[people/stevee/selinux-policy.git] / policy / modules / system / libraries.te


policy_module(libraries, 2.3.1)

########################################
#
# Declarations
#

#
# ld_so_cache_t is the type of /etc/ld.so.cache.
#
type ld_so_cache_t;
files_type(ld_so_cache_t)

#
# ld_so_t is the type of the system dynamic loaders.
#
type ld_so_t;
files_type(ld_so_t)

type ldconfig_t;
type ldconfig_exec_t;
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;

type ldconfig_cache_t;
files_type(ldconfig_cache_t)

type ldconfig_tmp_t;
files_tmp_file(ldconfig_tmp_t)

#
# lib_t is the type of files in the system lib directories.
#
type lib_t alias shlib_t;
files_type(lib_t)

#
# textrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
type textrel_shlib_t alias texrel_shlib_t;
files_type(textrel_shlib_t)

optional_policy(`
	postgresql_loadable_module(lib_t)
	postgresql_loadable_module(textrel_shlib_t)
')

########################################
#
# ldconfig local policy
#

allow ldconfig_t self:capability sys_chroot;

manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)

allow ldconfig_t ld_so_cache_t:file manage_file_perms;
files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)

manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })

manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)

kernel_read_system_state(ldconfig_t)

fs_getattr_xattr_fs(ldconfig_t)

domain_use_interactive_fds(ldconfig_t)

files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_search_tmp(ldconfig_t)
files_search_usr(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled:
files_delete_etc_files(ldconfig_t)

init_use_script_ptys(ldconfig_t)

miscfiles_read_localization(ldconfig_t)

logging_send_syslog_msg(ldconfig_t)

userdom_use_user_terminals(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(ldconfig_t)
	')
')

ifdef(`hide_broken_symptoms',`
	optional_policy(`
		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
	')
')

optional_policy(`
	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
	apache_dontaudit_search_modules(ldconfig_t)
')

optional_policy(`
	apt_rw_pipes(ldconfig_t)
	apt_use_fds(ldconfig_t)
	apt_use_ptys(ldconfig_t)
')

optional_policy(`
	# When you install a kernel the postinstall builds a initrd image in tmp 
	# and executes ldconfig on it.  If you dont allow this kernel installs 
	# blow up.
	rpm_manage_script_tmp_files(ldconfig_t)
')
Commit	Line	Data
e181fe05	1
296273a7	2	policy_module(libraries, 2.3.1)
960373dd	3
48e0dbd6 CP	4	########################################
	5	#
	6	# Declarations
	7	#
	8
b4cd1533 CP	9	#
	10	# ld_so_cache_t is the type of /etc/ld.so.cache.
	11	#
	12	type ld_so_cache_t;
8fd36732	13	files_type(ld_so_cache_t)
b4cd1533	14
48e0dbd6	15	#
b4cd1533 CP	16	# ld_so_t is the type of the system dynamic loaders.
	17	#
	18	type ld_so_t;
8fd36732	19	files_type(ld_so_t)
b4cd1533	20
19b2dee3 CP	21	type ldconfig_t;
	22	type ldconfig_exec_t;
	23	init_system_domain(ldconfig_t,ldconfig_exec_t)
	24	role system_r types ldconfig_t;
	25
9c4500b2 CP	26	type ldconfig_cache_t;
	27	files_type(ldconfig_cache_t)
	28
19b2dee3 CP	29	type ldconfig_tmp_t;
	30	files_tmp_file(ldconfig_tmp_t)
	31
b4cd1533 CP	32	#
	33	# lib_t is the type of files in the system lib directories.
	34	#
350b6ab7	35	type lib_t alias shlib_t;
8fd36732	36	files_type(lib_t)
b4cd1533	37
b4cd1533	38	#
0c4bf1c5	39	# textrel_shlib_t is the type of shared objects in the system lib
b4cd1533 CP	40	# directories, which require text relocation.
b4cd1533 CP	41	#
a324ef13 CP	42	type textrel_shlib_t alias texrel_shlib_t;
a324ef13 CP	43	files_type(textrel_shlib_t)
48e0dbd6	44
e8cb08ae CP	45	optional_policy(`
	46	postgresql_loadable_module(lib_t)
	47	postgresql_loadable_module(textrel_shlib_t)
	48	')
	49
48e0dbd6 CP	50	########################################
	51	#
	52	# ldconfig local policy
	53	#
19b2dee3 CP	54
19b2dee3 CP	55	allow ldconfig_t self:capability sys_chroot;
48e0dbd6	56
9c4500b2 CP	57	manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
9c4500b2 CP	58
c0868a7a	59	allow ldconfig_t ld_so_cache_t:file manage_file_perms;
103fe280	60	files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
48e0dbd6	61
19b2dee3 CP	62	manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
19b2dee3 CP	63	manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
d534d35a CP	64	manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
d534d35a CP	65	files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
19b2dee3	66
c0868a7a	67	manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
48e0dbd6 CP	68
	69	kernel_read_system_state(ldconfig_t)
	70
0fd9dc55	71	fs_getattr_xattr_fs(ldconfig_t)
48e0dbd6	72
15722ec9	73	domain_use_interactive_fds(ldconfig_t)
48e0dbd6	74
7a2f20a3	75	files_search_var_lib(ldconfig_t)
8fd36732	76	files_read_etc_files(ldconfig_t)
ebdc3b79	77	files_search_tmp(ldconfig_t)
b0d2243c	78	files_search_usr(ldconfig_t)
48e0dbd6	79	# for when /etc/ld.so.cache is mislabeled:
8fd36732	80	files_delete_etc_files(ldconfig_t)
48e0dbd6	81
1815bad1	82	init_use_script_ptys(ldconfig_t)
48e0dbd6	83
19b2dee3 CP	84	miscfiles_read_localization(ldconfig_t)
19b2dee3 CP	85
c9428d33	86	logging_send_syslog_msg(ldconfig_t)
48e0dbd6	87
296273a7	88	userdom_use_user_terminals(ldconfig_t)
15722ec9	89	userdom_use_all_users_fds(ldconfig_t)
48e0dbd6	90
12cf805e CP	91	ifdef(`distro_ubuntu',`
	92	optional_policy(`
	93	unconfined_domain(ldconfig_t)
	94	')
	95	')
	96
a42ca7eb	97	ifdef(`hide_broken_symptoms',`
bb7170f6	98	optional_policy(`
1815bad1	99	unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
0c73cd25	100	')
48e0dbd6 CP	101	')
48e0dbd6 CP	102
bb7170f6	103	optional_policy(`
a42ca7eb	104	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
c6d4c8f1	105	apache_dontaudit_search_modules(ldconfig_t)
a42ca7eb	106	')
82e284bb	107
e065ac8a CP	108	optional_policy(`
	109	apt_rw_pipes(ldconfig_t)
	110	apt_use_fds(ldconfig_t)
	111	apt_use_ptys(ldconfig_t)
	112	')
	113
82e284bb CP	114	optional_policy(`
	115	# When you install a kernel the postinstall builds a initrd image in tmp
	116	# and executes ldconfig on it. If you dont allow this kernel installs
	117	# blow up.
	118	rpm_manage_script_tmp_files(ldconfig_t)
	119	')