write mozilla home directory content -## -## -## -## Domain to not audit. -## -## -# -interface(`mozilla_dontaudit_manage_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - dontaudit $1 mozilla_home_t:dir manage_dir_perms; - dontaudit $1 mozilla_home_t:file manage_file_perms; -') - -######################################## -## -## Execute mozilla home directory content. -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_execute_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - can_exec($1, mozilla_home_t) -') - -######################################## -## -## Execmod mozilla home directory content. -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_execmod_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - allow $1 mozilla_home_t:file execmod; -') - -######################################## -## -## Run mozilla in the mozilla domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mozilla_domtrans',` - gen_require(` - type mozilla_t, mozilla_exec_t; - ') - - domtrans_pattern($1, mozilla_exec_t, mozilla_t) -') - -######################################## -## -## Execute a domain transition to run mozilla_plugin. -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_domtrans_plugin',` - gen_require(` - type mozilla_plugin_t, mozilla_plugin_exec_t; - ') - - domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) - allow mozilla_plugin_t $1:process signull; -') - - -######################################## -## -## Execute mozilla_plugin in the mozilla_plugin domain, and -## allow the specified role the mozilla_plugin domain. -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the mozilla_plugin domain. -## -## -# -interface(`mozilla_run_plugin',` - gen_require(` - type mozilla_plugin_t; - ') - - mozilla_domtrans_plugin($1) - role $2 types mozilla_plugin_t; - allow $1 mozilla_plugin_t:unix_stream_socket connectto; -') - -######################################## -## -## Execute qemu unconfined programs in the role. -## -## -## -## The role to allow the mozilla_plugin domain. -## -## -# -interface(`mozilla_role_plugin',` - gen_require(` - type mozilla_plugin_t; - ') - - role $1 types mozilla_plugin_t; -') - -######################################## -## -## Send and receive messages from -## mozilla over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_dbus_chat',` - gen_require(` - type mozilla_t; - class dbus send_msg; - ') - - allow $1 mozilla_t:dbus send_msg; - allow mozilla_t $1:dbus send_msg; -') - -######################################## -## -## read/write mozilla per user tcp_socket -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_rw_tcp_sockets',` - gen_require(` - type mozilla_t; - ') - - allow $1 mozilla_t:tcp_socket rw_socket_perms; -') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te deleted file mode 100644 index d4cb9c4..0000000 --- a/policy/modules/apps/mozilla.te +++ /dev/null @@ -1,415 +0,0 @@ -policy_module(mozilla, 2.2.2) - -######################################## -# -# Declarations -# - -## -##

-## Control mozilla content access -##

-##
-gen_tunable(mozilla_read_content, false) - -type mozilla_t; -type mozilla_exec_t; -typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; -typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; -application_domain(mozilla_t, mozilla_exec_t) -ubac_constrained(mozilla_t) - -type mozilla_conf_t; -files_config_file(mozilla_conf_t) - -type mozilla_home_t; -typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; -typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -files_poly_member(mozilla_home_t) -userdom_user_home_content(mozilla_home_t) - -type mozilla_tmpfs_t; -typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t }; -typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; -files_tmpfs_file(mozilla_tmpfs_t) -ubac_constrained(mozilla_tmpfs_t) - -type mozilla_plugin_t; -type mozilla_plugin_exec_t; -application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) -role system_r types mozilla_plugin_t; - -type mozilla_plugin_tmp_t; -files_tmp_file(mozilla_plugin_tmp_t) - -type mozilla_plugin_tmpfs_t; -files_tmpfs_file(mozilla_plugin_tmpfs_t) -ubac_constrained(mozilla_plugin_tmpfs_t) - -permissive mozilla_plugin_t; - -######################################## -# -# Local policy -# - -allow mozilla_t self:capability { sys_nice setgid setuid }; -allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; -allow mozilla_t self:fifo_file rw_fifo_file_perms; -allow mozilla_t self:shm { unix_read unix_write read write destroy create }; -allow mozilla_t self:sem create_sem_perms; -allow mozilla_t self:socket create_socket_perms; -allow mozilla_t self:unix_stream_socket { listen accept }; -# Browse the web, connect to printer -allow mozilla_t self:tcp_socket create_socket_perms; -allow mozilla_t self:netlink_route_socket r_netlink_socket_perms; - -# for bash - old mozilla binary -can_exec(mozilla_t, mozilla_exec_t) - -# X access, Home files -manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) -manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) -manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) -userdom_search_user_home_dirs(mozilla_t) -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir) - -# Mozpluggerrc -allow mozilla_t mozilla_conf_t:file read_file_perms; - -manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(mozilla_t) -kernel_read_network_state(mozilla_t) -# Access /proc, sysctl -kernel_read_system_state(mozilla_t) -kernel_read_net_sysctls(mozilla_t) - -# Look for plugins -corecmd_list_bin(mozilla_t) -# for bash - old mozilla binary -corecmd_exec_shell(mozilla_t) -corecmd_exec_bin(mozilla_t) - -# Browse the web, connect to printer -corenet_all_recvfrom_unlabeled(mozilla_t) -corenet_all_recvfrom_netlabel(mozilla_t) -corenet_tcp_sendrecv_generic_if(mozilla_t) -corenet_raw_sendrecv_generic_if(mozilla_t) -corenet_tcp_sendrecv_generic_node(mozilla_t) -corenet_raw_sendrecv_generic_node(mozilla_t) -corenet_tcp_sendrecv_http_port(mozilla_t) -corenet_tcp_sendrecv_http_cache_port(mozilla_t) -corenet_tcp_sendrecv_squid_port(mozilla_t) -corenet_tcp_connect_flash_port(mozilla_t) -corenet_tcp_sendrecv_ftp_port(mozilla_t) -corenet_tcp_sendrecv_ipp_port(mozilla_t) -corenet_tcp_connect_http_port(mozilla_t) -corenet_tcp_connect_http_cache_port(mozilla_t) -corenet_tcp_connect_squid_port(mozilla_t) -corenet_tcp_connect_ftp_port(mozilla_t) -corenet_tcp_connect_ipp_port(mozilla_t) -corenet_tcp_connect_generic_port(mozilla_t) -corenet_tcp_connect_soundd_port(mozilla_t) -corenet_sendrecv_http_client_packets(mozilla_t) -corenet_sendrecv_http_cache_client_packets(mozilla_t) -corenet_sendrecv_squid_client_packets(mozilla_t) -corenet_sendrecv_ftp_client_packets(mozilla_t) -corenet_sendrecv_ipp_client_packets(mozilla_t) -corenet_sendrecv_generic_client_packets(mozilla_t) -# Should not need other ports -corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) -corenet_dontaudit_tcp_bind_generic_port(mozilla_t) -corenet_tcp_connect_speech_port(mozilla_t) - -dev_read_urand(mozilla_t) -dev_read_rand(mozilla_t) -dev_write_sound(mozilla_t) -dev_read_sound(mozilla_t) -dev_dontaudit_rw_dri(mozilla_t) -dev_getattr_sysfs_dirs(mozilla_t) - -domain_dontaudit_read_all_domains_state(mozilla_t) - -files_read_etc_runtime_files(mozilla_t) -files_read_usr_files(mozilla_t) -files_read_etc_files(mozilla_t) -# /var/lib -files_read_var_lib_files(mozilla_t) -# interacting with gstreamer -files_read_var_files(mozilla_t) -files_read_var_symlinks(mozilla_t) -files_dontaudit_getattr_boot_dirs(mozilla_t) - -fs_search_auto_mountpoints(mozilla_t) -fs_list_inotifyfs(mozilla_t) -fs_rw_tmpfs_files(mozilla_t) - -term_dontaudit_getattr_pty_dirs(mozilla_t) - -logging_send_syslog_msg(mozilla_t) - -miscfiles_read_fonts(mozilla_t) -miscfiles_read_localization(mozilla_t) -miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) - -# Browse the web, connect to printer -sysnet_dns_name_resolve(mozilla_t) - -userdom_use_user_ptys(mozilla_t) - -xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) -xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) - -tunable_policy(`allow_execmem',` - allow mozilla_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_t) - fs_manage_nfs_files(mozilla_t) - fs_manage_nfs_symlinks(mozilla_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_t) - fs_manage_cifs_files(mozilla_t) - fs_manage_cifs_symlinks(mozilla_t) -') - -# Uploads, local html -tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints(mozilla_t) - files_list_home(mozilla_t) - fs_read_nfs_files(mozilla_t) - fs_read_nfs_symlinks(mozilla_t) - -',` - files_dontaudit_list_home(mozilla_t) - fs_dontaudit_list_auto_mountpoints(mozilla_t) - fs_dontaudit_read_nfs_files(mozilla_t) - fs_dontaudit_list_nfs(mozilla_t) -') - -tunable_policy(`mozilla_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints(mozilla_t) - files_list_home(mozilla_t) - fs_read_cifs_files(mozilla_t) - fs_read_cifs_symlinks(mozilla_t) -',` - files_dontaudit_list_home(mozilla_t) - fs_dontaudit_list_auto_mountpoints(mozilla_t) - fs_dontaudit_read_cifs_files(mozilla_t) - fs_dontaudit_list_cifs(mozilla_t) -') - -tunable_policy(`mozilla_read_content',` - userdom_list_user_tmp(mozilla_t) - userdom_read_user_tmp_files(mozilla_t) - userdom_read_user_tmp_symlinks(mozilla_t) - userdom_read_user_home_content_files(mozilla_t) - userdom_read_user_home_content_symlinks(mozilla_t) - - ifdef(`enable_mls',`',` - fs_search_removable(mozilla_t) - fs_read_removable_files(mozilla_t) - fs_read_removable_symlinks(mozilla_t) - ') -',` - files_dontaudit_list_tmp(mozilla_t) - files_dontaudit_list_home(mozilla_t) - fs_dontaudit_list_removable(mozilla_t) - fs_dontaudit_read_removable_files(mozilla_t) - userdom_dontaudit_list_user_tmp(mozilla_t) - userdom_dontaudit_read_user_tmp_files(mozilla_t) - userdom_dontaudit_list_user_home_dirs(mozilla_t) - userdom_dontaudit_read_user_home_content_files(mozilla_t) -') - -optional_policy(` - apache_read_user_scripts(mozilla_t) - apache_read_user_content(mozilla_t) -') - -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_t) -') - -optional_policy(` - cups_read_rw_config(mozilla_t) - cups_dbus_chat(mozilla_t) -') - -optional_policy(` - dbus_system_bus_client(mozilla_t) - dbus_session_bus_client(mozilla_t) - - optional_policy(` - networkmanager_dbus_chat(mozilla_t) - ') -') - -optional_policy(` - gnome_stream_connect_gconf(mozilla_t) - gnome_manage_config(mozilla_t) - gnome_manage_gconf_home_files(mozilla_t) -') - -optional_policy(` - java_domtrans(mozilla_t) -') - -optional_policy(` - lpd_domtrans_lpr(mozilla_t) -') - -optional_policy(` - mplayer_domtrans(mozilla_t) - mplayer_read_user_home_files(mozilla_t) -') - -optional_policy(` - nscd_socket_use(mozilla_t) -') - -optional_policy(` - nsplugin_manage_rw(mozilla_t) - nsplugin_manage_home_files(mozilla_t) -') - -optional_policy(` - pulseaudio_exec(mozilla_t) - pulseaudio_stream_connect(mozilla_t) - pulseaudio_manage_home_files(mozilla_t) -') - -optional_policy(` - thunderbird_domtrans(mozilla_t) -') - -######################################## -# -# mozilla_plugin local policy -# -allow mozilla_plugin_t self:process { setsched signal_perms execmem }; -allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; -allow mozilla_plugin_t self:tcp_socket create_socket_perms; -allow mozilla_plugin_t self:udp_socket create_socket_perms; - -allow mozilla_plugin_t self:sem create_sem_perms; -allow mozilla_plugin_t self:shm create_shm_perms; -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; -allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; - -can_exec(mozilla_plugin_t, mozilla_home_t) -read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) - -manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file }) -can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) - -manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) - -can_exec(mozilla_plugin_t, mozilla_exec_t) - -kernel_read_kernel_sysctls(mozilla_plugin_t) -kernel_read_system_state(mozilla_plugin_t) -kernel_request_load_module(mozilla_plugin_t) - -corecmd_exec_bin(mozilla_plugin_t) -corecmd_exec_shell(mozilla_plugin_t) - -corenet_tcp_connect_flash_port(mozilla_plugin_t) -corenet_tcp_connect_streaming_port(mozilla_plugin_t) -corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) -corenet_tcp_connect_http_port(mozilla_plugin_t) -corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -corenet_tcp_connect_squid_port(mozilla_plugin_t) -corenet_tcp_connect_ipp_port(mozilla_plugin_t) -corenet_tcp_connect_speech_port(mozilla_plugin_t) - -dev_read_urand(mozilla_plugin_t) -dev_read_video_dev(mozilla_plugin_t) -dev_write_video_dev(mozilla_plugin_t) -dev_read_sysfs(mozilla_plugin_t) -dev_read_sound(mozilla_plugin_t) -dev_write_sound(mozilla_plugin_t) -dev_dontaudit_rw_dri(mozilla_plugin_t) - -domain_use_interactive_fds(mozilla_plugin_t) -domain_dontaudit_read_all_domains_state(mozilla_plugin_t) - -files_read_config_files(mozilla_plugin_t) -files_read_usr_files(mozilla_plugin_t) - -fs_getattr_tmpfs(mozilla_plugin_t) - -miscfiles_read_localization(mozilla_plugin_t) -miscfiles_read_fonts(mozilla_plugin_t) - -sysnet_dns_name_resolve(mozilla_plugin_t) - -term_getattr_all_ttys(mozilla_plugin_t) -term_getattr_all_ptys(mozilla_plugin_t) - -userdom_rw_user_tmpfs_files(mozilla_plugin_t) -userdom_delete_user_tmpfs_files(mozilla_plugin_t) -userdom_stream_connect(mozilla_plugin_t) -userdom_dontaudit_use_user_ptys(mozilla_plugin_t) -userdom_manage_user_tmp_sockets(mozilla_plugin_t) - -userdom_list_user_tmp(mozilla_plugin_t) -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_read_user_tmp_files(mozilla_plugin_t) -userdom_read_user_tmp_symlinks(mozilla_plugin_t) -userdom_read_user_home_content_files(mozilla_plugin_t) -userdom_read_user_home_content_files(mozilla_plugin_t) -userdom_read_user_home_content_symlinks(mozilla_plugin_t) - -optional_policy(` - alsa_read_rw_config(mozilla_plugin_t) - alsa_read_home_files(mozilla_plugin_t) -') - -optional_policy(` - dbus_session_bus_client(mozilla_plugin_t) - dbus_read_lib_files(mozilla_plugin_t) -') - -optional_policy(` - gnome_manage_config(mozilla_plugin_t) - gnome_setattr_home_config(mozilla_plugin_t) -') - -optional_policy(` - nsplugin_domtrans(mozilla_plugin_t) - nsplugin_rw_exec(mozilla_plugin_t) - nsplugin_manage_home_dirs(mozilla_plugin_t) - nsplugin_manage_home_files(mozilla_plugin_t) - nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir) - nsplugin_signal(mozilla_plugin_t) -') - -optional_policy(` - pulseaudio_exec(mozilla_plugin_t) - pulseaudio_stream_connect(mozilla_plugin_t) - pulseaudio_setattr_home_dir(mozilla_plugin_t) - pulseaudio_manage_home_files(mozilla_plugin_t) -') - -optional_policy(` - xserver_read_xdm_pid(mozilla_plugin_t) - xserver_stream_connect(mozilla_plugin_t) - xserver_use_user_fonts(mozilla_plugin_t) - xserver_read_user_iceauth(mozilla_plugin_t) -') diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc deleted file mode 100644 index 5a37c50..0000000 --- a/policy/modules/apps/mplayer.fc +++ /dev/null @@ -1,14 +0,0 @@ -# -# /etc -# -/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0) - -# -# /usr -# -/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0) -/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) -/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0) -/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) - -HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if deleted file mode 100644 index 8bdc526..0000000 --- a/policy/modules/apps/mplayer.if +++ /dev/null @@ -1,140 +0,0 @@ -## Mplayer media player and encoder - -######################################## -## -## Role access for mplayer -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`mplayer_role',` - gen_require(` - type mencoder_t, mencoder_exec_t; - type mplayer_t, mplayer_exec_t; - type mplayer_home_t; - ') - - role $1 types { mencoder_t mplayer_t }; - - # domain transition - domtrans_pattern($2, mencoder_exec_t, mencoder_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, mencoder_t) - allow $2 mencoder_t:process signal_perms; - - # Home access - manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t) - manage_files_pattern($2, mplayer_home_t, mplayer_home_t) - manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) - relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t) - relabel_files_pattern($2, mplayer_home_t, mplayer_home_t) - relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) - - # domain transition - domtrans_pattern($2, mplayer_exec_t, mplayer_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, mplayer_t) - allow $2 mplayer_t:process signal_perms; -') - -######################################## -## -## Run mplayer in mplayer domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mplayer_domtrans',` - gen_require(` - type mplayer_t, mplayer_exec_t; - ') - - domtrans_pattern($1, mplayer_exec_t, mplayer_t) -') - -######################################## -## -## Execute mplayer in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -# -interface(`mplayer_exec',` - gen_require(` - type mplayer_exec_t; - ') - - can_exec($1, mplayer_exec_t) -') - -######################################## -## -## Read mplayer per user homedir -## -## -## -## Domain allowed access. -## -## -# -interface(`mplayer_read_user_home_files',` - gen_require(` - type mplayer_home_t; - ') - - read_files_pattern($1, mplayer_home_t, mplayer_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Execute mplayer_exec_t -## in the specified domain. -## -## -##

-## Execute a mplayer_exec_t -## in the specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the new process. -## -## -# -interface(`mplayer_exec_domtrans',` - gen_require(` - type mplayer_exec_t; - ') - - allow $2 mplayer_exec_t:file entrypoint; - domtrans_pattern($1, mplayer_exec_t, $2) -') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te deleted file mode 100644 index 192d54e..0000000 --- a/policy/modules/apps/mplayer.te +++ /dev/null @@ -1,319 +0,0 @@ -policy_module(mplayer, 2.1.2) - -######################################## -# -# Declarations -# - -## -##

-## Allow mplayer executable stack -##

-##
-gen_tunable(allow_mplayer_execstack, false) - -type mencoder_t; -type mencoder_exec_t; -typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t }; -typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t }; -application_domain(mencoder_t, mencoder_exec_t) -ubac_constrained(mencoder_t) - -type mplayer_t; -type mplayer_exec_t; -typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t }; -typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t }; -application_domain(mplayer_t, mplayer_exec_t) -ubac_constrained(mplayer_t) - -type mplayer_etc_t; -files_config_file(mplayer_etc_t) - -type mplayer_home_t; -typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t }; -typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t }; -files_poly_member(mplayer_home_t) -userdom_user_home_content(mplayer_home_t) - -type mplayer_tmpfs_t; -typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t }; -typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t }; -files_tmpfs_file(mplayer_tmpfs_t) -ubac_constrained(mplayer_tmpfs_t) - -######################################## -# -# mencoder local policy -# - -manage_dirs_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) -manage_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) -manage_lnk_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) - -# Read global config -allow mencoder_t mplayer_etc_t:dir list_dir_perms; -read_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t) -read_lnk_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t) - -# Read /proc files and directories -# Necessary for /proc/meminfo, /proc/cpuinfo, etc.. -kernel_read_system_state(mencoder_t) -# Sysctl on kernel version -kernel_read_kernel_sysctls(mencoder_t) - -# Required for win32 binary loader -dev_rwx_zero(mencoder_t) -# Access to DVD/CD/V4L -dev_read_video_dev(mencoder_t) - -# Read data in /usr/share (fonts, icons..) -files_read_usr_files(mencoder_t) -files_read_usr_symlinks(mencoder_t) - -fs_search_auto_mountpoints(mencoder_t) - -# Access to DVD/CD/V4L -storage_raw_read_removable_device(mencoder_t) - -miscfiles_read_localization(mencoder_t) - -userdom_use_user_terminals(mencoder_t) -# Handle removable media, /tmp, and /home -userdom_list_user_tmp(mencoder_t) -userdom_read_user_tmp_files(mencoder_t) -userdom_read_user_tmp_symlinks(mencoder_t) -userdom_read_user_home_content_files(mencoder_t) -userdom_read_user_home_content_symlinks(mencoder_t) - -# Read content to encode -ifndef(`enable_mls',` - fs_search_removable(mencoder_t) - fs_read_removable_files(mencoder_t) - fs_read_removable_symlinks(mencoder_t) -') - -tunable_policy(`allow_execmem',` - allow mencoder_t self:process execmem; -') - -tunable_policy(`allow_execmod',` - dev_execmod_zero(mencoder_t) -') - -tunable_policy(`allow_mplayer_execstack',` - allow mencoder_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mencoder_t) - fs_manage_nfs_files(mencoder_t) - fs_manage_nfs_symlinks(mencoder_t) - -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mencoder_t) - fs_manage_cifs_files(mencoder_t) - fs_manage_cifs_symlinks(mencoder_t) - -') - -# Read content to encode -tunable_policy(`use_nfs_home_dirs',` - fs_list_auto_mountpoints(mencoder_t) - files_list_home(mencoder_t) - fs_read_nfs_files(mencoder_t) - fs_read_nfs_symlinks(mencoder_t) - -',` - files_dontaudit_list_home(mencoder_t) - fs_dontaudit_list_auto_mountpoints(mencoder_t) - fs_dontaudit_read_nfs_files(mencoder_t) - fs_dontaudit_list_nfs(mencoder_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_auto_mountpoints(mencoder_t) - files_list_home(mencoder_t) - fs_read_cifs_files(mencoder_t) - fs_read_cifs_symlinks(mencoder_t) -',` - files_dontaudit_list_home(mencoder_t) - fs_dontaudit_list_auto_mountpoints(mencoder_t) - fs_dontaudit_read_cifs_files(mencoder_t) - fs_dontaudit_list_cifs(mencoder_t) -') - -######################################## -# -# mplayer local policy -# - -allow mplayer_t self:process { signal_perms getsched }; -allow mplayer_t self:fifo_file rw_fifo_file_perms; -allow mplayer_t self:sem create_sem_perms; -allow mplayer_t self:netlink_route_socket create_netlink_socket_perms; -allow mplayer_t self:tcp_socket create_socket_perms; -allow mplayer_t self:unix_dgram_socket sendto; - -manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) -manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) -manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) -userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir) -userdom_search_user_home_dirs(mplayer_t) - -manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -# Read global config -allow mplayer_t mplayer_etc_t:dir list_dir_perms; -read_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t) -read_lnk_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t) - -kernel_dontaudit_list_unlabeled(mplayer_t) -kernel_dontaudit_getattr_unlabeled_files(mplayer_t) -kernel_dontaudit_read_unlabeled_files(mplayer_t) -# Necessary for /proc/meminfo, /proc/cpuinfo, etc.. -kernel_read_system_state(mplayer_t) -# Sysctl on kernel version -kernel_read_kernel_sysctls(mplayer_t) - -corenet_all_recvfrom_netlabel(mplayer_t) -corenet_all_recvfrom_unlabeled(mplayer_t) -corenet_tcp_sendrecv_generic_if(mplayer_t) -corenet_tcp_sendrecv_generic_node(mplayer_t) -corenet_tcp_bind_generic_node(mplayer_t) -corenet_tcp_connect_pulseaudio_port(mplayer_t) -corenet_sendrecv_pulseaudio_client_packets(mplayer_t) - -# Run bash/sed (??) -corecmd_exec_bin(mplayer_t) -corecmd_exec_shell(mplayer_t) - -dev_read_rand(mplayer_t) -dev_read_urand(mplayer_t) -# Required for win32 binary loader -dev_rwx_zero(mplayer_t) -# Access to DVD/CD/V4L -dev_read_video_dev(mplayer_t) -# Audio, alsa.conf -dev_read_sound_mixer(mplayer_t) -dev_write_sound_mixer(mplayer_t) -# RTC clock -dev_read_realtime_clock(mplayer_t) - -# Access to DVD/CD/V4L -storage_raw_read_removable_device(mplayer_t) - -files_read_etc_files(mplayer_t) -files_dontaudit_list_non_security(mplayer_t) -files_dontaudit_getattr_non_security_files(mplayer_t) -files_read_non_security_files(mplayer_t) -# Unfortunately the ancient file dialog starts in / -files_list_home(mplayer_t) -# Read /etc/mtab -files_read_etc_runtime_files(mplayer_t) -# Read data in /usr/share (fonts, icons..) -files_read_usr_files(mplayer_t) -files_read_usr_symlinks(mplayer_t) - -fs_dontaudit_getattr_all_fs(mplayer_t) -fs_search_auto_mountpoints(mplayer_t) -fs_list_inotifyfs(mplayer_t) - -logging_send_syslog_msg(mplayer_t) - -miscfiles_read_localization(mplayer_t) -miscfiles_read_fonts(mplayer_t) - -userdom_use_user_terminals(mplayer_t) -# Read media files -userdom_list_user_tmp(mplayer_t) -userdom_read_user_tmp_files(mplayer_t) -userdom_read_user_tmp_symlinks(mplayer_t) -userdom_read_user_home_content_files(mplayer_t) -userdom_read_user_home_content_symlinks(mplayer_t) -userdom_write_user_tmp_sockets(mplayer_t) - -xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) - -# Read songs -ifdef(`enable_mls',`',` - fs_search_removable(mplayer_t) - fs_read_removable_files(mplayer_t) - fs_read_removable_symlinks(mplayer_t) -') - -tunable_policy(`allow_execmem',` - allow mplayer_t self:process execmem; -') - -tunable_policy(`allow_execmod',` - dev_execmod_zero(mplayer_t) -') - -tunable_policy(`allow_mplayer_execstack',` - allow mplayer_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mplayer_t) - fs_manage_nfs_files(mplayer_t) - fs_manage_nfs_symlinks(mplayer_t) -') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mplayer_t) - fs_manage_cifs_files(mplayer_t) - fs_manage_cifs_symlinks(mplayer_t) -') - -# Legacy domain issues -tunable_policy(`allow_mplayer_execstack',` - allow mplayer_t mplayer_tmpfs_t:file execute; -') - -# Read songs -tunable_policy(`use_nfs_home_dirs',` - fs_list_auto_mountpoints(mplayer_t) - files_list_home(mplayer_t) - fs_read_nfs_files(mplayer_t) - fs_read_nfs_symlinks(mplayer_t) - -',` - files_dontaudit_list_home(mplayer_t) - fs_dontaudit_list_auto_mountpoints(mplayer_t) - fs_dontaudit_read_nfs_files(mplayer_t) - fs_dontaudit_list_nfs(mplayer_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_auto_mountpoints(mplayer_t) - files_list_home(mplayer_t) - fs_read_cifs_files(mplayer_t) - fs_read_cifs_symlinks(mplayer_t) -',` - files_dontaudit_list_home(mplayer_t) - fs_dontaudit_list_auto_mountpoints(mplayer_t) - fs_dontaudit_read_cifs_files(mplayer_t) - fs_dontaudit_list_cifs(mplayer_t) -') - -optional_policy(` - alsa_read_rw_config(mplayer_t) -') - -optional_policy(` - gnome_setattr_config_dirs(mplayer_t) -') - -optional_policy(` - nscd_socket_use(mplayer_t) -') - -optional_policy(` - pulseaudio_exec(mplayer_t) - pulseaudio_stream_connect(mplayer_t) -') diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc deleted file mode 100644 index 717eb3f..0000000 --- a/policy/modules/apps/nsplugin.fc +++ /dev/null @@ -1,11 +0,0 @@ -HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) - -/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) -/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0) -/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) -/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) -/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if deleted file mode 100644 index 4dbb161..0000000 --- a/policy/modules/apps/nsplugin.if +++ /dev/null @@ -1,436 +0,0 @@ - -## policy for nsplugin - -######################################## -## -## Create, read, write, and delete -## nsplugin rw files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_manage_rw_files',` - gen_require(` - type nsplugin_rw_t; - ') - - allow $1 nsplugin_rw_t:file manage_file_perms; - allow $1 nsplugin_rw_t:dir rw_dir_perms; -') - -######################################## -## -## Manage nsplugin rw files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_manage_rw',` - gen_require(` - type nsplugin_rw_t; - ') - - manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) - manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) - manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) -') - -####################################### -## -## The per role template for the nsplugin module. -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -interface(`nsplugin_role_notrans',` - gen_require(` - type nsplugin_rw_t; - type nsplugin_home_t; - type nsplugin_exec_t; - type nsplugin_config_exec_t; - type nsplugin_t; - type nsplugin_config_t; - class x_drawable all_x_drawable_perms; - class x_resource all_x_resource_perms; - class dbus send_msg; - ') - - role $1 types nsplugin_t; - role $1 types nsplugin_config_t; - - allow nsplugin_t $2:process signull; - allow nsplugin_t $2:dbus send_msg; - allow $2 nsplugin_t:dbus send_msg; - - list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) - read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) - read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) - can_exec($2, nsplugin_rw_t) - - #Leaked File Descriptors -ifdef(`hide_broken_symptoms', ` - dontaudit nsplugin_t $2:socket_class_set { read write }; - dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms; - dontaudit nsplugin_config_t $2:socket_class_set { read write }; - dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms; -') - allow nsplugin_t $2:unix_stream_socket connectto; - dontaudit nsplugin_t $2:process ptrace; - allow nsplugin_t $2:sem rw_sem_perms; - allow nsplugin_t $2:shm rw_shm_perms; - dontaudit nsplugin_t $2:shm destroy; - allow $2 nsplugin_t:sem rw_sem_perms; - - allow $2 nsplugin_t:process { getattr ptrace signal_perms }; - allow $2 nsplugin_t:unix_stream_socket connectto; - - # Connect to pulseaudit server - stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) - gnome_stream_connect(nsplugin_t, $2) - - userdom_use_user_terminals(nsplugin_t) - userdom_use_user_terminals(nsplugin_config_t) - userdom_dontaudit_setattr_user_home_content_files(nsplugin_t) - userdom_manage_tmpfs_role($1, nsplugin_t) - - optional_policy(` - pulseaudio_role($1, nsplugin_t) - ') -') - -####################################### -## -## Role access for nsplugin -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -interface(`nsplugin_role',` - gen_require(` - type nsplugin_exec_t; - type nsplugin_config_exec_t; - type nsplugin_t; - type nsplugin_config_t; - ') - - nsplugin_role_notrans($1, $2) - - domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) - domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) - -') - -####################################### -## -## The per role template for the nsplugin module. -## -## -## -## The type of the user domain. -## -## -# -interface(`nsplugin_domtrans',` - gen_require(` - type nsplugin_exec_t; - type nsplugin_t; - ') - - domtrans_pattern($1, nsplugin_exec_t, nsplugin_t) - allow $1 nsplugin_t:unix_stream_socket connectto; - allow nsplugin_t $1:process signal; -') - -####################################### -## -## The per role template for the nsplugin module. -## -## -## -## The type of the user domain. -## -## -# -interface(`nsplugin_domtrans_config',` - gen_require(` - type nsplugin_config_exec_t; - type nsplugin_config_t; - ') - - domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t) -') - -######################################## -## -## Search nsplugin rw directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_search_rw_dir',` - gen_require(` - type nsplugin_rw_t; - ') - - allow $1 nsplugin_rw_t:dir search_dir_perms; -') - -######################################## -## -## Read nsplugin rw files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_read_rw_files',` - gen_require(` - type nsplugin_rw_t; - ') - - list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) - read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) - read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) -') - -######################################## -## -## Read nsplugin home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_read_home',` - gen_require(` - type nsplugin_home_t; - ') - - list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t) - read_files_pattern($1, nsplugin_home_t, nsplugin_home_t) - read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t) -') - -######################################## -## -## Exec nsplugin rw files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_rw_exec',` - gen_require(` - type nsplugin_rw_t; - ') - - can_exec($1, nsplugin_rw_t) -') - -######################################## -## -## Create, read, write, and delete -## nsplugin home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_manage_home_files',` - gen_require(` - type nsplugin_home_t; - ') - - manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t) -') - -######################################## -## -## manage nnsplugin home dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_manage_home_dirs',` - gen_require(` - type nsplugin_home_t; - ') - - manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t) -') - -######################################## -## -## Allow attempts to read and write to -## nsplugin named pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`nsplugin_rw_pipes',` - gen_require(` - type nsplugin_home_t; - ') - - allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Read and write to nsplugin shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_rw_shm',` - gen_require(` - type nsplugin_t; - ') - - allow $1 nsplugin_t:shm rw_shm_perms; -') - -##################################### -## -## Allow read and write access to nsplugin semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_rw_semaphores',` - gen_require(` - type nsplugin_t; - ') - - allow $1 nsplugin_t:sem rw_sem_perms; -') - -######################################## -## -## Execute nsplugin_exec_t -## in the specified domain. -## -## -##

-## Execute a nsplugin_exec_t -## in the specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the new process. -## -## -# -interface(`nsplugin_exec_domtrans',` - gen_require(` - type nsplugin_exec_t; - ') - - allow $2 nsplugin_exec_t:file entrypoint; - domtrans_pattern($1, nsplugin_exec_t, $2) -') - -######################################## -## -## Send generic signals to user nsplugin processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`nsplugin_signal',` - gen_require(` - type nsplugin_t; - ') - - allow $1 nsplugin_t:process signal; -') - -######################################## -## -## Create objects in a user home directory -## with an automatic type transition to -## the nsplugin home file type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`nsplugin_user_home_dir_filetrans',` - gen_require(` - type nsplugin_home_t; - ') - - userdom_user_home_content_filetrans($1, nsplugin_home_t, $2) -') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te deleted file mode 100644 index 1ca0e76..0000000 --- a/policy/modules/apps/nsplugin.te +++ /dev/null @@ -1,313 +0,0 @@ -policy_module(nsplugin, 1.0.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow nsplugin code to execmem/execstack -##

-##
-gen_tunable(allow_nsplugin_execmem, false) - -## -##

-## Allow nsplugin code to connect to unreserved ports -##

-##
-gen_tunable(nsplugin_can_network, true) - -type nsplugin_exec_t; -application_executable_file(nsplugin_exec_t) - -type nsplugin_config_exec_t; -application_executable_file(nsplugin_config_exec_t) - -type nsplugin_rw_t; -files_poly_member(nsplugin_rw_t) -files_type(nsplugin_rw_t) - -type nsplugin_tmp_t; -files_tmp_file(nsplugin_tmp_t) - -type nsplugin_home_t; -files_poly_member(nsplugin_home_t) -userdom_user_home_content(nsplugin_home_t) -typealias nsplugin_home_t alias user_nsplugin_home_t; - -type nsplugin_t; -domain_type(nsplugin_t) -domain_entry_file(nsplugin_t, nsplugin_exec_t) - -type nsplugin_config_t; -domain_type(nsplugin_config_t) -domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t) - -application_executable_file(nsplugin_exec_t) -application_executable_file(nsplugin_config_exec_t) - - -######################################## -# -# nsplugin local policy -# -dontaudit nsplugin_t self:capability { sys_nice sys_tty_config }; -allow nsplugin_t self:fifo_file rw_file_perms; -allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms }; - -allow nsplugin_t self:sem create_sem_perms; -allow nsplugin_t self:shm create_shm_perms; -allow nsplugin_t self:msgq create_msgq_perms; -allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms }; -allow nsplugin_t nsplugin_rw_t:dir list_dir_perms; -read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) -read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) - -tunable_policy(`allow_nsplugin_execmem',` - allow nsplugin_t self:process { execstack execmem }; - allow nsplugin_config_t self:process { execstack execmem }; -') - -tunable_policy(`nsplugin_can_network',` - corenet_tcp_connect_all_unreserved_ports(nsplugin_t) -') - -manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) -userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) -userdom_dontaudit_getattr_user_home_content(nsplugin_t) -userdom_dontaudit_search_user_bin_dirs(nsplugin_t) -userdom_dontaudit_write_user_home_content_files(nsplugin_t) -userdom_dontaudit_search_admin_dir(nsplugin_t) - -corecmd_exec_bin(nsplugin_t) -corecmd_exec_shell(nsplugin_t) - -corenet_all_recvfrom_unlabeled(nsplugin_t) -corenet_all_recvfrom_netlabel(nsplugin_t) -corenet_tcp_connect_flash_port(nsplugin_t) -corenet_tcp_connect_streaming_port(nsplugin_t) -corenet_tcp_connect_pulseaudio_port(nsplugin_t) -corenet_tcp_connect_http_port(nsplugin_t) -corenet_tcp_connect_http_cache_port(nsplugin_t) -corenet_tcp_connect_squid_port(nsplugin_t) -corenet_tcp_sendrecv_generic_if(nsplugin_t) -corenet_tcp_sendrecv_generic_node(nsplugin_t) -corenet_tcp_connect_ipp_port(nsplugin_t) -corenet_tcp_connect_speech_port(nsplugin_t) - -domain_dontaudit_read_all_domains_state(nsplugin_t) - -dev_read_rand(nsplugin_t) -dev_read_sound(nsplugin_t) -dev_write_sound(nsplugin_t) -dev_read_video_dev(nsplugin_t) -dev_write_video_dev(nsplugin_t) -dev_getattr_dri_dev(nsplugin_t) -dev_rwx_zero(nsplugin_t) -dev_search_sysfs(nsplugin_t) - -kernel_read_kernel_sysctls(nsplugin_t) -kernel_read_system_state(nsplugin_t) - -files_dontaudit_getattr_lost_found_dirs(nsplugin_t) -files_dontaudit_list_home(nsplugin_t) -files_read_etc_files(nsplugin_t) -files_read_usr_files(nsplugin_t) -files_read_config_files(nsplugin_t) - -fs_getattr_tmpfs(nsplugin_t) -fs_getattr_xattr_fs(nsplugin_t) -fs_search_auto_mountpoints(nsplugin_t) -fs_rw_anon_inodefs_files(nsplugin_t) -fs_list_inotifyfs(nsplugin_t) -fs_dontaudit_list_fusefs(nsplugin_t) - -storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) -storage_dontaudit_getattr_removable_dev(nsplugin_t) - -term_dontaudit_getattr_all_ptys(nsplugin_t) -term_dontaudit_getattr_all_ttys(nsplugin_t) - -auth_use_nsswitch(nsplugin_t) - -libs_exec_ld_so(nsplugin_t) - -miscfiles_read_localization(nsplugin_t) -miscfiles_read_fonts(nsplugin_t) -miscfiles_dontaudit_write_fonts(nsplugin_t) -miscfiles_setattr_fonts_cache_dirs(nsplugin_t) - -userdom_manage_user_tmp_dirs(nsplugin_t) -userdom_manage_user_tmp_files(nsplugin_t) -userdom_manage_user_tmp_sockets(nsplugin_t) -userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file }) -userdom_rw_semaphores(nsplugin_t) -userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t) - -userdom_read_user_home_content_symlinks(nsplugin_t) -userdom_read_user_home_content_files(nsplugin_t) -userdom_read_user_tmp_files(nsplugin_t) -userdom_write_user_tmp_sockets(nsplugin_t) -userdom_dontaudit_append_user_home_content_files(nsplugin_t) - -optional_policy(` - alsa_read_rw_config(nsplugin_t) - alsa_read_home_files(nsplugin_t) -') - -optional_policy(` - cups_stream_connect(nsplugin_t) -') - -optional_policy(` - dbus_session_bus_client(nsplugin_t) - dbus_connect_session_bus(nsplugin_t) - dbus_system_bus_client(nsplugin_t) -') - -optional_policy(` - gnome_exec_gconf(nsplugin_t) - gnome_manage_config(nsplugin_t) - gnome_read_gconf_home_files(nsplugin_t) -') - -optional_policy(` - mozilla_execute_user_home_files(nsplugin_t) - mozilla_read_user_home_files(nsplugin_t) - mozilla_write_user_home_files(nsplugin_t) -') - -optional_policy(` - mplayer_exec(nsplugin_t) - mplayer_read_user_home_files(nsplugin_t) -') - -optional_policy(` - unconfined_execmem_signull(nsplugin_t) -') - -optional_policy(` - sandbox_read_tmpfs_files(nsplugin_t) -') - -optional_policy(` - gen_require(` - type user_tmpfs_t; - ') - xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t) - xserver_rw_shm(nsplugin_t) - xserver_read_xdm_pid(nsplugin_t) - xserver_read_xdm_tmp_files(nsplugin_t) - xserver_read_user_xauth(nsplugin_t) - xserver_read_user_iceauth(nsplugin_t) - xserver_use_user_fonts(nsplugin_t) - xserver_rw_inherited_user_fonts(nsplugin_t) -') - -######################################## -# -# nsplugin_config local policy -# - -allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; -allow nsplugin_config_t self:process { setsched signal_perms getsched execmem }; -#execing pulseaudio -dontaudit nsplugin_t self:process { getcap setcap }; - -allow nsplugin_config_t self:fifo_file rw_file_perms; -allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; - -dev_dontaudit_read_rand(nsplugin_config_t) -dev_dontaudit_rw_dri(nsplugin_config_t) - -fs_search_auto_mountpoints(nsplugin_config_t) -fs_list_inotifyfs(nsplugin_config_t) - -can_exec(nsplugin_config_t, nsplugin_rw_t) -manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) - -manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) - -corecmd_exec_bin(nsplugin_config_t) -corecmd_exec_shell(nsplugin_config_t) - -kernel_read_system_state(nsplugin_config_t) -kernel_request_load_module(nsplugin_config_t) - -files_read_etc_files(nsplugin_config_t) -files_read_usr_files(nsplugin_config_t) -files_dontaudit_search_home(nsplugin_config_t) -files_list_tmp(nsplugin_config_t) - -auth_use_nsswitch(nsplugin_config_t) - -miscfiles_read_localization(nsplugin_config_t) -miscfiles_read_fonts(nsplugin_config_t) - -userdom_search_user_home_content(nsplugin_config_t) -userdom_read_user_home_content_symlinks(nsplugin_config_t) -userdom_read_user_home_content_files(nsplugin_config_t) -userdom_dontaudit_search_admin_dir(nsplugin_config_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(nsplugin_t) - fs_manage_nfs_dirs(nsplugin_t) - fs_manage_nfs_files(nsplugin_t) - fs_read_nfs_symlinks(nsplugin_t) - fs_manage_nfs_named_pipes(nsplugin_t) - fs_manage_nfs_dirs(nsplugin_config_t) - fs_manage_nfs_files(nsplugin_config_t) - fs_manage_nfs_named_pipes(nsplugin_config_t) - fs_read_nfs_symlinks(nsplugin_config_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_getattr_cifs(nsplugin_t) - fs_manage_cifs_dirs(nsplugin_t) - fs_manage_cifs_files(nsplugin_t) - fs_read_cifs_symlinks(nsplugin_t) - fs_manage_cifs_named_pipes(nsplugin_t) - fs_manage_cifs_dirs(nsplugin_config_t) - fs_manage_cifs_files(nsplugin_config_t) - fs_manage_cifs_named_pipes(nsplugin_config_t) - fs_read_cifs_symlinks(nsplugin_config_t) -') - -domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) - -optional_policy(` - xserver_use_user_fonts(nsplugin_config_t) -') - -optional_policy(` - mozilla_read_user_home_files(nsplugin_config_t) - mozilla_write_user_home_files(nsplugin_config_t) -') - -application_signull(nsplugin_t) - -optional_policy(` - pulseaudio_exec(nsplugin_t) - pulseaudio_stream_connect(nsplugin_t) - pulseaudio_manage_home_files(nsplugin_t) - pulseaudio_setattr_home_dir(nsplugin_t) -') - -optional_policy(` - unconfined_execmem_exec(nsplugin_t) -') - - diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc deleted file mode 100644 index 0c53a12..0000000 --- a/policy/modules/apps/openoffice.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) -/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) -/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) - diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if deleted file mode 100644 index 6863365..0000000 --- a/policy/modules/apps/openoffice.if +++ /dev/null @@ -1,129 +0,0 @@ -## Openoffice - -####################################### -## -## The per role template for the openoffice module. -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -interface(`openoffice_plugin_role',` - gen_require(` - type openoffice_exec_t; - type openoffice_t; - ') - - ######################################## - # - # Local policy - # - - domtrans_pattern($1, openoffice_exec_t, openoffice_t) - allow $1 openoffice_t:process { signal sigkill }; -') - -####################################### -## -## role for openoffice -## -## -##

-## This template creates a derived domains which are used -## for java applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -interface(`openoffice_role_template',` - gen_require(` - type openoffice_exec_t; - ') - - role $2 types $1_openoffice_t; - - type $1_openoffice_t; - domain_type($1_openoffice_t) - domain_entry_file($1_openoffice_t, openoffice_exec_t) - domain_interactive_fd($1_openoffice_t) - - userdom_unpriv_usertype($1, $1_openoffice_t) - userdom_exec_user_home_content_files($1_openoffice_t) - - allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; - - allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; - allow $1_openoffice_t $3:tcp_socket { read write }; - - domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) - - dev_read_urand($1_openoffice_t) - dev_read_rand($1_openoffice_t) - - fs_dontaudit_rw_tmpfs_files($1_openoffice_t) - - allow $3 $1_openoffice_t:process { signal sigkill }; - allow $1_openoffice_t $3:unix_stream_socket connectto; - - optional_policy(` - xserver_role($2, $1_openoffice_t) - ') -') - -######################################## -## -## Execute openoffice_exec_t -## in the specified domain. -## -## -##

-## Execute a openoffice_exec_t -## in the specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the new process. -## -## -# -interface(`openoffice_exec_domtrans',` - gen_require(` - type openoffice_exec_t; - ') - - allow $2 openoffice_exec_t:file entrypoint; - domtrans_pattern($1, openoffice_exec_t, $2) -') diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te deleted file mode 100644 index a842371..0000000 --- a/policy/modules/apps/openoffice.te +++ /dev/null @@ -1,16 +0,0 @@ -policy_module(openoffice, 1.0.0) - -######################################## -# -# Declarations -# - -type openoffice_t; -type openoffice_exec_t; -application_domain(openoffice_t, openoffice_exec_t) - -######################################## -# -# Unconfined java local policy -# - diff --git a/policy/modules/apps/podsleuth.fc b/policy/modules/apps/podsleuth.fc deleted file mode 100644 index 6fbc01c..0000000 --- a/policy/modules/apps/podsleuth.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) -/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) -/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) diff --git a/policy/modules/apps/podsleuth.if b/policy/modules/apps/podsleuth.if deleted file mode 100644 index d6d80a0..0000000 --- a/policy/modules/apps/podsleuth.if +++ /dev/null @@ -1,45 +0,0 @@ -## Podsleuth is a tool to get information about an Apple (TM) iPod (TM) - -######################################## -## -## Execute a domain transition to run podsleuth. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`podsleuth_domtrans',` - gen_require(` - type podsleuth_t, podsleuth_exec_t; - ') - - domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) - allow $1 podsleuth_t:process signal; -') - -######################################## -## -## Execute podsleuth in the podsleuth domain, and -## allow the specified role the podsleuth domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`podsleuth_run',` - gen_require(` - type podsleuth_t; - ') - - podsleuth_domtrans($1) - role $2 types podsleuth_t; -') diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te deleted file mode 100644 index 815d35d..0000000 --- a/policy/modules/apps/podsleuth.te +++ /dev/null @@ -1,89 +0,0 @@ -policy_module(podsleuth, 1.3.1) - -######################################## -# -# Declarations -# - -type podsleuth_t; -type podsleuth_exec_t; -application_domain(podsleuth_t, podsleuth_exec_t) -role system_r types podsleuth_t; - -type podsleuth_cache_t; -files_type(podsleuth_cache_t) -ubac_constrained(podsleuth_cache_t) - -type podsleuth_tmp_t; -files_tmp_file(podsleuth_tmp_t) -ubac_constrained(podsleuth_tmp_t) - -type podsleuth_tmpfs_t; -files_tmpfs_file(podsleuth_tmpfs_t) -ubac_constrained(podsleuth_tmpfs_t) - -######################################## -# -# podsleuth local policy -# -allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; -allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; -allow podsleuth_t self:fifo_file rw_file_perms; -allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; -allow podsleuth_t self:sem create_sem_perms; -allow podsleuth_t self:tcp_socket create_stream_socket_perms; -allow podsleuth_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) - -allow podsleuth_t podsleuth_tmp_t:dir mounton; -manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) - -manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) -manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) -manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) -fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) - -kernel_read_system_state(podsleuth_t) -kernel_request_load_module(podsleuth_t) - -corecmd_exec_bin(podsleuth_t) - -corenet_tcp_connect_http_port(podsleuth_t) - -dev_read_urand(podsleuth_t) - -files_read_etc_files(podsleuth_t) - -fs_mount_dos_fs(podsleuth_t) -fs_unmount_dos_fs(podsleuth_t) -fs_getattr_dos_fs(podsleuth_t) -fs_read_dos_files(podsleuth_t) -fs_search_dos(podsleuth_t) -fs_getattr_tmpfs(podsleuth_t) -fs_list_tmpfs(podsleuth_t) -fs_rw_removable_blk_files(podsleuth_t) - -miscfiles_read_localization(podsleuth_t) - -sysnet_dns_name_resolve(podsleuth_t) - -userdom_signal_unpriv_users(podsleuth_t) -userdom_signull_unpriv_users(podsleuth_t) -userdom_read_user_tmpfs_files(podsleuth_t) - -optional_policy(` - dbus_system_bus_client(podsleuth_t) - - optional_policy(` - hal_dbus_chat(podsleuth_t) - ') -') - -optional_policy(` - mono_exec(podsleuth_t) -') diff --git a/policy/modules/apps/ptchown.fc b/policy/modules/apps/ptchown.fc deleted file mode 100644 index 9fc398e..0000000 --- a/policy/modules/apps/ptchown.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) diff --git a/policy/modules/apps/ptchown.if b/policy/modules/apps/ptchown.if deleted file mode 100644 index 96cc023..0000000 --- a/policy/modules/apps/ptchown.if +++ /dev/null @@ -1,44 +0,0 @@ -## helper function for grantpt(3), changes ownship and permissions of pseudotty - -######################################## -## -## Execute a domain transition to run ptchown. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ptchown_domtrans',` - gen_require(` - type ptchown_t, ptchown_exec_t; - ') - - domtrans_pattern($1, ptchown_exec_t, ptchown_t) -') - -######################################## -## -## Execute ptchown in the ptchown domain, and -## allow the specified role the ptchown domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`ptchown_run',` - gen_require(` - type ptchown_t; - ') - - ptchown_domtrans($1) - role $2 types ptchown_t; -') diff --git a/policy/modules/apps/ptchown.te b/policy/modules/apps/ptchown.te deleted file mode 100644 index d90245a..0000000 --- a/policy/modules/apps/ptchown.te +++ /dev/null @@ -1,31 +0,0 @@ -policy_module(ptchown, 1.1.0) - -######################################## -# -# Declarations -# - -type ptchown_t; -type ptchown_exec_t; -application_domain(ptchown_t, ptchown_exec_t) -role system_r types ptchown_t; - -######################################## -# -# ptchown local policy -# - -allow ptchown_t self:capability { chown fowner fsetid setuid }; -allow ptchown_t self:process { getcap setcap }; - -files_read_etc_files(ptchown_t) - -fs_rw_anon_inodefs_files(ptchown_t) - -term_setattr_generic_ptys(ptchown_t) -term_getattr_all_ptys(ptchown_t) -term_setattr_all_ptys(ptchown_t) -term_use_generic_ptys(ptchown_t) -term_use_ptmx(ptchown_t) - -miscfiles_read_localization(ptchown_t) diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc deleted file mode 100644 index 84f23dc..0000000 --- a/policy/modules/apps/pulseaudio.fc +++ /dev/null @@ -1,7 +0,0 @@ -HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) -HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) - -/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) - -/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) -/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if deleted file mode 100644 index 9f12b51..0000000 --- a/policy/modules/apps/pulseaudio.if +++ /dev/null @@ -1,264 +0,0 @@ -## Pulseaudio network sound server. - -######################################## -## -## Role access for pulseaudio -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`pulseaudio_role',` - gen_require(` - type pulseaudio_t, pulseaudio_exec_t; - class dbus { acquire_svc send_msg }; - ') - - role $1 types pulseaudio_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) - - ps_process_pattern($2, pulseaudio_t) - - allow pulseaudio_t $2:process { signal signull }; - allow $2 pulseaudio_t:process { signal signull sigkill }; - ps_process_pattern(pulseaudio_t, $2) - - allow pulseaudio_t $2:unix_stream_socket connectto; - allow $2 pulseaudio_t:unix_stream_socket connectto; - - userdom_manage_home_role($1, pulseaudio_t) - userdom_manage_tmp_role($1, pulseaudio_t) - userdom_manage_tmpfs_role($1, pulseaudio_t) - - allow $2 pulseaudio_t:dbus send_msg; - allow pulseaudio_t $2:dbus { acquire_svc send_msg }; -') - -######################################## -## -## Execute a domain transition to run pulseaudio. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pulseaudio_domtrans',` - gen_require(` - type pulseaudio_t, pulseaudio_exec_t; - ') - - domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) -') - -######################################## -## -## Execute pulseaudio in the pulseaudio domain, and -## allow the specified role the pulseaudio domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`pulseaudio_run',` - gen_require(` - type pulseaudio_t; - ') - - pulseaudio_domtrans($1) - role $2 types pulseaudio_t; -') - -######################################## -## -## Execute a pulseaudio in the current domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_exec',` - gen_require(` - type pulseaudio_exec_t; - ') - - can_exec($1, pulseaudio_exec_t) -') - -######################################## -## -## Do not audit to execute a pulseaudio. -## -## -## -## Domain to not audit. -## -## -# -interface(`pulseaudio_dontaudit_exec',` - gen_require(` - type pulseaudio_exec_t; - ') - - dontaudit $1 pulseaudio_exec_t:file exec_file_perms; -') - -######################################## -## -## Send signull signal to pulseaudio -## processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_signull',` - gen_require(` - type pulseaudio_t; - ') - - allow $1 pulseaudio_t:process signull; -') - -##################################### -## -## Connect to pulseaudio over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_stream_connect',` - gen_require(` - type pulseaudio_t, pulseaudio_var_run_t; - ') - - files_search_pids($1) - allow $1 pulseaudio_t:process signull; - allow pulseaudio_t $1:process signull; - stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) -') - -######################################## -## -## Send and receive messages from -## pulseaudio over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_dbus_chat',` - gen_require(` - type pulseaudio_t; - class dbus send_msg; - ') - - allow $1 pulseaudio_t:dbus send_msg; - allow pulseaudio_t $1:dbus send_msg; -') - -######################################## -## -## Set the attributes of the pulseaudio homedir. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_setattr_home_dir',` - gen_require(` - type pulseaudio_home_t; - ') - - allow $1 pulseaudio_home_t:dir setattr; -') - -######################################## -## -## Read pulseaudio homedir files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_read_home_files',` - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) - read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) -') - -######################################## -## -## Read and write Pulse Audio files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_rw_home_files',` - gen_require(` - type pulseaudio_home_t; - ') - - rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Create, read, write, and delete pulseaudio -## home directory files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_manage_home_files',` - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) - manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) -') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te deleted file mode 100644 index db96581..0000000 --- a/policy/modules/apps/pulseaudio.te +++ /dev/null @@ -1,158 +0,0 @@ -policy_module(pulseaudio, 1.2.3) - -######################################## -# -# Declarations -# - -type pulseaudio_t; -type pulseaudio_exec_t; -init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) -application_domain(pulseaudio_t, pulseaudio_exec_t) -ubac_constrained(pulseaudio_t) -role system_r types pulseaudio_t; - -type pulseaudio_home_t; -userdom_user_home_content(pulseaudio_home_t) - -type pulseaudio_tmpfs_t; -files_tmpfs_file(pulseaudio_tmpfs_t) -ubac_constrained(pulseaudio_tmpfs_t) - -type pulseaudio_var_lib_t; -files_type(pulseaudio_var_lib_t) -ubac_constrained(pulseaudio_var_lib_t) - -type pulseaudio_var_run_t; -files_pid_file(pulseaudio_var_run_t) -ubac_constrained(pulseaudio_var_run_t) - -######################################## -# -# pulseaudio local policy -# - -allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; -allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; -allow pulseaudio_t self:fifo_file rw_file_perms; -allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; -allow pulseaudio_t self:tcp_socket create_stream_socket_perms; -allow pulseaudio_t self:udp_socket create_socket_perms; -allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) -manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) -userdom_search_user_home_dirs(pulseaudio_t) -userdom_search_admin_dir(pulseaudio_t) - -manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) - -manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir }) - -can_exec(pulseaudio_t, pulseaudio_exec_t) - -kernel_getattr_proc(pulseaudio_t) -kernel_read_system_state(pulseaudio_t) -kernel_read_kernel_sysctls(pulseaudio_t) - -corecmd_exec_bin(pulseaudio_t) - -corenet_all_recvfrom_unlabeled(pulseaudio_t) -corenet_all_recvfrom_netlabel(pulseaudio_t) -corenet_tcp_bind_pulseaudio_port(pulseaudio_t) -corenet_tcp_bind_soundd_port(pulseaudio_t) -corenet_tcp_sendrecv_generic_if(pulseaudio_t) -corenet_tcp_sendrecv_generic_node(pulseaudio_t) -corenet_udp_bind_sap_port(pulseaudio_t) -corenet_udp_sendrecv_generic_if(pulseaudio_t) -corenet_udp_sendrecv_generic_node(pulseaudio_t) - -dev_read_sound(pulseaudio_t) -dev_write_sound(pulseaudio_t) -dev_read_sysfs(pulseaudio_t) -dev_read_urand(pulseaudio_t) - -files_read_etc_files(pulseaudio_t) -files_read_usr_files(pulseaudio_t) - -fs_rw_anon_inodefs_files(pulseaudio_t) -fs_getattr_tmpfs(pulseaudio_t) -fs_list_inotifyfs(pulseaudio_t) - -term_use_all_ttys(pulseaudio_t) -term_use_all_ptys(pulseaudio_t) - -auth_use_nsswitch(pulseaudio_t) - -logging_send_syslog_msg(pulseaudio_t) - -miscfiles_read_localization(pulseaudio_t) - -optional_policy(` - alsa_read_rw_config(pulseaudio_t) -') - -optional_policy(` - bluetooth_stream_connect(pulseaudio_t) -') - -optional_policy(` - dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) - dbus_system_bus_client(pulseaudio_t) - dbus_session_bus_client(pulseaudio_t) - dbus_connect_session_bus(pulseaudio_t) - - optional_policy(` - consolekit_dbus_chat(pulseaudio_t) - ') - - optional_policy(` - hal_dbus_chat(pulseaudio_t) - ') - - optional_policy(` - policykit_dbus_chat(pulseaudio_t) - ') - - optional_policy(` - rpm_dbus_chat(pulseaudio_t) - ') -') - -optional_policy(` - rtkit_scheduled(pulseaudio_t) -') - -optional_policy(` - mpd_read_tmpfs_files(pulseaudio_t) -') - -optional_policy(` - policykit_domtrans_auth(pulseaudio_t) - policykit_read_lib(pulseaudio_t) - policykit_read_reload(pulseaudio_t) -') - -optional_policy(` - udev_read_state(pulseaudio_t) - udev_read_db(pulseaudio_t) -') - -optional_policy(` - xserver_stream_connect(pulseaudio_t) - xserver_manage_xdm_tmp_files(pulseaudio_t) - xserver_read_xdm_lib_files(pulseaudio_t) - xserver_read_xdm_pid(pulseaudio_t) - xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) -') - -optional_policy(` - sandbox_manage_tmpfs_files(pulseaudio_t) -') diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc deleted file mode 100644 index 64d877e..0000000 --- a/policy/modules/apps/qemu.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if deleted file mode 100644 index f4e1572..0000000 --- a/policy/modules/apps/qemu.if +++ /dev/null @@ -1,410 +0,0 @@ -## QEMU machine emulator and virtualizer - -######################################## -## -## Creates types and rules for a basic -## qemu process domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`qemu_domain_template',` - - ############################## - # - # Local Policy - # - - type $1_t; - domain_type($1_t) - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - - ############################## - # - # Local Policy - # - - allow $1_t self:capability { dac_read_search dac_override }; - allow $1_t self:process { execstack execmem signal getsched }; - allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:shm create_shm_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:tun_socket create; - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - - kernel_read_system_state($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_vnc_port($1_t) - corenet_rw_tun_tap_dev($1_t) - -# dev_rw_kvm($1_t) - - domain_use_interactive_fds($1_t) - - files_read_etc_files($1_t) - files_read_usr_files($1_t) - files_read_var_files($1_t) - files_search_all($1_t) - - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) - fs_rw_tmpfs_files($1_t) - - storage_raw_write_removable_device($1_t) - storage_raw_read_removable_device($1_t) - - term_use_ptmx($1_t) - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) - - miscfiles_read_localization($1_t) - - sysnet_read_config($1_t) - - userdom_use_user_terminals($1_t) - userdom_attach_admin_tun_iface($1_t) - - optional_policy(` - samba_domtrans_smbd($1_t) - ') - - optional_policy(` - virt_manage_images($1_t) - virt_read_config($1_t) - virt_read_lib_files($1_t) - virt_attach_tun_iface($1_t) - ') - - optional_policy(` - xserver_stream_connect($1_t) - xserver_read_xdm_tmp_files($1_t) - xserver_read_xdm_pid($1_t) -# xserver_xdm_rw_shm($1_t) - ') -') - -####################################### -## -## The per role template for the qemu module. -## -## -##

-## This template creates a derived domains which are used -## for qemu web browser. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`qemu_role',` - gen_require(` - type qemu_t, qemu_exec_t; - type qemu_config_t, qemu_config_exec_t; - ') - - role $1 types { qemu_t qemu_config_t }; - - domtrans_pattern($2, qemu_exec_t, qemu_t) - domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) - allow qemu_t $2:process signull; -') - -######################################## -## -## Execute a domain transition to run qemu. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qemu_domtrans',` - gen_require(` - type qemu_t, qemu_exec_t; - ') - - domtrans_pattern($1, qemu_exec_t, qemu_t) -') - -######################################## -## -## Execute a qemu in the callers domain -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_exec',` - gen_require(` - type qemu_exec_t; - ') - - can_exec($1, qemu_exec_t) -') - -######################################## -## -## Execute qemu in the qemu domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the qemu domain. -## -## -# -interface(`qemu_run',` - gen_require(` - type qemu_t; - ') - - qemu_domtrans($1) - role $2 types qemu_t; - - optional_policy(` - samba_run_smb(qemu_t, $2, $3) - ') -') - -######################################## -## -## Allow the domain to read state files in /proc. -## -## -## -## Domain to allow access. -## -## -# -interface(`qemu_read_state',` - gen_require(` - type qemu_t; - ') - - read_files_pattern($1, qemu_t, qemu_t) -') - -######################################## -## -## Set the schedule on qemu. -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_setsched',` - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process setsched; -') - -######################################## -## -## Send a signal to qemu. -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_signal',` - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process signal; -') - -######################################## -## -## Send a sigill to qemu -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_kill',` - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process sigkill; -') - -######################################## -## -## Execute a domain transition to run qemu unconfined. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qemu_domtrans_unconfined',` - gen_require(` - type unconfined_qemu_t, qemu_exec_t; - ') - - domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) -') - -######################################## -## -## Execute qemu_exec_t -## in the specified domain but do not -## do it automatically. This is an explicit -## transition, requiring the caller to use setexeccon(). -## -## -##

-## Execute qemu_exec_t -## in the specified domain. This allows -## the specified domain to qemu programs -## on these filesystems in the specified -## domain. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the new process. -## -## -# -interface(`qemu_spec_domtrans',` - gen_require(` - type qemu_exec_t; - ') - - read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) - domain_transition_pattern($1, qemu_exec_t, $2) - domain_entry_file($2,qemu_exec_t) - can_exec($1,qemu_exec_t) - - allow $2 $1:fd use; - allow $2 $1:fifo_file rw_fifo_file_perms; - allow $2 $1:process sigchld; -') - -######################################## -## -## Execute qemu unconfined programs in the role. -## -## -## -## The role to allow the qemu unconfined domain. -## -## -# -interface(`qemu_unconfined_role',` - gen_require(` - type unconfined_qemu_t; - type qemu_t; - ') - role $1 types unconfined_qemu_t; - role $1 types qemu_t; -') - -######################################## -## -## Manage qemu temporary dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_manage_tmp_dirs',` - gen_require(` - type qemu_tmp_t; - ') - - manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) -') - -######################################## -## -## Manage qemu temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_manage_tmp_files',` - gen_require(` - type qemu_tmp_t; - ') - - manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) -') - -######################################## -## -## Make qemu_exec_t an entrypoint for -## the specified domain. -## -## -## -## The domain for which qemu_exec_t is an entrypoint. -## -## -# -interface(`qemu_entry_type',` - gen_require(` - type qemu_exec_t; - ') - - domain_entry_file($1, qemu_exec_t) -') - - diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te deleted file mode 100644 index 7551020..0000000 --- a/policy/modules/apps/qemu.te +++ /dev/null @@ -1,124 +0,0 @@ -policy_module(qemu, 1.4.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow qemu to connect fully to the network -##

-##
-gen_tunable(qemu_full_network, false) - -## -##

-## Allow qemu to use cifs/Samba file systems -##

-##
-gen_tunable(qemu_use_cifs, true) - -## -##

-## Allow qemu to user serial/parallel communication ports -##

-##
-gen_tunable(qemu_use_comm, false) - -## -##

-## Allow qemu to use nfs file systems -##

-##
-gen_tunable(qemu_use_nfs, true) - -## -##

-## Allow qemu to use usb devices -##

-##
-gen_tunable(qemu_use_usb, true) - -type qemu_exec_t; -virt_domain_template(qemu) -application_domain(qemu_t, qemu_exec_t) -role system_r types qemu_t; - -######################################## -# -# qemu local policy -# - -storage_raw_write_removable_device(qemu_t) -storage_raw_read_removable_device(qemu_t) - -userdom_search_user_home_content(qemu_t) -userdom_read_user_tmpfs_files(qemu_t) - -tunable_policy(`qemu_full_network',` - allow qemu_t self:udp_socket create_socket_perms; - - corenet_udp_sendrecv_all_if(qemu_t) - corenet_udp_sendrecv_all_nodes(qemu_t) - corenet_udp_sendrecv_all_ports(qemu_t) - corenet_udp_bind_all_nodes(qemu_t) - corenet_udp_bind_all_ports(qemu_t) - corenet_tcp_bind_all_ports(qemu_t) - corenet_tcp_connect_all_ports(qemu_t) -') - -tunable_policy(`qemu_use_cifs',` - fs_manage_cifs_dirs(qemu_t) - fs_manage_cifs_files(qemu_t) -') - -tunable_policy(`qemu_use_comm',` - term_use_unallocated_ttys(qemu_t) - dev_rw_printer(qemu_t) -') - -tunable_policy(`qemu_use_nfs',` - fs_manage_nfs_dirs(qemu_t) - fs_manage_nfs_files(qemu_t) -') - -tunable_policy(`qemu_use_usb',` - dev_rw_usbfs(qemu_t) - fs_manage_dos_dirs(qemu_t) - fs_manage_dos_files(qemu_t) -') - -optional_policy(` - samba_domtrans_smbd(qemu_t) -') - -optional_policy(` - virt_manage_images(qemu_t) - virt_append_log(qemu_t) -') - -optional_policy(` - xen_rw_image_files(qemu_t) -') - -optional_policy(` - xen_rw_image_files(qemu_t) -') - -######################################## -# -# Unconfined qemu local policy -# - -optional_policy(` - type unconfined_qemu_t; - typealias unconfined_qemu_t alias qemu_unconfined_t; - application_type(unconfined_qemu_t) - unconfined_domain(unconfined_qemu_t) - userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t) - userdom_unpriv_usertype(unconfined, unconfined_qemu_t) - - allow unconfined_qemu_t self:process { execstack execmem }; - allow unconfined_qemu_t qemu_exec_t:file execmod; -') diff --git a/policy/modules/apps/rssh.fc b/policy/modules/apps/rssh.fc deleted file mode 100644 index 4c091ca..0000000 --- a/policy/modules/apps/rssh.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0) diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if deleted file mode 100644 index 7cdac1e..0000000 --- a/policy/modules/apps/rssh.if +++ /dev/null @@ -1,66 +0,0 @@ -## Restricted (scp/sftp) only shell - -######################################## -## -## Role access for rssh -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`rssh_role',` - gen_require(` - type rssh_t; - ') - - role $1 types rssh_t; - - # allow ps to show irc - ps_process_pattern($2, rssh_t) - allow $2 rssh_t:process signal; -') - -######################################## -## -## Transition to all user rssh domains. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rssh_spec_domtrans',` - gen_require(` - type rssh_t, rssh_exec_t; - ') - - spec_domtrans_pattern($1, rssh_exec_t, rssh_t) -') - -######################################## -## -## Read all users rssh read-only content. -## -## -## -## Domain allowed access. -## -## -# -interface(`rssh_read_ro_content',` - gen_require(` - type rssh_ro_t; - ') - - allow $1 rssh_ro_t:dir list_dir_perms; - read_files_pattern($1, rssh_ro_t, rssh_ro_t) - read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t) -') diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te deleted file mode 100644 index c605046..0000000 --- a/policy/modules/apps/rssh.te +++ /dev/null @@ -1,80 +0,0 @@ -policy_module(rssh, 2.0.0) - -######################################## -# -# Declarations -# - -type rssh_t; -type rssh_exec_t; -typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t }; -typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t }; -application_domain(rssh_t, rssh_exec_t) -domain_user_exemption_target(rssh_t) -domain_interactive_fd(rssh_t) -ubac_constrained(rssh_t) -role system_r types rssh_t; - -type rssh_devpts_t; -typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t }; -typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t }; -term_user_pty(rssh_t, rssh_devpts_t) -ubac_constrained(rssh_devpts_t) - -type rssh_ro_t; -typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t }; -typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t }; -userdom_user_home_content(rssh_ro_t) - -type rssh_rw_t; -typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t }; -typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t }; -userdom_user_home_content(rssh_rw_t) - -############################## -# -# Local policy -# - -allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow rssh_t self:fd use; -allow rssh_t self:fifo_file rw_fifo_file_perms; -allow rssh_t self:unix_dgram_socket create_socket_perms; -allow rssh_t self:unix_stream_socket create_stream_socket_perms; -allow rssh_t self:unix_dgram_socket sendto; -allow rssh_t self:unix_stream_socket connectto; -allow rssh_t self:shm create_shm_perms; -allow rssh_t self:sem create_sem_perms; -allow rssh_t self:msgq create_msgq_perms; -allow rssh_t self:msg { send receive }; - -allow rssh_t rssh_devpts_t:chr_file { rw_file_perms setattr }; -term_create_pty(rssh_t, rssh_devpts_t) - -allow rssh_t rssh_ro_t:dir list_dir_perms; -read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t) - -manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t) -manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) - -kernel_read_system_state(rssh_t) -kernel_read_kernel_sysctls(rssh_t) - -files_read_etc_files(rssh_t) -files_read_etc_runtime_files(rssh_t) -files_list_home(rssh_t) -files_read_usr_files(rssh_t) -files_list_var(rssh_t) - -fs_search_auto_mountpoints(rssh_t) - -logging_send_syslog_msg(rssh_t) - -miscfiles_read_localization(rssh_t) - -ssh_rw_tcp_sockets(rssh_t) -ssh_rw_stream_sockets(rssh_t) - -optional_policy(` - nis_use_ypbind(rssh_t) -') diff --git a/policy/modules/apps/sambagui.fc b/policy/modules/apps/sambagui.fc deleted file mode 100644 index c13d607..0000000 --- a/policy/modules/apps/sambagui.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) diff --git a/policy/modules/apps/sambagui.if b/policy/modules/apps/sambagui.if deleted file mode 100644 index b31ed10..0000000 --- a/policy/modules/apps/sambagui.if +++ /dev/null @@ -1,2 +0,0 @@ -## system-config-samba dbus service policy - diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te deleted file mode 100644 index 26bb71c..0000000 --- a/policy/modules/apps/sambagui.te +++ /dev/null @@ -1,63 +0,0 @@ -policy_module(sambagui, 1.0.0) - -######################################## -# -# Declarations -# - -type sambagui_t; -type sambagui_exec_t; -dbus_system_domain(sambagui_t, sambagui_exec_t) - -######################################## -# -# system-config-samba local policy -# - -allow sambagui_t self:capability dac_override; -allow sambagui_t self:fifo_file rw_fifo_file_perms; -allow sambagui_t self:unix_dgram_socket create_socket_perms; - -# read meminfo -kernel_read_system_state(sambagui_t) - -# execut apps of system-config-samba -corecmd_exec_shell(sambagui_t) -corecmd_exec_bin(sambagui_t) - -dev_dontaudit_read_urand(sambagui_t) - -files_read_etc_files(sambagui_t) -files_search_var_lib(sambagui_t) -files_read_usr_files(sambagui_t) - -auth_use_nsswitch(sambagui_t) - -logging_send_syslog_msg(sambagui_t) - -miscfiles_read_localization(sambagui_t) - -nscd_dontaudit_search_pid(sambagui_t) - -userdom_dontaudit_search_admin_dir(sambagui_t) - -# handling with samba conf files -samba_append_log(sambagui_t) -samba_manage_config(sambagui_t) -samba_manage_var_files(sambagui_t) -samba_read_secrets(sambagui_t) -samba_initrc_domtrans(sambagui_t) -samba_domtrans_smbd(sambagui_t) -samba_domtrans_nmbd(sambagui_t) - -optional_policy(` - consoletype_exec(sambagui_t) -') - -optional_policy(` - gnome_dontaudit_search_config(sambagui_t) -') - -optional_policy(` - policykit_dbus_chat(sambagui_t) -') diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc deleted file mode 100644 index 15778fd..0000000 --- a/policy/modules/apps/sandbox.fc +++ /dev/null @@ -1 +0,0 @@ -# No types are sandbox_exec_t diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if deleted file mode 100644 index 587c440..0000000 --- a/policy/modules/apps/sandbox.if +++ /dev/null @@ -1,339 +0,0 @@ - -## policy for sandbox - -######################################## -## -## Execute sandbox in the sandbox domain, and -## allow the specified role the sandbox domain. -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the sandbox domain. -## -## -# -interface(`sandbox_transition',` - gen_require(` - type sandbox_xserver_t; - attribute sandbox_domain; - attribute sandbox_x_domain; - attribute sandbox_file_type; - attribute sandbox_tmpfs_type; - ') - - allow $1 sandbox_domain:process transition; - dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; - role $2 types sandbox_domain; - allow sandbox_domain $1:process { sigchld signull }; - allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; - - allow $1 sandbox_x_domain:process { signal_perms transition }; - dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; - allow sandbox_x_domain $1:process { sigchld signull }; - dontaudit sandbox_domain $1:process signal; - role $2 types sandbox_x_domain; - role $2 types sandbox_xserver_t; - allow $1 sandbox_xserver_t:process signal_perms; - dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms; - dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; - dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; - allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms }; - allow sandbox_x_domain sandbox_x_domain:process signal; - # Dontaudit leaked file descriptors - dontaudit sandbox_x_domain $1:fifo_file { read write }; - dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; - dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; - dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; - dontaudit sandbox_x_domain $1:process signal; - - allow $1 sandbox_tmpfs_type:file manage_file_perms; - dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; - - can_exec($1, sandbox_file_type) - manage_files_pattern($1, sandbox_file_type, sandbox_file_type); - manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); - manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type); - manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type); - manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type); - relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type) - relabel_files_pattern($1, sandbox_file_type, sandbox_file_type) - relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type) - relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type) - relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) -') - -######################################## -## -## Creates types and rules for a basic -## qemu process domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`sandbox_domain_template',` - - gen_require(` - attribute sandbox_domain; - attribute sandbox_file_type; - attribute sandbox_x_type; - ') - - type $1_t, sandbox_domain, sandbox_x_type; - application_type($1_t) - - mls_rangetrans_target($1_t) - mcs_untrusted_proc($1_t) - - type $1_file_t, sandbox_file_type; - files_type($1_file_t) - - can_exec($1_t, $1_file_t) - manage_dirs_pattern($1_t, $1_file_t, $1_file_t) - manage_files_pattern($1_t, $1_file_t, $1_file_t) - manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) - manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) - manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) -') - -######################################## -## -## Creates types and rules for a basic -## qemu process domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`sandbox_x_domain_template',` - gen_require(` - type xserver_exec_t, sandbox_devpts_t; - type sandbox_xserver_t; - attribute sandbox_domain, sandbox_x_domain; - attribute sandbox_file_type, sandbox_tmpfs_type; - ') - - type $1_t, sandbox_x_domain; - application_type($1_t) - mcs_untrusted_proc($1_t) - - type $1_file_t, sandbox_file_type; - files_type($1_file_t) - - can_exec($1_t, $1_file_t) - manage_dirs_pattern($1_t, $1_file_t, $1_file_t) - manage_files_pattern($1_t, $1_file_t, $1_file_t) - manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) - manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) - manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) - - type $1_devpts_t; - term_pty($1_devpts_t) - term_create_pty($1_t, $1_devpts_t) - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; - - # window manager - miscfiles_setattr_fonts_cache_dirs($1_t) - allow $1_t self:capability setuid; - - type $1_client_t, sandbox_x_domain; - application_type($1_client_t) - mcs_untrusted_proc($1_t) - - type $1_client_tmpfs_t, sandbox_tmpfs_type; - files_tmpfs_file($1_client_tmpfs_t) - - term_search_ptys($1_t) - allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr }; - term_create_pty($1_client_t,sandbox_devpts_t) - - manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) - fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) - # Pulseaudio tmpfs files with different MCS labels - dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; - allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; - - domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) - allow $1_t sandbox_xserver_t:process signal_perms; - - domtrans_pattern($1_t, $1_file_t, $1_client_t) - domain_entry_file($1_client_t, $1_file_t) - - # Random tmpfs_t that gets created when you run X. - fs_rw_tmpfs_files($1_t) - - manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) - manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) - manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) - allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms; - ps_process_pattern(sandbox_xserver_t, $1_client_t) - ps_process_pattern(sandbox_xserver_t, $1_t) - allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; - allow sandbox_xserver_t $1_t:shm rw_shm_perms; - allow $1_client_t $1_t:unix_stream_socket connectto; - allow $1_t $1_client_t:unix_stream_socket connectto; - - can_exec($1_client_t, $1_file_t) - manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) - manage_files_pattern($1_client_t, $1_file_t, $1_file_t) - manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) - manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) - manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) -') - -######################################## -## -## allow domain to read, -## write sandbox_xserver tmp files -## -## -## -## Domain allowed access -## -## -# -interface(`sandbox_rw_xserver_tmpfs_files',` - gen_require(` - type sandbox_xserver_tmpfs_t; - ') - - allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; -') - -######################################## -## -## allow domain to read -## sandbox tmpfs files -## -## -## -## Domain allowed access -## -## -# -interface(`sandbox_read_tmpfs_files',` - gen_require(` - attribute sandbox_tmpfs_type; - ') - - allow $1 sandbox_tmpfs_type:file read_file_perms; -') - -######################################## -## -## allow domain to manage -## sandbox tmpfs files -## -## -## -## Domain allowed access -## -## -# -interface(`sandbox_manage_tmpfs_files',` - gen_require(` - attribute sandbox_tmpfs_type; - ') - - allow $1 sandbox_tmpfs_type:file manage_file_perms; -') - -######################################## -## -## Delete sandbox files -## -## -## -## Domain allowed access -## -## -# -interface(`sandbox_delete_files',` - gen_require(` - attribute sandbox_file_type; - ') - - delete_files_pattern($1, sandbox_file_type, sandbox_file_type) -') - -######################################## -## -## Delete sandbox sock files -## -## -## -## Domain allowed access -## -## -# -interface(`sandbox_delete_sock_files',` - gen_require(` - attribute sandbox_file_type; - ') - - delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) -') - -######################################## -## -## Allow domain to set the attributes -## of the sandbox directory. -## -## -## -## Domain allowed access -## -## -# -interface(`sandbox_setattr_dirs',` - gen_require(` - attribute sandbox_file_type; - ') - - allow $1 sandbox_file_type:dir setattr; -') - -######################################## -## -## allow domain to delete sandbox files -## -## -## -## Domain allowed access -## -## -# -interface(`sandbox_delete_dirs',` - gen_require(` - attribute sandbox_file_type; - ') - - delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) -') - -######################################## -## -## allow domain to list sandbox dirs -## -## -## -## Domain allowed access -## -## -# -interface(`sandbox_list',` - gen_require(` - attribute sandbox_file_type; - ') - - allow $1 sandbox_file_type:dir list_dir_perms; -') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te deleted file mode 100644 index 89fcce3..0000000 --- a/policy/modules/apps/sandbox.te +++ /dev/null @@ -1,408 +0,0 @@ -policy_module(sandbox,1.0.0) -dbus_stub() -attribute sandbox_domain; -attribute sandbox_x_domain; -attribute sandbox_file_type; -attribute sandbox_web_type; -attribute sandbox_tmpfs_type; -attribute sandbox_x_type; - -######################################## -# -# Declarations -# - -sandbox_domain_template(sandbox) -sandbox_x_domain_template(sandbox_min) -sandbox_x_domain_template(sandbox_x) -sandbox_x_domain_template(sandbox_web) -sandbox_x_domain_template(sandbox_net) - -type sandbox_xserver_t; -domain_type(sandbox_xserver_t) -xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t) - -type sandbox_xserver_tmpfs_t; -files_tmpfs_file(sandbox_xserver_tmpfs_t) - -type sandbox_devpts_t; -term_pty(sandbox_devpts_t) -files_type(sandbox_devpts_t) - -######################################## -# -# sandbox xserver policy -# -allow sandbox_xserver_t self:process { execmem execstack }; -allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; -allow sandbox_xserver_t self:shm create_shm_perms; -allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) -manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) -manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) -manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) -manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) -fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_dontaudit_request_load_module(sandbox_xserver_t) - -corecmd_exec_bin(sandbox_xserver_t) -corecmd_exec_shell(sandbox_xserver_t) - -corenet_all_recvfrom_unlabeled(sandbox_xserver_t) -corenet_all_recvfrom_netlabel(sandbox_xserver_t) -corenet_tcp_sendrecv_all_if(sandbox_xserver_t) -corenet_udp_sendrecv_all_if(sandbox_xserver_t) -corenet_tcp_sendrecv_all_nodes(sandbox_xserver_t) -corenet_udp_sendrecv_all_nodes(sandbox_xserver_t) -corenet_tcp_sendrecv_all_ports(sandbox_xserver_t) -corenet_udp_sendrecv_all_ports(sandbox_xserver_t) -corenet_tcp_bind_all_nodes(sandbox_xserver_t) -corenet_tcp_bind_xserver_port(sandbox_xserver_t) -corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) -corenet_sendrecv_all_client_packets(sandbox_xserver_t) - -dev_rwx_zero(sandbox_xserver_t) - -files_read_config_files(sandbox_xserver_t) -files_read_usr_files(sandbox_xserver_t) -files_search_home(sandbox_xserver_t) -fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) -fs_list_inotifyfs(sandbox_xserver_t) - -miscfiles_read_fonts(sandbox_xserver_t) -miscfiles_read_localization(sandbox_xserver_t) - -kernel_read_system_state(sandbox_xserver_t) - -selinux_validate_context(sandbox_xserver_t) -selinux_compute_access_vector(sandbox_xserver_t) -selinux_compute_create_context(sandbox_xserver_t) - -auth_use_nsswitch(sandbox_xserver_t) - -logging_send_syslog_msg(sandbox_xserver_t) -logging_send_audit_msgs(sandbox_xserver_t) - -userdom_use_user_terminals(sandbox_xserver_t) -userdom_dontaudit_search_user_home_content(sandbox_xserver_t) - -xserver_entry_type(sandbox_xserver_t) - -optional_policy(` - dbus_system_bus_client(sandbox_xserver_t) - - optional_policy(` - hal_dbus_chat(sandbox_xserver_t) - ') -') - -######################################## -# -# sandbox local policy -# - -## internal communication is often done using fifo and unix sockets. -allow sandbox_domain self:fifo_file manage_file_perms; -allow sandbox_domain self:sem create_sem_perms; -allow sandbox_domain self:shm create_shm_perms; -allow sandbox_domain self:msgq create_msgq_perms; -allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; -allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; -dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; - -dev_rw_all_inherited_chr_files(sandbox_domain) -dev_rw_all_inherited_blk_files(sandbox_domain) - -gen_require(` - type usr_t, lib_t, locale_t; - type var_t, var_run_t, rpm_log_t, locale_t; - attribute exec_type, configfile; -') - -files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t ) -files_entrypoint_all_files(sandbox_domain) - -files_read_config_files(sandbox_domain) -files_read_usr_files(sandbox_domain) -files_read_var_files(sandbox_domain) -files_dontaudit_search_all_dirs(sandbox_domain) - -miscfiles_read_localization(sandbox_domain) - -kernel_dontaudit_read_system_state(sandbox_domain) -corecmd_exec_all_executables(sandbox_domain) - -userdom_dontaudit_use_user_terminals(sandbox_domain) - -mta_dontaudit_read_spool_symlinks(sandbox_domain) - -######################################## -# -# sandbox_x_domain local policy -# -allow sandbox_x_domain self:fifo_file manage_file_perms; -allow sandbox_x_domain self:sem create_sem_perms; -allow sandbox_x_domain self:shm create_shm_perms; -allow sandbox_x_domain self:msgq create_msgq_perms; -allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; -allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; - -allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; - -allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; -dontaudit sandbox_x_domain self:process signal; - -allow sandbox_x_domain self:shm create_shm_perms; -allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; -allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; -allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; -dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; - -domain_dontaudit_read_all_domains_state(sandbox_x_domain) - -files_search_home(sandbox_x_domain) -files_dontaudit_list_tmp(sandbox_x_domain) - -kernel_getattr_proc(sandbox_x_domain) -kernel_read_network_state(sandbox_x_domain) -kernel_read_system_state(sandbox_x_domain) - -corecmd_exec_all_executables(sandbox_x_domain) - -dev_read_urand(sandbox_x_domain) -dev_dontaudit_read_rand(sandbox_x_domain) -dev_read_sysfs(sandbox_x_domain) - -files_entrypoint_all_files(sandbox_x_domain) -files_read_config_files(sandbox_x_domain) -files_read_usr_files(sandbox_x_domain) -files_read_usr_symlinks(sandbox_x_domain) - -fs_getattr_tmpfs(sandbox_x_domain) -fs_getattr_xattr_fs(sandbox_x_domain) -fs_list_inotifyfs(sandbox_x_domain) - -auth_dontaudit_read_login_records(sandbox_x_domain) -auth_dontaudit_write_login_records(sandbox_x_domain) -auth_use_nsswitch(sandbox_x_domain) -auth_search_pam_console_data(sandbox_x_domain) - -init_read_utmp(sandbox_x_domain) -init_dontaudit_write_utmp(sandbox_x_domain) - -miscfiles_read_localization(sandbox_x_domain) -miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain) - -term_getattr_pty_fs(sandbox_x_domain) -term_use_ptmx(sandbox_x_domain) - -logging_send_syslog_msg(sandbox_x_domain) -logging_dontaudit_search_logs(sandbox_x_domain) - -miscfiles_read_fonts(sandbox_x_domain) - -storage_dontaudit_rw_fuse(sandbox_x_domain) - -optional_policy(` - cups_stream_connect(sandbox_x_domain) - cups_read_rw_config(sandbox_x_domain) -') - -optional_policy(` - dbus_system_bus_client(sandbox_x_domain) -') - -optional_policy(` - gnome_read_gconf_config(sandbox_x_domain) -') - -optional_policy(` - nscd_dontaudit_search_pid(sandbox_x_domain) -') - -optional_policy(` - sssd_dontaudit_search_lib(sandbox_x_domain) -') - -optional_policy(` - udev_read_db(sandbox_x_domain) -') - -userdom_dontaudit_use_user_terminals(sandbox_x_domain) -userdom_read_user_home_content_symlinks(sandbox_x_domain) -userdom_search_user_home_content(sandbox_x_domain) - -files_search_home(sandbox_x_t) -userdom_use_user_ptys(sandbox_x_t) - -######################################## -# -# sandbox_x_client_t local policy -# -allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms; -allow sandbox_x_client_t self:udp_socket create_socket_perms; -allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; -allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms; - -dev_read_rand(sandbox_x_client_t) - -corenet_tcp_connect_ipp_port(sandbox_x_client_t) - -auth_use_nsswitch(sandbox_x_client_t) - -selinux_get_fs_mount(sandbox_x_client_t) -selinux_validate_context(sandbox_x_client_t) -selinux_compute_access_vector(sandbox_x_client_t) -selinux_compute_create_context(sandbox_x_client_t) -selinux_compute_relabel_context(sandbox_x_client_t) -selinux_compute_user_contexts(sandbox_x_client_t) -seutil_read_default_contexts(sandbox_x_client_t) - -optional_policy(` - hal_dbus_chat(sandbox_x_client_t) -') - - -allow sandbox_web_t self:process setsched; - -optional_policy(` - nsplugin_read_rw_files(sandbox_web_t) -') - -######################################## -# -# sandbox_web_client_t local policy -# -typeattribute sandbox_web_client_t sandbox_web_type; - -allow sandbox_web_type self:capability { setuid setgid }; -allow sandbox_web_type self:netlink_audit_socket nlmsg_relay; -allow sandbox_web_type self:process setsched; -dontaudit sandbox_web_type self:process setrlimit; - -allow sandbox_web_type self:tcp_socket create_stream_socket_perms; -allow sandbox_web_type self:udp_socket create_socket_perms; -allow sandbox_web_type self:dbus { acquire_svc send_msg }; -allow sandbox_web_type self:netlink_selinux_socket create_socket_perms; - -kernel_dontaudit_search_kernel_sysctl(sandbox_web_type) -kernel_request_load_module(sandbox_web_type) - -dev_read_rand(sandbox_web_type) -dev_write_sound(sandbox_web_type) -dev_read_sound(sandbox_web_type) - -corenet_all_recvfrom_unlabeled(sandbox_web_type) -corenet_all_recvfrom_netlabel(sandbox_web_type) -corenet_tcp_sendrecv_all_if(sandbox_web_type) -corenet_raw_sendrecv_all_if(sandbox_web_type) -corenet_tcp_sendrecv_all_nodes(sandbox_web_type) -corenet_raw_sendrecv_all_nodes(sandbox_web_type) -corenet_tcp_sendrecv_http_port(sandbox_web_type) -corenet_tcp_sendrecv_http_cache_port(sandbox_web_type) -corenet_tcp_sendrecv_squid_port(sandbox_web_type) -corenet_tcp_sendrecv_ftp_port(sandbox_web_type) -corenet_tcp_sendrecv_ipp_port(sandbox_web_type) -corenet_tcp_connect_http_port(sandbox_web_type) -corenet_tcp_connect_http_cache_port(sandbox_web_type) -corenet_tcp_connect_squid_port(sandbox_web_type) -corenet_tcp_connect_flash_port(sandbox_web_type) -corenet_tcp_connect_ftp_port(sandbox_web_type) -corenet_tcp_connect_ipp_port(sandbox_web_type) -corenet_tcp_connect_streaming_port(sandbox_web_type) -corenet_tcp_connect_pulseaudio_port(sandbox_web_type) -corenet_tcp_connect_speech_port(sandbox_web_type) -corenet_tcp_connect_generic_port(sandbox_web_type) -corenet_tcp_connect_soundd_port(sandbox_web_type) -corenet_tcp_connect_speech_port(sandbox_web_type) -corenet_sendrecv_http_client_packets(sandbox_web_type) -corenet_sendrecv_http_cache_client_packets(sandbox_web_type) -corenet_sendrecv_squid_client_packets(sandbox_web_type) -corenet_sendrecv_ftp_client_packets(sandbox_web_type) -corenet_sendrecv_ipp_client_packets(sandbox_web_type) -corenet_sendrecv_generic_client_packets(sandbox_web_type) - -corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) -corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) - -files_dontaudit_getattr_all_dirs(sandbox_web_type) -files_dontaudit_list_mnt(sandbox_web_type) - -fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) -fs_dontaudit_getattr_all_fs(sandbox_web_type) - -storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type) - -auth_use_nsswitch(sandbox_web_type) - -dbus_system_bus_client(sandbox_web_type) -dbus_read_config(sandbox_web_type) -selinux_get_fs_mount(sandbox_web_type) -selinux_validate_context(sandbox_web_type) -selinux_compute_access_vector(sandbox_web_type) -selinux_compute_create_context(sandbox_web_type) -selinux_compute_relabel_context(sandbox_web_type) -selinux_compute_user_contexts(sandbox_web_type) -seutil_read_default_contexts(sandbox_web_type) - -userdom_rw_user_tmpfs_files(sandbox_web_type) -userdom_delete_user_tmpfs_files(sandbox_web_type) - -optional_policy(` - bluetooth_dontaudit_dbus_chat(sandbox_web_type) -') - -optional_policy(` - consolekit_dbus_chat(sandbox_web_type) -') - -optional_policy(` - hal_dbus_chat(sandbox_web_type) -') - -optional_policy(` - nsplugin_read_rw_files(sandbox_web_type) - nsplugin_rw_exec(sandbox_web_type) -') - -optional_policy(` - pulseaudio_stream_connect(sandbox_web_type) - allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms; -') - -optional_policy(` - rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type) -') - -optional_policy(` - networkmanager_dontaudit_dbus_chat(sandbox_web_type) -') - -optional_policy(` - udev_read_state(sandbox_web_type) -') - -######################################## -# -# sandbox_net_client_t local policy -# -typeattribute sandbox_net_client_t sandbox_web_type; - -corenet_all_recvfrom_unlabeled(sandbox_net_client_t) -corenet_all_recvfrom_netlabel(sandbox_net_client_t) -corenet_tcp_sendrecv_all_if(sandbox_net_client_t) -corenet_udp_sendrecv_all_if(sandbox_net_client_t) -corenet_tcp_sendrecv_all_nodes(sandbox_net_client_t) -corenet_udp_sendrecv_all_nodes(sandbox_net_client_t) -corenet_tcp_sendrecv_all_ports(sandbox_net_client_t) -corenet_udp_sendrecv_all_ports(sandbox_net_client_t) -corenet_tcp_connect_all_ports(sandbox_net_client_t) -corenet_sendrecv_all_client_packets(sandbox_net_client_t) - -optional_policy(` - mozilla_dontaudit_rw_user_home_files(sandbox_x_t) - mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) - mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) -') diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc deleted file mode 100644 index 1f2cde4..0000000 --- a/policy/modules/apps/screen.fc +++ /dev/null @@ -1,14 +0,0 @@ -# -# /home -# -HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) - -# -# /usr -# -/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) - -# -# /var -# -/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if deleted file mode 100644 index 320df26..0000000 --- a/policy/modules/apps/screen.if +++ /dev/null @@ -1,157 +0,0 @@ -## GNU terminal multiplexer - -####################################### -## -## The role template for the screen module. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`screen_role_template',` - gen_require(` - type screen_exec_t, screen_tmp_t; - type screen_home_t, screen_var_run_t; - ') - - ######################################## - # - # Declarations - # - - type $1_screen_t; - application_domain($1_screen_t, screen_exec_t) - domain_interactive_fd($1_screen_t) - ubac_constrained($1_screen_t) - role $2 types $1_screen_t; - - ######################################## - # - # Local policy - # - - allow $1_screen_t self:capability { setuid setgid fsetid }; - allow $1_screen_t self:process signal_perms; - allow $1_screen_t self:fifo_file rw_fifo_file_perms; - allow $1_screen_t self:tcp_socket create_stream_socket_perms; - allow $1_screen_t self:udp_socket create_socket_perms; - # Internal screen networking - allow $1_screen_t self:fd use; - allow $1_screen_t self:unix_stream_socket create_socket_perms; - allow $1_screen_t self:unix_dgram_socket create_socket_perms; - - manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) - manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) - manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) - files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir }) - - # Create fifo - manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) - manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) - files_pid_filetrans($1_screen_t, screen_var_run_t, dir) - - allow $1_screen_t screen_home_t:dir list_dir_perms; - read_files_pattern($1_screen_t, screen_home_t, screen_home_t) - read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) - - allow $1_screen_t $3:process signal; - - domtrans_pattern($3, screen_exec_t, $1_screen_t) - allow $3 $1_screen_t:process { signal sigchld }; - allow $1_screen_t $3:process signal; - - manage_dirs_pattern($3, screen_home_t, screen_home_t) - manage_files_pattern($3, screen_home_t, screen_home_t) - manage_lnk_files_pattern($3, screen_home_t, screen_home_t) - relabel_dirs_pattern($3, screen_home_t, screen_home_t) - relabel_files_pattern($3, screen_home_t, screen_home_t) - relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) - - manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) - manage_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) - - kernel_read_system_state($1_screen_t) - kernel_read_kernel_sysctls($1_screen_t) - - corecmd_list_bin($1_screen_t) - corecmd_read_bin_files($1_screen_t) - corecmd_read_bin_symlinks($1_screen_t) - corecmd_read_bin_pipes($1_screen_t) - corecmd_read_bin_sockets($1_screen_t) - # Revert to the user domain when a shell is executed. - corecmd_shell_domtrans($1_screen_t, $3) - corecmd_bin_domtrans($1_screen_t, $3) - - corenet_all_recvfrom_unlabeled($1_screen_t) - corenet_all_recvfrom_netlabel($1_screen_t) - corenet_tcp_sendrecv_generic_if($1_screen_t) - corenet_udp_sendrecv_generic_if($1_screen_t) - corenet_tcp_sendrecv_generic_node($1_screen_t) - corenet_udp_sendrecv_generic_node($1_screen_t) - corenet_tcp_sendrecv_all_ports($1_screen_t) - corenet_udp_sendrecv_all_ports($1_screen_t) - corenet_tcp_connect_all_ports($1_screen_t) - - dev_dontaudit_getattr_all_chr_files($1_screen_t) - dev_dontaudit_getattr_all_blk_files($1_screen_t) - # for SSP - dev_read_urand($1_screen_t) - - domain_use_interactive_fds($1_screen_t) - - files_search_tmp($1_screen_t) - files_search_home($1_screen_t) - files_list_home($1_screen_t) - files_read_usr_files($1_screen_t) - files_read_etc_files($1_screen_t) - - fs_search_auto_mountpoints($1_screen_t) - fs_getattr_xattr_fs($1_screen_t) - - auth_domtrans_chk_passwd($1_screen_t) - auth_use_nsswitch($1_screen_t) - auth_dontaudit_read_shadow($1_screen_t) - auth_dontaudit_exec_utempter($1_screen_t) - - # Write to utmp. - init_rw_utmp($1_screen_t) - - logging_send_syslog_msg($1_screen_t) - - miscfiles_read_localization($1_screen_t) - - seutil_read_config($1_screen_t) - - userdom_use_user_terminals($1_screen_t) - userdom_create_user_pty($1_screen_t) - userdom_user_home_domtrans($1_screen_t, $3) - userdom_setattr_user_ptys($1_screen_t) - userdom_setattr_user_ttys($1_screen_t) - - tunable_policy(`use_samba_home_dirs',` - fs_cifs_domtrans($1_screen_t, $3) - fs_read_cifs_symlinks($1_screen_t) - fs_list_cifs($1_screen_t) - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_nfs_domtrans($1_screen_t, $3) - fs_list_nfs($1_screen_t) - fs_read_nfs_symlinks($1_screen_t) - ') -') diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te deleted file mode 100644 index 8c65cc6..0000000 --- a/policy/modules/apps/screen.te +++ /dev/null @@ -1,26 +0,0 @@ -policy_module(screen, 2.3.0) - -######################################## -# -# Declarations -# - -type screen_exec_t; -application_executable_file(screen_exec_t) - -type screen_home_t; -typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t }; -typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t }; -userdom_user_home_content(screen_home_t) - -type screen_tmp_t; -typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; -typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; -files_tmp_file(screen_tmp_t) -ubac_constrained(screen_tmp_t) - -type screen_var_run_t; -typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; -typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; -files_pid_file(screen_var_run_t) -ubac_constrained(screen_var_run_t) diff --git a/policy/modules/apps/seunshare.fc b/policy/modules/apps/seunshare.fc deleted file mode 100644 index 30a4b9f..0000000 --- a/policy/modules/apps/seunshare.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/seunshare -- gen_context(system_u:object_r:seunshare_exec_t,s0) diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if deleted file mode 100644 index 7455c19..0000000 --- a/policy/modules/apps/seunshare.if +++ /dev/null @@ -1,99 +0,0 @@ -## Filesystem namespacing/polyinstantiation application. - -######################################## -## -## Execute a domain transition to run seunshare. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`seunshare_domtrans',` - gen_require(` - type seunshare_t, seunshare_exec_t; - ') - - domtrans_pattern($1, seunshare_exec_t, seunshare_t) -') - -######################################## -## -## Execute seunshare in the seunshare domain, and -## allow the specified role the seunshare domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`seunshare_run',` - gen_require(` - type seunshare_t; - ') - - seunshare_domtrans($1) - role $2 types seunshare_t; - - allow $1 seunshare_t:process signal_perms; - - ifdef(`hide_broken_symptoms', ` - dontaudit seunshare_t $1:tcp_socket rw_socket_perms; - dontaudit seunshare_t $1:udp_socket rw_socket_perms; - dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; - ') -') - -######################################## -## -## The role template for the seunshare module. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# -interface(`seunshare_role_template',` - gen_require(` - attribute seunshare_domain; - type seunshare_exec_t; - ') - - type $1_seunshare_t, seunshare_domain; - application_domain($1_seunshare_t, seunshare_exec_t) - role $2 types $1_seunshare_t; - - mls_process_set_level($1_seunshare_t) - - domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) - sandbox_transition($1_seunshare_t, $2) - - ps_process_pattern($3, $1_seunshare_t) - allow $3 $1_seunshare_t:process signal_perms; - - allow $1_seunshare_t $3:process transition; - dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; - - ifdef(`hide_broken_symptoms', ` - dontaudit $1_seunshare_t $3:socket_class_set { read write }; - ') -') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te deleted file mode 100644 index e5ef7b3..0000000 --- a/policy/modules/apps/seunshare.te +++ /dev/null @@ -1,49 +0,0 @@ -policy_module(seunshare, 1.1.0) - -######################################## -# -# Declarations -# - -attribute seunshare_domain; -type seunshare_exec_t; - -######################################## -# -# seunshare local policy -# -allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice }; -allow seunshare_domain self:process { fork setexec signal getcap setcap setsched }; - -allow seunshare_domain self:fifo_file rw_file_perms; -allow seunshare_domain self:unix_stream_socket create_stream_socket_perms; - -kernel_read_system_state(seunshare_domain) - -corecmd_exec_shell(seunshare_domain) -corecmd_exec_bin(seunshare_domain) - -files_search_all(seunshare_domain) -files_read_etc_files(seunshare_domain) -files_mounton_all_poly_members(seunshare_domain) - -fs_manage_cgroup_dirs(seunshare_domain) -fs_manage_cgroup_files(seunshare_domain) - -auth_use_nsswitch(seunshare_domain) - -logging_send_syslog_msg(seunshare_domain) - -miscfiles_read_localization(seunshare_domain) - -userdom_use_user_terminals(seunshare_domain) - -ifdef(`hide_broken_symptoms', ` - fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) - fs_dontaudit_list_inotifyfs(seunshare_domain) - - optional_policy(` - mozilla_dontaudit_manage_user_home_files(seunshare_domain) - ') -') - diff --git a/policy/modules/apps/slocate.fc b/policy/modules/apps/slocate.fc deleted file mode 100644 index 1951c4b..0000000 --- a/policy/modules/apps/slocate.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0) -/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0) diff --git a/policy/modules/apps/slocate.if b/policy/modules/apps/slocate.if deleted file mode 100644 index b7505a0..0000000 --- a/policy/modules/apps/slocate.if +++ /dev/null @@ -1,41 +0,0 @@ -## Update database for mlocate - -######################################## -## -## Create the locate log with append mode. -## -## -## -## Domain allowed access. -## -## -# -interface(`slocate_create_append_log',` - gen_require(` - type locate_log_t; - ') - - logging_search_logs($1) - create_files_pattern($1, locate_log_t, locate_log_t) - append_files_pattern($1, locate_log_t, locate_log_t) -') - -######################################## -## -## Read locate lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`locate_read_lib_files',` - gen_require(` - type locate_var_lib_t; - ') - - read_files_pattern($1, locate_var_lib_t, locate_var_lib_t) - allow $1 locate_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) -') diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te deleted file mode 100644 index 3d2ef30..0000000 --- a/policy/modules/apps/slocate.te +++ /dev/null @@ -1,70 +0,0 @@ -policy_module(slocate, 1.9.1) - -################################# -# -# Declarations -# - -type locate_t; -type locate_exec_t; -init_system_domain(locate_t, locate_exec_t) - -type locate_log_t; -logging_log_file(locate_log_t) - -type locate_var_lib_t; -files_type(locate_var_lib_t) - -######################################## -# -# Local policy -# - -allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; -allow locate_t self:process { execmem execheap execstack signal }; -allow locate_t self:fifo_file rw_fifo_file_perms; -allow locate_t self:unix_stream_socket create_socket_perms; - -manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) -manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) - -kernel_read_system_state(locate_t) -kernel_dontaudit_search_network_state(locate_t) -kernel_dontaudit_search_sysctl(locate_t) - -corecmd_exec_bin(locate_t) - -dev_getattr_all_blk_files(locate_t) -dev_getattr_all_chr_files(locate_t) - -files_list_all(locate_t) -files_dontaudit_read_all_symlinks(locate_t) -files_getattr_all_files(locate_t) -files_getattr_all_pipes(locate_t) -files_getattr_all_sockets(locate_t) -files_read_etc_runtime_files(locate_t) -files_read_etc_files(locate_t) - -fs_getattr_all_fs(locate_t) -fs_getattr_all_files(locate_t) -fs_getattr_all_pipes(locate_t) -fs_getattr_all_symlinks(locate_t) -fs_getattr_all_blk_files(locate_t) -fs_getattr_all_chr_files(locate_t) -fs_list_all(locate_t) -fs_list_inotifyfs(locate_t) -fs_read_noxattr_fs_symlinks(locate_t) - -# getpwnam -auth_use_nsswitch(locate_t) - -miscfiles_read_localization(locate_t) - -ifdef(`enable_mls',` - # On MLS machines will not be allowed to getattr Anything but SystemLow - files_dontaudit_getattr_all_dirs(locate_t) -') - -optional_policy(` - cron_system_entry(locate_t, locate_exec_t) -') diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc deleted file mode 100644 index 809bb65..0000000 --- a/policy/modules/apps/telepathy.fc +++ /dev/null @@ -1,15 +0,0 @@ -HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) -HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) -HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -HOME_DIR/.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) - -/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) - -/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) -/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) -/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) -/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0) -/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) -/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) -/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) -/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if deleted file mode 100644 index 3d12484..0000000 --- a/policy/modules/apps/telepathy.if +++ /dev/null @@ -1,188 +0,0 @@ - -## Telepathy framework. - -####################################### -## -## Creates basic types for telepathy -## domain -## -## -## -## Prefix for the domain. -## -## -# -# -template(`telepathy_domain_template',` - - gen_require(` - attribute telepathy_domain; - attribute telepathy_executable; - ') - - type telepathy_$1_t, telepathy_domain; - type telepathy_$1_exec_t, telepathy_executable; - application_domain(telepathy_$1_t, telepathy_$1_exec_t) - ubac_constrained(telepathy_$1_t) - - type telepathy_$1_tmp_t; - files_tmp_file(telepathy_$1_tmp_t) - ubac_constrained(telepathy_$1_tmp_t) - - dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t) -') - -####################################### -## -## Role access for telepathy domains -### that executes via dbus-session -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`telepathy_dbus_session_role', ` - gen_require(` - attribute telepathy_domain; - ') - - role $1 types telepathy_domain; - - allow $2 telepathy_domain:process { ptrace signal_perms }; - ps_process_pattern($2, telepathy_domain) - - optional_policy(` - telepathy_dbus_chat($2) - ') - - telepathy_gabble_stream_connect($2) - telepathy_msn_stream_connect($2) - telepathy_salut_stream_connect($2) -') - -######################################## -## -## Send DBus messages to and from -## all Telepathy domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_dbus_chat', ` - gen_require(` - attribute telepathy_domain; - class dbus send_msg; - ') - - allow $1 telepathy_domain:dbus send_msg; - allow telepathy_domain $1:dbus send_msg; -') - -######################################## -## -## Send DBus messages to and from -## Telepathy Gabble. -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_gabble_dbus_chat', ` - gen_require(` - type telepathy_gabble_t; - class dbus send_msg; - ') - - allow $1 telepathy_gabble_t:dbus send_msg; - allow telepathy_gabble_t $1:dbus send_msg; -') - -######################################## -## -## Read and write Telepathy Butterfly -## temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_butterfly_rw_tmp_files', ` - gen_require(` - type telepathy_butterfly_tmp_t; - ') - - allow $1 telepathy_butterfly_tmp_t:file rw_file_perms; - files_search_tmp($1) -') - -######################################## -## -## Stream connect to Telepathy Gabble -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_gabble_stream_connect', ` - gen_require(` - type telepathy_gabble_t, telepathy_gabble_tmp_t; - ') - - stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) - files_search_tmp($1) -') - -####################################### -## -## Stream connect to telepathy MSN managers -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_msn_stream_connect', ` - gen_require(` - type telepathy_msn_t, telepathy_msn_tmp_t; - ') - - stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) - files_search_tmp($1) -') - - -######################################## -## -## Stream connect to Telepathy Salut -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_salut_stream_connect', ` - gen_require(` - type telepathy_salut_t, telepathy_salut_tmp_t; - ') - - stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) - files_search_tmp($1) -') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te deleted file mode 100644 index 0b28cf8..0000000 --- a/policy/modules/apps/telepathy.te +++ /dev/null @@ -1,329 +0,0 @@ - -policy_module(telepathy, 1.0.0) - -######################################## -# -# Declarations. -# - -## -##

-## Allow the Telepathy connection managers -## to connect to any generic TCP port. -##

-##
-gen_tunable(telepathy_tcp_connect_generic_network_ports, false) - -attribute telepathy_domain; -attribute telepathy_executable; - -telepathy_domain_template(gabble) - -type telepathy_gabble_cache_home_t; -userdom_user_home_content(telepathy_gabble_cache_home_t) - -telepathy_domain_template(idle) -telepathy_domain_template(mission_control) - -type telepathy_mission_control_home_t; -userdom_user_home_content(telepathy_mission_control_home_t) - -type telepathy_mission_control_cache_home_t; -userdom_user_home_content(telepathy_mission_control_cache_home_t) - -type telepathy_sunshine_home_t; -userdom_user_home_content(telepathy_sunshine_home_t) - -telepathy_domain_template(msn) -telepathy_domain_template(salut) -telepathy_domain_template(sofiasip) -telepathy_domain_template(stream_engine) -telepathy_domain_template(sunshine) - -####################################### -# -# Telepathy Butterfly and Haze local policy. -# - -allow telepathy_msn_t self:process setsched; -allow telepathy_msn_t self:netlink_route_socket create_netlink_socket_perms; -allow telepathy_msn_t self:unix_dgram_socket { write create connect }; - -manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) -userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) -userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) -can_exec(telepathy_msn_t, telepathy_msn_tmp_t) - -corenet_sendrecv_http_client_packets(telepathy_msn_t) -corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) -corenet_sendrecv_msnp_client_packets(telepathy_msn_t) -corenet_tcp_connect_http_port(telepathy_msn_t) -corenet_tcp_connect_mmcc_port(telepathy_msn_t) -corenet_tcp_connect_msnp_port(telepathy_msn_t) -corenet_tcp_connect_sametime_port(telepathy_msn_t) - -corecmd_exec_bin(telepathy_msn_t) -corecmd_exec_shell(telepathy_msn_t) -corecmd_read_bin_symlinks(telepathy_msn_t) - -dev_read_urand(telepathy_msn_t) - -files_read_etc_files(telepathy_msn_t) -files_read_usr_files(telepathy_msn_t) - -auth_use_nsswitch(telepathy_msn_t) - -init_read_state(telepathy_msn_t) - -libs_exec_ldconfig(telepathy_msn_t) - -logging_send_syslog_msg(telepathy_msn_t) - -miscfiles_read_all_certs(telepathy_msn_t) - -sysnet_read_config(telepathy_msn_t) - -optional_policy(` - dbus_system_bus_client(telepathy_msn_t) - optional_policy(` - networkmanager_dbus_chat(telepathy_msn_t) - ') -') - -optional_policy(` - gnome_read_gconf_home_files(telepathy_msn_t) -') - -####################################### -# -# Telepathy Gabble local policy. -# - -allow telepathy_gabble_t self:netlink_route_socket create_netlink_socket_perms; -allow telepathy_gabble_t self:tcp_socket { listen accept }; -allow telepathy_gabble_t self:unix_dgram_socket { write read create getattr sendto }; - -manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) -manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) -files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) - -# ~/.cache/gabble/caps-cache.db-journal -optional_policy(` - manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) - manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) - gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, { dir file }) -') - -corenet_sendrecv_commplex_client_packets(telepathy_gabble_t) -corenet_sendrecv_http_client_packets(telepathy_gabble_t) -corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) -corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) - -corenet_tcp_connect_commplex_port(telepathy_gabble_t) -corenet_tcp_connect_http_port(telepathy_gabble_t) -corenet_tcp_connect_jabber_client_port(telepathy_gabble_t) -corenet_tcp_connect_vnc_port(telepathy_gabble_t) - -dev_read_rand(telepathy_gabble_t) -dev_read_urand(telepathy_gabble_t) - -files_read_config_files(telepathy_gabble_t) -files_read_usr_files(telepathy_gabble_t) - -miscfiles_read_all_certs(telepathy_gabble_t) - -sysnet_read_config(telepathy_gabble_t) - -optional_policy(` - dbus_system_bus_client(telepathy_gabble_t) -') - -tunable_policy(`use_nfs_home_dirs', ` - fs_manage_nfs_dirs(telepathy_gabble_t) - fs_manage_nfs_files(telepathy_gabble_t) -') - -tunable_policy(`use_samba_home_dirs', ` - fs_manage_cifs_dirs(telepathy_gabble_t) - fs_manage_cifs_files(telepathy_gabble_t) -') - -####################################### -# -# Telepathy Idle local policy. -# - -allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms; - -corenet_sendrecv_ircd_client_packets(telepathy_idle_t) -corenet_tcp_connect_ircd_port(telepathy_idle_t) - -files_read_etc_files(telepathy_idle_t) - -sysnet_read_config(telepathy_idle_t) - -####################################### -# -# Telepathy Mission-Control local policy. -# - -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) -userdom_search_user_home_dirs(telepathy_mission_control_t) - -dev_read_rand(telepathy_mission_control_t) - -files_read_etc_files(telepathy_mission_control_t) -files_read_usr_files(telepathy_mission_control_t) - -tunable_policy(`use_nfs_home_dirs', ` - fs_manage_nfs_dirs(telepathy_mission_control_t) - fs_manage_nfs_files(telepathy_mission_control_t) -') - -tunable_policy(`use_samba_home_dirs', ` - fs_manage_cifs_dirs(telepathy_mission_control_t) - fs_manage_cifs_files(telepathy_mission_control_t) -') - -auth_use_nsswitch(telepathy_mission_control_t) - -# ~/.cache/.mc_connections. -optional_policy(` - manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) - gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) -') - -optional_policy(` - gnome_read_gconf_home_files(telepathy_mission_control_t) - gnome_setattr_cache_home_dir(telepathy_mission_control_t) - gnome_read_generic_cache_files(telepathy_mission_control_t) -') - -####################################### -# -# Telepathy Salut local policy. -# - -allow telepathy_salut_t self:netlink_route_socket create_netlink_socket_perms; -allow telepathy_salut_t self:tcp_socket { accept listen }; - -manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) -files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) - -corenet_sendrecv_presence_server_packets(telepathy_salut_t) -corenet_tcp_bind_presence_port(telepathy_salut_t) -corenet_tcp_connect_presence_port(telepathy_salut_t) - -dev_read_urand(telepathy_salut_t) - -files_read_etc_files(telepathy_salut_t) - -sysnet_read_config(telepathy_salut_t) - -optional_policy(` - dbus_system_bus_client(telepathy_salut_t) - - optional_policy(` - avahi_dbus_chat(telepathy_salut_t) - ') -') - -####################################### -# -# Telepathy Sofiasip local policy. -# - -allow telepathy_sofiasip_t self:netlink_route_socket create_netlink_socket_perms; -allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; -allow telepathy_sofiasip_t self:tcp_socket { listen }; - -corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) -corenet_tcp_connect_sip_port(telepathy_sofiasip_t) - -dev_read_urand(telepathy_sofiasip_t) - -kernel_request_load_module(telepathy_sofiasip_t) - -sysnet_read_config(telepathy_sofiasip_t) - -####################################### -# -# Telepathy Sunshine local policy. -# -manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) -manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) -userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file }) -userdom_search_user_home_dirs(telepathy_sunshine_t) - -manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) -exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) -files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) - -corecmd_exec_bin(telepathy_sunshine_t) - -dev_read_urand(telepathy_sunshine_t) - -files_read_etc_files(telepathy_sunshine_t) -files_read_usr_files(telepathy_sunshine_t) - -optional_policy(` - xserver_read_xdm_pid(telepathy_sunshine_t) - xserver_stream_connect(telepathy_sunshine_t) -') - -####################################### -# -# telepathy domains common policy -# - -allow telepathy_domain self:process { getsched signal sigkill }; -allow telepathy_domain self:fifo_file rw_fifo_file_perms; -allow telepathy_domain self:tcp_socket create_socket_perms; -allow telepathy_domain self:udp_socket create_socket_perms; - -corenet_all_recvfrom_netlabel(telepathy_domain) -corenet_all_recvfrom_unlabeled(telepathy_domain) -corenet_raw_bind_generic_node(telepathy_domain) -corenet_raw_sendrecv_generic_if(telepathy_domain) -corenet_raw_sendrecv_generic_node(telepathy_domain) -corenet_tcp_bind_generic_node(telepathy_domain) -corenet_tcp_sendrecv_generic_if(telepathy_domain) -corenet_tcp_sendrecv_generic_node(telepathy_domain) -corenet_udp_bind_generic_node(telepathy_domain) - -kernel_read_system_state(telepathy_domain) - -fs_search_auto_mountpoints(telepathy_domain) - -miscfiles_read_localization(telepathy_domain) - -# This interface does not facilitate files_search_tmp which appears to be a bug. -userdom_stream_connect(telepathy_domain) -userdom_use_user_terminals(telepathy_domain) - -tunable_policy(`telepathy_tcp_connect_generic_network_ports', ` - corenet_tcp_connect_generic_port(telepathy_domain) - corenet_sendrecv_generic_client_packets(telepathy_domain) -') - -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(telepathy_domain) -') - -optional_policy(` - nis_use_ypbind(telepathy_domain) -') - -optional_policy(` - telepathy_dbus_chat(telepathy_domain) -') - -optional_policy(` - xserver_rw_xdm_pipes(telepathy_domain) -') diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc deleted file mode 100644 index fb43a7b..0000000 --- a/policy/modules/apps/thunderbird.fc +++ /dev/null @@ -1,6 +0,0 @@ -# -# /usr -# -/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) - -HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0) diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if deleted file mode 100644 index a76e9f9..0000000 --- a/policy/modules/apps/thunderbird.if +++ /dev/null @@ -1,63 +0,0 @@ -## Thunderbird email client - -######################################## -## -## Role access for thunderbird -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`thunderbird_role',` - gen_require(` - type thunderbird_t, thunderbird_exec_t; - type thunderbird_home_t, thunderbird_tmpfs_t; - ') - - role $1 types thunderbird_t; - - domain_auto_trans($2, thunderbird_exec_t, thunderbird_t) - allow $2 thunderbird_t:fd use; - allow $2 thunderbird_t:shm { associate getattr }; - allow $2 thunderbird_t:unix_stream_socket connectto; - allow thunderbird_t $2:fd use; - allow thunderbird_t $2:process sigchld; - allow thunderbird_t $2:unix_stream_socket connectto; - - # allow ps to show thunderbird and allow the user to kill it - ps_process_pattern($2, thunderbird_t) - allow $2 thunderbird_t:process signal; - - # Access ~/.thunderbird - manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) - manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t) - manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) - relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) - relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t) - relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) -') - -######################################## -## -## Run thunderbird in the user thunderbird domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`thunderbird_domtrans',` - gen_require(` - type thunderbird_t, thunderbird_exec_t; - ') - - domtrans_pattern($1, thunderbird_exec_t, thunderbird_t) -') diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te deleted file mode 100644 index 794c0be..0000000 --- a/policy/modules/apps/thunderbird.te +++ /dev/null @@ -1,210 +0,0 @@ -policy_module(thunderbird, 2.1.1) - -######################################## -# -# Declarations -# - -type thunderbird_t; -type thunderbird_exec_t; -typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t }; -typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t }; -application_domain(thunderbird_t, thunderbird_exec_t) -ubac_constrained(thunderbird_t) - -type thunderbird_home_t; -typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t }; -typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t }; -userdom_user_home_content(thunderbird_home_t) - -type thunderbird_tmpfs_t; -typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t }; -typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t }; -files_tmpfs_file(thunderbird_tmpfs_t) -ubac_constrained(thunderbird_tmpfs_t) - -######################################## -# -# Local policy -# - -allow thunderbird_t self:capability sys_nice; -allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack }; -allow thunderbird_t self:fifo_file { ioctl read write getattr }; -allow thunderbird_t self:unix_dgram_socket { create connect }; -allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind }; -allow thunderbird_t self:tcp_socket create_socket_perms; -allow thunderbird_t self:shm { read write create destroy unix_read unix_write }; - -# Access ~/.thunderbird -manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) -manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) -manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) -userdom_search_user_home_dirs(thunderbird_t) - -manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -# Allow netstat -kernel_read_network_state(thunderbird_t) -kernel_read_net_sysctls(thunderbird_t) -kernel_read_system_state(thunderbird_t) - -# Startup shellscript -corecmd_exec_shell(thunderbird_t) - -corenet_all_recvfrom_unlabeled(thunderbird_t) -corenet_all_recvfrom_netlabel(thunderbird_t) -corenet_tcp_sendrecv_generic_if(thunderbird_t) -corenet_tcp_sendrecv_generic_node(thunderbird_t) -corenet_tcp_sendrecv_ipp_port(thunderbird_t) -corenet_tcp_sendrecv_ldap_port(thunderbird_t) -corenet_tcp_sendrecv_innd_port(thunderbird_t) -corenet_tcp_sendrecv_smtp_port(thunderbird_t) -corenet_tcp_sendrecv_pop_port(thunderbird_t) -corenet_tcp_sendrecv_http_port(thunderbird_t) -corenet_tcp_connect_ipp_port(thunderbird_t) -corenet_tcp_connect_ldap_port(thunderbird_t) -corenet_tcp_connect_innd_port(thunderbird_t) -corenet_tcp_connect_smtp_port(thunderbird_t) -corenet_tcp_connect_pop_port(thunderbird_t) -corenet_tcp_connect_http_port(thunderbird_t) -corenet_sendrecv_ipp_client_packets(thunderbird_t) -corenet_sendrecv_ldap_client_packets(thunderbird_t) -corenet_sendrecv_innd_client_packets(thunderbird_t) -corenet_sendrecv_smtp_client_packets(thunderbird_t) -corenet_sendrecv_pop_client_packets(thunderbird_t) -corenet_sendrecv_http_client_packets(thunderbird_t) - -dev_read_urand(thunderbird_t) -dev_dontaudit_search_sysfs(thunderbird_t) - -files_list_tmp(thunderbird_t) -files_read_usr_files(thunderbird_t) -files_read_etc_files(thunderbird_t) -files_read_etc_runtime_files(thunderbird_t) -files_read_var_files(thunderbird_t) -files_read_var_symlinks(thunderbird_t) -files_dontaudit_getattr_all_tmp_files(thunderbird_t) -files_dontaudit_getattr_boot_dirs(thunderbird_t) -files_dontaudit_getattr_lost_found_dirs(thunderbird_t) -files_dontaudit_search_mnt(thunderbird_t) - -fs_getattr_xattr_fs(thunderbird_t) -fs_list_inotifyfs(thunderbird_t) -# Access ~/.thunderbird -fs_search_auto_mountpoints(thunderbird_t) - -auth_use_nsswitch(thunderbird_t) - -miscfiles_read_fonts(thunderbird_t) -miscfiles_read_localization(thunderbird_t) - -userdom_manage_user_tmp_dirs(thunderbird_t) -userdom_read_user_tmp_files(thunderbird_t) -userdom_manage_user_tmp_sockets(thunderbird_t) -# .kde/....gtkrc -userdom_read_user_home_content_files(thunderbird_t) - -xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) -xserver_read_xdm_tmp_files(thunderbird_t) -xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) - -# Access ~/.thunderbird -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(thunderbird_t) - fs_manage_nfs_files(thunderbird_t) - fs_manage_nfs_symlinks(thunderbird_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(thunderbird_t) - fs_manage_cifs_files(thunderbird_t) - fs_manage_cifs_symlinks(thunderbird_t) -') - -tunable_policy(`mail_read_content && use_nfs_home_dirs',` - files_list_home(thunderbird_t) - - fs_list_auto_mountpoints(thunderbird_t) - fs_read_nfs_files(thunderbird_t) - fs_read_nfs_symlinks(thunderbird_t) -',` - files_dontaudit_list_home(thunderbird_t) - - fs_dontaudit_list_auto_mountpoints(thunderbird_t) - fs_dontaudit_list_nfs(thunderbird_t) - fs_dontaudit_read_nfs_files(thunderbird_t) -') - -tunable_policy(`mail_read_content && use_samba_home_dirs',` - files_list_home(thunderbird_t) - - fs_list_auto_mountpoints(thunderbird_t) - fs_read_cifs_files(thunderbird_t) - fs_read_cifs_symlinks(thunderbird_t) -',` - files_dontaudit_list_home(thunderbird_t) - - fs_dontaudit_list_auto_mountpoints(thunderbird_t) - fs_dontaudit_read_cifs_files(thunderbird_t) - fs_dontaudit_list_cifs(thunderbird_t) -') - -tunable_policy(`mail_read_content',` - userdom_list_user_tmp(thunderbird_t) - userdom_read_user_tmp_files(thunderbird_t) - userdom_read_user_tmp_symlinks(thunderbird_t) - userdom_search_user_home_dirs(thunderbird_t) - userdom_read_user_home_content_files(thunderbird_t) - - ifndef(`enable_mls',` - fs_search_removable(thunderbird_t) - fs_read_removable_files(thunderbird_t) - fs_read_removable_symlinks(thunderbird_t) - ') -',` - files_dontaudit_list_tmp(thunderbird_t) - files_dontaudit_list_home(thunderbird_t) - - fs_dontaudit_list_removable(thunderbird_t) - fs_dontaudit_read_removable_files(thunderbird_t) - - userdom_dontaudit_list_user_tmp(thunderbird_t) - userdom_dontaudit_read_user_tmp_files(thunderbird_t) - userdom_dontaudit_list_user_home_dirs(thunderbird_t) - userdom_dontaudit_read_user_home_content_files(thunderbird_t) -') - -optional_policy(` - dbus_system_bus_client(thunderbird_t) - dbus_session_bus_client(thunderbird_t) -') - -optional_policy(` - cups_read_rw_config(thunderbird_t) - cups_dbus_chat(thunderbird_t) -') - -optional_policy(` - gnome_stream_connect_gconf(thunderbird_t) - gnome_domtrans_gconfd(thunderbird_t) - gnome_manage_config(thunderbird_t) -') - -optional_policy(` - gpg_domtrans(thunderbird_t) -') - -optional_policy(` - lpd_domtrans_lpr(thunderbird_t) -') - -optional_policy(` - mozilla_read_user_home_files(thunderbird_t) - mozilla_domtrans(thunderbird_t) - mozilla_dbus_chat(thunderbird_t) -') diff --git a/policy/modules/apps/tvtime.fc b/policy/modules/apps/tvtime.fc deleted file mode 100644 index 8698a61..0000000 --- a/policy/modules/apps/tvtime.fc +++ /dev/null @@ -1,5 +0,0 @@ -# -# /usr -# -/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0) - diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if deleted file mode 100644 index 8d89f21..0000000 --- a/policy/modules/apps/tvtime.if +++ /dev/null @@ -1,40 +0,0 @@ -## tvtime - a high quality television application - -######################################## -## -## Role access for tvtime -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`tvtime_role',` - gen_require(` - type tvtime_t, tvtime_exec_t; - type tvtime_home_t, tvtime_tmpfs_t; - ') - - role $1 types tvtime_t; - - # Type transition - domtrans_pattern($2, tvtime_exec_t, tvtime_t) - - # X access, Home files - manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t) - manage_files_pattern($2, tvtime_home_t, tvtime_home_t) - manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t) - relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t) - relabel_files_pattern($2, tvtime_home_t, tvtime_home_t) - relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, tvtime_t) - allow $2 tvtime_t:process signal_perms; -') diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te deleted file mode 100644 index e926470..0000000 --- a/policy/modules/apps/tvtime.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(tvtime, 2.0.1) - -######################################## -# -# Declarations -# - -type tvtime_t; -type tvtime_exec_t; -typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t }; -typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t }; -application_domain(tvtime_t, tvtime_exec_t) -ubac_constrained(tvtime_t) - -type tvtime_home_t alias tvtime_rw_t; -typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t }; -typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t }; -userdom_user_home_content(tvtime_home_t) - -type tvtime_tmp_t; -typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t }; -typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t }; -files_tmp_file(tvtime_tmp_t) -ubac_constrained(tvtime_tmp_t) - -type tvtime_tmpfs_t; -typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t }; -typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t }; -files_tmpfs_file(tvtime_tmpfs_t) -ubac_constrained(tvtime_tmpfs_t) - -######################################## -# -# Local policy -# - -allow tvtime_t self:capability { setuid sys_nice sys_resource }; -allow tvtime_t self:process setsched; -allow tvtime_t self:unix_dgram_socket rw_socket_perms; -allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; - -# X access, Home files -manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) -manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) -manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) -userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir) - -manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) -manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) -files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir }) - -manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file }) - -kernel_read_all_sysctls(tvtime_t) -kernel_get_sysvipc_info(tvtime_t) - -dev_read_urand(tvtime_t) -dev_read_realtime_clock(tvtime_t) -dev_read_sound(tvtime_t) - -files_read_usr_files(tvtime_t) -files_search_pids(tvtime_t) -# Read /etc/tvtime -files_read_etc_files(tvtime_t) - -# X access, Home files -fs_search_auto_mountpoints(tvtime_t) - -miscfiles_read_localization(tvtime_t) -miscfiles_read_fonts(tvtime_t) - -userdom_use_user_terminals(tvtime_t) -userdom_read_user_home_content_files(tvtime_t) - -# X access, Home files -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(tvtime_t) - fs_manage_nfs_files(tvtime_t) - fs_manage_nfs_symlinks(tvtime_t) -') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(tvtime_t) - fs_manage_cifs_files(tvtime_t) - fs_manage_cifs_symlinks(tvtime_t) -') - -optional_policy(` - xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) -') diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc deleted file mode 100644 index b8b9520..0000000 --- a/policy/modules/apps/uml.fc +++ /dev/null @@ -1,14 +0,0 @@ -# -# HOME_DIR/ -# -HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0) - -# -# /usr -# -/usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0) - -# -# /var -# -/var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0) diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if deleted file mode 100644 index d2ab7cb..0000000 --- a/policy/modules/apps/uml.if +++ /dev/null @@ -1,99 +0,0 @@ -## Policy for UML - -######################################## -## -## Role access for uml -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`uml_role',` - gen_require(` - type uml_t, uml_exec_t; - type uml_ro_t, uml_rw_t, uml_tmp_t; - type uml_devpts_t, uml_tmpfs_t; - ') - - role $1 types uml_t; - - # Transition from the user domain to this domain. - domtrans_pattern($2, uml_exec_t, uml_t) - - # for mconsole - allow $2 uml_t:unix_dgram_socket sendto; - allow uml_t $2:unix_dgram_socket sendto; - - # allow ps, ptrace, signal - ps_process_pattern($2, uml_t) - allow $2 uml_t:process { ptrace signal_perms }; - - allow $2 uml_ro_t:dir list_dir_perms; - read_files_pattern($2, uml_ro_t, uml_ro_t) - read_lnk_files_pattern($2, uml_ro_t, uml_ro_t) - - manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - - manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - - manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t) - manage_files_pattern($2, uml_tmp_t, uml_tmp_t) - manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t) - manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t) -') - -######################################## -## -## Set attributes on uml utility socket files. -## -## -## -## Domain allowed access. -## -## -# -interface(`uml_setattr_util_sockets',` - gen_require(` - type uml_switch_var_run_t; - ') - - allow $1 uml_switch_var_run_t:sock_file setattr; -') - -######################################## -## -## Manage uml utility files. -## -## -## -## Domain allowed access. -## -## -# -interface(`uml_manage_util_files',` - gen_require(` - type uml_switch_var_run_t; - ') - - manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t) - manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t) -') diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te deleted file mode 100644 index 2df1343..0000000 --- a/policy/modules/apps/uml.te +++ /dev/null @@ -1,191 +0,0 @@ -policy_module(uml, 2.1.0) - -######################################## -# -# Declarations -# - -type uml_t; -type uml_exec_t; -typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t }; -typealias uml_t alias { auditadm_uml_t secadm_uml_t }; -application_domain(uml_t, uml_exec_t) -ubac_constrained(uml_t) - -type uml_ro_t; -typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t }; -typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t }; -userdom_user_home_content(uml_ro_t) - -type uml_rw_t; -typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t }; -typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t }; -userdom_user_home_content(uml_rw_t) - -type uml_tmp_t; -typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t }; -typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t }; -files_tmp_file(uml_tmp_t) -ubac_constrained(uml_tmp_t) - -type uml_tmpfs_t; -typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t }; -typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t }; -files_tmpfs_file(uml_tmpfs_t) -ubac_constrained(uml_tmpfs_t) - -type uml_devpts_t; -typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t }; -typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t }; -term_pty(uml_devpts_t) -ubac_constrained(uml_devpts_t) - -type uml_switch_t; -type uml_switch_exec_t; -init_daemon_domain(uml_switch_t, uml_switch_exec_t) - -type uml_switch_var_run_t; -files_pid_file(uml_switch_var_run_t) - -######################################## -# -# Local policy -# - -allow uml_t self:fifo_file rw_fifo_file_perms; -allow uml_t self:process { signal_perms ptrace }; -allow uml_t self:unix_stream_socket create_stream_socket_perms; -allow uml_t self:unix_dgram_socket create_socket_perms; -# Use the network. -allow uml_t self:tcp_socket create_stream_socket_perms; -allow uml_t self:udp_socket create_socket_perms; -allow uml_t self:tun_socket create; -# for mconsole -allow uml_t self:unix_dgram_socket sendto; - -# allow the UML thing to happen -allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr }; -term_create_pty(uml_t, uml_devpts_t) - -manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t) -manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t) -files_tmp_filetrans(uml_t, uml_tmp_t, { file dir }) -can_exec(uml_t, uml_tmp_t) - -manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file }) -can_exec(uml_t, uml_tmpfs_t) - -# access config files -allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms; -read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t }) -read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t }) - -manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_files_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t) -userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file }) - -can_exec(uml_t, { uml_exec_t uml_exec_t }) - -kernel_read_system_state(uml_t) -# for SKAS - need something better -kernel_write_proc_files(uml_t) - -# for xterm -corecmd_exec_bin(uml_t) - -corenet_all_recvfrom_unlabeled(uml_t) -corenet_all_recvfrom_netlabel(uml_t) -corenet_tcp_sendrecv_generic_if(uml_t) -corenet_udp_sendrecv_generic_if(uml_t) -corenet_tcp_sendrecv_generic_node(uml_t) -corenet_udp_sendrecv_generic_node(uml_t) -corenet_tcp_sendrecv_all_ports(uml_t) -corenet_udp_sendrecv_all_ports(uml_t) -corenet_tcp_connect_all_ports(uml_t) -corenet_sendrecv_all_client_packets(uml_t) -corenet_rw_tun_tap_dev(uml_t) - -domain_use_interactive_fds(uml_t) - -# for xterm -files_read_etc_files(uml_t) -files_dontaudit_read_etc_runtime_files(uml_t) -# putting uml data under /var is usual... -files_search_var(uml_t) - -fs_getattr_xattr_fs(uml_t) - -init_read_utmp(uml_t) -init_dontaudit_write_utmp(uml_t) - -# for xterm -libs_exec_lib_files(uml_t) - -# Inherit and use descriptors from newrole. -seutil_use_newrole_fds(uml_t) - -# Use the network. -sysnet_read_config(uml_t) - -userdom_use_user_terminals(uml_t) -userdom_attach_admin_tun_iface(uml_t) - -optional_policy(` - nis_use_ypbind(uml_t) -') - -optional_policy(` - virt_attach_tun_iface(uml_t) -') - -######################################## -# -# Local policy -# - -dontaudit uml_switch_t self:capability sys_tty_config; -allow uml_switch_t self:process signal_perms; -allow uml_switch_t self:unix_dgram_socket create_socket_perms; -allow uml_switch_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t) -manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t) -files_pid_filetrans(uml_switch_t, uml_switch_var_run_t, file) - -kernel_read_kernel_sysctls(uml_switch_t) -kernel_list_proc(uml_switch_t) -kernel_read_proc_symlinks(uml_switch_t) - -dev_read_sysfs(uml_switch_t) - -domain_use_interactive_fds(uml_switch_t) - -fs_getattr_all_fs(uml_switch_t) -fs_search_auto_mountpoints(uml_switch_t) - -term_dontaudit_use_console(uml_switch_t) - -init_use_fds(uml_switch_t) -init_use_script_ptys(uml_switch_t) - -logging_send_syslog_msg(uml_switch_t) - -miscfiles_read_localization(uml_switch_t) - -userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) -userdom_dontaudit_search_user_home_dirs(uml_switch_t) - -optional_policy(` - seutil_sigchld_newrole(uml_switch_t) -') - -optional_policy(` - udev_read_db(uml_switch_t) -') diff --git a/policy/modules/apps/userhelper.fc b/policy/modules/apps/userhelper.fc deleted file mode 100644 index cd83b89..0000000 --- a/policy/modules/apps/userhelper.fc +++ /dev/null @@ -1,10 +0,0 @@ -# -# /etc -# -/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) - -# -# /usr -# -/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) -/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if deleted file mode 100644 index 2e50976..0000000 --- a/policy/modules/apps/userhelper.if +++ /dev/null @@ -1,317 +0,0 @@ -## SELinux utility to run a shell with a new role - -####################################### -## -## The role template for the userhelper module. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## The user role. -## -## -## -## -## The user domain associated with the role. -## -## -# -template(`userhelper_role_template',` - gen_require(` - attribute userhelper_type; - type userhelper_exec_t, userhelper_conf_t; - class dbus send_msg; - ') - - ######################################## - # - # Declarations - # - - type $1_userhelper_t, userhelper_type; - application_domain($1_userhelper_t, userhelper_exec_t) - domain_role_change_exemption($1_userhelper_t) - domain_obj_id_change_exemption($1_userhelper_t) - domain_interactive_fd($1_userhelper_t) - domain_subj_id_change_exemption($1_userhelper_t) - ubac_constrained($1_userhelper_t) - role $2 types $1_userhelper_t; - - ######################################## - # - # Local policy - # - allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; - allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_userhelper_t self:process setexec; - allow $1_userhelper_t self:fd use; - allow $1_userhelper_t self:fifo_file rw_fifo_file_perms; - allow $1_userhelper_t self:shm create_shm_perms; - allow $1_userhelper_t self:sem create_sem_perms; - allow $1_userhelper_t self:msgq create_msgq_perms; - allow $1_userhelper_t self:msg { send receive }; - allow $1_userhelper_t self:unix_dgram_socket create_socket_perms; - allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms; - allow $1_userhelper_t self:unix_dgram_socket sendto; - allow $1_userhelper_t self:unix_stream_socket connectto; - allow $1_userhelper_t self:sock_file read_sock_file_perms; - - #Transition to the derived domain. - domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) - - allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; - rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) - - can_exec($1_userhelper_t, userhelper_exec_t) - - dontaudit $3 $1_userhelper_t:process signal; - - kernel_read_all_sysctls($1_userhelper_t) - kernel_getattr_debugfs($1_userhelper_t) - kernel_read_system_state($1_userhelper_t) - - # Execute shells - corecmd_exec_shell($1_userhelper_t) - # By default, revert to the calling domain when a program is executed - corecmd_bin_domtrans($1_userhelper_t, $3) - - # Inherit descriptors from the current session. - domain_use_interactive_fds($1_userhelper_t) - # for when the user types "exec userhelper" at the command line - domain_sigchld_interactive_fds($1_userhelper_t) - - dev_read_urand($1_userhelper_t) - # Read /dev directories and any symbolic links. - dev_list_all_dev_nodes($1_userhelper_t) - - files_list_var_lib($1_userhelper_t) - # Read the /etc/security/default_type file - files_read_etc_files($1_userhelper_t) - # Read /var. - files_read_var_files($1_userhelper_t) - files_read_var_symlinks($1_userhelper_t) - # for some PAM modules and for cwd - files_search_home($1_userhelper_t) - - fs_search_auto_mountpoints($1_userhelper_t) - fs_read_nfs_files($1_userhelper_t) - fs_read_nfs_symlinks($1_userhelper_t) - - # Allow $1_userhelper to obtain contexts to relabel TTYs - selinux_get_fs_mount($1_userhelper_t) - selinux_validate_context($1_userhelper_t) - selinux_compute_access_vector($1_userhelper_t) - selinux_compute_create_context($1_userhelper_t) - selinux_compute_relabel_context($1_userhelper_t) - selinux_compute_user_contexts($1_userhelper_t) - - # Read the devpts root directory. - term_list_ptys($1_userhelper_t) - # Relabel terminals. - term_relabel_all_ttys($1_userhelper_t) - term_relabel_all_ptys($1_userhelper_t) - # Access terminals. - term_use_all_ttys($1_userhelper_t) - term_use_all_ptys($1_userhelper_t) - - auth_domtrans_chk_passwd($1_userhelper_t) - auth_manage_pam_pid($1_userhelper_t) - auth_manage_var_auth($1_userhelper_t) - auth_search_pam_console_data($1_userhelper_t) - - # Inherit descriptors from the current session. - init_use_fds($1_userhelper_t) - # Write to utmp. - init_manage_utmp($1_userhelper_t) - init_pid_filetrans_utmp($1_userhelper_t) - - miscfiles_read_localization($1_userhelper_t) - - seutil_read_config($1_userhelper_t) - seutil_read_default_contexts($1_userhelper_t) - - # Allow $1_userhelper_t to transition to user domains. - userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) - userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) - - ifdef(`distro_redhat',` - optional_policy(` - # Allow transitioning to rpm_t, for up2date - rpm_domtrans($1_userhelper_t) - ') - ') - - optional_policy(` - logging_send_syslog_msg($1_userhelper_t) - ') - - optional_policy(` - nis_use_ypbind($1_userhelper_t) - ') - - optional_policy(` - nscd_socket_use($1_userhelper_t) - ') - - optional_policy(` - tunable_policy(`! secure_mode',` - #if we are not in secure mode then we can transition to sysadm_t - sysadm_bin_spec_domtrans($1_userhelper_t) - sysadm_entry_spec_domtrans($1_userhelper_t) - ') - ') -') - -######################################## -## -## Search the userhelper configuration directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userhelper_search_config',` - gen_require(` - type userhelper_conf_t; - ') - - allow $1 userhelper_conf_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to search -## the userhelper configuration directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`userhelper_dontaudit_search_config',` - gen_require(` - type userhelper_conf_t; - ') - - dontaudit $1 userhelper_conf_t:dir search_dir_perms; -') - -######################################## -## -## Allow domain to use userhelper file descriptor. -## -## -## -## Domain allowed access. -## -## -# -interface(`userhelper_use_fd',` - gen_require(` - attribute userhelper_type; - ') - - allow $1 userhelper_type:fd use; -') - -######################################## -## -## Allow domain to send sigchld to userhelper. -## -## -## -## Domain allowed access. -## -## -# -interface(`userhelper_sigchld',` - gen_require(` - attribute userhelper_type; - ') - - allow $1 userhelper_type:process sigchld; -') - -######################################## -## -## Execute the userhelper program in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`userhelper_exec',` - gen_require(` - type userhelper_exec_t; - ') - - can_exec($1, userhelper_exec_t) -') - -####################################### -## -## The role template for the consolehelper module. -## -## -##

-## This template creates a derived domains which are used -## for consolehelper applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`userhelper_console_role_template',` - gen_require(` - type consolehelper_exec_t; - attribute consolehelper_domain; - class dbus send_msg; - ') - type $1_consolehelper_t, consolehelper_domain; - domain_type($1_consolehelper_t) - domain_entry_file($1_consolehelper_t, consolehelper_exec_t) - role $2 types $1_consolehelper_t; - - domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) - - allow $3 $1_consolehelper_t:dbus send_msg; - allow $1_consolehelper_t $3:dbus send_msg; - - auth_use_pam($1_consolehelper_t) - - userdom_manage_tmpfs_role($2, $1_consolehelper_t) - - optional_policy(` - shutdown_run($1_consolehelper_t, $2) - shutdown_send_sigchld($3) - ') - - optional_policy(` - xserver_run_xauth($1_consolehelper_t, $2) - xserver_read_xdm_pid($1_consolehelper_t) - ') -') diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te deleted file mode 100644 index b46a20e..0000000 --- a/policy/modules/apps/userhelper.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(userhelper, 1.5.1) - -######################################## -# -# Declarations -# - -attribute userhelper_type; -attribute consolehelper_domain; - -type userhelper_conf_t; -files_type(userhelper_conf_t) - -type userhelper_exec_t; -application_executable_file(userhelper_exec_t) - -type consolehelper_exec_t; -application_executable_file(consolehelper_exec_t) - -######################################## -# -# consolehelper local policy -# - -allow consolehelper_domain self:shm create_shm_perms; -allow consolehelper_domain self:capability { setgid setuid }; - -dontaudit consolehelper_domain userhelper_conf_t:file write; -read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t) - -# Init script handling -domain_use_interactive_fds(consolehelper_domain) - -# internal communication is often done using fifo and unix sockets. -allow consolehelper_domain self:fifo_file rw_fifo_file_perms; -allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms; - -kernel_read_kernel_sysctls(consolehelper_domain) - -corecmd_exec_bin(consolehelper_domain) - -files_read_config_files(consolehelper_domain) -files_read_usr_files(consolehelper_domain) - -auth_search_pam_console_data(consolehelper_domain) -auth_read_pam_pid(consolehelper_domain) - -init_read_utmp(consolehelper_domain) - -miscfiles_read_localization(consolehelper_domain) -miscfiles_read_fonts(consolehelper_domain) - -userhelper_exec(consolehelper_domain) - -userdom_use_user_ptys(consolehelper_domain) -userdom_use_user_ttys(consolehelper_domain) -userdom_read_user_home_content_files(consolehelper_domain) - -optional_policy(` - gnome_read_gconf_home_files(consolehelper_domain) -') - -optional_policy(` - xserver_read_home_fonts(consolehelper_domain) - xserver_stream_connect(consolehelper_domain) -') diff --git a/policy/modules/apps/usernetctl.fc b/policy/modules/apps/usernetctl.fc deleted file mode 100644 index aa07e1e..0000000 --- a/policy/modules/apps/usernetctl.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0) diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if deleted file mode 100644 index ba9b9d6..0000000 --- a/policy/modules/apps/usernetctl.if +++ /dev/null @@ -1,64 +0,0 @@ -## User network interface configuration helper - -######################################## -## -## Execute usernetctl in the usernetctl domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usernetctl_domtrans',` - gen_require(` - type usernetctl_t, usernetctl_exec_t; - ') - - domtrans_pattern($1, usernetctl_exec_t, usernetctl_t) -') - -######################################## -## -## Execute usernetctl in the usernetctl domain, and -## allow the specified role the usernetctl domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`usernetctl_run',` - gen_require(` - type usernetctl_t; - ') - - usernetctl_domtrans($1) - role $2 types usernetctl_t; - - sysnet_run_ifconfig(usernetctl_t, $2) - sysnet_run_dhcpc(usernetctl_t, $2) - - optional_policy(` - consoletype_run(usernetctl_t, $2) - ') - - optional_policy(` - iptables_run(usernetctl_t, $2) - ') - - optional_policy(` - modutils_run_insmod(usernetctl_t, $2) - ') - - optional_policy(` - ppp_run(usernetctl_t, $2) - ') -') diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te deleted file mode 100644 index 9586818..0000000 --- a/policy/modules/apps/usernetctl.te +++ /dev/null @@ -1,69 +0,0 @@ -policy_module(usernetctl, 1.5.0) - -######################################## -# -# Declarations -# - -type usernetctl_t; -type usernetctl_exec_t; -application_domain(usernetctl_t, usernetctl_exec_t) -domain_interactive_fd(usernetctl_t) - -######################################## -# -# Local policy -# - -allow usernetctl_t self:capability { setuid setgid dac_override }; -allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow usernetctl_t self:fd use; -allow usernetctl_t self:fifo_file rw_fifo_file_perms; -allow usernetctl_t self:shm create_shm_perms; -allow usernetctl_t self:sem create_sem_perms; -allow usernetctl_t self:msgq create_msgq_perms; -allow usernetctl_t self:msg { send receive }; -allow usernetctl_t self:unix_dgram_socket create_socket_perms; -allow usernetctl_t self:unix_stream_socket create_stream_socket_perms; -allow usernetctl_t self:unix_dgram_socket sendto; -allow usernetctl_t self:unix_stream_socket connectto; - -can_exec(usernetctl_t, usernetctl_exec_t) - -kernel_read_system_state(usernetctl_t) -kernel_read_kernel_sysctls(usernetctl_t) - -corecmd_list_bin(usernetctl_t) -corecmd_exec_bin(usernetctl_t) -corecmd_exec_shell(usernetctl_t) - -domain_dontaudit_read_all_domains_state(usernetctl_t) - -files_read_etc_files(usernetctl_t) -files_exec_etc_files(usernetctl_t) -files_read_etc_runtime_files(usernetctl_t) -files_list_pids(usernetctl_t) -files_list_home(usernetctl_t) -files_read_usr_files(usernetctl_t) - -fs_search_auto_mountpoints(usernetctl_t) - -auth_use_nsswitch(usernetctl_t) - -logging_send_syslog_msg(usernetctl_t) - -miscfiles_read_localization(usernetctl_t) - -seutil_read_config(usernetctl_t) - -sysnet_read_config(usernetctl_t) - -userdom_use_user_terminals(usernetctl_t) - -optional_policy(` - hostname_exec(usernetctl_t) -') - -optional_policy(` - nis_use_ypbind(usernetctl_t) -') diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc deleted file mode 100644 index 028c994..0000000 --- a/policy/modules/apps/vmware.fc +++ /dev/null @@ -1,71 +0,0 @@ -# -# HOME_DIR/ -# -HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) -HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0) -HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) - -# -# /etc -# -/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0) - -# -# /usr -# -/usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) - -/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) -/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - -ifdef(`distro_redhat',` -/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -') - -/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) -/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - -/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) - -ifdef(`distro_gentoo',` -/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) -') - -/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) -/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) - -/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0) -/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) -/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if deleted file mode 100644 index 853f575..0000000 --- a/policy/modules/apps/vmware.if +++ /dev/null @@ -1,104 +0,0 @@ -## VMWare Workstation virtual machines - -######################################## -## -## Role access for vmware -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`vmware_role',` - gen_require(` - type vmware_t, vmware_exec_t; - ') - - role $1 types vmware_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, vmware_exec_t, vmware_t) - - # allow ps to show vmware and allow the user to kill it - ps_process_pattern($2, vmware_t) - allow $2 vmware_t:process signal; -') - -######################################## -## -## Execute vmware host executables -## -## -## -## Domain allowed access. -## -## -# -interface(`vmware_exec_host',` - gen_require(` - type vmware_host_exec_t; - ') - - can_exec($1, vmware_host_exec_t) -') - -######################################## -## -## Read VMWare system configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vmware_read_system_config',` - gen_require(` - type vmware_sys_conf_t; - ') - - allow $1 vmware_sys_conf_t:file { getattr read }; -') - -######################################## -## -## Append to VMWare system configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vmware_append_system_config',` - gen_require(` - type vmware_sys_conf_t; - ') - - allow $1 vmware_sys_conf_t:file append; -') - -######################################## -## -## Append to VMWare log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vmware_append_log',` - gen_require(` - type vmware_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, vmware_log_t, vmware_log_t) -') diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te deleted file mode 100644 index 4bdcbe3..0000000 --- a/policy/modules/apps/vmware.te +++ /dev/null @@ -1,295 +0,0 @@ -policy_module(vmware, 2.2.1) - -######################################## -# -# Declarations -# - -# VMWare user program -type vmware_t; -type vmware_exec_t; -typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t }; -typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t }; -application_domain(vmware_t, vmware_exec_t) -ubac_constrained(vmware_t) - -type vmware_conf_t; -typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t }; -typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t }; -userdom_user_home_content(vmware_conf_t) - -type vmware_file_t; -typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t }; -typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t }; -userdom_user_home_content(vmware_file_t) - -# VMWare host programs -type vmware_host_t; -type vmware_host_exec_t; -init_daemon_domain(vmware_host_t, vmware_host_exec_t) - -type vmware_host_pid_t alias vmware_var_run_t; -files_pid_file(vmware_host_pid_t) - -type vmware_host_tmp_t; -files_tmp_file(vmware_host_tmp_t) -ubac_constrained(vmware_host_tmp_t) - -type vmware_log_t; -typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t }; -typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t }; -logging_log_file(vmware_log_t) -ubac_constrained(vmware_log_t) - -type vmware_pid_t; -typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t }; -typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t }; -files_pid_file(vmware_pid_t) -ubac_constrained(vmware_pid_t) - -# Systemwide configuration files -type vmware_sys_conf_t; -files_type(vmware_sys_conf_t) - -type vmware_tmp_t; -typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t }; -typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t }; -files_tmp_file(vmware_tmp_t) -ubac_constrained(vmware_tmp_t) - -type vmware_tmpfs_t; -typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t }; -typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t }; -files_tmpfs_file(vmware_tmpfs_t) -ubac_constrained(vmware_tmpfs_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# VMWare host local policy -# - -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; -dontaudit vmware_host_t self:capability sys_tty_config; -allow vmware_host_t self:process { execstack execmem signal_perms }; -allow vmware_host_t self:fifo_file rw_fifo_file_perms; -allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; -allow vmware_host_t self:rawip_socket create_socket_perms; -allow vmware_host_t self:tcp_socket create_socket_perms; - -can_exec(vmware_host_t, vmware_host_exec_t) - -# cjp: the ro and rw files should be split up -manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) -manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) - -manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) -manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) -manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) -files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir }) - -manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) -manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) -files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file }) - -manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) -logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) - -kernel_read_kernel_sysctls(vmware_host_t) -kernel_read_system_state(vmware_host_t) -kernel_read_network_state(vmware_host_t) - -corenet_all_recvfrom_unlabeled(vmware_host_t) -corenet_all_recvfrom_netlabel(vmware_host_t) -corenet_tcp_sendrecv_generic_if(vmware_host_t) -corenet_udp_sendrecv_generic_if(vmware_host_t) -corenet_raw_sendrecv_generic_if(vmware_host_t) -corenet_tcp_sendrecv_generic_node(vmware_host_t) -corenet_udp_sendrecv_generic_node(vmware_host_t) -corenet_raw_sendrecv_generic_node(vmware_host_t) -corenet_tcp_sendrecv_all_ports(vmware_host_t) -corenet_udp_sendrecv_all_ports(vmware_host_t) -corenet_raw_bind_generic_node(vmware_host_t) -corenet_tcp_bind_generic_node(vmware_host_t) -corenet_udp_bind_generic_node(vmware_host_t) -corenet_tcp_connect_all_ports(vmware_host_t) -corenet_sendrecv_all_client_packets(vmware_host_t) -corenet_sendrecv_all_server_packets(vmware_host_t) - -corecmd_exec_bin(vmware_host_t) -corecmd_exec_shell(vmware_host_t) - -dev_getattr_all_blk_files(vmware_host_t) -dev_read_sysfs(vmware_host_t) -dev_read_urand(vmware_host_t) -dev_rw_vmware(vmware_host_t) -dev_rw_generic_chr_files(vmware_host_t) - -domain_use_interactive_fds(vmware_host_t) -domain_dontaudit_read_all_domains_state(vmware_host_t) - -files_list_tmp(vmware_host_t) -files_read_etc_files(vmware_host_t) -files_read_etc_runtime_files(vmware_host_t) -files_read_usr_files(vmware_host_t) - -fs_getattr_all_fs(vmware_host_t) -fs_search_auto_mountpoints(vmware_host_t) - -storage_getattr_fixed_disk_dev(vmware_host_t) - -term_dontaudit_use_console(vmware_host_t) - -init_use_fds(vmware_host_t) -init_use_script_ptys(vmware_host_t) - -libs_exec_ld_so(vmware_host_t) - -logging_send_syslog_msg(vmware_host_t) - -miscfiles_read_localization(vmware_host_t) - -sysnet_dns_name_resolve(vmware_host_t) -sysnet_domtrans_ifconfig(vmware_host_t) - -userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) -userdom_dontaudit_search_user_home_dirs(vmware_host_t) - -netutils_domtrans_ping(vmware_host_t) - -optional_policy(` - hostname_exec(vmware_host_t) -') - -optional_policy(` - modutils_domtrans_insmod(vmware_host_t) -') - -optional_policy(` - seutil_sigchld_newrole(vmware_host_t) -') - -optional_policy(` - shutdown_domtrans(vmware_host_t) -') - -optional_policy(` - udev_read_db(vmware_host_t) -') - -optional_policy(` - xserver_read_tmp_files(vmware_host_t) - xserver_read_xdm_pid(vmware_host_t) -') - -ifdef(`TODO',` -# VMWare need access to pcmcia devices for network -optional_policy(` -allow kernel_t cardmgr_var_lib_t:dir { getattr search }; -allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read }; -') -# Vmware create network devices -allow kernel_t self:capability net_admin; -allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; -allow kernel_t self:socket create; -') - -############################## -# -# VMWare guest local policy -# - -allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; -dontaudit vmware_t self:capability sys_tty_config; -allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow vmware_t self:process { execmem execstack }; -allow vmware_t self:fd use; -allow vmware_t self:fifo_file rw_fifo_file_perms; -allow vmware_t self:unix_dgram_socket { create_socket_perms sendto }; -allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow vmware_t self:shm create_shm_perms; -allow vmware_t self:sem create_sem_perms; -allow vmware_t self:msgq create_msgq_perms; -allow vmware_t self:msg { send receive }; - -can_exec(vmware_t, vmware_exec_t) - -# User configuration files -allow vmware_t vmware_conf_t:file manage_file_perms; - -# VMWare disks -manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t) -manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t) - -allow vmware_t vmware_tmp_t:file execute; -manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) -manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) -manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) -files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir }) - -manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -# Read clobal configuration files -allow vmware_t vmware_sys_conf_t:dir list_dir_perms; -read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) -read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) - -manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file }) - -kernel_read_system_state(vmware_t) -kernel_read_network_state(vmware_t) -kernel_read_kernel_sysctls(vmware_t) - -# startup scripts -corecmd_exec_bin(vmware_t) -corecmd_exec_shell(vmware_t) - -dev_read_raw_memory(vmware_t) -dev_write_raw_memory(vmware_t) -dev_read_mouse(vmware_t) -dev_write_sound(vmware_t) -dev_read_realtime_clock(vmware_t) -dev_rwx_vmware(vmware_t) -dev_rw_usbfs(vmware_t) -dev_search_sysfs(vmware_t) - -domain_use_interactive_fds(vmware_t) - -files_read_etc_files(vmware_t) -files_read_etc_runtime_files(vmware_t) -files_read_usr_files(vmware_t) -files_list_home(vmware_t) - -fs_getattr_all_fs(vmware_t) -fs_search_auto_mountpoints(vmware_t) - -storage_raw_read_removable_device(vmware_t) -storage_raw_write_removable_device(vmware_t) - -# startup scripts run ldd -libs_exec_ld_so(vmware_t) -# Access X11 config files -libs_read_lib_files(vmware_t) - -miscfiles_read_localization(vmware_t) - -userdom_use_user_terminals(vmware_t) -userdom_list_user_home_dirs(vmware_t) -# cjp: why? -userdom_read_user_home_content_files(vmware_t) - -sysnet_dns_name_resolve(vmware_t) -sysnet_read_config(vmware_t) - -xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t) diff --git a/policy/modules/apps/webalizer.fc b/policy/modules/apps/webalizer.fc deleted file mode 100644 index e4f7d30..0000000 --- a/policy/modules/apps/webalizer.fc +++ /dev/null @@ -1,10 +0,0 @@ - -# -# /usr -# -/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0) - -# -# /var -# -/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0) diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if deleted file mode 100644 index 3c78e7c..0000000 --- a/policy/modules/apps/webalizer.if +++ /dev/null @@ -1,45 +0,0 @@ -## Web server log analysis - -######################################## -## -## Execute webalizer in the webalizer domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`webalizer_domtrans',` - gen_require(` - type webalizer_t, webalizer_exec_t; - ') - - domtrans_pattern($1, webalizer_exec_t, webalizer_t) -') - -######################################## -## -## Execute webalizer in the webalizer domain, and -## allow the specified role the webalizer domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`webalizer_run',` - gen_require(` - type webalizer_t; - ') - - webalizer_domtrans($1) - role $2 types webalizer_t; -') diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te deleted file mode 100644 index f79314b..0000000 --- a/policy/modules/apps/webalizer.te +++ /dev/null @@ -1,105 +0,0 @@ -policy_module(webalizer, 1.10.0) - -######################################## -# -# Declarations -# - -type webalizer_t; -type webalizer_exec_t; -application_domain(webalizer_t, webalizer_exec_t) -role system_r types webalizer_t; - -type webalizer_etc_t; -files_config_file(webalizer_etc_t) - -type webalizer_usage_t; -files_type(webalizer_usage_t) - -type webalizer_tmp_t; -files_tmp_file(webalizer_tmp_t) - -type webalizer_var_lib_t; -files_type(webalizer_var_lib_t) - -type webalizer_write_t; -files_type(webalizer_write_t) - -######################################## -# -# Local policy -# - -allow webalizer_t self:capability dac_override; -allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow webalizer_t self:fd use; -allow webalizer_t self:fifo_file rw_fifo_file_perms; -allow webalizer_t self:sock_file read_sock_file_perms; -allow webalizer_t self:shm create_shm_perms; -allow webalizer_t self:sem create_sem_perms; -allow webalizer_t self:msgq create_msgq_perms; -allow webalizer_t self:msg { send receive }; -allow webalizer_t self:unix_dgram_socket create_socket_perms; -allow webalizer_t self:unix_stream_socket create_stream_socket_perms; -allow webalizer_t self:unix_dgram_socket sendto; -allow webalizer_t self:unix_stream_socket connectto; -allow webalizer_t self:tcp_socket connected_stream_socket_perms; -allow webalizer_t self:udp_socket { connect connected_socket_perms }; -allow webalizer_t self:netlink_route_socket r_netlink_socket_perms; - -allow webalizer_t webalizer_etc_t:file read_file_perms; - -manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) -manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) -files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir }) - -manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t) -files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file) - -kernel_read_kernel_sysctls(webalizer_t) -kernel_read_system_state(webalizer_t) - -corenet_all_recvfrom_unlabeled(webalizer_t) -corenet_all_recvfrom_netlabel(webalizer_t) -corenet_tcp_sendrecv_generic_if(webalizer_t) -corenet_tcp_sendrecv_generic_node(webalizer_t) -corenet_tcp_sendrecv_all_ports(webalizer_t) - -fs_search_auto_mountpoints(webalizer_t) -fs_getattr_xattr_fs(webalizer_t) -fs_rw_anon_inodefs_files(webalizer_t) - -files_read_etc_files(webalizer_t) -files_read_etc_runtime_files(webalizer_t) - -logging_list_logs(webalizer_t) -logging_send_syslog_msg(webalizer_t) - -miscfiles_read_localization(webalizer_t) -miscfiles_read_public_files(webalizer_t) - -sysnet_dns_name_resolve(webalizer_t) -sysnet_read_config(webalizer_t) - -userdom_use_user_terminals(webalizer_t) -userdom_use_unpriv_users_fds(webalizer_t) -userdom_dontaudit_search_user_home_content(webalizer_t) - -apache_read_log(webalizer_t) -apache_manage_sys_content(webalizer_t) - -optional_policy(` - cron_system_entry(webalizer_t, webalizer_exec_t) -') - -optional_policy(` - ftp_read_log(webalizer_t) -') - -optional_policy(` - nis_use_ypbind(webalizer_t) -') - -optional_policy(` - nscd_socket_use(webalizer_t) -') diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc deleted file mode 100644 index 9782698..0000000 --- a/policy/modules/apps/wine.fc +++ /dev/null @@ -1,22 +0,0 @@ -HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) - -/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - -/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - -/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - -/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if deleted file mode 100644 index e10101a..0000000 --- a/policy/modules/apps/wine.if +++ /dev/null @@ -1,186 +0,0 @@ -## Wine Is Not an Emulator. Run Windows programs in Linux. - -####################################### -## -## The per role template for the wine module. -## -## -##

-## This template creates a derived domains which are used -## for wine applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. -## -## -# -template(`wine_role',` - gen_require(` - type wine_t; - type wine_home_t; - type wine_exec_t; - ') - - role $1 types wine_t; - - domain_auto_trans($2, wine_exec_t, wine_t) - # Unrestricted inheritance from the caller. - allow $2 wine_t:process { noatsecure siginh rlimitinh }; - allow wine_t $2:fd use; - allow wine_t $2:process { sigchld signull }; - allow wine_t $2:unix_stream_socket connectto; - - # Allow the user domain to signal/ps. - ps_process_pattern($2, wine_t) - allow $2 wine_t:process signal_perms; - - allow $2 wine_t:fd use; - allow $2 wine_t:shm { associate getattr unix_read unix_write }; - allow $2 wine_t:unix_stream_socket connectto; - - # X access, Home files - manage_dirs_pattern($2, wine_home_t, wine_home_t) - manage_files_pattern($2, wine_home_t, wine_home_t) - manage_lnk_files_pattern($2, wine_home_t, wine_home_t) - relabel_dirs_pattern($2, wine_home_t, wine_home_t) - relabel_files_pattern($2, wine_home_t, wine_home_t) - relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) -') - -####################################### -## -## The role template for the wine module. -## -## -##

-## This template creates a derived domains which are used -## for wine applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`wine_role_template',` - gen_require(` - type wine_t; - type wine_exec_t; - ') - - type $1_wine_t; - domain_type($1_wine_t) - domain_entry_file($1_wine_t, wine_exec_t) - ubac_constrained($1_wine_t) - role $2 types $1_wine_t; - - allow $1_wine_t self:process { execmem execstack }; - allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; - domtrans_pattern($3, wine_exec_t, $1_wine_t) - corecmd_bin_domtrans($1_wine_t, $1_t) - - userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_tmpfs_role($2, $1_wine_t) - - domain_mmap_low($1_wine_t) - - tunable_policy(`wine_mmap_zero_ignore',` - dontaudit $1_wine_t self:memprotect mmap_zero; - ') - - tunable_policy(`wine_mmap_zero_ignore',` - dontaudit $1_wine_t self:memprotect mmap_zero; - ') - - optional_policy(` - xserver_role($1_r, $1_wine_t) - ') -') - -######################################## -## -## Execute the wine program in the wine domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`wine_domtrans',` - gen_require(` - type wine_t, wine_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wine_exec_t, wine_t) -') - -######################################## -## -## Execute wine in the wine domain, and -## allow the specified role the wine domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`wine_run',` - gen_require(` - type wine_t; - ') - - wine_domtrans($1) - role $2 types wine_t; -') - -######################################## -## -## Read and write wine Shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -# -interface(`wine_rw_shm',` - gen_require(` - type wine_t; - ') - - allow $1 wine_t:shm rw_shm_perms; -') diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te deleted file mode 100644 index 277543a..0000000 --- a/policy/modules/apps/wine.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(wine, 1.7.2) - -######################################## -# -# Declarations -# - -## -##

-## Ignore wine mmap_zero errors. -##

-##
-gen_tunable(wine_mmap_zero_ignore, false) - -type wine_t; -type wine_exec_t; -application_domain(wine_t, wine_exec_t) -ubac_constrained(wine_t) -role system_r types wine_t; - -type wine_tmp_t; -files_tmp_file(wine_tmp_t) -ubac_constrained(wine_tmp_t) - -######################################## -# -# Local policy -# - -allow wine_t self:process { execstack execmem execheap }; -allow wine_t self:fifo_file manage_fifo_file_perms; - -can_exec(wine_t, wine_exec_t) - -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) - -domain_mmap_low(wine_t) - -files_execmod_all_files(wine_t) - -userdom_use_user_terminals(wine_t) - -tunable_policy(`wine_mmap_zero_ignore',` - dontaudit wine_t self:memprotect mmap_zero; -') - -optional_policy(` - hal_dbus_chat(wine_t) -') - -optional_policy(` - policykit_dbus_chat(wine_t) -') - -optional_policy(` - unconfined_domain(wine_t) -') - -optional_policy(` - xserver_read_xdm_pid(wine_t) - xserver_rw_shm(wine_t) -') diff --git a/policy/modules/apps/wireshark.fc b/policy/modules/apps/wireshark.fc deleted file mode 100644 index 96844ae..0000000 --- a/policy/modules/apps/wireshark.fc +++ /dev/null @@ -1,3 +0,0 @@ -HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0) - -/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0) diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if deleted file mode 100644 index ea6ffe6..0000000 --- a/policy/modules/apps/wireshark.if +++ /dev/null @@ -1,55 +0,0 @@ -## Wireshark packet capture tool. - -############################################################ -## -## Role access for wireshark -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`wireshark_role',` - gen_require(` - type wireshark_t, wireshark_exec_t; - type wireshark_home_t, wireshark_tmp_t; - type wireshark_tmpfs_t; - ') - - role $1 types wireshark_t; - - domain_auto_trans($2, wireshark_exec_t, wireshark_t) - allow wireshark_t $2:fd use; - allow wireshark_t $2:process sigchld; - - manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t) - manage_files_pattern($2, wireshark_home_t, wireshark_home_t) - manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) - relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t) - relabel_files_pattern($2, wireshark_home_t, wireshark_home_t) - relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) -') - -######################################## -## -## Run wireshark in wireshark domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`wireshark_domtrans',` - gen_require(` - type wireshark_t, wireshark_exec_t; - ') - - domtrans_pattern($1, wireshark_exec_t, wireshark_t) -') diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te deleted file mode 100644 index 7c05189..0000000 --- a/policy/modules/apps/wireshark.te +++ /dev/null @@ -1,123 +0,0 @@ -policy_module(wireshark, 2.1.1) - -######################################## -# -# Declarations -# - -type wireshark_t; -type wireshark_exec_t; -typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t }; -typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t }; -application_domain(wireshark_t, wireshark_exec_t) -ubac_constrained(wireshark_t) - -type wireshark_home_t; -typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t }; -typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t }; -files_poly_member(wireshark_home_t) -userdom_user_home_content(wireshark_home_t) - -type wireshark_tmp_t; -typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t }; -typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t }; -files_tmp_file(wireshark_tmp_t) -ubac_constrained(wireshark_tmp_t) - -type wireshark_tmpfs_t; -typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t }; -typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t }; -files_tmpfs_file(wireshark_tmpfs_t) -ubac_constrained(wireshark_tmpfs_t) - -############################## -# -# Local Policy -# - -allow wireshark_t self:capability { net_admin net_raw setgid }; -allow wireshark_t self:process { signal getsched }; -allow wireshark_t self:fifo_file { getattr read write }; -allow wireshark_t self:shm destroy; -allow wireshark_t self:shm create_shm_perms; -allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms }; -allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read }; -allow wireshark_t self:tcp_socket create_socket_perms; -allow wireshark_t self:udp_socket create_socket_perms; - -# Re-execute itself (why?) -can_exec(wireshark_t, wireshark_exec_t) -corecmd_search_bin(wireshark_t) - -# /home/.wireshark -manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir) - -# Store temporary files -manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) -manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) -files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file }) - -manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(wireshark_t) -kernel_read_system_state(wireshark_t) -kernel_read_sysctl(wireshark_t) - -corecmd_search_bin(wireshark_t) - -corenet_tcp_connect_generic_port(wireshark_t) -corenet_tcp_sendrecv_generic_if(wireshark_t) - -dev_read_urand(wireshark_t) - -files_read_etc_files(wireshark_t) -files_read_usr_files(wireshark_t) - -fs_list_inotifyfs(wireshark_t) -fs_search_auto_mountpoints(wireshark_t) - -libs_read_lib_files(wireshark_t) - -miscfiles_read_fonts(wireshark_t) -miscfiles_read_localization(wireshark_t) - -seutil_use_newrole_fds(wireshark_t) - -sysnet_read_config(wireshark_t) - -userdom_manage_user_home_content_files(wireshark_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(wireshark_t) - fs_manage_nfs_files(wireshark_t) - fs_manage_nfs_symlinks(wireshark_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(wireshark_t) - fs_manage_cifs_files(wireshark_t) - fs_manage_cifs_symlinks(wireshark_t) -') - -optional_policy(` - nscd_socket_use(wireshark_t) -') - -# Manual transition from userhelper -optional_policy(` - userhelper_use_fd(wireshark_t) - userhelper_sigchld(wireshark_t) -') - -optional_policy(` - xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t) - xserver_create_xdm_tmp_sockets(wireshark_t) -') diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc deleted file mode 100644 index be30d55..0000000 --- a/policy/modules/apps/wm.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) -/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) -/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if deleted file mode 100644 index 369c3b5..0000000 --- a/policy/modules/apps/wm.if +++ /dev/null @@ -1,113 +0,0 @@ -## X Window Managers - -####################################### -## -## The role template for the wm module. -## -## -##

-## This template creates a derived domains which are used -## for window manager applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`wm_role_template',` - gen_require(` - type wm_exec_t; - class dbus send_msg; - ') - - type $1_wm_t; - domain_type($1_wm_t) - domain_entry_file($1_wm_t, wm_exec_t) - role $2 types $1_wm_t; - - allow $1_wm_t self:fifo_file rw_fifo_file_perms; - allow $1_wm_t self:process getsched; - allow $1_wm_t self:shm create_shm_perms; - - allow $1_wm_t $3:unix_stream_socket connectto; - allow $3 $1_wm_t:unix_stream_socket connectto; - allow $3 $1_wm_t:process { signal sigchld }; - allow $1_wm_t $3:process { signull sigkill }; - - allow $1_wm_t $3:dbus send_msg; - allow $3 $1_wm_t:dbus send_msg; - - domtrans_pattern($3, wm_exec_t, $1_wm_t) - - kernel_read_system_state($1_wm_t) - - corecmd_bin_domtrans($1_wm_t, $3) - corecmd_shell_domtrans($1_wm_t, $3) - - dev_read_urand($1_wm_t) - - files_read_etc_files($1_wm_t) - files_read_usr_files($1_wm_t) - - fs_getattr_tmpfs($1_wm_t) - - mls_file_read_all_levels($1_wm_t) - mls_file_write_all_levels($1_wm_t) - mls_xwin_read_all_levels($1_wm_t) - mls_xwin_write_all_levels($1_wm_t) - mls_fd_use_all_levels($1_wm_t) - - auth_use_nsswitch($1_wm_t) - - miscfiles_read_fonts($1_wm_t) - miscfiles_read_localization($1_wm_t) - - userdom_manage_home_role($2, $1_wm_t) - userdom_manage_tmpfs_role($2, $1_wm_t) - userdom_manage_tmp_role($2, $1_wm_t) - - optional_policy(` - dbus_system_bus_client($1_wm_t) - dbus_session_bus_client($1_wm_t) - ') - - optional_policy(` - pulseaudio_stream_connect($1_wm_t) - ') - - optional_policy(` - xserver_role($2, $1_wm_t) - xserver_manage_core_devices($1_wm_t) - ') -') - -######################################## -## -## Execute the wm program in the wm domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`wm_exec',` - gen_require(` - type wm_exec_t; - ') - - can_exec($1, wm_exec_t) -') diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te deleted file mode 100644 index aeea34d..0000000 --- a/policy/modules/apps/wm.te +++ /dev/null @@ -1,9 +0,0 @@ -policy_module(wm, 1.0.2) - -######################################## -# -# Declarations -# - -type wm_exec_t; -corecmd_executable_file(wm_exec_t) diff --git a/policy/modules/apps/xscreensaver.fc b/policy/modules/apps/xscreensaver.fc deleted file mode 100644 index 29396da..0000000 --- a/policy/modules/apps/xscreensaver.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0) diff --git a/policy/modules/apps/xscreensaver.if b/policy/modules/apps/xscreensaver.if deleted file mode 100644 index 1067bd1..0000000 --- a/policy/modules/apps/xscreensaver.if +++ /dev/null @@ -1,30 +0,0 @@ -## X Screensaver - -######################################## -## -## Role access for xscreensaver -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`xscreensaver_role',` - gen_require(` - type xscreensaver_t, xscreensaver_exec_t; - ') - - role $1 types xscreensaver_t; - - domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, xscreensaver_t) - allow $2 xscreensaver_t:process signal_perms; -') diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te deleted file mode 100644 index 1bdeb16..0000000 --- a/policy/modules/apps/xscreensaver.te +++ /dev/null @@ -1,44 +0,0 @@ -policy_module(xscreensaver, 1.0.0) - -######################################## -# -# Declarations -# - -type xscreensaver_t; -type xscreensaver_exec_t; -application_domain(xscreensaver_t, xscreensaver_exec_t) -ubac_constrained(xscreensaver_t) - -type xscreensaver_tmpfs_t; -files_tmpfs_file(xscreensaver_tmpfs_t) -ubac_constrained(xscreensaver_tmpfs_t) - -######################################## -# -# Local policy -# - -allow xscreensaver_t self:fifo_file rw_fifo_file_perms; -allow xscreensaver_t self:process signal; - -kernel_read_system_state(xscreensaver_t) - -files_read_usr_files(xscreensaver_t) - -auth_use_nsswitch(xscreensaver_t) -auth_domtrans_chk_passwd(xscreensaver_t) - -#/var/run/utmp -init_read_utmp(xscreensaver_t) - -logging_send_audit_msgs(xscreensaver_t) -logging_send_syslog_msg(xscreensaver_t) - -miscfiles_read_localization(xscreensaver_t) - -userdom_use_user_ptys(xscreensaver_t) -#access to .icons and ~/.xscreensaver -userdom_read_user_home_content_files(xscreensaver_t) - -xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) diff --git a/policy/modules/apps/yam.fc b/policy/modules/apps/yam.fc deleted file mode 100644 index 4ec6ede..0000000 --- a/policy/modules/apps/yam.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/yam\.conf -- gen_context(system_u:object_r:yam_etc_t,s0) - -/usr/bin/yam -- gen_context(system_u:object_r:yam_exec_t,s0) - -/var/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0) -/var/www/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0) diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if deleted file mode 100644 index 07015a2..0000000 --- a/policy/modules/apps/yam.if +++ /dev/null @@ -1,66 +0,0 @@ -## Yum/Apt Mirroring - -######################################## -## -## Execute yam in the yam domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`yam_domtrans',` - gen_require(` - type yam_t, yam_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, yam_exec_t, yam_t) -') - -######################################## -## -## Execute yam in the yam domain, and -## allow the specified role the yam domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`yam_run',` - gen_require(` - type yam_t; - ') - - yam_domtrans($1) - role $2 types yam_t; -') - -######################################## -## -## Read yam content. -## -## -## -## Domain allowed access. -## -## -# -interface(`yam_read_content',` - gen_require(` - type yam_content_t; - ') - - allow $1 yam_content_t:dir list_dir_perms; - read_files_pattern($1, yam_content_t, yam_content_t) - read_lnk_files_pattern($1, yam_content_t, yam_content_t) -') diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te deleted file mode 100644 index 223ad43..0000000 --- a/policy/modules/apps/yam.te +++ /dev/null @@ -1,124 +0,0 @@ -policy_module(yam, 1.4.0) - -######################################## -# -# Declarations -# - -type yam_t alias yam_crond_t; -type yam_exec_t; -application_domain(yam_t, yam_exec_t) - -type yam_content_t; -files_mountpoint(yam_content_t) - -type yam_etc_t; -files_config_file(yam_etc_t) - -type yam_tmp_t; -files_tmp_file(yam_tmp_t) - -######################################## -# -# Local policy -# - -allow yam_t self:capability { chown fowner fsetid dac_override }; -allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow yam_t self:process execmem; -allow yam_t self:fd use; -allow yam_t self:fifo_file rw_fifo_file_perms; -allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow yam_t self:unix_dgram_socket { create_socket_perms sendto }; -allow yam_t self:shm create_shm_perms; -allow yam_t self:sem create_sem_perms; -allow yam_t self:msgq create_msgq_perms; -allow yam_t self:msg { send receive }; -allow yam_t self:tcp_socket create_socket_perms; - -# Update the content being managed by yam. -manage_dirs_pattern(yam_t, yam_content_t, yam_content_t) -manage_files_pattern(yam_t, yam_content_t, yam_content_t) -manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t) - -allow yam_t yam_etc_t:file read_file_perms; -files_search_etc(yam_t) - -manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t) -manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t) -files_tmp_filetrans(yam_t, yam_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(yam_t) -kernel_read_proc_symlinks(yam_t) -# Python works fine without reading /proc/meminfo -kernel_dontaudit_read_system_state(yam_t) - -corecmd_exec_shell(yam_t) -corecmd_exec_bin(yam_t) - -# Rsync and lftp need to network. They also set files attributes to -# match whats on the remote server. -corenet_all_recvfrom_unlabeled(yam_t) -corenet_all_recvfrom_netlabel(yam_t) -corenet_tcp_sendrecv_generic_if(yam_t) -corenet_tcp_sendrecv_generic_node(yam_t) -corenet_tcp_sendrecv_all_ports(yam_t) -corenet_tcp_connect_http_port(yam_t) -corenet_tcp_connect_rsync_port(yam_t) -corenet_sendrecv_http_client_packets(yam_t) -corenet_sendrecv_rsync_client_packets(yam_t) - -# mktemp -dev_read_urand(yam_t) - -files_read_etc_files(yam_t) -files_read_etc_runtime_files(yam_t) -# /usr/share/createrepo/genpkgmetadata.py: -files_exec_usr_files(yam_t) -# Programs invoked to build package lists need various permissions. -# genpkglist creates tmp files in /var/cache/apt/genpkglist -files_rw_var_files(yam_t) - -fs_search_auto_mountpoints(yam_t) -# Content can also be on ISO image files. -fs_read_iso9660_files(yam_t) - -logging_send_syslog_msg(yam_t) - -miscfiles_read_localization(yam_t) - -seutil_read_config(yam_t) - -sysnet_dns_name_resolve(yam_t) -sysnet_read_config(yam_t) - -userdom_use_user_terminals(yam_t) -userdom_use_unpriv_users_fds(yam_t) -# Reading dotfiles... -# cjp: ? -userdom_search_user_home_dirs(yam_t) - -# The whole point of this program is to make updates available on a -# local web server. Need to go through /var to get to /var/yam -# Go through /var/www to get to /var/www/yam -apache_search_sys_content(yam_t) - -optional_policy(` - cron_system_entry(yam_t, yam_exec_t) -') - -optional_policy(` - mount_domtrans(yam_t) -') - -optional_policy(` - nis_use_ypbind(yam_t) -') - -optional_policy(` - nscd_socket_use(yam_t) -') - -optional_policy(` - rsync_exec(yam_t) -') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc deleted file mode 100644 index 46af2a4..0000000 --- a/policy/modules/kernel/corecommands.fc +++ /dev/null @@ -1,392 +0,0 @@ - -# -# /bin -# -/bin -d gen_context(system_u:object_r:bin_t,s0) -/bin/.* gen_context(system_u:object_r:bin_t,s0) -/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) -/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) -/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) -/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) -/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) -/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) -/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) -/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) -/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) -/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) -/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) - -# -# /dev -# -/dev/MAKEDEV -- gen_context(system_u:object_r:bin_t,s0) - -# -# /emul -# -ifdef(`distro_redhat',` -/emul/ia32-linux/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/emul/ia32-linux/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/emul/ia32-linux/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/emul/ia32-linux/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/emul/ia32-linux/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/emul/ia32-linux/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) -') - -# -# /etc -# -/etc/acpi/actions(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0) -/etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0) -/etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0) -/etc/apcupsd/commok -- gen_context(system_u:object_r:bin_t,s0) -/etc/apcupsd/masterconnect -- gen_context(system_u:object_r:bin_t,s0) -/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0) -/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) -/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) - -/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) - -/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) -/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) - -/etc/ConsoleKit/run-seat\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -/etc/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0) -/etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0) -/etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0) -/etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) -/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) -/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0) - -/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) - -/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) -/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) - -/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/etc/PackageKit/events(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) -/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) -/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) -/etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0) - -/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) - -/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) - -/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) -/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) -/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -/etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) -/etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) - -/etc/sysconfig/network-scripts/ifup.* gen_context(system_u:object_r:bin_t,s0) -/etc/sysconfig/network-scripts/ifdown.* gen_context(system_u:object_r:bin_t,s0) -/etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0) -/etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0) - -/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) -/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) -/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/etc/pki/tls/certs/make-dummy-cert -- gen_context(system_u:object_r:bin_t,s0) -/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0) - -/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) -/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) - -ifdef(`distro_debian',` -/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) -') - -/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) - -# -# /lib -# - -/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) -/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) -/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) - -ifdef(`distro_gentoo',` -/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -/lib64/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) - -/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) -/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) -/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0) -/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) -') -/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) -/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) - -# -# /sbin -# -/sbin -d gen_context(system_u:object_r:bin_t,s0) -/sbin/.* gen_context(system_u:object_r:bin_t,s0) -/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) -/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) - -# -# /opt -# -/opt/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/opt/(.*/)?libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) - -ifdef(`distro_gentoo',` -/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) -/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) -/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) -') - -# -# /usr -# -/usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) - -/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) - -/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) - -/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) - -/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) - -/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) - -/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) - -/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/ajaxterm/ajaxterm.py.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) -/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) -/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) - -ifdef(`distro_gentoo', ` -/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/.*-.*-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -') - -ifdef(`distro_redhat', ` -/etc/gdm/XKeepsCrashing[^/]* -- gen_context(system_u:object_r:bin_t,s0) -/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) -/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) - -/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/rhn/rhn_applet/needed-packages\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-language/system-config-language -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-lvm/system-config-lvm\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-mouse/system-config-mouse -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-netboot/system-config-netboot\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-netboot/pxeos\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-netboot/pxeboot\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-printer/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-services/gui\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-config-users/system-config-users -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/system-logviewer/system-logviewer\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0) -') - -ifdef(`distro_suse', ` -/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) -') - -# -# /var -# -/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) - -/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0) - -ifdef(`distro_suse',` -/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) -') -/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) - -/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) - -/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0) - -/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) - -/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) - -/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) - -/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) -/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if deleted file mode 100644 index ae853de..0000000 --- a/policy/modules/kernel/corecommands.if +++ /dev/null @@ -1,1094 +0,0 @@ -## -## Core policy for shells, and generic programs -## in /bin, /sbin, /usr/bin, and /usr/sbin. -## -## -## Contains the base bin and sbin directory types -## which need to be searched for the kernel to -## run init. -## - -######################################## -## -## Make the specified type usable for files -## that are exectuables, such as binary programs. -## This does not include shared libraries. -## -## -## -## Type to be used for files. -## -## -# -interface(`corecmd_executable_file',` - gen_require(` - attribute exec_type; - ') - - typeattribute $1 exec_type; - - files_type($1) -') - -######################################## -## -## Create a aliased type to generic bin files. (Deprecated) -## -## -##

-## Create a aliased type to generic bin files. (Deprecated) -##

-##

-## This is added to support targeted policy. Its -## use should be limited. It has no effect -## on the strict policy. -##

-##
-## -## -## Alias type for bin_t. -## -## -# -interface(`corecmd_bin_alias',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Make general progams in bin an entrypoint for -## the specified domain. -## -## -## -## The domain for which bin_t is an entrypoint. -## -## -# -interface(`corecmd_bin_entry_type',` - gen_require(` - type bin_t; - ') - - domain_entry_file($1, bin_t) -') - -######################################## -## -## Make general progams in sbin an entrypoint for -## the specified domain. (Deprecated) -## -## -## -## The domain for which sbin programs are an entrypoint. -## -## -# -interface(`corecmd_sbin_entry_type',` - corecmd_bin_entry_type($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_bin_entry_type() instead.') -') - -######################################## -## -## Make the shell an entrypoint for the specified domain. -## -## -## -## The domain for which the shell is an entrypoint. -## -## -# -interface(`corecmd_shell_entry_type',` - gen_require(` - type shell_exec_t; - ') - - domain_entry_file($1, shell_exec_t) -') - -######################################## -## -## Search the contents of bin directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_search_bin',` - gen_require(` - type bin_t; - ') - - search_dirs_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Do not audit attempts to search the contents of bin directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`corecmd_dontaudit_search_bin',` - gen_require(` - type bin_t; - ') - - dontaudit $1 bin_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of bin directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_list_bin',` - gen_require(` - type bin_t; - ') - - list_dirs_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Do not audit attempts to write bin directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`corecmd_dontaudit_write_bin_dirs',` - gen_require(` - type bin_t; - ') - - dontaudit $1 bin_t:dir write; -') - -######################################## -## -## Do not audit attempts to write bin files. -## -## -## -## Domain to not audit. -## -## -# -interface(`corecmd_dontaudit_write_bin_files',` - gen_require(` - type bin_t; - ') - - dontaudit $1 bin_t:file write; -') - -######################################## -## -## Get the attributes of files in bin directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_getattr_bin_files',` - gen_require(` - type bin_t; - ') - - getattr_files_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Get the attributes of files in bin directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_dontaudit_getattr_bin_files',` - gen_require(` - type bin_t; - ') - - dontaudit $1 bin_t:dir search_dir_perms; - dontaudit $1 bin_t:file getattr_file_perms; -') - -######################################## -## -## Read files in bin directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_read_bin_files',` - gen_require(` - type bin_t; - ') - - read_files_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Read symbolic links in bin directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_read_bin_symlinks',` - gen_require(` - type bin_t; - ') - - read_lnk_files_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Read pipes in bin directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_read_bin_pipes',` - gen_require(` - type bin_t; - ') - - read_fifo_files_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Read named sockets in bin directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_read_bin_sockets',` - gen_require(` - type bin_t; - ') - - read_sock_files_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Execute generic programs in bin directories, -## in the caller domain. -## -## -##

-## Allow the specified domain to execute generic programs -## in system bin directories (/bin, /sbin, /usr/bin, -## /usr/sbin) a without domain transition. -##

-##

-## Typically, this interface should be used when the domain -## executes general system progams within the privileges -## of the source domain. Some examples of these programs -## are ls, cp, sed, python, and tar. This does not include -## shells, such as bash. -##

-##

-## Related interface: -##

-##
    -##
  • corecmd_exec_shell()
  • -##
-##
-## -## -## Domain allowed access. -## -## -# -interface(`corecmd_exec_bin',` - gen_require(` - type bin_t; - ') - - read_lnk_files_pattern($1, bin_t, bin_t) - list_dirs_pattern($1, bin_t, bin_t) - can_exec($1, bin_t) -') - -######################################## -## -## Create, read, write, and delete bin files. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_manage_bin_files',` - gen_require(` - type bin_t; - ') - - manage_files_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Relabel to and from the bin type. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_relabel_bin_files',` - gen_require(` - type bin_t; - ') - - relabel_files_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Mmap a bin file as executable. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_mmap_bin_files',` - gen_require(` - type bin_t; - ') - - mmap_files_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Execute a file in a bin directory -## in the specified domain but do not -## do it automatically. This is an explicit -## transition, requiring the caller to use setexeccon(). -## -## -##

-## Execute a file in a bin directory -## in the specified domain. This allows -## the specified domain to execute any file -## on these filesystems in the specified -## domain. This is not suggested. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## the userhelper policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# -interface(`corecmd_bin_spec_domtrans',` - gen_require(` - type bin_t; - ') - - read_lnk_files_pattern($1, bin_t, bin_t) - domain_transition_pattern($1, bin_t, $2) -') - -######################################## -## -## Execute a file in a bin directory -## in the specified domain. -## -## -##

-## Execute a file in a bin directory -## in the specified domain. This allows -## the specified domain to execute any file -## on these filesystems in the specified -## domain. This is not suggested. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## the ssh-agent policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# -interface(`corecmd_bin_domtrans',` - gen_require(` - type bin_t; - ') - - corecmd_bin_spec_domtrans($1, $2) - type_transition $1 bin_t:process $2; -') - -######################################## -## -## Search the contents of sbin directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_search_sbin',` - corecmd_search_bin($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.') -') - -######################################## -## -## Do not audit attempts to search -## sbin directories. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`corecmd_dontaudit_search_sbin',` - corecmd_dontaudit_search_bin($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_search_bin() instead.') -') - -######################################## -## -## List the contents of sbin directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_list_sbin',` - corecmd_list_bin($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_list_bin() instead.') -') - -######################################## -## -## Do not audit attempts to write -## sbin directories. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`corecmd_dontaudit_write_sbin_dirs',` - corecmd_dontaudit_write_bin_dirs($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_write_bin_dirs() instead.') -') - -######################################## -## -## Get the attributes of sbin files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_getattr_sbin_files',` - corecmd_getattr_bin_files($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_getattr_bin_files() instead.') -') - -######################################## -## -## Do not audit attempts to get the attibutes -## of sbin files. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`corecmd_dontaudit_getattr_sbin_files',` - corecmd_dontaudit_getattr_bin_files($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_getattr_bin_files() instead.') -') - -######################################## -## -## Read files in sbin directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_read_sbin_files',` - corecmd_read_bin_files($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_files() instead.') -') - -######################################## -## -## Read symbolic links in sbin directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_read_sbin_symlinks',` - corecmd_read_bin_symlinks($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_symlinks() instead.') -') - -######################################## -## -## Read named pipes in sbin directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_read_sbin_pipes',` - corecmd_read_bin_pipes($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_pipes() instead.') -') - -######################################## -## -## Read named sockets in sbin directories. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_read_sbin_sockets',` - corecmd_read_bin_sockets($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_sockets() instead.') -') - -######################################## -## -## Execute generic programs in sbin directories, -## in the caller domain. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_exec_sbin',` - corecmd_exec_bin($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.') -') - -######################################## -## -## Create, read, write, and delete sbin files. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`corecmd_manage_sbin_files',` - corecmd_manage_bin_files($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_manage_bin_files() instead.') -') - -######################################## -## -## Relabel to and from the sbin type. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`corecmd_relabel_sbin_files',` - corecmd_relabel_bin_files($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_relabel_bin_files() instead.') -') - -######################################## -## -## Mmap a sbin file as executable. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`corecmd_mmap_sbin_files',` - corecmd_mmap_bin_files($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_mmap_bin_files() instead.') -') - -######################################## -## -## Execute a file in a sbin directory -## in the specified domain. (Deprecated) -## -## -##

-## Execute a file in a sbin directory -## in the specified domain. This allows -## the specified domain to execute any file -## on these filesystems in the specified -## domain. This is not suggested. (Deprecated) -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## the ssh-agent policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# -interface(`corecmd_sbin_domtrans',` - corecmd_bin_domtrans($1, $2) - refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.') -') - -######################################## -## -## Execute a file in a sbin directory -## in the specified domain but do not -## do it automatically. This is an explicit -## transition, requiring the caller to use setexeccon(). (Deprecated) -## -## -##

-## Execute a file in a sbin directory -## in the specified domain. This allows -## the specified domain to execute any file -## on these filesystems in the specified -## domain. This is not suggested. (Deprecated) -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## the userhelper policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# -interface(`corecmd_sbin_spec_domtrans',` - corecmd_bin_spec_domtrans($1, $2) - refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.') -') - -######################################## -## -## Check if a shell is executable (DAC-wise). -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_check_exec_shell',` - gen_require(` - type bin_t, shell_exec_t; - ') - - list_dirs_pattern($1, bin_t, bin_t) - read_lnk_files_pattern($1, bin_t, bin_t) - allow $1 shell_exec_t:file execute; -') - -######################################## -## -## Execute shells in the caller domain. -## -## -##

-## Allow the specified domain to execute shells without -## a domain transition. -##

-##

-## Typically, this interface should be used when the domain -## executes shells within the privileges -## of the source domain. Some examples of these programs -## are bash, tcsh, and zsh. -##

-##

-## Related interface: -##

-##
    -##
  • corecmd_exec_bin()
  • -##
-##
-## -## -## Domain allowed access. -## -## -# -interface(`corecmd_exec_shell',` - gen_require(` - type bin_t, shell_exec_t; - ') - - list_dirs_pattern($1, bin_t, bin_t) - read_lnk_files_pattern($1, bin_t, bin_t) - can_exec($1, shell_exec_t) -') - -######################################## -## -## Execute ls in the caller domain. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_exec_ls',` - corecmd_exec_bin($1) - refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.') -') - -######################################## -## -## Execute a shell in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -##

-## Execute a shell in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the shell process. -## -## -# -interface(`corecmd_shell_spec_domtrans',` - gen_require(` - type bin_t, shell_exec_t; - ') - - list_dirs_pattern($1, bin_t, bin_t) - read_lnk_files_pattern($1, bin_t, bin_t) - domain_transition_pattern($1, shell_exec_t, $2) -') - -######################################## -## -## Execute a shell in the specified domain. -## -## -##

-## Execute a shell in the specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the shell process. -## -## -# -interface(`corecmd_shell_domtrans',` - gen_require(` - type shell_exec_t; - ') - - corecmd_shell_spec_domtrans($1, $2) - type_transition $1 shell_exec_t:process $2; -') - -######################################## -## -## Execute chroot in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_exec_chroot',` - gen_require(` - type chroot_exec_t; - ') - - read_lnk_files_pattern($1, bin_t, bin_t) - can_exec($1, chroot_exec_t) - allow $1 self:capability sys_chroot; -') - -######################################## -## -## Get the attributes of all executable files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corecmd_getattr_all_executables',` - gen_require(` - attribute exec_type; - type bin_t; - ') - - allow $1 bin_t:dir list_dir_perms; - getattr_files_pattern($1, bin_t, exec_type) -') - -######################################## -## -## Read all executable files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corecmd_read_all_executables',` - gen_require(` - attribute exec_type; - ') - - read_files_pattern($1, exec_type, exec_type) -') - -######################################## -## -## Execute all executable files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corecmd_exec_all_executables',` - gen_require(` - attribute exec_type; - type bin_t; - ') - - can_exec($1, exec_type) - list_dirs_pattern($1, bin_t, bin_t) - read_lnk_files_pattern($1, bin_t, exec_type) -') - -######################################## -## -## Do not audit attempts to execute all executables. -## -## -## -## Domain to not audit. -## -## -# -interface(`corecmd_dontaudit_exec_all_executables',` - gen_require(` - attribute exec_type; - ') - - dontaudit $1 exec_type:file { execute execute_no_trans }; -') - -######################################## -## -## Create, read, write, and all executable files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corecmd_manage_all_executables',` - gen_require(` - attribute exec_type; - type bin_t; - ') - - manage_dirs_pattern($1, bin_t, exec_type) - manage_files_pattern($1, bin_t, exec_type) - manage_lnk_files_pattern($1, bin_t, bin_t) -') - -######################################## -## -## Relabel to and from the bin type. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corecmd_relabel_all_executables',` - gen_require(` - attribute exec_type; - type bin_t; - ') - - relabel_files_pattern($1, bin_t, exec_type) -') - -######################################## -## -## Mmap all executables as executable. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_mmap_all_executables',` - gen_require(` - attribute exec_type; - type bin_t; - ') - - mmap_files_pattern($1, bin_t, exec_type) -') diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te deleted file mode 100644 index e1963dd..0000000 --- a/policy/modules/kernel/corecommands.te +++ /dev/null @@ -1,27 +0,0 @@ -policy_module(corecommands, 1.13.2) - -######################################## -# -# Declarations -# - -# -# Types with the exec_type attribute are executable files. -# -attribute exec_type; - -# -# bin_t is the type of files in the system bin/sbin directories. -# -type bin_t alias { ls_exec_t sbin_t }; -corecmd_executable_file(bin_t) -dev_associate(bin_t) #For /dev/MAKEDEV - -# -# shell_exec_t is the type of user shells such as /bin/bash. -# -type shell_exec_t; -corecmd_executable_file(shell_exec_t) - -type chroot_exec_t; -corecmd_executable_file(chroot_exec_t) diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc deleted file mode 100644 index 953e0e8..0000000 --- a/policy/modules/kernel/corenetwork.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/dev/ippp.* -c gen_context(system_u:object_r:ppp_device_t,s0) -/dev/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) -/dev/pppox.* -c gen_context(system_u:object_r:ppp_device_t,s0) -/dev/tap.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) - -/dev/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) - -/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) -/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in deleted file mode 100644 index b06df19..0000000 --- a/policy/modules/kernel/corenetwork.if.in +++ /dev/null @@ -1,3044 +0,0 @@ -## Policy controlling access to network objects -## -## Contains the initial SIDs for network objects. -## - -######################################## -## -## Define type to be a network port type -## -## -##

-## Define type to be a network port type -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for network ports. -## -## -# -interface(`corenet_port',` - gen_require(` - attribute port_type; - ') - - typeattribute $1 port_type; -') - -######################################## -## -## Define network type to be a reserved port (lt 1024) -## -## -##

-## Define network type to be a reserved port (lt 1024) -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for network ports. -## -## -# -interface(`corenet_reserved_port',` - gen_require(` - attribute reserved_port_type; - ') - - typeattribute $1 reserved_port_type; -') - -######################################## -## -## Define network type to be a rpc port ( 512 lt PORT lt 1024) -## -## -##

-## Define network type to be a rpc port ( 512 lt PORT lt 1024) -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for network ports. -## -## -# -interface(`corenet_rpc_port',` - gen_require(` - attribute rpc_port_type; - ') - - typeattribute $1 rpc_port_type; -') - -######################################## -## -## Define type to be a network client packet type -## -## -##

-## Define type to be a network client packet type -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for a network client packet. -## -## -# -interface(`corenet_client_packet',` - gen_require(` - attribute packet_type, client_packet_type; - ') - - typeattribute $1 client_packet_type, packet_type; -') - -######################################## -## -## Define type to be a network server packet type -## -## -##

-## Define type to be a network server packet type -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for a network server packet. -## -## -# -interface(`corenet_server_packet',` - gen_require(` - attribute packet_type, server_packet_type; - ') - - typeattribute $1 server_packet_type, packet_type; -') - -######################################## -## -## Send and receive TCP network traffic on generic interfaces. -## -## -##

-## Allow the specified domain to send and receive TCP network -## traffic on generic network interfaces. -##

-##

-## Related interface: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_tcp_sendrecv_generic_node()
  • -##
  • corenet_tcp_sendrecv_all_ports()
  • -##
  • corenet_tcp_connect_all_ports()
  • -##
-##

-## Example client being able to connect to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:tcp_socket create_stream_socket_perms; -## corenet_tcp_sendrecv_generic_if(myclient_t) -## corenet_tcp_sendrecv_generic_node(myclient_t) -## corenet_tcp_sendrecv_all_ports(myclient_t) -## corenet_tcp_connect_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_sendrecv_generic_if',` - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif { tcp_send tcp_recv egress ingress }; -') - -######################################## -## -## Send UDP network traffic on generic interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_send_generic_if',` - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif { udp_send egress }; -') - -######################################## -## -## Dontaudit attempts to send UDP network traffic -## on generic interfaces. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_send_generic_if',` - gen_require(` - type netif_t; - ') - - dontaudit $1 netif_t:netif { udp_send egress }; -') - -######################################## -## -## Receive UDP network traffic on generic interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_receive_generic_if',` - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif { udp_recv ingress }; -') - -######################################## -## -## Do not audit attempts to receive UDP network -## traffic on generic interfaces. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_receive_generic_if',` - gen_require(` - type netif_t; - ') - - dontaudit $1 netif_t:netif { udp_recv ingress }; -') - -######################################## -## -## Send and receive UDP network traffic on generic interfaces. -## -## -##

-## Allow the specified domain to send and receive UDP network -## traffic on generic network interfaces. -##

-##

-## Related interface: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_udp_sendrecv_generic_node()
  • -##
  • corenet_udp_sendrecv_all_ports()
  • -##
-##

-## Example client being able to send to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:udp_socket create_socket_perms; -## corenet_udp_sendrecv_generic_if(myclient_t) -## corenet_udp_sendrecv_generic_node(myclient_t) -## corenet_udp_sendrecv_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_sendrecv_generic_if',` - corenet_udp_send_generic_if($1) - corenet_udp_receive_generic_if($1) -') - -######################################## -## -## Do not audit attempts to send and receive UDP network -## traffic on generic interfaces. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_sendrecv_generic_if',` - corenet_dontaudit_udp_send_generic_if($1) - corenet_dontaudit_udp_receive_generic_if($1) -') - -######################################## -## -## Send raw IP packets on generic interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_send_generic_if',` - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif { rawip_send egress }; -') - -######################################## -## -## Receive raw IP packets on generic interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_receive_generic_if',` - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif { rawip_recv ingress }; -') - -######################################## -## -## Send and receive raw IP packets on generic interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_sendrecv_generic_if',` - corenet_raw_send_generic_if($1) - corenet_raw_receive_generic_if($1) -') - -######################################## -## -## Allow outgoing network traffic on the generic interfaces. -## -## -## -## The peer label of the outgoing network traffic. -## -## -## -# -interface(`corenet_out_generic_if',` - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif egress; -') - -######################################## -## -## Allow incoming traffic on the generic interfaces. -## -## -## -## The peer label of the incoming network traffic. -## -## -## -# -interface(`corenet_in_generic_if',` - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif ingress; -') - -######################################## -## -## Allow incoming and outgoing network traffic on the generic interfaces. -## -## -## -## The peer label of the network traffic. -## -## -## -# -interface(`corenet_inout_generic_if',` - corenet_in_generic_if($1) - corenet_out_generic_if($1) -') - -######################################## -## -## Send and receive TCP network traffic on all interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_sendrecv_all_if',` - gen_require(` - attribute netif_type; - ') - - allow $1 netif_type:netif { tcp_send tcp_recv egress ingress }; -') - -######################################## -## -## Send UDP network traffic on all interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_send_all_if',` - gen_require(` - attribute netif_type; - ') - - allow $1 netif_type:netif { udp_send egress }; -') - -######################################## -## -## Receive UDP network traffic on all interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_receive_all_if',` - gen_require(` - attribute netif_type; - ') - - allow $1 netif_type:netif { udp_recv ingress }; -') - -######################################## -## -## Send and receive UDP network traffic on all interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_sendrecv_all_if',` - corenet_udp_send_all_if($1) - corenet_udp_receive_all_if($1) -') - -######################################## -## -## Send raw IP packets on all interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_send_all_if',` - gen_require(` - attribute netif_type; - ') - - allow $1 netif_type:netif { rawip_send egress }; -') - -######################################## -## -## Receive raw IP packets on all interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_receive_all_if',` - gen_require(` - attribute netif_type; - ') - - allow $1 netif_type:netif { rawip_recv ingress }; -') - -######################################## -## -## Send and receive raw IP packets on all interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_sendrecv_all_if',` - corenet_raw_send_all_if($1) - corenet_raw_receive_all_if($1) -') - -######################################## -## -## Send and receive TCP network traffic on generic nodes. -## -## -##

-## Allow the specified domain to send and receive TCP network -## traffic to/from generic network nodes (hostnames/networks). -##

-##

-## Related interface: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_tcp_sendrecv_generic_if()
  • -##
  • corenet_tcp_sendrecv_all_ports()
  • -##
  • corenet_tcp_connect_all_ports()
  • -##
-##

-## Example client being able to connect to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:tcp_socket create_stream_socket_perms; -## corenet_tcp_sendrecv_generic_if(myclient_t) -## corenet_tcp_sendrecv_generic_node(myclient_t) -## corenet_tcp_sendrecv_all_ports(myclient_t) -## corenet_tcp_connect_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_sendrecv_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom }; -') - -######################################## -## -## Send UDP network traffic on generic nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_send_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:node { udp_send sendto }; -') - -######################################## -## -## Receive UDP network traffic on generic nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_receive_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:node { udp_recv recvfrom }; -') - -######################################## -## -## Send and receive UDP network traffic on generic nodes. -## -## -##

-## Allow the specified domain to send and receive UDP network -## traffic to/from generic network nodes (hostnames/networks). -##

-##

-## Related interface: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_udp_sendrecv_generic_if()
  • -##
  • corenet_udp_sendrecv_all_ports()
  • -##
-##

-## Example client being able to send to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:udp_socket create_socket_perms; -## corenet_udp_sendrecv_generic_if(myclient_t) -## corenet_udp_sendrecv_generic_node(myclient_t) -## corenet_udp_sendrecv_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_sendrecv_generic_node',` - corenet_udp_send_generic_node($1) - corenet_udp_receive_generic_node($1) -') - -######################################## -## -## Send raw IP packets on generic nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_send_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:node { rawip_send sendto }; -') - -######################################## -## -## Receive raw IP packets on generic nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_receive_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:node { rawip_recv recvfrom }; -') - -######################################## -## -## Send and receive raw IP packets on generic nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_sendrecv_generic_node',` - corenet_raw_send_generic_node($1) - corenet_raw_receive_generic_node($1) -') - -######################################## -## -## Bind TCP sockets to generic nodes. -## -## -##

-## Bind TCP sockets to generic nodes. This is -## necessary for binding a socket so it -## can be used for servers to listen -## for incoming connections. -##

-##

-## Related interface: -##

-##
    -##
  • corenet_udp_bind_generic_node()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_bind_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:tcp_socket node_bind; -') - -######################################## -## -## Bind UDP sockets to generic nodes. -## -## -##

-## Bind UDP sockets to generic nodes. This is -## necessary for binding a socket so it -## can be used for servers to listen -## for incoming connections. -##

-##

-## Related interface: -##

-##
    -##
  • corenet_tcp_bind_generic_node()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_bind_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:udp_socket node_bind; -') - -######################################## -## -## Bind raw sockets to genric nodes. -## -## -## -## Domain allowed access. -## -## -# rawip_socket node_bind does not make much sense. -# cjp: vmware hits this too -interface(`corenet_raw_bind_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:rawip_socket node_bind; -') - -######################################## -## -## Allow outgoing network traffic to generic nodes. -## -## -## -## The peer label of the outgoing network traffic. -## -## -## -# -interface(`corenet_out_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:node sendto; -') - -######################################## -## -## Allow incoming network traffic from generic nodes. -## -## -## -## The peer label of the incoming network traffic. -## -## -## -# -interface(`corenet_in_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:node recvfrom; -') - -######################################## -## -## Allow incoming and outgoing network traffic with generic nodes. -## -## -## -## The peer label of the network traffic. -## -## -## -# -interface(`corenet_inout_generic_node',` - corenet_in_generic_node($1) - corenet_out_generic_node($1) -') - -######################################## -## -## Send and receive TCP network traffic on all nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_sendrecv_all_nodes',` - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom }; -') - -######################################## -## -## Send UDP network traffic on all nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_send_all_nodes',` - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { udp_send sendto }; -') - -######################################## -## -## Do not audit attempts to send UDP network -## traffic on any nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_send_all_nodes',` - gen_require(` - attribute node_type; - ') - - dontaudit $1 node_type:node { udp_send sendto }; -') - -######################################## -## -## Receive UDP network traffic on all nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_receive_all_nodes',` - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { udp_recv recvfrom }; -') - -######################################## -## -## Do not audit attempts to receive UDP -## network traffic on all nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_receive_all_nodes',` - gen_require(` - attribute node_type; - ') - - dontaudit $1 node_type:node { udp_recv recvfrom }; -') - -######################################## -## -## Send and receive UDP network traffic on all nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_sendrecv_all_nodes',` - corenet_udp_send_all_nodes($1) - corenet_udp_receive_all_nodes($1) -') - -######################################## -## -## Do not audit attempts to send and receive UDP -## network traffic on any nodes nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_sendrecv_all_nodes',` - corenet_dontaudit_udp_send_all_nodes($1) - corenet_dontaudit_udp_receive_all_nodes($1) -') - -######################################## -## -## Send raw IP packets on all nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_send_all_nodes',` - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { rawip_send sendto }; -') - -######################################## -## -## Receive raw IP packets on all nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_receive_all_nodes',` - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { rawip_recv recvfrom }; -') - -######################################## -## -## Send and receive raw IP packets on all nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_sendrecv_all_nodes',` - corenet_raw_send_all_nodes($1) - corenet_raw_receive_all_nodes($1) -') - -######################################## -## -## Bind TCP sockets to all nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_bind_all_nodes',` - gen_require(` - attribute node_type; - ') - - allow $1 node_type:tcp_socket node_bind; -') - -######################################## -## -## Bind UDP sockets to all nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_bind_all_nodes',` - gen_require(` - attribute node_type; - ') - - allow $1 node_type:udp_socket node_bind; -') - -######################################## -## -## Bind raw sockets to all nodes. -## -## -## -## Domain allowed access. -## -## -# rawip_socket node_bind does not make much sense. -# cjp: vmware hits this too -interface(`corenet_raw_bind_all_nodes',` - gen_require(` - attribute node_type; - ') - - allow $1 node_type:rawip_socket node_bind; -') - -######################################## -## -## Send and receive TCP network traffic on generic ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_sendrecv_generic_port',` - gen_require(` - type port_t; - ') - - allow $1 port_t:tcp_socket { send_msg recv_msg }; -') - -######################################## -## -## Do not audit send and receive TCP network traffic on generic ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` - gen_require(` - type port_t; - ') - - dontaudit $1 port_t:tcp_socket { send_msg recv_msg }; -') - -######################################## -## -## Send UDP network traffic on generic ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_send_generic_port',` - gen_require(` - type port_t; - ') - - allow $1 port_t:udp_socket send_msg; -') - -######################################## -## -## Receive UDP network traffic on generic ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_receive_generic_port',` - gen_require(` - type port_t; - ') - - allow $1 port_t:udp_socket recv_msg; -') - -######################################## -## -## Send and receive UDP network traffic on generic ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_sendrecv_generic_port',` - corenet_udp_send_generic_port($1) - corenet_udp_receive_generic_port($1) -') - -######################################## -## -## Bind TCP sockets to generic ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_bind_generic_port',` - gen_require(` - type port_t; - attribute port_type; - ') - - allow $1 port_t:tcp_socket name_bind; - dontaudit $1 { port_type -port_t }:tcp_socket name_bind; -') - -######################################## -## -## Do not audit bind TCP sockets to generic ports. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_tcp_bind_generic_port',` - gen_require(` - type port_t; - ') - - dontaudit $1 port_t:tcp_socket name_bind; -') - -######################################## -## -## Bind UDP sockets to generic ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_bind_generic_port',` - gen_require(` - type port_t; - attribute port_type; - ') - - allow $1 port_t:udp_socket name_bind; - dontaudit $1 { port_type -port_t }:udp_socket name_bind; -') - -######################################## -## -## Connect TCP sockets to generic ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_connect_generic_port',` - gen_require(` - type port_t; - ') - - allow $1 port_t:tcp_socket name_connect; -') - -######################################## -## -## Send and receive TCP network traffic on all ports. -## -## -##

-## Send and receive TCP network traffic on all ports. -## Related interfaces: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_tcp_sendrecv_generic_if()
  • -##
  • corenet_tcp_sendrecv_generic_node()
  • -##
  • corenet_tcp_connect_all_ports()
  • -##
  • corenet_tcp_bind_all_ports()
  • -##
-##

-## Example client being able to connect to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:tcp_socket create_stream_socket_perms; -## corenet_tcp_sendrecv_generic_if(myclient_t) -## corenet_tcp_sendrecv_generic_node(myclient_t) -## corenet_tcp_sendrecv_all_ports(myclient_t) -## corenet_tcp_connect_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_sendrecv_all_ports',` - gen_require(` - attribute port_type; - ') - - allow $1 port_type:tcp_socket { send_msg recv_msg }; -') - -######################################## -## -## Send UDP network traffic on all ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_send_all_ports',` - gen_require(` - attribute port_type; - ') - - allow $1 port_type:udp_socket send_msg; -') - -######################################## -## -## Receive UDP network traffic on all ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_receive_all_ports',` - gen_require(` - attribute port_type; - ') - - allow $1 port_type:udp_socket recv_msg; -') - -######################################## -## -## Send and receive UDP network traffic on all ports. -## -## -##

-## Send and receive UDP network traffic on all ports. -## Related interfaces: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_udp_sendrecv_generic_if()
  • -##
  • corenet_udp_sendrecv_generic_node()
  • -##
  • corenet_udp_bind_all_ports()
  • -##
-##

-## Example client being able to send to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:udp_socket create_socket_perms; -## corenet_udp_sendrecv_generic_if(myclient_t) -## corenet_udp_sendrecv_generic_node(myclient_t) -## corenet_udp_sendrecv_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_sendrecv_all_ports',` - corenet_udp_send_all_ports($1) - corenet_udp_receive_all_ports($1) -') - -######################################## -## -## Bind TCP sockets to all ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_bind_all_ports',` - gen_require(` - attribute port_type; - ') - - allow $1 port_type:tcp_socket name_bind; - allow $1 self:capability net_bind_service; -') - -######################################## -## -## Do not audit attepts to bind TCP sockets to any ports. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_tcp_bind_all_ports',` - gen_require(` - attribute port_type; - ') - - dontaudit $1 port_type:tcp_socket name_bind; -') - -######################################## -## -## Bind UDP sockets to all ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_bind_all_ports',` - gen_require(` - attribute port_type; - ') - - allow $1 port_type:udp_socket name_bind; - allow $1 self:capability net_bind_service; -') - -######################################## -## -## Do not audit attepts to bind UDP sockets to any ports. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_bind_all_ports',` - gen_require(` - attribute port_type; - ') - - dontaudit $1 port_type:udp_socket name_bind; -') - -######################################## -## -## Connect TCP sockets to all ports. -## -## -##

-## Connect TCP sockets to all ports -##

-##

-## Related interfaces: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_tcp_sendrecv_generic_if()
  • -##
  • corenet_tcp_sendrecv_generic_node()
  • -##
  • corenet_tcp_sendrecv_all_ports()
  • -##
  • corenet_tcp_bind_all_ports()
  • -##
-##

-## Example client being able to connect to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:tcp_socket create_stream_socket_perms; -## corenet_tcp_sendrecv_generic_if(myclient_t) -## corenet_tcp_sendrecv_generic_node(myclient_t) -## corenet_tcp_sendrecv_all_ports(myclient_t) -## corenet_tcp_connect_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_connect_all_ports',` - gen_require(` - attribute port_type; - ') - - allow $1 port_type:tcp_socket name_connect; -') - -######################################## -## -## Do not audit attempts to connect TCP sockets -## to all ports. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_tcp_connect_all_ports',` - gen_require(` - attribute port_type; - ') - - dontaudit $1 port_type:tcp_socket name_connect; -') - -######################################## -## -## Send and receive TCP network traffic on generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_sendrecv_reserved_port',` - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:tcp_socket { send_msg recv_msg }; -') - -######################################## -## -## Send UDP network traffic on generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_send_reserved_port',` - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:udp_socket send_msg; -') - -######################################## -## -## Receive UDP network traffic on generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_receive_reserved_port',` - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:udp_socket recv_msg; -') - -######################################## -## -## Send and receive UDP network traffic on generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_sendrecv_reserved_port',` - corenet_udp_send_reserved_port($1) - corenet_udp_receive_reserved_port($1) -') - -######################################## -## -## Bind TCP sockets to generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_bind_reserved_port',` - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; -') - -######################################## -## -## Bind UDP sockets to generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_bind_reserved_port',` - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; -') - -######################################## -## -## Connect TCP sockets to generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_connect_reserved_port',` - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:tcp_socket name_connect; -') - -######################################## -## -## Send and receive TCP network traffic on all reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_sendrecv_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; -') - -######################################## -## -## Send UDP network traffic on all reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_send_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:udp_socket send_msg; -') - -######################################## -## -## Receive UDP network traffic on all reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_receive_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:udp_socket recv_msg; -') - -######################################## -## -## Send and receive UDP network traffic on all reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_sendrecv_all_reserved_ports',` - corenet_udp_send_all_reserved_ports($1) - corenet_udp_receive_all_reserved_ports($1) -') - -######################################## -## -## Bind TCP sockets to all reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_bind_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:tcp_socket name_bind; - allow $1 self:capability net_bind_service; -') - -######################################## -## -## Do not audit attempts to bind TCP sockets to all reserved ports. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - dontaudit $1 reserved_port_type:tcp_socket name_bind; -') - -######################################## -## -## Bind UDP sockets to all reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_bind_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:udp_socket name_bind; - allow $1 self:capability net_bind_service; -') - -######################################## -## -## Do not audit attempts to bind UDP sockets to all reserved ports. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - dontaudit $1 reserved_port_type:udp_socket name_bind; -') - -######################################## -## -## Bind TCP sockets to all ports > 1024. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_bind_all_unreserved_ports',` - gen_require(` - attribute port_type, reserved_port_type; - ') - - allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; -') - -######################################## -## -## Bind UDP sockets to all ports > 1024. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_bind_all_unreserved_ports',` - gen_require(` - attribute port_type, reserved_port_type; - ') - - allow $1 { port_type -reserved_port_type }:udp_socket name_bind; -') - -######################################## -## -## Connect TCP sockets to reserved ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:tcp_socket name_connect; -') - -######################################## -## -## Connect TCP sockets to all ports > 1024. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_connect_all_unreserved_ports',` - gen_require(` - attribute port_type, reserved_port_type; - ') - - allow $1 { port_type -reserved_port_type }:tcp_socket name_connect; -') - -######################################## -## -## Do not audit attempts to connect TCP sockets -## all reserved ports. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - dontaudit $1 reserved_port_type:tcp_socket name_connect; -') - -######################################## -## -## Connect TCP sockets to rpc ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_connect_all_rpc_ports',` - gen_require(` - attribute rpc_port_type; - ') - - allow $1 rpc_port_type:tcp_socket name_connect; -') - -######################################## -## -## Do not audit attempts to connect TCP sockets -## all rpc ports. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` - gen_require(` - attribute rpc_port_type; - ') - - dontaudit $1 rpc_port_type:tcp_socket name_connect; -') - -######################################## -## -## Read and write the TUN/TAP virtual network device. -## -## -## -## The domain allowed access. -## -## -# -interface(`corenet_rw_tun_tap_dev',` - gen_require(` - type tun_tap_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; -') - -######################################## -## -## Do not audit attempts to read or write the TUN/TAP -## virtual network device. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_rw_tun_tap_dev',` - gen_require(` - type tun_tap_device_t; - ') - - dontaudit $1 tun_tap_device_t:chr_file { read write }; -') - -######################################## -## -## Getattr the point-to-point device. -## -## -## -## The domain allowed access. -## -## -# -interface(`corenet_getattr_ppp_dev',` - gen_require(` - type ppp_device_t; - ') - - allow $1 ppp_device_t:chr_file getattr; -') - -######################################## -## -## Read and write the point-to-point device. -## -## -## -## The domain allowed access. -## -## -# -interface(`corenet_rw_ppp_dev',` - gen_require(` - type ppp_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 ppp_device_t:chr_file rw_chr_file_perms; -') - -######################################## -## -## Bind TCP sockets to all RPC ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_bind_all_rpc_ports',` - gen_require(` - attribute rpc_port_type; - ') - - allow $1 rpc_port_type:tcp_socket name_bind; - allow $1 self:capability net_bind_service; -') - -######################################## -## -## Do not audit attempts to bind TCP sockets to all RPC ports. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',` - gen_require(` - attribute rpc_port_type; - ') - - dontaudit $1 rpc_port_type:tcp_socket name_bind; -') - -######################################## -## -## Bind UDP sockets to all RPC ports. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_bind_all_rpc_ports',` - gen_require(` - attribute rpc_port_type; - ') - - allow $1 rpc_port_type:udp_socket name_bind; - allow $1 self:capability net_bind_service; -') - -######################################## -## -## Do not audit attempts to bind UDP sockets to all RPC ports. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_bind_all_rpc_ports',` - gen_require(` - attribute rpc_port_type; - ') - - dontaudit $1 rpc_port_type:udp_socket name_bind; -') - -######################################## -## -## Send and receive messages on a -## non-encrypted (no IPSEC) network -## session. -## -## -##

-## Send and receive messages on a -## non-encrypted (no IPSEC) network -## session. (Deprecated) -##

-##

-## The corenet_all_recvfrom_unlabeled() interface should be used instead -## of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`corenet_non_ipsec_sendrecv',` - refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.') - corenet_all_recvfrom_unlabeled($1) -') - -######################################## -## -## Do not audit attempts to send and receive -## messages on a non-encrypted (no IPSEC) network -## session. -## -## -##

-## Do not audit attempts to send and receive -## messages on a non-encrypted (no IPSEC) network -## session. -##

-##

-## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be -## used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_non_ipsec_sendrecv',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.') - corenet_dontaudit_all_recvfrom_unlabeled($1) -') - -######################################## -## -## Receive TCP packets from a NetLabel connection. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.') - corenet_tcp_recvfrom_netlabel($1) -') - -######################################## -## -## Receive TCP packets from a NetLabel connection. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_recvfrom_netlabel',` - gen_require(` - type netlabel_peer_t; - ') - - allow $1 netlabel_peer_t:peer recv; - allow $1 netlabel_peer_t:tcp_socket recvfrom; -') - -######################################## -## -## Receive TCP packets from an unlabled connection. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_recvfrom_unlabeled',` - kernel_tcp_recvfrom_unlabeled($1) - kernel_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_sendrecv_unlabeled_association($1) -') - -######################################## -## -## Do not audit attempts to receive TCP packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_tcp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.') - corenet_dontaudit_tcp_recvfrom_netlabel($1) -') - -######################################## -## -## Do not audit attempts to receive TCP packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` - gen_require(` - type netlabel_peer_t; - ') - - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:tcp_socket recvfrom; -') - -######################################## -## -## Do not audit attempts to receive TCP packets from an unlabeled -## connection. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',` - kernel_dontaudit_tcp_recvfrom_unlabeled($1) - kernel_dontaudit_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_dontaudit_sendrecv_unlabeled_association($1) -') - -######################################## -## -## Receive UDP packets from a NetLabel connection. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.') - corenet_udp_recvfrom_netlabel($1) -') - -######################################## -## -## Receive UDP packets from a NetLabel connection. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_recvfrom_netlabel',` - gen_require(` - type netlabel_peer_t; - ') - - allow $1 netlabel_peer_t:peer recv; - allow $1 netlabel_peer_t:udp_socket recvfrom; -') - -######################################## -## -## Receive UDP packets from an unlabeled connection. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_udp_recvfrom_unlabeled',` - kernel_udp_recvfrom_unlabeled($1) - kernel_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_sendrecv_unlabeled_association($1) -') - -######################################## -## -## Do not audit attempts to receive UDP packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.') - corenet_dontaudit_udp_recvfrom_netlabel($1) -') - -######################################## -## -## Do not audit attempts to receive UDP packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_recvfrom_netlabel',` - gen_require(` - type netlabel_peer_t; - ') - - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:udp_socket recvfrom; -') - -######################################## -## -## Do not audit attempts to receive UDP packets from an unlabeled -## connection. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_udp_recvfrom_unlabeled',` - kernel_dontaudit_udp_recvfrom_unlabeled($1) - kernel_dontaudit_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_dontaudit_sendrecv_unlabeled_association($1) -') - -######################################## -## -## Receive Raw IP packets from a NetLabel connection. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.') - corenet_raw_recvfrom_netlabel($1) -') - -######################################## -## -## Receive Raw IP packets from a NetLabel connection. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_recvfrom_netlabel',` - gen_require(` - type netlabel_peer_t; - ') - - allow $1 netlabel_peer_t:peer recv; - allow $1 netlabel_peer_t:rawip_socket recvfrom; -') - -######################################## -## -## Receive Raw IP packets from an unlabeled connection. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_raw_recvfrom_unlabeled',` - kernel_raw_recvfrom_unlabeled($1) - kernel_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_sendrecv_unlabeled_association($1) -') - -######################################## -## -## Do not audit attempts to receive Raw IP packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_raw_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.') - corenet_dontaudit_raw_recvfrom_netlabel($1) -') - -######################################## -## -## Do not audit attempts to receive Raw IP packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_raw_recvfrom_netlabel',` - gen_require(` - type netlabel_peer_t; - ') - - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:rawip_socket recvfrom; -') - -######################################## -## -## Do not audit attempts to receive Raw IP packets from an unlabeled -## connection. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` - kernel_dontaudit_raw_recvfrom_unlabeled($1) - kernel_dontaudit_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_dontaudit_sendrecv_unlabeled_association($1) -') - -######################################## -## -## Receive packets from an unlabeled connection. -## -## -##

-## Allow the specified domain to receive packets from an -## unlabeled connection. On machines that do not utilize -## labeled networking, this will be required on all -## networking domains. On machines tha do utilize -## labeled networking, this will be required for any -## networking domain that is allowed to receive -## network traffic that does not have a label. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_all_recvfrom_unlabeled',` - kernel_tcp_recvfrom_unlabeled($1) - kernel_udp_recvfrom_unlabeled($1) - kernel_raw_recvfrom_unlabeled($1) - kernel_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_sendrecv_unlabeled_association($1) -') - -######################################## -## -## Receive packets from a NetLabel connection. -## -## -##

-## Allow the specified domain to receive NetLabel -## network traffic, which utilizes the Commercial IP -## Security Option (CIPSO) to set the MLS level -## of the network packets. This is required for -## all networking domains that receive NetLabel -## network traffic. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_all_recvfrom_netlabel',` - gen_require(` - type netlabel_peer_t; - ') - - allow $1 netlabel_peer_t:peer recv; - allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; -') - -######################################## -## -## Do not audit attempts to receive packets from an unlabeled connection. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_dontaudit_all_recvfrom_unlabeled',` - kernel_dontaudit_tcp_recvfrom_unlabeled($1) - kernel_dontaudit_udp_recvfrom_unlabeled($1) - kernel_dontaudit_raw_recvfrom_unlabeled($1) - kernel_dontaudit_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_dontaudit_sendrecv_unlabeled_association($1) -') - -######################################## -## -## Do not audit attempts to receive packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. -## -## -# -interface(`corenet_dontaudit_all_recvfrom_netlabel',` - gen_require(` - type netlabel_peer_t; - ') - - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; -') - -######################################## -## -## Rules for receiving labeled TCP packets. -## -## -##

-## Rules for receiving labeled TCP packets. -##

-##

-## Due to the nature of TCP, this is bidirectional. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## Peer domain. -## -## -# -interface(`corenet_tcp_recvfrom_labeled',` - allow { $1 $2 } self:association sendto; - allow $1 $2:{ association tcp_socket } recvfrom; - allow $2 $1:{ association tcp_socket } recvfrom; - - allow $1 $2:peer recv; - allow $2 $1:peer recv; - - # allow receiving packets from MLS-only peers using NetLabel - corenet_tcp_recvfrom_netlabel($1) - corenet_tcp_recvfrom_netlabel($2) -') - -######################################## -## -## Rules for receiving labeled UDP packets. -## -## -## -## Domain allowed access. -## -## -## -## -## Peer domain. -## -## -# -interface(`corenet_udp_recvfrom_labeled',` - allow $2 self:association sendto; - allow $1 $2:{ association udp_socket } recvfrom; - - allow $1 $2:peer recv; - - # allow receiving packets from MLS-only peers using NetLabel - corenet_udp_recvfrom_netlabel($1) -') - -######################################## -## -## Rules for receiving labeled raw IP packets. -## -## -## -## Domain allowed access. -## -## -## -## -## Peer domain. -## -## -# -interface(`corenet_raw_recvfrom_labeled',` - allow $2 self:association sendto; - allow $1 $2:{ association rawip_socket } recvfrom; - - allow $1 $2:peer recv; - - # allow receiving packets from MLS-only peers using NetLabel - corenet_raw_recvfrom_netlabel($1) -') - -######################################## -## -## Rules for receiving labeled packets via TCP, UDP and raw IP. -## -## -##

-## Rules for receiving labeled packets via TCP, UDP and raw IP. -##

-##

-## Due to the nature of TCP, the rules (for TCP -## networking only) are bidirectional. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## Peer domain. -## -## -# -interface(`corenet_all_recvfrom_labeled',` - corenet_tcp_recvfrom_labeled($1,$2) - corenet_udp_recvfrom_labeled($1,$2) - corenet_raw_recvfrom_labeled($1,$2) -') - -######################################## -## -## Send generic client packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_send_generic_client_packets',` - gen_require(` - type client_packet_t; - ') - - allow $1 client_packet_t:packet send; -') - -######################################## -## -## Receive generic client packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_receive_generic_client_packets',` - gen_require(` - type client_packet_t; - ') - - allow $1 client_packet_t:packet recv; -') - -######################################## -## -## Send and receive generic client packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_sendrecv_generic_client_packets',` - corenet_send_generic_client_packets($1) - corenet_receive_generic_client_packets($1) -') - -######################################## -## -## Relabel packets to the generic client packet type. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_relabelto_generic_client_packets',` - gen_require(` - type client_packet_t; - ') - - allow $1 client_packet_t:packet relabelto; -') - -######################################## -## -## Send generic server packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_send_generic_server_packets',` - gen_require(` - type server_packet_t; - ') - - allow $1 server_packet_t:packet send; -') - -######################################## -## -## Receive generic server packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_receive_generic_server_packets',` - gen_require(` - type server_packet_t; - ') - - allow $1 server_packet_t:packet recv; -') - -######################################## -## -## Send and receive generic server packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_sendrecv_generic_server_packets',` - corenet_send_generic_server_packets($1) - corenet_receive_generic_server_packets($1) -') - -######################################## -## -## Relabel packets to the generic server packet type. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_relabelto_generic_server_packets',` - gen_require(` - type server_packet_t; - ') - - allow $1 server_packet_t:packet relabelto; -') - -######################################## -## -## Send and receive unlabeled packets. -## -## -##

-## Send and receive unlabeled packets. -## These packets do not match any netfilter -## SECMARK rules. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`corenet_sendrecv_unlabeled_packets',` - kernel_sendrecv_unlabeled_packets($1) -') - -######################################## -## -## Send all client packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_send_all_client_packets',` - gen_require(` - attribute client_packet_type; - ') - - allow $1 client_packet_type:packet send; -') - -######################################## -## -## Receive all client packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_receive_all_client_packets',` - gen_require(` - attribute client_packet_type; - ') - - allow $1 client_packet_type:packet recv; -') - -######################################## -## -## Send and receive all client packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_sendrecv_all_client_packets',` - corenet_send_all_client_packets($1) - corenet_receive_all_client_packets($1) -') - -######################################## -## -## Relabel packets to any client packet type. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_relabelto_all_client_packets',` - gen_require(` - attribute client_packet_type; - ') - - allow $1 client_packet_type:packet relabelto; -') - -######################################## -## -## Send all server packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_send_all_server_packets',` - gen_require(` - attribute server_packet_type; - ') - - allow $1 server_packet_type:packet send; -') - -######################################## -## -## Receive all server packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_receive_all_server_packets',` - gen_require(` - attribute server_packet_type; - ') - - allow $1 server_packet_type:packet recv; -') - -######################################## -## -## Send and receive all server packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_sendrecv_all_server_packets',` - corenet_send_all_server_packets($1) - corenet_receive_all_server_packets($1) -') - -######################################## -## -## Relabel packets to any server packet type. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_relabelto_all_server_packets',` - gen_require(` - attribute server_packet_type; - ') - - allow $1 server_packet_type:packet relabelto; -') - -######################################## -## -## Send all packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_send_all_packets',` - gen_require(` - attribute packet_type; - ') - - allow $1 packet_type:packet send; -') - -######################################## -## -## Receive all packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_receive_all_packets',` - gen_require(` - attribute packet_type; - ') - - allow $1 packet_type:packet recv; -') - -######################################## -## -## Send and receive all packets. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_sendrecv_all_packets',` - corenet_send_all_packets($1) - corenet_receive_all_packets($1) -') - -######################################## -## -## Relabel packets to any packet type. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_relabelto_all_packets',` - gen_require(` - attribute packet_type; - ') - - allow $1 packet_type:packet relabelto; -') - -######################################## -## -## Unconfined access to network objects. -## -## -## -## The domain allowed access. -## -## -# -interface(`corenet_unconfined',` - gen_require(` - attribute corenet_unconfined_type; - ') - - typeattribute $1 corenet_unconfined_type; -') diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4 deleted file mode 100644 index 8e0f9cd..0000000 --- a/policy/modules/kernel/corenetwork.if.m4 +++ /dev/null @@ -1,853 +0,0 @@ -# -# shiftn(num,list...) -# -# shift the list num times -# -define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') - -######################################## -# -# Network Interface generated macros -# -######################################## - -define(`create_netif_interfaces',`` -######################################## -## -## Send and receive TCP network traffic on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_sendrecv_$1_if',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress }; -') - -######################################## -## -## Send UDP network traffic on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_send_$1_if',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:netif { udp_send egress }; -') - -######################################## -## -## Receive UDP network traffic on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_receive_$1_if',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:netif { udp_recv ingress }; -') - -######################################## -## -## Send and receive UDP network traffic on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_sendrecv_$1_if',` - corenet_udp_send_$1_if(dollarsone) - corenet_udp_receive_$1_if(dollarsone) -') - -######################################## -## -## Send raw IP packets on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_raw_send_$1_if',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:netif { rawip_send egress }; -') - -######################################## -## -## Receive raw IP packets on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_raw_receive_$1_if',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:netif { rawip_recv ingress }; -') - -######################################## -## -## Send and receive raw IP packets on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_raw_sendrecv_$1_if',` - corenet_raw_send_$1_if(dollarsone) - corenet_raw_receive_$1_if(dollarsone) -') -'') dnl end create_netif_interfaces - -# create confined network interfaces controlled by the network_enabled boolean -# do not call this macro for loop back -define(`create_netif_interfaces_controlled',`` -######################################## -## -## Send and receive TCP network traffic on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_sendrecv_$1_if',` - gen_require(` - $3 $1_$2; - ') - - if (network_enabled) { - allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress }; - } -') - -######################################## -## -## Send UDP network traffic on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_send_$1_if',` - gen_require(` - $3 $1_$2; - ') - - if (network_enabled) { - allow dollarsone $1_$2:netif { udp_send egress }; - } -') - -######################################## -## -## Receive UDP network traffic on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_receive_$1_if',` - gen_require(` - $3 $1_$2; - ') - - if (network_enabled) { - allow dollarsone $1_$2:netif { udp_recv ingress }; - } -') - -######################################## -## -## Send and receive UDP network traffic on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_sendrecv_$1_if',` - corenet_udp_send_$1_if(dollarsone) - corenet_udp_receive_$1_if(dollarsone) -') - -######################################## -## -## Send raw IP packets on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_raw_send_$1_if',` - gen_require(` - $3 $1_$2; - ') - - if (network_enabled) { - allow dollarsone $1_$2:netif { rawip_send egress }; - } -') - -######################################## -## -## Receive raw IP packets on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_raw_receive_$1_if',` - gen_require(` - $3 $1_$2; - ') - - if (network_enabled) { - allow dollarsone $1_$2:netif { rawip_recv ingress }; - } -') - -######################################## -## -## Send and receive raw IP packets on the $1 interface. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_raw_sendrecv_$1_if',` - corenet_raw_send_$1_if(dollarsone) - corenet_raw_receive_$1_if(dollarsone) -') -'') dnl end create_netif_interfaces_controlled - -######################################## -# -# Network node generated macros -# -######################################## - -define(`create_node_interfaces',`` -######################################## -## -## Send and receive TCP traffic on the $1 node. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_sendrecv_$1_node',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:node { tcp_send tcp_recv sendto recvfrom }; -') - -######################################## -## -## Send UDP traffic on the $1 node. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_send_$1_node',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:node { udp_send sendto }; -') - -######################################## -## -## Receive UDP traffic on the $1 node. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_receive_$1_node',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:node { udp_recv recvfrom }; -') - -######################################## -## -## Send and receive UDP traffic on the $1 node. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_sendrecv_$1_node',` - corenet_udp_send_$1_node(dollarsone) - corenet_udp_receive_$1_node(dollarsone) -') - -######################################## -## -## Send raw IP packets on the $1 node. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_raw_send_$1_node',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:node { rawip_send sendto }; -') - -######################################## -## -## Receive raw IP packets on the $1 node. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_raw_receive_$1_node',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:node { rawip_recv recvfrom }; -') - -######################################## -## -## Send and receive raw IP packets on the $1 node. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_raw_sendrecv_$1_node',` - corenet_raw_send_$1_node(dollarsone) - corenet_raw_receive_$1_node(dollarsone) -') - -######################################## -## -## Bind TCP sockets to node $1. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_bind_$1_node',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:tcp_socket node_bind; -') - -######################################## -## -## Bind UDP sockets to the $1 node. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_bind_$1_node',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:udp_socket node_bind; -') -'') dnl end create_node_interfaces - -######################################## -# -# Network port generated macros -# -######################################## - -define(`create_port_interfaces',`` -######################################## -## -## Send and receive TCP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_sendrecv_$1_port',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:tcp_socket { send_msg recv_msg }; -') - -######################################## -## -## Send UDP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_send_$1_port',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:udp_socket send_msg; -') - -######################################## -## -## Do not audit attempts to send UDP traffic on the $1 port. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`corenet_dontaudit_udp_send_$1_port',` - gen_require(` - $3 $1_$2; - ') - - dontaudit dollarsone $1_$2:udp_socket send_msg; -') - -######################################## -## -## Receive UDP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_receive_$1_port',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:udp_socket recv_msg; -') - -######################################## -## -## Do not audit attempts to receive UDP traffic on the $1 port. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`corenet_dontaudit_udp_receive_$1_port',` - gen_require(` - $3 $1_$2; - ') - - dontaudit dollarsone $1_$2:udp_socket recv_msg; -') - -######################################## -## -## Send and receive UDP traffic on the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_sendrecv_$1_port',` - corenet_udp_send_$1_port(dollarsone) - corenet_udp_receive_$1_port(dollarsone) -') - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the $1 port. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`corenet_dontaudit_udp_sendrecv_$1_port',` - corenet_dontaudit_udp_send_$1_port(dollarsone) - corenet_dontaudit_udp_receive_$1_port(dollarsone) -') - -######################################## -## -## Bind TCP sockets to the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_tcp_bind_$1_port',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:tcp_socket name_bind; - $4 -') - -######################################## -## -## Bind UDP sockets to the $1 port. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_udp_bind_$1_port',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:udp_socket name_bind; - $4 -') - -######################################## -## -## Make a TCP connection to the $1 port. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_tcp_connect_$1_port',` - gen_require(` - $3 $1_$2; - ') - - allow dollarsone $1_$2:tcp_socket name_connect; -') -'') dnl end create_port_interfaces - -define(`create_packet_interfaces',`` -######################################## -## -## Send $1 packets. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_send_$1_packets',` - gen_require(` - type $1_packet_t; - ') - - allow dollarsone $1_packet_t:packet send; -') - -######################################## -## -## Do not audit attempts to send $1 packets. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`corenet_dontaudit_send_$1_packets',` - gen_require(` - type $1_packet_t; - ') - - dontaudit dollarsone $1_packet_t:packet send; -') - -######################################## -## -## Receive $1 packets. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_receive_$1_packets',` - gen_require(` - type $1_packet_t; - ') - - allow dollarsone $1_packet_t:packet recv; -') - -######################################## -## -## Do not audit attempts to receive $1 packets. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_dontaudit_receive_$1_packets',` - gen_require(` - type $1_packet_t; - ') - - dontaudit dollarsone $1_packet_t:packet recv; -') - -######################################## -## -## Send and receive $1 packets. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`corenet_sendrecv_$1_packets',` - corenet_send_$1_packets(dollarsone) - corenet_receive_$1_packets(dollarsone) -') - -######################################## -## -## Do not audit attempts to send and receive $1 packets. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`corenet_dontaudit_sendrecv_$1_packets',` - corenet_dontaudit_send_$1_packets(dollarsone) - corenet_dontaudit_receive_$1_packets(dollarsone) -') - -######################################## -## -## Relabel packets to $1 the packet type. -## -## -## -## Domain allowed access. -## -## -# -interface(`corenet_relabelto_$1_packets',` - gen_require(` - type $1_packet_t; - ') - - allow dollarsone $1_packet_t:packet relabelto; -') -'') dnl end create_port_interfaces - -# -# create_netif_*_interfaces(linux_interfacename) -# -define(`create_netif_type_interfaces',` -create_netif_interfaces($1,netif_t,type) -') -define(`create_netif_type_interfaces_controlled',` -create_netif_interfaces_controlled($1,netif_t,type) -') -define(`create_netif_attrib_interfaces',` -create_netif_interfaces($1,netif,attribute) -') -define(`create_netif_attrib_interfaces_controlled',` -create_netif_interfaces_controlled($1,netif,attribute) -') - -# -# network_interface(linux_interfacename,mls_sensitivity) -# -define(`network_interface',` -create_netif_type_interfaces($1) -') - -define(`network_interface_controlled',` -create_netif_type_interfaces_controlled($1) -') - -# -# create_node_*_interfaces(node_name) -# -define(`create_node_type_interfaces',` -create_node_interfaces($1,node_t,type) -') -define(`create_node_attrib_interfaces',` -create_node_interfaces($1,node,attribute) -') - -# -# network_node(node_name,mls_sensitivity,address,netmask) -# -define(`network_node',` -create_node_type_interfaces($1) -') - -# These next three macros have formatting, and should not me indented -define(`determine_reserved_capability',`dnl -ifelse($2,`',`',`dnl -ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl -determine_reserved_capability(shiftn(3,$*))dnl -')dnl end inner ifelse -')dnl end outer ifelse -') dnl end determine reserved capability - -# -# create_port_*_interfaces(port_name, protocol,portnum,mls_sensitivity [,protocol portnum mls_sensitivity[,...]]) -# (these wrap create_port_interfaces to handle attributes and types) -define(`create_port_type_interfaces',`create_port_interfaces($1,port_t,type,determine_reserved_capability(shift($*)))') -define(`create_port_attrib_interfaces',`create_port_interfaces($1,port,attribute,determine_reserved_capability(shift($*)))') - -# -# network_port(port_name,protocol portnum mls_sensitivity [,protocol,portnum,mls_sensitivity[,...]]) -# -define(`network_port',` -create_port_type_interfaces($*) -create_packet_interfaces($1_client) -create_packet_interfaces($1_server) -') - -# -# network_packet(packet_name) -# -define(`network_packet',` -create_packet_interfaces($1_client) -create_packet_interfaces($1_server) -') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in deleted file mode 100644 index f15e5ba..0000000 --- a/policy/modules/kernel/corenetwork.te.in +++ /dev/null @@ -1,299 +0,0 @@ -policy_module(corenetwork, 1.14.1) - -######################################## -# -# Declarations -# - -attribute client_packet_type; -attribute netif_type; -attribute node_type; -attribute packet_type; -attribute port_type; -attribute reserved_port_type; -attribute rpc_port_type; -attribute server_packet_type; - -attribute corenet_unconfined_type; - -type ppp_device_t; -dev_node(ppp_device_t) - -# -# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* -# -type tun_tap_device_t; -dev_node(tun_tap_device_t) -mls_trusted_object(tun_tap_device_t) - -######################################## -# -# Ports and packets -# - -# -# client_packet_t is the default type of IPv4 and IPv6 client packets. -# -type client_packet_t, packet_type, client_packet_type; - -# -# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network -# connections using NetLabel which do not carry full SELinux contexts. -# -type netlabel_peer_t; -sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) - -# -# port_t is the default type of INET port numbers. -# -type port_t, port_type; -sid port gen_context(system_u:object_r:port_t,s0) - -# -# reserved_port_t is the type of INET port numbers below 1024. -# -type reserved_port_t, port_type, reserved_port_type; - -# -# hi_reserved_port_t is the type of INET port numbers between 512-1023. -# -type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; - -# -# server_packet_t is the default type of IPv4 and IPv6 server packets. -# -type server_packet_t, packet_type, server_packet_type; - -network_port(afs_bos, udp,7007,s0) -network_port(afs_client, udp,7001,s0) -network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) -network_port(afs_ka, udp,7004,s0) -network_port(afs_pt, udp,7002,s0) -network_port(afs_vl, udp,7003,s0) -network_port(agentx, udp,705,s0, tcp,705,s0) -network_port(ajaxterm, tcp,8022,s0) -network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) -network_port(amavisd_recv, tcp,10024,s0) -network_port(amavisd_send, tcp,10025,s0) -network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) -network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) -network_port(apcupsd, tcp,3551,s0, udp,3551,s0) -network_port(apertus_ldp, tcp,539,s0, udp,539,s0) -network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) -network_port(audit, tcp,60,s0) -network_port(auth, tcp,113,s0) -network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) -network_port(boinc, tcp,31416,s0) -type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict -network_port(certmaster, tcp,51235,s0) -network_port(chronyd, udp,323,s0) -network_port(clamd, tcp,3310,s0) -network_port(clockspeed, udp,4041,s0) -network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) -network_port(cobbler, tcp,25151,s0) -network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0) -network_port(comsat, udp,512,s0) -network_port(cvs, tcp,2401,s0, udp,2401,s0) -network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -network_port(dbskkd, tcp,1178,s0) -network_port(dcc, udp,6276,s0, udp,6277,s0) -network_port(dccm, tcp,5679,s0, udp,5679,s0) -network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) -network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) -network_port(dict, tcp,2628,s0) -network_port(distccd, tcp,3632,s0) -network_port(dns, udp,53,s0, tcp,53,s0) -network_port(epmap, tcp,135,s0, udp,135,s0) -network_port(festival, tcp,1314,s0) -network_port(fingerd, tcp,79,s0) -network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) -network_port(ftp_data, tcp,20,s0) -network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -network_port(giftd, tcp,1213,s0) -network_port(git, tcp,9418,s0, udp,9418,s0) -network_port(gopher, tcp,70,s0, udp,70,s0) -network_port(gpsd, tcp,2947,s0) -network_port(hddtemp, tcp,7634,s0) -network_port(howl, tcp,5335,s0, udp,5353,s0) -network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port -network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy -network_port(i18n_input, tcp,9010,s0) -network_port(imaze, tcp,5323,s0, udp,5323,s0) -network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -network_port(innd, tcp,119,s0) -network_port(ipmi, udp,623,s0, udp,664,s0) -network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) -network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -network_port(ircd, tcp,6667,s0) -network_port(isakmp, udp,500,s0) -network_port(iscsi, tcp,3260,s0) -network_port(isns, tcp,3205,s0, udp,3205,s0) -network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) -network_port(jabber_interserver, tcp,5269,s0) -network_port(jabber_router, tcp,5347,s0) -network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) -network_port(kerberos_admin, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) -network_port(kerberos_password, tcp,464,s0, udp,464,s0) -network_port(kismet, tcp,2501,s0) -network_port(kprop, tcp,754,s0) -network_port(ktalkd, udp,517,s0, udp,518,s0) -network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) -network_port(lirc, tcp,8765,s0) -network_port(luci, tcp,8084,s0) -network_port(lmtp, tcp,24,s0, udp,24,s0) -type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -network_port(mail, tcp,2000,s0, tcp,3905,s0) -network_port(memcache, tcp,11211,s0, udp,11211,s0) -network_port(mmcc, tcp,5050,s0, udp,5050,s0) -network_port(monopd, tcp,1234,s0) -network_port(mpd, tcp,6600,s0) -network_port(msnp, tcp,1863,s0, udp,1863,s0) -network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -network_port(munin, tcp,4949,s0, udp,4949,s0) -network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) -network_port(mysqlmanagerd, tcp,2273,s0) -network_port(nessus, tcp,1241,s0) -network_port(netport, tcp,3129,s0, udp,3129,s0) -network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) -network_port(nmbd, udp,137,s0, udp,138,s0) -network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) -network_port(ntp, udp,123,s0) -network_port(ocsp, tcp,9080,s0) -network_port(openvpn, tcp,1194,s0, udp,1194,s0) -network_port(pegasus_http, tcp,5988,s0) -network_port(pegasus_https, tcp,5989,s0) -network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) -network_port(pingd, tcp,9125,s0) -network_port(piranha, tcp,3636,s0) -network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) -network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) -network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) -network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0) -network_port(pki_ra, tcp,12888-12889,s0) -network_port(pki_tps, tcp,7888-7889,s0) -network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) -network_port(portmap, udp,111,s0, tcp,111,s0) -network_port(postfix_policyd, tcp,10031,s0) -network_port(postgresql, tcp,5432,s0) -network_port(postgrey, tcp,60000,s0) -network_port(prelude, tcp,4690,s0, udp,4690,s0) -network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) -network_port(printer, tcp,515,s0) -network_port(ptal, tcp,5703,s0) -network_port(pulseaudio, tcp,4713,s0) -network_port(puppet, tcp, 8140, s0) -network_port(pxe, udp,4011,s0) -network_port(pyzor, udp,24441,s0) -network_port(radacct, udp,1646,s0, udp,1813,s0) -network_port(radius, udp,1645,s0, udp,1812,s0) -network_port(radsec, tcp,2083,s0) -network_port(razor, tcp,2703,s0) -network_port(ricci, tcp,11111,s0, udp,11111,s0) -network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) -network_port(rlogind, tcp,513,s0) -network_port(rndc, tcp,953,s0) -network_port(router, udp,520-521,s0, tcp,521,s0) -network_port(rsh, tcp,514,s0) -network_port(rsync, tcp,873,s0, udp,873,s0) -network_port(rwho, udp,513,s0) -network_port(sap, tcp,9875,s0, udp,9875,s0) -network_port(sametime, tcp,1533,s0, udp,1533,s0) -network_port(sieve, tcp,4190,s0) -network_port(sip, tcp,5060-5061,s0, udp,5060-5061,s0) -network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) -network_port(smbd, tcp,137-139,s0, tcp,445,s0) -network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0) -type socks_port_t, port_type; dnl network_port(socks) # no defined portcon -network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) -network_port(spamd, tcp,783,s0) -network_port(speech, tcp,8036,s0) -network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp -network_port(ssh, tcp,22,s0) -network_port(streaming, tcp, 1755, s0, udp, 1755, s0) -type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -network_port(swat, tcp,901,s0) -network_port(sype, tcp,9911,s0, udp,9911,s0) -network_port(syslogd, udp,514,s0) -network_port(telnetd, tcp,23,s0) -network_port(tftp, udp,69,s0) -network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) -network_port(traceroute, udp,64000-64010,s0) -network_port(transproxy, tcp,8081,s0) -network_port(ups, tcp,3493,s0) -type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon -network_port(uucpd, tcp,540,s0) -network_port(varnishd, tcp,6081-6082,s0) -network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) -network_port(virt_migration, tcp,49152-49216,s0) -network_port(vnc, tcp,5900-5999,s0) -network_port(wccp, udp,2048,s0) -network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) -network_port(xdmcp, udp,177,s0, tcp,177,s0) -network_port(xen, tcp,8002,s0) -network_port(xfs, tcp,7100,s0) -network_port(xserver, tcp,6000-6150,s0) -network_port(zarafa, tcp,236,s0) -network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) -network_port(zope, tcp,8021,s0) - -# Defaults for reserved ports. Earlier portcon entries take precedence; -# these entries just cover any remaining reserved ports not otherwise declared. - -portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) -portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) -portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) -portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) - -######################################## -# -# Network nodes -# - -# -# node_t is the default type of network nodes. -# The node_*_t types are used for specific network -# nodes in net_contexts or net_contexts.mls. -# -type node_t, node_type; -typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t }; -sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) - -# network_node examples: -#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) -#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) - -######################################## -# -# Network Interfaces -# - -# -# netif_t is the default type of network interfaces. -# -type netif_t, netif_type; -sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) - -build_option(`enable_mls',` -network_interface(lo, lo, s0 - mls_systemhigh) -',` -typealias netif_t alias { lo_netif_t netif_lo_t }; -') - -######################################## -# -# Unconfined access to this module -# - -allow corenet_unconfined_type node_type:node *; -allow corenet_unconfined_type netif_type:netif *; -allow corenet_unconfined_type packet_type:packet *; -allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; -allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; - -# Bind to any network address. -allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 deleted file mode 100644 index 35fed4f..0000000 --- a/policy/modules/kernel/corenetwork.te.m4 +++ /dev/null @@ -1,105 +0,0 @@ -# -# shiftn(num,list...) -# -# shift the list num times -# -define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') - -# -# range_start(num) -# -# return the low port in a range. -# -# range_start(600) returns "600" -# range_start(1200-1600) returns "1200" -# -define(`range_start',`ifelse(-1,index(`$1', `-'),$1,substr($1,0,index(`$1', `-')))') - -# -# build_option(option_name,true,[false]) -# -# makes an ifdef. hacky quoting changes because with -# regular quoting, the macros in $2 and $3 will not be expanded -# -define(`build_option',`dnl -changequote([,])dnl -[ifdef(`$1',`] -changequote(`,')dnl -$2 -changequote([,])dnl -[',`] -changequote(`,')dnl -$3 -changequote([,])dnl -[')] -changequote(`,')dnl -') - -define(`declare_netifs',`dnl -netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3) -ifelse(`$4',`',`',`declare_netifs($1,shiftn(3,$*))')dnl -') - -# -# network_interface(if_name,linux_interface,mls_sensitivity) -# -define(`network_interface',` -gen_require(``type unlabeled_t;'') -type $1_netif_t alias netif_$1_t, netif_type; -declare_netifs($1_netif_t,shift($*)) -') - -define(`network_interface_controlled',` -ifdef(`__network_enabled_declared__',`',` -## -##

-## Enable network traffic on all controlled interfaces. -##

-##
-gen_bool(network_enabled, true) -define(`__network_enabled_declared__') -') -gen_require(``type unlabeled_t;'') -type $1_netif_t alias netif_$1_t, netif_type; -declare_netifs($1_netif_t,shift($*)) -') - -define(`declare_nodes',`dnl -nodecon $3 $4 gen_context(system_u:object_r:$1,$2) -ifelse(`$5',`',`',`declare_nodes($1,shiftn(4,$*))')dnl -') - -# -# network_node(node_name,mls_sensitivity,address,netmask[, mls_sensitivity,address,netmask, [...]]) -# -define(`network_node',` -type $1_node_t alias node_$1_t, node_type; -declare_nodes($1_node_t,shift($*)) -') - -# bindresvport in glibc starts searching for reserved ports at 512 -define(`declare_ports',`dnl -ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type; -ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl') -',`dnl') -portcon $2 $3 gen_context(system_u:object_r:$1,$4) -ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl -') - -# -# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]]) -# -define(`network_port',` -type $1_port_t, port_type; -type $1_client_packet_t, packet_type, client_packet_type; -type $1_server_packet_t, packet_type, server_packet_type; -declare_ports($1_port_t,shift($*))dnl -') - -# -# network_packet(packet_name) -# -define(`network_packet',` -type $1_client_packet_t, packet_type, client_packet_type; -type $1_server_packet_t, packet_type, server_packet_type; -') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc deleted file mode 100644 index 7c29e17..0000000 --- a/policy/modules/kernel/devices.fc +++ /dev/null @@ -1,198 +0,0 @@ - -/dev -d gen_context(system_u:object_r:device_t,s0) -/dev/.* gen_context(system_u:object_r:device_t,s0) - -/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0) -/dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/amixer.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0) -/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) -/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) -/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) -/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0) -/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) -/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) -/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) -/dev/full -c gen_context(system_u:object_r:null_device_t,s0) -/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) -/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) -/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) -/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) -/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) -/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) -/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) -/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) -/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) -/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0) -/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) -/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) -/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) -/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) -/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) -/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) -/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) -/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) -/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) -/dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) -/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) -/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) -/dev/null -c gen_context(system_u:object_r:null_device_t,s0) -/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) -/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) -/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) -/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) -/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) -/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) -/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/random -c gen_context(system_u:object_r:random_device_t,s0) -/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0) -/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0) -/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/smu -c gen_context(system_u:object_r:power_device_t,s0) -/dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) -/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) -/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0) -/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) -/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) -/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) -ifdef(`distro_suse', ` -/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -') -/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) -/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) -/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) -/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0) -/dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) -/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) - -/dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) - -/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) - -/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0) -/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) - -/dev/biometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) - -/dev/dri/.+ -c gen_context(system_u:object_r:dri_device_t,s0) - -/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) - -/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0) -/dev/input/m.* -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) -/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) -/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) - -/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) - -/dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0) - -/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - -/dev/mqueue(/.*)? <> -/dev/pts(/.*)? <> - -/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) - -/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) - -/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) -/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) -/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) - -/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) -/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) - -/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) - -/lib/udev/devices(/.*) gen_context(system_u:object_r:device_t,s0) - -# used by init scripts to initally populate udev /dev -/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) -/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) -/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) - -ifdef(`distro_redhat',` -# originally from named.fc -/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) -/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) -/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) -/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) -') - -# -# /sys -# -/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if deleted file mode 100644 index b92327e..0000000 --- a/policy/modules/kernel/devices.if +++ /dev/null @@ -1,5402 +0,0 @@ -## -## Device nodes and interfaces for many basic system devices. -## -## -##

-## This module creates the device node concept and provides -## the policy for many of the device files. Notable exceptions are -## the mass storage and terminal devices that are covered by other -## modules. -##

-##

-## This module creates the concept of a device node. That is a -## char or block device file, usually in /dev. All types that -## are used to label device nodes should use the dev_node macro. -##

-##

-## Additionally, this module controls access to three things: -##

    -##
  • the device directories containing device nodes
  • -##
  • device nodes as a group
  • -##
  • individual access to specific device nodes covered by -## this module.
  • -##
-##

-##
-## -## Depended on by other required modules. -## - -######################################## -## -## Make the specified type usable for device -## nodes in a filesystem. -## -## -##

-## Make the specified type usable for device nodes -## in a filesystem. Types used for device nodes that -## do not use this interface, or an interface that -## calls this one, will have unexpected behaviors -## while the system is running. -##

-##

-## Example: -##

-##

-## type mydev_t; -## dev_node(mydev_t) -## allow mydomain_t mydev_t:chr_file read_chr_file_perms; -##

-##

-## Related interfaces: -##

-##
    -##
  • term_tty()
  • -##
  • term_pty()
  • -##
-##
-## -## -## Type to be used for device nodes. -## -## -## -# -interface(`dev_node',` - gen_require(` - attribute device_node; - ') - - typeattribute $1 device_node; -') - -######################################## -## -## Associate the specified file type with device filesystem. -## -## -## -## The type of the file to be associated. -## -## -# -interface(`dev_associate',` - gen_require(` - type device_t; - ') - - allow $1 device_t:filesystem associate; - fs_associate_tmpfs($1) #For backwards compatibility -') - -######################################## -## -## Mount a filesystem on /dev -## -## -## -## Domain allow access. -## -## -# -interface(`dev_mounton',` - gen_require(` - type device_t; - ') - - allow $1 device_t:dir mounton; -') - -######################################## -## -## Allow full relabeling (to and from) of all device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`dev_relabel_all_dev_nodes',` - gen_require(` - attribute device_node; - type device_t; - ') - - relabelfrom_dirs_pattern($1, device_t, device_node) - relabelfrom_files_pattern($1, device_t, device_node) - relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_fifo_files_pattern($1, device_t, device_node) - relabelfrom_sock_files_pattern($1, device_t, device_node) - relabel_blk_files_pattern($1, device_t, { device_t device_node }) - relabel_chr_files_pattern($1, device_t, { device_t device_node }) -') - -######################################## -## -## List all of the device nodes in a device directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_list_all_dev_nodes',` - gen_require(` - type device_t; - ') - - list_dirs_pattern($1, device_t, device_t) - read_lnk_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Set the attributes of /dev directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_generic_dirs',` - gen_require(` - type device_t; - ') - - setattr_dirs_pattern($1, device_t, device_t) -') - -######################################## -## -## Dontaudit attempts to list all device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_list_all_dev_nodes',` - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:dir list_dir_perms; -') - -######################################## -## -## Add entries to directories in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_add_entry_generic_dirs',` - gen_require(` - type device_t; - ') - - allow $1 device_t:dir add_entry_dir_perms; -') - -######################################## -## -## Add entries to directories in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_remove_entry_generic_dirs',` - gen_require(` - type device_t; - ') - - allow $1 device_t:dir del_entry_dir_perms; -') - -######################################## -## -## Create a directory in the device directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_create_generic_dirs',` - gen_require(` - type device_t; - ') - - allow $1 device_t:dir list_dir_perms; - create_dirs_pattern($1, device_t, device_t) -') - -######################################## -## -## Delete a directory in the device directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_delete_generic_dirs',` - gen_require(` - type device_t; - ') - - delete_dirs_pattern($1, device_t, device_t) -') - -######################################## -## -## Manage of directories in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_generic_dirs',` - gen_require(` - type device_t; - ') - - manage_dirs_pattern($1, device_t, device_t) -') - -######################################## -## -## Allow full relabeling (to and from) of directories in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_relabel_generic_dev_dirs',` - gen_require(` - type device_t; - ') - - relabel_dirs_pattern($1, device_t, device_t) -') - -######################################## -## -## dontaudit getattr generic files in /dev. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_generic_files',` - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:file getattr; -') - -######################################## -## -## read generic files in /dev. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_read_generic_files',` - gen_require(` - type device_t; - ') - - read_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Read and write generic files in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_generic_files',` - gen_require(` - type device_t; - ') - - rw_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Delete generic files in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_delete_generic_files',` - gen_require(` - type device_t; - ') - - delete_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Create a file in the device directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_generic_files',` - gen_require(` - type device_t; - ') - - manage_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Dontaudit getattr on generic pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_generic_pipes',` - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:fifo_file getattr; -') - -######################################## -## -## Allow getattr on generic block devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_generic_blk_files',` - gen_require(` - type device_t; - ') - - getattr_blk_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Dontaudit getattr on generic block devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_generic_blk_files',` - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:blk_file getattr; -') - -######################################## -## -## Dontaudit setattr on generic block devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_setattr_generic_blk_files',` - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:blk_file setattr; -') - -######################################## -## -## Create generic block device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_create_generic_blk_files',` - gen_require(` - type device_t; - ') - - create_blk_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Delete generic block device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_delete_generic_blk_files',` - gen_require(` - type device_t; - ') - - delete_blk_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Allow getattr for generic character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_generic_chr_files',` - gen_require(` - type device_t; - ') - - getattr_chr_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Allow relablefrom for generic character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_relabelfrom_generic_chr_files',` - gen_require(` - type device_t; - ') - - allow $1 device_t:chr_file relabelfrom; -') - -######################################## -## -## Dontaudit getattr for generic character device files. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_generic_chr_files',` - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:chr_file getattr; -') - -######################################## -## -## Dontaudit setattr for generic character device files. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_setattr_generic_chr_files',` - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:chr_file setattr; -') - -######################################## -## -## Read generic character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_generic_chr_files',` - gen_require(` - type device_t; - ') - - allow $1 device_t:chr_file read_chr_file_perms; -') - -######################################## -## -## Read and write generic character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_generic_chr_files',` - gen_require(` - type device_t; - ') - - allow $1 device_t:chr_file rw_chr_file_perms; -') - -######################################## -## -## Read and write generic block device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_generic_blk_files',` - gen_require(` - type device_t; - ') - - allow $1 device_t:blk_file rw_chr_file_perms; -') - -######################################## -## -## Dontaudit attempts to read/write generic character device files. -## -## -## -## Domain to dontaudit access. -## -## -# -interface(`dev_dontaudit_rw_generic_chr_files',` - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:chr_file rw_chr_file_perms; -') - -######################################## -## -## Create generic character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_create_generic_chr_files',` - gen_require(` - type device_t; - ') - - create_chr_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Delete generic character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_delete_generic_chr_files',` - gen_require(` - type device_t; - ') - - delete_chr_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Do not audit attempts to set the attributes -## of symbolic links in device directories (/dev). -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_setattr_generic_symlinks',` - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:lnk_file setattr; -') - -######################################## -## -## Create symbolic links in device directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_create_generic_symlinks',` - gen_require(` - type device_t; - ') - - create_lnk_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Delete symbolic links in device directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_delete_generic_symlinks',` - gen_require(` - type device_t; - ') - - delete_lnk_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Read symbolic links in device directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_generic_symlinks',` - gen_require(` - type device_t; - ') - - allow $1 device_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Create, delete, read, and write symbolic links in device directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_generic_symlinks',` - gen_require(` - type device_t; - ') - - manage_lnk_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Relabel symbolic links in device directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_relabel_generic_symlinks',` - gen_require(` - type device_t; - ') - - relabel_lnk_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Create, delete, read, and write device nodes in device directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_all_dev_nodes',` - gen_require(` - attribute device_node, memory_raw_read, memory_raw_write; - type device_t; - ') - - manage_dirs_pattern($1, device_t, device_t) - manage_sock_files_pattern($1, device_t, device_t) - manage_lnk_files_pattern($1, device_t, device_t) - manage_chr_files_pattern($1, device_t, { device_t device_node }) - manage_blk_files_pattern($1, device_t, { device_t device_node }) - relabel_dirs_pattern($1, device_t, device_t) - relabel_chr_files_pattern($1, device_t, { device_t device_node }) - relabel_blk_files_pattern($1, device_t, { device_t device_node }) - - # these next rules are to satisfy assertions broken by the above lines. - # the permissions hopefully can be cut back a lot - storage_raw_read_fixed_disk($1) - storage_raw_write_fixed_disk($1) - storage_read_scsi_generic($1) - storage_write_scsi_generic($1) - - typeattribute $1 memory_raw_read; - typeattribute $1 memory_raw_write; -') - -######################################## -## -## Dontaudit getattr for generic device files. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_rw_generic_dev_nodes',` - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl }; -') - -######################################## -## -## Create, delete, read, and write block device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_generic_blk_files',` - gen_require(` - type device_t; - ') - - manage_blk_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Create, delete, read, and write character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_generic_chr_files',` - gen_require(` - type device_t; - ') - - manage_chr_files_pattern($1, device_t, device_t) -') - -######################################## -## -## Create, read, and write device nodes. The node -## will be transitioned to the type provided. -## -## -## -## Domain allowed access. -## -## -## -## -## Type to which the created node will be transitioned. -## -## -## -## -## Object class(es) (single or set including {}) for which this -## the transition will occur. -## -## -# -interface(`dev_filetrans',` - gen_require(` - type device_t; - ') - - filetrans_pattern($1, device_t, $2, $3) - - dev_associate($2) - files_associate_tmp($2) -') - -######################################## -## -## Create, read, and write device nodes. The node -## will be transitioned to the type provided. This is -## a temporary interface until devtmpfs functionality -## fixed. -## -## -## -## Domain allowed access. -## -## -## -## -## Object class(es) (single or set including {}) for which this -## the transition will occur. -## -## -# -interface(`dev_tmpfs_filetrans_dev',` - gen_require(` - type device_t; - ') - - fs_tmpfs_filetrans($1, device_t, $2) -') - -######################################## -## -## Getattr on all block file device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`dev_getattr_all_blk_files',` - gen_require(` - attribute device_node; - type device_t; - ') - - getattr_blk_files_pattern($1, device_t, device_node) -') - -######################################## -## -## Dontaudit getattr on all block file device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_all_blk_files',` - gen_require(` - attribute device_node; - type device_t; - ') - - dontaudit $1 { device_t device_node }:blk_file getattr; -') - -######################################## -## -## Getattr on all character file device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`dev_getattr_all_chr_files',` - gen_require(` - attribute device_node; - ') - - getattr_chr_files_pattern($1, device_t, device_node) -') - -######################################## -## -## Dontaudit getattr on all character file device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_all_chr_files',` - gen_require(` - attribute device_node; - type device_t; - ') - - dontaudit $1 { device_t device_node }:chr_file getattr; -') - -######################################## -## -## Setattr on all block file device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`dev_setattr_all_blk_files',` - gen_require(` - attribute device_node; - ') - - setattr_blk_files_pattern($1, device_t, device_node) -') - -######################################## -## -## Setattr on all character file device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`dev_setattr_all_chr_files',` - gen_require(` - attribute device_node; - ') - - setattr_chr_files_pattern($1, device_t, device_node) -') - -######################################## -## -## Dontaudit read on all block file device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_read_all_blk_files',` - gen_require(` - attribute device_node; - ') - - dontaudit $1 device_node:blk_file { getattr read }; -') - -######################################## -## -## Dontaudit write on all block file device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_write_all_blk_files',` - gen_require(` - attribute device_node; - ') - - dontaudit $1 device_node:blk_file write; -') - -######################################## -## -## Dontaudit read on all character file device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_read_all_chr_files',` - gen_require(` - attribute device_node; - ') - - dontaudit $1 device_node:chr_file { getattr read }; -') - -######################################## -## -## Dontaudit write on all character file device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_write_all_chr_files',` - gen_require(` - attribute device_node; - ') - - dontaudit $1 device_node:chr_file write; -') - -######################################## -## -## Create all block device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_create_all_blk_files',` - gen_require(` - attribute device_node; - ') - - create_blk_files_pattern($1, device_t, device_node) -') - -######################################## -## -## Create all character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_create_all_chr_files',` - gen_require(` - attribute device_node; - ') - - create_chr_files_pattern($1, device_t, device_node) -') - -######################################## -## -## rw all inherited character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_all_inherited_chr_files',` - gen_require(` - attribute device_node; - ') - - allow $1 device_node:chr_file rw_inherited_chr_file_perms; -') - -######################################## -## -## rw all inherited blk device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_all_inherited_blk_files',` - gen_require(` - attribute device_node; - ') - - allow $1 device_node:blk_file rw_inherited_blk_file_perms; -') - -######################################## -## -## Delete all block device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_delete_all_blk_files',` - gen_require(` - attribute device_node; - ') - - delete_blk_files_pattern($1, device_t, device_node) -') - -######################################## -## -## Delete all character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_delete_all_chr_files',` - gen_require(` - attribute device_node; - ') - - delete_chr_files_pattern($1, device_t, device_node) -') - -######################################## -## -## Rename all block device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rename_all_blk_files',` - gen_require(` - attribute device_node; - ') - - rename_blk_files_pattern($1, device_t, device_node) -') - -######################################## -## -## Rename all character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rename_all_chr_files',` - gen_require(` - attribute device_node; - ') - - rename_chr_files_pattern($1, device_t, device_node) -') - -######################################## -## -## Read, write, create, and delete all block device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_all_blk_files',` - gen_require(` - attribute device_node; - ') - - manage_blk_files_pattern($1, device_t, device_node) - - # these next rules are to satisfy assertions broken by the above lines. - storage_raw_read_fixed_disk($1) - storage_raw_write_fixed_disk($1) - storage_read_scsi_generic($1) - storage_write_scsi_generic($1) -') - -######################################## -## -## Read, write, create, and delete all character device files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_all_chr_files',` - gen_require(` - attribute device_node, memory_raw_read, memory_raw_write; - ') - - manage_chr_files_pattern($1, device_t, device_node) - - typeattribute $1 memory_raw_read, memory_raw_write; -') - -######################################## -## -## Getattr the agp devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_agp_dev',` - gen_require(` - type device_t, agp_device_t; - ') - - getattr_chr_files_pattern($1, device_t, agp_device_t) -') - -######################################## -## -## Read and write the agp devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_agp',` - gen_require(` - type device_t, agp_device_t; - ') - - rw_chr_files_pattern($1, device_t, agp_device_t) -') - -######################################## -## -## Get the attributes of the apm bios device node. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_apm_bios_dev',` - gen_require(` - type device_t, apm_bios_t; - ') - - getattr_chr_files_pattern($1, device_t, apm_bios_t) -') - -######################################## -## -## Do not audit attempts to get the attributes of -## the apm bios device node. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_apm_bios_dev',` - gen_require(` - type apm_bios_t; - ') - - dontaudit $1 apm_bios_t:chr_file getattr; -') - -######################################## -## -## Set the attributes of the apm bios device node. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_apm_bios_dev',` - gen_require(` - type device_t, apm_bios_t; - ') - - setattr_chr_files_pattern($1, device_t, apm_bios_t) -') - -######################################## -## -## Do not audit attempts to set the attributes of -## the apm bios device node. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_setattr_apm_bios_dev',` - gen_require(` - type apm_bios_t; - ') - - dontaudit $1 apm_bios_t:chr_file setattr; -') - -######################################## -## -## Read and write the apm bios. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_apm_bios',` - gen_require(` - type device_t, apm_bios_t; - ') - - rw_chr_files_pattern($1, device_t, apm_bios_t) -') - -######################################## -## -## Get the attributes of the autofs device node. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_autofs_dev',` - gen_require(` - type device_t, autofs_device_t; - ') - - getattr_chr_files_pattern($1, device_t, autofs_device_t) -') - -######################################## -## -## Relable the autofs device node. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_relabel_autofs_dev',` - gen_require(` - type autofs_device_t; - ') - - allow $1 autofs_device_t:chr_file relabel_chr_file_perms; -') - -######################################## -## -## Do not audit attempts to get the attributes of -## the autofs device node. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_autofs_dev',` - gen_require(` - type autofs_device_t; - ') - - dontaudit $1 autofs_device_t:chr_file getattr; -') - -######################################## -## -## Set the attributes of the autofs device node. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_autofs_dev',` - gen_require(` - type device_t, autofs_device_t; - ') - - setattr_chr_files_pattern($1, device_t, autofs_device_t) -') - -######################################## -## -## Do not audit attempts to set the attributes of -## the autofs device node. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_setattr_autofs_dev',` - gen_require(` - type autofs_device_t; - ') - - dontaudit $1 autofs_device_t:chr_file setattr; -') - -######################################## -## -## Read and write the autofs device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_autofs',` - gen_require(` - type device_t, autofs_device_t; - ') - - rw_chr_files_pattern($1, device_t, autofs_device_t) -') - -######################################## -## -## Read and write the PCMCIA card manager device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_cardmgr',` - gen_require(` - type cardmgr_dev_t; - ') - - rw_chr_files_pattern($1, device_t, cardmgr_dev_t) -') - -######################################## -## -## Do not audit attempts to read and -## write the PCMCIA card manager device. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_rw_cardmgr',` - gen_require(` - type cardmgr_dev_t; - ') - - dontaudit $1 cardmgr_dev_t:chr_file { read write }; -') - -######################################## -## -## Create, read, write, and delete -## the PCMCIA card manager device -## with the correct type. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_create_cardmgr_dev',` - gen_require(` - type device_t, cardmgr_dev_t; - ') - - create_chr_files_pattern($1, device_t, cardmgr_dev_t) - create_blk_files_pattern($1, device_t, cardmgr_dev_t) -') - -######################################## -## -## Create, read, write, and delete -## the PCMCIA card manager device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_cardmgr_dev',` - gen_require(` - type device_t, cardmgr_dev_t; - ') - - manage_chr_files_pattern($1, device_t, cardmgr_dev_t) - manage_blk_files_pattern($1, device_t, cardmgr_dev_t) -') - -######################################## -## -## Automatic type transition to the type -## for PCMCIA card manager device nodes when -## created in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_filetrans_cardmgr',` - gen_require(` - type device_t, cardmgr_dev_t; - ') - - filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }) -') - -######################################## -## -## Get the attributes of the CPU -## microcode and id interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_cpu_dev',` - gen_require(` - type device_t, cpu_device_t; - ') - - getattr_chr_files_pattern($1, device_t, cpu_device_t) -') - -######################################## -## -## Set the attributes of the CPU -## microcode and id interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_cpu_dev',` - gen_require(` - type device_t, cpu_device_t; - ') - - setattr_chr_files_pattern($1, device_t, cpu_device_t) -') - -######################################## -## -## Read the CPU identity. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_cpuid',` - gen_require(` - type device_t, cpu_device_t; - ') - - read_chr_files_pattern($1, device_t, cpu_device_t) -') - -######################################## -## -## Read and write the the CPU microcode device. This -## is required to load CPU microcode. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_cpu_microcode',` - gen_require(` - type device_t, cpu_device_t; - ') - - rw_chr_files_pattern($1, device_t, cpu_device_t) -') - -######################################## -## -## Read and write the the hardware SSL accelerator. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_crypto',` - gen_require(` - type device_t, crypt_device_t; - ') - - rw_chr_files_pattern($1, device_t, crypt_device_t) -') - -####################################### -## -## Set the attributes of the dlm control devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_dlm_control',` - gen_require(` - type device_t, kvm_device_t; - ') - - setattr_chr_files_pattern($1, device_t, dlm_control_device_t) -') - -####################################### -## -## Read and write the the dlm control device -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_dlm_control',` - gen_require(` - type device_t, dlm_control_device_t; - ') - - rw_chr_files_pattern($1, device_t, dlm_control_device_t) -') - -######################################## -## -## getattr the dri devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_dri_dev',` - gen_require(` - type device_t, dri_device_t; - ') - - getattr_chr_files_pattern($1, device_t, dri_device_t) -') - -######################################## -## -## Setattr the dri devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_dri_dev',` - gen_require(` - type device_t, dri_device_t; - ') - - setattr_chr_files_pattern($1, device_t, dri_device_t) -') - -######################################## -## -## Read and write the dri devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_dri',` - gen_require(` - type device_t, dri_device_t; - ') - - rw_chr_files_pattern($1, device_t, dri_device_t) -') - -######################################## -## -## Dontaudit read and write on the dri devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_rw_dri',` - gen_require(` - type dri_device_t; - ') - - dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; -') - -######################################## -## -## Create, read, write, and delete the dri devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_dri_dev',` - gen_require(` - type device_t, dri_device_t; - ') - - manage_chr_files_pattern($1, device_t, dri_device_t) -') - -######################################## -## -## Automatic type transition to the type -## for DRI device nodes when created in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_filetrans_dri',` - gen_require(` - type device_t, dri_device_t; - ') - - filetrans_pattern($1, device_t, dri_device_t, chr_file) -') - -######################################## -## -## Get the attributes of the event devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_input_dev',` - gen_require(` - type device_t, event_device_t; - ') - - allow $1 device_t:dir list_dir_perms; - allow $1 event_device_t:chr_file getattr; -') - -######################################## -## -## Set the attributes of the event devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_input_dev',` - gen_require(` - type device_t, event_device_t; - ') - - allow $1 device_t:dir list_dir_perms; - allow $1 event_device_t:chr_file setattr; -') - -######################################## -## -## Read input event devices (/dev/input). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_input',` - gen_require(` - type device_t, event_device_t; - ') - - read_chr_files_pattern($1, device_t, event_device_t) -') - -######################################## -## -## Read input event devices (/dev/input). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_input_dev',` - gen_require(` - type device_t, event_device_t; - ') - - rw_chr_files_pattern($1, device_t, event_device_t) -') - -######################################## -## -## Get the attributes of the framebuffer device node. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_framebuffer_dev',` - gen_require(` - type device_t, framebuf_device_t; - ') - - getattr_chr_files_pattern($1, device_t, framebuf_device_t) -') - -######################################## -## -## Set the attributes of the framebuffer device node. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_framebuffer_dev',` - gen_require(` - type device_t, framebuf_device_t; - ') - - setattr_chr_files_pattern($1, device_t, framebuf_device_t) -') - -######################################## -## -## Dot not audit attempts to set the attributes -## of the framebuffer device node. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_setattr_framebuffer_dev',` - gen_require(` - type framebuf_device_t; - ') - - dontaudit $1 framebuf_device_t:chr_file setattr; -') - -######################################## -## -## Read the framebuffer. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_framebuffer',` - gen_require(` - type framebuf_device_t; - ') - - read_chr_files_pattern($1, device_t, framebuf_device_t) -') - -######################################## -## -## Do not audit attempts to read the framebuffer. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_read_framebuffer',` - gen_require(` - type framebuf_device_t; - ') - - dontaudit $1 framebuf_device_t:chr_file { getattr read }; -') - -######################################## -## -## Write the framebuffer. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_framebuffer',` - gen_require(` - type device_t, framebuf_device_t; - ') - - write_chr_files_pattern($1, device_t, framebuf_device_t) -') - -######################################## -## -## Read and write the framebuffer. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_framebuffer',` - gen_require(` - type device_t, framebuf_device_t; - ') - - rw_chr_files_pattern($1, device_t, framebuf_device_t) -') - -######################################## -## -## Read the kernel messages -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_kmsg',` - gen_require(` - type device_t, kmsg_device_t; - ') - - read_chr_files_pattern($1, device_t, kmsg_device_t) -') - -######################################## -## -## Write to the kernel messages device -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_kmsg',` - gen_require(` - type device_t, kmsg_device_t; - ') - - write_chr_files_pattern($1, device_t, kmsg_device_t) -') - -######################################## -## -## Get the attributes of the ksm devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_ksm_dev',` - gen_require(` - type device_t, ksm_device_t; - ') - - getattr_chr_files_pattern($1, device_t, ksm_device_t) -') - -######################################## -## -## Set the attributes of the ksm devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_ksm_dev',` - gen_require(` - type device_t, ksm_device_t; - ') - - setattr_chr_files_pattern($1, device_t, ksm_device_t) -') - -######################################## -## -## Read the ksm devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_ksm',` - gen_require(` - type device_t, ksm_device_t; - ') - - read_chr_files_pattern($1, device_t, ksm_device_t) -') - -######################################## -## -## Read and write to ksm devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_ksm',` - gen_require(` - type device_t, ksm_device_t; - ') - - rw_chr_files_pattern($1, device_t, ksm_device_t) -') - -######################################## -## -## Get the attributes of the kvm devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_kvm_dev',` - gen_require(` - type device_t, kvm_device_t; - ') - - getattr_chr_files_pattern($1, device_t, kvm_device_t) -') - -######################################## -## -## Set the attributes of the kvm devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_kvm_dev',` - gen_require(` - type device_t, kvm_device_t; - ') - - setattr_chr_files_pattern($1, device_t, kvm_device_t) -') - -######################################## -## -## Read the kvm devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_kvm',` - gen_require(` - type device_t, kvm_device_t; - ') - - read_chr_files_pattern($1, device_t, kvm_device_t) -') - -######################################## -## -## Read and write to kvm devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_kvm',` - gen_require(` - type device_t, kvm_device_t; - ') - - rw_chr_files_pattern($1, device_t, kvm_device_t) -') - -###################################### -## -## Read the lirc device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_lirc',` - gen_require(` - type device_t, lirc_device_t; - ') - - read_chr_files_pattern($1, device_t, lirc_device_t) -') - -###################################### -## -## Read and write the lirc device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_lirc',` - gen_require(` - type device_t, lirc_device_t; - ') - - rw_chr_files_pattern($1, device_t, lirc_device_t) -') - -###################################### -## -## Automatic type transition to the type -## for lirc device nodes when created in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_filetrans_lirc',` - gen_require(` - type device_t, lirc_device_t; - ') - - filetrans_pattern($1, device_t, lirc_device_t, chr_file) -') - -######################################## -## -## Get the attributes of the lvm comtrol device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_lvm_control',` - gen_require(` - type device_t, lvm_control_t; - ') - - getattr_chr_files_pattern($1, device_t, lvm_control_t) -') - -######################################## -## -## Read the lvm comtrol device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_lvm_control',` - gen_require(` - type device_t, lvm_control_t; - ') - - read_chr_files_pattern($1, device_t, lvm_control_t) -') - -######################################## -## -## Read and write the lvm control device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_lvm_control',` - gen_require(` - type device_t, lvm_control_t; - ') - - rw_chr_files_pattern($1, device_t, lvm_control_t) -') - -######################################## -## -## Do not audit attempts to read and write lvm control device. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_rw_lvm_control',` - gen_require(` - type lvm_control_t; - ') - - dontaudit $1 lvm_control_t:chr_file rw_file_perms; -') - -######################################## -## -## Delete the lvm control device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_delete_lvm_control_dev',` - gen_require(` - type device_t, lvm_control_t; - ') - - delete_chr_files_pattern($1, device_t, lvm_control_t) -') - -######################################## -## -## dontaudit getattr raw memory devices (e.g. /dev/mem). -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_memory_dev',` - gen_require(` - type memory_device_t; - ') - - dontaudit $1 memory_device_t:chr_file getattr; -') - -######################################## -## -## Read raw memory devices (e.g. /dev/mem). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_raw_memory',` - gen_require(` - type device_t, memory_device_t; - attribute memory_raw_read; - ') - - read_chr_files_pattern($1, device_t, memory_device_t) - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_read; -') - -######################################## -## -## Do not audit attempts to read raw memory devices -## (e.g. /dev/mem). -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_read_raw_memory',` - gen_require(` - type memory_device_t; - ') - - dontaudit $1 memory_device_t:chr_file read_chr_file_perms; -') - -######################################## -## -## Write raw memory devices (e.g. /dev/mem). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_raw_memory',` - gen_require(` - type device_t, memory_device_t; - attribute memory_raw_write; - ') - - write_chr_files_pattern($1, device_t, memory_device_t) - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_write; -') - -######################################## -## -## Read and execute raw memory devices (e.g. /dev/mem). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rx_raw_memory',` - gen_require(` - type device_t, memory_device_t; - ') - - dev_read_raw_memory($1) - allow $1 memory_device_t:chr_file execute; -') - -######################################## -## -## Write and execute raw memory devices (e.g. /dev/mem). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_wx_raw_memory',` - gen_require(` - type device_t, memory_device_t; - ') - - dev_write_raw_memory($1) - allow $1 memory_device_t:chr_file execute; -') - -######################################## -## -## Get the attributes of miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_misc_dev',` - gen_require(` - type device_t, misc_device_t; - ') - - getattr_chr_files_pattern($1, device_t, misc_device_t) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of miscellaneous devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_misc_dev',` - gen_require(` - type misc_device_t; - ') - - dontaudit $1 misc_device_t:chr_file getattr; -') - -######################################## -## -## Set the attributes of miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_misc_dev',` - gen_require(` - type device_t, misc_device_t; - ') - - setattr_chr_files_pattern($1, device_t, misc_device_t) -') - -######################################## -## -## Do not audit attempts to set the attributes -## of miscellaneous devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_setattr_misc_dev',` - gen_require(` - type misc_device_t; - ') - - dontaudit $1 misc_device_t:chr_file setattr; -') - -######################################## -## -## Read miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_misc',` - gen_require(` - type device_t, misc_device_t; - ') - - read_chr_files_pattern($1, device_t, misc_device_t) -') - -######################################## -## -## Write miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_misc',` - gen_require(` - type device_t, misc_device_t; - ') - - write_chr_files_pattern($1, device_t, misc_device_t) -') - -######################################## -## -## Do not audit attempts to read and write miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_dontaudit_rw_misc',` - gen_require(` - type misc_device_t; - ') - - dontaudit $1 misc_device_t:chr_file rw_file_perms; -') - -######################################## -## -## Get the attributes of the modem devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_modem_dev',` - gen_require(` - type device_t, modem_device_t; - ') - - getattr_chr_files_pattern($1, device_t, modem_device_t) -') - -######################################## -## -## Set the attributes of the modem devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_modem_dev',` - gen_require(` - type device_t, modem_device_t; - ') - - setattr_chr_files_pattern($1, device_t, modem_device_t) -') - -######################################## -## -## Read the modem devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_modem',` - gen_require(` - type device_t, modem_device_t; - ') - - read_chr_files_pattern($1, device_t, modem_device_t) -') - -######################################## -## -## Read and write to modem devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_modem',` - gen_require(` - type device_t, modem_device_t; - ') - - rw_chr_files_pattern($1, device_t, modem_device_t) -') - -######################################## -## -## Get the attributes of the mouse devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_mouse_dev',` - gen_require(` - type device_t, mouse_device_t; - ') - - getattr_chr_files_pattern($1, device_t, mouse_device_t) -') - -######################################## -## -## Set the attributes of the mouse devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_mouse_dev',` - gen_require(` - type device_t, mouse_device_t; - ') - - setattr_chr_files_pattern($1, device_t, mouse_device_t) -') - -######################################## -## -## Read the mouse devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_mouse',` - gen_require(` - type device_t, mouse_device_t; - ') - - read_chr_files_pattern($1, device_t, mouse_device_t) -') - -######################################## -## -## Read and write to mouse devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_mouse',` - gen_require(` - type device_t, mouse_device_t; - ') - - rw_chr_files_pattern($1, device_t, mouse_device_t) -') - -######################################## -## -## Get the attributes of the memory type range -## registers (MTRR) device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_mtrr_dev',` - gen_require(` - type device_t, mtrr_device_t; - ') - - getattr_files_pattern($1, device_t, mtrr_device_t) - getattr_chr_files_pattern($1, device_t, mtrr_device_t) -') - -######################################## -## -## Read the memory type range -## registers (MTRR). (Deprecated) -## -## -##

-## Read the memory type range -## registers (MTRR). This interface has -## been deprecated, dev_rw_mtrr() should be -## used instead. -##

-##

-## The MTRR device ioctls can be used for -## reading and writing; thus, read access to the -## device cannot be separated from write access. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`dev_read_mtrr',` - refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') - dev_rw_mtrr($1) -') - -######################################## -## -## Write the memory type range -## registers (MTRR). (Deprecated) -## -## -##

-## Write the memory type range -## registers (MTRR). This interface has -## been deprecated, dev_rw_mtrr() should be -## used instead. -##

-##

-## The MTRR device ioctls can be used for -## reading and writing; thus, write access to the -## device cannot be separated from read access. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`dev_write_mtrr',` - refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') - dev_rw_mtrr($1) -') - -######################################## -## -## Do not audit attempts to write the memory type -## range registers (MTRR). -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_write_mtrr',` - gen_require(` - type mtrr_device_t; - ') - - dontaudit $1 mtrr_device_t:file write; - dontaudit $1 mtrr_device_t:chr_file write; -') - -######################################## -## -## Read and write the memory type range registers (MTRR). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_mtrr',` - gen_require(` - type device_t, mtrr_device_t; - ') - - rw_files_pattern($1, device_t, mtrr_device_t) - rw_chr_files_pattern($1, device_t, mtrr_device_t) -') - -######################################## -## -## Get the attributes of the network control device -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_netcontrol_dev',` - gen_require(` - type device_t, netcontrol_device_t; - ') - - getattr_chr_files_pattern($1, device_t, netcontrol_device_t) -') - -######################################## -## -## Read the network control identity. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_netcontrol',` - gen_require(` - type device_t, netcontrol_device_t; - ') - - read_chr_files_pattern($1, device_t, netcontrol_device_t) -') - -######################################## -## -## Read and write the the network control device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_netcontrol',` - gen_require(` - type device_t, netcontrol_device_t; - ') - - rw_chr_files_pattern($1, device_t, netcontrol_device_t) -') - -######################################## -## -## Get the attributes of the null device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_null_dev',` - gen_require(` - type device_t, null_device_t; - ') - - getattr_chr_files_pattern($1, device_t, null_device_t) -') - -######################################## -## -## Set the attributes of the null device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_null_dev',` - gen_require(` - type device_t, null_device_t; - ') - - setattr_chr_files_pattern($1, device_t, null_device_t) -') - -######################################## -## -## Delete the null device (/dev/null). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_delete_null',` - gen_require(` - type device_t, null_device_t; - ') - - delete_chr_files_pattern($1, device_t, null_device_t) -') - -######################################## -## -## Read and write to the null device (/dev/null). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_null',` - gen_require(` - type device_t, null_device_t; - ') - - rw_chr_files_pattern($1, device_t, null_device_t) -') - -######################################## -## -## Create the null device (/dev/null). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_create_null_dev',` - gen_require(` - type device_t, null_device_t; - ') - - create_chr_files_pattern($1, device_t, null_device_t) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of the BIOS non-volatile RAM device. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_nvram_dev',` - gen_require(` - type nvram_device_t; - ') - - dontaudit $1 nvram_device_t:chr_file getattr; -') - -######################################## -## -## Read and write BIOS non-volatile RAM. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_nvram',` - gen_require(` - type nvram_device_t; - ') - - rw_chr_files_pattern($1, device_t, nvram_device_t) -') - -######################################## -## -## Get the attributes of the printer device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_printer_dev',` - gen_require(` - type device_t, printer_device_t; - ') - - getattr_chr_files_pattern($1, device_t, printer_device_t) -') - -######################################## -## -## Set the attributes of the printer device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_printer_dev',` - gen_require(` - type device_t, printer_device_t; - ') - - setattr_chr_files_pattern($1, device_t, printer_device_t) -') - -######################################## -## -## Append the printer device. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for lpd/checkpc_t -interface(`dev_append_printer',` - gen_require(` - type device_t, printer_device_t; - ') - - append_chr_files_pattern($1, device_t, printer_device_t) -') - -######################################## -## -## Read and write the printer device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_printer',` - gen_require(` - type device_t, printer_device_t; - ') - - rw_chr_files_pattern($1, device_t, printer_device_t) -') - -######################################## -## -## Read printk devices (e.g., /dev/kmsg /dev/mcelog) -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_printk',` - gen_require(` - type device_t, printk_device_t; - ') - - read_chr_files_pattern($1, device_t, printk_device_t) -') - -######################################## -## -## Get the attributes of the QEMU -## microcode and id interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_qemu_dev',` - gen_require(` - type device_t, qemu_device_t; - ') - - getattr_chr_files_pattern($1, device_t, qemu_device_t) -') - -######################################## -## -## Set the attributes of the QEMU -## microcode and id interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_qemu_dev',` - gen_require(` - type device_t, qemu_device_t; - ') - - setattr_chr_files_pattern($1, device_t, qemu_device_t) -') - -######################################## -## -## Read the QEMU device -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_qemu',` - gen_require(` - type device_t, qemu_device_t; - ') - - read_chr_files_pattern($1, device_t, qemu_device_t) -') - -######################################## -## -## Read and write the the QEMU device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_qemu',` - gen_require(` - type device_t, qemu_device_t; - ') - - rw_chr_files_pattern($1, device_t, qemu_device_t) -') - -######################################## -## -## Read from random number generator -## devices (e.g., /dev/random). -## -## -##

-## Allow the specified domain to read from random number -## generator devices (e.g., /dev/random). Typically this is -## used in situations when a cryptographically secure random -## number is needed. -##

-##

-## Related interface: -##

-##
    -##
  • dev_read_urand()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`dev_read_rand',` - gen_require(` - type device_t, random_device_t; - ') - - read_chr_files_pattern($1, device_t, random_device_t) -') - -######################################## -## -## Do not audit attempts to read from random -## number generator devices (e.g., /dev/random) -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_read_rand',` - gen_require(` - type random_device_t; - ') - - dontaudit $1 random_device_t:chr_file { getattr read }; -') - -######################################## -## -## Do not audit attempts to append to random -## number generator devices (e.g., /dev/random) -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_append_rand',` - gen_require(` - type random_device_t; - ') - - dontaudit $1 random_device_t:chr_file append_chr_file_perms; -') - -######################################## -## -## Write to the random device (e.g., /dev/random). This adds -## entropy used to generate the random data read from the -## random device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_rand',` - gen_require(` - type device_t, random_device_t; - ') - - write_chr_files_pattern($1, device_t, random_device_t) -') - -######################################## -## -## Read the realtime clock (/dev/rtc). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_realtime_clock',` - gen_require(` - type device_t, clock_device_t; - ') - - read_chr_files_pattern($1, device_t, clock_device_t) -') - -######################################## -## -## Set the realtime clock (/dev/rtc). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_realtime_clock',` - gen_require(` - type device_t, clock_device_t; - ') - - write_chr_files_pattern($1, device_t, clock_device_t) - - allow $1 clock_device_t:chr_file setattr; -') - -######################################## -## -## Read and set the realtime clock (/dev/rtc). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_realtime_clock',` - dev_read_realtime_clock($1) - dev_write_realtime_clock($1) -') - -######################################## -## -## Get the attributes of the scanner device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_scanner_dev',` - gen_require(` - type device_t, scanner_device_t; - ') - - getattr_chr_files_pattern($1, device_t, scanner_device_t) -') - -######################################## -## -## Do not audit attempts to get the attributes of -## the scanner device. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_scanner_dev',` - gen_require(` - type scanner_device_t; - ') - - dontaudit $1 scanner_device_t:chr_file getattr; -') - -######################################## -## -## Set the attributes of the scanner device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_scanner_dev',` - gen_require(` - type device_t, scanner_device_t; - ') - - setattr_chr_files_pattern($1, device_t, scanner_device_t) -') - -######################################## -## -## Do not audit attempts to set the attributes of -## the scanner device. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_setattr_scanner_dev',` - gen_require(` - type scanner_device_t; - ') - - dontaudit $1 scanner_device_t:chr_file setattr; -') - -######################################## -## -## Read and write the scanner device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_scanner',` - gen_require(` - type device_t, scanner_device_t; - ') - - rw_chr_files_pattern($1, device_t, scanner_device_t) -') - -######################################## -## -## Get the attributes of the sound devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_sound_dev',` - gen_require(` - type device_t, sound_device_t; - ') - - getattr_chr_files_pattern($1, device_t, sound_device_t) -') - -######################################## -## -## Set the attributes of the sound devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_sound_dev',` - gen_require(` - type device_t, sound_device_t; - ') - - setattr_chr_files_pattern($1, device_t, sound_device_t) -') - -######################################## -## -## Read the sound devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_sound',` - gen_require(` - type device_t, sound_device_t; - ') - - read_chr_files_pattern($1, device_t, sound_device_t) -') - -######################################## -## -## Write the sound devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_sound',` - gen_require(` - type device_t, sound_device_t; - ') - - write_chr_files_pattern($1, device_t, sound_device_t) -') - -######################################## -## -## Read the sound mixer devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_sound_mixer',` - gen_require(` - type device_t, sound_device_t; - ') - - read_chr_files_pattern($1, device_t, sound_device_t) -') - -######################################## -## -## Write the sound mixer devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_sound_mixer',` - gen_require(` - type device_t, sound_device_t; - ') - - write_chr_files_pattern($1, device_t, sound_device_t) -') - -######################################## -## -## Get the attributes of the the power management device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_power_mgmt_dev',` - gen_require(` - type device_t, power_device_t; - ') - - getattr_chr_files_pattern($1, device_t, power_device_t) -') - -######################################## -## -## Set the attributes of the the power management device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_power_mgmt_dev',` - gen_require(` - type device_t, power_device_t; - ') - - setattr_chr_files_pattern($1, device_t, power_device_t) -') - -######################################## -## -## Read and write the the power management device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_power_management',` - gen_require(` - type device_t, power_device_t; - ') - - rw_chr_files_pattern($1, device_t, power_device_t) -') - -######################################## -## -## Getattr on smartcard devices -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_smartcard_dev',` - gen_require(` - type smartcard_device_t; - ') - - allow $1 smartcard_device_t:chr_file getattr; - -') - -######################################## -## -## dontaudit getattr on smartcard devices -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_smartcard_dev',` - gen_require(` - type smartcard_device_t; - ') - - dontaudit $1 smartcard_device_t:chr_file getattr; - -') - -######################################## -## -## Read and write smartcard devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_smartcard',` - gen_require(` - type device_t, smartcard_device_t; - ') - - rw_chr_files_pattern($1, device_t, smartcard_device_t) -') - -######################################## -## -## Create, read, write, and delete smartcard devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_smartcard',` - gen_require(` - type device_t, smartcard_device_t; - ') - - manage_chr_files_pattern($1, device_t, smartcard_device_t) -') - -######################################## -## -## Associate a file to a sysfs filesystem. -## -## -## -## The type of the file to be associated to sysfs. -## -## -# -interface(`dev_associate_sysfs',` - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:filesystem associate; -') - -######################################## -## -## Get the attributes of sysfs directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_sysfs_dirs',` - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:dir getattr_dir_perms; -') - -######################################## -## -## Search the sysfs directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_search_sysfs',` - gen_require(` - type sysfs_t; - ') - - search_dirs_pattern($1, sysfs_t, sysfs_t) -') - -######################################## -## -## Do not audit attempts to search sysfs. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_search_sysfs',` - gen_require(` - type sysfs_t; - ') - - dontaudit $1 sysfs_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of the sysfs directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_list_sysfs',` - gen_require(` - type sysfs_t; - ') - - list_dirs_pattern($1, sysfs_t, sysfs_t) -') - -######################################## -## -## Write in a sysfs directories. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for cpuspeed -interface(`dev_write_sysfs_dirs',` - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:dir write; -') - -######################################## -## -## Read hardware state information. -## -## -##

-## Allow the specified domain to read the contents of -## the sysfs filesystem. This filesystem contains -## information, parameters, and other settings on the -## hardware installed on the system. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`dev_read_sysfs',` - gen_require(` - type sysfs_t; - ') - - read_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) - - list_dirs_pattern($1, sysfs_t, sysfs_t) -') - -######################################## -## -## Allow caller to modify hardware state information. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_sysfs',` - gen_require(` - type sysfs_t; - ') - - rw_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) - - list_dirs_pattern($1, sysfs_t, sysfs_t) -') - -######################################## -## -## Allow caller to modify hardware state information. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_sysfs_dirs',` - gen_require(` - type sysfs_t; - ') - - manage_dirs_pattern($1, sysfs_t, sysfs_t) -') - -######################################## -## -## Read from pseudo random number generator devices (e.g., /dev/urandom). -## -## -##

-## Allow the specified domain to read from pseudo random number -## generator devices (e.g., /dev/urandom). Typically this is -## used in situations when a cryptographically secure random -## number is not necessarily needed. One example is the Stack -## Smashing Protector (SSP, formerly known as ProPolice) support -## that may be compiled into programs. -##

