[people/stevee/selinux-policy.git] / policy / modules / system / libraries.te


policy_module(libraries, 2.6.0)

########################################
#
# Declarations
#

#
# ld_so_cache_t is the type of /etc/ld.so.cache.
#
type ld_so_cache_t;
files_type(ld_so_cache_t)

#
# ld_so_t is the type of the system dynamic loaders.
#
type ld_so_t;
files_type(ld_so_t)

type ldconfig_t;
type ldconfig_exec_t;
init_system_domain(ldconfig_t, ldconfig_exec_t)
role system_r types ldconfig_t;

type ldconfig_cache_t;
files_type(ldconfig_cache_t)

type ldconfig_tmp_t;
files_tmp_file(ldconfig_tmp_t)

#
# lib_t is the type of files in the system lib directories.
#
type lib_t alias shlib_t;
files_type(lib_t)

#
# textrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
type textrel_shlib_t alias texrel_shlib_t;
files_type(textrel_shlib_t)

ifdef(`distro_gentoo',`
	# openrc unfortunately mounts a tmpfs
	# at /lib/rc/
	files_mountpoint(lib_t)
')

optional_policy(`
	postgresql_loadable_module(lib_t)
	postgresql_loadable_module(textrel_shlib_t)
')

########################################
#
# ldconfig local policy
#

allow ldconfig_t self:capability sys_chroot;

manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)

allow ldconfig_t ld_so_cache_t:file manage_file_perms;
files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)

manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
manage_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
manage_lnk_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })

manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)

kernel_read_system_state(ldconfig_t)

fs_getattr_xattr_fs(ldconfig_t)

domain_use_interactive_fds(ldconfig_t)

files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_search_tmp(ldconfig_t)
files_search_usr(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled:
files_delete_etc_files(ldconfig_t)

init_use_script_ptys(ldconfig_t)

miscfiles_read_localization(ldconfig_t)

logging_send_syslog_msg(ldconfig_t)

userdom_use_user_terminals(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(ldconfig_t)
	')
')

ifdef(`hide_broken_symptoms',`
	optional_policy(`
		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
	')
')

optional_policy(`
	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
	apache_dontaudit_search_modules(ldconfig_t)
')

optional_policy(`
	apt_rw_pipes(ldconfig_t)
	apt_use_fds(ldconfig_t)
	apt_use_ptys(ldconfig_t)
')

optional_policy(`
	puppet_rw_tmp(ldconfig_t)
')

