[people/stevee/selinux-policy.git] / policy / modules / system / libraries.te


policy_module(libraries,2.0.0)

########################################
#
# Declarations
#

#
# ld_so_cache_t is the type of /etc/ld.so.cache.
#
type ld_so_cache_t;
files_type(ld_so_cache_t)

#
# ld_so_t is the type of the system dynamic loaders.
#
type ld_so_t;
files_type(ld_so_t)

type ldconfig_t;
type ldconfig_exec_t;
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;

type ldconfig_tmp_t;
files_tmp_file(ldconfig_tmp_t)

#
# lib_t is the type of files in the system lib directories.
#
type lib_t alias shlib_t;
files_type(lib_t)

#
# textrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
type textrel_shlib_t alias texrel_shlib_t;
files_type(textrel_shlib_t)

########################################
#
# ldconfig local policy
#

allow ldconfig_t self:capability sys_chroot;

allow ldconfig_t ld_so_cache_t:file manage_file_perms;
files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)

manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })

manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)

kernel_read_system_state(ldconfig_t)

fs_getattr_xattr_fs(ldconfig_t)

domain_use_interactive_fds(ldconfig_t)

files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_search_tmp(ldconfig_t)
files_search_usr(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled:
files_delete_etc_files(ldconfig_t)

init_use_script_ptys(ldconfig_t)

libs_use_ld_so(ldconfig_t)
libs_use_shared_libs(ldconfig_t)

miscfiles_read_localization(ldconfig_t)

logging_send_syslog_msg(ldconfig_t)

userdom_use_all_users_fds(ldconfig_t)

ifdef(`hide_broken_symptoms',`
	optional_policy(`
		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
	')
')

optional_policy(`
	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
	apache_dontaudit_search_modules(ldconfig_t)
')

optional_policy(`
	# When you install a kernel the postinstall builds a initrd image in tmp 
	# and executes ldconfig on it.  If you dont allow this kernel installs 
	# blow up.
	rpm_manage_script_tmp_files(ldconfig_t)
')
Commit	Line	Data
e181fe05	1
f7925f25	2	policy_module(libraries,2.0.0)
960373dd	3
48e0dbd6 CP	4	########################################
	5	#
	6	# Declarations
	7	#
	8
b4cd1533 CP	9	#
	10	# ld_so_cache_t is the type of /etc/ld.so.cache.
	11	#
	12	type ld_so_cache_t;
8fd36732	13	files_type(ld_so_cache_t)
b4cd1533	14
48e0dbd6	15	#
b4cd1533 CP	16	# ld_so_t is the type of the system dynamic loaders.
	17	#
	18	type ld_so_t;
8fd36732	19	files_type(ld_so_t)
b4cd1533	20
19b2dee3 CP	21	type ldconfig_t;
	22	type ldconfig_exec_t;
	23	init_system_domain(ldconfig_t,ldconfig_exec_t)
	24	role system_r types ldconfig_t;
	25
	26	type ldconfig_tmp_t;
	27	files_tmp_file(ldconfig_tmp_t)
	28
b4cd1533 CP	29	#
	30	# lib_t is the type of files in the system lib directories.
	31	#
350b6ab7	32	type lib_t alias shlib_t;
8fd36732	33	files_type(lib_t)
b4cd1533	34
b4cd1533	35	#
0c4bf1c5	36	# textrel_shlib_t is the type of shared objects in the system lib
b4cd1533 CP	37	# directories, which require text relocation.
b4cd1533 CP	38	#
a324ef13 CP	39	type textrel_shlib_t alias texrel_shlib_t;
a324ef13 CP	40	files_type(textrel_shlib_t)
48e0dbd6 CP	41
	42	########################################
	43	#
	44	# ldconfig local policy
	45	#
19b2dee3 CP	46
19b2dee3 CP	47	allow ldconfig_t self:capability sys_chroot;
48e0dbd6	48
c0868a7a	49	allow ldconfig_t ld_so_cache_t:file manage_file_perms;
103fe280	50	files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
48e0dbd6	51
19b2dee3 CP	52	manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
19b2dee3 CP	53	manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
d534d35a CP	54	manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
d534d35a CP	55	files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
19b2dee3	56
c0868a7a	57	manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
48e0dbd6 CP	58
	59	kernel_read_system_state(ldconfig_t)
	60
0fd9dc55	61	fs_getattr_xattr_fs(ldconfig_t)
48e0dbd6	62
15722ec9	63	domain_use_interactive_fds(ldconfig_t)
48e0dbd6	64
7a2f20a3	65	files_search_var_lib(ldconfig_t)
8fd36732	66	files_read_etc_files(ldconfig_t)
ebdc3b79	67	files_search_tmp(ldconfig_t)
b0d2243c	68	files_search_usr(ldconfig_t)
48e0dbd6	69	# for when /etc/ld.so.cache is mislabeled:
8fd36732	70	files_delete_etc_files(ldconfig_t)
48e0dbd6	71
1815bad1	72	init_use_script_ptys(ldconfig_t)
48e0dbd6	73
c0868a7a CP	74	libs_use_ld_so(ldconfig_t)
	75	libs_use_shared_libs(ldconfig_t)
	76
19b2dee3 CP	77	miscfiles_read_localization(ldconfig_t)
19b2dee3 CP	78
c9428d33	79	logging_send_syslog_msg(ldconfig_t)
48e0dbd6	80
15722ec9	81	userdom_use_all_users_fds(ldconfig_t)
48e0dbd6	82
a42ca7eb	83	ifdef(`hide_broken_symptoms',`
bb7170f6	84	optional_policy(`
1815bad1	85	unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
0c73cd25	86	')
48e0dbd6 CP	87	')
48e0dbd6 CP	88
bb7170f6	89	optional_policy(`
a42ca7eb	90	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
c6d4c8f1	91	apache_dontaudit_search_modules(ldconfig_t)
a42ca7eb	92	')
82e284bb CP	93
	94	optional_policy(`
	95	# When you install a kernel the postinstall builds a initrd image in tmp
	96	# and executes ldconfig on it. If you dont allow this kernel installs
	97	# blow up.
	98	rpm_manage_script_tmp_files(ldconfig_t)
	99	')