-##

-## Related interface: -##

-##
    -##
  • dev_read_rand()
  • -##
-##

-## Related tunable: -##

-##
    -##
  • global_ssp
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`dev_read_urand',` - gen_require(` - type device_t, urandom_device_t; - ') - - read_chr_files_pattern($1, device_t, urandom_device_t) -') - -######################################## -## -## Do not audit attempts to read from pseudo -## random devices (e.g., /dev/urandom) -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_read_urand',` - gen_require(` - type urandom_device_t; - ') - - dontaudit $1 urandom_device_t:chr_file { getattr read }; -') - -######################################## -## -## Write to the pseudo random device (e.g., /dev/urandom). This -## sets the random number generator seed. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_urand',` - gen_require(` - type device_t, urandom_device_t; - ') - - write_chr_files_pattern($1, device_t, urandom_device_t) -') - -######################################## -## -## Getattr generic the USB devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_generic_usb_dev',` - gen_require(` - type usb_device_t; - ') - - getattr_chr_files_pattern($1, device_t, usb_device_t) -') - -######################################## -## -## Setattr generic the USB devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_generic_usb_dev',` - gen_require(` - type usb_device_t; - ') - - setattr_chr_files_pattern($1, device_t, usb_device_t) -') - -######################################## -## -## Read generic the USB devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_generic_usb_dev',` - gen_require(` - type usb_device_t; - ') - - read_chr_files_pattern($1, device_t, usb_device_t) -') - -######################################## -## -## Read and write generic the USB devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_generic_usb_dev',` - gen_require(` - type device_t, usb_device_t; - ') - - rw_chr_files_pattern($1, device_t, usb_device_t) -') - -######################################## -## -## Read USB monitor devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_usbmon_dev',` - gen_require(` - type device_t, usbmon_device_t; - ') - - read_chr_files_pattern($1, device_t, usbmon_device_t) -') - -######################################## -## -## Write USB monitor devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_usbmon_dev',` - gen_require(` - type device_t, usbmon_device_t; - ') - - write_chr_files_pattern($1, device_t, usbmon_device_t) -') - -######################################## -## -## Mount a usbfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_mount_usbfs',` - gen_require(` - type usbfs_t; - ') - - allow $1 usbfs_t:filesystem mount; -') - -######################################## -## -## Associate a file to a usbfs filesystem. -## -## -## -## The type of the file to be associated to usbfs. -## -## -# -interface(`dev_associate_usbfs',` - gen_require(` - type usbfs_t; - ') - - allow $1 usbfs_t:filesystem associate; -') - -######################################## -## -## Get the attributes of a directory in the usb filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_usbfs_dirs',` - gen_require(` - type usbfs_t; - ') - - allow $1 usbfs_t:dir getattr_dir_perms; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of a directory in the usb filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_usbfs_dirs',` - gen_require(` - type usbfs_t; - ') - - dontaudit $1 usbfs_t:dir getattr_dir_perms; -') - -######################################## -## -## Search the directory containing USB hardware information. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_search_usbfs',` - gen_require(` - type usbfs_t; - ') - - search_dirs_pattern($1, usbfs_t, usbfs_t) -') - -######################################## -## -## Allow caller to get a list of usb hardware. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_list_usbfs',` - gen_require(` - type usbfs_t; - ') - - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - getattr_files_pattern($1, usbfs_t, usbfs_t) - - list_dirs_pattern($1, usbfs_t, usbfs_t) -') - -######################################## -## -## Set the attributes of usbfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_usbfs_files',` - gen_require(` - type usbfs_t; - ') - - setattr_files_pattern($1, usbfs_t, usbfs_t) - list_dirs_pattern($1, usbfs_t, usbfs_t) -') - -######################################## -## -## Read USB hardware information using -## the usbfs filesystem interface. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_usbfs',` - gen_require(` - type usbfs_t; - ') - - read_files_pattern($1, usbfs_t, usbfs_t) - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - list_dirs_pattern($1, usbfs_t, usbfs_t) -') - -######################################## -## -## Allow caller to modify usb hardware configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_usbfs',` - gen_require(` - type usbfs_t; - ') - - list_dirs_pattern($1, usbfs_t, usbfs_t) - rw_files_pattern($1, usbfs_t, usbfs_t) - read_lnk_files_pattern($1, usbfs_t, usbfs_t) -') - -######################################## -## -## Get the attributes of video4linux devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_video_dev',` - gen_require(` - type device_t, v4l_device_t; - ') - - getattr_chr_files_pattern($1, device_t, v4l_device_t) -') - -###################################### -## -## Read and write userio device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_userio_dev',` - gen_require(` - type device_t, userio_device_t; - ') - - rw_chr_files_pattern($1, device_t, userio_device_t) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of video4linux device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_getattr_video_dev',` - gen_require(` - type v4l_device_t; - ') - - dontaudit $1 v4l_device_t:chr_file getattr; -') - -######################################## -## -## Set the attributes of video4linux device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_video_dev',` - gen_require(` - type device_t, v4l_device_t; - ') - - setattr_chr_files_pattern($1, device_t, v4l_device_t) -') - -######################################## -## -## Do not audit attempts to set the attributes -## of video4linux device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`dev_dontaudit_setattr_video_dev',` - gen_require(` - type v4l_device_t; - ') - - dontaudit $1 v4l_device_t:chr_file setattr; -') - -######################################## -## -## Read the video4linux devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_video_dev',` - gen_require(` - type device_t, v4l_device_t; - ') - - read_chr_files_pattern($1, device_t, v4l_device_t) -') - -######################################## -## -## Write the video4linux devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_video_dev',` - gen_require(` - type device_t, v4l_device_t; - ') - - write_chr_files_pattern($1, device_t, v4l_device_t) -') - -######################################## -## -## Allow read/write the vhost net device -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_vhost',` - gen_require(` - type device_t, vhost_device_t; - ') - - rw_chr_files_pattern($1, device_t, vhost_device_t) -') - -######################################## -## -## Read and write VMWare devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_vmware',` - gen_require(` - type device_t, vmware_device_t; - ') - - rw_chr_files_pattern($1, device_t, vmware_device_t) -') - -######################################## -## -## Read, write, and mmap VMWare devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rwx_vmware',` - gen_require(` - type device_t, vmware_device_t; - ') - - dev_rw_vmware($1) - allow $1 vmware_device_t:chr_file execute; -') - -######################################## -## -## Write to watchdog devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_write_watchdog',` - gen_require(` - type device_t, watchdog_device_t; - ') - - write_chr_files_pattern($1, device_t, watchdog_device_t) -') - -######################################## -## -## Read and write the the wireless device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_wireless',` - gen_require(` - type device_t, wireless_device_t; - ') - - rw_chr_files_pattern($1, device_t, wireless_device_t) -') - -######################################## -## -## Read and write Xen devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_xen',` - gen_require(` - type device_t, xen_device_t; - ') - - rw_chr_files_pattern($1, device_t, xen_device_t) -') - -######################################## -## -## Create, read, write, and delete Xen devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_manage_xen',` - gen_require(` - type device_t, xen_device_t; - ') - - manage_chr_files_pattern($1, device_t, xen_device_t) -') - -######################################## -## -## Automatic type transition to the type -## for xen device nodes when created in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_filetrans_xen',` - gen_require(` - type device_t, xen_device_t; - ') - - filetrans_pattern($1, device_t, xen_device_t, chr_file) -') - -######################################## -## -## Get the attributes of X server miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_xserver_misc_dev',` - gen_require(` - type device_t, xserver_misc_device_t; - ') - - getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) -') - -######################################## -## -## Set the attributes of X server miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_setattr_xserver_misc_dev',` - gen_require(` - type device_t, xserver_misc_device_t; - ') - - setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) -') - -######################################## -## -## Read and write X server miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_xserver_misc',` - gen_require(` - type device_t, xserver_misc_device_t; - ') - - rw_chr_files_pattern($1, device_t, xserver_misc_device_t) -') - -######################################## -## -## Read and write to the zero device (/dev/zero). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_zero',` - gen_require(` - type device_t, zero_device_t; - ') - - rw_chr_files_pattern($1, device_t, zero_device_t) -') - -######################################## -## -## Read, write, and execute the zero device (/dev/zero). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rwx_zero',` - gen_require(` - type zero_device_t; - ') - - dev_rw_zero($1) - allow $1 zero_device_t:chr_file execute; -') - -######################################## -## -## Execmod the zero device (/dev/zero). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_execmod_zero',` - gen_require(` - type zero_device_t; - ') - - dev_rw_zero($1) - allow $1 zero_device_t:chr_file execmod; -') - -######################################## -## -## Create the zero device (/dev/zero). -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_create_zero_dev',` - gen_require(` - type device_t, zero_device_t; - ') - - create_chr_files_pattern($1, device_t, zero_device_t) -') - -######################################## -## -## Unconfined access to devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_unconfined',` - gen_require(` - attribute devices_unconfined_type; - ') - - typeattribute $1 devices_unconfined_type; -') - -######################################## -## -## Automatic type transition to the type -## for xen device nodes when created in /dev. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_filetrans_named_dev',` - -gen_require(` - type device_t; - type usb_device_t; - type xserver_misc_device_t; - type sound_device_t; - type apm_bios_t; - type mouse_device_t; - type autofs_device_t; - type lvm_control_t; - type clock_device_t; - type v4l_device_t; - type event_device_t; - type xen_device_t; - type framebuf_device_t; - type null_device_t; - type random_device_t; - type dri_device_t; - type ipmi_device_t; - type printer_device_t; - type memory_device_t; - type kmsg_device_t; - type qemu_device_t; - type ksm_device_t; - type kvm_device_t; - type lirc_device_t; - type cpu_device_t; - type dlm_control_device_t; - type scanner_device_t; - type modem_device_t; - type vhost_device_t; - type netcontrol_device_t; - type nvram_device_t; - type power_device_t; - type wireless_device_t; - type tpm_device_t; - type userio_device_t; - type urandom_device_t; - type usbmon_device_t; - type vmware_device_t; - type watchdog_device_t; - type crypt_device_t; - type zero_device_t; - type smartcard_device_t; - type mtrr_device_t; -') - - filetrans_pattern($1, device_t, usb_device_t, chr_file, 0) - filetrans_pattern($1, device_t, usb_device_t, chr_file, 1) - filetrans_pattern($1, device_t, usb_device_t, chr_file, 2) - filetrans_pattern($1, device_t, usb_device_t, chr_file, 3) - filetrans_pattern($1, device_t, usb_device_t, chr_file, 4) - filetrans_pattern($1, device_t, usb_device_t, chr_file, 5) - filetrans_pattern($1, device_t, usb_device_t, chr_file, 6) - filetrans_pattern($1, device_t, usb_device_t, chr_file, 7) - filetrans_pattern($1, device_t, usb_device_t, chr_file, 8) - filetrans_pattern($1, device_t, usb_device_t, chr_file, 9) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, 3dfx) - filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi9) - filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp9) - filetrans_pattern($1, device_t, sound_device_t, chr_file, aload0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, aload1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, aload2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, aload3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, aload4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, aload5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, aload6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, aload7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, aload8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, aload9) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi9) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer9) - filetrans_pattern($1, device_t, apm_bios_t, chr_file, apm_bios) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, atibm) - filetrans_pattern($1, device_t, sound_device_t, chr_file, audio0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, audio1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, audio2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, audio3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, audio4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, audio5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, audio6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, audio7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, audio8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, audio9) - filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs0) - filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs1) - filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs2) - filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs3) - filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs4) - filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs5) - filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs6) - filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs7) - filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs8) - filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs9) - filetrans_pattern($1, device_t, sound_device_t, chr_file, beep) - filetrans_pattern($1, device_t, lvm_control_t, chr_file, btrfs-control) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, controlD64) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmfm) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi9) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp9) - filetrans_pattern($1, device_t, clock_device_t, chr_file, efirtc) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, e2201) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83000) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83001) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83002) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83003) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83004) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83005) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83006) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83007) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83008) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83009) - filetrans_pattern($1, device_t, event_device_t, chr_file, event0) - filetrans_pattern($1, device_t, event_device_t, chr_file, event1) - filetrans_pattern($1, device_t, event_device_t, chr_file, event2) - filetrans_pattern($1, device_t, event_device_t, chr_file, event3) - filetrans_pattern($1, device_t, event_device_t, chr_file, event4) - filetrans_pattern($1, device_t, event_device_t, chr_file, event5) - filetrans_pattern($1, device_t, event_device_t, chr_file, event6) - filetrans_pattern($1, device_t, event_device_t, chr_file, event7) - filetrans_pattern($1, device_t, event_device_t, chr_file, event8) - filetrans_pattern($1, device_t, event_device_t, chr_file, event9) - filetrans_pattern($1, device_t, xen_device_t, chr_file, evtchn) - filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb0) - filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb1) - filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb2) - filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb3) - filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb4) - filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb5) - filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb6) - filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb7) - filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb8) - filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb9) - filetrans_pattern($1, device_t, null_device_t, chr_file, full) - filetrans_pattern($1, device_t, usb_device_t, chr_file, fw0) - filetrans_pattern($1, device_t, usb_device_t, chr_file, fw1) - filetrans_pattern($1, device_t, usb_device_t, chr_file, fw2) - filetrans_pattern($1, device_t, usb_device_t, chr_file, fw3) - filetrans_pattern($1, device_t, usb_device_t, chr_file, fw4) - filetrans_pattern($1, device_t, usb_device_t, chr_file, fw5) - filetrans_pattern($1, device_t, usb_device_t, chr_file, fw6) - filetrans_pattern($1, device_t, usb_device_t, chr_file, fw7) - filetrans_pattern($1, device_t, usb_device_t, chr_file, fw8) - filetrans_pattern($1, device_t, usb_device_t, chr_file, fw9) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, gfx) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, graphics) - filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc0) - filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc1) - filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc2) - filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc3) - filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc4) - filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc5) - filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc6) - filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc7) - filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc8) - filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc9) - filetrans_pattern($1, device_t, sound_device_t, chr_file, hfmodem) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev0) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev1) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev2) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev3) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev4) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev5) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev6) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev7) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev8) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev9) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw0) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw1) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw2) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw3) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw4) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw5) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw6) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw7) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw8) - filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw9) - filetrans_pattern($1, device_t, clock_device_t, chr_file, hpet) - filetrans_pattern($1, device_t, random_device_t, chr_file, hw_random) - filetrans_pattern($1, device_t, random_device_t, chr_file, hwrng) - filetrans_pattern($1, device_t, dri_device_t, chr_file, i915) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, inportbm) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi0) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi1) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi2) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi3) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi4) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi5) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi6) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi7) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi8) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi9) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, 0) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, 1) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, 2) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, 3) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, 4) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, 5) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, 6) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, 7) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, 8) - filetrans_pattern($1, device_t, ipmi_device_t, chr_file, 9) - filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt0) - filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt1) - filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt2) - filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt3) - filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt4) - filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt5) - filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt6) - filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt7) - filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt8) - filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt9) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, jbm) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, js0) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, js1) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, js2) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, js3) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, js4) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, js5) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, js6) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, js7) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, js8) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, js9) - filetrans_pattern($1, device_t, memory_device_t, chr_file, kmem) - filetrans_pattern($1, device_t, kmsg_device_t, chr_file, kmsg) - filetrans_pattern($1, device_t, qemu_device_t, chr_file, kqemu) - filetrans_pattern($1, device_t, ksm_device_t, chr_file, ksm) - filetrans_pattern($1, device_t, kvm_device_t, chr_file, kvm) - filetrans_pattern($1, device_t, event_device_t, chr_file, lik0) - filetrans_pattern($1, device_t, event_device_t, chr_file, lik1) - filetrans_pattern($1, device_t, event_device_t, chr_file, lik2) - filetrans_pattern($1, device_t, event_device_t, chr_file, lik3) - filetrans_pattern($1, device_t, event_device_t, chr_file, lik4) - filetrans_pattern($1, device_t, event_device_t, chr_file, lik5) - filetrans_pattern($1, device_t, event_device_t, chr_file, lik6) - filetrans_pattern($1, device_t, event_device_t, chr_file, lik7) - filetrans_pattern($1, device_t, event_device_t, chr_file, lik8) - filetrans_pattern($1, device_t, event_device_t, chr_file, lik9) - filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc0) - filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc1) - filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc2) - filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc3) - filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc4) - filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc5) - filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc6) - filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc7) - filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc8) - filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc9) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, lircm) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, logibm) - filetrans_pattern($1, device_t, printer_device_t, chr_file, lp0) - filetrans_pattern($1, device_t, printer_device_t, chr_file, lp1) - filetrans_pattern($1, device_t, printer_device_t, chr_file, lp2) - filetrans_pattern($1, device_t, printer_device_t, chr_file, lp3) - filetrans_pattern($1, device_t, printer_device_t, chr_file, lp4) - filetrans_pattern($1, device_t, printer_device_t, chr_file, lp5) - filetrans_pattern($1, device_t, printer_device_t, chr_file, lp6) - filetrans_pattern($1, device_t, printer_device_t, chr_file, lp7) - filetrans_pattern($1, device_t, printer_device_t, chr_file, lp8) - filetrans_pattern($1, device_t, printer_device_t, chr_file, lp9) - filetrans_pattern($1, device_t, kmsg_device_t, chr_file, mcelog) - filetrans_pattern($1, device_t, memory_device_t, chr_file, mem) - filetrans_pattern($1, device_t, memory_device_t, chr_file, mergemem) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid0) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid1) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid2) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid3) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid4) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid5) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid6) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid7) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid8) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid9) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, mice) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, microcode) - filetrans_pattern($1, device_t, sound_device_t, chr_file, midi0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, midi1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, midi2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, midi3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, midi4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, midi5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, midi6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, midi7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, midi8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, midi9) - filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm0) - filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm1) - filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm2) - filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm3) - filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm4) - filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm5) - filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm6) - filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm7) - filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm8) - filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm9) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer9) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mmetfgrab) - filetrans_pattern($1, device_t, modem_device_t, chr_file, modem) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4010) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4011) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4012) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4013) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4014) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4015) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4016) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4017) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4018) - filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4019) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr0) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr1) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr2) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr3) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr4) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr5) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr6) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr7) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr8) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr9) - filetrans_pattern($1, device_t, vhost_device_t, chr_file, vhost) - filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, network_latency) - filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, network_throughput) - filetrans_pattern($1, device_t, modem_device_t, chr_file, noz0) - filetrans_pattern($1, device_t, modem_device_t, chr_file, noz1) - filetrans_pattern($1, device_t, modem_device_t, chr_file, noz2) - filetrans_pattern($1, device_t, modem_device_t, chr_file, noz3) - filetrans_pattern($1, device_t, modem_device_t, chr_file, noz4) - filetrans_pattern($1, device_t, modem_device_t, chr_file, noz5) - filetrans_pattern($1, device_t, modem_device_t, chr_file, noz6) - filetrans_pattern($1, device_t, modem_device_t, chr_file, noz7) - filetrans_pattern($1, device_t, modem_device_t, chr_file, noz8) - filetrans_pattern($1, device_t, modem_device_t, chr_file, noz9) - filetrans_pattern($1, device_t, null_device_t, chr_file, null) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia0) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia1) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia2) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia3) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia4) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia5) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia6) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia7) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia8) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia9) - filetrans_pattern($1, device_t, nvram_device_t, chr_file, nvram) - filetrans_pattern($1, device_t, memory_device_t, chr_file, oldmem) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, opengl) - filetrans_pattern($1, device_t, printer_device_t, chr_file, par0) - filetrans_pattern($1, device_t, printer_device_t, chr_file, par1) - filetrans_pattern($1, device_t, printer_device_t, chr_file, par2) - filetrans_pattern($1, device_t, printer_device_t, chr_file, par3) - filetrans_pattern($1, device_t, printer_device_t, chr_file, par4) - filetrans_pattern($1, device_t, printer_device_t, chr_file, par5) - filetrans_pattern($1, device_t, printer_device_t, chr_file, par6) - filetrans_pattern($1, device_t, printer_device_t, chr_file, par7) - filetrans_pattern($1, device_t, printer_device_t, chr_file, par8) - filetrans_pattern($1, device_t, printer_device_t, chr_file, par9) - filetrans_pattern($1, device_t, sound_device_t, chr_file, patmgr[01]) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, pc110pad) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock0) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock1) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock2) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock3) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock4) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock5) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock6) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock7) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock8) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock9) - filetrans_pattern($1, device_t, power_device_t, chr_file, pmu) - filetrans_pattern($1, device_t, memory_device_t, chr_file, port) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pps0) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pps1) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pps2) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pps3) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pps4) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pps5) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pps6) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pps7) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pps8) - filetrans_pattern($1, device_t, clock_device_t, chr_file, pps9) - filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi9) - filetrans_pattern($1, device_t, dri_device_t, chr_file, radeon) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio0) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio1) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio2) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio3) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio4) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio5) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio6) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio7) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio8) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio9) - filetrans_pattern($1, device_t, random_device_t, chr_file, random) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13940) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13941) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13942) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13943) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13944) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13945) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13946) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13947) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13948) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13949) - filetrans_pattern($1, device_t, wireless_device_t, chr_file, rfkill) - filetrans_pattern($1, device_t, sound_device_t, chr_file, sequencer) - filetrans_pattern($1, device_t, sound_device_t, chr_file, sequencer2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte0) - filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte1) - filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte2) - filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte3) - filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte4) - filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte5) - filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte6) - filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte7) - filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte8) - filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte9) - filetrans_pattern($1, device_t, power_device_t, chr_file, smu) - filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd[0-7]) - filetrans_pattern($1, device_t, apm_bios_t, chr_file, snapshot) - filetrans_pattern($1, device_t, sound_device_t, chr_file, sndstat) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, sonypi) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, tlk[0-3]) - filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm0) - filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm1) - filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm2) - filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm3) - filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm4) - filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm5) - filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm6) - filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm7) - filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm8) - filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm9) - filetrans_pattern($1, device_t, event_device_t, chr_file, uinput) - filetrans_pattern($1, device_t, userio_device_t, chr_file, uio0) - filetrans_pattern($1, device_t, userio_device_t, chr_file, uio1) - filetrans_pattern($1, device_t, userio_device_t, chr_file, uio2) - filetrans_pattern($1, device_t, userio_device_t, chr_file, uio3) - filetrans_pattern($1, device_t, userio_device_t, chr_file, uio4) - filetrans_pattern($1, device_t, userio_device_t, chr_file, uio5) - filetrans_pattern($1, device_t, userio_device_t, chr_file, uio6) - filetrans_pattern($1, device_t, userio_device_t, chr_file, uio7) - filetrans_pattern($1, device_t, userio_device_t, chr_file, uio8) - filetrans_pattern($1, device_t, userio_device_t, chr_file, uio9) - filetrans_pattern($1, device_t, urandom_device_t, chr_file, urandom) - filetrans_pattern($1, device_t, usb_device_t, chr_file, ub[a-c]) - filetrans_pattern($1, device_t, usb_device_t, chr_file, usb.+) - filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp0) - filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp1) - filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp2) - filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp3) - filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp4) - filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp5) - filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp6) - filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp7) - filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp8) - filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp9) - filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon.+) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, usbscanner) - filetrans_pattern($1, device_t, vhost_device_t, chr_file, vhost-net) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi0) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi1) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi2) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi3) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi4) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi5) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi6) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi7) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi8) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi9) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox0) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox1) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox2) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox3) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox4) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox5) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox6) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox7) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox8) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox9) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vga_arbiter) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmmon) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet0) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet1) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet2) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet3) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet4) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet5) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet6) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet7) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet8) - filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet9) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, video0) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, video1) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, video2) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, video3) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, video4) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, video5) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, video6) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, video7) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, video8) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, video9) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, vrtpanel) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vttuner) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx0) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx1) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx2) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx3) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx4) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx5) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx6) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx7) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx8) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx9) - filetrans_pattern($1, device_t, watchdog_device_t, chr_file, watchdog) - filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio.) - filetrans_pattern($1, device_t, crypt_device_t, chr_file, z90crypt) - filetrans_pattern($1, device_t, zero_device_t, chr_file, zero) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card0) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card1) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card2) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card3) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card4) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card5) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card6) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card7) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card8) - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card9) - filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx0) - filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx1) - filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx2) - filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx3) - filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx4) - filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx5) - filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx6) - filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx7) - filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx8) - filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx9) - filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, cpu_dma_latency) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu0) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu1) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu2) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu3) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu4) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu5) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu6) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu7) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu8) - filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu9) - filetrans_pattern($1, device_t, mtrr_device_t, chr_file, mtrr) - filetrans_pattern($1, device_t, event_device_t, chr_file, sensor0) - filetrans_pattern($1, device_t, event_device_t, chr_file, sensor1) - filetrans_pattern($1, device_t, event_device_t, chr_file, sensor2) - filetrans_pattern($1, device_t, event_device_t, chr_file, sensor3) - filetrans_pattern($1, device_t, event_device_t, chr_file, sensor4) - filetrans_pattern($1, device_t, event_device_t, chr_file, sensor5) - filetrans_pattern($1, device_t, event_device_t, chr_file, sensor6) - filetrans_pattern($1, device_t, event_device_t, chr_file, sensor7) - filetrans_pattern($1, device_t, event_device_t, chr_file, sensor8) - filetrans_pattern($1, device_t, event_device_t, chr_file, sensor9) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, m0) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, m1) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, m2) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, m3) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, m4) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, m5) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, m6) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, m7) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, m8) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, m9) - filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard0) - filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard1) - filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard2) - filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard3) - filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard4) - filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard5) - filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard6) - filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard7) - filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard8) - filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard9) - filetrans_pattern($1, device_t, lvm_control_t, chr_file, control) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, ucb1x00) - filetrans_pattern($1, device_t, mouse_device_t, chr_file, mk712) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx0) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx1) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx2) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx3) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx4) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx5) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx6) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx7) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx8) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx9) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8000) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8001) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8002) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8003) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8004) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8005) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8006) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8007) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8008) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8009) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner0) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner1) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner2) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner3) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner4) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner5) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner6) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner7) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner8) - filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner9) - filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap0) - filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap1) - filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap2) - filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap3) - filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap4) - filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap5) - filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap6) - filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap7) - filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap8) - filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap9) -') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te deleted file mode 100644 index 20c2d34..0000000 --- a/policy/modules/kernel/devices.te +++ /dev/null @@ -1,309 +0,0 @@ -policy_module(devices, 1.10.2) - -######################################## -# -# Declarations -# - -attribute device_node; -attribute memory_raw_read; -attribute memory_raw_write; -attribute devices_unconfined_type; - -# -# device_t is the type of /dev. -# -type device_t; -fs_associate_tmpfs(device_t) -files_type(device_t) -files_mountpoint(device_t) -files_associate_tmp(device_t) -fs_type(device_t) -fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); - -# -# Type for /dev/agpgart -# -type agp_device_t; -dev_node(agp_device_t) - -# -# Type for /dev/apm_bios -# -type apm_bios_t; -dev_node(apm_bios_t) - -# -# Type for /dev/autofs -# -type autofs_device_t; -dev_node(autofs_device_t) - -type cardmgr_dev_t; -dev_node(cardmgr_dev_t) -files_tmp_file(cardmgr_dev_t) - -# -# clock_device_t is the type of -# /dev/rtc. -# -type clock_device_t; -dev_node(clock_device_t) - -# -# cpu control devices /dev/cpu/0/* -# -type cpu_device_t; -dev_node(cpu_device_t) - -# for the IBM zSeries z90crypt hardware ssl accelorator -type crypt_device_t; -dev_node(crypt_device_t) - -# -# dlm_misc_device_t is the type of /dev/misc/dlm.* -# -type dlm_control_device_t; -dev_node(dlm_control_device_t) - -type dri_device_t; -dev_node(dri_device_t) - -type event_device_t; -dev_node(event_device_t) - -# -# Type for framebuffer /dev/fb/* -# -type framebuf_device_t; -dev_node(framebuf_device_t) - -# -# Type for /dev/ipmi/0 -# -type ipmi_device_t; -dev_node(ipmi_device_t) - -# -# Type for /dev/kmsg -# -type kmsg_device_t; -dev_node(kmsg_device_t) - -# -# ksm_device_t is the type of /dev/ksm -# -type ksm_device_t; -dev_node(ksm_device_t) - -# -# kvm_device_t is the type of -# /dev/kvm -# -type kvm_device_t; -dev_node(kvm_device_t) -mls_trusted_object(kvm_device_t) - -# -# Type for /dev/lirc -# -type lirc_device_t; -dev_node(lirc_device_t) - -# -# Type for /dev/mapper/control -# -type lvm_control_t; -dev_node(lvm_control_t) - -# -# memory_device_t is the type of /dev/kmem, -# /dev/mem and /dev/port. -# -type memory_device_t; -dev_node(memory_device_t) - -neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read; -neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write }; - -type misc_device_t; -dev_node(misc_device_t) - -# -# A general type for modem devices. -# -type modem_device_t; -dev_node(modem_device_t) - -# -# A more general type for mouse devices. -# -type mouse_device_t; -dev_node(mouse_device_t) - -# -# Type for /dev/cpu/mtrr and /proc/mtrr -# -type mtrr_device_t; -dev_node(mtrr_device_t) -genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0) - -# -# network control devices -# -type netcontrol_device_t; -dev_node(netcontrol_device_t) - -# -# null_device_t is the type of /dev/null. -# -type null_device_t; -dev_node(null_device_t) -mls_trusted_object(null_device_t) -sid devnull gen_context(system_u:object_r:null_device_t,s0) - -# -# Type for /dev/nvram -# -type nvram_device_t; -dev_node(nvram_device_t) - -# -# Type for /dev/pmu -# -type power_device_t; -dev_node(power_device_t) - -type printer_device_t; -dev_node(printer_device_t) -mls_file_write_within_range(printer_device_t) - -# -# qemu control devices -# -type qemu_device_t; -dev_node(qemu_device_t) - -# -# random_device_t is the type of /dev/random -# -type random_device_t; -dev_node(random_device_t) - -type scanner_device_t; -dev_node(scanner_device_t) - -# -# Type for smartcards -# -type smartcard_device_t; -dev_node(smartcard_device_t) - -# -# Type for sound devices and mixers -# -type sound_device_t; -dev_node(sound_device_t) - -# -# sysfs_t is the type for the /sys pseudofs -# -type sysfs_t; -files_mountpoint(sysfs_t) -fs_type(sysfs_t) -genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) - -# -# Type for /dev/tpm -# -type tpm_device_t; -dev_node(tpm_device_t) - -# -# urandom_device_t is the type of /dev/urandom -# -type urandom_device_t; -dev_node(urandom_device_t) - -# -# usbfs_t is the type for the /proc/bus/usb pseudofs -# -type usbfs_t alias usbdevfs_t; -files_mountpoint(usbfs_t) -fs_noxattr_type(usbfs_t) -genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0) -genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) - -# -# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+ -# -type usb_device_t; -dev_node(usb_device_t) - -# -# usb_device_t is the type for /dev/usbmon -# -type usbmon_device_t; -dev_node(usbmon_device_t) - -# -# userio_device_t is the type for /dev/uio[0-9]+ -# -type userio_device_t; -dev_node(userio_device_t) - -type v4l_device_t; -dev_node(v4l_device_t) - -# -# vhost_device_t is the type for /dev/vhost-net -# -type vhost_device_t; -dev_node(vhost_device_t) - -# Type for vmware devices. -type vmware_device_t; -dev_node(vmware_device_t) - -type watchdog_device_t; -dev_node(watchdog_device_t) - -# -# wireless control devices -# -type wireless_device_t; -dev_node(wireless_device_t) - -type xen_device_t; -dev_node(xen_device_t) - -type xserver_misc_device_t; -dev_node(xserver_misc_device_t) - -# -# zero_device_t is the type of /dev/zero. -# -type zero_device_t; -dev_node(zero_device_t) -mls_trusted_object(zero_device_t) - -######################################## -# -# Rules for all device nodes -# - -allow device_node device_t:filesystem associate; - -fs_associate(device_node) -fs_associate_tmpfs(device_node) - -files_associate_tmp(device_node) - -######################################## -# -# Unconfined access to this module -# - -allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; -allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.fc b/policy/modules/kernel/domain.fc deleted file mode 100644 index 7be4ddf..0000000 --- a/policy/modules/kernel/domain.fc +++ /dev/null @@ -1 +0,0 @@ -# This module currently does not have any file contexts. diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if deleted file mode 100644 index 0d8458a..0000000 --- a/policy/modules/kernel/domain.if +++ /dev/null @@ -1,1513 +0,0 @@ -## Core policy for domains. -## -## Contains the concept of a domain. -## - -######################################## -## -## Make the specified type usable as a basic domain. -## -## -##

-## Make the specified type usable as a basic domain. -##

-##

-## This is primarily used for kernel threads; -## generally the domain_type() interface is -## more appropriate for userland processes. -##

-##
-## -## -## Type to be used as a basic domain type. -## -## -# -interface(`domain_base_type',` - gen_require(` - attribute domain; - ') - - typeattribute $1 domain; -') - -######################################## -## -## Make the specified type usable as a domain. -## -## -##

-## Make the specified type usable as a domain. This, -## or an interface that calls this interface, must be -## used on all types that are used as domains. -##

-##

-## Related interfaces: -##

-##
    -##
  • application_domain()
  • -##
  • init_daemon_domain()
  • -##
  • init_domaion()
  • -##
  • init_ranged_daemon_domain()
  • -##
  • init_ranged_domain()
  • -##
  • init_ranged_system_domain()
  • -##
  • init_script_domain()
  • -##
  • init_system_domain()
  • -##
-##

-## Example: -##

-##

-## type mydomain_t; -## domain_type(mydomain_t) -## type myfile_t; -## files_type(myfile_t) -## allow mydomain_t myfile_t:file read_file_perms; -##

-##
-## -## -## Type to be used as a domain type. -## -## -## -# -interface(`domain_type',` - # start with basic domain - domain_base_type($1) - - ifdef(`distro_redhat',` - optional_policy(` - unconfined_use_fds($1) - ') - ') - - # send init a sigchld and signull - optional_policy(` - init_sigchld($1) - init_signull($1) - ') - - # these seem questionable: - - optional_policy(` - rpm_use_fds($1) - rpm_read_pipes($1) - ') - - optional_policy(` - selinux_dontaudit_getattr_fs($1) - selinux_dontaudit_read_fs($1) - ') - - optional_policy(` - seutil_dontaudit_read_config($1) - ') -') - -######################################## -## -## Make the specified type usable as -## an entry point for the domain. -## -## -## -## Domain to be entered. -## -## -## -## -## Type of program used for entering -## the domain. -## -## -# -interface(`domain_entry_file',` - gen_require(` - attribute entry_type; - ') - - allow $1 $2:file entrypoint; - allow $1 $2:file { mmap_file_perms ioctl lock }; - - typeattribute $2 entry_type; - - corecmd_executable_file($2) -') - -######################################## -## -## Make the file descriptors of the specified -## domain for interactive use (widely inheritable) -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_interactive_fd',` - gen_require(` - attribute privfd; - ') - - typeattribute $1 privfd; -') - -######################################## -## -## Allow the specified domain to perform -## dynamic transitions. -## -## -##

-## Allow the specified domain to perform -## dynamic transitions. -##

-##

-## This violates process tranquility, and it -## is strongly suggested that this not be used. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`domain_dyntrans_type',` - gen_require(` - attribute set_curr_context; - ') - - typeattribute $1 set_curr_context; -') - -######################################## -## -## Makes caller and execption to the constraint -## preventing changing to the system user -## identity and system role. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_system_change_exemption',` - gen_require(` - attribute can_system_change; - ') - - typeattribute $1 can_system_change; -') - -######################################## -## -## Makes caller an exception to the constraint preventing -## changing of user identity. -## -## -## -## The process type to make an exception to the constraint. -## -## -# -interface(`domain_subj_id_change_exemption',` - gen_require(` - attribute can_change_process_identity; - ') - - typeattribute $1 can_change_process_identity; -') - -######################################## -## -## Makes caller an exception to the constraint preventing -## changing of role. -## -## -## -## The process type to make an exception to the constraint. -## -## -# -interface(`domain_role_change_exemption',` - gen_require(` - attribute can_change_process_role; - ') - - typeattribute $1 can_change_process_role; -') - -######################################## -## -## Makes caller an exception to the constraint preventing -## changing the user identity in object contexts. -## -## -## -## The process type to make an exception to the constraint. -## -## -## -# -interface(`domain_obj_id_change_exemption',` - gen_require(` - attribute can_change_object_identity; - ') - - typeattribute $1 can_change_object_identity; -') - -######################################## -## -## Make the specified domain the target of -## the user domain exception of the -## SELinux role and identity change -## constraints. -## -## -##

-## Make the specified domain the target of -## the user domain exception of the -## SELinux role and identity change -## constraints. -##

-##

-## This interface is needed to decouple -## the user domains from the base module. -## It should not be used other than on -## user domains. -##

-##
-## -## -## Domain target for user exemption. -## -## -# -interface(`domain_user_exemption_target',` - gen_require(` - attribute process_user_target; - ') - - typeattribute $1 process_user_target; -') - -######################################## -## -## Make the specified domain the source of -## the cron domain exception of the -## SELinux role and identity change -## constraints. -## -## -##

-## Make the specified domain the source of -## the cron domain exception of the -## SELinux role and identity change -## constraints. -##

-##

-## This interface is needed to decouple -## the cron domains from the base module. -## It should not be used other than on -## cron domains. -##

-##
-## -## -## Domain target for user exemption. -## -## -# -interface(`domain_cron_exemption_source',` - gen_require(` - attribute cron_source_domain; - ') - - typeattribute $1 cron_source_domain; -') - -######################################## -## -## Make the specified domain the target of -## the cron domain exception of the -## SELinux role and identity change -## constraints. -## -## -##

-## Make the specified domain the target of -## the cron domain exception of the -## SELinux role and identity change -## constraints. -##

-##

-## This interface is needed to decouple -## the cron domains from the base module. -## It should not be used other than on -## user cron jobs. -##

-##
-## -## -## Domain target for user exemption. -## -## -# -interface(`domain_cron_exemption_target',` - gen_require(` - attribute cron_job_domain; - ') - - typeattribute $1 cron_job_domain; -') - -######################################## -## -## Inherit and use file descriptors from -## domains with interactive programs. -## -## -##

-## Allow the specified domain to inherit and use file -## descriptors from domains with interactive programs. -## This does not allow access to the objects being referenced -## by the file descriptors. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`domain_use_interactive_fds',` - gen_require(` - attribute privfd; - ') - - allow $1 privfd:fd use; -') - -######################################## -## -## Do not audit attempts to inherit file -## descriptors from domains with interactive -## programs. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_use_interactive_fds',` - gen_require(` - attribute privfd; - ') - - dontaudit $1 privfd:fd use; -') - -######################################## -## -## Send a SIGCHLD signal to domains whose file -## discriptors are widely inheritable. -## -## -## -## Domain allowed access. -## -## -# -# cjp: this was added because of newrole -interface(`domain_sigchld_interactive_fds',` - gen_require(` - attribute privfd; - ') - - allow $1 privfd:process sigchld; -') - -######################################## -## -## Set the nice level of all domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_setpriority_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process setsched; -') - -######################################## -## -## Send general signals to all domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_signal_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process signal; -') - -######################################## -## -## Dontaudit sending general signals to all domains. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`domain_dontaudit_signal_all_domains',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:process signal; -') - -######################################## -## -## Send a null signal to all domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_signull_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process signull; -') - -######################################## -## -## Send a stop signal to all domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_sigstop_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process sigstop; -') - -######################################## -## -## Send a child terminated signal to all domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_sigchld_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process sigchld; -') - -######################################## -## -## Send a kill signal to all domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_kill_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process sigkill; - allow $1 self:capability kill; -') - -######################################## -## -## Search the process state directory (/proc/pid) of all domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_search_all_domains_state',` - gen_require(` - attribute domain; - ') - - kernel_search_proc($1) - allow $1 domain:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to search the process -## state directory (/proc/pid) of all domains. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_search_all_domains_state',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:dir search_dir_perms; -') - -######################################## -## -## Read the process state (/proc/pid) of all domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_read_all_domains_state',` - gen_require(` - attribute domain; - ') - - kernel_search_proc($1) - allow $1 domain:dir list_dir_perms; - read_files_pattern($1, domain, domain) - read_lnk_files_pattern($1, domain, domain) -') - -######################################## -## -## Get the attributes of all domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_getattr_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process getattr; -') - -######################################## -## -## Dontaudit geting the attributes of all domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_dontaudit_getattr_all_domains',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:process getattr; -') - -######################################## -## -## Read the process state (/proc/pid) of all confined domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_read_confined_domains_state',` - gen_require(` - attribute domain, unconfined_domain_type; - ') - - kernel_search_proc($1) - allow $1 { domain -unconfined_domain_type }:dir list_dir_perms; - read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type }) - read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type }) - - dontaudit $1 unconfined_domain_type:dir search_dir_perms; - dontaudit $1 unconfined_domain_type:file read_file_perms; - dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Get the attributes of all confined domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_getattr_confined_domains',` - gen_require(` - attribute domain, unconfined_domain_type; - ') - - allow $1 { domain -unconfined_domain_type }:process getattr; -') - -######################################## -## -## Ptrace all domains. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_ptrace_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process ptrace; - allow domain $1:process sigchld; -') - -######################################## -## -## Do not audit attempts to ptrace all domains. -## -## -##

-## Do not audit attempts to ptrace all domains. -##

-##

-## Generally this needs to be suppressed because procps tries to access -## /proc/pid/environ and this now triggers a ptrace check in recent kernels -## (2.4 and 2.6). -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_ptrace_all_domains',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:process ptrace; -') - -######################################## -## -## Do not audit attempts to ptrace confined domains. -## -## -##

-## Do not audit attempts to ptrace confined domains. -##

-##

-## Generally this needs to be suppressed because procps tries to access -## /proc/pid/environ and this now triggers a ptrace check in recent kernels -## (2.4 and 2.6). -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_ptrace_confined_domains',` - gen_require(` - attribute domain, unconfined_domain_type; - ') - - dontaudit $1 { domain -unconfined_domain_type }:process ptrace; -') - -######################################## -## -## Do not audit attempts to read the process -## state (/proc/pid) of all domains. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_read_all_domains_state',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:dir list_dir_perms; - dontaudit $1 domain:lnk_file read_lnk_file_perms; - dontaudit $1 domain:file read_file_perms; - - # cjp: these should be removed: - dontaudit $1 domain:sock_file read_sock_file_perms; - dontaudit $1 domain:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read the process state -## directories of all domains. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_list_all_domains_state',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:dir list_dir_perms; -') - -######################################## -## -## Get the session ID of all domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_getsession_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process getsession; -') - -######################################## -## -## Do not audit attempts to get the -## session ID of all domains. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_getsession_all_domains',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:process getsession; -') - -######################################## -## -## Get the process group ID of all domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_getpgid_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process getpgid; -') - -######################################## -## -## Get the scheduler information of all domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_getsched_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:process getsched; -') - -######################################## -## -## Get the attributes of all domains -## sockets, for all socket types. -## -## -##

-## Get the attributes of all domains -## sockets, for all socket types. -##

-##

-## This is commonly used for domains -## that can use lsof on all domains. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`domain_getattr_all_sockets',` - gen_require(` - attribute domain; - ') - - allow $1 domain:socket_class_set getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains sockets, for all socket types. -## -## -##

-## Do not audit attempts to get the attributes -## of all domains sockets, for all socket types. -##

-##

-## This interface was added for PCMCIA cardmgr -## and is probably excessive. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_getattr_all_sockets',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:socket_class_set getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_getattr_all_tcp_sockets',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:tcp_socket getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains UDP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_getattr_all_udp_sockets',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:udp_socket getattr; -') - -######################################## -## -## Do not audit attempts to read or write -## all domains UDP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_rw_all_udp_sockets',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:udp_socket { read write }; -') - -######################################## -## -## Do not audit attempts to get attribues of -## all domains IPSEC key management sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_getattr_all_key_sockets',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:key_socket getattr; -') - -######################################## -## -## Do not audit attempts to get attribues of -## all domains packet sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_getattr_all_packet_sockets',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:packet_socket getattr; -') - -######################################## -## -## Do not audit attempts to get attribues of -## all domains raw sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_getattr_all_raw_sockets',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:rawip_socket getattr; -') - -######################################## -## -## Do not audit attempts to read or write -## all domains key sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_rw_all_key_sockets',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:key_socket { read write }; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains unix datagram sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_getattr_all_dgram_sockets',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:unix_dgram_socket getattr; -') - -######################################## -## -## Get the attributes -## of all domains unix datagram sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_getattr_all_stream_sockets',` - gen_require(` - attribute domain; - ') - - allow $1 domain:unix_stream_socket getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains unix datagram sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_getattr_all_stream_sockets',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:unix_stream_socket getattr; -') - -######################################## -## -## Get the attributes of all domains -## unnamed pipes. -## -## -##

-## Get the attributes of all domains -## unnamed pipes. -##

-##

-## This is commonly used for domains -## that can use lsof on all domains. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`domain_getattr_all_pipes',` - gen_require(` - attribute domain; - ') - - allow $1 domain:fifo_file getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_getattr_all_pipes',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:fifo_file getattr; -') - -######################################## -## -## Allow specified type to set context of all -## domains IPSEC associations. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_ipsec_setcontext_all_domains',` - gen_require(` - attribute domain; - ') - - allow $1 domain:association setcontext; -') - -######################################## -## -## Get the attributes of entry point -## files for all domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_getattr_all_entry_files',` - gen_require(` - attribute entry_type; - ') - - allow $1 entry_type:lnk_file read_lnk_file_perms; - allow $1 entry_type:file getattr; -') - -######################################## -## -## Read the entry point files for all domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_read_all_entry_files',` - gen_require(` - attribute entry_type; - ') - - allow $1 entry_type:lnk_file read_lnk_file_perms; - allow $1 entry_type:file read_file_perms; -') - -######################################## -## -## Execute the entry point files for all -## domains in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`domain_exec_all_entry_files',` - gen_require(` - attribute entry_type; - ') - - can_exec($1, entry_type) -') - -######################################## -## -## dontaudit checking for execute on all entry point files -## -## -## -## Domain to not audit. -## -## -# -interface(`domain_dontaudit_exec_all_entry_files',` - gen_require(` - attribute entry_type; - ') - - dontaudit $1 entry_type:file exec_file_perms; -') - -######################################## -## -## Create, read, write, and delete all -## entrypoint files. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`domain_manage_all_entry_files',` - gen_require(` - attribute entry_type; - ') - - allow $1 entry_type:file manage_file_perms; -') - -######################################## -## -## Relabel to and from all entry point -## file types. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`domain_relabel_all_entry_files',` - gen_require(` - attribute entry_type; - ') - - allow $1 entry_type:file relabel_file_perms; -') - -######################################## -## -## Mmap all entry point files as executable. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`domain_mmap_all_entry_files',` - gen_require(` - attribute entry_type; - ') - - allow $1 entry_type:file mmap_file_perms; -') - -######################################## -## -## Execute an entry_type in the specified domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# -# cjp: added for userhelper -interface(`domain_entry_file_spec_domtrans',` - gen_require(` - attribute entry_type; - ') - - domain_transition_pattern($1, entry_type, $2) -') - -######################################## -## -## Ability to mmap a low area of the address -## space conditionally, as configured by -## /proc/sys/kernel/mmap_min_addr. -## Preventing such mappings helps protect against -## exploiting null deref bugs in the kernel. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_mmap_low',` - gen_require(` - attribute mmap_low_domain_type; - bool mmap_low_allowed; - ') - - typeattribute $1 mmap_low_domain_type; - - if ( mmap_low_allowed ) { - allow $1 self:memprotect mmap_zero; - } -') - -######################################## -## -## Ability to mmap a low area of the address -## space unconditionally, as configured -## by /proc/sys/kernel/mmap_min_addr. -## Preventing such mappings helps protect against -## exploiting null deref bugs in the kernel. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_mmap_low_uncond',` - gen_require(` - attribute mmap_low_domain_type; - ') - - typeattribute $1 mmap_low_domain_type; - - allow $1 self:memprotect mmap_zero; -') - -######################################## -## -## Allow specified type to receive labeled -## networking packets from all domains, over -## all protocols (TCP, UDP, etc) -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_all_recvfrom_all_domains',` - gen_require(` - attribute domain; - ') - - corenet_all_recvfrom_labeled($1, domain) -') - -######################################## -## -## Send generic signals to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_unconfined_signal',` - gen_require(` - attribute unconfined_domain_type; - ') - - allow $1 unconfined_domain_type:process signal; -') - -######################################## -## -## Unconfined access to domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_unconfined',` - gen_require(` - attribute set_curr_context; - attribute can_change_object_identity; - attribute unconfined_domain_type; - attribute process_uncond_exempt; - ') - - typeattribute $1 unconfined_domain_type; - - # pass constraints - typeattribute $1 can_change_object_identity; - typeattribute $1 set_curr_context; - typeattribute $1 process_uncond_exempt; -') - -######################################## -## -## Do not audit attempts to read or write -## all leaked sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`domain_dontaudit_leaks',` - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:socket_class_set { read write }; -') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te deleted file mode 100644 index 5843cad..0000000 --- a/policy/modules/kernel/domain.te +++ /dev/null @@ -1,277 +0,0 @@ -policy_module(domain, 1.8.1) - -######################################## -# -# Declarations -# -## -##

-## Allow all domains to use other domains file descriptors -##

-##
-# -gen_tunable(allow_domain_fd_use, true) - -## -##

-## Allow all domains to have the kernel load modules -##

-##
-# -gen_tunable(domain_kernel_load_modules, false) - -## -##

-## Control the ability to mmap a low area of the address space, -## as configured by /proc/sys/kernel/mmap_min_addr. -##

-##
-gen_tunable(mmap_low_allowed, false) - -# Mark process types as domains -attribute domain; - -# Transitions only allowed from domains to other domains -neverallow domain ~domain:process { transition dyntransition }; - -# Domains that are unconfined -attribute unconfined_domain_type; - -# Domains that can mmap low memory. -attribute mmap_low_domain_type; -neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; - -# Domains that can set their current context -# (perform dynamic transitions) -attribute set_curr_context; - -# enabling setcurrent breaks process tranquility. If you do not -# know what this means or do not understand the implications of a -# dynamic transition, you should not be using it!!! -neverallow { domain -set_curr_context } self:process setcurrent; - -# entrypoint executables -attribute entry_type; - -# widely-inheritable file descriptors -attribute privfd; - -# -# constraint related attributes -# - -# [1] types that can change SELinux identity on transition -attribute can_change_process_identity; - -# [2] types that can change SELinux role on transition -attribute can_change_process_role; - -# [3] types that can change the SELinux identity on a filesystem -# object or a socket object on a create or relabel -attribute can_change_object_identity; - -# [3] types that can change to system_u:system_r -attribute can_system_change; - -# [4] types that have attribute 1 can change the SELinux -# identity only if the target domain has this attribute. -# Types that have attribute 2 can change the SELinux role -# only if the target domain has this attribute. -attribute process_user_target; - -# For cron jobs -# [5] types used for cron daemons -attribute cron_source_domain; -# [6] types used for cron jobs -attribute cron_job_domain; - -# [7] types that are unconditionally exempt from -# SELinux identity and role change constraints -attribute process_uncond_exempt; # add userhelperdomain to this one - -neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *; -neverallow ~{ domain unlabeled_t } *:process *; - -######################################## -# -# Rules applied to all domains -# - -# read /proc/(pid|self) entries -allow domain self:dir list_dir_perms; -allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; -allow domain self:file rw_file_perms; -kernel_read_proc_symlinks(domain) -kernel_read_crypto_sysctls(domain) - -# Every domain gets the key ring, so we should default -# to no one allowed to look at it; afs kernel support creates -# a keyring -kernel_dontaudit_search_key(domain) -kernel_dontaudit_link_key(domain) -kernel_dontaudit_search_debugfs(domain) - -# create child processes in the domain -allow domain self:process { fork getsched sigchld }; - -# Use trusted objects in /dev -dev_rw_null(domain) -dev_rw_zero(domain) -term_use_controlling_term(domain) - -# list the root directory -files_list_root(domain) -# allow all domains to search through default_t directory, since users sometimes -# place labels within these directories. (samba_share_t) for example. -files_search_default(domain) - -# All executables should be able to search the directory they are in -corecmd_search_bin(domain) - -tunable_policy(`domain_kernel_load_modules',` - kernel_request_load_module(domain) -') - -tunable_policy(`global_ssp',` - # enable reading of urandom for all domains: - # this should be enabled when all programs - # are compiled with ProPolice/SSP - # stack smashing protection. - dev_read_urand(domain) -') - -optional_policy(` - afs_rw_cache(domain) -') - -optional_policy(` - libs_use_ld_so(domain) - libs_use_shared_libs(domain) - libs_read_lib_files(domain) -') - -optional_policy(` - setrans_translate_context(domain) -') - -# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains. -optional_policy(` - xserver_dontaudit_use_xdm_fds(domain) - xserver_dontaudit_rw_xdm_pipes(domain) - xserver_dontaudit_append_xdm_home_files(domain) - xserver_dontaudit_write_log(domain) -') - -######################################## -# -# Unconfined access to this module -# - -# unconfined access also allows constraints, but this -# is handled in the interface as typeattribute cannot -# be used on an attribute. - -# Use/sendto/connectto sockets created by any domain. -allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; - -# Use descriptors and pipes created by any domain. -allow unconfined_domain_type domain:fd use; -allow unconfined_domain_type domain:fifo_file rw_file_perms; - -allow unconfined_domain_type unconfined_domain_type:dbus send_msg; - -# Act upon any other process. -allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; - -# Create/access any System V IPC objects. -allow unconfined_domain_type domain:{ sem msgq shm } *; -allow unconfined_domain_type domain:msg { send receive }; - -# For /proc/pid -allow unconfined_domain_type domain:dir list_dir_perms; -allow unconfined_domain_type domain:file rw_file_perms; -allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; - -# act on all domains keys -allow unconfined_domain_type domain:key *; - -# receive from all domains over labeled networking -domain_all_recvfrom_all_domains(unconfined_domain_type) - -selinux_getattr_fs(domain) -selinux_search_fs(domain) -selinux_dontaudit_read_fs(domain) - -seutil_dontaudit_read_config(domain) - -init_sigchld(domain) -init_signull(domain) - -ifdef(`distro_redhat',` - files_search_mnt(domain) - optional_policy(` - unconfined_use_fds(domain) - ') -') - -# these seem questionable: - -optional_policy(` - abrt_domtrans_helper(domain) - abrt_read_pid_files(domain) - abrt_read_state(domain) - abrt_signull(domain) - abrt_stream_connect(domain) -') - -optional_policy(` - rpm_use_fds(domain) - rpm_read_pipes(domain) - rpm_search_log(domain) - rpm_append_tmp_files(domain) - rpm_dontaudit_leaks(domain) - rpm_read_script_tmp_files(domain) - rpm_inherited_fifo(domain) -') - -optional_policy(` - sosreport_append_tmp_files(domain) -') - -tunable_policy(`allow_domain_fd_use',` - # Allow all domains to use fds past to them - allow domain domain:fd use; -') - -optional_policy(` - cron_dontaudit_write_system_job_tmp_files(domain) - cron_rw_pipes(domain) - cron_rw_system_job_pipes(domain) -') - -ifdef(`hide_broken_symptoms',` - dontaudit domain self:udp_socket listen; - allow domain domain:key { link search }; -') - -optional_policy(` - hal_dontaudit_read_pid_files(domain) -') - -optional_policy(` - ifdef(`hide_broken_symptoms',` - afs_rw_udp_sockets(domain) - ') -') - -optional_policy(` - ssh_rw_pipes(domain) -') - -optional_policy(` - unconfined_dontaudit_rw_pipes(domain) - unconfined_sigchld(domain) -') - -# broken kernel -dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc deleted file mode 100644 index bd4c23d..0000000 --- a/policy/modules/kernel/files.fc +++ /dev/null @@ -1,272 +0,0 @@ - -# -# / -# -/.* gen_context(system_u:object_r:default_t,s0) -/ -d gen_context(system_u:object_r:root_t,s0) -/\.journal <> -/afs -d gen_context(system_u:object_r:mnt_t,s0) -/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) -/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) - -ifdef(`distro_redhat',` -/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0) -/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0) -/\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0) -/fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0) -/forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0) -/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) -/halt -- gen_context(system_u:object_r:etc_runtime_t,s0) -/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0) -/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) -') - -ifdef(`distro_suse',` -/success -- gen_context(system_u:object_r:etc_runtime_t,s0) -') - -# -# /boot -# -/boot -d gen_context(system_u:object_r:boot_t,s0) -/boot/.* gen_context(system_u:object_r:boot_t,s0) -/boot/\.journal <> -/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) -/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/boot/lost\+found/.* <> -/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) - -# -# /emul -# -/emul -d gen_context(system_u:object_r:usr_t,s0) -/emul/.* gen_context(system_u:object_r:usr_t,s0) - -# -# /etc -# -/etc -d gen_context(system_u:object_r:etc_t,s0) -/etc/.* gen_context(system_u:object_r:etc_t,s0) -/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/localtime -l gen_context(system_u:object_r:etc_t,s0) -/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0) - -/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) -/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) -/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) - - -/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) - -/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) - -/etc/network/ifstate -- gen_context(system_u:object_r:etc_runtime_t,s0) - -/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0) - -/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) - -/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) - -ifdef(`distro_gentoo', ` -/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -') - -ifdef(`distro_redhat',` -/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0) -') - -ifdef(`distro_suse',` -/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -') - -# -# HOME_ROOT -# expanded by genhomedircon -# -HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) -HOME_ROOT/\.journal <> -HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -HOME_ROOT/lost\+found/.* <> - -# -# /initrd -# -# initrd mount point, only used during boot -/initrd -d gen_context(system_u:object_r:root_t,s0) - -# -# /lib(64)? -# -/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) -/lib64/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) - -# -# /lost+found -# -/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/lost\+found/.* <> - -# -# /media -# -# Mount points; do not relabel subdirectories, since -# we don't want to change any removable media by default. -/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) -/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) -/media/[^/]*/.* <> -/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) - -# -# /misc -# -/misc -d gen_context(system_u:object_r:mnt_t,s0) - -# -# /mnt -# -/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) -/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) -/mnt/[^/]*/.* <> - -# -# /net -# -/net -d gen_context(system_u:object_r:mnt_t,s0) - -# -# /opt -# -/opt -d gen_context(system_u:object_r:usr_t,s0) -/opt/.* gen_context(system_u:object_r:usr_t,s0) - -/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0) - -# -# /proc -# -/proc -d <> -/proc/.* <> - -ifdef(`distro_redhat',` -/rhev -d gen_context(system_u:object_r:mnt_t,s0) -/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) -/rhev/[^/]*/.* <> -') - -# -# /selinux -# -/selinux -d <> -/selinux/.* <> - -# -# /srv -# -/srv -d gen_context(system_u:object_r:var_t,s0) -/srv/.* gen_context(system_u:object_r:var_t,s0) - -# -# /tmp -# -/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -/tmp/.* <> -/tmp/\.journal <> - -/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/tmp/lost\+found/.* <> - -# -# /usr -# -/usr -d gen_context(system_u:object_r:usr_t,s0) -/usr/.* gen_context(system_u:object_r:usr_t,s0) -/usr/\.journal <> - -/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) - -/usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - -/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) - -/usr/local/\.journal <> - -/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - -/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/usr/local/lost\+found/.* <> - -/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/usr/lost\+found/.* <> - -/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) - -/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -/usr/tmp/.* <> - -ifndef(`distro_redhat',` -/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) -/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) -/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -') - -# -# /var -# -/var -d gen_context(system_u:object_r:var_t,s0) -/var/.* gen_context(system_u:object_r:var_t,s0) -/var/\.journal <> - -/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0) - -/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - -/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - -/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) - -/var/lib/nfs/rpc_pipefs(/.*)? <> - -/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) - -/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/var/lost\+found/.* <> - -/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) -/var/run/.* gen_context(system_u:object_r:var_run_t,s0) -/var/run/.*\.*pid <> - -/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) -/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - -/var/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -/var/tmp/.* <> -/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/var/tmp/lost\+found/.* <> -/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) - -ifdef(`distro_debian',` -/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) -') -/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) -/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if deleted file mode 100644 index a738502..0000000 --- a/policy/modules/kernel/files.if +++ /dev/null @@ -1,6383 +0,0 @@ -## -## Basic filesystem types and interfaces. -## -## -##

-## This module contains basic filesystem types and interfaces. This -## includes: -##

    -##
  • The concept of different file types including basic -## files, mount points, tmp files, etc.
  • -##
  • Access to groups of files and all files.
  • -##
  • Types and interfaces for the basic filesystem layout -## (/, /etc, /tmp, /usr, etc.).
  • -##
-##

-##
-## -## Contains the concept of a file. -## Comains the file initial SID. -## - -######################################## -## -## Make the specified type usable for files -## in a filesystem. -## -## -##

-## Make the specified type usable for files -## in a filesystem. Types used for files that -## do not use this interface, or an interface that -## calls this one, will have unexpected behaviors -## while the system is running. If the type is used -## for device nodes (character or block files), then -## the dev_node() interface is more appropriate. -##

-##

-## Related interfaces: -##

-##
    -##
  • application_domain()
  • -##
  • application_executable_file()
  • -##
  • corecmd_executable_file()
  • -##
  • init_daemon_domain()
  • -##
  • init_domaion()
  • -##
  • init_ranged_daemon_domain()
  • -##
  • init_ranged_domain()
  • -##
  • init_ranged_system_domain()
  • -##
  • init_script_file()
  • -##
  • init_script_domain()
  • -##
  • init_system_domain()
  • -##
  • files_config_files()
  • -##
  • files_lock_file()
  • -##
  • files_mountpoint()
  • -##
  • files_pid_file()
  • -##
  • files_security_file()
  • -##
  • files_security_mountpoint()
  • -##
  • files_tmp_file()
  • -##
  • files_tmpfs_file()
  • -##
  • logging_log_file()
  • -##
  • userdom_user_home_content()
  • -##
-##

-## Example: -##

-##

-## type myfile_t; -## files_type(myfile_t) -## allow mydomain_t myfile_t:file read_file_perms; -##

-##
-## -## -## Type to be used for files. -## -## -## -# -interface(`files_type',` - gen_require(` - attribute file_type, non_security_file_type; - ') - - typeattribute $1 file_type, non_security_file_type; -') - -######################################## -## -## Make the specified type a file that -## should not be dontaudited from -## browsing from user domains. -## -## -## -## Type of the file to be used as a -## member directory. -## -## -# -interface(`files_security_file',` - gen_require(` - attribute file_type, security_file_type; - ') - - typeattribute $1 file_type, security_file_type; -') - -######################################## -## -## Make the specified type usable for -## lock files. -## -## -## -## Type to be used for lock files. -## -## -# -interface(`files_lock_file',` - gen_require(` - attribute lockfile; - ') - - files_type($1) - typeattribute $1 lockfile; -') - -######################################## -## -## Make the specified type usable for -## filesystem mount points. -## -## -## -## Type to be used for mount points. -## -## -# -interface(`files_mountpoint',` - gen_require(` - attribute mountpoint; - ') - - files_type($1) - typeattribute $1 mountpoint; -') - -######################################## -## -## Make the specified type usable for -## security file filesystem mount points. -## -## -## -## Type to be used for mount points. -## -## -# -interface(`files_security_mountpoint',` - gen_require(` - attribute mountpoint; - ') - - files_security_file($1) - typeattribute $1 mountpoint; -') - -######################################## -## -## Make the specified type usable for -## runtime process ID files. -## -## -##

-## Make the specified type usable for runtime process ID files, -## typically found in /var/run. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a PID file type may result in problems with starting -## or stopping services. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_pid_filetrans()
  • -##
-##

-## Example usage with a domain that can create and -## write its PID file with a private PID file type in the -## /var/run directory: -##

-##

-## type mypidfile_t; -## files_pid_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -## files_pid_filetrans(mydomain_t, mypidfile_t, file) -##

-##
-## -## -## Type to be used for PID files. -## -## -## -# -interface(`files_pid_file',` - gen_require(` - attribute pidfile; - ') - - files_type($1) - typeattribute $1 pidfile; -') - -######################################## -## -## Make the specified type a -## configuration file. -## -## -##

-## Make the specified type usable for configuration files. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a temporary file may result in problems with -## configuration management tools. -##

-##

-## Example usage with a domain that can read -## its configuration file /etc: -##

-##

-## type myconffile_t; -## files_config_file(myconffile_t) -## allow mydomain_t myconffile_t:file read_file_perms; -## files_search_etc(mydomain_t) -##

-##
-## -## -## Type to be used as a configuration file. -## -## -## -# -interface(`files_config_file',` - gen_require(` - attribute configfile; - ') - files_type($1) - typeattribute $1 configfile; -') - -######################################## -## -## Make the specified type a -## polyinstantiated directory. -## -## -## -## Type of the file to be used as a -## polyinstantiated directory. -## -## -# -interface(`files_poly',` - gen_require(` - attribute polydir; - ') - - files_type($1) - typeattribute $1 polydir; -') - -######################################## -## -## Make the specified type a parent -## of a polyinstantiated directory. -## -## -## -## Type of the file to be used as a -## parent directory. -## -## -# -interface(`files_poly_parent',` - gen_require(` - attribute polyparent; - ') - - files_type($1) - typeattribute $1 polyparent; -') - -######################################## -## -## Make the specified type a -## polyinstantiation member directory. -## -## -## -## Type of the file to be used as a -## member directory. -## -## -# -interface(`files_poly_member',` - gen_require(` - attribute polymember; - ') - - files_type($1) - typeattribute $1 polymember; -') - -######################################## -## -## Make the domain use the specified -## type of polyinstantiated directory. -## -## -## -## Domain using the polyinstantiated -## directory. -## -## -## -## -## Type of the file to be used as a -## member directory. -## -## -# -interface(`files_poly_member_tmp',` - gen_require(` - type tmp_t; - ') - - type_member $1 tmp_t:dir $2; -') - -######################################## -## -## Make the specified type a file -## used for temporary files. -## -## -##

-## Make the specified type usable for temporary files. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a temporary file may result in problems with -## purging temporary files. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_tmp_filetrans()
  • -##
-##

-## Example usage with a domain that can create and -## write its temporary file in the system temporary file -## directories (/tmp or /var/tmp): -##

-##

-## type mytmpfile_t; -## files_tmp_file(mytmpfile_t) -## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms }; -## files_tmp_filetrans(mydomain_t, mytmpfile_t, file) -##

-##
-## -## -## Type of the file to be used as a -## temporary file. -## -## -## -# -interface(`files_tmp_file',` - gen_require(` - attribute tmpfile; - type tmp_t; - ') - - files_type($1) - files_poly_member($1) - typeattribute $1 tmpfile; -') - -######################################## -## -## Transform the type into a file, for use on a -## virtual memory filesystem (tmpfs). -## -## -## -## The type to be transformed. -## -## -# -interface(`files_tmpfs_file',` - gen_require(` - attribute tmpfsfile; - ') - - files_type($1) - typeattribute $1 tmpfsfile; -') - -######################################## -## -## Get the attributes of all directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_all_dirs',` - gen_require(` - attribute file_type; - ') - - getattr_dirs_pattern($1, file_type, file_type) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_all_dirs',` - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:dir getattr; -') - -######################################## -## -## List all non-security directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_non_security',` - gen_require(` - attribute non_security_file_type; - ') - - list_dirs_pattern($1, non_security_file_type, non_security_file_type) -') - -######################################## -## -## Do not audit attempts to list all -## non-security directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_list_non_security',` - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:dir list_dir_perms; -') - -######################################## -## -## Mount a filesystem on all non-security -## directories and files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_mounton_non_security',` - gen_require(` - attribute non_security_file_type; - ') - - allow $1 non_security_file_type:dir mounton; - allow $1 non_security_file_type:file mounton; -') - -######################################## -## -## Allow attempts to modify any directory -## -## -## -## Domain allowed access. -## -## -# -interface(`files_write_non_security_dirs',` - gen_require(` - attribute non_security_file_type; - ') - - allow $1 non_security_file_type:dir write; -') - -######################################## -## -## Allow attempts to manage non-security directories -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_non_security_dirs',` - gen_require(` - attribute non_security_file_type; - ') - - allow $1 non_security_file_type:dir manage_dir_perms; -') - -######################################## -## -## Get the attributes of all files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_all_files',` - gen_require(` - attribute file_type; - ') - - getattr_files_pattern($1, file_type, file_type) - getattr_lnk_files_pattern($1, file_type, file_type) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all files. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_all_files',` - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:file getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of non security files. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_non_security_files',` - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:file getattr; -') - -######################################## -## -## Read all files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_all_files',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir list_dir_perms; - read_files_pattern($1, file_type, file_type) - - optional_policy(` - auth_read_shadow($1) - ') -') - -######################################## -## -## Allow shared library text relocations in all files. -## -## -##

-## Allow shared library text relocations in all files. -##

-##

-## This is added to support WINE policy. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`files_execmod_all_files',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:file execmod; -') - -######################################## -## -## Read all non-security files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_non_security_files',` - gen_require(` - attribute non_security_file_type; - ') - - read_files_pattern($1, non_security_file_type, non_security_file_type) - read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) -') - -######################################## -## -## Read all directories on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -# -interface(`files_read_all_dirs_except',` - gen_require(` - attribute file_type; - ') - - allow $1 { file_type $2 }:dir list_dir_perms; -') - -######################################## -## -## Read all files on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -# -interface(`files_read_all_files_except',` - gen_require(` - attribute file_type; - ') - - read_files_pattern($1, { file_type $2 }, { file_type $2 }) -') - -######################################## -## -## Read all symbolic links on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -# -interface(`files_read_all_symlinks_except',` - gen_require(` - attribute file_type; - ') - - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) -') - -######################################## -## -## Get the attributes of all symbolic links. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_all_symlinks',` - gen_require(` - attribute file_type; - ') - - getattr_lnk_files_pattern($1, file_type, file_type) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all symbolic links. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_all_symlinks',` - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:lnk_file getattr; -') - -######################################## -## -## Do not audit attempts to read all symbolic links. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_read_all_symlinks',` - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:lnk_file read; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of non security symbolic links. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_non_security_symlinks',` - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:lnk_file getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of non security block devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_non_security_blk_files',` - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:blk_file getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of non security character devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_non_security_chr_files',` - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:chr_file getattr; -') - -######################################## -## -## Read all symbolic links. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_all_symlinks',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir list_dir_perms; - read_lnk_files_pattern($1, file_type, file_type) -') - -######################################## -## -## Get the attributes of all named pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_all_pipes',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir list_dir_perms; - getattr_fifo_files_pattern($1, file_type, file_type) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all named pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_all_pipes',` - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:fifo_file getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of non security named pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_non_security_pipes',` - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:fifo_file getattr; -') - -######################################## -## -## Get the attributes of all named sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_all_sockets',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir list_dir_perms; - getattr_sock_files_pattern($1, file_type, file_type) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all named sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_all_sockets',` - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:sock_file getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of non security named sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_non_security_sockets',` - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:sock_file getattr; -') - -######################################## -## -## Read all block nodes with file types. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_all_blk_files',` - gen_require(` - attribute file_type; - ') - - read_blk_files_pattern($1, file_type, file_type) -') - -######################################## -## -## Read all character nodes with file types. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_all_chr_files',` - gen_require(` - attribute file_type; - ') - - read_chr_files_pattern($1, file_type, file_type) -') - -######################################## -## -## Relabel all files on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -## -# -interface(`files_relabel_all_files',` - gen_require(` - attribute file_type; - ') - - allow $1 { file_type $2 }:dir list_dir_perms; - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) - - # satisfy the assertions: - seutil_relabelto_bin_policy($1) -') - -######################################## -## -## rw all files on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -## -# -interface(`files_rw_all_files',` - gen_require(` - attribute file_type; - ') - - rw_files_pattern($1, { file_type $2 }, { file_type $2 }) -') - -######################################## -## -## Manage all files on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -## -# -interface(`files_manage_all_files',` - gen_require(` - attribute file_type; - ') - - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 }) - manage_files_pattern($1, { file_type $2 }, { file_type $2 }) - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) - - # satisfy the assertions: - seutil_create_bin_policy($1) - files_manage_kernel_modules($1) -') - -######################################## -## -## Search the contents of all directories on -## extended attribute filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_all',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir search_dir_perms; -') - -######################################## -## -## List the contents of all directories on -## extended attribute filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_all',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to search the -## contents of any directories on extended -## attribute filesystems. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_all_dirs',` - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:dir search_dir_perms; -') - -######################################## -## -## Get the attributes of all filesystems -## with the type of a file. -## -## -## -## Domain allowed access. -## -## -# -# dwalsh: This interface is to allow quotacheck to work on a -# a filesystem mounted with the --context switch -# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957 -# -interface(`files_getattr_all_file_type_fs',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:filesystem getattr; -') - -######################################## -## -## Relabel a filesystem to the type of a file. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabelto_all_file_type_fs',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:filesystem relabelto; -') - -######################################## -## -## Relabel a filesystem to the type of a file. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabel_all_file_type_fs',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:filesystem { relabelfrom relabelto }; -') - -######################################## -## -## Mount all filesystems with the type of a file. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_mount_all_file_type_fs',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:filesystem mount; -') - -######################################## -## -## Unmount all filesystems with the type of a file. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_unmount_all_file_type_fs',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:filesystem unmount; -') - -############################################# -## -## Manage all configuration directories on filesystem -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_config_dirs',` - gen_require(` - attribute configfile; - ') - - manage_dirs_pattern($1, configfile, configfile) -') - -######################################### -## -## Relabel configuration directories -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_relabel_config_dirs',` - gen_require(` - attribute configfile; - ') - - relabel_dirs_pattern($1, configfile, configfile) -') - -######################################## -## -## Read config files in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_config_files',` - gen_require(` - attribute configfile; - ') - - allow $1 configfile:dir list_dir_perms; - read_files_pattern($1, configfile, configfile) - read_lnk_files_pattern($1, configfile, configfile) -') - -########################################### -## -## Manage all configuration files on filesystem -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_config_files',` - gen_require(` - attribute configfile; - ') - - manage_files_pattern($1, configfile, configfile) -') - -####################################### -## -## Relabel configuration files -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_relabel_config_files',` - gen_require(` - attribute configfile; - ') - - relabel_files_pattern($1, configfile, configfile) -') - -######################################## -## -## Mount a filesystem on all mount points. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_mounton_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') - - allow $1 mountpoint:dir { search_dir_perms mounton }; - allow $1 mountpoint:file { getattr mounton }; -') - -######################################## -## -## Get the attributes of all mount points. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') - - allow $1 mountpoint:dir getattr; -') - -######################################## -## -## Search all mount points. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') - - allow $1 mountpoint:dir search_dir_perms; -') - -######################################## -## -## Do not audit searching of all mount points. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') - - dontaudit $1 mountpoint:dir search_dir_perms; -') - -######################################## -## -## Do not audit listing of all mount points. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_list_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') - - dontaudit $1 mountpoint:dir list_dir_perms; -') - -######################################## -## -## Write all mount points. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_write_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') - - allow $1 mountpoint:dir write; -') - -######################################## -## -## List the contents of the root directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_root',` - gen_require(` - type root_t; - ') - - allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; -') - -######################################## -## -## Do not audit attempts to write -## files in the root directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_rw_root_dir',` - gen_require(` - type root_t; - ') - - dontaudit $1 root_t:dir rw_dir_perms; -') - -######################################## -## -## Create an object in the root directory, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`files_root_filetrans',` - gen_require(` - type root_t; - ') - - filetrans_pattern($1, root_t, $2, $3) -') - -######################################## -## -## Do not audit attempts to read files in -## the root directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_read_root_files',` - gen_require(` - type root_t; - ') - - dontaudit $1 root_t:file { getattr read }; -') - -######################################## -## -## Do not audit attempts to read or write -## files in the root directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_rw_root_files',` - gen_require(` - type root_t; - ') - - dontaudit $1 root_t:file { read write }; -') - -######################################## -## -## Do not audit attempts to read or write -## character device nodes in the root directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_rw_root_chr_files',` - gen_require(` - type root_t; - ') - - dontaudit $1 root_t:chr_file { read write }; -') - -######################################## -## -## Delete files in the root directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_root_files',` - gen_require(` - type root_t; - ') - - allow $1 root_t:file unlink; -') - -######################################## -## -## Remove entries from the root directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_root_dir_entry',` - gen_require(` - type root_t; - ') - - allow $1 root_t:dir rw_dir_perms; -') - -######################################## -## -## Unmount a rootfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_unmount_rootfs',` - gen_require(` - type root_t; - ') - - allow $1 root_t:filesystem unmount; -') - -######################################## -## -## Get attributes of the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_boot_dirs',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir getattr; -') - -######################################## -## -## Do not audit attempts to get attributes -## of the /boot directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_boot_dirs',` - gen_require(` - type boot_t; - ') - - dontaudit $1 boot_t:dir getattr; -') - -######################################## -## -## Search the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_boot',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to search the /boot directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_boot',` - gen_require(` - type boot_t; - ') - - dontaudit $1 boot_t:dir search_dir_perms; -') - -######################################## -## -## List the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_boot',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir list_dir_perms; -') - -######################################## -## -## Create directories in /boot -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_boot_dirs',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir { create rw_dir_perms }; -') - -######################################## -## -## Create, read, write, and delete -## directories in /boot. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_boot_dirs',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir manage_dir_perms; -') - -######################################## -## -## Create a private type object in boot -## with an automatic type transition -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`files_boot_filetrans',` - gen_require(` - type boot_t; - ') - - filetrans_pattern($1, boot_t, $2, $3) -') - -######################################## -## -## read files in the /boot directory. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_boot_files',` - gen_require(` - type boot_t; - ') - - read_files_pattern($1, boot_t, boot_t) -') - -######################################## -## -## Create, read, write, and delete files -## in the /boot directory. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_boot_files',` - gen_require(` - type boot_t; - ') - - manage_files_pattern($1, boot_t, boot_t) -') - -######################################## -## -## Relabel from files in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabelfrom_boot_files',` - gen_require(` - type boot_t; - ') - - relabelfrom_files_pattern($1, boot_t, boot_t) -') - -######################################## -## -## Read and write symbolic links -## in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_boot_symlinks',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir list_dir_perms; - rw_lnk_files_pattern($1, boot_t, boot_t) -') - -######################################## -## -## Create, read, write, and delete symbolic links -## in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_boot_symlinks',` - gen_require(` - type boot_t; - ') - - manage_lnk_files_pattern($1, boot_t, boot_t) -') - -######################################## -## -## Read kernel files in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_kernel_img',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir list_dir_perms; - read_files_pattern($1, boot_t, boot_t) - read_lnk_files_pattern($1, boot_t, boot_t) -') - -######################################## -## -## Install a kernel into the /boot directory. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_create_kernel_img',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:file { create_file_perms rw_file_perms }; - manage_lnk_files_pattern($1, boot_t, boot_t) -') - -######################################## -## -## Delete a kernel from /boot. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_delete_kernel',` - gen_require(` - type boot_t; - ') - - delete_files_pattern($1, boot_t, boot_t) -') - -######################################## -## -## Getattr of directories with the default file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_default_dirs',` - gen_require(` - type default_t; - ') - - allow $1 default_t:dir getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes of -## directories with the default file type. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_default_dirs',` - gen_require(` - type default_t; - ') - - dontaudit $1 default_t:dir getattr; -') - -######################################## -## -## Search the contents of directories with the default file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_default',` - gen_require(` - type default_t; - ') - - allow $1 default_t:dir search_dir_perms; -') - -######################################## -## -## List contents of directories with the default file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_default',` - gen_require(` - type default_t; - ') - - allow $1 default_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to list contents of -## directories with the default file type. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_list_default',` - gen_require(` - type default_t; - ') - - dontaudit $1 default_t:dir list_dir_perms; -') - -######################################## -## -## Create, read, write, and delete directories with -## the default file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_default_dirs',` - gen_require(` - type default_t; - ') - - manage_dirs_pattern($1, default_t, default_t) -') - -######################################## -## -## Mount a filesystem on a directory with the default file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_mounton_default',` - gen_require(` - type default_t; - ') - - allow $1 default_t:dir { search_dir_perms mounton }; -') - -######################################## -## -## Do not audit attempts to get the attributes of -## files with the default file type. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_default_files',` - gen_require(` - type default_t; - ') - - dontaudit $1 default_t:file getattr; -') - -######################################## -## -## Read files with the default file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_default_files',` - gen_require(` - type default_t; - ') - - allow $1 default_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to read files -## with the default file type. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_read_default_files',` - gen_require(` - type default_t; - ') - - dontaudit $1 default_t:file read_file_perms; -') - -######################################## -## -## Create, read, write, and delete files with -## the default file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_default_files',` - gen_require(` - type default_t; - ') - - manage_files_pattern($1, default_t, default_t) -') - -######################################## -## -## Read symbolic links with the default file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_default_symlinks',` - gen_require(` - type default_t; - ') - - allow $1 default_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Read sockets with the default file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_default_sockets',` - gen_require(` - type default_t; - ') - - allow $1 default_t:sock_file read_sock_file_perms; -') - -######################################## -## -## Read named pipes with the default file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_default_pipes',` - gen_require(` - type default_t; - ') - - allow $1 default_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Search the contents of /etc directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_etc',` - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir search_dir_perms; -') - -######################################## -## -## Set the attributes of the /etc directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_setattr_etc_dirs',` - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir setattr; -') - -######################################## -## -## List the contents of /etc directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_etc',` - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to write to /etc dirs. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_write_etc_dirs',` - gen_require(` - type etc_t; - ') - - dontaudit $1 etc_t:dir write; -') - -######################################## -## -## Add and remove entries from /etc directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_etc_dirs',` - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir rw_dir_perms; -') - -########################################## -## -## Manage generic directories in /etc -## -## -## -## Domain allowed access -## -## -## -# -interface(`files_manage_etc_dirs',` - gen_require(` - type etc_t; - ') - - manage_dirs_pattern($1, etc_t, etc_t) -') - -######################################## -## -## Read generic files in /etc. -## -## -##

-## Allow the specified domain to read generic -## files in /etc. These files are typically -## general system configuration files that do -## not have more specific SELinux types. Some -## examples of these files are: -##

-##
    -##
  • /etc/fstab
  • -##
  • /etc/passwd
  • -##
  • /etc/services
  • -##
  • /etc/shells
  • -##
-##

-## This interface does not include access to /etc/shadow. -##

-##

-## Generally, it is safe for many domains to have -## this access. However, since this interface provides -## access to the /etc/passwd file, caution must be -## exercised, as user account names can be leaked -## through this access. -##

-##

-## Related interfaces: -##

-##
    -##
  • auth_read_shadow()
  • -##
  • files_read_etc_runtime_files()
  • -##
  • seutil_read_config()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_etc_files',` - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir list_dir_perms; - read_files_pattern($1, etc_t, etc_t) - read_lnk_files_pattern($1, etc_t, etc_t) -') - -######################################## -## -## Do not audit attempts to write generic files in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_dontaudit_write_etc_files',` - gen_require(` - type etc_t; - ') - - dontaudit $1 etc_t:file write; -') - -######################################## -## -## Read and write generic files in /etc. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_rw_etc_files',` - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir list_dir_perms; - rw_files_pattern($1, etc_t, etc_t) - read_lnk_files_pattern($1, etc_t, etc_t) -') - -######################################## -## -## Create, read, write, and delete generic -## files in /etc. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_etc_files',` - gen_require(` - type etc_t; - ') - - manage_files_pattern($1, etc_t, etc_t) - read_lnk_files_pattern($1, etc_t, etc_t) -') - -######################################## -## -## Delete system configuration files in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_etc_files',` - gen_require(` - type etc_t; - ') - - delete_files_pattern($1, etc_t, etc_t) -') - -######################################## -## -## Remove entries from the etc directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_etc_dir_entry',` - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir del_entry_dir_perms; -') - -######################################## -## -## Execute generic files in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_exec_etc_files',` - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir list_dir_perms; - read_lnk_files_pattern($1, etc_t, etc_t) - exec_files_pattern($1, etc_t, etc_t) -') - -####################################### -## -## Relabel from and to generic files in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabel_etc_files',` - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir list_dir_perms; - relabel_files_pattern($1, etc_t, etc_t) -') - -######################################## -## -## Read symbolic links in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_etc_symlinks',` - gen_require(` - type etc_t; - ') - - read_lnk_files_pattern($1, etc_t, etc_t) -') - -######################################## -## -## Create, read, write, and delete symbolic links in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_etc_symlinks',` - gen_require(` - type etc_t; - ') - - manage_lnk_files_pattern($1, etc_t, etc_t) -') - -######################################## -## -## Create objects in /etc with a private -## type using a type_transition. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Object classes to be created. -## -## -# -interface(`files_etc_filetrans',` - gen_require(` - type etc_t; - ') - - filetrans_pattern($1, etc_t, $2, $3) -') - -######################################## -## -## Create a boot flag. -## -## -##

-## Create a boot flag, such as -## /.autorelabel and /.autofsck. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`files_create_boot_flag',` - gen_require(` - type root_t, etc_runtime_t; - ') - - allow $1 etc_runtime_t:file manage_file_perms; - filetrans_pattern($1, root_t, etc_runtime_t, file) -') - -######################################## -## -## Read files in /etc that are dynamically -## created on boot, such as mtab. -## -## -##

-## Allow the specified domain to read dynamically created -## configuration files in /etc. These files are typically -## general system configuration files that do -## not have more specific SELinux types. Some -## examples of these files are: -##

-##
    -##
  • /etc/motd
  • -##
  • /etc/mtab
  • -##
  • /etc/nologin
  • -##
-##

-## This interface does not include access to /etc/shadow. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -# -interface(`files_read_etc_runtime_files',` - gen_require(` - type etc_t, etc_runtime_t; - ') - - allow $1 etc_t:dir list_dir_perms; - read_files_pattern($1, etc_t, etc_runtime_t) - read_lnk_files_pattern($1, etc_t, etc_runtime_t) -') - -######################################## -## -## Do not audit attempts to read files -## in /etc that are dynamically -## created on boot, such as mtab. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_read_etc_runtime_files',` - gen_require(` - type etc_runtime_t; - ') - - dontaudit $1 etc_runtime_t:file { getattr read }; -') - -######################################## -## -## Read and write files in /etc that are dynamically -## created on boot, such as mtab. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_rw_etc_runtime_files',` - gen_require(` - type etc_t, etc_runtime_t; - ') - - allow $1 etc_t:dir list_dir_perms; - rw_files_pattern($1, etc_t, etc_runtime_t) -') - -######################################## -## -## Create, read, write, and delete files in -## /etc that are dynamically created on boot, -## such as mtab. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_etc_runtime_files',` - gen_require(` - type etc_t, etc_runtime_t; - ') - - manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) -') - -######################################## -## -## Create, etc runtime objects with an automatic -## type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object being created. -## -## -# -interface(`files_etc_filetrans_etc_runtime',` - gen_require(` - type etc_t, etc_runtime_t; - ') - - filetrans_pattern($1, etc_t, etc_runtime_t, $2) -') - -######################################## -## -## Getattr of directories on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_isid_type_dirs',` - gen_require(` - type file_t; - ') - - allow $1 file_t:dir getattr; -') - -######################################## -## -## Do not audit attempts to search directories on new filesystems -## that have not yet been labeled. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_isid_type_dirs',` - gen_require(` - type file_t; - ') - - dontaudit $1 file_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of directories on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_isid_type_dirs',` - gen_require(` - type file_t; - ') - - allow $1 file_t:dir list_dir_perms; -') - -######################################## -## -## Read and write directories on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_isid_type_dirs',` - gen_require(` - type file_t; - ') - - allow $1 file_t:dir rw_dir_perms; -') - -######################################## -## -## Delete directories on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_isid_type_dirs',` - gen_require(` - type file_t; - ') - - delete_dirs_pattern($1, file_t, file_t) -') - -######################################## -## -## Create, read, write, and delete directories -## on new filesystems that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_isid_type_dirs',` - gen_require(` - type file_t; - ') - - allow $1 file_t:dir manage_dir_perms; -') - -######################################## -## -## Mount a filesystem on a directory on new filesystems -## that has not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_mounton_isid_type_dirs',` - gen_require(` - type file_t; - ') - - allow $1 file_t:dir { search_dir_perms mounton }; -') - -######################################## -## -## Read files on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_isid_type_files',` - gen_require(` - type file_t; - ') - - allow $1 file_t:file read_file_perms; -') - -######################################## -## -## Delete files on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_isid_type_files',` - gen_require(` - type file_t; - ') - - delete_files_pattern($1, file_t, file_t) -') - -######################################## -## -## Delete symbolic links on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_isid_type_symlinks',` - gen_require(` - type file_t; - ') - - delete_lnk_files_pattern($1, file_t, file_t) -') - -######################################## -## -## Delete named pipes on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_isid_type_fifo_files',` - gen_require(` - type file_t; - ') - - delete_fifo_files_pattern($1, file_t, file_t) -') - -######################################## -## -## Delete named sockets on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_isid_type_sock_files',` - gen_require(` - type file_t; - ') - - delete_sock_files_pattern($1, file_t, file_t) -') - -######################################## -## -## Delete block files on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_isid_type_blk_files',` - gen_require(` - type file_t; - ') - - delete_blk_files_pattern($1, file_t, file_t) -') - -######################################## -## -## Do not audit attempts to write to character -## files that have not yet been labeled. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_write_isid_chr_files',` - gen_require(` - type file_t; - ') - - dontaudit $1 file_t:chr_file write; -') - -######################################## -## -## Delete chr files on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_isid_type_chr_files',` - gen_require(` - type file_t; - ') - - delete_chr_files_pattern($1, file_t, file_t) -') - -######################################## -## -## Create, read, write, and delete files -## on new filesystems that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_isid_type_files',` - gen_require(` - type file_t; - ') - - allow $1 file_t:file manage_file_perms; -') - -######################################## -## -## Create, read, write, and delete symbolic links -## on new filesystems that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_isid_type_symlinks',` - gen_require(` - type file_t; - ') - - allow $1 file_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## -## Read and write block device nodes on new filesystems -## that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_isid_type_blk_files',` - gen_require(` - type file_t; - ') - - allow $1 file_t:blk_file rw_blk_file_perms; -') - -######################################## -## -## Create, read, write, and delete block device nodes -## on new filesystems that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_isid_type_blk_files',` - gen_require(` - type file_t; - ') - - allow $1 file_t:blk_file manage_blk_file_perms; -') - -######################################## -## -## Create, read, write, and delete character device nodes -## on new filesystems that have not yet been labeled. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_isid_type_chr_files',` - gen_require(` - type file_t; - ') - - allow $1 file_t:chr_file manage_chr_file_perms; -') - -######################################## -## -## Get the attributes of the home directories root -## (/home). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_home_dir',` - gen_require(` - type home_root_t; - ') - - allow $1 home_root_t:dir getattr; - allow $1 home_root_t:lnk_file getattr; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of the home directories root -## (/home). -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_home_dir',` - gen_require(` - type home_root_t; - ') - - dontaudit $1 home_root_t:dir getattr; - dontaudit $1 home_root_t:lnk_file getattr; -') - -######################################## -## -## Search home directories root (/home). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_home',` - gen_require(` - type home_root_t; - ') - - allow $1 home_root_t:dir search_dir_perms; - allow $1 home_root_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Do not audit attempts to search -## home directories root (/home). -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_home',` - gen_require(` - type home_root_t; - ') - - dontaudit $1 home_root_t:dir search_dir_perms; - dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Do not audit attempts to list -## home directories root (/home). -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_list_home',` - gen_require(` - type home_root_t; - ') - - dontaudit $1 home_root_t:dir list_dir_perms; - dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Get listing of home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_home',` - gen_require(` - type home_root_t; - ') - - allow $1 home_root_t:dir list_dir_perms; - allow $1 home_root_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Relabel to user home root (/home). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabelto_home',` - gen_require(` - type home_root_t; - ') - - allow $1 home_root_t:dir relabelto; -') - -######################################## -## -## Create objects in /home. -## -## -## -## Domain allowed access. -## -## -## -## -## The private type. -## -## -## -## -## The class of the object being created. -## -## -# -interface(`files_home_filetrans',` - gen_require(` - type home_root_t; - ') - - filetrans_pattern($1, home_root_t, $2, $3) -') - -######################################## -## -## Get the attributes of lost+found directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_lost_found_dirs',` - gen_require(` - type lost_found_t; - ') - - allow $1 lost_found_t:dir getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes of -## lost+found directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_lost_found_dirs',` - gen_require(` - type lost_found_t; - ') - - dontaudit $1 lost_found_t:dir getattr; -') - -######################################## -## -## Create, read, write, and delete objects in -## lost+found directories. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_lost_found',` - gen_require(` - type lost_found_t; - ') - - manage_dirs_pattern($1, lost_found_t, lost_found_t) - manage_files_pattern($1, lost_found_t, lost_found_t) - manage_lnk_files_pattern($1, lost_found_t, lost_found_t) - manage_fifo_files_pattern($1, lost_found_t, lost_found_t) - manage_sock_files_pattern($1, lost_found_t, lost_found_t) -') - -######################################## -## -## Search the contents of /mnt. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_mnt',` - gen_require(` - type mnt_t; - ') - - allow $1 mnt_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to search /mnt. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_mnt',` - gen_require(` - type mnt_t; - ') - - dontaudit $1 mnt_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of /mnt. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_mnt',` - gen_require(` - type mnt_t; - ') - - allow $1 mnt_t:dir list_dir_perms; -') - -###################################### -## -## dontaudit List the contents of /mnt. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_dontaudit_list_mnt',` - gen_require(` - type mnt_t; - ') - - dontaudit $1 mnt_t:dir list_dir_perms; -') - -######################################## -## -## Mount a filesystem on /mnt. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_mounton_mnt',` - gen_require(` - type mnt_t; - ') - - allow $1 mnt_t:dir { search_dir_perms mounton }; -') - -######################################## -## -## Create, read, write, and delete directories in /mnt. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_mnt_dirs',` - gen_require(` - type mnt_t; - ') - - allow $1 mnt_t:dir manage_dir_perms; -') - -######################################## -## -## Create, read, write, and delete files in /mnt. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_mnt_files',` - gen_require(` - type mnt_t; - ') - - manage_files_pattern($1, mnt_t, mnt_t) -') - -######################################## -## -## read files in /mnt. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_mnt_files',` - gen_require(` - type mnt_t; - ') - - read_files_pattern($1, mnt_t, mnt_t) -') - -###################################### -## -## Read symbolic links in /mnt. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_mnt_symlinks',` - gen_require(` - type mnt_t; - ') - - read_lnk_files_pattern($1, mnt_t, mnt_t) -') - -######################################## -## -## Create, read, write, and delete symbolic links in /mnt. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_mnt_symlinks',` - gen_require(` - type mnt_t; - ') - - manage_lnk_files_pattern($1, mnt_t, mnt_t) -') - -######################################## -## -## Search the contents of the kernel module directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir search_dir_perms; - read_lnk_files_pattern($1, modules_object_t, modules_object_t) -') - -######################################## -## -## List the contents of the kernel module directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir list_dir_perms; -') - -######################################## -## -## Get the attributes of kernel module files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - getattr_files_pattern($1, modules_object_t, modules_object_t) -') - -######################################## -## -## Read kernel module files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir list_dir_perms; - read_files_pattern($1, modules_object_t, modules_object_t) - read_lnk_files_pattern($1, modules_object_t, modules_object_t) -') - -######################################## -## -## Write kernel module files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_write_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir list_dir_perms; - write_files_pattern($1, modules_object_t, modules_object_t) -') - -######################################## -## -## Delete kernel module files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - delete_files_pattern($1, modules_object_t, modules_object_t) -') - -######################################## -## -## Create, read, write, and delete -## kernel module files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - manage_files_pattern($1, modules_object_t, modules_object_t) -') - -######################################## -## -## Relabel from and to kernel module files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabel_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - relabel_files_pattern($1, modules_object_t, modules_object_t) - allow $1 modules_object_t:dir list_dir_perms; -') - -######################################## -## -## Create objects in the kernel module directories -## with a private type via an automatic type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`files_kernel_modules_filetrans',` - gen_require(` - type modules_object_t; - ') - - filetrans_pattern($1, modules_object_t, $2, $3) -') - -######################################## -## -## List world-readable directories. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_list_world_readable',` - gen_require(` - type readable_t; - ') - - allow $1 readable_t:dir list_dir_perms; -') - -######################################## -## -## Read world-readable files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_world_readable_files',` - gen_require(` - type readable_t; - ') - - allow $1 readable_t:file read_file_perms; -') - -######################################## -## -## Read world-readable symbolic links. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_world_readable_symlinks',` - gen_require(` - type readable_t; - ') - - allow $1 readable_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Read world-readable named pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_world_readable_pipes',` - gen_require(` - type readable_t; - ') - - allow $1 readable_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Read world-readable sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_world_readable_sockets',` - gen_require(` - type readable_t; - ') - - allow $1 readable_t:sock_file read_sock_file_perms; -') - -####################################### -## -## Read manageable system configuration files in /etc -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_system_conf_files',` - gen_require(` - type etc_t, system_conf_t; - ') - - allow $1 etc_t:dir list_dir_perms; - read_files_pattern($1, etc_t, system_conf_t) - read_lnk_files_pattern($1, etc_t, system_conf_t) -') - -###################################### -## -## Manage manageable system configuration files in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_system_conf_files',` - gen_require(` - type etc_t, system_conf_t; - ') - - manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) -') - -###################################### -## -## Relabel manageable system configuration files in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabelto_system_conf_files',` - gen_require(` - type usr_t; - ') - - relabelto_files_pattern($1, system_conf_t, system_conf_t) -') - -###################################### -## -## Relabel manageable system configuration files in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabelfrom_system_conf_files',` - gen_require(` - type usr_t; - ') - - relabelfrom_files_pattern($1, system_conf_t, system_conf_t) -') - -################################### -## -## Create files in /etc with the type used for -## the manageable system config files. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`files_etc_filetrans_system_conf',` - gen_require(` - type etc_t, system_conf_t; - ') - - filetrans_pattern($1, etc_t, system_conf_t, file) -') - -######################################## -## -## Allow the specified type to associate -## to a filesystem with the type of the -## temporary directory (/tmp). -## -## -## -## Type of the file to associate. -## -## -# -interface(`files_associate_tmp',` - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:filesystem associate; -') - -######################################## -## -## Get the attributes of the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:dir getattr; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_dontaudit_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') - - dontaudit $1 tmp_t:dir getattr; -') - -######################################## -## -## Search the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_tmp',` - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to search the tmp directory (/tmp). -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_tmp',` - gen_require(` - type tmp_t; - ') - - dontaudit $1 tmp_t:dir search_dir_perms; -') - -######################################## -## -## Read the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_tmp',` - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit listing of the tmp directory (/tmp). -## -## -## -## Domain not to audit. -## -## -# -interface(`files_dontaudit_list_tmp',` - gen_require(` - type tmp_t; - ') - - dontaudit $1 tmp_t:dir list_dir_perms; -') - -######################################## -## -## Remove entries from the tmp directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_tmp_dir_entry',` - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:dir del_entry_dir_perms; -') - -######################################## -## -## Read files in the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_generic_tmp_files',` - gen_require(` - type tmp_t; - ') - - read_files_pattern($1, tmp_t, tmp_t) -') - -######################################## -## -## Manage temporary directories in /tmp. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_generic_tmp_dirs',` - gen_require(` - type tmp_t; - ') - - manage_dirs_pattern($1, tmp_t, tmp_t) -') - -######################################## -## -## Allow shared library text relocations in tmp files. -## -## -##

-## Allow shared library text relocations in tmp files. -##

-##

-## This is added to support java policy. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`files_execmod_tmp',` - gen_require(` - attribute tmpfile; - ') - - allow $1 tmpfile:file execmod; -') - -######################################## -## -## Manage temporary files and directories in /tmp. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_generic_tmp_files',` - gen_require(` - type tmp_t; - ') - - manage_files_pattern($1, tmp_t, tmp_t) -') - -######################################## -## -## Read symbolic links in the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_generic_tmp_symlinks',` - gen_require(` - type tmp_t; - ') - - read_lnk_files_pattern($1, tmp_t, tmp_t) -') - -######################################## -## -## Read and write generic named sockets in the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_generic_tmp_sockets',` - gen_require(` - type tmp_t; - ') - - rw_sock_files_pattern($1, tmp_t, tmp_t) -') - -######################################## -## -## Set the attributes of all tmp directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_setattr_all_tmp_dirs',` - gen_require(` - attribute tmpfile; - ') - - allow $1 tmpfile:dir { search_dir_perms setattr }; -') - -######################################## -## -## List all tmp directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_all_tmp',` - gen_require(` - attribute tmpfile; - ') - - allow $1 tmpfile:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all tmp files. -## -## -## -## Domain not to audit. -## -## -# -interface(`files_dontaudit_getattr_all_tmp_files',` - gen_require(` - attribute tmpfile; - ') - - dontaudit $1 tmpfile:file getattr; -') - -######################################## -## -## Allow attempts to get the attributes -## of all tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_all_tmp_files',` - gen_require(` - attribute tmpfile; - ') - - allow $1 tmpfile:file getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all tmp sock_file. -## -## -## -## Domain not to audit. -## -## -# -interface(`files_dontaudit_getattr_all_tmp_sockets',` - gen_require(` - attribute tmpfile; - ') - - dontaudit $1 tmpfile:sock_file getattr; -') - -######################################## -## -## Read all tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_all_tmp_files',` - gen_require(` - attribute tmpfile; - ') - - read_files_pattern($1, tmpfile, tmpfile) -') - -######################################## -## -## Create an object in the tmp directories, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`files_tmp_filetrans',` - gen_require(` - type tmp_t; - ') - - filetrans_pattern($1, tmp_t, $2, $3) -') - -######################################## -## -## Delete the contents of /tmp. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_purge_tmp',` - gen_require(` - attribute tmpfile; - ') - - allow $1 tmpfile:dir list_dir_perms; - delete_dirs_pattern($1, tmpfile, tmpfile) - delete_files_pattern($1, tmpfile, tmpfile) - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) - files_delete_isid_type_dirs($1) - files_delete_isid_type_files($1) - files_delete_isid_type_symlinks($1) - files_delete_isid_type_fifo_files($1) - files_delete_isid_type_sock_files($1) - files_delete_isid_type_blk_files($1) - files_delete_isid_type_chr_files($1) -') - -######################################## -## -## Set the attributes of the /usr directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_setattr_usr_dirs',` - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir setattr; -') - -######################################## -## -## Search the content of /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_usr',` - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of generic -## directories in /usr. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_usr',` - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit write of /usr dirs -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_write_usr_dirs',` - gen_require(` - type usr_t; - ') - - dontaudit $1 usr_t:dir write; -') - -######################################## -## -## Add and remove entries from /usr directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_usr_dirs',` - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir rw_dir_perms; -') - -######################################## -## -## Do not audit attempts to add and remove -## entries from /usr directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_rw_usr_dirs',` - gen_require(` - type usr_t; - ') - - dontaudit $1 usr_t:dir rw_dir_perms; -') - -######################################## -## -## Delete generic directories in /usr in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_usr_dirs',` - gen_require(` - type usr_t; - ') - - delete_dirs_pattern($1, usr_t, usr_t) -') - -######################################## -## -## Delete generic files in /usr in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_usr_files',` - gen_require(` - type usr_t; - ') - - delete_files_pattern($1, usr_t, usr_t) -') - -######################################## -## -## Get the attributes of files in /usr. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_usr_files',` - gen_require(` - type usr_t; - ') - - getattr_files_pattern($1, usr_t, usr_t) -') - -######################################## -## -## Read generic files in /usr. -## -## -##

-## Allow the specified domain to read generic -## files in /usr. These files are various program -## files that do not have more specific SELinux types. -## Some examples of these files are: -##

-##
    -##
  • /usr/include/*
  • -##
  • /usr/share/doc/*
  • -##
  • /usr/share/info/*
  • -##
-##

-## Generally, it is safe for many domains to have -## this access. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_usr_files',` - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir list_dir_perms; - read_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -') - -######################################## -## -## Execute generic programs in /usr in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_exec_usr_files',` - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir list_dir_perms; - exec_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -') - -######################################## -## -## dontaudit write of /usr files -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_write_usr_files',` - gen_require(` - type usr_t; - ') - - dontaudit $1 usr_t:file write; -') - -######################################## -## -## Create, read, write, and delete files in the /usr directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_usr_files',` - gen_require(` - type usr_t; - ') - - manage_files_pattern($1, usr_t, usr_t) -') - -######################################## -## -## Relabel a file to the type used in /usr. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabelto_usr_files',` - gen_require(` - type usr_t; - ') - - relabelto_files_pattern($1, usr_t, usr_t) -') - -######################################## -## -## Relabel a file from the type used in /usr. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_relabelfrom_usr_files',` - gen_require(` - type usr_t; - ') - - relabelfrom_files_pattern($1, usr_t, usr_t) -') - -######################################## -## -## Read symbolic links in /usr. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_usr_symlinks',` - gen_require(` - type usr_t; - ') - - read_lnk_files_pattern($1, usr_t, usr_t) -') - -######################################## -## -## Create objects in the /usr directory -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -# -interface(`files_usr_filetrans',` - gen_require(` - type usr_t; - ') - - filetrans_pattern($1, usr_t, $2, $3) -') - -######################################## -## -## Do not audit attempts to search /usr/src. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_src',` - gen_require(` - type src_t; - ') - - dontaudit $1 src_t:dir search_dir_perms; -') - -######################################## -## -## Get the attributes of files in /usr/src. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_usr_src_files',` - gen_require(` - type usr_t, src_t; - ') - - getattr_files_pattern($1, src_t, src_t) - - # /usr/src/linux symlink: - read_lnk_files_pattern($1, usr_t, src_t) -') - -######################################## -## -## Read files in /usr/src. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_usr_src_files',` - gen_require(` - type usr_t, src_t; - ') - - allow $1 usr_t:dir search_dir_perms; - read_files_pattern($1, { usr_t src_t }, src_t) - read_lnk_files_pattern($1, { usr_t src_t }, src_t) - allow $1 src_t:dir list_dir_perms; -') - -######################################## -## -## Execute programs in /usr/src in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_exec_usr_src_files',` - gen_require(` - type usr_t, src_t; - ') - - list_dirs_pattern($1, usr_t, src_t) - exec_files_pattern($1, src_t, src_t) - read_lnk_files_pattern($1, src_t, src_t) -') - -######################################## -## -## Install a system.map into the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_kernel_symbol_table',` - gen_require(` - type boot_t, system_map_t; - ') - - allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; - allow $1 system_map_t:file { create_file_perms rw_file_perms }; -') - -######################################## -## -## Read system.map in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_kernel_symbol_table',` - gen_require(` - type boot_t, system_map_t; - ') - - allow $1 boot_t:dir list_dir_perms; - read_files_pattern($1, boot_t, system_map_t) -') - -######################################## -## -## Delete a system.map in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_kernel_symbol_table',` - gen_require(` - type boot_t, system_map_t; - ') - - allow $1 boot_t:dir list_dir_perms; - delete_files_pattern($1, boot_t, system_map_t) -') - -######################################## -## -## Search the contents of /var. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_var',` - gen_require(` - type var_t; - ') - - allow $1 var_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to write to /var. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_write_var_dirs',` - gen_require(` - type var_t; - ') - - dontaudit $1 var_t:dir write; -') - -######################################## -## -## Allow attempts to write to /var.dirs -## -## -## -## Domain allowed access. -## -## -# -interface(`files_write_var_dirs',` - gen_require(` - type var_t; - ') - - allow $1 var_t:dir write; -') - -######################################## -## -## Do not audit attempts to search -## the contents of /var. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_var',` - gen_require(` - type var_t; - ') - - dontaudit $1 var_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of /var. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_var',` - gen_require(` - type var_t; - ') - - allow $1 var_t:dir list_dir_perms; -') - -######################################## -## -## Create, read, write, and delete directories -## in the /var directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_var_dirs',` - gen_require(` - type var_t; - ') - - allow $1 var_t:dir manage_dir_perms; -') - -######################################## -## -## Read files in the /var directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_var_files',` - gen_require(` - type var_t; - ') - - read_files_pattern($1, var_t, var_t) -') - -######################################## -## -## Append files in the /var directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_append_var_files',` - gen_require(` - type var_t; - ') - - append_files_pattern($1, var_t, var_t) -') - -######################################## -## -## Read and write files in the /var directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_var_files',` - gen_require(` - type var_t; - ') - - rw_files_pattern($1, var_t, var_t) -') - -######################################## -## -## Do not audit attempts to read and write -## files in the /var directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_rw_var_files',` - gen_require(` - type var_t; - ') - - dontaudit $1 var_t:file rw_file_perms; -') - -######################################## -## -## Create, read, write, and delete files in the /var directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_var_files',` - gen_require(` - type var_t; - ') - - manage_files_pattern($1, var_t, var_t) -') - -######################################## -## -## Read symbolic links in the /var directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_var_symlinks',` - gen_require(` - type var_t; - ') - - read_lnk_files_pattern($1, var_t, var_t) -') - -######################################## -## -## Create, read, write, and delete symbolic -## links in the /var directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_var_symlinks',` - gen_require(` - type var_t; - ') - - manage_lnk_files_pattern($1, var_t, var_t) -') - -######################################## -## -## Create objects in the /var directory -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -# -interface(`files_var_filetrans',` - gen_require(` - type var_t; - ') - - filetrans_pattern($1, var_t, $2, $3) -') - -######################################## -## -## Get the attributes of the /var/lib directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_var_lib_dirs',` - gen_require(` - type var_t, var_lib_t; - ') - - getattr_dirs_pattern($1, var_t, var_lib_t) -') - -######################################## -## -## Search the /var/lib directory. -## -## -##

-## Search the /var/lib directory. This is -## necessary to access files or directories under -## /var/lib that have a private type. For example, a -## domain accessing a private library file in the -## /var/lib directory: -##

-##

-## allow mydomain_t mylibfile_t:file read_file_perms; -## files_search_var_lib(mydomain_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`files_search_var_lib',` - gen_require(` - type var_t, var_lib_t; - ') - - search_dirs_pattern($1, var_t, var_lib_t) -') - -######################################## -## -## Do not audit attempts to search the -## contents of /var/lib. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`files_dontaudit_search_var_lib',` - gen_require(` - type var_lib_t; - ') - - dontaudit $1 var_lib_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of the /var/lib directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_var_lib',` - gen_require(` - type var_t, var_lib_t; - ') - - list_dirs_pattern($1, var_t, var_lib_t) -') - -########################################### -## -## Read-write /var/lib directories -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_var_lib_dirs',` - gen_require(` - type var_lib_t; - ') - - rw_dirs_pattern($1, var_lib_t, var_lib_t) -') - -######################################## -## -## Create objects in the /var/lib directory -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -# -interface(`files_var_lib_filetrans',` - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_lib_t, $2, $3) -') - -######################################## -## -## Read generic files in /var/lib. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_var_lib_files',` - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_lib_t:dir list_dir_perms; - read_files_pattern($1, { var_t var_lib_t }, var_lib_t) -') - -######################################## -## -## Read generic symbolic links in /var/lib -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_var_lib_symlinks',` - gen_require(` - type var_t, var_lib_t; - ') - - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) -') - -# cjp: the next two interfaces really need to be fixed -# in some way. They really neeed their own types. - -######################################## -## -## Create, read, write, and delete the -## pseudorandom number generator seed. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_urandom_seed',` - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) -') - -######################################## -## -## Allow domain to manage mount tables -## necessary for rpcd, nfsd, etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_mounttab',` - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) -') - -######################################## -## -## List generic lock directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_locks',` - gen_require(` - type var_t, var_lock_t; - ') - - list_dirs_pattern($1, var_t, var_lock_t) -') - -######################################## -## -## Search the locks directory (/var/lock). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_locks',` - gen_require(` - type var_t, var_lock_t; - ') - - search_dirs_pattern($1, var_t, var_lock_t) -') - -######################################## -## -## Do not audit attempts to search the -## locks directory (/var/lock). -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_locks',` - gen_require(` - type var_lock_t; - ') - - dontaudit $1 var_lock_t:dir search_dir_perms; -') - -######################################## -## -## Add and remove entries in the /var/lock -## directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_lock_dirs',` - gen_require(` - type var_t, var_lock_t; - ') - - rw_dirs_pattern($1, var_t, var_lock_t) -') - -######################################## -## -## Get the attributes of generic lock files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_getattr_generic_locks',` - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:dir list_dir_perms; - getattr_files_pattern($1, var_lock_t, var_lock_t) -') - -######################################## -## -## Delete generic lock files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_generic_locks',` - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - delete_files_pattern($1, var_lock_t, var_lock_t) -') - -######################################## -## -## Create, read, write, and delete generic -## lock files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_generic_locks',` - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lock_t, var_lock_t) -') - -######################################## -## -## Delete all lock files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_delete_all_locks',` - gen_require(` - attribute lockfile; - type var_t; - ') - - allow $1 var_t:dir search_dir_perms; - delete_files_pattern($1, lockfile, lockfile) -') - -######################################## -## -## Read all lock files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_all_locks',` - gen_require(` - attribute lockfile; - type var_t, var_lock_t; - ') - - allow $1 { var_t var_lock_t }:dir search_dir_perms; - allow $1 lockfile:dir list_dir_perms; - read_files_pattern($1, lockfile, lockfile) - read_lnk_files_pattern($1, lockfile, lockfile) -') - -######################################## -## -## manage all lock files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_all_locks',` - gen_require(` - attribute lockfile; - type var_t, var_lock_t; - ') - - allow $1 { var_t var_lock_t }:dir search_dir_perms; - manage_dirs_pattern($1, lockfile, lockfile) - manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) -') - -######################################## -## -## Create an object in the locks directory, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`files_lock_filetrans',` - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_lock_t, $2, $3) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of the /var/run directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_pid_dirs',` - gen_require(` - type var_run_t; - ') - - dontaudit $1 var_run_t:dir getattr; -') - -######################################## -## -## Set the attributes of the /var/run directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_setattr_pid_dirs',` - gen_require(` - type var_run_t; - ') - - allow $1 var_run_t:dir setattr; -') - -######################################## -## -## Search the contents of runtime process -## ID directories (/var/run). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_pids',` - gen_require(` - type var_t, var_run_t; - ') - - search_dirs_pattern($1, var_t, var_run_t) -') - -###################################### -## -## Add and remove entries from pid directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_pid_dirs',` - gen_require(` - type var_run_t; - ') - - allow $1 var_run_t:dir rw_dir_perms; -') - -####################################### -## -## Create generic pid directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_var_run_dirs',` - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:dir create_dir_perms; -') - -######################################## -## -## Do not audit attempts to search -## the /var/run directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_pids',` - gen_require(` - type var_run_t; - ') - - dontaudit $1 var_run_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of the runtime process -## ID directories (/var/run). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_pids',` - gen_require(` - type var_t, var_run_t; - ') - - list_dirs_pattern($1, var_t, var_run_t) -') - -######################################## -## -## Read generic process ID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_generic_pids',` - gen_require(` - type var_t, var_run_t; - ') - - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) -') - -######################################## -## -## Write named generic process ID pipes -## -## -## -## Domain allowed access. -## -## -# -interface(`files_write_generic_pid_pipes',` - gen_require(` - type var_run_t; - ') - - allow $1 var_run_t:fifo_file write; -') - -######################################## -## -## Create an object in the process ID directory, with a private type. -## -## -##

-## Create an object in the process ID directory (e.g., /var/run) -## with a private type. Typically this is used for creating -## private PID files in /var/run with the private type instead -## of the general PID file type. To accomplish this goal, -## either the program must be SELinux-aware, or use this interface. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_pid_file()
  • -##
-##

-## Example usage with a domain that can create and -## write its PID file with a private PID file type in the -## /var/run directory: -##

-##

-## type mypidfile_t; -## files_pid_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -## files_pid_filetrans(mydomain_t, mypidfile_t, file) -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -# -interface(`files_pid_filetrans',` - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_run_t, $2, $3) -') - -######################################## -## -## Read and write generic process ID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_rw_generic_pids',` - gen_require(` - type var_t, var_run_t; - ') - - list_dirs_pattern($1, var_t, var_run_t) - rw_files_pattern($1, var_run_t, var_run_t) -') - -######################################## -## -## Do not audit attempts to get the attributes of -## daemon runtime data files. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_all_pids',` - gen_require(` - attribute pidfile; - ') - - dontaudit $1 pidfile:file getattr; -') - -######################################## -## -## Do not audit attempts to write to daemon runtime data files. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_write_all_pids',` - gen_require(` - attribute pidfile; - ') - - dontaudit $1 pidfile:file write; -') - -######################################## -## -## Do not audit attempts to ioctl daemon runtime data files. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_ioctl_all_pids',` - gen_require(` - attribute pidfile; - ') - - dontaudit $1 pidfile:file ioctl; -') - -######################################## -## -## manage all pidfile directories -## in the /var/run directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_all_pids_dirs',` - gen_require(` - attribute pidfile; - ') - - manage_dirs_pattern($1,pidfile,pidfile) -') - - -######################################## -## -## Read all process ID files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_read_all_pids',` - gen_require(` - attribute pidfile; - type var_t; - ') - - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) - read_lnk_files_pattern($1, pidfile, pidfile) -') - -######################################## -## -## Mount filesystems on all polyinstantiation -## member directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_mounton_all_poly_members',` - gen_require(` - attribute polymember; - ') - - allow $1 polymember:dir mounton; -') - -######################################## -## -## Delete all process IDs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_delete_all_pids',` - gen_require(` - attribute pidfile; - type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) - delete_fifo_files_pattern($1, pidfile, pidfile) - delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) -') - -######################################## -## -## Delete all process ID directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_delete_all_pid_dirs',` - gen_require(` - attribute pidfile; - type var_t; - ') - - allow $1 var_t:dir search_dir_perms; - delete_dirs_pattern($1, pidfile, pidfile) -') - -######################################## -## -## Search the contents of generic spool -## directories (/var/spool). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_search_spool',` - gen_require(` - type var_t, var_spool_t; - ') - - search_dirs_pattern($1, var_t, var_spool_t) -') - -######################################## -## -## Do not audit attempts to search generic -## spool directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_search_spool',` - gen_require(` - type var_spool_t; - ') - - dontaudit $1 var_spool_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of generic spool -## (/var/spool) directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_list_spool',` - gen_require(` - type var_t, var_spool_t; - ') - - list_dirs_pattern($1, var_t, var_spool_t) -') - -######################################## -## -## Create, read, write, and delete generic -## spool directories (/var/spool). -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_generic_spool_dirs',` - gen_require(` - type var_t, var_spool_t; - ') - - allow $1 var_t:dir search_dir_perms; - manage_dirs_pattern($1, var_spool_t, var_spool_t) -') - -######################################## -## -## Read generic spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_read_generic_spool',` - gen_require(` - type var_t, var_spool_t; - ') - - list_dirs_pattern($1, var_t, var_spool_t) - read_files_pattern($1, var_spool_t, var_spool_t) -') - -######################################## -## -## Create, read, write, and delete generic -## spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_generic_spool',` - gen_require(` - type var_t, var_spool_t; - ') - - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_spool_t, var_spool_t) -') - -######################################## -## -## Create objects in the spool directory -## with a private type with a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## Type to which the created node will be transitioned. -## -## -## -## -## Object class(es) (single or set including {}) for which this -## the transition will occur. -## -## -# -interface(`files_spool_filetrans',` - gen_require(` - type var_t, var_spool_t; - ') - - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_spool_t, $2, $3) -') - -######################################## -## -## Allow access to manage all polyinstantiated -## directories on the system. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_polyinstantiate_all',` - gen_require(` - attribute polydir, polymember, polyparent; - type poly_t; - ') - - # Need to give access to /selinux/member - selinux_compute_member($1) - - # Need sys_admin capability for mounting - allow $1 self:capability { chown fsetid sys_admin fowner }; - - # Need to give access to the directories to be polyinstantiated - allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; - - # Need to give access to the polyinstantiated subdirectories - allow $1 polymember:dir search_dir_perms; - - # Need to give access to parent directories where original - # is remounted for polyinstantiation aware programs (like gdm) - allow $1 polyparent:dir { getattr mounton }; - - # Need to give permission to create directories where applicable - allow $1 self:process setfscreate; - allow $1 polymember: dir { create setattr relabelto }; - allow $1 polydir: dir { write add_name open }; - allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; - - # Default type for mountpoints - allow $1 poly_t:dir { create mounton }; - fs_unmount_xattr_fs($1) - - fs_mount_tmpfs($1) - fs_unmount_tmpfs($1) - - ifdef(`distro_redhat',` - # namespace.init - files_search_tmp($1) - files_search_home($1) - corecmd_exec_bin($1) - seutil_domtrans_setfiles($1) - ') -') - -######################################## -## -## Unconfined access to files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_unconfined',` - gen_require(` - attribute files_unconfined_type; - ') - - typeattribute $1 files_unconfined_type; -') - -######################################## -## -## Create a core files in / -## -## -##

-## Create a core file in /, -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_root_files',` - gen_require(` - type root_t; - ') - - manage_files_pattern($1, root_t, root_t) -') - -######################################## -## -## Create a default directory -## -## -##

-## Create a default_t direcrory -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`files_create_default_dir',` - gen_require(` - type default_t; - ') - - allow $1 default_t:dir create; -') - -######################################## -## -## Create, default_t objects with an automatic -## type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object being created. -## -## -# -interface(`files_root_filetrans_default',` - gen_require(` - type root_t, default_t; - ') - - filetrans_pattern($1, root_t, default_t, $2) -') - -######################################## -## -## manage generic symbolic links -## in the /var/run directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_generic_pids_symlinks',` - gen_require(` - type var_run_t; - ') - - manage_lnk_files_pattern($1,var_run_t,var_run_t) -') - -######################################## -## -## Do not audit attempts to getattr -## all tmpfs files. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_getattr_tmpfs_files',` - gen_require(` - attribute tmpfsfile; - ') - - allow $1 tmpfsfile:file getattr; -') - -######################################## -## -## Allow read write all tmpfs files -## -## -## -## Domain to not audit. -## -## -# -interface(`files_rw_tmpfs_files',` - gen_require(` - attribute tmpfsfile; - ') - - allow $1 tmpfsfile:file { read write }; -') - -######################################## -## -## Do not audit attempts to read security files -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_read_security_files',` - gen_require(` - attribute security_file_type; - ') - - dontaudit $1 security_file_type:file read_file_perms; -') - -######################################## -## -## rw any files inherited from another process -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_rw_all_inherited_files',` - gen_require(` - attribute file_type; - ') - - allow $1 { file_type $2 }:file rw_inherited_file_perms; - allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; - allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; - allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; -') - -######################################## -## -## Allow any file point to be the entrypoint of this domain -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_entrypoint_all_files',` - gen_require(` - attribute file_type; - ') - allow $1 file_type:file entrypoint; -') - -######################################## -## -## Do not audit attempts to rw inherited file perms -## of non security files. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_all_non_security_leaks',` - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; -') - -######################################## -## -## Do not audit attempts to read or write -## all leaked files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_dontaudit_leaks',` - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:file rw_inherited_file_perms; - dontaudit $1 file_type:lnk_file { read }; -') - -######################################## -## -## Allow domain to create_file_ass all types -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_as_is_all_files',` - gen_require(` - attribute file_type; - class kernel_service create_files_as; - ') - - allow $1 file_type:kernel_service create_files_as; -') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te deleted file mode 100644 index 12e9ecf..0000000 --- a/policy/modules/kernel/files.te +++ /dev/null @@ -1,238 +0,0 @@ -policy_module(files, 1.13.1) - -######################################## -# -# Declarations -# - -attribute file_type; -attribute files_unconfined_type; -attribute lockfile; -attribute mountpoint; -attribute pidfile; -attribute configfile; -attribute etcfile; - -# For labeling types that are to be polyinstantiated -attribute polydir; - -# And for labeling the parent directories of those polyinstantiated directories -# This is necessary for remounting the original in the parent to give -# security aware apps access -attribute polyparent; - -# And labeling for the member directories -attribute polymember; - -# sensitive security files whose accesses should -# not be dontaudited for uses -attribute security_file_type; -# and its opposite -attribute non_security_file_type; - -attribute tmpfile; -attribute tmpfsfile; - -# this attribute is not currently used and will be removed in the future. -# unfortunately, this attribute can not be removed yet because it may cause -# some policies to fail to link if it is still required. -attribute usercanread; - -# -# boot_t is the type for files in /boot -# -type boot_t; -files_mountpoint(boot_t) - -# default_t is the default type for files that do not -# match any specification in the file_contexts configuration -# other than the generic /.* specification. -type default_t; -files_mountpoint(default_t) - -# -# etc_t is the type of the system etc directories. -# -type etc_t, configfile; -files_type(etc_t) -# compatibility aliases for removed types: -typealias etc_t alias automount_etc_t; -typealias etc_t alias snmpd_etc_t; - -# system_conf_t is a new type of various -# files in /etc/ that can be managed and -# created by several domains. -# -type system_conf_t, configfile; -files_type(system_conf_t) -# compatibility aliases for removed type: -typealias system_conf_t alias iptables_conf_t; - -# -# etc_runtime_t is the type of various -# files in /etc that are automatically -# generated during initialization. -# -type etc_runtime_t, configfile; -files_type(etc_runtime_t) -#Temporarily in policy until FC5 dissappears -typealias etc_runtime_t alias firstboot_rw_t; - -# -# file_t is the default type of a file that has not yet been -# assigned an extended attribute (EA) value (when using a filesystem -# that supports EAs). -# -type file_t; -files_mountpoint(file_t) -kernel_rootfs_mountpoint(file_t) -sid file gen_context(system_u:object_r:file_t,s0) - -# -# home_root_t is the type for the directory where user home directories -# are created -# -type home_root_t; -files_mountpoint(home_root_t) -files_poly_parent(home_root_t) - -# -# lost_found_t is the type for the lost+found directories. -# -type lost_found_t; -files_type(lost_found_t) - -# -# mnt_t is the type for mount points such as /mnt/cdrom -# -type mnt_t; -files_mountpoint(mnt_t) - -# -# modules_object_t is the type for kernel modules -# -type modules_object_t; -files_type(modules_object_t) - -type no_access_t; -files_type(no_access_t) - -type poly_t; -files_type(poly_t) - -type readable_t; -files_type(readable_t) - -# -# root_t is the type for rootfs and the root directory. -# -type root_t; -files_mountpoint(root_t) -files_poly_parent(root_t) -kernel_rootfs_mountpoint(root_t) -genfscon rootfs / gen_context(system_u:object_r:root_t,s0) - -# -# src_t is the type of files in the system src directories. -# -type src_t; -files_mountpoint(src_t) - -# -# system_map_t is for the system.map files in /boot -# -type system_map_t; -files_type(system_map_t) -genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) - -# -# tmp_t is the type of the temporary directories -# -type tmp_t; -files_tmp_file(tmp_t) -files_mountpoint(tmp_t) -files_poly(tmp_t) -files_poly_parent(tmp_t) - -# -# usr_t is the type for /usr. -# -type usr_t; -files_mountpoint(usr_t) - -# -# var_t is the type of /var -# -type var_t; -files_mountpoint(var_t) - -# -# var_lib_t is the type of /var/lib -# -type var_lib_t; -files_mountpoint(var_lib_t) - -# -# var_lock_t is tye type of /var/lock -# -type var_lock_t; -files_lock_file(var_lock_t) - -# -# var_run_t is the type of /var/run, usually -# used for pid and other runtime files. -# -type var_run_t; -files_pid_file(var_run_t) -files_mountpoint(var_run_t) - -# -# var_spool_t is the type of /var/spool -# -type var_spool_t; -files_tmp_file(var_spool_t) - -######################################## -# -# Rules for all file types -# - -allow file_type self:filesystem associate; - -fs_associate(file_type) -fs_associate_noxattr(file_type) -fs_associate_tmpfs(file_type) -fs_associate_ramfs(file_type) -fs_associate_hugetlbfs(file_type) - -######################################## -# -# Rules for all tmp file types -# - -allow file_type tmp_t:filesystem associate; - -fs_associate_tmpfs(tmpfile) - -######################################## -# -# Rules for all tmpfs file types -# - -fs_associate_tmpfs(tmpfsfile) - -######################################## -# -# Unconfined access to this module -# - -# Create/access any file in a labeled filesystem; -allow files_unconfined_type file_type:{ file chr_file } ~execmod; -allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; - -# Mount/unmount any filesystem with the context= option. -allow files_unconfined_type file_type:filesystem *; - -tunable_policy(`allow_execmod',` - allow files_unconfined_type file_type:file execmod; -') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc deleted file mode 100644 index 16f0f9e..0000000 --- a/policy/modules/kernel/filesystem.fc +++ /dev/null @@ -1,11 +0,0 @@ -/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -/dev/shm/.* <> - -/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -/cgroup/.* <> - -/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -/sys/fs/cgroup(/.*)? <> - -/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) -/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if deleted file mode 100644 index 51d47a0..0000000 --- a/policy/modules/kernel/filesystem.if +++ /dev/null @@ -1,4858 +0,0 @@ -## Policy for filesystems. -## -## Contains the initial SID for the filesystems. -## - -######################################## -## -## Transform specified type into a filesystem type. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_type',` - gen_require(` - attribute filesystem_type; - ') - - typeattribute $1 filesystem_type; -') - -######################################## -## -## Transform specified type into a filesystem -## type which does not have extended attribute -## support. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_noxattr_type',` - gen_require(` - attribute noxattrfs; - ') - - fs_type($1) - - typeattribute $1 noxattrfs; -') - -######################################## -## -## Associate the specified file type to persistent -## filesystems with extended attributes. This -## allows a file of this type to be created on -## a filesystem such as ext3, JFS, and XFS. -## -## -## -## The type of the to be associated. -## -## -# -interface(`fs_associate',` - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem associate; -') - -######################################## -## -## Associate the specified file type to -## filesystems which lack extended attributes -## support. This allows a file of this type -## to be created on a filesystem such as -## FAT32, and NFS. -## -## -## -## The type of the to be associated. -## -## -# -interface(`fs_associate_noxattr',` - gen_require(` - attribute noxattrfs; - ') - - allow $1 noxattrfs:filesystem associate; -') - -######################################## -## -## Execute files on a filesystem that does -## not support extended attributes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_exec_noxattr',` - gen_require(` - attribute noxattrfs; - ') - - can_exec($1, noxattrfs) -') - -######################################## -## -## Mount a persistent filesystem which -## has extended attributes, such as -## ext3, JFS, or XFS. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_xattr_fs',` - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem mount; -') - -######################################## -## -## Remount a persistent filesystem which -## has extended attributes, such as -## ext3, JFS, or XFS. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_xattr_fs',` - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem remount; -') - -######################################## -## -## Unmount a persistent filesystem which -## has extended attributes, such as -## ext3, JFS, or XFS. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_xattr_fs',` - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of persistent -## filesystems which have extended -## attributes, such as ext3, JFS, or XFS. -## -## -##

-## Allow the specified domain to -## get the attributes of a persistent -## filesystems which have extended -## attributes, such as ext3, JFS, or XFS. -## Example attributes: -##

-##
    -##
  • Type of the file system (e.g., ext3)
  • -##
  • Size of the file system
  • -##
  • Available space on the file system
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -## -# -interface(`fs_getattr_xattr_fs',` - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem getattr; -') - -######################################## -## -## Do not audit attempts to -## get the attributes of a persistent -## filesystem which has extended -## attributes, such as ext3, JFS, or XFS. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_getattr_xattr_fs',` - gen_require(` - type fs_t; - ') - - dontaudit $1 fs_t:filesystem getattr; -') - -######################################## -## -## Allow changing of the label of a -## filesystem with extended attributes -## using the context= mount option. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_relabelfrom_xattr_fs',` - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem relabelfrom; -') - -######################################## -## -## Get the filesystem quotas of a filesystem -## with extended attributes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_get_xattr_fs_quotas',` - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem quotaget; -') - -######################################## -## -## Set the filesystem quotas of a filesystem -## with extended attributes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_set_xattr_fs_quotas',` - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem quotamod; -') - -######################################## -## -## Read files on anon_inodefs file systems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_anon_inodefs_files',` - gen_require(` - type anon_inodefs_t; - - ') - - read_files_pattern($1, anon_inodefs_t, anon_inodefs_t) -') - -######################################## -## -## Read and write files on anon_inodefs -## file systems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_anon_inodefs_files',` - gen_require(` - type anon_inodefs_t; - - ') - - rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t) -') - -######################################## -## -## Do not audit attempts to read or write files on -## anon_inodefs file systems. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_rw_anon_inodefs_files',` - gen_require(` - type anon_inodefs_t; - - ') - - dontaudit $1 anon_inodefs_t:file rw_file_perms; -') - -######################################## -## -## Mount an automount pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_autofs',` - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:filesystem mount; -') - -######################################## -## -## Remount an automount pseudo filesystem -## This allows some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_autofs',` - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:filesystem remount; -') - -######################################## -## -## Unmount an automount pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_autofs',` - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of an automount -## pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_autofs',` - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:filesystem getattr; -') - -######################################## -## -## Search automount filesystem to use automatically -## mounted filesystems. -## -## -## Allow the specified domain to search mount points -## that have filesystems that are mounted by -## the automount service. Generally this will -## be required for any domain that accesses objects -## on these filesystems. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_search_auto_mountpoints',` - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:dir search_dir_perms; -') - -######################################## -## -## Read directories of automatically -## mounted filesystems. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_list_auto_mountpoints',` - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to list directories of automatically -## mounted filesystems. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_list_auto_mountpoints',` - gen_require(` - type autofs_t; - ') - - dontaudit $1 autofs_t:dir list_dir_perms; -') - -######################################## -## -## Create, read, write, and delete symbolic links -## on an autofs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_autofs_symlinks',` - gen_require(` - type autofs_t; - ') - - manage_lnk_files_pattern($1, autofs_t, autofs_t) -') - -######################################## -## -## Get the attributes of directories on -## binfmt_misc filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_binfmt_misc_dirs',` - gen_require(` - type binfmt_misc_fs_t; - ') - - allow $1 binfmt_misc_fs_t:dir getattr; - -') - -######################################## -## -## Register an interpreter for new binary -## file types, using the kernel binfmt_misc -## support. -## -## -##

-## Register an interpreter for new binary -## file types, using the kernel binfmt_misc -## support. -##

-##

-## A common use for this is to -## register a JVM as an interpreter for -## Java byte code. Registered binaries -## can be directly executed on a command line -## without specifying the interpreter. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`fs_register_binary_executable_type',` - gen_require(` - type binfmt_misc_fs_t; - ') - - rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t) -') - -######################################## -## -## Mount cgroup filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_cgroup', ` - gen_require(` - type cgroup_t; - ') - - allow $1 cgroup_t:filesystem mount; -') - -######################################## -## -## Remount cgroup filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_cgroup', ` - gen_require(` - type cgroup_t; - ') - - allow $1 cgroup_t:filesystem remount; -') - -######################################## -## -## Unmount cgroup filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_cgroup', ` - gen_require(` - type cgroup_t; - ') - - allow $1 cgroup_t:filesystem unmount; -') - -######################################## -## -## Get attributes of cgroup filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_cgroup',` - gen_require(` - type cgroup_t; - ') - - allow $1 cgroup_t:filesystem getattr; -') - -######################################## -## -## Search cgroup directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_cgroup_dirs',` - gen_require(` - type cgroup_t; - - ') - - search_dirs_pattern($1, cgroup_t, cgroup_t) - fs_search_tmpfs($1) - dev_search_sysfs($1) -') - -######################################## -## -## list cgroup directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_list_cgroup_dirs', ` - gen_require(` - type cgroup_t; - ') - - list_dirs_pattern($1, cgroup_t, cgroup_t) - fs_search_tmpfs($1) - dev_search_sysfs($1) -') - -######################################## -## -## Delete cgroup directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_delete_cgroup_dirs', ` - gen_require(` - type cgroup_t; - ') - - delete_dirs_pattern($1, cgroup_t, cgroup_t) - fs_search_tmpfs($1) - dev_search_sysfs($1) -') - -######################################## -## -## Manage cgroup directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_cgroup_dirs',` - gen_require(` - type cgroup_t; - - ') - - manage_dirs_pattern($1, cgroup_t, cgroup_t) - fs_search_tmpfs($1) - dev_search_sysfs($1) -') - -######################################## -## -## Read cgroup files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_cgroup_files',` - gen_require(` - type cgroup_t; - - ') - - read_files_pattern($1, cgroup_t, cgroup_t) - fs_search_tmpfs($1) - dev_search_sysfs($1) -') - -######################################## -## -## Write cgroup files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_write_cgroup_files', ` - gen_require(` - type cgroup_t; - ') - - write_files_pattern($1, cgroup_t, cgroup_t) - fs_search_tmpfs($1) - dev_search_sysfs($1) -') - -######################################## -## -## Read and write cgroup files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_cgroup_files',` - gen_require(` - type cgroup_t; - - ') - - rw_files_pattern($1, cgroup_t, cgroup_t) - fs_search_tmpfs($1) - dev_search_sysfs($1) -') - -######################################## -## -## Do not audit attempts to open, -## get attributes, read and write -## cgroup files. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_rw_cgroup_files',` - gen_require(` - type cgroup_t; - ') - - dontaudit $1 cgroup_t:file rw_file_perms; -') - -######################################## -## -## Manage cgroup files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_cgroup_files',` - gen_require(` - type cgroup_t; - - ') - - manage_files_pattern($1, cgroup_t, cgroup_t) - fs_search_tmpfs($1) - dev_search_sysfs($1) -') - -######################################## -## -## Mount on cgroup directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mounton_cgroup', ` - gen_require(` - type cgroup_t; - ') - - allow $1 cgroup_t:dir mounton; -') - -######################################## -## -## Do not audit attempts to read -## dirs on a CIFS or SMB filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_list_cifs_dirs',` - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:dir list_dir_perms; -') - -######################################## -## -## Mount a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_cifs',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:filesystem mount; -') - -######################################## -## -## Remount a CIFS or SMB network filesystem. -## This allows some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_cifs',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:filesystem remount; -') - -######################################## -## -## Unmount a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_cifs',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of a CIFS or -## SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_getattr_cifs',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:filesystem getattr; -') - -######################################## -## -## Search directories on a CIFS or SMB filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_cifs',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of directories on a -## CIFS or SMB filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_list_cifs',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to list the contents -## of directories on a CIFS or SMB filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_list_cifs',` - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:dir list_dir_perms; -') - -######################################## -## -## Mounton a CIFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mounton_cifs',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir mounton; -') - -######################################## -## -## Read files on a CIFS or SMB filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_read_cifs_files',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir list_dir_perms; - read_files_pattern($1, cifs_t, cifs_t) -') - -######################################## -## -## Get the attributes of filesystems that -## do not have extended attribute support. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_getattr_noxattr_fs',` - gen_require(` - attribute noxattrfs; - ') - - allow $1 noxattrfs:filesystem getattr; -') - -######################################## -## -## Read all noxattrfs directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_list_noxattr_fs',` - gen_require(` - attribute noxattrfs; - ') - - allow $1 noxattrfs:dir list_dir_perms; -') - -######################################## -## -## Create, read, write, and delete all noxattrfs directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_noxattr_fs_dirs',` - gen_require(` - attribute noxattrfs; - ') - - allow $1 noxattrfs:dir manage_dir_perms; -') - -######################################## -## -## Read all noxattrfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_noxattr_fs_files',` - gen_require(` - attribute noxattrfs; - ') - - read_files_pattern($1, noxattrfs, noxattrfs) -') - -######################################## -## -## Dont audit attempts to write to noxattrfs files. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_write_noxattr_fs_files',` - gen_require(` - attribute noxattrfs; - ') - - dontaudit $1 noxattrfs:file write; -') - -######################################## -## -## Create, read, write, and delete all noxattrfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_noxattr_fs_files',` - gen_require(` - attribute noxattrfs; - ') - - manage_files_pattern($1, noxattrfs, noxattrfs) -') - -######################################## -## -## Read all noxattrfs symbolic links. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_noxattr_fs_symlinks',` - gen_require(` - attribute noxattrfs; - ') - - read_lnk_files_pattern($1, noxattrfs, noxattrfs) -') - -######################################## -## -## Relabel all objets from filesystems that -## do not support extended attributes. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_relabelfrom_noxattr_fs',` - gen_require(` - attribute noxattrfs; - ') - - allow $1 noxattrfs:dir list_dir_perms; - relabelfrom_dirs_pattern($1, noxattrfs, noxattrfs) - relabelfrom_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_lnk_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_fifo_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_sock_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) -') - -######################################## -## -## Do not audit attempts to read -## files on a CIFS or SMB filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_read_cifs_files',` - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:file read_file_perms; -') - -######################################## -## -## Append files -## on a CIFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_append_cifs_files',` - gen_require(` - type cifs_t; - ') - - append_files_pattern($1, cifs_t, cifs_t) -') - -######################################## -## -## dontaudit Append files -## on a CIFS filesystem. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`fs_dontaudit_append_cifs_files',` - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:file append_file_perms; -') - -######################################## -## -## Read inherited files on a CIFS or SMB filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_read_inherited_cifs_files',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:file read_inherited_file_perms; -') - -######################################## -## -## Do not audit attempts to read or -## write files on a CIFS or SMB filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_rw_cifs_files',` - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:file rw_inherited_file_perms; -') - -######################################## -## -## Read symbolic links on a CIFS or SMB filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_cifs_symlinks',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir list_dir_perms; - read_lnk_files_pattern($1, cifs_t, cifs_t) -') - -######################################## -## -## Read named pipes -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_cifs_named_pipes',` - gen_require(` - type cifs_t; - ') - - read_fifo_files_pattern($1, cifs_t, cifs_t) -') - -######################################## -## -## Read named pipes -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_cifs_named_sockets',` - gen_require(` - type cifs_t; - ') - - read_sock_files_pattern($1, cifs_t, cifs_t) -') - -######################################## -## -## Execute files on a CIFS or SMB -## network filesystem, in the caller -## domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_exec_cifs_files',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir list_dir_perms; - exec_files_pattern($1, cifs_t, cifs_t) -') - -######################################## -## -## Create, read, write, and delete directories -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_manage_cifs_dirs',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir manage_dir_perms; -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete directories -## on a CIFS or SMB network filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_manage_cifs_dirs',` - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:dir manage_dir_perms; -') - -######################################## -## -## Create, read, write, and delete files -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_manage_cifs_files',` - gen_require(` - type cifs_t; - ') - - manage_files_pattern($1, cifs_t, cifs_t) -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete files -## on a CIFS or SMB network filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_manage_cifs_files',` - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:file manage_file_perms; -') - -######################################## -## -## Create, read, write, and delete symbolic links -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_cifs_symlinks',` - gen_require(` - type cifs_t; - ') - - manage_lnk_files_pattern($1, cifs_t, cifs_t) -') - -######################################## -## -## Create, read, write, and delete named pipes -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_cifs_named_pipes',` - gen_require(` - type cifs_t; - ') - - manage_fifo_files_pattern($1, cifs_t, cifs_t) -') - -######################################## -## -## Create, read, write, and delete named sockets -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_cifs_named_sockets',` - gen_require(` - type cifs_t; - ') - - manage_sock_files_pattern($1, cifs_t, cifs_t) -') - -######################################## -## -## Execute a file on a CIFS or SMB filesystem -## in the specified domain. -## -## -##

-## Execute a file on a CIFS or SMB filesystem -## in the specified domain. This allows -## the specified domain to execute any file -## on these filesystems in the specified -## domain. This is not suggested. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## home directories on CIFS/SMB filesystems, -## in particular used by the ssh-agent policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# -interface(`fs_cifs_domtrans',` - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir search_dir_perms; - domain_auto_transition_pattern($1, cifs_t, $2) -') - -######################################## -## -## Make general progams in cifs an entrypoint for -## the specified domain. -## -## -## -## The domain for which cifs_t is an entrypoint. -## -## -# -interface(`fs_cifs_entry_type',` - gen_require(` - type cifs_t; - ') - - domain_entry_file($1, cifs_t) -') - -####################################### -## -## Create, read, write, and delete dirs -## on a configfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_configfs_dirs',` - gen_require(` - type configfs_t; - ') - - manage_dirs_pattern($1, configfs_t, configfs_t) -') - -####################################### -## -## Create, read, write, and delete files -## on a configfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_configfs_files',` - gen_require(` - type configfs_t; - ') - - manage_files_pattern($1, configfs_t, configfs_t) -') - -######################################## -## -## Mount a DOS filesystem, such as -## FAT32 or NTFS. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_dos_fs',` - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:filesystem mount; -') - -######################################## -## -## Remount a DOS filesystem, such as -## FAT32 or NTFS. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_dos_fs',` - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:filesystem remount; -') - -######################################## -## -## Unmount a DOS filesystem, such as -## FAT32 or NTFS. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_dos_fs',` - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of a DOS -## filesystem, such as FAT32 or NTFS. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_getattr_dos_fs',` - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:filesystem getattr; -') - -######################################## -## -## Allow changing of the label of a -## DOS filesystem using the context= mount option. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_relabelfrom_dos_fs',` - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:filesystem relabelfrom; -') - -######################################## -## -## Search dosfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_dos',` - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:dir search_dir_perms; -') - -######################################## -## -## Create, read, write, and delete dirs -## on a DOS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_dos_dirs',` - gen_require(` - type dosfs_t; - ') - - manage_dirs_pattern($1, dosfs_t, dosfs_t) -') - -######################################## -## -## Read files on a DOS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_dos_files',` - gen_require(` - type dosfs_t; - ') - - read_files_pattern($1, dosfs_t, dosfs_t) -') - -######################################## -## -## Create, read, write, and delete files -## on a DOS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_dos_files',` - gen_require(` - type dosfs_t; - ') - - manage_files_pattern($1, dosfs_t, dosfs_t) -') - -######################################## -## -## Read eventpollfs files. -## -## -##

-## Read eventpollfs files -##

-##

-## This interface has been deprecated, and will -## be removed in the future. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`fs_read_eventpollfs',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Mount a FUSE filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_fusefs',` - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:filesystem mount; -') - -######################################## -## -## Unmount a FUSE filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_fusefs',` - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:filesystem unmount; -') - -######################################## -## -## Search directories -## on a FUSEFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_search_fusefs',` - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to list the contents -## of directories on a FUSEFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_list_fusefs',` - gen_require(` - type fusefs_t; - ') - - dontaudit $1 fusefs_t:dir list_dir_perms; -') - -######################################## -## -## Create, read, write, and delete directories -## on a FUSEFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_manage_fusefs_dirs',` - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:dir manage_dir_perms; -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete directories -## on a FUSEFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_manage_fusefs_dirs',` - gen_require(` - type fusefs_t; - ') - - dontaudit $1 fusefs_t:dir manage_dir_perms; -') - -######################################## -## -## Read, a FUSEFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_read_fusefs_files',` - gen_require(` - type fusefs_t; - ') - - read_files_pattern($1, fusefs_t, fusefs_t) -') - -######################################## -## -## Create, read, write, and delete files -## on a FUSEFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_manage_fusefs_files',` - gen_require(` - type fusefs_t; - ') - - manage_files_pattern($1, fusefs_t, fusefs_t) -') - -######################################## -## -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_manage_fusefs_files',` - gen_require(` - type fusefs_t; - ') - - dontaudit $1 fusefs_t:file manage_file_perms; -') - -######################################## -## -## Read symbolic links on a FUSEFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_fusefs_symlinks',` - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -') - -######################################## -## -## Get the attributes of an hugetlbfs -## filesystem; -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_hugetlbfs',` - gen_require(` - type hugetlbfs_t; - ') - - allow $1 hugetlbfs_t:filesystem getattr; -') - -######################################## -## -## R/W hugetlbfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_hugetlbfs_files',` - gen_require(` - type hugetlbfs_t; - ') - - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -') -######################################## -## -## Manage hugetlbfs dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_hugetlbfs_dirs',` - gen_require(` - type hugetlbfs_t; - ') - - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -') - -######################################## -## -## List hugetlbfs dirs -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_list_hugetlbfs',` - gen_require(` - type hugetlbfs_t; - ') - - allow $1 hugetlbfs_t:dir list_dir_perms; -') - -######################################## -## -## Allow the type to associate to hugetlbfs filesystems. -## -## -## -## The type of the object to be associated. -## -## -# -interface(`fs_associate_hugetlbfs',` - gen_require(` - type hugetlbfs_t; - ') - - allow $1 hugetlbfs_t:filesystem associate; -') - -######################################## -## -## Search inotifyfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_inotifyfs',` - gen_require(` - type inotifyfs_t; - ') - - allow $1 inotifyfs_t:dir search_dir_perms; -') - -######################################## -## -## List inotifyfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_list_inotifyfs',` - gen_require(` - type inotifyfs_t; - ') - - allow $1 inotifyfs_t:dir list_dir_perms; - fs_read_anon_inodefs_files($1) -') - -######################################## -## -## Dontaudit List inotifyfs filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_list_inotifyfs',` - gen_require(` - type inotifyfs_t; - ') - - dontaudit $1 inotifyfs_t:dir list_dir_perms; -') - -######################################## -## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`fs_hugetlbfs_filetrans',` - gen_require(` - type hugetlbfs_t; - ') - - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3) -') - -######################################## -## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_iso9660_fs',` - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:filesystem mount; -') - -######################################## -## -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_iso9660_fs',` - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:filesystem remount; -') - -######################################## -## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_iso9660_fs',` - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_getattr_iso9660_fs',` - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:filesystem getattr; -') - -######################################## -## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_iso9660_files',` - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:dir list_dir_perms; - allow $1 iso9660_t:file getattr; -') - -######################################## -## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_iso9660_files',` - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:dir list_dir_perms; - read_files_pattern($1, iso9660_t, iso9660_t) - read_lnk_files_pattern($1, iso9660_t, iso9660_t) -') - -######################################## -## -## Mount a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_nfs',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:filesystem mount; -') - -######################################## -## -## Remount a NFS filesystem. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_nfs',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:filesystem remount; -') - -######################################## -## -## Unmount a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_nfs',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_getattr_nfs',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:filesystem getattr; -') - -######################################## -## -## Search directories on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_nfs',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir search_dir_perms; -') - -######################################## -## -## List NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_list_nfs',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to list the contents -## of directories on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_list_nfs',` - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:dir list_dir_perms; -') - -######################################## -## -## Mounton a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mounton_nfs',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir mounton; -') - -######################################## -## -## Read files on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_read_nfs_files',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir list_dir_perms; - read_files_pattern($1, nfs_t, nfs_t) -') - -######################################## -## -## Do not audit attempts to read -## files on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_read_nfs_files',` - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:file read_file_perms; -') - -######################################## -## -## Read files on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_write_nfs_files',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir list_dir_perms; - write_files_pattern($1, nfs_t, nfs_t) -') - -######################################## -## -## Execute files on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_exec_nfs_files',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir list_dir_perms; - exec_files_pattern($1, nfs_t, nfs_t) -') - -######################################## -## -## Make general progams in nfs an entrypoint for -## the specified domain. -## -## -## -## The domain for which nfs_t is an entrypoint. -## -## -# -interface(`fs_nfs_entry_type',` - gen_require(` - type nfs_t; - ') - - domain_entry_file($1, nfs_t) -') - -######################################## -## -## Append files -## on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_append_nfs_files',` - gen_require(` - type nfs_t; - ') - - append_files_pattern($1, nfs_t, nfs_t) -') - -######################################## -## -## dontaudit Append files -## on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`fs_dontaudit_append_nfs_files',` - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:file append_file_perms; -') - -######################################## -## -## Read inherited files on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_read_inherited_nfs_files',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:file read_inherited_file_perms; -') - -######################################## -## -## Do not audit attempts to read or -## write files on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_rw_nfs_files',` - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:file rw_inherited_file_perms; -') - -######################################## -## -## Read symbolic links on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_nfs_symlinks',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir list_dir_perms; - read_lnk_files_pattern($1, nfs_t, nfs_t) -') - -######################################## -## -## Dontaudit read symbolic links on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_read_nfs_symlinks',` - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:lnk_file read_lnk_file_perms; -') - -######################################### -## -## Read named sockets on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_nfs_named_sockets',` - gen_require(` - type nfs_t; - ') - - read_sock_files_pattern($1, nfs_t, nfs_t) -') - -######################################### -## -## Read named pipes on a NFS network filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_read_nfs_named_pipes',` - gen_require(` - type nfs_t; - ') - - read_fifo_files_pattern($1, nfs_t, nfs_t) -') - -######################################## -## -## Read directories of RPC file system pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_rpc_dirs',` - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:dir getattr; - -') - -######################################## -## -## Search directories of RPC file system pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_rpc',` - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:dir search_dir_perms; -') - -######################################## -## -## Search removable storage directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_removable',` - gen_require(` - type removable_t; - ') - - allow $1 removable_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to list removable storage directories. -## -## -## -## Domain not to audit. -## -## -# -interface(`fs_dontaudit_list_removable',` - gen_require(` - type removable_t; - ') - - dontaudit $1 removable_t:dir list_dir_perms; -') - -######################################## -## -## Read removable storage files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_removable_files',` - gen_require(` - type removable_t; - ') - - read_files_pattern($1, removable_t, removable_t) -') - -######################################## -## -## Do not audit attempts to read removable storage files. -## -## -## -## Domain not to audit. -## -## -# -interface(`fs_dontaudit_read_removable_files',` - gen_require(` - type removable_t; - ') - - dontaudit $1 removable_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to write removable storage files. -## -## -## -## Domain not to audit. -## -## -# -interface(`fs_dontaudit_write_removable_files',` - gen_require(` - type removable_t; - ') - - dontaudit $1 removable_t:file write_file_perms; -') - -######################################## -## -## Read removable storage symbolic links. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_removable_symlinks',` - gen_require(` - type removable_t; - ') - - read_lnk_files_pattern($1, removable_t, removable_t) -') - -######################################## -## -## Read and write block nodes on removable filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_removable_blk_files',` - gen_require(` - type removable_t; - ') - - allow $1 removable_t:dir list_dir_perms; - rw_blk_files_pattern($1, removable_t, removable_t) -') - -######################################## -## -## Read directories of RPC file system pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_list_rpc',` - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:dir list_dir_perms; -') - -######################################## -## -## Read files of RPC file system pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_rpc_files',` - gen_require(` - type rpc_pipefs_t; - ') - - read_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t) -') - -######################################## -## -## Read symbolic links of RPC file system pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_rpc_symlinks',` - gen_require(` - type rpc_pipefs_t; - ') - - read_lnk_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t) -') - -######################################## -## -## Read sockets of RPC file system pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_rpc_sockets',` - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:sock_file read; -') - -######################################## -## -## Read and write sockets of RPC file system pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_rpc_sockets',` - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:sock_file { read write }; -') - -######################################## -## -## Create, read, write, and delete directories -## on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_manage_nfs_dirs',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir manage_dir_perms; -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete directories -## on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_manage_nfs_dirs',` - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:dir manage_dir_perms; -') - -######################################## -## -## Create, read, write, and delete files -## on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_manage_nfs_files',` - gen_require(` - type nfs_t; - ') - - manage_files_pattern($1, nfs_t, nfs_t) -') - -######################################## -## -## Do not audit attempts to create, -## read, write, and delete files -## on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_manage_nfs_files',` - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:file manage_file_perms; -') - -######################################### -## -## Create, read, write, and delete symbolic links -## on a NFS network filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_manage_nfs_symlinks',` - gen_require(` - type nfs_t; - ') - - manage_lnk_files_pattern($1, nfs_t, nfs_t) -') - -######################################### -## -## Create, read, write, and delete named pipes -## on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_nfs_named_pipes',` - gen_require(` - type nfs_t; - ') - - manage_fifo_files_pattern($1, nfs_t, nfs_t) -') - -######################################### -## -## Create, read, write, and delete named sockets -## on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_nfs_named_sockets',` - gen_require(` - type nfs_t; - ') - - manage_sock_files_pattern($1, nfs_t, nfs_t) -') - -######################################## -## -## Execute a file on a NFS filesystem -## in the specified domain. -## -## -##

-## Execute a file on a NFS filesystem -## in the specified domain. This allows -## the specified domain to execute any file -## on a NFS filesystem in the specified -## domain. This is not suggested. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## home directories on NFS filesystems, -## in particular used by the ssh-agent policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# -interface(`fs_nfs_domtrans',` - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir search_dir_perms; - domain_auto_transition_pattern($1, nfs_t, $2) -') - -######################################## -## -## Mount a NFS server pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:filesystem mount; -') - -######################################## -## -## Mount a NFS server pseudo filesystem. -## This allows some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:filesystem remount; -') - -######################################## -## -## Unmount a NFS server pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of a NFS server -## pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:filesystem getattr; -') - -######################################## -## -## Search NFS server directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:dir search_dir_perms; -') - -######################################## -## -## List NFS server directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_list_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:dir list_dir_perms; -') - -######################################## -## -## Getattr files on an nfsd filesystem -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_nfsd_files',` - gen_require(` - type nfsd_fs_t; - ') - - getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) -') - -######################################## -## -## Read and write NFS server files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - - rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) -') - -######################################## -## -## Allow the type to associate to ramfs filesystems. -## -## -## -## The type of the object to be associated. -## -## -# -interface(`fs_associate_ramfs',` - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:filesystem associate; -') - -######################################## -## -## Mount a RAM filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_ramfs',` - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:filesystem mount; -') - -######################################## -## -## Remount a RAM filesystem. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_ramfs',` - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:filesystem remount; -') - -######################################## -## -## Unmount a RAM filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_ramfs',` - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of a RAM filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_ramfs',` - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:filesystem getattr; -') - -######################################## -## -## Search directories on a ramfs -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_ramfs',` - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:dir search_dir_perms; -') - -######################################## -## -## Dontaudit Search directories on a ramfs -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_search_ramfs',` - gen_require(` - type ramfs_t; - ') - - dontaudit $1 ramfs_t:dir search_dir_perms; -') - -######################################## -## -## Create, read, write, and delete -## directories on a ramfs. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_ramfs_dirs',` - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:dir manage_dir_perms; -') - -######################################## -## -## Dontaudit read on a ramfs files. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_read_ramfs_files',` - gen_require(` - type ramfs_t; - ') - - dontaudit $1 ramfs_t:file read; -') - -######################################## -## -## Dontaudit read on a ramfs fifo_files. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_read_ramfs_pipes',` - gen_require(` - type ramfs_t; - ') - - dontaudit $1 ramfs_t:fifo_file read; -') - -######################################## -## -## Create, read, write, and delete -## files on a ramfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_ramfs_files',` - gen_require(` - type ramfs_t; - ') - - manage_files_pattern($1, ramfs_t, ramfs_t) -') - -######################################## -## -## Write to named pipe on a ramfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_write_ramfs_pipes',` - gen_require(` - type ramfs_t; - ') - - write_fifo_files_pattern($1, ramfs_t, ramfs_t) -') - -######################################## -## -## Do not audit attempts to write to named -## pipes on a ramfs filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_write_ramfs_pipes',` - gen_require(` - type ramfs_t; - ') - - dontaudit $1 ramfs_t:fifo_file write; -') - -######################################## -## -## Read and write a named pipe on a ramfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_ramfs_pipes',` - gen_require(` - type ramfs_t; - ') - - rw_fifo_files_pattern($1, ramfs_t, ramfs_t) -') - -######################################## -## -## Create, read, write, and delete -## named pipes on a ramfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_ramfs_pipes',` - gen_require(` - type ramfs_t; - ') - - manage_fifo_files_pattern($1, ramfs_t, ramfs_t) -') - -######################################## -## -## Write to named socket on a ramfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_write_ramfs_sockets',` - gen_require(` - type ramfs_t; - ') - - write_sock_files_pattern($1, ramfs_t, ramfs_t) -') - -######################################## -## -## Create, read, write, and delete -## named sockets on a ramfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_ramfs_sockets',` - gen_require(` - type ramfs_t; - ') - - manage_sock_files_pattern($1, ramfs_t, ramfs_t) -') - -######################################## -## -## Mount a ROM filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_romfs',` - gen_require(` - type romfs_t; - ') - - allow $1 romfs_t:filesystem mount; -') - -######################################## -## -## Remount a ROM filesystem. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_romfs',` - gen_require(` - type romfs_t; - ') - - allow $1 romfs_t:filesystem remount; -') - -######################################## -## -## Unmount a ROM filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_romfs',` - gen_require(` - type romfs_t; - ') - - allow $1 romfs_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of a ROM -## filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_romfs',` - gen_require(` - type romfs_t; - ') - - allow $1 romfs_t:filesystem getattr; -') - -######################################## -## -## Mount a RPC pipe filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_rpc_pipefs',` - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:filesystem mount; -') - -######################################## -## -## Remount a RPC pipe filesystem. This -## allows some mount option to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_rpc_pipefs',` - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:filesystem remount; -') - -######################################## -## -## Unmount a RPC pipe filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_rpc_pipefs',` - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of a RPC pipe -## filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_rpc_pipefs',` - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:filesystem getattr; -') - -######################################### -## -## Read and write RPC pipe filesystem named pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_rpc_named_pipes',` - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Mount a tmpfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_tmpfs',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem mount; -') - -######################################## -## -## Remount a tmpfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_tmpfs',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem remount; -') - -######################################## -## -## Unmount a tmpfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_tmpfs',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of a tmpfs -## filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_getattr_tmpfs',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem getattr; -') - -######################################## -## -## Allow the type to associate to tmpfs filesystems. -## -## -## -## The type of the object to be associated. -## -## -# -interface(`fs_associate_tmpfs',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem associate; -') - -######################################## -## -## Get the attributes of tmpfs directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of tmpfs directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_getattr_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:dir getattr; -') - -######################################## -## -## Set the attributes of tmpfs directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_setattr_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir setattr; -') - -######################################## -## -## Search tmpfs directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_tmpfs',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of generic tmpfs directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_list_tmpfs',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to list the -## contents of generic tmpfs directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_list_tmpfs',` - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:dir list_dir_perms; -') - -######################################## -## -## Create, read, write, and delete -## tmpfs directories -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir manage_dir_perms; -') - -######################################## -## -## Create an object in a tmpfs filesystem, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`fs_tmpfs_filetrans',` - gen_require(` - type tmpfs_t; - ') - - allow $2 tmpfs_t:filesystem associate; - filetrans_pattern($1, tmpfs_t, $2, $3) -') - -######################################## -## -## Do not audit attempts to getattr -## generic tmpfs files. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_getattr_tmpfs_files',` - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:file getattr; -') - -######################################## -## -## Do not audit attempts to read or write -## generic tmpfs files. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_rw_tmpfs_files',` - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:file rw_file_perms; -') - -######################################## -## -## Create, read, write, and delete -## auto moutpoints. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_auto_mountpoints',` - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:dir manage_dir_perms; -') - -######################################## -## -## Read generic tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_tmpfs_files',` - gen_require(` - type tmpfs_t; - ') - - read_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Read and write generic tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_tmpfs_files',` - gen_require(` - type tmpfs_t; - ') - - rw_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Read tmpfs link files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_read_tmpfs_symlinks',` - gen_require(` - type tmpfs_t; - ') - - read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Read and write character nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_tmpfs_chr_files',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; - rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## dontaudit Read and write character nodes on tmpfs filesystems. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_use_tmpfs_chr_dev',` - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:dir list_dir_perms; - dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; -') - -######################################## -## -## dontaudit Read and write block nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_dontaudit_read_tmpfs_blk_dev',` - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; -') - -######################################## -## -## Relabel character nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_relabel_tmpfs_chr_file',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; - relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Read and write block nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_rw_tmpfs_blk_files',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; - rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Relabel block nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_relabel_tmpfs_blk_file',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; - relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Read and write, create and delete generic -## files on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_tmpfs_files',` - gen_require(` - type tmpfs_t; - ') - - manage_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Read and write, create and delete symbolic -## links on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_tmpfs_symlinks',` - gen_require(` - type tmpfs_t; - ') - - manage_lnk_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Read and write, create and delete socket -## files on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_tmpfs_sockets',` - gen_require(` - type tmpfs_t; - ') - - manage_sock_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Read and write, create and delete character -## nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_tmpfs_chr_files',` - gen_require(` - type tmpfs_t; - ') - - manage_chr_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Read and write, create and delete block nodes -## on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_manage_tmpfs_blk_files',` - gen_require(` - type tmpfs_t; - ') - - manage_blk_files_pattern($1, tmpfs_t, tmpfs_t) -') - -######################################## -## -## Mount a XENFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_xenfs',` - gen_require(` - type xenfs_t; - ') - - allow $1 xenfs_t:filesystem mount; -') - -######################################## -## -## Search the XENFS filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_xenfs',` - gen_require(` - type xenfs_t; - ') - - allow $1 xenfs_t:dir search_dir_perms; -') - -######################################## -## -## Create, read, write, and delete directories -## on a XENFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_manage_xenfs_dirs',` - gen_require(` - type xenfs_t; - ') - - allow $1 xenfs_t:dir manage_dir_perms; -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete directories -## on a XENFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_manage_xenfs_dirs',` - gen_require(` - type xenfs_t; - ') - - dontaudit $1 xenfs_t:dir manage_dir_perms; -') - -######################################## -## -## Create, read, write, and delete files -## on a XENFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_manage_xenfs_files',` - gen_require(` - type xenfs_t; - ') - - manage_files_pattern($1, xenfs_t, xenfs_t) -') - -######################################## -## -## Do not audit attempts to create, -## read, write, and delete files -## on a XENFS filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_manage_xenfs_files',` - gen_require(` - type xenfs_t; - ') - - dontaudit $1 xenfs_t:file manage_file_perms; -') - -######################################## -## -## Mount all filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_mount_all_fs',` - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem mount; -') - -######################################## -## -## Remount all filesystems. This -## allows some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_remount_all_fs',` - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem remount; -') - -######################################## -## -## Unmount all filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unmount_all_fs',` - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem unmount; -') - -######################################## -## -## Get the attributes of all filesystems. -## -## -##

-## Allow the specified domain to -## et the attributes of all filesystems. -## Example attributes: -##

-##
    -##
  • Type of the file system (e.g., ext3)
  • -##
  • Size of the file system
  • -##
  • Available space on the file system
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -## -# -interface(`fs_getattr_all_fs',` - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem getattr; - files_getattr_all_file_type_fs($1) -') - -######################################## -## -## Do not audit attempts to get the attributes -## all filesystems. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_getattr_all_fs',` - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:filesystem getattr; -') - -######################################## -## -## Get the quotas of all filesystems. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_get_all_fs_quotas',` - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem quotaget; -') - -######################################## -## -## Set the quotas of all filesystems. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fs_set_all_quotas',` - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem quotamod; -') - -######################################## -## -## Relabelfrom all filesystems. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_relabelfrom_all_fs',` - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem relabelfrom; -') - -######################################## -## -## Get the attributes of all directories -## with a filesystem type. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_all_dirs',` - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:dir getattr; -') - -######################################## -## -## Search all directories with a filesystem type. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_search_all',` - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:dir search_dir_perms; -') - -######################################## -## -## List all directories with a filesystem type. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_list_all',` - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:dir list_dir_perms; -') - -######################################## -## -## Get the attributes of all files with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_all_files',` - gen_require(` - attribute filesystem_type; - ') - - getattr_files_pattern($1, filesystem_type, filesystem_type) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all files with a filesystem type. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_getattr_all_files',` - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:file getattr; -') - -######################################## -## -## Get the attributes of all symbolic links with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_all_symlinks',` - gen_require(` - attribute filesystem_type; - ') - - getattr_lnk_files_pattern($1, filesystem_type, filesystem_type) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all symbolic links with a filesystem type. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_getattr_all_symlinks',` - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:lnk_file getattr; -') - -######################################## -## -## Get the attributes of all named pipes with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_all_pipes',` - gen_require(` - attribute filesystem_type; - ') - - getattr_fifo_files_pattern($1, filesystem_type, filesystem_type) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all named pipes with a filesystem type. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_getattr_all_pipes',` - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:fifo_file getattr; -') - -######################################## -## -## Get the attributes of all named sockets with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_all_sockets',` - gen_require(` - attribute filesystem_type; - ') - - getattr_sock_files_pattern($1, filesystem_type, filesystem_type) -') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all named sockets with a filesystem type. -## -## -## -## Domain to not audit. -## -## -# -interface(`fs_dontaudit_getattr_all_sockets',` - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:sock_file getattr; -') - -######################################## -## -## Get the attributes of all block device nodes with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_all_blk_files',` - gen_require(` - attribute filesystem_type; - ') - - getattr_blk_files_pattern($1, filesystem_type, filesystem_type) -') - -######################################## -## -## Get the attributes of all character device nodes with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_getattr_all_chr_files',` - gen_require(` - attribute filesystem_type; - ') - - getattr_chr_files_pattern($1, filesystem_type, filesystem_type) -') - -######################################## -## -## Unconfined access to filesystems -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_unconfined',` - gen_require(` - attribute filesystem_unconfined_type; - ') - - typeattribute $1 filesystem_unconfined_type; -') - -######################################## -## -## Do not audit attempts to read or write -## all leaked filesystems files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fs_dontaudit_leaks',` - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:file rw_inherited_file_perms; - dontaudit $1 filesystem_type:lnk_file { read }; -') - diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te deleted file mode 100644 index a09ab47..0000000 --- a/policy/modules/kernel/filesystem.te +++ /dev/null @@ -1,315 +0,0 @@ -policy_module(filesystem, 1.13.3) - -######################################## -# -# Declarations -# - -attribute filesystem_type; -attribute filesystem_unconfined_type; -attribute noxattrfs; - -############################## -# -# fs_t is the default type for persistent -# filesystems with extended attributes -# -type fs_t; -fs_type(fs_t) -sid fs gen_context(system_u:object_r:fs_t,s0) - -# Use xattrs for the following filesystem types. -# Requires that a security xattr handler exist for the filesystem. -fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); -fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); - -# Use the allocating task SID to label inodes in the following filesystem -# types, and label the filesystem itself with the specified context. -# This is appropriate for pseudo filesystems that represent objects -# like pipes and sockets, so that these objects are labeled with the same -# type as the creating task. -fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0); -fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0); -fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); - -############################## -# -# Non-persistent/pseudo filesystems -# - -type anon_inodefs_t; -fs_type(anon_inodefs_t) -files_mountpoint(anon_inodefs_t) -genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) -mls_trusted_object(anon_inodefs_t) - -type bdev_t; -fs_type(bdev_t) -genfscon bdev / gen_context(system_u:object_r:bdev_t,s0) - -type binfmt_misc_fs_t; -fs_type(binfmt_misc_fs_t) -files_mountpoint(binfmt_misc_fs_t) -genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) - -type capifs_t; -fs_type(capifs_t) -files_mountpoint(capifs_t) -genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) - -type cgroup_t alias cgroupfs_t; -fs_type(cgroup_t) -files_type(cgroup_t) -files_mountpoint(cgroup_t) -dev_associate_sysfs(cgroup_t) -genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) - -type configfs_t; -fs_type(configfs_t) -genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) - -type cpusetfs_t; -fs_type(cpusetfs_t) -allow cpusetfs_t self:filesystem associate; -genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) - -type ecryptfs_t; -fs_noxattr_type(ecryptfs_t) -files_mountpoint(ecryptfs_t) -genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) - -type eventpollfs_t; -fs_type(eventpollfs_t) -# change to task SID 20060628 -#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0) - -type futexfs_t; -fs_type(futexfs_t) -genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) - -type hugetlbfs_t; -fs_type(hugetlbfs_t) -files_mountpoint(hugetlbfs_t) -fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); -dev_associate(hugetlbfs_t) - -type ibmasmfs_t; -fs_type(ibmasmfs_t) -allow ibmasmfs_t self:filesystem associate; -genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0) - -# -# infinibandeventfs fs -# - -type infinibandeventfs_t; -fs_type(infinibandeventfs_t) -allow infinibandeventfs_t self:filesystem associate; -genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) - -type inotifyfs_t; -fs_type(inotifyfs_t) -genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) - -type mvfs_t; -fs_noxattr_type(mvfs_t) -allow mvfs_t self:filesystem associate; -genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) - -type nfsd_fs_t; -fs_type(nfsd_fs_t) -genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) - -type oprofilefs_t; -fs_type(oprofilefs_t) -genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) - -type ramfs_t; -fs_type(ramfs_t) -files_mountpoint(ramfs_t) -genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0) - -type romfs_t; -fs_type(romfs_t) -genfscon romfs / gen_context(system_u:object_r:romfs_t,s0) -genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0) - -type rpc_pipefs_t; -fs_type(rpc_pipefs_t) -genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) -files_mountpoint(rpc_pipefs_t) - -type spufs_t; -fs_type(spufs_t) -genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) -files_mountpoint(spufs_t) - -type squash_t; -fs_type(squash_t) -genfscon squash / gen_context(system_u:object_r:squash_t,s0) -files_mountpoint(squash_t) - -type sysv_t; -fs_noxattr_type(sysv_t) -files_mountpoint(sysv_t) -genfscon sysv / gen_context(system_u:object_r:sysv_t,s0) -genfscon v7 / gen_context(system_u:object_r:sysv_t,s0) - -type vmblock_t; -fs_noxattr_type(vmblock_t) -files_mountpoint(vmblock_t) -genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) -genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) -genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0) - -type vxfs_t; -fs_noxattr_type(vxfs_t) -files_mountpoint(vxfs_t) -genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) - -# -# tmpfs_t is the type for tmpfs filesystems -# -type tmpfs_t; -fs_type(tmpfs_t) -files_type(tmpfs_t) -files_mountpoint(tmpfs_t) -files_poly_parent(tmpfs_t) -dev_associate(tmpfs_t) - -# Use a transition SID based on the allocating task SID and the -# filesystem SID to label inodes in the following filesystem types, -# and label the filesystem itself with the specified context. -# This is appropriate for pseudo filesystems like devpts and tmpfs -# where we want to label objects with a derived type. -fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); -fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); -fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); - -allow tmpfs_t noxattrfs:filesystem associate; - -type xenfs_t; -fs_noxattr_type(xenfs_t) -files_mountpoint(xenfs_t) -genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) - -############################## -# -# Filesystems without extended attribute support -# - -type autofs_t; -fs_noxattr_type(autofs_t) -files_mountpoint(autofs_t) -genfscon autofs / gen_context(system_u:object_r:autofs_t,s0) -genfscon automount / gen_context(system_u:object_r:autofs_t,s0) - -# -# cifs_t is the type for filesystems and their -# files shared from Windows servers -# -type cifs_t alias sambafs_t; -fs_noxattr_type(cifs_t) -files_mountpoint(cifs_t) -genfscon cifs / gen_context(system_u:object_r:cifs_t,s0) -genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0) - -# -# dosfs_t is the type for fat and vfat -# filesystems and their files. -# -type dosfs_t; -fs_noxattr_type(dosfs_t) -files_mountpoint(dosfs_t) -allow dosfs_t fs_t:filesystem associate; -genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) -genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) -genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0) -genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0) -genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0) -genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) -genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) - -type fusefs_t; -fs_noxattr_type(fusefs_t) -files_mountpoint(fusefs_t) -allow fusefs_t self:filesystem associate; -allow fusefs_t fs_t:filesystem associate; -genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) -genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0) -genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0) - -# -# iso9660_t is the type for CD filesystems -# and their files. -# -type iso9660_t; -fs_noxattr_type(iso9660_t) -files_mountpoint(iso9660_t) -genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) -genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) - -# -# removable_t is the default type of all removable media -# -type removable_t; -allow removable_t noxattrfs:filesystem associate; -fs_noxattr_type(removable_t) -files_type(removable_t) -files_mountpoint(removable_t) - -# -# nfs_t is the default type for NFS file systems -# and their files. -# -type nfs_t; -fs_noxattr_type(nfs_t) -files_mountpoint(nfs_t) -genfscon nfs / gen_context(system_u:object_r:nfs_t,s0) -genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0) -genfscon afs / gen_context(system_u:object_r:nfs_t,s0) -genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0) -genfscon coda / gen_context(system_u:object_r:nfs_t,s0) -genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) -genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) -genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) -genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) -genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) - -######################################## -# -# Rules for all filesystem types -# - -allow filesystem_type self:filesystem associate; - -######################################## -# -# Rules for filesystems without xattr support -# - -# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example -fs_associate_noxattr(noxattrfs) - -######################################## -# -# Unconfined access to this module -# - -allow filesystem_unconfined_type filesystem_type:filesystem *; - -# Create/access other files. fs_type is to pick up various -# pseudo filesystem types that are applied to both the filesystem -# and its files. -allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc deleted file mode 100644 index 7be4ddf..0000000 --- a/policy/modules/kernel/kernel.fc +++ /dev/null @@ -1 +0,0 @@ -# This module currently does not have any file contexts. diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if deleted file mode 100644 index 10c14fe..0000000 --- a/policy/modules/kernel/kernel.if +++ /dev/null @@ -1,2958 +0,0 @@ -## -## Policy for kernel threads, proc filesystem, -## and unlabeled processes and objects. -## -## -## This module has initial SIDs. -## - -######################################## -## -## Allows to start userland processes -## by transitioning to the specified domain. -## -## -## -## The process type entered by kernel. -## -## -## -## -## The executable type for the entrypoint. -## -## -# -interface(`kernel_domtrans_to',` - gen_require(` - type kernel_t; - ') - - domtrans_pattern(kernel_t, $2, $1) -') - -######################################## -## -## Allows to start userland processes -## by transitioning to the specified domain, -## with a range transition. -## -## -## -## The process type entered by kernel. -## -## -## -## -## The executable type for the entrypoint. -## -## -## -## -## Range for the domain. -## -## -# -interface(`kernel_ranged_domtrans_to',` - gen_require(` - type kernel_t; - ') - - kernel_domtrans_to($1, $2) - - ifdef(`enable_mcs',` - range_transition kernel_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition kernel_t $2:process $3; - mls_rangetrans_target($1) - ') -') - -######################################## -## -## Allows the kernel to mount filesystems on -## the specified directory type. -## -## -## -## The type of the directory to use as a mountpoint. -## -## -# -interface(`kernel_rootfs_mountpoint',` - gen_require(` - type kernel_t; - ') - - allow kernel_t $1:dir mounton; -') - -######################################## -## -## Set the process group of kernel threads. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_setpgid',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:process setpgid; -') - -######################################## -## -## Set the priority of kernel threads. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_setsched',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:process setsched; -') - -######################################## -## -## Send a SIGCHLD signal to kernel threads. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_sigchld',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:process sigchld; -') - -######################################## -## -## Send a kill signal to kernel threads. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_kill',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:process sigkill; -') - -######################################## -## -## Send a generic signal to kernel threads. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_signal',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:process signal; -') - -######################################## -## -## Allows the kernel to share state information with -## the caller. -## -## -## -## The type of the process with which to share state information. -## -## -# -interface(`kernel_share_state',` - gen_require(` - type kernel_t; - ') - - allow kernel_t $1:process share; -') - -######################################## -## -## Permits caller to use kernel file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_use_fds',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:fd use; -') - -######################################## -## -## Do not audit attempts to use -## kernel file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_use_fds',` - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:fd use; -') - -######################################## -## -## Read and write kernel unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_rw_pipes',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:fifo_file { read write }; -') - -######################################## -## -## Read and write kernel unix datagram sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_rw_unix_dgram_sockets',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:unix_dgram_socket { read write ioctl }; -') - -######################################## -## -## Send messages to kernel unix datagram sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_dgram_send',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:unix_dgram_socket sendto; -') - -######################################## -## -## Receive messages from kernel TCP sockets. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_tcp_recvfrom',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Send UDP network traffic to the kernel. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Receive messages from kernel UDP sockets. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_udp_recvfrom',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Allows caller to load kernel modules -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_load_module',` - gen_require(` - attribute can_load_kernmodule; - ') - - allow $1 self:capability sys_module; - typeattribute $1 can_load_kernmodule; - - # load_module() calls stop_machine() which - # calls sched_setscheduler() - allow $1 self:capability sys_nice; - kernel_setsched($1) -') - -######################################## -## -## Allow search the kernel key ring. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_search_key',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:key search; -') - -######################################## -## -## dontaudit search the kernel key ring. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_search_key',` - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:key search; -') - -######################################## -## -## Allow link to the kernel key ring. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_link_key',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:key link; -') - -######################################## -## -## dontaudit link to the kernel key ring. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_link_key',` - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:key link; -') - -######################################## -## -## Allows caller to read the ring buffer. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_ring_buffer',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:system syslog_read; -') - -######################################## -## -## Do not audit attempts to read the ring buffer. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_read_ring_buffer',` - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:system syslog_read; -') - -######################################## -## -## Change the level of kernel messages logged to the console. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_change_ring_buffer_level',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:system syslog_console; -') - -######################################## -## -## Allows the caller to clear the ring buffer. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_clear_ring_buffer',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:system syslog_mod; -') - -######################################## -## -## Allows caller to request the kernel to load a module -## -## -##

-## Allow the specified domain to request that the kernel -## load a kernel module. An example of this is the -## auto-loading of network drivers when doing an -## ioctl() on a network interface. -##

-##

-## In the specific case of a module loading request -## on a network interface, the domain will also -## need the net_admin capability. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`kernel_request_load_module',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:system module_request; -') - -######################################## -## -## Do not audit requests to the kernel to load a module. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_request_load_module',` - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:system module_request; -') - -######################################## -## -## Get information on all System V IPC objects. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_get_sysvipc_info',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:system ipc_info; -') - -######################################## -## -## Get the attributes of a kernel debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_getattr_debugfs',` - gen_require(` - type debugfs_t; - ') - - allow $1 debugfs_t:filesystem getattr; -') - -######################################## -## -## Mount a kernel debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_mount_debugfs',` - gen_require(` - type debugfs_t; - ') - - allow $1 debugfs_t:filesystem mount; -') - -######################################## -## -## Unmount a kernel debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_unmount_debugfs',` - gen_require(` - type debugfs_t; - ') - - allow $1 debugfs_t:filesystem unmount; -') - -######################################## -## -## Remount a kernel debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_remount_debugfs',` - gen_require(` - type debugfs_t; - ') - - allow $1 debugfs_t:filesystem remount; -') - -######################################## -## -## Search the contents of a kernel debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_search_debugfs',` - gen_require(` - type debugfs_t; - ') - - search_dirs_pattern($1, debugfs_t, debugfs_t) -') - -######################################## -## -## Do not audit attempts to search the kernel debugging filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_search_debugfs',` - gen_require(` - type debugfs_t; - ') - - dontaudit $1 debugfs_t:dir search_dir_perms; -') - -######################################## -## -## Read information from the debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_read_debugfs',` - gen_require(` - type debugfs_t; - ') - - read_files_pattern($1, debugfs_t, debugfs_t) - read_lnk_files_pattern($1, debugfs_t, debugfs_t) - list_dirs_pattern($1, debugfs_t, debugfs_t) -') - -######################################## -## -## Read/Write information from the debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_rw_debugfs',` - gen_require(` - type debugfs_t; - ') - - rw_files_pattern($1, debugfs_t, debugfs_t) - read_lnk_files_pattern($1, debugfs_t, debugfs_t) - list_dirs_pattern($1, debugfs_t, debugfs_t) -') - -######################################## -## -## Manage information from the debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_manage_debugfs',` - gen_require(` - type debugfs_t; - ') - - manage_files_pattern($1, debugfs_t, debugfs_t) - read_lnk_files_pattern($1, debugfs_t, debugfs_t) - list_dirs_pattern($1, debugfs_t, debugfs_t) -') - -######################################## -## -## Mount a kernel VM filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_mount_kvmfs',` - gen_require(` - type kvmfs_t; - ') - - allow $1 kvmfs_t:filesystem mount; -') - -######################################## -## -## Unmount the proc filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_unmount_proc',` - gen_require(` - type proc_t; - ') - - allow $1 proc_t:filesystem unmount; -') - -######################################## -## -## Get the attributes of the proc filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_getattr_proc',` - gen_require(` - type proc_t; - ') - - allow $1 proc_t:filesystem getattr; -') - -######################################## -## -## Search directories in /proc. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_search_proc',` - gen_require(` - type proc_t; - ') - - search_dirs_pattern($1, proc_t, proc_t) -') - -######################################## -## -## List the contents of directories in /proc. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_list_proc',` - gen_require(` - type proc_t; - ') - - list_dirs_pattern($1, proc_t, proc_t) -') - -######################################## -## -## Do not audit attempts to list the -## contents of directories in /proc. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_list_proc',` - gen_require(` - type proc_t; - ') - - dontaudit $1 proc_t:dir list_dir_perms; -') - -######################################## -## -## Get the attributes of files in /proc. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_getattr_proc_files',` - gen_require(` - type proc_t; - ') - - getattr_files_pattern($1, proc_t, proc_t) -') - -######################################## -## -## Read generic symbolic links in /proc. -## -## -##

-## Allow the specified domain to read (follow) generic -## symbolic links (symlinks) in the proc filesystem (/proc). -## This interface does not include access to the targets of -## these links. An example symlink is /proc/self. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_proc_symlinks',` - gen_require(` - type proc_t; - ') - - read_lnk_files_pattern($1, proc_t, proc_t) -') - -######################################## -## -## Allows caller to read system state information in /proc. -## -## -##

-## Allow the specified domain to read general system -## state information from the proc filesystem (/proc). -##

-##

-## Generally it should be safe to allow this access. Some -## example files that can be read based on this interface: -##

-##
    -##
  • /proc/cpuinfo
  • -##
  • /proc/meminfo
  • -##
  • /proc/uptime
  • -##
-##

-## This does not allow access to sysctl entries (/proc/sys/*) -## nor process state information (/proc/pid). -##

-##
-## -## -## Domain allowed access. -## -## -## -## -# -interface(`kernel_read_system_state',` - gen_require(` - type proc_t; - ') - - read_files_pattern($1, proc_t, proc_t) - read_lnk_files_pattern($1, proc_t, proc_t) - - list_dirs_pattern($1, proc_t, proc_t) -') - -######################################## -## -## Write to generic proc entries. -## -## -## -## Domain allowed access. -## -## -## -# -# cjp: this should probably go away. any -# file thats writable in proc should really -# have its own label. -# -interface(`kernel_write_proc_files',` - gen_require(` - type proc_t; - ') - - write_files_pattern($1, proc_t, proc_t) -') - -######################################## -## -## Do not audit attempts by caller to -## read system state information in proc. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_read_system_state',` - gen_require(` - type proc_t; - ') - - dontaudit $1 proc_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts by caller to -## read system state information in proc. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_read_proc_symlinks',` - gen_require(` - type proc_t; - ') - - dontaudit $1 proc_t:lnk_file read; -') - -####################################### -## -## Allow caller to read and write state information for AFS. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_afs_state',` - gen_require(` - type proc_t, proc_afs_t; - ') - - list_dirs_pattern($1, proc_t, proc_t) - rw_files_pattern($1, proc_afs_t, proc_afs_t) -') - -####################################### -## -## Allow caller to read the state information for software raid. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_software_raid_state',` - gen_require(` - type proc_t, proc_mdstat_t; - ') - - read_files_pattern($1, proc_t, proc_mdstat_t) - - list_dirs_pattern($1, proc_t, proc_t) -') - -####################################### -## -## Allow caller to read and set the state information for software raid. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_rw_software_raid_state',` - gen_require(` - type proc_t, proc_mdstat_t; - ') - - rw_files_pattern($1, proc_t, proc_mdstat_t) - - list_dirs_pattern($1, proc_t, proc_t) -') - -######################################## -## -## Allows caller to get attribues of core kernel interface. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_getattr_core_if',` - gen_require(` - type proc_t, proc_kcore_t; - ') - - getattr_files_pattern($1, proc_t, proc_kcore_t) - - list_dirs_pattern($1, proc_t, proc_t) -') - -######################################## -## -## Do not audit attempts to get the attributes of -## core kernel interfaces. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_getattr_core_if',` - gen_require(` - type proc_kcore_t; - ') - - dontaudit $1 proc_kcore_t:file getattr; -') - -######################################## -## -## Allows caller to read the core kernel interface. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_read_core_if',` - gen_require(` - type proc_t, proc_kcore_t; - attribute can_dump_kernel; - ') - - allow $1 self:capability sys_rawio; - read_files_pattern($1, proc_t, proc_kcore_t) - list_dirs_pattern($1, proc_t, proc_t) - - typeattribute $1 can_dump_kernel; -') - -######################################## -## -## Allow caller to read kernel messages -## using the /proc/kmsg interface. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_read_messages',` - gen_require(` - attribute can_receive_kernel_messages; - type proc_kmsg_t, proc_t; - ') - - read_files_pattern($1, proc_t, proc_kmsg_t) - - typeattribute $1 can_receive_kernel_messages; -') - -######################################## -## -## Allow caller to get the attributes of kernel message -## interface (/proc/kmsg). -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_getattr_message_if',` - gen_require(` - type proc_kmsg_t, proc_t; - ') - - getattr_files_pattern($1, proc_t, proc_kmsg_t) -') - -######################################## -## -## Do not audit attempts by caller to get the attributes of kernel -## message interfaces. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_getattr_message_if',` - gen_require(` - type proc_kmsg_t, proc_t; - ') - - dontaudit $1 proc_kmsg_t:file getattr; -') - -######################################## -## -## Do not audit attempts to search the network -## state directory. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`kernel_dontaudit_search_network_state',` - gen_require(` - type proc_net_t; - ') - - dontaudit $1 proc_net_t:dir search; -') - -######################################## -## -## Allow searching of network state directory. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_search_network_state',` - gen_require(` - type proc_net_t; - ') - - search_dirs_pattern($1, proc_t, proc_net_t) -') - -######################################## -## -## Read the network state information. -## -## -##

-## Allow the specified domain to read the networking -## state information. This includes several pieces -## of networking information, such as network interface -## names, netfilter (iptables) statistics, protocol -## information, routes, and remote procedure call (RPC) -## information. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -# -interface(`kernel_read_network_state',` - gen_require(` - type proc_t, proc_net_t; - ') - - read_files_pattern($1, { proc_t proc_net_t }, proc_net_t) - read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) - - list_dirs_pattern($1, proc_t, proc_net_t) -') - -######################################## -## -## Allow caller to read the network state symbolic links. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_read_network_state_symlinks',` - gen_require(` - type proc_t, proc_net_t; - ') - - read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) - - list_dirs_pattern($1, proc_t, proc_net_t) -') - -######################################## -## -## Allow searching of xen state directory. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_search_xen_state',` - gen_require(` - type proc_t, proc_xen_t; - ') - - search_dirs_pattern($1, proc_t, proc_xen_t) -') - -######################################## -## -## Do not audit attempts to search the xen -## state directory. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`kernel_dontaudit_search_xen_state',` - gen_require(` - type proc_xen_t; - ') - - dontaudit $1 proc_xen_t:dir search; -') - -######################################## -## -## Allow caller to read the xen state information. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_xen_state',` - gen_require(` - type proc_t, proc_xen_t; - ') - - read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) - read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) - - list_dirs_pattern($1, proc_t, proc_xen_t) -') - -######################################## -## -## Allow caller to read the xen state symbolic links. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_xen_state_symlinks',` - gen_require(` - type proc_t, proc_xen_t; - ') - - read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) - - list_dirs_pattern($1, proc_t, proc_xen_t) -') - -######################################## -## -## Allow caller to write xen state information. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_write_xen_state',` - gen_require(` - type proc_t, proc_xen_t; - ') - - write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) -') - -######################################## -## -## Allow attempts to list all proc directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_list_all_proc',` - gen_require(` - attribute proc_type; - ') - - allow $1 proc_type:dir list_dir_perms; - allow $1 proc_type:file getattr; -') - -######################################## -## -## Do not audit attempts to list all proc directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_list_all_proc',` - gen_require(` - attribute proc_type; - ') - - dontaudit $1 proc_type:dir list_dir_perms; - dontaudit $1 proc_type:file getattr; -') - -######################################## -## -## Do not audit attempts by caller to search -## the base directory of sysctls. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`kernel_dontaudit_search_sysctl',` - gen_require(` - type sysctl_t; - ') - - dontaudit $1 sysctl_t:dir search; -') - -######################################## -## -## Allow access to read sysctl directories. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_sysctl',` - gen_require(` - type sysctl_t, proc_t; - ') - - list_dirs_pattern($1, proc_t, sysctl_t) - read_files_pattern($1, sysctl_t, sysctl_t) -') - -######################################## -## -## Allow caller to read the device sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_device_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_dev_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) -') - -######################################## -## -## Read and write device sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_device_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_dev_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) -') - -######################################## -## -## Allow caller to search virtual memory sysctls. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_search_vm_sysctl',` - gen_require(` - type proc_t, sysctl_t, sysctl_vm_t; - ') - - search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) -') - -######################################## -## -## Allow caller to read virtual memory sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_vm_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_vm_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) -') - -######################################## -## -## Read and write virtual memory sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_vm_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_vm_t; - ') - - rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t) - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) - - # hal needs this - allow $1 sysctl_vm_t:dir write; -') - -######################################## -## -## Search network sysctl directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_search_network_sysctl',` - gen_require(` - type proc_t, sysctl_t, sysctl_net_t; - ') - - search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) -') - -######################################## -## -## Do not audit attempts by caller to search network sysctl directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_search_network_sysctl',` - gen_require(` - type sysctl_net_t; - ') - - dontaudit $1 sysctl_net_t:dir search; -') - -######################################## -## -## Allow caller to read network sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_net_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_net_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) -') - -######################################## -## -## Allow caller to modiry contents of sysctl network files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_net_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_net_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) -') - -######################################## -## -## Allow caller to read unix domain -## socket sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_unix_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) -') - -######################################## -## -## Read and write unix domain -## socket sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_unix_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) -') - -######################################## -## -## Read the hotplug sysctl. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_hotplug_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) -') - -######################################## -## -## Read and write the hotplug sysctl. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_hotplug_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) -') - -######################################## -## -## Read the modprobe sysctl. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_modprobe_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) -') - -######################################## -## -## Read and write the modprobe sysctl. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_modprobe_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) -') - -######################################## -## -## Do not audit attempts to search generic kernel sysctls. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_search_kernel_sysctl',` - gen_require(` - type sysctl_kernel_t; - ') - - dontaudit $1 sysctl_kernel_t:dir search; -') - -######################################## -## -## Read generic crypto sysctls. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_read_crypto_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_crypto_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) -') - -######################################## -## -## Read general kernel sysctls. -## -## -##

-## Allow the specified domain to read general -## kernel sysctl settings. These settings are typically -## read using the sysctl program. The settings -## that are included by this interface are prefixed -## with "kernel.", for example, kernel.sysrq. -##

-##

-## This does not include access to the hotplug -## handler setting (kernel.hotplug) -## nor the module installer handler setting -## (kernel.modprobe). -##

-##

-## Related interfaces: -##

-##
    -##
  • kernel_rw_kernel_sysctl()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_kernel_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) -') - -######################################## -## -## Do not audit attempts to write generic kernel sysctls. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_write_kernel_sysctl',` - gen_require(` - type sysctl_kernel_t; - ') - - dontaudit $1 sysctl_kernel_t:file write; -') - -######################################## -## -## Read and write generic kernel sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_kernel_sysctl',` - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) -') - -######################################## -## -## Read filesystem sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_fs_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_fs_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) -') - -######################################## -## -## Read and write fileystem sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_fs_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_fs_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) -') - -######################################## -## -## Read IRQ sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_irq_sysctls',` - gen_require(` - type proc_t, sysctl_irq_t; - ') - - read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t) - - list_dirs_pattern($1, proc_t, sysctl_irq_t) -') - -######################################## -## -## Read and write IRQ sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_irq_sysctls',` - gen_require(` - type proc_t, sysctl_irq_t; - ') - - rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t) - - list_dirs_pattern($1, proc_t, sysctl_irq_t) -') - -######################################## -## -## Read RPC sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_rpc_sysctls',` - gen_require(` - type proc_t, proc_net_t, sysctl_rpc_t; - ') - - read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) - - list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) -') - -######################################## -## -## Read and write RPC sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_rpc_sysctls',` - gen_require(` - type proc_t, proc_net_t, sysctl_rpc_t; - ') - - rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) - - list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) -') - -######################################## -## -## Do not audit attempts to list all sysctl directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_list_all_sysctls',` - gen_require(` - attribute sysctl_type; - ') - - dontaudit $1 sysctl_type:dir list_dir_perms; - dontaudit $1 sysctl_type:file read_file_perms; -') - -######################################## -## -## Allow caller to read all sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_read_all_sysctls',` - gen_require(` - attribute sysctl_type; - type proc_t, proc_net_t; - ') - - # proc_net_t for /proc/net/rpc sysctls - read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) - - list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type) -') - -######################################## -## -## Read and write all sysctls. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kernel_rw_all_sysctls',` - gen_require(` - attribute sysctl_type; - type proc_t, proc_net_t; - ') - - # proc_net_t for /proc/net/rpc sysctls - rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) - - allow $1 sysctl_type:dir list_dir_perms; - # why is setattr needed? - allow $1 sysctl_type:file setattr; -') - -######################################## -## -## Send a kill signal to unlabeled processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_kill_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:process sigkill; -') - -######################################## -## -## Mount a kernel unlabeled filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_mount_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:filesystem mount; -') - -######################################## -## -## Unmount a kernel unlabeled filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_unmount_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:filesystem unmount; -') - -######################################## -## -## Send general signals to unlabeled processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_signal_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:process signal; -') - -######################################## -## -## Send a null signal to unlabeled processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_signull_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:process signull; -') - -######################################## -## -## Send a stop signal to unlabeled processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_sigstop_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:process sigstop; -') - -######################################## -## -## Send a child terminated signal to unlabeled processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_sigchld_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:process sigchld; -') - -######################################## -## -## List unlabeled directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_list_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir list_dir_perms; -') - -######################################## -## -## Read the process state (/proc/pid) of all unlabeled_t. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_read_unlabeled_state',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir list_dir_perms; - read_files_pattern($1, unlabeled_t, unlabeled_t) - read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) -') - -######################################## -## -## Do not audit attempts to list unlabeled directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_dontaudit_list_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:dir list_dir_perms; -') - -######################################## -## -## Read and write unlabeled directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_rw_unlabeled_dirs',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir rw_dir_perms; -') - -######################################## -## -## Read and write unlabeled files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_rw_unlabeled_files',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:file rw_file_perms; -') - -######################################## -## -## Do not audit attempts by caller to get the -## attributes of an unlabeled file. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_getattr_unlabeled_files',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:file getattr; -') - -######################################## -## -## Do not audit attempts by caller to -## read an unlabeled file. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_read_unlabeled_files',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:file { getattr read }; -') - -######################################## -## -## Do not audit attempts by caller to get the -## attributes of unlabeled symbolic links. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_getattr_unlabeled_symlinks',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:lnk_file getattr; -') - -######################################## -## -## Do not audit attempts by caller to get the -## attributes of unlabeled named pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_getattr_unlabeled_pipes',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:fifo_file getattr; -') - -######################################## -## -## Do not audit attempts by caller to get the -## attributes of unlabeled named sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_getattr_unlabeled_sockets',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:sock_file getattr; -') - -######################################## -## -## Do not audit attempts by caller to get attributes for -## unlabeled block devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_getattr_unlabeled_blk_files',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:blk_file getattr; -') - -######################################## -## -## Read and write unlabeled block device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_rw_unlabeled_blk_files',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:blk_file getattr; -') - -######################################## -## -## Read and write unlabeled sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_rw_unlabeled_socket',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:socket rw_socket_perms; -') - -######################################## -## -## Do not audit attempts by caller to get attributes for -## unlabeled character devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_getattr_unlabeled_chr_files',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:chr_file getattr; -') - -######################################## -## -## Allow caller to relabel unlabeled directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_relabelfrom_unlabeled_dirs',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir { list_dir_perms relabelfrom }; -') - -######################################## -## -## Allow caller to relabel unlabeled files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_relabelfrom_unlabeled_files',` - gen_require(` - type unlabeled_t; - ') - - kernel_list_unlabeled($1) - allow $1 unlabeled_t:file { getattr relabelfrom }; -') - -######################################## -## -## Allow caller to relabel unlabeled symbolic links. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_relabelfrom_unlabeled_symlinks',` - gen_require(` - type unlabeled_t; - ') - - kernel_list_unlabeled($1) - allow $1 unlabeled_t:lnk_file { getattr relabelfrom }; -') - -######################################## -## -## Allow caller to relabel unlabeled named pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_relabelfrom_unlabeled_pipes',` - gen_require(` - type unlabeled_t; - ') - - kernel_list_unlabeled($1) - allow $1 unlabeled_t:fifo_file { getattr relabelfrom }; -') - -######################################## -## -## Allow caller to relabel unlabeled named sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_relabelfrom_unlabeled_sockets',` - gen_require(` - type unlabeled_t; - ') - - kernel_list_unlabeled($1) - allow $1 unlabeled_t:sock_file { getattr relabelfrom }; -') - -######################################## -## -## Send and receive messages from an -## unlabeled IPSEC association. -## -## -##

-## Send and receive messages from an -## unlabeled IPSEC association. Network -## connections that are not protected -## by IPSEC have use an unlabeled -## assocation. -##

-##

-## The corenetwork interface -## corenet_non_ipsec_sendrecv() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`kernel_sendrecv_unlabeled_association',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:association { sendto recvfrom }; - - # temporary hack until labeling on packets is supported - allow $1 unlabeled_t:packet { send recv }; -') - -######################################## -## -## Do not audit attempts to send and receive messages -## from an unlabeled IPSEC association. -## -## -##

-## Do not audit attempts to send and receive messages -## from an unlabeled IPSEC association. Network -## connections that are not protected -## by IPSEC have use an unlabeled -## assocation. -##

-##

-## The corenetwork interface -## corenet_dontaudit_non_ipsec_sendrecv() should -## be used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_sendrecv_unlabeled_association',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:association { sendto recvfrom }; -') - -######################################## -## -## Receive TCP packets from an unlabeled connection. -## -## -##

-## Receive TCP packets from an unlabeled connection. -##

-##

-## The corenetwork interface corenet_tcp_recv_unlabeled() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`kernel_tcp_recvfrom_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:tcp_socket recvfrom; -') - -######################################## -## -## Do not audit attempts to receive TCP packets from an unlabeled -## connection. -## -## -##

-## Do not audit attempts to receive TCP packets from an unlabeled -## connection. -##

-##

-## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() -## should be used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:tcp_socket recvfrom; -') - -######################################## -## -## Receive UDP packets from an unlabeled connection. -## -## -##

-## Receive UDP packets from an unlabeled connection. -##

-##

-## The corenetwork interface corenet_udp_recv_unlabeled() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`kernel_udp_recvfrom_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:udp_socket recvfrom; -') - -######################################## -## -## Do not audit attempts to receive UDP packets from an unlabeled -## connection. -## -## -##

-## Do not audit attempts to receive UDP packets from an unlabeled -## connection. -##

-##

-## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled() -## should be used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_udp_recvfrom_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:udp_socket recvfrom; -') - -######################################## -## -## Receive Raw IP packets from an unlabeled connection. -## -## -##

-## Receive Raw IP packets from an unlabeled connection. -##

-##

-## The corenetwork interface corenet_raw_recv_unlabeled() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`kernel_raw_recvfrom_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:rawip_socket recvfrom; -') - -######################################## -## -## Do not audit attempts to receive Raw IP packets from an unlabeled -## connection. -## -## -##

-## Do not audit attempts to receive Raw IP packets from an unlabeled -## connection. -##

-##

-## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() -## should be used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_raw_recvfrom_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:rawip_socket recvfrom; -') - -######################################## -## -## Send and receive unlabeled packets. -## -## -##

-## Send and receive unlabeled packets. -## These packets do not match any netfilter -## SECMARK rules. -##

-##

-## The corenetwork interface -## corenet_sendrecv_unlabeled_packets() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`kernel_sendrecv_unlabeled_packets',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:packet { send recv }; -') - -######################################## -## -## Receive packets from an unlabeled peer. -## -## -##

-## Receive packets from an unlabeled peer, these packets do not have any -## peer labeling information present. -##

-##

-## The corenetwork interface corenet_recvfrom_unlabeled_peer() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`kernel_recvfrom_unlabeled_peer',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:peer recv; -') - -######################################## -## -## Do not audit attempts to receive packets from an unlabeled peer. -## -## -##

-## Do not audit attempts to receive packets from an unlabeled peer, -## these packets do not have any peer labeling information present. -##

-##

-## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled() -## should be used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`kernel_dontaudit_recvfrom_unlabeled_peer',` - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:peer recv; -') - -######################################## -## -## Relabel from unlabeled database objects. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_relabelfrom_unlabeled_database',` - gen_require(` - type unlabeled_t; - class db_database { setattr relabelfrom }; - class db_table { setattr relabelfrom }; - class db_procedure { setattr relabelfrom }; - class db_column { setattr relabelfrom }; - class db_tuple { update relabelfrom }; - class db_blob { setattr relabelfrom }; - ') - - allow $1 unlabeled_t:db_database { setattr relabelfrom }; - allow $1 unlabeled_t:db_table { setattr relabelfrom }; - allow $1 unlabeled_t:db_procedure { setattr relabelfrom }; - allow $1 unlabeled_t:db_column { setattr relabelfrom }; - allow $1 unlabeled_t:db_tuple { update relabelfrom }; - allow $1 unlabeled_t:db_blob { setattr relabelfrom }; -') - -######################################## -## -## Relabel to unlabeled context . -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_relabelto_unlabeled',` - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir_file_class_set relabelto; -') - -######################################## -## -## Unconfined access to kernel module resources. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_unconfined',` - gen_require(` - attribute kern_unconfined; - ') - - typeattribute $1 kern_unconfined; -') - -######################################## -## -## Allow the specified domain to connect to -## the kernel with a unix socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`kernel_stream_connect',` - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:unix_stream_socket connectto; -') - diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te deleted file mode 100644 index 17eb1ca..0000000 --- a/policy/modules/kernel/kernel.te +++ /dev/null @@ -1,405 +0,0 @@ -policy_module(kernel, 1.12.2) - -######################################## -# -# Declarations -# - -# assertion related attributes -attribute can_load_kernmodule; -attribute can_receive_kernel_messages; -attribute can_dump_kernel; - -neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; - -# domains with unconfined access to kernel resources -attribute kern_unconfined; - -# regular entries in proc -attribute proc_type; - -# sysctls -attribute sysctl_type; - -role system_r; -role sysadm_r; -role staff_r; -role user_r; - -# here until order dependence is fixed: -role unconfined_r; - -ifdef(`enable_mls',` - role secadm_r; - role auditadm_r; -') - -# -# kernel_t is the domain of kernel threads. -# It is also the target type when checking permissions in the system class. -# -type kernel_t, can_load_kernmodule; -domain_base_type(kernel_t) -mls_rangetrans_source(kernel_t) -role system_r types kernel_t; -sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) - -# -# DebugFS -# - -type debugfs_t; -fs_type(debugfs_t) -allow debugfs_t self:filesystem associate; -genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) - -# -# kvmFS -# - -type kvmfs_t; -fs_type(kvmfs_t) -genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0) - -# -# Procfs types -# - -type proc_t, proc_type; -files_mountpoint(proc_t) -fs_type(proc_t) -genfscon proc / gen_context(system_u:object_r:proc_t,s0) -genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0) - -type proc_afs_t, proc_type; -genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0) - -# kernel message interface -type proc_kmsg_t, proc_type; -genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh) -neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr; - -# /proc kcore: inaccessible -type proc_kcore_t, proc_type; -neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr; -genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) - -type proc_mdstat_t, proc_type; -genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) - -type proc_net_t, proc_type; -genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) - -type proc_xen_t, proc_type; -files_mountpoint(proc_xen_t) -genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) - -# -# Sysctl types -# - -# /proc/sys directory, base directory of sysctls -type sysctl_t, sysctl_type; -files_mountpoint(sysctl_t) -sid sysctl gen_context(system_u:object_r:sysctl_t,s0) -genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0) - -# /proc/irq directory and files -type sysctl_irq_t, sysctl_type; -genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) - -# /proc/net/rpc directory and files -type sysctl_rpc_t, sysctl_type; -genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) - -# /proc/sys/crypto directory and files -type sysctl_crypto_t, sysctl_type; -genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) - -# /proc/sys/fs directory and files -type sysctl_fs_t, sysctl_type; -files_mountpoint(sysctl_fs_t) -genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) - -# /proc/sys/kernel directory and files -type sysctl_kernel_t, sysctl_type; -genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) - -# /proc/sys/kernel/modprobe file -type sysctl_modprobe_t, sysctl_type; -genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0) - -# /proc/sys/kernel/hotplug file -type sysctl_hotplug_t, sysctl_type; -genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0) - -# /proc/sys/net directory and files -type sysctl_net_t, sysctl_type; -genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) - -# /proc/sys/net/unix directory and files -type sysctl_net_unix_t, sysctl_type; -genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) - -# /proc/sys/vm directory and files -type sysctl_vm_t, sysctl_type; -genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) - -# /proc/sys/dev directory and files -type sysctl_dev_t, sysctl_type; -genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) - -# -# unlabeled_t is the type of unlabeled objects. -# Objects that have no known labeling information or that -# have labels that are no longer valid are treated as having this type. -# -type unlabeled_t; -sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -fs_associate(unlabeled_t) - -# These initial sids are no longer used, and can be removed: -sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) -sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -sid init gen_context(system_u:object_r:unlabeled_t,s0) -sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0) -sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0) -sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0) -sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0) -sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0) -sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0) -sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0) -sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) - -######################################## -# -# kernel local policy -# - -allow kernel_t self:capability *; -allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow kernel_t self:shm create_shm_perms; -allow kernel_t self:sem create_sem_perms; -allow kernel_t self:msg { send receive }; -allow kernel_t self:msgq create_msgq_perms; -allow kernel_t self:unix_dgram_socket create_socket_perms; -allow kernel_t self:unix_stream_socket create_stream_socket_perms; -allow kernel_t self:unix_dgram_socket sendto; -allow kernel_t self:unix_stream_socket connectto; -allow kernel_t self:fifo_file rw_fifo_file_perms; -allow kernel_t self:sock_file read_sock_file_perms; -allow kernel_t self:fd use; - -allow kernel_t debugfs_t:dir search_dir_perms; - -allow kernel_t proc_t:dir list_dir_perms; -allow kernel_t proc_t:file read_file_perms; -allow kernel_t proc_t:lnk_file read_lnk_file_perms; - -allow kernel_t proc_net_t:dir list_dir_perms; -allow kernel_t proc_net_t:file read_file_perms; - -allow kernel_t proc_mdstat_t:file read_file_perms; - -allow kernel_t proc_kcore_t:file getattr; - -allow kernel_t proc_kmsg_t:file getattr; - -allow kernel_t sysctl_kernel_t:dir list_dir_perms; -allow kernel_t sysctl_kernel_t:file read_file_perms; -allow kernel_t sysctl_t:dir list_dir_perms; - -# Other possible mount points for the root fs are in files -allow kernel_t unlabeled_t:dir mounton; -# Kernel-generated traffic e.g., TCP resets on -# connections with invalidated labels: -allow kernel_t unlabeled_t:packet send; - -# Allow unlabeled network traffic -allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; -corenet_in_generic_if(unlabeled_t) -corenet_in_generic_node(unlabeled_t) - -corenet_all_recvfrom_unlabeled(kernel_t) -corenet_all_recvfrom_netlabel(kernel_t) -# Kernel-generated traffic e.g., ICMP replies: -corenet_raw_sendrecv_all_if(kernel_t) -corenet_raw_sendrecv_all_nodes(kernel_t) -corenet_raw_send_generic_if(kernel_t) -# Kernel-generated traffic e.g., TCP resets: -corenet_tcp_sendrecv_all_if(kernel_t) -corenet_tcp_sendrecv_all_nodes(kernel_t) -corenet_raw_send_generic_node(kernel_t) -corenet_send_all_packets(kernel_t) - -dev_read_sysfs(kernel_t) -dev_search_usbfs(kernel_t) -# devtmpfs handling: -dev_create_generic_dirs(kernel_t) -dev_delete_generic_dirs(kernel_t) -dev_create_generic_blk_files(kernel_t) -dev_delete_generic_blk_files(kernel_t) -dev_create_generic_chr_files(kernel_t) -dev_delete_generic_chr_files(kernel_t) -dev_mounton(kernel_t) -dev_filetrans_named_dev(kernel_t) - -# Mount root file system. Used when loading a policy -# from initrd, then mounting the root filesystem -fs_mount_all_fs(kernel_t) -fs_unmount_all_fs(kernel_t) - -selinux_load_policy(kernel_t) - -term_use_all_terms(kernel_t) -term_use_ptmx(kernel_t) - -corecmd_exec_shell(kernel_t) -corecmd_list_bin(kernel_t) -# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. -corecmd_exec_bin(kernel_t) - -domain_signal_all_domains(kernel_t) -domain_search_all_domains_state(kernel_t) - -files_list_root(kernel_t) -files_list_etc(kernel_t) -files_list_home(kernel_t) -files_read_usr_files(kernel_t) -files_manage_mounttab(kernel_t) -files_manage_generic_spool_dirs(kernel_t) - -mcs_process_set_categories(kernel_t) -mcs_file_read_all(kernel_t) -mcs_file_write_all(kernel_t) - -mls_process_read_up(kernel_t) -mls_process_write_down(kernel_t) -mls_file_write_all_levels(kernel_t) -mls_file_read_all_levels(kernel_t) -mls_socket_write_all_levels(kernel_t) -mls_fd_share_all_levels(kernel_t) - -logging_manage_generic_logs(kernel_t) - -ifdef(`distro_redhat',` - # Bugzilla 222337 - fs_rw_tmpfs_chr_files(kernel_t) -') - -userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) - -optional_policy(` - hotplug_search_config(kernel_t) -') - -optional_policy(` - init_sigchld(kernel_t) -') - -optional_policy(` - libs_use_ld_so(kernel_t) - libs_use_shared_libs(kernel_t) -') - -optional_policy(` - logging_send_syslog_msg(kernel_t) -') - -optional_policy(` - nis_use_ypbind(kernel_t) -') - -optional_policy(` - # nfs kernel server needs kernel UDP access. It is less risky and painful - # to just give it everything. - allow kernel_t self:tcp_socket create_stream_socket_perms; - allow kernel_t self:udp_socket create_socket_perms; - - # nfs kernel server needs kernel UDP access. It is less risky and painful - # to just give it everything. - corenet_udp_sendrecv_generic_if(kernel_t) - corenet_udp_sendrecv_generic_node(kernel_t) - corenet_udp_sendrecv_all_ports(kernel_t) - corenet_udp_bind_generic_node(kernel_t) - corenet_sendrecv_portmap_client_packets(kernel_t) - corenet_sendrecv_generic_server_packets(kernel_t) - - fs_getattr_xattr_fs(kernel_t) - - auth_dontaudit_getattr_shadow(kernel_t) - - sysnet_read_config(kernel_t) - - rpc_manage_nfs_ro_content(kernel_t) - rpc_manage_nfs_rw_content(kernel_t) - rpc_udp_rw_nfs_sockets(kernel_t) - - tunable_policy(`nfs_export_all_ro',` - fs_getattr_noxattr_fs(kernel_t) - fs_list_noxattr_fs(kernel_t) - fs_read_noxattr_fs_files(kernel_t) - fs_read_noxattr_fs_symlinks(kernel_t) - - auth_read_all_dirs_except_shadow(kernel_t) - auth_read_all_files_except_shadow(kernel_t) - auth_read_all_symlinks_except_shadow(kernel_t) - ') - - tunable_policy(`nfs_export_all_rw',` - fs_getattr_noxattr_fs(kernel_t) - fs_list_noxattr_fs(kernel_t) - fs_read_noxattr_fs_files(kernel_t) - fs_read_noxattr_fs_symlinks(kernel_t) - - auth_manage_all_files_except_shadow(kernel_t) - ') -') - -optional_policy(` - seutil_read_config(kernel_t) - seutil_read_bin_policy(kernel_t) -') - -optional_policy(` - unconfined_domain_noaudit(kernel_t) -') - -optional_policy(` - xserver_xdm_manage_spool(kernel_t) -') - -######################################## -# -# Unlabeled process local policy -# - -optional_policy(` - # If you load a new policy that removes active domains, processes can - # get stuck if you do not allow unlabeled processes to signal init. - # If you load an incompatible policy, you should probably reboot, - # since you may have compromised system security. - init_sigchld(unlabeled_t) -') - -######################################## -# -# Rules for unconfined acccess to this module -# - -allow kern_unconfined proc_type:{ dir file lnk_file } *; - -allow kern_unconfined sysctl_type:{ dir file } *; - -allow kern_unconfined kernel_t:system *; - -allow kern_unconfined unlabeled_t:dir_file_class_set *; -allow kern_unconfined unlabeled_t:filesystem *; -allow kern_unconfined unlabeled_t:association *; -allow kern_unconfined unlabeled_t:packet *; -allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; diff --git a/policy/modules/kernel/mcs.fc b/policy/modules/kernel/mcs.fc deleted file mode 100644 index fa8a4b1..0000000 --- a/policy/modules/kernel/mcs.fc +++ /dev/null @@ -1 +0,0 @@ -# no MCS file contexts diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if deleted file mode 100644 index 3d62385..0000000 --- a/policy/modules/kernel/mcs.if +++ /dev/null @@ -1,131 +0,0 @@ -## Multicategory security policy -## -## Contains attributes used in MCS policy. -## - -######################################## -## -## This domain is allowed to read files and directories -## regardless of their MCS category set. -## -## -## -## Domain target for user exemption. -## -## -## -# -interface(`mcs_file_read_all',` - gen_require(` - attribute mcsreadall; - ') - - typeattribute $1 mcsreadall; -') - -######################################## -## -## This domain is allowed to write files and directories -## regardless of their MCS category set. -## -## -## -## Domain target for user exemption. -## -## -## -# -interface(`mcs_file_write_all',` - gen_require(` - attribute mcswriteall; - ') - - typeattribute $1 mcswriteall; -') - -######################################## -## -## This domain is allowed to sigkill and sigstop -## all domains regardless of their MCS category set. -## -## -## -## Domain target for user exemption. -## -## -## -# -interface(`mcs_killall',` - gen_require(` - attribute mcskillall; - ') - - typeattribute $1 mcskillall; -') - -######################################## -## -## This domain is allowed to ptrace -## all domains regardless of their MCS -## category set. -## -## -## -## Domain target for user exemption. -## -## -# -interface(`mcs_ptrace_all',` - gen_require(` - attribute mcsptraceall; - ') - - typeattribute $1 mcsptraceall; -') - -######################################## -## -## Make specified domain MCS trusted -## for setting any category set for -## the processes it executes. -## -## -## -## Domain target for user exemption. -## -## -# -interface(`mcs_process_set_categories',` - gen_require(` - attribute mcssetcats; - ') - - typeattribute $1 mcssetcats; -') - -######################################## -## -## Make specified process type MCS untrusted. -## -## -##

-## Make specified process type MCS untrusted. This -## prevents this process from sending signals to other processes -## with different mcs labels -## object. -##

-##
-## -## -## The type of the process. -## -## -# -interface(`mcs_untrusted_proc',` - gen_require(` - attribute mcsuntrustedproc; - ') - - typeattribute $1 mcsuntrustedproc; -') - diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te deleted file mode 100644 index dbf577f..0000000 --- a/policy/modules/kernel/mcs.te +++ /dev/null @@ -1,14 +0,0 @@ -policy_module(mcs, 1.2.0) - -######################################## -# -# Declarations -# - -attribute mcskillall; -attribute mcsptraceall; -attribute mcssetcats; -attribute mcswriteall; -attribute mcsreadall; -attribute mcsuntrustedproc; - diff --git a/policy/modules/kernel/metadata.xml b/policy/modules/kernel/metadata.xml deleted file mode 100644 index d1da3a2..0000000 --- a/policy/modules/kernel/metadata.xml +++ /dev/null @@ -1 +0,0 @@ -Policy modules for kernel resources. diff --git a/policy/modules/kernel/mls.fc b/policy/modules/kernel/mls.fc deleted file mode 100644 index 13df19e..0000000 --- a/policy/modules/kernel/mls.fc +++ /dev/null @@ -1 +0,0 @@ -# No MLS file contexts. diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if deleted file mode 100644 index d178478..0000000 --- a/policy/modules/kernel/mls.if +++ /dev/null @@ -1,984 +0,0 @@ -## Multilevel security policy -## -##

-## This module contains interfaces for handling multilevel -## security. The interfaces allow the specified subjects -## and objects to be allowed certain privileges in the -## MLS rules. -##

-##
-## -## Contains attributes used in MLS policy. -## - -######################################## -## -## Make specified domain MLS trusted -## for reading from files up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_file_read_to_clearance',` - gen_require(` - attribute mlsfilereadtoclr; - ') - - typeattribute $1 mlsfilereadtoclr; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from files at all levels. (Deprecated) -## -## -##

-## Make specified domain MLS trusted -## for reading from files at all levels. -##

-##

-## This interface has been deprecated, please use -## mls_file_read_all_levels() instead. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`mls_file_read_up',` - refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.') - mls_file_read_all_levels($1) -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from files at all levels. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_file_read_all_levels',` - gen_require(` - attribute mlsfileread; - ') - - typeattribute $1 mlsfileread; -') - -######################################## -## -## Make specified domain MLS trusted -## for write to files up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_file_write_to_clearance',` - gen_require(` - attribute mlsfilewritetoclr; - ') - - typeattribute $1 mlsfilewritetoclr; -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to files at all levels. (Deprecated) -## -## -##

-## Make specified domain MLS trusted -## for writing to files at all levels. -##

-##

-## This interface has been deprecated, please use -## mls_file_write_all_levels() instead. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`mls_file_write_down',` - refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.') - mls_file_write_all_levels($1) -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to files at all levels. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_file_write_all_levels',` - gen_require(` - attribute mlsfilewrite; - ') - - typeattribute $1 mlsfilewrite; -') - -######################################## -## -## Make specified domain MLS trusted -## for raising the level of files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_file_upgrade',` - gen_require(` - attribute mlsfileupgrade; - ') - - typeattribute $1 mlsfileupgrade; -') - -######################################## -## -## Make specified domain MLS trusted -## for lowering the level of files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_file_downgrade',` - gen_require(` - attribute mlsfiledowngrade; - ') - - typeattribute $1 mlsfiledowngrade; -') - -######################################## -## -## Make specified domain trusted to -## be written to within its MLS range. -## The subject's MLS range must be a -## proper subset of the object's MLS range. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_file_write_within_range',` - gen_require(` - attribute mlsfilewriteinrange; - ') - - typeattribute $1 mlsfilewriteinrange; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from sockets at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_socket_read_all_levels',` - gen_require(` - attribute mlsnetread; - ') - - typeattribute $1 mlsnetread; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from sockets at any level -## that is dominated by the process clearance. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_socket_read_to_clearance',` - gen_require(` - attribute mlsnetreadtoclr; - ') - - typeattribute $1 mlsnetreadtoclr; -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to sockets up to -## its clearance. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_socket_write_to_clearance',` - gen_require(` - attribute mlsnetwritetoclr; - ') - - typeattribute $1 mlsnetwritetoclr; -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to sockets at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_socket_write_all_levels',` - gen_require(` - attribute mlsnetwrite; - ') - - typeattribute $1 mlsnetwrite; -') - -######################################## -## -## Make specified domain MLS trusted -## for receiving network data from -## network interfaces or hosts at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_net_receive_all_levels',` - gen_require(` - attribute mlsnetrecvall; - ') - - typeattribute $1 mlsnetrecvall; -') - -######################################## -## -## Make specified domain trusted to -## write to network objects within its MLS range. -## The subject's MLS range must be a -## proper subset of the object's MLS range. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_net_write_within_range',` - gen_require(` - attribute mlsnetwriteranged; - ') - - typeattribute $1 mlsnetwriteranged; -') - -######################################## -## -## Make specified domain trusted to -## write inbound packets regardless of the -## network's or node's MLS range. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_net_inbound_all_levels',` - gen_require(` - attribute mlsnetinbound; - ') - - typeattribute $1 mlsnetinbound; -') - -######################################## -## -## Make specified domain trusted to -## write outbound packets regardless of the -## network's or node's MLS range. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_net_outbound_all_levels',` - gen_require(` - attribute mlsnetoutbound; - ') - - typeattribute $1 mlsnetoutbound; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from System V IPC objects -## up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_sysvipc_read_to_clearance',` - gen_require(` - attribute mlsipcreadtoclr; - ') - - typeattribute $1 mlsipcreadtoclr; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from System V IPC objects -## at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_sysvipc_read_all_levels',` - gen_require(` - attribute mlsipcread; - ') - - typeattribute $1 mlsipcread; -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to System V IPC objects -## up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_sysvipc_write_to_clearance',` - gen_require(` - attribute mlsipcwritetoclr; - ') - - typeattribute $1 mlsipcwritetoclr; -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to System V IPC objects -## at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_sysvipc_write_all_levels',` - gen_require(` - attribute mlsipcwrite; - ') - - typeattribute $1 mlsipcwrite; -') - -######################################## -## -## Allow the specified domain to do a MLS -## range transition that changes -## the current level. -## -## -## -## Domain allowed access. -## -## -# -interface(`mls_rangetrans_source',` - gen_require(` - attribute privrangetrans; - ') - - typeattribute $1 privrangetrans; -') - -######################################## -## -## Make specified domain a target domain -## for MLS range transitions that change -## the current level. -## -## -## -## Domain allowed access. -## -## -# -interface(`mls_rangetrans_target',` - gen_require(` - attribute mlsrangetrans; - ') - - typeattribute $1 mlsrangetrans; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from processes up to -## its clearance. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_process_read_to_clearance',` - gen_require(` - attribute mlsprocreadtoclr; - ') - - typeattribute $1 mlsprocreadtoclr; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from processes at all levels. (Deprecated) -## -## -##

-## Make specified domain MLS trusted -## for reading from processes at all levels. -##

-##

-## This interface has been deprecated, please use -## mls_process_read_all_levels() instead. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`mls_process_read_up',` -# refpolicywarn(`$0($*) has been deprecated, please use mls_process_read_all_levels() instead.') - mls_process_read_all_levels($1) -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from processes at all levels. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_process_read_all_levels',` - gen_require(` - attribute mlsprocread; - ') - - typeattribute $1 mlsprocread; -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to processes up to -## its clearance. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_process_write_to_clearance',` - gen_require(` - attribute mlsprocwritetoclr; - ') - - typeattribute $1 mlsprocwritetoclr; -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to processes at all levels. (Deprecated) -## -## -##

-## Make specified domain MLS trusted -## for writing to processes at all levels. -##

-##

-## This interface has been deprecated, please use -## mls_process_write_all_levels() instead. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`mls_process_write_down',` -# refpolicywarn(`$0($*) has been deprecated, please use mls_process_write_all_levels() instead.') - mls_process_write_all_levels($1) -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to processes at all levels. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_process_write_all_levels',` - gen_require(` - attribute mlsprocwrite; - ') - - typeattribute $1 mlsprocwrite; -') - -######################################## -## -## Make specified domain MLS trusted -## for setting the level of processes -## it executes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_process_set_level',` - gen_require(` - attribute mlsprocsetsl; - ') - - typeattribute $1 mlsprocsetsl; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from X objects up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_xwin_read_to_clearance',` - gen_require(` - attribute mlsxwinreadtoclr; - ') - - typeattribute $1 mlsxwinreadtoclr; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from X objects at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_xwin_read_all_levels',` - gen_require(` - attribute mlsxwinread; - ') - - typeattribute $1 mlsxwinread; -') - -######################################## -## -## Make specified domain MLS trusted -## for write to X objects up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_xwin_write_to_clearance',` - gen_require(` - attribute mlsxwinwritetoclr; - ') - - typeattribute $1 mlsxwinwritetoclr; -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to X objects at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_xwin_write_all_levels',` - gen_require(` - attribute mlsxwinwrite; - ') - - typeattribute $1 mlsxwinwrite; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from X colormaps at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_colormap_read_all_levels',` - gen_require(` - attribute mlsxwinreadcolormap; - ') - - typeattribute $1 mlsxwinreadcolormap; -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to X colormaps at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_colormap_write_all_levels',` - gen_require(` - attribute mlsxwinwritecolormap; - ') - - typeattribute $1 mlsxwinwritecolormap; -') - -######################################## -## -## Make specified object MLS trusted. -## -## -##

-## Make specified object MLS trusted. This -## allows all levels to read and write the -## object. -##

-##

-## This currently only applies to filesystem -## objects, for example, files and directories. -##

-##
-## -## -## The type of the object. -## -## -# -interface(`mls_trusted_object',` - gen_require(` - attribute mlstrustedobject; - ') - - typeattribute $1 mlstrustedobject; -') - -######################################## -## -## Make the specified domain trusted -## to inherit and use file descriptors -## from all levels. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_fd_use_all_levels',` - gen_require(` - attribute mlsfduse; - ') - - typeattribute $1 mlsfduse; -') - -######################################## -## -## Make the file descriptors from the -## specifed domain inheritable by -## all levels. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_fd_share_all_levels',` - gen_require(` - attribute mlsfdshare; - ') - - typeattribute $1 mlsfdshare; -') - -######################################## -## -## Make specified domain MLS trusted -## for translating contexts at all levels. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_context_translate_all_levels',` - gen_require(` - attribute mlstranslate; - ') - - typeattribute $1 mlstranslate; -') - -######################################## -## -## Make specified domain MLS trusted -## for reading from databases at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_db_read_all_levels',` - gen_require(` - attribute mlsdbread; - ') - - typeattribute $1 mlsdbread; -') - -######################################## -## -## Make specified domain MLS trusted -## for writing to databases at any level. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_db_write_all_levels',` - gen_require(` - attribute mlsdbwrite; - ') - - typeattribute $1 mlsdbwrite; -') - -######################################## -## -## Make specified domain MLS trusted -## for raising the level of databases. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_db_upgrade',` - gen_require(` - attribute mlsdbupgrade; - ') - - typeattribute $1 mlsdbupgrade; -') - -######################################## -## -## Make specified domain MLS trusted -## for lowering the level of databases. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_db_downgrade',` - gen_require(` - attribute mlsdbdowngrade; - ') - - typeattribute $1 mlsdbdowngrade; -') -######################################## -## -## Make specified domain MLS trusted -## for sending dbus messages to -## all levels. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_dbus_send_all_levels',` - gen_require(` - attribute mlsdbussend; - ') - - typeattribute $1 mlsdbussend; -') - -######################################## -## -## Make specified domain MLS trusted -## for receiving dbus messages from -## all levels. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_dbus_recv_all_levels',` - gen_require(` - attribute mlsdbusrecv; - ') - - typeattribute $1 mlsdbusrecv; -') diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te deleted file mode 100644 index 8c7bd90..0000000 --- a/policy/modules/kernel/mls.te +++ /dev/null @@ -1,69 +0,0 @@ -policy_module(mls, 1.8.0) - -######################################## -# -# Declarations -# - -attribute mlsfileread; -attribute mlsfilereadtoclr; -attribute mlsfilewrite; -attribute mlsfilewritetoclr; -attribute mlsfilewriteinrange; -attribute mlsfileupgrade; -attribute mlsfiledowngrade; - -attribute mlsnetread; -attribute mlsnetreadtoclr; -attribute mlsnetwrite; -attribute mlsnetwritetoclr; -attribute mlsnetwriteranged; -attribute mlsnetupgrade; -attribute mlsnetdowngrade; -attribute mlsnetrecvall; -attribute mlsnetinbound; -attribute mlsnetoutbound; - -attribute mlsipcread; -attribute mlsipcreadtoclr; -attribute mlsipcwrite; -attribute mlsipcwritetoclr; - -attribute mlsprocread; -attribute mlsprocreadtoclr; -attribute mlsprocwrite; -attribute mlsprocwritetoclr; -attribute mlsprocsetsl; - -attribute mlsxwinread; -attribute mlsxwinreadtoclr; -attribute mlsxwinwrite; -attribute mlsxwinwritetoclr; -attribute mlsxwinreadproperty; -attribute mlsxwinwriteproperty; -attribute mlsxwinreadselection; -attribute mlsxwinwriteselection; -attribute mlsxwinreadcolormap; -attribute mlsxwinwritecolormap; -attribute mlsxwinwritexinput; - -attribute mlsdbread; -attribute mlsdbreadtoclr; -attribute mlsdbwrite; -attribute mlsdbwritetoclr; -attribute mlsdbwriteinrange; -attribute mlsdbupgrade; -attribute mlsdbdowngrade; - -attribute mlstrustedobject; - -attribute privrangetrans; -attribute mlsrangetrans; - -attribute mlsfduse; -attribute mlsfdshare; - -attribute mlstranslate; - -attribute mlsdbusrecv; -attribute mlsdbussend; diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc deleted file mode 100644 index 7be4ddf..0000000 --- a/policy/modules/kernel/selinux.fc +++ /dev/null @@ -1 +0,0 @@ -# This module currently does not have any file contexts. diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if deleted file mode 100644 index bc1ed0f..0000000 --- a/policy/modules/kernel/selinux.if +++ /dev/null @@ -1,686 +0,0 @@ -## -## Policy for kernel security interface, in particular, selinuxfs. -## -## -## Contains the policy for the kernel SELinux security interface. -## - -######################################## -## -## Make the specified type used for labeling SELinux Booleans. -## This interface is only usable in the base module. -## -## -##

-## Make the specified type used for labeling SELinux Booleans. -##

-##

-## This makes use of genfscon statements, which are only -## available in the base module. Thus any module which calls this -## interface must be included in the base module. -##

-##
-## -## -## Type used for labeling a Boolean. -## -## -## -## -## Name of the Boolean. -## -## -# -interface(`selinux_labeled_boolean',` - gen_require(` - attribute boolean_type; - ') - - typeattribute $1 boolean_type; - - # because of this statement, any module which - # calls this interface must be in the base module: -# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) -') - -######################################## -## -## Get the mountpoint of the selinuxfs filesystem. -## -## -## -## Domain allowed access. -## -## -# -interface(`selinux_get_fs_mount',` - gen_require(` - type security_t; - ') - - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs - allow $1 security_t:filesystem getattr; - - # read /proc/filesystems to see if selinuxfs is supported - # then read /proc/self/mount to see where selinuxfs is mounted - kernel_read_system_state($1) -') - -######################################## -## -## Do not audit attempts to get the mountpoint -## of the selinuxfs filesystem. -## -## -## -## Domain to not audit. -## -## -# -interface(`selinux_dontaudit_get_fs_mount',` - gen_require(` - type security_t; - ') - - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs - dontaudit $1 security_t:filesystem getattr; - - # read /proc/filesystems to see if selinuxfs is supported - # then read /proc/self/mount to see where selinuxfs is mounted - kernel_dontaudit_read_system_state($1) -') - -######################################## -## -## Get the attributes of the selinuxfs filesystem -## -## -## -## Domain allowed access. -## -## -# -interface(`selinux_getattr_fs',` - gen_require(` - type security_t; - ') - - allow $1 security_t:filesystem getattr; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of the selinuxfs filesystem -## -## -## -## Domain to not audit. -## -## -# -interface(`selinux_dontaudit_getattr_fs',` - gen_require(` - type security_t; - ') - - dontaudit $1 security_t:filesystem getattr; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of the selinuxfs directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`selinux_dontaudit_getattr_dir',` - gen_require(` - type security_t; - ') - - dontaudit $1 security_t:dir getattr; -') - -######################################## -## -## Search selinuxfs. -## -## -## -## Domain allowed access. -## -## -# -interface(`selinux_search_fs',` - gen_require(` - type security_t; - ') - - allow $1 security_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to search selinuxfs. -## -## -## -## Domain to not audit. -## -## -# -interface(`selinux_dontaudit_search_fs',` - gen_require(` - type security_t; - ') - - dontaudit $1 security_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to read -## generic selinuxfs entries -## -## -## -## Domain to not audit. -## -## -# -interface(`selinux_dontaudit_read_fs',` - gen_require(` - type security_t; - ') - - selinux_dontaudit_getattr_fs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file read_file_perms; -') - - -######################################## -## -## Do not audit attempts to write -## generic selinuxfs entries -## -## -## -## Domain to not audit. -## -## -# -interface(`selinux_dontaudit_write_fs',` - gen_require(` - type security_t; - ') - - dontaudit $1 security_t:dir write; -') - -######################################## -## -## Allows the caller to get the mode of policy enforcement -## (enforcing or permissive mode). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`selinux_get_enforce_mode',` - gen_require(` - type security_t; - ') - - selinux_get_fs_mount($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; -') - -######################################## -## -## Allow caller to set the mode of policy enforcement -## (enforcing or permissive mode). -## -## -##

-## Allow caller to set the mode of policy enforcement -## (enforcing or permissive mode). -##

-##

-## Since this is a security event, this action is -## always audited. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`selinux_set_enforce_mode',` - gen_require(` - type security_t; - attribute can_setenforce; - bool secure_mode_policyload; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - typeattribute $1 can_setenforce; - - if(!secure_mode_policyload) { - allow $1 security_t:security setenforce; - - ifdef(`distro_rhel4',` - # needed for systems without audit support - auditallow $1 security_t:security setenforce; - ') - } -') - -######################################## -## -## Allow caller to load the policy into the kernel. -## -## -## -## Domain allowed access. -## -## -# -interface(`selinux_load_policy',` - gen_require(` - type security_t; - attribute can_load_policy; - bool secure_mode_policyload; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - typeattribute $1 can_load_policy; - - if(!secure_mode_policyload) { - allow $1 security_t:security load_policy; - - ifdef(`distro_rhel4',` - # needed for systems without audit support - auditallow $1 security_t:security load_policy; - ') - } -') - -######################################## -## -## Allow caller to set the state of Booleans to -## enable or disable conditional portions of the policy. (Deprecated) -## -## -##

-## Allow caller to set the state of Booleans to -## enable or disable conditional portions of the policy. -##

-##

-## Since this is a security event, this action is -## always audited. -##

-##

-## This interface has been deprecated. Please use -## selinux_set_generic_booleans() or selinux_set_all_booleans() -## instead. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`selinux_set_boolean',` - refpolicywarn(`$0($*) has been deprecated, use selinux_set_generic_booleans() instead.') - selinux_set_generic_booleans($1) -') - -######################################## -## -## Allow caller to set the state of generic Booleans to -## enable or disable conditional portions of the policy. -## -## -##

-## Allow caller to set the state of generic Booleans to -## enable or disable conditional portions of the policy. -##

-##

-## Since this is a security event, this action is -## always audited. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`selinux_set_generic_booleans',` - gen_require(` - type security_t; - bool secure_mode_policyload; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - - if(!secure_mode_policyload) { - allow $1 security_t:security setbool; - - ifdef(`distro_rhel4',` - # needed for systems without audit support - auditallow $1 security_t:security setbool; - ') - } -') - -######################################## -## -## Allow caller to set the state of all Booleans to -## enable or disable conditional portions of the policy. -## -## -##

-## Allow caller to set the state of all Booleans to -## enable or disable conditional portions of the policy. -##

-##

-## Since this is a security event, this action is -## always audited. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`selinux_set_all_booleans',` - gen_require(` - type security_t; - attribute boolean_type; - bool secure_mode_policyload; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 boolean_type:dir list_dir_perms; - allow $1 boolean_type:file rw_file_perms; - - if(!secure_mode_policyload) { - allow $1 security_t:security setbool; - - ifdef(`distro_rhel4',` - # needed for systems without audit support - auditallow $1 security_t:security setbool; - ') - } -') - -######################################## -## -## Allow caller to set SELinux access vector cache parameters. -## -## -##

-## Allow caller to set SELinux access vector cache parameters. -## The allows the domain to set performance related parameters -## of the AVC, such as cache threshold. -##

-##

-## Since this is a security event, this action is -## always audited. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`selinux_set_parameters',` - gen_require(` - type security_t; - attribute can_setsecparam; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security setsecparam; - auditallow $1 security_t:security setsecparam; - typeattribute $1 can_setsecparam; -') - -######################################## -## -## Allows caller to validate security contexts. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`selinux_validate_context',` - gen_require(` - type security_t; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security check_context; -') - -######################################## -## -## Do not audit attempts to validate security contexts. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`selinux_dontaudit_validate_context',` - gen_require(` - type security_t; - ') - - dontaudit $1 security_t:dir list_dir_perms; - dontaudit $1 security_t:file rw_file_perms; - dontaudit $1 security_t:security check_context; -') - -######################################## -## -## Allows caller to compute an access vector. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`selinux_compute_access_vector',` - gen_require(` - type security_t; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_av; -') - -######################################## -## -## Calculate the default type for object creation. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`selinux_compute_create_context',` - gen_require(` - type security_t; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_create; -') - -######################################## -## -## Allows caller to compute polyinstatntiated -## directory members. -## -## -## -## Domain allowed access. -## -## -# -interface(`selinux_compute_member',` - gen_require(` - type security_t; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_member; -') - -######################################## -## -## Calculate the context for relabeling objects. -## -## -##

-## Calculate the context for relabeling objects. -## This is determined by using the type_change -## rules in the policy, and is generally used -## for determining the context for relabeling -## a terminal when a user logs in. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`selinux_compute_relabel_context',` - gen_require(` - type security_t; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_relabel; -') - -######################################## -## -## Allows caller to compute possible contexts for a user. -## -## -## -## Domain allowed access. -## -## -# -interface(`selinux_compute_user_contexts',` - gen_require(` - type security_t; - ') - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_user; -') - -######################################## -## -## Unconfined access to the SELinux kernel security server. -## -## -## -## Domain allowed access. -## -## -# -interface(`selinux_unconfined',` - gen_require(` - attribute selinux_unconfined_type; - ') - - typeattribute $1 selinux_unconfined_type; -') - -######################################## -## -## Generate a file context for a boolean type -## -## -## -## Domain allowed access. -## -## -# -interface(`selinux_genbool',` - gen_require(` - attribute boolean_type; - ') - - type $1, boolean_type; - fs_type($1) - mls_trusted_object($1) -') - -######################################## -## -## Unmount a security filesystem. -## -## -## -## The type of the domain unmounting the filesystem. -## -## -# -interface(`selinux_unmount_fs',` - gen_require(` - type security_t; - ') - - allow $1 security_t:filesystem unmount; -') - diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te deleted file mode 100644 index 499e997..0000000 --- a/policy/modules/kernel/selinux.te +++ /dev/null @@ -1,51 +0,0 @@ -policy_module(selinux, 1.8.0) - -######################################## -# -# Declarations -# - -attribute boolean_type; -attribute can_load_policy; -attribute can_setenforce; -attribute can_setsecparam; -attribute selinux_unconfined_type; - -# -# security_t is the target type when checking -# the permissions in the security class. It is also -# applied to selinuxfs inodes. -# -type security_t, boolean_type; -fs_type(security_t) -mls_trusted_object(security_t) -sid security gen_context(system_u:object_r:security_t,mls_systemhigh) -genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) -genfscon securityfs / gen_context(system_u:object_r:security_t,s0) - -neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; -neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; -neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; - -######################################## -# -# Unconfined access to this module -# - -# use SELinuxfs -allow selinux_unconfined_type security_t:dir list_dir_perms; -allow selinux_unconfined_type security_t:file rw_file_perms; -allow selinux_unconfined_type boolean_type:file read_file_perms; - -# Access the security API. -allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; - -if(!secure_mode_policyload) { - allow selinux_unconfined_type boolean_type:file rw_file_perms; - allow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; - - ifdef(`distro_rhel4',` - # needed for systems without audit support - auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; - ') -} diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc deleted file mode 100644 index 811b859..0000000 --- a/policy/modules/kernel/storage.fc +++ /dev/null @@ -1,82 +0,0 @@ - -/dev/n?(raw)?[qr]ft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/n?[hs]t[0-9].* -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/n?z?qft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/[shmxv]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) -/dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) -/dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) -/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) -/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -ifdef(`distro_redhat', ` -/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -') -/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) -/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) -/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - -/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - -/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - -/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) -/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) - -/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - -/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - -/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - -/dev/device-mapper -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - -/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - -/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - -/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) - -/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if deleted file mode 100644 index bde6daa..0000000 --- a/policy/modules/kernel/storage.if +++ /dev/null @@ -1,813 +0,0 @@ -## Policy controlling access to storage devices - -######################################## -## -## Allow the caller to get the attributes of fixed disk -## device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_getattr_fixed_disk_dev',` - gen_require(` - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file getattr; -') - -######################################## -## -## Do not audit attempts made by the caller to get -## the attributes of fixed disk device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_getattr_fixed_disk_dev',` - gen_require(` - type fixed_disk_device_t; - ') - - dontaudit $1 fixed_disk_device_t:blk_file getattr; - dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl -') - -######################################## -## -## Allow the caller to set the attributes of fixed disk -## device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_setattr_fixed_disk_dev',` - gen_require(` - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file setattr; -') - -######################################## -## -## Do not audit attempts made by the caller to set -## the attributes of fixed disk device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_setattr_fixed_disk_dev',` - gen_require(` - type fixed_disk_device_t; - ') - - dontaudit $1 fixed_disk_device_t:blk_file setattr; -') - -######################################## -## -## Allow the caller to directly read from a fixed disk. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_raw_read_fixed_disk',` - gen_require(` - attribute fixed_disk_raw_read; - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; - #577012 - allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms; - typeattribute $1 fixed_disk_raw_read; -') - -######################################## -## -## Do not audit attempts made by the caller to read -## fixed disk device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_read_fixed_disk',` - gen_require(` - type fixed_disk_device_t; - - ') - - dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms; - dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms; -') - -######################################## -## -## Allow the caller to directly write to a fixed disk. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_raw_write_fixed_disk',` - gen_require(` - attribute fixed_disk_raw_write; - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file write_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file write_chr_file_perms; - typeattribute $1 fixed_disk_raw_write; -') - -######################################## -## -## Do not audit attempts made by the caller to write -## fixed disk device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_write_fixed_disk',` - gen_require(` - type fixed_disk_device_t; - - ') - - dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms; -') - -######################################## -## -## Allow the caller to directly read and write to a fixed disk. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_raw_rw_fixed_disk',` - storage_raw_read_fixed_disk($1) - storage_raw_write_fixed_disk($1) -') - -######################################## -## -## Allow the caller to create fixed disk device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_create_fixed_disk_dev',` - gen_require(` - type fixed_disk_device_t; - ') - - allow $1 self:capability mknod; - - allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; - dev_add_entry_generic_dirs($1) -') - -######################################## -## -## Allow the caller to create fixed disk device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_delete_fixed_disk_dev',` - gen_require(` - type fixed_disk_device_t; - ') - - allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms; - dev_remove_entry_generic_dirs($1) -') - -######################################## -## -## Create, read, write, and delete fixed disk device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_manage_fixed_disk',` - gen_require(` - attribute fixed_disk_raw_read, fixed_disk_raw_write; - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 self:capability mknod; - allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms; - typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; -') - -######################################## -## -## Create block devices in /dev with the fixed disk type -## via an automatic type transition. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_dev_filetrans_fixed_disk',` - gen_require(` - type fixed_disk_device_t; - ') - - dev_filetrans($1, fixed_disk_device_t, blk_file) -') - -######################################## -## -## Create block devices in on a tmpfs filesystem with the -## fixed disk type via an automatic type transition. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_tmpfs_filetrans_fixed_disk',` - gen_require(` - type fixed_disk_device_t; - ') - - fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file) -') - -######################################## -## -## Relabel fixed disk device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_relabel_fixed_disk',` - gen_require(` - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms; -') - -######################################## -## -## Enable a fixed disk device as swap space -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_swapon_fixed_disk',` - gen_require(` - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file { getattr swapon }; -') - -######################################## -## -## Allow the caller to get the attributes -## of device nodes of fuse devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_getattr_fuse_dev',` - gen_require(` - type fuse_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fuse_device_t:chr_file getattr; -') - -######################################## -## -## read or write fuse device interfaces. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_rw_fuse',` - gen_require(` - type fuse_device_t; - ') - - allow $1 fuse_device_t:chr_file rw_file_perms; -') - -######################################## -## -## Do not audit attempts to read or write -## fuse device interfaces. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_rw_fuse',` - gen_require(` - type fuse_device_t; - ') - - dontaudit $1 fuse_device_t:chr_file rw_file_perms; -') - -######################################## -## -## Allow the caller to get the attributes of -## the generic SCSI interface device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_getattr_scsi_generic_dev',` - gen_require(` - type scsi_generic_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file getattr; -') - -######################################## -## -## Allow the caller to set the attributes of -## the generic SCSI interface device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_setattr_scsi_generic_dev',` - gen_require(` - type scsi_generic_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file setattr; -') - -######################################## -## -## Allow the caller to directly read, in a -## generic fashion, from any SCSI device. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_read_scsi_generic',` - gen_require(` - attribute scsi_generic_read; - type scsi_generic_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file read_chr_file_perms; - typeattribute $1 scsi_generic_read; -') - -######################################## -## -## Allow the caller to directly write, in a -## generic fashion, from any SCSI device. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_write_scsi_generic',` - gen_require(` - attribute scsi_generic_write; - type scsi_generic_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file write_chr_file_perms; - typeattribute $1 scsi_generic_write; -') - -######################################## -## -## Set attributes of the device nodes -## for the SCSI generic inerface. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_setattr_scsi_generic_dev_dev',` - gen_require(` - type scsi_generic_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file setattr; -') - -######################################## -## -## Do not audit attempts to read or write -## SCSI generic device interfaces. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_rw_scsi_generic',` - gen_require(` - type scsi_generic_device_t; - ') - - dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms; -') - -######################################## -## -## Allow the caller to get the attributes of removable -## devices device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_getattr_removable_dev',` - gen_require(` - type removable_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file getattr; -') - -######################################## -## -## Do not audit attempts made by the caller to get -## the attributes of removable devices device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_getattr_removable_dev',` - gen_require(` - type removable_device_t; - ') - - dontaudit $1 removable_device_t:blk_file getattr; -') - -######################################## -## -## Do not audit attempts made by the caller to read -## removable devices device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_read_removable_device',` - gen_require(` - type removable_device_t; - - ') - - dontaudit $1 removable_device_t:blk_file read_blk_file_perms; -') - -######################################## -## -## Do not audit attempts made by the caller to write -## removable devices device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_write_removable_device',` - gen_require(` - type removable_device_t; - ') - - dontaudit $1 removable_device_t:blk_file write_blk_file_perms; -') - -######################################## -## -## Allow the caller to set the attributes of removable -## devices device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_setattr_removable_dev',` - gen_require(` - type removable_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file setattr; -') - -######################################## -## -## Do not audit attempts made by the caller to set -## the attributes of removable devices device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_setattr_removable_dev',` - gen_require(` - type removable_device_t; - ') - - dontaudit $1 removable_device_t:blk_file setattr; -') - -######################################## -## -## Allow the caller to directly read from -## a removable device. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_raw_read_removable_device',` - gen_require(` - type removable_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file read_blk_file_perms; -') - -######################################## -## -## Do not audit attempts to directly read removable devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_raw_read_removable_device',` - gen_require(` - type removable_device_t; - ') - - dontaudit $1 removable_device_t:blk_file read_blk_file_perms; -') - -######################################## -## -## Allow the caller to directly write to -## a removable device. -## This is extremly dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_raw_write_removable_device',` - gen_require(` - type removable_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file write_blk_file_perms; -') - -######################################## -## -## Do not audit attempts to directly write removable devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`storage_dontaudit_raw_write_removable_device',` - gen_require(` - type removable_device_t; - ') - - dontaudit $1 removable_device_t:blk_file write_blk_file_perms; -') - -######################################## -## -## Allow the caller to directly read -## a tape device. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_read_tape',` - gen_require(` - type tape_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tape_device_t:chr_file read_chr_file_perms; -') - -######################################## -## -## Allow the caller to directly read -## a tape device. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_write_tape',` - gen_require(` - type tape_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tape_device_t:chr_file write_chr_file_perms; -') - -######################################## -## -## Allow the caller to get the attributes -## of device nodes of tape devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_getattr_tape_dev',` - gen_require(` - type tape_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tape_device_t:chr_file getattr; -') - -######################################## -## -## Allow the caller to set the attributes -## of device nodes of tape devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_setattr_tape_dev',` - gen_require(` - type tape_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tape_device_t:chr_file setattr; -') - -######################################## -## -## Unconfined access to storage devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`storage_unconfined',` - gen_require(` - attribute storage_unconfined_type; - ') - - typeattribute $1 storage_unconfined_type; -') diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te deleted file mode 100644 index b80b3e9..0000000 --- a/policy/modules/kernel/storage.te +++ /dev/null @@ -1,59 +0,0 @@ -policy_module(storage, 1.8.2) - -######################################## -# -# Declarations -# - -attribute fixed_disk_raw_read; -attribute fixed_disk_raw_write; -attribute scsi_generic_read; -attribute scsi_generic_write; -attribute storage_unconfined_type; - -# -# fixed_disk_device_t is the type of -# /dev/hd* and /dev/sd*. -# -type fixed_disk_device_t; -dev_node(fixed_disk_device_t) - -neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read; -neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write }; - -# -# fuse_device_t is the type of /dev/fuse -# -type fuse_device_t; -dev_node(fuse_device_t) - -# -# scsi_generic_device_t is the type of /dev/sg* -# it gives access to ALL SCSI devices (both fixed and removable) -# -type scsi_generic_device_t; -dev_node(scsi_generic_device_t) - -neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read; -neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write }; - -# -# removable_device_t is the type of -# /dev/scd* and /dev/fd*. -# -type removable_device_t; -dev_node(removable_device_t) - -# -# tape_device_t is the type of -# -type tape_device_t; -dev_node(tape_device_t) - -######################################## -# -# Unconfined access to this module -# - -allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *; -allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *; diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc deleted file mode 100644 index 3994e57..0000000 --- a/policy/modules/kernel/terminal.fc +++ /dev/null @@ -1,42 +0,0 @@ - -/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/[pt]ty[a-ep-z][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0) -/dev/adb.* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/capi.* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/console -c gen_context(system_u:object_r:console_device_t,s0) -/dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) -/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) -/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/tty -c gen_context(system_u:object_r:devtty_t,s0) -/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) - -/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) - -/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) - -/dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) - -/dev/usb/tty.* -c gen_context(system_u:object_r:usbtty_device_t,s0) - -/dev/vcc?/.* -c gen_context(system_u:object_r:tty_device_t,s0) - -/dev/vcs[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) - -/dev/xvc[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0) - -ifdef(`distro_gentoo',` -/dev/tts/[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0) - -# used by init scripts to initally populate udev /dev -/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) -') diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if deleted file mode 100644 index 87a6942..0000000 --- a/policy/modules/kernel/terminal.if +++ /dev/null @@ -1,1476 +0,0 @@ -## Policy for terminals. -## -## Depended on by other required modules. -## - -######################################## -## -## Transform specified type into a pty type. -## -## -## -## An object type that will applied to a pty. -## -## -# -interface(`term_pty',` - gen_require(` - attribute ptynode; - type devpts_t; - ') - - dev_node($1) - allow $1 devpts_t:filesystem associate; - typeattribute $1 ptynode; -') - -######################################## -## -## Transform specified type into an user -## pty type. This allows it to be relabeled via -## type change by login programs such as ssh. -## -## -## -## The type of the user domain associated with -## this pty. -## -## -## -## -## An object type that will applied to a pty. -## -## -# -interface(`term_user_pty',` - gen_require(` - attribute server_ptynode; - ') - - term_pty($2) - type_change $1 server_ptynode:chr_file $2; -') - -######################################## -## -## Transform specified type into a pty type -## used by login programs, such as sshd. -## -## -## -## An object type that will applied to a pty. -## -## -# -interface(`term_login_pty',` - gen_require(` - attribute server_ptynode; - ') - - term_pty($1) - typeattribute $1 server_ptynode; -') - -######################################## -## -## Transform specified type into a tty type. -## -## -## -## An object type that will applied to a tty. -## -## -# -interface(`term_tty',` - gen_require(` - attribute ttynode, serial_device; - type tty_device_t; - ') - - typeattribute $1 ttynode, serial_device; - - dev_node($1) -') - -######################################## -## -## Transform specified type into a user tty type. -## -## -## -## User domain that is related to this tty. -## -## -## -## -## An object type that will applied to a tty. -## -## -# -interface(`term_user_tty',` - gen_require(` - attribute ttynode; - type tty_device_t; - ') - - term_tty($2) - - type_change $1 tty_device_t:chr_file $2; - - # Debian login is from shadow utils and does not allow resetting the perms. - # have to fix this! - ifdef(`distro_debian',` - type_change $1 ttynode:chr_file $2; - ') -') - -######################################## -## -## Create a pty in the /dev/pts directory. -## -## -## -## The type of the process creating the pty. -## -## -## -## -## The type of the pty. -## -## -# -interface(`term_create_pty',` - gen_require(` - type bsdpty_device_t, devpts_t, ptmx_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 ptmx_t:chr_file rw_file_perms; - - allow $1 devpts_t:dir list_dir_perms; - allow $1 devpts_t:filesystem getattr; - dontaudit $1 bsdpty_device_t:chr_file { getattr read write }; - type_transition $1 devpts_t:chr_file $2; -') - -######################################## -## -## Write the console, all -## ttys and all ptys. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_write_all_terms',` - gen_require(` - attribute ttynode, ptynode; - type console_device_t, devpts_t, tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file write_chr_file_perms; -') - -######################################## -## -## Read and write the console, all -## ttys and all ptys. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_use_all_terms',` - gen_require(` - attribute ttynode, ptynode; - type console_device_t, devpts_t, tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; -') - -######################################## -## -## Write to the console. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_write_console',` - gen_require(` - type console_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file write_chr_file_perms; -') - -######################################## -## -## Read from the console. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_read_console',` - gen_require(` - type console_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file read_chr_file_perms; -') - -######################################## -## -## Do not audit attempts to read from the console. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`term_dontaudit_read_console',` - gen_require(` - type console_device_t; - ') - - dontaudit $1 console_device_t:chr_file read_chr_file_perms; -') - -######################################## -## -## Read from and write to the console. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_use_console',` - gen_require(` - type console_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file rw_chr_file_perms; -') - -######################################## -## -## Do not audit attemtps to read from -## or write to the console. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; - type tty_device_t; - ') - - dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms; - dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; -') - -######################################## -## -## Set the attributes of the console -## device node. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_setattr_console',` - gen_require(` - type console_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file setattr; -') - -######################################## -## -## Relabel from and to the console type. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_relabel_console',` - gen_require(` - type console_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file relabel_chr_file_perms; -') - -######################################## -## -## Create the console device (/dev/console). -## -## -## -## Domain allowed access. -## -## -# -interface(`term_create_console_dev',` - gen_require(` - type console_device_t; - ') - - dev_add_entry_generic_dirs($1) - allow $1 console_device_t:chr_file create; - allow $1 self:capability mknod; -') - -######################################## -## -## Get the attributes of a pty filesystem -## -## -## -## Domain allowed access. -## -## -# -interface(`term_getattr_pty_fs',` - gen_require(` - type devpts_t; - ') - - allow $1 devpts_t:filesystem getattr; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of the /dev/pts directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_getattr_pty_dirs',` - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:dir getattr; -') - -######################################## -## -## Search the contents of the /dev/pts directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_search_ptys',` - gen_require(` - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to search the -## contents of the /dev/pts directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_search_ptys',` - gen_require(` - type devpts_t; - ') - - dev_dontaudit_list_all_dev_nodes($1) - dontaudit $1 devpts_t:dir search_dir_perms; -') - -######################################## -## -## Read the /dev/pts directory to -## list all ptys. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_list_ptys',` - gen_require(` - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to read the -## /dev/pts directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_list_ptys',` - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:dir { getattr search read }; -') - -######################################## -## -## Do not audit attempts to create, read, -## write, or delete the /dev/pts directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_manage_pty_dirs',` - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:dir manage_dir_perms; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of generic pty devices. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_getattr_generic_ptys',` - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:chr_file getattr; -') -######################################## -## -## ioctl of generic pty devices. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for ppp -interface(`term_ioctl_generic_ptys',` - gen_require(` - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir search; - allow $1 devpts_t:chr_file ioctl; -') - -######################################## -## -## Allow setting the attributes of -## generic pty devices. -## -## -## -## Domain allowed access. -## -## -# -# dwalsh: added for rhgb -interface(`term_setattr_generic_ptys',` - gen_require(` - type devpts_t; - ') - - allow $1 devpts_t:chr_file setattr; -') - -######################################## -## -## Dontaudit setting the attributes of -## generic pty devices. -## -## -## -## Domain to not audit. -## -## -# -# dwalsh: added for rhgb -interface(`term_dontaudit_setattr_generic_ptys',` - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:chr_file setattr; -') - -######################################## -## -## Read and write the generic pty -## type. This is generally only used in -## the targeted policy. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_use_generic_ptys',` - gen_require(` - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 devpts_t:chr_file { rw_term_perms lock append }; -') - -######################################## -## -## Dot not audit attempts to read and -## write the generic pty type. This is -## generally only used in the targeted policy. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_use_generic_ptys',` - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; -') - -####################################### -## -## Set the attributes of the tty device -## -## -## -## Domain allowed access. -## -## -# -interface(`term_setattr_controlling_term',` - gen_require(` - type devtty_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file setattr; -') - -######################################## -## -## Read and write the controlling -## terminal (/dev/tty). -## -## -## -## Domain allowed access. -## -## -# -interface(`term_use_controlling_term',` - gen_require(` - type devtty_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file { rw_term_perms lock append }; -') - -######################################## -## -## Do not audit attempts to get attributes -## on the pty multiplexor (/dev/ptmx). -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_getattr_ptmx',` - gen_require(` - type ptmx_t; - ') - - dontaudit $1 ptmx_t:chr_file getattr; -') - -######################################## -## -## Read and write the pty multiplexor (/dev/ptmx). -## -## -## -## Domain allowed access. -## -## -# -interface(`term_use_ptmx',` - gen_require(` - type ptmx_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 ptmx_t:chr_file rw_file_perms; -') - -######################################## -## -## Do not audit attempts to read and -## write the pty multiplexor (/dev/ptmx). -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_use_ptmx',` - gen_require(` - type ptmx_t; - ') - - dontaudit $1 ptmx_t:chr_file { getattr read write }; -') - -######################################## -## -## Get the attributes of all -## pty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_getattr_all_ptys',` - gen_require(` - attribute ptynode; - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 ptynode:chr_file getattr; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of any pty -## device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_getattr_all_ptys',` - gen_require(` - attribute ptynode; - ') - - dontaudit $1 ptynode:chr_file getattr; -') - -######################################## -## -## Set the attributes of all -## pty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_setattr_all_ptys',` - gen_require(` - attribute ptynode; - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 ptynode:chr_file setattr; -') - -######################################## -## -## Relabel to all ptys. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_relabelto_all_ptys',` - gen_require(` - attribute ptynode; - ') - - allow $1 ptynode:chr_file relabelto; -') - -######################################## -## -## Write to all ptys. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_write_all_ptys',` - gen_require(` - attribute ptynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ptynode:chr_file write_chr_file_perms; -') - -######################################## -## -## Read and write all ptys. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_use_all_ptys',` - gen_require(` - attribute ptynode; - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 ptynode:chr_file { rw_term_perms lock append }; -') - -######################################## -## -## Do not audit attempts to read or write any ptys. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_use_all_ptys',` - gen_require(` - attribute ptynode; - ') - - dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append }; -') - -######################################## -## -## Relabel from and to all pty device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_relabel_all_ptys',` - gen_require(` - attribute ptynode; - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - relabel_chr_files_pattern($1, devpts_t, ptynode) -') - -######################################## -## -## Get the attributes of all user -## pty device nodes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_getattr_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_getattr_all_ptys() instead.') - term_getattr_all_ptys($1) -') - -######################################## -## -## Do not audit attempts to get the -## attributes of any user pty -## device nodes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`term_dontaudit_getattr_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_dontaudit_getattr_all_ptys() instead.') - term_dontaudit_getattr_all_ptys($1) -') - -######################################## -## -## Set the attributes of all user -## pty device nodes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_setattr_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_setattr_all_ptys() instead.') - term_setattr_all_ptys($1) -') - -######################################## -## -## Relabel to all user ptys. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`term_relabelto_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_relabelto_all_ptys() instead.') - term_relabelto_all_ptys($1) -') - -######################################## -## -## Write to all user ptys. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`term_write_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_write_all_ptys() instead.') - term_write_all_ptys($1) -') - -######################################## -## -## Read and write all user ptys. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_use_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_use_all_ptys() instead.') - term_use_all_ptys($1) -') - -######################################## -## -## Do not audit attempts to read any -## user ptys. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_use_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_dontaudit_use_all_ptys() instead.') - term_dontaudit_use_all_ptys($1) -') - -######################################## -## -## Relabel from and to all user -## user pty device nodes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`term_relabel_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_relabel_all_ptys() instead.') - term_relabel_all_ptys($1) -') - -######################################## -## -## Get the attributes of all unallocated -## tty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_getattr_unallocated_ttys',` - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of all unallocated tty device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_getattr_unallocated_ttys',` - gen_require(` - type tty_device_t; - ') - - dontaudit $1 tty_device_t:chr_file getattr; -') - -######################################## -## -## Set the attributes of all unallocated -## tty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_setattr_unallocated_ttys',` - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file setattr; -') - -######################################## -## -## Do not audit attempts to set the attributes -## of unallocated tty device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_setattr_unallocated_ttys',` - gen_require(` - type tty_device_t; - ') - - dontaudit $1 tty_device_t:chr_file setattr; -') - -######################################## -## -## Do not audit attempts to ioctl -## unallocated tty device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_ioctl_unallocated_ttys',` - gen_require(` - type tty_device_t; - ') - - dontaudit $1 tty_device_t:chr_file ioctl; -') - -######################################## -## -## Relabel from and to the unallocated -## tty type. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_relabel_unallocated_ttys',` - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file relabel_chr_file_perms; -') - -######################################## -## -## Relabel from all user tty types to -## the unallocated tty type. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_reset_tty_labels',` - gen_require(` - attribute ttynode; - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file relabelfrom; - allow $1 tty_device_t:chr_file relabelto; -') - -######################################## -## -## Append to unallocated ttys. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_append_unallocated_ttys',` - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file append_chr_file_perms; -') - -######################################## -## -## Write to unallocated ttys. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_write_unallocated_ttys',` - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file write_chr_file_perms; -') - -######################################## -## -## Read and write unallocated ttys. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_use_unallocated_ttys',` - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file rw_chr_file_perms; -') - -######################################## -## -## Do not audit attempts to read or -## write unallocated ttys. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_use_unallocated_ttys',` - gen_require(` - type tty_device_t; - ') - - dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; -') - -######################################## -## -## Get the attributes of all tty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_getattr_all_ttys',` - gen_require(` - type tty_device_t; - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file getattr; - allow $1 tty_device_t:chr_file getattr; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of any tty device nodes. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_getattr_all_ttys',` - gen_require(` - attribute ttynode; - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - dontaudit $1 ttynode:chr_file getattr; - dontaudit $1 tty_device_t:chr_file getattr; -') - -######################################## -## -## Set the attributes of all tty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_setattr_all_ttys',` - gen_require(` - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file setattr; -') - -######################################## -## -## Relabel from and to all tty device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_relabel_all_ttys',` - gen_require(` - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file relabel_chr_file_perms; -') - -######################################## -## -## Write to all ttys. -## -## -## -## Domain allowed access. -## -## -# -interface(`term_write_all_ttys',` - gen_require(` - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file write_chr_file_perms; -') - -######################################## -## -## Read and write all ttys. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_use_all_ttys',` - gen_require(` - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file rw_chr_file_perms; -') - -######################################## -## -## Do not audit attempts to read or write -## any ttys. -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_use_all_ttys',` - gen_require(` - attribute ttynode; - ') - - dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms; -') - -######################################## -## -## Get the attributes of all user tty -## device nodes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_getattr_all_user_ttys',` - refpolicywarn(`$0() is deprecated, use term_getattr_all_ttys() instead.') - term_getattr_all_ttys($1) -') - -######################################## -## -## Do not audit attempts to get the -## attributes of any user tty -## device nodes. (Deprecated) -## -## -## -## Domain to not audit. -## -## -# -interface(`term_dontaudit_getattr_all_user_ttys',` - refpolicywarn(`$0() is deprecated, use term_dontaudit_getattr_all_ttys() instead.') - term_dontaudit_getattr_all_ttys($1) -') - -######################################## -## -## Set the attributes of all user tty -## device nodes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_setattr_all_user_ttys',` - refpolicywarn(`$0() is deprecated, use term_setattr_all_ttys() instead.') - term_setattr_all_ttys($1) -') - -######################################## -## -## Relabel from and to all user -## user tty device nodes. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`term_relabel_all_user_ttys',` - refpolicywarn(`$0() is deprecated, use term_relabel_all_ttys() instead.') - term_relabel_all_ttys($1) -') - -######################################## -## -## Write to all user ttys. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`term_write_all_user_ttys',` - refpolicywarn(`$0() is deprecated, use term_write_all_ttys() instead.') - term_write_all_ttys($1) -') - -######################################## -## -## Read and write all user to all user ttys. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`term_use_all_user_ttys',` - refpolicywarn(`$0() is deprecated, use term_use_all_ttys() instead.') - term_use_all_ttys($1) -') - -######################################## -## -## Do not audit attempts to read or write -## any user ttys. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`term_dontaudit_use_all_user_ttys',` - refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') - term_dontaudit_use_all_ttys($1) -') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te deleted file mode 100644 index a5deade..0000000 --- a/policy/modules/kernel/terminal.te +++ /dev/null @@ -1,59 +0,0 @@ -policy_module(terminal, 1.8.1) - -######################################## -# -# Declarations -# -attribute ttynode; -attribute ptynode; -attribute server_ptynode; -attribute serial_device; - -# -# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] -type bsdpty_device_t; -dev_node(bsdpty_device_t) - -# -# console_device_t is the type of /dev/console. -# -type console_device_t; -dev_node(console_device_t) - -# -# devpts_t is the type of the devpts file system and -# the type of the root directory of the file system. -# -type devpts_t; -files_mountpoint(devpts_t) -fs_associate_tmpfs(devpts_t) -fs_type(devpts_t) -fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); -dev_associate(devpts_t) - -# -# devtty_t is the type of /dev/tty. -# -type devtty_t; -dev_node(devtty_t) -mls_trusted_object(devtty_t) - -# -# ptmx_t is the type for /dev/ptmx. -# -type ptmx_t; -dev_node(ptmx_t) -mls_trusted_object(ptmx_t) -allow ptmx_t devpts_t:filesystem associate; - -# -# tty_device_t is the type of /dev/*tty* -# -type tty_device_t, serial_device; -dev_node(tty_device_t) - -# -# usbtty_device_t is the type of /dev/usr/tty* -# -type usbtty_device_t, serial_device; -dev_node(usbtty_device_t) diff --git a/policy/modules/kernel/ubac.fc b/policy/modules/kernel/ubac.fc deleted file mode 100644 index 778366f..0000000 --- a/policy/modules/kernel/ubac.fc +++ /dev/null @@ -1 +0,0 @@ -# no UBAC file contexts diff --git a/policy/modules/kernel/ubac.if b/policy/modules/kernel/ubac.if deleted file mode 100644 index 464f759..0000000 --- a/policy/modules/kernel/ubac.if +++ /dev/null @@ -1,197 +0,0 @@ -## User-based access control policy -## -## Contains attributes used in UBAC policy. -## - -######################################## -## -## Constrain by user-based access control (UBAC). -## -## -##

-## Constrain the specified type by user-based -## access control (UBAC). Typically, these are -## user processes or user files that need to be -## differentiated by SELinux user. Normally this -## does not include administrative or privileged -## programs. For the UBAC rules to be enforced, -## both the subject (source) type and the object -## (target) types must be UBAC constrained. -##

-##
-## -## -## Type to be constrained by UBAC. -## -## -## -# -interface(`ubac_constrained',` - gen_require(` - attribute ubac_constrained_type; - ') - - typeattribute $1 ubac_constrained_type; -') - -######################################## -## -## Exempt user-based access control for files. -## -## -## -## Domain to be exempted. -## -## -# -interface(`ubac_file_exempt',` - gen_require(` - attribute ubacfile; - ') - - typeattribute $1 ubacfile; -') - -######################################## -## -## Exempt user-based access control for processes. -## -## -## -## Domain to be exempted. -## -## -# -interface(`ubac_process_exempt',` - gen_require(` - attribute ubacproc; - ') - - typeattribute $1 ubacproc; -') - -######################################## -## -## Exempt user-based access control for file descriptors. -## -## -## -## Domain to be exempted. -## -## -# -interface(`ubac_fd_exempt',` - gen_require(` - attribute ubacfd; - ') - - typeattribute $1 ubacfd; -') - -######################################## -## -## Exempt user-based access control for sockets. -## -## -## -## Domain to be exempted. -## -## -# -interface(`ubac_socket_exempt',` - gen_require(` - attribute ubacsock; - ') - - typeattribute $1 ubacsock; -') - -######################################## -## -## Exempt user-based access control for SysV IPC. -## -## -## -## Domain to be exempted. -## -## -# -interface(`ubac_sysvipc_exempt',` - gen_require(` - attribute ubacipc; - ') - - typeattribute $1 ubacipc; -') - -######################################## -## -## Exempt user-based access control for X Windows. -## -## -## -## Domain to be exempted. -## -## -# -interface(`ubac_xwin_exempt',` - gen_require(` - attribute ubacxwin; - ') - - typeattribute $1 ubacxwin; -') - -######################################## -## -## Exempt user-based access control for dbus. -## -## -## -## Domain to be exempted. -## -## -# -interface(`ubac_dbus_exempt',` - gen_require(` - attribute ubacdbus; - ') - - typeattribute $1 ubacdbus; -') - -######################################## -## -## Exempt user-based access control for keys. -## -## -## -## Domain to be exempted. -## -## -# -interface(`ubac_key_exempt',` - gen_require(` - attribute ubackey; - ') - - typeattribute $1 ubackey; -') - -######################################## -## -## Exempt user-based access control for databases. -## -## -## -## Domain to be exempted. -## -## -# -interface(`ubac_db_exempt',` - gen_require(` - attribute ubacdb; - ') - - typeattribute $1 ubacdb; -') diff --git a/policy/modules/kernel/ubac.te b/policy/modules/kernel/ubac.te deleted file mode 100644 index 0a57c41..0000000 --- a/policy/modules/kernel/ubac.te +++ /dev/null @@ -1,19 +0,0 @@ -policy_module(ubac, 1.0.0) - -######################################## -# -# Declarations -# - -attribute ubac_constrained_type; - -attribute ubacfile; -attribute ubacproc; -attribute ubacsock; -attribute ubacfd; -attribute ubacipc; -attribute ubacxwin; -attribute ubacdbus; -attribute ubackey; -attribute ubacdb; - diff --git a/policy/modules/roles/auditadm.fc b/policy/modules/roles/auditadm.fc deleted file mode 100644 index 601a7b0..0000000 --- a/policy/modules/roles/auditadm.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/auditadm.if b/policy/modules/roles/auditadm.if deleted file mode 100644 index d320022..0000000 --- a/policy/modules/roles/auditadm.if +++ /dev/null @@ -1,50 +0,0 @@ -## Audit administrator role - -######################################## -## -## Change to the audit administrator role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`auditadm_role_change',` - gen_require(` - role auditadm_r; - ') - - allow $1 auditadm_r; -') - -######################################## -## -## Change from the audit administrator role. -## -## -##

-## Change from the audit administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`auditadm_role_change_to',` - gen_require(` - role auditadm_r; - ') - - allow auditadm_r $1; -') diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te deleted file mode 100644 index a1bbe8f..0000000 --- a/policy/modules/roles/auditadm.te +++ /dev/null @@ -1,65 +0,0 @@ -policy_module(auditadm, 2.1.0) - -######################################## -# -# Declarations -# - -role auditadm_r; - -userdom_unpriv_user_template(auditadm) - -######################################## -# -# Local policy -# - -allow auditadm_t self:capability { dac_read_search dac_override }; - -kernel_read_ring_buffer(auditadm_t) - -corecmd_exec_shell(auditadm_t) - -domain_kill_all_domains(auditadm_t) - -logging_send_syslog_msg(auditadm_t) -logging_read_generic_logs(auditadm_t) -logging_manage_audit_log(auditadm_t) -logging_manage_audit_config(auditadm_t) -logging_run_auditctl(auditadm_t, auditadm_r) -logging_run_auditd(auditadm_t, auditadm_r) -logging_stream_connect_syslog(auditadm_t) - -seutil_run_runinit(auditadm_t, auditadm_r) -seutil_read_bin_policy(auditadm_t) - -userdom_dontaudit_search_admin_dir(auditadm_t) - -optional_policy(` - consoletype_exec(auditadm_t) -') - -optional_policy(` - dmesg_exec(auditadm_t) -') - -optional_policy(` - screen_role_template(auditadm, auditadm_r, auditadm_t) -') - -optional_policy(` - secadm_role_change(auditadm_r) -') - -optional_policy(` - su_role_template(auditadm, auditadm_r, auditadm_t) -') - -optional_policy(` - sudo_role_template(auditadm, auditadm_r, auditadm_t) -') - -optional_policy(` - sysadm_role_change(auditadm_r) -') - diff --git a/policy/modules/roles/dbadm.fc b/policy/modules/roles/dbadm.fc deleted file mode 100644 index e6aa2fb..0000000 --- a/policy/modules/roles/dbadm.fc +++ /dev/null @@ -1 +0,0 @@ -# No dbadm file contexts diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if deleted file mode 100644 index 56f2af7..0000000 --- a/policy/modules/roles/dbadm.if +++ /dev/null @@ -1,50 +0,0 @@ -## Database administrator role - -######################################## -## -## Change to the database administrator role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`dbadm_role_change',` - gen_require(` - role dbadm_r; - ') - - allow $1 dbadm_r; -') - -######################################## -## -## Change from the database administrator role. -## -## -##

-## Change from the database administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`dbadm_role_change_to',` - gen_require(` - role dbadm_r; - ') - - allow dbadm_r $1; -') diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te deleted file mode 100644 index e9c9277..0000000 --- a/policy/modules/roles/dbadm.te +++ /dev/null @@ -1,65 +0,0 @@ -policy_module(dbadm, 1.0.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow dbadm to manage files in users home directories -##

-##
-gen_tunable(dbadm_manage_user_files, false) - -## -##

-## Allow dbadm to read files in users home directories -##

-##
-gen_tunable(dbadm_read_user_files, false) - -role dbadm_r; - -userdom_base_user_template(dbadm) - -######################################## -# -# database admin local policy -# - -allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; - -files_dontaudit_search_all_dirs(dbadm_t) -files_delete_generic_locks(dbadm_t) -files_list_var(dbadm_t) - -selinux_get_enforce_mode(dbadm_t) - -logging_send_syslog_msg(dbadm_t) -logging_send_audit_msgs(dbadm_t) - -userdom_dontaudit_search_user_home_dirs(dbadm_t) - -tunable_policy(`dbadm_manage_user_files',` - userdom_manage_user_home_content_files(dbadm_t) - userdom_read_user_tmp_files(dbadm_t) - userdom_write_user_tmp_files(dbadm_t) -') - -tunable_policy(`dbadm_read_user_files',` - userdom_read_user_home_content_files(dbadm_t) - userdom_read_user_tmp_files(dbadm_t) -') - -optional_policy(` - mysql_admin(dbadm_t, dbadm_r) -') - -optional_policy(` - postgresql_admin(dbadm_t, dbadm_r) -') - -optional_policy(` - sudo_role_template(dbadm, dbadm_r, dbadm_t) -') diff --git a/policy/modules/roles/guest.fc b/policy/modules/roles/guest.fc deleted file mode 100644 index 601a7b0..0000000 --- a/policy/modules/roles/guest.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/guest.if b/policy/modules/roles/guest.if deleted file mode 100644 index 8906a32..0000000 --- a/policy/modules/roles/guest.if +++ /dev/null @@ -1,50 +0,0 @@ -## Least privledge terminal user role - -######################################## -## -## Change to the guest role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`guest_role_change',` - gen_require(` - role guest_r; - ') - - allow $1 guest_r; -') - -######################################## -## -## Change from the guest role. -## -## -##

-## Change from the guest role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`guest_role_change_to',` - gen_require(` - role guest_r; - ') - - allow guest_r $1; -') diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te deleted file mode 100644 index f332441..0000000 --- a/policy/modules/roles/guest.te +++ /dev/null @@ -1,23 +0,0 @@ -policy_module(guest, 1.1.1) - -######################################## -# -# Declarations -# - -role guest_r; - -userdom_restricted_user_template(guest) - -kernel_read_system_state(guest_t) - -######################################## -# -# Local policy -# - -optional_policy(` - apache_role(guest_r, guest_t) -') - -gen_user(guest_u, user, guest_r, s0, s0) diff --git a/policy/modules/roles/logadm.fc b/policy/modules/roles/logadm.fc deleted file mode 100644 index 601a7b0..0000000 --- a/policy/modules/roles/logadm.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/logadm.if b/policy/modules/roles/logadm.if deleted file mode 100644 index c9740e5..0000000 --- a/policy/modules/roles/logadm.if +++ /dev/null @@ -1,50 +0,0 @@ -## Log administrator role - -######################################## -## -## Change to the log administrator role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`logadm_role_change',` - gen_require(` - role logadm_r; - ') - - allow $1 logadm_r; -') - -######################################## -## -## Change from the log administrator role. -## -## -##

-## Change from the log administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`logadm_role_change_to',` - gen_require(` - role logadm_r; - ') - - allow logadm_r $1; -') diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te deleted file mode 100644 index 3a45a3e..0000000 --- a/policy/modules/roles/logadm.te +++ /dev/null @@ -1,19 +0,0 @@ -policy_module(logadm, 1.0.0) - -######################################## -# -# Declarations -# - -role logadm_r; - -userdom_base_user_template(logadm) - -######################################## -# -# logadmin local policy -# - -allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; - -logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/roles/metadata.xml b/policy/modules/roles/metadata.xml deleted file mode 100644 index ba002e8..0000000 --- a/policy/modules/roles/metadata.xml +++ /dev/null @@ -1 +0,0 @@ -Policy modules for user roles. diff --git a/policy/modules/roles/secadm.fc b/policy/modules/roles/secadm.fc deleted file mode 100644 index 601a7b0..0000000 --- a/policy/modules/roles/secadm.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/secadm.if b/policy/modules/roles/secadm.if deleted file mode 100644 index bb6a5fe..0000000 --- a/policy/modules/roles/secadm.if +++ /dev/null @@ -1,51 +0,0 @@ -## Security administrator role - -######################################## -## -## Change to the security administrator role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`secadm_role_change',` - gen_require(` - role secadm_r; - ') - - allow $1 secadm_r; -') - -######################################## -## -## Change from the security administrator role. -## -## -##

-## Change from the security administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`secadm_role_change_to_template',` - gen_require(` - role secadm_r; - ') - - allow secadm_r $1; -') - diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te deleted file mode 100644 index e3a1987..0000000 --- a/policy/modules/roles/secadm.te +++ /dev/null @@ -1,75 +0,0 @@ -policy_module(secadm, 2.1.0) - -######################################## -# -# Declarations -# - -role secadm_r; - -userdom_unpriv_user_template(secadm) -userdom_security_admin_template(secadm_t, secadm_r) -userdom_inherit_append_admin_home_files(secadm_t) -userdom_read_admin_home_files(secadm_t) - -######################################## -# -# Local policy -# - -allow secadm_t self:capability { dac_read_search dac_override }; - -corecmd_exec_shell(secadm_t) - -dev_relabel_all_dev_nodes(secadm_t) - -domain_obj_id_change_exemption(secadm_t) - -mls_process_read_up(secadm_t) -mls_file_read_all_levels(secadm_t) -mls_file_write_all_levels(secadm_t) -mls_file_upgrade(secadm_t) -mls_file_downgrade(secadm_t) - -auth_role(secadm_r, secadm_t) -auth_relabel_all_files_except_shadow(secadm_t) -auth_relabel_shadow(secadm_t) - -init_exec(secadm_t) - -logging_read_audit_log(secadm_t) -logging_read_generic_logs(secadm_t) -logging_read_audit_config(secadm_t) - -optional_policy(` - aide_run(secadm_t, secadm_r) -') - -optional_policy(` - auditadm_role_change(secadm_r) -') - -optional_policy(` - dmesg_exec(secadm_t) -') - -optional_policy(` - netlabel_run_mgmt(secadm_t, secadm_r) -') - -optional_policy(` - screen_role_template(secadm, secadm_r, secadm_t) -') - -optional_policy(` - su_role_template(secadm, secadm_r, secadm_t) -') - -optional_policy(` - sudo_role_template(secadm, secadm_r, secadm_t) -') - -optional_policy(` - sysadm_role_change(secadm_r) -') - diff --git a/policy/modules/roles/staff.fc b/policy/modules/roles/staff.fc deleted file mode 100644 index 601a7b0..0000000 --- a/policy/modules/roles/staff.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if deleted file mode 100644 index 234a940..0000000 --- a/policy/modules/roles/staff.if +++ /dev/null @@ -1,50 +0,0 @@ -## Administrator's unprivileged user role - -######################################## -## -## Change to the staff role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`staff_role_change',` - gen_require(` - role staff_r; - ') - - allow $1 staff_r; -') - -######################################## -## -## Change from the staff role. -## -## -##

-## Change from the staff role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`staff_role_change_to',` - gen_require(` - role staff_r; - ') - - allow staff_r $1; -') diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te deleted file mode 100644 index 571c76e..0000000 --- a/policy/modules/roles/staff.te +++ /dev/null @@ -1,279 +0,0 @@ -policy_module(staff, 2.1.2) - -######################################## -# -# Declarations -# - -role staff_r; - -userdom_unpriv_user_template(staff) -fs_exec_noxattr(staff_t) - -# needed for sandbox -allow staff_t self:process setexec; - -######################################## -# -# Local policy -# - -kernel_read_ring_buffer(staff_usertype) -kernel_getattr_core_if(staff_usertype) -kernel_getattr_message_if(staff_usertype) -kernel_read_software_raid_state(staff_usertype) -kernel_read_fs_sysctls(staff_usertype) - -domain_read_all_domains_state(staff_usertype) -domain_getattr_all_domains(staff_usertype) -domain_obj_id_change_exemption(staff_t) - -files_read_kernel_modules(staff_usertype) - -seutil_read_module_store(staff_t) -seutil_run_newrole(staff_t, staff_r) - -term_use_unallocated_ttys(staff_usertype) - -auth_domtrans_pam_console(staff_t) - -init_dbus_chat(staff_t) -init_dbus_chat_script(staff_t) - -miscfiles_read_hwdata(staff_usertype) - -modutils_read_module_config(staff_usertype) -modutils_read_module_deps(staff_usertype) - -netutils_run_ping(staff_t, staff_r) -netutils_signal_ping(staff_t) - -optional_policy(` - apache_role(staff_r, staff_t) -') - -optional_policy(` - auditadm_role_change(staff_r) -') - -optional_policy(` - dbadm_role_change(staff_r) -') - -optional_policy(` - accountsd_dbus_chat(staff_t) - accountsd_read_lib_files(staff_t) -') - -optional_policy(` - gnomeclock_dbus_chat(staff_t) -') - -optional_policy(` - firewallgui_dbus_chat(staff_t) -') - -optional_policy(` - lpd_list_spool(staff_t) -') - -optional_policy(` - kerneloops_dbus_chat(staff_t) -') - -optional_policy(` - logadm_role_change(staff_r) -') - -optional_policy(` - mozilla_run_plugin(staff_t, staff_r) -') - -optional_policy(` - oident_manage_user_content(staff_t) - oident_relabel_user_content(staff_t) -') - -optional_policy(` - postgresql_role(staff_r, staff_t) -') - -optional_policy(` - rtkit_scheduled(staff_t) -') - -optional_policy(` - rpm_dbus_chat(staff_usertype) -') - -optional_policy(` - secadm_role_change(staff_r) -') - -optional_policy(` - sandbox_transition(staff_t, staff_r) -') - -optional_policy(` - screen_role_template(staff, staff_r, staff_t) -') - -optional_policy(` - sysadm_role_change(staff_r) - userdom_dontaudit_use_user_terminals(staff_t) -') -optional_policy(` - setroubleshoot_stream_connect(staff_t) - setroubleshoot_dbus_chat(staff_t) - setroubleshoot_dbus_chat_fixit(staff_t) -') - -optional_policy(` - ssh_role_template(staff, staff_r, staff_t) -') - -optional_policy(` - sudo_role_template(staff, staff_r, staff_t) -') - -optional_policy(` - telepathy_dbus_session_role(staff_r, staff_t) -') - -optional_policy(` - userhelper_console_role_template(staff, staff_r, staff_usertype) -') - -optional_policy(` - unconfined_role_change(staff_r) -') - -optional_policy(` - virt_stream_connect(staff_t) -') - -optional_policy(` - vnstatd_read_lib_files(staff_t) -') - -optional_policy(` - webadm_role_change(staff_r) -') - -optional_policy(` - xserver_role(staff_r, staff_t) -') - -ifndef(`distro_redhat',` - optional_policy(` - auth_role(staff_r, staff_t) - ') - - optional_policy(` - bluetooth_role(staff_r, staff_t) - ') - - optional_policy(` - cdrecord_role(staff_r, staff_t) - ') - - optional_policy(` - cron_role(staff_r, staff_t) - ') - - optional_policy(` - dbus_role_template(staff, staff_r, staff_t) - ') - - optional_policy(` - evolution_role(staff_r, staff_t) - ') - - optional_policy(` - games_role(staff_r, staff_t) - ') - - optional_policy(` - gift_role(staff_r, staff_t) - ') - - optional_policy(` - gnome_role(staff_r, staff_t) - ') - - optional_policy(` - gpg_role(staff_r, staff_t) - ') - - optional_policy(` - irc_role(staff_r, staff_t) - ') - - optional_policy(` - java_role(staff_r, staff_t) - ') - - optional_policy(` - lockdev_role(staff_r, staff_t) - ') - - optional_policy(` - lpd_role(staff_r, staff_t) - ') - - optional_policy(` - mozilla_role(staff_r, staff_t) - ') - - optional_policy(` - mplayer_role(staff_r, staff_t) - ') - - optional_policy(` - mta_role(staff_r, staff_t) - ') - - optional_policy(` - pyzor_role(staff_r, staff_t) - ') - - optional_policy(` - razor_role(staff_r, staff_t) - ') - - optional_policy(` - rssh_role(staff_r, staff_t) - ') - - optional_policy(` - spamassassin_role(staff_r, staff_t) - ') - - optional_policy(` - su_role_template(staff, staff_r, staff_t) - ') - - optional_policy(` - thunderbird_role(staff_r, staff_t) - ') - - optional_policy(` - tvtime_role(staff_r, staff_t) - ') - - optional_policy(` - uml_role(staff_r, staff_t) - ') - - optional_policy(` - userhelper_role_template(staff, staff_r, staff_t) - ') - - optional_policy(` - vmware_role(staff_r, staff_t) - ') - - optional_policy(` - wireshark_role(staff_r, staff_t) - ') -') diff --git a/policy/modules/roles/sysadm.fc b/policy/modules/roles/sysadm.fc deleted file mode 100644 index 601a7b0..0000000 --- a/policy/modules/roles/sysadm.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if deleted file mode 100644 index ff92430..0000000 --- a/policy/modules/roles/sysadm.if +++ /dev/null @@ -1,238 +0,0 @@ -## General system administration role - -######################################## -## -## Change to the system administrator role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`sysadm_role_change',` - gen_require(` - role sysadm_r; - ') - - allow $1 sysadm_r; -') - -######################################## -## -## Change from the system administrator role. -## -## -##

-## Change from the system administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`sysadm_role_change_to',` - gen_require(` - role sysadm_r; - ') - - allow sysadm_r $1; -') - -######################################## -## -## Execute a shell in the sysadm domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_shell_domtrans',` - gen_require(` - type sysadm_t; - ') - - corecmd_shell_domtrans($1, sysadm_t) - allow sysadm_t $1:fd use; - allow sysadm_t $1:fifo_file rw_file_perms; - allow sysadm_t $1:process sigchld; -') - -######################################## -## -## Execute a generic bin program in the sysadm domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_bin_spec_domtrans',` - gen_require(` - type sysadm_t; - ') - - corecmd_bin_spec_domtrans($1, sysadm_t) - allow sysadm_t $1:fd use; - allow sysadm_t $1:fifo_file rw_file_perms; - allow sysadm_t $1:process sigchld; -') - -######################################## -## -## Execute all entrypoint files in the sysadm domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_entry_spec_domtrans',` - gen_require(` - type sysadm_t; - ') - - domain_entry_file_spec_domtrans($1, sysadm_t) - allow sysadm_t $1:fd use; - allow sysadm_t $1:fifo_file rw_file_perms; - allow sysadm_t $1:process sigchld; -') - -######################################## -## -## Allow sysadm to execute all entrypoint files in -## a specified domain. This is an explicit transition, -## requiring the caller to use setexeccon(). -## -## -##

-## Allow sysadm to execute all entrypoint files in -## a specified domain. This is an explicit transition, -## requiring the caller to use setexeccon(). -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`sysadm_entry_spec_domtrans_to',` - gen_require(` - type sysadm_t; - ') - - domain_entry_file_spec_domtrans(sysadm_t, $1) - allow $1 sysadm_t:fd use; - allow $1 sysadm_t:fifo_file rw_file_perms; - allow $1 sysadm_t:process sigchld; -') - -######################################## -## -## Allow sysadm to execute a generic bin program in -## a specified domain. This is an explicit transition, -## requiring the caller to use setexeccon(). -## -## -##

-## Allow sysadm to execute a generic bin program in -## a specified domain. -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain to execute in. -## -## -# -interface(`sysadm_bin_spec_domtrans_to',` - gen_require(` - type sysadm_t; - ') - - corecmd_bin_spec_domtrans(sysadm_t, $1) - allow $1 sysadm_t:fd use; - allow $1 sysadm_t:fifo_file rw_file_perms; - allow $1 sysadm_t:process sigchld; -') - -######################################## -## -## Send a SIGCHLD signal to sysadm users. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_sigchld',` - gen_require(` - type sysadm_t; - ') - - allow $1 sysadm_t:process sigchld; -') - -######################################## -## -## Inherit and use sysadm file descriptors -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_use_fds',` - gen_require(` - type sysadm_t; - ') - - allow $1 sysadm_t:fd use; -') - -######################################## -## -## Read and write sysadm user unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_rw_pipes',` - gen_require(` - type sysadm_t; - ') - - allow $1 sysadm_t:fifo_file rw_fifo_file_perms; -') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te deleted file mode 100644 index 1a95085..0000000 --- a/policy/modules/roles/sysadm.te +++ /dev/null @@ -1,515 +0,0 @@ -policy_module(sysadm, 2.1.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow sysadm to debug or ptrace all processes. -##

-##
-gen_tunable(allow_ptrace, false) - -role sysadm_r; - -userdom_admin_user_template(sysadm) - -ifndef(`enable_mls',` - userdom_security_admin_template(sysadm_t, sysadm_r) -') - -######################################## -# -# Local policy -# -kernel_read_fs_sysctls(sysadm_t) - -corecmd_exec_shell(sysadm_t) - -domain_dontaudit_read_all_domains_state(sysadm_t) - -files_read_kernel_modules(sysadm_t) - -mls_process_read_up(sysadm_t) -mls_file_read_to_clearance(sysadm_t) -mls_process_write_to_clearance(sysadm_t) - -ubac_process_exempt(sysadm_t) -ubac_file_exempt(sysadm_t) -ubac_fd_exempt(sysadm_t) - -application_exec(sysadm_t) - -init_exec(sysadm_t) -init_exec_script_files(sysadm_t) -init_dbus_chat(sysadm_t) -init_script_role_transition(sysadm_r) - -modutils_read_module_deps(sysadm_t) - -miscfiles_read_hwdata(sysadm_t) - -# Add/remove user home directories -userdom_manage_user_home_dirs(sysadm_t) -userdom_home_filetrans_user_home_dir(sysadm_t) -userdom_manage_user_tmp_dirs(sysadm_t) -userdom_manage_user_tmp_files(sysadm_t) -userdom_manage_user_tmp_symlinks(sysadm_t) -userdom_manage_user_tmp_chr_files(sysadm_t) -userdom_manage_user_tmp_blk_files(sysadm_t) - -ifdef(`direct_sysadm_daemon',` - optional_policy(` - init_run_daemon(sysadm_t, sysadm_r) - ') -',` - ifdef(`distro_gentoo',` - optional_policy(` - seutil_init_script_run_runinit(sysadm_t, sysadm_r) - ') - ') -') - -ifndef(`enable_mls',` - logging_manage_audit_log(sysadm_t) - logging_manage_audit_config(sysadm_t) - logging_run_auditctl(sysadm_t, sysadm_r) - logging_stream_connect_syslog(sysadm_t) -') - -tunable_policy(`allow_ptrace',` - domain_ptrace_all_domains(sysadm_t) -') - -optional_policy(` - amanda_run_recover(sysadm_t, sysadm_r) -') - -optional_policy(` - apache_run_helper(sysadm_t, sysadm_r) - #apache_run_all_scripts(sysadm_t, sysadm_r) - #apache_domtrans_sys_script(sysadm_t) -') - -optional_policy(` - # cjp: why is this not apm_run_client - apm_domtrans_client(sysadm_t) -') - -optional_policy(` - apt_run(sysadm_t, sysadm_r) -') - -optional_policy(` - auditadm_role_change(sysadm_r) -') - -optional_policy(` - backup_run(sysadm_t, sysadm_r) -') - -optional_policy(` - bind_run_ndc(sysadm_t, sysadm_r) -') - -optional_policy(` - bootloader_run(sysadm_t, sysadm_r) -') - -optional_policy(` - certmonger_dbus_chat(sysadm_t) -') - -optional_policy(` - certwatch_run(sysadm_t, sysadm_r) -') - -optional_policy(` - clock_run(sysadm_t, sysadm_r) -') - -optional_policy(` - clockspeed_run_cli(sysadm_t, sysadm_r) -') - -optional_policy(` - consoletype_run(sysadm_t, sysadm_r) -') - -optional_policy(` - daemonstools_run_start(sysadm_t, sysadm_r) -') - -optional_policy(` - dcc_run_cdcc(sysadm_t, sysadm_r) - dcc_run_client(sysadm_t, sysadm_r) - dcc_run_dbclean(sysadm_t, sysadm_r) -') - -optional_policy(` - ddcprobe_run(sysadm_t, sysadm_r) -') - -optional_policy(` - dmesg_exec(sysadm_t) -') - -optional_policy(` - dmidecode_run(sysadm_t, sysadm_r) -') - -optional_policy(` - dpkg_run(sysadm_t, sysadm_r) -') - -optional_policy(` - firstboot_run(sysadm_t, sysadm_r) -') - -optional_policy(` - fstools_run(sysadm_t, sysadm_r) -') - -optional_policy(` - hostname_run(sysadm_t, sysadm_r) -') - -optional_policy(` - # allow system administrator to use the ipsec script to look - # at things (e.g., ipsec auto --status) - # probably should create an ipsec_admin role for this kind of thing - ipsec_exec_mgmt(sysadm_t) - ipsec_stream_connect(sysadm_t) - # for lsof - ipsec_getattr_key_sockets(sysadm_t) - ipsec_run_setkey(sysadm_t, sysadm_r) - ipsec_run_racoon(sysadm_t, sysadm_r) - ipsec_stream_connect_racoon(sysadm_t) - - optional_policy(` - ipsec_mgmt_dbus_chat(sysadm_t) - ') -') - -optional_policy(` - iptables_run(sysadm_t, sysadm_r) -') - -optional_policy(` - kerberos_exec_kadmind(sysadm_t) -') - -optional_policy(` - kudzu_run(sysadm_t, sysadm_r) -') - -optional_policy(` - libs_run_ldconfig(sysadm_t, sysadm_r) -') - -optional_policy(` - logrotate_run(sysadm_t, sysadm_r) -') - -optional_policy(` - lpd_run_checkpc(sysadm_t, sysadm_r) - lpd_role(sysadm_r, sysadm_t) -') - -optional_policy(` - lvm_run(sysadm_t, sysadm_r) -') - -optional_policy(` - modutils_run_depmod(sysadm_t, sysadm_r) - modutils_run_insmod(sysadm_t, sysadm_r) - modutils_run_update_mods(sysadm_t, sysadm_r) -') - -optional_policy(` - mount_run(sysadm_t, sysadm_r) - mount_run_showmount(sysadm_t, sysadm_r) -') - -optional_policy(` - mta_role(sysadm_r, sysadm_t) -') - -optional_policy(` - munin_stream_connect(sysadm_t) -') - -optional_policy(` - mysql_stream_connect(sysadm_t) -') - -optional_policy(` - ncftool_run(sysadm_t, sysadm_r) -') - -optional_policy(` - netutils_run(sysadm_t, sysadm_r) - netutils_run_ping(sysadm_t, sysadm_r) - netutils_run_traceroute(sysadm_t, sysadm_r) -') - -optional_policy(` - ntp_stub() - corenet_udp_bind_ntp_port(sysadm_t) -') - -optional_policy(` - oav_run_update(sysadm_t, sysadm_r) -') - -optional_policy(` - oident_manage_user_content(sysadm_t) - oident_relabel_user_content(sysadm_t) -') - -optional_policy(` - pcmcia_run_cardctl(sysadm_t, sysadm_r) -') - -optional_policy(` - portage_run(sysadm_t, sysadm_r) - portage_run_gcc_config(sysadm_t, sysadm_r) -') - -optional_policy(` - portmap_run_helper(sysadm_t, sysadm_r) -') - -optional_policy(` - prelink_run(sysadm_t, sysadm_r) -') - -optional_policy(` - quota_run(sysadm_t, sysadm_r) -') - -optional_policy(` - raid_domtrans_mdadm(sysadm_t) -') - -optional_policy(` - rpc_domtrans_nfsd(sysadm_t) -') - -optional_policy(` - rpm_run(sysadm_t, sysadm_r) -') - - -optional_policy(` - rsync_exec(sysadm_t) -') - -optional_policy(` - samba_run_net(sysadm_t, sysadm_r) - samba_run_winbind_helper(sysadm_t, sysadm_r) -') - -optional_policy(` - screen_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` - secadm_role_change(sysadm_r) -') - -optional_policy(` - seutil_run_setfiles(sysadm_t, sysadm_r) - seutil_run_runinit(sysadm_t, sysadm_r) -') - -optional_policy(` - shutdown_run(sysadm_t, sysadm_r) -') - - -optional_policy(` - ssh_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` - staff_role_change(sysadm_r) -') - -optional_policy(` - su_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` - sudo_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` - sysnet_run_ifconfig(sysadm_t, sysadm_r) - sysnet_run_dhcpc(sysadm_t, sysadm_r) -') - -optional_policy(` - tripwire_run_siggen(sysadm_t, sysadm_r) - tripwire_run_tripwire(sysadm_t, sysadm_r) - tripwire_run_twadmin(sysadm_t, sysadm_r) - tripwire_run_twprint(sysadm_t, sysadm_r) -') - -optional_policy(` - tzdata_domtrans(sysadm_t) -') - -optional_policy(` - unconfined_domtrans(sysadm_t) -') - -optional_policy(` - unprivuser_role_change(sysadm_r) -') - -optional_policy(` - usbmodules_run(sysadm_t, sysadm_r) -') - -optional_policy(` - usermanage_run_admin_passwd(sysadm_t, sysadm_r) - usermanage_run_groupadd(sysadm_t, sysadm_r) - usermanage_run_useradd(sysadm_t, sysadm_r) -') - - -optional_policy(` - vpn_run(sysadm_t, sysadm_r) -') - -optional_policy(` - vpn_run(sysadm_t, sysadm_r) -') - -optional_policy(` - webalizer_run(sysadm_t, sysadm_r) -') - -optional_policy(` - virt_stream_connect(sysadm_t) -') - -optional_policy(` - yam_run(sysadm_t, sysadm_r) -') - -optional_policy(` - zebra_stream_connect(sysadm_t) -') - -ifndef(`distro_redhat',` - optional_policy(` - apache_role(sysadm_r, sysadm_t) - ') - optional_policy(` - auth_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - bluetooth_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - cdrecord_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - cron_admin_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - dbus_role_template(sysadm, sysadm_r, sysadm_t) - ') - - optional_policy(` - evolution_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - games_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - gift_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - gnome_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - gpg_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - irc_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - java_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - lockdev_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - mozilla_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - mplayer_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - pyzor_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - razor_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - rssh_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - spamassassin_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - thunderbird_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - tvtime_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - uml_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - userhelper_role_template(sysadm, sysadm_r, sysadm_t) - ') - - optional_policy(` - vmware_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - wireshark_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - xserver_role(sysadm_r, sysadm_t) - ') -') diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc deleted file mode 100644 index 0e8654b..0000000 --- a/policy/modules/roles/unconfineduser.fc +++ /dev/null @@ -1,8 +0,0 @@ -# Add programs here which should not be confined by SELinux -# e.g.: -# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) -# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) - -/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) -/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if deleted file mode 100644 index 8b2cdf3..0000000 --- a/policy/modules/roles/unconfineduser.if +++ /dev/null @@ -1,687 +0,0 @@ -## Unconfiend user role - -######################################## -## -## Change from the unconfineduser role. -## -## -##

-## Change from the unconfineduser role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`unconfined_role_change_to',` - gen_require(` - role unconfined_r; - ') - - allow unconfined_r $1; -') - -######################################## -## -## Transition to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_domtrans',` - gen_require(` - type unconfined_t, unconfined_exec_t; - ') - - domtrans_pattern($1,unconfined_exec_t,unconfined_t) -') - -######################################## -## -## Execute specified programs in the unconfined domain. -## -## -## -## The type of the process performing this action. -## -## -## -## -## The role to allow the unconfined domain. -## -## -# -interface(`unconfined_run',` - gen_require(` - type unconfined_t; - ') - - unconfined_domtrans($1) - role $2 types unconfined_t; -') - -######################################## -## -## Transition to the unconfined domain by executing a shell. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_shell_domtrans',` - gen_require(` - attribute unconfined_login_domain; - ') - typeattribute $1 unconfined_login_domain; -') - -######################################## -## -## Allow unconfined to execute the specified program in -## the specified domain. -## -## -##

-## Allow unconfined to execute the specified program in -## the specified domain. -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# -interface(`unconfined_domtrans_to',` - gen_require(` - type unconfined_t; - ') - - domtrans_pattern(unconfined_t,$2,$1) -') - -######################################## -## -## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -## -## -##

-## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# -interface(`unconfined_run_to',` - gen_require(` - type unconfined_t; - role unconfined_r; - ') - - domtrans_pattern(unconfined_t,$2,$1) - role unconfined_r types $1; - userdom_use_user_terminals($1) -') - -######################################## -## -## Inherit file descriptors from the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_use_fds',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fd use; -') - -######################################## -## -## Send a SIGCHLD signal to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_sigchld',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process sigchld; -') - -######################################## -## -## Send a SIGNULL signal to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_signull',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process signull; -') - -######################################## -## -## Send a SIGNULL signal to the unconfined execmem domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_execmem_signull',` - gen_require(` - type unconfined_execmem_t; - ') - - allow $1 unconfined_execmem_t:process signull; -') - -######################################## -## -## Send a signal to the unconfined execmem domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_execmem_signal',` - gen_require(` - type unconfined_execmem_t; - ') - - allow $1 unconfined_execmem_t:process signal; -') - -######################################## -## -## Send generic signals to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_signal',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process signal; -') - -######################################## -## -## Read unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_read_pipes',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dontaudit_read_pipes',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:fifo_file read; -') - -######################################## -## -## Read and write unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_rw_pipes',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## unconfined domain unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_rw_pipes',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:fifo_file rw_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## unconfined domain stream. -## -## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_rw_stream',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; -') - -######################################## -## -## Connect to the unconfined domain using -## a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_stream_connect',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:unix_stream_socket connectto; -') - -######################################## -## -## Do not audit attempts to read or write -## unconfined domain tcp sockets. -## -## -##

-## Do not audit attempts to read or write -## unconfined domain tcp sockets. -##

-##

-## This interface was added due to a broken -## symptom in ldconfig. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_rw_tcp_sockets',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:tcp_socket { read write }; -') - -######################################## -## -## Do not audit attempts to read or write -## unconfined domain packet sockets. -## -## -##

-## Do not audit attempts to read or write -## unconfined domain packet sockets. -##

-##

-## This interface was added due to a broken -## symptom. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_rw_packet_sockets',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:packet_socket { read write }; -') - -######################################## -## -## Create keys for the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_create_keys',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:key create; -') - -######################################## -## -## Send messages to the unconfined domain over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dbus_send',` - gen_require(` - type unconfined_t; - class dbus send_msg; - ') - - allow $1 unconfined_t:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## unconfined_t over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dbus_chat',` - gen_require(` - type unconfined_t; - class dbus send_msg; - ') - - allow $1 unconfined_t:dbus send_msg; - allow unconfined_t $1:dbus send_msg; -') - -######################################## -## -## Connect to the the unconfined DBUS -## for service (acquire_svc). -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dbus_connect',` - gen_require(` - type unconfined_t; - class dbus acquire_svc; - ') - - allow $1 unconfined_t:dbus acquire_svc; -') - -######################################## -## -## Allow ptrace of unconfined domain -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_ptrace',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process ptrace; -') - -######################################## -## -## Read and write to unconfined shared memory. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`unconfined_rw_shm',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:shm rw_shm_perms; -') - -######################################## -## -## Read and write to unconfined execmem shared memory. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`unconfined_execmem_rw_shm',` - gen_require(` - type unconfined_execmem_t; - ') - - allow $1 unconfined_execmem_t:shm rw_shm_perms; -') - -######################################## -## -## Transition to the unconfined_execmem domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_execmem_domtrans',` - - gen_require(` - type unconfined_execmem_t; - ') - - execmem_domtrans($1, unconfined_execmem_t) -') - -######################################## -## -## execute the execmem applications -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_execmem_exec',` - - gen_require(` - type execmem_exec_t; - ') - - can_exec($1, execmem_exec_t) -') - -######################################## -## -## Allow apps to set rlimits on userdomain -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_set_rlimitnh',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process rlimitinh; -') - -######################################## -## -## Get the process group of unconfined. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_getpgid',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process getpgid; -') - -######################################## -## -## Change to the unconfined role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`unconfined_role_change',` - gen_require(` - role unconfined_r; - ') - - allow $1 unconfined_r; -') - -######################################## -## -## Allow domain to attach to TUN devices created by unconfined_t users. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_attach_tun_iface',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te deleted file mode 100644 index cad536c..0000000 --- a/policy/modules/roles/unconfineduser.te +++ /dev/null @@ -1,491 +0,0 @@ -policy_module(unconfineduser, 1.0.0) - -######################################## -# -# Declarations -# -attribute unconfined_login_domain; - -## -##

-## Transition unconfined user to the nsplugin domains when running nspluginviewer -##

-##
-gen_tunable(allow_unconfined_nsplugin_transition, false) - -## -##

-## Transition unconfined user to the mozilla plugin domain when running xulrunner plugin-container. -##

-##
-gen_tunable(unconfined_mozilla_plugin_transition, false) - -## -##

-## Allow vidio playing tools to tun unconfined -##

-##
-gen_tunable(unconfined_mplayer, false) - -## -##

-## Allow a user to login as an unconfined domain -##

-##
-gen_tunable(unconfined_login, true) - -## -##

-## Transition to confined qemu domains from unconfined user -##

-##
-gen_tunable(allow_unconfined_qemu_transition, false) - -# usage in this module of types created by these -# calls is not correct, however we dont currently -# have another method to add access to these types -userdom_base_user_template(unconfined) -userdom_manage_home_role(unconfined_r, unconfined_t) -userdom_manage_tmp_role(unconfined_r, unconfined_t) -userdom_manage_tmpfs_role(unconfined_r, unconfined_t) -userdom_unpriv_usertype(unconfined, unconfined_t) - -type unconfined_exec_t; -init_system_domain(unconfined_t, unconfined_exec_t) -role unconfined_r types unconfined_t; -role_transition system_r unconfined_exec_t unconfined_r; -allow system_r unconfined_r; - -domain_user_exemption_target(unconfined_t) -allow system_r unconfined_r; -allow unconfined_r system_r; -init_script_role_transition(unconfined_r) -role system_r types unconfined_t; -typealias unconfined_t alias unconfined_crontab_t; - -type unconfined_notrans_t; -type unconfined_notrans_exec_t; -init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) -role unconfined_r types unconfined_notrans_t; - -######################################## -# -# Local policy -# - -dontaudit unconfined_t self:dir write; -dontaudit unconfined_t self:file setattr; - -allow unconfined_t self:system syslog_read; -dontaudit unconfined_t self:capability sys_module; - -files_create_boot_flag(unconfined_t) -files_create_default_dir(unconfined_t) -files_root_filetrans_default(unconfined_t, dir) - -mcs_killall(unconfined_t) -mcs_ptrace_all(unconfined_t) -mls_file_write_all_levels(unconfined_t) - -init_run_daemon(unconfined_t, unconfined_r) -init_domtrans_script(unconfined_t) -init_telinit(unconfined_t) - -libs_run_ldconfig(unconfined_t, unconfined_r) - -logging_send_syslog_msg(unconfined_t) -logging_run_auditctl(unconfined_t, unconfined_r) - -mount_run_unconfined(unconfined_t, unconfined_r) -# Unconfined running as system_r -mount_domtrans_unconfined(unconfined_t) - -seutil_run_setsebool(unconfined_t, unconfined_r) -seutil_run_setfiles(unconfined_t, unconfined_r) -seutil_run_semanage(unconfined_t, unconfined_r) - -unconfined_domain_noaudit(unconfined_t) - -userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) - -usermanage_run_passwd(unconfined_t, unconfined_r) -usermanage_run_chfn(unconfined_t, unconfined_r) - -tunable_policy(`allow_execmem',` - allow unconfined_t self:process execmem; -') - -tunable_policy(`allow_execmem && allow_execstack',` - allow unconfined_t self:process execstack; -') - -dev_filetrans_named_dev(unconfined_usertype) - -tunable_policy(`allow_execmod',` - userdom_execmod_user_home_files(unconfined_usertype) -') - -tunable_policy(`unconfined_login',` - corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) - allow unconfined_t unconfined_login_domain:fd use; - allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; - allow unconfined_t unconfined_login_domain:process sigchld; -') - -optional_policy(` - gen_require(` - attribute unconfined_usertype; - ') - - nsplugin_role_notrans(unconfined_r, unconfined_usertype) - optional_policy(` - tunable_policy(`allow_unconfined_nsplugin_transition',` - nsplugin_domtrans(unconfined_usertype) - nsplugin_domtrans_config(unconfined_usertype) - ') - ') - - optional_policy(` - abrt_dbus_chat(unconfined_usertype) - abrt_run_helper(unconfined_usertype, unconfined_r) - ') - - optional_policy(` - avahi_dbus_chat(unconfined_usertype) - ') - - optional_policy(` - certmonger_dbus_chat(unconfined_usertype) - ') - - optional_policy(` - devicekit_dbus_chat(unconfined_usertype) - devicekit_dbus_chat_disk(unconfined_usertype) - devicekit_dbus_chat_power(unconfined_usertype) - ') - - optional_policy(` - hal_dbus_chat(unconfined_usertype) - ') - - optional_policy(` - networkmanager_dbus_chat(unconfined_usertype) - ') - - optional_policy(` - policykit_role(unconfined_r, unconfined_usertype) - ') - - optional_policy(` - rtkit_scheduled(unconfined_usertype) - ') - - optional_policy(` - setroubleshoot_dbus_chat(unconfined_usertype) - setroubleshoot_dbus_chat_fixit(unconfined_t) - ') - - optional_policy(` - sandbox_transition(unconfined_usertype, unconfined_r) - ') - - optional_policy(` - shutdown_run(unconfined_t, unconfined_r) - ') - - optional_policy(` - tzdata_run(unconfined_usertype, unconfined_r) - ') - - optional_policy(` - gen_require(` - type user_tmpfs_t; - ') - - xserver_rw_session(unconfined_usertype, user_tmpfs_t) - xserver_run_xauth(unconfined_usertype, unconfined_r) - xserver_dbus_chat_xdm(unconfined_usertype) - ') -') - -ifdef(`distro_gentoo',` - seutil_run_runinit(unconfined_t, unconfined_r) - seutil_init_script_run_runinit(unconfined_t, unconfined_r) -') - -optional_policy(` - accountsd_dbus_chat(unconfined_t) -') - -optional_policy(` - ada_run(unconfined_t, unconfined_r) -') - -optional_policy(` - alsa_run(unconfined_t, unconfined_r) -') - -optional_policy(` - apache_run_helper(unconfined_t, unconfined_r) -') - -optional_policy(` - bind_run_ndc(unconfined_t, unconfined_r) -') - -optional_policy(` - bootloader_run(unconfined_t, unconfined_r) -') - -optional_policy(` - cron_unconfined_role(unconfined_r, unconfined_t) -') - -optional_policy(` - chrome_role(unconfined_r, unconfined_usertype) -') - -optional_policy(` - dbus_role_template(unconfined, unconfined_r, unconfined_t) - - optional_policy(` - unconfined_domain(unconfined_dbusd_t) - unconfined_execmem_domtrans(unconfined_dbusd_t) - - optional_policy(` - xserver_rw_shm(unconfined_dbusd_t) - ') - ') - - init_dbus_chat(unconfined_usertype) - init_dbus_chat_script(unconfined_usertype) - - dbus_stub(unconfined_t) - - optional_policy(` - bluetooth_dbus_chat(unconfined_usertype) - ') - - optional_policy(` - consolekit_dbus_chat(unconfined_usertype) - ') - - optional_policy(` - cups_dbus_chat_config(unconfined_usertype) - ') - - optional_policy(` - fprintd_dbus_chat(unconfined_usertype) - ') - - optional_policy(` - gnomeclock_dbus_chat(unconfined_usertype) - gnome_dbus_chat_gconfdefault(unconfined_usertype) - ') - - optional_policy(` - ipsec_mgmt_dbus_chat(unconfined_usertype) - ') - - optional_policy(` - kerneloops_dbus_chat(unconfined_usertype) - ') - - optional_policy(` - oddjob_dbus_chat(unconfined_usertype) - ') - - optional_policy(` - vpn_dbus_chat(unconfined_usertype) - ') -') - -optional_policy(` - firewallgui_dbus_chat(unconfined_usertype) -') - -optional_policy(` - firstboot_run(unconfined_t, unconfined_r) -') - -optional_policy(` - ftp_run_ftpdctl(unconfined_t, unconfined_r) -') - -optional_policy(` - gpsd_run(unconfined_t, unconfined_r) -') - -optional_policy(` - java_run_unconfined(unconfined_t, unconfined_r) -') - -optional_policy(` - livecd_run(unconfined_t, unconfined_r) -') - -optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r) -') - -optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r) -') - -optional_policy(` - mono_role_template(unconfined, unconfined_r, unconfined_t) - unconfined_domain_noaudit(unconfined_mono_t) - role system_r types unconfined_mono_t; -') - - -optional_policy(` - mozilla_role_plugin(unconfined_r) - - tunable_policy(`unconfined_mozilla_plugin_transition', ` - mozilla_domtrans_plugin(unconfined_usertype) - ') -') - -optional_policy(` - ncftool_run(unconfined_t, unconfined_r) -') - -optional_policy(` - oddjob_run_mkhomedir(unconfined_t, unconfined_r) -') - -optional_policy(` - prelink_run(unconfined_t, unconfined_r) -') - -optional_policy(` - portmap_run_helper(unconfined_t, unconfined_r) -') - -#optional_policy(` -# ppp_run(unconfined_t, unconfined_r) -#') - -optional_policy(` - qemu_unconfined_role(unconfined_r) - - tunable_policy(`allow_unconfined_qemu_transition',` - qemu_domtrans(unconfined_t) - ',` - qemu_domtrans_unconfined(unconfined_t) - ') -') - -optional_policy(` - rpm_run(unconfined_t, unconfined_r) - # Allow SELinux aware applications to request rpm_script execution - rpm_transition_script(unconfined_t) - rpm_dbus_chat(unconfined_t) -') - -optional_policy(` - optional_policy(` - samba_run_unconfined_net(unconfined_t, unconfined_r) - ') - - samba_role_notrans(unconfined_r) -# samba_run_winbind_helper(unconfined_t, unconfined_r) - samba_run_smbcontrol(unconfined_t, unconfined_r) -') - -optional_policy(` - sendmail_run_unconfined(unconfined_t, unconfined_r) -') - -optional_policy(` - sysnet_run_dhcpc(unconfined_t, unconfined_r) - sysnet_dbus_chat_dhcpc(unconfined_t) - sysnet_role_transition_dhcpc(unconfined_r) -') - -optional_policy(` - telepathy_dbus_session_role(unconfined_r, unconfined_t) -') - -optional_policy(` - vbetool_run(unconfined_t, unconfined_r) -') - -optional_policy(` - virt_transition_svirt(unconfined_t, unconfined_r) -') - -optional_policy(` - vpn_run(unconfined_t, unconfined_r) -') - -optional_policy(` - webalizer_run(unconfined_t, unconfined_r) -') - -optional_policy(` - wine_run(unconfined_t, unconfined_r) -') - -optional_policy(` - xserver_run(unconfined_t, unconfined_r) -') - -######################################## -# -# Unconfined Execmem Local policy -# - -optional_policy(` - execmem_role_template(unconfined, unconfined_r, unconfined_t) - typealias unconfined_execmem_t alias execmem_t; - typealias unconfined_execmem_t alias unconfined_openoffice_t; - unconfined_domain_noaudit(unconfined_execmem_t) - allow unconfined_execmem_t unconfined_t:process transition; - rpm_transition_script(unconfined_execmem_t) - role system_r types unconfined_execmem_t; - - optional_policy(` - init_dbus_chat_script(unconfined_execmem_t) - dbus_system_bus_client(unconfined_execmem_t) - unconfined_dbus_chat(unconfined_execmem_t) - unconfined_dbus_connect(unconfined_execmem_t) - ') - - optional_policy(` - tunable_policy(`allow_unconfined_nsplugin_transition',`', ` - nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t) - ') - ') - - optional_policy(` - tunable_policy(`unconfined_login',` - mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t) - ') - ') - - optional_policy(` - openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t) - ') -') - -######################################## -# -# Unconfined notrans Local policy -# - -allow unconfined_notrans_t self:process { execstack execmem }; -unconfined_domain_noaudit(unconfined_notrans_t) -userdom_unpriv_usertype(unconfined, unconfined_notrans_t) -domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) -# Allow SELinux aware applications to request rpm_script execution -rpm_transition_script(unconfined_notrans_t) -domain_ptrace_all_domains(unconfined_notrans_t) - -######################################## -# -# Unconfined mount local policy -# - -gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/policy/modules/roles/unprivuser.fc b/policy/modules/roles/unprivuser.fc deleted file mode 100644 index 601a7b0..0000000 --- a/policy/modules/roles/unprivuser.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if deleted file mode 100644 index 3835596..0000000 --- a/policy/modules/roles/unprivuser.if +++ /dev/null @@ -1,50 +0,0 @@ -## Generic unprivileged user role - -######################################## -## -## Change to the generic user role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`unprivuser_role_change',` - gen_require(` - role user_r; - ') - - allow $1 user_r; -') - -######################################## -## -## Change from the generic user role. -## -## -##

-## Change from the generic user role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`unprivuser_role_change_to',` - gen_require(` - role user_r; - ') - - allow user_r $1; -') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te deleted file mode 100644 index 2932c13..0000000 --- a/policy/modules/roles/unprivuser.te +++ /dev/null @@ -1,182 +0,0 @@ -policy_module(unprivuser, 2.1.2) - -# this module should be named user, but that is -# a compile error since user is a keyword. - -######################################## -# -# Declarations -# - -role user_r; - -userdom_unpriv_user_template(user) - -fs_exec_noxattr(user_t) - -optional_policy(` - apache_role(user_r, user_t) -') - -optional_policy(` - oident_manage_user_content(user_t) - oident_relabel_user_content(user_t) -') - -optional_policy(` - mozilla_run_plugin(user_t, user_r) -') - -optional_policy(` - rpm_dontaudit_dbus_chat(user_t) -') - -optional_policy(` - rtkit_scheduled(user_t) -') - -optional_policy(` - sandbox_transition(user_t, user_r) -') - -optional_policy(` - screen_role_template(user, user_r, user_t) -') - -optional_policy(` - setroubleshoot_dontaudit_stream_connect(user_t) -') - -optional_policy(` - telepathy_dbus_session_role(user_r, user_t) -') - -optional_policy(` - xserver_role(user_r, user_t) -') - -ifndef(`distro_redhat',` - optional_policy(` - auth_role(user_r, user_t) - ') - - optional_policy(` - bluetooth_role(user_r, user_t) - ') - - optional_policy(` - cdrecord_role(user_r, user_t) - ') - - optional_policy(` - cron_role(user_r, user_t) - ') - - optional_policy(` - dbus_role_template(user, user_r, user_t) - ') - - optional_policy(` - evolution_role(user_r, user_t) - ') - - optional_policy(` - games_role(user_r, user_t) - ') - - optional_policy(` - gift_role(user_r, user_t) - ') - - optional_policy(` - gnome_role(user_r, user_t) - ') - - optional_policy(` - gpg_role(user_r, user_t) - ') - - optional_policy(` - irc_role(user_r, user_t) - ') - - optional_policy(` - java_role(user_r, user_t) - ') - - optional_policy(` - lockdev_role(user_r, user_t) - ') - - optional_policy(` - lpd_role(user_r, user_t) - ') - - optional_policy(` - mozilla_role(user_r, user_t) - ') - - optional_policy(` - mplayer_role(user_r, user_t) - ') - - optional_policy(` - mta_role(user_r, user_t) - ') - - optional_policy(` - postgresql_role(user_r, user_t) - ') - - optional_policy(` - pyzor_role(user_r, user_t) - ') - - optional_policy(` - razor_role(user_r, user_t) - ') - - optional_policy(` - rssh_role(user_r, user_t) - ') - - optional_policy(` - spamassassin_role(user_r, user_t) - ') - - optional_policy(` - ssh_role_template(user, user_r, user_t) - ') - - optional_policy(` - su_role_template(user, user_r, user_t) - ') - - optional_policy(` - sudo_role_template(user, user_r, user_t) - ') - - optional_policy(` - thunderbird_role(user_r, user_t) - ') - - optional_policy(` - tvtime_role(user_r, user_t) - ') - - optional_policy(` - uml_role(user_r, user_t) - ') - - optional_policy(` - userhelper_role_template(user, user_r, user_t) - ') - - optional_policy(` - vmware_role(user_r, user_t) - ') - - optional_policy(` - wireshark_role(user_r, user_t) - ') -') diff --git a/policy/modules/roles/webadm.fc b/policy/modules/roles/webadm.fc deleted file mode 100644 index d46378a..0000000 --- a/policy/modules/roles/webadm.fc +++ /dev/null @@ -1 +0,0 @@ -# No webadm file contexts. diff --git a/policy/modules/roles/webadm.if b/policy/modules/roles/webadm.if deleted file mode 100644 index cc34f8b..0000000 --- a/policy/modules/roles/webadm.if +++ /dev/null @@ -1,50 +0,0 @@ -## Web administrator role - -######################################## -## -## Change to the web administrator role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`webadm_role_change',` - gen_require(` - role webadm_r; - ') - - allow $1 webadm_r; -') - -######################################## -## -## Change from the web administrator role. -## -## -##

-## Change from the web administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`webadm_role_change_to',` - gen_require(` - role webadm_r; - ') - - allow webadm_r $1; -') diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te deleted file mode 100644 index dbf2710..0000000 --- a/policy/modules/roles/webadm.te +++ /dev/null @@ -1,56 +0,0 @@ -policy_module(webadm, 1.1.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow webadm to manage files in users home directories -##

-##
-gen_tunable(webadm_manage_user_files, false) - -## -##

-## Allow webadm to read files in users home directories -##

-##
-gen_tunable(webadm_read_user_files, false) - -role webadm_r; - -userdom_base_user_template(webadm) - -######################################## -# -# webadmin local policy -# - -allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; - -files_dontaudit_search_all_dirs(webadm_t) -files_manage_generic_locks(webadm_t) -files_list_var(webadm_t) - -selinux_get_enforce_mode(webadm_t) -seutil_domtrans_setfiles(webadm_t) - -logging_send_syslog_msg(webadm_t) -logging_send_audit_msgs(webadm_t) - -userdom_dontaudit_search_user_home_dirs(webadm_t) - -apache_admin(webadm_t, webadm_r) - -tunable_policy(`webadm_manage_user_files',` - userdom_manage_user_home_content_files(webadm_t) - userdom_read_user_tmp_files(webadm_t) - userdom_write_user_tmp_files(webadm_t) -') - -tunable_policy(`webadm_read_user_files',` - userdom_read_user_home_content_files(webadm_t) - userdom_read_user_tmp_files(webadm_t) -') diff --git a/policy/modules/roles/xguest.fc b/policy/modules/roles/xguest.fc deleted file mode 100644 index 601a7b0..0000000 --- a/policy/modules/roles/xguest.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/xguest.if b/policy/modules/roles/xguest.if deleted file mode 100644 index d2234e3..0000000 --- a/policy/modules/roles/xguest.if +++ /dev/null @@ -1,50 +0,0 @@ -## Least privledge xwindows user role - -######################################## -## -## Change to the xguest role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`xguest_role_change',` - gen_require(` - role xguest_r; - ') - - allow $1 xguest_r; -') - -######################################## -## -## Change from the xguest role. -## -## -##

-## Change from the xguest role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# -interface(`xguest_role_change_to',` - gen_require(` - role xguest_r; - ') - - allow xguest_r $1; -') diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te deleted file mode 100644 index e76f7a7..0000000 --- a/policy/modules/roles/xguest.te +++ /dev/null @@ -1,173 +0,0 @@ -policy_module(xguest, 1.1.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow xguest users to mount removable media -##