optional_policy(`
	# When you install a kernel the postinstall builds a initrd image in tmp 
	# and executes ldconfig on it. If you dont allow this kernel installs 
	# blow up.
	rpm_manage_script_tmp_files(ldconfig_t)
')
Commit	Line	Data
e181fe05	1
ed3a1f55	2	policy_module(libraries, 2.6.0)
960373dd	3
48e0dbd6 CP	4	########################################
	5	#
	6	# Declarations
	7	#
	8
b4cd1533 CP	9	#
	10	# ld_so_cache_t is the type of /etc/ld.so.cache.
	11	#
	12	type ld_so_cache_t;
8fd36732	13	files_type(ld_so_cache_t)
b4cd1533	14
48e0dbd6	15	#
b4cd1533 CP	16	# ld_so_t is the type of the system dynamic loaders.
	17	#
	18	type ld_so_t;
8fd36732	19	files_type(ld_so_t)
b4cd1533	20
19b2dee3 CP	21	type ldconfig_t;
19b2dee3 CP	22	type ldconfig_exec_t;
3f67f722	23	init_system_domain(ldconfig_t, ldconfig_exec_t)
19b2dee3 CP	24	role system_r types ldconfig_t;
19b2dee3 CP	25
9c4500b2 CP	26	type ldconfig_cache_t;
	27	files_type(ldconfig_cache_t)
	28
19b2dee3 CP	29	type ldconfig_tmp_t;
	30	files_tmp_file(ldconfig_tmp_t)
	31
b4cd1533 CP	32	#
	33	# lib_t is the type of files in the system lib directories.
	34	#
350b6ab7	35	type lib_t alias shlib_t;
8fd36732	36	files_type(lib_t)
b4cd1533	37
b4cd1533	38	#
0c4bf1c5	39	# textrel_shlib_t is the type of shared objects in the system lib
b4cd1533 CP	40	# directories, which require text relocation.
b4cd1533 CP	41	#
a324ef13 CP	42	type textrel_shlib_t alias texrel_shlib_t;
a324ef13 CP	43	files_type(textrel_shlib_t)
48e0dbd6	44
4c92f08f CP	45	ifdef(`distro_gentoo',`
	46	# openrc unfortunately mounts a tmpfs
	47	# at /lib/rc/
	48	files_mountpoint(lib_t)
	49	')
	50
e8cb08ae CP	51	optional_policy(`
	52	postgresql_loadable_module(lib_t)
	53	postgresql_loadable_module(textrel_shlib_t)
	54	')
	55
48e0dbd6 CP	56	########################################
	57	#
	58	# ldconfig local policy
	59	#
19b2dee3 CP	60
19b2dee3 CP	61	allow ldconfig_t self:capability sys_chroot;
48e0dbd6	62
9c4500b2 CP	63	manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
9c4500b2 CP	64
c0868a7a	65	allow ldconfig_t ld_so_cache_t:file manage_file_perms;
3f67f722	66	files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
48e0dbd6	67
3f67f722 CP	68	manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
	69	manage_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
	70	manage_lnk_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
d534d35a	71	files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
19b2dee3	72
3f67f722	73	manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)
48e0dbd6 CP	74
	75	kernel_read_system_state(ldconfig_t)
	76
0fd9dc55	77	fs_getattr_xattr_fs(ldconfig_t)
48e0dbd6	78
15722ec9	79	domain_use_interactive_fds(ldconfig_t)
48e0dbd6	80
7a2f20a3	81	files_search_var_lib(ldconfig_t)
8fd36732	82	files_read_etc_files(ldconfig_t)
ebdc3b79	83	files_search_tmp(ldconfig_t)
b0d2243c	84	files_search_usr(ldconfig_t)
48e0dbd6	85	# for when /etc/ld.so.cache is mislabeled:
8fd36732	86	files_delete_etc_files(ldconfig_t)
48e0dbd6	87
1815bad1	88	init_use_script_ptys(ldconfig_t)
48e0dbd6	89
19b2dee3 CP	90	miscfiles_read_localization(ldconfig_t)
19b2dee3 CP	91
c9428d33	92	logging_send_syslog_msg(ldconfig_t)
48e0dbd6	93
296273a7	94	userdom_use_user_terminals(ldconfig_t)
15722ec9	95	userdom_use_all_users_fds(ldconfig_t)
48e0dbd6	96
12cf805e CP	97	ifdef(`distro_ubuntu',`
	98	optional_policy(`
	99	unconfined_domain(ldconfig_t)
	100	')
	101	')
	102
a42ca7eb	103	ifdef(`hide_broken_symptoms',`
bb7170f6	104	optional_policy(`
1815bad1	105	unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
0c73cd25	106	')
48e0dbd6 CP	107	')
48e0dbd6 CP	108
bb7170f6	109	optional_policy(`
a42ca7eb	110	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
c6d4c8f1	111	apache_dontaudit_search_modules(ldconfig_t)
a42ca7eb	112	')
82e284bb	113
e065ac8a CP	114	optional_policy(`
	115	apt_rw_pipes(ldconfig_t)
	116	apt_use_fds(ldconfig_t)
	117	apt_use_ptys(ldconfig_t)
	118	')
	119
e6d8fd1e CP	120	optional_policy(`
	121	puppet_rw_tmp(ldconfig_t)
	122	')
	123
82e284bb CP	124	optional_policy(`
82e284bb CP	125	# When you install a kernel the postinstall builds a initrd image in tmp
ff8f0a63	126	# and executes ldconfig on it. If you dont allow this kernel installs
82e284bb CP	127	# blow up.
	128	rpm_manage_script_tmp_files(ldconfig_t)
	129	')