-##
-gen_tunable(xguest_mount_media, true) - -## -##

-## Allow xguest to configure Network Manager and connect to apache ports -##

-##
-gen_tunable(xguest_connect_network, true) - -## -##

-## Allow xguest to use blue tooth devices -##

-##
-gen_tunable(xguest_use_bluetooth, true) - -role xguest_r; - -userdom_restricted_xwindows_user_template(xguest) -sysnet_dns_name_resolve(xguest_t) - -######################################## -# -# Local policy -# -ifndef(`enable_mls',` - fs_exec_noxattr(xguest_t) - - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) - # Write floppies - storage_raw_read_removable_device(xguest_t) - storage_raw_write_removable_device(xguest_t) - ',` - storage_raw_read_removable_device(xguest_t) - ') -') -# Dontaudit fusermount -mount_dontaudit_exec_fusermount(xguest_t) - -allow xguest_t self:process execmem; -kernel_dontaudit_request_load_module(xguest_t) - -tunable_policy(`allow_execstack',` - allow xguest_t self:process execstack; -') - -# Allow mounting of file systems -optional_policy(` - tunable_policy(`xguest_mount_media',` - kernel_read_fs_sysctls(xguest_t) - kernel_request_load_module(xguest_t) - files_dontaudit_getattr_boot_dirs(xguest_t) - files_search_mnt(xguest_t) - - fs_manage_noxattr_fs_files(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) - fs_getattr_noxattr_fs(xguest_t) - fs_read_noxattr_fs_symlinks(xguest_t) - fs_mount_fusefs(xguest_t) - - auth_list_pam_console_data(xguest_t) - ') -') - -optional_policy(` - tunable_policy(`xguest_use_bluetooth',` - bluetooth_dbus_chat(xguest_t) - ') -') - -optional_policy(` - chrome_role(xguest_r, xguest_usertype) -') - - -optional_policy(` - hal_dbus_chat(xguest_t) -') - -optional_policy(` - apache_role(xguest_r, xguest_t) -') - -optional_policy(` - gnomeclock_dontaudit_dbus_chat(xguest_t) -') - -optional_policy(` - java_role_template(xguest, xguest_r, xguest_t) -') - -optional_policy(` - mono_role_template(xguest, xguest_r, xguest_t) -') - -optional_policy(` - mozilla_run_plugin(xguest_t, xguest_r) -') - -optional_policy(` - nsplugin_role(xguest_r, xguest_t) -') - -optional_policy(` - tunable_policy(`xguest_connect_network',` - kernel_read_network_state(xguest_usertype) - - networkmanager_dbus_chat(xguest_t) - networkmanager_read_lib_files(xguest_t) - corenet_tcp_connect_pulseaudio_port(xguest_usertype) - corenet_all_recvfrom_unlabeled(xguest_usertype) - corenet_all_recvfrom_netlabel(xguest_usertype) - corenet_tcp_sendrecv_generic_if(xguest_usertype) - corenet_raw_sendrecv_generic_if(xguest_usertype) - corenet_tcp_sendrecv_generic_node(xguest_usertype) - corenet_raw_sendrecv_generic_node(xguest_usertype) - corenet_tcp_sendrecv_http_port(xguest_usertype) - corenet_tcp_sendrecv_http_cache_port(xguest_usertype) - corenet_tcp_sendrecv_squid_port(xguest_usertype) - corenet_tcp_sendrecv_ftp_port(xguest_usertype) - corenet_tcp_sendrecv_ipp_port(xguest_usertype) - corenet_tcp_connect_http_port(xguest_usertype) - corenet_tcp_connect_http_cache_port(xguest_usertype) - corenet_tcp_connect_squid_port(xguest_usertype) - corenet_tcp_connect_flash_port(xguest_usertype) - corenet_tcp_connect_ftp_port(xguest_usertype) - corenet_tcp_connect_ipp_port(xguest_usertype) - corenet_tcp_connect_generic_port(xguest_usertype) - corenet_tcp_connect_soundd_port(xguest_usertype) - corenet_sendrecv_http_client_packets(xguest_usertype) - corenet_sendrecv_http_cache_client_packets(xguest_usertype) - corenet_sendrecv_squid_client_packets(xguest_usertype) - corenet_sendrecv_ftp_client_packets(xguest_usertype) - corenet_sendrecv_ipp_client_packets(xguest_usertype) - corenet_sendrecv_generic_client_packets(xguest_usertype) - # Should not need other ports - corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype) - corenet_dontaudit_tcp_bind_generic_port(xguest_usertype) - corenet_tcp_connect_speech_port(xguest_usertype) - corenet_tcp_sendrecv_transproxy_port(xguest_usertype) - corenet_tcp_connect_transproxy_port(xguest_usertype) - ') - - optional_policy(` - telepathy_dbus_session_role(xguest_r, xguest_t) - ') -') - -optional_policy(` - gen_require(` - type mozilla_t; - ') - - allow xguest_t mozilla_t:process transition; - role xguest_r types mozilla_t; -') - -gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc deleted file mode 100644 index 3b3ba64..0000000 --- a/policy/modules/services/abrt.fc +++ /dev/null @@ -1,21 +0,0 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) - -/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) - -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) - -/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) - -/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) - -/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0) - -/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) - -/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if deleted file mode 100644 index 8961dba..0000000 --- a/policy/modules/services/abrt.if +++ /dev/null @@ -1,343 +0,0 @@ -## ABRT - automated bug-reporting tool - -###################################### -## -## Execute abrt in the abrt domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`abrt_domtrans',` - gen_require(` - type abrt_t, abrt_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, abrt_exec_t, abrt_t) -') - -###################################### -## -## Execute abrt in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_exec',` - gen_require(` - type abrt_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, abrt_exec_t) -') - -######################################## -## -## Send a null signal to abrt. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_signull',` - gen_require(` - type abrt_t; - ') - - allow $1 abrt_t:process signull; -') - -######################################## -## -## Allow the domain to read abrt state files in /proc. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_read_state',` - gen_require(` - type abrt_t; - ') - - kernel_search_proc($1) - ps_process_pattern($1, abrt_t) -') - -######################################## -## -## Connect to abrt over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_stream_connect',` - gen_require(` - type abrt_t, abrt_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t) -') - -######################################## -## -## Send and receive messages from -## abrt over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_dbus_chat',` - gen_require(` - type abrt_t; - class dbus send_msg; - ') - - allow $1 abrt_t:dbus send_msg; - allow abrt_t $1:dbus send_msg; -') - -##################################### -## -## Execute abrt-helper in the abrt-helper domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`abrt_domtrans_helper',` - gen_require(` - type abrt_helper_t, abrt_helper_exec_t; - ') - - domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit abrt_helper_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute abrt helper in the abrt_helper domain, and -## allow the specified role the abrt_helper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`abrt_run_helper',` - gen_require(` - type abrt_helper_t; - ') - - abrt_domtrans_helper($1) - role $2 types abrt_helper_t; -') - -######################################## -## -## Append abrt cache -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_cache_append',` - gen_require(` - type abrt_var_cache_t; - ') - - append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) -') - -######################################## -## -## Manage abrt cache -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_cache_manage',` - gen_require(` - type abrt_var_cache_t; - ') - - manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) -') - -#################################### -## -## Read abrt configuration file. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_read_config',` - gen_require(` - type abrt_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, abrt_etc_t, abrt_etc_t) -') - -###################################### -## -## Read abrt logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_read_log',` - gen_require(` - type abrt_var_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) -') - -###################################### -## -## Read abrt PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_read_pid_files',` - gen_require(` - type abrt_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, abrt_var_run_t, abrt_var_run_t) -') - -###################################### -## -## Create, read, write, and delete abrt PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_manage_pid_files',` - gen_require(` - type abrt_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) -') - -######################################## -## -## Read and write abrt fifo files. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_rw_fifo_file',` - gen_require(` - type abrt_t; - ') - - allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms; -') - -##################################### -## -## All of the rules required to administrate -## an abrt environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the abrt domain. -## -## -## -# -interface(`abrt_admin',` - gen_require(` - type abrt_t, abrt_etc_t; - type abrt_var_cache_t, abrt_var_log_t; - type abrt_var_run_t, abrt_tmp_t; - type abrt_initrc_exec_t; - ') - - allow $1 abrt_t:process { ptrace signal_perms }; - ps_process_pattern($1, abrt_t) - - init_labeled_script_domtrans($1, abrt_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 abrt_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, abrt_etc_t) - - logging_list_logs($1) - admin_pattern($1, abrt_var_log_t) - - files_list_var($1) - admin_pattern($1, abrt_var_cache_t) - - files_list_pids($1) - admin_pattern($1, abrt_var_run_t) - - files_list_tmp($1) - admin_pattern($1, abrt_tmp_t) -') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te deleted file mode 100644 index 5be7dc8..0000000 --- a/policy/modules/services/abrt.te +++ /dev/null @@ -1,274 +0,0 @@ -policy_module(abrt, 1.1.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow ABRT to modify public files -## used for public file transfer services. -##

-##
-gen_tunable(abrt_anon_write, false) - -type abrt_t; -type abrt_exec_t; -init_daemon_domain(abrt_t, abrt_exec_t) - -type abrt_initrc_exec_t; -init_script_file(abrt_initrc_exec_t) - -# etc files -type abrt_etc_t; -files_config_file(abrt_etc_t) - -# log files -type abrt_var_log_t; -logging_log_file(abrt_var_log_t) - -# tmp files -type abrt_tmp_t; -files_tmp_file(abrt_tmp_t) - -# var/cache files -type abrt_var_cache_t; -files_type(abrt_var_cache_t) - -# pid files -type abrt_var_run_t; -files_pid_file(abrt_var_run_t) - -# type needed to allow all domains -# to handle /var/cache/abrt -type abrt_helper_t; -type abrt_helper_exec_t; -application_domain(abrt_helper_t, abrt_helper_exec_t) -role system_r types abrt_helper_t; - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# abrt local policy -# - -allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; -dontaudit abrt_t self:capability sys_rawio; -allow abrt_t self:process { sigkill signal signull setsched getsched }; - -allow abrt_t self:fifo_file rw_fifo_file_perms; -allow abrt_t self:tcp_socket create_stream_socket_perms; -allow abrt_t self:udp_socket create_socket_perms; -allow abrt_t self:unix_dgram_socket create_socket_perms; -allow abrt_t self:netlink_route_socket r_netlink_socket_perms; - -# abrt etc files -rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) - -# log file -manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) -logging_log_filetrans(abrt_t, abrt_var_log_t, file) - -# abrt tmp files -manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) -manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) -files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) -can_exec(abrt_t, abrt_tmp_t) - -# abrt var/cache files -manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) -files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) - -# abrt pid files -manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) - -kernel_read_ring_buffer(abrt_t) -kernel_read_system_state(abrt_t) -kernel_rw_kernel_sysctl(abrt_t) - -corecmd_exec_bin(abrt_t) -corecmd_exec_shell(abrt_t) -corecmd_read_all_executables(abrt_t) - -corenet_all_recvfrom_netlabel(abrt_t) -corenet_all_recvfrom_unlabeled(abrt_t) -corenet_tcp_sendrecv_generic_if(abrt_t) -corenet_tcp_sendrecv_generic_node(abrt_t) -corenet_tcp_sendrecv_generic_port(abrt_t) -corenet_tcp_bind_generic_node(abrt_t) -corenet_tcp_connect_http_port(abrt_t) -corenet_tcp_connect_ftp_port(abrt_t) -corenet_tcp_connect_all_ports(abrt_t) -corenet_sendrecv_http_client_packets(abrt_t) - -dev_getattr_all_chr_files(abrt_t) -dev_read_urand(abrt_t) -dev_rw_sysfs(abrt_t) -dev_dontaudit_read_raw_memory(abrt_t) - -domain_getattr_all_domains(abrt_t) -domain_read_all_domains_state(abrt_t) -domain_signull_all_domains(abrt_t) - -files_getattr_all_files(abrt_t) -files_read_etc_files(abrt_t) -files_read_var_symlinks(abrt_t) -files_read_var_lib_files(abrt_t) -files_read_usr_files(abrt_t) -files_read_generic_tmp_files(abrt_t) -files_read_kernel_modules(abrt_t) -files_dontaudit_list_default(abrt_t) -files_dontaudit_read_default_files(abrt_t) -files_dontaudit_read_all_symlinks(abrt_t) -files_dontaudit_getattr_all_sockets(abrt_t) - -fs_list_inotifyfs(abrt_t) -fs_getattr_all_fs(abrt_t) -fs_getattr_all_dirs(abrt_t) -fs_read_fusefs_files(abrt_t) -fs_read_noxattr_fs_files(abrt_t) -fs_read_nfs_files(abrt_t) -fs_read_nfs_symlinks(abrt_t) -fs_search_all(abrt_t) - -sysnet_dns_name_resolve(abrt_t) - -logging_read_generic_logs(abrt_t) -logging_send_syslog_msg(abrt_t) - -miscfiles_read_generic_certs(abrt_t) -miscfiles_read_localization(abrt_t) - -userdom_dontaudit_read_user_home_content_files(abrt_t) -userdom_dontaudit_read_admin_home_files(abrt_t) - -tunable_policy(`abrt_anon_write',` - miscfiles_manage_public_files(abrt_t) -') - -optional_policy(` - apache_read_modules(abrt_t) -') - -optional_policy(` - dbus_system_domain(abrt_t, abrt_exec_t) -') - -optional_policy(` - nis_use_ypbind(abrt_t) -') - -optional_policy(` - nsplugin_read_rw_files(abrt_t) - nsplugin_read_home(abrt_t) -') - -optional_policy(` - policykit_dbus_chat(abrt_t) - policykit_domtrans_auth(abrt_t) - policykit_read_lib(abrt_t) - policykit_read_reload(abrt_t) -') - -optional_policy(` - prelink_exec(abrt_t) - libs_exec_ld_so(abrt_t) - corecmd_exec_all_executables(abrt_t) -') - -# to install debuginfo packages -optional_policy(` - rpm_exec(abrt_t) - rpm_dontaudit_manage_db(abrt_t) - rpm_manage_cache(abrt_t) - rpm_manage_pid_files(abrt_t) - rpm_read_db(abrt_t) - rpm_signull(abrt_t) -') - -# to run mailx plugin -optional_policy(` - sendmail_domtrans(abrt_t) -') - -optional_policy(` - sosreport_domtrans(abrt_t) - sosreport_read_tmp_files(abrt_t) - sosreport_delete_tmp_files(abrt_t) -') - -optional_policy(` - sssd_stream_connect(abrt_t) -') - -######################################## -# -# abrt-helper local policy -# - -allow abrt_helper_t self:capability { chown setgid sys_nice }; -allow abrt_helper_t self:process signal; - -read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) - -files_search_spool(abrt_helper_t) -manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) -manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) -manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) -files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) - -read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) - -domain_read_all_domains_state(abrt_helper_t) - -files_read_etc_files(abrt_helper_t) -files_dontaudit_all_non_security_leaks(abrt_helper_t) - -fs_list_inotifyfs(abrt_helper_t) -fs_getattr_all_fs(abrt_helper_t) - -auth_use_nsswitch(abrt_helper_t) - -logging_send_syslog_msg(abrt_helper_t) - -miscfiles_read_localization(abrt_helper_t) - -term_dontaudit_use_all_ttys(abrt_helper_t) -term_dontaudit_use_all_ptys(abrt_helper_t) - -ifdef(`hide_broken_symptoms',` - domain_dontaudit_leaks(abrt_helper_t) - userdom_dontaudit_read_user_home_content_files(abrt_helper_t) - userdom_dontaudit_read_user_tmp_files(abrt_helper_t) - dev_dontaudit_read_all_blk_files(abrt_helper_t) - dev_dontaudit_read_all_chr_files(abrt_helper_t) - dev_dontaudit_write_all_chr_files(abrt_helper_t) - dev_dontaudit_write_all_blk_files(abrt_helper_t) - fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) - - optional_policy(` - rpm_dontaudit_leaks(abrt_helper_t) - ') -') - -ifdef(`hide_broken_symptoms',` - gen_require(` - attribute domain; - ') - - allow abrt_t self:capability sys_resource; - allow abrt_t domain:file write; - allow abrt_t domain:process setrlimit; -') diff --git a/policy/modules/services/accountsd.fc b/policy/modules/services/accountsd.fc deleted file mode 100644 index 1adca53..0000000 --- a/policy/modules/services/accountsd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - -/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if deleted file mode 100644 index d639ae0..0000000 --- a/policy/modules/services/accountsd.if +++ /dev/null @@ -1,145 +0,0 @@ -## AccountsService and daemon for manipulating user account information via D-Bus - -######################################## -## -## Execute a domain transition to run accountsd. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_domtrans',` - gen_require(` - type accountsd_t, accountsd_exec_t; - ') - - domtrans_pattern($1, accountsd_exec_t, accountsd_t) -') - -######################################## -## -## Do not audit attempts to read and write Accounts Daemon -## fifo file. -## -## -## -## Domain to not audit. -## -## -# -interface(`accountsd_dontaudit_rw_fifo_file',` - gen_require(` - type accountsd_t; - ') - - dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Send and receive messages from -## accountsd over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_dbus_chat',` - gen_require(` - type accountsd_t; - class dbus send_msg; - ') - - allow $1 accountsd_t:dbus send_msg; - allow accountsd_t $1:dbus send_msg; -') - -######################################## -## -## Search accountsd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_search_lib',` - gen_require(` - type accountsd_var_lib_t; - ') - - allow $1 accountsd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read accountsd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_read_lib_files',` - gen_require(` - type accountsd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## accountsd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_manage_lib_files',` - gen_require(` - type accountsd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an accountsd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`accountsd_admin',` - gen_require(` - type accountsd_t; - ') - - allow $1 accountsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, accountsd_t) - - accountsd_manage_lib_files($1) -') diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te deleted file mode 100644 index 2724c11..0000000 --- a/policy/modules/services/accountsd.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(accountsd, 1.0.0) - -######################################## -# -# Declarations -# - -type accountsd_t; -type accountsd_exec_t; -dbus_system_domain(accountsd_t, accountsd_exec_t) -init_daemon_domain(accountsd_t, accountsd_exec_t) -role system_r types accountsd_t; - -type accountsd_var_lib_t; -files_type(accountsd_var_lib_t) - -######################################## -# -# accountsd local policy -# - -allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; -allow accountsd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) -manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) -files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir }) - -kernel_read_kernel_sysctls(accountsd_t) - -corecmd_exec_bin(accountsd_t) - -files_read_usr_files(accountsd_t) -files_read_mnt_files(accountsd_t) - -fs_list_inotifyfs(accountsd_t) -fs_read_noxattr_fs_files(accountsd_t) - -auth_use_nsswitch(accountsd_t) -auth_read_shadow(accountsd_t) - -miscfiles_read_localization(accountsd_t) - -logging_send_syslog_msg(accountsd_t) -logging_set_loginuid(accountsd_t) - -userdom_read_user_tmp_files(accountsd_t) -userdom_read_user_home_content_files(accountsd_t) - -usermanage_domtrans_useradd(accountsd_t) -usermanage_domtrans_passwd(accountsd_t) - -optional_policy(` - consolekit_read_log(accountsd_t) -') - -optional_policy(` - policykit_dbus_chat(accountsd_t) -') - -optional_policy(` - xserver_dbus_chat_xdm(accountsd_t) - xserver_manage_xdm_etc_files(accountsd_t) -') diff --git a/policy/modules/services/afs.fc b/policy/modules/services/afs.fc deleted file mode 100644 index eaea138..0000000 --- a/policy/modules/services/afs.fc +++ /dev/null @@ -1,32 +0,0 @@ -/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) -/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) - -/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) -/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) -/usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0) -/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0) - -/usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0) -/usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0) -/usr/afs/db/ka.* -- gen_context(system_u:object_r:afs_ka_db_t,s0) -/usr/afs/db/vl.* -- gen_context(system_u:object_r:afs_vl_db_t,s0) - -/usr/afs/etc(/.*)? gen_context(system_u:object_r:afs_config_t,s0) - -/usr/afs/local(/.*)? gen_context(system_u:object_r:afs_config_t,s0) - -/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) - -/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) - -/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) -/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) - -/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) - -/vicepa gen_context(system_u:object_r:afs_files_t,s0) -/vicepb gen_context(system_u:object_r:afs_files_t,s0) -/vicepc gen_context(system_u:object_r:afs_files_t,s0) diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if deleted file mode 100644 index 49c0cc8..0000000 --- a/policy/modules/services/afs.if +++ /dev/null @@ -1,109 +0,0 @@ -## Andrew Filesystem server - -######################################## -## -## Execute a domain transition to run the -## afs client. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`afs_domtrans',` - gen_require(` - type afs_t, afs_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, afs_exec_t, afs_t) -') - -######################################## -## -## Read and write afs client UDP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`afs_rw_udp_sockets',` - gen_require(` - type afs_t; - ') - - allow $1 afs_t:udp_socket { read write }; -') - -######################################## -## -## read/write afs cache files -## -## -## -## Domain allowed access. -## -## -# -interface(`afs_rw_cache',` - gen_require(` - type afs_cache_t; - ') - - files_search_var($1) - allow $1 afs_cache_t:file { read write }; -') - -######################################## -## -## Execute afs server in the afs domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`afs_initrc_domtrans',` - gen_require(` - type afs_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, afs_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an afs environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the afs domain. -## -## -## -# -interface(`afs_admin',` - gen_require(` - type afs_t, afs_initrc_exec_t; - ') - - allow $1 afs_t:process { ptrace signal_perms }; - ps_process_pattern($1, afs_t) - - # Allow afs_admin to restart the afs service - afs_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 afs_initrc_exec_t system_r; - allow $2 system_r; - -') diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te deleted file mode 100644 index 7e2cdf2..0000000 --- a/policy/modules/services/afs.te +++ /dev/null @@ -1,359 +0,0 @@ -policy_module(afs, 1.6.1) - -######################################## -# -# Declarations -# - -type afs_t; -type afs_exec_t; -init_daemon_domain(afs_t, afs_exec_t) - -type afs_bosserver_t; -type afs_bosserver_exec_t; -init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) - -type afs_cache_t; -files_type(afs_cache_t) - -type afs_config_t; -files_type(afs_config_t) - -type afs_dbdir_t; -files_type(afs_dbdir_t) - -# exported files -type afs_files_t; -files_type(afs_files_t) - -type afs_fsserver_t; -type afs_fsserver_exec_t; -domain_type(afs_fsserver_t) -domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t) -role system_r types afs_fsserver_t; - -type afs_initrc_exec_t; -init_script_file(afs_initrc_exec_t) - -type afs_ka_db_t; -files_type(afs_ka_db_t) - -type afs_kaserver_t; -type afs_kaserver_exec_t; -domain_type(afs_kaserver_t) -domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t) -role system_r types afs_kaserver_t; - -type afs_logfile_t; -logging_log_file(afs_logfile_t) - -type afs_pt_db_t; -files_type(afs_pt_db_t) - -type afs_ptserver_t; -type afs_ptserver_exec_t; -domain_type(afs_ptserver_t) -domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t) -role system_r types afs_ptserver_t; - -type afs_vl_db_t; -files_type(afs_vl_db_t) - -type afs_vlserver_t; -type afs_vlserver_exec_t; -domain_type(afs_vlserver_t) -domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t) -role system_r types afs_vlserver_t; - -######################################## -# -# afs client local policy -# - -allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; -allow afs_t self:process { setsched signal }; -allow afs_t self:udp_socket create_socket_perms; -allow afs_t self:fifo_file rw_file_perms; -allow afs_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(afs_t, afs_cache_t, afs_cache_t) -manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t) -files_var_filetrans(afs_t, afs_cache_t, { file dir }) - -kernel_rw_afs_state(afs_t) - -corenet_all_recvfrom_unlabeled(afs_t) -corenet_all_recvfrom_netlabel(afs_t) -corenet_tcp_sendrecv_generic_if(afs_t) -corenet_udp_sendrecv_generic_if(afs_t) -corenet_tcp_sendrecv_generic_node(afs_t) -corenet_udp_sendrecv_generic_node(afs_t) -corenet_tcp_sendrecv_all_ports(afs_t) -corenet_udp_sendrecv_all_ports(afs_t) -corenet_udp_bind_generic_node(afs_t) - -files_mounton_mnt(afs_t) -files_read_etc_files(afs_t) -files_read_usr_files(afs_t) -files_rw_etc_runtime_files(afs_t) - -fs_getattr_xattr_fs(afs_t) -fs_mount_nfs(afs_t) -fs_read_nfs_symlinks(afs_t) - -logging_send_syslog_msg(afs_t) - -miscfiles_read_localization(afs_t) - -sysnet_dns_name_resolve(afs_t) - -ifdef(`hide_broken_symptoms',` - kernel_rw_unlabeled_files(afs_t) -') - -######################################## -# -# AFS bossserver local policy -# - -allow afs_bosserver_t self:process { setsched signal_perms }; -allow afs_bosserver_t self:tcp_socket create_stream_socket_perms; -allow afs_bosserver_t self:udp_socket create_socket_perms; - -can_exec(afs_bosserver_t, afs_bosserver_exec_t) - -manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t) -manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t) - -allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms; - -allow afs_bosserver_t afs_fsserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t) - -allow afs_bosserver_t afs_kaserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t) - -allow afs_bosserver_t afs_logfile_t:file manage_file_perms; -allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms; - -allow afs_bosserver_t afs_ptserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t) - -allow afs_bosserver_t afs_vlserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) - -kernel_read_kernel_sysctls(afs_bosserver_t) - -corenet_all_recvfrom_unlabeled(afs_bosserver_t) -corenet_all_recvfrom_netlabel(afs_bosserver_t) -corenet_tcp_sendrecv_generic_if(afs_bosserver_t) -corenet_udp_sendrecv_generic_if(afs_bosserver_t) -corenet_tcp_sendrecv_generic_node(afs_bosserver_t) -corenet_udp_sendrecv_generic_node(afs_bosserver_t) -corenet_tcp_sendrecv_all_ports(afs_bosserver_t) -corenet_udp_sendrecv_all_ports(afs_bosserver_t) -corenet_udp_bind_generic_node(afs_bosserver_t) -corenet_udp_bind_afs_bos_port(afs_bosserver_t) -corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) - -files_read_etc_files(afs_bosserver_t) -files_list_home(afs_bosserver_t) -files_read_usr_files(afs_bosserver_t) - -miscfiles_read_localization(afs_bosserver_t) - -seutil_read_config(afs_bosserver_t) - -sysnet_read_config(afs_bosserver_t) - -######################################## -# -# fileserver local policy -# - -allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; -dontaudit afs_fsserver_t self:capability fsetid; -allow afs_fsserver_t self:process { setsched signal_perms }; -allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; -allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; -allow afs_fsserver_t self:udp_socket create_socket_perms; - -read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) -allow afs_fsserver_t afs_config_t:dir list_dir_perms; - -manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t) -manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) - -allow afs_fsserver_t afs_files_t:filesystem getattr; -manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file }) - -can_exec(afs_fsserver_t, afs_fsserver_exec_t) - -manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t) - -kernel_read_system_state(afs_fsserver_t) -kernel_read_kernel_sysctls(afs_fsserver_t) - -corenet_tcp_sendrecv_generic_if(afs_fsserver_t) -corenet_udp_sendrecv_generic_if(afs_fsserver_t) -corenet_tcp_sendrecv_generic_node(afs_fsserver_t) -corenet_udp_sendrecv_generic_node(afs_fsserver_t) -corenet_tcp_sendrecv_all_ports(afs_fsserver_t) -corenet_udp_sendrecv_all_ports(afs_fsserver_t) -corenet_all_recvfrom_unlabeled(afs_fsserver_t) -corenet_all_recvfrom_netlabel(afs_fsserver_t) -corenet_tcp_bind_generic_node(afs_fsserver_t) -corenet_udp_bind_generic_node(afs_fsserver_t) -corenet_tcp_bind_afs_fs_port(afs_fsserver_t) -corenet_udp_bind_afs_fs_port(afs_fsserver_t) -corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) - -files_read_etc_files(afs_fsserver_t) -files_read_etc_runtime_files(afs_fsserver_t) -files_list_home(afs_fsserver_t) -files_read_usr_files(afs_fsserver_t) -files_list_pids(afs_fsserver_t) -files_dontaudit_search_mnt(afs_fsserver_t) - -fs_getattr_xattr_fs(afs_fsserver_t) - -term_dontaudit_use_console(afs_fsserver_t) - -init_dontaudit_use_script_fds(afs_fsserver_t) - -logging_send_syslog_msg(afs_fsserver_t) - -miscfiles_read_localization(afs_fsserver_t) - -seutil_read_config(afs_fsserver_t) - -sysnet_read_config(afs_fsserver_t) - -userdom_dontaudit_use_user_terminals(afs_fsserver_t) - -######################################## -# -# kaserver local policy -# - -allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms; -allow afs_kaserver_t self:tcp_socket create_stream_socket_perms; -allow afs_kaserver_t self:udp_socket create_socket_perms; - -manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t) - -manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t) -filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file) - -manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) - -kernel_read_kernel_sysctls(afs_kaserver_t) - -corenet_all_recvfrom_unlabeled(afs_kaserver_t) -corenet_all_recvfrom_netlabel(afs_kaserver_t) -corenet_tcp_sendrecv_generic_if(afs_kaserver_t) -corenet_udp_sendrecv_generic_if(afs_kaserver_t) -corenet_tcp_sendrecv_generic_node(afs_kaserver_t) -corenet_udp_sendrecv_generic_node(afs_kaserver_t) -corenet_tcp_sendrecv_all_ports(afs_kaserver_t) -corenet_udp_sendrecv_all_ports(afs_kaserver_t) -corenet_udp_bind_generic_node(afs_kaserver_t) -corenet_udp_bind_afs_ka_port(afs_kaserver_t) -corenet_udp_bind_kerberos_port(afs_kaserver_t) -corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t) -corenet_sendrecv_kerberos_server_packets(afs_kaserver_t) - -files_read_etc_files(afs_kaserver_t) -files_list_home(afs_kaserver_t) -files_read_usr_files(afs_kaserver_t) - -miscfiles_read_localization(afs_kaserver_t) - -seutil_read_config(afs_kaserver_t) - -sysnet_read_config(afs_kaserver_t) - -userdom_dontaudit_use_user_terminals(afs_kaserver_t) - -######################################## -# -# ptserver local policy -# - -allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; -allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; -allow afs_ptserver_t self:udp_socket create_socket_perms; - -read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t) -allow afs_ptserver_t afs_config_t:dir list_dir_perms; - -manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) - -manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) -filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) - -corenet_all_recvfrom_unlabeled(afs_ptserver_t) -corenet_all_recvfrom_netlabel(afs_ptserver_t) -corenet_tcp_sendrecv_generic_if(afs_ptserver_t) -corenet_udp_sendrecv_generic_if(afs_ptserver_t) -corenet_tcp_sendrecv_generic_node(afs_ptserver_t) -corenet_udp_sendrecv_generic_node(afs_ptserver_t) -corenet_tcp_sendrecv_all_ports(afs_ptserver_t) -corenet_udp_sendrecv_all_ports(afs_ptserver_t) -corenet_udp_bind_generic_node(afs_ptserver_t) -corenet_udp_bind_afs_pt_port(afs_ptserver_t) -corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) - -files_read_etc_files(afs_ptserver_t) - -miscfiles_read_localization(afs_ptserver_t) - -sysnet_read_config(afs_ptserver_t) - -userdom_dontaudit_use_user_terminals(afs_ptserver_t) - -######################################## -# -# vlserver local policy -# - -allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; -allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; -allow afs_vlserver_t self:udp_socket create_socket_perms; - -read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t) -allow afs_vlserver_t afs_config_t:dir list_dir_perms; - -manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) - -manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) -filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) - -corenet_all_recvfrom_unlabeled(afs_vlserver_t) -corenet_all_recvfrom_netlabel(afs_vlserver_t) -corenet_tcp_sendrecv_generic_if(afs_vlserver_t) -corenet_udp_sendrecv_generic_if(afs_vlserver_t) -corenet_tcp_sendrecv_generic_node(afs_vlserver_t) -corenet_udp_sendrecv_generic_node(afs_vlserver_t) -corenet_tcp_sendrecv_all_ports(afs_vlserver_t) -corenet_udp_sendrecv_all_ports(afs_vlserver_t) -corenet_udp_bind_generic_node(afs_vlserver_t) -corenet_udp_bind_afs_vl_port(afs_vlserver_t) -corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t) - -files_read_etc_files(afs_vlserver_t) - -miscfiles_read_localization(afs_vlserver_t) - -sysnet_read_config(afs_vlserver_t) - -userdom_dontaudit_use_user_terminals(afs_vlserver_t) diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc deleted file mode 100644 index 069518f..0000000 --- a/policy/modules/services/aiccu.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0) -/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) - -/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) - -/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if deleted file mode 100644 index 6bf0ad6..0000000 --- a/policy/modules/services/aiccu.if +++ /dev/null @@ -1,116 +0,0 @@ -## Automatic IPv6 Connectivity Client Utility. - -######################################## -## -## Execute a domain transition to run aiccu. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`aiccu_domtrans',` - gen_require(` - type aiccu_t, aiccu_exec_t; - ') - - domtrans_pattern($1, aiccu_exec_t, aiccu_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute aiccu server in the aiccu domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`aiccu_initrc_domtrans',` - gen_require(` - type aiccu_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, aiccu_initrc_exec_t) -') - -######################################## -## -## Read aiccu PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`aiccu_read_pid_files',` - gen_require(` - type aiccu_var_run_t; - ') - - allow $1 aiccu_var_run_t:file read_file_perms; - files_search_pids($1) -') - -######################################## -## -## Manage aiccu PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`aiccu_manage_var_run',` - gen_require(` - type aiccu_var_run_t; - ') - - manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t) - manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) - manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) - files_search_pids($1) -') - -######################################## -## -## All of the rules required to administrate -## an aiccu environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`aiccu_admin',` - gen_require(` - type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t; - type aiccu_var_run_t; - ') - - allow $1 aiccu_t:process { ptrace signal_perms }; - ps_process_pattern($1, aiccu_t) - - aiccu_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 aiccu_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, aiccu_etc_t) - files_list_etc($1) - - admin_pattern($1, aiccu_var_run_t) - files_list_pids($1) -') diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te deleted file mode 100644 index 4b9dc88..0000000 --- a/policy/modules/services/aiccu.te +++ /dev/null @@ -1,71 +0,0 @@ -policy_module(aiccu, 1.0.0) - -######################################## -# -# Declarations -# - -type aiccu_t; -type aiccu_exec_t; -init_daemon_domain(aiccu_t, aiccu_exec_t) - -type aiccu_initrc_exec_t; -init_script_file(aiccu_initrc_exec_t) - -type aiccu_etc_t; -files_config_file(aiccu_etc_t) - -type aiccu_var_run_t; -files_pid_file(aiccu_var_run_t) - -######################################## -# -# aiccu local policy -# - -allow aiccu_t self:capability { kill net_admin net_raw }; -dontaudit aiccu_t self:capability sys_tty_config; -allow aiccu_t self:process signal; -allow aiccu_t self:fifo_file rw_fifo_file_perms; -allow aiccu_t self:netlink_route_socket create_netlink_socket_perms; -allow aiccu_t self:tcp_socket create_stream_socket_perms; -allow aiccu_t self:tun_socket create_socket_perms; -allow aiccu_t self:udp_socket create_stream_socket_perms; -allow aiccu_t self:unix_stream_socket create_stream_socket_perms; - -allow aiccu_t aiccu_etc_t:file read_file_perms; - -manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) - -kernel_read_system_state(aiccu_t) - -corecmd_exec_shell(aiccu_t) - -corenet_all_recvfrom_netlabel(aiccu_t) -corenet_all_recvfrom_unlabeled(aiccu_t) -corenet_tcp_bind_generic_node(aiccu_t) -corenet_tcp_sendrecv_generic_if(aiccu_t) -corenet_tcp_sendrecv_generic_node(aiccu_t) -corenet_tcp_sendrecv_generic_port(aiccu_t) -corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) -corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) -corenet_tcp_connect_sixxsconfig_port(aiccu_t) -corenet_rw_tun_tap_dev(aiccu_t) - -domain_use_interactive_fds(aiccu_t) - -dev_read_rand(aiccu_t) -dev_read_urand(aiccu_t) - -files_read_etc_files(aiccu_t) - -logging_send_syslog_msg(aiccu_t) - -miscfiles_read_localization(aiccu_t) - -modutils_domtrans_insmod(aiccu_t) - -sysnet_domtrans_ifconfig(aiccu_t) -sysnet_dns_name_resolve(aiccu_t) diff --git a/policy/modules/services/aide.fc b/policy/modules/services/aide.fc deleted file mode 100644 index 7798464..0000000 --- a/policy/modules/services/aide.fc +++ /dev/null @@ -1,6 +0,0 @@ -/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh) - -/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) - -/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) -/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if deleted file mode 100644 index 0b0db39..0000000 --- a/policy/modules/services/aide.if +++ /dev/null @@ -1,72 +0,0 @@ -## Aide filesystem integrity checker - -######################################## -## -## Execute aide in the aide domain -## -## -## -## Domain allowed to transition. -## -## -# -interface(`aide_domtrans',` - gen_require(` - type aide_t, aide_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, aide_exec_t, aide_t) -') - -######################################## -## -## Execute aide programs in the AIDE domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the AIDE domain. -## -## -## -# -interface(`aide_run',` - gen_require(` - type aide_t; - ') - - aide_domtrans($1) - role $2 types aide_t; -') - -######################################## -## -## All of the rules required to administrate -## an aide environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`aide_admin',` - gen_require(` - type aide_t, aide_db_t, aide_log_t; - ') - - allow $1 aide_t:process { ptrace signal_perms }; - ps_process_pattern($1, aide_t) - - files_list_etc($1) - admin_pattern($1, aide_db_t) - - logging_list_logs($1) - admin_pattern($1, aide_log_t) -') diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te deleted file mode 100644 index 4f37ca6..0000000 --- a/policy/modules/services/aide.te +++ /dev/null @@ -1,40 +0,0 @@ -policy_module(aide, 1.5.0) - -######################################## -# -# Declarations -# - -type aide_t; -type aide_exec_t; -application_domain(aide_t, aide_exec_t) - -# log files -type aide_log_t; -logging_log_file(aide_log_t) - -# aide database -type aide_db_t; -files_type(aide_db_t) - -######################################## -# -# aide local policy -# - -allow aide_t self:capability { dac_override fowner }; - -# database actions -manage_files_pattern(aide_t, aide_db_t, aide_db_t) - -# logs -manage_files_pattern(aide_t, aide_log_t, aide_log_t) -logging_log_filetrans(aide_t, aide_log_t, file) - -files_read_all_files(aide_t) - -logging_send_audit_msgs(aide_t) - -seutil_use_newrole_fds(aide_t) - -userdom_use_user_terminals(aide_t) diff --git a/policy/modules/services/aisexec.fc b/policy/modules/services/aisexec.fc deleted file mode 100644 index 7b4f4b9..0000000 --- a/policy/modules/services/aisexec.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) - -/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0) - -/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0) - -/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) - -/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if deleted file mode 100644 index af5d229..0000000 --- a/policy/modules/services/aisexec.if +++ /dev/null @@ -1,106 +0,0 @@ -## Aisexec Cluster Engine - -######################################## -## -## Execute a domain transition to run aisexec. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`aisexec_domtrans',` - gen_require(` - type aisexec_t, aisexec_exec_t; - ') - - domtrans_pattern($1, aisexec_exec_t, aisexec_t) -') - -##################################### -## -## Connect to aisexec over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`aisexec_stream_connect',` - gen_require(` - type aisexec_t, aisexec_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t) -') - -####################################### -## -## Allow the specified domain to read aisexec's log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`aisexec_read_log',` - gen_require(` - type aisexec_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t) - read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t) -') - -###################################### -## -## All of the rules required to administrate -## an aisexec environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the aisexecd domain. -## -## -## -# -interface(`aisexecd_admin',` - gen_require(` - type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t; - type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t; - type aisexec_initrc_exec_t; - ') - - allow $1 aisexec_t:process { ptrace signal_perms }; - ps_process_pattern($1, aisexec_t) - - init_labeled_script_domtrans($1, aisexec_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 aisexec_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, aisexec_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, aisexec_var_log_t) - - files_list_pids($1) - admin_pattern($1, aisexec_var_run_t) - - files_list_tmp($1) - admin_pattern($1, aisexec_tmp_t) - - admin_pattern($1, aisexec_tmpfs_t) -') diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te deleted file mode 100644 index c24bd66..0000000 --- a/policy/modules/services/aisexec.te +++ /dev/null @@ -1,102 +0,0 @@ -policy_module(aisexec, 1.0.0) - -######################################## -# -# Declarations -# - -type aisexec_t; -type aisexec_exec_t; -init_daemon_domain(aisexec_t, aisexec_exec_t) - -type aisexec_initrc_exec_t; -init_script_file(aisexec_initrc_exec_t); - -type aisexec_tmp_t; -files_tmp_file(aisexec_tmp_t) - -type aisexec_tmpfs_t; -files_tmpfs_file(aisexec_tmpfs_t) - -type aisexec_var_lib_t; -files_type(aisexec_var_lib_t) - -type aisexec_var_log_t; -logging_log_file(aisexec_var_log_t) - -type aisexec_var_run_t; -files_pid_file(aisexec_var_run_t) - -######################################## -# -# aisexec local policy -# - -allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; -allow aisexec_t self:process { setrlimit setsched signal }; -allow aisexec_t self:fifo_file rw_fifo_file_perms; -allow aisexec_t self:sem create_sem_perms; -allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow aisexec_t self:unix_dgram_socket create_socket_perms; -allow aisexec_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) -manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) -files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir }) - -manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) -manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) -fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file }) - -manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) -manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) -manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) -files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file }) - -manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) -manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) -logging_log_filetrans(aisexec_t, aisexec_var_log_t, { sock_file file }) - -manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) -manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) -files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) - -kernel_read_system_state(aisexec_t) - -corecmd_exec_bin(aisexec_t) - -corenet_udp_bind_netsupport_port(aisexec_t) -corenet_tcp_bind_reserved_port(aisexec_t) -corenet_udp_bind_cluster_port(aisexec_t) - -dev_read_urand(aisexec_t) - -files_manage_mounttab(aisexec_t) - -auth_use_nsswitch(aisexec_t) - -init_rw_script_tmp_files(aisexec_t) - -logging_send_syslog_msg(aisexec_t) - -miscfiles_read_localization(aisexec_t) - -userdom_rw_semaphores(aisexec_t) -userdom_rw_unpriv_user_shared_mem(aisexec_t) - -optional_policy(` - ccs_stream_connect(aisexec_t) -') - -optional_policy(` - # to communication with RHCS - rhcs_rw_dlm_controld_semaphores(aisexec_t) - - rhcs_rw_fenced_semaphores(aisexec_t) - - rhcs_rw_gfs_controld_semaphores(aisexec_t) - rhcs_rw_gfs_controld_shm(aisexec_t) - - rhcs_rw_groupd_semaphores(aisexec_t) - rhcs_rw_groupd_shm(aisexec_t) -') diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc deleted file mode 100644 index aeb1888..0000000 --- a/policy/modules/services/ajaxterm.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0) - -/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0) - -/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0) diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if deleted file mode 100644 index 8e6e2c3..0000000 --- a/policy/modules/services/ajaxterm.if +++ /dev/null @@ -1,68 +0,0 @@ -## policy for ajaxterm - -######################################## -## -## Execute a domain transition to run ajaxterm. -## -## -## -## Domain allowed access. -## -## -# -interface(`ajaxterm_domtrans',` - gen_require(` - type ajaxterm_t, ajaxterm_exec_t; - ') - - domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t) -') - -######################################## -## -## Execute ajaxterm server in the ajaxterm domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ajaxterm_initrc_domtrans',` - gen_require(` - type ajaxterm_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an ajaxterm environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`ajaxterm_admin',` - gen_require(` - type ajaxterm_t, ajaxterm_initrc_exec_t; - ') - - allow $1 ajaxterm_t:process { ptrace signal_perms }; - ps_process_pattern($1, ajaxterm_t) - - ajaxterm_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ajaxterm_initrc_exec_t system_r; - allow $2 system_r; -') diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te deleted file mode 100644 index cf6af13..0000000 --- a/policy/modules/services/ajaxterm.te +++ /dev/null @@ -1,56 +0,0 @@ -policy_module(ajaxterm, 1.0.0) - -######################################## -# -# Declarations -# - -type ajaxterm_t; -type ajaxterm_exec_t; -init_daemon_domain(ajaxterm_t, ajaxterm_exec_t) - -type ajaxterm_initrc_exec_t; -init_script_file(ajaxterm_initrc_exec_t) - -type ajaxterm_var_run_t; -files_pid_file(ajaxterm_var_run_t) - -type ajaxterm_devpts_t; -term_login_pty(ajaxterm_devpts_t) - -permissive ajaxterm_t; - -######################################## -# -# ajaxterm local policy -# -allow ajaxterm_t self:capability setuid; -allow ajaxterm_t self:process setpgid; -allow ajaxterm_t self:fifo_file rw_fifo_file_perms; -allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms; -allow ajaxterm_t self:tcp_socket create_stream_socket_perms; - -allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom }; -term_create_pty(ajaxterm_t, ajaxterm_devpts_t) - -manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t) -manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t) -files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir }) - -kernel_read_system_state(ajaxterm_t) - -corecmd_exec_bin(ajaxterm_t) - -corenet_tcp_bind_generic_node(ajaxterm_t) -corenet_tcp_bind_ajaxterm_port(ajaxterm_t) - -dev_read_urand(ajaxterm_t) - -domain_use_interactive_fds(ajaxterm_t) - -files_read_etc_files(ajaxterm_t) -files_read_usr_files(ajaxterm_t) - -miscfiles_read_localization(ajaxterm_t) - -sysnet_dns_name_resolve(ajaxterm_t) diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc deleted file mode 100644 index d96fdfa..0000000 --- a/policy/modules/services/amavis.fc +++ /dev/null @@ -1,18 +0,0 @@ - -/etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0) -/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0) -/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) - -/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) -/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) - -ifdef(`distro_debian',` -/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) -') - -/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) -/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) -/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0) -/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) -/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0) -/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if deleted file mode 100644 index e31d92a..0000000 --- a/policy/modules/services/amavis.if +++ /dev/null @@ -1,261 +0,0 @@ -## -## Daemon that interfaces mail transfer agents and content -## checkers, such as virus scanners. -## - -######################################## -## -## Execute a domain transition to run amavis. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`amavis_domtrans',` - gen_require(` - type amavis_t, amavis_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amavis_exec_t, amavis_t) -') - -######################################## -## -## Execute amavis server in the amavis domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`amavis_initrc_domtrans',` - gen_require(` - type amavis_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, amavis_initrc_exec_t) -') - -######################################## -## -## Read amavis spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_read_spool_files',` - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, amavis_spool_t, amavis_spool_t) -') - -######################################## -## -## Manage amavis spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_manage_spool_files',` - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t) - manage_files_pattern($1, amavis_spool_t, amavis_spool_t) -') - -######################################## -## -## Create objects in the amavis spool directories -## with a private type. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Class of the object being created. -## -## -# -interface(`amavis_spool_filetrans',` - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - filetrans_pattern($1, amavis_spool_t, $2, $3) -') - -######################################## -## -## Search amavis lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_search_lib',` - gen_require(` - type amavis_var_lib_t; - ') - - allow $1 amavis_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read amavis lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_read_lib_files',` - gen_require(` - type amavis_var_lib_t; - ') - - read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) - allow $1 amavis_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Create, read, write, and delete -## amavis lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_manage_lib_files',` - gen_require(` - type amavis_var_lib_t; - ') - - manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Set the attributes of amavis pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_setattr_pid_files',` - gen_require(` - type amavis_var_run_t; - ') - - allow $1 amavis_var_run_t:file setattr_file_perms; - files_search_pids($1) -') - -######################################## -## -## Create of amavis pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_create_pid_files',` - gen_require(` - type amavis_var_run_t; - ') - - allow $1 amavis_var_run_t:file create_file_perms; - files_search_pids($1) -') - -######################################## -## -## All of the rules required to administrate -## an amavis environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`amavis_admin',` - gen_require(` - type amavis_t, amavis_tmp_t, amavis_var_log_t; - type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t; - type amavis_etc_t, amavis_quarantine_t; - type amavis_initrc_exec_t; - ') - - allow $1 amavis_t:process { ptrace signal_perms }; - ps_process_pattern($1, amavis_t) - - amavis_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 amavis_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, amavis_etc_t) - - admin_pattern($1, amavis_quarantine_t) - - files_list_spool($1) - admin_pattern($1, amavis_spool_t) - - files_list_tmp($1) - admin_pattern($1, amavis_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, amavis_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, amavis_var_log_t) - - files_list_pids($1) - admin_pattern($1, amavis_var_run_t) -') diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te deleted file mode 100644 index ec40291..0000000 --- a/policy/modules/services/amavis.te +++ /dev/null @@ -1,189 +0,0 @@ -policy_module(amavis, 1.11.0) - -######################################## -# -# Declarations -# - -type amavis_t; -type amavis_exec_t; -domain_type(amavis_t) -init_daemon_domain(amavis_t, amavis_exec_t) - -# configuration files -type amavis_etc_t; -files_config_file(amavis_etc_t) - -type amavis_initrc_exec_t; -init_script_file(amavis_initrc_exec_t) - -# pid files -type amavis_var_run_t; -files_pid_file(amavis_var_run_t) - -# var/lib files -type amavis_var_lib_t; -files_type(amavis_var_lib_t) - -# log files -type amavis_var_log_t; -logging_log_file(amavis_var_log_t) - -# tmp files -type amavis_tmp_t; -files_tmp_file(amavis_tmp_t) - -# virus quarantine -type amavis_quarantine_t; -files_type(amavis_quarantine_t) - -type amavis_spool_t; -files_type(amavis_spool_t) - -######################################## -# -# amavis local policy -# - -allow amavis_t self:capability { kill chown dac_override setgid setuid }; -dontaudit amavis_t self:capability sys_tty_config; -allow amavis_t self:process { signal sigchld signull }; -allow amavis_t self:fifo_file rw_fifo_file_perms; -allow amavis_t self:unix_stream_socket create_stream_socket_perms; -allow amavis_t self:unix_dgram_socket create_socket_perms; -allow amavis_t self:tcp_socket { listen accept }; -allow amavis_t self:netlink_route_socket r_netlink_socket_perms; - -# configuration files -allow amavis_t amavis_etc_t:dir list_dir_perms; -read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) -read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) - -can_exec(amavis_t, amavis_exec_t) - -# mail quarantine -manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) -manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) -manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) - -# Spool Files -manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) -files_search_spool(amavis_t) - -# tmp files -manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) -allow amavis_t amavis_tmp_t:dir setattr_dir_perms; -files_tmp_filetrans(amavis_t, amavis_tmp_t, file) - -# var/lib files for amavis -manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -files_search_var_lib(amavis_t) - -# log files -allow amavis_t amavis_var_log_t:dir setattr_dir_perms; -manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) -manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) -logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) - -# pid file -manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) -manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) -manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) -files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(amavis_t) -# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... -kernel_dontaudit_list_proc(amavis_t) -kernel_dontaudit_read_proc_symlinks(amavis_t) -kernel_dontaudit_read_system_state(amavis_t) - -# find perl -corecmd_exec_bin(amavis_t) - -corenet_all_recvfrom_unlabeled(amavis_t) -corenet_all_recvfrom_netlabel(amavis_t) -corenet_tcp_sendrecv_generic_if(amavis_t) -corenet_tcp_sendrecv_generic_node(amavis_t) -corenet_tcp_bind_generic_node(amavis_t) -corenet_udp_bind_generic_node(amavis_t) -# amavis uses well-defined ports -corenet_tcp_sendrecv_amavisd_recv_port(amavis_t) -corenet_tcp_sendrecv_amavisd_send_port(amavis_t) -# just the other side not. ;-) -corenet_tcp_sendrecv_all_ports(amavis_t) -# connect to backchannel port -corenet_tcp_connect_amavisd_send_port(amavis_t) -# bind to incoming port -corenet_tcp_bind_amavisd_recv_port(amavis_t) -corenet_udp_bind_generic_port(amavis_t) -corenet_dontaudit_udp_bind_all_ports(amavis_t) -corenet_tcp_connect_razor_port(amavis_t) - -dev_read_rand(amavis_t) -dev_read_urand(amavis_t) - -domain_use_interactive_fds(amavis_t) - -files_read_etc_files(amavis_t) -files_read_etc_runtime_files(amavis_t) -files_read_usr_files(amavis_t) - -fs_getattr_xattr_fs(amavis_t) - -auth_dontaudit_read_shadow(amavis_t) - -# uses uptime which reads utmp - redhat bug 561383 -init_read_utmp(amavis_t) -init_stream_connect_script(amavis_t) - -logging_send_syslog_msg(amavis_t) - -miscfiles_read_generic_certs(amavis_t) -miscfiles_read_localization(amavis_t) - -sysnet_dns_name_resolve(amavis_t) -sysnet_use_ldap(amavis_t) - -userdom_dontaudit_search_user_home_dirs(amavis_t) - -# Cron handling -cron_use_fds(amavis_t) -cron_use_system_job_fds(amavis_t) -cron_rw_pipes(amavis_t) - -mta_read_config(amavis_t) - -optional_policy(` - clamav_stream_connect(amavis_t) - clamav_domtrans_clamscan(amavis_t) -') - -optional_policy(` - dcc_domtrans_client(amavis_t) - dcc_stream_connect_dccifd(amavis_t) -') - -optional_policy(` - postfix_read_config(amavis_t) -') - -optional_policy(` - pyzor_domtrans(amavis_t) - pyzor_signal(amavis_t) -') - -optional_policy(` - razor_domtrans(amavis_t) -') - -optional_policy(` - spamassassin_exec(amavis_t) - spamassassin_exec_client(amavis_t) - spamassassin_read_lib_files(amavis_t) -') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc deleted file mode 100644 index 8603d4d..0000000 --- a/policy/modules/services/apache.fc +++ /dev/null @@ -1,123 +0,0 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) - -/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) -/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) -/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) -/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - -/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) -/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - -/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - -/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) -/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) - -/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - -/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) -/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - -ifdef(`distro_suse', ` -/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) -') - -/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - -/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) - -/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) - -/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - -ifdef(`distro_debian', ` -/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -') - -/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) - -/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) - -/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - -/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - -/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - -/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - -/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) - -/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if deleted file mode 100644 index 6918ff2..0000000 --- a/policy/modules/services/apache.if +++ /dev/null @@ -1,1407 +0,0 @@ -## Apache web server - -######################################## -## -## Create a set of derived types for apache -## web content. -## -## -## -## The prefix to be used for deriving type names. -## -## -# -template(`apache_content_template',` - gen_require(` - attribute httpd_exec_scripts, httpd_script_exec_type; - type httpd_t, httpd_suexec_t, httpd_log_t; - type httpd_sys_content_t; - ') - - #This type is for webpages - type httpd_$1_content_t; # customizable; - typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - files_type(httpd_$1_content_t) - - # This type is used for .htaccess files - type httpd_$1_htaccess_t; # customizable; - files_type(httpd_$1_htaccess_t) - - # Type that CGI scripts run as - type httpd_$1_script_t; - domain_type(httpd_$1_script_t) - role system_r types httpd_$1_script_t; - - search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type) - - # This type is used for executable scripts files - type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; - corecmd_shell_entry_type(httpd_$1_script_t) - domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - - type httpd_$1_rw_content_t; # customizable - typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; - files_type(httpd_$1_rw_content_t) - - type httpd_$1_ra_content_t; # customizable - typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; - files_type(httpd_$1_ra_content_t) - - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) - - allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; - allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; - - allow httpd_$1_script_t self:fifo_file rw_file_perms; - allow httpd_$1_script_t self:unix_stream_socket connectto; - - allow httpd_$1_script_t httpd_t:fifo_file write; - # apache should set close-on-exec - dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; - - # Allow the script process to search the cgi directory, and users directory - allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; - - append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) - logging_search_logs(httpd_$1_script_t) - - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - - allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; - read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - - allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - - kernel_dontaudit_search_sysctl(httpd_$1_script_t) - kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) - - dev_read_rand(httpd_$1_script_t) - dev_read_urand(httpd_$1_script_t) - - corecmd_exec_all_executables(httpd_$1_script_t) - application_exec_all(httpd_$1_script_t) - - files_exec_etc_files(httpd_$1_script_t) - files_read_etc_files(httpd_$1_script_t) - files_search_home(httpd_$1_script_t) - - libs_exec_ld_so(httpd_$1_script_t) - libs_exec_lib_files(httpd_$1_script_t) - - miscfiles_read_fonts(httpd_$1_script_t) - miscfiles_read_public_files(httpd_$1_script_t) - - seutil_dontaudit_search_config(httpd_$1_script_t) - - # Allow the web server to run scripts and serve pages - tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - - allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; - read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - - allow httpd_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - - allow httpd_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - allow httpd_t httpd_$1_script_t:unix_stream_socket connectto; - ') - - tunable_policy(`httpd_enable_cgi',` - allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; - - domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - - # privileged users run the script: - domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) - - allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; - - # apache runs the script: - domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) - - allow httpd_t httpd_$1_script_exec_t:file read_file_perms; - - allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; - allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; - - allow httpd_$1_script_t self:process { setsched signal_perms }; - allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; - allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms; - - allow httpd_$1_script_t httpd_t:fd use; - allow httpd_$1_script_t httpd_t:process sigchld; - - dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write }; - - kernel_read_system_state(httpd_$1_script_t) - - dev_read_urand(httpd_$1_script_t) - - fs_getattr_xattr_fs(httpd_$1_script_t) - - files_read_etc_runtime_files(httpd_$1_script_t) - files_read_usr_files(httpd_$1_script_t) - - libs_read_lib_files(httpd_$1_script_t) - - miscfiles_read_localization(httpd_$1_script_t) - allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms; - ') - - optional_policy(` - tunable_policy(`httpd_enable_cgi && allow_ypbind',` - nis_use_ypbind_uncond(httpd_$1_script_t) - ') - ') - - optional_policy(` - postgresql_unpriv_client(httpd_$1_script_t) - ') - - optional_policy(` - nscd_socket_use(httpd_$1_script_t) - ') -') - -######################################## -## -## Role access for apache -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`apache_role',` - gen_require(` - attribute httpdcontent; - type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t; - type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t; - ') - - role $1 types httpd_user_script_t; - - allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; - - allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; - - manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - - manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) - manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) - manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) - relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) - relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) - relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) - - manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - - manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - - apache_exec_modules($2) - - tunable_policy(`httpd_enable_cgi',` - # If a user starts a script by hand it gets the proper context - domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($2, httpdcontent, httpd_user_script_t) - ') -') - -######################################## -## -## Read httpd user scripts executables. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_user_scripts',` - gen_require(` - type httpd_user_script_exec_t; - ') - - allow $1 httpd_user_script_exec_t:dir list_dir_perms; - read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) - read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) -') - -######################################## -## -## Read user web content. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_user_content',` - gen_require(` - type httpd_user_content_t; - ') - - allow $1 httpd_user_content_t:dir list_dir_perms; - read_files_pattern($1, httpd_user_content_t, httpd_user_content_t) - read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) -') - -######################################## -## -## Transition to apache. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apache_domtrans',` - gen_require(` - type httpd_t, httpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_exec_t, httpd_t) -') - -###################################### -## -## Allow the specified domain to execute apache -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_exec',` - gen_require(` - type httpd_exec_t; - ') - - can_exec($1, httpd_exec_t) -') - -####################################### -## -## Send a generic signal to apache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_signal',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process signal; -') - -######################################## -## -## Send a null signal to apache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_signull',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process signull; -') - -######################################## -## -## Send a SIGCHLD signal to apache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_sigchld',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process sigchld; -') - -######################################## -## -## Inherit and use file descriptors from Apache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_use_fds',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:fd use; -') - -######################################## -## -## Do not audit attempts to read and write Apache -## unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_rw_fifo_file',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write Apache -## unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_rw_stream_sockets',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:unix_stream_socket { read write }; -') - -######################################## -## -## Do not audit attempts to read and write Apache -## TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_rw_tcp_sockets',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:tcp_socket { read write }; -') - -######################################## -## -## Create, read, write, and delete all web content. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_manage_all_content',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - ') - - manage_dirs_pattern($1, httpdcontent, httpdcontent) - manage_files_pattern($1, httpdcontent, httpdcontent) - manage_lnk_files_pattern($1, httpdcontent, httpdcontent) - - manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) -') - -######################################## -## -## Allow domain to set the attributes -## of the APACHE cache directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_setattr_cache_dirs',` - gen_require(` - type httpd_cache_t; - ') - - allow $1 httpd_cache_t:dir setattr_dir_perms; -') - -######################################## -## -## Allow the specified domain to list -## Apache cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_list_cache',` - gen_require(` - type httpd_cache_t; - ') - - list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## -## Allow the specified domain to read -## and write Apache cache files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_rw_cache_files',` - gen_require(` - type httpd_cache_t; - ') - - allow $1 httpd_cache_t:file rw_file_perms; -') - -######################################## -## -## Allow the specified domain to delete -## Apache cache dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_delete_cache_dirs',` - gen_require(` - type httpd_cache_t; - ') - - delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## -## Allow the specified domain to delete -## Apache cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_delete_cache_files',` - gen_require(` - type httpd_cache_t; - ') - - delete_files_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## -## Allow the specified domain to search -## apache configuration dirs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_search_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - allow $1 httpd_config_t:dir search_dir_perms; -') - -######################################## -## -## Allow the specified domain to read -## apache configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_read_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - allow $1 httpd_config_t:dir list_dir_perms; - read_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) -') - -######################################## -## -## Allow the specified domain to manage -## apache configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_manage_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, httpd_config_t, httpd_config_t) - manage_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) -') - -######################################## -## -## Execute the Apache helper program with -## a domain transition. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_domtrans_helper',` - gen_require(` - type httpd_helper_t, httpd_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t) -') - -######################################## -## -## Execute the Apache helper program with -## a domain transition, and allow the -## specified role the Apache helper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`apache_run_helper',` - gen_require(` - type httpd_helper_t; - ') - - apache_domtrans_helper($1) - role $2 types httpd_helper_t; -') - -######################################## -## -## Allow the specified domain to read -## apache log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_read_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - allow $1 httpd_log_t:dir list_dir_perms; - read_files_pattern($1, httpd_log_t, httpd_log_t) - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## -## Allow the specified domain to append -## to apache log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_append_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - allow $1 httpd_log_t:dir list_dir_perms; - append_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## -## Do not audit attempts to append to the -## Apache logs. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_append_log',` - gen_require(` - type httpd_log_t; - ') - - dontaudit $1 httpd_log_t:file append_file_perms; -') - -######################################## -## -## Allow the specified domain to manage -## to apache log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_manage_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, httpd_log_t, httpd_log_t) - manage_files_pattern($1, httpd_log_t, httpd_log_t) - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## -## Do not audit attempts to search Apache -## module directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_search_modules',` - gen_require(` - type httpd_modules_t; - ') - - dontaudit $1 httpd_modules_t:dir search_dir_perms; -') - -######################################## -## -## Allow the specified domain to read -## the apache module directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_modules',` - gen_require(` - type httpd_modules_t; - ') - - read_files_pattern($1, httpd_modules_t, httpd_modules_t) -') - -######################################## -## -## Allow the specified domain to list -## the contents of the apache modules -## directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_list_modules',` - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; - read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) -') - -######################################## -## -## Allow the specified domain to execute -## apache modules. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_exec_modules',` - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; - allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; - can_exec($1, httpd_modules_t) -') - -######################################## -## -## Execute a domain transition to run httpd_rotatelogs. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apache_domtrans_rotatelogs',` - gen_require(` - type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; - ') - - domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) -') - -######################################## -## -## Allow the specified domain to list -## apache system content files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_list_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - files_search_var($1) -') - -######################################## -## -## Allow the specified domain to manage -## apache system content files. -## -## -## -## Domain allowed access. -## -## -## -# -# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr -interface(`apache_manage_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) -') - -###################################### -## -## Allow the specified domain to read -## apache system content rw files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_read_sys_content_rw_files',` - gen_require(` - type httpd_sys_rw_content_t; - ') - - read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -') - -###################################### -## -## Allow the specified domain to manage -## apache system content rw files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_manage_sys_content_rw',` - gen_require(` - type httpd_sys_rw_content_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -') - -######################################## -## -## Allow the specified domain to delete -## apache system content rw files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_delete_sys_content_rw',` - gen_require(` - type httpd_sys_rw_content_t; - ') - - files_search_tmp($1) - delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -') - -######################################## -## -## Execute all web scripts in the system -## script domain. -## -## -## -## Domain allowed to transition. -## -## -# -# cjp: this interface specifically added to allow -# sysadm_t to run scripts -interface(`apache_domtrans_sys_script',` - gen_require(` - attribute httpdcontent; - type httpd_sys_script_t, httpd_sys_content_t; - ') - - tunable_policy(`httpd_enable_cgi',` - domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($1, httpdcontent, httpd_sys_script_t) - ') -') - -######################################## -## -## Do not audit attempts to read and write Apache -## system script unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_rw_sys_script_stream_sockets',` - gen_require(` - type httpd_sys_script_t; - ') - - dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; -') - -######################################## -## -## Execute all user scripts in the user -## script domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apache_domtrans_all_scripts',` - gen_require(` - attribute httpd_exec_scripts; - ') - - typeattribute $1 httpd_exec_scripts; -') - -######################################## -## -## Execute all user scripts in the user -## script domain. Add user script domains -## to the specified role. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`apache_run_all_scripts',` - gen_require(` - attribute httpd_exec_scripts, httpd_script_domains; - ') - - role $2 types httpd_script_domains; - apache_domtrans_all_scripts($1) -') - -######################################## -## -## Allow the specified domain to read -## apache squirrelmail data. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_squirrelmail_data',` - gen_require(` - type httpd_squirrelmail_t; - ') - - read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) -') - -######################################## -## -## Allow the specified domain to append -## apache squirrelmail data. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_append_squirrelmail_data',` - gen_require(` - type httpd_squirrelmail_t; - ') - - allow $1 httpd_squirrelmail_t:file append_file_perms; -') - -######################################## -## -## Search apache system content. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_search_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - allow $1 httpd_sys_content_t:dir search_dir_perms; -') - -######################################## -## -## Read apache system content. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - allow $1 httpd_sys_content_t:dir list_dir_perms; - read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) -') - -######################################## -## -## Search apache system CGI directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_search_sys_scripts',` - gen_require(` - type httpd_sys_content_t, httpd_sys_script_exec_t; - ') - - search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) -') - -######################################## -## -## Create, read, write, and delete all user web content. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_manage_all_user_content',` - gen_require(` - attribute httpd_user_content_type, httpd_user_script_exec_type; - ') - - manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) - manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) - manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) - - manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) - manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) - manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) -') - -######################################## -## -## Search system script state directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_search_sys_script_state',` - gen_require(` - type httpd_sys_script_t; - ') - - allow $1 httpd_sys_script_t:dir search_dir_perms; -') - -######################################## -## -## Allow the specified domain to read -## apache tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_tmp_files',` - gen_require(` - type httpd_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) -') - -###################################### -## -## Dontaudit attempts to read and write -## apache tmp files. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_rw_tmp_files',` - gen_require(` - type httpd_tmp_t; - ') - - dontaudit $1 httpd_tmp_t:file { read write }; -') - -######################################## -## -## Dontaudit attempts to write -## apache tmp files. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_write_tmp_files',` - gen_require(` - type httpd_tmp_t; - ') - - dontaudit $1 httpd_tmp_t:file write; -') - -######################################## -## -## Execute CGI in the specified domain. -## -## -##

-## Execute CGI in the specified domain. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain run the cgi script in. -## -## -## -## -## Type of the executable to enter the cgi domain. -## -## -# -interface(`apache_cgi_domain',` - gen_require(` - type httpd_t, httpd_sys_script_exec_t; - ') - - domtrans_pattern(httpd_t, $2, $1) - apache_search_sys_scripts($1) - - allow httpd_t $1:process signal; -') - -######################################## -## -## All of the rules required to administrate an apache environment -## -## -## -## Prefix of the domain. Example, user would be -## the prefix for the uder_t domain. -## -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`apache_admin',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - type httpd_t, httpd_config_t, httpd_log_t; - type httpd_modules_t, httpd_lock_t, httpd_bool_t; - type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; - type httpd_suexec_tmp_t, httpd_tmp_t; - ') - - allow $1 httpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, httpd_t) - - init_labeled_script_domtrans($1, httpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 httpd_initrc_exec_t system_r; - allow $2 system_r; - - apache_manage_all_content($1) - miscfiles_manage_public_files($1) - - files_list_etc($1) - admin_pattern($1, httpd_config_t) - - logging_list_logs($1) - admin_pattern($1, httpd_log_t) - - admin_pattern($1, httpd_modules_t) - - admin_pattern($1, httpd_lock_t) - files_lock_filetrans($1, httpd_lock_t, file) - - admin_pattern($1, httpd_var_run_t) - files_pid_filetrans($1, httpd_var_run_t, file) - - admin_pattern($1, httpdcontent) - admin_pattern($1, httpd_script_exec_type) - - seutil_domtrans_setfiles($1) - - files_list_tmp($1) - admin_pattern($1, httpd_tmp_t) - admin_pattern($1, httpd_php_tmp_t) - admin_pattern($1, httpd_suexec_tmp_t) - - ifdef(`TODO',` - apache_set_booleans($1, $2, $3, httpd_bool_t) - seutil_setsebool_role_template($1, $3, $2) - allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; - allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; - ') -') - -######################################## -## -## dontaudit read and write an leaked file descriptors -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_leaks',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; - dontaudit $1 httpd_t:tcp_socket { read write }; - dontaudit $1 httpd_t:unix_dgram_socket { read write }; - dontaudit $1 httpd_t:unix_stream_socket { read write }; -') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te deleted file mode 100644 index 410ff39..0000000 --- a/policy/modules/services/apache.te +++ /dev/null @@ -1,1192 +0,0 @@ -policy_module(apache, 2.2.0) - -# -# NOTES: -# This policy will work with SUEXEC enabled as part of the Apache -# configuration. However, the user CGI scripts will run under the -# system_u:system_r:httpd_user_script_t. -# -# The user CGI scripts must be labeled with the httpd_user_script_exec_t -# type, and the directory containing the scripts should also be labeled -# with these types. This policy allows the user role to perform that -# relabeling. If it is desired that only admin role should be able to relabel -# the user CGI scripts, then relabel rule for user roles should be removed. -# - -######################################## -# -# Declarations -# - -selinux_genbool(httpd_bool_t) - -## -##

-## Allow Apache to modify public files -## used for public file transfer services. Directories/Files must -## be labeled public_content_rw_t. -##

-##
-gen_tunable(allow_httpd_anon_write, false) - -## -##

-## Allow Apache to use mod_auth_pam -##

-##
-gen_tunable(allow_httpd_mod_auth_pam, false) - -## -##

-## Allow Apache to use mod_auth_pam -##

-##
-gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) - -## -##

-## Allow httpd scripts and modules execmem/execstack -##

-##
-gen_tunable(httpd_execmem, false) - -## -##

-## Allow httpd daemon to change system limits -##

-##
-gen_tunable(httpd_setrlimit, false) - -## -##

-## Allow httpd to use built in scripting (usually php) -##

-##
-gen_tunable(httpd_builtin_scripting, false) - -## -##

-## Allow HTTPD scripts and modules to connect to the network using any TCP port. -##

-##
-gen_tunable(httpd_can_network_connect, false) - -## -##

-## Allow HTTPD scripts and modules to connect to cobbler over the network. -##

-##
-gen_tunable(httpd_can_network_connect_cobbler, false) - -## -##

-## Allow HTTPD scripts and modules to connect to databases over the network. -##

-##
-gen_tunable(httpd_can_network_connect_db, false) - -## -##

-## Allow httpd to connect to memcache server -##

-##
-gen_tunable(httpd_can_network_memcache, false) - -## -##

-## Allow httpd to act as a relay -##

-##
-gen_tunable(httpd_can_network_relay, false) - -## -##

-## Allow http daemon to send mail -##

-##
-gen_tunable(httpd_can_sendmail, false) - -## -##

-## Allow http daemon to check spam -##

-##
-gen_tunable(httpd_can_check_spam, false) - -## -##

-## Allow Apache to communicate with avahi service via dbus -##

-##
-gen_tunable(httpd_dbus_avahi, false) - -## -##

-## Allow httpd to execute cgi scripts -##

-##
-gen_tunable(httpd_enable_cgi, false) - -## -##

-## Allow httpd to act as a FTP server by -## listening on the ftp port. -##

-##
-gen_tunable(httpd_enable_ftp_server, false) - -## -##

-## Allow httpd to read home directories -##

-##
-gen_tunable(httpd_enable_homedirs, false) - -## -##

-## Allow httpd to read user content -##

-##
-gen_tunable(httpd_read_user_content, false) - -## -##

-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. -##

-##
-gen_tunable(httpd_ssi_exec, false) - -## -##

-## Allow Apache to execute tmp content. -##

-##
-gen_tunable(httpd_tmp_exec, false) - -## -##

-## Unify HTTPD to communicate with the terminal. -## Needed for entering the passphrase for certificates at -## the terminal. -##

-##
-gen_tunable(httpd_tty_comm, false) - -## -##

-## Unify HTTPD handling of all content files. -##

-##
-gen_tunable(httpd_unified, false) - -## -##

-## Allow httpd to access cifs file systems -##

-##
-gen_tunable(httpd_use_cifs, false) - -## -##

-## Allow httpd to run gpg in gpg-web domain -##

-##
-gen_tunable(httpd_use_gpg, false) - -## -##

-## Allow httpd to access nfs file systems -##

-##
-gen_tunable(httpd_use_nfs, false) - -## -##

-## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t. -##

-##
-gen_tunable(allow_httpd_sys_script_anon_write, false) - -attribute httpdcontent; -attribute httpd_user_content_type; - -# domains that can exec all users scripts -attribute httpd_exec_scripts; - -attribute httpd_script_exec_type; -attribute httpd_user_script_exec_type; - -# user script domains -attribute httpd_script_domains; - -type httpd_t; -type httpd_exec_t; -init_daemon_domain(httpd_t, httpd_exec_t) -role system_r types httpd_t; - -# httpd_cache_t is the type given to the /var/cache/httpd -# directory and the files under that directory -type httpd_cache_t; -files_type(httpd_cache_t) - -# httpd_config_t is the type given to the configuration files -type httpd_config_t; -files_type(httpd_config_t) - -type httpd_helper_t; -type httpd_helper_exec_t; -domain_type(httpd_helper_t) -domain_entry_file(httpd_helper_t, httpd_helper_exec_t) -role system_r types httpd_helper_t; - -type httpd_initrc_exec_t; -init_script_file(httpd_initrc_exec_t) - -type httpd_lock_t; -files_lock_file(httpd_lock_t) - -type httpd_log_t; -logging_log_file(httpd_log_t) - -# httpd_modules_t is the type given to module files (libraries) -# that come with Apache /etc/httpd/modules and /usr/lib/apache -type httpd_modules_t; -files_type(httpd_modules_t) - -type httpd_php_t; -type httpd_php_exec_t; -domain_type(httpd_php_t) -domain_entry_file(httpd_php_t, httpd_php_exec_t) -role system_r types httpd_php_t; - -type httpd_php_tmp_t; -files_tmp_file(httpd_php_tmp_t) - -type httpd_rotatelogs_t; -type httpd_rotatelogs_exec_t; -init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) - -type httpd_squirrelmail_t; -files_type(httpd_squirrelmail_t) - -# SUEXEC runs user scripts as their own user ID -type httpd_suexec_t; #, daemon; -type httpd_suexec_exec_t; -domain_type(httpd_suexec_t) -domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -role system_r types httpd_suexec_t; - -type httpd_suexec_tmp_t; -files_tmp_file(httpd_suexec_tmp_t) - -# setup the system domain for system CGI scripts -apache_content_template(sys) - -typeattribute httpd_sys_content_t httpdcontent; # customizable -typeattribute httpd_sys_rw_content_t httpdcontent; # customizable -typeattribute httpd_sys_ra_content_t httpdcontent; # customizable - -# Removal of fastcgi, will cause problems without the following -typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; -typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t }; -typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t }; -typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t; -typealias httpd_sys_script_t alias httpd_fastcgi_script_t; - -type httpd_tmp_t; -files_tmp_file(httpd_tmp_t) - -type httpd_tmpfs_t; -files_tmpfs_file(httpd_tmpfs_t) - -apache_content_template(user) -ubac_constrained(httpd_user_script_t) -typeattribute httpd_user_content_t httpdcontent; -typeattribute httpd_user_rw_content_t httpdcontent; -typeattribute httpd_user_ra_content_t httpdcontent; - -userdom_user_home_content(httpd_user_content_t) -userdom_user_home_content(httpd_user_htaccess_t) -userdom_user_home_content(httpd_user_script_exec_t) -userdom_user_home_content(httpd_user_ra_content_t) -userdom_user_home_content(httpd_user_rw_content_t) -typeattribute httpd_user_script_t httpd_script_domains; -typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; -typealias httpd_user_content_t alias httpd_unconfined_content_t; -typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; -typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; -typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; -typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; -typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t }; -typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t }; -typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t }; -typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t }; -typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t }; -typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t }; -typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; -typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; - -# for apache2 memory mapped files -type httpd_var_lib_t; -files_type(httpd_var_lib_t) - -type httpd_var_run_t; -files_pid_file(httpd_var_run_t) - -# Removal of fastcgi, will cause problems without the following -typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; - -# File Type of squirrelmail attachments -type squirrelmail_spool_t; -files_tmp_file(squirrelmail_spool_t) - -optional_policy(` - prelink_object_file(httpd_modules_t) -') - -######################################## -# -# Apache server local policy -# - -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; -dontaudit httpd_t self:capability { net_admin sys_tty_config }; -allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow httpd_t self:fd use; -allow httpd_t self:sock_file read_sock_file_perms; -allow httpd_t self:fifo_file rw_fifo_file_perms; -allow httpd_t self:shm create_shm_perms; -allow httpd_t self:sem create_sem_perms; -allow httpd_t self:msgq create_msgq_perms; -allow httpd_t self:msg { send receive }; -allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow httpd_t self:tcp_socket create_stream_socket_perms; -allow httpd_t self:udp_socket create_socket_perms; -dontaudit httpd_t self:netlink_audit_socket create_socket_perms; - -# Allow httpd_t to put files in /var/cache/httpd etc -manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) - -# Allow the httpd_t to read the web servers config files -allow httpd_t httpd_config_t:dir list_dir_perms; -read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) -read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) - -can_exec(httpd_t, httpd_exec_t) - -allow httpd_t httpd_lock_t:file manage_file_perms; -files_lock_filetrans(httpd_t, httpd_lock_t, file) - -allow httpd_t httpd_log_t:dir setattr; -create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -# cjp: need to refine create interfaces to -# cut this back to add_name only -logging_log_filetrans(httpd_t, httpd_log_t, file) - -allow httpd_t httpd_modules_t:dir list_dir_perms; -mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) -read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) -read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - -apache_domtrans_rotatelogs(httpd_t) -# Apache-httpd needs to be able to send signals to the log rotate procs. -allow httpd_t httpd_rotatelogs_t:process signal_perms; - -manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) - -allow httpd_t httpd_suexec_exec_t:file read_file_perms; - -allow httpd_t httpd_sys_content_t:dir list_dir_perms; -read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) -read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) - -allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; - -manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) - -manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) -files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) - -setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) - -manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) - -kernel_read_kernel_sysctls(httpd_t) -# for modules that want to access /proc/meminfo -kernel_read_system_state(httpd_t) -kernel_search_network_sysctl(httpd_t) - -corenet_all_recvfrom_unlabeled(httpd_t) -corenet_all_recvfrom_netlabel(httpd_t) -corenet_tcp_sendrecv_generic_if(httpd_t) -corenet_udp_sendrecv_generic_if(httpd_t) -corenet_tcp_sendrecv_generic_node(httpd_t) -corenet_udp_sendrecv_generic_node(httpd_t) -corenet_tcp_sendrecv_all_ports(httpd_t) -corenet_udp_sendrecv_all_ports(httpd_t) -corenet_tcp_bind_generic_node(httpd_t) -corenet_udp_bind_generic_node(httpd_t) -corenet_tcp_bind_http_port(httpd_t) -corenet_tcp_bind_http_cache_port(httpd_t) -corenet_tcp_bind_ntop_port(httpd_t) -corenet_sendrecv_http_server_packets(httpd_t) -# Signal self for shutdown -corenet_tcp_connect_http_port(httpd_t) - -dev_read_sysfs(httpd_t) -dev_read_rand(httpd_t) -dev_read_urand(httpd_t) -dev_rw_crypto(httpd_t) - -fs_getattr_all_fs(httpd_t) -fs_search_auto_mountpoints(httpd_t) -fs_read_iso9660_files(httpd_t) -fs_read_anon_inodefs_files(httpd_t) - -auth_use_nsswitch(httpd_t) - -application_exec_all(httpd_t) - -domain_use_interactive_fds(httpd_t) - -files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) -files_list_mnt(httpd_t) -files_search_spool(httpd_t) -files_read_var_lib_files(httpd_t) -files_search_home(httpd_t) -files_getattr_home_dir(httpd_t) -# for modules that want to access /etc/mtab -files_read_etc_runtime_files(httpd_t) -# Allow httpd_t to have access to files such as nisswitch.conf -files_read_etc_files(httpd_t) -# for tomcat -files_read_var_lib_symlinks(httpd_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) -# php uploads a file to /tmp and then execs programs to acton them -manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) - -libs_read_lib_files(httpd_t) - -logging_send_syslog_msg(httpd_t) - -miscfiles_read_localization(httpd_t) -miscfiles_read_fonts(httpd_t) -miscfiles_read_public_files(httpd_t) -miscfiles_read_generic_certs(httpd_t) - -seutil_dontaudit_search_config(httpd_t) - -userdom_use_unpriv_users_fds(httpd_t) - -tunable_policy(`httpd_setrlimit',` - allow httpd_t self:process setrlimit; -') - -tunable_policy(`allow_httpd_anon_write',` - miscfiles_manage_public_files(httpd_t) -') - -# -# We need optionals to be able to be within booleans to make this work -# -tunable_policy(`allow_httpd_mod_auth_pam',` - auth_domtrans_chkpwd(httpd_t) - logging_send_audit_msgs(httpd_t) -') - -optional_policy(` - tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` - samba_domtrans_winbind_helper(httpd_t) - ') -') - -tunable_policy(`httpd_can_network_connect',` - corenet_tcp_connect_all_ports(httpd_t) -') - -tunable_policy(`httpd_can_network_connect_db',` - corenet_tcp_connect_mssql_port(httpd_t) - corenet_sendrecv_mssql_client_packets(httpd_t) -') - -tunable_policy(`httpd_can_network_memcache',` - corenet_tcp_connect_memcache_port(httpd_t) -') - -tunable_policy(`httpd_can_network_relay',` - # allow httpd to work as a relay - corenet_tcp_connect_gopher_port(httpd_t) - corenet_tcp_connect_ftp_port(httpd_t) - corenet_tcp_connect_http_port(httpd_t) - corenet_tcp_connect_http_cache_port(httpd_t) - corenet_tcp_connect_squid_port(httpd_t) - corenet_tcp_connect_memcache_port(httpd_t) - corenet_sendrecv_gopher_client_packets(httpd_t) - corenet_sendrecv_ftp_client_packets(httpd_t) - corenet_sendrecv_http_client_packets(httpd_t) - corenet_sendrecv_http_cache_client_packets(httpd_t) - corenet_sendrecv_squid_client_packets(httpd_t) -') - -tunable_policy(`httpd_execmem',` - allow httpd_t self:process { execmem execstack }; - allow httpd_sys_script_t self:process { execmem execstack }; - allow httpd_suexec_t self:process { execmem execstack }; -') - -tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; - filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) - can_exec(httpd_sys_script_t, httpd_sys_content_t) -') - -tunable_policy(`allow_httpd_sys_script_anon_write',` - miscfiles_manage_public_files(httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` - fs_nfs_domtrans(httpd_t, httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` - fs_cifs_domtrans(httpd_t, httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) - filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) - manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) - manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) - manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) - - manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_t, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) -') - -tunable_policy(`httpd_enable_ftp_server',` - corenet_tcp_bind_ftp_port(httpd_t) -') - -tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` - can_exec(httpd_t, httpd_tmp_t) -') - -tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',` - can_exec(httpd_sys_script_t, httpd_tmp_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_t) - fs_read_nfs_symlinks(httpd_t) -') - -tunable_policy(`httpd_use_nfs',` - fs_manage_nfs_dirs(httpd_t) - fs_manage_nfs_files(httpd_t) - fs_manage_nfs_symlinks(httpd_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_t) - fs_read_cifs_symlinks(httpd_t) -') - -tunable_policy(`httpd_can_sendmail',` - # allow httpd to connect to mail servers - corenet_tcp_connect_smtp_port(httpd_t) - corenet_sendrecv_smtp_client_packets(httpd_t) - corenet_tcp_connect_pop_port(httpd_t) - corenet_sendrecv_pop_client_packets(httpd_t) - mta_send_mail(httpd_t) - mta_signal_system_mail(httpd_t) -') - -tunable_policy(`httpd_use_cifs',` - fs_manage_cifs_dirs(httpd_t) - fs_manage_cifs_files(httpd_t) - fs_manage_cifs_symlinks(httpd_t) -') - -tunable_policy(`httpd_ssi_exec',` - corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) - allow httpd_sys_script_t httpd_t:fd use; - allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; - allow httpd_sys_script_t httpd_t:process sigchld; -') - -# When the admin starts the server, the server wants to access -# the TTY or PTY associated with the session. The httpd appears -# to run correctly without this permission, so the permission -# are dontaudited here. -tunable_policy(`httpd_tty_comm',` - userdom_use_user_terminals(httpd_t) - userdom_use_user_terminals(httpd_suexec_t) -',` - userdom_dontaudit_use_user_terminals(httpd_t) - userdom_dontaudit_use_user_terminals(httpd_suexec_t) -') - -optional_policy(` - calamaris_read_www_files(httpd_t) -') - -optional_policy(` - ccs_read_config(httpd_t) -') - -optional_policy(` - cobbler_list_config(httpd_t) - cobbler_read_config(httpd_t) - cobbler_read_lib_files(httpd_t) - - tunable_policy(`httpd_can_network_connect_cobbler',` - corenet_tcp_connect_cobbler_port(httpd_t) - ') -') - -optional_policy(` - cron_system_entry(httpd_t, httpd_exec_t) -') - -optional_policy(` - cvs_read_data(httpd_t) -') - -optional_policy(` - daemontools_service_domain(httpd_t, httpd_exec_t) -') - -optional_policy(` - dbus_system_bus_client(httpd_t) - - tunable_policy(`httpd_dbus_avahi',` - avahi_dbus_chat(httpd_t) - ') -') - -optional_policy(` - gitosis_read_lib_files(httpd_t) -') - -optional_policy(` - tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` - gpg_domtrans_web(httpd_t) - ') -') - -optional_policy(` - kerberos_keytab_template(httpd, httpd_t) -') - -optional_policy(` - mailman_signal_cgi(httpd_t) - mailman_domtrans_cgi(httpd_t) - mailman_read_data_files(httpd_t) - # should have separate types for public and private archives - mailman_search_data(httpd_t) - mailman_read_archive(httpd_t) -') - -optional_policy(` - mediawiki_read_tmp_files(httpd_t) - mediawiki_delete_tmp_files(httpd_t) -') - -optional_policy(` - # Allow httpd to work with mysql - mysql_read_config(httpd_t) - mysql_stream_connect(httpd_t) - mysql_rw_db_sockets(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_t) - ') -') - -optional_policy(` - nagios_read_config(httpd_t) - nagios_read_log(httpd_t) -') - -optional_policy(` - openca_domtrans(httpd_t) - openca_signal(httpd_t) - openca_sigstop(httpd_t) - openca_kill(httpd_t) -') - -optional_policy(` - passenger_domtrans(httpd_t) - passenger_manage_pid_content(httpd_t) - passenger_read_lib_files(httpd_t) -') - -optional_policy(` - rpc_search_nfs_state_data(httpd_t) -') - -optional_policy(` - # Allow httpd to work with postgresql - postgresql_stream_connect(httpd_t) - postgresql_unpriv_client(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(httpd_t) -') - -optional_policy(` - smokeping_read_lib_files(httpd_t) -') - -optional_policy(` - files_dontaudit_rw_usr_dirs(httpd_t) - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) - snmp_dontaudit_write_snmp_var_lib_files(httpd_t) -') - -optional_policy(` - udev_read_db(httpd_t) -') - -optional_policy(` - yam_read_content(httpd_t) -') - -optional_policy(` - zarafa_stream_connect_server(httpd_t) -') - -######################################## -# -# Apache helper local policy -# - -domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) - -allow httpd_helper_t httpd_config_t:file read_file_perms; - -allow httpd_helper_t httpd_log_t:file append_file_perms; - -logging_send_syslog_msg(httpd_helper_t) - -userdom_use_user_terminals(httpd_helper_t) - -tunable_policy(`httpd_tty_comm',` - userdom_use_user_terminals(httpd_helper_t) -') - -######################################## -# -# Apache PHP script local policy -# - -allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow httpd_php_t self:fd use; -allow httpd_php_t self:fifo_file rw_fifo_file_perms; -allow httpd_php_t self:sock_file read_sock_file_perms; -allow httpd_php_t self:unix_dgram_socket create_socket_perms; -allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; -allow httpd_php_t self:unix_dgram_socket sendto; -allow httpd_php_t self:unix_stream_socket connectto; -allow httpd_php_t self:shm create_shm_perms; -allow httpd_php_t self:sem create_sem_perms; -allow httpd_php_t self:msgq create_msgq_perms; -allow httpd_php_t self:msg { send receive }; - -domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t) - -# allow php to read and append to apache logfiles -allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms }; - -manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) -manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) -files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) - -fs_search_auto_mountpoints(httpd_php_t) - -auth_use_nsswitch(httpd_php_t) - -libs_exec_lib_files(httpd_php_t) - -userdom_use_unpriv_users_fds(httpd_php_t) - -tunable_policy(`httpd_can_network_connect_db',` - corenet_tcp_connect_mssql_port(httpd_php_t) - corenet_sendrecv_mssql_client_packets(httpd_php_t) -') - -optional_policy(` - mysql_stream_connect(httpd_php_t) - mysql_rw_db_sockets(httpd_php_t) - mysql_read_config(httpd_php_t) - - tunable_policy(`httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_php_t) - ') -') - -optional_policy(` - postgresql_stream_connect(httpd_php_t) - postgresql_unpriv_client(httpd_php_t) - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_php_t) - ') -') - -######################################## -# -# Apache suexec local policy -# - -allow httpd_suexec_t self:capability { setuid setgid }; -allow httpd_suexec_t self:process signal_perms; -allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; - -domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) - -create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) - -allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; - -manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) -manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) -files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) - -can_exec(httpd_suexec_t, httpd_sys_script_exec_t) - -read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) -read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) -read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) - -kernel_read_kernel_sysctls(httpd_suexec_t) -kernel_list_proc(httpd_suexec_t) -kernel_read_proc_symlinks(httpd_suexec_t) - -dev_read_urand(httpd_suexec_t) - -fs_read_iso9660_files(httpd_suexec_t) -fs_search_auto_mountpoints(httpd_suexec_t) - -application_exec_all(httpd_suexec_t) - -files_read_etc_files(httpd_suexec_t) -files_read_usr_files(httpd_suexec_t) -files_dontaudit_search_pids(httpd_suexec_t) -files_search_home(httpd_suexec_t) - -auth_use_nsswitch(httpd_suexec_t) - -logging_search_logs(httpd_suexec_t) -logging_send_syslog_msg(httpd_suexec_t) - -miscfiles_read_localization(httpd_suexec_t) -miscfiles_read_public_files(httpd_suexec_t) - -tunable_policy(`httpd_can_network_connect',` - allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; - allow httpd_suexec_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_suexec_t) - corenet_all_recvfrom_netlabel(httpd_suexec_t) - corenet_tcp_sendrecv_generic_if(httpd_suexec_t) - corenet_udp_sendrecv_generic_if(httpd_suexec_t) - corenet_tcp_sendrecv_generic_node(httpd_suexec_t) - corenet_udp_sendrecv_generic_node(httpd_suexec_t) - corenet_tcp_sendrecv_all_ports(httpd_suexec_t) - corenet_udp_sendrecv_all_ports(httpd_suexec_t) - corenet_tcp_connect_all_ports(httpd_suexec_t) - corenet_sendrecv_all_client_packets(httpd_suexec_t) -') - -tunable_policy(`httpd_can_network_connect_db',` - corenet_tcp_connect_mssql_port(httpd_suexec_t) - corenet_sendrecv_mssql_client_packets(httpd_suexec_t) -') - -domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) - -tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_sys_script_t httpdcontent:file entrypoint; - domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) - manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) - manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_suexec_t) - fs_read_nfs_symlinks(httpd_suexec_t) - fs_exec_nfs_files(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_suexec_t) - fs_read_cifs_symlinks(httpd_suexec_t) - fs_exec_cifs_files(httpd_suexec_t) -') - -optional_policy(` - mailman_domtrans_cgi(httpd_suexec_t) -') - -optional_policy(` - mta_stub(httpd_suexec_t) - - # apache should set close-on-exec - dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; -') - -optional_policy(` - mysql_stream_connect(httpd_suexec_t) - mysql_rw_db_sockets(httpd_suexec_t) - mysql_read_config(httpd_suexec_t) - - tunable_policy(`httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_suexec_t) - ') -') - -optional_policy(` - postgresql_stream_connect(httpd_suexec_t) - postgresql_unpriv_client(httpd_suexec_t) - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_suexec_t) - ') -') - -######################################## -# -# Apache system script local policy -# - -allow httpd_sys_script_t self:process getsched; - -allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; - -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; -read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) - -kernel_read_kernel_sysctls(httpd_sys_script_t) - -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) - -logging_inherit_append_all_logs(httpd_sys_script_t) - -# Should we add a boolean? -apache_domtrans_rotatelogs(httpd_sys_script_t) - -auth_use_nsswitch(httpd_sys_script_t) - -ifdef(`distro_redhat',` - allow httpd_sys_script_t httpd_log_t:file append_file_perms; -') - -tunable_policy(`httpd_can_sendmail',` - mta_send_mail(httpd_sys_script_t) -') - -optional_policy(` - tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` - spamassassin_domtrans_client(httpd_t) - ') -') - -tunable_policy(`httpd_can_network_connect_db',` - corenet_tcp_connect_mssql_port(httpd_sys_script_t) - corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) -') - -fs_cifs_entry_type(httpd_sys_script_t) -fs_read_iso9660_files(httpd_sys_script_t) -fs_nfs_entry_type(httpd_sys_script_t) - -tunable_policy(`httpd_use_nfs',` - fs_manage_nfs_dirs(httpd_sys_script_t) - fs_manage_nfs_files(httpd_sys_script_t) - fs_manage_nfs_symlinks(httpd_sys_script_t) - fs_exec_nfs_files(httpd_sys_script_t) - - fs_manage_nfs_dirs(httpd_suexec_t) - fs_manage_nfs_files(httpd_suexec_t) - fs_manage_nfs_symlinks(httpd_suexec_t) - fs_exec_nfs_files(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` - allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_sys_script_t self:udp_socket create_socket_perms; - - corenet_tcp_bind_all_nodes(httpd_sys_script_t) - corenet_udp_bind_all_nodes(httpd_sys_script_t) - corenet_all_recvfrom_unlabeled(httpd_sys_script_t) - corenet_all_recvfrom_netlabel(httpd_sys_script_t) - corenet_tcp_sendrecv_all_if(httpd_sys_script_t) - corenet_udp_sendrecv_all_if(httpd_sys_script_t) - corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) - corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) - corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) - corenet_udp_sendrecv_all_ports(httpd_sys_script_t) - corenet_tcp_connect_all_ports(httpd_sys_script_t) - corenet_sendrecv_all_client_packets(httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_sys_script_t) - fs_read_nfs_symlinks(httpd_sys_script_t) -') - -tunable_policy(`httpd_read_user_content',` - userdom_read_user_home_content_files(httpd_sys_script_t) -') - -tunable_policy(`httpd_use_cifs',` - fs_manage_cifs_dirs(httpd_sys_script_t) - fs_manage_cifs_files(httpd_sys_script_t) - fs_manage_cifs_symlinks(httpd_sys_script_t) - fs_manage_cifs_dirs(httpd_suexec_t) - fs_manage_cifs_files(httpd_suexec_t) - fs_manage_cifs_symlinks(httpd_suexec_t) - fs_exec_cifs_files(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_sys_script_t) - fs_read_cifs_symlinks(httpd_sys_script_t) -') - -optional_policy(` - clamav_domtrans_clamscan(httpd_sys_script_t) -') - -optional_policy(` - mysql_stream_connect(httpd_sys_script_t) - mysql_rw_db_sockets(httpd_sys_script_t) - mysql_read_config(httpd_sys_script_t) - - tunable_policy(`httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_sys_script_t) - ') -') - -optional_policy(` - postgresql_stream_connect(httpd_sys_script_t) - postgresql_unpriv_client(httpd_sys_script_t) - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_sys_script_t) - ') -') - -######################################## -# -# httpd_rotatelogs local policy -# - -allow httpd_rotatelogs_t self:capability dac_override; - -manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) - -kernel_read_kernel_sysctls(httpd_rotatelogs_t) -kernel_dontaudit_list_proc(httpd_rotatelogs_t) -kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) - -files_read_etc_files(httpd_rotatelogs_t) - -logging_search_logs(httpd_rotatelogs_t) - -miscfiles_read_localization(httpd_rotatelogs_t) - -######################################## -# -# Unconfined script local policy -# - -optional_policy(` - type httpd_unconfined_script_t; - type httpd_unconfined_script_exec_t; - domain_type(httpd_unconfined_script_t) - domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) - domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) - unconfined_domain(httpd_unconfined_script_t) - - role system_r types httpd_unconfined_script_t; - allow httpd_t httpd_unconfined_script_t:process signal_perms; -') - -######################################## -# -# User content local policy -# - -tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_user_script_t httpdcontent:file entrypoint; - manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) - manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) - manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) - manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) -') - -# allow accessing files/dirs below the users home dir -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_content(httpd_t) - userdom_search_user_home_content(httpd_suexec_t) - userdom_search_user_home_content(httpd_user_script_t) -') - -tunable_policy(`httpd_read_user_content',` - userdom_read_user_home_content_files(httpd_t) - userdom_read_user_home_content_files(httpd_suexec_t) - userdom_read_user_home_content_files(httpd_user_script_t) -') diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc deleted file mode 100644 index cd07b96..0000000 --- a/policy/modules/services/apcupsd.fc +++ /dev/null @@ -1,15 +0,0 @@ -/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) - -/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - -/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - -/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) -/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) - -/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0) - -/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if deleted file mode 100644 index d3451b8..0000000 --- a/policy/modules/services/apcupsd.if +++ /dev/null @@ -1,166 +0,0 @@ -## APC UPS monitoring daemon - -######################################## -## -## Execute a domain transition to run apcupsd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apcupsd_domtrans',` - gen_require(` - type apcupsd_t, apcupsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, apcupsd_exec_t, apcupsd_t) -') - -######################################## -## -## Execute apcupsd server in the apcupsd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apcupsd_initrc_domtrans',` - gen_require(` - type apcupsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) -') - -######################################## -## -## Read apcupsd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apcupsd_read_pid_files',` - gen_require(` - type apcupsd_var_run_t; - ') - - files_search_pids($1) - allow $1 apcupsd_var_run_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to read apcupsd's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apcupsd_read_log',` - gen_require(` - type apcupsd_log_t; - ') - - logging_search_logs($1) - allow $1 apcupsd_log_t:dir list_dir_perms; - allow $1 apcupsd_log_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to append -## apcupsd log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apcupsd_append_log',` - gen_require(` - type apcupsd_log_t; - ') - - logging_search_logs($1) - allow $1 apcupsd_log_t:dir list_dir_perms; - allow $1 apcupsd_log_t:file append_file_perms; -') - -######################################## -## -## Execute a domain transition to run httpd_apcupsd_cgi_script. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apcupsd_cgi_script_domtrans',` - gen_require(` - type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; - ') - - optional_policy(` - apache_search_sys_content($1) - ') - - files_search_var($1) - domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) -') - -######################################## -## -## All of the rules required to administrate -## an apcupsd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the apcupsd domain. -## -## -## -# -interface(`apcupsd_admin',` - gen_require(` - type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; - type apcupsd_lock_t, apcupsd_var_run_t, apcupsd_initrc_exec_t; - ') - - allow $1 apcupsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, apcupsd_t) - - apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apcupsd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var($1) - admin_pattern($1, apcupsd_lock_t) - - logging_list_logs($1) - admin_pattern($1, apcupsd_log_t) - - files_list_tmp($1) - admin_pattern($1, apcupsd_tmp_t) - - files_list_pids($1) - admin_pattern($1, apcupsd_var_run_t) -') diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te deleted file mode 100644 index 472ddad..0000000 --- a/policy/modules/services/apcupsd.te +++ /dev/null @@ -1,127 +0,0 @@ -policy_module(apcupsd, 1.7.0) - -######################################## -# -# Declarations -# - -type apcupsd_t; -type apcupsd_exec_t; -init_daemon_domain(apcupsd_t, apcupsd_exec_t) - -type apcupsd_lock_t; -files_lock_file(apcupsd_lock_t) - -type apcupsd_initrc_exec_t; -init_script_file(apcupsd_initrc_exec_t) - -type apcupsd_log_t; -logging_log_file(apcupsd_log_t) - -type apcupsd_tmp_t; -files_tmp_file(apcupsd_tmp_t) - -type apcupsd_var_run_t; -files_pid_file(apcupsd_var_run_t) - -######################################## -# -# apcupsd local policy -# - -allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; -allow apcupsd_t self:process signal; -allow apcupsd_t self:fifo_file rw_file_perms; -allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; -allow apcupsd_t self:tcp_socket create_stream_socket_perms; - -allow apcupsd_t apcupsd_lock_t:file manage_file_perms; -files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) - -allow apcupsd_t apcupsd_log_t:dir setattr; -manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -logging_log_filetrans(apcupsd_t, apcupsd_log_t, { file dir }) - -manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) -files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file) - -manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t) -files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file) - -kernel_read_system_state(apcupsd_t) - -corecmd_exec_bin(apcupsd_t) -corecmd_exec_shell(apcupsd_t) - -corenet_all_recvfrom_unlabeled(apcupsd_t) -corenet_all_recvfrom_netlabel(apcupsd_t) -corenet_tcp_sendrecv_generic_if(apcupsd_t) -corenet_tcp_sendrecv_generic_node(apcupsd_t) -corenet_tcp_sendrecv_all_ports(apcupsd_t) -corenet_tcp_bind_generic_node(apcupsd_t) -corenet_tcp_bind_apcupsd_port(apcupsd_t) -corenet_sendrecv_apcupsd_server_packets(apcupsd_t) -corenet_tcp_connect_apcupsd_port(apcupsd_t) - -dev_rw_generic_usb_dev(apcupsd_t) - -# Init script handling -domain_use_interactive_fds(apcupsd_t) - -files_read_etc_files(apcupsd_t) -files_search_locks(apcupsd_t) -# Creates /etc/nologin -files_manage_etc_runtime_files(apcupsd_t) -files_etc_filetrans_etc_runtime(apcupsd_t, file) - -# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805 -term_use_unallocated_ttys(apcupsd_t) - -#apcupsd runs shutdown, probably need a shutdown domain -init_rw_utmp(apcupsd_t) -init_telinit(apcupsd_t) - -logging_send_syslog_msg(apcupsd_t) - -miscfiles_read_localization(apcupsd_t) - -sysnet_dns_name_resolve(apcupsd_t) - -userdom_use_user_ttys(apcupsd_t) - -optional_policy(` - hostname_exec(apcupsd_t) -') - -optional_policy(` - shutdown_domtrans(apcupsd_t) -') - -optional_policy(` - mta_send_mail(apcupsd_t) - mta_system_content(apcupsd_tmp_t) -') - -######################################## -# -# apcupsd_cgi Declarations -# - -optional_policy(` - apache_content_template(apcupsd_cgi) - - allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t) - corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) - corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t) - corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) - corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) - corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) - - sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t) -') diff --git a/policy/modules/services/apm.fc b/policy/modules/services/apm.fc deleted file mode 100644 index 0123777..0000000 --- a/policy/modules/services/apm.fc +++ /dev/null @@ -1,23 +0,0 @@ - -# -# /usr -# -/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0) - -/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0) -/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0) -/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0) - -# -# /var -# -/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) - -/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) -/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) -/var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) -/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) - -ifdef(`distro_suse',` -/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) -') diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if deleted file mode 100644 index 49e6c74..0000000 --- a/policy/modules/services/apm.if +++ /dev/null @@ -1,112 +0,0 @@ -## Advanced power management daemon - -######################################## -## -## Execute APM in the apm domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apm_domtrans_client',` - gen_require(` - type apm_t, apm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, apm_exec_t, apm_t) -') - -######################################## -## -## Use file descriptors for apmd. -## -## -## -## Domain allowed access. -## -## -# -interface(`apm_use_fds',` - gen_require(` - type apmd_t; - ') - - allow $1 apmd_t:fd use; -') - -######################################## -## -## Write to apmd unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`apm_write_pipes',` - gen_require(` - type apmd_t; - ') - - allow $1 apmd_t:fifo_file write_fifo_file_perms; -') - -######################################## -## -## Read and write to an apm unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`apm_rw_stream_sockets',` - gen_require(` - type apmd_t; - ') - - allow $1 apmd_t:unix_stream_socket { read write }; -') - -######################################## -## -## Append to apm's log file. -## -## -## -## Domain allowed access. -## -## -# -interface(`apm_append_log',` - gen_require(` - type apmd_log_t; - ') - - logging_search_logs($1) - allow $1 apmd_log_t:file append_file_perms; -') - -######################################## -## -## Connect to apmd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`apm_stream_connect',` - gen_require(` - type apmd_t, apmd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) -') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te deleted file mode 100644 index 62bc936..0000000 --- a/policy/modules/services/apm.te +++ /dev/null @@ -1,243 +0,0 @@ -policy_module(apm, 1.11.0) - -######################################## -# -# Declarations -# - -type apmd_t; -type apmd_exec_t; -init_daemon_domain(apmd_t, apmd_exec_t) - -type apm_t; -type apm_exec_t; -application_domain(apm_t, apm_exec_t) -role system_r types apm_t; - -type apmd_log_t; -logging_log_file(apmd_log_t) - -type apmd_tmp_t; -files_tmp_file(apmd_tmp_t) - -type apmd_var_run_t; -files_pid_file(apmd_var_run_t) - -ifdef(`distro_redhat',` - type apmd_lock_t; - files_lock_file(apmd_lock_t) -') - -ifdef(`distro_suse',` - type apmd_var_lib_t; - files_type(apmd_var_lib_t) -') - -######################################## -# -# apm client Local policy -# - -allow apm_t self:capability { dac_override sys_admin }; - -kernel_read_system_state(apm_t) - -dev_rw_apm_bios(apm_t) - -fs_getattr_xattr_fs(apm_t) - -term_use_all_terms(apm_t) - -domain_use_interactive_fds(apm_t) - -logging_send_syslog_msg(apm_t) - -######################################## -# -# apm daemon Local policy -# - -# mknod: controlling an orderly resume of PCMCIA requires creating device -# nodes 254,{0,1,2} for some reason. -allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; -allow apmd_t self:process { signal_perms getsession }; -allow apmd_t self:fifo_file rw_fifo_file_perms; -allow apmd_t self:netlink_socket create_socket_perms; -allow apmd_t self:unix_dgram_socket create_socket_perms; -allow apmd_t self:unix_stream_socket create_stream_socket_perms; - -allow apmd_t apmd_log_t:file manage_file_perms; -logging_log_filetrans(apmd_t, apmd_log_t, file) - -manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) -manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) -files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir }) - -manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t) -manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t) -files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(apmd_t) -kernel_rw_all_sysctls(apmd_t) -kernel_read_system_state(apmd_t) -kernel_write_proc_files(apmd_t) - -dev_read_input(apmd_t) -dev_read_realtime_clock(apmd_t) -dev_read_urand(apmd_t) -dev_rw_apm_bios(apmd_t) -dev_rw_sysfs(apmd_t) -dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive? -dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive? - -fs_dontaudit_list_tmpfs(apmd_t) -fs_getattr_all_fs(apmd_t) -fs_search_auto_mountpoints(apmd_t) -fs_dontaudit_getattr_all_files(apmd_t) # Excessive? -fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? -fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive? -fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive? - -selinux_search_fs(apmd_t) - -corecmd_exec_all_executables(apmd_t) - -domain_read_all_domains_state(apmd_t) -domain_dontaudit_ptrace_all_domains(apmd_t) -domain_use_interactive_fds(apmd_t) -domain_dontaudit_getattr_all_sockets(apmd_t) -domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive? -domain_dontaudit_list_all_domains_state(apmd_t) # Excessive? - -files_exec_etc_files(apmd_t) -files_read_etc_runtime_files(apmd_t) -files_dontaudit_getattr_all_files(apmd_t) # Excessive? -files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? -files_dontaudit_getattr_all_pipes(apmd_t) # Excessive? -files_dontaudit_getattr_all_sockets(apmd_t) # Excessive? - -init_domtrans_script(apmd_t) -init_rw_utmp(apmd_t) -init_telinit(apmd_t) - -libs_exec_ld_so(apmd_t) -libs_exec_lib_files(apmd_t) - -logging_send_syslog_msg(apmd_t) -logging_send_audit_msgs(apmd_t) - -miscfiles_read_localization(apmd_t) -miscfiles_read_hwdata(apmd_t) - -modutils_domtrans_insmod(apmd_t) -modutils_read_module_config(apmd_t) - -seutil_dontaudit_read_config(apmd_t) - -userdom_dontaudit_use_unpriv_user_fds(apmd_t) -userdom_dontaudit_search_user_home_dirs(apmd_t) -userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? - -ifdef(`distro_redhat',` - allow apmd_t apmd_lock_t:file manage_file_perms; - files_lock_filetrans(apmd_t, apmd_lock_t, file) - - can_exec(apmd_t, apmd_var_run_t) - - optional_policy(` - fstools_domtrans(apmd_t) - ') - - optional_policy(` - iptables_domtrans(apmd_t) - ') - - optional_policy(` - netutils_domtrans(apmd_t) - ') - - # ifconfig_exec_t needs to be run in its own domain for Red Hat - optional_policy(` - sssd_search_lib(apmd_t) - ') - - optional_policy(` - sysnet_domtrans_ifconfig(apmd_t) - ') - -',` - # for ifconfig which is run all the time - kernel_dontaudit_search_sysctl(apmd_t) -') - -ifdef(`distro_suse',` - manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) - manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) - files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file) -') - -optional_policy(` - automount_domtrans(apmd_t) -') - -optional_policy(` - clock_domtrans(apmd_t) - clock_rw_adjtime(apmd_t) -') - -optional_policy(` - cron_system_entry(apmd_t, apmd_exec_t) - cron_anacron_domtrans_system_job(apmd_t) -') - -optional_policy(` - dbus_system_bus_client(apmd_t) - - optional_policy(` - consolekit_dbus_chat(apmd_t) - ') - - optional_policy(` - networkmanager_dbus_chat(apmd_t) - ') -') - -optional_policy(` - logrotate_use_fds(apmd_t) -') - -optional_policy(` - mta_send_mail(apmd_t) -') - -optional_policy(` - nscd_socket_use(apmd_t) -') - -optional_policy(` - pcmcia_domtrans_cardmgr(apmd_t) - pcmcia_domtrans_cardctl(apmd_t) -') - -optional_policy(` - seutil_sigchld_newrole(apmd_t) -') - -optional_policy(` - udev_read_db(apmd_t) - udev_read_state(apmd_t) #necessary? -') - -optional_policy(` - unconfined_domain(apmd_t) -') - -optional_policy(` - vbetool_domtrans(apmd_t) -') - -# cjp: related to sleep/resume (?) -optional_policy(` - xserver_domtrans(apmd_t) -') diff --git a/policy/modules/services/arpwatch.fc b/policy/modules/services/arpwatch.fc deleted file mode 100644 index a86a6c7..0000000 --- a/policy/modules/services/arpwatch.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0) - -# -# /var -# -/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) -/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if deleted file mode 100644 index bdefbe1..0000000 --- a/policy/modules/services/arpwatch.if +++ /dev/null @@ -1,156 +0,0 @@ -## Ethernet activity monitor. - -######################################## -## -## Execute arpwatch server in the arpwatch domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`arpwatch_initrc_domtrans',` - gen_require(` - type arpwatch_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) -') - -######################################## -## -## Search arpwatch's data file directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`arpwatch_search_data',` - gen_require(` - type arpwatch_data_t; - ') - - files_search_var_lib($1) - allow $1 arpwatch_data_t:dir search_dir_perms; -') - -######################################## -## -## Create arpwatch data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`arpwatch_manage_data_files',` - gen_require(` - type arpwatch_data_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t) -') - -######################################## -## -## Read and write arpwatch temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`arpwatch_rw_tmp_files',` - gen_require(` - type arpwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 arpwatch_tmp_t:file rw_file_perms; -') - -######################################## -## -## Read and write arpwatch temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`arpwatch_manage_tmp_files',` - gen_require(` - type arpwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 arpwatch_tmp_t:file manage_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## arpwatch packet sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`arpwatch_dontaudit_rw_packet_sockets',` - gen_require(` - type arpwatch_t; - ') - - dontaudit $1 arpwatch_t:packet_socket { read write }; -') - -######################################## -## -## All of the rules required to administrate -## an arpwatch environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the arpwatch domain. -## -## -## -# -interface(`arpwatch_admin',` - gen_require(` - type arpwatch_t, arpwatch_tmp_t; - type arpwatch_data_t, arpwatch_var_run_t; - type arpwatch_initrc_exec_t; - ') - - allow $1 arpwatch_t:process { ptrace signal_perms }; - ps_process_pattern($1, arpwatch_t) - - arpwatch_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 arpwatch_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, arpwatch_tmp_t) - - files_list_var($1) - admin_pattern($1, arpwatch_data_t) - - files_list_pids($1) - admin_pattern($1, arpwatch_var_run_t) -') diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te deleted file mode 100644 index 3be8b9b..0000000 --- a/policy/modules/services/arpwatch.te +++ /dev/null @@ -1,98 +0,0 @@ -policy_module(arpwatch, 1.9.1) - -######################################## -# -# Declarations -# - -type arpwatch_t; -type arpwatch_exec_t; -init_daemon_domain(arpwatch_t, arpwatch_exec_t) - -type arpwatch_data_t; -files_type(arpwatch_data_t) - -type arpwatch_initrc_exec_t; -init_script_file(arpwatch_initrc_exec_t) - -type arpwatch_tmp_t; -files_tmp_file(arpwatch_tmp_t) - -type arpwatch_var_run_t; -files_pid_file(arpwatch_var_run_t) - -######################################## -# -# Local policy -# -allow arpwatch_t self:capability { net_admin net_raw setgid setuid }; -dontaudit arpwatch_t self:capability sys_tty_config; -allow arpwatch_t self:process signal_perms; -allow arpwatch_t self:unix_dgram_socket create_socket_perms; -allow arpwatch_t self:unix_stream_socket create_stream_socket_perms; -allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; -allow arpwatch_t self:udp_socket create_socket_perms; -allow arpwatch_t self:packet_socket create_socket_perms; -allow arpwatch_t self:socket create_socket_perms; - -manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) - -manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t) -manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t) -files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) - -manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) -files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) - -kernel_read_network_state(arpwatch_t) -kernel_read_kernel_sysctls(arpwatch_t) -kernel_list_proc(arpwatch_t) -kernel_read_proc_symlinks(arpwatch_t) -kernel_request_load_module(arpwatch_t) - -corenet_all_recvfrom_unlabeled(arpwatch_t) -corenet_all_recvfrom_netlabel(arpwatch_t) -corenet_tcp_sendrecv_generic_if(arpwatch_t) -corenet_udp_sendrecv_generic_if(arpwatch_t) -corenet_raw_sendrecv_generic_if(arpwatch_t) -corenet_tcp_sendrecv_generic_node(arpwatch_t) -corenet_udp_sendrecv_generic_node(arpwatch_t) -corenet_raw_sendrecv_generic_node(arpwatch_t) -corenet_tcp_sendrecv_all_ports(arpwatch_t) -corenet_udp_sendrecv_all_ports(arpwatch_t) - -dev_read_sysfs(arpwatch_t) -dev_read_usbmon_dev(arpwatch_t) -dev_rw_generic_usb_dev(arpwatch_t) - -fs_getattr_all_fs(arpwatch_t) -fs_search_auto_mountpoints(arpwatch_t) - -corecmd_read_bin_symlinks(arpwatch_t) - -domain_use_interactive_fds(arpwatch_t) - -files_read_etc_files(arpwatch_t) -files_read_usr_files(arpwatch_t) -files_search_var_lib(arpwatch_t) - -auth_use_nsswitch(arpwatch_t) - -logging_send_syslog_msg(arpwatch_t) - -miscfiles_read_localization(arpwatch_t) - -userdom_dontaudit_search_user_home_dirs(arpwatch_t) -userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) - -mta_send_mail(arpwatch_t) - -optional_policy(` - seutil_sigchld_newrole(arpwatch_t) -') - -optional_policy(` - udev_read_db(arpwatch_t) -') diff --git a/policy/modules/services/asterisk.fc b/policy/modules/services/asterisk.fc deleted file mode 100644 index b4889d4..0000000 --- a/policy/modules/services/asterisk.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0) -/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0) - -/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0) - -/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0) -/var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0) -/var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0) -/var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0) diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if deleted file mode 100644 index c1a2b96..0000000 --- a/policy/modules/services/asterisk.if +++ /dev/null @@ -1,92 +0,0 @@ -## Asterisk IP telephony server - -###################################### -## -## Execute asterisk in the asterisk domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`asterisk_domtrans',` - gen_require(` - type asterisk_t, asterisk_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, asterisk_exec_t, asterisk_t) -') - -##################################### -## -## Connect to asterisk over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`asterisk_stream_connect',` - gen_require(` - type asterisk_t, asterisk_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) -') - -######################################## -## -## All of the rules required to administrate -## an asterisk environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the asterisk domain. -## -## -## -# -interface(`asterisk_admin',` - gen_require(` - type asterisk_t, asterisk_var_run_t, asterisk_spool_t; - type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t; - type asterisk_var_lib_t; - type asterisk_initrc_exec_t; - ') - - allow $1 asterisk_t:process { ptrace signal_perms }; - ps_process_pattern($1, asterisk_t) - - init_labeled_script_domtrans($1, asterisk_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 asterisk_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, asterisk_tmp_t) - - files_list_etc($1) - admin_pattern($1, asterisk_etc_t) - - logging_list_logs($1) - admin_pattern($1, asterisk_log_t) - - files_list_spool($1) - admin_pattern($1, asterisk_spool_t) - - files_list_var_lib($1) - admin_pattern($1, asterisk_var_lib_t) - - files_list_pids($1) - admin_pattern($1, asterisk_var_run_t) -') diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te deleted file mode 100644 index 608e3a1..0000000 --- a/policy/modules/services/asterisk.te +++ /dev/null @@ -1,170 +0,0 @@ -policy_module(asterisk, 1.8.0) - -######################################## -# -# Declarations -# - -type asterisk_t; -type asterisk_exec_t; -init_daemon_domain(asterisk_t, asterisk_exec_t) - -type asterisk_etc_t; -files_config_file(asterisk_etc_t) - -type asterisk_initrc_exec_t; -init_script_file(asterisk_initrc_exec_t) - -type asterisk_log_t; -logging_log_file(asterisk_log_t) - -type asterisk_spool_t; -files_type(asterisk_spool_t) - -type asterisk_tmp_t; -files_tmp_file(asterisk_tmp_t) - -type asterisk_tmpfs_t; -files_tmpfs_file(asterisk_tmpfs_t) - -type asterisk_var_lib_t; -files_type(asterisk_var_lib_t) - -type asterisk_var_run_t; -files_pid_file(asterisk_var_run_t) - -######################################## -# -# Local policy -# - -# dac_override for /var/run/asterisk -allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin }; -dontaudit asterisk_t self:capability sys_tty_config; -allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; -allow asterisk_t self:fifo_file rw_fifo_file_perms; -allow asterisk_t self:sem create_sem_perms; -allow asterisk_t self:shm create_shm_perms; -allow asterisk_t self:unix_stream_socket connectto; -allow asterisk_t self:tcp_socket create_stream_socket_perms; -allow asterisk_t self:udp_socket create_socket_perms; - -allow asterisk_t asterisk_etc_t:dir list_dir_perms; -read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) -read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) -files_search_etc(asterisk_t) - -can_exec(asterisk_t, asterisk_exec_t) - -manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) -logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir }) - -manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) -manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) -manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) - -manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) -manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) -files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir }) - -manage_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -manage_lnk_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -manage_fifo_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -manage_sock_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) -files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) - -manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) - -kernel_read_system_state(asterisk_t) -kernel_read_kernel_sysctls(asterisk_t) -kernel_request_load_module(asterisk_t) - -corecmd_exec_bin(asterisk_t) -corecmd_exec_shell(asterisk_t) - -corenet_all_recvfrom_unlabeled(asterisk_t) -corenet_all_recvfrom_netlabel(asterisk_t) -corenet_tcp_sendrecv_generic_if(asterisk_t) -corenet_udp_sendrecv_generic_if(asterisk_t) -corenet_tcp_sendrecv_generic_node(asterisk_t) -corenet_udp_sendrecv_generic_node(asterisk_t) -corenet_tcp_sendrecv_all_ports(asterisk_t) -corenet_udp_sendrecv_all_ports(asterisk_t) -corenet_tcp_bind_generic_node(asterisk_t) -corenet_udp_bind_generic_node(asterisk_t) -corenet_tcp_bind_asterisk_port(asterisk_t) -corenet_tcp_bind_sip_port(asterisk_t) -corenet_udp_bind_asterisk_port(asterisk_t) -corenet_udp_bind_sip_port(asterisk_t) -corenet_sendrecv_asterisk_server_packets(asterisk_t) -# for VOIP voice channels. -corenet_tcp_bind_generic_port(asterisk_t) -corenet_udp_bind_generic_port(asterisk_t) -corenet_dontaudit_udp_bind_all_ports(asterisk_t) -corenet_sendrecv_generic_server_packets(asterisk_t) -corenet_tcp_connect_postgresql_port(asterisk_t) -corenet_tcp_connect_snmp_port(asterisk_t) -corenet_tcp_connect_sip_port(asterisk_t) - -dev_rw_generic_usb_dev(asterisk_t) -dev_read_sysfs(asterisk_t) -dev_read_sound(asterisk_t) -dev_write_sound(asterisk_t) -dev_read_urand(asterisk_t) - -domain_use_interactive_fds(asterisk_t) - -files_read_etc_files(asterisk_t) -files_search_spool(asterisk_t) -# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm -# are labeled usr_t -files_read_usr_files(asterisk_t) - -fs_getattr_all_fs(asterisk_t) -fs_list_inotifyfs(asterisk_t) -fs_read_anon_inodefs_files(asterisk_t) -fs_search_auto_mountpoints(asterisk_t) - -auth_use_nsswitch(asterisk_t) - -logging_send_syslog_msg(asterisk_t) - -miscfiles_read_localization(asterisk_t) - -userdom_dontaudit_use_unpriv_user_fds(asterisk_t) -userdom_dontaudit_search_user_home_dirs(asterisk_t) - -optional_policy(` - mysql_stream_connect(asterisk_t) -') - -optional_policy(` - mta_send_mail(asterisk_t) -') - -optional_policy(` - postfix_domtrans_postdrop(asterisk_t) -') - -optional_policy(` - postgresql_stream_connect(asterisk_t) -') - -optional_policy(` - seutil_sigchld_newrole(asterisk_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(asterisk_t) - snmp_stream_connect(asterisk_t) -') - -optional_policy(` - udev_read_db(asterisk_t) -') diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc deleted file mode 100644 index 001235e..0000000 --- a/policy/modules/services/audioentropy.fc +++ /dev/null @@ -1,6 +0,0 @@ -# -# /usr -# -/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0) - -/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) diff --git a/policy/modules/services/audioentropy.if b/policy/modules/services/audioentropy.if deleted file mode 100644 index 67906f0..0000000 --- a/policy/modules/services/audioentropy.if +++ /dev/null @@ -1 +0,0 @@ -## Generate entropy from audio input diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te deleted file mode 100644 index 2b348c7..0000000 --- a/policy/modules/services/audioentropy.te +++ /dev/null @@ -1,68 +0,0 @@ -policy_module(audioentropy, 1.6.0) - -######################################## -# -# Declarations -# - -type entropyd_t; -type entropyd_exec_t; -init_daemon_domain(entropyd_t, entropyd_exec_t) - -type entropyd_var_run_t; -files_pid_file(entropyd_var_run_t) - -######################################## -# -# Local policy -# - -allow entropyd_t self:capability { dac_override ipc_lock sys_admin }; -dontaudit entropyd_t self:capability sys_tty_config; -allow entropyd_t self:process signal_perms; - -manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t) -files_pid_filetrans(entropyd_t, entropyd_var_run_t, file) - -kernel_read_kernel_sysctls(entropyd_t) -kernel_list_proc(entropyd_t) -kernel_read_proc_symlinks(entropyd_t) - -dev_read_sysfs(entropyd_t) -dev_read_urand(entropyd_t) -dev_write_urand(entropyd_t) -dev_read_rand(entropyd_t) -dev_write_rand(entropyd_t) -dev_read_sound(entropyd_t) -# set sound card parameters such as -# sample format, number of channels -# and sample rate. -dev_write_sound(entropyd_t) - -files_read_etc_files(entropyd_t) -files_read_usr_files(entropyd_t) - -fs_getattr_all_fs(entropyd_t) -fs_search_auto_mountpoints(entropyd_t) - -domain_use_interactive_fds(entropyd_t) - -logging_send_syslog_msg(entropyd_t) - -miscfiles_read_localization(entropyd_t) - -userdom_dontaudit_use_unpriv_user_fds(entropyd_t) -userdom_dontaudit_search_user_home_dirs(entropyd_t) - -optional_policy(` - alsa_read_lib(entropyd_t) - alsa_read_rw_config(entropyd_t) -') - -optional_policy(` - seutil_sigchld_newrole(entropyd_t) -') - -optional_policy(` - udev_read_db(entropyd_t) -') diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc deleted file mode 100644 index f16ab68..0000000 --- a/policy/modules/services/automount.fc +++ /dev/null @@ -1,16 +0,0 @@ -# -# /etc -# -/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) -/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0) - -# -# /var -# - -/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if deleted file mode 100644 index a43e006..0000000 --- a/policy/modules/services/automount.if +++ /dev/null @@ -1,168 +0,0 @@ -## Filesystem automounter service. - -######################################## -## -## Execute automount in the automount domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`automount_domtrans',` - gen_require(` - type automount_t, automount_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, automount_exec_t, automount_t) -') - -######################################## -## -## Send automount a signal -## -## -## -## Domain allowed access. -## -## -# -interface(`automount_signal',` - gen_require(` - type automount_t; - ') - - allow $1 automount_t:process signal; -') - -######################################## -## -## Execute automount in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`automount_exec_config',` - refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.') - files_exec_etc_files($1) -') - -######################################## -## -## Allow the domain to read state files in /proc. -## -## -## -## Domain to allow access. -## -## -# -interface(`automount_read_state',` - gen_require(` - type automount_t; - ') - - kernel_search_proc($1) - ps_process_pattern($1, automount_t) -') - -######################################## -## -## Do not audit attempts to file descriptors for automount. -## -## -## -## Domain to not audit. -## -## -# -interface(`automount_dontaudit_use_fds',` - gen_require(` - type automount_t; - ') - - dontaudit $1 automount_t:fd use; -') - -######################################## -## -## Do not audit attempts to write automount daemon unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`automount_dontaudit_write_pipes',` - gen_require(` - type automount_t; - ') - - dontaudit $1 automount_t:fifo_file write; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of automount temporary directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`automount_dontaudit_getattr_tmp_dirs',` - gen_require(` - type automount_tmp_t; - ') - - dontaudit $1 automount_tmp_t:dir getattr_dir_perms; -') - -######################################## -## -## All of the rules required to administrate -## an automount environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the automount domain. -## -## -## -# -interface(`automount_admin',` - gen_require(` - type automount_t, automount_lock_t, automount_tmp_t; - type automount_var_run_t, automount_initrc_exec_t; - ') - - allow $1 automount_t:process { ptrace signal_perms }; - ps_process_pattern($1, automount_t) - - init_labeled_script_domtrans($1, automount_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 automount_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var($1) - admin_pattern($1, automount_lock_t) - - files_list_tmp($1) - admin_pattern($1, automount_tmp_t) - - files_list_pids($1) - admin_pattern($1, automount_var_run_t) -') diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te deleted file mode 100644 index 6189565..0000000 --- a/policy/modules/services/automount.te +++ /dev/null @@ -1,183 +0,0 @@ -policy_module(automount, 1.13.0) - -######################################## -# -# Declarations -# - -type automount_t; -type automount_exec_t; -init_daemon_domain(automount_t, automount_exec_t) - -type automount_initrc_exec_t; -init_script_file(automount_initrc_exec_t) - -type automount_var_run_t; -files_pid_file(automount_var_run_t) - -type automount_lock_t; -files_lock_file(automount_lock_t) - -type automount_tmp_t; -files_tmp_file(automount_tmp_t) -files_mountpoint(automount_tmp_t) - -######################################## -# -# Local policy -# - -allow automount_t self:capability { net_bind_service setgid setuid sys_nice sys_resource dac_override sys_admin }; -dontaudit automount_t self:capability sys_tty_config; -allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; -allow automount_t self:fifo_file rw_fifo_file_perms; -allow automount_t self:unix_stream_socket create_socket_perms; -allow automount_t self:unix_dgram_socket create_socket_perms; -allow automount_t self:tcp_socket create_stream_socket_perms; -allow automount_t self:udp_socket create_socket_perms; -allow automount_t self:rawip_socket create_socket_perms; - -can_exec(automount_t, automount_exec_t) - -allow automount_t automount_lock_t:file manage_file_perms; -files_lock_filetrans(automount_t, automount_lock_t, file) - -manage_dirs_pattern(automount_t, automount_tmp_t, automount_tmp_t) -manage_files_pattern(automount_t, automount_tmp_t, automount_tmp_t) -files_tmp_filetrans(automount_t, automount_tmp_t, { file dir }) - -# Allow automount to create and delete directories in / and /home -allow automount_t automount_tmp_t:dir manage_dir_perms; -files_home_filetrans(automount_t, automount_tmp_t, dir) -files_root_filetrans(automount_t, automount_tmp_t, dir) - -manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) -manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) -files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file }) - -kernel_read_kernel_sysctls(automount_t) -kernel_read_irq_sysctls(automount_t) -kernel_read_fs_sysctls(automount_t) -kernel_read_proc_symlinks(automount_t) -kernel_read_system_state(automount_t) -kernel_read_network_state(automount_t) -kernel_list_proc(automount_t) -kernel_dontaudit_search_xen_state(automount_t) - -files_search_boot(automount_t) -# Automount is slowly adding all mount functionality internally -files_search_all(automount_t) -files_mounton_all_mountpoints(automount_t) -files_mount_all_file_type_fs(automount_t) -files_unmount_all_file_type_fs(automount_t) -files_manage_non_security_dirs(automount_t) - -fs_mount_all_fs(automount_t) -fs_unmount_all_fs(automount_t) -fs_search_all(automount_t) - -corecmd_exec_bin(automount_t) -corecmd_exec_shell(automount_t) - -corenet_all_recvfrom_unlabeled(automount_t) -corenet_all_recvfrom_netlabel(automount_t) -corenet_tcp_sendrecv_generic_if(automount_t) -corenet_udp_sendrecv_generic_if(automount_t) -corenet_tcp_sendrecv_generic_node(automount_t) -corenet_udp_sendrecv_generic_node(automount_t) -corenet_tcp_sendrecv_all_ports(automount_t) -corenet_udp_sendrecv_all_ports(automount_t) -corenet_tcp_bind_generic_node(automount_t) -corenet_udp_bind_generic_node(automount_t) -corenet_tcp_connect_portmap_port(automount_t) -corenet_tcp_connect_all_ports(automount_t) -corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t) -corenet_sendrecv_all_client_packets(automount_t) -# Automount execs showmount when you browse /net. This is required until -# Someone writes a showmount policy -corenet_tcp_bind_reserved_port(automount_t) -corenet_tcp_bind_all_rpc_ports(automount_t) -corenet_udp_bind_reserved_port(automount_t) -corenet_udp_bind_all_rpc_ports(automount_t) - -dev_read_sysfs(automount_t) -dev_rw_autofs(automount_t) -# for SSP -dev_read_rand(automount_t) -dev_read_urand(automount_t) - -domain_use_interactive_fds(automount_t) -domain_dontaudit_read_all_domains_state(automount_t) - -files_dontaudit_write_var_dirs(automount_t) -files_getattr_all_dirs(automount_t) -files_list_mnt(automount_t) -files_getattr_home_dir(automount_t) -files_read_etc_files(automount_t) -files_read_etc_runtime_files(automount_t) -# for if the mount point is not labelled -files_getattr_isid_type_dirs(automount_t) -files_getattr_default_dirs(automount_t) -# because config files can be shell scripts -files_exec_etc_files(automount_t) -files_mounton_mnt(automount_t) - -fs_getattr_all_fs(automount_t) -fs_getattr_all_dirs(automount_t) -fs_search_auto_mountpoints(automount_t) -fs_manage_auto_mountpoints(automount_t) -fs_unmount_autofs(automount_t) -fs_mount_autofs(automount_t) -fs_manage_autofs_symlinks(automount_t) -fs_read_nfs_files(automount_t) - -storage_rw_fuse(automount_t) - -term_dontaudit_getattr_pty_dirs(automount_t) - -auth_use_nsswitch(automount_t) - -logging_send_syslog_msg(automount_t) -logging_search_logs(automount_t) - -miscfiles_read_localization(automount_t) -miscfiles_read_generic_certs(automount_t) - -# Run mount in the mount_t domain. -mount_domtrans(automount_t) -mount_domtrans_showmount(automount_t) -mount_signal(automount_t) - -userdom_dontaudit_use_unpriv_user_fds(automount_t) -userdom_dontaudit_search_user_home_dirs(automount_t) - -optional_policy(` - bind_search_cache(automount_t) -') - -optional_policy(` - fstools_domtrans(automount_t) -') - -optional_policy(` - kerberos_keytab_template(automount, automount_t) - kerberos_read_config(automount_t) - kerberos_dontaudit_write_config(automount_t) -') - -optional_policy(` - rpc_search_nfs_state_data(automount_t) -') - -optional_policy(` - samba_read_config(automount_t) - samba_manage_var_files(automount_t) -') - -optional_policy(` - seutil_sigchld_newrole(automount_t) -') - -optional_policy(` - udev_read_db(automount_t) -') diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc deleted file mode 100644 index 7e36549..0000000 --- a/policy/modules/services/avahi.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0) - -/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0) -/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) -/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) - -/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) - -/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if deleted file mode 100644 index 11e1ba9..0000000 --- a/policy/modules/services/avahi.if +++ /dev/null @@ -1,167 +0,0 @@ -## mDNS/DNS-SD daemon implementing Apple ZeroConf architecture - -######################################## -## -## Execute avahi server in the avahi domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`avahi_domtrans',` - gen_require(` - type avahi_exec_t, avahi_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, avahi_exec_t, avahi_t) -') - -######################################## -## -## Send avahi a signal -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_signal',` - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process signal; -') - -######################################## -## -## Send avahi a kill signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_kill',` - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process sigkill; -') - -######################################## -## -## Send avahi a signull -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_signull',` - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process signull; -') - -######################################## -## -## Send and receive messages from -## avahi over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_dbus_chat',` - gen_require(` - type avahi_t; - class dbus send_msg; - ') - - allow avahi_t $1:file read; - allow $1 avahi_t:dbus send_msg; - allow avahi_t $1:dbus send_msg; -') - -######################################## -## -## Connect to avahi using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_stream_connect',` - gen_require(` - type avahi_t, avahi_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t) -') - -######################################## -## -## Do not audit attempts to search the avahi pid directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`avahi_dontaudit_search_pid',` - gen_require(` - type avahi_var_run_t; - ') - - dontaudit $1 avahi_var_run_t:dir search_dir_perms; -') - -######################################## -## -## All of the rules required to administrate -## an avahi environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the avahi domain. -## -## -## -# -interface(`avahi_admin',` - gen_require(` - type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; - ') - - allow $1 avahi_t:process { ptrace signal_perms }; - ps_process_pattern($1, avahi_t) - - init_labeled_script_domtrans($1, avahi_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 avahi_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, avahi_var_run_t) -') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te deleted file mode 100644 index 52dcf09..0000000 --- a/policy/modules/services/avahi.te +++ /dev/null @@ -1,112 +0,0 @@ -policy_module(avahi, 1.12.0) - -######################################## -# -# Declarations -# - -type avahi_t; -type avahi_exec_t; -init_daemon_domain(avahi_t, avahi_exec_t) - -type avahi_initrc_exec_t; -init_script_file(avahi_initrc_exec_t) - -type avahi_var_lib_t; -files_pid_file(avahi_var_lib_t) - -type avahi_var_run_t; -files_pid_file(avahi_var_run_t) - -######################################## -# -# Local policy -# - -allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; -dontaudit avahi_t self:capability sys_tty_config; -allow avahi_t self:process { setrlimit signal_perms getcap setcap }; -allow avahi_t self:fifo_file rw_fifo_file_perms; -allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow avahi_t self:unix_dgram_socket create_socket_perms; -allow avahi_t self:tcp_socket create_stream_socket_perms; -allow avahi_t self:udp_socket create_socket_perms; -allow avahi_t self:packet_socket create_socket_perms; - -manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) -manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) -files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) - -manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) -manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) -manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) -allow avahi_t avahi_var_run_t:dir setattr_dir_perms; -files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file }) - -kernel_read_system_state(avahi_t) -kernel_read_kernel_sysctls(avahi_t) -kernel_read_network_state(avahi_t) - -corecmd_exec_bin(avahi_t) -corecmd_exec_shell(avahi_t) - -corenet_all_recvfrom_unlabeled(avahi_t) -corenet_all_recvfrom_netlabel(avahi_t) -corenet_tcp_sendrecv_generic_if(avahi_t) -corenet_udp_sendrecv_generic_if(avahi_t) -corenet_tcp_sendrecv_generic_node(avahi_t) -corenet_udp_sendrecv_generic_node(avahi_t) -corenet_tcp_sendrecv_all_ports(avahi_t) -corenet_udp_sendrecv_all_ports(avahi_t) -corenet_tcp_bind_generic_node(avahi_t) -corenet_udp_bind_generic_node(avahi_t) -corenet_tcp_bind_howl_port(avahi_t) -corenet_udp_bind_howl_port(avahi_t) -corenet_send_howl_client_packets(avahi_t) -corenet_receive_howl_server_packets(avahi_t) - -dev_read_sysfs(avahi_t) -dev_read_urand(avahi_t) - -fs_getattr_all_fs(avahi_t) -fs_search_auto_mountpoints(avahi_t) -fs_list_inotifyfs(avahi_t) - -domain_use_interactive_fds(avahi_t) - -files_read_etc_files(avahi_t) -files_read_etc_runtime_files(avahi_t) -files_read_usr_files(avahi_t) - -auth_use_nsswitch(avahi_t) - -init_signal_script(avahi_t) -init_signull_script(avahi_t) - -logging_send_syslog_msg(avahi_t) - -miscfiles_read_localization(avahi_t) -miscfiles_read_generic_certs(avahi_t) - -sysnet_domtrans_ifconfig(avahi_t) -sysnet_manage_config(avahi_t) -sysnet_etc_filetrans_config(avahi_t) - -userdom_dontaudit_use_unpriv_user_fds(avahi_t) -userdom_dontaudit_search_user_home_dirs(avahi_t) - -optional_policy(` - dbus_system_domain(avahi_t, avahi_exec_t) - dbus_system_bus_client(avahi_t) - dbus_connect_system_bus(avahi_t) - - init_dbus_chat_script(avahi_t) -') - -optional_policy(` - seutil_sigchld_newrole(avahi_t) -') - -optional_policy(` - udev_read_db(avahi_t) -') diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc deleted file mode 100644 index 59aa54f..0000000 --- a/policy/modules/services/bind.fc +++ /dev/null @@ -1,63 +0,0 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) - -/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) - -/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) -/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) - -/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) - -/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) -/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) - -ifdef(`distro_debian',` -/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -') - -ifdef(`distro_gentoo',` -/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -') - -ifdef(`distro_redhat',` -/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/proc(/.*)? <> -/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) -/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) -/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -') diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if deleted file mode 100644 index 7e9d2fb..0000000 --- a/policy/modules/services/bind.if +++ /dev/null @@ -1,418 +0,0 @@ -## Berkeley internet name domain DNS server. - -######################################## -## -## Execute bind server in the bind domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bind_initrc_domtrans',` - gen_require(` - type named_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, named_initrc_exec_t) -') - -######################################## -## -## Execute ndc in the ndc domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bind_domtrans_ndc',` - gen_require(` - type ndc_t, ndc_exec_t; - ') - - domtrans_pattern($1, ndc_exec_t, ndc_t) -') - -######################################## -## -## Send generic signals to BIND. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_signal',` - gen_require(` - type named_t; - ') - - allow $1 named_t:process signal; -') - -######################################## -## -## Send null sigals to BIND. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_signull',` - gen_require(` - type named_t; - ') - - allow $1 named_t:process signull; -') - -######################################## -## -## Send BIND the kill signal -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_kill',` - gen_require(` - type named_t; - ') - - allow $1 named_t:process sigkill; -') - -######################################## -## -## Execute ndc in the ndc domain, and -## allow the specified role the ndc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`bind_run_ndc',` - gen_require(` - type ndc_t; - ') - - bind_domtrans_ndc($1) - role $2 types ndc_t; -') - -######################################## -## -## Execute bind in the named domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bind_domtrans',` - gen_require(` - type named_t, named_exec_t; - ') - - domtrans_pattern($1, named_exec_t, named_t) -') - -######################################## -## -## Read DNSSEC keys. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_read_dnssec_keys',` - gen_require(` - type named_conf_t, named_zone_t, dnssec_t; - ') - - read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t) -') - -######################################## -## -## Read BIND named configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_read_config',` - gen_require(` - type named_conf_t; - ') - - read_files_pattern($1, named_conf_t, named_conf_t) -') - -######################################## -## -## Write BIND named configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_write_config',` - gen_require(` - type named_conf_t; - ') - - write_files_pattern($1, named_conf_t, named_conf_t) - allow $1 named_conf_t:file setattr_file_perms; -') - -######################################## -## -## Create, read, write, and delete -## BIND configuration directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_manage_config_dirs',` - gen_require(` - type named_conf_t; - ') - - manage_dirs_pattern($1, named_conf_t, named_conf_t) -') - -######################################## -## -## Search the BIND cache directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_search_cache',` - gen_require(` - type named_conf_t, named_cache_t, named_zone_t; - ') - - files_search_var($1) - allow $1 named_conf_t:dir search_dir_perms; - allow $1 named_zone_t:dir search_dir_perms; - allow $1 named_cache_t:dir search_dir_perms; -') - -######################################## -## -## Create, read, write, and delete -## BIND cache files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_manage_cache',` - gen_require(` - type named_cache_t, named_zone_t; - ') - - files_search_var($1) - allow $1 named_zone_t:dir search_dir_perms; - manage_files_pattern($1, named_cache_t, named_cache_t) - manage_lnk_files_pattern($1, named_cache_t, named_cache_t) -') - -######################################## -## -## Set the attributes of the BIND pid directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_setattr_pid_dirs',` - gen_require(` - type named_var_run_t; - ') - - allow $1 named_var_run_t:dir setattr_dir_perms; -') - -######################################## -## -## Set the attributes of the BIND zone directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_setattr_zone_dirs',` - gen_require(` - type named_zone_t; - ') - - allow $1 named_zone_t:dir setattr_dir_perms; -') - -######################################## -## -## Read BIND zone files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_read_zone',` - gen_require(` - type named_zone_t; - ') - - files_search_var($1) - read_files_pattern($1, named_zone_t, named_zone_t) -') - -######################################## -## -## Read BIND zone files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_read_log',` - gen_require(` - type named_zone_t; - type named_log_t; - ') - - files_search_var($1) - allow $1 named_zone_t:dir search_dir_perms; - read_files_pattern($1, named_log_t, named_log_t) -') - -######################################## -## -## Manage BIND zone files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_manage_zone',` - gen_require(` - type named_zone_t; - ') - - files_search_var($1) - manage_files_pattern($1, named_zone_t, named_zone_t) -') - -######################################## -## -## Send and receive datagrams to and from named. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_udp_chat_named',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an bind environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the bind domain. -## -## -## -# -interface(`bind_admin',` - gen_require(` - type named_t, named_tmp_t, named_log_t; - type named_conf_t, named_var_run_t, named_cache_t; - type named_zone_t, named_initrc_exec_t; - type dnssec_t, ndc_t, named_keytab_t; - ') - - allow $1 named_t:process { ptrace signal_perms }; - ps_process_pattern($1, named_t) - - allow $1 ndc_t:process { ptrace signal_perms }; - ps_process_pattern($1, ndc_t) - - bind_run_ndc($1, $2) - - init_labeled_script_domtrans($1, named_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 named_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, named_tmp_t) - - logging_list_logs($1) - admin_pattern($1, named_log_t) - - files_list_etc($1) - admin_pattern($1, named_conf_t) - - admin_pattern($1, named_cache_t) - admin_pattern($1, named_zone_t) - admin_pattern($1, dnssec_t) - - admin_pattern($1, named_keytab_t) - - files_list_pids($1) - admin_pattern($1, named_var_run_t) -') diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te deleted file mode 100644 index 0bde225..0000000 --- a/policy/modules/services/bind.te +++ /dev/null @@ -1,261 +0,0 @@ -policy_module(bind, 1.11.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow BIND to write the master zone files. -## Generally this is used for dynamic DNS or zone transfers. -##

-##
-gen_tunable(named_write_master_zones, false) - -# for DNSSEC key files -type dnssec_t; -files_security_file(dnssec_t) - -type named_t; -type named_exec_t; -init_daemon_domain(named_t, named_exec_t) -role system_r types named_t; - -type named_checkconf_exec_t; -init_system_domain(named_t, named_checkconf_exec_t) - -# A type for configuration files of named. -type named_conf_t; -files_type(named_conf_t) -files_mountpoint(named_conf_t) - -# for secondary zone files -type named_cache_t; -files_type(named_cache_t) - -type named_initrc_exec_t; -init_script_file(named_initrc_exec_t) - -type named_log_t; -logging_log_file(named_log_t) - -type named_tmp_t; -files_tmp_file(named_tmp_t) - -type named_var_run_t; -files_pid_file(named_var_run_t) - -# for primary zone files -type named_zone_t; -files_type(named_zone_t) - -type ndc_t; -type ndc_exec_t; -init_system_domain(ndc_t, ndc_exec_t) -role system_r types ndc_t; - -######################################## -# -# Named local policy -# - -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; -dontaudit named_t self:capability sys_tty_config; -allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; -allow named_t self:fifo_file rw_fifo_file_perms; -allow named_t self:unix_stream_socket create_stream_socket_perms; -allow named_t self:unix_dgram_socket create_socket_perms; -allow named_t self:tcp_socket create_stream_socket_perms; -allow named_t self:udp_socket create_socket_perms; - -allow named_t dnssec_t:file read_file_perms; - -# read configuration -allow named_t named_conf_t:dir list_dir_perms; -read_files_pattern(named_t, named_conf_t, named_conf_t) -read_lnk_files_pattern(named_t, named_conf_t, named_conf_t) - -# write cache for secondary zones -manage_files_pattern(named_t, named_cache_t, named_cache_t) -manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) - -can_exec(named_t, named_exec_t) - -manage_files_pattern(named_t, named_log_t, named_log_t) -logging_log_filetrans(named_t, named_log_t, { file dir }) - -manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) -manage_files_pattern(named_t, named_tmp_t, named_tmp_t) -files_tmp_filetrans(named_t, named_tmp_t, { file dir }) - -manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t) -manage_files_pattern(named_t, named_var_run_t, named_var_run_t) -manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t) -files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir }) - -# read zone files -allow named_t named_zone_t:dir list_dir_perms; -read_files_pattern(named_t, named_zone_t, named_zone_t) -read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) - -kernel_read_kernel_sysctls(named_t) -kernel_read_system_state(named_t) -kernel_read_network_state(named_t) - -corecmd_search_bin(named_t) - -corenet_all_recvfrom_unlabeled(named_t) -corenet_all_recvfrom_netlabel(named_t) -corenet_tcp_sendrecv_generic_if(named_t) -corenet_udp_sendrecv_generic_if(named_t) -corenet_tcp_sendrecv_generic_node(named_t) -corenet_udp_sendrecv_generic_node(named_t) -corenet_tcp_sendrecv_all_ports(named_t) -corenet_udp_sendrecv_all_ports(named_t) -corenet_tcp_bind_generic_node(named_t) -corenet_udp_bind_generic_node(named_t) -corenet_tcp_bind_dns_port(named_t) -corenet_udp_bind_dns_port(named_t) -corenet_tcp_bind_rndc_port(named_t) -corenet_tcp_connect_all_ports(named_t) -corenet_sendrecv_dns_server_packets(named_t) -corenet_sendrecv_dns_client_packets(named_t) -corenet_sendrecv_rndc_server_packets(named_t) -corenet_sendrecv_rndc_client_packets(named_t) -corenet_dontaudit_udp_bind_all_reserved_ports(named_t) -corenet_udp_bind_all_unreserved_ports(named_t) - -dev_read_sysfs(named_t) -dev_read_rand(named_t) -dev_read_urand(named_t) - -domain_use_interactive_fds(named_t) - -files_read_etc_files(named_t) -files_read_etc_runtime_files(named_t) - -fs_getattr_all_fs(named_t) -fs_search_auto_mountpoints(named_t) - -auth_use_nsswitch(named_t) - -logging_send_syslog_msg(named_t) - -miscfiles_read_localization(named_t) -miscfiles_read_generic_certs(named_t) - -userdom_dontaudit_use_unpriv_user_fds(named_t) -userdom_dontaudit_search_user_home_dirs(named_t) - -tunable_policy(`named_write_master_zones',` - manage_dirs_pattern(named_t, named_zone_t, named_zone_t) - manage_files_pattern(named_t, named_zone_t, named_zone_t) - manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t) -') - -optional_policy(` - init_dbus_chat_script(named_t) - - sysnet_dbus_chat_dhcpc(named_t) - - dbus_system_bus_client(named_t) - dbus_connect_system_bus(named_t) - - optional_policy(` - networkmanager_dbus_chat(named_t) - ') -') - -optional_policy(` - kerberos_keytab_template(named, named_t) -') - -optional_policy(` - # this seems like fds that arent being - # closed. these should probably be - # dontaudits instead. - networkmanager_rw_udp_sockets(named_t) - networkmanager_rw_packet_sockets(named_t) - networkmanager_rw_routing_sockets(named_t) -') - -optional_policy(` - seutil_sigchld_newrole(named_t) -') - -optional_policy(` - udev_read_db(named_t) -') - -######################################## -# -# NDC local policy -# - -# cjp: why net_admin?! -allow ndc_t self:capability { dac_override net_admin }; -allow ndc_t self:process { fork signal_perms }; -allow ndc_t self:fifo_file rw_fifo_file_perms; -allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms }; -allow ndc_t self:tcp_socket create_socket_perms; -allow ndc_t self:netlink_route_socket r_netlink_socket_perms; - -allow ndc_t dnssec_t:file read_file_perms; -allow ndc_t dnssec_t:lnk_file read_lnk_file_perms; - -stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t) - -allow ndc_t named_conf_t:file read_file_perms; -allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; - -allow ndc_t named_zone_t:dir search_dir_perms; - -kernel_read_kernel_sysctls(ndc_t) - -corenet_all_recvfrom_unlabeled(ndc_t) -corenet_all_recvfrom_netlabel(ndc_t) -corenet_tcp_sendrecv_generic_if(ndc_t) -corenet_tcp_sendrecv_generic_node(ndc_t) -corenet_tcp_sendrecv_all_ports(ndc_t) -corenet_tcp_bind_generic_node(ndc_t) -corenet_tcp_connect_rndc_port(ndc_t) -corenet_sendrecv_rndc_client_packets(ndc_t) - -domain_use_interactive_fds(ndc_t) - -files_read_etc_files(ndc_t) -files_search_pids(ndc_t) - -fs_getattr_xattr_fs(ndc_t) - -init_use_fds(ndc_t) -init_use_script_ptys(ndc_t) - -logging_send_syslog_msg(ndc_t) - -miscfiles_read_localization(ndc_t) - -sysnet_read_config(ndc_t) -sysnet_dns_name_resolve(ndc_t) - -userdom_use_user_terminals(ndc_t) - -term_dontaudit_use_console(ndc_t) - -# for /etc/rndc.key -ifdef(`distro_redhat',` - allow ndc_t named_conf_t:dir search_dir_perms; -') - -optional_policy(` - nis_use_ypbind(ndc_t) -') - -optional_policy(` - nscd_socket_use(ndc_t) -') - -optional_policy(` - ppp_dontaudit_use_fds(ndc_t) -') diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc deleted file mode 100644 index 0197980..0000000 --- a/policy/modules/services/bitlbee.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0) -/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) - -/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) - -/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if deleted file mode 100644 index a64d94d..0000000 --- a/policy/modules/services/bitlbee.if +++ /dev/null @@ -1,59 +0,0 @@ -## Bitlbee service - -######################################## -## -## Read bitlbee configuration files -## -## -## -## Domain allowed accesss. -## -## -# -interface(`bitlbee_read_config',` - gen_require(` - type bitlbee_conf_t; - ') - - files_search_etc($1) - allow $1 bitlbee_conf_t:dir list_dir_perms; - allow $1 bitlbee_conf_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an bitlbee environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the bitlbee domain. -## -## -## -# -interface(`bitlbee_admin',` - gen_require(` - type bitlbee_t, bitlbee_conf_t, bitlbee_var_t; - type bitlbee_initrc_exec_t; - ') - - allow $1 bitlbee_t:process { ptrace signal_perms }; - ps_process_pattern($1, bitlbee_t) - - init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bitlbee_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, bitlbee_conf_t) - - files_list_var($1) - admin_pattern($1, bitlbee_var_t) -') diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te deleted file mode 100644 index 2ba2d1f..0000000 --- a/policy/modules/services/bitlbee.te +++ /dev/null @@ -1,95 +0,0 @@ -policy_module(bitlbee, 1.3.0) - -######################################## -# -# Declarations -# - -type bitlbee_t; -type bitlbee_exec_t; -init_daemon_domain(bitlbee_t, bitlbee_exec_t) -inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t) - -type bitlbee_conf_t; -files_config_file(bitlbee_conf_t) - -type bitlbee_initrc_exec_t; -init_script_file(bitlbee_initrc_exec_t) - -type bitlbee_tmp_t; -files_tmp_file(bitlbee_tmp_t) - -type bitlbee_var_t; -files_type(bitlbee_var_t) - -######################################## -# -# Local policy -# - -allow bitlbee_t self:capability { setgid setuid }; - -allow bitlbee_t self:udp_socket create_socket_perms; -allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; -allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; -allow bitlbee_t self:fifo_file rw_fifo_file_perms; -allow bitlbee_t self:process signal; - -bitlbee_read_config(bitlbee_t) - -# tmp files -manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) -files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file) - -# user account information is read and edited at runtime; give the usual -# r/w access to bitlbee_var_t -manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) -files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file) - -kernel_read_system_state(bitlbee_t) - -corenet_all_recvfrom_unlabeled(bitlbee_t) -corenet_udp_sendrecv_generic_if(bitlbee_t) -corenet_udp_sendrecv_generic_node(bitlbee_t) -corenet_tcp_sendrecv_generic_if(bitlbee_t) -corenet_tcp_sendrecv_generic_node(bitlbee_t) -# Allow bitlbee to connect to jabber servers -corenet_tcp_connect_jabber_client_port(bitlbee_t) -corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) -# to AIM servers: -corenet_tcp_connect_aol_port(bitlbee_t) -corenet_tcp_sendrecv_aol_port(bitlbee_t) -# and to MMCC (Yahoo IM) servers: -corenet_tcp_connect_mmcc_port(bitlbee_t) -corenet_tcp_sendrecv_mmcc_port(bitlbee_t) -# and to MSNP (MSN Messenger) servers: -corenet_tcp_connect_msnp_port(bitlbee_t) -corenet_tcp_sendrecv_msnp_port(bitlbee_t) -# MSN can use passport auth, which is over http: -corenet_tcp_connect_http_port(bitlbee_t) -corenet_tcp_sendrecv_http_port(bitlbee_t) -corenet_tcp_connect_http_cache_port(bitlbee_t) -corenet_tcp_sendrecv_http_cache_port(bitlbee_t) - -dev_read_rand(bitlbee_t) -dev_read_urand(bitlbee_t) - -files_read_etc_files(bitlbee_t) -files_search_pids(bitlbee_t) -# grant read-only access to the user help files -files_read_usr_files(bitlbee_t) - -libs_legacy_use_shared_libs(bitlbee_t) - -auth_use_nsswitch(bitlbee_t) - -logging_send_syslog_msg(bitlbee_t) - -miscfiles_read_localization(bitlbee_t) - -sysnet_dns_name_resolve(bitlbee_t) - -optional_policy(` - # normally started from inetd using tcpwrappers, so use those entry points - tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) -') diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc deleted file mode 100644 index dc687e6..0000000 --- a/policy/modules/services/bluetooth.fc +++ /dev/null @@ -1,30 +0,0 @@ -# -# /etc -# -/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) -/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0) -/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) -/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) -/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) -/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - -/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - -# -# /var -# -/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) - -/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) -/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if deleted file mode 100644 index fa57a6f..0000000 --- a/policy/modules/services/bluetooth.if +++ /dev/null @@ -1,246 +0,0 @@ -## Bluetooth tools and system services. - -######################################## -## -## Role access for bluetooth -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -interface(`bluetooth_role',` - gen_require(` - type bluetooth_helper_t, bluetooth_helper_exec_t; - type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t; - ') - - role $1 types bluetooth_helper_t; - - domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) - - # allow ps to show cdrecord and allow the user to kill it - ps_process_pattern($2, bluetooth_helper_t) - allow $2 bluetooth_helper_t:process { ptrace signal_perms }; - - manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) - manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) - manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) - - manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) - manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -') - -##################################### -## -## Connect to bluetooth over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`bluetooth_stream_connect',` - gen_require(` - type bluetooth_t, bluetooth_var_run_t; - ') - - files_search_pids($1) - allow $1 bluetooth_t:socket rw_socket_perms; - stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) -') - -######################################## -## -## Execute bluetooth in the bluetooth domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bluetooth_domtrans',` - gen_require(` - type bluetooth_t, bluetooth_exec_t; - ') - - domtrans_pattern($1, bluetooth_exec_t, bluetooth_t) -') - -######################################## -## -## Read bluetooth daemon configuration. -## -## -## -## Domain allowed access. -## -## -# -interface(`bluetooth_read_config',` - gen_require(` - type bluetooth_conf_t; - ') - - allow $1 bluetooth_conf_t:file read_file_perms; -') - -######################################## -## -## Send and receive messages from -## bluetooth over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`bluetooth_dbus_chat',` - gen_require(` - type bluetooth_t; - class dbus send_msg; - ') - - allow $1 bluetooth_t:dbus send_msg; - allow bluetooth_t $1:dbus send_msg; -') - -######################################## -## -## dontaudit Send and receive messages from -## bluetooth over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`bluetooth_dontaudit_dbus_chat',` - gen_require(` - type bluetooth_t; - class dbus send_msg; - ') - - dontaudit $1 bluetooth_t:dbus send_msg; - dontaudit bluetooth_t $1:dbus send_msg; -') - -######################################## -## -## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bluetooth_domtrans_helper',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Execute bluetooth_helper in the bluetooth_helper domain, and -## allow the specified role the bluetooth_helper domain. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -## -## The type of the terminal allow the bluetooth_helper domain to use. -## -## -## -# -interface(`bluetooth_run_helper',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Do not audit attempts to read bluetooth helper state files. -## -## -## -## Domain to not audit. -## -## -# -interface(`bluetooth_dontaudit_read_helper_state',` - gen_require(` - type bluetooth_helper_t; - ') - - dontaudit $1 bluetooth_helper_t:dir search_dir_perms; - dontaudit $1 bluetooth_helper_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an bluetooth environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the bluetooth domain. -## -## -## -# -interface(`bluetooth_admin',` - gen_require(` - type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; - type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t; - type bluetooth_conf_t, bluetooth_conf_rw_t; - ') - - allow $1 bluetooth_t:process { ptrace signal_perms }; - ps_process_pattern($1, bluetooth_t) - - init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bluetooth_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, bluetooth_tmp_t) - - files_list_var($1) - admin_pattern($1, bluetooth_lock_t) - - files_list_etc($1) - admin_pattern($1, bluetooth_conf_t) - admin_pattern($1, bluetooth_conf_rw_t) - - files_list_var_lib($1) - admin_pattern($1, bluetooth_var_lib_t) - - files_list_pids($1) - admin_pattern($1, bluetooth_var_run_t) -') diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te deleted file mode 100644 index 67818fe..0000000 --- a/policy/modules/services/bluetooth.te +++ /dev/null @@ -1,253 +0,0 @@ -policy_module(bluetooth, 3.3.0) - -######################################## -# -# Declarations -# - -type bluetooth_t; -type bluetooth_exec_t; -init_daemon_domain(bluetooth_t, bluetooth_exec_t) - -type bluetooth_conf_t; -files_type(bluetooth_conf_t) - -type bluetooth_conf_rw_t; -files_type(bluetooth_conf_rw_t) - -type bluetooth_helper_t; -type bluetooth_helper_exec_t; -typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t }; -typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t }; -application_domain(bluetooth_helper_t, bluetooth_helper_exec_t) -ubac_constrained(bluetooth_helper_t) - -type bluetooth_helper_tmp_t; -typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t }; -typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t }; -files_tmp_file(bluetooth_helper_tmp_t) -ubac_constrained(bluetooth_helper_tmp_t) - -type bluetooth_helper_tmpfs_t; -typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t }; -typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t }; -files_tmpfs_file(bluetooth_helper_tmpfs_t) -ubac_constrained(bluetooth_helper_tmpfs_t) - -type bluetooth_initrc_exec_t; -init_script_file(bluetooth_initrc_exec_t) - -type bluetooth_lock_t; -files_lock_file(bluetooth_lock_t) - -type bluetooth_tmp_t; -files_tmp_file(bluetooth_tmp_t) - -type bluetooth_var_lib_t; -files_type(bluetooth_var_lib_t) - -type bluetooth_var_run_t; -files_pid_file(bluetooth_var_run_t) - -######################################## -# -# Bluetooth services local policy -# - -#sys_admin capability - redhat bug 573015 -allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; -dontaudit bluetooth_t self:capability sys_tty_config; -allow bluetooth_t self:process { getcap setcap getsched signal_perms }; -allow bluetooth_t self:fifo_file rw_fifo_file_perms; -allow bluetooth_t self:shm create_shm_perms; -allow bluetooth_t self:socket create_stream_socket_perms; -allow bluetooth_t self:unix_dgram_socket create_socket_perms; -allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow bluetooth_t self:tcp_socket create_stream_socket_perms; -allow bluetooth_t self:udp_socket create_socket_perms; -allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms; - -read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t) - -manage_dirs_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_lnk_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_fifo_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_sock_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file lnk_file sock_file fifo_file }) - -can_exec(bluetooth_t, bluetooth_helper_exec_t) - -allow bluetooth_t bluetooth_lock_t:file manage_file_perms; -files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) - -manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) -manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) -files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir }) - -manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) -manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) -files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } ) - -manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) -manage_sock_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) -files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(bluetooth_t) -kernel_read_system_state(bluetooth_t) -kernel_read_network_state(bluetooth_t) -kernel_request_load_module(bluetooth_t) -#search debugfs - redhat bug 548206 -kernel_search_debugfs(bluetooth_t) - -ifdef(`hide_broken_symptoms', ` - kernel_rw_unlabeled_socket(bluetooth_t) -') - -corenet_all_recvfrom_unlabeled(bluetooth_t) -corenet_all_recvfrom_netlabel(bluetooth_t) -corenet_tcp_sendrecv_generic_if(bluetooth_t) -corenet_udp_sendrecv_generic_if(bluetooth_t) -corenet_raw_sendrecv_generic_if(bluetooth_t) -corenet_tcp_sendrecv_generic_node(bluetooth_t) -corenet_udp_sendrecv_generic_node(bluetooth_t) -corenet_raw_sendrecv_generic_node(bluetooth_t) -corenet_tcp_sendrecv_all_ports(bluetooth_t) -corenet_udp_sendrecv_all_ports(bluetooth_t) - -dev_read_sysfs(bluetooth_t) -dev_rw_usbfs(bluetooth_t) -dev_rw_generic_usb_dev(bluetooth_t) -dev_read_urand(bluetooth_t) -dev_rw_input_dev(bluetooth_t) -dev_rw_wireless(bluetooth_t) - -fs_getattr_all_fs(bluetooth_t) -fs_search_auto_mountpoints(bluetooth_t) -fs_list_inotifyfs(bluetooth_t) - -#Handle bluetooth serial devices -term_use_unallocated_ttys(bluetooth_t) - -corecmd_exec_bin(bluetooth_t) -corecmd_exec_shell(bluetooth_t) - -domain_use_interactive_fds(bluetooth_t) -domain_dontaudit_search_all_domains_state(bluetooth_t) - -files_read_etc_files(bluetooth_t) -files_read_etc_runtime_files(bluetooth_t) -files_read_usr_files(bluetooth_t) - -auth_use_nsswitch(bluetooth_t) - -logging_send_syslog_msg(bluetooth_t) - -miscfiles_read_localization(bluetooth_t) -miscfiles_read_fonts(bluetooth_t) -miscfiles_read_hwdata(bluetooth_t) - -userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) -userdom_dontaudit_use_user_terminals(bluetooth_t) -userdom_dontaudit_search_user_home_dirs(bluetooth_t) - -optional_policy(` - devicekit_dbus_chat_power(bluetooth_t) -') - -optional_policy(` - dbus_system_bus_client(bluetooth_t) - dbus_connect_system_bus(bluetooth_t) - - optional_policy(` - cups_dbus_chat(bluetooth_t) - ') - - optional_policy(` - hal_dbus_chat(bluetooth_t) - ') - - optional_policy(` - networkmanager_dbus_chat(bluetooth_t) - ') - - optional_policy(` - pulseaudio_dbus_chat(bluetooth_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(bluetooth_t) -') - -optional_policy(` - udev_read_db(bluetooth_t) -') - -optional_policy(` - ppp_domtrans(bluetooth_t) -') - -######################################## -# -# Bluetooth helper programs local policy -# - -allow bluetooth_helper_t self:capability sys_nice; -allow bluetooth_helper_t self:process getsched; -allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms; -allow bluetooth_helper_t self:shm create_shm_perms; -allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow bluetooth_helper_t self:tcp_socket create_socket_perms; -allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms; - -allow bluetooth_helper_t bluetooth_t:socket { read write }; - -manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file }) - -manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file }) - -kernel_read_system_state(bluetooth_helper_t) -kernel_read_kernel_sysctls(bluetooth_helper_t) - -dev_read_urand(bluetooth_helper_t) - -term_dontaudit_use_all_ttys(bluetooth_helper_t) - -corecmd_exec_bin(bluetooth_helper_t) -corecmd_exec_shell(bluetooth_helper_t) - -domain_read_all_domains_state(bluetooth_helper_t) - -files_read_etc_files(bluetooth_helper_t) -files_read_etc_runtime_files(bluetooth_helper_t) -files_read_usr_files(bluetooth_helper_t) -files_dontaudit_list_default(bluetooth_helper_t) - -locallogin_dontaudit_use_fds(bluetooth_helper_t) - -logging_send_syslog_msg(bluetooth_helper_t) - -miscfiles_read_localization(bluetooth_helper_t) - -sysnet_read_config(bluetooth_helper_t) - -optional_policy(` - bluetooth_dbus_chat(bluetooth_helper_t) - - dbus_system_bus_client(bluetooth_helper_t) - dbus_connect_system_bus(bluetooth_helper_t) -') - -optional_policy(` - nscd_socket_use(bluetooth_helper_t) -') - -optional_policy(` - xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t) -') diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc deleted file mode 100644 index c095160..0000000 --- a/policy/modules/services/boinc.fc +++ /dev/null @@ -1,8 +0,0 @@ - -/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) - -/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) - -/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) -/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if deleted file mode 100644 index fa9b95a..0000000 --- a/policy/modules/services/boinc.if +++ /dev/null @@ -1,150 +0,0 @@ -## policy for boinc - -######################################## -## -## Execute a domain transition to run boinc. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`boinc_domtrans',` - gen_require(` - type boinc_t, boinc_exec_t; - ') - - domtrans_pattern($1, boinc_exec_t, boinc_t) -') - -####################################### -## -## Execute boinc server in the boinc domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`boinc_initrc_domtrans',` - gen_require(` - type boinc_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, boinc_initrc_exec_t) -') - -######################################## -## -## Search boinc lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`boinc_search_lib',` - gen_require(` - type boinc_var_lib_t; - ') - - allow $1 boinc_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read boinc lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`boinc_read_lib_files',` - gen_require(` - type boinc_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## boinc lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`boinc_manage_lib_files',` - gen_require(` - type boinc_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) -') - -######################################## -## -## Manage boinc var_lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`boinc_manage_var_lib',` - gen_require(` - type boinc_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t) - manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) - manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an boinc environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`boinc_admin',` - gen_require(` - type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; - ') - - allow $1 boinc_t:process { ptrace signal_perms }; - ps_process_pattern($1, boinc_t) - - boinc_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 boinc_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, boinc_var_lib_t) -') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te deleted file mode 100644 index 4bc3f06..0000000 --- a/policy/modules/services/boinc.te +++ /dev/null @@ -1,167 +0,0 @@ -policy_module(boinc, 1.0.0) - -######################################## -# -# Declarations -# - -type boinc_t; -type boinc_exec_t; -init_daemon_domain(boinc_t, boinc_exec_t) - -type boinc_initrc_exec_t; -init_script_file(boinc_initrc_exec_t) - -type boinc_tmp_t; -files_tmp_file(boinc_tmp_t) - -type boinc_tmpfs_t; -files_tmpfs_file(boinc_tmpfs_t) - -type boinc_var_lib_t; -files_type(boinc_var_lib_t) - -type boinc_project_t; -domain_type(boinc_project_t) -role system_r types boinc_project_t; - -permissive boinc_project_t; - -type boinc_project_tmp_t; -files_tmp_file(boinc_project_tmp_t) - -type boinc_project_var_lib_t; -files_type(boinc_project_var_lib_t) - -######################################## -# -# boinc local policy -# - -allow boinc_t self:capability { kill }; -allow boinc_t self:process { setsched sigkill }; - -allow boinc_t self:fifo_file rw_fifo_file_perms; -allow boinc_t self:unix_stream_socket create_stream_socket_perms; -allow boinc_t self:tcp_socket create_stream_socket_perms; -allow boinc_t self:sem create_sem_perms; -allow boinc_t self:shm create_shm_perms; - -manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) - -manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) -fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) - -exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir) - -manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) - -kernel_read_system_state(boinc_t) - -files_getattr_all_dirs(boinc_t) -files_getattr_all_files(boinc_t) - -corecmd_exec_bin(boinc_t) -corecmd_exec_shell(boinc_t) - -corenet_all_recvfrom_unlabeled(boinc_t) -corenet_all_recvfrom_netlabel(boinc_t) -corenet_tcp_sendrecv_generic_if(boinc_t) -corenet_udp_sendrecv_generic_if(boinc_t) -corenet_tcp_sendrecv_generic_node(boinc_t) -corenet_udp_sendrecv_generic_node(boinc_t) -corenet_tcp_sendrecv_all_ports(boinc_t) -corenet_udp_sendrecv_all_ports(boinc_t) -corenet_tcp_bind_generic_node(boinc_t) -corenet_udp_bind_generic_node(boinc_t) -corenet_tcp_bind_boinc_port(boinc_t) -corenet_tcp_connect_boinc_port(boinc_t) -corenet_tcp_connect_http_port(boinc_t) -corenet_tcp_connect_http_cache_port(boinc_t) - -dev_list_sysfs(boinc_t) -dev_read_rand(boinc_t) -dev_read_urand(boinc_t) -dev_read_sysfs(boinc_t) - -domain_read_all_domains_state(boinc_t) - -files_dontaudit_getattr_boot_dirs(boinc_t) - -files_read_etc_files(boinc_t) -files_read_usr_files(boinc_t) - -fs_getattr_all_fs(boinc_t) - -term_dontaudit_getattr_ptmx(boinc_t) - -miscfiles_read_localization(boinc_t) -miscfiles_read_generic_certs(boinc_t) - -logging_send_syslog_msg(boinc_t) - -sysnet_dns_name_resolve(boinc_t) - -mta_send_mail(boinc_t) - -######################################## -# -# boinc-projects local policy -# - -domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) -allow boinc_t boinc_project_t:process sigkill; - -allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop }; -allow boinc_project_t self:process { execmem execstack }; - -allow boinc_project_t self:fifo_file rw_fifo_file_perms; -allow boinc_project_t self:sem create_sem_perms; - -manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) -manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) -files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file }) - -allow boinc_project_t boinc_project_var_lib_t:file entrypoint; -exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir }) - -allow boinc_project_t boinc_project_var_lib_t:file execmod; - -allow boinc_project_t boinc_t:shm rw_shm_perms; -allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms; - -list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) -rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) - -kernel_read_system_state(boinc_project_t) -kernel_read_kernel_sysctls(boinc_project_t) -kernel_search_vm_sysctl(boinc_project_t) -kernel_read_network_state(boinc_project_t) - -corecmd_exec_bin(boinc_project_t) -corecmd_exec_shell(boinc_project_t) - -corenet_tcp_connect_boinc_port(boinc_project_t) - -dev_read_rand(boinc_project_t) -dev_read_urand(boinc_project_t) -dev_read_sysfs(boinc_project_t) -dev_rw_xserver_misc(boinc_project_t) - -files_read_etc_files(boinc_project_t) - -miscfiles_read_fonts(boinc_project_t) -miscfiles_read_localization(boinc_project_t) - -optional_policy(` - java_exec(boinc_project_t) -') diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc deleted file mode 100644 index 18f37e2..0000000 --- a/policy/modules/services/bugzilla.fc +++ /dev/null @@ -1,4 +0,0 @@ - -/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) -/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) -/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if deleted file mode 100644 index 3964548..0000000 --- a/policy/modules/services/bugzilla.if +++ /dev/null @@ -1,80 +0,0 @@ -## Bugzilla server - -######################################## -## -## Allow the specified domain to search -## bugzilla directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`bugzilla_search_dirs',` - gen_require(` - type httpd_bugzilla_content_t; - ') - - allow $1 httpd_bugzilla_content_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## bugzilla script unix domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`bugzilla_dontaudit_rw_script_stream_sockets',` - gen_require(` - type httpd_bugzilla_script_t; - ') - - dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; -') - -######################################## -## -## All of the rules required to administrate -## an bugzilla environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the bugzilla domain. -## -## -## -# -interface(`bugzilla_admin',` - gen_require(` - type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; - type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t; - type httpd_bugzilla_htaccess_t; - ') - - allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; - ps_process_pattern($1, httpd_bugzilla_script_t) - - files_list_tmp($1) - admin_pattern($1, httpd_bugzilla_tmp_t) - - files_list_var_lib(httpd_bugzilla_script_t) - - apache_list_sys_content($1) - admin_pattern($1, httpd_bugzilla_script_exec_t) - admin_pattern($1, httpd_bugzilla_script_t) - admin_pattern($1, httpd_bugzilla_content_t) - admin_pattern($1, httpd_bugzilla_htaccess_t) - admin_pattern($1, httpd_bugzilla_rw_content_t) - admin_pattern($1, httpd_bugzilla_ra_content_t) -') diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te deleted file mode 100644 index c63c8fa..0000000 --- a/policy/modules/services/bugzilla.te +++ /dev/null @@ -1,55 +0,0 @@ -policy_module(bugzilla, 1.0) - -######################################## -# -# Declarations -# - -apache_content_template(bugzilla) - -type httpd_bugzilla_tmp_t; -files_tmp_file(httpd_bugzilla_tmp_t) - -######################################## -# -# bugzilla local policy -# - -allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; -allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; -allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; - -corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) -corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t) -corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t) -corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) -corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) -corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) -corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) -corenet_tcp_connect_http_port(httpd_bugzilla_script_t) -corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) -corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) -corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) - -manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) -manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) -files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) - -files_search_var_lib(httpd_bugzilla_script_t) - -mta_send_mail(httpd_bugzilla_script_t) - -sysnet_read_config(httpd_bugzilla_script_t) -sysnet_use_ldap(httpd_bugzilla_script_t) - -optional_policy(` - mysql_search_db(httpd_bugzilla_script_t) - mysql_stream_connect(httpd_bugzilla_script_t) -') - -optional_policy(` - postgresql_stream_connect(httpd_bugzilla_script_t) -') diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc deleted file mode 100644 index 24d9837..0000000 --- a/policy/modules/services/cachefilesd.fc +++ /dev/null @@ -1,29 +0,0 @@ -############################################################################### -# -# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. -# Written by David Howells (dhowells@redhat.com) -# Karl MacMillan (kmacmill@redhat.com) -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version -# 2 of the License, or (at your option) any later version. -# -############################################################################### - -# -# Define the contexts to be assigned to various files and directories of -# importance to the CacheFiles kernel module and userspace management daemon. -# - -# cachefilesd executable will have: -# label: system_u:object_r:cachefilesd_exec_t -# MLS sensitivity: s0 -# MCS categories: - -/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) -/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0) -/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) -/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) - -/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if deleted file mode 100644 index 3b41945..0000000 --- a/policy/modules/services/cachefilesd.if +++ /dev/null @@ -1,35 +0,0 @@ -############################################################################### -# -# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. -# Written by David Howells (dhowells@redhat.com) -# Karl MacMillan (kmacmill@redhat.com) -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version -# 2 of the License, or (at your option) any later version. -# -############################################################################### - -# -# Define the policy interface for the CacheFiles userspace management daemon. -# -## policy for cachefilesd - -######################################## -## -## Execute a domain transition to run cachefilesd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cachefilesd_domtrans',` - gen_require(` - type cachefilesd_t, cachefilesd_exec_t; - ') - - domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) -') diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te deleted file mode 100644 index 575c16e..0000000 --- a/policy/modules/services/cachefilesd.te +++ /dev/null @@ -1,143 +0,0 @@ -############################################################################### -# -# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. -# Written by David Howells (dhowells@redhat.com) -# Karl MacMillan (kmacmill@redhat.com) -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version -# 2 of the License, or (at your option) any later version. -# -############################################################################### - -# -# This security policy governs access by the CacheFiles kernel module and -# userspace management daemon to the files and directories in the on-disk -# cache, on behalf of the processes accessing the cache through a network -# filesystem such as NFS -# -policy_module(cachefilesd, 1.0.17) - -############################################################################### -# -# Declarations -# - -# -# Files in the cache are created by the cachefiles module with security ID -# cachefiles_var_t -# -type cachefiles_var_t; -files_type(cachefiles_var_t) - -# -# The /dev/cachefiles character device has security ID cachefiles_dev_t -# -type cachefiles_dev_t; -dev_node(cachefiles_dev_t) - -# -# The cachefilesd daemon normally runs with security ID cachefilesd_t -# -type cachefilesd_t; -type cachefilesd_exec_t; -init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) - -# -# The cachefilesd daemon pid file context -# -type cachefilesd_var_run_t; -files_pid_file(cachefilesd_var_run_t) - -# -# The CacheFiles kernel module causes processes accessing the cache files to do -# so acting as security ID cachefiles_kernel_t -# -type cachefiles_kernel_t; -domain_type(cachefiles_kernel_t) -domain_obj_id_change_exemption(cachefiles_kernel_t) -role system_r types cachefiles_kernel_t; - -############################################################################### -# -# Permit RPM to deal with files in the cache -# -rpm_use_script_fds(cachefilesd_t) - -############################################################################### -# -# cachefilesd local policy -# -# These define what cachefilesd is permitted to do. This doesn't include very -# much: startup stuff, logging, pid file, scanning the cache superstructure and -# deleting files from the cache. It is not permitted to read/write files in -# the cache. -# -# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow -# rules. -# -allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; - -# Allow manipulation of pid file -allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; -manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) -manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) -files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) -files_create_as_is_all_files(cachefilesd_t) - -# Allow access to cachefiles device file -allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; - -# Allow access to cache superstructure -allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms }; -allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms }; - -# Permit statfs on the backing filesystem -fs_getattr_xattr_fs(cachefilesd_t) - -# Basic access -files_read_etc_files(cachefilesd_t) -miscfiles_read_localization(cachefilesd_t) -logging_send_syslog_msg(cachefilesd_t) -init_dontaudit_use_script_ptys(cachefilesd_t) -term_dontaudit_use_generic_ptys(cachefilesd_t) -term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) - -############################################################################### -# -# When cachefilesd invokes the kernel module to begin caching, it has to tell -# the kernel module the security context in which it should act, and this -# policy has to approve that. -# -# There are two parts to this: -# -# (1) the security context used by the module to access files in the cache, -# as set by the 'secctx' command in /etc/cachefilesd.conf, and -# -allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override }; - -# -# (2) the label that will be assigned to new files and directories created in -# the cache by the module, which will be the same as the label on the -# directory pointed to by the 'dir' command. -# -allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as }; - -############################################################################### -# -# cachefiles kernel module local policy -# -# This governs what the kernel module is allowed to do the contents of the -# cache. -# -allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; - -manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) -manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) - -fs_getattr_xattr_fs(cachefiles_kernel_t) - -dev_search_sysfs(cachefiles_kernel_t) - -init_sigchld_script(cachefiles_kernel_t) diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc deleted file mode 100644 index 5432d0e..0000000 --- a/policy/modules/services/canna.fc +++ /dev/null @@ -1,23 +0,0 @@ -/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0) -/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0) - -/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0) -/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0) - -# -# /var -# -/var/lib/canna/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0) -/var/lib/wnn/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0) - -/var/log/canna(/.*)? gen_context(system_u:object_r:canna_log_t,s0) -/var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0) - -/var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) -/var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) -/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if deleted file mode 100644 index 4a26b0c..0000000 --- a/policy/modules/services/canna.if +++ /dev/null @@ -1,61 +0,0 @@ -## Canna - kana-kanji conversion server - -######################################## -## -## Connect to Canna using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`canna_stream_connect',` - gen_require(` - type canna_t, canna_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t) -') - -######################################## -## -## All of the rules required to administrate -## an canna environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the canna domain. -## -## -## -# -interface(`canna_admin',` - gen_require(` - type canna_t, canna_log_t, canna_var_lib_t; - type canna_var_run_t, canna_initrc_exec_t; - ') - - allow $1 canna_t:process { ptrace signal_perms }; - ps_process_pattern($1, canna_t) - - init_labeled_script_domtrans($1, canna_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 canna_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, canna_log_t) - - files_list_var_lib($1) - admin_pattern($1, canna_var_lib_t) - - files_list_pids($1) - admin_pattern($1, canna_var_run_t) -') diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te deleted file mode 100644 index d60e2bf..0000000 --- a/policy/modules/services/canna.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(canna, 1.10.1) - -######################################## -# -# Declarations -# - -type canna_t; -type canna_exec_t; -init_daemon_domain(canna_t, canna_exec_t) - -type canna_initrc_exec_t; -init_script_file(canna_initrc_exec_t) - -type canna_log_t; -logging_log_file(canna_log_t) - -type canna_var_lib_t; -files_type(canna_var_lib_t) - -type canna_var_run_t; -files_pid_file(canna_var_run_t) - -######################################## -# -# Local policy -# - -allow canna_t self:capability { setgid setuid net_bind_service }; -dontaudit canna_t self:capability sys_tty_config; -allow canna_t self:process signal_perms; -allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms}; -allow canna_t self:unix_dgram_socket create_stream_socket_perms; -allow canna_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(canna_t, canna_log_t, canna_log_t) -allow canna_t canna_log_t:dir setattr_dir_perms; -logging_log_filetrans(canna_t, canna_log_t, { file dir }) - -manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) -manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) -manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) -files_var_lib_filetrans(canna_t, canna_var_lib_t, file) - -manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t) -manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) -manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) -files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(canna_t) -kernel_read_system_state(canna_t) - -corenet_all_recvfrom_unlabeled(canna_t) -corenet_all_recvfrom_netlabel(canna_t) -corenet_tcp_sendrecv_generic_if(canna_t) -corenet_tcp_sendrecv_generic_node(canna_t) -corenet_tcp_sendrecv_all_ports(canna_t) -corenet_tcp_connect_all_ports(canna_t) -corenet_sendrecv_all_client_packets(canna_t) - -dev_read_sysfs(canna_t) - -fs_getattr_all_fs(canna_t) -fs_search_auto_mountpoints(canna_t) - -domain_use_interactive_fds(canna_t) - -files_read_etc_files(canna_t) -files_read_etc_runtime_files(canna_t) -files_read_usr_files(canna_t) -files_search_tmp(canna_t) -files_dontaudit_read_root_files(canna_t) - -logging_send_syslog_msg(canna_t) - -miscfiles_read_localization(canna_t) - -sysnet_read_config(canna_t) - -userdom_dontaudit_use_unpriv_user_fds(canna_t) -userdom_dontaudit_search_user_home_dirs(canna_t) - -optional_policy(` - nis_use_ypbind(canna_t) -') - -optional_policy(` - seutil_sigchld_newrole(canna_t) -') - -optional_policy(` - udev_read_db(canna_t) -') diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc deleted file mode 100644 index 8a7177d..0000000 --- a/policy/modules/services/ccs.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0) - -/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) - -/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) -/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if deleted file mode 100644 index 3105b09..0000000 --- a/policy/modules/services/ccs.if +++ /dev/null @@ -1,75 +0,0 @@ -## Cluster Configuration System - -######################################## -## -## Execute a domain transition to run ccs. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ccs_domtrans',` - gen_require(` - type ccs_t, ccs_exec_t; - ') - - domtrans_pattern($1, ccs_exec_t, ccs_t) -') - -######################################## -## -## Connect to ccs over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`ccs_stream_connect',` - gen_require(` - type ccs_t, ccs_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t) -') - -######################################## -## -## Read cluster configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ccs_read_config',` - gen_require(` - type cluster_conf_t; - ') - - read_files_pattern($1, cluster_conf_t, cluster_conf_t) -') - -######################################## -## -## Manage cluster configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ccs_manage_config',` - gen_require(` - type cluster_conf_t; - ') - - manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t) - manage_files_pattern($1, cluster_conf_t, cluster_conf_t) -') diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te deleted file mode 100644 index 8d7e14e..0000000 --- a/policy/modules/services/ccs.te +++ /dev/null @@ -1,127 +0,0 @@ -policy_module(ccs, 1.5.0) - -######################################## -# -# Declarations -# - -type ccs_t; -type ccs_exec_t; -init_daemon_domain(ccs_t, ccs_exec_t) - -type cluster_conf_t; -files_type(cluster_conf_t) - -type ccs_tmp_t; -files_tmp_file(ccs_tmp_t) - -type ccs_tmpfs_t; -files_tmpfs_file(ccs_tmpfs_t) - -type ccs_var_lib_t; -logging_log_file(ccs_var_lib_t) - -type ccs_var_log_t; -logging_log_file(ccs_var_log_t) - -type ccs_var_run_t; -files_pid_file(ccs_var_run_t) - -######################################## -# -# ccs local policy -# - -allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; -allow ccs_t self:process { signal setrlimit setsched }; -dontaudit ccs_t self:process ptrace; -allow ccs_t self:fifo_file rw_fifo_file_perms; -allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow ccs_t self:unix_dgram_socket create_socket_perms; -allow ccs_t self:netlink_route_socket r_netlink_socket_perms; -allow ccs_t self:tcp_socket create_stream_socket_perms; -allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg }; -# cjp: this needs to be fixed to be specific -allow ccs_t self:socket create_socket_perms; - -manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t) - -# tmp file -allow ccs_t ccs_tmp_t:dir manage_dir_perms; -manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) -manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) -files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir }) - -manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) -manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) -fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file }) - -# var lib files -manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) -manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) -files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) - -allow ccs_t ccs_var_log_t:dir setattr_dir_perms; -manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) -manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) -logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) - -# pid file -manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) -manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) -manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) -files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(ccs_t) - -corecmd_list_bin(ccs_t) -corecmd_exec_bin(ccs_t) - -corenet_all_recvfrom_unlabeled(ccs_t) -corenet_all_recvfrom_netlabel(ccs_t) -corenet_tcp_sendrecv_generic_if(ccs_t) -corenet_udp_sendrecv_generic_if(ccs_t) -corenet_tcp_sendrecv_generic_node(ccs_t) -corenet_udp_sendrecv_generic_node(ccs_t) -corenet_tcp_sendrecv_all_ports(ccs_t) -corenet_udp_sendrecv_all_ports(ccs_t) -corenet_tcp_bind_generic_node(ccs_t) -corenet_udp_bind_generic_node(ccs_t) -corenet_tcp_bind_cluster_port(ccs_t) -corenet_udp_bind_cluster_port(ccs_t) -corenet_udp_bind_netsupport_port(ccs_t) - -dev_read_urand(ccs_t) - -files_read_etc_files(ccs_t) -files_read_etc_runtime_files(ccs_t) - -init_rw_script_tmp_files(ccs_t) - -logging_send_syslog_msg(ccs_t) - -miscfiles_read_localization(ccs_t) - -sysnet_dns_name_resolve(ccs_t) - -userdom_manage_unpriv_user_shared_mem(ccs_t) -userdom_manage_unpriv_user_semaphores(ccs_t) - -ifdef(`hide_broken_symptoms',` - corecmd_dontaudit_write_bin_dirs(ccs_t) - files_manage_isid_type_files(ccs_t) -') - -optional_policy(` - aisexec_stream_connect(ccs_t) - corosync_stream_connect(ccs_t) -') - -optional_policy(` - qpidd_rw_semaphores(ccs_t) - qpidd_rw_shm(ccs_t) -') - -optional_policy(` - unconfined_use_fds(ccs_t) -') diff --git a/policy/modules/services/certmaster.fc b/policy/modules/services/certmaster.fc deleted file mode 100644 index 79295d6..0000000 --- a/policy/modules/services/certmaster.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) -/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) - -/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) - -/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0) -/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) -/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if deleted file mode 100644 index ffd0da5..0000000 --- a/policy/modules/services/certmaster.if +++ /dev/null @@ -1,144 +0,0 @@ -## Certmaster SSL certificate distribution service - -######################################## -## -## Execute a domain transition to run certmaster. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`certmaster_domtrans',` - gen_require(` - type certmaster_t, certmaster_exec_t; - ') - - domtrans_pattern($1, certmaster_exec_t, certmaster_t) -') - -#################################### -## -## Execute certmaster in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmaster_exec',` - gen_require(` - type certmaster_exec_t; - ') - - can_exec($1, certmaster_exec_t) - corecmd_search_bin($1) -') - -####################################### -## -## read certmaster logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmaster_read_log',` - gen_require(` - type certmaster_var_log_t; - ') - - read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) -') - -####################################### -## -## Append to certmaster logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmaster_append_log',` - gen_require(` - type certmaster_var_log_t; - ') - - append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) -') - -####################################### -## -## Create, read, write, and delete -## certmaster logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmaster_manage_log',` - gen_require(` - type certmaster_var_log_t; - ') - - manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) -') - -######################################## -## -## All of the rules required to administrate -## an snort environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`certmaster_admin',` - gen_require(` - type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; - type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; - ') - - allow $1 certmaster_t:process { ptrace signal_perms }; - ps_process_pattern($1, certmaster_t) - - init_labeled_script_domtrans($1, certmaster_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 certmaster_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - miscfiles_manage_generic_cert_dirs($1) - miscfiles_manage_generic_cert_files($1) - - admin_pattern($1, certmaster_etc_rw_t) - - files_list_pids($1) - admin_pattern($1, certmaster_var_run_t) - - logging_list_logs($1) - admin_pattern($1, certmaster_var_log_t) - - files_list_var_lib($1) - admin_pattern($1, certmaster_var_lib_t) -') diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te deleted file mode 100644 index dbfd0a6..0000000 --- a/policy/modules/services/certmaster.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(certmaster, 1.1.2) - -######################################## -# -# Declarations -# - -type certmaster_t; -type certmaster_exec_t; -init_daemon_domain(certmaster_t, certmaster_exec_t) - -type certmaster_initrc_exec_t; -init_script_file(certmaster_initrc_exec_t) - -type certmaster_etc_rw_t; -files_type(certmaster_etc_rw_t) - -type certmaster_var_lib_t; -files_type(certmaster_var_lib_t) - -type certmaster_var_log_t; -logging_log_file(certmaster_var_log_t) - -type certmaster_var_run_t; -files_pid_file(certmaster_var_run_t) - -########################################### -# -# certmaster local policy -# - -allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config }; -allow certmaster_t self:tcp_socket create_stream_socket_perms; - -# config files -list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) -manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) - -# var/lib files for certmaster -manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t) -manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t) -files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) - -# log files -manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -logging_log_filetrans(certmaster_t, certmaster_var_log_t, file) - -# pid file -manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) -manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) -files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file }) - -# read meminfo -kernel_read_system_state(certmaster_t) - -corecmd_search_bin(certmaster_t) -corecmd_getattr_bin_files(certmaster_t) - -corenet_tcp_bind_generic_node(certmaster_t) -corenet_tcp_bind_certmaster_port(certmaster_t) - -files_search_etc(certmaster_t) -files_read_usr_files(certmaster_t) -files_list_var(certmaster_t) -files_search_var_lib(certmaster_t) - -auth_use_nsswitch(certmaster_t) - -miscfiles_read_localization(certmaster_t) - -miscfiles_manage_generic_cert_dirs(certmaster_t) -miscfiles_manage_generic_cert_files(certmaster_t) diff --git a/policy/modules/services/certmonger.fc b/policy/modules/services/certmonger.fc deleted file mode 100644 index 5ad1a52..0000000 --- a/policy/modules/services/certmonger.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) - -/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0) - -/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) -/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if deleted file mode 100644 index d664be8..0000000 --- a/policy/modules/services/certmonger.if +++ /dev/null @@ -1,174 +0,0 @@ -## Certificate status monitor and PKI enrollment client - -######################################## -## -## Execute a domain transition to run certmonger. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`certmonger_domtrans',` - gen_require(` - type certmonger_t, certmonger_exec_t; - ') - - domtrans_pattern($1, certmonger_exec_t, certmonger_t) -') - -######################################## -## -## Send and receive messages from -## certmonger over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_dbus_chat',` - gen_require(` - type certmonger_t; - class dbus send_msg; - ') - - allow $1 certmonger_t:dbus send_msg; - allow certmonger_t $1:dbus send_msg; -') - -######################################## -## -## Execute certmonger server in the certmonger domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`certmonger_initrc_domtrans',` - gen_require(` - type certmonger_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, certmonger_initrc_exec_t) -') - -######################################## -## -## Read certmonger PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_read_pid_files',` - gen_require(` - type certmonger_var_run_t; - ') - - files_search_pids($1) - allow $1 certmonger_var_run_t:file read_file_perms; -') - -######################################## -## -## Search certmonger lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_search_lib',` - gen_require(` - type certmonger_var_lib_t; - ') - - allow $1 certmonger_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read certmonger lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_read_lib_files',` - gen_require(` - type certmonger_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## certmonger lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_manage_lib_files',` - gen_require(` - type certmonger_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an certmonger environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`certmonger_admin',` - gen_require(` - type certmonger_t, certmonger_initrc_exec_t; - type certmonger_var_lib_t, certmonger_var_run_t; - ') - - ps_process_pattern($1, certmonger_t) - allow $1 certmonger_t:process { ptrace signal_perms }; - - # Allow certmonger_t to restart the apache service - certmonger_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 certmonger_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, certmonger_var_lib_t) - - files_list_pids($1) - admin_pattern($1, certmonger_var_run_t) -') diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te deleted file mode 100644 index 5595c96..0000000 --- a/policy/modules/services/certmonger.te +++ /dev/null @@ -1,83 +0,0 @@ -policy_module(certmonger, 1.0.1) - -######################################## -# -# Declarations -# - -type certmonger_t; -type certmonger_exec_t; -init_daemon_domain(certmonger_t, certmonger_exec_t) - -type certmonger_initrc_exec_t; -init_script_file(certmonger_initrc_exec_t) - -type certmonger_var_run_t; -files_pid_file(certmonger_var_run_t) - -type certmonger_var_lib_t; -files_type(certmonger_var_lib_t) - -######################################## -# -# certmonger local policy -# - -allow certmonger_t self:capability { kill sys_nice }; -allow certmonger_t self:process { getsched setsched sigkill }; -allow certmonger_t self:fifo_file rw_file_perms; -allow certmonger_t self:unix_stream_socket create_stream_socket_perms; -allow certmonger_t self:tcp_socket create_stream_socket_perms; -allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; - -manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir }) - -manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) -manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) -files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir }) - -corenet_tcp_sendrecv_generic_if(certmonger_t) -corenet_tcp_sendrecv_generic_node(certmonger_t) -corenet_tcp_sendrecv_all_ports(certmonger_t) -corenet_tcp_connect_certmaster_port(certmonger_t) - -dev_read_urand(certmonger_t) - -domain_use_interactive_fds(certmonger_t) - -files_read_etc_files(certmonger_t) -files_read_usr_files(certmonger_t) -files_list_tmp(certmonger_t) - -logging_send_syslog_msg(certmonger_t) - -miscfiles_read_localization(certmonger_t) -miscfiles_manage_generic_cert_files(certmonger_t) - -sysnet_dns_name_resolve(certmonger_t) - -userdom_search_user_home_content(certmonger_t) - -optional_policy(` - apache_search_config(certmonger_t) -') - -optional_policy(` - bind_search_cache(certmonger_t) -') - -optional_policy(` - dbus_system_bus_client(certmonger_t) - dbus_connect_system_bus(certmonger_t) -') - -optional_policy(` - kerberos_use(certmonger_t) -') - -optional_policy(` - pcscd_stream_connect(certmonger_t) -') - diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc deleted file mode 100644 index 420c9d3..0000000 --- a/policy/modules/services/cgroup.fc +++ /dev/null @@ -1,14 +0,0 @@ -/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0) -/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) - -/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0) -/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) - -/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0) -/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0) - -/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) -/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) -/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) - -/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if deleted file mode 100644 index e5cbcef..0000000 --- a/policy/modules/services/cgroup.if +++ /dev/null @@ -1,199 +0,0 @@ -## libcg is a library that abstracts the control group file system in Linux. - -######################################## -## -## Execute a domain transition to run -## CG Clear. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cgroup_domtrans_cgclear',` - gen_require(` - type cgclear_t, cgclear_exec_t; - ') - - domtrans_pattern($1, cgclear_exec_t, cgclear_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute a domain transition to run -## CG config parser. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cgroup_domtrans_cgconfig',` - gen_require(` - type cgconfig_t, cgconfig_exec_t; - ') - - domtrans_pattern($1, cgconfig_exec_t, cgconfig_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute a domain transition to run -## CG config parser. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cgroup_initrc_domtrans_cgconfig',` - gen_require(` - type cgconfig_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) -') - -######################################## -## -## Execute a domain transition to run -## CG rules engine daemon. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cgroup_domtrans_cgred',` - gen_require(` - type cgred_t, cgred_exec_t; - ') - - domtrans_pattern($1, cgred_exec_t, cgred_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute a domain transition to run -## CG rules engine daemon. -## domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cgroup_initrc_domtrans_cgred',` - gen_require(` - type cgred_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cgred_initrc_exec_t) -') - -######################################## -## -## Execute a domain transition to -## run CG Clear and allow the -## specified role the CG Clear -## domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`cgroup_run_cgclear',` - gen_require(` - type cgclear_t; - ') - - cgroup_domtrans_cgclear($1) - role $2 types cgclear_t; -') - -######################################## -## -## Connect to CG rules engine daemon -## over unix stream sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`cgroup_stream_connect_cgred', ` - gen_require(` - type cgred_var_run_t, cgred_t; - ') - - stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) - files_search_pids($1) -') - -######################################## -## -## All of the rules required to administrate -## an cgroup environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`cgroup_admin',` - gen_require(` - type cgred_t, cgconfig_t, cgred_var_run_t; - type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; - type cgrules_etc_t, cgclear_t; - ') - - allow $1 cgclear_t:process { ptrace signal_perms }; - ps_process_pattern($1, cgclear_t) - - allow $1 cgconfig_t:process { ptrace signal_perms }; - ps_process_pattern($1, cgconfig_t) - - allow $1 cgred_t:process { ptrace signal_perms }; - ps_process_pattern($1, cgred_t) - - admin_pattern($1, cgconfig_etc_t) - admin_pattern($1, cgrules_etc_t) - files_list_etc($1) - - admin_pattern($1, cgred_var_run_t) - files_list_pids($1) - - cgroup_initrc_domtrans_cgconfig($1) - domain_system_change_exemption($1) - role_transition $2 cgconfig_initrc_exec_t system_r; - allow $2 system_r; - - cgroup_initrc_domtrans_cgred($1) - role_transition $2 cgred_initrc_exec_t system_r; - - cgroup_run_cgclear($1, $2) -') diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te deleted file mode 100644 index 63a18fc..0000000 --- a/policy/modules/services/cgroup.te +++ /dev/null @@ -1,102 +0,0 @@ -policy_module(cgroup, 1.0.0) - -######################################## -# -# Declarations -# - -type cgclear_t; -type cgclear_exec_t; -init_daemon_domain(cgclear_t, cgclear_exec_t) - -type cgred_t; -type cgred_exec_t; -init_daemon_domain(cgred_t, cgred_exec_t) - -type cgred_initrc_exec_t; -init_script_file(cgred_initrc_exec_t) - -type cgred_var_run_t; -files_pid_file(cgred_var_run_t) - -type cgrules_etc_t; -files_config_file(cgrules_etc_t) - -type cgconfig_t alias cgconfigparser_t; -type cgconfig_exec_t alias cgconfigparser_exec_t; -init_daemon_domain(cgconfig_t, cgconfig_exec_t) - -type cgconfig_initrc_exec_t; -init_script_file(cgconfig_initrc_exec_t) - -type cgconfig_etc_t; -files_config_file(cgconfig_etc_t) - -######################################## -# -# cgclear personal policy. -# - -allow cgclear_t self:capability sys_admin; - -kernel_read_system_state(cgclear_t) - -domain_setpriority_all_domains(cgclear_t) - -fs_manage_cgroup_dirs(cgclear_t) -fs_manage_cgroup_files(cgclear_t) -fs_unmount_cgroup(cgclear_t) - -######################################## -# -# cgconfig personal policy. -# - -allow cgconfig_t self:capability { dac_override fowner chown sys_admin }; - -allow cgconfig_t cgconfig_etc_t:file read_file_perms; - -# search will do. -kernel_list_unlabeled(cgconfig_t) -kernel_read_system_state(cgconfig_t) - -# /etc/nsswitch.conf, /etc/passwd -files_read_etc_files(cgconfig_t) - -fs_manage_cgroup_dirs(cgconfig_t) -fs_manage_cgroup_files(cgconfig_t) -fs_mount_cgroup(cgconfig_t) -fs_mounton_cgroup(cgconfig_t) - -######################################## -# -# cgred personal policy. -# - -allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override }; -allow cgred_t self:netlink_socket { write bind create read }; -allow cgred_t self:unix_dgram_socket { write create connect }; - -allow cgred_t cgrules_etc_t:file read_file_perms; - -# rc script creates pid file -manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file }) - -kernel_read_system_state(cgred_t) - -domain_read_all_domains_state(cgred_t) -domain_setpriority_all_domains(cgred_t) - -files_getattr_all_files(cgred_t) -files_getattr_all_sockets(cgred_t) -files_read_all_symlinks(cgred_t) -# /etc/group -files_read_etc_files(cgred_t) - -fs_write_cgroup_files(cgred_t) - -logging_send_syslog_msg(cgred_t) - -miscfiles_read_localization(cgred_t) diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc deleted file mode 100644 index fd8cd0b..0000000 --- a/policy/modules/services/chronyd.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) - -/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) - -/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) - -/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) -/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) -/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if deleted file mode 100644 index 2ede737..0000000 --- a/policy/modules/services/chronyd.if +++ /dev/null @@ -1,180 +0,0 @@ -## Chrony NTP background daemon - -##################################### -## -## Execute chronyd in the chronyd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`chronyd_domtrans',` - gen_require(` - type chronyd_t, chronyd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chronyd_exec_t, chronyd_t) -') - -######################################## -## -## Execute chronyd server in the chronyd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`chronyd_initrc_domtrans',` - gen_require(` - type chronyd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, chronyd_initrc_exec_t) -') - -#################################### -## -## Execute chronyd -## -## -## -## Domain allowed access. -## -## -# -interface(`chronyd_exec',` - gen_require(` - type chronyd_exec_t; - ') - - can_exec($1, chronyd_exec_t) -') - -##################################### -## -## Read chronyd logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`chronyd_read_log',` - gen_require(` - type chronyd_var_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) -') - -######################################## -## -## Read and write chronyd shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`chronyd_rw_shm',` - gen_require(` - type chronyd_t, chronyd_tmpfs_t; - ') - - allow $1 chronyd_t:shm rw_shm_perms; - allow $1 chronyd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) - read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## -## Read chronyd keys files. -## -## -## -## Domain allowed access. -## -## -# -interface(`chronyd_read_keys',` - gen_require(` - type chronyd_keys_t; - ') - - read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) -') - -######################################## -## -## Append chronyd keys files. -## -## -## -## Domain allowed access. -## -## -# -interface(`chronyd_append_keys',` - gen_require(` - type chronyd_keys_t; - ') - - append_files_pattern($1, chronyd_keys_t, chronyd_keys_t) -') - -#################################### -## -## All of the rules required to administrate -## an chronyd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the chronyd domain. -## -## -## -# -interface(`chronyd_admin',` - gen_require(` - type chronyd_t, chronyd_var_log_t, chronyd_var_run_t; - type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t; - type chronyd_keys_t; - ') - - allow $1 chronyd_t:process { ptrace signal_perms }; - ps_process_pattern($1, chronyd_t) - - init_labeled_script_domtrans($1, chronyd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 chronyd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, chronyd_keys_t) - - logging_list_logs($1) - admin_pattern($1, chronyd_var_log_t) - - files_list_var_lib($1) - admin_pattern($1, chronyd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, chronyd_var_run_t) - - admin_pattern($1, chronyd_tmpfs_t) -') diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te deleted file mode 100644 index 7f4ca47..0000000 --- a/policy/modules/services/chronyd.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(chronyd, 1.1.0) - -######################################## -# -# Declarations -# - -type chronyd_t; -type chronyd_exec_t; -init_daemon_domain(chronyd_t, chronyd_exec_t) - -type chronyd_initrc_exec_t; -init_script_file(chronyd_initrc_exec_t) - -type chronyd_keys_t; -files_type(chronyd_keys_t) - -type chronyd_tmpfs_t; -files_tmpfs_file(chronyd_tmpfs_t) - -type chronyd_var_lib_t; -files_type(chronyd_var_lib_t) - -type chronyd_var_log_t; -logging_log_file(chronyd_var_log_t) - -type chronyd_var_run_t; -files_pid_file(chronyd_var_run_t) - -######################################## -# -# Local policy -# - -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -allow chronyd_t self:process { getcap setcap setrlimit }; -allow chronyd_t self:shm create_shm_perms; -allow chronyd_t self:udp_socket create_socket_perms; -allow chronyd_t self:unix_dgram_socket create_socket_perms; - -allow chronyd_t chronyd_keys_t:file read_file_perms; - -manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file }) - -manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, { file dir }) - -manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) -manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) -logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir }) - -manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -files_pid_filetrans(chronyd_t, chronyd_var_run_t, file) - -corenet_udp_bind_generic_node(chronyd_t) -corenet_udp_bind_ntp_port(chronyd_t) -# bind to udp/323 -corenet_udp_bind_chronyd_port(chronyd_t) - -# real time clock option -dev_rw_realtime_clock(chronyd_t) - -auth_use_nsswitch(chronyd_t) - -logging_send_syslog_msg(chronyd_t) - -miscfiles_read_localization(chronyd_t) - -optional_policy(` - gpsd_rw_shm(chronyd_t) -') diff --git a/policy/modules/services/cipe.fc b/policy/modules/services/cipe.fc deleted file mode 100644 index afcdf02..0000000 --- a/policy/modules/services/cipe.fc +++ /dev/null @@ -1,4 +0,0 @@ -# -# /usr -# -/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0) diff --git a/policy/modules/services/cipe.if b/policy/modules/services/cipe.if deleted file mode 100644 index b5fd668..0000000 --- a/policy/modules/services/cipe.if +++ /dev/null @@ -1 +0,0 @@ -## Encrypted tunnel daemon diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te deleted file mode 100644 index 8e1ef38..0000000 --- a/policy/modules/services/cipe.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(cipe, 1.5.0) - -######################################## -# -# Declarations -# - -type ciped_t; -type ciped_exec_t; -init_daemon_domain(ciped_t, ciped_exec_t) - -######################################## -# -# Local policy -# - -allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; -dontaudit ciped_t self:capability sys_tty_config; -allow ciped_t self:process signal_perms; -allow ciped_t self:fifo_file rw_fifo_file_perms; -allow ciped_t self:unix_dgram_socket create_socket_perms; -allow ciped_t self:unix_stream_socket create_socket_perms; -allow ciped_t self:udp_socket create_socket_perms; - -kernel_read_kernel_sysctls(ciped_t) -kernel_read_system_state(ciped_t) - -corecmd_exec_shell(ciped_t) -corecmd_exec_bin(ciped_t) - -corenet_all_recvfrom_unlabeled(ciped_t) -corenet_all_recvfrom_netlabel(ciped_t) -corenet_udp_sendrecv_generic_if(ciped_t) -corenet_udp_sendrecv_generic_node(ciped_t) -corenet_udp_sendrecv_all_ports(ciped_t) -corenet_udp_bind_generic_node(ciped_t) -# cipe uses the afs3-bos port (udp 7007) -corenet_udp_bind_afs_bos_port(ciped_t) -corenet_sendrecv_afs_bos_server_packets(ciped_t) - -dev_read_sysfs(ciped_t) -dev_read_rand(ciped_t) -# for SSP -dev_read_urand(ciped_t) - -domain_use_interactive_fds(ciped_t) - -files_read_etc_files(ciped_t) -files_read_etc_runtime_files(ciped_t) -files_dontaudit_search_var(ciped_t) - -fs_search_auto_mountpoints(ciped_t) - -logging_send_syslog_msg(ciped_t) - -miscfiles_read_localization(ciped_t) - -sysnet_read_config(ciped_t) - -userdom_dontaudit_use_unpriv_user_fds(ciped_t) - -optional_policy(` - nis_use_ypbind(ciped_t) -') - -optional_policy(` - seutil_sigchld_newrole(ciped_t) -') - -optional_policy(` - udev_read_db(ciped_t) -') diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc deleted file mode 100644 index e8e9a21..0000000 --- a/policy/modules/services/clamav.fc +++ /dev/null @@ -1,20 +0,0 @@ -/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) -/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) - -/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) -/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) -/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) - -/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) -/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) - -/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) -/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if deleted file mode 100644 index 01b02f3..0000000 --- a/policy/modules/services/clamav.if +++ /dev/null @@ -1,192 +0,0 @@ -## ClamAV Virus Scanner - -######################################## -## -## Execute a domain transition to run clamd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`clamav_domtrans',` - gen_require(` - type clamd_t, clamd_exec_t; - ') - - domtrans_pattern($1, clamd_exec_t, clamd_t) -') - -######################################## -## -## Connect to run clamd. -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_stream_connect',` - gen_require(` - type clamd_t, clamd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) -') - -######################################## -## -## Allow the specified domain to append -## to clamav log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_append_log',` - gen_require(` - type clamav_log_t; - ') - - logging_search_logs($1) - allow $1 clamav_log_t:dir list_dir_perms; - append_files_pattern($1, clamav_log_t, clamav_log_t) -') - -######################################## -## -## Read clamav configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_read_config',` - gen_require(` - type clamd_etc_t; - ') - - files_search_etc($1) - allow $1 clamd_etc_t:file read_file_perms; -') - -######################################## -## -## Search clamav libraries directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_search_lib',` - gen_require(` - type clamd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 clamd_var_lib_t:dir search_dir_perms; -') - -######################################## -## -## Execute a domain transition to run clamscan. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`clamav_domtrans_clamscan',` - gen_require(` - type clamscan_t, clamscan_exec_t; - ') - - domtrans_pattern($1, clamscan_exec_t, clamscan_t) -') - -######################################## -## -## Execute clamscan without a transition. -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_exec_clamscan',` - gen_require(` - type clamscan_exec_t; - ') - - can_exec($1, clamscan_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an clamav environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the clamav domain. -## -## -## -# -interface(`clamav_admin',` - gen_require(` - type clamd_t, clamd_etc_t, clamd_tmp_t; - type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t; - type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t; - type freshclam_t, freshclam_var_log_t; - ') - - allow $1 clamd_t:process { ptrace signal_perms }; - ps_process_pattern($1, clamd_t) - - allow $1 clamscan_t:process { ptrace signal_perms }; - ps_process_pattern($1, clamscan_t) - - allow $1 freshclam_t:process { ptrace signal_perms }; - ps_process_pattern($1, freshclam_t) - - init_labeled_script_domtrans($1, clamd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 clamd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, clamd_etc_t) - - files_list_var_lib($1) - admin_pattern($1, clamd_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, clamd_var_log_t) - - files_list_pids($1) - admin_pattern($1, clamd_var_run_t) - - files_list_tmp($1) - admin_pattern($1, clamd_tmp_t) - - admin_pattern($1, clamscan_tmp_t) - - admin_pattern($1, freshclam_var_log_t) -') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te deleted file mode 100644 index 532fa91..0000000 --- a/policy/modules/services/clamav.te +++ /dev/null @@ -1,291 +0,0 @@ -policy_module(clamav, 1.8.1) - -## -##

-## Allow clamd to use JIT compiler -##

-##
-gen_tunable(clamd_use_jit, false) - -######################################## -# -# Declarations -# - -# Main clamd domain -type clamd_t; -type clamd_exec_t; -init_daemon_domain(clamd_t, clamd_exec_t) - -# configuration files -type clamd_etc_t; -files_config_file(clamd_etc_t) - -type clamd_initrc_exec_t; -init_script_file(clamd_initrc_exec_t) - -# tmp files -type clamd_tmp_t; -files_tmp_file(clamd_tmp_t) - -# log files -type clamd_var_log_t; -logging_log_file(clamd_var_log_t) - -# var/lib files -type clamd_var_lib_t; -files_type(clamd_var_lib_t) - -# pid files -type clamd_var_run_t; -files_pid_file(clamd_var_run_t) -typealias clamd_var_run_t alias clamd_sock_t; - -type clamscan_t; -type clamscan_exec_t; -init_daemon_domain(clamscan_t, clamscan_exec_t) - -# tmp files -type clamscan_tmp_t; -files_tmp_file(clamscan_tmp_t) - -type freshclam_t; -type freshclam_exec_t; -init_daemon_domain(freshclam_t, freshclam_exec_t) - -# log files -type freshclam_var_log_t; -logging_log_file(freshclam_var_log_t) - -######################################## -# -# clamd local policy -# - -allow clamd_t self:capability { kill setgid setuid dac_override }; -dontaudit clamd_t self:capability sys_tty_config; -allow clamd_t self:process signal; - -allow clamd_t self:fifo_file rw_fifo_file_perms; -allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow clamd_t self:unix_dgram_socket create_socket_perms; -allow clamd_t self:tcp_socket { listen accept }; - -# configuration files -allow clamd_t clamd_etc_t:dir list_dir_perms; -read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) -read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) - -# tmp files -manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) -manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) -files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) - -# var/lib files for clamd -manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) -manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) -manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) - -# log files -manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file }) - -# pid file -manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) -manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) -manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) -files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir }) - -kernel_dontaudit_list_proc(clamd_t) -kernel_read_sysctl(clamd_t) -kernel_read_kernel_sysctls(clamd_t) -kernel_read_system_state(clamd_t) - -corecmd_exec_shell(clamd_t) - -corenet_all_recvfrom_unlabeled(clamd_t) -corenet_all_recvfrom_netlabel(clamd_t) -corenet_tcp_sendrecv_generic_if(clamd_t) -corenet_tcp_sendrecv_generic_node(clamd_t) -corenet_tcp_sendrecv_all_ports(clamd_t) -corenet_tcp_sendrecv_clamd_port(clamd_t) -corenet_tcp_bind_generic_node(clamd_t) -corenet_tcp_bind_clamd_port(clamd_t) -corenet_tcp_bind_generic_port(clamd_t) -corenet_tcp_connect_generic_port(clamd_t) -corenet_sendrecv_clamd_server_packets(clamd_t) - -dev_read_rand(clamd_t) -dev_read_urand(clamd_t) - -domain_use_interactive_fds(clamd_t) - -files_read_etc_files(clamd_t) -files_read_etc_runtime_files(clamd_t) -files_search_spool(clamd_t) - -auth_use_nsswitch(clamd_t) - -logging_send_syslog_msg(clamd_t) - -miscfiles_read_localization(clamd_t) - -cron_use_fds(clamd_t) -cron_use_system_job_fds(clamd_t) -cron_rw_pipes(clamd_t) - -mta_read_config(clamd_t) -mta_send_mail(clamd_t) - -optional_policy(` - amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) - amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) - amavis_create_pid_files(clamd_t) -') - -optional_policy(` - exim_read_spool_files(clamd_t) -') - -tunable_policy(`clamd_use_jit',` - allow clamd_t self:process execmem; - allow clamscan_t self:process execmem; -',` - dontaudit clamd_t self:process execmem; - dontaudit clamscan_t self:process execmem; -') - -######################################## -# -# Freshclam local policy -# - -allow freshclam_t self:capability { setgid setuid dac_override }; -allow freshclam_t self:fifo_file rw_fifo_file_perms; -allow freshclam_t self:unix_stream_socket create_stream_socket_perms; -allow freshclam_t self:unix_dgram_socket create_socket_perms; -allow freshclam_t self:tcp_socket { listen accept }; - -# configuration files -allow freshclam_t clamd_etc_t:dir list_dir_perms; -read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) -read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) - -# var/lib files together with clamd -manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) -manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) - -# pidfiles- var/run together with clamd -manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t) -manage_sock_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t) -files_pid_filetrans(freshclam_t, clamd_var_run_t, file) - -# log files (own logfiles only) -manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) -allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms; -read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) -logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) - -kernel_read_kernel_sysctls(freshclam_t) -kernel_read_system_state(freshclam_t) - -corecmd_exec_shell(freshclam_t) -corecmd_exec_bin(freshclam_t) - -corenet_all_recvfrom_unlabeled(freshclam_t) -corenet_all_recvfrom_netlabel(freshclam_t) -corenet_tcp_sendrecv_generic_if(freshclam_t) -corenet_tcp_sendrecv_generic_node(freshclam_t) -corenet_tcp_sendrecv_all_ports(freshclam_t) -corenet_tcp_sendrecv_clamd_port(freshclam_t) -corenet_tcp_connect_http_port(freshclam_t) -corenet_tcp_connect_clamd_port(freshclam_t) -corenet_sendrecv_http_client_packets(freshclam_t) - -dev_read_rand(freshclam_t) -dev_read_urand(freshclam_t) - -domain_use_interactive_fds(freshclam_t) - -files_read_etc_files(freshclam_t) -files_read_etc_runtime_files(freshclam_t) - -auth_use_nsswitch(freshclam_t) - -logging_send_syslog_msg(freshclam_t) - -miscfiles_read_localization(freshclam_t) - -clamav_stream_connect(freshclam_t) - -userdom_stream_connect(freshclam_t) - -tunable_policy(`clamd_use_jit',` - allow freshclam_t self:process execmem; -',` - dontaudit freshclam_t self:process execmem; -') - -optional_policy(` - cron_system_entry(freshclam_t, freshclam_exec_t) -') - -######################################## -# -# clamscam local policy -# - -allow clamscan_t self:capability { setgid setuid dac_override }; -allow clamscan_t self:fifo_file rw_file_perms; -allow clamscan_t self:unix_stream_socket create_stream_socket_perms; -allow clamscan_t self:unix_dgram_socket create_socket_perms; -allow clamscan_t self:tcp_socket create_stream_socket_perms; - -# configuration files -allow clamscan_t clamd_etc_t:dir list_dir_perms; -read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t) -read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t) - -# tmp files -manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) -manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) -files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) - -# var/lib files together with clamd -manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) -allow clamscan_t clamd_var_lib_t:dir list_dir_perms; - -corenet_all_recvfrom_unlabeled(clamscan_t) -corenet_all_recvfrom_netlabel(clamscan_t) -corenet_tcp_sendrecv_generic_if(clamscan_t) -corenet_tcp_sendrecv_generic_node(clamscan_t) -corenet_tcp_sendrecv_all_ports(clamscan_t) -corenet_tcp_sendrecv_clamd_port(clamscan_t) -corenet_tcp_connect_clamd_port(clamscan_t) - -kernel_read_kernel_sysctls(clamscan_t) -kernel_read_system_state(clamscan_t) - -files_read_etc_files(clamscan_t) -files_read_etc_runtime_files(clamscan_t) -files_search_var_lib(clamscan_t) - -init_read_utmp(clamscan_t) -init_dontaudit_write_utmp(clamscan_t) - -miscfiles_read_localization(clamscan_t) -miscfiles_read_public_files(clamscan_t) - -clamav_stream_connect(clamscan_t) - -mta_send_mail(clamscan_t) - -optional_policy(` - amavis_read_spool_files(clamscan_t) -') - -optional_policy(` - apache_read_sys_content(clamscan_t) -') diff --git a/policy/modules/services/clockspeed.fc b/policy/modules/services/clockspeed.fc deleted file mode 100644 index a7aa385..0000000 --- a/policy/modules/services/clockspeed.fc +++ /dev/null @@ -1,14 +0,0 @@ - -# -# /usr -# -/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) -/usr/bin/clockspeed -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0) -/usr/bin/sntpclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) -/usr/bin/taiclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) -/usr/bin/taiclockd -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0) - -# -# /var -# -/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0) diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if deleted file mode 100644 index 0797617..0000000 --- a/policy/modules/services/clockspeed.if +++ /dev/null @@ -1,44 +0,0 @@ -## Clockspeed simple network time protocol client - -######################################## -## -## Execute clockspeed utilities in the clockspeed_cli domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`clockspeed_domtrans_cli',` - gen_require(` - type clockspeed_cli_t, clockspeed_cli_exec_t; - ') - - domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t) -') - -######################################## -## -## Allow the specified role the clockspeed_cli domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`clockspeed_run_cli',` - gen_require(` - type clockspeed_cli_t; - ') - - role $2 types clockspeed_cli_t; - clockspeed_domtrans_cli($1) -') diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te deleted file mode 100644 index b40f3f7..0000000 --- a/policy/modules/services/clockspeed.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(clockspeed, 1.5.0) - -######################################## -# -# Declarations -# - -type clockspeed_cli_t; -type clockspeed_cli_exec_t; -application_domain(clockspeed_cli_t, clockspeed_cli_exec_t) - -type clockspeed_srv_t; -type clockspeed_srv_exec_t; -init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t) - -type clockspeed_var_lib_t; -files_type(clockspeed_var_lib_t) - -######################################## -# -# Client local policy -# - -allow clockspeed_cli_t self:capability sys_time; -allow clockspeed_cli_t self:udp_socket create_socket_perms; - -read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - -corenet_all_recvfrom_unlabeled(clockspeed_cli_t) -corenet_all_recvfrom_netlabel(clockspeed_cli_t) -corenet_udp_sendrecv_generic_if(clockspeed_cli_t) -corenet_udp_sendrecv_generic_node(clockspeed_cli_t) -corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) -corenet_sendrecv_ntp_client_packets(clockspeed_cli_t) - -files_list_var_lib(clockspeed_cli_t) -files_read_etc_files(clockspeed_cli_t) - -miscfiles_read_localization(clockspeed_cli_t) - -userdom_use_user_terminals(clockspeed_cli_t) - -######################################## -# -# Server local policy -# - -allow clockspeed_srv_t self:capability { sys_time net_bind_service }; -allow clockspeed_srv_t self:udp_socket create_socket_perms; -allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms; -allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; - -manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) -manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - -corenet_all_recvfrom_unlabeled(clockspeed_srv_t) -corenet_all_recvfrom_netlabel(clockspeed_srv_t) -corenet_udp_sendrecv_generic_if(clockspeed_srv_t) -corenet_udp_sendrecv_generic_node(clockspeed_srv_t) -corenet_udp_sendrecv_ntp_port(clockspeed_srv_t) -corenet_udp_bind_generic_node(clockspeed_srv_t) -corenet_udp_bind_clockspeed_port(clockspeed_srv_t) -corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t) - -files_read_etc_files(clockspeed_srv_t) -files_list_var_lib(clockspeed_srv_t) - -miscfiles_read_localization(clockspeed_srv_t) - -optional_policy(` - daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) -') diff --git a/policy/modules/services/clogd.fc b/policy/modules/services/clogd.fc deleted file mode 100644 index 6793948..0000000 --- a/policy/modules/services/clogd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) - -/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if deleted file mode 100644 index e438c5f..0000000 --- a/policy/modules/services/clogd.if +++ /dev/null @@ -1,79 +0,0 @@ -## clogd - Clustered Mirror Log Server - -###################################### -## -## Execute a domain transition to run clogd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`clogd_domtrans',` - gen_require(` - type clogd_t, clogd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clogd_exec_t, clogd_t) -') - -##################################### -## -## Connect to clogd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`clogd_stream_connect',` - gen_require(` - type clogd_t, clogd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, clogd_var_run_t, clogd_var_run_t, clogd_t) -') - -##################################### -## -## Allow read and write access to clogd semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`clogd_rw_semaphores',` - gen_require(` - type clogd_t; - ') - - allow $1 clogd_t:sem rw_sem_perms; -') - -######################################## -## -## Read and write to group shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`clogd_rw_shm',` - gen_require(` - type clogd_t, clogd_tmpfs_t; - ') - - allow $1 clogd_t:shm rw_shm_perms; - allow $1 clogd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) - fs_search_tmpfs($1) -') diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te deleted file mode 100644 index d10acd2..0000000 --- a/policy/modules/services/clogd.te +++ /dev/null @@ -1,53 +0,0 @@ -policy_module(clogd, 1.0.0) - -######################################## -# -# Declarations -# - -type clogd_t; -type clogd_exec_t; -init_daemon_domain(clogd_t, clogd_exec_t) - -type clogd_tmpfs_t; -files_tmpfs_file(clogd_tmpfs_t) - -# pid files -type clogd_var_run_t; -files_pid_file(clogd_var_run_t) - -######################################## -# -# clogd local policy -# - -allow clogd_t self:capability { net_admin mknod }; -allow clogd_t self:process signal; -allow clogd_t self:sem create_sem_perms; -allow clogd_t self:shm create_shm_perms; -allow clogd_t self:netlink_socket create_socket_perms; -allow clogd_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) -manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) -fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file }) - -# pid files -manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) -manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) -files_pid_filetrans(clogd_t, clogd_var_run_t, file) - -dev_read_lvm_control(clogd_t) -dev_manage_generic_blk_files(clogd_t) - -storage_raw_read_fixed_disk(clogd_t) -storage_raw_write_fixed_disk(clogd_t) - -logging_send_syslog_msg(clogd_t) - -miscfiles_read_localization(clogd_t) - -optional_policy(` - aisexec_stream_connect(clogd_t) - corosync_stream_connect(clogd_t) -') diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc deleted file mode 100644 index e500fa5..0000000 --- a/policy/modules/services/cmirrord.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) - -/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) - -/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if deleted file mode 100644 index 756ac91..0000000 --- a/policy/modules/services/cmirrord.if +++ /dev/null @@ -1,113 +0,0 @@ -## policy for cmirrord - -######################################## -## -## Execute a domain transition to run cmirrord. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cmirrord_domtrans',` - gen_require(` - type cmirrord_t, cmirrord_exec_t; - ') - - domtrans_pattern($1, cmirrord_exec_t, cmirrord_t) -') - -######################################## -## -## Execute cmirrord server in the cmirrord domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`cmirrord_initrc_domtrans',` - gen_require(` - type cmirrord_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cmirrord_initrc_exec_t) -') - -######################################## -## -## Read cmirrord PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cmirrord_read_pid_files',` - gen_require(` - type cmirrord_var_run_t; - ') - - files_search_pids($1) - allow $1 cmirrord_var_run_t:file read_file_perms; -') - -####################################### -## -## Read and write to cmirrord shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`cmirrord_rw_shm',` - gen_require(` - type cmirrord_t, cmirrord_tmpfs_t; - ') - - allow $1 cmirrord_t:shm { rw_shm_perms destroy }; - allow $1 cmirrord_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## -## All of the rules required to administrate -## an cmirrord environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`cmirrord_admin',` - gen_require(` - type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; - ') - - allow $1 cmirrord_t:process { ptrace signal_perms }; - ps_process_pattern($1, cmirrord_t) - - cmirrord_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cmirrord_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, cmirrord_var_run_t) -') diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te deleted file mode 100644 index a2c7134..0000000 --- a/policy/modules/services/cmirrord.te +++ /dev/null @@ -1,53 +0,0 @@ -policy_module(cmirrord, 1.0.0) - -######################################## -# -# Declarations -# - -type cmirrord_t; -type cmirrord_exec_t; -init_daemon_domain(cmirrord_t, cmirrord_exec_t) - -type cmirrord_initrc_exec_t; -init_script_file(cmirrord_initrc_exec_t) - -type cmirrord_tmpfs_t; -files_tmpfs_file(cmirrord_tmpfs_t) - -type cmirrord_var_run_t; -files_pid_file(cmirrord_var_run_t) - -######################################## -# -# cmirrord local policy -# - -allow cmirrord_t self:capability { net_admin kill }; -dontaudit cmirrord_t self:capability sys_tty_config; -allow cmirrord_t self:process signal; -allow cmirrord_t self:fifo_file rw_fifo_file_perms; -allow cmirrord_t self:sem create_sem_perms; -allow cmirrord_t self:shm create_shm_perms; -allow cmirrord_t self:netlink_socket create_socket_perms; -allow cmirrord_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file }) - -manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) -manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) -files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) - -domain_use_interactive_fds(cmirrord_t) - -files_read_etc_files(cmirrord_t) - -logging_send_syslog_msg(cmirrord_t) - -miscfiles_read_localization(cmirrord_t) - -optional_policy(` - corosync_stream_connect(cmirrord_t) -') diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc deleted file mode 100644 index 90c60df..0000000 --- a/policy/modules/services/cobbler.fc +++ /dev/null @@ -1,32 +0,0 @@ - -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0) - -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0) - -/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) - -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) - -/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) - -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0) - -# This should removable when cobbler package installs /var/www/cobbler/rendered -/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0) - -/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) - diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if deleted file mode 100644 index e3787fb..0000000 --- a/policy/modules/services/cobbler.if +++ /dev/null @@ -1,218 +0,0 @@ -## Cobbler installation server. -## -##

-## Cobbler is a Linux installation server that allows for -## rapid setup of network installation environments. It -## glues together and automates many associated Linux -## tasks so you do not have to hop between lots of various -## commands and applications when rolling out new systems, -## and, in some cases, changing existing ones. -##

-##
- -######################################## -## -## Execute a domain transition to run cobblerd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cobblerd_domtrans',` - gen_require(` - type cobblerd_t, cobblerd_exec_t; - ') - - domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute cobblerd server in the cobblerd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cobblerd_initrc_domtrans',` - gen_require(` - type cobblerd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) -') - -######################################## -## -## List Cobbler configuration. -## -## -## -## Domain allowed access. -## -## -# -interface(`cobbler_list_config',` - gen_require(` - type cobbler_etc_t; - ') - - list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_etc($1) -') - -######################################## -## -## Read Cobbler configuration files. -## -## -## -## Domain to not audit. -## -## -# -interface(`cobbler_read_config',` - gen_require(` - type cobbler_etc_t; - ') - - read_files_pattern($1, cobbler_etc_t, cobbler_etc_t) - files_search_etc($1) -') - -######################################## -## -## Search cobbler dirs in /var/lib -## -## -## -## Domain allowed access. -## -## -# -interface(`cobbler_search_lib',` - gen_require(` - type cobbler_var_lib_t; - ') - - search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Read cobbler files in /var/lib -## -## -## -## Domain allowed access. -## -## -# -interface(`cobbler_read_lib_files',` - gen_require(` - type cobbler_var_lib_t; - ') - - read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Manage cobbler files in /var/lib -## -## -## -## Domain allowed access. -## -## -# -interface(`cobbler_manage_lib_files',` - gen_require(` - type cobbler_var_lib_t; - ') - - manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Do not audit attempts to read and write -## Cobbler log files (leaked fd). -## -## -## -## Domain to not audit. -## -## -# -interface(`cobbler_dontaudit_rw_log',` - gen_require(` - type cobbler_var_log_t; - ') - - dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an cobblerd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`cobblerd_admin',` - gen_require(` - type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; - type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t; - type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t; - ') - - allow $1 cobblerd_t:process { ptrace signal_perms }; - ps_process_pattern($1, cobblerd_t) - - files_list_etc($1) - admin_pattern($1, cobbler_etc_t) - - files_list_var_lib($1) - admin_pattern($1, cobbler_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, cobbler_var_log_t) - - apache_list_sys_content($1) - admin_pattern($1, httpd_cobbler_content_t) - admin_pattern($1, httpd_cobbler_content_ra_t) - admin_pattern($1, httpd_cobbler_content_rw_t) - - cobblerd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cobblerd_initrc_exec_t system_r; - allow $2 system_r; - - optional_policy(` - # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there. - tftp_search_rw_content($1) - ') -') diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te deleted file mode 100644 index c4d678b..0000000 --- a/policy/modules/services/cobbler.te +++ /dev/null @@ -1,235 +0,0 @@ -policy_module(cobbler, 1.1.0) - -######################################## -# -# Cobbler personal declarations. -# - -## -##

-## Allow Cobbler to modify public files -## used for public file transfer services. -##

-##
-gen_tunable(cobbler_anon_write, false) - -## -##

-## Allow Cobbler to connect to the -## network using TCP. -##

-##
-gen_tunable(cobbler_can_network_connect, false) - -## -##

-## Allow Cobbler to access cifs file systems. -##

-##
-gen_tunable(cobbler_use_cifs, false) - -## -##

-## Allow Cobbler to access nfs file systems. -##

-##
-gen_tunable(cobbler_use_nfs, false) - -type cobblerd_t; -type cobblerd_exec_t; -init_daemon_domain(cobblerd_t, cobblerd_exec_t) - -type cobblerd_initrc_exec_t; -init_script_file(cobblerd_initrc_exec_t) - -type cobbler_etc_t; -files_config_file(cobbler_etc_t) - -type cobbler_var_log_t; -logging_log_file(cobbler_var_log_t) - -type cobbler_var_lib_t alias cobbler_content_t; -files_type(cobbler_var_lib_t) - -type cobbler_tmp_t; -files_tmp_file(cobbler_tmp_t) - -######################################## -# -# Cobbler personal policy. -# - -allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; -dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config }; - -allow cobblerd_t self:process { getsched setsched signal }; -allow cobblerd_t self:fifo_file rw_fifo_file_perms; -allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms; -allow cobblerd_t self:tcp_socket create_stream_socket_perms; -allow cobblerd_t self:udp_socket create_socket_perms; -allow cobblerd_t self:unix_dgram_socket create_socket_perms; - -list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) -read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) - -# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t. -dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms; - -manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file }) - -# Something really needs to write to cobbler.log. Ideally this should not be happening. -allow cobblerd_t cobbler_var_log_t:file write; - -append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) - -manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) -manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) -files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file }) - -kernel_read_system_state(cobblerd_t) -kernel_dontaudit_search_network_state(cobblerd_t) - -corecmd_exec_bin(cobblerd_t) -corecmd_exec_shell(cobblerd_t) - -corenet_all_recvfrom_netlabel(cobblerd_t) -corenet_all_recvfrom_unlabeled(cobblerd_t) -corenet_sendrecv_cobbler_server_packets(cobblerd_t) -corenet_tcp_bind_cobbler_port(cobblerd_t) -corenet_tcp_bind_generic_node(cobblerd_t) -corenet_tcp_sendrecv_generic_if(cobblerd_t) -corenet_tcp_sendrecv_generic_node(cobblerd_t) -corenet_tcp_sendrecv_generic_port(cobblerd_t) -corenet_tcp_sendrecv_cobbler_port(cobblerd_t) -# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect. -corenet_tcp_connect_ftp_port(cobblerd_t) -corenet_tcp_sendrecv_ftp_port(cobblerd_t) -corenet_sendrecv_ftp_client_packets(cobblerd_t) -corenet_tcp_connect_http_port(cobblerd_t) -corenet_tcp_sendrecv_http_port(cobblerd_t) -corenet_sendrecv_http_client_packets(cobblerd_t) - -dev_read_urand(cobblerd_t) - -domain_dontaudit_exec_all_entry_files(cobblerd_t) -domain_dontaudit_read_all_domains_state(cobblerd_t) - -files_read_etc_files(cobblerd_t) -# mtab -files_read_etc_runtime_files(cobblerd_t) -files_read_usr_files(cobblerd_t) -files_list_boot(cobblerd_t) -files_read_boot_files(cobblerd_t) -files_list_tmp(cobblerd_t) - -# read from mounted images (install media) -fs_read_iso9660_files(cobblerd_t) - -init_dontaudit_read_all_script_files(cobblerd_t) - -term_use_console(cobblerd_t) - -miscfiles_read_localization(cobblerd_t) -miscfiles_read_public_files(cobblerd_t) - -selinux_dontaudit_read_fs(cobblerd_t) - -sysnet_read_config(cobblerd_t) -sysnet_rw_dhcp_config(cobblerd_t) -sysnet_write_config(cobblerd_t) - -userdom_dontaudit_use_user_terminals(cobblerd_t) -userdom_dontaudit_search_user_home_dirs(cobblerd_t) -userdom_dontaudit_search_admin_dir(cobblerd_t) - -tunable_policy(`cobbler_anon_write',` - miscfiles_manage_public_files(cobblerd_t) -') - -tunable_policy(`cobbler_can_network_connect',` - corenet_tcp_connect_all_ports(cobblerd_t) - corenet_tcp_sendrecv_all_ports(cobblerd_t) - corenet_sendrecv_all_client_packets(cobblerd_t) -') - -tunable_policy(`cobbler_use_cifs',` - fs_manage_cifs_dirs(cobblerd_t) - fs_manage_cifs_files(cobblerd_t) - fs_manage_cifs_symlinks(cobblerd_t) -') - -tunable_policy(`cobbler_use_nfs',` - fs_manage_nfs_dirs(cobblerd_t) - fs_manage_nfs_files(cobblerd_t) - fs_manage_nfs_symlinks(cobblerd_t) -') - -optional_policy(` - # Cobbler traverses /var/www to get to /var/www/cobbler/* - apache_search_sys_content(cobblerd_t) -') - -optional_policy(` - bind_read_config(cobblerd_t) - bind_write_config(cobblerd_t) - bind_domtrans_ndc(cobblerd_t) - bind_domtrans(cobblerd_t) - bind_initrc_domtrans(cobblerd_t) - bind_manage_zone(cobblerd_t) -') - -optional_policy(` - certmaster_exec(cobblerd_t) -') - -optional_policy(` - dhcpd_domtrans(cobblerd_t) - dhcpd_initrc_domtrans(cobblerd_t) -') - -optional_policy(` - dnsmasq_domtrans(cobblerd_t) - dnsmasq_initrc_domtrans(cobblerd_t) - dnsmasq_write_config(cobblerd_t) -') - -optional_policy(` - gnome_dontaudit_search_config(cobblerd_t) -') - -optional_policy(` - rpm_exec(cobblerd_t) -') - -optional_policy(` - rsync_exec(cobblerd_t) - rsync_manage_config(cobblerd_t) - # cobbler creates /etc/rsync.conf if its not there. - rsync_filetrans_config(cobblerd_t, file) -') - -optional_policy(` - # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images. - # tftp_manage_rw_content(cobblerd_t) can be used instead if: - # 1. cobbler package installs /var/lib/tftpdir/images. - # 2. no FILES in /var/lib/TFTPDIR are hard linked. - # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg) - # are any of those hard linked? - tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) -') - -######################################## -# -# Cobbler web local policy. -# - -apache_content_template(cobbler) -manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --git a/policy/modules/services/comsat.fc b/policy/modules/services/comsat.fc deleted file mode 100644 index e7633fa..0000000 --- a/policy/modules/services/comsat.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0) diff --git a/policy/modules/services/comsat.if b/policy/modules/services/comsat.if deleted file mode 100644 index afc4dfe..0000000 --- a/policy/modules/services/comsat.if +++ /dev/null @@ -1 +0,0 @@ -## Comsat, a biff server. diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te deleted file mode 100644 index 3d121fd..0000000 --- a/policy/modules/services/comsat.te +++ /dev/null @@ -1,74 +0,0 @@ -policy_module(comsat, 1.7.0) - -######################################## -# -# Declarations -# - -type comsat_t; -type comsat_exec_t; -inetd_udp_service_domain(comsat_t, comsat_exec_t) -role system_r types comsat_t; - -type comsat_tmp_t; -files_tmp_file(comsat_tmp_t) - -type comsat_var_run_t; -files_pid_file(comsat_var_run_t) - -######################################## -# -# Local policy -# - -allow comsat_t self:capability { setuid setgid }; -allow comsat_t self:process signal_perms; -allow comsat_t self:fifo_file rw_fifo_file_perms; -allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow comsat_t self:tcp_socket connected_stream_socket_perms; -allow comsat_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) -manage_files_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) -files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir }) - -manage_files_pattern(comsat_t, comsat_var_run_t, comsat_var_run_t) -files_pid_filetrans(comsat_t, comsat_var_run_t, file) - -kernel_read_kernel_sysctls(comsat_t) -kernel_read_network_state(comsat_t) -kernel_read_system_state(comsat_t) - -corenet_all_recvfrom_unlabeled(comsat_t) -corenet_all_recvfrom_netlabel(comsat_t) -corenet_tcp_sendrecv_generic_if(comsat_t) -corenet_udp_sendrecv_generic_if(comsat_t) -corenet_tcp_sendrecv_generic_node(comsat_t) -corenet_udp_sendrecv_generic_node(comsat_t) -corenet_udp_sendrecv_all_ports(comsat_t) - -dev_read_urand(comsat_t) - -fs_getattr_xattr_fs(comsat_t) - -files_read_etc_files(comsat_t) -files_list_usr(comsat_t) -files_search_spool(comsat_t) -files_search_home(comsat_t) - -auth_use_nsswitch(comsat_t) - -init_read_utmp(comsat_t) -init_dontaudit_write_utmp(comsat_t) - -logging_send_syslog_msg(comsat_t) - -miscfiles_read_localization(comsat_t) - -userdom_dontaudit_getattr_user_ttys(comsat_t) - -mta_getattr_spool(comsat_t) - -optional_policy(` - kerberos_use(comsat_t) -') diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc deleted file mode 100644 index 32233ab..0000000 --- a/policy/modules/services/consolekit.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - -/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) - -/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if deleted file mode 100644 index ac43a92..0000000 --- a/policy/modules/services/consolekit.if +++ /dev/null @@ -1,134 +0,0 @@ -## Framework for facilitating multiple user sessions on desktops. - -######################################## -## -## Execute a domain transition to run consolekit. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`consolekit_domtrans',` - gen_require(` - type consolekit_t, consolekit_exec_t; - ') - - domtrans_pattern($1, consolekit_exec_t, consolekit_t) -') - -######################################## -## -## Send and receive messages from -## consolekit over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`consolekit_dbus_chat',` - gen_require(` - type consolekit_t; - class dbus send_msg; - ') - - allow $1 consolekit_t:dbus send_msg; - allow consolekit_t $1:dbus send_msg; -') - -######################################## -## -## Dontaudit attempts to read consolekit log files. -## -## -## -## Domain to not audit. -## -## -# -interface(`consolekit_dontaudit_read_log',` - gen_require(` - type consolekit_log_t; - ') - - dontaudit $1 consolekit_log_t:file read_file_perms; -') - -######################################## -## -## Read consolekit log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`consolekit_read_log',` - gen_require(` - type consolekit_log_t; - ') - - read_files_pattern($1, consolekit_log_t, consolekit_log_t) - logging_search_logs($1) -') - -######################################## -## -## Manage consolekit log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`consolekit_manage_log',` - gen_require(` - type consolekit_log_t; - ') - - manage_files_pattern($1, consolekit_log_t, consolekit_log_t) - files_search_pids($1) -') - -######################################## -## -## Read consolekit PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`consolekit_read_pid_files',` - gen_require(` - type consolekit_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) -') - -######################################## -## -## List consolekit PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`consolekit_list_pid_files',` - gen_require(` - type consolekit_var_run_t; - ') - - files_search_pids($1) - list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) -') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te deleted file mode 100644 index 16c0746..0000000 --- a/policy/modules/services/consolekit.te +++ /dev/null @@ -1,145 +0,0 @@ -policy_module(consolekit, 1.6.0) - -######################################## -# -# Declarations -# - -type consolekit_t; -type consolekit_exec_t; -init_daemon_domain(consolekit_t, consolekit_exec_t) - -type consolekit_log_t; -logging_log_file(consolekit_log_t) - -type consolekit_var_run_t; -files_pid_file(consolekit_var_run_t) - -type consolekit_tmpfs_t; -files_tmpfs_file(consolekit_tmpfs_t) - -######################################## -# -# consolekit local policy -# - -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; -allow consolekit_t self:process { getsched signal }; -allow consolekit_t self:fifo_file rw_fifo_file_perms; -allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -allow consolekit_t self:unix_dgram_socket create_socket_perms; - -manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -logging_log_filetrans(consolekit_t, consolekit_log_t, file) - -manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) - -kernel_read_system_state(consolekit_t) - -corecmd_exec_bin(consolekit_t) -corecmd_exec_shell(consolekit_t) - -dev_read_urand(consolekit_t) -dev_read_sysfs(consolekit_t) - -domain_read_all_domains_state(consolekit_t) -domain_use_interactive_fds(consolekit_t) -domain_dontaudit_ptrace_all_domains(consolekit_t) - -files_read_etc_files(consolekit_t) -files_read_usr_files(consolekit_t) -# needs to read /var/lib/dbus/machine-id -files_read_var_lib_files(consolekit_t) -files_search_all_mountpoints(consolekit_t) - -fs_list_inotifyfs(consolekit_t) - -mcs_ptrace_all(consolekit_t) - -term_use_all_terms(consolekit_t) - -auth_use_nsswitch(consolekit_t) -auth_manage_pam_console_data(consolekit_t) -auth_write_login_records(consolekit_t) - -init_telinit(consolekit_t) -init_rw_utmp(consolekit_t) - -logging_send_syslog_msg(consolekit_t) -logging_send_audit_msgs(consolekit_t) - -miscfiles_read_localization(consolekit_t) - -# consolekit needs to be able to ptrace all logged in users -userdom_ptrace_all_users(consolekit_t) -userdom_dontaudit_read_user_home_content_files(consolekit_t) -userdom_dontaudit_getattr_admin_home_files(consolekit_t) -userdom_read_user_tmp_files(consolekit_t) - -hal_ptrace(consolekit_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(consolekit_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(consolekit_t) -') - -optional_policy(` - cron_read_system_job_lib_files(consolekit_t) -') - -optional_policy(` - dbus_system_domain(consolekit_t, consolekit_exec_t) - - optional_policy(` - hal_dbus_chat(consolekit_t) - ') - - optional_policy(` - rpm_dbus_chat(consolekit_t) - ') - - optional_policy(` - unconfined_dbus_chat(consolekit_t) - ') -') - -optional_policy(` - networkmanager_append_log(consolekit_t) -') - -optional_policy(` - policykit_dbus_chat(consolekit_t) - policykit_domtrans_auth(consolekit_t) - policykit_read_lib(consolekit_t) - policykit_read_reload(consolekit_t) -') - -optional_policy(` - shutdown_domtrans(consolekit_t) -') - -optional_policy(` - xserver_read_xdm_pid(consolekit_t) - xserver_read_user_xauth(consolekit_t) - xserver_non_drawing_client(consolekit_t) - corenet_tcp_connect_xserver_port(consolekit_t) - xserver_stream_connect(consolekit_t) - xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t) -') - -optional_policy(` - udev_domtrans(consolekit_t) - udev_read_db(consolekit_t) - udev_signal(consolekit_t) -') - -optional_policy(` - #reading .Xauthity - unconfined_ptrace(consolekit_t) - unconfined_stream_connect(consolekit_t) -') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc deleted file mode 100644 index 2098ee9..0000000 --- a/policy/modules/services/corosync.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) - -/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) - -/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) -/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) - -/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) - -/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) - -/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) -/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if deleted file mode 100644 index a2e6830..0000000 --- a/policy/modules/services/corosync.if +++ /dev/null @@ -1,125 +0,0 @@ -## Corosync Cluster Engine - -######################################## -## -## Execute a domain transition to run corosync. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`corosync_domtrans',` - gen_require(` - type corosync_t, corosync_exec_t; - ') - - domtrans_pattern($1, corosync_exec_t, corosync_t) -') - -###################################### -## -## Execute corosync in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`corosync_exec',` - gen_require(` - type corosync_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, corosync_exec_t) -') - -####################################### -## -## Allow the specified domain to read corosync's log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`corosync_read_log',` - gen_require(` - type corosync_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t) - read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) -') - -##################################### -## -## Connect to corosync over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`corosync_stream_connect',` - gen_require(` - type corosync_t, corosync_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) -') - -###################################### -## -## All of the rules required to administrate -## an corosync environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the corosyncd domain. -## -## -## -# -interface(`corosyncd_admin',` - gen_require(` - type corosync_t, corosync_var_lib_t, corosync_var_log_t; - type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; - type corosync_initrc_exec_t; - ') - - allow $1 corosync_t:process { ptrace signal_perms }; - ps_process_pattern($1, corosync_t) - - init_labeled_script_domtrans($1, corosync_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 corosync_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, corosync_tmp_t) - - admin_pattern($1, corosync_tmpfs_t) - - files_list_var_lib($1) - admin_pattern($1, corosync_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, corosync_var_log_t) - - files_list_pids($1) - admin_pattern($1, corosync_var_run_t) -') diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te deleted file mode 100644 index c3620a0..0000000 --- a/policy/modules/services/corosync.te +++ /dev/null @@ -1,121 +0,0 @@ -policy_module(corosync, 1.0.0) - -######################################## -# -# Declarations -# - -type corosync_t; -type corosync_exec_t; -init_daemon_domain(corosync_t, corosync_exec_t) - -type corosync_initrc_exec_t; -init_script_file(corosync_initrc_exec_t); - -type corosync_tmp_t; -files_tmp_file(corosync_tmp_t) - -type corosync_tmpfs_t; -files_tmpfs_file(corosync_tmpfs_t) - -type corosync_var_lib_t; -files_type(corosync_var_lib_t) - -type corosync_var_log_t; -logging_log_file(corosync_var_log_t) - -type corosync_var_run_t; -files_pid_file(corosync_var_run_t) - -######################################## -# -# corosync local policy -# - -allow corosync_t self:capability { dac_override sys_nice sys_ptrace sys_resource ipc_lock }; -allow corosync_t self:process { setrlimit setsched signal signull }; - -allow corosync_t self:fifo_file rw_fifo_file_perms; -allow corosync_t self:sem create_sem_perms; -allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow corosync_t self:unix_dgram_socket create_socket_perms; -allow corosync_t self:udp_socket create_socket_perms; - -can_exec(corosync_t, corosync_exec_t) - -manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) -manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) -files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir }) - -manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) -manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) -fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file }) - -manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) -manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) -manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) -files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file }) - -manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file }) - -manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) -manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) -files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) - -kernel_read_system_state(corosync_t) -kernel_read_network_state(corosync_t) - -corecmd_exec_bin(corosync_t) -corecmd_exec_shell(corosync_t) - -corenet_udp_bind_netsupport_port(corosync_t) - -dev_read_urand(corosync_t) - -domain_read_all_domains_state(corosync_t) - -files_manage_mounttab(corosync_t) -files_read_usr_files(corosync_t) - -auth_use_nsswitch(corosync_t) - -init_read_script_state(corosync_t) -init_rw_script_tmp_files(corosync_t) - -logging_send_syslog_msg(corosync_t) - -miscfiles_read_localization(corosync_t) - -userdom_delete_user_tmpfs_files(corosync_t) -userdom_rw_user_tmpfs_files(corosync_t) - -optional_policy(` - fs_manage_tmpfs_files(corosync_t) - init_manage_script_status_files(corosync_t) -') - -optional_policy(` - ccs_read_config(corosync_t) -') - -optional_policy(` - cmirrord_rw_shm(corosync_t) -') - -optional_policy(` - lvm_rw_clvmd_tmpfs_files(corosync_t) -') - -optional_policy(` - # to communication with RHCS - rhcs_rw_cluster_shm(corosync_t) - rhcs_rw_cluster_semaphores(corosync_t) - rhcs_stream_connect_cluster(corosync_t) - rhcs_read_cluster_lib_files(corosync_t) -') - -optional_policy(` - rgmanager_manage_tmpfs_files(corosync_t) -') diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc deleted file mode 100644 index f1bf79a..0000000 --- a/policy/modules/services/courier.fc +++ /dev/null @@ -1,24 +0,0 @@ -/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) - -/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) - -/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) - -/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) -/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) - -/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) - -/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) - -/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) -/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if deleted file mode 100644 index f081899..0000000 --- a/policy/modules/services/courier.if +++ /dev/null @@ -1,220 +0,0 @@ -## Courier IMAP and POP3 email servers - -######################################## -## -## Template for creating courier server processes. -## -## -## -## Prefix name of the server process. -## -## -# -template(`courier_domain_template',` - - ############################## - # - # Declarations - # - - type courier_$1_t; - type courier_$1_exec_t; - init_daemon_domain(courier_$1_t, courier_$1_exec_t) - - ############################## - # - # Declarations - # - - allow courier_$1_t self:capability dac_override; - dontaudit courier_$1_t self:capability sys_tty_config; - allow courier_$1_t self:process { setpgid signal_perms }; - allow courier_$1_t self:fifo_file { read write getattr }; - allow courier_$1_t self:tcp_socket create_stream_socket_perms; - allow courier_$1_t self:udp_socket create_socket_perms; - - can_exec(courier_$1_t, courier_$1_exec_t) - - read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t) - allow courier_$1_t courier_etc_t:dir list_dir_perms; - - manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - files_search_pids(courier_$1_t) - files_pid_filetrans(courier_$1_t, courier_var_run_t, dir) - - kernel_read_system_state(courier_$1_t) - kernel_read_kernel_sysctls(courier_$1_t) - - corecmd_exec_bin(courier_$1_t) - - corenet_all_recvfrom_unlabeled(courier_$1_t) - corenet_all_recvfrom_netlabel(courier_$1_t) - corenet_tcp_sendrecv_generic_if(courier_$1_t) - corenet_udp_sendrecv_generic_if(courier_$1_t) - corenet_tcp_sendrecv_generic_node(courier_$1_t) - corenet_udp_sendrecv_generic_node(courier_$1_t) - corenet_tcp_sendrecv_all_ports(courier_$1_t) - corenet_udp_sendrecv_all_ports(courier_$1_t) - - dev_read_sysfs(courier_$1_t) - - domain_use_interactive_fds(courier_$1_t) - - files_read_etc_files(courier_$1_t) - files_read_etc_runtime_files(courier_$1_t) - files_read_usr_files(courier_$1_t) - - fs_getattr_xattr_fs(courier_$1_t) - fs_search_auto_mountpoints(courier_$1_t) - - logging_send_syslog_msg(courier_$1_t) - - sysnet_read_config(courier_$1_t) - - userdom_dontaudit_use_unpriv_user_fds(courier_$1_t) - - optional_policy(` - seutil_sigchld_newrole(courier_$1_t) - ') - - optional_policy(` - udev_read_db(courier_$1_t) - ') -') - -######################################## -## -## Execute the courier authentication daemon with -## a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`courier_domtrans_authdaemon',` - gen_require(` - type courier_authdaemon_t, courier_authdaemon_exec_t; - ') - - domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) -') - -######################################## -## -## Execute the courier POP3 and IMAP server with -## a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`courier_domtrans_pop',` - gen_require(` - type courier_pop_t, courier_pop_exec_t; - ') - - domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) -') - -######################################## -## -## Read courier config files -## -## -## -## Domain allowed access. -## -## -# -interface(`courier_read_config',` - gen_require(` - type courier_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, courier_etc_t, courier_etc_t) -') - -######################################## -## -## Create, read, write, and delete courier -## spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`courier_manage_spool_dirs',` - gen_require(` - type courier_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, courier_spool_t, courier_spool_t) -') - -######################################## -## -## Create, read, write, and delete courier -## spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`courier_manage_spool_files',` - gen_require(` - type courier_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, courier_spool_t, courier_spool_t) -') - -######################################## -## -## Read courier spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`courier_read_spool',` - gen_require(` - type courier_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, courier_spool_t, courier_spool_t) -') - -######################################## -## -## Read and write to courier spool pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`courier_rw_spool_pipes',` - gen_require(` - type courier_spool_t; - ') - - allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; -') diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te deleted file mode 100644 index cc93958..0000000 --- a/policy/modules/services/courier.te +++ /dev/null @@ -1,146 +0,0 @@ -policy_module(courier, 1.9.1) - -######################################## -# -# Declarations -# - -courier_domain_template(authdaemon) - -type courier_etc_t; -files_config_file(courier_etc_t) - -courier_domain_template(pcp) - -courier_domain_template(pop) - -type courier_spool_t; -files_type(courier_spool_t) - -courier_domain_template(tcpd) - -type courier_var_lib_t; -files_type(courier_var_lib_t) - -type courier_var_run_t; -files_pid_file(courier_var_run_t) - -type courier_exec_t; -mta_agent_executable(courier_exec_t) - -courier_domain_template(sqwebmail) -typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; - -######################################## -# -# Authdaemon local policy -# - -allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; -allow courier_authdaemon_t self:unix_stream_socket connectto; - -can_exec(courier_authdaemon_t, courier_exec_t) - -allow courier_authdaemon_t courier_tcpd_t:fd use; -allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms; - -allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:process sigchld; -allow courier_authdaemon_t courier_tcpd_t:fd use; -allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; - -manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) -files_search_spool(courier_authdaemon_t) - -corecmd_search_bin(courier_authdaemon_t) - -# for SSP -dev_read_urand(courier_authdaemon_t) - -files_getattr_tmp_dirs(courier_authdaemon_t) - -auth_domtrans_chk_passwd(courier_authdaemon_t) - -libs_read_lib_files(courier_authdaemon_t) - -miscfiles_read_localization(courier_authdaemon_t) - -# should not be needed! -userdom_search_user_home_dirs(courier_authdaemon_t) - -courier_domtrans_pop(courier_authdaemon_t) - -######################################## -# -# Calendar (PCP) local policy -# - -allow courier_pcp_t self:capability { setuid setgid }; - -dev_read_rand(courier_pcp_t) - -######################################## -# -# POP3/IMAP local policy -# - -allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; -allow courier_pop_t courier_authdaemon_t:process sigchld; - -allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; - -# inherits file handle - should it? -allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; - -miscfiles_read_localization(courier_pop_t) - -courier_domtrans_authdaemon(courier_pop_t) - -# do the actual work (read the Maildir) -userdom_manage_user_home_content_files(courier_pop_t) -# cjp: the fact that this is different for pop vs imap means that -# there should probably be a courier_pop_t and courier_imap_t -# this should also probably be a separate type too instead of -# the regular home dir -userdom_manage_user_home_content_dirs(courier_pop_t) - -######################################## -# -# TCPd local policy -# - -allow courier_tcpd_t self:capability kill; - -can_exec(courier_tcpd_t, courier_exec_t) - -manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) -manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) -files_search_var_lib(courier_tcpd_t) - -corecmd_search_bin(courier_tcpd_t) - -corenet_tcp_bind_generic_node(courier_tcpd_t) -corenet_tcp_bind_pop_port(courier_tcpd_t) -corenet_sendrecv_pop_server_packets(courier_tcpd_t) - -# for TLS -dev_read_rand(courier_tcpd_t) -dev_read_urand(courier_tcpd_t) - -miscfiles_read_localization(courier_tcpd_t) - -courier_domtrans_pop(courier_tcpd_t) - -######################################## -# -# Webmail local policy -# - -kernel_read_kernel_sysctls(courier_sqwebmail_t) - -optional_policy(` - cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) -') diff --git a/policy/modules/services/cpucontrol.fc b/policy/modules/services/cpucontrol.fc deleted file mode 100644 index 789c8c7..0000000 --- a/policy/modules/services/cpucontrol.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/etc/firmware/.* -- gen_context(system_u:object_r:cpucontrol_conf_t,s0) - -/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0) - -/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) -/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) -/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) - -/var/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0) diff --git a/policy/modules/services/cpucontrol.if b/policy/modules/services/cpucontrol.if deleted file mode 100644 index ff6310d..0000000 --- a/policy/modules/services/cpucontrol.if +++ /dev/null @@ -1,17 +0,0 @@ -## Services for loading CPU microcode and CPU frequency scaling. - -######################################## -## -## CPUcontrol stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`cpucontrol_stub',` - gen_require(` - type cpucontrol_t; - ') -') diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te deleted file mode 100644 index 13d2f63..0000000 --- a/policy/modules/services/cpucontrol.te +++ /dev/null @@ -1,122 +0,0 @@ -policy_module(cpucontrol, 1.3.0) - -######################################## -# -# Declarations -# - -type cpucontrol_t; -type cpucontrol_exec_t; -init_system_domain(cpucontrol_t, cpucontrol_exec_t) - -type cpucontrol_conf_t; -files_type(cpucontrol_conf_t) - -type cpuspeed_t; -type cpuspeed_exec_t; -init_system_domain(cpuspeed_t, cpuspeed_exec_t) - -type cpuspeed_var_run_t; -files_pid_file(cpuspeed_var_run_t) - -######################################## -# -# CPU microcode loader local policy -# - -allow cpucontrol_t self:capability { ipc_lock sys_rawio }; -dontaudit cpucontrol_t self:capability sys_tty_config; -allow cpucontrol_t self:process signal_perms; - -allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms; -read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) -read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) - -kernel_list_proc(cpucontrol_t) -kernel_read_proc_symlinks(cpucontrol_t) -kernel_read_kernel_sysctls(cpucontrol_t) - -dev_read_sysfs(cpucontrol_t) -dev_rw_cpu_microcode(cpucontrol_t) - -fs_search_auto_mountpoints(cpucontrol_t) - -term_dontaudit_use_console(cpucontrol_t) - -domain_use_interactive_fds(cpucontrol_t) - -files_list_usr(cpucontrol_t) - -init_use_fds(cpucontrol_t) -init_use_script_ptys(cpucontrol_t) - -logging_send_syslog_msg(cpucontrol_t) - -userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t) - -optional_policy(` - nscd_socket_use(cpucontrol_t) -') - -optional_policy(` - rhgb_use_ptys(cpucontrol_t) -') - -optional_policy(` - seutil_sigchld_newrole(cpucontrol_t) -') - -optional_policy(` - udev_read_db(cpucontrol_t) -') - -######################################## -# -# CPU frequency scaling daemons -# - -dontaudit cpuspeed_t self:capability sys_tty_config; -allow cpuspeed_t self:process { signal_perms setsched }; -allow cpuspeed_t self:unix_dgram_socket create_socket_perms; - -allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms; -files_pid_filetrans(cpuspeed_t, cpuspeed_var_run_t, file) - -kernel_read_system_state(cpuspeed_t) -kernel_read_kernel_sysctls(cpuspeed_t) - -dev_write_sysfs_dirs(cpuspeed_t) -dev_rw_sysfs(cpuspeed_t) - -domain_use_interactive_fds(cpuspeed_t) -# for demand/load-based scaling: -domain_read_all_domains_state(cpuspeed_t) - -files_read_etc_files(cpuspeed_t) -files_read_etc_runtime_files(cpuspeed_t) -files_list_usr(cpuspeed_t) - -fs_search_auto_mountpoints(cpuspeed_t) - -term_dontaudit_use_console(cpuspeed_t) - -init_use_fds(cpuspeed_t) -init_use_script_ptys(cpuspeed_t) - -logging_send_syslog_msg(cpuspeed_t) - -miscfiles_read_localization(cpuspeed_t) - -userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t) - -optional_policy(` - nscd_socket_use(cpuspeed_t) -') - -optional_policy(` - seutil_sigchld_newrole(cpuspeed_t) -') - -optional_policy(` - udev_read_db(cpuspeed_t) -') diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc deleted file mode 100644 index 3e8ad69..0000000 --- a/policy/modules/services/cron.fc +++ /dev/null @@ -1,51 +0,0 @@ -/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) - -/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - -/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) -/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) - -/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) -/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) -/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) -/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) - -/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) - -/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) - -/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) -#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -/var/spool/cron/[^/]* -- <> - -ifdef(`distro_gentoo',` -/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -/var/spool/cron/lastrun/[^/]* -- <> -') - -ifdef(`distro_suse', ` -/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -/var/spool/cron/lastrun/[^/]* -- <> -/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -') - -/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/cron/crontabs/.* -- <> -#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) - -/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/fcron/.* <> -/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) -/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - -/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) - -/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if deleted file mode 100644 index b6402c9..0000000 --- a/policy/modules/services/cron.if +++ /dev/null @@ -1,720 +0,0 @@ -## Periodic execution of scheduled commands. - -####################################### -## -## The common rules for a crontab domain. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`cron_common_crontab_template',` - gen_require(` - type crond_t, crond_var_run_t, crontab_exec_t; - type cron_spool_t, user_cron_spool_t; - ') - - ############################## - # - # Declarations - # - - type $1_t; - application_domain($1_t, crontab_exec_t) - ubac_constrained($1_t) - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - - ############################## - # - # Local policy - # - - # dac_override is to create the file in the directory under /tmp - allow $1_t self:capability { fowner setuid setgid chown dac_override }; - allow $1_t self:process { setsched signal_perms }; - allow $1_t self:fifo_file rw_fifo_file_perms; - - allow $1_t crond_t:process signal; - allow $1_t crond_var_run_t:file read_file_perms; - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) - - # create files in /var/spool/cron - manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) - filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) - files_list_spool($1_t) - - # crontab signals crond by updating the mtime on the spooldir - allow $1_t cron_spool_t:dir setattr_dir_perms; - - kernel_read_system_state($1_t) - - # for the checks used by crontab -u - selinux_dontaudit_search_fs($1_t) - - fs_getattr_xattr_fs($1_t) - - domain_use_interactive_fds($1_t) - - files_read_etc_files($1_t) - files_read_usr_files($1_t) - files_dontaudit_search_pids($1_t) - - auth_domtrans_chk_passwd($1_t) - - logging_send_syslog_msg($1_t) - logging_send_audit_msgs($1_t) - logging_set_loginuid($1_t) - - init_dontaudit_write_utmp($1_t) - init_read_utmp($1_t) - - miscfiles_read_localization($1_t) - - seutil_read_config($1_t) - - userdom_manage_user_tmp_dirs($1_t) - userdom_manage_user_tmp_files($1_t) - # Access terminals. - userdom_use_user_terminals($1_t) - # Read user crontabs - userdom_read_user_home_content_files($1_t) - userdom_read_user_home_content_symlinks($1_t) - - tunable_policy(`fcron_crond',` - # fcron wants an instant update of a crontab change for the administrator - # also crontab does a security check for crontab -u - dontaudit $1_t crond_t:process signal; - ') - - optional_policy(` - nscd_socket_use($1_t) - ') -') - -######################################## -## -## Role access for cron -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -interface(`cron_role',` - gen_require(` - type cronjob_t, crontab_t, crontab_exec_t; - type user_cron_spool_t, crond_t; - ') - - role $1 types { cronjob_t crontab_t }; - - # cronjob shows up in user ps - ps_process_pattern($2, cronjob_t) - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, crontab_t) - - allow crond_t $2:process transition; - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - - # needs to be authorized SELinux context for cron - allow $2 user_cron_spool_t:file entrypoint; - - # crontab shows up in user ps - ps_process_pattern($2, crontab_t) - allow $2 crontab_t:process { ptrace signal_perms }; - - # Run helper programs as the user domain - #corecmd_bin_domtrans(crontab_t, $2) - #corecmd_shell_domtrans(crontab_t, $2) - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(cronjob_t) - allow cronjob_t $2:dbus send_msg; - ') -') - -######################################## -## -## Role access for unconfined cronjobs -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -interface(`cron_unconfined_role',` - gen_require(` - type unconfined_cronjob_t; - ') - - role $1 types unconfined_cronjob_t; - - # cronjob shows up in user ps - ps_process_pattern($2, unconfined_cronjob_t) - allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(unconfined_cronjob_t) - allow unconfined_cronjob_t $2:dbus send_msg; - ') -') - -######################################## -## -## Role access for cron -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -interface(`cron_admin_role',` - gen_require(` - type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; - class passwd crontab; - ') - - role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; - - # cronjob shows up in user ps - ps_process_pattern($2, cronjob_t) - - # Manipulate other users crontab. - allow $2 self:passwd crontab; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, admin_crontab_t) - - # crontab shows up in user ps - ps_process_pattern($2, admin_crontab_t) - allow $2 admin_crontab_t:process { ptrace signal_perms }; - - # Run helper programs as the user domain - #corecmd_bin_domtrans(admin_crontab_t, $2) - #corecmd_shell_domtrans(admin_crontab_t, $2) - corecmd_exec_bin(admin_crontab_t) - corecmd_exec_shell(admin_crontab_t) - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(admin_cronjob_t) - allow cronjob_t $2:dbus send_msg; - ') -') - -######################################## -## -## Make the specified program domain accessable -## from the system cron jobs. -## -## -## -## The type of the process to transition to. -## -## -## -## -## The type of the file used as an entrypoint to this domain. -## -## -# -interface(`cron_system_entry',` - gen_require(` - type crond_t, system_cronjob_t; - ') - - domtrans_pattern(system_cronjob_t, $2, $1) - domtrans_pattern(crond_t, $2, $1) - - role system_r types $1; -') - -######################################## -## -## Execute cron in the cron system domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cron_domtrans',` - gen_require(` - type system_cronjob_t, crond_exec_t; - ') - - domtrans_pattern($1, crond_exec_t, system_cronjob_t) -') - -######################################## -## -## Execute crond_exec_t -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_exec',` - gen_require(` - type crond_exec_t; - ') - - can_exec($1, crond_exec_t) -') - -######################################## -## -## Execute crond server in the crond domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cron_initrc_domtrans',` - gen_require(` - type crond_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, crond_initrc_exec_t) -') - -######################################## -## -## Inherit and use a file descriptor -## from the cron daemon. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_use_fds',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fd use; -') - -######################################## -## -## Send a SIGCHLD signal to the cron daemon. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_sigchld',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:process sigchld; -') - -######################################## -## -## Read a cron daemon unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_read_pipes',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to write cron daemon unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`cron_dontaudit_write_pipes',` - gen_require(` - type crond_t; - ') - - dontaudit $1 crond_t:fifo_file write; -') - -######################################## -## -## Read and write a cron daemon unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_rw_pipes',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms; -') - -######################################## -## -## Read and write inherited user spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_rw_inherited_user_spool_files',` - gen_require(` - type user_cron_spool_t; - ') - - allow $1 user_cron_spool_t:file rw_inherited_file_perms; -') - -######################################## -## -## Read and write inherited spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_rw_inherited_spool_files',` - gen_require(` - type cron_spool_t; - ') - - allow $1 cron_spool_t:file rw_inherited_file_perms; -') - -######################################## -## -## Read, and write cron daemon TCP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_rw_tcp_sockets',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:tcp_socket { read write }; -') - -######################################## -## -## Dontaudit Read, and write cron daemon TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`cron_dontaudit_rw_tcp_sockets',` - gen_require(` - type crond_t; - ') - - dontaudit $1 crond_t:tcp_socket { read write }; -') - -######################################## -## -## Search the directory containing user cron tables. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_search_spool',` - gen_require(` - type cron_spool_t; - ') - - files_search_spool($1) - allow $1 cron_spool_t:dir search_dir_perms; -') - -######################################## -## -## Manage pid files used by cron -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_manage_pid_files',` - gen_require(` - type crond_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, crond_var_run_t, crond_var_run_t) -') - -######################################## -## -## Execute anacron in the cron system domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cron_anacron_domtrans_system_job',` - gen_require(` - type system_cronjob_t, anacron_exec_t; - ') - - domtrans_pattern($1, anacron_exec_t, system_cronjob_t) -') - -######################################## -## -## Inherit and use a file descriptor -## from system cron jobs. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_use_system_job_fds',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:fd use; -') - -######################################## -## -## Write a system cron job unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_write_system_job_pipes',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:fifo_file write; -') - -######################################## -## -## Read and write a system cron job unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_rw_system_job_pipes',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; -') - -######################################## -## -## Allow read/write unix stream sockets from the system cron jobs. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_rw_system_job_stream_sockets',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:unix_stream_socket { read write }; -') - -######################################## -## -## Read temporary files from the system cron jobs. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_read_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t, cron_var_run_t; - ') - - files_search_tmp($1) - allow $1 system_cronjob_tmp_t:file read_file_perms; - - files_search_pids($1) - allow $1 cron_var_run_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to append temporary -## files from the system cron jobs. -## -## -## -## Domain to not audit. -## -## -# -interface(`cron_dontaudit_append_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t; - ') - - dontaudit $1 system_cronjob_tmp_t:file append_file_perms; -') - -######################################## -## -## Do not audit attempts to write temporary -## files from the system cron jobs. -## -## -## -## Domain to not audit. -## -## -# -interface(`cron_dontaudit_write_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t; - type cron_var_run_t; - ') - - dontaudit $1 system_cronjob_tmp_t:file write_file_perms; - dontaudit $1 cron_var_run_t:file write_file_perms; -') - -######################################## -## -## Read temporary files from the system cron jobs. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_read_system_job_lib_files',` - gen_require(` - type system_cronjob_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -') - -######################################## -## -## Manage files from the system cron jobs. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_manage_system_job_lib_files',` - gen_require(` - type system_cronjob_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te deleted file mode 100644 index 2a7f7f4..0000000 --- a/policy/modules/services/cron.te +++ /dev/null @@ -1,718 +0,0 @@ -policy_module(cron, 2.2.0) - -gen_require(` - class passwd rootok; -') - -######################################## -# -# Declarations -# - -## -##

-## Allow system cron jobs to relabel filesystem -## for restoring file contexts. -##

-##
-gen_tunable(cron_can_relabel, false) - -## -##

-## Enable extra rules in the cron domain -## to support fcron. -##

-##
-gen_tunable(fcron_crond, false) - -attribute cron_spool_type; - -type anacron_exec_t; -application_executable_file(anacron_exec_t) - -type cron_spool_t; -files_type(cron_spool_t) - -# var/lib files -type cron_var_lib_t; -files_type(cron_var_lib_t) - -type cron_var_run_t; -files_type(cron_var_run_t) - -# var/log files -type cron_log_t; -logging_log_file(cron_log_t) - -type cronjob_t; -typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t }; -typealias cronjob_t alias { auditadm_crond_t secadm_crond_t }; -domain_type(cronjob_t) -domain_cron_exemption_target(cronjob_t) -corecmd_shell_entry_type(cronjob_t) -ubac_constrained(cronjob_t) - -type crond_t; -type crond_exec_t; -init_daemon_domain(crond_t, crond_exec_t) -domain_interactive_fd(crond_t) -domain_cron_exemption_source(crond_t) - -type crond_initrc_exec_t; -init_script_file(crond_initrc_exec_t) - -type crond_tmp_t; -files_tmp_file(crond_tmp_t) -files_poly_parent(crond_tmp_t) -mta_system_content(crond_tmp_t) - -type crond_var_run_t; -files_pid_file(crond_var_run_t) -mta_system_content(crond_var_run_t) - -type crontab_exec_t; -application_executable_file(crontab_exec_t) - -cron_common_crontab_template(admin_crontab) -typealias admin_crontab_t alias sysadm_crontab_t; -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; - -cron_common_crontab_template(crontab) -typealias crontab_t alias { user_crontab_t staff_crontab_t }; -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; -allow admin_crontab_t crond_t:process signal; - -type system_cron_spool_t, cron_spool_type; -files_type(system_cron_spool_t) - -type system_cronjob_t alias system_crond_t; -init_daemon_domain(system_cronjob_t, anacron_exec_t) -corecmd_shell_entry_type(system_cronjob_t) -role system_r types system_cronjob_t; -domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) - -type system_cronjob_lock_t alias system_crond_lock_t; -files_lock_file(system_cronjob_lock_t) - -type system_cronjob_tmp_t alias system_crond_tmp_t; -files_tmp_file(system_cronjob_tmp_t) - -type unconfined_cronjob_t; -domain_type(unconfined_cronjob_t) -domain_cron_exemption_target(unconfined_cronjob_t) - -# Type of user crontabs once moved to cron spool. -type user_cron_spool_t, cron_spool_type; -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; -files_type(user_cron_spool_t) -ubac_constrained(user_cron_spool_t) -mta_system_content(user_cron_spool_t) - -type system_cronjob_var_lib_t; -files_type(system_cronjob_var_lib_t) -typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; - -type system_cronjob_var_run_t; -files_pid_file(system_cronjob_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# Admin crontab local policy -# - -# Allow our crontab domain to unlink a user cron spool file. -allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms }; - -# Manipulate other users crontab. -selinux_get_fs_mount(admin_crontab_t) -selinux_validate_context(admin_crontab_t) -selinux_compute_access_vector(admin_crontab_t) -selinux_compute_create_context(admin_crontab_t) -selinux_compute_relabel_context(admin_crontab_t) -selinux_compute_user_contexts(admin_crontab_t) - -tunable_policy(`fcron_crond',` - # fcron wants an instant update of a crontab change for the administrator - # also crontab does a security check for crontab -u - allow admin_crontab_t self:process setfscreate; -') - -######################################## -# -# Cron daemon local policy -# - -allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; -dontaudit crond_t self:capability { sys_resource sys_tty_config }; -allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; -allow crond_t self:process { setexec setfscreate }; -allow crond_t self:fd use; -allow crond_t self:fifo_file rw_fifo_file_perms; -allow crond_t self:unix_dgram_socket create_socket_perms; -allow crond_t self:unix_stream_socket create_stream_socket_perms; -allow crond_t self:unix_dgram_socket sendto; -allow crond_t self:unix_stream_socket connectto; -allow crond_t self:shm create_shm_perms; -allow crond_t self:sem create_sem_perms; -allow crond_t self:msgq create_msgq_perms; -allow crond_t self:msg { send receive }; -allow crond_t self:key { search write link }; - -manage_files_pattern(crond_t, cron_log_t, cron_log_t) -logging_log_filetrans(crond_t, cron_log_t, file) - -manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -files_pid_filetrans(crond_t, crond_var_run_t, file) - -manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) - -manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) -manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) -files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) - -list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) -read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) - -kernel_read_kernel_sysctls(crond_t) -kernel_read_fs_sysctls(crond_t) -kernel_search_key(crond_t) - -dev_read_sysfs(crond_t) -selinux_get_fs_mount(crond_t) -selinux_validate_context(crond_t) -selinux_compute_access_vector(crond_t) -selinux_compute_create_context(crond_t) -selinux_compute_relabel_context(crond_t) -selinux_compute_user_contexts(crond_t) - -dev_read_urand(crond_t) - -fs_getattr_all_fs(crond_t) -fs_search_auto_mountpoints(crond_t) -fs_list_inotifyfs(crond_t) - -# need auth_chkpwd to check for locked accounts. -auth_domtrans_chk_passwd(crond_t) - -corecmd_exec_shell(crond_t) -corecmd_list_bin(crond_t) -corecmd_read_bin_symlinks(crond_t) - -domain_use_interactive_fds(crond_t) -domain_subj_id_change_exemption(crond_t) -domain_role_change_exemption(crond_t) - -files_read_usr_files(crond_t) -files_read_etc_runtime_files(crond_t) -files_read_etc_files(crond_t) -files_read_generic_spool(crond_t) -files_list_usr(crond_t) -# Read from /var/spool/cron. -files_search_var_lib(crond_t) -files_search_default(crond_t) - -init_rw_utmp(crond_t) -init_spec_domtrans_script(crond_t) - -auth_use_nsswitch(crond_t) - -logging_send_audit_msgs(crond_t) -logging_send_syslog_msg(crond_t) -logging_set_loginuid(crond_t) - -seutil_read_config(crond_t) -seutil_read_default_contexts(crond_t) -seutil_sigchld_newrole(crond_t) - -miscfiles_read_localization(crond_t) - -userdom_use_unpriv_users_fds(crond_t) -# Not sure why this is needed -userdom_list_user_home_dirs(crond_t) -userdom_create_all_users_keys(crond_t) - -mta_send_mail(crond_t) -mta_system_content(cron_spool_t) - -ifdef(`distro_debian',` - # pam_limits is used - allow crond_t self:process setrlimit; - - optional_policy(` - # Debian logcheck has the home dir set to its cache - logwatch_search_cache_dir(crond_t) - ') -') - -ifdef(`distro_redhat',` - # Run the rpm program in the rpm_t domain. Allow creation of RPM log files - # via redirection of standard out. - optional_policy(` - rpm_manage_log(crond_t) - ') -') - -tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all(crond_t) -') - -tunable_policy(`fcron_crond',` - allow crond_t system_cron_spool_t:file manage_file_perms; -') - -optional_policy(` - apache_search_sys_content(crond_t) -') - -optional_policy(` - djbdns_search_tinydns_keys(crond_t) - djbdns_link_tinydns_keys(crond_t) -') - -optional_policy(` - locallogin_search_keys(crond_t) - locallogin_link_keys(crond_t) -') - -optional_policy(` - # these should probably be unconfined_crond_t - dbus_system_bus_client(crond_t) - init_dbus_send_script(crond_t) -') - -optional_policy(` - mono_domtrans(crond_t) -') - -optional_policy(` - amanda_search_var_lib(crond_t) -') - -optional_policy(` - amavis_search_lib(crond_t) -') - -optional_policy(` - hal_dbus_chat(crond_t) - hal_write_log(crond_t) - hal_dbus_chat(system_cronjob_t) -') - -optional_policy(` - # cjp: why? - munin_search_lib(crond_t) -') - -optional_policy(` - rpc_search_nfs_state_data(crond_t) -') - -optional_policy(` - # Commonly used from postinst scripts - rpm_read_pipes(crond_t) -') - -optional_policy(` - # allow crond to find /usr/lib/postgresql/bin/do.maintenance - postgresql_search_db(crond_t) -') - -optional_policy(` - udev_read_db(crond_t) -') - -optional_policy(` - vnstatd_search_lib(crond_t) -') - -######################################## -# -# System cron process domain -# - -allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; -dontaudit system_cronjob_t self:capability sys_ptrace; - -allow system_cronjob_t self:process { signal_perms getsched setsched }; -allow system_cronjob_t self:fifo_file rw_fifo_file_perms; -allow system_cronjob_t self:passwd rootok; - -# This is to handle creation of files in /var/log directory. -# Used currently by rpm script log files -allow system_cronjob_t cron_log_t:file manage_file_perms; -logging_log_filetrans(system_cronjob_t, cron_log_t, file) - -# This is to handle /var/lib/misc directory. Used currently -# by prelink var/lib files for cron -allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; -files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) - -allow system_cronjob_t cron_var_run_t:file manage_file_perms; -files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) - -allow system_cronjob_t system_cron_spool_t:file read_file_perms; - -# anacron forces the following -manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) - -# The entrypoint interface is not used as this is not -# a regular entrypoint. Since crontab files are -# not directly executed, crond must ensure that -# the crontab file has a type that is appropriate -# for the domain of the user cron job. It -# performs an entrypoint permission check -# for this purpose. -allow system_cronjob_t system_cron_spool_t:file entrypoint; - -# Permit a transition from the crond_t domain to this domain. -# The transition is requested explicitly by the modified crond -# via setexeccon. There is no way to set up an automatic -# transition, since crontabs are configuration files, not executables. -allow crond_t system_cronjob_t:process transition; -dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; -allow crond_t system_cronjob_t:fd use; -allow system_cronjob_t crond_t:fd use; -allow system_cronjob_t crond_t:fifo_file rw_file_perms; -allow system_cronjob_t crond_t:process sigchld; -allow crond_t system_cronjob_t:key manage_key_perms; - -# Write /var/lock/makewhatis.lock. -allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) - -# write temporary files -manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) -manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) -filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) - -# var/lib files for system_crond -files_search_var_lib(system_cronjob_t) -manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) - -# Read from /var/spool/cron. -allow system_cronjob_t cron_spool_t:dir list_dir_perms; -allow system_cronjob_t cron_spool_t:file rw_file_perms; - -kernel_read_kernel_sysctls(system_cronjob_t) -kernel_read_system_state(system_cronjob_t) -kernel_read_software_raid_state(system_cronjob_t) - -# ps does not need to access /boot when run from cron -files_dontaudit_search_boot(system_cronjob_t) - -corecmd_exec_all_executables(system_cronjob_t) - -corenet_all_recvfrom_unlabeled(system_cronjob_t) -corenet_all_recvfrom_netlabel(system_cronjob_t) -corenet_tcp_sendrecv_generic_if(system_cronjob_t) -corenet_udp_sendrecv_generic_if(system_cronjob_t) -corenet_tcp_sendrecv_generic_node(system_cronjob_t) -corenet_udp_sendrecv_generic_node(system_cronjob_t) -corenet_tcp_sendrecv_all_ports(system_cronjob_t) -corenet_udp_sendrecv_all_ports(system_cronjob_t) - -dev_getattr_all_blk_files(system_cronjob_t) -dev_getattr_all_chr_files(system_cronjob_t) -dev_read_urand(system_cronjob_t) -dev_read_sysfs(system_cronjob_t) - -fs_getattr_all_fs(system_cronjob_t) -fs_getattr_all_files(system_cronjob_t) -fs_getattr_all_symlinks(system_cronjob_t) -fs_getattr_all_pipes(system_cronjob_t) -fs_getattr_all_sockets(system_cronjob_t) - -# quiet other ps operations -domain_dontaudit_read_all_domains_state(system_cronjob_t) - -files_exec_etc_files(system_cronjob_t) -files_read_etc_files(system_cronjob_t) -files_read_etc_runtime_files(system_cronjob_t) -files_list_all(system_cronjob_t) -files_getattr_all_dirs(system_cronjob_t) -files_getattr_all_files(system_cronjob_t) -files_getattr_all_symlinks(system_cronjob_t) -files_getattr_all_pipes(system_cronjob_t) -files_getattr_all_sockets(system_cronjob_t) -files_read_usr_files(system_cronjob_t) -files_read_var_files(system_cronjob_t) -# for nscd: -files_dontaudit_search_pids(system_cronjob_t) -# Access other spool directories like -# /var/spool/anacron and /var/spool/slrnpull. -files_manage_generic_spool(system_cronjob_t) -files_create_boot_flag(system_cronjob_t) - -init_use_script_fds(system_cronjob_t) -init_read_utmp(system_cronjob_t) -init_dontaudit_rw_utmp(system_cronjob_t) -# prelink tells init to restart it self, we either need to allow or dontaudit -init_telinit(system_cronjob_t) -init_domtrans_script(system_cronjob_t) - -auth_use_nsswitch(system_cronjob_t) - -libs_exec_lib_files(system_cronjob_t) -libs_exec_ld_so(system_cronjob_t) - -logging_read_generic_logs(system_cronjob_t) -logging_send_audit_msgs(system_cronjob_t) -logging_send_syslog_msg(system_cronjob_t) - -miscfiles_read_localization(system_cronjob_t) -miscfiles_manage_man_pages(system_cronjob_t) - -seutil_read_config(system_cronjob_t) - -ifdef(`distro_redhat',` - # Run the rpm program in the rpm_t domain. Allow creation of RPM log files - allow crond_t system_cron_spool_t:file manage_file_perms; - - # via redirection of standard out. - optional_policy(` - rpm_manage_log(system_cronjob_t) - ') -') - -tunable_policy(`cron_can_relabel',` - seutil_domtrans_setfiles(system_cronjob_t) -',` - selinux_get_fs_mount(system_cronjob_t) - selinux_validate_context(system_cronjob_t) - selinux_compute_access_vector(system_cronjob_t) - selinux_compute_create_context(system_cronjob_t) - selinux_compute_relabel_context(system_cronjob_t) - selinux_compute_user_contexts(system_cronjob_t) - seutil_read_file_contexts(system_cronjob_t) -') - -optional_policy(` - # Needed for certwatch - apache_exec_modules(system_cronjob_t) - apache_read_config(system_cronjob_t) - apache_read_log(system_cronjob_t) - apache_read_sys_content(system_cronjob_t) - apache_delete_cache_dirs(system_cronjob_t) - apache_delete_cache_files(system_cronjob_t) -') - -optional_policy(` - cyrus_manage_data(system_cronjob_t) -') - -optional_policy(` - dbus_system_bus_client(system_cronjob_t) -') - -optional_policy(` - exim_read_spool_files(system_cronjob_t) -') - -optional_policy(` - ftp_read_log(system_cronjob_t) -') - -optional_policy(` - inn_manage_log(system_cronjob_t) - inn_manage_pid(system_cronjob_t) - inn_read_config(system_cronjob_t) -') - -optional_policy(` - livecd_read_tmp_files(system_cronjob_t) -') - -optional_policy(` - lpd_list_spool(system_cronjob_t) -') - -optional_policy(` - mono_domtrans(system_cronjob_t) -') - -optional_policy(` - mrtg_append_create_logs(system_cronjob_t) -') - -optional_policy(` - mta_send_mail(system_cronjob_t) - mta_system_content(system_cron_spool_t) -') - -optional_policy(` - mysql_read_config(system_cronjob_t) -') - -optional_policy(` - postfix_read_config(system_cronjob_t) -') - -optional_policy(` - prelink_delete_cache(system_cronjob_t) - prelink_manage_lib(system_cronjob_t) - prelink_manage_log(system_cronjob_t) - prelink_read_cache(system_cronjob_t) - prelink_relabel_lib(system_cronjob_t) -') - -optional_policy(` - samba_read_config(system_cronjob_t) - samba_read_log(system_cronjob_t) - #samba_read_secrets(system_cronjob_t) -') - -optional_policy(` - slocate_create_append_log(system_cronjob_t) -') - -optional_policy(` - spamassassin_manage_lib_files(system_cronjob_t) - spamassassin_manage_home_client(system_cronjob_t) -') - -optional_policy(` - sysstat_manage_log(system_cronjob_t) -') - -optional_policy(` - unconfined_domain(crond_t) - unconfined_domain(system_cronjob_t) -') - -optional_policy(` - unconfined_shell_domtrans(crond_t) - unconfined_dbus_send(crond_t) - userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) -') - -######################################## -# -# User cronjobs local policy -# - -allow cronjob_t self:process { signal_perms setsched }; -allow cronjob_t self:fifo_file rw_fifo_file_perms; -allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -allow cronjob_t self:unix_dgram_socket create_socket_perms; - -# The entrypoint interface is not used as this is not -# a regular entrypoint. Since crontab files are -# not directly executed, crond must ensure that -# the crontab file has a type that is appropriate -# for the domain of the user cron job. It -# performs an entrypoint permission check -# for this purpose. -allow cronjob_t user_cron_spool_t:file entrypoint; - -# Permit a transition from the crond_t domain to this domain. -# The transition is requested explicitly by the modified crond -# via setexeccon. There is no way to set up an automatic -# transition, since crontabs are configuration files, not executables. -allow crond_t cronjob_t:process transition; -dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; -allow crond_t cronjob_t:fd use; -allow cronjob_t crond_t:fd use; -allow cronjob_t crond_t:fifo_file rw_file_perms; -allow cronjob_t crond_t:process sigchld; - -kernel_read_system_state(cronjob_t) -kernel_read_kernel_sysctls(cronjob_t) - -# ps does not need to access /boot when run from cron -files_dontaudit_search_boot(cronjob_t) - -corenet_all_recvfrom_unlabeled(cronjob_t) -corenet_all_recvfrom_netlabel(cronjob_t) -corenet_tcp_sendrecv_generic_if(cronjob_t) -corenet_udp_sendrecv_generic_if(cronjob_t) -corenet_tcp_sendrecv_generic_node(cronjob_t) -corenet_udp_sendrecv_generic_node(cronjob_t) -corenet_tcp_sendrecv_all_ports(cronjob_t) -corenet_udp_sendrecv_all_ports(cronjob_t) -corenet_tcp_connect_all_ports(cronjob_t) -corenet_sendrecv_all_client_packets(cronjob_t) - -dev_read_urand(cronjob_t) - -fs_getattr_all_fs(cronjob_t) - -corecmd_exec_all_executables(cronjob_t) - -# quiet other ps operations -domain_dontaudit_read_all_domains_state(cronjob_t) -domain_dontaudit_getattr_all_domains(cronjob_t) - -files_read_usr_files(cronjob_t) -files_exec_etc_files(cronjob_t) -# for nscd: -files_dontaudit_search_pids(cronjob_t) - -libs_exec_lib_files(cronjob_t) -libs_exec_ld_so(cronjob_t) - -files_read_etc_runtime_files(cronjob_t) -files_read_var_files(cronjob_t) -files_search_spool(cronjob_t) - -logging_search_logs(cronjob_t) - -seutil_read_config(cronjob_t) - -miscfiles_read_localization(cronjob_t) - -userdom_manage_user_tmp_files(cronjob_t) -userdom_manage_user_tmp_symlinks(cronjob_t) -userdom_manage_user_tmp_pipes(cronjob_t) -userdom_manage_user_tmp_sockets(cronjob_t) -# Run scripts in user home directory and access shared libs. -userdom_exec_user_home_content_files(cronjob_t) -# Access user files and dirs. -userdom_manage_user_home_content_files(cronjob_t) -userdom_manage_user_home_content_symlinks(cronjob_t) -userdom_manage_user_home_content_pipes(cronjob_t) -userdom_manage_user_home_content_sockets(cronjob_t) -#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) - -list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -allow crond_t user_cron_spool_t:file manage_lnk_file_perms; - -tunable_policy(`fcron_crond',` - allow crond_t user_cron_spool_t:file manage_file_perms; -') - -# need a per-role version of this: -#optional_policy(` -# mono_domtrans(cronjob_t) -#') - -optional_policy(` - nis_use_ypbind(cronjob_t) -') - -######################################## -# -# Unconfined cronjobs local policy -# - -optional_policy(` - # Permit a transition from the crond_t domain to this domain. - # The transition is requested explicitly by the modified crond - # via setexeccon. There is no way to set up an automatic - # transition, since crontabs are configuration files, not executables. - allow crond_t unconfined_cronjob_t:process transition; - dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; - allow crond_t unconfined_cronjob_t:fd use; - - unconfined_domain(unconfined_cronjob_t) -') diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc deleted file mode 100644 index 286ec9e..0000000 --- a/policy/modules/services/cups.fc +++ /dev/null @@ -1,79 +0,0 @@ - -/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) - -/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) - -/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) - -/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - -/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) - -# keep as separate lines to ensure proper sorting -/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -/usr/lib64/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) - -/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - -/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) -/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0) - -/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) - -/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) - -/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) - -/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) - -/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) -/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) -/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) -/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) - -/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0) -/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if deleted file mode 100644 index 777091a..0000000 --- a/policy/modules/services/cups.if +++ /dev/null @@ -1,358 +0,0 @@ -## Common UNIX printing system - -######################################## -## -## Setup cups to transtion to the cups backend domain -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_backend',` - gen_require(` - type cupsd_t; - ') - - domain_type($1) - domain_entry_file($1, $2) - role system_r types $1; - - domtrans_pattern(cupsd_t, $2, $1) - allow cupsd_t $1:process signal; - allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; - - cups_read_config($1) - cups_append_log($1) -') - -######################################## -## -## Execute cups in the cups domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cups_domtrans',` - gen_require(` - type cupsd_t, cupsd_exec_t; - ') - - domtrans_pattern($1, cupsd_exec_t, cupsd_t) -') - -######################################## -## -## Connect to cupsd over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_stream_connect',` - gen_require(` - type cupsd_t, cupsd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) -') - -######################################## -## -## Connect to cups over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Send and receive messages from -## cups over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_dbus_chat',` - gen_require(` - type cupsd_t; - class dbus send_msg; - ') - - allow $1 cupsd_t:dbus send_msg; - allow cupsd_t $1:dbus send_msg; -') - -######################################## -## -## Read cups PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_read_pid_files',` - gen_require(` - type cupsd_var_run_t; - ') - - files_search_pids($1) - allow $1 cupsd_var_run_t:file read_file_perms; -') - -######################################## -## -## Execute cups_config in the cups_config domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cups_domtrans_config',` - gen_require(` - type cupsd_config_t, cupsd_config_exec_t; - ') - - domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t) -') - -######################################## -## -## Send generic signals to the cups -## configuration daemon. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_signal_config',` - gen_require(` - type cupsd_config_t; - ') - - allow $1 cupsd_config_t:process signal; -') - -######################################## -## -## Send and receive messages from -## cupsd_config over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_dbus_chat_config',` - gen_require(` - type cupsd_config_t; - class dbus send_msg; - ') - - allow $1 cupsd_config_t:dbus send_msg; - allow cupsd_config_t $1:dbus send_msg; -') - -######################################## -## -## Read cups configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`cups_read_config',` - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; - type hplip_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) - read_files_pattern($1, hplip_etc_t, hplip_etc_t) - read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) -') - -######################################## -## -## Read cups-writable configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`cups_read_rw_config',` - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) -') - -######################################## -## -## Read cups log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`cups_read_log',` - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - allow $1 cupsd_log_t:file read_file_perms; -') - -######################################## -## -## Append cups log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_append_log',` - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, cupsd_log_t, cupsd_log_t) -') - -######################################## -## -## Write cups log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_write_log',` - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - allow $1 cupsd_log_t:file write_file_perms; -') - -######################################## -## -## Connect to ptal over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_stream_connect_ptal',` - gen_require(` - type ptal_t, ptal_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) -') - -######################################## -## -## All of the rules required to administrate -## an cups environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the cups domain. -## -## -## -# -interface(`cups_admin',` - gen_require(` - type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; - type cupsd_etc_t, cupsd_log_t, hplip_etc_t; - type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t; - type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t; - type ptal_var_run_t; - ') - - allow $1 cupsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, cupsd_t) - - init_labeled_script_domtrans($1, cupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cupsd_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, cupsd_etc_t) - files_list_etc($1) - - admin_pattern($1, cupsd_config_var_run_t) - - admin_pattern($1, cupsd_log_t) - logging_list_logs($1) - - admin_pattern($1, cupsd_lpd_tmp_t) - - admin_pattern($1, cupsd_lpd_var_run_t) - - admin_pattern($1, cupsd_tmp_t) - files_list_tmp($1) - - admin_pattern($1, cupsd_var_run_t) - files_list_pids($1) - - admin_pattern($1, hplip_etc_t) - - admin_pattern($1, hplip_var_run_t) - - admin_pattern($1, ptal_etc_t) - - admin_pattern($1, ptal_var_run_t) -') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te deleted file mode 100644 index b3ab30f..0000000 --- a/policy/modules/services/cups.te +++ /dev/null @@ -1,799 +0,0 @@ -policy_module(cups, 1.14.0) - -######################################## -# -# Declarations -# - -type cupsd_config_t; -type cupsd_config_exec_t; -init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) - -type cupsd_config_var_run_t; -files_pid_file(cupsd_config_var_run_t) - -type cupsd_t; -type cupsd_exec_t; -init_daemon_domain(cupsd_t, cupsd_exec_t) -mls_trusted_object(cupsd_t) - -type cupsd_etc_t; -files_config_file(cupsd_etc_t) - -type cupsd_initrc_exec_t; -init_script_file(cupsd_initrc_exec_t) - -type cupsd_interface_t; -files_type(cupsd_interface_t) - -type cupsd_rw_etc_t; -files_config_file(cupsd_rw_etc_t) - -type cupsd_lock_t; -files_lock_file(cupsd_lock_t) - -type cupsd_log_t; -logging_log_file(cupsd_log_t) - -type cupsd_lpd_t; -type cupsd_lpd_exec_t; -domain_type(cupsd_lpd_t) -domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) -role system_r types cupsd_lpd_t; - -type cupsd_lpd_tmp_t; -files_tmp_file(cupsd_lpd_tmp_t) - -type cupsd_lpd_var_run_t; -files_pid_file(cupsd_lpd_var_run_t) - -type cups_pdf_t; -type cups_pdf_exec_t; -cups_backend(cups_pdf_t, cups_pdf_exec_t) - -type cups_pdf_tmp_t; -files_tmp_file(cups_pdf_tmp_t) - -type cupsd_tmp_t; -files_tmp_file(cupsd_tmp_t) - -type cupsd_var_run_t; -files_pid_file(cupsd_var_run_t) -mls_trusted_object(cupsd_var_run_t) - -type hplip_t; -type hplip_exec_t; -init_daemon_domain(hplip_t, hplip_exec_t) -# For CUPS to run as a backend -cups_backend(hplip_t, hplip_exec_t) - -type hplip_etc_t; -files_config_file(hplip_etc_t) - -type hplip_tmp_t; -files_tmp_file(hplip_tmp_t) - -type hplip_var_lib_t; -files_type(hplip_var_lib_t) - -type hplip_var_run_t; -files_pid_file(hplip_var_run_t) - -type ptal_t; -type ptal_exec_t; -init_daemon_domain(ptal_t, ptal_exec_t) - -type ptal_etc_t; -files_config_file(ptal_etc_t) - -type ptal_var_run_t; -files_pid_file(ptal_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) -') - -######################################## -# -# Cups local policy -# - -# /usr/lib/cups/backend/serial needs sys_admin(?!) -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; -allow cupsd_t self:fifo_file rw_fifo_file_perms; -allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow cupsd_t self:unix_dgram_socket create_socket_perms; -allow cupsd_t self:netlink_selinux_socket create_socket_perms; -allow cupsd_t self:shm create_shm_perms; -allow cupsd_t self:sem create_sem_perms; -allow cupsd_t self:tcp_socket create_stream_socket_perms; -allow cupsd_t self:udp_socket create_socket_perms; -allow cupsd_t self:appletalk_socket create_socket_perms; -# generic socket here until appletalk socket is available in kernels -allow cupsd_t self:socket create_socket_perms; - -allow cupsd_t cupsd_etc_t:{ dir file } setattr; -read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) -read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) -files_search_etc(cupsd_t) - -manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) -can_exec(cupsd_t, cupsd_interface_t) - -manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) - -# allow cups to execute its backend scripts -can_exec(cupsd_t, cupsd_exec_t) -allow cupsd_t cupsd_exec_t:dir search_dir_perms; -allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; - -allow cupsd_t cupsd_lock_t:file manage_file_perms; -files_lock_filetrans(cupsd_t, cupsd_lock_t, file) - -manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -allow cupsd_t cupsd_log_t:dir setattr; -logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) - -manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) -manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) -manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) -files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) - -allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; -manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file }) - -allow cupsd_t hplip_t:process { signal sigkill }; - -read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) - -allow cupsd_t hplip_var_run_t:file read_file_perms; - -stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; - -kernel_read_system_state(cupsd_t) -kernel_read_network_state(cupsd_t) -kernel_read_all_sysctls(cupsd_t) -kernel_request_load_module(cupsd_t) - -corenet_all_recvfrom_unlabeled(cupsd_t) -corenet_all_recvfrom_netlabel(cupsd_t) -corenet_tcp_sendrecv_generic_if(cupsd_t) -corenet_udp_sendrecv_generic_if(cupsd_t) -corenet_raw_sendrecv_generic_if(cupsd_t) -corenet_tcp_sendrecv_generic_node(cupsd_t) -corenet_udp_sendrecv_generic_node(cupsd_t) -corenet_raw_sendrecv_generic_node(cupsd_t) -corenet_tcp_sendrecv_all_ports(cupsd_t) -corenet_udp_sendrecv_all_ports(cupsd_t) -corenet_tcp_bind_generic_node(cupsd_t) -corenet_udp_bind_generic_node(cupsd_t) -corenet_tcp_bind_ipp_port(cupsd_t) -corenet_udp_bind_ipp_port(cupsd_t) -corenet_udp_bind_howl_port(cupsd_t) -corenet_tcp_bind_reserved_port(cupsd_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) -corenet_tcp_bind_all_rpc_ports(cupsd_t) -corenet_tcp_connect_all_ports(cupsd_t) -corenet_sendrecv_hplip_client_packets(cupsd_t) -corenet_sendrecv_ipp_client_packets(cupsd_t) -corenet_sendrecv_ipp_server_packets(cupsd_t) - -dev_rw_printer(cupsd_t) -dev_read_urand(cupsd_t) -dev_read_sysfs(cupsd_t) -dev_rw_input_dev(cupsd_t) #447878 -dev_rw_generic_usb_dev(cupsd_t) -dev_rw_usbfs(cupsd_t) -dev_getattr_printer_dev(cupsd_t) - -domain_read_all_domains_state(cupsd_t) - -fs_getattr_all_fs(cupsd_t) -fs_search_auto_mountpoints(cupsd_t) -fs_search_fusefs(cupsd_t) -fs_read_anon_inodefs_files(cupsd_t) - -mls_file_downgrade(cupsd_t) -mls_file_write_all_levels(cupsd_t) -mls_file_read_all_levels(cupsd_t) -mls_rangetrans_target(cupsd_t) -mls_socket_write_all_levels(cupsd_t) -mls_fd_use_all_levels(cupsd_t) - -term_use_unallocated_ttys(cupsd_t) -term_search_ptys(cupsd_t) - -# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -corecmd_exec_shell(cupsd_t) -corecmd_exec_bin(cupsd_t) - -domain_use_interactive_fds(cupsd_t) - -files_list_spool(cupsd_t) -files_read_etc_files(cupsd_t) -files_read_etc_runtime_files(cupsd_t) -# read python modules -files_read_usr_files(cupsd_t) -# for /var/lib/defoma -files_read_var_lib_files(cupsd_t) -files_list_world_readable(cupsd_t) -files_read_world_readable_files(cupsd_t) -files_read_world_readable_symlinks(cupsd_t) -# Satisfy readahead -files_read_var_files(cupsd_t) -files_read_var_symlinks(cupsd_t) -# for /etc/printcap -files_dontaudit_write_etc_files(cupsd_t) -# smbspool seems to be iterating through all existing tmp files. -# redhat bug #214953 -# cjp: this might be a broken behavior -files_dontaudit_getattr_all_tmp_files(cupsd_t) - -selinux_compute_access_vector(cupsd_t) -selinux_validate_context(cupsd_t) - -init_exec_script_files(cupsd_t) -init_read_utmp(cupsd_t) - -auth_domtrans_chk_passwd(cupsd_t) -auth_dontaudit_read_pam_pid(cupsd_t) -auth_rw_faillog(cupsd_t) -auth_use_nsswitch(cupsd_t) - -# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* -libs_read_lib_files(cupsd_t) -libs_exec_lib_files(cupsd_t) - -logging_send_audit_msgs(cupsd_t) -logging_send_syslog_msg(cupsd_t) - -miscfiles_read_localization(cupsd_t) -# invoking ghostscript needs to read fonts -miscfiles_read_fonts(cupsd_t) -miscfiles_setattr_fonts_cache_dirs(cupsd_t) - -seutil_read_config(cupsd_t) -sysnet_exec_ifconfig(cupsd_t) - -files_dontaudit_list_home(cupsd_t) -userdom_dontaudit_use_unpriv_user_fds(cupsd_t) -userdom_dontaudit_search_user_home_content(cupsd_t) - -# Write to /var/spool/cups. -lpd_manage_spool(cupsd_t) -lpd_read_config(cupsd_t) -lpd_exec_lpr(cupsd_t) -lpd_relabel_spool(cupsd_t) - -optional_policy(` - apm_domtrans_client(cupsd_t) -') - -optional_policy(` - cron_system_entry(cupsd_t, cupsd_exec_t) -') - -optional_policy(` - dbus_system_bus_client(cupsd_t) - - userdom_dbus_send_all_users(cupsd_t) - - optional_policy(` - avahi_dbus_chat(cupsd_t) - ') - - optional_policy(` - hal_dbus_chat(cupsd_t) - ') - - # talk to processes that do not have policy - optional_policy(` - unconfined_dbus_chat(cupsd_t) - files_write_generic_pid_pipes(cupsd_t) - ') -') - -optional_policy(` - hostname_exec(cupsd_t) -') - -optional_policy(` - inetd_core_service_domain(cupsd_t, cupsd_exec_t) -') - -optional_policy(` - logrotate_domtrans(cupsd_t) -') - -optional_policy(` - mta_send_mail(cupsd_t) -') - -optional_policy(` - # cups execs smbtool which reads samba_etc_t files - samba_read_config(cupsd_t) - samba_rw_var_files(cupsd_t) -') - -optional_policy(` - seutil_sigchld_newrole(cupsd_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(cupsd_t) -') - -optional_policy(` - udev_read_db(cupsd_t) -') - -######################################## -# -# Cups configuration daemon local policy -# - -allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; -dontaudit cupsd_config_t self:capability sys_tty_config; -allow cupsd_config_t self:process { getsched signal_perms }; -allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -allow cupsd_config_t self:unix_stream_socket create_socket_perms; -allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -allow cupsd_config_t self:tcp_socket create_stream_socket_perms; - -allow cupsd_config_t cupsd_t:process signal; -ps_process_pattern(cupsd_config_t, cupsd_t) - -manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) -manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) -filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) - -manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) -manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) -files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file) - -can_exec(cupsd_config_t, cupsd_config_exec_t) - -allow cupsd_config_t cupsd_log_t:file rw_file_perms; - -manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) - -allow cupsd_config_t cupsd_var_run_t:file read_file_perms; - -manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) -manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) -files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) - -domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) - -read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) - -kernel_read_system_state(cupsd_config_t) -kernel_read_all_sysctls(cupsd_config_t) - -corenet_all_recvfrom_unlabeled(cupsd_config_t) -corenet_all_recvfrom_netlabel(cupsd_config_t) -corenet_tcp_sendrecv_generic_if(cupsd_config_t) -corenet_tcp_sendrecv_generic_node(cupsd_config_t) -corenet_tcp_sendrecv_all_ports(cupsd_config_t) -corenet_tcp_connect_all_ports(cupsd_config_t) -corenet_sendrecv_all_client_packets(cupsd_config_t) - -dev_read_sysfs(cupsd_config_t) -dev_read_urand(cupsd_config_t) -dev_read_rand(cupsd_config_t) -dev_rw_generic_usb_dev(cupsd_config_t) - -files_search_all_mountpoints(cupsd_config_t) - -fs_getattr_all_fs(cupsd_config_t) -fs_search_auto_mountpoints(cupsd_config_t) - -corecmd_exec_bin(cupsd_config_t) -corecmd_exec_shell(cupsd_config_t) - -domain_use_interactive_fds(cupsd_config_t) -# killall causes the following -domain_dontaudit_search_all_domains_state(cupsd_config_t) - -files_read_usr_files(cupsd_config_t) -files_read_etc_files(cupsd_config_t) -files_read_etc_runtime_files(cupsd_config_t) -files_read_var_symlinks(cupsd_config_t) - -# Alternatives asks for this -init_getattr_all_script_files(cupsd_config_t) - -auth_use_nsswitch(cupsd_config_t) - -logging_send_syslog_msg(cupsd_config_t) - -miscfiles_read_localization(cupsd_config_t) -miscfiles_read_hwdata(cupsd_config_t) - -seutil_dontaudit_search_config(cupsd_config_t) - -userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) -userdom_dontaudit_search_user_home_dirs(cupsd_config_t) -userdom_rw_user_tmp_files(cupsd_config_t) - -cups_stream_connect(cupsd_config_t) - -lpd_read_config(cupsd_config_t) - -ifdef(`distro_redhat',` - optional_policy(` - rpm_read_db(cupsd_config_t) - ') -') - -optional_policy(` - term_use_generic_ptys(cupsd_config_t) -') - -optional_policy(` - cron_system_entry(cupsd_config_t, cupsd_config_exec_t) -') - -optional_policy(` - dbus_system_domain(cupsd_config_t, cupsd_config_exec_t) - - optional_policy(` - hal_dbus_chat(cupsd_config_t) - ') -') - -optional_policy(` - gnome_dontaudit_search_config(cupsd_config_t) -') - -optional_policy(` - hal_domtrans(cupsd_config_t) - hal_read_tmp_files(cupsd_config_t) - hal_dontaudit_use_fds(hplip_t) -') - -optional_policy(` - hostname_exec(cupsd_config_t) -') - -optional_policy(` - logrotate_use_fds(cupsd_config_t) -') - -optional_policy(` - policykit_dbus_chat(cupsd_config_t) - userdom_read_all_users_state(cupsd_config_t) -') - -optional_policy(` - rpm_read_db(cupsd_config_t) -') - -optional_policy(` - seutil_sigchld_newrole(cupsd_config_t) -') - -optional_policy(` - udev_read_db(cupsd_config_t) -') - -optional_policy(` - unconfined_stream_connect(cupsd_config_t) -') - -######################################## -# -# Cups lpd support -# - -allow cupsd_lpd_t self:process signal_perms; -allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; -allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms; -allow cupsd_lpd_t self:udp_socket create_socket_perms; - -# for identd -# cjp: this should probably only be inetd_child rules? -allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow cupsd_lpd_t self:capability { setuid setgid }; -files_search_home(cupsd_lpd_t) -optional_policy(` - kerberos_use(cupsd_lpd_t) -') -#end for identd - -allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms; -read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) -read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) - -allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms; -read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) -read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) - -manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) -manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) -files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir }) - -manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t) -files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file) - -kernel_read_kernel_sysctls(cupsd_lpd_t) -kernel_read_system_state(cupsd_lpd_t) -kernel_read_network_state(cupsd_lpd_t) - -corenet_all_recvfrom_unlabeled(cupsd_lpd_t) -corenet_all_recvfrom_netlabel(cupsd_lpd_t) -corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) -corenet_udp_sendrecv_generic_if(cupsd_lpd_t) -corenet_tcp_sendrecv_generic_node(cupsd_lpd_t) -corenet_udp_sendrecv_generic_node(cupsd_lpd_t) -corenet_tcp_sendrecv_all_ports(cupsd_lpd_t) -corenet_udp_sendrecv_all_ports(cupsd_lpd_t) -corenet_tcp_bind_generic_node(cupsd_lpd_t) -corenet_udp_bind_generic_node(cupsd_lpd_t) -corenet_tcp_connect_ipp_port(cupsd_lpd_t) - -dev_read_urand(cupsd_lpd_t) -dev_read_rand(cupsd_lpd_t) - -fs_getattr_xattr_fs(cupsd_lpd_t) - -files_read_etc_files(cupsd_lpd_t) - -auth_use_nsswitch(cupsd_lpd_t) - -logging_send_syslog_msg(cupsd_lpd_t) - -miscfiles_read_localization(cupsd_lpd_t) -miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) - -cups_stream_connect(cupsd_lpd_t) - -optional_policy(` - inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) -') - -######################################## -# -# cups_pdf local policy -# - -allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; -allow cups_pdf_t self:fifo_file rw_file_perms; -allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) - -manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) - -fs_rw_anon_inodefs_files(cups_pdf_t) - -kernel_read_system_state(cups_pdf_t) - -files_read_etc_files(cups_pdf_t) -files_read_usr_files(cups_pdf_t) - -corecmd_exec_shell(cups_pdf_t) -corecmd_exec_bin(cups_pdf_t) - -auth_use_nsswitch(cups_pdf_t) - -miscfiles_read_localization(cups_pdf_t) -miscfiles_read_fonts(cups_pdf_t) -miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) - -userdom_home_filetrans_user_home_dir(cups_pdf_t) -userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir }) -userdom_manage_user_home_content_dirs(cups_pdf_t) -userdom_manage_user_home_content_files(cups_pdf_t) -userdom_dontaudit_search_admin_dir(cups_pdf_t) - -lpd_manage_spool(cups_pdf_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_search_auto_mountpoints(cups_pdf_t) - fs_manage_nfs_dirs(cups_pdf_t) - fs_manage_nfs_files(cups_pdf_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') - -optional_policy(` - gnome_read_config(cups_pdf_t) -') - -######################################## -# -# HPLIP local policy -# - -# Needed for USB Scanneer and xsane -allow hplip_t self:capability { dac_override dac_read_search net_raw }; -dontaudit hplip_t self:capability sys_tty_config; -allow hplip_t self:fifo_file rw_fifo_file_perms; -allow hplip_t self:process signal_perms; -allow hplip_t self:unix_dgram_socket create_socket_perms; -allow hplip_t self:unix_stream_socket create_socket_perms; -allow hplip_t self:netlink_route_socket r_netlink_socket_perms; -allow hplip_t self:tcp_socket create_stream_socket_perms; -allow hplip_t self:udp_socket create_socket_perms; -allow hplip_t self:rawip_socket create_socket_perms; - -allow hplip_t cupsd_etc_t:dir search_dir_perms; -manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) -manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) -files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) - -cups_stream_connect(hplip_t) - -allow hplip_t hplip_etc_t:dir list_dir_perms; -read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) -read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) -files_search_etc(hplip_t) - -manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) -manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) - -manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) -files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) - -manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) -files_pid_filetrans(hplip_t, hplip_var_run_t, file) - -kernel_read_system_state(hplip_t) -kernel_read_kernel_sysctls(hplip_t) - -corenet_all_recvfrom_unlabeled(hplip_t) -corenet_all_recvfrom_netlabel(hplip_t) -corenet_tcp_sendrecv_generic_if(hplip_t) -corenet_udp_sendrecv_generic_if(hplip_t) -corenet_raw_sendrecv_generic_if(hplip_t) -corenet_tcp_sendrecv_generic_node(hplip_t) -corenet_udp_sendrecv_generic_node(hplip_t) -corenet_raw_sendrecv_generic_node(hplip_t) -corenet_tcp_sendrecv_all_ports(hplip_t) -corenet_udp_sendrecv_all_ports(hplip_t) -corenet_tcp_bind_generic_node(hplip_t) -corenet_udp_bind_generic_node(hplip_t) -corenet_tcp_bind_hplip_port(hplip_t) -corenet_tcp_connect_hplip_port(hplip_t) -corenet_tcp_connect_ipp_port(hplip_t) -corenet_sendrecv_hplip_client_packets(hplip_t) -corenet_receive_hplip_server_packets(hplip_t) -corenet_udp_bind_howl_port(hplip_t) - -dev_read_sysfs(hplip_t) -dev_rw_printer(hplip_t) -dev_read_urand(hplip_t) -dev_read_rand(hplip_t) -dev_rw_generic_usb_dev(hplip_t) -dev_rw_usbfs(hplip_t) - -fs_getattr_all_fs(hplip_t) -fs_search_auto_mountpoints(hplip_t) -fs_rw_anon_inodefs_files(hplip_t) - -# for python -corecmd_exec_bin(hplip_t) - -domain_use_interactive_fds(hplip_t) - -files_read_etc_files(hplip_t) -files_read_etc_runtime_files(hplip_t) -files_read_usr_files(hplip_t) - -logging_send_syslog_msg(hplip_t) - -miscfiles_read_localization(hplip_t) - -sysnet_read_config(hplip_t) - -userdom_dontaudit_use_unpriv_user_fds(hplip_t) -userdom_dontaudit_search_user_home_dirs(hplip_t) -userdom_dontaudit_search_user_home_content(hplip_t) - -lpd_read_config(hplip_t) -lpd_manage_spool(hplip_t) - -optional_policy(` - dbus_system_bus_client(hplip_t) -') - -optional_policy(` - seutil_sigchld_newrole(hplip_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(hplip_t) -') - -optional_policy(` - udev_read_db(hplip_t) -') - -######################################## -# -# PTAL local policy -# - -allow ptal_t self:capability { chown sys_rawio }; -dontaudit ptal_t self:capability sys_tty_config; -allow ptal_t self:fifo_file rw_fifo_file_perms; -allow ptal_t self:unix_dgram_socket create_socket_perms; -allow ptal_t self:unix_stream_socket create_stream_socket_perms; -allow ptal_t self:tcp_socket create_stream_socket_perms; - -allow ptal_t ptal_etc_t:dir list_dir_perms; -read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) -read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) -files_search_etc(ptal_t) - -manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(ptal_t) -kernel_list_proc(ptal_t) -kernel_read_proc_symlinks(ptal_t) - -corenet_all_recvfrom_unlabeled(ptal_t) -corenet_all_recvfrom_netlabel(ptal_t) -corenet_tcp_sendrecv_generic_if(ptal_t) -corenet_tcp_sendrecv_generic_node(ptal_t) -corenet_tcp_sendrecv_all_ports(ptal_t) -corenet_tcp_bind_generic_node(ptal_t) -corenet_tcp_bind_ptal_port(ptal_t) - -dev_read_sysfs(ptal_t) -dev_read_usbfs(ptal_t) -dev_rw_printer(ptal_t) - -fs_getattr_all_fs(ptal_t) -fs_search_auto_mountpoints(ptal_t) - -domain_use_interactive_fds(ptal_t) - -files_read_etc_files(ptal_t) -files_read_etc_runtime_files(ptal_t) - -logging_send_syslog_msg(ptal_t) - -miscfiles_read_localization(ptal_t) - -sysnet_read_config(ptal_t) - -userdom_dontaudit_use_unpriv_user_fds(ptal_t) -userdom_dontaudit_search_user_home_content(ptal_t) - -optional_policy(` - seutil_sigchld_newrole(ptal_t) -') - -optional_policy(` - udev_read_db(ptal_t) -') diff --git a/policy/modules/services/cvs.fc b/policy/modules/services/cvs.fc deleted file mode 100644 index 48a30de..0000000 --- a/policy/modules/services/cvs.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) - -/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0) - -/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) - -#CVSWeb file context -/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) -/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if deleted file mode 100644 index 5bf3e60..0000000 --- a/policy/modules/services/cvs.if +++ /dev/null @@ -1,81 +0,0 @@ -## Concurrent versions system - -######################################## -## -## Read the CVS data and metadata. -## -## -## -## Domain allowed access. -## -## -# -interface(`cvs_read_data',` - gen_require(` - type cvs_data_t; - ') - - list_dirs_pattern($1, cvs_data_t, cvs_data_t) - read_files_pattern($1, cvs_data_t, cvs_data_t) - read_lnk_files_pattern($1, cvs_data_t, cvs_data_t) -') - -######################################## -## -## Allow the specified domain to execute cvs -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`cvs_exec',` - gen_require(` - type cvs_exec_t; - ') - - can_exec($1, cvs_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an cvs environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the cvs domain. -## -## -## -# -interface(`cvs_admin',` - gen_require(` - type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; - type cvs_data_t, cvs_var_run_t; - ') - - allow $1 cvs_t:process { ptrace signal_perms }; - ps_process_pattern($1, cvs_t) - - # Allow cvs_t to restart the apache service - init_labeled_script_domtrans($1, cvs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cvs_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, cvs_tmp_t) - - admin_pattern($1, cvs_data_t) - - files_list_pids($1) - admin_pattern($1, cvs_var_run_t) -') diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te deleted file mode 100644 index e18dc0b..0000000 --- a/policy/modules/services/cvs.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(cvs, 1.9.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow cvs daemon to read shadow -##

-##
-gen_tunable(allow_cvs_read_shadow, false) - -type cvs_t; -type cvs_exec_t; -inetd_tcp_service_domain(cvs_t, cvs_exec_t) -application_executable_file(cvs_exec_t) -role system_r types cvs_t; - -type cvs_data_t; # customizable -files_type(cvs_data_t) - -type cvs_initrc_exec_t; -init_script_file(cvs_initrc_exec_t) - -type cvs_tmp_t; -files_tmp_file(cvs_tmp_t) - -type cvs_var_run_t; -files_pid_file(cvs_var_run_t) - -######################################## -# -# Local policy -# - -allow cvs_t self:capability { setuid setgid }; -allow cvs_t self:process signal_perms; -allow cvs_t self:fifo_file rw_fifo_file_perms; -allow cvs_t self:tcp_socket connected_stream_socket_perms; -# for identd; cjp: this should probably only be inetd_child rules? -allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - -manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) -manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) -manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) - -manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) -manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) -files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir }) - -manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t) -files_pid_filetrans(cvs_t, cvs_var_run_t, file) - -kernel_read_kernel_sysctls(cvs_t) -kernel_read_system_state(cvs_t) -kernel_read_network_state(cvs_t) - -corenet_all_recvfrom_unlabeled(cvs_t) -corenet_all_recvfrom_netlabel(cvs_t) -corenet_tcp_sendrecv_generic_if(cvs_t) -corenet_udp_sendrecv_generic_if(cvs_t) -corenet_tcp_sendrecv_generic_node(cvs_t) -corenet_udp_sendrecv_generic_node(cvs_t) -corenet_tcp_sendrecv_all_ports(cvs_t) -corenet_udp_sendrecv_all_ports(cvs_t) - -dev_read_urand(cvs_t) - -fs_getattr_xattr_fs(cvs_t) - -auth_domtrans_chk_passwd(cvs_t) -auth_use_nsswitch(cvs_t) - -corecmd_exec_bin(cvs_t) -corecmd_exec_shell(cvs_t) - -files_read_etc_files(cvs_t) -files_read_etc_runtime_files(cvs_t) -# for identd; cjp: this should probably only be inetd_child rules? -files_search_home(cvs_t) - -logging_send_syslog_msg(cvs_t) -logging_send_audit_msgs(cvs_t) - -miscfiles_read_localization(cvs_t) - -mta_send_mail(cvs_t) - -# cjp: typeattribute doesnt work in conditionals yet -auth_can_read_shadow_passwords(cvs_t) -tunable_policy(`allow_cvs_read_shadow',` - allow cvs_t self:capability dac_override; - auth_tunable_read_shadow(cvs_t) -') - -optional_policy(` - kerberos_keytab_template(cvs, cvs_t) - kerberos_read_config(cvs_t) - kerberos_dontaudit_write_config(cvs_t) -') - -######################################## -# -# CVSWeb policy -# - -optional_policy(` - apache_content_template(cvs) - - read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) - manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) -') diff --git a/policy/modules/services/cyphesis.fc b/policy/modules/services/cyphesis.fc deleted file mode 100644 index c47a772..0000000 --- a/policy/modules/services/cyphesis.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) - -/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0) - -/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0) diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if deleted file mode 100644 index 7e9057e..0000000 --- a/policy/modules/services/cyphesis.if +++ /dev/null @@ -1,19 +0,0 @@ -## Cyphesis WorldForge game server - -######################################## -## -## Execute a domain transition to run cyphesis. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cyphesis_domtrans',` - gen_require(` - type cyphesis_t, cyphesis_exec_t; - ') - - domtrans_pattern($1, cyphesis_exec_t, cyphesis_t) -') diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te deleted file mode 100644 index 1f789f8..0000000 --- a/policy/modules/services/cyphesis.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(cyphesis, 1.2.0) - -######################################## -# -# Declarations -# - -type cyphesis_t; -type cyphesis_exec_t; -init_daemon_domain(cyphesis_t, cyphesis_exec_t) - -type cyphesis_log_t; -logging_log_file(cyphesis_log_t) - -type cyphesis_tmp_t; -files_tmp_file(cyphesis_tmp_t) - -type cyphesis_var_run_t; -files_pid_file(cyphesis_var_run_t) - -######################################## -# -# cyphesis local policy -# - -allow cyphesis_t self:process { setfscreate setsched signal }; -allow cyphesis_t self:fifo_file rw_fifo_file_perms; -allow cyphesis_t self:tcp_socket create_stream_socket_perms; -allow cyphesis_t self:unix_stream_socket create_stream_socket_perms; -allow cyphesis_t self:unix_dgram_socket create_socket_perms; - -manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t) -logging_log_filetrans(cyphesis_t, cyphesis_log_t, file) - -# DAN > Does cyphesis really create a sock_file in /tmp? Why? -allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms; -files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file) - -manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file }) - -kernel_read_system_state(cyphesis_t) -kernel_read_kernel_sysctls(cyphesis_t) - -# DAN> What is cyphesis looking for in /bin? -corecmd_search_bin(cyphesis_t) -corecmd_getattr_bin_files(cyphesis_t) - -corenet_all_recvfrom_unlabeled(cyphesis_t) -corenet_tcp_sendrecv_generic_if(cyphesis_t) -corenet_tcp_sendrecv_generic_node(cyphesis_t) -corenet_tcp_sendrecv_all_ports(cyphesis_t) -corenet_tcp_bind_generic_node(cyphesis_t) -corenet_tcp_bind_cyphesis_port(cyphesis_t) -corenet_sendrecv_cyphesis_server_packets(cyphesis_t) - -dev_read_urand(cyphesis_t) - -# Init script handling -domain_use_interactive_fds(cyphesis_t) - -files_read_etc_files(cyphesis_t) -files_read_usr_files(cyphesis_t) - -logging_send_syslog_msg(cyphesis_t) - -miscfiles_read_localization(cyphesis_t) - -sysnet_dns_name_resolve(cyphesis_t) - -# cyphesis wants to talk to avahi via dbus -optional_policy(` - avahi_dbus_chat(cyphesis_t) - dbus_system_bus_client(cyphesis_t) -') - -optional_policy(` - kerberos_use(cyphesis_t) -') - -optional_policy(` - postgresql_stream_connect(cyphesis_t) -') diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc deleted file mode 100644 index 445d93d..0000000 --- a/policy/modules/services/cyrus.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) - -/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) - -/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if deleted file mode 100644 index e4e86d0..0000000 --- a/policy/modules/services/cyrus.if +++ /dev/null @@ -1,81 +0,0 @@ -## Cyrus is an IMAP service intended to be run on sealed servers - -######################################## -## -## Allow caller to create, read, write, -## and delete cyrus data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cyrus_manage_data',` - gen_require(` - type cyrus_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) -') - -######################################## -## -## Connect to Cyrus using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`cyrus_stream_connect',` - gen_require(` - type cyrus_t, cyrus_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) -') - -######################################## -## -## All of the rules required to administrate -## an cyrus environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the cyrus domain. -## -## -## -# -interface(`cyrus_admin',` - gen_require(` - type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t; - type cyrus_var_run_t, cyrus_initrc_exec_t; - ') - - allow $1 cyrus_t:process { ptrace signal_perms }; - ps_process_pattern($1, cyrus_t) - - init_labeled_script_domtrans($1, cyrus_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cyrus_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, cyrus_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, cyrus_var_lib_t) - - files_list_pids($1) - admin_pattern($1, cyrus_var_run_t) -') diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te deleted file mode 100644 index f80e725..0000000 --- a/policy/modules/services/cyrus.te +++ /dev/null @@ -1,146 +0,0 @@ -policy_module(cyrus, 1.10.0) - -######################################## -# -# Declarations -# - -type cyrus_t; -type cyrus_exec_t; -init_daemon_domain(cyrus_t, cyrus_exec_t) - -type cyrus_initrc_exec_t; -init_script_file(cyrus_initrc_exec_t) - -type cyrus_tmp_t; -files_tmp_file(cyrus_tmp_t) - -type cyrus_var_lib_t; -files_type(cyrus_var_lib_t) - -type cyrus_var_run_t; -files_pid_file(cyrus_var_run_t) - -######################################## -# -# Local policy -# - -allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource }; -dontaudit cyrus_t self:capability sys_tty_config; -allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow cyrus_t self:process setrlimit; -allow cyrus_t self:fd use; -allow cyrus_t self:fifo_file rw_fifo_file_perms; -allow cyrus_t self:sock_file read_sock_file_perms; -allow cyrus_t self:shm create_shm_perms; -allow cyrus_t self:sem create_sem_perms; -allow cyrus_t self:msgq create_msgq_perms; -allow cyrus_t self:msg { send receive }; -allow cyrus_t self:unix_dgram_socket create_socket_perms; -allow cyrus_t self:unix_stream_socket create_stream_socket_perms; -allow cyrus_t self:unix_dgram_socket sendto; -allow cyrus_t self:unix_stream_socket connectto; -allow cyrus_t self:tcp_socket create_stream_socket_perms; -allow cyrus_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) -manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) -files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir }) - -manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -files_pid_filetrans(cyrus_t, cyrus_var_run_t, file) - -manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) -manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) -files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(cyrus_t) -kernel_read_system_state(cyrus_t) -kernel_read_all_sysctls(cyrus_t) - -corenet_all_recvfrom_unlabeled(cyrus_t) -corenet_all_recvfrom_netlabel(cyrus_t) -corenet_tcp_sendrecv_generic_if(cyrus_t) -corenet_udp_sendrecv_generic_if(cyrus_t) -corenet_tcp_sendrecv_generic_node(cyrus_t) -corenet_udp_sendrecv_generic_node(cyrus_t) -corenet_tcp_sendrecv_all_ports(cyrus_t) -corenet_udp_sendrecv_all_ports(cyrus_t) -corenet_tcp_bind_generic_node(cyrus_t) -corenet_tcp_bind_mail_port(cyrus_t) -corenet_tcp_bind_lmtp_port(cyrus_t) -corenet_tcp_bind_pop_port(cyrus_t) -corenet_tcp_bind_sieve_port(cyrus_t) -corenet_tcp_connect_all_ports(cyrus_t) -corenet_sendrecv_mail_server_packets(cyrus_t) -corenet_sendrecv_pop_server_packets(cyrus_t) -corenet_sendrecv_lmtp_server_packets(cyrus_t) -corenet_sendrecv_all_client_packets(cyrus_t) - -dev_read_rand(cyrus_t) -dev_read_urand(cyrus_t) -dev_read_sysfs(cyrus_t) - -fs_getattr_all_fs(cyrus_t) -fs_search_auto_mountpoints(cyrus_t) - -corecmd_exec_bin(cyrus_t) - -domain_use_interactive_fds(cyrus_t) - -files_list_var_lib(cyrus_t) -files_read_etc_files(cyrus_t) -files_read_etc_runtime_files(cyrus_t) -files_read_usr_files(cyrus_t) - -auth_use_nsswitch(cyrus_t) - -libs_exec_lib_files(cyrus_t) - -logging_send_syslog_msg(cyrus_t) - -miscfiles_read_localization(cyrus_t) -miscfiles_read_generic_certs(cyrus_t) - -sysnet_read_config(cyrus_t) - -userdom_use_unpriv_users_fds(cyrus_t) -userdom_dontaudit_search_user_home_dirs(cyrus_t) - -mta_manage_spool(cyrus_t) -mta_send_mail(cyrus_t) - -optional_policy(` - cron_system_entry(cyrus_t, cyrus_exec_t) -') - -optional_policy(` - kerberos_keytab_template(cyrus, cyrus_t) -') - -optional_policy(` - ldap_stream_connect(cyrus_t) -') - -optional_policy(` - sasl_connect(cyrus_t) -') - -optional_policy(` - seutil_sigchld_newrole(cyrus_t) -') - -optional_policy(` - files_dontaudit_write_usr_dirs(cyrus_t) - snmp_read_snmp_var_lib_files(cyrus_t) - snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) - snmp_stream_connect(cyrus_t) -') - -optional_policy(` - udev_read_db(cyrus_t) -') diff --git a/policy/modules/services/dante.fc b/policy/modules/services/dante.fc deleted file mode 100644 index 139171d..0000000 --- a/policy/modules/services/dante.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0) - -/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0) - -/var/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0) diff --git a/policy/modules/services/dante.if b/policy/modules/services/dante.if deleted file mode 100644 index 704661c..0000000 --- a/policy/modules/services/dante.if +++ /dev/null @@ -1 +0,0 @@ -## Dante msproxy and socks4/5 proxy server diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te deleted file mode 100644 index a8b93c0..0000000 --- a/policy/modules/services/dante.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(dante, 1.7.0) - -######################################## -# -# Declarations -# - -type dante_t; -type dante_exec_t; -init_daemon_domain(dante_t, dante_exec_t) - -type dante_conf_t; -files_type(dante_conf_t) - -type dante_var_run_t; -files_pid_file(dante_var_run_t) - -######################################## -# -# Local policy -# - -allow dante_t self:capability { setuid setgid }; -dontaudit dante_t self:capability sys_tty_config; -allow dante_t self:process signal_perms; -allow dante_t self:fifo_file rw_fifo_file_perms; -allow dante_t self:tcp_socket create_stream_socket_perms; -allow dante_t self:udp_socket create_socket_perms; - -allow dante_t dante_conf_t:dir list_dir_perms; -allow dante_t dante_conf_t:file read_file_perms; - -manage_files_pattern(dante_t, dante_var_run_t, dante_var_run_t) -files_pid_filetrans(dante_t, dante_var_run_t, file) - -kernel_read_kernel_sysctls(dante_t) -kernel_list_proc(dante_t) -kernel_read_proc_symlinks(dante_t) - -corenet_all_recvfrom_unlabeled(dante_t) -corenet_all_recvfrom_netlabel(dante_t) -corenet_tcp_sendrecv_generic_if(dante_t) -corenet_udp_sendrecv_generic_if(dante_t) -corenet_tcp_sendrecv_generic_node(dante_t) -corenet_udp_sendrecv_generic_node(dante_t) -corenet_tcp_sendrecv_all_ports(dante_t) -corenet_udp_sendrecv_all_ports(dante_t) -corenet_tcp_bind_generic_node(dante_t) -#TODO: no portcons for this type -#allow dante_t socks_port_t:tcp_socket name_bind; - -dev_read_sysfs(dante_t) - -domain_use_interactive_fds(dante_t) - -files_read_etc_files(dante_t) -files_read_etc_runtime_files(dante_t) - -fs_getattr_all_fs(dante_t) -fs_search_auto_mountpoints(dante_t) - -init_write_utmp(dante_t) - -logging_send_syslog_msg(dante_t) - -miscfiles_read_localization(dante_t) - -sysnet_read_config(dante_t) - -userdom_dontaudit_use_unpriv_user_fds(dante_t) -userdom_dontaudit_search_user_home_dirs(dante_t) - -optional_policy(` - seutil_sigchld_newrole(dante_t) -') - -optional_policy(` - udev_read_db(dante_t) -') diff --git a/policy/modules/services/dbskk.fc b/policy/modules/services/dbskk.fc deleted file mode 100644 index 7af2590..0000000 --- a/policy/modules/services/dbskk.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0) diff --git a/policy/modules/services/dbskk.if b/policy/modules/services/dbskk.if deleted file mode 100644 index 9e71004..0000000 --- a/policy/modules/services/dbskk.if +++ /dev/null @@ -1 +0,0 @@ -## Dictionary server for the SKK Japanese input method system. diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te deleted file mode 100644 index 1445f97..0000000 --- a/policy/modules/services/dbskk.te +++ /dev/null @@ -1,69 +0,0 @@ -policy_module(dbskk, 1.5.0) - -######################################## -# -# Declarations -# - -type dbskkd_t; -type dbskkd_exec_t; -inetd_service_domain(dbskkd_t, dbskkd_exec_t) -role system_r types dbskkd_t; - -type dbskkd_tmp_t; -files_tmp_file(dbskkd_tmp_t) - -type dbskkd_var_run_t; -files_pid_file(dbskkd_var_run_t) - -######################################## -# -# Local policy -# - -allow dbskkd_t self:process signal_perms; -allow dbskkd_t self:fifo_file rw_fifo_file_perms; -allow dbskkd_t self:tcp_socket connected_stream_socket_perms; -allow dbskkd_t self:udp_socket create_socket_perms; - -# for identd -# cjp: this should probably only be inetd_child rules? -allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow dbskkd_t self:capability { setuid setgid }; -files_search_home(dbskkd_t) -optional_policy(` - kerberos_use(dbskkd_t) -') -#end for identd - -manage_dirs_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t) -manage_files_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t) -files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir }) - -manage_files_pattern(dbskkd_t, dbskkd_var_run_t, dbskkd_var_run_t) -files_pid_filetrans(dbskkd_t, dbskkd_var_run_t, file) - -kernel_read_kernel_sysctls(dbskkd_t) -kernel_read_system_state(dbskkd_t) -kernel_read_network_state(dbskkd_t) - -corenet_all_recvfrom_unlabeled(dbskkd_t) -corenet_all_recvfrom_netlabel(dbskkd_t) -corenet_tcp_sendrecv_generic_if(dbskkd_t) -corenet_udp_sendrecv_generic_if(dbskkd_t) -corenet_tcp_sendrecv_generic_node(dbskkd_t) -corenet_udp_sendrecv_generic_node(dbskkd_t) -corenet_tcp_sendrecv_all_ports(dbskkd_t) -corenet_udp_sendrecv_all_ports(dbskkd_t) - -dev_read_urand(dbskkd_t) - -fs_getattr_xattr_fs(dbskkd_t) - -files_read_etc_files(dbskkd_t) - -auth_use_nsswitch(dbskkd_t) - -logging_send_syslog_msg(dbskkd_t) - -miscfiles_read_localization(dbskkd_t) diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc deleted file mode 100644 index 81eba14..0000000 --- a/policy/modules/services/dbus.fc +++ /dev/null @@ -1,17 +0,0 @@ -/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) - -/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) -/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - -/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) - -ifdef(`distro_redhat',` -/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -') diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if deleted file mode 100644 index 74fa3d6..0000000 --- a/policy/modules/services/dbus.if +++ /dev/null @@ -1,524 +0,0 @@ -## Desktop messaging bus - -######################################## -## -## DBUS stub interface. No access allowed. -## -## -## -## Domain allowed access -## -## -# -interface(`dbus_stub',` - gen_require(` - type system_dbusd_t; - class dbus all_dbus_perms; - ') -') - -######################################## -## -## Role access for dbus -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -template(`dbus_role_template',` - gen_require(` - class dbus { send_msg acquire_svc }; - attribute dbusd_unconfined, session_bus_type; - type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; - type $1_t; - ') - - ############################## - # - # Delcarations - # - - type $1_dbusd_t, session_bus_type; - domain_type($1_dbusd_t) - domain_entry_file($1_dbusd_t, dbusd_exec_t) - ubac_constrained($1_dbusd_t) - role $2 types $1_dbusd_t; - - ############################## - # - # Local policy - # - - allow $1_dbusd_t self:process { getattr sigkill signal }; - dontaudit $1_dbusd_t self:process ptrace; - allow $1_dbusd_t self:file { getattr read write }; - allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; - allow $1_dbusd_t self:dbus { send_msg acquire_svc }; - allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; - allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; - allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; - allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; - - # For connecting to the bus - allow $3 $1_dbusd_t:unix_stream_socket connectto; - - # SE-DBus specific permissions - allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; - - allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) - read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) - - manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) - manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) - files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) - - domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) - - ps_process_pattern($3, $1_dbusd_t) - allow $3 $1_dbusd_t:process { ptrace signal_perms }; - - # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $1_t) - allow $1_dbusd_t $3:process sigkill; - allow $3 $1_dbusd_t:fd use; - allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; - - kernel_read_system_state($1_dbusd_t) - kernel_read_kernel_sysctls($1_dbusd_t) - - corecmd_list_bin($1_dbusd_t) - corecmd_read_bin_symlinks($1_dbusd_t) - corecmd_read_bin_files($1_dbusd_t) - corecmd_read_bin_pipes($1_dbusd_t) - corecmd_read_bin_sockets($1_dbusd_t) - - corenet_all_recvfrom_unlabeled($1_dbusd_t) - corenet_all_recvfrom_netlabel($1_dbusd_t) - corenet_tcp_sendrecv_generic_if($1_dbusd_t) - corenet_tcp_sendrecv_generic_node($1_dbusd_t) - corenet_tcp_sendrecv_all_ports($1_dbusd_t) - corenet_tcp_bind_generic_node($1_dbusd_t) - corenet_tcp_bind_reserved_port($1_dbusd_t) - - dev_read_urand($1_dbusd_t) - - domain_use_interactive_fds($1_dbusd_t) - domain_read_all_domains_state($1_dbusd_t) - - files_read_etc_files($1_dbusd_t) - files_list_home($1_dbusd_t) - files_read_usr_files($1_dbusd_t) - files_dontaudit_search_var($1_dbusd_t) - - fs_getattr_romfs($1_dbusd_t) - fs_getattr_xattr_fs($1_dbusd_t) - fs_list_inotifyfs($1_dbusd_t) - fs_dontaudit_list_nfs($1_dbusd_t) - - selinux_get_fs_mount($1_dbusd_t) - selinux_validate_context($1_dbusd_t) - selinux_compute_access_vector($1_dbusd_t) - selinux_compute_create_context($1_dbusd_t) - selinux_compute_relabel_context($1_dbusd_t) - selinux_compute_user_contexts($1_dbusd_t) - - auth_read_pam_console_data($1_dbusd_t) - auth_use_nsswitch($1_dbusd_t) - - logging_send_audit_msgs($1_dbusd_t) - logging_send_syslog_msg($1_dbusd_t) - - miscfiles_read_localization($1_dbusd_t) - - seutil_read_config($1_dbusd_t) - seutil_read_default_contexts($1_dbusd_t) - - term_use_all_terms($1_dbusd_t) - - userdom_dontaudit_search_admin_dir($1_dbusd_t) - userdom_manage_user_home_content_dirs($1_dbusd_t) - userdom_manage_user_home_content_files($1_dbusd_t) - userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file }) - - ifdef(`hide_broken_symptoms',` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; - ') - - optional_policy(` - gnome_read_gconf_home_files($1_dbusd_t) - ') - - optional_policy(` - hal_dbus_chat($1_dbusd_t) - ') - - optional_policy(` - xserver_search_xdm_lib($1_dbusd_t) - xserver_use_xdm_fds($1_dbusd_t) - xserver_rw_xdm_pipes($1_dbusd_t) - ') -') - -####################################### -## -## Template for creating connections to -## the system DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_system_bus_client',` - gen_require(` - type system_dbusd_t, system_dbusd_t; - type system_dbusd_var_run_t, system_dbusd_var_lib_t; - class dbus send_msg; - attribute dbusd_unconfined; - ') - - # SE-DBus specific permissions - allow $1 { system_dbusd_t self }:dbus send_msg; - allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; - - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - files_search_var_lib($1) - - # For connecting to the bus - files_search_pids($1) - stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) - dbus_read_config($1) -') - -####################################### -## -## Template for creating connections to -## a user DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_session_bus_client',` - gen_require(` - attribute session_bus_type; - class dbus send_msg; - ') - - # SE-DBus specific permissions - allow $1 { session_bus_type self }:dbus send_msg; - - # For connecting to the bus - allow $1 session_bus_type:unix_stream_socket connectto; -') - -######################################## -## -## Send a message the session DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_send_session_bus',` - gen_require(` - attribute session_bus_type; - class dbus send_msg; - ') - - allow $1 session_bus_type:dbus send_msg; -') - -######################################## -## -## Read dbus configuration. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_read_config',` - gen_require(` - type dbusd_etc_t; - ') - - allow $1 dbusd_etc_t:dir list_dir_perms; - allow $1 dbusd_etc_t:file read_file_perms; -') - -######################################## -## -## Read system dbus lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_read_lib_files',` - gen_require(` - type system_dbusd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## system dbus lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_manage_lib_files',` - gen_require(` - type system_dbusd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) -') - -######################################## -## -## Connect to the system DBUS -## for service (acquire_svc). -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_connect_session_bus',` - gen_require(` - attribute session_bus_type; - class dbus acquire_svc; - ') - - allow $1 session_bus_type:dbus acquire_svc; -') - -######################################## -## -## Allow a application domain to be started -## by the session dbus. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an -## entry point to this domain. -## -## -# -interface(`dbus_session_domain',` - gen_require(` - attribute session_bus_type; - ') - - domtrans_pattern(session_bus_type, $2, $1) - - dbus_session_bus_client($1) - dbus_connect_session_bus($1) -') - -######################################## -## -## Connect to the system DBUS -## for service (acquire_svc). -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_connect_system_bus',` - gen_require(` - type system_dbusd_t; - class dbus acquire_svc; - ') - - allow $1 system_dbusd_t:dbus acquire_svc; -') - -######################################## -## -## Send a message on the system DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_send_system_bus',` - gen_require(` - type system_dbusd_t; - class dbus send_msg; - ') - - allow $1 system_dbusd_t:dbus send_msg; -') - -######################################## -## -## Allow unconfined access to the system DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_system_bus_unconfined',` - gen_require(` - type system_dbusd_t; - class dbus all_dbus_perms; - ') - - allow $1 system_dbusd_t:dbus *; -') - -######################################## -## -## Create a domain for processes -## which can be started by the system dbus -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# -interface(`dbus_system_domain',` - gen_require(` - type system_dbusd_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(system_dbusd_t, $2, $1) - - fs_search_all($1) - - dbus_system_bus_client($1) - dbus_connect_system_bus($1) - - init_stream_connect($1) - - ps_process_pattern(system_dbusd_t, $1) - - userdom_dontaudit_search_admin_dir($1) - userdom_read_all_users_state($1) - - optional_policy(` - rpm_script_dbus_chat($1) - ') - - optional_policy(` - unconfined_dbus_send($1) - ') - - ifdef(`hide_broken_symptoms',` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') -') - -######################################## -## -## Dontaudit Read, and write system dbus TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` - gen_require(` - type system_dbusd_t; - ') - - allow $1 system_dbusd_t:tcp_socket { read write }; - allow $1 system_dbusd_t:fd use; -') - -######################################## -## -## Allow unconfined access to the system DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_unconfined',` - gen_require(` - attribute dbusd_unconfined; - ') - - typeattribute $1 dbusd_unconfined; -') - -######################################## -## -## Delete all dbus pid files -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_delete_pid_files',` - gen_require(` - type system_dbusd_var_run_t; - ') - - files_search_pids($1) - delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te deleted file mode 100644 index d9416fc..0000000 --- a/policy/modules/services/dbus.te +++ /dev/null @@ -1,180 +0,0 @@ -policy_module(dbus, 1.13.0) - -gen_require(` - class dbus all_dbus_perms; -') - -############################## -# -# Delcarations -# - -attribute dbusd_unconfined; -attribute session_bus_type; - -type dbusd_etc_t; -files_config_file(dbusd_etc_t) - -type dbusd_exec_t; -corecmd_executable_file(dbusd_exec_t) -typealias dbusd_exec_t alias system_dbusd_exec_t; - -type session_dbusd_tmp_t; -typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; -typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; -files_tmp_file(session_dbusd_tmp_t) -ubac_constrained(session_dbusd_tmp_t) - -type system_dbusd_t; -init_system_domain(system_dbusd_t, dbusd_exec_t) - -type system_dbusd_tmp_t; -files_tmp_file(system_dbusd_tmp_t) - -type system_dbusd_var_lib_t; -files_type(system_dbusd_var_lib_t) - -type system_dbusd_var_run_t; -files_pid_file(system_dbusd_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) -') - -############################## -# -# System bus local policy -# - -# dac_override: /var/run/dbus is owned by messagebus on Debian -# cjp: dac_override should probably go in a distro_debian -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; -dontaudit system_dbusd_t self:capability sys_tty_config; -allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; -allow system_dbusd_t self:fifo_file rw_fifo_file_perms; -allow system_dbusd_t self:dbus { send_msg acquire_svc }; -allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -allow system_dbusd_t self:unix_dgram_socket create_socket_perms; -# Receive notifications of policy reloads and enforcing status changes. -allow system_dbusd_t self:netlink_selinux_socket { create bind read }; - -can_exec(system_dbusd_t, dbusd_exec_t) - -allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; -read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) -read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) - -manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) -manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) -files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) - -read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - -manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) - -kernel_read_system_state(system_dbusd_t) -kernel_read_kernel_sysctls(system_dbusd_t) - -dev_read_urand(system_dbusd_t) -dev_read_sysfs(system_dbusd_t) - -fs_getattr_all_fs(system_dbusd_t) -fs_list_inotifyfs(system_dbusd_t) -fs_search_auto_mountpoints(system_dbusd_t) -fs_dontaudit_list_nfs(system_dbusd_t) - -mls_fd_use_all_levels(system_dbusd_t) -mls_rangetrans_target(system_dbusd_t) -mls_file_read_all_levels(system_dbusd_t) -mls_socket_write_all_levels(system_dbusd_t) -mls_socket_read_to_clearance(system_dbusd_t) -mls_dbus_recv_all_levels(system_dbusd_t) - -selinux_get_fs_mount(system_dbusd_t) -selinux_validate_context(system_dbusd_t) -selinux_compute_access_vector(system_dbusd_t) -selinux_compute_create_context(system_dbusd_t) -selinux_compute_relabel_context(system_dbusd_t) -selinux_compute_user_contexts(system_dbusd_t) - -term_dontaudit_use_console(system_dbusd_t) - -auth_use_nsswitch(system_dbusd_t) -auth_read_pam_console_data(system_dbusd_t) - -corecmd_list_bin(system_dbusd_t) -corecmd_read_bin_pipes(system_dbusd_t) -corecmd_read_bin_sockets(system_dbusd_t) - -domain_use_interactive_fds(system_dbusd_t) -domain_read_all_domains_state(system_dbusd_t) - -files_read_etc_files(system_dbusd_t) -files_list_home(system_dbusd_t) -files_read_usr_files(system_dbusd_t) - -init_use_fds(system_dbusd_t) -init_use_script_ptys(system_dbusd_t) -init_bin_domtrans_spec(system_dbusd_t) -init_domtrans_script(system_dbusd_t) -init_rw_stream_sockets(system_dbusd_t) - -logging_send_audit_msgs(system_dbusd_t) -logging_send_syslog_msg(system_dbusd_t) - -miscfiles_read_localization(system_dbusd_t) -miscfiles_read_generic_certs(system_dbusd_t) - -seutil_read_config(system_dbusd_t) -seutil_read_default_contexts(system_dbusd_t) -seutil_sigchld_newrole(system_dbusd_t) - -userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) -userdom_dontaudit_search_user_home_dirs(system_dbusd_t) - -optional_policy(` - bind_domtrans(system_dbusd_t) -') - -optional_policy(` - gnome_exec_gconf(system_dbusd_t) -') - -optional_policy(` - networkmanager_initrc_domtrans(system_dbusd_t) -') - -optional_policy(` - policykit_dbus_chat(system_dbusd_t) - policykit_domtrans_auth(system_dbusd_t) - policykit_search_lib(system_dbusd_t) -') - -optional_policy(` - sysnet_domtrans_dhcpc(system_dbusd_t) -') - -optional_policy(` - udev_read_db(system_dbusd_t) -') - -######################################## -# -# Unconfined access to this module -# -allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; -allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; -allow session_bus_type dbusd_unconfined:dbus send_msg; - -optional_policy(` - xserver_use_xdm_fds(session_bus_type) - xserver_rw_xdm_pipes(session_bus_type) - xserver_append_xdm_home_files(session_bus_type) -') diff --git a/policy/modules/services/dcc.fc b/policy/modules/services/dcc.fc deleted file mode 100644 index ecda170..0000000 --- a/policy/modules/services/dcc.fc +++ /dev/null @@ -1,21 +0,0 @@ -/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) -/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - -/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0) -/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0) - -/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) -/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) -/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) -/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) - -/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - -/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - -/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) -/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) -/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if deleted file mode 100644 index bf65e7d..0000000 --- a/policy/modules/services/dcc.if +++ /dev/null @@ -1,173 +0,0 @@ -## Distributed checksum clearinghouse spam filtering - -######################################## -## -## Execute cdcc in the cdcc domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dcc_domtrans_cdcc',` - gen_require(` - type cdcc_t, cdcc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cdcc_exec_t, cdcc_t) -') - -######################################## -## -## Execute cdcc in the cdcc domain, and -## allow the specified role the cdcc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`dcc_run_cdcc',` - gen_require(` - type cdcc_t; - ') - - dcc_domtrans_cdcc($1) - role $2 types cdcc_t; -') - -######################################## -## -## Execute dcc_client in the dcc_client domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dcc_domtrans_client',` - gen_require(` - type dcc_client_t, dcc_client_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dcc_client_exec_t, dcc_client_t) -') - -######################################## -## -## Send a signal to the dcc_client. -## -## -## -## Domain allowed access. -## -## -# -interface(`dcc_signal_client',` - gen_require(` - type dcc_client_t; - ') - - allow $1 dcc_client_t:process signal; -') - -######################################## -## -## Execute dcc_client in the dcc_client domain, and -## allow the specified role the dcc_client domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`dcc_run_client',` - gen_require(` - type dcc_client_t; - ') - - dcc_domtrans_client($1) - role $2 types dcc_client_t; -') - -######################################## -## -## Execute dbclean in the dcc_dbclean domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dcc_domtrans_dbclean',` - gen_require(` - type dcc_dbclean_t, dcc_dbclean_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t) -') - -######################################## -## -## Execute dbclean in the dcc_dbclean domain, and -## allow the specified role the dcc_dbclean domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`dcc_run_dbclean',` - gen_require(` - type dcc_dbclean_t; - ') - - dcc_domtrans_dbclean($1) - role $2 types dcc_dbclean_t; -') - -######################################## -## -## Connect to dccifd over a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`dcc_stream_connect_dccifd',` - gen_require(` - type dcc_var_t, dccifd_var_run_t, dccifd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) -') diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te deleted file mode 100644 index 8bab059..0000000 --- a/policy/modules/services/dcc.te +++ /dev/null @@ -1,404 +0,0 @@ -policy_module(dcc, 1.9.1) - -######################################## -# -# Declarations -# - -type cdcc_t; -type cdcc_exec_t; -application_domain(cdcc_t, cdcc_exec_t) -role system_r types cdcc_t; - -type cdcc_tmp_t; -files_tmp_file(cdcc_tmp_t) - -type dcc_client_t; -type dcc_client_exec_t; -application_domain(dcc_client_t, dcc_client_exec_t) -role system_r types dcc_client_t; - -type dcc_client_map_t; -files_type(dcc_client_map_t) - -type dcc_client_tmp_t; -files_tmp_file(dcc_client_tmp_t) - -type dcc_dbclean_t; -type dcc_dbclean_exec_t; -application_domain(dcc_dbclean_t, dcc_dbclean_exec_t) -role system_r types dcc_dbclean_t; - -type dcc_dbclean_tmp_t; -files_tmp_file(dcc_dbclean_tmp_t) - -type dcc_var_t; -files_type(dcc_var_t) - -type dcc_var_run_t; -files_type(dcc_var_run_t) - -type dccd_t; -type dccd_exec_t; -init_daemon_domain(dccd_t, dccd_exec_t) - -type dccd_tmp_t; -files_tmp_file(dccd_tmp_t) - -type dccd_var_run_t; -files_pid_file(dccd_var_run_t) - -type dccifd_t; -type dccifd_exec_t; -init_daemon_domain(dccifd_t, dccifd_exec_t) - -type dccifd_tmp_t; -files_tmp_file(dccifd_tmp_t) - -type dccifd_var_run_t; -files_pid_file(dccifd_var_run_t) - -type dccm_t; -type dccm_exec_t; -init_daemon_domain(dccm_t, dccm_exec_t) - -type dccm_tmp_t; -files_tmp_file(dccm_tmp_t) - -type dccm_var_run_t; -files_pid_file(dccm_var_run_t) - -# NOTE: DCC has writeable files in /etc/dcc that should probably be in -# /var/lib/dcc. For now this policy supports both directories being -# writable. - -# cjp: dccifd and dccm should be merged, as -# they have the same rules. - -######################################## -# -# dcc daemon controller local policy -# - -allow cdcc_t self:capability { setuid setgid }; -allow cdcc_t self:unix_dgram_socket create_socket_perms; -allow cdcc_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) -manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) -files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir }) - -allow cdcc_t dcc_client_map_t:file rw_file_perms; - -# Access files in /var/dcc. The map file can be updated -allow cdcc_t dcc_var_t:dir list_dir_perms; -read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) -read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) - -corenet_all_recvfrom_unlabeled(cdcc_t) -corenet_all_recvfrom_netlabel(cdcc_t) -corenet_udp_sendrecv_generic_if(cdcc_t) -corenet_udp_sendrecv_generic_node(cdcc_t) -corenet_udp_sendrecv_all_ports(cdcc_t) - -files_read_etc_files(cdcc_t) -files_read_etc_runtime_files(cdcc_t) - -auth_use_nsswitch(cdcc_t) - -logging_send_syslog_msg(cdcc_t) - -miscfiles_read_localization(cdcc_t) - -userdom_use_user_terminals(cdcc_t) - -######################################## -# -# dcc procmail interface local policy -# - -allow dcc_client_t self:capability { setuid setgid }; -allow dcc_client_t self:unix_dgram_socket create_socket_perms; -allow dcc_client_t self:udp_socket create_socket_perms; - -allow dcc_client_t dcc_client_map_t:file rw_file_perms; - -manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) -manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) -files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) - -# Access files in /var/dcc. The map file can be updated -allow dcc_client_t dcc_var_t:dir list_dir_perms; -manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) -read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) - -kernel_read_system_state(dcc_client_t) - -corenet_all_recvfrom_unlabeled(dcc_client_t) -corenet_all_recvfrom_netlabel(dcc_client_t) -corenet_udp_sendrecv_generic_if(dcc_client_t) -corenet_udp_sendrecv_generic_node(dcc_client_t) -corenet_udp_sendrecv_all_ports(dcc_client_t) -corenet_udp_bind_generic_node(dcc_client_t) - -files_read_etc_files(dcc_client_t) -files_read_etc_runtime_files(dcc_client_t) - -fs_getattr_all_fs(dcc_client_t) - -auth_use_nsswitch(dcc_client_t) - -logging_send_syslog_msg(dcc_client_t) - -miscfiles_read_localization(dcc_client_t) - -userdom_use_user_terminals(dcc_client_t) - -optional_policy(` - amavis_read_spool_files(dcc_client_t) -') - -optional_policy(` - spamassassin_read_spamd_tmp_files(dcc_client_t) -') - -######################################## -# -# Database cleanup tool local policy -# - -allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms; -allow dcc_dbclean_t self:udp_socket create_socket_perms; - -allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms; - -manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t) -manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t) -files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir }) - -manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) - -kernel_read_system_state(dcc_dbclean_t) - -corenet_all_recvfrom_unlabeled(dcc_dbclean_t) -corenet_all_recvfrom_netlabel(dcc_dbclean_t) -corenet_udp_sendrecv_generic_if(dcc_dbclean_t) -corenet_udp_sendrecv_generic_node(dcc_dbclean_t) -corenet_udp_sendrecv_all_ports(dcc_dbclean_t) - -files_read_etc_files(dcc_dbclean_t) -files_read_etc_runtime_files(dcc_dbclean_t) - -auth_use_nsswitch(dcc_dbclean_t) - -logging_send_syslog_msg(dcc_dbclean_t) - -miscfiles_read_localization(dcc_dbclean_t) - -userdom_use_user_terminals(dcc_dbclean_t) - -######################################## -# -# Server daemon local policy -# - -allow dccd_t self:capability net_admin; -dontaudit dccd_t self:capability sys_tty_config; -allow dccd_t self:process signal_perms; -allow dccd_t self:unix_stream_socket create_socket_perms; -allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; -allow dccd_t self:udp_socket create_socket_perms; - -allow dccd_t dcc_client_map_t:file rw_file_perms; - -# Access files in /var/dcc. The map file can be updated -allow dccd_t dcc_var_t:dir list_dir_perms; -read_files_pattern(dccd_t, dcc_var_t, dcc_var_t) -read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t) - -# Runs the dbclean program -domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t) -corecmd_search_bin(dccd_t) - -# Updating dcc_db, flod, ... -manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t) - -manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) -manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) -files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir }) - -manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) -manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) -files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) - -kernel_read_system_state(dccd_t) -kernel_read_kernel_sysctls(dccd_t) - -corenet_all_recvfrom_unlabeled(dccd_t) -corenet_all_recvfrom_netlabel(dccd_t) -corenet_udp_sendrecv_generic_if(dccd_t) -corenet_udp_sendrecv_generic_node(dccd_t) -corenet_udp_sendrecv_all_ports(dccd_t) -corenet_udp_bind_generic_node(dccd_t) -corenet_udp_bind_dcc_port(dccd_t) -corenet_sendrecv_dcc_server_packets(dccd_t) - -dev_read_sysfs(dccd_t) - -domain_use_interactive_fds(dccd_t) - -files_read_etc_files(dccd_t) -files_read_etc_runtime_files(dccd_t) - -fs_getattr_all_fs(dccd_t) -fs_search_auto_mountpoints(dccd_t) - -auth_use_nsswitch(dccd_t) - -logging_send_syslog_msg(dccd_t) - -miscfiles_read_localization(dccd_t) - -userdom_dontaudit_use_unpriv_user_fds(dccd_t) -userdom_dontaudit_search_user_home_dirs(dccd_t) - -optional_policy(` - seutil_sigchld_newrole(dccd_t) -') - -optional_policy(` - udev_read_db(dccd_t) -') - -######################################## -# -# Spamassassin and general MTA persistent client local policy -# - -dontaudit dccifd_t self:capability sys_tty_config; -allow dccifd_t self:process signal_perms; -allow dccifd_t self:unix_stream_socket create_stream_socket_perms; -allow dccifd_t self:unix_dgram_socket create_socket_perms; -allow dccifd_t self:udp_socket create_socket_perms; - -allow dccifd_t dcc_client_map_t:file rw_file_perms; - -# Updating dcc_db, flod, ... -manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) - -manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t) -manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t) -files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir }) - -manage_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t) -manage_sock_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t) -filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file }) -files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) - -kernel_read_system_state(dccifd_t) -kernel_read_kernel_sysctls(dccifd_t) - -corenet_all_recvfrom_unlabeled(dccifd_t) -corenet_all_recvfrom_netlabel(dccifd_t) -corenet_udp_sendrecv_generic_if(dccifd_t) -corenet_udp_sendrecv_generic_node(dccifd_t) -corenet_udp_sendrecv_all_ports(dccifd_t) - -dev_read_sysfs(dccifd_t) - -domain_use_interactive_fds(dccifd_t) - -files_read_etc_files(dccifd_t) -files_read_etc_runtime_files(dccifd_t) - -fs_getattr_all_fs(dccifd_t) -fs_search_auto_mountpoints(dccifd_t) - -auth_use_nsswitch(dccifd_t) - -logging_send_syslog_msg(dccifd_t) - -miscfiles_read_localization(dccifd_t) - -userdom_dontaudit_use_unpriv_user_fds(dccifd_t) -userdom_dontaudit_search_user_home_dirs(dccifd_t) - -optional_policy(` - seutil_sigchld_newrole(dccifd_t) -') - -optional_policy(` - udev_read_db(dccifd_t) -') - -######################################## -# -# sendmail milter client local policy -# - -dontaudit dccm_t self:capability sys_tty_config; -allow dccm_t self:process signal_perms; -allow dccm_t self:unix_stream_socket create_stream_socket_perms; -allow dccm_t self:unix_dgram_socket create_socket_perms; -allow dccm_t self:udp_socket create_socket_perms; - -allow dccm_t dcc_client_map_t:file rw_file_perms; - -manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t) - -manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t) -manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t) -files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir }) - -manage_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t) -manage_sock_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t) -filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file }) -files_pid_filetrans(dccm_t, dccm_var_run_t, file) - -kernel_read_system_state(dccm_t) -kernel_read_kernel_sysctls(dccm_t) - -corenet_all_recvfrom_unlabeled(dccm_t) -corenet_all_recvfrom_netlabel(dccm_t) -corenet_udp_sendrecv_generic_if(dccm_t) -corenet_udp_sendrecv_generic_node(dccm_t) -corenet_udp_sendrecv_all_ports(dccm_t) - -dev_read_sysfs(dccm_t) - -domain_use_interactive_fds(dccm_t) - -files_read_etc_files(dccm_t) -files_read_etc_runtime_files(dccm_t) - -fs_getattr_all_fs(dccm_t) -fs_search_auto_mountpoints(dccm_t) - -auth_use_nsswitch(dccm_t) - -logging_send_syslog_msg(dccm_t) - -miscfiles_read_localization(dccm_t) - -userdom_dontaudit_use_unpriv_user_fds(dccm_t) -userdom_dontaudit_search_user_home_dirs(dccm_t) - -optional_policy(` - seutil_sigchld_newrole(dccm_t) -') - -optional_policy(` - udev_read_db(dccm_t) -') diff --git a/policy/modules/services/ddclient.fc b/policy/modules/services/ddclient.fc deleted file mode 100644 index 083c135..0000000 --- a/policy/modules/services/ddclient.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) -/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) -/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0) - -/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0) -/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0) - -/var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0) -/var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0) -/var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0) -/var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) -/var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if deleted file mode 100644 index da508f4..0000000 --- a/policy/modules/services/ddclient.if +++ /dev/null @@ -1,93 +0,0 @@ -## Update dynamic IP address at DynDNS.org - -####################################### -## -## Execute ddclient in the ddclient domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ddclient_domtrans',` - gen_require(` - type ddclient_t, ddclient_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ddclient_exec_t, ddclient_t) -') - -######################################## -## -## Execute ddclient daemon on behalf of a user or staff type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`ddclient_run',` - gen_require(` - type ddclient_t; - ') - - ddclient_domtrans($1) - role $2 types ddclient_t; -') - -######################################## -## -## All of the rules required to administrate -## an ddclient environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the ddclient domain. -## -## -## -# -interface(`ddclient_admin',` - gen_require(` - type ddclient_t, ddclient_etc_t, ddclient_log_t; - type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t; - type ddclient_var_run_t; - ') - - allow $1 ddclient_t:process { ptrace signal_perms }; - ps_process_pattern($1, ddclient_t) - - init_labeled_script_domtrans($1, ddclient_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ddclient_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, ddclient_etc_t) - - logging_list_logs($1) - admin_pattern($1, ddclient_log_t) - - files_list_var($1) - admin_pattern($1, ddclient_var_t) - - files_list_var_lib($1) - admin_pattern($1, ddclient_var_lib_t) - - files_list_pids($1) - admin_pattern($1, ddclient_var_run_t) -') diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te deleted file mode 100644 index 24ba98a..0000000 --- a/policy/modules/services/ddclient.te +++ /dev/null @@ -1,108 +0,0 @@ -policy_module(ddclient, 1.9.0) - -######################################## -# -# Declarations -# - -type ddclient_t; -type ddclient_exec_t; -init_daemon_domain(ddclient_t, ddclient_exec_t) - -type ddclient_etc_t; -files_config_file(ddclient_etc_t) - -type ddclient_initrc_exec_t; -init_script_file(ddclient_initrc_exec_t) - -type ddclient_log_t; -logging_log_file(ddclient_log_t) - -type ddclient_var_t; -files_type(ddclient_var_t) - -type ddclient_var_lib_t; -files_type(ddclient_var_lib_t) - -type ddclient_var_run_t; -files_pid_file(ddclient_var_run_t) - -######################################## -# -# Declarations -# - -dontaudit ddclient_t self:capability sys_tty_config; -allow ddclient_t self:process signal_perms; -allow ddclient_t self:fifo_file rw_fifo_file_perms; -allow ddclient_t self:tcp_socket create_socket_perms; -allow ddclient_t self:udp_socket create_socket_perms; - -allow ddclient_t ddclient_etc_t:file read_file_perms; - -allow ddclient_t ddclient_log_t:file manage_file_perms; -logging_log_filetrans(ddclient_t, ddclient_log_t, file) - -manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -files_var_filetrans(ddclient_t, ddclient_var_t, { file lnk_file sock_file fifo_file }) - -manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t) -files_var_lib_filetrans(ddclient_t, ddclient_var_lib_t, file) - -manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t) -files_pid_filetrans(ddclient_t, ddclient_var_run_t, file) - -kernel_read_system_state(ddclient_t) -kernel_read_network_state(ddclient_t) -kernel_read_software_raid_state(ddclient_t) -kernel_getattr_core_if(ddclient_t) -kernel_getattr_message_if(ddclient_t) -kernel_read_kernel_sysctls(ddclient_t) - -corecmd_exec_shell(ddclient_t) -corecmd_exec_bin(ddclient_t) - -corenet_all_recvfrom_unlabeled(ddclient_t) -corenet_all_recvfrom_netlabel(ddclient_t) -corenet_tcp_sendrecv_generic_if(ddclient_t) -corenet_udp_sendrecv_generic_if(ddclient_t) -corenet_tcp_sendrecv_generic_node(ddclient_t) -corenet_udp_sendrecv_generic_node(ddclient_t) -corenet_tcp_sendrecv_all_ports(ddclient_t) -corenet_udp_sendrecv_all_ports(ddclient_t) -corenet_tcp_connect_all_ports(ddclient_t) -corenet_sendrecv_all_client_packets(ddclient_t) - -dev_read_sysfs(ddclient_t) -dev_read_urand(ddclient_t) - -domain_use_interactive_fds(ddclient_t) - -files_read_etc_files(ddclient_t) -files_read_etc_runtime_files(ddclient_t) -files_read_usr_files(ddclient_t) - -fs_getattr_all_fs(ddclient_t) -fs_search_auto_mountpoints(ddclient_t) - -logging_send_syslog_msg(ddclient_t) - -miscfiles_read_localization(ddclient_t) - -sysnet_exec_ifconfig(ddclient_t) -sysnet_read_config(ddclient_t) - -userdom_dontaudit_use_unpriv_user_fds(ddclient_t) -userdom_dontaudit_search_user_home_dirs(ddclient_t) - -optional_policy(` - seutil_sigchld_newrole(ddclient_t) -') - -optional_policy(` - udev_read_db(ddclient_t) -') diff --git a/policy/modules/services/denyhosts.fc b/policy/modules/services/denyhosts.fc deleted file mode 100644 index 257fef6..0000000 --- a/policy/modules/services/denyhosts.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0) - -/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0) - -/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0) -/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0) -/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0) diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if deleted file mode 100644 index 9c9e65c..0000000 --- a/policy/modules/services/denyhosts.if +++ /dev/null @@ -1,86 +0,0 @@ -## DenyHosts SSH dictionary attack mitigation -## -##

-## DenyHosts is a script intended to be run by Linux -## system administrators to help thwart SSH server attacks -## (also known as dictionary based attacks and brute force -## attacks). -##

-##
- -######################################## -## -## Execute a domain transition to run denyhosts. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`denyhosts_domtrans',` - gen_require(` - type denyhosts_t, denyhosts_exec_t; - ') - - domtrans_pattern($1, denyhosts_exec_t, denyhosts_t) -') - -######################################## -## -## Execute denyhost server in the denyhost domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`denyhosts_initrc_domtrans',` - gen_require(` - type denyhosts_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, denyhosts_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an denyhosts environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`denyhosts_admin',` - gen_require(` - type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; - type denyhosts_var_log_t, denyhosts_initrc_exec_t; - ') - - allow $1 denyhosts_t:process { ptrace signal_perms }; - ps_process_pattern($1, denyhosts_t) - - denyhosts_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 denyhosts_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, denyhosts_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, denyhosts_var_log_t) - - files_list_locks($1) - admin_pattern($1, denyhosts_var_lock_t) -') diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te deleted file mode 100644 index b10da2c..0000000 --- a/policy/modules/services/denyhosts.te +++ /dev/null @@ -1,81 +0,0 @@ -policy_module(denyhosts, 1.0.0) - -######################################## -# -# DenyHosts personal declarations. -# - -type denyhosts_t; -type denyhosts_exec_t; -init_daemon_domain(denyhosts_t, denyhosts_exec_t) - -type denyhosts_initrc_exec_t; -init_script_file(denyhosts_initrc_exec_t) - -type denyhosts_var_lib_t; -files_type(denyhosts_var_lib_t) - -type denyhosts_var_lock_t; -files_lock_file(denyhosts_var_lock_t) - -type denyhosts_var_log_t; -logging_log_file(denyhosts_var_log_t) - -######################################## -# -# DenyHosts personal policy. -# -# Bug #588563 -allow denyhosts_t self:capability sys_tty_config; -allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; -allow denyhosts_t self:tcp_socket create_socket_perms; -allow denyhosts_t self:udp_socket create_socket_perms; - -manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t) -files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file) - -manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) -manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) -files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file }) - -append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) - -kernel_read_system_state(denyhosts_t) - -corecmd_exec_bin(denyhosts_t) - -corenet_all_recvfrom_unlabeled(denyhosts_t) -corenet_all_recvfrom_netlabel(denyhosts_t) -corenet_tcp_sendrecv_generic_if(denyhosts_t) -corenet_tcp_sendrecv_generic_node(denyhosts_t) -corenet_tcp_bind_generic_node(denyhosts_t) -corenet_tcp_connect_smtp_port(denyhosts_t) -corenet_tcp_connect_sype_port(denyhosts_t) -corenet_sendrecv_smtp_client_packets(denyhosts_t) - -dev_read_urand(denyhosts_t) - -files_read_etc_files(denyhosts_t) -files_read_usr_files(denyhosts_t) - -# /var/log/secure -logging_read_generic_logs(denyhosts_t) -logging_send_syslog_msg(denyhosts_t) - -miscfiles_read_localization(denyhosts_t) - -sysnet_dns_name_resolve(denyhosts_t) -sysnet_manage_config(denyhosts_t) -sysnet_etc_filetrans_config(denyhosts_t) - -optional_policy(` - cron_system_entry(denyhosts_t, denyhosts_exec_t) -') - -optional_policy(` - gnome_dontaudit_search_config(denyhosts_t) -') diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc deleted file mode 100644 index 418a5a0..0000000 --- a/policy/modules/services/devicekit.fc +++ /dev/null @@ -1,14 +0,0 @@ -/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) -/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) - -/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) - -/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if deleted file mode 100644 index ab2edfc..0000000 --- a/policy/modules/services/devicekit.if +++ /dev/null @@ -1,175 +0,0 @@ -## Devicekit modular hardware abstraction layer - -######################################## -## -## Execute a domain transition to run devicekit. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`devicekit_domtrans',` - gen_require(` - type devicekit_t, devicekit_exec_t; - ') - - domtrans_pattern($1, devicekit_exec_t, devicekit_t) -') - -######################################## -## -## Send to devicekit over a unix domain -## datagram socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_dgram_send',` - gen_require(` - type devicekit_t; - ') - - allow $1 devicekit_t:unix_dgram_socket sendto; -') - -######################################## -## -## Send and receive messages from -## devicekit over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_dbus_chat',` - gen_require(` - type devicekit_t; - class dbus send_msg; - ') - - allow $1 devicekit_t:dbus send_msg; - allow devicekit_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## devicekit disk over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_dbus_chat_disk',` - gen_require(` - type devicekit_disk_t; - class dbus send_msg; - ') - - allow $1 devicekit_disk_t:dbus send_msg; - allow devicekit_disk_t $1:dbus send_msg; -') - -######################################## -## -## Send signal devicekit power -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_signal_power',` - gen_require(` - type devicekit_power_t; - ') - - allow $1 devicekit_power_t:process signal; -') - -######################################## -## -## Send and receive messages from -## devicekit power over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_dbus_chat_power',` - gen_require(` - type devicekit_power_t; - class dbus send_msg; - ') - - allow $1 devicekit_power_t:dbus send_msg; - allow devicekit_power_t $1:dbus send_msg; -') - -######################################## -## -## Read devicekit PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_read_pid_files',` - gen_require(` - type devicekit_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) -') - -######################################## -## -## All of the rules required to administrate -## an devicekit environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`devicekit_admin',` - gen_require(` - type devicekit_t, devicekit_disk_t, devicekit_power_t; - type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; - ') - - allow $1 devicekit_t:process { ptrace signal_perms }; - ps_process_pattern($1, devicekit_t) - - allow $1 devicekit_disk_t:process { ptrace signal_perms }; - ps_process_pattern($1, devicekit_disk_t) - - allow $1 devicekit_power_t:process { ptrace signal_perms }; - ps_process_pattern($1, devicekit_power_t) - - admin_pattern($1, devicekit_tmp_t) - files_list_tmp($1) - - admin_pattern($1, devicekit_var_lib_t) - files_list_var_lib($1) - - admin_pattern($1, devicekit_var_run_t) - files_list_pids($1) -') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te deleted file mode 100644 index 184b4b5..0000000 --- a/policy/modules/services/devicekit.te +++ /dev/null @@ -1,315 +0,0 @@ -policy_module(devicekit, 1.1.0) - -######################################## -# -# Declarations -# - -type devicekit_t; -type devicekit_exec_t; -dbus_system_domain(devicekit_t, devicekit_exec_t) - -type devicekit_power_t; -type devicekit_power_exec_t; -dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) - -type devicekit_disk_t; -type devicekit_disk_exec_t; -dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) - -type devicekit_tmp_t; -files_tmp_file(devicekit_tmp_t) - -type devicekit_var_run_t; -files_pid_file(devicekit_var_run_t) - -type devicekit_var_lib_t; -files_type(devicekit_var_lib_t) - -######################################## -# -# DeviceKit local policy -# - -allow devicekit_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) -manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) -files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir }) - -kernel_read_system_state(devicekit_t) - -dev_read_sysfs(devicekit_t) -dev_read_urand(devicekit_t) - -files_read_etc_files(devicekit_t) - -miscfiles_read_localization(devicekit_t) - -optional_policy(` - dbus_system_bus_client(devicekit_t) - - allow devicekit_t devicekit_disk_t:dbus send_msg; - allow devicekit_t devicekit_power_t:dbus send_msg; -') - -optional_policy(` - udev_read_db(devicekit_t) -') - -######################################## -# -# DeviceKit disk local policy -# - -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; -allow devicekit_disk_t self:process { getsched signal_perms }; -allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; -allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir }) - -manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) -manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) -files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) - -allow devicekit_disk_t devicekit_var_run_t:dir mounton; -manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) -manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) -files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) - -kernel_list_unlabeled(devicekit_disk_t) -kernel_getattr_message_if(devicekit_disk_t) -kernel_read_fs_sysctls(devicekit_disk_t) -kernel_read_network_state(devicekit_disk_t) -kernel_read_software_raid_state(devicekit_disk_t) -kernel_read_system_state(devicekit_disk_t) -kernel_request_load_module(devicekit_disk_t) -kernel_setsched(devicekit_disk_t) - -corecmd_exec_bin(devicekit_disk_t) -corecmd_exec_shell(devicekit_disk_t) -corecmd_getattr_all_executables(devicekit_disk_t) - -dev_rw_sysfs(devicekit_disk_t) -dev_read_urand(devicekit_disk_t) -dev_getattr_usbfs_dirs(devicekit_disk_t) -dev_manage_generic_files(devicekit_disk_t) -dev_getattr_all_chr_files(devicekit_disk_t) -dev_getattr_mtrr_dev(devicekit_disk_t) - -domain_getattr_all_pipes(devicekit_disk_t) -domain_getattr_all_sockets(devicekit_disk_t) -domain_getattr_all_stream_sockets(devicekit_disk_t) -domain_read_all_domains_state(devicekit_disk_t) - -files_dontaudit_read_all_symlinks(devicekit_disk_t) -files_getattr_all_sockets(devicekit_disk_t) -files_getattr_all_dirs(devicekit_disk_t) -files_getattr_all_files(devicekit_disk_t) -files_getattr_all_pipes(devicekit_disk_t) -files_manage_boot_dirs(devicekit_disk_t) -files_manage_isid_type_dirs(devicekit_disk_t) -files_manage_mnt_dirs(devicekit_disk_t) -files_read_etc_files(devicekit_disk_t) -files_read_etc_runtime_files(devicekit_disk_t) -files_read_usr_files(devicekit_disk_t) - -fs_list_inotifyfs(devicekit_disk_t) -fs_manage_fusefs_dirs(devicekit_disk_t) -fs_mount_all_fs(devicekit_disk_t) -fs_unmount_all_fs(devicekit_disk_t) -fs_search_all(devicekit_disk_t) - -mls_file_read_all_levels(devicekit_disk_t) -mls_file_write_to_clearance(devicekit_disk_t) - -storage_raw_read_fixed_disk(devicekit_disk_t) -storage_raw_write_fixed_disk(devicekit_disk_t) -storage_raw_read_removable_device(devicekit_disk_t) -storage_raw_write_removable_device(devicekit_disk_t) - -term_use_all_terms(devicekit_disk_t) - -auth_use_nsswitch(devicekit_disk_t) - -miscfiles_read_localization(devicekit_disk_t) - -userdom_read_all_users_state(devicekit_disk_t) -userdom_search_user_home_dirs(devicekit_disk_t) - -optional_policy(` - dbus_system_bus_client(devicekit_disk_t) - - allow devicekit_disk_t devicekit_t:dbus send_msg; - - optional_policy(` - consolekit_dbus_chat(devicekit_disk_t) - ') -') - -optional_policy(` - fstools_domtrans(devicekit_disk_t) -') - -optional_policy(` - lvm_domtrans(devicekit_disk_t) -') - -optional_policy(` - mount_domtrans(devicekit_disk_t) -') - -optional_policy(` - policykit_dbus_chat(devicekit_disk_t) - policykit_domtrans_auth(devicekit_disk_t) - policykit_read_lib(devicekit_disk_t) - policykit_read_reload(devicekit_disk_t) -') - -optional_policy(` - raid_domtrans_mdadm(devicekit_disk_t) -') - -optional_policy(` - udev_domtrans(devicekit_disk_t) - udev_read_db(devicekit_disk_t) -') - -optional_policy(` - virt_manage_images(devicekit_disk_t) -') - -optional_policy(` - unconfined_domain(devicekit_t) - unconfined_domain(devicekit_power_t) - unconfined_domain(devicekit_disk_t) -') - -######################################## -# -# DeviceKit-Power local policy -# - -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -allow devicekit_power_t self:process { getsched signal_perms }; -allow devicekit_power_t self:fifo_file rw_fifo_file_perms; -allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) -manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) -files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) - -manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) - -kernel_read_network_state(devicekit_power_t) -kernel_read_system_state(devicekit_power_t) -kernel_rw_hotplug_sysctls(devicekit_power_t) -kernel_rw_kernel_sysctl(devicekit_power_t) -kernel_search_debugfs(devicekit_power_t) -kernel_write_proc_files(devicekit_power_t) - -corecmd_exec_bin(devicekit_power_t) -corecmd_exec_shell(devicekit_power_t) - -consoletype_exec(devicekit_power_t) - -domain_read_all_domains_state(devicekit_power_t) - -dev_read_input(devicekit_power_t) -dev_rw_generic_usb_dev(devicekit_power_t) -dev_rw_generic_chr_files(devicekit_power_t) -dev_rw_netcontrol(devicekit_power_t) -dev_rw_sysfs(devicekit_power_t) -dev_read_rand(devicekit_power_t) - -files_read_kernel_img(devicekit_power_t) -files_read_etc_files(devicekit_power_t) -files_read_usr_files(devicekit_power_t) - -fs_list_inotifyfs(devicekit_power_t) -fs_getattr_all_fs(devicekit_power_t) - -term_use_all_terms(devicekit_power_t) - -auth_use_nsswitch(devicekit_power_t) - -miscfiles_read_localization(devicekit_power_t) - -modutils_domtrans_insmod(devicekit_power_t) - -sysnet_read_config(devicekit_power_t) -sysnet_domtrans_ifconfig(devicekit_power_t) -sysnet_domtrans_dhcpc(devicekit_power_t) - -userdom_read_all_users_state(devicekit_power_t) - -optional_policy(` - bootloader_domtrans(devicekit_power_t) -') - -optional_policy(` - cron_initrc_domtrans(devicekit_power_t) -') - -optional_policy(` - dbus_system_bus_client(devicekit_power_t) - - allow devicekit_power_t devicekit_t:dbus send_msg; - - optional_policy(` - consolekit_dbus_chat(devicekit_power_t) - ') - - optional_policy(` - networkmanager_dbus_chat(devicekit_power_t) - ') - - optional_policy(` - rpm_dbus_chat(devicekit_power_t) - ') -') - -optional_policy(` - fstools_domtrans(devicekit_power_t) -') - -optional_policy(` - gnome_read_home_config(devicekit_power_t) -') - -optional_policy(` - hal_domtrans_mac(devicekit_power_t) - hal_manage_log(devicekit_power_t) - hal_manage_pid_dirs(devicekit_power_t) - hal_manage_pid_files(devicekit_power_t) - hal_dbus_chat(devicekit_power_t) -') - -optional_policy(` - networkmanager_domtrans(devicekit_power_t) -') - -optional_policy(` - policykit_dbus_chat(devicekit_power_t) - policykit_domtrans_auth(devicekit_power_t) - policykit_read_lib(devicekit_power_t) - policykit_read_reload(devicekit_power_t) -') - -optional_policy(` - udev_read_db(devicekit_power_t) -') - -optional_policy(` - usbmuxd_stream_connect(devicekit_power_t) -') - -optional_policy(` - vbetool_domtrans(devicekit_power_t) -') diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc deleted file mode 100644 index 767e0c7..0000000 --- a/policy/modules/services/dhcp.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) - -/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) - -/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) -/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) - -/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if deleted file mode 100644 index 7e129ff..0000000 --- a/policy/modules/services/dhcp.if +++ /dev/null @@ -1,99 +0,0 @@ -## Dynamic host configuration protocol (DHCP) server - -######################################## -## -## Transition to dhcpd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dhcpd_domtrans',` - gen_require(` - type dhcpd_t, dhcpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dhcpd_exec_t, dhcpd_t) -') - -######################################## -## -## Set the attributes of the DCHP -## server state files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dhcpd_setattr_state_files',` - gen_require(` - type dhcpd_state_t; - ') - - sysnet_search_dhcp_state($1) - allow $1 dhcpd_state_t:file setattr_file_perms; -') - -######################################## -## -## Execute dhcp server in the dhcp domain. -## -## -## -## Domain allowed to transition. -## -## -# -# -interface(`dhcpd_initrc_domtrans',` - gen_require(` - type dhcpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an dhcp environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the dhcp domain. -## -## -## -# -interface(`dhcpd_admin',` - gen_require(` - type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; - type dhcpd_var_run_t, dhcpd_initrc_exec_t; - ') - - allow $1 dhcpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dhcpd_t) - - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dhcpd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, dhcpd_tmp_t) - - admin_pattern($1, dhcpd_state_t) - - files_list_pids($1) - admin_pattern($1, dhcpd_var_run_t) -') diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te deleted file mode 100644 index a307b51..0000000 --- a/policy/modules/services/dhcp.te +++ /dev/null @@ -1,128 +0,0 @@ -policy_module(dhcp, 1.9.0) - -######################################## -# -# Declarations -# - -type dhcpd_t; -type dhcpd_exec_t; -init_daemon_domain(dhcpd_t, dhcpd_exec_t) - -type dhcpd_initrc_exec_t; -init_script_file(dhcpd_initrc_exec_t) - -type dhcpd_state_t; -files_type(dhcpd_state_t) - -type dhcpd_tmp_t; -files_tmp_file(dhcpd_tmp_t) - -type dhcpd_var_run_t; -files_pid_file(dhcpd_var_run_t) - -######################################## -# -# Local policy -# - -allow dhcpd_t self:capability { net_raw sys_resource }; -dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; -allow dhcpd_t self:process signal_perms; -allow dhcpd_t self:fifo_file rw_fifo_file_perms; -allow dhcpd_t self:unix_dgram_socket create_socket_perms; -allow dhcpd_t self:unix_stream_socket create_socket_perms; -allow dhcpd_t self:tcp_socket create_stream_socket_perms; -allow dhcpd_t self:udp_socket create_socket_perms; -# Allow dhcpd_t to use packet sockets -allow dhcpd_t self:packet_socket create_socket_perms; -allow dhcpd_t self:rawip_socket create_socket_perms; - -can_exec(dhcpd_t, dhcpd_exec_t) - -manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t) -sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file) - -manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) -manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) -files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir }) - -manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t) -files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file) - -kernel_read_system_state(dhcpd_t) -kernel_read_kernel_sysctls(dhcpd_t) -kernel_read_network_state(dhcpd_t) - -corenet_all_recvfrom_unlabeled(dhcpd_t) -corenet_all_recvfrom_netlabel(dhcpd_t) -corenet_tcp_sendrecv_generic_if(dhcpd_t) -corenet_udp_sendrecv_generic_if(dhcpd_t) -corenet_raw_sendrecv_generic_if(dhcpd_t) -corenet_tcp_sendrecv_generic_node(dhcpd_t) -corenet_udp_sendrecv_generic_node(dhcpd_t) -corenet_raw_sendrecv_generic_node(dhcpd_t) -corenet_tcp_sendrecv_all_ports(dhcpd_t) -corenet_udp_sendrecv_all_ports(dhcpd_t) -corenet_tcp_bind_generic_node(dhcpd_t) -corenet_udp_bind_generic_node(dhcpd_t) -corenet_tcp_bind_dhcpd_port(dhcpd_t) -corenet_udp_bind_dhcpd_port(dhcpd_t) -corenet_udp_bind_pxe_port(dhcpd_t) -corenet_tcp_connect_all_ports(dhcpd_t) -corenet_sendrecv_dhcpd_server_packets(dhcpd_t) -corenet_sendrecv_pxe_server_packets(dhcpd_t) -corenet_sendrecv_all_client_packets(dhcpd_t) - -dev_read_sysfs(dhcpd_t) -dev_read_rand(dhcpd_t) -dev_read_urand(dhcpd_t) - -fs_getattr_all_fs(dhcpd_t) -fs_search_auto_mountpoints(dhcpd_t) - -corecmd_exec_bin(dhcpd_t) - -domain_use_interactive_fds(dhcpd_t) - -files_read_etc_files(dhcpd_t) -files_read_usr_files(dhcpd_t) -files_read_etc_runtime_files(dhcpd_t) -files_search_var_lib(dhcpd_t) - -auth_use_nsswitch(dhcpd_t) - -logging_send_syslog_msg(dhcpd_t) - -miscfiles_read_localization(dhcpd_t) - -sysnet_read_dhcp_config(dhcpd_t) - -userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -userdom_dontaudit_search_user_home_dirs(dhcpd_t) - -ifdef(`distro_gentoo',` - allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; -') - -optional_policy(` - # used for dynamic DNS - bind_read_dnssec_keys(dhcpd_t) -') - -optional_policy(` - cobbler_dontaudit_rw_log(dhcpd_t) -') - -optional_policy(` - dbus_system_bus_client(dhcpd_t) - dbus_connect_system_bus(dhcpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(dhcpd_t) -') - -optional_policy(` - udev_read_db(dhcpd_t) -') diff --git a/policy/modules/services/dictd.fc b/policy/modules/services/dictd.fc deleted file mode 100644 index 54f88c8..0000000 --- a/policy/modules/services/dictd.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0) - -/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0) - -/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) - -/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) - -/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if deleted file mode 100644 index a0d23ce..0000000 --- a/policy/modules/services/dictd.if +++ /dev/null @@ -1,57 +0,0 @@ -## Dictionary daemon - -######################################## -## -## Use dictionary services by connecting -## over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`dictd_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an dictd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the dictd domain. -## -## -## -# -interface(`dictd_admin',` - gen_require(` - type dictd_t, dictd_etc_t, dictd_var_lib_t; - type dictd_var_run_t, dictd_initrc_exec_t; - ') - - allow $1 dictd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dictd_t) - - init_labeled_script_domtrans($1, dictd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dictd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, dictd_etc_t) - - files_list_var_lib($1) - admin_pattern($1, dictd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, dictd_var_run_t) -') diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te deleted file mode 100644 index d2d9359..0000000 --- a/policy/modules/services/dictd.te +++ /dev/null @@ -1,98 +0,0 @@ -policy_module(dictd, 1.7.0) - -######################################## -# -# Declarations -# - -type dictd_t; -type dictd_exec_t; -init_daemon_domain(dictd_t, dictd_exec_t) - -type dictd_etc_t; -files_config_file(dictd_etc_t) - -type dictd_initrc_exec_t; -init_script_file(dictd_initrc_exec_t) - -type dictd_var_lib_t alias var_lib_dictd_t; -files_type(dictd_var_lib_t) - -type dictd_var_run_t; -files_pid_file(dictd_var_run_t) - -######################################## -# -# Local policy -# - -allow dictd_t self:capability { setuid setgid }; -dontaudit dictd_t self:capability sys_tty_config; -allow dictd_t self:process { signal_perms setpgid }; -allow dictd_t self:unix_stream_socket create_stream_socket_perms; -allow dictd_t self:tcp_socket create_stream_socket_perms; -allow dictd_t self:udp_socket create_socket_perms; - -allow dictd_t dictd_etc_t:file read_file_perms; -files_search_etc(dictd_t) - -allow dictd_t dictd_var_lib_t:dir list_dir_perms; -allow dictd_t dictd_var_lib_t:file read_file_perms; - -manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t) -files_pid_filetrans(dictd_t, dictd_var_run_t, file) - -kernel_read_system_state(dictd_t) -kernel_read_kernel_sysctls(dictd_t) - -corenet_all_recvfrom_unlabeled(dictd_t) -corenet_all_recvfrom_netlabel(dictd_t) -corenet_tcp_sendrecv_generic_if(dictd_t) -corenet_raw_sendrecv_generic_if(dictd_t) -corenet_udp_sendrecv_generic_if(dictd_t) -corenet_tcp_sendrecv_generic_node(dictd_t) -corenet_udp_sendrecv_generic_node(dictd_t) -corenet_raw_sendrecv_generic_node(dictd_t) -corenet_tcp_sendrecv_all_ports(dictd_t) -corenet_udp_sendrecv_all_ports(dictd_t) -corenet_tcp_bind_generic_node(dictd_t) -corenet_tcp_bind_dict_port(dictd_t) -corenet_sendrecv_dict_server_packets(dictd_t) - -dev_read_sysfs(dictd_t) - -fs_getattr_xattr_fs(dictd_t) -fs_search_auto_mountpoints(dictd_t) - -domain_use_interactive_fds(dictd_t) - -files_read_etc_files(dictd_t) -files_read_etc_runtime_files(dictd_t) -files_read_usr_files(dictd_t) -files_search_var_lib(dictd_t) -# for checking for nscd -files_dontaudit_search_pids(dictd_t) - -logging_send_syslog_msg(dictd_t) - -miscfiles_read_localization(dictd_t) - -sysnet_read_config(dictd_t) - -userdom_dontaudit_use_unpriv_user_fds(dictd_t) - -optional_policy(` - nis_use_ypbind(dictd_t) -') - -optional_policy(` - nscd_socket_use(dictd_t) -') - -optional_policy(` - seutil_sigchld_newrole(dictd_t) -') - -optional_policy(` - udev_read_db(dictd_t) -') diff --git a/policy/modules/services/distcc.fc b/policy/modules/services/distcc.fc deleted file mode 100644 index 6ce6b00..0000000 --- a/policy/modules/services/distcc.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/bin/distccd -- gen_context(system_u:object_r:distccd_exec_t,s0) diff --git a/policy/modules/services/distcc.if b/policy/modules/services/distcc.if deleted file mode 100644 index 926e959..0000000 --- a/policy/modules/services/distcc.if +++ /dev/null @@ -1 +0,0 @@ -## Distributed compiler daemon diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te deleted file mode 100644 index 54d93e8..0000000 --- a/policy/modules/services/distcc.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(distcc, 1.8.0) - -######################################## -# -# Declarations -# - -type distccd_t; -type distccd_exec_t; -init_daemon_domain(distccd_t, distccd_exec_t) - -type distccd_log_t; -logging_log_file(distccd_log_t) - -type distccd_tmp_t; -files_tmp_file(distccd_tmp_t) - -type distccd_var_run_t; -files_pid_file(distccd_var_run_t) - -######################################## -# -# Local policy -# - -allow distccd_t self:capability { setgid setuid }; -dontaudit distccd_t self:capability sys_tty_config; -allow distccd_t self:process { signal_perms setsched }; -allow distccd_t self:fifo_file rw_fifo_file_perms; -allow distccd_t self:netlink_route_socket r_netlink_socket_perms; -allow distccd_t self:tcp_socket create_stream_socket_perms; -allow distccd_t self:udp_socket create_socket_perms; - -allow distccd_t distccd_log_t:file manage_file_perms; -logging_log_filetrans(distccd_t, distccd_log_t, file) - -manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t) -manage_files_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t) -files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir }) - -manage_files_pattern(distccd_t, distccd_var_run_t, distccd_var_run_t) -files_pid_filetrans(distccd_t, distccd_var_run_t, file) - -kernel_read_system_state(distccd_t) -kernel_read_kernel_sysctls(distccd_t) - -corenet_all_recvfrom_unlabeled(distccd_t) -corenet_all_recvfrom_netlabel(distccd_t) -corenet_tcp_sendrecv_generic_if(distccd_t) -corenet_udp_sendrecv_generic_if(distccd_t) -corenet_tcp_sendrecv_generic_node(distccd_t) -corenet_udp_sendrecv_generic_node(distccd_t) -corenet_tcp_sendrecv_all_ports(distccd_t) -corenet_udp_sendrecv_all_ports(distccd_t) -corenet_tcp_bind_generic_node(distccd_t) -corenet_tcp_bind_distccd_port(distccd_t) -corenet_sendrecv_distccd_server_packets(distccd_t) - -dev_read_sysfs(distccd_t) - -fs_getattr_all_fs(distccd_t) -fs_search_auto_mountpoints(distccd_t) - -corecmd_exec_bin(distccd_t) -corecmd_read_bin_symlinks(distccd_t) - -domain_use_interactive_fds(distccd_t) - -files_read_etc_files(distccd_t) -files_read_etc_runtime_files(distccd_t) - -libs_exec_lib_files(distccd_t) - -logging_send_syslog_msg(distccd_t) - -miscfiles_read_localization(distccd_t) - -sysnet_read_config(distccd_t) - -userdom_dontaudit_use_unpriv_user_fds(distccd_t) -userdom_dontaudit_search_user_home_dirs(distccd_t) - -optional_policy(` - nis_use_ypbind(distccd_t) -') - -optional_policy(` - seutil_sigchld_newrole(distccd_t) -') - -optional_policy(` - udev_read_db(distccd_t) -') diff --git a/policy/modules/services/djbdns.fc b/policy/modules/services/djbdns.fc deleted file mode 100644 index fdb6652..0000000 --- a/policy/modules/services/djbdns.fc +++ /dev/null @@ -1,9 +0,0 @@ - -/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0) -/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0) -/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0) - -/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0) -/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0) -/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0) - diff --git a/policy/modules/services/djbdns.if b/policy/modules/services/djbdns.if deleted file mode 100644 index ade3079..0000000 --- a/policy/modules/services/djbdns.if +++ /dev/null @@ -1,90 +0,0 @@ -## small and secure DNS daemon - -######################################## -## -## Create a set of derived types for djbdns -## components that are directly supervised by daemontools. -## -## -## -## The prefix to be used for deriving type names. -## -## -# -template(`djbdns_daemontools_domain_template',` - - type djbdns_$1_t; - type djbdns_$1_exec_t; - type djbdns_$1_conf_t; - files_config_file(djbdns_$1_conf_t) - - domain_type(djbdns_$1_t) - domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t) - role system_r types djbdns_$1_t; - - daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t) - daemontools_read_svc(djbdns_$1_t) - - allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot }; - allow djbdns_$1_t self:process signal; - allow djbdns_$1_t self:fifo_file rw_fifo_file_perms; - allow djbdns_$1_t self:tcp_socket create_stream_socket_perms; - allow djbdns_$1_t self:udp_socket create_socket_perms; - - allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; - allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; - - corenet_all_recvfrom_unlabeled(djbdns_$1_t) - corenet_all_recvfrom_netlabel(djbdns_$1_t) - corenet_tcp_sendrecv_generic_if(djbdns_$1_t) - corenet_udp_sendrecv_generic_if(djbdns_$1_t) - corenet_tcp_sendrecv_generic_node(djbdns_$1_t) - corenet_udp_sendrecv_generic_node(djbdns_$1_t) - corenet_tcp_sendrecv_all_ports(djbdns_$1_t) - corenet_udp_sendrecv_all_ports(djbdns_$1_t) - corenet_tcp_bind_generic_node(djbdns_$1_t) - corenet_udp_bind_generic_node(djbdns_$1_t) - corenet_tcp_bind_dns_port(djbdns_$1_t) - corenet_udp_bind_dns_port(djbdns_$1_t) - corenet_udp_bind_generic_port(djbdns_$1_t) - corenet_sendrecv_dns_server_packets(djbdns_$1_t) - corenet_sendrecv_generic_server_packets(djbdns_$1_t) - - files_search_var(djbdns_$1_t) -') - -##################################### -## -## Allow search the djbdns-tinydns key ring. -## -## -## -## Domain allowed access. -## -## -# -interface(`djbdns_search_tinydns_keys',` - gen_require(` - type djbdns_tinydns_t; - ') - - allow $1 djbdns_tinydns_t:key search; -') - -##################################### -## -## Allow link to the djbdns-tinydns key ring. -## -## -## -## Domain allowed access. -## -## -# -interface(`djbdns_link_tinydns_keys',` - gen_require(` - type djbdns_tinydn_t; - ') - - allow $1 djbdns_tinydn_t:key link; -') diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te deleted file mode 100644 index 51e2ce8..0000000 --- a/policy/modules/services/djbdns.te +++ /dev/null @@ -1,49 +0,0 @@ -policy_module(djbdns, 1.4.1) - -######################################## -# -# Declarations -# - -type djbdns_axfrdns_t; -type djbdns_axfrdns_exec_t; -domain_type(djbdns_axfrdns_t) -domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) -role system_r types djbdns_axfrdns_t; - -type djbdns_axfrdns_conf_t; -files_config_file(djbdns_axfrdns_conf_t) - -djbdns_daemontools_domain_template(dnscache) - -djbdns_daemontools_domain_template(tinydns) - -######################################## -# -# Local policy for axfrdns component -# - -allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot }; - -allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms; -allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms; - -allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms; -allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms; - -allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms; -allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms; - -files_search_var(djbdns_axfrdns_t) - -daemontools_ipc_domain(djbdns_axfrdns_t) -daemontools_read_svc(djbdns_axfrdns_t) - -ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) - -######################################## -# -# Local policy for tinydns -# - -init_dontaudit_use_script_fds(djbdns_tinydns_t) diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc deleted file mode 100644 index dc1056c..0000000 --- a/policy/modules/services/dkim.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) - -/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) - -/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) - -/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/policy/modules/services/dkim.if b/policy/modules/services/dkim.if deleted file mode 100644 index 32d108a..0000000 --- a/policy/modules/services/dkim.if +++ /dev/null @@ -1 +0,0 @@ -## DomainKeys Identified Mail milter. diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te deleted file mode 100644 index 1b4983d..0000000 --- a/policy/modules/services/dkim.te +++ /dev/null @@ -1,31 +0,0 @@ -policy_module(dkim, 1.0.0) - -######################################## -# -# Declarations -# - -milter_template(dkim) - -# Type for the private key of dkim-filter -type dkim_milter_private_key_t; -files_type(dkim_milter_private_key_t) - -######################################## -# -# Local policy -# - -allow dkim_milter_t self:capability { setgid setuid }; - -read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) - -kernel_read_kernel_sysctls(dkim_milter_t) - -dev_read_urand(dkim_milter_t) - -files_read_etc_files(dkim_milter_t) - -sysnet_dns_name_resolve(dkim_milter_t) - -mta_read_config(dkim_milter_t) diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc deleted file mode 100644 index b886676..0000000 --- a/policy/modules/services/dnsmasq.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) -/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) - -/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) - -/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) -/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) - -/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0) - -/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if deleted file mode 100644 index c808b31..0000000 --- a/policy/modules/services/dnsmasq.if +++ /dev/null @@ -1,212 +0,0 @@ -## dnsmasq DNS forwarder and DHCP server - -######################################## -## -## Execute dnsmasq server in the dnsmasq domain. -## -## -## -## Domain allowed to transition. -## -## -# -# -interface(`dnsmasq_domtrans',` - gen_require(` - type dnsmasq_exec_t, dnsmasq_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) -') - -######################################## -## -## Execute the dnsmasq init script in the init script domain. -## -## -## -## Domain allowed to transition. -## -## -# -# -interface(`dnsmasq_initrc_domtrans',` - gen_require(` - type dnsmasq_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) -') - -######################################## -## -## Send dnsmasq a signal -## -## -## -## Domain allowed access. -## -## -# -# -interface(`dnsmasq_signal',` - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process signal; -') - -######################################## -## -## Send dnsmasq a signull -## -## -## -## Domain allowed access. -## -## -# -# -interface(`dnsmasq_signull',` - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process signull; -') - -######################################## -## -## Send dnsmasq a kill signal. -## -## -## -## Domain allowed access. -## -## -# -# -interface(`dnsmasq_kill',` - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process sigkill; -') - -######################################## -## -## Read dnsmasq config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dnsmasq_read_config',` - gen_require(` - type dnsmasq_etc_t; - ') - - read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) -') - -######################################## -## -## Write to dnsmasq config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dnsmasq_write_config',` - gen_require(` - type dnsmasq_etc_t; - ') - - write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) -') - -######################################## -## -## Delete dnsmasq pid files -## -## -## -## Domain allowed access. -## -## -# -interface(`dnsmasq_delete_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - - files_search_pids($1) - delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -') - -######################################## -## -## Read dnsmasq pid files -## -## -## -## Domain allowed access. -## -## -# -# -interface(`dnsmasq_read_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -') - -######################################## -## -## All of the rules required to administrate -## an dnsmasq environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the dnsmasq domain. -## -## -## -# -interface(`dnsmasq_admin',` - gen_require(` - type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; - type dnsmasq_initrc_exec_t; - ') - - allow $1 dnsmasq_t:process { ptrace signal_perms }; - ps_process_pattern($1, dnsmasq_t) - - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dnsmasq_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, dnsmasq_lease_t) - - files_list_pids($1) - admin_pattern($1, dnsmasq_var_run_t) -') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te deleted file mode 100644 index a50a8a7..0000000 --- a/policy/modules/services/dnsmasq.te +++ /dev/null @@ -1,121 +0,0 @@ -policy_module(dnsmasq, 1.9.0) - -######################################## -# -# Declarations -# - -type dnsmasq_t; -type dnsmasq_exec_t; -init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) - -type dnsmasq_initrc_exec_t; -init_script_file(dnsmasq_initrc_exec_t) - -type dnsmasq_etc_t; -files_config_file(dnsmasq_etc_t) - -type dnsmasq_lease_t; -files_type(dnsmasq_lease_t) - -type dnsmasq_var_log_t; -logging_log_file(dnsmasq_var_log_t) - -type dnsmasq_var_run_t; -files_pid_file(dnsmasq_var_run_t) - -######################################## -# -# Local policy -# - -allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw }; -dontaudit dnsmasq_t self:capability sys_tty_config; -allow dnsmasq_t self:process { getcap setcap signal_perms }; -allow dnsmasq_t self:fifo_file rw_fifo_file_perms; -allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write }; -allow dnsmasq_t self:tcp_socket create_stream_socket_perms; -allow dnsmasq_t self:udp_socket create_socket_perms; -allow dnsmasq_t self:packet_socket create_socket_perms; -allow dnsmasq_t self:rawip_socket create_socket_perms; - -read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) - -# dhcp leases -manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) -files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) - -manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) -logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) - -manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) -files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) - -kernel_read_kernel_sysctls(dnsmasq_t) -kernel_read_system_state(dnsmasq_t) - -corenet_all_recvfrom_unlabeled(dnsmasq_t) -corenet_all_recvfrom_netlabel(dnsmasq_t) -corenet_tcp_sendrecv_generic_if(dnsmasq_t) -corenet_udp_sendrecv_generic_if(dnsmasq_t) -corenet_raw_sendrecv_generic_if(dnsmasq_t) -corenet_tcp_sendrecv_generic_node(dnsmasq_t) -corenet_udp_sendrecv_generic_node(dnsmasq_t) -corenet_raw_sendrecv_generic_node(dnsmasq_t) -corenet_tcp_sendrecv_all_ports(dnsmasq_t) -corenet_udp_sendrecv_all_ports(dnsmasq_t) -corenet_tcp_bind_generic_node(dnsmasq_t) -corenet_udp_bind_generic_node(dnsmasq_t) -corenet_tcp_bind_dns_port(dnsmasq_t) -corenet_udp_bind_all_ports(dnsmasq_t) -corenet_sendrecv_dns_server_packets(dnsmasq_t) -corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) - -dev_read_sysfs(dnsmasq_t) -dev_read_urand(dnsmasq_t) - -domain_use_interactive_fds(dnsmasq_t) - -files_read_etc_files(dnsmasq_t) -files_read_etc_runtime_files(dnsmasq_t) - -fs_getattr_all_fs(dnsmasq_t) -fs_search_auto_mountpoints(dnsmasq_t) - -auth_use_nsswitch(dnsmasq_t) - -logging_send_syslog_msg(dnsmasq_t) - -miscfiles_read_localization(dnsmasq_t) - -userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) -userdom_dontaudit_search_user_home_dirs(dnsmasq_t) - -optional_policy(` - cobbler_read_lib_files(dnsmasq_t) -') - -optional_policy(` - cron_manage_pid_files(dnsmasq_t) -') - -optional_policy(` - dbus_system_bus_client(dnsmasq_t) -') - -optional_policy(` - seutil_sigchld_newrole(dnsmasq_t) -') - -optional_policy(` - tftp_read_content(dnsmasq_t) -') - -optional_policy(` - udev_read_db(dnsmasq_t) -') - -optional_policy(` - virt_manage_lib_files(dnsmasq_t) - virt_read_pid_files(dnsmasq_t) -') diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc deleted file mode 100644 index 9a1dcba..0000000 --- a/policy/modules/services/dovecot.fc +++ /dev/null @@ -1,43 +0,0 @@ - -# -# /etc -# -/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0) -/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) -/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - -/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) -/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) - -/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) -/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) - -ifdef(`distro_debian', ` -/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -') - -ifdef(`distro_redhat', ` -/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -') - -# -# /var -# -/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) -/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) - -/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) - -/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) -/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) - -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if deleted file mode 100644 index ee51a19..0000000 --- a/policy/modules/services/dovecot.if +++ /dev/null @@ -1,135 +0,0 @@ -## Dovecot POP and IMAP mail server - -######################################## -## -## Connect to dovecot auth unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`dovecot_stream_connect_auth',` - gen_require(` - type dovecot_auth_t, dovecot_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t) -') - -######################################## -## -## Execute dovecot_deliver in the dovecot_deliver domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dovecot_domtrans_deliver',` - gen_require(` - type dovecot_deliver_t, dovecot_deliver_exec_t; - ') - - domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) -') - -######################################## -## -## Create, read, write, and delete the dovecot spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dovecot_manage_spool',` - gen_require(` - type dovecot_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) - manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) -') - -######################################## -## -## Do not audit attempts to delete dovecot lib files. -## -## -## -## Domain to not audit. -## -## -# -interface(`dovecot_dontaudit_unlink_lib_files',` - gen_require(` - type dovecot_var_lib_t; - ') - - dontaudit $1 dovecot_var_lib_t:file unlink; -') - -######################################## -## -## All of the rules required to administrate -## an dovecot environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the dovecot domain. -## -## -## -# -interface(`dovecot_admin',` - gen_require(` - type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; - type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t; - type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t; - type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; - ') - - allow $1 dovecot_t:process { ptrace signal_perms }; - ps_process_pattern($1, dovecot_t) - - init_labeled_script_domtrans($1, dovecot_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dovecot_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, dovecot_etc_t) - - files_list_tmp($1) - admin_pattern($1, dovecot_auth_tmp_t) - admin_pattern($1, dovecot_tmp_t) - - admin_pattern($1, dovecot_keytab_t) - - files_list_spool($1) - admin_pattern($1, dovecot_spool_t) - - files_list_var_lib($1) - admin_pattern($1, dovecot_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, dovecot_var_log_t) - - files_list_pids($1) - admin_pattern($1, dovecot_var_run_t) - - admin_pattern($1, dovecot_cert_t) - - admin_pattern($1, dovecot_passwd_t) -') diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te deleted file mode 100644 index 396f956..0000000 --- a/policy/modules/services/dovecot.te +++ /dev/null @@ -1,329 +0,0 @@ -policy_module(dovecot, 1.12.0) - -######################################## -# -# Declarations -# -type dovecot_t; -type dovecot_exec_t; -init_daemon_domain(dovecot_t, dovecot_exec_t) - -type dovecot_auth_t; -type dovecot_auth_exec_t; -domain_type(dovecot_auth_t) -domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) -role system_r types dovecot_auth_t; - -type dovecot_auth_tmp_t; -files_tmp_file(dovecot_auth_tmp_t) - -type dovecot_cert_t; -miscfiles_cert_type(dovecot_cert_t) - -type dovecot_deliver_t; -type dovecot_deliver_exec_t; -domain_type(dovecot_deliver_t) -domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) -role system_r types dovecot_deliver_t; - -type dovecot_deliver_tmp_t; -files_tmp_file(dovecot_deliver_tmp_t) - -type dovecot_etc_t; -files_config_file(dovecot_etc_t) - -type dovecot_initrc_exec_t; -init_script_file(dovecot_initrc_exec_t) - -type dovecot_passwd_t; -files_type(dovecot_passwd_t) - -type dovecot_spool_t; -files_type(dovecot_spool_t) - -type dovecot_tmp_t; -files_tmp_file(dovecot_tmp_t) - -# /var/lib/dovecot holds SSL parameters file -type dovecot_var_lib_t; -files_type(dovecot_var_lib_t) - -type dovecot_var_log_t; -logging_log_file(dovecot_var_log_t) - -type dovecot_var_run_t; -files_pid_file(dovecot_var_run_t) - -######################################## -# -# dovecot local policy -# - -allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; -dontaudit dovecot_t self:capability sys_tty_config; -allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; -allow dovecot_t self:fifo_file rw_fifo_file_perms; -allow dovecot_t self:tcp_socket create_stream_socket_perms; -allow dovecot_t self:unix_dgram_socket create_socket_perms; -allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) - -allow dovecot_t dovecot_auth_t:process signal; - -allow dovecot_t dovecot_cert_t:dir list_dir_perms; -read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) - -allow dovecot_t dovecot_etc_t:dir list_dir_perms; -read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) -files_search_etc(dovecot_t) - -can_exec(dovecot_t, dovecot_exec_t) - -manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) -manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) -files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) - -# Allow dovecot to create and read SSL parameters file -manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) -files_search_var_lib(dovecot_t) -files_read_var_symlinks(dovecot_t) - -manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) - -manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) - -manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(dovecot_t) -kernel_read_system_state(dovecot_t) - -corenet_all_recvfrom_unlabeled(dovecot_t) -corenet_all_recvfrom_netlabel(dovecot_t) -corenet_tcp_sendrecv_generic_if(dovecot_t) -corenet_tcp_sendrecv_generic_node(dovecot_t) -corenet_tcp_sendrecv_all_ports(dovecot_t) -corenet_tcp_bind_generic_node(dovecot_t) -corenet_tcp_bind_mail_port(dovecot_t) -corenet_tcp_bind_pop_port(dovecot_t) -corenet_tcp_connect_all_ports(dovecot_t) -corenet_tcp_connect_postgresql_port(dovecot_t) -corenet_sendrecv_pop_server_packets(dovecot_t) -corenet_sendrecv_all_client_packets(dovecot_t) - -dev_read_sysfs(dovecot_t) -dev_read_urand(dovecot_t) - -fs_getattr_all_fs(dovecot_t) -fs_getattr_all_dirs(dovecot_t) -fs_search_auto_mountpoints(dovecot_t) -fs_list_inotifyfs(dovecot_t) - -corecmd_exec_bin(dovecot_t) - -domain_use_interactive_fds(dovecot_t) - -files_read_etc_files(dovecot_t) -files_search_spool(dovecot_t) -files_search_tmp(dovecot_t) -files_dontaudit_list_default(dovecot_t) -# Dovecot now has quota support and it uses getmntent() to find the mountpoints. -files_read_etc_runtime_files(dovecot_t) -files_search_all_mountpoints(dovecot_t) - -init_getattr_utmp(dovecot_t) - -auth_use_nsswitch(dovecot_t) - -logging_send_syslog_msg(dovecot_t) - -miscfiles_read_generic_certs(dovecot_t) -miscfiles_read_localization(dovecot_t) - -userdom_dontaudit_use_unpriv_user_fds(dovecot_t) -userdom_manage_user_home_content_dirs(dovecot_t) -userdom_manage_user_home_content_files(dovecot_t) -userdom_manage_user_home_content_symlinks(dovecot_t) -userdom_manage_user_home_content_pipes(dovecot_t) -userdom_manage_user_home_content_sockets(dovecot_t) -userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) - -mta_manage_spool(dovecot_t) - -optional_policy(` - kerberos_keytab_template(dovecot, dovecot_t) -') - -optional_policy(` - postfix_manage_private_sockets(dovecot_t) - postfix_search_spool(dovecot_t) -') - -optional_policy(` - postgresql_stream_connect(dovecot_t) -') - -optional_policy(` - seutil_sigchld_newrole(dovecot_t) -') - -optional_policy(` - squid_dontaudit_search_cache(dovecot_t) -') - -optional_policy(` - udev_read_db(dovecot_t) -') - -######################################## -# -# dovecot auth local policy -# - -allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; -allow dovecot_auth_t self:process { signal_perms getcap setcap }; -allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; -allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; -allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; - -allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; - -read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) - -manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) - -allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; -manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) -dovecot_stream_connect_auth(dovecot_auth_t) - -kernel_read_all_sysctls(dovecot_auth_t) -kernel_read_system_state(dovecot_auth_t) - -logging_send_audit_msgs(dovecot_auth_t) -logging_send_syslog_msg(dovecot_auth_t) - -dev_read_urand(dovecot_auth_t) - -auth_domtrans_chk_passwd(dovecot_auth_t) -auth_use_nsswitch(dovecot_auth_t) - -files_read_etc_files(dovecot_auth_t) -files_read_etc_runtime_files(dovecot_auth_t) -files_search_pids(dovecot_auth_t) -files_read_usr_files(dovecot_auth_t) -files_read_usr_symlinks(dovecot_auth_t) -files_read_var_lib_files(dovecot_auth_t) -files_search_tmp(dovecot_auth_t) -files_read_var_lib_files(dovecot_t) - -init_rw_utmp(dovecot_auth_t) - -miscfiles_read_localization(dovecot_auth_t) - -seutil_dontaudit_search_config(dovecot_auth_t) - -optional_policy(` - kerberos_use(dovecot_auth_t) - - # for gssapi (kerberos) - userdom_list_user_tmp(dovecot_auth_t) - userdom_read_user_tmp_files(dovecot_auth_t) - userdom_read_user_tmp_symlinks(dovecot_auth_t) -') - -optional_policy(` - mysql_search_db(dovecot_auth_t) - mysql_stream_connect(dovecot_auth_t) -') - -optional_policy(` - nis_authenticate(dovecot_auth_t) -') - -optional_policy(` - postfix_manage_private_sockets(dovecot_auth_t) - postfix_search_spool(dovecot_auth_t) -') - -######################################## -# -# dovecot deliver local policy -# -allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; - -allow dovecot_deliver_t dovecot_t:process signull; - -read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) -allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; - -allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; - -append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) - -manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) -manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) -files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) - -can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) - -kernel_read_all_sysctls(dovecot_deliver_t) -kernel_read_system_state(dovecot_deliver_t) - -corecmd_exec_bin(dovecot_deliver_t) - -files_read_etc_files(dovecot_deliver_t) -files_read_etc_runtime_files(dovecot_deliver_t) - -auth_use_nsswitch(dovecot_deliver_t) - -logging_send_syslog_msg(dovecot_deliver_t) -logging_append_all_logs(dovecot_deliver_t) - -miscfiles_read_localization(dovecot_deliver_t) - -dovecot_stream_connect_auth(dovecot_deliver_t) - -files_search_tmp(dovecot_deliver_t) - -fs_getattr_all_fs(dovecot_deliver_t) - -userdom_manage_user_home_content_dirs(dovecot_deliver_t) -userdom_manage_user_home_content_files(dovecot_deliver_t) -userdom_manage_user_home_content_symlinks(dovecot_deliver_t) -userdom_manage_user_home_content_pipes(dovecot_deliver_t) -userdom_manage_user_home_content_sockets(dovecot_deliver_t) -userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(dovecot_deliver_t) - fs_manage_nfs_files(dovecot_deliver_t) - fs_manage_nfs_symlinks(dovecot_deliver_t) - fs_manage_nfs_dirs(dovecot_t) - fs_manage_nfs_files(dovecot_t) - fs_manage_nfs_symlinks(dovecot_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(dovecot_deliver_t) - fs_manage_cifs_files(dovecot_deliver_t) - fs_manage_cifs_symlinks(dovecot_deliver_t) - fs_manage_cifs_dirs(dovecot_t) - fs_manage_cifs_files(dovecot_t) - fs_manage_cifs_symlinks(dovecot_t) -') - -optional_policy(` - mta_manage_spool(dovecot_deliver_t) - mta_read_queue(dovecot_deliver_t) -') diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc deleted file mode 100644 index c2570df..0000000 --- a/policy/modules/services/exim.fc +++ /dev/null @@ -1,11 +0,0 @@ - -/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0) - -/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) -/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) -/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) -/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) - -ifdef(`distro_debian',` -/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) -') diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if deleted file mode 100644 index 464669c..0000000 --- a/policy/modules/services/exim.if +++ /dev/null @@ -1,257 +0,0 @@ -## Exim mail transfer agent - -######################################## -## -## Execute a domain transition to run exim. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`exim_domtrans',` - gen_require(` - type exim_t, exim_exec_t; - ') - - domtrans_pattern($1, exim_exec_t, exim_t) -') - -######################################## -## -## Execute exim in the exim domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`exim_initrc_domtrans',` - gen_require(` - type exim_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, exim_initrc_exec_t) -') - -######################################## -## -## Do not audit attempts to read, -## exim tmp files -## -## -## -## Domain to not audit. -## -## -# -interface(`exim_dontaudit_read_tmp_files',` - gen_require(` - type exim_tmp_t; - ') - - dontaudit $1 exim_tmp_t:file read_file_perms; -') - -######################################## -## -## Allow domain to read, exim tmp files -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_read_tmp_files',` - gen_require(` - type exim_tmp_t; - ') - - allow $1 exim_tmp_t:file read_file_perms; - files_search_tmp($1) -') - -######################################## -## -## Read exim PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_read_pid_files',` - gen_require(` - type exim_var_run_t; - ') - - allow $1 exim_var_run_t:file read_file_perms; - files_search_pids($1) -') - -######################################## -## -## Allow the specified domain to read exim's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`exim_read_log',` - gen_require(` - type exim_log_t; - ') - - read_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) -') - -######################################## -## -## Allow the specified domain to append -## exim log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_append_log',` - gen_require(` - type exim_log_t; - ') - - append_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) -') - -######################################## -## -## Allow the specified domain to manage exim's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`exim_manage_log',` - gen_require(` - type exim_log_t; - ') - - manage_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) -') - -######################################## -## -## Create, read, write, and delete -## exim spool dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_manage_spool_dirs',` - gen_require(` - type exim_spool_t; - ') - - manage_dirs_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) -') - -######################################## -## -## Read exim spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_read_spool_files',` - gen_require(` - type exim_spool_t; - ') - - allow $1 exim_spool_t:file read_file_perms; - allow $1 exim_spool_t:dir list_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Create, read, write, and delete -## exim spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_manage_spool_files',` - gen_require(` - type exim_spool_t; - ') - - manage_files_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) -') - -######################################## -## -## All of the rules required to administrate -## an exim environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -# -interface(`exim_admin',` - gen_require(` - type exim_t, exim_initrc_exec_t, exim_log_t; - type exim_tmp_t, exim_spool_t, exim_var_run_t; - ') - - allow $1 exim_t:process { ptrace signal_perms }; - ps_process_pattern($1, exim_t) - - exim_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 exim_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, exim_log_t) - - files_list_tmp($1) - admin_pattern($1, exim_tmp_t) - - files_list_spool($1) - admin_pattern($1, exim_spool_t) - - files_list_pids($1) - admin_pattern($1, exim_var_run_t) -') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te deleted file mode 100644 index 18c3c33..0000000 --- a/policy/modules/services/exim.te +++ /dev/null @@ -1,211 +0,0 @@ -policy_module(exim, 1.5.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow exim to connect to databases (postgres, mysql) -##

-##
-gen_tunable(exim_can_connect_db, false) - -## -##

-## Allow exim to read unprivileged user files. -##

-##
-gen_tunable(exim_read_user_files, false) - -## -##

-## Allow exim to create, read, write, and delete -## unprivileged user files. -##

-##
-gen_tunable(exim_manage_user_files, false) - -type exim_t; -type exim_exec_t; -init_daemon_domain(exim_t, exim_exec_t) -mta_mailserver(exim_t, exim_exec_t) -mta_mailserver_user_agent(exim_t) -application_executable_file(exim_exec_t) -mta_agent_executable(exim_exec_t) - -type exim_initrc_exec_t; -init_script_file(exim_initrc_exec_t) - -type exim_log_t; -logging_log_file(exim_log_t) - -type exim_spool_t; -files_type(exim_spool_t) - -type exim_tmp_t; -files_tmp_file(exim_tmp_t) - -type exim_var_run_t; -files_pid_file(exim_var_run_t) - -######################################## -# -# exim local policy -# - -allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; -allow exim_t self:process { setrlimit setpgid }; -allow exim_t self:fifo_file rw_fifo_file_perms; -allow exim_t self:unix_stream_socket create_stream_socket_perms; -allow exim_t self:tcp_socket create_stream_socket_perms; -allow exim_t self:udp_socket create_socket_perms; - -can_exec(exim_t, exim_exec_t) - -manage_files_pattern(exim_t, exim_log_t, exim_log_t) -logging_log_filetrans(exim_t, exim_log_t, { file dir }) - -manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t) -manage_files_pattern(exim_t, exim_spool_t, exim_spool_t) -manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t) -files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file }) - -manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t) -manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t) -files_tmp_filetrans(exim_t, exim_tmp_t, { file dir }) - -manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t) -manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t) -files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(exim_t) -kernel_read_network_state(exim_t) -kernel_dontaudit_read_system_state(exim_t) - -corecmd_search_bin(exim_t) - -corenet_all_recvfrom_unlabeled(exim_t) -corenet_all_recvfrom_netlabel(exim_t) -corenet_tcp_sendrecv_generic_if(exim_t) -corenet_udp_sendrecv_generic_if(exim_t) -corenet_tcp_sendrecv_generic_node(exim_t) -corenet_udp_sendrecv_generic_node(exim_t) -corenet_tcp_sendrecv_all_ports(exim_t) -corenet_tcp_bind_generic_node(exim_t) -corenet_tcp_bind_smtp_port(exim_t) -corenet_tcp_bind_amavisd_send_port(exim_t) -corenet_tcp_connect_auth_port(exim_t) -corenet_tcp_connect_smtp_port(exim_t) -corenet_tcp_connect_ldap_port(exim_t) -corenet_tcp_connect_inetd_child_port(exim_t) -# connect to spamassassin -corenet_tcp_connect_spamd_port(exim_t) - -dev_read_rand(exim_t) -dev_read_urand(exim_t) - -# Init script handling -domain_use_interactive_fds(exim_t) - -files_search_usr(exim_t) -files_search_var(exim_t) -files_read_etc_files(exim_t) -files_read_etc_runtime_files(exim_t) -files_getattr_all_mountpoints(exim_t) - -fs_getattr_xattr_fs(exim_t) -fs_list_inotifyfs(exim_t) - -auth_use_nsswitch(exim_t) - -logging_send_syslog_msg(exim_t) - -miscfiles_read_localization(exim_t) -miscfiles_read_generic_certs(exim_t) - -userdom_dontaudit_search_user_home_dirs(exim_t) - -mta_read_aliases(exim_t) -mta_read_config(exim_t) -mta_manage_spool(exim_t) -mta_mailserver_delivery(exim_t) - -tunable_policy(`exim_can_connect_db',` - corenet_tcp_connect_mysqld_port(exim_t) - corenet_sendrecv_mysqld_client_packets(exim_t) - corenet_tcp_connect_postgresql_port(exim_t) - corenet_sendrecv_postgresql_client_packets(exim_t) -') - -tunable_policy(`exim_read_user_files',` - userdom_read_user_home_content_files(exim_t) - userdom_read_user_tmp_files(exim_t) -') - -tunable_policy(`exim_manage_user_files',` - userdom_manage_user_home_content_dirs(exim_t) - userdom_read_user_tmp_files(exim_t) - userdom_write_user_tmp_files(exim_t) -') - -optional_policy(` - clamav_domtrans_clamscan(exim_t) - clamav_stream_connect(exim_t) -') - -optional_policy(` - cron_read_pipes(exim_t) - cron_rw_system_job_pipes(exim_t) -') - -optional_policy(` - cyrus_stream_connect(exim_t) -') - -optional_policy(` - kerberos_keytab_template(exim, exim_t) -') - -optional_policy(` - mailman_read_data_files(exim_t) - mailman_domtrans(exim_t) -') - -optional_policy(` - nagios_search_spool(exim_t) -') - -optional_policy(` - tunable_policy(`exim_can_connect_db',` - mysql_stream_connect(exim_t) - ') -') - -optional_policy(` - tunable_policy(`exim_can_connect_db',` - postgresql_stream_connect(exim_t) - ') -') - -optional_policy(` - procmail_domtrans(exim_t) - procmail_read_home_files(exim_t) -') - -optional_policy(` - sasl_connect(exim_t) -') - -optional_policy(` - # https://bugzilla.redhat.com/show_bug.cgi?id=512710 - # uses sendmail for outgoing mail and exim - # for incoming mail - sendmail_manage_tmp_files(exim_t) -') - -optional_policy(` - spamassassin_exec(exim_t) - spamassassin_exec_client(exim_t) -') diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc deleted file mode 100644 index 0de2b83..0000000 --- a/policy/modules/services/fail2ban.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0) - -/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) -/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) - -/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) -/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) -/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if deleted file mode 100644 index 87f6bfb..0000000 --- a/policy/modules/services/fail2ban.if +++ /dev/null @@ -1,195 +0,0 @@ -## Update firewall filtering to ban IP addresses with too many password failures. - -######################################## -## -## Execute a domain transition to run fail2ban. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`fail2ban_domtrans',` - gen_require(` - type fail2ban_t, fail2ban_exec_t; - ') - - domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) -') - -##################################### -## -## Connect to fail2ban over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_stream_connect',` - gen_require(` - type fail2ban_t, fail2ban_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) -') - -######################################## -## -## Read and write to an fail2ban unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_rw_stream_sockets',` - gen_require(` - type fail2ban_t; - ') - - allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; -') - -######################################## -## -## Read fail2ban lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_read_lib_files',` - gen_require(` - type fail2ban_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 fail2ban_var_lib_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to read fail2ban's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fail2ban_read_log',` - gen_require(` - type fail2ban_log_t; - ') - - logging_search_logs($1) - allow $1 fail2ban_log_t:dir list_dir_perms; - allow $1 fail2ban_log_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to append -## fail2ban log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_append_log',` - gen_require(` - type fail2ban_log_t; - ') - - logging_search_logs($1) - allow $1 fail2ban_log_t:dir list_dir_perms; - allow $1 fail2ban_log_t:file append_file_perms; -') - -######################################## -## -## Read fail2ban PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_read_pid_files',` - gen_require(` - type fail2ban_var_run_t; - ') - - files_search_pids($1) - allow $1 fail2ban_var_run_t:file read_file_perms; -') - -######################################## -## -## dontaudit read and write an leaked file descriptors -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_dontaudit_leaks',` - gen_require(` - type fail2ban_t; - ') - - dontaudit $1 fail2ban_t:tcp_socket { read write }; - dontaudit $1 fail2ban_t:unix_dgram_socket { read write }; - dontaudit $1 fail2ban_t:unix_stream_socket { read write }; -') - -######################################## -## -## All of the rules required to administrate -## an fail2ban environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the fail2ban domain. -## -## -## -# -interface(`fail2ban_admin',` - gen_require(` - type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; - type fail2ban_var_run_t; - ') - - allow $1 fail2ban_t:process { ptrace signal_perms }; - ps_process_pattern($1, fail2ban_t) - - init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fail2ban_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, fail2ban_log_t) - - files_list_pids($1) - admin_pattern($1, fail2ban_var_run_t) -') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te deleted file mode 100644 index 0a4216c..0000000 --- a/policy/modules/services/fail2ban.te +++ /dev/null @@ -1,102 +0,0 @@ -policy_module(fail2ban, 1.4.0) - -######################################## -# -# Declarations -# - -type fail2ban_t; -type fail2ban_exec_t; -init_daemon_domain(fail2ban_t, fail2ban_exec_t) - -type fail2ban_initrc_exec_t; -init_script_file(fail2ban_initrc_exec_t) - -# log files -type fail2ban_log_t; -logging_log_file(fail2ban_log_t) - -type fail2ban_var_lib_t; -files_type(fail2ban_var_lib_t) - -# pid files -type fail2ban_var_run_t; -files_pid_file(fail2ban_var_run_t) - -######################################## -# -# fail2ban local policy -# - -allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; -allow fail2ban_t self:process signal; -allow fail2ban_t self:fifo_file rw_fifo_file_perms; -allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow fail2ban_t self:unix_dgram_socket create_socket_perms; -allow fail2ban_t self:tcp_socket create_stream_socket_perms; - -# log files -allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms; -manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) -logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) - -manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) -manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) -files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file }) - -# pid file -manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) - -kernel_read_system_state(fail2ban_t) - -corecmd_exec_bin(fail2ban_t) -corecmd_exec_shell(fail2ban_t) - -corenet_all_recvfrom_unlabeled(fail2ban_t) -corenet_all_recvfrom_netlabel(fail2ban_t) -corenet_tcp_sendrecv_generic_if(fail2ban_t) -corenet_tcp_sendrecv_generic_node(fail2ban_t) -corenet_tcp_sendrecv_all_ports(fail2ban_t) -corenet_tcp_connect_whois_port(fail2ban_t) -corenet_sendrecv_whois_client_packets(fail2ban_t) - -dev_read_urand(fail2ban_t) - -domain_use_interactive_fds(fail2ban_t) - -files_read_etc_files(fail2ban_t) -files_read_etc_runtime_files(fail2ban_t) -files_read_usr_files(fail2ban_t) -files_list_var(fail2ban_t) -files_search_var_lib(fail2ban_t) - -fs_list_inotifyfs(fail2ban_t) -fs_getattr_all_fs(fail2ban_t) - -auth_use_nsswitch(fail2ban_t) - -logging_read_all_logs(fail2ban_t) -logging_send_syslog_msg(fail2ban_t) - -miscfiles_read_localization(fail2ban_t) - -mta_send_mail(fail2ban_t) - -optional_policy(` - apache_read_log(fail2ban_t) -') - -optional_policy(` - ftp_read_log(fail2ban_t) -') - -optional_policy(` - gnome_dontaudit_search_config(fail2ban_t) -') - -optional_policy(` - iptables_domtrans(fail2ban_t) -') diff --git a/policy/modules/services/fetchmail.fc b/policy/modules/services/fetchmail.fc deleted file mode 100644 index 455c620..0000000 --- a/policy/modules/services/fetchmail.fc +++ /dev/null @@ -1,19 +0,0 @@ - -# -# /etc -# - -/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) - -# -# /usr -# - -/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0) - -# -# /var -# - -/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) -/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if deleted file mode 100644 index 7d64c0a..0000000 --- a/policy/modules/services/fetchmail.if +++ /dev/null @@ -1,31 +0,0 @@ -## Remote-mail retrieval and forwarding utility - -######################################## -## -## All of the rules required to administrate -## an fetchmail environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fetchmail_admin',` - gen_require(` - type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t; - type fetchmail_var_run_t; - ') - - allow $1 fetchmail_t:process { ptrace signal_perms }; - ps_process_pattern($1, fetchmail_t) - - files_list_etc($1) - admin_pattern($1, fetchmail_etc_t) - - admin_pattern($1, fetchmail_uidl_cache_t) - - files_list_pids($1) - admin_pattern($1, fetchmail_var_run_t) -') diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te deleted file mode 100644 index 870d101..0000000 --- a/policy/modules/services/fetchmail.te +++ /dev/null @@ -1,104 +0,0 @@ -policy_module(fetchmail, 1.10.1) - -######################################## -# -# Declarations -# - -type fetchmail_t; -type fetchmail_exec_t; -init_daemon_domain(fetchmail_t, fetchmail_exec_t) -application_executable_file(fetchmail_exec_t) - -type fetchmail_var_run_t; -files_pid_file(fetchmail_var_run_t) - -type fetchmail_etc_t; -files_config_file(fetchmail_etc_t) - -type fetchmail_uidl_cache_t; -files_type(fetchmail_uidl_cache_t) - -######################################## -# -# Local policy -# - -dontaudit fetchmail_t self:capability sys_tty_config; -allow fetchmail_t self:process { signal_perms setrlimit }; -allow fetchmail_t self:unix_dgram_socket create_socket_perms; -allow fetchmail_t self:unix_stream_socket create_stream_socket_perms; -allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms; -allow fetchmail_t self:tcp_socket create_socket_perms; -allow fetchmail_t self:udp_socket create_socket_perms; - -allow fetchmail_t fetchmail_etc_t:file read_file_perms; - -allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; -mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) - -manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) -manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) -files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(fetchmail_t) -kernel_list_proc(fetchmail_t) -kernel_getattr_proc_files(fetchmail_t) -kernel_read_proc_symlinks(fetchmail_t) -kernel_dontaudit_read_system_state(fetchmail_t) - -#looks like it uses system command - calls uname -corecmd_exec_bin(fetchmail_t) -corecmd_exec_shell(fetchmail_t) - -corenet_all_recvfrom_unlabeled(fetchmail_t) -corenet_all_recvfrom_netlabel(fetchmail_t) -corenet_tcp_sendrecv_generic_if(fetchmail_t) -corenet_udp_sendrecv_generic_if(fetchmail_t) -corenet_tcp_sendrecv_generic_node(fetchmail_t) -corenet_udp_sendrecv_generic_node(fetchmail_t) -corenet_tcp_sendrecv_dns_port(fetchmail_t) -corenet_udp_sendrecv_dns_port(fetchmail_t) -corenet_tcp_sendrecv_pop_port(fetchmail_t) -corenet_tcp_sendrecv_smtp_port(fetchmail_t) -corenet_tcp_connect_all_ports(fetchmail_t) -corenet_sendrecv_all_client_packets(fetchmail_t) - -dev_read_sysfs(fetchmail_t) -dev_read_rand(fetchmail_t) -dev_read_urand(fetchmail_t) - -files_read_etc_files(fetchmail_t) -files_read_etc_runtime_files(fetchmail_t) -files_dontaudit_search_home(fetchmail_t) - -fs_getattr_all_fs(fetchmail_t) -fs_search_auto_mountpoints(fetchmail_t) - -domain_use_interactive_fds(fetchmail_t) - -logging_send_syslog_msg(fetchmail_t) - -miscfiles_read_localization(fetchmail_t) -miscfiles_read_generic_certs(fetchmail_t) - -sysnet_read_config(fetchmail_t) - -userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) -userdom_dontaudit_search_user_home_dirs(fetchmail_t) - -optional_policy(` - procmail_domtrans(fetchmail_t) -') - -optional_policy(` - sendmail_manage_log(fetchmail_t) -') - -optional_policy(` - seutil_sigchld_newrole(fetchmail_t) -') - -optional_policy(` - udev_read_db(fetchmail_t) -') diff --git a/policy/modules/services/finger.fc b/policy/modules/services/finger.fc deleted file mode 100644 index c861192..0000000 --- a/policy/modules/services/finger.fc +++ /dev/null @@ -1,19 +0,0 @@ -# fingerd - -# -# /etc -# -/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0) - -/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) - -# -# /usr -# -/usr/sbin/in\.fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) -/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) - -# -# /var -# -/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0) diff --git a/policy/modules/services/finger.if b/policy/modules/services/finger.if deleted file mode 100644 index b5dd671..0000000 --- a/policy/modules/services/finger.if +++ /dev/null @@ -1,33 +0,0 @@ -## Finger user information service. - -######################################## -## -## Execute fingerd in the fingerd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`finger_domtrans',` - gen_require(` - type fingerd_t, fingerd_exec_t; - ') - - domtrans_pattern($1, fingerd_exec_t, fingerd_t) -') - -######################################## -## -## Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`finger_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te deleted file mode 100644 index 9b7036a..0000000 --- a/policy/modules/services/finger.te +++ /dev/null @@ -1,121 +0,0 @@ -policy_module(finger, 1.9.0) - -######################################## -# -# Declarations -# - -type fingerd_t; -type fingerd_exec_t; -init_daemon_domain(fingerd_t, fingerd_exec_t) -inetd_tcp_service_domain(fingerd_t, fingerd_exec_t) - -type fingerd_etc_t; -files_config_file(fingerd_etc_t) - -type fingerd_log_t; -logging_log_file(fingerd_log_t) - -type fingerd_var_run_t; -files_pid_file(fingerd_var_run_t) - -######################################## -# -# Local policy -# - -allow fingerd_t self:capability { setgid setuid }; -dontaudit fingerd_t self:capability { sys_tty_config fsetid }; -allow fingerd_t self:process signal_perms; -allow fingerd_t self:fifo_file rw_fifo_file_perms; -allow fingerd_t self:tcp_socket connected_stream_socket_perms; -allow fingerd_t self:udp_socket create_socket_perms; -allow fingerd_t self:unix_dgram_socket create_socket_perms; -allow fingerd_t self:unix_stream_socket create_socket_perms; - -manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t) -files_pid_filetrans(fingerd_t, fingerd_var_run_t, file) - -allow fingerd_t fingerd_etc_t:dir list_dir_perms; -read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t) -read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t) - -allow fingerd_t fingerd_log_t:file manage_file_perms; -logging_log_filetrans(fingerd_t, fingerd_log_t, file) - -kernel_read_kernel_sysctls(fingerd_t) -kernel_read_system_state(fingerd_t) - -corenet_all_recvfrom_unlabeled(fingerd_t) -corenet_all_recvfrom_netlabel(fingerd_t) -corenet_tcp_sendrecv_generic_if(fingerd_t) -corenet_udp_sendrecv_generic_if(fingerd_t) -corenet_tcp_sendrecv_generic_node(fingerd_t) -corenet_udp_sendrecv_generic_node(fingerd_t) -corenet_tcp_sendrecv_all_ports(fingerd_t) -corenet_udp_sendrecv_all_ports(fingerd_t) -corenet_tcp_bind_generic_node(fingerd_t) -corenet_tcp_bind_fingerd_port(fingerd_t) - -dev_read_sysfs(fingerd_t) - -fs_getattr_all_fs(fingerd_t) -fs_search_auto_mountpoints(fingerd_t) - -term_getattr_all_ttys(fingerd_t) -term_getattr_all_ptys(fingerd_t) - -auth_read_lastlog(fingerd_t) - -corecmd_exec_bin(fingerd_t) -corecmd_exec_shell(fingerd_t) - -domain_use_interactive_fds(fingerd_t) - -files_search_home(fingerd_t) -files_read_etc_files(fingerd_t) -files_read_etc_runtime_files(fingerd_t) - -init_read_utmp(fingerd_t) -init_dontaudit_write_utmp(fingerd_t) - -logging_send_syslog_msg(fingerd_t) - -mta_getattr_spool(fingerd_t) - -sysnet_read_config(fingerd_t) - -miscfiles_read_localization(fingerd_t) - -# stop it accessing sub-directories, prevents checking a Maildir for new mail, -# have to change this when we create a type for Maildir -userdom_read_user_home_content_files(fingerd_t) -userdom_dontaudit_use_unpriv_user_fds(fingerd_t) - -optional_policy(` - cron_system_entry(fingerd_t, fingerd_exec_t) -') - -optional_policy(` - logrotate_exec(fingerd_t) -') - -optional_policy(` - nis_use_ypbind(fingerd_t) -') - -optional_policy(` - nscd_socket_use(fingerd_t) -') - -optional_policy(` - seutil_sigchld_newrole(fingerd_t) -') - -optional_policy(` - tcpd_wrapped_domain(fingerd_t, fingerd_exec_t) -') - -optional_policy(` - udev_read_db(fingerd_t) -') diff --git a/policy/modules/services/fprintd.fc b/policy/modules/services/fprintd.fc deleted file mode 100644 index a4f5fb1..0000000 --- a/policy/modules/services/fprintd.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) -/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0) diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if deleted file mode 100644 index c02062c..0000000 --- a/policy/modules/services/fprintd.if +++ /dev/null @@ -1,40 +0,0 @@ -## DBus fingerprint reader service - -######################################## -## -## Execute a domain transition to run fprintd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`fprintd_domtrans',` - gen_require(` - type fprintd_t, fprintd_exec_t; - ') - - domtrans_pattern($1, fprintd_exec_t, fprintd_t) -') - -######################################## -## -## Send and receive messages from -## fprintd over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`fprintd_dbus_chat',` - gen_require(` - type fprintd_t; - class dbus send_msg; - ') - - allow $1 fprintd_t:dbus send_msg; - allow fprintd_t $1:dbus send_msg; -') diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te deleted file mode 100644 index 899feaf..0000000 --- a/policy/modules/services/fprintd.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(fprintd, 1.1.0) - -######################################## -# -# Declarations -# - -type fprintd_t; -type fprintd_exec_t; -dbus_system_domain(fprintd_t, fprintd_exec_t) - -type fprintd_var_lib_t; -files_type(fprintd_var_lib_t) - -######################################## -# -# Local policy -# - -allow fprintd_t self:capability { sys_nice sys_ptrace }; -allow fprintd_t self:fifo_file rw_fifo_file_perms; -allow fprintd_t self:process { getsched setsched signal }; - -manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file }) - -kernel_read_system_state(fprintd_t) - -corecmd_search_bin(fprintd_t) - -dev_list_usbfs(fprintd_t) -dev_rw_generic_usb_dev(fprintd_t) -dev_read_sysfs(fprintd_t) - -files_read_etc_files(fprintd_t) -files_read_usr_files(fprintd_t) - -fs_getattr_all_fs(fprintd_t) - -auth_use_nsswitch(fprintd_t) - -miscfiles_read_localization(fprintd_t) - -userdom_use_user_ptys(fprintd_t) -userdom_read_all_users_state(fprintd_t) - -optional_policy(` - consolekit_dbus_chat(fprintd_t) -') - -optional_policy(` - policykit_read_reload(fprintd_t) - policykit_read_lib(fprintd_t) - policykit_dbus_chat(fprintd_t) - policykit_domtrans_auth(fprintd_t) - policykit_dbus_chat_auth(fprintd_t) -') diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc deleted file mode 100644 index a9a9116..0000000 --- a/policy/modules/services/ftp.fc +++ /dev/null @@ -1,32 +0,0 @@ -# -# /etc -# -/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) -/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0) - -/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - -/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - -# -# /var -# -/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) - -/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) -/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) -/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) -/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) -/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) -/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if deleted file mode 100644 index 26cc64b..0000000 --- a/policy/modules/services/ftp.if +++ /dev/null @@ -1,186 +0,0 @@ -## File transfer protocol service - -####################################### -## -## Allow domain dyntransition to sftpd_anon domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ftp_dyntrans_anon_sftpd',` - gen_require(` - type anon_sftpd_t; - ') - - dyntrans_pattern($1, anon_sftpd_t); -') - -######################################## -## -## Use ftp by connecting over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`ftp_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read ftpd etc files -## -## -## -## Domain allowed access. -## -## -# -interface(`ftp_read_config',` - gen_require(` - type ftpd_etc_t; - ') - - files_search_etc($1) - allow $1 ftpd_etc_t:file read_file_perms; -') - -######################################## -## -## Read FTP transfer logs -## -## -## -## Domain allowed access. -## -## -# -interface(`ftp_read_log',` - gen_require(` - type xferlog_t; - ') - - logging_search_logs($1) - allow $1 xferlog_t:file read_file_perms; -') - -######################################## -## -## Execute the ftpdctl program in the ftpdctl domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ftp_domtrans_ftpdctl',` - gen_require(` - type ftpdctl_t, ftpdctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t) -') - -######################################## -## -## Execute the ftpdctl program in the ftpdctl domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the ftpdctl domain. -## -## -## -# -interface(`ftp_run_ftpdctl',` - gen_require(` - type ftpdctl_t; - ') - - ftp_domtrans_ftpdctl($1) - role $2 types ftpdctl_t; -') - -####################################### -## -## Allow domain dyntransition to sftpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ftp_dyntrans_sftpd',` - gen_require(` - type sftpd_t; - ') - - dyntrans_pattern($1, sftpd_t); -') - -######################################## -## -## All of the rules required to administrate -## an ftp environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the ftp domain. -## -## -## -# -interface(`ftp_admin',` - gen_require(` - type ftpd_t, ftpdctl_t, ftpd_tmp_t; - type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t; - type ftpd_var_run_t, xferlog_t; - ') - - allow $1 ftpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ftpd_t) - - init_labeled_script_domtrans($1, ftpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ftpd_initrc_exec_t system_r; - allow $2 system_r; - - ps_process_pattern($1, ftpdctl_t) - ftp_run_ftpdctl($1, $2) - - miscfiles_manage_public_files($1) - - files_list_tmp($1) - admin_pattern($1, ftpd_tmp_t) - - files_list_etc($1) - admin_pattern($1, ftpd_etc_t) - - files_list_var($1) - admin_pattern($1, ftpd_lock_t) - - files_list_pids($1) - admin_pattern($1, ftpd_var_run_t) - - logging_list_logs($1) - admin_pattern($1, xferlog_t) -') diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te deleted file mode 100644 index 2284f4e..0000000 --- a/policy/modules/services/ftp.te +++ /dev/null @@ -1,464 +0,0 @@ -policy_module(ftp, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow ftp servers to upload files, used for public file -## transfer services. Directories must be labeled -## public_content_rw_t. -##

-##
-gen_tunable(allow_ftpd_anon_write, false) - -## -##

-## Allow ftp servers to login to local users and -## read/write all files on the system, governed by DAC. -##

-##
-gen_tunable(allow_ftpd_full_access, false) - -## -##

-## Allow ftp servers to use cifs -## used for public file transfer services. -##

-##
-gen_tunable(allow_ftpd_use_cifs, false) - -## -##

-## Allow ftp servers to use nfs -## used for public file transfer services. -##

-##
-gen_tunable(allow_ftpd_use_nfs, false) - -## -##

-## Allow ftp servers to use connect to mysql database -##

-##
-gen_tunable(ftpd_connect_db, false) - -## -##

-## Allow ftp to read and write files in the user home directories -##

-##
-gen_tunable(ftp_home_dir, false) - -## -##

-## Allow anon internal-sftp to upload files, used for -## public file transfer services. Directories must be labeled -## public_content_rw_t. -##

-##
-gen_tunable(sftpd_anon_write, false) - -## -##

-## Allow sftp-internal to read and write files -## in the user home directories -##

-##
-gen_tunable(sftpd_enable_homedirs, false) - -## -##

-## Allow sftp-internal to login to local users and -## read/write all files on the system, governed by DAC. -##

-##
-gen_tunable(sftpd_full_access, false) - -## -##

-## Allow interlnal-sftp to read and write files -## in the user ssh home directories. -##

-##
-gen_tunable(sftpd_write_ssh_home, false) - -type anon_sftpd_t; -typealias anon_sftpd_t alias sftpd_anon_t; -domain_type(anon_sftpd_t) -role system_r types anon_sftpd_t; - -type ftpd_t; -type ftpd_exec_t; -init_daemon_domain(ftpd_t, ftpd_exec_t) - -type ftpd_etc_t; -files_config_file(ftpd_etc_t) - -type ftpd_initrc_exec_t; -init_script_file(ftpd_initrc_exec_t) - -type ftpd_lock_t; -files_lock_file(ftpd_lock_t) - -type ftpd_tmp_t; -files_tmp_file(ftpd_tmp_t) - -type ftpd_tmpfs_t; -files_tmpfs_file(ftpd_tmpfs_t) - -type ftpd_var_run_t; -files_pid_file(ftpd_var_run_t) - -type ftpdctl_t; -type ftpdctl_exec_t; -init_system_domain(ftpdctl_t, ftpdctl_exec_t) - -type ftpdctl_tmp_t; -files_tmp_file(ftpdctl_tmp_t) - -type sftpd_t; -domain_type(sftpd_t) -role system_r types sftpd_t; - -type xferlog_t; -logging_log_file(xferlog_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) -') - -######################################## -# -# anon-sftp local policy -# - -files_read_etc_files(anon_sftpd_t) - -miscfiles_read_public_files(anon_sftpd_t) - -tunable_policy(`sftpd_anon_write',` - miscfiles_manage_public_files(anon_sftpd_t) -') - -######################################## -# -# ftpd local policy -# - -allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource }; -dontaudit ftpd_t self:capability sys_tty_config; -allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; -allow ftpd_t self:fifo_file rw_fifo_file_perms; -allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; -allow ftpd_t self:unix_stream_socket create_stream_socket_perms; -allow ftpd_t self:tcp_socket create_stream_socket_perms; -allow ftpd_t self:udp_socket create_socket_perms; -allow ftpd_t self:shm create_shm_perms; -allow ftpd_t self:key manage_key_perms; - -allow ftpd_t ftpd_etc_t:file read_file_perms; - -allow ftpd_t ftpd_lock_t:file manage_file_perms; -files_lock_filetrans(ftpd_t, ftpd_lock_t, file) - -manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) -manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) - -manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) - -# proftpd requires the client side to bind a socket so that -# it can stat the socket to perform access control decisions, -# since getsockopt with SO_PEERCRED is not available on all -# proftpd-supported OSs -allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; - -# Create and modify /var/log/xferlog. -manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) -logging_log_filetrans(ftpd_t, xferlog_t, file) - -kernel_read_kernel_sysctls(ftpd_t) -kernel_read_system_state(ftpd_t) -kernel_search_network_state(ftpd_t) - -dev_read_sysfs(ftpd_t) -dev_read_urand(ftpd_t) - -corecmd_exec_bin(ftpd_t) - -corenet_all_recvfrom_unlabeled(ftpd_t) -corenet_all_recvfrom_netlabel(ftpd_t) -corenet_tcp_sendrecv_generic_if(ftpd_t) -corenet_udp_sendrecv_generic_if(ftpd_t) -corenet_tcp_sendrecv_generic_node(ftpd_t) -corenet_udp_sendrecv_generic_node(ftpd_t) -corenet_tcp_sendrecv_all_ports(ftpd_t) -corenet_udp_sendrecv_all_ports(ftpd_t) -corenet_tcp_bind_generic_node(ftpd_t) -corenet_tcp_bind_ftp_port(ftpd_t) -corenet_tcp_bind_ftp_data_port(ftpd_t) -corenet_tcp_bind_generic_port(ftpd_t) -corenet_tcp_bind_all_unreserved_ports(ftpd_t) -corenet_dontaudit_tcp_bind_all_ports(ftpd_t) -corenet_tcp_connect_all_ports(ftpd_t) -corenet_sendrecv_ftp_server_packets(ftpd_t) - -domain_use_interactive_fds(ftpd_t) - -files_search_etc(ftpd_t) -files_read_etc_files(ftpd_t) -files_read_etc_runtime_files(ftpd_t) -files_search_var_lib(ftpd_t) - -fs_search_auto_mountpoints(ftpd_t) -fs_getattr_all_fs(ftpd_t) -fs_search_fusefs(ftpd_t) - -auth_use_nsswitch(ftpd_t) -auth_domtrans_chk_passwd(ftpd_t) -# Append to /var/log/wtmp. -auth_append_login_records(ftpd_t) -#kerberized ftp requires the following -auth_write_login_records(ftpd_t) -auth_rw_faillog(ftpd_t) - -init_rw_utmp(ftpd_t) - -logging_send_audit_msgs(ftpd_t) -logging_send_syslog_msg(ftpd_t) -logging_set_loginuid(ftpd_t) - -miscfiles_read_localization(ftpd_t) -miscfiles_read_public_files(ftpd_t) - -seutil_dontaudit_search_config(ftpd_t) - -sysnet_read_config(ftpd_t) -sysnet_use_ldap(ftpd_t) - -userdom_dontaudit_use_unpriv_user_fds(ftpd_t) -userdom_dontaudit_search_user_home_dirs(ftpd_t) - -tunable_policy(`allow_ftpd_anon_write',` - miscfiles_manage_public_files(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_cifs',` - fs_read_cifs_files(ftpd_t) - fs_read_cifs_symlinks(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` - fs_manage_cifs_files(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_nfs',` - fs_read_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` - fs_manage_nfs_files(ftpd_t) -') - -tunable_policy(`allow_ftpd_full_access',` - allow ftpd_t self:capability { dac_override dac_read_search }; - auth_manage_all_files_except_shadow(ftpd_t) -') - -tunable_policy(`ftp_home_dir',` - allow ftpd_t self:capability { dac_override dac_read_search }; - - # allow access to /home - files_list_home(ftpd_t) - userdom_read_user_home_content_files(ftpd_t) - userdom_manage_user_home_content(ftpd_t) - userdom_manage_user_tmp_files(ftpd_t) - userdom_tmp_filetrans_user_tmp(ftpd_t, file) -',` - # Needed for permissive mode, to make sure everything gets labeled correctly - userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) - files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) -') - -tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` - fs_manage_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) -') - -tunable_policy(`ftp_home_dir && use_samba_home_dirs',` - fs_manage_cifs_files(ftpd_t) - fs_read_cifs_symlinks(ftpd_t) -') - -optional_policy(` - tunable_policy(`ftp_home_dir',` - apache_search_sys_content(ftpd_t) - ') -') - -optional_policy(` - corecmd_exec_shell(ftpd_t) - - files_read_usr_files(ftpd_t) - - cron_system_entry(ftpd_t, ftpd_exec_t) - - optional_policy(` - logrotate_exec(ftpd_t) - ') -') - -optional_policy(` - daemontools_service_domain(ftpd_t, ftpd_exec_t) -') - -optional_policy(` - selinux_validate_context(ftpd_t) - - kerberos_keytab_template(ftpd, ftpd_t) - kerberos_manage_host_rcache(ftpd_t) -') - -optional_policy(` - tunable_policy(`ftpd_connect_db',` - mysql_stream_connect(ftpd_t) - ') -') - -optional_policy(` - tunable_policy(`ftpd_connect_db',` - postgresql_stream_connect(ftpd_t) - ') -') - -tunable_policy(`ftpd_connect_db',` - mysql_tcp_connect(ftpd_t) - postgresql_tcp_connect(ftpd_t) -') - -optional_policy(` - inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) - - optional_policy(` - tcpd_domtrans(tcpd_t) - ') -') - -optional_policy(` - dbus_system_bus_client(ftpd_t) - - optional_policy(` - oddjob_dbus_chat(ftpd_t) - oddjob_domtrans_mkhomedir(ftpd_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(ftpd_t) -') - -optional_policy(` - udev_read_db(ftpd_t) -') - -######################################## -# -# ftpdctl local policy -# - -# Allow ftpdctl to talk to ftpd over a socket connection -stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) -files_search_pids(ftpdctl_t) - -# ftpdctl creates a socket so that the daemon can perform -# access control decisions (see comments in ftpd_t rules above) -allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; -files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) - -# Allow ftpdctl to read config files -files_read_etc_files(ftpdctl_t) - -userdom_use_user_terminals(ftpdctl_t) - -######################################## -# -# sftpd local policy -# - -files_read_etc_files(sftpd_t) - -# allow read access to /home by default -userdom_read_user_home_content_files(sftpd_t) -userdom_read_user_home_content_symlinks(sftpd_t) -userdom_dontaudit_list_admin_dir(sftpd_t) - -tunable_policy(`sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) - auth_manage_all_files_except_shadow(sftpd_t) -') - -tunable_policy(`sftpd_write_ssh_home',` - ssh_manage_home_files(sftpd_t) -') - -tunable_policy(`sftpd_enable_homedirs',` - allow sftpd_t self:capability { dac_override dac_read_search }; - - # allow access to /home - files_list_home(sftpd_t) - userdom_read_user_home_content_files(sftpd_t) - userdom_manage_user_home_content(sftpd_t) -',` - # Needed for permissive mode, to make sure everything gets labeled correctly - userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) -') - -tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` - fs_manage_nfs_dirs(sftpd_t) - fs_manage_nfs_files(sftpd_t) - fs_manage_nfs_symlinks(sftpd_t) -') - -tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` - fs_manage_cifs_dirs(sftpd_t) - fs_manage_cifs_files(sftpd_t) - fs_manage_cifs_symlinks(sftpd_t) -') - -tunable_policy(`sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) - auth_manage_all_files_except_shadow(sftpd_t) -') - -tunable_policy(`use_samba_home_dirs',` - # allow read access to /home by default - fs_list_cifs(sftpd_t) - fs_read_cifs_files(sftpd_t) - fs_read_cifs_symlinks(sftpd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - # allow read access to /home by default - fs_list_nfs(sftpd_t) - fs_read_nfs_files(sftpd_t) - fs_read_nfs_symlinks(ftpd_t) -') diff --git a/policy/modules/services/gatekeeper.fc b/policy/modules/services/gatekeeper.fc deleted file mode 100644 index d6ef025..0000000 --- a/policy/modules/services/gatekeeper.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/gatekeeper\.ini -- gen_context(system_u:object_r:gatekeeper_etc_t,s0) - -/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0) -/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0) - -/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0) -/var/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0) -/var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0) diff --git a/policy/modules/services/gatekeeper.if b/policy/modules/services/gatekeeper.if deleted file mode 100644 index 311cb06..0000000 --- a/policy/modules/services/gatekeeper.if +++ /dev/null @@ -1 +0,0 @@ -## OpenH.323 Voice-Over-IP Gatekeeper diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te deleted file mode 100644 index 6dbc203..0000000 --- a/policy/modules/services/gatekeeper.te +++ /dev/null @@ -1,99 +0,0 @@ -policy_module(gatekeeper, 1.7.0) - -######################################## -# -# Declarations -# - -type gatekeeper_t; -type gatekeeper_exec_t; -init_daemon_domain(gatekeeper_t, gatekeeper_exec_t) - -type gatekeeper_etc_t; -files_config_file(gatekeeper_etc_t) - -type gatekeeper_log_t; -logging_log_file(gatekeeper_log_t) - -# for stupid symlinks -type gatekeeper_tmp_t; -files_tmp_file(gatekeeper_tmp_t) - -type gatekeeper_var_run_t; -files_pid_file(gatekeeper_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit gatekeeper_t self:capability sys_tty_config; -allow gatekeeper_t self:process { setsched signal_perms }; -allow gatekeeper_t self:fifo_file rw_fifo_file_perms; -allow gatekeeper_t self:tcp_socket create_stream_socket_perms; -allow gatekeeper_t self:udp_socket create_socket_perms; - -allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms; -allow gatekeeper_t gatekeeper_etc_t:file read_file_perms; -files_search_etc(gatekeeper_t) - -manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t) -logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir }) - -manage_dirs_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t) -manage_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t) -files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir }) - -manage_files_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t) -files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, file) - -kernel_read_system_state(gatekeeper_t) -kernel_read_kernel_sysctls(gatekeeper_t) - -corecmd_list_bin(gatekeeper_t) - -corenet_all_recvfrom_unlabeled(gatekeeper_t) -corenet_all_recvfrom_netlabel(gatekeeper_t) -corenet_tcp_sendrecv_generic_if(gatekeeper_t) -corenet_udp_sendrecv_generic_if(gatekeeper_t) -corenet_tcp_sendrecv_generic_node(gatekeeper_t) -corenet_udp_sendrecv_generic_node(gatekeeper_t) -corenet_tcp_sendrecv_all_ports(gatekeeper_t) -corenet_udp_sendrecv_all_ports(gatekeeper_t) -corenet_tcp_bind_generic_node(gatekeeper_t) -corenet_udp_bind_generic_node(gatekeeper_t) -corenet_tcp_bind_gatekeeper_port(gatekeeper_t) -corenet_udp_bind_gatekeeper_port(gatekeeper_t) -corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t) - -dev_read_sysfs(gatekeeper_t) -# for SSP -dev_read_urand(gatekeeper_t) - -domain_use_interactive_fds(gatekeeper_t) - -files_read_etc_files(gatekeeper_t) - -fs_getattr_all_fs(gatekeeper_t) -fs_search_auto_mountpoints(gatekeeper_t) - -logging_send_syslog_msg(gatekeeper_t) - -miscfiles_read_localization(gatekeeper_t) - -sysnet_read_config(gatekeeper_t) - -userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) -userdom_dontaudit_search_user_home_dirs(gatekeeper_t) - -optional_policy(` - nis_use_ypbind(gatekeeper_t) -') - -optional_policy(` - seutil_sigchld_newrole(gatekeeper_t) -') - -optional_policy(` - udev_read_db(gatekeeper_t) -') diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc deleted file mode 100644 index 2b552c5..0000000 --- a/policy/modules/services/git.fc +++ /dev/null @@ -1,13 +0,0 @@ -HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0) -HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0) -HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0) - -/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0) - -/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) - -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0) -/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if deleted file mode 100644 index 3780650..0000000 --- a/policy/modules/services/git.if +++ /dev/null @@ -1,520 +0,0 @@ -## Fast Version Control System. -## -##

-## A really simple TCP git daemon that normally listens on -## port DEFAULT_GIT_PORT aka 9418. It waits for a -## connection asking for a service, and will serve that -## service if it is enabled. -##

-##
- -####################################### -## -## Role access for Git daemon session. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# -interface(`git_session_role',` - gen_require(` - type git_session_t, gitd_exec_t, git_session_content_t; - ') - - ######################################## - # - # Git daemon session shared declarations. - # - - role $1 types git_session_t; - - ######################################## - # - # Git daemon session shared policy. - # - - domtrans_pattern($2, gitd_exec_t, git_session_t) - - allow $2 git_session_t:process { ptrace signal_perms }; - ps_process_pattern($2, git_session_t) -') - -######################################## -## -## Create a set of derived types for Git -## daemon shared repository content. -## -## -## -## The prefix to be used for deriving type names. -## -## -# -template(`git_content_template',` - gen_require(` - attribute git_system_content, git_content; - ') - - ######################################## - # - # Git daemon content shared declarations. - # - - type git_$1_content_t, git_system_content, git_content; - files_type(git_$1_content_t) -') - -######################################## -## -## Create a set of derived types for Git -## daemon shared repository roles. -## -## -## -## The prefix to be used for deriving type names. -## -## -# -template(`git_role_template',` - gen_require(` - class context contains; - role system_r; - ') - - ######################################## - # - # Git daemon role shared declarations. - # - - attribute $1_usertype; - - type $1_t; - userdom_unpriv_usertype($1, $1_t) - domain_type($1_t) - - role $1_r types $1_t; - allow system_r $1_r; - - ######################################## - # - # Git daemon role shared policy. - # - - allow $1_t self:context contains; - allow $1_t self:fifo_file rw_fifo_file_perms; - - corecmd_exec_bin($1_t) - corecmd_bin_entry_type($1_t) - corecmd_shell_entry_type($1_t) - - domain_interactive_fd($1_t) - domain_user_exemption_target($1_t) - - kernel_read_system_state($1_t) - - files_read_etc_files($1_t) - files_dontaudit_search_home($1_t) - - miscfiles_read_localization($1_t) - - git_rwx_generic_system_content($1_t) - - ssh_rw_stream_sockets($1_t) - - tunable_policy(`git_system_use_cifs',` - fs_exec_cifs_files($1_t) - fs_manage_cifs_dirs($1_t) - fs_manage_cifs_files($1_t) - ') - - tunable_policy(`git_system_use_nfs',` - fs_exec_nfs_files($1_t) - fs_manage_nfs_dirs($1_t) - fs_manage_nfs_files($1_t) - ') - - optional_policy(` - nscd_read_pid($1_t) - ') -') - -####################################### -## -## Allow specified domain access to the -## specified Git daemon content. -## -## -## -## Domain allowed access. -## -## -## -## -## Type of the object that access is allowed to. -## -## -# -interface(`git_content_delegation',` - gen_require(` - type $1, $2; - ') - - exec_files_pattern($1, $2, $2) - manage_dirs_pattern($1, $2, $2) - manage_files_pattern($1, $2, $2) - files_search_var_lib($1) - - tunable_policy(`git_system_use_cifs',` - fs_exec_cifs_files($1) - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - ') - - tunable_policy(`git_system_use_nfs',` - fs_exec_nfs_files($1) - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - ') -') - -######################################## -## -## Allow the specified domain to manage -## and execute all Git daemon content. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_rwx_all_content',` - gen_require(` - attribute git_content; - ') - - exec_files_pattern($1, git_content, git_content) - manage_dirs_pattern($1, git_content, git_content) - manage_files_pattern($1, git_content, git_content) - userdom_search_user_home_dirs($1) - files_search_var_lib($1) - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1) - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - ') - - tunable_policy(`git_system_use_cifs',` - fs_exec_cifs_files($1) - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - ') - - tunable_policy(`git_system_use_nfs',` - fs_exec_nfs_files($1) - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - ') -') - -######################################## -## -## Allow the specified domain to manage -## and execute all Git daemon system content. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_rwx_all_system_content',` - gen_require(` - attribute git_system_content; - ') - - exec_files_pattern($1, git_system_content, git_system_content) - manage_dirs_pattern($1, git_system_content, git_system_content) - manage_files_pattern($1, git_system_content, git_system_content) - files_search_var_lib($1) - - tunable_policy(`git_system_use_cifs',` - fs_exec_cifs_files($1) - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - ') - - tunable_policy(`git_system_use_nfs',` - fs_exec_nfs_files($1) - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - ') -') - -######################################## -## -## Allow the specified domain to manage -## and execute Git daemon generic system content. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_rwx_generic_system_content',` - gen_require(` - type git_system_content_t; - ') - - exec_files_pattern($1, git_system_content_t, git_system_content_t) - manage_dirs_pattern($1, git_system_content_t, git_system_content_t) - manage_files_pattern($1, git_system_content_t, git_system_content_t) - files_search_var_lib($1) - - tunable_policy(`git_system_use_cifs',` - fs_exec_cifs_files($1) - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - ') - - tunable_policy(`git_system_use_nfs',` - fs_exec_nfs_files($1) - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - ') -') - -######################################## -## -## Allow the specified domain to read -## all Git daemon content files. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_read_all_content_files',` - gen_require(` - attribute git_content; - ') - - list_dirs_pattern($1, git_content, git_content) - read_files_pattern($1, git_content, git_content) - userdom_search_user_home_dirs($1) - files_search_var_lib($1) - - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_list_cifs($1) - fs_read_cifs_files($1) - ') - - tunable_policy(`git_system_use_cifs',` - fs_list_cifs($1) - fs_read_cifs_files($1) - ') - - tunable_policy(`git_system_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - ') -') - -######################################## -## -## Allow the specified domain to read -## Git daemon session content files. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_read_session_content_files',` - gen_require(` - type git_session_content_t; - ') - - list_dirs_pattern($1, git_session_content_t, git_session_content_t) - read_files_pattern($1, git_session_content_t, git_session_content_t) - userdom_search_user_home_dirs($1) - - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_list_cifs($1) - fs_read_cifs_files($1) - ') -') - -######################################## -## -## Allow the specified domain to read -## all Git daemon system content files. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_read_all_system_content_files',` - gen_require(` - attribute git_system_content; - ') - - list_dirs_pattern($1, git_system_content, git_system_content) - read_files_pattern($1, git_system_content, git_system_content) - files_search_var_lib($1) - - tunable_policy(`git_system_use_cifs',` - fs_list_cifs($1) - fs_read_cifs_files($1) - ') - - tunable_policy(`git_system_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - ') -') - -######################################## -## -## Allow the specified domain to read -## Git daemon generic system content files. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_read_generic_system_content_files',` - gen_require(` - type git_system_content_t; - ') - - list_dirs_pattern($1, git_system_content_t, git_system_content_t) - read_files_pattern($1, git_system_content_t, git_system_content_t) - files_search_var_lib($1) - - tunable_policy(`git_system_use_cifs',` - fs_list_cifs($1) - fs_read_cifs_files($1) - ') - - tunable_policy(`git_system_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - ') -') - -######################################## -## -## Allow the specified domain to relabel -## all Git daemon content. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_relabel_all_content',` - gen_require(` - attribute git_content; - ') - - relabel_dirs_pattern($1, git_content, git_content) - relabel_files_pattern($1, git_content, git_content) - userdom_search_user_home_dirs($1) - files_search_var_lib($1) -') - -######################################## -## -## Allow the specified domain to relabel -## all Git daemon system content. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_relabel_all_system_content',` - gen_require(` - attribute git_system_content; - ') - - relabel_dirs_pattern($1, git_system_content, git_system_content) - relabel_files_pattern($1, git_system_content, git_system_content) - files_search_var_lib($1) -') - -######################################## -## -## Allow the specified domain to relabel -## Git daemon generic system content. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_relabel_generic_system_content',` - gen_require(` - type git_system_content_t; - ') - - relabel_dirs_pattern($1, git_system_content_t, git_system_content_t) - relabel_files_pattern($1, git_system_content_t, git_system_content_t) - files_search_var_lib($1) -') - -######################################## -## -## Allow the specified domain to relabel -## Git daemon session content. -## -## -## -## Domain allowed access. -## -## -# -interface(`git_relabel_session_content',` - gen_require(` - type git_session_content_t; - ') - - relabel_dirs_pattern($1, git_session_content_t, git_session_content_t) - relabel_files_pattern($1, git_session_content_t, git_session_content_t) - userdom_search_user_home_dirs($1) -') diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te deleted file mode 100644 index 8d10fc5..0000000 --- a/policy/modules/services/git.te +++ /dev/null @@ -1,192 +0,0 @@ -policy_module(git, 1.0.3) - -## -##

-## Allow Git daemon system to search home directories. -##

-##
-gen_tunable(git_system_enable_homedirs, false) - -## -##

-## Allow Git daemon system to access cifs file systems. -##

-##
-gen_tunable(git_system_use_cifs, false) - -## -##

-## Allow Git daemon system to access nfs file systems. -##

-##
-gen_tunable(git_system_use_nfs, false) - -######################################## -# -# Git daemon global private declarations. -# - -attribute git_domains; -attribute git_system_content; -attribute git_content; - -type gitd_exec_t; -application_executable_file(gitd_exec_t) - -######################################## -# -# Git daemon system private declarations. -# - -type git_system_t, git_domains; -inetd_service_domain(git_system_t, gitd_exec_t) -role system_r types git_system_t; - -type git_system_content_t, git_system_content, git_content; -files_type(git_system_content_t) -typealias git_system_content_t alias git_data_t; - -######################################## -# -# Git daemon session private declarations. -# - -## -##

-## Allow Git daemon session to bind -## tcp sockets to all unreserved ports. -##

-##
-gen_tunable(git_session_bind_all_unreserved_ports, false) - -type git_session_t, git_domains; -application_domain(git_session_t, gitd_exec_t) -ubac_constrained(git_session_t) - -type git_session_content_t, git_content; -userdom_user_home_content(git_session_content_t) - -######################################## -# -# Git daemon global private policy. -# - -allow git_domains self:fifo_file rw_fifo_file_perms; -allow git_domains self:netlink_route_socket create_netlink_socket_perms; -allow git_domains self:tcp_socket create_socket_perms; -allow git_domains self:udp_socket create_socket_perms; -allow git_domains self:unix_dgram_socket create_socket_perms; - -corenet_all_recvfrom_netlabel(git_domains) -corenet_all_recvfrom_unlabeled(git_domains) -corenet_tcp_bind_generic_node(git_domains) -corenet_tcp_sendrecv_generic_if(git_domains) -corenet_tcp_sendrecv_generic_node(git_domains) -corenet_tcp_sendrecv_generic_port(git_domains) -corenet_tcp_bind_git_port(git_domains) -corenet_sendrecv_git_server_packets(git_domains) - -corecmd_exec_bin(git_domains) - -files_read_etc_files(git_domains) -files_read_usr_files(git_domains) - -fs_search_auto_mountpoints(git_domains) - -kernel_read_system_state(git_domains) - -auth_use_nsswitch(git_domains) - -logging_send_syslog_msg(git_domains) - -miscfiles_read_localization(git_domains) - -sysnet_read_config(git_domains) - -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(git_domains) -') - -optional_policy(` - nis_use_ypbind(git_domains) -') - -######################################## -# -# Git daemon system repository private policy. -# - -list_dirs_pattern(git_system_t, git_content, git_content) -read_files_pattern(git_system_t, git_content, git_content) -files_search_var_lib(git_system_t) - -tunable_policy(`git_system_enable_homedirs',` - userdom_search_user_home_dirs(git_system_t) -') - -tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` - fs_list_nfs(git_system_t) - fs_read_nfs_files(git_system_t) -') - -tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` - fs_list_cifs(git_system_t) - fs_read_cifs_files(git_system_t) -') - -tunable_policy(`git_system_use_cifs',` - fs_list_cifs(git_system_t) - fs_read_cifs_files(git_system_t) -') - -tunable_policy(`git_system_use_nfs',` - fs_list_nfs(git_system_t) - fs_read_nfs_files(git_system_t) -') - -######################################## -# -# Git daemon session repository private policy. -# - -allow git_session_t self:tcp_socket { accept listen }; - -list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t) -read_files_pattern(git_session_t, git_session_content_t, git_session_content_t) -userdom_search_user_home_dirs(git_session_t) - -userdom_use_user_terminals(git_session_t) - -tunable_policy(`git_session_bind_all_unreserved_ports',` - corenet_tcp_bind_all_unreserved_ports(git_session_t) - corenet_sendrecv_generic_server_packets(git_session_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(git_session_t) - fs_read_nfs_files(git_session_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(git_session_t) - fs_read_cifs_files(git_session_t) -') - -######################################## -# -# cgi git Declarations -# - -optional_policy(` - apache_content_template(git) - git_read_all_content_files(httpd_git_script_t) - files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) -') - -######################################## -# -# Git-shell private policy. -# - -git_role_template(git_shell) -gen_user(git_shell_u, user, git_shell_r, s0, s0) diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc deleted file mode 100644 index a8ce02e..0000000 --- a/policy/modules/services/gnomeclock.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - -/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if deleted file mode 100644 index b1f8f93..0000000 --- a/policy/modules/services/gnomeclock.if +++ /dev/null @@ -1,86 +0,0 @@ -## Gnome clock handler for setting the time. - -######################################## -## -## Execute a domain transition to run gnomeclock. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`gnomeclock_domtrans',` - gen_require(` - type gnomeclock_t, gnomeclock_exec_t; - ') - - domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) -') - -######################################## -## -## Execute gnomeclock in the gnomeclock domain, and -## allow the specified role the gnomeclock domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`gnomeclock_run',` - gen_require(` - type gnomeclock_t; - ') - - gnomeclock_domtrans($1) - role $2 types gnomeclock_t; -') - -######################################## -## -## Send and receive messages from -## gnomeclock over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnomeclock_dbus_chat',` - gen_require(` - type gnomeclock_t; - class dbus send_msg; - ') - - allow $1 gnomeclock_t:dbus send_msg; - allow gnomeclock_t $1:dbus send_msg; -') - -######################################## -## -## Do not audit send and receive messages from -## gnomeclock over dbus. -## -## -## -## Domain to not audit. -## -## -# -interface(`gnomeclock_dontaudit_dbus_chat',` - gen_require(` - type gnomeclock_t; - class dbus send_msg; - ') - - dontaudit $1 gnomeclock_t:dbus send_msg; - dontaudit gnomeclock_t $1:dbus send_msg; -') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te deleted file mode 100644 index 4fde46b..0000000 --- a/policy/modules/services/gnomeclock.te +++ /dev/null @@ -1,46 +0,0 @@ -policy_module(gnomeclock, 1.0.0) - -######################################## -# -# Declarations -# - -type gnomeclock_t; -type gnomeclock_exec_t; -dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) - -######################################## -# -# gnomeclock local policy -# - -allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; -allow gnomeclock_t self:process { getattr getsched }; -allow gnomeclock_t self:fifo_file rw_fifo_file_perms; -allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; - -corecmd_exec_bin(gnomeclock_t) - -files_read_etc_files(gnomeclock_t) -files_read_usr_files(gnomeclock_t) - -auth_use_nsswitch(gnomeclock_t) - -clock_domtrans(gnomeclock_t) - -miscfiles_read_localization(gnomeclock_t) -miscfiles_manage_localization(gnomeclock_t) -miscfiles_etc_filetrans_localization(gnomeclock_t) - -userdom_read_all_users_state(gnomeclock_t) - -optional_policy(` - consolekit_dbus_chat(gnomeclock_t) -') - -optional_policy(` - policykit_dbus_chat(gnomeclock_t) - policykit_domtrans_auth(gnomeclock_t) - policykit_read_lib(gnomeclock_t) - policykit_read_reload(gnomeclock_t) -') diff --git a/policy/modules/services/gpm.fc b/policy/modules/services/gpm.fc deleted file mode 100644 index 6fc9661..0000000 --- a/policy/modules/services/gpm.fc +++ /dev/null @@ -1,7 +0,0 @@ - -/dev/gpmctl -s gen_context(system_u:object_r:gpmctl_t,s0) -/dev/gpmdata -p gen_context(system_u:object_r:gpmctl_t,s0) - -/etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0) - -/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0) diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if deleted file mode 100644 index d6b2959..0000000 --- a/policy/modules/services/gpm.if +++ /dev/null @@ -1,81 +0,0 @@ -## General Purpose Mouse driver - -######################################## -## -## Connect to GPM over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpm_stream_connect',` - gen_require(` - type gpmctl_t, gpm_t; - ') - - dev_list_all_dev_nodes($1) - stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t) -') - -######################################## -## -## Get the attributes of the GPM -## control channel named socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpm_getattr_gpmctl',` - gen_require(` - type gpmctl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 gpmctl_t:sock_file getattr_sock_file_perms; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of the GPM control channel -## named socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`gpm_dontaudit_getattr_gpmctl',` - gen_require(` - type gpmctl_t; - ') - - dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms; -') - -######################################## -## -## Set the attributes of the GPM -## control channel named socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpm_setattr_gpmctl',` - gen_require(` - type gpmctl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 gpmctl_t:sock_file setattr_sock_file_perms; -') diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te deleted file mode 100644 index a627b34..0000000 --- a/policy/modules/services/gpm.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(gpm, 1.8.0) - -######################################## -# -# Declarations -# - -type gpm_t; -type gpm_exec_t; -init_daemon_domain(gpm_t, gpm_exec_t) - -type gpm_conf_t; -files_type(gpm_conf_t) - -type gpm_tmp_t; -files_tmp_file(gpm_tmp_t) - -type gpm_var_run_t; -files_pid_file(gpm_var_run_t) - -type gpmctl_t; -files_type(gpmctl_t) - -######################################## -# -# Local policy -# - -allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config }; -allow gpm_t self:process { getcap setcap }; -allow gpm_t self:unix_stream_socket create_stream_socket_perms; - -allow gpm_t gpm_conf_t:dir list_dir_perms; -read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t) -read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t) - -manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) -manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) -files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir }) - -allow gpm_t gpm_var_run_t:file manage_file_perms; -files_pid_filetrans(gpm_t, gpm_var_run_t, file) - -allow gpm_t gpmctl_t:sock_file manage_sock_file_perms; -allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms; -dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file }) - -kernel_read_kernel_sysctls(gpm_t) -kernel_list_proc(gpm_t) -kernel_read_proc_symlinks(gpm_t) - -dev_read_sysfs(gpm_t) -# Access the mouse. -dev_rw_input_dev(gpm_t) -dev_rw_mouse(gpm_t) - -files_read_etc_files(gpm_t) - -fs_getattr_all_fs(gpm_t) -fs_search_auto_mountpoints(gpm_t) - -term_use_unallocated_ttys(gpm_t) - -domain_use_interactive_fds(gpm_t) - -logging_send_syslog_msg(gpm_t) - -miscfiles_read_localization(gpm_t) - -userdom_dontaudit_use_unpriv_user_fds(gpm_t) -userdom_dontaudit_search_user_home_dirs(gpm_t) - -optional_policy(` - seutil_sigchld_newrole(gpm_t) -') - -optional_policy(` - udev_read_db(gpm_t) -') diff --git a/policy/modules/services/gpsd.fc b/policy/modules/services/gpsd.fc deleted file mode 100644 index 5e81e33..0000000 --- a/policy/modules/services/gpsd.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) - -/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) - -/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) -/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) diff --git a/policy/modules/services/gpsd.if b/policy/modules/services/gpsd.if deleted file mode 100644 index c0ee676..0000000 --- a/policy/modules/services/gpsd.if +++ /dev/null @@ -1,66 +0,0 @@ -## gpsd monitor daemon - -######################################## -## -## Execute a domain transition to run gpsd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`gpsd_domtrans',` - gen_require(` - type gpsd_t, gpsd_exec_t; - ') - - domtrans_pattern($1, gpsd_exec_t, gpsd_t) -') - -######################################## -## -## Execute gpsd in the gpsd domain, and -## allow the specified role the gpsd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`gpsd_run',` - gen_require(` - type gpsd_t; - ') - - gpsd_domtrans($1) - role $2 types gpsd_t; -') - -######################################## -## -## Read and write gpsd shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpsd_rw_shm',` - gen_require(` - type gpsd_t, gpsd_tmpfs_t; - ') - - allow $1 gpsd_t:shm rw_shm_perms; - allow $1 gpsd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - fs_search_tmpfs($1) -') diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te deleted file mode 100644 index 7b9c543..0000000 --- a/policy/modules/services/gpsd.te +++ /dev/null @@ -1,68 +0,0 @@ -policy_module(gpsd, 1.1.0) - -######################################## -# -# Declarations -# - -type gpsd_t; -type gpsd_exec_t; -application_domain(gpsd_t, gpsd_exec_t) -init_daemon_domain(gpsd_t, gpsd_exec_t) - -type gpsd_initrc_exec_t; -init_script_file(gpsd_initrc_exec_t) - -type gpsd_tmpfs_t; -files_tmpfs_file(gpsd_tmpfs_t) - -type gpsd_var_run_t; -files_pid_file(gpsd_var_run_t) - -######################################## -# -# gpsd local policy -# - -allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config }; -allow gpsd_t self:process setsched; -allow gpsd_t self:shm create_shm_perms; -allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow gpsd_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) - -manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) -manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) -files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) - -corenet_all_recvfrom_unlabeled(gpsd_t) -corenet_all_recvfrom_netlabel(gpsd_t) -corenet_tcp_sendrecv_generic_if(gpsd_t) -corenet_tcp_sendrecv_generic_node(gpsd_t) -corenet_tcp_sendrecv_all_ports(gpsd_t) -corenet_tcp_bind_all_nodes(gpsd_t) -corenet_tcp_bind_gpsd_port(gpsd_t) - -term_use_unallocated_ttys(gpsd_t) -term_setattr_unallocated_ttys(gpsd_t) - -auth_use_nsswitch(gpsd_t) - -logging_send_syslog_msg(gpsd_t) - -miscfiles_read_localization(gpsd_t) - -optional_policy(` - chronyd_rw_shm(gpsd_t) -') - -optional_policy(` - dbus_system_bus_client(gpsd_t) -') - -optional_policy(` - ntp_rw_shm(gpsd_t) -') diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc deleted file mode 100644 index c98b0df..0000000 --- a/policy/modules/services/hal.fc +++ /dev/null @@ -1,33 +0,0 @@ - -/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) -/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) - -/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) - -/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) -/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) -/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) -/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) -/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0) - -/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) - -/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) - -/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) - -/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) -/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0) - -/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) - -ifdef(`distro_gentoo',` -/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) -') diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if deleted file mode 100644 index 26de57a..0000000 --- a/policy/modules/services/hal.if +++ /dev/null @@ -1,457 +0,0 @@ -## Hardware abstraction layer - -######################################## -## -## Execute hal in the hal domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hal_domtrans',` - gen_require(` - type hald_t, hald_exec_t; - ') - - domtrans_pattern($1, hald_exec_t, hald_t) -') - -######################################## -## -## Read hal system state -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_read_state',` - gen_require(` - type hald_t; - ') - - kernel_search_proc($1) - ps_process_pattern($1, hald_t) -') - -######################################## -## -## Allow ptrace of hal domain -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_ptrace',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:process ptrace; -') - -######################################## -## -## Allow domain to use file descriptors from hal. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_use_fds',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:fd use; -') - -######################################## -## -## Do not audit attempts to use file descriptors from hal. -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_use_fds',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:fd use; -') - -######################################## -## -## Allow attempts to read and write to -## hald unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_rw_pipes',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write to -## hald unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_rw_pipes',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Send to hal over a unix domain -## datagram socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_dgram_send',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:unix_dgram_socket sendto; -') - -######################################## -## -## Send to hal over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_stream_connect',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:unix_stream_socket connectto; -') - -######################################## -## -## Dontaudit read/write to a hal unix datagram socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_rw_dgram_sockets',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:unix_dgram_socket { read write }; -') - -######################################## -## -## Send a dbus message to hal. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_dbus_send',` - gen_require(` - type hald_t; - class dbus send_msg; - ') - - allow $1 hald_t:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## hal over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_dbus_chat',` - gen_require(` - type hald_t; - class dbus send_msg; - ') - - allow $1 hald_t:dbus send_msg; - allow hald_t $1:dbus send_msg; -') - -######################################## -## -## Execute hal mac in the hal mac domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hal_domtrans_mac',` - gen_require(` - type hald_mac_t, hald_mac_exec_t; - ') - - domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) -') - -######################################## -## -## Allow attempts to write the hal -## log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_write_log',` - gen_require(` - type hald_log_t; - ') - - logging_search_logs($1) - allow $1 hald_log_t:file write_file_perms; -') - -######################################## -## -## Do not audit attempts to write the hal -## log files. -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_write_log',` - gen_require(` - type hald_log_t; - ') - - dontaudit $1 hald_log_t:file { append write }; -') - -######################################## -## -## Manage hald log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_manage_log',` - gen_require(` - type hald_log_t; - ') - - # log files for hald - manage_files_pattern($1, hald_log_t, hald_log_t) - logging_log_filetrans($1, hald_log_t, file) -') - -######################################## -## -## Read hald tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_read_tmp_files',` - gen_require(` - type hald_tmp_t; - ') - - allow $1 hald_tmp_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to read or write -## HAL libraries files -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_append_lib_files',` - gen_require(` - type hald_var_lib_t; - ') - - dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms }; -') - -######################################## -## -## Read hald PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_read_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - allow $1 hald_var_run_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to read -## hald PID files. -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_read_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - dontaudit $1 hald_var_run_t:file read_inherited_file_perms; -') - -######################################## -## -## Read/Write hald PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_rw_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - allow $1 hald_var_run_t:file rw_file_perms; -') - -######################################## -## -## Manage hald PID dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_manage_pid_dirs',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) -') - -######################################## -## -## Manage hald PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_manage_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, hald_var_run_t, hald_var_run_t) -') - -######################################## -## -## dontaudit read and write an leaked file descriptors -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_leaks',` - gen_require(` - type hald_log_t, hald_t, hald_var_run_t; - ') - - dontaudit $1 hald_t:fd use; - dontaudit $1 hald_log_t:file rw_inherited_file_perms; - dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; - dontaudit hald_t $1:socket_class_set { read write }; - dontaudit $1 hald_var_run_t:file read_inherited_file_perms; -') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te deleted file mode 100644 index ae0b05b..0000000 --- a/policy/modules/services/hal.te +++ /dev/null @@ -1,557 +0,0 @@ -policy_module(hal, 1.13.0) - -######################################## -# -# Declarations -# - -type hald_t; -type hald_exec_t; -init_daemon_domain(hald_t, hald_exec_t) - -type hald_acl_t; -type hald_acl_exec_t; -domain_type(hald_acl_t) -domain_entry_file(hald_acl_t, hald_acl_exec_t) -role system_r types hald_acl_t; - -type hald_cache_t; -files_pid_file(hald_cache_t) - -type hald_dccm_t; -type hald_dccm_exec_t; -domain_type(hald_dccm_t) -domain_entry_file(hald_dccm_t, hald_dccm_exec_t) -role system_r types hald_dccm_t; - -type hald_keymap_t; -type hald_keymap_exec_t; -domain_type(hald_keymap_t) -domain_entry_file(hald_keymap_t, hald_keymap_exec_t) -role system_r types hald_keymap_t; - -type hald_log_t; -logging_log_file(hald_log_t) - -type hald_mac_t; -type hald_mac_exec_t; -domain_type(hald_mac_t) -domain_entry_file(hald_mac_t, hald_mac_exec_t) -role system_r types hald_mac_t; - -type hald_sonypic_t; -type hald_sonypic_exec_t; -domain_type(hald_sonypic_t) -domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t) -role system_r types hald_sonypic_t; - -type hald_tmp_t; -files_tmp_file(hald_tmp_t) - -type hald_var_run_t; -files_pid_file(hald_var_run_t) - -type hald_var_lib_t; -files_type(hald_var_lib_t) - -typealias hald_log_t alias pmtools_log_t; -typealias hald_var_run_t alias pmtools_var_run_t; - -######################################## -# -# Local policy -# - -# execute openvt which needs setuid -allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; -dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; -allow hald_t self:process { getsched getattr signal_perms }; -allow hald_t self:fifo_file rw_fifo_file_perms; -allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow hald_t self:unix_dgram_socket create_socket_perms; -allow hald_t self:netlink_kobject_uevent_socket create_socket_perms; -allow hald_t self:tcp_socket create_stream_socket_perms; -allow hald_t self:udp_socket create_socket_perms; -# For backwards compatibility with older kernels -allow hald_t self:netlink_socket create_socket_perms; - -manage_files_pattern(hald_t, hald_cache_t, hald_cache_t) - -# log files for hald -manage_files_pattern(hald_t, hald_log_t, hald_log_t) -logging_log_filetrans(hald_t, hald_log_t, file) - -manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t) -manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t) -files_tmp_filetrans(hald_t, hald_tmp_t, { file dir }) - -# var/lib files for hald -manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) -manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) - -manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_t, hald_var_run_t, { dir file }) - -kernel_read_system_state(hald_t) -kernel_read_network_state(hald_t) -kernel_read_software_raid_state(hald_t) -kernel_rw_kernel_sysctl(hald_t) -kernel_read_fs_sysctls(hald_t) -kernel_rw_irq_sysctls(hald_t) -kernel_rw_vm_sysctls(hald_t) -kernel_write_proc_files(hald_t) -kernel_rw_net_sysctls(hald_t) -kernel_setsched(hald_t) -kernel_request_load_module(hald_t) - -auth_read_pam_console_data(hald_t) - -corecmd_exec_all_executables(hald_t) - -corenet_all_recvfrom_unlabeled(hald_t) -corenet_all_recvfrom_netlabel(hald_t) -corenet_tcp_sendrecv_generic_if(hald_t) -corenet_udp_sendrecv_generic_if(hald_t) -corenet_tcp_sendrecv_generic_node(hald_t) -corenet_udp_sendrecv_generic_node(hald_t) -corenet_tcp_sendrecv_all_ports(hald_t) -corenet_udp_sendrecv_all_ports(hald_t) - -dev_rw_usbfs(hald_t) -dev_read_rand(hald_t) -dev_read_urand(hald_t) -dev_read_input(hald_t) -dev_read_mouse(hald_t) -dev_rw_printer(hald_t) -dev_read_lvm_control(hald_t) -dev_getattr_all_chr_files(hald_t) -dev_manage_generic_chr_files(hald_t) -dev_manage_generic_blk_files(hald_t) -dev_rw_generic_usb_dev(hald_t) -dev_setattr_generic_usb_dev(hald_t) -dev_setattr_usbfs_files(hald_t) -dev_rw_power_management(hald_t) -dev_read_raw_memory(hald_t) -# hal is now execing pm-suspend -dev_rw_sysfs(hald_t) -dev_read_video_dev(hald_t) - -domain_use_interactive_fds(hald_t) -domain_read_all_domains_state(hald_t) -domain_dontaudit_ptrace_all_domains(hald_t) - -files_exec_etc_files(hald_t) -files_read_etc_files(hald_t) -files_rw_etc_runtime_files(hald_t) -files_manage_mnt_dirs(hald_t) -files_manage_mnt_files(hald_t) -files_manage_mnt_symlinks(hald_t) -files_search_var_lib(hald_t) -files_read_usr_files(hald_t) -# hal is now execing pm-suspend -files_create_boot_flag(hald_t) -files_getattr_all_dirs(hald_t) -files_getattr_all_files(hald_t) -files_read_kernel_img(hald_t) -files_rw_lock_dirs(hald_t) -files_read_generic_pids(hald_t) - -fs_getattr_all_fs(hald_t) -fs_search_all(hald_t) -fs_list_inotifyfs(hald_t) -fs_list_auto_mountpoints(hald_t) -fs_mount_dos_fs(hald_t) -fs_unmount_dos_fs(hald_t) -fs_manage_dos_files(hald_t) -fs_manage_fusefs_dirs(hald_t) -fs_rw_removable_blk_files(hald_t) - -files_getattr_all_mountpoints(hald_t) - -mls_file_read_all_levels(hald_t) - -selinux_get_fs_mount(hald_t) -selinux_validate_context(hald_t) -selinux_compute_access_vector(hald_t) -selinux_compute_create_context(hald_t) -selinux_compute_relabel_context(hald_t) -selinux_compute_user_contexts(hald_t) - -storage_raw_read_removable_device(hald_t) -storage_raw_write_removable_device(hald_t) -storage_raw_read_fixed_disk(hald_t) -storage_raw_write_fixed_disk(hald_t) - -# hal_probe_serial causes these -term_setattr_unallocated_ttys(hald_t) -term_use_unallocated_ttys(hald_t) - -auth_use_nsswitch(hald_t) - -fstools_getattr_swap_files(hald_t) - -init_domtrans_script(hald_t) -init_read_utmp(hald_t) -#hal runs shutdown, probably need a shutdown domain -init_rw_utmp(hald_t) -init_telinit(hald_t) - -libs_exec_ld_so(hald_t) -libs_exec_lib_files(hald_t) - -logging_send_audit_msgs(hald_t) -logging_send_syslog_msg(hald_t) -logging_search_logs(hald_t) - -miscfiles_read_localization(hald_t) -miscfiles_read_hwdata(hald_t) - -modutils_domtrans_insmod(hald_t) -modutils_read_module_deps(hald_t) - -seutil_read_config(hald_t) -seutil_read_default_contexts(hald_t) -seutil_read_file_contexts(hald_t) - -sysnet_delete_dhcpc_pid(hald_t) -sysnet_domtrans_dhcpc(hald_t) -sysnet_domtrans_ifconfig(hald_t) -sysnet_read_config(hald_t) -sysnet_read_dhcp_config(hald_t) -sysnet_read_dhcpc_pid(hald_t) -sysnet_signal_dhcpc(hald_t) - -userdom_dontaudit_use_unpriv_user_fds(hald_t) -userdom_dontaudit_search_user_home_dirs(hald_t) -userdom_stream_connect(hald_t) - -netutils_domtrans(hald_t) - -optional_policy(` - alsa_domtrans(hald_t) - alsa_read_rw_config(hald_t) -') - -optional_policy(` - bootloader_domtrans(hald_t) -') - -optional_policy(` - # For /usr/libexec/hald-addon-acpi - # writes to /var/run/acpid.socket - apm_stream_connect(hald_t) -') - -optional_policy(` - bind_search_cache(hald_t) -') - -optional_policy(` - bluetooth_domtrans(hald_t) -') - -optional_policy(` - clock_domtrans(hald_t) -') - -optional_policy(` - cups_domtrans_config(hald_t) - cups_signal_config(hald_t) -') - -optional_policy(` - dbus_system_domain(hald_t, hald_exec_t) - - init_dbus_chat_script(hald_t) - - optional_policy(` - networkmanager_dbus_chat(hald_t) - ') -') - -optional_policy(` - # For /usr/libexec/hald-probe-smbios - dmidecode_domtrans(hald_t) -') - -optional_policy(` - gnome_read_config(hald_t) -') - -optional_policy(` - gpm_dontaudit_getattr_gpmctl(hald_t) -') - -optional_policy(` - hotplug_read_config(hald_t) -') - -optional_policy(` - lvm_domtrans(hald_t) -') - -optional_policy(` - mount_domtrans(hald_t) -') - -optional_policy(` - ntp_domtrans(hald_t) -') - -optional_policy(` - pcmcia_manage_pid(hald_t) - pcmcia_manage_pid_chr_files(hald_t) -') - -optional_policy(` - podsleuth_domtrans(hald_t) -') - -optional_policy(` - ppp_domtrans(hald_t) - ppp_read_rw_config(hald_t) -') - -optional_policy(` - policykit_dbus_chat(hald_t) - policykit_domtrans_auth(hald_t) - policykit_domtrans_resolve(hald_t) - policykit_read_lib(hald_t) - policykit_read_reload(hald_t) -') - -optional_policy(` - rpc_search_nfs_state_data(hald_t) -') - -optional_policy(` - seutil_sigchld_newrole(hald_t) -') - -optional_policy(` - shutdown_domtrans(hald_t) -') - -optional_policy(` - udev_domtrans(hald_t) - udev_read_db(hald_t) -') - -optional_policy(` - usbmuxd_stream_connect(hald_t) -') - -optional_policy(` - updfstab_domtrans(hald_t) -') - -optional_policy(` - vbetool_domtrans(hald_t) -') - -optional_policy(` - virt_manage_images(hald_t) -') - -optional_policy(` - xserver_read_pid(hald_t) -') - -######################################## -# -# Hal acl local policy -# - -allow hald_acl_t self:capability { dac_override fowner sys_resource }; -allow hald_acl_t self:process { getattr signal }; -allow hald_acl_t self:fifo_file rw_fifo_file_perms; - -domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) -allow hald_t hald_acl_t:process signal; -allow hald_acl_t hald_t:unix_stream_socket connectto; - -manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) -files_search_var_lib(hald_acl_t) - -manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) -allow hald_t hald_var_run_t:dir mounton; - -corecmd_exec_bin(hald_acl_t) - -dev_getattr_all_chr_files(hald_acl_t) -dev_setattr_all_chr_files(hald_acl_t) -dev_getattr_generic_usb_dev(hald_acl_t) -dev_getattr_video_dev(hald_acl_t) -dev_setattr_video_dev(hald_acl_t) -dev_getattr_sound_dev(hald_acl_t) -dev_setattr_sound_dev(hald_acl_t) -dev_setattr_generic_usb_dev(hald_acl_t) -dev_setattr_usbfs_files(hald_acl_t) - -files_read_usr_files(hald_acl_t) -files_read_etc_files(hald_acl_t) - -fs_getattr_all_fs(hald_acl_t) - -storage_getattr_removable_dev(hald_acl_t) -storage_setattr_removable_dev(hald_acl_t) -storage_getattr_fixed_disk_dev(hald_acl_t) -storage_setattr_fixed_disk_dev(hald_acl_t) - -auth_use_nsswitch(hald_acl_t) - -logging_send_syslog_msg(hald_acl_t) - -miscfiles_read_localization(hald_acl_t) - -optional_policy(` - policykit_dbus_chat(hald_acl_t) - policykit_domtrans_auth(hald_acl_t) - policykit_read_lib(hald_acl_t) - policykit_read_reload(hald_acl_t) -') - -######################################## -# -# Local hald mac policy -# - -allow hald_mac_t self:capability { setgid setuid sys_admin }; - -domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) -allow hald_t hald_mac_t:process signal; -allow hald_mac_t hald_t:unix_stream_socket connectto; - -manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) -files_search_var_lib(hald_mac_t) - -write_files_pattern(hald_mac_t, hald_log_t, hald_log_t) - -kernel_read_system_state(hald_mac_t) - -dev_read_raw_memory(hald_mac_t) -dev_write_raw_memory(hald_mac_t) -dev_read_sysfs(hald_mac_t) - -files_read_usr_files(hald_mac_t) -files_read_etc_files(hald_mac_t) - -auth_use_nsswitch(hald_mac_t) - -logging_send_syslog_msg(hald_mac_t) - -miscfiles_read_localization(hald_mac_t) - -######################################## -# -# Local hald sonypic policy -# - -domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t) -allow hald_t hald_sonypic_t:process signal; -allow hald_sonypic_t hald_t:unix_stream_socket connectto; - -dev_read_video_dev(hald_sonypic_t) -dev_write_video_dev(hald_sonypic_t) - -manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) -files_search_var_lib(hald_sonypic_t) - -write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t) - -files_read_usr_files(hald_sonypic_t) - -miscfiles_read_localization(hald_sonypic_t) - -######################################## -# -# Hal keymap local policy -# - -domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t) -allow hald_t hald_keymap_t:process signal; -allow hald_keymap_t hald_t:unix_stream_socket connectto; - -manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) -files_search_var_lib(hald_keymap_t) - -write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) - -dev_rw_input_dev(hald_keymap_t) - -files_read_etc_files(hald_keymap_t) -files_read_usr_files(hald_keymap_t) - -miscfiles_read_localization(hald_keymap_t) - -# This is caused by a bug in hald and PolicyKit. -# Should be removed when this is fixed -cron_read_system_job_lib_files(hald_t) - -######################################## -# -# Local hald dccm policy -# - -allow hald_dccm_t self:capability { chown net_bind_service }; -allow hald_dccm_t self:process getsched; -allow hald_dccm_t self:fifo_file rw_fifo_file_perms; -allow hald_dccm_t self:tcp_socket create_stream_socket_perms; -allow hald_dccm_t self:udp_socket create_socket_perms; -allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; - -domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) -allow hald_t hald_dccm_t:process signal; -allow hald_dccm_t hald_t:unix_stream_socket connectto; - -manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -files_search_var_lib(hald_dccm_t) - -manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file }) - -manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t) -files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file) - -write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) - -kernel_search_network_sysctl(hald_dccm_t) - -dev_read_urand(hald_dccm_t) - -corenet_all_recvfrom_unlabeled(hald_dccm_t) -corenet_all_recvfrom_netlabel(hald_dccm_t) -corenet_tcp_sendrecv_generic_if(hald_dccm_t) -corenet_udp_sendrecv_generic_if(hald_dccm_t) -corenet_tcp_sendrecv_generic_node(hald_dccm_t) -corenet_udp_sendrecv_generic_node(hald_dccm_t) -corenet_tcp_sendrecv_all_ports(hald_dccm_t) -corenet_udp_sendrecv_all_ports(hald_dccm_t) -corenet_tcp_bind_generic_node(hald_dccm_t) -corenet_udp_bind_generic_node(hald_dccm_t) -corenet_udp_bind_dhcpc_port(hald_dccm_t) -corenet_tcp_bind_ftp_port(hald_dccm_t) -corenet_tcp_bind_dccm_port(hald_dccm_t) - -logging_send_syslog_msg(hald_dccm_t) - -files_read_usr_files(hald_dccm_t) - -miscfiles_read_localization(hald_dccm_t) - -hal_dontaudit_rw_dgram_sockets(hald_dccm_t) - -optional_policy(` - dbus_system_bus_client(hald_dccm_t) -') diff --git a/policy/modules/services/hddtemp.fc b/policy/modules/services/hddtemp.fc deleted file mode 100644 index 1676612..0000000 --- a/policy/modules/services/hddtemp.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0) - -/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0) - -/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0) diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if deleted file mode 100644 index db2d189..0000000 --- a/policy/modules/services/hddtemp.if +++ /dev/null @@ -1,73 +0,0 @@ -## hddtemp hard disk temperature tool running as a daemon. - -####################################### -## -## Execute a domain transition to run hddtemp. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hddtemp_domtrans',` - gen_require(` - type hddtemp_t, hddtemp_exec_t; - ') - - domtrans_pattern($1, hddtemp_exec_t, hddtemp_t) - corecmd_search_bin($1) -') - -###################################### -## -## Execute hddtemp. -## -## -## -## Domain allowed access. -## -## -# -interface(`hddtemp_exec',` - gen_require(` - type hddtemp_exec_t; - ') - - can_exec($1, hddtemp_exec_t) - corecmd_search_bin($1) -') - -######################################## -## -## All of the rules required to -## administrate an hddtemp environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`hddtemp_admin',` - gen_require(` - type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; - ') - - allow $1 hddtemp_t:process { ptrace signal_perms }; - ps_process_pattern($1, hddtemp_t) - - init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 hddtemp_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, hddtemp_etc_t) - files_list_etc($1) -') diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te deleted file mode 100644 index 1647fc4..0000000 --- a/policy/modules/services/hddtemp.te +++ /dev/null @@ -1,48 +0,0 @@ -policy_module(hddtemp, 1.0.1) - -######################################## -# -# Declarations -# - -type hddtemp_t; -type hddtemp_exec_t; -init_daemon_domain(hddtemp_t, hddtemp_exec_t) - -type hddtemp_initrc_exec_t; -init_script_file(hddtemp_initrc_exec_t) - -type hddtemp_etc_t; -files_config_file(hddtemp_etc_t) - -######################################## -# -# hddtemp local policy -# - -allow hddtemp_t self:capability sys_rawio; -dontaudit hddtemp_t self:capability sys_admin; -allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms; -allow hddtemp_t self:tcp_socket create_stream_socket_perms; -allow hddtemp_t self:udp_socket create_socket_perms; - -allow hddtemp_t hddtemp_etc_t:file read_file_perms; - -corenet_all_recvfrom_unlabeled(hddtemp_t) -corenet_all_recvfrom_netlabel(hddtemp_t) -corenet_tcp_sendrecv_generic_if(hddtemp_t) -corenet_tcp_sendrecv_generic_node(hddtemp_t) -corenet_tcp_bind_generic_node(hddtemp_t) -corenet_tcp_sendrecv_all_ports(hddtemp_t) -corenet_tcp_bind_hddtemp_port(hddtemp_t) -corenet_sendrecv_hddtemp_server_packets(hddtemp_t) -corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) - -files_search_etc(hddtemp_t) -files_read_usr_files(hddtemp_t) - -storage_raw_read_fixed_disk(hddtemp_t) - -logging_send_syslog_msg(hddtemp_t) - -miscfiles_read_localization(hddtemp_t) diff --git a/policy/modules/services/howl.fc b/policy/modules/services/howl.fc deleted file mode 100644 index faf9146..0000000 --- a/policy/modules/services/howl.fc +++ /dev/null @@ -1,5 +0,0 @@ - -/usr/bin/mDNSResponder -- gen_context(system_u:object_r:howl_exec_t,s0) -/usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0) - -/var/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0) diff --git a/policy/modules/services/howl.if b/policy/modules/services/howl.if deleted file mode 100644 index 9164dd2..0000000 --- a/policy/modules/services/howl.if +++ /dev/null @@ -1,19 +0,0 @@ -## Port of Apple Rendezvous multicast DNS - -######################################## -## -## Send generic signals to howl. -## -## -## -## Domain allowed access. -## -## -# -interface(`howl_signal',` - gen_require(` - type howl_t; - ') - - allow $1 howl_t:process signal; -') diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te deleted file mode 100644 index 6ad2d3c..0000000 --- a/policy/modules/services/howl.te +++ /dev/null @@ -1,80 +0,0 @@ -policy_module(howl, 1.9.0) - -######################################## -# -# Declarations -# - -type howl_t; -type howl_exec_t; -init_daemon_domain(howl_t, howl_exec_t) - -type howl_var_run_t; -files_pid_file(howl_var_run_t) - -######################################## -# -# Local policy -# - -allow howl_t self:capability { kill net_admin }; -dontaudit howl_t self:capability sys_tty_config; -allow howl_t self:process signal_perms; -allow howl_t self:fifo_file rw_fifo_file_perms; -allow howl_t self:tcp_socket create_stream_socket_perms; -allow howl_t self:udp_socket create_socket_perms; - -manage_files_pattern(howl_t, howl_var_run_t, howl_var_run_t) -files_pid_filetrans(howl_t, howl_var_run_t, file) - -kernel_read_network_state(howl_t) -kernel_read_kernel_sysctls(howl_t) -kernel_request_load_module(howl_t) -kernel_list_proc(howl_t) -kernel_read_proc_symlinks(howl_t) - -corenet_all_recvfrom_unlabeled(howl_t) -corenet_all_recvfrom_netlabel(howl_t) -corenet_tcp_sendrecv_generic_if(howl_t) -corenet_udp_sendrecv_generic_if(howl_t) -corenet_tcp_sendrecv_generic_node(howl_t) -corenet_udp_sendrecv_generic_node(howl_t) -corenet_tcp_sendrecv_all_ports(howl_t) -corenet_udp_sendrecv_all_ports(howl_t) -corenet_tcp_bind_generic_node(howl_t) -corenet_udp_bind_generic_node(howl_t) -corenet_tcp_bind_howl_port(howl_t) -corenet_udp_bind_howl_port(howl_t) -corenet_sendrecv_howl_server_packets(howl_t) - -dev_read_sysfs(howl_t) - -fs_getattr_all_fs(howl_t) -fs_search_auto_mountpoints(howl_t) - -domain_use_interactive_fds(howl_t) - -files_read_etc_files(howl_t) - -init_rw_utmp(howl_t) - -logging_send_syslog_msg(howl_t) - -miscfiles_read_localization(howl_t) - -sysnet_read_config(howl_t) - -userdom_dontaudit_use_unpriv_user_fds(howl_t) -userdom_dontaudit_search_user_home_dirs(howl_t) - -optional_policy(` - nis_use_ypbind(howl_t) -') - -optional_policy(` - seutil_sigchld_newrole(howl_t) -') - -optional_policy(` - udev_read_db(howl_t) -') diff --git a/policy/modules/services/i18n_input.fc b/policy/modules/services/i18n_input.fc deleted file mode 100644 index 024eb18..0000000 --- a/policy/modules/services/i18n_input.fc +++ /dev/null @@ -1,19 +0,0 @@ -# -# /usr -# - -/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0) - -/usr/lib/iiim/iiim-xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0) - -/usr/sbin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/sbin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0) - -# -# /var -# - -/var/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0) diff --git a/policy/modules/services/i18n_input.if b/policy/modules/services/i18n_input.if deleted file mode 100644 index bc7de4f..0000000 --- a/policy/modules/services/i18n_input.if +++ /dev/null @@ -1,15 +0,0 @@ -## IIIMF htt server - -######################################## -## -## Use i18n_input over a TCP connection. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`i18n_use',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te deleted file mode 100644 index 5fc89c4..0000000 --- a/policy/modules/services/i18n_input.te +++ /dev/null @@ -1,102 +0,0 @@ -policy_module(i18n_input, 1.8.0) - -######################################## -# -# Declarations -# - -type i18n_input_t; -type i18n_input_exec_t; -init_daemon_domain(i18n_input_t, i18n_input_exec_t) - -type i18n_input_var_run_t; -files_pid_file(i18n_input_var_run_t) - -######################################## -# -# i18n_input local policy -# - -allow i18n_input_t self:capability { kill setgid setuid }; -dontaudit i18n_input_t self:capability sys_tty_config; -allow i18n_input_t self:process { signal_perms setsched setpgid }; -allow i18n_input_t self:fifo_file rw_fifo_file_perms; -allow i18n_input_t self:unix_dgram_socket create_socket_perms; -allow i18n_input_t self:unix_stream_socket create_stream_socket_perms; -allow i18n_input_t self:tcp_socket create_stream_socket_perms; -allow i18n_input_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -manage_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -manage_sock_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file) - -can_exec(i18n_input_t, i18n_input_exec_t) - -kernel_read_kernel_sysctls(i18n_input_t) -kernel_read_system_state(i18n_input_t) - -corenet_all_recvfrom_unlabeled(i18n_input_t) -corenet_all_recvfrom_netlabel(i18n_input_t) -corenet_tcp_sendrecv_generic_if(i18n_input_t) -corenet_udp_sendrecv_generic_if(i18n_input_t) -corenet_tcp_sendrecv_generic_node(i18n_input_t) -corenet_udp_sendrecv_generic_node(i18n_input_t) -corenet_tcp_sendrecv_all_ports(i18n_input_t) -corenet_udp_sendrecv_all_ports(i18n_input_t) -corenet_tcp_bind_generic_node(i18n_input_t) -corenet_tcp_bind_i18n_input_port(i18n_input_t) -corenet_tcp_connect_all_ports(i18n_input_t) -corenet_sendrecv_i18n_input_server_packets(i18n_input_t) -corenet_sendrecv_all_client_packets(i18n_input_t) - -dev_read_sysfs(i18n_input_t) - -fs_getattr_all_fs(i18n_input_t) -fs_search_auto_mountpoints(i18n_input_t) - -corecmd_search_bin(i18n_input_t) -corecmd_exec_bin(i18n_input_t) - -domain_use_interactive_fds(i18n_input_t) - -files_read_etc_files(i18n_input_t) -files_read_etc_runtime_files(i18n_input_t) -files_read_usr_files(i18n_input_t) - -init_stream_connect_script(i18n_input_t) - -logging_send_syslog_msg(i18n_input_t) - -miscfiles_read_localization(i18n_input_t) - -sysnet_read_config(i18n_input_t) - -userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) -userdom_read_user_home_content_files(i18n_input_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(i18n_input_t) - fs_read_nfs_symlinks(i18n_input_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(i18n_input_t) - fs_read_cifs_symlinks(i18n_input_t) -') - -optional_policy(` - canna_stream_connect(i18n_input_t) -') - -optional_policy(` - nis_use_ypbind(i18n_input_t) -') - -optional_policy(` - seutil_sigchld_newrole(i18n_input_t) -') - -optional_policy(` - udev_read_db(i18n_input_t) -') diff --git a/policy/modules/services/icecast.fc b/policy/modules/services/icecast.fc deleted file mode 100644 index a81e090..0000000 --- a/policy/modules/services/icecast.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0) - -/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0) - -/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0) - -/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0) diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if deleted file mode 100644 index 40affd8..0000000 --- a/policy/modules/services/icecast.if +++ /dev/null @@ -1,187 +0,0 @@ -## ShoutCast compatible streaming media server - -######################################## -## -## Execute a domain transition to run icecast. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`icecast_domtrans',` - gen_require(` - type icecast_t, icecast_exec_t; - ') - - domtrans_pattern($1, icecast_exec_t, icecast_t) -') - -######################################## -## -## Allow domain signal icecast -## -## -## -## Domain allowed access. -## -## -# -interface(`icecast_signal',` - gen_require(` - type icecast_t; - ') - - allow $1 icecast_t:process signal; -') - -######################################## -## -## Execute icecast server in the icecast domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`icecast_initrc_domtrans',` - gen_require(` - type icecast_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, icecast_initrc_exec_t) -') - -######################################## -## -## Read icecast PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`icecast_read_pid_files',` - gen_require(` - type icecast_var_run_t; - ') - - files_search_pids($1) - allow $1 icecast_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage icecast pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`icecast_manage_pid_files',` - gen_require(` - type icecast_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t) -') - -######################################## -## -## Allow the specified domain to read icecast's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`icecast_read_log',` - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, icecast_log_t, icecast_log_t) -') - -######################################## -## -## Allow the specified domain to append -## icecast log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`icecast_append_log',` - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, icecast_log_t, icecast_log_t) -') - -######################################## -## -## Allow domain to manage icecast log files -## -## -## -## Domain allow access. -## -## -# -interface(`icecast_manage_log',` - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, icecast_log_t, icecast_log_t) -') - -######################################## -## -## All of the rules required to administrate -## an icecast environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`icecast_admin',` - gen_require(` - type icecast_t, icecast_initrc_exec_t; - ') - - allow $1 icecast_t:process { ptrace signal_perms }; - ps_process_pattern($1, icecast_t) - - # Allow icecast_t to restart the apache service - icecast_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 icecast_initrc_exec_t system_r; - allow $2 system_r; - - icecast_manage_pid_files($1) - icecast_manage_log($1) -') diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te deleted file mode 100644 index 6bf7cc3..0000000 --- a/policy/modules/services/icecast.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(icecast, 1.0.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow icecast to connect to all ports, not just -## sound ports. -##

-##
-gen_tunable(icecast_connect_any, false) - -type icecast_t; -type icecast_exec_t; -init_daemon_domain(icecast_t, icecast_exec_t) - -type icecast_initrc_exec_t; -init_script_file(icecast_initrc_exec_t) - -type icecast_var_run_t; -files_pid_file(icecast_var_run_t) - -type icecast_log_t; -logging_log_file(icecast_log_t) - -######################################## -# -# icecast local policy -# - -allow icecast_t self:capability { dac_override setgid setuid sys_nice }; -allow icecast_t self:process { getsched fork setsched signal }; -allow icecast_t self:fifo_file rw_fifo_file_perms; -allow icecast_t self:unix_stream_socket create_stream_socket_perms; -allow icecast_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t) -manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t) -logging_log_filetrans(icecast_t, icecast_log_t, { file dir }) - -manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) -manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) -files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) - -kernel_read_system_state(icecast_t) - -corenet_tcp_bind_soundd_port(icecast_t) -corenet_tcp_connect_soundd_port(icecast_t) - -tunable_policy(`icecast_connect_any',` - corenet_tcp_connect_all_ports(icecast_t) - corenet_tcp_bind_all_ports(icecast_t) - corenet_sendrecv_all_packets(icecast_t) -') - -# Init script handling -domain_use_interactive_fds(icecast_t) - -files_read_etc_files(icecast_t) - -auth_use_nsswitch(icecast_t) - -miscfiles_read_localization(icecast_t) - -sysnet_dns_name_resolve(icecast_t) - -optional_policy(` - apache_read_sys_content(icecast_t) -') - -optional_policy(` - rtkit_scheduled(icecast_t) -') diff --git a/policy/modules/services/ifplugd.fc b/policy/modules/services/ifplugd.fc deleted file mode 100644 index 2eda96f..0000000 --- a/policy/modules/services/ifplugd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) - -/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) - -/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) - -/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if deleted file mode 100644 index 7665429..0000000 --- a/policy/modules/services/ifplugd.if +++ /dev/null @@ -1,133 +0,0 @@ -## Bring up/down ethernet interfaces based on cable detection. - -######################################## -## -## Execute a domain transition to run ifplugd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ifplugd_domtrans',` - gen_require(` - type ifplugd_t, ifplugd_exec_t; - ') - - domtrans_pattern($1, ifplugd_exec_t, ifplugd_t) -') - -######################################## -## -## Send a generic signal to ifplugd -## -## -## -## Domain allowed access. -## -## -# -interface(`ifplugd_signal',` - gen_require(` - type ifplugd_t; - ') - - allow $1 ifplugd_t:process signal; -') - -######################################## -## -## Read ifplugd etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ifplugd_read_config',` - gen_require(` - type ifplugd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) -') - -######################################## -## -## Manage ifplugd etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ifplugd_manage_config',` - gen_require(` - type ifplugd_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) - manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) -') - -######################################## -## -## Read ifplugd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ifplugd_read_pid_files',` - gen_require(` - type ifplugd_var_run_t; - ') - - files_search_pids($1) - allow $1 ifplugd_var_run_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an ifplugd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the ifplugd domain. -## -## -## -# -interface(`ifplugd_admin',` - gen_require(` - type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t; - type ifplugd_initrc_exec_t; - ') - - allow $1 ifplugd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ifplugd_t) - - init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ifplugd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, ifplugd_etc_t) - - files_list_pids($1) - admin_pattern($1, ifplugd_var_run_t) -') diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te deleted file mode 100644 index 978c32f..0000000 --- a/policy/modules/services/ifplugd.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(ifplugd, 1.0.0) - -######################################## -# -# Declarations -# - -type ifplugd_t; -type ifplugd_exec_t; -init_daemon_domain(ifplugd_t, ifplugd_exec_t) - -# config files -type ifplugd_etc_t; -files_type(ifplugd_etc_t) - -type ifplugd_initrc_exec_t; -init_script_file(ifplugd_initrc_exec_t) - -# pid files -type ifplugd_var_run_t; -files_pid_file(ifplugd_var_run_t) - -######################################## -# -# ifplugd local policy -# - -allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; -dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; -allow ifplugd_t self:process { signal signull }; -allow ifplugd_t self:fifo_file rw_fifo_file_perms; -allow ifplugd_t self:tcp_socket create_stream_socket_perms; -allow ifplugd_t self:udp_socket create_socket_perms; -allow ifplugd_t self:packet_socket create_socket_perms; -allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms; - -# pid file -manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t) -manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t) -files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file }) - -# config files -read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t) -exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t) - -kernel_read_system_state(ifplugd_t) -kernel_read_network_state(ifplugd_t) -kernel_rw_net_sysctls(ifplugd_t) -kernel_read_kernel_sysctls(ifplugd_t) - -corecmd_exec_shell(ifplugd_t) -corecmd_exec_bin(ifplugd_t) - -# reading of hardware information -dev_read_sysfs(ifplugd_t) - -domain_read_confined_domains_state(ifplugd_t) -domain_dontaudit_read_all_domains_state(ifplugd_t) - -auth_use_nsswitch(ifplugd_t) - -logging_send_syslog_msg(ifplugd_t) - -miscfiles_read_localization(ifplugd_t) - -netutils_domtrans(ifplugd_t) -# transition to ifconfig & dhcpc -sysnet_domtrans_ifconfig(ifplugd_t) -sysnet_domtrans_dhcpc(ifplugd_t) -sysnet_delete_dhcpc_pid(ifplugd_t) -sysnet_read_dhcpc_pid(ifplugd_t) -sysnet_signal_dhcpc(ifplugd_t) - -optional_policy(` - consoletype_exec(ifplugd_t) -') diff --git a/policy/modules/services/imaze.fc b/policy/modules/services/imaze.fc deleted file mode 100644 index 8d455ba..0000000 --- a/policy/modules/services/imaze.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0) -/usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0) - -/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0) diff --git a/policy/modules/services/imaze.if b/policy/modules/services/imaze.if deleted file mode 100644 index 8eb9ec3..0000000 --- a/policy/modules/services/imaze.if +++ /dev/null @@ -1 +0,0 @@ -## iMaze game server diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te deleted file mode 100644 index 0778af8..0000000 --- a/policy/modules/services/imaze.te +++ /dev/null @@ -1,99 +0,0 @@ -policy_module(imaze, 1.7.0) - -######################################## -# -# Declarations -# - -type imazesrv_t; -type imazesrv_exec_t; -init_daemon_domain(imazesrv_t, imazesrv_exec_t) - -type imazesrv_data_t; -files_type(imazesrv_data_t) - -type imazesrv_data_labs_t; -files_type(imazesrv_data_labs_t) - -type imazesrv_log_t; -logging_log_file(imazesrv_log_t) - -type imazesrv_var_run_t; -files_pid_file(imazesrv_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit imazesrv_t self:capability sys_tty_config; -allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow imazesrv_t self:fd use; -allow imazesrv_t self:fifo_file rw_fifo_file_perms; -allow imazesrv_t self:unix_dgram_socket { create_socket_perms sendto }; -allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow imazesrv_t self:shm create_shm_perms; -allow imazesrv_t self:sem create_sem_perms; -allow imazesrv_t self:msgq create_msgq_perms; -allow imazesrv_t self:msg { send receive }; -allow imazesrv_t self:tcp_socket create_stream_socket_perms; -allow imazesrv_t self:udp_socket create_socket_perms; - -allow imazesrv_t imazesrv_data_t:dir list_dir_perms; -read_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t) -read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t) - -allow imazesrv_t imazesrv_log_t:file manage_file_perms; -allow imazesrv_t imazesrv_log_t:dir add_entry_dir_perms; -logging_log_filetrans(imazesrv_t, imazesrv_log_t, file) - -manage_files_pattern(imazesrv_t, imazesrv_var_run_t, imazesrv_var_run_t) -files_pid_filetrans(imazesrv_t, imazesrv_var_run_t, file) - -kernel_read_kernel_sysctls(imazesrv_t) -kernel_list_proc(imazesrv_t) -kernel_read_proc_symlinks(imazesrv_t) - -corenet_all_recvfrom_unlabeled(imazesrv_t) -corenet_all_recvfrom_netlabel(imazesrv_t) -corenet_tcp_sendrecv_generic_if(imazesrv_t) -corenet_udp_sendrecv_generic_if(imazesrv_t) -corenet_tcp_sendrecv_generic_node(imazesrv_t) -corenet_udp_sendrecv_generic_node(imazesrv_t) -corenet_tcp_sendrecv_all_ports(imazesrv_t) -corenet_udp_sendrecv_all_ports(imazesrv_t) -corenet_tcp_bind_generic_node(imazesrv_t) -corenet_udp_bind_generic_node(imazesrv_t) -corenet_tcp_bind_imaze_port(imazesrv_t) -corenet_udp_bind_imaze_port(imazesrv_t) -corenet_sendrecv_imaze_server_packets(imazesrv_t) - -dev_read_sysfs(imazesrv_t) - -domain_use_interactive_fds(imazesrv_t) - -files_read_etc_files(imazesrv_t) - -fs_getattr_all_fs(imazesrv_t) -fs_search_auto_mountpoints(imazesrv_t) - -logging_send_syslog_msg(imazesrv_t) - -miscfiles_read_localization(imazesrv_t) - -sysnet_read_config(imazesrv_t) - -userdom_use_unpriv_users_fds(imazesrv_t) -userdom_dontaudit_search_user_home_dirs(imazesrv_t) - -optional_policy(` - nis_use_ypbind(imazesrv_t) -') - -optional_policy(` - seutil_sigchld_newrole(imazesrv_t) -') - -optional_policy(` - udev_read_db(imazesrv_t) -') diff --git a/policy/modules/services/inetd.fc b/policy/modules/services/inetd.fc deleted file mode 100644 index 39d5baa..0000000 --- a/policy/modules/services/inetd.fc +++ /dev/null @@ -1,12 +0,0 @@ - -/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0) -/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0) -/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0) - -/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0) -/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) -/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) - -/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0) - -/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if deleted file mode 100644 index 6985546..0000000 --- a/policy/modules/services/inetd.if +++ /dev/null @@ -1,204 +0,0 @@ -## Internet services daemon. - -######################################## -## -## Define the specified domain as a inetd service. -## -## -##

-## Define the specified domain as a inetd service. The -## inetd_service_domain(), inetd_tcp_service_domain(), -## or inetd_udp_service_domain() interfaces should be used -## instead of this interface, as this interface only provides -## the common rules to these three interfaces. -##

-##
-## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`inetd_core_service_domain',` - gen_require(` - type inetd_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(inetd_t, $2, $1) - allow inetd_t $1:process { siginh sigkill }; -') - -######################################## -## -## Define the specified domain as a TCP inetd service. -## -## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`inetd_tcp_service_domain',` - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; -') - -######################################## -## -## Define the specified domain as a UDP inetd service. -## -## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`inetd_udp_service_domain',` - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:udp_socket rw_socket_perms; -') - -######################################## -## -## Define the specified domain as a TCP and UDP inetd service. -## -## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`inetd_service_domain',` - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; - allow $1 inetd_t:udp_socket rw_socket_perms; - - # encrypt the service through stunnel - optional_policy(` - stunnel_service_domain($1, $2) - ') -') - -######################################## -## -## Inherit and use file descriptors from inetd. -## -## -## -## Domain allowed access. -## -## -# -interface(`inetd_use_fds',` - gen_require(` - type inetd_t; - ') - - allow $1 inetd_t:fd use; -') - -######################################## -## -## Connect to the inetd service using a TCP connection. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`inetd_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Run inetd child process in the inet child domain -## -## -## -## Domain allowed to transition. -## -## -# -interface(`inetd_domtrans_child',` - gen_require(` - type inetd_child_t, inetd_child_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, inetd_child_exec_t, inetd_child_t) -') - -######################################## -## -## Send UDP network traffic to inetd. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`inetd_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read and write inetd TCP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`inetd_rw_tcp_sockets',` - gen_require(` - type inetd_t; - ') - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; -') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te deleted file mode 100644 index c51a7b2..0000000 --- a/policy/modules/services/inetd.te +++ /dev/null @@ -1,242 +0,0 @@ -policy_module(inetd, 1.11.0) - -######################################## -# -# Declarations -# - -type inetd_t; -type inetd_exec_t; -init_daemon_domain(inetd_t, inetd_exec_t) - -type inetd_log_t; -logging_log_file(inetd_log_t) - -type inetd_tmp_t; -files_tmp_file(inetd_tmp_t) - -type inetd_var_run_t; -files_pid_file(inetd_var_run_t) - -type inetd_child_t; -type inetd_child_exec_t; -inetd_service_domain(inetd_child_t, inetd_child_exec_t) -role system_r types inetd_child_t; - -type inetd_child_tmp_t; -files_tmp_file(inetd_child_tmp_t) - -type inetd_child_var_run_t; -files_pid_file(inetd_child_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# Local policy -# - -allow inetd_t self:capability { setuid setgid }; -dontaudit inetd_t self:capability sys_tty_config; -allow inetd_t self:process { setsched setexec }; -allow inetd_t self:fifo_file rw_fifo_file_perms; -allow inetd_t self:tcp_socket create_stream_socket_perms; -allow inetd_t self:udp_socket create_socket_perms; -allow inetd_t self:fd use; - -allow inetd_t inetd_log_t:file manage_file_perms; -logging_log_filetrans(inetd_t, inetd_log_t, file) - -manage_dirs_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t) -manage_files_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t) -files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir }) - -allow inetd_t inetd_var_run_t:file manage_file_perms; -files_pid_filetrans(inetd_t, inetd_var_run_t, file) - -kernel_read_kernel_sysctls(inetd_t) -kernel_list_proc(inetd_t) -kernel_read_proc_symlinks(inetd_t) -kernel_read_system_state(inetd_t) -kernel_tcp_recvfrom_unlabeled(inetd_t) - -corecmd_bin_domtrans(inetd_t, inetd_child_t) - -# base networking: -corenet_all_recvfrom_unlabeled(inetd_t) -corenet_all_recvfrom_netlabel(inetd_t) -corenet_tcp_sendrecv_generic_if(inetd_t) -corenet_udp_sendrecv_generic_if(inetd_t) -corenet_tcp_sendrecv_generic_node(inetd_t) -corenet_udp_sendrecv_generic_node(inetd_t) -corenet_tcp_sendrecv_all_ports(inetd_t) -corenet_udp_sendrecv_all_ports(inetd_t) -corenet_tcp_bind_generic_node(inetd_t) -corenet_udp_bind_generic_node(inetd_t) -corenet_tcp_connect_all_ports(inetd_t) -corenet_sendrecv_all_client_packets(inetd_t) - -# listen on service ports: -corenet_tcp_bind_amanda_port(inetd_t) -corenet_udp_bind_amanda_port(inetd_t) -corenet_tcp_bind_auth_port(inetd_t) -corenet_udp_bind_comsat_port(inetd_t) -corenet_tcp_bind_dbskkd_port(inetd_t) -corenet_udp_bind_dbskkd_port(inetd_t) -corenet_tcp_bind_ftp_port(inetd_t) -corenet_udp_bind_ftp_port(inetd_t) -corenet_tcp_bind_inetd_child_port(inetd_t) -corenet_udp_bind_inetd_child_port(inetd_t) -corenet_tcp_bind_ircd_port(inetd_t) -corenet_udp_bind_ktalkd_port(inetd_t) -corenet_tcp_bind_printer_port(inetd_t) -corenet_udp_bind_rlogind_port(inetd_t) -corenet_udp_bind_rsh_port(inetd_t) -corenet_tcp_bind_rsh_port(inetd_t) -corenet_tcp_bind_rsync_port(inetd_t) -corenet_udp_bind_rsync_port(inetd_t) -#corenet_tcp_bind_stunnel_port(inetd_t) -corenet_tcp_bind_swat_port(inetd_t) -corenet_udp_bind_swat_port(inetd_t) -corenet_tcp_bind_telnetd_port(inetd_t) -corenet_udp_bind_tftp_port(inetd_t) -corenet_tcp_bind_ssh_port(inetd_t) -corenet_tcp_bind_git_port(inetd_t) -corenet_udp_bind_git_port(inetd_t) - -# service port packets: -corenet_sendrecv_amanda_server_packets(inetd_t) -corenet_sendrecv_auth_server_packets(inetd_t) -corenet_sendrecv_comsat_server_packets(inetd_t) -corenet_sendrecv_dbskkd_server_packets(inetd_t) -corenet_sendrecv_ftp_server_packets(inetd_t) -corenet_sendrecv_inetd_child_server_packets(inetd_t) -corenet_sendrecv_ircd_server_packets(inetd_t) -corenet_sendrecv_ktalkd_server_packets(inetd_t) -corenet_sendrecv_printer_server_packets(inetd_t) -corenet_sendrecv_rsh_server_packets(inetd_t) -corenet_sendrecv_rsync_server_packets(inetd_t) -#corenet_sendrecv_stunnel_server_packets(inetd_t) -corenet_sendrecv_swat_server_packets(inetd_t) -corenet_sendrecv_tftp_server_packets(inetd_t) - -dev_read_sysfs(inetd_t) - -fs_getattr_all_fs(inetd_t) -fs_search_auto_mountpoints(inetd_t) - -selinux_validate_context(inetd_t) -selinux_compute_create_context(inetd_t) - -# Run other daemons in the inetd_child_t domain. -corecmd_search_bin(inetd_t) -corecmd_read_bin_symlinks(inetd_t) - -domain_use_interactive_fds(inetd_t) - -files_read_etc_files(inetd_t) -files_read_etc_runtime_files(inetd_t) - -auth_use_nsswitch(inetd_t) - -logging_send_syslog_msg(inetd_t) - -miscfiles_read_localization(inetd_t) - -# xinetd needs MLS override privileges to work -mls_fd_share_all_levels(inetd_t) -mls_socket_read_to_clearance(inetd_t) -mls_socket_write_to_clearance(inetd_t) -mls_process_set_level(inetd_t) - -sysnet_read_config(inetd_t) - -userdom_dontaudit_use_unpriv_user_fds(inetd_t) -userdom_dontaudit_search_user_home_dirs(inetd_t) - -ifdef(`distro_redhat',` - optional_policy(` - unconfined_domain(inetd_t) - ') -') - -ifdef(`enable_mls',` - corenet_tcp_recvfrom_netlabel(inetd_t) - corenet_udp_recvfrom_netlabel(inetd_t) -') - -optional_policy(` - amanda_search_lib(inetd_t) -') - -optional_policy(` - seutil_sigchld_newrole(inetd_t) -') - -optional_policy(` - udev_read_db(inetd_t) -') - -optional_policy(` - unconfined_domtrans(inetd_t) -') - -######################################## -# -# inetd child local_policy -# - -allow inetd_child_t self:process signal_perms; -allow inetd_child_t self:fifo_file rw_fifo_file_perms; -allow inetd_child_t self:tcp_socket connected_stream_socket_perms; -allow inetd_child_t self:udp_socket create_socket_perms; - -# for identd -allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow inetd_child_t self:capability { setuid setgid }; -files_search_home(inetd_child_t) - -manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) -manage_files_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) -files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir }) - -manage_files_pattern(inetd_child_t, inetd_child_var_run_t, inetd_child_var_run_t) -files_pid_filetrans(inetd_child_t, inetd_child_var_run_t, file) - -kernel_read_kernel_sysctls(inetd_child_t) -kernel_read_system_state(inetd_child_t) -kernel_read_network_state(inetd_child_t) - -corenet_all_recvfrom_unlabeled(inetd_child_t) -corenet_all_recvfrom_netlabel(inetd_child_t) -corenet_tcp_sendrecv_generic_if(inetd_child_t) -corenet_udp_sendrecv_generic_if(inetd_child_t) -corenet_tcp_sendrecv_generic_node(inetd_child_t) -corenet_udp_sendrecv_generic_node(inetd_child_t) -corenet_tcp_sendrecv_all_ports(inetd_child_t) -corenet_udp_sendrecv_all_ports(inetd_child_t) - -dev_read_urand(inetd_child_t) - -fs_getattr_xattr_fs(inetd_child_t) - -files_read_etc_files(inetd_child_t) -files_read_etc_runtime_files(inetd_child_t) - -auth_use_nsswitch(inetd_child_t) - -logging_send_syslog_msg(inetd_child_t) - -miscfiles_read_localization(inetd_child_t) - -sysnet_read_config(inetd_child_t) - -optional_policy(` - kerberos_use(inetd_child_t) -') - -optional_policy(` - unconfined_domain(inetd_child_t) -') diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc deleted file mode 100644 index 8ca038d..0000000 --- a/policy/modules/services/inn.fc +++ /dev/null @@ -1,67 +0,0 @@ - -# -# /etc -# -/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0) -/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0) -/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0) - -/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0) - -/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0) - -/usr/lib(64)?/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0) - -# cjp: split these to fix an ordering -# problem with a match in corecommands -/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib64/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib64/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0) - -/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0) - -/var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) -/var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) - -/var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0) diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if deleted file mode 100644 index 2f3d8dc..0000000 --- a/policy/modules/services/inn.if +++ /dev/null @@ -1,227 +0,0 @@ -## Internet News NNTP server - -######################################## -## -## Allow the specified domain to execute innd -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_exec',` - gen_require(` - type innd_t; - ') - - can_exec($1, innd_exec_t) -') - -######################################## -## -## Allow the specified domain to execute -## inn configuration files in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_exec_config',` - gen_require(` - type innd_etc_t; - ') - - can_exec($1, innd_etc_t) -') - -######################################## -## -## Create, read, write, and delete the innd log. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_manage_log',` - gen_require(` - type innd_log_t; - ') - - logging_rw_generic_log_dirs($1) - manage_files_pattern($1, innd_log_t, innd_log_t) -') - -######################################## -## -## Create, read, write, and delete the innd pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_manage_pid',` - gen_require(` - type innd_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, innd_var_run_t, innd_var_run_t) - manage_lnk_files_pattern($1, innd_var_run_t, innd_var_run_t) -') - -######################################## -## -## Read innd configuration files. -## -## -## -## Domain allowed access. -## -## - -# -interface(`inn_read_config',` - gen_require(` - type innd_etc_t; - ') - - files_search_etc($1) - allow $1 innd_etc_t:dir list_dir_perms; - allow $1 innd_etc_t:file read_file_perms; - allow $1 innd_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Read innd news library files. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_read_news_lib',` - gen_require(` - type innd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 innd_var_lib_t:dir list_dir_perms; - allow $1 innd_var_lib_t:file read_file_perms; - allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Read innd news library files. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_read_news_spool',` - gen_require(` - type news_spool_t; - ') - - files_search_spool($1) - allow $1 news_spool_t:dir list_dir_perms; - allow $1 news_spool_t:file read_file_perms; - allow $1 news_spool_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Send to a innd unix dgram socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_dgram_send',` - gen_require(` - type innd_t; - ') - - allow $1 innd_t:unix_dgram_socket sendto; -') - -######################################## -## -## Execute inn in the inn domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`inn_domtrans',` - gen_require(` - type innd_t, innd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, innd_exec_t, innd_t) -') - -######################################## -## -## All of the rules required to administrate -## an inn environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the inn domain. -## -## -## -# -interface(`inn_admin',` - gen_require(` - type innd_t, innd_etc_t, innd_log_t; - type news_spool_t, innd_var_lib_t, innd_var_run_t; - type innd_initrc_exec_t; - ') - - allow $1 innd_t:process { ptrace signal_perms }; - ps_process_pattern($1, innd_t) - - init_labeled_script_domtrans($1, innd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 innd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, innd_etc_t) - - logging_list_logs($1) - admin_pattern($1, innd_log_t) - - files_list_var_lib($1) - admin_pattern($1, innd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, innd_var_run_t) - - files_list_spool($1) - admin_pattern($1, news_spool_t) -') diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te deleted file mode 100644 index dc7dd01..0000000 --- a/policy/modules/services/inn.te +++ /dev/null @@ -1,132 +0,0 @@ -policy_module(inn, 1.9.0) - -######################################## -# -# Declarations -# - -type innd_t; -type innd_exec_t; -init_daemon_domain(innd_t, innd_exec_t) - -type innd_etc_t; -files_config_file(innd_etc_t) - -type innd_initrc_exec_t; -init_script_file(innd_initrc_exec_t) - -type innd_log_t; -logging_log_file(innd_log_t) - -type innd_var_lib_t; -files_type(innd_var_lib_t) - -type innd_var_run_t; -files_pid_file(innd_var_run_t) - -type news_spool_t; -files_mountpoint(news_spool_t) - -######################################## -# -# Local policy -# - -allow innd_t self:capability { dac_override kill setgid setuid }; -dontaudit innd_t self:capability sys_tty_config; -allow innd_t self:process { setsched signal_perms }; -allow innd_t self:fifo_file rw_fifo_file_perms; -allow innd_t self:unix_dgram_socket { sendto create_socket_perms }; -allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow innd_t self:tcp_socket create_stream_socket_perms; -allow innd_t self:udp_socket create_socket_perms; -allow innd_t self:netlink_route_socket r_netlink_socket_perms; - -read_files_pattern(innd_t, innd_etc_t, innd_etc_t) -read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) - -can_exec(innd_t, innd_exec_t) - -manage_files_pattern(innd_t, innd_log_t, innd_log_t) -allow innd_t innd_log_t:dir setattr_dir_perms; -logging_log_filetrans(innd_t, innd_log_t, file) - -manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) -manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) -files_var_lib_filetrans(innd_t, innd_var_lib_t, file) - -manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) -manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) -manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) -files_pid_filetrans(innd_t, innd_var_run_t, { dir file }) - -manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) -manage_files_pattern(innd_t, news_spool_t, news_spool_t) -manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t) - -kernel_read_kernel_sysctls(innd_t) -kernel_read_system_state(innd_t) - -corenet_all_recvfrom_unlabeled(innd_t) -corenet_all_recvfrom_netlabel(innd_t) -corenet_tcp_sendrecv_generic_if(innd_t) -corenet_udp_sendrecv_generic_if(innd_t) -corenet_tcp_sendrecv_generic_node(innd_t) -corenet_udp_sendrecv_generic_node(innd_t) -corenet_tcp_sendrecv_all_ports(innd_t) -corenet_udp_sendrecv_all_ports(innd_t) -corenet_tcp_bind_generic_node(innd_t) -corenet_tcp_bind_innd_port(innd_t) -corenet_tcp_connect_all_ports(innd_t) -corenet_sendrecv_innd_server_packets(innd_t) -corenet_sendrecv_all_client_packets(innd_t) - -dev_read_sysfs(innd_t) -dev_read_urand(innd_t) - -fs_getattr_all_fs(innd_t) -fs_search_auto_mountpoints(innd_t) - -corecmd_exec_bin(innd_t) -corecmd_exec_shell(innd_t) - -domain_use_interactive_fds(innd_t) - -files_list_spool(innd_t) -files_read_etc_files(innd_t) -files_read_etc_runtime_files(innd_t) -files_read_usr_files(innd_t) - -logging_send_syslog_msg(innd_t) - -miscfiles_read_localization(innd_t) - -seutil_dontaudit_search_config(innd_t) - -sysnet_read_config(innd_t) - -userdom_dontaudit_use_unpriv_user_fds(innd_t) -userdom_dontaudit_search_user_home_dirs(innd_t) -userdom_dgram_send(innd_t) - -mta_send_mail(innd_t) - -optional_policy(` - cron_system_entry(innd_t, innd_exec_t) -') - -optional_policy(` - hostname_exec(innd_t) -') - -optional_policy(` - nis_use_ypbind(innd_t) -') - -optional_policy(` - seutil_sigchld_newrole(innd_t) -') - -optional_policy(` - udev_read_db(innd_t) -') diff --git a/policy/modules/services/ircd.fc b/policy/modules/services/ircd.fc deleted file mode 100644 index d733fa8..0000000 --- a/policy/modules/services/ircd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_etc_t,s0) - -/usr/sbin/(dancer-)?ircd -- gen_context(system_u:object_r:ircd_exec_t,s0) - -/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0) -/var/log/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0) -/var/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0) diff --git a/policy/modules/services/ircd.if b/policy/modules/services/ircd.if deleted file mode 100644 index 3f4de83..0000000 --- a/policy/modules/services/ircd.if +++ /dev/null @@ -1 +0,0 @@ -## IRC server diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te deleted file mode 100644 index 75ab1e2..0000000 --- a/policy/modules/services/ircd.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(ircd, 1.7.0) - -######################################## -# -# Declarations -# - -type ircd_t; -type ircd_exec_t; -init_daemon_domain(ircd_t, ircd_exec_t) - -type ircd_etc_t; -files_config_file(ircd_etc_t) - -type ircd_log_t; -logging_log_file(ircd_log_t) - -type ircd_var_lib_t; -files_type(ircd_var_lib_t) - -type ircd_var_run_t; -files_pid_file(ircd_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit ircd_t self:capability sys_tty_config; -allow ircd_t self:process signal_perms; -allow ircd_t self:tcp_socket create_stream_socket_perms; -allow ircd_t self:udp_socket create_socket_perms; - -read_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t) -read_lnk_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t) -files_search_etc(ircd_t) - -manage_files_pattern(ircd_t, ircd_log_t, ircd_log_t) -logging_log_filetrans(ircd_t, ircd_log_t, { file dir }) - -manage_files_pattern(ircd_t, ircd_var_lib_t, ircd_var_lib_t) -files_var_lib_filetrans(ircd_t, ircd_var_lib_t, file) - -manage_files_pattern(ircd_t, ircd_var_run_t, ircd_var_run_t) -files_pid_filetrans(ircd_t, ircd_var_run_t, file) - -kernel_read_system_state(ircd_t) -kernel_read_kernel_sysctls(ircd_t) - -corecmd_search_bin(ircd_t) - -corenet_all_recvfrom_unlabeled(ircd_t) -corenet_all_recvfrom_netlabel(ircd_t) -corenet_tcp_sendrecv_generic_if(ircd_t) -corenet_udp_sendrecv_generic_if(ircd_t) -corenet_tcp_sendrecv_generic_node(ircd_t) -corenet_udp_sendrecv_generic_node(ircd_t) -corenet_tcp_sendrecv_all_ports(ircd_t) -corenet_udp_sendrecv_all_ports(ircd_t) -corenet_tcp_bind_generic_node(ircd_t) -corenet_tcp_bind_ircd_port(ircd_t) -corenet_sendrecv_ircd_server_packets(ircd_t) - -dev_read_sysfs(ircd_t) - -domain_use_interactive_fds(ircd_t) - -files_read_etc_files(ircd_t) -files_read_etc_runtime_files(ircd_t) - -fs_getattr_all_fs(ircd_t) -fs_search_auto_mountpoints(ircd_t) - -logging_send_syslog_msg(ircd_t) - -miscfiles_read_localization(ircd_t) - -sysnet_read_config(ircd_t) - -userdom_dontaudit_use_unpriv_user_fds(ircd_t) -userdom_dontaudit_search_user_home_dirs(ircd_t) - -optional_policy(` - nis_use_ypbind(ircd_t) -') - -optional_policy(` - seutil_sigchld_newrole(ircd_t) -') - -optional_policy(` - udev_read_db(ircd_t) -') diff --git a/policy/modules/services/irqbalance.fc b/policy/modules/services/irqbalance.fc deleted file mode 100644 index 3831075..0000000 --- a/policy/modules/services/irqbalance.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0) diff --git a/policy/modules/services/irqbalance.if b/policy/modules/services/irqbalance.if deleted file mode 100644 index 058fb75..0000000 --- a/policy/modules/services/irqbalance.if +++ /dev/null @@ -1 +0,0 @@ -## IRQ balancing daemon diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te deleted file mode 100644 index 9aeeaf9..0000000 --- a/policy/modules/services/irqbalance.te +++ /dev/null @@ -1,56 +0,0 @@ -policy_module(irqbalance, 1.5.0) - -######################################## -# -# Declarations -# - -type irqbalance_t; -type irqbalance_exec_t; -init_daemon_domain(irqbalance_t, irqbalance_exec_t) - -type irqbalance_var_run_t; -files_pid_file(irqbalance_var_run_t) - -######################################## -# -# Local policy -# - -allow irqbalance_t self:capability { setpcap net_admin }; -dontaudit irqbalance_t self:capability sys_tty_config; -allow irqbalance_t self:process { getcap setcap signal_perms }; -allow irqbalance_t self:udp_socket create_socket_perms; - -manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) -files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) - -kernel_read_network_state(irqbalance_t) -kernel_read_system_state(irqbalance_t) -kernel_read_kernel_sysctls(irqbalance_t) -kernel_rw_irq_sysctls(irqbalance_t) - -dev_read_sysfs(irqbalance_t) - -files_read_etc_files(irqbalance_t) -files_read_etc_runtime_files(irqbalance_t) - -fs_getattr_all_fs(irqbalance_t) -fs_search_auto_mountpoints(irqbalance_t) - -domain_use_interactive_fds(irqbalance_t) - -logging_send_syslog_msg(irqbalance_t) - -miscfiles_read_localization(irqbalance_t) - -userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) -userdom_dontaudit_search_user_home_dirs(irqbalance_t) - -optional_policy(` - seutil_sigchld_newrole(irqbalance_t) -') - -optional_policy(` - udev_read_db(irqbalance_t) -') diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc deleted file mode 100644 index deef4c7..0000000 --- a/policy/modules/services/jabber.fc +++ /dev/null @@ -1,15 +0,0 @@ -/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) - -/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) - -# for new version of jabberd -/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) -/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) - -/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) - - -/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) -/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if deleted file mode 100644 index 9167dc9..0000000 --- a/policy/modules/services/jabber.if +++ /dev/null @@ -1,138 +0,0 @@ -## Jabber instant messaging server - -####################################### -## -## Execute a domain transition to run jabberd services -## -## -## -## Domain allowed to transition. -## -## -# -interface(`jabber_domtrans_jabberd',` - gen_require(` - type jabberd_t, jabberd_exec_t; - ') - - domtrans_pattern($1, jabberd_exec_t, jabberd_t) -') - -###################################### -## -## Execute a domain transition to run jabberd router service -## -## -## -## Domain allowed to transition. -## -## -# -interface(`jabber_domtrans_jabberd_router',` - gen_require(` - type jabberd_router_t, jabberd_router_exec_t; - ') - - domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t) -') - -####################################### -## -## Read jabberd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`jabberd_read_lib_files',` - gen_require(` - type jabberd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) -') - -####################################### -## -## Dontaudit inherited read jabberd lib files. -## -## -## -## Domain to not audit. -## -## -# -interface(`jabberd_dontaudit_read_lib_files',` - gen_require(` - type jabberd_var_lib_t; - ') - - dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms; -') - -####################################### -## -## Create, read, write, and delete -## jabberd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`jabberd_manage_lib_files',` - gen_require(` - type jabberd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an jabber environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the jabber domain. -## -## -## -# -interface(`jabber_admin',` - gen_require(` - type jabberd_t, jabberd_log_t, jabberd_var_lib_t; - type jabberd_var_run_t, jabberd_initrc_exec_t, jabberd_router_t; - ') - - allow $1 jabberd_t:process { ptrace signal_perms }; - ps_process_pattern($1, jabberd_t) - - allow $1 jabberd_router_t:process { ptrace signal_perms }; - ps_process_pattern($1, jabberd_router_t) - - init_labeled_script_domtrans($1, jabberd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 jabberd_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, jabberd_log_t) - - files_list_var_lib($1) - admin_pattern($1, jabberd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, jabberd_var_run_t) -') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te deleted file mode 100644 index e184dff..0000000 --- a/policy/modules/services/jabber.te +++ /dev/null @@ -1,120 +0,0 @@ -policy_module(jabber, 1.8.0) - -######################################## -# -# Declarations -# - -attribute jabberd_domain; - -type jabberd_t, jabberd_domain; -type jabberd_exec_t; -init_daemon_domain(jabberd_t, jabberd_exec_t) - -type jabberd_initrc_exec_t; -init_script_file(jabberd_initrc_exec_t) - -type jabberd_router_t, jabberd_domain; -type jabberd_router_exec_t; -init_daemon_domain(jabberd_router_t, jabberd_router_exec_t) - -type jabberd_log_t; -logging_log_file(jabberd_log_t) - -type jabberd_var_lib_t; -files_type(jabberd_var_lib_t) - -type jabberd_var_run_t; -files_pid_file(jabberd_var_run_t) - -permissive jabberd_router_t; -permissive jabberd_t; - -###################################### -# -# Local policy for jabberd-router and c2s components -# - -allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; - -corenet_tcp_bind_jabber_client_port(jabberd_router_t) -corenet_tcp_bind_jabber_router_port(jabberd_router_t) -corenet_tcp_connect_jabber_router_port(jabberd_router_t) -corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) -corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) - -fs_getattr_all_fs(jabberd_router_t) - -miscfiles_read_certs(jabberd_router_t) - -optional_policy(` - kerberos_use(jabberd_router_t) -') - -optional_policy(` - nis_use_ypbind(jabberd_router_t) -') - -##################################### -# -# Local policy for other jabberd components -# - -kernel_read_system_state(jabberd_t) - -corenet_tcp_bind_jabber_interserver_port(jabberd_t) -corenet_tcp_connect_jabber_router_port(jabberd_t) - -userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -userdom_dontaudit_search_user_home_dirs(jabberd_t) - -optional_policy(` - seutil_sigchld_newrole(jabberd_t) -') - -optional_policy(` - udev_read_db(jabberd_t) -') - -####################################### -# -# Local policy for jabberd domains -# - -allow jabberd_domain self:process signal_perms; -allow jabberd_domain self:fifo_file read_fifo_file_perms; -allow jabberd_domain self:tcp_socket create_stream_socket_perms; -allow jabberd_domain self:udp_socket create_socket_perms; - -manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) -manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) - -# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd -manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t) -logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir }) - -manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t) -files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file) - -corenet_all_recvfrom_unlabeled(jabberd_domain) -corenet_all_recvfrom_netlabel(jabberd_domain) -corenet_tcp_sendrecv_generic_if(jabberd_domain) -corenet_udp_sendrecv_generic_if(jabberd_domain) -corenet_tcp_sendrecv_generic_node(jabberd_domain) -corenet_udp_sendrecv_generic_node(jabberd_domain) -corenet_tcp_sendrecv_all_ports(jabberd_domain) -corenet_udp_sendrecv_all_ports(jabberd_domain) -corenet_tcp_bind_generic_node(jabberd_domain) - -dev_read_urand(jabberd_domain) -dev_read_urand(jabberd_domain) -dev_read_sysfs(jabberd_domain) - -files_read_etc_files(jabberd_domain) -files_read_etc_runtime_files(jabberd_domain) - -logging_send_syslog_msg(jabberd_domain) - -miscfiles_read_localization(jabberd_domain) - -sysnet_read_config(jabberd_domain) diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc deleted file mode 100644 index e5db539..0000000 --- a/policy/modules/services/kerberos.fc +++ /dev/null @@ -1,33 +0,0 @@ -HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - -/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) -/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0) - -/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - -/etc/rc\.d/init\.d/kadmin -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - -/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) - -/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - -/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) - -/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) -/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) - -/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if deleted file mode 100644 index 8c72504..0000000 --- a/policy/modules/services/kerberos.if +++ /dev/null @@ -1,378 +0,0 @@ -## MIT Kerberos admin and KDC -## -##

-## This policy supports: -##

-##

-## Servers: -##

    -##
  • kadmind
  • -##
  • krb5kdc
  • -##
-##

-##

-## Clients: -##

    -##
  • kinit
  • -##
  • kdestroy
  • -##
  • klist
  • -##
  • ksu (incomplete)
  • -##
-##

-##
- -######################################## -## -## Execute kadmind in the current domain -## -## -## -## Domain allowed access. -## -## -# -interface(`kerberos_exec_kadmind',` - gen_require(` - type kadmind_exec_t; - ') - - can_exec($1, kadmind_exec_t) -') - -######################################## -## -## Execute a domain transition to run kpropd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kerberos_domtrans_kpropd',` - gen_require(` - type kpropd_t, kpropd_exec_t; - ') - - domtrans_pattern($1, kpropd_exec_t, kpropd_t) -') - -######################################## -## -## Use kerberos services -## -## -## -## Domain allowed access. -## -## -# -interface(`kerberos_use',` - gen_require(` - type krb5_conf_t, krb5kdc_conf_t, krb5_host_rcache_t; - ') - - files_search_etc($1) - read_files_pattern($1, krb5_conf_t, krb5_conf_t) - dontaudit $1 krb5_conf_t:file write; - dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; - dontaudit $1 krb5kdc_conf_t:file rw_file_perms; - - #kerberos libraries are attempting to set the correct file context - dontaudit $1 self:process setfscreate; - selinux_dontaudit_validate_context($1) - seutil_dontaudit_read_file_contexts($1) - - tunable_policy(`allow_kerberos',` - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_kerberos_port($1) - corenet_udp_sendrecv_kerberos_port($1) - corenet_tcp_bind_generic_node($1) - corenet_udp_bind_generic_node($1) - corenet_tcp_connect_kerberos_port($1) - corenet_tcp_connect_ocsp_port($1) - corenet_sendrecv_kerberos_client_packets($1) - corenet_sendrecv_ocsp_client_packets($1) - - allow $1 krb5_host_rcache_t:file getattr_file_perms; - ') - - optional_policy(` - tunable_policy(`allow_kerberos',` - pcscd_stream_connect($1) - ') - ') - - optional_policy(` - sssd_read_public_files($1) - ') -') - -######################################## -## -## Read the kerberos configuration file (/etc/krb5.conf). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kerberos_read_config',` - gen_require(` - type krb5_conf_t, krb5_home_t; - ') - - files_search_etc($1) - allow $1 krb5_conf_t:file read_file_perms; - allow $1 krb5_home_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to write the kerberos -## configuration file (/etc/krb5.conf). -## -## -## -## Domain to not audit. -## -## -# -interface(`kerberos_dontaudit_write_config',` - gen_require(` - type krb5_conf_t; - ') - - dontaudit $1 krb5_conf_t:file write; -') - -######################################## -## -## Read and write the kerberos configuration file (/etc/krb5.conf). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kerberos_rw_config',` - gen_require(` - type krb5_conf_t; - ') - - files_search_etc($1) - allow $1 krb5_conf_t:file rw_file_perms; -') - -######################################## -## -## Read the kerberos key table. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kerberos_read_keytab',` - gen_require(` - type krb5_keytab_t; - ') - - files_search_etc($1) - allow $1 krb5_keytab_t:file read_file_perms; -') - -######################################## -## -## Read/Write the kerberos key table. -## -## -## -## Domain allowed access. -## -## -# -interface(`kerberos_rw_keytab',` - gen_require(` - type krb5_keytab_t; - ') - - files_search_etc($1) - allow $1 krb5_keytab_t:file rw_file_perms; -') - -######################################## -## -## Create a derived type for kerberos keytab -## -## -## -## The prefix to be used for deriving type names. -## -## -## -## -## Domain allowed access. -## -## -# -template(`kerberos_keytab_template',` - type $1_keytab_t; - files_type($1_keytab_t) - - allow $2 $1_keytab_t:file read_file_perms; - - kerberos_read_keytab($2) - kerberos_use($2) -') - -######################################## -## -## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kerberos_read_kdc_config',` - gen_require(` - type krb5kdc_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) -') - -######################################## -## -## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kerberos_manage_host_rcache',` - gen_require(` - type krb5_host_rcache_t; - ') - - # creates files as system_u no matter what the selinux user - # cjp: should be in the below tunable but typeattribute - # does not work in conditionals - domain_obj_id_change_exemption($1) - - tunable_policy(`allow_kerberos',` - allow $1 self:process setfscreate; - - selinux_validate_context($1) - - seutil_read_file_contexts($1) - - allow $1 krb5_host_rcache_t:file manage_file_perms; - files_search_tmp($1) - ') -') - -######################################## -## -## Connect to krb524 service -## -## -## -## Domain allowed access. -## -## -# -interface(`kerberos_connect_524',` - tunable_policy(`allow_kerberos',` - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_udp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_node($1) - corenet_udp_sendrecv_kerberos_master_port($1) - corenet_sendrecv_kerberos_master_client_packets($1) - ') -') - -######################################## -## -## All of the rules required to administrate -## an kerberos environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the kerberos domain. -## -## -## -# -interface(`kerberos_admin',` - gen_require(` - type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; - type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; - type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; - type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; - type krb5kdc_var_run_t, krb5_host_rcache_t; - ') - - allow $1 kadmind_t:process { ptrace signal_perms }; - ps_process_pattern($1, kadmind_t) - - allow $1 krb5kdc_t:process { ptrace signal_perms }; - ps_process_pattern($1, krb5kdc_t) - - allow $1 kpropd_t:process { ptrace signal_perms }; - ps_process_pattern($1, kpropd_t) - - init_labeled_script_domtrans($1, kerberos_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerberos_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, kadmind_log_t) - - files_list_tmp($1) - admin_pattern($1, kadmind_tmp_t) - - files_list_pids($1) - admin_pattern($1, kadmind_var_run_t) - - admin_pattern($1, krb5_conf_t) - - admin_pattern($1, krb5_host_rcache_t) - - admin_pattern($1, krb5_keytab_t) - - admin_pattern($1, krb5kdc_principal_t) - - admin_pattern($1, krb5kdc_tmp_t) - - admin_pattern($1, krb5kdc_var_run_t) -') diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te deleted file mode 100644 index 744e7d6..0000000 --- a/policy/modules/services/kerberos.te +++ /dev/null @@ -1,329 +0,0 @@ -policy_module(kerberos, 1.11.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow confined applications to run with kerberos. -##

-##
-gen_tunable(allow_kerberos, false) - -type kadmind_t; -type kadmind_exec_t; -init_daemon_domain(kadmind_t, kadmind_exec_t) -domain_obj_id_change_exemption(kadmind_t) - -type kadmind_log_t; -logging_log_file(kadmind_log_t) - -type kadmind_tmp_t; -files_tmp_file(kadmind_tmp_t) - -type kadmind_var_run_t; -files_pid_file(kadmind_var_run_t) - -type kerberos_initrc_exec_t; -init_script_file(kerberos_initrc_exec_t) - -type kpropd_t; -type kpropd_exec_t; -init_daemon_domain(kpropd_t, kpropd_exec_t) -domain_obj_id_change_exemption(kpropd_t) - -type krb5_conf_t; -files_type(krb5_conf_t) - -type krb5_home_t; -userdom_user_home_content(krb5_home_t) - -type krb5_host_rcache_t; -files_tmp_file(krb5_host_rcache_t) - -# types for general configuration files in /etc -type krb5_keytab_t; -files_security_file(krb5_keytab_t) - -# types for KDC configs and principal file(s) -type krb5kdc_conf_t; -files_type(krb5kdc_conf_t) - -type krb5kdc_lock_t; -files_type(krb5kdc_lock_t) - -# types for KDC principal file(s) -type krb5kdc_principal_t; -files_type(krb5kdc_principal_t) - -type krb5kdc_t; -type krb5kdc_exec_t; -init_daemon_domain(krb5kdc_t, krb5kdc_exec_t) -domain_obj_id_change_exemption(krb5kdc_t) - -type krb5kdc_log_t; -logging_log_file(krb5kdc_log_t) - -type krb5kdc_tmp_t; -files_tmp_file(krb5kdc_tmp_t) - -type krb5kdc_var_run_t; -files_pid_file(krb5kdc_var_run_t) - -######################################## -# -# kadmind local policy -# - -# Use capabilities. Surplus capabilities may be allowed. -allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; -dontaudit kadmind_t self:capability sys_tty_config; -allow kadmind_t self:process { setfscreate signal_perms }; -allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; -allow kadmind_t self:unix_dgram_socket { connect create write }; -allow kadmind_t self:tcp_socket connected_stream_socket_perms; -allow kadmind_t self:udp_socket create_socket_perms; - -allow kadmind_t kadmind_log_t:file manage_file_perms; -logging_log_filetrans(kadmind_t, kadmind_log_t, file) - -allow kadmind_t krb5_conf_t:file read_file_perms; -dontaudit kadmind_t krb5_conf_t:file write; - -read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) -dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms }; - -allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; - -allow kadmind_t krb5kdc_principal_t:file manage_file_perms; -filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) - -can_exec(kadmind_t, kadmind_exec_t) - -manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) -manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) -files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) - -manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) -files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) - -kernel_read_kernel_sysctls(kadmind_t) -kernel_list_proc(kadmind_t) -kernel_read_network_state(kadmind_t) -kernel_read_proc_symlinks(kadmind_t) -kernel_read_system_state(kadmind_t) - -corenet_all_recvfrom_unlabeled(kadmind_t) -corenet_all_recvfrom_netlabel(kadmind_t) -corenet_tcp_sendrecv_generic_if(kadmind_t) -corenet_udp_sendrecv_generic_if(kadmind_t) -corenet_tcp_sendrecv_generic_node(kadmind_t) -corenet_udp_sendrecv_generic_node(kadmind_t) -corenet_tcp_sendrecv_all_ports(kadmind_t) -corenet_udp_sendrecv_all_ports(kadmind_t) -corenet_tcp_bind_generic_node(kadmind_t) -corenet_udp_bind_generic_node(kadmind_t) -corenet_tcp_bind_kerberos_admin_port(kadmind_t) -corenet_tcp_bind_kerberos_password_port(kadmind_t) -corenet_udp_bind_kerberos_admin_port(kadmind_t) -corenet_udp_bind_kerberos_password_port(kadmind_t) -corenet_tcp_bind_reserved_port(kadmind_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) -corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) -corenet_sendrecv_kerberos_password_server_packets(kadmind_t) - -dev_read_sysfs(kadmind_t) -dev_read_rand(kadmind_t) -dev_read_urand(kadmind_t) - -fs_getattr_all_fs(kadmind_t) -fs_search_auto_mountpoints(kadmind_t) - -domain_use_interactive_fds(kadmind_t) - -files_read_etc_files(kadmind_t) -files_read_usr_symlinks(kadmind_t) -files_read_usr_files(kadmind_t) -files_read_var_files(kadmind_t) - -selinux_validate_context(kadmind_t) - -logging_send_syslog_msg(kadmind_t) - -miscfiles_read_generic_certs(kadmind_t) -miscfiles_read_localization(kadmind_t) - -seutil_read_file_contexts(kadmind_t) - -sysnet_read_config(kadmind_t) -sysnet_use_ldap(kadmind_t) - -userdom_dontaudit_use_unpriv_user_fds(kadmind_t) -userdom_dontaudit_search_user_home_dirs(kadmind_t) - -optional_policy(` - nis_use_ypbind(kadmind_t) -') - -optional_policy(` - seutil_sigchld_newrole(kadmind_t) -') - -optional_policy(` - udev_read_db(kadmind_t) -') - -######################################## -# -# Krb5kdc local policy -# - -# Use capabilities. Surplus capabilities may be allowed. -allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; -dontaudit krb5kdc_t self:capability sys_tty_config; -allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; -allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; -allow krb5kdc_t self:tcp_socket create_stream_socket_perms; -allow krb5kdc_t self:udp_socket create_socket_perms; -allow krb5kdc_t self:fifo_file rw_fifo_file_perms; - -allow krb5kdc_t krb5_conf_t:file read_file_perms; -dontaudit krb5kdc_t krb5_conf_t:file write; - -can_exec(krb5kdc_t, krb5kdc_exec_t) - -read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) -dontaudit krb5kdc_t krb5kdc_conf_t:file write; - -allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; - -allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; -logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) - -allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; - -manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) - -manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) -files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) - -kernel_read_system_state(krb5kdc_t) -kernel_read_kernel_sysctls(krb5kdc_t) -kernel_list_proc(krb5kdc_t) -kernel_read_proc_symlinks(krb5kdc_t) -kernel_read_network_state(krb5kdc_t) -kernel_search_network_sysctl(krb5kdc_t) - -corecmd_exec_bin(krb5kdc_t) - -corenet_all_recvfrom_unlabeled(krb5kdc_t) -corenet_all_recvfrom_netlabel(krb5kdc_t) -corenet_tcp_sendrecv_generic_if(krb5kdc_t) -corenet_udp_sendrecv_generic_if(krb5kdc_t) -corenet_tcp_sendrecv_generic_node(krb5kdc_t) -corenet_udp_sendrecv_generic_node(krb5kdc_t) -corenet_tcp_sendrecv_all_ports(krb5kdc_t) -corenet_udp_sendrecv_all_ports(krb5kdc_t) -corenet_tcp_bind_generic_node(krb5kdc_t) -corenet_udp_bind_generic_node(krb5kdc_t) -corenet_tcp_bind_kerberos_port(krb5kdc_t) -corenet_udp_bind_kerberos_port(krb5kdc_t) -corenet_tcp_connect_ocsp_port(krb5kdc_t) -corenet_sendrecv_kerberos_server_packets(krb5kdc_t) -corenet_sendrecv_ocsp_client_packets(krb5kdc_t) - -dev_read_sysfs(krb5kdc_t) -dev_read_urand(krb5kdc_t) - -fs_getattr_all_fs(krb5kdc_t) -fs_search_auto_mountpoints(krb5kdc_t) - -domain_use_interactive_fds(krb5kdc_t) - -files_read_etc_files(krb5kdc_t) -files_read_usr_symlinks(krb5kdc_t) -files_read_var_files(krb5kdc_t) - -selinux_validate_context(krb5kdc_t) - -logging_send_syslog_msg(krb5kdc_t) - -miscfiles_read_generic_certs(krb5kdc_t) -miscfiles_read_localization(krb5kdc_t) - -seutil_read_file_contexts(krb5kdc_t) - -sysnet_read_config(krb5kdc_t) -sysnet_use_ldap(krb5kdc_t) - -userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -userdom_dontaudit_search_user_home_dirs(krb5kdc_t) - -optional_policy(` - nis_use_ypbind(krb5kdc_t) -') - -optional_policy(` - seutil_sigchld_newrole(krb5kdc_t) -') - -optional_policy(` - udev_read_db(krb5kdc_t) -') - -######################################## -# -# kpropd local policy -# - -allow kpropd_t self:capability net_bind_service; -allow kpropd_t self:process setfscreate; - -allow kpropd_t self:fifo_file rw_file_perms; -allow kpropd_t self:unix_stream_socket create_stream_socket_perms; -allow kpropd_t self:tcp_socket create_stream_socket_perms; - -allow kpropd_t krb5_host_rcache_t:file manage_file_perms; - -allow kpropd_t krb5_keytab_t:file read_file_perms; - -read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t) - -manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) -filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file) - -manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) - -manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) - -corecmd_exec_bin(kpropd_t) - -corenet_all_recvfrom_unlabeled(kpropd_t) -corenet_tcp_sendrecv_generic_if(kpropd_t) -corenet_tcp_sendrecv_generic_node(kpropd_t) -corenet_tcp_sendrecv_all_ports(kpropd_t) -corenet_tcp_bind_generic_node(kpropd_t) -corenet_tcp_bind_kprop_port(kpropd_t) - -dev_read_urand(kpropd_t) - -files_read_etc_files(kpropd_t) -files_search_tmp(kpropd_t) - -selinux_validate_context(kpropd_t) - -logging_send_syslog_msg(kpropd_t) - -miscfiles_read_localization(kpropd_t) - -seutil_read_file_contexts(kpropd_t) - -sysnet_dns_name_resolve(kpropd_t) - -kerberos_use(kpropd_t) diff --git a/policy/modules/services/kerneloops.fc b/policy/modules/services/kerneloops.fc deleted file mode 100644 index 5ef261a..0000000 --- a/policy/modules/services/kerneloops.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0) - -/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if deleted file mode 100644 index dd32883..0000000 --- a/policy/modules/services/kerneloops.if +++ /dev/null @@ -1,114 +0,0 @@ -## Service for reporting kernel oopses to kerneloops.org - -######################################## -## -## Execute a domain transition to run kerneloops. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kerneloops_domtrans',` - gen_require(` - type kerneloops_t, kerneloops_exec_t; - ') - - domtrans_pattern($1, kerneloops_exec_t, kerneloops_t) -') - -######################################## -## -## Send and receive messages from -## kerneloops over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`kerneloops_dbus_chat',` - gen_require(` - type kerneloops_t; - class dbus send_msg; - ') - - allow $1 kerneloops_t:dbus send_msg; - allow kerneloops_t $1:dbus send_msg; -') - -######################################## -## -## dontaudit attempts to Send and receive messages from -## kerneloops over dbus. -## -## -## -## Domain to not audit. -## -## -# -interface(`kerneloops_dontaudit_dbus_chat',` - gen_require(` - type kerneloops_t; - class dbus send_msg; - ') - - dontaudit $1 kerneloops_t:dbus send_msg; - dontaudit kerneloops_t $1:dbus send_msg; -') - -######################################## -## -## Allow domain to manage kerneloops tmp files -## -## -## -## Domain allowed access. -## -## -# -interface(`kerneloops_manage_tmp_files',` - gen_require(` - type kerneloops_tmp_t; - ') - - manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t) - files_search_tmp($1) -') - -######################################## -## -## All of the rules required to administrate -## an kerneloops environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the kerneloops domain. -## -## -## -# -interface(`kerneloops_admin',` - gen_require(` - type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; - ') - - allow $1 kerneloops_t:process { ptrace signal_perms }; - ps_process_pattern($1, kerneloops_t) - - init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerneloops_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, kerneloops_tmp_t) -') diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te deleted file mode 100644 index 6b35547..0000000 --- a/policy/modules/services/kerneloops.te +++ /dev/null @@ -1,54 +0,0 @@ -policy_module(kerneloops, 1.4.0) - -######################################## -# -# Declarations -# - -type kerneloops_t; -type kerneloops_exec_t; -init_daemon_domain(kerneloops_t, kerneloops_exec_t) - -type kerneloops_initrc_exec_t; -init_script_file(kerneloops_initrc_exec_t) - -type kerneloops_tmp_t; -files_tmp_file(kerneloops_tmp_t) - -######################################## -# -# kerneloops local policy -# - -allow kerneloops_t self:capability sys_nice; -allow kerneloops_t self:process { getcap setcap setsched getsched signal }; -allow kerneloops_t self:fifo_file rw_file_perms; - -manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) -files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file) - -kernel_read_ring_buffer(kerneloops_t) - -# Init script handling -domain_use_interactive_fds(kerneloops_t) - -corenet_all_recvfrom_unlabeled(kerneloops_t) -corenet_all_recvfrom_netlabel(kerneloops_t) -corenet_tcp_sendrecv_generic_if(kerneloops_t) -corenet_tcp_sendrecv_generic_node(kerneloops_t) -corenet_tcp_sendrecv_all_ports(kerneloops_t) -corenet_tcp_bind_http_port(kerneloops_t) -corenet_tcp_connect_http_port(kerneloops_t) - -files_read_etc_files(kerneloops_t) - -auth_use_nsswitch(kerneloops_t) - -logging_send_syslog_msg(kerneloops_t) -logging_read_generic_logs(kerneloops_t) - -miscfiles_read_localization(kerneloops_t) - -optional_policy(` - dbus_system_domain(kerneloops_t, kerneloops_exec_t) -') diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc deleted file mode 100644 index 8360166..0000000 --- a/policy/modules/services/ksmtuned.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) - -/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) - -/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) - -/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if deleted file mode 100644 index b733e45..0000000 --- a/policy/modules/services/ksmtuned.if +++ /dev/null @@ -1,72 +0,0 @@ -## Kernel Samepage Merging (KSM) Tuning Daemon - -######################################## -## -## Execute a domain transition to run ksmtuned. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ksmtuned_domtrans',` - gen_require(` - type ksmtuned_t, ksmtuned_exec_t; - ') - - domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t) -') - -######################################## -## -## Execute ksmtuned server in the ksmtuned domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ksmtuned_initrc_domtrans',` - gen_require(` - type ksmtuned_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an ksmtuned environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`ksmtuned_admin',` - gen_require(` - type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t; - ') - - allow $1 ksmtuned_t:process { ptrace signal_perms }; - ps_process_pattern($1, ksmtuned_t) - - files_list_pids($1) - admin_pattern($1, ksmtuned_var_run_t) - - # Allow ksmtuned_t to restart the apache service - ksmtuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ksmtuned_initrc_exec_t system_r; - allow $2 system_r; -') diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te deleted file mode 100644 index 01adbed..0000000 --- a/policy/modules/services/ksmtuned.te +++ /dev/null @@ -1,51 +0,0 @@ -policy_module(ksmtuned, 1.0.0) - -######################################## -# -# Declarations -# - -type ksmtuned_t; -type ksmtuned_exec_t; -init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) - -type ksmtuned_log_t; -logging_log_file(ksmtuned_log_t) - -type ksmtuned_initrc_exec_t; -init_script_file(ksmtuned_initrc_exec_t) - -type ksmtuned_var_run_t; -files_pid_file(ksmtuned_var_run_t) - -######################################## -# -# ksmtuned local policy -# - -allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; -allow ksmtuned_t self:fifo_file rw_file_perms; - -manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) -manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) -logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir }) - -manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) -files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) - -kernel_read_system_state(ksmtuned_t) - -dev_rw_sysfs(ksmtuned_t) - -domain_read_all_domains_state(ksmtuned_t) -domain_dontaudit_read_all_domains_state(ksmtuned_t) - -corecmd_exec_bin(ksmtuned_t) - -files_read_etc_files(ksmtuned_t) - -mls_file_read_to_clearance(ksmtuned_t) - -term_use_all_terms(ksmtuned_t) - -miscfiles_read_localization(ksmtuned_t) diff --git a/policy/modules/services/ktalk.fc b/policy/modules/services/ktalk.fc deleted file mode 100644 index 47d0bf3..0000000 --- a/policy/modules/services/ktalk.fc +++ /dev/null @@ -1,7 +0,0 @@ - -/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) - -/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) -/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) - -/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0) diff --git a/policy/modules/services/ktalk.if b/policy/modules/services/ktalk.if deleted file mode 100644 index 5ba36db..0000000 --- a/policy/modules/services/ktalk.if +++ /dev/null @@ -1 +0,0 @@ -## KDE Talk daemon diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te deleted file mode 100644 index ca5cfdf..0000000 --- a/policy/modules/services/ktalk.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(ktalk, 1.8.0) - -######################################## -# -# Declarations -# - -type ktalkd_t; -type ktalkd_exec_t; -inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) -role system_r types ktalkd_t; - -type ktalkd_log_t; -logging_log_file(ktalkd_log_t) - -type ktalkd_tmp_t; -files_tmp_file(ktalkd_tmp_t) - -type ktalkd_var_run_t; -files_pid_file(ktalkd_var_run_t) - -######################################## -# -# Local policy -# - -allow ktalkd_t self:process signal_perms; -allow ktalkd_t self:fifo_file rw_fifo_file_perms; -allow ktalkd_t self:tcp_socket connected_stream_socket_perms; -allow ktalkd_t self:udp_socket create_socket_perms; -# for identd -# cjp: this should probably only be inetd_child rules? -allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow ktalkd_t self:capability { setuid setgid }; -files_search_home(ktalkd_t) -optional_policy(` - kerberos_use(ktalkd_t) -') -#end for identd - -allow ktalkd_t ktalkd_log_t:file manage_file_perms; -logging_log_filetrans(ktalkd_t, ktalkd_log_t, file) - -manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t) -manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t) -files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir }) - -manage_files_pattern(ktalkd_t, ktalkd_var_run_t, ktalkd_var_run_t) -files_pid_filetrans(ktalkd_t, ktalkd_var_run_t, file) - -kernel_read_kernel_sysctls(ktalkd_t) -kernel_read_system_state(ktalkd_t) -kernel_read_network_state(ktalkd_t) - -corenet_all_recvfrom_unlabeled(ktalkd_t) -corenet_all_recvfrom_netlabel(ktalkd_t) -corenet_tcp_sendrecv_generic_if(ktalkd_t) -corenet_udp_sendrecv_generic_if(ktalkd_t) -corenet_tcp_sendrecv_generic_node(ktalkd_t) -corenet_udp_sendrecv_generic_node(ktalkd_t) -corenet_tcp_sendrecv_all_ports(ktalkd_t) -corenet_udp_sendrecv_all_ports(ktalkd_t) - -dev_read_urand(ktalkd_t) - -fs_getattr_xattr_fs(ktalkd_t) - -files_read_etc_files(ktalkd_t) - -term_search_ptys(ktalkd_t) -term_use_all_terms(ktalkd_t) - -auth_use_nsswitch(ktalkd_t) - -init_read_utmp(ktalkd_t) - -logging_send_syslog_msg(ktalkd_t) - -miscfiles_read_localization(ktalkd_t) diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc deleted file mode 100644 index 335fda1..0000000 --- a/policy/modules/services/ldap.fc +++ /dev/null @@ -1,20 +0,0 @@ - -/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) -/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) - -/etc/rc\.d/init\.d/sldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) - -/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - -ifdef(`distro_debian',` -/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) -') - -/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) - -/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if deleted file mode 100644 index c51c1f6..0000000 --- a/policy/modules/services/ldap.if +++ /dev/null @@ -1,198 +0,0 @@ -## OpenLDAP directory server - -####################################### -## -## Execute OpenLDAP in the ldap domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`ldap_domtrans',` - gen_require(` - type slapd_t, slapd_exec_t; - ') - - domtrans_pattern($1, slapd_exec_t, slapd_t) -') - -####################################### -## -## Execute OpenLDAP server in the ldap domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`ldap_initrc_domtrans',` - gen_require(` - type slapd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, slapd_initrc_exec_t) -') - -######################################## -## -## Read the contents of the OpenLDAP -## database directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`ldap_list_db',` - gen_require(` - type slapd_db_t; - ') - - allow $1 slapd_db_t:dir list_dir_perms; -') - -######################################## -## -## Read the contents of the OpenLDAP -## database files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ldap_read_db_files',` - gen_require(` - type slapd_db_t; - ') - - read_files_pattern($1, slapd_db_t, slapd_db_t) -') - -######################################## -## -## Read the OpenLDAP configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ldap_read_config',` - gen_require(` - type slapd_etc_t; - ') - - files_search_etc($1) - allow $1 slapd_etc_t:file read_file_perms; -') - -######################################## -## -## Use LDAP over TCP connection. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`ldap_use',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Connect to slapd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`ldap_stream_connect',` - gen_require(` - type slapd_t, slapd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) - - optional_policy(` - ldap_stream_connect_dirsrv($1) - ') -') - -######################################## -## -## Connect to dirsrv over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`ldap_stream_connect_dirsrv',` - gen_require(` - type dirsrv_t, dirsrv_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) -') - -######################################## -## -## All of the rules required to administrate -## an ldap environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the ldap domain. -## -## -## -# -interface(`ldap_admin',` - gen_require(` - type slapd_t, slapd_tmp_t, slapd_replog_t; - type slapd_lock_t, slapd_etc_t, slapd_var_run_t; - type slapd_initrc_exec_t; - ') - - allow $1 slapd_t:process { ptrace signal_perms }; - ps_process_pattern($1, slapd_t) - - init_labeled_script_domtrans($1, slapd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 slapd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, slapd_etc_t) - - admin_pattern($1, slapd_lock_t) - - files_list_var_lib($1) - admin_pattern($1, slapd_replog_t) - - files_list_tmp($1) - admin_pattern($1, slapd_tmp_t) - - files_list_pids($1) - admin_pattern($1, slapd_var_run_t) -') diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te deleted file mode 100644 index 10c2d54..0000000 --- a/policy/modules/services/ldap.te +++ /dev/null @@ -1,146 +0,0 @@ -policy_module(ldap, 1.10.0) - -######################################## -# -# Declarations -# - -type slapd_t; -type slapd_exec_t; -init_daemon_domain(slapd_t, slapd_exec_t) - -type slapd_cert_t; -miscfiles_cert_type(slapd_cert_t) - -type slapd_db_t; -files_type(slapd_db_t) - -type slapd_etc_t; -files_config_file(slapd_etc_t) - -type slapd_initrc_exec_t; -init_script_file(slapd_initrc_exec_t) - -type slapd_lock_t; -files_lock_file(slapd_lock_t) - -type slapd_replog_t; -files_type(slapd_replog_t) - -type slapd_log_t; -logging_log_file(slapd_log_t) - -type slapd_tmp_t; -files_tmp_file(slapd_tmp_t) - -type slapd_tmpfs_t; -files_tmpfs_file(slapd_tmpfs_t) - -type slapd_var_run_t; -files_pid_file(slapd_var_run_t) - -######################################## -# -# Local policy -# - -# should not need kill -# cjp: why net_raw? -allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; -dontaudit slapd_t self:capability sys_tty_config; -allow slapd_t self:process setsched; -allow slapd_t self:fifo_file rw_fifo_file_perms; -allow slapd_t self:udp_socket create_socket_perms; -#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach) -allow slapd_t self:tcp_socket create_stream_socket_perms; - -allow slapd_t slapd_cert_t:dir list_dir_perms; -read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) -read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) - -# Allow access to the slapd databases -manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t) -manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t) -manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) - -allow slapd_t slapd_etc_t:file read_file_perms; - -allow slapd_t slapd_lock_t:file manage_file_perms; -files_lock_filetrans(slapd_t, slapd_lock_t, file) - -# Allow access to write the replication log (should tighten this) -manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) -manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) -manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) - -manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) -manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t) -logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) - -manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) -manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) -files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) - -manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) -fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file) - -manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) -manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) -manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) -files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) - -kernel_read_system_state(slapd_t) -kernel_read_kernel_sysctls(slapd_t) - -corenet_all_recvfrom_unlabeled(slapd_t) -corenet_all_recvfrom_netlabel(slapd_t) -corenet_tcp_sendrecv_generic_if(slapd_t) -corenet_udp_sendrecv_generic_if(slapd_t) -corenet_tcp_sendrecv_generic_node(slapd_t) -corenet_udp_sendrecv_generic_node(slapd_t) -corenet_tcp_sendrecv_all_ports(slapd_t) -corenet_udp_sendrecv_all_ports(slapd_t) -corenet_tcp_bind_generic_node(slapd_t) -corenet_tcp_bind_ldap_port(slapd_t) -corenet_tcp_connect_all_ports(slapd_t) -corenet_sendrecv_ldap_server_packets(slapd_t) -corenet_sendrecv_all_client_packets(slapd_t) - -dev_read_urand(slapd_t) -dev_read_sysfs(slapd_t) - -fs_getattr_all_fs(slapd_t) -fs_search_auto_mountpoints(slapd_t) - -domain_use_interactive_fds(slapd_t) - -files_read_etc_files(slapd_t) -files_read_etc_runtime_files(slapd_t) -files_read_usr_files(slapd_t) -files_list_var_lib(slapd_t) - -auth_use_nsswitch(slapd_t) - -logging_send_syslog_msg(slapd_t) - -miscfiles_read_generic_certs(slapd_t) -miscfiles_read_localization(slapd_t) - -userdom_dontaudit_use_unpriv_user_fds(slapd_t) -userdom_dontaudit_search_user_home_dirs(slapd_t) - -optional_policy(` - kerberos_keytab_template(slapd, slapd_t) -') - -optional_policy(` - sasl_connect(slapd_t) -') - -optional_policy(` - seutil_sigchld_newrole(slapd_t) -') - -optional_policy(` - udev_read_db(slapd_t) -') diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc deleted file mode 100644 index 057a4e4..0000000 --- a/policy/modules/services/likewise.fc +++ /dev/null @@ -1,54 +0,0 @@ -/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0) -/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0) -/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0) - -/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) - -/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) -/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) -/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0) -/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0) -/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0) -/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0) -/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) -/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) - -/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) -/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0) -/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0) -/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0) -/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0) -/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) -/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) -/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) -/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0) -/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0) -/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0) -/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0) -/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) - -/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0) -/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0) -/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0) -/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0) -/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0) -/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0) - diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if deleted file mode 100644 index 81d98b3..0000000 --- a/policy/modules/services/likewise.if +++ /dev/null @@ -1,105 +0,0 @@ -## Likewise Active Directory support for UNIX. -## -##

-## Likewise Open is a free, open source application that joins Linux, Unix, -## and Mac machines to Microsoft Active Directory to securely authenticate -## users with their domain credentials. -##

-##
- -####################################### -## -## The template to define a likewise domain. -## -## -##

-## This template creates a domain to be used for -## a new likewise daemon. -##

-##
-## -## -## The type of daemon to be used. -## -## -# -template(`likewise_domain_template',` - - gen_require(` - attribute likewise_domains; - type likewise_var_lib_t; - ') - - ######################################## - # - # Declarations - # - - type $1_t; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - domain_use_interactive_fds($1_t) - - typeattribute $1_t likewise_domains; - - type $1_var_run_t; - files_pid_file($1_var_run_t) - - type $1_var_socket_t; - files_type($1_var_socket_t) - - type $1_var_lib_t; - files_type($1_var_lib_t) - - #################################### - # - # Local Policy - # - - allow $1_t self:process { signal_perms getsched setsched }; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_dgram_socket create_socket_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - - allow $1_t likewise_var_lib_t:dir setattr_dir_perms; - - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, file) - - manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t) - filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file) - - manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) - filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) - - dev_read_rand($1_t) - dev_read_urand($1_t) - - files_read_etc_files($1_t) - files_search_var_lib($1_t) - - logging_send_syslog_msg($1_t) - - miscfiles_read_localization($1_t) -') - -######################################## -## -## Connect to lsassd. -## -## -## -## Domain allowed access. -## -## -# -interface(`likewise_stream_connect_lsassd',` - gen_require(` - type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) -') diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te deleted file mode 100644 index 65e6d81..0000000 --- a/policy/modules/services/likewise.te +++ /dev/null @@ -1,238 +0,0 @@ -policy_module(likewise, 1.0.1) - -################################# -# -# Declarations -# - -attribute likewise_domains; - -type likewise_etc_t; -files_config_file(likewise_etc_t) - -type likewise_initrc_exec_t; -init_script_file(likewise_initrc_exec_t) - -type likewise_var_lib_t; -files_type(likewise_var_lib_t) - -type likewise_pstore_lock_t; -files_type(likewise_pstore_lock_t) - -type likewise_krb5_ad_t; -files_type(likewise_krb5_ad_t) - -likewise_domain_template(dcerpcd) - -likewise_domain_template(eventlogd) - -likewise_domain_template(lsassd) - -type lsassd_tmp_t; -files_tmp_file(lsassd_tmp_t) - -likewise_domain_template(lwiod) - -likewise_domain_template(lwregd) - -likewise_domain_template(lwsmd) - -likewise_domain_template(netlogond) - -likewise_domain_template(srvsvcd) - -################################# -# -# Likewise dcerpcd personal policy -# - -stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -corenet_all_recvfrom_netlabel(dcerpcd_t) -corenet_all_recvfrom_unlabeled(dcerpcd_t) -corenet_sendrecv_generic_client_packets(dcerpcd_t) -corenet_sendrecv_generic_server_packets(dcerpcd_t) -corenet_tcp_sendrecv_generic_if(dcerpcd_t) -corenet_tcp_sendrecv_generic_node(dcerpcd_t) -corenet_tcp_sendrecv_generic_port(dcerpcd_t) -corenet_tcp_bind_generic_node(dcerpcd_t) -corenet_tcp_bind_epmap_port(dcerpcd_t) -corenet_tcp_connect_generic_port(dcerpcd_t) -corenet_udp_bind_generic_node(dcerpcd_t) -corenet_udp_bind_epmap_port(dcerpcd_t) -corenet_udp_sendrecv_generic_if(dcerpcd_t) -corenet_udp_sendrecv_generic_node(dcerpcd_t) -corenet_udp_sendrecv_generic_port(dcerpcd_t) - -################################# -# -# Likewise Auditing and Logging service policy -# - -stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) -stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -corenet_all_recvfrom_netlabel(eventlogd_t) -corenet_all_recvfrom_unlabeled(eventlogd_t) -corenet_sendrecv_generic_server_packets(eventlogd_t) -corenet_tcp_sendrecv_generic_if(eventlogd_t) -corenet_tcp_sendrecv_generic_node(eventlogd_t) -corenet_tcp_sendrecv_generic_port(eventlogd_t) -corenet_tcp_bind_generic_node(eventlogd_t) -corenet_udp_bind_generic_node(eventlogd_t) -corenet_udp_sendrecv_generic_if(eventlogd_t) -corenet_udp_sendrecv_generic_node(eventlogd_t) -corenet_udp_sendrecv_generic_port(eventlogd_t) - -################################# -# -# Likewise Authentication service local policy -# - -allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time }; -allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; - -allow lsassd_t likewise_krb5_ad_t:file read_file_perms; -allow lsassd_t netlogond_var_lib_t:file read_file_perms; - -manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t) - -manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t); -files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file) - -stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t) - -kernel_read_system_state(lsassd_t) -kernel_getattr_proc_files(lsassd_t) -kernel_list_all_proc(lsassd_t) -kernel_list_proc(lsassd_t) - -corecmd_exec_bin(lsassd_t) -corecmd_exec_shell(lsassd_t) - -corenet_all_recvfrom_netlabel(lsassd_t) -corenet_all_recvfrom_unlabeled(lsassd_t) -corenet_tcp_sendrecv_generic_if(lsassd_t) -corenet_tcp_sendrecv_generic_node(lsassd_t) -corenet_tcp_sendrecv_generic_port(lsassd_t) -corenet_tcp_bind_generic_node(lsassd_t) -corenet_tcp_connect_epmap_port(lsassd_t) -corenet_tcp_sendrecv_epmap_port(lsassd_t) - -domain_obj_id_change_exemption(lsassd_t) - -files_manage_etc_files(lsassd_t) -files_manage_etc_symlinks(lsassd_t) -files_manage_etc_runtime_files(lsassd_t) -files_relabelto_home(lsassd_t) - -selinux_get_fs_mount(lsassd_t) -selinux_validate_context(lsassd_t) - -seutil_read_config(lsassd_t) -seutil_read_default_contexts(lsassd_t) -seutil_read_file_contexts(lsassd_t) -seutil_run_semanage(lsassd_t, lsassd_t) - -sysnet_use_ldap(lsassd_t) -sysnet_read_config(lsassd_t) - -userdom_home_filetrans_user_home_dir(lsassd_t) -userdom_manage_user_home_content_files(lsassd_t) - -optional_policy(` - kerberos_rw_keytab(lsassd_t) - kerberos_use(lsassd_t) -') - -################################# -# -# Likewise I/O service local policy -# - -allow lwiod_t self:capability { fowner chown fsetid dac_override }; -allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; - -allow lwiod_t likewise_krb5_ad_t:file read_file_perms; -allow lwiod_t netlogond_var_lib_t:file read_file_perms; - -stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) -stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) - -corenet_all_recvfrom_netlabel(lwiod_t) -corenet_all_recvfrom_unlabeled(lwiod_t) -corenet_sendrecv_smbd_server_packets(lwiod_t) -corenet_sendrecv_smbd_client_packets(lwiod_t) -corenet_tcp_sendrecv_generic_if(lwiod_t) -corenet_tcp_sendrecv_generic_node(lwiod_t) -corenet_tcp_sendrecv_generic_port(lwiod_t) -corenet_tcp_bind_generic_node(lwiod_t) -corenet_tcp_bind_smbd_port(lwiod_t) -corenet_tcp_connect_smbd_port(lwiod_t) - -sysnet_read_config(lwiod_t) - -optional_policy(` - kerberos_rw_config(lwiod_t) - kerberos_use(lwiod_t) -') - -################################# -# -# Likewise Service Manager service local policy -# - -allow lwsmd_t likewise_domains:process signal; - -domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t) -domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t) -domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t) -domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t) -domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t) -domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t) -domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t) - -stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) -stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -################################# -# -# Likewise DC location service local policy -# - -allow netlogond_t self:capability dac_override; - -manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) - -stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -sysnet_dns_name_resolve(netlogond_t) -sysnet_use_ldap(netlogond_t) - -################################# -# -# Likewise Srv service local policy -# - -allow srvsvcd_t likewise_etc_t:dir search_dir_perms; - -stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) -stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) -stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -corenet_all_recvfrom_netlabel(srvsvcd_t) -corenet_all_recvfrom_unlabeled(srvsvcd_t) -corenet_sendrecv_generic_server_packets(srvsvcd_t) -corenet_tcp_sendrecv_generic_if(srvsvcd_t) -corenet_tcp_sendrecv_generic_node(srvsvcd_t) -corenet_tcp_sendrecv_generic_port(srvsvcd_t) -corenet_tcp_bind_generic_node(srvsvcd_t) - -optional_policy(` - kerberos_use(srvsvcd_t) -') diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc deleted file mode 100644 index 49e04e5..0000000 --- a/policy/modules/services/lircd.fc +++ /dev/null @@ -1,10 +0,0 @@ -/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0) - -/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) -/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0) - -/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) - -/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) -/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) -/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if deleted file mode 100644 index 5cfe950..0000000 --- a/policy/modules/services/lircd.if +++ /dev/null @@ -1,95 +0,0 @@ -## Linux infared remote control daemon - -######################################## -## -## Execute a domain transition to run lircd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`lircd_domtrans',` - gen_require(` - type lircd_t, lircd_exec_t; - ') - - domain_auto_trans($1, lircd_exec_t, lircd_t) -') - -###################################### -## -## Connect to lircd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`lircd_stream_connect',` - gen_require(` - type lircd_var_run_t, lircd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t) -') - -####################################### -## -## Read lircd etc file -## -## -## -## Domain allowed access. -## -## -# -interface(`lircd_read_config',` - gen_require(` - type lircd_etc_t; - ') - - read_files_pattern($1, lircd_etc_t, lircd_etc_t) -') - -######################################## -## -## All of the rules required to administrate -## a lircd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -# -interface(`lircd_admin',` - gen_require(` - type lircd_t, lircd_var_run_t, lircd_etc_t; - type lircd_initrc_exec_t; - ') - - allow $1 lircd_t:process { ptrace signal_perms }; - ps_process_pattern($1, lircd_t) - - init_labeled_script_domtrans($1, lircd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 lircd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, lircd_etc_t) - - files_list_pids($1) - admin_pattern($1, lircd_var_run_t) -') diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te deleted file mode 100644 index 02f6985..0000000 --- a/policy/modules/services/lircd.te +++ /dev/null @@ -1,65 +0,0 @@ -policy_module(lircd, 1.1.0) - -######################################## -# -# Declarations -# - -type lircd_t; -type lircd_exec_t; -init_daemon_domain(lircd_t, lircd_exec_t) - -type lircd_initrc_exec_t; -init_script_file(lircd_initrc_exec_t) - -type lircd_etc_t; -files_type(lircd_etc_t) - -type lircd_var_run_t alias lircd_sock_t; -files_pid_file(lircd_var_run_t) - -######################################## -# -# lircd local policy -# - -allow lircd_t self:capability { chown kill sys_admin }; -allow lircd_t self:process { fork signal }; -allow lircd_t self:fifo_file rw_fifo_file_perms; -allow lircd_t self:unix_dgram_socket create_socket_perms; -allow lircd_t self:tcp_socket create_stream_socket_perms; - -# etc file -read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) - -manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -files_pid_filetrans(lircd_t, lircd_var_run_t, { file dir }) -# /dev/lircd socket -dev_filetrans(lircd_t, lircd_var_run_t, sock_file) - -corenet_tcp_sendrecv_generic_if(lircd_t) -corenet_tcp_bind_generic_node(lircd_t) -corenet_tcp_bind_lirc_port(lircd_t) -corenet_tcp_sendrecv_all_ports(lircd_t) -corenet_tcp_connect_lirc_port(lircd_t) - -dev_rw_generic_usb_dev(lircd_t) -dev_read_mouse(lircd_t) -dev_filetrans_lirc(lircd_t) -dev_rw_lirc(lircd_t) -dev_rw_input_dev(lircd_t) - -files_read_etc_files(lircd_t) -files_list_var(lircd_t) -files_manage_generic_locks(lircd_t) -files_read_all_locks(lircd_t) - -term_use_ptmx(lircd_t) - -logging_send_syslog_msg(lircd_t) - -miscfiles_read_localization(lircd_t) - -sysnet_dns_name_resolve(lircd_t) diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc deleted file mode 100644 index 5c9eb68..0000000 --- a/policy/modules/services/lpd.fc +++ /dev/null @@ -1,37 +0,0 @@ -# -# /dev -# -/dev/printer -s gen_context(system_u:object_r:printer_t,s0) - -/opt/gutenprint/s?bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0) - -# -# /usr -# -/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) - -/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) -/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) -/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) - -/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) - -/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) - -# -# /var -# -/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) -/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) -/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) -/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if deleted file mode 100644 index ea7dca0..0000000 --- a/policy/modules/services/lpd.if +++ /dev/null @@ -1,215 +0,0 @@ -## Line printer daemon - -######################################## -## -## Role access for lpd -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -interface(`lpd_role',` - gen_require(` - type lpr_t, lpr_exec_t, print_spool_t; - ') - - role $1 types lpr_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, lpr_exec_t, lpr_t) - dontaudit lpr_t $2:unix_stream_socket { read write }; - - ps_process_pattern($2, lpr_t) - allow $2 lpr_t:process { ptrace signal_perms }; - - optional_policy(` - cups_read_config($2) - ') -') - -######################################## -## -## Execute lpd in the lpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`lpd_domtrans_checkpc',` - gen_require(` - type checkpc_t, checkpc_exec_t; - ') - - domtrans_pattern($1, checkpc_exec_t, checkpc_t) -') - -######################################## -## -## Execute amrecover in the lpd domain, and -## allow the specified role the lpd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`lpd_run_checkpc',` - gen_require(` - type checkpc_t; - ') - - lpd_domtrans_checkpc($1) - role $2 types checkpc_t; -') - -######################################## -## -## List the contents of the printer spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`lpd_list_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - allow $1 print_spool_t:dir list_dir_perms; -') - -######################################## -## -## Read the printer spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`lpd_read_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, print_spool_t, print_spool_t) -') - -######################################## -## -## Create, read, write, and delete printer spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`lpd_manage_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, print_spool_t, print_spool_t) - manage_files_pattern($1, print_spool_t, print_spool_t) - manage_lnk_files_pattern($1, print_spool_t, print_spool_t) -') - -######################################## -## -## Relabel from and to the spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`lpd_relabel_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - allow $1 print_spool_t:file relabel_file_perms; -') - -######################################## -## -## List the contents of the printer spool directories. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`lpd_read_config',` - gen_require(` - type printconf_t; - ') - - allow $1 printconf_t:dir list_dir_perms; - read_files_pattern($1, printconf_t, printconf_t) -') - -######################################## -## -## Transition to a user lpr domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`lpd_domtrans_lpr',` - gen_require(` - type lpr_t, lpr_exec_t; - ') - - domtrans_pattern($1, lpr_exec_t, lpr_t) -') - -######################################## -## -## Allow the specified domain to execute lpr -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`lpd_exec_lpr',` - gen_require(` - type lpr_exec_t; - ') - - can_exec($1, lpr_exec_t) -') diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te deleted file mode 100644 index 80671d9..0000000 --- a/policy/modules/services/lpd.te +++ /dev/null @@ -1,333 +0,0 @@ -policy_module(lpd, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Use lpd server instead of cups -##

-##
-gen_tunable(use_lpd_server, false) - -type checkpc_t; -type checkpc_exec_t; -init_system_domain(checkpc_t, checkpc_exec_t) -role system_r types checkpc_t; - -type checkpc_log_t; -logging_log_file(checkpc_log_t) - -type lpd_t; -type lpd_exec_t; -init_daemon_domain(lpd_t, lpd_exec_t) - -type lpd_tmp_t; -files_tmp_file(lpd_tmp_t) - -type lpd_var_run_t; -files_pid_file(lpd_var_run_t) - -type lpr_t; -type lpr_exec_t; -typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t }; -typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t }; -application_domain(lpr_t, lpr_exec_t) -ubac_constrained(lpr_t) - -type lpr_tmp_t; -typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t }; -typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t }; -files_tmp_file(lpr_tmp_t) -ubac_constrained(lpr_tmp_t) - -# Type for spool files. -type print_spool_t; -typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; -typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; -files_type(print_spool_t) -ubac_constrained(print_spool_t) - -type printer_t; -files_type(printer_t) - -type printconf_t; -files_type(printconf_t) - -######################################## -# -# Checkpc local policy -# - -# Allow checkpc to access the lpd spool so it can check & fix it. -# This requires that /usr/sbin/checkpc have type checkpc_t. - -allow checkpc_t self:capability { setgid setuid dac_override }; -allow checkpc_t self:process signal_perms; -allow checkpc_t self:unix_stream_socket create_socket_perms; -allow checkpc_t self:tcp_socket create_socket_perms; -allow checkpc_t self:udp_socket create_socket_perms; - -allow checkpc_t checkpc_log_t:file manage_file_perms; -logging_log_filetrans(checkpc_t, checkpc_log_t, file) - -allow checkpc_t lpd_var_run_t:dir search_dir_perms; -files_search_pids(checkpc_t) - -rw_files_pattern(checkpc_t, print_spool_t, print_spool_t) -delete_files_pattern(checkpc_t, print_spool_t, print_spool_t) -files_search_spool(checkpc_t) - -allow checkpc_t printconf_t:file getattr_file_perms; -allow checkpc_t printconf_t:dir list_dir_perms; - -kernel_read_system_state(checkpc_t) - -corenet_all_recvfrom_unlabeled(checkpc_t) -corenet_all_recvfrom_netlabel(checkpc_t) -corenet_tcp_sendrecv_generic_if(checkpc_t) -corenet_udp_sendrecv_generic_if(checkpc_t) -corenet_tcp_sendrecv_generic_node(checkpc_t) -corenet_udp_sendrecv_generic_node(checkpc_t) -corenet_tcp_sendrecv_all_ports(checkpc_t) -corenet_udp_sendrecv_all_ports(checkpc_t) -corenet_tcp_connect_all_ports(checkpc_t) -corenet_sendrecv_all_client_packets(checkpc_t) - -dev_append_printer(checkpc_t) - -# This is less desirable, but checkpc demands /bin/bash and /bin/chown: -corecmd_exec_shell(checkpc_t) -corecmd_exec_bin(checkpc_t) - -domain_use_interactive_fds(checkpc_t) - -files_read_etc_files(checkpc_t) -files_read_etc_runtime_files(checkpc_t) - -init_use_script_ptys(checkpc_t) -# Allow access to /dev/console through the fd: -init_use_fds(checkpc_t) - -sysnet_read_config(checkpc_t) - -userdom_use_user_terminals(checkpc_t) - -optional_policy(` - cron_system_entry(checkpc_t, checkpc_exec_t) -') - -optional_policy(` - logging_send_syslog_msg(checkpc_t) -') - -optional_policy(` - nis_use_ypbind(checkpc_t) -') - -######################################## -# -# Lpd local policy -# - -allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner }; -dontaudit lpd_t self:capability sys_tty_config; -allow lpd_t self:process signal_perms; -allow lpd_t self:fifo_file rw_fifo_file_perms; -allow lpd_t self:unix_stream_socket create_stream_socket_perms; -allow lpd_t self:unix_dgram_socket create_socket_perms; -allow lpd_t self:tcp_socket create_stream_socket_perms; -allow lpd_t self:udp_socket create_stream_socket_perms; - -manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) -manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) -files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) - -manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file }) - -# Write to /var/spool/lpd. -manage_files_pattern(lpd_t, print_spool_t, print_spool_t) -files_search_spool(lpd_t) - -# lpd must be able to execute the filter utilities in /usr/share/printconf. -allow lpd_t printconf_t:dir list_dir_perms; -can_exec(lpd_t, printconf_t) - -# Create and bind to /dev/printer. -allow lpd_t printer_t:lnk_file manage_lnk_file_perms; -dev_filetrans(lpd_t, printer_t, lnk_file) - -kernel_read_kernel_sysctls(lpd_t) -# bash wants access to /proc/meminfo -kernel_read_system_state(lpd_t) - -corenet_all_recvfrom_unlabeled(lpd_t) -corenet_all_recvfrom_netlabel(lpd_t) -corenet_tcp_sendrecv_generic_if(lpd_t) -corenet_udp_sendrecv_generic_if(lpd_t) -corenet_tcp_sendrecv_generic_node(lpd_t) -corenet_udp_sendrecv_generic_node(lpd_t) -corenet_tcp_sendrecv_all_ports(lpd_t) -corenet_udp_sendrecv_all_ports(lpd_t) -corenet_tcp_bind_generic_node(lpd_t) -corenet_tcp_bind_printer_port(lpd_t) -corenet_sendrecv_printer_server_packets(lpd_t) - -dev_read_sysfs(lpd_t) -dev_rw_printer(lpd_t) - -fs_getattr_all_fs(lpd_t) -fs_search_auto_mountpoints(lpd_t) - -# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -corecmd_exec_bin(lpd_t) -corecmd_exec_shell(lpd_t) - -domain_use_interactive_fds(lpd_t) - -files_read_etc_runtime_files(lpd_t) -files_read_usr_files(lpd_t) -# for defoma -files_list_world_readable(lpd_t) -files_read_world_readable_files(lpd_t) -files_read_world_readable_symlinks(lpd_t) -files_list_var_lib(lpd_t) -files_read_var_lib_files(lpd_t) -files_read_var_lib_symlinks(lpd_t) -# config files for lpd are of type etc_t, probably should change this -files_read_etc_files(lpd_t) - -logging_send_syslog_msg(lpd_t) - -miscfiles_read_fonts(lpd_t) -miscfiles_read_localization(lpd_t) - -sysnet_read_config(lpd_t) - -userdom_dontaudit_use_unpriv_user_fds(lpd_t) -userdom_dontaudit_search_user_home_dirs(lpd_t) - -optional_policy(` - nis_use_ypbind(lpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(lpd_t) -') - -optional_policy(` - udev_read_db(lpd_t) -') - -############################## -# -# Local policy -# - -allow lpr_t self:capability { setuid dac_override net_bind_service chown }; -allow lpr_t self:unix_stream_socket create_stream_socket_perms; -allow lpr_t self:tcp_socket create_socket_perms; -allow lpr_t self:udp_socket create_socket_perms; - -can_exec(lpr_t, lpr_exec_t) - -# Allow lpd to read, rename, and unlink spool files. -allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; - -kernel_read_kernel_sysctls(lpr_t) - -corenet_all_recvfrom_unlabeled(lpr_t) -corenet_all_recvfrom_netlabel(lpr_t) -corenet_tcp_sendrecv_generic_if(lpr_t) -corenet_udp_sendrecv_generic_if(lpr_t) -corenet_tcp_sendrecv_generic_node(lpr_t) -corenet_udp_sendrecv_generic_node(lpr_t) -corenet_tcp_sendrecv_all_ports(lpr_t) -corenet_udp_sendrecv_all_ports(lpr_t) -corenet_tcp_connect_all_ports(lpr_t) -corenet_sendrecv_all_client_packets(lpr_t) - -dev_read_rand(lpr_t) -dev_read_urand(lpr_t) - -domain_use_interactive_fds(lpr_t) - -files_search_spool(lpr_t) -# for lpd config files (should have a new type) -files_read_etc_files(lpr_t) -# for test print -files_read_usr_files(lpr_t) -#Added to cover read_content macro -files_list_home(lpr_t) -files_read_generic_tmp_files(lpr_t) - -fs_getattr_xattr_fs(lpr_t) - -# Access the terminal. -term_use_controlling_term(lpr_t) -term_use_generic_ptys(lpr_t) - -auth_use_nsswitch(lpr_t) - -miscfiles_read_localization(lpr_t) - -userdom_read_user_tmp_symlinks(lpr_t) -# Write to the user domain tty. -userdom_use_user_terminals(lpr_t) -userdom_read_user_home_content_files(lpr_t) -userdom_read_user_tmp_files(lpr_t) - -tunable_policy(`use_lpd_server',` - # lpr can run in lightweight mode, without a local print spooler. - allow lpr_t lpd_var_run_t:dir search_dir_perms; - allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms; - files_read_var_files(lpr_t) - - # Connect to lpd via a Unix domain socket. - allow lpr_t printer_t:sock_file read_sock_file_perms; - stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t) - # Send SIGHUP to lpd. - allow lpr_t lpd_t:process signal; - - manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) - manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) - files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir }) - - manage_files_pattern(lpr_t, print_spool_t, print_spool_t) - filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file) - # Read and write shared files in the spool directory. - allow lpr_t print_spool_t:file rw_file_perms; - - allow lpr_t printconf_t:dir list_dir_perms; - read_files_pattern(lpr_t, printconf_t, printconf_t) - read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) -') - -tunable_policy(`use_nfs_home_dirs',` - files_list_home(lpr_t) - fs_list_auto_mountpoints(lpr_t) - fs_read_nfs_files(lpr_t) - fs_read_nfs_symlinks(lpr_t) -') - -tunable_policy(`use_samba_home_dirs',` - files_list_home(lpr_t) - fs_list_auto_mountpoints(lpr_t) - fs_read_cifs_files(lpr_t) - fs_read_cifs_symlinks(lpr_t) -') - -optional_policy(` - cups_read_config(lpr_t) - cups_stream_connect(lpr_t) - cups_read_pid_files(lpr_t) -') - -optional_policy(` - logging_send_syslog_msg(lpr_t) -') diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc deleted file mode 100644 index 14ad189..0000000 --- a/policy/modules/services/mailman.fc +++ /dev/null @@ -1,34 +0,0 @@ -/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) - -/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) -/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) -/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) -/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0) -/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) - -# -# distro_debian -# -ifdef(`distro_debian', ` -/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) - -/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -') - -# -# distro_redhat -# -ifdef(`distro_redhat', ` -/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) - -/usr/lib(64)?/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -/usr/lib(64)?/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib(64)?/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) - -/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) -') diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if deleted file mode 100644 index 84b7626..0000000 --- a/policy/modules/services/mailman.if +++ /dev/null @@ -1,352 +0,0 @@ -## Mailman is for managing electronic mail discussion and e-newsletter lists - -####################################### -## -## The template to define a mailmain domain. -## -## -##

-## This template creates a domain to be used for -## a new mailman daemon. -##

-##
-## -## -## The type of daemon to be used eg, cgi would give mailman_cgi_ -## -## -# -template(`mailman_domain_template',` - type mailman_$1_t; - domain_type(mailman_$1_t) - role system_r types mailman_$1_t; - - type mailman_$1_exec_t; - domain_entry_file(mailman_$1_t, mailman_$1_exec_t) - - type mailman_$1_tmp_t; - files_tmp_file(mailman_$1_tmp_t) - - allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms; - allow mailman_$1_t self:tcp_socket create_stream_socket_perms; - allow mailman_$1_t self:udp_socket create_socket_perms; - - files_search_spool(mailman_$1_t) - - manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) - manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) - manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) - - manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - - manage_files_pattern(mailman_$1_t, mailman_lock_t, mailman_lock_t) - files_lock_filetrans(mailman_$1_t, mailman_lock_t, file) - - manage_files_pattern(mailman_$1_t, mailman_log_t, mailman_log_t) - logging_log_filetrans(mailman_$1_t, mailman_log_t, file) - - manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir }) - - kernel_read_kernel_sysctls(mailman_$1_t) - kernel_read_system_state(mailman_$1_t) - - corenet_all_recvfrom_unlabeled(mailman_$1_t) - corenet_all_recvfrom_netlabel(mailman_$1_t) - corenet_tcp_sendrecv_generic_if(mailman_$1_t) - corenet_udp_sendrecv_generic_if(mailman_$1_t) - corenet_raw_sendrecv_generic_if(mailman_$1_t) - corenet_tcp_sendrecv_generic_node(mailman_$1_t) - corenet_udp_sendrecv_generic_node(mailman_$1_t) - corenet_raw_sendrecv_generic_node(mailman_$1_t) - corenet_tcp_sendrecv_all_ports(mailman_$1_t) - corenet_udp_sendrecv_all_ports(mailman_$1_t) - corenet_tcp_bind_generic_node(mailman_$1_t) - corenet_udp_bind_generic_node(mailman_$1_t) - corenet_tcp_connect_smtp_port(mailman_$1_t) - corenet_sendrecv_smtp_client_packets(mailman_$1_t) - - fs_getattr_xattr_fs(mailman_$1_t) - - corecmd_exec_all_executables(mailman_$1_t) - - files_exec_etc_files(mailman_$1_t) - files_read_usr_files(mailman_$1_t) - files_list_var(mailman_$1_t) - files_list_var_lib(mailman_$1_t) - files_read_var_lib_symlinks(mailman_$1_t) - files_read_etc_runtime_files(mailman_$1_t) - - auth_use_nsswitch(mailman_$1_t) - - libs_exec_ld_so(mailman_$1_t) - libs_exec_lib_files(mailman_$1_t) - - logging_send_syslog_msg(mailman_$1_t) - - miscfiles_read_localization(mailman_$1_t) -') - -####################################### -## -## Execute mailman in the mailman domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mailman_domtrans',` - gen_require(` - type mailman_mail_exec_t, mailman_mail_t; - ') - - domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) -') - -####################################### -## -## Execute mailman CGI scripts in the -## mailman CGI domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mailman_domtrans_cgi',` - gen_require(` - type mailman_cgi_exec_t, mailman_cgi_t; - ') - - domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) -') - -####################################### -## -## Execute mailman in the caller domain. -## -## -## -## Domain allowd access. -## -## -# -interface(`mailman_exec',` - gen_require(` - type mailman_mail_exec_t; - ') - - can_exec($1, mailman_mail_exec_t) -') - -####################################### -## -## Send generic signals to the mailman cgi domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_signal_cgi',` - gen_require(` - type mailman_cgi_t; - ') - - allow $1 mailman_cgi_t:process signal; -') - -####################################### -## -## Allow domain to search data directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_search_data',` - gen_require(` - type mailman_data_t; - ') - - allow $1 mailman_data_t:dir search_dir_perms; -') - -####################################### -## -## Allow domain to to read mailman data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_read_data_files',` - gen_require(` - type mailman_data_t; - ') - - list_dirs_pattern($1, mailman_data_t, mailman_data_t) - read_files_pattern($1, mailman_data_t, mailman_data_t) - read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) -') - -####################################### -## -## Allow domain to to create mailman data files -## and write the directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_manage_data_files',` - gen_require(` - type mailman_data_t; - ') - - manage_dirs_pattern($1, mailman_data_t, mailman_data_t) - manage_files_pattern($1, mailman_data_t, mailman_data_t) -') - -####################################### -## -## List the contents of mailman data directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_list_data',` - gen_require(` - type mailman_data_t; - ') - - allow $1 mailman_data_t:dir list_dir_perms; -') - -####################################### -## -## Allow read acces to mailman data symbolic links. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_read_data_symlinks',` - gen_require(` - type mailman_data_t; - ') - - read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) -') - -####################################### -## -## Read mailman logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_read_log',` - gen_require(` - type mailman_log_t; - ') - - read_files_pattern($1, mailman_log_t, mailman_log_t) -') - -####################################### -## -## Append to mailman logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_append_log',` - gen_require(` - type mailman_log_t; - ') - - append_files_pattern($1, mailman_log_t, mailman_log_t) -') - -####################################### -## -## Create, read, write, and delete -## mailman logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_manage_log',` - gen_require(` - type mailman_log_t; - ') - - manage_files_pattern($1, mailman_log_t, mailman_log_t) - manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t) -') - -####################################### -## -## Allow domain to read mailman archive files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_read_archive',` - gen_require(` - type mailman_archive_t; - ') - - allow $1 mailman_archive_t:dir list_dir_perms; - read_files_pattern($1, mailman_archive_t, mailman_archive_t) - read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) -') - -####################################### -## -## Execute mailman_queue in the mailman_queue domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mailman_domtrans_queue',` - gen_require(` - type mailman_queue_exec_t, mailman_queue_t; - ') - - domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) -') diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te deleted file mode 100644 index 96e3c80..0000000 --- a/policy/modules/services/mailman.te +++ /dev/null @@ -1,132 +0,0 @@ -policy_module(mailman, 1.8.0) - -######################################## -# -# Declarations -# - -mailman_domain_template(cgi) - -type mailman_data_t; -files_type(mailman_data_t) - -type mailman_archive_t; -files_type(mailman_archive_t) - -type mailman_log_t; -logging_log_file(mailman_log_t) - -type mailman_lock_t; -files_lock_file(mailman_lock_t) - -mailman_domain_template(mail) -init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) - -mailman_domain_template(queue) - -######################################## -# -# Mailman CGI local policy -# - -# cjp: the template invocation for cgi should be -# in the below optional policy; however, there are no -# optionals for file contexts yet, so it is promoted -# to global scope until such facilities exist. - -optional_policy(` - dev_read_urand(mailman_cgi_t) - - manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) - manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) - manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) - - files_search_spool(mailman_cgi_t) - - term_use_controlling_term(mailman_cgi_t) - - # for python pre-compile foolishness - libs_dontaudit_write_lib_dirs(mailman_cgi_t) - - apache_sigchld(mailman_cgi_t) - apache_use_fds(mailman_cgi_t) - apache_dontaudit_append_log(mailman_cgi_t) - apache_search_sys_script_state(mailman_cgi_t) - apache_read_config(mailman_cgi_t) - apache_dontaudit_rw_stream_sockets(mailman_cgi_t) -') - -######################################## -# -# Mailman mail local policy -# - -allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; -allow mailman_mail_t self:process { signal signull }; -allow mailman_mail_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) - -files_search_spool(mailman_mail_t) - -fs_rw_anon_inodefs_files(mailman_mail_t) - -mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) -mta_dontaudit_rw_queue(mailman_mail_t) - -optional_policy(` - courier_read_spool(mailman_mail_t) -') - -optional_policy(` - gnome_dontaudit_search_config(mailman_mail_t) -') - -optional_policy(` - cron_read_pipes(mailman_mail_t) -') - -optional_policy(` - postfix_search_spool(mailman_mail_t) -') - -######################################## -# -# Mailman queue local policy -# - -allow mailman_queue_t self:capability { setgid setuid }; -allow mailman_queue_t self:process signal; -allow mailman_queue_t self:fifo_file rw_fifo_file_perms; -allow mailman_queue_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) -manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) -manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) - -kernel_read_proc_symlinks(mailman_queue_t) - -auth_domtrans_chk_passwd(mailman_queue_t) - -files_dontaudit_search_pids(mailman_queue_t) - -# for su -seutil_dontaudit_search_config(mailman_queue_t) - -# some of the following could probably be changed to dontaudit, someone who -# knows mailman well should test this out and send the changes -userdom_search_user_home_dirs(mailman_queue_t) - -optional_policy(` - apache_read_config(mailman_queue_t) -') - -optional_policy(` - cron_system_entry(mailman_queue_t, mailman_queue_exec_t) -') - -optional_policy(` - su_exec(mailman_queue_t) -') diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc deleted file mode 100644 index 4d69477..0000000 --- a/policy/modules/services/memcached.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0) - -/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) - -/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if deleted file mode 100644 index 5008a6c..0000000 --- a/policy/modules/services/memcached.if +++ /dev/null @@ -1,72 +0,0 @@ -## high-performance memory object caching system - -######################################## -## -## Execute a domain transition to run memcached. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`memcached_domtrans',` - gen_require(` - type memcached_t, memcached_exec_t; - ') - - domtrans_pattern($1, memcached_exec_t, memcached_t) -') - -######################################## -## -## Read memcached PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`memcached_read_pid_files',` - gen_require(` - type memcached_var_run_t; - ') - - files_search_pids($1) - allow $1 memcached_var_run_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an memcached environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the memcached domain. -## -## -## -# -interface(`memcached_admin',` - gen_require(` - type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; - ') - - allow $1 memcached_t:process { ptrace signal_perms }; - ps_process_pattern($1, memcached_t) - - init_labeled_script_domtrans($1, memcached_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 memcached_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, memcached_var_run_t) -') diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te deleted file mode 100644 index b681608..0000000 --- a/policy/modules/services/memcached.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(memcached, 1.2.0) - -######################################## -# -# Declarations -# - -type memcached_t; -type memcached_exec_t; -init_daemon_domain(memcached_t, memcached_exec_t) - -type memcached_initrc_exec_t; -init_script_file(memcached_initrc_exec_t) - -type memcached_var_run_t; -files_pid_file(memcached_var_run_t) - -######################################## -# -# memcached local policy -# - -allow memcached_t self:capability { setuid setgid }; -dontaudit memcached_t self:capability sys_tty_config; -allow memcached_t self:process { setrlimit signal_perms }; -allow memcached_t self:tcp_socket create_stream_socket_perms; -allow memcached_t self:udp_socket { create_socket_perms listen }; -allow memcached_t self:fifo_file rw_fifo_file_perms; -allow memcached_t self:unix_stream_socket create_stream_socket_perms; - -corenet_all_recvfrom_unlabeled(memcached_t) -corenet_udp_sendrecv_generic_if(memcached_t) -corenet_udp_sendrecv_generic_node(memcached_t) -corenet_udp_sendrecv_all_ports(memcached_t) -corenet_udp_bind_generic_node(memcached_t) -corenet_tcp_sendrecv_generic_if(memcached_t) -corenet_tcp_sendrecv_generic_node(memcached_t) -corenet_tcp_sendrecv_all_ports(memcached_t) -corenet_tcp_bind_generic_node(memcached_t) -corenet_tcp_bind_memcache_port(memcached_t) -corenet_udp_bind_memcache_port(memcached_t) - -manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) -manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) -files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(memcached_t) -kernel_read_system_state(memcached_t) - -files_read_etc_files(memcached_t) - -term_dontaudit_use_all_ptys(memcached_t) -term_dontaudit_use_all_ttys(memcached_t) -term_dontaudit_use_console(memcached_t) - -auth_use_nsswitch(memcached_t) - -miscfiles_read_localization(memcached_t) diff --git a/policy/modules/services/metadata.xml b/policy/modules/services/metadata.xml deleted file mode 100644 index 4e6ec17..0000000 --- a/policy/modules/services/metadata.xml +++ /dev/null @@ -1,4 +0,0 @@ - - Policy modules for system services, like cron, and network services, - like sshd. - diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc deleted file mode 100644 index 613c69d..0000000 --- a/policy/modules/services/milter.fc +++ /dev/null @@ -1,17 +0,0 @@ -/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) - -/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) -/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) -/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) - -/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) - -/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) -/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) - -/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if deleted file mode 100644 index d7e81f3..0000000 --- a/policy/modules/services/milter.if +++ /dev/null @@ -1,140 +0,0 @@ -## Milter mail filters - -######################################## -## -## Create a set of derived types for various -## mail filter applications using the milter interface. -## -## -## -## The name to be used for deriving type names. -## -## -# -template(`milter_template',` - # attributes common to all milters - gen_require(` - attribute milter_data_type, milter_domains; - ') - - type $1_milter_t, milter_domains; - type $1_milter_exec_t; - init_daemon_domain($1_milter_t, $1_milter_exec_t) - role system_r types $1_milter_t; - - # Type for the milter data (e.g. the socket used to communicate with the MTA) - type $1_milter_data_t, milter_data_type; - files_type($1_milter_data_t) - - allow $1_milter_t self:fifo_file rw_fifo_file_perms; - - # Allow communication with MTA over a unix-domain socket - # Note: usage with TCP sockets requires additional policy - manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - - # Create other data files and directories in the data directory - manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - - files_read_etc_files($1_milter_t) - - kernel_dontaudit_read_system_state($1_milter_t) - - miscfiles_read_localization($1_milter_t) - - logging_send_syslog_msg($1_milter_t) -') - -######################################## -## -## MTA communication with milter sockets -## -## -## -## Domain allowed access. -## -## -# -interface(`milter_stream_connect_all',` - gen_require(` - attribute milter_data_type, milter_domains; - ') - - files_search_pids($1) - stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) -') - -######################################## -## -## Allow getattr of milter sockets -## -## -## -## Domain allowed access. -## -## -# -interface(`milter_getattr_all_sockets',` - gen_require(` - attribute milter_data_type; - ') - - getattr_sock_files_pattern($1, milter_data_type, milter_data_type) -') - -######################################## -## -## Allow setattr of milter dirs -## -## -## -## Domain allowed access. -## -## -# -interface(`milter_setattr_all_dirs',` - gen_require(` - attribute milter_data_type; - ') - - setattr_dirs_pattern($1, milter_data_type, milter_data_type) -') - -######################################## -## -## Manage spamassassin milter state -## -## -## -## Domain allowed access. -## -## -# -interface(`milter_manage_spamass_state',` - gen_require(` - type spamass_milter_state_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) -') - -####################################### -## -## Delete dkim-milter PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`milter_delete_dkim_pid_files',` - gen_require(` - type dkim_milter_data_t; - ') - - files_search_pids($1) - delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) -') diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te deleted file mode 100644 index f42a489..0000000 --- a/policy/modules/services/milter.te +++ /dev/null @@ -1,119 +0,0 @@ -policy_module(milter, 1.2.1) - -######################################## -# -# Declarations -# - -# attributes common to all milters -attribute milter_domains; -attribute milter_data_type; - -# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter -milter_template(dkim) - -# type for the private key of dkim-milter -type dkim_milter_private_key_t; -files_type(dkim_milter_private_key_t) - -# currently-supported milters are milter-greylist, milter-regex and spamass-milter -milter_template(greylist) -milter_template(regex) -milter_template(spamass) - -# Type for the spamass-milter home directory, under which spamassassin will -# store system-wide preferences, bayes databases etc. if not configured to -# use per-user configuration -type spamass_milter_state_t; -files_type(spamass_milter_state_t) - -####################################### -# -# dkim-milter local policy -# - -allow dkim_milter_t self:capability { kill setgid setuid }; -allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; - -read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) - -auth_use_nsswitch(dkim_milter_t) - -sysnet_dns_name_resolve(dkim_milter_t) - -mta_read_config(dkim_milter_t) - -######################################## -# -# milter-greylist local policy -# ensure smtp clients retry mail like real MTAs and not spamware -# http://hcpnet.free.fr/milter-greylist/ -# - -# It removes any existing socket (not owned by root) whilst running as root, -# fixes permissions, renices itself and then calls setgid() and setuid() to -# drop privileges -allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; -allow greylist_milter_t self:process { setsched getsched }; - -# It creates a pid file /var/run/milter-greylist.pid -files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) - -kernel_read_kernel_sysctls(greylist_milter_t) - -# Allow the milter to read a GeoIP database in /usr/share -files_read_usr_files(greylist_milter_t) -# The milter runs from /var/lib/milter-greylist and maintains files there -files_search_var_lib(greylist_milter_t) - -# Look up username for dropping privs -auth_use_nsswitch(greylist_milter_t) - -# Config is in /etc/mail/greylist.conf -mta_read_config(greylist_milter_t) - -######################################## -# -# milter-regex local policy -# filter emails using regular expressions -# http://www.benzedrine.cx/milter-regex.html -# - -# It removes any existing socket (not owned by root) whilst running as root -# and then calls setgid() and setuid() to drop privileges -allow regex_milter_t self:capability { setuid setgid dac_override }; - -# The milter's socket directory lives under /var/spool -files_search_spool(regex_milter_t) - -# Look up username for dropping privs -auth_use_nsswitch(regex_milter_t) - -# Config is in /etc/mail/milter-regex.conf -mta_read_config(regex_milter_t) - -######################################## -# -# spamass-milter local policy -# pipe emails through SpamAssassin -# http://savannah.nongnu.org/projects/spamass-milt/ -# - -# The milter runs from /var/lib/spamass-milter -allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; -files_search_var_lib(spamass_milter_t) - -kernel_read_system_state(spamass_milter_t) - -# When used with -b or -B options, the milter invokes sendmail to send mail -# to a spamtrap address, using popen() -corecmd_exec_shell(spamass_milter_t) -corecmd_read_bin_symlinks(spamass_milter_t) -corecmd_search_bin(spamass_milter_t) - -mta_send_mail(spamass_milter_t) - -# The main job of the milter is to pipe spam through spamc and act on the result -optional_policy(` - spamassassin_domtrans_client(spamass_milter_t) -') diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc deleted file mode 100644 index 42bb2a3..0000000 --- a/policy/modules/services/mock.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0) - -/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0) - -/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if deleted file mode 100644 index d76fb11..0000000 --- a/policy/modules/services/mock.if +++ /dev/null @@ -1,236 +0,0 @@ -## policy for mock - -######################################## -## -## Execute a domain transition to run mock. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mock_domtrans',` - gen_require(` - type mock_t, mock_exec_t; - ') - - domtrans_pattern($1, mock_exec_t, mock_t) -') - -######################################## -## -## Search mock lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`mock_search_lib',` - gen_require(` - type mock_var_lib_t; - ') - - allow $1 mock_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read mock lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mock_read_lib_files',` - gen_require(` - type mock_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, mock_var_lib_t, mock_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## mock lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mock_manage_lib_files',` - gen_require(` - type mock_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t) -') - -######################################## -## -## Manage mock lib dirs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mock_manage_lib_dirs',` - gen_require(` - type mock_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t) -') - -######################################### -## -## Manage mock lib symlinks. -## -## -## -## Domain allowed access. -## -## -# -interface(`mock_manage_lib_symlinks',` - gen_require(` - type mock_var_lib_t; - ') - - files_search_var_lib($1) - manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t) -') - -######################################## -## -## Manage mock lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mock_manage_lib_chr_files',` - gen_require(` - type mock_var_lib_t; - ') - - files_search_var_lib($1) - manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t) -') - -######################################## -## -## Execute mock in the mock domain, and -## allow the specified role the mock domain. -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the mock domain. -## -## -## -# -interface(`mock_run',` - gen_require(` - type mock_t; - ') - - mock_domtrans($1) - role $2 types mock_t; -') - -######################################## -## -## Role access for mock -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -interface(`mock_role',` - gen_require(` - type mock_t; - ') - - role $1 types mock_t; - - mock_domtrans($2) - - ps_process_pattern($2, mock_t) - allow $2 mock_t:process { ptrace signal_perms }; -') - -####################################### -## -## Send a generic signal to mock. -## -## -## -## Domain allowed access. -## -## -# -interface(`mock_signal',` - gen_require(` - type mock_t; - ') - - allow $1 mock_t:process signal; -') - -######################################## -## -## All of the rules required to administrate -## an mock environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`mock_admin',` - gen_require(` - type mock_t, mock_var_lib_t; - ') - - allow $1 mock_t:process { ptrace signal_perms }; - ps_process_pattern($1, mock_t) - - files_list_var_lib($1) - admin_pattern($1, mock_var_lib_t) -') diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te deleted file mode 100644 index b05a9cd..0000000 --- a/policy/modules/services/mock.te +++ /dev/null @@ -1,99 +0,0 @@ -policy_module(mock,1.0.0) - -######################################## -# -# Declarations -# - -type mock_t; -type mock_exec_t; -application_domain(mock_t, mock_exec_t) -domain_role_change_exemption(mock_t) -domain_system_change_exemption(mock_t) -role system_r types mock_t; - -permissive mock_t; - -type mock_cache_t; -files_type(mock_cache_t) - -type mock_tmp_t; -files_tmp_file(mock_tmp_t) - -type mock_var_lib_t; -files_type(mock_var_lib_t) - -######################################## -# -# mock local policy -# - -allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; -allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill }; -dontaudit mock_t self:process { siginh noatsecure rlimitinh }; -allow mock_t self:fifo_file manage_fifo_file_perms; -allow mock_t self:unix_stream_socket create_stream_socket_perms; -allow mock_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t) -manage_files_pattern(mock_t, mock_cache_t, mock_cache_t) -files_var_filetrans(mock_t, mock_cache_t, { dir file } ) - -manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t) -manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t) -files_tmp_filetrans(mock_t, mock_tmp_t, { dir file }) -can_exec(mock_t, mock_tmp_t) - -manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file }) -can_exec(mock_t, mock_var_lib_t) -allow mock_t mock_var_lib_t:dir mounton; - -kernel_list_proc(mock_t) -kernel_read_irq_sysctls(mock_t) -kernel_read_system_state(mock_t) -kernel_read_kernel_sysctls(mock_t) -kernel_request_load_module(mock_t) - -corecmd_exec_bin(mock_t) -corecmd_exec_shell(mock_t) - -corenet_tcp_connect_http_port(mock_t) - -dev_read_urand(mock_t) - -domain_read_all_domains_state(mock_t) -domain_use_interactive_fds(mock_t) - -files_read_etc_files(mock_t) -files_read_usr_files(mock_t) - -fs_getattr_all_fs(mock_t) - -selinux_get_enforce_mode(mock_t) - -auth_use_nsswitch(mock_t) - -init_exec(mock_t) - -libs_domtrans_ldconfig(mock_t) - -logging_send_audit_msgs(mock_t) -logging_send_syslog_msg(mock_t) - -miscfiles_read_localization(mock_t) - -mount_domtrans(mock_t) - -optional_policy(` - rpm_exec(mock_t) - rpm_manage_db(mock_t) - rpm_entry_type(mock_t) -') - -optional_policy(` - apache_read_sys_content_rw_files(mock_t) -') diff --git a/policy/modules/services/modemmanager.fc b/policy/modules/services/modemmanager.fc deleted file mode 100644 index a83894c..0000000 --- a/policy/modules/services/modemmanager.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0) diff --git a/policy/modules/services/modemmanager.if b/policy/modules/services/modemmanager.if deleted file mode 100644 index 7a7fc02..0000000 --- a/policy/modules/services/modemmanager.if +++ /dev/null @@ -1,40 +0,0 @@ -## Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards. - -######################################## -## -## Execute a domain transition to run modemmanager. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`modemmanager_domtrans',` - gen_require(` - type modemmanager_t, modemmanager_exec_t; - ') - - domtrans_pattern($1, modemmanager_exec_t, modemmanager_t) -') - -######################################## -## -## Send and receive messages from -## modemmanager over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`modemmanager_dbus_chat',` - gen_require(` - type modemmanager_t; - class dbus send_msg; - ') - - allow $1 modemmanager_t:dbus send_msg; - allow modemmanager_t $1:dbus send_msg; -') diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te deleted file mode 100644 index 7f18c33..0000000 --- a/policy/modules/services/modemmanager.te +++ /dev/null @@ -1,51 +0,0 @@ -policy_module(modemmanager, 1.1.0) - -######################################## -# -# Declarations -# - -type modemmanager_t; -type modemmanager_exec_t; -dbus_system_domain(modemmanager_t, modemmanager_exec_t) -typealias modemmanager_t alias ModemManager_t; -typealias modemmanager_exec_t alias ModemManager_exec_t; - -######################################## -# -# ModemManager local policy -# - -allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; -allow modemmanager_t self:process { getsched signal }; -allow modemmanager_t self:fifo_file rw_file_perms; -allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; -allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; - -kernel_read_system_state(modemmanager_t) - -dev_read_sysfs(modemmanager_t) -dev_rw_modem(modemmanager_t) - -files_read_etc_files(modemmanager_t) - -term_use_generic_ptys(modemmanager_t) -term_use_unallocated_ttys(modemmanager_t) - -miscfiles_read_localization(modemmanager_t) - -logging_send_syslog_msg(modemmanager_t) - -networkmanager_dbus_chat(modemmanager_t) - -optional_policy(` - devicekit_dbus_chat_power(modemmanager_t) -') - -optional_policy(` - policykit_dbus_chat(modemmanager_t) -') - -optional_policy(` - udev_read_db(modemmanager_t) -') diff --git a/policy/modules/services/mojomojo.fc b/policy/modules/services/mojomojo.fc deleted file mode 100644 index 824c979..0000000 --- a/policy/modules/services/mojomojo.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0) - -/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0) - -/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if deleted file mode 100644 index 88e7330..0000000 --- a/policy/modules/services/mojomojo.if +++ /dev/null @@ -1,42 +0,0 @@ -## MojoMojo Wiki - -######################################## -## -## All of the rules required to administrate -## an mojomojo environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`mojomojo_admin',` - gen_require(` - type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; - type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t; - type httpd_mojomojo_script_exec_t; - ') - - allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; - ps_process_pattern($1, httpd_mojomojo_script_t) - - files_list_tmp($1) - admin_pattern($1, httpd_mojomojo_tmp_t) - - files_list_var_lib(httpd_mojomojo_script_t) - - apache_list_sys_content($1) - admin_pattern($1, httpd_mojomojo_script_exec_t) - admin_pattern($1, httpd_mojomojo_script_t) - admin_pattern($1, httpd_mojomojo_content_t) - admin_pattern($1, httpd_mojomojo_htaccess_t) - admin_pattern($1, httpd_mojomojo_rw_content_t) - admin_pattern($1, httpd_mojomojo_ra_content_t) -') diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te deleted file mode 100644 index ed69996..0000000 --- a/policy/modules/services/mojomojo.te +++ /dev/null @@ -1,43 +0,0 @@ -policy_module(mojomojo, 1.0.0) - -######################################## -# -# Declarations -# - -apache_content_template(mojomojo) - -type httpd_mojomojo_tmp_t; -files_tmp_file(httpd_mojomojo_tmp_t) - -######################################## -# -# mojomojo local policy -# - -allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; - -manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) -manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) -files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir }) - -corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) -corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) -corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) -corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) -corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) -corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) - -files_search_var_lib(httpd_mojomojo_script_t) - -sysnet_dns_name_resolve(httpd_mojomojo_script_t) - -mta_send_mail(httpd_mojomojo_script_t) - -optional_policy(` - mysql_stream_connect(httpd_mojomojo_script_t) -') - -optional_policy(` - postgresql_stream_connect(httpd_mojomojo_script_t) -') diff --git a/policy/modules/services/monop.fc b/policy/modules/services/monop.fc deleted file mode 100644 index 9ee4028..0000000 --- a/policy/modules/services/monop.fc +++ /dev/null @@ -1,4 +0,0 @@ -/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0) - -/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0) -/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0) diff --git a/policy/modules/services/monop.if b/policy/modules/services/monop.if deleted file mode 100644 index 2611351..0000000 --- a/policy/modules/services/monop.if +++ /dev/null @@ -1 +0,0 @@ -## Monopoly daemon diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te deleted file mode 100644 index 6647a35..0000000 --- a/policy/modules/services/monop.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(monop, 1.7.0) - -######################################## -# -# Declarations -# - -type monopd_t; -type monopd_exec_t; -init_daemon_domain(monopd_t, monopd_exec_t) - -type monopd_etc_t; -files_config_file(monopd_etc_t) - -type monopd_share_t; -files_type(monopd_share_t) - -type monopd_var_run_t; -files_pid_file(monopd_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit monopd_t self:capability sys_tty_config; -allow monopd_t self:process signal_perms; -allow monopd_t self:tcp_socket create_stream_socket_perms; -allow monopd_t self:udp_socket create_socket_perms; - -allow monopd_t monopd_etc_t:file read_file_perms; -files_search_etc(monopd_t) - -allow monopd_t monopd_share_t:dir list_dir_perms; -read_files_pattern(monopd_t, monopd_share_t, monopd_share_t) -read_lnk_files_pattern(monopd_t, monopd_share_t, monopd_share_t) - -manage_files_pattern(monopd_t, monopd_var_run_t, monopd_var_run_t) -files_pid_filetrans(monopd_t, monopd_var_run_t, file) - -kernel_read_kernel_sysctls(monopd_t) -kernel_list_proc(monopd_t) -kernel_read_proc_symlinks(monopd_t) - -corenet_all_recvfrom_unlabeled(monopd_t) -corenet_all_recvfrom_netlabel(monopd_t) -corenet_tcp_sendrecv_generic_if(monopd_t) -corenet_udp_sendrecv_generic_if(monopd_t) -corenet_tcp_sendrecv_generic_node(monopd_t) -corenet_udp_sendrecv_generic_node(monopd_t) -corenet_tcp_sendrecv_all_ports(monopd_t) -corenet_udp_sendrecv_all_ports(monopd_t) -corenet_tcp_bind_generic_node(monopd_t) -corenet_tcp_bind_monopd_port(monopd_t) -corenet_sendrecv_monopd_server_packets(monopd_t) - -dev_read_sysfs(monopd_t) - -domain_use_interactive_fds(monopd_t) - -files_read_etc_files(monopd_t) - -fs_getattr_all_fs(monopd_t) -fs_search_auto_mountpoints(monopd_t) - -logging_send_syslog_msg(monopd_t) - -miscfiles_read_localization(monopd_t) - -sysnet_read_config(monopd_t) - -userdom_dontaudit_use_unpriv_user_fds(monopd_t) -userdom_dontaudit_search_user_home_dirs(monopd_t) - -optional_policy(` - nis_use_ypbind(monopd_t) -') - -optional_policy(` - seutil_sigchld_newrole(monopd_t) -') - -optional_policy(` - udev_read_db(monopd_t) -') diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc deleted file mode 100644 index 564b22d..0000000 --- a/policy/modules/services/mpd.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) - -/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) - -/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0) - -/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) -/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) -/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if deleted file mode 100644 index 311aaed..0000000 --- a/policy/modules/services/mpd.if +++ /dev/null @@ -1,267 +0,0 @@ -## policy for daemon for playing music - -######################################## -## -## Execute a domain transition to run mpd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mpd_domtrans',` - gen_require(` - type mpd_t, mpd_exec_t; - ') - - domtrans_pattern($1, mpd_exec_t, mpd_t) -') - -######################################## -## -## Execute mpd server in the mpd domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_initrc_domtrans',` - gen_require(` - type mpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, mpd_initrc_exec_t) -') - -####################################### -## -## Read mpd data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_read_data_files',` - gen_require(` - type mpd_data_t; - ') - - mpd_search_lib($1) - read_files_pattern($1, mpd_data_t, mpd_data_t) -') - -####################################### -## -## Read mpd tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_read_tmpfs_files',` - gen_require(` - type mpd_tmpfs_t; - ') - - fs_search_tmpfs($1) - read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -') - -################################### -## -## Manage mpd tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_manage_tmpfs_files',` - gen_require(` - type mpd_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) - manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -') - -###################################### -## -## Manage mpd data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_manage_data_files',` - gen_require(` - type mpd_data_t; - ') - - mpd_search_lib($1) - manage_files_pattern($1, mpd_data_t, mpd_data_t) -') - -######################################## -## -## Search mpd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_search_lib',` - gen_require(` - type mpd_var_lib_t; - ') - - allow $1 mpd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read mpd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_read_lib_files',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## mpd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_manage_lib_files',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -') - -####################################### -## -## Create an object in the root directory, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`mpd_var_lib_filetrans',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - filetrans_pattern($1, mpd_var_lib_t, $2, $3) -') - -######################################## -## -## Manage mpd lib dirs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_manage_lib_dirs',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an mpd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`mpd_admin',` - gen_require(` - type mpd_t, mpd_initrc_exec_t, mpd_etc_t; - type mpd_data_t, mpd_log_t, mpd_var_lib_t; - type mpd_tmpfs_t; - ') - - allow $1 mpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, mpd_t) - - mpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 mpd_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, mpd_etc_t) - files_list_etc($1) - - files_list_var_lib($1) - admin_pattern($1, mpd_var_lib_t) - - admin_pattern($1, mpd_data_t) - - admin_pattern($1, mpd_log_t) - - fs_list_tmpfs($1) - admin_pattern($1, mpd_tmpfs_t) -') diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te deleted file mode 100644 index 84bc8bb..0000000 --- a/policy/modules/services/mpd.te +++ /dev/null @@ -1,110 +0,0 @@ -policy_module(mpd, 1.0.0) - -######################################## -# -# Declarations -# - -type mpd_t; -type mpd_exec_t; -init_daemon_domain(mpd_t, mpd_exec_t) - -permissive mpd_t; - -type mpd_initrc_exec_t; -init_script_file(mpd_initrc_exec_t) - -type mpd_etc_t; -files_config_file(mpd_etc_t) - -# type for music content -type mpd_data_t; -files_type(mpd_data_t) - -type mpd_log_t; -logging_log_file(mpd_log_t) - -type mpd_tmp_t; -files_tmp_file(mpd_tmp_t) - -type mpd_tmpfs_t; -files_tmpfs_file(mpd_tmpfs_t) - -type mpd_var_lib_t; -files_type(mpd_var_lib_t) - -######################################## -# -# mpd local policy -# - -#cjp: dac_override bug in mpd relating to mpd.log file -allow mpd_t self:capability { dac_override kill setgid setuid }; -allow mpd_t self:process { getsched setsched setrlimit signal signull }; -allow mpd_t self:fifo_file rw_fifo_file_perms; -allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow mpd_t self:tcp_socket create_stream_socket_perms; -allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; -allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; - -read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) - -manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) -manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) - -manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file }) - -manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) -manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) -fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file ) - -manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file }) - -kernel_read_system_state(mpd_t) -kernel_read_kernel_sysctls(mpd_t) - -corecmd_exec_bin(mpd_t) - -corenet_sendrecv_pulseaudio_client_packets(mpd_t) -corenet_tcp_connect_http_port(mpd_t) -corenet_tcp_connect_http_cache_port(mpd_t) -corenet_tcp_connect_pulseaudio_port(mpd_t) -corenet_tcp_bind_mpd_port(mpd_t) -corenet_tcp_bind_soundd_port(mpd_t) - -dev_read_sysfs(mpd_t) - -files_read_usr_files(mpd_t) - -fs_getattr_tmpfs(mpd_t) -fs_list_inotifyfs(mpd_t) -fs_rw_anon_inodefs_files(mpd_t) - -auth_use_nsswitch(mpd_t) - -logging_send_syslog_msg(mpd_t) - -miscfiles_read_localization(mpd_t) - -userdom_read_home_audio_files(mpd_t) -userdom_read_user_tmpfs_files(mpd_t) - -optional_policy(` - dbus_system_bus_client(mpd_t) -') - -optional_policy(` - pulseaudio_exec(mpd_t) - pulseaudio_stream_connect(mpd_t) - pulseaudio_signull(mpd_t) -') - -optional_policy(` - udev_read_db(mpd_t) -') diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc deleted file mode 100644 index c526ce8..0000000 --- a/policy/modules/services/mta.fc +++ /dev/null @@ -1,34 +0,0 @@ -HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) -HOME_DIR/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0) - -/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) -/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -ifdef(`distro_redhat',` -/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) -') - -/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) -/root/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0) - -/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - -/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if deleted file mode 100644 index 2f948ad..0000000 --- a/policy/modules/services/mta.if +++ /dev/null @@ -1,985 +0,0 @@ -## Policy common to all email tranfer agents. - -######################################## -## -## MTA stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_stub',` - gen_require(` - type sendmail_exec_t; - ') -') - -####################################### -## -## Basic mail transfer agent domain template. -## -## -##

-## This template creates a derived domain which is -## a email transfer agent, which sends mail on -## behalf of the user. -##

-##

-## This is the basic types and rules, common -## to the system agent and user agents. -##

-##
-## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## -## -# -template(`mta_base_mail_template',` - gen_require(` - attribute user_mail_domain; - type sendmail_exec_t; - ') - - ############################## - # - # $1_mail_t declarations - # - - type $1_mail_t, user_mail_domain; - application_domain($1_mail_t, sendmail_exec_t) - - type $1_mail_tmp_t; - files_tmp_file($1_mail_tmp_t) - - ############################## - # - # $1_mail_t local policy - # - - allow $1_mail_t self:capability { setuid setgid chown }; - allow $1_mail_t self:process { signal_perms setrlimit }; - allow $1_mail_t self:tcp_socket create_socket_perms; - - # re-exec itself - can_exec($1_mail_t, sendmail_exec_t) - allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; - - kernel_read_system_state($1_mail_t) - kernel_read_kernel_sysctls($1_mail_t) - - corenet_all_recvfrom_unlabeled($1_mail_t) - corenet_all_recvfrom_netlabel($1_mail_t) - corenet_tcp_sendrecv_generic_if($1_mail_t) - corenet_tcp_sendrecv_generic_node($1_mail_t) - corenet_tcp_sendrecv_all_ports($1_mail_t) - corenet_tcp_connect_all_ports($1_mail_t) - corenet_tcp_connect_smtp_port($1_mail_t) - corenet_sendrecv_smtp_client_packets($1_mail_t) - - corecmd_exec_bin($1_mail_t) - - files_read_etc_files($1_mail_t) - files_search_spool($1_mail_t) - # It wants to check for nscd - files_dontaudit_search_pids($1_mail_t) - - auth_use_nsswitch($1_mail_t) - - init_dontaudit_rw_utmp($1_mail_t) - - logging_send_syslog_msg($1_mail_t) - - miscfiles_read_localization($1_mail_t) - - optional_policy(` - exim_read_log($1_mail_t) - exim_append_log($1_mail_t) - exim_manage_spool_files($1_mail_t) - ') - - optional_policy(` - postfix_domtrans_user_mail_handler($1_mail_t) - ') - - optional_policy(` - procmail_exec($1_mail_t) - ') - - optional_policy(` - qmail_domtrans_inject($1_mail_t) - ') - - optional_policy(` - gen_require(` - type etc_mail_t, mail_spool_t, mqueue_spool_t; - ') - - manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) - - allow $1_mail_t etc_mail_t:dir search_dir_perms; - - # Write to /var/spool/mail and /var/spool/mqueue. - manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) - manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t) - - # Check available space. - fs_getattr_xattr_fs($1_mail_t) - - files_read_etc_runtime_files($1_mail_t) - - # Write to /var/log/sendmail.st - sendmail_manage_log($1_mail_t) - sendmail_create_log($1_mail_t) - ') - - optional_policy(` - uucp_manage_spool($1_mail_t) - ') -') - -######################################## -## -## Role access for mta -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -interface(`mta_role',` - gen_require(` - attribute mta_user_agent; - type user_mail_t, sendmail_exec_t; - ') - - role $1 types { user_mail_t mta_user_agent }; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, sendmail_exec_t, user_mail_t) - allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; - - allow mta_user_agent $2:fd use; - allow mta_user_agent $2:process sigchld; - allow mta_user_agent $2:fifo_file { read write }; -') - -######################################## -## -## Make the specified domain usable for a mail server. -## -## -## -## Type to be used as a mail server domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# -interface(`mta_mailserver',` - gen_require(` - attribute mailserver_domain; - ') - - init_daemon_domain($1, $2) - typeattribute $1 mailserver_domain; -') - -######################################## -## -## Make the specified type a MTA executable file. -## -## -## -## Type to be used as a mail client. -## -## -# -interface(`mta_agent_executable',` - gen_require(` - attribute mta_exec_type; - ') - - typeattribute $1 mta_exec_type; - - application_executable_file($1) -') - -###################################### -## -## Dontaudit read and write an leaked file descriptors -## -## -## -## Domain to not audit. -## -## -# -interface(`mta_dontaudit_leaks_system_mail',` - gen_require(` - type system_mail_t; - ') - - dontaudit $1 system_mail_t:fifo_file write; - dontaudit $1 system_mail_t:tcp_socket { read write }; -') - -######################################## -## -## Make the specified type by a system MTA. -## -## -## -## Type to be used as a mail client. -## -## -# -interface(`mta_system_content',` - gen_require(` - attribute mailcontent_type; - ') - - typeattribute $1 mailcontent_type; -') - -######################################## -## -## Modified mailserver interface for -## sendmail daemon use. -## -## -##

-## A modified MTA mail server interface for -## the sendmail program. It's design does -## not fit well with policy, and using the -## regular interface causes a type_transition -## conflict if direct running of init scripts -## is enabled. -##

-##

-## This interface should most likely only be used -## by the sendmail policy. -##

-##
-## -## -## The type to be used for the mail server. -## -## -# -interface(`mta_sendmail_mailserver',` - gen_require(` - attribute mailserver_domain; - type sendmail_exec_t; - ') - - init_system_domain($1, sendmail_exec_t) - typeattribute $1 mailserver_domain; -') - -####################################### -## -## Make a type a mailserver type used -## for sending mail. -## -## -## -## Mail server domain type used for sending mail. -## -## -# -interface(`mta_mailserver_sender',` - gen_require(` - attribute mailserver_sender; - ') - - typeattribute $1 mailserver_sender; -') - -####################################### -## -## Make a type a mailserver type used -## for delivering mail to local users. -## -## -## -## Mail server domain type used for delivering mail. -## -## -# -interface(`mta_mailserver_delivery',` - gen_require(` - attribute mailserver_delivery; - ') - - typeattribute $1 mailserver_delivery; -') - -####################################### -## -## Make a type a mailserver type used -## for sending mail on behalf of local -## users to the local mail spool. -## -## -## -## Mail server domain type used for sending local mail. -## -## -# -interface(`mta_mailserver_user_agent',` - gen_require(` - attribute mta_user_agent; - ') - - typeattribute $1 mta_user_agent; -') - -######################################## -## -## Send mail from the system. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mta_send_mail',` - gen_require(` - attribute mta_user_agent, mta_exec_type; - type system_mail_t; - ') - - allow $1 mta_exec_type:lnk_file read_lnk_file_perms; - corecmd_read_bin_symlinks($1) - domtrans_pattern($1, mta_exec_type, system_mail_t) - - allow mta_user_agent $1:fd use; - allow mta_user_agent $1:process sigchld; - allow mta_user_agent $1:fifo_file rw_fifo_file_perms; - - ifdef(`hide_broken_symptoms',` - dontaudit system_mail_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute send mail in a specified domain. -## -## -##

-## Execute send mail in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# -interface(`mta_sendmail_domtrans',` - gen_require(` - attribute mta_exec_type; - ') - - files_search_usr($1) - allow $1 mta_exec_type:lnk_file read_lnk_file_perms; - corecmd_read_bin_symlinks($1) - - allow $2 mta_exec_type:file entrypoint; - domtrans_pattern($1, mta_exec_type, $2) -') - -######################################## -## -## Send system mail client a signal -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_signal_system_mail',` - gen_require(` - type system_mail_t; - ') - - allow $1 system_mail_t:process signal; -') - -######################################## -## -## Send system mail client a kill signal -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_kill_system_mail',` - gen_require(` - type system_mail_t; - ') - - allow $1 system_mail_t:process sigkill; -') - -######################################## -## -## Execute sendmail in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_sendmail_exec',` - gen_require(` - type sendmail_exec_t; - ') - - can_exec($1, sendmail_exec_t) -') - -######################################## -## -## Read mail server configuration. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mta_read_config',` - gen_require(` - type etc_mail_t; - ') - - files_search_etc($1) - allow $1 etc_mail_t:dir list_dir_perms; - read_files_pattern($1, etc_mail_t, etc_mail_t) - read_lnk_files_pattern($1, etc_mail_t, etc_mail_t) -') - -######################################## -## -## write mail server configuration. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mta_write_config',` - gen_require(` - type etc_mail_t; - ') - - manage_files_pattern($1, etc_mail_t, etc_mail_t) - allow $1 etc_mail_t:file setattr_file_perms; -') - -######################################## -## -## Read mail address aliases. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_read_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - allow $1 etc_aliases_t:file read_file_perms; -') - -######################################## -## -## Create, read, write, and delete mail address aliases. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_manage_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - manage_files_pattern($1, etc_aliases_t, etc_aliases_t) - manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) -') - -######################################## -## -## Type transition files created in /etc -## to the mail address aliases type. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_etc_filetrans_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_etc_filetrans($1, etc_aliases_t, file) -') - -######################################## -## -## Read and write mail aliases. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mta_rw_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms }; -') - -####################################### -## -## Do not audit attempts to read and write TCP -## sockets of mail delivery domains. -## -## -## -## Domain to not audit. -## -## -# -interface(`mta_dontaudit_rw_delivery_tcp_sockets',` - gen_require(` - attribute mailserver_delivery; - ') - - dontaudit $1 mailserver_delivery:tcp_socket { read write }; -') - -####################################### -## -## Connect to all mail servers over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_tcp_connect_all_mailservers',` - refpolicywarn(`$0($*) has been deprecated.') -') - -####################################### -## -## Do not audit attempts to read a symlink -## in the mail spool. -## -## -## -## Domain to not audit. -## -## -# -interface(`mta_dontaudit_read_spool_symlinks',` - gen_require(` - type mail_spool_t; - ') - - dontaudit $1 mail_spool_t:lnk_file read; -') - -######################################## -## -## Get the attributes of mail spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_getattr_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - getattr_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of mail spool files. -## -## -## -## Domain to not audit. -## -## -# -interface(`mta_dontaudit_getattr_spool_files',` - gen_require(` - type mail_spool_t; - ') - - files_dontaudit_search_spool($1) - dontaudit $1 mail_spool_t:dir search_dir_perms; - dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms; - dontaudit $1 mail_spool_t:file getattr_file_perms; -') - -####################################### -## -## Create private objects in the -## mail spool directory. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`mta_spool_filetrans',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - filetrans_pattern($1, mail_spool_t, $2, $3) -') - -######################################## -## -## Read and write the mail spool. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_rw_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - allow $1 mail_spool_t:file setattr_file_perms; - manage_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -####################################### -## -## Create, read, and write the mail spool. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_append_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - create_files_pattern($1, mail_spool_t, mail_spool_t) - write_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -####################################### -## -## Delete from the mail spool. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_delete_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - delete_files_pattern($1, mail_spool_t, mail_spool_t) -') - -######################################## -## -## Create, read, write, and delete mail spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_manage_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mail_spool_t, mail_spool_t) - manage_files_pattern($1, mail_spool_t, mail_spool_t) - manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -######################################## -## -## Search mail queue dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_search_queue',` - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - allow $1 mqueue_spool_t:dir search_dir_perms; -') - -####################################### -## -## List the mail queue. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_list_queue',` - gen_require(` - type mqueue_spool_t; - ') - - allow $1 mqueue_spool_t:dir list_dir_perms; - files_search_spool($1) -') - -####################################### -## -## Read the mail queue. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_read_queue',` - gen_require(` - type mqueue_spool_t; - ') - - read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) - files_search_spool($1) -') - -####################################### -## -## Do not audit attempts to read and -## write the mail queue. -## -## -## -## Domain to not audit. -## -## -# -interface(`mta_dontaudit_rw_queue',` - gen_require(` - type mqueue_spool_t; - ') - - dontaudit $1 mqueue_spool_t:dir search_dir_perms; - dontaudit $1 mqueue_spool_t:file rw_file_perms; -') - -######################################## -## -## Create, read, write, and delete -## mail queue files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_manage_queue',` - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t) - manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) -') - -####################################### -## -## Read sendmail binary. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for postfix -interface(`mta_read_sendmail_bin',` - gen_require(` - type sendmail_exec_t; - ') - - allow $1 sendmail_exec_t:file read_file_perms; -') - -####################################### -## -## Read and write unix domain stream sockets -## of user mail domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_rw_user_mail_stream_sockets',` - gen_require(` - attribute user_mail_domain; - ') - - allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; -') - -######################################## -## -## Type transition files created in calling dir -## to the mail address aliases type. -## -## -## -## Domain allowed access. -## -## -## -## -## Directory to transition on. -## -## -# -interface(`mta_filetrans_aliases',` - gen_require(` - type etc_aliases_t; - ') - - filetrans_pattern($1, $2, etc_aliases_t, file) -') - -###################################### -## -## ALlow domain to read mail content in the homedir -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_read_home',` - gen_require(` - type mail_home_t; - ') - - userdom_search_user_home_dirs($1) - read_files_pattern($1, mail_home_t, mail_home_t) - - ifdef(`distro_redhat',` - userdom_search_admin_dir($1) - ') -') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te deleted file mode 100644 index 36e64e9..0000000 --- a/policy/modules/services/mta.te +++ /dev/null @@ -1,334 +0,0 @@ -policy_module(mta, 2.3.0) - -######################################## -# -# Declarations -# - -attribute mailcontent_type; -attribute mta_exec_type; -attribute mta_user_agent; -attribute mailserver_delivery; -attribute mailserver_domain; -attribute mailserver_sender; - -attribute user_mail_domain; - -type etc_aliases_t; -files_type(etc_aliases_t) - -type etc_mail_t; -files_config_file(etc_mail_t) - -type mail_home_t alias mail_forward_t; -userdom_user_home_content(mail_home_t) - -type mqueue_spool_t; -files_mountpoint(mqueue_spool_t) - -type mail_spool_t; -files_mountpoint(mail_spool_t) - -type sendmail_exec_t; -mta_agent_executable(sendmail_exec_t) - -mta_base_mail_template(system) -role system_r types system_mail_t; - -mta_base_mail_template(user) -typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; -typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; -typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t }; -typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; -ubac_constrained(user_mail_t) -ubac_constrained(user_mail_tmp_t) - -######################################## -# -# System mail local policy -# - -# newalias required this, not sure if it is needed in 'if' file -allow system_mail_t self:capability { dac_override fowner }; - -read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) - -dev_read_sysfs(system_mail_t) -dev_read_rand(system_mail_t) -dev_read_urand(system_mail_t) - -files_read_usr_files(system_mail_t) - -fs_rw_anon_inodefs_files(system_mail_t) - -selinux_getattr_fs(system_mail_t) - -term_dontaudit_use_unallocated_ttys(system_mail_t) - -init_use_script_ptys(system_mail_t) - -userdom_use_user_terminals(system_mail_t) -userdom_dontaudit_search_user_home_dirs(system_mail_t) -userdom_dontaudit_list_admin_dir(system_mail_t) - -logging_append_all_logs(system_mail_t) - -optional_policy(` - apache_read_squirrelmail_data(system_mail_t) - apache_append_squirrelmail_data(system_mail_t) - - # apache should set close-on-exec - apache_dontaudit_append_log(system_mail_t) - apache_dontaudit_rw_stream_sockets(system_mail_t) - apache_dontaudit_rw_tcp_sockets(system_mail_t) - apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) - apache_dontaudit_write_tmp_files(system_mail_t) - - # apache should set close-on-exec - apache_dontaudit_rw_stream_sockets(mta_user_agent) - apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent) - apache_append_log(mta_user_agent) -') - -optional_policy(` - arpwatch_manage_tmp_files(system_mail_t) - - ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(system_mail_t) - ') -') - -optional_policy(` - bugzilla_search_dirs(system_mail_t) - bugzilla_dontaudit_rw_script_stream_sockets(system_mail_t) -') - -optional_policy(` - clamav_stream_connect(system_mail_t) - clamav_append_log(system_mail_t) -') - -optional_policy(` - cron_read_system_job_tmp_files(system_mail_t) - cron_dontaudit_write_pipes(system_mail_t) - cron_rw_system_job_stream_sockets(system_mail_t) - cron_rw_inherited_spool_files(system_mail_t) - cron_rw_inherited_user_spool_files(system_mail_t) -') - -optional_policy(` - courier_manage_spool_dirs(system_mail_t) - courier_manage_spool_files(system_mail_t) - courier_rw_spool_pipes(system_mail_t) -') - -optional_policy(` - cvs_read_data(system_mail_t) -') - -optional_policy(` - fail2ban_append_log(system_mail_t) - fail2ban_dontaudit_leaks(system_mail_t) -') - -optional_policy(` - logrotate_read_tmp_files(system_mail_t) -') - -optional_policy(` - logwatch_read_tmp_files(system_mail_t) -') - -optional_policy(` - # newaliases runs as system_mail_t when the sendmail initscript does a restart - milter_getattr_all_sockets(system_mail_t) -') - -optional_policy(` - munin_dontaudit_leaks(system_mail_t) -') - -optional_policy(` - nagios_read_tmp_files(system_mail_t) -') - -optional_policy(` - manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) - - domain_use_interactive_fds(system_mail_t) -') - -optional_policy(` - qmail_domtrans_inject(system_mail_t) -') - -optional_policy(` - sxid_read_log(system_mail_t) -') - -optional_policy(` - userdom_dontaudit_use_user_ptys(system_mail_t) - - optional_policy(` - cron_dontaudit_append_system_job_tmp_files(system_mail_t) - ') -') - -optional_policy(` - spamd_stream_connect(system_mail_t) -') - -optional_policy(` - smartmon_read_tmp_files(system_mail_t) -') - -# should break this up among sections: - -optional_policy(` - # why is mail delivered to a directory of type arpwatch_data_t? - arpwatch_search_data(mailserver_delivery) - arpwatch_manage_tmp_files(mta_user_agent) - - ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) - ') - - optional_policy(` - cron_read_system_job_tmp_files(mta_user_agent) - ') -') - -######################################## -# -# Mailserver delivery local policy -# - -allow mailserver_delivery mail_spool_t:dir list_dir_perms; -create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) - -userdom_search_admin_dir(mailserver_delivery) -read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t) - -read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mailserver_delivery) - fs_manage_cifs_files(mailserver_delivery) - fs_manage_cifs_symlinks(mailserver_delivery) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mailserver_delivery) - fs_manage_nfs_files(mailserver_delivery) - fs_manage_nfs_symlinks(mailserver_delivery) -') - -optional_policy(` - dovecot_manage_spool(mailserver_delivery) - dovecot_domtrans_deliver(mailserver_delivery) -') - -optional_policy(` - # so MTA can access /var/lib/mailman/mail/wrapper - files_search_var_lib(mailserver_delivery) - - mailman_domtrans(mailserver_delivery) - mailman_read_data_symlinks(mailserver_delivery) -') - -optional_policy(` - uucp_domtrans_uux(mailserver_delivery) -') - -######################################## -# -# User send mail local policy -# - - -domain_use_interactive_fds(user_mail_t) - -userdom_use_user_terminals(user_mail_t) -# Write to the user domain tty. cjp: why? -userdom_use_user_terminals(mta_user_agent) -# Create dead.letter in user home directories. -userdom_manage_user_home_content_files(user_mail_t) -userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -# for reading .forward - maybe we need a new type for it? -# also for delivering mail to maildir -userdom_manage_user_home_content_dirs(mailserver_delivery) -userdom_manage_user_home_content_files(mailserver_delivery) -userdom_manage_user_home_content_symlinks(mailserver_delivery) -userdom_manage_user_home_content_pipes(mailserver_delivery) -userdom_manage_user_home_content_sockets(mailserver_delivery) -userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) -# Read user temporary files. -userdom_read_user_tmp_files(user_mail_t) -userdom_dontaudit_append_user_tmp_files(user_mail_t) -# cjp: this should probably be read all user tmp -# files in an appropriate place for mta_user_agent -userdom_read_user_tmp_files(mta_user_agent) - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(user_mail_t) - fs_manage_cifs_symlinks(user_mail_t) -') - -optional_policy(` - allow user_mail_t self:capability dac_override; - - # Read user temporary files. - # postfix seems to need write access if the file handle is opened read/write - userdom_rw_user_tmp_files(user_mail_t) - - postfix_read_config(user_mail_t) - postfix_list_spool(user_mail_t) -') - -######################################## -# -# Comman user_mail_domain policy -# - -allow user_mail_domain self:fifo_file rw_fifo_file_perms; -allow user_mail_domain mta_exec_type:file entrypoint; - -read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t) - -can_exec(user_mail_domain, mta_exec_type) - -allow system_mail_t user_mail_domain:file read_file_perms; - -read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t) - -kernel_read_system_state(user_mail_domain) -kernel_read_network_state(user_mail_domain) -kernel_request_load_module(user_mail_domain) - -optional_policy(` - # postfix needs this for newaliases - files_getattr_tmp_dirs(user_mail_domain) - - postfix_exec_master(user_mail_domain) - postfix_read_config(user_mail_domain) - postfix_search_spool(user_mail_domain) - - ifdef(`distro_redhat',` - # compatability for old default main.cf - postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) - ') -') - -optional_policy(` - exim_domtrans(user_mail_domain) - exim_manage_log(user_mail_domain) -') diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc deleted file mode 100644 index bad9920..0000000 --- a/policy/modules/services/munin.fc +++ /dev/null @@ -1,70 +0,0 @@ -/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) -/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) - -/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) -/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) -/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) -/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) - -# disk plugins -/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) - -# mail plugins -/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) - -# services plugins -/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) - -# system plugins -/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) - -/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) -/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) -/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) -/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) -/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if deleted file mode 100644 index 92c9dca..0000000 --- a/policy/modules/services/munin.if +++ /dev/null @@ -1,210 +0,0 @@ -## Munin network-wide load graphing (formerly LRRD) - -######################################## -## -## Create a set of derived types for various -## munin plugins, -## -## -## -## The name to be used for deriving type names. -## -## -# -template(`munin_plugin_template',` - gen_require(` - type munin_t; - attribute munin_plugin_domain; - ') - - type $1_munin_plugin_t, munin_plugin_domain; - type $1_munin_plugin_exec_t; - typealias $1_munin_plugin_t alias munin_$1_plugin_t; - typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t; - application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t) - role system_r types $1_munin_plugin_t; - - type $1_munin_plugin_tmp_t; - typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t; - files_tmp_file($1_munin_plugin_tmp_t) - - allow $1_munin_plugin_t self:fifo_file rw_fifo_file_perms; - - manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) - manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) - files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) - - # automatic transition rules from munin domain - # to specific munin plugin domain - domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) - allow munin_t $1_munin_plugin_t:process signal; -') - -######################################## -## -## Connect to munin over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`munin_stream_connect',` - gen_require(` - type munin_var_run_t, munin_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t) -') - -####################################### -## -## Read munin configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`munin_read_config',` - gen_require(` - type munin_etc_t; - ') - - allow $1 munin_etc_t:dir list_dir_perms; - allow $1 munin_etc_t:file read_file_perms; - allow $1 munin_etc_t:lnk_file read_lnk_file_perms; - files_search_etc($1) -') - -###################################### -## -## dontaudit read and write an leaked file descriptors -## -## -## -## Domain to not audit. -## -## -# -interface(`munin_dontaudit_leaks',` - gen_require(` - type munin_t; - ') - - dontaudit $1 munin_t:tcp_socket { read write }; -') - -####################################### -## -## Append to the munin log. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`munin_append_log',` - gen_require(` - type munin_log_t; - ') - - logging_search_logs($1) - allow $1 munin_log_t:dir list_dir_perms; - append_files_pattern($1, munin_log_t, munin_log_t) -') - -####################################### -## -## Search munin library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`munin_search_lib',` - gen_require(` - type munin_var_lib_t; - ') - - allow $1 munin_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -####################################### -## -## Do not audit attempts to search -## munin library directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`munin_dontaudit_search_lib',` - gen_require(` - type munin_var_lib_t; - ') - - dontaudit $1 munin_var_lib_t:dir search_dir_perms; -') - -######################################## -## -## All of the rules required to administrate -## an munin environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the munin domain. -## -## -## -# -interface(`munin_admin',` - gen_require(` - type munin_t, munin_etc_t, munin_tmp_t; - type munin_log_t, munin_var_lib_t, munin_var_run_t; - type httpd_munin_content_t, munin_initrc_exec_t; - ') - - allow $1 munin_t:process { ptrace signal_perms }; - ps_process_pattern($1, munin_t) - - init_labeled_script_domtrans($1, munin_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 munin_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, munin_tmp_t) - - logging_list_logs($1) - admin_pattern($1, munin_log_t) - - files_list_etc($1) - admin_pattern($1, munin_etc_t) - - files_list_var_lib($1) - admin_pattern($1, munin_var_lib_t) - - files_list_pids($1) - admin_pattern($1, munin_var_run_t) - - admin_pattern($1, httpd_munin_content_t) -') diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te deleted file mode 100644 index 6f8b0fd..0000000 --- a/policy/modules/services/munin.te +++ /dev/null @@ -1,345 +0,0 @@ -policy_module(munin, 1.8.0) - -######################################## -# -# Declarations -# - -attribute munin_plugin_domain; - -type munin_t alias lrrd_t; -type munin_exec_t alias lrrd_exec_t; -init_daemon_domain(munin_t, munin_exec_t) - -type munin_etc_t alias lrrd_etc_t; -files_config_file(munin_etc_t) - -type munin_initrc_exec_t; -init_script_file(munin_initrc_exec_t) - -type munin_log_t alias lrrd_log_t; -logging_log_file(munin_log_t) - -type munin_tmp_t alias lrrd_tmp_t; -files_tmp_file(munin_tmp_t) - -type munin_var_lib_t alias lrrd_var_lib_t; -files_type(munin_var_lib_t) - -type munin_plugin_state_t; -files_type(munin_plugin_state_t) - -type munin_var_run_t alias lrrd_var_run_t; -files_pid_file(munin_var_run_t) - -munin_plugin_template(disk) - -munin_plugin_template(mail) - -munin_plugin_template(services) - -munin_plugin_template(system) - -######################################## -# -# Local policy -# - -allow munin_t self:capability { chown dac_override setgid setuid sys_rawio }; -dontaudit munin_t self:capability sys_tty_config; -allow munin_t self:process { getsched setsched signal_perms }; -allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; -allow munin_t self:tcp_socket create_stream_socket_perms; -allow munin_t self:udp_socket create_socket_perms; -allow munin_t self:fifo_file manage_fifo_file_perms; - -allow munin_t munin_etc_t:dir list_dir_perms; -read_files_pattern(munin_t, munin_etc_t, munin_etc_t) -read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) -files_search_etc(munin_t) - -can_exec(munin_t, munin_exec_t) - -manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) -manage_files_pattern(munin_t, munin_log_t, munin_log_t) -logging_log_filetrans(munin_t, munin_log_t, { file dir }) - -manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) -manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) -manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) -files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file }) - -# Allow access to the munin databases -manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -files_search_var_lib(munin_t) - -manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) -manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -files_pid_filetrans(munin_t, munin_var_run_t, { file dir }) - -read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) - -kernel_read_system_state(munin_t) -kernel_read_network_state(munin_t) -kernel_read_all_sysctls(munin_t) - -corecmd_exec_bin(munin_t) -corecmd_exec_shell(munin_t) - -corenet_all_recvfrom_unlabeled(munin_t) -corenet_all_recvfrom_netlabel(munin_t) -corenet_tcp_sendrecv_generic_if(munin_t) -corenet_udp_sendrecv_generic_if(munin_t) -corenet_tcp_sendrecv_generic_node(munin_t) -corenet_udp_sendrecv_generic_node(munin_t) -corenet_tcp_sendrecv_all_ports(munin_t) -corenet_udp_sendrecv_all_ports(munin_t) -corenet_tcp_bind_generic_node(munin_t) -corenet_tcp_bind_munin_port(munin_t) -corenet_tcp_connect_munin_port(munin_t) -corenet_tcp_connect_http_port(munin_t) - -dev_read_sysfs(munin_t) -dev_read_urand(munin_t) - -domain_use_interactive_fds(munin_t) -domain_read_all_domains_state(munin_t) - -files_read_etc_files(munin_t) -files_read_etc_runtime_files(munin_t) -files_read_usr_files(munin_t) -files_list_spool(munin_t) - -fs_getattr_all_fs(munin_t) -fs_search_auto_mountpoints(munin_t) - -auth_use_nsswitch(munin_t) - -logging_send_syslog_msg(munin_t) -logging_read_all_logs(munin_t) - -miscfiles_read_fonts(munin_t) -miscfiles_read_localization(munin_t) -miscfiles_setattr_fonts_cache_dirs(munin_t) - -sysnet_exec_ifconfig(munin_t) - -userdom_dontaudit_use_unpriv_user_fds(munin_t) -userdom_dontaudit_search_user_home_dirs(munin_t) - -optional_policy(` - apache_content_template(munin) - - manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - apache_search_sys_content(munin_t) -') - -optional_policy(` - cron_system_entry(munin_t, munin_exec_t) -') - -optional_policy(` - fstools_domtrans(munin_t) -') - -optional_policy(` - lpd_domtrans_lpr(munin_t) -') - -optional_policy(` - mta_read_config(munin_t) - mta_send_mail(munin_t) - mta_list_queue(munin_t) - mta_read_queue(munin_t) -') - -optional_policy(` - mysql_read_config(munin_t) - mysql_stream_connect(munin_t) -') - -optional_policy(` - netutils_domtrans_ping(munin_t) -') - -optional_policy(` - postfix_list_spool(munin_t) - postfix_getattr_spool_files(munin_t) -') - -optional_policy(` - rpc_search_nfs_state_data(munin_t) -') - -optional_policy(` - sendmail_read_log(munin_t) -') - -optional_policy(` - seutil_sigchld_newrole(munin_t) -') - -optional_policy(` - udev_read_db(munin_t) -') - -################################### -# -# local policy for disk plugins -# - -allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; -allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; - -rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - -corecmd_exec_shell(disk_munin_plugin_t) - -corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) - -files_read_etc_runtime_files(disk_munin_plugin_t) - -dev_getattr_lvm_control(disk_munin_plugin_t) -dev_read_sysfs(disk_munin_plugin_t) -dev_read_urand(disk_munin_plugin_t) - -storage_raw_read_fixed_disk(disk_munin_plugin_t) - -sysnet_read_config(disk_munin_plugin_t) - -optional_policy(` - hddtemp_exec(disk_munin_plugin_t) -') - -optional_policy(` - fstools_exec(disk_munin_plugin_t) -') - -#################################### -# -# local policy for mail plugins -# - -allow mail_munin_plugin_t self:capability dac_override; - -rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - -dev_read_urand(mail_munin_plugin_t) - -logging_read_generic_logs(mail_munin_plugin_t) - -mta_read_config(mail_munin_plugin_t) -mta_send_mail(mail_munin_plugin_t) -mta_list_queue(mail_munin_plugin_t) -mta_read_queue(mail_munin_plugin_t) - -optional_policy(` - postfix_read_config(mail_munin_plugin_t) - postfix_list_spool(mail_munin_plugin_t) - postfix_getattr_spool_files(mail_munin_plugin_t) -') - -optional_policy(` - sendmail_read_log(mail_munin_plugin_t) -') - -################################### -# -# local policy for service plugins -# - -allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; -allow services_munin_plugin_t self:udp_socket create_socket_perms; -allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; - -corenet_tcp_connect_all_ports(services_munin_plugin_t) -corenet_tcp_connect_http_port(services_munin_plugin_t) - -dev_read_urand(services_munin_plugin_t) -dev_read_rand(services_munin_plugin_t) - -sysnet_read_config(services_munin_plugin_t) - -optional_policy(` - cups_stream_connect(services_munin_plugin_t) -') - -optional_policy(` - lpd_exec_lpr(services_munin_plugin_t) -') - -optional_policy(` - mysql_read_config(services_munin_plugin_t) - mysql_stream_connect(services_munin_plugin_t) -') - -optional_policy(` - netutils_domtrans_ping(services_munin_plugin_t) -') - -optional_policy(` - postgresql_stream_connect(services_munin_plugin_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(services_munin_plugin_t) -') - -optional_policy(` - varnishd_read_lib_files(services_munin_plugin_t) -') - -################################## -# -# local policy for system plugins -# - -allow system_munin_plugin_t self:udp_socket create_socket_perms; - -rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - -kernel_read_network_state(system_munin_plugin_t) -kernel_read_all_sysctls(system_munin_plugin_t) - -dev_read_sysfs(system_munin_plugin_t) -dev_read_urand(system_munin_plugin_t) - -domain_read_all_domains_state(system_munin_plugin_t) - -# needed by users plugin -init_read_utmp(system_munin_plugin_t) - -sysnet_exec_ifconfig(system_munin_plugin_t) - -term_getattr_unallocated_ttys(system_munin_plugin_t) -term_getattr_all_ptys(system_munin_plugin_t) - -################################ -# -# local policy for munin plugin domains -# - -allow munin_plugin_domain munin_exec_t:file read_file_perms; -allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; - -# creates plugin state files -manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) - -read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) - -kernel_read_system_state(munin_plugin_domain) - -corecmd_exec_bin(munin_plugin_domain) -corecmd_exec_shell(munin_plugin_domain) - -files_read_etc_files(munin_plugin_domain) -files_read_usr_files(munin_plugin_domain) - -fs_getattr_all_fs(munin_plugin_domain) - -miscfiles_read_localization(munin_plugin_domain) diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc deleted file mode 100644 index cc7192c..0000000 --- a/policy/modules/services/mysql.fc +++ /dev/null @@ -1,30 +0,0 @@ -# mysql database server - -# -# /etc -# -/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) -/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) -/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) - -/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) - -/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) -/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) - -# -# /var -# -/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) -/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) - -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) - -/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) -/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if deleted file mode 100644 index 4d3b208..0000000 --- a/policy/modules/services/mysql.if +++ /dev/null @@ -1,359 +0,0 @@ -## Policy for MySQL - -###################################### -## -## Execute MySQL in the mysql domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mysql_domtrans',` - gen_require(` - type mysqld_t, mysqld_exec_t; - ') - - domtrans_pattern($1, mysqld_exec_t, mysqld_t) -') - -######################################## -## -## Send a generic signal to MySQL. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_signal',` - gen_require(` - type mysqld_t; - ') - - allow $1 mysqld_t:process signal; -') - -######################################## -## -## Allow the specified domain to connect to postgresql with a tcp socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_tcp_connect',` - gen_require(` - type mysqld_t; - ') - - corenet_tcp_recvfrom_labeled($1, mysqld_t) - corenet_tcp_sendrecv_mysqld_port($1) - corenet_tcp_connect_mysqld_port($1) - corenet_sendrecv_mysqld_client_packets($1) -') - -######################################## -## -## Connect to MySQL using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mysql_stream_connect',` - gen_require(` - type mysqld_t, mysqld_var_run_t, mysqld_db_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) - stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) -') - -######################################## -## -## Read MySQL configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mysql_read_config',` - gen_require(` - type mysqld_etc_t; - ') - - allow $1 mysqld_etc_t:dir list_dir_perms; - allow $1 mysqld_etc_t:file read_file_perms; - allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Search the directories that contain MySQL -## database storage. -## -## -## -## Domain allowed access. -## -## -# -# cjp: "_dir" in the name is added to clarify that this -# is not searching the database itself. -interface(`mysql_search_db',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir search_dir_perms; -') - -######################################## -## -## Read and write to the MySQL database directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_rw_db_dirs',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir rw_dir_perms; -') - -######################################## -## -## Create, read, write, and delete MySQL database directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_manage_db_dirs',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir manage_dir_perms; -') - -####################################### -## -## Append to the MySQL database directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_append_db_files',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - append_files_pattern($1, mysqld_db_t, mysqld_db_t) -') - -####################################### -## -## Read and write to the MySQL database directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_rw_db_files',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, mysqld_db_t, mysqld_db_t) -') - -####################################### -## -## Create, read, write, and delete MySQL database files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_manage_db_files',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, mysqld_db_t, mysqld_db_t) -') - -######################################## -## -## Read and write to the MySQL database -## named socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_rw_db_sockets',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir search_dir_perms; - allow $1 mysqld_db_t:sock_file rw_sock_file_perms; -') - -######################################## -## -## Write to the MySQL log. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_write_log',` - gen_require(` - type mysqld_log_t; - ') - - logging_search_logs($1) - allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms }; -') - -###################################### -## -## Execute MySQL server in the mysql domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mysql_domtrans_mysql_safe',` - gen_require(` - type mysqld_safe_t, mysqld_safe_exec_t; - ') - - domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) -') - -##################################### -## -## Read MySQL PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_read_pid_files',` - gen_require(` - type mysqld_var_run_t; - ') - - mysql_search_pid_files($1) - read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) -') - -##################################### -## -## Search MySQL PID files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mysql_search_pid_files',` - gen_require(` - type mysqld_var_run_t; - ') - - search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) -') - -######################################## -## -## All of the rules required to administrate an mysql environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the mysql domain. -## -## -## -# -interface(`mysql_admin',` - gen_require(` - type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t; - type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; - type mysqld_etc_t; - ') - - allow $1 mysqld_t:process { ptrace signal_perms }; - ps_process_pattern($1, mysqld_t) - - init_labeled_script_domtrans($1, mysqld_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mysqld_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, mysqld_var_run_t) - - admin_pattern($1, mysqld_db_t) - - files_list_etc($1) - admin_pattern($1, mysqld_etc_t) - - logging_list_logs($1) - admin_pattern($1, mysqld_log_t) - - files_list_tmp($1) - admin_pattern($1, mysqld_tmp_t) -') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te deleted file mode 100644 index 086df22..0000000 --- a/policy/modules/services/mysql.te +++ /dev/null @@ -1,242 +0,0 @@ -policy_module(mysql, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow mysqld to connect to all ports -##

-##
-gen_tunable(mysql_connect_any, false) - -type mysqld_t; -type mysqld_exec_t; -init_daemon_domain(mysqld_t, mysqld_exec_t) - -type mysqld_safe_t; -type mysqld_safe_exec_t; -init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) - -type mysqld_var_run_t; -files_pid_file(mysqld_var_run_t) - -type mysqld_db_t; -files_type(mysqld_db_t) - -type mysqld_etc_t alias etc_mysqld_t; -files_config_file(mysqld_etc_t) - -type mysqld_initrc_exec_t; -init_script_file(mysqld_initrc_exec_t) - -type mysqld_log_t; -logging_log_file(mysqld_log_t) - -type mysqld_tmp_t; -files_tmp_file(mysqld_tmp_t) - -type mysqlmanagerd_t; -type mysqlmanagerd_exec_t; -init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t) - -type mysqlmanagerd_initrc_exec_t; -init_script_file(mysqlmanagerd_initrc_exec_t) - -type mysqlmanagerd_var_run_t; -files_pid_file(mysqlmanagerd_var_run_t) - -######################################## -# -# Local policy -# - -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service }; -dontaudit mysqld_t self:capability sys_tty_config; -allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; -allow mysqld_t self:fifo_file rw_fifo_file_perms; -allow mysqld_t self:shm create_shm_perms; -allow mysqld_t self:unix_stream_socket create_stream_socket_perms; -allow mysqld_t self:tcp_socket create_stream_socket_perms; -allow mysqld_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) - -allow mysqld_t mysqld_etc_t:file read_file_perms; -allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; -allow mysqld_t mysqld_etc_t:dir list_dir_perms; - -allow mysqld_t mysqld_log_t:file manage_file_perms; -logging_log_filetrans(mysqld_t, mysqld_log_t, file) - -manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) - -manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) - -kernel_read_system_state(mysqld_t) -kernel_read_kernel_sysctls(mysqld_t) - -corenet_all_recvfrom_unlabeled(mysqld_t) -corenet_all_recvfrom_netlabel(mysqld_t) -corenet_tcp_sendrecv_generic_if(mysqld_t) -corenet_udp_sendrecv_generic_if(mysqld_t) -corenet_tcp_sendrecv_generic_node(mysqld_t) -corenet_udp_sendrecv_generic_node(mysqld_t) -corenet_tcp_sendrecv_all_ports(mysqld_t) -corenet_udp_sendrecv_all_ports(mysqld_t) -corenet_tcp_bind_generic_node(mysqld_t) -corenet_tcp_bind_mysqld_port(mysqld_t) -corenet_tcp_connect_mysqld_port(mysqld_t) -corenet_sendrecv_mysqld_client_packets(mysqld_t) -corenet_sendrecv_mysqld_server_packets(mysqld_t) - -dev_read_sysfs(mysqld_t) -dev_read_urand(mysqld_t) - -fs_getattr_all_fs(mysqld_t) -fs_search_auto_mountpoints(mysqld_t) -fs_rw_hugetlbfs_files(mysqld_t) - -domain_use_interactive_fds(mysqld_t) - -files_getattr_var_lib_dirs(mysqld_t) -files_read_etc_runtime_files(mysqld_t) -files_read_etc_files(mysqld_t) -files_read_usr_files(mysqld_t) -files_search_var_lib(mysqld_t) - -auth_use_nsswitch(mysqld_t) - -logging_send_syslog_msg(mysqld_t) - -miscfiles_read_localization(mysqld_t) - -sysnet_read_config(mysqld_t) - -userdom_dontaudit_use_unpriv_user_fds(mysqld_t) -# for /root/.my.cnf - should not be needed: -userdom_read_user_home_content_files(mysqld_t) - -ifdef(`distro_redhat',` - filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) -') - -tunable_policy(`mysql_connect_any',` - corenet_tcp_connect_all_ports(mysqld_t) - corenet_sendrecv_all_client_packets(mysqld_t) -') - -optional_policy(` - daemontools_service_domain(mysqld_t, mysqld_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(mysqld_t) -') - -optional_policy(` - udev_read_db(mysqld_t) -') - -####################################### -# -# Local mysqld_safe policy -# - -allow mysqld_safe_t self:capability { chown dac_override fowner kill }; -dontaudit mysqld_safe_t self:capability sys_ptrace; -allow mysqld_safe_t self:process { setsched getsched setrlimit }; -allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; - -read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) - -domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) - -allow mysqld_safe_t mysqld_log_t:file manage_file_perms; - -manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) -delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) - -kernel_read_system_state(mysqld_safe_t) -kernel_read_kernel_sysctls(mysqld_safe_t) - -corecmd_exec_bin(mysqld_safe_t) - -dev_list_sysfs(mysqld_safe_t) - -domain_read_all_domains_state(mysqld_safe_t) - -files_dontaudit_search_all_mountpoints(mysqld_safe_t) -files_read_etc_files(mysqld_safe_t) -files_read_usr_files(mysqld_safe_t) -files_dontaudit_getattr_all_dirs(mysqld_safe_t) - -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) - -hostname_exec(mysqld_safe_t) - -miscfiles_read_localization(mysqld_safe_t) - -mysql_manage_db_files(mysqld_safe_t) -mysql_read_config(mysqld_safe_t) -mysql_search_pid_files(mysqld_safe_t) -mysql_write_log(mysqld_safe_t) - -######################################## -# -# MySQL Manager Policy -# - -allow mysqlmanagerd_t self:capability { dac_override kill }; -allow mysqlmanagerd_t self:process signal; -allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; -allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; -allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; - -mysql_read_config(initrc_t) -mysql_read_config(mysqlmanagerd_t) -mysql_read_pid_files(mysqlmanagerd_t) -mysql_search_db(mysqlmanagerd_t) -mysql_signal(mysqlmanagerd_t) -mysql_stream_connect(mysqlmanagerd_t) - -domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) - -manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) -manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) -filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) - -kernel_read_system_state(mysqlmanagerd_t) - -corecmd_exec_shell(mysqlmanagerd_t) - -corenet_all_recvfrom_unlabeled(mysqlmanagerd_t) -corenet_all_recvfrom_netlabel(mysqlmanagerd_t) -corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) -corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t) -corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t) -corenet_tcp_bind_generic_node(mysqlmanagerd_t) -corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t) -corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t) -corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) -corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) - -dev_read_urand(mysqlmanagerd_t) - -files_read_etc_files(mysqlmanagerd_t) -files_read_usr_files(mysqlmanagerd_t) - -miscfiles_read_localization(mysqlmanagerd_t) - -userdom_getattr_user_home_dirs(mysqlmanagerd_t) diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc deleted file mode 100644 index 1fc9905..0000000 --- a/policy/modules/services/nagios.fc +++ /dev/null @@ -1,88 +0,0 @@ -/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) -/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) -/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - -/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - -/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - -/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) - -/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) - -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) - -ifdef(`distro_debian',` -/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -') -/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - -# admin plugins -/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) - -# check disk plugins -/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) - -# mail plugins -/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) - -# system plugins -/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - -# services plugins -/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - -# unconfined plugins -/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if deleted file mode 100644 index 89e1edf..0000000 --- a/policy/modules/services/nagios.if +++ /dev/null @@ -1,245 +0,0 @@ -## Net Saint / NAGIOS - network monitoring server - -######################################## -## -## Create a set of derived types for various -## nagios plugins, -## -## -## -## The name to be used for deriving type names. -## -## -# -template(`nagios_plugin_template',` - gen_require(` - type nagios_t, nrpe_t, nagios_log_t; - ') - - type nagios_$1_plugin_t; - type nagios_$1_plugin_exec_t; - application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) - role system_r types nagios_$1_plugin_t; - - allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; - - domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) - allow nrpe_t nagios_$1_plugin_t:process { signal sigkill }; - - # needed by command.cfg - domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) - - allow nagios_t nagios_$1_plugin_t:process signal_perms; - - # cjp: leaked file descriptor - dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; - dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; - - miscfiles_read_localization(nagios_$1_plugin_t) -') - -######################################## -## -## Do not audit attempts to read or write nagios -## unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`nagios_dontaudit_rw_pipes',` - gen_require(` - type nagios_t; - ') - - dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Allow the specified domain to read -## nagios configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`nagios_read_config',` - gen_require(` - type nagios_etc_t; - ') - - allow $1 nagios_etc_t:dir list_dir_perms; - allow $1 nagios_etc_t:file read_file_perms; - files_search_etc($1) -') - -###################################### -## -## Read nagios logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`nagios_read_log',` - gen_require(` - type nagios_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, nagios_log_t, nagios_log_t) -') - -######################################## -## -## Do not audit attempts to read or write nagios logs. -## -## -## -## Domain to not audit. -## -## -# -interface(`nagios_dontaudit_rw_log',` - gen_require(` - type nagios_log_t; - ') - - dontaudit $1 nagios_log_t:file rw_file_perms; -') - -######################################## -## -## Search nagios spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`nagios_search_spool',` - gen_require(` - type nagios_spool_t; - ') - - allow $1 nagios_spool_t:dir search_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Allow the specified domain to read -## nagios temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nagios_read_tmp_files',` - gen_require(` - type nagios_tmp_t; - ') - - allow $1 nagios_tmp_t:file read_file_perms; - files_search_tmp($1) -') - -######################################## -## -## Allow the specified domain to read -## nagios temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nagios_rw_inerited_tmp_files',` - gen_require(` - type nagios_tmp_t; - ') - - allow $1 nagios_tmp_t:file rw_inherited_file_perms; - files_search_tmp($1) -') - -######################################## -## -## Execute the nagios NRPE with -## a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nagios_domtrans_nrpe',` - gen_require(` - type nrpe_t, nrpe_exec_t; - ') - - domtrans_pattern($1, nrpe_exec_t, nrpe_t) -') - -######################################## -## -## All of the rules required to administrate -## an nagios environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the nagios domain. -## -## -## -# -interface(`nagios_admin',` - gen_require(` - type nagios_t, nrpe_t, nagios_initrc_exec_t; - type nagios_tmp_t, nagios_log_t, nagios_var_run_t; - type nagios_etc_t, nrpe_etc_t, nagios_spool_t; - ') - - allow $1 nagios_t:process { ptrace signal_perms }; - ps_process_pattern($1, nagios_t) - - init_labeled_script_domtrans($1, nagios_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nagios_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, nagios_tmp_t) - - logging_list_logs($1) - admin_pattern($1, nagios_log_t) - - files_list_etc($1) - admin_pattern($1, nagios_etc_t) - - files_list_spool($1) - admin_pattern($1, nagios_spool_t) - - files_list_pids($1) - admin_pattern($1, nagios_var_run_t) - - admin_pattern($1, nrpe_etc_t) -') diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te deleted file mode 100644 index 3b620e3..0000000 --- a/policy/modules/services/nagios.te +++ /dev/null @@ -1,390 +0,0 @@ -policy_module(nagios, 1.9.1) - -######################################## -# -# Declarations -# - -type nagios_t; -type nagios_exec_t; -init_daemon_domain(nagios_t, nagios_exec_t) - -type nagios_etc_t; -files_config_file(nagios_etc_t) - -type nagios_initrc_exec_t; -init_script_file(nagios_initrc_exec_t) - -type nagios_log_t; -logging_log_file(nagios_log_t) - -type nagios_tmp_t; -files_tmp_file(nagios_tmp_t) - -type nagios_var_run_t; -files_pid_file(nagios_var_run_t) - -type nagios_spool_t; -files_type(nagios_spool_t) - -nagios_plugin_template(admin) -nagios_plugin_template(checkdisk) -nagios_plugin_template(mail) -nagios_plugin_template(services) -nagios_plugin_template(system) -nagios_plugin_template(unconfined) - -type nagios_system_plugin_tmp_t; -files_tmp_file(nagios_system_plugin_tmp_t) - -type nrpe_t; -type nrpe_exec_t; -init_daemon_domain(nrpe_t, nrpe_exec_t) - -type nrpe_etc_t; -files_config_file(nrpe_etc_t) - -type nrpe_var_run_t; -files_pid_file(nrpe_var_run_t) - -######################################## -# -# Nagios local policy -# - -allow nagios_t self:capability { dac_override setgid setuid }; -dontaudit nagios_t self:capability sys_tty_config; -allow nagios_t self:process { setpgid signal_perms }; -allow nagios_t self:fifo_file rw_file_perms; -allow nagios_t self:tcp_socket create_stream_socket_perms; -allow nagios_t self:udp_socket create_socket_perms; - -read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) -allow nagios_t nagios_etc_t:dir list_dir_perms; - -manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -logging_log_filetrans(nagios_t, nagios_log_t, { file dir }) - -manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir }) - -manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) -files_pid_filetrans(nagios_t, nagios_var_run_t, file) - -manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) - -kernel_read_system_state(nagios_t) -kernel_read_kernel_sysctls(nagios_t) - -corecmd_exec_bin(nagios_t) -corecmd_exec_shell(nagios_t) - -corenet_all_recvfrom_unlabeled(nagios_t) -corenet_all_recvfrom_netlabel(nagios_t) -corenet_tcp_sendrecv_generic_if(nagios_t) -corenet_udp_sendrecv_generic_if(nagios_t) -corenet_tcp_sendrecv_generic_node(nagios_t) -corenet_udp_sendrecv_generic_node(nagios_t) -corenet_tcp_sendrecv_all_ports(nagios_t) -corenet_udp_sendrecv_all_ports(nagios_t) -corenet_tcp_connect_all_ports(nagios_t) - -corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t) -corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) - -dev_read_sysfs(nagios_t) -dev_read_urand(nagios_t) - -domain_use_interactive_fds(nagios_t) -# for ps -domain_read_all_domains_state(nagios_t) - -files_read_etc_files(nagios_t) -files_read_etc_runtime_files(nagios_t) -files_read_kernel_symbol_table(nagios_t) -files_search_spool(nagios_t) -files_read_usr_files(nagios_t) - -fs_getattr_all_fs(nagios_t) -fs_search_auto_mountpoints(nagios_t) - -auth_use_nsswitch(nagios_t) - -logging_send_syslog_msg(nagios_t) - -miscfiles_read_localization(nagios_t) - -userdom_dontaudit_use_unpriv_user_fds(nagios_t) -userdom_dontaudit_search_user_home_dirs(nagios_t) - -mta_send_mail(nagios_t) -mta_signal_system_mail(nagios_t) -mta_kill_system_mail(nagios_t) - -optional_policy(` - netutils_kill_ping(nagios_t) -') - -optional_policy(` - seutil_sigchld_newrole(nagios_t) -') - -optional_policy(` - udev_read_db(nagios_t) -') - -######################################## -# -# Nagios CGI local policy -# - -optional_policy(` - apache_content_template(nagios) - typealias httpd_nagios_script_t alias nagios_cgi_t; - typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; - - allow httpd_nagios_script_t self:process signal_perms; - - read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - - files_search_spool(httpd_nagios_script_t) - rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) - - allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; - read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) - read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) - - allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; - read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) - read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) - - kernel_read_system_state(httpd_nagios_script_t) - - domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) - - files_read_etc_runtime_files(httpd_nagios_script_t) - files_read_kernel_symbol_table(httpd_nagios_script_t) - - logging_send_syslog_msg(httpd_nagios_script_t) -') - -######################################## -# -# Nagios remote plugin executor local policy -# - -allow nrpe_t self:capability { setuid setgid }; -dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; -allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; -allow nrpe_t self:fifo_file rw_fifo_file_perms; -allow nrpe_t self:tcp_socket create_stream_socket_perms; - -domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) - -read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) -files_search_etc(nrpe_t) - -manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t) -files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) - -kernel_read_system_state(nrpe_t) -kernel_read_kernel_sysctls(nrpe_t) - -corecmd_exec_bin(nrpe_t) -corecmd_exec_shell(nrpe_t) - -corenet_tcp_bind_generic_node(nrpe_t) -corenet_tcp_bind_inetd_child_port(nrpe_t) -corenet_sendrecv_unlabeled_packets(nrpe_t) - -dev_read_sysfs(nrpe_t) -dev_read_urand(nrpe_t) - -domain_use_interactive_fds(nrpe_t) -domain_read_all_domains_state(nrpe_t) - -files_read_etc_runtime_files(nrpe_t) -files_read_etc_files(nrpe_t) - -fs_getattr_all_fs(nrpe_t) -fs_search_auto_mountpoints(nrpe_t) - -auth_use_nsswitch(nrpe_t) - -logging_send_syslog_msg(nrpe_t) - -miscfiles_read_localization(nrpe_t) - -userdom_dontaudit_use_unpriv_user_fds(nrpe_t) - -optional_policy(` - inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) -') - -optional_policy(` - mta_send_mail(nrpe_t) -') - -optional_policy(` - seutil_sigchld_newrole(nrpe_t) -') - -optional_policy(` - tcpd_wrapped_domain(nrpe_t, nrpe_exec_t) -') - -optional_policy(` - udev_read_db(nrpe_t) -') - -##################################### -# -# local policy for admin check plugins -# - -corecmd_read_bin_files(nagios_admin_plugin_t) -corecmd_read_bin_symlinks(nagios_admin_plugin_t) - -dev_read_urand(nagios_admin_plugin_t) -dev_getattr_all_chr_files(nagios_admin_plugin_t) -dev_getattr_all_blk_files(nagios_admin_plugin_t) - -files_read_etc_files(nagios_admin_plugin_t) -# for check_file_age plugin -files_getattr_all_dirs(nagios_admin_plugin_t) -files_getattr_all_files(nagios_admin_plugin_t) -files_getattr_all_symlinks(nagios_admin_plugin_t) -files_getattr_all_pipes(nagios_admin_plugin_t) -files_getattr_all_sockets(nagios_admin_plugin_t) -files_getattr_all_file_type_fs(nagios_admin_plugin_t) - -###################################### -# -# local policy for mail check plugins -# - -allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; -allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; -allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; -allow nagios_mail_plugin_t self:udp_socket create_socket_perms; - -kernel_read_system_state(nagios_mail_plugin_t) -kernel_read_kernel_sysctls(nagios_mail_plugin_t) - -corecmd_read_bin_files(nagios_mail_plugin_t) -corecmd_read_bin_symlinks(nagios_mail_plugin_t) - -dev_read_urand(nagios_mail_plugin_t) - -files_read_etc_files(nagios_mail_plugin_t) - -logging_send_syslog_msg(nagios_mail_plugin_t) - -sysnet_read_config(nagios_mail_plugin_t) - -optional_policy(` - mta_send_mail(nagios_mail_plugin_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(nagios_mail_plugin_t) -') - -optional_policy(` - postfix_stream_connect_master(nagios_mail_plugin_t) - posftix_exec_postqueue(nagios_mail_plugin_t) -') - -###################################### -# -# local policy for disk check plugins -# - -# needed by ioctl() -allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; - -files_read_etc_runtime_files(nagios_checkdisk_plugin_t) - -fs_getattr_all_fs(nagios_checkdisk_plugin_t) - -storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) - -####################################### -# -# local policy for service check plugins -# - -allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; -allow nagios_services_plugin_t self:process { signal sigkill }; -allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; -allow nagios_services_plugin_t self:udp_socket create_socket_perms; - -corecmd_exec_bin(nagios_services_plugin_t) - -corenet_tcp_connect_all_ports(nagios_services_plugin_t) -corenet_udp_bind_dhcpc_port(nagios_services_plugin_t) - -auth_use_nsswitch(nagios_services_plugin_t) - -domain_read_all_domains_state(nagios_services_plugin_t) - -files_read_usr_files(nagios_services_plugin_t) - -optional_policy(` - netutils_domtrans_ping(nagios_services_plugin_t) - netutils_signal_ping(nagios_services_plugin_t) - netutils_kill_ping(nagios_services_plugin_t) -') - -optional_policy(` - mysql_stream_connect(nagios_services_plugin_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(nagios_services_plugin_t) -') - -###################################### -# -# local policy for system check plugins -# - -allow nagios_system_plugin_t self:capability dac_override; -dontaudit nagios_system_plugin_t self:capability { setuid setgid }; - -# check_log -manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) -manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) -files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) - -kernel_read_system_state(nagios_system_plugin_t) -kernel_read_kernel_sysctls(nagios_system_plugin_t) - -corecmd_exec_bin(nagios_system_plugin_t) -corecmd_exec_shell(nagios_system_plugin_t) - -dev_read_sysfs(nagios_system_plugin_t) -dev_read_urand(nagios_system_plugin_t) - -domain_read_all_domains_state(nagios_system_plugin_t) - -files_read_etc_files(nagios_system_plugin_t) - -# needed by check_users plugin -optional_policy(` - init_read_utmp(nagios_system_plugin_t) -') - -######################################## -# -# Unconfined plugin policy -# - -optional_policy(` - unconfined_domain(nagios_unconfined_plugin_t) -') diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc deleted file mode 100644 index 74da57f..0000000 --- a/policy/modules/services/nessus.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/etc/nessus/nessusd\.conf -- gen_context(system_u:object_r:nessusd_etc_t,s0) - -/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0) - -/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0) - -/var/lib/nessus(/.*)? gen_context(system_u:object_r:nessusd_db_t,s0) - -/var/log/nessus(/.*)? gen_context(system_u:object_r:nessusd_log_t,s0) diff --git a/policy/modules/services/nessus.if b/policy/modules/services/nessus.if deleted file mode 100644 index 6ec8003..0000000 --- a/policy/modules/services/nessus.if +++ /dev/null @@ -1,15 +0,0 @@ -## Nessus network scanning daemon - -######################################## -## -## Connect to nessus over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`nessus_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te deleted file mode 100644 index b16c387..0000000 --- a/policy/modules/services/nessus.te +++ /dev/null @@ -1,105 +0,0 @@ -policy_module(nessus, 1.7.0) - -######################################## -# -# Local policy -# - -type nessusd_t; -type nessusd_exec_t; -init_daemon_domain(nessusd_t, nessusd_exec_t) - -type nessusd_db_t; -files_type(nessusd_db_t) - -type nessusd_etc_t; -files_config_file(nessusd_etc_t) - -type nessusd_log_t; -logging_log_file(nessusd_log_t) - -type nessusd_var_run_t; -files_pid_file(nessusd_var_run_t) - -######################################## -# -# Declarations -# - -allow nessusd_t self:capability net_raw; -dontaudit nessusd_t self:capability sys_tty_config; -allow nessusd_t self:process { setsched signal_perms }; -allow nessusd_t self:fifo_file rw_fifo_file_perms; -allow nessusd_t self:tcp_socket create_stream_socket_perms; -allow nessusd_t self:udp_socket create_socket_perms; -allow nessusd_t self:rawip_socket create_socket_perms; -allow nessusd_t self:packet_socket create_socket_perms; - -# Allow access to the nessusd authentication database -manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) -manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) -manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) -files_list_var_lib(nessusd_t) - -allow nessusd_t nessusd_etc_t:file read_file_perms; -files_search_etc(nessusd_t) - -manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t) -logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir }) - -manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t) -files_pid_filetrans(nessusd_t, nessusd_var_run_t, file) - -kernel_read_system_state(nessusd_t) -kernel_read_kernel_sysctls(nessusd_t) - -# for nmap etc -corecmd_exec_bin(nessusd_t) - -corenet_all_recvfrom_unlabeled(nessusd_t) -corenet_all_recvfrom_netlabel(nessusd_t) -corenet_tcp_sendrecv_generic_if(nessusd_t) -corenet_udp_sendrecv_generic_if(nessusd_t) -corenet_raw_sendrecv_generic_if(nessusd_t) -corenet_tcp_sendrecv_generic_node(nessusd_t) -corenet_udp_sendrecv_generic_node(nessusd_t) -corenet_raw_sendrecv_generic_node(nessusd_t) -corenet_tcp_sendrecv_all_ports(nessusd_t) -corenet_udp_sendrecv_all_ports(nessusd_t) -corenet_tcp_bind_generic_node(nessusd_t) -corenet_tcp_bind_nessus_port(nessusd_t) -corenet_tcp_connect_all_ports(nessusd_t) -corenet_sendrecv_all_client_packets(nessusd_t) -corenet_sendrecv_nessus_server_packets(nessusd_t) - -dev_read_sysfs(nessusd_t) -dev_read_urand(nessusd_t) - -domain_use_interactive_fds(nessusd_t) - -files_read_etc_files(nessusd_t) -files_read_etc_runtime_files(nessusd_t) - -fs_getattr_all_fs(nessusd_t) -fs_search_auto_mountpoints(nessusd_t) - -logging_send_syslog_msg(nessusd_t) - -miscfiles_read_localization(nessusd_t) - -sysnet_read_config(nessusd_t) - -userdom_dontaudit_use_unpriv_user_fds(nessusd_t) -userdom_dontaudit_search_user_home_dirs(nessusd_t) - -optional_policy(` - nis_use_ypbind(nessusd_t) -') - -optional_policy(` - seutil_sigchld_newrole(nessusd_t) -') - -optional_policy(` - udev_read_db(nessusd_t) -') diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc deleted file mode 100644 index d15cc4b..0000000 --- a/policy/modules/services/networkmanager.fc +++ /dev/null @@ -1,30 +0,0 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - -/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - -/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) -/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) -/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) - -/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - -/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - -/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - -/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) -/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) - -/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) -/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) - -/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if deleted file mode 100644 index 8069487..0000000 --- a/policy/modules/services/networkmanager.if +++ /dev/null @@ -1,262 +0,0 @@ -## Manager for dynamically switching between networks. - -######################################## -## -## Read and write NetworkManager UDP sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`networkmanager_rw_udp_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:udp_socket { read write }; -') - -######################################## -## -## Read and write NetworkManager packet sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`networkmanager_rw_packet_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:packet_socket { read write }; -') - -####################################### -## -## Allow caller to relabel tun_socket -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_attach_tun_iface',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## -## Read and write NetworkManager netlink -## routing sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`networkmanager_rw_routing_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:netlink_route_socket { read write }; -') - -######################################## -## -## Execute NetworkManager with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`networkmanager_domtrans',` - gen_require(` - type NetworkManager_t, NetworkManager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) -') - -######################################## -## -## Execute NetworkManager scripts with an automatic domain transition to initrc. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`networkmanager_initrc_domtrans',` - gen_require(` - type NetworkManager_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) -') - -######################################## -## -## Send and receive messages from -## NetworkManager over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_dbus_chat',` - gen_require(` - type NetworkManager_t; - class dbus send_msg; - ') - - allow $1 NetworkManager_t:dbus send_msg; - allow NetworkManager_t $1:dbus send_msg; -') - -######################################## -## -## Do not audit attempts to send and -## receive messages from NetworkManager -## over dbus. -## -## -## -## Domain to not audit. -## -## -# -interface(`networkmanager_dontaudit_dbus_chat',` - gen_require(` - type NetworkManager_t; - class dbus send_msg; - ') - - dontaudit $1 NetworkManager_t:dbus send_msg; - dontaudit NetworkManager_t $1:dbus send_msg; -') - -######################################## -## -## Send a generic signal to NetworkManager -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_signal',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:process signal; -') - -######################################## -## -## Read NetworkManager lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_read_lib_files',` - gen_require(` - type NetworkManager_var_lib_t; - ') - - files_search_var_lib($1) - list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) - read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -') - -######################################## -## -## Read NetworkManager PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_read_pid_files',` - gen_require(` - type NetworkManager_var_run_t; - ') - - files_search_pids($1) - allow $1 NetworkManager_var_run_t:file read_file_perms; -') - -######################################## -## -## Execute NetworkManager in the NetworkManager domain, and -## allow the specified role the NetworkManager domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`networkmanager_run',` - gen_require(` - type NetworkManager_t, NetworkManager_exec_t; - ') - - networkmanager_domtrans($1) - role $2 types NetworkManager_t; -') - -######################################## -## -## Allow the specified domain to append -## to Network Manager log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_append_log',` - gen_require(` - type NetworkManager_log_t; - ') - - logging_search_logs($1) - allow $1 NetworkManager_log_t:dir list_dir_perms; - append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) -') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te deleted file mode 100644 index 02ae4e0..0000000 --- a/policy/modules/services/networkmanager.te +++ /dev/null @@ -1,310 +0,0 @@ -policy_module(networkmanager, 1.14.0) - -######################################## -# -# Declarations -# - -type NetworkManager_t; -type NetworkManager_exec_t; -init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) - -type NetworkManager_initrc_exec_t; -init_script_file(NetworkManager_initrc_exec_t) - -type NetworkManager_log_t; -logging_log_file(NetworkManager_log_t) - -type NetworkManager_tmp_t; -files_tmp_file(NetworkManager_tmp_t) - -type NetworkManager_var_lib_t; -files_type(NetworkManager_var_lib_t) - -type NetworkManager_var_run_t; -files_pid_file(NetworkManager_var_run_t) - -type wpa_cli_t; -type wpa_cli_exec_t; -init_system_domain(wpa_cli_t, wpa_cli_exec_t) - -######################################## -# -# Local policy -# - -# networkmanager will ptrace itself if gdb is installed -# and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; -dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; -allow NetworkManager_t self:fifo_file rw_fifo_file_perms; -allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; -allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; -allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; -allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; -allow NetworkManager_t self:tcp_socket create_stream_socket_perms; -allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; -allow NetworkManager_t self:udp_socket create_socket_perms; -allow NetworkManager_t self:packet_socket create_socket_perms; - -allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; - -can_exec(NetworkManager_t, NetworkManager_exec_t) - -manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) -logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) - -can_exec(NetworkManager_t, NetworkManager_tmp_t) -manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) - -manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir) - -manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) - -kernel_read_system_state(NetworkManager_t) -kernel_read_network_state(NetworkManager_t) -kernel_read_kernel_sysctls(NetworkManager_t) -kernel_request_load_module(NetworkManager_t) -kernel_read_debugfs(NetworkManager_t) -kernel_rw_net_sysctls(NetworkManager_t) - -corenet_all_recvfrom_unlabeled(NetworkManager_t) -corenet_all_recvfrom_netlabel(NetworkManager_t) -corenet_tcp_sendrecv_generic_if(NetworkManager_t) -corenet_udp_sendrecv_generic_if(NetworkManager_t) -corenet_raw_sendrecv_generic_if(NetworkManager_t) -corenet_tcp_sendrecv_generic_node(NetworkManager_t) -corenet_udp_sendrecv_generic_node(NetworkManager_t) -corenet_raw_sendrecv_generic_node(NetworkManager_t) -corenet_tcp_sendrecv_all_ports(NetworkManager_t) -corenet_udp_sendrecv_all_ports(NetworkManager_t) -corenet_udp_bind_generic_node(NetworkManager_t) -corenet_udp_bind_isakmp_port(NetworkManager_t) -corenet_udp_bind_dhcpc_port(NetworkManager_t) -corenet_tcp_connect_all_ports(NetworkManager_t) -corenet_sendrecv_isakmp_server_packets(NetworkManager_t) -corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) -corenet_sendrecv_all_client_packets(NetworkManager_t) -corenet_rw_tun_tap_dev(NetworkManager_t) -corenet_getattr_ppp_dev(NetworkManager_t) - -dev_read_sysfs(NetworkManager_t) -dev_read_rand(NetworkManager_t) -dev_read_urand(NetworkManager_t) -dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) -dev_getattr_all_chr_files(NetworkManager_t) - -fs_getattr_all_fs(NetworkManager_t) -fs_search_auto_mountpoints(NetworkManager_t) -fs_list_inotifyfs(NetworkManager_t) - -mls_file_read_all_levels(NetworkManager_t) - -selinux_dontaudit_search_fs(NetworkManager_t) - -corecmd_exec_shell(NetworkManager_t) -corecmd_exec_bin(NetworkManager_t) - -domain_use_interactive_fds(NetworkManager_t) -domain_read_confined_domains_state(NetworkManager_t) - -files_read_etc_files(NetworkManager_t) -files_read_etc_runtime_files(NetworkManager_t) -files_read_usr_files(NetworkManager_t) -files_read_usr_src_files(NetworkManager_t) - -storage_getattr_fixed_disk_dev(NetworkManager_t) - -init_read_utmp(NetworkManager_t) -init_dontaudit_write_utmp(NetworkManager_t) -init_domtrans_script(NetworkManager_t) - -auth_use_nsswitch(NetworkManager_t) - -logging_send_syslog_msg(NetworkManager_t) - -miscfiles_read_localization(NetworkManager_t) -miscfiles_read_generic_certs(NetworkManager_t) - -modutils_domtrans_insmod(NetworkManager_t) - -seutil_read_config(NetworkManager_t) - -sysnet_domtrans_ifconfig(NetworkManager_t) -sysnet_domtrans_dhcpc(NetworkManager_t) -sysnet_signal_dhcpc(NetworkManager_t) -sysnet_read_dhcpc_pid(NetworkManager_t) -sysnet_read_dhcp_config(NetworkManager_t) -sysnet_delete_dhcpc_pid(NetworkManager_t) -sysnet_kill_dhcpc(NetworkManager_t) -sysnet_read_dhcpc_state(NetworkManager_t) -sysnet_delete_dhcpc_state(NetworkManager_t) -sysnet_search_dhcp_state(NetworkManager_t) -# in /etc created by NetworkManager will be labelled net_conf_t. -sysnet_manage_config(NetworkManager_t) -sysnet_etc_filetrans_config(NetworkManager_t) - -userdom_stream_connect(NetworkManager_t) -userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) -userdom_dontaudit_use_user_ttys(NetworkManager_t) -# Read gnome-keyring -userdom_read_home_certs(NetworkManager_t) -userdom_read_user_home_content_files(NetworkManager_t) -userdom_dgram_send(NetworkManager_t) - -cron_read_system_job_lib_files(NetworkManager_t) - -optional_policy(` - avahi_domtrans(NetworkManager_t) - avahi_kill(NetworkManager_t) - avahi_signal(NetworkManager_t) - avahi_signull(NetworkManager_t) - avahi_dbus_chat(NetworkManager_t) -') - -optional_policy(` - bind_domtrans(NetworkManager_t) - bind_manage_cache(NetworkManager_t) - bind_kill(NetworkManager_t) - bind_signal(NetworkManager_t) - bind_signull(NetworkManager_t) -') - -optional_policy(` - bluetooth_dontaudit_read_helper_state(NetworkManager_t) -') - -optional_policy(` - consoletype_domtrans(NetworkManager_t) -') - -optional_policy(` - dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) - - init_dbus_chat(NetworkManager_t) - - optional_policy(` - consolekit_dbus_chat(NetworkManager_t) - ') -') - -optional_policy(` - dnsmasq_read_pid_files(NetworkManager_t) - dnsmasq_delete_pid_files(NetworkManager_t) - dnsmasq_domtrans(NetworkManager_t) - dnsmasq_initrc_domtrans(NetworkManager_t) - dnsmasq_kill(NetworkManager_t) - dnsmasq_signal(NetworkManager_t) - dnsmasq_signull(NetworkManager_t) -') - -optional_policy(` - hal_write_log(NetworkManager_t) -') - -optional_policy(` - howl_signal(NetworkManager_t) -') - -optional_policy(` - ipsec_domtrans_mgmt(NetworkManager_t) - ipsec_kill_mgmt(NetworkManager_t) - ipsec_signal_mgmt(NetworkManager_t) - ipsec_signull_mgmt(NetworkManager_t) -') - -optional_policy(` - iptables_domtrans(NetworkManager_t) -') - -optional_policy(` - nscd_domtrans(NetworkManager_t) - nscd_signal(NetworkManager_t) - nscd_signull(NetworkManager_t) - nscd_kill(NetworkManager_t) - nscd_initrc_domtrans(NetworkManager_t) -') - -optional_policy(` - # Dispatcher starting and stoping ntp - ntp_initrc_domtrans(NetworkManager_t) -') - -optional_policy(` - openvpn_domtrans(NetworkManager_t) - openvpn_kill(NetworkManager_t) - openvpn_signal(NetworkManager_t) - openvpn_signull(NetworkManager_t) -') - -optional_policy(` - policykit_dbus_chat(NetworkManager_t) - policykit_domtrans_auth(NetworkManager_t) - policykit_read_lib(NetworkManager_t) - policykit_read_reload(NetworkManager_t) - userdom_read_all_users_state(NetworkManager_t) -') - -optional_policy(` - ppp_initrc_domtrans(NetworkManager_t) - ppp_domtrans(NetworkManager_t) - ppp_manage_pid_files(NetworkManager_t) - ppp_kill(NetworkManager_t) - ppp_signal(NetworkManager_t) - ppp_signull(NetworkManager_t) - ppp_read_config(NetworkManager_t) -') - -optional_policy(` - rpm_exec(NetworkManager_t) - rpm_read_db(NetworkManager_t) - rpm_dontaudit_manage_db(NetworkManager_t) -') - -optional_policy(` - seutil_sigchld_newrole(NetworkManager_t) -') - -optional_policy(` - udev_exec(NetworkManager_t) - udev_read_db(NetworkManager_t) -') - -optional_policy(` - vpn_domtrans(NetworkManager_t) - vpn_kill(NetworkManager_t) - vpn_signal(NetworkManager_t) - vpn_signull(NetworkManager_t) - vpn_relabelfrom_tun_socket(NetworkManager_t) -') - -######################################## -# -# wpa_cli local policy -# - -allow wpa_cli_t self:capability dac_override; -allow wpa_cli_t self:unix_dgram_socket create_socket_perms; - -allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; - -manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file) - -list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) - -init_dontaudit_use_fds(wpa_cli_t) -init_use_script_ptys(wpa_cli_t) - -miscfiles_read_localization(wpa_cli_t) - -term_dontaudit_use_console(wpa_cli_t) diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc deleted file mode 100644 index 0c97dab..0000000 --- a/policy/modules/services/nis.fc +++ /dev/null @@ -1,22 +0,0 @@ -/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) -/etc/rc\.d/init\.d/yppasswdd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) - -/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) - -/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) - -/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) -/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) -/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) - -/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) - -/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0) -/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) -/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) -/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if deleted file mode 100644 index 995a6cb..0000000 --- a/policy/modules/services/nis.if +++ /dev/null @@ -1,377 +0,0 @@ -## Policy for NIS (YP) servers and clients - -######################################## -## -## Use the ypbind service to access NIS services -## unconditionally. -## -## -##

-## Use the ypbind service to access NIS services -## unconditionally. -##

-##

-## This interface was added because of apache and -## spamassassin, to fix a nested conditionals problem. -## When that support is added, this should be removed, -## and the regular interface should be used. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`nis_use_ypbind_uncond',` - gen_require(` - type var_yp_t; - ') - - allow $1 self:capability net_bind_service; - - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - allow $1 var_yp_t:dir list_dir_perms; - allow $1 var_yp_t:lnk_file read_lnk_file_perms; - allow $1 var_yp_t:file read_file_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_all_ports($1) - corenet_udp_sendrecv_all_ports($1) - corenet_tcp_bind_generic_node($1) - corenet_udp_bind_generic_node($1) - corenet_tcp_bind_generic_port($1) - corenet_udp_bind_generic_port($1) - corenet_tcp_bind_all_rpc_ports($1) - corenet_udp_bind_all_rpc_ports($1) - corenet_dontaudit_tcp_bind_all_ports($1) - corenet_dontaudit_udp_bind_all_ports($1) - corenet_tcp_connect_portmap_port($1) - corenet_tcp_connect_all_reserved_ports($1) - corenet_tcp_connect_generic_port($1) - corenet_dontaudit_tcp_connect_all_ports($1) - corenet_sendrecv_portmap_client_packets($1) - corenet_sendrecv_generic_client_packets($1) - corenet_sendrecv_generic_server_packets($1) - - sysnet_read_config($1) -') - -######################################## -## -## Use the ypbind service to access NIS services. -## -## -##

-## Allow the specified domain to use the ypbind service -## to access Network Information Service (NIS) services. -## Information that can be retreived from NIS includes -## usernames, passwords, home directories, and groups. -## If the network is configured to have a single sign-on -## using NIS, it is likely that any program that does -## authentication will need this access. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -# -interface(`nis_use_ypbind',` - tunable_policy(`allow_ypbind',` - nis_use_ypbind_uncond($1) - ') -') - -######################################## -## -## Use the nis to authenticate passwords -## -## -## -## Domain allowed access. -## -## -## -# -interface(`nis_authenticate',` - tunable_policy(`allow_ypbind',` - nis_use_ypbind_uncond($1) - corenet_tcp_bind_all_rpc_ports($1) - corenet_udp_bind_all_rpc_ports($1) - ') -') - -######################################## -## -## Execute ypbind in the ypbind domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nis_domtrans_ypbind',` - gen_require(` - type ypbind_t, ypbind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ypbind_exec_t, ypbind_t) -') - -######################################## -## -## Execute ypbind in the ypbind domain, and -## allow the specified role the ypbind domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`nis_run_ypbind',` - gen_require(` - type ypbind_t; - ') - - nis_domtrans_ypbind($1) - role $2 types ypbind_t; -') - -######################################## -## -## Send generic signals to ypbind. -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_signal_ypbind',` - gen_require(` - type ypbind_t; - ') - - allow $1 ypbind_t:process signal; -') - -######################################## -## -## List the contents of the NIS data directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_list_var_yp',` - gen_require(` - type var_yp_t; - ') - - files_search_var($1) - allow $1 var_yp_t:dir list_dir_perms; -') - -######################################## -## -## Send UDP network traffic to NIS clients. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_udp_send_ypbind',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Connect to ypbind over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_tcp_connect_ypbind',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read ypbind pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_read_ypbind_pid',` - gen_require(` - type ypbind_var_run_t; - ') - - files_search_pids($1) - allow $1 ypbind_var_run_t:file read_file_perms; -') - -######################################## -## -## Read ypserv configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_read_ypserv_config',` - gen_require(` - type ypserv_conf_t; - ') - - files_search_etc($1) - allow $1 ypserv_conf_t:file read_file_perms; -') - -######################################## -## -## Execute ypxfr in the ypxfr domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nis_domtrans_ypxfr',` - gen_require(` - type ypxfr_t, ypxfr_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) -') - -######################################## -## -## Execute nis server in the nis domain. -## -## -## -## Domain allowed to transition. -## -## -# -# -interface(`nis_initrc_domtrans',` - gen_require(` - type nis_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nis_initrc_exec_t) -') - -######################################## -## -## Execute nis server in the nis domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nis_initrc_domtrans_ypbind',` - gen_require(` - type ypbind_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ypbind_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an nis environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`nis_admin',` - gen_require(` - type ypbind_t, yppasswdd_t, ypserv_t; - type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; - type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; - type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; - ') - - allow $1 ypbind_t:process { ptrace signal_perms }; - ps_process_pattern($1, ypbind_t) - - allow $1 yppasswdd_t:process { ptrace signal_perms }; - ps_process_pattern($1, yppasswdd_t) - - allow $1 ypserv_t:process { ptrace signal_perms }; - ps_process_pattern($1, ypserv_t) - - allow $1 ypxfr_t:process { ptrace signal_perms }; - ps_process_pattern($1, ypxfr_t) - - nis_initrc_domtrans($1) - nis_initrc_domtrans_ypbind($1) - domain_system_change_exemption($1) - role_transition $2 nis_initrc_exec_t system_r; - role_transition $2 ypbind_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, ypbind_tmp_t) - - files_list_pids($1) - admin_pattern($1, ypbind_var_run_t) - - admin_pattern($1, yppasswdd_var_run_t) - - files_list_etc($1) - admin_pattern($1, ypserv_conf_t) - - admin_pattern($1, ypserv_tmp_t) - - admin_pattern($1, ypserv_var_run_t) -') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te deleted file mode 100644 index 5f2ba87..0000000 --- a/policy/modules/services/nis.te +++ /dev/null @@ -1,348 +0,0 @@ -policy_module(nis, 1.10.0) - -######################################## -# -# Declarations -# - -type nis_initrc_exec_t; -init_script_file(nis_initrc_exec_t) - -type var_yp_t; -files_type(var_yp_t) - -type ypbind_t; -type ypbind_exec_t; -init_daemon_domain(ypbind_t, ypbind_exec_t) - -type ypbind_initrc_exec_t; -init_script_file(ypbind_initrc_exec_t) - -type ypbind_tmp_t; -files_tmp_file(ypbind_tmp_t) - -type ypbind_var_run_t; -files_pid_file(ypbind_var_run_t) - -type yppasswdd_t; -type yppasswdd_exec_t; -init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) -domain_obj_id_change_exemption(yppasswdd_t) - -type yppasswdd_var_run_t; -files_pid_file(yppasswdd_var_run_t) - -type ypserv_t; -type ypserv_exec_t; -init_daemon_domain(ypserv_t, ypserv_exec_t) - -type ypserv_conf_t; -files_type(ypserv_conf_t) - -type ypserv_tmp_t; -files_tmp_file(ypserv_tmp_t) - -type ypserv_var_run_t; -files_pid_file(ypserv_var_run_t) - -type ypxfr_t; -type ypxfr_exec_t; -init_daemon_domain(ypxfr_t, ypxfr_exec_t) - -type ypxfr_var_run_t; -files_pid_file(ypxfr_var_run_t) - -######################################## -# -# ypbind local policy -# - -dontaudit ypbind_t self:capability { net_admin sys_tty_config }; -allow ypbind_t self:process signal_perms; -allow ypbind_t self:fifo_file rw_fifo_file_perms; -allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; -allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; -allow ypbind_t self:tcp_socket create_stream_socket_perms; -allow ypbind_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t) -manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t) -files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir }) - -manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t) -files_pid_filetrans(ypbind_t, ypbind_var_run_t, file) - -manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) - -kernel_read_system_state(ypbind_t) -kernel_read_kernel_sysctls(ypbind_t) - -corenet_all_recvfrom_unlabeled(ypbind_t) -corenet_all_recvfrom_netlabel(ypbind_t) -corenet_tcp_sendrecv_generic_if(ypbind_t) -corenet_udp_sendrecv_generic_if(ypbind_t) -corenet_tcp_sendrecv_generic_node(ypbind_t) -corenet_udp_sendrecv_generic_node(ypbind_t) -corenet_tcp_sendrecv_all_ports(ypbind_t) -corenet_udp_sendrecv_all_ports(ypbind_t) -corenet_tcp_bind_generic_node(ypbind_t) -corenet_udp_bind_generic_node(ypbind_t) -corenet_tcp_bind_generic_port(ypbind_t) -corenet_udp_bind_generic_port(ypbind_t) -corenet_tcp_bind_reserved_port(ypbind_t) -corenet_udp_bind_reserved_port(ypbind_t) -corenet_tcp_bind_all_rpc_ports(ypbind_t) -corenet_udp_bind_all_rpc_ports(ypbind_t) -corenet_tcp_connect_all_ports(ypbind_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) -corenet_sendrecv_all_client_packets(ypbind_t) -corenet_sendrecv_generic_server_packets(ypbind_t) - -dev_read_sysfs(ypbind_t) - -fs_getattr_all_fs(ypbind_t) -fs_search_auto_mountpoints(ypbind_t) - -domain_use_interactive_fds(ypbind_t) - -files_read_etc_files(ypbind_t) -files_list_var(ypbind_t) - -logging_send_syslog_msg(ypbind_t) - -miscfiles_read_localization(ypbind_t) - -sysnet_read_config(ypbind_t) - -userdom_dontaudit_use_unpriv_user_fds(ypbind_t) -userdom_dontaudit_search_user_home_dirs(ypbind_t) - -optional_policy(` - dbus_system_bus_client(ypbind_t) - dbus_connect_system_bus(ypbind_t) - init_dbus_chat_script(ypbind_t) - - optional_policy(` - networkmanager_dbus_chat(ypbind_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(ypbind_t) -') - -optional_policy(` - udev_read_db(ypbind_t) -') - -######################################## -# -# yppasswdd local policy -# - -allow yppasswdd_t self:capability dac_override; -dontaudit yppasswdd_t self:capability sys_tty_config; -allow yppasswdd_t self:process { getsched setfscreate signal_perms }; -allow yppasswdd_t self:fifo_file rw_fifo_file_perms; -allow yppasswdd_t self:unix_dgram_socket create_socket_perms; -allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; -allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; -allow yppasswdd_t self:tcp_socket create_stream_socket_perms; -allow yppasswdd_t self:udp_socket create_socket_perms; - -manage_files_pattern(yppasswdd_t, yppasswdd_var_run_t, yppasswdd_var_run_t) -files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) - -manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) -manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) - -kernel_list_proc(yppasswdd_t) -kernel_read_proc_symlinks(yppasswdd_t) -kernel_getattr_proc_files(yppasswdd_t) -kernel_read_kernel_sysctls(yppasswdd_t) - -corenet_all_recvfrom_unlabeled(yppasswdd_t) -corenet_all_recvfrom_netlabel(yppasswdd_t) -corenet_tcp_sendrecv_generic_if(yppasswdd_t) -corenet_udp_sendrecv_generic_if(yppasswdd_t) -corenet_tcp_sendrecv_generic_node(yppasswdd_t) -corenet_udp_sendrecv_generic_node(yppasswdd_t) -corenet_tcp_sendrecv_all_ports(yppasswdd_t) -corenet_udp_sendrecv_all_ports(yppasswdd_t) -corenet_tcp_bind_generic_node(yppasswdd_t) -corenet_udp_bind_generic_node(yppasswdd_t) -corenet_tcp_bind_all_rpc_ports(yppasswdd_t) -corenet_udp_bind_all_rpc_ports(yppasswdd_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) -corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) -corenet_sendrecv_generic_server_packets(yppasswdd_t) - -dev_read_sysfs(yppasswdd_t) - -fs_getattr_all_fs(yppasswdd_t) -fs_search_auto_mountpoints(yppasswdd_t) - -selinux_get_fs_mount(yppasswdd_t) - -auth_manage_shadow(yppasswdd_t) -auth_relabel_shadow(yppasswdd_t) -auth_etc_filetrans_shadow(yppasswdd_t) - -corecmd_exec_bin(yppasswdd_t) -corecmd_exec_shell(yppasswdd_t) - -domain_use_interactive_fds(yppasswdd_t) - -files_read_etc_files(yppasswdd_t) -files_read_etc_runtime_files(yppasswdd_t) -files_relabel_etc_files(yppasswdd_t) - -logging_send_syslog_msg(yppasswdd_t) - -miscfiles_read_localization(yppasswdd_t) - -sysnet_read_config(yppasswdd_t) - -userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t) -userdom_dontaudit_search_user_home_dirs(yppasswdd_t) - -optional_policy(` - hostname_exec(yppasswdd_t) -') - -optional_policy(` - seutil_sigchld_newrole(yppasswdd_t) -') - -optional_policy(` - udev_read_db(yppasswdd_t) -') - -######################################## -# -# ypserv local policy -# - -dontaudit ypserv_t self:capability sys_tty_config; -allow ypserv_t self:process signal_perms; -allow ypserv_t self:fifo_file rw_fifo_file_perms; -allow ypserv_t self:unix_dgram_socket create_socket_perms; -allow ypserv_t self:unix_stream_socket create_stream_socket_perms; -allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; -allow ypserv_t self:tcp_socket connected_stream_socket_perms; -allow ypserv_t self:udp_socket create_socket_perms; - -manage_files_pattern(ypserv_t, var_yp_t, var_yp_t) - -allow ypserv_t ypserv_conf_t:file read_file_perms; - -manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) -manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) -files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir }) - -manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t) -files_pid_filetrans(ypserv_t, ypserv_var_run_t, file) - -kernel_read_kernel_sysctls(ypserv_t) -kernel_list_proc(ypserv_t) -kernel_read_proc_symlinks(ypserv_t) - -corenet_all_recvfrom_unlabeled(ypserv_t) -corenet_all_recvfrom_netlabel(ypserv_t) -corenet_tcp_sendrecv_generic_if(ypserv_t) -corenet_udp_sendrecv_generic_if(ypserv_t) -corenet_tcp_sendrecv_generic_node(ypserv_t) -corenet_udp_sendrecv_generic_node(ypserv_t) -corenet_tcp_sendrecv_all_ports(ypserv_t) -corenet_udp_sendrecv_all_ports(ypserv_t) -corenet_tcp_bind_generic_node(ypserv_t) -corenet_udp_bind_generic_node(ypserv_t) -corenet_tcp_bind_reserved_port(ypserv_t) -corenet_udp_bind_reserved_port(ypserv_t) -corenet_tcp_bind_all_rpc_ports(ypserv_t) -corenet_udp_bind_all_rpc_ports(ypserv_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) -corenet_sendrecv_generic_server_packets(ypserv_t) - -dev_read_sysfs(ypserv_t) - -fs_getattr_all_fs(ypserv_t) -fs_search_auto_mountpoints(ypserv_t) - -corecmd_exec_bin(ypserv_t) - -domain_use_interactive_fds(ypserv_t) - -files_read_var_files(ypserv_t) -files_read_etc_files(ypserv_t) - -logging_send_syslog_msg(ypserv_t) - -miscfiles_read_localization(ypserv_t) - -nis_domtrans_ypxfr(ypserv_t) - -sysnet_read_config(ypserv_t) - -userdom_dontaudit_use_unpriv_user_fds(ypserv_t) -userdom_dontaudit_search_user_home_dirs(ypserv_t) - -optional_policy(` - seutil_sigchld_newrole(ypserv_t) -') - -optional_policy(` - udev_read_db(ypserv_t) -') - -######################################## -# -# ypxfr local policy -# - -allow ypxfr_t self:unix_stream_socket create_stream_socket_perms; -allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms; -allow ypxfr_t self:tcp_socket create_stream_socket_perms; -allow ypxfr_t self:udp_socket create_socket_perms; -allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; - -manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t) - -allow ypxfr_t ypserv_t:tcp_socket { read write }; -allow ypxfr_t ypserv_t:udp_socket { read write }; - -allow ypxfr_t ypserv_conf_t:file read_file_perms; - -manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) -files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) - -corenet_all_recvfrom_unlabeled(ypxfr_t) -corenet_all_recvfrom_netlabel(ypxfr_t) -corenet_tcp_sendrecv_generic_if(ypxfr_t) -corenet_udp_sendrecv_generic_if(ypxfr_t) -corenet_tcp_sendrecv_generic_node(ypxfr_t) -corenet_udp_sendrecv_generic_node(ypxfr_t) -corenet_tcp_sendrecv_all_ports(ypxfr_t) -corenet_udp_sendrecv_all_ports(ypxfr_t) -corenet_tcp_bind_generic_node(ypxfr_t) -corenet_udp_bind_generic_node(ypxfr_t) -corenet_tcp_bind_reserved_port(ypxfr_t) -corenet_udp_bind_reserved_port(ypxfr_t) -corenet_tcp_bind_all_rpc_ports(ypxfr_t) -corenet_udp_bind_all_rpc_ports(ypxfr_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) -corenet_tcp_connect_all_ports(ypxfr_t) -corenet_sendrecv_generic_server_packets(ypxfr_t) -corenet_sendrecv_all_client_packets(ypxfr_t) - -files_read_etc_files(ypxfr_t) -files_search_usr(ypxfr_t) - -logging_send_syslog_msg(ypxfr_t) - -miscfiles_read_localization(ypxfr_t) - -sysnet_read_config(ypxfr_t) diff --git a/policy/modules/services/nscd.fc b/policy/modules/services/nscd.fc deleted file mode 100644 index 623b731..0000000 --- a/policy/modules/services/nscd.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) - -/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) - -/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) -/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) - -/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) - -/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0) -/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) - -/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if deleted file mode 100644 index 99cefb8..0000000 --- a/policy/modules/services/nscd.if +++ /dev/null @@ -1,313 +0,0 @@ -## Name service cache daemon - -######################################## -## -## Send generic signals to NSCD. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_signal',` - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process signal; -') - -######################################## -## -## Send NSCD the kill signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_kill',` - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process sigkill; -') - -######################################## -## -## Send signulls to NSCD. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_signull',` - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process signull; -') - -######################################## -## -## Execute NSCD in the nscd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nscd_domtrans',` - gen_require(` - type nscd_t, nscd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nscd_exec_t, nscd_t) -') - -######################################## -## -## Allow the specified domain to execute nscd -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_exec',` - gen_require(` - type nscd_exec_t; - ') - - can_exec($1, nscd_exec_t) -') - -######################################## -## -## Use NSCD services by connecting using -## a unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_socket_use',` - gen_require(` - type nscd_t, nscd_var_run_t; - class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; - ') - - allow $1 self:unix_stream_socket create_socket_perms; - - allow $1 nscd_t:nscd { getpwd getgrp gethost }; - dontaudit $1 nscd_t:fd use; - dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; - files_search_pids($1) - stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) - dontaudit $1 nscd_var_run_t:file read_file_perms; -') - -######################################## -## -## Use nscd services -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_use',` - tunable_policy(`nscd_use_shm',` - nscd_shm_use($1) - ',` - nscd_socket_use($1) - ') -') - -######################################## -## -## Use NSCD services by mapping the database from -## an inherited NSCD file descriptor. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_shm_use',` - gen_require(` - type nscd_t, nscd_var_run_t; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - ') - - allow $1 nscd_var_run_t:dir list_dir_perms; - allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; - - # Receive fd from nscd and map the backing file with read access. - allow $1 nscd_t:fd use; - - # cjp: these were originally inherited from the - # nscd_socket_domain macro. need to investigate - # if they are all actually required - allow $1 self:unix_stream_socket create_stream_socket_perms; - - # dg: This may not be required. - allow $1 nscd_var_run_t:sock_file read_sock_file_perms; - - stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) - files_search_pids($1) - allow $1 nscd_t:nscd { getpwd getgrp gethost }; - dontaudit $1 nscd_var_run_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to search the NSCD pid directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`nscd_dontaudit_search_pid',` - gen_require(` - type nscd_var_run_t; - ') - - dontaudit $1 nscd_var_run_t:dir search_dir_perms; -') - -######################################## -## -## Read NSCD pid file. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_read_pid',` - gen_require(` - type nscd_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, nscd_var_run_t, nscd_var_run_t) -') - -######################################## -## -## Unconfined access to NSCD services. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_unconfined',` - gen_require(` - type nscd_t; - class nscd all_nscd_perms; - ') - - allow $1 nscd_t:nscd *; -') - -######################################## -## -## Execute nscd in the nscd domain, and -## allow the specified role the nscd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`nscd_run',` - gen_require(` - type nscd_t; - ') - - nscd_domtrans($1) - role $2 types nscd_t; -') - -######################################## -## -## Execute the nscd server init script. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nscd_initrc_domtrans',` - gen_require(` - type nscd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nscd_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an nscd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the nscd domain. -## -## -## -# -interface(`nscd_admin',` - gen_require(` - type nscd_t, nscd_log_t, nscd_var_run_t; - type nscd_initrc_exec_t; - ') - - allow $1 nscd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nscd_t) - - init_labeled_script_domtrans($1, nscd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nscd_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, nscd_log_t) - - files_list_pids($1) - admin_pattern($1, nscd_var_run_t) -') diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te deleted file mode 100644 index 6b54db7..0000000 --- a/policy/modules/services/nscd.te +++ /dev/null @@ -1,156 +0,0 @@ -policy_module(nscd, 1.10.1) - -gen_require(` - class nscd all_nscd_perms; -') - -## -##

-## Allow confined applications to use nscd shared memory. -##

-##
-gen_tunable(nscd_use_shm, false) - -######################################## -# -# Declarations -# - -# cjp: this is out of order because of an -# ordering problem with loadable modules -type nscd_var_run_t; -files_pid_file(nscd_var_run_t) - -# nscd is both the client program and the daemon. -type nscd_t; -type nscd_exec_t; -init_daemon_domain(nscd_t, nscd_exec_t) - -type nscd_initrc_exec_t; -init_script_file(nscd_initrc_exec_t) - -type nscd_log_t; -logging_log_file(nscd_log_t) - -######################################## -# -# Local policy -# - -allow nscd_t self:capability { kill setgid setuid sys_ptrace }; -dontaudit nscd_t self:capability sys_tty_config; -allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; -allow nscd_t self:fifo_file read_fifo_file_perms; -allow nscd_t self:unix_stream_socket create_stream_socket_perms; -allow nscd_t self:unix_dgram_socket create_socket_perms; -allow nscd_t self:netlink_selinux_socket create_socket_perms; -allow nscd_t self:tcp_socket create_socket_perms; -allow nscd_t self:udp_socket create_socket_perms; - -# For client program operation, invoked from sysadm_t. -# Transition occurs to nscd_t due to direct_sysadm_daemon. -allow nscd_t self:nscd { admin getstat }; - -allow nscd_t nscd_log_t:file manage_file_perms; -logging_log_filetrans(nscd_t, nscd_log_t, file) - -manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) -manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) -manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) -files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir }) - -corecmd_search_bin(nscd_t) -can_exec(nscd_t, nscd_exec_t) - -kernel_read_kernel_sysctls(nscd_t) -kernel_list_proc(nscd_t) -kernel_read_proc_symlinks(nscd_t) - -dev_read_sysfs(nscd_t) -dev_read_rand(nscd_t) -dev_read_urand(nscd_t) - -fs_getattr_all_fs(nscd_t) -fs_search_auto_mountpoints(nscd_t) -fs_list_inotifyfs(nscd_t) - -# for when /etc/passwd has just been updated and has the wrong type -auth_getattr_shadow(nscd_t) -auth_use_nsswitch(nscd_t) - -corenet_all_recvfrom_unlabeled(nscd_t) -corenet_all_recvfrom_netlabel(nscd_t) -corenet_tcp_sendrecv_generic_if(nscd_t) -corenet_udp_sendrecv_generic_if(nscd_t) -corenet_tcp_sendrecv_generic_node(nscd_t) -corenet_udp_sendrecv_generic_node(nscd_t) -corenet_tcp_sendrecv_all_ports(nscd_t) -corenet_udp_sendrecv_all_ports(nscd_t) -corenet_udp_bind_generic_node(nscd_t) -corenet_tcp_connect_all_ports(nscd_t) -corenet_sendrecv_all_client_packets(nscd_t) -corenet_rw_tun_tap_dev(nscd_t) - -selinux_get_fs_mount(nscd_t) -selinux_validate_context(nscd_t) -selinux_compute_access_vector(nscd_t) -selinux_compute_create_context(nscd_t) -selinux_compute_relabel_context(nscd_t) -selinux_compute_user_contexts(nscd_t) -domain_use_interactive_fds(nscd_t) -domain_search_all_domains_state(nscd_t) - -files_read_etc_files(nscd_t) -files_read_generic_tmp_symlinks(nscd_t) -# Needed to read files created by firstboot "/etc/hesiod.conf" -files_read_etc_runtime_files(nscd_t) - -logging_send_audit_msgs(nscd_t) -logging_send_syslog_msg(nscd_t) - -miscfiles_read_localization(nscd_t) - -seutil_read_config(nscd_t) -seutil_read_default_contexts(nscd_t) -seutil_sigchld_newrole(nscd_t) - -sysnet_read_config(nscd_t) - -userdom_dontaudit_use_user_terminals(nscd_t) -userdom_dontaudit_use_unpriv_user_fds(nscd_t) -userdom_dontaudit_search_user_home_dirs(nscd_t) - -optional_policy(` - accountsd_dontaudit_rw_fifo_file(nscd_t) -') - -optional_policy(` - cron_read_system_job_tmp_files(nscd_t) -') - -optional_policy(` - kerberos_use(nscd_t) -') - -optional_policy(` - udev_read_db(nscd_t) -') - -optional_policy(` - xen_dontaudit_rw_unix_stream_sockets(nscd_t) - xen_append_log(nscd_t) -') - -optional_policy(` - tunable_policy(`samba_domain_controller',` - samba_append_log(nscd_t) - samba_dontaudit_use_fds(nscd_t) - ') - - samba_read_config(nscd_t) - samba_read_var_files(nscd_t) -') - -optional_policy(` - unconfined_dontaudit_rw_packet_sockets(nscd_t) -') diff --git a/policy/modules/services/nsd.fc b/policy/modules/services/nsd.fc deleted file mode 100644 index 53cc800..0000000 --- a/policy/modules/services/nsd.fc +++ /dev/null @@ -1,14 +0,0 @@ - -/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) -/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) -/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) - -/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) -/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0) -/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0) -/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) - -/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) -/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) diff --git a/policy/modules/services/nsd.if b/policy/modules/services/nsd.if deleted file mode 100644 index a1371d5..0000000 --- a/policy/modules/services/nsd.if +++ /dev/null @@ -1,29 +0,0 @@ -## Authoritative only name server - -######################################## -## -## Send and receive datagrams from NSD. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`nsd_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Connect to NSD over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`nsd_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te deleted file mode 100644 index 4b15536..0000000 --- a/policy/modules/services/nsd.te +++ /dev/null @@ -1,180 +0,0 @@ -policy_module(nsd, 1.7.0) - -######################################## -# -# Declarations -# - -type nsd_t; -type nsd_exec_t; -init_daemon_domain(nsd_t, nsd_exec_t) - -# A type for configuration files of nsd -type nsd_conf_t; -files_type(nsd_conf_t) - -type nsd_crond_t; -domain_type(nsd_crond_t) -domain_entry_file(nsd_crond_t, nsd_exec_t) -role system_r types nsd_crond_t; - -# a type for nsd.db -type nsd_db_t; -files_type(nsd_db_t) - -type nsd_var_run_t; -files_pid_file(nsd_var_run_t) - -# A type for zone files -type nsd_zone_t; -files_type(nsd_zone_t) - -######################################## -# -# NSD Local policy -# - -allow nsd_t self:capability { dac_override chown setuid setgid }; -dontaudit nsd_t self:capability sys_tty_config; -allow nsd_t self:process signal_perms; -allow nsd_t self:tcp_socket create_stream_socket_perms; -allow nsd_t self:udp_socket create_socket_perms; - -allow nsd_t nsd_conf_t:dir list_dir_perms; -read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) -read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) - -allow nsd_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file) - -manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) -files_pid_filetrans(nsd_t, nsd_var_run_t, file) - -allow nsd_t nsd_zone_t:dir list_dir_perms; -read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) -read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) - -can_exec(nsd_t, nsd_exec_t) - -kernel_read_system_state(nsd_t) -kernel_read_kernel_sysctls(nsd_t) - -corecmd_exec_bin(nsd_t) - -corenet_all_recvfrom_unlabeled(nsd_t) -corenet_all_recvfrom_netlabel(nsd_t) -corenet_tcp_sendrecv_generic_if(nsd_t) -corenet_udp_sendrecv_generic_if(nsd_t) -corenet_tcp_sendrecv_generic_node(nsd_t) -corenet_udp_sendrecv_generic_node(nsd_t) -corenet_tcp_sendrecv_all_ports(nsd_t) -corenet_udp_sendrecv_all_ports(nsd_t) -corenet_tcp_bind_generic_node(nsd_t) -corenet_udp_bind_generic_node(nsd_t) -corenet_tcp_bind_dns_port(nsd_t) -corenet_udp_bind_dns_port(nsd_t) -corenet_sendrecv_dns_server_packets(nsd_t) - -dev_read_sysfs(nsd_t) - -domain_use_interactive_fds(nsd_t) - -files_read_etc_files(nsd_t) -files_read_etc_runtime_files(nsd_t) - -fs_getattr_all_fs(nsd_t) -fs_search_auto_mountpoints(nsd_t) - -logging_send_syslog_msg(nsd_t) - -miscfiles_read_localization(nsd_t) - -sysnet_read_config(nsd_t) - -userdom_dontaudit_use_unpriv_user_fds(nsd_t) -userdom_dontaudit_search_user_home_dirs(nsd_t) - -optional_policy(` - nis_use_ypbind(nsd_t) -') - -optional_policy(` - seutil_sigchld_newrole(nsd_t) -') - -optional_policy(` - udev_read_db(nsd_t) -') - -######################################## -# -# Zone update cron job local policy -# - -# kill capability for root cron job and non-root daemon -allow nsd_crond_t self:capability { dac_override kill }; -dontaudit nsd_crond_t self:capability sys_nice; -allow nsd_crond_t self:process { setsched signal_perms }; -allow nsd_crond_t self:fifo_file rw_fifo_file_perms; -allow nsd_crond_t self:tcp_socket create_socket_perms; -allow nsd_crond_t self:udp_socket create_socket_perms; - -allow nsd_crond_t nsd_conf_t:file read_file_perms; - -allow nsd_crond_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file) -files_search_var_lib(nsd_crond_t) - -allow nsd_crond_t nsd_t:process signal; - -ps_process_pattern(nsd_crond_t, nsd_t) - -manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) -filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) - -can_exec(nsd_crond_t, nsd_exec_t) - -kernel_read_system_state(nsd_crond_t) - -corecmd_exec_bin(nsd_crond_t) -corecmd_exec_shell(nsd_crond_t) - -corenet_all_recvfrom_unlabeled(nsd_crond_t) -corenet_all_recvfrom_netlabel(nsd_crond_t) -corenet_tcp_sendrecv_generic_if(nsd_crond_t) -corenet_udp_sendrecv_generic_if(nsd_crond_t) -corenet_tcp_sendrecv_generic_node(nsd_crond_t) -corenet_udp_sendrecv_generic_node(nsd_crond_t) -corenet_tcp_sendrecv_all_ports(nsd_crond_t) -corenet_udp_sendrecv_all_ports(nsd_crond_t) -corenet_tcp_connect_all_ports(nsd_crond_t) -corenet_sendrecv_all_client_packets(nsd_crond_t) - -# for SSP -dev_read_urand(nsd_crond_t) - -domain_dontaudit_read_all_domains_state(nsd_crond_t) - -files_read_etc_files(nsd_crond_t) -files_read_etc_runtime_files(nsd_crond_t) -files_search_var_lib(nsd_t) - -logging_send_syslog_msg(nsd_crond_t) - -miscfiles_read_localization(nsd_crond_t) - -sysnet_read_config(nsd_crond_t) - -userdom_dontaudit_search_user_home_dirs(nsd_crond_t) - -optional_policy(` - cron_system_entry(nsd_crond_t, nsd_exec_t) -') - -optional_policy(` - nis_use_ypbind(nsd_crond_t) -') - -optional_policy(` - nscd_read_pid(nsd_crond_t) -') diff --git a/policy/modules/services/nslcd.fc b/policy/modules/services/nslcd.fc deleted file mode 100644 index ce913b2..0000000 --- a/policy/modules/services/nslcd.fc +++ /dev/null @@ -1,4 +0,0 @@ -/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) -/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) -/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) -/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if deleted file mode 100644 index be5a5b4..0000000 --- a/policy/modules/services/nslcd.if +++ /dev/null @@ -1,114 +0,0 @@ -## nslcd - local LDAP name service daemon. - -######################################## -## -## Execute a domain transition to run nslcd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nslcd_domtrans',` - gen_require(` - type nslcd_t, nslcd_exec_t; - ') - - domtrans_pattern($1, nslcd_exec_t, nslcd_t) -') - -######################################## -## -## Execute nslcd server in the nslcd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nslcd_initrc_domtrans',` - gen_require(` - type nslcd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nslcd_initrc_exec_t) -') - -######################################## -## -## Read nslcd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nslcd_read_pid_files',` - gen_require(` - type nslcd_var_run_t; - ') - - files_search_pids($1) - allow $1 nslcd_var_run_t:file read_file_perms; -') - -######################################## -## -## Connect to nslcd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`nslcd_stream_connect',` - gen_require(` - type nslcd_t, nslcd_var_run_t; - ') - - stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t) - files_search_pids($1) -') - -######################################## -## -## All of the rules required to administrate -## an nslcd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`nslcd_admin',` - gen_require(` - type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t; - type nslcd_conf_t; - ') - - ps_process_pattern($1, nslcd_t) - allow $1 nslcd_t:process { ptrace signal_perms }; - - # Allow nslcd_t to restart the apache service - nslcd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 nslcd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, nslcd_conf_t) - - files_list_pids($1) - admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) -') diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te deleted file mode 100644 index 34eee5f..0000000 --- a/policy/modules/services/nslcd.te +++ /dev/null @@ -1,45 +0,0 @@ -policy_module(nslcd, 1.1.1) - -######################################## -# -# Declarations -# - -type nslcd_t; -type nslcd_exec_t; -init_daemon_domain(nslcd_t, nslcd_exec_t) - -type nslcd_initrc_exec_t; -init_script_file(nslcd_initrc_exec_t) - -type nslcd_var_run_t; -files_pid_file(nslcd_var_run_t) - -type nslcd_conf_t; -files_type(nslcd_conf_t) - -######################################## -# -# nslcd local policy -# - -allow nslcd_t self:capability { setgid setuid dac_override }; -allow nslcd_t self:process signal; -allow nslcd_t self:unix_stream_socket create_stream_socket_perms; - -allow nslcd_t nslcd_conf_t:file read_file_perms; - -manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) -manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) -manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) -files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) - -kernel_read_system_state(nslcd_t) - -files_read_etc_files(nslcd_t) - -auth_use_nsswitch(nslcd_t) - -logging_send_syslog_msg(nslcd_t) - -miscfiles_read_localization(nslcd_t) diff --git a/policy/modules/services/ntop.fc b/policy/modules/services/ntop.fc deleted file mode 100644 index 1838432..0000000 --- a/policy/modules/services/ntop.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0) - -/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0) - -/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) -/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) diff --git a/policy/modules/services/ntop.if b/policy/modules/services/ntop.if deleted file mode 100644 index 4bf0a14..0000000 --- a/policy/modules/services/ntop.if +++ /dev/null @@ -1 +0,0 @@ -## Network Top diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te deleted file mode 100644 index 9d1e60a..0000000 --- a/policy/modules/services/ntop.te +++ /dev/null @@ -1,114 +0,0 @@ -policy_module(ntop, 1.9.0) - -######################################## -# -# Declarations -# - -type ntop_t; -type ntop_exec_t; -init_daemon_domain(ntop_t, ntop_exec_t) -application_domain(ntop_t, ntop_exec_t) - -type ntop_initrc_exec_t; -init_script_file(ntop_initrc_exec_t) - -type ntop_etc_t; -files_config_file(ntop_etc_t) - -type ntop_tmp_t; -files_tmp_file(ntop_tmp_t) - -type ntop_var_lib_t; -files_type(ntop_var_lib_t) - -type ntop_var_run_t; -files_pid_file(ntop_var_run_t) - -######################################## -# -# Local Policy -# - -allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; -dontaudit ntop_t self:capability sys_tty_config; -allow ntop_t self:process signal_perms; -allow ntop_t self:fifo_file rw_fifo_file_perms; -allow ntop_t self:tcp_socket create_stream_socket_perms; -allow ntop_t self:udp_socket create_socket_perms; -allow ntop_t self:unix_dgram_socket create_socket_perms; -allow ntop_t self:unix_stream_socket create_stream_socket_perms; -allow ntop_t self:packet_socket create_socket_perms; -allow ntop_t self:socket create_socket_perms; - -allow ntop_t ntop_etc_t:dir list_dir_perms; -read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t) -read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t) - -manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t) -manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t) -files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir }) - -manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) -manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) -files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir }) - -manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t) -files_pid_filetrans(ntop_t, ntop_var_run_t, file) - -kernel_request_load_module(ntop_t) -kernel_read_system_state(ntop_t) -kernel_read_network_state(ntop_t) -kernel_read_kernel_sysctls(ntop_t) -kernel_list_proc(ntop_t) -kernel_read_proc_symlinks(ntop_t) - -corenet_all_recvfrom_unlabeled(ntop_t) -corenet_all_recvfrom_netlabel(ntop_t) -corenet_tcp_sendrecv_generic_if(ntop_t) -corenet_udp_sendrecv_generic_if(ntop_t) -corenet_raw_sendrecv_generic_if(ntop_t) -corenet_tcp_sendrecv_generic_node(ntop_t) -corenet_udp_sendrecv_generic_node(ntop_t) -corenet_raw_sendrecv_generic_node(ntop_t) -corenet_tcp_sendrecv_all_ports(ntop_t) -corenet_udp_sendrecv_all_ports(ntop_t) -corenet_tcp_bind_ntop_port(ntop_t) -corenet_tcp_connect_ntop_port(ntop_t) -corenet_tcp_connect_http_port(ntop_t) -corenet_sendrecv_http_client_packets(ntop_t) -corenet_sendrecv_ntop_client_packets(ntop_t) -corenet_sendrecv_ntop_server_packets(ntop_t) - -dev_read_sysfs(ntop_t) -dev_rw_generic_usb_dev(ntop_t) - -domain_use_interactive_fds(ntop_t) - -files_read_etc_files(ntop_t) -files_read_usr_files(ntop_t) - -fs_getattr_all_fs(ntop_t) -fs_search_auto_mountpoints(ntop_t) - -auth_use_nsswitch(ntop_t) - -logging_send_syslog_msg(ntop_t) - -miscfiles_read_localization(ntop_t) -miscfiles_read_fonts(ntop_t) - -userdom_dontaudit_use_unpriv_user_fds(ntop_t) -userdom_dontaudit_search_user_home_dirs(ntop_t) - -optional_policy(` - apache_read_sys_content(ntop_t) -') - -optional_policy(` - seutil_sigchld_newrole(ntop_t) -') - -optional_policy(` - udev_read_db(ntop_t) -') diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc deleted file mode 100644 index e79dccc..0000000 --- a/policy/modules/services/ntp.fc +++ /dev/null @@ -1,22 +0,0 @@ - -/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0) -/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0) - -/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) -/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) -/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) -/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:net_conf_t,s0) - -/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) - -/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) -/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) - -/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) - -/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) -/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) -/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) - -/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if deleted file mode 100644 index 694b002..0000000 --- a/policy/modules/services/ntp.if +++ /dev/null @@ -1,164 +0,0 @@ -## Network time protocol daemon - -######################################## -## -## NTP stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`ntp_stub',` - gen_require(` - type ntpd_t; - ') -') - -######################################## -## -## Execute ntp server in the ntpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ntp_domtrans',` - gen_require(` - type ntpd_t, ntpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ntpd_exec_t, ntpd_t) -') - -######################################## -## -## Execute ntp in the ntp domain, and -## allow the specified role the ntp domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`ntp_run',` - gen_require(` - type ntpd_t; - ') - - ntp_domtrans($1) - role $2 types ntpd_t; -') - -######################################## -## -## Execute ntp server in the ntpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ntp_domtrans_ntpdate',` - gen_require(` - type ntpd_t, ntpdate_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ntpdate_exec_t, ntpd_t) -') - -######################################## -## -## Execute ntp server in the ntpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ntp_initrc_domtrans',` - gen_require(` - type ntpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) -') - -######################################## -## -## Read and write ntpd shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`ntp_rw_shm',` - gen_require(` - type ntpd_t, ntpd_tmpfs_t; - ') - - allow $1 ntpd_t:shm rw_shm_perms; - list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## -## All of the rules required to administrate -## an ntp environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the ntp domain. -## -## -## -# -interface(`ntp_admin',` - gen_require(` - type ntpd_t, ntpd_tmp_t, ntpd_log_t; - type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; - ') - - allow $1 ntpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ntpd_t) - - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ntpd_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, ntpd_key_t) - - logging_list_logs($1) - admin_pattern($1, ntpd_log_t) - - files_list_tmp($1) - admin_pattern($1, ntpd_tmp_t) - - files_list_pids($1) - admin_pattern($1, ntpd_var_run_t) -') diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te deleted file mode 100644 index b5b5992..0000000 --- a/policy/modules/services/ntp.te +++ /dev/null @@ -1,159 +0,0 @@ -policy_module(ntp, 1.10.0) - -######################################## -# -# Declarations -# - -type ntp_drift_t; -files_type(ntp_drift_t) - -type ntpd_t; -type ntpd_exec_t; -init_daemon_domain(ntpd_t, ntpd_exec_t) - -type ntpd_initrc_exec_t; -init_script_file(ntpd_initrc_exec_t) - -type ntpd_key_t; -files_type(ntpd_key_t) - -type ntpd_log_t; -logging_log_file(ntpd_log_t) - -type ntpd_tmp_t; -files_tmp_file(ntpd_tmp_t) - -type ntpd_tmpfs_t; -files_tmpfs_file(ntpd_tmpfs_t) - -type ntpd_var_run_t; -files_pid_file(ntpd_var_run_t) - -type ntpdate_exec_t; -init_system_domain(ntpd_t, ntpdate_exec_t) - -######################################## -# -# Local policy -# - -# sys_resource and setrlimit is for locking memory -# ntpdate wants sys_nice -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; -dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; -allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; -allow ntpd_t self:fifo_file rw_fifo_file_perms; -allow ntpd_t self:shm create_shm_perms; -allow ntpd_t self:unix_dgram_socket create_socket_perms; -allow ntpd_t self:unix_stream_socket create_socket_perms; -allow ntpd_t self:tcp_socket create_stream_socket_perms; -allow ntpd_t self:udp_socket create_socket_perms; - -manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) - -can_exec(ntpd_t, ntpd_exec_t) - -read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) -read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) - -allow ntpd_t ntpd_log_t:dir setattr; -manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) -logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) - -# for some reason it creates a file in /tmp -manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir }) - -manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) -manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) -fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) - -manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) -files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) - -kernel_read_kernel_sysctls(ntpd_t) -kernel_read_system_state(ntpd_t) -kernel_read_network_state(ntpd_t) -kernel_request_load_module(ntpd_t) - -corenet_all_recvfrom_unlabeled(ntpd_t) -corenet_all_recvfrom_netlabel(ntpd_t) -corenet_tcp_sendrecv_generic_if(ntpd_t) -corenet_udp_sendrecv_generic_if(ntpd_t) -corenet_tcp_sendrecv_generic_node(ntpd_t) -corenet_udp_sendrecv_generic_node(ntpd_t) -corenet_tcp_sendrecv_all_ports(ntpd_t) -corenet_udp_sendrecv_all_ports(ntpd_t) -corenet_tcp_bind_generic_node(ntpd_t) -corenet_udp_bind_generic_node(ntpd_t) -corenet_udp_bind_ntp_port(ntpd_t) -corenet_tcp_connect_ntp_port(ntpd_t) -corenet_sendrecv_ntp_server_packets(ntpd_t) -corenet_sendrecv_ntp_client_packets(ntpd_t) - -dev_read_sysfs(ntpd_t) -# for SSP -dev_read_urand(ntpd_t) -dev_rw_realtime_clock(ntpd_t) - -fs_getattr_all_fs(ntpd_t) -fs_search_auto_mountpoints(ntpd_t) -# Necessary to communicate with gpsd devices -fs_rw_tmpfs_files(ntpd_t) - -term_use_ptmx(ntpd_t) - -auth_use_nsswitch(ntpd_t) - -corecmd_exec_bin(ntpd_t) -corecmd_exec_shell(ntpd_t) - -domain_use_interactive_fds(ntpd_t) -domain_dontaudit_list_all_domains_state(ntpd_t) - -files_read_etc_files(ntpd_t) -files_read_etc_runtime_files(ntpd_t) -files_read_usr_files(ntpd_t) -files_list_var_lib(ntpd_t) - -init_exec_script_files(ntpd_t) - -logging_send_syslog_msg(ntpd_t) - -miscfiles_read_localization(ntpd_t) - -userdom_dontaudit_use_unpriv_user_fds(ntpd_t) -userdom_list_user_home_dirs(ntpd_t) - -optional_policy(` - # for cron jobs - cron_system_entry(ntpd_t, ntpdate_exec_t) -') - -optional_policy(` - gpsd_rw_shm(ntpd_t) -') - -optional_policy(` - firstboot_dontaudit_use_fds(ntpd_t) - firstboot_dontaudit_rw_pipes(ntpd_t) - firstboot_dontaudit_rw_stream_sockets(ntpd_t) -') - -optional_policy(` - hal_dontaudit_write_log(ntpd_t) -') - -optional_policy(` - logrotate_exec(ntpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(ntpd_t) -') - -optional_policy(` - udev_read_db(ntpd_t) -') diff --git a/policy/modules/services/nut.fc b/policy/modules/services/nut.fc deleted file mode 100644 index 0a929ef..0000000 --- a/policy/modules/services/nut.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) - -/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) - -/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) -/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) - -/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) - -/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) diff --git a/policy/modules/services/nut.if b/policy/modules/services/nut.if deleted file mode 100644 index 56660c5..0000000 --- a/policy/modules/services/nut.if +++ /dev/null @@ -1 +0,0 @@ -## nut - Network UPS Tools diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te deleted file mode 100644 index b40e1e7..0000000 --- a/policy/modules/services/nut.te +++ /dev/null @@ -1,171 +0,0 @@ -policy_module(nut, 1.1.1) - -######################################## -# -# Declarations -# - -type nut_conf_t; -files_config_file(nut_conf_t) - -type nut_upsd_t; -type nut_upsd_exec_t; -init_daemon_domain(nut_upsd_t, nut_upsd_exec_t) - -type nut_upsmon_t; -type nut_upsmon_exec_t; -init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t) - -type nut_upsdrvctl_t; -type nut_upsdrvctl_exec_t; -init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) - -type nut_var_run_t; -files_pid_file(nut_var_run_t) - -######################################## -# -# Local policy for upsd -# - -allow nut_upsd_t self:capability { setgid setuid dac_override }; - -allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; - -allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; - -read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) - -# pid file -manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(nut_upsd_t) - -corenet_tcp_bind_ups_port(nut_upsd_t) -corenet_tcp_bind_generic_port(nut_upsd_t) -corenet_tcp_bind_all_nodes(nut_upsd_t) - -files_read_usr_files(nut_upsd_t) - -auth_use_nsswitch(nut_upsd_t) - -logging_send_syslog_msg(nut_upsd_t) - -miscfiles_read_localization(nut_upsd_t) - -######################################## -# -# Local policy for upsmon -# - -allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; -allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; -allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; -allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; -allow nut_upsmon_t self:tcp_socket create_socket_perms; - -read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) - -# pid file -manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) -manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) - -kernel_read_kernel_sysctls(nut_upsmon_t) -kernel_read_system_state(nut_upsmon_t) - -corecmd_exec_bin(nut_upsmon_t) -corecmd_exec_shell(nut_upsmon_t) - -corenet_tcp_connect_ups_port(nut_upsmon_t) -corenet_tcp_connect_generic_port(nut_upsmon_t) - -# Creates /etc/killpower -files_manage_etc_runtime_files(nut_upsmon_t) -files_etc_filetrans_etc_runtime(nut_upsmon_t, file) -files_search_usr(nut_upsmon_t) - -# /usr/bin/wall -term_write_all_terms(nut_upsmon_t) - -# upsmon runs shutdown, probably need a shutdown domain -init_rw_utmp(nut_upsmon_t) -init_telinit(nut_upsmon_t) - -logging_send_syslog_msg(nut_upsmon_t) - -auth_use_nsswitch(nut_upsmon_t) - -miscfiles_read_localization(nut_upsmon_t) - -mta_send_mail(nut_upsmon_t) - -optional_policy(` - shutdown_domtrans(nut_upsmon_t) -') - -######################################## -# -# Local policy for upsdrvctl -# - -allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid }; -allow nut_upsdrvctl_t self:process { sigchld signal signull }; -allow nut_upsdrvctl_t self:fd use; -allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; -allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; -allow nut_upsdrvctl_t self:udp_socket create_socket_perms; - -read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) - -# pid file -manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(nut_upsdrvctl_t) - -# /sbin/upsdrvctl executes other drivers -corecmd_exec_bin(nut_upsdrvctl_t) - -dev_read_urand(nut_upsdrvctl_t) -dev_rw_generic_usb_dev(nut_upsdrvctl_t) - -term_use_unallocated_ttys(nut_upsdrvctl_t) - -auth_use_nsswitch(nut_upsdrvctl_t) - -init_sigchld(nut_upsdrvctl_t) - -logging_send_syslog_msg(nut_upsdrvctl_t) - -miscfiles_read_localization(nut_upsdrvctl_t) - -####################################### -# -# Local policy for upscgi scripts -# requires httpd_enable_cgi and httpd_can_network_connect -# - -optional_policy(` - apache_content_template(nutups_cgi) - - read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) - - corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t) - corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t) - corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t) - corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t) - corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t) - corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t) - corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t) - corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t) - corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t) - - sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) -') diff --git a/policy/modules/services/nx.fc b/policy/modules/services/nx.fc deleted file mode 100644 index c4d2dca..0000000 --- a/policy/modules/services/nx.fc +++ /dev/null @@ -1,12 +0,0 @@ -/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) -/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) -/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0) - -/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) -/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) - -/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) -/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if deleted file mode 100644 index cbb2bce..0000000 --- a/policy/modules/services/nx.if +++ /dev/null @@ -1,89 +0,0 @@ -## NX remote desktop - -######################################## -## -## Transition to NX server. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nx_spec_domtrans_server',` - gen_require(` - type nx_server_t, nx_server_exec_t; - ') - - spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) -') - -######################################## -## -## Read nx home directory content -## -## -## -## Domain allowed access. -## -## -# -interface(`nx_read_home_files',` - gen_require(` - type nx_server_home_ssh_t, nx_server_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 nx_server_var_lib_t:dir search_dir_perms; - read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) - read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) -') - -######################################## -## -## Read nx /var/lib content -## -## -## -## Domain allowed access. -## -## -# -interface(`nx_search_var_lib',` - gen_require(` - type nx_server_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 nx_server_var_lib_t:dir search_dir_perms; -') - -######################################## -## -## Create an object in the root directory, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`nx_var_lib_filetrans',` - gen_require(` - type nx_server_var_lib_t; - ') - - files_search_var_lib($1) - filetrans_pattern($1, nx_server_var_lib_t, $2, $3) -') diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te deleted file mode 100644 index 1c72c6e..0000000 --- a/policy/modules/services/nx.te +++ /dev/null @@ -1,103 +0,0 @@ -policy_module(nx, 1.5.0) - -######################################## -# -# Declarations -# - -type nx_server_t; -type nx_server_exec_t; -domain_type(nx_server_t) -domain_entry_file(nx_server_t, nx_server_exec_t) -domain_user_exemption_target(nx_server_t) -# we need an extra role because nxserver is called from sshd -# cjp: do we really need this? -role nx_server_r types nx_server_t; -allow system_r nx_server_r; - -type nx_server_devpts_t; -term_user_pty(nx_server_t, nx_server_devpts_t) - -type nx_server_tmp_t; -files_tmp_file(nx_server_tmp_t) - -type nx_server_var_lib_t; -files_type(nx_server_var_lib_t) - -type nx_server_var_run_t; -files_pid_file(nx_server_var_run_t) - -type nx_server_home_ssh_t; -files_type(nx_server_home_ssh_t) - -######################################## -# -# NX server local policy -# - -allow nx_server_t self:fifo_file rw_fifo_file_perms; -allow nx_server_t self:tcp_socket create_socket_perms; -allow nx_server_t self:udp_socket create_socket_perms; - -allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -term_create_pty(nx_server_t, nx_server_devpts_t) - -manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) -manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) -files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir }) - -manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) -manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) -files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) - -manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) -files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) - -manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) -manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) - -kernel_read_system_state(nx_server_t) -kernel_read_kernel_sysctls(nx_server_t) - -# nxserver is a shell script --> call other programs -corecmd_exec_shell(nx_server_t) -corecmd_exec_bin(nx_server_t) - -corenet_all_recvfrom_unlabeled(nx_server_t) -corenet_all_recvfrom_netlabel(nx_server_t) -corenet_tcp_sendrecv_generic_if(nx_server_t) -corenet_udp_sendrecv_generic_if(nx_server_t) -corenet_tcp_sendrecv_generic_node(nx_server_t) -corenet_udp_sendrecv_generic_node(nx_server_t) -corenet_tcp_sendrecv_all_ports(nx_server_t) -corenet_udp_sendrecv_all_ports(nx_server_t) -corenet_tcp_connect_all_ports(nx_server_t) -corenet_sendrecv_all_client_packets(nx_server_t) - -dev_read_urand(nx_server_t) - -files_read_etc_files(nx_server_t) -files_read_etc_runtime_files(nx_server_t) -# for reading the config files; maybe a separate type, -# but users need to be able to also read the config -files_read_usr_files(nx_server_t) - -miscfiles_read_localization(nx_server_t) - -seutil_dontaudit_search_config(nx_server_t) - -sysnet_read_config(nx_server_t) - -ifdef(`TODO',` - # clients already have create permissions; the nxclient wants to also have unlink rights - allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms; - # for a lockfile created by the client process - allow nx_server_t user_tmpfile:file getattr_file_perms; -') - -######################################## -# -# SSH component local policy -# - -ssh_basic_client_template(nx_server, nx_server_t, nx_server_r) diff --git a/policy/modules/services/oav.fc b/policy/modules/services/oav.fc deleted file mode 100644 index 0a66474..0000000 --- a/policy/modules/services/oav.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0) -/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0) - -/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0) -/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0) - -/var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0) -/var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0) -/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if deleted file mode 100644 index 7f0d644..0000000 --- a/policy/modules/services/oav.if +++ /dev/null @@ -1,46 +0,0 @@ -## Open AntiVirus scannerdaemon and signature update - -######################################## -## -## Execute oav_update in the oav_update domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`oav_domtrans_update',` - gen_require(` - type oav_update_t, oav_update_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, oav_update_exec_t, oav_update_t) -') - -######################################## -## -## Execute oav_update in the oav_update domain, and -## allow the specified role the oav_update domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`oav_run_update',` - gen_require(` - type oav_update_t; - ') - - oav_domtrans_update($1) - role $2 types oav_update_t; -') diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te deleted file mode 100644 index b4c5f86..0000000 --- a/policy/modules/services/oav.te +++ /dev/null @@ -1,146 +0,0 @@ -policy_module(oav, 1.9.0) - -######################################## -# -# Declarations -# - -type oav_update_t; -type oav_update_exec_t; -application_domain(oav_update_t, oav_update_exec_t) - -# cjp: may be collapsable to etc_t -type oav_update_etc_t; -files_config_file(oav_update_etc_t) - -type oav_update_var_lib_t; -files_type(oav_update_var_lib_t) - -type scannerdaemon_t; -type scannerdaemon_exec_t; -init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t) - -type scannerdaemon_etc_t; -files_config_file(scannerdaemon_etc_t) - -type scannerdaemon_log_t; -logging_log_file(scannerdaemon_log_t) - -type scannerdaemon_var_run_t; -files_pid_file(scannerdaemon_var_run_t) - -######################################## -# -# OAV update local policy -# - -allow oav_update_t self:tcp_socket create_stream_socket_perms; -allow oav_update_t self:udp_socket create_socket_perms; - -# Can read /etc/oav-update/* files -allow oav_update_t oav_update_etc_t:dir list_dir_perms; -allow oav_update_t oav_update_etc_t:file read_file_perms; - -# Can read /var/lib/oav-update/current -manage_dirs_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) -manage_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) -read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) - -corecmd_exec_all_executables(oav_update_t) - -corenet_all_recvfrom_unlabeled(oav_update_t) -corenet_all_recvfrom_netlabel(oav_update_t) -corenet_tcp_sendrecv_generic_if(oav_update_t) -corenet_udp_sendrecv_generic_if(oav_update_t) -corenet_tcp_sendrecv_generic_node(oav_update_t) -corenet_udp_sendrecv_generic_node(oav_update_t) -corenet_tcp_sendrecv_all_ports(oav_update_t) -corenet_udp_sendrecv_all_ports(oav_update_t) - -files_exec_etc_files(oav_update_t) - -libs_exec_ld_so(oav_update_t) -libs_exec_lib_files(oav_update_t) - -logging_send_syslog_msg(oav_update_t) - -sysnet_read_config(oav_update_t) - -userdom_use_user_terminals(oav_update_t) - -optional_policy(` - cron_system_entry(oav_update_t, oav_update_exec_t) -') - -######################################## -# -# Scannerdaemon local policy -# - -dontaudit scannerdaemon_t self:capability sys_tty_config; -allow scannerdaemon_t self:process signal_perms; -allow scannerdaemon_t self:fifo_file rw_fifo_file_perms; -allow scannerdaemon_t self:tcp_socket create_stream_socket_perms; -allow scannerdaemon_t self:udp_socket create_socket_perms; - -allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms; -allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms; -files_search_var_lib(scannerdaemon_t) - -allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms; - -allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms; -logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file) - -manage_files_pattern(scannerdaemon_t, scannerdaemon_var_run_t, scannerdaemon_var_run_t) -files_pid_filetrans(scannerdaemon_t, scannerdaemon_var_run_t, file) - -kernel_read_system_state(scannerdaemon_t) -kernel_read_kernel_sysctls(scannerdaemon_t) - -# Can run kaffe -corecmd_exec_all_executables(scannerdaemon_t) - -corenet_all_recvfrom_unlabeled(scannerdaemon_t) -corenet_all_recvfrom_netlabel(scannerdaemon_t) -corenet_tcp_sendrecv_generic_if(scannerdaemon_t) -corenet_udp_sendrecv_generic_if(scannerdaemon_t) -corenet_tcp_sendrecv_generic_node(scannerdaemon_t) -corenet_udp_sendrecv_generic_node(scannerdaemon_t) -corenet_tcp_sendrecv_all_ports(scannerdaemon_t) -corenet_udp_sendrecv_all_ports(scannerdaemon_t) - -dev_read_sysfs(scannerdaemon_t) - -domain_use_interactive_fds(scannerdaemon_t) - -files_read_etc_files(scannerdaemon_t) -files_read_etc_runtime_files(scannerdaemon_t) -# Can run kaffe -files_exec_etc_files(scannerdaemon_t) - -fs_getattr_all_fs(scannerdaemon_t) -fs_search_auto_mountpoints(scannerdaemon_t) - -auth_dontaudit_read_shadow(scannerdaemon_t) - -# Can run kaffe -libs_exec_ld_so(scannerdaemon_t) -libs_exec_lib_files(scannerdaemon_t) - -logging_send_syslog_msg(scannerdaemon_t) - -miscfiles_read_localization(scannerdaemon_t) - -sysnet_read_config(scannerdaemon_t) - -userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t) -userdom_dontaudit_search_user_home_dirs(scannerdaemon_t) - -optional_policy(` - seutil_sigchld_newrole(scannerdaemon_t) -') - -optional_policy(` - udev_read_db(scannerdaemon_t) -') diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc deleted file mode 100644 index 5ee1598..0000000 --- a/policy/modules/services/oddjob.fc +++ /dev/null @@ -1,6 +0,0 @@ -/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - -/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) - -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if deleted file mode 100644 index ca6517b..0000000 --- a/policy/modules/services/oddjob.if +++ /dev/null @@ -1,149 +0,0 @@ -## -## Oddjob provides a mechanism by which unprivileged applications can -## request that specified privileged operations be performed on their -## behalf. -## - -######################################## -## -## Execute a domain transition to run oddjob. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`oddjob_domtrans',` - gen_require(` - type oddjob_t, oddjob_exec_t; - ') - - domtrans_pattern($1, oddjob_exec_t, oddjob_t) -') - -##################################### -## -## Do not audit attempts to read and write -## oddjob fifo file. -## -## -## -## Domain to not audit. -## -## -# -interface(`oddjob_dontaudit_rw_fifo_file',` - gen_require(` - type oddjob_t; - ') - - dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms; -') - -######################################## -## -## Make the specified program domain accessable -## from the oddjob. -## -## -## -## The type of the process to transition to. -## -## -## -## -## The type of the file used as an entrypoint to this domain. -## -## -# -interface(`oddjob_system_entry',` - gen_require(` - type oddjob_t; - ') - - domtrans_pattern(oddjob_t, $2, $1) - domain_user_exemption_target($1) -') - -######################################## -## -## Send and receive messages from -## oddjob over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`oddjob_dbus_chat',` - gen_require(` - type oddjob_t; - class dbus send_msg; - ') - - allow $1 oddjob_t:dbus send_msg; - allow oddjob_t $1:dbus send_msg; -') - -###################################### -## -## Send a SIGCHLD signal to oddjob. -## -## -## -## Domain allowed access. -## -## -# -interface(`oddjob_sigchld',` - gen_require(` - type oddjob_t; - ') - - allow $1 oddjob_t:process sigchld; -') - -######################################## -## -## Execute a domain transition to run oddjob_mkhomedir. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`oddjob_domtrans_mkhomedir',` - gen_require(` - type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; - ') - - domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) -') - -######################################## -## -## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`oddjob_run_mkhomedir',` - gen_require(` - type oddjob_mkhomedir_t; - ') - - oddjob_domtrans_mkhomedir($1) - role $2 types oddjob_mkhomedir_t; -') diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te deleted file mode 100644 index c8f4d64..0000000 --- a/policy/modules/services/oddjob.te +++ /dev/null @@ -1,102 +0,0 @@ -policy_module(oddjob, 1.7.0) - -######################################## -# -# Declarations -# - -type oddjob_t; -type oddjob_exec_t; -init_daemon_domain(oddjob_t, oddjob_exec_t) -domain_obj_id_change_exemption(oddjob_t) -domain_role_change_exemption(oddjob_t) -domain_subj_id_change_exemption(oddjob_t) - -type oddjob_mkhomedir_t; -type oddjob_mkhomedir_exec_t; -domain_obj_id_change_exemption(oddjob_mkhomedir_t) -init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - -# pid files -type oddjob_var_run_t; -files_pid_file(oddjob_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# oddjob local policy -# - -allow oddjob_t self:capability setgid; -allow oddjob_t self:process { setexec signal }; -allow oddjob_t self:fifo_file rw_fifo_file_perms; -allow oddjob_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) -manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) -files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file }) - -kernel_read_system_state(oddjob_t) - -corecmd_exec_bin(oddjob_t) -corecmd_exec_shell(oddjob_t) - -mcs_process_set_categories(oddjob_t) - -selinux_compute_create_context(oddjob_t) - -files_read_etc_files(oddjob_t) - -miscfiles_read_localization(oddjob_t) - -locallogin_dontaudit_use_fds(oddjob_t) - -optional_policy(` - dbus_system_bus_client(oddjob_t) - dbus_connect_system_bus(oddjob_t) -') - -optional_policy(` - unconfined_domtrans(oddjob_t) -') - -######################################## -# -# oddjob_mkhomedir local policy -# - -allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; -allow oddjob_mkhomedir_t self:process setfscreate; -allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; -allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; - -kernel_read_system_state(oddjob_mkhomedir_t) - -files_read_etc_files(oddjob_mkhomedir_t) - -auth_use_nsswitch(oddjob_mkhomedir_t) - -logging_send_syslog_msg(oddjob_mkhomedir_t) - -miscfiles_read_localization(oddjob_mkhomedir_t) - -selinux_get_fs_mount(oddjob_mkhomedir_t) -selinux_validate_context(oddjob_mkhomedir_t) -selinux_compute_access_vector(oddjob_mkhomedir_t) -selinux_compute_create_context(oddjob_mkhomedir_t) -selinux_compute_relabel_context(oddjob_mkhomedir_t) -selinux_compute_user_contexts(oddjob_mkhomedir_t) - -seutil_read_config(oddjob_mkhomedir_t) -seutil_read_file_contexts(oddjob_mkhomedir_t) -seutil_read_default_contexts(oddjob_mkhomedir_t) - -# Add/remove user home directories -userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) -userdom_manage_user_home_dirs(oddjob_mkhomedir_t) -userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -userdom_manage_user_home_content(oddjob_mkhomedir_t) diff --git a/policy/modules/services/oident.fc b/policy/modules/services/oident.fc deleted file mode 100644 index 5840ea8..0000000 --- a/policy/modules/services/oident.fc +++ /dev/null @@ -1,8 +0,0 @@ -HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0) - -/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) -/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) - -/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0) - -/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0) diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if deleted file mode 100644 index b1b5e51..0000000 --- a/policy/modules/services/oident.if +++ /dev/null @@ -1,102 +0,0 @@ -## SELinux policy for Oident daemon. -## -##

-## Oident daemon is a server that implements the TCP/IP -## standard IDENT user identification protocol as -## specified in the RFC 1413 document. -##

-##
- -######################################## -## -## Allow the specified domain to read -## Oidentd personal configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`oident_read_user_content',` - gen_require(` - type oidentd_home_t; - ') - - allow $1 oidentd_home_t:file read_file_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Allow the specified domain to create, read, write, and delete -## Oidentd personal configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`oident_manage_user_content',` - gen_require(` - type oidentd_home_t; - ') - - allow $1 oidentd_home_t:file manage_file_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Allow the specified domain to relabel -## Oidentd personal configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`oident_relabel_user_content',` - gen_require(` - type oidentd_home_t; - ') - - allow $1 oidentd_home_t:file relabel_file_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## All of the rules required to administrate -## an oident environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`oident_admin',` - gen_require(` - type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t; - ') - - allow $1 oidentd_t:process { ptrace signal_perms }; - ps_process_pattern($1, oidentd_t) - - init_labeled_script_domtrans($1, oidentd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 oidentd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, oidentd_config_t) -') diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te deleted file mode 100644 index 73c1fa5..0000000 --- a/policy/modules/services/oident.te +++ /dev/null @@ -1,73 +0,0 @@ -policy_module(oident, 2.1.0) - -######################################## -# -# Oident daemon private declarations -# - -type oidentd_t; -type oidentd_exec_t; -init_daemon_domain(oidentd_t, oidentd_exec_t) - -type oidentd_home_t; -typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t }; -typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t }; -userdom_user_home_content(oidentd_home_t) - -type oidentd_initrc_exec_t; -init_script_file(oidentd_initrc_exec_t) - -type oidentd_config_t; -files_config_file(oidentd_config_t) - -######################################## -# -# Oident daemon private policy -# - -allow oidentd_t self:capability { setuid setgid }; -allow oidentd_t self:netlink_route_socket create_netlink_socket_perms; -allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -allow oidentd_t self:tcp_socket create_stream_socket_perms; -allow oidentd_t self:udp_socket create_socket_perms; -allow oidentd_t self:unix_dgram_socket { create connect }; - -allow oidentd_t oidentd_config_t:file read_file_perms; - -corenet_all_recvfrom_unlabeled(oidentd_t) -corenet_all_recvfrom_netlabel(oidentd_t) -corenet_tcp_sendrecv_generic_if(oidentd_t) -corenet_tcp_sendrecv_generic_node(oidentd_t) -corenet_tcp_bind_generic_node(oidentd_t) -corenet_tcp_bind_auth_port(oidentd_t) -corenet_sendrecv_auth_server_packets(oidentd_t) - -files_read_etc_files(oidentd_t) - -kernel_read_kernel_sysctls(oidentd_t) -kernel_read_network_state(oidentd_t) -kernel_read_network_state_symlinks(oidentd_t) -kernel_read_sysctl(oidentd_t) -kernel_request_load_module(oidentd_t) - -logging_send_syslog_msg(oidentd_t) - -miscfiles_read_localization(oidentd_t) - -sysnet_read_config(oidentd_t) - -oident_read_user_content(oidentd_t) - -optional_policy(` - nis_use_ypbind(oidentd_t) -') - -tunable_policy(`use_samba_home_dirs', ` - fs_list_cifs(oidentd_t) - fs_read_cifs_files(oidentd_t) -') - -tunable_policy(`use_nfs_home_dirs', ` - fs_list_nfs(oidentd_t) - fs_read_nfs_files(oidentd_t) -') diff --git a/policy/modules/services/openca.fc b/policy/modules/services/openca.fc deleted file mode 100644 index 72a2db6..0000000 --- a/policy/modules/services/openca.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/openca(/.*)? gen_context(system_u:object_r:openca_etc_t,s0) -/etc/openca/.*\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0) -/etc/openca/rbac(/.*)? gen_context(system_u:object_r:openca_etc_writeable_t,s0) - -/usr/share/openca(/.*)? gen_context(system_u:object_r:openca_usr_share_t,s0) -/usr/share/openca/cgi-bin/ca/.+ -- gen_context(system_u:object_r:openca_ca_exec_t,s0) - -/var/lib/openca(/.*)? gen_context(system_u:object_r:openca_var_lib_t,s0) -/var/lib/openca/crypto/keys(/.*)? gen_context(system_u:object_r:openca_var_lib_keys_t,s0) diff --git a/policy/modules/services/openca.if b/policy/modules/services/openca.if deleted file mode 100644 index a8c1eef..0000000 --- a/policy/modules/services/openca.if +++ /dev/null @@ -1,76 +0,0 @@ -## OpenCA - Open Certificate Authority - -######################################## -## -## Execute the OpenCA program with -## a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`openca_domtrans',` - gen_require(` - type openca_ca_t, openca_ca_exec_t, openca_usr_share_t; - ') - - domtrans_pattern($1, openca_ca_exec_t, openca_ca_t) - allow $1 openca_usr_share_t:dir search_dir_perms; - files_search_usr($1) -') - -######################################## -## -## Send OpenCA generic signals. -## -## -## -## Domain allowed access. -## -## -# -interface(`openca_signal',` - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process signal; -') - -######################################## -## -## Send OpenCA stop signals. -## -## -## -## Domain allowed access. -## -## -# -interface(`openca_sigstop',` - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process sigstop; -') - -######################################## -## -## Kill OpenCA. -## -## -## -## Domain allowed access. -## -## -# -interface(`openca_kill',` - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process sigkill; -') diff --git a/policy/modules/services/openca.te b/policy/modules/services/openca.te deleted file mode 100644 index 2df8170..0000000 --- a/policy/modules/services/openca.te +++ /dev/null @@ -1,82 +0,0 @@ -policy_module(openca, 1.2.0) - -######################################## -# -# Declarations -# - -type openca_ca_t; -type openca_ca_exec_t; -domain_type(openca_ca_t) -domain_entry_file(openca_ca_t, openca_ca_exec_t) -role system_r types openca_ca_t; - -# cjp: seems like some of these types -# can be removed and replaced with generic -# etc or usr files. - -# /etc/openca standard files -type openca_etc_t; -files_config_file(openca_etc_t) - -# /etc/openca template files -type openca_etc_in_t; -files_type(openca_etc_in_t) - -# /etc/openca writeable (from CGI script) files -type openca_etc_writeable_t; -files_type(openca_etc_writeable_t) - -# /usr/share/openca/crypto/keys -type openca_usr_share_t; -files_type(openca_usr_share_t) - -# /var/lib/openca -type openca_var_lib_t; -files_type(openca_var_lib_t) - -# /var/lib/openca/crypto/keys -type openca_var_lib_keys_t; -files_type(openca_var_lib_keys_t) - -######################################## -# -# Local policy -# - -# Allow access to other files under /etc/openca -allow openca_ca_t openca_etc_t:file read_file_perms; -allow openca_ca_t openca_etc_t:dir list_dir_perms; - -# Allow access to writeable files under /etc/openca -manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t) -manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t) - -# Allow access to other /var/lib/openca files -manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t) -manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t) - -# Allow access to private CA key -manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t) -manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t) - -# Allow access to other /usr/share/openca files -read_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t) -read_lnk_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t) -allow openca_ca_t openca_usr_share_t:dir list_dir_perms; - -# the perl executable will be able to run a perl script -corecmd_exec_bin(openca_ca_t) - -dev_read_rand(openca_ca_t) - -files_list_default(openca_ca_t) - -init_use_fds(openca_ca_t) -init_use_script_fds(openca_ca_t) - -libs_exec_lib_files(openca_ca_t) - -apache_append_log(openca_ca_t) -# Allow the script to return its output -apache_rw_cache_files(openca_ca_t) diff --git a/policy/modules/services/openct.fc b/policy/modules/services/openct.fc deleted file mode 100644 index 58c8816..0000000 --- a/policy/modules/services/openct.fc +++ /dev/null @@ -1,10 +0,0 @@ -# -# /usr -# -/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0) -/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0) - -# -# /var -# -/var/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0) diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if deleted file mode 100644 index 9197ef0..0000000 --- a/policy/modules/services/openct.if +++ /dev/null @@ -1,95 +0,0 @@ -## Service for handling smart card readers. - -######################################## -## -## Send openct a null signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`openct_signull',` - gen_require(` - type openct_t; - ') - - allow $1 openct_t:process signull; -') - -######################################## -## -## Execute openct in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`openct_exec',` - gen_require(` - type openct_t, openct_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, openct_exec_t) -') - -######################################## -## -## Execute a domain transition to run openct. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`openct_domtrans',` - gen_require(` - type openct_t, openct_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, openct_exec_t, openct_t) -') - -######################################## -## -## Read openct PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`openct_read_pid_files',` - gen_require(` - type openct_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, openct_var_run_t, openct_var_run_t) -') - -######################################## -## -## Connect to openct over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`openct_stream_connect',` - gen_require(` - type openct_t, openct_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t) -') diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te deleted file mode 100644 index 78722e7..0000000 --- a/policy/modules/services/openct.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(openct, 1.4.1) - -######################################## -# -# Declarations -# - -type openct_t; -type openct_exec_t; -init_daemon_domain(openct_t, openct_exec_t) - -type openct_var_run_t; -files_pid_file(openct_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit openct_t self:capability sys_tty_config; -allow openct_t self:process signal_perms; - -manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) -manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) -manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) -files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(openct_t) -kernel_list_proc(openct_t) -kernel_read_proc_symlinks(openct_t) - -dev_read_sysfs(openct_t) -# openct asks for this -dev_rw_usbfs(openct_t) -dev_rw_smartcard(openct_t) -dev_rw_generic_usb_dev(openct_t) - -domain_use_interactive_fds(openct_t) - -# openct asks for this -files_read_etc_files(openct_t) - -fs_getattr_all_fs(openct_t) -fs_search_auto_mountpoints(openct_t) - -logging_send_syslog_msg(openct_t) - -miscfiles_read_localization(openct_t) - -userdom_dontaudit_use_unpriv_user_fds(openct_t) -userdom_dontaudit_search_user_home_dirs(openct_t) - -openct_exec(openct_t) - -optional_policy(` - seutil_sigchld_newrole(openct_t) -') - -optional_policy(` - udev_read_db(openct_t) -') diff --git a/policy/modules/services/openvpn.fc b/policy/modules/services/openvpn.fc deleted file mode 100644 index 9c186d2..0000000 --- a/policy/modules/services/openvpn.fc +++ /dev/null @@ -1,17 +0,0 @@ -# -# /etc -# -/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) -/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) -/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) - -# -# /var -# -/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) -/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if deleted file mode 100644 index d883214..0000000 --- a/policy/modules/services/openvpn.if +++ /dev/null @@ -1,163 +0,0 @@ -## full-featured SSL VPN solution - -######################################## -## -## Execute OPENVPN clients in the openvpn domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`openvpn_domtrans',` - gen_require(` - type openvpn_t, openvpn_exec_t; - ') - - domtrans_pattern($1, openvpn_exec_t, openvpn_t) -') - -######################################## -## -## Execute OPENVPN clients in the openvpn domain, and -## allow the specified role the openvpn domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`openvpn_run',` - gen_require(` - type openvpn_t; - ') - - openvpn_domtrans($1) - role $2 types openvpn_t; -') - -######################################## -## -## Send OPENVPN clients the kill signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`openvpn_kill',` - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process sigkill; -') - -######################################## -## -## Send generic signals to OPENVPN clients. -## -## -## -## Domain allowed access. -## -## -# -interface(`openvpn_signal',` - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process signal; -') - -######################################## -## -## Send signulls to OPENVPN clients. -## -## -## -## Domain allowed access. -## -## -# -interface(`openvpn_signull',` - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process signull; -') - -######################################## -## -## Allow the specified domain to read -## OpenVPN configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`openvpn_read_config',` - gen_require(` - type openvpn_etc_t; - ') - - files_search_etc($1) - allow $1 openvpn_etc_t:dir list_dir_perms; - read_files_pattern($1, openvpn_etc_t, openvpn_etc_t) - read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t) -') - -######################################## -## -## All of the rules required to administrate -## an openvpn environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the openvpn domain. -## -## -## -# -interface(`openvpn_admin',` - gen_require(` - type openvpn_t, openvpn_etc_t, openvpn_var_log_t; - type openvpn_var_run_t, openvpn_initrc_exec_t; - ') - - allow $1 openvpn_t:process { ptrace signal_perms }; - ps_process_pattern($1, openvpn_t) - - init_labeled_script_domtrans($1, openvpn_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 openvpn_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, openvpn_etc_t) - - logging_list_logs($1) - admin_pattern($1, openvpn_var_log_t) - - files_list_pids($1) - admin_pattern($1, openvpn_var_run_t) -') diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te deleted file mode 100644 index cb87bef..0000000 --- a/policy/modules/services/openvpn.te +++ /dev/null @@ -1,151 +0,0 @@ -policy_module(openvpn, 1.10.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow openvpn to read home directories -##

-##
-gen_tunable(openvpn_enable_homedirs, false) - -# main openvpn domain -type openvpn_t; -type openvpn_exec_t; -init_daemon_domain(openvpn_t, openvpn_exec_t) - -# configuration files -type openvpn_etc_t; -files_config_file(openvpn_etc_t) - -type openvpn_etc_rw_t; -files_config_file(openvpn_etc_rw_t) - -type openvpn_tmp_t; -files_tmp_file(openvpn_tmp_t) - -type openvpn_initrc_exec_t; -init_script_file(openvpn_initrc_exec_t) - -# log files -type openvpn_var_log_t; -logging_log_file(openvpn_var_log_t) - -# pid files -type openvpn_var_run_t; -files_pid_file(openvpn_var_run_t) - -######################################## -# -# openvpn local policy -# - -allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; -allow openvpn_t self:process { signal getsched }; -allow openvpn_t self:fifo_file rw_fifo_file_perms; -allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; -allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow openvpn_t self:udp_socket create_socket_perms; -allow openvpn_t self:tcp_socket server_stream_socket_perms; -allow openvpn_t self:tun_socket { create_socket_perms relabelfrom }; -allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; - -can_exec(openvpn_t, openvpn_etc_t) -read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) -read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) - -manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) -filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) - -manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t) -files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) - -allow openvpn_t openvpn_var_log_t:file manage_file_perms; -logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) - -manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) -manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) -files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(openvpn_t) -kernel_read_net_sysctls(openvpn_t) -kernel_read_network_state(openvpn_t) -kernel_read_system_state(openvpn_t) -kernel_request_load_module(openvpn_t) - -corecmd_exec_bin(openvpn_t) -corecmd_exec_shell(openvpn_t) - -corenet_all_recvfrom_unlabeled(openvpn_t) -corenet_all_recvfrom_netlabel(openvpn_t) -corenet_tcp_sendrecv_generic_if(openvpn_t) -corenet_udp_sendrecv_generic_if(openvpn_t) -corenet_tcp_sendrecv_generic_node(openvpn_t) -corenet_udp_sendrecv_generic_node(openvpn_t) -corenet_tcp_sendrecv_all_ports(openvpn_t) -corenet_udp_sendrecv_all_ports(openvpn_t) -corenet_tcp_bind_generic_node(openvpn_t) -corenet_udp_bind_generic_node(openvpn_t) -corenet_tcp_bind_openvpn_port(openvpn_t) -corenet_udp_bind_openvpn_port(openvpn_t) -corenet_tcp_bind_http_port(openvpn_t) -corenet_tcp_connect_openvpn_port(openvpn_t) -corenet_tcp_connect_http_port(openvpn_t) -corenet_tcp_connect_http_cache_port(openvpn_t) -corenet_rw_tun_tap_dev(openvpn_t) -corenet_sendrecv_openvpn_server_packets(openvpn_t) -corenet_sendrecv_openvpn_client_packets(openvpn_t) -corenet_sendrecv_http_client_packets(openvpn_t) - -dev_search_sysfs(openvpn_t) -dev_read_rand(openvpn_t) -dev_read_urand(openvpn_t) - -files_read_etc_files(openvpn_t) -files_read_etc_runtime_files(openvpn_t) - -auth_use_pam(openvpn_t) - -logging_send_syslog_msg(openvpn_t) - -miscfiles_read_localization(openvpn_t) -miscfiles_read_all_certs(openvpn_t) - -sysnet_dns_name_resolve(openvpn_t) -sysnet_exec_ifconfig(openvpn_t) -sysnet_manage_config(openvpn_t) -sysnet_etc_filetrans_config(openvpn_t) - -userdom_use_user_terminals(openvpn_t) -userdom_read_home_certs(openvpn_t) -userdom_attach_admin_tun_iface(openvpn_t) - -tunable_policy(`openvpn_enable_homedirs',` - userdom_search_user_home_dirs(openvpn_t) -') - -tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(openvpn_t) -') - -tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(openvpn_t) -') - -optional_policy(` - daemontools_service_domain(openvpn_t, openvpn_exec_t) -') - -optional_policy(` - dbus_system_bus_client(openvpn_t) - dbus_connect_system_bus(openvpn_t) - - networkmanager_dbus_chat(openvpn_t) -') - -optional_policy(` - unconfined_attach_tun_iface(openvpn_t) -') diff --git a/policy/modules/services/pads.fc b/policy/modules/services/pads.fc deleted file mode 100644 index 0870c56..0000000 --- a/policy/modules/services/pads.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) -/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) -/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) -/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) - -/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) - -/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) - -/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if deleted file mode 100644 index 8235fb6..0000000 --- a/policy/modules/services/pads.if +++ /dev/null @@ -1,47 +0,0 @@ -## Passive Asset Detection System -## -##

-## PADS is a libpcap based detection engine used to -## passively detect network assets. It is designed to -## complement IDS technology by providing context to IDS -## alerts. -##

-##
- -######################################## -## -## All of the rules required to administrate -## an pads environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`pads_admin',` - gen_require(` - type pads_t, pads_config_t, pads_initrc_exec_t; - type pads_var_run_t; - ') - - allow $1 pads_t:process { ptrace signal_perms }; - ps_process_pattern($1, pads_t) - - init_labeled_script_domtrans($1, pads_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pads_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, pads_var_run_t) - - files_list_etc($1) - admin_pattern($1, pads_config_t) -') diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te deleted file mode 100644 index f414173..0000000 --- a/policy/modules/services/pads.te +++ /dev/null @@ -1,62 +0,0 @@ -policy_module(pads, 1.0.0) - -######################################## -# -# Declarations -# - -type pads_t; -type pads_exec_t; -init_daemon_domain(pads_t, pads_exec_t) - -type pads_initrc_exec_t; -init_script_file(pads_initrc_exec_t) - -type pads_config_t; -files_config_file(pads_config_t) - -type pads_var_run_t; -files_pid_file(pads_var_run_t) - -######################################## -# -# Declarations -# - -allow pads_t self:capability { dac_override net_raw }; -allow pads_t self:netlink_route_socket create_netlink_socket_perms; -allow pads_t self:packet_socket create_socket_perms; -allow pads_t self:udp_socket create_socket_perms; -allow pads_t self:unix_dgram_socket create_socket_perms; - -allow pads_t pads_config_t:file manage_file_perms; -files_etc_filetrans(pads_t, pads_config_t, file) - -allow pads_t pads_var_run_t:file manage_file_perms; -files_pid_filetrans(pads_t, pads_var_run_t, file) - -kernel_read_sysctl(pads_t) - -corecmd_search_bin(pads_t) - -corenet_all_recvfrom_unlabeled(pads_t) -corenet_all_recvfrom_netlabel(pads_t) -corenet_tcp_sendrecv_generic_if(pads_t) -corenet_tcp_sendrecv_generic_node(pads_t) -corenet_tcp_connect_prelude_port(pads_t) - -dev_read_rand(pads_t) -dev_read_urand(pads_t) - -files_read_etc_files(pads_t) -files_search_spool(pads_t) - -miscfiles_read_localization(pads_t) - -logging_send_syslog_msg(pads_t) - -sysnet_dns_name_resolve(pads_t) - -optional_policy(` - prelude_manage_spool(pads_t) -') diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc deleted file mode 100644 index 8d00972..0000000 --- a/policy/modules/services/passenger.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) - -/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) - -/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if deleted file mode 100644 index 66f9799..0000000 --- a/policy/modules/services/passenger.if +++ /dev/null @@ -1,67 +0,0 @@ -## Passenger policy - -###################################### -## -## Execute passenger in the passenger domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`passenger_domtrans',` - gen_require(` - type passenger_t, passenger_exec_t; - ') - - allow $1 self:capability { fowner fsetid }; - - allow $1 passenger_t:process signal; - - domtrans_pattern($1, passenger_exec_t, passenger_t) - allow $1 passenger_t:unix_stream_socket { read write shutdown }; - allow passenger_t $1:unix_stream_socket { read write }; -') - -###################################### -## -## Manage passenger var_run content. -## -## -## -## Domain allowed access. -## -## -# -interface(`passenger_manage_pid_content',` - gen_require(` - type passenger_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t) - manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t) - manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t) - manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t) -') - -######################################## -## -## Read passenger lib files -## -## -## -## Domain allowed access. -## -## -# -interface(`passenger_read_lib_files',` - gen_require(` - type passenger_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) - read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) -') diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te deleted file mode 100644 index ba9fdb9..0000000 --- a/policy/modules/services/passenger.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(passanger, 1.0.0) - -######################################## -# -# Declarations -# - -type passenger_t; -type passenger_exec_t; -domain_type(passenger_t) -domain_entry_file(passenger_t, passenger_exec_t) -role system_r types passenger_t; - -type passenger_tmp_t; -files_tmp_file(passenger_tmp_t) - -type passenger_var_lib_t; -files_type(passenger_var_lib_t) - -type passenger_var_run_t; -files_pid_file(passenger_var_run_t) - -permissive passenger_t; - -######################################## -# -# passanger local policy -# - -allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid }; -allow passenger_t self:process signal; -allow passenger_t self:fifo_file rw_fifo_file_perms; -allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -files_search_var_lib(passenger_t) -manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) -manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) - -manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) - -kernel_read_system_state(passenger_t) -kernel_read_kernel_sysctls(passenger_t) - -corenet_tcp_connect_http_port(passenger_t) - -corecmd_exec_bin(passenger_t) -corecmd_exec_shell(passenger_t) - -dev_read_urand(passenger_t) - -files_read_etc_files(passenger_t) - -auth_use_nsswitch(passenger_t) - -miscfiles_read_localization(passenger_t) - -userdom_dontaudit_use_user_terminals(passenger_t) - -optional_policy(` - apache_append_log(passenger_t) - apache_read_sys_content(passenger_t) -') diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc deleted file mode 100644 index 87f17e8..0000000 --- a/policy/modules/services/pcscd.fc +++ /dev/null @@ -1,6 +0,0 @@ -/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) -/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) -/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) -/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) - -/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if deleted file mode 100644 index ea5ae69..0000000 --- a/policy/modules/services/pcscd.if +++ /dev/null @@ -1,95 +0,0 @@ -## PCSC smart card service - -######################################## -## -## Execute a domain transition to run pcscd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pcscd_domtrans',` - gen_require(` - type pcscd_t, pcscd_exec_t; - ') - - domtrans_pattern($1, pcscd_exec_t, pcscd_t) -') - -######################################## -## -## Read pcscd pub files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcscd_read_pub_files',` - gen_require(` - type pcscd_var_run_t; - ') - - files_search_pids($1) - allow $1 pcscd_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage pcscd pub files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcscd_manage_pub_files',` - gen_require(` - type pcscd_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) -') - -######################################## -## -## Manage pcscd pub fifo files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcscd_manage_pub_pipes',` - gen_require(` - type pcscd_var_run_t; - ') - - files_search_pids($1) - manage_fifo_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) -') - -######################################## -## -## Connect to pcscd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcscd_stream_connect',` - gen_require(` - type pcscd_t, pcscd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t) -') diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te deleted file mode 100644 index df751a6..0000000 --- a/policy/modules/services/pcscd.te +++ /dev/null @@ -1,78 +0,0 @@ -policy_module(pcscd, 1.6.1) - -######################################## -# -# Declarations -# - -type pcscd_t; -type pcscd_exec_t; -init_daemon_domain(pcscd_t, pcscd_exec_t) - -# pid files -type pcscd_var_run_t; -files_pid_file(pcscd_var_run_t) - -######################################## -# -# pcscd local policy -# - -allow pcscd_t self:capability { dac_override dac_read_search }; -allow pcscd_t self:process signal; -allow pcscd_t self:fifo_file rw_fifo_file_perms; -allow pcscd_t self:unix_stream_socket create_stream_socket_perms; -allow pcscd_t self:unix_dgram_socket create_socket_perms; -allow pcscd_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) - -kernel_read_system_state(pcscd_t) - -corenet_all_recvfrom_unlabeled(pcscd_t) -corenet_all_recvfrom_netlabel(pcscd_t) -corenet_tcp_sendrecv_generic_if(pcscd_t) -corenet_tcp_sendrecv_generic_node(pcscd_t) -corenet_tcp_sendrecv_all_ports(pcscd_t) -corenet_tcp_connect_http_port(pcscd_t) - -dev_rw_generic_usb_dev(pcscd_t) -dev_rw_smartcard(pcscd_t) -dev_rw_usbfs(pcscd_t) -dev_read_sysfs(pcscd_t) - -files_read_etc_files(pcscd_t) -files_read_etc_runtime_files(pcscd_t) - -term_use_unallocated_ttys(pcscd_t) -term_dontaudit_getattr_pty_dirs(pcscd_t) - -locallogin_use_fds(pcscd_t) - -logging_send_syslog_msg(pcscd_t) - -miscfiles_read_localization(pcscd_t) - -sysnet_dns_name_resolve(pcscd_t) - -optional_policy(` - dbus_system_bus_client(pcscd_t) - - optional_policy(` - hal_dbus_chat(pcscd_t) - ') -') - -optional_policy(` - openct_stream_connect(pcscd_t) - openct_read_pid_files(pcscd_t) - openct_signull(pcscd_t) -') - -optional_policy(` - rpm_use_script_fds(pcscd_t) -') diff --git a/policy/modules/services/pegasus.fc b/policy/modules/services/pegasus.fc deleted file mode 100644 index 9515043..0000000 --- a/policy/modules/services/pegasus.fc +++ /dev/null @@ -1,12 +0,0 @@ - -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) - -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) - -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) - -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) - -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) diff --git a/policy/modules/services/pegasus.if b/policy/modules/services/pegasus.if deleted file mode 100644 index 920b13f..0000000 --- a/policy/modules/services/pegasus.if +++ /dev/null @@ -1 +0,0 @@ -## The Open Group Pegasus CIM/WBEM Server. diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te deleted file mode 100644 index 5322412..0000000 --- a/policy/modules/services/pegasus.te +++ /dev/null @@ -1,157 +0,0 @@ -policy_module(pegasus, 1.8.0) - -######################################## -# -# Declarations -# - -type pegasus_t; -type pegasus_exec_t; -init_daemon_domain(pegasus_t, pegasus_exec_t) - -type pegasus_data_t; -files_type(pegasus_data_t) - -type pegasus_tmp_t; -files_tmp_file(pegasus_tmp_t) - -type pegasus_conf_t; -files_type(pegasus_conf_t) - -type pegasus_mof_t; -files_type(pegasus_mof_t) - -type pegasus_var_run_t; -files_pid_file(pegasus_var_run_t) - -######################################## -# -# Local policy -# - -allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; -dontaudit pegasus_t self:capability sys_tty_config; -allow pegasus_t self:process signal; -allow pegasus_t self:fifo_file rw_fifo_file_perms; -allow pegasus_t self:unix_dgram_socket create_socket_perms; -allow pegasus_t self:unix_stream_socket create_stream_socket_perms; -allow pegasus_t self:tcp_socket create_stream_socket_perms; - -allow pegasus_t pegasus_conf_t:dir rw_dir_perms; -allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms }; -allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir }) - -can_exec(pegasus_t, pegasus_exec_t) - -allow pegasus_t pegasus_mof_t:dir list_dir_perms; -read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) -read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) - -manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) -manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) -files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) - -allow pegasus_t pegasus_var_run_t:sock_file { create_sock_file_perms setattr_sock_file_perms delete_sock_file_perms }; -manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) -manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) -files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(pegasus_t) -kernel_read_fs_sysctls(pegasus_t) -kernel_read_system_state(pegasus_t) -kernel_search_vm_sysctl(pegasus_t) -kernel_read_net_sysctls(pegasus_t) -kernel_read_xen_state(pegasus_t) -kernel_write_xen_state(pegasus_t) - -corenet_all_recvfrom_unlabeled(pegasus_t) -corenet_all_recvfrom_netlabel(pegasus_t) -corenet_tcp_sendrecv_generic_if(pegasus_t) -corenet_tcp_sendrecv_generic_node(pegasus_t) -corenet_tcp_sendrecv_all_ports(pegasus_t) -corenet_tcp_bind_generic_node(pegasus_t) -corenet_tcp_bind_pegasus_http_port(pegasus_t) -corenet_tcp_bind_pegasus_https_port(pegasus_t) -corenet_tcp_connect_pegasus_http_port(pegasus_t) -corenet_tcp_connect_pegasus_https_port(pegasus_t) -corenet_tcp_connect_generic_port(pegasus_t) -corenet_sendrecv_generic_client_packets(pegasus_t) -corenet_sendrecv_pegasus_http_client_packets(pegasus_t) -corenet_sendrecv_pegasus_http_server_packets(pegasus_t) -corenet_sendrecv_pegasus_https_client_packets(pegasus_t) -corenet_sendrecv_pegasus_https_server_packets(pegasus_t) - -corecmd_exec_bin(pegasus_t) -corecmd_exec_shell(pegasus_t) - -dev_read_sysfs(pegasus_t) -dev_read_urand(pegasus_t) - -fs_getattr_all_fs(pegasus_t) -fs_search_auto_mountpoints(pegasus_t) -files_getattr_all_dirs(pegasus_t) - -auth_use_nsswitch(pegasus_t) -auth_domtrans_chk_passwd(pegasus_t) -auth_read_shadow(pegasus_t) - -domain_use_interactive_fds(pegasus_t) -domain_read_all_domains_state(pegasus_t) - -files_read_all_files(pegasus_t) -files_read_var_lib_symlinks(pegasus_t) - -hostname_exec(pegasus_t) - -init_rw_utmp(pegasus_t) -init_stream_connect_script(pegasus_t) - -logging_send_audit_msgs(pegasus_t) -logging_send_syslog_msg(pegasus_t) - -miscfiles_read_localization(pegasus_t) - -sysnet_domtrans_ifconfig(pegasus_t) - -userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -userdom_dontaudit_search_user_home_dirs(pegasus_t) - -optional_policy(` - rpm_exec(pegasus_t) -') - -optional_policy(` - samba_manage_config(pegasus_t) -') - -optional_policy(` - ssh_exec(pegasus_t) -') - -optional_policy(` - seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) -') - -optional_policy(` - udev_read_db(pegasus_t) -') - -optional_policy(` - unconfined_signull(pegasus_t) -') - -optional_policy(` - virt_domtrans(pegasus_t) - virt_manage_config(pegasus_t) -') - -optional_policy(` - xen_stream_connect(pegasus_t) - xen_stream_connect_xenstore(pegasus_t) -') diff --git a/policy/modules/services/perdition.fc b/policy/modules/services/perdition.fc deleted file mode 100644 index bcdf89b..0000000 --- a/policy/modules/services/perdition.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0) - -/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0) diff --git a/policy/modules/services/perdition.if b/policy/modules/services/perdition.if deleted file mode 100644 index 2b0bd64..0000000 --- a/policy/modules/services/perdition.if +++ /dev/null @@ -1,15 +0,0 @@ -## Perdition POP and IMAP proxy - -######################################## -## -## Connect to perdition over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`perdition_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te deleted file mode 100644 index 3636277..0000000 --- a/policy/modules/services/perdition.te +++ /dev/null @@ -1,75 +0,0 @@ -policy_module(perdition, 1.7.0) - -######################################## -# -# Declarations -# - -type perdition_t; -type perdition_exec_t; -init_daemon_domain(perdition_t, perdition_exec_t) - -type perdition_etc_t; -files_config_file(perdition_etc_t) - -type perdition_var_run_t; -files_pid_file(perdition_var_run_t) - -######################################## -# -# Local policy -# - -allow perdition_t self:capability { setgid setuid }; -dontaudit perdition_t self:capability sys_tty_config; -allow perdition_t self:process signal_perms; -allow perdition_t self:tcp_socket create_stream_socket_perms; -allow perdition_t self:udp_socket create_socket_perms; - -allow perdition_t perdition_etc_t:file read_file_perms; -files_search_etc(perdition_t) - -manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t) -files_pid_filetrans(perdition_t, perdition_var_run_t, file) - -kernel_read_kernel_sysctls(perdition_t) -kernel_list_proc(perdition_t) -kernel_read_proc_symlinks(perdition_t) - -corenet_all_recvfrom_unlabeled(perdition_t) -corenet_all_recvfrom_netlabel(perdition_t) -corenet_tcp_sendrecv_generic_if(perdition_t) -corenet_udp_sendrecv_generic_if(perdition_t) -corenet_tcp_sendrecv_generic_node(perdition_t) -corenet_udp_sendrecv_generic_node(perdition_t) -corenet_tcp_sendrecv_all_ports(perdition_t) -corenet_udp_sendrecv_all_ports(perdition_t) -corenet_tcp_bind_generic_node(perdition_t) -corenet_tcp_bind_pop_port(perdition_t) -corenet_sendrecv_pop_server_packets(perdition_t) - -dev_read_sysfs(perdition_t) - -domain_use_interactive_fds(perdition_t) - -fs_getattr_all_fs(perdition_t) -fs_search_auto_mountpoints(perdition_t) - -files_read_etc_files(perdition_t) - -logging_send_syslog_msg(perdition_t) - -miscfiles_read_localization(perdition_t) - -sysnet_read_config(perdition_t) - -userdom_dontaudit_use_unpriv_user_fds(perdition_t) -userdom_dontaudit_search_user_home_dirs(perdition_t) - -optional_policy(` - seutil_sigchld_newrole(perdition_t) -') - -optional_policy(` - udev_read_db(perdition_t) -') diff --git a/policy/modules/services/pingd.fc b/policy/modules/services/pingd.fc deleted file mode 100644 index ea085f7..0000000 --- a/policy/modules/services/pingd.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) -/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0) - -/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0) - -/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0) diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if deleted file mode 100644 index 1bfd8d2..0000000 --- a/policy/modules/services/pingd.if +++ /dev/null @@ -1,96 +0,0 @@ -## Pingd of the Whatsup cluster node up/down detection utility - -######################################## -## -## Execute a domain transition to run pingd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pingd_domtrans',` - gen_require(` - type pingd_t, pingd_exec_t; - ') - - domtrans_pattern($1, pingd_exec_t, pingd_t) -') - -####################################### -## -## Read pingd etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pingd_read_config',` - gen_require(` - type pingd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, pingd_etc_t, pingd_etc_t) -') - -####################################### -## -## Manage pingd etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pingd_manage_config',` - gen_require(` - type pingd_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) - manage_files_pattern($1, pingd_etc_t, pingd_etc_t) -') - -####################################### -## -## All of the rules required to administrate -## an pingd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the pingd domain. -## -## -## -# -interface(`pingd_admin',` - gen_require(` - type pingd_t, pingd_etc_t, pingd_modules_t; - type pingd_initrc_exec_t; - ') - - allow $1 pingd_t:process { ptrace signal_perms }; - ps_process_pattern($1, pingd_t) - - init_labeled_script_domtrans($1, pingd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pingd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, pingd_etc_t) - - files_list_usr($1) - admin_pattern($1, pingd_modules_t) -') diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te deleted file mode 100644 index 4a9d196..0000000 --- a/policy/modules/services/pingd.te +++ /dev/null @@ -1,47 +0,0 @@ -policy_module(pingd, 1.0.0) - -######################################## -# -# Declarations -# - -type pingd_t; -type pingd_exec_t; -init_daemon_domain(pingd_t, pingd_exec_t) - -# type for config -type pingd_etc_t; -files_type(pingd_etc_t) - -type pingd_initrc_exec_t; -init_script_file(pingd_initrc_exec_t) - -# type for pingd modules -type pingd_modules_t; -files_type(pingd_modules_t) - -######################################## -# -# pingd local policy -# - -allow pingd_t self:capability net_raw; -allow pingd_t self:tcp_socket create_stream_socket_perms; -allow pingd_t self:rawip_socket create_socket_perms; - -read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t) - -read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) -mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) - -corenet_raw_bind_generic_node(pingd_t) -corenet_tcp_bind_generic_node(pingd_t) -corenet_tcp_bind_pingd_port(pingd_t) - -auth_use_nsswitch(pingd_t) - -files_search_usr(pingd_t) - -logging_send_syslog_msg(pingd_t) - -miscfiles_read_localization(pingd_t) diff --git a/policy/modules/services/piranha.fc b/policy/modules/services/piranha.fc deleted file mode 100644 index 2c7e06f..0000000 --- a/policy/modules/services/piranha.fc +++ /dev/null @@ -1,26 +0,0 @@ - -/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0) - -# RHEL6 -#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0) - -/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0) - -/usr/bin/paster -- gen_context(system_u:object_r:piranha_web_exec_t,s0) - -/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0) -/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0) -/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0) -/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0) - -/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0) -/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0) -/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0) - -/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0) - -/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0) -/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0) -/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0) -/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0) - diff --git a/policy/modules/services/piranha.if b/policy/modules/services/piranha.if deleted file mode 100644 index 6403c17..0000000 --- a/policy/modules/services/piranha.if +++ /dev/null @@ -1,173 +0,0 @@ -## policy for piranha - -####################################### -## -## Creates types and rules for a basic -## cluster init daemon domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`piranha_domain_template',` - gen_require(` - attribute piranha_domain; - ') - - ############################## - # - # piranha_$1_t declarations - # - - type piranha_$1_t, piranha_domain; - type piranha_$1_exec_t; - init_daemon_domain(piranha_$1_t, piranha_$1_exec_t) - - # pid files - type piranha_$1_var_run_t; - files_pid_file(piranha_$1_var_run_t) - - ############################## - # - # piranha_$1_t local policy - # - - manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) - manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) - files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file }) -') - -######################################## -## -## Execute a domain transition to run fos. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`piranha_domtrans_fos',` - gen_require(` - type piranha_fos_t, piranha_fos_exec_t; - ') - - domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t) -') - -####################################### -## -## Execute a domain transition to run lvsd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`piranha_domtrans_lvs',` - gen_require(` - type piranha_lvs_t, piranha_lvs_exec_t; - ') - - domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t) -') - -####################################### -## -## Execute a domain transition to run pulse. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`piranha_domtrans_pulse',` - gen_require(` - type piranha_pulse_t, piranha_pulse_exec_t; - ') - - domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t) -') - -####################################### -## -## Execute pulse server in the pulse domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`piranha_pulse_initrc_domtrans',` - gen_require(` - type piranha_pulse_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t) -') - -######################################## -## -## Allow the specified domain to read piranha's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`piranha_read_log',` - gen_require(` - type piranha_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, piranha_log_t, piranha_log_t) -') - -######################################## -## -## Allow the specified domain to append -## piranha log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`piranha_append_log',` - gen_require(` - type piranha_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, piranha_log_t, piranha_log_t) -') - -######################################## -## -## Allow domain to manage piranha log files -## -## -## -## Domain allowed access. -## -## -# -interface(`piranha_manage_log',` - gen_require(` - type piranha_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, piranha_log_t, piranha_log_t) - manage_files_pattern($1, piranha_log_t, piranha_log_t) - manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t) -') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te deleted file mode 100644 index 6b69f38..0000000 --- a/policy/modules/services/piranha.te +++ /dev/null @@ -1,214 +0,0 @@ -policy_module(piranha, 1.0.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow piranha-lvs domain to connect to the network using TCP. -##

-##
-gen_tunable(piranha_lvs_can_network_connect, false) - -attribute piranha_domain; - -piranha_domain_template(fos) - -piranha_domain_template(lvs) - -piranha_domain_template(pulse) - -type piranha_pulse_initrc_exec_t; -init_script_file(piranha_pulse_initrc_exec_t) - -piranha_domain_template(web) - -type piranha_web_tmpfs_t; -files_tmpfs_file(piranha_web_tmpfs_t) - -type piranha_web_conf_t; -files_type(piranha_web_conf_t) - -type piranha_web_data_t; -files_type(piranha_web_data_t) - -type piranha_web_tmp_t; -files_tmp_file(piranha_web_tmp_t) - -type piranha_etc_rw_t; -files_type(piranha_etc_rw_t) - -type piranha_log_t; -logging_log_file(piranha_log_t) - -####################################### -# -# piranha-fos local policy -# - -kernel_read_kernel_sysctls(piranha_fos_t) - -domain_read_all_domains_state(piranha_fos_t) - -consoletype_exec(piranha_fos_t) - -# start and stop services -init_domtrans_script(piranha_fos_t) - -######################################## -# -# piranha-gui local policy -# - -allow piranha_web_t self:capability { setuid sys_nice kill setgid }; -allow piranha_web_t self:process { getsched setsched signal signull ptrace }; -allow piranha_web_t self:rawip_socket create_socket_perms; -allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms; -allow piranha_web_t self:sem create_sem_perms; -allow piranha_web_t self:shm create_shm_perms; - -manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t) -manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t) -files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file) - -read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t) - -rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t) - -manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t) -manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t) -logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file }) - -can_exec(piranha_web_t, piranha_web_tmp_t) -manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) -manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) -files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir }) - -manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) -manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) -fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file }) - -piranha_pulse_initrc_domtrans(piranha_web_t) - -kernel_read_kernel_sysctls(piranha_web_t) - -corenet_tcp_bind_http_cache_port(piranha_web_t) -corenet_tcp_bind_luci_port(piranha_web_t) -corenet_tcp_bind_piranha_port(piranha_web_t) -corenet_tcp_connect_ricci_port(piranha_web_t) - -dev_read_urand(piranha_web_t) - -domain_read_all_domains_state(piranha_web_t) - -files_read_usr_files(piranha_web_t) - -consoletype_exec(piranha_web_t) - -optional_policy(` - apache_read_config(piranha_web_t) - apache_exec_modules(piranha_web_t) - apache_exec(piranha_web_t) -') - -optional_policy(` - gnome_dontaudit_search_config(piranha_web_t) -') - -optional_policy(` - sasl_connect(piranha_web_t) -') - -###################################### -# -# piranha-lvs local policy -# - -# neede by nanny -allow piranha_lvs_t self:capability { net_raw sys_nice }; -allow piranha_lvs_t self:process signal; -allow piranha_lvs_t self:unix_dgram_socket create_socket_perms; -allow piranha_lvs_t self:rawip_socket create_socket_perms; - -kernel_read_kernel_sysctls(piranha_lvs_t) - -# needed by nanny -corenet_tcp_connect_ftp_port(piranha_lvs_t) -corenet_tcp_connect_http_port(piranha_lvs_t) - -sysnet_dns_name_resolve(piranha_lvs_t) - -# needed by nanny -tunable_policy(`piranha_lvs_can_network_connect',` - corenet_tcp_connect_all_ports(piranha_lvs_t) -') - -# needed by ipvsadm -optional_policy(` - iptables_domtrans(piranha_lvs_t) -') - -####################################### -# -# piranha-pulse local policy -# - -allow piranha_pulse_t self:packet_socket create_socket_perms; - -# pulse starts fos and lvs daemon -domtrans_pattern(piranha_fos_t, piranha_fos_exec_t, piranha_fos_t) -allow piranha_pulse_t piranha_fos_t:process signal; - -domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t) -allow piranha_pulse_t piranha_lvs_t:process signal; - -corenet_udp_bind_apertus_ldp_port(piranha_pulse_t) - -sysnet_dns_name_resolve(piranha_pulse_t) - -optional_policy(` - netutils_domtrans_ping(piranha_pulse_t) -') - -optional_policy(` - sysnet_domtrans_ifconfig(piranha_pulse_t) -') - -#################################### -# -# piranha domains common policy -# - -allow piranha_domain self:fifo_file rw_fifo_file_perms; -allow piranha_domain self:tcp_socket create_stream_socket_perms; -allow piranha_domain self:udp_socket create_socket_perms; -allow piranha_domain self:unix_stream_socket create_stream_socket_perms; - -read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t) - -kernel_read_system_state(piranha_domain) -kernel_read_network_state(piranha_domain) - -corenet_all_recvfrom_unlabeled(piranha_domain) -corenet_all_recvfrom_netlabel(piranha_domain) -corenet_tcp_sendrecv_generic_if(piranha_domain) -corenet_udp_sendrecv_generic_if(piranha_domain) -corenet_tcp_sendrecv_generic_node(piranha_domain) -corenet_udp_sendrecv_generic_node(piranha_domain) -corenet_tcp_sendrecv_all_ports(piranha_domain) -corenet_udp_sendrecv_all_ports(piranha_domain) -corenet_tcp_bind_generic_node(piranha_domain) -corenet_udp_bind_generic_node(piranha_domain) - -files_read_etc_files(piranha_domain) - -corecmd_exec_bin(piranha_domain) -corecmd_exec_shell(piranha_domain) - -logging_send_syslog_msg(piranha_domain) - -miscfiles_read_localization(piranha_domain) - -sysnet_read_config(piranha_domain) diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc deleted file mode 100644 index 5702ca4..0000000 --- a/policy/modules/services/plymouthd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) - -/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) - -/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) -/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if deleted file mode 100644 index 07dd3ff..0000000 --- a/policy/modules/services/plymouthd.if +++ /dev/null @@ -1,262 +0,0 @@ -## Plymouth graphical boot - -######################################## -## -## Execute a domain transition to run plymouthd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`plymouthd_domtrans',` - gen_require(` - type plymouthd_t, plymouthd_exec_t; - ') - - domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) -') - -######################################## -## -## Execute the plymoth daemon in the current domain -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_exec',` - gen_require(` - type plymouthd_exec_t; - ') - - can_exec($1, plymouthd_exec_t) -') - -######################################## -## -## Allow domain to Stream socket connect -## to Plymouth daemon. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_stream_connect',` - gen_require(` - type plymouthd_t; - ') - - allow $1 plymouthd_t:unix_stream_socket connectto; -') - -######################################## -## -## Execute the plymoth command in the current domain -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_exec_plymouth',` - gen_require(` - type plymouth_exec_t; - ') - - can_exec($1, plymouth_exec_t) -') - -######################################## -## -## Execute a domain transition to run plymouthd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`plymouthd_domtrans_plymouth',` - gen_require(` - type plymouth_t, plymouth_exec_t; - ') - - domtrans_pattern($1, plymouth_exec_t, plymouth_t) -') - -######################################## -## -## Search plymouthd spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_search_spool',` - gen_require(` - type plymouthd_spool_t; - ') - - allow $1 plymouthd_spool_t:dir search_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Read plymouthd spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_read_spool_files',` - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) -') - -######################################## -## -## Create, read, write, and delete -## plymouthd spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_manage_spool_files',` - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) -') - -######################################## -## -## Search plymouthd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_search_lib',` - gen_require(` - type plymouthd_var_lib_t; - ') - - allow $1 plymouthd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read plymouthd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_read_lib_files',` - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## plymouthd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_manage_lib_files',` - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) -') - -######################################## -## -## Read plymouthd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_read_pid_files',` - gen_require(` - type plymouthd_var_run_t; - ') - - files_search_pids($1) - allow $1 plymouthd_var_run_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an plymouthd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`plymouthd_admin',` - gen_require(` - type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; - type plymouthd_var_run_t; - ') - - allow $1 plymouthd_t:process { ptrace signal_perms }; - ps_process_pattern($1, plymouthd_t) - - files_list_var_lib($1) - admin_pattern($1, plymouthd_spool_t) - - admin_pattern($1, plymouthd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, plymouthd_var_run_t) -') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te deleted file mode 100644 index 836e2e2..0000000 --- a/policy/modules/services/plymouthd.te +++ /dev/null @@ -1,104 +0,0 @@ -policy_module(plymouthd, 1.0.0) - -######################################## -# -# Declarations -# - -type plymouth_t; -type plymouth_exec_t; -application_domain(plymouth_t, plymouth_exec_t) - -type plymouthd_t; -type plymouthd_exec_t; -init_daemon_domain(plymouthd_t, plymouthd_exec_t) - -type plymouthd_spool_t; -files_type(plymouthd_spool_t) - -type plymouthd_var_lib_t; -files_type(plymouthd_var_lib_t) - -type plymouthd_var_run_t; -files_pid_file(plymouthd_var_run_t) - -######################################## -# -# Plymouthd private policy -# - -allow plymouthd_t self:capability { sys_admin sys_tty_config }; -dontaudit plymouthd_t self:capability dac_override; -allow plymouthd_t self:process signal; -allow plymouthd_t self:fifo_file rw_fifo_file_perms; -allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file }) - -manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) -manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) -files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) - -manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) - -kernel_read_system_state(plymouthd_t) -kernel_request_load_module(plymouthd_t) -kernel_change_ring_buffer_level(plymouthd_t) - -dev_rw_dri(plymouthd_t) -dev_read_sysfs(plymouthd_t) -dev_read_framebuffer(plymouthd_t) -dev_write_framebuffer(plymouthd_t) - -domain_use_interactive_fds(plymouthd_t) - -files_read_etc_files(plymouthd_t) -files_read_usr_files(plymouthd_t) - -term_use_unallocated_ttys(plymouthd_t) - -miscfiles_read_localization(plymouthd_t) -miscfiles_read_fonts(plymouthd_t) -miscfiles_manage_fonts_cache(plymouthd_t) - -userdom_read_admin_home_files(plymouthd_t) - -######################################## -# -# Plymouth private policy -# - -allow plymouth_t self:process signal; -allow plymouth_t self:fifo_file rw_file_perms; -allow plymouth_t self:unix_stream_socket create_stream_socket_perms; - -kernel_read_system_state(plymouth_t) -kernel_stream_connect(plymouth_t) - -domain_use_interactive_fds(plymouth_t) - -files_read_etc_files(plymouth_t) - -term_use_ptmx(plymouth_t) - -miscfiles_read_localization(plymouth_t) - -sysnet_read_config(plymouth_t) - -plymouthd_stream_connect(plymouth_t) - -ifdef(`hide_broken_symptoms',` - optional_policy(` - hal_dontaudit_write_log(plymouth_t) - hal_dontaudit_rw_pipes(plymouth_t) - ') -') - -optional_policy(` - lvm_domtrans(plymouth_t) -') diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc deleted file mode 100644 index c65d18f..0000000 --- a/policy/modules/services/policykit.fc +++ /dev/null @@ -1,18 +0,0 @@ -/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) -/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) -/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) - -/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) -/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) -/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) -/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) - -/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) -/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) - diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if deleted file mode 100644 index 13cdc77..0000000 --- a/policy/modules/services/policykit.if +++ /dev/null @@ -1,282 +0,0 @@ -## Policy framework for controlling privileges for system-wide services. - -######################################## -## -## Send and receive messages from -## policykit over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_dbus_chat',` - gen_require(` - type policykit_t; - class dbus send_msg; - ') - - ps_process_pattern(policykit_t, $1) - - allow $1 policykit_t:dbus send_msg; - allow policykit_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## policykit over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_dbus_chat_auth',` - gen_require(` - type policykit_auth_t; - class dbus send_msg; - ') - - ps_process_pattern(policykit_auth_t, $1) - - allow $1 policykit_auth_t:dbus send_msg; - allow policykit_auth_t $1:dbus send_msg; -') - -######################################## -## -## Execute a domain transition to run polkit_auth. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`policykit_domtrans_auth',` - gen_require(` - type policykit_auth_t, policykit_auth_exec_t; - ') - - domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) -') - -######################################## -## -## Execute a policy_auth in the policy_auth domain, and -## allow the specified role the policy_auth domain, -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`policykit_run_auth',` - gen_require(` - type policykit_auth_t; - ') - - policykit_domtrans_auth($1) - role $2 types policykit_auth_t; - - allow $1 policykit_auth_t:process signal; - ps_process_pattern(policykit_auth_t, $1) -') - -######################################## -## -## Execute a domain transition to run polkit_grant. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`policykit_domtrans_grant',` - gen_require(` - type policykit_grant_t, policykit_grant_exec_t; - ') - - domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) -') - -######################################## -## -## Execute a policy_grant in the policy_grant domain, and -## allow the specified role the policy_grant domain, -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`policykit_run_grant',` - gen_require(` - type policykit_grant_t; - ') - - policykit_domtrans_grant($1) - role $2 types policykit_grant_t; - - allow $1 policykit_grant_t:process signal; - - ps_process_pattern(policykit_grant_t, $1) -') - -######################################## -## -## read policykit reload files -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_read_reload',` - gen_require(` - type policykit_reload_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, policykit_reload_t, policykit_reload_t) -') - -######################################## -## -## rw policykit reload files -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_rw_reload',` - gen_require(` - type policykit_reload_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, policykit_reload_t, policykit_reload_t) -') - -######################################## -## -## Execute a domain transition to run polkit_resolve. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`policykit_domtrans_resolve',` - gen_require(` - type policykit_resolve_t, policykit_resolve_exec_t; - ') - - domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) - - ps_process_pattern(policykit_resolve_t, $1) -') - -######################################## -## -## Search policykit lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_search_lib',` - gen_require(` - type policykit_var_lib_t; - ') - - allow $1 policykit_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## read policykit lib files -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_read_lib',` - gen_require(` - type policykit_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) - - # Broken placement - cron_read_system_job_lib_files($1) -') - -####################################### -## -## The per role template for the policykit module. -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -template(`policykit_role',` - policykit_run_auth($2, $1) - policykit_run_grant($2, $1) - policykit_read_lib($2) - policykit_read_reload($2) - policykit_dbus_chat($2) -') - -######################################## -## -## Send generic signal to policy_auth -## -## -## -## Domain allowed to transition. -## -## -# -interface(`policykit_signal_auth',` - gen_require(` - type policykit_auth_t; - ') - - allow $1 policykit_auth_t:process signal; -') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te deleted file mode 100644 index 7385ecf..0000000 --- a/policy/modules/services/policykit.te +++ /dev/null @@ -1,276 +0,0 @@ -policy_module(policykit, 1.1.0) - -######################################## -# -# Declarations -# - -type policykit_t alias polkit_t; -type policykit_exec_t alias polkit_exec_t; -init_daemon_domain(policykit_t, policykit_exec_t) - -type policykit_auth_t alias polkit_auth_t; -type policykit_auth_exec_t alias polkit_auth_exec_t; -init_daemon_domain(policykit_auth_t, policykit_auth_exec_t) - -type policykit_grant_t alias polkit_grant_t; -type policykit_grant_exec_t alias polkit_grant_exec_t; -init_system_domain(policykit_grant_t, policykit_grant_exec_t) - -type policykit_resolve_t alias polkit_resolve_t; -type policykit_resolve_exec_t alias polkit_resolve_exec_t; -init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) - -type policykit_reload_t alias polkit_reload_t; -files_type(policykit_reload_t) - -type policykit_tmp_t; -files_tmp_file(policykit_tmp_t) - -type policykit_var_lib_t alias polkit_var_lib_t; -files_type(policykit_var_lib_t) - -type policykit_var_run_t alias polkit_var_run_t; -files_pid_file(policykit_var_run_t) - -######################################## -# -# policykit local policy -# - -allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; -allow policykit_t self:process { getsched getattr signal }; -allow policykit_t self:fifo_file rw_fifo_file_perms; -allow policykit_t self:unix_dgram_socket create_socket_perms; -allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -policykit_domtrans_auth(policykit_t) - -can_exec(policykit_t, policykit_exec_t) -corecmd_exec_bin(policykit_t) - -rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) - -policykit_domtrans_resolve(policykit_t) - -manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t) - -manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) -manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) -files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) - -kernel_read_system_state(policykit_t) -kernel_read_kernel_sysctls(policykit_t) - -domain_read_all_domains_state(policykit_t) - -files_read_etc_files(policykit_t) -files_read_usr_files(policykit_t) -files_dontaudit_search_all_mountpoints(policykit_t) - -fs_list_inotifyfs(policykit_t) - -auth_use_nsswitch(policykit_t) - -logging_send_syslog_msg(policykit_t) - -miscfiles_read_localization(policykit_t) - -userdom_getattr_all_users(policykit_t) -userdom_read_all_users_state(policykit_t) -userdom_dontaudit_search_admin_dir(policykit_t) - -optional_policy(` - dbus_system_domain(policykit_t, policykit_exec_t) - - optional_policy(` - consolekit_dbus_chat(policykit_t) - ') - - optional_policy(` - rpm_dbus_chat(policykit_t) - ') -') - -optional_policy(` - consolekit_list_pid_files(policykit_t) - consolekit_read_pid_files(policykit_t) -') - -optional_policy(` - gnome_read_config(policykit_t) -') - -######################################## -# -# polkit_auth local policy -# - -allow policykit_auth_t self:capability { ipc_lock setgid setuid }; -dontaudit policykit_auth_t self:capability sys_tty_config; -allow policykit_auth_t self:process { getattr getsched signal }; -allow policykit_auth_t self:fifo_file rw_fifo_file_perms; - -allow policykit_auth_t self:unix_dgram_socket create_socket_perms; -allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; - -policykit_dbus_chat(policykit_auth_t) - -kernel_read_system_state(policykit_auth_t) - -can_exec(policykit_auth_t, policykit_auth_exec_t) -corecmd_exec_bin(policykit_auth_t) - -rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) - -manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t) -manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t) -files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir }) - -manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t) - -manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) -manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) -files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) - -kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) - -dev_read_video_dev(policykit_auth_t) - -files_read_etc_files(policykit_auth_t) -files_read_usr_files(policykit_auth_t) -files_search_home(policykit_auth_t) - -fs_getattr_all_fs(polkit_auth_t) -fs_search_tmpfs(polkit_auth_t) - -auth_use_nsswitch(policykit_auth_t) -auth_read_var_auth(policykit_auth_t) -auth_domtrans_chk_passwd(policykit_auth_t) - -logging_send_syslog_msg(policykit_auth_t) - -miscfiles_read_localization(policykit_auth_t) -miscfiles_read_fonts(policykit_auth_t) -miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) - -userdom_dontaudit_read_user_home_content_files(policykit_auth_t) -userdom_dontaudit_write_user_tmp_files(policykit_auth_t) -userdom_read_admin_home_files(policykit_auth_t) - -optional_policy(` - dbus_system_domain( policykit_auth_t, policykit_auth_exec_t) - dbus_session_bus_client(policykit_auth_t) - - optional_policy(` - consolekit_dbus_chat(policykit_auth_t) - ') -') - -optional_policy(` - kernel_search_proc(policykit_auth_t) - hal_read_state(policykit_auth_t) -') - -optional_policy(` - xserver_stream_connect(policykit_auth_t) - xserver_xdm_append_log(policykit_auth_t) - xserver_read_xdm_pid(policykit_auth_t) - xserver_search_xdm_lib(policykit_auth_t) - xserver_create_xdm_tmp_sockets(policykit_auth_t) -') - -######################################## -# -# polkit_grant local policy -# - -allow policykit_grant_t self:capability setuid; -allow policykit_grant_t self:process getattr; -allow policykit_grant_t self:fifo_file rw_fifo_file_perms; - -allow policykit_grant_t self:unix_dgram_socket create_socket_perms; -allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; - -policykit_domtrans_auth(policykit_grant_t) - -policykit_domtrans_resolve(policykit_grant_t) - -can_exec(policykit_grant_t, policykit_grant_exec_t) -corecmd_search_bin(policykit_grant_t) - -rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) - -manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t) - -manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) - -files_read_etc_files(policykit_grant_t) -files_read_usr_files(policykit_grant_t) - -auth_use_nsswitch(policykit_grant_t) -auth_domtrans_chk_passwd(policykit_grant_t) - -logging_send_syslog_msg(policykit_grant_t) - -miscfiles_read_localization(policykit_grant_t) - -userdom_read_all_users_state(policykit_grant_t) - -optional_policy(` - cron_manage_system_job_lib_files(policykit_grant_t) -') - - optional_policy(` - dbus_system_bus_client(policykit_grant_t) - optional_policy(` - consolekit_dbus_chat(policykit_grant_t) - ') -') - -######################################## -# -# polkit_resolve local policy -# - -allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; -allow policykit_resolve_t self:process getattr; -allow policykit_resolve_t self:fifo_file rw_fifo_file_perms; - -allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; -allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; - -policykit_domtrans_auth(policykit_resolve_t) - -read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t) - -read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t) - -can_exec(policykit_resolve_t, policykit_resolve_exec_t) -corecmd_search_bin(policykit_resolve_t) - -files_read_etc_files(policykit_resolve_t) -files_read_usr_files(policykit_resolve_t) - -mcs_ptrace_all(policykit_resolve_t) - -auth_use_nsswitch(policykit_resolve_t) - -logging_send_syslog_msg(policykit_resolve_t) - -miscfiles_read_localization(policykit_resolve_t) - -userdom_read_all_users_state(policykit_resolve_t) - -optional_policy(` - dbus_system_bus_client(policykit_resolve_t) - - optional_policy(` - consolekit_dbus_chat(policykit_resolve_t) - ') -') - -optional_policy(` - kernel_search_proc(policykit_resolve_t) - hal_read_state(policykit_resolve_t) -') diff --git a/policy/modules/services/portmap.fc b/policy/modules/services/portmap.fc deleted file mode 100644 index 76f5834..0000000 --- a/policy/modules/services/portmap.fc +++ /dev/null @@ -1,12 +0,0 @@ - -/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) - -ifdef(`distro_debian',` -/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -', ` -/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -') - -/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if deleted file mode 100644 index 374afcf..0000000 --- a/policy/modules/services/portmap.if +++ /dev/null @@ -1,89 +0,0 @@ -## RPC port mapping service. - -######################################## -## -## Execute portmap_helper in the helper domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portmap_domtrans_helper',` - gen_require(` - type portmap_helper_t, portmap_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t) -') - -######################################## -## -## Execute portmap helper in the helper domain, and -## allow the specified role the helper domain. -## Communicate with portmap. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`portmap_run_helper',` - gen_require(` - type portmap_t, portmap_helper_t; - ') - - portmap_domtrans_helper($1) - role $2 types portmap_helper_t; -') - -######################################## -## -## Send UDP network traffic to portmap. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`portmap_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Send and receive UDP network traffic from portmap. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`portmap_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Connect to portmap over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`portmap_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te deleted file mode 100644 index d1cf513..0000000 --- a/policy/modules/services/portmap.te +++ /dev/null @@ -1,149 +0,0 @@ -policy_module(portmap, 1.9.0) - -######################################## -# -# Declarations -# - -type portmap_t; -type portmap_exec_t; -init_daemon_domain(portmap_t, portmap_exec_t) - -type portmap_helper_t; -type portmap_helper_exec_t; -init_system_domain(portmap_helper_t, portmap_helper_exec_t) - -type portmap_tmp_t; -files_tmp_file(portmap_tmp_t) - -type portmap_var_run_t; -files_pid_file(portmap_var_run_t) - -######################################## -# -# Portmap local policy -# - -allow portmap_t self:capability { setuid setgid }; -dontaudit portmap_t self:capability sys_tty_config; -allow portmap_t self:netlink_route_socket r_netlink_socket_perms; -allow portmap_t self:unix_dgram_socket create_socket_perms; -allow portmap_t self:unix_stream_socket create_stream_socket_perms; -allow portmap_t self:tcp_socket create_stream_socket_perms; -allow portmap_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t) -manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t) -files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir }) - -manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t) -files_pid_filetrans(portmap_t, portmap_var_run_t, file) - -kernel_read_system_state(portmap_t) -kernel_read_kernel_sysctls(portmap_t) - -corenet_all_recvfrom_unlabeled(portmap_t) -corenet_all_recvfrom_netlabel(portmap_t) -corenet_tcp_sendrecv_generic_if(portmap_t) -corenet_udp_sendrecv_generic_if(portmap_t) -corenet_tcp_sendrecv_generic_node(portmap_t) -corenet_udp_sendrecv_generic_node(portmap_t) -corenet_tcp_sendrecv_all_ports(portmap_t) -corenet_udp_sendrecv_all_ports(portmap_t) -corenet_tcp_bind_generic_node(portmap_t) -corenet_udp_bind_generic_node(portmap_t) -corenet_tcp_bind_portmap_port(portmap_t) -corenet_udp_bind_portmap_port(portmap_t) -corenet_tcp_connect_all_ports(portmap_t) -corenet_sendrecv_portmap_client_packets(portmap_t) -corenet_sendrecv_portmap_server_packets(portmap_t) -# portmap binds to arbitary ports -corenet_tcp_bind_generic_port(portmap_t) -corenet_udp_bind_generic_port(portmap_t) -corenet_tcp_bind_reserved_port(portmap_t) -corenet_udp_bind_reserved_port(portmap_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t) -corenet_dontaudit_udp_bind_all_ports(portmap_t) - -dev_read_sysfs(portmap_t) - -fs_getattr_all_fs(portmap_t) -fs_search_auto_mountpoints(portmap_t) - -domain_use_interactive_fds(portmap_t) - -files_read_etc_files(portmap_t) - -logging_send_syslog_msg(portmap_t) - -miscfiles_read_localization(portmap_t) - -sysnet_read_config(portmap_t) - -userdom_dontaudit_use_unpriv_user_fds(portmap_t) -userdom_dontaudit_search_user_home_dirs(portmap_t) - -optional_policy(` - nis_use_ypbind(portmap_t) -') - -optional_policy(` - nscd_socket_use(portmap_t) -') - -optional_policy(` - seutil_sigchld_newrole(portmap_t) -') - -optional_policy(` - udev_read_db(portmap_t) -') - -######################################## -# -# Portmap helper local policy -# - -dontaudit portmap_helper_t self:capability net_admin; -allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms; -allow portmap_helper_t self:tcp_socket create_stream_socket_perms; -allow portmap_helper_t self:udp_socket create_socket_perms; - -allow portmap_helper_t portmap_var_run_t:file manage_file_perms; -files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file) - -corenet_all_recvfrom_unlabeled(portmap_helper_t) -corenet_all_recvfrom_netlabel(portmap_helper_t) -corenet_tcp_sendrecv_generic_if(portmap_helper_t) -corenet_udp_sendrecv_generic_if(portmap_helper_t) -corenet_raw_sendrecv_generic_if(portmap_helper_t) -corenet_tcp_sendrecv_generic_node(portmap_helper_t) -corenet_udp_sendrecv_generic_node(portmap_helper_t) -corenet_raw_sendrecv_generic_node(portmap_helper_t) -corenet_tcp_sendrecv_all_ports(portmap_helper_t) -corenet_udp_sendrecv_all_ports(portmap_helper_t) -corenet_tcp_bind_generic_node(portmap_helper_t) -corenet_udp_bind_generic_node(portmap_helper_t) -corenet_tcp_bind_reserved_port(portmap_helper_t) -corenet_udp_bind_reserved_port(portmap_helper_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t) -corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t) -corenet_tcp_connect_all_ports(portmap_helper_t) - -domain_dontaudit_use_interactive_fds(portmap_helper_t) - -files_read_etc_files(portmap_helper_t) -files_rw_generic_pids(portmap_helper_t) - -init_rw_utmp(portmap_helper_t) - -logging_send_syslog_msg(portmap_helper_t) - -sysnet_read_config(portmap_helper_t) - -userdom_use_user_terminals(portmap_helper_t) -userdom_dontaudit_use_all_users_fds(portmap_helper_t) - -optional_policy(` - nis_use_ypbind(portmap_helper_t) -') diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc deleted file mode 100644 index 1d9fa76..0000000 --- a/policy/modules/services/portreserve.fc +++ /dev/null @@ -1,8 +0,0 @@ - -/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) - -/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) - -/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) - -/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if deleted file mode 100644 index 7385056..0000000 --- a/policy/modules/services/portreserve.if +++ /dev/null @@ -1,120 +0,0 @@ -## Reserve well-known ports in the RPC port range. - -######################################## -## -## Execute a domain transition to run portreserve. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portreserve_domtrans',` - gen_require(` - type portreserve_t, portreserve_exec_t; - ') - - domtrans_pattern($1, portreserve_exec_t, portreserve_t) -') - -######################################## -## -## Execute portreserve in the portreserve domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portreserve_initrc_domtrans',` - gen_require(` - type portreserve_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, portreserve_initrc_exec_t) -') - -####################################### -## -## Allow the specified domain to read -## portreserve etcuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`portreserve_read_config',` - gen_require(` - type portreserve_etc_t; - ') - - files_search_etc($1) - allow $1 portreserve_etc_t:dir list_dir_perms; - read_files_pattern($1, portreserve_etc_t, portreserve_etc_t) - read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -') - -####################################### -## -## Allow the specified domain to manage -## portreserve etcuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`portreserve_manage_config',` - gen_require(` - type portreserve_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t) - manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) - read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -') - -######################################## -## -## All of the rules required to administrate -## an portreserve environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`portreserve_admin',` - gen_require(` - type portreserve_t, portreserve_etc_t, portreserve_var_run_t; - type portreserve_initrc_exec_t; - ') - - allow $1 portreserve_t:process { ptrace signal_perms }; - ps_process_pattern($1, portreserve_t) - - portreserve_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 portreserve_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, portreserve_etc_t) - - files_list_pids($1) - admin_pattern($1, portreserve_var_run_t) -') diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te deleted file mode 100644 index e091aba..0000000 --- a/policy/modules/services/portreserve.te +++ /dev/null @@ -1,54 +0,0 @@ -policy_module(portreserve, 1.2.0) - -######################################## -# -# Declarations -# - -type portreserve_t; -type portreserve_exec_t; -init_daemon_domain(portreserve_t, portreserve_exec_t) - -type portreserve_initrc_exec_t; -init_script_file(portreserve_initrc_exec_t) - -type portreserve_etc_t; -files_type(portreserve_etc_t) - -type portreserve_var_run_t; -files_pid_file(portreserve_var_run_t) - -######################################## -# -# Portreserve local policy -# - -allow portreserve_t self:capability { dac_read_search dac_override }; -allow portreserve_t self:fifo_file rw_fifo_file_perms; -allow portreserve_t self:unix_stream_socket create_stream_socket_perms; -allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; -allow portreserve_t self:tcp_socket create_socket_perms; -allow portreserve_t self:udp_socket create_socket_perms; - -# Read etc files -list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) -read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) - -# Manage /var/run/portreserve/* -manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }) - -corecmd_getattr_bin_files(portreserve_t) - -corenet_all_recvfrom_unlabeled(portreserve_t) -corenet_all_recvfrom_netlabel(portreserve_t) -corenet_tcp_bind_generic_node(portreserve_t) -corenet_udp_bind_generic_node(portreserve_t) -corenet_tcp_bind_all_ports(portreserve_t) -corenet_udp_bind_all_ports(portreserve_t) - -files_read_etc_files(portreserve_t) - -userdom_dontaudit_search_user_home_content(portreserve_t) diff --git a/policy/modules/services/portslave.fc b/policy/modules/services/portslave.fc deleted file mode 100644 index 2dd7786..0000000 --- a/policy/modules/services/portslave.fc +++ /dev/null @@ -1,4 +0,0 @@ -/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0) - -/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0) -/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0) diff --git a/policy/modules/services/portslave.if b/policy/modules/services/portslave.if deleted file mode 100644 index b53ff77..0000000 --- a/policy/modules/services/portslave.if +++ /dev/null @@ -1,19 +0,0 @@ -## Portslave terminal server software - -######################################## -## -## Execute portslave with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portslave_domtrans',` - gen_require(` - type portslave_t, portslave_exec_t; - ') - - domtrans_pattern($1, portslave_exec_t, portslave_t) -') diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te deleted file mode 100644 index 69c331e..0000000 --- a/policy/modules/services/portslave.te +++ /dev/null @@ -1,125 +0,0 @@ -policy_module(portslave, 1.7.0) - -######################################## -# -# Declarations -# - -type portslave_t; -type portslave_exec_t; -init_domain(portslave_t, portslave_exec_t) -init_daemon_domain(portslave_t, portslave_exec_t) - -type portslave_etc_t; -files_config_file(portslave_etc_t) - -type portslave_lock_t; -files_lock_file(portslave_lock_t) - -######################################## -# -# Local policy -# - -# setuid setgid net_admin fsetid for pppd -# sys_admin for ctlportslave -# net_bind_service for rlogin -allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config }; -dontaudit portslave_t self:capability sys_admin; -allow portslave_t self:process signal_perms; -allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow portslave_t self:fd use; -allow portslave_t self:fifo_file rw_fifo_file_perms; -allow portslave_t self:unix_dgram_socket create_socket_perms; -allow portslave_t self:unix_stream_socket create_stream_socket_perms; -allow portslave_t self:unix_dgram_socket sendto; -allow portslave_t self:unix_stream_socket connectto; -allow portslave_t self:shm create_shm_perms; -allow portslave_t self:sem create_sem_perms; -allow portslave_t self:msgq create_msgq_perms; -allow portslave_t self:msg { send receive }; -allow portslave_t self:tcp_socket create_stream_socket_perms; -allow portslave_t self:udp_socket create_socket_perms; - -allow portslave_t portslave_etc_t:dir list_dir_perms; -read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t) -read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t) - -allow portslave_t portslave_lock_t:file manage_file_perms; -files_lock_filetrans(portslave_t, portslave_lock_t, file) - -kernel_read_system_state(portslave_t) -kernel_read_kernel_sysctls(portslave_t) - -corecmd_exec_bin(portslave_t) -corecmd_exec_shell(portslave_t) - -corenet_all_recvfrom_unlabeled(portslave_t) -corenet_all_recvfrom_netlabel(portslave_t) -corenet_tcp_sendrecv_generic_if(portslave_t) -corenet_udp_sendrecv_generic_if(portslave_t) -corenet_tcp_sendrecv_generic_node(portslave_t) -corenet_udp_sendrecv_generic_node(portslave_t) -corenet_tcp_sendrecv_all_ports(portslave_t) -corenet_udp_sendrecv_all_ports(portslave_t) -corenet_rw_ppp_dev(portslave_t) - -dev_read_sysfs(portslave_t) -# for ssh -dev_read_urand(portslave_t) - -domain_use_interactive_fds(portslave_t) - -files_read_etc_files(portslave_t) -files_read_etc_runtime_files(portslave_t) -files_exec_etc_files(portslave_t) - -fs_search_auto_mountpoints(portslave_t) -fs_getattr_xattr_fs(portslave_t) - -term_use_unallocated_ttys(portslave_t) -term_setattr_unallocated_ttys(portslave_t) -term_use_all_ttys(portslave_t) -term_search_ptys(portslave_t) - -auth_rw_login_records(portslave_t) -auth_domtrans_chk_passwd(portslave_t) - -init_rw_utmp(portslave_t) - -logging_send_syslog_msg(portslave_t) -logging_search_logs(portslave_t) - -sysnet_read_config(portslave_t) - -userdom_use_unpriv_users_fds(portslave_t) -# for ~/.ppprc - if it actually exists then you need some policy to read it -userdom_search_user_home_dirs(portslave_t) - -mta_send_mail(portslave_t) - -# this should probably be a domtrans to pppd -# instead of exec. -ppp_read_rw_config(portslave_t) -ppp_exec(portslave_t) -ppp_read_secrets(portslave_t) -ppp_manage_pid_files(portslave_t) -ppp_pid_filetrans(portslave_t) - -ssh_exec(portslave_t) - -optional_policy(` - inetd_tcp_service_domain(portslave_t, portslave_exec_t) -') - -optional_policy(` - nis_use_ypbind(portslave_t) -') - -optional_policy(` - seutil_sigchld_newrole(portslave_t) -') - -optional_policy(` - udev_read_db(portslave_t) -') diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc deleted file mode 100644 index c114a40..0000000 --- a/policy/modules/services/postfix.fc +++ /dev/null @@ -1,54 +0,0 @@ -# postfix -/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) -/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0) -ifdef(`distro_redhat', ` -/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) -/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) -/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) -/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) -/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) -/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) -/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) -', ` -/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) -/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) -/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) -/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) -/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) -/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) -/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -') -/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) -/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) -/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0) -/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) -/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - -/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0) - -/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) -/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) -/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) -/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) -/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) -/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if deleted file mode 100644 index 7391f7e..0000000 --- a/policy/modules/services/postfix.if +++ /dev/null @@ -1,758 +0,0 @@ -## Postfix email server - -######################################## -## -## Postfix stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_stub',` - gen_require(` - type postfix_master_t; - ') -') - -######################################## -## -## Creates types and rules for a basic -## postfix process domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`postfix_domain_template',` - type postfix_$1_t; - type postfix_$1_exec_t; - domain_type(postfix_$1_t) - domain_entry_file(postfix_$1_t, postfix_$1_exec_t) - role system_r types postfix_$1_t; - - dontaudit postfix_$1_t self:capability sys_tty_config; - allow postfix_$1_t self:process { signal_perms setpgid }; - allow postfix_$1_t self:unix_dgram_socket create_socket_perms; - allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; - allow postfix_$1_t self:unix_stream_socket connectto; - - allow postfix_master_t postfix_$1_t:process signal; - #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 - allow postfix_$1_t postfix_master_t:file read; - - allow postfix_$1_t postfix_etc_t:dir list_dir_perms; - read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) - read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) - - can_exec(postfix_$1_t, postfix_$1_exec_t) - - allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock }; - - allow postfix_$1_t postfix_master_t:process sigchld; - - allow postfix_$1_t postfix_spool_t:dir list_dir_perms; - - allow postfix_$1_t postfix_var_run_t:file manage_file_perms; - files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file) - - kernel_read_system_state(postfix_$1_t) - kernel_read_network_state(postfix_$1_t) - kernel_read_all_sysctls(postfix_$1_t) - - dev_read_sysfs(postfix_$1_t) - dev_read_rand(postfix_$1_t) - dev_read_urand(postfix_$1_t) - - fs_search_auto_mountpoints(postfix_$1_t) - fs_getattr_xattr_fs(postfix_$1_t) - fs_rw_anon_inodefs_files(postfix_$1_t) - - term_dontaudit_use_console(postfix_$1_t) - - corecmd_exec_shell(postfix_$1_t) - - files_read_etc_files(postfix_$1_t) - files_read_etc_runtime_files(postfix_$1_t) - files_read_usr_files(postfix_$1_t) - files_read_usr_symlinks(postfix_$1_t) - files_search_spool(postfix_$1_t) - files_getattr_tmp_dirs(postfix_$1_t) - files_search_all_mountpoints(postfix_$1_t) - - init_dontaudit_use_fds(postfix_$1_t) - init_sigchld(postfix_$1_t) - - auth_use_nsswitch(postfix_$1_t) - - logging_send_syslog_msg(postfix_$1_t) - - miscfiles_read_localization(postfix_$1_t) - miscfiles_read_generic_certs(postfix_$1_t) - - userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) - - optional_policy(` - udev_read_db(postfix_$1_t) - ') -') - -######################################## -## -## Creates a postfix server process domain. -## -## -## -## Prefix of the domain. -## -## -# -template(`postfix_server_domain_template',` - postfix_domain_template($1) - - type postfix_$1_tmp_t; - files_tmp_file(postfix_$1_tmp_t) - - allow postfix_$1_t self:capability { setuid setgid dac_override }; - allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; - allow postfix_$1_t self:tcp_socket create_socket_perms; - allow postfix_$1_t self:udp_socket create_socket_perms; - - manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) - - domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) - - corenet_all_recvfrom_unlabeled(postfix_$1_t) - corenet_all_recvfrom_netlabel(postfix_$1_t) - corenet_tcp_sendrecv_generic_if(postfix_$1_t) - corenet_udp_sendrecv_generic_if(postfix_$1_t) - corenet_tcp_sendrecv_generic_node(postfix_$1_t) - corenet_udp_sendrecv_generic_node(postfix_$1_t) - corenet_tcp_sendrecv_all_ports(postfix_$1_t) - corenet_udp_sendrecv_all_ports(postfix_$1_t) - corenet_tcp_bind_generic_node(postfix_$1_t) - corenet_udp_bind_generic_node(postfix_$1_t) - corenet_tcp_connect_all_ports(postfix_$1_t) - corenet_sendrecv_all_client_packets(postfix_$1_t) -') - -######################################## -## -## Creates a process domain for programs -## that are ran by users. -## -## -## -## Prefix of the domain. -## -## -# -template(`postfix_user_domain_template',` - gen_require(` - attribute postfix_user_domains, postfix_user_domtrans; - ') - - postfix_domain_template($1) - - typeattribute postfix_$1_t postfix_user_domains; - - allow postfix_$1_t self:capability dac_override; - - domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) - - domain_use_interactive_fds(postfix_$1_t) -') - -######################################## -## -## Read postfix configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`postfix_read_config',` - gen_require(` - type postfix_etc_t; - ') - - read_files_pattern($1, postfix_etc_t, postfix_etc_t) - read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) - files_search_etc($1) -') - -######################################## -## -## Create files with the specified type in -## the postfix configuration directories. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`postfix_config_filetrans',` - gen_require(` - type postfix_etc_t; - ') - - files_search_etc($1) - filetrans_pattern($1, postfix_etc_t, $2, $3) -') - -######################################## -## -## Do not audit attempts to read and -## write postfix local delivery -## TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`postfix_dontaudit_rw_local_tcp_sockets',` - gen_require(` - type postfix_local_t; - ') - - dontaudit $1 postfix_local_t:tcp_socket { read write }; -') - -######################################## -## -## Allow read/write postfix local pipes -## TCP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_rw_local_pipes',` - gen_require(` - type postfix_local_t; - ') - - allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Allow domain to read postfix local process state -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_read_local_state',` - gen_require(` - type postfix_local_t; - ') - - kernel_search_proc($1) - ps_process_pattern($1, postfix_local_t) -') - -######################################## -## -## Allow domain to read postfix master process state -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_read_master_state',` - gen_require(` - type postfix_master_t; - ') - - kernel_search_proc($1) - ps_process_pattern($1, postfix_master_t) -') - -######################################## -## -## Do not audit attempts to use -## postfix master process file -## file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`postfix_dontaudit_use_fds',` - gen_require(` - type postfix_master_t; - ') - - dontaudit $1 postfix_master_t:fd use; -') - -######################################## -## -## Execute postfix_map in the postfix_map domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postfix_domtrans_map',` - gen_require(` - type postfix_map_t, postfix_map_exec_t; - ') - - domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) -') - -######################################## -## -## Execute postfix_map in the postfix_map domain, and -## allow the specified role the postfix_map domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`postfix_run_map',` - gen_require(` - type postfix_map_t; - ') - - postfix_domtrans_map($1) - role $2 types postfix_map_t; -') - -######################################## -## -## Execute the master postfix program in the -## postfix_master domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postfix_domtrans_master',` - gen_require(` - type postfix_master_t, postfix_master_exec_t; - ') - - domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) -') - - -######################################## -## -## Execute the master postfix in the postfix master domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_initrc_domtrans',` - gen_require(` - type postfix_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, postfix_initrc_exec_t) -') - -######################################## -## -## Execute the master postfix program in the -## caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_exec_master',` - gen_require(` - type postfix_master_exec_t; - ') - - can_exec($1, postfix_master_exec_t) -') - -####################################### -## -## Connect to postfix master process using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_stream_connect_master',` - gen_require(` - type postfix_master_t, postfix_public_t; - ') - - stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) -') - -######################################## -## -## Execute the master postdrop in the -## postfix_postdrop domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postfix_domtrans_postdrop',` - gen_require(` - type postfix_postdrop_t, postfix_postdrop_exec_t; - ') - - domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) -') - -######################################## -## -## Execute the master postqueue in the -## postfix_postqueue domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postfix_domtrans_postqueue',` - gen_require(` - type postfix_postqueue_t, postfix_postqueue_exec_t; - ') - - domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) -') - -####################################### -## -## Execute the master postqueue in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`posftix_exec_postqueue',` - gen_require(` - type postfix_postqueue_exec_t; - ') - - can_exec($1, postfix_postqueue_exec_t) -') - -######################################## -## -## Create a named socket in a postfix private directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_create_private_sockets',` - gen_require(` - type postfix_private_t; - ') - - allow $1 postfix_private_t:dir list_dir_perms; - create_sock_files_pattern($1, postfix_private_t, postfix_private_t) -') - -######################################## -## -## manage named socket in a postfix private directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_manage_private_sockets',` - gen_require(` - type postfix_private_t; - ') - - allow $1 postfix_private_t:dir list_dir_perms; - manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) -') - -######################################## -## -## Execute the master postfix program in the -## postfix_master domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postfix_domtrans_smtp',` - gen_require(` - type postfix_smtp_t, postfix_smtp_exec_t; - ') - - domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) -') - -######################################## -## -## Getattr postfix mail spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_getattr_spool_files',` - gen_require(` - attribute postfix_spool_type; - ') - - files_search_spool($1) - getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) -') - -######################################## -## -## Search postfix mail spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_search_spool',` - gen_require(` - attribute postfix_spool_type; - ') - - allow $1 postfix_spool_type:dir search_dir_perms; - files_search_spool($1) -') - -######################################## -## -## List postfix mail spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_list_spool',` - gen_require(` - attribute postfix_spool_type; - ') - - allow $1 postfix_spool_type:dir list_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Read postfix mail spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_read_spool_files',` - gen_require(` - attribute postfix_spool_type; - ') - - files_search_spool($1) - read_files_pattern($1, postfix_spool_type, postfix_spool_type) -') - -######################################## -## -## Create, read, write, and delete postfix mail spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_manage_spool_files',` - gen_require(` - attribute postfix_spool_type; - ') - - files_search_spool($1) - manage_files_pattern($1, postfix_spool_type, postfix_spool_type) -') - -######################################## -## -## Execute postfix user mail programs -## in their respective domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_domtrans_user_mail_handler',` - gen_require(` - attribute postfix_user_domtrans; - ') - - typeattribute $1 postfix_user_domtrans; -') - -######################################## -## -## All of the rules required to administrate -## an postfix environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`postfix_admin',` - gen_require(` - attribute postfix_spool_type; - type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; - type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; - type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; - type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; - type postfix_smtpd_t, postfix_var_run_t; - ') - - allow $1 postfix_bounce_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_bounce_t) - - allow $1 postfix_cleanup_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_cleanup_t) - - allow $1 postfix_local_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_local_t) - - allow $1 postfix_master_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_master_t) - - allow $1 postfix_pickup_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_pickup_t) - - allow $1 postfix_qmgr_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_qmgr_t) - - allow $1 postfix_smtpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_smtpd_t) - - postfix_run_map($1, $2) - postfix_run_postdrop($1, $2) - - postfix_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 postfix_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, postfix_data_t) - - files_list_etc($1) - admin_pattern($1, postfix_etc_t) - - files_list_spool($1) - admin_pattern($1, postfix_spool_type) - - admin_pattern($1, postfix_var_run_t) - - files_list_tmp($1) - admin_pattern($1, postfix_map_tmp_t) - - admin_pattern($1, postfix_prng_t) - - admin_pattern($1, postfix_public_t) -') - -######################################## -## -## Execute the master postdrop in the -## postfix_postdrop domain. -## -## -## -## Domain allowed to transition. -## -## -## -# -interface(`postfix_run_postdrop',` - gen_require(` - type postfix_postdrop_t; - ') - - postfix_domtrans_postdrop($1) - role $2 types postfix_postdrop_t; -') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te deleted file mode 100644 index 628fcda..0000000 --- a/policy/modules/services/postfix.te +++ /dev/null @@ -1,681 +0,0 @@ -policy_module(postfix, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow postfix_local domain full write access to mail_spool directories -##

-##
-gen_tunable(allow_postfix_local_write_mail_spool, false) - -attribute postfix_spool_type; -attribute postfix_user_domains; -# domains that transition to the -# postfix user domains -attribute postfix_user_domtrans; - -postfix_server_domain_template(bounce) - -type postfix_spool_bounce_t, postfix_spool_type; -files_type(postfix_spool_bounce_t) - -postfix_server_domain_template(cleanup) - -type postfix_etc_t; -files_config_file(postfix_etc_t) - -type postfix_exec_t; -application_executable_file(postfix_exec_t) - -postfix_server_domain_template(local) -mta_mailserver_delivery(postfix_local_t) - -# Program for creating database files -type postfix_map_t; -type postfix_map_exec_t; -application_domain(postfix_map_t, postfix_map_exec_t) -role system_r types postfix_map_t; - -type postfix_map_tmp_t; -files_tmp_file(postfix_map_tmp_t) - -postfix_domain_template(master) -typealias postfix_master_t alias postfix_t; -# alias is a hack to make the disable trans bool -# generation macro work -mta_mailserver(postfix_t, postfix_master_exec_t) - -type postfix_initrc_exec_t; -init_script_file(postfix_initrc_exec_t) - -postfix_server_domain_template(pickup) - -postfix_server_domain_template(pipe) - -postfix_user_domain_template(postdrop) -mta_mailserver_user_agent(postfix_postdrop_t) - -postfix_user_domain_template(postqueue) -mta_mailserver_user_agent(postfix_postqueue_t) - -type postfix_private_t; -files_type(postfix_private_t) - -type postfix_prng_t; -files_type(postfix_prng_t) - -postfix_server_domain_template(qmgr) - -postfix_user_domain_template(showq) - -postfix_server_domain_template(smtp) -mta_mailserver_sender(postfix_smtp_t) - -postfix_server_domain_template(smtpd) - -type postfix_spool_t, postfix_spool_type; -files_type(postfix_spool_t) - -type postfix_spool_maildrop_t, postfix_spool_type; -files_type(postfix_spool_maildrop_t) - -type postfix_spool_flush_t, postfix_spool_type; -files_type(postfix_spool_flush_t) - -type postfix_public_t; -files_type(postfix_public_t) - -type postfix_var_run_t; -files_pid_file(postfix_var_run_t) - -# the data_directory config parameter -type postfix_data_t; -files_type(postfix_data_t) - -postfix_server_domain_template(virtual) -mta_mailserver_delivery(postfix_virtual_t) - -######################################## -# -# Postfix master process local policy -# - -# chown is to set the correct ownership of queue dirs -allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; -allow postfix_master_t self:process setrlimit; -allow postfix_master_t self:fifo_file rw_fifo_file_perms; -allow postfix_master_t self:tcp_socket create_stream_socket_perms; -allow postfix_master_t self:udp_socket create_socket_perms; - -allow postfix_master_t postfix_etc_t:dir rw_dir_perms; -allow postfix_master_t postfix_etc_t:file rw_file_perms; -mta_filetrans_aliases(postfix_master_t, postfix_etc_t) - -can_exec(postfix_master_t, postfix_exec_t) - -allow postfix_master_t postfix_data_t:dir manage_dir_perms; -allow postfix_master_t postfix_data_t:file manage_file_perms; - -allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; - -allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; - -allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; - -manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) - -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) - -allow postfix_master_t postfix_prng_t:file rw_file_perms; - -manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) - -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) - -# allow access to deferred queue and allow removing bogus incoming entries -manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) - -allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; -allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms; - -manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) - -delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - -kernel_read_all_sysctls(postfix_master_t) - -corenet_all_recvfrom_unlabeled(postfix_master_t) -corenet_all_recvfrom_netlabel(postfix_master_t) -corenet_tcp_sendrecv_generic_if(postfix_master_t) -corenet_udp_sendrecv_generic_if(postfix_master_t) -corenet_tcp_sendrecv_generic_node(postfix_master_t) -corenet_udp_sendrecv_generic_node(postfix_master_t) -corenet_tcp_sendrecv_all_ports(postfix_master_t) -corenet_udp_sendrecv_all_ports(postfix_master_t) -corenet_udp_bind_generic_node(postfix_master_t) -corenet_udp_bind_all_unreserved_ports(postfix_master_t) -corenet_dontaudit_udp_bind_all_ports(postfix_master_t) -corenet_tcp_bind_generic_node(postfix_master_t) -corenet_tcp_bind_amavisd_send_port(postfix_master_t) -corenet_tcp_bind_smtp_port(postfix_master_t) -corenet_tcp_connect_all_ports(postfix_master_t) -corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) -corenet_sendrecv_smtp_server_packets(postfix_master_t) -corenet_sendrecv_all_client_packets(postfix_master_t) - -# for a find command -selinux_dontaudit_search_fs(postfix_master_t) - -corecmd_exec_shell(postfix_master_t) -corecmd_exec_bin(postfix_master_t) - -domain_use_interactive_fds(postfix_master_t) - -files_read_usr_files(postfix_master_t) -files_search_var_lib(postfix_master_t) -files_search_tmp(postfix_master_t) - -term_dontaudit_search_ptys(postfix_master_t) - -miscfiles_read_man_pages(postfix_master_t) - -seutil_sigchld_newrole(postfix_master_t) -# postfix does a "find" on startup for some reason - keep it quiet -seutil_dontaudit_search_config(postfix_master_t) - -mta_rw_aliases(postfix_master_t) -mta_read_sendmail_bin(postfix_master_t) -mta_getattr_spool(postfix_master_t) - -ifdef(`distro_redhat',` - # for newer main.cf that uses /etc/aliases - mta_manage_aliases(postfix_master_t) - mta_etc_filetrans_aliases(postfix_master_t) -') - -optional_policy(` - cyrus_stream_connect(postfix_master_t) -') - -optional_policy(` - kerberos_keytab_template(postfix, postfix_t) -') - -optional_policy(` -# for postalias - mailman_manage_data_files(postfix_master_t) -') - -optional_policy(` - mysql_stream_connect(postfix_master_t) -') - -optional_policy(` - postgrey_search_spool(postfix_master_t) -') - -optional_policy(` - sendmail_signal(postfix_master_t) -') - -######################################## -# -# Postfix bounce local policy -# - -allow postfix_bounce_t self:capability dac_read_search; -allow postfix_bounce_t self:tcp_socket create_socket_perms; - -allow postfix_bounce_t postfix_public_t:sock_file write; -allow postfix_bounce_t postfix_public_t:dir search_dir_perms; - -manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir) - -manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) - -######################################## -# -# Postfix cleanup local policy -# - -allow postfix_cleanup_t self:process setrlimit; - -# connect to master process -stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t) - -rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) -write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) - -manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) -manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) - -allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; - -corecmd_exec_bin(postfix_cleanup_t) - -mta_read_aliases(postfix_cleanup_t) - -optional_policy(` - mailman_read_data_files(postfix_cleanup_t) -') - -######################################## -# -# Postfix local local policy -# - -allow postfix_local_t self:process { setsched setrlimit }; -allow postfix_local_t self:fifo_file rw_fifo_file_perms; - -# connect to master process -stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) - -# for .forward - maybe we need a new type for it? -rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) - -domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) - -allow postfix_local_t postfix_spool_t:file rw_file_perms; - -corecmd_exec_shell(postfix_local_t) -corecmd_exec_bin(postfix_local_t) - -files_read_etc_files(postfix_local_t) - -logging_dontaudit_search_logs(postfix_local_t) - -mta_read_aliases(postfix_local_t) -mta_delete_spool(postfix_local_t) -# For reading spamassasin -mta_read_config(postfix_local_t) -# Handle vacation script -mta_send_mail(postfix_local_t) - -userdom_read_user_home_content_files(postfix_local_t) - -tunable_policy(`allow_postfix_local_write_mail_spool',` - mta_manage_spool(postfix_local_t) -') - -optional_policy(` - clamav_search_lib(postfix_local_t) - clamav_exec_clamscan(postfix_local_t) -') - -optional_policy(` -# for postalias - mailman_manage_data_files(postfix_local_t) - mailman_append_log(postfix_local_t) - mailman_read_log(postfix_local_t) -') - -optional_policy(` - nagios_search_spool(postfix_local_t) -') - -optional_policy(` - procmail_domtrans(postfix_local_t) -') - -optional_policy(` - zarafa_deliver_domtrans(postfix_local_t) -') - -######################################## -# -# Postfix map local policy -# -allow postfix_map_t self:capability { dac_override setgid setuid }; -allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; -allow postfix_map_t self:unix_dgram_socket create_socket_perms; -allow postfix_map_t self:tcp_socket create_stream_socket_perms; -allow postfix_map_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) -manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) -manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) - -manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(postfix_map_t) -kernel_dontaudit_list_proc(postfix_map_t) -kernel_dontaudit_read_system_state(postfix_map_t) - -corenet_all_recvfrom_unlabeled(postfix_map_t) -corenet_all_recvfrom_netlabel(postfix_map_t) -corenet_tcp_sendrecv_generic_if(postfix_map_t) -corenet_udp_sendrecv_generic_if(postfix_map_t) -corenet_tcp_sendrecv_generic_node(postfix_map_t) -corenet_udp_sendrecv_generic_node(postfix_map_t) -corenet_tcp_sendrecv_all_ports(postfix_map_t) -corenet_udp_sendrecv_all_ports(postfix_map_t) -corenet_tcp_connect_all_ports(postfix_map_t) -corenet_sendrecv_all_client_packets(postfix_map_t) - -corecmd_list_bin(postfix_map_t) -corecmd_read_bin_symlinks(postfix_map_t) -corecmd_read_bin_files(postfix_map_t) -corecmd_read_bin_pipes(postfix_map_t) -corecmd_read_bin_sockets(postfix_map_t) - -files_list_home(postfix_map_t) -files_read_usr_files(postfix_map_t) -files_read_etc_files(postfix_map_t) -files_read_etc_runtime_files(postfix_map_t) -files_dontaudit_search_var(postfix_map_t) - -auth_use_nsswitch(postfix_map_t) - -logging_send_syslog_msg(postfix_map_t) - -miscfiles_read_localization(postfix_map_t) - -optional_policy(` - locallogin_dontaudit_use_fds(postfix_map_t) -') - -optional_policy(` -# for postalias - mailman_manage_data_files(postfix_map_t) -') - -######################################## -# -# Postfix pickup local policy -# - -allow postfix_pickup_t self:tcp_socket create_socket_perms; - -stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) - -rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) - -postfix_list_spool(postfix_pickup_t) - -allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; -read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - -######################################## -# -# Postfix pipe local policy -# - -allow postfix_pipe_t self:process setrlimit; -allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; - -write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) - -write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) - -rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) - -domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) - -corecmd_exec_bin(postfix_pipe_t) - -optional_policy(` - dovecot_domtrans_deliver(postfix_pipe_t) -') - -optional_policy(` - procmail_domtrans(postfix_pipe_t) -') - -optional_policy(` - mailman_domtrans_queue(postfix_pipe_t) -') - -optional_policy(` - mta_manage_spool(postfix_pipe_t) - mta_send_mail(postfix_pipe_t) -') - -optional_policy(` - spamassassin_domtrans_client(postfix_pipe_t) - spamassassin_kill_client(postfix_pipe_t) -') - -optional_policy(` - uucp_domtrans_uux(postfix_pipe_t) -') - -######################################## -# -# Postfix postdrop local policy -# - -# usually it does not need a UDP socket -allow postfix_postdrop_t self:capability sys_resource; -allow postfix_postdrop_t self:tcp_socket create; -allow postfix_postdrop_t self:udp_socket create_socket_perms; - -# Might be a leak, but I need a postfix expert to explain -allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; - -rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) - -postfix_list_spool(postfix_postdrop_t) -manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - -corenet_udp_sendrecv_generic_if(postfix_postdrop_t) -corenet_udp_sendrecv_generic_node(postfix_postdrop_t) - -term_dontaudit_use_all_ptys(postfix_postdrop_t) -term_dontaudit_use_all_ttys(postfix_postdrop_t) - -mta_rw_user_mail_stream_sockets(postfix_postdrop_t) - -optional_policy(` - apache_dontaudit_rw_fifo_file(postfix_postdrop_t) -') - -optional_policy(` - cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) -') - -# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951 -optional_policy(` - fstools_read_pipes(postfix_postdrop_t) -') - -optional_policy(` - sendmail_rw_unix_stream_sockets(postfix_postdrop_t) -') - -optional_policy(` - uucp_manage_spool(postfix_postdrop_t) -') - -####################################### -# -# Postfix postqueue local policy -# - -allow postfix_postqueue_t self:tcp_socket create; -allow postfix_postqueue_t self:udp_socket { create ioctl }; - -# wants to write to /var/spool/postfix/public/showq -stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t) - -# write to /var/spool/postfix/public/qmgr -write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t) - -domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) - -# to write the mailq output, it really should not need read access! -term_use_all_ptys(postfix_postqueue_t) -term_use_all_ttys(postfix_postqueue_t) - -init_sigchld_script(postfix_postqueue_t) -init_use_script_fds(postfix_postqueue_t) - -optional_policy(` - cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t) -') - -optional_policy(` - ppp_use_fds(postfix_postqueue_t) - ppp_sigchld(postfix_postqueue_t) -') - -######################################## -# -# Postfix qmgr local policy -# - -stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) - -# for /var/spool/postfix/active -manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) -manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) - -allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; - -corecmd_exec_bin(postfix_qmgr_t) - -######################################## -# -# Postfix showq local policy -# - -allow postfix_showq_t self:capability { setuid setgid }; -allow postfix_showq_t self:tcp_socket create_socket_perms; - -allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; - -allow postfix_showq_t postfix_spool_t:file read_file_perms; - -postfix_list_spool(postfix_showq_t) - -allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; -allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; -allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - -# to write the mailq output, it really should not need read access! -term_use_all_ptys(postfix_showq_t) -term_use_all_ttys(postfix_showq_t) - -######################################## -# -# Postfix smtp delivery local policy -# - -# connect to master process -allow postfix_smtp_t self:capability sys_chroot; -stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -allow postfix_smtp_t postfix_prng_t:file rw_file_perms; - -allow postfix_smtp_t postfix_spool_t:file rw_file_perms; - -files_search_all_mountpoints(postfix_smtp_t) - -optional_policy(` - cyrus_stream_connect(postfix_smtp_t) -') - -optional_policy(` - milter_stream_connect_all(postfix_smtp_t) -') - -######################################## -# -# Postfix smtpd local policy -# -allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; - -# connect to master process -stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -# Connect to policy server -corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) - -# for prng_exch -allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; -allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; - -corecmd_exec_bin(postfix_smtpd_t) - -# for OpenSSL certificates -files_read_usr_files(postfix_smtpd_t) - -# postfix checks the size of all mounted file systems -fs_getattr_all_dirs(postfix_smtpd_t) -fs_getattr_all_fs(postfix_smtpd_t) - -mta_read_aliases(postfix_smtpd_t) - -optional_policy(` - dovecot_stream_connect_auth(postfix_smtpd_t) -') - -optional_policy(` - mailman_read_data_files(postfix_smtpd_t) -') - -optional_policy(` - postgrey_stream_connect(postfix_smtpd_t) -') - -optional_policy(` - sasl_connect(postfix_smtpd_t) -') - -######################################## -# -# Postfix virtual local policy -# - -allow postfix_virtual_t self:process { setsched setrlimit }; -allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; - -allow postfix_virtual_t postfix_spool_t:file rw_file_perms; - -# connect to master process -stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -corecmd_exec_shell(postfix_virtual_t) -corecmd_exec_bin(postfix_virtual_t) - -files_read_etc_files(postfix_virtual_t) -files_read_usr_files(postfix_virtual_t) - -mta_read_aliases(postfix_virtual_t) -mta_delete_spool(postfix_virtual_t) -# For reading spamassasin -mta_read_config(postfix_virtual_t) -mta_manage_spool(postfix_virtual_t) - -userdom_manage_user_home_dirs(postfix_virtual_t) -userdom_manage_user_home_content(postfix_virtual_t) -userdom_home_filetrans_user_home_dir(postfix_virtual_t) -userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) diff --git a/policy/modules/services/postfixpolicyd.fc b/policy/modules/services/postfixpolicyd.fc deleted file mode 100644 index 4361cb6..0000000 --- a/policy/modules/services/postfixpolicyd.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0) -/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0) - -/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) - -/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if deleted file mode 100644 index d960d3f..0000000 --- a/policy/modules/services/postfixpolicyd.if +++ /dev/null @@ -1,39 +0,0 @@ -## Postfix policy server - -######################################## -## -## All of the rules required to administrate -## an postfixpolicyd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the postfixpolicyd domain. -## -## -## -# -interface(`postfixpolicyd_admin',` - gen_require(` - type postfix_policyd_t, postfix_policyd_conf_t; - type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; - ') - - allow $1 postfix_policyd_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_policyd_t) - - init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postfix_policyd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, postfix_policyd_conf_t) - - files_list_pids($1) - admin_pattern($1, postfix_policyd_var_run_t) -') diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te deleted file mode 100644 index 7d73656..0000000 --- a/policy/modules/services/postfixpolicyd.te +++ /dev/null @@ -1,53 +0,0 @@ -policy_module(postfixpolicyd, 1.2.0) - -######################################## -# -# Declarations -# - -type postfix_policyd_t; -type postfix_policyd_exec_t; -init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t) - -type postfix_policyd_conf_t; -files_config_file(postfix_policyd_conf_t) - -type postfix_policyd_initrc_exec_t; -init_script_file(postfix_policyd_initrc_exec_t) - -type postfix_policyd_var_run_t; -files_pid_file(postfix_policyd_var_run_t) - -######################################## -# -# Local Policy -# - -allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; -allow postfix_policyd_t self:process setrlimit; -allow postfix_policyd_t self:tcp_socket create_stream_socket_perms; -allow postfix_policyd_t self:unix_dgram_socket create_socket_perms; - -allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms; -allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms; -allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; - -manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) -files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) - -corenet_all_recvfrom_unlabeled(postfix_policyd_t) -corenet_tcp_sendrecv_generic_if(postfix_policyd_t) -corenet_tcp_sendrecv_generic_node(postfix_policyd_t) -corenet_tcp_sendrecv_all_ports(postfix_policyd_t) -corenet_tcp_bind_generic_node(postfix_policyd_t) -corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t) -corenet_tcp_bind_mysqld_port(postfix_policyd_t) - -files_read_etc_files(postfix_policyd_t) -files_read_usr_files(postfix_policyd_t) - -logging_send_syslog_msg(postfix_policyd_t) - -miscfiles_read_localization(postfix_policyd_t) - -sysnet_dns_name_resolve(postfix_policyd_t) diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc deleted file mode 100644 index f03fad4..0000000 --- a/policy/modules/services/postgresql.fc +++ /dev/null @@ -1,48 +0,0 @@ -# -# /etc -# -/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) -/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) -/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) - -# -# /usr -# -/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) -/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) - -/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) -/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) -/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) - -ifdef(`distro_debian', ` -/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) -') - -ifdef(`distro_redhat', ` -/usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) -') - -# -# /var -# -/var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) - -/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) -/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) -/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0) - -/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) -/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) - -/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0) -/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) -/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0) - -ifdef(`distro_redhat', ` -/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) -') - -/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) - -/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if deleted file mode 100644 index 4782bdb..0000000 --- a/policy/modules/services/postgresql.if +++ /dev/null @@ -1,454 +0,0 @@ -## PostgreSQL relational database - -####################################### -## -## Role access for SE-PostgreSQL. -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -interface(`postgresql_role',` - gen_require(` - class db_database all_db_database_perms; - class db_table all_db_table_perms; - class db_procedure all_db_procedure_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type, sepgsql_database_type; - attribute sepgsql_sysobj_table_type; - - type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; - type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; - type user_sepgsql_sysobj_t, user_sepgsql_table_t; - ') - - ######################################## - # - # Declarations - # - - typeattribute $2 sepgsql_client_type; - role $1 types sepgsql_trusted_proc_t; - - ############################## - # - # Client local policy - # - - allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; - type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; - - allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; - type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; - - allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; - - allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; - type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; - - allow $2 sepgsql_trusted_proc_t:process transition; - type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; - - tunable_policy(`sepgsql_enable_users_ddl',` - allow $2 user_sepgsql_table_t:db_table { create drop setattr }; - allow $2 user_sepgsql_table_t:db_column { create drop setattr }; - - allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') -') - -######################################## -## -## Marks as a SE-PostgreSQL loadable shared library module -## -## -## -## Type marked as a database object type. -## -## -# -interface(`postgresql_loadable_module',` - gen_require(` - attribute sepgsql_module_type; - ') - - typeattribute $1 sepgsql_module_type; -') - -######################################## -## -## Marks as a SE-PostgreSQL database object type -## -## -## -## Type marked as a database object type. -## -## -# -interface(`postgresql_database_object',` - gen_require(` - attribute sepgsql_database_type; - ') - - typeattribute $1 sepgsql_database_type; -') - -######################################## -## -## Marks as a SE-PostgreSQL table/column/tuple object type -## -## -## -## Type marked as a table/column/tuple object type. -## -## -# -interface(`postgresql_table_object',` - gen_require(` - attribute sepgsql_table_type; - ') - - typeattribute $1 sepgsql_table_type; -') - -######################################## -## -## Marks as a SE-PostgreSQL system table/column/tuple object type -## -## -## -## Type marked as a table/column/tuple object type. -## -## -# -interface(`postgresql_system_table_object',` - gen_require(` - attribute sepgsql_table_type, sepgsql_sysobj_table_type; - ') - - typeattribute $1 sepgsql_table_type; - typeattribute $1 sepgsql_sysobj_table_type; -') - -######################################## -## -## Marks as a SE-PostgreSQL procedure object type -## -## -## -## Type marked as a database object type. -## -## -# -interface(`postgresql_procedure_object',` - gen_require(` - attribute sepgsql_procedure_type; - ') - - typeattribute $1 sepgsql_procedure_type; -') - -######################################## -## -## Marks as a SE-PostgreSQL binary large object type -## -## -## -## Type marked as a database binary large object type. -## -## -# -interface(`postgresql_blob_object',` - gen_require(` - attribute sepgsql_blob_type; - ') - - typeattribute $1 sepgsql_blob_type; -') - -######################################## -## -## Allow the specified domain to search postgresql's database directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`postgresql_search_db',` - gen_require(` - type postgresql_db_t; - ') - - allow $1 postgresql_db_t:dir search_dir_perms; -') - -######################################## -## -## Allow the specified domain to manage postgresql's database. -## -## -## -## Domain allowed access. -## -## -# -interface(`postgresql_manage_db',` - gen_require(` - type postgresql_db_t; - ') - - allow $1 postgresql_db_t:dir rw_dir_perms; - allow $1 postgresql_db_t:file rw_file_perms; - allow $1 postgresql_db_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Execute postgresql in the postgresql domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postgresql_domtrans',` - gen_require(` - type postgresql_t, postgresql_exec_t; - ') - - domtrans_pattern($1, postgresql_exec_t, postgresql_t) -') - -###################################### -## -## Allow domain to signal postgresql -## -## -## -## Domain allowed access. -## -## -# -interface(`postgresql_signal',` - gen_require(` - type postgresql_t; - ') - allow $1 postgresql_t:process signal; -') - -######################################## -## -## Allow the specified domain to read postgresql's etc. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`postgresql_read_config',` - gen_require(` - type postgresql_etc_t; - ') - - files_search_etc($1) - allow $1 postgresql_etc_t:dir list_dir_perms; - allow $1 postgresql_etc_t:file read_file_perms; - allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Allow the specified domain to connect to postgresql with a tcp socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`postgresql_tcp_connect',` - gen_require(` - type postgresql_t; - ') - - corenet_tcp_recvfrom_labeled($1, postgresql_t) - corenet_tcp_sendrecv_postgresql_port($1) - corenet_tcp_connect_postgresql_port($1) - corenet_sendrecv_postgresql_client_packets($1) -') - -######################################## -## -## Allow the specified domain to connect to postgresql with a unix socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`postgresql_stream_connect',` - gen_require(` - type postgresql_t, postgresql_var_run_t, postgresql_tmp_t; - ') - - files_search_pids($1) - files_search_tmp($1) - stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) -') - -######################################## -## -## Allow the specified domain unprivileged accesses to unifined database objects -## managed by SE-PostgreSQL, -## -## -## -## Domain allowed access. -## -## -# -interface(`postgresql_unpriv_client',` - gen_require(` - class db_database all_db_database_perms; - class db_table all_db_table_perms; - class db_procedure all_db_procedure_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type; - attribute sepgsql_database_type, sepgsql_sysobj_table_type; - - type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; - type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; - type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; - ') - - ######################################## - # - # Declarations - # - - typeattribute $1 sepgsql_client_type; - - ######################################## - # - # Client local policy - # - - type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; - allow $1 sepgsql_trusted_proc_t:process transition; - - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; - type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; - - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; - type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; - - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; - - allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; - type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; - - tunable_policy(`sepgsql_enable_users_ddl',` - allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') -') - -######################################## -## -## Allow the specified domain unconfined accesses to any database objects -## managed by SE-PostgreSQL, -## -## -## -## Domain allowed access. -## -## -# -interface(`postgresql_unconfined',` - gen_require(` - attribute sepgsql_unconfined_type; - ') - - typeattribute $1 sepgsql_unconfined_type; -') - -######################################## -## -## All of the rules required to administrate an postgresql environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the postgresql domain. -## -## -## -# -interface(`postgresql_admin',` - gen_require(` - attribute sepgsql_admin_type, sepgsql_client_type; - type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t; - type postgresql_tmp_t, postgresql_db_t, postgresql_log_t; - type postgresql_etc_t; - ') - - typeattribute $1 sepgsql_admin_type; - - allow $1 postgresql_t:process { ptrace signal_perms }; - ps_process_pattern($1, postgresql_t) - - init_labeled_script_domtrans($1, postgresql_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postgresql_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, postgresql_var_run_t) - - files_list_var_lib($1) - admin_pattern($1, postgresql_db_t) - - files_list_etc($1) - admin_pattern($1, postgresql_etc_t) - - logging_list_logs($1) - admin_pattern($1, postgresql_log_t) - - files_list_tmp($1) - admin_pattern($1, postgresql_tmp_t) - - postgresql_tcp_connect($1) - postgresql_stream_connect($1) -') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te deleted file mode 100644 index b4101fa..0000000 --- a/policy/modules/services/postgresql.te +++ /dev/null @@ -1,418 +0,0 @@ -policy_module(postgresql, 1.11.1) - -gen_require(` - class db_database all_db_database_perms; - class db_table all_db_table_perms; - class db_procedure all_db_procedure_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; -') - -################################# -# -# Declarations -# - -## -##

-## Allow unprived users to execute DDL statement -##

-##
-gen_tunable(sepgsql_enable_users_ddl, true) - -## -##

-## Allow database admins to execute DML statement -##

-##
-gen_tunable(sepgsql_unconfined_dbadm, true) - -type postgresql_t; -type postgresql_exec_t; -init_daemon_domain(postgresql_t, postgresql_exec_t) - -type postgresql_db_t; -files_type(postgresql_db_t) - -type postgresql_etc_t; -files_config_file(postgresql_etc_t) - -type postgresql_initrc_exec_t; -init_script_file(postgresql_initrc_exec_t) - -type postgresql_lock_t; -files_lock_file(postgresql_lock_t) - -type postgresql_log_t; -logging_log_file(postgresql_log_t) - -type postgresql_tmp_t; -files_tmp_file(postgresql_tmp_t) - -type postgresql_var_run_t; -files_pid_file(postgresql_var_run_t) - -# database clients attribute -attribute sepgsql_admin_type; -attribute sepgsql_client_type; -attribute sepgsql_unconfined_type; - -# database objects attribute -attribute sepgsql_database_type; -attribute sepgsql_table_type; -attribute sepgsql_sysobj_table_type; -attribute sepgsql_procedure_type; -attribute sepgsql_blob_type; -attribute sepgsql_module_type; - -# database object types -type sepgsql_blob_t; -postgresql_blob_object(sepgsql_blob_t) - -type sepgsql_db_t; -postgresql_database_object(sepgsql_db_t) - -type sepgsql_fixed_table_t; -postgresql_table_object(sepgsql_fixed_table_t) - -type sepgsql_proc_exec_t; -typealias sepgsql_proc_exec_t alias sepgsql_proc_t; -postgresql_procedure_object(sepgsql_proc_exec_t) - -type sepgsql_ro_blob_t; -postgresql_blob_object(sepgsql_ro_blob_t) - -type sepgsql_ro_table_t; -postgresql_table_object(sepgsql_ro_table_t) - -type sepgsql_secret_blob_t; -postgresql_blob_object(sepgsql_secret_blob_t) - -type sepgsql_secret_table_t; -postgresql_table_object(sepgsql_secret_table_t) - -type sepgsql_sysobj_t; -postgresql_system_table_object(sepgsql_sysobj_t) - -type sepgsql_table_t; -postgresql_table_object(sepgsql_table_t) - -type sepgsql_trusted_proc_exec_t; -postgresql_procedure_object(sepgsql_trusted_proc_exec_t) - -# Trusted Procedure Domain -type sepgsql_trusted_proc_t; -domain_type(sepgsql_trusted_proc_t) -postgresql_unconfined(sepgsql_trusted_proc_t) -role system_r types sepgsql_trusted_proc_t; - -# Types for unprivileged client -type unpriv_sepgsql_blob_t; -postgresql_blob_object(unpriv_sepgsql_blob_t) - -type unpriv_sepgsql_proc_exec_t; -postgresql_procedure_object(unpriv_sepgsql_proc_exec_t) - -type unpriv_sepgsql_sysobj_t; -postgresql_system_table_object(unpriv_sepgsql_sysobj_t) - -type unpriv_sepgsql_table_t; -postgresql_table_object(unpriv_sepgsql_table_t) - -# Types for UBAC -type user_sepgsql_blob_t; -typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t }; -typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t }; -postgresql_blob_object(user_sepgsql_blob_t) - -type user_sepgsql_proc_exec_t; -typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t }; -typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t }; -postgresql_procedure_object(user_sepgsql_proc_exec_t) - -type user_sepgsql_sysobj_t; -typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t }; -typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t }; -postgresql_system_table_object(user_sepgsql_sysobj_t) - -type user_sepgsql_table_t; -typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t }; -typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t }; -postgresql_table_object(user_sepgsql_table_t) - -######################################## -# -# postgresql Local policy -# -allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin }; -dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; -allow postgresql_t self:process signal_perms; -allow postgresql_t self:fifo_file rw_fifo_file_perms; -allow postgresql_t self:file { getattr read }; -allow postgresql_t self:sem create_sem_perms; -allow postgresql_t self:shm create_shm_perms; -allow postgresql_t self:tcp_socket create_stream_socket_perms; -allow postgresql_t self:udp_socket create_stream_socket_perms; -allow postgresql_t self:unix_dgram_socket create_socket_perms; -allow postgresql_t self:unix_stream_socket create_stream_socket_perms; -allow postgresql_t self:netlink_selinux_socket create_socket_perms; - -allow postgresql_t sepgsql_database_type:db_database *; -type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; - -allow postgresql_t sepgsql_module_type:db_database install_module; -# Database/Loadable module -allow sepgsql_database_type sepgsql_module_type:db_database load_module; - -allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; -type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; - -allow postgresql_t sepgsql_procedure_type:db_procedure *; -type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t; - -allow postgresql_t sepgsql_blob_type:db_blob *; -type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t; - -manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) -manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) -manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) -manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) -manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) -files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) - -allow postgresql_t postgresql_etc_t:dir list_dir_perms; -read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) -read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) - -allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms; -can_exec(postgresql_t, postgresql_exec_t ) - -allow postgresql_t postgresql_lock_t:file manage_file_perms; -files_lock_filetrans(postgresql_t, postgresql_lock_t, file) - -manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) -logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) - -manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) -manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) -manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) -manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) -manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) -files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) -fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) -manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) -manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) -files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(postgresql_t) -kernel_read_system_state(postgresql_t) -kernel_list_proc(postgresql_t) -kernel_read_all_sysctls(postgresql_t) -kernel_read_proc_symlinks(postgresql_t) - -corenet_all_recvfrom_unlabeled(postgresql_t) -corenet_all_recvfrom_netlabel(postgresql_t) -corenet_tcp_sendrecv_generic_if(postgresql_t) -corenet_udp_sendrecv_generic_if(postgresql_t) -corenet_tcp_sendrecv_generic_node(postgresql_t) -corenet_udp_sendrecv_generic_node(postgresql_t) -corenet_tcp_sendrecv_all_ports(postgresql_t) -corenet_udp_sendrecv_all_ports(postgresql_t) -corenet_udp_bind_generic_node(postgresql_t) -corenet_tcp_bind_generic_node(postgresql_t) -corenet_tcp_bind_postgresql_port(postgresql_t) -corenet_tcp_connect_auth_port(postgresql_t) -corenet_tcp_connect_postgresql_port(postgresql_t) -corenet_sendrecv_postgresql_server_packets(postgresql_t) -corenet_sendrecv_auth_client_packets(postgresql_t) - -dev_read_sysfs(postgresql_t) -dev_read_urand(postgresql_t) - -fs_getattr_all_fs(postgresql_t) -fs_search_auto_mountpoints(postgresql_t) -fs_rw_hugetlbfs_files(postgresql_t) - -selinux_get_enforce_mode(postgresql_t) -selinux_validate_context(postgresql_t) -selinux_compute_access_vector(postgresql_t) -selinux_compute_create_context(postgresql_t) -selinux_compute_relabel_context(postgresql_t) - -term_use_controlling_term(postgresql_t) - -corecmd_exec_bin(postgresql_t) -corecmd_exec_shell(postgresql_t) - -domain_dontaudit_list_all_domains_state(postgresql_t) -domain_use_interactive_fds(postgresql_t) - -files_dontaudit_search_home(postgresql_t) -files_read_etc_files(postgresql_t) -files_read_etc_runtime_files(postgresql_t) -files_read_usr_files(postgresql_t) - -auth_use_pam(postgresql_t) - -init_read_utmp(postgresql_t) - -logging_send_syslog_msg(postgresql_t) -logging_send_audit_msgs(postgresql_t) - -miscfiles_read_localization(postgresql_t) - -seutil_libselinux_linked(postgresql_t) - -userdom_dontaudit_use_unpriv_user_fds(postgresql_t) -userdom_dontaudit_search_user_home_dirs(postgresql_t) -userdom_dontaudit_use_user_terminals(postgresql_t) - -mta_getattr_spool(postgresql_t) - -tunable_policy(`allow_execmem',` - allow postgresql_t self:process execmem; -') - -optional_policy(` - consoletype_exec(postgresql_t) -') - -optional_policy(` - cron_search_spool(postgresql_t) - cron_system_entry(postgresql_t, postgresql_exec_t) -') - -optional_policy(` - hostname_exec(postgresql_t) -') - -optional_policy(` - ipsec_match_default_spd(postgresql_t) -') - -optional_policy(` - kerberos_use(postgresql_t) -') - -optional_policy(` - seutil_sigchld_newrole(postgresql_t) -') - -optional_policy(` - udev_read_db(postgresql_t) -') - -######################################## -# -# Rules common to all clients -# - -allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param }; -type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t; - -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; - -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock }; -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert }; -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete }; - -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock }; -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; - -allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; -allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; - -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock }; -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; -allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; - -allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install }; -allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; - -allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; -allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; -allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr; - -# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs. -# If a client tries to SELECT a table including violated tuples, these are filtered from -# the result set as if not exist, but its access denied longs can be recorded within log files. -# In generally, the number of tuples are much larger than the number of columns, tables and so on. -# So, it makes a flood of logs when many tuples are violated. -# -# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type, -# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them -# to access classified tuples and can make a audit record. -# -# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL. -dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete }; - -######################################## -# -# Rules common to administrator clients -# - -allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access }; -type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; - -allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock }; -allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto }; -allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete }; - -type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; - -allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto }; -allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; - -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; - -allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto }; - -type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t; - -allow sepgsql_admin_type sepgsql_module_type:db_database install_module; - -kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) - -tunable_policy(`sepgsql_unconfined_dbadm',` - allow sepgsql_admin_type sepgsql_database_type:db_database *; - - allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *; - - allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *; - allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install; - allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install }; - - allow sepgsql_admin_type sepgsql_blob_type:db_blob *; -') - -######################################## -# -# Unconfined access to this module -# - -allow sepgsql_unconfined_type sepgsql_database_type:db_database *; -type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; - -type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; -type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; -type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t; - -allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *; - -# unconfined domain is not allowed to invoke user defined procedure directly. -# They have to confirm and relabel it at first. -allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *; -allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install; -allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install }; - -allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; - -allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; - -kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) diff --git a/policy/modules/services/postgrey.fc b/policy/modules/services/postgrey.fc deleted file mode 100644 index e731841..0000000 --- a/policy/modules/services/postgrey.fc +++ /dev/null @@ -1,12 +0,0 @@ - -/etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0) -/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0) - -/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0) - -/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0) - -/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0) -/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0) - -/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if deleted file mode 100644 index 6f55445..0000000 --- a/policy/modules/services/postgrey.if +++ /dev/null @@ -1,81 +0,0 @@ -## Postfix grey-listing server - -######################################## -## -## Write to postgrey socket -## -## -## -## Domain allowed access. -## -## -# -interface(`postgrey_stream_connect',` - gen_require(` - type postgrey_var_run_t, postgrey_t, postgrey_spool_t; - ') - - stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) - files_search_pids($1) - files_search_spool($1) -') - -######################################## -## -## Search the spool directory -## -## -## -## Domain allowed access. -## -## -# -interface(`postgrey_search_spool',` - gen_require(` - type postgrey_spool_t; - ') - - files_search_spool($1) - allow $1 postgrey_spool_t:dir search_dir_perms; -') - -######################################## -## -## All of the rules required to administrate -## an postgrey environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the postgrey domain. -## -## -## -# -interface(`postgrey_admin',` - gen_require(` - type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t; - type postgrey_var_lib_t, postgrey_var_run_t; - ') - - allow $1 postgrey_t:process { ptrace signal_perms }; - ps_process_pattern($1, postgrey_t) - - init_labeled_script_domtrans($1, postgrey_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postgrey_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, postgrey_etc_t) - - files_list_var_lib($1) - admin_pattern($1, postgrey_var_lib_t) - - files_list_pids($1) - admin_pattern($1, postgrey_var_run_t) -') diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te deleted file mode 100644 index 6e8c3c8..0000000 --- a/policy/modules/services/postgrey.te +++ /dev/null @@ -1,107 +0,0 @@ -policy_module(postgrey, 1.7.1) - -######################################## -# -# Declarations -# - -type postgrey_t; -type postgrey_exec_t; -init_daemon_domain(postgrey_t, postgrey_exec_t) - -type postgrey_etc_t; -files_config_file(postgrey_etc_t) - -type postgrey_initrc_exec_t; -init_script_file(postgrey_initrc_exec_t) - -type postgrey_spool_t; -files_type(postgrey_spool_t) - -type postgrey_var_lib_t; -files_type(postgrey_var_lib_t) - -type postgrey_var_run_t; -files_pid_file(postgrey_var_run_t) - -######################################## -# -# Local policy -# - -allow postgrey_t self:capability { chown dac_override setgid setuid }; -dontaudit postgrey_t self:capability sys_tty_config; -allow postgrey_t self:process signal_perms; -allow postgrey_t self:tcp_socket create_stream_socket_perms; -allow postgrey_t self:fifo_file create_fifo_file_perms; - -allow postgrey_t postgrey_etc_t:dir list_dir_perms; -read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t) -read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t) - -manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) - -manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) -files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) - -manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) -manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) -manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) -files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) - -kernel_read_system_state(postgrey_t) -kernel_read_kernel_sysctls(postgrey_t) - -# for perl -corecmd_search_bin(postgrey_t) - -corenet_all_recvfrom_unlabeled(postgrey_t) -corenet_all_recvfrom_netlabel(postgrey_t) -corenet_tcp_sendrecv_generic_if(postgrey_t) -corenet_tcp_sendrecv_generic_node(postgrey_t) -corenet_tcp_sendrecv_all_ports(postgrey_t) -corenet_tcp_bind_generic_node(postgrey_t) -corenet_tcp_bind_postgrey_port(postgrey_t) -corenet_sendrecv_postgrey_server_packets(postgrey_t) - -dev_read_urand(postgrey_t) -dev_read_sysfs(postgrey_t) - -domain_use_interactive_fds(postgrey_t) - -files_read_etc_files(postgrey_t) -files_read_etc_runtime_files(postgrey_t) -files_read_usr_files(postgrey_t) -files_getattr_tmp_dirs(postgrey_t) - -fs_getattr_all_fs(postgrey_t) -fs_search_auto_mountpoints(postgrey_t) - -logging_send_syslog_msg(postgrey_t) - -miscfiles_read_localization(postgrey_t) - -sysnet_read_config(postgrey_t) - -userdom_dontaudit_use_unpriv_user_fds(postgrey_t) -userdom_dontaudit_search_user_home_dirs(postgrey_t) - -optional_policy(` - nis_use_ypbind(postgrey_t) -') - -optional_policy(` - postfix_read_config(postgrey_t) - postfix_manage_spool_files(postgrey_t) -') - -optional_policy(` - seutil_sigchld_newrole(postgrey_t) -') - -optional_policy(` - udev_read_db(postgrey_t) -') diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc deleted file mode 100644 index 2d82c6d..0000000 --- a/policy/modules/services/ppp.fc +++ /dev/null @@ -1,38 +0,0 @@ -# -# /etc -# -/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - -/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) -/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) -/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) -/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -# Fix /etc/ppp {up,down} family scripts (see man pppd) -/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - -/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) - -# -# /sbin -# -/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) - -# -# /usr -# -/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) -/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) -/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) - -# -# /var -# -/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) -/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) -/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) -# Fix pptp sockets -/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) - -/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) -/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if deleted file mode 100644 index 09699d1..0000000 --- a/policy/modules/services/ppp.if +++ /dev/null @@ -1,394 +0,0 @@ -## Point to Point Protocol daemon creates links in ppp networks - -######################################## -## -## Use PPP file discriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_use_fds',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit -## and use PPP file discriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`ppp_dontaudit_use_fds',` - gen_require(` - type pppd_t; - ') - - dontaudit $1 pppd_t:fd use; -') - -######################################## -## -## Send a SIGCHLD signal to PPP. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_sigchld',` - gen_require(` - type pppd_t; - - ') - - allow $1 pppd_t:process sigchld; -') - -######################################## -## -## Send ppp a kill signal -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_kill',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process sigkill; -') - -######################################## -## -## Send a generic signal to PPP. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_signal',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process signal; -') - -######################################## -## -## Send a generic signull to PPP. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_signull',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process signull; -') - -######################################## -## -## Execute domain in the ppp domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ppp_domtrans',` - gen_require(` - type pppd_t, pppd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pppd_exec_t, pppd_t) -') - -######################################## -## -## Conditionally execute ppp daemon on behalf of a user or staff type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the ppp domain. -## -## -## -# -interface(`ppp_run_cond',` - gen_require(` - type pppd_t; - ') - - role $2 types pppd_t; - - tunable_policy(`pppd_for_user',` - ppp_domtrans($1) - ') -') - -######################################## -## -## Unconditionally execute ppp daemon on behalf of a user or staff type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the ppp domain. -## -## -## -# -interface(`ppp_run',` - gen_require(` - type pppd_t, pptp_t; - ') - - ppp_domtrans($1) - role $2 types { pppd_t pptp_t }; - - optional_policy(` - ddclient_run(pppd_t, $2) - ') -') - -######################################## -## -## Execute domain in the ppp caller. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_exec',` - gen_require(` - type pppd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, pppd_exec_t) -') - -######################################## -## -## Read ppp configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_read_config',` - gen_require(` - type pppd_etc_t; - ') - - read_files_pattern($1, pppd_etc_t, pppd_etc_t) - files_search_etc($1) -') - -######################################## -## -## Read PPP-writable configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_read_rw_config',` - gen_require(` - type pppd_etc_t, pppd_etc_rw_t; - ') - - allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_etc_rw_t:file read_file_perms; - files_search_etc($1) -') - -######################################## -## -## Read PPP secrets. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_read_secrets',` - gen_require(` - type pppd_etc_t, pppd_secret_t; - ') - - allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_secret_t:file read_file_perms; - files_search_etc($1) -') - -######################################## -## -## Read PPP pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_read_pid_files',` - gen_require(` - type pppd_var_run_t; - ') - - files_search_pids($1) - allow $1 pppd_var_run_t:file read_file_perms; -') - -######################################## -## -## Create, read, write, and delete PPP pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_manage_pid_files',` - gen_require(` - type pppd_var_run_t; - ') - - files_search_pids($1) - allow $1 pppd_var_run_t:file manage_file_perms; -') - -######################################## -## -## Create, read, write, and delete PPP pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_pid_filetrans',` - gen_require(` - type pppd_var_run_t; - ') - - files_pid_filetrans($1, pppd_var_run_t, file) -') - -######################################## -## -## Execute ppp server in the ntpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ppp_initrc_domtrans',` - gen_require(` - type pppd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, pppd_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an ppp environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ppp_admin',` - gen_require(` - type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; - type pppd_etc_t, pppd_secret_t, pppd_var_run_t; - type pptp_t, pptp_log_t, pptp_var_run_t; - type pppd_initrc_exec_t, pppd_etc_rw_t; - ') - - allow $1 pppd_t:process { ptrace signal_perms }; - ps_process_pattern($1, pppd_t) - - allow $1 pptp_t:process { ptrace signal_perms }; - ps_process_pattern($1, pptp_t) - - ppp_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pppd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, pppd_tmp_t) - - logging_list_logs($1) - admin_pattern($1, pppd_log_t) - - files_list_locks($1) - admin_pattern($1, pppd_lock_t) - - files_list_etc($1) - admin_pattern($1, pppd_etc_t) - - admin_pattern($1, pppd_etc_rw_t) - - admin_pattern($1, pppd_secret_t) - - files_list_pids($1) - admin_pattern($1, pppd_var_run_t) - - admin_pattern($1, pptp_log_t) - - admin_pattern($1, pptp_var_run_t) -') diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te deleted file mode 100644 index d32a0d2..0000000 --- a/policy/modules/services/ppp.te +++ /dev/null @@ -1,325 +0,0 @@ -policy_module(ppp, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow pppd to load kernel modules for certain modems -##

-##
-gen_tunable(pppd_can_insmod, false) - -## -##

-## Allow pppd to be run for a regular user -##

-##
-gen_tunable(pppd_for_user, false) - -# pppd_t is the domain for the pppd program. -# pppd_exec_t is the type of the pppd executable. -type pppd_t; -type pppd_exec_t; -init_daemon_domain(pppd_t, pppd_exec_t) - -type pppd_devpts_t; -term_pty(pppd_devpts_t) - -# Define a separate type for /etc/ppp -type pppd_etc_t; -files_config_file(pppd_etc_t) - -# Define a separate type for writable files under /etc/ppp -type pppd_etc_rw_t; -files_type(pppd_etc_rw_t) - -type pppd_initrc_exec_t alias pppd_script_exec_t; -init_script_file(pppd_initrc_exec_t) - -# pppd_secret_t is the type of the pap and chap password files -type pppd_secret_t; -files_type(pppd_secret_t) - -type pppd_log_t; -logging_log_file(pppd_log_t) - -type pppd_lock_t; -files_lock_file(pppd_lock_t) - -type pppd_tmp_t; -files_tmp_file(pppd_tmp_t) - -type pppd_var_run_t; -files_pid_file(pppd_var_run_t) - -type pptp_t; -type pptp_exec_t; -init_daemon_domain(pptp_t, pptp_exec_t) - -type pptp_log_t; -logging_log_file(pptp_log_t) - -type pptp_var_run_t; -files_pid_file(pptp_var_run_t) - -######################################## -# -# PPPD Local policy -# - -allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override }; -dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched signal }; -allow pppd_t self:fifo_file rw_fifo_file_perms; -allow pppd_t self:socket create_socket_perms; -allow pppd_t self:unix_dgram_socket create_socket_perms; -allow pppd_t self:unix_stream_socket create_socket_perms; -allow pppd_t self:netlink_route_socket rw_netlink_socket_perms; -allow pppd_t self:tcp_socket create_stream_socket_perms; -allow pppd_t self:udp_socket { connect connected_socket_perms }; -allow pppd_t self:packet_socket create_socket_perms; - -domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) - -allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - -allow pppd_t pppd_etc_t:dir rw_dir_perms; -allow pppd_t pppd_etc_t:file read_file_perms; -allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms; - -manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t) -# Automatically label newly created files under /etc/ppp with this type -filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) - -allow pppd_t pppd_lock_t:file manage_file_perms; -files_lock_filetrans(pppd_t, pppd_lock_t, file) - -allow pppd_t pppd_log_t:file manage_file_perms; -logging_log_filetrans(pppd_t, pppd_log_t, file) - -manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) -manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) -files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) - -manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) -manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) -files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) - -allow pppd_t pptp_t:process signal; - -# for SSP -# Access secret files -allow pppd_t pppd_secret_t:file read_file_perms; - -ppp_initrc_domtrans(pppd_t) - -kernel_read_kernel_sysctls(pppd_t) -kernel_read_system_state(pppd_t) -kernel_rw_net_sysctls(pppd_t) -kernel_read_network_state(pppd_t) -kernel_request_load_module(pppd_t) - -dev_read_urand(pppd_t) -dev_search_sysfs(pppd_t) -dev_read_sysfs(pppd_t) -dev_rw_modem(pppd_t) - -corenet_all_recvfrom_unlabeled(pppd_t) -corenet_all_recvfrom_netlabel(pppd_t) -corenet_tcp_sendrecv_generic_if(pppd_t) -corenet_raw_sendrecv_generic_if(pppd_t) -corenet_udp_sendrecv_generic_if(pppd_t) -corenet_tcp_sendrecv_generic_node(pppd_t) -corenet_raw_sendrecv_generic_node(pppd_t) -corenet_udp_sendrecv_generic_node(pppd_t) -corenet_tcp_sendrecv_all_ports(pppd_t) -corenet_udp_sendrecv_all_ports(pppd_t) -# Access /dev/ppp. -corenet_rw_ppp_dev(pppd_t) - -fs_getattr_all_fs(pppd_t) -fs_search_auto_mountpoints(pppd_t) - -term_use_unallocated_ttys(pppd_t) -term_setattr_unallocated_ttys(pppd_t) -term_ioctl_generic_ptys(pppd_t) -# for pppoe -term_create_pty(pppd_t, pppd_devpts_t) - -# allow running ip-up and ip-down scripts and running chat. -corecmd_exec_bin(pppd_t) -corecmd_exec_shell(pppd_t) - -domain_use_interactive_fds(pppd_t) - -files_exec_etc_files(pppd_t) -files_manage_etc_runtime_files(pppd_t) -files_dontaudit_write_etc_files(pppd_t) - -# for scripts -files_read_etc_files(pppd_t) - -init_read_utmp(pppd_t) -init_dontaudit_write_utmp(pppd_t) -init_signal_script(pppd_t) - -auth_use_nsswitch(pppd_t) - -logging_send_syslog_msg(pppd_t) -logging_send_audit_msgs(pppd_t) - -miscfiles_read_localization(pppd_t) - -sysnet_exec_ifconfig(pppd_t) -sysnet_manage_config(pppd_t) -sysnet_etc_filetrans_config(pppd_t) - -userdom_use_user_terminals(pppd_t) -userdom_dontaudit_use_unpriv_user_fds(pppd_t) -userdom_search_user_home_dirs(pppd_t) - -ppp_exec(pppd_t) - -optional_policy(` - ddclient_domtrans(pppd_t) -') - -optional_policy(` - tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',` - modutils_domtrans_insmod_uncond(pppd_t) - ') -') - -optional_policy(` - mta_send_mail(pppd_t) - mta_system_content(pppd_etc_t) - mta_system_content(pppd_etc_rw_t) -') - -optional_policy(` - networkmanager_signal(pppd_t) -') - -optional_policy(` - postfix_domtrans_master(pppd_t) -') - -optional_policy(` - seutil_sigchld_newrole(pppd_t) -') - -optional_policy(` - udev_read_db(pppd_t) -') - -######################################## -# -# PPTP Local policy -# - -allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; -dontaudit pptp_t self:capability sys_tty_config; -allow pptp_t self:process signal; -allow pptp_t self:fifo_file rw_fifo_file_perms; -allow pptp_t self:unix_dgram_socket create_socket_perms; -allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow pptp_t self:rawip_socket create_socket_perms; -allow pptp_t self:tcp_socket create_socket_perms; -allow pptp_t self:udp_socket create_socket_perms; -allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; - -allow pptp_t pppd_etc_t:dir list_dir_perms; -allow pptp_t pppd_etc_t:file read_file_perms; -allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; - -allow pptp_t pppd_etc_rw_t:dir list_dir_perms; -allow pptp_t pppd_etc_rw_t:file read_file_perms; -allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; -can_exec(pptp_t, pppd_etc_rw_t) - -# Allow pptp to append to pppd log files -allow pptp_t pppd_log_t:file append_file_perms; - -allow pptp_t pptp_log_t:file manage_file_perms; -logging_log_filetrans(pptp_t, pptp_log_t, file) - -manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) -manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) -manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) -files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir }) - -kernel_list_proc(pptp_t) -kernel_read_kernel_sysctls(pptp_t) -kernel_read_proc_symlinks(pptp_t) -kernel_read_system_state(pptp_t) - -dev_read_sysfs(pptp_t) - -corecmd_exec_shell(pptp_t) -corecmd_read_bin_symlinks(pptp_t) - -corenet_all_recvfrom_unlabeled(pptp_t) -corenet_all_recvfrom_netlabel(pptp_t) -corenet_tcp_sendrecv_generic_if(pptp_t) -corenet_raw_sendrecv_generic_if(pptp_t) -corenet_tcp_sendrecv_generic_node(pptp_t) -corenet_raw_sendrecv_generic_node(pptp_t) -corenet_tcp_sendrecv_all_ports(pptp_t) -corenet_tcp_bind_generic_node(pptp_t) -corenet_tcp_connect_generic_port(pptp_t) -corenet_tcp_connect_all_reserved_ports(pptp_t) -corenet_sendrecv_generic_client_packets(pptp_t) - -files_read_etc_files(pptp_t) - -fs_getattr_all_fs(pptp_t) -fs_search_auto_mountpoints(pptp_t) - -term_ioctl_generic_ptys(pptp_t) -term_search_ptys(pptp_t) -term_use_ptmx(pptp_t) - -domain_use_interactive_fds(pptp_t) - -auth_use_nsswitch(pptp_t) - -logging_send_syslog_msg(pptp_t) - -miscfiles_read_localization(pptp_t) - -sysnet_exec_ifconfig(pptp_t) - -userdom_dontaudit_use_unpriv_user_fds(pptp_t) -userdom_dontaudit_search_user_home_dirs(pptp_t) -userdom_signal_unpriv_users(pptp_t) - -optional_policy(` - consoletype_exec(pppd_t) -') - -optional_policy(` - dbus_system_domain(pppd_t, pppd_exec_t) - - optional_policy(` - networkmanager_dbus_chat(pppd_t) - ') -') - -optional_policy(` - hostname_exec(pptp_t) -') - -optional_policy(` - seutil_sigchld_newrole(pptp_t) -') - -optional_policy(` - udev_read_db(pptp_t) -') - -optional_policy(` - postfix_read_config(pppd_t) -') diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc deleted file mode 100644 index 3bd847a..0000000 --- a/policy/modules/services/prelude.fc +++ /dev/null @@ -1,18 +0,0 @@ -/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) -/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0) -/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) -/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) - -/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) - -/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) -/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) -/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) -/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) - -/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) -/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0) -/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) -/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) -/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) -/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if deleted file mode 100644 index 77ef768..0000000 --- a/policy/modules/services/prelude.if +++ /dev/null @@ -1,148 +0,0 @@ -## Prelude hybrid intrusion detection system - -######################################## -## -## Execute a domain transition to run prelude. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`prelude_domtrans',` - gen_require(` - type prelude_t, prelude_exec_t; - ') - - domtrans_pattern($1, prelude_exec_t, prelude_t) -') - -######################################## -## -## Execute a domain transition to run prelude_audisp. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`prelude_domtrans_audisp',` - gen_require(` - type prelude_audisp_t, prelude_audisp_exec_t; - ') - - domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) -') - -######################################## -## -## Signal the prelude_audisp domain. -## -## -## -## Domain allowed acccess. -## -## -# -interface(`prelude_signal_audisp',` - gen_require(` - type prelude_audisp_t; - ') - - allow $1 prelude_audisp_t:process signal; -') - -######################################## -## -## Read the prelude spool files -## -## -## -## Domain allowed access. -## -## -# -interface(`prelude_read_spool',` - gen_require(` - type prelude_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, prelude_spool_t, prelude_spool_t) -') - -######################################## -## -## Manage to prelude-manager spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelude_manage_spool',` - gen_require(` - type prelude_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) - manage_files_pattern($1, prelude_spool_t, prelude_spool_t) -') - -######################################## -## -## All of the rules required to administrate -## an prelude environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`prelude_admin',` - gen_require(` - type prelude_t, prelude_spool_t, prelude_initrc_exec_t; - type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t; - type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t; - type prelude_lml_t; - ') - - allow $1 prelude_t:process { ptrace signal_perms }; - ps_process_pattern($1, prelude_t) - - allow $1 prelude_audisp_t:process { ptrace signal_perms }; - ps_process_pattern($1, prelude_audisp_t) - - allow $1 prelude_lml_t:process { ptrace signal_perms }; - ps_process_pattern($1, prelude_lml_t) - - init_labeled_script_domtrans($1, prelude_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 prelude_initrc_exec_t system_r; - allow $2 system_r; - - files_list_spool($1) - admin_pattern($1, prelude_spool_t) - - files_list_var_lib($1) - admin_pattern($1, prelude_var_lib_t) - - files_list_pids($1) - admin_pattern($1, prelude_var_run_t) - admin_pattern($1, prelude_audisp_var_run_t) - admin_pattern($1, prelude_lml_var_run_t) - - files_list_tmp($1) - admin_pattern($1, prelude_lml_tmp_t) -') diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te deleted file mode 100644 index 7a7310d..0000000 --- a/policy/modules/services/prelude.te +++ /dev/null @@ -1,307 +0,0 @@ -policy_module(prelude, 1.2.1) - -######################################## -# -# Declarations -# - -type prelude_t; -type prelude_exec_t; -init_daemon_domain(prelude_t, prelude_exec_t) - -type prelude_initrc_exec_t; -init_script_file(prelude_initrc_exec_t) - -type prelude_spool_t; -files_type(prelude_spool_t) - -type prelude_log_t; -logging_log_file(prelude_log_t) - -type prelude_var_run_t; -files_pid_file(prelude_var_run_t) - -type prelude_var_lib_t; -files_type(prelude_var_lib_t) - -type prelude_audisp_t; -type prelude_audisp_exec_t; -init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) -logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t) - -type prelude_audisp_var_run_t; -files_pid_file(prelude_audisp_var_run_t) - -type prelude_correlator_t; -type prelude_correlator_exec_t; -init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) - -type prelude_correlator_config_t; -files_config_file(prelude_correlator_config_t) - -type prelude_lml_t; -type prelude_lml_exec_t; -init_daemon_domain(prelude_lml_t, prelude_lml_exec_t) - -type prelude_lml_tmp_t; -files_tmp_file(prelude_lml_tmp_t) - -type prelude_lml_var_run_t; -files_pid_file(prelude_lml_var_run_t) - -######################################## -# -# prelude local policy -# - -allow prelude_t self:capability { dac_override sys_tty_config }; -allow prelude_t self:fifo_file rw_file_perms; -allow prelude_t self:unix_stream_socket create_stream_socket_perms; -allow prelude_t self:netlink_route_socket r_netlink_socket_perms; -allow prelude_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t) -logging_log_filetrans(prelude_t, prelude_log_t, file) - -manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t) -manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t) -files_search_spool(prelude_t) - -manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) -manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) -files_search_var_lib(prelude_t) - -manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) -manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) -manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) -files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file }) - -kernel_read_system_state(prelude_t) -kernel_read_sysctl(prelude_t) - -corecmd_search_bin(prelude_t) - -corenet_all_recvfrom_unlabeled(prelude_t) -corenet_all_recvfrom_netlabel(prelude_t) -corenet_tcp_sendrecv_generic_if(prelude_t) -corenet_tcp_sendrecv_generic_node(prelude_t) -corenet_tcp_bind_generic_node(prelude_t) -corenet_tcp_bind_prelude_port(prelude_t) -corenet_tcp_connect_prelude_port(prelude_t) -corenet_tcp_connect_postgresql_port(prelude_t) -corenet_tcp_connect_mysqld_port(prelude_t) - -dev_read_rand(prelude_t) -dev_read_urand(prelude_t) - -files_read_etc_files(prelude_t) -files_read_etc_runtime_files(prelude_t) -files_read_usr_files(prelude_t) -files_search_tmp(prelude_t) - -fs_rw_anon_inodefs_files(prelude_t) - -auth_use_nsswitch(prelude_t) - -logging_send_audit_msgs(prelude_t) -logging_send_syslog_msg(prelude_t) - -miscfiles_read_localization(prelude_t) - -optional_policy(` - mysql_search_db(prelude_t) - mysql_stream_connect(prelude_t) -') - -optional_policy(` - postgresql_stream_connect(prelude_t) -') - -######################################## -# -# prelude_audisp local policy -# - -allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap }; -allow prelude_audisp_t self:process { getcap setcap }; -allow prelude_audisp_t self:fifo_file rw_file_perms; -allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; -allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; -allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms; -allow prelude_audisp_t self:tcp_socket create_socket_perms; - -manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) -manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) -files_search_spool(prelude_audisp_t) - -manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t) -files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file) - -kernel_read_sysctl(prelude_audisp_t) -kernel_read_system_state(prelude_audisp_t) - -corecmd_search_bin(prelude_audisp_t) - -corenet_all_recvfrom_unlabeled(prelude_audisp_t) -corenet_all_recvfrom_netlabel(prelude_audisp_t) -corenet_tcp_sendrecv_generic_if(prelude_audisp_t) -corenet_tcp_sendrecv_generic_node(prelude_audisp_t) -corenet_tcp_bind_generic_node(prelude_audisp_t) -corenet_tcp_connect_prelude_port(prelude_audisp_t) - -dev_read_rand(prelude_audisp_t) -dev_read_urand(prelude_audisp_t) - -# Init script handling -domain_use_interactive_fds(prelude_audisp_t) - -files_read_etc_files(prelude_audisp_t) -files_read_etc_runtime_files(prelude_audisp_t) -files_search_tmp(prelude_audisp_t) - -logging_send_syslog_msg(prelude_audisp_t) - -miscfiles_read_localization(prelude_audisp_t) - -sysnet_dns_name_resolve(prelude_audisp_t) - -######################################## -# -# prelude_correlator local policy -# - -allow prelude_correlator_t self:capability dac_override; -allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; -allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; -allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; - -allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms; -read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) - -kernel_read_sysctl(prelude_correlator_t) - -corecmd_search_bin(prelude_correlator_t) - -corenet_all_recvfrom_unlabeled(prelude_correlator_t) -corenet_all_recvfrom_netlabel(prelude_correlator_t) -corenet_tcp_sendrecv_generic_if(prelude_correlator_t) -corenet_tcp_sendrecv_generic_node(prelude_correlator_t) -corenet_tcp_connect_prelude_port(prelude_correlator_t) - -dev_read_rand(prelude_correlator_t) -dev_read_urand(prelude_correlator_t) - -files_read_etc_files(prelude_correlator_t) -files_read_usr_files(prelude_correlator_t) -files_search_spool(prelude_correlator_t) - -logging_send_syslog_msg(prelude_correlator_t) - -miscfiles_read_localization(prelude_correlator_t) - -sysnet_dns_name_resolve(prelude_correlator_t) - -prelude_manage_spool(prelude_correlator_t) - -######################################## -# -# prelude_lml local declarations -# - -allow prelude_lml_t self:capability dac_override; -allow prelude_lml_t self:tcp_socket { setopt create_socket_perms }; -allow prelude_lml_t self:unix_dgram_socket create_socket_perms; -allow prelude_lml_t self:fifo_file rw_fifo_file_perms; -allow prelude_lml_t self:unix_stream_socket connectto; - -manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) -manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) -files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) -files_list_tmp(prelude_lml_t) - -manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) -manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) -files_search_spool(prelude_lml_t) - -manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) -manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) -files_search_var_lib(prelude_lml_t) - -manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) -files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) - -kernel_read_system_state(prelude_lml_t) -kernel_read_sysctl(prelude_lml_t) - -corecmd_exec_bin(prelude_lml_t) - -corenet_tcp_sendrecv_generic_if(prelude_lml_t) -corenet_tcp_sendrecv_generic_node(prelude_lml_t) -corenet_tcp_recvfrom_netlabel(prelude_lml_t) -corenet_tcp_recvfrom_unlabeled(prelude_lml_t) -corenet_sendrecv_unlabeled_packets(prelude_lml_t) -corenet_tcp_connect_prelude_port(prelude_lml_t) - -dev_read_rand(prelude_lml_t) -dev_read_urand(prelude_lml_t) - -files_list_etc(prelude_lml_t) -files_read_etc_files(prelude_lml_t) -files_read_etc_runtime_files(prelude_lml_t) - -fs_getattr_all_fs(prelude_lml_t) -fs_list_inotifyfs(prelude_lml_t) -fs_rw_anon_inodefs_files(prelude_lml_t) - -auth_use_nsswitch(prelude_lml_t) - -libs_exec_lib_files(prelude_lml_t) -libs_read_lib_files(prelude_lml_t) - -logging_send_syslog_msg(prelude_lml_t) -logging_read_generic_logs(prelude_lml_t) - -miscfiles_read_localization(prelude_lml_t) - -sysnet_dns_name_resolve(prelude_lml_t) - -userdom_read_all_users_state(prelude_lml_t) - -optional_policy(` - apache_search_sys_content(prelude_lml_t) - apache_read_log(prelude_lml_t) -') - -######################################## -# -# prewikka_cgi Declarations -# - -optional_policy(` - apache_content_template(prewikka) - - can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) - - files_read_etc_files(httpd_prewikka_script_t) - files_search_tmp(httpd_prewikka_script_t) - - kernel_read_sysctl(httpd_prewikka_script_t) - kernel_search_network_sysctl(httpd_prewikka_script_t) - - corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) - - auth_use_nsswitch(httpd_prewikka_script_t) - - logging_send_syslog_msg(httpd_prewikka_script_t) - - apache_search_sys_content(httpd_prewikka_script_t) - - optional_policy(` - mysql_search_db(httpd_prewikka_script_t) - mysql_stream_connect(httpd_prewikka_script_t) - ') - - optional_policy(` - postgresql_stream_connect(httpd_prewikka_script_t) - ') -') diff --git a/policy/modules/services/privoxy.fc b/policy/modules/services/privoxy.fc deleted file mode 100644 index be4998a..0000000 --- a/policy/modules/services/privoxy.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/privoxy/[^/]*\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) -/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0) - -/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) - -/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0) diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if deleted file mode 100644 index 7221526..0000000 --- a/policy/modules/services/privoxy.if +++ /dev/null @@ -1,42 +0,0 @@ -## Privacy enhancing web proxy. - -######################################## -## -## All of the rules required to administrate -## an privoxy environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`privoxy_admin',` - gen_require(` - type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t; - type privoxy_etc_rw_t, privoxy_var_run_t; - ') - - allow $1 privoxy_t:process { ptrace signal_perms }; - ps_process_pattern($1, privoxy_t) - - init_labeled_script_domtrans($1, privoxy_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 privoxy_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, privoxy_log_t) - - files_list_etc($1) - admin_pattern($1, privoxy_etc_rw_t) - - files_list_pids($1) - admin_pattern($1, privoxy_var_run_t) -') diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te deleted file mode 100644 index 2404ddc..0000000 --- a/policy/modules/services/privoxy.te +++ /dev/null @@ -1,103 +0,0 @@ -policy_module(privoxy, 1.10.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow privoxy to connect to all ports, not just -## HTTP, FTP, and Gopher ports. -##

-##
-gen_tunable(privoxy_connect_any, false) - -type privoxy_t; # web_client_domain -type privoxy_exec_t; -init_daemon_domain(privoxy_t, privoxy_exec_t) - -type privoxy_initrc_exec_t; -init_script_file(privoxy_initrc_exec_t) - -type privoxy_etc_rw_t; -files_type(privoxy_etc_rw_t) - -type privoxy_log_t; -logging_log_file(privoxy_log_t) - -type privoxy_var_run_t; -files_pid_file(privoxy_var_run_t) - -######################################## -# -# Local Policy -# - -allow privoxy_t self:capability { setgid setuid }; -dontaudit privoxy_t self:capability sys_tty_config; -allow privoxy_t self:tcp_socket create_stream_socket_perms; - -allow privoxy_t privoxy_etc_rw_t:file rw_file_perms; - -manage_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t) -logging_log_filetrans(privoxy_t, privoxy_log_t, file) - -manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) -files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) - -kernel_read_system_state(privoxy_t) -kernel_read_kernel_sysctls(privoxy_t) - -corenet_all_recvfrom_unlabeled(privoxy_t) -corenet_all_recvfrom_netlabel(privoxy_t) -corenet_tcp_sendrecv_generic_if(privoxy_t) -corenet_tcp_sendrecv_generic_node(privoxy_t) -corenet_tcp_sendrecv_all_ports(privoxy_t) -corenet_tcp_bind_generic_node(privoxy_t) -corenet_tcp_bind_http_cache_port(privoxy_t) -corenet_tcp_connect_http_port(privoxy_t) -corenet_tcp_connect_http_cache_port(privoxy_t) -corenet_tcp_connect_squid_port(privoxy_t) -corenet_tcp_connect_ftp_port(privoxy_t) -corenet_tcp_connect_pgpkeyserver_port(privoxy_t) -corenet_tcp_connect_tor_port(privoxy_t) -corenet_sendrecv_http_cache_client_packets(privoxy_t) -corenet_sendrecv_squid_client_packets(privoxy_t) -corenet_sendrecv_http_cache_server_packets(privoxy_t) -corenet_sendrecv_http_client_packets(privoxy_t) -corenet_sendrecv_ftp_client_packets(privoxy_t) -corenet_sendrecv_tor_client_packets(privoxy_t) - -dev_read_sysfs(privoxy_t) - -fs_getattr_all_fs(privoxy_t) -fs_search_auto_mountpoints(privoxy_t) - -domain_use_interactive_fds(privoxy_t) - -files_read_etc_files(privoxy_t) - -auth_use_nsswitch(privoxy_t) - -logging_send_syslog_msg(privoxy_t) - -miscfiles_read_localization(privoxy_t) - -userdom_dontaudit_use_unpriv_user_fds(privoxy_t) -userdom_dontaudit_search_user_home_dirs(privoxy_t) -# cjp: this should really not be needed -userdom_use_user_terminals(privoxy_t) - -tunable_policy(`privoxy_connect_any',` - corenet_tcp_connect_all_ports(privoxy_t) - corenet_sendrecv_all_client_packets(privoxy_t) -') - -optional_policy(` - seutil_sigchld_newrole(privoxy_t) -') - -optional_policy(` - udev_read_db(privoxy_t) -') diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc deleted file mode 100644 index 4b36a13..0000000 --- a/policy/modules/services/procmail.fc +++ /dev/null @@ -1,7 +0,0 @@ -HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) -/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) - -/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) - -/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) -/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if deleted file mode 100644 index 166e9c3..0000000 --- a/policy/modules/services/procmail.if +++ /dev/null @@ -1,98 +0,0 @@ -## Procmail mail delivery agent - -######################################## -## -## Execute procmail with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`procmail_domtrans',` - gen_require(` - type procmail_exec_t, procmail_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, procmail_exec_t, procmail_t) -') - -######################################## -## -## Execute procmail in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`procmail_exec',` - gen_require(` - type procmail_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, procmail_exec_t) -') - -######################################## -## -## Read procmail tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`procmail_read_tmp_files',` - gen_require(` - type procmail_tmp_t; - ') - - files_search_tmp($1) - allow $1 procmail_tmp_t:file read_file_perms; -') - -######################################## -## -## Read/write procmail tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`procmail_rw_tmp_files',` - gen_require(` - type procmail_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) -') - -######################################## -## -## Read procmail home directory content -## -## -## -## Domain allowed access. -## -## -# -interface(`procmail_read_home_files',` - gen_require(` - type procmail_home_t; - ') - - userdom_search_user_home_dirs($1) - read_files_pattern($1, procmail_home_t, procmail_home_t) -') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te deleted file mode 100644 index 2a70dd1..0000000 --- a/policy/modules/services/procmail.te +++ /dev/null @@ -1,163 +0,0 @@ -policy_module(procmail, 1.12.0) - -######################################## -# -# Declarations -# - -type procmail_t; -type procmail_exec_t; -application_domain(procmail_t, procmail_exec_t) -role system_r types procmail_t; - -type procmail_home_t; -userdom_user_home_content(procmail_home_t) - -type procmail_log_t; -logging_log_file(procmail_log_t) - -type procmail_tmp_t; -files_tmp_file(procmail_tmp_t) - -######################################## -# -# Local policy -# - -allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; -allow procmail_t self:process { setsched signal signull }; -allow procmail_t self:fifo_file rw_fifo_file_perms; -allow procmail_t self:unix_stream_socket create_socket_perms; -allow procmail_t self:unix_dgram_socket create_socket_perms; -allow procmail_t self:tcp_socket create_stream_socket_perms; -allow procmail_t self:udp_socket create_socket_perms; - -can_exec(procmail_t, procmail_exec_t) - -# Write log to /var/log/procmail.log or /var/log/procmail/.* -allow procmail_t procmail_log_t:dir setattr_dir_perms; -create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) - -allow procmail_t procmail_tmp_t:file manage_file_perms; -files_tmp_filetrans(procmail_t, procmail_tmp_t, file) - -kernel_read_system_state(procmail_t) -kernel_read_kernel_sysctls(procmail_t) - -corenet_all_recvfrom_unlabeled(procmail_t) -corenet_all_recvfrom_netlabel(procmail_t) -corenet_tcp_sendrecv_generic_if(procmail_t) -corenet_udp_sendrecv_generic_if(procmail_t) -corenet_tcp_sendrecv_generic_node(procmail_t) -corenet_udp_sendrecv_generic_node(procmail_t) -corenet_tcp_sendrecv_all_ports(procmail_t) -corenet_udp_sendrecv_all_ports(procmail_t) -corenet_udp_bind_generic_node(procmail_t) -corenet_tcp_connect_spamd_port(procmail_t) -corenet_sendrecv_spamd_client_packets(procmail_t) -corenet_sendrecv_comsat_client_packets(procmail_t) - -dev_read_urand(procmail_t) - -fs_getattr_xattr_fs(procmail_t) -fs_search_auto_mountpoints(procmail_t) -fs_rw_anon_inodefs_files(procmail_t) - -auth_use_nsswitch(procmail_t) - -corecmd_exec_bin(procmail_t) -corecmd_exec_shell(procmail_t) -corecmd_read_bin_symlinks(procmail_t) - -files_read_etc_files(procmail_t) -files_read_etc_runtime_files(procmail_t) -files_search_pids(procmail_t) -# for spamassasin -files_read_usr_files(procmail_t) - -logging_send_syslog_msg(procmail_t) -logging_append_all_logs(procmail_t) - -miscfiles_read_localization(procmail_t) - -list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t) -read_files_pattern(procmail_t, procmail_home_t, procmail_home_t) -userdom_search_user_home_dirs(procmail_t) -userdom_search_admin_dir(procmail_t) - -# only works until we define a different type for maildir -userdom_manage_user_home_content_dirs(procmail_t) -userdom_manage_user_home_content_files(procmail_t) -userdom_manage_user_home_content_symlinks(procmail_t) -userdom_manage_user_home_content_pipes(procmail_t) -userdom_manage_user_home_content_sockets(procmail_t) -userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) - -# Execute user executables -userdom_exec_user_bin_files(procmail_t) - -mta_manage_spool(procmail_t) -mta_read_queue(procmail_t) - -ifdef(`hide_broken_symptoms',` - mta_dontaudit_rw_queue(procmail_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(procmail_t) - fs_manage_nfs_files(procmail_t) - fs_manage_nfs_symlinks(procmail_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(procmail_t) - fs_manage_cifs_files(procmail_t) - fs_manage_cifs_symlinks(procmail_t) -') - -optional_policy(` - clamav_domtrans_clamscan(procmail_t) - clamav_search_lib(procmail_t) -') - -optional_policy(` - munin_dontaudit_search_lib(procmail_t) -') - -optional_policy(` - # for a bug in the postfix local program - postfix_dontaudit_rw_local_tcp_sockets(procmail_t) - postfix_dontaudit_use_fds(procmail_t) - postfix_read_spool_files(procmail_t) - postfix_read_local_state(procmail_t) - postfix_read_master_state(procmail_t) -') - -optional_policy(` - nagios_search_spool(procmail_t) -') - -optional_policy(` - pyzor_domtrans(procmail_t) - pyzor_signal(procmail_t) -') - -optional_policy(` - mta_read_config(procmail_t) - sendmail_domtrans(procmail_t) - sendmail_signal(procmail_t) - sendmail_dontaudit_rw_tcp_sockets(procmail_t) - sendmail_dontaudit_rw_unix_stream_sockets(procmail_t) -') - -optional_policy(` - corenet_udp_bind_generic_port(procmail_t) - corenet_dontaudit_udp_bind_all_ports(procmail_t) - - spamassassin_domtrans_local_client(procmail_t) - spamassassin_domtrans_client(procmail_t) - spamassassin_read_lib_files(procmail_t) -') diff --git a/policy/modules/services/psad.fc b/policy/modules/services/psad.fc deleted file mode 100644 index 6c66d44..0000000 --- a/policy/modules/services/psad.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0) -/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0) - -/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0) - -/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) -/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) -/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0) diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if deleted file mode 100644 index d1a3745..0000000 --- a/policy/modules/services/psad.if +++ /dev/null @@ -1,281 +0,0 @@ -## Intrusion Detection and Log Analysis with iptables - -######################################## -## -## Execute a domain transition to run psad. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`psad_domtrans',` - gen_require(` - type psad_t, psad_exec_t; - ') - - domtrans_pattern($1, psad_exec_t, psad_t) -') - -######################################## -## -## Send a generic signal to psad -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_signal',` - gen_require(` - type psad_t; - ') - - allow $1 psad_t:process signal; -') - -####################################### -## -## Send a null signal to psad. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_signull',` - gen_require(` - type psad_t; - ') - - allow $1 psad_t:process signull; -') - -######################################## -## -## Read psad etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_read_config',` - gen_require(` - type psad_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, psad_etc_t, psad_etc_t) -') - -######################################## -## -## Manage psad etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_manage_config',` - gen_require(` - type psad_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, psad_etc_t, psad_etc_t) - manage_files_pattern($1, psad_etc_t, psad_etc_t) -') - -######################################## -## -## Read psad PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_read_pid_files',` - gen_require(` - type psad_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, psad_var_run_t, psad_var_run_t) -') - -######################################## -## -## Read and write psad PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_rw_pid_files',` - gen_require(` - type psad_var_run_t; - ') - - files_search_pids($1) - rw_files_pattern($1, psad_var_run_t, psad_var_run_t) -') - -######################################## -## -## Allow the specified domain to read psad's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`psad_read_log',` - gen_require(` - type psad_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) - read_files_pattern($1, psad_var_log_t, psad_var_log_t) -') - -######################################## -## -## Allow the specified domain to append to psad's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`psad_append_log',` - gen_require(` - type psad_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) - append_files_pattern($1, psad_var_log_t, psad_var_log_t) -') - -######################################## -## -## Allow the specified domain to write to psad's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`psad_write_log',` - gen_require(` - type psad_var_log_t; - ') - - logging_search_logs($1) - write_files_pattern($1, psad_var_log_t, psad_var_log_t) -') - -######################################## -## -## Read and write psad fifo files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_rw_fifo_file',` - gen_require(` - type psad_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) - rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) -') - -####################################### -## -## Read and write psad tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_rw_tmp_files',` - gen_require(` - type psad_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, psad_tmp_t, psad_tmp_t) -') - -######################################## -## -## All of the rules required to administrate -## an psad environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -# -interface(`psad_admin',` - gen_require(` - type psad_t, psad_var_run_t, psad_var_log_t; - type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t; - type psad_tmp_t; - ') - - allow $1 psad_t:process { ptrace signal_perms }; - ps_process_pattern($1, psad_t) - - init_labeled_script_domtrans($1, psad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 psad_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, psad_etc_t) - - files_list_pids($1) - admin_pattern($1, psad_var_run_t) - - logging_list_logs($1) - admin_pattern($1, psad_var_log_t) - - files_list_var_lib($1) - admin_pattern($1, psad_var_lib_t) - - files_list_tmp($1) - admin_pattern($1, psad_tmp_t) -') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te deleted file mode 100644 index c23cd14..0000000 --- a/policy/modules/services/psad.te +++ /dev/null @@ -1,108 +0,0 @@ -policy_module(psad, 1.0.0) - -######################################## -# -# Declarations -# - -type psad_t; -type psad_exec_t; -init_daemon_domain(psad_t, psad_exec_t) - -# config files -type psad_etc_t; -files_type(psad_etc_t) - -type psad_initrc_exec_t; -init_script_file(psad_initrc_exec_t) - -# var/lib files -type psad_var_lib_t; -files_type(psad_var_lib_t) - -# log files -type psad_var_log_t; -logging_log_file(psad_var_log_t) - -# pid files -type psad_var_run_t; -files_pid_file(psad_var_run_t) - -# tmp files -type psad_tmp_t; -files_tmp_file(psad_tmp_t) - -######################################## -# -# psad local policy -# - -allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; -dontaudit psad_t self:capability sys_tty_config; -allow psad_t self:process signull; -allow psad_t self:fifo_file rw_fifo_file_perms; -allow psad_t self:rawip_socket create_socket_perms; - -# config files -read_files_pattern(psad_t, psad_etc_t, psad_etc_t) -list_dirs_pattern(psad_t, psad_etc_t, psad_etc_t) - -# log files -manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t) -manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) -logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) - -# pid file -manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t) -manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) -manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) -files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file }) - -# tmp files -manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) -manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t) -files_tmp_filetrans(psad_t, psad_tmp_t, { file dir }) - -# /var/lib files -search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) -manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) - -kernel_read_system_state(psad_t) -kernel_read_network_state(psad_t) -kernel_read_net_sysctls(psad_t) - -corecmd_exec_shell(psad_t) -corecmd_exec_bin(psad_t) - -corenet_all_recvfrom_unlabeled(psad_t) -corenet_all_recvfrom_netlabel(psad_t) -corenet_tcp_sendrecv_generic_if(psad_t) -corenet_tcp_sendrecv_generic_node(psad_t) -corenet_tcp_bind_generic_node(psad_t) -corenet_tcp_sendrecv_all_ports(psad_t) -corenet_tcp_connect_whois_port(psad_t) -corenet_sendrecv_whois_client_packets(psad_t) - -dev_read_urand(psad_t) - -files_read_etc_runtime_files(psad_t) -files_read_usr_files(psad_t) - -fs_getattr_all_fs(psad_t) - -auth_use_nsswitch(psad_t) - -iptables_domtrans(psad_t) - -logging_read_generic_logs(psad_t) -logging_read_syslog_config(psad_t) -logging_send_syslog_msg(psad_t) - -miscfiles_read_localization(psad_t) - -sysnet_exec_ifconfig(psad_t) - -optional_policy(` - mta_send_mail(psad_t) - mta_read_queue(psad_t) -') diff --git a/policy/modules/services/publicfile.fc b/policy/modules/services/publicfile.fc deleted file mode 100644 index 5b20b68..0000000 --- a/policy/modules/services/publicfile.fc +++ /dev/null @@ -1,7 +0,0 @@ - -/usr/bin/ftpd -- gen_context(system_u:object_r:publicfile_exec_t,s0) -/usr/bin/httpd -- gen_context(system_u:object_r:publicfile_exec_t,s0) - -# this is the place where online content located -# set this to suit your needs -#/var/www(/.*)? gen_context(system_u:object_r:publicfile_content_t,s0) diff --git a/policy/modules/services/publicfile.if b/policy/modules/services/publicfile.if deleted file mode 100644 index 5b07592..0000000 --- a/policy/modules/services/publicfile.if +++ /dev/null @@ -1 +0,0 @@ -## publicfile supplies files to the public through HTTP and FTP diff --git a/policy/modules/services/publicfile.te b/policy/modules/services/publicfile.te deleted file mode 100644 index 32edb73..0000000 --- a/policy/modules/services/publicfile.te +++ /dev/null @@ -1,34 +0,0 @@ -policy_module(publicfile, 1.1.0) - -######################################## -# -# Declarations -# - -type publicfile_t; -type publicfile_exec_t; -init_daemon_domain(publicfile_t, publicfile_exec_t) - -type publicfile_content_t; -files_type(publicfile_content_t) - -######################################## -# -# Local policy -# - -allow publicfile_t self:capability { dac_override setgid setuid sys_chroot }; -allow publicfile_t publicfile_content_t:dir list_dir_perms; -allow publicfile_t publicfile_content_t:file read_file_perms; - -files_search_var(publicfile_t) - -optional_policy(` - daemontools_ipc_domain(publicfile_t) -') - -optional_policy(` - ucspitcp_service_domain(publicfile_t, publicfile_exec_t) -') - -#allow publicfile_t initrc_t:tcp_socket { read write }; diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc deleted file mode 100644 index 2f1e529..0000000 --- a/policy/modules/services/puppet.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) - -/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) - -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) - -/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) -/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) -/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if deleted file mode 100644 index 0456b11..0000000 --- a/policy/modules/services/puppet.if +++ /dev/null @@ -1,31 +0,0 @@ -## Puppet client daemon -## -##

-## Puppet is a configuration management system written in Ruby. -## The client daemon is responsible for periodically requesting the -## desired system state from the server and ensuring the state of -## the client system matches. -##

-##
- -################################################ -## -## Read / Write to Puppet temp files. Puppet uses -## some system binaries (groupadd, etc) that run in -## a non-puppet domain and redirects output into temp -## files. -## -## -## -## Domain allowed access. -## -## -# -interface(`puppet_rw_tmp',` - gen_require(` - type puppet_tmp_t; - ') - - allow $1 puppet_tmp_t:file rw_file_perms; - files_search_tmp($1) -') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te deleted file mode 100644 index 80c1f5d..0000000 --- a/policy/modules/services/puppet.te +++ /dev/null @@ -1,244 +0,0 @@ -policy_module(puppet, 1.0.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow Puppet client to manage all file -## types. -##

-##
-gen_tunable(puppet_manage_all_files, false) - -type puppet_t; -type puppet_exec_t; -init_daemon_domain(puppet_t, puppet_exec_t) - -type puppet_etc_t; -files_config_file(puppet_etc_t) - -type puppet_initrc_exec_t; -init_script_file(puppet_initrc_exec_t) - -type puppet_log_t; -logging_log_file(puppet_log_t) - -type puppet_tmp_t; -files_tmp_file(puppet_tmp_t) - -type puppet_var_lib_t; -files_type(puppet_var_lib_t) - -type puppet_var_run_t; -files_pid_file(puppet_var_run_t) - -type puppetmaster_t; -type puppetmaster_exec_t; -init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) - -type puppetmaster_initrc_exec_t; -init_script_file(puppetmaster_initrc_exec_t) - -type puppetmaster_tmp_t; -files_tmp_file(puppetmaster_tmp_t) - -######################################## -# -# Puppet personal policy -# - -allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; -allow puppet_t self:process { signal signull getsched setsched }; -allow puppet_t self:fifo_file rw_fifo_file_perms; -allow puppet_t self:netlink_route_socket create_netlink_socket_perms; -allow puppet_t self:tcp_socket create_stream_socket_perms; -allow puppet_t self:udp_socket create_socket_perms; - -read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) - -manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -files_search_var_lib(puppet_t) - -manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) - -create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) -create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) - -manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) - -kernel_dontaudit_search_sysctl(puppet_t) -kernel_dontaudit_search_kernel_sysctl(puppet_t) -kernel_read_system_state(puppet_t) -kernel_read_crypto_sysctls(puppet_t) - -corecmd_exec_bin(puppet_t) -corecmd_exec_shell(puppet_t) - -corenet_all_recvfrom_netlabel(puppet_t) -corenet_all_recvfrom_unlabeled(puppet_t) -corenet_tcp_sendrecv_generic_if(puppet_t) -corenet_tcp_sendrecv_generic_node(puppet_t) -corenet_tcp_bind_generic_node(puppet_t) -corenet_tcp_connect_puppet_port(puppet_t) -corenet_sendrecv_puppet_client_packets(puppet_t) - -dev_read_rand(puppet_t) -dev_read_sysfs(puppet_t) -dev_read_urand(puppet_t) - -domain_read_all_domains_state(puppet_t) -domain_interactive_fd(puppet_t) - -files_manage_config_files(puppet_t) -files_manage_config_dirs(puppet_t) -files_manage_etc_dirs(puppet_t) -files_manage_etc_files(puppet_t) -files_read_usr_symlinks(puppet_t) -files_relabel_config_dirs(puppet_t) -files_relabel_config_files(puppet_t) - -selinux_search_fs(puppet_t) -selinux_set_all_booleans(puppet_t) -selinux_set_generic_booleans(puppet_t) -selinux_validate_context(puppet_t) - -term_dontaudit_getattr_unallocated_ttys(puppet_t) -term_dontaudit_getattr_all_ttys(puppet_t) - -init_all_labeled_script_domtrans(puppet_t) -init_domtrans_script(puppet_t) -init_read_utmp(puppet_t) -init_signull_script(puppet_t) - -logging_send_syslog_msg(puppet_t) - -miscfiles_read_hwdata(puppet_t) -miscfiles_read_localization(puppet_t) - -seutil_domtrans_setfiles(puppet_t) -seutil_domtrans_semanage(puppet_t) - -sysnet_dns_name_resolve(puppet_t) -sysnet_run_ifconfig(puppet_t, system_r) - -tunable_policy(`puppet_manage_all_files',` - auth_manage_all_files_except_shadow(puppet_t) -') - -optional_policy(` - consoletype_domtrans(puppet_t) -') - -optional_policy(` - hostname_exec(puppet_t) -') - -optional_policy(` - files_rw_var_files(puppet_t) - - rpm_domtrans(puppet_t) - rpm_manage_db(puppet_t) - rpm_manage_log(puppet_t) -') - -optional_policy(` - unconfined_domain(puppet_t) -') - -optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) -') - -######################################## -# -# Pupper master personal policy -# - -allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -allow puppetmaster_t self:process { signal_perms getsched setsched }; -allow puppetmaster_t self:fifo_file rw_fifo_file_perms; -allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; -allow puppetmaster_t self:socket create; -allow puppetmaster_t self:tcp_socket create_stream_socket_perms; -allow puppetmaster_t self:udp_socket create_socket_perms; - -list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) -read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) - -allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms }; -allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) -allow puppetmaster_t puppet_log_t:file relabel_file_perms; - -manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) -manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) -allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; - -setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) -manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) -files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) -allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; - -manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) -manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) -files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) -allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms; - -kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) -kernel_read_system_state(puppetmaster_t) -kernel_read_crypto_sysctls(puppetmaster_t) -kernel_read_kernel_sysctls(puppetmaster_t) - -corecmd_exec_bin(puppetmaster_t) -corecmd_exec_shell(puppetmaster_t) - -corenet_all_recvfrom_netlabel(puppetmaster_t) -corenet_all_recvfrom_unlabeled(puppetmaster_t) -corenet_tcp_sendrecv_generic_if(puppetmaster_t) -corenet_tcp_sendrecv_generic_node(puppetmaster_t) -corenet_tcp_bind_generic_node(puppetmaster_t) -corenet_tcp_bind_puppet_port(puppetmaster_t) -corenet_sendrecv_puppet_server_packets(puppetmaster_t) - -dev_read_rand(puppetmaster_t) -dev_read_urand(puppetmaster_t) - -domain_read_all_domains_state(puppetmaster_t) - -files_read_etc_files(puppetmaster_t) -files_search_var_lib(puppetmaster_t) - -selinux_validate_context(puppetmaster_t) - -logging_send_syslog_msg(puppetmaster_t) - -miscfiles_read_localization(puppetmaster_t) - -seutil_read_file_contexts(puppetmaster_t) - -sysnet_dns_name_resolve(puppetmaster_t) -sysnet_run_ifconfig(puppetmaster_t, system_r) - -mta_send_mail(puppetmaster_t) - -optional_policy(` - hostname_exec(puppetmaster_t) -') - -optional_policy(` - files_read_usr_symlinks(puppetmaster_t) - - rpm_exec(puppetmaster_t) - rpm_read_db(puppetmaster_t) -') diff --git a/policy/modules/services/pxe.fc b/policy/modules/services/pxe.fc deleted file mode 100644 index 44b3a0c..0000000 --- a/policy/modules/services/pxe.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0) - -/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0) - -/var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) diff --git a/policy/modules/services/pxe.if b/policy/modules/services/pxe.if deleted file mode 100644 index d3d6a6b..0000000 --- a/policy/modules/services/pxe.if +++ /dev/null @@ -1 +0,0 @@ -## Server for the PXE network boot protocol diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te deleted file mode 100644 index fec69eb..0000000 --- a/policy/modules/services/pxe.te +++ /dev/null @@ -1,63 +0,0 @@ -policy_module(pxe, 1.4.0) - -# cjp: policy seems incomplete - -######################################## -# -# Declarations -# - -type pxe_t; -type pxe_exec_t; -init_daemon_domain(pxe_t, pxe_exec_t) - -type pxe_log_t; -logging_log_file(pxe_log_t) - -type pxe_var_run_t; -files_pid_file(pxe_var_run_t) - -######################################## -# -# Local policy -# - -allow pxe_t self:capability { chown setgid setuid }; -dontaudit pxe_t self:capability sys_tty_config; -allow pxe_t self:process signal_perms; - -allow pxe_t pxe_log_t:file manage_file_perms; -logging_log_filetrans(pxe_t, pxe_log_t, file) - -manage_files_pattern(pxe_t, pxe_var_run_t, pxe_var_run_t) -files_pid_filetrans(pxe_t, pxe_var_run_t, file) - -kernel_read_kernel_sysctls(pxe_t) -kernel_list_proc(pxe_t) -kernel_read_proc_symlinks(pxe_t) - -corenet_udp_bind_pxe_port(pxe_t) - -dev_read_sysfs(pxe_t) - -domain_use_interactive_fds(pxe_t) - -files_read_etc_files(pxe_t) - -fs_getattr_all_fs(pxe_t) -fs_search_auto_mountpoints(pxe_t) - -logging_send_syslog_msg(pxe_t) - -miscfiles_read_localization(pxe_t) - -userdom_dontaudit_use_unpriv_user_fds(pxe_t) -userdom_dontaudit_search_user_home_dirs(pxe_t) - -optional_policy(` - seutil_sigchld_newrole(pxe_t) -') - -optional_policy(` - udev_read_db(pxe_t) -') diff --git a/policy/modules/services/pyicqt.fc b/policy/modules/services/pyicqt.fc deleted file mode 100644 index 491fe8f..0000000 --- a/policy/modules/services/pyicqt.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0) - -/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) - -/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) - -/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0) diff --git a/policy/modules/services/pyicqt.if b/policy/modules/services/pyicqt.if deleted file mode 100644 index 9604b6a..0000000 --- a/policy/modules/services/pyicqt.if +++ /dev/null @@ -1 +0,0 @@ -## PyICQt is an ICQ transport for XMPP server. diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te deleted file mode 100644 index a841221..0000000 --- a/policy/modules/services/pyicqt.te +++ /dev/null @@ -1,59 +0,0 @@ -policy_module(pyicqt, 1.0.0) - -######################################## -# -# Declarations -# - -type pyicqt_t; -type pyicqt_exec_t; -init_daemon_domain(pyicqt_t, pyicqt_exec_t) - -type pyicqt_conf_t; -files_config_file(pyicqt_conf_t) - -type pyicqt_spool_t; -files_type(pyicqt_spool_t) - -type pyicqt_var_run_t; -files_pid_file(pyicqt_var_run_t) - -######################################## -# -# PyICQt policy -# - -allow pyicqt_t self:fifo_file rw_fifo_file_perms; -allow pyicqt_t self:tcp_socket create_socket_perms; -allow pyicqt_t self:udp_socket create_socket_perms; - -read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t) - -manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) -manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) -files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file }) - -manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t) -files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file) - -kernel_read_system_state(pyicqt_t) - -corecmd_exec_bin(pyicqt_t) - -corenet_all_recvfrom_unlabeled(pyicqt_t) -corenet_all_recvfrom_netlabel(pyicqt_t) -corenet_tcp_sendrecv_generic_if(pyicqt_t) -corenet_tcp_sendrecv_generic_node(pyicqt_t) -corenet_tcp_connect_generic_port(pyicqt_t) -corenet_sendrecv_generic_client_packets(pyicqt_t) - -dev_read_urand(pyicqt_t) - -files_read_etc_files(pyicqt_t) -files_read_usr_files(pyicqt_t) - -libs_read_lib_files(pyicqt_t) - -miscfiles_read_localization(pyicqt_t) - -sysnet_read_config(pyicqt_t) diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc deleted file mode 100644 index 705196e..0000000 --- a/policy/modules/services/pyzor.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) -/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) - -HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) -HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) -/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) -/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) - -/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) -/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) - -/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) -/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0) diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if deleted file mode 100644 index aa3d0b4..0000000 --- a/policy/modules/services/pyzor.if +++ /dev/null @@ -1,135 +0,0 @@ -## Pyzor is a distributed, collaborative spam detection and filtering network. - -######################################## -## -## Role access for pyzor -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -interface(`pyzor_role',` - gen_require(` - type pyzor_t, pyzor_exec_t; - type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t; - ') - - role $1 types pyzor_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, pyzor_exec_t, pyzor_t) - - # allow ps to show pyzor and allow the user to kill it - ps_process_pattern($2, pyzor_t) - allow $2 pyzor_t:process { ptrace signal_perms }; -') - -######################################## -## -## Send generic signals to pyzor -## -## -## -## Domain allowed access. -## -## -# -interface(`pyzor_signal',` - gen_require(` - type pyzor_t; - ') - - allow $1 pyzor_t:process signal; -') - -######################################## -## -## Execute pyzor with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pyzor_domtrans',` - gen_require(` - type pyzor_exec_t, pyzor_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, pyzor_exec_t, pyzor_t) -') - -######################################## -## -## Execute pyzor in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`pyzor_exec',` - gen_require(` - type pyzor_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, pyzor_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an pyzor environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the pyzor domain. -## -## -## -# -interface(`pyzor_admin',` - gen_require(` - type pyzord_t, pyzor_tmp_t, pyzord_log_t; - type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; - ') - - allow $1 pyzord_t:process { ptrace signal_perms }; - ps_process_pattern($1, pyzord_t) - - init_labeled_script_domtrans($1, pyzord_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pyzord_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, pyzor_tmp_t) - - logging_list_logs($1) - admin_pattern($1, pyzord_log_t) - - files_list_etc($1) - admin_pattern($1, pyzor_etc_t) - - files_list_var_lib($1) - admin_pattern($1, pyzor_var_lib_t) -') diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te deleted file mode 100644 index d455637..0000000 --- a/policy/modules/services/pyzor.te +++ /dev/null @@ -1,174 +0,0 @@ -policy_module(pyzor, 2.1.0) - -######################################## -# -# Declarations -# - -ifdef(`distro_redhat',` - gen_require(` - type spamc_t, spamc_exec_t, spamd_t; - type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t; - type spamd_log_t, spamd_var_lib_t, spamd_etc_t; - type spamc_tmp_t, spamc_home_t; - ') - - typealias spamc_t alias pyzor_t; - typealias spamc_exec_t alias pyzor_exec_t; - typealias spamd_t alias pyzord_t; - typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; - typealias spamd_exec_t alias pyzord_exec_t; - typealias spamc_tmp_t alias pyzor_tmp_t; - typealias spamd_log_t alias pyzor_log_t; - typealias spamd_log_t alias pyzord_log_t; - typealias spamd_var_lib_t alias pyzor_var_lib_t; - typealias spamd_etc_t alias pyzor_etc_t; - typealias spamc_home_t alias pyzor_home_t; - typealias spamc_home_t alias user_pyzor_home_t; -',` - type pyzor_t; - type pyzor_exec_t; - typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; - typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; - application_domain(pyzor_t, pyzor_exec_t) - ubac_constrained(pyzor_t) - role system_r types pyzor_t; - - type pyzor_etc_t; - files_type(pyzor_etc_t) - - type pyzor_home_t; - typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; - typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; - userdom_user_home_content(pyzor_home_t) - - type pyzor_tmp_t; - typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; - typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; - files_tmp_file(pyzor_tmp_t) - ubac_constrained(pyzor_tmp_t) - - type pyzor_var_lib_t; - typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; - typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; - files_type(pyzor_var_lib_t) - ubac_constrained(pyzor_var_lib_t) - - type pyzord_t; - type pyzord_exec_t; - init_daemon_domain(pyzord_t, pyzord_exec_t) - - type pyzord_log_t; - logging_log_file(pyzord_log_t) -') - -######################################## -# -# Pyzor client local policy -# - -allow pyzor_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file }) - -allow pyzor_t pyzor_var_lib_t:dir list_dir_perms; -read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t) -files_search_var_lib(pyzor_t) - -manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) -manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) -files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(pyzor_t) -kernel_read_system_state(pyzor_t) - -corecmd_list_bin(pyzor_t) -corecmd_getattr_bin_files(pyzor_t) - -corenet_tcp_sendrecv_generic_if(pyzor_t) -corenet_udp_sendrecv_generic_if(pyzor_t) -corenet_tcp_sendrecv_generic_node(pyzor_t) -corenet_udp_sendrecv_generic_node(pyzor_t) -corenet_tcp_sendrecv_all_ports(pyzor_t) -corenet_udp_sendrecv_all_ports(pyzor_t) -corenet_tcp_connect_http_port(pyzor_t) - -dev_read_urand(pyzor_t) - -fs_getattr_xattr_fs(pyzor_t) - -files_read_etc_files(pyzor_t) - -auth_use_nsswitch(pyzor_t) - -miscfiles_read_localization(pyzor_t) - -mta_read_queue(pyzor_t) - -userdom_dontaudit_search_user_home_dirs(pyzor_t) - -optional_policy(` - amavis_manage_lib_files(pyzor_t) - amavis_manage_spool_files(pyzor_t) -') - -optional_policy(` - spamassassin_signal_spamd(pyzor_t) - spamassassin_read_spamd_tmp_files(pyzor_t) -') - -######################################## -# -# Pyzor server local policy -# - -allow pyzord_t self:udp_socket create_socket_perms; - -manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t) -allow pyzord_t pyzor_var_lib_t:dir setattr; -files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir }) - -read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t) -allow pyzord_t pyzor_etc_t:dir list_dir_perms; - -can_exec(pyzord_t, pyzor_exec_t) - -manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) -allow pyzord_t pyzord_log_t:dir setattr_dir_perms; -logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir }) - -kernel_read_kernel_sysctls(pyzord_t) -kernel_read_system_state(pyzord_t) - -dev_read_urand(pyzord_t) - -corecmd_exec_bin(pyzord_t) - -corenet_all_recvfrom_unlabeled(pyzord_t) -corenet_all_recvfrom_netlabel(pyzord_t) -corenet_udp_sendrecv_generic_if(pyzord_t) -corenet_udp_sendrecv_generic_node(pyzord_t) -corenet_udp_sendrecv_all_ports(pyzord_t) -corenet_udp_bind_generic_node(pyzord_t) -corenet_udp_bind_pyzor_port(pyzord_t) -corenet_sendrecv_pyzor_server_packets(pyzord_t) - -files_read_etc_files(pyzord_t) - -auth_use_nsswitch(pyzord_t) - -locallogin_dontaudit_use_fds(pyzord_t) - -miscfiles_read_localization(pyzord_t) - -# Do not audit attempts to access /root. -userdom_dontaudit_search_user_home_dirs(pyzord_t) - -mta_manage_spool(pyzord_t) - -optional_policy(` - logging_send_syslog_msg(pyzord_t) -') diff --git a/policy/modules/services/qmail.fc b/policy/modules/services/qmail.fc deleted file mode 100644 index 0055e54..0000000 --- a/policy/modules/services/qmail.fc +++ /dev/null @@ -1,47 +0,0 @@ - -/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) -/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0) - -/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) -/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) -/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) -/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) -/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) -/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) -/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) -/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) -/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) -/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) -/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) -/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) -/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) - -/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - -/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) - -ifdef(`distro_debian', ` -/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - -/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) - -#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0) - -/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) -/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) -/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) -/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) -/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) -/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) -/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) -/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) -/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) -/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) -/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) -/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) - -/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - -/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) -') - diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if deleted file mode 100644 index 77a25f5..0000000 --- a/policy/modules/services/qmail.if +++ /dev/null @@ -1,149 +0,0 @@ -## Qmail Mail Server - -######################################## -## -## Template for qmail parent/sub-domain pairs -## -## -## -## The prefix of the child domain -## -## -## -## -## The name of the parent domain. -## -## -# -template(`qmail_child_domain_template',` - type $1_t; - domain_type($1_t) - type $1_exec_t; - domain_entry_file($1_t, $1_exec_t) - domain_auto_trans($2, $1_exec_t, $1_t) - role system_r types $1_t; - - allow $1_t self:process signal_perms; - - allow $1_t $2:fd use; - allow $1_t $2:fifo_file rw_file_perms; - allow $1_t $2:process sigchld; - - allow $1_t qmail_etc_t:dir list_dir_perms; - allow $1_t qmail_etc_t:file read_file_perms; - allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms; - - allow $1_t qmail_start_t:fd use; - - kernel_list_proc($2) - kernel_read_proc_symlinks($2) - - corecmd_search_bin($1_t) - - files_search_var($1_t) - - fs_getattr_xattr_fs($1_t) - - miscfiles_read_localization($1_t) -') - -######################################## -## -## Transition to qmail_inject_t -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qmail_domtrans_inject',` - gen_require(` - type qmail_inject_t, qmail_inject_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) - - ifdef(`distro_debian',` - files_search_usr($1) - ',` - files_search_var($1) - ') -') - -######################################## -## -## Transition to qmail_queue_t -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qmail_domtrans_queue',` - gen_require(` - type qmail_queue_t, qmail_queue_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) - - ifdef(`distro_debian',` - files_search_usr($1) - ',` - files_search_var($1) - ') -') - -######################################## -## -## Read qmail configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`qmail_read_config',` - gen_require(` - type qmail_etc_t; - ') - - allow $1 qmail_etc_t:dir list_dir_perms; - allow $1 qmail_etc_t:file read_file_perms; - allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; - files_search_var($1) - - ifdef(`distro_debian',` - # handle /etc/qmail - files_search_etc($1) - ') -') - -######################################## -## -## Define the specified domain as a qmail-smtp service. -## Needed by antivirus/antispam filters. -## -## -## -## Domain allowed access -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`qmail_smtpd_service_domain',` - gen_require(` - type qmail_smtpd_t; - ') - - domtrans_pattern(qmail_smtpd_t, $2, $1) -') diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te deleted file mode 100644 index 54329f9..0000000 --- a/policy/modules/services/qmail.te +++ /dev/null @@ -1,325 +0,0 @@ -policy_module(qmail, 1.5.0) - -######################################## -# -# Declarations -# - -attribute qmail_user_domains; - -type qmail_alias_home_t; -files_type(qmail_alias_home_t) - -qmail_child_domain_template(qmail_clean, qmail_start_t) - -type qmail_etc_t; -files_config_file(qmail_etc_t) - -type qmail_exec_t; -files_type(qmail_exec_t) - -type qmail_inject_t, qmail_user_domains; -type qmail_inject_exec_t; -domain_type(qmail_inject_t) -domain_entry_file(qmail_inject_t, qmail_inject_exec_t) -mta_mailserver_user_agent(qmail_inject_t) -role system_r types qmail_inject_t; - -qmail_child_domain_template(qmail_local, qmail_lspawn_t) -mta_mailserver_delivery(qmail_local_t) - -qmail_child_domain_template(qmail_lspawn, qmail_start_t) -mta_mailserver_delivery(qmail_lspawn_t) - -qmail_child_domain_template(qmail_queue, qmail_inject_t) -typeattribute qmail_queue_t qmail_user_domains; -mta_mailserver_user_agent(qmail_queue_t) - -qmail_child_domain_template(qmail_remote, qmail_rspawn_t) -mta_mailserver_sender(qmail_remote_t) - -qmail_child_domain_template(qmail_rspawn, qmail_start_t) - -qmail_child_domain_template(qmail_send, qmail_start_t) - -qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) - -qmail_child_domain_template(qmail_splogger, qmail_start_t) - -type qmail_spool_t; -files_type(qmail_spool_t) - -type qmail_start_t; -type qmail_start_exec_t; -init_daemon_domain(qmail_start_t, qmail_start_exec_t) - -type qmail_tcp_env_t; -type qmail_tcp_env_exec_t; -application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) - -######################################## -# -# qmail-clean local policy -# this component cleans up the queue directory -# - -read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) -delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) - -######################################## -# -# qmail-inject local policy -# this component preprocesses mail from stdin and invokes qmail-queue -# - -allow qmail_inject_t self:process signal_perms; -allow qmail_inject_t self:fifo_file write_fifo_file_perms; - -allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; - -corecmd_search_bin(qmail_inject_t) - -files_search_var(qmail_inject_t) - -miscfiles_read_localization(qmail_inject_t) - -qmail_read_config(qmail_inject_t) - -######################################## -# -# qmail-local local policy -# this component delivers a mail message -# - -allow qmail_local_t self:process signal_perms; -allow qmail_local_t self:fifo_file write_file_perms; -allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) -manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) - -can_exec(qmail_local_t, qmail_local_exec_t) - -allow qmail_local_t qmail_queue_exec_t:file read_file_perms; - -allow qmail_local_t qmail_spool_t:file read_file_perms; - -kernel_read_system_state(qmail_local_t) - -corecmd_exec_bin(qmail_local_t) -corecmd_exec_shell(qmail_local_t) - -files_read_etc_files(qmail_local_t) -files_read_etc_runtime_files(qmail_local_t) - -auth_use_nsswitch(qmail_local_t) - -logging_send_syslog_msg(qmail_local_t) - -mta_append_spool(qmail_local_t) - -qmail_domtrans_queue(qmail_local_t) - -optional_policy(` - uucp_domtrans(qmail_local_t) -') - -optional_policy(` - spamassassin_domtrans_client(qmail_local_t) -') - -######################################## -# -# qmail-lspawn local policy -# this component schedules local deliveries -# - -allow qmail_lspawn_t self:capability { setuid setgid }; -allow qmail_lspawn_t self:process signal_perms; -allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms; -allow qmail_lspawn_t self:unix_stream_socket create_socket_perms; - -can_exec(qmail_lspawn_t, qmail_exec_t) - -allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms; - -read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) - -corecmd_search_bin(qmail_lspawn_t) - -files_read_etc_files(qmail_lspawn_t) -files_search_pids(qmail_lspawn_t) -files_search_tmp(qmail_lspawn_t) - -######################################## -# -# qmail-queue local policy -# this component places a mail in a delivery queue, later to be processed by qmail-send -# - -allow qmail_queue_t qmail_lspawn_t:fd use; -allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; - -allow qmail_queue_t qmail_smtpd_t:process sigchld; -allow qmail_queue_t qmail_smtpd_t:fd use; -allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; - -manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) -manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) -rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) - -corecmd_exec_bin(qmail_queue_t) - -logging_send_syslog_msg(qmail_queue_t) - -optional_policy(` - daemontools_ipc_domain(qmail_queue_t) -') - -######################################## -# -# qmail-remote local policy -# this component sends mail via SMTP -# - -allow qmail_remote_t self:tcp_socket create_socket_perms; -allow qmail_remote_t self:udp_socket create_socket_perms; - -rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t) - -corenet_all_recvfrom_unlabeled(qmail_remote_t) -corenet_all_recvfrom_netlabel(qmail_remote_t) -corenet_tcp_sendrecv_generic_if(qmail_remote_t) -corenet_udp_sendrecv_generic_if(qmail_remote_t) -corenet_tcp_sendrecv_generic_node(qmail_remote_t) -corenet_udp_sendrecv_generic_node(qmail_remote_t) -corenet_tcp_sendrecv_smtp_port(qmail_remote_t) -corenet_udp_sendrecv_dns_port(qmail_remote_t) -corenet_tcp_connect_smtp_port(qmail_remote_t) -corenet_sendrecv_smtp_client_packets(qmail_remote_t) - -dev_read_rand(qmail_remote_t) -dev_read_urand(qmail_remote_t) - -sysnet_read_config(qmail_remote_t) - -######################################## -# -# qmail-rspawn local policy -# this component scedules remote deliveries -# - -allow qmail_rspawn_t self:process signal_perms; -allow qmail_rspawn_t self:fifo_file read_fifo_file_perms; - -allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms; - -rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t) - -corecmd_search_bin(qmail_rspawn_t) - -######################################## -# -# qmail-send local policy -# this component delivers mail messages from the queue -# - -allow qmail_send_t self:process signal_perms; -allow qmail_send_t self:fifo_file write_fifo_file_perms; - -manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) -manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) -read_fifo_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) - -qmail_domtrans_queue(qmail_send_t) - -optional_policy(` - daemontools_ipc_domain(qmail_send_t) -') - -######################################## -# -# qmail-smtpd local policy -# this component receives mails via SMTP -# - -allow qmail_smtpd_t self:process signal_perms; -allow qmail_smtpd_t self:fifo_file write_fifo_file_perms; -allow qmail_smtpd_t self:tcp_socket create_socket_perms; - -allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms; - -dev_read_rand(qmail_smtpd_t) -dev_read_urand(qmail_smtpd_t) - -qmail_domtrans_queue(qmail_smtpd_t) - -optional_policy(` - daemontools_ipc_domain(qmail_smtpd_t) -') - -optional_policy(` - kerberos_keytab_template(qmail, qmail_smtpd_t) -') - -optional_policy(` - ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t) -') - -######################################## -# -# splogger local policy -# this component creates entries in syslog -# - -allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; - -files_read_etc_files(qmail_splogger_t) - -init_dontaudit_use_script_fds(qmail_splogger_t) - -miscfiles_read_localization(qmail_splogger_t) - -######################################## -# -# qmail-start local policy -# this component starts up the mail delivery component -# - -allow qmail_start_t self:capability { setgid setuid }; -dontaudit qmail_start_t self:capability sys_tty_config; -allow qmail_start_t self:process signal_perms; -allow qmail_start_t self:fifo_file rw_fifo_file_perms; - -can_exec(qmail_start_t, qmail_start_exec_t) - -corecmd_search_bin(qmail_start_t) - -files_search_var(qmail_start_t) - -qmail_read_config(qmail_start_t) - -optional_policy(` - daemontools_service_domain(qmail_start_t, qmail_start_exec_t) - daemontools_ipc_domain(qmail_start_t) -') - -######################################## -# -# tcp-env local policy -# this component sets up TCP-related environment variables -# - -allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; - -corecmd_search_bin(qmail_tcp_env_t) - -sysnet_read_config(qmail_tcp_env_t) - -optional_policy(` - inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) -') - -optional_policy(` - ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) -') diff --git a/policy/modules/services/qpidd.fc b/policy/modules/services/qpidd.fc deleted file mode 100644 index f3b89e4..0000000 --- a/policy/modules/services/qpidd.fc +++ /dev/null @@ -1,9 +0,0 @@ - -/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) - -/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) - -/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) - -/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0) -/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0) diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if deleted file mode 100644 index c403abc..0000000 --- a/policy/modules/services/qpidd.if +++ /dev/null @@ -1,228 +0,0 @@ -## policy for qpidd - -######################################## -## -## Execute a domain transition to run qpidd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qpidd_domtrans',` - gen_require(` - type qpidd_t, qpidd_exec_t; - ') - - domtrans_pattern($1, qpidd_exec_t, qpidd_t) -') - -######################################## -## -## Execute qpidd server in the qpidd domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_initrc_domtrans',` - gen_require(` - type qpidd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, qpidd_initrc_exec_t) -') - -######################################## -## -## Read qpidd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_read_pid_files',` - gen_require(` - type qpidd_var_run_t; - ') - - files_search_pids($1) - allow $1 qpidd_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage qpidd var_run files. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_manage_var_run',` - gen_require(` - type qpidd_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) - manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) - manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) -') - -######################################## -## -## Search qpidd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_search_lib',` - gen_require(` - type qpidd_var_lib_t; - ') - - allow $1 qpidd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read qpidd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_read_lib_files',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## qpidd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_manage_lib_files',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -') - -######################################## -## -## Manage qpidd var_lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_manage_var_lib',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) - manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an qpidd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`qpidd_admin',` - gen_require(` - type qpidd_t, qpidd_initrc_exec_t; - ') - - allow $1 qpidd_t:process { ptrace signal_perms }; - ps_process_pattern($1, qpidd_t) - - # Allow qpidd_t to restart the apache service - qpidd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 qpidd_initrc_exec_t system_r; - allow $2 system_r; - - qpidd_manage_var_run($1) - - qpidd_manage_var_lib($1) -') - -##################################### -## -## Allow read and write access to qpidd semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_rw_semaphores',` - gen_require(` - type qpidd_t; - ') - - allow $1 qpidd_t:sem rw_sem_perms; -') - -######################################## -## -## Read and write to qpidd shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_rw_shm',` - gen_require(` - type qpidd_t; - ') - - allow $1 qpidd_t:shm rw_shm_perms; -') diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te deleted file mode 100644 index 43639a0..0000000 --- a/policy/modules/services/qpidd.te +++ /dev/null @@ -1,59 +0,0 @@ -policy_module(qpidd, 1.0.0) - -######################################## -# -# Declarations -# - -type qpidd_t; -type qpidd_exec_t; -init_daemon_domain(qpidd_t, qpidd_exec_t) - -type qpidd_initrc_exec_t; -init_script_file(qpidd_initrc_exec_t) - -type qpidd_var_run_t; -files_pid_file(qpidd_var_run_t) - -type qpidd_var_lib_t; -files_type(qpidd_var_lib_t) - -######################################## -# -# qpidd local policy -# - -allow qpidd_t self:process { setsched signull }; -allow qpidd_t self:fifo_file rw_fifo_file_perms; -allow qpidd_t self:sem create_sem_perms; -allow qpidd_t self:shm create_shm_perms; -allow qpidd_t self:tcp_socket create_stream_socket_perms; -allow qpidd_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) - -manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) - -kernel_read_system_state(qpidd_t) - -corenet_all_recvfrom_unlabeled(qpidd_t) -corenet_all_recvfrom_netlabel(qpidd_t) -corenet_tcp_bind_generic_node(qpidd_t) -corenet_tcp_sendrecv_generic_if(qpidd_t) -corenet_tcp_sendrecv_generic_node(qpidd_t) -corenet_tcp_sendrecv_all_ports(qpidd_t) -corenet_tcp_bind_amqp_port(qpidd_t) - -dev_read_urand(qpidd_t) - -files_read_etc_files(qpidd_t) - -logging_send_syslog_msg(qpidd_t) - -miscfiles_read_localization(qpidd_t) - -sysnet_dns_name_resolve(qpidd_t) diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc deleted file mode 100644 index 09f7b50..0000000 --- a/policy/modules/services/radius.fc +++ /dev/null @@ -1,23 +0,0 @@ - -/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) -/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) -/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0) - -/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0) -/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0) - -/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) -/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) - -/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) - -/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0) - -/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) -/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0) diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if deleted file mode 100644 index 8f132e7..0000000 --- a/policy/modules/services/radius.if +++ /dev/null @@ -1,62 +0,0 @@ -## RADIUS authentication and accounting server. - -######################################## -## -## Use radius over a UDP connection. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`radius_use',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an radius environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`radius_admin',` - gen_require(` - type radiusd_t, radiusd_etc_t, radiusd_log_t; - type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; - type radiusd_initrc_exec_t; - ') - - allow $1 radiusd_t:process { ptrace signal_perms }; - ps_process_pattern($1, radiusd_t) - - init_labeled_script_domtrans($1, radiusd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 radiusd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, radiusd_etc_t) - - logging_list_logs($1) - admin_pattern($1, radiusd_log_t) - - admin_pattern($1, radiusd_etc_rw_t) - - files_list_var_lib($1) - admin_pattern($1, radiusd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, radiusd_var_run_t) -') diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te deleted file mode 100644 index b3f1fd3..0000000 --- a/policy/modules/services/radius.te +++ /dev/null @@ -1,143 +0,0 @@ -policy_module(radius, 1.11.0) - -######################################## -# -# Declarations -# - -type radiusd_t; -type radiusd_exec_t; -init_daemon_domain(radiusd_t, radiusd_exec_t) - -type radiusd_etc_t; -files_config_file(radiusd_etc_t) - -type radiusd_etc_rw_t; -files_type(radiusd_etc_rw_t) - -type radiusd_initrc_exec_t; -init_script_file(radiusd_initrc_exec_t) - -type radiusd_log_t; -logging_log_file(radiusd_log_t) - -type radiusd_var_lib_t; -files_type(radiusd_var_lib_t) - -type radiusd_var_run_t; -files_pid_file(radiusd_var_run_t) - -######################################## -# -# Local policy -# - -# fsetid is for gzip which needs it when run from scripts -# gzip also needs chown access to preserve GID for radwtmp files -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; -dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; -allow radiusd_t self:fifo_file rw_fifo_file_perms; -allow radiusd_t self:unix_stream_socket create_stream_socket_perms; -allow radiusd_t self:tcp_socket create_stream_socket_perms; -allow radiusd_t self:udp_socket create_socket_perms; - -allow radiusd_t radiusd_etc_t:dir list_dir_perms; -read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t) -read_lnk_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t) -files_search_etc(radiusd_t) - -manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) -manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) -manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) -filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) - -manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -logging_log_filetrans(radiusd_t, radiusd_log_t,{ file dir }) - -manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) - -manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) - -kernel_read_kernel_sysctls(radiusd_t) -kernel_read_system_state(radiusd_t) - -corenet_all_recvfrom_unlabeled(radiusd_t) -corenet_all_recvfrom_netlabel(radiusd_t) -corenet_tcp_sendrecv_generic_if(radiusd_t) -corenet_udp_sendrecv_generic_if(radiusd_t) -corenet_tcp_sendrecv_generic_node(radiusd_t) -corenet_udp_sendrecv_generic_node(radiusd_t) -corenet_tcp_sendrecv_all_ports(radiusd_t) -corenet_udp_sendrecv_all_ports(radiusd_t) -corenet_udp_bind_generic_node(radiusd_t) -corenet_udp_bind_radacct_port(radiusd_t) -corenet_udp_bind_radius_port(radiusd_t) -corenet_tcp_connect_mysqld_port(radiusd_t) -corenet_tcp_connect_snmp_port(radiusd_t) -corenet_sendrecv_radius_server_packets(radiusd_t) -corenet_sendrecv_radacct_server_packets(radiusd_t) -corenet_sendrecv_mysqld_client_packets(radiusd_t) -corenet_sendrecv_snmp_client_packets(radiusd_t) -# for RADIUS proxy port -corenet_udp_bind_generic_port(radiusd_t) -corenet_dontaudit_udp_bind_all_ports(radiusd_t) -corenet_sendrecv_generic_server_packets(radiusd_t) - -dev_read_sysfs(radiusd_t) - -fs_getattr_all_fs(radiusd_t) -fs_search_auto_mountpoints(radiusd_t) - -corecmd_exec_bin(radiusd_t) -corecmd_exec_shell(radiusd_t) - -domain_use_interactive_fds(radiusd_t) - -files_read_usr_files(radiusd_t) -files_read_etc_files(radiusd_t) -files_read_etc_runtime_files(radiusd_t) - -auth_use_nsswitch(radiusd_t) -auth_read_shadow(radiusd_t) -auth_domtrans_chk_passwd(radiusd_t) - -libs_exec_lib_files(radiusd_t) - -logging_send_syslog_msg(radiusd_t) - -miscfiles_read_localization(radiusd_t) -miscfiles_read_generic_certs(radiusd_t) - -userdom_dontaudit_use_unpriv_user_fds(radiusd_t) -userdom_dontaudit_search_user_home_dirs(radiusd_t) - -optional_policy(` - cron_system_entry(radiusd_t, radiusd_exec_t) -') - -optional_policy(` - logrotate_exec(radiusd_t) -') - -optional_policy(` - mysql_read_config(radiusd_t) - mysql_stream_connect(radiusd_t) -') - -optional_policy(` - samba_domtrans_winbind_helper(radiusd_t) - samba_read_var_files(radiusd_t) -') - -optional_policy(` - seutil_sigchld_newrole(radiusd_t) -') - -optional_policy(` - udev_read_db(radiusd_t) -') diff --git a/policy/modules/services/radvd.fc b/policy/modules/services/radvd.fc deleted file mode 100644 index cc98d83..0000000 --- a/policy/modules/services/radvd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0) -/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0) - -/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0) - -/var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0) -/var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0) diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if deleted file mode 100644 index 2bd662a..0000000 --- a/policy/modules/services/radvd.if +++ /dev/null @@ -1,39 +0,0 @@ -## IPv6 router advertisement daemon - -######################################## -## -## All of the rules required to administrate -## an radvd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`radvd_admin',` - gen_require(` - type radvd_t, radvd_etc_t, radvd_initrc_exec_t; - type radvd_var_run_t; - ') - - allow $1 radvd_t:process { ptrace signal_perms }; - ps_process_pattern($1, radvd_t) - - init_labeled_script_domtrans($1, radvd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 radvd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, radvd_etc_t) - - files_list_pids($1) - admin_pattern($1, radvd_var_run_t) -') diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te deleted file mode 100644 index 54b3cd3..0000000 --- a/policy/modules/services/radvd.te +++ /dev/null @@ -1,82 +0,0 @@ -policy_module(radvd, 1.12.1) - -######################################## -# -# Declarations -# -type radvd_t; -type radvd_exec_t; -init_daemon_domain(radvd_t, radvd_exec_t) - -type radvd_initrc_exec_t; -init_script_file(radvd_initrc_exec_t) - -type radvd_var_run_t; -files_pid_file(radvd_var_run_t) - -type radvd_etc_t; -files_config_file(radvd_etc_t) - -######################################## -# -# Local policy -# -allow radvd_t self:capability { kill setgid setuid net_raw net_admin }; -dontaudit radvd_t self:capability sys_tty_config; -allow radvd_t self:process { fork signal_perms }; -allow radvd_t self:unix_dgram_socket create_socket_perms; -allow radvd_t self:unix_stream_socket create_socket_perms; -allow radvd_t self:rawip_socket create_socket_perms; -allow radvd_t self:tcp_socket create_stream_socket_perms; -allow radvd_t self:udp_socket create_socket_perms; -allow radvd_t self:fifo_file rw_file_perms; - -allow radvd_t radvd_etc_t:file read_file_perms; - -manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) -manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) -files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(radvd_t) -kernel_rw_net_sysctls(radvd_t) -kernel_read_network_state(radvd_t) -kernel_read_system_state(radvd_t) -kernel_request_load_module(radvd_t) - -corenet_all_recvfrom_unlabeled(radvd_t) -corenet_all_recvfrom_netlabel(radvd_t) -corenet_tcp_sendrecv_generic_if(radvd_t) -corenet_udp_sendrecv_generic_if(radvd_t) -corenet_raw_sendrecv_generic_if(radvd_t) -corenet_tcp_sendrecv_generic_node(radvd_t) -corenet_udp_sendrecv_generic_node(radvd_t) -corenet_raw_sendrecv_generic_node(radvd_t) -corenet_tcp_sendrecv_all_ports(radvd_t) -corenet_udp_sendrecv_all_ports(radvd_t) - -dev_read_sysfs(radvd_t) - -fs_getattr_all_fs(radvd_t) -fs_search_auto_mountpoints(radvd_t) - -domain_use_interactive_fds(radvd_t) - -files_read_etc_files(radvd_t) -files_list_usr(radvd_t) - -auth_use_nsswitch(radvd_t) - -logging_send_syslog_msg(radvd_t) - -miscfiles_read_localization(radvd_t) - -userdom_dontaudit_use_unpriv_user_fds(radvd_t) -userdom_dontaudit_search_user_home_dirs(radvd_t) - -optional_policy(` - seutil_sigchld_newrole(radvd_t) -') - -optional_policy(` - udev_read_db(radvd_t) -') diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc deleted file mode 100644 index 71d657c..0000000 --- a/policy/modules/services/razor.fc +++ /dev/null @@ -1,9 +0,0 @@ -/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) - -/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) - -/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) - -/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) -/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0) diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if deleted file mode 100644 index 3203212..0000000 --- a/policy/modules/services/razor.if +++ /dev/null @@ -1,201 +0,0 @@ -## A distributed, collaborative, spam detection and filtering network. -## -##

-## A distributed, collaborative, spam detection and filtering network. -##

-##

-## This policy will work with either the ATrpms provided config -## file in /etc/razor, or with the default of dumping everything into -## $HOME/.razor. -##

-##
- -####################################### -## -## Template to create types and rules common to -## all razor domains. -## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`razor_common_domain_template',` - gen_require(` - type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; - ') - - type $1_t; - domain_type($1_t) - domain_entry_file($1_t, razor_exec_t) - - allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_t self:fd use; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_dgram_socket create_socket_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:unix_dgram_socket sendto; - allow $1_t self:unix_stream_socket connectto; - allow $1_t self:shm create_shm_perms; - allow $1_t self:sem create_sem_perms; - allow $1_t self:msgq create_msgq_perms; - allow $1_t self:msg { send receive }; - allow $1_t self:tcp_socket create_socket_perms; - - # Read system config file - allow $1_t razor_etc_t:dir list_dir_perms; - allow $1_t razor_etc_t:file read_file_perms; - allow $1_t razor_etc_t:lnk_file read_lnk_file_perms; - - manage_dirs_pattern($1_t, razor_log_t, razor_log_t) - manage_files_pattern($1_t, razor_log_t, razor_log_t) - manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t) - logging_log_filetrans($1_t, razor_log_t, file) - - manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t) - manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) - manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) - files_search_var_lib($1_t) - - # Razor is one executable and several symlinks - allow $1_t razor_exec_t:file read_file_perms; - allow $1_t razor_exec_t:lnk_file read_lnk_file_perms; - - kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_software_raid_state($1_t) - kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) - kernel_read_kernel_sysctls($1_t) - - corecmd_exec_bin($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_raw_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_raw_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_razor_port($1_t) - - # mktemp and other randoms - dev_read_rand($1_t) - dev_read_urand($1_t) - - files_search_pids($1_t) - # Allow access to various files in the /etc/directory including mtab - # and nsswitch - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - - fs_search_auto_mountpoints($1_t) - - libs_read_lib_files($1_t) - - miscfiles_read_localization($1_t) - - sysnet_read_config($1_t) - sysnet_dns_name_resolve($1_t) - - optional_policy(` - nis_use_ypbind($1_t) - ') -') - -######################################## -## -## Role access for razor -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -interface(`razor_role',` - gen_require(` - type razor_t, razor_exec_t, razor_home_t; - ') - - role $1 types razor_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, razor_exec_t, razor_t) - - # allow ps to show razor and allow the user to kill it - ps_process_pattern($2, razor_t) - allow $2 razor_t:process { ptrace signal_perms }; - - manage_dirs_pattern($2, razor_home_t, razor_home_t) - manage_files_pattern($2, razor_home_t, razor_home_t) - manage_lnk_files_pattern($2, razor_home_t, razor_home_t) - relabel_dirs_pattern($2, razor_home_t, razor_home_t) - relabel_files_pattern($2, razor_home_t, razor_home_t) - relabel_lnk_files_pattern($2, razor_home_t, razor_home_t) -') - -######################################## -## -## Execute razor in the system razor domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`razor_domtrans',` - gen_require(` - type razor_t, razor_exec_t; - ') - - domtrans_pattern($1, razor_exec_t, razor_t) -') - -######################################## -## -## Create, read, write, and delete razor files -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`razor_manage_user_home_files',` - gen_require(` - type razor_home_t; - ') - - userdom_search_user_home_dirs($1) - manage_files_pattern($1, razor_home_t, razor_home_t) - read_lnk_files_pattern($1, razor_home_t, razor_home_t) -') - -######################################## -## -## read razor lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`razor_read_lib_files',` - gen_require(` - type razor_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) -') diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te deleted file mode 100644 index f24c52e..0000000 --- a/policy/modules/services/razor.te +++ /dev/null @@ -1,143 +0,0 @@ -policy_module(razor, 2.1.1) - -######################################## -# -# Declarations -# - -ifdef(`distro_redhat',` - gen_require(` - type spamc_t, spamc_exec_t, spamd_log_t; - type spamd_spool_t, spamd_var_lib_t, spamd_etc_t; - type spamc_home_t, spamc_tmp_t; - ') - - typealias spamc_t alias razor_t; - typealias spamc_exec_t alias razor_exec_t; - typealias spamd_log_t alias razor_log_t; - typealias spamd_var_lib_t alias razor_var_lib_t; - typealias spamd_etc_t alias razor_etc_t; - typealias spamc_home_t alias razor_home_t; - typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; - typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; - typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; - typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; -',` - type razor_exec_t; - corecmd_executable_file(razor_exec_t) - - type razor_etc_t; - files_config_file(razor_etc_t) - - type razor_home_t; - typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; - typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; - userdom_user_home_content(razor_home_t) - - type razor_log_t; - logging_log_file(razor_log_t) - - type razor_tmp_t; - typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; - typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; - files_tmp_file(razor_tmp_t) - ubac_constrained(razor_tmp_t) - - type razor_var_lib_t; - files_type(razor_var_lib_t) - - # these are here due to ordering issues: - razor_common_domain_template(razor) - typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; - typealias razor_t alias { auditadm_razor_t secadm_razor_t }; - ubac_constrained(razor_t) - - razor_common_domain_template(system_razor) - role system_r types system_razor_t; - - ######################################## - # - # System razor local policy - # - - # this version of razor is invoked typically - # via the system spam filter - - allow system_razor_t self:tcp_socket create_socket_perms; - - manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) - manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) - manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) - files_search_etc(system_razor_t) - - allow system_razor_t razor_log_t:file manage_file_perms; - logging_log_filetrans(system_razor_t, razor_log_t, file) - - manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) - files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) - - corenet_all_recvfrom_unlabeled(system_razor_t) - corenet_all_recvfrom_netlabel(system_razor_t) - corenet_tcp_sendrecv_generic_if(system_razor_t) - corenet_raw_sendrecv_generic_if(system_razor_t) - corenet_tcp_sendrecv_generic_node(system_razor_t) - corenet_raw_sendrecv_generic_node(system_razor_t) - corenet_tcp_sendrecv_razor_port(system_razor_t) - corenet_tcp_connect_razor_port(system_razor_t) - corenet_sendrecv_razor_client_packets(system_razor_t) - - sysnet_read_config(system_razor_t) - - # cjp: this shouldn't be needed - userdom_use_unpriv_users_fds(system_razor_t) - - optional_policy(` - logging_send_syslog_msg(system_razor_t) - ') - - optional_policy(` - nscd_socket_use(system_razor_t) - ') - - ######################################## - # - # User razor local policy - # - - # Allow razor to be run by hand. Needed by any action other than - # invocation from a spam filter. - - allow razor_t self:unix_stream_socket create_stream_socket_perms; - - manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) - manage_files_pattern(razor_t, razor_home_t, razor_home_t) - manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) - userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) - - manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) - manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) - files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) - - auth_use_nsswitch(razor_t) - - logging_send_syslog_msg(razor_t) - - userdom_search_user_home_dirs(razor_t) - userdom_use_user_terminals(razor_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(razor_t) - fs_manage_nfs_files(razor_t) - fs_manage_nfs_symlinks(razor_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(razor_t) - fs_manage_cifs_files(razor_t) - fs_manage_cifs_symlinks(razor_t) - ') - - optional_policy(` - milter_manage_spamass_state(razor_t) - ') -') diff --git a/policy/modules/services/rdisc.fc b/policy/modules/services/rdisc.fc deleted file mode 100644 index dee4adc..0000000 --- a/policy/modules/services/rdisc.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) diff --git a/policy/modules/services/rdisc.if b/policy/modules/services/rdisc.if deleted file mode 100644 index fe24d25..0000000 --- a/policy/modules/services/rdisc.if +++ /dev/null @@ -1,20 +0,0 @@ -## Network router discovery daemon - -###################################### -## -## Execute rdisc in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`rdisc_exec',` - gen_require(` - type rdisc_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rdisc_exec_t) -') diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te deleted file mode 100644 index 0f07685..0000000 --- a/policy/modules/services/rdisc.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(rdisc, 1.8.0) - -######################################## -# -# Declarations -# - -type rdisc_t; -type rdisc_exec_t; -init_daemon_domain(rdisc_t, rdisc_exec_t) - -######################################## -# -# Local policy -# - -allow rdisc_t self:capability net_raw; -dontaudit rdisc_t self:capability sys_tty_config; -allow rdisc_t self:process signal_perms; -allow rdisc_t self:unix_stream_socket create_stream_socket_perms; -allow rdisc_t self:udp_socket create_socket_perms; -allow rdisc_t self:rawip_socket create_socket_perms; - -kernel_list_proc(rdisc_t) -kernel_read_proc_symlinks(rdisc_t) -kernel_read_kernel_sysctls(rdisc_t) - -corenet_all_recvfrom_unlabeled(rdisc_t) -corenet_all_recvfrom_netlabel(rdisc_t) -corenet_udp_sendrecv_generic_if(rdisc_t) -corenet_raw_sendrecv_generic_if(rdisc_t) -corenet_udp_sendrecv_generic_node(rdisc_t) -corenet_raw_sendrecv_generic_node(rdisc_t) -corenet_udp_sendrecv_all_ports(rdisc_t) - -dev_read_sysfs(rdisc_t) - -fs_search_auto_mountpoints(rdisc_t) - -domain_use_interactive_fds(rdisc_t) - -files_read_etc_files(rdisc_t) - -logging_send_syslog_msg(rdisc_t) - -miscfiles_read_localization(rdisc_t) - -sysnet_read_config(rdisc_t) - -userdom_dontaudit_use_unpriv_user_fds(rdisc_t) - -optional_policy(` - seutil_sigchld_newrole(rdisc_t) -') - -optional_policy(` - udev_read_db(rdisc_t) -') diff --git a/policy/modules/services/remotelogin.fc b/policy/modules/services/remotelogin.fc deleted file mode 100644 index d8691bd..0000000 --- a/policy/modules/services/remotelogin.fc +++ /dev/null @@ -1,2 +0,0 @@ - -# Remote login currently has no file contexts. diff --git a/policy/modules/services/remotelogin.if b/policy/modules/services/remotelogin.if deleted file mode 100644 index 31be971..0000000 --- a/policy/modules/services/remotelogin.if +++ /dev/null @@ -1,37 +0,0 @@ -## Policy for rshd, rlogind, and telnetd. - -######################################## -## -## Domain transition to the remote login domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`remotelogin_domtrans',` - gen_require(` - type remote_login_t; - ') - - auth_domtrans_login_program($1, remote_login_t) -') - -######################################## -## -## allow Domain to signal remote login domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`remotelogin_signal',` - gen_require(` - type remote_login_t; - ') - - allow $1 remote_login_t:process signal; -') diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te deleted file mode 100644 index cdd0542..0000000 --- a/policy/modules/services/remotelogin.te +++ /dev/null @@ -1,122 +0,0 @@ -policy_module(remotelogin, 1.7.0) - -######################################## -# -# Declarations -# - -type remote_login_t; -domain_interactive_fd(remote_login_t) -auth_login_pgm_domain(remote_login_t) -auth_login_entry_type(remote_login_t) - -type remote_login_tmp_t; -files_tmp_file(remote_login_tmp_t) - -######################################## -# -# Remote login remote policy -# - -allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; -allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow remote_login_t self:process { setrlimit setexec }; -allow remote_login_t self:fd use; -allow remote_login_t self:fifo_file rw_fifo_file_perms; -allow remote_login_t self:sock_file read_sock_file_perms; -allow remote_login_t self:unix_dgram_socket create_socket_perms; -allow remote_login_t self:unix_stream_socket create_stream_socket_perms; -allow remote_login_t self:unix_dgram_socket sendto; -allow remote_login_t self:unix_stream_socket connectto; -allow remote_login_t self:shm create_shm_perms; -allow remote_login_t self:sem create_sem_perms; -allow remote_login_t self:msgq create_msgq_perms; -allow remote_login_t self:msg { send receive }; -allow remote_login_t self:key write; - -manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) -manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) -files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir }) - -kernel_read_system_state(remote_login_t) -kernel_read_kernel_sysctls(remote_login_t) - -dev_getattr_mouse_dev(remote_login_t) -dev_setattr_mouse_dev(remote_login_t) -dev_dontaudit_search_sysfs(remote_login_t) - -fs_getattr_xattr_fs(remote_login_t) -fs_search_auto_mountpoints(remote_login_t) - -term_relabel_all_ptys(remote_login_t) - -auth_rw_login_records(remote_login_t) -auth_rw_faillog(remote_login_t) -auth_manage_pam_console_data(remote_login_t) -auth_domtrans_pam_console(remote_login_t) - -corecmd_list_bin(remote_login_t) -corecmd_read_bin_symlinks(remote_login_t) -# cjp: these are probably not needed: -corecmd_read_bin_files(remote_login_t) -corecmd_read_bin_pipes(remote_login_t) -corecmd_read_bin_sockets(remote_login_t) - -domain_read_all_entry_files(remote_login_t) - -files_read_etc_files(remote_login_t) -files_read_etc_runtime_files(remote_login_t) -files_list_home(remote_login_t) -files_read_usr_files(remote_login_t) -files_list_world_readable(remote_login_t) -files_read_world_readable_files(remote_login_t) -files_read_world_readable_symlinks(remote_login_t) -files_read_world_readable_pipes(remote_login_t) -files_read_world_readable_sockets(remote_login_t) -files_list_mnt(remote_login_t) -# for when /var/mail is a sym-link -files_read_var_symlinks(remote_login_t) - -sysnet_dns_name_resolve(remote_login_t) - -miscfiles_read_localization(remote_login_t) - -userdom_use_unpriv_users_fds(remote_login_t) -userdom_search_user_home_content(remote_login_t) -# Only permit unprivileged user domains to be entered via rlogin, -# since very weak authentication is used. -userdom_signal_unpriv_users(remote_login_t) -userdom_spec_domtrans_unpriv_users(remote_login_t) - -# Search for mail spool file. -mta_getattr_spool(remote_login_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(remote_login_t) - fs_read_nfs_symlinks(remote_login_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(remote_login_t) - fs_read_cifs_symlinks(remote_login_t) -') - -optional_policy(` - alsa_domtrans(remote_login_t) -') - -optional_policy(` - nis_use_ypbind(remote_login_t) -') - -optional_policy(` - nscd_socket_use(remote_login_t) -') - -optional_policy(` - unconfined_shell_domtrans(remote_login_t) -') - -optional_policy(` - usermanage_read_crack_db(remote_login_t) -') diff --git a/policy/modules/services/resmgr.fc b/policy/modules/services/resmgr.fc deleted file mode 100644 index af810b9..0000000 --- a/policy/modules/services/resmgr.fc +++ /dev/null @@ -1,7 +0,0 @@ - -/etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0) - -/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) - -/var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0) -/var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0) diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if deleted file mode 100644 index eabdd78..0000000 --- a/policy/modules/services/resmgr.if +++ /dev/null @@ -1,21 +0,0 @@ -## Resource management daemon - -######################################## -## -## Connect to resmgrd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`resmgr_stream_connect',` - gen_require(` - type resmgrd_var_run_t, resmgrd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) -') diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te deleted file mode 100644 index bf5efbf..0000000 --- a/policy/modules/services/resmgr.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(resmgr, 1.2.0) - -######################################## -# -# Declarations -# - -type resmgrd_t; -type resmgrd_exec_t; -init_daemon_domain(resmgrd_t, resmgrd_exec_t) - -type resmgrd_etc_t; -files_config_file(resmgrd_etc_t) - -type resmgrd_var_run_t; -files_pid_file(resmgrd_var_run_t) - -######################################## -# -# Local policy -# - -allow resmgrd_t self:capability { dac_override sys_admin sys_rawio }; -dontaudit resmgrd_t self:capability sys_tty_config; -allow resmgrd_t self:process signal_perms; - -allow resmgrd_t resmgrd_etc_t:file read_file_perms; -files_search_etc(resmgrd_t) - -allow resmgrd_t resmgrd_var_run_t:file manage_file_perms; -allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms; -files_pid_filetrans(resmgrd_t, resmgrd_var_run_t, { file sock_file }) - -kernel_list_proc(resmgrd_t) -kernel_read_proc_symlinks(resmgrd_t) -kernel_read_kernel_sysctls(resmgrd_t) - -dev_read_sysfs(resmgrd_t) -dev_getattr_scanner_dev(resmgrd_t) - -domain_use_interactive_fds(resmgrd_t) - -files_read_etc_files(resmgrd_t) - -fs_search_auto_mountpoints(resmgrd_t) - -storage_dontaudit_read_fixed_disk(resmgrd_t) -storage_read_scsi_generic(resmgrd_t) -storage_raw_read_removable_device(resmgrd_t) -# not sure if it needs write access, needs to be investigated further... -storage_write_scsi_generic(resmgrd_t) -storage_raw_write_removable_device(resmgrd_t) - -logging_send_syslog_msg(resmgrd_t) - -miscfiles_read_localization(resmgrd_t) - -userdom_dontaudit_use_unpriv_user_fds(resmgrd_t) - -optional_policy(` - seutil_sigchld_newrole(resmgrd_t) -') - -optional_policy(` - udev_read_db(resmgrd_t) -') diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc deleted file mode 100644 index c025d59..0000000 --- a/policy/modules/services/rgmanager.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) - -/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) - -/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) - -/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) - -/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if deleted file mode 100644 index 9c2c963..0000000 --- a/policy/modules/services/rgmanager.if +++ /dev/null @@ -1,138 +0,0 @@ -## rgmanager - Resource Group Manager - -####################################### -## -## Execute a domain transition to run rgmanager. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rgmanager_domtrans',` - gen_require(` - type rgmanager_t, rgmanager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rgmanager_exec_t, rgmanager_t) -') - -######################################## -## -## Connect to rgmanager over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rgmanager_stream_connect',` - gen_require(` - type rgmanager_t, rgmanager_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) -') - -###################################### -## -## Allow manage rgmanager tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rgmanager_manage_tmp_files',` - gen_require(` - type rgmanager_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) -') - -###################################### -## -## Allow manage rgmanager tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rgmanager_manage_tmpfs_files',` - gen_require(` - type rgmanager_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) -') - -####################################### -## -## Allow read and write access to rgmanager semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`rgmanager_rw_semaphores',` - gen_require(` - type rgmanager_t; - ') - - allow $1 rgmanager_t:sem rw_sem_perms; -') - -###################################### -## -## All of the rules required to administrate -## an rgmanager environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the rgmanager domain. -## -## -## -# -interface(`rgmanager_admin',` - gen_require(` - type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; - type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; - ') - - allow $1 rgmanager_t:process { ptrace signal_perms }; - ps_process_pattern($1, rgmanager_t) - - init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rgmanager_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, rgmanager_tmp_t) - - admin_pattern($1, rgmanager_tmpfs_t) - - logging_list_logs($1) - admin_pattern($1, rgmanager_var_log_t) - - files_list_pids($1) - admin_pattern($1, rgmanager_var_run_t) -') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te deleted file mode 100644 index 612e4e4..0000000 --- a/policy/modules/services/rgmanager.te +++ /dev/null @@ -1,217 +0,0 @@ -policy_module(rgmanager, 1.0.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow rgmanager domain to connect to the network using TCP. -##

-##
-gen_tunable(rgmanager_can_network_connect, false) - -type rgmanager_t; -type rgmanager_exec_t; -init_daemon_domain(rgmanager_t, rgmanager_exec_t) - -type rgmanager_initrc_exec_t; -init_script_file(rgmanager_initrc_exec_t) - -type rgmanager_tmp_t; -files_tmp_file(rgmanager_tmp_t) - -type rgmanager_tmpfs_t; -files_tmpfs_file(rgmanager_tmpfs_t) - -type rgmanager_var_log_t; -logging_log_file(rgmanager_var_log_t) - -type rgmanager_var_run_t; -files_pid_file(rgmanager_var_run_t) - -######################################## -# -# rgmanager local policy -# - -allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; -dontaudit rgmanager_t self:capability { sys_ptrace }; -allow rgmanager_t self:process { setsched signal }; -dontaudit rgmanager_t self:process ptrace; - -allow rgmanager_t self:fifo_file rw_fifo_file_perms; -allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; -allow rgmanager_t self:unix_dgram_socket create_socket_perms; -allow rgmanager_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) -manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) -files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir }) - -manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) -manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) -fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) - -manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) -logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) - -manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir }) - -kernel_kill(rgmanager_t) -kernel_read_kernel_sysctls(rgmanager_t) -kernel_read_rpc_sysctls(rgmanager_t) -kernel_read_system_state(rgmanager_t) -kernel_rw_rpc_sysctls(rgmanager_t) -kernel_search_debugfs(rgmanager_t) -kernel_search_network_state(rgmanager_t) - -corecmd_exec_bin(rgmanager_t) -corecmd_exec_shell(rgmanager_t) -consoletype_exec(rgmanager_t) - -# need to write to /dev/misc/dlm-control -dev_rw_dlm_control(rgmanager_t) -dev_setattr_dlm_control(rgmanager_t) -dev_search_sysfs(rgmanager_t) - -domain_read_all_domains_state(rgmanager_t) -domain_getattr_all_domains(rgmanager_t) -domain_dontaudit_ptrace_all_domains(rgmanager_t) - -files_create_var_run_dirs(rgmanager_t) -files_getattr_all_symlinks(rgmanager_t) -files_list_all(rgmanager_t) -files_manage_mnt_dirs(rgmanager_t) -files_manage_mnt_files(rgmanager_t) -files_manage_mnt_symlinks(rgmanager_t) -files_manage_isid_type_files(rgmanager_t) -files_manage_isid_type_dirs(rgmanager_t) - -fs_getattr_xattr_fs(rgmanager_t) -fs_getattr_all_fs(rgmanager_t) - -storage_raw_read_fixed_disk(rgmanager_t) -storage_getattr_fixed_disk_dev(rgmanager_t) - -term_getattr_pty_fs(rgmanager_t) -#term_use_ptmx(rgmanager_t) - -# needed by resources scripts -auth_read_all_files_except_shadow(rgmanager_t) -auth_dontaudit_getattr_shadow(rgmanager_t) -auth_use_nsswitch(rgmanager_t) - -logging_send_syslog_msg(rgmanager_t) - -miscfiles_read_localization(rgmanager_t) - -mount_domtrans(rgmanager_t) - -tunable_policy(`rgmanager_can_network_connect',` - corenet_tcp_connect_all_ports(rgmanager_t) -') - -# rgmanager can run resource scripts -optional_policy(` - aisexec_stream_connect(rgmanager_t) - corosync_stream_connect(rgmanager_t) -') - -optional_policy(` - apache_domtrans(rgmanager_t) - apache_signal(rgmanager_t) -') - -optional_policy(` - fstools_domtrans(rgmanager_t) -') - -optional_policy(` - rhcs_stream_connect_groupd(rgmanager_t) -') - -optional_policy(` - hostname_exec(rgmanager_t) -') - -optional_policy(` - ccs_manage_config(rgmanager_t) - ccs_stream_connect(rgmanager_t) - rhcs_stream_connect_gfs_controld(rgmanager_t) -') - -optional_policy(` - lvm_domtrans(rgmanager_t) -') - -optional_policy(` - ldap_initrc_domtrans(rgmanager_t) - ldap_domtrans(rgmanager_t) -') - -optional_policy(` - mysql_domtrans_mysql_safe(rgmanager_t) - mysql_stream_connect(rgmanager_t) -') - -optional_policy(` - netutils_domtrans(rgmanager_t) - netutils_domtrans_ping(rgmanager_t) -') - -optional_policy(` - postgresql_domtrans(rgmanager_t) - postgresql_signal(rgmanager_t) -') - -optional_policy(` - rdisc_exec(rgmanager_t) -') - -optional_policy(` - ricci_dontaudit_rw_modcluster_pipes(rgmanager_t) -') - -optional_policy(` - rpc_initrc_domtrans_nfsd(rgmanager_t) - rpc_initrc_domtrans_rpcd(rgmanager_t) - - rpc_domtrans_nfsd(rgmanager_t) - rpc_domtrans_rpcd(rgmanager_t) - rpc_manage_nfs_state_data(rgmanager_t) -') - -optional_policy(` - samba_initrc_domtrans(rgmanager_t) - samba_domtrans_smbd(rgmanager_t) - samba_domtrans_nmbd(rgmanager_t) - samba_manage_var_files(rgmanager_t) - samba_rw_config(rgmanager_t) - samba_signal_smbd(rgmanager_t) - samba_signal_nmbd(rgmanager_t) -') - -optional_policy(` - sysnet_domtrans_ifconfig(rgmanager_t) -') - -optional_policy(` - udev_read_db(rgmanager_t) -') - -optional_policy(` - virt_stream_connect(rgmanager_t) -') - -optional_policy(` - unconfined_domain(rgmanager_t) -') - -optional_policy(` - xen_domtrans_xm(rgmanager_t) -') diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc deleted file mode 100644 index d862e7e..0000000 --- a/policy/modules/services/rhcs.fc +++ /dev/null @@ -1,25 +0,0 @@ -/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) -/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) -/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) -/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) -/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) -/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) -/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) - -/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) - -/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) -/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) - -/var/log/cluster/.*\.*log <> -/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) -/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) -/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) -/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) - -/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) -/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) -/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) -/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if deleted file mode 100644 index 229a3c7..0000000 --- a/policy/modules/services/rhcs.if +++ /dev/null @@ -1,450 +0,0 @@ -## RHCS - Red Hat Cluster Suite - -####################################### -## -## Creates types and rules for a basic -## rhcs init daemon domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`rhcs_domain_template',` - gen_require(` - attribute cluster_domain, cluster_tmpfs, cluster_pid; - ') - - ############################## - # - # Declarations - # - - type $1_t, cluster_domain; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - - type $1_tmpfs_t, cluster_tmpfs; - files_tmpfs_file($1_tmpfs_t) - - type $1_var_log_t; - logging_log_file($1_var_log_t) - - type $1_var_run_t, cluster_pid; - files_pid_file($1_var_run_t) - - ############################## - # - # Local policy - # - - manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) - - manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - logging_log_filetrans($1_t, $1_var_log_t, { file sock_file }) - - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) -') - -###################################### -## -## Execute a domain transition to run dlm_controld. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rhcs_domtrans_dlm_controld',` - gen_require(` - type dlm_controld_t, dlm_controld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t) -') - -##################################### -## -## Connect to dlm_controld over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_stream_connect_dlm_controld',` - gen_require(` - type dlm_controld_t, dlm_controld_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) -') - -##################################### -## -## Allow read and write access to dlm_controld semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_dlm_controld_semaphores',` - gen_require(` - type dlm_controld_t, dlm_controld_tmpfs_t; - ') - - allow $1 dlm_controld_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) -') - -###################################### -## -## Execute a domain transition to run fenced. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rhcs_domtrans_fenced',` - gen_require(` - type fenced_t, fenced_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fenced_exec_t, fenced_t) -') - -###################################### -## -## Allow read and write access to fenced semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_fenced_semaphores',` - gen_require(` - type fenced_t, fenced_tmpfs_t; - ') - - allow $1 fenced_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) -') - -###################################### -## -## Connect to fenced over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_stream_connect_fenced',` - gen_require(` - type fenced_var_run_t, fenced_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) -') - -##################################### -## -## Execute a domain transition to run gfs_controld. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rhcs_domtrans_gfs_controld',` - gen_require(` - type gfs_controld_t, gfs_controld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t) -') - -#################################### -## -## Allow read and write access to gfs_controld semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_gfs_controld_semaphores',` - gen_require(` - type gfs_controld_t, gfs_controld_tmpfs_t; - ') - - allow $1 gfs_controld_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -') - -######################################## -## -## Read and write to gfs_controld_t shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_gfs_controld_shm',` - gen_require(` - type gfs_controld_t, gfs_controld_tmpfs_t; - ') - - allow $1 gfs_controld_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -') - -##################################### -## -## Connect to gfs_controld_t over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_stream_connect_gfs_controld',` - gen_require(` - type gfs_controld_t, gfs_controld_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t) -') - -###################################### -## -## Execute a domain transition to run groupd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rhcs_domtrans_groupd',` - gen_require(` - type groupd_t, groupd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, groupd_exec_t, groupd_t) -') - -##################################### -## -## Connect to groupd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_stream_connect_groupd',` - gen_require(` - type groupd_t, groupd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) -') - -##################################### -## -## Allow read and write access to groupd semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_groupd_semaphores',` - gen_require(` - type groupd_t, groupd_tmpfs_t; - ') - - allow $1 groupd_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -') - -######################################## -## -## Read and write to group shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_groupd_shm',` - gen_require(` - type groupd_t, groupd_tmpfs_t; - ') - - allow $1 groupd_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -') - -######################################## -## -## Read and write to group shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_cluster_shm',` - gen_require(` - attribute cluster_domain, cluster_tmpfs; - ') - - allow $1 cluster_domain:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) -') - -#################################### -## -## Read and write access to cluster domains semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_cluster_semaphores',` - gen_require(` - attribute cluster_domain; - ') - - allow $1 cluster_domain:sem { rw_sem_perms destroy }; -') - -#################################### -## -## Connect to cluster domains over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_stream_connect_cluster',` - gen_require(` - attribute cluster_domain, cluster_pid; - ') - - files_search_pids($1) - stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) -') - -###################################### -## -## Execute a domain transition to run qdiskd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rhcs_domtrans_qdiskd',` - gen_require(` - type qdiskd_t, qdiskd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) -') - -######################################## -## -## Allow domain to read qdiskd tmpfs files -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_read_qdiskd_tmpfs_files',` - gen_require(` - type qdiskd_tmpfs_t; - ') - - fs_search_tmpfs($1) - allow $1 qdiskd_tmpfs_t:file read_file_perms; -') - -###################################### -## -## Allow domain to read cluster lib files -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_read_cluster_lib_files',` - gen_require(` - type cluster_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) -') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te deleted file mode 100644 index 8d40ec9..0000000 --- a/policy/modules/services/rhcs.te +++ /dev/null @@ -1,244 +0,0 @@ -policy_module(rhcs, 1.1.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow fenced domain to connect to the network using TCP. -##

-##
-gen_tunable(fenced_can_network_connect, false) - -attribute cluster_domain; -attribute cluster_tmpfs; -attribute cluster_pid; - -rhcs_domain_template(dlm_controld) - -rhcs_domain_template(fenced) - -type fenced_lock_t; -files_lock_file(fenced_lock_t) - -type fenced_tmp_t; -files_tmp_file(fenced_tmp_t) - -rhcs_domain_template(gfs_controld) - -rhcs_domain_template(groupd) - -rhcs_domain_template(qdiskd) - -type qdiskd_var_lib_t; -files_type(qdiskd_var_lib_t) - -# type for cluster lib files -type cluster_var_lib_t; -files_type(cluster_var_lib_t) - -##################################### -# -# dlm_controld local policy -# - -allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; - -allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; - -stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - -kernel_read_system_state(dlm_controld_t) - -dev_rw_dlm_control(dlm_controld_t) -dev_rw_sysfs(dlm_controld_t) - -fs_manage_configfs_files(dlm_controld_t) -fs_manage_configfs_dirs(dlm_controld_t) - -init_rw_script_tmp_files(dlm_controld_t) - -####################################### -# -# fenced local policy -# - -allow fenced_t self:capability { sys_rawio sys_resource }; -allow fenced_t self:process { getsched signal_perms }; - -allow fenced_t self:tcp_socket create_stream_socket_perms; -allow fenced_t self:udp_socket create_socket_perms; - -can_exec(fenced_t, fenced_exec_t) - -manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) -files_lock_filetrans(fenced_t, fenced_lock_t, file) - -manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) - -stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - -kernel_read_system_state(fenced_t) - -corecmd_exec_bin(fenced_t) -corecmd_exec_shell(fenced_t) - -corenet_tcp_connect_http_port(fenced_t) - -dev_read_sysfs(fenced_t) -dev_read_urand(fenced_t) - -files_read_usr_symlinks(fenced_t) - -storage_raw_read_fixed_disk(fenced_t) -storage_raw_write_fixed_disk(fenced_t) -storage_raw_read_removable_device(fenced_t) - -term_getattr_pty_fs(fenced_t) -term_use_ptmx(fenced_t) - -auth_use_nsswitch(fenced_t) - -tunable_policy(`fenced_can_network_connect',` - corenet_tcp_connect_all_ports(fenced_t) -') - -# needed by fence_scsi -optional_policy(` - corosync_exec(fenced_t) -') - -optional_policy(` - ccs_read_config(fenced_t) -') - -optional_policy(` - lvm_domtrans(fenced_t) - lvm_read_config(fenced_t) -') - -###################################### -# -# gfs_controld local policy -# - -allow gfs_controld_t self:capability { net_admin sys_resource }; -allow gfs_controld_t self:shm create_shm_perms; -allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; - -stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) -stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - -kernel_read_system_state(gfs_controld_t) - -dev_rw_dlm_control(gfs_controld_t) -dev_setattr_dlm_control(gfs_controld_t) -dev_rw_sysfs(gfs_controld_t) - -storage_getattr_removable_dev(gfs_controld_t) - -init_rw_script_tmp_files(gfs_controld_t) - -optional_policy(` - lvm_exec(gfs_controld_t) - dev_rw_lvm_control(gfs_controld_t) -') - -####################################### -# -# groupd local policy -# - -allow groupd_t self:capability { sys_nice sys_resource }; -allow groupd_t self:process setsched; -allow groupd_t self:shm create_shm_perms; - -dev_list_sysfs(groupd_t) - -files_read_etc_files(groupd_t) - -init_rw_script_tmp_files(groupd_t) - -###################################### -# -# qdiskd local policy -# - -allow qdiskd_t self:capability { ipc_lock sys_boot }; -allow qdiskd_t self:tcp_socket create_stream_socket_perms; -allow qdiskd_t self:udp_socket create_socket_perms; - -manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) -manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) -manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) -files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) - -kernel_read_system_state(qdiskd_t) -kernel_read_software_raid_state(qdiskd_t) -kernel_getattr_core_if(qdiskd_t) - -corecmd_getattr_bin_files(qdiskd_t) -corecmd_exec_shell(qdiskd_t) - -dev_read_sysfs(qdiskd_t) -dev_list_all_dev_nodes(qdiskd_t) -dev_getattr_all_blk_files(qdiskd_t) -dev_getattr_all_chr_files(qdiskd_t) -dev_manage_generic_blk_files(qdiskd_t) -dev_manage_generic_chr_files(qdiskd_t) - -domain_dontaudit_getattr_all_pipes(qdiskd_t) -domain_dontaudit_getattr_all_sockets(qdiskd_t) - -files_dontaudit_getattr_all_sockets(qdiskd_t) -files_dontaudit_getattr_all_pipes(qdiskd_t) -files_read_etc_files(qdiskd_t) - -storage_raw_read_removable_device(qdiskd_t) -storage_raw_write_removable_device(qdiskd_t) -storage_raw_read_fixed_disk(qdiskd_t) -storage_raw_write_fixed_disk(qdiskd_t) - -auth_use_nsswitch(qdiskd_t) - -optional_policy(` - netutils_domtrans_ping(qdiskd_t) -') - -optional_policy(` - udev_read_db(qdiskd_t) -') - -##################################### -# -# rhcs domains common policy -# - -allow cluster_domain self:capability sys_nice; -allow cluster_domain self:process setsched; -allow cluster_domain self:sem create_sem_perms; -allow cluster_domain self:fifo_file rw_fifo_file_perms; -allow cluster_domain self:unix_stream_socket create_stream_socket_perms; -allow cluster_domain self:unix_dgram_socket create_socket_perms; - -manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) -manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) - -logging_send_syslog_msg(cluster_domain) - -miscfiles_read_localization(cluster_domain) - -optional_policy(` - ccs_stream_connect(cluster_domain) -') - -optional_policy(` - corosync_stream_connect(cluster_domain) -') diff --git a/policy/modules/services/rhgb.fc b/policy/modules/services/rhgb.fc deleted file mode 100644 index 9e5d31b..0000000 --- a/policy/modules/services/rhgb.fc +++ /dev/null @@ -1,4 +0,0 @@ -# -# /usr -# -/usr/bin/rhgb -- gen_context(system_u:object_r:rhgb_exec_t,s0) diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if deleted file mode 100644 index 793a29f..0000000 --- a/policy/modules/services/rhgb.if +++ /dev/null @@ -1,199 +0,0 @@ -## Red Hat Graphical Boot - -######################################## -## -## RHGB stub interface. No access allowed. -## -## -## -## N/A -## -## -# -interface(`rhgb_stub',` - gen_require(` - type rhgb_t; - ') -') - -######################################## -## -## Use a rhgb file descriptor. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_use_fds',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:fd use; -') - -######################################## -## -## Get the process group of rhgb. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_getpgid',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:process getpgid; -') - -######################################## -## -## Send a signal to rhgb. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_signal',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:process signal; -') - -######################################## -## -## Read and write to unix stream sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_rw_stream_sockets',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:unix_stream_socket { read write }; -') - -######################################## -## -## Do not audit attempts to read and write -## rhgb unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`rhgb_dontaudit_rw_stream_sockets',` - gen_require(` - type rhgb_t; - ') - - dontaudit $1 rhgb_t:unix_stream_socket { read write }; -') - -######################################## -## -## Connected to rhgb unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_stream_connect',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:unix_stream_socket connectto; -') - -######################################## -## -## Read and write to rhgb shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_rw_shm',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:shm rw_shm_perms; -') - -######################################## -## -## Read from and write to the rhgb devpts. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_use_ptys',` - gen_require(` - type rhgb_devpts_t; - ') - - allow $1 rhgb_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## dontaudit Read from and write to the rhgb devpts. -## -## -## -## Domain to not audit. -## -## -# -interface(`rhgb_dontaudit_use_ptys',` - gen_require(` - type rhgb_devpts_t; - ') - - dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## Read and write to rhgb temporary file system. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_rw_tmpfs_files',` - gen_require(` - type rhgb_tmpfs_t; - ') - - fs_search_tmpfs($1) - allow $1 rhgb_tmpfs_t:file rw_file_perms; -') diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te deleted file mode 100644 index 4d10897..0000000 --- a/policy/modules/services/rhgb.te +++ /dev/null @@ -1,142 +0,0 @@ -policy_module(rhgb, 1.9.0) - -######################################## -# -# Declarations -# - -type rhgb_t; -type rhgb_exec_t; -init_daemon_domain(rhgb_t, rhgb_exec_t) - -type rhgb_tmpfs_t; -files_tmpfs_file(rhgb_tmpfs_t) - -type rhgb_devpts_t; -term_pty(rhgb_devpts_t) - -######################################## -# -# Local policy -# - -allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config }; -dontaudit rhgb_t self:capability sys_tty_config; -allow rhgb_t self:process { setpgid signal_perms }; -allow rhgb_t self:shm create_shm_perms; -allow rhgb_t self:unix_stream_socket create_stream_socket_perms; -allow rhgb_t self:fifo_file rw_fifo_file_perms; -allow rhgb_t self:tcp_socket create_socket_perms; -allow rhgb_t self:udp_socket create_socket_perms; -allow rhgb_t self:netlink_route_socket r_netlink_socket_perms; - -allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -term_create_pty(rhgb_t, rhgb_devpts_t) - -manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_lnk_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_fifo_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_sock_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -fs_tmpfs_filetrans(rhgb_t, rhgb_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(rhgb_t) -kernel_read_system_state(rhgb_t) - -corecmd_exec_bin(rhgb_t) -corecmd_exec_shell(rhgb_t) - -corenet_all_recvfrom_unlabeled(rhgb_t) -corenet_all_recvfrom_netlabel(rhgb_t) -corenet_tcp_sendrecv_generic_if(rhgb_t) -corenet_udp_sendrecv_generic_if(rhgb_t) -corenet_tcp_sendrecv_generic_node(rhgb_t) -corenet_udp_sendrecv_generic_node(rhgb_t) -corenet_tcp_sendrecv_all_ports(rhgb_t) -corenet_udp_sendrecv_all_ports(rhgb_t) -corenet_tcp_connect_all_ports(rhgb_t) -corenet_sendrecv_all_client_packets(rhgb_t) - -dev_read_sysfs(rhgb_t) -dev_read_urand(rhgb_t) - -domain_use_interactive_fds(rhgb_t) - -files_read_etc_files(rhgb_t) -files_read_var_files(rhgb_t) -files_read_etc_runtime_files(rhgb_t) -files_search_tmp(rhgb_t) -files_read_usr_files(rhgb_t) -files_mounton_mnt(rhgb_t) -files_dontaudit_rw_root_dir(rhgb_t) -files_dontaudit_read_default_files(rhgb_t) -files_dontaudit_search_pids(rhgb_t) -# for nscd -files_dontaudit_search_var(rhgb_t) - -fs_search_auto_mountpoints(rhgb_t) -fs_mount_ramfs(rhgb_t) -fs_unmount_ramfs(rhgb_t) -fs_getattr_tmpfs(rhgb_t) -# for ramfs file systems -fs_manage_ramfs_dirs(rhgb_t) -fs_manage_ramfs_files(rhgb_t) -fs_manage_ramfs_pipes(rhgb_t) -fs_manage_ramfs_sockets(rhgb_t) - -selinux_dontaudit_read_fs(rhgb_t) - -term_use_unallocated_ttys(rhgb_t) -term_use_ptmx(rhgb_t) -term_getattr_pty_fs(rhgb_t) - -init_write_initctl(rhgb_t) - -# for localization -libs_read_lib_files(rhgb_t) - -logging_send_syslog_msg(rhgb_t) - -miscfiles_read_localization(rhgb_t) -miscfiles_read_fonts(rhgb_t) -miscfiles_dontaudit_write_fonts(rhgb_t) - -seutil_search_default_contexts(rhgb_t) -seutil_read_config(rhgb_t) - -sysnet_read_config(rhgb_t) -sysnet_domtrans_ifconfig(rhgb_t) - -userdom_dontaudit_use_unpriv_user_fds(rhgb_t) -userdom_dontaudit_search_user_home_content(rhgb_t) - -xserver_read_tmp_files(rhgb_t) -xserver_kill(rhgb_t) -# for running setxkbmap -xserver_read_xkb_libs(rhgb_t) -xserver_domtrans(rhgb_t) -xserver_signal(rhgb_t) -xserver_read_xdm_tmp_files(rhgb_t) -xserver_stream_connect(rhgb_t) - -optional_policy(` - consoletype_exec(rhgb_t) -') - -optional_policy(` - nis_use_ypbind(rhgb_t) -') - -optional_policy(` - seutil_sigchld_newrole(rhgb_t) -') - -optional_policy(` - udev_read_db(rhgb_t) -') - -ifdef(`TODO',` - #this seems a bit much - allow domain rhgb_devpts_t:chr_file { read write }; - allow initrc_t rhgb_gph_t:fd use; -') diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc deleted file mode 100644 index ed5dc05..0000000 --- a/policy/modules/services/ricci.fc +++ /dev/null @@ -1,19 +0,0 @@ - -/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0) - -/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0) -/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) -/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) -/usr/libexec/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0) -/usr/libexec/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0) - -/usr/sbin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0) -/usr/sbin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0) - -/var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0) - -/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0) - -/var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) -/var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) -/var/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0) diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if deleted file mode 100644 index 3128dd8..0000000 --- a/policy/modules/services/ricci.if +++ /dev/null @@ -1,267 +0,0 @@ -## Ricci cluster management agent - -######################################## -## -## Execute a domain transition to run ricci. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans',` - gen_require(` - type ricci_t, ricci_exec_t; - ') - - domtrans_pattern($1, ricci_exec_t, ricci_t) -') - -####################################### -## -## Execute ricci server in the ricci domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`ricci_initrc_domtrans',` - gen_require(` - type ricci_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ricci_initrc_exec_t) -') - -######################################## -## -## Execute a domain transition to run ricci_modcluster. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans_modcluster',` - gen_require(` - type ricci_modcluster_t, ricci_modcluster_exec_t; - ') - - domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t) -') - -######################################## -## -## Do not audit attempts to use -## ricci_modcluster file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`ricci_dontaudit_use_modcluster_fds',` - gen_require(` - type ricci_modcluster_t; - ') - - dontaudit $1 ricci_modcluster_t:fd use; -') - -######################################## -## -## Do not audit attempts to read write -## ricci_modcluster unamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`ricci_dontaudit_rw_modcluster_pipes',` - gen_require(` - type ricci_modcluster_t; - ') - - dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms; -') - -######################################## -## -## Connect to ricci_modclusterd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`ricci_stream_connect_modclusterd',` - gen_require(` - type ricci_modclusterd_t, ricci_modcluster_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t) -') - -######################################## -## -## Read and write to ricci_modcluserd temporary file system. -## -## -## -## Domain allowed access. -## -## -# -interface(`ricci_rw_modclusterd_tmpfs_files',` - gen_require(` - type ricci_modcluserd_tmpfs_t; - ') - - fs_search_tmpfs($1) - allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms; -') - -######################################## -## -## Execute a domain transition to run ricci_modlog. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans_modlog',` - gen_require(` - type ricci_modlog_t, ricci_modlog_exec_t; - ') - - domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t) -') - -######################################## -## -## Execute a domain transition to run ricci_modrpm. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans_modrpm',` - gen_require(` - type ricci_modrpm_t, ricci_modrpm_exec_t; - ') - - domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t) -') - -######################################## -## -## Execute a domain transition to run ricci_modservice. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans_modservice',` - gen_require(` - type ricci_modservice_t, ricci_modservice_exec_t; - ') - - domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t) -') - -######################################## -## -## Execute a domain transition to run ricci_modstorage. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans_modstorage',` - gen_require(` - type ricci_modstorage_t, ricci_modstorage_exec_t; - ') - - domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) -') - -#################################### -## -## Allow the specified domain to manage ricci's lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ricci_manage_lib_files',` - gen_require(` - type ricci_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) - manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an ricci environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`ricci_admin',` - gen_require(` - type ricci_t, ricci_initrc_exec_t, ricci_tmp_t; - type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; - ') - - allow $1 ricci_t:process { ptrace signal_perms }; - ps_process_pattern($1, ricci_t) - - ricci_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ricci_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, ricci_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, ricci_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, ricci_var_log_t) - - files_list_pids($1) - admin_pattern($1, ricci_var_run_t) -') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te deleted file mode 100644 index 29e7311..0000000 --- a/policy/modules/services/ricci.te +++ /dev/null @@ -1,507 +0,0 @@ -policy_module(ricci, 1.7.0) - -######################################## -# -# Declarations -# - -type ricci_t; -type ricci_exec_t; -init_daemon_domain(ricci_t, ricci_exec_t) - -type ricci_initrc_exec_t; -init_script_file(ricci_initrc_exec_t) - -type ricci_tmp_t; -files_tmp_file(ricci_tmp_t) - -type ricci_var_lib_t; -files_type(ricci_var_lib_t) - -type ricci_var_log_t; -logging_log_file(ricci_var_log_t) - -type ricci_var_run_t; -files_pid_file(ricci_var_run_t) - -type ricci_modcluster_t; -type ricci_modcluster_exec_t; -domain_type(ricci_modcluster_t) -domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t) -role system_r types ricci_modcluster_t; - -type ricci_modcluster_var_lib_t; -files_type(ricci_modcluster_var_lib_t) - -type ricci_modcluster_var_log_t; -logging_log_file(ricci_modcluster_var_log_t) - -type ricci_modcluster_var_run_t; -files_pid_file(ricci_modcluster_var_run_t) - -type ricci_modclusterd_t; -type ricci_modclusterd_exec_t; -init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) - -type ricci_modclusterd_tmpfs_t; -files_tmpfs_file(ricci_modclusterd_tmpfs_t) - -type ricci_modlog_t; -type ricci_modlog_exec_t; -domain_type(ricci_modlog_t) -domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t) -role system_r types ricci_modlog_t; - -type ricci_modrpm_t; -type ricci_modrpm_exec_t; -domain_type(ricci_modrpm_t) -domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t) -role system_r types ricci_modrpm_t; - -type ricci_modservice_t; -type ricci_modservice_exec_t; -domain_type(ricci_modservice_t) -domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t) -role system_r types ricci_modservice_t; - -type ricci_modstorage_t; -type ricci_modstorage_exec_t; -domain_type(ricci_modstorage_t) -domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t) -role system_r types ricci_modstorage_t; - -type ricci_modstorage_lock_t; -files_lock_file(ricci_modstorage_lock_t) - -######################################## -# -# ricci local policy -# - -allow ricci_t self:capability { setuid sys_nice sys_boot }; -allow ricci_t self:process setsched; -allow ricci_t self:fifo_file rw_fifo_file_perms; -allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow ricci_t self:tcp_socket create_stream_socket_perms; - -domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t) -domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t) -domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t) -domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t) -domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t) - -manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) -manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) -files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir }) - -manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) -manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) -manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) -files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file }) - -allow ricci_t ricci_var_log_t:dir setattr_dir_perms; -manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) -manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) -logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir }) - -manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) -manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) -files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(ricci_t) -kernel_read_system_state(ricci_t) - -corecmd_exec_bin(ricci_t) - -corenet_all_recvfrom_unlabeled(ricci_t) -corenet_all_recvfrom_netlabel(ricci_t) -corenet_tcp_sendrecv_generic_if(ricci_t) -corenet_tcp_sendrecv_generic_node(ricci_t) -corenet_tcp_sendrecv_all_ports(ricci_t) -corenet_tcp_bind_generic_node(ricci_t) -corenet_udp_bind_generic_node(ricci_t) -corenet_tcp_bind_ricci_port(ricci_t) -corenet_udp_bind_ricci_port(ricci_t) -corenet_tcp_connect_http_port(ricci_t) - -dev_read_urand(ricci_t) - -domain_read_all_domains_state(ricci_t) - -files_read_etc_files(ricci_t) -files_read_etc_runtime_files(ricci_t) -files_create_boot_flag(ricci_t) - -auth_domtrans_chk_passwd(ricci_t) -auth_append_login_records(ricci_t) - -init_stream_connect_script(ricci_t) - -locallogin_dontaudit_use_fds(ricci_t) - -logging_send_syslog_msg(ricci_t) - -miscfiles_read_localization(ricci_t) - -sysnet_dns_name_resolve(ricci_t) - -optional_policy(` - ccs_read_config(ricci_t) -') - -optional_policy(` - dbus_system_bus_client(ricci_t) - - oddjob_dbus_chat(ricci_t) -') - -optional_policy(` - # Needed so oddjob can run halt/reboot on behalf of ricci - corecmd_bin_entry_type(ricci_t) - term_dontaudit_search_ptys(ricci_t) - init_exec(ricci_t) - init_telinit(ricci_t) - init_rw_utmp(ricci_t) - - oddjob_system_entry(ricci_t, ricci_exec_t) -') - -optional_policy(` - rpm_use_script_fds(ricci_t) -') - -optional_policy(` - sasl_connect(ricci_t) -') - -optional_policy(` - shutdown_domtrans(ricci_t) -') - -optional_policy(` - unconfined_use_fds(ricci_t) -') - -optional_policy(` - xen_domtrans_xm(ricci_t) -') - -######################################## -# -# ricci_modcluster local policy -# - -allow ricci_modcluster_t self:capability { net_bind_service sys_nice }; -allow ricci_modcluster_t self:process setsched; -allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms; - -kernel_read_kernel_sysctls(ricci_modcluster_t) -kernel_read_system_state(ricci_modcluster_t) - -corecmd_exec_shell(ricci_modcluster_t) -corecmd_exec_bin(ricci_modcluster_t) - -corenet_tcp_bind_cluster_port(ricci_modclusterd_t) -corenet_tcp_bind_reserved_port(ricci_modclusterd_t) - -domain_read_all_domains_state(ricci_modcluster_t) - -files_search_locks(ricci_modcluster_t) -files_read_etc_runtime_files(ricci_modcluster_t) -files_read_etc_files(ricci_modcluster_t) -files_search_usr(ricci_modcluster_t) - -init_exec(ricci_modcluster_t) -init_domtrans_script(ricci_modcluster_t) - -logging_send_syslog_msg(ricci_modcluster_t) - -miscfiles_read_localization(ricci_modcluster_t) - -modutils_domtrans_insmod(ricci_modcluster_t) - -mount_domtrans(ricci_modcluster_t) - -consoletype_exec(ricci_modcluster_t) - -ricci_stream_connect_modclusterd(ricci_modcluster_t) - -optional_policy(` - aisexec_stream_connect(ricci_modcluster_t) - corosync_stream_connect(ricci_modcluster_t) -') - -optional_policy(` - ccs_stream_connect(ricci_modcluster_t) - ccs_domtrans(ricci_modcluster_t) - ccs_manage_config(ricci_modcluster_t) -') - -optional_policy(` - lvm_domtrans(ricci_modcluster_t) -') - -optional_policy(` - nscd_socket_use(ricci_modcluster_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t) -') - -optional_policy(` - rgmanager_stream_connect(ricci_modclusterd_t) -') - -######################################## -# -# ricci_modclusterd local policy -# - -allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config }; -allow ricci_modclusterd_t self:process { signal sigkill setsched }; -allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; -allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; -allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms; -# cjp: this needs to be fixed for a specific socket type: -allow ricci_modclusterd_t self:socket create_socket_perms; - -allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; -allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; - -manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) -manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) -fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file }) - -allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; -manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir }) - -manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) -manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) -files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(ricci_modclusterd_t) -kernel_read_system_state(ricci_modclusterd_t) -kernel_request_load_module(ricci_modclusterd_t) - -corecmd_exec_bin(ricci_modclusterd_t) - -corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t) -corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t) -corenet_tcp_bind_generic_node(ricci_modclusterd_t) -corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t) -corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) - -domain_read_all_domains_state(ricci_modclusterd_t) - -files_read_etc_files(ricci_modclusterd_t) -files_read_etc_runtime_files(ricci_modclusterd_t) - -fs_getattr_xattr_fs(ricci_modclusterd_t) - -auth_use_nsswitch(ricci_modclusterd_t) - -init_stream_connect_script(ricci_modclusterd_t) - -locallogin_dontaudit_use_fds(ricci_modclusterd_t) - -logging_send_syslog_msg(ricci_modclusterd_t) - -miscfiles_read_localization(ricci_modclusterd_t) - -sysnet_domtrans_ifconfig(ricci_modclusterd_t) - -optional_policy(` - aisexec_stream_connect(ricci_modclusterd_t) - corosync_stream_connect(ricci_modclusterd_t) -') - -optional_policy(` - ccs_domtrans(ricci_modclusterd_t) - ccs_stream_connect(ricci_modclusterd_t) - ccs_read_config(ricci_modclusterd_t) -') - -optional_policy(` - rgmanager_stream_connect(ricci_modclusterd_t) -') - -optional_policy(` - unconfined_use_fds(ricci_modclusterd_t) -') - -######################################## -# -# ricci_modlog local policy -# - -allow ricci_modlog_t self:capability sys_nice; -allow ricci_modlog_t self:process setsched; - -kernel_read_kernel_sysctls(ricci_modlog_t) -kernel_read_system_state(ricci_modlog_t) - -corecmd_exec_bin(ricci_modlog_t) - -domain_read_all_domains_state(ricci_modlog_t) - -files_read_etc_files(ricci_modlog_t) -files_search_usr(ricci_modlog_t) - -logging_read_generic_logs(ricci_modlog_t) - -miscfiles_read_localization(ricci_modlog_t) - -optional_policy(` - nscd_dontaudit_search_pid(ricci_modlog_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t) -') - -######################################## -# -# ricci_modrpm local policy -# - -allow ricci_modrpm_t self:fifo_file read_fifo_file_perms; - -kernel_read_kernel_sysctls(ricci_modrpm_t) - -corecmd_exec_bin(ricci_modrpm_t) - -files_search_usr(ricci_modrpm_t) -files_read_etc_files(ricci_modrpm_t) - -miscfiles_read_localization(ricci_modrpm_t) - -optional_policy(` - oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) -') - -optional_policy(` - rpm_domtrans(ricci_modrpm_t) -') - -######################################## -# -# ricci_modservice local policy -# - -allow ricci_modservice_t self:capability { dac_override sys_nice }; -allow ricci_modservice_t self:fifo_file rw_fifo_file_perms; -allow ricci_modservice_t self:process setsched; - -kernel_read_kernel_sysctls(ricci_modservice_t) -kernel_read_system_state(ricci_modservice_t) - -corecmd_exec_bin(ricci_modservice_t) -corecmd_exec_shell(ricci_modservice_t) - -files_read_etc_files(ricci_modservice_t) -files_read_etc_runtime_files(ricci_modservice_t) -files_search_usr(ricci_modservice_t) -# Needed for running chkconfig -files_manage_etc_symlinks(ricci_modservice_t) - -consoletype_exec(ricci_modservice_t) - -init_domtrans_script(ricci_modservice_t) - -miscfiles_read_localization(ricci_modservice_t) - -optional_policy(` - ccs_read_config(ricci_modservice_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(ricci_modservice_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t) -') - -######################################## -# -# ricci_modstorage local policy -# - -allow ricci_modstorage_t self:process { setsched signal }; -dontaudit ricci_modstorage_t self:process ptrace; -allow ricci_modstorage_t self:capability { mknod sys_nice }; -allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; -allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms; - -kernel_read_kernel_sysctls(ricci_modstorage_t) -kernel_read_system_state(ricci_modstorage_t) - -create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t) -files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file) - -corecmd_exec_shell(ricci_modstorage_t) -corecmd_exec_bin(ricci_modstorage_t) - -dev_read_sysfs(ricci_modstorage_t) -dev_read_urand(ricci_modstorage_t) -dev_manage_generic_blk_files(ricci_modstorage_t) - -domain_read_all_domains_state(ricci_modstorage_t) - -#Needed for editing /etc/fstab -files_manage_etc_files(ricci_modstorage_t) -files_read_etc_runtime_files(ricci_modstorage_t) -files_read_usr_files(ricci_modstorage_t) -files_read_kernel_modules(ricci_modstorage_t) - -files_create_default_dir(ricci_modstorage_t) -files_root_filetrans_default(ricci_modstorage_t, dir) -files_mounton_default(ricci_modstorage_t) -files_manage_default_dirs(ricci_modstorage_t) -files_manage_default_files(ricci_modstorage_t) - -storage_raw_read_fixed_disk(ricci_modstorage_t) - -term_dontaudit_use_console(ricci_modstorage_t) - -fstools_domtrans(ricci_modstorage_t) - -logging_send_syslog_msg(ricci_modstorage_t) - -miscfiles_read_localization(ricci_modstorage_t) - -modutils_read_module_deps(ricci_modstorage_t) - -consoletype_exec(ricci_modstorage_t) - -mount_domtrans(ricci_modstorage_t) - -optional_policy(` - aisexec_stream_connect(ricci_modstorage_t) - corosync_stream_connect(ricci_modstorage_t) -') - -optional_policy(` - ccs_stream_connect(ricci_modstorage_t) - ccs_read_config(ricci_modstorage_t) -') - -optional_policy(` - lvm_domtrans(ricci_modstorage_t) - lvm_manage_config(ricci_modstorage_t) -') - -optional_policy(` - nscd_socket_use(ricci_modstorage_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t) -') - -optional_policy(` - raid_domtrans_mdadm(ricci_modstorage_t) -') diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc deleted file mode 100644 index c3c2775..0000000 --- a/policy/modules/services/rlogin.fc +++ /dev/null @@ -1,10 +0,0 @@ -HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) -HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) -/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) -/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) - -/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) - -/usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0) - -/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if deleted file mode 100644 index 63e78c6..0000000 --- a/policy/modules/services/rlogin.if +++ /dev/null @@ -1,47 +0,0 @@ -## Remote login daemon - -######################################## -## -## Execute rlogind in the rlogin domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rlogin_domtrans',` - gen_require(` - type rlogind_t, rlogind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rlogind_exec_t, rlogind_t) -') - -######################################## -## -## read rlogin homedir content (.config) -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the user domain. -## -## -# -template(`rlogin_read_home_content',` - gen_require(` - type rlogind_home_t; - ') - - userdom_search_user_home_dirs($1) - list_dirs_pattern($1, rlogind_home_t, rlogind_home_t) - read_files_pattern($1, rlogind_home_t, rlogind_home_t) - read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t) -') diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te deleted file mode 100644 index 0155ca7..0000000 --- a/policy/modules/services/rlogin.te +++ /dev/null @@ -1,118 +0,0 @@ -policy_module(rlogin, 1.9.0) - -######################################## -# -# Declarations -# - -type rlogind_t; -type rlogind_exec_t; -inetd_service_domain(rlogind_t, rlogind_exec_t) -role system_r types rlogind_t; - -type rlogind_devpts_t; #, userpty_type; -term_login_pty(rlogind_devpts_t) - -type rlogind_home_t; -userdom_user_home_content(rlogind_home_t) - -type rlogind_tmp_t; -files_tmp_file(rlogind_tmp_t) - -type rlogind_var_run_t; -files_pid_file(rlogind_var_run_t) - -######################################## -# -# Local policy -# - -allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; -allow rlogind_t self:process signal_perms; -allow rlogind_t self:fifo_file rw_fifo_file_perms; -allow rlogind_t self:tcp_socket connected_stream_socket_perms; -# for identd; cjp: this should probably only be inetd_child rules? -allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - -allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -term_create_pty(rlogind_t, rlogind_devpts_t) - -# for /usr/lib/telnetlogin -can_exec(rlogind_t, rlogind_exec_t) - -manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) -manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) - -manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) -files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) - -kernel_read_kernel_sysctls(rlogind_t) -kernel_read_system_state(rlogind_t) -kernel_read_network_state(rlogind_t) - -corenet_all_recvfrom_unlabeled(rlogind_t) -corenet_all_recvfrom_netlabel(rlogind_t) -corenet_tcp_sendrecv_generic_if(rlogind_t) -corenet_udp_sendrecv_generic_if(rlogind_t) -corenet_tcp_sendrecv_generic_node(rlogind_t) -corenet_udp_sendrecv_generic_node(rlogind_t) -corenet_tcp_sendrecv_all_ports(rlogind_t) -corenet_udp_sendrecv_all_ports(rlogind_t) - -dev_read_urand(rlogind_t) - -domain_interactive_fd(rlogind_t) - -fs_getattr_xattr_fs(rlogind_t) -fs_search_auto_mountpoints(rlogind_t) - -auth_domtrans_chk_passwd(rlogind_t) -auth_rw_login_records(rlogind_t) -auth_use_nsswitch(rlogind_t) -auth_login_pgm_domain(rlogind_t) - -files_read_etc_files(rlogind_t) -files_read_etc_runtime_files(rlogind_t) -files_search_home(rlogind_t) -files_search_default(rlogind_t) - -init_rw_utmp(rlogind_t) - -logging_send_syslog_msg(rlogind_t) - -miscfiles_read_localization(rlogind_t) - -seutil_read_config(rlogind_t) - -userdom_setattr_user_ptys(rlogind_t) -# cjp: this is egregious -userdom_read_user_home_content_files(rlogind_t) -userdom_search_admin_dir(rlogind_t) -userdom_manage_user_tmp_files(rlogind_t) -userdom_tmp_filetrans_user_tmp(rlogind_t, file) - -remotelogin_domtrans(rlogind_t) -remotelogin_signal(rlogind_t) - -rlogin_read_home_content(rlogind_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(rlogind_t) - fs_read_nfs_files(rlogind_t) - fs_read_nfs_symlinks(rlogind_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(rlogind_t) - fs_read_cifs_files(rlogind_t) - fs_read_cifs_symlinks(rlogind_t) -') - -optional_policy(` - kerberos_keytab_template(rlogind, rlogind_t) - kerberos_manage_host_rcache(rlogind_t) -') - -optional_policy(` - tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) -') diff --git a/policy/modules/services/roundup.fc b/policy/modules/services/roundup.fc deleted file mode 100644 index e4110e6..0000000 --- a/policy/modules/services/roundup.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0) - -# -# /var -# -/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0) diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if deleted file mode 100644 index 30c4b75..0000000 --- a/policy/modules/services/roundup.if +++ /dev/null @@ -1,39 +0,0 @@ -## Roundup Issue Tracking System policy - -######################################## -## -## All of the rules required to administrate -## an roundup environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the roundup domain. -## -## -## -# -interface(`roundup_admin',` - gen_require(` - type roundup_t, roundup_var_lib_t, roundup_var_run_t; - type roundup_initrc_exec_t; - ') - - allow $1 roundup_t:process { ptrace signal_perms }; - ps_process_pattern($1, roundup_t) - - init_labeled_script_domtrans($1, roundup_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 roundup_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, roundup_var_lib_t) - - files_list_pids($1) - admin_pattern($1, roundup_var_run_t) -') diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te deleted file mode 100644 index 57f839f..0000000 --- a/policy/modules/services/roundup.te +++ /dev/null @@ -1,96 +0,0 @@ -policy_module(roundup, 1.7.0) - -######################################## -# -# Declarations -# - -type roundup_t; -type roundup_exec_t; -init_daemon_domain(roundup_t, roundup_exec_t) - -type roundup_initrc_exec_t; -init_script_file(roundup_initrc_exec_t) - -type roundup_var_run_t; -files_pid_file(roundup_var_run_t) - -type roundup_var_lib_t; -files_type(roundup_var_lib_t) - -######################################## -# -# Local policy -# - -allow roundup_t self:capability { setgid setuid }; -dontaudit roundup_t self:capability sys_tty_config; -allow roundup_t self:process signal_perms; -allow roundup_t self:unix_stream_socket create_stream_socket_perms; -allow roundup_t self:tcp_socket create_stream_socket_perms; -allow roundup_t self:udp_socket create_socket_perms; - -manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t) -files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file) - -manage_files_pattern(roundup_t, roundup_var_run_t, roundup_var_run_t) -files_pid_filetrans(roundup_t, roundup_var_run_t, file) - -kernel_read_kernel_sysctls(roundup_t) -kernel_list_proc(roundup_t) -kernel_read_proc_symlinks(roundup_t) - -dev_read_sysfs(roundup_t) - -# execute python -corecmd_exec_bin(roundup_t) - -corenet_all_recvfrom_unlabeled(roundup_t) -corenet_all_recvfrom_netlabel(roundup_t) -corenet_tcp_sendrecv_generic_if(roundup_t) -corenet_udp_sendrecv_generic_if(roundup_t) -corenet_raw_sendrecv_generic_if(roundup_t) -corenet_tcp_sendrecv_generic_node(roundup_t) -corenet_udp_sendrecv_generic_node(roundup_t) -corenet_raw_sendrecv_generic_node(roundup_t) -corenet_tcp_sendrecv_all_ports(roundup_t) -corenet_udp_sendrecv_all_ports(roundup_t) -corenet_tcp_bind_generic_node(roundup_t) -corenet_tcp_bind_http_cache_port(roundup_t) -corenet_tcp_connect_smtp_port(roundup_t) -corenet_sendrecv_http_cache_server_packets(roundup_t) -corenet_sendrecv_smtp_client_packets(roundup_t) - -# /usr/share/mysql/charsets/Index.xml -dev_read_urand(roundup_t) - -domain_use_interactive_fds(roundup_t) - -# /usr/share/mysql/charsets/Index.xml -files_read_usr_files(roundup_t) -files_read_etc_files(roundup_t) - -fs_getattr_all_fs(roundup_t) -fs_search_auto_mountpoints(roundup_t) - -logging_send_syslog_msg(roundup_t) - -miscfiles_read_localization(roundup_t) - -sysnet_read_config(roundup_t) - -userdom_dontaudit_use_unpriv_user_fds(roundup_t) -userdom_dontaudit_search_user_home_dirs(roundup_t) - -optional_policy(` - mysql_stream_connect(roundup_t) - mysql_search_db(roundup_t) -') - -optional_policy(` - seutil_sigchld_newrole(roundup_t) -') - -optional_policy(` - udev_read_db(roundup_t) -') diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc deleted file mode 100644 index 5c70c0c..0000000 --- a/policy/modules/services/rpc.fc +++ /dev/null @@ -1,31 +0,0 @@ -# -# /etc -# -/etc/exports -- gen_context(system_u:object_r:exports_t,s0) -/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - -# -# /sbin -# -/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - -# -# /usr -# -/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) -/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) -/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) - -# -# /var -# -/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) - -/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) -/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if deleted file mode 100644 index 28e7576..0000000 --- a/policy/modules/services/rpc.if +++ /dev/null @@ -1,442 +0,0 @@ -## Remote Procedure Call Daemon for managment of network based process communication - -######################################## -## -## RPC stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_stub',` - gen_require(` - type exports_t; - ') -') - -####################################### -## -## The template to define a rpc domain. -## -## -##

-## This template creates a domain to be used for -## a new rpc daemon. -##

-##
-## -## -## The type of daemon to be used. -## -## -# -template(`rpc_domain_template',` - gen_require(` - type var_lib_nfs_t; - ') - - ######################################## - # - # Declarations - # - - type $1_t; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - domain_use_interactive_fds($1_t) - - #################################### - # - # Local Policy - # - - dontaudit $1_t self:capability { net_admin sys_tty_config }; - allow $1_t self:capability net_bind_service; - allow $1_t self:process signal_perms; - allow $1_t self:unix_dgram_socket create_socket_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - - manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) - manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) - - kernel_list_proc($1_t) - kernel_read_proc_symlinks($1_t) - kernel_read_kernel_sysctls($1_t) - # bind to arbitary unused ports - kernel_rw_rpc_sysctls($1_t) - - dev_read_sysfs($1_t) - dev_read_urand($1_t) - dev_read_rand($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_udp_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_bind_generic_node($1_t) - corenet_udp_bind_generic_node($1_t) - corenet_tcp_bind_reserved_port($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_portmap_client_packets($1_t) - # do not log when it tries to bind to a port belonging to another domain - corenet_dontaudit_tcp_bind_all_ports($1_t) - corenet_dontaudit_udp_bind_all_ports($1_t) - # bind to arbitary unused ports - corenet_tcp_bind_generic_port($1_t) - corenet_udp_bind_generic_port($1_t) - corenet_tcp_bind_all_rpc_ports($1_t) - corenet_udp_bind_all_rpc_ports($1_t) - corenet_sendrecv_generic_server_packets($1_t) - - fs_rw_rpc_named_pipes($1_t) - fs_search_auto_mountpoints($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - files_search_var($1_t) - files_search_var_lib($1_t) - files_list_home($1_t) - - auth_use_nsswitch($1_t) - - logging_send_syslog_msg($1_t) - - miscfiles_read_localization($1_t) - - userdom_dontaudit_use_unpriv_user_fds($1_t) - - optional_policy(` - rpcbind_stream_connect($1_t) - ') - - optional_policy(` - seutil_sigchld_newrole($1_t) - ') - - optional_policy(` - udev_read_db($1_t) - ') -') - -######################################## -## -## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Do not audit attempts to get the attributes -## of the NFS export file. -## -## -## -## Domain to not audit. -## -## -# -interface(`rpc_dontaudit_getattr_exports',` - gen_require(` - type exports_t; - ') - - dontaudit $1 exports_t:file getattr_file_perms; -') - -######################################## -## -## Allow read access to exports. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_read_exports',` - gen_require(` - type exports_t; - ') - - allow $1 exports_t:file read_file_perms; -') - -######################################## -## -## Allow write access to exports. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_write_exports',` - gen_require(` - type exports_t; - ') - - allow $1 exports_t:file write_file_perms; -') - -######################################## -## -## Execute domain in nfsd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpc_domtrans_nfsd',` - gen_require(` - type nfsd_t, nfsd_exec_t; - ') - - domtrans_pattern($1, nfsd_exec_t, nfsd_t) -') - -####################################### -## -## Execute domain in nfsd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpc_initrc_domtrans_nfsd',` - gen_require(` - type nfsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nfsd_initrc_exec_t) -') - -######################################## -## -## Execute domain in rpcd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpc_domtrans_rpcd',` - gen_require(` - type rpcd_t, rpcd_exec_t; - ') - - domtrans_pattern($1, rpcd_exec_t, rpcd_t) - allow rpcd_t $1:process signal; -') - -######################################## -## -## Execute rpcd in the rcpd domain, and -## allow the specified role the rpcd domain. -## -## -## -## The role to be allowed the rpcd domain. -## -## -# -interface(`rpc_run_rpcd',` - gen_require(` - type rpcd_t; - ') - - rpc_domtrans_rpcd($1) - role $2 types rpcd_t; -') - -####################################### -## -## Execute domain in rpcd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpc_initrc_domtrans_rpcd',` - gen_require(` - type rpcd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, rpcd_initrc_exec_t) -') - -######################################## -## -## Read NFS exported content. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`rpc_read_nfs_content',` - gen_require(` - type nfsd_ro_t, nfsd_rw_t; - ') - - allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Allow domain to create read and write NFS directories. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`rpc_manage_nfs_rw_content',` - gen_require(` - type nfsd_rw_t; - ') - - manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t) - manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t) - manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t) -') - -######################################## -## -## Allow domain to create read and write NFS directories. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`rpc_manage_nfs_ro_content',` - gen_require(` - type nfsd_ro_t; - ') - - manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t) - manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t) - manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t) -') - -######################################## -## -## Allow domain to read and write to an NFS UDP socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_udp_rw_nfs_sockets',` - gen_require(` - type nfsd_t; - ') - - allow $1 nfsd_t:udp_socket rw_socket_perms; -') - -######################################## -## -## Send UDP traffic to NFSd. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_udp_send_nfs',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Search NFS state data in /var/lib/nfs. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_search_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search_dir_perms; -') - -######################################## -## -## Read NFS state data in /var/lib/nfs. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_read_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) -') - -######################################## -## -## Manage NFS state data in /var/lib/nfs. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_manage_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) - allow $1 var_lib_nfs_t:file relabel_file_perms; -') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te deleted file mode 100644 index 288e6cc..0000000 --- a/policy/modules/services/rpc.te +++ /dev/null @@ -1,255 +0,0 @@ -policy_module(rpc, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow gssd to read temp directory. For access to kerberos tgt. -##

-##
-gen_tunable(allow_gssd_read_tmp, true) - -## -##

-## Allow nfs servers to modify public files -## used for public file transfer services. Files/Directories must be -## labeled public_content_rw_t. -##

-##
-gen_tunable(allow_nfsd_anon_write, false) - -type exports_t; -files_config_file(exports_t) - -rpc_domain_template(gssd) - -type gssd_tmp_t; -files_tmp_file(gssd_tmp_t) - -type rpcd_var_run_t; -files_pid_file(rpcd_var_run_t) - -# rpcd_t is the domain of rpc daemons. -# rpc_exec_t is the type of rpc daemon programs. -rpc_domain_template(rpcd) - -type rpcd_initrc_exec_t; -init_script_file(rpcd_initrc_exec_t); - -rpc_domain_template(nfsd) - -type nfsd_initrc_exec_t; -init_script_file(nfsd_initrc_exec_t); - -type nfsd_rw_t; -files_type(nfsd_rw_t) - -type nfsd_ro_t; -files_type(nfsd_ro_t) - -type var_lib_nfs_t; -files_mountpoint(var_lib_nfs_t) - -######################################## -# -# RPC local policy -# - -allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; -allow rpcd_t self:process { getcap setcap }; -allow rpcd_t self:fifo_file rw_fifo_file_perms; - -allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms; -manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) -manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) -files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) - -# rpc.statd executes sm-notify -can_exec(rpcd_t, rpcd_exec_t) - -kernel_read_system_state(rpcd_t) -kernel_read_network_state(rpcd_t) -# for rpc.rquotad -kernel_read_sysctl(rpcd_t) -kernel_rw_fs_sysctls(rpcd_t) -kernel_dontaudit_getattr_core_if(rpcd_t) -kernel_signal(rpcd_t) - -corecmd_exec_bin(rpcd_t) - -files_manage_mounttab(rpcd_t) -files_getattr_all_dirs(rpcd_t) - -fs_list_rpc(rpcd_t) -fs_read_rpc_files(rpcd_t) -fs_read_rpc_symlinks(rpcd_t) -fs_rw_rpc_sockets(rpcd_t) -fs_get_all_fs_quotas(rpcd_t) -fs_set_xattr_fs_quotas(rpcd_t) -fs_getattr_all_fs(rpcd_t) - -storage_getattr_fixed_disk_dev(rpcd_t) - -selinux_dontaudit_read_fs(rpcd_t) - -miscfiles_read_generic_certs(rpcd_t) - -seutil_dontaudit_search_config(rpcd_t) - -userdom_signal_unpriv_users(rpcd_t) -userdom_read_user_home_content_files(rpcd_t) - -optional_policy(` - automount_signal(rpcd_t) - automount_dontaudit_write_pipes(rpcd_t) -') - -optional_policy(` - domain_unconfined_signal(rpcd_t) -') - -optional_policy(` - nis_read_ypserv_config(rpcd_t) -') - -optional_policy(` - rgmanager_manage_tmp_files(rpcd_t) -') - -######################################## -# -# NFSD local policy -# - -allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; - -allow nfsd_t exports_t:file read_file_perms; -allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; - -# for /proc/fs/nfs/exports - should we have a new type? -kernel_read_system_state(nfsd_t) -kernel_read_network_state(nfsd_t) -kernel_dontaudit_getattr_core_if(nfsd_t) -kernel_setsched(nfsd_t) - -corenet_tcp_bind_all_rpc_ports(nfsd_t) -corenet_udp_bind_all_rpc_ports(nfsd_t) - -dev_dontaudit_getattr_all_blk_files(nfsd_t) -dev_dontaudit_getattr_all_chr_files(nfsd_t) -dev_rw_lvm_control(nfsd_t) - -# does not really need this, but it is easier to just allow it -files_search_pids(nfsd_t) -# for exportfs and rpc.mountd -files_getattr_tmp_dirs(nfsd_t) -# cjp: this should really have its own type -files_manage_mounttab(nfsd_t) -files_read_etc_runtime_files(nfsd_t) - -fs_mount_nfsd_fs(nfsd_t) -fs_search_nfsd_fs(nfsd_t) -fs_getattr_all_fs(nfsd_t) -fs_getattr_all_dirs(nfsd_t) -fs_rw_nfsd_fs(nfsd_t) - -storage_dontaudit_read_fixed_disk(nfsd_t) -storage_raw_read_removable_device(nfsd_t) - -# Read access to public_content_t and public_content_rw_t -miscfiles_read_public_files(nfsd_t) - -userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) - -# Write access to public_content_t and public_content_rw_t -tunable_policy(`allow_nfsd_anon_write',` - miscfiles_manage_public_files(nfsd_t) -') - -tunable_policy(`nfs_export_all_rw',` - dev_getattr_all_blk_files(nfsd_t) - dev_getattr_all_chr_files(nfsd_t) - - fs_read_noxattr_fs_files(nfsd_t) - auth_manage_all_files_except_shadow(nfsd_t) -') - -tunable_policy(`nfs_export_all_ro',` - dev_getattr_all_blk_files(nfsd_t) - dev_getattr_all_chr_files(nfsd_t) - - files_getattr_all_pipes(nfsd_t) - files_getattr_all_sockets(nfsd_t) - - fs_read_noxattr_fs_files(nfsd_t) - - auth_read_all_dirs_except_shadow(nfsd_t) - auth_read_all_files_except_shadow(nfsd_t) -') - -######################################## -# -# GSSD local policy -# - -allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; -allow gssd_t self:process { getsched setsched }; -allow gssd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) - -kernel_read_system_state(gssd_t) -kernel_read_network_state(gssd_t) -kernel_read_network_state_symlinks(gssd_t) -kernel_request_load_module(gssd_t) -kernel_search_network_sysctl(gssd_t) -kernel_signal(gssd_t) - -corecmd_exec_bin(gssd_t) - -fs_list_rpc(gssd_t) -fs_rw_rpc_sockets(gssd_t) -fs_read_rpc_files(gssd_t) - -fs_list_inotifyfs(gssd_t) -files_list_tmp(gssd_t) -files_read_usr_symlinks(gssd_t) -files_dontaudit_write_var_dirs(gssd_t) - -auth_use_nsswitch(gssd_t) -auth_manage_cache(gssd_t) - -miscfiles_read_generic_certs(gssd_t) - -mount_signal(gssd_t) - -userdom_signal_all_users(gssd_t) - -tunable_policy(`allow_gssd_read_tmp',` - userdom_list_user_tmp(gssd_t) - userdom_read_user_tmp_files(gssd_t) - userdom_read_user_tmp_symlinks(gssd_t) - userdom_write_user_tmp_files(gssd_t) - files_read_generic_tmp_files(gssd_t) -') - -optional_policy(` - automount_signal(gssd_t) -') - -optional_policy(` - kerberos_keytab_template(gssd, gssd_t) -') - -optional_policy(` - pcscd_read_pub_files(gssd_t) -') - -optional_policy(` - xserver_rw_xdm_tmp_files(gssd_t) -') diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc deleted file mode 100644 index 5a965e9..0000000 --- a/policy/modules/services/rpcbind.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) - -/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) - -/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) -/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) - -/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) -/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) -/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if deleted file mode 100644 index 0458ba7..0000000 --- a/policy/modules/services/rpcbind.if +++ /dev/null @@ -1,153 +0,0 @@ -## Universal Addresses to RPC Program Number Mapper - -######################################## -## -## Execute a domain transition to run rpcbind. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpcbind_domtrans',` - gen_require(` - type rpcbind_t, rpcbind_exec_t; - ') - - domtrans_pattern($1, rpcbind_exec_t, rpcbind_t) -') - -######################################## -## -## Connect to rpcbindd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpcbind_stream_connect',` - gen_require(` - type rpcbind_t, rpcbind_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t) -') - -######################################## -## -## Read rpcbind PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpcbind_read_pid_files',` - gen_require(` - type rpcbind_var_run_t; - ') - - files_search_pids($1) - allow $1 rpcbind_var_run_t:file read_file_perms; -') - -######################################## -## -## Search rpcbind lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpcbind_search_lib',` - gen_require(` - type rpcbind_var_lib_t; - ') - - allow $1 rpcbind_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read rpcbind lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpcbind_read_lib_files',` - gen_require(` - type rpcbind_var_lib_t; - ') - - read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Create, read, write, and delete -## rpcbind lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpcbind_manage_lib_files',` - gen_require(` - type rpcbind_var_lib_t; - ') - - manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## All of the rules required to administrate -## an rpcbind environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the rpcbind domain. -## -## -## -# -interface(`rpcbind_admin',` - gen_require(` - type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t; - type rpcbind_initrc_exec_t; - ') - - allow $1 rpcbind_t:process { ptrace signal_perms }; - ps_process_pattern($1, rpcbind_t) - - init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpcbind_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, rpcbind_var_lib_t) - - files_list_pids($1) - admin_pattern($1, rpcbind_var_run_t) -') diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te deleted file mode 100644 index 9cb5e25..0000000 --- a/policy/modules/services/rpcbind.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(rpcbind, 1.5.0) - -######################################## -# -# Declarations -# - -type rpcbind_t; -type rpcbind_exec_t; -init_daemon_domain(rpcbind_t, rpcbind_exec_t) - -type rpcbind_initrc_exec_t; -init_script_file(rpcbind_initrc_exec_t) - -type rpcbind_var_run_t; -files_pid_file(rpcbind_var_run_t) - -type rpcbind_var_lib_t; -files_type(rpcbind_var_lib_t) - -######################################## -# -# rpcbind local policy -# - -allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; -allow rpcbind_t self:fifo_file rw_file_perms; -allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; -allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; -allow rpcbind_t self:udp_socket create_socket_perms; -allow rpcbind_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) -manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) -files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file }) - -manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) -manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) -manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) -files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file }) - -kernel_read_system_state(rpcbind_t) -kernel_read_network_state(rpcbind_t) -kernel_request_load_module(rpcbind_t) - -corecmd_exec_shell(rpcbind_t) - -corenet_all_recvfrom_unlabeled(rpcbind_t) -corenet_all_recvfrom_netlabel(rpcbind_t) -corenet_tcp_sendrecv_generic_if(rpcbind_t) -corenet_udp_sendrecv_generic_if(rpcbind_t) -corenet_tcp_sendrecv_generic_node(rpcbind_t) -corenet_udp_sendrecv_generic_node(rpcbind_t) -corenet_tcp_sendrecv_all_ports(rpcbind_t) -corenet_udp_sendrecv_all_ports(rpcbind_t) -corenet_tcp_bind_generic_node(rpcbind_t) -corenet_udp_bind_generic_node(rpcbind_t) -corenet_tcp_bind_portmap_port(rpcbind_t) -corenet_udp_bind_portmap_port(rpcbind_t) -corenet_udp_bind_all_rpc_ports(rpcbind_t) - -domain_use_interactive_fds(rpcbind_t) - -files_read_etc_files(rpcbind_t) -files_read_etc_runtime_files(rpcbind_t) - -logging_send_syslog_msg(rpcbind_t) - -miscfiles_read_localization(rpcbind_t) - -sysnet_dns_name_resolve(rpcbind_t) - -ifdef(`hide_broken_symptoms',` - dontaudit rpcbind_t self:udp_socket listen; -') - -optional_policy(` - nis_use_ypbind(rpcbind_t) -') diff --git a/policy/modules/services/rshd.fc b/policy/modules/services/rshd.fc deleted file mode 100644 index 6a4db03..0000000 --- a/policy/modules/services/rshd.fc +++ /dev/null @@ -1,5 +0,0 @@ - -/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0) - -/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) -/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0) diff --git a/policy/modules/services/rshd.if b/policy/modules/services/rshd.if deleted file mode 100644 index 2e87d76..0000000 --- a/policy/modules/services/rshd.if +++ /dev/null @@ -1,21 +0,0 @@ -## Remote shell service. - -######################################## -## -## Domain transition to rshd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rshd_domtrans',` - gen_require(` - type rshd_exec_t, rshd_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, rshd_exec_t, rshd_t) -') diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te deleted file mode 100644 index 49a4283..0000000 --- a/policy/modules/services/rshd.te +++ /dev/null @@ -1,97 +0,0 @@ -policy_module(rshd, 1.7.0) - -######################################## -# -# Declarations -# -type rshd_t; -type rshd_exec_t; -inetd_tcp_service_domain(rshd_t, rshd_exec_t) -domain_subj_id_change_exemption(rshd_t) -domain_role_change_exemption(rshd_t) -role system_r types rshd_t; - -######################################## -# -# Local policy -# -allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; -allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; -allow rshd_t self:fifo_file rw_fifo_file_perms; -allow rshd_t self:tcp_socket create_stream_socket_perms; - -kernel_read_kernel_sysctls(rshd_t) - -corenet_all_recvfrom_unlabeled(rshd_t) -corenet_all_recvfrom_netlabel(rshd_t) -corenet_tcp_sendrecv_generic_if(rshd_t) -corenet_udp_sendrecv_generic_if(rshd_t) -corenet_tcp_sendrecv_generic_node(rshd_t) -corenet_udp_sendrecv_generic_node(rshd_t) -corenet_tcp_sendrecv_all_ports(rshd_t) -corenet_udp_sendrecv_all_ports(rshd_t) -corenet_tcp_bind_generic_node(rshd_t) -corenet_tcp_bind_rsh_port(rshd_t) -corenet_tcp_bind_all_rpc_ports(rshd_t) -corenet_tcp_connect_all_ports(rshd_t) -corenet_tcp_connect_all_rpc_ports(rshd_t) -corenet_sendrecv_rsh_server_packets(rshd_t) - -dev_read_urand(rshd_t) - -selinux_get_fs_mount(rshd_t) -selinux_validate_context(rshd_t) -selinux_compute_access_vector(rshd_t) -selinux_compute_create_context(rshd_t) -selinux_compute_relabel_context(rshd_t) -selinux_compute_user_contexts(rshd_t) - -corecmd_read_bin_symlinks(rshd_t) - -files_list_home(rshd_t) -files_read_etc_files(rshd_t) -files_search_tmp(rshd_t) - -auth_login_pgm_domain(rshd_t) -auth_write_login_records(rshd_t) - -init_rw_utmp(rshd_t) - -logging_send_syslog_msg(rshd_t) -logging_search_logs(rshd_t) - -miscfiles_read_localization(rshd_t) - -seutil_read_config(rshd_t) -seutil_read_default_contexts(rshd_t) - -userdom_search_user_home_content(rshd_t) -userdom_manage_tmp_role(system_r, rshd_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(rshd_t) - fs_read_nfs_symlinks(rshd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(rshd_t) - fs_read_cifs_symlinks(rshd_t) -') - -optional_policy(` - kerberos_keytab_template(rshd, rshd_t) - kerberos_manage_host_rcache(rshd_t) -') - -optional_policy(` - rlogin_read_home_content(rshd_t) -') - -optional_policy(` - tcpd_wrapped_domain(rshd_t, rshd_exec_t) -') - -optional_policy(` - unconfined_shell_domtrans(rshd_t) - unconfined_signal(rshd_t) -') diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc deleted file mode 100644 index 479615b..0000000 --- a/policy/modules/services/rsync.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) - -/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) - -/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) - -/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if deleted file mode 100644 index b28cae5..0000000 --- a/policy/modules/services/rsync.if +++ /dev/null @@ -1,186 +0,0 @@ -## Fast incremental file transfer for synchronization - -######################################## -## -## Make rsync an entry point for -## the specified domain. -## -## -## -## The domain for which init scripts are an entrypoint. -## -## -# cjp: added for portage -interface(`rsync_entry_type',` - gen_require(` - type rsync_exec_t; - ') - - domain_entry_file($1, rsync_exec_t) -') - -######################################## -## -## Execute a rsync in a specified domain. -## -## -##

-## Execute a rsync in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# cjp: added for portage -interface(`rsync_entry_spec_domtrans',` - gen_require(` - type rsync_exec_t; - ') - - domain_trans($1, rsync_exec_t, $2) -') - -######################################## -## -## Execute a rsync in a specified domain. -## -## -##

-## Execute a rsync in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# cjp: added for portage -interface(`rsync_entry_domtrans',` - gen_require(` - type rsync_exec_t; - ') - - domain_auto_trans($1, rsync_exec_t, $2) -') - -######################################## -## -## Execute rsync in the caller domain domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`rsync_exec',` - gen_require(` - type rsync_exec_t; - ') - - can_exec($1, rsync_exec_t) -') - -######################################## -## -## Read rsync config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rsync_read_config',` - gen_require(` - type rsync_etc_t; - ') - - read_files_pattern($1, rsync_etc_t, rsync_etc_t) - files_search_etc($1) -') - -######################################## -## -## Write to rsync config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rsync_write_config',` - gen_require(` - type rsync_etc_t; - ') - - write_files_pattern($1, rsync_etc_t, rsync_etc_t) - files_search_etc($1) -') - -######################################## -## -## Manage rsync config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rsync_manage_config',` - gen_require(` - type rsync_etc_t; - ') - - manage_files_pattern($1, rsync_etc_t, rsync_etc_t) - files_search_etc($1) -') - -######################################## -## -## Create objects in etc directories -## with rsync etc type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Class of the object being created. -## -## -# -interface(`rsync_filetrans_config',` - gen_require(` - type rsync_etc_t; - ') - - files_etc_filetrans($1, rsync_etc_t, $2) -') diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te deleted file mode 100644 index 5e7b7cf..0000000 --- a/policy/modules/services/rsync.te +++ /dev/null @@ -1,155 +0,0 @@ -policy_module(rsync, 1.10.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow rsync to run as a client -##

-##
-gen_tunable(rsync_client, false) - -## -##

-## Allow rsync to export any files/directories read only. -##

-##
-gen_tunable(rsync_export_all_ro, false) - -## -##

-## Allow rsync to modify public files -## used for public file transfer services. Files/Directories must be -## labeled public_content_rw_t. -##

-##
-gen_tunable(allow_rsync_anon_write, false) - -type rsync_t; -type rsync_exec_t; -application_executable_file(rsync_exec_t) -role system_r types rsync_t; - -type rsync_etc_t; -files_config_file(rsync_etc_t) - -type rsync_data_t; -files_type(rsync_data_t) - -type rsync_log_t; -logging_log_file(rsync_log_t) - -type rsync_tmp_t; -files_tmp_file(rsync_tmp_t) - -type rsync_var_run_t; -files_pid_file(rsync_var_run_t) - -######################################## -# -# Local policy -# - -allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; -allow rsync_t self:process signal_perms; -allow rsync_t self:fifo_file rw_fifo_file_perms; -allow rsync_t self:tcp_socket create_stream_socket_perms; -allow rsync_t self:udp_socket connected_socket_perms; - -# for identd -# cjp: this should probably only be inetd_child_t rules? -# search home and kerberos also. -allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -#end for identd - -read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) - -allow rsync_t rsync_data_t:dir list_dir_perms; -read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) - -manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) -logging_log_filetrans(rsync_t, rsync_log_t, file) - -manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir }) - -manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t) -files_pid_filetrans(rsync_t, rsync_var_run_t, file) - -kernel_read_kernel_sysctls(rsync_t) -kernel_read_system_state(rsync_t) -kernel_read_network_state(rsync_t) - -corenet_all_recvfrom_unlabeled(rsync_t) -corenet_all_recvfrom_netlabel(rsync_t) -corenet_tcp_sendrecv_generic_if(rsync_t) -corenet_udp_sendrecv_generic_if(rsync_t) -corenet_tcp_sendrecv_generic_node(rsync_t) -corenet_udp_sendrecv_generic_node(rsync_t) -corenet_tcp_sendrecv_all_ports(rsync_t) -corenet_udp_sendrecv_all_ports(rsync_t) -corenet_tcp_bind_generic_node(rsync_t) -corenet_tcp_bind_rsync_port(rsync_t) -corenet_sendrecv_rsync_server_packets(rsync_t) - -dev_read_urand(rsync_t) - -fs_getattr_xattr_fs(rsync_t) - -files_read_etc_files(rsync_t) -files_search_home(rsync_t) - -auth_use_nsswitch(rsync_t) - -logging_send_syslog_msg(rsync_t) - -miscfiles_read_localization(rsync_t) -miscfiles_read_public_files(rsync_t) - -tunable_policy(`allow_rsync_anon_write',` - miscfiles_manage_public_files(rsync_t) -') - -optional_policy(` - daemontools_service_domain(rsync_t, rsync_exec_t) -') - -optional_policy(` - kerberos_use(rsync_t) -') - -optional_policy(` - inetd_service_domain(rsync_t, rsync_exec_t) -') - -tunable_policy(`rsync_export_all_ro',` - files_getattr_all_pipes(rsync_t) - fs_read_noxattr_fs_files(rsync_t) - fs_read_nfs_files(rsync_t) - fs_read_cifs_files(rsync_t) - auth_read_all_dirs_except_shadow(rsync_t) - auth_read_all_files_except_shadow(rsync_t) - auth_read_all_symlinks_except_shadow(rsync_t) - auth_tunable_read_shadow(rsync_t) -') - -tunable_policy(`rsync_client',` - corenet_tcp_connect_rsync_port(rsync_t) - corenet_tcp_connect_ssh_port(rsync_t) - manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) - manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) - manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -') - -optional_policy(` - tunable_policy(`rsync_client',` - ssh_exec(rsync_t) - ') -') - -auth_can_read_shadow_passwords(rsync_t) diff --git a/policy/modules/services/rtkit.fc b/policy/modules/services/rtkit.fc deleted file mode 100644 index 52c441e..0000000 --- a/policy/modules/services/rtkit.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if deleted file mode 100644 index d632bc0..0000000 --- a/policy/modules/services/rtkit.if +++ /dev/null @@ -1,82 +0,0 @@ -## Realtime scheduling for user processes. - -######################################## -## -## Execute a domain transition to run rtkit_daemon. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rtkit_daemon_domtrans',` - gen_require(` - type rtkit_daemon_t, rtkit_daemon_exec_t; - ') - - domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t) -') - -######################################## -## -## Send and receive messages from -## rtkit_daemon over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`rtkit_daemon_dbus_chat',` - gen_require(` - type rtkit_daemon_t; - class dbus send_msg; - ') - - allow $1 rtkit_daemon_t:dbus send_msg; - allow rtkit_daemon_t $1:dbus send_msg; -') - -######################################## -## -## Do not audit send and receive messages from -## rtkit_daemon over dbus. -## -## -## -## Domain to not audit. -## -## -# -interface(`rtkit_daemon_dontaudit_dbus_chat',` - gen_require(` - type rtkit_daemon_t; - class dbus send_msg; - ') - - dontaudit $1 rtkit_daemon_t:dbus send_msg; - dontaudit rtkit_daemon_t $1:dbus send_msg; -') - -######################################## -## -## Allow rtkit to control scheduling for your process -## -## -## -## Domain allowed access. -## -## -# -interface(`rtkit_scheduled',` - gen_require(` - type rtkit_daemon_t; - ') - - kernel_search_proc($1) - ps_process_pattern(rtkit_daemon_t, $1) - allow rtkit_daemon_t $1:process { getsched setsched }; - rtkit_daemon_dbus_chat($1) -') diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te deleted file mode 100644 index 7d64285..0000000 --- a/policy/modules/services/rtkit.te +++ /dev/null @@ -1,36 +0,0 @@ -policy_module(rtkit, 1.1.0) - -######################################## -# -# Declarations -# - -type rtkit_daemon_t; -type rtkit_daemon_exec_t; -dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) -init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) - -######################################## -# -# rtkit_daemon local policy -# - -allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; -allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit }; - -kernel_read_system_state(rtkit_daemon_t) - -domain_getsched_all_domains(rtkit_daemon_t) -domain_read_all_domains_state(rtkit_daemon_t) - -fs_rw_anon_inodefs_files(rtkit_daemon_t) - -auth_use_nsswitch(rtkit_daemon_t) - -logging_send_syslog_msg(rtkit_daemon_t) - -miscfiles_read_localization(rtkit_daemon_t) - -optional_policy(` - policykit_dbus_chat(rtkit_daemon_t) -') diff --git a/policy/modules/services/rwho.fc b/policy/modules/services/rwho.fc deleted file mode 100644 index bc048ce..0000000 --- a/policy/modules/services/rwho.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0) - -/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0) - -/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) - -/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0) diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if deleted file mode 100644 index 664e68e..0000000 --- a/policy/modules/services/rwho.if +++ /dev/null @@ -1,154 +0,0 @@ -## Who is logged in on other machines? - -######################################## -## -## Execute a domain transition to run rwho. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rwho_domtrans',` - gen_require(` - type rwho_t, rwho_exec_t; - ') - - domtrans_pattern($1, rwho_exec_t, rwho_t) -') - -######################################## -## -## Search rwho log directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`rwho_search_log',` - gen_require(` - type rwho_log_t; - ') - - allow $1 rwho_log_t:dir search_dir_perms; - logging_search_logs($1) -') - -######################################## -## -## Read rwho log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rwho_read_log_files',` - gen_require(` - type rwho_log_t; - ') - - allow $1 rwho_log_t:file read_file_perms; - allow $1 rwho_log_t:dir list_dir_perms; - logging_search_logs($1) -') - -######################################## -## -## Search rwho spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`rwho_search_spool',` - gen_require(` - type rwho_spool_t; - ') - - allow $1 rwho_spool_t:dir search_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Read rwho spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rwho_read_spool_files',` - gen_require(` - type rwho_spool_t; - ') - - read_files_pattern($1, rwho_spool_t, rwho_spool_t) - files_search_spool($1) -') - -######################################## -## -## Create, read, write, and delete -## rwho spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rwho_manage_spool_files',` - gen_require(` - type rwho_spool_t; - ') - - manage_files_pattern($1, rwho_spool_t, rwho_spool_t) - files_search_spool($1) -') - -######################################## -## -## All of the rules required to administrate -## an rwho environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role allowed access. -## -## -## -# -interface(`rwho_admin',` - gen_require(` - type rwho_t, rwho_log_t, rwho_spool_t; - type rwho_initrc_exec_t; - ') - - allow $1 rwho_t:process { ptrace signal_perms }; - ps_process_pattern($1, rwho_t) - - init_labeled_script_domtrans($1, rwho_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rwho_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, rwho_log_t) - - files_list_spool($1) - admin_pattern($1, rwho_spool_t) -') diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te deleted file mode 100644 index d78daf4..0000000 --- a/policy/modules/services/rwho.te +++ /dev/null @@ -1,63 +0,0 @@ -policy_module(rwho, 1.6.0) - -######################################## -# -# Declarations -# - -type rwho_t; -type rwho_exec_t; -init_daemon_domain(rwho_t, rwho_exec_t) - -type rwho_initrc_exec_t; -init_script_file(rwho_initrc_exec_t) - -type rwho_log_t; -files_type(rwho_log_t) - -type rwho_spool_t; -files_type(rwho_spool_t) - -######################################## -# -# rwho local policy -# - -allow rwho_t self:capability sys_chroot; -allow rwho_t self:unix_dgram_socket create; -allow rwho_t self:fifo_file rw_file_perms; -allow rwho_t self:unix_stream_socket create_stream_socket_perms; -allow rwho_t self:udp_socket create_socket_perms; - -allow rwho_t rwho_log_t:dir manage_dir_perms; -allow rwho_t rwho_log_t:file manage_file_perms; -logging_log_filetrans(rwho_t, rwho_log_t, { file dir }) - -allow rwho_t rwho_spool_t:dir manage_dir_perms; -allow rwho_t rwho_spool_t:file manage_file_perms; -files_spool_filetrans(rwho_t, rwho_spool_t, { file dir }) - -kernel_read_system_state(rwho_t) - -corenet_all_recvfrom_unlabeled(rwho_t) -corenet_all_recvfrom_netlabel(rwho_t) -corenet_udp_sendrecv_generic_if(rwho_t) -corenet_udp_sendrecv_generic_node(rwho_t) -corenet_udp_sendrecv_all_ports(rwho_t) -corenet_udp_bind_generic_node(rwho_t) -corenet_udp_bind_rwho_port(rwho_t) -corenet_sendrecv_rwho_server_packets(rwho_t) - -domain_use_interactive_fds(rwho_t) - -files_read_etc_files(rwho_t) - -init_read_utmp(rwho_t) -init_dontaudit_write_utmp(rwho_t) - -logging_send_syslog_msg(rwho_t) - -miscfiles_read_localization(rwho_t) - -sysnet_dns_name_resolve(rwho_t) - diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc deleted file mode 100644 index 73db5ba..0000000 --- a/policy/modules/services/samba.fc +++ /dev/null @@ -1,57 +0,0 @@ - -# -# /etc -# -/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) - -# -# /usr -# -/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) -/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) -/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) -/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) -/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) - -/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) -/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) -/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) -/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) - -# -# /var -# -/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - -/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - -/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) - -/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) - -/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - -/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) - -ifndef(`enable_mls',` -/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) -') diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if deleted file mode 100644 index 9e72970..0000000 --- a/policy/modules/services/samba.if +++ /dev/null @@ -1,814 +0,0 @@ -## -## SMB and CIFS client/server programs for UNIX and -## name Service Switch daemon for resolving names -## from Windows NT servers. -## - -######################################## -## -## Execute nmbd net in the nmbd_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_nmbd',` - gen_require(` - type nmbd_t, nmbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nmbd_exec_t, nmbd_t) -') - -####################################### -## -## Allow domain to signal samba -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_signal_nmbd',` - gen_require(` - type nmbd_t; - ') - allow $1 nmbd_t:process signal; -') - -######################################## -## -## Execute samba server in the samba domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_initrc_domtrans',` - gen_require(` - type samba_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, samba_initrc_exec_t) -') - -######################################## -## -## Execute samba net in the samba_net domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_net',` - gen_require(` - type samba_net_t, samba_net_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, samba_net_exec_t, samba_net_t) -') - -######################################## -## -## Execute samba net in the samba_unconfined_net domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_unconfined_net',` - gen_require(` - type samba_unconfined_net_t, samba_net_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t) -') - -######################################## -## -## Execute samba net in the samba_net domain, and -## allow the specified role the samba_net domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`samba_run_net',` - gen_require(` - type samba_net_t; - ') - - samba_domtrans_net($1) - role $2 types samba_net_t; -') - -####################################### -## -## The role for the samba module. -## -## -## -## The role to be allowed the samba_net domain. -## -## -## -# -interface(`samba_role_notrans',` - gen_require(` - type smbd_t; - ') - - role $1 types smbd_t; -') - -######################################## -## -## Execute samba net in the samba_unconfined_net domain, and -## allow the specified role the samba_unconfined_net domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to be allowed the samba_unconfined_net domain. -## -## -## -# -interface(`samba_run_unconfined_net',` - gen_require(` - type samba_unconfined_net_t; - ') - - samba_domtrans_unconfined_net($1) - role $2 types samba_unconfined_net_t; -') - -######################################## -## -## Execute smbmount in the smbmount domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_smbmount',` - gen_require(` - type smbmount_t, smbmount_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbmount_exec_t, smbmount_t) -') - -######################################## -## -## Execute smbmount interactively and do -## a domain transition to the smbmount domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`samba_run_smbmount',` - gen_require(` - type smbmount_t; - ') - - samba_domtrans_smbmount($1) - role $2 types smbmount_t; -') - -######################################## -## -## Allow the specified domain to read -## samba configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`samba_read_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## -## Allow the specified domain to read -## and write samba configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`samba_rw_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - rw_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## -## Allow the specified domain to read -## and write samba configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`samba_manage_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, samba_etc_t, samba_etc_t) - manage_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## -## Allow the specified domain to read samba's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`samba_read_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - allow $1 samba_log_t:dir list_dir_perms; - read_files_pattern($1, samba_log_t, samba_log_t) -') - -######################################## -## -## Allow the specified domain to append to samba's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`samba_append_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - allow $1 samba_log_t:dir list_dir_perms; - allow $1 samba_log_t:file append_file_perms; -') - -######################################## -## -## Execute samba log in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_exec_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - can_exec($1, samba_log_t) -') - -######################################## -## -## Allow the specified domain to read samba's secrets. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_read_secrets',` - gen_require(` - type samba_secrets_t; - ') - - files_search_etc($1) - allow $1 samba_secrets_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to read samba's shares -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_read_share_files',` - gen_require(` - type samba_share_t; - ') - - allow $1 samba_share_t:filesystem getattr; - read_files_pattern($1, samba_share_t, samba_share_t) -') - -######################################## -## -## Allow the specified domain to search -## samba /var directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_search_var',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - allow $1 samba_var_t:dir search_dir_perms; -') - -######################################## -## -## Allow the specified domain to -## read samba /var files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_read_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## -## Do not audit attempts to write samba -## /var files. -## -## -## -## Domain to not audit. -## -## -# -interface(`samba_dontaudit_write_var_files',` - gen_require(` - type samba_var_t; - ') - - dontaudit $1 samba_var_t:file write; -') - -######################################## -## -## Allow the specified domain to -## read and write samba /var files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_rw_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## -## Allow the specified domain to -## read and write samba /var files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_manage_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, samba_var_t, samba_var_t) - manage_lnk_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## -## Execute a domain transition to run smbcontrol. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_smbcontrol',` - gen_require(` - type smbcontrol_t, smbcontrol_exec_t; - ') - - domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -') - -######################################## -## -## Execute smbcontrol in the smbcontrol domain, and -## allow the specified role the smbcontrol domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`samba_run_smbcontrol',` - gen_require(` - type smbcontrol_t; - ') - - samba_domtrans_smbcontrol($1) - role $2 types smbcontrol_t; -') - -######################################## -## -## Execute smbd in the smbd_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_smbd',` - gen_require(` - type smbd_t, smbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbd_exec_t, smbd_t) -') - -###################################### -## -## Allow domain to signal samba -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_signal_smbd',` - gen_require(` - type smbd_t; - ') - allow $1 smbd_t:process signal; -') - -######################################## -## -## Do not audit attempts to use file descriptors from samba. -## -## -## -## Domain to not audit. -## -## -# -interface(`samba_dontaudit_use_fds',` - gen_require(` - type smbd_t; - ') - - dontaudit $1 smbd_t:fd use; -') - -######################################## -## -## Allow the specified domain to write to smbmount tcp sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_write_smbmount_tcp_sockets',` - gen_require(` - type smbmount_t; - ') - - allow $1 smbmount_t:tcp_socket write; -') - -######################################## -## -## Allow the specified domain to read and write to smbmount tcp sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_rw_smbmount_tcp_sockets',` - gen_require(` - type smbmount_t; - ') - - allow $1 smbmount_t:tcp_socket { read write }; -') - -######################################## -## -## Execute winbind_helper in the winbind_helper domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_winbind_helper',` - gen_require(` - type winbind_helper_t, winbind_helper_exec_t; - ') - - domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) - allow $1 winbind_helper_t:process signal; -') - -######################################## -## -## Execute winbind_helper in the winbind_helper domain, and -## allow the specified role the winbind_helper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`samba_run_winbind_helper',` - gen_require(` - type winbind_helper_t; - ') - - samba_domtrans_winbind_helper($1) - role $2 types winbind_helper_t; -') - -######################################## -## -## Allow the specified domain to read the winbind pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_read_winbind_pid',` - gen_require(` - type winbind_var_run_t; - ') - - files_search_pids($1) - allow $1 winbind_var_run_t:file read_file_perms; -') - -######################################## -## -## Connect to winbind. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_stream_connect_winbind',` - gen_require(` - type samba_var_t, winbind_t, winbind_var_run_t; - ') - - files_search_pids($1) - allow $1 samba_var_t:dir search_dir_perms; - stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) - - ifndef(`distro_redhat',` - gen_require(` - type winbind_tmp_t; - ') - - # the default for the socket is (poorly named): - # /tmp/.winbindd/pipe - files_search_tmp($1) - stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) - ') -') - -######################################## -## -## Create a set of derived types for apache -## web content. -## -## -## -## The prefix to be used for deriving type names. -## -## -# -template(`samba_helper_template',` - gen_require(` - type smbd_t; - role system_r; - ') - - #This type is for samba helper scripts - type samba_$1_script_t; - domain_type(samba_$1_script_t) - role system_r types samba_$1_script_t; - - # This type is used for executable scripts files - type samba_$1_script_exec_t; - corecmd_shell_entry_type(samba_$1_script_t) - domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t) - - domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) - allow smbd_t samba_$1_script_exec_t:file ioctl; -') - -######################################## -## -## All of the rules required to administrate -## an samba environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the samba domain. -## -## -## -# -interface(`samba_admin',` - gen_require(` - type nmbd_t, nmbd_var_run_t, smbd_var_run_t; - type smbd_t, smbd_tmp_t, samba_secrets_t; - type samba_initrc_exec_t, samba_log_t, samba_var_t; - type samba_etc_t, samba_share_t, winbind_log_t; - type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t; - type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; - ') - - allow $1 smbd_t:process { ptrace signal_perms }; - ps_process_pattern($1, smbd_t) - - allow $1 nmbd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nmbd_t) - - allow $1 samba_unconfined_script_t:process { ptrace signal_perms }; - ps_process_pattern($1, samba_unconfined_script_t) - - samba_run_smbcontrol($1, $2, $3) - samba_run_winbind_helper($1, $2, $3) - samba_run_smbmount($1, $2, $3) - samba_run_net($1, $2, $3) - - init_labeled_script_domtrans($1, samba_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 samba_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, nmbd_var_run_t) - - admin_pattern($1, samba_etc_t) - files_list_etc($1) - - admin_pattern($1, samba_log_t) - logging_list_logs($1) - - admin_pattern($1, samba_secrets_t) - - admin_pattern($1, samba_share_t) - - admin_pattern($1, samba_var_t) - files_list_var($1) - - admin_pattern($1, smbd_var_run_t) - files_list_pids($1) - - admin_pattern($1, smbd_tmp_t) - files_list_tmp($1) - - admin_pattern($1, swat_var_run_t) - - admin_pattern($1, swat_tmp_t) - - admin_pattern($1, winbind_log_t) - - admin_pattern($1, winbind_tmp_t) - - admin_pattern($1, winbind_var_run_t) - admin_pattern($1, samba_unconfined_script_exec_t) -') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te deleted file mode 100644 index 6e627d6..0000000 --- a/policy/modules/services/samba.te +++ /dev/null @@ -1,957 +0,0 @@ -policy_module(samba, 1.13.0) - -################################# -# -# Declarations -# - -## -##

-## Allow samba to modify public files used for public file -## transfer services. Files/Directories must be labeled -## public_content_rw_t. -##

-##
-gen_tunable(allow_smbd_anon_write, false) - -## -##

-## Allow samba to create new home directories (e.g. via PAM) -##

-##
-gen_tunable(samba_create_home_dirs, false) - -## -##

-## Allow samba to act as the domain controller, add users, -## groups and change passwords. -## -##

-##
-gen_tunable(samba_domain_controller, false) - -## -##

-## Allow samba to share users home directories. -##

-##
-gen_tunable(samba_enable_home_dirs, false) - -## -##

-## Allow samba to share any file/directory read only. -##

-##
-gen_tunable(samba_export_all_ro, false) - -## -##

-## Allow samba to share any file/directory read/write. -##

-##
-gen_tunable(samba_export_all_rw, false) - -## -##

-## Allow samba to run unconfined scripts -##

-##
-gen_tunable(samba_run_unconfined, false) - -## -##

-## Allow samba to export NFS volumes. -##

-##
-gen_tunable(samba_share_nfs, false) - -## -##

-## Allow samba to export ntfs/fusefs volumes. -##

-##
-gen_tunable(samba_share_fusefs, false) - -type nmbd_t; -type nmbd_exec_t; -init_daemon_domain(nmbd_t, nmbd_exec_t) - -type nmbd_var_run_t; -files_pid_file(nmbd_var_run_t) - -type samba_etc_t; -files_config_file(samba_etc_t) - -type samba_initrc_exec_t; -init_script_file(samba_initrc_exec_t) - -type samba_log_t; -logging_log_file(samba_log_t) - -type samba_net_t; -type samba_net_exec_t; -application_domain(samba_net_t, samba_net_exec_t) -role system_r types samba_net_t; - -type samba_net_tmp_t; -files_tmp_file(samba_net_tmp_t) - -type samba_secrets_t; -files_type(samba_secrets_t) - -type samba_share_t; # customizable -files_type(samba_share_t) - -type samba_var_t; -files_type(samba_var_t) - -type smbcontrol_t; -type smbcontrol_exec_t; -application_domain(smbcontrol_t, smbcontrol_exec_t) -role system_r types smbcontrol_t; - -type smbd_t; -type smbd_exec_t; -init_daemon_domain(smbd_t, smbd_exec_t) - -type smbd_tmp_t; -files_tmp_file(smbd_tmp_t) - -type smbd_var_run_t; -files_pid_file(smbd_var_run_t) - -type smbmount_t; -domain_type(smbmount_t) - -type smbmount_exec_t; -domain_entry_file(smbmount_t, smbmount_exec_t) - -type swat_t; -type swat_exec_t; -domain_type(swat_t) -domain_entry_file(swat_t, swat_exec_t) -role system_r types swat_t; - -type swat_tmp_t; -files_tmp_file(swat_tmp_t) - -type swat_var_run_t; -files_pid_file(swat_var_run_t) - -type winbind_t; -type winbind_exec_t; -init_daemon_domain(winbind_t, winbind_exec_t) - -type winbind_helper_t; -domain_type(winbind_helper_t) -role system_r types winbind_helper_t; - -type winbind_helper_exec_t; -domain_entry_file(winbind_helper_t, winbind_helper_exec_t) - -type winbind_log_t; -logging_log_file(winbind_log_t) - -type winbind_var_run_t; -files_pid_file(winbind_var_run_t) - -######################################## -# -# Samba net local policy -# -allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; -allow samba_net_t self:process { getsched setsched }; -allow samba_net_t self:unix_dgram_socket create_socket_perms; -allow samba_net_t self:unix_stream_socket create_stream_socket_perms; -allow samba_net_t self:udp_socket create_socket_perms; -allow samba_net_t self:tcp_socket create_socket_perms; - -allow samba_net_t samba_etc_t:file read_file_perms; - -manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t) -filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file) - -manage_dirs_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) -manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) -files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) - -manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) -manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) - -kernel_read_proc_symlinks(samba_net_t) -kernel_read_system_state(samba_net_t) - -corenet_all_recvfrom_unlabeled(samba_net_t) -corenet_all_recvfrom_netlabel(samba_net_t) -corenet_tcp_sendrecv_generic_if(samba_net_t) -corenet_udp_sendrecv_generic_if(samba_net_t) -corenet_raw_sendrecv_generic_if(samba_net_t) -corenet_tcp_sendrecv_generic_node(samba_net_t) -corenet_udp_sendrecv_generic_node(samba_net_t) -corenet_raw_sendrecv_generic_node(samba_net_t) -corenet_tcp_sendrecv_all_ports(samba_net_t) -corenet_udp_sendrecv_all_ports(samba_net_t) -corenet_tcp_bind_generic_node(samba_net_t) -corenet_udp_bind_generic_node(samba_net_t) -corenet_tcp_connect_smbd_port(samba_net_t) - -dev_read_urand(samba_net_t) - -domain_use_interactive_fds(samba_net_t) - -files_read_etc_files(samba_net_t) -files_read_usr_symlinks(samba_net_t) - -auth_use_nsswitch(samba_net_t) -auth_manage_cache(samba_net_t) - -logging_send_syslog_msg(samba_net_t) - -miscfiles_read_localization(samba_net_t) - -samba_read_var_files(samba_net_t) - -userdom_use_user_terminals(samba_net_t) -userdom_list_user_home_dirs(samba_net_t) - -optional_policy(` - pcscd_read_pub_files(samba_net_t) -') - -optional_policy(` - kerberos_use(samba_net_t) -') - -######################################## -# -# smbd Local policy -# -allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search }; -dontaudit smbd_t self:capability sys_tty_config; -allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow smbd_t self:process setrlimit; -allow smbd_t self:fd use; -allow smbd_t self:fifo_file rw_fifo_file_perms; -allow smbd_t self:msg { send receive }; -allow smbd_t self:msgq create_msgq_perms; -allow smbd_t self:sem create_sem_perms; -allow smbd_t self:shm create_shm_perms; -allow smbd_t self:sock_file read_sock_file_perms; -allow smbd_t self:tcp_socket create_stream_socket_perms; -allow smbd_t self:udp_socket create_socket_perms; -allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -allow smbd_t nmbd_t:process { signal signull }; - -allow smbd_t nmbd_var_run_t:file rw_file_perms; - -allow smbd_t samba_etc_t:file { rw_file_perms setattr }; - -manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) -manage_files_pattern(smbd_t, samba_log_t, samba_log_t) - -allow smbd_t samba_net_tmp_t:file getattr; - -manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t) -filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) - -manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) -manage_files_pattern(smbd_t, samba_share_t, samba_share_t) -manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) -allow smbd_t samba_share_t:filesystem { getattr quotaget }; - -manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) -manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) -manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) - -allow smbd_t smbcontrol_t:process { signal signull }; - -manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) -manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) -files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) - -manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) - -allow smbd_t swat_t:process signal; - -allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; - -allow smbd_t winbind_t:process { signal signull }; - -kernel_getattr_core_if(smbd_t) -kernel_getattr_message_if(smbd_t) -kernel_read_network_state(smbd_t) -kernel_read_fs_sysctls(smbd_t) -kernel_read_kernel_sysctls(smbd_t) -kernel_read_software_raid_state(smbd_t) -kernel_read_system_state(smbd_t) - -corecmd_exec_shell(smbd_t) -corecmd_exec_bin(smbd_t) - -corenet_all_recvfrom_unlabeled(smbd_t) -corenet_all_recvfrom_netlabel(smbd_t) -corenet_tcp_sendrecv_generic_if(smbd_t) -corenet_udp_sendrecv_generic_if(smbd_t) -corenet_raw_sendrecv_generic_if(smbd_t) -corenet_tcp_sendrecv_generic_node(smbd_t) -corenet_udp_sendrecv_generic_node(smbd_t) -corenet_raw_sendrecv_generic_node(smbd_t) -corenet_tcp_sendrecv_all_ports(smbd_t) -corenet_udp_sendrecv_all_ports(smbd_t) -corenet_tcp_bind_generic_node(smbd_t) -corenet_udp_bind_generic_node(smbd_t) -corenet_tcp_bind_smbd_port(smbd_t) -corenet_tcp_connect_ipp_port(smbd_t) -corenet_tcp_connect_smbd_port(smbd_t) - -dev_read_sysfs(smbd_t) -dev_read_urand(smbd_t) -dev_getattr_mtrr_dev(smbd_t) -dev_dontaudit_getattr_usbfs_dirs(smbd_t) -# For redhat bug 566984 -dev_getattr_all_blk_files(smbd_t) -dev_getattr_all_chr_files(smbd_t) - -fs_getattr_all_fs(smbd_t) -fs_getattr_all_dirs(smbd_t) -fs_get_xattr_fs_quotas(smbd_t) -fs_search_auto_mountpoints(smbd_t) -fs_getattr_rpc_dirs(smbd_t) -fs_list_inotifyfs(smbd_t) -fs_get_all_fs_quotas(smbd_t) - -auth_use_nsswitch(smbd_t) -auth_domtrans_chk_passwd(smbd_t) -auth_domtrans_upd_passwd(smbd_t) -auth_manage_cache(smbd_t) - -domain_use_interactive_fds(smbd_t) -domain_dontaudit_list_all_domains_state(smbd_t) - -files_list_var_lib(smbd_t) -files_read_etc_files(smbd_t) -files_read_etc_runtime_files(smbd_t) -files_read_usr_files(smbd_t) -files_search_spool(smbd_t) -# smbd seems to getattr all mountpoints -files_dontaudit_getattr_all_dirs(smbd_t) -files_dontaudit_list_all_mountpoints(smbd_t) -# Allow samba to list mnt_t for potential mounted dirs -files_list_mnt(smbd_t) - -init_rw_utmp(smbd_t) - -logging_search_logs(smbd_t) -logging_send_syslog_msg(smbd_t) - -miscfiles_read_localization(smbd_t) -miscfiles_read_public_files(smbd_t) - -userdom_use_unpriv_users_fds(smbd_t) -userdom_search_user_home_content(smbd_t) -userdom_signal_all_users(smbd_t) - -usermanage_read_crack_db(smbd_t) - -term_use_ptmx(smbd_t) - -ifdef(`hide_broken_symptoms', ` - files_dontaudit_getattr_default_dirs(smbd_t) - files_dontaudit_getattr_boot_dirs(smbd_t) - fs_dontaudit_getattr_tmpfs_dirs(smbd_t) -') - -tunable_policy(`allow_smbd_anon_write',` - miscfiles_manage_public_files(smbd_t) -') - -tunable_policy(`samba_domain_controller',` - gen_require(` - class passwd passwd; - ') - - usermanage_domtrans_passwd(smbd_t) - usermanage_kill_passwd(smbd_t) - usermanage_domtrans_useradd(smbd_t) - usermanage_domtrans_groupadd(smbd_t) - allow smbd_t self:passwd passwd; -') - -tunable_policy(`samba_enable_home_dirs',` - userdom_manage_user_home_content(smbd_t) -') - -# Support Samba sharing of NFS mount points -tunable_policy(`samba_share_nfs',` - fs_manage_nfs_dirs(smbd_t) - fs_manage_nfs_files(smbd_t) - fs_manage_nfs_symlinks(smbd_t) - fs_manage_nfs_named_pipes(smbd_t) - fs_manage_nfs_named_sockets(smbd_t) -') - -# Support Samba sharing of ntfs/fusefs mount points -tunable_policy(`samba_share_fusefs',` - fs_manage_fusefs_dirs(smbd_t) - fs_manage_fusefs_files(smbd_t) -',` - fs_search_fusefs(smbd_t) -') - - -optional_policy(` - cups_read_rw_config(smbd_t) - cups_stream_connect(smbd_t) -') - -optional_policy(` - kerberos_use(smbd_t) - kerberos_keytab_template(smbd, smbd_t) -') - -optional_policy(` - lpd_exec_lpr(smbd_t) -') - -optional_policy(` - qemu_manage_tmp_dirs(smbd_t) - qemu_manage_tmp_files(smbd_t) -') - -optional_policy(` - rpc_search_nfs_state_data(smbd_t) -') - -optional_policy(` - seutil_sigchld_newrole(smbd_t) -') - -optional_policy(` - udev_read_db(smbd_t) -') - -tunable_policy(`samba_create_home_dirs',` - allow smbd_t self:capability chown; - userdom_create_user_home_dirs(smbd_t) -') -userdom_home_filetrans_user_home_dir(smbd_t) - -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(smbd_t) - auth_read_all_dirs_except_shadow(smbd_t) - auth_read_all_files_except_shadow(smbd_t) - fs_read_noxattr_fs_files(nmbd_t) - auth_read_all_dirs_except_shadow(nmbd_t) - auth_read_all_files_except_shadow(nmbd_t) -') - -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(smbd_t) - auth_manage_all_files_except_shadow(smbd_t) - fs_read_noxattr_fs_files(nmbd_t) - auth_manage_all_files_except_shadow(nmbd_t) -') -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) - -######################################## -# -# nmbd Local policy -# - -dontaudit nmbd_t self:capability sys_tty_config; -allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow nmbd_t self:fd use; -allow nmbd_t self:fifo_file rw_fifo_file_perms; -allow nmbd_t self:msg { send receive }; -allow nmbd_t self:msgq create_msgq_perms; -allow nmbd_t self:sem create_sem_perms; -allow nmbd_t self:shm create_shm_perms; -allow nmbd_t self:sock_file read_sock_file_perms; -allow nmbd_t self:tcp_socket create_stream_socket_perms; -allow nmbd_t self:udp_socket create_socket_perms; -allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file }) - -read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) - -manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) -manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) - -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) - -allow nmbd_t smbcontrol_t:process signal; - -allow nmbd_t smbd_var_run_t:dir rw_dir_perms; - -kernel_getattr_core_if(nmbd_t) -kernel_getattr_message_if(nmbd_t) -kernel_read_kernel_sysctls(nmbd_t) -kernel_read_network_state(nmbd_t) -kernel_read_software_raid_state(nmbd_t) -kernel_read_system_state(nmbd_t) - -corenet_all_recvfrom_unlabeled(nmbd_t) -corenet_all_recvfrom_netlabel(nmbd_t) -corenet_tcp_sendrecv_generic_if(nmbd_t) -corenet_udp_sendrecv_generic_if(nmbd_t) -corenet_tcp_sendrecv_generic_node(nmbd_t) -corenet_udp_sendrecv_generic_node(nmbd_t) -corenet_tcp_sendrecv_all_ports(nmbd_t) -corenet_udp_sendrecv_all_ports(nmbd_t) -corenet_udp_bind_generic_node(nmbd_t) -corenet_udp_bind_nmbd_port(nmbd_t) -corenet_sendrecv_nmbd_server_packets(nmbd_t) -corenet_sendrecv_nmbd_client_packets(nmbd_t) -corenet_tcp_connect_smbd_port(nmbd_t) - -dev_read_sysfs(nmbd_t) -dev_getattr_mtrr_dev(nmbd_t) - -fs_getattr_all_fs(nmbd_t) -fs_search_auto_mountpoints(nmbd_t) - -domain_use_interactive_fds(nmbd_t) - -files_read_usr_files(nmbd_t) -files_read_etc_files(nmbd_t) -files_list_var_lib(nmbd_t) - -auth_use_nsswitch(nmbd_t) - -logging_search_logs(nmbd_t) -logging_send_syslog_msg(nmbd_t) - -miscfiles_read_localization(nmbd_t) - -userdom_use_unpriv_users_fds(nmbd_t) -userdom_dontaudit_search_user_home_dirs(nmbd_t) - -optional_policy(` - seutil_sigchld_newrole(nmbd_t) -') - -optional_policy(` - udev_read_db(nmbd_t) -') - -######################################## -# -# smbcontrol local policy -# - -# internal communication is often done using fifo and unix sockets. -allow smbcontrol_t self:fifo_file rw_file_perms; -allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; - -allow smbcontrol_t nmbd_t:process { signal signull }; -read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) - -allow smbcontrol_t smbd_t:process { signal signull }; -read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) -allow smbcontrol_t winbind_t:process { signal signull }; - -files_search_var_lib(smbcontrol_t) -samba_read_config(smbcontrol_t) -samba_rw_var_files(smbcontrol_t) -samba_search_var(smbcontrol_t) -samba_read_winbind_pid(smbcontrol_t) - -domain_use_interactive_fds(smbcontrol_t) - -files_read_etc_files(smbcontrol_t) - -miscfiles_read_localization(smbcontrol_t) - -userdom_use_user_terminals(smbcontrol_t) - -######################################## -# -# smbmount Local policy -# - -allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary? -allow smbmount_t self:process { fork signal_perms }; -allow smbmount_t self:tcp_socket create_stream_socket_perms; -allow smbmount_t self:udp_socket connect; -allow smbmount_t self:unix_dgram_socket create_socket_perms; -allow smbmount_t self:unix_stream_socket create_socket_perms; - -allow smbmount_t samba_etc_t:dir list_dir_perms; -allow smbmount_t samba_etc_t:file read_file_perms; - -can_exec(smbmount_t, smbmount_exec_t) - -allow smbmount_t samba_log_t:dir list_dir_perms; -allow smbmount_t samba_log_t:file manage_file_perms; - -allow smbmount_t samba_secrets_t:file manage_file_perms; - -manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) -files_list_var_lib(smbmount_t) - -kernel_read_system_state(smbmount_t) - -corenet_all_recvfrom_unlabeled(smbmount_t) -corenet_all_recvfrom_netlabel(smbmount_t) -corenet_tcp_sendrecv_generic_if(smbmount_t) -corenet_raw_sendrecv_generic_if(smbmount_t) -corenet_udp_sendrecv_generic_if(smbmount_t) -corenet_tcp_sendrecv_generic_node(smbmount_t) -corenet_raw_sendrecv_generic_node(smbmount_t) -corenet_udp_sendrecv_generic_node(smbmount_t) -corenet_tcp_sendrecv_all_ports(smbmount_t) -corenet_udp_sendrecv_all_ports(smbmount_t) -corenet_tcp_bind_generic_node(smbmount_t) -corenet_udp_bind_generic_node(smbmount_t) -corenet_tcp_connect_all_ports(smbmount_t) - -fs_getattr_cifs(smbmount_t) -fs_mount_cifs(smbmount_t) -fs_remount_cifs(smbmount_t) -fs_unmount_cifs(smbmount_t) -fs_list_cifs(smbmount_t) -fs_read_cifs_files(smbmount_t) - -storage_raw_read_fixed_disk(smbmount_t) -storage_raw_write_fixed_disk(smbmount_t) - -corecmd_list_bin(smbmount_t) - -files_list_mnt(smbmount_t) -files_mounton_mnt(smbmount_t) -files_manage_etc_runtime_files(smbmount_t) -files_etc_filetrans_etc_runtime(smbmount_t, file) -files_read_etc_files(smbmount_t) - -auth_use_nsswitch(smbmount_t) - -miscfiles_read_localization(smbmount_t) - -mount_use_fds(smbmount_t) - -locallogin_use_fds(smbmount_t) - -logging_search_logs(smbmount_t) - -userdom_use_user_terminals(smbmount_t) -userdom_use_all_users_fds(smbmount_t) - -optional_policy(` - cups_read_rw_config(smbmount_t) -') - -######################################## -# -# SWAT Local policy -# - -allow swat_t self:capability { dac_override setuid setgid sys_resource }; -allow swat_t self:process { setrlimit signal_perms }; -allow swat_t self:fifo_file rw_fifo_file_perms; -allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow swat_t self:tcp_socket create_stream_socket_perms; -allow swat_t self:udp_socket create_socket_perms; -allow swat_t self:unix_stream_socket connectto; - -samba_domtrans_smbd(swat_t) -allow swat_t smbd_t:process { signal signull }; - -samba_domtrans_nmbd(swat_t) -allow swat_t nmbd_t:process { signal signull }; -allow nmbd_t swat_t:process signal; - -allow swat_t nmbd_var_run_t:file read_file_perms; - -allow swat_t smbd_port_t:tcp_socket name_bind; - -allow swat_t nmbd_port_t:udp_socket name_bind; - -rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) - -manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) -manage_files_pattern(swat_t, samba_log_t, samba_log_t) - -manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) - -manage_files_pattern(swat_t, samba_var_t, samba_var_t) -files_list_var_lib(swat_t) - -allow swat_t smbd_exec_t:file mmap_file_perms ; - -allow swat_t smbd_t:process signull; - -allow swat_t smbd_var_run_t:file read_file_perms; -allow swat_t smbd_var_run_t:file { lock unlink }; - -manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) -manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) - -manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) -files_pid_filetrans(swat_t, swat_var_run_t, file) - -allow swat_t winbind_exec_t:file mmap_file_perms; -domtrans_pattern(swat_t, winbind_exec_t, winbind_t) -allow swat_t winbind_t:process { signal signull }; - -read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) -allow swat_t winbind_var_run_t:dir { write add_name remove_name }; -allow swat_t winbind_var_run_t:sock_file { create unlink }; - -kernel_read_kernel_sysctls(swat_t) -kernel_read_system_state(swat_t) -kernel_read_network_state(swat_t) - -corecmd_search_bin(swat_t) - -corenet_all_recvfrom_unlabeled(swat_t) -corenet_all_recvfrom_netlabel(swat_t) -corenet_tcp_sendrecv_generic_if(swat_t) -corenet_udp_sendrecv_generic_if(swat_t) -corenet_raw_sendrecv_generic_if(swat_t) -corenet_tcp_sendrecv_generic_node(swat_t) -corenet_udp_sendrecv_generic_node(swat_t) -corenet_raw_sendrecv_generic_node(swat_t) -corenet_tcp_sendrecv_all_ports(swat_t) -corenet_udp_sendrecv_all_ports(swat_t) -corenet_tcp_connect_smbd_port(swat_t) -corenet_tcp_connect_ipp_port(swat_t) -corenet_sendrecv_smbd_client_packets(swat_t) -corenet_sendrecv_ipp_client_packets(swat_t) - -dev_read_urand(swat_t) - -files_list_var_lib(swat_t) -files_read_etc_files(swat_t) -files_search_home(swat_t) -files_read_usr_files(swat_t) -fs_getattr_xattr_fs(swat_t) - -auth_domtrans_chk_passwd(swat_t) -auth_use_nsswitch(swat_t) - -init_read_utmp(swat_t) -init_dontaudit_write_utmp(swat_t) - -logging_send_syslog_msg(swat_t) -logging_send_audit_msgs(swat_t) -logging_search_logs(swat_t) - -miscfiles_read_localization(swat_t) - -userdom_dontaudit_search_admin_dir(swat_t) - -optional_policy(` - cups_read_rw_config(swat_t) - cups_stream_connect(swat_t) -') - -optional_policy(` - inetd_service_domain(swat_t, swat_exec_t) -') - -optional_policy(` - kerberos_use(swat_t) -') - -######################################## -# -# Winbind local policy -# - -allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; -dontaudit winbind_t self:capability sys_tty_config; -allow winbind_t self:process { signal_perms getsched setsched }; -allow winbind_t self:fifo_file rw_fifo_file_perms; -allow winbind_t self:unix_dgram_socket create_socket_perms; -allow winbind_t self:unix_stream_socket create_stream_socket_perms; -allow winbind_t self:tcp_socket create_stream_socket_perms; -allow winbind_t self:udp_socket create_socket_perms; - -allow winbind_t nmbd_t:process { signal signull }; - -allow winbind_t nmbd_var_run_t:file read_file_perms; - -allow winbind_t samba_etc_t:dir list_dir_perms; -read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(winbind_t, samba_etc_t, samba_etc_t) - -manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) -filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) - -manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) -manage_files_pattern(winbind_t, samba_log_t, samba_log_t) -manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) - -manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -manage_files_pattern(winbind_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) -files_list_var_lib(winbind_t) - -rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) - -allow winbind_t winbind_log_t:file manage_file_perms; -logging_log_filetrans(winbind_t, winbind_log_t, file) - -userdom_manage_user_tmp_dirs(winbind_t) -userdom_manage_user_tmp_files(winbind_t) -userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) - -manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(winbind_t) -kernel_read_system_state(winbind_t) - -corecmd_exec_bin(winbind_t) - -corenet_all_recvfrom_unlabeled(winbind_t) -corenet_all_recvfrom_netlabel(winbind_t) -corenet_tcp_sendrecv_generic_if(winbind_t) -corenet_udp_sendrecv_generic_if(winbind_t) -corenet_raw_sendrecv_generic_if(winbind_t) -corenet_tcp_sendrecv_generic_node(winbind_t) -corenet_udp_sendrecv_generic_node(winbind_t) -corenet_raw_sendrecv_generic_node(winbind_t) -corenet_tcp_sendrecv_all_ports(winbind_t) -corenet_udp_sendrecv_all_ports(winbind_t) -corenet_tcp_bind_generic_node(winbind_t) -corenet_udp_bind_generic_node(winbind_t) -corenet_tcp_connect_smbd_port(winbind_t) -corenet_tcp_connect_smbd_port(winbind_t) -corenet_tcp_connect_epmap_port(winbind_t) -corenet_tcp_connect_all_unreserved_ports(winbind_t) - -dev_read_sysfs(winbind_t) -dev_read_urand(winbind_t) - -fs_getattr_all_fs(winbind_t) -fs_search_auto_mountpoints(winbind_t) - -auth_domtrans_chk_passwd(winbind_t) -auth_use_nsswitch(winbind_t) -auth_manage_cache(winbind_t) - -domain_use_interactive_fds(winbind_t) - -files_read_etc_files(winbind_t) -files_read_usr_symlinks(winbind_t) - -logging_send_syslog_msg(winbind_t) - -miscfiles_read_localization(winbind_t) - -userdom_dontaudit_use_unpriv_user_fds(winbind_t) -userdom_manage_user_home_content_dirs(winbind_t) -userdom_manage_user_home_content_files(winbind_t) -userdom_manage_user_home_content_symlinks(winbind_t) -userdom_manage_user_home_content_pipes(winbind_t) -userdom_manage_user_home_content_sockets(winbind_t) -userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - kerberos_use(winbind_t) -') - -optional_policy(` - seutil_sigchld_newrole(winbind_t) -') - -optional_policy(` - udev_read_db(winbind_t) -') - -######################################## -# -# Winbind helper local policy -# - -allow winbind_helper_t self:unix_dgram_socket create_socket_perms; -allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; - -allow winbind_helper_t samba_etc_t:dir list_dir_perms; -read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) - -allow winbind_helper_t samba_var_t:dir search_dir_perms; -files_list_var_lib(winbind_helper_t) - -allow winbind_t smbcontrol_t:process signal; - -stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t) - -term_list_ptys(winbind_helper_t) - -domain_use_interactive_fds(winbind_helper_t) - -auth_use_nsswitch(winbind_helper_t) - -logging_send_syslog_msg(winbind_helper_t) - -miscfiles_read_localization(winbind_helper_t) - -userdom_use_user_terminals(winbind_helper_t) - -optional_policy(` - apache_append_log(winbind_helper_t) -') - -optional_policy(` - squid_read_log(winbind_helper_t) - squid_append_log(winbind_helper_t) - squid_rw_stream_sockets(winbind_helper_t) -') - -######################################## -# -# samba_unconfined_script_t local policy -# - -optional_policy(` - type samba_unconfined_net_t; - domain_type(samba_unconfined_net_t) - domain_entry_file(samba_unconfined_net_t, samba_net_exec_t) - role system_r types samba_unconfined_net_t; - - unconfined_domain(samba_unconfined_net_t) - - manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) - filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) - userdom_use_user_terminals(samba_unconfined_net_t) -') - - type samba_unconfined_script_t; - type samba_unconfined_script_exec_t; - domain_type(samba_unconfined_script_t) - domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) - corecmd_shell_entry_type(samba_unconfined_script_t) - role system_r types samba_unconfined_script_t; - - allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; - allow smbd_t samba_unconfined_script_exec_t:file ioctl; - -optional_policy(` - unconfined_domain(samba_unconfined_script_t) -') - - tunable_policy(`samba_run_unconfined',` - domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) -',` - can_exec(smbd_t, samba_unconfined_script_exec_t) -') diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc deleted file mode 100644 index ff0ce69..0000000 --- a/policy/modules/services/sasl.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0) - -# -# /var -# -/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if deleted file mode 100644 index c3ffa9d..0000000 --- a/policy/modules/services/sasl.if +++ /dev/null @@ -1,58 +0,0 @@ -## SASL authentication server - -######################################## -## -## Connect to SASL. -## -## -## -## Domain allowed access. -## -## -# -interface(`sasl_connect',` - gen_require(` - type saslauthd_t, saslauthd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t) -') - -######################################## -## -## All of the rules required to administrate -## an sasl environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`sasl_admin',` - gen_require(` - type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t; - type saslauthd_initrc_exec_t; - ') - - allow $1 saslauthd_t:process { ptrace signal_perms }; - ps_process_pattern($1, saslauthd_t) - - init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 saslauthd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, saslauthd_tmp_t) - - files_list_pids($1) - admin_pattern($1, saslauthd_var_run_t) -') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te deleted file mode 100644 index 87810ec..0000000 --- a/policy/modules/services/sasl.te +++ /dev/null @@ -1,114 +0,0 @@ -policy_module(sasl, 1.13.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow sasl to read shadow -##

-##
-gen_tunable(allow_saslauthd_read_shadow, false) - -type saslauthd_t; -type saslauthd_exec_t; -init_daemon_domain(saslauthd_t, saslauthd_exec_t) - -type saslauthd_initrc_exec_t; -init_script_file(saslauthd_initrc_exec_t) - -type saslauthd_tmp_t; -files_tmp_file(saslauthd_tmp_t) - -type saslauthd_var_run_t; -files_pid_file(saslauthd_var_run_t) - -######################################## -# -# Local policy -# - -allow saslauthd_t self:capability { setgid setuid }; -dontaudit saslauthd_t self:capability sys_tty_config; -allow saslauthd_t self:process signal_perms; -allow saslauthd_t self:fifo_file rw_fifo_file_perms; -allow saslauthd_t self:unix_dgram_socket create_socket_perms; -allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; -allow saslauthd_t self:tcp_socket create_socket_perms; - -allow saslauthd_t saslauthd_tmp_t:dir setattr; -manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) -files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) - -manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(saslauthd_t) -kernel_read_system_state(saslauthd_t) - -#577519 -corecmd_exec_bin(saslauthd_t) - -corenet_all_recvfrom_unlabeled(saslauthd_t) -corenet_all_recvfrom_netlabel(saslauthd_t) -corenet_tcp_sendrecv_generic_if(saslauthd_t) -corenet_tcp_sendrecv_generic_node(saslauthd_t) -corenet_tcp_sendrecv_all_ports(saslauthd_t) -corenet_tcp_connect_pop_port(saslauthd_t) -corenet_sendrecv_pop_client_packets(saslauthd_t) - -dev_read_urand(saslauthd_t) - -fs_getattr_all_fs(saslauthd_t) -fs_search_auto_mountpoints(saslauthd_t) - -selinux_compute_access_vector(saslauthd_t) - -auth_use_pam(saslauthd_t) - -domain_use_interactive_fds(saslauthd_t) - -files_read_etc_files(saslauthd_t) -files_dontaudit_read_etc_runtime_files(saslauthd_t) -files_search_var_lib(saslauthd_t) -files_dontaudit_getattr_home_dir(saslauthd_t) -files_dontaudit_getattr_tmp_dirs(saslauthd_t) - -init_dontaudit_stream_connect_script(saslauthd_t) - -logging_send_syslog_msg(saslauthd_t) - -miscfiles_read_localization(saslauthd_t) -miscfiles_read_generic_certs(saslauthd_t) - -seutil_dontaudit_read_config(saslauthd_t) - -userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) -userdom_dontaudit_search_user_home_dirs(saslauthd_t) - -# cjp: typeattribute doesnt work in conditionals -auth_can_read_shadow_passwords(saslauthd_t) -tunable_policy(`allow_saslauthd_read_shadow',` - auth_tunable_read_shadow(saslauthd_t) -') - -optional_policy(` - kerberos_keytab_template(saslauthd, saslauthd_t) -') - -optional_policy(` - mysql_search_db(saslauthd_t) - mysql_stream_connect(saslauthd_t) -') - -optional_policy(` - seutil_sigchld_newrole(saslauthd_t) -') - -optional_policy(` - udev_read_db(saslauthd_t) -') diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc deleted file mode 100644 index ef4199b..0000000 --- a/policy/modules/services/sendmail.fc +++ /dev/null @@ -1,8 +0,0 @@ - -/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) - -/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0) -/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) - -/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) -/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if deleted file mode 100644 index 5700fb8..0000000 --- a/policy/modules/services/sendmail.if +++ /dev/null @@ -1,358 +0,0 @@ -## Policy for sendmail. - -######################################## -## -## Sendmail stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_stub',` - gen_require(` - type sendmail_t; - ') -') - -######################################## -## -## Allow attempts to read and write to -## sendmail unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_rw_pipes',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Domain transition to sendmail. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sendmail_domtrans',` - gen_require(` - type sendmail_t; - ') - - mta_sendmail_domtrans($1, sendmail_t) -') - -####################################### -## -## Execute sendmail in the sendmail domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_initrc_domtrans',` - gen_require(` - type sendmail_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, sendmail_initrc_exec_t) -') - -######################################## -## -## Execute the sendmail program in the sendmail domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the sendmail domain. -## -## -## -# -interface(`sendmail_run',` - gen_require(` - type sendmail_t; - ') - - sendmail_domtrans($1) - role $2 types sendmail_t; -') - -######################################## -## -## Send generic signals to sendmail. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_signal',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:process signal; -') - -######################################## -## -## Read and write sendmail TCP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_rw_tcp_sockets',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:tcp_socket { read write }; -') - -######################################## -## -## Do not audit attempts to read and write -## sendmail TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`sendmail_dontaudit_rw_tcp_sockets',` - gen_require(` - type sendmail_t; - ') - - dontaudit $1 sendmail_t:tcp_socket { read write }; -') - -######################################## -## -## Read and write sendmail unix_stream_sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_rw_unix_stream_sockets',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:unix_stream_socket rw_socket_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## sendmail unix_stream_sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`sendmail_dontaudit_rw_unix_stream_sockets',` - gen_require(` - type sendmail_t; - ') - - dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms; -') - -######################################## -## -## Read sendmail logs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sendmail_read_log',` - gen_require(` - type sendmail_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, sendmail_log_t, sendmail_log_t) -') - -######################################## -## -## Create, read, write, and delete sendmail logs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sendmail_manage_log',` - gen_require(` - type sendmail_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, sendmail_log_t, sendmail_log_t) -') - -######################################## -## -## Create sendmail logs with the correct type. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_create_log',` - gen_require(` - type sendmail_log_t; - ') - - logging_log_filetrans($1, sendmail_log_t, file) -') - -######################################## -## -## Manage sendmail tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_manage_tmp_files',` - gen_require(` - type sendmail_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t) -') - -######################################## -## -## Execute sendmail in the unconfined sendmail domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sendmail_domtrans_unconfined',` - gen_require(` - type unconfined_sendmail_t; - ') - - mta_sendmail_domtrans($1, unconfined_sendmail_t) -') - -######################################## -## -## Execute sendmail in the unconfined sendmail domain, and -## allow the specified role the unconfined sendmail domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`sendmail_run_unconfined',` - gen_require(` - type unconfined_sendmail_t; - ') - - sendmail_domtrans_unconfined($1) - role $2 types unconfined_sendmail_t; -') - -######################################## -## -## All of the rules required to administrate -## an sendmail environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`sendmail_admin',` - gen_require(` - type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; - type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; - type mail_spool_t; - ') - - allow $1 sendmail_t:process { ptrace signal_perms }; - ps_process_pattern($1, sendmail_t) - - allow $1 unconfined_sendmail_t:process { ptrace signal_perms }; - ps_process_pattern($1, unconfined_sendmail_t) - - sendmail_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sendmail_initrc_exec_t system_r; - - logging_list_logs($1) - admin_pattern($1, sendmail_log_t) - - files_list_tmp($1) - admin_pattern($1, sendmail_tmp_t) - - files_list_pids($1) - admin_pattern($1, sendmail_var_run_t) - - files_list_spool($1) - admin_pattern($1, mail_spool_t) -') diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te deleted file mode 100644 index b6781d5..0000000 --- a/policy/modules/services/sendmail.te +++ /dev/null @@ -1,198 +0,0 @@ -policy_module(sendmail, 1.11.0) - -######################################## -# -# Declarations -# - -type sendmail_log_t; -logging_log_file(sendmail_log_t) - -type sendmail_tmp_t; -files_tmp_file(sendmail_tmp_t) - -type sendmail_var_run_t; -files_pid_file(sendmail_var_run_t) - -type sendmail_t; -mta_sendmail_mailserver(sendmail_t) -mta_mailserver_delivery(sendmail_t) -mta_mailserver_sender(sendmail_t) - -type sendmail_initrc_exec_t; -init_script_file(sendmail_initrc_exec_t) - -type unconfined_sendmail_t; -application_domain(unconfined_sendmail_t, sendmail_exec_t) -role system_r types unconfined_sendmail_t; - -######################################## -# -# Sendmail local policy -# - -allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; -allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; -allow sendmail_t self:fifo_file rw_fifo_file_perms; -allow sendmail_t self:unix_stream_socket create_stream_socket_perms; -allow sendmail_t self:unix_dgram_socket create_socket_perms; -allow sendmail_t self:tcp_socket create_stream_socket_perms; -allow sendmail_t self:udp_socket create_socket_perms; - -allow sendmail_t sendmail_log_t:dir setattr; -manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) -logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) - -manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir }) - -allow sendmail_t sendmail_var_run_t:file manage_file_perms; -files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) - -kernel_read_network_state(sendmail_t) -kernel_read_kernel_sysctls(sendmail_t) -# for piping mail to a command -kernel_read_system_state(sendmail_t) - -corenet_all_recvfrom_unlabeled(sendmail_t) -corenet_all_recvfrom_netlabel(sendmail_t) -corenet_tcp_sendrecv_generic_if(sendmail_t) -corenet_tcp_sendrecv_generic_node(sendmail_t) -corenet_tcp_sendrecv_all_ports(sendmail_t) -corenet_tcp_bind_generic_node(sendmail_t) -corenet_tcp_bind_smtp_port(sendmail_t) -corenet_tcp_connect_all_ports(sendmail_t) -corenet_sendrecv_smtp_server_packets(sendmail_t) -corenet_sendrecv_smtp_client_packets(sendmail_t) - -dev_read_urand(sendmail_t) -dev_read_sysfs(sendmail_t) - -fs_getattr_all_fs(sendmail_t) -fs_search_auto_mountpoints(sendmail_t) -fs_rw_anon_inodefs_files(sendmail_t) - -term_dontaudit_use_console(sendmail_t) -term_dontaudit_use_generic_ptys(sendmail_t) - -# for piping mail to a command -corecmd_exec_shell(sendmail_t) -corecmd_exec_bin(sendmail_t) - -domain_use_interactive_fds(sendmail_t) - -files_read_etc_files(sendmail_t) -files_read_usr_files(sendmail_t) -files_search_spool(sendmail_t) -# for piping mail to a command -files_read_etc_runtime_files(sendmail_t) -files_read_all_tmp_files(sendmail_t) - -init_use_fds(sendmail_t) -init_use_script_ptys(sendmail_t) -# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console -init_read_utmp(sendmail_t) -init_dontaudit_write_utmp(sendmail_t) -init_rw_script_tmp_files(sendmail_t) - -auth_use_nsswitch(sendmail_t) - -# Read /usr/lib/sasl2/.* -libs_read_lib_files(sendmail_t) - -logging_send_syslog_msg(sendmail_t) -logging_dontaudit_write_generic_logs(sendmail_t) - -miscfiles_read_generic_certs(sendmail_t) -miscfiles_read_localization(sendmail_t) - -userdom_dontaudit_use_unpriv_user_fds(sendmail_t) -userdom_read_user_home_content_files(sendmail_t) - -mta_read_config(sendmail_t) -mta_etc_filetrans_aliases(sendmail_t) -# Write to /etc/aliases and /etc/mail. -mta_manage_aliases(sendmail_t) -# Write to /var/spool/mail and /var/spool/mqueue. -mta_manage_queue(sendmail_t) -mta_manage_spool(sendmail_t) -mta_sendmail_exec(sendmail_t) - -optional_policy(` - cron_read_pipes(sendmail_t) -') - -optional_policy(` - clamav_search_lib(sendmail_t) - clamav_stream_connect(sendmail_t) -') - -optional_policy(` - cyrus_stream_connect(sendmail_t) -') - -optional_policy(` - exim_domtrans(sendmail_t) -') - -optional_policy(` - fail2ban_read_lib_files(sendmail_t) - fail2ban_rw_stream_sockets(sendmail_t) -') - -optional_policy(` - kerberos_keytab_template(sendmail, sendmail_t) -') - -optional_policy(` - milter_stream_connect_all(sendmail_t) -') - -optional_policy(` - munin_dontaudit_search_lib(sendmail_t) -') - -optional_policy(` - postfix_domtrans_postdrop(sendmail_t) - postfix_domtrans_master(sendmail_t) - postfix_domtrans_postqueue(sendmail_t) - postfix_read_config(sendmail_t) - postfix_search_spool(sendmail_t) -') - -optional_policy(` - procmail_domtrans(sendmail_t) - procmail_rw_tmp_files(sendmail_t) -') - -optional_policy(` - seutil_sigchld_newrole(sendmail_t) -') - -optional_policy(` - sasl_connect(sendmail_t) -') - -optional_policy(` - spamd_stream_connect(sendmail_t) -') - -optional_policy(` - udev_read_db(sendmail_t) -') - -optional_policy(` - uucp_domtrans_uux(sendmail_t) -') - -######################################## -# -# Unconfined sendmail local policy -# Allow unconfined domain to run newalias and have transitions work -# - -optional_policy(` - mta_etc_filetrans_aliases(unconfined_sendmail_t) - unconfined_domain_noaudit(unconfined_sendmail_t) -') diff --git a/policy/modules/services/setroubleshoot.fc b/policy/modules/services/setroubleshoot.fc deleted file mode 100644 index 397a522..0000000 --- a/policy/modules/services/setroubleshoot.fc +++ /dev/null @@ -1,9 +0,0 @@ -/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) - -/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) - -/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) - -/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) - -/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if deleted file mode 100644 index d9f5dbc..0000000 --- a/policy/modules/services/setroubleshoot.if +++ /dev/null @@ -1,154 +0,0 @@ -## SELinux troubleshooting service - -######################################## -## -## Connect to setroubleshootd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`setroubleshoot_stream_connect',` - gen_require(` - type setroubleshootd_t, setroubleshoot_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t) - allow $1 setroubleshoot_var_run_t:sock_file read; -') - -######################################## -## -## Dontaudit attempts to connect to setroubleshootd -## over an unix stream socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`setroubleshoot_dontaudit_stream_connect',` - gen_require(` - type setroubleshootd_t, setroubleshoot_var_run_t; - ') - - dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms; - dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; -') - -######################################## -## -## Send and receive messages from -## setroubleshoot over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`setroubleshoot_dbus_chat',` - gen_require(` - type setroubleshootd_t; - class dbus send_msg; - ') - - allow $1 setroubleshootd_t:dbus send_msg; - allow setroubleshootd_t $1:dbus send_msg; -') - -######################################## -## -## Do not audit send and receive messages from -## setroubleshoot over dbus. -## -## -## -## Domain to not audit. -## -## -# -interface(`setroubleshoot_dontaudit_dbus_chat',` - gen_require(` - type setroubleshootd_t; - class dbus send_msg; - ') - - dontaudit $1 setroubleshootd_t:dbus send_msg; - dontaudit setroubleshootd_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## setroubleshoot over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`setroubleshoot_dbus_chat_fixit',` - gen_require(` - type setroubleshoot_fixit_t; - class dbus send_msg; - ') - - allow $1 setroubleshoot_fixit_t:dbus send_msg; - allow setroubleshoot_fixit_t $1:dbus send_msg; -') - -######################################## -## -## Dontaudit read/write to a setroubleshoot leaked sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`setroubleshoot_fixit_dontaudit_leaks',` - gen_require(` - type setroubleshoot_fixit_t; - ') - - dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write }; - dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write }; -') - -######################################## -## -## All of the rules required to administrate -## an setroubleshoot environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`setroubleshoot_admin',` - gen_require(` - type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t; - type setroubleshoot_var_lib_t; - ') - - allow $1 setroubleshootd_t:process { ptrace signal_perms }; - ps_process_pattern($1, setroubleshootd_t) - - logging_list_logs($1) - admin_pattern($1, setroubleshoot_var_log_t) - - files_list_var_lib($1) - admin_pattern($1, setroubleshoot_var_lib_t) - - files_list_pids($1) - admin_pattern($1, setroubleshoot_var_run_t) -') diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te deleted file mode 100644 index 679558c..0000000 --- a/policy/modules/services/setroubleshoot.te +++ /dev/null @@ -1,194 +0,0 @@ -policy_module(setroubleshoot, 1.11.0) - -######################################## -# -# Declarations -# - -type setroubleshootd_t alias setroubleshoot_t; -type setroubleshootd_exec_t; -domain_type(setroubleshootd_t) -init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) - -type setroubleshoot_fixit_t; -type setroubleshoot_fixit_exec_t; -dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) - -type setroubleshoot_var_lib_t; -files_type(setroubleshoot_var_lib_t) - -# log files -type setroubleshoot_var_log_t; -logging_log_file(setroubleshoot_var_log_t) - -# pid files -type setroubleshoot_var_run_t; -files_pid_file(setroubleshoot_var_run_t) - -######################################## -# -# setroubleshootd local policy -# - -allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; -# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run -allow setroubleshootd_t self:process { execmem execstack }; -allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; -allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; -allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; - -# database files -allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; -manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) -files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir }) - -# log files -allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr; -manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) -manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) -logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) - -# pid file -manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir }) - -kernel_read_kernel_sysctls(setroubleshootd_t) -kernel_read_system_state(setroubleshootd_t) -kernel_read_net_sysctls(setroubleshootd_t) -kernel_read_network_state(setroubleshootd_t) -kernel_dontaudit_list_all_proc(setroubleshootd_t) -kernel_read_unlabeled_state(setroubleshootd_t) - -corecmd_exec_bin(setroubleshootd_t) -corecmd_exec_shell(setroubleshootd_t) - -corenet_all_recvfrom_unlabeled(setroubleshootd_t) -corenet_all_recvfrom_netlabel(setroubleshootd_t) -corenet_tcp_sendrecv_generic_if(setroubleshootd_t) -corenet_tcp_sendrecv_generic_node(setroubleshootd_t) -corenet_tcp_sendrecv_all_ports(setroubleshootd_t) -corenet_tcp_bind_generic_node(setroubleshootd_t) -corenet_tcp_connect_smtp_port(setroubleshootd_t) -corenet_sendrecv_smtp_client_packets(setroubleshootd_t) - -dev_read_urand(setroubleshootd_t) -dev_read_sysfs(setroubleshootd_t) -dev_getattr_all_blk_files(setroubleshootd_t) -dev_getattr_all_chr_files(setroubleshootd_t) - -domain_dontaudit_search_all_domains_state(setroubleshootd_t) -domain_signull_all_domains(setroubleshootd_t) - -files_read_usr_files(setroubleshootd_t) -files_read_etc_files(setroubleshootd_t) -files_list_all(setroubleshootd_t) -files_getattr_all_files(setroubleshootd_t) -files_getattr_all_pipes(setroubleshootd_t) -files_getattr_all_sockets(setroubleshootd_t) -files_read_all_symlinks(setroubleshootd_t) - -fs_getattr_all_dirs(setroubleshootd_t) -fs_getattr_all_files(setroubleshootd_t) -fs_read_fusefs_symlinks(setroubleshootd_t) -fs_list_inotifyfs(setroubleshootd_t) -fs_dontaudit_read_nfs_files(setroubleshootd_t) -fs_dontaudit_read_cifs_files(setroubleshootd_t) - -selinux_get_enforce_mode(setroubleshootd_t) -selinux_validate_context(setroubleshootd_t) - -term_dontaudit_use_all_ptys(setroubleshootd_t) -term_dontaudit_use_all_ttys(setroubleshootd_t) - -auth_use_nsswitch(setroubleshootd_t) - -init_read_utmp(setroubleshootd_t) -init_dontaudit_write_utmp(setroubleshootd_t) - -miscfiles_read_localization(setroubleshootd_t) - -locallogin_dontaudit_use_fds(setroubleshootd_t) - -logging_send_audit_msgs(setroubleshootd_t) -logging_send_syslog_msg(setroubleshootd_t) -logging_stream_connect_dispatcher(setroubleshootd_t) - -modutils_read_module_config(setroubleshootd_t) - -seutil_read_config(setroubleshootd_t) -seutil_read_file_contexts(setroubleshootd_t) -seutil_read_bin_policy(setroubleshootd_t) - -userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) - -optional_policy(` - locate_read_lib_files(setroubleshootd_t) -') - -optional_policy(` - dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) -') - -optional_policy(` - rpm_signull(setroubleshootd_t) - rpm_read_db(setroubleshootd_t) - rpm_dontaudit_manage_db(setroubleshootd_t) - rpm_use_script_fds(setroubleshootd_t) -') - -######################################## -# -# setroubleshoot_fixit local policy -# - -allow setroubleshoot_fixit_t self:capability sys_nice; -allow setroubleshoot_fixit_t self:process { setsched getsched }; -allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; -allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; - -allow setroubleshoot_fixit_t setroubleshootd_t:process signull; - -setroubleshoot_dbus_chat(setroubleshoot_fixit_t) -setroubleshoot_stream_connect(setroubleshoot_fixit_t) - -kernel_read_system_state(setroubleshoot_fixit_t) - -corecmd_exec_bin(setroubleshoot_fixit_t) -corecmd_exec_shell(setroubleshoot_fixit_t) - -seutil_domtrans_setfiles(setroubleshoot_fixit_t) -seutil_domtrans_setsebool(setroubleshoot_fixit_t) - -files_read_usr_files(setroubleshoot_fixit_t) -files_read_etc_files(setroubleshoot_fixit_t) -files_list_tmp(setroubleshoot_fixit_t) - -auth_use_nsswitch(setroubleshoot_fixit_t) - -logging_send_audit_msgs(setroubleshoot_fixit_t) -logging_send_syslog_msg(setroubleshoot_fixit_t) - -miscfiles_read_localization(setroubleshoot_fixit_t) - -userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) -userdom_signull_unpriv_users(setroubleshoot_fixit_t) - -optional_policy(` - gnome_dontaudit_search_config(setroubleshoot_fixit_t) -') - -optional_policy(` - rpm_signull(setroubleshoot_fixit_t) - rpm_read_db(setroubleshoot_fixit_t) - rpm_dontaudit_manage_db(setroubleshoot_fixit_t) - rpm_use_script_fds(setroubleshoot_fixit_t) -') - -optional_policy(` - policykit_dbus_chat(setroubleshoot_fixit_t) - userdom_read_all_users_state(setroubleshoot_fixit_t) -') diff --git a/policy/modules/services/slrnpull.fc b/policy/modules/services/slrnpull.fc deleted file mode 100644 index 1714ce0..0000000 --- a/policy/modules/services/slrnpull.fc +++ /dev/null @@ -1,10 +0,0 @@ -# -# /usr -# - -/usr/bin/slrnpull -- gen_context(system_u:object_r:slrnpull_exec_t,s0) - -# -# /var -# -/var/spool/slrnpull(/.*)? gen_context(system_u:object_r:slrnpull_spool_t,s0) diff --git a/policy/modules/services/slrnpull.if b/policy/modules/services/slrnpull.if deleted file mode 100644 index d7e8289..0000000 --- a/policy/modules/services/slrnpull.if +++ /dev/null @@ -1,42 +0,0 @@ -## Service for downloading news feeds the slrn newsreader. - -######################################## -## -## Allow the domain to search slrnpull spools. -## -## -## -## Domain allowed access. -## -## -# -interface(`slrnpull_search_spool',` - gen_require(` - type slrnpull_spool_t; - ') - - files_search_spool($1) - allow $1 slrnpull_spool_t:dir search_dir_perms; -') - -######################################## -## -## Allow the domain to create, read, -## write, and delete slrnpull spools. -## -## -## -## Domain allowed access. -## -## -# -interface(`slrnpull_manage_spool',` - gen_require(` - type slrnpull_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t) - manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t) - manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t) -') diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te deleted file mode 100644 index e5e72fd..0000000 --- a/policy/modules/services/slrnpull.te +++ /dev/null @@ -1,70 +0,0 @@ -policy_module(slrnpull, 1.4.0) - -######################################## -# -# Declarations -# - -type slrnpull_t; -type slrnpull_exec_t; -init_daemon_domain(slrnpull_t, slrnpull_exec_t) - -type slrnpull_var_run_t; -files_pid_file(slrnpull_var_run_t) - -type slrnpull_spool_t; -files_type(slrnpull_spool_t) - -type slrnpull_log_t; -logging_log_file(slrnpull_log_t) - -######################################## -# -# Local policy -# - -dontaudit slrnpull_t self:capability sys_tty_config; -allow slrnpull_t self:process signal_perms; - -allow slrnpull_t slrnpull_log_t:file manage_file_perms; -logging_log_filetrans(slrnpull_t, slrnpull_log_t, file) - -manage_dirs_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) -manage_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) -manage_lnk_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) -files_search_spool(slrnpull_t) - -manage_files_pattern(slrnpull_t, slrnpull_var_run_t, slrnpull_var_run_t) -files_pid_filetrans(slrnpull_t, slrnpull_var_run_t, file) - -kernel_list_proc(slrnpull_t) -kernel_read_kernel_sysctls(slrnpull_t) -kernel_read_proc_symlinks(slrnpull_t) - -dev_read_sysfs(slrnpull_t) - -domain_use_interactive_fds(slrnpull_t) - -files_read_etc_files(slrnpull_t) - -fs_getattr_all_fs(slrnpull_t) -fs_search_auto_mountpoints(slrnpull_t) - -logging_send_syslog_msg(slrnpull_t) - -miscfiles_read_localization(slrnpull_t) - -userdom_dontaudit_use_unpriv_user_fds(slrnpull_t) -userdom_dontaudit_search_user_home_dirs(slrnpull_t) - -optional_policy(` - cron_system_entry(slrnpull_t, slrnpull_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(slrnpull_t) -') - -optional_policy(` - udev_read_db(slrnpull_t) -') diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc deleted file mode 100644 index 268ae3d..0000000 --- a/policy/modules/services/smartmon.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0) - -# -# /var -# -/var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) - diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if deleted file mode 100644 index d5b2d93..0000000 --- a/policy/modules/services/smartmon.if +++ /dev/null @@ -1,58 +0,0 @@ -## Smart disk monitoring daemon policy - -####################################### -## -## Allow caller to read smartmon temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smartmon_read_tmp_files',` - gen_require(` - type fsdaemon_tmp_t; - ') - - files_search_tmp($1) - allow $1 fsdaemon_tmp_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an smartmon environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`smartmon_admin',` - gen_require(` - type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t; - type fsdaemon_initrc_exec_t; - ') - - allow $1 fsdaemon_t:process { ptrace signal_perms }; - ps_process_pattern($1, fsdaemon_t) - - init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fsdaemon_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, fsdaemon_tmp_t) - - files_list_pids($1) - admin_pattern($1, fsdaemon_var_run_t) -') diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te deleted file mode 100644 index 6f49778..0000000 --- a/policy/modules/services/smartmon.te +++ /dev/null @@ -1,123 +0,0 @@ -policy_module(smartmon, 1.10.0) - -######################################## -# -# Declarations -# - -## -##

-## Enable additional permissions needed to support -## devices on 3ware controllers. -##

-##
-gen_tunable(smartmon_3ware, false) - -type fsdaemon_t; -type fsdaemon_exec_t; -init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) - -type fsdaemon_initrc_exec_t; -init_script_file(fsdaemon_initrc_exec_t) - -type fsdaemon_var_run_t; -files_pid_file(fsdaemon_var_run_t) - -type fsdaemon_tmp_t; -files_tmp_file(fsdaemon_tmp_t) - -ifdef(`enable_mls',` - init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) -') - -######################################## -# -# Local policy -# - -allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin }; -dontaudit fsdaemon_t self:capability sys_tty_config; -allow fsdaemon_t self:process { getcap setcap signal_perms }; -allow fsdaemon_t self:fifo_file rw_fifo_file_perms; -allow fsdaemon_t self:unix_dgram_socket create_socket_perms; -allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; -allow fsdaemon_t self:udp_socket create_socket_perms; -allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms; - -manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) -manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) -files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir }) - -manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) -files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) - -kernel_read_kernel_sysctls(fsdaemon_t) -kernel_read_software_raid_state(fsdaemon_t) -kernel_read_system_state(fsdaemon_t) - -corecmd_exec_all_executables(fsdaemon_t) - -corenet_all_recvfrom_unlabeled(fsdaemon_t) -corenet_all_recvfrom_netlabel(fsdaemon_t) -corenet_udp_sendrecv_generic_if(fsdaemon_t) -corenet_udp_sendrecv_generic_node(fsdaemon_t) -corenet_udp_sendrecv_all_ports(fsdaemon_t) - -dev_read_sysfs(fsdaemon_t) -dev_read_urand(fsdaemon_t) - -domain_use_interactive_fds(fsdaemon_t) - -files_exec_etc_files(fsdaemon_t) -files_read_etc_runtime_files(fsdaemon_t) -# for config -files_read_etc_files(fsdaemon_t) -files_read_usr_files(fsdaemon_t) - -fs_getattr_all_fs(fsdaemon_t) -fs_search_auto_mountpoints(fsdaemon_t) - -mls_file_read_all_levels(fsdaemon_t) -#mls_rangetrans_target(fsdaemon_t) - -storage_raw_read_fixed_disk(fsdaemon_t) -storage_raw_write_fixed_disk(fsdaemon_t) -storage_raw_read_removable_device(fsdaemon_t) -storage_read_scsi_generic(fsdaemon_t) -storage_write_scsi_generic(fsdaemon_t) - -term_dontaudit_search_ptys(fsdaemon_t) - -libs_exec_ld_so(fsdaemon_t) -libs_exec_lib_files(fsdaemon_t) - -logging_send_syslog_msg(fsdaemon_t) - -miscfiles_read_localization(fsdaemon_t) - -seutil_sigchld_newrole(fsdaemon_t) - -sysnet_dns_name_resolve(fsdaemon_t) - -userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) -userdom_dontaudit_search_user_home_dirs(fsdaemon_t) - -tunable_policy(`smartmon_3ware',` - allow fsdaemon_t self:process setfscreate; - - storage_create_fixed_disk_dev(fsdaemon_t) - storage_delete_fixed_disk_dev(fsdaemon_t) - storage_dev_filetrans_fixed_disk(fsdaemon_t) - - selinux_validate_context(fsdaemon_t) - - seutil_read_file_contexts(fsdaemon_t) -') - -optional_policy(` - mta_send_mail(fsdaemon_t) -') - -optional_policy(` - udev_read_db(fsdaemon_t) -') diff --git a/policy/modules/services/smokeping.fc b/policy/modules/services/smokeping.fc deleted file mode 100644 index 9ff2d99..0000000 --- a/policy/modules/services/smokeping.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0) - -/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0) - -/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0) - -/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0) - -/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0) diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if deleted file mode 100644 index 8265278..0000000 --- a/policy/modules/services/smokeping.if +++ /dev/null @@ -1,167 +0,0 @@ -## Smokeping network latency measurement. - -######################################## -## -## Execute a domain transition to run smokeping. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`smokeping_domtrans',` - gen_require(` - type smokeping_t, smokeping_exec_t; - ') - - domtrans_pattern($1, smokeping_exec_t, smokeping_t) -') - -######################################## -## -## Execute smokeping server in the smokeping domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`smokeping_initrc_domtrans',` - gen_require(` - type smokeping_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, smokeping_initrc_exec_t) -') - -######################################## -## -## Read smokeping PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smokeping_read_pid_files',` - gen_require(` - type smokeping_var_run_t; - ') - - files_search_pids($1) - allow $1 smokeping_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage smokeping PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smokeping_manage_pid_files',` - gen_require(` - type smokeping_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t) -') - -######################################## -## -## Get attributes of smokeping lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smokeping_getattr_lib_files',` - gen_require(` - type smokeping_var_lib_t; - ') - - getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Read smokeping lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smokeping_read_lib_files',` - gen_require(` - type smokeping_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) -') - -######################################## -## -## Manage smokeping lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smokeping_manage_lib_files',` - gen_require(` - type smokeping_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## a smokeping environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`smokeping_admin',` - gen_require(` - type smokeping_t, smokeping_initrc_exec_t; - ') - - allow $1 smokeping_t:process { ptrace signal_perms }; - ps_process_pattern($1, smokeping_t) - - smokeping_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 smokeping_initrc_exec_t system_r; - allow $2 system_r; - - smokeping_manage_pid_files($1) - - smokeping_manage_lib_files($1) -') diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te deleted file mode 100644 index 247beaf..0000000 --- a/policy/modules/services/smokeping.te +++ /dev/null @@ -1,77 +0,0 @@ -policy_module(smokeping, 1.0.0) - -######################################## -# -# Declarations -# - -type smokeping_t; -type smokeping_exec_t; -init_daemon_domain(smokeping_t, smokeping_exec_t) - -type smokeping_initrc_exec_t; -init_script_file(smokeping_initrc_exec_t) - -type smokeping_var_run_t; -files_pid_file(smokeping_var_run_t) - -type smokeping_var_lib_t; -files_type(smokeping_var_lib_t) - -######################################## -# -# smokeping local policy -# - -dontaudit smokeping_t self:capability { dac_read_search dac_override }; -allow smokeping_t self:fifo_file rw_fifo_file_perms; -allow smokeping_t self:udp_socket create_socket_perms; -allow smokeping_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) -manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) -files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir }) - -manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) -manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) -files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } ) - -corecmd_read_bin_symlinks(smokeping_t) - -dev_read_urand(smokeping_t) - -files_read_etc_files(smokeping_t) -files_read_usr_files(smokeping_t) -files_search_tmp(smokeping_t) - -auth_use_nsswitch(smokeping_t) -auth_dontaudit_read_shadow(smokeping_t) - -logging_send_syslog_msg(smokeping_t) - -miscfiles_read_localization(smokeping_t) - -mta_send_mail(smokeping_t) - -netutils_domtrans_ping(smokeping_t) - -####################################### -# -# local policy for smokeping cgi scripts -# - -optional_policy(` - apache_content_template(smokeping_cgi) - - allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms; - - manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - - getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) - - files_search_tmp(httpd_smokeping_cgi_script_t) - files_search_var_lib(httpd_smokeping_cgi_script_t) - - sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) -') diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc deleted file mode 100644 index ac10740..0000000 --- a/policy/modules/services/snmp.fc +++ /dev/null @@ -1,24 +0,0 @@ -/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/snmp(trap)?d -- gen_context(system_u:object_r:snmpd_exec_t,s0) - -/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -# -# /var -# -/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) -/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) - -/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) -/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if deleted file mode 100644 index bfdf197..0000000 --- a/policy/modules/services/snmp.if +++ /dev/null @@ -1,148 +0,0 @@ -## Simple network management protocol services - -######################################## -## -## Connect to snmpd using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`snmp_stream_connect',` - gen_require(` - type snmpd_t, snmpd_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) -') - -######################################## -## -## Use snmp over a TCP connection. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`snmp_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Send and receive UDP traffic to SNMP (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`snmp_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read snmpd libraries. -## -## -## -## Domain allowed access. -## -## -# -interface(`snmp_read_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 snmpd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -') - -######################################## -## -## dontaudit Read snmpd libraries. -## -## -## -## Domain to not audit. -## -## -# -interface(`snmp_dontaudit_read_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; - dontaudit $1 snmpd_var_lib_t:file read_file_perms; - dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## dontaudit write snmpd libraries files. -## -## -## -## Domain to not audit. -## -## -# -interface(`snmp_dontaudit_write_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - dontaudit $1 snmpd_var_lib_t:file write; -') - -######################################## -## -## All of the rules required to administrate -## an snmp environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the snmp domain. -## -## -## -# -interface(`snmp_admin',` - gen_require(` - type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t; - type snmpd_var_lib_t, snmpd_var_run_t; - ') - - allow $1 snmpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, snmpd_t) - - init_labeled_script_domtrans($1, snmpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 snmpd_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, snmpd_log_t) - - files_list_var_lib($1) - admin_pattern($1, snmpd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, snmpd_var_run_t) -') diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te deleted file mode 100644 index 0927db4..0000000 --- a/policy/modules/services/snmp.te +++ /dev/null @@ -1,176 +0,0 @@ -policy_module(snmp, 1.11.0) - -######################################## -# -# Declarations -# - -type snmpd_t; -type snmpd_exec_t; -init_daemon_domain(snmpd_t, snmpd_exec_t) - -type snmpd_initrc_exec_t; -init_script_file(snmpd_initrc_exec_t) - -type snmpd_log_t; -logging_log_file(snmpd_log_t) - -type snmpd_var_run_t; -files_pid_file(snmpd_var_run_t) - -type snmpd_var_lib_t; -files_type(snmpd_var_lib_t) - -######################################## -# -# Local policy -# - -allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; -dontaudit snmpd_t self:capability { sys_module sys_tty_config }; -allow snmpd_t self:process { signal_perms getsched setsched }; -allow snmpd_t self:fifo_file rw_fifo_file_perms; -allow snmpd_t self:unix_dgram_socket create_socket_perms; -allow snmpd_t self:unix_stream_socket create_stream_socket_perms; -allow snmpd_t self:tcp_socket create_stream_socket_perms; -allow snmpd_t self:udp_socket connected_stream_socket_perms; - -allow snmpd_t snmpd_log_t:file manage_file_perms; -logging_log_filetrans(snmpd_t, snmpd_log_t, file) - -manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) -manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) -manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) -files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) -files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) -files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) - -manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) -manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) -files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir }) - -kernel_read_device_sysctls(snmpd_t) -kernel_read_kernel_sysctls(snmpd_t) -kernel_read_fs_sysctls(snmpd_t) -kernel_read_net_sysctls(snmpd_t) -kernel_read_proc_symlinks(snmpd_t) -kernel_read_system_state(snmpd_t) -kernel_read_network_state(snmpd_t) - -corecmd_exec_bin(snmpd_t) -corecmd_exec_shell(snmpd_t) - -corenet_all_recvfrom_unlabeled(snmpd_t) -corenet_all_recvfrom_netlabel(snmpd_t) -corenet_tcp_sendrecv_generic_if(snmpd_t) -corenet_udp_sendrecv_generic_if(snmpd_t) -corenet_tcp_sendrecv_generic_node(snmpd_t) -corenet_udp_sendrecv_generic_node(snmpd_t) -corenet_tcp_sendrecv_all_ports(snmpd_t) -corenet_udp_sendrecv_all_ports(snmpd_t) -corenet_tcp_bind_generic_node(snmpd_t) -corenet_udp_bind_generic_node(snmpd_t) -corenet_tcp_bind_snmp_port(snmpd_t) -corenet_udp_bind_snmp_port(snmpd_t) -corenet_sendrecv_snmp_server_packets(snmpd_t) -corenet_tcp_connect_agentx_port(snmpd_t) -corenet_tcp_bind_agentx_port(snmpd_t) -corenet_udp_bind_agentx_port(snmpd_t) - -dev_list_sysfs(snmpd_t) -dev_read_sysfs(snmpd_t) -dev_read_urand(snmpd_t) -dev_read_rand(snmpd_t) -dev_getattr_usbfs_dirs(snmpd_t) - -domain_use_interactive_fds(snmpd_t) -domain_signull_all_domains(snmpd_t) -domain_read_all_domains_state(snmpd_t) -domain_dontaudit_ptrace_all_domains(snmpd_t) -domain_exec_all_entry_files(snmpd_t) - -files_read_etc_files(snmpd_t) -files_read_usr_files(snmpd_t) -files_read_etc_runtime_files(snmpd_t) -files_search_home(snmpd_t) - -fs_getattr_all_dirs(snmpd_t) -fs_getattr_all_fs(snmpd_t) -fs_search_auto_mountpoints(snmpd_t) - -storage_dontaudit_read_fixed_disk(snmpd_t) -storage_dontaudit_read_removable_device(snmpd_t) -storage_dontaudit_write_removable_device(snmpd_t) - -auth_use_nsswitch(snmpd_t) -auth_read_all_dirs_except_shadow(snmpd_t) - -init_read_utmp(snmpd_t) -init_dontaudit_write_utmp(snmpd_t) - -logging_send_syslog_msg(snmpd_t) - -miscfiles_read_localization(snmpd_t) - -seutil_dontaudit_search_config(snmpd_t) - -sysnet_read_config(snmpd_t) - -userdom_dontaudit_use_unpriv_user_fds(snmpd_t) -userdom_dontaudit_search_user_home_dirs(snmpd_t) - -ifdef(`distro_redhat',` - optional_policy(` - rpm_read_db(snmpd_t) - rpm_dontaudit_manage_db(snmpd_t) - ') -') - -optional_policy(` - amanda_dontaudit_read_dumpdates(snmpd_t) -') - -optional_policy(` - consoletype_exec(snmpd_t) -') - -optional_policy(` - cups_read_rw_config(snmpd_t) -') - -optional_policy(` - mta_read_config(snmpd_t) - mta_search_queue(snmpd_t) -') - -optional_policy(` - rpc_search_nfs_state_data(snmpd_t) -') - -optional_policy(` - sendmail_read_log(snmpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(snmpd_t) -') - -optional_policy(` - squid_read_config(snmpd_t) -') - -optional_policy(` - udev_read_db(snmpd_t) -') - -optional_policy(` - virt_stream_connect(snmpd_t) -') - -optional_policy(` - kernel_read_xen_state(snmpd_t) - kernel_write_xen_state(snmpd_t) - - xen_stream_connect(snmpd_t) - xen_stream_connect_xenstore(snmpd_t) -') diff --git a/policy/modules/services/snort.fc b/policy/modules/services/snort.fc deleted file mode 100644 index 7bedd2f..0000000 --- a/policy/modules/services/snort.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0) -/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) - -/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) -/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) - -/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) - -/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if deleted file mode 100644 index 88ebedb..0000000 --- a/policy/modules/services/snort.if +++ /dev/null @@ -1,60 +0,0 @@ -## Snort network intrusion detection system - -######################################## -## -## Execute a domain transition to run snort. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`snort_domtrans',` - gen_require(` - type snort_t, snort_exec_t; - ') - - domtrans_pattern($1, snort_exec_t, snort_t) -') - -######################################## -## -## All of the rules required to administrate -## an snort environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the snort domain. -## -## -## -# -interface(`snort_admin',` - gen_require(` - type snort_t, snort_var_run_t, snort_log_t; - type snort_etc_t, snort_initrc_exec_t; - ') - - allow $1 snort_t:process { ptrace signal_perms }; - ps_process_pattern($1, snort_t) - - init_labeled_script_domtrans($1, snort_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 snort_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, snort_etc_t) - files_list_etc($1) - - admin_pattern($1, snort_log_t) - logging_list_logs($1) - - admin_pattern($1, snort_var_run_t) - files_list_pids($1) -') diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te deleted file mode 100644 index 012723c..0000000 --- a/policy/modules/services/snort.te +++ /dev/null @@ -1,117 +0,0 @@ -policy_module(snort, 1.9.1) - -######################################## -# -# Declarations -# - -type snort_t; -type snort_exec_t; -init_daemon_domain(snort_t, snort_exec_t) - -type snort_etc_t; -files_config_file(snort_etc_t) - -type snort_initrc_exec_t; -init_script_file(snort_initrc_exec_t) - -type snort_log_t; -logging_log_file(snort_log_t) - -type snort_tmp_t; -files_tmp_file(snort_tmp_t) - -type snort_var_run_t; -files_pid_file(snort_var_run_t) - -######################################## -# -# Local policy -# - -allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; -dontaudit snort_t self:capability sys_tty_config; -allow snort_t self:process signal_perms; -allow snort_t self:netlink_route_socket create_netlink_socket_perms; -allow snort_t self:tcp_socket create_stream_socket_perms; -allow snort_t self:udp_socket create_socket_perms; -allow snort_t self:packet_socket create_socket_perms; -allow snort_t self:socket create_socket_perms; -# Snort IPS node. unverified. -allow snort_t self:netlink_firewall_socket create_socket_perms; - -allow snort_t snort_etc_t:dir list_dir_perms; -allow snort_t snort_etc_t:file read_file_perms; -allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; - -manage_files_pattern(snort_t, snort_log_t, snort_log_t) -create_dirs_pattern(snort_t, snort_log_t, snort_log_t) -logging_log_filetrans(snort_t, snort_log_t, { file dir }) - -manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) -manage_files_pattern(snort_t, snort_tmp_t, snort_tmp_t) -files_tmp_filetrans(snort_t, snort_tmp_t, { file dir }) - -manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t) -files_pid_filetrans(snort_t, snort_var_run_t, file) - -kernel_read_kernel_sysctls(snort_t) -kernel_read_sysctl(snort_t) -kernel_list_proc(snort_t) -kernel_read_proc_symlinks(snort_t) -kernel_request_load_module(snort_t) -kernel_dontaudit_read_system_state(snort_t) -kernel_read_network_state(snort_t) - -corenet_all_recvfrom_unlabeled(snort_t) -corenet_all_recvfrom_netlabel(snort_t) -corenet_tcp_sendrecv_generic_if(snort_t) -corenet_udp_sendrecv_generic_if(snort_t) -corenet_raw_sendrecv_generic_if(snort_t) -corenet_tcp_sendrecv_generic_node(snort_t) -corenet_udp_sendrecv_generic_node(snort_t) -corenet_raw_sendrecv_generic_node(snort_t) -corenet_tcp_sendrecv_all_ports(snort_t) -corenet_udp_sendrecv_all_ports(snort_t) -corenet_tcp_connect_prelude_port(snort_t) - -dev_read_sysfs(snort_t) -dev_read_rand(snort_t) -dev_read_urand(snort_t) -dev_read_usbmon_dev(snort_t) -# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon -# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect? -dev_rw_generic_usb_dev(snort_t) - -domain_use_interactive_fds(snort_t) - -files_read_etc_files(snort_t) -files_dontaudit_read_etc_runtime_files(snort_t) - -fs_getattr_all_fs(snort_t) -fs_search_auto_mountpoints(snort_t) - -init_read_utmp(snort_t) - -logging_send_syslog_msg(snort_t) - -miscfiles_read_localization(snort_t) - -sysnet_read_config(snort_t) -# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager -sysnet_dns_name_resolve(snort_t) - -userdom_dontaudit_use_unpriv_user_fds(snort_t) -userdom_dontaudit_search_user_home_dirs(snort_t) - -optional_policy(` - prelude_manage_spool(snort_t) -') - -optional_policy(` - seutil_sigchld_newrole(snort_t) -') - -optional_policy(` - udev_read_db(snort_t) -') diff --git a/policy/modules/services/soundserver.fc b/policy/modules/services/soundserver.fc deleted file mode 100644 index d89b2cb..0000000 --- a/policy/modules/services/soundserver.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) -/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0) -/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) - -/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0) -/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0) - -/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) - -/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0) -/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) - -/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if deleted file mode 100644 index 4a15633..0000000 --- a/policy/modules/services/soundserver.if +++ /dev/null @@ -1,56 +0,0 @@ -## sound server for network audio server programs, nasd, yiff, etc - -######################################## -## -## Connect to the sound server over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`soundserver_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an soundd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the soundd domain. -## -## -## -# -interface(`soundserver_admin',` - gen_require(` - type soundd_t, soundd_etc_t, soundd_initrc_exec_t; - type soundd_tmp_t, soundd_var_run_t; - ') - - allow $1 soundd_t:process { ptrace signal_perms }; - ps_process_pattern($1, soundd_t) - - init_labeled_script_domtrans($1, soundd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 soundd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, soundd_etc_t) - - files_list_tmp($1) - admin_pattern($1, soundd_tmp_t) - - files_list_pids($1) - admin_pattern($1, soundd_var_run_t) -') diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te deleted file mode 100644 index 3217605..0000000 --- a/policy/modules/services/soundserver.te +++ /dev/null @@ -1,114 +0,0 @@ -policy_module(soundserver, 1.8.0) - -######################################## -# -# Declarations -# - -type soundd_t; -type soundd_exec_t; -init_daemon_domain(soundd_t, soundd_exec_t) - -type soundd_etc_t alias etc_soundd_t; -files_config_file(soundd_etc_t) - -type soundd_initrc_exec_t; -init_script_file(soundd_initrc_exec_t) - -type soundd_state_t; -files_type(soundd_state_t) - -type soundd_tmp_t; -files_tmp_file(soundd_tmp_t) - -# for yiff - probably need some rules for the client support too -type soundd_tmpfs_t; -files_tmpfs_file(soundd_tmpfs_t) - -type soundd_var_run_t; -files_pid_file(soundd_var_run_t) - -######################################## -# -# Declarations -# - -allow soundd_t self:capability dac_override; -dontaudit soundd_t self:capability sys_tty_config; -allow soundd_t self:process { setpgid signal_perms }; -allow soundd_t self:tcp_socket create_stream_socket_perms; -allow soundd_t self:udp_socket create_socket_perms; -allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms }; - -# for yiff -allow soundd_t self:shm create_shm_perms; - -read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) -read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) - -manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t) -manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t) - -manage_dirs_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t) -manage_files_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t) -files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir }) - -manage_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -manage_lnk_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) -manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) -manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) -files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(soundd_t) -kernel_list_proc(soundd_t) -kernel_read_proc_symlinks(soundd_t) - -corenet_all_recvfrom_unlabeled(soundd_t) -corenet_all_recvfrom_netlabel(soundd_t) -corenet_tcp_sendrecv_generic_if(soundd_t) -corenet_udp_sendrecv_generic_if(soundd_t) -corenet_tcp_sendrecv_generic_node(soundd_t) -corenet_udp_sendrecv_generic_node(soundd_t) -corenet_tcp_sendrecv_all_ports(soundd_t) -corenet_udp_sendrecv_all_ports(soundd_t) -corenet_tcp_bind_generic_node(soundd_t) -corenet_tcp_bind_soundd_port(soundd_t) -corenet_sendrecv_soundd_server_packets(soundd_t) - -dev_read_sysfs(soundd_t) -dev_read_sound(soundd_t) -dev_write_sound(soundd_t) - -domain_use_interactive_fds(soundd_t) - -files_read_etc_files(soundd_t) -files_read_etc_runtime_files(soundd_t) - -fs_getattr_all_fs(soundd_t) -fs_search_auto_mountpoints(soundd_t) - -logging_send_syslog_msg(soundd_t) - -miscfiles_read_localization(soundd_t) - -sysnet_read_config(soundd_t) - -userdom_dontaudit_use_unpriv_user_fds(soundd_t) -userdom_dontaudit_search_user_home_dirs(soundd_t) - -optional_policy(` - alsa_domtrans(soundd_t) -') - -optional_policy(` - seutil_sigchld_newrole(soundd_t) -') - -optional_policy(` - udev_read_db(soundd_t) -') diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc deleted file mode 100644 index 540981f..0000000 --- a/policy/modules/services/spamassassin.fc +++ /dev/null @@ -1,26 +0,0 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) -/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) - -/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) - -/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) - -/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) -/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) - -/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) -/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) - -/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) -/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) - -/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) - -/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if deleted file mode 100644 index 7f57f22..0000000 --- a/policy/modules/services/spamassassin.if +++ /dev/null @@ -1,341 +0,0 @@ -## Filter used for removing unsolicited email. - -######################################## -## -## Role access for spamassassin -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -interface(`spamassassin_role',` - gen_require(` - type spamc_t, spamc_exec_t, spamc_tmp_t; - type spamassassin_t, spamassassin_exec_t; - type spamassassin_home_t, spamassassin_tmp_t; - ') - - role $1 types { spamc_t spamassassin_t }; - - domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) - - allow $2 spamassassin_t:process { ptrace signal_perms }; - ps_process_pattern($2, spamassassin_t) - - domtrans_pattern($2, spamc_exec_t, spamc_t) - - allow $2 spamc_t:process { ptrace signal_perms }; - ps_process_pattern($2, spamc_t) - - manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) - manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t) - manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) - relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) - relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t) - relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) -') - -######################################## -## -## Execute the standalone spamassassin -## program in the caller directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_exec',` - gen_require(` - type spamassassin_exec_t; - ') - - can_exec($1, spamassassin_exec_t) -') - -######################################## -## -## Singnal the spam assassin daemon -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_signal_spamd',` - gen_require(` - type spamd_t; - ') - - allow $1 spamd_t:process signal; -') - -######################################## -## -## Execute the spamassassin daemon -## program in the caller directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_exec_spamd',` - gen_require(` - type spamd_exec_t; - ') - - can_exec($1, spamd_exec_t) -') - -######################################## -## -## Execute spamassassin client in the spamassassin client domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`spamassassin_domtrans_client',` - gen_require(` - type spamc_t, spamc_exec_t; - ') - - domtrans_pattern($1, spamc_exec_t, spamc_t) - allow $1 spamc_exec_t:file ioctl; -') - -######################################## -## -## Send kill signal to spamassassin client -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_kill_client',` - gen_require(` - type spamc_t; - ') - - allow $1 spamc_t:process sigkill; -') - -######################################## -## -## Manage spamc home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_manage_home_client',` - gen_require(` - type spamc_home_t; - ') - - userdom_search_user_home_dirs($1) - manage_dirs_pattern($1, spamc_home_t, spamc_home_t) - manage_files_pattern($1, spamc_home_t, spamc_home_t) - manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t) -') - -######################################## -## -## Execute the spamassassin client -## program in the caller directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_exec_client',` - gen_require(` - type spamc_exec_t; - ') - - can_exec($1, spamc_exec_t) -') - -######################################## -## -## Execute spamassassin standalone client in the user spamassassin domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`spamassassin_domtrans_local_client',` - gen_require(` - type spamassassin_t, spamassassin_exec_t; - ') - - domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) -') - -######################################## -## -## read spamd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_read_lib_files',` - gen_require(` - type spamd_var_lib_t; - ') - - files_search_var_lib($1) - list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t) - read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) - read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## spamd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_manage_lib_files',` - gen_require(` - type spamd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) -') - -######################################## -## -## Read temporary spamd file. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_read_spamd_tmp_files',` - gen_require(` - type spamd_tmp_t; - ') - - files_search_tmp($1) - allow $1 spamd_tmp_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to get attributes of temporary -## spamd sockets/ -## -## -## -## Domain to not audit. -## -## -# -interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` - gen_require(` - type spamd_tmp_t; - ') - - dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; -') - -######################################## -## -## Connect to run spamd. -## -## -## -## Domain allowed to connect. -## -## -# -interface(`spamd_stream_connect',` - gen_require(` - type spamd_t, spamd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) -') - -######################################## -## -## All of the rules required to administrate -## an spamassassin environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the spamassassin domain. -## -## -## -# -interface(`spamassassin_spamd_admin',` - gen_require(` - type spamd_t, spamd_tmp_t, spamd_log_t; - type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; - type spamd_initrc_exec_t; - ') - - allow $1 spamd_t:process { ptrace signal_perms }; - ps_process_pattern($1, spamd_t) - - init_labeled_script_domtrans($1, spamd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 spamd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, spamd_tmp_t) - - logging_list_logs($1) - admin_pattern($1, spamd_log_t) - - files_list_spool($1) - admin_pattern($1, spamd_spool_t) - - files_list_var_lib($1) - admin_pattern($1, spamd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, spamd_var_run_t) -') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te deleted file mode 100644 index 56e4c2e..0000000 --- a/policy/modules/services/spamassassin.te +++ /dev/null @@ -1,546 +0,0 @@ -policy_module(spamassassin, 2.3.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow user spamassassin clients to use the network. -##

-##
-gen_tunable(spamassassin_can_network, false) - -## -##

-## Allow spamd to read/write user home directories. -##

-##
-gen_tunable(spamd_enable_home_dirs, true) - -ifdef(`distro_redhat',` - # spamassassin client executable - type spamc_t; - type spamc_exec_t; - application_domain(spamc_t, spamc_exec_t) - role system_r types spamc_t; - - type spamd_etc_t; - files_config_file(spamd_etc_t) - - typealias spamc_exec_t alias spamassassin_exec_t; - typealias spamc_t alias spamassassin_t; - - type spamc_home_t; - userdom_user_home_content(spamc_home_t) - typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; - typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; - typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; - typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; - - type spamc_tmp_t; - files_tmp_file(spamc_tmp_t) - typealias spamc_tmp_t alias spamassassin_tmp_t; - typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; - typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; - - typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; - typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -',` - type spamassassin_t; - type spamassassin_exec_t; - typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; - typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; - application_domain(spamassassin_t, spamassassin_exec_t) - ubac_constrained(spamassassin_t) - - type spamassassin_home_t; - typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; - typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; - userdom_user_home_content(spamassassin_home_t) - - type spamassassin_tmp_t; - typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; - typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; - files_tmp_file(spamassassin_tmp_t) - ubac_constrained(spamassassin_tmp_t) - - type spamc_t; - type spamc_exec_t; - typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; - typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; - application_domain(spamc_t, spamc_exec_t) - ubac_constrained(spamc_t) - - type spamc_tmp_t; - typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; - typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; - files_tmp_file(spamc_tmp_t) - ubac_constrained(spamc_tmp_t) -') - -type spamd_t; -type spamd_exec_t; -init_daemon_domain(spamd_t, spamd_exec_t) - -type spamd_compiled_t; -files_type(spamd_compiled_t) - -type spamd_initrc_exec_t; -init_script_file(spamd_initrc_exec_t) - -type spamd_log_t; -logging_log_file(spamd_log_t) - -type spamd_spool_t; -files_type(spamd_spool_t) - -type spamd_tmp_t; -files_tmp_file(spamd_tmp_t) - -# var/lib files -type spamd_var_lib_t; -files_type(spamd_var_lib_t) - -type spamd_var_run_t; -files_pid_file(spamd_var_run_t) - -############################## -# -# Standalone program local policy -# - -allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow spamassassin_t self:fd use; -allow spamassassin_t self:fifo_file rw_fifo_file_perms; -allow spamassassin_t self:sock_file read_sock_file_perms; -allow spamassassin_t self:unix_dgram_socket create_socket_perms; -allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; -allow spamassassin_t self:unix_dgram_socket sendto; -allow spamassassin_t self:unix_stream_socket connectto; -allow spamassassin_t self:shm create_shm_perms; -allow spamassassin_t self:sem create_sem_perms; -allow spamassassin_t self:msgq create_msgq_perms; -allow spamassassin_t self:msg { send receive }; - -manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) -manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) -files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir }) - -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(spamassassin_t) - -dev_read_urand(spamassassin_t) - -fs_search_auto_mountpoints(spamassassin_t) -fs_getattr_all_fs(spamassassin_t) - -# this should probably be removed -corecmd_list_bin(spamassassin_t) -corecmd_read_bin_symlinks(spamassassin_t) -corecmd_read_bin_files(spamassassin_t) -corecmd_read_bin_pipes(spamassassin_t) -corecmd_read_bin_sockets(spamassassin_t) - -domain_use_interactive_fds(spamassassin_t) - -files_read_etc_files(spamassassin_t) -files_read_etc_runtime_files(spamassassin_t) -files_list_home(spamassassin_t) -files_read_usr_files(spamassassin_t) -files_dontaudit_search_var(spamassassin_t) - -logging_send_syslog_msg(spamassassin_t) - -miscfiles_read_localization(spamassassin_t) - -# cjp: this could probably be removed -seutil_read_config(spamassassin_t) - -sysnet_dns_name_resolve(spamassassin_t) - -# set tunable if you have spamassassin do DNS lookups -tunable_policy(`spamassassin_can_network',` - allow spamassassin_t self:tcp_socket create_stream_socket_perms; - allow spamassassin_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(spamassassin_t) - corenet_all_recvfrom_netlabel(spamassassin_t) - corenet_tcp_sendrecv_generic_if(spamassassin_t) - corenet_udp_sendrecv_generic_if(spamassassin_t) - corenet_tcp_sendrecv_generic_node(spamassassin_t) - corenet_udp_sendrecv_generic_node(spamassassin_t) - corenet_tcp_sendrecv_all_ports(spamassassin_t) - corenet_udp_sendrecv_all_ports(spamassassin_t) - corenet_tcp_connect_all_ports(spamassassin_t) - corenet_sendrecv_all_client_packets(spamassassin_t) - corenet_udp_bind_generic_node(spamassassin_t) - corenet_udp_bind_generic_port(spamassassin_t) - corenet_dontaudit_udp_bind_all_ports(spamassassin_t) - - sysnet_read_config(spamassassin_t) -') - -tunable_policy(`spamd_enable_home_dirs',` - userdom_manage_user_home_content_dirs(spamd_t) - userdom_manage_user_home_content_files(spamd_t) - userdom_manage_user_home_content_symlinks(spamd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamassassin_t) - fs_manage_nfs_files(spamassassin_t) - fs_manage_nfs_symlinks(spamassassin_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamassassin_t) - fs_manage_cifs_files(spamassassin_t) - fs_manage_cifs_symlinks(spamassassin_t) -') - -optional_policy(` - # Write pid file and socket in ~/.evolution/cache/tmp - evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) -') - -optional_policy(` - tunable_policy(`spamassassin_can_network && allow_ypbind',` - nis_use_ypbind_uncond(spamassassin_t) - ') -') - -optional_policy(` - mta_read_config(spamassassin_t) - sendmail_stub(spamassassin_t) - sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t) - sendmail_dontaudit_rw_tcp_sockets(spamassassin_t) -') - -######################################## -# -# Client local policy -# - -allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow spamc_t self:fd use; -allow spamc_t self:fifo_file rw_fifo_file_perms; -allow spamc_t self:sock_file read_sock_file_perms; -allow spamc_t self:shm create_shm_perms; -allow spamc_t self:sem create_sem_perms; -allow spamc_t self:msgq create_msgq_perms; -allow spamc_t self:msg { send receive }; -allow spamc_t self:unix_dgram_socket create_socket_perms; -allow spamc_t self:unix_stream_socket create_stream_socket_perms; -allow spamc_t self:unix_dgram_socket sendto; -allow spamc_t self:unix_stream_socket connectto; -allow spamc_t self:tcp_socket create_stream_socket_perms; -allow spamc_t self:udp_socket create_socket_perms; - -can_exec(spamc_t, spamc_exec_t) - -manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) -manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) -files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) - -manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) -manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) -userdom_append_user_home_content_files(spamc_t) - -list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) -read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) - -# Allow connecting to a local spamd -allow spamc_t spamd_t:unix_stream_socket connectto; -allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; -spamd_stream_connect(spamc_t) - -kernel_read_kernel_sysctls(spamc_t) -kernel_read_system_state(spamc_t) - -corenet_all_recvfrom_unlabeled(spamc_t) -corenet_all_recvfrom_netlabel(spamc_t) -corenet_tcp_sendrecv_generic_if(spamc_t) -corenet_udp_sendrecv_generic_if(spamc_t) -corenet_tcp_sendrecv_generic_node(spamc_t) -corenet_udp_sendrecv_generic_node(spamc_t) -corenet_tcp_sendrecv_all_ports(spamc_t) -corenet_udp_sendrecv_all_ports(spamc_t) -corenet_tcp_connect_all_ports(spamc_t) -corenet_sendrecv_all_client_packets(spamc_t) -corenet_tcp_connect_spamd_port(spamc_t) - -fs_search_auto_mountpoints(spamc_t) - -# cjp: these should probably be removed: -corecmd_list_bin(spamc_t) -corecmd_read_bin_symlinks(spamc_t) -corecmd_read_bin_files(spamc_t) -corecmd_read_bin_pipes(spamc_t) -corecmd_read_bin_sockets(spamc_t) - -domain_use_interactive_fds(spamc_t) - -files_read_etc_files(spamc_t) -files_read_etc_runtime_files(spamc_t) -files_read_usr_files(spamc_t) -files_dontaudit_search_var(spamc_t) -# cjp: this may be removable: -files_list_home(spamc_t) -files_list_var_lib(spamc_t) - -fs_search_auto_mountpoints(spamc_t) - -logging_send_syslog_msg(spamc_t) - -auth_use_nsswitch(spamc_t) - -miscfiles_read_localization(spamc_t) - -# cjp: this should probably be removed: -seutil_read_config(spamc_t) - -sysnet_read_config(spamc_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamc_t) - fs_manage_nfs_files(spamc_t) - fs_manage_nfs_symlinks(spamc_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamc_t) - fs_manage_cifs_files(spamc_t) - fs_manage_cifs_symlinks(spamc_t) -') - -optional_policy(` - # Allow connection to spamd socket above - evolution_stream_connect(spamc_t) -') - -optional_policy(` - milter_manage_spamass_state(spamc_t) -') - -optional_policy(` - postfix_domtrans_postdrop(spamc_t) - postfix_search_spool(spamc_t) - postfix_rw_local_pipes(spamc_t) -') - -optional_policy(` - mta_send_mail(spamc_t) - mta_read_config(spamc_t) - mta_read_queue(spamc_t) - sendmail_stub(spamc_t) - sendmail_rw_pipes(spamc_t) - sendmail_dontaudit_rw_tcp_sockets(spamc_t) -') - -######################################## -# -# Server local policy -# - -# Spamassassin, when run as root and using per-user config files, -# setuids to the user running spamc. Comment this if you are not -# using this ability. - -allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; -dontaudit spamd_t self:capability sys_tty_config; -allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow spamd_t self:fd use; -allow spamd_t self:fifo_file rw_fifo_file_perms; -allow spamd_t self:sock_file read_sock_file_perms; -allow spamd_t self:shm create_shm_perms; -allow spamd_t self:sem create_sem_perms; -allow spamd_t self:msgq create_msgq_perms; -allow spamd_t self:msg { send receive }; -allow spamd_t self:unix_dgram_socket create_socket_perms; -allow spamd_t self:unix_stream_socket create_stream_socket_perms; -allow spamd_t self:unix_dgram_socket sendto; -allow spamd_t self:unix_stream_socket connectto; -allow spamd_t self:tcp_socket create_stream_socket_perms; -allow spamd_t self:udp_socket create_socket_perms; - -can_exec(spamd_t, spamd_compiled_t) -manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) -manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) - -manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) -logging_log_filetrans(spamd_t, spamd_log_t, file) - -manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) - -manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) - -# var/lib files for spamd -allow spamd_t spamd_var_lib_t:dir list_dir_perms; -manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - -manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) - -can_exec(spamd_t, spamd_exec_t) - -kernel_read_all_sysctls(spamd_t) -kernel_read_system_state(spamd_t) - -corenet_all_recvfrom_unlabeled(spamd_t) -corenet_all_recvfrom_netlabel(spamd_t) -corenet_tcp_sendrecv_generic_if(spamd_t) -corenet_udp_sendrecv_generic_if(spamd_t) -corenet_tcp_sendrecv_generic_node(spamd_t) -corenet_udp_sendrecv_generic_node(spamd_t) -corenet_tcp_sendrecv_all_ports(spamd_t) -corenet_udp_sendrecv_all_ports(spamd_t) -corenet_tcp_bind_generic_node(spamd_t) -corenet_tcp_bind_spamd_port(spamd_t) -corenet_tcp_connect_razor_port(spamd_t) -corenet_tcp_connect_smtp_port(spamd_t) -corenet_sendrecv_razor_client_packets(spamd_t) -corenet_sendrecv_spamd_server_packets(spamd_t) -# spamassassin 3.1 needs this for its -# DnsResolver.pm module which binds to -# random ports >= 1024. -corenet_udp_bind_generic_node(spamd_t) -corenet_udp_bind_generic_port(spamd_t) -corenet_udp_bind_imaze_port(spamd_t) -corenet_dontaudit_udp_bind_all_ports(spamd_t) -corenet_sendrecv_imaze_server_packets(spamd_t) -corenet_sendrecv_generic_server_packets(spamd_t) - -dev_read_sysfs(spamd_t) -dev_read_urand(spamd_t) - -fs_getattr_all_fs(spamd_t) -fs_search_auto_mountpoints(spamd_t) - -auth_dontaudit_read_shadow(spamd_t) - -corecmd_exec_bin(spamd_t) - -domain_use_interactive_fds(spamd_t) - -files_read_usr_files(spamd_t) -files_read_etc_files(spamd_t) -files_read_etc_runtime_files(spamd_t) -# /var/lib/spamassin -files_read_var_lib_files(spamd_t) - -init_dontaudit_rw_utmp(spamd_t) - -auth_use_nsswitch(spamd_t) - -logging_send_syslog_msg(spamd_t) - -miscfiles_read_localization(spamd_t) - -userdom_use_unpriv_users_fds(spamd_t) -userdom_search_user_home_dirs(spamd_t) - -optional_policy(` - exim_manage_spool_dirs(spamd_t) - exim_manage_spool_files(spamd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamd_t) - fs_manage_nfs_files(spamd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamd_t) - fs_manage_cifs_files(spamd_t) -') - -optional_policy(` - amavis_manage_lib_files(spamd_t) -') - -optional_policy(` - cron_system_entry(spamd_t, spamd_exec_t) -') - -optional_policy(` - daemontools_service_domain(spamd_t, spamd_exec_t) -') - -optional_policy(` - dcc_domtrans_cdcc(spamd_t) - dcc_domtrans_client(spamd_t) - dcc_signal_client(spamd_t) - dcc_stream_connect_dccifd(spamd_t) -') - -optional_policy(` - milter_manage_spamass_state(spamd_t) -') - -optional_policy(` - mysql_tcp_connect(spamd_t) - mysql_search_db(spamd_t) - mysql_stream_connect(spamd_t) -') - -optional_policy(` - postfix_read_config(spamd_t) -') - -optional_policy(` - postgresql_tcp_connect(spamd_t) - postgresql_stream_connect(spamd_t) -') - -optional_policy(` - pyzor_domtrans(spamd_t) - pyzor_signal(spamd_t) -') - -optional_policy(` - razor_domtrans(spamd_t) - razor_read_lib_files(spamd_t) - tunable_policy(`spamd_enable_home_dirs',` - razor_manage_user_home_files(spamd_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(spamd_t) -') - -optional_policy(` - sendmail_stub(spamd_t) - mta_read_config(spamd_t) -') - -optional_policy(` - udev_read_db(spamd_t) -') diff --git a/policy/modules/services/speedtouch.fc b/policy/modules/services/speedtouch.fc deleted file mode 100644 index 9760d15..0000000 --- a/policy/modules/services/speedtouch.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0) - diff --git a/policy/modules/services/speedtouch.if b/policy/modules/services/speedtouch.if deleted file mode 100644 index 826e2db..0000000 --- a/policy/modules/services/speedtouch.if +++ /dev/null @@ -1 +0,0 @@ -## Alcatel speedtouch USB ADSL modem diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te deleted file mode 100644 index ade10f5..0000000 --- a/policy/modules/services/speedtouch.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(speedtouch, 1.4.0) - -####################################### -# -# Rules for the speedmgmt_t domain. -# - -type speedmgmt_t; -type speedmgmt_exec_t; -init_daemon_domain(speedmgmt_t, speedmgmt_exec_t) - -type speedmgmt_tmp_t; -files_tmp_file(speedmgmt_tmp_t) - -type speedmgmt_var_run_t; -files_pid_file(speedmgmt_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit speedmgmt_t self:capability sys_tty_config; -allow speedmgmt_t self:process signal_perms; - -manage_dirs_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t) -manage_files_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t) -files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir }) - -manage_files_pattern(speedmgmt_t, speedmgmt_var_run_t, speedmgmt_var_run_t) -files_pid_filetrans(speedmgmt_t, speedmgmt_var_run_t, file) - -kernel_read_kernel_sysctls(speedmgmt_t) -kernel_list_proc(speedmgmt_t) -kernel_read_proc_symlinks(speedmgmt_t) - -dev_read_sysfs(speedmgmt_t) -dev_read_usbfs(speedmgmt_t) - -domain_use_interactive_fds(speedmgmt_t) - -files_read_etc_files(speedmgmt_t) -files_read_usr_files(speedmgmt_t) - -fs_getattr_all_fs(speedmgmt_t) -fs_search_auto_mountpoints(speedmgmt_t) - -logging_send_syslog_msg(speedmgmt_t) - -miscfiles_read_localization(speedmgmt_t) - -userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t) -userdom_dontaudit_search_user_home_dirs(speedmgmt_t) - -optional_policy(` - seutil_sigchld_newrole(speedmgmt_t) -') - -optional_policy(` - udev_read_db(speedmgmt_t) -') diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc deleted file mode 100644 index 6cc4a90..0000000 --- a/policy/modules/services/squid.fc +++ /dev/null @@ -1,14 +0,0 @@ -/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) -/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) -/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) -/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) -/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - -/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) -/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) -/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) -/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if deleted file mode 100644 index 1d0c078..0000000 --- a/policy/modules/services/squid.if +++ /dev/null @@ -1,231 +0,0 @@ -## Squid caching http proxy server - -######################################## -## -## Execute squid in the squid domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`squid_domtrans',` - gen_require(` - type squid_t, squid_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, squid_exec_t, squid_t) -') - -######################################## -## -## Execute squid -## -## -## -## Domain allowed access. -## -## -# -interface(`squid_exec',` - gen_require(` - type squid_exec_t; - ') - - can_exec($1, squid_exec_t) -') - -######################################## -## -## Send generic signals to squid. -## -## -## -## Domain allowed access. -## -## -# -interface(`squid_signal',` - gen_require(` - type squid_t; - ') - - allow $1 squid_t:process signal; -') - -######################################## -## -## Allow read and write squid -## unix domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`squid_rw_stream_sockets',` - gen_require(` - type squid_t; - ') - - allow $1 squid_t:unix_stream_socket rw_socket_perms; -') - -######################################## -## -## Do not audit attempts to search squid cache dirs -## -## -## -## Domain to not audit. -## -## -# -interface(`squid_dontaudit_search_cache',` - gen_require(` - type squid_cache_t; - ') - - dontaudit $1 squid_cache_t:dir search_dir_perms; -') - -######################################## -## -## Read squid configuration file. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`squid_read_config',` - gen_require(` - type squid_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, squid_conf_t, squid_conf_t) -') - -######################################## -## -## Append squid logs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`squid_read_log',` - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, squid_log_t, squid_log_t) -') - -######################################## -## -## Append squid logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`squid_append_log',` - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, squid_log_t, squid_log_t) -') - -######################################## -## -## Create, read, write, and delete -## squid logs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`squid_manage_logs',` - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, squid_log_t, squid_log_t) -') - -######################################## -## -## Use squid services by connecting over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`squid_use',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an squid environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the squid domain. -## -## -## -# -interface(`squid_admin',` - gen_require(` - type squid_t, squid_cache_t, squid_conf_t; - type squid_log_t, squid_var_run_t, squid_initrc_exec_t; - ') - - allow $1 squid_t:process { ptrace signal_perms }; - ps_process_pattern($1, squid_t) - - init_labeled_script_domtrans($1, squid_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 squid_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var($1) - admin_pattern($1, squid_cache_t) - - files_list_etc($1) - admin_pattern($1, squid_conf_t) - - logging_list_logs($1) - admin_pattern($1, squid_log_t) - - files_list_pids($1) - admin_pattern($1, squid_var_run_t) -') diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te deleted file mode 100644 index 744b172..0000000 --- a/policy/modules/services/squid.te +++ /dev/null @@ -1,208 +0,0 @@ -policy_module(squid, 1.10.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow squid to connect to all ports, not just -## HTTP, FTP, and Gopher ports. -##

-##
-gen_tunable(squid_connect_any, false) - -## -##

-## Allow squid to run as a transparent proxy (TPROXY) -##

-##
-gen_tunable(squid_use_tproxy, false) - -type squid_t; -type squid_exec_t; -init_daemon_domain(squid_t, squid_exec_t) - -# type for /var/cache/squid -type squid_cache_t; -files_type(squid_cache_t) - -type squid_conf_t; -files_type(squid_conf_t) - -type squid_initrc_exec_t; -init_script_file(squid_initrc_exec_t) - -type squid_log_t; -logging_log_file(squid_log_t) - -type squid_tmpfs_t; -files_tmpfs_file(squid_tmpfs_t) - -type squid_var_run_t; -files_pid_file(squid_var_run_t) - -######################################## -# -# Local policy -# - -allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; -dontaudit squid_t self:capability sys_tty_config; -allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; -allow squid_t self:fifo_file rw_fifo_file_perms; -allow squid_t self:sock_file read_sock_file_perms; -allow squid_t self:fd use; -allow squid_t self:shm create_shm_perms; -allow squid_t self:sem create_sem_perms; -allow squid_t self:msgq create_msgq_perms; -allow squid_t self:msg { send receive }; -allow squid_t self:unix_stream_socket create_stream_socket_perms; -allow squid_t self:unix_dgram_socket create_socket_perms; -allow squid_t self:unix_dgram_socket sendto; -allow squid_t self:unix_stream_socket connectto; -allow squid_t self:tcp_socket create_stream_socket_perms; -allow squid_t self:udp_socket create_socket_perms; - -# Grant permissions to create, access, and delete cache files. -manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) -manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) -manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) - -allow squid_t squid_conf_t:dir list_dir_perms; -read_files_pattern(squid_t, squid_conf_t, squid_conf_t) -read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t) - -can_exec(squid_t, squid_exec_t) - -manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) -manage_files_pattern(squid_t, squid_log_t, squid_log_t) -manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) -logging_log_filetrans(squid_t, squid_log_t, { file dir }) - -#squid requires the following when run in diskd mode, the recommended setting -manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) -fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) - -manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) -files_pid_filetrans(squid_t, squid_var_run_t, file) - -kernel_read_kernel_sysctls(squid_t) -kernel_read_system_state(squid_t) - -files_dontaudit_getattr_boot_dirs(squid_t) - -corenet_all_recvfrom_unlabeled(squid_t) -corenet_all_recvfrom_netlabel(squid_t) -corenet_tcp_sendrecv_generic_if(squid_t) -corenet_udp_sendrecv_generic_if(squid_t) -corenet_tcp_sendrecv_generic_node(squid_t) -corenet_udp_sendrecv_generic_node(squid_t) -corenet_tcp_sendrecv_all_ports(squid_t) -corenet_udp_sendrecv_all_ports(squid_t) -corenet_tcp_bind_generic_node(squid_t) -corenet_udp_bind_generic_node(squid_t) -corenet_tcp_bind_http_port(squid_t) -corenet_tcp_bind_http_cache_port(squid_t) -corenet_udp_bind_http_cache_port(squid_t) -corenet_tcp_bind_ftp_port(squid_t) -corenet_tcp_bind_gopher_port(squid_t) -corenet_udp_bind_gopher_port(squid_t) -corenet_tcp_bind_squid_port(squid_t) -corenet_udp_bind_squid_port(squid_t) -corenet_udp_bind_wccp_port(squid_t) -corenet_tcp_connect_ftp_port(squid_t) -corenet_tcp_connect_gopher_port(squid_t) -corenet_tcp_connect_http_port(squid_t) -corenet_tcp_connect_http_cache_port(squid_t) -corenet_tcp_connect_pgpkeyserver_port(squid_t) -corenet_sendrecv_ftp_client_packets(squid_t) -corenet_sendrecv_gopher_client_packets(squid_t) -corenet_sendrecv_http_client_packets(squid_t) -corenet_sendrecv_http_server_packets(squid_t) -corenet_sendrecv_http_cache_server_packets(squid_t) -corenet_sendrecv_http_cache_client_packets(squid_t) -corenet_sendrecv_pgpkeyserver_client_packets(squid_t) -corenet_sendrecv_squid_client_packets(squid_t) -corenet_sendrecv_squid_server_packets(squid_t) -corenet_sendrecv_wccp_server_packets(squid_t) - -dev_read_sysfs(squid_t) -dev_read_urand(squid_t) - -fs_getattr_all_fs(squid_t) -fs_search_auto_mountpoints(squid_t) -fs_list_inotifyfs(squid_t) - -selinux_dontaudit_getattr_dir(squid_t) - -term_dontaudit_getattr_pty_dirs(squid_t) - -# to allow running programs from /usr/lib/squid (IE unlinkd) -corecmd_exec_bin(squid_t) -corecmd_exec_shell(squid_t) - -domain_use_interactive_fds(squid_t) - -files_read_etc_files(squid_t) -files_read_etc_runtime_files(squid_t) -files_read_usr_files(squid_t) -files_search_spool(squid_t) -files_dontaudit_getattr_tmp_dirs(squid_t) -files_getattr_home_dir(squid_t) - -auth_use_nsswitch(squid_t) -auth_domtrans_chk_passwd(squid_t) - -# to allow running programs from /usr/lib/squid (IE unlinkd) -libs_exec_lib_files(squid_t) - -logging_send_syslog_msg(squid_t) - -miscfiles_read_generic_certs(squid_t) -miscfiles_read_localization(squid_t) - -userdom_use_unpriv_users_fds(squid_t) -userdom_dontaudit_search_user_home_dirs(squid_t) - -tunable_policy(`squid_connect_any',` - corenet_tcp_connect_all_ports(squid_t) - corenet_tcp_bind_all_ports(squid_t) - corenet_sendrecv_all_packets(squid_t) -') - -tunable_policy(`squid_use_tproxy',` - allow squid_t self:capability net_admin; - corenet_tcp_bind_netport_port(squid_t) -') - -optional_policy(` - apache_content_template(squid) - - allow httpd_squid_script_t self:tcp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_squid_script_t) - corenet_all_recvfrom_netlabel(httpd_squid_script_t) - corenet_tcp_connect_http_cache_port(httpd_squid_script_t) - - sysnet_dns_name_resolve(httpd_squid_script_t) - - squid_read_config(httpd_squid_script_t) -') - -optional_policy(` - cron_system_entry(squid_t, squid_exec_t) -') - -optional_policy(` - samba_domtrans_winbind_helper(squid_t) -') - -optional_policy(` - seutil_sigchld_newrole(squid_t) -') - -optional_policy(` - udev_read_db(squid_t) -') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc deleted file mode 100644 index 06da5f7..0000000 --- a/policy/modules/services/ssh.fc +++ /dev/null @@ -1,25 +0,0 @@ -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) - -/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) - -/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) - -/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) -/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) -/etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0) -/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0) - -/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) -/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) -/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) - -/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) - -/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) - -/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) -/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) - -/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if deleted file mode 100644 index 784c363..0000000 --- a/policy/modules/services/ssh.if +++ /dev/null @@ -1,781 +0,0 @@ -## Secure shell client and server policy. - -####################################### -## -## Basic SSH client template. -## -## -##

-## This template creates a derived domains which are used -## for ssh client sessions. A derived -## type is also created to protect the user ssh keys. -##

-##

-## This template was added for NX. -##

-##
-## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the domain. -## -## -## -## -## The role associated with the user domain. -## -## -# -template(`ssh_basic_client_template',` - gen_require(` - attribute ssh_server; - type ssh_exec_t, sshd_key_t, sshd_tmp_t; - type ssh_home_t; - ') - - ############################## - # - # Declarations - # - - type $1_ssh_t; - application_domain($1_ssh_t, ssh_exec_t) - role $3 types $1_ssh_t; - - ############################## - # - # Client local policy - # - - allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search }; - allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_ssh_t self:fd use; - allow $1_ssh_t self:fifo_file rw_fifo_file_perms; - allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_ssh_t self:shm create_shm_perms; - allow $1_ssh_t self:sem create_sem_perms; - allow $1_ssh_t self:msgq create_msgq_perms; - allow $1_ssh_t self:msg { send receive }; - allow $1_ssh_t self:tcp_socket create_stream_socket_perms; - - # for rsync - allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; - allow $1_ssh_t $2:unix_stream_socket connectto; - - # Read the ssh key file. - allow $1_ssh_t sshd_key_t:file read_file_perms; - - # Access the ssh temporary files. - allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms; - allow $1_ssh_t sshd_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir }) - - # Transition from the domain to the derived domain. - domtrans_pattern($2, ssh_exec_t, $1_ssh_t) - - # inheriting stream sockets is needed for "ssh host command" as no pty - # is allocated - # cjp: should probably fix target to be an attribute for ssh servers - # or "regular" (not special like sshd_extern_t) servers - allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; - - # allow ps to show ssh - ps_process_pattern($2, $1_ssh_t) - - # user can manage the keys and config - manage_files_pattern($2, ssh_home_t, ssh_home_t) - manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t) - manage_sock_files_pattern($2, ssh_home_t, ssh_home_t) - - # ssh client can manage the keys and config - manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) - read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) - - # ssh servers can read the user keys and config - allow ssh_server ssh_home_t:dir list_dir_perms; - read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) - read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) - - kernel_read_kernel_sysctls($1_ssh_t) - kernel_read_system_state($1_ssh_t) - - corenet_all_recvfrom_unlabeled($1_ssh_t) - corenet_all_recvfrom_netlabel($1_ssh_t) - corenet_tcp_sendrecv_generic_if($1_ssh_t) - corenet_tcp_sendrecv_generic_node($1_ssh_t) - corenet_tcp_sendrecv_all_ports($1_ssh_t) - corenet_tcp_connect_ssh_port($1_ssh_t) - corenet_sendrecv_ssh_client_packets($1_ssh_t) - corenet_tcp_bind_generic_node($1_ssh_t) - corenet_tcp_bind_all_unreserved_ports($1_ssh_t) - - dev_read_urand($1_ssh_t) - - fs_getattr_all_fs($1_ssh_t) - fs_search_auto_mountpoints($1_ssh_t) - - # run helper programs - needed eg for x11-ssh-askpass - corecmd_exec_shell($1_ssh_t) - corecmd_exec_bin($1_ssh_t) - - domain_use_interactive_fds($1_ssh_t) - - files_list_home($1_ssh_t) - files_read_usr_files($1_ssh_t) - files_read_etc_runtime_files($1_ssh_t) - files_read_etc_files($1_ssh_t) - files_read_var_files($1_ssh_t) - - auth_use_nsswitch($1_ssh_t) - - logging_send_syslog_msg($1_ssh_t) - logging_read_generic_logs($1_ssh_t) - - miscfiles_read_localization($1_ssh_t) - - seutil_read_config($1_ssh_t) - - optional_policy(` - kerberos_use($1_ssh_t) - ') -') - -####################################### -## -## The template to define a ssh server. -## -## -##

-## This template creates a domains to be used for -## creating a ssh server. This is typically done -## to have multiple ssh servers of different sensitivities, -## such as for an internal network-facing ssh server, and -## a external network-facing ssh server. -##

-##
-## -## -## The prefix of the server domain (e.g., sshd -## is the prefix for sshd_t). -## -## -# -template(`ssh_server_template',` - type $1_t, ssh_server; - auth_login_pgm_domain($1_t) - - type $1_devpts_t; - term_login_pty($1_devpts_t) - - type $1_tmpfs_t; - files_tmpfs_file($1_tmpfs_t) - - type $1_var_run_t; - files_pid_file($1_var_run_t) - - allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec }; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - # ssh agent connections: - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:shm create_shm_perms; - - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom }; - term_create_pty($1_t, $1_devpts_t) - - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) - - allow $1_t $1_var_run_t:file manage_file_perms; - files_pid_filetrans($1_t, $1_var_run_t, file) - - can_exec($1_t, sshd_exec_t) - - # Access key files - allow $1_t sshd_key_t:file read_file_perms; - - kernel_read_kernel_sysctls($1_t) - kernel_read_network_state($1_t) - kernel_request_load_module(ssh_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) - corenet_raw_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_udp_sendrecv_generic_node($1_t) - corenet_raw_sendrecv_generic_node($1_t) - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_tcp_bind_generic_node($1_t) - corenet_udp_bind_generic_node($1_t) - corenet_tcp_bind_ssh_port($1_t) - corenet_sendrecv_ssh_server_packets($1_t) - # -R qualifier - corenet_sendrecv_ssh_server_packets($1_t) - # tunnel feature and -w (net_admin capability also) - corenet_rw_tun_tap_dev($1_t) - - fs_dontaudit_getattr_all_fs($1_t) - - auth_rw_login_records($1_t) - auth_rw_faillog($1_t) - - corecmd_read_bin_symlinks($1_t) - corecmd_getattr_bin_files($1_t) - # for sshd subsystems, such as sftp-server. - corecmd_getattr_bin_files($1_t) - - domain_interactive_fd($1_t) - domain_dyntrans_type($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - files_read_usr_files($1_t) - - logging_search_logs($1_t) - - miscfiles_read_localization($1_t) - - userdom_dontaudit_relabelfrom_user_ptys($1_t) - userdom_read_user_home_content_files($1_t) - - # Allow checking users mail at login - mta_getattr_spool($1_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files($1_t) - fs_read_nfs_symlinks($1_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files($1_t) - ') - - optional_policy(` - kerberos_use($1_t) - kerberos_manage_host_rcache($1_t) - ') - - optional_policy(` - files_read_var_lib_symlinks($1_t) - nx_spec_domtrans_server($1_t) - ') - - optional_policy(` - rlogin_read_home_content($1_t) - ') - - optional_policy(` - shutdown_getattr_exec_files($1_t) - ') -') - -######################################## -## -## Role access for ssh -## -## -## -## The prefix of the role (e.g., user -## is the prefix for user_r). -## -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -## -# -template(`ssh_role_template',` - gen_require(` - attribute ssh_server, ssh_agent_type; - type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; - type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; - type ssh_agent_tmp_t; - ') - - ############################## - # - # Declarations - # - - role $2 types ssh_t; - - type $1_ssh_agent_t, ssh_agent_type; - application_domain($1_ssh_agent_t, ssh_agent_exec_t) - domain_interactive_fd($1_ssh_agent_t) - ubac_constrained($1_ssh_agent_t) - role $2 types $1_ssh_agent_t; - - ############################## - # - # Local policy - # - - # Transition from the domain to the derived domain. - domtrans_pattern($3, ssh_exec_t, ssh_t) - - # inheriting stream sockets is needed for "ssh host command" as no pty - # is allocated - allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms; - - # allow ps to show ssh - ps_process_pattern($3, ssh_t) - allow $3 ssh_t:process { ptrace signal_perms }; - - # for rsync - allow ssh_t $3:unix_stream_socket rw_socket_perms; - allow ssh_t $3:unix_stream_socket connectto; - - # user can manage the keys and config - manage_files_pattern($3, ssh_home_t, ssh_home_t) - manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) - manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) - userdom_search_user_home_dirs($1_t) - userdom_manage_tmp_role($2, ssh_t) - - ############################## - # - # SSH agent local policy - # - - allow $1_ssh_agent_t self:process setrlimit; - allow $1_ssh_agent_t self:capability setgid; - - allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; - - allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; - - manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) - manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) - files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file }) - - # for ssh-add - stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) - - # Allow the user shell to signal the ssh program. - allow $3 $1_ssh_agent_t:process { ptrace signal_perms }; - - # allow ps to show ssh - ps_process_pattern($3, $1_ssh_agent_t) - - domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) - - kernel_read_kernel_sysctls($1_ssh_agent_t) - - dev_read_urand($1_ssh_agent_t) - dev_read_rand($1_ssh_agent_t) - - fs_search_auto_mountpoints($1_ssh_agent_t) - - # transition back to normal privs upon exec - corecmd_shell_domtrans($1_ssh_agent_t, $3) - corecmd_bin_domtrans($1_ssh_agent_t, $3) - - domain_use_interactive_fds($1_ssh_agent_t) - - files_read_etc_files($1_ssh_agent_t) - files_read_etc_runtime_files($1_ssh_agent_t) - - libs_read_lib_files($1_ssh_agent_t) - - logging_send_syslog_msg($1_ssh_agent_t) - - miscfiles_read_localization($1_ssh_agent_t) - miscfiles_read_generic_certs($1_ssh_agent_t) - - seutil_dontaudit_read_config($1_ssh_agent_t) - - # Write to the user domain tty. - userdom_use_user_terminals($1_ssh_agent_t) - - # for the transition back to normal privs upon exec - userdom_search_user_home_content($1_ssh_agent_t) - userdom_user_home_domtrans($1_ssh_agent_t, $3) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_ssh_agent_t) - - # transition back to normal privs upon exec - fs_nfs_domtrans($1_ssh_agent_t, $3) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_ssh_agent_t) - - # transition back to normal privs upon exec - fs_cifs_domtrans($1_ssh_agent_t, $3) - ') - - optional_policy(` - nis_use_ypbind($1_ssh_agent_t) - ') - - optional_policy(` - xserver_use_xdm_fds($1_ssh_agent_t) - xserver_rw_xdm_pipes($1_ssh_agent_t) - ') -') - -######################################## -## -## Send a SIGCHLD signal to the ssh server. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_sigchld',` - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:process sigchld; -') - -######################################## -## -## Send a generic signal to the ssh server. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_signal',` - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:process signal; -') - -######################################## -## -## Read a ssh server unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_read_pipes',` - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Read and write a ssh server unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_rw_pipes',` - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms; -') - -######################################## -## -## Read and write ssh server unix domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_rw_stream_sockets',` - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms; -') - -######################################## -## -## Read and write ssh server TCP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_rw_tcp_sockets',` - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:tcp_socket rw_stream_socket_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## ssh server TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`ssh_dontaudit_rw_tcp_sockets',` - gen_require(` - type sshd_t; - ') - - dontaudit $1 sshd_t:tcp_socket { read write }; -') - -######################################## -## -## Connect to SSH daemons over TCP sockets. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Execute the ssh daemon sshd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ssh_domtrans',` - gen_require(` - type sshd_t, sshd_exec_t; - ') - - domtrans_pattern($1, sshd_exec_t, sshd_t) -') - -######################################## -## -## Execute sshd server in the sshd domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_initrc_domtrans',` - gen_require(` - type sshd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, sshd_initrc_exec_t) -') - -######################################## -## -## Execute the ssh client in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_exec',` - gen_require(` - type ssh_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ssh_exec_t) -') - -######################################## -## -## Set the attributes of sshd key files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_setattr_key_files',` - gen_require(` - type sshd_key_t; - ') - - allow $1 sshd_key_t:file setattr_file_perms; - files_search_pids($1) -') - -######################################## -## -## Execute the ssh agent client in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_agent_exec',` - gen_require(` - type ssh_agent_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ssh_agent_exec_t) -') - -######################################## -## -## Read ssh home directory content -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_read_user_home_files',` - gen_require(` - type ssh_home_t; - ') - - allow $1 ssh_home_t:dir list_dir_perms; - read_files_pattern($1, ssh_home_t, ssh_home_t) - read_lnk_files_pattern($1, ssh_home_t, ssh_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Execute the ssh key generator in the ssh keygen domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ssh_domtrans_keygen',` - gen_require(` - type ssh_keygen_t, ssh_keygen_exec_t; - ') - - domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) -') - -######################################## -## -## Read ssh server keys -## -## -## -## Domain to not audit. -## -## -# -interface(`ssh_dontaudit_read_server_keys',` - gen_require(` - type sshd_key_t; - ') - - dontaudit $1 sshd_key_t:file read_file_perms; -') - -###################################### -## -## Manage ssh home directory content -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_manage_home_files',` - gen_require(` - type ssh_home_t; - ') - - manage_files_pattern($1, ssh_home_t, ssh_home_t) - userdom_search_user_home_dirs($1) -') - -####################################### -## -## Delete from the ssh temp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_delete_tmp',` - gen_require(` - type sshd_tmp_t; - ') - - files_search_tmp($1) - delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) -') - -######################################## -## -## Send a null signal to sshd processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_signull',` - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:process signull; -') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te deleted file mode 100644 index c7efe5d..0000000 --- a/policy/modules/services/ssh.te +++ /dev/null @@ -1,433 +0,0 @@ -policy_module(ssh, 2.2.0) - -######################################## -# -# Declarations -# - -## -##

-## allow host key based authentication -##

-##
-gen_tunable(allow_ssh_keysign, false) - -## -##

-## Allow ssh logins as sysadm_r:sysadm_t -##

-##
-gen_tunable(ssh_sysadm_login, false) - -## -##

-## allow sshd to forward port connections -##

-##
-gen_tunable(sshd_forward_ports, false) - -attribute ssh_server; -attribute ssh_agent_type; - -type ssh_keygen_t; -type ssh_keygen_exec_t; -init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) - -type sshd_exec_t; -corecmd_executable_file(sshd_exec_t) - -ssh_server_template(sshd) -init_daemon_domain(sshd_t, sshd_exec_t) - -type sshd_initrc_exec_t; -init_script_file(sshd_initrc_exec_t) - -type sshd_key_t; -files_type(sshd_key_t) - -type ssh_t; -type ssh_exec_t; -typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; -typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t }; -application_domain(ssh_t, ssh_exec_t) -ubac_constrained(ssh_t) - -type ssh_agent_exec_t; -corecmd_executable_file(ssh_agent_exec_t) - -type ssh_agent_tmp_t; -typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t }; -typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t }; -files_tmp_file(ssh_agent_tmp_t) -ubac_constrained(ssh_agent_tmp_t) - -type ssh_keysign_t; -type ssh_keysign_exec_t; -typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t }; -typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t }; -application_domain(ssh_keysign_t, ssh_keysign_exec_t) -ubac_constrained(ssh_keysign_t) - -type ssh_tmpfs_t; -typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; -typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; -files_tmpfs_file(ssh_tmpfs_t) -ubac_constrained(ssh_tmpfs_t) - -type ssh_home_t; -typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; -typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; -userdom_user_home_content(ssh_home_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) -') - -############################## -# -# SSH client local policy -# - -allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; -allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow ssh_t self:fd use; -allow ssh_t self:fifo_file rw_fifo_file_perms; -allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; -allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow ssh_t self:shm create_shm_perms; -allow ssh_t self:sem create_sem_perms; -allow ssh_t self:msgq create_msgq_perms; -allow ssh_t self:msg { send receive }; -allow ssh_t self:tcp_socket create_stream_socket_perms; - -# Read the ssh key file. -allow ssh_t sshd_key_t:file read_file_perms; - -manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) -manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) -userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) -userdom_stream_connect(ssh_t) - -# Allow the ssh program to communicate with ssh-agent. -stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) - -allow ssh_t sshd_t:unix_stream_socket connectto; - -# ssh client can manage the keys and config -manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) -read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) - -# ssh servers can read the user keys and config -manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t) -manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t) -userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir) -userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir) - -kernel_read_kernel_sysctls(ssh_t) -kernel_read_system_state(ssh_t) - -corenet_all_recvfrom_unlabeled(ssh_t) -corenet_all_recvfrom_netlabel(ssh_t) -corenet_tcp_sendrecv_generic_if(ssh_t) -corenet_tcp_sendrecv_generic_node(ssh_t) -corenet_tcp_sendrecv_all_ports(ssh_t) -corenet_tcp_connect_ssh_port(ssh_t) -corenet_sendrecv_ssh_client_packets(ssh_t) -corenet_tcp_bind_generic_node(ssh_t) -corenet_tcp_bind_all_unreserved_ports(ssh_t) - -dev_read_urand(ssh_t) - -fs_getattr_all_fs(ssh_t) -fs_search_auto_mountpoints(ssh_t) - -# run helper programs - needed eg for x11-ssh-askpass -corecmd_exec_shell(ssh_t) -corecmd_exec_bin(ssh_t) - -domain_use_interactive_fds(ssh_t) - -files_list_home(ssh_t) -files_read_usr_files(ssh_t) -files_read_etc_runtime_files(ssh_t) -files_read_etc_files(ssh_t) -files_read_var_files(ssh_t) - -logging_send_syslog_msg(ssh_t) -logging_read_generic_logs(ssh_t) - -auth_use_nsswitch(ssh_t) - -miscfiles_read_localization(ssh_t) - -seutil_read_config(ssh_t) - -userdom_dontaudit_list_user_home_dirs(ssh_t) -userdom_search_user_home_dirs(ssh_t) -# Write to the user domain tty. -userdom_use_user_terminals(ssh_t) -# needs to read krb/write tgt -userdom_read_user_tmp_files(ssh_t) -userdom_write_user_tmp_files(ssh_t) -userdom_read_user_home_content_symlinks(ssh_t) - -tunable_policy(`allow_ssh_keysign',` - domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(ssh_t) - fs_manage_nfs_files(ssh_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(ssh_t) - fs_manage_cifs_files(ssh_t) -') - -# for port forwarding -tunable_policy(`user_tcp_server',` - corenet_tcp_bind_ssh_port(ssh_t) - corenet_tcp_bind_generic_node(ssh_t) -') - -optional_policy(` - xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) - xserver_domtrans_xauth(ssh_t) -') - -######################################## -# -# ssh_keygen local policy -# - -# ssh_keygen_t is the type of the ssh-keygen program when run at install time -# and by sysadm_t - -dontaudit ssh_keygen_t self:capability sys_tty_config; -allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; -allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; - -allow ssh_keygen_t sshd_key_t:file manage_file_perms; -files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) - -kernel_read_kernel_sysctls(ssh_keygen_t) - -fs_search_auto_mountpoints(ssh_keygen_t) - -dev_read_sysfs(ssh_keygen_t) -dev_read_urand(ssh_keygen_t) - -term_dontaudit_use_console(ssh_keygen_t) - -domain_use_interactive_fds(ssh_keygen_t) - -files_read_etc_files(ssh_keygen_t) - -init_use_fds(ssh_keygen_t) -init_use_script_ptys(ssh_keygen_t) - -logging_send_syslog_msg(ssh_keygen_t) - -userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) - -optional_policy(` - nscd_socket_use(ssh_keygen_t) -') - -optional_policy(` - seutil_sigchld_newrole(ssh_keygen_t) -') - -optional_policy(` - udev_read_db(ssh_keygen_t) -') - -############################## -# -# ssh_keysign_t local policy -# - -tunable_policy(`allow_ssh_keysign',` - allow ssh_keysign_t self:capability { setgid setuid }; - allow ssh_keysign_t self:unix_stream_socket create_socket_perms; - - allow ssh_keysign_t sshd_key_t:file read_file_perms; - - dev_read_urand(ssh_keysign_t) - - files_read_etc_files(ssh_keysign_t) -') - -optional_policy(` - tunable_policy(`allow_ssh_keysign',` - nscd_socket_use(ssh_keysign_t) - ') -') - -################################# -# -# sshd local policy -# -# sshd_t is the domain for the sshd program. -# - -# so a tunnel can point to another ssh tunnel -allow sshd_t self:netlink_route_socket r_netlink_socket_perms; -allow sshd_t self:key { search link write }; -allow sshd_t self:process setcurrent; - -kernel_search_key(sshd_t) -kernel_link_key(sshd_t) - -term_use_all_ptys(sshd_t) -term_setattr_all_ptys(sshd_t) -term_setattr_all_ttys(sshd_t) -term_relabelto_all_ptys(sshd_t) -term_use_ptmx(sshd_t) - -# for X forwarding -corenet_tcp_bind_xserver_port(sshd_t) -corenet_sendrecv_xserver_server_packets(sshd_t) - -userdom_read_user_home_content_files(sshd_t) -userdom_read_user_home_content_symlinks(sshd_t) -userdom_search_admin_dir(sshd_t) -userdom_manage_tmp_role(system_r, sshd_t) -userdom_spec_domtrans_unpriv_users(sshd_t) -userdom_signal_unpriv_users(sshd_t) - -tunable_policy(`sshd_forward_ports',` - corenet_tcp_bind_all_unreserved_ports(sshd_t) - corenet_tcp_connect_all_ports(sshd_t) -') - -tunable_policy(`ssh_sysadm_login',` - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - userdom_signal_all_users(sshd_t) -') - -optional_policy(` - daemontools_service_domain(sshd_t, sshd_exec_t) -') - -optional_policy(` - kerberos_keytab_template(sshd, sshd_t) -') - -optional_policy(` - ftp_dyntrans_sftpd(sshd_t) - ftp_dyntrans_anon_sftpd(sshd_t) -') - -optional_policy(` - gitosis_manage_lib_files(sshd_t) -') - -optional_policy(` - inetd_tcp_service_domain(sshd_t, sshd_exec_t) -') - -optional_policy(` - nx_read_home_files(sshd_t) -') - -optional_policy(` - rpm_use_script_fds(sshd_t) -') - -optional_policy(` - rssh_spec_domtrans(sshd_t) - # For reading /home/user/.ssh - rssh_read_ro_content(sshd_t) -') - -optional_policy(` - usermanage_domtrans_passwd(sshd_t) - usermanage_read_crack_db(sshd_t) -') - -optional_policy(` - unconfined_shell_domtrans(sshd_t) -') - -optional_policy(` - xserver_domtrans_xauth(sshd_t) -') - -ifdef(`TODO',` - tunable_policy(`ssh_sysadm_login',` - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - allow sshd_t ptyfile:chr_file relabelto; - - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, userdomain) - ') - ',` - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) - ') - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; - ') -') dnl endif TODO - -######################################## -# -# ssh_keygen local policy -# - -# ssh_keygen_t is the type of the ssh-keygen program when run at install time -# and by sysadm_t - -dontaudit ssh_keygen_t self:capability sys_tty_config; -allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; -allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; - -allow ssh_keygen_t sshd_key_t:file manage_file_perms; -files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) - -kernel_read_kernel_sysctls(ssh_keygen_t) - -fs_search_auto_mountpoints(ssh_keygen_t) - -dev_read_sysfs(ssh_keygen_t) -dev_read_urand(ssh_keygen_t) - -term_dontaudit_use_console(ssh_keygen_t) - -domain_use_interactive_fds(ssh_keygen_t) - -files_read_etc_files(ssh_keygen_t) - -init_use_fds(ssh_keygen_t) -init_use_script_ptys(ssh_keygen_t) - -auth_use_nsswitch(ssh_keygen_t) - -logging_send_syslog_msg(ssh_keygen_t) - -userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) - -optional_policy(` - seutil_sigchld_newrole(ssh_keygen_t) -') - -optional_policy(` - udev_read_db(ssh_keygen_t) -') diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc deleted file mode 100644 index 4271815..0000000 --- a/policy/modules/services/sssd.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) - -/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) - -/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) - -/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) - -/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) - -/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if deleted file mode 100644 index 6dbfc01..0000000 --- a/policy/modules/services/sssd.if +++ /dev/null @@ -1,249 +0,0 @@ -## System Security Services Daemon - -######################################## -## -## Execute a domain transition to run sssd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sssd_domtrans',` - gen_require(` - type sssd_t, sssd_exec_t; - ') - - domtrans_pattern($1, sssd_exec_t, sssd_t) -') - -######################################## -## -## Execute sssd server in the sssd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sssd_initrc_domtrans',` - gen_require(` - type sssd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, sssd_initrc_exec_t) -') - -######################################## -## -## Read sssd public files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_read_public_files',` - gen_require(` - type sssd_public_t; - ') - - sssd_search_lib($1) - read_files_pattern($1, sssd_public_t, sssd_public_t) -') - -######################################## -## -## Read sssd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_read_pid_files',` - gen_require(` - type sssd_var_run_t; - ') - - files_search_pids($1) - allow $1 sssd_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage sssd var_run files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_manage_pids',` - gen_require(` - type sssd_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) - manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) -') - -######################################## -## -## Search sssd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_search_lib',` - gen_require(` - type sssd_var_lib_t; - ') - - allow $1 sssd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Do not audit attempts to search sssd lib directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`sssd_dontaudit_search_lib',` - gen_require(` - type sssd_var_lib_t; - ') - - dontaudit $1 sssd_var_lib_t:dir search_dir_perms; -') - -######################################## -## -## Read sssd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_read_lib_files',` - gen_require(` - type sssd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## sssd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_manage_lib_files',` - gen_require(` - type sssd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -') - -######################################## -## -## Send and receive messages from -## sssd over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_dbus_chat',` - gen_require(` - type sssd_t; - class dbus send_msg; - ') - - allow $1 sssd_t:dbus send_msg; - allow sssd_t $1:dbus send_msg; -') - -######################################## -## -## Connect to sssd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_stream_connect',` - gen_require(` - type sssd_t, sssd_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t) -') - -######################################## -## -## All of the rules required to administrate -## an sssd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the sssd domain. -## -## -## -# -interface(`sssd_admin',` - gen_require(` - type sssd_t, sssd_public_t, sssd_initrc_exec_t; - ') - - allow $1 sssd_t:process { ptrace signal_perms }; - ps_process_pattern($1, sssd_t) - - # Allow sssd_t to restart the apache service - sssd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sssd_initrc_exec_t system_r; - allow $2 system_r; - - sssd_manage_pids($1) - - sssd_manage_lib_files($1) - - admin_pattern($1, sssd_public_t) -') diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te deleted file mode 100644 index 7113802..0000000 --- a/policy/modules/services/sssd.te +++ /dev/null @@ -1,95 +0,0 @@ -policy_module(sssd, 1.1.0) - -######################################## -# -# Declarations -# - -type sssd_t; -type sssd_exec_t; -init_daemon_domain(sssd_t, sssd_exec_t) - -type sssd_initrc_exec_t; -init_script_file(sssd_initrc_exec_t) - -type sssd_public_t; -files_pid_file(sssd_public_t) - -type sssd_var_lib_t; -files_type(sssd_var_lib_t) - -type sssd_var_log_t; -logging_log_file(sssd_var_log_t) - -type sssd_var_run_t; -files_pid_file(sssd_var_run_t) - -######################################## -# -# sssd local policy -# - -allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid }; -allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; -allow sssd_t self:fifo_file rw_fifo_file_perms; -allow sssd_t self:key manage_key_perms; -allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) -manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) - -manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) - -manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -logging_log_filetrans(sssd_t, sssd_var_log_t, file) - -manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) - -kernel_read_network_state(sssd_t) -kernel_read_system_state(sssd_t) - -corecmd_exec_bin(sssd_t) - -dev_read_urand(sssd_t) - -domain_read_all_domains_state(sssd_t) -domain_obj_id_change_exemption(sssd_t) - -files_list_tmp(sssd_t) -files_read_etc_files(sssd_t) -files_read_usr_files(sssd_t) - -fs_list_inotifyfs(sssd_t) - -selinux_validate_context(sssd_t) - -seutil_read_file_contexts(sssd_t) - -mls_file_read_to_clearance(sssd_t) - -auth_use_nsswitch(sssd_t) -auth_domtrans_chk_passwd(sssd_t) -auth_domtrans_upd_passwd(sssd_t) - -init_read_utmp(sssd_t) - -logging_send_syslog_msg(sssd_t) -logging_send_audit_msgs(sssd_t) - -miscfiles_read_localization(sssd_t) - -userdom_manage_tmp_role(system_r, sssd_t) - -optional_policy(` - dbus_system_bus_client(sssd_t) - dbus_connect_system_bus(sssd_t) -') - -optional_policy(` - kerberos_manage_host_rcache(sssd_t) -') diff --git a/policy/modules/services/stunnel.fc b/policy/modules/services/stunnel.fc deleted file mode 100644 index 50e29aa..0000000 --- a/policy/modules/services/stunnel.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) - -/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) - -/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) - -/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if deleted file mode 100644 index eaf49b2..0000000 --- a/policy/modules/services/stunnel.if +++ /dev/null @@ -1,25 +0,0 @@ -## SSL Tunneling Proxy - -######################################## -## -## Define the specified domain as a stunnel inetd service. -## -## -## -## The type associated with the stunnel inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`stunnel_service_domain',` - gen_require(` - type stunnel_t; - ') - - domtrans_pattern(stunnel_t, $2, $1) - allow $1 stunnel_t:tcp_socket rw_socket_perms; -') diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te deleted file mode 100644 index 296e5ba..0000000 --- a/policy/modules/services/stunnel.te +++ /dev/null @@ -1,120 +0,0 @@ -policy_module(stunnel, 1.9.1) - -######################################## -# -# Declarations -# - -type stunnel_t; -type stunnel_exec_t; - -type stunnel_etc_t; -files_config_file(stunnel_etc_t) - -type stunnel_tmp_t; -files_tmp_file(stunnel_tmp_t) - -type stunnel_var_run_t; -files_pid_file(stunnel_var_run_t) - -ifdef(`distro_gentoo',` - init_daemon_domain(stunnel_t, stunnel_exec_t) -',` - inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) -') - -######################################## -# -# Local policy -# - -allow stunnel_t self:capability { setgid setuid sys_chroot }; -allow stunnel_t self:process signal_perms; -allow stunnel_t self:fifo_file rw_fifo_file_perms; -allow stunnel_t self:tcp_socket create_stream_socket_perms; -allow stunnel_t self:udp_socket create_socket_perms; - -allow stunnel_t stunnel_etc_t:dir list_dir_perms; -allow stunnel_t stunnel_etc_t:file read_file_perms; -allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) -manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) -files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) - -manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) -manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) -files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(stunnel_t) -kernel_read_system_state(stunnel_t) -kernel_read_network_state(stunnel_t) - -corecmd_exec_bin(stunnel_t) - -corenet_all_recvfrom_unlabeled(stunnel_t) -corenet_all_recvfrom_netlabel(stunnel_t) -corenet_tcp_sendrecv_generic_if(stunnel_t) -corenet_udp_sendrecv_generic_if(stunnel_t) -corenet_tcp_sendrecv_generic_node(stunnel_t) -corenet_udp_sendrecv_generic_node(stunnel_t) -corenet_tcp_sendrecv_all_ports(stunnel_t) -corenet_udp_sendrecv_all_ports(stunnel_t) -corenet_tcp_bind_generic_node(stunnel_t) -corenet_tcp_connect_all_ports(stunnel_t) - -fs_getattr_all_fs(stunnel_t) - -auth_use_nsswitch(stunnel_t) - -logging_send_syslog_msg(stunnel_t) - -miscfiles_read_localization(stunnel_t) - -sysnet_read_config(stunnel_t) - -ifdef(`distro_gentoo',` - dontaudit stunnel_t self:capability sys_tty_config; - allow stunnel_t self:udp_socket create_socket_perms; - - dev_read_sysfs(stunnel_t) - - fs_search_auto_mountpoints(stunnel_t) - - domain_use_interactive_fds(stunnel_t) - - userdom_dontaudit_use_unpriv_user_fds(stunnel_t) - userdom_dontaudit_search_user_home_dirs(stunnel_t) - - optional_policy(` - daemontools_service_domain(stunnel_t, stunnel_exec_t) - ') - - optional_policy(` - seutil_sigchld_newrole(stunnel_t) - ') - - optional_policy(` - udev_read_db(stunnel_t) - ') -',` - allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - - dev_read_urand(stunnel_t) - - files_read_etc_files(stunnel_t) - files_read_etc_runtime_files(stunnel_t) - files_search_home(stunnel_t) - - optional_policy(` - kerberos_use(stunnel_t) - ') -') - -# hack since this port has no interfaces since it doesnt -# have net_contexts -gen_require(` - type stunnel_port_t; -') - -allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc deleted file mode 100644 index 08d999c..0000000 --- a/policy/modules/services/sysstat.fc +++ /dev/null @@ -1,8 +0,0 @@ - -/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) -/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) -/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) - -/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) -/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) -/var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) diff --git a/policy/modules/services/sysstat.if b/policy/modules/services/sysstat.if deleted file mode 100644 index 7a23b3b..0000000 --- a/policy/modules/services/sysstat.if +++ /dev/null @@ -1,21 +0,0 @@ -## Policy for sysstat. Reports on various system states - -######################################## -## -## Manage sysstat logs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sysstat_manage_log',` - gen_require(` - type sysstat_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, sysstat_log_t, sysstat_log_t) -') diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te deleted file mode 100644 index 3645a22..0000000 --- a/policy/modules/services/sysstat.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(sysstat, 1.6.0) - -######################################## -# -# Declarations -# - -type sysstat_t; -type sysstat_exec_t; -init_system_domain(sysstat_t, sysstat_exec_t) - -type sysstat_log_t; -logging_log_file(sysstat_log_t) - -######################################## -# -# Local policy -# - -allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config }; -allow sysstat_t self:fifo_file rw_fifo_file_perms; - -can_exec(sysstat_t, sysstat_exec_t) - -manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) -manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) -manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) -logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) - -# get info from /proc -kernel_read_system_state(sysstat_t) -kernel_read_network_state(sysstat_t) -kernel_read_kernel_sysctls(sysstat_t) -kernel_read_fs_sysctls(sysstat_t) -kernel_read_rpc_sysctls(sysstat_t) - -corecmd_exec_bin(sysstat_t) - -dev_read_urand(sysstat_t) -dev_read_sysfs(sysstat_t) - -files_search_var(sysstat_t) -# for mtab -files_read_etc_runtime_files(sysstat_t) -#for fstab -files_read_etc_files(sysstat_t) - -fs_getattr_xattr_fs(sysstat_t) -fs_list_inotifyfs(sysstat_t) - -term_use_console(sysstat_t) -term_use_all_terms(sysstat_t) - -init_use_fds(sysstat_t) - -locallogin_use_fds(sysstat_t) - -miscfiles_read_localization(sysstat_t) - -userdom_dontaudit_list_user_home_dirs(sysstat_t) - -optional_policy(` - cron_system_entry(sysstat_t, sysstat_exec_t) -') - -optional_policy(` - logging_send_syslog_msg(sysstat_t) -') - -optional_policy(` - nscd_socket_use(sysstat_t) -') diff --git a/policy/modules/services/tcpd.fc b/policy/modules/services/tcpd.fc deleted file mode 100644 index 2e8d7a1..0000000 --- a/policy/modules/services/tcpd.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0) diff --git a/policy/modules/services/tcpd.if b/policy/modules/services/tcpd.if deleted file mode 100644 index 2075ebb..0000000 --- a/policy/modules/services/tcpd.if +++ /dev/null @@ -1,45 +0,0 @@ -## Policy for TCP daemon. - -######################################## -## -## Execute tcpd in the tcpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tcpd_domtrans',` - gen_require(` - type tcpd_t, tcpd_exec_t; - ') - - domtrans_pattern($1, tcpd_exec_t, tcpd_t) -') - -######################################## -## -## Create a domain for services that -## utilize tcp wrappers. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# -interface(`tcpd_wrapped_domain',` - gen_require(` - type tcpd_t; - role system_r; - ') - - domtrans_pattern(tcpd_t, $2, $1) - role system_r types $1; -') diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te deleted file mode 100644 index 4e84f23..0000000 --- a/policy/modules/services/tcpd.te +++ /dev/null @@ -1,49 +0,0 @@ -policy_module(tcpd, 1.4.0) - -######################################## -# -# Declarations -# -type tcpd_t; -type tcpd_exec_t; -inetd_tcp_service_domain(tcpd_t, tcpd_exec_t) - -type tcpd_tmp_t; -files_tmp_file(tcpd_tmp_t) - -######################################## -# -# Local policy -# -allow tcpd_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) -manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) -files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir }) - -corenet_all_recvfrom_unlabeled(tcpd_t) -corenet_all_recvfrom_netlabel(tcpd_t) -corenet_tcp_sendrecv_generic_if(tcpd_t) -corenet_tcp_sendrecv_generic_node(tcpd_t) -corenet_tcp_sendrecv_all_ports(tcpd_t) - -fs_getattr_xattr_fs(tcpd_t) - -# Run other daemons in the inetd child domain. -corecmd_search_bin(tcpd_t) - -files_read_etc_files(tcpd_t) -# no good reason for files_dontaudit_search_var, probably nscd -files_dontaudit_search_var(tcpd_t) - -logging_send_syslog_msg(tcpd_t) - -miscfiles_read_localization(tcpd_t) - -sysnet_read_config(tcpd_t) - -inetd_domtrans_child(tcpd_t) - -optional_policy(` - nis_use_ypbind(tcpd_t) -') diff --git a/policy/modules/services/telnet.fc b/policy/modules/services/telnet.fc deleted file mode 100644 index 7405170..0000000 --- a/policy/modules/services/telnet.fc +++ /dev/null @@ -1,4 +0,0 @@ - -/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0) - -/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0) diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if deleted file mode 100644 index 58e7ec0..0000000 --- a/policy/modules/services/telnet.if +++ /dev/null @@ -1 +0,0 @@ -## Telnet daemon diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te deleted file mode 100644 index 34c4c57..0000000 --- a/policy/modules/services/telnet.te +++ /dev/null @@ -1,98 +0,0 @@ -policy_module(telnet, 1.10.0) - -######################################## -# -# Declarations -# - -type telnetd_t; -type telnetd_exec_t; -inetd_service_domain(telnetd_t, telnetd_exec_t) - -type telnetd_devpts_t; #, userpty_type; -term_login_pty(telnetd_devpts_t) - -type telnetd_tmp_t; -files_tmp_file(telnetd_tmp_t) - -type telnetd_var_run_t; -files_pid_file(telnetd_var_run_t) - -######################################## -# -# Local policy -# - -allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; -allow telnetd_t self:process signal_perms; -allow telnetd_t self:fifo_file rw_fifo_file_perms; -allow telnetd_t self:tcp_socket connected_stream_socket_perms; -allow telnetd_t self:udp_socket create_socket_perms; -# for identd; cjp: this should probably only be inetd_child rules? -allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - -allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -term_create_pty(telnetd_t, telnetd_devpts_t) - -manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) -manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) - -manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) -files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) - -kernel_read_kernel_sysctls(telnetd_t) -kernel_read_system_state(telnetd_t) -kernel_read_network_state(telnetd_t) - -corenet_all_recvfrom_unlabeled(telnetd_t) -corenet_all_recvfrom_netlabel(telnetd_t) -corenet_tcp_sendrecv_generic_if(telnetd_t) -corenet_udp_sendrecv_generic_if(telnetd_t) -corenet_tcp_sendrecv_generic_node(telnetd_t) -corenet_udp_sendrecv_generic_node(telnetd_t) -corenet_tcp_sendrecv_all_ports(telnetd_t) -corenet_udp_sendrecv_all_ports(telnetd_t) - -dev_read_urand(telnetd_t) - -domain_interactive_fd(telnetd_t) - -fs_getattr_xattr_fs(telnetd_t) - -auth_rw_login_records(telnetd_t) -auth_use_nsswitch(telnetd_t) - -corecmd_search_bin(telnetd_t) - -files_read_usr_files(telnetd_t) -files_read_etc_files(telnetd_t) -files_read_etc_runtime_files(telnetd_t) - -init_rw_utmp(telnetd_t) - -logging_send_syslog_msg(telnetd_t) - -miscfiles_read_localization(telnetd_t) - -seutil_read_config(telnetd_t) - -remotelogin_domtrans(telnetd_t) - -userdom_search_user_home_dirs(telnetd_t) -userdom_setattr_user_ptys(telnetd_t) -userdom_manage_user_tmp_files(telnetd_t) -userdom_tmp_filetrans_user_tmp(telnetd_t, file) - -tunable_policy(`use_nfs_home_dirs',` - fs_search_nfs(telnetd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_search_cifs(telnetd_t) -') - -optional_policy(` - kerberos_keytab_template(telnetd, telnetd_t) - kerberos_manage_host_rcache(telnetd_t) -') - diff --git a/policy/modules/services/tftp.fc b/policy/modules/services/tftp.fc deleted file mode 100644 index 25eee43..0000000 --- a/policy/modules/services/tftp.fc +++ /dev/null @@ -1,8 +0,0 @@ - -/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) -/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) - -/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) -/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) - -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if deleted file mode 100644 index 1427b54..0000000 --- a/policy/modules/services/tftp.if +++ /dev/null @@ -1,118 +0,0 @@ -## Trivial file transfer protocol daemon - -######################################## -## -## Read tftp content -## -## -## -## Domain allowed access. -## -## -# -interface(`tftp_read_content',` - gen_require(` - type tftpdir_t; - ') - - read_files_pattern($1, tftpdir_t, tftpdir_t) - read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) -') - -######################################## -## -## Search tftp /var/lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`tftp_search_rw_content',` - gen_require(` - type tftpdir_rw_t; - ') - - search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) - files_search_var_lib($1) -') - -######################################## -## -## Manage tftp /var/lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tftp_manage_rw_content',` - gen_require(` - type tftpdir_rw_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) - manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -') - -######################################## -## -## Create objects in tftpdir directories -## with specified types. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Class of the object being created. -## -## -# -interface(`tftp_filetrans_tftpdir',` - gen_require(` - type tftpdir_rw_t; - ') - - filetrans_pattern($1, tftpdir_rw_t, $2, $3) - files_search_var_lib($1) -') - -######################################## -## -## All of the rules required to administrate -## an tftp environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`tftp_admin',` - gen_require(` - type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; - ') - - allow $1 tftpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, tftpd_t) - - files_list_var_lib($1) - admin_pattern($1, tftpdir_rw_t) - - admin_pattern($1, tftpdir_t) - - files_list_pids($1) - admin_pattern($1, tftpd_var_run_t) -') diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te deleted file mode 100644 index 97ce79e..0000000 --- a/policy/modules/services/tftp.te +++ /dev/null @@ -1,110 +0,0 @@ -policy_module(tftp, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow tftp to modify public files -## used for public file transfer services. -##

-##
-gen_tunable(tftp_anon_write, false) - -type tftpd_t; -type tftpd_exec_t; -init_daemon_domain(tftpd_t, tftpd_exec_t) - -type tftpd_var_run_t; -files_pid_file(tftpd_var_run_t) - -type tftpdir_t; -files_type(tftpdir_t) - -type tftpdir_rw_t; -files_type(tftpdir_rw_t) - -######################################## -# -# Local policy -# - -allow tftpd_t self:capability { setgid setuid sys_chroot }; -dontaudit tftpd_t self:capability sys_tty_config; -allow tftpd_t self:tcp_socket create_stream_socket_perms; -allow tftpd_t self:udp_socket create_socket_perms; -allow tftpd_t self:unix_dgram_socket create_socket_perms; -allow tftpd_t self:unix_stream_socket create_stream_socket_perms; - -allow tftpd_t tftpdir_t:dir list_dir_perms; -allow tftpd_t tftpdir_t:file read_file_perms; -allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) - -manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) -files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) - -kernel_read_system_state(tftpd_t) -kernel_read_kernel_sysctls(tftpd_t) - -corenet_all_recvfrom_unlabeled(tftpd_t) -corenet_all_recvfrom_netlabel(tftpd_t) -corenet_tcp_sendrecv_generic_if(tftpd_t) -corenet_udp_sendrecv_generic_if(tftpd_t) -corenet_tcp_sendrecv_generic_node(tftpd_t) -corenet_udp_sendrecv_generic_node(tftpd_t) -corenet_tcp_sendrecv_all_ports(tftpd_t) -corenet_udp_sendrecv_all_ports(tftpd_t) -corenet_tcp_bind_generic_node(tftpd_t) -corenet_udp_bind_generic_node(tftpd_t) -corenet_udp_bind_tftp_port(tftpd_t) -corenet_sendrecv_tftp_server_packets(tftpd_t) - -dev_read_sysfs(tftpd_t) - -fs_getattr_all_fs(tftpd_t) -fs_search_auto_mountpoints(tftpd_t) - -domain_use_interactive_fds(tftpd_t) - -files_read_etc_files(tftpd_t) -files_read_etc_runtime_files(tftpd_t) -files_read_var_files(tftpd_t) -files_read_var_symlinks(tftpd_t) -files_search_var(tftpd_t) - -auth_use_nsswitch(tftpd_t) - -logging_send_syslog_msg(tftpd_t) - -miscfiles_read_localization(tftpd_t) -miscfiles_read_public_files(tftpd_t) - -userdom_dontaudit_use_unpriv_user_fds(tftpd_t) -userdom_dontaudit_use_user_terminals(tftpd_t) -userdom_dontaudit_search_user_home_dirs(tftpd_t) - -tunable_policy(`tftp_anon_write',` - miscfiles_manage_public_files(tftpd_t) -') - -optional_policy(` - cobbler_read_lib_files(tftpd_t) -') - -optional_policy(` - inetd_udp_service_domain(tftpd_t, tftpd_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(tftpd_t) -') - -optional_policy(` - udev_read_db(tftpd_t) -') diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc deleted file mode 100644 index 8294f6f..0000000 --- a/policy/modules/services/tgtd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) -/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) -/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if deleted file mode 100644 index c2ed23a..0000000 --- a/policy/modules/services/tgtd.if +++ /dev/null @@ -1,46 +0,0 @@ -## Linux Target Framework Daemon. -## -##

-## Linux target framework (tgt) aims to simplify various -## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation -## and maintenance. Our key goals are the clean integration into -## the scsi-mid layer and implementing a great portion of tgt -## in user space. -##

-##
- -##################################### -## -## Allow read and write access to tgtd semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`tgtd_rw_semaphores',` - gen_require(` - type tgtd_t; - ') - - allow $1 tgtd_t:sem rw_sem_perms; -') - -###################################### -## -## Manage tgtd sempaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`tgtd_manage_semaphores',` - gen_require(` - type tgtd_t; - ') - - allow $1 tgtd_t:sem create_sem_perms; -') diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te deleted file mode 100644 index 44dfdc8..0000000 --- a/policy/modules/services/tgtd.te +++ /dev/null @@ -1,74 +0,0 @@ -policy_module(tgtd, 1.1.0) - -######################################## -# -# TGTD personal declarations. -# - -type tgtd_t; -type tgtd_exec_t; -init_daemon_domain(tgtd_t, tgtd_exec_t) - -type tgtd_initrc_exec_t; -init_script_file(tgtd_initrc_exec_t) - -type tgtd_tmp_t; -files_tmp_file(tgtd_tmp_t) - -type tgtd_tmpfs_t; -files_tmpfs_file(tgtd_tmpfs_t) - -type tgtd_var_lib_t; -files_type(tgtd_var_lib_t) - -######################################## -# -# TGTD personal policy. -# - -allow tgtd_t self:capability sys_resource; -allow tgtd_t self:process { setrlimit signal }; -allow tgtd_t self:fifo_file rw_fifo_file_perms; -allow tgtd_t self:netlink_route_socket create_netlink_socket_perms; -allow tgtd_t self:shm create_shm_perms; -allow tgtd_t self:sem create_sem_perms; -allow tgtd_t self:tcp_socket create_stream_socket_perms; -allow tgtd_t self:udp_socket create_socket_perms; -allow tgtd_t self:unix_dgram_socket create_socket_perms; - -manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t) -files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file }) - -manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t) -fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file) - -manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) -manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) -files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) - -kernel_read_fs_sysctls(tgtd_t) - -corenet_all_recvfrom_netlabel(tgtd_t) -corenet_all_recvfrom_unlabeled(tgtd_t) -corenet_tcp_sendrecv_generic_if(tgtd_t) -corenet_tcp_sendrecv_generic_node(tgtd_t) -corenet_tcp_sendrecv_iscsi_port(tgtd_t) -corenet_tcp_bind_generic_node(tgtd_t) -corenet_tcp_bind_iscsi_port(tgtd_t) -corenet_sendrecv_iscsi_server_packets(tgtd_t) - -dev_search_sysfs(tgtd_t) - -files_read_etc_files(tgtd_t) - -fs_read_anon_inodefs_files(tgtd_t) - -storage_manage_fixed_disk(tgtd_t) - -logging_send_syslog_msg(tgtd_t) - -miscfiles_read_localization(tgtd_t) - -optional_policy(` - iscsi_manage_semaphores(tgtd_t) -') diff --git a/policy/modules/services/timidity.fc b/policy/modules/services/timidity.fc deleted file mode 100644 index ed5eef3..0000000 --- a/policy/modules/services/timidity.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/bin/timidity -- gen_context(system_u:object_r:timidity_exec_t,s0) diff --git a/policy/modules/services/timidity.if b/policy/modules/services/timidity.if deleted file mode 100644 index 989b240..0000000 --- a/policy/modules/services/timidity.if +++ /dev/null @@ -1 +0,0 @@ -## MIDI to WAV converter and player configured as a service diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te deleted file mode 100644 index 67b5592..0000000 --- a/policy/modules/services/timidity.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(timidity, 1.9.0) - -# Note: You only need this policy if you want to run timidity as a server - -######################################## -# -# Declarations -# - -type timidity_t; -type timidity_exec_t; -init_daemon_domain(timidity_t, timidity_exec_t) -application_domain(timidity_t, timidity_exec_t) - -type timidity_tmpfs_t; -files_tmpfs_file(timidity_tmpfs_t) - -######################################## -# -# Local policy -# - -allow timidity_t self:capability { dac_override dac_read_search }; -dontaudit timidity_t self:capability sys_tty_config; -allow timidity_t self:process { signal_perms getsched }; -allow timidity_t self:shm create_shm_perms; -allow timidity_t self:unix_stream_socket create_stream_socket_perms; -allow timidity_t self:tcp_socket create_stream_socket_perms; -allow timidity_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_lnk_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_fifo_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_sock_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(timidity_t) -# read /proc/cpuinfo -kernel_read_system_state(timidity_t) - -corenet_all_recvfrom_unlabeled(timidity_t) -corenet_all_recvfrom_netlabel(timidity_t) -corenet_tcp_sendrecv_generic_if(timidity_t) -corenet_udp_sendrecv_generic_if(timidity_t) -corenet_tcp_sendrecv_generic_node(timidity_t) -corenet_udp_sendrecv_generic_node(timidity_t) -corenet_tcp_sendrecv_all_ports(timidity_t) -corenet_udp_sendrecv_all_ports(timidity_t) - -dev_read_sysfs(timidity_t) -dev_read_sound(timidity_t) -dev_write_sound(timidity_t) - -fs_search_auto_mountpoints(timidity_t) - -domain_use_interactive_fds(timidity_t) - -files_search_tmp(timidity_t) -# read /usr/share/alsa/alsa.conf -files_read_usr_files(timidity_t) -# read /etc/esd.conf -files_read_etc_files(timidity_t) - -# read libartscbackend.la -libs_read_lib_files(timidity_t) - -logging_send_syslog_msg(timidity_t) - -sysnet_read_config(timidity_t) - -userdom_dontaudit_use_unpriv_user_fds(timidity_t) - -# stupid timidity won't start if it can't search its current directory. -# allow this so /etc/init.d/alsasound start works from /root -# cjp: this should be fixed if possible so this rule can be removed. -userdom_search_user_home_dirs(timidity_t) - -optional_policy(` - seutil_sigchld_newrole(timidity_t) -') - -optional_policy(` - udev_read_db(timidity_t) -') diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc deleted file mode 100644 index e2e06b2..0000000 --- a/policy/modules/services/tor.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0) -/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0) - -/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) -/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) - -/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) -/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) - -/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0) - -/var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if deleted file mode 100644 index 464347f..0000000 --- a/policy/modules/services/tor.if +++ /dev/null @@ -1,64 +0,0 @@ -## TOR, the onion router - -######################################## -## -## Execute a domain transition to run TOR. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tor_domtrans',` - gen_require(` - type tor_t, tor_exec_t; - ') - - domtrans_pattern($1, tor_exec_t, tor_t) -') - -######################################## -## -## All of the rules required to administrate -## an tor environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the tor domain. -## -## -## -# -interface(`tor_admin',` - gen_require(` - type tor_t, tor_var_log_t, tor_etc_t; - type tor_var_lib_t, tor_var_run_t; - type tor_initrc_exec_t; - ') - - allow $1 tor_t:process { ptrace signal_perms }; - ps_process_pattern($1, tor_t) - - init_labeled_script_domtrans($1, tor_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 tor_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, tor_etc_t) - - files_list_var_lib($1) - admin_pattern($1, tor_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, tor_var_log_t) - - files_list_pids($1) - admin_pattern($1, tor_var_run_t) -') diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te deleted file mode 100644 index 7f0d9a9..0000000 --- a/policy/modules/services/tor.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(tor, 1.7.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow tor daemon to bind -## tcp sockets to all unreserved ports. -##

-##
-gen_tunable(tor_bind_all_unreserved_ports, false) - -type tor_t; -type tor_exec_t; -init_daemon_domain(tor_t, tor_exec_t) - -# etc/tor -type tor_etc_t; -files_config_file(tor_etc_t) - -type tor_initrc_exec_t; -init_script_file(tor_initrc_exec_t) - -# var/lib/tor -type tor_var_lib_t; -files_type(tor_var_lib_t) - -# log files -type tor_var_log_t; -logging_log_file(tor_var_log_t) - -# pid files -type tor_var_run_t; -files_pid_file(tor_var_run_t) - -######################################## -# -# tor local policy -# - -allow tor_t self:capability { setgid setuid sys_tty_config }; -allow tor_t self:process signal; -allow tor_t self:fifo_file rw_fifo_file_perms; -allow tor_t self:unix_stream_socket create_stream_socket_perms; -allow tor_t self:netlink_route_socket r_netlink_socket_perms; -allow tor_t self:tcp_socket create_stream_socket_perms; - -# configuration files -allow tor_t tor_etc_t:dir list_dir_perms; -read_files_pattern(tor_t, tor_etc_t, tor_etc_t) -read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t) - -# var/lib/tor files -manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -files_usr_filetrans(tor_t, tor_var_lib_t, file) -files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file }) -files_var_lib_filetrans(tor_t, tor_var_lib_t, file) - -# log files -allow tor_t tor_var_log_t:dir setattr; -manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) -manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) -logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) - -# pid file -manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t) -manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) -manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) -files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file dir }) - -kernel_read_system_state(tor_t) - -# networking basics -corenet_all_recvfrom_unlabeled(tor_t) -corenet_all_recvfrom_netlabel(tor_t) -corenet_tcp_sendrecv_generic_if(tor_t) -corenet_tcp_sendrecv_generic_node(tor_t) -corenet_tcp_sendrecv_all_ports(tor_t) -corenet_tcp_sendrecv_all_reserved_ports(tor_t) -corenet_tcp_bind_generic_node(tor_t) -corenet_tcp_bind_tor_port(tor_t) -corenet_sendrecv_tor_server_packets(tor_t) -# TOR will need to connect to various ports -corenet_tcp_connect_all_ports(tor_t) -corenet_sendrecv_all_client_packets(tor_t) -# ... especially including port 80 and other privileged ports -corenet_tcp_connect_all_reserved_ports(tor_t) -corenet_udp_bind_dns_port(tor_t) - -# tor uses crypto and needs random -dev_read_urand(tor_t) - -domain_use_interactive_fds(tor_t) - -files_read_etc_files(tor_t) -files_read_etc_runtime_files(tor_t) -files_read_usr_files(tor_t) - -auth_use_nsswitch(tor_t) - -logging_send_syslog_msg(tor_t) - -miscfiles_read_localization(tor_t) - -tunable_policy(`tor_bind_all_unreserved_ports',` - corenet_tcp_bind_all_unreserved_ports(tor_t) -') - -optional_policy(` - seutil_sigchld_newrole(tor_t) -') diff --git a/policy/modules/services/transproxy.fc b/policy/modules/services/transproxy.fc deleted file mode 100644 index ce33f17..0000000 --- a/policy/modules/services/transproxy.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0) - -/var/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0) diff --git a/policy/modules/services/transproxy.if b/policy/modules/services/transproxy.if deleted file mode 100644 index 23323f9..0000000 --- a/policy/modules/services/transproxy.if +++ /dev/null @@ -1 +0,0 @@ -## HTTP transperant proxy diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te deleted file mode 100644 index 95cf0c0..0000000 --- a/policy/modules/services/transproxy.te +++ /dev/null @@ -1,65 +0,0 @@ -policy_module(transproxy, 1.7.0) - -######################################## -# -# Declarations -# - -type transproxy_t; -type transproxy_exec_t; -init_daemon_domain(transproxy_t, transproxy_exec_t) - -type transproxy_var_run_t; -files_pid_file(transproxy_var_run_t) - -######################################## -# -# Local policy -# - -allow transproxy_t self:capability { setgid setuid }; -dontaudit transproxy_t self:capability sys_tty_config; -allow transproxy_t self:process signal_perms; -allow transproxy_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(transproxy_t, transproxy_var_run_t, transproxy_var_run_t) -files_pid_filetrans(transproxy_t, transproxy_var_run_t, file) - -kernel_read_kernel_sysctls(transproxy_t) -kernel_list_proc(transproxy_t) -kernel_read_proc_symlinks(transproxy_t) - -corenet_all_recvfrom_unlabeled(transproxy_t) -corenet_all_recvfrom_netlabel(transproxy_t) -corenet_tcp_sendrecv_generic_if(transproxy_t) -corenet_tcp_sendrecv_generic_node(transproxy_t) -corenet_tcp_sendrecv_all_ports(transproxy_t) -corenet_tcp_bind_generic_node(transproxy_t) -corenet_tcp_bind_transproxy_port(transproxy_t) -corenet_sendrecv_transproxy_server_packets(transproxy_t) - -dev_read_sysfs(transproxy_t) - -domain_use_interactive_fds(transproxy_t) - -files_read_etc_files(transproxy_t) - -fs_getattr_all_fs(transproxy_t) -fs_search_auto_mountpoints(transproxy_t) - -logging_send_syslog_msg(transproxy_t) - -miscfiles_read_localization(transproxy_t) - -sysnet_read_config(transproxy_t) - -userdom_dontaudit_use_unpriv_user_fds(transproxy_t) -userdom_dontaudit_search_user_home_dirs(transproxy_t) - -optional_policy(` - seutil_sigchld_newrole(transproxy_t) -') - -optional_policy(` - udev_read_db(transproxy_t) -') diff --git a/policy/modules/services/tuned.fc b/policy/modules/services/tuned.fc deleted file mode 100644 index 639c962..0000000 --- a/policy/modules/services/tuned.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0) - -/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) - -/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) -/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) - -/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if deleted file mode 100644 index 752697f..0000000 --- a/policy/modules/services/tuned.if +++ /dev/null @@ -1,128 +0,0 @@ -## Dynamic adaptive system tuning daemon - -######################################## -## -## Execute a domain transition to run tuned. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tuned_domtrans',` - gen_require(` - type tuned_t, tuned_exec_t; - ') - - domtrans_pattern($1, tuned_exec_t, tuned_t) -') - -####################################### -## -## Execute tuned in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`tuned_exec',` - gen_require(` - type tuned_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, tuned_exec_t) -') - -###################################### -## -## Read tuned PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tuned_read_pid_files',` - gen_require(` - type tuned_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, tuned_var_run_t, tuned_var_run_t) -') - -####################################### -## -## Manage tuned PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tuned_manage_pid_files',` - gen_require(` - type tuned_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t) -') - -######################################## -## -## Execute tuned server in the tuned domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`tuned_initrc_domtrans',` - gen_require(` - type tuned_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, tuned_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an tuned environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tuned_admin',` - gen_require(` - type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; - ') - - allow $1 tuned_t:process { ptrace signal_perms }; - ps_process_pattern($1, tuned_t) - - tuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 tuned_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, tuned_var_run_t) -') diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te deleted file mode 100644 index b3983a9..0000000 --- a/policy/modules/services/tuned.te +++ /dev/null @@ -1,69 +0,0 @@ -policy_module(tuned, 1.1.0) - -######################################## -# -# Declarations -# - -type tuned_t; -type tuned_exec_t; -init_daemon_domain(tuned_t, tuned_exec_t) - -type tuned_initrc_exec_t; -init_script_file(tuned_initrc_exec_t) - -type tuned_log_t; -logging_log_file(tuned_log_t) - -type tuned_var_run_t; -files_pid_file(tuned_var_run_t) - -######################################## -# -# tuned local policy -# - -dontaudit tuned_t self:capability { dac_override sys_tty_config }; -allow tuned_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) -manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -logging_log_filetrans(tuned_t, tuned_log_t, file) - -manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) -files_pid_filetrans(tuned_t, tuned_var_run_t, file) - -corecmd_exec_shell(tuned_t) -corecmd_exec_bin(tuned_t) - -kernel_read_system_state(tuned_t) -kernel_read_network_state(tuned_t) - -dev_read_urand(tuned_t) -dev_read_sysfs(tuned_t) -# to allow cpu tuning -dev_rw_netcontrol(tuned_t) - -files_read_etc_files(tuned_t) -files_read_usr_files(tuned_t) -files_dontaudit_search_home(tuned_t) - -logging_send_syslog_msg(tuned_t) - -miscfiles_read_localization(tuned_t) - -userdom_dontaudit_search_user_home_dirs(tuned_t) - -# to allow disk tuning -optional_policy(` - fstools_domtrans(tuned_t) -') - -optional_policy(` - gnome_dontaudit_search_config(tuned_t) -') - -# to allow network interface tuning -optional_policy(` - sysnet_domtrans_ifconfig(tuned_t) -') diff --git a/policy/modules/services/ucspitcp.fc b/policy/modules/services/ucspitcp.fc deleted file mode 100644 index 667d0b5..0000000 --- a/policy/modules/services/ucspitcp.fc +++ /dev/null @@ -1,3 +0,0 @@ - -/usr/bin/rblsmtpd -- gen_context(system_u:object_r:rblsmtpd_exec_t,s0) -/usr/bin/tcpserver -- gen_context(system_u:object_r:ucspitcp_exec_t,s0) diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if deleted file mode 100644 index 1f6f55b..0000000 --- a/policy/modules/services/ucspitcp.if +++ /dev/null @@ -1,35 +0,0 @@ -## ucspitcp policy -## -##

-## Policy for DJB's ucspi-tcpd -##

-##
- -######################################## -## -## Define a specified domain as a ucspitcp service. -## -## -## -## Domain allowed access. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`ucspitcp_service_domain',` - gen_require(` - type ucspitcp_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(ucspitcp_t, $2, $1) -') diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te deleted file mode 100644 index 37c056b..0000000 --- a/policy/modules/services/ucspitcp.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(ucspitcp, 1.3.0) - -######################################## -# -# Declarations -# - -type rblsmtpd_t; -type rblsmtpd_exec_t; -init_system_domain(rblsmtpd_t, rblsmtpd_exec_t) - -type ucspitcp_t; -type ucspitcp_exec_t; -init_system_domain(ucspitcp_t, ucspitcp_exec_t) - -######################################## -# -# Local policy for rblsmtpd -# - -ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t) - -corecmd_search_bin(rblsmtpd_t) - -corenet_all_recvfrom_unlabeled(rblsmtpd_t) -corenet_all_recvfrom_netlabel(rblsmtpd_t) -corenet_tcp_sendrecv_generic_if(rblsmtpd_t) -corenet_udp_sendrecv_generic_if(rblsmtpd_t) -corenet_tcp_sendrecv_generic_node(rblsmtpd_t) -corenet_udp_sendrecv_generic_node(rblsmtpd_t) -corenet_tcp_sendrecv_all_ports(rblsmtpd_t) -corenet_udp_sendrecv_all_ports(rblsmtpd_t) -corenet_tcp_bind_generic_node(rblsmtpd_t) -corenet_udp_bind_generic_port(rblsmtpd_t) - -files_read_etc_files(rblsmtpd_t) -files_search_var(rblsmtpd_t) - -optional_policy(` - daemontools_ipc_domain(rblsmtpd_t) -') - -######################################## -# -# Local policy for tcpserver -# - -allow ucspitcp_t self:capability { setgid setuid }; -allow ucspitcp_t self:fifo_file rw_fifo_file_perms; -allow ucspitcp_t self:tcp_socket create_stream_socket_perms; -allow ucspitcp_t self:udp_socket create_socket_perms; - -corecmd_search_bin(ucspitcp_t) - -# base networking: -corenet_all_recvfrom_unlabeled(ucspitcp_t) -corenet_all_recvfrom_netlabel(ucspitcp_t) -corenet_tcp_sendrecv_generic_if(ucspitcp_t) -corenet_udp_sendrecv_generic_if(ucspitcp_t) -corenet_tcp_sendrecv_generic_node(ucspitcp_t) -corenet_udp_sendrecv_generic_node(ucspitcp_t) -corenet_tcp_sendrecv_all_ports(ucspitcp_t) -corenet_udp_sendrecv_all_ports(ucspitcp_t) -corenet_tcp_bind_generic_node(ucspitcp_t) -corenet_udp_bind_generic_node(ucspitcp_t) - -# server ports: -corenet_tcp_bind_ftp_port(ucspitcp_t) -corenet_tcp_bind_ftp_data_port(ucspitcp_t) -corenet_tcp_bind_http_port(ucspitcp_t) -corenet_tcp_bind_smtp_port(ucspitcp_t) -corenet_tcp_bind_dns_port(ucspitcp_t) -corenet_udp_bind_dns_port(ucspitcp_t) -corenet_udp_bind_generic_port(ucspitcp_t) - -# server packets: -corenet_sendrecv_ftp_server_packets(ucspitcp_t) -corenet_sendrecv_http_server_packets(ucspitcp_t) -corenet_sendrecv_smtp_server_packets(ucspitcp_t) -corenet_sendrecv_dns_server_packets(ucspitcp_t) -corenet_sendrecv_generic_server_packets(ucspitcp_t) - -files_search_var(ucspitcp_t) -files_read_etc_files(ucspitcp_t) - -sysnet_read_config(ucspitcp_t) - -optional_policy(` - daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) - daemontools_sigchld_run(ucspitcp_t) - daemontools_read_svc(ucspitcp_t) -') - diff --git a/policy/modules/services/ulogd.fc b/policy/modules/services/ulogd.fc deleted file mode 100644 index 831b4a3..0000000 --- a/policy/modules/services/ulogd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) -/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) - -/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) -/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) - -/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if deleted file mode 100644 index fd72fe8..0000000 --- a/policy/modules/services/ulogd.if +++ /dev/null @@ -1,142 +0,0 @@ -## Iptables/netfilter userspace logging daemon. - -######################################## -## -## Execute a domain transition to run ulogd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ulogd_domtrans',` - gen_require(` - type ulogd_t, ulogd_exec_t; - ') - - domtrans_pattern($1, ulogd_exec_t, ulogd_t) -') - -######################################## -## -## Allow the specified domain to read -## ulogd configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ulogd_read_config',` - gen_require(` - type ulogd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) -') - -######################################## -## -## Allow the specified domain to read ulogd's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ulogd_read_log',` - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir list_dir_perms; - read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) -') - -####################################### -## -## Allow the specified domain to search ulogd's log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ulogd_search_log',` - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir search_dir_perms; -') - -######################################## -## -## Allow the specified domain to append to ulogd's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ulogd_append_log',` - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir list_dir_perms; - allow $1 ulogd_var_log_t:file append_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an ulogd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -# -interface(`ulogd_admin',` - gen_require(` - type ulogd_t, ulogd_etc_t, ulogd_modules_t; - type ulogd_var_log_t, ulogd_initrc_exec_t; - ') - - allow $1 ulogd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ulogd_t) - - init_labeled_script_domtrans($1, ulogd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ulogd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, ulogd_etc_t) - - logging_list_logs($1) - admin_pattern($1, ulogd_var_log_t) - - files_list_usr($1) - admin_pattern($1, ulogd_modules_t) -') diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te deleted file mode 100644 index ef97cb3..0000000 --- a/policy/modules/services/ulogd.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(ulogd, 1.1.0) - -######################################## -# -# Declarations -# - -type ulogd_t; -type ulogd_exec_t; -init_daemon_domain(ulogd_t, ulogd_exec_t) - -# config files -type ulogd_etc_t; -files_type(ulogd_etc_t) - -type ulogd_initrc_exec_t; -init_script_file(ulogd_initrc_exec_t) - -# /usr/lib files -type ulogd_modules_t; -files_type(ulogd_modules_t) - -# log files -type ulogd_var_log_t; -logging_log_file(ulogd_var_log_t) - -######################################## -# -# ulogd local policy -# - -allow ulogd_t self:capability net_admin; -allow ulogd_t self:netlink_nflog_socket create_socket_perms; -allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; -allow ulogd_t self:tcp_socket { create_stream_socket_perms connect }; -allow ulogd_t self:udp_socket create_socket_perms; - -# config files -read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) - -# modules for ulogd -list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) -mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) - -# log files -manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) -logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) - -files_read_etc_files(ulogd_t) -files_read_usr_files(ulogd_t) - -miscfiles_read_localization(ulogd_t) - -sysnet_dns_name_resolve(ulogd_t) - -optional_policy(` - mysql_stream_connect(ulogd_t) - mysql_tcp_connect(ulogd_t) -') - -optional_policy(` - postgresql_stream_connect(ulogd_t) - postgresql_tcp_connect(ulogd_t) -') diff --git a/policy/modules/services/uptime.fc b/policy/modules/services/uptime.fc deleted file mode 100644 index e30d6fc..0000000 --- a/policy/modules/services/uptime.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/etc/uptimed\.conf -- gen_context(system_u:object_r:uptimed_etc_t,s0) - -/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0) - -/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0) diff --git a/policy/modules/services/uptime.if b/policy/modules/services/uptime.if deleted file mode 100644 index 447abf7..0000000 --- a/policy/modules/services/uptime.if +++ /dev/null @@ -1 +0,0 @@ -## Uptime daemon diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te deleted file mode 100644 index 037a1e8..0000000 --- a/policy/modules/services/uptime.te +++ /dev/null @@ -1,73 +0,0 @@ -policy_module(uptime, 1.4.0) - -######################################## -# -# Declarations -# - -type uptimed_t; -type uptimed_exec_t; -init_daemon_domain(uptimed_t, uptimed_exec_t) - -type uptimed_etc_t alias etc_uptimed_t; -files_config_file(uptimed_etc_t) - -type uptimed_spool_t; -files_type(uptimed_spool_t) - -type uptimed_var_run_t; -files_pid_file(uptimed_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit uptimed_t self:capability sys_tty_config; -allow uptimed_t self:process signal_perms; -allow uptimed_t self:fifo_file write_fifo_file_perms; - -allow uptimed_t uptimed_etc_t:file read_file_perms; -files_search_etc(uptimed_t) - -allow uptimed_t uptimed_spool_t:file manage_file_perms; - -manage_files_pattern(uptimed_t, uptimed_var_run_t, uptimed_var_run_t) -files_pid_filetrans(uptimed_t, uptimed_var_run_t, file) - -manage_dirs_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t) -manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t) -files_spool_filetrans(uptimed_t, uptimed_spool_t, { dir file }) - -kernel_read_system_state(uptimed_t) -kernel_read_kernel_sysctls(uptimed_t) - -corecmd_exec_shell(uptimed_t) - -dev_read_sysfs(uptimed_t) - -domain_use_interactive_fds(uptimed_t) - -files_read_etc_runtime_files(uptimed_t) - -fs_getattr_all_fs(uptimed_t) -fs_search_auto_mountpoints(uptimed_t) - -logging_send_syslog_msg(uptimed_t) - -miscfiles_read_localization(uptimed_t) - -userdom_dontaudit_use_unpriv_user_fds(uptimed_t) -userdom_dontaudit_search_user_home_dirs(uptimed_t) - -optional_policy(` - mta_send_mail(uptimed_t) -') - -optional_policy(` - seutil_sigchld_newrole(uptimed_t) -') - -optional_policy(` - udev_read_db(uptimed_t) -') diff --git a/policy/modules/services/usbmuxd.fc b/policy/modules/services/usbmuxd.fc deleted file mode 100644 index 40b8b8d..0000000 --- a/policy/modules/services/usbmuxd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) - -/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if deleted file mode 100644 index 53792d3..0000000 --- a/policy/modules/services/usbmuxd.if +++ /dev/null @@ -1,39 +0,0 @@ -## USB multiplexing daemon for communicating with Apple iPod Touch and iPhone - -######################################## -## -## Execute a domain transition to run usbmuxd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usbmuxd_domtrans',` - gen_require(` - type usbmuxd_t, usbmuxd_exec_t; - ') - - domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t) -') - -##################################### -## -## Connect to usbmuxd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`usbmuxd_stream_connect',` - gen_require(` - type usbmuxd_t, usbmuxd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) -') diff --git a/policy/modules/services/usbmuxd.te b/policy/modules/services/usbmuxd.te deleted file mode 100644 index edfbe55..0000000 --- a/policy/modules/services/usbmuxd.te +++ /dev/null @@ -1,42 +0,0 @@ -policy_module(usbmuxd, 1.0.0) - -######################################## -# -# Declarations -# - -type usbmuxd_t; -type usbmuxd_exec_t; -application_domain(usbmuxd_t, usbmuxd_exec_t) -role system_r types usbmuxd_t; - -type usbmuxd_var_run_t; -files_pid_file(usbmuxd_var_run_t) - -######################################## -# -# usbmuxd local policy -# - -allow usbmuxd_t self:capability { kill setgid setuid }; -allow usbmuxd_t self:process { fork signal signull }; -allow usbmuxd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) - -kernel_read_kernel_sysctls(usbmuxd_t) -kernel_read_system_state(usbmuxd_t) - -dev_read_sysfs(usbmuxd_t) -dev_rw_generic_usb_dev(usbmuxd_t) - -files_read_etc_files(usbmuxd_t) - -miscfiles_read_localization(usbmuxd_t) - -auth_use_nsswitch(usbmuxd_t) - -logging_send_syslog_msg(usbmuxd_t) diff --git a/policy/modules/services/uucp.fc b/policy/modules/services/uucp.fc deleted file mode 100644 index e1c0d8d..0000000 --- a/policy/modules/services/uucp.fc +++ /dev/null @@ -1,11 +0,0 @@ - -/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0) - -/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0) - -/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) -/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) - -/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0) - -/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0) diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if deleted file mode 100644 index a717e2d..0000000 --- a/policy/modules/services/uucp.if +++ /dev/null @@ -1,120 +0,0 @@ -## Unix to Unix Copy - -######################################## -## -## Execute the uucico program in the -## uucpd_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`uucp_domtrans',` - gen_require(` - type uucpd_t, uucpd_exec_t; - ') - - domtrans_pattern($1, uucpd_exec_t, uucpd_t) -') - -######################################## -## -## Allow the specified domain to append -## to uucp log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`uucp_append_log',` - gen_require(` - type uucpd_log_t; - ') - - logging_search_logs($1) - allow $1 uucpd_log_t:dir list_dir_perms; - append_files_pattern($1, uucpd_log_t, uucpd_log_t) -') - -######################################## -## -## Create, read, write, and delete uucp spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`uucp_manage_spool',` - gen_require(` - type uucpd_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t) - manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t) - manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t) -') - -######################################## -## -## Execute the master uux program in the -## uux_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`uucp_domtrans_uux',` - gen_require(` - type uux_t, uux_exec_t; - ') - - domtrans_pattern($1, uux_exec_t, uux_t) -') - -######################################## -## -## All of the rules required to administrate -## an uucp environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`uucp_admin',` - gen_require(` - type uucpd_t, uucpd_tmp_t, uucpd_log_t; - type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t; - type uucpd_var_run_t; - ') - - allow $1 uucpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, uucpd_t) - - logging_list_logs($1) - admin_pattern($1, uucpd_log_t) - - files_list_spool($1) - admin_pattern($1, uucpd_spool_t) - - admin_pattern($1, uucpd_ro_t) - - admin_pattern($1, uucpd_rw_t) - - files_list_tmp($1) - admin_pattern($1, uucpd_tmp_t) - - files_list_pids($1) - admin_pattern($1, uucpd_var_run_t) -') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te deleted file mode 100644 index 1e40c2a..0000000 --- a/policy/modules/services/uucp.te +++ /dev/null @@ -1,149 +0,0 @@ -policy_module(uucp, 1.11.0) - -######################################## -# -# Declarations -# -type uucpd_t; -type uucpd_exec_t; -inetd_tcp_service_domain(uucpd_t, uucpd_exec_t) - -type uucpd_lock_t; -files_lock_file(uucpd_lock_t) - -type uucpd_tmp_t; -files_tmp_file(uucpd_tmp_t) - -type uucpd_var_run_t; -files_pid_file(uucpd_var_run_t) - -type uucpd_rw_t; -files_type(uucpd_rw_t) - -type uucpd_ro_t; -files_type(uucpd_ro_t) - -type uucpd_spool_t; -files_type(uucpd_spool_t) - -type uucpd_log_t; -logging_log_file(uucpd_log_t) - -type uux_t; -type uux_exec_t; -application_domain(uux_t, uux_exec_t) -role system_r types uux_t; - -######################################## -# -# UUCPd Local policy -# -allow uucpd_t self:capability { setuid setgid }; -allow uucpd_t self:process signal_perms; -allow uucpd_t self:fifo_file rw_fifo_file_perms; -allow uucpd_t self:tcp_socket connected_stream_socket_perms; -allow uucpd_t self:udp_socket create_socket_perms; -allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - -allow uucpd_t uucpd_log_t:dir setattr; -manage_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t) -logging_log_filetrans(uucpd_t, uucpd_log_t, { file dir }) - -allow uucpd_t uucpd_ro_t:dir list_dir_perms; -read_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t) -read_lnk_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t) - -manage_dirs_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) -manage_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) -manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) - -uucp_manage_spool(uucpd_t) - -manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t) -manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t) -files_search_locks(uucpd_t) - -manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t) -manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t) -files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir }) - -manage_files_pattern(uucpd_t, uucpd_var_run_t, uucpd_var_run_t) -files_pid_filetrans(uucpd_t, uucpd_var_run_t, file) - -kernel_read_kernel_sysctls(uucpd_t) -kernel_read_system_state(uucpd_t) -kernel_read_network_state(uucpd_t) - -corenet_all_recvfrom_unlabeled(uucpd_t) -corenet_all_recvfrom_netlabel(uucpd_t) -corenet_tcp_sendrecv_generic_if(uucpd_t) -corenet_udp_sendrecv_generic_if(uucpd_t) -corenet_tcp_sendrecv_generic_node(uucpd_t) -corenet_udp_sendrecv_generic_node(uucpd_t) -corenet_tcp_sendrecv_all_ports(uucpd_t) -corenet_udp_sendrecv_all_ports(uucpd_t) -corenet_tcp_connect_ssh_port(uucpd_t) - -dev_read_urand(uucpd_t) - -fs_getattr_xattr_fs(uucpd_t) - -corecmd_exec_bin(uucpd_t) -corecmd_exec_shell(uucpd_t) - -files_read_etc_files(uucpd_t) -files_search_home(uucpd_t) -files_search_spool(uucpd_t) - -term_setattr_controlling_term(uucpd_t) - -auth_use_nsswitch(uucpd_t) - -logging_send_syslog_msg(uucpd_t) - -miscfiles_read_localization(uucpd_t) - -mta_send_mail(uucpd_t) - -optional_policy(` - cron_system_entry(uucpd_t, uucpd_exec_t) -') - -optional_policy(` - kerberos_use(uucpd_t) -') - -optional_policy(` - ssh_exec(uucpd_t) -') - -######################################## -# -# UUX Local policy -# - -allow uux_t self:capability { setuid setgid }; -allow uux_t self:fifo_file write_fifo_file_perms; - -uucp_append_log(uux_t) -uucp_manage_spool(uux_t) - -corecmd_exec_bin(uux_t) - -files_read_etc_files(uux_t) - -fs_rw_anon_inodefs_files(uux_t) - -logging_send_syslog_msg(uux_t) - -miscfiles_read_localization(uux_t) - -optional_policy(` - mta_send_mail(uux_t) - mta_read_queue(uux_t) - sendmail_dontaudit_rw_unix_stream_sockets(uux_t) -') - -optional_policy(` - nscd_socket_use(uux_t) -') diff --git a/policy/modules/services/uwimap.fc b/policy/modules/services/uwimap.fc deleted file mode 100644 index 43bdef0..0000000 --- a/policy/modules/services/uwimap.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0) diff --git a/policy/modules/services/uwimap.if b/policy/modules/services/uwimap.if deleted file mode 100644 index 8337684..0000000 --- a/policy/modules/services/uwimap.if +++ /dev/null @@ -1,20 +0,0 @@ -## University of Washington IMAP toolkit POP3 and IMAP mail server - -######################################## -## -## Execute the UW IMAP/POP3 servers with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`uwimap_domtrans',` - gen_require(` - type imapd_t, imapd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, imapd_exec_t, imapd_t) -') diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te deleted file mode 100644 index 41fa663..0000000 --- a/policy/modules/services/uwimap.te +++ /dev/null @@ -1,95 +0,0 @@ -policy_module(uwimap, 1.8.0) - -######################################## -# -# Declarations -# - -type imapd_t; -type imapd_exec_t; -init_daemon_domain(imapd_t, imapd_exec_t) -inetd_tcp_service_domain(imapd_t, imapd_exec_t) - -type imapd_tmp_t; -files_tmp_file(imapd_tmp_t) - -type imapd_var_run_t; -files_pid_file(imapd_var_run_t) - -######################################## -# -# Local policy -# - -allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; -dontaudit imapd_t self:capability sys_tty_config; -allow imapd_t self:process signal_perms; -allow imapd_t self:fifo_file rw_fifo_file_perms; -allow imapd_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t) -manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t) -files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir }) - -manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t) -files_pid_filetrans(imapd_t, imapd_var_run_t, file) - -kernel_read_kernel_sysctls(imapd_t) -kernel_list_proc(imapd_t) -kernel_read_proc_symlinks(imapd_t) - -corenet_all_recvfrom_unlabeled(imapd_t) -corenet_all_recvfrom_netlabel(imapd_t) -corenet_tcp_sendrecv_generic_if(imapd_t) -corenet_tcp_sendrecv_generic_node(imapd_t) -corenet_tcp_sendrecv_all_ports(imapd_t) -corenet_tcp_bind_generic_node(imapd_t) -corenet_tcp_bind_pop_port(imapd_t) -corenet_tcp_connect_all_ports(imapd_t) -corenet_sendrecv_pop_server_packets(imapd_t) -corenet_sendrecv_all_client_packets(imapd_t) - -dev_read_sysfs(imapd_t) -#urandom, for ssl -dev_read_rand(imapd_t) -dev_read_urand(imapd_t) - -domain_use_interactive_fds(imapd_t) - -#read /etc/ for hostname nsswitch.conf -files_read_etc_files(imapd_t) - -fs_getattr_all_fs(imapd_t) -fs_search_auto_mountpoints(imapd_t) - -auth_domtrans_chk_passwd(imapd_t) - -logging_send_syslog_msg(imapd_t) - -miscfiles_read_localization(imapd_t) - -sysnet_read_config(imapd_t) - -userdom_dontaudit_use_unpriv_user_fds(imapd_t) -# cjp: this is excessive, should be limited to the -# mail directories -userdom_manage_user_home_content_dirs(imapd_t) -userdom_manage_user_home_content_files(imapd_t) -userdom_manage_user_home_content_symlinks(imapd_t) -userdom_manage_user_home_content_pipes(imapd_t) -userdom_manage_user_home_content_sockets(imapd_t) -userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file fifo_file sock_file }) - -mta_rw_spool(imapd_t) - -optional_policy(` - seutil_sigchld_newrole(imapd_t) -') - -optional_policy(` - tcpd_wrapped_domain(imapd_t, imapd_exec_t) -') - -optional_policy(` - udev_read_db(imapd_t) -') diff --git a/policy/modules/services/varnishd.fc b/policy/modules/services/varnishd.fc deleted file mode 100644 index 194d123..0000000 --- a/policy/modules/services/varnishd.fc +++ /dev/null @@ -1,18 +0,0 @@ -/etc/rc\.d/init\.d/varnish -- gen_context(system_u:object_r:varnishd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/varnishlog -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0) -/etc/rc\.d/init\.d/varnishncsa -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0) - -/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0) - -/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0) -/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0) - -/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0) - -/var/lib/varnish(/.*)? gen_context(system_u:object_r:varnishd_var_lib_t,s0) - -/var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0) - -/var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0) -/var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0) -/var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0) diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if deleted file mode 100644 index fe5ce10..0000000 --- a/policy/modules/services/varnishd.if +++ /dev/null @@ -1,216 +0,0 @@ -## Varnishd http accelerator daemon - -####################################### -## -## Execute varnishd in the varnishd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`varnishd_domtrans',` - gen_require(` - type varnishd_t, varnishd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, varnishd_exec_t, varnishd_t) -') - -####################################### -## -## Execute varnishd -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_exec',` - gen_require(` - type varnishd_exec_t; - ') - - can_exec($1, varnishd_exec_t) -') - -###################################### -## -## Read varnishd configuration file. -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_read_config',` - gen_require(` - type varnishd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) -') - -##################################### -## -## Read varnish lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_read_lib_files',` - gen_require(` - type varnishd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) -') - -####################################### -## -## Read varnish logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_read_log',` - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, varnishlog_log_t, varnishlog_log_t) -') - -###################################### -## -## Append varnish logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_append_log',` - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, varnishlog_log_t, varnishlog_log_t) -') - -##################################### -## -## Manage varnish logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_manage_log',` - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t) -') - -###################################### -## -## All of the rules required to administrate -## an varnishlog environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the varnishlog domain. -## -## -## -# -interface(`varnishd_admin_varnishlog',` - gen_require(` - type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; - type varnishlog_var_run_t; - ') - - allow $1 varnishlog_t:process { ptrace signal_perms }; - ps_process_pattern($1, varnishlog_t) - - init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 varnishlog_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, varnishlog_var_run_t) - - logging_list_logs($1) - admin_pattern($1, varnishlog_log_t) -') - -####################################### -## -## All of the rules required to administrate -## an varnishd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the varnishd domain. -## -## -## -# -interface(`varnishd_admin',` - gen_require(` - type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; - type varnishd_var_run_t, varnishd_tmp_t; - type varnishd_initrc_exec_t; - ') - - allow $1 varnishd_t:process { ptrace signal_perms }; - ps_process_pattern($1, varnishd_t) - - init_labeled_script_domtrans($1, varnishd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 varnishd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, varnishd_var_lib_t) - - files_list_etc($1) - admin_pattern($1, varnishd_etc_t) - - files_list_pids($1) - admin_pattern($1, varnishd_var_run_t) - - files_list_tmp($1) - admin_pattern($1, varnishd_tmp_t) -') diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te deleted file mode 100644 index c6bf70e..0000000 --- a/policy/modules/services/varnishd.te +++ /dev/null @@ -1,118 +0,0 @@ -policy_module(varnishd, 1.1.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow varnishd to connect to all ports, -## not just HTTP. -##

-##
-gen_tunable(varnishd_connect_any, false) - -type varnishd_t; -type varnishd_exec_t; -init_daemon_domain(varnishd_t, varnishd_exec_t) - -type varnishd_initrc_exec_t; -init_script_file(varnishd_initrc_exec_t) - -type varnishd_etc_t; -files_type(varnishd_etc_t) - -type varnishd_tmp_t; -files_tmp_file(varnishd_tmp_t) - -type varnishd_var_lib_t; -files_type(varnishd_var_lib_t) - -type varnishd_var_run_t; -files_pid_file(varnishd_var_run_t) - -type varnishlog_t; -type varnishlog_exec_t; -init_daemon_domain(varnishlog_t, varnishlog_exec_t) - -type varnishlog_initrc_exec_t; -init_script_file(varnishlog_initrc_exec_t) - -type varnishlog_var_run_t; -files_pid_file(varnishlog_var_run_t) - -type varnishlog_log_t; -files_type(varnishlog_log_t) - -######################################## -# -# varnishd local policy -# - -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; -dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; -allow varnishd_t self:fifo_file rw_fifo_file_perms; -allow varnishd_t self:tcp_socket create_stream_socket_perms; -allow varnishd_t self:udp_socket create_socket_perms; - -read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t) -list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t) - -manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t) -manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t) -files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir }) - -exec_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) -manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) -manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) -files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file }) - -manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t) -files_pid_filetrans(varnishd_t, varnishd_var_run_t, file) - -kernel_read_system_state(varnishd_t) - -corecmd_exec_bin(varnishd_t) -corecmd_exec_shell(varnishd_t) - -corenet_tcp_sendrecv_generic_if(varnishd_t) -corenet_tcp_bind_generic_node(varnishd_t) -corenet_tcp_bind_http_port(varnishd_t) -corenet_tcp_bind_http_cache_port(varnishd_t) -corenet_tcp_bind_varnishd_port(varnishd_t) -corenet_tcp_connect_http_cache_port(varnishd_t) -corenet_tcp_connect_http_port(varnishd_t) - -dev_read_urand(varnishd_t) - -fs_getattr_all_fs(varnishd_t) - -auth_use_nsswitch(varnishd_t) - -logging_send_syslog_msg(varnishd_t) - -miscfiles_read_localization(varnishd_t) - -sysnet_read_config(varnishd_t) - -tunable_policy(`varnishd_connect_any',` - corenet_tcp_connect_all_ports(varnishd_t) - corenet_tcp_bind_all_ports(varnishd_t) -') - -####################################### -# -# varnishlog local policy -# - -manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t) -files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file) - -manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) -manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) -logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir }) - -files_search_var_lib(varnishlog_t) -read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t) diff --git a/policy/modules/services/vhostmd.fc b/policy/modules/services/vhostmd.fc deleted file mode 100644 index c1fb329..0000000 --- a/policy/modules/services/vhostmd.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) - -/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) - -/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if deleted file mode 100644 index da605ba..0000000 --- a/policy/modules/services/vhostmd.if +++ /dev/null @@ -1,224 +0,0 @@ -## Virtual host metrics daemon - -######################################## -## -## Execute a domain transition to run vhostmd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vhostmd_domtrans',` - gen_require(` - type vhostmd_t, vhostmd_exec_t; - ') - - domtrans_pattern($1, vhostmd_exec_t, vhostmd_t) -') - -######################################## -## -## Execute vhostmd server in the vhostmd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vhostmd_initrc_domtrans',` - gen_require(` - type vhostmd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, vhostmd_initrc_exec_t) -') - -######################################## -## -## Allow domain to read, vhostmd tmpfs files -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_read_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - allow $1 vhostmd_tmpfs_t:file read_file_perms; - fs_search_tmpfs($1) -') - -######################################## -## -## Do not audit attempts to read, -## vhostmd tmpfs files -## -## -## -## Domain to not audit. -## -## -# -interface(`vhostmd_dontaudit_read_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - dontaudit $1 vhostmd_tmpfs_t:file read_file_perms; -') - -####################################### -## -## Allow domain to read and write vhostmd tmpfs files -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_rw_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## -## Create, read, write, and delete vhostmd tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_manage_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## -## Read vhostmd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_read_pid_files',` - gen_require(` - type vhostmd_var_run_t; - ') - - files_search_pids($1) - allow $1 vhostmd_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage vhostmd var_run files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_manage_pid_files',` - gen_require(` - type vhostmd_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) -') - -######################################## -## -## Connect to vhostmd over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_stream_connect',` - gen_require(` - type vhostmd_t, vhostmd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t) -') - -####################################### -## -## Dontaudit read and write to vhostmd -## over an unix domain stream socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`vhostmd_dontaudit_rw_stream_connect',` - gen_require(` - type vhostmd_t; - ') - - dontaudit $1 vhostmd_t:unix_stream_socket { read write }; -') - -######################################## -## -## All of the rules required to administrate -## an vhostmd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`vhostmd_admin',` - gen_require(` - type vhostmd_t, vhostmd_initrc_exec_t; - ') - - allow $1 vhostmd_t:process { ptrace signal_perms }; - ps_process_pattern($1, vhostmd_t) - - vhostmd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 vhostmd_initrc_exec_t system_r; - allow $2 system_r; - - vhostmd_manage_tmpfs_files($1) - - vhostmd_manage_pid_files($1) -') diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te deleted file mode 100644 index 7baeb6f..0000000 --- a/policy/modules/services/vhostmd.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(vhostmd, 1.0.0) - -######################################## -# -# Declarations -# - -type vhostmd_t; -type vhostmd_exec_t; -init_daemon_domain(vhostmd_t, vhostmd_exec_t) - -type vhostmd_initrc_exec_t; -init_script_file(vhostmd_initrc_exec_t) - -type vhostmd_tmpfs_t; -files_tmpfs_file(vhostmd_tmpfs_t) - -type vhostmd_var_run_t; -files_pid_file(vhostmd_var_run_t) - -######################################## -# -# vhostmd local policy -# - -allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; -allow vhostmd_t self:process { setsched getsched }; -allow vhostmd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir }) - -manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) -manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) -files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir }) - -kernel_read_system_state(vhostmd_t) -kernel_read_network_state(vhostmd_t) -kernel_write_xen_state(vhostmd_t) - -corecmd_exec_bin(vhostmd_t) -corecmd_exec_shell(vhostmd_t) - -corenet_tcp_connect_soundd_port(vhostmd_t) - -# 579803 -files_list_tmp(vhostmd_t) -files_read_etc_files(vhostmd_t) -files_read_usr_files(vhostmd_t) - -dev_read_sysfs(vhostmd_t) - -auth_use_nsswitch(vhostmd_t) - -logging_send_syslog_msg(vhostmd_t) - -miscfiles_read_localization(vhostmd_t) - -optional_policy(` - hostname_exec(vhostmd_t) -') - -optional_policy(` - rpm_exec(vhostmd_t) - rpm_read_db(vhostmd_t) -') - -optional_policy(` - virt_stream_connect(vhostmd_t) - virt_write_content(vhostmd_t) -') - -optional_policy(` - xen_domtrans_xm(vhostmd_t) - xen_stream_connect(vhostmd_t) - xen_stream_connect_xenstore(vhostmd_t) - xen_stream_connect_xm(vhostmd_t) -') diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc deleted file mode 100644 index be4b00f..0000000 --- a/policy/modules/services/virt.fc +++ /dev/null @@ -1,32 +0,0 @@ -HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) - -/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) -/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) - -/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) -/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) - -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) - -/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) - -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) - -/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if deleted file mode 100644 index dbdc0e0..0000000 --- a/policy/modules/services/virt.if +++ /dev/null @@ -1,610 +0,0 @@ -## Libvirt virtualization API - -######################################## -## -## Creates types and rules for a basic -## qemu process domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`virt_domain_template',` - gen_require(` - type virtd_t; - attribute virt_image_type, virt_domain; - ') - - type $1_t, virt_domain; - domain_type($1_t) - domain_user_exemption_target($1_t) - mls_rangetrans_target($1_t) - mcs_untrusted_proc($1_t) - role system_r types $1_t; - - type $1_devpts_t; - term_pty($1_devpts_t) - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - - type $1_tmpfs_t; - files_tmpfs_file($1_tmpfs_t) - - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) - dev_associate_sysfs($1_image_t) - - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - term_create_pty($1_t, $1_devpts_t) - - manage_dirs_pattern($1_t, $1_image_t, $1_image_t) - manage_files_pattern($1_t, $1_image_t, $1_image_t) - manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) - read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) - rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) - rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) - fs_hugetlbfs_filetrans($1_t, $1_image_t, file) - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - - manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) - - optional_policy(` - xserver_rw_shm($1_t) - ') -') - -######################################## -## -## Make the specified type usable as a virt image -## -## -## -## Type to be used as a virtual image -## -## -# -interface(`virt_image',` - gen_require(` - attribute virt_image_type; - ') - - typeattribute $1 virt_image_type; - files_type($1) - - # virt images can be assigned to blk devices - dev_node($1) -') - -######################################## -## -## Execute a domain transition to run virt. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`virt_domtrans',` - gen_require(` - type virtd_t, virtd_exec_t; - ') - - domtrans_pattern($1, virtd_exec_t, virtd_t) -') - -####################################### -## -## Connect to virt over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_stream_connect',` - gen_require(` - type virtd_t, virt_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) -') - -######################################## -## -## Allow domain to attach to virt TUN devices -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_attach_tun_iface',` - gen_require(` - type virtd_t; - ') - - allow $1 virtd_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## -## Read virt config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_config',` - gen_require(` - type virt_etc_t, virt_etc_rw_t; - ') - - files_search_etc($1) - read_files_pattern($1, virt_etc_t, virt_etc_t) - read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -') - -######################################## -## -## manage virt config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_config',` - gen_require(` - type virt_etc_t, virt_etc_rw_t; - ') - - files_search_etc($1) - manage_files_pattern($1, virt_etc_t, virt_etc_t) - manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -') - -######################################## -## -## Allow domain to manage virt image files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_content',` - gen_require(` - type virt_content_t; - ') - - virt_search_lib($1) - allow $1 virt_content_t:dir list_dir_perms; - list_dirs_pattern($1, virt_content_t, virt_content_t) - read_files_pattern($1, virt_content_t, virt_content_t) - read_lnk_files_pattern($1, virt_content_t, virt_content_t) - read_blk_files_pattern($1, virt_content_t, virt_content_t) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## -## Allow domain to write virt image files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_write_content',` - gen_require(` - type virt_content_t; - ') - - allow $1 virt_content_t:file write_file_perms; -') - -######################################## -## -## Read virt PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_pid_files',` - gen_require(` - type virt_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -') - -######################################## -## -## Manage virt pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_pid_files',` - gen_require(` - type virt_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -') - -######################################## -## -## Search virt lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_search_lib',` - gen_require(` - type virt_var_lib_t; - ') - - allow $1 virt_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read virt lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_lib_files',` - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -') - -######################################## -## -## Dontaudit inherited read virt lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_dontaudit_read_lib_files',` - gen_require(` - type virt_var_lib_t; - ') - - dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; -') - -######################################## -## -## Create, read, write, and delete -## virt lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_lib_files',` - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -') - -######################################## -## -## Allow the specified domain to read virt's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`virt_read_log',` - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## -## Allow the specified domain to append -## virt log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_append_log',` - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## -## Allow domain to manage virt log files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_log',` - gen_require(` - type virt_log_t; - ') - - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## -## Allow domain to read virt image files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_images',` - gen_require(` - type virt_var_lib_t; - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - list_dirs_pattern($1, virt_image_type, virt_image_type) - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## -## Allow domain to read virt blk image files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_blk_images',` - gen_require(` - attribute virt_image_type; - ') - - read_blk_files_pattern($1, virt_image_type, virt_image_type) -') - -######################################## -## -## Create, read, write, and delete -## svirt cache files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_cache',` - gen_require(` - type virt_cache_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -') - -######################################## -## -## Allow domain to manage virt image files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_images',` - gen_require(` - type virt_var_lib_t; - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_type, virt_image_type) - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## -## All of the rules required to administrate -## an virt environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`virt_admin',` - gen_require(` - type virtd_t, virtd_initrc_exec_t; - ') - - allow $1 virtd_t:process { ptrace signal_perms }; - ps_process_pattern($1, virtd_t) - - init_labeled_script_domtrans($1, virtd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 virtd_initrc_exec_t system_r; - allow $2 system_r; - - virt_manage_pid_files($1) - - virt_manage_lib_files($1) - - virt_manage_log($1) -') - -######################################## -## -## Execute qemu in the svirt domain, and -## allow the specified role the svirt domain. -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the sandbox domain. -## -## -## -# -interface(`virt_transition_svirt',` - gen_require(` - type svirt_t; - ') - - allow $1 svirt_t:process transition; - role $2 types svirt_t; - - optional_policy(` - ptchown_run(svirt_t, $2) - ') -') - -######################################## -## -## Do not audit attempts to write virt daemon unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`virt_dontaudit_write_pipes',` - gen_require(` - type virtd_t; - ') - - dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; -') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te deleted file mode 100644 index 62e349a..0000000 --- a/policy/modules/services/virt.te +++ /dev/null @@ -1,671 +0,0 @@ -policy_module(virt, 1.4.0) - -######################################## -# -# Declarations -# - -attribute virsh_transition_domain; - -## -##

-## Allow virt to use serial/parallell communication ports -##

-##
-gen_tunable(virt_use_comm, false) - -## -##

-## Allow virt to read fuse files -##

-##
-gen_tunable(virt_use_fusefs, false) - -## -##

-## Allow virt to manage nfs files -##

-##
-gen_tunable(virt_use_nfs, false) - -## -##

-## Allow virt to manage cifs files -##

-##
-gen_tunable(virt_use_samba, false) - -## -##

-## Allow virt to manage device configuration, (pci) -##

-##
-gen_tunable(virt_use_sysfs, false) - -## -##

-## Allow virtual machine to interact with the xserver -##

-##
-gen_tunable(virt_use_xserver, false) - -## -##

-## Allow virt to use usb devices -##

-##
-gen_tunable(virt_use_usb, true) - -virt_domain_template(svirt) -role system_r types svirt_t; - -attribute virt_domain; -attribute virt_image_type; - -type virt_cache_t alias svirt_cache_t; -files_type(virt_cache_t) - -type virt_etc_t; -files_config_file(virt_etc_t) - -type virt_etc_rw_t; -files_type(virt_etc_rw_t) - -# virt Image files -type virt_image_t; # customizable -virt_image(virt_image_t) -files_mountpoint(virt_image_t) - -# virt Image files -type virt_content_t; # customizable -virt_image(virt_content_t) -userdom_user_home_content(virt_content_t) - -type virt_tmp_t; -files_tmp_file(virt_tmp_t) - -type virt_log_t; -logging_log_file(virt_log_t) -mls_trusted_object(virt_log_t) - -type virt_var_run_t; -files_pid_file(virt_var_run_t) - -type virt_var_lib_t; -files_mountpoint(virt_var_lib_t) - -type virtd_t; -type virtd_exec_t; -init_daemon_domain(virtd_t, virtd_exec_t) -domain_obj_id_change_exemption(virtd_t) -domain_subj_id_change_exemption(virtd_t) - -type virtd_initrc_exec_t; -init_script_file(virtd_initrc_exec_t) - -type qemu_var_run_t; -typealias qemu_var_run_t alias svirt_var_run_t; -files_pid_file(qemu_var_run_t) -mls_trusted_object(qemu_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) -') - -######################################## -# -# svirt local policy -# - -allow svirt_t self:udp_socket create_socket_perms; - -read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) - -allow svirt_t svirt_image_t:dir search_dir_perms; -manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) -manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) -manage_fifo_files_pattern(svirt_t, svirt_image_t, svirt_image_t) -fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) - -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -read_files_pattern(svirt_t, virt_content_t, virt_content_t) -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir write; - -corenet_udp_sendrecv_generic_if(svirt_t) -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) - -dev_list_sysfs(svirt_t) - -userdom_search_user_home_content(svirt_t) -userdom_read_user_home_content_symlinks(svirt_t) -userdom_read_all_users_state(svirt_t) - -tunable_policy(`virt_use_comm',` - term_use_unallocated_ttys(svirt_t) - dev_rw_printer(svirt_t) -') - -tunable_policy(`virt_use_fusefs',` - fs_read_fusefs_files(svirt_t) - fs_read_fusefs_symlinks(svirt_t) -') - -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(svirt_t) - fs_manage_nfs_files(svirt_t) - fs_manage_nfs_named_sockets(svirt_t) - fs_read_nfs_symlinks(svirt_t) -') - -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(svirt_t) - fs_manage_cifs_files(svirt_t) - fs_manage_cifs_named_sockets(svirt_t) - fs_read_cifs_symlinks(virtd_t) -') - -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(svirt_t) -') - -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(svirt_t) - dev_read_sysfs(svirt_t) - fs_manage_dos_dirs(svirt_t) - fs_manage_dos_files(svirt_t) -') - -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_stream_connect(svirt_t) - ') -') - -optional_policy(` - xen_rw_image_files(svirt_t) -') - -optional_policy(` - xen_rw_image_files(svirt_t) -') - -######################################## -# -# virtd local policy -# - -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; -allow virtd_t self:fifo_file rw_fifo_file_perms; -allow virtd_t self:unix_stream_socket create_stream_socket_perms; -allow virtd_t self:tcp_socket create_stream_socket_perms; -allow virtd_t self:tun_socket create_socket_perms; -allow virtd_t self:rawip_socket create_socket_perms; -allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) -manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) - -manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) -manage_files_pattern(virtd_t, virt_content_t, virt_content_t) - -allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; - -allow virtd_t qemu_var_run_t:file relabel_file_perms; -manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) -manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) -manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) -stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) - -read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) - -manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) -manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) -manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) -filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) - -manage_files_pattern(virtd_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) -allow virtd_t virt_image_type:file relabel_file_perms; -allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; - -manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) -manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) -files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) -can_exec(virtd_t, virt_tmp_t) - -manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) -manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -logging_log_filetrans(virtd_t, virt_log_t, { file dir }) - -manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) - -manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) - -kernel_read_system_state(virtd_t) -kernel_read_network_state(virtd_t) -kernel_rw_net_sysctls(virtd_t) -kernel_read_kernel_sysctls(virtd_t) -kernel_request_load_module(virtd_t) -kernel_search_debugfs(virtd_t) - -corecmd_exec_bin(virtd_t) -corecmd_exec_shell(virtd_t) - -corenet_all_recvfrom_unlabeled(virtd_t) -corenet_all_recvfrom_netlabel(virtd_t) -corenet_tcp_sendrecv_generic_if(virtd_t) -corenet_tcp_sendrecv_generic_node(virtd_t) -corenet_tcp_sendrecv_all_ports(virtd_t) -corenet_tcp_bind_generic_node(virtd_t) -corenet_tcp_bind_virt_port(virtd_t) -corenet_tcp_bind_vnc_port(virtd_t) -corenet_tcp_connect_vnc_port(virtd_t) -corenet_tcp_connect_soundd_port(virtd_t) -corenet_rw_tun_tap_dev(virtd_t) - -dev_rw_sysfs(virtd_t) -dev_read_rand(virtd_t) -dev_rw_kvm(virtd_t) -dev_getattr_all_chr_files(virtd_t) -dev_rw_mtrr(virtd_t) -dev_rw_vhost(virtd_t) - -# Init script handling -domain_use_interactive_fds(virtd_t) -domain_read_all_domains_state(virtd_t) -domain_read_all_domains_state(virtd_t) - -files_read_usr_files(virtd_t) -files_read_etc_files(virtd_t) -files_read_usr_files(virtd_t) -files_read_etc_runtime_files(virtd_t) -files_search_all(virtd_t) -files_read_kernel_modules(virtd_t) -files_read_usr_src_files(virtd_t) -files_relabelto_system_conf_files(virtd_t) -files_relabelfrom_system_conf_files(virtd_t) - -# Manages /etc/sysconfig/system-config-firewall -files_manage_system_conf_files(virtd_t) -files_manage_system_conf_files(virtd_t) -files_etc_filetrans_system_conf(virtd_t) - -fs_list_auto_mountpoints(virtd_t) -fs_getattr_xattr_fs(virtd_t) -fs_rw_anon_inodefs_files(virtd_t) -fs_list_inotifyfs(virtd_t) -fs_manage_cgroup_dirs(virtd_t) -fs_rw_cgroup_files(virtd_t) -fs_manage_hugetlbfs_dirs(virtd_t) -fs_rw_hugetlbfs_files(virtd_t) - -mls_fd_share_all_levels(virtd_t) -mls_file_read_to_clearance(virtd_t) -mls_file_write_to_clearance(virtd_t) -mls_process_read_to_clearance(virtd_t) -mls_process_write_to_clearance(virtd_t) -mls_net_write_within_range(virtd_t) -mls_socket_write_to_clearance(virtd_t) -mls_socket_read_to_clearance(virtd_t) -mls_rangetrans_source(virtd_t) - -mcs_process_set_categories(virtd_t) - -storage_manage_fixed_disk(virtd_t) -storage_relabel_fixed_disk(virtd_t) -storage_raw_write_removable_device(virtd_t) -storage_raw_read_removable_device(virtd_t) - -term_getattr_pty_fs(virtd_t) -term_use_generic_ptys(virtd_t) -term_use_ptmx(virtd_t) - -auth_use_nsswitch(virtd_t) - -miscfiles_read_localization(virtd_t) -miscfiles_read_generic_certs(virtd_t) -miscfiles_read_hwdata(virtd_t) - -modutils_read_module_deps(virtd_t) -modutils_read_module_config(virtd_t) -modutils_manage_module_config(virtd_t) - -logging_send_syslog_msg(virtd_t) -logging_send_audit_msgs(virtd_t) - -selinux_validate_context(virtd_t) - -seutil_read_config(virtd_t) -seutil_read_default_contexts(virtd_t) -seutil_read_file_contexts(virtd_t) - -sysnet_domtrans_ifconfig(virtd_t) -sysnet_read_config(virtd_t) - -userdom_list_admin_dir(virtd_t) -userdom_getattr_all_users(virtd_t) -userdom_list_user_home_content(virtd_t) -userdom_read_all_users_state(virtd_t) -userdom_read_user_home_content_files(virtd_t) -userdom_relabel_user_home_files(virtd_t) -userdom_setattr_user_home_content_files(virtd_t) - -consoletype_exec(virtd_t) - -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virtd_t) - fs_manage_nfs_files(virtd_t) - fs_read_nfs_symlinks(virtd_t) -') - -tunable_policy(`virt_use_samba',` - fs_manage_nfs_files(virtd_t) - fs_manage_cifs_files(virtd_t) - fs_read_cifs_symlinks(virtd_t) -') - -optional_policy(` - brctl_domtrans(virtd_t) -') - -optional_policy(` - dbus_system_bus_client(virtd_t) - - optional_policy(` - avahi_dbus_chat(virtd_t) - ') - - optional_policy(` - consolekit_dbus_chat(virtd_t) - ') - - optional_policy(` - hal_dbus_chat(virtd_t) - ') -') - -optional_policy(` - dnsmasq_domtrans(virtd_t) - dnsmasq_signal(virtd_t) - dnsmasq_kill(virtd_t) - dnsmasq_read_pid_files(virtd_t) - dnsmasq_signull(virtd_t) -') - -optional_policy(` - iptables_domtrans(virtd_t) - iptables_initrc_domtrans(virtd_t) - - # Manages /etc/sysconfig/system-config-firewall - iptables_manage_config(virtd_t) -') - -optional_policy(` - kerberos_keytab_template(virtd, virtd_t) -') - -optional_policy(` - lvm_domtrans(virtd_t) -') - -optional_policy(` - policykit_dbus_chat(virtd_t) - policykit_domtrans_auth(virtd_t) - policykit_domtrans_resolve(virtd_t) - policykit_read_lib(virtd_t) -') - -optional_policy(` - qemu_domtrans(virtd_t) - qemu_read_state(virtd_t) - qemu_signal(virtd_t) - qemu_kill(virtd_t) - qemu_setsched(virtd_t) - qemu_entry_type(virt_domain) - qemu_exec(virt_domain) -') - -optional_policy(` - sasl_connect(virtd_t) -') - -optional_policy(` - kernel_read_xen_state(virtd_t) - kernel_write_xen_state(virtd_t) - - xen_stream_connect(virtd_t) - xen_stream_connect_xenstore(virtd_t) - xen_read_image_files(virtd_t) -') - -optional_policy(` - udev_domtrans(virtd_t) - udev_read_db(virtd_t) -') - -optional_policy(` - unconfined_domain(virtd_t) -') - -######################################## -# -# virtual domains common policy -# - -allow virt_domain self:capability { dac_read_search dac_override kill }; -allow virt_domain self:process { execmem execstack signal getsched signull }; -allow virt_domain self:fifo_file rw_fifo_file_perms; -allow virt_domain self:shm create_shm_perms; -allow virt_domain self:unix_stream_socket create_stream_socket_perms; -allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; -allow virt_domain self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) -manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) -files_var_filetrans(virt_domain, virt_cache_t, { file dir }) - -manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) -manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) -manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) -manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) -files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) -stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) - -dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; - -append_files_pattern(virt_domain, virt_log_t, virt_log_t) - -append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - -kernel_read_system_state(virt_domain) - -corecmd_exec_bin(virt_domain) -corecmd_exec_shell(virt_domain) - -corenet_all_recvfrom_unlabeled(virt_domain) -corenet_all_recvfrom_netlabel(virt_domain) -corenet_tcp_sendrecv_generic_if(virt_domain) -corenet_tcp_sendrecv_generic_node(virt_domain) -corenet_tcp_sendrecv_all_ports(virt_domain) -corenet_tcp_bind_generic_node(virt_domain) -corenet_tcp_bind_vnc_port(virt_domain) -corenet_rw_tun_tap_dev(virt_domain) -corenet_tcp_bind_virt_migration_port(virt_domain) -corenet_tcp_connect_virt_migration_port(virt_domain) - -dev_read_generic_symlinks(virt_domain) -dev_read_rand(virt_domain) -dev_read_sound(virt_domain) -dev_read_urand(virt_domain) -dev_write_sound(virt_domain) -dev_rw_ksm(virt_domain) -dev_rw_kvm(virt_domain) -dev_rw_qemu(virt_domain) -dev_rw_vhost(virt_domain) - -domain_use_interactive_fds(virt_domain) - -files_read_etc_files(virt_domain) -files_read_mnt_symlinks(virt_domain) -files_read_usr_files(virt_domain) -files_read_var_files(virt_domain) -files_search_all(virt_domain) - -fs_getattr_tmpfs(virt_domain) -fs_rw_anon_inodefs_files(virt_domain) -fs_rw_tmpfs_files(virt_domain) -fs_getattr_hugetlbfs(virt_domain) - -# I think we need these for now. -miscfiles_read_public_files(virt_domain) -storage_raw_read_removable_device(virt_domain) - -term_use_all_terms(virt_domain) -term_getattr_pty_fs(virt_domain) -term_use_generic_ptys(virt_domain) -term_use_ptmx(virt_domain) - -auth_use_nsswitch(virt_domain) - -logging_send_syslog_msg(virt_domain) - -miscfiles_read_localization(virt_domain) - -optional_policy(` - ptchown_domtrans(virt_domain) -') - -optional_policy(` - pulseaudio_dontaudit_exec(virt_domain) -') - -optional_policy(` - virt_read_config(virt_domain) - virt_read_lib_files(virt_domain) - virt_read_content(virt_domain) - virt_stream_connect(virt_domain) -') - -######################################## -# -# xm local policy -# -type virsh_t; -type virsh_exec_t; -init_system_domain(virsh_t, virsh_exec_t) -typealias virsh_t alias xm_t; -typealias virsh_exec_t alias xm_exec_t; - -allow virsh_t self:capability { dac_override ipc_lock sys_tty_config }; -allow virsh_t self:process { getcap getsched setcap signal }; -allow virsh_t self:fifo_file rw_fifo_file_perms; -allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow virsh_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) - -dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; - -kernel_read_system_state(virsh_t) -kernel_read_network_state(virsh_t) -kernel_read_kernel_sysctls(virsh_t) -kernel_read_sysctl(virsh_t) -kernel_read_xen_state(virsh_t) -kernel_write_xen_state(virsh_t) - -corecmd_exec_bin(virsh_t) -corecmd_exec_shell(virsh_t) - -corenet_tcp_sendrecv_generic_if(virsh_t) -corenet_tcp_sendrecv_generic_node(virsh_t) -corenet_tcp_connect_soundd_port(virsh_t) - -dev_read_urand(virsh_t) -dev_read_sysfs(virsh_t) - -files_read_etc_runtime_files(virsh_t) -files_read_usr_files(virsh_t) -files_list_mnt(virsh_t) -# Some common macros (you might be able to remove some) -files_read_etc_files(virsh_t) - -fs_getattr_all_fs(virsh_t) -fs_manage_xenfs_dirs(virsh_t) -fs_manage_xenfs_files(virsh_t) -fs_search_auto_mountpoints(virsh_t) - -storage_raw_read_fixed_disk(virsh_t) - -term_use_all_terms(virsh_t) - -init_stream_connect_script(virsh_t) -init_rw_script_stream_sockets(virsh_t) -init_use_fds(virsh_t) - -miscfiles_read_localization(virsh_t) - -sysnet_dns_name_resolve(virsh_t) - -optional_policy(` - xen_manage_image_dirs(virsh_t) - xen_append_log(virsh_t) - xen_stream_connect(virsh_t) - xen_stream_connect_xenstore(virsh_t) -') - -optional_policy(` - dbus_system_bus_client(virsh_t) - - optional_policy(` - hal_dbus_chat(virsh_t) - ') -') - -optional_policy(` - vhostmd_rw_tmpfs_files(virsh_t) - vhostmd_stream_connect(virsh_t) - vhostmd_dontaudit_rw_stream_connect(virsh_t) -') - -optional_policy(` - virt_domtrans(virsh_t) - virt_manage_images(virsh_t) - virt_manage_config(virsh_t) - virt_stream_connect(virsh_t) -') - -optional_policy(` - ssh_basic_client_template(virsh, virsh_t, system_r) - - kernel_read_xen_state(virsh_ssh_t) - kernel_write_xen_state(virsh_ssh_t) - - dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; - files_search_tmp(virsh_ssh_t) - - fs_manage_xenfs_dirs(virsh_ssh_t) - fs_manage_xenfs_files(virsh_ssh_t) - - userdom_search_admin_dir(virsh_ssh_t) -') diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc deleted file mode 100644 index 7667c31..0000000 --- a/policy/modules/services/vnstatd.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) - -/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) - -/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if deleted file mode 100644 index b9104b7..0000000 --- a/policy/modules/services/vnstatd.if +++ /dev/null @@ -1,144 +0,0 @@ -## policy for vnstatd - -######################################## -## -## Execute a domain transition to run vnstatd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vnstatd_domtrans',` - gen_require(` - type vnstatd_t, vnstatd_exec_t; - ') - - domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) -') - -######################################## -## -## Execute a domain transition to run vnstat. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vnstatd_domtrans_vnstat',` - gen_require(` - type vnstat_t, vnstat_exec_t; - ') - - domtrans_pattern($1, vnstat_exec_t, vnstat_t) -') - -######################################## -## -## Search vnstatd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_search_lib',` - gen_require(` - type vnstatd_var_lib_t; - ') - - allow $1 vnstatd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read vnstatd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_read_lib_files',` - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## vnstatd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_manage_lib_files',` - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## -## Manage vnstatd lib dirs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_manage_lib_dirs',` - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - - -######################################## -## -## All of the rules required to administrate -## an vnstatd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`vnstatd_admin',` - gen_require(` - type vnstatd_t, vnstatd_var_lib_t; - ') - - allow $1 vnstatd_t:process { ptrace signal_perms }; - ps_process_pattern($1, vnstatd_t) - - files_list_var_lib($1) - admin_pattern($1, vnstatd_var_lib_t) -') diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te deleted file mode 100644 index 8ec07ff..0000000 --- a/policy/modules/services/vnstatd.te +++ /dev/null @@ -1,65 +0,0 @@ -policy_module(vnstatd, 1.0.0) - -######################################## -# -# Declarations -# - -type vnstatd_t; -type vnstatd_exec_t; -init_daemon_domain(vnstatd_t, vnstatd_exec_t) - -permissive vnstatd_t; - -type vnstatd_var_lib_t; -files_type(vnstatd_var_lib_t) - -type vnstat_t; -type vnstat_exec_t; -application_domain(vnstat_t, vnstat_exec_t) -cron_system_entry(vnstat_t, vnstat_exec_t) - -######################################## -# -# vnstatd local policy -# -allow vnstatd_t self:process { fork signal }; -allow vnstatd_t self:fifo_file rw_fifo_file_perms; -allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) - -domain_use_interactive_fds(vnstatd_t) - -files_read_etc_files(vnstatd_t) - -logging_send_syslog_msg(vnstatd_t) - -miscfiles_read_localization(vnstatd_t) - -######################################## -# -# vnstat local policy -# -allow vnstat_t self:process signal; -allow vnstat_t self:fifo_file rw_fifo_file_perms; -allow vnstat_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) - -kernel_read_network_state(vnstat_t) -kernel_read_system_state(vnstat_t) - -domain_use_interactive_fds(vnstat_t) - -files_read_etc_files(vnstat_t) - -fs_getattr_xattr_fs(vnstat_t) - -logging_send_syslog_msg(vnstat_t) - -miscfiles_read_localization(vnstat_t) diff --git a/policy/modules/services/w3c.fc b/policy/modules/services/w3c.fc deleted file mode 100644 index a9cc9a8..0000000 --- a/policy/modules/services/w3c.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) - -/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) -/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) diff --git a/policy/modules/services/w3c.if b/policy/modules/services/w3c.if deleted file mode 100644 index 8f678a9..0000000 --- a/policy/modules/services/w3c.if +++ /dev/null @@ -1 +0,0 @@ -## W3C Markup Validator diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te deleted file mode 100644 index f4c4c1b..0000000 --- a/policy/modules/services/w3c.te +++ /dev/null @@ -1,33 +0,0 @@ -policy_module(w3c, 1.0.0) - -######################################## -# -# Declarations -# - -apache_content_template(w3c_validator) - -type httpd_w3c_validator_tmp_t; -files_tmp_file(httpd_w3c_validator_tmp_t) - -######################################## -# -# Local policy -# - -manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) -manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) -files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) - -corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) -corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) -corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) - -miscfiles_read_generic_certs(httpd_w3c_validator_script_t) - -sysnet_dns_name_resolve(httpd_w3c_validator_script_t) - -apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) diff --git a/policy/modules/services/watchdog.fc b/policy/modules/services/watchdog.fc deleted file mode 100644 index 7551c51..0000000 --- a/policy/modules/services/watchdog.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0) - -/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0) - -/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/policy/modules/services/watchdog.if b/policy/modules/services/watchdog.if deleted file mode 100644 index f8acf10..0000000 --- a/policy/modules/services/watchdog.if +++ /dev/null @@ -1 +0,0 @@ -## Software watchdog diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te deleted file mode 100644 index b10bb05..0000000 --- a/policy/modules/services/watchdog.te +++ /dev/null @@ -1,105 +0,0 @@ -policy_module(watchdog, 1.7.0) - -################################# -# -# Rules for the watchdog_t domain. -# - -type watchdog_t; -type watchdog_exec_t; -init_daemon_domain(watchdog_t, watchdog_exec_t) - -type watchdog_log_t; -logging_log_file(watchdog_log_t) - -type watchdog_var_run_t; -files_pid_file(watchdog_var_run_t) - -######################################## -# -# Declarations -# - -allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource }; -dontaudit watchdog_t self:capability sys_tty_config; -allow watchdog_t self:process { setsched signal_perms }; -allow watchdog_t self:fifo_file rw_fifo_file_perms; -allow watchdog_t self:unix_stream_socket create_socket_perms; -allow watchdog_t self:tcp_socket create_stream_socket_perms; -allow watchdog_t self:udp_socket create_socket_perms; - -allow watchdog_t watchdog_log_t:file manage_file_perms; -logging_log_filetrans(watchdog_t, watchdog_log_t, file) - -manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) -files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) - -kernel_read_system_state(watchdog_t) -kernel_read_kernel_sysctls(watchdog_t) -kernel_unmount_proc(watchdog_t) - -# for orderly shutdown -corecmd_exec_shell(watchdog_t) - -# cjp: why networking? -corenet_all_recvfrom_unlabeled(watchdog_t) -corenet_all_recvfrom_netlabel(watchdog_t) -corenet_tcp_sendrecv_generic_if(watchdog_t) -corenet_udp_sendrecv_generic_if(watchdog_t) -corenet_tcp_sendrecv_generic_node(watchdog_t) -corenet_udp_sendrecv_generic_node(watchdog_t) -corenet_tcp_sendrecv_all_ports(watchdog_t) -corenet_udp_sendrecv_all_ports(watchdog_t) -corenet_tcp_connect_all_ports(watchdog_t) -corenet_sendrecv_all_client_packets(watchdog_t) - -dev_read_sysfs(watchdog_t) -dev_write_watchdog(watchdog_t) -# do not care about saving the random seed -dev_dontaudit_read_rand(watchdog_t) -dev_dontaudit_read_urand(watchdog_t) - -domain_use_interactive_fds(watchdog_t) -domain_getsession_all_domains(watchdog_t) -domain_sigchld_all_domains(watchdog_t) -domain_sigstop_all_domains(watchdog_t) -domain_signull_all_domains(watchdog_t) -domain_signal_all_domains(watchdog_t) -domain_kill_all_domains(watchdog_t) - -files_read_etc_files(watchdog_t) -# for updating mtab on umount -files_manage_etc_runtime_files(watchdog_t) -files_etc_filetrans_etc_runtime(watchdog_t, file) - -fs_unmount_xattr_fs(watchdog_t) -fs_getattr_all_fs(watchdog_t) -fs_search_auto_mountpoints(watchdog_t) - -# record the fact that we are going down -auth_append_login_records(watchdog_t) - -logging_send_syslog_msg(watchdog_t) - -miscfiles_read_localization(watchdog_t) - -sysnet_read_config(watchdog_t) - -userdom_dontaudit_use_unpriv_user_fds(watchdog_t) -userdom_dontaudit_search_user_home_dirs(watchdog_t) - -optional_policy(` - mta_send_mail(watchdog_t) -') - -optional_policy(` - nis_use_ypbind(watchdog_t) -') - -optional_policy(` - seutil_sigchld_newrole(watchdog_t) -') - -optional_policy(` - udev_read_db(watchdog_t) -') diff --git a/policy/modules/services/xfs.fc b/policy/modules/services/xfs.fc deleted file mode 100644 index 8e70038..0000000 --- a/policy/modules/services/xfs.fc +++ /dev/null @@ -1,8 +0,0 @@ - -/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0) - -/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) -/usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0) - -/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) -/usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0) diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if deleted file mode 100644 index 42a0efb..0000000 --- a/policy/modules/services/xfs.if +++ /dev/null @@ -1,59 +0,0 @@ -## X Windows Font Server - -######################################## -## -## Read a X font server named socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xfs_read_sockets',` - gen_require(` - type xfs_tmp_t; - ') - - files_search_tmp($1) - read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t) -') - -######################################## -## -## Connect to a X font server over -## a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xfs_stream_connect',` - gen_require(` - type xfs_tmp_t, xfs_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t) -') - -######################################## -## -## Allow the specified domain to execute xfs -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`xfs_exec',` - gen_require(` - type xfs_exec_t; - ') - - can_exec($1, xfs_exec_t) -') diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te deleted file mode 100644 index 11c1b12..0000000 --- a/policy/modules/services/xfs.te +++ /dev/null @@ -1,87 +0,0 @@ -policy_module(xfs, 1.6.0) - -######################################## -# -# Declarations -# - -type xfs_t; -type xfs_exec_t; -init_daemon_domain(xfs_t, xfs_exec_t) - -type xfs_tmp_t; -files_tmp_file(xfs_tmp_t) - -type xfs_var_run_t; -files_pid_file(xfs_var_run_t) - -######################################## -# -# Local policy -# - -allow xfs_t self:capability { dac_override setgid setuid }; -dontaudit xfs_t self:capability sys_tty_config; -allow xfs_t self:process { signal_perms setpgid }; -allow xfs_t self:unix_stream_socket create_stream_socket_perms; -allow xfs_t self:unix_dgram_socket create_socket_perms; -allow xfs_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t) -manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t) -files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir }) - -manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t) -files_pid_filetrans(xfs_t, xfs_var_run_t, file) - -kernel_read_kernel_sysctls(xfs_t) -kernel_read_system_state(xfs_t) - -corenet_all_recvfrom_unlabeled(xfs_t) -corenet_all_recvfrom_netlabel(xfs_t) -corenet_tcp_sendrecv_generic_if(xfs_t) -corenet_tcp_sendrecv_generic_node(xfs_t) -corenet_tcp_sendrecv_all_ports(xfs_t) -corenet_tcp_bind_generic_node(xfs_t) -corenet_tcp_bind_xfs_port(xfs_t) -corenet_sendrecv_xfs_server_packets(xfs_t) - -corecmd_list_bin(xfs_t) - -dev_read_sysfs(xfs_t) -dev_read_urand(xfs_t) -dev_read_rand(xfs_t) - -fs_getattr_all_fs(xfs_t) -fs_search_auto_mountpoints(xfs_t) - -domain_use_interactive_fds(xfs_t) - -files_read_etc_files(xfs_t) -files_read_etc_runtime_files(xfs_t) -files_read_usr_files(xfs_t) - -auth_use_nsswitch(xfs_t) - -logging_send_syslog_msg(xfs_t) - -miscfiles_read_localization(xfs_t) -miscfiles_read_fonts(xfs_t) - -userdom_dontaudit_use_unpriv_user_fds(xfs_t) -userdom_dontaudit_search_user_home_dirs(xfs_t) - -xfs_exec(xfs_t) - -ifdef(`distro_debian',` - # for /tmp/.font-unix/fs7100 - init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file) -') - -optional_policy(` - seutil_sigchld_newrole(xfs_t) -') - -optional_policy(` - udev_read_db(xfs_t) -') diff --git a/policy/modules/services/xprint.fc b/policy/modules/services/xprint.fc deleted file mode 100644 index 6a857ff..0000000 --- a/policy/modules/services/xprint.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/Xprt -- gen_context(system_u:object_r:xprint_exec_t,s0) diff --git a/policy/modules/services/xprint.if b/policy/modules/services/xprint.if deleted file mode 100644 index e69a82a..0000000 --- a/policy/modules/services/xprint.if +++ /dev/null @@ -1 +0,0 @@ -## X print server diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te deleted file mode 100644 index 68d13e5..0000000 --- a/policy/modules/services/xprint.te +++ /dev/null @@ -1,82 +0,0 @@ -policy_module(xprint, 1.7.0) - -######################################## -# -# Declarations -# - -type xprint_t; -type xprint_exec_t; -init_daemon_domain(xprint_t, xprint_exec_t) - -type xprint_var_run_t; -files_pid_file(xprint_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit xprint_t self:capability sys_tty_config; -allow xprint_t self:process signal_perms; -allow xprint_t self:fifo_file rw_file_perms; -allow xprint_t self:tcp_socket create_stream_socket_perms; -allow xprint_t self:udp_socket create_socket_perms; - -manage_files_pattern(xprint_t, xprint_var_run_t, xprint_var_run_t) -files_pid_filetrans(xprint_t, xprint_var_run_t, file) - -kernel_read_system_state(xprint_t) -kernel_read_kernel_sysctls(xprint_t) - -corecmd_exec_bin(xprint_t) -corecmd_exec_shell(xprint_t) - -corenet_all_recvfrom_unlabeled(xprint_t) -corenet_all_recvfrom_netlabel(xprint_t) -corenet_tcp_sendrecv_generic_if(xprint_t) -corenet_udp_sendrecv_generic_if(xprint_t) -corenet_tcp_sendrecv_generic_node(xprint_t) -corenet_udp_sendrecv_generic_node(xprint_t) -corenet_tcp_sendrecv_all_ports(xprint_t) -corenet_udp_sendrecv_all_ports(xprint_t) - -dev_read_sysfs(xprint_t) -dev_read_urand(xprint_t) - -domain_use_interactive_fds(xprint_t) - -files_read_etc_files(xprint_t) -files_read_etc_runtime_files(xprint_t) -files_read_usr_files(xprint_t) -files_search_var_lib(xprint_t) -files_search_tmp(xprint_t) - -fs_getattr_all_fs(xprint_t) -fs_search_auto_mountpoints(xprint_t) - -logging_send_syslog_msg(xprint_t) - -miscfiles_read_fonts(xprint_t) -miscfiles_read_localization(xprint_t) - -sysnet_read_config(xprint_t) - -userdom_dontaudit_use_unpriv_user_fds(xprint_t) -userdom_dontaudit_search_user_home_dirs(xprint_t) - -optional_policy(` - cups_read_config(xprint_t) -') - -optional_policy(` - nis_use_ypbind(xprint_t) -') - -optional_policy(` - seutil_sigchld_newrole(xprint_t) -') - -optional_policy(` - udev_read_db(xprint_t) -') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc deleted file mode 100644 index 6a160b2..0000000 --- a/policy/modules/services/xserver.fc +++ /dev/null @@ -1,141 +0,0 @@ -# -# HOME_DIR -# -HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) -HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) -HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) -HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) -HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) -HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) -HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) -HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) -HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) -HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) -HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) -HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) - -/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -# -# /dev -# -/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0) - -# -# /etc -# - -/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) - -/etc/gdm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0) - -/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) - -/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -/etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) - -# -# /opt -# - -/opt/kde3/bin/kdm -- gen_context(system_u:object_r:xdm_exec_t,s0) - -# -# /tmp -# - -/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) - -# -# /usr -# - -/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/(s)?bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/(s)?bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) -/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) -/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) -/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) -/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -ifdef(`distro_debian', ` -/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0) -') - -/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - -/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) - -/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) -/usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0) -/usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) -/usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0) -/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0) -/usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -/usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0) -/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) -/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) - -# -# /var -# - -/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) - -/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) -/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) - -/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - -/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) -/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) -/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) -/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) - -/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) - -/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0) - -/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) -/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) - -ifdef(`distro_suse',` -/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -') - -/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) -/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) - diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if deleted file mode 100644 index f963642..0000000 --- a/policy/modules/services/xserver.if +++ /dev/null @@ -1,1713 +0,0 @@ -## X Windows Server - -######################################## -## -## Rules required for using the X Windows server -## and environment, for restricted users. -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_restricted_role',` - gen_require(` - type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t; - type iceauth_t, iceauth_exec_t, iceauth_home_t; - type xauth_t, xauth_exec_t, xauth_home_t; - class dbus send_msg; - ') - - role $1 types { xserver_t xauth_t iceauth_t }; - - # Xserver read/write client shm - allow xserver_t $2:fd use; - allow xserver_t $2:shm rw_shm_perms; - - domtrans_pattern($2, xserver_exec_t, xserver_t) - allow xserver_t $2:process { getpgid signal }; - - allow xserver_t $2:shm rw_shm_perms; - - allow $2 user_fonts_t:dir list_dir_perms; - allow $2 user_fonts_t:file read_file_perms; - allow $2 user_fonts_t:lnk_file read_lnk_file_perms; - - allow $2 user_fonts_config_t:dir list_dir_perms; - allow $2 user_fonts_config_t:file read_file_perms; - - manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - - stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) - allow $2 xserver_tmp_t:sock_file delete_sock_file_perms; - files_search_tmp($2) - - # Communicate via System V shared memory. - allow $2 xserver_t:shm r_shm_perms; - allow $2 xserver_tmpfs_t:file read_file_perms; - - # allow ps to show iceauth - ps_process_pattern($2, iceauth_t) - - domtrans_pattern($2, iceauth_exec_t, iceauth_t) - - allow $2 iceauth_home_t:file read_file_perms; - - domtrans_pattern($2, xauth_exec_t, xauth_t) - - allow $2 xauth_t:process signal; - - # allow ps to show xauth - ps_process_pattern($2, xauth_t) - allow $2 xserver_t:process signal; - - allow $2 xauth_home_t:file read_file_perms; - - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; - allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; - dontaudit $2 xdm_t:tcp_socket { read write }; - dontaudit $2 xdm_tmp_t:dir setattr_dir_perms; - - allow $2 xdm_t:dbus send_msg; - allow xdm_t $2:dbus send_msg; - - # Client read xserver shm - allow $2 xserver_t:fd use; - allow $2 xserver_tmpfs_t:file read_file_perms; - - # Read /tmp/.X0-lock - allow $2 xserver_tmp_t:file read_inherited_file_perms; - - dev_rw_xserver_misc($2) - dev_rw_power_management($2) - dev_read_input($2) - dev_read_misc($2) - dev_write_misc($2) - # open office is looking for the following - dev_getattr_agp_dev($2) - - # GNOME checks for usb and other devices: - dev_rw_usbfs($2) - - miscfiles_read_fonts($2) - miscfiles_setattr_fonts_cache_dirs($2) - miscfiles_read_hwdata($2) - - xserver_common_x_domain_template(user, $2) - xserver_xsession_entry_type($2) - xserver_dontaudit_write_log($2) - xserver_stream_connect_xdm($2) - # certain apps want to read xdm.pid file - xserver_read_xdm_pid($2) - # gnome-session creates socket under /tmp/.ICE-unix/ - xserver_create_xdm_tmp_sockets($2) - # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($2) - xserver_read_xdm_etc_files($2) - - ifdef(`hide_broken_symptoms',` - dontaudit iceauth_t $2:socket_class_set { read write }; - ') - - # Client write xserver shm - tunable_policy(`allow_write_xshm',` - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; - ') - - tunable_policy(`user_direct_dri',` - dev_rw_dri($2) - ') - - optional_policy(` - gnome_read_gconf_config($2) - ') -') - -######################################## -## -## Rules required for using the X Windows server -## and environment. -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_role',` - gen_require(` - type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t; - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - ') - - xserver_restricted_role($1, $2) - - # Communicate via System V shared memory. - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; - - allow $2 iceauth_home_t:file manage_file_perms; - allow $2 iceauth_home_t:file relabel_file_perms; - - allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file relabel_file_perms; - - mls_xwin_read_to_clearance($2) - manage_dirs_pattern($2, user_fonts_t, user_fonts_t) - manage_files_pattern($2, user_fonts_t, user_fonts_t) - allow $2 user_fonts_t:lnk_file read_lnk_file_perms; - relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) - relabel_files_pattern($2, user_fonts_t, user_fonts_t) - - manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - - manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) - manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) -') - -####################################### -## -## Create sessions on the X server, with read-only -## access to the X server shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the domain SYSV tmpfs files. -## -## -# -interface(`xserver_ro_session',` - gen_require(` - type xserver_t, xserver_tmp_t, xserver_tmpfs_t; - ') - - # Xserver read/write client shm - allow xserver_t $1:fd use; - allow xserver_t $1:shm rw_shm_perms; - allow xserver_t $2:file rw_file_perms; - - # Connect to xserver - allow $1 xserver_t:unix_stream_socket connectto; - allow $1 xserver_t:process signal; - - # Read /tmp/.X0-lock - allow $1 xserver_tmp_t:file read_file_perms; - - # Client read xserver shm - allow $1 xserver_t:fd use; - allow $1 xserver_t:shm r_shm_perms; - allow $1 xserver_tmpfs_t:file read_file_perms; -') - -####################################### -## -## Create sessions on the X server, with read and write -## access to the X server shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the domain SYSV tmpfs files. -## -## -# -interface(`xserver_rw_session',` - gen_require(` - type xserver_t, xserver_tmpfs_t; - ') - - xserver_ro_session($1, $2) - allow $1 xserver_t:shm rw_shm_perms; - allow $1 xserver_tmpfs_t:file rw_file_perms; -') - -####################################### -## -## Create non-drawing client sessions on an X server. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_non_drawing_client',` - gen_require(` - class x_drawable { getattr get_property }; - class x_extension { query use }; - class x_gc { create setattr }; - class x_property read; - - type xserver_t, xdm_var_run_t; - type xextension_t, xproperty_t, root_xdrawable_t; - ') - - allow $1 self:x_gc { create setattr }; - - allow $1 xdm_var_run_t:dir search_dir_perms; - allow $1 xserver_t:unix_stream_socket connectto; - - allow $1 xextension_t:x_extension { query use }; - allow $1 root_xdrawable_t:x_drawable { getattr get_property }; - allow $1 xproperty_t:x_property read; -') - -####################################### -## -## Create full client sessions -## on a user X server. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the domain SYSV tmpfs files. -## -## -# -interface(`xserver_user_client',` - refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') - gen_require(` - type xdm_t, xdm_tmp_t; - type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; - ') - - allow $1 self:shm create_shm_perms; - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; - - # Read .Xauthority file - allow $1 xauth_home_t:file read_file_perms; - allow $1 iceauth_home_t:file read_file_perms; - - # for when /tmp/.X11-unix is created by the system - allow $1 xdm_t:fd use; - allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; - allow $1 xdm_tmp_t:dir search_dir_perms; - allow $1 xdm_tmp_t:sock_file { read write }; - dontaudit $1 xdm_t:tcp_socket { read write }; - - # Allow connections to X server. - files_search_tmp($1) - - miscfiles_read_fonts($1) - - userdom_search_user_home_dirs($1) - # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1) - - xserver_ro_session($1,$2) - xserver_use_user_fonts($1) - - xserver_read_xdm_tmp_files($1) - - # Client write xserver shm - tunable_policy(`allow_write_xshm',` - allow $1 xserver_t:shm rw_shm_perms; - allow $1 xserver_tmpfs_t:file rw_file_perms; - ') -') - -####################################### -## -## Interface to provide X object permissions on a given X server to -## an X client domain. Provides the minimal set required by a basic -## X client application. -## -## -## -## The prefix of the X client domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Client domain allowed access. -## -## -# -template(`xserver_common_x_domain_template',` - gen_require(` - type root_xdrawable_t, xdm_t, xserver_t; - type xproperty_t, $1_xproperty_t; - type xevent_t, client_xevent_t; - type input_xevent_t, $1_input_xevent_t; - - attribute x_domain, input_xevent_type; - attribute xdrawable_type, xcolormap_type; - - class x_drawable all_x_drawable_perms; - class x_property all_x_property_perms; - class x_event all_x_event_perms; - class x_synthetic_event all_x_synthetic_event_perms; - class x_client destroy; - class x_server manage; - class x_screen { saver_setattr saver_hide saver_show }; - class x_pointer { get_property set_property manage }; - class x_keyboard { read manage }; - ') - - ############################## - # - # Local Policy - # - - # Type attributes - typeattribute $2 x_domain; - typeattribute $2 xdrawable_type, xcolormap_type; - - # X Properties - # disable property transitions for the time being. -# type_transition $2 xproperty_t:x_property $1_xproperty_t; - - # X Windows - # new windows have the domain type - type_transition $2 root_xdrawable_t:x_drawable $2; - - # X Input - # distinguish input events - type_transition $2 input_xevent_t:x_event $1_input_xevent_t; - # can send own events - allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send; - # can receive own events - allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; - # can receive default events - allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 xevent_t:{ x_event x_synthetic_event } receive; - # dont audit send failures - dontaudit $2 input_xevent_type:x_event send; - - allow $2 xdm_t:x_drawable { hide read add_child manage }; - allow $2 xdm_t:x_client destroy; - - allow $2 root_xdrawable_t:x_drawable write; - allow $2 xserver_t:x_server manage; - allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show }; - allow $2 xserver_t:x_pointer { get_property set_property manage }; - allow $2 xserver_t:x_keyboard { read manage }; -') - -####################################### -## -## Template for creating the set of types used -## in an X windows domain. -## -## -## -## The prefix of the X client domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`xserver_object_types_template',` - gen_require(` - attribute xproperty_type, input_xevent_type, xevent_type; - ') - - ############################## - # - # Declarations - # - - # Types for properties - type $1_xproperty_t, xproperty_type; - ubac_constrained($1_xproperty_t) - - # Types for events - type $1_input_xevent_t, input_xevent_type, xevent_type; - ubac_constrained($1_input_xevent_t) -') - -####################################### -## -## Interface to provide X object permissions on a given X server to -## an X client domain. Provides the minimal set required by a basic -## X client application. -## -## -## -## The prefix of the X client domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Client domain allowed access. -## -## -## -## -## The type of the domain SYSV tmpfs files. -## -## -# -template(`xserver_user_x_domain_template',` - gen_require(` - type xdm_t, xdm_tmp_t, xserver_tmpfs_t; - type xauth_home_t, iceauth_home_t, xserver_t; - ') - - allow $2 self:shm create_shm_perms; - allow $2 self:unix_dgram_socket create_socket_perms; - allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; - - # Read .Xauthority file - allow $2 xauth_home_t:file read_file_perms; - allow $2 iceauth_home_t:file read_file_perms; - - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; - allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; - dontaudit $2 xdm_t:tcp_socket { read write }; - - # Allow connections to X server. - files_search_tmp($2) - - miscfiles_read_fonts($2) - - userdom_search_user_home_dirs($2) - # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($2) - - xserver_ro_session($2, $3) - xserver_use_user_fonts($2) - - xserver_read_xdm_tmp_files($2) - xserver_read_xdm_pid($2) - - # X object manager - xserver_object_types_template($1) - xserver_common_x_domain_template($1, $2) - - # Client write xserver shm - tunable_policy(`allow_write_xshm',` - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; - ') - - tunable_policy(`user_direct_dri',` - dev_rw_dri($2) - ') -') - -######################################## -## -## Read user fonts, user font configuration, -## and manage the user font cache. -## -## -##

-## Read user fonts, user font configuration, -## and manage the user font cache. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`xserver_use_user_fonts',` - gen_require(` - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - ') - - # Read per user fonts - allow $1 user_fonts_t:dir list_dir_perms; - allow $1 user_fonts_t:file read_file_perms; - allow $1 user_fonts_t:lnk_file read_lnk_file_perms; - - # Manipulate the global font cache - manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) - manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) - - # Read per user font config - allow $1 user_fonts_config_t:dir list_dir_perms; - allow $1 user_fonts_config_t:file read_file_perms; - - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Transition to the Xauthority domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`xserver_domtrans_xauth',` - gen_require(` - type xauth_t, xauth_exec_t; - ') - - domtrans_pattern($1, xauth_exec_t, xauth_t) - - ifdef(`hide_broken_symptoms',` - dontaudit xauth_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Dontaudit exec of Xauthority program. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_dontaudit_exec_xauth',` - gen_require(` - type xauth_exec_t; - ') - - dontaudit $1 xauth_exec_t:file execute; -') - -######################################## -## -## Create a Xauthority file in the user home directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_user_home_dir_filetrans_user_xauth',` - gen_require(` - type xauth_home_t; - ') - - userdom_user_home_dir_filetrans($1, xauth_home_t, file) -') - -######################################## -## -## Read all users fonts, user font configurations, -## and manage all users font caches. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_use_all_users_fonts',` - refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.') - xserver_use_user_fonts($1) -') - -######################################## -## -## Read all users .Xauthority. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_user_xauth',` - gen_require(` - type xauth_home_t; - ') - - allow $1 xauth_home_t:file read_file_perms; - userdom_search_user_home_dirs($1) - xserver_read_xdm_pid($1) -') - -######################################## -## -## Set the attributes of the X windows console named pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_setattr_console_pipes',` - gen_require(` - type xconsole_device_t; - ') - - allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; -') - -######################################## -## -## Read and write the X windows console named pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_rw_console',` - gen_require(` - type xconsole_device_t; - ') - - allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Use file descriptors for xdm. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_use_xdm_fds',` - gen_require(` - type xdm_t; - ') - - allow $1 xdm_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit -## XDM file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`xserver_dontaudit_use_xdm_fds',` - gen_require(` - type xdm_t; - ') - - dontaudit $1 xdm_t:fd use; -') - -######################################## -## -## Read and write XDM unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_rw_xdm_pipes',` - gen_require(` - type xdm_t; - ') - - allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## XDM unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`xserver_dontaudit_rw_xdm_pipes',` - gen_require(` - type xdm_t; - ') - - dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Connect to XDM over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_stream_connect_xdm',` - gen_require(` - type xdm_t, xdm_tmp_t, xdm_var_run_t; - ') - - files_search_tmp($1) - files_search_pids($1) - stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t) -') - -######################################## -## -## Read xdm-writable configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_xdm_rw_config',` - gen_require(` - type xdm_rw_etc_t; - ') - - files_search_etc($1) - allow $1 xdm_rw_etc_t:file read_file_perms; -') - -######################################## -## -## Set the attributes of XDM temporary directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_setattr_xdm_tmp_dirs',` - gen_require(` - type xdm_tmp_t; - ') - - allow $1 xdm_tmp_t:dir setattr_dir_perms; -') - -######################################## -## -## Create a named socket in a XDM -## temporary directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_create_xdm_tmp_sockets',` - gen_require(` - type xdm_tmp_t; - ') - - files_search_tmp($1) - allow $1 xdm_tmp_t:dir list_dir_perms; - create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -') - -######################################## -## -## Read XDM pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_xdm_pid',` - gen_require(` - type xdm_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) -') - -######################################## -## -## Read XDM var lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_xdm_lib_files',` - gen_require(` - type xdm_var_lib_t; - ') - - allow $1 xdm_var_lib_t:file read_file_perms; -') - -######################################## -## -## Make an X session script an entrypoint for the specified domain. -## -## -## -## The domain for which the shell is an entrypoint. -## -## -# -interface(`xserver_xsession_entry_type',` - gen_require(` - type xsession_exec_t; - ') - - domain_entry_file($1, xsession_exec_t) -') - -######################################## -## -## Execute an X session in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -##

-## Execute an Xsession in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the shell process. -## -## -# -interface(`xserver_xsession_spec_domtrans',` - gen_require(` - type xsession_exec_t; - ') - - domain_trans($1, xsession_exec_t, $2) -') - -######################################## -## -## Get the attributes of X server logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_getattr_log',` - gen_require(` - type xserver_log_t; - ') - - logging_search_logs($1) - allow $1 xserver_log_t:file getattr_file_perms; -') - -######################################## -## -## Do not audit attempts to write the X server -## log files. -## -## -## -## Domain to not audit. -## -## -# -interface(`xserver_dontaudit_write_log',` - gen_require(` - type xserver_log_t; - ') - - dontaudit $1 xserver_log_t:file rw_inherited_file_perms; -') - -######################################## -## -## Delete X server log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_delete_log',` - gen_require(` - type xserver_log_t; - ') - - logging_search_logs($1) - allow $1 xserver_log_t:dir list_dir_perms; - delete_files_pattern($1, xserver_log_t, xserver_log_t) - delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) -') - -######################################## -## -## Read X keyboard extension libraries. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_xkb_libs',` - gen_require(` - type xkb_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 xkb_var_lib_t:dir list_dir_perms; - read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) - read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) -') - -######################################## -## -## Read xdm config files. -## -## -## -## Domain to not audit -## -## -# -interface(`xserver_read_xdm_etc_files',` - gen_require(` - type xdm_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, xdm_etc_t, xdm_etc_t) - read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t) -') - -######################################## -## -## Manage xdm config files. -## -## -## -## Domain to not audit -## -## -# -interface(`xserver_manage_xdm_etc_files',` - gen_require(` - type xdm_etc_t; - ') - - files_search_etc($1) - manage_files_pattern($1, xdm_etc_t, xdm_etc_t) -') - -######################################## -## -## Read xdm temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -') - -######################################## -## -## Do not audit attempts to read xdm temporary files. -## -## -## -## Domain to not audit. -## -## -# -interface(`xserver_dontaudit_read_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - - dontaudit $1 xdm_tmp_t:dir search_dir_perms; - dontaudit $1 xdm_tmp_t:file read_file_perms; -') - -######################################## -## -## Read write xdm temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_rw_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - - allow $1 xdm_tmp_t:dir search_dir_perms; - allow $1 xdm_tmp_t:file rw_file_perms; -') - -######################################## -## -## Create, read, write, and delete xdm temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_manage_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - - manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -') - -######################################## -## -## Do not audit attempts to get the attributes of -## xdm temporary named sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` - gen_require(` - type xdm_tmp_t; - ') - - dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; -') - -######################################## -## -## Execute the X server in the X server domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`xserver_domtrans',` - gen_require(` - type xserver_t, xserver_exec_t; - ') - - allow $1 xserver_t:process siginh; - domtrans_pattern($1, xserver_exec_t, xserver_t) - - allow xserver_t $1:process getpgid; -') - -######################################## -## -## Signal X servers -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_signal',` - gen_require(` - type xserver_t; - ') - - allow $1 xserver_t:process signal; -') - -######################################## -## -## Kill X servers -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_kill',` - gen_require(` - type xserver_t; - ') - - allow $1 xserver_t:process sigkill; -') - -######################################## -## -## Read and write X server Sys V Shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_rw_shm',` - gen_require(` - type xserver_t; - ') - - allow $1 xserver_t:shm rw_shm_perms; -') - -######################################## -## -## Do not audit attempts to read and write to -## X server sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`xserver_dontaudit_rw_tcp_sockets',` - gen_require(` - type xserver_t; - ') - - dontaudit $1 xserver_t:tcp_socket { read write }; -') - -######################################## -## -## Do not audit attempts to read and write X server -## unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`xserver_dontaudit_rw_stream_sockets',` - gen_require(` - type xserver_t; - ') - - dontaudit $1 xserver_t:unix_stream_socket { read write }; -') - -######################################## -## -## Connect to the X server over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_stream_connect',` - gen_require(` - type xserver_t, xserver_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) - allow xserver_t $1:shm rw_shm_perms; -') - -######################################## -## -## Read X server temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_tmp_files',` - gen_require(` - type xserver_tmp_t; - ') - - allow $1 xserver_tmp_t:file read_file_perms; - files_search_tmp($1) -') - -######################################## -## -## Interface to provide X object permissions on a given X server to -## an X client domain. Gives the domain permission to read the -## virtual core keyboard and virtual core pointer devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_manage_core_devices',` - gen_require(` - type xserver_t, root_xdrawable_t; - class x_device all_x_device_perms; - class x_pointer all_x_pointer_perms; - class x_keyboard all_x_keyboard_perms; - class x_screen all_x_screen_perms; - class x_drawable { manage }; - attribute x_domain; - class x_drawable { read manage setattr show }; - class x_resource { write read }; - ') - - allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; - allow $1 xserver_t:{ x_screen } setattr; - - allow $1 x_domain:x_drawable { read manage setattr show }; - allow $1 x_domain:x_resource { write read }; - allow $1 root_xdrawable_t:x_drawable { manage read }; -') - -######################################## -## -## Interface to provide X object permissions on a given X server to -## an X client domain. Gives the domain complete control over the -## display. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_unconfined',` - gen_require(` - attribute x_domain, xserver_unconfined_type; - ') - - typeattribute $1 x_domain; - typeattribute $1 xserver_unconfined_type; -') - -######################################## -## -## Dontaudit append to .xsession-errors file -## -## -## -## Domain to not audit -## -## -# -interface(`xserver_dontaudit_append_xdm_home_files',` - gen_require(` - type xdm_home_t, xserver_tmp_t; - ') - - dontaudit $1 xdm_home_t:file rw_inherited_file_perms; - dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms; - - tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_rw_nfs_files($1) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_dontaudit_rw_cifs_files($1) - ') -') - -######################################## -## -## append to .xsession-errors file -## -## -## -## Domain to not audit -## -## -# -interface(`xserver_append_xdm_home_files',` - gen_require(` - type xdm_home_t, xserver_tmp_t; - ') - - allow $1 xdm_home_t:file append_file_perms; - allow $1 xserver_tmp_t:file append_file_perms; - - tunable_policy(`use_nfs_home_dirs',` - fs_append_nfs_files($1) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_append_cifs_files($1) - ') -') - -######################################## -## -## Manage the xdm_spool files -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_xdm_manage_spool',` - gen_require(` - type xdm_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, xdm_spool_t, xdm_spool_t) -') - -######################################## -## -## Send and receive messages from -## xdm over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_dbus_chat_xdm',` - gen_require(` - type xdm_t; - class dbus send_msg; - ') - - allow $1 xdm_t:dbus send_msg; - allow xdm_t $1:dbus send_msg; -') - -######################################## -## -## Read xserver files created in /var/run -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_pid',` - gen_require(` - type xserver_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -') - -######################################## -## -## Execute xserver files created in /var/run -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_exec_pid',` - gen_require(` - type xserver_var_run_t; - ') - - files_search_pids($1) - exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -') - -######################################## -## -## Write xserver files created in /var/run -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_write_pid',` - gen_require(` - type xserver_var_run_t; - ') - - files_search_pids($1) - write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -') - -######################################## -## -## Allow append the xdm -## log files. -## -## -## -## Domain to not audit -## -## -# -interface(`xserver_xdm_append_log',` - gen_require(` - type xdm_log_t; - attribute xdmhomewriter; - ') - - typeattribute $1 xdmhomewriter; - append_files_pattern($1, xdm_log_t, xdm_log_t) -') - -######################################## -## -## Read a user Iceauthority domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_read_user_iceauth',` - gen_require(` - type iceauth_home_t; - ') - - # Read .Iceauthority file - allow $1 iceauth_home_t:file read_file_perms; -') - -######################################## -## -## Read/write inherited user homedir fonts. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_rw_inherited_user_fonts',` - gen_require(` - type user_fonts_t, user_fonts_config_t; - ') - - allow $1 user_fonts_t:file rw_inherited_file_perms; - allow $1 user_fonts_t:file read_lnk_file_perms; - - allow $1 user_fonts_config_t:file rw_inherited_file_perms; -') - -######################################## -## -## Search XDM var lib dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_search_xdm_lib',` - gen_require(` - type xdm_var_lib_t; - ') - - allow $1 xdm_var_lib_t:dir search_dir_perms; -') - -######################################## -## -## Make an X executable an entrypoint for the specified domain. -## -## -## -## The domain for which the shell is an entrypoint. -## -## -# -interface(`xserver_entry_type',` - gen_require(` - type xserver_exec_t; - ') - - domain_entry_file($1, xserver_exec_t) -') - -######################################## -## -## Execute xsever in the xserver domain, and -## allow the specified role the xserver domain. -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed the xserver domain. -## -## -## -# -interface(`xserver_run',` - gen_require(` - type xserver_t; - ') - - xserver_domtrans($1) - role $2 types xserver_t; -') - -######################################## -## -## Execute xsever in the xserver domain, and -## allow the specified role the xserver domain. -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed the xserver domain. -## -## -## -# -interface(`xserver_run_xauth',` - gen_require(` - type xauth_t; - ') - - xserver_domtrans_xauth($1) - role $2 types xauth_t; -') - -######################################## -## -## Read user homedir fonts. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`xserver_read_home_fonts',` - gen_require(` - type user_fonts_t, user_fonts_config_t; - ') - - list_dirs_pattern($1, user_fonts_t, user_fonts_t) - read_files_pattern($1, user_fonts_t, user_fonts_t) - read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) - - read_files_pattern($1, user_fonts_config_t, user_fonts_config_t) -') - -######################################## -## -## Manage user homedir fonts. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`xserver_manage_home_fonts',` - gen_require(` - type user_fonts_t, user_fonts_config_t; - ') - - manage_dirs_pattern($1, user_fonts_t, user_fonts_t) - manage_files_pattern($1, user_fonts_t, user_fonts_t) - manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) - - manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) -') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te deleted file mode 100644 index edd7260..0000000 --- a/policy/modules/services/xserver.te +++ /dev/null @@ -1,1370 +0,0 @@ -policy_module(xserver, 3.4.2) - -gen_require(` - class x_drawable all_x_drawable_perms; - class x_screen all_x_screen_perms; - class x_gc all_x_gc_perms; - class x_font all_x_font_perms; - class x_colormap all_x_colormap_perms; - class x_property all_x_property_perms; - class x_selection all_x_selection_perms; - class x_cursor all_x_cursor_perms; - class x_client all_x_client_perms; - class x_device all_x_device_perms; - class x_pointer all_x_pointer_perms; - class x_keyboard all_x_keyboard_perms; - class x_server all_x_server_perms; - class x_extension all_x_extension_perms; - class x_resource all_x_resource_perms; - class x_event all_x_event_perms; - class x_synthetic_event all_x_synthetic_event_perms; -') - -######################################## -# -# Declarations -# - -## -##

-## Allows clients to write to the X server shared -## memory segments. -##

-##
-gen_tunable(allow_write_xshm, false) - -## -##

-## Allows XServer to execute writable memory -##

-##
-gen_tunable(allow_xserver_execmem, false) - -## -##

-## Allow xdm logins as sysadm -##

-##
-gen_tunable(xdm_sysadm_login, false) - -## -##

-## Support X userspace object manager -##

-##
-gen_tunable(xserver_object_manager, false) - -## -##

-## Allow regular users direct dri device access -##

-##
-gen_tunable(user_direct_dri, false) - -attribute xdmhomewriter; -attribute x_userdomain; -attribute x_domain; - -# X Events -attribute xevent_type; -attribute input_xevent_type; -type xevent_t, xevent_type; -typealias xevent_t alias { user_property_xevent_t staff_property_xevent_t sysadm_property_xevent_t }; -typealias xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t }; -typealias xevent_t alias { user_focus_xevent_t staff_focus_xevent_t sysadm_focus_xevent_t }; -typealias xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t }; -typealias xevent_t alias { user_manage_xevent_t staff_manage_xevent_t sysadm_manage_xevent_t }; -typealias xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t }; -typealias xevent_t alias { user_default_xevent_t staff_default_xevent_t sysadm_default_xevent_t }; -typealias xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t }; - -type client_xevent_t, xevent_type; -typealias client_xevent_t alias { user_client_xevent_t staff_client_xevent_t sysadm_client_xevent_t }; -typealias client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; - -type input_xevent_t, xevent_type, input_xevent_type; - -# X Extensions -attribute xextension_type; -type xextension_t, xextension_type; -type security_xextension_t, xextension_type; - -# X Properties -attribute xproperty_type; -type xproperty_t, xproperty_type; -type seclabel_xproperty_t, xproperty_type; -type clipboard_xproperty_t, xproperty_type; - -# X Selections -attribute xselection_type; -type xselection_t, xselection_type; -type clipboard_xselection_t, xselection_type; -#type settings_xselection_t, xselection_type; -#type dbus_xselection_t, xselection_type; - -# X Drawables -attribute xdrawable_type; -attribute xcolormap_type; -type root_xdrawable_t, xdrawable_type; -type root_xcolormap_t, xcolormap_type; - -attribute xserver_unconfined_type; - -xserver_object_types_template(root) -xserver_object_types_template(user) - -typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t }; -typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t }; -typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t }; -typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t }; - -type remote_t; -xserver_object_types_template(remote) -xserver_common_x_domain_template(remote, remote_t) - -type user_fonts_t; -typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; -typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; -typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; -userdom_user_home_content(user_fonts_t) - -type user_fonts_cache_t; -typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; -typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; -typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; -userdom_user_home_content(user_fonts_cache_t) - -type user_fonts_config_t; -typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; -typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; -typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t }; -userdom_user_home_content(user_fonts_config_t) - -type iceauth_t; -type iceauth_exec_t; -typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; -typealias iceauth_t alias { xguest_iceauth_t }; -typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; -application_domain(iceauth_t, iceauth_exec_t) -ubac_constrained(iceauth_t) - -type iceauth_home_t; -typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; -typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; -typealias iceauth_home_t alias { xguest_iceauth_home_t }; -userdom_user_home_content(iceauth_home_t) - -type xauth_t; -type xauth_exec_t; -typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; -typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; -typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t }; -application_domain(xauth_t, xauth_exec_t) -ubac_constrained(xauth_t) - -type xauth_home_t; -typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; -typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; -typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t }; -userdom_user_home_content(xauth_home_t) - -type xauth_tmp_t; -typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; -typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t }; -typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; -files_tmp_file(xauth_tmp_t) -ubac_constrained(xauth_tmp_t) - -# this is not actually a device, its a pipe -type xconsole_device_t; -files_type(xconsole_device_t) -fs_associate_tmpfs(xconsole_device_t) -files_associate_tmp(xconsole_device_t) - -type xdm_t; -type xdm_exec_t; -auth_login_pgm_domain(xdm_t) -init_domain(xdm_t, xdm_exec_t) -init_system_domain(xdm_t, xdm_exec_t) -xserver_object_types_template(xdm) -xserver_common_x_domain_template(xdm, xdm_t) - -type xdm_lock_t; -files_lock_file(xdm_lock_t) - -type xdm_etc_t; -files_config_file(xdm_etc_t) - -type xdm_rw_etc_t; -files_config_file(xdm_rw_etc_t) - -type xdm_spool_t; -files_type(xdm_spool_t) - -type xdm_var_lib_t; -files_type(xdm_var_lib_t) - -type xdm_var_run_t; -files_pid_file(xdm_var_run_t) - -type xserver_var_lib_t; -files_type(xserver_var_lib_t) - -type xserver_var_run_t; -files_pid_file(xserver_var_run_t) - -type xdm_tmp_t; -files_tmp_file(xdm_tmp_t) -typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; -typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; -ubac_constrained(xdm_tmp_t) - -type xdm_tmpfs_t; -files_tmpfs_file(xdm_tmpfs_t) - -type xdm_home_t; -userdom_user_home_content(xdm_home_t) - -type xdm_log_t; -logging_log_file(xdm_log_t) - -# type for /var/lib/xkb -type xkb_var_lib_t; -files_type(xkb_var_lib_t) - -# Type for the executable used to start the X server, e.g. Xwrapper. -type xserver_t; -type xserver_exec_t; -typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; -typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; -init_system_domain(xserver_t, xserver_exec_t) -ubac_constrained(xserver_t) - -type xserver_tmpfs_t; -typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; -typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; -files_tmpfs_file(xserver_tmpfs_t) -ubac_constrained(xserver_tmpfs_t) - -type xsession_exec_t; -corecmd_executable_file(xsession_exec_t) - -# Type for the X server log file. -type xserver_log_t; -logging_log_file(xserver_log_t) - -ifdef(`enable_mcs',` - init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) - init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) -') - -optional_policy(` - prelink_object_file(xkb_var_lib_t) -') - -######################################## -# -# Iceauth local policy -# - -allow iceauth_t iceauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) - -allow xdm_t iceauth_home_t:file read_file_perms; - -dev_read_rand(iceauth_t) - -fs_search_auto_mountpoints(iceauth_t) - -userdom_use_user_terminals(iceauth_t) -userdom_read_user_tmp_files(iceauth_t) -userdom_read_all_users_state(iceauth_t) - -tunable_policy(`use_fusefs_home_dirs',` - fs_manage_fusefs_files(iceauth_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(iceauth_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(iceauth_t) -') - -ifdef(`hide_broken_symptoms',` - dev_dontaudit_read_urand(iceauth_t) - dev_dontaudit_rw_dri(iceauth_t) - dev_dontaudit_rw_generic_dev_nodes(iceauth_t) - fs_dontaudit_list_inotifyfs(iceauth_t) - fs_dontaudit_rw_anon_inodefs_files(iceauth_t) - term_dontaudit_use_unallocated_ttys(iceauth_t) - - userdom_dontaudit_read_user_home_content_files(iceauth_t) - userdom_dontaudit_write_user_home_content_files(iceauth_t) - userdom_dontaudit_write_user_tmp_files(iceauth_t) - - optional_policy(` - mozilla_dontaudit_rw_user_home_files(iceauth_t) - ') -') - -######################################## -# -# Xauth local policy -# - -allow xauth_t self:capability dac_override; -allow xauth_t self:process signal; -allow xauth_t self:unix_stream_socket create_stream_socket_perms; - -allow xauth_t xdm_t:process sigchld; -allow xauth_t xserver_t:unix_stream_socket connectto; - -corenet_tcp_connect_xserver_port(xauth_t) - -allow xauth_t xauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) -userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file) - -manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) -manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) - -manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) -manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) -files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) - -stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) - -kernel_read_system_state(xauth_t) - -domain_use_interactive_fds(xauth_t) -domain_dontaudit_leaks(xauth_t) - -files_read_etc_files(xauth_t) -files_read_usr_files(xauth_t) -files_search_pids(xauth_t) -files_dontaudit_getattr_all_dirs(xauth_t) -files_dontaudit_leaks(xauth_t) -files_var_lib_filetrans(xauth_t, xauth_home_t, file) - -fs_dontaudit_leaks(xauth_t) -fs_getattr_all_fs(xauth_t) -fs_search_auto_mountpoints(xauth_t) - -# Probably a leak -term_dontaudit_use_ptmx(xauth_t) -term_dontaudit_use_console(xauth_t) - -auth_use_nsswitch(xauth_t) - -userdom_use_user_terminals(xauth_t) -userdom_read_user_tmp_files(xauth_t) -userdom_read_all_users_state(xauth_t) - -xserver_rw_xdm_tmp_files(xauth_t) - -ifdef(`hide_broken_symptoms',` - fs_dontaudit_rw_anon_inodefs_files(xauth_t) - fs_dontaudit_list_inotifyfs(xauth_t) - userdom_manage_user_home_content_files(xauth_t) - userdom_manage_user_tmp_files(xauth_t) - dev_dontaudit_rw_generic_dev_nodes(xauth_t) - miscfiles_read_fonts(xauth_t) -') - -tunable_policy(`use_fusefs_home_dirs',` - fs_manage_fusefs_files(xauth_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(xauth_t) - fs_read_nfs_symlinks(xauth_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(xauth_t) -') - -ifdef(`hide_broken_symptoms',` - term_dontaudit_use_unallocated_ttys(xauth_t) - dev_dontaudit_rw_dri(xauth_t) -') - -optional_policy(` - nx_var_lib_filetrans(xauth_t, xauth_home_t, file) -') - -optional_policy(` - ssh_sigchld(xauth_t) - ssh_read_pipes(xauth_t) - ssh_dontaudit_rw_tcp_sockets(xauth_t) -') - -######################################## -# -# XDM Local policy -# - -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; -allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace }; -allow xdm_t self:fifo_file rw_fifo_file_perms; -allow xdm_t self:shm create_shm_perms; -allow xdm_t self:sem create_sem_perms; -allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; -allow xdm_t self:tcp_socket create_stream_socket_perms; -allow xdm_t self:udp_socket create_socket_perms; -allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms; -allow xdm_t self:socket create_socket_perms; -allow xdm_t self:appletalk_socket create_socket_perms; -allow xdm_t self:key { search link write }; - -allow xdm_t xauth_home_t:file manage_file_perms; - -allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; -manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) -manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) - -manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) -userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) -#Handle mislabeled files in homedir -userdom_delete_user_home_content_files(xdm_t) -userdom_signull_unpriv_users(xdm_t) -userdom_dontaudit_read_admin_home_lnk_files(xdm_t) - -# Allow gdm to run gdm-binary -can_exec(xdm_t, xdm_exec_t) - -allow xdm_t xdm_lock_t:file manage_file_perms; -files_lock_filetrans(xdm_t, xdm_lock_t, file) - -read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) -read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) -# wdm has its own config dir /etc/X11/wdm -# this is ugly, daemons should not create files under /etc! -manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) - -manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file }) -relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - -manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) - -fs_getattr_all_fs(xdm_t) -fs_list_inotifyfs(xdm_t) -fs_read_noxattr_fs_files(xdm_t) -fs_dontaudit_list_fusefs(xdm_t) -fs_manage_cgroup_dirs(xdm_t) -fs_manage_cgroup_files(xdm_t) - -manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) - -files_search_spool(xdm_t) -manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) -manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) -files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) - -manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) -# Read machine-id -files_read_var_lib_files(xdm_t) - -manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) - -allow xdm_t xserver_t:process { signal signull }; -allow xdm_t xserver_t:unix_stream_socket connectto; - -allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms }; - -# transition to the xdm xserver -domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) - -ps_process_pattern(xserver_t, xdm_t) -allow xserver_t xdm_t:process signal; -allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; - -allow xdm_t xserver_t:shm rw_shm_perms; -read_files_pattern(xdm_t, xserver_t, xserver_t) - -# connect to xdm xserver over stream socket -stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) - -# Remove /tmp/.X11-unix/X0. -delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) -delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) - -manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) -manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) -manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t) -logging_log_filetrans(xdm_t, xdm_log_t, { dir file }) - -manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) -manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) -manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) - -kernel_read_system_state(xdm_t) -kernel_read_device_sysctls(xdm_t) -kernel_read_kernel_sysctls(xdm_t) -kernel_read_net_sysctls(xdm_t) -kernel_read_network_state(xdm_t) -kernel_request_load_module(xdm_t) -kernel_stream_connect(xdm_t) - -corecmd_exec_shell(xdm_t) -corecmd_exec_bin(xdm_t) -corecmd_dontaudit_write_bin_files(xdm_t) - -corenet_all_recvfrom_unlabeled(xdm_t) -corenet_all_recvfrom_netlabel(xdm_t) -corenet_tcp_sendrecv_generic_if(xdm_t) -corenet_udp_sendrecv_generic_if(xdm_t) -corenet_tcp_sendrecv_generic_node(xdm_t) -corenet_udp_sendrecv_generic_node(xdm_t) -corenet_tcp_sendrecv_all_ports(xdm_t) -corenet_udp_sendrecv_all_ports(xdm_t) -corenet_tcp_bind_generic_node(xdm_t) -corenet_udp_bind_generic_node(xdm_t) -corenet_udp_bind_ipp_port(xdm_t) -corenet_udp_bind_xdmcp_port(xdm_t) -corenet_tcp_connect_all_ports(xdm_t) -corenet_sendrecv_all_client_packets(xdm_t) -# xdm tries to bind to biff_port_t -corenet_dontaudit_tcp_bind_all_ports(xdm_t) - -dev_rwx_zero(xdm_t) -dev_read_rand(xdm_t) -dev_rw_sysfs(xdm_t) -dev_getattr_framebuffer_dev(xdm_t) -dev_setattr_framebuffer_dev(xdm_t) -dev_getattr_mouse_dev(xdm_t) -dev_setattr_mouse_dev(xdm_t) -dev_rw_apm_bios(xdm_t) -dev_rw_input_dev(xdm_t) -dev_setattr_apm_bios_dev(xdm_t) -dev_rw_dri(xdm_t) -dev_rw_agp(xdm_t) -dev_getattr_xserver_misc_dev(xdm_t) -dev_setattr_xserver_misc_dev(xdm_t) -dev_getattr_misc_dev(xdm_t) -dev_setattr_misc_dev(xdm_t) -dev_dontaudit_rw_misc(xdm_t) -dev_read_video_dev(xdm_t) -dev_write_video_dev(xdm_t) -dev_setattr_video_dev(xdm_t) -dev_getattr_scanner_dev(xdm_t) -dev_setattr_scanner_dev(xdm_t) -dev_read_sound(xdm_t) -dev_write_sound(xdm_t) -dev_getattr_power_mgmt_dev(xdm_t) -dev_setattr_power_mgmt_dev(xdm_t) -dev_getattr_null_dev(xdm_t) -dev_setattr_null_dev(xdm_t) - -domain_use_interactive_fds(xdm_t) -# Do not audit denied probes of /proc. -domain_dontaudit_read_all_domains_state(xdm_t) -domain_dontaudit_ptrace_all_domains(xdm_t) -domain_dontaudit_signal_all_domains(xdm_t) - -files_read_etc_files(xdm_t) -files_read_var_files(xdm_t) -files_read_etc_runtime_files(xdm_t) -files_exec_etc_files(xdm_t) -files_list_mnt(xdm_t) -# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... -files_read_usr_files(xdm_t) -# Poweroff wants to create the /poweroff file when run from xdm -files_create_boot_flag(xdm_t) -files_dontaudit_getattr_boot_dirs(xdm_t) -files_dontaudit_write_usr_files(xdm_t) -files_dontaudit_getattr_all_dirs(xdm_t) -files_dontaudit_getattr_all_symlinks(xdm_t) - -fs_getattr_all_fs(xdm_t) -fs_search_auto_mountpoints(xdm_t) -fs_rw_anon_inodefs_files(xdm_t) -fs_mount_tmpfs(xdm_t) - -mls_socket_write_to_clearance(xdm_t) - -storage_dontaudit_read_fixed_disk(xdm_t) -storage_dontaudit_write_fixed_disk(xdm_t) -storage_dontaudit_setattr_fixed_disk_dev(xdm_t) -storage_dontaudit_raw_read_removable_device(xdm_t) -storage_dontaudit_raw_write_removable_device(xdm_t) -storage_dontaudit_setattr_removable_dev(xdm_t) -storage_dontaudit_rw_scsi_generic(xdm_t) -storage_dontaudit_rw_fuse(xdm_t) - -term_setattr_console(xdm_t) -term_use_console(xdm_t) -term_use_unallocated_ttys(xdm_t) -term_setattr_unallocated_ttys(xdm_t) -term_relabel_all_ttys(xdm_t) -term_relabel_unallocated_ttys(xdm_t) - -auth_domtrans_pam_console(xdm_t) -auth_manage_pam_pid(xdm_t) -auth_manage_pam_console_data(xdm_t) -auth_signal_pam(xdm_t) -auth_rw_faillog(xdm_t) -auth_write_login_records(xdm_t) - -# Run telinit->init to shutdown. -init_telinit(xdm_t) -init_dbus_chat(xdm_t) - -libs_exec_lib_files(xdm_t) - -logging_read_generic_logs(xdm_t) - -miscfiles_search_man_pages(xdm_t) -miscfiles_read_localization(xdm_t) -miscfiles_read_fonts(xdm_t) -miscfiles_manage_fonts_cache(xdm_t) -miscfiles_manage_localization(xdm_t) -miscfiles_read_hwdata(xdm_t) - -userdom_dontaudit_use_unpriv_user_fds(xdm_t) -userdom_create_all_users_keys(xdm_t) -# for .dmrc -userdom_read_user_home_content_files(xdm_t) -# Search /proc for any user domain processes. -userdom_read_all_users_state(xdm_t) -userdom_signal_all_users(xdm_t) -userdom_stream_connect(xdm_t) -userdom_manage_user_tmp_dirs(xdm_t) -userdom_manage_user_tmp_files(xdm_t) -userdom_manage_user_tmp_sockets(xdm_t) -userdom_manage_tmpfs_role(system_r, xdm_t) - -application_signal(xdm_t) - -xserver_rw_session(xdm_t, xdm_tmpfs_t) -xserver_unconfined(xdm_t) -xserver_domtrans_xauth(xdm_t) - -ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; -') - -ifdef(`distro_rhel4',` - allow xdm_t self:process { execheap execmem }; -') - -tunable_policy(`use_fusefs_home_dirs',` - fs_manage_fusefs_dirs(xdm_t) - fs_manage_fusefs_files(xdm_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(xdm_t) - fs_manage_nfs_files(xdm_t) - fs_manage_nfs_symlinks(xdm_t) - fs_exec_nfs_files(xdm_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(xdm_t) - fs_manage_cifs_files(xdm_t) - fs_manage_cifs_symlinks(xdm_t) - fs_exec_cifs_files(xdm_t) -') - -tunable_policy(`xdm_sysadm_login',` - userdom_xsession_spec_domtrans_all_users(xdm_t) - # FIXME: -# xserver_rw_session_template(xdm,userdomain) -',` - userdom_xsession_spec_domtrans_unpriv_users(xdm_t) - # FIXME: -# xserver_rw_session_template(xdm,unpriv_userdomain) -# dontaudit xserver_t sysadm_t:shm { unix_read unix_write }; -# allow xserver_t xdm_tmpfs_t:file rw_file_perms; -') - -optional_policy(` - accountsd_read_lib_files(xdm_t) -') - -optional_policy(` - alsa_domtrans(xdm_t) - alsa_read_rw_config(xdm_t) -') - -optional_policy(` - consolekit_dbus_chat(xdm_t) - consolekit_read_log(xdm_t) -') - -optional_policy(` - consoletype_exec(xdm_t) -') - -optional_policy(` - # Use dbus to start other processes as xdm_t - dbus_role_template(xdm, system_r, xdm_t) - - dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; - xserver_xdm_append_log(xdm_dbusd_t) - xserver_read_xdm_pid(xdm_dbusd_t) - - corecmd_bin_entry_type(xdm_t) - - dbus_system_bus_client(xdm_t) - - optional_policy(` - bluetooth_dbus_chat(xdm_t) - ') - - optional_policy(` - devicekit_dbus_chat_disk(xdm_t) - devicekit_dbus_chat_power(xdm_t) - ') - - optional_policy(` - hal_dbus_chat(xdm_t) - ') - - optional_policy(` - networkmanager_dbus_chat(xdm_t) - ') -') - -optional_policy(` - # Talk to the console mouse server. - gpm_stream_connect(xdm_t) - gpm_setattr_gpmctl(xdm_t) -') - -optional_policy(` - gnome_manage_config(xdm_t) - gnome_manage_gconf_home_files(xdm_t) - gnome_read_config(xdm_t) - gnome_read_gconf_config(xdm_t) -') - -optional_policy(` - hostname_exec(xdm_t) -') - -optional_policy(` - loadkeys_exec(xdm_t) -') - -optional_policy(` - locallogin_signull(xdm_t) -') - -optional_policy(` - # Do not audit attempts to check whether user root has email - mta_dontaudit_getattr_spool_files(xdm_t) -') - -optional_policy(` - policykit_dbus_chat(xdm_t) - policykit_domtrans_auth(xdm_t) - policykit_read_lib(xdm_t) - policykit_read_reload(xdm_t) - policykit_signal_auth(xdm_t) -') - -optional_policy(` - pcscd_stream_connect(xdm_t) -') - -optional_policy(` - plymouthd_search_spool(xdm_t) - plymouthd_exec_plymouth(xdm_t) - plymouthd_stream_connect(xdm_t) -') - -optional_policy(` - pulseaudio_exec(xdm_t) - pulseaudio_dbus_chat(xdm_t) - pulseaudio_stream_connect(xdm_t) -') - -optional_policy(` - resmgr_stream_connect(xdm_t) -') - -# On crash gdm execs gdb to dump stack -optional_policy(` - rpm_exec(xdm_t) - rpm_read_db(xdm_t) - rpm_dontaudit_manage_db(xdm_t) -') - -optional_policy(` - rtkit_scheduled(xdm_t) -') - -optional_policy(` - seutil_sigchld_newrole(xdm_t) -') - -optional_policy(` - ssh_signull(xdm_t) -') - -optional_policy(` - shutdown_domtrans(xdm_t) -') - -optional_policy(` - udev_read_db(xdm_t) -') - -optional_policy(` - unconfined_shell_domtrans(xdm_t) - unconfined_signal(xdm_t) -') - -optional_policy(` - userhelper_dontaudit_search_config(xdm_t) -') - -optional_policy(` - usermanage_read_crack_db(xdm_t) -') - -optional_policy(` - wm_exec(xdm_t) -') - -optional_policy(` - xfs_stream_connect(xdm_t) -') - -######################################## -# -# X server local policy -# - -# X Object Manager rules -type_transition xserver_t xserver_t:x_drawable root_xdrawable_t; -type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; -type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; - -allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; -allow xserver_t input_xevent_t:x_event send; - -# setuid/setgid for the wrapper program to change UID -# sys_rawio is for iopl access - should not be needed for frame-buffer -# sys_admin, locking shared mem? chowning IPC message queues or semaphores? -# admin of APM bios? -# sys_nice is so that the X server can set a negative nice value -# execheap needed until the X module loader is fixed. -# NVIDIA Needs execstack - -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; -dontaudit xserver_t self:capability chown; -allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow xserver_t self:fd use; -allow xserver_t self:fifo_file rw_fifo_file_perms; -allow xserver_t self:sock_file read_sock_file_perms; -allow xserver_t self:shm create_shm_perms; -allow xserver_t self:sem create_sem_perms; -allow xserver_t self:msgq create_msgq_perms; -allow xserver_t self:msg { send receive }; -allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; -allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow xserver_t self:tcp_socket create_stream_socket_perms; -allow xserver_t self:udp_socket create_socket_perms; -allow xserver_t self:netlink_selinux_socket create_socket_perms; -allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; - -allow xserver_t { input_xevent_t input_xevent_type }:x_event send; - -domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) - -allow xserver_t xauth_home_t:file read_file_perms; - -manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) - -filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) - -manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) -manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) -files_search_var_lib(xserver_t) - -manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) -manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) -files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir) - -manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) -manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) -manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) -files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir }) - -# Create files in /var/log with the xserver_log_t type. -manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) -logging_log_filetrans(xserver_t, xserver_log_t, file) -manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) - -kernel_read_system_state(xserver_t) -kernel_read_device_sysctls(xserver_t) -kernel_read_modprobe_sysctls(xserver_t) -# Xorg wants to check if kernel is tainted -kernel_read_kernel_sysctls(xserver_t) -kernel_write_proc_files(xserver_t) -kernel_request_load_module(xserver_t) - -# Run helper programs in xserver_t. -corecmd_exec_bin(xserver_t) -corecmd_exec_shell(xserver_t) - -corenet_all_recvfrom_unlabeled(xserver_t) -corenet_all_recvfrom_netlabel(xserver_t) -corenet_tcp_sendrecv_generic_if(xserver_t) -corenet_udp_sendrecv_generic_if(xserver_t) -corenet_tcp_sendrecv_generic_node(xserver_t) -corenet_udp_sendrecv_generic_node(xserver_t) -corenet_tcp_sendrecv_all_ports(xserver_t) -corenet_udp_sendrecv_all_ports(xserver_t) -corenet_tcp_bind_generic_node(xserver_t) -corenet_tcp_bind_xserver_port(xserver_t) -corenet_tcp_connect_all_ports(xserver_t) -corenet_sendrecv_xserver_server_packets(xserver_t) -corenet_sendrecv_all_client_packets(xserver_t) - -dev_rw_sysfs(xserver_t) -dev_rw_mouse(xserver_t) -dev_rw_mtrr(xserver_t) -dev_rw_apm_bios(xserver_t) -dev_rw_agp(xserver_t) -dev_rw_framebuffer(xserver_t) -dev_manage_dri_dev(xserver_t) -dev_create_generic_dirs(xserver_t) -dev_setattr_generic_dirs(xserver_t) -# raw memory access is needed if not using the frame buffer -dev_read_raw_memory(xserver_t) -dev_wx_raw_memory(xserver_t) -# for other device nodes such as the NVidia binary-only driver -dev_rw_xserver_misc(xserver_t) -# read events - the synaptics touchpad driver reads raw events -dev_rw_input_dev(xserver_t) -dev_read_raw_memory(xserver_t) -dev_write_raw_memory(xserver_t) -dev_rwx_zero(xserver_t) - -domain_dontaudit_read_all_domains_state(xserver_t) -domain_signal_all_domains(xserver_t) - -files_read_etc_files(xserver_t) -files_read_etc_runtime_files(xserver_t) -files_read_usr_files(xserver_t) -files_rw_tmpfs_files(xserver_t) - -# brought on by rhgb -files_search_mnt(xserver_t) -# for nscd -files_dontaudit_search_pids(xserver_t) - -fs_getattr_xattr_fs(xserver_t) -fs_search_nfs(xserver_t) -fs_search_auto_mountpoints(xserver_t) -fs_search_ramfs(xserver_t) -fs_rw_tmpfs_files(xserver_t) - -mls_xwin_read_to_clearance(xserver_t) -mls_process_write_to_clearance(xserver_t) -mls_file_read_to_clearance(xserver_t) -mls_file_write_all_levels(xserver_t) -mls_file_upgrade(xserver_t) - -selinux_validate_context(xserver_t) -selinux_compute_access_vector(xserver_t) -selinux_compute_create_context(xserver_t) - -auth_use_nsswitch(xserver_t) - -init_getpgid(xserver_t) - -term_setattr_unallocated_ttys(xserver_t) -term_use_unallocated_ttys(xserver_t) - -getty_use_fds(xserver_t) - -locallogin_use_fds(xserver_t) - -logging_send_syslog_msg(xserver_t) -logging_send_audit_msgs(xserver_t) - -miscfiles_read_localization(xserver_t) -miscfiles_read_fonts(xserver_t) -miscfiles_read_hwdata(xserver_t) - -modutils_domtrans_insmod(xserver_t) - -# read x_contexts -seutil_read_default_contexts(xserver_t) -seutil_read_config(xserver_t) -seutil_read_file_contexts(xserver_t) - -userdom_search_user_home_dirs(xserver_t) -userdom_use_user_ttys(xserver_t) -userdom_setattr_user_ttys(xserver_t) -userdom_rw_user_tmpfs_files(xserver_t) - -xserver_use_user_fonts(xserver_t) - -ifndef(`distro_redhat',` - allow xserver_t self:process { execmem execheap execstack }; - domain_mmap_low_uncond(xserver_t) -') - -ifdef(`distro_rhel4',` - allow xserver_t self:process { execmem execheap execstack }; -') - -ifdef(`enable_mls',` - range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh; - range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; -') - -tunable_policy(`!xserver_object_manager',` - # should be xserver_unconfined(xserver_t), - # but typeattribute doesnt work in conditionals - - allow xserver_t xserver_t:x_server *; - allow xserver_t { x_domain root_xdrawable_t }:x_drawable *; - allow xserver_t xserver_t:x_screen *; - allow xserver_t x_domain:x_gc *; - allow xserver_t { x_domain root_xcolormap_t }:x_colormap *; - allow xserver_t xproperty_type:x_property *; - allow xserver_t xselection_type:x_selection *; - allow xserver_t x_domain:x_cursor *; - allow xserver_t x_domain:x_client *; - allow xserver_t { x_domain xserver_t }:x_device *; - allow xserver_t { x_domain xserver_t }:x_pointer *; - allow xserver_t { x_domain xserver_t }:x_keyboard *; - allow xserver_t xextension_type:x_extension *; - allow xserver_t { x_domain xserver_t }:x_resource *; - allow xserver_t xevent_type:{ x_event x_synthetic_event } *; -') - -optional_policy(` - apm_stream_connect(xserver_t) -') - -optional_policy(` - auth_search_pam_console_data(xserver_t) -') - -optional_policy(` - devicekit_signal_power(xserver_t) -') - -optional_policy(` - rhgb_getpgid(xserver_t) - rhgb_signal(xserver_t) -') - -optional_policy(` - setrans_translate_context(xserver_t) -') - -optional_policy(` - sandbox_rw_xserver_tmpfs_files(xserver_t) -') - -optional_policy(` - udev_read_db(xserver_t) -') - -optional_policy(` - unconfined_domain(xserver_t) - unconfined_domtrans(xserver_t) -') - -optional_policy(` - userhelper_search_config(xserver_t) -') - -optional_policy(` - wine_rw_shm(xserver_t) -') - -optional_policy(` - xfs_stream_connect(xserver_t) -') - -######################################## -# -# XDM Xserver local policy -# -# cjp: when xdm is configurable via tunable these -# rules will be enabled only when xdm is enabled - -allow xserver_t xdm_t:process { signal getpgid }; -allow xserver_t xdm_t:shm rw_shm_perms; - -# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open -# handle of a file inside the dir!!! -allow xserver_t xdm_var_lib_t:file read_file_perms; -dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms; - -read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) - -# Label pid and temporary files with derived types. -manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) - -# Run xkbcomp. -allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms; -can_exec(xserver_t, xkb_var_lib_t) - -# VNC v4 module in X server -corenet_tcp_bind_vnc_port(xserver_t) - -init_use_fds(xserver_t) - -# FIXME: After per user fonts are properly working -# xserver_t may no longer have any reason -# to read ROLE_home_t - examine this in more detail -# (xauth?) -userdom_read_user_home_content_files(xserver_t) -userdom_read_all_users_state(xserver_t) - -xserver_use_user_fonts(xserver_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(xserver_t) - fs_manage_nfs_files(xserver_t) - fs_manage_nfs_symlinks(xserver_t) -') - -tunable_policy(`use_fusefs_home_dirs',` - fs_manage_fusefs_dirs(xserver_t) - fs_manage_fusefs_files(xserver_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(xserver_t) - fs_manage_cifs_files(xserver_t) - fs_manage_cifs_symlinks(xserver_t) -') - -optional_policy(` - dbus_system_bus_client(xserver_t) - - optional_policy(` - hal_dbus_chat(xserver_t) - ') -') - -optional_policy(` - mono_rw_shm(xserver_t) -') - -optional_policy(` - rhgb_rw_shm(xserver_t) - rhgb_rw_tmpfs_files(xserver_t) -') - -optional_policy(` - userhelper_search_config(xserver_t) -') - -######################################## -# -# Rules common to all X window domains -# - -# Hacks -# everyone can do override-redirect windows. -# this could be used to spoof labels -allow x_domain self:x_drawable override; -# firefox gets nosy with other people's windows -allow x_domain x_domain:x_drawable { list_child receive }; - -# X Server -# can get X server attributes -allow x_domain xserver_t:x_server getattr; -# can grab the server -allow x_domain xserver_t:x_server grab; -# can read and write server-owned generic resources -allow x_domain xserver_t:x_resource { read write }; -# can mess with own clients -allow x_domain self:x_client { getattr manage destroy }; - -# X Protocol Extensions -allow x_domain xextension_t:x_extension { query use }; -allow x_domain security_xextension_t:x_extension { query use }; - -# X Properties -# can change properties of root window -allow x_domain root_xdrawable_t:x_drawable { list_property get_property set_property }; -# can change properties of my own windows -allow x_domain self:x_drawable { list_property get_property set_property }; -# can read and write cut buffers -allow x_domain clipboard_xproperty_t:x_property { create read write append }; -# can read security labels -allow x_domain seclabel_xproperty_t:x_property { getattr read }; -# can change all other properties -allow x_domain xproperty_t:x_property { getattr create read write append destroy }; - -# X Windows -# operations allowed on root windows -allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; -# operations allowed on my windows -allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; -allow x_domain self:x_drawable blend; -# operations allowed on all windows -allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; - -# X Colormaps -# can use the default colormap -allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall }; -# can create and use colormaps -allow x_domain self:x_colormap *; - -# X Devices -# operations allowed on my own devices -allow x_domain self:{ x_device x_pointer x_keyboard } *; -# operations allowed on generic devices -allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor }; -# operations allowed on core keyboard -allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab }; -# operations allowed on core pointer -allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor }; - -# all devices can generate input events -allow x_domain root_xdrawable_t:x_drawable send; -allow x_domain x_domain:x_drawable send; -allow x_domain input_xevent_t:x_event send; - -# dontaudit keyloggers repeatedly polling -#dontaudit x_domain xserver_t:x_keyboard read; - -# X Input -# can receive default events -allow x_domain xevent_t:{ x_event x_synthetic_event } receive; -# can receive ICCCM events -allow x_domain client_xevent_t:{ x_event x_synthetic_event } receive; -# can send ICCCM events to the root window -allow x_domain client_xevent_t:x_synthetic_event send; -# can receive root window input events -allow x_domain root_input_xevent_t:x_event receive; - -# X Selections -# can use the clipboard -allow x_domain clipboard_xselection_t:x_selection { getattr setattr read }; -# can use default selections -allow x_domain xselection_t:x_selection { getattr setattr read }; - -# Other X Objects -# can create and use cursors -allow x_domain self:x_cursor *; -# can create and use graphics contexts -allow x_domain self:x_gc *; -# can read and write own objects -allow x_domain self:x_resource { read write }; -# can mess with the screensaver -allow x_domain xserver_t:x_screen { getattr saver_getattr }; - -# Device rules -allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; -allow x_domain xserver_t:x_screen getattr; - -######################################## -# -# Rules for unconfined access to this module -# - -allow xserver_unconfined_type xserver_t:x_server *; -allow xserver_unconfined_type xdrawable_type:x_drawable *; -allow xserver_unconfined_type xserver_t:x_screen *; -allow xserver_unconfined_type x_domain:x_gc *; -allow xserver_unconfined_type xcolormap_type:x_colormap *; -allow xserver_unconfined_type xproperty_type:x_property *; -allow xserver_unconfined_type xselection_type:x_selection *; -allow xserver_unconfined_type x_domain:x_cursor *; -allow xserver_unconfined_type x_domain:x_client *; -allow xserver_unconfined_type { x_domain xserver_t }:x_device *; -allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *; -allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; -allow xserver_unconfined_type xextension_type:x_extension *; -allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; -allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; - -tunable_policy(`! xserver_object_manager',` - # should be xserver_unconfined(x_domain), - # but typeattribute doesnt work in conditionals - - allow x_domain xserver_t:x_server *; - allow x_domain xdrawable_type:x_drawable *; - allow x_domain xserver_t:x_screen *; - allow x_domain x_domain:x_gc *; - allow x_domain xcolormap_type:x_colormap *; - allow x_domain xproperty_type:x_property *; - allow x_domain xselection_type:x_selection *; - allow x_domain x_domain:x_cursor *; - allow x_domain x_domain:x_client *; - allow x_domain { x_domain xserver_t }:x_device *; - allow x_domain { x_domain xserver_t }:x_pointer *; - allow x_domain { x_domain xserver_t }:x_keyboard *; - allow x_domain xextension_type:x_extension *; - allow x_domain { x_domain xserver_t }:x_resource *; - allow x_domain xevent_type:{ x_event x_synthetic_event } *; -') - -tunable_policy(`allow_xserver_execmem',` - allow xserver_t self:process { execheap execmem execstack }; -') - -# Hack to handle the problem of using the nvidia blobs -tunable_policy(`allow_execmem',` - allow xdm_t self:process execmem; -') - -tunable_policy(`allow_execstack',` - allow xdm_t self:process { execstack execmem }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_append_nfs_files(xdmhomewriter) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_append_nfs_files(xdmhomewriter) -') - -optional_policy(` - unconfined_rw_shm(xserver_t) - unconfined_execmem_rw_shm(xserver_t) - - # xserver signals unconfined user on startx - unconfined_signal(xserver_t) - unconfined_getpgid(xserver_t) -') diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc deleted file mode 100644 index 3102286..0000000 --- a/policy/modules/services/zabbix.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) - -/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) - -/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) - -/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if deleted file mode 100644 index 4776863..0000000 --- a/policy/modules/services/zabbix.if +++ /dev/null @@ -1,116 +0,0 @@ -## Distributed infrastructure monitoring - -######################################## -## -## Execute a domain transition to run zabbix. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`zabbix_domtrans',` - gen_require(` - type zabbix_t, zabbix_exec_t; - ') - - domtrans_pattern($1, zabbix_exec_t, zabbix_t) -') - -######################################## -## -## Allow the specified domain to read zabbix's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`zabbix_read_log',` - gen_require(` - type zabbix_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, zabbix_log_t, zabbix_log_t) -') - -######################################## -## -## Allow the specified domain to append -## zabbix log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`zabbix_append_log',` - gen_require(` - type zabbix_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, zabbix_log_t, zabbix_log_t) -') - -######################################## -## -## Read zabbix PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`zabbix_read_pid_files',` - gen_require(` - type zabbix_var_run_t; - ') - - files_search_pids($1) - allow $1 zabbix_var_run_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an zabbix environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the zabbix domain. -## -## -## -# -interface(`zabbix_admin',` - gen_require(` - type zabbix_t, zabbix_log_t, zabbix_var_run_t; - type zabbix_initrc_exec_t; - ') - - allow $1 zabbix_t:process { ptrace signal_perms }; - ps_process_pattern($1, zabbix_t) - - init_labeled_script_domtrans($1, zabbix_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 zabbix_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, zabbix_log_t) - - files_list_pids($1) - admin_pattern($1, zabbix_var_run_t) -') diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te deleted file mode 100644 index 20d7cde..0000000 --- a/policy/modules/services/zabbix.te +++ /dev/null @@ -1,52 +0,0 @@ -policy_module(zabbix, 1.2.1) - -######################################## -# -# Declarations -# - -type zabbix_t; -type zabbix_exec_t; -init_daemon_domain(zabbix_t, zabbix_exec_t) - -type zabbix_initrc_exec_t; -init_script_file(zabbix_initrc_exec_t) - -# log files -type zabbix_log_t; -logging_log_file(zabbix_log_t) - -# pid files -type zabbix_var_run_t; -files_pid_file(zabbix_var_run_t) - -######################################## -# -# zabbix local policy -# - -allow zabbix_t self:capability { setuid setgid }; -allow zabbix_t self:fifo_file rw_fifo_file_perms; -allow zabbix_t self:unix_stream_socket create_stream_socket_perms; - -# log files -allow zabbix_t zabbix_log_t:dir setattr_dir_perms; -manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -logging_log_filetrans(zabbix_t, zabbix_log_t, file) - -# pid file -manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) -manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) -files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) - -files_read_etc_files(zabbix_t) - -miscfiles_read_localization(zabbix_t) - -optional_policy(` - mysql_stream_connect(zabbix_t) -') - -optional_policy(` - postgresql_stream_connect(zabbix_t) -') diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc deleted file mode 100644 index 56cb5af..0000000 --- a/policy/modules/services/zarafa.fc +++ /dev/null @@ -1,27 +0,0 @@ - -/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) - -/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) - -/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) - -/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) - -/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) - -/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) - -/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) - -/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) -/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) -/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) -/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) -/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) - -/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) -/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) -/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) -/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if deleted file mode 100644 index 4f2dde8..0000000 --- a/policy/modules/services/zarafa.if +++ /dev/null @@ -1,102 +0,0 @@ -## policy for zarafa services - -###################################### -## -## Creates types and rules for a basic -## zararfa init daemon domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`zarafa_domain_template',` - gen_require(` - attribute zarafa_domain; - ') - - ############################## - # - # $1_t declarations - # - - type zarafa_$1_t, zarafa_domain; - type zarafa_$1_exec_t; - init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) - - type zarafa_$1_log_t; - logging_log_file(zarafa_$1_log_t) - - type zarafa_$1_var_run_t; - files_pid_file(zarafa_$1_var_run_t) - - ############################## - # - # $1_t local policy - # - - manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) - #stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t) - - manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) - #manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) - logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file }) -') - -######################################## -## -## Execute a domain transition to run zarafa_server. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`zarafa_server_domtrans',` - gen_require(` - type zarafa_server_t, zarafa_server_exec_t; - ') - - domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) -') - -######################################## -## -## Execute a domain transition to run zarafa_deliver. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`zarafa_deliver_domtrans',` - gen_require(` - type zarafa_deliver_t, zarafa_deliver_exec_t; - ') - - domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) -') - -####################################### -## -## Connect to zarafa-server unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`zarafa_stream_connect_server',` - gen_require(` - type zarafa_server_t, zarafa_server_var_run_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) -') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te deleted file mode 100644 index 3ce4d86..0000000 --- a/policy/modules/services/zarafa.te +++ /dev/null @@ -1,132 +0,0 @@ -policy_module(zarafa, 1.0.0) - -######################################## -# -# Declarations -# - -attribute zarafa_domain; - -zarafa_domain_template(monitor) -zarafa_domain_template(ical) -zarafa_domain_template(server) -zarafa_domain_template(spooler) -zarafa_domain_template(gateway) -zarafa_domain_template(deliver) - -type zarafa_deliver_tmp_t; -files_tmp_file(zarafa_deliver_tmp_t) - -type zarafa_etc_t; -files_config_file(zarafa_etc_t) - -type zarafa_share_t; -files_type(zarafa_share_t) - -permissive zarafa_server_t; -permissive zarafa_spooler_t; -permissive zarafa_gateway_t; -permissive zarafa_deliver_t; -permissive zarafa_ical_t; -permissive zarafa_monitor_t; - -######################################## -# -# zarafa-deliver local policy -# - -manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) -manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) -files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) - -#temporary -#allow zarafa_deliver_t port_t:tcp_socket name_bind; - -######################################## -# -# zarafa_server local policy -# - -allow zarafa_server_t self:capability { chown kill net_bind_service }; -allow zarafa_server_t self:process { setrlimit signal }; - -corenet_tcp_bind_zarafa_port(zarafa_server_t) - -files_read_usr_files(zarafa_server_t) - -logging_send_syslog_msg(zarafa_server_t) -logging_send_audit_msgs(zarafa_server_t) - -sysnet_dns_name_resolve(zarafa_server_t) - -optional_policy(` - mysql_stream_connect(zarafa_server_t) -') - -optional_policy(` - kerberos_use(zarafa_server_t) -') - -######################################## -# -# zarafa_spooler local policy -# - -allow zarafa_spooler_t self:capability { chown kill }; -allow zarafa_spooler_t self:process signal; - -corenet_tcp_connect_smtp_port(zarafa_spooler_t) - -######################################## -# -# zarafa_gateway local policy -# - -allow zarafa_gateway_t self:capability { chown kill }; -allow zarafa_gateway_t self:process { setrlimit signal }; - -corenet_tcp_bind_pop_port(zarafa_gateway_t) - -####################################### -# -# zarafa-ical local policy -# - -allow zarafa_ical_t self:capability chown; - -corenet_tcp_bind_http_cache_port(zarafa_ical_t) - -###################################### -# -# zarafa-monitor local policy -# - -allow zarafa_monitor_t self:capability chown; - -######################################## -# -# zarafa domains local policy -# - -# bad permission on /etc/zarafa -allow zarafa_domain self:capability { dac_override setgid setuid }; -allow zarafa_domain self:fifo_file rw_fifo_file_perms; -allow zarafa_domain self:tcp_socket create_stream_socket_perms; -allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; - -stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) - -read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) - -kernel_read_system_state(zarafa_domain) - -files_read_etc_files(zarafa_domain) - -auth_use_nsswitch(zarafa_domain) - -miscfiles_read_localization(zarafa_domain) - -# temporary rules -optional_policy(` - apache_content_template(zarafa) -') diff --git a/policy/modules/services/zebra.fc b/policy/modules/services/zebra.fc deleted file mode 100644 index e1b30b2..0000000 --- a/policy/modules/services/zebra.fc +++ /dev/null @@ -1,22 +0,0 @@ -/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) - -/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) -/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) - -/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) -/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) - -/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0) -/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) - -/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) -/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) - -/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) -/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) -/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if deleted file mode 100644 index 347f754..0000000 --- a/policy/modules/services/zebra.if +++ /dev/null @@ -1,86 +0,0 @@ -## Zebra border gateway protocol network routing service - -######################################## -## -## Read the configuration files for zebra. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`zebra_read_config',` - gen_require(` - type zebra_conf_t; - ') - - files_search_etc($1) - allow $1 zebra_conf_t:dir list_dir_perms; - read_files_pattern($1, zebra_conf_t, zebra_conf_t) - read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t) -') - -######################################## -## -## Connect to zebra over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`zebra_stream_connect',` - gen_require(` - type zebra_t, zebra_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) -') - -######################################## -## -## All of the rules required to administrate -## an zebra environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the zebra domain. -## -## -## -# -interface(`zebra_admin',` - gen_require(` - type zebra_t, zebra_tmp_t, zebra_log_t; - type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; - ') - - allow $1 zebra_t:process { ptrace signal_perms }; - ps_process_pattern($1, zebra_t) - - init_labeled_script_domtrans($1, zebra_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 zebra_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, zebra_conf_t) - - logging_list_logs($1) - admin_pattern($1, zebra_log_t) - - files_list_tmp($1) - admin_pattern($1, zebra_tmp_t) - - files_list_pids($1) - admin_pattern($1, zebra_var_run_t) -') diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te deleted file mode 100644 index f0b1201..0000000 --- a/policy/modules/services/zebra.te +++ /dev/null @@ -1,139 +0,0 @@ -policy_module(zebra, 1.11.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow zebra daemon to write it configuration files -##

-##
-gen_tunable(allow_zebra_write_config, false) - -type zebra_t; -type zebra_exec_t; -init_daemon_domain(zebra_t, zebra_exec_t) - -type zebra_conf_t; -files_type(zebra_conf_t) - -type zebra_initrc_exec_t; -init_script_file(zebra_initrc_exec_t) - -type zebra_log_t; -logging_log_file(zebra_log_t) - -type zebra_tmp_t; -files_tmp_file(zebra_tmp_t) - -type zebra_var_run_t; -files_pid_file(zebra_var_run_t) - -######################################## -# -# Local policy -# - -allow zebra_t self:capability { setgid setuid net_admin net_raw }; -dontaudit zebra_t self:capability sys_tty_config; -allow zebra_t self:process { signal_perms getcap setcap }; -allow zebra_t self:file rw_file_perms; -allow zebra_t self:unix_dgram_socket create_socket_perms; -allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; -allow zebra_t self:tcp_socket { connect connected_stream_socket_perms }; -allow zebra_t self:udp_socket create_socket_perms; -allow zebra_t self:rawip_socket create_socket_perms; - -allow zebra_t zebra_conf_t:dir list_dir_perms; -read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) -read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) - -allow zebra_t zebra_log_t:dir setattr_dir_perms; -manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) -manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) -logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) - -# /tmp/.bgpd is such a bad idea! -allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; -files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) - -manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) -manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) -manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) -files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file }) - -kernel_read_system_state(zebra_t) -kernel_read_network_state(zebra_t) -kernel_read_kernel_sysctls(zebra_t) -kernel_rw_net_sysctls(zebra_t) - -corenet_all_recvfrom_unlabeled(zebra_t) -corenet_all_recvfrom_netlabel(zebra_t) -corenet_tcp_sendrecv_generic_if(zebra_t) -corenet_udp_sendrecv_generic_if(zebra_t) -corenet_raw_sendrecv_generic_if(zebra_t) -corenet_tcp_sendrecv_generic_node(zebra_t) -corenet_udp_sendrecv_generic_node(zebra_t) -corenet_raw_sendrecv_generic_node(zebra_t) -corenet_tcp_sendrecv_all_ports(zebra_t) -corenet_udp_sendrecv_all_ports(zebra_t) -corenet_tcp_bind_generic_node(zebra_t) -corenet_udp_bind_generic_node(zebra_t) -corenet_tcp_bind_bgp_port(zebra_t) -corenet_tcp_bind_zebra_port(zebra_t) -corenet_udp_bind_router_port(zebra_t) -corenet_tcp_connect_bgp_port(zebra_t) -corenet_sendrecv_zebra_server_packets(zebra_t) -corenet_sendrecv_router_server_packets(zebra_t) - -dev_associate_usbfs(zebra_var_run_t) -dev_list_all_dev_nodes(zebra_t) -dev_read_sysfs(zebra_t) -dev_rw_zero(zebra_t) - -fs_getattr_all_fs(zebra_t) -fs_search_auto_mountpoints(zebra_t) - -term_list_ptys(zebra_t) - -domain_use_interactive_fds(zebra_t) - -files_search_etc(zebra_t) -files_read_etc_files(zebra_t) -files_read_etc_runtime_files(zebra_t) - -logging_send_syslog_msg(zebra_t) - -miscfiles_read_localization(zebra_t) - -sysnet_read_config(zebra_t) - -userdom_dontaudit_use_unpriv_user_fds(zebra_t) -userdom_dontaudit_search_user_home_dirs(zebra_t) - -tunable_policy(`allow_zebra_write_config',` - manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) -') - -optional_policy(` - nis_use_ypbind(zebra_t) -') - -optional_policy(` - rpm_read_pipes(zebra_t) -') - -optional_policy(` - seutil_sigchld_newrole(zebra_t) -') - -optional_policy(` - udev_read_db(zebra_t) -') - -optional_policy(` - unconfined_sigchld(zebra_t) -') diff --git a/policy/modules/services/zosremote.fc b/policy/modules/services/zosremote.fc deleted file mode 100644 index d719d0b..0000000 --- a/policy/modules/services/zosremote.fc +++ /dev/null @@ -1 +0,0 @@ -/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if deleted file mode 100644 index 13f0eef..0000000 --- a/policy/modules/services/zosremote.if +++ /dev/null @@ -1,46 +0,0 @@ -## policy for z/OS Remote-services Audit dispatcher plugin - -######################################## -## -## Execute a domain transition to run audispd-zos-remote. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`zosremote_domtrans',` - gen_require(` - type zos_remote_t, zos_remote_exec_t; - ') - - domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) -') - -######################################## -## -## Allow specified type and role to transition and -## run in the zos_remote_t domain. Allow specified type -## to use zos_remote_t terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`zosremote_run',` - gen_require(` - type zos_remote_t; - ') - - zosremote_domtrans($1) - role $2 types zos_remote_t; -') diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te deleted file mode 100644 index 3d407c6..0000000 --- a/policy/modules/services/zosremote.te +++ /dev/null @@ -1,28 +0,0 @@ -policy_module(zosremote, 1.1.0) - -######################################## -# -# Declarations -# - -type zos_remote_t; -type zos_remote_exec_t; -init_system_domain(zos_remote_t, zos_remote_exec_t) -logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) - -######################################## -# -# zos_remote local policy -# - -allow zos_remote_t self:process signal; -allow zos_remote_t self:fifo_file rw_fifo_file_perms; -allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; - -files_read_etc_files(zos_remote_t) - -auth_use_nsswitch(zos_remote_t) - -miscfiles_read_localization(zos_remote_t) - -logging_send_syslog_msg(zos_remote_t) diff --git a/policy/modules/system/application.fc b/policy/modules/system/application.fc deleted file mode 100644 index 08133f3..0000000 --- a/policy/modules/system/application.fc +++ /dev/null @@ -1 +0,0 @@ -# No application file contexts. diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if deleted file mode 100644 index 108595b..0000000 --- a/policy/modules/system/application.if +++ /dev/null @@ -1,150 +0,0 @@ -## Policy for user executable applications. - -######################################## -## -## Make the specified type usable as an application domain. -## -## -## -## Type to be used as a domain type. -## -## -# -interface(`application_type',` - gen_require(` - attribute application_domain_type; - ') - - typeattribute $1 application_domain_type; - - # start with basic domain - domain_type($1) -') - -######################################## -## -## Make the specified type usable for files -## that are exectuables, such as binary programs. -## This does not include shared libraries. -## -## -## -## Type to be used for files. -## -## -# -interface(`application_executable_file',` - gen_require(` - attribute application_exec_type; - ') - - typeattribute $1 application_exec_type; - - corecmd_executable_file($1) -') - -######################################## -## -## Execute application executables in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`application_exec',` - gen_require(` - attribute application_exec_type; - ') - - can_exec($1, application_exec_type) -') - -######################################## -## -## Execute all executable files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`application_exec_all',` - corecmd_dontaudit_exec_all_executables($1) - corecmd_exec_bin($1) - corecmd_exec_shell($1) - corecmd_exec_chroot($1) - - application_exec($1) -') - -######################################## -## -## Create a domain for applications. -## -## -##

-## Create a domain for applications. Typically these are -## programs that are run interactively. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##
-## -## -## Type to be used as an application domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -# -interface(`application_domain',` - application_type($1) - application_executable_file($2) - domain_entry_file($1, $2) -') - -######################################## -## -## Send signull to all application domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`application_signull',` - gen_require(` - attribute application_domain_type; - ') - - allow $1 application_domain_type:process signull; -') - -######################################## -## -## Send signal to all application domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`application_signal',` - gen_require(` - attribute application_domain_type; - ') - - allow $1 application_domain_type:process signal; -') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te deleted file mode 100644 index 2fa3974..0000000 --- a/policy/modules/system/application.te +++ /dev/null @@ -1,32 +0,0 @@ -policy_module(application, 1.2.0) - -# Attribute of user applications -attribute application_domain_type; - -# Executables to be run by user -attribute application_exec_type; - -userdom_inherit_append_user_home_content_files(application_domain_type) -userdom_inherit_append_admin_home_files(application_domain_type) -userdom_inherit_append_user_tmp_files(application_domain_type) -logging_inherit_append_all_logs(application_domain_type) - -files_dontaudit_search_all_dirs(application_domain_type) - -optional_policy(` - afs_rw_udp_sockets(application_domain_type) -') - -optional_policy(` - cron_rw_inherited_user_spool_files(application_domain_type) - cron_sigchld(application_domain_type) -') - -optional_policy(` - ssh_sigchld(application_domain_type) - ssh_rw_stream_sockets(application_domain_type) -') - -optional_policy(` - sudo_sigchld(application_domain_type) -') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc deleted file mode 100644 index 2997dd7..0000000 --- a/policy/modules/system/authlogin.fc +++ /dev/null @@ -1,47 +0,0 @@ - -/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) - -/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) -/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) -/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) -/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) -/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) - -/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) -/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) -/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) -/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -ifdef(`distro_suse', ` -/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -') - -/usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) - -/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) -ifdef(`distro_gentoo', ` -/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -') - -/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) - -/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) - -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - -/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) -/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0) -/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0) -/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) -/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) -/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) - -/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) -/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if deleted file mode 100644 index c411b5e..0000000 --- a/policy/modules/system/authlogin.if +++ /dev/null @@ -1,1670 +0,0 @@ -## Common policy for authentication and user login. - -######################################## -## -## Role access for password authentication. -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_role',` - gen_require(` - type chkpwd_t, chkpwd_exec_t, shadow_t; - ') - - role $1 types chkpwd_t; - - # Transition from the user domain to this domain. - domtrans_pattern($2, chkpwd_exec_t, chkpwd_t) - - ps_process_pattern($2, chkpwd_t) - - dontaudit $2 shadow_t:file read_file_perms; -') - -######################################## -## -## Use PAM for authentication. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_use_pam',` - - # for SSP/ProPolice - dev_read_urand($1) - # for encrypted homedir - dev_read_sysfs($1) - - auth_domtrans_chk_passwd($1) - auth_domtrans_upd_passwd($1) - auth_dontaudit_read_shadow($1) - auth_read_login_records($1) - auth_append_login_records($1) - auth_rw_lastlog($1) - auth_rw_faillog($1) - auth_exec_pam($1) - auth_use_nsswitch($1) - - init_rw_stream_sockets($1) - - logging_send_audit_msgs($1) - logging_send_syslog_msg($1) - - optional_policy(` - dbus_system_bus_client($1) - - optional_policy(` - consolekit_dbus_chat($1) - ') - - optional_policy(` - fprintd_dbus_chat($1) - ') - ') - - optional_policy(` - kerberos_manage_host_rcache($1) - kerberos_read_config($1) - ') - - optional_policy(` - nis_authenticate($1) - ') -') - -######################################## -## -## Make the specified domain used for a login program. -## -## -## -## Domain type used for a login program domain. -## -## -# -interface(`auth_login_pgm_domain',` - gen_require(` - type var_auth_t, auth_cache_t; - attribute polydomain; - ') - - domain_type($1) - typeattribute $1 polydomain; - - domain_subj_id_change_exemption($1) - domain_role_change_exemption($1) - domain_obj_id_change_exemption($1) - role system_r types $1; - - # Needed for pam_selinux_permit to cleanup properly - domain_read_all_domains_state($1) - domain_kill_all_domains($1) - - # pam_keyring - allow $1 self:capability ipc_lock; - allow $1 self:process setkeycreate; - allow $1 self:key manage_key_perms; - userdom_manage_all_users_keys($1) - - files_list_var_lib($1) - manage_dirs_pattern($1, var_auth_t, var_auth_t) - manage_files_pattern($1, var_auth_t, var_auth_t) - - manage_dirs_pattern($1, auth_cache_t, auth_cache_t) - manage_files_pattern($1, auth_cache_t, auth_cache_t) - manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) - files_var_filetrans($1, auth_cache_t, dir) - - # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 - kernel_rw_afs_state($1) - - # for fingerprint readers - dev_rw_input_dev($1) - dev_rw_generic_usb_dev($1) - - files_read_etc_files($1) - - fs_list_auto_mountpoints($1) - fs_manage_cgroup_dirs($1) - fs_manage_cgroup_files($1) - - selinux_get_fs_mount($1) - selinux_validate_context($1) - selinux_compute_access_vector($1) - selinux_compute_create_context($1) - selinux_compute_relabel_context($1) - selinux_compute_user_contexts($1) - - mls_file_read_all_levels($1) - mls_file_write_all_levels($1) - mls_file_upgrade($1) - mls_file_downgrade($1) - mls_process_set_level($1) - mls_fd_share_all_levels($1) - - auth_manage_pam_pid($1) - auth_use_pam($1) - - init_rw_utmp($1) - - logging_set_loginuid($1) - logging_set_tty_audit($1) - - seutil_read_config($1) - seutil_read_default_contexts($1) - - userdom_set_rlimitnh($1) - userdom_read_user_home_content_symlinks($1) - userdom_delete_user_tmp_files($1) - userdom_search_admin_dir($1) - - optional_policy(` - afs_rw_udp_sockets($1) - ') - - optional_policy(` - kerberos_read_config($1) - ') - - optional_policy(` - oddjob_dbus_chat($1) - oddjob_domtrans_mkhomedir($1) - ') - - optional_policy(` - corecmd_exec_bin($1) - storage_getattr_fixed_disk_dev($1) - mount_domtrans($1) - ') - - optional_policy(` - fprintd_dbus_chat($1) - ') - - optional_policy(` - ssh_agent_exec($1) - ssh_read_user_home_files($1) - userdom_read_user_home_content_files($1) - ') -') - -######################################## -## -## Use the login program as an entry point program. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_login_entry_type',` - gen_require(` - type login_exec_t; - ') - - domain_entry_file($1, login_exec_t) -') - -######################################## -## -## Execute a login_program in the target domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The type of the login_program process. -## -## -# -interface(`auth_domtrans_login_program',` - gen_require(` - type login_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, login_exec_t,$2) -') - -######################################## -## -## Execute a login_program in the target domain, -## with a range transition. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The type of the login_program process. -## -## -## -## -## Range of the login program. -## -## -# -interface(`auth_ranged_domtrans_login_program',` - gen_require(` - type login_exec_t; - ') - - auth_domtrans_login_program($1,$2) - - ifdef(`enable_mcs',` - range_transition $1 login_exec_t:process $3; - ') - - ifdef(`enable_mls',` - range_transition $1 login_exec_t:process $3; - ') -') - -######################################## -## -## Search authentication cache -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_search_cache',` - gen_require(` - type auth_cache_t; - ') - - allow $1 auth_cache_t:dir search_dir_perms; -') - -######################################## -## -## Read authentication cache -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_read_cache',` - gen_require(` - type auth_cache_t; - ') - - read_files_pattern($1, auth_cache_t, auth_cache_t) -') - -######################################## -## -## Read/Write authentication cache -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_rw_cache',` - gen_require(` - type auth_cache_t; - ') - - rw_files_pattern($1, auth_cache_t, auth_cache_t) -') - -######################################## -## -## Manage authentication cache -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_manage_cache',` - gen_require(` - type auth_cache_t; - ') - - manage_dirs_pattern($1, auth_cache_t, auth_cache_t) - manage_files_pattern($1, auth_cache_t, auth_cache_t) -') - -####################################### -## -## Automatic transition from cache_t to cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_var_filetrans_cache',` - gen_require(` - type auth_cache_t; - ') - - files_var_filetrans($1, auth_cache_t, { file dir } ) -') - -######################################## -## -## Run unix_chkpwd to check a password. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`auth_domtrans_chk_passwd',` - gen_require(` - type chkpwd_t, chkpwd_exec_t, shadow_t; - type auth_cache_t; - ') - - allow $1 auth_cache_t:dir search_dir_perms; - - corecmd_search_bin($1) - domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) - - dontaudit $1 shadow_t:file read_file_perms; - - dev_read_rand($1) - dev_read_urand($1) - - auth_use_nsswitch($1) - auth_rw_faillog($1) - - logging_send_audit_msgs($1) - - miscfiles_read_generic_certs($1) - - optional_policy(` - kerberos_read_keytab($1) - kerberos_connect_524($1) - ') - - optional_policy(` - pcscd_manage_pub_files($1) - pcscd_manage_pub_pipes($1) - pcscd_stream_connect($1) - ') - - optional_policy(` - samba_stream_connect_winbind($1) - ') - auth_domtrans_upd_passwd($1) -') - -######################################## -## -## Run unix_chkpwd to check a password. -## Stripped down version to be called within boolean -## -## -## -## Domain allowed to transition. -## -## -# -interface(`auth_domtrans_chkpwd',` - gen_require(` - type chkpwd_t, chkpwd_exec_t, shadow_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) - dontaudit $1 shadow_t:file { getattr read }; - auth_domtrans_upd_passwd($1) -') - -######################################## -## -## Execute chkpwd programs in the chkpwd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the chkpwd domain. -## -## -# -interface(`auth_run_chk_passwd',` - gen_require(` - type chkpwd_t; - ') - - auth_domtrans_chk_passwd($1) - role $2 types chkpwd_t; - auth_run_upd_passwd($1, $2) -') - -######################################## -## -## Execute a domain transition to run unix_update. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`auth_domtrans_upd_passwd',` - gen_require(` - type updpwd_t, updpwd_exec_t; - ') - - domtrans_pattern($1, updpwd_exec_t, updpwd_t) - auth_dontaudit_read_shadow($1) - -') - -######################################## -## -## Execute updpwd programs in the updpwd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the updpwd domain. -## -## -# -interface(`auth_run_upd_passwd',` - gen_require(` - type updpwd_t; - ') - - auth_domtrans_upd_passwd($1) - role $2 types updpwd_t; -') - -######################################## -## -## Get the attributes of the shadow passwords file. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_getattr_shadow',` - gen_require(` - type shadow_t; - ') - - files_search_etc($1) - allow $1 shadow_t:file getattr; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of the shadow passwords file. -## -## -## -## Domain to not audit. -## -## -# -interface(`auth_dontaudit_getattr_shadow',` - gen_require(` - type shadow_t; - ') - - dontaudit $1 shadow_t:file getattr; -') - -######################################## -## -## Read the shadow passwords file (/etc/shadow) -## -## -## -## Domain allowed access. -## -## -# -# cjp: these next three interfaces are split -# since typeattribute does not work in conditionals -# yet, otherwise they should be one interface. -# -interface(`auth_read_shadow',` - auth_can_read_shadow_passwords($1) - auth_tunable_read_shadow($1) -') - -######################################## -## -## Pass shadow assertion for reading. -## -## -##

-## Pass shadow assertion for reading. -## This should only be used with -## auth_tunable_read_shadow(), and -## only exists because typeattribute -## does not work in conditionals. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`auth_can_read_shadow_passwords',` - gen_require(` - attribute can_read_shadow_passwords; - ') - - typeattribute $1 can_read_shadow_passwords; -') - -######################################## -## -## Read the shadow password file. -## -## -##

-## Read the shadow password file. This -## should only be used in a conditional; -## it does not pass the reading shadow -## assertion. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`auth_tunable_read_shadow',` - gen_require(` - type shadow_t; - ') - - files_list_etc($1) - allow $1 shadow_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to read the shadow -## password file (/etc/shadow). -## -## -## -## Domain to not audit. -## -## -# -interface(`auth_dontaudit_read_shadow',` - gen_require(` - type shadow_t; - ') - - dontaudit $1 shadow_t:file read_file_perms; -') - -######################################## -## -## Read and write the shadow password file (/etc/shadow). -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_rw_shadow',` - gen_require(` - attribute can_read_shadow_passwords, can_write_shadow_passwords; - type shadow_t; - ') - - files_list_etc($1) - allow $1 shadow_t:file rw_file_perms; - typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; -') - -######################################## -## -## Create, read, write, and delete the shadow -## password file. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_manage_shadow',` - gen_require(` - attribute can_read_shadow_passwords, can_write_shadow_passwords; - type shadow_t; - ') - - allow $1 shadow_t:file manage_file_perms; - typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; -') - -####################################### -## -## Automatic transition from etc to shadow. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_etc_filetrans_shadow',` - gen_require(` - type shadow_t; - ') - - files_etc_filetrans($1, shadow_t, file) -') - -####################################### -## -## Relabel to the shadow -## password file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_relabelto_shadow',` - gen_require(` - attribute can_relabelto_shadow_passwords; - type shadow_t; - ') - - files_search_etc($1) - allow $1 shadow_t:file relabelto; - typeattribute $1 can_relabelto_shadow_passwords; -') - -####################################### -## -## Relabel from and to the shadow -## password file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_relabel_shadow',` - gen_require(` - attribute can_relabelto_shadow_passwords; - type shadow_t; - ') - - files_search_etc($1) - allow $1 shadow_t:file relabel_file_perms; - typeattribute $1 can_relabelto_shadow_passwords; -') - -####################################### -## -## Append to the login failure log. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_append_faillog',` - gen_require(` - type faillog_t; - ') - - logging_search_logs($1) - allow $1 faillog_t:file append_file_perms; -') - -######################################## -## -## Read and write the login failure log. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_rw_faillog',` - gen_require(` - type faillog_t; - ') - - logging_search_logs($1) - allow $1 faillog_t:file rw_file_perms; -') - -######################################## -## -## Manage the login failure log. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_manage_faillog',` - gen_require(` - type faillog_t; - ') - - logging_search_logs($1) - allow $1 faillog_t:file manage_file_perms; -') - -####################################### -## -## Read the last logins log. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`auth_read_lastlog',` - gen_require(` - type lastlog_t; - ') - - logging_search_logs($1) - allow $1 lastlog_t:file read_file_perms; -') - -####################################### -## -## Append only to the last logins log. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_append_lastlog',` - gen_require(` - type lastlog_t; - ') - - logging_search_logs($1) - allow $1 lastlog_t:file { append_file_perms lock }; -') - -####################################### -## -## Read and write to the last logins log. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_rw_lastlog',` - gen_require(` - type lastlog_t; - ') - - logging_search_logs($1) - allow $1 lastlog_t:file { rw_file_perms lock setattr }; -') - -######################################## -## -## Execute pam programs in the pam domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`auth_domtrans_pam',` - gen_require(` - type pam_t, pam_exec_t; - ') - - domtrans_pattern($1, pam_exec_t, pam_t) -') - -######################################## -## -## Send generic signals to pam processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_signal_pam',` - gen_require(` - type pam_t; - ') - - allow $1 pam_t:process signal; -') - -######################################## -## -## Execute pam programs in the PAM domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the PAM domain. -## -## -# -interface(`auth_run_pam',` - gen_require(` - type pam_t; - ') - - auth_domtrans_pam($1) - role $2 types pam_t; -') - -######################################## -## -## Execute the pam program. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_exec_pam',` - gen_require(` - type pam_exec_t; - ') - - can_exec($1, pam_exec_t) -') - -######################################## -## -## Read var auth files. Used by various other applications -## and pam applets etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_read_var_auth',` - gen_require(` - type var_auth_t; - ') - - files_search_var($1) - read_files_pattern($1, var_auth_t, var_auth_t) -') - -######################################## -## -## Manage var auth files. Used by various other applications -## and pam applets etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_manage_var_auth',` - gen_require(` - type var_auth_t; - ') - - files_search_var($1) - allow $1 var_auth_t:dir manage_dir_perms; - allow $1 var_auth_t:file rw_file_perms; - allow $1 var_auth_t:lnk_file rw_lnk_file_perms; -') - -######################################## -## -## Read PAM PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_read_pam_pid',` - gen_require(` - type pam_var_run_t; - ') - - files_search_pids($1) - allow $1 pam_var_run_t:dir list_dir_perms; - allow $1 pam_var_run_t:file read_file_perms; -') - -####################################### -## -## Do not audit attemps to read PAM PID files. -## -## -## -## Domain to not audit. -## -## -# -interface(`auth_dontaudit_read_pam_pid',` - gen_require(` - type pam_var_run_t; - ') - - dontaudit $1 pam_var_run_t:file { getattr read }; -') - -######################################## -## -## Delete pam PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_delete_pam_pid',` - gen_require(` - type pam_var_run_t; - ') - - files_search_pids($1) - allow $1 pam_var_run_t:dir del_entry_dir_perms; - allow $1 pam_var_run_t:file delete_file_perms; -') - -######################################## -## -## Manage pam PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_manage_pam_pid',` - gen_require(` - type pam_var_run_t; - ') - - files_search_pids($1) - allow $1 pam_var_run_t:dir manage_dir_perms; - allow $1 pam_var_run_t:file manage_file_perms; -') - -######################################## -## -## Execute pam_console with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`auth_domtrans_pam_console',` - gen_require(` - type pam_console_t, pam_console_exec_t; - ') - - domtrans_pattern($1, pam_console_exec_t, pam_console_t) -') - -######################################## -## -## Search the contents of the -## pam_console data directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_search_pam_console_data',` - gen_require(` - type pam_var_console_t; - ') - - files_search_pids($1) - allow $1 pam_var_console_t:dir search_dir_perms; -') - -######################################## -## -## List the contents of the pam_console -## data directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_list_pam_console_data',` - gen_require(` - type pam_var_console_t; - ') - - files_search_pids($1) - allow $1 pam_var_console_t:dir list_dir_perms; -') - -######################################## -## -## Read pam_console data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_read_pam_console_data',` - gen_require(` - type pam_var_console_t; - ') - - files_search_pids($1) - allow $1 pam_var_console_t:dir list_dir_perms; - allow $1 pam_var_console_t:file read_file_perms; -') - -######################################## -## -## Create, read, write, and delete -## pam_console data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_manage_pam_console_data',` - gen_require(` - type pam_var_console_t; - ') - - files_search_pids($1) - manage_files_pattern($1, pam_var_console_t, pam_var_console_t) - manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) -') - -####################################### -## -## Delete pam_console data. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_delete_pam_console_data',` - gen_require(` - type pam_var_console_t; - ') - - files_search_var($1) - files_search_pids($1) - delete_files_pattern($1, pam_var_console_t, pam_var_console_t) -') - -######################################## -## -## Read all directories on the filesystem, except -## the shadow passwords and listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -# -interface(`auth_read_all_dirs_except_shadow',` - gen_require(` - type shadow_t; - ') - - files_read_all_dirs_except($1,$2 -shadow_t) -') - -######################################## -## -## Read all files on the filesystem, except -## the shadow passwords and listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -## -# -interface(`auth_read_all_files_except_shadow',` - gen_require(` - type shadow_t; - ') - - files_read_all_files_except($1,$2 -shadow_t) -') - -######################################## -## -## Read all symbolic links on the filesystem, except -## the shadow passwords and listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -# -interface(`auth_read_all_symlinks_except_shadow',` - gen_require(` - type shadow_t; - ') - - files_read_all_symlinks_except($1,$2 -shadow_t) -') - -######################################## -## -## Relabel all files on the filesystem, except -## the shadow passwords and listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -# - -interface(`auth_relabel_all_files_except_shadow',` - gen_require(` - type shadow_t; - ') - - files_relabel_all_files($1,$2 -shadow_t) -') - -######################################## -## -## Read and write all files on the filesystem, except -## the shadow passwords and listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -# - -interface(`auth_rw_all_files_except_shadow',` - gen_require(` - type shadow_t; - ') - - files_rw_all_files($1,$2 -shadow_t) -') - -######################################## -## -## Manage all files on the filesystem, except -## the shadow passwords and listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -# - -interface(`auth_manage_all_files_except_shadow',` - gen_require(` - type shadow_t; - ') - - files_manage_all_files($1,$2 -shadow_t) -') - -######################################## -## -## Execute utempter programs in the utempter domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`auth_domtrans_utempter',` - gen_require(` - type utempter_t, utempter_exec_t; - ') - - domtrans_pattern($1, utempter_exec_t, utempter_t) -') - -######################################## -## -## Execute utempter programs in the utempter domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the utempter domain. -## -## -# -interface(`auth_run_utempter',` - gen_require(` - type utempter_t; - ') - - auth_domtrans_utempter($1) - role $2 types utempter_t; -') - -####################################### -## -## Do not audit attemps to execute utempter executable. -## -## -## -## Domain to not audit. -## -## -# -interface(`auth_dontaudit_exec_utempter',` - gen_require(` - type utempter_exec_t; - ') - - dontaudit $1 utempter_exec_t:file { execute execute_no_trans }; -') - -######################################## -## -## Set the attributes of login record files. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_setattr_login_records',` - gen_require(` - type wtmp_t; - ') - - allow $1 wtmp_t:file setattr; - logging_search_logs($1) -') - -######################################## -## -## Read login records files (/var/log/wtmp). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`auth_read_login_records',` - gen_require(` - type wtmp_t; - ') - - logging_search_logs($1) - allow $1 wtmp_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to read login records -## files (/var/log/wtmp). -## -## -## -## Domain to not audit. -## -## -## -# -interface(`auth_dontaudit_read_login_records',` - gen_require(` - type wtmp_t; - ') - - dontaudit $1 wtmp_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to write to -## login records files. -## -## -## -## Domain to not audit. -## -## -# -interface(`auth_dontaudit_write_login_records',` - gen_require(` - type wtmp_t; - ') - - dontaudit $1 wtmp_t:file write; -') - -####################################### -## -## Append to login records (wtmp). -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_append_login_records',` - gen_require(` - type wtmp_t; - ') - - allow $1 wtmp_t:file append_file_perms; - logging_search_logs($1) -') - -####################################### -## -## Write to login records (wtmp). -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_write_login_records',` - gen_require(` - type wtmp_t; - ') - - allow $1 wtmp_t:file { write_file_perms lock }; -') - -######################################## -## -## Read and write login records. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_rw_login_records',` - gen_require(` - type wtmp_t; - ') - - allow $1 wtmp_t:file rw_file_perms; - logging_search_logs($1) -') - -######################################## -## -## Create a login records in the log directory -## using a type transition. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_log_filetrans_login_records',` - gen_require(` - type wtmp_t; - ') - - logging_log_filetrans($1, wtmp_t, file) -') - -######################################## -## -## Create, read, write, and delete login -## records files. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_manage_login_records',` - gen_require(` - type wtmp_t; - ') - - logging_rw_generic_log_dirs($1) - allow $1 wtmp_t:file manage_file_perms; -') - -######################################## -## -## Use nsswitch to look up user, password, group, or -## host information. -## -## -##

-## Allow the specified domain to look up user, password, -## group, or host information using the name service. -## The most common use of this interface is for services -## that do host name resolution (usually DNS resolution). -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`auth_use_nsswitch',` - - allow $1 self:netlink_route_socket r_netlink_socket_perms; - - files_list_var_lib($1) - - # read /etc/nsswitch.conf - files_read_etc_files($1) - - miscfiles_read_generic_certs($1) - - sysnet_dns_name_resolve($1) - sysnet_use_ldap($1) - - optional_policy(` - avahi_stream_connect($1) - ') - - optional_policy(` - ldap_stream_connect($1) - ') - - optional_policy(` - likewise_stream_connect_lsassd($1) - ') - - optional_policy(` - kerberos_use($1) - ') - - optional_policy(` - nis_use_ypbind($1) - ') - - optional_policy(` - nscd_use($1) - ') - - optional_policy(` - nslcd_stream_connect($1) - ') - - optional_policy(` - sssd_stream_connect($1) - ') - - optional_policy(` - samba_stream_connect_winbind($1) - samba_read_var_files($1) - samba_dontaudit_write_var_files($1) - ') -') - -######################################## -## -## Unconfined access to the authlogin module. -## -## -##

-## Unconfined access to the authlogin module. -##

-##

-## Currently, this only allows assertions for -## the shadow passwords file (/etc/shadow) to -## be passed. No access is granted yet. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`auth_unconfined',` - gen_require(` - attribute can_read_shadow_passwords; - attribute can_write_shadow_passwords; - attribute can_relabelto_shadow_passwords; - ') - - typeattribute $1 can_read_shadow_passwords; - typeattribute $1 can_write_shadow_passwords; - typeattribute $1 can_relabelto_shadow_passwords; -') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te deleted file mode 100644 index ee0fe55..0000000 --- a/policy/modules/system/authlogin.te +++ /dev/null @@ -1,405 +0,0 @@ -policy_module(authlogin, 2.2.0) - -######################################## -# -# Declarations -# - -attribute can_read_shadow_passwords; -attribute can_write_shadow_passwords; -attribute can_relabelto_shadow_passwords; -attribute polydomain; - -type auth_cache_t; -logging_log_file(auth_cache_t) - -type chkpwd_t, can_read_shadow_passwords; -type chkpwd_exec_t; -typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; -typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; -application_domain(chkpwd_t, chkpwd_exec_t) -role system_r types chkpwd_t; - -type faillog_t; -logging_log_file(faillog_t) - -type lastlog_t; -logging_log_file(lastlog_t) - -type login_exec_t; -application_executable_file(login_exec_t) - -type pam_console_t; -type pam_console_exec_t; -init_system_domain(pam_console_t, pam_console_exec_t) -role system_r types pam_console_t; - -type pam_t; -domain_type(pam_t) -role system_r types pam_t; - -type pam_exec_t; -domain_entry_file(pam_t, pam_exec_t) - -type pam_tmp_t; -files_tmp_file(pam_tmp_t) - -type pam_var_console_t; -files_type(pam_var_console_t) - -type pam_var_run_t; -files_pid_file(pam_var_run_t) - -type shadow_t; -files_security_file(shadow_t) -neverallow ~can_read_shadow_passwords shadow_t:file read; -neverallow ~can_write_shadow_passwords shadow_t:file { create write }; -neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; - -type updpwd_t; -type updpwd_exec_t; -domain_type(updpwd_t) -domain_entry_file(updpwd_t, updpwd_exec_t) -domain_obj_id_change_exemption(updpwd_t) -role system_r types updpwd_t; - -type utempter_t; -type utempter_exec_t; -application_domain(utempter_t, utempter_exec_t) - -# -# var_auth_t is the type of /var/lib/auth, usually -# used for auth data in pam_able -# -type var_auth_t; -files_type(var_auth_t) - -type wtmp_t; -logging_log_file(wtmp_t) - -######################################## -# -# Check password local policy -# - -allow chkpwd_t self:capability { dac_override setuid }; -dontaudit chkpwd_t self:capability sys_tty_config; -allow chkpwd_t self:process { getattr signal }; - -allow chkpwd_t shadow_t:file read_file_perms; -files_list_etc(chkpwd_t) - -# is_selinux_enabled -kernel_read_system_state(chkpwd_t) - -domain_dontaudit_use_interactive_fds(chkpwd_t) - -dev_read_rand(chkpwd_t) -dev_read_urand(chkpwd_t) - -files_read_etc_files(chkpwd_t) -# for nscd -files_dontaudit_search_var(chkpwd_t) - -fs_dontaudit_getattr_xattr_fs(chkpwd_t) - -term_dontaudit_use_console(chkpwd_t) -term_dontaudit_use_unallocated_ttys(chkpwd_t) -term_dontaudit_use_generic_ptys(chkpwd_t) -term_dontaudit_use_all_ptys(chkpwd_t) - -auth_use_nsswitch(chkpwd_t) - -logging_send_audit_msgs(chkpwd_t) -logging_send_syslog_msg(chkpwd_t) - -miscfiles_read_localization(chkpwd_t) - -seutil_read_config(chkpwd_t) -seutil_dontaudit_use_newrole_fds(chkpwd_t) - -userdom_use_user_terminals(chkpwd_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(chkpwd_t) - ') -') - -optional_policy(` - # apache leaks file descriptors - apache_dontaudit_rw_tcp_sockets(chkpwd_t) -') - -optional_policy(` - kerberos_use(chkpwd_t) -') - -optional_policy(` - nis_authenticate(chkpwd_t) -') - -######################################## -# -# PAM local policy -# - -allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -dontaudit pam_t self:capability sys_tty_config; - -allow pam_t self:fd use; -allow pam_t self:fifo_file rw_file_perms; -allow pam_t self:unix_dgram_socket create_socket_perms; -allow pam_t self:unix_stream_socket rw_stream_socket_perms; -allow pam_t self:unix_dgram_socket sendto; -allow pam_t self:unix_stream_socket connectto; -allow pam_t self:shm create_shm_perms; -allow pam_t self:sem create_sem_perms; -allow pam_t self:msgq create_msgq_perms; -allow pam_t self:msg { send receive }; - -delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) -read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) -files_list_pids(pam_t) - -allow pam_t pam_tmp_t:dir manage_dir_perms; -allow pam_t pam_tmp_t:file manage_file_perms; -files_tmp_filetrans(pam_t, pam_tmp_t, { file dir }) - -auth_use_nsswitch(pam_t) - -kernel_read_system_state(pam_t) - -files_read_etc_files(pam_t) - -fs_search_auto_mountpoints(pam_t) - -miscfiles_read_localization(pam_t) - -term_use_all_ttys(pam_t) -term_use_all_ptys(pam_t) - -init_dontaudit_rw_utmp(pam_t) - -logging_send_syslog_msg(pam_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(pam_t) - ') -') - -optional_policy(` - locallogin_use_fds(pam_t) -') - -######################################## -# -# PAM console local policy -# - -allow pam_console_t self:capability { chown fowner fsetid }; -dontaudit pam_console_t self:capability sys_tty_config; - -allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; - -# for /var/run/console.lock checking -read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t) -read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t) -dontaudit pam_console_t pam_var_console_t:file write; - -kernel_read_kernel_sysctls(pam_console_t) -kernel_use_fds(pam_console_t) -# Read /proc/meminfo -kernel_read_system_state(pam_console_t) - -dev_read_sysfs(pam_console_t) -dev_getattr_apm_bios_dev(pam_console_t) -dev_setattr_apm_bios_dev(pam_console_t) -dev_getattr_dri_dev(pam_console_t) -dev_setattr_dri_dev(pam_console_t) -dev_getattr_input_dev(pam_console_t) -dev_setattr_input_dev(pam_console_t) -dev_getattr_framebuffer_dev(pam_console_t) -dev_setattr_framebuffer_dev(pam_console_t) -dev_getattr_generic_usb_dev(pam_console_t) -dev_setattr_generic_usb_dev(pam_console_t) -dev_getattr_misc_dev(pam_console_t) -dev_setattr_misc_dev(pam_console_t) -dev_getattr_mouse_dev(pam_console_t) -dev_setattr_mouse_dev(pam_console_t) -dev_getattr_power_mgmt_dev(pam_console_t) -dev_setattr_power_mgmt_dev(pam_console_t) -dev_getattr_printer_dev(pam_console_t) -dev_setattr_printer_dev(pam_console_t) -dev_getattr_scanner_dev(pam_console_t) -dev_setattr_scanner_dev(pam_console_t) -dev_getattr_sound_dev(pam_console_t) -dev_setattr_sound_dev(pam_console_t) -dev_getattr_video_dev(pam_console_t) -dev_setattr_video_dev(pam_console_t) -dev_getattr_xserver_misc_dev(pam_console_t) -dev_setattr_xserver_misc_dev(pam_console_t) -dev_read_urand(pam_console_t) - -files_read_etc_files(pam_console_t) -files_search_pids(pam_console_t) -files_list_mnt(pam_console_t) -files_dontaudit_search_isid_type_dirs(pam_console_t) -# read /etc/mtab -files_read_etc_runtime_files(pam_console_t) - -fs_list_auto_mountpoints(pam_console_t) -fs_list_noxattr_fs(pam_console_t) -fs_getattr_all_fs(pam_console_t) - -mls_file_read_all_levels(pam_console_t) -mls_file_write_all_levels(pam_console_t) - -storage_getattr_fixed_disk_dev(pam_console_t) -storage_setattr_fixed_disk_dev(pam_console_t) -storage_getattr_removable_dev(pam_console_t) -storage_setattr_removable_dev(pam_console_t) -storage_getattr_scsi_generic_dev(pam_console_t) -storage_setattr_scsi_generic_dev(pam_console_t) - -term_use_console(pam_console_t) -term_use_all_ttys(pam_console_t) -term_use_all_ptys(pam_console_t) -term_setattr_console(pam_console_t) -term_getattr_unallocated_ttys(pam_console_t) -term_setattr_unallocated_ttys(pam_console_t) -term_use_unallocated_ttys(pam_console_t) - -auth_use_nsswitch(pam_console_t) - -domain_use_interactive_fds(pam_console_t) - -init_use_fds(pam_console_t) -init_use_script_ptys(pam_console_t) - -logging_send_syslog_msg(pam_console_t) - -miscfiles_read_localization(pam_console_t) -miscfiles_read_generic_certs(pam_console_t) - -seutil_read_file_contexts(pam_console_t) - -userdom_dontaudit_use_unpriv_user_fds(pam_console_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(pam_console_t) - ') -') - -optional_policy(` - gpm_getattr_gpmctl(pam_console_t) - gpm_setattr_gpmctl(pam_console_t) -') - -optional_policy(` - hotplug_use_fds(pam_console_t) - hotplug_dontaudit_search_config(pam_console_t) -') - -optional_policy(` - seutil_sigchld_newrole(pam_console_t) -') - -optional_policy(` - udev_read_db(pam_console_t) -') - -optional_policy(` - xserver_read_xdm_pid(pam_console_t) - xserver_dontaudit_write_log(pam_console_t) -') - -######################################## -# -# updpwd local policy -# - -allow updpwd_t self:capability { chown dac_override }; -allow updpwd_t self:process setfscreate; -allow updpwd_t self:fifo_file rw_fifo_file_perms; -allow updpwd_t self:unix_stream_socket create_stream_socket_perms; -allow updpwd_t self:unix_dgram_socket create_socket_perms; - -kernel_read_system_state(updpwd_t) - -dev_read_urand(updpwd_t) - -files_manage_etc_files(updpwd_t) - -term_dontaudit_use_console(updpwd_t) -term_dontaudit_use_unallocated_ttys(updpwd_t) - -auth_manage_shadow(updpwd_t) -auth_use_nsswitch(updpwd_t) - -logging_send_syslog_msg(updpwd_t) - -miscfiles_read_localization(updpwd_t) - -userdom_use_user_terminals(updpwd_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(updpwd_t) - ') -') - -######################################## -# -# Utempter local policy -# - -allow utempter_t self:capability setgid; -allow utempter_t self:unix_stream_socket create_stream_socket_perms; - -allow utempter_t wtmp_t:file rw_file_perms; - -dev_read_urand(utempter_t) - -files_read_etc_files(utempter_t) - -term_getattr_all_ttys(utempter_t) -term_getattr_all_ptys(utempter_t) -term_dontaudit_use_all_ttys(utempter_t) -term_dontaudit_use_all_ptys(utempter_t) -term_dontaudit_use_ptmx(utempter_t) - -init_rw_utmp(utempter_t) - -domain_use_interactive_fds(utempter_t) - -logging_search_logs(utempter_t) - -userdom_use_user_terminals(utempter_t) -# Allow utemper to write to /tmp/.xses-* -userdom_write_user_tmp_files(utempter_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(utempter_t) - ') -') - -optional_policy(` - nscd_socket_use(utempter_t) -') - -optional_policy(` - xserver_use_xdm_fds(utempter_t) - xserver_rw_xdm_pipes(utempter_t) -') - -tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all(polydomain) - userdom_manage_user_home_content_dirs(polydomain) - userdom_manage_user_home_content_files(polydomain) - userdom_relabelto_user_home_dirs(polydomain) - userdom_relabelto_user_home_files(polydomain) -') diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc deleted file mode 100644 index c5e05ca..0000000 --- a/policy/modules/system/clock.fc +++ /dev/null @@ -1,5 +0,0 @@ - -/etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) - -/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) - diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if deleted file mode 100644 index e2f6d93..0000000 --- a/policy/modules/system/clock.if +++ /dev/null @@ -1,100 +0,0 @@ -## Policy for reading and setting the hardware clock. - -######################################## -## -## Execute hwclock in the clock domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`clock_domtrans',` - gen_require(` - type hwclock_t, hwclock_exec_t; - ') - - domtrans_pattern($1, hwclock_exec_t, hwclock_t) -') - -######################################## -## -## Execute hwclock in the clock domain, and -## allow the specified role the hwclock domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`clock_run',` - gen_require(` - type hwclock_t; - ') - - clock_domtrans($1) - role $2 types hwclock_t; -') - -######################################## -## -## Execute hwclock in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`clock_exec',` - gen_require(` - type hwclock_exec_t; - ') - - can_exec($1, hwclock_exec_t) -') - -######################################## -## -## Do not audit attempts to write clock drift adjustments. -## -## -## -## Domain to not audit. -## -## -# -interface(`clock_dontaudit_write_adjtime',` - gen_require(` - type adjtime_t; - ') - - dontaudit $1 adjtime_t:file write; -') - -######################################## -## -## Read and write clock drift adjustments. -## -## -## -## Domain allowed access. -## -## -# -interface(`clock_rw_adjtime',` - gen_require(` - type adjtime_t; - ') - - allow $1 adjtime_t:file rw_file_perms; - files_list_etc($1) -') diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te deleted file mode 100644 index b9ed25b..0000000 --- a/policy/modules/system/clock.te +++ /dev/null @@ -1,81 +0,0 @@ -policy_module(clock, 1.6.0) - -######################################## -# -# Declarations -# - -type adjtime_t; -files_type(adjtime_t) - -type hwclock_t; -type hwclock_exec_t; -init_system_domain(hwclock_t, hwclock_exec_t) -role system_r types hwclock_t; - -######################################## -# -# Local policy -# - -# Give hwclock the capabilities it requires. dac_override is a surprise, -# but hwclock does require it. -allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; -dontaudit hwclock_t self:capability sys_tty_config; -allow hwclock_t self:process signal_perms; -allow hwclock_t self:fifo_file rw_fifo_file_perms; - -# Allow hwclock to store & retrieve correction factors. -allow hwclock_t adjtime_t:file { rw_file_perms setattr }; - -kernel_read_kernel_sysctls(hwclock_t) -kernel_read_system_state(hwclock_t) - -corecmd_exec_bin(hwclock_t) -corecmd_exec_shell(hwclock_t) - -dev_read_sysfs(hwclock_t) -dev_rw_realtime_clock(hwclock_t) - -files_read_etc_files(hwclock_t) -# for when /usr is not mounted: -files_dontaudit_search_isid_type_dirs(hwclock_t) - -fs_getattr_xattr_fs(hwclock_t) -fs_search_auto_mountpoints(hwclock_t) - -term_dontaudit_use_console(hwclock_t) -term_use_unallocated_ttys(hwclock_t) -term_use_all_ttys(hwclock_t) -term_use_all_ptys(hwclock_t) - -domain_use_interactive_fds(hwclock_t) - -init_use_fds(hwclock_t) -init_use_script_ptys(hwclock_t) - -logging_send_audit_msgs(hwclock_t) -logging_send_syslog_msg(hwclock_t) - -miscfiles_read_localization(hwclock_t) - -optional_policy(` - apm_append_log(hwclock_t) - apm_rw_stream_sockets(hwclock_t) -') - -optional_policy(` - nscd_socket_use(hwclock_t) -') - -optional_policy(` - seutil_sigchld_newrole(hwclock_t) -') - -optional_policy(` - udev_read_db(hwclock_t) -') - -optional_policy(` - userdom_dontaudit_use_unpriv_user_fds(hwclock_t) -') diff --git a/policy/modules/system/daemontools.fc b/policy/modules/system/daemontools.fc deleted file mode 100644 index 26df050..0000000 --- a/policy/modules/system/daemontools.fc +++ /dev/null @@ -1,53 +0,0 @@ -# -# /service -# - -/service -d gen_context(system_u:object_r:svc_svc_t,s0) -/service/.* gen_context(system_u:object_r:svc_svc_t,s0) - -# -# /usr -# - -/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/envuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/multilog -- gen_context(system_u:object_r:svc_multilog_exec_t,s0) -/usr/bin/pgrphack -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/setuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/softlimit -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/svscanboot -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/supervise -- gen_context(system_u:object_r:svc_start_exec_t,s0) - -# -# /var -# - -/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/axfrdns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) - -/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) -/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) - -/var/qmail/supervise(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) - -/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0) -/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) -/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0) -/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0) - -/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/tinydns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if deleted file mode 100644 index 81e5ed4..0000000 --- a/policy/modules/system/daemontools.if +++ /dev/null @@ -1,212 +0,0 @@ -## Collection of tools for managing UNIX services -## -##

-## Policy for DJB's daemontools -##

-##
- -######################################## -## -## An ipc channel between the supervised domain and svc_start_t -## -## -## -## Domain allowed access. -## -## -# -interface(`daemontools_ipc_domain',` - gen_require(` - type svc_start_t; - ') - - allow $1 svc_start_t:process sigchld; - allow $1 svc_start_t:fd use; - allow $1 svc_start_t:fifo_file { read write getattr }; - allow svc_start_t $1:process signal; -') - -######################################## -## -## Define a specified domain as a supervised service. -## -## -## -## Domain allowed access. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`daemontools_service_domain',` - gen_require(` - type svc_run_t; - ') - - domain_auto_trans(svc_run_t, $2, $1) - daemontools_ipc_domain($1) - - allow svc_run_t $1:process signal; - allow $1 svc_run_t:fd use; -') - -######################################## -## -## Execute in the svc_start_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`daemontools_domtrans_start',` - gen_require(` - type svc_start_t, svc_start_exec_t; - ') - - domtrans_pattern($1, svc_start_exec_t, svc_start_t) -') - -###################################### -## -## Execute svc_start in the svc_start domain, and -## allow the specified role the svc_start domain. -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed the svc_start domain. -## -## -## -# -interface(`daemonstools_run_start',` - gen_require(` - type svc_start_t; - ') - - daemontools_domtrans_start($1) - role $2 types svc_start_t; -') - -######################################## -## -## Execute in the svc_run_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`daemontools_domtrans_run',` - gen_require(` - type svc_run_t, svc_run_exec_t; - ') - - domtrans_pattern($1, svc_run_exec_t, svc_run_t) -') - -######################################## -## -## Execute in the svc_multilog_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`daemontools_domtrans_multilog',` - gen_require(` - type svc_multilog_t, svc_multilog_exec_t; - ') - - domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t) -') - -######################################## -## -## Allow a domain to read svc_svc_t files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`daemontools_read_svc',` - gen_require(` - type svc_svc_t; - ') - - allow $1 svc_svc_t:dir list_dir_perms; - allow $1 svc_svc_t:file read_file_perms; -') - -###################################### -## -## Search svc_svc_t directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`daemontools_search_svc_dir',` - gen_require(` - type svc_svc_t; - ') - - allow $1 svc_svc_t:dir search_dir_perms; -') - -######################################## -## -## Allow a domain to create svc_svc_t files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`daemontools_manage_svc',` - gen_require(` - type svc_svc_t; - ') - - allow $1 svc_svc_t:dir manage_dir_perms; - allow $1 svc_svc_t:fifo_file manage_fifo_file_perms; - allow $1 svc_svc_t:file manage_file_perms; - allow $1 svc_svc_t:lnk_file { read create }; -') - -###################################### -## -## Send a SIGCHLD signal to svc_run domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`daemontools_sigchld_run',` - gen_require(` - type svc_run_t; - ') - - allow $1 svc_run_t:process sigchld; -') diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te deleted file mode 100644 index 699451c..0000000 --- a/policy/modules/system/daemontools.te +++ /dev/null @@ -1,130 +0,0 @@ -policy_module(daemontools, 1.2.0) - -######################################## -# -# Declarations -# - -type svc_conf_t; -files_type(svc_conf_t) - -type svc_log_t; -files_type(svc_log_t) - -type svc_multilog_t; -type svc_multilog_exec_t; -application_domain(svc_multilog_t, svc_multilog_exec_t) -role system_r types svc_multilog_t; - -type svc_run_t; -type svc_run_exec_t; -application_domain(svc_run_t, svc_run_exec_t) -role system_r types svc_run_t; - -type svc_start_t; -type svc_start_exec_t; -init_domain(svc_start_t, svc_start_exec_t) -init_system_domain(svc_start_t, svc_start_exec_t) -role system_r types svc_start_t; - -type svc_svc_t; -files_type(svc_svc_t) - -######################################## -# -# multilog local policy -# - -# multilog creates /service/*/log/status -manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) - -term_write_console(svc_multilog_t) - -init_use_fds(svc_multilog_t) -init_dontaudit_use_script_fds(svc_multilog_t) - -# writes to /var/log/*/* -logging_manage_generic_logs(svc_multilog_t) - -daemontools_ipc_domain(svc_multilog_t) - -######################################## -# -# local policy for binaries that impose -# a given environment to supervised daemons -# ie. softlimit, setuidgid, envuidgid, envdir, fghack .. -# - -allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource }; -allow svc_run_t self:process setrlimit; -allow svc_run_t self:fifo_file rw_fifo_file_perms; -allow svc_run_t self:unix_stream_socket create_stream_socket_perms; - -allow svc_run_t svc_conf_t:dir list_dir_perms; -allow svc_run_t svc_conf_t:file read_file_perms; - -can_exec(svc_run_t, svc_run_exec_t) - -kernel_read_system_state(svc_run_t) - -dev_read_urand(svc_run_t) - -corecmd_exec_bin(svc_run_t) -corecmd_exec_shell(svc_run_t) - -term_write_console(svc_run_t) - -files_read_etc_files(svc_run_t) -files_read_etc_runtime_files(svc_run_t) -files_search_pids(svc_run_t) -files_search_var_lib(svc_run_t) - -init_use_script_fds(svc_run_t) -init_use_fds(svc_run_t) - -daemontools_domtrans_multilog(svc_run_t) -daemontools_read_svc(svc_run_t) - -optional_policy(` - qmail_read_config(svc_run_t) -') - -######################################## -# -# local policy for service monitoring programs -# ie svc, svscan, supervise ... -# - -allow svc_start_t svc_run_t:process { signal setrlimit }; - -allow svc_start_t self:fifo_file rw_fifo_file_perms; -allow svc_start_t self:capability kill; -allow svc_start_t self:tcp_socket create_stream_socket_perms; -allow svc_start_t self:unix_stream_socket create_socket_perms; - -can_exec(svc_start_t, svc_start_exec_t) - -mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) - -kernel_read_kernel_sysctls(svc_start_t) -kernel_read_system_state(svc_start_t) - -corecmd_exec_bin(svc_start_t) -corecmd_exec_shell(svc_start_t) - -corenet_tcp_bind_generic_node(svc_start_t) -corenet_tcp_bind_generic_port(svc_start_t) - -term_write_console(svc_start_t) - -files_read_etc_files(svc_start_t) -files_read_etc_runtime_files(svc_start_t) -files_search_var(svc_start_t) -files_search_pids(svc_start_t) - -logging_send_syslog_msg(svc_start_t) - -miscfiles_read_localization(svc_start_t) - -daemontools_domtrans_run(svc_start_t) -daemontools_manage_svc(svc_start_t) diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc deleted file mode 100644 index dd65c15..0000000 --- a/policy/modules/system/fstools.fc +++ /dev/null @@ -1,45 +0,0 @@ -/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - -/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - -/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) - -/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if deleted file mode 100644 index 016a770..0000000 --- a/policy/modules/system/fstools.if +++ /dev/null @@ -1,156 +0,0 @@ -## Tools for filesystem management, such as mkfs and fsck. - -######################################## -## -## Execute fs tools in the fstools domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`fstools_domtrans',` - gen_require(` - type fsadm_t, fsadm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fsadm_exec_t, fsadm_t) -') - -######################################## -## -## Execute fs tools in the fstools domain, and -## allow the specified role the fs tools domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`fstools_run',` - gen_require(` - type fsadm_t; - ') - - fstools_domtrans($1) - role $2 types fsadm_t; -') - -######################################## -## -## Execute fsadm in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`fstools_exec',` - gen_require(` - type fsadm_exec_t; - ') - - can_exec($1, fsadm_exec_t) -') - -######################################## -## -## Send signal to fsadm process -## -## -## -## Domain allowed access. -## -## -# -interface(`fstools_signal',` - gen_require(` - type fsadm_t; - ') - - allow $1 fsadm_t:process signal; -') - -######################################## -## -## Read fstools unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`fstools_read_pipes',` - gen_require(` - type fsadm_t; - ') - - allow $1 fsadm_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Relabel a file to the type used by the -## filesystem tools programs. -## -## -## -## Domain allowed access. -## -## -# -interface(`fstools_relabelto_entry_files',` - gen_require(` - type fsadm_exec_t; - ') - - allow $1 fsadm_exec_t:file relabelto; -') - -######################################## -## -## Create, read, write, and delete a file used by the -## filesystem tools programs. -## -## -## -## Domain allowed access. -## -## -# -interface(`fstools_manage_entry_files',` - gen_require(` - type fsadm_exec_t; - ') - - allow $1 fsadm_exec_t:file manage_file_perms; -') - -######################################## -## -## Getattr swapfile -## -## -## -## Domain allowed access. -## -## -# -interface(`fstools_getattr_swap_files',` - gen_require(` - type swapfile_t; - ') - - allow $1 swapfile_t:file getattr; -') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te deleted file mode 100644 index 7cb7582..0000000 --- a/policy/modules/system/fstools.te +++ /dev/null @@ -1,196 +0,0 @@ -policy_module(fstools, 1.14.0) - -######################################## -# -# Declarations -# - -type fsadm_t; -type fsadm_exec_t; -init_system_domain(fsadm_t, fsadm_exec_t) -role system_r types fsadm_t; - -type fsadm_log_t; -logging_log_file(fsadm_log_t) - -type fsadm_tmp_t; -files_tmp_file(fsadm_tmp_t) - -type swapfile_t; # customizable -files_type(swapfile_t) - -######################################## -# -# local policy -# - -# ipc_lock is for losetup -allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; -allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; -allow fsadm_t self:fd use; -allow fsadm_t self:fifo_file rw_fifo_file_perms; -allow fsadm_t self:sock_file read_sock_file_perms; -allow fsadm_t self:unix_dgram_socket create_socket_perms; -allow fsadm_t self:unix_stream_socket create_stream_socket_perms; -allow fsadm_t self:unix_dgram_socket sendto; -allow fsadm_t self:unix_stream_socket connectto; -allow fsadm_t self:shm create_shm_perms; -allow fsadm_t self:sem create_sem_perms; -allow fsadm_t self:msgq create_msgq_perms; -allow fsadm_t self:msg { send receive }; - -can_exec(fsadm_t, fsadm_exec_t) - -allow fsadm_t fsadm_tmp_t:dir manage_dir_perms; -allow fsadm_t fsadm_tmp_t:file manage_file_perms; -files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) - -# log files -allow fsadm_t fsadm_log_t:dir setattr; -manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t) -logging_log_filetrans(fsadm_t, fsadm_log_t, file) - -# Enable swapping to files -allow fsadm_t swapfile_t:file { rw_file_perms swapon }; - -kernel_read_system_state(fsadm_t) -kernel_read_kernel_sysctls(fsadm_t) -kernel_request_load_module(fsadm_t) -# Allow console log change (updfstab) -kernel_change_ring_buffer_level(fsadm_t) -# mkreiserfs needs this -kernel_getattr_proc(fsadm_t) -kernel_getattr_core_if(fsadm_t) -# Access to /initrd devices -kernel_rw_unlabeled_dirs(fsadm_t) -kernel_rw_unlabeled_blk_files(fsadm_t) - -corecmd_exec_bin(fsadm_t) -#RedHat bug #201164 -corecmd_exec_shell(fsadm_t) -# cjp: these are probably not needed: -corecmd_read_bin_files(fsadm_t) -corecmd_read_bin_pipes(fsadm_t) -corecmd_read_bin_sockets(fsadm_t) - -dev_getattr_all_chr_files(fsadm_t) -dev_dontaudit_getattr_all_blk_files(fsadm_t) -dev_dontaudit_getattr_generic_files(fsadm_t) -# mkreiserfs and other programs need this for UUID -dev_read_rand(fsadm_t) -dev_read_urand(fsadm_t) -# Recreate /dev/cdrom. -dev_manage_generic_symlinks(fsadm_t) -# fdisk needs this for early boot -dev_manage_generic_blk_files(fsadm_t) -# Access to /initrd devices -dev_search_usbfs(fsadm_t) -# for swapon -dev_read_sysfs(fsadm_t) -# Access to /initrd devices -dev_getattr_usbfs_dirs(fsadm_t) -# Access to /dev/mapper/control -dev_rw_lvm_control(fsadm_t) - -domain_use_interactive_fds(fsadm_t) - -files_getattr_boot_dirs(fsadm_t) -files_list_home(fsadm_t) -files_read_usr_files(fsadm_t) -files_read_etc_files(fsadm_t) -files_manage_lost_found(fsadm_t) -files_manage_isid_type_dirs(fsadm_t) -# Write to /etc/mtab. -files_manage_etc_runtime_files(fsadm_t) -files_etc_filetrans_etc_runtime(fsadm_t, file) -# Access to /initrd devices -files_rw_isid_type_dirs(fsadm_t) -files_rw_isid_type_blk_files(fsadm_t) -files_read_isid_type_files(fsadm_t) - -fs_search_auto_mountpoints(fsadm_t) -fs_getattr_xattr_fs(fsadm_t) -fs_rw_ramfs_pipes(fsadm_t) -fs_rw_tmpfs_files(fsadm_t) -# remount file system to apply changes -fs_remount_xattr_fs(fsadm_t) -# for /dev/shm -fs_search_tmpfs(fsadm_t) -fs_getattr_tmpfs_dirs(fsadm_t) -fs_read_tmpfs_symlinks(fsadm_t) -fs_manage_nfs_files(fsadm_t) -fs_manage_cifs_files(fsadm_t) -fs_rw_hugetlbfs_files(fsadm_t) -# Recreate /mnt/cdrom. -files_manage_mnt_dirs(fsadm_t) -# for tune2fs -files_search_all(fsadm_t) - -mls_file_read_all_levels(fsadm_t) -mls_file_write_all_levels(fsadm_t) - -storage_raw_read_fixed_disk(fsadm_t) -storage_raw_write_fixed_disk(fsadm_t) -storage_raw_read_removable_device(fsadm_t) -storage_raw_write_removable_device(fsadm_t) -storage_read_scsi_generic(fsadm_t) -storage_swapon_fixed_disk(fsadm_t) - -term_use_console(fsadm_t) - -init_use_fds(fsadm_t) -init_use_script_ptys(fsadm_t) -init_dontaudit_getattr_initctl(fsadm_t) - -logging_send_syslog_msg(fsadm_t) - -miscfiles_read_localization(fsadm_t) - -modutils_read_module_config(fsadm_t) -modutils_read_module_deps(fsadm_t) - -seutil_read_config(fsadm_t) - -term_use_all_terms(fsadm_t) - -ifdef(`distro_redhat',` - optional_policy(` - unconfined_domain(fsadm_t) - ') -') - -optional_policy(` - amanda_rw_dumpdates_files(fsadm_t) - amanda_append_log_files(fsadm_t) -') - -optional_policy(` - # for smartctl cron jobs - cron_system_entry(fsadm_t, fsadm_exec_t) -') - -optional_policy(` - hal_dontaudit_write_log(fsadm_t) -') - -optional_policy(` - livecd_rw_tmp_files(fsadm_t) -') - -optional_policy(` - nis_use_ypbind(fsadm_t) -') - -optional_policy(` - fs_dontaudit_write_ramfs_pipes(fsadm_t) - rhgb_stub(fsadm_t) -') - -optional_policy(` - virt_read_blk_images(fsadm_t) -') - -optional_policy(` - xen_append_log(fsadm_t) - xen_rw_image_files(fsadm_t) -') diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc deleted file mode 100644 index e1a1848..0000000 --- a/policy/modules/system/getty.fc +++ /dev/null @@ -1,12 +0,0 @@ - -/etc/mgetty(/.*)? gen_context(system_u:object_r:getty_etc_t,s0) - -/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) - -/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) -/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0) - -/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) - -/var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0) -/var/spool/voice(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0) diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if deleted file mode 100644 index e4376aa..0000000 --- a/policy/modules/system/getty.if +++ /dev/null @@ -1,98 +0,0 @@ -## Policy for getty. - -######################################## -## -## Execute gettys in the getty domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`getty_domtrans',` - gen_require(` - type getty_t, getty_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, getty_exec_t, getty_t) -') - -######################################## -## -## Inherit and use getty file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`getty_use_fds',` - gen_require(` - type getty_t; - ') - - allow $1 getty_t:fd use; -') - -######################################## -## -## Allow process to read getty log file. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`getty_read_log',` - gen_require(` - type getty_log_t; - ') - - logging_search_logs($1) - allow $1 getty_log_t:file read_file_perms; -') - -######################################## -## -## Allow process to read getty config file. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`getty_read_config',` - gen_require(` - type getty_etc_t; - ') - - files_search_etc($1) - allow $1 getty_etc_t:file read_file_perms; -') - -######################################## -## -## Allow process to edit getty config file. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`getty_rw_config',` - gen_require(` - type getty_etc_t; - ') - - files_search_etc($1) - allow $1 getty_etc_t:file rw_file_perms; -') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te deleted file mode 100644 index 55c2d03..0000000 --- a/policy/modules/system/getty.te +++ /dev/null @@ -1,135 +0,0 @@ -policy_module(getty, 1.8.0) - -######################################## -# -# Declarations -# - -type getty_t; -type getty_exec_t; -init_domain(getty_t, getty_exec_t) -init_system_domain(getty_t, getty_exec_t) -domain_interactive_fd(getty_t) - -type getty_etc_t; -typealias getty_etc_t alias etc_getty_t; -files_config_file(getty_etc_t) - -type getty_lock_t; -files_lock_file(getty_lock_t) - -type getty_log_t; -logging_log_file(getty_log_t) - -type getty_tmp_t; -files_tmp_file(getty_tmp_t) - -type getty_var_run_t; -files_pid_file(getty_var_run_t) - -######################################## -# -# Getty local policy -# - -# Use capabilities. -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; -dontaudit getty_t self:capability sys_tty_config; -allow getty_t self:process { getpgid setpgid getsession signal_perms }; -allow getty_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(getty_t, getty_etc_t, getty_etc_t) -read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t) -files_etc_filetrans(getty_t, getty_etc_t,{ file dir }) - -allow getty_t getty_lock_t:file manage_file_perms; -files_lock_filetrans(getty_t, getty_lock_t, file) - -allow getty_t getty_log_t:file manage_file_perms; -logging_log_filetrans(getty_t, getty_log_t, file) - -allow getty_t getty_tmp_t:file manage_file_perms; -allow getty_t getty_tmp_t:dir manage_dir_perms; -files_tmp_filetrans(getty_t, getty_tmp_t, { file dir }) - -manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) -files_pid_filetrans(getty_t, getty_var_run_t, file) - -kernel_read_system_state(getty_t) - -# these two needed for receiving faxes -corecmd_exec_bin(getty_t) -corecmd_exec_shell(getty_t) - -dev_read_sysfs(getty_t) - -files_rw_generic_pids(getty_t) -files_read_etc_runtime_files(getty_t) -files_read_etc_files(getty_t) -files_search_spool(getty_t) - -fs_search_auto_mountpoints(getty_t) -# for error condition handling -fs_getattr_xattr_fs(getty_t) - -mcs_process_set_categories(getty_t) - -mls_file_read_all_levels(getty_t) -mls_file_write_all_levels(getty_t) - -# Chown, chmod, read and write ttys. -term_use_all_ttys(getty_t) -term_use_unallocated_ttys(getty_t) -term_setattr_all_ttys(getty_t) -term_setattr_unallocated_ttys(getty_t) -term_setattr_console(getty_t) -term_use_console(getty_t) - -auth_rw_login_records(getty_t) - -init_rw_utmp(getty_t) -init_use_script_ptys(getty_t) -init_dontaudit_use_script_ptys(getty_t) - -locallogin_domtrans(getty_t) - -logging_send_syslog_msg(getty_t) - -miscfiles_read_localization(getty_t) - -ifdef(`distro_gentoo',` - # Gentoo default /etc/issue makes agetty - # do a DNS lookup for the hostname - sysnet_dns_name_resolve(getty_t) -') - -ifdef(`distro_redhat',` - # getty requires sys_admin #209426 - allow getty_t self:capability sys_admin; -') - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(getty_t) - ') -') - -optional_policy(` - mta_send_mail(getty_t) -') - -optional_policy(` - nscd_socket_use(getty_t) -') - -optional_policy(` - ppp_domtrans(getty_t) -') - -optional_policy(` - rhgb_dontaudit_use_ptys(getty_t) -') - -optional_policy(` - udev_read_db(getty_t) -') diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc deleted file mode 100644 index 9dfecf7..0000000 --- a/policy/modules/system/hostname.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if deleted file mode 100644 index 187f04f..0000000 --- a/policy/modules/system/hostname.if +++ /dev/null @@ -1,65 +0,0 @@ -## Policy for changing the system host name. - -######################################## -## -## Execute hostname in the hostname domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hostname_domtrans',` - gen_require(` - type hostname_t, hostname_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hostname_exec_t, hostname_t) -') - -######################################## -## -## Execute hostname in the hostname domain, and -## allow the specified role the hostname domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`hostname_run',` - gen_require(` - type hostname_t; - ') - - hostname_domtrans($1) - role $2 types hostname_t; -') - -######################################## -## -## Execute hostname in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`hostname_exec',` - gen_require(` - type hostname_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, hostname_exec_t) -') diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te deleted file mode 100644 index 683494c..0000000 --- a/policy/modules/system/hostname.te +++ /dev/null @@ -1,71 +0,0 @@ -policy_module(hostname, 1.6.1) - -######################################## -# -# Declarations -# - -type hostname_t; -type hostname_exec_t; -init_system_domain(hostname_t, hostname_exec_t) -role system_r types hostname_t; - -######################################## -# -# Local policy -# - -# for setting the hostname -allow hostname_t self:process { sigchld sigkill sigstop signull signal }; -allow hostname_t self:capability sys_admin; -allow hostname_t self:unix_stream_socket create_stream_socket_perms; -dontaudit hostname_t self:capability sys_tty_config; - -kernel_list_proc(hostname_t) -kernel_read_proc_symlinks(hostname_t) - -dev_read_sysfs(hostname_t) -# Early devtmpfs, before udev relabel -dev_dontaudit_rw_generic_chr_files(hostname_t) - -domain_dontaudit_leaks(hostname_t) -domain_use_interactive_fds(hostname_t) - -files_read_etc_files(hostname_t) -files_dontaudit_leaks(hostname_t) -files_dontaudit_search_var(hostname_t) -# for when /usr is not mounted: -files_dontaudit_search_isid_type_dirs(hostname_t) - -fs_getattr_xattr_fs(hostname_t) -fs_search_auto_mountpoints(hostname_t) -fs_dontaudit_leaks(hostname_t) -fs_dontaudit_use_tmpfs_chr_dev(hostname_t) - -term_dontaudit_use_console(hostname_t) -term_use_all_ttys(hostname_t) -term_use_all_ptys(hostname_t) - -init_use_fds(hostname_t) -init_use_script_fds(hostname_t) -init_use_script_ptys(hostname_t) - -logging_send_syslog_msg(hostname_t) - -miscfiles_read_localization(hostname_t) - -sysnet_read_config(hostname_t) -sysnet_dns_name_resolve(hostname_t) - -optional_policy(` - nis_use_ypbind(hostname_t) -') - -optional_policy(` - xen_append_log(hostname_t) - xen_dontaudit_use_fds(hostname_t) -') - -optional_policy(` - unconfined_dontaudit_rw_pipes(hostname_t) -') diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc deleted file mode 100644 index caf736b..0000000 --- a/policy/modules/system/hotplug.fc +++ /dev/null @@ -1,11 +0,0 @@ - -/etc/hotplug(/.*)? gen_context(system_u:object_r:hotplug_etc_t,s0) -/etc/hotplug/firmware\.agent -- gen_context(system_u:object_r:hotplug_exec_t,s0) - -/etc/hotplug\.d/.* -- gen_context(system_u:object_r:hotplug_exec_t,s0) - -/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) -/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) - -/var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) -/var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if deleted file mode 100644 index 40eb10c..0000000 --- a/policy/modules/system/hotplug.if +++ /dev/null @@ -1,175 +0,0 @@ -## -## Policy for hotplug system, for supporting the -## connection and disconnection of devices at runtime. -## - -######################################## -## -## Execute hotplug with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hotplug_domtrans',` - gen_require(` - type hotplug_t, hotplug_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hotplug_exec_t, hotplug_t) -') - -######################################## -## -## Execute hotplug in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`hotplug_exec',` - gen_require(` - type hotplug_t; - ') - - corecmd_search_bin($1) - can_exec($1, hotplug_exec_t) -') - -######################################## -## -## Inherit and use hotplug file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`hotplug_use_fds',` - gen_require(` - type hotplug_t; - ') - - allow $1 hotplug_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit -## hotplug file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`hotplug_dontaudit_use_fds',` - gen_require(` - type hotplug_t; - ') - - dontaudit $1 hotplug_t:fd use; -') - -######################################## -## -## Do not audit attempts to search the -## hotplug configuration directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`hotplug_dontaudit_search_config',` - gen_require(` - type hotplug_etc_t; - ') - - dontaudit $1 hotplug_etc_t:dir search; -') - -######################################## -## -## Get the attributes of the hotplug configuration directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`hotplug_getattr_config_dirs',` - gen_require(` - type hotplug_etc_t; - ') - - allow $1 hotplug_etc_t:dir getattr; -') - -######################################## -## -## Search the hotplug configuration directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`hotplug_search_config',` - gen_require(` - type hotplug_etc_t; - ') - - allow $1 hotplug_etc_t:dir search_dir_perms; -') - -######################################## -## -## Read the configuration files for hotplug. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`hotplug_read_config',` - gen_require(` - type hotplug_etc_t; - ') - - files_search_etc($1) - allow $1 hotplug_etc_t:dir list_dir_perms; - read_files_pattern($1, hotplug_etc_t, hotplug_etc_t) - read_lnk_files_pattern($1, hotplug_etc_t, hotplug_etc_t) -') - -######################################## -## -## Search the hotplug PIDs. -## -## -## -## Domain allowed access. -## -## -# -interface(`hotplug_search_pids',` - gen_require(` - type hotplug_var_run_t; - ') - - allow $1 hotplug_var_run_t:dir search_dir_perms; - files_search_pids($1) -') diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te deleted file mode 100644 index 7c6933f..0000000 --- a/policy/modules/system/hotplug.te +++ /dev/null @@ -1,201 +0,0 @@ -policy_module(hotplug, 1.13.0) - -######################################## -# -# Declarations -# - -type hotplug_t; -type hotplug_exec_t; -kernel_domtrans_to(hotplug_t, hotplug_exec_t) -init_daemon_domain(hotplug_t, hotplug_exec_t) - -type hotplug_etc_t; -files_config_file(hotplug_etc_t) -init_daemon_domain(hotplug_t, hotplug_etc_t) - -type hotplug_var_run_t; -files_pid_file(hotplug_var_run_t) - -######################################## -# -# Local policy -# - -allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; -dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; -# for access("/etc/bashrc", X_OK) on Red Hat -dontaudit hotplug_t self:capability { dac_override dac_read_search }; -allow hotplug_t self:process { setpgid getsession getattr signal_perms }; -allow hotplug_t self:fifo_file rw_file_perms; -allow hotplug_t self:netlink_route_socket r_netlink_socket_perms; -allow hotplug_t self:udp_socket create_socket_perms; -allow hotplug_t self:tcp_socket connected_stream_socket_perms; - -read_files_pattern(hotplug_t, hotplug_etc_t, hotplug_etc_t) -read_lnk_files_pattern(hotplug_t, hotplug_etc_t, hotplug_etc_t) -can_exec(hotplug_t, hotplug_etc_t) -allow hotplug_t hotplug_etc_t:dir list_dir_perms; - -can_exec(hotplug_t, hotplug_exec_t) - -manage_dirs_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t) -manage_files_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t) -files_pid_filetrans(hotplug_t, hotplug_var_run_t, { dir file }) - -kernel_sigchld(hotplug_t) -kernel_setpgid(hotplug_t) -kernel_read_system_state(hotplug_t) -kernel_read_network_state(hotplug_t) -kernel_read_kernel_sysctls(hotplug_t) -kernel_rw_net_sysctls(hotplug_t) - -files_read_kernel_modules(hotplug_t) - -corenet_all_recvfrom_unlabeled(hotplug_t) -corenet_all_recvfrom_netlabel(hotplug_t) -corenet_tcp_sendrecv_generic_if(hotplug_t) -corenet_udp_sendrecv_generic_if(hotplug_t) -corenet_tcp_sendrecv_generic_node(hotplug_t) -corenet_udp_sendrecv_generic_node(hotplug_t) -corenet_tcp_sendrecv_all_ports(hotplug_t) -corenet_udp_sendrecv_all_ports(hotplug_t) - -dev_rw_sysfs(hotplug_t) -dev_read_usbfs(hotplug_t) -dev_setattr_printer_dev(hotplug_t) -dev_setattr_sound_dev(hotplug_t) -# for SSP: -dev_read_urand(hotplug_t) - -fs_getattr_all_fs(hotplug_t) -fs_search_auto_mountpoints(hotplug_t) - -storage_setattr_fixed_disk_dev(hotplug_t) -storage_setattr_removable_dev(hotplug_t) - -corecmd_exec_bin(hotplug_t) -corecmd_exec_shell(hotplug_t) - -domain_use_interactive_fds(hotplug_t) -# for ps -domain_dontaudit_read_all_domains_state(hotplug_t) -domain_dontaudit_getattr_all_domains(hotplug_t) - -files_read_etc_files(hotplug_t) -files_manage_etc_runtime_files(hotplug_t) -files_etc_filetrans_etc_runtime(hotplug_t, file) -files_exec_etc_files(hotplug_t) -# for when filesystems are not mounted early in the boot: -files_dontaudit_search_isid_type_dirs(hotplug_t) - -init_read_script_state(hotplug_t) -# Allow hotplug (including /sbin/ifup-local) to start/stop services and -# run sendmail -q -init_domtrans_script(hotplug_t) -# kernel threads inherit from shared descriptor table used by init -init_dontaudit_rw_initctl(hotplug_t) - -logging_send_syslog_msg(hotplug_t) -logging_search_logs(hotplug_t) - -# Read /usr/lib/gconv/.* -libs_read_lib_files(hotplug_t) - -miscfiles_read_hwdata(hotplug_t) -miscfiles_read_localization(hotplug_t) - -modutils_domtrans_insmod(hotplug_t) -modutils_read_module_deps(hotplug_t) - -seutil_dontaudit_search_config(hotplug_t) - -sysnet_read_config(hotplug_t) - -userdom_dontaudit_use_unpriv_user_fds(hotplug_t) -userdom_dontaudit_search_user_home_dirs(hotplug_t) - -ifdef(`distro_redhat', ` - optional_policy(` - # for arping used for static IP addresses on PCMCIA ethernet - netutils_domtrans(hotplug_t) - netutils_signal(hotplug_t) - fs_rw_tmpfs_chr_files(hotplug_t) - ') - files_getattr_generic_locks(hotplug_t) -') - -optional_policy(` - brctl_domtrans(hotplug_t) -') - -optional_policy(` - consoletype_exec(hotplug_t) -') - -optional_policy(` - dbus_system_bus_client(hotplug_t) -') - -optional_policy(` - fstools_domtrans(hotplug_t) -') - -optional_policy(` - hal_dgram_send(hotplug_t) -') - -optional_policy(` - hostname_exec(hotplug_t) -') - -optional_policy(` - iptables_domtrans(hotplug_t) -') - -optional_policy(` - mount_domtrans(hotplug_t) -') - -optional_policy(` - mta_send_mail(hotplug_t) -') - -optional_policy(` - nis_use_ypbind(hotplug_t) -') - -optional_policy(` - nscd_socket_use(hotplug_t) -') - -optional_policy(` - seutil_sigchld_newrole(hotplug_t) -') - -optional_policy(` - sysnet_domtrans_dhcpc(hotplug_t) - sysnet_signal_dhcpc(hotplug_t) - sysnet_kill_dhcpc(hotplug_t) - sysnet_signull_dhcpc(hotplug_t) - sysnet_sigstop_dhcpc(hotplug_t) - sysnet_sigchld_dhcpc(hotplug_t) - sysnet_read_dhcpc_pid(hotplug_t) - sysnet_rw_dhcp_config(hotplug_t) - sysnet_domtrans_ifconfig(hotplug_t) - sysnet_signal_ifconfig(hotplug_t) -') - -optional_policy(` - udev_domtrans(hotplug_t) - udev_helper_domtrans(hotplug_t) - udev_read_db(hotplug_t) -') - -optional_policy(` - updfstab_domtrans(hotplug_t) -') - -optional_policy(` - usbmodules_domtrans(hotplug_t) -') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc deleted file mode 100644 index b338481..0000000 --- a/policy/modules/system/init.fc +++ /dev/null @@ -1,77 +0,0 @@ -# -# /etc -# -/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - -/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) -/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) - -/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) -/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0) - -/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0) - -ifdef(`distro_gentoo',` -/etc/vmware/init\.d/vmware -- gen_context(system_u:object_r:initrc_exec_t,s0) -/etc/x11/startDM\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) -') - -# -# /dev -# -/dev/initctl -p gen_context(system_u:object_r:initctl_t,s0) - -# -# /sbin -# -/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) - -# -# /sbin -# -/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) -/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) - -ifdef(`distro_gentoo', ` -/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) -/sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0) -/sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) -/sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) -/sbin/svcinit -- gen_context(system_u:object_r:initrc_exec_t,s0) -') - -# -# /usr -# -/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) - -/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) -/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - -/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) -/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) -/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0) - -/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) - -# -# /var -# -ifdef(`distro_gentoo', ` -/var/lib/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) -/var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) -') - -/var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) -/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) - -ifdef(`distro_suse', ` -/var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0) -/var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) -') - diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if deleted file mode 100644 index 666a58f..0000000 --- a/policy/modules/system/init.if +++ /dev/null @@ -1,1936 +0,0 @@ -## System initialization programs (init and init scripts). - -######################################## -## -## Create a file type used for init scripts. -## -## -##

-## Create a file type used for init scripts. It can not be -## used in conjunction with init_script_domain(). These -## script files are typically stored in the /etc/init.d directory. -##

-##

-## Typically this is used to constrain what services an -## admin can start/stop. For example, a policy writer may want -## to constrain a web administrator to only being able to -## restart the web server, not other services. This special type -## will help address that goal. -##

-##

-## This also makes the type usable for files; thus an -## explicit call to files_type() is redundant. -##

-##
-## -## -## Type to be used for a script file. -## -## -## -# -interface(`init_script_file',` - gen_require(` - type initrc_t; - attribute init_script_file_type, init_run_all_scripts_domain; - ') - - typeattribute $1 init_script_file_type; - - domain_entry_file(initrc_t, $1) - - domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t) -') - -######################################## -## -## Create a domain used for init scripts. -## -## -##

-## Create a domain used for init scripts. -## Can not be used in conjunction with -## init_script_file(). -##

-##
-## -## -## Type to be used as an init script domain. -## -## -## -## -## Type of the script file used as an entry point to this domain. -## -## -# -interface(`init_script_domain',` - gen_require(` - attribute init_script_domain_type, init_script_file_type; - attribute init_run_all_scripts_domain; - ') - - typeattribute $1 init_script_domain_type; - typeattribute $2 init_script_file_type; - - domain_type($1) - domain_entry_file($1, $2) - - domtrans_pattern(init_run_all_scripts_domain, $2, $1) -') - -######################################## -## -## Create a domain which can be started by init. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# -interface(`init_domain',` - gen_require(` - type init_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1,$2) - - role system_r types $1; - - tunable_policy(`init_systemd',`', ` - domtrans_pattern(init_t,$2,$1) - allow init_t $1:unix_stream_socket create_stream_socket_perms; - allow $1 init_t:unix_dgram_socket sendto; - ') - - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') - ') -') - -######################################## -## -## Create a domain which can be started by init, -## with a range transition. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -## -## Range for the domain. -## -## -# -interface(`init_ranged_domain',` - gen_require(` - type init_t; - ') - - init_domain($1,$2) - - ifdef(`enable_mcs',` - range_transition init_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition init_t $2:process $3; - mls_rangetrans_target($1) - ') -') - -######################################## -## -## Create a domain for long running processes -## (daemons/services) which are started by init scripts. -## -## -##

-## Create a domain for long running processes (daemons/services) -## which are started by init scripts. Short running processes -## should use the init_system_domain() interface instead. -## Typically all long running processes started by an init -## script (usually in /etc/init.d) will need to use this -## interface. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##

-## If the process must also run in a specific MLS/MCS level, -## the init_ranged_daemon_domain() should be used instead. -##

-##
-## -## -## Type to be used as a daemon domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -# -interface(`init_daemon_domain',` - gen_require(` - attribute direct_run_init, direct_init, direct_init_entry; - type initrc_t; - type init_t; - role system_r; - attribute daemon; - attribute initrc_transition_domain; - ') - - typeattribute $1 daemon; - - domain_type($1) - domain_entry_file($1,$2) - - role system_r types $1; - - domtrans_pattern(initrc_t,$2,$1) - allow initrc_t $1:process siginh; - allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; - allow $1 initrc_transition_domain:fd use; - - tunable_policy(`init_upstart || init_systemd',` - # Handle upstart direct transition to a executable - domtrans_pattern(init_t,$2,$1) - allow init_t $1:process siginh; - ') - - tunable_policy(`init_systemd',` - allow init_t $1:unix_stream_socket create_stream_socket_perms; - allow $1 init_t:unix_dgram_socket sendto; - ') - - # daemons started from init will - # inherit fds from init for the console - init_dontaudit_use_fds($1) - term_dontaudit_use_console($1) - - # init script ptys are the stdin/out/err - # when using run_init - init_use_script_ptys($1) - - ifdef(`direct_sysadm_daemon',` - domtrans_pattern(direct_run_init,$2,$1) - allow direct_run_init $1:process { noatsecure siginh rlimitinh }; - - typeattribute $1 direct_init; - typeattribute $2 direct_init_entry; - - userdom_dontaudit_use_user_terminals($1) - ') - - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') - ') - - optional_policy(` - nscd_socket_use($1) - ') -') - -######################################## -## -## Create a domain for long running processes -## (daemons/services) which are started by init scripts, -## running at a specified MLS/MCS range. -## -## -##

-## Create a domain for long running processes (daemons/services) -## which are started by init scripts, running at a specified -## MLS/MCS range. Short running processes -## should use the init_ranged_system_domain() interface instead. -## Typically all long running processes started by an init -## script (usually in /etc/init.d) will need to use this -## interface if they need to run in a specific MLS/MCS range. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##

-## If the policy build option TYPE is standard (MLS and MCS disabled), -## this interface has the same behavior as init_daemon_domain(). -##

-##
-## -## -## Type to be used as a daemon domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -## -## MLS/MCS range for the domain. -## -## -## -# -interface(`init_ranged_daemon_domain',` - gen_require(` - type initrc_t; - ') - -# init_daemon_domain($1,$2) - - ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; - mls_rangetrans_target($1) - ') -') - -######################################## -## -## Create a domain for short running processes -## which are started by init scripts. -## -## -##

-## Create a domain for long running processes (daemons/services) -## which are started by init scripts. These are generally applications that -## are used to initialize the system during boot. -## Long running processes -## should use the init_daemon_domain() interface instead. -## Typically all short running processes started by an init -## script (usually in /etc/init.d) will need to use this -## interface. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##

-## If the process must also run in a specific MLS/MCS level, -## the init_ranged_system_domain() should be used instead. -##

-##
-## -## -## Type to be used as a system domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -# -interface(`init_system_domain',` - gen_require(` - type init_t; - type initrc_t; - role system_r; - attribute initrc_transition_domain; - ') - - application_domain($1,$2) - - role system_r types $1; - - domtrans_pattern(initrc_t,$2,$1) - allow initrc_t $1:process siginh; - allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; - allow $1 initrc_transition_domain:fd use; - - tunable_policy(`init_systemd',` - # Handle upstart/systemd direct transition to a executable - domtrans_pattern(init_t,$2,$1) - allow init_t $1:process siginh; - allow init_t $1:unix_stream_socket create_stream_socket_perms; - allow $1 init_t:unix_dgram_socket sendto; - ') - - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') - ') - - userdom_dontaudit_search_user_home_dirs($1) - userdom_dontaudit_rw_stream($1) - userdom_dontaudit_write_user_tmp_files($1) - - tunable_policy(`allow_daemons_use_tty',` - term_use_all_ttys($1) - term_use_all_ptys($1) - ',` - term_dontaudit_use_all_ttys($1) - term_dontaudit_use_all_ptys($1) - ') - - # these apps are often redirect output to random log files - logging_inherit_append_all_logs($1) - - optional_policy(` - cron_rw_pipes($1) - ') - - optional_policy(` - xserver_dontaudit_append_xdm_home_files($1) - ') - - optional_policy(` - unconfined_dontaudit_rw_pipes($1) - unconfined_dontaudit_rw_stream($1) - userdom_dontaudit_read_user_tmp_files($1) - ') - - init_rw_script_stream_sockets($1) -') - -######################################## -## -## Create a domain for short running processes -## which are started by init scripts. -## -## -##

-## Create a domain for long running processes (daemons/services) -## which are started by init scripts. -## These are generally applications that -## are used to initialize the system during boot. -## Long running processes -## should use the init_ranged_system_domain() interface instead. -## Typically all short running processes started by an init -## script (usually in /etc/init.d) will need to use this -## interface if they need to run in a specific MLS/MCS range. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##

-## If the policy build option TYPE is standard (MLS and MCS disabled), -## this interface has the same behavior as init_system_domain(). -##

-##
-## -## -## Type to be used as a system domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -## -## Range for the domain. -## -## -## -# -interface(`init_ranged_system_domain',` - gen_require(` - type initrc_t; - ') - - init_system_domain($1,$2) - - ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; - ') -') - -######################################## -## -## Execute init (/sbin/init) with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`init_domtrans',` - gen_require(` - type init_t, init_exec_t; - ') - - domtrans_pattern($1, init_exec_t, init_t) -') - -######################################## -## -## Execute the init program in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`init_exec',` - gen_require(` - type init_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, init_exec_t) -') - -######################################## -## -## Get the process group of init. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_getpgid',` - gen_require(` - type init_t; - ') - - allow $1 init_t:process getpgid; -') - -######################################## -## -## Send init a null signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_signull',` - gen_require(` - type init_t; - ') - - allow $1 init_t:process signull; -') - -######################################## -## -## Send init a SIGCHLD signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_sigchld',` - gen_require(` - type init_t; - ') - - allow $1 init_t:process sigchld; -') - -######################################## -## -## Inherit and use file descriptors from init. -## -## -##

-## Allow the specified domain to inherit file -## descriptors from the init program (process ID 1). -## Typically the only file descriptors to be -## inherited from init are for the console. -## This does not allow the domain any access to -## the object to which the file descriptors references. -##

-##

-## Related interfaces: -##

-##
    -##
  • init_dontaudit_use_fds()
  • -##
  • term_dontaudit_use_console()
  • -##
  • term_use_console()
  • -##
-##

-## Example usage: -##

-##

-## init_use_fds(mydomain_t) -## term_use_console(mydomain_t) -##

-##

-## Normally, processes that can inherit these file -## descriptors (usually services) write messages to the -## system log instead of writing to the console. -## Therefore, in many cases, this access should -## dontaudited instead. -##

-##

-## Example dontaudit usage: -##

-##

-## init_dontaudit_use_fds(mydomain_t) -## term_dontaudit_use_console(mydomain_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`init_use_fds',` - gen_require(` - type init_t; - ') - - allow $1 init_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit file -## descriptors from init. -## -## -## -## Domain to not audit. -## -## -# -interface(`init_dontaudit_use_fds',` - gen_require(` - type init_t; - ') - - dontaudit $1 init_t:fd use; -') - -######################################## -## -## Send UDP network traffic to init. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Get the attributes of initctl. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_getattr_initctl',` - gen_require(` - type initctl_t; - ') - - allow $1 initctl_t:fifo_file getattr; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of initctl. -## -## -## -## Domain to not audit. -## -## -# -interface(`init_dontaudit_getattr_initctl',` - gen_require(` - type initctl_t; - ') - - dontaudit $1 initctl_t:fifo_file getattr; -') - -######################################## -## -## Write to initctl. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_write_initctl',` - gen_require(` - type initctl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 initctl_t:fifo_file write; -') - -######################################## -## -## Use telinit (Read and write initctl). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`init_telinit',` - gen_require(` - type initctl_t; - ') - - corecmd_exec_bin($1) - - dev_list_all_dev_nodes($1) - allow $1 initctl_t:fifo_file rw_fifo_file_perms; - - init_exec($1) - - tunable_policy(`init_upstart || init_systemd',` - gen_require(` - type init_t; - ') - - allow $1 init_t:process signal; - # upstart uses a datagram socket instead of initctl pipe - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 init_t:unix_dgram_socket sendto; - #576913 - allow $1 init_t:unix_stream_socket connectto; - ') -') - -######################################## -## -## Read and write initctl. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_rw_initctl',` - gen_require(` - type initctl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 initctl_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read and -## write initctl. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_dontaudit_rw_initctl',` - gen_require(` - type initctl_t; - ') - - dontaudit $1 initctl_t:fifo_file { read write }; -') - -######################################## -## -## Make init scripts an entry point for -## the specified domain. -## -## -## -## Domain allowed access. -## -## -# cjp: added for gentoo integrated run_init -interface(`init_script_file_entry_type',` - gen_require(` - type initrc_exec_t; - ') - - domain_entry_file($1, initrc_exec_t) -') - -######################################## -## -## Execute init scripts with a specified domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`init_spec_domtrans_script',` - gen_require(` - type initrc_t; - attribute init_script_file_type; - ') - - files_list_etc($1) - spec_domtrans_pattern($1, init_script_file_type, initrc_t) - - ifdef(`enable_mcs',` - range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` - range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') -') - -######################################## -## -## Execute init scripts with an automatic domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`init_domtrans_script',` - gen_require(` - type initrc_t; - attribute init_script_file_type; - attribute initrc_transition_domain; - ') - typeattribute $1 initrc_transition_domain; - - files_list_etc($1) - domtrans_pattern($1, init_script_file_type, initrc_t) - - ifdef(`enable_mcs',` - range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` - range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') -') - -######################################## -## -## Execute a file in a bin directory -## in the initrc_t domain -## -## -## -## Domain allowed access. -## -## -# -interface(`init_bin_domtrans_spec',` - gen_require(` - type initrc_t; - ') - - corecmd_bin_domtrans($1, initrc_t) -') - -######################################## -## -## Execute a init script in a specified domain. -## -## -##

-## Execute a init script in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# cjp: added for gentoo integrated run_init -interface(`init_script_file_domtrans',` - gen_require(` - type initrc_exec_t; - ') - - files_list_etc($1) - domain_auto_trans($1, initrc_exec_t,$2) -') - -######################################## -## -## Transition to the init script domain -## on a specified labeled init script. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Labeled init script file. -## -## -# -interface(`init_labeled_script_domtrans',` - gen_require(` - type initrc_t; - attribute initrc_transition_domain; - ') - - typeattribute $1 initrc_transition_domain; - # service script searches all filesystems via mountpoint - fs_search_all($1) - domtrans_pattern($1, $2, initrc_t) - files_search_etc($1) -') - -######################################### -## -## Transition to the init script domain -## for all labeled init script types -## -## -## -## Domain allowed to transition. -## -## -# -interface(`init_all_labeled_script_domtrans',` - gen_require(` - attribute init_script_file_type; - ') - - init_labeled_script_domtrans($1, init_script_file_type) -') - -######################################## -## -## Start and stop daemon programs directly. -## -## -##

-## Start and stop daemon programs directly -## in the traditional "/etc/init.d/daemon start" -## style, and do not require run_init. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The role to be performing this action. -## -## -# -interface(`init_run_daemon',` - gen_require(` - attribute direct_run_init, direct_init, direct_init_entry; - role system_r; - ') - - typeattribute $1 direct_run_init; - role_transition $2 direct_init_entry system_r; -') - -######################################## -## -## Read the process state (/proc/pid) of init. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_read_state',` - gen_require(` - attribute init_t; - ') - - allow $1 init_t:dir search_dir_perms; - allow $1 init_t:file read_file_perms; - allow $1 init_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Ptrace init -## -## -## -## Domain allowed access. -## -## -## -# -interface(`init_ptrace',` - gen_require(` - attribute init_t; - ') - - allow $1 init_t:process ptrace; -') - -######################################## -## -## Write an init script unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_write_script_pipes',` - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:fifo_file write; -') - -######################################## -## -## Get the attribute of init script entrypoint files. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_getattr_script_files',` - gen_require(` - type initrc_exec_t; - ') - - files_list_etc($1) - allow $1 initrc_exec_t:file getattr; -') - -######################################## -## -## Read init scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_read_script_files',` - gen_require(` - type initrc_exec_t; - ') - - files_search_etc($1) - allow $1 initrc_exec_t:file read_file_perms; -') - -######################################## -## -## Execute init scripts in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_exec_script_files',` - gen_require(` - type initrc_exec_t; - ') - - files_list_etc($1) - can_exec($1, initrc_exec_t) -') - -######################################## -## -## Get the attribute of all init script entrypoint files. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_getattr_all_script_files',` - gen_require(` - attribute init_script_file_type; - ') - - files_list_etc($1) - allow $1 init_script_file_type:file getattr; -') - -######################################## -## -## Read all init script files. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_read_all_script_files',` - gen_require(` - attribute init_script_file_type; - ') - - files_search_etc($1) - allow $1 init_script_file_type:file read_file_perms; -') - -####################################### -## -## Dontaudit read all init script files. -## -## -## -## Domain to not audit. -## -## -# -interface(`init_dontaudit_read_all_script_files',` - gen_require(` - attribute init_script_file_type; - ') - - dontaudit $1 init_script_file_type:file read_file_perms; -') - -######################################## -## -## Execute all init scripts in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_exec_all_script_files',` - gen_require(` - attribute init_script_file_type; - ') - - files_list_etc($1) - can_exec($1, init_script_file_type) -') - -######################################## -## -## Read the process state (/proc/pid) of the init scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_read_script_state',` - gen_require(` - type initrc_t; - ') - - kernel_search_proc($1) - ps_process_pattern($1, initrc_t) -') - -######################################## -## -## Inherit and use init script file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_use_script_fds',` - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit -## init script file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`init_dontaudit_use_script_fds',` - gen_require(` - type initrc_t; - ') - - dontaudit $1 initrc_t:fd use; -') - -######################################## -## -## Get the process group ID of init scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_getpgid_script',` - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:process getpgid; -') - -######################################## -## -## Send SIGCHLD signals to init scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_sigchld_script',` - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:process sigchld; -') - -######################################## -## -## Send generic signals to init scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_signal_script',` - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:process signal; -') - -######################################## -## -## Send null signals to init scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_signull_script',` - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:process signull; -') - -######################################## -## -## Read and write init script unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_rw_script_pipes',` - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:fifo_file { read write }; -') - -######################################## -## -## Send UDP network traffic to init scripts. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`init_udp_send_script',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Allow the specified domain to connect to -## init scripts with a unix socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_stream_connect_script',` - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:unix_stream_socket connectto; -') - -######################################## -## -## Allow the specified domain to read/write to -## init scripts with a unix domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_rw_script_stream_sockets',` - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:unix_stream_socket rw_socket_perms; -') - -######################################## -## -## Dont audit the specified domain connecting to -## init scripts with a unix domain stream socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`init_dontaudit_stream_connect_script',` - gen_require(` - type initrc_t; - ') - - dontaudit $1 initrc_t:unix_stream_socket connectto; -') -######################################## -## -## Send messages to init scripts over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_dbus_send_script',` - gen_require(` - type initrc_t; - class dbus send_msg; - ') - - allow $1 initrc_t:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## init over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_dbus_chat',` - gen_require(` - type init_t; - class dbus send_msg; - ') - - allow $1 init_t:dbus send_msg; - allow init_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## init scripts over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_dbus_chat_script',` - gen_require(` - type initrc_t; - class dbus send_msg; - ') - - allow $1 initrc_t:dbus send_msg; - allow initrc_t $1:dbus send_msg; -') - -######################################## -## -## Read and write the init script pty. -## -## -##

-## Read and write the init script pty. This -## pty is generally opened by the open_init_pty -## portion of the run_init program so that the -## daemon does not require direct access to -## the administrator terminal. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`init_use_script_ptys',` - gen_require(` - type initrc_devpts_t; - ') - - term_list_ptys($1) - allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; -') - -######################################## -## -## Do not audit attempts to read and -## write the init script pty. -## -## -## -## Domain to not audit. -## -## -# -interface(`init_dontaudit_use_script_ptys',` - gen_require(` - type initrc_devpts_t; - ') - - dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; -') - -######################################## -## -## Get the attributes of init script -## status files. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_getattr_script_status_files',` - gen_require(` - type initrc_state_t; - ') - - getattr_files_pattern($1, initrc_state_t, initrc_state_t) -') - -######################################## -## -## Manage init script -## status files. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_manage_script_status_files',` - gen_require(` - type initrc_state_t; - ') - - manage_files_pattern($1, initrc_state_t, initrc_state_t) -') - -######################################## -## -## Do not audit attempts to read init script -## status files. -## -## -## -## Domain to not audit. -## -## -# -interface(`init_dontaudit_read_script_status_files',` - gen_require(` - type initrc_state_t; - ') - - dontaudit $1 initrc_state_t:dir search_dir_perms; - dontaudit $1 initrc_state_t:file read_file_perms; -') - -######################################## -## -## Read init script temporary data. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_read_script_tmp_files',` - gen_require(` - type initrc_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, initrc_tmp_t, initrc_tmp_t) -') - -######################################## -## -## Read and write init script temporary data. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_rw_script_tmp_files',` - gen_require(` - type initrc_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t) -') - -######################################## -## -## Create files in a init script -## temporary data directory. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -# -interface(`init_script_tmp_filetrans',` - gen_require(` - type initrc_tmp_t; - ') - - files_search_tmp($1) - filetrans_pattern($1, initrc_tmp_t, $2, $3) -') - -######################################## -## -## Get the attributes of init script process id files. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_getattr_utmp',` - gen_require(` - type initrc_var_run_t; - ') - - allow $1 initrc_var_run_t:file getattr; -') - -######################################## -## -## Read utmp. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_read_utmp',` - gen_require(` - type initrc_var_run_t; - ') - - files_list_pids($1) - allow $1 initrc_var_run_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to write utmp. -## -## -## -## Domain to not audit. -## -## -# -interface(`init_dontaudit_write_utmp',` - gen_require(` - type initrc_var_run_t; - ') - - dontaudit $1 initrc_var_run_t:file { write lock }; -') - -######################################## -## -## Write to utmp. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_write_utmp',` - gen_require(` - type initrc_var_run_t; - ') - - files_list_pids($1) - allow $1 initrc_var_run_t:file { getattr open write }; -') - -######################################## -## -## Do not audit attempts to lock -## init script pid files. -## -## -## -## Domain to not audit. -## -## -# -interface(`init_dontaudit_lock_utmp',` - gen_require(` - type initrc_var_run_t; - ') - - dontaudit $1 initrc_var_run_t:file lock; -') - -######################################## -## -## Read and write utmp. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_rw_utmp',` - gen_require(` - type initrc_var_run_t; - ') - - files_list_pids($1) - allow $1 initrc_var_run_t:file rw_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write utmp. -## -## -## -## Domain to not audit. -## -## -# -interface(`init_dontaudit_rw_utmp',` - gen_require(` - type initrc_var_run_t; - ') - - dontaudit $1 initrc_var_run_t:file rw_file_perms; -') - -######################################## -## -## Create, read, write, and delete utmp. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_manage_utmp',` - gen_require(` - type initrc_var_run_t; - ') - - files_search_pids($1) - allow $1 initrc_var_run_t:file manage_file_perms; -') - -######################################## -## -## Create files in /var/run with the -## utmp file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_pid_filetrans_utmp',` - gen_require(` - type initrc_var_run_t; - ') - - files_pid_filetrans($1, initrc_var_run_t, file) -') - -######################################## -## -## Allow the specified domain to connect to daemon with a tcp socket -## -## -## -## Domain allowed access. -## -## -# -interface(`init_tcp_recvfrom_all_daemons',` - gen_require(` - attribute daemon; - ') - - corenet_tcp_recvfrom_labeled($1, daemon) -') - -######################################## -## -## Allow the specified domain to connect to daemon with a udp socket -## -## -## -## Domain allowed access. -## -## -# -interface(`init_udp_recvfrom_all_daemons',` - gen_require(` - attribute daemon; - ') - corenet_udp_recvfrom_labeled($1, daemon) -') - -######################################## -## -## Transition to system_r when execute an init script -## -## -##

-## Execute a init script in a specified role -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Role to transition from. -## -## -# -interface(`init_script_role_transition',` - gen_require(` - attribute init_script_file_type; - ') - - role_transition $1 init_script_file_type system_r; -') - -######################################## -## -## dontaudit read and write an leaked init scrip file descriptors -## -## -## -## Domain allowed access. -## -## -# -interface(`init_dontaudit_script_leaks',` - gen_require(` - type initrc_t; - ') - - dontaudit $1 initrc_t:tcp_socket { read write }; - dontaudit $1 initrc_t:udp_socket { read write }; - dontaudit $1 initrc_t:unix_dgram_socket { read write }; - dontaudit $1 initrc_t:unix_stream_socket { read write }; - dontaudit $1 initrc_t:shm rw_shm_perms; - init_dontaudit_use_script_ptys($1) - init_dontaudit_use_script_fds($1) -') - - -######################################## -## -## Allow the specified domain to connect to -## the init process with a unix socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_stream_connect',` - gen_require(` - type init_t; - ') - - allow $1 init_t:unix_stream_socket connectto; -') - -######################################## -## -## Allow the specified domain to read/write to -## init with a unix domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_rw_stream_sockets',` - gen_require(` - type init_t; - ') - - allow $1 init_t:unix_stream_socket rw_stream_socket_perms; -') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te deleted file mode 100644 index 532ff21..0000000 --- a/policy/modules/system/init.te +++ /dev/null @@ -1,1134 +0,0 @@ -policy_module(init, 1.15.3) - -gen_require(` - class passwd rootok; -') - -######################################## -# -# Declarations -# - -## -##

-## Enable support for upstart as the init program. -##

-##
-gen_tunable(init_upstart, false) - -## -##

-## Enable support for systemd as the init program. -##

-##
-gen_tunable(init_systemd, false) - -## -##

-## Allow all daemons the ability to read/write terminals -##

-##
-gen_tunable(allow_daemons_use_tty, false) - -## -##

-## Allow all daemons to write corefiles to / -##

-##
-gen_tunable(allow_daemons_dump_core, false) - -# used for direct running of init scripts -# by admin domains -attribute direct_run_init; -attribute direct_init; -attribute direct_init_entry; - -attribute init_script_domain_type; -attribute init_script_file_type; -attribute init_run_all_scripts_domain; -attribute initrc_transition_domain; - -# Mark process types as daemons -attribute daemon; - -# -# init_t is the domain of the init process. -# -type init_t, initrc_transition_domain; -type init_exec_t; -domain_type(init_t) -domain_entry_file(init_t, init_exec_t) -kernel_domtrans_to(init_t, init_exec_t) -role system_r types init_t; - -# -# init_var_run_t is the type for /var/run/shutdown.pid. -# -type init_var_run_t; -files_pid_file(init_var_run_t) - -# -# initctl_t is the type of the named pipe created -# by init during initialization. This pipe is used -# to communicate with init. -# -type initctl_t; -files_type(initctl_t) -mls_trusted_object(initctl_t) - -type initrc_t, init_script_domain_type, init_run_all_scripts_domain; -type initrc_exec_t, init_script_file_type; -domain_type(initrc_t) -domain_entry_file(initrc_t, initrc_exec_t) -role system_r types initrc_t; -# should be part of the true block -# of the below init_upstart tunable -# but this has a typeattribute in it -corecmd_shell_entry_type(initrc_t) -corecmd_bin_entry_type(initrc_t) - -type initrc_devpts_t; -term_pty(initrc_devpts_t) -files_type(initrc_devpts_t) - -type initrc_state_t; -files_type(initrc_state_t) - -type initrc_tmp_t; -files_tmp_file(initrc_tmp_t) - -type initrc_var_run_t; -files_pid_file(initrc_var_run_t) - -ifdef(`enable_mls',` - kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh) -') - -######################################## -# -# Init local policy -# - -# Use capabilities. old rule: -allow init_t self:capability ~{ audit_control audit_write sys_module }; -# is ~sys_module really needed? observed: -# sys_boot -# sys_tty_config -# kill: now provided by domain_kill_all_domains() -# setuid (from /sbin/shutdown) -# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() - -allow init_t self:fifo_file rw_fifo_file_perms; - -# Re-exec itself -can_exec(init_t, init_exec_t) - -allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; -allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms }; -allow initrc_t init_t:fifo_file rw_fifo_file_perms; - -# For /var/run/shutdown.pid. -allow init_t init_var_run_t:file manage_file_perms; -files_pid_filetrans(init_t, init_var_run_t, file) - -allow init_t initctl_t:fifo_file manage_fifo_file_perms; -dev_filetrans(init_t, initctl_t, fifo_file) - -# Modify utmp. -allow init_t initrc_var_run_t:file { rw_file_perms setattr }; - -kernel_read_system_state(init_t) -kernel_share_state(init_t) -kernel_stream_connect(init_t) - -corecmd_exec_chroot(init_t) -corecmd_exec_bin(init_t) - -dev_read_sysfs(init_t) -dev_read_urand(init_t) -# Early devtmpfs -dev_rw_generic_chr_files(init_t) - -domain_getpgid_all_domains(init_t) -domain_kill_all_domains(init_t) -domain_signal_all_domains(init_t) -domain_signull_all_domains(init_t) -domain_sigstop_all_domains(init_t) -domain_sigstop_all_domains(init_t) -domain_sigchld_all_domains(init_t) -domain_read_all_domains_state(init_t) - -files_read_etc_files(init_t) -files_read_all_pids(init_t) -files_rw_generic_pids(init_t) -files_dontaudit_search_isid_type_dirs(init_t) -files_manage_etc_runtime_files(init_t) -files_etc_filetrans_etc_runtime(init_t, file) -# Run /etc/X11/prefdm: -files_exec_etc_files(init_t) -# file descriptors inherited from the rootfs: -files_dontaudit_rw_root_files(init_t) -files_dontaudit_rw_root_chr_files(init_t) - -fs_list_inotifyfs(init_t) -# cjp: this may be related to /dev/log -fs_write_ramfs_sockets(init_t) - -mcs_process_set_categories(init_t) -mcs_killall(init_t) - -mls_file_read_all_levels(init_t) -mls_file_write_all_levels(init_t) -mls_process_write_down(init_t) -mls_fd_use_all_levels(init_t) - -selinux_set_all_booleans(init_t) - -term_use_all_terms(init_t) - -# Run init scripts. -init_domtrans_script(init_t) - -libs_rw_ld_so_cache(init_t) - -logging_send_syslog_msg(init_t) -logging_send_audit_msgs(init_t) -logging_rw_generic_logs(init_t) - -seutil_read_config(init_t) - -miscfiles_read_localization(init_t) - -allow init_t self:process setsched; - -ifdef(`distro_gentoo',` - allow init_t self:process { getcap setcap }; -') - -ifdef(`distro_redhat',` - fs_read_tmpfs_symlinks(init_t) - fs_rw_tmpfs_chr_files(init_t) - fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) -') - -tunable_policy(`init_upstart || init_systemd',` - corecmd_shell_domtrans(init_t, initrc_t) -',` - # Run the shell in the sysadm role for single-user mode. - # causes problems with upstart - sysadm_shell_domtrans(init_t) -') - -storage_raw_rw_fixed_disk(init_t) -modutils_domtrans_insmod(init_t) - -tunable_policy(`init_systemd',` - allow init_t self:unix_dgram_socket { create_socket_perms sendto }; - allow init_t self:process { setsockcreate setfscreate }; - allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow init_t self:netlink_kobject_uevent_socket create_socket_perms; - # Until systemd is fixed - allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; - allow init_t self:netlink_route_socket create_netlink_socket_perms; - - kernel_list_unlabeled(init_t) - kernel_read_network_state(init_t) - kernel_unmount_debugfs(init_t) - - dev_write_kmsg(init_t) - dev_rw_autofs(init_t) - dev_manage_generic_dirs(init_t) - dev_manage_generic_files(init_t) - dev_read_generic_chr_files(init_t) - dev_relabelfrom_generic_chr_files(init_t) - dev_relabel_autofs_dev(init_t) - dev_manage_sysfs_dirs(init_t) - dev_filetrans_named_dev(init_t) - - files_mounton_all_mountpoints(init_t) - files_manage_all_pids_dirs(init_t) - - fs_manage_cgroup_dirs(init_t) - fs_manage_hugetlbfs_dirs(init_t) - fs_manage_tmpfs_dirs(init_t) - fs_mount_all_fs(init_t) - fs_list_auto_mountpoints(init_t) - fs_read_cgroup_files(init_t) - fs_write_cgroup_files(init_t) - fs_search_cgroup_dirs(daemon) - - selinux_compute_create_context(init_t) - selinux_validate_context(init_t) - selinux_unmount_fs(init_t) - - storage_getattr_removable_dev(init_t) - - init_read_script_state(init_t) - - seutil_read_file_contexts(init_t) -') - -optional_policy(` - auth_rw_login_records(init_t) -') - -optional_policy(` - consolekit_manage_log(init_t) -') - -optional_policy(` - dbus_connect_system_bus(init_t) - dbus_system_bus_client(init_t) - dbus_delete_pid_files(init_t) -') - -optional_policy(` - # /var/run/dovecot/login/ssl-parameters.dat is a hard link to - # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up - # the directory. But we do not want to allow this. - # The master process of dovecot will manage this file. - dovecot_dontaudit_unlink_lib_files(initrc_t) -') - -optional_policy(` - nscd_socket_use(init_t) -') - -optional_policy(` - plymouthd_stream_connect(init_t) - plymouthd_exec_plymouth(init_t) -') - -optional_policy(` - sssd_stream_connect(init_t) -') - -optional_policy(` - udev_read_db(init_t) -') - -optional_policy(` - unconfined_domain(init_t) -') - -######################################## -# -# Init script local policy -# - -allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; -dontaudit initrc_t self:capability sys_module; # sysctl is triggering this -allow initrc_t self:passwd rootok; -allow initrc_t self:key manage_key_perms; - -# Allow IPC with self -allow initrc_t self:unix_dgram_socket create_socket_perms; -allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto }; -allow initrc_t self:tcp_socket create_stream_socket_perms; -allow initrc_t self:udp_socket create_socket_perms; -allow initrc_t self:fifo_file rw_file_perms; - -allow initrc_t initrc_devpts_t:chr_file rw_term_perms; -term_create_pty(initrc_t, initrc_devpts_t) - -# Going to single user mode -init_telinit(initrc_t) - -can_exec(initrc_t, init_script_file_type) - -domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t) - -manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t) -manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t) -manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t) -manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) - -allow initrc_t initrc_var_run_t:file manage_file_perms; -files_pid_filetrans(initrc_t, initrc_var_run_t, file) -files_manage_generic_pids_symlinks(initrc_t) - -can_exec(initrc_t, initrc_tmp_t) -manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) - -init_write_initctl(initrc_t) - -kernel_read_system_state(initrc_t) -kernel_read_software_raid_state(initrc_t) -kernel_read_network_state(initrc_t) -kernel_read_ring_buffer(initrc_t) -kernel_change_ring_buffer_level(initrc_t) -kernel_clear_ring_buffer(initrc_t) -kernel_get_sysvipc_info(initrc_t) -kernel_read_all_sysctls(initrc_t) -kernel_request_load_module(initrc_t) -kernel_rw_all_sysctls(initrc_t) -# for lsof which is used by alsa shutdown: -kernel_dontaudit_getattr_message_if(initrc_t) -kernel_stream_connect(initrc_t) -files_read_kernel_modules(initrc_t) -files_read_config_files(initrc_t) -files_read_var_lib_symlinks(initrc_t) -files_setattr_pid_dirs(initrc_t) - -files_read_kernel_symbol_table(initrc_t) -files_exec_etc_files(initrc_t) -files_manage_etc_symlinks(initrc_t) -files_manage_system_conf_files(initrc_t) - -fs_manage_tmpfs_dirs(initrc_t) -fs_tmpfs_filetrans(initrc_t, initrc_state_t, file) - -corecmd_exec_all_executables(initrc_t) - -corenet_all_recvfrom_unlabeled(initrc_t) -corenet_all_recvfrom_netlabel(initrc_t) -corenet_tcp_sendrecv_all_if(initrc_t) -corenet_udp_sendrecv_all_if(initrc_t) -corenet_tcp_sendrecv_all_nodes(initrc_t) -corenet_udp_sendrecv_all_nodes(initrc_t) -corenet_tcp_sendrecv_all_ports(initrc_t) -corenet_udp_sendrecv_all_ports(initrc_t) -corenet_tcp_connect_all_ports(initrc_t) -corenet_sendrecv_all_client_packets(initrc_t) - -dev_read_rand(initrc_t) -dev_read_urand(initrc_t) -dev_write_kmsg(initrc_t) -dev_write_rand(initrc_t) -dev_write_urand(initrc_t) -dev_rw_sysfs(initrc_t) -dev_list_usbfs(initrc_t) -dev_read_framebuffer(initrc_t) -dev_write_framebuffer(initrc_t) -dev_read_realtime_clock(initrc_t) -dev_read_sound_mixer(initrc_t) -dev_write_sound_mixer(initrc_t) -dev_setattr_all_chr_files(initrc_t) -dev_rw_lvm_control(initrc_t) -dev_rw_generic_chr_files(initrc_t) -dev_delete_lvm_control_dev(initrc_t) -dev_manage_generic_symlinks(initrc_t) -dev_manage_generic_files(initrc_t) -# Wants to remove udev.tbl: -dev_delete_generic_symlinks(initrc_t) -dev_getattr_all_blk_files(initrc_t) -dev_getattr_all_chr_files(initrc_t) -dev_rw_xserver_misc(initrc_t) - -domain_kill_all_domains(initrc_t) -domain_signal_all_domains(initrc_t) -domain_signull_all_domains(initrc_t) -domain_sigstop_all_domains(initrc_t) -domain_sigstop_all_domains(initrc_t) -domain_sigchld_all_domains(initrc_t) -domain_read_all_domains_state(initrc_t) -domain_getattr_all_domains(initrc_t) -domain_dontaudit_ptrace_all_domains(initrc_t) -domain_getsession_all_domains(initrc_t) -domain_use_interactive_fds(initrc_t) -# for lsof which is used by alsa shutdown: -domain_dontaudit_getattr_all_udp_sockets(initrc_t) -domain_dontaudit_getattr_all_tcp_sockets(initrc_t) -domain_dontaudit_getattr_all_dgram_sockets(initrc_t) -domain_dontaudit_getattr_all_pipes(initrc_t) - -files_getattr_all_dirs(initrc_t) -files_getattr_all_files(initrc_t) -files_getattr_all_symlinks(initrc_t) -files_getattr_all_pipes(initrc_t) -files_getattr_all_sockets(initrc_t) -files_purge_tmp(initrc_t) -files_manage_all_locks(initrc_t) -files_manage_boot_files(initrc_t) -files_read_all_pids(initrc_t) -files_delete_root_files(initrc_t) -files_delete_all_pids(initrc_t) -files_delete_all_pid_dirs(initrc_t) -files_read_etc_files(initrc_t) -files_manage_etc_runtime_files(initrc_t) -files_etc_filetrans_etc_runtime(initrc_t, file) -files_exec_etc_files(initrc_t) -files_read_usr_files(initrc_t) -files_manage_urandom_seed(initrc_t) -files_manage_generic_spool(initrc_t) -# Mount and unmount file systems. -# cjp: not sure why these are here; should use mount policy -files_list_isid_type_dirs(initrc_t) -files_mounton_isid_type_dirs(initrc_t) -files_list_default(initrc_t) -files_mounton_default(initrc_t) -files_manage_mnt_dirs(initrc_t) -files_manage_mnt_files(initrc_t) - -fs_delete_cgroup_dirs(initrc_t) -fs_list_cgroup_dirs(initrc_t) -fs_rw_cgroup_files(initrc_t) -fs_list_inotifyfs(initrc_t) -fs_register_binary_executable_type(initrc_t) -# rhgb-console writes to ramfs -fs_write_ramfs_pipes(initrc_t) -# cjp: not sure why these are here; should use mount policy -fs_mount_all_fs(initrc_t) -fs_unmount_all_fs(initrc_t) -fs_remount_all_fs(initrc_t) -fs_getattr_all_fs(initrc_t) -fs_search_all(initrc_t) -fs_getattr_nfsd_files(initrc_t) - -# initrc_t needs to do a pidof which requires ptrace -mcs_ptrace_all(initrc_t) -mcs_killall(initrc_t) -mcs_process_set_categories(initrc_t) - -mls_file_read_all_levels(initrc_t) -mls_file_write_all_levels(initrc_t) -mls_process_read_up(initrc_t) -mls_process_write_down(initrc_t) -mls_rangetrans_source(initrc_t) -mls_fd_share_all_levels(initrc_t) -mls_socket_write_to_clearance(initrc_t) - -selinux_get_enforce_mode(initrc_t) - -storage_getattr_fixed_disk_dev(initrc_t) -storage_setattr_fixed_disk_dev(initrc_t) -storage_setattr_removable_dev(initrc_t) - -term_use_all_terms(initrc_t) -term_reset_tty_labels(initrc_t) - -auth_rw_login_records(initrc_t) -auth_setattr_login_records(initrc_t) -auth_rw_lastlog(initrc_t) -auth_read_pam_pid(initrc_t) -auth_delete_pam_pid(initrc_t) -auth_delete_pam_console_data(initrc_t) -auth_use_nsswitch(initrc_t) -auth_manage_faillog(initrc_t) - -libs_rw_ld_so_cache(initrc_t) -libs_exec_lib_files(initrc_t) -libs_exec_ld_so(initrc_t) - -logging_send_audit_msgs(initrc_t) -logging_send_syslog_msg(initrc_t) -logging_manage_generic_logs(initrc_t) -logging_read_all_logs(initrc_t) -logging_append_all_logs(initrc_t) -logging_read_audit_config(initrc_t) - -miscfiles_read_localization(initrc_t) -# slapd needs to read cert files from its initscript -miscfiles_manage_generic_cert_files(initrc_t) - -modutils_read_module_config(initrc_t) -modutils_domtrans_insmod(initrc_t) - -seutil_read_config(initrc_t) - -userdom_read_admin_home_files(initrc_t) -userdom_read_user_home_content_files(initrc_t) -# Allow access to the sysadm TTYs. Note that this will give access to the -# TTYs to any process in the initrc_t domain. Therefore, daemons and such -# started from init should be placed in their own domain. -userdom_use_user_terminals(initrc_t) - -ifdef(`distro_debian',` - dev_setattr_generic_dirs(initrc_t) - - fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir) - - # for storing state under /dev/shm - fs_setattr_tmpfs_dirs(initrc_t) - storage_manage_fixed_disk(initrc_t) - storage_tmpfs_filetrans_fixed_disk(initrc_t) - - files_setattr_etc_dirs(initrc_t) -') - -ifdef(`distro_gentoo',` - kernel_dontaudit_getattr_core_if(initrc_t) - - # seed udev /dev - allow initrc_t self:process setfscreate; - dev_create_null_dev(initrc_t) - dev_create_zero_dev(initrc_t) - dev_create_generic_dirs(initrc_t) - term_create_console_dev(initrc_t) - - # unfortunately /sbin/rc does stupid tricks - # with /dev/.rcboot to decide if we are in - # early init - dev_create_generic_dirs(initrc_t) - dev_delete_generic_dirs(initrc_t) - - # allow bootmisc to create /var/lock/.keep. - files_manage_generic_locks(initrc_t) - - # openrc uses tmpfs for its state data - fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file }) - - # init scripts touch this - clock_dontaudit_write_adjtime(initrc_t) - - logging_send_audit_msgs(initrc_t) - - # for integrated run_init to read run_init_type. - # happens during boot (/sbin/rc execs init scripts) - seutil_read_default_contexts(initrc_t) - - # /lib/rcscripts/net/system.sh rewrites resolv.conf :( - sysnet_create_config(initrc_t) - sysnet_write_config(initrc_t) - sysnet_setattr_config(initrc_t) - - optional_policy(` - arpwatch_manage_data_files(initrc_t) - ') - - optional_policy(` - dhcpd_setattr_state_files(initrc_t) - ') -') - -ifdef(`distro_redhat',` - # this is from kmodule, which should get its own policy: - allow initrc_t self:capability sys_admin; - - allow initrc_t self:process setfscreate; - - # Red Hat systems seem to have a stray - # fd open from the initrd - kernel_use_fds(initrc_t) - files_dontaudit_read_root_files(initrc_t) - - # These seem to be from the initrd - # during device initialization: - dev_create_generic_dirs(initrc_t) - dev_rwx_zero(initrc_t) - dev_rx_raw_memory(initrc_t) - dev_wx_raw_memory(initrc_t) - storage_raw_read_fixed_disk(initrc_t) - storage_raw_write_fixed_disk(initrc_t) - - files_create_boot_dirs(initrc_t) - files_create_boot_flag(initrc_t) - files_rw_boot_symlinks(initrc_t) - # wants to read /.fonts directory - files_read_default_files(initrc_t) - files_mountpoint(initrc_tmp_t) - # Needs to cp localtime to /var dirs - files_write_var_dirs(initrc_t) - - fs_read_tmpfs_symlinks(initrc_t) - fs_rw_tmpfs_chr_files(initrc_t) - - storage_manage_fixed_disk(initrc_t) - storage_dev_filetrans_fixed_disk(initrc_t) - storage_getattr_removable_dev(initrc_t) - - # readahead asks for these - auth_dontaudit_read_shadow(initrc_t) - - # init scripts cp /etc/localtime over other directories localtime - miscfiles_rw_localization(initrc_t) - miscfiles_setattr_localization(initrc_t) - miscfiles_relabel_localization(initrc_t) - - miscfiles_read_fonts(initrc_t) - miscfiles_read_hwdata(initrc_t) - - optional_policy(` - alsa_manage_rw_config(initrc_t) - ') - - optional_policy(` - bind_manage_config_dirs(initrc_t) - bind_write_config(initrc_t) - bind_setattr_zone_dirs(initrc_t) - ') - - optional_policy(` - gnome_manage_gconf_config(initrc_t) - ') - - optional_policy(` - ldap_read_db_files(initrc_t) - ') - - optional_policy(` - pulseaudio_stream_connect(initrc_t) - ') - - optional_policy(` - #for /etc/rc.d/init.d/nfs to create /etc/exports - rpc_write_exports(initrc_t) - rpc_manage_nfs_state_data(initrc_t) - ') - optional_policy(` - rpcbind_stream_connect(initrc_t) - ') - - optional_policy(` - sysnet_rw_dhcp_config(initrc_t) - sysnet_manage_config(initrc_t) - sysnet_manage_dhcpc_state(initrc_t) - sysnet_relabelfrom_dhcpc_state(initrc_t) - sysnet_relabelfrom_net_conf(initrc_t) - sysnet_relabelto_net_conf(initrc_t) - ') - - optional_policy(` - xserver_delete_log(initrc_t) - ') -') - -ifdef(`distro_suse',` - optional_policy(` - # set permissions on /tmp/.X11-unix - xserver_setattr_xdm_tmp_dirs(initrc_t) - ') -') - -domain_dontaudit_use_interactive_fds(daemon) - -userdom_dontaudit_list_admin_dir(daemon) -userdom_dontaudit_search_user_tmp(daemon) - -tunable_policy(`allow_daemons_use_tty',` - term_use_unallocated_ttys(daemon) - term_use_generic_ptys(daemon) - term_use_all_ttys(daemon) - term_use_all_ptys(daemon) -',` - term_dontaudit_use_unallocated_ttys(daemon) - term_dontaudit_use_generic_ptys(daemon) - term_dontaudit_use_all_ttys(daemon) - term_dontaudit_use_all_ptys(daemon) - ') - -# system-config-services causes avc messages that should be dontaudited -tunable_policy(`allow_daemons_dump_core',` - files_manage_root_files(daemon) -') - -optional_policy(` - unconfined_dontaudit_rw_pipes(daemon) - unconfined_dontaudit_rw_stream(daemon) - userdom_dontaudit_read_user_tmp_files(daemon) - userdom_dontaudit_write_user_tmp_files(daemon) -') - -optional_policy(` - amavis_search_lib(initrc_t) - amavis_setattr_pid_files(initrc_t) -') - -optional_policy(` - dev_rw_apm_bios(initrc_t) -') - -optional_policy(` - apache_read_config(initrc_t) - apache_list_modules(initrc_t) - # webmin seems to cause this. - apache_search_sys_content(daemon) -') - -optional_policy(` - bind_read_config(initrc_t) - - # for chmod in start script - bind_setattr_pid_dirs(initrc_t) -') - -optional_policy(` - dev_read_usbfs(initrc_t) - bluetooth_read_config(initrc_t) -') - -optional_policy(` - cgroup_stream_connect_cgred(initrc_t) - domain_setpriority_all_domains(initrc_t) -') - -optional_policy(` - clamav_read_config(initrc_t) -') - -optional_policy(` - cpucontrol_stub(initrc_t) - dev_getattr_cpu_dev(initrc_t) -') - -optional_policy(` - chronyd_append_keys(initrc_t) - chronyd_read_keys(initrc_t) -') - -optional_policy(` - dev_getattr_printer_dev(initrc_t) - - cups_read_log(initrc_t) - cups_read_rw_config(initrc_t) -#cups init script clears error log - cups_write_log(initrc_t) -') - -optional_policy(` - daemontools_manage_svc(initrc_t) -') - -optional_policy(` - dbus_connect_system_bus(initrc_t) - dbus_system_bus_client(initrc_t) - dbus_read_config(initrc_t) - dbus_manage_lib_files(initrc_t) - - init_dbus_chat(initrc_t) - - optional_policy(` - consolekit_dbus_chat(initrc_t) - ') - - optional_policy(` - networkmanager_dbus_chat(initrc_t) - ') - - optional_policy(` - policykit_dbus_chat(initrc_t) - ') -') - -optional_policy(` - # /var/run/dovecot/login/ssl-parameters.dat is a hard link to - # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up - # the directory. But we do not want to allow this. - # The master process of dovecot will manage this file. - dovecot_dontaudit_unlink_lib_files(initrc_t) -') - -optional_policy(` - ftp_read_config(initrc_t) -') - -optional_policy(` - gpm_setattr_gpmctl(initrc_t) -') - -optional_policy(` - hal_write_log(initrc_t) -') - -optional_policy(` - dev_read_usbfs(initrc_t) - - # init scripts run /etc/hotplug/usb.rc - hotplug_read_config(initrc_t) - - modutils_read_module_deps(initrc_t) -') - -optional_policy(` - inn_exec_config(initrc_t) -') - -optional_policy(` - ipsec_read_config(initrc_t) - ipsec_manage_pid(initrc_t) -') - -optional_policy(` - iscsi_stream_connect(initrc_t) - iscsi_read_lib_files(initrc_t) -') - -optional_policy(` - kerberos_use(initrc_t) -') - -optional_policy(` - ldap_read_config(initrc_t) - ldap_list_db(initrc_t) -') - -optional_policy(` - loadkeys_exec(initrc_t) -') - -optional_policy(` - # in emergency/recovery situations use sulogin - locallogin_domtrans_sulogin(initrc_t) -') - -optional_policy(` - # This is needed to permit chown to read /var/spool/lpd/lp. - # This is opens up security more than necessary; this means that ANYTHING - # running in the initrc_t domain can read the printer spool directory. - # Perhaps executing /etc/rc.d/init.d/lpd should transition - # to domain lpd_t, instead of waiting for executing lpd. - lpd_list_spool(initrc_t) - - lpd_read_config(initrc_t) -') - -optional_policy(` - #allow initrc_t lvm_control_t:chr_file unlink; - - dev_read_lvm_control(initrc_t) - dev_create_generic_chr_files(initrc_t) - - lvm_read_config(initrc_t) -') - -optional_policy(` - mailman_list_data(initrc_t) - mailman_read_data_symlinks(initrc_t) -') - -optional_policy(` - milter_delete_dkim_pid_files(initrc_t) - milter_setattr_all_dirs(initrc_t) -') - -optional_policy(` - mta_read_config(initrc_t) - mta_write_config(initrc_t) - mta_dontaudit_read_spool_symlinks(initrc_t) -') - -optional_policy(` - ifdef(`distro_redhat',` - mysql_manage_db_dirs(initrc_t) - ') - - mysql_stream_connect(initrc_t) - mysql_write_log(initrc_t) - mysql_read_config(initrc_t) -') - -optional_policy(` - nis_list_var_yp(initrc_t) -') - -optional_policy(` - openvpn_read_config(initrc_t) -') - -optional_policy(` - plymouthd_stream_connect(initrc_t) -') - -optional_policy(` - postgresql_manage_db(initrc_t) - postgresql_read_config(initrc_t) -') - -optional_policy(` - postfix_list_spool(initrc_t) -') - -optional_policy(` - puppet_rw_tmp(initrc_t) -') - -optional_policy(` - quota_manage_flags(initrc_t) -') - -optional_policy(` - raid_manage_mdadm_pid(initrc_t) -') - -optional_policy(` - ricci_manage_lib_files(initrc_t) -') - -optional_policy(` - fs_write_ramfs_sockets(initrc_t) - fs_search_ramfs(initrc_t) - - rhgb_rw_stream_sockets(initrc_t) - rhgb_stream_connect(initrc_t) -') - -optional_policy(` - rpc_read_exports(initrc_t) -') - -optional_policy(` - # bash tries to access a block device in the initrd - kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t) - - # for a bug in rm - files_dontaudit_write_all_pids(initrc_t) - - # bash tries ioctl for some reason - files_dontaudit_ioctl_all_pids(initrc_t) - -') - -optional_policy(` - samba_rw_config(initrc_t) - samba_read_winbind_pid(initrc_t) -') - -optional_policy(` - # shorewall-init script run /var/lib/shorewall/firewall - shorewall_domtrans_lib(initrc_t) -') - -optional_policy(` - squid_read_config(initrc_t) - squid_manage_logs(initrc_t) -') - -ifdef(`enabled_mls',` -optional_policy(` - # allow init scripts to su - su_restricted_domain_template(initrc, initrc_t, system_r) -') -') - -optional_policy(` - ssh_dontaudit_read_server_keys(initrc_t) - ssh_setattr_key_files(initrc_t) -') - -optional_policy(` - sysnet_read_dhcpc_state(initrc_t) -') - -optional_policy(` - udev_rw_db(initrc_t) - udev_manage_pid_files(initrc_t) - udev_manage_rules_files(initrc_t) -') - -optional_policy(` - uml_setattr_util_sockets(initrc_t) -') - -optional_policy(` - virt_manage_cache(initrc_t) - virt_manage_lib_files(initrc_t) -') - -# Cron jobs used to start and stop services -optional_policy(` - cron_rw_pipes(daemon) - cron_rw_inherited_user_spool_files(daemon) -') - -optional_policy(` - unconfined_domain(initrc_t) - domain_role_change_exemption(initrc_t) - - ifdef(`distro_redhat',` - # system-config-services causes avc messages that should be dontaudited - unconfined_dontaudit_rw_pipes(daemon) - ') - - optional_policy(` - mono_domtrans(initrc_t) - ') - - # Allow SELinux aware applications to request rpm_script_t execution - rpm_transition_script(initrc_t) - - - optional_policy(` - gen_require(` - type unconfined_execmem_t, execmem_exec_t; - ') - init_system_domain(unconfined_execmem_t, execmem_exec_t) - ') - - optional_policy(` - rtkit_scheduled(initrc_t) - ') -') - -optional_policy(` - rpm_delete_db(initrc_t) -') - -optional_policy(` - vmware_read_system_config(initrc_t) - vmware_append_system_config(initrc_t) -') - -optional_policy(` - miscfiles_manage_fonts(initrc_t) - - # cjp: is this really needed? - xfs_read_sockets(initrc_t) -') - -optional_policy(` - # Set device ownerships/modes. - xserver_setattr_console_pipes(initrc_t) - - # init script wants to check if it needs to update windowmanagerlist - xserver_read_xdm_rw_config(initrc_t) -') - -optional_policy(` - zebra_read_config(initrc_t) -') - -userdom_inherit_append_user_home_content_files(daemon) -userdom_inherit_append_user_tmp_files(daemon) -userdom_dontaudit_rw_stream(daemon) - -logging_append_all_logs(daemon) - -optional_policy(` - # sudo service restart causes this - unconfined_signull(daemon) -') - - -optional_policy(` - xserver_dontaudit_append_xdm_home_files(daemon) - tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_rw_nfs_files(daemon) - ') - tunable_policy(`use_samba_home_dirs',` - fs_dontaudit_rw_cifs_files(daemon) - ') -') - -init_rw_script_stream_sockets(daemon) - -optional_policy(` - fail2ban_read_lib_files(daemon) -') - -init_rw_stream_sockets(daemon) - -ifdef(`hide_broken_symptoms',` -optional_policy(` -gen_require(` - type system_dbusd_var_run_t; - type fsadm_t; - type avahi_var_run_t; -') - -fs_list_auto_mountpoints(fsadm_t) - -fs_list_auto_mountpoints(lvm_t) -fs_list_hugetlbfs(lvm_t) - -allow init_t avahi_var_run_t:dir { write add_name }; -allow init_t avahi_var_run_t:sock_file create; - -allow init_t system_dbusd_var_run_t:dir { write add_name }; -allow init_t system_dbusd_var_run_t:sock_file create; - -') -') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc deleted file mode 100644 index 942bea1..0000000 --- a/policy/modules/system/ipsec.fc +++ /dev/null @@ -1,46 +0,0 @@ -/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) -/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) - -/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) -/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) -/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) - -/etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) -/etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) - -/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) - -/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) - -/usr/lib(64)?/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -/usr/lib(64)?/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -/usr/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) - -/usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -/usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -/usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) - -/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) - -/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) -/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) - -/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) - -/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) - -/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) - -/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) -/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if deleted file mode 100644 index cba1b30..0000000 --- a/policy/modules/system/ipsec.if +++ /dev/null @@ -1,371 +0,0 @@ -## TCP/IP encryption - -######################################## -## -## Execute ipsec in the ipsec domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ipsec_domtrans',` - gen_require(` - type ipsec_t, ipsec_exec_t; - ') - - domtrans_pattern($1, ipsec_exec_t, ipsec_t) -') - -######################################## -## -## Execute ipsec in the ipsec mgmt domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_domtrans_mgmt',` - gen_require(` - type ipsec_mgmt_t, ipsec_mgmt_exec_t; - ') - - domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) -') - -######################################## -## -## Connect to IPSEC using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_stream_connect',` - gen_require(` - type ipsec_t, ipsec_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) -') - -######################################## -## -## Connect to racoon using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_stream_connect_racoon',` - gen_require(` - type racoon_t, ipsec_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t) -') - -######################################## -## -## Get the attributes of an IPSEC key socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_getattr_key_sockets',` - gen_require(` - type ipsec_t; - ') - - allow $1 ipsec_t:key_socket getattr; -') - -######################################## -## -## Execute the IPSEC management program in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_exec_mgmt',` - gen_require(` - type ipsec_exec_t; - ') - - can_exec($1, ipsec_exec_t) -') - -######################################## -## -## Read the IPSEC configuration -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ipsec_read_config',` - gen_require(` - type ipsec_conf_file_t; - ') - - files_search_etc($1) - allow $1 ipsec_conf_file_t:file read_file_perms; -') - -######################################## -## -## Match the default SPD entry. -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_match_default_spd',` - gen_require(` - type ipsec_spd_t; - ') - - allow $1 ipsec_spd_t:association polmatch; - allow $1 self:association sendto; -') - -######################################## -## -## Set the context of a SPD entry to -## the default context. -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_setcontext_default_spd',` - gen_require(` - type ipsec_spd_t; - ') - - allow $1 ipsec_spd_t:association setcontext; -') - -######################################## -## -## write the ipsec_var_run_t files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_write_pid',` - gen_require(` - type ipsec_var_run_t; - ') - - files_search_pids($1) - write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) -') - -######################################## -## -## Create, read, write, and delete the IPSEC pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_manage_pid',` - gen_require(` - type ipsec_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) -') - -######################################## -## -## Execute racoon in the racoon domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ipsec_domtrans_racoon',` - gen_require(` - type racoon_t, racoon_exec_t; - ') - - domtrans_pattern($1, racoon_exec_t, racoon_t) -') - -######################################## -## -## Execute racoon and allow the specified role the domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`ipsec_run_racoon',` - gen_require(` - type racoon_t; - ') - - ipsec_domtrans_racoon($1) - role $2 types racoon_t; -') - -######################################## -## -## Execute setkey in the setkey domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ipsec_domtrans_setkey',` - gen_require(` - type setkey_t, setkey_exec_t; - ') - - domtrans_pattern($1, setkey_exec_t, setkey_t) -') - -######################################## -## -## Execute setkey and allow the specified role the domains. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access.. -## -## -## -# -interface(`ipsec_run_setkey',` - gen_require(` - type setkey_t; - ') - - ipsec_domtrans_setkey($1) - role $2 types setkey_t; -') - -######################################## -## -## Send ipsec mgmt a signal -## -## -## -## Domain allowed access. -## -## -# -# -interface(`ipsec_signal_mgmt',` - gen_require(` - type ipsec_mgmt_t; - ') - - allow $1 ipsec_mgmt_t:process signal; -') - -######################################## -## -## Send ipsec mgmt a signull -## -## -## -## Domain allowed access. -## -## -# -# -interface(`ipsec_signull_mgmt',` - gen_require(` - type ipsec_mgmt_t; - ') - - allow $1 ipsec_mgmt_t:process signull; -') - -######################################## -## -## Send ipsec mgmt a kill signal. -## -## -## -## Domain allowed access. -## -## -# -# -interface(`ipsec_kill_mgmt',` - gen_require(` - type ipsec_mgmt_t; - ') - - allow $1 ipsec_mgmt_t:process sigkill; -') - -###################################### -## -## Send and receive messages from -## ipsec-mgmt over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`ipsec_mgmt_dbus_chat',` - gen_require(` - type ipsec_mgmt_t; - class dbus send_msg; - ') - - allow $1 ipsec_mgmt_t:dbus send_msg; - allow ipsec_mgmt_t $1:dbus send_msg; -') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te deleted file mode 100644 index 6de1ab4..0000000 --- a/policy/modules/system/ipsec.te +++ /dev/null @@ -1,464 +0,0 @@ -policy_module(ipsec, 1.11.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow racoon to read shadow -##

-##
-gen_tunable(racoon_read_shadow, false) - -type ipsec_t; -type ipsec_exec_t; -init_daemon_domain(ipsec_t, ipsec_exec_t) -role system_r types ipsec_t; - -# type for ipsec configuration file(s) - not for keys -type ipsec_conf_file_t; -files_type(ipsec_conf_file_t) - -type ipsec_initrc_exec_t; -init_script_file(ipsec_initrc_exec_t) - -# type for file(s) containing ipsec keys - RSA or preshared -type ipsec_key_file_t; -files_type(ipsec_key_file_t) - -type ipsec_log_t; -logging_log_file(ipsec_log_t) - -# Default type for IPSEC SPD entries -type ipsec_spd_t; - -type ipsec_tmp_t; -files_tmp_file(ipsec_tmp_t) - -# type for runtime files, including pluto.ctl -type ipsec_var_run_t; -files_pid_file(ipsec_var_run_t) - -type ipsec_mgmt_t; -type ipsec_mgmt_exec_t; -init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) -corecmd_shell_entry_type(ipsec_mgmt_t) -role system_r types ipsec_mgmt_t; - -type ipsec_mgmt_lock_t; -files_lock_file(ipsec_mgmt_lock_t) - -type ipsec_mgmt_var_run_t; -files_pid_file(ipsec_mgmt_var_run_t) - -type racoon_t; -type racoon_exec_t; -init_daemon_domain(racoon_t, racoon_exec_t) -role system_r types racoon_t; - -type racoon_tmp_t; -files_tmp_file(racoon_tmp_t) - -type setkey_t; -type setkey_exec_t; -init_system_domain(setkey_t, setkey_exec_t) -role system_r types setkey_t; - -######################################## -# -# ipsec Local policy -# - -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_t self:process { getcap setcap getsched signal setsched }; -allow ipsec_t self:tcp_socket create_stream_socket_perms; -allow ipsec_t self:udp_socket create_socket_perms; -allow ipsec_t self:key_socket create_socket_perms; -allow ipsec_t self:fifo_file read_fifo_file_perms; -allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; - -allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; - -allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; -read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) -read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) - -allow ipsec_t ipsec_key_file_t:dir list_dir_perms; -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) -read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) - -manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) - -manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) - -can_exec(ipsec_t, ipsec_mgmt_exec_t) - -# pluto runs an updown script (by calling popen()!) as this is by default -# a shell script, we need to find a way to make things work without -# letting all sorts of stuff possibly be run... -# so try flipping back into the ipsec_mgmt_t domain -corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) -allow ipsec_mgmt_t ipsec_t:fd use; -allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; -allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; -allow ipsec_mgmt_t ipsec_t:process sigchld; - -kernel_read_kernel_sysctls(ipsec_t) -kernel_list_proc(ipsec_t) -kernel_read_proc_symlinks(ipsec_t) -# allow pluto to access /proc/net/ipsec_eroute; -kernel_read_system_state(ipsec_t) -kernel_read_network_state(ipsec_t) -kernel_read_software_raid_state(ipsec_t) -kernel_request_load_module(ipsec_t) -kernel_getattr_core_if(ipsec_t) -kernel_getattr_message_if(ipsec_t) - -corecmd_exec_shell(ipsec_t) -corecmd_exec_bin(ipsec_t) - -# Pluto needs network access -corenet_all_recvfrom_unlabeled(ipsec_t) -corenet_tcp_sendrecv_all_if(ipsec_t) -corenet_raw_sendrecv_all_if(ipsec_t) -corenet_tcp_sendrecv_all_nodes(ipsec_t) -corenet_raw_sendrecv_all_nodes(ipsec_t) -corenet_tcp_sendrecv_all_ports(ipsec_t) -corenet_tcp_bind_all_nodes(ipsec_t) -corenet_udp_bind_all_nodes(ipsec_t) -corenet_tcp_bind_reserved_port(ipsec_t) -corenet_tcp_bind_isakmp_port(ipsec_t) -corenet_udp_bind_isakmp_port(ipsec_t) -corenet_udp_bind_ipsecnat_port(ipsec_t) -corenet_sendrecv_generic_server_packets(ipsec_t) -corenet_sendrecv_isakmp_server_packets(ipsec_t) - -dev_read_sysfs(ipsec_t) -dev_read_rand(ipsec_t) -dev_read_urand(ipsec_t) - -domain_use_interactive_fds(ipsec_t) - -files_list_tmp(ipsec_t) -files_read_etc_files(ipsec_t) -files_read_usr_files(ipsec_t) -files_dontaudit_search_home(ipsec_t) - -fs_getattr_all_fs(ipsec_t) -fs_search_auto_mountpoints(ipsec_t) - -term_use_console(ipsec_t) -term_dontaudit_use_all_ttys(ipsec_t) - -auth_use_nsswitch(ipsec_t) - -init_use_fds(ipsec_t) -init_use_script_ptys(ipsec_t) - -logging_send_syslog_msg(ipsec_t) - -miscfiles_read_localization(ipsec_t) - -sysnet_domtrans_ifconfig(ipsec_t) -sysnet_manage_config(ipsec_t) -sysnet_etc_filetrans_config(ipsec_t) - -userdom_dontaudit_use_unpriv_user_fds(ipsec_t) -userdom_dontaudit_search_user_home_dirs(ipsec_t) - -optional_policy(` - seutil_sigchld_newrole(ipsec_t) -') - -optional_policy(` - udev_read_db(ipsec_t) -') - -######################################## -# -# ipsec_mgmt Local policy -# - -allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; -dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; -allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; -allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; -allow ipsec_mgmt_t self:udp_socket create_socket_perms; -allow ipsec_mgmt_t self:key_socket create_socket_perms; -allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; - -allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; -files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) - -manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) -manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) -files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) - -manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) -logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) - -allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; -files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) - -manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) -manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) - -allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; -files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) - -# _realsetup needs to be able to cat /var/run/pluto.pid, -# run ps on that pid, and delete the file -read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) -read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) - -# logger, running in ipsec_mgmt_t needs to use sockets -allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; -allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; - -allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; - -manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) -manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) - -# whack needs to connect to pluto -stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) - -can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) -allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; - -domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) - -kernel_rw_net_sysctls(ipsec_mgmt_t) -# allow pluto to access /proc/net/ipsec_eroute; -kernel_read_system_state(ipsec_mgmt_t) -kernel_read_network_state(ipsec_mgmt_t) -kernel_read_software_raid_state(ipsec_mgmt_t) -kernel_read_kernel_sysctls(ipsec_mgmt_t) -kernel_getattr_core_if(ipsec_mgmt_t) -kernel_getattr_message_if(ipsec_mgmt_t) - -# don't audit using of lsof -dontaudit ipsec_mgmt_t self:capability sys_ptrace; - -domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) -domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) - -dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t) -dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t) - -files_dontaudit_getattr_all_files(ipsec_mgmt_t) -files_dontaudit_getattr_all_sockets(ipsec_mgmt_t) -files_read_kernel_symbol_table(ipsec_mgmt_t) -files_getattr_kernel_modules(ipsec_mgmt_t) - -# the default updown script wants to run route -# the ipsec wrapper wants to run /usr/bin/logger (should we put -# it in its own domain?) -corecmd_exec_bin(ipsec_mgmt_t) -corecmd_exec_shell(ipsec_mgmt_t) - -dev_read_rand(ipsec_mgmt_t) -dev_read_urand(ipsec_mgmt_t) - -domain_use_interactive_fds(ipsec_mgmt_t) -# denials when ps tries to search /proc. Do not audit these denials. -domain_dontaudit_read_all_domains_state(ipsec_mgmt_t) -# suppress audit messages about unnecessary socket access -# cjp: this seems excessive -domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) -domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) - -files_read_etc_files(ipsec_mgmt_t) -files_exec_etc_files(ipsec_mgmt_t) -files_read_etc_runtime_files(ipsec_mgmt_t) -files_read_usr_files(ipsec_mgmt_t) -files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) -files_dontaudit_getattr_default_files(ipsec_mgmt_t) -files_list_tmp(ipsec_mgmt_t) - -fs_getattr_xattr_fs(ipsec_mgmt_t) -fs_list_tmpfs(ipsec_mgmt_t) - -term_use_console(ipsec_mgmt_t) -term_use_all_terms(ipsec_mgmt_t) - -auth_dontaudit_read_login_records(ipsec_mgmt_t) - -init_read_utmp(ipsec_mgmt_t) -init_use_script_ptys(ipsec_mgmt_t) -init_exec_script_files(ipsec_mgmt_t) -init_use_fds(ipsec_mgmt_t) -init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) - -logging_send_syslog_msg(ipsec_mgmt_t) - -miscfiles_read_localization(ipsec_mgmt_t) - -modutils_domtrans_insmod(ipsec_mgmt_t) - -seutil_dontaudit_search_config(ipsec_mgmt_t) - -sysnet_manage_config(ipsec_mgmt_t) -sysnet_domtrans_ifconfig(ipsec_mgmt_t) -sysnet_etc_filetrans_config(ipsec_mgmt_t) - -userdom_use_user_terminals(ipsec_mgmt_t) - -optional_policy(` - consoletype_exec(ipsec_mgmt_t) -') - -optional_policy(` - hostname_exec(ipsec_mgmt_t) -') - -optional_policy(` - dbus_system_bus_client(ipsec_mgmt_t) - dbus_connect_system_bus(ipsec_mgmt_t) - - optional_policy(` - networkmanager_dbus_chat(ipsec_mgmt_t) - ') -') - -optional_policy(` - iptables_domtrans(ipsec_mgmt_t) -') - -optional_policy(` - nscd_socket_use(ipsec_mgmt_t) -') - -ifdef(`TODO',` -# ideally it would not need this. It wants to write to /root/.rnd -file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) - -allow ipsec_mgmt_t dev_fs:file_class_set getattr; -') dnl end TODO - -######################################## -# -# Racoon local policy -# - -allow racoon_t self:capability { net_admin net_bind_service }; -allow racoon_t self:netlink_route_socket create_netlink_socket_perms; -allow racoon_t self:unix_dgram_socket { connect create ioctl write }; -allow racoon_t self:netlink_selinux_socket { bind create read }; -allow racoon_t self:udp_socket create_socket_perms; -allow racoon_t self:key_socket create_socket_perms; -allow racoon_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) -manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) -files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file }) - -can_exec(racoon_t, racoon_exec_t) - -can_exec(racoon_t, setkey_exec_t) - -# manage pid file -manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) -manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) -files_pid_filetrans(racoon_t, ipsec_var_run_t, file) - -allow racoon_t ipsec_conf_file_t:dir list_dir_perms; -read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t) -read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t) - -allow racoon_t ipsec_key_file_t:dir list_dir_perms; -read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t) -read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t) - -kernel_read_system_state(racoon_t) -kernel_read_network_state(racoon_t) -kernel_request_load_module(racoon_t) - -corecmd_exec_shell(racoon_t) -corecmd_exec_bin(racoon_t) - -corenet_all_recvfrom_unlabeled(racoon_t) -corenet_tcp_sendrecv_all_if(racoon_t) -corenet_udp_sendrecv_all_if(racoon_t) -corenet_tcp_sendrecv_all_nodes(racoon_t) -corenet_udp_sendrecv_all_nodes(racoon_t) -corenet_tcp_bind_all_nodes(racoon_t) -corenet_udp_bind_all_nodes(racoon_t) -corenet_udp_bind_isakmp_port(racoon_t) -corenet_udp_bind_ipsecnat_port(racoon_t) - -dev_read_urand(racoon_t) - -# allow racoon to set contexts on ipsec policy and SAs -domain_ipsec_setcontext_all_domains(racoon_t) - -files_read_etc_files(racoon_t) - -fs_dontaudit_getattr_xattr_fs(racoon_t) - -# allow racoon to use avc_has_perm to check context on proposed SA -selinux_compute_access_vector(racoon_t) - -auth_use_nsswitch(racoon_t) - -ipsec_setcontext_default_spd(racoon_t) - -locallogin_use_fds(racoon_t) - -logging_send_syslog_msg(racoon_t) -logging_send_audit_msgs(racoon_t) - -miscfiles_read_localization(racoon_t) - -sysnet_exec_ifconfig(racoon_t) - -auth_use_pam(racoon_t) - -auth_can_read_shadow_passwords(racoon_t) -tunable_policy(`racoon_read_shadow',` - auth_tunable_read_shadow(racoon_t) -') - -######################################## -# -# Setkey local policy -# - -allow setkey_t self:capability net_admin; -allow setkey_t self:key_socket create_socket_perms; -allow setkey_t self:netlink_route_socket create_netlink_socket_perms; - -allow setkey_t ipsec_conf_file_t:dir list_dir_perms; -read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) -read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) - -kernel_request_load_module(setkey_t) - -# allow setkey utility to set contexts on SA's and policy -domain_ipsec_setcontext_all_domains(setkey_t) - -files_read_etc_files(setkey_t) - -init_dontaudit_use_fds(setkey_t) -init_read_script_tmp_files(setkey_t) - -# allow setkey to set the context for ipsec SAs and policy. -ipsec_setcontext_default_spd(setkey_t) - -locallogin_use_fds(setkey_t) - -miscfiles_read_localization(setkey_t) - -seutil_read_config(setkey_t) - -userdom_use_user_terminals(setkey_t) -userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc deleted file mode 100644 index fd99a6e..0000000 --- a/policy/modules/system/iptables.fc +++ /dev/null @@ -1,20 +0,0 @@ -/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) - -/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) - -/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - -/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) - - -/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if deleted file mode 100644 index 59bfb17..0000000 --- a/policy/modules/system/iptables.if +++ /dev/null @@ -1,171 +0,0 @@ -## Policy for iptables. - -######################################## -## -## Execute iptables in the iptables domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`iptables_domtrans',` - gen_require(` - type iptables_t, iptables_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, iptables_exec_t, iptables_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit iptables_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute iptables in the iptables domain, and -## allow the specified role the iptables domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`iptables_run',` - gen_require(` - type iptables_t; - ') - - iptables_domtrans($1) - role $2 types iptables_t; - - sysnet_run_ifconfig(iptables_t, $2) - - optional_policy(` - modutils_run_insmod(iptables_t, $2) - ') -') - -######################################## -## -## Execute iptables in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`iptables_exec',` - gen_require(` - type iptables_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, iptables_exec_t) -') - -##################################### -## -## Execute iptables in the iptables domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`iptables_initrc_domtrans',` - gen_require(` - type iptables_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, iptables_initrc_exec_t) -') - -##################################### -## -## Set the attributes of iptables config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`iptables_setattr_config',` - gen_require(` - type iptables_conf_t; - ') - - files_search_etc($1) - allow $1 iptables_conf_t:file setattr; -') - -##################################### -## -## Read iptables config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`iptables_read_config',` - gen_require(` - type iptables_conf_t; - ') - - files_search_etc($1) - allow $1 iptables_conf_t:dir list_dir_perms; - read_files_pattern($1, iptables_conf_t, iptables_conf_t) -') - -##################################### -## -## Create files in /etc with the type used for -## the iptables config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`iptables_etc_filetrans_config',` - gen_require(` - type iptables_conf_t; - ') - - files_etc_filetrans($1, iptables_conf_t, file) -') - -################################### -## -## Manage iptables config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`iptables_manage_config',` - gen_require(` - type iptables_conf_t; - type etc_t; - ') - - files_search_etc($1) - manage_files_pattern($1, iptables_conf_t, iptables_conf_t) -') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te deleted file mode 100644 index bce3aea..0000000 --- a/policy/modules/system/iptables.te +++ /dev/null @@ -1,143 +0,0 @@ -policy_module(iptables, 1.11.0) - -######################################## -# -# Declarations -# - -type iptables_t; -type iptables_exec_t; -init_system_domain(iptables_t, iptables_exec_t) -role system_r types iptables_t; - -type iptables_initrc_exec_t; -init_script_file(iptables_initrc_exec_t) - -type iptables_tmp_t; -files_tmp_file(iptables_tmp_t) - -type iptables_var_run_t; -files_pid_file(iptables_var_run_t) - -######################################## -# -# Iptables local policy -# - -allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; -dontaudit iptables_t self:capability sys_tty_config; -allow iptables_t self:fifo_file rw_fifo_file_perms; -allow iptables_t self:process { sigchld sigkill sigstop signull signal }; -# needed by ipvsadm -allow iptables_t self:netlink_socket create_socket_perms; -allow iptables_t self:rawip_socket create_socket_perms; - -files_manage_system_conf_files(iptables_t) -files_etc_filetrans_system_conf(iptables_t) - -manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) -files_pid_filetrans(iptables_t, iptables_var_run_t, file) - -can_exec(iptables_t, iptables_exec_t) - -allow iptables_t iptables_tmp_t:dir manage_dir_perms; -allow iptables_t iptables_tmp_t:file manage_file_perms; -files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) - -kernel_request_load_module(iptables_t) -kernel_read_system_state(iptables_t) -kernel_read_network_state(iptables_t) -kernel_read_kernel_sysctls(iptables_t) -kernel_read_modprobe_sysctls(iptables_t) -kernel_use_fds(iptables_t) - -# needed by ipvsadm -corecmd_exec_bin(iptables_t) -corecmd_exec_shell(iptables_t) - -corenet_relabelto_all_packets(iptables_t) -corenet_dontaudit_rw_tun_tap_dev(iptables_t) - -dev_read_sysfs(iptables_t) -ifdef(`hide_broken_symptoms',` - dev_dontaudit_write_mtrr(iptables_t) -') - -fs_getattr_xattr_fs(iptables_t) -fs_search_auto_mountpoints(iptables_t) -fs_list_inotifyfs(iptables_t) - -mls_file_read_all_levels(iptables_t) - -term_dontaudit_use_console(iptables_t) -term_use_all_terms(iptables_t) - -domain_use_interactive_fds(iptables_t) - -files_read_etc_files(iptables_t) -files_read_etc_runtime_files(iptables_t) -files_read_usr_files(iptables_t) - -auth_use_nsswitch(iptables_t) - -init_use_fds(iptables_t) -init_use_script_ptys(iptables_t) -# to allow rules to be saved on reboot: -init_rw_script_tmp_files(iptables_t) -init_rw_script_stream_sockets(iptables_t) -init_dontaudit_script_leaks(iptables_t) - -logging_send_syslog_msg(iptables_t) - -miscfiles_read_localization(iptables_t) - -sysnet_domtrans_ifconfig(iptables_t) -sysnet_dns_name_resolve(iptables_t) - -userdom_use_user_terminals(iptables_t) -userdom_use_all_users_fds(iptables_t) - -optional_policy(` - fail2ban_append_log(iptables_t) - fail2ban_dontaudit_leaks(iptables_t) -') - -optional_policy(` - firstboot_use_fds(iptables_t) - firstboot_rw_pipes(iptables_t) -') - -optional_policy(` - modutils_domtrans_insmod(iptables_t) -') - -optional_policy(` - # for iptables -L - nis_use_ypbind(iptables_t) -') - -optional_policy(` - ppp_dontaudit_use_fds(iptables_t) -') - -optional_policy(` - psad_rw_tmp_files(iptables_t) - psad_write_log(iptables_t) -') - -optional_policy(` - rhgb_dontaudit_use_ptys(iptables_t) -') - -optional_policy(` - seutil_sigchld_newrole(iptables_t) -') - -optional_policy(` - shorewall_rw_lib_files(iptables_t) - shorewall_read_tmp_files(iptables_t) -') - -optional_policy(` - udev_read_db(iptables_t) -') diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc deleted file mode 100644 index 14d9670..0000000 --- a/policy/modules/system/iscsi.fc +++ /dev/null @@ -1,7 +0,0 @@ -/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - -/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) -/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) -/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) -/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if deleted file mode 100644 index ad0b864..0000000 --- a/policy/modules/system/iscsi.if +++ /dev/null @@ -1,76 +0,0 @@ -## Establish connections to iSCSI devices - -######################################## -## -## Execute a domain transition to run iscsid. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`iscsid_domtrans',` - gen_require(` - type iscsid_t, iscsid_exec_t; - ') - - domtrans_pattern($1, iscsid_exec_t, iscsid_t) -') - -######################################## -## -## Connect to ISCSI using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`iscsi_stream_connect',` - gen_require(` - type iscsid_t, iscsi_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t) -') - -######################################## -## -## Read iscsi lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`iscsi_read_lib_files',` - gen_require(` - type iscsi_var_lib_t; - ') - - read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t) - allow $1 iscsi_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Manage iscsid sempaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`iscsi_manage_semaphores',` - gen_require(` - type iscsid_t; - ') - - allow $1 iscsid_t:sem create_sem_perms; -') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te deleted file mode 100644 index 3ab3a47..0000000 --- a/policy/modules/system/iscsi.te +++ /dev/null @@ -1,97 +0,0 @@ -policy_module(iscsi, 1.7.0) - -######################################## -# -# Declarations -# - -type iscsid_t; -type iscsid_exec_t; -domain_type(iscsid_t) -init_daemon_domain(iscsid_t, iscsid_exec_t) - -type iscsi_lock_t; -files_lock_file(iscsi_lock_t) - -type iscsi_log_t; -logging_log_file(iscsi_log_t) - -type iscsi_tmp_t; -files_tmp_file(iscsi_tmp_t) - -type iscsi_var_lib_t; -files_type(iscsi_var_lib_t) - -type iscsi_var_run_t; -files_pid_file(iscsi_var_run_t) - -######################################## -# -# iscsid local policy -# - -allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; -allow iscsid_t self:process { setrlimit setsched signal }; -allow iscsid_t self:fifo_file rw_fifo_file_perms; -allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow iscsid_t self:unix_dgram_socket create_socket_perms; -allow iscsid_t self:sem create_sem_perms; -allow iscsid_t self:shm create_shm_perms; -allow iscsid_t self:netlink_socket create_socket_perms; -allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; -allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; -allow iscsid_t self:tcp_socket create_stream_socket_perms; - -can_exec(iscsid_t, iscsid_exec_t) - -manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) -files_lock_filetrans(iscsid_t, iscsi_lock_t, file) - -manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) -logging_log_filetrans(iscsid_t, iscsi_log_t, file) - -manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) -manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) -fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } ) - -allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; -read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) -read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) -files_search_var_lib(iscsid_t) - -manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) -files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) - -kernel_read_network_state(iscsid_t) -kernel_read_system_state(iscsid_t) - -corenet_all_recvfrom_unlabeled(iscsid_t) -corenet_all_recvfrom_netlabel(iscsid_t) -corenet_tcp_sendrecv_generic_if(iscsid_t) -corenet_tcp_sendrecv_generic_node(iscsid_t) -corenet_tcp_sendrecv_all_ports(iscsid_t) -corenet_tcp_connect_http_port(iscsid_t) -corenet_tcp_connect_iscsi_port(iscsid_t) -corenet_tcp_connect_isns_port(iscsid_t) - -dev_rw_sysfs(iscsid_t) -dev_rw_userio_dev(iscsid_t) -dev_read_raw_memory(iscsid_t) -dev_write_raw_memory(iscsid_t) - -domain_use_interactive_fds(iscsid_t) -domain_dontaudit_read_all_domains_state(iscsid_t) - -files_read_etc_files(iscsid_t) - -auth_use_nsswitch(iscsid_t) - -init_stream_connect_script(iscsid_t) - -logging_send_syslog_msg(iscsid_t) - -miscfiles_read_localization(iscsid_t) - -optional_policy(` - tgtd_manage_semaphores(iscsid_t) -') diff --git a/policy/modules/system/kdump.fc b/policy/modules/system/kdump.fc deleted file mode 100644 index c66934f..0000000 --- a/policy/modules/system/kdump.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) -/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) - -/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) -/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) diff --git a/policy/modules/system/kdump.if b/policy/modules/system/kdump.if deleted file mode 100644 index 672d323..0000000 --- a/policy/modules/system/kdump.if +++ /dev/null @@ -1,111 +0,0 @@ -## Kernel crash dumping mechanism - -###################################### -## -## Execute kdump in the kdump domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kdump_domtrans',` - gen_require(` - type kdump_t, kdump_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kdump_exec_t, kdump_t) -') - -####################################### -## -## Execute kdump in the kdump domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kdump_initrc_domtrans',` - gen_require(` - type kdump_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, kdump_initrc_exec_t) -') - -##################################### -## -## Read kdump configuration file. -## -## -## -## Domain allowed access. -## -## -# -interface(`kdump_read_config',` - gen_require(` - type kdump_etc_t; - ') - - files_search_etc($1) - allow $1 kdump_etc_t:file read_file_perms; -') - -#################################### -## -## Manage kdump configuration file. -## -## -## -## Domain allowed access. -## -## -# -interface(`kdump_manage_config',` - gen_require(` - type kdump_etc_t; - ') - - files_search_etc($1) - allow $1 kdump_etc_t:file manage_file_perms; -') - -###################################### -## -## All of the rules required to administrate -## an kdump environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the kdump domain. -## -## -## -# -interface(`kdump_admin',` - gen_require(` - type kdump_t, kdump_etc_t; - type kdump_initrc_exec_t; - ') - - allow $1 kdump_t:process { ptrace signal_perms }; - ps_process_pattern($1, kdump_t) - - init_labeled_script_domtrans($1, kdump_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kdump_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, kdump_etc_t) -') diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te deleted file mode 100644 index 7682697..0000000 --- a/policy/modules/system/kdump.te +++ /dev/null @@ -1,38 +0,0 @@ -policy_module(kdump, 1.1.0) - -####################################### -# -# Declarations -# - -type kdump_t; -type kdump_exec_t; -init_system_domain(kdump_t, kdump_exec_t) - -type kdump_etc_t; -files_config_file(kdump_etc_t) - -type kdump_initrc_exec_t; -init_script_file(kdump_initrc_exec_t) - -##################################### -# -# kdump local policy -# - -allow kdump_t self:capability { sys_boot dac_override }; - -read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) - -files_read_etc_runtime_files(kdump_t) -files_read_kernel_img(kdump_t) - -kernel_read_system_state(kdump_t) -kernel_read_core_if(kdump_t) -kernel_read_debugfs(kdump_t) -kernel_request_load_module(kdump_t) - -dev_read_framebuffer(kdump_t) -dev_read_sysfs(kdump_t) - -term_use_console(kdump_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc deleted file mode 100644 index 1d2236b..0000000 --- a/policy/modules/system/libraries.fc +++ /dev/null @@ -1,463 +0,0 @@ -# -# /emul -# -ifdef(`distro_debian',` -/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) -/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -') - -ifdef(`distro_gentoo',` -/emul/linux/x86/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/linux/x86/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -') - -ifdef(`distro_redhat',` -/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) -/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -') - -# -# /etc -# -/etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0) -/etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0) - -/etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0) - -# -# /lib(64)? -# -/lib -d gen_context(system_u:object_r:lib_t,s0) -/lib/.* gen_context(system_u:object_r:lib_t,s0) -/lib64 -d gen_context(system_u:object_r:lib_t,s0) -/lib64/.* gen_context(system_u:object_r:lib_t,s0) -/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) - -/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -ifdef(`distro_debian',` -/lib32 -l gen_context(system_u:object_r:lib_t,s0) -/lib64 -l gen_context(system_u:object_r:lib_t,s0) -') - -ifdef(`distro_gentoo',` -/lib -l gen_context(system_u:object_r:lib_t,s0) -/lib32 -d gen_context(system_u:object_r:lib_t,s0) -/lib32/.* gen_context(system_u:object_r:lib_t,s0) -/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -') - -# -# /opt -# -/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) -/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) - -/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -# despite the extensions, they are actually libs -/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) - -/opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -ifdef(`distro_gentoo',` -# despite the extensions, they are actually libs -/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) -/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0) -/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) - -/opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/RealPlayer/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) -') - -ifdef(`distro_redhat',` -/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) -/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -') - -# -# /sbin -# -/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) - -# -# /usr -# -/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) - -/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) - -/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) - -/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libzita-convolver\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) -/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -ifdef(`distro_debian',` -/usr/lib32 -l gen_context(system_u:object_r:lib_t,s0) -') - -ifdef(`distro_gentoo',` -/usr/lib -l gen_context(system_u:object_r:lib_t,s0) -') - -ifdef(`distro_redhat',` -/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:lib_t,s0) - -# The following are libraries with text relocations in need of execmod permissions -# Some of them should be fixed and removed from this list - -# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv -# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php -HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/valgrind/vg.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/program/libsts645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/program/libwrp645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/program/libswd680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/program/librecentfile\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -# Fedora Extras packages: ladspa, imlib2, ocaml -/usr/lib(64)?/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/bandpass_iir_1892\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/butterworth_1902\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/fm_osc_1415\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/gsm_1215\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/gverb_1216\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/hermes_filter_1200\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/highpass_iir_1890\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/lowpass_iir_1891\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/notch_iir_1894\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/pitch_scale_1193\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/pitch_scale_1194\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/sc1_1425\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/sc2_1426\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame -/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -# Jai, Sun Microsystems (Jpackage SPRM) -/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/libdvdcss\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -# vmware -/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -# Java, Sun Microsystems (JPackage SRPM) -/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib/acroread/(.*/)?sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/acroread/(.*/)?nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) -/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) -') dnl end distro_redhat - -# -# /var -# -/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) - -/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) -/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) - -/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) - -/usr/lib(64)?/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -/usr/lib(64)?/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) - -ifdef(`distro_suse',` -/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) -') - -/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) -/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) -/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) -/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) - -/usr/lib(64)?/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) - -/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) - -/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - - -/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -ifdef(`fixed',` -/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -# Flash plugin, Macromedia -HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -') -/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ocp-.*/mixclip\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if deleted file mode 100644 index 8b174c8..0000000 --- a/policy/modules/system/libraries.if +++ /dev/null @@ -1,518 +0,0 @@ -## Policy for system libraries. - -######################################## -## -## Execute ldconfig in the ldconfig domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`libs_domtrans_ldconfig',` - gen_require(` - type ldconfig_t, ldconfig_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ldconfig_exec_t, ldconfig_t) -') - -######################################## -## -## Execute ldconfig in the ldconfig domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the ldconfig domain. -## -## -## -# -interface(`libs_run_ldconfig',` - gen_require(` - type ldconfig_t; - ') - - libs_domtrans_ldconfig($1) - role $2 types ldconfig_t; -') - -######################################## -## -## Execute ldconfig in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`libs_exec_ldconfig',` - gen_require(` - type ldconfig_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ldconfig_exec_t) -') - -######################################## -## -## Use the dynamic link/loader for automatic loading -## of shared libraries. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_use_ld_so',` - gen_require(` - type lib_t, ld_so_t, ld_so_cache_t; - ') - - files_list_etc($1) - allow $1 lib_t:dir list_dir_perms; - - read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) - mmap_files_pattern($1, lib_t, ld_so_t) - - allow $1 ld_so_cache_t:file read_file_perms; -') - -######################################## -## -## Use the dynamic link/loader for automatic loading -## of shared libraries with legacy support. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_legacy_use_ld_so',` - gen_require(` - type ld_so_t, ld_so_cache_t; - ') - - libs_use_ld_so($1) - allow $1 ld_so_t:file execmod; - allow $1 ld_so_cache_t:file execute; -') - -######################################## -## -## Execute the dynamic link/loader in the caller's domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_exec_ld_so',` - gen_require(` - type lib_t, ld_so_t; - ') - - allow $1 lib_t:dir list_dir_perms; - read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) - exec_files_pattern($1, lib_t, ld_so_t) -') - -######################################## -## -## Create, read, write, and delete the -## dynamic link/loader. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`libs_manage_ld_so',` - gen_require(` - type lib_t, ld_so_t; - ') - - manage_files_pattern($1, lib_t, ld_so_t) -') - -######################################## -## -## Relabel to and from the type used for -## the dynamic link/loader. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`libs_relabel_ld_so',` - gen_require(` - type lib_t, ld_so_t; - ') - - relabel_files_pattern($1, lib_t, ld_so_t) -') - -######################################## -## -## Modify the dynamic link/loader's cached listing -## of shared libraries. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_rw_ld_so_cache',` - gen_require(` - type ld_so_cache_t; - ') - - files_list_etc($1) - allow $1 ld_so_cache_t:file rw_file_perms; -') - -######################################## -## -## Search library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_search_lib',` - gen_require(` - type lib_t; - ') - - allow $1 lib_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to write to library directories. -## -## -##

-## Do not audit attempts to write to library directories. -## Typically this is used to quiet attempts to recompile -## python byte code. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`libs_dontaudit_write_lib_dirs',` - gen_require(` - type lib_t; - ') - - dontaudit $1 lib_t:dir write; -') - -######################################## -## -## Create, read, write, and delete library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_manage_lib_dirs',` - gen_require(` - type lib_t; - ') - - allow $1 lib_t:dir manage_dir_perms; -') - -######################################## -## -## Read files in the library directories, such -## as static libraries. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_read_lib_files',` - gen_require(` - type lib_t; - ') - - files_list_usr($1) - list_dirs_pattern($1, lib_t, lib_t) - read_files_pattern($1, lib_t, lib_t) - read_lnk_files_pattern($1, lib_t, lib_t) -') - -######################################## -## -## Execute library scripts in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_exec_lib_files',` - gen_require(` - type lib_t; - ') - - files_search_usr($1) - allow $1 lib_t:dir list_dir_perms; - read_lnk_files_pattern($1, lib_t, lib_t) - exec_files_pattern($1, lib_t, lib_t) -') - -######################################## -## -## Load and execute functions from generic -## lib files as shared libraries. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_use_lib_files',` - refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead.') - libs_use_shared_libs($1) -') - -######################################## -## -## Create, read, write, and delete generic -## files in library directories. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`libs_manage_lib_files',` - gen_require(` - type lib_t; - ') - - manage_files_pattern($1, lib_t, lib_t) -') - -######################################## -## -## Relabel files to the type used in library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_relabelto_lib_files',` - gen_require(` - type lib_t; - ') - - relabelto_files_pattern($1, lib_t, lib_t) -') - -######################################## -## -## Relabel to and from the type used -## for generic lib files. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`libs_relabel_lib_files',` - gen_require(` - type lib_t; - ') - - relabel_files_pattern($1, lib_t, lib_t) -') - -######################################## -## -## Delete generic symlinks in library directories. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`libs_delete_lib_symlinks',` - gen_require(` - type lib_t; - ') - - delete_lnk_files_pattern($1, lib_t, lib_t) -') - -######################################## -## -## Create, read, write, and delete shared libraries. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`libs_manage_shared_libs',` - gen_require(` - type lib_t, textrel_shlib_t; - ') - - manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -') - -######################################## -## -## Load and execute functions from shared libraries. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_use_shared_libs',` - gen_require(` - type lib_t, textrel_shlib_t; - ') - - files_search_usr($1) - allow $1 lib_t:dir list_dir_perms; - read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) - mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) - allow $1 textrel_shlib_t:file execmod; -') - -######################################## -## -## Load and execute functions from shared libraries, -## with legacy support. -## -## -## -## Domain allowed access. -## -## -# -interface(`libs_legacy_use_shared_libs',` - gen_require(` - type lib_t; - ') - - libs_use_shared_libs($1) - allow $1 lib_t:file execmod; -') - -######################################## -## -## Relabel to and from the type used for -## shared libraries. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink -interface(`libs_relabel_shared_libs',` - gen_require(` - type lib_t, textrel_shlib_t; - ') - - relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -') - -######################################## -## -## Create an object in lib directories, with -## the shared libraries type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`lib_filetrans_shared_lib',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Create an object in lib directories, with -## the shared libraries type using a type transition. (Deprecated) -## -## -##

-## Create an object in lib directories, with -## the shared libraries type using a type transition. (Deprecated) -##

-##

-## lib_filetrans_shared_lib() should be used instead. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`files_lib_filetrans_shared_lib',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te deleted file mode 100644 index 99d7f60..0000000 --- a/policy/modules/system/libraries.te +++ /dev/null @@ -1,157 +0,0 @@ -policy_module(libraries, 2.7.0) - -######################################## -# -# Declarations -# - -# -# ld_so_cache_t is the type of /etc/ld.so.cache. -# -type ld_so_cache_t; -files_type(ld_so_cache_t) - -# -# ld_so_t is the type of the system dynamic loaders. -# -type ld_so_t; -files_type(ld_so_t) - -type ldconfig_t; -type ldconfig_exec_t; -init_system_domain(ldconfig_t, ldconfig_exec_t) -role system_r types ldconfig_t; - -type ldconfig_cache_t; -files_type(ldconfig_cache_t) - -type ldconfig_tmp_t; -files_tmp_file(ldconfig_tmp_t) - -# -# lib_t is the type of files in the system lib directories. -# -type lib_t alias shlib_t; -files_type(lib_t) - -# -# textrel_shlib_t is the type of shared objects in the system lib -# directories, which require text relocation. -# -type textrel_shlib_t alias texrel_shlib_t; -files_type(textrel_shlib_t) - -ifdef(`distro_gentoo',` - # openrc unfortunately mounts a tmpfs - # at /lib/rc/ - files_mountpoint(lib_t) -') - -optional_policy(` - postgresql_loadable_module(lib_t) - postgresql_loadable_module(textrel_shlib_t) -') - -######################################## -# -# ldconfig local policy -# - -allow ldconfig_t self:capability { dac_override sys_chroot }; - -manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) - -manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) -files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) - -manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -manage_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -manage_lnk_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file }) - -manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t) - -kernel_read_system_state(ldconfig_t) - -fs_getattr_xattr_fs(ldconfig_t) - -corecmd_search_bin(ldconfig_t) - -domain_use_interactive_fds(ldconfig_t) - -files_search_home(ldconfig_t) -files_search_var_lib(ldconfig_t) -files_read_etc_files(ldconfig_t) -files_read_usr_files(ldconfig_t) -files_search_tmp(ldconfig_t) -files_search_usr(ldconfig_t) -# for when /etc/ld.so.cache is mislabeled: -files_delete_etc_files(ldconfig_t) - -init_use_script_ptys(ldconfig_t) -init_read_script_tmp_files(ldconfig_t) - -miscfiles_read_localization(ldconfig_t) - -logging_send_syslog_msg(ldconfig_t) - -term_use_console(ldconfig_t) -userdom_use_user_terminals(ldconfig_t) -userdom_use_all_users_fds(ldconfig_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(ldconfig_t) - ') -') - -userdom_manage_user_home_content_files(ldconfig_t) -userdom_manage_user_tmp_files(ldconfig_t) -userdom_manage_user_tmp_symlinks(ldconfig_t) - -ifdef(`hide_broken_symptoms',` - ifdef(`distro_gentoo',` - # leaked fds from portage - files_dontaudit_rw_var_files(ldconfig_t) - - optional_policy(` - portage_dontaudit_search_tmp(ldconfig_t) - portage_dontaudit_rw_tmp_files(ldconfig_t) - ') - ') - - optional_policy(` - unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) - ') -') - -optional_policy(` - # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway - apache_dontaudit_search_modules(ldconfig_t) -') - -optional_policy(` - apt_rw_pipes(ldconfig_t) - apt_use_fds(ldconfig_t) - apt_use_ptys(ldconfig_t) -') - -optional_policy(` - gnome_append_generic_cache_files(ldconfig_t) -') - -optional_policy(` - puppet_rw_tmp(ldconfig_t) -') - -optional_policy(` - # When you install a kernel the postinstall builds a initrd image in tmp - # and executes ldconfig on it. If you dont allow this kernel installs - # blow up. - rpm_manage_script_tmp_files(ldconfig_t) -') - -optional_policy(` - unconfined_domain(ldconfig_t) -') - diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc deleted file mode 100644 index be6a81b..0000000 --- a/policy/modules/system/locallogin.fc +++ /dev/null @@ -1,3 +0,0 @@ - -/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) -/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if deleted file mode 100644 index 0e3c2a9..0000000 --- a/policy/modules/system/locallogin.if +++ /dev/null @@ -1,131 +0,0 @@ -## Policy for local logins. - -######################################## -## -## Execute local logins in the local login domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`locallogin_domtrans',` - gen_require(` - type local_login_t; - ') - - auth_domtrans_login_program($1, local_login_t) - - ifdef(`enable_mcs',` - auth_ranged_domtrans_login_program($1, local_login_t, s0 - mcs_systemhigh) - ') -') - -######################################## -## -## Allow processes to inherit local login file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`locallogin_use_fds',` - gen_require(` - type local_login_t; - ') - - allow $1 local_login_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit local login file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`locallogin_dontaudit_use_fds',` - gen_require(` - type local_login_t; - ') - - dontaudit $1 local_login_t:fd use; -') - -######################################## -## -## Send a null signal to local login processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`locallogin_signull',` - gen_require(` - type local_login_t; - ') - - allow $1 local_login_t:process signull; -') - -######################################## -## -## Search for key. -## -## -## -## Domain allowed access. -## -## -# -interface(`locallogin_search_keys',` - gen_require(` - type local_login_t; - ') - - allow $1 local_login_t:key search; -') - -######################################## -## -## Allow link to the local_login key ring. -## -## -## -## Domain allowed access. -## -## -# -interface(`locallogin_link_keys',` - gen_require(` - type local_login_t; - ') - - allow $1 local_login_t:key link; -') - -######################################## -## -## Execute local logins in the local login domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`locallogin_domtrans_sulogin',` - gen_require(` - type sulogin_exec_t, sulogin_t; - ') - - domtrans_pattern($1, sulogin_exec_t, sulogin_t) -') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te deleted file mode 100644 index 26e9f79..0000000 --- a/policy/modules/system/locallogin.te +++ /dev/null @@ -1,271 +0,0 @@ -policy_module(locallogin, 1.10.0) - -######################################## -# -# Declarations -# - -type local_login_t; -domain_interactive_fd(local_login_t) -auth_login_pgm_domain(local_login_t) -auth_login_entry_type(local_login_t) - -type local_login_lock_t; -files_lock_file(local_login_lock_t) - -type local_login_tmp_t; -files_tmp_file(local_login_tmp_t) -files_poly_parent(local_login_tmp_t) - -type sulogin_t; -type sulogin_exec_t; -domain_obj_id_change_exemption(sulogin_t) -domain_subj_id_change_exemption(sulogin_t) -domain_role_change_exemption(sulogin_t) -domain_interactive_fd(sulogin_t) -init_domain(sulogin_t, sulogin_exec_t) -init_system_domain(sulogin_t, sulogin_exec_t) -role system_r types sulogin_t; - -######################################## -# -# Local login local policy -# - -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; -allow local_login_t self:fd use; -allow local_login_t self:fifo_file rw_fifo_file_perms; -allow local_login_t self:sock_file read_sock_file_perms; -allow local_login_t self:unix_dgram_socket create_socket_perms; -allow local_login_t self:unix_stream_socket create_stream_socket_perms; -allow local_login_t self:unix_dgram_socket sendto; -allow local_login_t self:unix_stream_socket connectto; -allow local_login_t self:shm create_shm_perms; -allow local_login_t self:sem create_sem_perms; -allow local_login_t self:msgq create_msgq_perms; -allow local_login_t self:msg { send receive }; -allow local_login_t self:key { search write link }; - -allow local_login_t local_login_lock_t:file manage_file_perms; -files_lock_filetrans(local_login_t, local_login_lock_t, file) - -allow local_login_t local_login_tmp_t:dir manage_dir_perms; -allow local_login_t local_login_tmp_t:file manage_file_perms; -files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir }) - -kernel_read_system_state(local_login_t) -kernel_read_kernel_sysctls(local_login_t) -kernel_search_key(local_login_t) -kernel_link_key(local_login_t) - -corecmd_list_bin(local_login_t) -corecmd_read_bin_symlinks(local_login_t) -# cjp: these are probably not needed: -corecmd_read_bin_files(local_login_t) -corecmd_read_bin_pipes(local_login_t) -corecmd_read_bin_sockets(local_login_t) - -dev_setattr_mouse_dev(local_login_t) -dev_getattr_mouse_dev(local_login_t) -dev_getattr_power_mgmt_dev(local_login_t) -dev_setattr_power_mgmt_dev(local_login_t) -dev_getattr_sound_dev(local_login_t) -dev_setattr_sound_dev(local_login_t) -dev_rw_generic_usb_dev(local_login_t) -dev_read_video_dev(local_login_t) -dev_dontaudit_getattr_apm_bios_dev(local_login_t) -dev_dontaudit_setattr_apm_bios_dev(local_login_t) -dev_dontaudit_read_framebuffer(local_login_t) -dev_dontaudit_setattr_framebuffer_dev(local_login_t) -dev_dontaudit_getattr_generic_blk_files(local_login_t) -dev_dontaudit_setattr_generic_blk_files(local_login_t) -dev_dontaudit_getattr_generic_chr_files(local_login_t) -dev_dontaudit_setattr_generic_chr_files(local_login_t) -dev_dontaudit_setattr_generic_symlinks(local_login_t) -dev_dontaudit_getattr_misc_dev(local_login_t) -dev_dontaudit_setattr_misc_dev(local_login_t) -dev_dontaudit_getattr_scanner_dev(local_login_t) -dev_dontaudit_setattr_scanner_dev(local_login_t) -dev_dontaudit_search_sysfs(local_login_t) -dev_dontaudit_getattr_video_dev(local_login_t) -dev_dontaudit_setattr_video_dev(local_login_t) - -domain_read_all_entry_files(local_login_t) - -files_read_etc_files(local_login_t) -files_read_etc_runtime_files(local_login_t) -files_read_usr_files(local_login_t) -files_list_mnt(local_login_t) -files_list_world_readable(local_login_t) -files_read_world_readable_files(local_login_t) -files_read_world_readable_symlinks(local_login_t) -files_read_world_readable_pipes(local_login_t) -files_read_world_readable_sockets(local_login_t) -# for when /var/mail is a symlink -files_read_var_symlinks(local_login_t) - -fs_search_auto_mountpoints(local_login_t) - -storage_dontaudit_getattr_fixed_disk_dev(local_login_t) -storage_dontaudit_setattr_fixed_disk_dev(local_login_t) -storage_dontaudit_getattr_removable_dev(local_login_t) -storage_dontaudit_setattr_removable_dev(local_login_t) - -term_use_all_ttys(local_login_t) -term_use_unallocated_ttys(local_login_t) -term_relabel_unallocated_ttys(local_login_t) -term_relabel_all_ttys(local_login_t) -term_setattr_all_ttys(local_login_t) -term_setattr_unallocated_ttys(local_login_t) - -auth_rw_login_records(local_login_t) -auth_rw_faillog(local_login_t) -auth_manage_pam_pid(local_login_t) -auth_manage_pam_console_data(local_login_t) -auth_domtrans_pam_console(local_login_t) - -init_dontaudit_use_fds(local_login_t) -init_stream_connect(local_login_t) - -miscfiles_read_localization(local_login_t) - -userdom_spec_domtrans_all_users(local_login_t) -userdom_signal_all_users(local_login_t) -userdom_search_user_home_content(local_login_t) -userdom_use_unpriv_users_fds(local_login_t) -userdom_sigchld_all_users(local_login_t) -userdom_create_all_users_keys(local_login_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(local_login_t) - ') -') - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(local_login_t) - fs_read_nfs_symlinks(local_login_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(local_login_t) - fs_read_cifs_symlinks(local_login_t) -') - -tunable_policy(`allow_console_login',` - term_use_console(local_login_t) - term_relabel_console(local_login_t) - term_setattr_console(local_login_t) -') - -optional_policy(` - alsa_domtrans(local_login_t) -') - -optional_policy(` - dbus_system_bus_client(local_login_t) - - consolekit_dbus_chat(local_login_t) -') - -optional_policy(` - gpm_getattr_gpmctl(local_login_t) - gpm_setattr_gpmctl(local_login_t) -') - -optional_policy(` - # Search for mail spool file. - mta_getattr_spool(local_login_t) -') - -optional_policy(` - nis_use_ypbind(local_login_t) -') - -optional_policy(` - nscd_socket_use(local_login_t) -') - -optional_policy(` - unconfined_shell_domtrans(local_login_t) -') - -optional_policy(` - usermanage_read_crack_db(local_login_t) -') - -optional_policy(` - xserver_read_xdm_tmp_files(local_login_t) - xserver_rw_xdm_tmp_files(local_login_t) -') - -################################# -# -# Sulogin local policy -# - -allow sulogin_t self:capability dac_override; -allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow sulogin_t self:fd use; -allow sulogin_t self:fifo_file rw_fifo_file_perms; -allow sulogin_t self:unix_dgram_socket create_socket_perms; -allow sulogin_t self:unix_stream_socket create_stream_socket_perms; -allow sulogin_t self:unix_dgram_socket sendto; -allow sulogin_t self:unix_stream_socket connectto; -allow sulogin_t self:shm create_shm_perms; -allow sulogin_t self:sem create_sem_perms; -allow sulogin_t self:msgq create_msgq_perms; -allow sulogin_t self:msg { send receive }; - -kernel_read_system_state(sulogin_t) - -fs_search_auto_mountpoints(sulogin_t) -fs_rw_tmpfs_chr_files(sulogin_t) - -files_read_etc_files(sulogin_t) -# because file systems are not mounted: -files_dontaudit_search_isid_type_dirs(sulogin_t) - -auth_read_shadow(sulogin_t) -auth_use_nsswitch(sulogin_t) - -init_getpgid_script(sulogin_t) - -logging_send_syslog_msg(sulogin_t) - -seutil_read_config(sulogin_t) -seutil_read_default_contexts(sulogin_t) - -userdom_use_unpriv_users_fds(sulogin_t) - -userdom_search_user_home_dirs(sulogin_t) -userdom_use_user_ptys(sulogin_t) - -term_use_console(sulogin_t) -term_use_unallocated_ttys(sulogin_t) - -ifdef(`enable_mls',` - sysadm_shell_domtrans(sulogin_t) -',` - optional_policy(` - unconfined_shell_domtrans(sulogin_t) - ') -') - -# suse and debian do not use pam with sulogin... -ifdef(`distro_suse', `define(`sulogin_no_pam')') -ifdef(`distro_debian', `define(`sulogin_no_pam')') - -allow sulogin_t self:capability sys_tty_config; -ifdef(`sulogin_no_pam', ` - init_getpgid(sulogin_t) -', ` - allow sulogin_t self:process setexec; - selinux_get_fs_mount(sulogin_t) - selinux_validate_context(sulogin_t) - selinux_compute_access_vector(sulogin_t) - selinux_compute_create_context(sulogin_t) - selinux_compute_relabel_context(sulogin_t) - selinux_compute_user_contexts(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc deleted file mode 100644 index ca6409c..0000000 --- a/policy/modules/system/logging.fc +++ /dev/null @@ -1,80 +0,0 @@ -/dev/log -s gen_context(system_u:object_r:devlog_t,s0) - -/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) -/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) -/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) -/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) - -/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) -/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) -/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) -/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) -/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) - -/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) - -/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) - -/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) -/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -/usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) -/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - -/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -/var/lib/syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) - -ifdef(`distro_suse', ` -/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) -') - -/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) -/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) -/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) - -/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) -/var/log/.* gen_context(system_u:object_r:var_log_t,s0) -/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) - -ifndef(`distro_gentoo',` -/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -') - -ifdef(`distro_redhat',` -/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) -/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) -') - -/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) -/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) -/var/run/log -s gen_context(system_u:object_r:devlog_t,s0) -/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) -/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) -/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) -/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) - -/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) -/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) -/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) -/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) - -/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) - -/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if deleted file mode 100644 index 453377e..0000000 --- a/policy/modules/system/logging.if +++ /dev/null @@ -1,1065 +0,0 @@ -## Policy for the kernel message logger and system logging daemon. - -######################################## -## -## Make the specified type usable for log files -## in a filesystem. -## -## -##

-## Make the specified type usable for log files in a filesystem. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a log file type may result in problems with log -## rotation, log analysis, and log monitoring programs. -##

-##

-## Related interfaces: -##

-##
    -##
  • logging_log_filetrans()
  • -##
-##

-## Example usage with a domain that can create -## and append to a private log file stored in the -## general directories (e.g., /var/log): -##

-##

-## type mylogfile_t; -## logging_log_file(mylogfile_t) -## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; -## logging_log_filetrans(mydomain_t, mylogfile_t, file) -##

-##
-## -## -## Type to be used for files. -## -## -## -# -interface(`logging_log_file',` - gen_require(` - attribute logfile; - ') - - files_type($1) - files_associate_tmp($1) - fs_associate_tmpfs($1) - typeattribute $1 logfile; -') - -####################################### -## -## Send audit messages. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_send_audit_msgs',` - allow $1 self:capability audit_write; - allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; -') - -####################################### -## -## dontaudit attempts to send audit messages. -## -## -## -## Domain to not audit. -## -## -# -interface(`logging_dontaudit_send_audit_msgs',` - dontaudit $1 self:capability audit_write; - dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; -') - -######################################## -## -## Set login uid -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_set_loginuid',` - allow $1 self:capability audit_control; - allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; -') - -######################################## -## -## Set tty auditing -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_set_tty_audit',` - allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit }; -') - -######################################## -## -## Set up audit -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_set_audit_parameters',` - allow $1 self:capability { audit_write audit_control }; - allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -') - -######################################## -## -## Read the audit log. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`logging_read_audit_log',` - gen_require(` - type auditd_log_t; - ') - - files_search_var($1) - read_files_pattern($1, auditd_log_t, auditd_log_t) - allow $1 auditd_log_t:dir list_dir_perms; -') - -######################################## -## -## Execute auditctl in the auditctl domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`logging_domtrans_auditctl',` - gen_require(` - type auditctl_t, auditctl_exec_t; - ') - - domtrans_pattern($1, auditctl_exec_t, auditctl_t) -') - -######################################## -## -## Execute auditctl in the auditctl domain, and -## allow the specified role the auditctl domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`logging_run_auditctl',` - gen_require(` - type auditctl_t; - ') - - logging_domtrans_auditctl($1) - role $2 types auditctl_t; -') - -######################################## -## -## Execute auditd in the auditd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`logging_domtrans_auditd',` - gen_require(` - type auditd_t, auditd_exec_t; - ') - - domtrans_pattern($1, auditd_exec_t, auditd_t) -') - -######################################## -## -## Execute auditd in the auditd domain, and -## allow the specified role the auditd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`logging_run_auditd',` - gen_require(` - type auditd_t; - ') - - logging_domtrans_auditd($1) - role $2 types auditd_t; -') - -######################################## -## -## Connect to auditdstored over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_stream_connect_auditd',` - refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.') - logging_stream_connect_dispatcher($1) -') - -######################################## -## -## Execute a domain transition to run the audit dispatcher. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`logging_domtrans_dispatcher',` - gen_require(` - type audisp_t, audisp_exec_t; - ') - - domtrans_pattern($1, audisp_exec_t, audisp_t) -') - -######################################## -## -## Signal the audit dispatcher. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_signal_dispatcher',` - gen_require(` - type audisp_t; - ') - - allow $1 audisp_t:process signal; -') - -######################################## -## -## Create a domain for processes -## which can be started by the system audit dispatcher -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# -interface(`logging_dispatcher_domain',` - gen_require(` - type audisp_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(audisp_t, $2, $1) - allow audisp_t $1:process { sigkill sigstop signull signal }; - - allow audisp_t $2:file getattr; - allow $1 audisp_t:unix_stream_socket rw_socket_perms; -') - -######################################## -## -## Connect to the audit dispatcher over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_stream_connect_dispatcher',` - gen_require(` - type audisp_t, audisp_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t) -') - -######################################## -## -## Manage the auditd configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`logging_manage_audit_config',` - gen_require(` - type auditd_etc_t; - ') - - files_search_etc($1) - manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -') - -######################################## -## -## Manage the audit log. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`logging_manage_audit_log',` - gen_require(` - type auditd_log_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, auditd_log_t, auditd_log_t) - manage_files_pattern($1, auditd_log_t, auditd_log_t) -') - -######################################## -## -## Execute klogd in the klog domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`logging_domtrans_klog',` - gen_require(` - type klogd_t, klogd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, klogd_exec_t, klogd_t) -') - -######################################## -## -## Check if syslogd is executable. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_check_exec_syslog',` - gen_require(` - type syslogd_exec_t; - ') - - corecmd_list_bin($1) - corecmd_read_bin_symlinks($1) - allow $1 syslogd_exec_t:file execute; -') - -######################################## -## -## Execute syslogd in the syslog domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`logging_domtrans_syslog',` - gen_require(` - type syslogd_t, syslogd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, syslogd_exec_t, syslogd_t) -') - -######################################## -## -## Create an object in the log directory, with a private type. -## -## -##

-## Allow the specified domain to create an object -## in the general system log directories (e.g., /var/log) -## with a private type. Typically this is used for creating -## private log files in /var/log with the private type instead -## of the general system log type. To accomplish this goal, -## either the program must be SELinux-aware, or use this interface. -##

-##

-## Related interfaces: -##

-##
    -##
  • logging_log_file()
  • -##
-##

-## Example usage with a domain that can create -## and append to a private log file stored in the -## general directories (e.g., /var/log): -##

-##

-## type mylogfile_t; -## logging_log_file(mylogfile_t) -## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; -## logging_log_filetrans(mydomain_t, mylogfile_t, file) -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -# -interface(`logging_log_filetrans',` - gen_require(` - type var_log_t; - ') - - files_search_var($1) - filetrans_pattern($1, var_log_t, $2, $3) -') - -######################################## -## -## Send system log messages. -## -## -##

-## Allow the specified domain to connect to the -## system log service (syslog), to send messages be added to -## the system logs. Typically this is used by services -## that do not have their own log file in /var/log. -##

-##

-## This does not allow messages to be sent to -## the auditing system. -##

-##

-## Programs which use the libc function syslog() will -## require this access. -##

-##

-## Related interfaces: -##

-##
    -##
  • logging_send_audit_msgs()
  • -##
-##
-## -## -## Domain allowed access. -## -## -# -interface(`logging_send_syslog_msg',` - gen_require(` - type syslogd_t, devlog_t; - ') - - allow $1 devlog_t:lnk_file read_lnk_file_perms; - allow $1 devlog_t:sock_file write_sock_file_perms; - - # the type of socket depends on the syslog daemon - allow $1 syslogd_t:unix_dgram_socket sendto; - allow $1 syslogd_t:unix_stream_socket connectto; - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 self:unix_stream_socket create_socket_perms; - - # If syslog is down, the glibc syslog() function - # will write to the console. - term_write_console($1) - term_dontaudit_read_console($1) -') - -######################################## -## -## Connect to the syslog control unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_stream_connect_syslog',` - gen_require(` - type syslogd_t, syslogd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) -') - -######################################## -## -## Read the auditd configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`logging_read_audit_config',` - gen_require(` - type auditd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, auditd_etc_t, auditd_etc_t) - allow $1 auditd_etc_t:dir list_dir_perms; -') - -######################################## -## -## dontaudit search of auditd configuration files. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`logging_dontaudit_search_audit_config',` - gen_require(` - type auditd_etc_t; - ') - - dontaudit $1 auditd_etc_t:dir search_dir_perms; -') - -######################################## -## -## Read syslog configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`logging_read_syslog_config',` - gen_require(` - type syslog_conf_t; - ') - - allow $1 syslog_conf_t:file read_file_perms; -') - -######################################## -## -## Allows the domain to open a file in the -## log directory, but does not allow the listing -## of the contents of the log directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_search_logs',` - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir search_dir_perms; -') - -####################################### -## -## Do not audit attempts to search the var log directory. -## -## -## -## Domain not to audit. -## -## -# -interface(`logging_dontaudit_search_logs',` - gen_require(` - type var_log_t; - ') - - dontaudit $1 var_log_t:dir search_dir_perms; -') - -####################################### -## -## List the contents of the generic log directory (/var/log). -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_list_logs',` - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -') - -####################################### -## -## Read and write the generic log directory (/var/log). -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_rw_generic_log_dirs',` - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir rw_dir_perms; -') - -######################################## -## -## Do not audit attempts to get the atttributes -## of any log files. -## -## -## -## Domain to not audit. -## -## -# -interface(`logging_dontaudit_getattr_all_logs',` - gen_require(` - attribute logfile; - ') - - dontaudit $1 logfile:file getattr; -') - -######################################## -## -## Append to all log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_append_all_logs',` - gen_require(` - attribute logfile; - type var_log_t; - ') - - files_search_var($1) - append_files_pattern($1, logfile, logfile) -') - -######################################## -## -## Append to all log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_inherit_append_all_logs',` - gen_require(` - attribute logfile; - ') - - allow $1 logfile:file { getattr append }; -') - -######################################## -## -## Read all log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`logging_read_all_logs',` - gen_require(` - attribute logfile; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; - read_files_pattern($1, logfile, logfile) -') - -######################################## -## -## Execute all log files in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -# cjp: not sure why this is needed. This was added -# because of logrotate. -interface(`logging_exec_all_logs',` - gen_require(` - attribute logfile; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; - can_exec($1, logfile) -') - -######################################## -## -## read/write to all log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_rw_all_logs',` - gen_require(` - attribute logfile; - ') - - files_search_var($1) - rw_files_pattern($1, logfile, logfile) -') - -######################################## -## -## Create, read, write, and delete all log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`logging_manage_all_logs',` - gen_require(` - attribute logfile; - ') - - files_search_var($1) - manage_files_pattern($1, logfile, logfile) - manage_lnk_files_pattern($1, logfile, logfile) -') - -######################################## -## -## Read generic log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`logging_read_generic_logs',` - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; - read_files_pattern($1, var_log_t, var_log_t) -') - -######################################## -## -## Write generic log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_write_generic_logs',` - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; - write_files_pattern($1, var_log_t, var_log_t) -') - -######################################## -## -## Dontaudit Write generic log files. -## -## -## -## Domain to not audit. -## -## -# -interface(`logging_dontaudit_write_generic_logs',` - gen_require(` - type var_log_t; - ') - - dontaudit $1 var_log_t:file write; -') - -######################################## -## -## Read and write generic log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`logging_rw_generic_logs',` - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; - rw_files_pattern($1, var_log_t, var_log_t) -') - -######################################## -## -## Create, read, write, and delete -## generic log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`logging_manage_generic_logs',` - gen_require(` - type var_log_t; - ') - - files_search_var($1) - manage_files_pattern($1, var_log_t, var_log_t) -') - -######################################## -## -## All of the rules required to administrate -## the audit environment -## -## -## -## Domain allowed access. -## -## -## -## -## User role allowed access. -## -## -## -# -interface(`logging_admin_audit',` - gen_require(` - type auditd_t, auditd_etc_t, auditd_log_t; - type auditd_var_run_t; - type auditd_initrc_exec_t; - ') - - allow $1 auditd_t:process { ptrace signal_perms }; - ps_process_pattern($1, auditd_t) - - manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) - manage_files_pattern($1, auditd_etc_t, auditd_etc_t) - - manage_dirs_pattern($1, auditd_log_t, auditd_log_t) - manage_files_pattern($1, auditd_log_t, auditd_log_t) - - manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) - manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) - - logging_run_auditctl($1, $2) - - init_labeled_script_domtrans($1, auditd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 auditd_initrc_exec_t system_r; - allow $2 system_r; -') - -######################################## -## -## All of the rules required to administrate -## the syslog environment -## -## -## -## Domain allowed access. -## -## -## -## -## User role allowed access. -## -## -## -# -interface(`logging_admin_syslog',` - gen_require(` - type syslogd_t, klogd_t, syslog_conf_t; - type syslogd_tmp_t, syslogd_var_lib_t; - type syslogd_var_run_t, klogd_var_run_t; - type klogd_tmp_t, var_log_t; - type syslogd_initrc_exec_t; - ') - - allow $1 syslogd_t:process { ptrace signal_perms }; - allow $1 klogd_t:process { ptrace signal_perms }; - ps_process_pattern($1, syslogd_t) - ps_process_pattern($1, klogd_t) - - manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) - manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) - - manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t) - manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t) - - manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t) - manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t) - - manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t) - manage_files_pattern($1, syslog_conf_t, syslog_conf_t) - files_etc_filetrans($1, syslog_conf_t, file) - - manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) - manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) - - manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) - manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) - - logging_manage_all_logs($1) - allow $1 logfile:dir relabel_dir_perms; - allow $1 logfile:file relabel_file_perms; - - init_labeled_script_domtrans($1, syslogd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 syslogd_initrc_exec_t system_r; - allow $2 system_r; -') - -######################################## -## -## All of the rules required to administrate -## the logging environment -## -## -## -## Domain allowed access. -## -## -## -## -## User role allowed access. -## -## -## -# -interface(`logging_admin',` - logging_admin_audit($1, $2) - logging_admin_syslog($1, $2) -') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te deleted file mode 100644 index 4762f02..0000000 --- a/policy/modules/system/logging.te +++ /dev/null @@ -1,531 +0,0 @@ -policy_module(logging, 1.16.0) - -######################################## -# -# Declarations -# - -attribute logfile; - -type auditctl_t; -type auditctl_exec_t; -init_system_domain(auditctl_t, auditctl_exec_t) -role system_r types auditctl_t; - -type auditd_etc_t; -files_security_file(auditd_etc_t) - -type auditd_log_t; -files_security_file(auditd_log_t) -files_security_mountpoint(auditd_log_t) - -type auditd_t; -type auditd_exec_t; -init_daemon_domain(auditd_t, auditd_exec_t) - -type auditd_initrc_exec_t; -init_script_file(auditd_initrc_exec_t) - -type auditd_var_run_t; -files_pid_file(auditd_var_run_t) - -type audisp_t; -type audisp_exec_t; -init_system_domain(audisp_t, audisp_exec_t) - -type audisp_var_run_t; -files_pid_file(audisp_var_run_t) - -type audisp_remote_t; -type audisp_remote_exec_t; -logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t) - -type devlog_t; -files_type(devlog_t) -mls_trusted_object(devlog_t) - -type klogd_t; -type klogd_exec_t; -init_daemon_domain(klogd_t, klogd_exec_t) - -type klogd_tmp_t; -files_tmp_file(klogd_tmp_t) - -type klogd_var_run_t; -files_pid_file(klogd_var_run_t) - -type syslog_conf_t; -files_type(syslog_conf_t) - -type syslogd_t; -type syslogd_exec_t; -init_daemon_domain(syslogd_t, syslogd_exec_t) -mls_trusted_object(syslogd_t) - -type syslogd_initrc_exec_t; -init_script_file(syslogd_initrc_exec_t) - -type syslogd_tmp_t; -files_tmp_file(syslogd_tmp_t) - -type syslogd_var_lib_t; -files_type(syslogd_var_lib_t) - -type syslogd_var_run_t; -files_pid_file(syslogd_var_run_t) - -type var_log_t; -logging_log_file(var_log_t) -files_mountpoint(var_log_t) - -ifdef(`enable_mls',` - init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) - init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) -') - -######################################## -# -# Auditctl local policy -# - -allow auditctl_t self:capability { fsetid dac_read_search dac_override }; -allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; - -read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) -allow auditctl_t auditd_etc_t:dir list_dir_perms; - -# Needed for adding watches -files_getattr_all_dirs(auditctl_t) -files_getattr_all_files(auditctl_t) -files_read_etc_files(auditctl_t) - -kernel_read_kernel_sysctls(auditctl_t) -kernel_read_proc_symlinks(auditctl_t) -kernel_setsched(auditctl_t) - -domain_read_all_domains_state(auditctl_t) -domain_use_interactive_fds(auditctl_t) - -mls_file_read_all_levels(auditctl_t) - -term_use_all_terms(auditctl_t) - -init_dontaudit_use_fds(auditctl_t) - -locallogin_dontaudit_use_fds(auditctl_t) - -logging_set_audit_parameters(auditctl_t) -logging_send_syslog_msg(auditctl_t) - -######################################## -# -# Auditd local policy -# - -allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; -dontaudit auditd_t self:capability sys_tty_config; -allow auditd_t self:process { getcap signal_perms setcap setpgid setsched }; -allow auditd_t self:file rw_file_perms; -allow auditd_t self:unix_dgram_socket create_socket_perms; -allow auditd_t self:fifo_file rw_fifo_file_perms; -allow auditd_t self:tcp_socket create_stream_socket_perms; - -allow auditd_t auditd_etc_t:dir list_dir_perms; -allow auditd_t auditd_etc_t:file read_file_perms; - -manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) -manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) -allow auditd_t var_log_t:dir search_dir_perms; - -manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) -manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) -files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(auditd_t) -# Needs to be able to run dispatcher. see /etc/audit/auditd.conf -# Probably want a transition, and a new auditd_helper app -kernel_read_system_state(auditd_t) - -dev_read_sysfs(auditd_t) - -fs_getattr_all_fs(auditd_t) -fs_search_auto_mountpoints(auditd_t) -fs_rw_anon_inodefs_files(auditd_t) - -selinux_search_fs(auditctl_t) - -corenet_all_recvfrom_unlabeled(auditd_t) -corenet_all_recvfrom_netlabel(auditd_t) -corenet_tcp_sendrecv_generic_if(auditd_t) -corenet_tcp_sendrecv_generic_node(auditd_t) -corenet_tcp_sendrecv_all_ports(auditd_t) -corenet_tcp_bind_generic_node(auditd_t) -corenet_tcp_bind_audit_port(auditd_t) -corenet_sendrecv_audit_server_packets(auditd_t) - -# Needs to be able to run dispatcher. see /etc/audit/auditd.conf -# Probably want a transition, and a new auditd_helper app -corecmd_exec_bin(auditd_t) -corecmd_exec_shell(auditd_t) - -domain_use_interactive_fds(auditd_t) - -files_read_etc_files(auditd_t) -files_list_usr(auditd_t) - -init_telinit(auditd_t) - -logging_set_audit_parameters(auditd_t) -logging_send_syslog_msg(auditd_t) -logging_domtrans_dispatcher(auditd_t) -logging_signal_dispatcher(auditd_t) - -auth_use_nsswitch(auditd_t) - -miscfiles_read_localization(auditd_t) - -mls_file_read_all_levels(auditd_t) -mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory - -seutil_dontaudit_read_config(auditd_t) - -sysnet_dns_name_resolve(auditd_t) - -userdom_use_user_terminals(auditd_t) -userdom_dontaudit_use_unpriv_user_fds(auditd_t) -userdom_dontaudit_search_user_home_dirs(auditd_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(auditd_t) - ') -') - -optional_policy(` - mta_send_mail(auditd_t) -') - -optional_policy(` - seutil_sigchld_newrole(auditd_t) -') - -optional_policy(` - udev_read_db(auditd_t) -') - -######################################## -# -# audit dispatcher local policy -# - -allow audisp_t self:capability { dac_override setpcap sys_nice }; -allow audisp_t self:process { getcap signal_perms setcap setsched }; -allow audisp_t self:fifo_file rw_fifo_file_perms; -allow audisp_t self:unix_stream_socket create_stream_socket_perms; -allow audisp_t self:unix_dgram_socket create_socket_perms; - -allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; - -manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) -files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) - -corecmd_exec_bin(audisp_t) -corecmd_exec_shell(audisp_t) - -domain_use_interactive_fds(audisp_t) - -files_read_etc_files(audisp_t) -files_read_etc_runtime_files(audisp_t) - -mls_file_read_all_levels(audisp_t) -mls_file_write_all_levels(audisp_t) -mls_socket_write_all_levels(audisp_t) -mls_dbus_send_all_levels(audisp_t) - -auth_use_nsswitch(audisp_t) - -logging_send_syslog_msg(audisp_t) - -miscfiles_read_localization(audisp_t) - -sysnet_dns_name_resolve(audisp_t) - -optional_policy(` - dbus_system_bus_client(audisp_t) - - optional_policy(` - setroubleshoot_dbus_chat(audisp_t) - ') -') - -######################################## -# -# Audit remote logger local policy -# -allow audisp_remote_t self:capability { setuid setpcap }; -allow audisp_remote_t self:process { getcap setcap }; -allow audisp_remote_t self:tcp_socket create_socket_perms; -allow audisp_remote_t var_log_t:dir search_dir_perms; - -corecmd_exec_bin(audisp_remote_t) - -corenet_all_recvfrom_unlabeled(audisp_remote_t) -corenet_all_recvfrom_netlabel(audisp_remote_t) -corenet_tcp_sendrecv_generic_if(audisp_remote_t) -corenet_tcp_sendrecv_generic_node(audisp_remote_t) -corenet_tcp_sendrecv_all_ports(audisp_remote_t) -corenet_tcp_bind_audit_port(audisp_remote_t) -corenet_tcp_bind_generic_node(audisp_remote_t) -corenet_tcp_connect_audit_port(audisp_remote_t) -corenet_sendrecv_audit_client_packets(audisp_remote_t) - -files_read_etc_files(audisp_remote_t) - -logging_send_syslog_msg(audisp_remote_t) -logging_send_audit_msgs(audisp_remote_t) - -auth_use_nsswitch(audisp_remote_t) - -miscfiles_read_localization(audisp_remote_t) - -init_telinit(audisp_remote_t) -init_read_utmp(audisp_remote_t) -init_dontaudit_write_utmp(audisp_remote_t) - -sysnet_dns_name_resolve(audisp_remote_t) - -######################################## -# -# klogd local policy -# - -allow klogd_t self:capability sys_admin; -dontaudit klogd_t self:capability { sys_resource sys_tty_config }; -allow klogd_t self:process signal_perms; - -manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t) -manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t) -files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir }) - -manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t) -files_pid_filetrans(klogd_t, klogd_var_run_t, file) - -kernel_read_system_state(klogd_t) -kernel_read_messages(klogd_t) -kernel_read_kernel_sysctls(klogd_t) -# Control syslog and console logging -kernel_clear_ring_buffer(klogd_t) -kernel_change_ring_buffer_level(klogd_t) - -files_read_kernel_symbol_table(klogd_t) - -dev_read_raw_memory(klogd_t) -dev_read_sysfs(klogd_t) - -fs_getattr_all_fs(klogd_t) -fs_search_auto_mountpoints(klogd_t) - -domain_use_interactive_fds(klogd_t) - -files_read_etc_runtime_files(klogd_t) -# read /etc/nsswitch.conf -files_read_etc_files(klogd_t) - -logging_send_syslog_msg(klogd_t) - -miscfiles_read_localization(klogd_t) - -mls_file_read_all_levels(klogd_t) - -userdom_dontaudit_search_user_home_dirs(klogd_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(klogd_t) - ') -') - -optional_policy(` - udev_read_db(klogd_t) -') - -optional_policy(` - seutil_sigchld_newrole(klogd_t) -') - -######################################## -# -# syslogd local policy -# - -# chown fsetid for syslog-ng -# sys_admin for the integrated klog of syslog-ng and metalog -# cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; -dontaudit syslogd_t self:capability sys_tty_config; -# setpgid for metalog -# setrlimit for syslog-ng -allow syslogd_t self:process { signal_perms setpgid setrlimit }; -# receive messages to be logged -allow syslogd_t self:unix_dgram_socket create_socket_perms; -allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -allow syslogd_t self:unix_dgram_socket sendto; -allow syslogd_t self:fifo_file rw_fifo_file_perms; -allow syslogd_t self:udp_socket create_socket_perms; -allow syslogd_t self:tcp_socket create_stream_socket_perms; - -allow syslogd_t syslog_conf_t:file read_file_perms; - -# Create and bind to /dev/log or /var/run/log. -allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -files_pid_filetrans(syslogd_t, devlog_t, sock_file) - -# create/append log files. -manage_files_pattern(syslogd_t, var_log_t, var_log_t) -rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) - -# Allow access for syslog-ng -allow syslogd_t var_log_t:dir { create setattr }; - -# manage temporary files -manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) -manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) -files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) - -manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) -manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) -files_search_var_lib(syslogd_t) - -manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) - -# manage pid file -manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) - -kernel_read_system_state(syslogd_t) -kernel_read_kernel_sysctls(syslogd_t) -kernel_read_proc_symlinks(syslogd_t) -# Allow access to /proc/kmsg for syslog-ng -kernel_read_messages(syslogd_t) -kernel_clear_ring_buffer(syslogd_t) -kernel_change_ring_buffer_level(syslogd_t) - -corenet_all_recvfrom_unlabeled(syslogd_t) -corenet_all_recvfrom_netlabel(syslogd_t) -corenet_udp_sendrecv_generic_if(syslogd_t) -corenet_udp_sendrecv_generic_node(syslogd_t) -corenet_udp_sendrecv_all_ports(syslogd_t) -corenet_udp_bind_generic_node(syslogd_t) -corenet_udp_bind_syslogd_port(syslogd_t) -# syslog-ng can listen and connect on tcp port 514 (rsh) -corenet_tcp_sendrecv_generic_if(syslogd_t) -corenet_tcp_sendrecv_generic_node(syslogd_t) -corenet_tcp_sendrecv_all_ports(syslogd_t) -corenet_tcp_bind_generic_node(syslogd_t) -corenet_tcp_bind_rsh_port(syslogd_t) -corenet_tcp_connect_rsh_port(syslogd_t) -# Allow users to define additional syslog ports to connect to -corenet_tcp_bind_syslogd_port(syslogd_t) -corenet_tcp_connect_syslogd_port(syslogd_t) -corenet_tcp_connect_postgresql_port(syslogd_t) -corenet_tcp_connect_mysqld_port(syslogd_t) - -# syslog-ng can send or receive logs -corenet_sendrecv_syslogd_client_packets(syslogd_t) -corenet_sendrecv_syslogd_server_packets(syslogd_t) -corenet_sendrecv_postgresql_client_packets(syslogd_t) -corenet_sendrecv_mysqld_client_packets(syslogd_t) - -dev_filetrans(syslogd_t, devlog_t, sock_file) -dev_read_sysfs(syslogd_t) -dev_read_rand(syslogd_t) - -domain_use_interactive_fds(syslogd_t) - -files_read_etc_files(syslogd_t) -files_read_usr_files(syslogd_t) -files_read_var_files(syslogd_t) -files_read_etc_runtime_files(syslogd_t) -# /initrd is not umounted before minilog starts -files_dontaudit_search_isid_type_dirs(syslogd_t) -files_read_kernel_symbol_table(syslogd_t) - -fs_getattr_all_fs(syslogd_t) -fs_search_auto_mountpoints(syslogd_t) - -mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories - -term_write_console(syslogd_t) -# Allow syslog to a terminal -term_write_unallocated_ttys(syslogd_t) - -# for sending messages to logged in users -init_read_utmp(syslogd_t) -init_dontaudit_write_utmp(syslogd_t) -term_write_all_ttys(syslogd_t) - -auth_use_nsswitch(syslogd_t) - -init_use_fds(syslogd_t) - -# cjp: this doesnt make sense -logging_send_syslog_msg(syslogd_t) - -miscfiles_read_localization(syslogd_t) - -userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -userdom_dontaudit_search_user_home_dirs(syslogd_t) - -ifdef(`distro_gentoo',` - # default gentoo syslog-ng config appends kernel - # and high priority messages to /dev/tty12 - term_append_unallocated_ttys(syslogd_t) - term_dontaudit_setattr_unallocated_ttys(syslogd_t) -') - -ifdef(`distro_suse',` - # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel - files_var_lib_filetrans(syslogd_t, devlog_t, sock_file) -') - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(syslogd_t) - ') -') - -optional_policy(` - bind_search_cache(syslogd_t) -') - -optional_policy(` - inn_manage_log(syslogd_t) -') - -optional_policy(` - mysql_stream_connect(syslogd_t) -') - -optional_policy(` - postgresql_stream_connect(syslogd_t) -') - -optional_policy(` - seutil_sigchld_newrole(syslogd_t) -') - -optional_policy(` - daemontools_search_svc_dir(syslogd_t) -') - -optional_policy(` - udev_read_db(syslogd_t) -') - -optional_policy(` - # log to the xconsole - xserver_rw_console(syslogd_t) -') diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc deleted file mode 100644 index 31efcb2..0000000 --- a/policy/modules/system/lvm.fc +++ /dev/null @@ -1,103 +0,0 @@ - -# LVM creates lock files in /var before /var is mounted -# configure LVM to put lockfiles in /etc/lvm/lock instead -# for this policy to work (unless you have no separate /var) - -# -# /bin -# -ifdef(`distro_gentoo',` -/bin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) -') - -# -# /etc -# -/etc/lvm(/.*)? gen_context(system_u:object_r:lvm_etc_t,s0) -/etc/lvm/\.cache -- gen_context(system_u:object_r:lvm_metadata_t,s0) -/etc/lvm/cache(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) -/etc/lvm/archive(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) -/etc/lvm/backup(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) -/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) - -/etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) -/etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) - -# -# /lib -# -/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) -/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) -/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) - -# -# /sbin -# -/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0) - -# -# /usr -# -/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) -/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) - -# -# /var -# -/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) -/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) -/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) -/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) -/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if deleted file mode 100644 index b4f0663..0000000 --- a/policy/modules/system/lvm.if +++ /dev/null @@ -1,143 +0,0 @@ -## Policy for logical volume management programs. - -######################################## -## -## Execute lvm programs in the lvm domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`lvm_domtrans',` - gen_require(` - type lvm_t, lvm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, lvm_exec_t, lvm_t) -') - -######################################## -## -## Execute lvm programs in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`lvm_exec',` - gen_require(` - type lvm_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, lvm_exec_t) -') - -######################################## -## -## Execute lvm programs in the lvm domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the LVM domain. -## -## -## -# -interface(`lvm_run',` - gen_require(` - type lvm_t; - ') - - lvm_domtrans($1) - role $2 types lvm_t; -') - -######################################## -## -## Read LVM configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`lvm_read_config',` - gen_require(` - type lvm_etc_t; - ') - - files_search_etc($1) - allow $1 lvm_etc_t:dir list_dir_perms; - read_files_pattern($1, lvm_etc_t, lvm_etc_t) -') - -######################################## -## -## Manage LVM configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`lvm_manage_config',` - gen_require(` - type lvm_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t) - manage_files_pattern($1, lvm_etc_t, lvm_etc_t) -') - -###################################### -## -## Execute a domain transition to run clvmd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`lvm_domtrans_clvmd',` - gen_require(` - type clvmd_t, clvmd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clvmd_exec_t, clvmd_t) -') - -######################################## -## -## Read and write to lvm temporary file system. -## -## -## -## Domain allowed access. -## -## -# -interface(`lvm_rw_clvmd_tmpfs_files',` - gen_require(` - type clvmd_tmpfs_t; - ') - - allow $1 clvmd_tmpfs_t:file rw_file_perms; -') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te deleted file mode 100644 index 7f649d5..0000000 --- a/policy/modules/system/lvm.te +++ /dev/null @@ -1,378 +0,0 @@ -policy_module(lvm, 1.12.0) - -######################################## -# -# Declarations -# - -type clvmd_t; -type clvmd_exec_t; -init_daemon_domain(clvmd_t, clvmd_exec_t) - -type clvmd_initrc_exec_t; -init_script_file(clvmd_initrc_exec_t) - -type clmvd_tmpfs_t; -files_tmpfs_file(clmvd_tmpfs_t) - -type clvmd_var_run_t; -files_pid_file(clvmd_var_run_t) - -type lvm_t; -type lvm_exec_t; -init_system_domain(lvm_t, lvm_exec_t) -# needs privowner because it assigns the identity system_u to device nodes -# but runs as the identity of the sysadmin -domain_obj_id_change_exemption(lvm_t) -role system_r types lvm_t; - -type lvm_etc_t; -files_type(lvm_etc_t) - -type lvm_lock_t; -files_lock_file(lvm_lock_t) - -type lvm_metadata_t; -files_type(lvm_metadata_t) - -type lvm_var_lib_t; -files_type(lvm_var_lib_t) - -type lvm_var_run_t; -files_pid_file(lvm_var_run_t) - -type lvm_tmp_t; -files_tmp_file(lvm_tmp_t) - -######################################## -# -# Cluster LVM daemon local policy -# - -allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; -dontaudit clvmd_t self:capability sys_tty_config; -allow clvmd_t self:process { signal_perms setsched }; -dontaudit clvmd_t self:process ptrace; -allow clvmd_t self:socket create_socket_perms; -allow clvmd_t self:fifo_file rw_fifo_file_perms; -allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow clvmd_t self:tcp_socket create_stream_socket_perms; -allow clvmd_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(clvmd_t, clmvd_tmpfs_t, clmvd_tmpfs_t) -manage_files_pattern(clvmd_t, clmvd_tmpfs_t,clmvd_tmpfs_t) -fs_tmpfs_filetrans(clvmd_t, clmvd_tmpfs_t, { dir file }) - -manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) -files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) - -read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t) - -kernel_read_kernel_sysctls(clvmd_t) -kernel_read_system_state(clvmd_t) -kernel_list_proc(clvmd_t) -kernel_read_proc_symlinks(clvmd_t) -kernel_search_debugfs(clvmd_t) -kernel_dontaudit_getattr_core_if(clvmd_t) - -corecmd_exec_shell(clvmd_t) -corecmd_getattr_bin_files(clvmd_t) - -corenet_all_recvfrom_unlabeled(clvmd_t) -corenet_all_recvfrom_netlabel(clvmd_t) -corenet_tcp_sendrecv_generic_if(clvmd_t) -corenet_udp_sendrecv_generic_if(clvmd_t) -corenet_raw_sendrecv_generic_if(clvmd_t) -corenet_tcp_sendrecv_generic_node(clvmd_t) -corenet_udp_sendrecv_generic_node(clvmd_t) -corenet_raw_sendrecv_generic_node(clvmd_t) -corenet_tcp_sendrecv_all_ports(clvmd_t) -corenet_udp_sendrecv_all_ports(clvmd_t) -corenet_tcp_bind_generic_node(clvmd_t) -corenet_tcp_bind_reserved_port(clvmd_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t) -corenet_sendrecv_generic_server_packets(clvmd_t) - -dev_read_sysfs(clvmd_t) -dev_manage_generic_symlinks(clvmd_t) -dev_relabel_generic_dev_dirs(clvmd_t) -dev_manage_generic_blk_files(clvmd_t) -dev_manage_generic_chr_files(clvmd_t) -dev_rw_lvm_control(clvmd_t) -dev_dontaudit_getattr_all_blk_files(clvmd_t) -dev_dontaudit_getattr_all_chr_files(clvmd_t) -dev_create_generic_dirs(clvmd_t) -dev_delete_generic_dirs(clvmd_t) - -files_read_etc_files(clvmd_t) -files_list_usr(clvmd_t) - -fs_getattr_all_fs(clvmd_t) -fs_search_auto_mountpoints(clvmd_t) -fs_dontaudit_list_tmpfs(clvmd_t) -fs_dontaudit_read_removable_files(clvmd_t) -fs_rw_anon_inodefs_files(clvmd_t) - -storage_dontaudit_getattr_removable_dev(clvmd_t) -storage_manage_fixed_disk(clvmd_t) -storage_dev_filetrans_fixed_disk(clvmd_t) -storage_relabel_fixed_disk(clvmd_t) -storage_raw_read_fixed_disk(clvmd_t) - -domain_use_interactive_fds(clvmd_t) - -auth_use_nsswitch(clvmd_t) - -init_dontaudit_getattr_initctl(clvmd_t) - -logging_send_syslog_msg(clvmd_t) - -miscfiles_read_localization(clvmd_t) - -seutil_dontaudit_search_config(clvmd_t) -seutil_sigchld_newrole(clvmd_t) -seutil_read_config(clvmd_t) -seutil_read_file_contexts(clvmd_t) -seutil_search_default_contexts(clvmd_t) - -userdom_dontaudit_use_unpriv_user_fds(clvmd_t) -userdom_dontaudit_search_user_home_dirs(clvmd_t) - -lvm_domtrans(clvmd_t) -lvm_read_config(clvmd_t) - -ifdef(`distro_redhat',` - optional_policy(` - unconfined_domain(clvmd_t) - ') -') - -optional_policy(` - aisexec_stream_connect(clvmd_t) - corosync_stream_connect(clvmd_t) -') - -optional_policy(` - ccs_stream_connect(clvmd_t) -') - -optional_policy(` - gpm_dontaudit_getattr_gpmctl(clvmd_t) -') - -optional_policy(` - ricci_dontaudit_rw_modcluster_pipes(clvmd_t) - ricci_dontaudit_use_modcluster_fds(clvmd_t) -') - -optional_policy(` - udev_read_db(clvmd_t) -') - -######################################## -# -# LVM Local policy -# - -# DAC overrides and mknod for modifying /dev entries (vgmknodes) -# rawio needed for dmraid -# net_admin for multipath -allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; -dontaudit lvm_t self:capability sys_tty_config; -allow lvm_t self:process { sigchld sigkill sigstop signull signal }; -# LVM will complain a lot if it cannot set its priority. -allow lvm_t self:process setsched; -allow lvm_t self:sem create_sem_perms; -allow lvm_t self:file rw_file_perms; -allow lvm_t self:fifo_file manage_fifo_file_perms; -allow lvm_t self:unix_dgram_socket create_socket_perms; -allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; - -allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; - -manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) -manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) -files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir }) - -# /lib/lvm- holds the actual LVM binaries (and symlinks) -read_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) -read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) - -# LVM is split into many individual binaries -can_exec(lvm_t, lvm_exec_t) - -# Creating lock files -manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t) -files_lock_filetrans(lvm_t, lvm_lock_t, file) - -manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) - -manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) -manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) -manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) -files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) - -read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d -manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t) -filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) -files_etc_filetrans(lvm_t, lvm_metadata_t, file) -files_search_mnt(lvm_t) - -kernel_get_sysvipc_info(lvm_t) -kernel_read_system_state(lvm_t) -kernel_read_kernel_sysctls(lvm_t) -# Read system variables in /proc/sys -kernel_read_kernel_sysctls(lvm_t) -# it has no reason to need this -kernel_dontaudit_getattr_core_if(lvm_t) -kernel_use_fds(lvm_t) -kernel_request_load_module(lvm_t) -kernel_search_debugfs(lvm_t) - -corecmd_exec_bin(lvm_t) -corecmd_exec_shell(lvm_t) - -dev_create_generic_chr_files(lvm_t) -dev_delete_generic_dirs(lvm_t) -dev_read_rand(lvm_t) -dev_read_urand(lvm_t) -dev_rw_lvm_control(lvm_t) -dev_manage_generic_symlinks(lvm_t) -dev_relabel_generic_dev_dirs(lvm_t) -dev_manage_generic_blk_files(lvm_t) -# Read /sys/block. Device mapper metadata is kept there. -dev_read_sysfs(lvm_t) -# cjp: this has no effect since LVM does not -# have lnk_file relabelto for anything else. -# perhaps this should be blk_files? -dev_relabel_generic_symlinks(lvm_t) -# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... -dev_dontaudit_read_all_chr_files(lvm_t) -dev_dontaudit_read_all_blk_files(lvm_t) -dev_dontaudit_getattr_generic_chr_files(lvm_t) -dev_dontaudit_getattr_generic_blk_files(lvm_t) -dev_dontaudit_getattr_generic_pipes(lvm_t) -dev_create_generic_dirs(lvm_t) -dev_rw_generic_files(lvm_t) - -domain_use_interactive_fds(lvm_t) -domain_read_all_domains_state(lvm_t) - -files_read_usr_files(lvm_t) -files_read_etc_files(lvm_t) -files_read_etc_runtime_files(lvm_t) -# for when /usr is not mounted: -files_dontaudit_search_isid_type_dirs(lvm_t) -files_dontaudit_getattr_tmpfs_files(lvm_t) - -fs_getattr_all_fs(lvm_t) -fs_search_auto_mountpoints(lvm_t) -fs_list_tmpfs(lvm_t) -fs_read_tmpfs_symlinks(lvm_t) -fs_dontaudit_read_removable_files(lvm_t) -fs_dontaudit_getattr_tmpfs_files(lvm_t) -fs_rw_anon_inodefs_files(lvm_t) - -mls_file_read_all_levels(lvm_t) -mls_file_write_to_clearance(lvm_t) -mls_file_upgrade(lvm_t) - -selinux_get_fs_mount(lvm_t) -selinux_validate_context(lvm_t) -selinux_compute_access_vector(lvm_t) -selinux_compute_create_context(lvm_t) -selinux_compute_relabel_context(lvm_t) -selinux_compute_user_contexts(lvm_t) - -storage_relabel_fixed_disk(lvm_t) -storage_dontaudit_read_removable_device(lvm_t) -# LVM creates block devices in /dev/mapper or /dev/ -# depending on its version -# LVM(2) needs to create directores (/dev/mapper, /dev/) -# and links from /dev/ to /dev/mapper/- -# cjp: need create interface here for fixed disk create -storage_dev_filetrans_fixed_disk(lvm_t) -# Access raw devices and old /dev/lvm (c 109,0). Is this needed? -storage_manage_fixed_disk(lvm_t) - -term_use_all_terms(lvm_t) - -init_use_fds(lvm_t) -init_dontaudit_getattr_initctl(lvm_t) -init_use_script_ptys(lvm_t) -init_read_script_state(lvm_t) - -logging_send_syslog_msg(lvm_t) - -miscfiles_read_localization(lvm_t) - -seutil_read_config(lvm_t) -seutil_read_file_contexts(lvm_t) -seutil_search_default_contexts(lvm_t) -seutil_sigchld_newrole(lvm_t) - -userdom_use_user_terminals(lvm_t) - -ifdef(`distro_redhat',` - # this is from the initrd: - files_rw_isid_type_dirs(lvm_t) - - optional_policy(` - unconfined_domain(lvm_t) - ') -') - -optional_policy(` - aisexec_stream_connect(lvm_t) - corosync_stream_connect(lvm_t) -') - -optional_policy(` - bootloader_rw_tmp_files(lvm_t) -') - -optional_policy(` - ccs_stream_connect(lvm_t) -') - -optional_policy(` - gpm_dontaudit_getattr_gpmctl(lvm_t) -') - -optional_policy(` - dbus_system_bus_client(lvm_t) - - optional_policy(` - hal_dbus_chat(lvm_t) - ') -') - -optional_policy(` - livecd_rw_semaphores(lvm_t) -') - -optional_policy(` - modutils_domtrans_insmod(lvm_t) -') - -optional_policy(` - rpm_manage_script_tmp_files(lvm_t) -') - -optional_policy(` - udev_read_db(lvm_t) -') - -optional_policy(` - virt_manage_images(lvm_t) -') - -optional_policy(` - xen_append_log(lvm_t) - xen_dontaudit_rw_unix_stream_sockets(lvm_t) -') diff --git a/policy/modules/system/metadata.xml b/policy/modules/system/metadata.xml deleted file mode 100644 index 4866e97..0000000 --- a/policy/modules/system/metadata.xml +++ /dev/null @@ -1,3 +0,0 @@ - - Policy modules for system functions from init to multi-user login. - diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc deleted file mode 100644 index a8bd9fe..0000000 --- a/policy/modules/system/miscfiles.fc +++ /dev/null @@ -1,94 +0,0 @@ -# -# /emul -# -ifdef(`distro_gentoo',` -/emul/linux/x86/usr/(X11R6/)?lib/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) -') - -# -# /etc -# -/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -/etc/timezone -- gen_context(system_u:object_r:locale_t,s0) -/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) - -ifdef(`distro_redhat',` -/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) -') - -# -# /opt -# -/opt/(.*/)?man(/.*)? gen_context(system_u:object_r:man_t,s0) - -# -# /srv -# -/srv/([^/]*/)?ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0) -/srv/([^/]*/)?rsync(/.*)? gen_context(system_u:object_r:public_content_t,s0) - -# -# /usr -# -/usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) - -/usr/lib(64)?/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) - -/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) - -/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - -/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) - -/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) -/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) -/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) - -/usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) -/usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) - -/usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - -/usr/X11R6/man(/.*)? gen_context(system_u:object_r:man_t,s0) - -ifdef(`distro_gentoo',` -/usr/share/misc/(pci|usb)\.ids -- gen_context(system_u:object_r:hwdata_t,s0) -') - -ifdef(`distro_redhat',` -/usr/share/hwdata(/.*)? gen_context(system_u:object_r:hwdata_t,s0) -') - -# -# /var -# -/var/ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0) - -/var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) - -/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) -/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) -/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) - -/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) - -/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) - -/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) - -ifdef(`distro_debian',` -/var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -/var/lib/usbutils(/.*)? gen_context(system_u:object_r:hwdata_t,s0) -') - -ifdef(`distro_redhat',` -/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if deleted file mode 100644 index 926ba65..0000000 --- a/policy/modules/system/miscfiles.if +++ /dev/null @@ -1,771 +0,0 @@ -## Miscelaneous files. - -######################################## -## -## Make the specified type usable as a cert file. -## -## -##

-## Make the specified type usable for cert files. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a temporary file may result in problems with -## cert management tools. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_type()
  • -##
-##

-## Example: -##

-##

-## type mycertfile_t; -## cert_type(mycertfile_t) -## allow mydomain_t mycertfile_t:file read_file_perms; -## files_search_etc(mydomain_t) -##

-##
-## -## -## Type to be used for files. -## -## -## -# -interface(`miscfiles_cert_type',` - gen_require(` - attribute cert_type; - ') - - typeattribute $1 cert_type; - files_type($1) -') - -######################################## -## -## Read all SSL certificates. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_read_all_certs',` - gen_require(` - attribute cert_type; - ') - - allow $1 cert_type:dir list_dir_perms; - read_files_pattern($1, cert_type, cert_type) - read_lnk_files_pattern($1, cert_type, cert_type) -') - -######################################## -## -## Read generic SSL certificates. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_read_generic_certs',` - gen_require(` - type cert_t; - ') - - allow $1 cert_t:dir list_dir_perms; - read_files_pattern($1, cert_t, cert_t) - read_lnk_files_pattern($1, cert_t, cert_t) -') - -######################################## -## -## Manage generic SSL certificates. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_manage_generic_cert_dirs',` - gen_require(` - type cert_t; - ') - - manage_dirs_pattern($1, cert_t, cert_t) -') - -######################################## -## -## Manage generic SSL certificates. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_manage_generic_cert_files',` - gen_require(` - type cert_t; - ') - - manage_files_pattern($1, cert_t, cert_t) - read_lnk_files_pattern($1, cert_t, cert_t) -') - -######################################## -## -## Read SSL certificates. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_read_certs',` - miscfiles_read_generic_certs($1) - refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.') -') - -######################################## -## -## Manage SSL certificates. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_manage_cert_dirs',` - miscfiles_manage_generic_cert_dirs($1) - refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.') -') - -######################################## -## -## Manage SSL certificates. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_manage_cert_files',` - miscfiles_manage_generic_cert_files($1) - refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.') -') - -######################################## -## -## Read fonts. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_read_fonts',` - gen_require(` - type fonts_t, fonts_cache_t; - ') - - # cjp: fonts can be in either of these dirs - files_search_usr($1) - libs_search_lib($1) - - allow $1 fonts_t:dir list_dir_perms; - read_files_pattern($1, fonts_t, fonts_t) - read_lnk_files_pattern($1, fonts_t, fonts_t) - - allow $1 fonts_cache_t:dir list_dir_perms; - read_files_pattern($1, fonts_cache_t, fonts_cache_t) - read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) -') - -######################################## -## -## Set the attributes on a fonts directory. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_setattr_fonts_dirs',` - gen_require(` - type fonts_t; - ') - - allow $1 fonts_t:dir setattr; -') - -######################################## -## -## Do not audit attempts to set the attributes -## on a fonts directory. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`miscfiles_dontaudit_setattr_fonts_dirs',` - gen_require(` - type fonts_t; - ') - - dontaudit $1 fonts_t:dir setattr; -') - -######################################## -## -## Do not audit attempts to write fonts. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`miscfiles_dontaudit_write_fonts',` - gen_require(` - type fonts_t; - ') - - dontaudit $1 fonts_t:dir { write setattr }; - dontaudit $1 fonts_t:file write; -') - -######################################## -## -## Create, read, write, and delete fonts. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_manage_fonts',` - gen_require(` - type fonts_t; - ') - - # cjp: fonts can be in either of these dirs - files_search_usr($1) - libs_search_lib($1) - - manage_dirs_pattern($1, fonts_t, fonts_t) - manage_files_pattern($1, fonts_t, fonts_t) - manage_lnk_files_pattern($1, fonts_t, fonts_t) -') - -######################################## -## -## Set the attributes on a fonts cache directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_setattr_fonts_cache_dirs',` - gen_require(` - type fonts_cache_t; - ') - - allow $1 fonts_cache_t:dir setattr; -') - -######################################## -## -## Do not audit attempts to set the attributes -## on a fonts cache directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` - gen_require(` - type fonts_cache_t; - ') - - dontaudit $1 fonts_cache_t:dir setattr; -') - -######################################## -## -## Create, read, write, and delete fonts cache. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_manage_fonts_cache',` - gen_require(` - type fonts_cache_t; - ') - - files_search_var($1) - - manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t) - manage_files_pattern($1, fonts_cache_t, fonts_cache_t) - manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) -') - -######################################## -## -## Read hardware identification data. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_read_hwdata',` - gen_require(` - type hwdata_t; - ') - - allow $1 hwdata_t:dir list_dir_perms; - read_files_pattern($1, hwdata_t, hwdata_t) - read_lnk_files_pattern($1, hwdata_t, hwdata_t) -') - -######################################## -## -## Allow process to setattr localization info -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_setattr_localization',` - gen_require(` - type locale_t; - ') - - files_search_usr($1) - allow $1 locale_t:dir list_dir_perms; - allow $1 locale_t:file setattr; -') - -######################################## -## -## Allow process to read localization information. -## -## -##

-## Allow the specified domain to read the localization files. -## This is typically for time zone configuration files, such as -## /etc/localtime and files in /usr/share/zoneinfo. -## Typically, any domain which needs to know the GMT/UTC -## offset of the current timezone will need access -## to these files. Generally, it should be safe for any -## domain to read these files. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_read_localization',` - gen_require(` - type locale_t; - ') - - files_read_etc_symlinks($1) - files_search_usr($1) - allow $1 locale_t:dir list_dir_perms; - read_files_pattern($1, locale_t, locale_t) - read_lnk_files_pattern($1, locale_t, locale_t) -') - -######################################## -## -## Allow process to write localization info -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_rw_localization',` - gen_require(` - type locale_t; - ') - - files_search_usr($1) - allow $1 locale_t:dir list_dir_perms; - rw_files_pattern($1, locale_t, locale_t) -') - -######################################## -## -## Allow process to relabel localization info -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_relabel_localization',` - gen_require(` - type locale_t; - ') - - files_search_usr($1) - relabel_files_pattern($1, locale_t, locale_t) -') - -######################################## -## -## Allow process to read legacy time localization info -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_legacy_read_localization',` - gen_require(` - type locale_t; - ') - - miscfiles_read_localization($1) - allow $1 locale_t:file execute; -') - -######################################## -## -## Search man pages. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_search_man_pages',` - gen_require(` - type man_t; - ') - - allow $1 man_t:dir search_dir_perms; - files_search_usr($1) -') - -######################################## -## -## Do not audit attempts to search man pages. -## -## -## -## Domain to not audit. -## -## -# -interface(`miscfiles_dontaudit_search_man_pages',` - gen_require(` - type man_t; - ') - - dontaudit $1 man_t:dir search_dir_perms; -') - -######################################## -## -## Read man pages -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_read_man_pages',` - gen_require(` - type man_t; - ') - - files_search_usr($1) - allow $1 man_t:dir list_dir_perms; - read_files_pattern($1, man_t, man_t) - read_lnk_files_pattern($1, man_t, man_t) -') - -######################################## -## -## Delete man pages -## -## -## -## Domain allowed access. -## -## -# cjp: added for tmpreaper -# -interface(`miscfiles_delete_man_pages',` - gen_require(` - type man_t; - ') - - files_search_usr($1) - - allow $1 man_t:dir setattr; - # RH bug #309351 - allow $1 man_t:dir list_dir_perms; - delete_dirs_pattern($1, man_t, man_t) - delete_files_pattern($1, man_t, man_t) - delete_lnk_files_pattern($1, man_t, man_t) -') - -######################################## -## -## Create, read, write, and delete man pages -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_manage_man_pages',` - gen_require(` - type man_t; - ') - - files_search_usr($1) - manage_dirs_pattern($1, man_t, man_t) - manage_files_pattern($1, man_t, man_t) - read_lnk_files_pattern($1, man_t, man_t) -') - -######################################## -## -## Read public files used for file -## transfer services. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_read_public_files',` - gen_require(` - type public_content_t, public_content_rw_t; - ') - - allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms; - read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t }) - read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t }) -') - -######################################## -## -## Create, read, write, and delete public files -## and directories used for file transfer services. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_manage_public_files',` - gen_require(` - type public_content_rw_t; - ') - - manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t) - manage_files_pattern($1, public_content_rw_t, public_content_rw_t) - manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t) -') - -######################################## -## -## Read TeX data -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_read_tetex_data',` - gen_require(` - type tetex_data_t; - ') - - files_search_var($1) - files_search_var_lib($1) - - # cjp: TeX data can be in either of the above dirs - allow $1 tetex_data_t:dir list_dir_perms; - read_files_pattern($1, tetex_data_t, tetex_data_t) - read_lnk_files_pattern($1, tetex_data_t, tetex_data_t) -') - -######################################## -## -## Execute TeX data programs in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_exec_tetex_data',` - gen_require(` - type fonts_t; - type tetex_data_t; - ') - - files_search_var($1) - files_search_var_lib($1) - - # cjp: TeX data can be in either of the above dirs - allow $1 tetex_data_t:dir list_dir_perms; - exec_files_pattern($1, tetex_data_t, tetex_data_t) -') - -######################################## -## -## Let test files be an entry point for -## a specified domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_domain_entry_test_files',` - gen_require(` - type test_file_t; - ') - - domain_entry_file($1, test_file_t) -') - -######################################## -## -## Read test files and directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_read_test_files',` - gen_require(` - type test_file_t; - ') - - read_files_pattern($1, test_file_t, test_file_t) - read_lnk_files_pattern($1, test_file_t, test_file_t) -') - -######################################## -## -## Execute test files. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_exec_test_files',` - gen_require(` - type test_file_t; - ') - - exec_files_pattern($1, test_file_t, test_file_t) - read_lnk_files_pattern($1, test_file_t, test_file_t) -') - -######################################## -## -## Execute test files. -## -## -## -## Domain allowed access. -## -## -# -interface(`miscfiles_etc_filetrans_localization',` - gen_require(` - type locale_t; - ') - - files_etc_filetrans($1, locale_t, file) - -') - -######################################## -## -## Create, read, write, and delete localization -## -## -## -## Domain allowed access. -## -## -## -# -interface(`miscfiles_manage_localization',` - gen_require(` - type locale_t; - ') - - manage_dirs_pattern($1, locale_t, locale_t) - manage_files_pattern($1, locale_t, locale_t) - manage_lnk_files_pattern($1, locale_t, locale_t) -') - diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te deleted file mode 100644 index 59c70bf..0000000 --- a/policy/modules/system/miscfiles.te +++ /dev/null @@ -1,62 +0,0 @@ -policy_module(miscfiles, 1.8.1) - -######################################## -# -# Declarations -# -attribute cert_type; - -# -# cert_t is the type of files in the system certs directories. -# -type cert_t; -miscfiles_cert_type(cert_t) - -# -# fonts_t is the type of various font -# files in /usr -# -type fonts_t; -files_type(fonts_t) - -type fonts_cache_t; -files_type(fonts_cache_t) - -# -# type for /usr/share/hwdata -# -type hwdata_t; -files_type(hwdata_t) - -# -# locale_t is the type for system localization -# -type locale_t; -files_type(locale_t) - -# -# man_t is the type for the man directories. -# -type man_t alias catman_t; -files_type(man_t) - -# -# Types for public content -# -type public_content_t; #, customizable; -files_type(public_content_t) - -type public_content_rw_t; #, customizable; -files_type(public_content_rw_t) - -# -# Base type for the tests directory. -# -type test_file_t; -files_type(test_file_t) - -# -# for /var/{spool,lib}/texmf index files -# -type tetex_data_t; -files_tmp_file(tetex_data_t) diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc deleted file mode 100644 index 532181a..0000000 --- a/policy/modules/system/modutils.fc +++ /dev/null @@ -1,24 +0,0 @@ - -/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) -/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) -/etc/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0) - -ifdef(`distro_gentoo',` -# gentoo init scripts still manage this file -# even if devfs is off -/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0) -') - -/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) -/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) - -/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) -/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) - -/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) -/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) -/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) -/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0) -/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0) -/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) -/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if deleted file mode 100644 index def8d5a..0000000 --- a/policy/modules/system/modutils.if +++ /dev/null @@ -1,357 +0,0 @@ -## Policy for kernel module utilities - -###################################### -## -## Getattr the dependencies of kernel modules. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_getattr_module_deps',` - gen_require(` - type modules_dep_t; - ') - - getattr_files_pattern($1, modules_object_t, modules_dep_t) -') - -######################################## -## -## Read the dependencies of kernel modules. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_read_module_deps',` - gen_require(` - type modules_dep_t; - ') - - files_list_kernel_modules($1) - allow $1 modules_dep_t:file read_file_perms; -') - -######################################## -## -## list the configuration options used when -## loading modules. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`modutils_list_module_config',` - gen_require(` - type modules_conf_t; - ') - - list_dirs_pattern($1, modules_conf_t, modules_conf_t) -') - -######################################## -## -## Read the configuration options used when -## loading modules. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`modutils_read_module_config',` - gen_require(` - type modules_conf_t; - ') - - # This file type can be in /etc or - # /lib(64)?/modules - files_search_etc($1) - files_search_boot($1) - - read_files_pattern($1, modules_conf_t, modules_conf_t) - read_lnk_files_pattern($1, modules_conf_t, modules_conf_t) -') - -######################################## -## -## Rename a file with the configuration options used when -## loading modules. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_rename_module_config',` - gen_require(` - type modules_conf_t; - ') - - rename_files_pattern($1, modules_conf_t, modules_conf_t) -') - -######################################## -## -## Unlink a file with the configuration options used when -## loading modules. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_delete_module_config',` - gen_require(` - type modules_conf_t; - ') - - delete_files_pattern($1, modules_conf_t, modules_conf_t) -') - -######################################## -## -## Manage files with the configuration options used when -## loading modules. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_manage_module_config',` - gen_require(` - type modules_conf_t; - ') - - manage_files_pattern($1, modules_conf_t, modules_conf_t) -') - -######################################## -## -## Unconditionally execute insmod in the insmod domain. -## -## -## -## Domain allowed to transition. -## -## -# -# cjp: this is added for pppd, due to nested -# conditionals not working. -interface(`modutils_domtrans_insmod_uncond',` - gen_require(` - type insmod_t, insmod_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, insmod_exec_t, insmod_t) -') - -######################################## -## -## Execute insmod in the insmod domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`modutils_domtrans_insmod',` - gen_require(` - bool secure_mode_insmod; - ') - - if (!secure_mode_insmod) { - modutils_domtrans_insmod_uncond($1) - } -') - -######################################## -## -## Execute insmod in the insmod domain, and -## allow the specified role the insmod domain, -## and use the caller's terminal. Has a sigchld -## backchannel. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`modutils_run_insmod',` - gen_require(` - type insmod_t; - ') - - modutils_domtrans_insmod($1) - role $2 types insmod_t; -') - -######################################## -## -## Execute insmod in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_exec_insmod',` - gen_require(` - type insmod_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, insmod_exec_t) -') - -######################################## -## -## Execute depmod in the depmod domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`modutils_domtrans_depmod',` - gen_require(` - type depmod_t, depmod_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, depmod_exec_t, depmod_t) -') - -######################################## -## -## Execute depmod in the depmod domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`modutils_run_depmod',` - gen_require(` - type depmod_t, insmod_t; - ') - - modutils_domtrans_depmod($1) - role $2 types depmod_t; -') - -######################################## -## -## Execute depmod in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_exec_depmod',` - gen_require(` - type depmod_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, depmod_exec_t) -') - -######################################## -## -## Execute depmod in the depmod domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`modutils_domtrans_update_mods',` - gen_require(` - type update_modules_t, update_modules_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, update_modules_exec_t, update_modules_t) -') - -######################################## -## -## Execute update_modules in the update_modules domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`modutils_run_update_mods',` - gen_require(` - type update_modules_t; - ') - - modutils_domtrans_update_mods($1) - role $2 types update_modules_t; - - modutils_run_insmod(update_modules_t, $2) -') - -######################################## -## -## Execute update_modules in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_exec_update_mods',` - gen_require(` - type update_modules_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, update_modules_exec_t) -') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te deleted file mode 100644 index 9abf3b1..0000000 --- a/policy/modules/system/modutils.te +++ /dev/null @@ -1,340 +0,0 @@ -policy_module(modutils, 1.10.0) - -gen_require(` - bool secure_mode_insmod; -') - -######################################## -# -# Declarations -# - -type depmod_t; -type depmod_exec_t; -init_system_domain(depmod_t, depmod_exec_t) -role system_r types depmod_t; - -type insmod_t; -type insmod_exec_t; -application_domain(insmod_t, insmod_exec_t) -mls_file_write_all_levels(insmod_t) -mls_process_write_down(insmod_t) -role system_r types insmod_t; - -# module loading config -type modules_conf_t; -files_type(modules_conf_t) - -# module dependencies -type modules_dep_t; -files_type(modules_dep_t) - -type update_modules_t; -type update_modules_exec_t; -init_system_domain(update_modules_t, update_modules_exec_t) -role system_r types update_modules_t; - -type update_modules_tmp_t; -files_tmp_file(update_modules_tmp_t) - -######################################## -# -# depmod local policy -# - -can_exec(depmod_t, depmod_exec_t) - -# Read conf.modules. -read_files_pattern(depmod_t, modules_conf_t, modules_conf_t) - -allow depmod_t modules_dep_t:file manage_file_perms; -files_kernel_modules_filetrans(depmod_t, modules_dep_t, file) - -kernel_read_system_state(depmod_t) - -corecmd_search_bin(depmod_t) - -domain_use_interactive_fds(depmod_t) - -files_delete_kernel_modules(depmod_t) -files_read_kernel_symbol_table(depmod_t) -files_read_kernel_modules(depmod_t) -files_read_etc_runtime_files(depmod_t) -files_read_etc_files(depmod_t) -files_read_usr_src_files(depmod_t) -files_list_usr(depmod_t) -files_append_var_files(depmod_t) -files_read_boot_files(depmod_t) - -fs_getattr_xattr_fs(depmod_t) - -term_use_console(depmod_t) - -init_use_fds(depmod_t) -init_use_script_fds(depmod_t) -init_use_script_ptys(depmod_t) - -userdom_use_user_terminals(depmod_t) -# Read System.map from home directories. -files_list_home(depmod_t) -userdom_read_user_home_content_files(depmod_t) -userdom_manage_user_tmp_files(depmod_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(depmod_t) - ') -') - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(depmod_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(depmod_t) -') - -optional_policy(` - rpm_rw_pipes(depmod_t) - rpm_manage_script_tmp_files(depmod_t) -') - -optional_policy(` - # Read System.map from home directories. - unconfined_domain(depmod_t) -') - -######################################## -# -# insmod local policy -# - -allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; -allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; - -allow insmod_t self:udp_socket create_socket_perms; -allow insmod_t self:rawip_socket create_socket_perms; - -# Read module config and dependency information -list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) -list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) -read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) - -can_exec(insmod_t, insmod_exec_t) - -kernel_load_module(insmod_t) -kernel_read_system_state(insmod_t) -kernel_read_network_state(insmod_t) -kernel_write_proc_files(insmod_t) -kernel_mount_debugfs(insmod_t) -kernel_mount_kvmfs(insmod_t) -kernel_read_debugfs(insmod_t) -kernel_request_load_module(insmod_t) -# Rules for /proc/sys/kernel/tainted -kernel_read_kernel_sysctls(insmod_t) -kernel_rw_kernel_sysctl(insmod_t) -kernel_read_hotplug_sysctls(insmod_t) -kernel_setsched(insmod_t) - -corecmd_exec_bin(insmod_t) -corecmd_exec_shell(insmod_t) - -dev_rw_sysfs(insmod_t) -dev_search_usbfs(insmod_t) -dev_rw_mtrr(insmod_t) -dev_read_urand(insmod_t) -dev_rw_agp(insmod_t) -dev_read_sound(insmod_t) -dev_write_sound(insmod_t) -dev_rw_apm_bios(insmod_t) -dev_create_generic_chr_files(insmod_t) - -domain_signal_all_domains(insmod_t) -domain_use_interactive_fds(insmod_t) - -files_read_kernel_modules(insmod_t) -files_read_etc_runtime_files(insmod_t) -files_read_etc_files(insmod_t) -files_read_usr_files(insmod_t) -files_exec_etc_files(insmod_t) -# for nscd: -files_dontaudit_search_pids(insmod_t) -# for when /var is not mounted early in the boot: -files_dontaudit_search_isid_type_dirs(insmod_t) -# for locking: (cjp: ????) -files_write_kernel_modules(insmod_t) - -fs_getattr_xattr_fs(insmod_t) -fs_dontaudit_use_tmpfs_chr_dev(insmod_t) -fs_mount_rpc_pipefs(insmod_t) -fs_search_rpc(insmod_t) - -init_rw_initctl(insmod_t) -init_use_fds(insmod_t) -init_use_script_fds(insmod_t) -init_use_script_ptys(insmod_t) -init_spec_domtrans_script(insmod_t) -init_rw_script_tmp_files(insmod_t) - -logging_send_syslog_msg(insmod_t) -logging_search_logs(insmod_t) - -miscfiles_read_localization(insmod_t) - -seutil_read_file_contexts(insmod_t) - -term_use_all_terms(insmod_t) -userdom_dontaudit_search_user_home_dirs(insmod_t) - -if( ! secure_mode_insmod ) { - kernel_domtrans_to(insmod_t, insmod_exec_t) -} - -optional_policy(` - alsa_domtrans(insmod_t) -') - -optional_policy(` - firstboot_dontaudit_rw_pipes(insmod_t) - firstboot_dontaudit_rw_stream_sockets(insmod_t) -') - -optional_policy(` - firewallgui_dontaudit_rw_pipes(insmod_t) -') - -optional_policy(` - hal_write_log(insmod_t) -') - -optional_policy(` - hotplug_search_config(insmod_t) -') - -optional_policy(` - mount_domtrans(insmod_t) -') - -optional_policy(` - nis_use_ypbind(insmod_t) -') - -optional_policy(` - nscd_socket_use(insmod_t) -') - -optional_policy(` - fs_manage_ramfs_files(insmod_t) - - rhgb_use_fds(insmod_t) - rhgb_dontaudit_use_ptys(insmod_t) - - xserver_dontaudit_write_log(insmod_t) - xserver_stream_connect(insmod_t) - xserver_dontaudit_rw_stream_sockets(insmod_t) - - ifdef(`hide_broken_symptoms',` - xserver_dontaudit_rw_tcp_sockets(insmod_t) - ') -') - -optional_policy(` - rpm_rw_pipes(insmod_t) -') - -optional_policy(` - unconfined_domain(insmod_t) - unconfined_dontaudit_rw_pipes(insmod_t) -') - -optional_policy(` - virt_dontaudit_write_pipes(insmod_t) -') - -optional_policy(` - # cjp: why is this needed: - dev_rw_xserver_misc(insmod_t) - - xserver_getattr_log(insmod_t) -') - -################################# -# -# update-modules local policy -# - -allow update_modules_t self:fifo_file rw_fifo_file_perms; - -allow update_modules_t modules_dep_t:file rw_file_perms; - -can_exec(update_modules_t, insmod_exec_t) -can_exec(update_modules_t, update_modules_exec_t) - -# manage module loading configuration -manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t) -files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file) -files_etc_filetrans(update_modules_t, modules_conf_t, file) - -# transition to depmod -domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t) -allow update_modules_t depmod_t:fd use; -allow depmod_t update_modules_t:fd use; -allow depmod_t update_modules_t:fifo_file rw_file_perms; -allow depmod_t update_modules_t:process sigchld; - -manage_dirs_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t) -manage_files_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t) -files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(update_modules_t) -kernel_read_system_state(update_modules_t) - -corecmd_exec_bin(update_modules_t) -corecmd_exec_shell(update_modules_t) - -dev_read_urand(update_modules_t) - -domain_use_interactive_fds(update_modules_t) - -files_read_etc_runtime_files(update_modules_t) -files_read_etc_files(update_modules_t) -files_exec_etc_files(update_modules_t) - -fs_getattr_xattr_fs(update_modules_t) - -term_use_console(update_modules_t) - -init_use_fds(update_modules_t) -init_use_script_fds(update_modules_t) -init_use_script_ptys(update_modules_t) - -logging_send_syslog_msg(update_modules_t) - -miscfiles_read_localization(update_modules_t) - -userdom_use_user_terminals(update_modules_t) -userdom_dontaudit_search_user_home_dirs(update_modules_t) - -ifdef(`distro_gentoo',` - files_search_pids(update_modules_t) - files_getattr_usr_src_files(update_modules_t) - files_list_isid_type_dirs(update_modules_t) # /var - - # update-modules on Gentoo throws errors when run because it - # sources /etc/init.d/functions.sh, which always scans - # /var/lib/init.d to set SOFTLEVEL environment var. - # This is never used by update-modules. - files_dontaudit_search_var_lib(update_modules_t) - init_dontaudit_read_script_status_files(update_modules_t) - - optional_policy(` - consoletype_exec(update_modules_t) - ') -') - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(update_modules_t) - ') -') diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc deleted file mode 100644 index e3d06fd..0000000 --- a/policy/modules/system/mount.fc +++ /dev/null @@ -1,10 +0,0 @@ -/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) -/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) -/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0) - -/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if deleted file mode 100644 index 3490497..0000000 --- a/policy/modules/system/mount.if +++ /dev/null @@ -1,340 +0,0 @@ -## Policy for mount. - -######################################## -## -## Execute mount in the mount domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mount_domtrans',` - gen_require(` - type mount_t, mount_exec_t; - ') - - domtrans_pattern($1, mount_exec_t, mount_t) - mount_domtrans_fusermount($1) - -ifdef(`hide_broken_symptoms', ` - dontaudit mount_t $1:unix_stream_socket { read write }; - dontaudit mount_t $1:tcp_socket { read write }; - dontaudit mount_t $1:udp_socket { read write }; -') - -') - -######################################## -## -## Execute mount in the mount domain, and -## allow the specified role the mount domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`mount_run',` - gen_require(` - type mount_t; - ') - - mount_domtrans($1) - role $2 types mount_t; - - optional_policy(` - fstools_run(mount_t, $2) - ') - - # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 - optional_policy(` - lvm_run(mount_t, $2) - ') - - optional_policy(` - modutils_run_insmod(mount_t, $2) - ') - - optional_policy(` - rpc_run_rpcd(mount_t, $2) - ') - - optional_policy(` - samba_run_smbmount(mount_t, $2) - ') -') - -######################################## -## -## Execute fusermount in the mount domain, and -## allow the specified role the mount domain, -## and use the caller's terminal. -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed the mount domain. -## -## -## -# -interface(`mount_run_fusermount',` - gen_require(` - type mount_t; - ') - - mount_domtrans_fusermount($1) - role $2 types mount_t; - - fstools_run(mount_t, $2) -') - -######################################## -## -## Execute mount in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`mount_exec',` - gen_require(` - type mount_exec_t; - ') - - # cjp: this should be removed: - allow $1 mount_exec_t:dir list_dir_perms; - - allow $1 mount_exec_t:lnk_file read_lnk_file_perms; - can_exec($1, mount_exec_t) -') - -######################################## -## -## Send a generic signal to mount. -## -## -## -## Domain allowed access. -## -## -# -interface(`mount_signal',` - gen_require(` - type mount_t; - type unconfined_mount_t; - ') - - allow $1 mount_t:process signal; - allow $1 unconfined_mount_t:process signal; -') - -######################################## -## -## Use file descriptors for mount. -## -## -## -## Domain allowed access. -## -## -# -interface(`mount_use_fds',` - gen_require(` - type mount_t; - ') - - allow $1 mount_t:fd use; -') - -######################################## -## -## Allow the mount domain to send nfs requests for mounting -## network drives -## -## -##

-## Allow the mount domain to send nfs requests for mounting -## network drives -##

-##

-## This interface has been deprecated as these rules were -## a side effect of leaked mount file descriptors. This -## interface has no effect. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`mount_send_nfs_client_request',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Execute mount in the unconfined mount domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mount_domtrans_unconfined',` - gen_require(` - type unconfined_mount_t, mount_exec_t; - ') - - domtrans_pattern($1, mount_exec_t, unconfined_mount_t) -') - -######################################## -## -## Execute mount in the unconfined mount domain, and -## allow the specified role the unconfined mount domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`mount_run_unconfined',` - gen_require(` - type unconfined_mount_t; - ') - - mount_domtrans_unconfined($1) - role $2 types unconfined_mount_t; - - optional_policy(` - rpc_run_rpcd(unconfined_mount_t, $2) - ') - - optional_policy(` - samba_run_smbmount(unconfined_mount_t, $2) - ') -') - -######################################## -## -## Execute fusermount in the mount domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`mount_domtrans_fusermount',` - gen_require(` - type mount_t, fusermount_exec_t; - ') - - domtrans_pattern($1, fusermount_exec_t, mount_t) -') - -######################################## -## -## Execute fusermount. -## -## -## -## Domain allowed access. -## -## -# -interface(`mount_exec_fusermount',` - gen_require(` - type fusermount_exec_t; - ') - - can_exec($1, fusermount_exec_t) -') - -######################################## -## -## dontaudit Execute fusermount. -## -## -## -## Domain allowed access. -## -## -# -interface(`mount_dontaudit_exec_fusermount',` - gen_require(` - type fusermount_exec_t; - ') - - dontaudit $1 fusermount_exec_t:file exec_file_perms; -') - -###################################### -## -## Execute a domain transition to run showmount. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mount_domtrans_showmount',` - gen_require(` - type showmount_t, showmount_exec_t; - ') - - domtrans_pattern($1, showmount_exec_t, showmount_t) -') - -###################################### -## -## Execute showmount in the showmount domain, and -## allow the specified role the showmount domain. -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the showmount domain. -## -## -# -interface(`mount_run_showmount',` - gen_require(` - type showmount_t; - ') - - mount_domtrans_showmount($1) - role $2 types showmount_t; -') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te deleted file mode 100644 index 8848e14..0000000 --- a/policy/modules/system/mount.te +++ /dev/null @@ -1,351 +0,0 @@ -policy_module(mount, 1.11.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow the mount command to mount any directory or file. -##

-##
-gen_tunable(allow_mount_anyfile, false) - -type mount_t; -type mount_exec_t; -init_system_domain(mount_t, mount_exec_t) -role system_r types mount_t; - -type fusermount_exec_t; -domain_entry_file(mount_t, fusermount_exec_t) - -typealias mount_t alias mount_ntfs_t; -typealias mount_exec_t alias mount_ntfs_exec_t; - -type mount_loopback_t; # customizable -files_type(mount_loopback_t) -typealias mount_loopback_t alias mount_loop_t; - -type mount_tmp_t; -files_tmp_file(mount_tmp_t) - -# causes problems with interfaces when -# this is optionally declared in monolithic -# policy--duplicate type declaration -type unconfined_mount_t; -application_domain(unconfined_mount_t, mount_exec_t) -role system_r types unconfined_mount_t; - -type mount_var_run_t; -files_pid_file(mount_var_run_t) - -# showmount - show mount information for an NFS server - -type showmount_t; -type showmount_exec_t; -application_domain(showmount_t, showmount_exec_t) -role system_r types showmount_t; - -######################################## -# -# mount local policy -# - -# setuid/setgid needed to mount cifs -allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; -allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal }; -allow mount_t self:fifo_file rw_fifo_file_perms; -allow mount_t self:unix_stream_socket create_stream_socket_perms; -allow mount_t self:unix_dgram_socket create_socket_perms; - -allow mount_t mount_loopback_t:file read_file_perms; - -allow mount_t mount_tmp_t:file manage_file_perms; -allow mount_t mount_tmp_t:dir manage_dir_perms; - -can_exec(mount_t, mount_exec_t) - -files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) - -manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) -manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) -files_pid_filetrans(mount_t,mount_var_run_t,dir) -files_var_filetrans(mount_t,mount_var_run_t,dir) - -# In order to mount reiserfs_t -kernel_dontaudit_getattr_core_if(mount_t) -kernel_list_unlabeled(mount_t) -kernel_mount_unlabeled(mount_t) -kernel_unmount_unlabeled(mount_t) -kernel_read_system_state(mount_t) -kernel_read_network_state(mount_t) -kernel_read_kernel_sysctls(mount_t) -kernel_manage_debugfs(mount_t) -kernel_setsched(mount_t) -kernel_use_fds(mount_t) -kernel_request_load_module(mount_t) - -# required for mount.smbfs -corecmd_exec_bin(mount_t) - -dev_getattr_generic_blk_files(mount_t) -dev_getattr_all_blk_files(mount_t) -dev_list_all_dev_nodes(mount_t) -dev_read_usbfs(mount_t) -dev_read_rand(mount_t) -dev_read_sysfs(mount_t) -dev_rw_lvm_control(mount_t) -dev_dontaudit_getattr_all_chr_files(mount_t) -dev_dontaudit_getattr_memory_dev(mount_t) -dev_getattr_sound_dev(mount_t) -ifdef(`hide_broken_symptoms',` - dev_rw_generic_blk_files(mount_t) -') -# Early devtmpfs, before udev relabel -dev_dontaudit_rw_generic_chr_files(mount_t) - -domain_use_interactive_fds(mount_t) -domain_dontaudit_search_all_domains_state(mount_t) - -files_search_all(mount_t) -files_read_etc_files(mount_t) -files_manage_etc_runtime_files(mount_t) -files_etc_filetrans_etc_runtime(mount_t, file) -# for when /etc/mtab loses its type -files_delete_etc_files(mount_t) -files_mounton_all_mountpoints(mount_t) -# ntfs-3g checks whether the mountpoint is writable before mounting -files_write_all_mountpoints(mount_t) -files_unmount_rootfs(mount_t) - -# These rules need to be generalized. Only admin, initrc should have it: -files_relabel_all_file_type_fs(mount_t) -files_mount_all_file_type_fs(mount_t) -files_unmount_all_file_type_fs(mount_t) -files_read_isid_type_files(mount_t) -# For reading cert files -files_read_usr_files(mount_t) -files_list_mnt(mount_t) - -fs_list_all(mount_t) -fs_getattr_all_fs(mount_t) -fs_mount_all_fs(mount_t) -fs_unmount_all_fs(mount_t) -fs_remount_all_fs(mount_t) -fs_relabelfrom_all_fs(mount_t) -fs_rw_anon_inodefs_files(mount_t) -fs_rw_tmpfs_chr_files(mount_t) -fs_rw_nfsd_fs(mount_t) -fs_manage_tmpfs_dirs(mount_t) -fs_read_tmpfs_symlinks(mount_t) -fs_read_fusefs_files(mount_t) -fs_manage_nfs_dirs(mount_t) -fs_read_nfs_symlinks(mount_t) -fs_manage_cgroup_dirs(mount_t) -fs_manage_cgroup_files(mount_t) - -mls_file_read_all_levels(mount_t) -mls_file_write_all_levels(mount_t) - -selinux_get_enforce_mode(mount_t) -selinux_dontaudit_write_fs(mount_t) - -storage_raw_read_fixed_disk(mount_t) -storage_raw_write_fixed_disk(mount_t) -storage_raw_read_removable_device(mount_t) -storage_raw_write_removable_device(mount_t) -storage_rw_fuse(mount_t) - -term_use_all_terms(mount_t) - -auth_use_nsswitch(mount_t) - -init_use_fds(mount_t) -init_use_script_ptys(mount_t) -init_dontaudit_getattr_initctl(mount_t) -init_stream_connect_script(mount_t) -init_rw_script_stream_sockets(mount_t) - -logging_send_syslog_msg(mount_t) - -miscfiles_read_localization(mount_t) - -sysnet_use_portmap(mount_t) - -seutil_read_config(mount_t) - -userdom_use_all_users_fds(mount_t) -userdom_manage_user_home_content_dirs(mount_t) -userdom_read_user_home_content_symlinks(mount_t) - -optional_policy(` - abrt_rw_fifo_file(mount_t) -') - -ifdef(`distro_redhat',` - optional_policy(` - auth_read_pam_console_data(mount_t) - # mount config by default sets fscontext=removable_t - fs_relabelfrom_dos_fs(mount_t) - ') -') - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(mount_t) - ') -') - -corecmd_exec_shell(mount_t) - -modutils_domtrans_insmod(mount_t) - -fstools_domtrans(mount_t) - -tunable_policy(`allow_mount_anyfile',` - auth_read_all_dirs_except_shadow(mount_t) - auth_read_all_files_except_shadow(mount_t) - files_mounton_non_security(mount_t) - files_rw_all_inherited_files(mount_t) -') - -optional_policy(` - # for nfs - corenet_all_recvfrom_unlabeled(mount_t) - corenet_all_recvfrom_netlabel(mount_t) - corenet_tcp_sendrecv_all_if(mount_t) - corenet_raw_sendrecv_all_if(mount_t) - corenet_udp_sendrecv_all_if(mount_t) - corenet_tcp_sendrecv_all_nodes(mount_t) - corenet_raw_sendrecv_all_nodes(mount_t) - corenet_udp_sendrecv_all_nodes(mount_t) - corenet_tcp_sendrecv_all_ports(mount_t) - corenet_udp_sendrecv_all_ports(mount_t) - corenet_tcp_bind_all_nodes(mount_t) - corenet_udp_bind_all_nodes(mount_t) - corenet_tcp_bind_generic_port(mount_t) - corenet_udp_bind_generic_port(mount_t) - corenet_tcp_bind_reserved_port(mount_t) - corenet_udp_bind_reserved_port(mount_t) - corenet_tcp_bind_all_rpc_ports(mount_t) - corenet_udp_bind_all_rpc_ports(mount_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t) - corenet_dontaudit_udp_bind_all_reserved_ports(mount_t) - corenet_tcp_connect_all_ports(mount_t) - - fs_search_rpc(mount_t) - - rpc_stub(mount_t) - - rpc_domtrans_rpcd(mount_t) -') - -optional_policy(` - apm_use_fds(mount_t) -') - -optional_policy(` - cron_system_entry(mount_t, mount_exec_t) -') - -optional_policy(` - dbus_system_bus_client(mount_t) - - optional_policy(` - hal_dbus_chat(mount_t) - ') -') - - -optional_policy(` - hal_write_log(mount_t) - hal_use_fds(mount_t) - hal_dontaudit_rw_pipes(mount_t) -') - -optional_policy(` - ifdef(`hide_broken_symptoms',` - # for a bug in the X server - rhgb_dontaudit_rw_stream_sockets(mount_t) - term_dontaudit_use_ptmx(mount_t) - ') -') - -optional_policy(` - livecd_rw_tmp_files(mount_t) -') - -# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 -optional_policy(` - lvm_domtrans(mount_t) -') - -# for kernel package installation -optional_policy(` - rpm_rw_pipes(mount_t) - rpm_dontaudit_leaks(mount_t) -') - -optional_policy(` - samba_domtrans_smbmount(mount_t) - samba_read_config(mount_t) -') - -optional_policy(` - ssh_exec(mount_t) -') - -optional_policy(` - usbmuxd_stream_connect(mount_t) -') - -optional_policy(` - vmware_exec_host(mount_t) -') - -######################################## -# -# Unconfined mount local policy -# - -optional_policy(` - unconfined_domain_noaudit(unconfined_mount_t) -') - -optional_policy(` - userdom_unpriv_usertype(unconfined, unconfined_mount_t) - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) -') - -###################################### -# -# showmount local policy -# - -allow showmount_t self:tcp_socket create_stream_socket_perms; -allow showmount_t self:udp_socket create_socket_perms; - -kernel_read_system_state(showmount_t) - -corenet_all_recvfrom_unlabeled(showmount_t) -corenet_all_recvfrom_netlabel(showmount_t) -corenet_tcp_sendrecv_generic_if(showmount_t) -corenet_udp_sendrecv_generic_if(showmount_t) -corenet_tcp_sendrecv_generic_node(showmount_t) -corenet_udp_sendrecv_generic_node(showmount_t) -corenet_tcp_sendrecv_all_ports(showmount_t) -corenet_udp_sendrecv_all_ports(showmount_t) -corenet_tcp_bind_generic_node(showmount_t) -corenet_udp_bind_generic_node(showmount_t) -corenet_tcp_bind_all_rpc_ports(showmount_t) -corenet_udp_bind_all_rpc_ports(showmount_t) -corenet_tcp_connect_all_ports(showmount_t) - -files_read_etc_files(showmount_t) - -miscfiles_read_localization(showmount_t) - -sysnet_dns_name_resolve(showmount_t) - -userdom_use_user_terminals(showmount_t) diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc deleted file mode 100644 index b263a8a..0000000 --- a/policy/modules/system/netlabel.fc +++ /dev/null @@ -1 +0,0 @@ -/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if deleted file mode 100644 index 8cfaa75..0000000 --- a/policy/modules/system/netlabel.if +++ /dev/null @@ -1,46 +0,0 @@ -## NetLabel/CIPSO labeled networking management - -######################################## -## -## Execute netlabel_mgmt in the netlabel_mgmt domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`netlabel_domtrans_mgmt',` - gen_require(` - type netlabel_mgmt_t, netlabel_mgmt_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, netlabel_mgmt_exec_t, netlabel_mgmt_t) -') - -######################################## -## -## Execute netlabel_mgmt in the netlabel_mgmt domain, and -## allow the specified role the netlabel_mgmt domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`netlabel_run_mgmt',` - gen_require(` - type netlabel_mgmt_t; - ') - - netlabel_domtrans_mgmt($1) - role $2 types netlabel_mgmt_t; -') diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te deleted file mode 100644 index cbbda4a..0000000 --- a/policy/modules/system/netlabel.te +++ /dev/null @@ -1,28 +0,0 @@ -policy_module(netlabel, 1.3.0) - -######################################## -# -# Declarations -# - -type netlabel_mgmt_t; -type netlabel_mgmt_exec_t; -application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t) -role system_r types netlabel_mgmt_t; - -######################################## -# -# NetLabel Management Tools Local policy -# - -# modify the network subsystem configuration -allow netlabel_mgmt_t self:capability net_admin; -allow netlabel_mgmt_t self:netlink_socket create_socket_perms; - -kernel_read_network_state(netlabel_mgmt_t) - -files_read_etc_files(netlabel_mgmt_t) - -seutil_use_newrole_fds(netlabel_mgmt_t) - -userdom_use_user_terminals(netlabel_mgmt_t) diff --git a/policy/modules/system/pcmcia.fc b/policy/modules/system/pcmcia.fc deleted file mode 100644 index 9cf0e56..0000000 --- a/policy/modules/system/pcmcia.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0) - -/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0) -/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0) - -/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0) - -/var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0) -/var/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0) diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if deleted file mode 100644 index aef445d..0000000 --- a/policy/modules/system/pcmcia.if +++ /dev/null @@ -1,156 +0,0 @@ -## PCMCIA card management services - -######################################## -## -## PCMCIA stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcmcia_stub',` - gen_require(` - type cardmgr_t; - ') -') - -######################################## -## -## Execute cardmgr in the cardmgr domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pcmcia_domtrans_cardmgr',` - gen_require(` - type cardmgr_t, cardmgr_exec_t; - ') - - domtrans_pattern($1, cardmgr_exec_t, cardmgr_t) -') - -######################################## -## -## Inherit and use file descriptors from cardmgr. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcmcia_use_cardmgr_fds',` - gen_require(` - type cardmgr_t; - ') - - allow $1 cardmgr_t:fd use; -') - -######################################## -## -## Execute cardctl in the cardmgr domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pcmcia_domtrans_cardctl',` - gen_require(` - type cardmgr_t, cardctl_exec_t; - ') - - domtrans_pattern($1, cardctl_exec_t, cardmgr_t) -') - -######################################## -## -## Execute cardmgr in the cardctl domain, and -## allow the specified role the cardmgr domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`pcmcia_run_cardctl',` - gen_require(` - type cardmgr_t; - ') - - pcmcia_domtrans_cardctl($1) - role $2 types cardmgr_t; -') - -######################################## -## -## Read cardmgr pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcmcia_read_pid',` - gen_require(` - type cardmgr_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) -') - -######################################## -## -## Create, read, write, and delete -## cardmgr pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcmcia_manage_pid',` - gen_require(` - type cardmgr_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) -') - -######################################## -## -## Create, read, write, and delete -## cardmgr runtime character nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcmcia_manage_pid_chr_files',` - gen_require(` - type cardmgr_var_run_t; - ') - - files_search_pids($1) - manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) -') diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te deleted file mode 100644 index 4d06ae3..0000000 --- a/policy/modules/system/pcmcia.te +++ /dev/null @@ -1,137 +0,0 @@ -policy_module(pcmcia, 1.6.0) - -######################################## -# -# Declarations -# - -type cardmgr_t; -type cardmgr_exec_t; -init_daemon_domain(cardmgr_t, cardmgr_exec_t) - -# Create symbolic links in /dev. -# cjp: this should probably be eliminated -type cardmgr_lnk_t; -files_type(cardmgr_lnk_t) - -type cardmgr_var_lib_t; -files_type(cardmgr_var_lib_t) - -type cardmgr_var_run_t; -files_pid_file(cardmgr_var_run_t) - -type cardctl_exec_t; -application_domain(cardmgr_t, cardctl_exec_t) - -######################################## -# -# Local policy -# - -# Use capabilities (net_admin for route), setuid for cardctl -allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; -dontaudit cardmgr_t self:capability sys_tty_config; -allow cardmgr_t self:process signal_perms; -allow cardmgr_t self:fifo_file rw_fifo_file_perms; -allow cardmgr_t self:unix_dgram_socket create_socket_perms; -allow cardmgr_t self:unix_stream_socket create_socket_perms; - -allow cardmgr_t cardmgr_lnk_t:lnk_file manage_lnk_file_perms; -dev_filetrans(cardmgr_t, cardmgr_lnk_t, lnk_file) - -# Create stab file -manage_files_pattern(cardmgr_t, cardmgr_var_lib_t, cardmgr_var_lib_t) -files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file) - -allow cardmgr_t cardmgr_var_run_t:file manage_file_perms; -files_pid_filetrans(cardmgr_t, cardmgr_var_run_t, file) - -kernel_read_system_state(cardmgr_t) -kernel_read_kernel_sysctls(cardmgr_t) -kernel_dontaudit_getattr_message_if(cardmgr_t) - -corecmd_exec_all_executables(cardmgr_t) - -dev_read_sysfs(cardmgr_t) -dev_manage_cardmgr_dev(cardmgr_t) -dev_filetrans_cardmgr(cardmgr_t) -dev_getattr_all_chr_files(cardmgr_t) -dev_getattr_all_blk_files(cardmgr_t) -# for SSP -dev_read_urand(cardmgr_t) - -domain_use_interactive_fds(cardmgr_t) -# Read /proc/PID directories for all domains (for fuser). -domain_read_confined_domains_state(cardmgr_t) -domain_getattr_confined_domains(cardmgr_t) -domain_dontaudit_ptrace_confined_domains(cardmgr_t) -# cjp: these look excessive: -domain_dontaudit_getattr_all_pipes(cardmgr_t) -domain_dontaudit_getattr_all_sockets(cardmgr_t) - -files_search_kernel_modules(cardmgr_t) -files_list_usr(cardmgr_t) -files_search_home(cardmgr_t) -files_read_etc_runtime_files(cardmgr_t) -files_exec_etc_files(cardmgr_t) -# for /var/lib/misc/pcmcia-scheme -# would be better to have it in a different type if I knew how it was created.. -files_read_var_lib_files(cardmgr_t) -# cjp: these look excessive: -files_dontaudit_getattr_all_dirs(cardmgr_t) -files_dontaudit_getattr_all_files(cardmgr_t) -files_dontaudit_getattr_all_symlinks(cardmgr_t) -files_dontaudit_getattr_all_pipes(cardmgr_t) -files_dontaudit_getattr_all_sockets(cardmgr_t) - -fs_getattr_all_fs(cardmgr_t) -fs_search_auto_mountpoints(cardmgr_t) - -term_use_unallocated_ttys(cardmgr_t) -term_getattr_all_ttys(cardmgr_t) -term_dontaudit_getattr_all_ptys(cardmgr_t) - -libs_exec_ld_so(cardmgr_t) -libs_exec_lib_files(cardmgr_t) - -logging_send_syslog_msg(cardmgr_t) - -miscfiles_read_localization(cardmgr_t) - -modutils_domtrans_insmod(cardmgr_t) - -sysnet_domtrans_ifconfig(cardmgr_t) -# for /etc/resolv.conf -sysnet_etc_filetrans_config(cardmgr_t) -sysnet_manage_config(cardmgr_t) - -userdom_use_user_terminals(cardmgr_t) -userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) -userdom_dontaudit_search_user_home_dirs(cardmgr_t) - -optional_policy(` - seutil_dontaudit_read_config(cardmgr_t) - seutil_sigchld_newrole(cardmgr_t) -') - -optional_policy(` - sysnet_domtrans_dhcpc(cardmgr_t) - - sysnet_read_dhcpc_pid(cardmgr_t) - sysnet_delete_dhcpc_pid(cardmgr_t) - sysnet_kill_dhcpc(cardmgr_t) - sysnet_sigchld_dhcpc(cardmgr_t) - sysnet_signal_dhcpc(cardmgr_t) - sysnet_signull_dhcpc(cardmgr_t) - sysnet_sigstop_dhcpc(cardmgr_t) -') - -optional_policy(` - udev_read_db(cardmgr_t) -') - -# Create device files in /tmp. -# cjp: why is this created all over the place? -files_pid_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file }) -files_tmp_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file }) -filetrans_pattern(cardmgr_t, cardmgr_var_run_t, cardmgr_dev_t, { chr_file blk_file }) diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc deleted file mode 100644 index 42d3890..0000000 --- a/policy/modules/system/raid.fc +++ /dev/null @@ -1,7 +0,0 @@ -/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0) -/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) - -/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) - -/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if deleted file mode 100644 index c817fda..0000000 --- a/policy/modules/system/raid.if +++ /dev/null @@ -1,49 +0,0 @@ -## RAID array management tools - -######################################## -## -## Execute software raid tools in the mdadm domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`raid_domtrans_mdadm',` - gen_require(` - type mdadm_t, mdadm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mdadm_exec_t, mdadm_t) -') - -######################################## -## -## Create, read, write, and delete the mdadm pid files. -## -## -##

-## Create, read, write, and delete the mdadm pid files. -##

-##

-## Added for use in the init module. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`raid_manage_mdadm_pid',` - gen_require(` - type mdadm_var_run_t; - ') - - # FIXME: maybe should have a type_transition. not - # clear what this is doing, from the original - # mdadm policy - allow $1 mdadm_var_run_t:file manage_file_perms; -') diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te deleted file mode 100644 index 6500830..0000000 --- a/policy/modules/system/raid.te +++ /dev/null @@ -1,100 +0,0 @@ -policy_module(raid, 1.10.0) - -######################################## -# -# Declarations -# - -type mdadm_t; -type mdadm_exec_t; -init_daemon_domain(mdadm_t, mdadm_exec_t) -role system_r types mdadm_t; - -type mdadm_var_run_t alias mdadm_map_t; -files_pid_file(mdadm_var_run_t) -dev_associate(mdadm_var_run_t) - -######################################## -# -# Local policy -# - -allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; -dontaudit mdadm_t self:capability sys_tty_config; -allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; -allow mdadm_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir }) -dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file }) - -kernel_read_system_state(mdadm_t) -kernel_read_kernel_sysctls(mdadm_t) -kernel_rw_software_raid_state(mdadm_t) -kernel_getattr_core_if(mdadm_t) - -# Helper program access -corecmd_exec_bin(mdadm_t) -corecmd_exec_shell(mdadm_t) - -dev_read_sysfs(mdadm_t) -# Ignore attempts to read every device file -dev_dontaudit_getattr_all_blk_files(mdadm_t) -dev_dontaudit_getattr_all_chr_files(mdadm_t) -dev_dontaudit_getattr_generic_files(mdadm_t) -dev_dontaudit_getattr_generic_chr_files(mdadm_t) -dev_dontaudit_getattr_generic_blk_files(mdadm_t) -dev_read_realtime_clock(mdadm_t) -# unfortunately needed for DMI decoding: -dev_read_raw_memory(mdadm_t) -dev_read_generic_files(mdadm_t) - -domain_use_interactive_fds(mdadm_t) - -files_read_etc_files(mdadm_t) -files_read_etc_runtime_files(mdadm_t) -files_dontaudit_getattr_tmpfs_files(mdadm_t) - -fs_list_hugetlbfs(mdadm_t) -fs_list_auto_mountpoints(mdadm_t) -fs_dontaudit_list_tmpfs(mdadm_t) - -mls_file_read_all_levels(mdadm_t) -mls_file_write_all_levels(mdadm_t) - -# RAID block device access -storage_manage_fixed_disk(mdadm_t) -storage_dev_filetrans_fixed_disk(mdadm_t) -storage_read_scsi_generic(mdadm_t) - -term_dontaudit_list_ptys(mdadm_t) - -init_dontaudit_getattr_initctl(mdadm_t) - -logging_send_syslog_msg(mdadm_t) - -miscfiles_read_localization(mdadm_t) - -userdom_dontaudit_use_unpriv_user_fds(mdadm_t) -userdom_dontaudit_search_user_home_content(mdadm_t) -userdom_dontaudit_use_user_terminals(mdadm_t) - -mta_send_mail(mdadm_t) - -optional_policy(` - gpm_dontaudit_getattr_gpmctl(mdadm_t) -') - -optional_policy(` - seutil_sigchld_newrole(mdadm_t) -') - -optional_policy(` - udev_read_db(mdadm_t) -') - -optional_policy(` - unconfined_domain(mdadm_t) -') diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc deleted file mode 100644 index 9e81136..0000000 --- a/policy/modules/system/selinuxutil.fc +++ /dev/null @@ -1,57 +0,0 @@ -# SELinux userland utilities - -# -# /etc -# -/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) -/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) -/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) -/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) -/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0) -/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) -/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) -/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0) - -# -# /root -# -/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0) - -# -# /sbin -# -/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) -/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) -/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) - -# -# /usr -# -/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0) -/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0) - -/usr/lib(64)?/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) - -/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) -/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) -/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) -/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) -/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) -/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) -/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) -/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) - -# -# /var/run -# -/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) - -# -# /var/lib -# -/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) - -/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if deleted file mode 100644 index bbaa8cf..0000000 --- a/policy/modules/system/selinuxutil.if +++ /dev/null @@ -1,1491 +0,0 @@ -## Policy for SELinux policy and userland applications. - -####################################### -## -## Execute checkpolicy in the checkpolicy domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`seutil_domtrans_checkpolicy',` - gen_require(` - type checkpolicy_t, checkpolicy_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t) -') - -######################################## -## -## Execute checkpolicy in the checkpolicy domain, and -## allow the specified role the checkpolicy domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`seutil_run_checkpolicy',` - gen_require(` - type checkpolicy_t; - ') - - seutil_domtrans_checkpolicy($1) - role $2 types checkpolicy_t; -') - -######################################## -## -## Execute checkpolicy in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_exec_checkpolicy',` - gen_require(` - type checkpolicy_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, checkpolicy_exec_t) -') - -####################################### -## -## Execute load_policy in the load_policy domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`seutil_domtrans_loadpolicy',` - gen_require(` - type load_policy_t, load_policy_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, load_policy_exec_t, load_policy_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit load_policy_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute load_policy in the load_policy domain, and -## allow the specified role the load_policy domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`seutil_run_loadpolicy',` - gen_require(` - type load_policy_t; - ') - - seutil_domtrans_loadpolicy($1) - role $2 types load_policy_t; -') - -######################################## -## -## Execute load_policy in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_exec_loadpolicy',` - gen_require(` - type load_policy_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, load_policy_exec_t) -') - -######################################## -## -## Read the load_policy program file. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_read_loadpolicy',` - gen_require(` - type load_policy_exec_t; - ') - - corecmd_search_bin($1) - allow $1 load_policy_exec_t:file read_file_perms; -') - -####################################### -## -## Execute newrole in the newole domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`seutil_domtrans_newrole',` - gen_require(` - type newrole_t, newrole_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, newrole_exec_t, newrole_t) -') - -######################################## -## -## Execute newrole in the newrole domain, and -## allow the specified role the newrole domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`seutil_run_newrole',` - gen_require(` - type newrole_t; - ') - - seutil_domtrans_newrole($1) - role $2 types newrole_t; - - auth_run_upd_passwd(newrole_t, $2) -') - -######################################## -## -## Execute newrole in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_exec_newrole',` - gen_require(` - type newrole_t, newrole_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, newrole_exec_t) -') - -######################################## -## -## Do not audit the caller attempts to send -## a signal to newrole. -## -## -## -## Domain to not audit. -## -## -# -interface(`seutil_dontaudit_signal_newrole',` - gen_require(` - type newrole_t; - ') - - dontaudit $1 newrole_t:process signal; -') - -######################################## -## -## Send a SIGCHLD signal to newrole. -## -## -##

-## Allow the specified domain to send a SIGCHLD -## signal to newrole. This signal is automatically -## sent from a process that is terminating to -## its parent. This may be needed by domains -## that are executed from newrole. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_sigchld_newrole',` - gen_require(` - type newrole_t; - ') - - allow $1 newrole_t:process sigchld; -') - -######################################## -## -## Inherit and use newrole file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_use_newrole_fds',` - gen_require(` - type newrole_t; - ') - - allow $1 newrole_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit and use -## newrole file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`seutil_dontaudit_use_newrole_fds',` - gen_require(` - type newrole_t; - ') - - dontaudit $1 newrole_t:fd use; -') - -####################################### -## -## Execute restorecon in the restorecon domain. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -# -interface(`seutil_domtrans_restorecon',` - refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.') - seutil_domtrans_setfiles($1) -') - -######################################## -## -## Execute restorecon in the restorecon domain, and -## allow the specified role the restorecon domain, -## and use the caller's terminal. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`seutil_run_restorecon',` - refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.') - seutil_run_setfiles($1,$2) -') - -######################################## -## -## Execute restorecon in the caller domain. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_exec_restorecon',` - refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.') - seutil_exec_setfiles($1) -') - -######################################## -## -## Execute restorecond in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_exec_restorecond',` - gen_require(` - type restorecond_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, restorecond_exec_t) -') - -######################################## -## -## Execute run_init in the run_init domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`seutil_domtrans_runinit',` - gen_require(` - type run_init_t, run_init_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, run_init_exec_t, run_init_t) -') - -######################################## -## -## Execute init scripts in the run_init domain. -## -## -##

-## Execute init scripts in the run_init domain. -## This is used for the Gentoo integrated run_init. -##

-##
-## -## -## Domain allowed to transition. -## -## -# -interface(`seutil_init_script_domtrans_runinit',` - gen_require(` - type run_init_t; - ') - - init_script_file_domtrans($1, run_init_t) - - allow run_init_t $1:fd use; - allow run_init_t $1:fifo_file rw_file_perms; - allow run_init_t $1:process sigchld; -') - -######################################## -## -## Execute run_init in the run_init domain, and -## allow the specified role the run_init domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`seutil_run_runinit',` - gen_require(` - type run_init_t; - role system_r; - ') - - auth_run_chk_passwd(run_init_t, $2) - seutil_domtrans_runinit($1) - role $2 types run_init_t; - - allow $2 system_r; -') - -######################################## -## -## Execute init scripts in the run_init domain, and -## allow the specified role the run_init domain, -## and use the caller's terminal. -## -## -##

-## Execute init scripts in the run_init domain, and -## allow the specified role the run_init domain, -## and use the caller's terminal. -##

-##

-## This is used for the Gentoo integrated run_init. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`seutil_init_script_run_runinit',` - gen_require(` - type run_init_t; - role system_r; - ') - - auth_run_chk_passwd(run_init_t, $2) - seutil_init_script_domtrans_runinit($1) - role $2 types run_init_t; - - allow $2 system_r; -') - -######################################## -## -## Inherit and use run_init file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_use_runinit_fds',` - gen_require(` - type run_init_t; - ') - - allow $1 run_init_t:fd use; -') - -######################################## -## -## Execute setfiles in the setfiles domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`seutil_domtrans_setfiles',` - gen_require(` - type setfiles_t, setfiles_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, setfiles_exec_t, setfiles_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit setfiles_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute setfiles in the setfiles domain, and -## allow the specified role the setfiles domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`seutil_run_setfiles',` - gen_require(` - type setfiles_t; - ') - - seutil_domtrans_setfiles($1) - role $2 types setfiles_t; -') - -######################################## -## -## Execute setfiles in the setfiles domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_domtrans_setfiles_mac',` - gen_require(` - type setfiles_mac_t, setfiles_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) -') - -######################################## -## -## Execute setfiles in the setfiles_mac domain, and -## allow the specified role the setfiles_mac domain, -## and use the caller's terminal. -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed the setfiles_mac domain. -## -## -## -# -interface(`seutil_run_setfiles_mac',` - gen_require(` - type setfiles_mac_t; - ') - - seutil_domtrans_setfiles_mac($1) - role $2 types setfiles_mac_t; -') - -######################################## -## -## Execute setfiles in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_exec_setfiles',` - gen_require(` - type setfiles_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, setfiles_exec_t) -') - -######################################## -## -## Do not audit attempts to search the SELinux -## configuration directory (/etc/selinux). -## -## -## -## Domain to not audit. -## -## -# -interface(`seutil_dontaudit_search_config',` - gen_require(` - type selinux_config_t; - ') - - dontaudit $1 selinux_config_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to read the SELinux -## userland configuration (/etc/selinux). -## -## -## -## Domain to not audit. -## -## -# -interface(`seutil_dontaudit_read_config',` - gen_require(` - type selinux_config_t; - ') - - dontaudit $1 selinux_config_t:dir search_dir_perms; - dontaudit $1 selinux_config_t:file read_file_perms; -') - -######################################## -## -## Read the general SELinux configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_read_config',` - gen_require(` - type selinux_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir list_dir_perms; - read_files_pattern($1, selinux_config_t, selinux_config_t) - read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) -') - -######################################## -## -## Read and write the general SELinux configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_rw_config',` - gen_require(` - type selinux_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir list_dir_perms; - rw_files_pattern($1, selinux_config_t, selinux_config_t) -') - -####################################### -## -## Create, read, write, and delete -## the general selinux configuration files. (Deprecated) -## -## -##

-## Create, read, write, and delete -## the general selinux configuration files. -##

-##

-## This interface has been deprecated, please -## use the seutil_manage_config() interface instead. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_manage_selinux_config',` - refpolicywarn(`$0($*) has been deprecated. Please use seutil_manage_config() instead.') - seutil_manage_config($1) -') - -####################################### -## -## Create, read, write, and delete -## the general selinux configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_manage_config',` - gen_require(` - type selinux_config_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, selinux_config_t, selinux_config_t) - manage_files_pattern($1, selinux_config_t, selinux_config_t) - read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) -') - -####################################### -## -## Create, read, write, and delete -## the general selinux configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_manage_config_dirs',` - gen_require(` - type selinux_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir manage_dir_perms; -') - -######################################## -## -## Search the policy directory with default_context files. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_search_default_contexts',` - gen_require(` - type selinux_config_t, default_context_t; - ') - - files_search_etc($1) - search_dirs_pattern($1, selinux_config_t, default_context_t) -') - -######################################## -## -## Read the default_contexts files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_read_default_contexts',` - gen_require(` - type selinux_config_t, default_context_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - allow $1 default_context_t:dir list_dir_perms; - read_files_pattern($1, default_context_t, default_context_t) -') - -######################################## -## -## Create, read, write, and delete the default_contexts files. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_manage_default_contexts',` - gen_require(` - type selinux_config_t, default_context_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - manage_files_pattern($1, default_context_t, default_context_t) -') - -######################################## -## -## Read the file_contexts files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_read_file_contexts',` - gen_require(` - type selinux_config_t, default_context_t, file_context_t; - ') - - files_search_etc($1) - allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; - read_files_pattern($1, file_context_t, file_context_t) -') - -######################################## -## -## Do not audit attempts to read the file_contexts files. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`seutil_dontaudit_read_file_contexts',` - gen_require(` - type selinux_config_t, default_context_t, file_context_t; - ') - - dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; - dontaudit $1 file_context_t:file read_file_perms; -') - -######################################## -## -## Read and write the file_contexts files. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_rw_file_contexts',` - gen_require(` - type selinux_config_t, file_context_t, default_context_t; - ') - - files_search_etc($1) - allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; - rw_files_pattern($1, file_context_t, file_context_t) -') - -######################################## -## -## Create, read, write, and delete the file_contexts files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_manage_file_contexts',` - gen_require(` - type selinux_config_t, file_context_t, default_context_t; - ') - - files_search_etc($1) - allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; - manage_files_pattern($1, file_context_t, file_context_t) -') - -######################################## -## -## Read the SELinux binary policy. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_read_bin_policy',` - gen_require(` - type selinux_config_t, policy_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - read_files_pattern($1, policy_config_t, policy_config_t) -') - -######################################## -## -## Create the SELinux binary policy. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_create_bin_policy',` - gen_require(` -# attribute can_write_binary_policy; - type selinux_config_t, policy_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - create_files_pattern($1, policy_config_t, policy_config_t) - write_files_pattern($1, policy_config_t, policy_config_t) -# typeattribute $1 can_write_binary_policy; -') - -######################################## -## -## Allow the caller to relabel a file to the binary policy type. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_relabelto_bin_policy',` - gen_require(` - attribute can_relabelto_binary_policy; - type policy_config_t; - ') - - allow $1 policy_config_t:file relabelto; - typeattribute $1 can_relabelto_binary_policy; -') - -######################################## -## -## Create, read, write, and delete the SELinux -## binary policy. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_manage_bin_policy',` - gen_require(` - attribute can_write_binary_policy; - type selinux_config_t, policy_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - manage_files_pattern($1, policy_config_t, policy_config_t) - typeattribute $1 can_write_binary_policy; -') - -######################################## -## -## Read SELinux policy source files. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_read_src_policy',` - gen_require(` - type selinux_config_t, policy_src_t; - ') - - files_search_etc($1) - list_dirs_pattern($1, selinux_config_t, policy_src_t) - read_files_pattern($1, policy_src_t, policy_src_t) -') - -######################################## -## -## Create, read, write, and delete SELinux -## policy source files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`seutil_manage_src_policy',` - gen_require(` - type selinux_config_t, policy_src_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - manage_dirs_pattern($1, policy_src_t, policy_src_t) - manage_files_pattern($1, policy_src_t, policy_src_t) -') - -######################################## -## -## Execute a domain transition to run semanage. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`seutil_domtrans_semanage',` - gen_require(` - type semanage_t, semanage_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, semanage_exec_t, semanage_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit semanage_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute a domain transition to run setsebool. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`seutil_domtrans_setsebool',` - gen_require(` - type setsebool_t, setsebool_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, setsebool_exec_t, setsebool_t) -') - -######################################## -## -## Execute semanage in the semanage domain, and -## allow the specified role the semanage domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`seutil_run_semanage',` - gen_require(` - type semanage_t; - ') - - seutil_domtrans_semanage($1) - seutil_run_setfiles(semanage_t, $2) - seutil_run_loadpolicy(semanage_t, $2) - role $2 types semanage_t; -') - -######################################## -## -## Execute setsebool in the semanage domain, and -## allow the specified role the semanage domain, -## and use the caller's terminal. -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed the setsebool domain. -## -## -## -# -interface(`seutil_run_setsebool',` - gen_require(` - type semanage_t; - ') - - seutil_domtrans_setsebool($1) - role $2 types setsebool_t; -') - -######################################## -## -## Full management of the semanage -## module store. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_read_module_store',` - gen_require(` - type selinux_config_t, semanage_store_t; - ') - - files_search_etc($1) - list_dirs_pattern($1, selinux_config_t, semanage_store_t) - read_files_pattern($1, semanage_store_t, semanage_store_t) -') - -######################################## -## -## Full management of the semanage -## module store. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_manage_module_store',` - gen_require(` - type selinux_config_t, semanage_store_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, selinux_config_t, semanage_store_t) - manage_files_pattern($1, semanage_store_t, semanage_store_t) - filetrans_pattern($1, selinux_config_t, semanage_store_t, dir) -') - -####################################### -## -## Get read lock on module store -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_get_semanage_read_lock',` - gen_require(` - type selinux_config_t, semanage_read_lock_t; - ') - - files_search_etc($1) - rw_files_pattern($1, selinux_config_t, semanage_read_lock_t) -') - -####################################### -## -## Get trans lock on module store -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_get_semanage_trans_lock',` - gen_require(` - type selinux_config_t, semanage_trans_lock_t; - ') - - files_search_etc($1) - rw_files_pattern($1, selinux_config_t, semanage_trans_lock_t) -') - -######################################## -## -## SELinux-enabled program access for -## libselinux-linked programs. -## -## -##

-## SELinux-enabled programs are typically -## linked to the libselinux library. This -## interface will allow access required for -## the libselinux constructor to function. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`seutil_libselinux_linked',` - selinux_get_fs_mount($1) - seutil_read_config($1) -') - -######################################## -## -## Do not audit SELinux-enabled program access for -## libselinux-linked programs. -## -## -##

-## SELinux-enabled programs are typically -## linked to the libselinux library. This -## interface will dontaudit access required for -## the libselinux constructor to function. -##

-##

-## Generally this should not be used on anything -## but simple SELinux-enabled programs that do not -## rely on data initialized by the libselinux -## constructor. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`seutil_dontaudit_libselinux_linked',` - selinux_dontaudit_get_fs_mount($1) - seutil_dontaudit_read_config($1) -') - -####################################### -## -## All rules necessary to run semanage command -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_semanage_policy',` - gen_require(` - type semanage_tmp_t; - type policy_config_t; - ') - allow $1 self:capability { dac_override sys_resource }; - dontaudit $1 self:capability sys_tty_config; - allow $1 self:process signal; - allow $1 self:unix_stream_socket create_stream_socket_perms; - allow $1 self:unix_dgram_socket create_socket_perms; - logging_send_audit_msgs($1) - - # Running genhomedircon requires this for finding all users - auth_use_nsswitch($1) - - allow $1 policy_config_t:file { read write }; - - allow $1 semanage_tmp_t:dir manage_dir_perms; - allow $1 semanage_tmp_t:file manage_file_perms; - files_tmp_filetrans($1, semanage_tmp_t, { file dir }) - - kernel_read_system_state($1) - kernel_read_kernel_sysctls($1) - - corecmd_exec_bin($1) - corecmd_exec_shell($1) - - dev_read_urand($1) - - domain_use_interactive_fds($1) - - files_read_etc_files($1) - files_read_etc_runtime_files($1) - files_read_usr_files($1) - files_list_pids($1) - fs_list_inotifyfs($1) - fs_getattr_all_fs($1) - - mls_file_write_all_levels($1) - mls_file_read_all_levels($1) - - selinux_getattr_fs($1) - selinux_validate_context($1) - selinux_get_enforce_mode($1) - - term_use_all_terms($1) - - locallogin_use_fds($1) - - logging_send_syslog_msg($1) - - miscfiles_read_localization($1) - - seutil_search_default_contexts($1) - seutil_domtrans_loadpolicy($1) - seutil_read_config($1) - seutil_manage_bin_policy($1) - seutil_use_newrole_fds($1) - seutil_manage_module_store($1) - seutil_get_semanage_trans_lock($1) - seutil_get_semanage_read_lock($1) - - userdom_dontaudit_write_user_home_content_files($1) - -') - - -####################################### -## -## All rules necessary to run setfiles command -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_setfiles',` - -allow $1 self:capability { dac_override dac_read_search fowner }; -dontaudit $1 self:capability sys_tty_config; -allow $1 self:fifo_file rw_file_perms; -dontaudit $1 self:dir relabelfrom; -dontaudit $1 self:file relabelfrom; -dontaudit $1 self:lnk_file relabelfrom; - - -allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; -allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; -allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; - -logging_send_audit_msgs($1) - -kernel_read_system_state($1) -kernel_relabelfrom_unlabeled_dirs($1) -kernel_relabelfrom_unlabeled_files($1) -kernel_relabelfrom_unlabeled_symlinks($1) -kernel_relabelfrom_unlabeled_pipes($1) -kernel_relabelfrom_unlabeled_sockets($1) -kernel_use_fds($1) -kernel_rw_pipes($1) -kernel_rw_unix_dgram_sockets($1) -kernel_dontaudit_list_all_proc($1) -kernel_read_all_sysctls($1) -kernel_read_network_state_symlinks($1) - -dev_relabel_all_dev_nodes($1) - -domain_use_interactive_fds($1) -domain_read_all_domains_state($1) - -files_read_etc_runtime_files($1) -files_read_etc_files($1) -files_list_all($1) -files_relabel_all_files($1) -files_list_isid_type_dirs($1) -files_read_isid_type_files($1) -files_dontaudit_read_all_symlinks($1) - -fs_getattr_xattr_fs($1) -fs_list_all($1) -fs_getattr_all_files($1) -fs_search_auto_mountpoints($1) -fs_relabelfrom_noxattr_fs($1) - -mls_file_read_all_levels($1) -mls_file_write_all_levels($1) -mls_file_upgrade($1) -mls_file_downgrade($1) - -selinux_validate_context($1) -selinux_compute_access_vector($1) -selinux_compute_create_context($1) -selinux_compute_relabel_context($1) -selinux_compute_user_contexts($1) - -term_use_all_terms($1) - -# this is to satisfy the assertion: -auth_relabelto_shadow($1) - -init_use_fds($1) -init_use_script_fds($1) -init_use_script_ptys($1) -init_exec_script_files($1) - -logging_send_syslog_msg($1) - -miscfiles_read_localization($1) - -seutil_libselinux_linked($1) - -userdom_use_all_users_fds($1) -# for config files in a home directory -userdom_read_user_home_content_files($1) - -ifdef(`distro_debian',` - # udev tmpfs is populated with static device nodes - # and then relabeled afterwards; thus - # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files($1) -') - -ifdef(`distro_redhat',` - fs_rw_tmpfs_chr_files($1) - fs_rw_tmpfs_blk_files($1) - fs_relabel_tmpfs_blk_file($1) - fs_relabel_tmpfs_chr_file($1) -') - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain($1) - ') -') - -optional_policy(` - hotplug_use_fds($1) -') -') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te deleted file mode 100644 index edee963..0000000 --- a/policy/modules/system/selinuxutil.te +++ /dev/null @@ -1,541 +0,0 @@ -policy_module(selinuxutil, 1.14.0) - -gen_require(` - bool secure_mode; -') - -######################################## -# -# Declarations -# - -attribute can_write_binary_policy; -attribute can_relabelto_binary_policy; - -# -# selinux_config_t is the type applied to -# /etc/selinux/config -# -# cjp: this is out of order due to rules -# in the domain_type interface -# (fix dup decl) -type selinux_config_t; -files_type(selinux_config_t) - -type selinux_var_lib_t; -files_type(selinux_var_lib_t) - -type checkpolicy_t, can_write_binary_policy; -type checkpolicy_exec_t; -application_domain(checkpolicy_t, checkpolicy_exec_t) -role system_r types checkpolicy_t; - -# -# default_context_t is the type applied to -# /etc/selinux/*/contexts/* -# -type default_context_t; -files_type(default_context_t) - -# -# file_context_t is the type applied to -# /etc/selinux/*/contexts/files -# -type file_context_t; -files_type(file_context_t) - -type load_policy_t; -type load_policy_exec_t; -application_domain(load_policy_t, load_policy_exec_t) -role system_r types load_policy_t; - -type newrole_t; -type newrole_exec_t; -application_domain(newrole_t, newrole_exec_t) -domain_role_change_exemption(newrole_t) -domain_obj_id_change_exemption(newrole_t) -domain_interactive_fd(newrole_t) - -# -# policy_config_t is the type of /etc/security/selinux/* -# the security server policy configuration. -# -#type policy_config_t; -#files_type(policy_config_t) -typealias semanage_store_t alias policy_config_t; - -neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; -#neverallow ~can_write_binary_policy policy_config_t:file { write append }; - -# -# policy_src_t is the type of the policy source -# files. -# -type policy_src_t; -files_type(policy_src_t) - -type restorecond_t; -type restorecond_exec_t; -init_daemon_domain(restorecond_t, restorecond_exec_t) -domain_obj_id_change_exemption(restorecond_t) - -type restorecond_var_run_t; -files_pid_file(restorecond_var_run_t) - -type run_init_t; -type run_init_exec_t; -application_domain(run_init_t, run_init_exec_t) -domain_system_change_exemption(run_init_t) -role system_r types run_init_t; - -type semanage_t; -type semanage_exec_t; -application_domain(semanage_t, semanage_exec_t) -dbus_system_domain(semanage_t, semanage_exec_t) -domain_interactive_fd(semanage_t) -role system_r types semanage_t; - -type setsebool_t; -type setsebool_exec_t; -init_system_domain(setsebool_t, setsebool_exec_t) - -type semanage_store_t; -files_type(semanage_store_t) - -type semanage_read_lock_t; -files_type(semanage_read_lock_t) - -type semanage_tmp_t; -files_tmp_file(semanage_tmp_t) - -type semanage_trans_lock_t; -files_type(semanage_trans_lock_t) - -type setfiles_t alias restorecon_t, can_relabelto_binary_policy; -type setfiles_exec_t alias restorecon_exec_t; -init_system_domain(setfiles_t, setfiles_exec_t) -domain_obj_id_change_exemption(setfiles_t) - -type setfiles_mac_t; -domain_type(setfiles_mac_t) -domain_entry_file(setfiles_mac_t, setfiles_exec_t) -domain_obj_id_change_exemption(setfiles_mac_t) - -######################################## -# -# Checkpolicy local policy -# - -allow checkpolicy_t self:capability dac_override; - -# able to create and modify binary policy files -manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t) - -# allow test policies to be created in src directories -filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) - -# only allow read of policy source files -read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) -read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) -allow checkpolicy_t selinux_config_t:dir search_dir_perms; - -domain_use_interactive_fds(checkpolicy_t) - -files_list_usr(checkpolicy_t) -# directory search permissions for path to source and binary policy files -files_search_etc(checkpolicy_t) - -fs_getattr_xattr_fs(checkpolicy_t) - -term_use_console(checkpolicy_t) - -init_use_fds(checkpolicy_t) -init_use_script_ptys(checkpolicy_t) - -userdom_use_user_terminals(checkpolicy_t) -userdom_use_all_users_fds(checkpolicy_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(checkpolicy_t) - ') -') - -######################################## -# -# Load_policy local policy -# - -allow load_policy_t self:capability dac_override; - -# only allow read of policy config files -read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t) - -domain_use_interactive_fds(load_policy_t) - -# for mcs.conf -files_read_etc_files(load_policy_t) -files_read_etc_runtime_files(load_policy_t) - -fs_getattr_xattr_fs(load_policy_t) - -mls_file_read_all_levels(load_policy_t) - -selinux_load_policy(load_policy_t) -selinux_set_all_booleans(load_policy_t) - -term_use_console(load_policy_t) -term_list_ptys(load_policy_t) - -init_use_script_fds(load_policy_t) -init_use_script_ptys(load_policy_t) -init_write_script_pipes(load_policy_t) - -miscfiles_read_localization(load_policy_t) - -seutil_libselinux_linked(load_policy_t) - -userdom_use_user_terminals(load_policy_t) -userdom_use_all_users_fds(load_policy_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(load_policy_t) - ') -') - -ifdef(`hide_broken_symptoms',` - # cjp: cover up stray file descriptors. - dontaudit load_policy_t selinux_config_t:file write; - - optional_policy(` - unconfined_dontaudit_read_pipes(load_policy_t) - ') -') - -######################################## -# -# Newrole local policy -# - -allow newrole_t self:capability { fowner setuid setgid dac_override }; -allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; -allow newrole_t self:process setexec; -allow newrole_t self:fd use; -allow newrole_t self:fifo_file rw_fifo_file_perms; -allow newrole_t self:sock_file read_sock_file_perms; -allow newrole_t self:shm create_shm_perms; -allow newrole_t self:sem create_sem_perms; -allow newrole_t self:msgq create_msgq_perms; -allow newrole_t self:msg { send receive }; -allow newrole_t self:unix_dgram_socket sendto; -allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; -logging_send_audit_msgs(newrole_t) - -read_files_pattern(newrole_t, default_context_t, default_context_t) -read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) - -kernel_read_system_state(newrole_t) -kernel_read_kernel_sysctls(newrole_t) - -corecmd_list_bin(newrole_t) -corecmd_read_bin_symlinks(newrole_t) - -dev_read_urand(newrole_t) - -domain_use_interactive_fds(newrole_t) -# for when the user types "exec newrole" at the command line: -domain_sigchld_interactive_fds(newrole_t) - -files_read_etc_files(newrole_t) -files_read_var_files(newrole_t) -files_read_var_symlinks(newrole_t) - -fs_getattr_xattr_fs(newrole_t) -fs_search_auto_mountpoints(newrole_t) - -mls_file_read_all_levels(newrole_t) -mls_file_write_all_levels(newrole_t) -mls_file_upgrade(newrole_t) -mls_file_downgrade(newrole_t) -mls_process_set_level(newrole_t) -mls_fd_share_all_levels(newrole_t) - -selinux_validate_context(newrole_t) -selinux_compute_access_vector(newrole_t) -selinux_compute_create_context(newrole_t) -selinux_compute_relabel_context(newrole_t) -selinux_compute_user_contexts(newrole_t) - -term_use_all_ttys(newrole_t) -term_use_all_ptys(newrole_t) -term_relabel_all_ttys(newrole_t) -term_relabel_all_ptys(newrole_t) -term_getattr_unallocated_ttys(newrole_t) -term_dontaudit_use_unallocated_ttys(newrole_t) - -auth_use_pam(newrole_t) - -# Write to utmp. -init_rw_utmp(newrole_t) -init_use_fds(newrole_t) - -miscfiles_read_localization(newrole_t) - -seutil_libselinux_linked(newrole_t) - -userdom_use_unpriv_users_fds(newrole_t) -# for some PAM modules and for cwd -userdom_dontaudit_search_user_home_content(newrole_t) -userdom_search_user_home_dirs(newrole_t) - -optional_policy(` - xserver_dontaudit_exec_xauth(newrole_t) -') - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(newrole_t) - ') -') - -# if secure mode is enabled, then newrole -# can only transition to unprivileged users -if(secure_mode) { - userdom_spec_domtrans_unpriv_users(newrole_t) -} else { - userdom_spec_domtrans_all_users(newrole_t) -} - -tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all(newrole_t) -') - -######################################## -# -# Restorecond local policy -# - -allow restorecond_t self:capability { dac_override dac_read_search fowner }; -allow restorecond_t self:fifo_file rw_fifo_file_perms; - -allow restorecond_t restorecond_var_run_t:file manage_file_perms; -files_pid_filetrans(restorecond_t, restorecond_var_run_t, file) - -kernel_use_fds(restorecond_t) -kernel_rw_pipes(restorecond_t) -kernel_read_system_state(restorecond_t) - -files_dontaudit_read_all_symlinks(restorecond_t) - -fs_relabelfrom_noxattr_fs(restorecond_t) -fs_dontaudit_list_nfs(restorecond_t) -fs_getattr_xattr_fs(restorecond_t) -fs_list_inotifyfs(restorecond_t) - -selinux_validate_context(restorecond_t) -selinux_compute_access_vector(restorecond_t) -selinux_compute_create_context(restorecond_t) -selinux_compute_relabel_context(restorecond_t) -selinux_compute_user_contexts(restorecond_t) - -auth_relabel_all_files_except_shadow(restorecond_t ) -auth_read_all_files_except_shadow(restorecond_t) -auth_use_nsswitch(restorecond_t) - -locallogin_dontaudit_use_fds(restorecond_t) - -logging_send_syslog_msg(restorecond_t) - -miscfiles_read_localization(restorecond_t) - -seutil_libselinux_linked(restorecond_t) - -userdom_read_user_home_content_symlinks(restorecond_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(restorecond_t) - ') -') - -optional_policy(` - rpm_use_script_fds(restorecond_t) -') - -################################# -# -# Run_init local policy -# - -allow run_init_t self:process setexec; -allow run_init_t self:capability setuid; -allow run_init_t self:fifo_file rw_file_perms; -logging_send_audit_msgs(run_init_t) - -# often the administrator runs such programs from a directory that is owned -# by a different user or has restrictive SE permissions, do not want to audit -# the failed access to the current directory -dontaudit run_init_t self:capability { dac_override dac_read_search }; - -corecmd_exec_bin(run_init_t) -corecmd_exec_shell(run_init_t) - -dev_dontaudit_list_all_dev_nodes(run_init_t) - -domain_use_interactive_fds(run_init_t) - -files_read_etc_files(run_init_t) -files_dontaudit_search_all_dirs(run_init_t) - -fs_getattr_xattr_fs(run_init_t) - -mls_rangetrans_source(run_init_t) - -selinux_validate_context(run_init_t) -selinux_compute_access_vector(run_init_t) -selinux_compute_create_context(run_init_t) -selinux_compute_relabel_context(run_init_t) -selinux_compute_user_contexts(run_init_t) - -auth_use_nsswitch(run_init_t) -auth_domtrans_chk_passwd(run_init_t) -auth_domtrans_upd_passwd(run_init_t) -auth_dontaudit_read_shadow(run_init_t) - -init_spec_domtrans_script(run_init_t) -# for utmp -init_rw_utmp(run_init_t) - -logging_send_syslog_msg(run_init_t) - -miscfiles_read_localization(run_init_t) - -seutil_libselinux_linked(run_init_t) -seutil_read_default_contexts(run_init_t) - -userdom_use_user_terminals(run_init_t) - -ifndef(`direct_sysadm_daemon',` - ifdef(`distro_gentoo',` - # Gentoo integrated run_init: - init_script_file_entry_type(run_init_t) - ') -') - -optional_policy(` - rpm_domtrans(run_init_t) -') - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(run_init_t) - ') -') - -optional_policy(` - daemontools_domtrans_start(run_init_t) -') - -######################################## -# -# semodule local policy -# - -seutil_semanage_policy(semanage_t) -allow semanage_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) - -selinux_set_all_booleans(semanage_t) -can_exec(semanage_t, semanage_exec_t) - -# Admins are creating pp files in random locations -auth_read_all_files_except_shadow(semanage_t) - -seutil_manage_file_contexts(semanage_t) -seutil_manage_config(semanage_t) -seutil_domtrans_setfiles(semanage_t) - -# netfilter_contexts: -seutil_manage_default_contexts(semanage_t) - -ifdef(`distro_debian',` - files_read_var_lib_files(semanage_t) - files_read_var_lib_symlinks(semanage_t) -') - -optional_policy(` - setrans_initrc_domtrans(semanage_t) - domain_system_change_exemption(semanage_t) - consoletype_exec(semanage_t) -') - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(semanage_t) - ') -') - -optional_policy(` - #signal mcstrans on reload - init_spec_domtrans_script(semanage_t) -') - -# cjp: need a more general way to handle this: -ifdef(`enable_mls',` - # read secadm tmp files -',` - # Handle pp files created in homedir and /tmp - userdom_read_user_home_content_files(semanage_t) - userdom_read_user_tmp_files(semanage_t) -') - -userdom_search_admin_dir(semanage_t) - -####################################n#### -# -# setsebool local policy -# -seutil_semanage_policy(setsebool_t) -selinux_set_all_booleans(setsebool_t) - -init_dontaudit_use_fds(setsebool_t) - -# Bug in semanage -seutil_domtrans_setfiles(setsebool_t) -seutil_manage_file_contexts(setsebool_t) -seutil_manage_default_contexts(setsebool_t) -seutil_manage_config(setsebool_t) - -######################################## -# -# Setfiles local policy -# - -seutil_setfiles(setfiles_t) -# During boot in Rawhide -term_use_generic_ptys(setfiles_t) - -seutil_setfiles(setfiles_mac_t) -allow setfiles_mac_t self:capability2 mac_admin; -kernel_relabelto_unlabeled(setfiles_mac_t) - -optional_policy(` - files_dontaudit_write_isid_chr_files(setfiles_mac_t) - livecd_dontaudit_leaks(setfiles_mac_t) - livecd_rw_tmp_files(setfiles_mac_t) - dev_dontaudit_write_all_chr_files(setfiles_mac_t) -') - -ifdef(`hide_broken_symptoms',` - optional_policy(` - setroubleshoot_fixit_dontaudit_leaks(setfiles_t) - setroubleshoot_fixit_dontaudit_leaks(setsebool_t) - ') -') - -optional_policy(` - unconfined_domain(setfiles_mac_t) -') diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc deleted file mode 100644 index bea4629..0000000 --- a/policy/modules/system/setrans.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/mcstrans -- gen_context(system_u:object_r:setrans_initrc_exec_t,s0) - -/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) - -/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if deleted file mode 100644 index efa9c27..0000000 --- a/policy/modules/system/setrans.if +++ /dev/null @@ -1,42 +0,0 @@ -## SELinux MLS/MCS label translation service. - -######################################## -## -## Execute setrans server in the setrans domain. -## -## -## -## Domain allowed to transition. -## -## -# -# -interface(`setrans_initrc_domtrans',` - gen_require(` - type setrans_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, setrans_initrc_exec_t) -') - -####################################### -## -## Allow a domain to translate contexts. -## -## -## -## Domain allowed access. -## -## -# -interface(`setrans_translate_context',` - gen_require(` - type setrans_t, setrans_var_run_t; - class context translate; - ') - - allow $1 self:unix_stream_socket create_stream_socket_perms; - allow $1 setrans_t:context translate; - stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) - files_list_pids($1) -') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te deleted file mode 100644 index 4488c6d..0000000 --- a/policy/modules/system/setrans.te +++ /dev/null @@ -1,88 +0,0 @@ -policy_module(setrans, 1.7.0) - -gen_require(` - class context contains; -') - -######################################## -# -# Declarations -# - -type setrans_t; -type setrans_exec_t; -init_daemon_domain(setrans_t, setrans_exec_t) -mls_trusted_object(setrans_t) - -type setrans_initrc_exec_t; -init_script_file(setrans_initrc_exec_t) - -type setrans_var_run_t; -files_pid_file(setrans_var_run_t) -mls_trusted_object(setrans_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_daemon_domain(setrans_t, setrans_exec_t, mls_systemhigh) -') - -######################################## -# -# setrans local policy -# - -allow setrans_t self:capability sys_resource; -allow setrans_t self:process { setrlimit getcap setcap signal_perms }; -allow setrans_t self:unix_stream_socket create_stream_socket_perms; -allow setrans_t self:unix_dgram_socket create_socket_perms; -allow setrans_t self:netlink_selinux_socket create_socket_perms; -allow setrans_t self:context contains; - -can_exec(setrans_t, setrans_exec_t) -corecmd_search_bin(setrans_t) - -# create unix domain socket in /var -manage_dirs_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) -manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) -manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) -files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(setrans_t) -kernel_read_proc_symlinks(setrans_t) - -# allow performing getpidcon() on all processes -domain_read_all_domains_state(setrans_t) -domain_dontaudit_search_all_domains_state(setrans_t) -domain_getattr_all_domains(setrans_t) -domain_getsession_all_domains(setrans_t) - -files_read_etc_runtime_files(setrans_t) - -mls_file_read_all_levels(setrans_t) -mls_file_write_all_levels(setrans_t) -mls_net_receive_all_levels(setrans_t) -mls_socket_write_all_levels(setrans_t) -mls_process_read_up(setrans_t) -mls_socket_read_all_levels(setrans_t) - -selinux_compute_access_vector(setrans_t) - -term_dontaudit_use_generic_ptys(setrans_t) -term_dontaudit_use_unallocated_ttys(setrans_t) - -init_dontaudit_use_script_ptys(setrans_t) - -locallogin_dontaudit_use_fds(setrans_t) - -logging_send_syslog_msg(setrans_t) - -miscfiles_read_localization(setrans_t) - -seutil_read_config(setrans_t) - -optional_policy(` - rpm_use_script_fds(setrans_t) -') diff --git a/policy/modules/system/sosreport.fc b/policy/modules/system/sosreport.fc deleted file mode 100644 index 0928140..0000000 --- a/policy/modules/system/sosreport.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) diff --git a/policy/modules/system/sosreport.if b/policy/modules/system/sosreport.if deleted file mode 100644 index fec3374..0000000 --- a/policy/modules/system/sosreport.if +++ /dev/null @@ -1,131 +0,0 @@ - -## policy for sosreport - -######################################## -## -## Execute a domain transition to run sosreport. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sosreport_domtrans',` - gen_require(` - type sosreport_t, sosreport_exec_t; - ') - - domtrans_pattern($1, sosreport_exec_t, sosreport_t) -') - - -######################################## -## -## Execute sosreport in the sosreport domain, and -## allow the specified role the sosreport domain. -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the sosreport domain. -## -## -# -interface(`sosreport_run',` - gen_require(` - type sosreport_t; - ') - - sosreport_domtrans($1) - role $2 types sosreport_t; -') - -######################################## -## -## Role access for sosreport -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`sosreport_role',` - gen_require(` - type sosreport_t; - ') - - role $1 types sosreport_t; - - sosreport_domtrans($2) - - ps_process_pattern($2, sosreport_t) - allow $2 sosreport_t:process signal; -') - -######################################## -## -## Allow the specified domain to read -## sosreport tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sosreport_read_tmp_files',` - gen_require(` - type sosreport_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) -') - -######################################## -## -## Delete sosreport tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sosreport_delete_tmp_files',` - gen_require(` - type sosreport_tmp_t; - ') - - files_delete_tmp_dir_entry($1) - delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) -') - -######################################## -## -## Append sosreport tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sosreport_append_tmp_files',` - gen_require(` - type sosreport_tmp_t; - ') - - allow $1 sosreport_tmp_t:file append; -') diff --git a/policy/modules/system/sosreport.te b/policy/modules/system/sosreport.te deleted file mode 100644 index c15bcea..0000000 --- a/policy/modules/system/sosreport.te +++ /dev/null @@ -1,154 +0,0 @@ -policy_module(sosreport,1.0.0) - -######################################## -# -# Declarations -# - -type sosreport_t; -type sosreport_exec_t; -application_domain(sosreport_t, sosreport_exec_t) -role system_r types sosreport_t; - -type sosreport_tmp_t; -files_tmp_file(sosreport_tmp_t) - -type sosreport_tmpfs_t; -files_tmpfs_file(sosreport_tmpfs_t) - -######################################## -# -# sosreport local policy -# - -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; -allow sosreport_t self:process { setsched signull }; - -allow sosreport_t self:fifo_file rw_fifo_file_perms; -allow sosreport_t self:tcp_socket create_stream_socket_perms; -allow sosreport_t self:udp_socket create_socket_perms; -allow sosreport_t self:unix_dgram_socket create_socket_perms; -allow sosreport_t self:netlink_route_socket r_netlink_socket_perms; -allow sosreport_t self:unix_stream_socket create_stream_socket_perms; - -# sosreport tmp files -manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) - -manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) -fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file) - -kernel_read_network_state(sosreport_t) -kernel_read_all_sysctls(sosreport_t) -kernel_read_software_raid_state(sosreport_t) -kernel_search_debugfs(sosreport_t) -kernel_read_messages(sosreport_t) - -corecmd_exec_all_executables(sosreport_t) - -dev_getattr_all_chr_files(sosreport_t) -dev_getattr_all_blk_files(sosreport_t) -dev_getattr_generic_chr_files(sosreport_t) -dev_getattr_generic_blk_files(sosreport_t) -dev_getattr_mtrr_dev(sosreport_t) - -dev_read_rand(sosreport_t) -dev_read_urand(sosreport_t) -dev_read_raw_memory(sosreport_t) -dev_read_sysfs(sosreport_t) - -domain_getattr_all_domains(sosreport_t) -domain_read_all_domains_state(sosreport_t) -domain_getattr_all_sockets(sosreport_t) -domain_getattr_all_pipes(sosreport_t) -domain_signull_all_domains(sosreport_t) - -# for blkid.tab -files_manage_etc_runtime_files(sosreport_t) -files_etc_filetrans_etc_runtime(sosreport_t, file) - -files_getattr_all_sockets(sosreport_t) -files_exec_etc_files(sosreport_t) -files_list_all(sosreport_t) -files_read_config_files(sosreport_t) -files_read_etc_files(sosreport_t) -files_read_generic_tmp_files(sosreport_t) -files_read_usr_files(sosreport_t) -files_read_var_lib_files(sosreport_t) -files_read_var_symlinks(sosreport_t) -files_read_kernel_modules(sosreport_t) -files_read_all_symlinks(sosreport_t) - -fs_getattr_all_fs(sosreport_t) -fs_list_inotifyfs(sosreport_t) - -# cjp: some config files do not have configfile attribute -# sosreport needs to read various files on system -auth_read_all_files_except_shadow(sosreport_t) -auth_use_nsswitch(sosreport_t) - -init_domtrans_script(sosreport_t) - -libs_domtrans_ldconfig(sosreport_t) - -logging_read_all_logs(sosreport_t) -logging_send_syslog_msg(sosreport_t) - -miscfiles_read_localization(sosreport_t) - -# needed by modinfo -modutils_read_module_deps(sosreport_t) - -sysnet_read_config(sosreport_t) - -optional_policy(` - abrt_manage_pid_files(sosreport_t) -') - -optional_policy(` - cups_stream_connect(sosreport_t) -') - -optional_policy(` - dmesg_domtrans(sosreport_t) -') - -optional_policy(` - fstools_domtrans(sosreport_t) -') - -optional_policy(` - dbus_system_bus_client(sosreport_t) - - optional_policy(` - hal_dbus_chat(sosreport_t) - ') -') - -optional_policy(` - lvm_domtrans(sosreport_t) -') - -optional_policy(` - mount_domtrans(sosreport_t) -') - -optional_policy(` - pulseaudio_stream_connect(sosreport_t) -') - -optional_policy(` - rpm_exec(sosreport_t) - rpm_dontaudit_manage_db(sosreport_t) - rpm_read_db(sosreport_t) -') - -optional_policy(` - xserver_stream_connect(sosreport_t) -') - -optional_policy(` - unconfined_domain(sosreport_t) -') diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc deleted file mode 100644 index 4bb3158..0000000 --- a/policy/modules/system/sysnetwork.fc +++ /dev/null @@ -1,68 +0,0 @@ - -# -# /bin -# -/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - -# -# /etc -# -/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) -/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) -/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) -/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) -/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) -/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - -/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) -/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) - -ifdef(`distro_redhat',` -/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0) -/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) -') - -# -# /sbin -# -/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0) -/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) -/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) -/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) -/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - -# -# /usr -# -/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - -# -# /var -# -/var/lib/dhcp3? -d gen_context(system_u:object_r:dhcp_state_t,s0) -/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0) -/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) -/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) -/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) - -/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) - -ifdef(`distro_gentoo',` -/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) -') - -/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if deleted file mode 100644 index 350d003..0000000 --- a/policy/modules/system/sysnetwork.if +++ /dev/null @@ -1,877 +0,0 @@ -## Policy for network configuration: ifconfig and dhcp client. - -####################################### -## -## Execute dhcp client in dhcpc domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sysnet_domtrans_dhcpc',` - gen_require(` - type dhcpc_t, dhcpc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dhcpc_exec_t, dhcpc_t) -') - -######################################## -## -## Execute DHCP clients in the dhcpc domain, and -## allow the specified role the dhcpc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`sysnet_run_dhcpc',` - gen_require(` - type dhcpc_t; - ') - - sysnet_domtrans_dhcpc($1) - role $2 types dhcpc_t; - - modutils_run_insmod(dhcpc_t, $2) - - sysnet_run_ifconfig(dhcpc_t, $2) - - optional_policy(` - consoletype_run(dhcpc_t, $2) - ') - - optional_policy(` - hostname_run(dhcpc_t, $2) - ') - - optional_policy(` - netutils_run(dhcpc_t, $2) - netutils_run_ping(dhcpc_t, $2) - ') - - optional_policy(` - networkmanager_run(dhcpc_t, $2) - ') - - optional_policy(` - nis_run_ypbind(dhcpc_t, $2) - ') - - optional_policy(` - nscd_run(dhcpc_t, $2) - ') - - optional_policy(` - ntp_run(dhcpc_t, $2) - ') - - seutil_run_setfiles(dhcpc_t, $2) -') - -######################################## -## -## Do not audit attempts to use -## the dhcp file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysnet_dontaudit_use_dhcpc_fds',` - gen_require(` - type dhcpc_t; - ') - - dontaudit $1 dhcpc_t:fd use; -') - -######################################## -## -## Send a SIGCHLD signal to the dhcp client. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_sigchld_dhcpc',` - gen_require(` - type dhcpc_t; - ') - - allow $1 dhcpc_t:process sigchld; -') - -######################################## -## -## Send a kill signal to the dhcp client. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sysnet_kill_dhcpc',` - gen_require(` - type dhcpc_t; - ') - - allow $1 dhcpc_t:process sigkill; -') - -######################################## -## -## Send a SIGSTOP signal to the dhcp client. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_sigstop_dhcpc',` - gen_require(` - type dhcpc_t; - ') - - allow $1 dhcpc_t:process sigstop; -') - -######################################## -## -## Send a null signal to the dhcp client. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_signull_dhcpc',` - gen_require(` - type dhcpc_t; - ') - - allow $1 dhcpc_t:process signull; -') - -######################################## -## -## Send a generic signal to the dhcp client. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sysnet_signal_dhcpc',` - gen_require(` - type dhcpc_t; - ') - - allow $1 dhcpc_t:process signal; -') - -######################################## -## -## Send and receive messages from -## dhcpc over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_dbus_chat_dhcpc',` - gen_require(` - type dhcpc_t; - class dbus send_msg; - ') - - allow $1 dhcpc_t:dbus send_msg; - allow dhcpc_t $1:dbus send_msg; -') - -######################################## -## -## Read and write dhcp configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_rw_dhcp_config',` - gen_require(` - type dhcp_etc_t; - ') - - files_search_etc($1) - allow $1 dhcp_etc_t:file rw_file_perms; -') - -######################################## -## -## Read dhcp client state files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_read_dhcpc_state',` - gen_require(` - type dhcpc_state_t; - ') - - read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) -') - -####################################### -## -## Delete the dhcp client state files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_delete_dhcpc_state',` - gen_require(` - type dhcpc_state_t; - ') - - delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) -') - -######################################## -## -## Allow caller to relabel dhcpc_state files -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_relabelfrom_dhcpc_state',` - - gen_require(` - type dhcpc_state_t; - ') - - allow $1 dhcpc_state_t:file relabelfrom; -') - -####################################### -## -## Manage the dhcp client state files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_manage_dhcpc_state',` - gen_require(` - type dhcpc_state_t; - ') - - manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t) -') - -####################################### -## -## Set the attributes of network config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_setattr_config',` - gen_require(` - type net_conf_t; - ') - - files_search_etc($1) - allow $1 net_conf_t:file setattr; -') - -####################################### -## -## Allow caller to relabel net_conf files -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_relabelfrom_net_conf',` - - gen_require(` - type net_conf_t; - ') - - allow $1 net_conf_t:file relabelfrom; -') - -###################################### -## -## Allow caller to relabel net_conf files -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_relabelto_net_conf',` - - gen_require(` - type net_conf_t; - ') - - allow $1 net_conf_t:file relabelto; -') - -####################################### -## -## Read network config files. -## -## -##

-## Allow the specified domain to read the -## general network configuration files. A -## common example of this is the -## /etc/resolv.conf file, which has domain -## name system (DNS) server IP addresses. -## Typically, most networking processes will -## require the access provided by this interface. -##

-##

-## Higher-level interfaces which involve -## networking will generally call this interface, -## for example: -##

-##
    -##
  • sysnet_dns_name_resolve()
  • -##
  • sysnet_use_ldap()
  • -##
  • sysnet_use_portmap()
  • -##
-##
-## -## -## Domain allowed access. -## -## -# -interface(`sysnet_read_config',` - gen_require(` - type net_conf_t; - ') - - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; - - ifdef(`distro_redhat',` - allow $1 net_conf_t:dir list_dir_perms; - read_files_pattern($1, net_conf_t, net_conf_t) - ') -') - -####################################### -## -## Do not audit attempts to read network config files. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysnet_dontaudit_read_config',` - gen_require(` - type net_conf_t; - ') - - dontaudit $1 net_conf_t:file read_file_perms; -') - -####################################### -## -## Write network config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_write_config',` - gen_require(` - type net_conf_t; - ') - - files_search_etc($1) - allow $1 net_conf_t:file write_file_perms; -') - -####################################### -## -## Create network config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_create_config',` - gen_require(` - type net_conf_t; - ') - - files_search_etc($1) - allow $1 net_conf_t:file create_file_perms; -') - -####################################### -## -## Create files in /etc with the type used for -## the network config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_etc_filetrans_config',` - gen_require(` - type net_conf_t; - ') - - files_etc_filetrans($1, net_conf_t, file) -') - -####################################### -## -## Create, read, write, and delete network config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_manage_config',` - gen_require(` - type net_conf_t; - ') - - allow $1 net_conf_t:dir list_dir_perms; - manage_files_pattern($1, net_conf_t, net_conf_t) -') - -####################################### -## -## Read the dhcp client pid file. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_read_dhcpc_pid',` - gen_require(` - type dhcpc_var_run_t; - ') - - files_list_pids($1) - allow $1 dhcpc_var_run_t:file read_file_perms; -') - -####################################### -## -## Delete the dhcp client pid file. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_delete_dhcpc_pid',` - gen_require(` - type dhcpc_var_run_t; - ') - - files_rw_pid_dirs($1) - allow $1 dhcpc_var_run_t:file unlink; -') - -####################################### -## -## Execute ifconfig in the ifconfig domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sysnet_domtrans_ifconfig',` - gen_require(` - type ifconfig_t, ifconfig_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) - ifdef(`hide_broken_symptoms', ` - dontaudit ifconfig_t $1:socket_class_set { read write }; - ') - -') - -######################################## -## -## Execute ifconfig in the ifconfig domain, and -## allow the specified role the ifconfig domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`sysnet_run_ifconfig',` - gen_require(` - type ifconfig_t; - ') - - corecmd_search_bin($1) - sysnet_domtrans_ifconfig($1) - role $2 types ifconfig_t; -') - -####################################### -## -## Execute ifconfig in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_exec_ifconfig',` - gen_require(` - type ifconfig_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ifconfig_exec_t) -') - -######################################## -## -## Send a generic signal to ifconfig. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sysnet_signal_ifconfig',` - gen_require(` - type ifconfig_t; - ') - - allow $1 ifconfig_t:process signal; -') - -######################################## -## -## Send a kill signal to iconfig. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sysnet_kill_ifconfig',` - gen_require(` - type ifconfig_t; - ') - - allow $1 ifconfig_t:process sigkill; -') - -######################################## -## -## Read the DHCP configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_read_dhcp_config',` - gen_require(` - type dhcp_etc_t; - ') - - files_search_etc($1) - allow $1 dhcp_etc_t:dir list_dir_perms; - read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) -') - -######################################## -## -## Search the DHCP state data directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_search_dhcp_state',` - gen_require(` - type dhcp_state_t; - ') - - files_search_var_lib($1) - allow $1 dhcp_state_t:dir search_dir_perms; -') - -######################################## -## -## Create DHCP state data. -## -## -##

-## Create DHCP state data. -##

-##

-## This is added for DHCP server, as -## the server and client put their state -## files in the same directory. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -# -interface(`sysnet_dhcp_state_filetrans',` - gen_require(` - type dhcp_state_t; - ') - - files_search_var_lib($1) - filetrans_pattern($1, dhcp_state_t, $2, $3) -') - -######################################## -## -## Perform a DNS name resolution. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sysnet_dns_name_resolve',` - gen_require(` - type net_conf_t; - ') - - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - allow $1 self:netlink_route_socket r_netlink_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_dns_port($1) - corenet_udp_sendrecv_dns_port($1) - corenet_tcp_connect_dns_port($1) - corenet_sendrecv_dns_client_packets($1) - - sysnet_read_config($1) - - optional_policy(` - avahi_stream_connect($1) - ') - - optional_policy(` - nscd_socket_use($1) - ') -') - -######################################## -## -## Connect and use a LDAP server. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_use_ldap',` - gen_require(` - type net_conf_t; - ') - - allow $1 self:tcp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_ldap_port($1) - corenet_tcp_connect_ldap_port($1) - corenet_sendrecv_ldap_client_packets($1) - - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; - # LDAP Configuration using encrypted requires - dev_read_urand($1) -') - -######################################## -## -## Connect and use remote port mappers. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysnet_use_portmap',` - gen_require(` - type net_conf_t; - ') - - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_portmap_port($1) - corenet_udp_sendrecv_portmap_port($1) - corenet_tcp_connect_portmap_port($1) - corenet_sendrecv_portmap_client_packets($1) - - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to use -## the dhcp file descriptors. -## -## -## -## The domain sending the SIGCHLD. -## -## -# -interface(`sysnet_dontaudit_dhcpc_use_fds',` - gen_require(` - type dhcpc_t; - ') - - dontaudit $1 dhcpc_t:fd use; -') - -######################################## -## -## Transition to system_r when execute an dhclient script -## -## -##

-## Execute dhclient script in a specified role -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Role to transition from. -## -## -interface(`sysnet_role_transition_dhcpc',` - gen_require(` - type dhcpc_exec_t; - ') - - role_transition $1 dhcpc_exec_t system_r; -') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te deleted file mode 100644 index 3663802..0000000 --- a/policy/modules/system/sysnetwork.te +++ /dev/null @@ -1,411 +0,0 @@ -policy_module(sysnetwork, 1.11.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow dhcpc client applications to execute iptables commands -##

-##
-gen_tunable(dhcpc_exec_iptables, false) - -# this is shared between dhcpc and dhcpd: -type dhcp_etc_t; -typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; -files_config_file(dhcp_etc_t) - -# this is shared between dhcpc and dhcpd: -type dhcp_state_t; -files_type(dhcp_state_t) - -type dhcpc_t; -type dhcpc_exec_t; -init_daemon_domain(dhcpc_t, dhcpc_exec_t) -role system_r types dhcpc_t; - -type dhcpc_helper_exec_t; -init_script_file(dhcpc_helper_exec_t) - -type dhcpc_state_t; -files_type(dhcpc_state_t) - -type dhcpc_tmp_t; -files_tmp_file(dhcpc_tmp_t) - -type dhcpc_var_run_t; -files_pid_file(dhcpc_var_run_t) - -type ifconfig_t; -type ifconfig_exec_t; -init_system_domain(ifconfig_t, ifconfig_exec_t) -role system_r types ifconfig_t; - -type net_conf_t alias resolv_conf_t; -files_type(net_conf_t) - -######################################## -# -# DHCP client local policy -# -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; -dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; -# for access("/etc/bashrc", X_OK) on Red Hat -dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; - -allow dhcpc_t self:fifo_file rw_fifo_file_perms; -allow dhcpc_t self:tcp_socket create_stream_socket_perms; -allow dhcpc_t self:udp_socket create_socket_perms; -allow dhcpc_t self:packet_socket create_socket_perms; -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read }; - -allow dhcpc_t dhcp_etc_t:dir list_dir_perms; -read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) -exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) - -allow dhcpc_t dhcp_state_t:file read_file_perms; -allow dhcpc_t dhcp_state_t:file relabel_file_perms; - -manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) -filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) -allow dhcpc_t dhcpc_state_t:file relabel_file_perms; - -# create pid file -manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) - -# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files -# in /etc created by dhcpcd will be labelled net_conf_t. -allow dhcpc_t net_conf_t:file manage_file_perms; -allow dhcpc_t net_conf_t:file relabel_file_perms; -sysnet_manage_config(dhcpc_t) -files_etc_filetrans(dhcpc_t, net_conf_t, file) - -# create temp files -manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t) -manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t) -files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir }) - -can_exec(dhcpc_t, dhcpc_exec_t) - -# transition to ifconfig -domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t) - -kernel_read_system_state(dhcpc_t) -kernel_read_network_state(dhcpc_t) -kernel_search_network_sysctl(dhcpc_t) -kernel_read_kernel_sysctls(dhcpc_t) -kernel_request_load_module(dhcpc_t) -kernel_use_fds(dhcpc_t) - -corecmd_exec_bin(dhcpc_t) -corecmd_exec_shell(dhcpc_t) - -corenet_all_recvfrom_unlabeled(dhcpc_t) -corenet_all_recvfrom_netlabel(dhcpc_t) -corenet_tcp_sendrecv_all_if(dhcpc_t) -corenet_raw_sendrecv_all_if(dhcpc_t) -corenet_udp_sendrecv_all_if(dhcpc_t) -corenet_tcp_sendrecv_all_nodes(dhcpc_t) -corenet_raw_sendrecv_all_nodes(dhcpc_t) -corenet_udp_sendrecv_all_nodes(dhcpc_t) -corenet_tcp_sendrecv_all_ports(dhcpc_t) -corenet_udp_sendrecv_all_ports(dhcpc_t) -corenet_tcp_bind_all_nodes(dhcpc_t) -corenet_udp_bind_all_nodes(dhcpc_t) -corenet_udp_bind_dhcpc_port(dhcpc_t) -corenet_tcp_connect_all_ports(dhcpc_t) -corenet_sendrecv_dhcpd_client_packets(dhcpc_t) -corenet_sendrecv_dhcpc_server_packets(dhcpc_t) -corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t) -corenet_udp_bind_all_unreserved_ports(dhcpc_t) - -dev_read_sysfs(dhcpc_t) -# for SSP: -dev_read_urand(dhcpc_t) - -domain_obj_id_change_exemption(dhcpc_t) -domain_use_interactive_fds(dhcpc_t) -domain_dontaudit_read_all_domains_state(dhcpc_t) - -files_read_etc_files(dhcpc_t) -files_read_etc_runtime_files(dhcpc_t) -files_read_usr_files(dhcpc_t) -files_search_home(dhcpc_t) -files_search_var_lib(dhcpc_t) -files_dontaudit_search_locks(dhcpc_t) -files_getattr_generic_locks(dhcpc_t) - -fs_getattr_all_fs(dhcpc_t) -fs_search_auto_mountpoints(dhcpc_t) - -term_dontaudit_use_all_ttys(dhcpc_t) -term_dontaudit_use_all_ptys(dhcpc_t) -term_dontaudit_use_unallocated_ttys(dhcpc_t) -term_dontaudit_use_generic_ptys(dhcpc_t) - -init_rw_utmp(dhcpc_t) -init_stream_connect(dhcpc_t) - -logging_send_syslog_msg(dhcpc_t) - -miscfiles_read_localization(dhcpc_t) - -modutils_domtrans_insmod(dhcpc_t) - -userdom_use_user_terminals(dhcpc_t) -userdom_dontaudit_search_user_home_dirs(dhcpc_t) - -ifdef(`distro_redhat', ` - files_exec_etc_files(dhcpc_t) -') - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(dhcpc_t) - ') -') - -optional_policy(` - consoletype_domtrans(dhcpc_t) -') - -optional_policy(` - chronyd_initrc_domtrans(dhcpc_t) -') - -optional_policy(` - init_dbus_chat_script(dhcpc_t) - - dbus_system_bus_client(dhcpc_t) - dbus_connect_system_bus(dhcpc_t) - - optional_policy(` - networkmanager_dbus_chat(dhcpc_t) - ') -') - -optional_policy(` - hostname_domtrans(dhcpc_t) -') - -optional_policy(` - hal_dontaudit_rw_dgram_sockets(dhcpc_t) - hal_dontaudit_read_pid_files(dhcpc_t) - hal_dontaudit_write_log(dhcpc_t) -') - -optional_policy(` - hotplug_getattr_config_dirs(dhcpc_t) - hotplug_search_config(dhcpc_t) - - ifdef(`distro_redhat',` - logging_domtrans_syslog(dhcpc_t) - ') -') - -# for the dhcp client to run ping to check IP addresses -optional_policy(` - netutils_domtrans_ping(dhcpc_t) - netutils_domtrans(dhcpc_t) -',` - allow dhcpc_t self:capability setuid; - allow dhcpc_t self:rawip_socket create_socket_perms; -') - -optional_policy(` - networkmanager_domtrans(dhcpc_t) - networkmanager_read_pid_files(dhcpc_t) - networkmanager_read_lib_files(dhcpc_t) -') - -optional_policy(` - nis_initrc_domtrans_ypbind(dhcpc_t) - nis_read_ypbind_pid(dhcpc_t) -') - -optional_policy(` - nscd_initrc_domtrans(dhcpc_t) - nscd_domtrans(dhcpc_t) - nscd_read_pid(dhcpc_t) -') - -optional_policy(` - ntp_initrc_domtrans(dhcpc_t) -') - -optional_policy(` - pcmcia_stub(dhcpc_t) - dev_rw_cardmgr(dhcpc_t) -') - -optional_policy(` - seutil_sigchld_newrole(dhcpc_t) - seutil_dontaudit_search_config(dhcpc_t) - seutil_domtrans_setfiles(dhcpc_t) -') - -optional_policy(` - udev_read_db(dhcpc_t) -') - -optional_policy(` - userdom_use_all_users_fds(dhcpc_t) -') - -optional_policy(` - vmware_append_log(dhcpc_t) -') - -optional_policy(` - kernel_read_xen_state(dhcpc_t) - kernel_write_xen_state(dhcpc_t) - xen_append_log(dhcpc_t) - xen_dontaudit_rw_unix_stream_sockets(dhcpc_t) -') - -######################################## -# -# Ifconfig local policy -# - -allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; -allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; -allow ifconfig_t self:fd use; -allow ifconfig_t self:fifo_file rw_fifo_file_perms; -allow ifconfig_t self:sock_file read_sock_file_perms; -allow ifconfig_t self:socket create_socket_perms; -allow ifconfig_t self:unix_dgram_socket create_socket_perms; -allow ifconfig_t self:unix_stream_socket create_stream_socket_perms; -allow ifconfig_t self:unix_dgram_socket sendto; -allow ifconfig_t self:unix_stream_socket connectto; -allow ifconfig_t self:shm create_shm_perms; -allow ifconfig_t self:sem create_sem_perms; -allow ifconfig_t self:msgq create_msgq_perms; -allow ifconfig_t self:msg { send receive }; -# Create UDP sockets, necessary when called from dhcpc -allow ifconfig_t self:udp_socket create_socket_perms; -# for /sbin/ip -allow ifconfig_t self:packet_socket create_socket_perms; -allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; -allow ifconfig_t self:tcp_socket { create ioctl }; - -kernel_use_fds(ifconfig_t) -kernel_read_system_state(ifconfig_t) -kernel_read_network_state(ifconfig_t) -kernel_request_load_module(ifconfig_t) -kernel_search_network_sysctl(ifconfig_t) -kernel_rw_net_sysctls(ifconfig_t) - -corenet_rw_tun_tap_dev(ifconfig_t) - -dev_read_sysfs(ifconfig_t) -# for IPSEC setup: -dev_read_urand(ifconfig_t) - -domain_use_interactive_fds(ifconfig_t) - -read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) - -files_read_etc_files(ifconfig_t) -files_read_etc_runtime_files(ifconfig_t) -files_read_usr_files(ifconfig_t) - -fs_getattr_xattr_fs(ifconfig_t) -fs_search_auto_mountpoints(ifconfig_t) - -selinux_dontaudit_getattr_fs(ifconfig_t) - -term_dontaudit_use_console(ifconfig_t) -term_dontaudit_use_all_ttys(ifconfig_t) -term_dontaudit_use_all_ptys(ifconfig_t) -term_dontaudit_use_ptmx(ifconfig_t) -term_dontaudit_use_generic_ptys(ifconfig_t) - -files_dontaudit_read_root_files(ifconfig_t) - -init_use_fds(ifconfig_t) -init_use_script_ptys(ifconfig_t) - -libs_read_lib_files(ifconfig_t) - -logging_send_syslog_msg(ifconfig_t) - -miscfiles_read_localization(ifconfig_t) - -modutils_domtrans_insmod(ifconfig_t) - -seutil_use_runinit_fds(ifconfig_t) - -sysnet_dns_name_resolve(ifconfig_t) - -userdom_use_user_terminals(ifconfig_t) -userdom_use_all_users_fds(ifconfig_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(ifconfig_t) - ') -') - -optional_policy(` - brctl_domtrans(ifconfig_t) -') - -ifdef(`hide_broken_symptoms',` - optional_policy(` - dev_dontaudit_rw_cardmgr(ifconfig_t) - ') - - optional_policy(` - udev_dontaudit_rw_dgram_sockets(ifconfig_t) - ') -') - -optional_policy(` - hal_dontaudit_rw_pipes(ifconfig_t) - hal_dontaudit_rw_dgram_sockets(ifconfig_t) - hal_dontaudit_read_pid_files(ifconfig_t) - hal_write_log(ifconfig_t) -') - -optional_policy(` - ipsec_write_pid(ifconfig_t) -') - -optional_policy(` - netutils_domtrans(dhcpc_t) -') - -optional_policy(` - nis_use_ypbind(ifconfig_t) -') - -optional_policy(` - ppp_use_fds(ifconfig_t) -') - -optional_policy(` - unconfined_dontaudit_rw_pipes(ifconfig_t) -') - -optional_policy(` - vmware_append_log(ifconfig_t) -') - -optional_policy(` - kernel_read_xen_state(ifconfig_t) - kernel_write_xen_state(ifconfig_t) - xen_append_log(ifconfig_t) - xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) -') - -optional_policy(` - tunable_policy(`dhcpc_exec_iptables',` - iptables_domtrans(dhcpc_t) - ') -') diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc deleted file mode 100644 index 44fe366..0000000 --- a/policy/modules/system/udev.fc +++ /dev/null @@ -1,25 +0,0 @@ -/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0) -/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0) -/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0) - -/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - -/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - -/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0) -/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - -/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) - -/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) -/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) -/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) -/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) -/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) -/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) -/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) - -/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) - -/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) -/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if deleted file mode 100644 index 5b277ea..0000000 --- a/policy/modules/system/udev.if +++ /dev/null @@ -1,233 +0,0 @@ -## Policy for udev. - -######################################## -## -## Send generic signals to udev. -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_signal',` - gen_require(` - type udev_t; - ') - - allow $1 udev_t:process signal; -') - -######################################## -## -## Execute udev in the udev domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`udev_domtrans',` - gen_require(` - type udev_t, udev_exec_t; - ') - - domtrans_pattern($1, udev_exec_t, udev_t) - allow $1 udev_t:process noatsecure; -') - -######################################## -## -## Execute udev in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_exec',` - gen_require(` - type udev_exec_t; - ') - - can_exec($1, udev_exec_t) -') - -######################################## -## -## Execute a udev helper in the udev domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`udev_helper_domtrans',` - gen_require(` - type udev_t, udev_helper_exec_t; - ') - - domtrans_pattern($1, udev_helper_exec_t, udev_t) -') - -######################################## -## -## Allow process to read udev process state. -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_read_state',` - gen_require(` - type udev_t; - ') - - kernel_search_proc($1) - ps_process_pattern($1, udev_t) -') - -######################################## -## -## Do not audit attempts to inherit a -## udev file descriptor. -## -## -## -## Domain to not audit. -## -## -# -interface(`udev_dontaudit_use_fds',` - gen_require(` - type udev_t; - ') - - dontaudit $1 udev_t:fd use; -') - -######################################## -## -## Do not audit attempts to read or write -## to a udev unix datagram socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`udev_dontaudit_rw_dgram_sockets',` - gen_require(` - type udev_t; - ') - - dontaudit $1 udev_t:unix_dgram_socket { read write }; -') - -######################################## -## -## Manage udev rules files -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_manage_rules_files',` - gen_require(` - type udev_rules_t; - ') - - manage_files_pattern($1, udev_rules_t, udev_rules_t) -') - -######################################## -## -## Do not audit search of udev database directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`udev_dontaudit_search_db',` - gen_require(` - type udev_tbl_t; - ') - - dontaudit $1 udev_tbl_t:dir search_dir_perms; -') - -######################################## -## -## Read the udev device table. -## -## -##

-## Allow the specified domain to read the udev device table. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`udev_read_db',` - gen_require(` - type udev_tbl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 udev_tbl_t:dir list_dir_perms; - read_files_pattern($1, udev_tbl_t, udev_tbl_t) - read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) -') - -######################################## -## -## Allow process to modify list of devices. -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_rw_db',` - gen_require(` - type udev_tbl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 udev_tbl_t:file rw_file_perms; -') - -######################################## -## -## Create, read, write, and delete -## udev pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`udev_manage_pid_files',` - gen_require(` - type udev_var_run_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, udev_var_run_t, udev_var_run_t) -') diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te deleted file mode 100644 index 4867243..0000000 --- a/policy/modules/system/udev.te +++ /dev/null @@ -1,317 +0,0 @@ -policy_module(udev, 1.12.0) - -######################################## -# -# Declarations -# - -type udev_t; -type udev_exec_t; -type udev_helper_exec_t; -kernel_domtrans_to(udev_t, udev_exec_t) -domain_obj_id_change_exemption(udev_t) -domain_entry_file(udev_t, udev_helper_exec_t) -domain_interactive_fd(udev_t) -init_daemon_domain(udev_t, udev_exec_t) - -type udev_etc_t alias etc_udev_t; -files_config_file(udev_etc_t) - -type udev_tbl_t alias udev_tdb_t; -files_type(udev_tbl_t) - -type udev_rules_t; -files_type(udev_rules_t) - -type udev_var_run_t; -files_pid_file(udev_var_run_t) - -ifdef(`enable_mcs',` - kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) - init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# Local policy -# - -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; -dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow udev_t self:process { execmem setfscreate }; -allow udev_t self:fd use; -allow udev_t self:fifo_file rw_fifo_file_perms; -allow udev_t self:sock_file read_sock_file_perms; -allow udev_t self:shm create_shm_perms; -allow udev_t self:sem create_sem_perms; -allow udev_t self:msgq create_msgq_perms; -allow udev_t self:msg { send receive }; -allow udev_t self:unix_stream_socket { listen accept }; -allow udev_t self:unix_dgram_socket sendto; -allow udev_t self:unix_stream_socket connectto; -allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; -allow udev_t self:rawip_socket create_socket_perms; -allow udev_t self:netlink_socket create_socket_perms; - -allow udev_t udev_exec_t:file write; -can_exec(udev_t, udev_exec_t) - -allow udev_t udev_helper_exec_t:dir list_dir_perms; -can_exec(udev_t, udev_helper_exec_t) - -# read udev config -allow udev_t udev_etc_t:file read_file_perms; - -# create udev database in /dev/.udevdb -allow udev_t udev_tbl_t:file manage_file_perms; -dev_filetrans(udev_t, udev_tbl_t, file) - -list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t) -read_files_pattern(udev_t, udev_rules_t, udev_rules_t) - -manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) -manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) -manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) -files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) - -kernel_read_system_state(udev_t) -kernel_request_load_module(udev_t) -kernel_getattr_core_if(udev_t) -kernel_use_fds(udev_t) -kernel_read_device_sysctls(udev_t) -kernel_read_hotplug_sysctls(udev_t) -kernel_read_modprobe_sysctls(udev_t) -kernel_read_kernel_sysctls(udev_t) -kernel_rw_hotplug_sysctls(udev_t) -kernel_rw_unix_dgram_sockets(udev_t) -kernel_dgram_send(udev_t) -kernel_signal(udev_t) -kernel_search_debugfs(udev_t) - -#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 -kernel_rw_net_sysctls(udev_t) -kernel_read_network_state(udev_t) -kernel_read_software_raid_state(udev_t) - -corecmd_exec_all_executables(udev_t) - -dev_rw_sysfs(udev_t) -dev_manage_all_dev_nodes(udev_t) -dev_rw_generic_files(udev_t) -dev_delete_generic_files(udev_t) -dev_search_usbfs(udev_t) -dev_relabel_all_dev_nodes(udev_t) -# udev_node.c/node_symlink() symlink labels are explicitly -# preserved, instead of short circuiting the relabel -dev_relabel_generic_symlinks(udev_t) -dev_manage_generic_symlinks(udev_t) - -domain_read_all_domains_state(udev_t) -domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these - -files_read_usr_files(udev_t) -files_read_etc_runtime_files(udev_t) - -# console_init manages files in /etc/sysconfig -files_manage_etc_files(udev_t) -files_exec_etc_files(udev_t) -files_dontaudit_search_isid_type_dirs(udev_t) -files_getattr_generic_locks(udev_t) -files_search_mnt(udev_t) -files_list_tmp(udev_t) - -fs_getattr_all_fs(udev_t) -fs_list_inotifyfs(udev_t) -fs_rw_anon_inodefs_files(udev_t) -fs_list_auto_mountpoints(udev_t) -fs_list_hugetlbfs(udev_t) - -mcs_ptrace_all(udev_t) - -mls_file_read_all_levels(udev_t) -mls_file_write_all_levels(udev_t) -mls_file_upgrade(udev_t) -mls_file_downgrade(udev_t) -mls_process_write_down(udev_t) - -selinux_get_fs_mount(udev_t) -selinux_validate_context(udev_t) -selinux_compute_access_vector(udev_t) -selinux_compute_create_context(udev_t) -selinux_compute_relabel_context(udev_t) -selinux_compute_user_contexts(udev_t) - -auth_read_pam_console_data(udev_t) -auth_domtrans_pam_console(udev_t) -auth_use_nsswitch(udev_t) - -init_read_utmp(udev_t) -init_dontaudit_write_utmp(udev_t) -init_getattr_initctl(udev_t) - -logging_search_logs(udev_t) -logging_send_syslog_msg(udev_t) -logging_send_audit_msgs(udev_t) - -miscfiles_read_localization(udev_t) -miscfiles_read_hwdata(udev_t) - -modutils_domtrans_insmod(udev_t) -# read modules.inputmap: -modutils_read_module_deps(udev_t) - -seutil_read_config(udev_t) -seutil_read_default_contexts(udev_t) -seutil_read_file_contexts(udev_t) -seutil_domtrans_setfiles(udev_t) - -sysnet_domtrans_ifconfig(udev_t) -sysnet_domtrans_dhcpc(udev_t) -sysnet_rw_dhcp_config(udev_t) -sysnet_read_dhcpc_pid(udev_t) -sysnet_delete_dhcpc_pid(udev_t) -sysnet_signal_dhcpc(udev_t) -sysnet_manage_config(udev_t) -sysnet_etc_filetrans_config(udev_t) - -userdom_dontaudit_search_user_home_content(udev_t) - -ifdef(`distro_gentoo',` - # during boot, init scripts use /dev/.rcsysinit - # existance to determine if we are in early booting - init_getattr_script_status_files(udev_t) -') - -ifdef(`distro_redhat',` - fs_manage_tmpfs_dirs(udev_t) - fs_manage_tmpfs_files(udev_t) - fs_manage_tmpfs_symlinks(udev_t) - fs_manage_tmpfs_sockets(udev_t) - fs_manage_tmpfs_blk_files(udev_t) - fs_manage_tmpfs_chr_files(udev_t) - fs_relabel_tmpfs_blk_file(udev_t) - fs_relabel_tmpfs_chr_file(udev_t) - fs_manage_hugetlbfs_dirs(udev_t) - - term_search_ptys(udev_t) - - # for arping used for static IP addresses on PCMCIA ethernet - netutils_domtrans(udev_t) - - optional_policy(` - unconfined_domain(udev_t) - ') -') - -optional_policy(` - alsa_domtrans(udev_t) - alsa_read_lib(udev_t) - alsa_read_rw_config(udev_t) -') - -optional_policy(` - bluetooth_domtrans(udev_t) -') - -optional_policy(` - brctl_domtrans(udev_t) -') - -optional_policy(` - clock_domtrans(udev_t) -') - -optional_policy(` - consolekit_read_pid_files(udev_t) -') - -optional_policy(` - consoletype_exec(udev_t) -') - -optional_policy(` - cups_domtrans_config(udev_t) - cups_read_config(udev_t) -') - -optional_policy(` - dbus_system_bus_client(udev_t) -') - -optional_policy(` - devicekit_read_pid_files(udev_t) - devicekit_dgram_send(udev_t) -') - -optional_policy(` - gnome_read_home_config(udev_t) -') - -optional_policy(` - lvm_domtrans(udev_t) -') - -optional_policy(` - fstools_domtrans(udev_t) -') - -optional_policy(` - hal_dgram_send(udev_t) - - ifdef(`hide_broken_symptoms',` - hal_dontaudit_rw_dgram_sockets(udev_t) - ') -') - -optional_policy(` - hotplug_read_config(udev_t) - # usb.agent searches /var/run/usb - hotplug_search_pids(udev_t) -') - -optional_policy(` - mount_domtrans(udev_t) -') - -optional_policy(` - networkmanager_dbus_chat(udev_t) -') - -optional_policy(` - openct_read_pid_files(udev_t) - openct_domtrans(udev_t) -') - -optional_policy(` - pcscd_read_pub_files(udev_t) - pcscd_domtrans(udev_t) -') - -optional_policy(` - raid_domtrans_mdadm(udev_t) -') - -optional_policy(` - usbmuxd_domtrans(udev_t) - usbmuxd_stream_connect(udev_t) -') - -optional_policy(` - unconfined_signal(udev_t) -') - -optional_policy(` - vbetool_domtrans(udev_t) -') - -optional_policy(` - kernel_write_xen_state(udev_t) - kernel_read_xen_state(udev_t) - xen_manage_log(udev_t) - xen_read_image_files(udev_t) -') - -optional_policy(` - xserver_read_xdm_pid(udev_t) -') diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc deleted file mode 100644 index 8b34dbc..0000000 --- a/policy/modules/system/unconfined.fc +++ /dev/null @@ -1 +0,0 @@ -# Add programs here which should not be confined by SELinux diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if deleted file mode 100644 index c6e8ffe..0000000 --- a/policy/modules/system/unconfined.if +++ /dev/null @@ -1,192 +0,0 @@ -## The unconfined domain. - -######################################## -## -## Make the specified domain unconfined. -## -## -## -## Domain to make unconfined. -## -## -# -interface(`unconfined_domain_noaudit',` - gen_require(` - class dbus all_dbus_perms; - class nscd all_nscd_perms; - class passwd all_passwd_perms; - ') - - # Use any Linux capability. - allow $1 self:capability all_capabilities; - allow $1 self:fifo_file manage_fifo_file_perms; - - # Transition to myself, to make get_ordered_context_list happy. - allow $1 self:process transition; - - # Write access is for setting attributes under /proc/self/attr. - allow $1 self:file rw_file_perms; - allow $1 self:dir rw_dir_perms; - - # Userland object managers - allow $1 self:nscd all_nscd_perms; - allow $1 self:dbus all_dbus_perms; - allow $1 self:passwd all_passwd_perms; - allow $1 self:association all_association_perms; - allow $1 self:socket_class_set create_socket_perms; - - kernel_unconfined($1) - corenet_unconfined($1) - dev_unconfined($1) - domain_unconfined($1) - domain_dontaudit_read_all_domains_state($1) - domain_dontaudit_ptrace_all_domains($1) - files_unconfined($1) - fs_unconfined($1) - selinux_unconfined($1) - - domain_mmap_low($1) - - mls_file_read_all_levels($1) - - ubac_process_exempt($1) - - tunable_policy(`allow_execheap',` - # Allow making the stack executable via mprotect. - allow $1 self:process execheap; - ') - - tunable_policy(`allow_execmem',` - # Allow making anonymous memory executable, e.g. - # for runtime-code generation or executable stack. - allow $1 self:process execmem; - ') - - tunable_policy(`allow_execstack',` - # Allow making the stack executable via mprotect; - # execstack implies execmem; - allow $1 self:process { execstack execmem }; -# auditallow $1 self:process execstack; - ') - - optional_policy(` - auth_unconfined($1) - ') - - optional_policy(` - # Communicate via dbusd. - dbus_system_bus_unconfined($1) - dbus_unconfined($1) - ') - - optional_policy(` - ipsec_setcontext_default_spd($1) - ipsec_match_default_spd($1) - ') - - optional_policy(` - nscd_unconfined($1) - ') - - optional_policy(` - postgresql_unconfined($1) - ') - - optional_policy(` - seutil_create_bin_policy($1) - seutil_relabelto_bin_policy($1) - ') - - optional_policy(` - storage_unconfined($1) - ') - - optional_policy(` - xserver_unconfined($1) - ') -') - -######################################## -## -## Make the specified domain unconfined and -## audit executable heap usage. -## -## -##

-## Make the specified domain unconfined and -## audit executable heap usage. With exception -## of memory protections, usage of this interface -## will result in the level of access the domain has -## is like SELinux was not being used. -##

-##

-## Only completely trusted domains should use this interface. -##

-##
-## -## -## Domain to make unconfined. -## -## -# -interface(`unconfined_domain',` - gen_require(` - attribute unconfined_services; - ') - - unconfined_domain_noaudit($1) - - tunable_policy(`allow_execheap',` - auditallow $1 self:process execheap; - ') -') - -######################################## -## -## Add an alias type to the unconfined domain. (Deprecated) -## -## -##

-## Add an alias type to the unconfined domain. (Deprecated) -##

-##

-## This is added to support targeted policy. Its -## use should be limited. It has no effect -## on the strict policy. -##

-##
-## -## -## New alias of the unconfined domain. -## -## -# -interface(`unconfined_alias_domain',` - refpolicywarn(`$0($1) has been deprecated.') -') - -######################################## -## -## Add an alias type to the unconfined execmem -## program file type. (Deprecated) -## -## -##

-## Add an alias type to the unconfined execmem -## program file type. (Deprecated) -##

-##

-## This is added to support targeted policy. Its -## use should be limited. It has no effect -## on the strict policy. -##

-##
-## -## -## New alias of the unconfined execmem program type. -## -## -# -interface(`unconfined_execmem_alias_program',` - refpolicywarn(`$0($1) has been deprecated.') -') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te deleted file mode 100644 index 4474379..0000000 --- a/policy/modules/system/unconfined.te +++ /dev/null @@ -1,8 +0,0 @@ -policy_module(unconfined, 3.2.0) - -######################################## -# -# Declarations -# -attribute unconfined_services; - diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc deleted file mode 100644 index 392d1ee..0000000 --- a/policy/modules/system/userdomain.fc +++ /dev/null @@ -1,17 +0,0 @@ -HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) -HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) -HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) -/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) -/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) -/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) -/root/\.debug(/.*)? <> -/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) -/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) -HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) -HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) -HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) -HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) -HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) -HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) -HOME_DIR/\.gvfs(/.*)? <> -HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if deleted file mode 100644 index 54365f8..0000000 --- a/policy/modules/system/userdomain.if +++ /dev/null @@ -1,4324 +0,0 @@ -## Policy for user domains - -####################################### -## -## The template containing the most basic rules common to all users. -## -## -##

-## The template containing the most basic rules common to all users. -##

-##

-## This template creates a user domain, types, and -## rules for the user's tty and pty. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -# -template(`userdom_base_user_template',` - - gen_require(` - attribute userdomain; - type user_devpts_t, user_tty_device_t; - class context contains; - ') - - attribute $1_file_type; - attribute $1_usertype; - - type $1_t, userdomain, $1_usertype; - domain_type($1_t) - corecmd_shell_entry_type($1_t) - corecmd_bin_entry_type($1_t) - domain_user_exemption_target($1_t) - ubac_constrained($1_t) - role $1_r types $1_t; - allow system_r $1_r; - - term_user_pty($1_t, user_devpts_t) - - term_user_tty($1_t, user_tty_device_t) - term_dontaudit_getattr_generic_ptys($1_t) - - allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; - allow $1_usertype $1_usertype:fd use; - allow $1_usertype $1_t:key { create view read write search link setattr }; - - allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; - allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; - allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_usertype $1_usertype:shm create_shm_perms; - allow $1_usertype $1_usertype:sem create_sem_perms; - allow $1_usertype $1_usertype:msgq create_msgq_perms; - allow $1_usertype $1_usertype:msg { send receive }; - allow $1_usertype $1_usertype:context contains; - dontaudit $1_usertype $1_usertype:socket create; - - allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; - term_create_pty($1_usertype, user_devpts_t) - # avoid annoying messages on terminal hangup on role change - dontaudit $1_usertype user_devpts_t:chr_file ioctl; - - allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; - # avoid annoying messages on terminal hangup on role change - dontaudit $1_usertype user_tty_device_t:chr_file ioctl; - - application_exec_all($1_usertype) - - kernel_read_kernel_sysctls($1_usertype) - kernel_read_all_sysctls($1_usertype) - kernel_dontaudit_list_unlabeled($1_usertype) - kernel_dontaudit_getattr_unlabeled_files($1_usertype) - kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) - kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) - kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) - kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) - kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) - kernel_dontaudit_list_proc($1_usertype) - - dev_dontaudit_getattr_all_blk_files($1_usertype) - dev_dontaudit_getattr_all_chr_files($1_usertype) - dev_getattr_mtrr_dev($1_t) - - # When the user domain runs ps, there will be a number of access - # denials when ps tries to search /proc. Do not audit these denials. - domain_dontaudit_read_all_domains_state($1_usertype) - domain_dontaudit_getattr_all_domains($1_usertype) - domain_dontaudit_getsession_all_domains($1_usertype) - - files_read_etc_files($1_usertype) - files_list_mnt($1_usertype) - files_read_mnt_files($1_usertype) - files_read_etc_runtime_files($1_usertype) - files_read_usr_files($1_usertype) - files_read_usr_src_files($1_usertype) - # Read directories and files with the readable_t type. - # This type is a general type for "world"-readable files. - files_list_world_readable($1_usertype) - files_read_world_readable_files($1_usertype) - files_read_world_readable_symlinks($1_usertype) - files_read_world_readable_pipes($1_usertype) - files_read_world_readable_sockets($1_usertype) - # old broswer_domain(): - files_dontaudit_getattr_all_dirs($1_usertype) - files_dontaudit_list_non_security($1_usertype) - files_dontaudit_getattr_all_files($1_usertype) - files_dontaudit_getattr_non_security_symlinks($1_usertype) - files_dontaudit_getattr_non_security_pipes($1_usertype) - files_dontaudit_getattr_non_security_sockets($1_usertype) - - files_exec_usr_files($1_t) - - fs_list_cgroup_dirs($1_usertype) - fs_dontaudit_rw_cgroup_files($1_usertype) - - storage_rw_fuse($1_usertype) - - auth_use_nsswitch($1_usertype) - - init_stream_connect($1_usertype) - # The library functions always try to open read-write first, - # then fall back to read-only if it fails. - init_dontaudit_rw_utmp($1_usertype) - - libs_exec_ld_so($1_usertype) - - miscfiles_read_localization($1_t) - miscfiles_read_generic_certs($1_t) - - miscfiles_read_all_certs($1_usertype) - miscfiles_read_localization($1_usertype) - miscfiles_read_man_pages($1_usertype) - miscfiles_read_public_files($1_usertype) - - tunable_policy(`allow_execmem',` - # Allow loading DSOs that require executable stack. - allow $1_t self:process execmem; - ') - - tunable_policy(`allow_execmem && allow_execstack',` - # Allow making the stack executable via mprotect. - allow $1_t self:process execstack; - ') - - optional_policy(` - fs_list_cgroup_dirs($1_usertype) - ') - - optional_policy(` - ssh_rw_stream_sockets($1_usertype) - ssh_delete_tmp($1_t) - ssh_signal($1_t) - ') -') - -####################################### -## -## Allow a home directory for which the -## role has read-only access. -## -## -##

-## Allow a home directory for which the -## role has read-only access. -##

-##

-## This does not allow execute access. -##

-##
-## -## -## The user role -## -## -## -## -## The user domain -## -## -## -# -interface(`userdom_ro_home_role',` - gen_require(` - type user_home_t, user_home_dir_t; - ') - - role $1 types { user_home_t user_home_dir_t }; - - ############################## - # - # Domain access to home dir - # - - type_member $2 user_home_dir_t:dir user_home_dir_t; - - # read-only home directory - allow $2 user_home_dir_t:dir list_dir_perms; - allow $2 user_home_t:dir list_dir_perms; - allow $2 user_home_t:file entrypoint; - read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - files_list_home($2) - -') - -####################################### -## -## Allow a home directory for which the -## role has full access. -## -## -##

-## Allow a home directory for which the -## role has full access. -##

-##

-## This does not allow execute access. -##

-##
-## -## -## The user role -## -## -## -## -## The user domain -## -## -## -# -interface(`userdom_manage_home_role',` - gen_require(` - type user_home_t, user_home_dir_t; - attribute user_home_type; - ') - - role $1 types { user_home_type user_home_dir_t }; - - ############################## - # - # Domain access to home dir - # - - type_member $2 user_home_dir_t:dir user_home_dir_t; - - # full control of the home directory - allow $2 user_home_t:dir mounton; - allow $2 user_home_t:file entrypoint; - - allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; - allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; - manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) - files_list_home($2) - - # cjp: this should probably be removed: - allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; - - tunable_policy(`use_nfs_home_dirs',` - fs_mount_nfs($2) - fs_mounton_nfs($2) - fs_manage_nfs_dirs($2) - fs_manage_nfs_files($2) - fs_manage_nfs_symlinks($2) - fs_manage_nfs_named_sockets($2) - fs_manage_nfs_named_pipes($2) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_mount_cifs($2) - fs_mounton_cifs($2) - fs_manage_cifs_dirs($2) - fs_manage_cifs_files($2) - fs_manage_cifs_symlinks($2) - fs_manage_cifs_named_sockets($2) - fs_manage_cifs_named_pipes($2) - ') -') - -####################################### -## -## Manage user temporary files -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_manage_tmp_role',` - gen_require(` - type user_tmp_t; - ') - - role $1 types user_tmp_t; - - files_poly_member_tmp($2, user_tmp_t) - - manage_dirs_pattern($2, user_tmp_t, user_tmp_t) - manage_files_pattern($2, user_tmp_t, user_tmp_t) - manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) - manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) - manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) - files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) - relabel_files_pattern($2, user_tmp_t, user_tmp_t) -') - -####################################### -## -## Dontaudit search of user bin dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_dontaudit_search_user_bin_dirs',` - gen_require(` - type home_bin_t; - ') - - dontaudit $1 home_bin_t:dir search_dir_perms; -') - -####################################### -## -## Execute user bin files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_exec_user_bin_files',` - gen_require(` - attribute user_home_type; - type home_bin_t, user_home_dir_t; - ') - - exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) - files_search_home($1) -') - -####################################### -## -## The execute access user temporary files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_exec_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - exec_files_pattern($1, user_tmp_t, user_tmp_t) - dontaudit $1 user_tmp_t:sock_file execute; - files_search_tmp($1) -') - -####################################### -## -## Role access for the user tmpfs type -## that the user has full access. -## -## -##

-## Role access for the user tmpfs type -## that the user has full access. -##

-##

-## This does not allow execute access. -##

-##
-## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_manage_tmpfs_role',` - gen_require(` - type user_tmpfs_t; - ') - - role $1 types user_tmpfs_t; - - manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -') - -####################################### -## -## The interface allowing the user basic -## network permissions -## -## -## -## The user domain -## -## -## -# -interface(`userdom_basic_networking',` - - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_all_ports($1) - corenet_udp_sendrecv_all_ports($1) - corenet_tcp_connect_all_ports($1) - corenet_sendrecv_all_client_packets($1) - - optional_policy(` - init_tcp_recvfrom_all_daemons($1) - init_udp_recvfrom_all_daemons($1) - ') - - optional_policy(` - ipsec_match_default_spd($1) - ') - -') - -####################################### -## -## The template for creating a user xwindows client. (Deprecated) -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -# -template(`userdom_xwindows_client_template',` - refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.') - gen_require(` - type $1_t, user_tmpfs_t; - ') - - dev_rw_xserver_misc($1_t) - dev_rw_power_management($1_t) - dev_read_input($1_t) - dev_read_misc($1_t) - dev_write_misc($1_t) - # open office is looking for the following - dev_getattr_agp_dev($1_t) - dev_dontaudit_rw_dri($1_t) - # GNOME checks for usb and other devices: - dev_rw_usbfs($1_t) - dev_rw_generic_usb_dev($1_t) - - xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) - xserver_xsession_entry_type($1_t) - xserver_dontaudit_write_log($1_t) - xserver_stream_connect_xdm($1_t) - # certain apps want to read xdm.pid file - xserver_read_xdm_pid($1_t) - # gnome-session creates socket under /tmp/.ICE-unix/ - xserver_create_xdm_tmp_sockets($1_t) - # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($1_t) -') - -####################################### -## -## The template for allowing the user to change passwords. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -# -template(`userdom_change_password_template',` - gen_require(` - type $1_t; - role $1_r; - ') - - optional_policy(` - usermanage_run_chfn($1_t,$1_r) - usermanage_run_passwd($1_t,$1_r) - ') -') - -####################################### -## -## The template containing rules common to unprivileged -## users and administrative users. -## -## -##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, tmp, and tmpfs files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`userdom_common_user_template',` - gen_require(` - attribute unpriv_userdomain; - ') - - userdom_basic_networking($1_usertype) - - ############################## - # - # User domain Local policy - # - - # evolution and gnome-session try to create a netlink socket - dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; - allow $1_t self:socket create_socket_perms; - - allow $1_usertype unpriv_userdomain:fd use; - - kernel_read_system_state($1_usertype) - kernel_read_network_state($1_usertype) - kernel_read_net_sysctls($1_usertype) - # Very permissive allowing every domain to see every type: - kernel_get_sysvipc_info($1_usertype) - # Find CDROM devices: - kernel_read_device_sysctls($1_usertype) - kernel_request_load_module($1_usertype) - - corenet_udp_bind_generic_node($1_usertype) - corenet_udp_bind_generic_port($1_usertype) - - dev_read_rand($1_usertype) - dev_write_sound($1_usertype) - dev_read_sound($1_usertype) - dev_read_sound_mixer($1_usertype) - dev_write_sound_mixer($1_usertype) - - files_exec_etc_files($1_usertype) - files_search_locks($1_usertype) - # Check to see if cdrom is mounted - files_search_mnt($1_usertype) - # cjp: perhaps should cut back on file reads: - files_read_var_files($1_usertype) - files_read_var_symlinks($1_usertype) - files_read_generic_spool($1_usertype) - files_read_var_lib_files($1_usertype) - # Stat lost+found. - files_getattr_lost_found_dirs($1_usertype) - files_read_config_files($1_usertype) - fs_read_noxattr_fs_files($1_usertype) - fs_read_noxattr_fs_symlinks($1_usertype) - fs_rw_cgroup_files($1_usertype) - - logging_send_syslog_msg($1_usertype) - logging_send_audit_msgs($1_usertype) - selinux_get_enforce_mode($1_usertype) - - # cjp: some of this probably can be removed - selinux_get_fs_mount($1_usertype) - selinux_validate_context($1_usertype) - selinux_compute_access_vector($1_usertype) - selinux_compute_create_context($1_usertype) - selinux_compute_relabel_context($1_usertype) - selinux_compute_user_contexts($1_usertype) - - # for eject - storage_getattr_fixed_disk_dev($1_usertype) - - auth_read_login_records($1_usertype) - auth_run_pam($1_t,$1_r) - auth_run_utempter($1_t,$1_r) - - init_read_utmp($1_usertype) - - seutil_read_file_contexts($1_usertype) - seutil_read_default_contexts($1_usertype) - seutil_run_newrole($1_t,$1_r) - seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_usertype) - # for when the network connection is killed - # this is needed when a login role can change - # to this one. - seutil_dontaudit_signal_newrole($1_t) - - tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_usertype) - ') - - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_ttys($1_t) - ') - - optional_policy(` - alsa_read_rw_config($1_usertype) - ') - - optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_usertype) - ') - - optional_policy(` - canna_stream_connect($1_usertype) - ') - - optional_policy(` - chrome_role($1_r, $1_usertype) - ') - - optional_policy(` - dbus_system_bus_client($1_usertype) - - allow $1_usertype $1_usertype:dbus send_msg; - - optional_policy(` - avahi_dbus_chat($1_usertype) - ') - - optional_policy(` - policykit_dbus_chat($1_usertype) - ') - - optional_policy(` - bluetooth_dbus_chat($1_usertype) - ') - - optional_policy(` - consolekit_dbus_chat($1_usertype) - consolekit_read_log($1_usertype) - ') - - optional_policy(` - devicekit_dbus_chat($1_usertype) - devicekit_dbus_chat_power($1_usertype) - devicekit_dbus_chat_disk($1_usertype) - ') - - optional_policy(` - evolution_dbus_chat($1_usertype) - evolution_alarm_dbus_chat($1_usertype) - ') - - optional_policy(` - gnome_dbus_chat_gconfdefault($1_usertype) - ') - - optional_policy(` - hal_dbus_chat($1_usertype) - ') - - optional_policy(` - modemmanager_dbus_chat($1_usertype) - ') - - optional_policy(` - networkmanager_dbus_chat($1_usertype) - networkmanager_read_lib_files($1_usertype) - ') - - optional_policy(` - vpn_dbus_chat($1_usertype) - ') - ') - - optional_policy(` - git_session_role($1_r, $1_usertype) - ') - - optional_policy(` - inetd_use_fds($1_usertype) - inetd_rw_tcp_sockets($1_usertype) - ') - - optional_policy(` - inn_read_config($1_usertype) - inn_read_news_lib($1_usertype) - inn_read_news_spool($1_usertype) - ') - - optional_policy(` - locate_read_lib_files($1_usertype) - ') - - # for running depmod as part of the kernel packaging process - optional_policy(` - modutils_read_module_config($1_usertype) - ') - - optional_policy(` - mta_rw_spool($1_usertype) - mta_manage_queue($1_usertype) - ') - - optional_policy(` - nsplugin_role($1_r, $1_usertype) - ') - - optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) - ') - ') - - optional_policy(` - # to allow monitoring of pcmcia status - pcmcia_read_pid($1_usertype) - ') - - optional_policy(` - pcscd_read_pub_files($1_usertype) - pcscd_stream_connect($1_usertype) - ') - - optional_policy(` - tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_usertype) - postgresql_tcp_connect($1_usertype) - ') - ') - - optional_policy(` - resmgr_stream_connect($1_usertype) - ') - - optional_policy(` - rpc_dontaudit_getattr_exports($1_usertype) - rpc_manage_nfs_rw_content($1_usertype) - ') - - optional_policy(` - rpcbind_stream_connect($1_usertype) - ') - - optional_policy(` - samba_stream_connect_winbind($1_usertype) - ') - - optional_policy(` - sandbox_transition($1_usertype, $1_r) - ') - - optional_policy(` - seunshare_role_template($1, $1_r, $1_t) - ') - - optional_policy(` - slrnpull_search_spool($1_usertype) - ') - -') - -####################################### -## -## The template for creating a login user. -## -## -##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`userdom_login_user_template', ` - gen_require(` - class context contains; - ') - - userdom_base_user_template($1) - - userdom_manage_home_role($1_r, $1_usertype) - - userdom_manage_tmp_role($1_r, $1_usertype) - userdom_manage_tmpfs_role($1_r, $1_usertype) - - ifelse(`$1',`unconfined',`',` - gen_tunable(allow_$1_exec_content, true) - - tunable_policy(`allow_$1_exec_content',` - userdom_exec_user_tmp_files($1_usertype) - userdom_exec_user_home_content_files($1_usertype) - ') - tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` - fs_exec_nfs_files($1_usertype) - ') - - tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` - fs_exec_cifs_files($1_usertype) - ') - ') - - userdom_change_password_template($1) - - ############################## - # - # User domain Local policy - # - - allow $1_t self:capability { setgid chown fowner }; - dontaudit $1_t self:capability { sys_nice fsetid }; - - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; - dontaudit $1_t self:process setrlimit; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - - allow $1_t self:context contains; - - kernel_dontaudit_read_system_state($1_usertype) - kernel_dontaudit_list_all_proc($1_usertype) - - dev_read_sysfs($1_usertype) - dev_read_urand($1_usertype) - - domain_use_interactive_fds($1_usertype) - # Command completion can fire hundreds of denials - domain_dontaudit_exec_all_entry_files($1_usertype) - - files_dontaudit_list_default($1_usertype) - files_dontaudit_read_default_files($1_usertype) - # Stat lost+found. - files_getattr_lost_found_dirs($1_usertype) - - fs_get_all_fs_quotas($1_usertype) - fs_getattr_all_fs($1_usertype) - fs_search_all($1_usertype) - fs_list_inotifyfs($1_usertype) - fs_rw_anon_inodefs_files($1_usertype) - - auth_dontaudit_write_login_records($1_t) - auth_rw_cache($1_t) - - # Stop warnings about access to /dev/console - init_dontaudit_use_fds($1_usertype) - init_dontaudit_use_script_fds($1_usertype) - - libs_exec_lib_files($1_usertype) - - logging_dontaudit_getattr_all_logs($1_usertype) - - # for running TeX programs - miscfiles_read_tetex_data($1_usertype) - miscfiles_exec_tetex_data($1_usertype) - - seutil_read_config($1_usertype) - - optional_policy(` - cups_read_config($1_usertype) - cups_stream_connect($1_usertype) - cups_stream_connect_ptal($1_usertype) - ') - - optional_policy(` - kerberos_use($1_usertype) - kerberos_connect_524($1_usertype) - ') - - optional_policy(` - mta_dontaudit_read_spool_symlinks($1_usertype) - ') - - optional_policy(` - quota_dontaudit_getattr_db($1_usertype) - ') - - optional_policy(` - rpm_read_db($1_usertype) - rpm_dontaudit_manage_db($1_usertype) - rpm_read_cache($1_usertype) - ') - - optional_policy(` - oddjob_run_mkhomedir($1_t, $1_r) - ') -') - -####################################### -## -## The template for creating a unprivileged login user. -## -## -##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`userdom_restricted_user_template',` - gen_require(` - attribute unpriv_userdomain; - ') - - userdom_login_user_template($1) - - typeattribute $1_t unpriv_userdomain; - domain_interactive_fd($1_t) - - allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; - dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; - - ############################## - # - # Local policy - # - - optional_policy(` - loadkeys_run($1_t,$1_r) - ') -') - -####################################### -## -## The template for creating a unprivileged xwindows login user. -## -## -##

-## The template for creating a unprivileged xwindows login user. -##

-##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`userdom_restricted_xwindows_user_template',` - - userdom_restricted_user_template($1) - - ############################## - # - # Local policy - # - - auth_role($1_r, $1_t) - auth_search_pam_console_data($1_usertype) - auth_dontaudit_read_login_records($1_usertype) - - dev_read_sound($1_usertype) - dev_write_sound($1_usertype) - # gnome keyring wants to read this. - dev_dontaudit_read_rand($1_usertype) - # temporarily allow since openoffice requires this - dev_read_rand($1_usertype) - - dev_read_video_dev($1_usertype) - dev_write_video_dev($1_usertype) - dev_rw_wireless($1_usertype) - - tunable_policy(`user_rw_noexattrfile',` - dev_rw_usbfs($1_t) - dev_rw_generic_usb_dev($1_usertype) - - fs_manage_noxattr_fs_files($1_usertype) - fs_manage_noxattr_fs_dirs($1_usertype) - fs_manage_dos_dirs($1_usertype) - fs_manage_dos_files($1_usertype) - storage_raw_read_removable_device($1_usertype) - storage_raw_write_removable_device($1_usertype) - ') - - logging_send_syslog_msg($1_usertype) - logging_dontaudit_send_audit_msgs($1_t) - - # Need to to this just so screensaver will work. Should be moved to screensaver domain - logging_send_audit_msgs($1_t) - selinux_get_enforce_mode($1_t) - seutil_exec_restorecond($1_t) - seutil_read_file_contexts($1_t) - seutil_read_default_contexts($1_t) - - xserver_restricted_role($1_r, $1_t) - - optional_policy(` - alsa_read_rw_config($1_usertype) - ') - - optional_policy(` - dbus_role_template($1, $1_r, $1_usertype) - dbus_system_bus_client($1_usertype) - allow $1_usertype $1_usertype:dbus send_msg; - - optional_policy(` - abrt_dbus_chat($1_usertype) - abrt_run_helper($1_usertype, $1_r) - ') - - optional_policy(` - consolekit_dontaudit_read_log($1_usertype) - consolekit_dbus_chat($1_usertype) - ') - - optional_policy(` - cups_dbus_chat($1_usertype) - cups_dbus_chat_config($1_usertype) - ') - - optional_policy(` - devicekit_dbus_chat($1_usertype) - devicekit_dbus_chat_disk($1_usertype) - devicekit_dbus_chat_power($1_usertype) - ') - - optional_policy(` - fprintd_dbus_chat($1_t) - ') - ') - - optional_policy(` - openoffice_role_template($1, $1_r, $1_usertype) - ') - - optional_policy(` - policykit_role($1_r, $1_usertype) - ') - - optional_policy(` - pulseaudio_role($1_r, $1_usertype) - ') - - optional_policy(` - rtkit_scheduled($1_usertype) - ') - - optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) - ') - - optional_policy(` - udev_read_db($1_usertype) - ') - - optional_policy(` - wm_role_template($1, $1_r, $1_t) - ') -') - -####################################### -## -## The template for creating a unprivileged user roughly -## equivalent to a regular linux user. -## -## -##

-## The template for creating a unprivileged user roughly -## equivalent to a regular linux user. -##

-##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`userdom_unpriv_user_template', ` - - ############################## - # - # Declarations - # - - # Inherit rules for ordinary users. - userdom_restricted_xwindows_user_template($1) - userdom_common_user_template($1) - - ############################## - # - # Local policy - # - - # port access is audited even if dac would not have allowed it, so dontaudit it here -# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) - # Need the following rule to allow users to run vpnc - corenet_tcp_bind_xserver_port($1_t) - corenet_tcp_bind_all_nodes($1_usertype) - - storage_rw_fuse($1_t) - - miscfiles_read_hwdata($1_usertype) - - # Allow users to run TCP servers (bind to ports and accept connection from - # the same domain and outside users) disabling this forces FTP passive mode - # and may change other protocols - tunable_policy(`user_tcp_server',` - corenet_tcp_bind_all_unreserved_ports($1_usertype) - ') - - tunable_policy(`user_setrlimit',` - allow $1_usertype self:process setrlimit; - ') - - optional_policy(` - cdrecord_role($1_r, $1_t) - ') - - optional_policy(` - cron_role($1_r, $1_t) - ') - - optional_policy(` - games_rw_data($1_usertype) - ') - - optional_policy(` - gpg_role($1_r, $1_usertype) - ') - - optional_policy(` - gnomeclock_dbus_chat($1_t) - ') - - optional_policy(` - gpm_stream_connect($1_usertype) - ') - - optional_policy(` - execmem_role_template($1, $1_r, $1_t) - ') - - optional_policy(` - java_role_template($1, $1_r, $1_t) - ') - - optional_policy(` - mono_role_template($1, $1_r, $1_t) - ') - - optional_policy(` - mount_run_fusermount($1_t, $1_r) - ') - - optional_policy(` - wine_role_template($1, $1_r, $1_t) - ') - - optional_policy(` - postfix_run_postdrop($1_t, $1_r) - ') - - # Run pppd in pppd_t by default for user - optional_policy(` - ppp_run_cond($1_t, $1_r) - ') -') - -####################################### -## -## The template for creating an administrative user. -## -## -##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. -##

-##

-## The privileges given to administrative users are: -##

    -##
  • Raw disk access
  • -##
  • Set all sysctls
  • -##
  • All kernel ring buffer controls
  • -##
  • Create, read, write, and delete all files but shadow
  • -##
  • Manage source and binary format SELinux policy
  • -##
  • Run insmod
  • -##
-##

-##
-## -## -## The prefix of the user domain (e.g., sysadm -## is the prefix for sysadm_t). -## -## -# -template(`userdom_admin_user_template',` - gen_require(` - attribute admindomain; - class passwd { passwd chfn chsh rootok crontab }; - ') - - ############################## - # - # Declarations - # - - # Inherit rules for ordinary users. - userdom_login_user_template($1) - userdom_common_user_template($1) - - domain_obj_id_change_exemption($1_t) - role system_r types $1_t; - - typeattribute $1_t admindomain; - - ifdef(`direct_sysadm_daemon',` - domain_system_change_exemption($1_t) - ') - - ############################## - # - # $1_t local policy - # - - allow $1_t self:capability ~{ sys_module audit_control audit_write }; - allow $1_t self:process { setexec setfscreate }; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; - allow $1_t self:tun_socket create; - # Set password information for other users. - allow $1_t self:passwd { passwd chfn chsh }; - # Skip authentication when pam_rootok is specified. - allow $1_t self:passwd rootok; - - # Manipulate other users crontab. - allow $1_t self:passwd crontab; - - kernel_read_software_raid_state($1_t) - kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) - kernel_change_ring_buffer_level($1_t) - kernel_clear_ring_buffer($1_t) - kernel_read_ring_buffer($1_t) - kernel_get_sysvipc_info($1_t) - kernel_rw_all_sysctls($1_t) - # signal unlabeled processes: - kernel_kill_unlabeled($1_t) - kernel_signal_unlabeled($1_t) - kernel_sigstop_unlabeled($1_t) - kernel_signull_unlabeled($1_t) - kernel_sigchld_unlabeled($1_t) - kernel_signal($1_t) - - corenet_tcp_bind_generic_port($1_t) - # allow setting up tunnels - corenet_rw_tun_tap_dev($1_t) - - dev_getattr_generic_blk_files($1_t) - dev_getattr_generic_chr_files($1_t) - # for lsof - dev_getattr_mtrr_dev($1_t) - # Allow MAKEDEV to work - dev_create_all_blk_files($1_t) - dev_create_all_chr_files($1_t) - dev_delete_all_blk_files($1_t) - dev_delete_all_chr_files($1_t) - dev_rename_all_blk_files($1_t) - dev_rename_all_chr_files($1_t) - dev_create_generic_symlinks($1_t) - - domain_setpriority_all_domains($1_t) - domain_read_all_domains_state($1_t) - domain_getattr_all_domains($1_t) - domain_dontaudit_ptrace_all_domains($1_t) - # signal all domains: - domain_kill_all_domains($1_t) - domain_signal_all_domains($1_t) - domain_signull_all_domains($1_t) - domain_sigstop_all_domains($1_t) - domain_sigstop_all_domains($1_t) - domain_sigchld_all_domains($1_t) - # for lsof - domain_getattr_all_sockets($1_t) - domain_dontaudit_getattr_all_sockets($1_t) - - files_exec_usr_src_files($1_t) - - fs_getattr_all_fs($1_t) - fs_getattr_all_files($1_t) - fs_list_all($1_t) - fs_set_all_quotas($1_t) - fs_exec_noxattr($1_t) - - storage_raw_read_removable_device($1_t) - storage_raw_write_removable_device($1_t) - - term_use_all_terms($1_t) - - auth_getattr_shadow($1_t) - # Manage almost all files - auth_manage_all_files_except_shadow($1_t) - # Relabel almost all files - auth_relabel_all_files_except_shadow($1_t) - - init_telinit($1_t) - - logging_send_syslog_msg($1_t) - - modutils_domtrans_insmod($1_t) - modutils_domtrans_depmod($1_t) - - # The following rule is temporary until such time that a complete - # policy management infrastructure is in place so that an administrator - # cannot directly manipulate policy files with arbitrary programs. - seutil_manage_src_policy($1_t) - # Violates the goal of limiting write access to checkpolicy. - # But presently necessary for installing the file_contexts file. - seutil_manage_bin_policy($1_t) - - userdom_manage_user_home_content_dirs($1_t) - userdom_manage_user_home_content_files($1_t) - userdom_manage_user_home_content_symlinks($1_t) - userdom_manage_user_home_content_pipes($1_t) - userdom_manage_user_home_content_sockets($1_t) - userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) - - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) - ',` - fs_read_noxattr_fs_files($1_t) - ') - - optional_policy(` - postgresql_unconfined($1_t) - ') - - optional_policy(` - userhelper_exec($1_t) - ') -') - -######################################## -## -## Allow user to run as a secadm -## -## -##

-## Create objects in a user home directory -## with an automatic type transition to -## a specified private type. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The role of the object to create. -## -## -# -template(`userdom_security_admin_template',` - allow $1 self:capability { dac_read_search dac_override }; - - corecmd_exec_shell($1) - - domain_obj_id_change_exemption($1) - - dev_relabel_all_dev_nodes($1) - - files_create_boot_flag($1) - files_create_default_dir($1) - files_root_filetrans_default($1, dir) - - # Necessary for managing /boot/efi - fs_manage_dos_files($1) - - mls_process_read_up($1) - mls_file_read_all_levels($1) - mls_file_upgrade($1) - mls_file_downgrade($1) - - selinux_set_enforce_mode($1) - selinux_set_all_booleans($1) - selinux_set_parameters($1) - - auth_relabel_all_files_except_shadow($1) - auth_relabel_shadow($1) - - init_exec($1) - - logging_send_syslog_msg($1) - logging_read_audit_log($1) - logging_read_generic_logs($1) - logging_read_audit_config($1) - - seutil_manage_bin_policy($1) - seutil_run_checkpolicy($1,$2) - seutil_run_loadpolicy($1,$2) - seutil_run_semanage($1,$2) - seutil_run_setsebool($1,$2) - seutil_run_setfiles($1, $2) - - optional_policy(` - aide_run($1,$2) - ') - - optional_policy(` - consoletype_exec($1) - ') - - optional_policy(` - dmesg_exec($1) - ') - - optional_policy(` - ipsec_run_setkey($1,$2) - ') - - optional_policy(` - netlabel_run_mgmt($1,$2) - ') -') - -######################################## -## -## Make the specified type usable in a -## user home directory. -## -## -## -## Type to be used as a file in the -## user home directory. -## -## -# -interface(`userdom_user_home_content',` - gen_require(` - type user_home_t; - attribute user_home_type; - ') - - allow $1 user_home_t:filesystem associate; - files_type($1) - ubac_constrained($1) - - files_poly_member($1) - typeattribute $1 user_home_type; -') - -######################################## -## -## Allow domain to attach to TUN devices created by administrative users. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_attach_admin_tun_iface',` - gen_require(` - attribute admindomain; - ') - - allow $1 admindomain:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## -## Set the attributes of a user pty. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_setattr_user_ptys',` - gen_require(` - type user_devpts_t; - ') - - allow $1 user_devpts_t:chr_file setattr_chr_file_perms; -') - -######################################## -## -## Create a user pty. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_create_user_pty',` - gen_require(` - type user_devpts_t; - ') - - term_create_pty($1, user_devpts_t) -') - -######################################## -## -## Get the attributes of user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_getattr_user_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir getattr_dir_perms; - files_search_home($1) -') - -######################################## -## -## Do not audit attempts to get the attributes of user home directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_getattr_user_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - dontaudit $1 user_home_dir_t:dir getattr_dir_perms; -') - -######################################## -## -## Search user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_search_user_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir search_dir_perms; - allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; - files_search_home($1) -') - -######################################## -## -## Do not audit attempts to search user home directories. -## -## -##

-## Do not audit attempts to search user home directories. -## This will supress SELinux denial messages when the specified -## domain is denied the permission to search these directories. -##

-##
-## -## -## Domain to not audit. -## -## -## -# -interface(`userdom_dontaudit_search_user_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - dontaudit $1 user_home_dir_t:dir search_dir_perms; -') - -######################################## -## -## List user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_list_user_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir list_dir_perms; - files_search_home($1) - - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs($1) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_list_cifs($1) - ') -') - -######################################## -## -## Do not audit attempts to list user home subdirectories. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_list_user_home_dirs',` - gen_require(` - type user_home_dir_t; - type user_home_t; - ') - - dontaudit $1 user_home_dir_t:dir list_dir_perms; - dontaudit $1 user_home_t:dir list_dir_perms; -') - -######################################## -## -## Create user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_create_user_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir create_dir_perms; -') - -######################################## -## -## Create user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir manage_dir_perms; -') - -######################################## -## -## Relabel to user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_relabelto_user_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir relabelto; -') - - -######################################## -## -## Relabel to user home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_relabelto_user_home_files',` - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:file relabelto; -') -######################################## -## -## Relabel user home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_relabel_user_home_files',` - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:file relabel_file_perms; -') - -######################################## -## -## Create directories in the home dir root with -## the user home directory type. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_home_filetrans_user_home_dir',` - gen_require(` - type user_home_dir_t; - ') - - files_home_filetrans($1, user_home_dir_t, dir) -') - -######################################## -## -## Do a domain transition to the specified -## domain when executing a program in the -## user home directory. -## -## -##

-## Do a domain transition to the specified -## domain when executing a program in the -## user home directory. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# -interface(`userdom_user_home_domtrans',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - domain_auto_trans($1, user_home_t, $2) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) -') - -######################################## -## -## Do not audit attempts to search user home content directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_search_user_home_content',` - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:dir search_dir_perms; - fs_dontaudit_list_nfs($1) - fs_dontaudit_list_cifs($1) -') - -######################################## -## -## List contents of users home directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_list_user_home_content',` - gen_require(` - type user_home_dir_t; - attribute user_home_type; - ') - - files_list_home($1) - allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; -') - -######################################## -## -## Create, read, write, and delete directories -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_home_content_dirs',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) -') - -######################################## -## -## Delete directories in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_delete_user_home_content_dirs',` - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:dir delete_dir_perms; -') - -######################################## -## -## Set the attributes of user home files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_setattr_user_home_content_files',` - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:file setattr; -') - -######################################## -## -## Do not audit attempts to set the -## attributes of user home files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_setattr_user_home_content_files',` - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file setattr_file_perms; -') - -######################################## -## -## Mmap user home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_mmap_user_home_content_files',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) -') - -######################################## -## -## Read user home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_read_user_home_content_files',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) - read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) -') - -######################################## -## -## Do not audit attempts to getattr user home files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_getattr_user_home_content',` - gen_require(` - attribute user_home_type; - ') - - dontaudit $1 user_home_type:dir getattr; - dontaudit $1 user_home_type:file getattr; -') - -######################################## -## -## Do not audit attempts to read user home files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_read_user_home_content_files',` - gen_require(` - attribute user_home_type; - type user_home_dir_t; - ') - - dontaudit $1 user_home_dir_t:dir list_dir_perms; - dontaudit $1 user_home_type:dir list_dir_perms; - dontaudit $1 user_home_type:file read_file_perms; - dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Do not audit attempts to append user home files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_append_user_home_content_files',` - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file append_file_perms; -') - -######################################## -## -## Do not audit attempts to write user home files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_write_user_home_content_files',` - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file write_file_perms; -') - -######################################## -## -## Delete files in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_delete_user_home_content_files',` - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:file delete_file_perms; -') - -######################################## -## -## Do not audit attempts to write user home files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_relabel_user_home_content_files',` - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file relabel_file_perms; -') - -######################################## -## -## Read user home subdirectory symbolic links. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_read_user_home_content_symlinks',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Execute user home files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_exec_user_home_content_files',` - gen_require(` - type user_home_dir_t; - attribute user_home_type; - ') - - files_search_home($1) - exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) - dontaudit $1 user_home_type:sock_file execute; - ') - -######################################## -## -## Do not audit attempts to execute user home files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_exec_user_home_content_files',` - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file exec_file_perms; -') - -######################################## -## -## Create, read, write, and delete files -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_home_content_files',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - manage_files_pattern($1, user_home_t, user_home_t) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) -') - -######################################## -## -## Do not audit attempts to create, read, write, and delete directories -## in a user home subdirectory. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_manage_user_home_content_dirs',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - dontaudit $1 user_home_t:dir manage_dir_perms; -') - -######################################## -## -## Create, read, write, and delete symbolic links -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_home_content_symlinks',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - manage_lnk_files_pattern($1, user_home_t, user_home_t) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) -') - -######################################## -## -## Delete symbolic links in a user home directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_delete_user_home_content_symlinks',` - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:lnk_file delete_lnk_file_perms; -') - -######################################## -## -## Create, read, write, and delete named pipes -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_home_content_pipes',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - manage_fifo_files_pattern($1, user_home_t, user_home_t) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) -') - -######################################## -## -## Create, read, write, and delete named sockets -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_home_content_sockets',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - allow $1 user_home_dir_t:dir search_dir_perms; - manage_sock_files_pattern($1, user_home_t, user_home_t) - files_search_home($1) -') - -######################################## -## -## Create objects in a user home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`userdom_user_home_dir_filetrans',` - gen_require(` - type user_home_dir_t; - ') - - filetrans_pattern($1, user_home_dir_t, $2, $3) - files_search_home($1) -') - -######################################## -## -## Create objects in a user home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`userdom_user_home_content_filetrans',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - filetrans_pattern($1, user_home_t, $2, $3) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) -') - -######################################## -## -## Create objects in a user home directory -## with an automatic type transition to -## the user home file type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`userdom_user_home_dir_filetrans_user_home_content',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - filetrans_pattern($1, user_home_dir_t, user_home_t, $2) - files_search_home($1) -') - -######################################## -## -## Write to user temporary named sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_write_user_tmp_sockets',` - gen_require(` - type user_tmp_t; - ') - - allow $1 user_tmp_t:sock_file write_sock_file_perms; - files_search_tmp($1) -') - -######################################## -## -## List user temporary directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_list_user_tmp',` - gen_require(` - type user_tmp_t; - ') - - allow $1 user_tmp_t:dir list_dir_perms; - files_search_tmp($1) -') - -######################################## -## -## Do not audit attempts to list user -## temporary directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_list_user_tmp',` - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to manage users -## temporary directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_manage_user_tmp_dirs',` - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:dir manage_dir_perms; -') - -######################################## -## -## Read user temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_read_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - read_files_pattern($1, user_tmp_t, user_tmp_t) - allow $1 user_tmp_t:dir list_dir_perms; - files_search_tmp($1) -') - -######################################## -## -## Do not audit attempts to read users -## temporary files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_read_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:file read_inherited_file_perms; -') - -######################################## -## -## Do not audit attempts to append users -## temporary files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_append_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:file append_file_perms; -') - -######################################## -## -## Read and write user temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_rw_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - allow $1 user_tmp_t:dir list_dir_perms; - rw_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) -') - -######################################## -## -## Do not audit attempts to manage users -## temporary files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_manage_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:file manage_file_perms; -') - -######################################## -## -## Read user temporary symbolic links. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_read_user_tmp_symlinks',` - gen_require(` - type user_tmp_t; - ') - - read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - allow $1 user_tmp_t:dir list_dir_perms; - files_search_tmp($1) -') - -######################################## -## -## Create, read, write, and delete user -## temporary directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_tmp_dirs',` - gen_require(` - type user_tmp_t; - ') - - manage_dirs_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) -') - -######################################## -## -## Create, read, write, and delete user -## temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - manage_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) -') - -######################################## -## -## Create, read, write, and delete user -## temporary symbolic links. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_tmp_symlinks',` - gen_require(` - type user_tmp_t; - ') - - manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) -') - -######################################## -## -## Create, read, write, and delete user -## temporary named pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_tmp_pipes',` - gen_require(` - type user_tmp_t; - ') - - manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) -') - -######################################## -## -## Create, read, write, and delete user -## temporary named sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_tmp_sockets',` - gen_require(` - type user_tmp_t; - ') - - manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) -') - -######################################## -## -## Create objects in a user temporary directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`userdom_user_tmp_filetrans',` - gen_require(` - type user_tmp_t; - ') - - filetrans_pattern($1, user_tmp_t, $2, $3) - files_search_tmp($1) -') - -######################################## -## -## Create objects in the temporary directory -## with an automatic type transition to -## the user temporary type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`userdom_tmp_filetrans_user_tmp',` - gen_require(` - type user_tmp_t; - ') - - files_tmp_filetrans($1, user_tmp_t, $2) -') - -######################################## -## -## Read user tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_read_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) -') - -######################################## -## -## Read/Write user tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_rw_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) -') - -######################################## -## -## Get the attributes of a user domain tty. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_getattr_user_ttys',` - gen_require(` - type user_tty_device_t; - ') - - allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; -') - -######################################## -## -## Do not audit attempts to get the attributes of a user domain tty. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_getattr_user_ttys',` - gen_require(` - type user_tty_device_t; - ') - - dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; -') - -######################################## -## -## Set the attributes of a user domain tty. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_setattr_user_ttys',` - gen_require(` - type user_tty_device_t; - ') - - allow $1 user_tty_device_t:chr_file setattr_chr_file_perms; -') - -######################################## -## -## Do not audit attempts to set the attributes of a user domain tty. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_setattr_user_ttys',` - gen_require(` - type user_tty_device_t; - ') - - dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms; -') - -######################################## -## -## Read and write a user domain tty. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_use_user_ttys',` - gen_require(` - type user_tty_device_t; - ') - - allow $1 user_tty_device_t:chr_file rw_term_perms; -') - -######################################## -## -## Read and write a user domain pty. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_use_user_ptys',` - gen_require(` - type user_devpts_t; - ') - - allow $1 user_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## Read and write a user TTYs and PTYs. -## -## -##

-## Allow the specified domain to read and write user -## TTYs and PTYs. This will allow the domain to -## interact with the user via the terminal. Typically -## all interactive applications will require this -## access. -##

-##

-## However, this also allows the applications to spy -## on user sessions or inject information into the -## user session. Thus, this access should likely -## not be allowed for non-interactive domains. -##

-##
-## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_use_user_terminals',` - gen_require(` - type user_tty_device_t, user_devpts_t; - ') - - allow $1 user_tty_device_t:chr_file rw_term_perms; - allow $1 user_devpts_t:chr_file rw_term_perms; - term_list_ptys($1) -') - -######################################## -## -## Do not audit attempts to read and write -## a user domain tty and pty. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_use_user_terminals',` - gen_require(` - type user_tty_device_t, user_devpts_t; - ') - - dontaudit $1 user_tty_device_t:chr_file rw_term_perms; - dontaudit $1 user_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## Execute a shell in all user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed to transition. -## -## -# -interface(`userdom_spec_domtrans_all_users',` - gen_require(` - attribute userdomain; - ') - - corecmd_shell_spec_domtrans($1, userdomain) - allow userdomain $1:fd use; - allow userdomain $1:fifo_file rw_file_perms; - allow userdomain $1:process sigchld; -') - -######################################## -## -## Execute an Xserver session in all unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed to transition. -## -## -# -interface(`userdom_xsession_spec_domtrans_all_users',` - gen_require(` - attribute userdomain; - ') - - xserver_xsession_spec_domtrans($1, userdomain) - allow userdomain $1:fd use; - allow userdomain $1:fifo_file rw_file_perms; - allow userdomain $1:process sigchld; -') - -######################################## -## -## Execute a shell in all unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed to transition. -## -## -# -interface(`userdom_spec_domtrans_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - - corecmd_shell_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; -') - -######################################## -## -## Execute an Xserver session in all unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed to transition. -## -## -# -interface(`userdom_xsession_spec_domtrans_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - - xserver_xsession_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; -') - -######################################## -## -## Manage unpriviledged user SysV sempaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_unpriv_user_semaphores',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:sem create_sem_perms; -') - -######################################## -## -## Manage unpriviledged user SysV shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_unpriv_user_shared_mem',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:shm create_shm_perms; -') - -######################################## -## -## Execute bin_t in the unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed to transition. -## -## -# -interface(`userdom_bin_spec_domtrans_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - - corecmd_bin_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; -') - -######################################## -## -## Execute all entrypoint files in unprivileged user -## domains. This is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_entry_spec_domtrans_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - - domain_entry_file_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; - allow unpriv_userdomain $1:process sigchld; -') - -######################################## -## -## Search users home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_search_user_home_content',` - gen_require(` - type user_home_dir_t; - attribute user_home_type; - ') - - files_list_home($1) - allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; - allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Send general signals to unprivileged user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_signal_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:process signal; -') - -######################################## -## -## Inherit the file descriptors from unprivileged user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_use_unpriv_users_fds',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:fd use; -') - -######################################## -## -## Do not audit attempts to inherit the file descriptors -## from unprivileged user domains. -## -## -##

-## Do not audit attempts to inherit the file descriptors -## from unprivileged user domains. This will supress -## SELinux denial messages when the specified domain is denied -## the permission to inherit these file descriptors. -##

-##
-## -## -## Domain to not audit. -## -## -## -# -interface(`userdom_dontaudit_use_unpriv_user_fds',` - gen_require(` - attribute unpriv_userdomain; - ') - - dontaudit $1 unpriv_userdomain:fd use; -') - -######################################## -## -## Do not audit attempts to use user ptys. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_use_user_ptys',` - gen_require(` - type user_devpts_t; - ') - - dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; -') - -######################################## -## -## Relabel files to unprivileged user pty types. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_relabelto_user_ptys',` - gen_require(` - type user_devpts_t; - ') - - allow $1 user_devpts_t:chr_file relabelto; -') - -######################################## -## -## Do not audit attempts to relabel files from -## user pty types. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_relabelfrom_user_ptys',` - gen_require(` - type user_devpts_t; - ') - - dontaudit $1 user_devpts_t:chr_file relabelfrom; -') - -######################################## -## -## Write all users files in /tmp -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_write_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - write_files_pattern($1, user_tmp_t, user_tmp_t) -') - -######################################## -## -## Do not audit attempts to write users -## temporary files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_write_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:file write; -') - -######################################## -## -## Do not audit attempts to read/write users -## temporary fifo files. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_rw_user_tmp_pipes',` - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to use user ttys. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_use_user_ttys',` - gen_require(` - type user_tty_device_t; - ') - - dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -') - -######################################## -## -## Read the process state of all user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_read_all_users_state',` - gen_require(` - attribute userdomain; - ') - - read_files_pattern($1, userdomain, userdomain) - read_lnk_files_pattern($1,userdomain,userdomain) - kernel_search_proc($1) -') - -######################################## -## -## Get the attributes of all user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_getattr_all_users',` - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:process getattr; -') - -######################################## -## -## Inherit the file descriptors from all user domains -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_use_all_users_fds',` - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:fd use; -') - -######################################## -## -## Do not audit attempts to inherit the file -## descriptors from any user domains. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_use_all_users_fds',` - gen_require(` - attribute userdomain; - ') - - dontaudit $1 userdomain:fd use; -') - -######################################## -## -## Send general signals to all user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_signal_all_users',` - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:process signal; -') - -######################################## -## -## Send a SIGCHLD signal to all user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_sigchld_all_users',` - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:process sigchld; -') - -######################################## -## -## Create keys for all user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_create_all_users_keys',` - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:key create; -') - -######################################## -## -## Send a dbus message to all user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_dbus_send_all_users',` - gen_require(` - attribute userdomain; - class dbus send_msg; - ') - - allow $1 userdomain:dbus send_msg; -') - -######################################## -## -## Allow apps to set rlimits on userdomain -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_set_rlimitnh',` - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:process rlimitinh; -') - -######################################## -## -## Define this type as a Allow apps to set rlimits on userdomain -## -## -## -## Domain allowed access. -## -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_unpriv_usertype',` - gen_require(` - attribute unpriv_userdomain, userdomain; - attribute $1_usertype; - ') - typeattribute $2 $1_usertype; - typeattribute $2 unpriv_userdomain; - typeattribute $2 userdomain; - - ubac_constrained($2) -') - -######################################## -## -## Connect to users over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_stream_connect',` - gen_require(` - type user_tmp_t; - attribute userdomain; - ') - - stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) -') - -######################################## -## -## Ptrace user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_ptrace_all_users',` - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:process ptrace; -') - -######################################## -## -## dontaudit Search /root -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_dontaudit_search_admin_dir',` - gen_require(` - type admin_home_t; - ') - - dontaudit $1 admin_home_t:dir search_dir_perms; -') - -######################################## -## -## dontaudit list /root -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_dontaudit_list_admin_dir',` - gen_require(` - type admin_home_t; - ') - - dontaudit $1 admin_home_t:dir list_dir_perms; -') - -######################################## -## -## Allow domain to list /root -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_list_admin_dir',` - gen_require(` - type admin_home_t; - ') - - allow $1 admin_home_t:dir list_dir_perms; -') - -######################################## -## -## Allow Search /root -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_search_admin_dir',` - gen_require(` - type admin_home_t; - ') - - allow $1 admin_home_t:dir search_dir_perms; -') - -######################################## -## -## RW unpriviledged user SysV sempaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_rw_semaphores',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:sem rw_sem_perms; -') - -######################################## -## -## Send a message to unpriv users over a unix domain -## datagram socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_dgram_send',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:unix_dgram_socket sendto; -') - -###################################### -## -## Send a message to users over a unix domain -## datagram socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_users_dgram_send',` - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:unix_dgram_socket sendto; -') - -####################################### -## -## Allow execmod on files in homedirectory -## -## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_execmod_user_home_files',` - gen_require(` - type user_home_type; - ') - - allow $1 user_home_type:file execmod; -') - -######################################## -## -## Read admin home files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_read_admin_home_files',` - gen_require(` - type admin_home_t; - ') - - read_files_pattern($1, admin_home_t, admin_home_t) -') - -######################################## -## -## Execute admin home files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_exec_admin_home_files',` - gen_require(` - type admin_home_t; - ') - - exec_files_pattern($1, admin_home_t, admin_home_t) -') - -######################################## -## -## Append files inherited -## in the /root directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_inherit_append_admin_home_files',` - gen_require(` - type admin_home_t; - ') - - allow $1 admin_home_t:file { getattr append }; -') - - -####################################### -## -## Manage all files/directories in the homedir -## -## -## -## The user domain -## -## -## -# -interface(`userdom_manage_user_home_content',` - gen_require(` - type user_home_dir_t, user_home_t; - attribute user_home_type; - ') - - files_list_home($1) - manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) - manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) - manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) - manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) - manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) - filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) - -') - - -######################################## -## -## Create objects in a user home directory -## with an automatic type transition to -## the user home file type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`userdom_user_home_dir_filetrans_pattern',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - type_transition $1 user_home_dir_t:$2 user_home_t; -') - -######################################## -## -## Create objects in the /root directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`userdom_admin_home_dir_filetrans',` - gen_require(` - type admin_home_t; - ') - - filetrans_pattern($1, admin_home_t, $2, $3) -') - -######################################## -## -## Send signull to unprivileged user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_signull_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:process signull; -') - -######################################## -## -## Write all users files in /tmp -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_write_user_tmp_dirs',` - gen_require(` - type user_tmp_t; - ') - - write_files_pattern($1, user_tmp_t, user_tmp_t) -') - -######################################## -## -## Manage keys for all user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_all_users_keys',` - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:key manage_key_perms; -') - - -######################################## -## -## Do not audit attempts to read and write -## unserdomain stream. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_rw_stream',` - gen_require(` - attribute userdomain; - ') - - dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; -') - -######################################## -## -## Append files -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_append_user_home_content_files',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - append_files_pattern($1, user_home_t, user_home_t) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) -') - -######################################## -## -## Read files inherited -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_read_inherited_user_home_content_files',` - gen_require(` - attribute user_home_type; - ') - - allow $1 user_home_type:file { getattr read }; -') - -######################################## -## -## Append files inherited -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_inherit_append_user_home_content_files',` - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:file { getattr append }; -') - -######################################## -## -## Append files inherited -## in a user tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_inherit_append_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - allow $1 user_tmp_t:file { getattr append }; -') - -###################################### -## -## Read audio files in the users homedir. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_read_home_audio_files',` - gen_require(` - type audio_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 audio_home_t:dir list_dir_perms; - read_files_pattern($1, audio_home_t, audio_home_t) - read_lnk_files_pattern($1, audio_home_t, audio_home_t) -') - -######################################## -## -## Read system SSL certificates in the users homedir. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`userdom_read_home_certs',` - gen_require(` - type home_cert_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 home_cert_t:dir list_dir_perms; - read_files_pattern($1, home_cert_t, home_cert_t) - read_lnk_files_pattern($1, home_cert_t, home_cert_t) -') - -######################################## -## -## dontaudit Search getatrr /root files -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_dontaudit_getattr_admin_home_files',` - gen_require(` - type admin_home_t; - ') - - dontaudit $1 admin_home_t:file getattr; -') - -######################################## -## -## dontaudit read /root lnk files -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_dontaudit_read_admin_home_lnk_files',` - gen_require(` - type admin_home_t; - ') - - dontaudit $1 admin_home_t:lnk_file read; -') - -######################################## -## -## dontaudit read /root files -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_dontaudit_read_admin_home_files',` - gen_require(` - type admin_home_t; - ') - - dontaudit $1 admin_home_t:file read_file_perms; -') - -######################################## -## -## Create, read, write, and delete user -## temporary chr files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_tmp_chr_files',` - gen_require(` - type user_tmp_t; - ') - - manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) -') - -######################################## -## -## Create, read, write, and delete user -## temporary blk files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_tmp_blk_files',` - gen_require(` - type user_tmp_t; - ') - - manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) -') - -######################################## -## -## Dontaudit attempt to set attributes on user temporary directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_dontaudit_setattr_user_tmp',` - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:dir setattr; -') - -######################################## -## -## Write all inherited users files in /tmp -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_write_inherited_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - allow $1 user_tmp_t:file write; -') - -######################################## -## -## Delete all users files in /tmp -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_delete_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - - allow $1 user_tmp_t:file delete_file_perms; -') - -######################################## -## -## Delete user tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_delete_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - allow $1 user_tmpfs_t:file delete_file_perms; -') - -######################################## -## -## Read/Write unpriviledged user SysV shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_rw_unpriv_user_shared_mem',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:shm rw_shm_perms; -') - -######################################## -## -## Do not audit attempts to search user -## temporary directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_search_user_tmp',` - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:dir search_dir_perms; -') - -######################################## -## -## Execute a file in a user home directory -## in the specified domain. -## -## -##

-## Execute a file in a user home directory -## in the specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the new process. -## -## -# -interface(`userdom_domtrans_user_home',` - gen_require(` - type user_home_t; - ') - - read_lnk_files_pattern($1, user_home_t, user_home_t) - domain_transition_pattern($1, user_home_t, $2) - type_transition $1 user_home_t:process $2; -') - -######################################## -## -## Execute a file in a user tmp directory -## in the specified domain. -## -## -##

-## Execute a file in a user tmp directory -## in the specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the new process. -## -## -# -interface(`userdom_domtrans_user_tmp',` - gen_require(` - type user_tmp_t; - ') - - files_search_tmp($1) - read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - domain_transition_pattern($1, user_tmp_t, $2) - type_transition $1 user_tmp_t:process $2; -') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te deleted file mode 100644 index 0aa5ce3..0000000 --- a/policy/modules/system/userdomain.te +++ /dev/null @@ -1,137 +0,0 @@ -policy_module(userdomain, 4.4.3) - -######################################## -# -# Declarations -# - -## -##

-## Allow users to connect to mysql -##

-##
-gen_tunable(allow_user_mysql_connect, false) - -## -##

-## Allow users to connect to PostgreSQL -##

-##
-gen_tunable(allow_user_postgresql_connect, false) - -## -##

-## Allow regular users direct mouse access -##

-##
-gen_tunable(user_direct_mouse, false) - -## -##

-## Allow users to read system messages. -##

-##
-gen_tunable(user_dmesg, false) - -## -##

-## Allow user to r/w files on filesystems -## that do not have extended attributes (FAT, CDROM, FLOPPY) -##

-##
-gen_tunable(user_rw_noexattrfile, false) - -## -##

-## Allow user processes to change their priority -##

-##
-gen_tunable(user_setrlimit, false) - -## -##

-## Allow w to display everyone -##

-##
-gen_tunable(user_ttyfile_stat, false) - -attribute admindomain; - -# all user domains -attribute userdomain; - -# unprivileged user domains -attribute unpriv_userdomain; - -attribute untrusted_content_type; -attribute untrusted_content_tmp_type; - -# unprivileged user domains -attribute user_home_type; - -type admin_home_t; -files_type(admin_home_t) -files_associate_tmp(admin_home_t) -fs_associate_tmpfs(admin_home_t) -files_mountpoint(admin_home_t) - -type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; -fs_associate_tmpfs(user_home_dir_t) -files_type(user_home_dir_t) -files_mountpoint(user_home_dir_t) -files_associate_tmp(user_home_dir_t) -files_poly(user_home_dir_t) -files_poly_member(user_home_dir_t) -files_poly_parent(user_home_dir_t) -ubac_constrained(user_home_dir_t) - -type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; -typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; -typeattribute user_home_t user_home_type; -userdom_user_home_content(user_home_t) -fs_associate_tmpfs(user_home_t) -files_associate_tmp(user_home_t) -files_poly_member(user_home_t) -files_poly_parent(user_home_t) -files_mountpoint(user_home_t) -ubac_constrained(user_home_t) - -type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; -dev_node(user_devpts_t) -files_type(user_devpts_t) -ubac_constrained(user_devpts_t) - -type user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; -typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; -files_tmp_file(user_tmp_t) -userdom_user_home_content(user_tmp_t) - -type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; -files_tmpfs_file(user_tmpfs_t) -userdom_user_home_content(user_tmpfs_t) - -type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; -dev_node(user_tty_device_t) -ubac_constrained(user_tty_device_t) - -type audio_home_t; -userdom_user_home_content(audio_home_t) -ubac_constrained(audio_home_t) - -type home_bin_t; -userdom_user_home_content(home_bin_t) -ubac_constrained(home_bin_t) - -type home_cert_t; -miscfiles_cert_type(home_cert_t) -userdom_user_home_content(home_cert_t) -ubac_constrained(home_cert_t) - -tunable_policy(`allow_console_login',` - term_use_console(userdomain) -') - -allow userdomain userdomain:process signull; - -# Nautilus causes this avc -dontaudit unpriv_userdomain self:dir setattr; diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc deleted file mode 100644 index 744fa64..0000000 --- a/policy/modules/system/xen.fc +++ /dev/null @@ -1,37 +0,0 @@ -/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) - -/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) - -ifdef(`distro_debian',` -/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) -',` -/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) -/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) -/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) -') - -/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) -/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) -/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) -/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) - -/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) -/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) -/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) -/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) -/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) - -/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) -/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) -/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) -/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) -/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) -/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) -/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) -/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) - -/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if deleted file mode 100644 index 4aa96c6..0000000 --- a/policy/modules/system/xen.if +++ /dev/null @@ -1,259 +0,0 @@ -## Xen hypervisor - -######################################## -## -## Execute a domain transition to run xend. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`xen_domtrans',` - gen_require(` - type xend_t, xend_exec_t; - ') - - domtrans_pattern($1, xend_exec_t, xend_t) -') - -######################################## -## -## Inherit and use xen file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_use_fds',` - gen_require(` - type xend_t; - ') - - allow $1 xend_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit -## xen file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`xen_dontaudit_use_fds',` - gen_require(` - type xend_t; - ') - - dontaudit $1 xend_t:fd use; -') - -######################################## -## -## Read xend image files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_read_image_files',` - gen_require(` - type xen_image_t, xend_var_lib_t; - ') - - files_list_var_lib($1) - - list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) - read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) -') - -######################################## -## -## Allow the specified domain to read/write -## xend image files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_manage_image_dirs',` - gen_require(` - type xend_var_lib_t; - ') - - files_list_var_lib($1) - manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) -') - -######################################## -## -## Allow the specified domain to read/write -## xend image files. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`xen_rw_image_files',` - gen_require(` - type xen_image_t, xend_var_lib_t; - ') - - files_list_var_lib($1) - allow $1 xend_var_lib_t:dir search_dir_perms; - rw_files_pattern($1, xen_image_t, xen_image_t) -') - -######################################## -## -## Allow the specified domain to append -## xend log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_append_log',` - gen_require(` - type xend_var_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, xend_var_log_t, xend_var_log_t) - dontaudit $1 xend_var_log_t:file write; -') - -######################################## -## -## Create, read, write, and delete the -## xend log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_manage_log',` - gen_require(` - type xend_var_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t) - manage_files_pattern($1, xend_var_log_t, xend_var_log_t) -') - -######################################## -## -## Do not audit attempts to read and write -## Xen unix domain stream sockets. These -## are leaked file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`xen_dontaudit_rw_unix_stream_sockets',` - gen_require(` - type xend_t; - ') - - dontaudit $1 xend_t:unix_stream_socket { read write }; -') - -######################################## -## -## Connect to xenstored over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_stream_connect_xenstore',` - gen_require(` - type xenstored_t, xenstored_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t) -') - -######################################## -## -## Connect to xend over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_stream_connect',` - gen_require(` - type xend_t, xend_var_run_t, xend_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t) - - files_search_var_lib($1) - stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) -') - -######################################## -## -## Execute a domain transition to run xm. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`xen_domtrans_xm',` - gen_require(` - type xm_t, xm_exec_t; - attribute virsh_transition_domain; - ') - typeattribute $1 virsh_transition_domain; - domtrans_pattern($1, xm_exec_t, xm_t) -') - -######################################## -## -## Connect to xm over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_stream_connect_xm',` - gen_require(` - type xm_t, xenstored_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t) -') diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te deleted file mode 100644 index 600d43f..0000000 --- a/policy/modules/system/xen.te +++ /dev/null @@ -1,386 +0,0 @@ -policy_module(xen, 1.10.0) - -######################################## -# -# Declarations -# -attribute xm_transition_domain; - -## -##

-## Allow xen to manage nfs files -##

-##
-gen_tunable(xen_use_nfs, false) - -type evtchnd_t; -type evtchnd_exec_t; -init_daemon_domain(evtchnd_t, evtchnd_exec_t) - -# log files -type evtchnd_var_log_t; -logging_log_file(evtchnd_var_log_t) - -# pid files -type evtchnd_var_run_t; -files_pid_file(evtchnd_var_run_t) - -# console ptys -type xen_devpts_t; -term_pty(xen_devpts_t) -files_type(xen_devpts_t) - -# Xen Image files -type xen_image_t; # customizable -files_type(xen_image_t) -# xen_image_t can be assigned to blk devices -dev_node(xen_image_t) -virt_image(xen_image_t) - -type xenctl_t; -files_type(xenctl_t) - -type xend_t; -type xend_exec_t; -domain_type(xend_t) -init_daemon_domain(xend_t, xend_exec_t) - -# tmp files -type xend_tmp_t; -files_tmp_file(xend_tmp_t) - -# var/lib files -type xend_var_lib_t; -files_type(xend_var_lib_t) -# for mounting an NFS store -files_mountpoint(xend_var_lib_t) - -# log files -type xend_var_log_t; -logging_log_file(xend_var_log_t) - -# pid files -type xend_var_run_t; -files_pid_file(xend_var_run_t) -files_mountpoint(xend_var_run_t) - -type xenstored_t; -type xenstored_exec_t; -init_daemon_domain(xenstored_t, xenstored_exec_t) - -type xenstored_tmp_t; -files_tmp_file(xenstored_tmp_t) - -# var/lib files -type xenstored_var_lib_t; -files_type(xenstored_var_lib_t) - -# log files -type xenstored_var_log_t; -logging_log_file(xenstored_var_log_t) - -# pid files -type xenstored_var_run_t; -files_pid_file(xenstored_var_run_t) - -type xenconsoled_t; -type xenconsoled_exec_t; -init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) - -# pid files -type xenconsoled_var_run_t; -files_pid_file(xenconsoled_var_run_t) - -####################################### -# -# evtchnd local policy -# - -manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) - -manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) - -######################################## -# -# xend local policy -# - -allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_ptrace sys_tty_config net_raw }; -dontaudit xend_t self:capability { sys_ptrace }; -allow xend_t self:process { signal sigkill }; -dontaudit xend_t self:process ptrace; -# internal communication is often done using fifo and unix sockets. -allow xend_t self:fifo_file rw_fifo_file_perms; -allow xend_t self:unix_stream_socket create_stream_socket_perms; -allow xend_t self:unix_dgram_socket create_socket_perms; -allow xend_t self:netlink_route_socket r_netlink_socket_perms; -allow xend_t self:tcp_socket create_stream_socket_perms; -allow xend_t self:packet_socket create_socket_perms; - -allow xend_t xen_image_t:dir list_dir_perms; -manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) -manage_files_pattern(xend_t, xen_image_t, xen_image_t) -read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t) -rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t) - -allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; -dev_filetrans(xend_t, xenctl_t, fifo_file) - -manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) -manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) -files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) - -# pid file -manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) -manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) -manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) -manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) -files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) - -# log files -manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) -manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) -manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) -logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) - -# var/lib files for xend -manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) - -# transition to store -domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) - -# transition to console -domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) - -kernel_read_kernel_sysctls(xend_t) -kernel_read_system_state(xend_t) -kernel_write_xen_state(xend_t) -kernel_read_xen_state(xend_t) -kernel_rw_net_sysctls(xend_t) -kernel_read_network_state(xend_t) - -corecmd_exec_bin(xend_t) -corecmd_exec_shell(xend_t) - -corenet_all_recvfrom_unlabeled(xend_t) -corenet_all_recvfrom_netlabel(xend_t) -corenet_tcp_sendrecv_generic_if(xend_t) -corenet_tcp_sendrecv_generic_node(xend_t) -corenet_tcp_sendrecv_all_ports(xend_t) -corenet_tcp_bind_generic_node(xend_t) -corenet_tcp_bind_xen_port(xend_t) -corenet_tcp_bind_soundd_port(xend_t) -corenet_tcp_bind_generic_port(xend_t) -corenet_tcp_bind_vnc_port(xend_t) -corenet_tcp_connect_xserver_port(xend_t) -corenet_tcp_connect_xen_port(xend_t) -corenet_sendrecv_xserver_client_packets(xend_t) -corenet_sendrecv_xen_server_packets(xend_t) -corenet_sendrecv_xen_client_packets(xend_t) -corenet_sendrecv_soundd_server_packets(xend_t) -corenet_rw_tun_tap_dev(xend_t) - -dev_read_urand(xend_t) -dev_manage_xen(xend_t) -dev_filetrans_xen(xend_t) -dev_rw_sysfs(xend_t) -dev_rw_xen(xend_t) - -domain_read_all_domains_state(xend_t) -domain_dontaudit_read_all_domains_state(xend_t) -domain_dontaudit_ptrace_all_domains(xend_t) - -files_read_etc_files(xend_t) -files_read_kernel_symbol_table(xend_t) -files_read_kernel_img(xend_t) -files_manage_etc_runtime_files(xend_t) -files_etc_filetrans_etc_runtime(xend_t, file) -files_read_usr_files(xend_t) -files_read_default_symlinks(xend_t) - -storage_raw_read_fixed_disk(xend_t) -storage_raw_write_fixed_disk(xend_t) -storage_raw_read_removable_device(xend_t) - -term_getattr_all_ptys(xend_t) -term_use_generic_ptys(xend_t) -term_use_ptmx(xend_t) -term_getattr_pty_fs(xend_t) - -init_stream_connect_script(xend_t) - -locallogin_dontaudit_use_fds(xend_t) - -logging_send_syslog_msg(xend_t) - -lvm_domtrans(xend_t) - -miscfiles_read_localization(xend_t) -miscfiles_read_hwdata(xend_t) - -mount_domtrans(xend_t) - -sysnet_domtrans_dhcpc(xend_t) -sysnet_signal_dhcpc(xend_t) -sysnet_domtrans_ifconfig(xend_t) -sysnet_dns_name_resolve(xend_t) -sysnet_delete_dhcpc_pid(xend_t) -sysnet_read_dhcpc_pid(xend_t) -sysnet_rw_dhcp_config(xend_t) - -userdom_dontaudit_search_user_home_dirs(xend_t) - -xen_stream_connect_xenstore(xend_t) - -netutils_domtrans(xend_t) - -virt_read_config(xend_t) - -optional_policy(` - brctl_domtrans(xend_t) -') - -optional_policy(` - consoletype_exec(xend_t) -') - -######################################## -# -# Xen console local policy -# - -allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; -allow xenconsoled_t self:process setrlimit; -allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; -allow xenconsoled_t self:fifo_file rw_fifo_file_perms; - -allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; - -# pid file -manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) -manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) -files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(xenconsoled_t) -kernel_write_xen_state(xenconsoled_t) -kernel_read_xen_state(xenconsoled_t) - -dev_manage_xen(xenconsoled_t) -dev_filetrans_xen(xenconsoled_t) -dev_rw_sysfs(xenconsoled_t) - -domain_dontaudit_ptrace_all_domains(xenconsoled_t) - -files_read_etc_files(xenconsoled_t) -files_read_usr_files(xenconsoled_t) - -fs_list_tmpfs(xenconsoled_t) -fs_manage_xenfs_dirs(xenconsoled_t) -fs_manage_xenfs_files(xenconsoled_t) - -term_create_pty(xenconsoled_t, xen_devpts_t) -term_use_generic_ptys(xenconsoled_t) -term_use_console(xenconsoled_t) - -init_use_fds(xenconsoled_t) -init_use_script_ptys(xenconsoled_t) - -miscfiles_read_localization(xenconsoled_t) - -xen_manage_log(xenconsoled_t) -xen_stream_connect_xenstore(xenconsoled_t) - -optional_policy(` - ptchown_domtrans(xenconsoled_t) -') - -######################################## -# -# Xen store local policy -# - -allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource }; -allow xenstored_t self:unix_stream_socket create_stream_socket_perms; -allow xenstored_t self:unix_dgram_socket create_socket_perms; - -manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) -manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) -files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) - -# pid file -manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) - -# log files -manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) - -# var/lib files for xenstored -manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file }) - -stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t) - -kernel_write_xen_state(xenstored_t) -kernel_read_xen_state(xenstored_t) - -dev_create_generic_dirs(xenstored_t) -dev_manage_xen(xenstored_t) -dev_filetrans_xen(xenstored_t) -dev_rw_xen(xenstored_t) -dev_read_sysfs(xenstored_t) - -files_read_usr_files(xenstored_t) - -fs_search_xenfs(xenstored_t) -fs_manage_xenfs_files(xenstored_t) - -storage_raw_read_fixed_disk(xenstored_t) -storage_raw_write_fixed_disk(xenstored_t) -storage_raw_read_removable_device(xenstored_t) - -term_use_generic_ptys(xenstored_t) -term_use_console(xenconsoled_t) - -init_use_fds(xenstored_t) -init_use_script_ptys(xenstored_t) - -logging_send_syslog_msg(xenstored_t) - -miscfiles_read_localization(xenstored_t) - -xen_append_log(xenstored_t) - -######################################## -# -# SSH component local policy -# -optional_policy(` - #Should have a boolean wrapping these - fs_list_auto_mountpoints(xend_t) - files_search_mnt(xend_t) - fs_getattr_all_fs(xend_t) - fs_read_dos_files(xend_t) - fs_manage_xenfs_dirs(xend_t) - fs_manage_xenfs_files(xend_t) - - tunable_policy(`xen_use_nfs',` - fs_manage_nfs_files(xend_t) - fs_read_nfs_symlinks(xend_t) - ') -') diff --git a/policy/policy_capabilities b/policy/policy_capabilities deleted file mode 100644 index db3cbca..0000000 --- a/policy/policy_capabilities +++ /dev/null @@ -1,33 +0,0 @@ -# -# This file contains the policy capabilites -# that are enabled in this policy, not a -# declaration of DAC capabilites such as -# dac_override. -# -# The affected object classes and their -# permissions should also be listed in -# the comments for each capability. -# - -# Enable additional networking access control for -# labeled networking peers. -# -# Checks enabled: -# node: sendto recvfrom -# netif: ingress egress -# peer: recv -# -policycap network_peer_controls; - -# Enable additional access controls for opening -# a file (and similar objects). -# -# Checks enabled: -# dir: open -# file: open -# fifo_file: open -# sock_file: open -# chr_file: open -# blk_file: open -# -policycap open_perms; diff --git a/policy/rolemap b/policy/rolemap deleted file mode 100644 index c1de37e..0000000 --- a/policy/rolemap +++ /dev/null @@ -1,13 +0,0 @@ -# -# This file contains the mappings -# used for per-role template -# infrastructure. Each line describes -# the prefix and user domain type -# corresponding to each role. -# -# syntax: role prefix user_domain -# - -# This support has been deprecated and -# will be removed in the future. Note: No -# per-role templates exist in refpolicy. diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt deleted file mode 100644 index 4719351..0000000 --- a/policy/support/file_patterns.spt +++ /dev/null @@ -1,553 +0,0 @@ -# -# Directory patterns (dir) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. directory type -# -define(`getattr_dirs_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:dir getattr_dir_perms; -') - -define(`setattr_dirs_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:dir setattr_dir_perms; -') - -define(`search_dirs_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:dir search_dir_perms; -') - -define(`list_dirs_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:dir list_dir_perms; -') - -define(`add_entry_dirs_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:dir add_entry_dir_perms; -') - -define(`del_entry_dirs_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:dir del_entry_dir_perms; -') - -define(`rw_dirs_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:dir { add_entry_dir_perms del_entry_dir_perms }; -') - -define(`create_dirs_pattern',` - allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:dir create_dir_perms; -') - -define(`delete_dirs_pattern',` - allow $1 $2:dir del_entry_dir_perms; - allow $1 $3:dir delete_dir_perms; -') - -define(`rename_dirs_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:dir rename_dir_perms; -') - -define(`manage_dirs_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:dir manage_dir_perms; -') - -define(`relabelfrom_dirs_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:dir relabelfrom_dir_perms; -') - -define(`relabelto_dirs_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:dir relabelto_dir_perms; -') - -define(`relabel_dirs_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:dir relabel_dir_perms; -') - -# -# Regular file patterns (file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -define(`getattr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file getattr_file_perms; -') - -define(`setattr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file setattr_file_perms; -') - -define(`read_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file read_file_perms; -') - -define(`mmap_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file mmap_file_perms; -') - -define(`exec_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file exec_file_perms; -') - -define(`append_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file append_file_perms; -') - -define(`write_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file write_file_perms; -') - -define(`rw_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file rw_file_perms; -') - -define(`create_files_pattern',` - allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:file create_file_perms; -') - -define(`delete_files_pattern',` - allow $1 $2:dir del_entry_dir_perms; - allow $1 $3:file delete_file_perms; -') - -define(`rename_files_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:file rename_file_perms; -') - -define(`manage_files_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:file manage_file_perms; -') - -define(`relabelfrom_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file relabelfrom_file_perms; -') - -define(`relabelto_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file relabelto_file_perms; -') - -define(`relabel_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:file relabel_file_perms; -') - -# -# Symbolic link patterns (lnk_file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -define(`getattr_lnk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:lnk_file getattr_lnk_file_perms; -') - -define(`setattr_lnk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:lnk_file setattr_lnk_file_perms; -') - -define(`read_lnk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:lnk_file read_lnk_file_perms; -') - -define(`append_lnk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:lnk_file append_lnk_file_perms; -') - -define(`write_lnk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:lnk_file write_lnk_file_perms; -') - -define(`rw_lnk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:lnk_file rw_lnk_file_perms; -') - -define(`create_lnk_files_pattern',` - allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:lnk_file create_lnk_file_perms; -') - -define(`delete_lnk_files_pattern',` - allow $1 $2:dir del_entry_dir_perms; - allow $1 $3:lnk_file delete_lnk_file_perms; -') - -define(`rename_lnk_files_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:lnk_file rename_lnk_file_perms; -') - -define(`manage_lnk_files_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:lnk_file manage_lnk_file_perms; -') - -define(`relabelfrom_lnk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:lnk_file relabelfrom_lnk_file_perms; -') - -define(`relabelto_lnk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:lnk_file relabelto_lnk_file_perms; -') - -define(`relabel_lnk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:lnk_file relabel_lnk_file_perms; -') - -# -# (Un)named Pipes/FIFO patterns (fifo_file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -define(`getattr_fifo_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:fifo_file getattr_fifo_file_perms; -') - -define(`setattr_fifo_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:fifo_file setattr_fifo_file_perms; -') - -define(`read_fifo_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:fifo_file read_fifo_file_perms; -') - -define(`append_fifo_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:fifo_file append_fifo_file_perms; -') - -define(`write_fifo_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:fifo_file write_fifo_file_perms; -') - -define(`rw_fifo_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:fifo_file rw_fifo_file_perms; -') - -define(`create_fifo_files_pattern',` - allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:fifo_file create_fifo_file_perms; -') - -define(`delete_fifo_files_pattern',` - allow $1 $2:dir del_entry_dir_perms; - allow $1 $3:fifo_file delete_fifo_file_perms; -') - -define(`rename_fifo_files_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:fifo_file rename_fifo_file_perms; -') - -define(`manage_fifo_files_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:fifo_file manage_fifo_file_perms; -') - -define(`relabelfrom_fifo_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:fifo_file relabelfrom_fifo_file_perms; -') - -define(`relabelto_fifo_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:fifo_file relabelto_fifo_file_perms; -') - -define(`relabel_fifo_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:fifo_file relabel_fifo_file_perms; -') - -# -# (Un)named sockets patterns (sock_file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -define(`getattr_sock_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file getattr_sock_file_perms; -') - -define(`setattr_sock_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file setattr_sock_file_perms; -') - -define(`read_sock_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file read_sock_file_perms; -') - -define(`write_sock_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file write_sock_file_perms; -') - -define(`rw_sock_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file rw_sock_file_perms; -') - -define(`create_sock_files_pattern',` - allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:sock_file create_sock_file_perms; -') - -define(`delete_sock_files_pattern',` - allow $1 $2:dir del_entry_dir_perms; - allow $1 $3:sock_file delete_sock_file_perms; -') - -define(`rename_sock_files_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:sock_file rename_sock_file_perms; -') - -define(`manage_sock_files_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:sock_file manage_sock_file_perms; -') - -define(`relabelfrom_sock_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file relabelfrom_sock_file_perms; -') - -define(`relabelto_sock_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file relabelto_sock_file_perms; -') - -define(`relabel_sock_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file relabel_sock_file_perms; -') - -# -# Block device node patterns (blk_file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -define(`getattr_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file getattr_blk_file_perms; -') - -define(`setattr_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file setattr_blk_file_perms; -') - -define(`read_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file read_blk_file_perms; -') - -define(`append_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file append_blk_file_perms; -') - -define(`write_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file write_blk_file_perms; -') - -define(`rw_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file rw_blk_file_perms; -') - -define(`create_blk_files_pattern',` - allow $1 self:capability mknod; - allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:blk_file create_blk_file_perms; -') - -define(`delete_blk_files_pattern',` - allow $1 $2:dir del_entry_dir_perms; - allow $1 $3:blk_file delete_blk_file_perms; -') - -define(`rename_blk_files_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:blk_file rename_blk_file_perms; -') - -define(`manage_blk_files_pattern',` - allow $1 self:capability mknod; - allow $1 $2:dir rw_dir_perms; - allow $1 $3:blk_file manage_blk_file_perms; -') - -define(`relabelfrom_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file relabelfrom_blk_file_perms; -') - -define(`relabelto_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file relabelto_blk_file_perms; -') - -define(`relabel_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file relabel_blk_file_perms; -') - -# -# Character device node patterns (chr_file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -define(`getattr_chr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:chr_file getattr_chr_file_perms; -') - -define(`setattr_chr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:chr_file setattr_chr_file_perms; -') - -define(`read_chr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:chr_file read_chr_file_perms; -') - -define(`append_chr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:chr_file append_chr_file_perms; -') - -define(`write_chr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:chr_file write_chr_file_perms; -') - -define(`rw_chr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:chr_file rw_chr_file_perms; -') - -define(`create_chr_files_pattern',` - allow $1 self:capability mknod; - allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:chr_file create_chr_file_perms; -') - -define(`delete_chr_files_pattern',` - allow $1 $2:dir del_entry_dir_perms; - allow $1 $3:chr_file delete_chr_file_perms; -') - -define(`rename_chr_files_pattern',` - allow $1 $2:dir rw_dir_perms; - allow $1 $3:chr_file rename_chr_file_perms; -') - -define(`manage_chr_files_pattern',` - allow $1 self:capability mknod; - allow $1 $2:dir rw_dir_perms; - allow $1 $3:chr_file manage_chr_file_perms; -') - -define(`relabelfrom_chr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:chr_file relabelfrom_chr_file_perms; -') - -define(`relabelto_chr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:chr_file relabelto_chr_file_perms; -') - -define(`relabel_chr_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:chr_file relabel_chr_file_perms; -') - -# -# File type_transition patterns -# -# pattern(domain,dirtype,newtype,class(es)) -# -define(`filetrans_add_pattern',` - allow $1 $2:dir { list_dir_perms add_entry_dir_perms }; - type_transition $1 $2:$4 $3; -') - -define(`filetrans_pattern',` - allow $1 $2:dir rw_dir_perms; - type_transition $1 $2:$4 $3 $5; -') - -define(`admin_pattern',` - manage_dirs_pattern($1,$2,$2) - manage_files_pattern($1,$2,$2) - manage_lnk_files_pattern($1,$2,$2) - manage_fifo_files_pattern($1,$2,$2) - manage_sock_files_pattern($1,$2,$2) - - relabel_dirs_pattern($1,$2,$2) - relabel_files_pattern($1,$2,$2) - relabel_lnk_files_pattern($1,$2,$2) - relabel_fifo_files_pattern($1,$2,$2) - relabel_sock_files_pattern($1,$2,$2) -') diff --git a/policy/support/ipc_patterns.spt b/policy/support/ipc_patterns.spt deleted file mode 100644 index 310f9ef..0000000 --- a/policy/support/ipc_patterns.spt +++ /dev/null @@ -1,14 +0,0 @@ -# -# unix domain socket patterns -# -define(`stream_connect_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file write_sock_file_perms; - allow $1 $4:unix_stream_socket connectto; -') - -define(`dgram_send_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file write_sock_file_perms; - allow $1 $4:unix_dgram_socket sendto; -') diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt deleted file mode 100644 index 1fe3ab3..0000000 --- a/policy/support/loadable_module.spt +++ /dev/null @@ -1,151 +0,0 @@ -######################################## -# -# Macros for switching between source policy -# and loadable policy module support -# - -############################## -# -# For adding the module statement -# -define(`policy_module',` - ifndef(`self_contained_policy',` - module $1 $2; - - require { - role system_r; - all_kernel_class_perms - - ifdef(`enable_mcs',` - decl_sens(0,0) - decl_cats(0,decr(mcs_num_cats)) - ') - - ifdef(`enable_mls',` - decl_sens(0,decr(mls_num_sens)) - decl_cats(0,decr(mls_num_cats)) - ') - } - ') -') - -############################## -# -# For use in interfaces, to optionally insert a require block -# -define(`gen_require',` - ifdef(`self_contained_policy',` - ifdef(`__in_optional_policy',` - require { - $1 - } # end require - ') - ',` - require { - $1 - } # end require - ') -') - -# helper function, since m4 wont expand macros -# if a line is a comment (#): -define(`policy_m4_comment',` -##### $2 depth: $1 -')dnl - -############################## -# -# In the future interfaces should be in loadable modules -# -# template(name,rules) -# -define(`template',` dnl - ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl - `define(`$1',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl - $2 dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl - '') -') - -############################## -# -# In the future interfaces should be in loadable modules -# -# interface(name,rules) -# -define(`interface',` dnl - ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl - `define(`$1',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl - $2 - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl - '') -') - -define(`policy_call_depth',0) - -############################## -# -# Optional policy handling -# -define(`optional_policy',` - ifelse(regexp(`$1',`\W'),`-1',` - refpolicywarn(`deprecated use of module name ($1) as first parameter of optional_policy() block.') - optional_policy(shift($*)) - ',` - optional {`'pushdef(`__in_optional_policy') - $1 - ifelse(`$2',`',`',`} else { - $2 - ')}`'popdef(`__in_optional_policy')`'ifndef(`__in_optional_policy',` # end optional') - ') -') - -############################## -# -# Determine if we should use the default -# tunable value as specified by the policy -# or if the override value should be used -# -define(`dflt_or_overr',`ifdef(`$1',$1,$2)') - -############################## -# -# Extract booleans out of an expression. -# This needs to be reworked so expressions -# with parentheses can work. - -define(`declare_required_symbols',` -ifelse(regexp($1, `\w'), -1, `', `dnl -bool regexp($1, `\(\w+\)', `\1'); -declare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl -') dnl -') - -############################## -# -# Tunable declaration -# -define(`gen_tunable',` - bool $1 dflt_or_overr(`$1'_conf,$2); -') - -############################## -# -# Tunable policy handling -# -define(`tunable_policy',` - gen_require(` - declare_required_symbols(`$1') - ') - if (`$1') { - $2 - ifelse(`$3',`',`',`} else { - $3 - ')} -') diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt deleted file mode 100644 index 4ca5688..0000000 --- a/policy/support/misc_macros.spt +++ /dev/null @@ -1,78 +0,0 @@ - -######################################## -# -# Helper macros -# - -# -# shiftn(num,list...) -# -# shift the list num times -# -define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') - -# -# ifndef(expr,true_block,false_block) -# -# m4 does not have this. -# -define(`ifndef',`ifdef(`$1',`$3',`$2')') - -# -# __endline__ -# -# dummy macro to insert a newline. used for -# errprint, so the close parentheses can be -# indented correctly. -# -define(`__endline__',` -') - -######################################## -# -# refpolwarn(message) -# -# print a warning message -# -define(`refpolicywarn',`errprint(__file__:__line__: Warning: `$1'__endline__)') - -######################################## -# -# refpolerr(message) -# -# print an error message. does not -# make anything fail. -# -define(`refpolicyerr',`errprint(__file__:__line__: Error: `$1'__endline__)') - -######################################## -# -# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories]) -# -define(`gen_user',`dnl -ifdef(`users_extra',`dnl -ifelse(`$2',,,`user $1 prefix $2;') -',`dnl -user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')'); -')dnl -') - -######################################## -# -# gen_context(context,mls_sensitivity,[mcs_categories]) -# -define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl - -######################################## -# -# can_exec(domain,executable) -# -define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };') - -######################################## -# -# gen_bool(name,default_value) -# -define(`gen_bool',` - bool $1 dflt_or_overr(`$1'_conf,$2); -') diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt deleted file mode 100644 index df6b5de..0000000 --- a/policy/support/misc_patterns.spt +++ /dev/null @@ -1,68 +0,0 @@ -# -# Specified domain transition patterns -# -define(`domain_transition_pattern',` - allow $1 $2:file { getattr open read execute }; - allow $1 $3:process transition; - dontaudit $1 $3:process { noatsecure siginh rlimitinh }; -') - -# compatibility: -define(`domain_trans',`domain_transition_pattern($*)') - -define(`spec_domtrans_pattern',` - allow $1 self:process setexec; - domain_transition_pattern($1,$2,$3) - - allow $3 $1:fd use; - allow $3 $1:fifo_file rw_inherited_fifo_file_perms; - allow $3 $1:process sigchld; -') - -# -# Automatic domain transition patterns -# -define(`domain_auto_transition_pattern',` - domain_transition_pattern($1,$2,$3) - type_transition $1 $2:process $3; -') - -# compatibility: -define(`domain_auto_trans',`domain_auto_transition_pattern($*)') - -define(`domtrans_pattern',` - domain_auto_transition_pattern($1,$2,$3) - - allow $3 $1:fd use; - allow $3 $1:fifo_file rw_inherited_fifo_file_perms; - allow $3 $1:process sigchld; - - ifdef(`hide_broken_symptoms', ` - dontaudit $3 $1:socket_class_set { read write }; - ') -') - -# -# Dynamic transition pattern -# -define(`dyntrans_pattern',` - allow $1 self:process setcurrent; - allow $1 $2:process dyntransition; - allow $2 $1:process sigchld; -') - -# -# Other process permissions -# -define(`send_audit_msgs_pattern',` - refpolicywarn(`$0($*) has been deprecated, please use logging_send_audit_msgs($1) instead.') - allow $1 self:capability audit_write; - allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -') - -define(`ps_process_pattern',` - allow $1 $2:dir list_dir_perms; - allow $1 $2:file read_file_perms; - allow $1 $2:lnk_file read_lnk_file_perms; - allow $1 $2:process getattr; -') diff --git a/policy/support/mls_mcs_macros.spt b/policy/support/mls_mcs_macros.spt deleted file mode 100644 index 7593e20..0000000 --- a/policy/support/mls_mcs_macros.spt +++ /dev/null @@ -1,57 +0,0 @@ -######################################## -# -# gen_cats(N) -# -# declares categores c0 to c(N-1) -# -define(`decl_cats',`dnl -category c$1; -ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl -') - -define(`gen_cats',`decl_cats(0,decr($1))') - -######################################## -# -# gen_sens(N) -# -# declares sensitivites s0 to s(N-1) with dominance -# in increasing numeric order with s0 lowest, s(N-1) highest -# -define(`decl_sens',`dnl -sensitivity s$1; -ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl -') - -define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')') - -define(`gen_sens',` -# Each sensitivity has a name and zero or more aliases. -decl_sens(0,decr($1)) - -# Define the ordering of the sensitivity levels (least to greatest) -dominance { gen_dominance(0,decr($1)) } -') - -######################################## -# -# gen_levels(N,M) -# -# levels from s0 to (N-1) with categories c0 to (M-1) -# -define(`decl_levels',`dnl -level s$1:c0.c$3; -ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl -') - -define(`gen_levels',`decl_levels(0,decr($1),decr($2))') - -######################################## -# -# Basic level names for system low and high -# -define(`mls_systemlow',`s0') -define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)') -define(`mcs_systemlow',`s0') -define(`mcs_systemhigh',`s0:c0.c`'decr(mcs_num_cats)') -define(`mcs_allcats',`c0.c`'decr(mcs_num_cats)') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt deleted file mode 100644 index d9b0868..0000000 --- a/policy/support/obj_perm_sets.spt +++ /dev/null @@ -1,337 +0,0 @@ -######################################## -# -# Support macros for sets of object classes and permissions -# -# This file should only have object class and permission set macros - they -# can only reference object classes and/or permissions. - -# -# All directory and file classes -# -define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }') - -# -# All non-directory file classes. -# -define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }') - -# -# Non-device file classes. -# -define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }') - -# -# Device file classes. -# -define(`devfile_class_set', `{ chr_file blk_file }') - -# -# All socket classes. -# -define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') - - -# -# Datagram socket classes. -# -define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') - -# -# Stream socket classes. -# -define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') - -# -# Unprivileged socket classes (exclude rawip, netlink, packet). -# -define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') - -######################################## -# -# Macros for sets of permissions -# - -# -# Permissions for getting file attributes. -# -define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please use getattr_file_perms instead.')') - -# -# Permissions for executing files. -# -define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')') - -# -# Permissions for reading files and their attributes. -# -define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')') - -# -# Permissions for reading and executing files. -# -define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')') - -# -# Permissions for reading and appending to files. -# -define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')') - -# -# Permissions for linking, unlinking and renaming files. -# -define(`link_file_perms', `{ getattr link unlink rename } refpolicywarn(`$0 is deprecated please use { getattr link unlink rename } instead.')') - -# -# Permissions for creating lnk_files. -# -define(`create_lnk_perms', `{ create read write getattr setattr link unlink rename } refpolicywarn(`$0 is deprecated please use manage_lnk_file_perms instead.')') - -# -# Permissions for reading directories and their attributes. -# -define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')') - -# -# Permissions for reading and adding names to directories. -# -define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')') - - -# -# Permissions to mount and unmount file systems. -# -define(`mount_fs_perms', `{ mount remount unmount getattr }') - -# -# Permissions for using sockets. -# -define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }') - -# -# Permissions for creating and using sockets. -# -define(`create_socket_perms', `{ create rw_socket_perms }') - -# -# Permissions for using stream sockets. -# -define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }') - -# -# Permissions for creating and using stream sockets. -# -define(`create_stream_socket_perms', `{ create_socket_perms listen accept }') - -# -# Permissions for creating and using sockets. -# -define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') - -# -# Permissions for creating and using sockets. -# -define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }') - - -# -# Permissions for creating and using netlink sockets. -# -define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') - -# -# Permissions for using netlink sockets for operations that modify state. -# -define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') - -# -# Permissions for using netlink sockets for operations that observe state. -# -define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }') - -# -# Permissions for sending all signals. -# -define(`signal_perms', `{ sigchld sigkill sigstop signull signal }') - -# -# Permissions for sending and receiving network packets. -# -define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }') - -# -# Permissions for using System V IPC -# -define(`r_sem_perms', `{ associate getattr read unix_read }') -define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }') -define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }') -define(`r_msgq_perms', `{ associate getattr read unix_read }') -define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }') -define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }') -define(`r_shm_perms', `{ associate getattr read unix_read }') -define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }') -define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }') - -######################################## -# -# New permission sets -# - -# -# Directory (dir) -# -define(`getattr_dir_perms',`{ getattr }') -define(`setattr_dir_perms',`{ setattr }') -define(`search_dir_perms',`{ getattr search open }') -define(`list_dir_perms',`{ getattr search open read lock ioctl }') -define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }') -define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }') -define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }') -define(`create_dir_perms',`{ getattr create }') -define(`rename_dir_perms',`{ getattr rename }') -define(`delete_dir_perms',`{ getattr rmdir }') -define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }') -define(`relabelfrom_dir_perms',`{ getattr relabelfrom }') -define(`relabelto_dir_perms',`{ getattr relabelto }') -define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') - -# -# Regular file (file) -# -define(`getattr_file_perms',`{ getattr }') -define(`setattr_file_perms',`{ setattr }') -define(`read_inherited_file_perms',`{ getattr read ioctl lock }') -define(`read_file_perms',`{ open read_inherited_file_perms }') -define(`mmap_file_perms',`{ getattr open read execute ioctl }') -define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') -define(`append_file_perms',`{ getattr open append lock ioctl }') -define(`write_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') -define(`rw_file_perms',`{ open rw_inherited_file_perms }') -define(`create_file_perms',`{ getattr create open }') -define(`rename_file_perms',`{ getattr rename }') -define(`delete_file_perms',`{ getattr unlink }') -define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') -define(`relabelfrom_file_perms',`{ getattr relabelfrom }') -define(`relabelto_file_perms',`{ getattr relabelto }') -define(`relabel_file_perms',`{ getattr relabelfrom relabelto }') - -# -# Symbolic link (lnk_file) -# -define(`getattr_lnk_file_perms',`{ getattr }') -define(`setattr_lnk_file_perms',`{ setattr }') -define(`read_lnk_file_perms',`{ getattr read }') -define(`append_lnk_file_perms',`{ getattr append lock ioctl }') -define(`write_lnk_file_perms',`{ getattr append write lock ioctl }') -define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') -define(`create_lnk_file_perms',`{ create getattr }') -define(`rename_lnk_file_perms',`{ getattr rename }') -define(`delete_lnk_file_perms',`{ getattr unlink }') -define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') -define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') -define(`relabelto_lnk_file_perms',`{ getattr relabelto }') -define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') - -# -# (Un)named Pipes/FIFOs (fifo_file) -# -define(`getattr_fifo_file_perms',`{ getattr }') -define(`setattr_fifo_file_perms',`{ setattr }') -define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') -define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') -define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }') -define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }') -define(`create_fifo_file_perms',`{ getattr create open }') -define(`rename_fifo_file_perms',`{ getattr rename }') -define(`delete_fifo_file_perms',`{ getattr unlink }') -define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') -define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }') -define(`relabelto_fifo_file_perms',`{ getattr relabelto }') -define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }') - -# -# (Un)named Sockets (sock_file) -# -define(`getattr_sock_file_perms',`{ getattr }') -define(`setattr_sock_file_perms',`{ setattr }') -define(`read_sock_file_perms',`{ getattr open read }') -define(`write_sock_file_perms',`{ getattr write open append }') -define(`rw_inherited_sock_file_perms',`{ getattr read write append }') -define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }') -define(`create_sock_file_perms',`{ getattr create open }') -define(`rename_sock_file_perms',`{ getattr rename }') -define(`delete_sock_file_perms',`{ getattr unlink }') -define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') -define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }') -define(`relabelto_sock_file_perms',`{ getattr relabelto }') -define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }') - -# -# Block device nodes (blk_file) -# -define(`getattr_blk_file_perms',`{ getattr }') -define(`setattr_blk_file_perms',`{ setattr }') -define(`read_blk_file_perms',`{ getattr open read lock ioctl }') -define(`append_blk_file_perms',`{ getattr open append lock ioctl }') -define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }') -define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }') -define(`create_blk_file_perms',`{ getattr create }') -define(`rename_blk_file_perms',`{ getattr rename }') -define(`delete_blk_file_perms',`{ getattr unlink }') -define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') -define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }') -define(`relabelto_blk_file_perms',`{ getattr relabelto }') -define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }') - -# -# Character device nodes (chr_file) -# -define(`getattr_chr_file_perms',`{ getattr }') -define(`setattr_chr_file_perms',`{ setattr }') -define(`read_chr_file_perms',`{ getattr open read lock ioctl }') -define(`append_chr_file_perms',`{ getattr open append lock ioctl }') -define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }') -define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }') -define(`create_chr_file_perms',`{ getattr create }') -define(`rename_chr_file_perms',`{ getattr rename }') -define(`delete_chr_file_perms',`{ getattr unlink }') -define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') -define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }') -define(`relabelto_chr_file_perms',`{ getattr relabelto }') -define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') - -######################################## -# -# Special permission sets -# - -# -# Use (read and write) terminals -# -define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }') -define(`rw_term_perms', `{ open rw_inherited_term_perms }') - -# -# Sockets -# -define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') -define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') - -# -# Keys -# -define(`manage_key_perms', `{ create link read search setattr view write } ') - -# -# All -# -define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } -') - -define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ') -define(`all_dbus_perms', `{ acquire_svc send_msg } ') -define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') -define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') diff --git a/policy/users b/policy/users deleted file mode 100644 index be2a04c..0000000 --- a/policy/users +++ /dev/null @@ -1,38 +0,0 @@ -################################## -# -# Core User configuration. -# - -# -# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) -# -# Note: Identities without a prefix will not be listed -# in the users_extra file used by genhomedircon. - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system, -# and a user process should never be assigned the system user -# identity. -# -gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# user_u is a generic user identity for Linux users who have no -# SELinux user identity defined. The modified daemons will use -# this user identity in the security context if there is no matching -# SELinux user identity for a Linux user. If you do not want to -# permit any access to such users, then remove this entry. -# -gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# The following users correspond to Unix identities. -# These identities are typically assigned as the user attribute -# when login starts the user shell. Users with access to the sysadm_r -# role should use the staff_r role instead of the user_r role when -# not in the sysadm_r. -# -gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)