trunk: merge strict and targeted policies. merge shlib_t into lib_t.
author: Chris PeBenito <cpebenito@tresys.com>
Tue, 2 Oct 2007 16:04:50 +0000 (16:04 +0000)
committer: Chris PeBenito <cpebenito@tresys.com>
Tue, 2 Oct 2007 16:04:50 +0000 (16:04 +0000)
299 files changed:
Changelog
Makefile
README
build.conf
config/appconfig-mcs/dbus_contexts [moved from config/appconfig-strict-mcs/dbus_contexts with 100% similarity]
config/appconfig-mcs/default_contexts [new file with mode: 0644]
config/appconfig-mcs/default_type [moved from config/appconfig-strict-mcs/default_type with 64% similarity]
config/appconfig-mcs/failsafe_context [moved from config/appconfig-strict-mcs/failsafe_context with 100% similarity]
config/appconfig-mcs/initrc_context [moved from config/appconfig-strict-mcs/initrc_context with 100% similarity]
config/appconfig-mcs/media [moved from config/appconfig-strict-mcs/media with 100% similarity]
config/appconfig-mcs/removable_context [moved from config/appconfig-strict-mcs/removable_context with 100% similarity]
config/appconfig-mcs/root_default_contexts [new file with mode: 0644]
config/appconfig-mcs/seusers [moved from config/appconfig-strict-mcs/seusers with 100% similarity]
config/appconfig-mcs/userhelper_context [moved from config/appconfig-strict-mcs/userhelper_context with 100% similarity]
config/appconfig-mls/dbus_contexts [moved from config/appconfig-strict-mls/dbus_contexts with 100% similarity]
config/appconfig-mls/default_contexts [new file with mode: 0644]
config/appconfig-mls/default_type [moved from config/appconfig-strict-mls/default_type with 77% similarity]
config/appconfig-mls/failsafe_context [moved from config/appconfig-strict-mls/failsafe_context with 100% similarity]
config/appconfig-mls/initrc_context [moved from config/appconfig-strict-mls/initrc_context with 100% similarity]
config/appconfig-mls/media [moved from config/appconfig-strict-mls/media with 100% similarity]
config/appconfig-mls/removable_context [moved from config/appconfig-strict-mls/removable_context with 100% similarity]
config/appconfig-mls/root_default_contexts [new file with mode: 0644]
config/appconfig-mls/seusers [moved from config/appconfig-strict-mls/seusers with 100% similarity]
config/appconfig-mls/userhelper_context [moved from config/appconfig-strict-mls/userhelper_context with 100% similarity]
config/appconfig-standard/dbus_contexts [moved from config/appconfig-strict/dbus_contexts with 100% similarity]
config/appconfig-standard/default_contexts [new file with mode: 0644]
config/appconfig-standard/default_type [moved from config/appconfig-strict/default_type with 64% similarity]
config/appconfig-standard/failsafe_context [moved from config/appconfig-strict/failsafe_context with 100% similarity]
config/appconfig-standard/initrc_context [moved from config/appconfig-strict/initrc_context with 100% similarity]
config/appconfig-standard/media [moved from config/appconfig-strict/media with 100% similarity]
config/appconfig-standard/removable_context [moved from config/appconfig-strict/removable_context with 100% similarity]
config/appconfig-standard/root_default_contexts [new file with mode: 0644]
config/appconfig-standard/seusers [moved from config/appconfig-strict/seusers with 100% similarity]
config/appconfig-standard/userhelper_context [moved from config/appconfig-strict/userhelper_context with 100% similarity]
config/appconfig-strict-mcs/default_contexts [deleted file]
config/appconfig-strict-mcs/root_default_contexts [deleted file]
config/appconfig-strict-mls/default_contexts [deleted file]
config/appconfig-strict-mls/root_default_contexts [deleted file]
config/appconfig-strict/default_contexts [deleted file]
config/appconfig-strict/root_default_contexts [deleted file]
config/appconfig-targeted-mcs/dbus_contexts [deleted file]
config/appconfig-targeted-mcs/default_contexts [deleted file]
config/appconfig-targeted-mcs/default_type [deleted file]
config/appconfig-targeted-mcs/failsafe_context [deleted file]
config/appconfig-targeted-mcs/initrc_context [deleted file]
config/appconfig-targeted-mcs/media [deleted file]
config/appconfig-targeted-mcs/removable_context [deleted file]
config/appconfig-targeted-mcs/root_default_contexts [deleted file]
config/appconfig-targeted-mcs/seusers [deleted file]
config/appconfig-targeted-mcs/userhelper_context [deleted file]
config/appconfig-targeted-mls/dbus_contexts [deleted file]
config/appconfig-targeted-mls/default_contexts [deleted file]
config/appconfig-targeted-mls/default_type [deleted file]
config/appconfig-targeted-mls/failsafe_context [deleted file]
config/appconfig-targeted-mls/initrc_context [deleted file]
config/appconfig-targeted-mls/media [deleted file]
config/appconfig-targeted-mls/removable_context [deleted file]
config/appconfig-targeted-mls/root_default_contexts [deleted file]
config/appconfig-targeted-mls/seusers [deleted file]
config/appconfig-targeted-mls/userhelper_context [deleted file]
config/appconfig-targeted/dbus_contexts [deleted file]
config/appconfig-targeted/default_contexts [deleted file]
config/appconfig-targeted/default_type [deleted file]
config/appconfig-targeted/failsafe_context [deleted file]
config/appconfig-targeted/initrc_context [deleted file]
config/appconfig-targeted/media [deleted file]
config/appconfig-targeted/removable_context [deleted file]
config/appconfig-targeted/root_default_contexts [deleted file]
config/appconfig-targeted/seusers [deleted file]
config/appconfig-targeted/userhelper_context [deleted file]
policy/constraints
policy/global_booleans
policy/global_tunables
policy/modules/admin/acct.te
policy/modules/admin/apt.te
policy/modules/admin/bootloader.te
policy/modules/admin/brctl.te
policy/modules/admin/consoletype.te
policy/modules/admin/dmesg.if
policy/modules/admin/dmesg.te
policy/modules/admin/dmidecode.te
policy/modules/admin/dpkg.te
policy/modules/admin/firstboot.te
policy/modules/admin/kudzu.te
policy/modules/admin/mrtg.te
policy/modules/admin/netutils.te
policy/modules/admin/portage.te
policy/modules/admin/prelink.if
policy/modules/admin/prelink.te
policy/modules/admin/quota.te
policy/modules/admin/readahead.te
policy/modules/admin/rpm.te
policy/modules/admin/su.if
policy/modules/admin/sxid.te
policy/modules/admin/tzdata.if
policy/modules/admin/tzdata.te
policy/modules/admin/updfstab.te
policy/modules/apps/ada.fc
policy/modules/apps/ada.if
policy/modules/apps/ada.te
policy/modules/apps/cdrecord.te
policy/modules/apps/ethereal.fc
policy/modules/apps/evolution.fc
policy/modules/apps/games.te
policy/modules/apps/gift.fc
policy/modules/apps/gnome.fc
policy/modules/apps/gpg.fc
policy/modules/apps/irc.fc
policy/modules/apps/java.if
policy/modules/apps/java.te
policy/modules/apps/loadkeys.if
policy/modules/apps/loadkeys.te
policy/modules/apps/mono.te
policy/modules/apps/mozilla.fc
policy/modules/apps/mozilla.if
policy/modules/apps/mozilla.te
policy/modules/apps/mplayer.fc
policy/modules/apps/mplayer.te
policy/modules/apps/screen.fc
policy/modules/apps/thunderbird.fc
policy/modules/apps/uml.fc
policy/modules/apps/uml.te
policy/modules/apps/vmware.fc
policy/modules/apps/vmware.te
policy/modules/apps/webalizer.te
policy/modules/apps/wine.te
policy/modules/kernel/corecommands.fc
policy/modules/kernel/corecommands.if
policy/modules/kernel/domain.if
policy/modules/kernel/domain.te
policy/modules/kernel/files.if
policy/modules/kernel/files.te
policy/modules/kernel/kernel.te
policy/modules/kernel/terminal.te
policy/modules/services/amavis.te
policy/modules/services/apache.fc
policy/modules/services/apache.te
policy/modules/services/apcupsd.te
policy/modules/services/apm.te
policy/modules/services/arpwatch.te
policy/modules/services/asterisk.te
policy/modules/services/audioentropy.te
policy/modules/services/automount.te
policy/modules/services/avahi.te
policy/modules/services/bind.te
policy/modules/services/bluetooth.if
policy/modules/services/bluetooth.te
policy/modules/services/canna.te
policy/modules/services/ccs.te
policy/modules/services/cipe.te
policy/modules/services/clamav.te
policy/modules/services/courier.if
policy/modules/services/cpucontrol.te
policy/modules/services/cron.if
policy/modules/services/cron.te
policy/modules/services/cups.te
policy/modules/services/cyrus.te
policy/modules/services/dante.te
policy/modules/services/dbus.if
policy/modules/services/dbus.te
policy/modules/services/dcc.te
policy/modules/services/ddclient.te
policy/modules/services/dhcp.te
policy/modules/services/dictd.te
policy/modules/services/distcc.te
policy/modules/services/dnsmasq.te
policy/modules/services/dovecot.te
policy/modules/services/fail2ban.te
policy/modules/services/fetchmail.te
policy/modules/services/finger.te
policy/modules/services/ftp.if
policy/modules/services/ftp.te
policy/modules/services/gatekeeper.te
policy/modules/services/gpm.te
policy/modules/services/hal.te
policy/modules/services/howl.te
policy/modules/services/i18n_input.te
policy/modules/services/imaze.te
policy/modules/services/inetd.te
policy/modules/services/inn.te
policy/modules/services/ircd.te
policy/modules/services/irqbalance.te
policy/modules/services/jabber.te
policy/modules/services/kerberos.te
policy/modules/services/ktalk.te
policy/modules/services/ldap.te
policy/modules/services/lpd.te
policy/modules/services/monop.te
policy/modules/services/mta.if
policy/modules/services/mta.te
policy/modules/services/munin.te
policy/modules/services/mysql.te
policy/modules/services/nagios.te
policy/modules/services/nessus.te
policy/modules/services/networkmanager.te
policy/modules/services/nis.te
policy/modules/services/nscd.te
policy/modules/services/nsd.te
policy/modules/services/ntop.te
policy/modules/services/ntp.te
policy/modules/services/oav.te
policy/modules/services/oddjob.te
policy/modules/services/openct.te
policy/modules/services/openvpn.te
policy/modules/services/pcscd.te
policy/modules/services/pegasus.te
policy/modules/services/perdition.te
policy/modules/services/portmap.te
policy/modules/services/portslave.te
policy/modules/services/postfix.if
policy/modules/services/postfix.te
policy/modules/services/postgresql.te
policy/modules/services/postgrey.te
policy/modules/services/ppp.te
policy/modules/services/privoxy.te
policy/modules/services/pxe.te
policy/modules/services/pyzor.fc
policy/modules/services/pyzor.if
policy/modules/services/pyzor.te
policy/modules/services/radius.te
policy/modules/services/radvd.te
policy/modules/services/razor.fc
policy/modules/services/rdisc.te
policy/modules/services/remotelogin.te
policy/modules/services/resmgr.te
policy/modules/services/rhgb.te
policy/modules/services/ricci.te
policy/modules/services/roundup.te
policy/modules/services/rpc.if
policy/modules/services/rpc.te
policy/modules/services/rshd.te
policy/modules/services/rwho.te
policy/modules/services/samba.if
policy/modules/services/samba.te
policy/modules/services/sasl.te
policy/modules/services/sendmail.te
policy/modules/services/setroubleshoot.te
policy/modules/services/slrnpull.te
policy/modules/services/smartmon.te
policy/modules/services/snmp.te
policy/modules/services/snort.te
policy/modules/services/soundserver.te
policy/modules/services/spamassassin.fc
policy/modules/services/spamassassin.if
policy/modules/services/spamassassin.te
policy/modules/services/speedtouch.te
policy/modules/services/squid.te
policy/modules/services/ssh.fc
policy/modules/services/ssh.te
policy/modules/services/stunnel.te
policy/modules/services/tftp.te
policy/modules/services/timidity.te
policy/modules/services/transproxy.te
policy/modules/services/uptime.te
policy/modules/services/uucp.te
policy/modules/services/uwimap.te
policy/modules/services/watchdog.te
policy/modules/services/xfs.te
policy/modules/services/xprint.te
policy/modules/services/xserver.fc
policy/modules/services/xserver.if
policy/modules/services/xserver.te
policy/modules/services/zabbix.te
policy/modules/services/zebra.te
policy/modules/system/authlogin.if
policy/modules/system/authlogin.te
policy/modules/system/clock.te
policy/modules/system/fstools.te
policy/modules/system/getty.te
policy/modules/system/hotplug.te
policy/modules/system/init.fc
policy/modules/system/init.if
policy/modules/system/init.te
policy/modules/system/ipsec.te
policy/modules/system/iptables.te
policy/modules/system/iscsi.te
policy/modules/system/libraries.fc
policy/modules/system/libraries.if
policy/modules/system/libraries.te
policy/modules/system/locallogin.te
policy/modules/system/logging.te
policy/modules/system/lvm.te
policy/modules/system/modutils.te
policy/modules/system/mount.if
policy/modules/system/mount.te
policy/modules/system/pcmcia.te
policy/modules/system/raid.te
policy/modules/system/selinuxutil.te
policy/modules/system/sysnetwork.te
policy/modules/system/udev.te
policy/modules/system/unconfined.fc
policy/modules/system/unconfined.if
policy/modules/system/unconfined.te
policy/modules/system/userdomain.if
policy/modules/system/userdomain.te
policy/modules/system/xen.te
policy/rolemap
policy/users
support/Makefile.devel

index 880d9aef31af2febf31e813f020180c0864a322b..2cba6d7f9c019c34df41c8f06ffcf24fb888db67 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,9 @@
+- Merge shlib_t into lib_t.
+- Merge strict and targeted policies.  The policy will now behave like the
+  strict policy if the unconfined module is not present.  If it is, it will
+  behave like the targeted policy.  Added an unconfined role to have a mix
+  of confined and unconfined users.
+
 * Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
 - Add support for setting the unknown permissions handling.
 - Fix XML building for external reference builds and headers builds.
index 2708a782962732315936bff991f756a60dfe3f2a..df6806ed44e8a16a7503018e45b36eff05b42839 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -158,18 +158,8 @@ modpkgdir = $(sharedir)/$(strip $(NAME))
 headerdir = $(modpkgdir)/include
 docsdir = $(prefix)/share/doc/$(PKGNAME)
 
-# compile strict policy if requested.
-ifneq ($(findstring strict,$(TYPE)),)
-       M4PARAM += -D strict_policy
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
-       M4PARAM += -D targeted_policy
-endif
-
 # enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
        M4PARAM += -D enable_mls
        CHECKPOLICY += -M
        CHECKMODULE += -M
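Review bot: Replacing `findstring` with the exact `ifeq "$(TYPE)" "mls"` means a TYPE value outside the three new names — a typo, or a `strict-mls`/`targeted-mls` left in an existing build.conf, which the old `findstring -mls` test accepted — now matches neither block, and the build silently proceeds as a non-MLS/non-MCS policy with `-M` dropped from checkpolicy and checkmodule. Old configurations are therefore exactly the ones that will hit this without an error. I'd add a guard before the MLS block: `ifeq ($(filter $(TYPE),standard mls mcs),)` / `$(error Unknown TYPE "$(TYPE)"; expected standard, mls or mcs)` / `endif`. The rest of the Makefile is outside this hunk, so if a later rule (the appconfig-$(TYPE) install path, say) already fails on an unknown TYPE this would only move the failure to configure time, which is still where you want it.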
@@ -177,7 +167,7 @@ ifneq ($(findstring -mls,$(TYPE)),)
 endif
 
 # enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
        M4PARAM += -D enable_mcs
        CHECKPOLICY += -M
        CHECKMODULE += -M
diff --git a/README b/README
index 6901c335ff96c7193f2a99bf3a5f1e7f03461f3a..f4d8b214ac8c40d1f6414ee8e824edfe1595b74c 100644 (file)
--- a/README
+++ b/README
@@ -83,13 +83,10 @@ restorelabels               Relabel the filesystem and report each file that is
 
 2) Reference Policy Build Options (build.conf)
 
-TYPE                   String.  Available options are strict, targeted,
-                       strict-mls, targeted-mls, strict-mcs, and targeted-mcs.
-                       This sets the policy type as strict or targeted, and
-                       optionally enables multi-leve security (MLS) or
+TYPE                   String.  Available options are standard, mls, and mcs.
+                       This optionally enables multi-level security (MLS) or
                        multi-category security (MCS) features.  This option
-                       controls strict_policy, targeted_policy, enable_mls,
-                       and enable_mcs policy blocks.
+                       controls enable_mls, and enable_mcs policy blocks.
 
 NAME                   String (optional).  Sets the name of the policy; the
                        NAME is used when installing files to e.g.,
@@ -136,8 +133,7 @@ Rules.modular               Makefile rules specific to building loadable module
 Rules.monolithic       Makefile rules specific to building monolithic policies.
 
 build.conf             Options which influence the building of the policy,
-                       such as the policy type (strict, targeted, etc.)
-                       and distribution.
+                       such as the policy type and distribution.
 
 config/appconfig-*     Application configuration files for all configurations
                        of the Reference Policy (targeted/strict with or without
index b824ee5055e801824defef9210a2a4e94151b332..7ebbb8b795e3e130752b84f913dc28daf1e809ad 100644 (file)
 #OUTPUT_POLICY = 18
 
 # Policy Type
-# strict, targeted,
-# strict-mls, targeted-mls,
-# strict-mcs, targeted-mcs
-TYPE = strict
+# standard, mls, mcs
+TYPE = standard
 
 # Policy Name
 # If set, this will be used as the policy
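Review bot: The `# standard, mls, mcs` comment above `TYPE = standard` no longer tells the reader where strict-vs-targeted behaviour is decided, which used to be the main thing this setting controlled. Per the Changelog in this commit that choice now depends on whether the unconfined module is present in the built policy, not on TYPE. I'd extend the comment to `# standard, mls, mcs (strict vs. targeted behaviour is no longer selected here; it depends on whether the unconfined module is included in the build)` so the next person editing build.conf does not look for a removed option.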
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
new file mode 100644 (file)
index 0000000..c2b7a80
--- /dev/null
@@ -0,0 +1,15 @@
+system_r:crond_t:s0            user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:local_login_t:s0      user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0     user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0             user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0          sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0              user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0          user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0                sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0                user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0      sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0            user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0          sysadm_r:sysadm_t:s0 user_r:user_t:s0
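Review bot: The `system_r:remote_login_t:s0` entry on the third line hands out `unconfined_r:unconfined_t:s0` while still withholding `sysadm_r:sysadm_t:s0`, so the strict-policy rule that a remote (rlogin/telnet-style) login cannot land in the admin role is undercut for any login identity whose role set includes unconfined_r — that identity ends up with no confinement at all rather than with sysadm. The deleted strict-mcs file ended that line at staff_r. Unless this is deliberate, I'd trim it to `system_r:remote_login_t:s0     user_r:user_t:s0 staff_r:staff_t:s0` and leave unconfined_r reachable through local_login_t and sshd_t only; if it is deliberate, a comment above the line saying so would stop the next reader from "fixing" it. Which candidate is actually picked depends on the roles the seusers/users mapping authorizes for the identity, which is outside this file.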
similarity index 64%
rename from config/appconfig-strict-mcs/default_type
rename to config/appconfig-mcs/default_type
index 5212ca400bb8012f96cad3e63087a83d519734e4..a39710f7a4075edacd2a241390199d4ccbed6c5e 100644 (file)
@@ -1,3 +1,4 @@
 sysadm_r:sysadm_t
 staff_r:staff_t
+unconfined_r:unconfined_t
 user_r:user_t
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
new file mode 100644 (file)
index 0000000..7f4a125
--- /dev/null
@@ -0,0 +1,11 @@
+system_r:crond_t:s0            unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:local_login_t:s0      unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0          unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0                unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0            unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0            unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
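Review bot: The comment `# Uncomment if you want to automatically login as sysadm_r` above the commented sshd_t line no longer describes it: that line now lists `unconfined_r:unconfined_t:s0` first, so uncommenting it would give a root ssh login an unconfined context whenever root is authorized for unconfined_r, and sysadm_r only as a fallback. The same ordering is used for the live local_login_t and crond_t entries above, so root's default on this policy is presumably unconfined, but root's actual role set comes from the users/seusers files, not from here. I'd rewrite the comment as `# Uncomment to let root log in over ssh directly in its default role (unconfined_r when root holds it, otherwise sysadm_r).`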
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
new file mode 100644 (file)
index 0000000..c2b7a80
--- /dev/null
@@ -0,0 +1,15 @@
+system_r:crond_t:s0            user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:local_login_t:s0      user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0     user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0             user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0          sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0              user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0          user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0                sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0                user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0      sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0            user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0          sysadm_r:sysadm_t:s0 user_r:user_t:s0
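Review bot: This file is the same blob as config/appconfig-mcs/default_contexts (both c2b7a80), and the pair it replaces were likewise identical (7bf43ff), which is how two hand-maintained copies drift apart on later edits. Since the only mcs/mls difference this commit introduces in these directories is in default_type, I'd either produce default_contexts for both from one source in the build or add a one-line header `# Keep in sync with config/appconfig-mcs/default_contexts` so the duplication is at least visible to the next editor. The remote_login_t line carries the same question as the mcs copy: it offers unconfined_r but not sysadm_r, so a remote login can reach the unconfined role while being barred from the admin one.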
similarity index 77%
rename from config/appconfig-strict-mls/default_type
rename to config/appconfig-mls/default_type
index c3315feeece4e40ba259f314fe520939a4f363dd..33528d61fd64ebc9625dbccd0c6abb1f2645f681 100644 (file)
@@ -1,5 +1,6 @@
-sysadm_r:sysadm_t
+auditadm_r:auditadm_t
 secadm_r:secadm_t
+sysadm_r:sysadm_t
 staff_r:staff_t
+unconfined_r:unconfined_t
 user_r:user_t
-auditadm_r:auditadm_t
diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts
new file mode 100644 (file)
index 0000000..7f4a125
--- /dev/null
@@ -0,0 +1,11 @@
+system_r:crond_t:s0            unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:local_login_t:s0      unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0          unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0                unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0            unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0            unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
new file mode 100644 (file)
index 0000000..4bb784d
--- /dev/null
@@ -0,0 +1,15 @@
+system_r:crond_t       user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t
+system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+system_r:remote_login_t        user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
+system_r:sshd_t                user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+system_r:sulogin_t     sysadm_r:sysadm_t
+system_r:xdm_t         user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+
+staff_r:staff_su_t     user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+staff_r:staff_sudo_t   sysadm_r:sysadm_t staff_r:staff_t
+
+sysadm_r:sysadm_su_t   user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
+
+user_r:user_su_t       user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+user_r:user_sudo_t     sysadm_r:sysadm_t user_r:user_t
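Review bot: As in the mcs/mls copies, the `system_r:remote_login_t` line offers `unconfined_r:unconfined_t` but not `sysadm_r:sysadm_t`, so the exclusion of the admin role from remote logins (kept from the deleted strict file, which ended the line at staff_r) can be sidestepped by any identity that holds unconfined_r, landing it in a context with no confinement at all. If the intent is that only local_login_t and sshd_t may start an unconfined session, the line should read `system_r:remote_login_t        user_r:user_t staff_r:staff_t`; if unconfined remote logins are intended, a comment saying so belongs above the line. Whether a given identity holds unconfined_r is decided by the users/seusers mapping, which is outside this file.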
similarity index 64%
rename from config/appconfig-strict/default_type
rename to config/appconfig-standard/default_type
index 5212ca400bb8012f96cad3e63087a83d519734e4..a39710f7a4075edacd2a241390199d4ccbed6c5e 100644 (file)
@@ -1,3 +1,4 @@
 sysadm_r:sysadm_t
 staff_r:staff_t
+unconfined_r:unconfined_t
 user_r:user_t
diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts
new file mode 100644 (file)
index 0000000..3806d33
--- /dev/null
@@ -0,0 +1,11 @@
+system_r:crond_t       unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+system_r:local_login_t  unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+staff_r:staff_su_t     unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+sysadm_r:sysadm_su_t   unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+user_r:user_su_t       unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t       unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
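Review bot: The `# Uncomment if you want to automatically login as sysadm_r` comment is stale for the line beneath it, which now lists `unconfined_r:unconfined_t` ahead of `sysadm_r:sysadm_t`; uncommenting it would put a root ssh login into the unconfined context whenever root is authorized for unconfined_r, with sysadm_r only as a fallback. The live local_login_t, crond_t and su entries above use the same unconfined-first ordering, so the comment should describe that rather than name sysadm_r. I'd change it to `# Uncomment to let root log in over ssh directly in its default role (unconfined_r when root holds it, otherwise sysadm_r).`; the same fix applies to the mcs and mls copies of this file in this commit.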
diff --git a/config/appconfig-strict-mcs/default_contexts b/config/appconfig-strict-mcs/default_contexts
deleted file mode 100644 (file)
index 7bf43ff..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t:s0  sysadm_r:sysadm_t:s0
-system_r:local_login_t:s0      staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
-system_r:remote_login_t:s0     user_r:user_t:s0 staff_r:staff_t:s0
-system_r:sshd_t:s0             user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0    user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
-system_r:xdm_t:s0              staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-staff_r:staff_su_t:s0  staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-sysadm_r:sysadm_su_t:s0        staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-user_r:user_su_t:s0    staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-sysadm_r:sysadm_sudo_t:s0      sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0        sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-user_r:user_sudo_t:s0  sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-strict-mcs/root_default_contexts b/config/appconfig-strict-mcs/root_default_contexts
deleted file mode 100644 (file)
index e9d95e8..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-system_r:crond_t:s0    sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-staff_r:staff_su_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0        sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0    sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-strict-mls/default_contexts b/config/appconfig-strict-mls/default_contexts
deleted file mode 100644 (file)
index 7bf43ff..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t:s0  sysadm_r:sysadm_t:s0
-system_r:local_login_t:s0      staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
-system_r:remote_login_t:s0     user_r:user_t:s0 staff_r:staff_t:s0
-system_r:sshd_t:s0             user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0    user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
-system_r:xdm_t:s0              staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-staff_r:staff_su_t:s0  staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-sysadm_r:sysadm_su_t:s0        staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-user_r:user_su_t:s0    staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-sysadm_r:sysadm_sudo_t:s0      sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0        sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-user_r:user_sudo_t:s0  sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-strict-mls/root_default_contexts b/config/appconfig-strict-mls/root_default_contexts
deleted file mode 100644 (file)
index e9d95e8..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-system_r:crond_t:s0    sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-staff_r:staff_su_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0        sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0    sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-strict/default_contexts b/config/appconfig-strict/default_contexts
deleted file mode 100644 (file)
index 3ea48aa..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t     sysadm_r:sysadm_t
-system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-system_r:remote_login_t        user_r:user_t staff_r:staff_t
-system_r:sshd_t                user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t               user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
-system_r:xdm_t         staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-staff_r:staff_su_t     staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-sysadm_r:sysadm_su_t   staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-user_r:user_su_t               staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
-staff_r:staff_sudo_t   sysadm_r:sysadm_t staff_r:staff_t
-user_r:user_sudo_t     sysadm_r:sysadm_t user_r:user_t
diff --git a/config/appconfig-strict/root_default_contexts b/config/appconfig-strict/root_default_contexts
deleted file mode 100644 (file)
index acdcc08..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t  sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-system_r:crond_t       sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
-staff_r:staff_su_t     sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-sysadm_r:sysadm_su_t   sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-user_r:user_su_t       sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/config/appconfig-targeted-mcs/dbus_contexts b/config/appconfig-targeted-mcs/dbus_contexts
deleted file mode 100644 (file)
index 116e684..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/config/appconfig-targeted-mcs/default_contexts b/config/appconfig-targeted-mcs/default_contexts
deleted file mode 100644 (file)
index b3dddce..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:crond_t:s0            system_r:unconfined_t:s0
-system_r:initrc_t:s0           system_r:unconfined_t:s0
-system_r:local_login_t:s0      system_r:unconfined_t:s0
-system_r:remote_login_t:s0     system_r:unconfined_t:s0
-system_r:rshd_t:s0             system_r:unconfined_t:s0
-system_r:sshd_t:s0             system_r:unconfined_t:s0
-system_r:sysadm_su_t:s0                system_r:unconfined_t:s0
-system_r:unconfined_t:s0       system_r:unconfined_t:s0
-system_r:xdm_t:s0              system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mcs/default_type b/config/appconfig-targeted-mcs/default_type
deleted file mode 100644 (file)
index 7ba74a9..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t
diff --git a/config/appconfig-targeted-mcs/failsafe_context b/config/appconfig-targeted-mcs/failsafe_context
deleted file mode 100644 (file)
index 30fd6c0..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mcs/initrc_context b/config/appconfig-targeted-mcs/initrc_context
deleted file mode 100644 (file)
index f185cd4..0000000
+++ /dev/null
@@ -1 +0,0 @@
-user_u:system_r:initrc_t:s0
diff --git a/config/appconfig-targeted-mcs/media b/config/appconfig-targeted-mcs/media
deleted file mode 100644 (file)
index 81f3463..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t:s0
-floppy system_u:object_r:removable_device_t:s0
-disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-targeted-mcs/removable_context b/config/appconfig-targeted-mcs/removable_context
deleted file mode 100644 (file)
index 7fcc56e..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t:s0
diff --git a/config/appconfig-targeted-mcs/root_default_contexts b/config/appconfig-targeted-mcs/root_default_contexts
deleted file mode 100644 (file)
index 7326fba..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-system_r:unconfined_t:s0       system_r:unconfined_t:s0
-system_r:initrc_t:s0   system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mcs/seusers b/config/appconfig-targeted-mcs/seusers
deleted file mode 100644 (file)
index ce614b4..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
diff --git a/config/appconfig-targeted-mcs/userhelper_context b/config/appconfig-targeted-mcs/userhelper_context
deleted file mode 100644 (file)
index 01f02a3..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:unconfined_t:s0      
diff --git a/config/appconfig-targeted-mls/dbus_contexts b/config/appconfig-targeted-mls/dbus_contexts
deleted file mode 100644 (file)
index 116e684..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/config/appconfig-targeted-mls/default_contexts b/config/appconfig-targeted-mls/default_contexts
deleted file mode 100644 (file)
index b3dddce..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:crond_t:s0            system_r:unconfined_t:s0
-system_r:initrc_t:s0           system_r:unconfined_t:s0
-system_r:local_login_t:s0      system_r:unconfined_t:s0
-system_r:remote_login_t:s0     system_r:unconfined_t:s0
-system_r:rshd_t:s0             system_r:unconfined_t:s0
-system_r:sshd_t:s0             system_r:unconfined_t:s0
-system_r:sysadm_su_t:s0                system_r:unconfined_t:s0
-system_r:unconfined_t:s0       system_r:unconfined_t:s0
-system_r:xdm_t:s0              system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mls/default_type b/config/appconfig-targeted-mls/default_type
deleted file mode 100644 (file)
index 7ba74a9..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t
diff --git a/config/appconfig-targeted-mls/failsafe_context b/config/appconfig-targeted-mls/failsafe_context
deleted file mode 100644 (file)
index 30fd6c0..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mls/initrc_context b/config/appconfig-targeted-mls/initrc_context
deleted file mode 100644 (file)
index 13645ea..0000000
+++ /dev/null
@@ -1 +0,0 @@
-user_u:system_r:initrc_t:s0-mls_systemhigh
diff --git a/config/appconfig-targeted-mls/media b/config/appconfig-targeted-mls/media
deleted file mode 100644 (file)
index 81f3463..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t:s0
-floppy system_u:object_r:removable_device_t:s0
-disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-targeted-mls/removable_context b/config/appconfig-targeted-mls/removable_context
deleted file mode 100644 (file)
index 7fcc56e..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t:s0
diff --git a/config/appconfig-targeted-mls/root_default_contexts b/config/appconfig-targeted-mls/root_default_contexts
deleted file mode 100644 (file)
index 7326fba..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-system_r:unconfined_t:s0       system_r:unconfined_t:s0
-system_r:initrc_t:s0   system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mls/seusers b/config/appconfig-targeted-mls/seusers
deleted file mode 100644 (file)
index 4e500b0..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-root:root:s0-mls_systemhigh
-__default__:user_u:s0
diff --git a/config/appconfig-targeted-mls/userhelper_context b/config/appconfig-targeted-mls/userhelper_context
deleted file mode 100644 (file)
index 01f02a3..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:unconfined_t:s0      
diff --git a/config/appconfig-targeted/dbus_contexts b/config/appconfig-targeted/dbus_contexts
deleted file mode 100644 (file)
index 116e684..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/config/appconfig-targeted/default_contexts b/config/appconfig-targeted/default_contexts
deleted file mode 100644 (file)
index d91373a..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:crond_t               system_r:unconfined_t
-system_r:initrc_t              system_r:unconfined_t
-system_r:local_login_t         system_r:unconfined_t
-system_r:remote_login_t                system_r:unconfined_t
-system_r:rshd_t                        system_r:unconfined_t
-system_r:sshd_t                        system_r:unconfined_t
-system_r:sysadm_su_t           system_r:unconfined_t
-system_r:unconfined_t          system_r:unconfined_t
-system_r:xdm_t                 system_r:unconfined_t
diff --git a/config/appconfig-targeted/default_type b/config/appconfig-targeted/default_type
deleted file mode 100644 (file)
index 7ba74a9..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t
diff --git a/config/appconfig-targeted/failsafe_context b/config/appconfig-targeted/failsafe_context
deleted file mode 100644 (file)
index 7ba74a9..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t
diff --git a/config/appconfig-targeted/initrc_context b/config/appconfig-targeted/initrc_context
deleted file mode 100644 (file)
index 505f810..0000000
+++ /dev/null
@@ -1 +0,0 @@
-user_u:system_r:initrc_t
diff --git a/config/appconfig-targeted/media b/config/appconfig-targeted/media
deleted file mode 100644 (file)
index de2a652..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t
-floppy system_u:object_r:removable_device_t
-disk system_u:object_r:fixed_disk_device_t
diff --git a/config/appconfig-targeted/removable_context b/config/appconfig-targeted/removable_context
deleted file mode 100644 (file)
index d4921f0..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t
diff --git a/config/appconfig-targeted/root_default_contexts b/config/appconfig-targeted/root_default_contexts
deleted file mode 100644 (file)
index 5e3e986..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-system_r:unconfined_t  system_r:unconfined_t
-system_r:initrc_t      system_r:unconfined_t
diff --git a/config/appconfig-targeted/seusers b/config/appconfig-targeted/seusers
deleted file mode 100644 (file)
index f7c5bd2..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-root:root
-__default__:user_u
diff --git a/config/appconfig-targeted/userhelper_context b/config/appconfig-targeted/userhelper_context
deleted file mode 100644 (file)
index 4d47460..0000000
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:unconfined_t 
index c1cb375ea1fae3c7f8e58fcc9248d5282dbaaa93..2e58eada18ae3fa6082d1acd880d9f10166edb97 100644 (file)
 #
 # SELinux process identity change constraint:
 #
-ifdef(`strict_policy',`
-       constrain process transition
-       (
-               u1 == u2
-
-               or ( t1 == can_change_process_identity and t2 == process_user_target )
-
-               or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
+constrain process transition
+(
+       u1 == u2
 
-               or ( t1 == can_system_change and u2 == system_u )
+       or ( t1 == can_change_process_identity and t2 == process_user_target )
 
-               or ( t1 == process_uncond_exempt )
-       );
-')
+               or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
 
-ifdef(`targeted_policy',`
-       constrain process transition
-       (
-               u1 == u2
+       or ( t1 == can_system_change and u2 == system_u )
 
-               or t1 == can_change_process_identity
-       );
-')
+       or ( t1 == process_uncond_exempt )
+);
 
 #
 # SELinux process role change constraint:
 #
+constrain process transition 
+(
+       r1 == r2 
 
-ifdef(`strict_policy',`
-       constrain process transition 
-       (
-               r1 == r2 
-
-               or ( t1 == can_change_process_role and t2 == process_user_target )
-
-                       or ( t1 == cron_source_domain and t2 == cron_job_domain )
-
-               or ( t1 == can_system_change and r2 == system_r )
+       or ( t1 == can_change_process_role and t2 == process_user_target )
 
-               or ( t1 == process_uncond_exempt )
-       );
-')
+       or ( t1 == cron_source_domain and t2 == cron_job_domain )
 
-ifdef(`targeted_policy',`
-       constrain process transition 
-       (
-               r1 == r2 
+       or ( t1 == can_system_change and r2 == system_r )
 
-               or t1 == can_change_process_role
-       );
-')
+       or ( t1 == process_uncond_exempt )
+);
 
 #
 # SELinux dynamic transition constraint:
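Review bot: The merged identity constraint keeps the strict form, so a domain that under the removed targeted branch satisfied it with `t1 == can_change_process_identity` alone now also needs a `process_user_target` target or the `process_uncond_exempt` attribute; nothing in this hunk shows that the unconfined domains carry that attribute, so it is worth confirming before the merge lands, otherwise uid changes from those domains are silently denied. Two style points in the new lines: the `or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )` clause is indented one level deeper than its sibling clauses and should sit at the same level as `or ( t1 == can_system_change and u2 == system_u )`, and `constrain process transition ` and `r1 == r2 ` in the role constraint carry trailing whitespace that should be trimmed.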
index 844fc7817e8a0293329f9dc7bc317b59dd45b27e..111d004caf3b79f25b7e799529be093546e5a981 100644 (file)
@@ -4,7 +4,6 @@
 # file should be used.
 #
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Enabling secure mode disallows programs, such as
@@ -13,7 +12,6 @@ ifdef(`strict_policy',`
 ## </p>
 ## </desc>
 gen_bool(secure_mode,false)
-')
 
 ## <desc>
 ## <p>
index 9a44314798aad4017c69f7b64d33df47acce28fd..7a1d85dca38272b2b3e1738f8b80d7d3afb80e83 100644 (file)
@@ -4,11 +4,6 @@
 # file should be used.
 #
 
-########################################
-#
-# Common tunables
-#
-
 ## <desc>
 ## <p>
 ## Allow making the heap executable.
@@ -67,6 +62,15 @@ gen_tunable(allow_ypbind,false)
 ## </desc>
 gen_tunable(global_ssp,false)
 
+## <desc>
+## <p>
+## Allow email client to various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+## </p>
+## </desc>
+gen_tunable(mail_read_content,false)
+
 ## <desc>
 ## <p>
 ## Allow nfs to be exported read/write.
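Review bot: The description added for `mail_read_content` is missing its verb — `## Allow email client to various content.` — and should read `## Allow email client to read various content.`. Because this tunable, like `read_untrusted_content` in the next hunk, is now declared for every policy flavor rather than only under `strict_policy`, this text is what administrators see in the generated tunable documentation, so it is worth correcting as part of the move.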
@@ -90,41 +94,26 @@ gen_tunable(read_default_t,false)
 
 ## <desc>
 ## <p>
-## Support NFS home directories
-## </p>
-## </desc>
-gen_tunable(use_nfs_home_dirs,false)
-
-## <desc>
-## <p>
-## Support SAMBA home directories
+## Allow applications to read untrusted content
+## If this is disallowed, Internet content has
+## to be manually relabeled for read access to be granted
 ## </p>
 ## </desc>
-gen_tunable(use_samba_home_dirs,false)
-
-########################################
-#
-# Strict policy specific
-#
+gen_tunable(read_untrusted_content,false)
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
-## Allow email client to various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
+## Support NFS home directories
 ## </p>
 ## </desc>
-gen_tunable(mail_read_content,false)
+gen_tunable(use_nfs_home_dirs,false)
 
 ## <desc>
 ## <p>
-## Allow applications to read untrusted content
-## If this is disallowed, Internet content has
-## to be manually relabeled for read access to be granted
+## Support SAMBA home directories
 ## </p>
 ## </desc>
-gen_tunable(read_untrusted_content,false)
+gen_tunable(use_samba_home_dirs,false)
 
 ## <desc>
 ## <p>
@@ -143,4 +132,3 @@ gen_tunable(user_tcp_server,false)
 ## </p>
 ## </desc>
 gen_tunable(write_untrusted_content,false)
-')
index 0529bb813008a2192fe62414de7d5d86ef10fdf0..5e34a60b57b5a500955deb311d34a56a974070a4 100644 (file)
@@ -69,12 +69,6 @@ miscfiles_read_localization(acct_t)
 userdom_dontaudit_search_sysadm_home_dirs(acct_t)
 userdom_dontaudit_use_unpriv_user_fds(acct_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(acct_t)
-       term_dontaudit_use_generic_ptys(acct_t)
-       files_dontaudit_read_root_files(acct_t)
-')
-
 optional_policy(`
        optional_policy(`
                # for monthly cron job
index 15a6c9845aad22310fdd32815ea0f5808cc00d70..5d2144344b1757fbd1a5e814633dd370e0425114 100644 (file)
@@ -113,10 +113,6 @@ seutil_use_newrole_fds(apt_t)
 
 sysnet_read_config(apt_t)
 
-ifdef(`targeted_policy',`
-       unconfined_domain(apt_t)
-')
-
 # with boolean, for cron-apt and such?
 #optional_policy(`
 #      cron_system_entry(apt_t,apt_exec_t)
@@ -137,3 +133,7 @@ optional_policy(`
        rpm_read_db(apt_t)
        rpm_domtrans(apt_t)
 ')
+
+optional_policy(`
+       unconfined_domain(apt_t)
+')
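Review bot: `unconfined_domain(apt_t)` is now applied whenever the unconfined module is present rather than only in a targeted build, so a policy that loads unconfined for a few domains but wants apt confined has no knob left. If that is the intended trade-off, a comment in the block would make it visible to the next reader, e.g. `# apt runs unconfined whenever the unconfined module is loaded`. The same module-presence gating is introduced in this commit for dpkg_t and dpkg_script_t, firstboot_t, kudzu_t, rpm_t and rpm_script_t, and $1_su_t, so one decision on documenting it applies to all of them.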
index 308dce2ed61ed579231c7a5468143d8ae0c6b3cc..c93344dbbe3f10539c99b519c76f671102eb4e41 100644 (file)
@@ -174,11 +174,6 @@ ifdef(`distro_redhat',`
        mount_domtrans(bootloader_t)
 ')
 
-ifdef(`targeted_policy',`
-       term_use_unallocated_ttys(bootloader_t)
-       term_use_generic_ptys(bootloader_t)
-')
-
 optional_policy(`
        fstools_exec(bootloader_t)
 ')
index 133cd2d020104853602454b85fecc2cb9fab21c9..98c54b54a6ceb6db358e676a47adc44baa36532c 100644 (file)
@@ -37,11 +37,6 @@ libs_use_shared_libs(brctl_t)
 
 miscfiles_read_localization(brctl_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(brctl_t)
-       term_dontaudit_use_generic_ptys(brctl_t)
-')
-
 optional_policy(`
        xen_append_log(brctl_t)
 ')
index 299f21f58db45b9becf59c9d4e607d1c5860cc31..400100d48ffda117b929b3c12c0e82586d9c173a 100644 (file)
@@ -10,14 +10,9 @@ type consoletype_t;
 type consoletype_exec_t;
 application_executable_file(consoletype_exec_t)
 init_domain(consoletype_t,consoletype_exec_t)
-mls_file_read_all_levels(consoletype_t)
-mls_file_write_all_levels(consoletype_t)
+init_system_domain(consoletype_t,consoletype_exec_t)
 role system_r types consoletype_t;
 
-ifdef(`targeted_policy',`',`
-       init_system_domain(consoletype_t,consoletype_exec_t)
-')
-
 ########################################
 #
 # Local declarations
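Review bot: `init_domain(consoletype_t,consoletype_exec_t)` and `role system_r types consoletype_t;` are kept alongside the now-unconditional `init_system_domain(consoletype_t,consoletype_exec_t)`, while the dmesg.te change in this same commit drops both and relies on `init_system_domain` alone. If `init_system_domain` wraps `init_domain` and assigns the system_r role, the two extra lines here are redundant and removing them would keep consoletype consistent with dmesg; confirm against init.if before deleting them, since losing the role assignment would break the init-script transition.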
@@ -44,6 +39,9 @@ fs_getattr_all_fs(consoletype_t)
 fs_search_auto_mountpoints(consoletype_t)
 fs_write_nfs_files(consoletype_t)
 
+mls_file_read_all_levels(consoletype_t)
+mls_file_write_all_levels(consoletype_t)
+
 term_use_console(consoletype_t)
 term_use_unallocated_ttys(consoletype_t)
 
@@ -60,10 +58,6 @@ files_list_usr(consoletype_t)
 libs_use_ld_so(consoletype_t)
 libs_use_shared_libs(consoletype_t)
 
-userdom_use_sysadm_terms(consoletype_t)
-userdom_use_sysadm_fds(consoletype_t)
-userdom_rw_sysadm_pipes(consoletype_t)
-
 ifdef(`distro_redhat',`
        fs_rw_tmpfs_chr_files(consoletype_t)
 ')
index dc2a3b635e92d328eda0b6a8df9a925928464e67..71081a8a092e87b22f7b25f11b5a5fe8dd80ce2c 100644 (file)
 ## </param>
 #
 interface(`dmesg_domtrans',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type dmesg_exec_t;
-               ')
-
-               # $0(): disabled in targeted policy as there
-               # is no dmesg domain.
-       ',`
-               gen_require(`
-                       type dmesg_t, dmesg_exec_t;
-               ')
-
-               corecmd_search_bin($1)
-               domain_auto_trans($1,dmesg_exec_t,dmesg_t)
-
-               allow $1 dmesg_t:fd use;
-               allow dmesg_t $1:fd use;
-               allow dmesg_t $1:fifo_file rw_file_perms;
-               allow dmesg_t $1:process sigchld;
+       gen_require(`
+               type dmesg_t, dmesg_exec_t;
        ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, dmesg_exec_t, dmesg_t)
 ')
 
 ########################################
@@ -45,16 +31,10 @@ interface(`dmesg_domtrans',`
 ## <rolecap/>
 #
 interface(`dmesg_exec',`
-       ifdef(`targeted_policy',`
-               # $0(): the dmesg program is an alias
-               # of generic bin programs.
-               corecmd_exec_bin($1)
-       ',`
-               gen_require(`
-                       type dmesg_exec_t;
-               ')
-
-               corecmd_search_bin($1)
-               can_exec($1,dmesg_exec_t)
+       gen_require(`
+               type dmesg_exec_t;
        ')
+
+       corecmd_search_bin($1)
+       can_exec($1,dmesg_exec_t)
 ')
index 150feec498f3880a6d5c3747096d58cd6fcf9c16..7d31ea088dd0b4b48f5746654f6f04a5b773cd5e 100644 (file)
@@ -6,69 +6,57 @@ policy_module(dmesg,1.0.0)
 # Declarations
 #
 
-ifdef(`strict_policy',`
-       type dmesg_t;
-       type dmesg_exec_t;
-       init_system_domain(dmesg_t,dmesg_exec_t)
-       role system_r types dmesg_t;
-')
-
-ifdef(`targeted_policy',`
-       # dmesg domain is disabled in the 
-       # targeted policy. for compatibility
-       # with strict:
-       corecmd_bin_alias(dmesg_exec_t)
-')
+type dmesg_t;
+type dmesg_exec_t;
+init_system_domain(dmesg_t,dmesg_exec_t)
 
 ########################################
 #
 # Local policy
 #
 
-ifdef(`strict_policy',`
-       allow dmesg_t self:capability sys_admin;
-       dontaudit dmesg_t self:capability sys_tty_config;
+allow dmesg_t self:capability sys_admin;
+dontaudit dmesg_t self:capability sys_tty_config;
 
-       allow dmesg_t self:process signal_perms;
+allow dmesg_t self:process signal_perms;
 
-       kernel_read_kernel_sysctls(dmesg_t)
-       kernel_read_ring_buffer(dmesg_t)
-       kernel_clear_ring_buffer(dmesg_t)
-       kernel_change_ring_buffer_level(dmesg_t)
-       kernel_list_proc(dmesg_t)
-       kernel_read_proc_symlinks(dmesg_t)
+kernel_read_kernel_sysctls(dmesg_t)
+kernel_read_ring_buffer(dmesg_t)
+kernel_clear_ring_buffer(dmesg_t)
+kernel_change_ring_buffer_level(dmesg_t)
+kernel_list_proc(dmesg_t)
+kernel_read_proc_symlinks(dmesg_t)
 
-       dev_read_sysfs(dmesg_t)
+dev_read_sysfs(dmesg_t)
 
-       fs_search_auto_mountpoints(dmesg_t)
+fs_search_auto_mountpoints(dmesg_t)
 
-       term_dontaudit_use_console(dmesg_t)
+term_dontaudit_use_console(dmesg_t)
 
-       domain_use_interactive_fds(dmesg_t)
+domain_use_interactive_fds(dmesg_t)
 
-       files_list_etc(dmesg_t)
-       # for when /usr is not mounted:
-       files_dontaudit_search_isid_type_dirs(dmesg_t)
+files_list_etc(dmesg_t)
+# for when /usr is not mounted:
+files_dontaudit_search_isid_type_dirs(dmesg_t)
 
-       init_use_fds(dmesg_t)
-       init_use_script_ptys(dmesg_t)
+init_use_fds(dmesg_t)
+init_use_script_ptys(dmesg_t)
 
-       libs_use_ld_so(dmesg_t)
-       libs_use_shared_libs(dmesg_t)
+libs_use_ld_so(dmesg_t)
+libs_use_shared_libs(dmesg_t)
 
-       logging_send_syslog_msg(dmesg_t)
-       logging_write_generic_logs(dmesg_t)
+logging_send_syslog_msg(dmesg_t)
+logging_write_generic_logs(dmesg_t)
 
-       miscfiles_read_localization(dmesg_t)
+miscfiles_read_localization(dmesg_t)
 
-       userdom_use_sysadm_terms(dmesg_t)
-       userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+userdom_use_sysadm_terms(dmesg_t)
+userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
 
-       optional_policy(`
-               seutil_sigchld_newrole(dmesg_t)
-       ')
+optional_policy(`
+       seutil_sigchld_newrole(dmesg_t)
+')
 
-       optional_policy(`
-               udev_read_db(dmesg_t)
-       ')
+optional_policy(`
+       udev_read_db(dmesg_t)
 ')
index e7f5a84d6d99aa607b05f562abe1a3ce4e4873fd..1e170fc99311721bedbe481074a0632a22e24cfb 100644 (file)
@@ -31,8 +31,3 @@ libs_use_ld_so(dmidecode_t)
 libs_use_shared_libs(dmidecode_t)
 
 locallogin_use_fds(dmidecode_t)
-
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(dmidecode_t)
-       term_use_unallocated_ttys(dmidecode_t)
-')
index 170bb4f5a25f16fb76d4dcc5c7f35e27fb32be7b..829e2114955b05d7846bb16cb80c8c161356b919 100644 (file)
@@ -172,10 +172,6 @@ dpkg_domtrans_script(dpkg_t)
 # since the scripts aren't labeled correctly yet...
 allow dpkg_t dpkg_var_lib_t:file execute;
 
-ifdef(`targeted_policy',`
-       unconfined_domain(dpkg_t)
-')
-
 # TODO: allow?
 #optional_policy(`
 #      cron_system_entry(dpkg_t,dpkg_exec_t)
@@ -185,6 +181,10 @@ optional_policy(`
        nis_use_ypbind(dpkg_t)
 ')
 
+optional_policy(`
+       unconfined_domain(dpkg_t)
+')
+
 # TODO: the following was copied from dpkg_script_t, and could probably
 # be removed again when dpkg_script_t is actually used...
 domain_signal_all_domains(dpkg_t)
@@ -309,22 +309,14 @@ seutil_domtrans_setfiles(dpkg_script_t)
 
 userdom_use_all_users_fds(dpkg_script_t)
 
-ifdef(`distro_redhat',`
-       unconfined_domain(dpkg_script_t)
-')
-
-ifdef(`targeted_policy',`
-       unconfined_domain(dpkg_script_t)
-',`
-       optional_policy(`
-               bootloader_domtrans(dpkg_script_t)
-       ')
-')
-
 tunable_policy(`allow_execmem',`
        allow dpkg_script_t self:process execmem;
 ')
 
+optional_policy(`
+       bootloader_domtrans(dpkg_script_t)
+')
+
 optional_policy(`
        mta_send_mail(dpkg_script_t)
 ')
@@ -333,6 +325,10 @@ optional_policy(`
        nis_use_ypbind(dpkg_script_t)
 ')
 
+optional_policy(`
+       unconfined_domain(dpkg_script_t)
+')
+
 optional_policy(`
        usermanage_domtrans_groupadd(dpkg_script_t)
        usermanage_domtrans_useradd(dpkg_script_t)
index abde741f15b8fd8fa06d0bd126706a602987eb48..c61592b9323eb13ff30f56be213c61a448c8bbb5 100644 (file)
@@ -96,10 +96,6 @@ userdom_manage_generic_user_home_content_sockets(firstboot_t)
 userdom_home_filetrans_generic_user_home_dir(firstboot_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file })
 
-ifdef(`targeted_policy',`
-       unconfined_domtrans(firstboot_t)
-')
-
 optional_policy(`
        hal_dbus_chat(firstboot_t)
 ')
@@ -112,6 +108,10 @@ optional_policy(`
        samba_rw_config(firstboot_t)
 ')
 
+optional_policy(`
+       unconfined_domtrans(firstboot_t)
+')
+
 optional_policy(`
        usermanage_domtrans_chfn(firstboot_t)
        usermanage_domtrans_groupadd(firstboot_t)
index fb51cb35b302f4d94fd790b8a1ea53e7a3e0bccb..a9960437a0a14714e4e28784c4ae04726a343ffe 100644 (file)
@@ -125,19 +125,6 @@ sysnet_read_config(kudzu_t)
 userdom_search_sysadm_home_dirs(kudzu_t)
 userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
 
-ifdef(`targeted_policy',`
-        term_dontaudit_use_unallocated_ttys(kudzu_t)
-        term_dontaudit_use_generic_ptys(kudzu_t)
-        files_dontaudit_read_root_files(kudzu_t)
-
-       # cjp: this was originally in the else block
-       # of ifdef userhelper.te, but it seems to
-       # make more sense here.  also, require
-       # blocks curently do not work in the
-       # else block of optionals
-       unconfined_domain(kudzu_t)
-')
-
 optional_policy(`
        gpm_getattr_gpmctl(kudzu_t)
 ')
@@ -154,6 +141,15 @@ optional_policy(`
         udev_read_db(kudzu_t)
 ')
 
+optional_policy(`
+       # cjp: this was originally in the else block
+       # of ifdef userhelper.te, but it seems to
+       # make more sense here.  also, require
+       # blocks curently do not work in the
+       # else block of optionals
+       unconfined_domain(kudzu_t)
+')
+
 ifdef(`TODO',`
 allow kudzu_t modules_conf_t:file unlink;
 optional_policy(`
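Review bot: The comment carried into the new optional_policy block still contains the typo `curently` in `# blocks curently do not work in the`; since the block is being rewritten this is the moment to change it to `# blocks currently do not work in the`. The comment also still justifies the placement relative to an ifdef else block that this merge removes, so it may be worth trimming to the part that still applies, namely that require blocks do not work in the else branch of optionals.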
index 4128ad5e938576180d57179ad35faa4491118608..b02a0d36e9c632338c1d7db14fa41cbbdf58dab1 100644 (file)
@@ -126,12 +126,6 @@ ifdef(`distro_redhat',`
        filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file)
 ')
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(mrtg_t)
-       term_dontaudit_use_generic_ptys(mrtg_t)
-       files_dontaudit_read_root_files(mrtg_t)
-')
-
 optional_policy(`
        apache_manage_sys_content(mrtg_t)
 ')
index e8915d4c3eef2504274474ece9562a6224f3f301..985d9572a36af6726d097e11db6cdff223fe82eb 100644 (file)
@@ -6,14 +6,12 @@ policy_module(netutils,1.5.0)
 # Declarations
 #
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Control users use of ping and traceroute
 ## </p>
 ## </desc>
 gen_tunable(user_ping,false)
-')
 
 type netutils_t;
 type netutils_exec_t;
@@ -91,11 +89,6 @@ sysnet_read_config(netutils_t)
 
 userdom_use_all_users_fds(netutils_t)
 
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(netutils_t)
-       term_use_unallocated_ttys(netutils_t)
-')
-
 optional_policy(`
        nis_use_ypbind(netutils_t)
 ')
@@ -144,16 +137,9 @@ ifdef(`hide_broken_symptoms',`
        init_dontaudit_use_fds(ping_t)
 ')
 
-ifdef(`targeted_policy',`
-       term_use_unallocated_ttys(ping_t)
-       term_use_generic_ptys(ping_t)
+tunable_policy(`user_ping',`
        term_use_all_user_ttys(ping_t)
        term_use_all_user_ptys(ping_t)
-',`
-       tunable_policy(`user_ping',`
-               term_use_all_user_ttys(ping_t)
-               term_use_all_user_ptys(ping_t)
-       ')
 ')
 
 optional_policy(`
@@ -228,14 +214,9 @@ files_read_usr_files(traceroute_t)
 
 sysnet_read_config(traceroute_t)
 
-ifdef(`targeted_policy',`
-       term_use_unallocated_ttys(traceroute_t)
-       term_use_generic_ptys(traceroute_t)
-',`
-       tunable_policy(`user_ping',`
-               term_use_all_user_ttys(traceroute_t)
-               term_use_all_user_ptys(traceroute_t)
-       ')
+tunable_policy(`user_ping',`
+       term_use_all_user_ttys(traceroute_t)
+       term_use_all_user_ptys(traceroute_t)
 ')
 
 optional_policy(`
index 30c9dd020d642ddc45fac12cc47dc66f9dd9cf6f..e99dc8ce15a28dd09adf60325cf1c9f95edb1509 100644 (file)
@@ -104,7 +104,6 @@ libs_use_shared_libs(gcc_config_t)
 libs_read_lib_files(gcc_config_t)
 libs_domtrans_ldconfig(gcc_config_t)
 libs_manage_shared_libs(gcc_config_t)
-lib_filetrans_shared_lib(gcc_config_t,file)
 # gcc-config creates a temp dir for the libs
 libs_manage_lib_dirs(gcc_config_t)
 
index 78151ee4c4fa5d7781eed19204a8754a0ea50e22..cd667b6bd3700b1ba033766ab8ac88e39aebf90e 100644 (file)
@@ -19,6 +19,37 @@ interface(`prelink_domtrans',`
        domtrans_pattern($1, prelink_exec_t, prelink_t)
 ')
 
+########################################
+## <summary>
+##     Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to allow the prelink domain.
+##     </summary>
+## </param>
+## <param name="terminal">
+##     <summary>
+##     The type of the terminal allow the prelink domain to use.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`prelink_run',`
+       gen_require(`
+               type prelink_t;
+       ')
+
+       prelink_domtrans($1)
+       role $2 types prelink_t;
+       allow prelink_t $3:chr_file rw_term_perms;
+')
+
 ########################################
 ## <summary>
 ##     Make the specified file type prelinkable.
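Review bot: The `terminal` parameter summary in the new `prelink_run` interface, `The type of the terminal allow the prelink domain to use.`, is missing a word and reads more clearly as `##	The type of the terminal to allow the prelink domain to use.`. The rules themselves follow the usual run-interface shape (domain transition, role assignment, `rw_term_perms` on the caller's terminal), so the only change needed is the wording.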
index 1a8d3f232978f0a6aa680c2ac821e60e84328d04..039d92f39cf0de804e38637308edaedea77a49ed 100644 (file)
@@ -77,23 +77,10 @@ libs_relabel_ld_so(prelink_t)
 libs_use_shared_libs(prelink_t)
 libs_manage_shared_libs(prelink_t)
 libs_relabel_shared_libs(prelink_t)
-libs_use_lib_files(prelink_t)
-libs_manage_lib_files(prelink_t)
-libs_relabel_lib_files(prelink_t)
 libs_delete_lib_symlinks(prelink_t)
 
 miscfiles_read_localization(prelink_t)
 
-ifdef(`targeted_policy',`
-       term_use_unallocated_ttys(prelink_t)
-       term_use_generic_ptys(prelink_t)
-
-       # prelink executables in the user homedir
-       userdom_manage_generic_user_home_content_files(prelink_t)
-       userdom_mmap_generic_user_home_content_files(prelink_t)
-       userdom_dontaudit_relabel_generic_user_home_content_files(prelink_t)
-')
-
 optional_policy(`
        amanda_manage_lib(prelink_t)
 ')
index c52b0d2f55918d16c1288edf11ce58db676b21c3..57b4f4c90614e02f3da862b424f6311a2b0ed552 100644 (file)
@@ -77,12 +77,6 @@ logging_send_syslog_msg(quota_t)
 
 userdom_dontaudit_use_unpriv_user_fds(quota_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(quota_t)
-       term_dontaudit_use_generic_ptys(quota_t)
-       files_dontaudit_read_root_files(quota_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(quota_t)
 ')
index beccc8a1fef0cb26a2426825ed68236f1200ac54..db35cc46ad2bb1aa43d84601f71f74b0c7067d08 100644 (file)
@@ -81,12 +81,6 @@ miscfiles_read_localization(readahead_t)
 userdom_dontaudit_use_unpriv_user_fds(readahead_t)
 userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
 
-ifdef(`targeted_policy',`
-       files_dontaudit_read_root_files(readahead_t)
-       term_dontaudit_use_unallocated_ttys(readahead_t)
-       term_dontaudit_use_generic_ptys(readahead_t)
-')
-
 optional_policy(`
        cron_system_entry(readahead_t, readahead_exec_t)
 ')
index 762f51918239ea8f5258c5f67346c61d724bf885..56574ff90096ac5e7b913eea073052567167a310 100644 (file)
@@ -71,6 +71,9 @@ allow rpm_t self:msg { send receive };
 allow rpm_t self:dir search;
 allow rpm_t self:file rw_file_perms;;
 
+allow rpm_t rpm_log_t:file manage_file_perms;
+logging_log_filetrans(rpm_t,rpm_log_t,file)
+
 manage_dirs_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
 manage_files_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
 files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
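Review bot: `allow rpm_t rpm_log_t:file manage_file_perms;` and `logging_log_filetrans(rpm_t,rpm_log_t,file)` become unconditional here, while the comment removed further down in this file explained they were kept out of the targeted policy because rpm_t was an alias of unconfined_t there and the type_transition would conflict. If that alias survives the merge in the unconfined module, the conflict returns with this hunk, so it is worth confirming the alias is gone or that the rules are compatible with it. Adjacent but pre-existing: the context line `allow rpm_t self:file rw_file_perms;;` carries a doubled semicolon that could be cleaned up while here.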
@@ -172,22 +175,6 @@ sysnet_read_config(rpm_t)
 
 userdom_use_unpriv_users_fds(rpm_t)
 
-ifdef(`distro_redhat',`
-       unconfined_domain(rpm_t)
-')
-
-ifdef(`targeted_policy',`
-       unconfined_domain(rpm_t)
-       # yum-updatesd requires this
-       unconfined_dbus_chat(rpm_t)
-',`
-       # cjp: these are here to stop type_transition
-       # conflicts since rpm_t is an alias of
-       # unconfined in the targeted policy
-       allow rpm_t rpm_log_t:file manage_file_perms;
-       logging_log_filetrans(rpm_t,rpm_log_t,file)
-')
-
 optional_policy(`
        cron_system_entry(rpm_t,rpm_exec_t)
 ')
@@ -204,6 +191,12 @@ optional_policy(`
        prelink_domtrans(rpm_t)
 ')
 
+optional_policy(`
+       unconfined_domain(rpm_t)
+       # yum-updatesd requires this
+       unconfined_dbus_chat(rpm_t)
+')
+
 ifdef(`TODO',`
 # read/write/create any files in the system
 dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
@@ -331,26 +324,6 @@ seutil_domtrans_semanage(rpm_script_t)
 
 userdom_use_all_users_fds(rpm_script_t)
 
-ifdef(`distro_redhat',`
-       unconfined_domain(rpm_script_t)
-')
-
-ifdef(`targeted_policy',`
-       unconfined_domain(rpm_script_t)
-
-       optional_policy(`
-               java_domtrans(rpm_script_t)
-       ')
-
-       optional_policy(`
-               mono_domtrans(rpm_script_t)
-       ')
-
-       optional_policy(`
-               unconfined_domtrans(rpm_script_t)
-       ')
-')
-
 ifdef(`distro_redhat',`
        optional_policy(`
                mta_send_mail(rpm_script_t)
@@ -374,6 +347,19 @@ optional_policy(`
        tzdata_domtrans(rpm_script_t)
 ')
 
+optional_policy(`
+       unconfined_domain(rpm_script_t)
+       unconfined_domtrans(rpm_script_t)
+
+       optional_policy(`
+               java_domtrans(rpm_script_t)
+       ')
+
+       optional_policy(`
+               mono_domtrans(rpm_script_t)
+       ')
+')
+
 optional_policy(`
        usermanage_domtrans_groupadd(rpm_script_t)
        usermanage_domtrans_useradd(rpm_script_t)
index 6c337fa0f51241f0626cd2db98fb209c903c7b0e..28c5785c361d4b7a59655d2271fb8f8836942a16 100644 (file)
@@ -254,35 +254,20 @@ template(`su_per_role_template',`
                seutil_read_config($1_su_t)
                seutil_read_default_contexts($1_su_t)
 
-               ifdef(`strict_policy',`
-                       if(secure_mode) {
-                               # Only allow transitions to unprivileged user domains.
-                               userdom_spec_domtrans_unpriv_users($1_su_t)
-                       } else {
-                               # Allow transitions to all user domains
-                               userdom_spec_domtrans_all_users($1_su_t)
-                       }
-               ')
-
-               ifdef(`targeted_policy',`
+               if(secure_mode) {
+                       # Only allow transitions to unprivileged user domains.
+                       userdom_spec_domtrans_unpriv_users($1_su_t)
+               } else {
+                       # Allow transitions to all user domains
+                       userdom_spec_domtrans_all_users($1_su_t)
+               }
+
+               optional_policy(`
                        unconfined_domtrans($1_su_t)
                        unconfined_signal($1_su_t)
                ')
        ')
 
-       ifdef(`targeted_policy',`
-               # allow user to suspend terminal.
-               # does not work in strict since the
-               # parent may not be able to use
-               # the terminal if we newrole,
-               # which relabels the terminal.
-               allow $1_su_t self:process sigstop;
-
-               corecmd_exec_bin($1_su_t)
-               userdom_manage_all_users_home_content_files($1_su_t)
-               userdom_manage_all_users_home_content_symlinks($1_su_t)
-       ')
-
        tunable_policy(`allow_polyinstantiation',`
                fs_mount_xattr_fs($1_su_t)
                fs_unmount_xattr_fs($1_su_t)
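Review bot: With `secure_mode` enabled the comment says only transitions to unprivileged user domains are allowed, yet the `optional_policy` block directly below still grants `unconfined_domtrans($1_su_t)` outside that conditional, so su can reach the unconfined domain regardless of secure_mode whenever the unconfined module is loaded (unless unconfined_domtrans itself checks the boolean, which is not visible here). Before this commit the two rules lived in mutually exclusive policy types, so this interaction is new. Consider wrapping the `unconfined_domtrans($1_su_t)` call in `if(!secure_mode) { ... }` inside the optional block, leaving `unconfined_signal($1_su_t)` as is, or, if the unconfined transition is meant to bypass secure_mode, say so in the comment. su_per_role_template starts before and continues after this hunk.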
index 165f240b749136a3b6072bd71c01304d3348cdb6..2447b2512245f89787b0a828d744597b024fc2bc 100644 (file)
@@ -88,12 +88,6 @@ userdom_dontaudit_use_unpriv_user_fds(sxid_t)
 
 cron_system_entry(sxid_t,sxid_exec_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(sxid_t)
-       term_dontaudit_use_generic_ptys(sxid_t)
-       files_dontaudit_read_root_files(sxid_t)
-')
-
 optional_policy(`
        mta_send_mail(sxid_t)
 ')
index af803bf38286950dad8c2e03108c0ba683e74b4a..747bf4a2cfca84d64839408471ec84b78b2c1d5b 100644 (file)
@@ -17,3 +17,34 @@ interface(`tzdata_domtrans',`
 
        domtrans_pattern($1,tzdata_exec_t,tzdata_t)
 ')
+
+########################################
+## <summary>
+##     Execute the tzdata program in the tzdata domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to allow the tzdata domain.
+##     </summary>
+## </param>
+## <param name="terminal">
+##     <summary>
+##     The type of the terminal allow the tzdata domain to use.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tzdata_run',`
+       gen_require(`
+               type tzdata_t;
+       ')
+
+       tzdata_domtrans($1)
+       role $2 types tzdata_t;
+       allow tzdata_t $3:chr_file rw_term_perms;
+')
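Review bot: The `<summary>` of tzdata_run is identical to that of tzdata_domtrans, so the generated interface documentation will not distinguish the two; refpolicy `_run` interfaces normally also state the role part, e.g. `Execute tzdata in the tzdata domain, and allow the specified role the tzdata domain.` The terminal parameter text `The type of the terminal allow the tzdata domain to use.` is missing a word; `The type of the terminal the tzdata domain is allowed to use.` reads correctly.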
index a1a0e249d7fde97bd07f99e0d981cfd1b9bc12ca..7ea6af74fe734570f4595075d955253bfe49a21d 100644 (file)
@@ -30,11 +30,6 @@ miscfiles_read_localization(tzdata_t)
 miscfiles_manage_localization(tzdata_t)
 miscfiles_etc_filetrans_localization(tzdata_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(tzdata_t)
-       term_dontaudit_use_generic_ptys(tzdata_t)
-')
-
 # tzdata looks for /var/spool/postfix/etc/localtime.
 optional_policy(`
        postfix_search_spool(tzdata_t)
index df44c1fc2b4e0157af2b94f504207269dd4ceaf1..2750893d8a9fc6f25a994efb8fa2b51225ee9927 100644 (file)
@@ -79,16 +79,9 @@ seutil_read_config(updfstab_t)
 seutil_read_default_contexts(updfstab_t)
 seutil_read_file_contexts(updfstab_t)
 
-userdom_use_sysadm_ttys(updfstab_t)
 userdom_dontaudit_search_all_users_home_content(updfstab_t)
 userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(updfstab_t)
-       term_dontaudit_use_generic_ptys(updfstab_t)
-       files_dontaudit_read_root_files(updfstab_t)
-')
-
 optional_policy(`
        auth_domtrans_pam_console(updfstab_t)
 ')
index 01a857291cf629f1080786147dcf14f687c27bad..e802ed5671d5ebcb4f2f8db0f92afb55e19731eb 100644 (file)
@@ -1,9 +1,7 @@
 #
 # /usr
 #
-ifdef(`targeted_policy',`
 /usr/bin/gnatbind      --      gen_context(system_u:object_r:ada_exec_t,s0)
 /usr/bin/gnatls                --      gen_context(system_u:object_r:ada_exec_t,s0)
 /usr/bin/gnatmake      --      gen_context(system_u:object_r:ada_exec_t,s0)
 /usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
-')
index 2c1c44f2f343e08df342ecbc89bdb102b54c81f5..348c34885c391d52e5bd230d56b777fe7525d1e6 100644 (file)
 ## </param>
 #
 interface(`ada_domtrans',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type ada_t, ada_exec_t;
-               ')
-
-               corecmd_search_bin($1)
-               domtrans_pattern($1, ada_exec_t, ada_t)
-       ',`
-               refpolicywarn(`$0($1) has no effect in strict policy.')
+       gen_require(`
+               type ada_t, ada_exec_t;
        ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, ada_exec_t, ada_t)
 ')
 
 ########################################
@@ -30,7 +26,7 @@ interface(`ada_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     The type of the process performing this action.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 ## <param name="role">
@@ -45,15 +41,11 @@ interface(`ada_domtrans',`
 ## </param>
 #
 interface(`ada_run',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type ada_t;
-               ')
-
-               ada_domtrans($1)
-               role $2 types ada_t;
-               allow ada_t $3:chr_file rw_term_perms;
-       ',`
-               refpolicywarn(`$0($1) has no effect in strict policy.')
+       gen_require(`
+               type ada_t;
        ')
+
+       ada_domtrans($1)
+       role $2 types ada_t;
+       allow ada_t $3:chr_file rw_term_perms;
 ')
index 7628b8bdd3e19f0f8495bfbb0c5e14dc9b921851..a62921500276a10996cf5ec8bf8d588d35f3bd96 100644 (file)
@@ -9,14 +9,15 @@ policy_module(ada,1.1.0)
 type ada_t;
 type ada_exec_t;
 application_domain(ada_t,ada_exec_t)
+role system_r types ada_t;
 
 ########################################
 #
 # Local policy
 #
 
-ifdef(`targeted_policy',`
-       allow ada_t self:process { execstack execmem };
+allow ada_t self:process { execstack execmem };
+
+optional_policy(`
        unconfined_domain_noaudit(ada_t)
-       role system_r types ada_t;
 ')
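Review bot: `allow ada_t self:process { execstack execmem };` now applies in every build instead of only targeted, with no tunable guarding it, while mplayer.te exposes the equivalent permission through the `allow_mplayer_execstack` tunable. If the permission is genuinely required for the Ada toolchain, a why-comment would help (java.te has one for execheap); otherwise a tunable in the style of mplayer's (name to be chosen) would let confined builds keep W+X memory off by default. The same consideration applies to the now-unconditional execstack/execmem/execheap rules in java.te and mono.te.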
index 90d9e8459d9a262e53e5f6a42ed202750c3f3efc..0af2bf6ae00aa48d0655a3c3b3ce84673dce1bf7 100644 (file)
@@ -6,7 +6,6 @@ policy_module(cdrecord,1.3.0)
 # Declarations
 #
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Allow cdrecord to read various content.
@@ -15,7 +14,6 @@ ifdef(`strict_policy',`
 ## </p>
 ## </desc>
 gen_tunable(cdrecord_read_content,false)
-')
 
 type cdrecord_exec_t;
 application_executable_file(cdrecord_exec_t)
index 12ae276a1f25095d1696ed16f6ee20c0a2b3f9cd..7204fe2202aa307d5c0da679692b4aa702efb7c2 100644 (file)
@@ -1,7 +1,4 @@
+HOME_DIR/\.ethereal(/.*)?              gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
 
 /usr/sbin/ethereal.*           --      gen_context(system_u:object_r:ethereal_exec_t,s0)
 /usr/sbin/tethereal.*          --      gen_context(system_u:object_r:tethereal_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.ethereal(/.*)?              gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
-')
index 4399a1aa72248b89f10c5723d3b48502255bd17c..1b425f4c7a91fdf7973da0ed67a86af2b56542e8 100644 (file)
@@ -1,10 +1,14 @@
+#
+# HOME_DIR/
+#
+
+HOME_DIR/\.camel_certs(/.*)?                                   gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
+HOME_DIR/\.evolution(/.*)?                                     gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
 
 #
 # /tmp
 #
-ifdef(`strict_policy',`
 /tmp/\.exchange-USER(/.*)?                                     gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0)
-')
 
 #
 # /usr
@@ -15,8 +19,3 @@ ifdef(`strict_policy',`
 /usr/libexec/evolution/.*evolution-exchange-storage.*  --      gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
 /usr/libexec/evolution-data-server.*                   --      gen_context(system_u:object_r:evolution_server_exec_t,s0)
 /usr/libexec/evolution-webcal.*                                --      gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.evolution(/.*)?                                     gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
-HOME_DIR/\.camel_certs(/.*)?                                   gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
-')
index 75d96a4226b9bf87842631861e4c6e2d510d3212..c8f7a05a44cbf2c8669e137e9bb40749a392701d 100644 (file)
@@ -60,12 +60,6 @@ miscfiles_read_localization(games_t)
 userdom_dontaudit_use_unpriv_user_fds(games_t)
 userdom_dontaudit_search_sysadm_home_dirs(games_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(games_t)
-       term_dontaudit_use_generic_ptys(games_t)
-       files_dontaudit_read_root_files(games_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(games_t)
 ')
index 09d6a60fb09f4428320b16939a43c049652b3642..2c2a01a06c380acc3cae36d6d17e6f7f061c5aa1 100644 (file)
@@ -1,8 +1,6 @@
+HOME_DIR/\.giFT(/.*)?                  gen_context(system_u:object_r:ROLE_gift_home_t,s0)
+
 /usr/(local/)?bin/apollon      --      gen_context(system_u:object_r:gift_exec_t,s0)
 /usr/(local/)?bin/giftd                --      gen_context(system_u:object_r:giftd_exec_t,s0)
 /usr/(local/)?bin/giftui       --      gen_context(system_u:object_r:gift_exec_t,s0)
 /usr/(local/)?bin/giFToxic     --      gen_context(system_u:object_r:gift_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.giFT(/.*)?                  gen_context(system_u:object_r:ROLE_gift_home_t,s0)
-')
index c81209548b364351b3cdc709ee8e3295b7339a26..e5f5f1c8c9585c8fd2a779f9624bc2ffa315617e 100644 (file)
@@ -1,11 +1,8 @@
 HOME_DIR/\.config/gtk-.*       gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)?     gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
 
 /etc/gconf(/.*)?               gen_context(system_u:object_r:gconf_etc_t,s0)
 
-/usr/libexec/gconfd-2  --      gen_context(system_u:object_r:gconfd_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.gconf(d)?(/.*)?     gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
-
 /tmp/gconfd-USER/.*    --      gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
-')
+
+/usr/libexec/gconfd-2  --      gen_context(system_u:object_r:gconfd_exec_t,s0)
index 78f8a10139834ff8e36128bd0d4e0513495b42e8..0c5dc949aea473a195c9b9e349c1c5e379de6ac7 100644 (file)
@@ -1,3 +1,4 @@
+HOME_DIR/\.gnupg(/.+)?         gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
 
 /usr/bin/gpg(2)?       --      gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent     --      gen_context(system_u:object_r:gpg_agent_exec_t,s0)
@@ -6,7 +7,3 @@
 
 /usr/lib/gnupg/.*      --      gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/lib/gnupg/gpgkeys.* --    gen_context(system_u:object_r:gpg_helper_exec_t,s0)
-
-ifdef(`targeted_policy',`',`
-HOME_DIR/\.gnupg(/.+)?         gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
-')
index 4a2c7c7de95f5a12dad5e0e5fb4370de147602cc..618588c91469ba419ccab16ded6b037614eb483b 100644 (file)
@@ -1,9 +1,7 @@
 #
 # /home
 #
-ifdef(`strict_policy',`
 HOME_DIR/\.ircmotd     --      gen_context(system_u:object_r:ROLE_irc_home_t,s0)
-')
 
 #
 # /usr
index a2c4011d99febe3d539f39c7baf09643a3727ae7..cb557b0e98a22e7ea3ba40f48395d27139556c92 100644 (file)
@@ -151,7 +151,6 @@ template(`java_per_role_template',`
 
                libs_legacy_use_shared_libs($1_javaplugin_t)
                libs_legacy_use_ld_so($1_javaplugin_t)
-               libs_use_lib_files($1_javaplugin_t)
 
                miscfiles_legacy_read_localization($1_javaplugin_t)
        ')
@@ -213,14 +212,10 @@ template(`java_domtrans_user_javaplugin',`
 ## </param>
 #
 interface(`java_domtrans',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type java_t, java_exec_t;
-               ')
-
-               corecmd_search_bin($1)
-               domtrans_pattern($1, java_exec_t, java_t)
-       ',`
-               refpolicywarn(`$0($1) has no effect in strict policy.')
+       gen_require(`
+               type java_t, java_exec_t;
        ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, java_exec_t, java_t)
 ')
index a00de9bca150a2fd4b7b71dc845e8461b4be8711..921c45af95eed6471811516415759f373adef343 100644 (file)
@@ -22,13 +22,12 @@ init_system_domain(java_t,java_exec_t)
 # Local policy
 #
 
-ifdef(`targeted_policy',`
-       # execheap is needed for itanium/BEA jrocket
-       allow java_t self:process { execstack execmem execheap };
-       role system_r types java_t;
+# execheap is needed for itanium/BEA jrocket
+allow java_t self:process { execstack execmem execheap };
 
-       init_dbus_chat_script(java_t)
+init_dbus_chat_script(java_t)
 
+optional_policy(`
        unconfined_domain_noaudit(java_t)
        unconfined_dbus_chat(java_t)
 ')
index 8515073eaf070c3fa4a89915ee9a221976dd37a0..758d1c137c48dc9cb444b156bb70571908629f31 100644 (file)
 ## </param>
 #
 interface(`loadkeys_domtrans',`
-       ifdef(`strict_policy',`
-               gen_require(`
-                       type loadkeys_t, loadkeys_exec_t;
-               ')
-
-               corecmd_search_bin($1)
-               domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
-       ',`
-               refpolicywarn(`$0($*) has no effect in targeted policy.')
+       gen_require(`
+               type loadkeys_t, loadkeys_exec_t;
        ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
 ')
 
 ########################################
@@ -45,18 +41,13 @@ interface(`loadkeys_domtrans',`
 ## <rolecap/>
 #
 interface(`loadkeys_run',`
-       ifdef(`targeted_policy',`
-               # $0(): disabled in targeted policy as there
-               # is no loadkeys domain.
-       ',`
-               gen_require(`
-                       type loadkeys_t;
-               ')
-
-               loadkeys_domtrans($1)
-               role $2 types loadkeys_t;
-               allow loadkeys_t $3:chr_file rw_term_perms;
+       gen_require(`
+               type loadkeys_t;
        ')
+
+       loadkeys_domtrans($1)
+       role $2 types loadkeys_t;
+       allow loadkeys_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -70,15 +61,9 @@ interface(`loadkeys_run',`
 ## </param>
 #
 interface(`loadkeys_exec',`
-       ifdef(`targeted_policy',`
-               # $0(): the loadkeys program is an alias
-               # of generic bin programs.
-               corecmd_exec_bin($1)
-       ',`
-               gen_require(`
-                       type loadkeys_exec_t;
-               ')
-
-               can_exec($1,loadkeys_exec_t)
+       gen_require(`
+               type loadkeys_exec_t;
        ')
+
+       can_exec($1,loadkeys_exec_t)
 ')
index 88eabb370e082e88757d4720896600e9ee0aec65..cf73ab1cceb44d47de3345b9046c79f813063cb4 100644 (file)
@@ -6,51 +6,41 @@ policy_module(loadkeys,1.2.0)
 # Declarations
 #
 
-ifdef(`targeted_policy',`
-       # for compatibility with strict:
-       corecmd_bin_alias(loadkeys_exec_t)
-',`
-       # cjp: this should probably be rewritten
-       # per user domain, since it can rw
-       # all user domain ttys
-
-       type loadkeys_t;
-       type loadkeys_exec_t;
-       init_system_domain(loadkeys_t,loadkeys_exec_t)
-')
+# cjp: this should probably be rewritten
+# per user domain, since it can rw
+# all user domain ttys
+type loadkeys_t;
+type loadkeys_exec_t;
+init_system_domain(loadkeys_t,loadkeys_exec_t)
 
 ########################################
 #
 # Local policy
 #
 
-ifdef(`targeted_policy',`
-       # loadkeys domain disabled in targeted policy
-',`
-       allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
-       allow loadkeys_t self:fifo_file rw_fifo_file_perms;
+allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
+allow loadkeys_t self:fifo_file rw_fifo_file_perms;
 
-       kernel_read_system_state(loadkeys_t)
+kernel_read_system_state(loadkeys_t)
 
-       corecmd_exec_bin(loadkeys_t)
-       corecmd_exec_shell(loadkeys_t)
+corecmd_exec_bin(loadkeys_t)
+corecmd_exec_shell(loadkeys_t)
 
-       files_read_etc_files(loadkeys_t)
-       files_read_etc_runtime_files(loadkeys_t)
+files_read_etc_files(loadkeys_t)
+files_read_etc_runtime_files(loadkeys_t)
 
-       term_dontaudit_use_console(loadkeys_t)
-       term_use_unallocated_ttys(loadkeys_t)
+term_dontaudit_use_console(loadkeys_t)
+term_use_unallocated_ttys(loadkeys_t)
 
-       init_dontaudit_use_script_ptys(loadkeys_t)
+init_dontaudit_use_script_ptys(loadkeys_t)
 
-       libs_use_ld_so(loadkeys_t)
-       libs_use_shared_libs(loadkeys_t)
+libs_use_ld_so(loadkeys_t)
+libs_use_shared_libs(loadkeys_t)
 
-       locallogin_use_fds(loadkeys_t)
+locallogin_use_fds(loadkeys_t)
 
-       miscfiles_read_localization(loadkeys_t)
+miscfiles_read_localization(loadkeys_t)
 
-       optional_policy(`
-               nscd_dontaudit_search_pid(loadkeys_t)
-       ')
+optional_policy(`
+       nscd_dontaudit_search_pid(loadkeys_t)
 ')
index 9072beea8d9bf5d83454eecfd72f6b94e55e9908..034dd6a3e89d7c27ac3f883e805ddaf5c6eb08b2 100644 (file)
@@ -15,37 +15,34 @@ init_system_domain(mono_t,mono_exec_t)
 # Local policy
 #
 
-ifdef(`targeted_policy',`
-       allow mono_t self:process { execheap execmem };
+allow mono_t self:process { execheap execmem };
 
-       unconfined_domain_noaudit(mono_t)
-       unconfined_dbus_chat(mono_t)
-
-       userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
 
-       init_dbus_chat_script(mono_t)
+init_dbus_chat_script(mono_t)
 
-       optional_policy(`
-               avahi_dbus_chat(mono_t)
-       ')
+optional_policy(`
+       avahi_dbus_chat(mono_t)
+')
 
-       optional_policy(`
-               cups_dbus_chat(mono_t)
-       ')
+optional_policy(`
+       cups_dbus_chat(mono_t)
+')
 
-       optional_policy(`
-               hal_dbus_chat(mono_t)
-       ')
+optional_policy(`
+       hal_dbus_chat(mono_t)
+')
 
-       optional_policy(`
-               networkmanager_dbus_chat(mono_t)
-       ')
+optional_policy(`
+       networkmanager_dbus_chat(mono_t)
+')
 
-       optional_policy(`
-               rpm_dbus_chat(mono_t)
-       ')
+optional_policy(`
+       rpm_dbus_chat(mono_t)
+')
 
-       optional_policy(`
-               unconfined_dbus_connect(mono_t)
-       ')
+optional_policy(`
+       unconfined_domain_noaudit(mono_t)
+       unconfined_dbus_chat(mono_t)
+       unconfined_dbus_connect(mono_t)
 ')
index 7218f9fb4086c7692c9d7051eed9f98912c05761..99f54ca4fe9f0e9189fec53ac8d3889392eb0768 100644 (file)
@@ -1,3 +1,9 @@
+HOME_DIR/\.galeon(/.*)?                        gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)?                  gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)?               gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)?              gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)?               gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+
 #
 # /bin
 #
 /usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-
-#  netscape/mozilla
-ifdef(`strict_policy',`
-HOME_DIR/\.galeon(/.*)?                        gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.netscape(/.*)?              gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)?               gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)?               gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.java(/.*)?                  gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-')
index 2450078bd7294e9db248f12fe1d209dca6740572..558208a675247ebfb11609a55a3d9d0f667a890f 100644 (file)
@@ -173,7 +173,6 @@ template(`mozilla_per_role_template',`
        term_dontaudit_getattr_pty_dirs($1_mozilla_t)
        
        libs_use_ld_so($1_mozilla_t)
-       libs_use_lib_files($1_mozilla_t)
        libs_use_shared_libs($1_mozilla_t)
 
        logging_send_syslog_msg($1_mozilla_t)
index 4d2b991f80d120810ae2ecdec00196efc4917e51..a3a29f6b011688a3d524a01c4cda4528e2798581 100644 (file)
@@ -6,14 +6,12 @@ policy_module(mozilla,1.4.0)
 # Declarations
 #
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Control mozilla content access
 ## </p>
 ## </desc>
 gen_tunable(mozilla_read_content,false)
-')
 
 type mozilla_conf_t;
 files_config_file(mozilla_conf_t)
index 4806b644b8b505f647060f97274cc00dd03c5181..ffef8be614babe6aedc20ac8b0131f6817c6282d 100644 (file)
@@ -10,6 +10,4 @@
 /usr/bin/mencoder      --      gen_context(system_u:object_r:mencoder_exec_t,s0)
 /usr/bin/xine          --      gen_context(system_u:object_r:mplayer_exec_t,s0)
 
-ifdef(`strict_policy',`
 HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
-')
index 706598478fbc8b2d06f44434a0d4fe27d1019a4a..9153029995bb8460906eee26ef9695a036d44b96 100644 (file)
@@ -6,27 +6,19 @@ policy_module(mplayer,1.3.0)
 # Declarations
 #
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Allow mplayer executable stack
 ## </p>
 ## </desc>
 gen_tunable(allow_mplayer_execstack,false)
-')
+
+type mencoder_exec_t;
+application_executable_file(mencoder_exec_t)
 
 type mplayer_etc_t;
 files_config_file(mplayer_etc_t)
 
-ifdef(`strict_policy',`
-       type mencoder_exec_t;
-       application_executable_file(mencoder_exec_t)
-
-       type mplayer_exec_t;
-       application_executable_file(mplayer_exec_t)
-')
-
-ifdef(`targeted_policy',`
-       unconfined_execmem_alias_program(mencoder_exec_t)
-       unconfined_execmem_alias_program(mplayer_exec_t)
-')
+type mplayer_exec_t;
+corecmd_executable_file(mplayer_exec_t)
+application_executable_file(mplayer_exec_t)
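Review bot: `mplayer_exec_t` receives both `corecmd_executable_file(mplayer_exec_t)` and `application_executable_file(mplayer_exec_t)`, while `mencoder_exec_t` just above gets only the latter. If application_executable_file already marks the type as a generic executable, the extra call is redundant; if it does not, mencoder_exec_t presumably needs the same treatment. Either way a short comment on the asymmetry would help, e.g. `# mplayer must also be runnable as a generic bin program`, if that is the reason.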
index fa622bc65aed976323d7472ade1973bb24d7c076..92211c953142a8d985f853ff405a33a393ff460e 100644 (file)
@@ -1,9 +1,7 @@
 #
 # /home
 #
-ifdef(`strict_policy',`
 HOME_DIR/\.screenrc            --      gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
-')
 
 #
 # /usr
index cd80a959779531a4fc114a090debca72af12a1cc..2b6c0064703b0a8a348df1f9d776b88fc5681e6b 100644 (file)
@@ -3,6 +3,4 @@
 #
 /usr/bin/thunderbird.*                 --      gen_context(system_u:object_r:thunderbird_exec_t,s0)
 
-ifdef(`strict_policy',`
 HOME_DIR/\.thunderbird(/.*)?                   gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
-')
index 2a4afa05de9fb937eacab51a514b432deddd24c0..ba0a7645d864f73cbbd2143adeb6a87f4d5e499a 100644 (file)
@@ -1,3 +1,8 @@
+#
+# HOME_DIR/
+#
+HOME_DIR/\.uml(/.*)?           gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+
 #
 # /usr
 #
@@ -7,7 +12,3 @@
 # /var
 #
 /var/run/uml-utilities(/.*)?   gen_context(system_u:object_r:uml_switch_var_run_t,s0)
-
-ifdef(`strict_policy',`
-       HOME_DIR/\.uml(/.*)?            gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
-')
index a399a25cfa7daeb0281950d7e63bbd92a15da315..389d1d7701a545260f7acacd97747cf1c67ff325 100644 (file)
@@ -59,13 +59,6 @@ miscfiles_read_localization(uml_switch_t)
 userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
 userdom_dontaudit_search_sysadm_home_dirs(uml_switch_t)
 
-ifdef(`targeted_policy',`
-       files_dontaudit_read_root_files(uml_switch_t)
-
-       term_dontaudit_use_unallocated_ttys(uml_switch_t)
-       term_dontaudit_use_generic_ptys(uml_switch_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(uml_switch_t)
 ')
index ea0b7ef2e43cf053e9758bb79f591fb308d9818f..b10db099850b5406061dd8e43dd4f5aa73cadb66 100644 (file)
@@ -1,11 +1,9 @@
 #
 # HOME_DIR/
 #
-ifdef(`strict_policy',`
 HOME_DIR/\.vmware(/.*)?                        gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
-HOME_DIR/vmware(/.*)?                  gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
 HOME_DIR/\.vmware[^/]*/.*\.cfg --      gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
-')
+HOME_DIR/vmware(/.*)?                  gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
 
 #
 # /etc
index 5388212f3eae03840c6e3070dd5871e4f9ff1092..9faf1480679b8c2ee7b4fc24d2cc664aaf015626 100644 (file)
@@ -89,12 +89,6 @@ sysnet_dns_name_resolve(vmware_host_t)
 userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
 userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(vmware_host_t)
-       term_dontaudit_use_generic_ptys(vmware_host_t)
-       files_dontaudit_read_root_files(vmware_host_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(vmware_host_t)
 
index 7a3a15fedbe22d77d786623fb046d0e6ede8105b..438d8494b763805a7f6652b62c60bfc4ff61bf11 100644 (file)
@@ -89,11 +89,6 @@ userdom_dontaudit_search_all_users_home_content(webalizer_t)
 apache_read_log(webalizer_t)
 apache_manage_sys_content(webalizer_t)
 
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(webalizer_t)
-       term_use_unallocated_ttys(webalizer_t)
-')
-
 optional_policy(`
        cron_system_entry(webalizer_t,webalizer_exec_t)
 ')
index 8a87106a997cfc64593611c78894b95833ba00d1..c237c8b00c4318cc20772a1477822bc2a498521b 100644 (file)
@@ -15,7 +15,7 @@ application_domain(wine_t,wine_exec_t)
 # Local policy
 #
 
-ifdef(`targeted_policy',`
+optional_policy(`
        allow wine_t self:process { execstack execmem execheap };
        unconfined_domain_noaudit(wine_t)
        files_execmod_all_files(wine_t)
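Review bot: `allow wine_t self:process { execstack execmem execheap };` ends up inside the new `optional_policy` block, so a build without the unconfined module gives wine_t none of these permissions, whereas ada.te, java.te and mono.te in this same commit keep their equivalent self:process rules outside the optional block. If wine is only expected to work with the unconfined module present, a comment saying so would stop the inconsistency looking accidental; otherwise move the allow line above the `optional_policy(` line. The block continues past the end of the hunk.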
index 4395563082755e1994237254ad0319f6d89bdf9d..7c202da337d4c6bf3bea1752c0f7d1e79b48b403 100644 (file)
@@ -72,10 +72,6 @@ ifdef(`distro_debian',`
 /etc/mysql/debian-start                --      gen_context(system_u:object_r:bin_t,s0)
 ')
 
-ifdef(`targeted_policy',`
-/etc/X11/prefdm                        --      gen_context(system_u:object_r:bin_t,s0)
-')
-
 #
 # /lib
 #
index 3de09696ccded198fb679e81782bb6862ac3cbd7..881fc71b213e75c9312a3c8daca55bdb3aa85956 100644 (file)
@@ -32,11 +32,11 @@ interface(`corecmd_executable_file',`
 
 ########################################
 ## <summary>
-##     Create a aliased type to generic bin files.
+##     Create a aliased type to generic bin files.  (Deprecated)
 ## </summary>
 ## <desc>
 ##     <p>
-##     Create a aliased type to generic bin files.
+##     Create a aliased type to generic bin files.  (Deprecated)
 ##     </p>
 ##     <p>
 ##     This is added to support targeted policy.  Its
@@ -51,15 +51,7 @@ interface(`corecmd_executable_file',`
 ## </param>
 #
 interface(`corecmd_bin_alias',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type bin_t;
-               ')
-
-               typealias bin_t alias $1;
-       ',`
-               refpolicywarn(`$0($*) has no effect in strict policy.')
-       ')
+       refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
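Review bot: The description above corecmd_bin_alias still says `This is added to support targeted policy.  Its` (the sentence continues past the previous hunk), which no longer matches a body that only emits a deprecation warning. Suggest replacing that paragraph with one stating that the interface is a no-op kept for backward compatibility and what callers should do instead, rather than only appending `(Deprecated)` to the summary; the summary's `a aliased type` could become `an aliased type` at the same time.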
index a8a12f799b3775f19247f4ddb878e65e4014b26a..232b16d192558850e25a56162256d327ab494785 100644 (file)
@@ -45,11 +45,6 @@ interface(`domain_type',`
        # start with basic domain
        domain_base_type($1)
 
-       ifdef(`targeted_policy',`
-               unconfined_use_fds($1)
-               unconfined_sigchld($1)
-       ')
-
        # send init a sigchld and signull
        optional_policy(`
                init_sigchld($1)
@@ -1240,19 +1235,17 @@ interface(`domain_entry_file_spec_domtrans',`
 interface(`domain_unconfined',`
        gen_require(`
                attribute set_curr_context;
-               attribute can_change_process_identity;
-               attribute can_change_process_role;
                attribute can_change_object_identity;
                attribute unconfined_domain_type;
+               attribute process_uncond_exempt;
        ')
 
        typeattribute $1 unconfined_domain_type;
 
        # pass constraints
-       typeattribute $1 can_change_process_identity;
-       typeattribute $1 can_change_process_role;
        typeattribute $1 can_change_object_identity;
        typeattribute $1 set_curr_context;
+       typeattribute $1 process_uncond_exempt;
 ')
 
 ########################################
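Review bot: Replacing `can_change_process_identity` and `can_change_process_role` with `process_uncond_exempt` changes which constraint exemptions unconfined domains receive; the constraints that consult `process_uncond_exempt` are not in this diff excerpt, so it is worth confirming they cover the same user/role transition constraints the two removed attributes did, otherwise unconfined domains either lose transitions or become exempt from more than intended. A why-comment on the new line would also help, e.g. `# exempt from the process user/role change constraints` if that is what the attribute denotes.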
index 1f93814487aa91515941a9ccfd24d9be1c4f65ec..d075c543d37dec44a0c7ba160c33397e674704c8 100644 (file)
@@ -92,20 +92,6 @@ term_use_controlling_term(domain)
 # list the root directory
 files_list_root(domain)
 
-ifdef(`targeted_policy',`
-       # RBAC is disabled in the targeted policy,
-       # as only one role is used, system_r.
-       role system_r types domain;
-
-       # FIXME:
-       # workaround until role dominance is fixed in
-       # the module compiler
-       role secadm_r types domain;
-       role sysadm_r types domain;
-       role user_r types domain;
-       role staff_r types domain;
-')
-
 tunable_policy(`global_ssp',`
        # enable reading of urandom for all domains:
        # this should be enabled when all programs
index cd51464b23d524c7b5e4a4ee72bbb74ee462243b..8c7600f1198bbfe36bd7b5d383f96a57e4a1b454 100644 (file)
@@ -468,8 +468,7 @@ interface(`files_read_all_files',`
 ##     Allow shared library text relocations in all files.
 ##     </p>
 ##     <p>
-##     This is added to support WINE in the targeted
-##     policy.  It has no effect on the strict policy.
+##     This is added to support WINE policy.
 ##     </p>
 ## </desc>
 ## <param name="domain">
@@ -479,15 +478,11 @@ interface(`files_read_all_files',`
 ## </param>
 #
 interface(`files_execmod_all_files',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       attribute file_type;
-               ')
-
-               allow $1 file_type:file execmod;
-       ',`
-               refpolicywarn(`$0($1) has no effect in strict policy.')
+       gen_require(`
+               attribute file_type;
        ')
+
+       allow $1 file_type:file execmod;
 ')
 
 ########################################
index fa78e1f6919940f75eec9902f4de2b69e15494c1..350d02457ae3bf9816966daf117fe870850b9156 100644 (file)
@@ -187,10 +187,7 @@ allow file_type self:filesystem associate;
 
 fs_associate(file_type)
 fs_associate_noxattr(file_type)
-
-ifdef(`targeted_policy', `
-       fs_associate_tmpfs(file_type)
-')
+fs_associate_tmpfs(file_type)
 
 ########################################
 #
@@ -220,8 +217,6 @@ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_fil
 # Mount/unmount any filesystem with the context= option. 
 allow files_unconfined_type file_type:filesystem *;
 
-ifdef(`targeted_policy',`
-       tunable_policy(`allow_execmod',`
-               allow files_unconfined_type file_type:file execmod;
-       ')
+tunable_policy(`allow_execmod',`
+       allow files_unconfined_type file_type:file execmod;
 ')
index 7d91bdf9bb4d23912c2be3d8215e72e9e6ecad4c..d116c8861bb866a32be52f1abfaf49a6e61d20c8 100644 (file)
@@ -26,6 +26,9 @@ role sysadm_r;
 role staff_r;
 role user_r;
 
+# here until order dependence is fixed:
+role unconfined_r;
+
 ifdef(`enable_mls',`
        role secadm_r;
        role auditadm_r;
@@ -252,10 +255,6 @@ ifdef(`distro_redhat',`
        fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
-ifdef(`targeted_policy',`
-       unconfined_domain(kernel_t)
-')
-
 tunable_policy(`read_default_t',`
        files_list_default(kernel_t)
        files_read_default_files(kernel_t)
@@ -336,15 +335,15 @@ optional_policy(`
        seutil_read_bin_policy(kernel_t)
 ')
 
+optional_policy(`
+       unconfined_domain(kernel_t)
+')
+
 ########################################
 #
 # Unlabeled process local policy
 #
 
-ifdef(`targeted_policy',`
-       allow unlabeled_t self:filesystem associate;
-')
-
 optional_policy(`
        # If you load a new policy that removes active domains, processes can
        # get stuck if you do not allow unlabeled processes to signal init.
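Review bot: kernel_t now becomes an unconfined domain whenever the unconfined module is loaded, because the new optional_policy block has no tunable or build-time switch where the removed code was limited to the targeted build; the same applies to apmd_t in the apmd.te hunk further down. A comment at the optional block would make this explicit, e.g. `# kernel_t is unconfined whenever the unconfined module is loaded`. The hunk also drops `allow unlabeled_t self:filesystem associate;` without re-adding it anywhere visible here; if it is not moved elsewhere in the commit, unlabeled_t loses filesystem associate in what was previously the targeted configuration.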
index 875b5474519d31f9a97605b182450e3ed1fac234..c8abb8e988170614946911728ebe772e24d72689 100644 (file)
@@ -31,11 +31,6 @@ fs_associate_tmpfs(devpts_t)
 fs_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
 
-ifdef(`targeted_policy',`
-       # cjp: the ttynode should probably be removed.
-       typeattribute devpts_t ttynode, ptynode;
-')
-
 #
 # devtty_t is the type of /dev/tty.
 #
@@ -56,10 +51,6 @@ mls_trusted_object(ptmx_t)
 type tty_device_t, serial_device;
 dev_node(tty_device_t)
 
-ifdef(`targeted_policy',`
-       typeattribute tty_device_t ttynode;
-')
-
 #
 # usbtty_device_t is the type of /dev/usr/tty*
 #
index 94f60a97f5b83a9febd3b31f38090602272da0ed..a2e3d68cd957aa49e047bf62f3575539c5b5228b 100644 (file)
@@ -150,11 +150,6 @@ cron_rw_pipes(amavis_t)
 
 mta_read_config(amavis_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(amavis_t)
-       term_dontaudit_use_unallocated_ttys(amavis_t)
-')
-
 optional_policy(`
        clamav_stream_connect(amavis_t)
        clamav_domtrans_clamscan(amavis_t)
index 68b46dd313be8fa4a8420fe078b4eeb157a5f2b0..c30c0eae12d0a2fa5606ed9e067f4aead7929da0 100644 (file)
@@ -1,9 +1,4 @@
-# temporary hack till genhomedircon is fixed
-ifdef(`targeted_policy',`
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-',`
 HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
-')
 
 /etc/apache(2)?(/.*)?                  gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/apache-ssl(2)?(/.*)?              gen_context(system_u:object_r:httpd_config_t,s0)
index 548c8bc9e786ae776e33f0c4c894d529ea08fc45..eb026c111e99bdecd0ad59d6a73cf9ef4c1156d0 100644 (file)
@@ -182,14 +182,6 @@ files_tmp_file(httpd_tmp_t)
 type httpd_tmpfs_t;
 files_tmpfs_file(httpd_tmpfs_t)
 
-# Unconfined domain for apache scripts.
-# Only to be used as a last resort
-type httpd_unconfined_script_t;
-type httpd_unconfined_script_exec_t; # customizable
-domain_type(httpd_unconfined_script_t)
-domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
-role system_r types httpd_unconfined_script_t;
-
 # for apache2 memory mapped files
 type httpd_var_lib_t;
 files_type(httpd_var_lib_t)
@@ -201,11 +193,6 @@ files_pid_file(httpd_var_run_t)
 type squirrelmail_spool_t;
 files_tmp_file(squirrelmail_spool_t)
 
-ifdef(`targeted_policy',`
-       typealias httpd_sys_content_t alias httpd_user_content_t;
-       typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-')
-
 optional_policy(`
        prelink_object_file(httpd_modules_t)
 ')
@@ -363,16 +350,6 @@ userdom_use_unpriv_users_fds(httpd_t)
 
 mta_send_mail(httpd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(httpd_t)
-       term_dontaudit_use_generic_ptys(httpd_t)
-       files_dontaudit_read_root_files(httpd_t)
-
-       tunable_policy(`httpd_enable_homedirs',`
-               userdom_search_generic_user_home_dirs(httpd_t)
-       ')
-')
-
 tunable_policy(`allow_httpd_anon_write',`
        miscfiles_manage_public_files(httpd_t)
 ') 
@@ -410,13 +387,6 @@ tunable_policy(`httpd_can_network_relay',`
        corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_cgi',`
-       domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-
-       allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
-       allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
-')
-
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
        domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 
@@ -463,6 +433,10 @@ optional_policy(`
        calamaris_read_www_files(httpd_t)
 ')
 
+optional_policy(`
+       cron_system_entry(httpd_t, httpd_exec_t)
+')
+
 optional_policy(`
        daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
@@ -632,12 +606,6 @@ logging_send_syslog_msg(httpd_suexec_t)
 
 miscfiles_read_localization(httpd_suexec_t)
 
-ifdef(`targeted_policy',`
-       tunable_policy(`httpd_enable_homedirs',`
-               userdom_search_generic_user_home_dirs(httpd_suexec_t)
-       ')
-')
-
 tunable_policy(`httpd_can_network_connect',`
        allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
        allow httpd_suexec_t self:udp_socket create_socket_perms;
@@ -656,10 +624,6 @@ tunable_policy(`httpd_can_network_connect',`
        sysnet_read_config(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_enable_cgi',`
-       domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-')
-
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
        domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
 ')
@@ -726,12 +690,6 @@ ifdef(`distro_redhat',`
        allow httpd_sys_script_t httpd_log_t:file { getattr append };
 ')
 
-ifdef(`targeted_policy',`
-       tunable_policy(`httpd_enable_homedirs',`
-               userdom_search_generic_user_home_dirs(httpd_sys_script_t)
-       ')
-')
-
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
        fs_read_nfs_files(httpd_sys_script_t)
        fs_read_nfs_symlinks(httpd_sys_script_t)
@@ -751,21 +709,6 @@ optional_policy(`
        mysql_rw_db_sockets(httpd_sys_script_t)
 ')
 
-########################################
-#
-# Apache unconfined script local policy
-#
-
-unconfined_domain(httpd_unconfined_script_t)
-
-optional_policy(`
-       cron_system_entry(httpd_t, httpd_exec_t)
-')
-
-optional_policy(`
-       nscd_socket_use(httpd_unconfined_script_t)
-')
-
 ########################################
 #
 # httpd_rotatelogs local policy
@@ -785,8 +728,3 @@ libs_use_shared_libs(httpd_rotatelogs_t)
 logging_search_logs(httpd_rotatelogs_t)
 
 miscfiles_read_localization(httpd_rotatelogs_t)
-
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
-       term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
-')
index aef5c8a6cd9a27d6b7a06eb39c9934aa1ca4138a..59f4e5956049ebab4b09b7c29fda2592b7f2448c 100644 (file)
@@ -86,10 +86,6 @@ logging_send_syslog_msg(apcupsd_t)
 
 miscfiles_read_localization(apcupsd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(apcupsd_t)
-')
-
 optional_policy(`
        hostname_exec(apcupsd_t)
 ')
index 2fad90f6b9179b61dae114b5831014679065e26b..4414826cbaa5b892cad1469a56436f0c9bf2ff18 100644 (file)
@@ -172,13 +172,6 @@ ifdef(`distro_suse',`
        files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file)
 ')
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(apmd_t)
-       term_dontaudit_use_generic_ptys(apmd_t)
-       files_dontaudit_read_root_files(apmd_t)
-       unconfined_domain(apmd_t)
-')
-
 optional_policy(`
        automount_domtrans(apmd_t)
 ')
@@ -227,6 +220,10 @@ optional_policy(`
        udev_read_state(apmd_t) #necessary?
 ')
 
+optional_policy(`
+       unconfined_domain(apmd_t)
+')
+
 # cjp: related to sleep/resume (?)
 optional_policy(`
        xserver_domtrans_xdm_xserver(apmd_t)
index d0abdb8914444d1f4520bc9a87c9d09c8c3f941e..33cf2bb7840be57c1aced55745513bb5bfb26f15 100644 (file)
@@ -85,12 +85,6 @@ userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
 
 mta_send_mail(arpwatch_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(arpwatch_t)
-       term_dontaudit_use_generic_ptys(arpwatch_t)
-       files_dontaudit_read_root_files(arpwatch_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(arpwatch_t)
 ')
index f9d02568a5b60004c5c091396dd4e9714a7d1401..8853d15c997f94babeaf11f9f5e2ff042948f2e1 100644 (file)
@@ -127,12 +127,6 @@ sysnet_read_config(asterisk_t)
 userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
 userdom_dontaudit_search_sysadm_home_dirs(asterisk_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(asterisk_t)
-       term_dontaudit_use_generic_ptys(asterisk_t)
-       files_dontaudit_read_root_files(asterisk_t)
-')
-
 optional_policy(`
        nis_use_ypbind(asterisk_t)
 ')
index c9d7c19748fb0681d4859bf894018e8bcc870ae1..9723ae5fcc2a8318f7b956b94be6d4bb9bfb9ece 100644 (file)
@@ -51,13 +51,6 @@ miscfiles_read_localization(entropyd_t)
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
 userdom_dontaudit_search_sysadm_home_dirs(entropyd_t)
 
-ifdef(`targeted_policy', `
-       files_dontaudit_read_root_files(entropyd_t)
-
-       term_dontaudit_use_unallocated_ttys(entropyd_t)
-       term_dontaudit_use_generic_ptys(entropyd_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(entropyd_t)
 ')
index c22a97aa79fab4396cbcfd2797be72782a378c5b..7e8417116145a0dbae94c99748410b5571120c77 100644 (file)
@@ -147,12 +147,6 @@ sysnet_read_config(automount_t)
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
 userdom_dontaudit_search_sysadm_home_dirs(automount_t)
 
-ifdef(`targeted_policy', `
-       files_dontaudit_read_root_files(automount_t)
-       term_dontaudit_use_unallocated_ttys(automount_t)
-       term_dontaudit_use_generic_ptys(automount_t)
-')
-
 optional_policy(`
        bind_search_cache(automount_t)
 ')
index 16a2d07c52ec2f7bcd6e4be42f770a868ea6519d..159d655685ce6e8ad075f5a133b787bf7e3931ca 100644 (file)
@@ -80,12 +80,6 @@ miscfiles_read_localization(avahi_t)
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(avahi_t)
-       term_dontaudit_use_generic_ptys(avahi_t)
-       files_dontaudit_read_root_files(avahi_t)
-')
-
 optional_policy(`
        dbus_system_bus_client_template(avahi,avahi_t)
        dbus_connect_system_bus(avahi_t)
index 6e59307a7a6bbae82d8af433326c6e8d63dbaf2e..94b45a6e8c39ed380a046a6177fe3535734d2133 100644 (file)
@@ -148,12 +148,6 @@ sysnet_read_config(named_t)
 userdom_dontaudit_use_unpriv_user_fds(named_t)
 userdom_dontaudit_search_sysadm_home_dirs(named_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(named_t)
-       term_dontaudit_use_generic_ptys(named_t)
-       files_dontaudit_read_root_files(named_t)
-')
-
 tunable_policy(`named_write_master_zones',`
        manage_dirs_pattern(named_t,named_zone_t,named_zone_t)
        manage_files_pattern(named_t,named_zone_t,named_zone_t)
@@ -265,13 +259,6 @@ ifdef(`distro_redhat',`
        allow ndc_t named_conf_t:dir search;
 ')
 
-ifdef(`targeted_policy',`
-       kernel_dontaudit_read_unlabeled_files(ndc_t)
-
-       term_use_unallocated_ttys(ndc_t)
-       term_use_generic_ptys(ndc_t)
-')
-
 optional_policy(`
        nis_use_ypbind(ndc_t)
 ')
index e031f3995e991ef3bbdd4137522f07bf571534e0..4f792787b90d0105674c5f6c46f72c6d96a23307 100644 (file)
@@ -1,5 +1,116 @@
 ## <summary>Bluetooth tools and system services.</summary>
 
+#######################################
+## <summary>
+##     The per role template for the bluetooth module.
+## </summary>
+## <desc>
+##     <p>
+##     This template creates derived domains which are used
+##     for bluetooth.
+##     </p>
+##     <p>
+##     This template is invoked automatically for each user, and
+##     generally does not need to be invoked directly
+##     by policy writers.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+## <param name="user_role">
+##     <summary>
+##     The role associated with the user domain.
+##     </summary>
+## </param>
+#
+template(`bluetooth_per_role_template',`
+       gen_require(`
+               attribute bluetooth_helper_domain;
+               type bluetooth_helper_exec_t;
+       ')
+
+       type $1_bluetooth_t, bluetooth_helper_domain;
+       application_domain($1_bluetooth_t, bluetooth_helper_exec_t)
+       role $3 types $1_bluetooth_t;
+       
+       type $1_bluetooth_tmp_t;
+       files_tmp_file($1_bluetooth_tmp_t)
+
+       type $1_bluetooth_tmpfs_t;
+       files_tmpfs_file($1_bluetooth_tmpfs_t)
+
+       allow $1_bluetooth_t self:capability sys_nice;
+       allow $1_bluetooth_t self:process getsched;
+       allow $1_bluetooth_t self:fifo_file rw_fifo_file_perms;
+       allow $1_bluetooth_t self:shm create_shm_perms;
+       allow $1_bluetooth_t self:unix_stream_socket { create_stream_socket_perms connectto };
+       allow $1_bluetooth_t self:tcp_socket create_socket_perms;
+       allow $1_bluetooth_t self:netlink_route_socket r_netlink_socket_perms;
+
+       allow $1_bluetooth_t bluetooth_t:socket { read write };
+
+       manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
+       manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
+       manage_sock_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
+       files_tmp_filetrans($1_bluetooth_t, $1_bluetooth_tmp_t, { file dir sock_file })
+
+       manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t)
+       manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t)
+       fs_tmpfs_filetrans($1_bluetooth_t, $1_bluetooth_tmpfs_t, { dir file })
+
+       kernel_read_system_state($1_bluetooth_t)
+       kernel_read_kernel_sysctls($1_bluetooth_t)
+
+       dev_read_urand($1_bluetooth_t)
+
+       term_dontaudit_use_all_user_ttys($1_bluetooth_t)
+
+       corecmd_exec_bin($1_bluetooth_t)
+       corecmd_exec_shell($1_bluetooth_t)
+
+       domain_read_all_domains_state($1_bluetooth_t)
+
+       files_read_etc_files($1_bluetooth_t)
+       files_read_etc_runtime_files($1_bluetooth_t)
+       files_read_usr_files($1_bluetooth_t)
+       files_dontaudit_list_default($1_bluetooth_t)
+
+       libs_use_ld_so($1_bluetooth_t)
+       libs_use_shared_libs($1_bluetooth_t)
+
+       locallogin_dontaudit_use_fds($1_bluetooth_t)
+
+       logging_send_syslog_msg($1_bluetooth_t)
+
+       miscfiles_read_localization($1_bluetooth_t) 
+
+       sysnet_read_config($1_bluetooth_t)
+
+       optional_policy(`
+               bluetooth_dbus_chat($1_bluetooth_t)
+               dbus_system_bus_client_template($1_bluetooth, $1_bluetooth_t)
+               dbus_connect_system_bus($1_bluetooth_t)
+               dbus_send_system_bus($1_bluetooth_t)
+       ')
+
+       optional_policy(`
+               nscd_socket_use($1_bluetooth_t)
+       ')
+
+       optional_policy(`
+               xserver_user_client_template($1, $1_bluetooth_t, $1_bluetooth_tmpfs_t)
+       ')
+')
+
 ########################################
 ## <summary>
 ##     Execute bluetooth in the bluetooth domain.
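Review bot: The template's gen_require lists only bluetooth_helper_domain and bluetooth_helper_exec_t, but the rule `allow $1_bluetooth_t bluetooth_t:socket { read write };` uses bluetooth_t directly, so expanding the template from another module will fail on an undeclared type unless `type bluetooth_t;` is added to the gen_require block. Compared with the helper policy removed in the bluetooth.te hunk below, `files_search_tmp` and `miscfiles_read_fonts` are not carried over into the template; if that is intentional it deserves a comment, otherwise the per-role helper domains lose those permissions. The blank line after `role $3 types $1_bluetooth_t;` and the `miscfiles_read_localization` line carry trailing whitespace.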
@@ -38,47 +149,43 @@ interface(`bluetooth_read_config',`
 
 ########################################
 ## <summary>
-##     Execute bluetooth_helper in the bluetooth_helper domain.
+##     Send and receive messages from
+##     bluetooth over dbus.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     The type of the process performing this action.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-interface(`bluetooth_domtrans_helper',`
+interface(`bluetooth_dbus_chat',`
        gen_require(`
-               type bluetooth_helper_t, bluetooth_helper_exec_t;
+               type bluetooth_t;
+               class dbus send_msg;
        ')
 
-       domtrans_pattern($1,bluetooth_helper_exec_t,bluetooth_helper_t)
+       allow $1 bluetooth_t:dbus send_msg;
+       allow bluetooth_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##     Send and receive messages from
-##     bluetooth over dbus.
+##     Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     Domain allowed access.
+##     The type of the process performing this action.
 ##     </summary>
 ## </param>
 #
-interface(`bluetooth_dbus_chat',`
-       gen_require(`
-               type bluetooth_t;
-               class dbus send_msg;
-       ')
-
-       allow $1 bluetooth_t:dbus send_msg;
-       allow bluetooth_t $1:dbus send_msg;
+interface(`bluetooth_domtrans_helper',`
+       refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
 ##     Execute bluetooth_helper in the bluetooth_helper domain, and
-##     allow the specified role the bluetooth_helper domain.
+##     allow the specified role the bluetooth_helper domain.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##     <summary>
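Review bot: The deprecation markers on bluetooth_domtrans_helper here and on bluetooth_run_helper in the next hunk say only "(Deprecated)" without naming the replacement, so a policy writer hitting the refpolicywarn has nothing to migrate to. Suggest extending both summaries, e.g. `##	Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated; use bluetooth_per_role_template)`.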
@@ -98,13 +205,7 @@ interface(`bluetooth_dbus_chat',`
 ## <rolecap/>
 #
 interface(`bluetooth_run_helper',`
-       gen_require(`
-               type bluetooth_helper_t;
-       ')
-
-       bluetooth_domtrans_helper($1)
-       role $2 types bluetooth_helper_t;
-       allow bluetooth_helper_t $3:chr_file rw_term_perms;
+       refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -119,9 +220,9 @@ interface(`bluetooth_run_helper',`
 #
 interface(`bluetooth_dontaudit_read_helper_files',`
        gen_require(`
-               type bluetooth_helper_t;
+               attribute bluetooth_helper_domain;
        ')
 
-       dontaudit $1 bluetooth_helper_t:dir search;
-       dontaudit $1 bluetooth_helper_t:file { read getattr };
+       dontaudit $1 bluetooth_helper_domain:dir search;
+       dontaudit $1 bluetooth_helper_domain:file { read getattr };
 ')
index ae6e6a7f3ec36f4ac03a4ab13930c45321fc8a9d..7f1f285c56ae49424501d1d8eab6bb7026138c1b 100644 (file)
@@ -15,14 +15,10 @@ files_type(bluetooth_conf_t)
 type bluetooth_conf_rw_t;
 files_type(bluetooth_conf_rw_t)
 
-type bluetooth_helper_t;
-type bluetooth_helper_exec_t;
-domain_type(bluetooth_helper_t)
-domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
-role system_r types bluetooth_helper_t;
+attribute bluetooth_helper_domain;
 
-type bluetooth_helper_tmp_t;
-files_tmp_file(bluetooth_helper_tmp_t)
+type bluetooth_helper_exec_t;
+application_executable_file(bluetooth_helper_exec_t)
 
 type bluetooth_lock_t;
 files_lock_file(bluetooth_lock_t)
@@ -61,7 +57,7 @@ manage_fifo_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t)
 manage_sock_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t)
 filetrans_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t,{ dir file lnk_file sock_file fifo_file })
 
-domtrans_pattern(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+can_exec(bluetooth_t, bluetooth_helper_exec_t)
 
 allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
 files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
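Review bot: Replacing `domtrans_pattern` with `can_exec(bluetooth_t, bluetooth_helper_exec_t)` means helper binaries launched by the daemon now run inside bluetooth_t itself instead of a separate helper domain, which widens what the daemon domain does, and nothing in the hunk records why. Presumably user-launched helpers are meant to go through the per-role template's `application_domain` while daemon-launched ones stay in bluetooth_t; a one-line comment such as `# helpers started by the daemon run in bluetooth_t; user-started helpers use the per-role domains` would capture that.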
@@ -117,8 +113,6 @@ files_read_usr_files(bluetooth_t)
 libs_use_ld_so(bluetooth_t)
 libs_use_shared_libs(bluetooth_t)
 
-locallogin_dontaudit_use_fds(bluetooth_helper_t)
-
 logging_send_syslog_msg(bluetooth_t)
 
 miscfiles_read_localization(bluetooth_t)
@@ -130,12 +124,6 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
 userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(bluetooth_t)
-       term_dontaudit_use_generic_ptys(bluetooth_t)
-       files_dontaudit_read_root_files(bluetooth_t)
-')
-
 optional_policy(`
        dbus_system_bus_client_template(bluetooth,bluetooth_t)
        dbus_connect_system_bus(bluetooth_t)
@@ -154,94 +142,6 @@ optional_policy(`
        udev_read_db(bluetooth_t)
 ')
 
-########################################
-#
-# Bluetooth helper local policy
-#
-
-allow bluetooth_helper_t self:capability sys_nice;
-allow bluetooth_helper_t self:process getsched;
-allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
-allow bluetooth_helper_t self:shm create_shm_perms;
-allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow bluetooth_helper_t self:tcp_socket create_socket_perms;
-allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow bluetooth_helper_t bluetooth_t:socket { read write };
-
-manage_dirs_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t)
-manage_files_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t)
-manage_sock_files_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t)
-files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
-
-kernel_read_system_state(bluetooth_helper_t)
-kernel_read_kernel_sysctls(bluetooth_helper_t)
-
-dev_read_urand(bluetooth_helper_t)
-
-term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
-
-corecmd_exec_bin(bluetooth_helper_t)
-corecmd_exec_shell(bluetooth_helper_t)
-
-domain_read_all_domains_state(bluetooth_helper_t)
-
-files_read_etc_files(bluetooth_helper_t)
-files_read_etc_runtime_files(bluetooth_helper_t)
-files_read_usr_files(bluetooth_helper_t)
-files_search_tmp(bluetooth_helper_t)
-files_dontaudit_list_default(bluetooth_helper_t)
-
-libs_use_ld_so(bluetooth_helper_t)
-libs_use_shared_libs(bluetooth_helper_t)
-
-logging_send_syslog_msg(bluetooth_helper_t)
-
-miscfiles_read_localization(bluetooth_helper_t) 
-miscfiles_read_fonts(bluetooth_helper_t)
-
-sysnet_read_config(bluetooth_helper_t)
-
-ifdef(`targeted_policy',`
-       files_rw_generic_tmp_sockets(bluetooth_helper_t)
-       files_manage_generic_tmp_files(bluetooth_helper_t)
-
-       fs_rw_tmpfs_files(bluetooth_helper_t)
-
-       term_dontaudit_use_generic_ptys(bluetooth_helper_t)
-       term_dontaudit_use_unallocated_ttys(bluetooth_helper_t)
-
-       unconfined_stream_connect(bluetooth_helper_t)
-
-       userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
-
-       optional_policy(`
-               corenet_tcp_connect_xserver_port(bluetooth_helper_t)
-               #Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205956
-               xserver_read_xdm_tmp_files(bluetooth_helper_t)
-               xserver_stream_connect_xdm(bluetooth_helper_t)
-               xserver_use_xdm_fds(bluetooth_helper_t)
-               xserver_rw_xdm_pipes(bluetooth_helper_t)
-               # when started via startx 
-               xserver_stream_connect_xdm_xserver(bluetooth_helper_t)
-       ')
-')
-
-optional_policy(`
-       bluetooth_dbus_chat(bluetooth_helper_t)
-       dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
-       dbus_connect_system_bus(bluetooth_helper_t)
-       dbus_send_system_bus(bluetooth_helper_t)
-')
-
-optional_policy(`
-       nscd_socket_use(bluetooth_helper_t)
-')
-
 optional_policy(`
        ppp_domtrans(bluetooth_t)
 ')
-
-optional_policy(`
-               xserver_stream_connect_xdm(bluetooth_helper_t)
-')     
index 51e7efa5712af8e8d47231ab167f83566ef1194a..5445a70550e6f941f7d5a73f3fd71082fd9e1c10 100644 (file)
@@ -80,12 +80,6 @@ sysnet_read_config(canna_t)
 userdom_dontaudit_use_unpriv_user_fds(canna_t)
 userdom_dontaudit_search_sysadm_home_dirs(canna_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(canna_t)
-       term_dontaudit_use_generic_ptys(canna_t)
-       files_dontaudit_read_root_files(canna_t)
-')
-
 optional_policy(`
        nis_use_ypbind(canna_t)
 ')
index 26b1da91333d4752548a81b3719e153c7b26074e..fcecb1b08127fa99cd856acf4310779f712c559a 100644 (file)
@@ -112,11 +112,6 @@ ifdef(`hide_broken_symptoms', `
        files_manage_isid_type_files(ccs_t)
 ')
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(ccs_t)
-       term_dontaudit_use_unallocated_ttys(ccs_t)
-')
-
 optional_policy(`
        unconfined_use_fds(ccs_t)
 ')
index b4f8ad4d8b8ef7e51129ae33cb494dcd32205292..323554b6db722fc9ca422168a44477fa2809da4c 100644 (file)
@@ -63,12 +63,6 @@ sysnet_read_config(ciped_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ciped_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(ciped_t)
-       term_dontaudit_use_generic_ptys(ciped_t)
-       files_dontaudit_read_root_files(ciped_t)
-')
-
 optional_policy(`
        nis_use_ypbind(ciped_t)
 ')
index 2a2dec7e4da5142d4d22df72579115a1c6bb3e36..6b7d0c545fe86a4707fc6a972463ba788baa26d4 100644 (file)
@@ -120,11 +120,6 @@ cron_use_fds(clamd_t)
 cron_use_system_job_fds(clamd_t)
 cron_rw_pipes(clamd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(clamd_t)
-       term_dontaudit_use_generic_ptys(clamd_t)
-')
-
 optional_policy(`
        amavis_read_lib_files(clamd_t)
        amavis_read_spool_files(clamd_t)
index ee4a98e9fb966d5933e46c7bc2328c4b8617e1c5..354edf6bbded34fc5a302610cda87c681c2dfd31 100644 (file)
@@ -77,12 +77,6 @@ template(`courier_domain_template',`
 
        userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
 
-       ifdef(`targeted_policy',`
-               term_dontaudit_use_unallocated_ttys(courier_$1_t)
-               term_dontaudit_use_generic_ptys(courier_$1_t)
-               files_dontaudit_read_root_files(courier_$1_t)
-       ')
-
        optional_policy(`
                seutil_sigchld_newrole(courier_$1_t)
        ')
index 48d6e261f24812526996a6f778211f517dc6488b..91452632052c169f1873ade0f899fd413105565e 100644 (file)
@@ -58,12 +58,6 @@ logging_send_syslog_msg(cpucontrol_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(cpucontrol_t)
-       term_dontaudit_use_generic_ptys(cpucontrol_t)
-       files_dontaudit_read_root_files(cpucontrol_t)
-')
-
 optional_policy(`
        nscd_socket_use(cpucontrol_t)
 ')
@@ -118,12 +112,6 @@ miscfiles_read_localization(cpuspeed_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(cpuspeed_t)
-       term_dontaudit_use_generic_ptys(cpuspeed_t)
-       files_dontaudit_read_root_files(cpuspeed_t)
-')
-
 optional_policy(`
        nscd_socket_use(cpuspeed_t)
 ')
index 74c3142c2a2c49128880e9af483252403cdfab72..b61103c15ceae0898cab64246dea72336d79bf78 100644 (file)
@@ -152,6 +152,17 @@ template(`cron_per_role_template',`
                allow crond_t $1_cron_spool_t:file manage_file_perms;
        ')
 
+       # need a per-role version of this:
+       #optional_policy(`
+       #       mono_domtrans($1_crond_t)
+       #')
+
+       optional_policy(`
+               dbus_stub($1_crond_t)
+
+               allow $1_crond_t $2:dbus send_msg;
+       ')              
+
        optional_policy(`
                nis_use_ypbind($1_crond_t)
        ')
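Review bot: The new block leaves commented-out code (`#optional_policy(` … `#	mono_domtrans($1_crond_t)` … `#')`) in the template, and the closing `')` of the dbus block carries trailing whitespace. Keep the intent as a plain note instead, e.g. `# TODO: add a per-role mono_domtrans($1_crond_t) once the interface exists`, and drop the dead lines. The `allow $1_crond_t $2:dbus send_msg;` rule has no gen_require for the dbus class in this hunk, so presumably `dbus_stub($1_crond_t)` is what brings it into scope — worth a short comment since the pairing is not obvious. cron_per_role_template starts outside the hunk.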
index 3e093b3d38fe5c88223b8f83957936455066d671..d95d755f44de7707ec334544fa6dc1c6564b636d 100644 (file)
@@ -60,11 +60,7 @@ application_executable_file(crontab_exec_t)
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
 
-ifdef(`targeted_policy',`
-       typealias crond_t alias system_crond_t;
-',`
-       type system_crond_t;
-')
+type system_crond_t;
 init_daemon_domain(system_crond_t,anacron_exec_t)
 corecmd_shell_entry_type(system_crond_t)
 role system_r types system_crond_t;
@@ -75,11 +71,6 @@ files_lock_file(system_crond_lock_t)
 type system_crond_tmp_t;
 files_tmp_file(system_crond_tmp_t)
 
-ifdef(`targeted_policy',`
-       type sysadm_cron_spool_t;
-       files_type(sysadm_cron_spool_t)
-')
-
 ifdef(`enable_mcs',`
        init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
 ')
@@ -111,6 +102,10 @@ files_pid_filetrans(crond_t,crond_var_run_t,file)
 allow crond_t cron_spool_t:dir rw_dir_perms;
 allow crond_t cron_spool_t:file read_file_perms;
 
+manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t)
+manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t)
+files_tmp_filetrans(crond_t,crond_tmp_t,{ file dir })
+
 allow crond_t system_cron_spool_t:dir list_dir_perms;
 allow crond_t system_cron_spool_t:file read_file_perms;
 
@@ -185,35 +180,6 @@ optional_policy(`
        locallogin_link_keys(crond_t)
 ')
 
-ifdef(`targeted_policy',`
-       manage_dirs_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
-       manage_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
-       manage_lnk_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
-       manage_fifo_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
-       manage_sock_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
-       files_tmp_filetrans(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
-
-       unconfined_domain(crond_t)
-
-       userdom_manage_generic_user_home_content_dirs(crond_t)
-       userdom_manage_generic_user_home_content_files(crond_t)
-       userdom_manage_generic_user_home_content_symlinks(crond_t)
-       userdom_manage_generic_user_home_content_sockets(crond_t)
-       userdom_manage_generic_user_home_content_pipes(crond_t)
-       userdom_generic_user_home_dir_filetrans_generic_user_home_content(crond_t,{ dir file lnk_file fifo_file sock_file })
-
-       allow crond_t unconfined_t:dbus send_msg;
-       allow crond_t initrc_t:dbus send_msg;
-
-       optional_policy(`
-               mono_domtrans(crond_t)
-       ')
-',`
-       manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t)
-       manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t)
-       files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-')
-
 tunable_policy(`fcron_crond', `
        allow crond_t system_cron_spool_t:file manage_file_perms;
 ')
@@ -258,6 +224,11 @@ optional_policy(`
 # System cron process domain
 #
 
+allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
+allow system_crond_t self:process { signal_perms setsched };
+allow system_crond_t self:fifo_file rw_fifo_file_perms;
+allow system_crond_t self:passwd rootok;
+
 # This is to handle creation of files in /var/log directory.
 #  Used currently by rpm script log files
 allow system_crond_t cron_log_t:file manage_file_perms;
@@ -268,220 +239,209 @@ logging_log_filetrans(system_crond_t,cron_log_t,file)
 allow system_crond_t cron_var_lib_t:file manage_file_perms;
 files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
 
-optional_policy(`
-       # cjp: why?
-       squid_domtrans(system_crond_t)
-')
+allow system_crond_t system_cron_spool_t:file read_file_perms;
+# The entrypoint interface is not used as this is not
+# a regular entrypoint.  Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job.  It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_crond_t system_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_crond_t:process transition;
+dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_crond_t:fd use;
+allow system_crond_t crond_t:fd use;
+allow system_crond_t crond_t:fifo_file rw_file_perms;
+allow system_crond_t crond_t:process sigchld;
+
+# Write /var/lock/makewhatis.lock.
+allow system_crond_t system_crond_lock_t:file manage_file_perms;
+files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
+
+# write temporary files
+manage_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
+manage_lnk_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
+filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
+files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
 
-ifdef(`targeted_policy',`
-       # cjp: FIXME
-       allow crond_t unconfined_t:process transition;
-',`
-       allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-       allow system_crond_t self:process { signal_perms setsched };
-       allow system_crond_t self:fifo_file rw_fifo_file_perms;
-       allow system_crond_t self:passwd rootok;
-
-       # The entrypoint interface is not used as this is not
-       # a regular entrypoint.  Since crontab files are
-       # not directly executed, crond must ensure that
-       # the crontab file has a type that is appropriate
-       # for the domain of the user cron job.  It
-       # performs an entrypoint permission check
-       # for this purpose.
-       allow system_crond_t system_cron_spool_t:file entrypoint;
-
-       allow system_crond_t system_cron_spool_t:file read_file_perms;
-
-       # Permit a transition from the crond_t domain to this domain.
-       # The transition is requested explicitly by the modified crond 
-       # via setexeccon.  There is no way to set up an automatic
-       # transition, since crontabs are configuration files, not executables.
-       allow crond_t system_crond_t:process transition;
-       dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
-       allow crond_t system_crond_t:fd use;
-       allow system_crond_t crond_t:fd use;
-       allow system_crond_t crond_t:fifo_file rw_file_perms;
-       allow system_crond_t crond_t:process sigchld;
-
-       # Write /var/lock/makewhatis.lock.
-       allow system_crond_t system_crond_lock_t:file manage_file_perms;
-       files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
-
-       # write temporary files
-       manage_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
-       manage_lnk_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
-       filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
-       files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
-
-       # Read from /var/spool/cron.
-       allow system_crond_t cron_spool_t:dir list_dir_perms;
-       allow system_crond_t cron_spool_t:file read_file_perms;
-
-       kernel_read_kernel_sysctls(system_crond_t)
-       kernel_read_system_state(system_crond_t)
-       kernel_read_software_raid_state(system_crond_t)
-
-       # ps does not need to access /boot when run from cron
-       files_dontaudit_search_boot(system_crond_t)
-
-       corecmd_exec_all_executables(system_crond_t)
-
-       corenet_all_recvfrom_unlabeled(system_crond_t)
-       corenet_all_recvfrom_netlabel(system_crond_t)
-       corenet_tcp_sendrecv_all_if(system_crond_t)
-       corenet_udp_sendrecv_all_if(system_crond_t)
-       corenet_tcp_sendrecv_all_nodes(system_crond_t)
-       corenet_udp_sendrecv_all_nodes(system_crond_t)
-       corenet_tcp_sendrecv_all_ports(system_crond_t)
-       corenet_udp_sendrecv_all_ports(system_crond_t)
-
-       dev_getattr_all_blk_files(system_crond_t)
-       dev_getattr_all_chr_files(system_crond_t)
-       dev_read_urand(system_crond_t)
-
-       fs_getattr_all_fs(system_crond_t)
-       fs_getattr_all_files(system_crond_t)
-       fs_getattr_all_symlinks(system_crond_t)
-       fs_getattr_all_pipes(system_crond_t)
-       fs_getattr_all_sockets(system_crond_t)
-
-       # quiet other ps operations
-       domain_dontaudit_read_all_domains_state(system_crond_t)
-
-       files_exec_etc_files(system_crond_t)
-       files_read_etc_files(system_crond_t)
-       files_read_etc_runtime_files(system_crond_t)
-       files_list_all(system_crond_t)
-       files_getattr_all_dirs(system_crond_t)
-       files_getattr_all_files(system_crond_t)
-       files_getattr_all_symlinks(system_crond_t)
-       files_getattr_all_pipes(system_crond_t)
-       files_getattr_all_sockets(system_crond_t)
-       files_read_usr_files(system_crond_t)
-       files_read_var_files(system_crond_t)
-       # for nscd:
-       files_dontaudit_search_pids(system_crond_t)
-       # Access other spool directories like
-       # /var/spool/anacron and /var/spool/slrnpull.
-       files_manage_generic_spool(system_crond_t)
-
-       init_use_script_fds(system_crond_t)
-       init_read_utmp(system_crond_t)
-       init_dontaudit_rw_utmp(system_crond_t)
-       # prelink tells init to restart it self, we either need to allow or dontaudit
-       init_write_initctl(system_crond_t)
-
-       libs_use_ld_so(system_crond_t)
-       libs_use_shared_libs(system_crond_t)
-       libs_exec_lib_files(system_crond_t)
-       libs_exec_ld_so(system_crond_t)
-
-       logging_read_generic_logs(system_crond_t)
-       logging_send_syslog_msg(system_crond_t)
-
-       miscfiles_read_localization(system_crond_t)
-       miscfiles_manage_man_pages(system_crond_t)
-
-       seutil_read_config(system_crond_t)
-
-       ifdef(`distro_redhat', `
-               # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-               # via redirection of standard out.
-               optional_policy(`
-                       rpm_manage_log(system_crond_t)
-               ')
-       ')
-
-       tunable_policy(`cron_can_relabel',`
-               seutil_domtrans_setfiles(system_crond_t)
-       ',`
-               selinux_get_fs_mount(system_crond_t)
-               selinux_validate_context(system_crond_t)
-               selinux_compute_access_vector(system_crond_t)
-               selinux_compute_create_context(system_crond_t)
-               selinux_compute_relabel_context(system_crond_t)
-               selinux_compute_user_contexts(system_crond_t)
-               seutil_read_file_contexts(system_crond_t)
-       ')
+# Read from /var/spool/cron.
+allow system_crond_t cron_spool_t:dir list_dir_perms;
+allow system_crond_t cron_spool_t:file read_file_perms;
+
+kernel_read_kernel_sysctls(system_crond_t)
+kernel_read_system_state(system_crond_t)
+kernel_read_software_raid_state(system_crond_t)
+
+# ps does not need to access /boot when run from cron
+files_dontaudit_search_boot(system_crond_t)
+
+corecmd_exec_all_executables(system_crond_t)
+
+corenet_all_recvfrom_unlabeled(system_crond_t)
+corenet_all_recvfrom_netlabel(system_crond_t)
+corenet_tcp_sendrecv_all_if(system_crond_t)
+corenet_udp_sendrecv_all_if(system_crond_t)
+corenet_tcp_sendrecv_all_nodes(system_crond_t)
+corenet_udp_sendrecv_all_nodes(system_crond_t)
+corenet_tcp_sendrecv_all_ports(system_crond_t)
+corenet_udp_sendrecv_all_ports(system_crond_t)
+
+dev_getattr_all_blk_files(system_crond_t)
+dev_getattr_all_chr_files(system_crond_t)
+dev_read_urand(system_crond_t)
+
+fs_getattr_all_fs(system_crond_t)
+fs_getattr_all_files(system_crond_t)
+fs_getattr_all_symlinks(system_crond_t)
+fs_getattr_all_pipes(system_crond_t)
+fs_getattr_all_sockets(system_crond_t)
+
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(system_crond_t)
+
+files_exec_etc_files(system_crond_t)
+files_read_etc_files(system_crond_t)
+files_read_etc_runtime_files(system_crond_t)
+files_list_all(system_crond_t)
+files_getattr_all_dirs(system_crond_t)
+files_getattr_all_files(system_crond_t)
+files_getattr_all_symlinks(system_crond_t)
+files_getattr_all_pipes(system_crond_t)
+files_getattr_all_sockets(system_crond_t)
+files_read_usr_files(system_crond_t)
+files_read_var_files(system_crond_t)
+# for nscd:
+files_dontaudit_search_pids(system_crond_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
+files_manage_generic_spool(system_crond_t)
+
+init_use_script_fds(system_crond_t)
+init_read_utmp(system_crond_t)
+init_dontaudit_rw_utmp(system_crond_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_write_initctl(system_crond_t)
+
+libs_use_ld_so(system_crond_t)
+libs_use_shared_libs(system_crond_t)
+libs_exec_lib_files(system_crond_t)
+libs_exec_ld_so(system_crond_t)
+
+logging_read_generic_logs(system_crond_t)
+logging_send_syslog_msg(system_crond_t)
+
+miscfiles_read_localization(system_crond_t)
+miscfiles_manage_man_pages(system_crond_t)
+
+seutil_read_config(system_crond_t)
 
+ifdef(`distro_redhat', `
+       # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+       # via redirection of standard out.
        optional_policy(`
-               # Needed for certwatch
-               apache_exec_modules(system_crond_t)
-               apache_read_config(system_crond_t)
-               apache_read_log(system_crond_t)
-               apache_read_sys_content(system_crond_t)
+               rpm_manage_log(system_crond_t)
        ')
+')
 
-       optional_policy(`
-               cyrus_manage_data(system_crond_t)
-       ')
+tunable_policy(`cron_can_relabel',`
+       seutil_domtrans_setfiles(system_crond_t)
+',`
+       selinux_get_fs_mount(system_crond_t)
+       selinux_validate_context(system_crond_t)
+       selinux_compute_access_vector(system_crond_t)
+       selinux_compute_create_context(system_crond_t)
+       selinux_compute_relabel_context(system_crond_t)
+       selinux_compute_user_contexts(system_crond_t)
+       seutil_read_file_contexts(system_crond_t)
+')
 
-       optional_policy(`
-               ftp_read_log(system_crond_t)
-       ')
+optional_policy(`
+       # Needed for certwatch
+       apache_exec_modules(system_crond_t)
+       apache_read_config(system_crond_t)
+       apache_read_log(system_crond_t)
+       apache_read_sys_content(system_crond_t)
+')
 
-       optional_policy(`
-               inn_manage_log(system_crond_t)
-               inn_manage_pid(system_crond_t)
-               inn_read_config(system_crond_t)
-       ')
+optional_policy(`
+       cyrus_manage_data(system_crond_t)
+')
 
-       optional_policy(`
-               mrtg_append_create_logs(system_crond_t)
-       ')
+optional_policy(`
+       ftp_read_log(system_crond_t)
+')
 
-       optional_policy(`
-               mta_send_mail(system_crond_t)
-       ')
+optional_policy(`
+       inn_manage_log(system_crond_t)
+       inn_manage_pid(system_crond_t)
+       inn_read_config(system_crond_t)
+')
 
-       optional_policy(`
-               mysql_read_config(system_crond_t)
-       ')
+optional_policy(`
+       mrtg_append_create_logs(system_crond_t)
+')
 
-       optional_policy(`
-               nis_use_ypbind(system_crond_t)
-       ')
+optional_policy(`
+       mta_send_mail(system_crond_t)
+')
 
-       optional_policy(`
-               nscd_socket_use(system_crond_t)
-       ')
+optional_policy(`
+       mysql_read_config(system_crond_t)
+')
 
-       optional_policy(`
-               postfix_read_config(system_crond_t)
-       ')      
+optional_policy(`
+       nis_use_ypbind(system_crond_t)
+')
 
-       optional_policy(`
-               prelink_read_cache(system_crond_t)
-               prelink_manage_log(system_crond_t)
-               prelink_delete_cache(system_crond_t)
-       ')
+optional_policy(`
+       nscd_socket_use(system_crond_t)
+')
 
-       optional_policy(`
-               samba_read_config(system_crond_t)
-               samba_read_log(system_crond_t)
-               #samba_read_secrets(system_crond_t)
-       ')
+optional_policy(`
+       postfix_read_config(system_crond_t)
+')     
 
-       optional_policy(`
-               slocate_create_append_log(system_crond_t)
-       ')
+optional_policy(`
+       prelink_read_cache(system_crond_t)
+       prelink_manage_log(system_crond_t)
+       prelink_delete_cache(system_crond_t)
+')
 
-       optional_policy(`
-               sysstat_manage_log(system_crond_t)
-       ')
+optional_policy(`
+       samba_read_config(system_crond_t)
+       samba_read_log(system_crond_t)
+       #samba_read_secrets(system_crond_t)
+')
+
+optional_policy(`
+       slocate_create_append_log(system_crond_t)
+')
 
-       ifdef(`TODO',`
-       dontaudit userdomain system_crond_t:fd use;
+optional_policy(`
+       # cjp: why?
+       squid_domtrans(system_crond_t)
+')
 
-       allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
+optional_policy(`
+       sysstat_manage_log(system_crond_t)
+')
 
-       # for if /var/mail is a symlink
-       allow system_crond_t mail_spool_t:lnk_file read;
+optional_policy(`
+       unconfined_domain(system_crond_t)
 
-       ifdef(`mta.te', `
-       allow mta_user_agent system_crond_t:fd use;
-       r_dir_file(system_mail_t, crond_tmp_t)
-       ')
-       ') dnl end TODO
+       userdom_priveleged_home_dir_manager(system_crond_t)
+')
+
+ifdef(`TODO',`
+ifdef(`mta.te', `
+allow system_crond_t mail_spool_t:lnk_file read;
+allow mta_user_agent system_crond_t:fd use;
+r_dir_file(system_mail_t, crond_tmp_t)
 ')
+') dnl end TODO
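Review bot: The new `optional_policy` block near the end of this hunk that calls `unconfined_domain(system_crond_t)` and `userdom_priveleged_home_dir_manager(system_crond_t)` makes the system cron domain unconfined in every build that loads the unconfined module, with no tunable visible to turn it off; before this commit that grant existed only under `targeted_policy` (the removed `unconfined_domain(crond_t)` earlier in the file), so a deployment that previously built the strict variant with the unconfined module present now gets an unconfined system cron domain by default. Since the commit's goal is to merge the two policies, gating this block behind a boolean rather than on the mere presence of the module seems worth considering, and at minimum a comment such as `# System cron jobs become unconfined whenever the unconfined module is loaded.` should state the effect. The same pattern appears in the later hunk that adds the `optional_policy` block containing `unconfined_domain(inetd_child_t)`. Separately, the `+')` line closing the postfix `optional_policy` block carries trailing whitespace.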
index 4ddf3daa9a2789d622848fdbdde4e2dc35451f08..fc06d64f735ed315ebc207889d6d95de427c0d0b 100644 (file)
@@ -231,25 +231,6 @@ ifdef(`enable_mls',`
        lpd_relabel_spool(cupsd_t)
 ')
 
-ifdef(`targeted_policy',`
-       files_dontaudit_read_root_files(cupsd_t)
-
-       term_dontaudit_use_unallocated_ttys(cupsd_t)
-       term_dontaudit_use_generic_ptys(cupsd_t)
-
-       init_stream_connect_script(cupsd_t)
-
-       unconfined_rw_pipes(cupsd_t)
-
-       optional_policy(`
-               init_dbus_chat_script(cupsd_t)
-
-               unconfined_dbus_send(cupsd_t)
-
-               dbus_stub(cupsd_t)
-       ')
-')
-
 optional_policy(`
        apm_domtrans_client(cupsd_t)
 ')
@@ -395,15 +376,6 @@ ifdef(`distro_redhat',`
        ')
 ')
 
-ifdef(`targeted_policy',`
-       files_dontaudit_read_root_files(cupsd_config_t)
-
-       term_dontaudit_use_unallocated_ttys(cupsd_config_t)
-       term_use_generic_ptys(cupsd_config_t)
-
-       unconfined_rw_pipes(cupsd_config_t)
-')
-
 optional_policy(`
        cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
@@ -617,12 +589,6 @@ userdom_dontaudit_search_all_users_home_content(hplip_t)
 
 lpd_read_config(cupsd_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(hplip_t)
-       term_dontaudit_use_generic_ptys(hplip_t)
-       files_dontaudit_read_root_files(hplip_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(hplip_t)
 ')
@@ -695,12 +661,6 @@ sysnet_read_config(ptal_t)
 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
 userdom_dontaudit_search_all_users_home_content(ptal_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(ptal_t)
-       term_dontaudit_use_generic_ptys(ptal_t)
-       files_dontaudit_read_root_files(ptal_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(ptal_t)
 ')
index 23ede8587c659ce006644ac6dbb83c8b1a941c81..8b6300a734884b14a6215f515b7eeea753d16597 100644 (file)
@@ -109,17 +109,10 @@ sysnet_read_config(cyrus_t)
 userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
 userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
 userdom_use_unpriv_users_fds(cyrus_t)
-userdom_use_sysadm_ptys(cyrus_t)
 
 mta_manage_spool(cyrus_t)
 mta_send_mail(cyrus_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(cyrus_t)
-       term_dontaudit_use_generic_ptys(cyrus_t)
-       files_dontaudit_read_root_files(cyrus_t)
-')
-
 optional_policy(`
        cron_system_entry(cyrus_t,cyrus_exec_t)
 ')
index b42135579d377ed0f8ee0a6f43112f5bf8a8c3b3..1bc9f6448bbae6149df8d57d2c4b50943e942304 100644 (file)
@@ -74,12 +74,6 @@ sysnet_read_config(dante_t)
 userdom_dontaudit_use_unpriv_user_fds(dante_t)
 userdom_dontaudit_search_sysadm_home_dirs(dante_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(dante_t)
-       term_dontaudit_use_generic_ptys(dante_t)
-       files_dontaudit_read_root_files(dante_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(dante_t)
 ')
index 5587696d41ceab153ab716cdfc170d922068829c..9d0cfe37817428ad5a93775a0ebb56fb96d11756 100644 (file)
@@ -13,6 +13,7 @@
 interface(`dbus_stub',`
        gen_require(`
                type system_dbusd_t;
+               class dbus all_dbus_perms;
        ')
 ')
 
index c2cb1c0b8e84ad010b6b8edd6ea5511f444beff9..12f7737537fbec75b01d1b74b7dbe8946f2e82bc 100644 (file)
@@ -2,7 +2,7 @@
 policy_module(dbus,1.7.0)
 
 gen_require(`
-       class dbus { send_msg acquire_svc };
+       class dbus all_dbus_perms;
 ')
 
 ##############################
@@ -108,12 +108,6 @@ seutil_sigchld_newrole(system_dbusd_t)
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_sysadm_home_dirs(system_dbusd_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(system_dbusd_t)
-       term_dontaudit_use_generic_ptys(system_dbusd_t)
-       files_dontaudit_read_root_files(system_dbusd_t)
-')
-
 tunable_policy(`read_default_t',`
        files_list_default(system_dbusd_t)
        files_read_default_files(system_dbusd_t)
index 450bb5304ad5b5a2ea5eed88febb92ba31aef1dd..d966d1369e8e66353162882a1b0b0794764e55c9 100644 (file)
@@ -275,12 +275,6 @@ sysnet_dns_name_resolve(dccd_t)
 userdom_dontaudit_use_unpriv_user_fds(dccd_t)
 userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(dccd_t)
-       term_dontaudit_use_generic_ptys(dccd_t)
-       files_dontaudit_read_root_files(dccd_t)
-')
-
 optional_policy(`
        nscd_socket_use(dccd_t)
 ')
@@ -354,12 +348,6 @@ sysnet_dns_name_resolve(dccifd_t)
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
 userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(dccifd_t)
-       term_dontaudit_use_generic_ptys(dccifd_t)
-       files_dontaudit_read_root_files(dccifd_t)
-')
-
 optional_policy(`
        nscd_socket_use(dccifd_t)
 ')
@@ -432,12 +420,6 @@ sysnet_dns_name_resolve(dccm_t)
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
 userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(dccm_t)
-       term_dontaudit_use_generic_ptys(dccm_t)
-       files_dontaudit_read_root_files(dccm_t)
-')
-
 optional_policy(`
        nscd_socket_use(dccm_t)
 ')
index 4c0420b6d77f96fa5f381625b6fb98828186de9c..89aa5ad779645ba34d000b1be9e13311711608a6 100644 (file)
@@ -100,12 +100,6 @@ sysnet_read_config(ddclient_t)
 userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
 userdom_dontaudit_search_sysadm_home_dirs(ddclient_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(ddclient_t)
-       term_dontaudit_use_generic_ptys(ddclient_t)
-       files_dontaudit_read_root_files(ddclient_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(ddclient_t)
 ')
index 257cda745575f346dcd694b55bb98cca6cf4f4a1..c4cd9964c96cba84ad6c086c879e3efbc720d17c 100644 (file)
@@ -105,12 +105,6 @@ ifdef(`distro_gentoo',`
        allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
 ')
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(dhcpd_t)
-       term_dontaudit_use_generic_ptys(dhcpd_t)
-       files_dontaudit_read_root_files(dhcpd_t)
-')
-
 optional_policy(`
        # used for dynamic DNS
        bind_read_dnssec_keys(dhcpd_t)
index f78306a1f309f4940c14e87b735f63f8d97d212e..2bd1d91c8292f1b40d314a8e1a7657e20aaec4ec 100644 (file)
@@ -76,12 +76,6 @@ sysnet_read_config(dictd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(dictd_t)
-       term_dontaudit_use_generic_ptys(dictd_t)
-       files_dontaudit_read_root_files(dictd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(dictd_t)
 ')
index 49b4b687d53339319e3042d9a6d9abfd9e97a2b6..844c8393373a4f7ad10043b98591a5071d9fc809 100644 (file)
@@ -83,12 +83,6 @@ sysnet_read_config(distccd_t)
 userdom_dontaudit_use_unpriv_user_fds(distccd_t)
 userdom_dontaudit_search_sysadm_home_dirs(distccd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(distccd_t)
-       term_dontaudit_use_generic_ptys(distccd_t)
-       files_dontaudit_read_root_files(distccd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(distccd_t)
 ')
index e4a2c8b8aeee017df46e954a995abc2991f59691..42b6bf419462f17bbb32eafd5bf800bbb8a7689c 100644 (file)
@@ -83,12 +83,6 @@ sysnet_read_config(dnsmasq_t)
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(dnsmasq_t)
-       term_dontaudit_use_generic_ptys(dnsmasq_t)
-       files_dontaudit_read_root_files(dnsmasq_t)
-')
-
 optional_policy(`
        nis_use_ypbind(dnsmasq_t)
 ')
index 81b3f6d8e20f30c1080d4c2f0a95c991b9144c9c..a0af2deba892639eaec2c3cc4e3b4f1c5ae8ba5b 100644 (file)
@@ -120,12 +120,6 @@ userdom_priveleged_home_dir_manager(dovecot_t)
 
 mta_manage_spool(dovecot_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(dovecot_t)
-       term_dontaudit_use_generic_ptys(dovecot_t)
-       files_dontaudit_read_root_files(dovecot_t)
-')
-
 optional_policy(`
        kerberos_use(dovecot_t)
 ')
index 360a251c9d1e46018e98f8c40d7b77e221d321d9..c0d48ce5313be5afea2250d5134bd5d8d3bac9ac 100644 (file)
@@ -55,11 +55,6 @@ logging_read_generic_logs(fail2ban_t)
 
 miscfiles_read_localization(fail2ban_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(fail2ban_t)
-       term_dontaudit_use_generic_ptys(fail2ban_t)
-')
-
 optional_policy(`
        apache_read_log(fail2ban_t)
 ')
index f1bbac5d1467b51760316c3d9dbb6119b1a3a7bd..23ab327801e35c7d6daa70e246dca968b98789f9 100644 (file)
@@ -85,12 +85,6 @@ sysnet_read_config(fetchmail_t)
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
 userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(fetchmail_t)
-       term_dontaudit_use_generic_ptys(fetchmail_t)
-       files_dontaudit_read_root_files(fetchmail_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(fetchmail_t)
 ')
index cb62ac1f786909ada7eefe6f70245ecf7653a252..c2b0997d531cbf5e7d8cf94679412dc7fab7d65b 100644 (file)
@@ -98,12 +98,6 @@ userdom_dontaudit_search_sysadm_home_dirs(fingerd_t)
 # have to change this when we create a type for Maildir
 userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(fingerd_t)
-       term_dontaudit_use_generic_ptys(fingerd_t)
-       files_dontaudit_read_root_files(fingerd_t)
-')
-
 optional_policy(`
        cron_system_entry(fingerd_t, fingerd_exec_t)
 ')
index e3bbfb5d4b8e3c822d2caaef33c81487e22f74b7..f24bd2671f74e1e24d5290ccb23c1216f3921b1d 100644 (file)
@@ -124,3 +124,34 @@ interface(`ftp_domtrans_ftpdctl',`
        corecmd_search_bin($1)
        domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t)
 ')
+
+########################################
+## <summary>
+##     Execute the ftpdctl program in the ftpdctl domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to allow the ftpdctl domain.
+##     </summary>
+## </param>
+## <param name="terminal">
+##     <summary>
+##     The type of the terminal allow the ftpdctl domain to use.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ftp_run_ftpdctl',`
+       gen_require(`
+               type ftpdctl_t;
+       ')
+
+       ftp_domtrans_ftpdctl($1)
+       role $2 types ftpdctl_t;
+       allow ftpdctl_t $3:chr_file rw_term_perms;
+')
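Review bot: The `<summary>` of the new `ftp_run_ftpdctl` interface only says "Execute the ftpdctl program in the ftpdctl domain", which is what `ftp_domtrans_ftpdctl` already does, while this interface additionally grants the role (`role $2 types ftpdctl_t;`) and terminal access (`allow ftpdctl_t $3:chr_file rw_term_perms;`); suggest `## Execute the ftpdctl program in the ftpdctl domain, and allow the specified role the ftpdctl domain and the specified terminal.` The terminal parameter's description is also missing a word: `## The type of the terminal to allow the ftpdctl domain to use.`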
index 450074a8d08bbe7896bf649038d56ab4b9c39224..ee383b31ac6db1448b8495409d15ea5b3f86f6c2 100644 (file)
@@ -181,13 +181,6 @@ sysnet_use_ldap(ftpd_t)
 userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 
-ifdef(`targeted_policy',`
-       files_dontaudit_read_root_files(ftpd_t)
-
-       term_dontaudit_use_generic_ptys(ftpd_t)
-       term_dontaudit_use_unallocated_ttys(ftpd_t)
-')
-
 tunable_policy(`allow_ftpd_anon_write',`
        miscfiles_manage_public_files(ftpd_t)
 ')
@@ -224,10 +217,6 @@ tunable_policy(`ftp_home_dir',`
        userdom_manage_all_users_home_content_dirs(ftpd_t)
        userdom_manage_all_users_home_content_files(ftpd_t)
        userdom_manage_all_users_home_content_symlinks(ftpd_t)
-
-       ifdef(`targeted_policy',`
-               userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
-       ')
 ')
 
 tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -300,7 +289,3 @@ files_read_etc_files(ftpdctl_t)
 
 libs_use_ld_so(ftpdctl_t)
 libs_use_shared_libs(ftpdctl_t)
-
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(ftpdctl_t)
-')
index fdee3a1827d9c9b109ad68b500f6743feb533eb3..0c12d3c8d2fc3526eb595e9b587107e06b334b60 100644 (file)
@@ -90,12 +90,6 @@ sysnet_read_config(gatekeeper_t)
 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
 userdom_dontaudit_search_sysadm_home_dirs(gatekeeper_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(gatekeeper_t)
-       term_dontaudit_use_generic_ptys(gatekeeper_t)
-       files_dontaudit_read_root_files(gatekeeper_t)
-')
-
 optional_policy(`
        nis_use_ypbind(gatekeeper_t)
 ')
index 977de38d8cb692827c82e348f93a471d78982596..3299d0dfa521b27b756c9311cc609921f557a02d 100644 (file)
@@ -71,12 +71,6 @@ miscfiles_read_localization(gpm_t)
 userdom_dontaudit_use_unpriv_user_fds(gpm_t)
 userdom_dontaudit_search_sysadm_home_dirs(gpm_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(gpm_t)
-       term_dontaudit_use_generic_ptys(gpm_t)
-       files_dontaudit_read_root_files(gpm_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(gpm_t)
 ')
index f368e3ba4f589ff61c2a3453c1b08a2296a9e719..e250c0776f9228ad2b52a9bb9e31096020f5cc72 100644 (file)
@@ -195,11 +195,6 @@ sysnet_read_config(hald_t)
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(hald_t)
-       files_dontaudit_read_root_files(hald_t)
-')
-
 optional_policy(`
        alsa_domtrans(hald_t)
        alsa_read_rw_config(hald_t)
@@ -332,11 +327,6 @@ libs_use_shared_libs(hald_acl_t)
 
 miscfiles_read_localization(hald_acl_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_console(hald_acl_t)
-       term_dontaudit_use_generic_ptys(hald_acl_t)
-')
-
 ########################################
 #
 # Local hald mac policy
@@ -359,11 +349,6 @@ libs_use_shared_libs(hald_mac_t)
 
 miscfiles_read_localization(hald_mac_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_console(hald_mac_t)
-       term_dontaudit_use_generic_ptys(hald_mac_t)
-')
-
 ########################################
 #
 # Local hald sonypic policy
@@ -387,11 +372,6 @@ libs_use_shared_libs(hald_sonypic_t)
 
 miscfiles_read_localization(hald_sonypic_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_console(hald_sonypic_t)
-       term_dontaudit_use_generic_ptys(hald_sonypic_t)
-')
-
 ########################################
 #
 # Hal keymap local policy
index 7e2180b2ee4f74a431337c1ea570c3dd8f6e7021..801d07dd986b1779718c66671f5bd36574eacfd6 100644 (file)
@@ -71,12 +71,6 @@ sysnet_read_config(howl_t)
 userdom_dontaudit_use_unpriv_user_fds(howl_t)
 userdom_dontaudit_search_sysadm_home_dirs(howl_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(howl_t)
-       term_dontaudit_use_generic_ptys(howl_t)
-       files_dontaudit_read_root_files(howl_t)
-')
-
 optional_policy(`
        nis_use_ypbind(howl_t)
 ')
index afa14416813a1ba24557c45b16e02d0813d6dfb7..480798f08bd4d36967c43f6673a5bc6b24a4056d 100644 (file)
@@ -80,12 +80,6 @@ userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
 userdom_dontaudit_search_sysadm_home_dirs(i18n_input_t)
 userdom_read_unpriv_users_home_content_files(i18n_input_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(i18n_input_t)
-       term_dontaudit_use_generic_ptys(i18n_input_t)
-       files_dontaudit_read_root_files(i18n_input_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
        fs_read_nfs_files(i18n_input_t)
        fs_read_nfs_symlinks(i18n_input_t)
index a998007b2b781464c12141cb16259a2ee075c623..92200c7ed84620afd5b08d757e165d656299f8f4 100644 (file)
@@ -90,12 +90,6 @@ sysnet_read_config(imazesrv_t)
 userdom_use_unpriv_users_fds(imazesrv_t)
 userdom_dontaudit_search_sysadm_home_dirs(imazesrv_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(imazesrv_t)
-       term_dontaudit_use_generic_ptys(imazesrv_t)
-       files_dontaudit_read_root_files(imazesrv_t)
-')
-
 optional_policy(`
        nis_use_ypbind(imazesrv_t)
 ')
index 72ba24929e92ba1f6d01e7f62d4691b2ce602b64..f952d22f30c48bf9d853190c35798c850328f702 100644 (file)
@@ -151,13 +151,6 @@ ifdef(`enable_mls',`
        corenet_tcp_recvfrom_netlabel(inetd_t)
        corenet_udp_recvfrom_netlabel(inetd_t)
 ')
-
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(inetd_t)
-       term_dontaudit_use_generic_ptys(inetd_t)
-       files_dontaudit_read_root_files(inetd_t)
-')
-
 optional_policy(`
        amanda_search_lib(inetd_t)
 ')
@@ -170,12 +163,8 @@ optional_policy(`
        udev_read_db(inetd_t)
 ')
 
-ifdef(`targeted_policy',`
-       unconfined_domain(inetd_t)
-',`
-       optional_policy(`
-               unconfined_domtrans(inetd_t)
-       ')
+optional_policy(`
+       unconfined_domtrans(inetd_t)
 ')
 
 ########################################
@@ -230,11 +219,10 @@ miscfiles_read_localization(inetd_child_t)
 
 sysnet_read_config(inetd_child_t)
 
-ifdef(`targeted_policy',`
-       unconfined_domain(inetd_child_t)
-')
-
 optional_policy(`
        kerberos_use(inetd_child_t)
 ')
 
+optional_policy(`
+       unconfined_domain(inetd_child_t)
+')
index 125b9cb6b9b0ff0038dd9bd523b2a9fed290e6c8..302cb65109902c1b1ff0a137ee613e0492e82358 100644 (file)
@@ -109,12 +109,6 @@ userdom_dontaudit_search_sysadm_home_dirs(innd_t)
 
 mta_send_mail(innd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(innd_t)
-       term_dontaudit_use_generic_ptys(innd_t)
-       files_dontaudit_read_root_files(innd_t)
-')
-
 optional_policy(`
        cron_system_entry(innd_t, innd_exec_t)
 ')
index 85516749c0970d8911e26b342f6a63ec94d30593..da7b45755bd8b0b42f2224298f7b3365feedec3a 100644 (file)
@@ -84,12 +84,6 @@ sysnet_read_config(ircd_t)
 userdom_dontaudit_use_unpriv_user_fds(ircd_t)
 userdom_dontaudit_search_sysadm_home_dirs(ircd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(ircd_t)
-       term_dontaudit_use_generic_ptys(ircd_t)
-       files_dontaudit_read_root_files(ircd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(ircd_t)
 ')
index bfac2d5455a5a331dbc5d2588e24718be81a0dc3..55231423dfe9201dd293b77c8c140374327fa072 100644 (file)
@@ -52,12 +52,6 @@ miscfiles_read_localization(irqbalance_t)
 userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
 userdom_dontaudit_search_sysadm_home_dirs(irqbalance_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(irqbalance_t)
-       term_dontaudit_use_generic_ptys(irqbalance_t)
-       files_dontaudit_read_root_files(irqbalance_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(irqbalance_t)
 ')
index 12ae9458d034896a1506e71804dc75610f32e8b9..8ac8c3c69d937ded38a5ca8b3713264dfb098855 100644 (file)
@@ -82,12 +82,6 @@ sysnet_read_config(jabberd_t)
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 userdom_dontaudit_search_sysadm_home_dirs(jabberd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(jabberd_t)
-       term_dontaudit_use_generic_ptys(jabberd_t)
-       files_dontaudit_read_root_files(jabberd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(jabberd_t)
 ')
index ae02e95beaaa9da35d0421e61dbe08507c3ef042..a67c3029afb82678d92697c49f92a0f67ea9f157 100644 (file)
@@ -131,12 +131,6 @@ sysnet_read_config(kadmind_t)
 userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
 userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(kadmind_t)
-       term_dontaudit_use_generic_ptys(kadmind_t)
-       files_dontaudit_read_root_files(kadmind_t)
-')
-
 optional_policy(`
        nis_use_ypbind(kadmind_t)
 ')
@@ -233,12 +227,6 @@ sysnet_read_config(krb5kdc_t)
 userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
 userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(krb5kdc_t)
-       term_dontaudit_use_generic_ptys(krb5kdc_t)
-       files_dontaudit_read_root_files(krb5kdc_t)
-')
-
 optional_policy(`
        nis_use_ypbind(krb5kdc_t)
 ')
index 6785893a363b709c0301c7e245ca5aa25cb14ba8..438450496426bcf507b617ef6005ab45d3758cf4 100644 (file)
@@ -78,11 +78,6 @@ miscfiles_read_localization(ktalkd_t)
 
 sysnet_read_config(ktalkd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(ktalkd_t)
-       term_dontaudit_use_unallocated_ttys(ktalkd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(ktalkd_t)
 ')
index 0b947fdb814305b6554fd023ce1ff9a30dd07a72..71d4a5c27e43fbd328b55adff9ef2f4b92107757 100644 (file)
@@ -117,21 +117,6 @@ sysnet_read_config(slapd_t)
 userdom_dontaudit_use_unpriv_user_fds(slapd_t)
 userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
 
-ifdef(`targeted_policy',`
-       #reh slapcat will want to talk to the terminal
-       term_use_generic_ptys(slapd_t)
-       term_use_unallocated_ttys(slapd_t)
-
-       userdom_search_generic_user_home_dirs(slapd_t)
-       #need to be able to read ldif files created by root
-       # cjp: fix to not use templated interface:
-       userdom_read_user_home_content_files(user,slapd_t)
-
-       term_dontaudit_use_unallocated_ttys(slapd_t)
-       term_dontaudit_use_generic_ptys(slapd_t)
-       files_dontaudit_read_root_files(slapd_t)
-')
-
 optional_policy(`
        kerberos_use(slapd_t)
 ')
index 52c628a42bf4f8dc286c1005e5bb0b84c95127b9..d69c48b91d46c4f602ac161a98c9e26a63ab00b3 100644 (file)
@@ -103,11 +103,6 @@ libs_use_shared_libs(checkpc_t)
 
 sysnet_read_config(checkpc_t)
 
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(checkpc_t)
-       term_use_unallocated_ttys(checkpc_t)
-')
-
 optional_policy(`
        cron_system_entry(checkpc_t,checkpc_exec_t)
 ')
@@ -207,12 +202,6 @@ sysnet_read_config(lpd_t)
 userdom_dontaudit_use_unpriv_user_fds(lpd_t)
 userdom_dontaudit_search_sysadm_home_dirs(lpd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(lpd_t)
-       term_dontaudit_use_generic_ptys(lpd_t)
-       files_dontaudit_read_root_files(lpd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(lpd_t)
 ')
index a8b621c5bef99481cb0cd5f622d351139bf5d96d..1b321d0227c78e53385f35b1b625b5c1ec911acd 100644 (file)
@@ -76,12 +76,6 @@ sysnet_read_config(monopd_t)
 userdom_dontaudit_use_unpriv_user_fds(monopd_t)
 userdom_dontaudit_search_sysadm_home_dirs(monopd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(monopd_t)
-       term_dontaudit_use_generic_ptys(monopd_t)
-       files_dontaudit_read_root_files(monopd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(monopd_t)
 ')
index 905dbbc21aea707684d4a13b3de05136d67430dc..b701897dd09f955b7b0a38a1f5b41cf93a402a9a 100644 (file)
@@ -263,10 +263,8 @@ template(`mta_admin_template',`
                type $1_mail_t;
        ')
 
-       ifdef(`strict_policy',`
-               # allow the sysadmin to do "mail someone < /home/user/whatever"
-               userdom_read_unpriv_users_home_content_files($1_mail_t)
-       ')
+       # allow the sysadmin to do "mail someone < /home/user/whatever"
+       userdom_read_unpriv_users_home_content_files($1_mail_t)
 
        optional_policy(`
                gen_require(`
index f4589fca74d5da8bfb3be3f3b804c90c97cf4d76..7d587f57d5fd11b380590242aab8d682ca09883e 100644 (file)
@@ -31,14 +31,6 @@ application_executable_file(sendmail_exec_t)
 mta_base_mail_template(system)
 role system_r types system_mail_t;
 
-# cjp: need to resolve this, but require{}
-# does not work in the else part of the optional
-#ifdef(`strict_policy',`
-#      optional_policy(`',`
-#              init_system_domain(system_mail_t,sendmail_exec_t)
-#      ')
-#')
-
 ########################################
 #
 # System mail local policy
@@ -60,34 +52,6 @@ init_use_script_ptys(system_mail_t)
 userdom_use_sysadm_terms(system_mail_t)
 userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
 
-ifdef(`targeted_policy',`
-       typealias system_mail_t alias sysadm_mail_t;
-
-       manage_dirs_pattern(system_mail_t,mail_spool_t,mail_spool_t)
-       manage_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
-       manage_lnk_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
-       manage_fifo_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
-
-       # for reading .forward - maybe we need a new type for it?
-       # also for delivering mail to maildir
-       userdom_manage_generic_user_home_content_dirs(mailserver_delivery)
-       userdom_manage_generic_user_home_content_files(mailserver_delivery)
-       userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
-       userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
-       userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
-       userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
-
-# cjp: another require-in-else to resolve
-#      optional_policy(`',`
-               corecmd_exec_all_executables(system_mail_t)
-
-               files_exec_etc_files(system_mail_t)
-
-               libs_exec_ld_so(system_mail_t)
-               libs_exec_lib_files(system_mail_t)
-#      ')
-')
-
 optional_policy(`
        apache_read_squirrelmail_data(system_mail_t)
        apache_append_squirrelmail_data(system_mail_t)
@@ -181,9 +145,11 @@ optional_policy(`
        # why is mail delivered to a directory of type arpwatch_data_t?
        arpwatch_search_data(mailserver_delivery)
        arpwatch_manage_tmp_files(mta_user_agent)
+
        ifdef(`hide_broken_symptoms', `
                arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
        ')
+
        optional_policy(`
                cron_read_system_job_tmp_files(mta_user_agent)
        ')
index 19037dd16e10a4ac5f7b8cadb053ff398a7964f0..a9d33cab4f661c4a11c6d65284bd1a2c10733d7d 100644 (file)
@@ -98,12 +98,6 @@ sysnet_read_config(munin_t)
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
 userdom_dontaudit_search_sysadm_home_dirs(munin_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(munin_t)
-       term_dontaudit_use_generic_ptys(munin_t)
-       files_dontaudit_read_root_files(munin_t)
-')
-
 optional_policy(`
        # for accessing the output directory
        apache_search_sys_content(munin_t)
index acb6bd41cf61ef58b745000e7976dba7e1b4d6b3..fe73b60f66e86e16574fd0e0ebb745756b9a6479 100644 (file)
@@ -108,12 +108,6 @@ ifdef(`distro_redhat',`
        type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
 ')
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(mysqld_t)
-       term_dontaudit_use_generic_ptys(mysqld_t)
-       files_dontaudit_read_root_files(mysqld_t)
-')
-
 optional_policy(`
        daemontools_service_domain(mysqld_t, mysqld_exec_t)
 ')
index 38ef62a915b5e06c47b09634f3a331bfbdfeb006..2b1fb2eb08bce5235be1c130693f6e67a28c1e26 100644 (file)
@@ -105,12 +105,6 @@ userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
 
 mta_send_mail(nagios_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(nagios_t)
-       term_dontaudit_use_generic_ptys(nagios_t)
-       files_dontaudit_read_root_files(nagios_t)
-')
-
 optional_policy(`
        auth_use_nsswitch(nagios_t)
 ')
@@ -211,12 +205,6 @@ miscfiles_read_localization(nrpe_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
 
-ifdef(`targeted_policy',`
-        term_dontaudit_use_unallocated_ttys(nrpe_t)
-        term_dontaudit_use_generic_ptys(nrpe_t)
-        files_dontaudit_read_root_files(nrpe_t)
-')
-
 optional_policy(`
        inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
 ')
index 7f96fefb08eec9798463ef9b3b5f66b2380326bb..027d713e95410c3192a4a2addceadc43c28b1a29 100644 (file)
@@ -96,12 +96,6 @@ sysnet_read_config(nessusd_t)
 userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
 userdom_dontaudit_search_sysadm_home_dirs(nessusd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(nessusd_t)
-       term_dontaudit_use_generic_ptys(nessusd_t)
-       files_dontaudit_read_root_files(nessusd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(nessusd_t)
 ')
index b403519110afe7c610a4990fa0161f2591976284..03d6c32604395a63d239f9f4b48d4b9142325368 100644 (file)
@@ -111,18 +111,8 @@ sysnet_etc_filetrans_config(NetworkManager_t)
 userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
 userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
 userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
-
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(NetworkManager_t)
-       term_dontaudit_use_generic_ptys(NetworkManager_t)
-       files_dontaudit_read_root_files(NetworkManager_t)
-       # Read gnome-keyring
-       userdom_read_generic_user_home_content_files(NetworkManager_t)
-
-       optional_policy(`
-               unconfined_rw_pipes(NetworkManager_t)
-       ')
-')
+# Read gnome-keyring
+userdom_read_unpriv_users_home_content_files(NetworkManager_t)
 
 optional_policy(`
        bind_domtrans(NetworkManager_t)
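Review bot: `userdom_read_unpriv_users_home_content_files(NetworkManager_t)` is now unconditional, so a network-facing daemon reads every unprivileged user's home content on every build, where before only the targeted policy granted it and then only the narrower generic-user-home variant. The gnome-keyring case is a desktop need; a boolean along the lines of `openvpn_enable_homedirs` elsewhere in this commit would let server deployments keep it off, e.g. `tunable_policy(`networkmanager_read_homedirs',` / `userdom_read_unpriv_users_home_content_files(NetworkManager_t)` / `')` with a matching gen_tunable at the top of the module. The old block's `unconfined_rw_pipes(NetworkManager_t)` is dropped without replacement; if NetworkManager is ever started from an unconfined shell that will presumably now show up as denials on inherited pipes, as with the identical drop in the ntpd hunk of this commit.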
@@ -182,6 +172,11 @@ optional_policy(`
        udev_read_db(NetworkManager_t)
 ')
 
+optional_policy(`
+       # Read gnome-keyring
+       unconfined_read_home_content_files(NetworkManager_t)
+')
+
 optional_policy(`
        vpn_domtrans(NetworkManager_t)
        vpn_signal(NetworkManager_t)
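Review bot: The new block's `# Read gnome-keyring` comment repeats the one on the unconditional userdom rule earlier in the file, so a reader cannot tell why the same need appears twice. Say what distinguishes this one: `# Read gnome-keyring in unconfined users' home dirs; confined users are covered by userdom_read_unpriv_users_home_content_files above`.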
index 4337d1a415ae59f782d13b69a4908b05b586318a..9e545ccd3837f74d0071f071410dfe01e83ef8be 100644 (file)
@@ -113,12 +113,6 @@ sysnet_read_config(ypbind_t)
 userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(ypbind_t)
-       term_dontaudit_use_generic_ptys(ypbind_t)
-       files_dontaudit_read_root_files(ypbind_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(ypbind_t)
 ')
@@ -200,12 +194,6 @@ sysnet_read_config(yppasswdd_t)
 userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
 userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
 
-ifdef(`targeted_policy',`
-        term_dontaudit_use_unallocated_ttys(yppasswdd_t)
-        term_dontaudit_use_generic_ptys(yppasswdd_t)
-        files_dontaudit_read_root_files(yppasswdd_t)
-')
-
 optional_policy(`
        hostname_exec(yppasswdd_t)
 ')
@@ -289,12 +277,6 @@ sysnet_read_config(ypserv_t)
 userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
 userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(ypserv_t)
-       term_dontaudit_use_generic_ptys(ypserv_t)
-       files_dontaudit_read_root_files(ypserv_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(ypserv_t)
 ')
@@ -350,8 +332,3 @@ logging_send_syslog_msg(ypxfr_t)
 miscfiles_read_localization(ypxfr_t)
 
 sysnet_read_config(ypxfr_t)
-
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(ypxfr_t)
-       term_dontaudit_use_generic_ptys(ypxfr_t)
-')
index b8f70d3145f5a096ed0e5ecdf2285dd4436d0a24..3cd96ed0c3288cfe29a2b2f804b2be3cfb3bcde8 100644 (file)
@@ -106,12 +106,6 @@ sysnet_read_config(nscd_t)
 userdom_dontaudit_use_unpriv_user_fds(nscd_t)
 userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
 
-ifdef(`targeted_policy',`
-       term_use_unallocated_ttys(nscd_t)
-       term_use_generic_ptys(nscd_t)
-       files_dontaudit_read_root_files(nscd_t)
-')
-
 optional_policy(`
        udev_read_db(nscd_t)
 ')
index 5debc1997f8d8749d64f27b9fdd5e8f70f85abd5..17c540a7a281a2078c505e53b43348e818d4df20 100644 (file)
@@ -98,12 +98,6 @@ sysnet_read_config(nsd_t)
 userdom_dontaudit_use_unpriv_user_fds(nsd_t)
 userdom_dontaudit_search_sysadm_home_dirs(nsd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(nsd_t)
-       term_dontaudit_use_generic_ptys(nsd_t)
-       files_dontaudit_read_root_files(nsd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(nsd_t)
 ')
index 9fe22ab793dcb2258b96c1925af055135d724c81..1d50ebff22ee62d0de3dfe9bdc63ace3a0a56077 100644 (file)
@@ -94,12 +94,6 @@ sysnet_read_config(ntop_t)
 userdom_dontaudit_use_unpriv_user_fds(ntop_t)
 userdom_dontaudit_search_sysadm_home_dirs(ntop_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(ntop_t)
-       term_dontaudit_use_generic_ptys(ntop_t)
-       files_dontaudit_read_root_files(ntop_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(ntop_t)
 ')
index 0847b2e4e922a0bed162efdb649d5a623e89ebae..cb1690ad22bdefa74571c33bdb52cb9f2c0fd97c 100644 (file)
@@ -111,18 +111,6 @@ userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_sysadm_home_dirs(ntpd_t)
 userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(ntpd_t)
-       term_dontaudit_use_generic_ptys(ntpd_t)
-       files_dontaudit_read_root_files(ntpd_t)
-
-       optional_policy(`
-               # The Gnome date GUI code is requesting that 
-               # the ntp code change the date of the machine.
-               unconfined_rw_pipes(ntpd_t)
-       ')
-')
-
 optional_policy(`
        # for cron jobs
        cron_system_entry(ntpd_t,ntpdate_exec_t)
index 7a3c9f54cc802142d6cfe9bdc918576a36096e31..96bb8a979999c5346be164ff07d9ed34e4c13e64 100644 (file)
@@ -144,12 +144,6 @@ sysnet_read_config(scannerdaemon_t)
 userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
 userdom_dontaudit_search_sysadm_home_dirs(scannerdaemon_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(scannerdaemon_t)
-       term_dontaudit_use_generic_ptys(scannerdaemon_t)
-       files_dontaudit_read_root_files(scannerdaemon_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(scannerdaemon_t)
 ')
index c2d7c5f49e760d7500fd6765ef0e7dca9237f9aa..c4049a078d660a74f8bbf0c56ecebcb403bef10f 100644 (file)
@@ -54,11 +54,6 @@ miscfiles_read_localization(oddjob_t)
 
 locallogin_dontaudit_use_fds(oddjob_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(oddjob_t)
-       term_dontaudit_use_unallocated_ttys(oddjob_t)
-')
-
 optional_policy(`
        dbus_system_bus_client_template(oddjob,oddjob_t)
        dbus_send_system_bus(oddjob_t)
index 2e3e6028fc907bb88b5312b581128a55105f921b..687ab2cfa02994ef31c3954a9ab69fab3024b3ee 100644 (file)
@@ -54,12 +54,6 @@ userdom_dontaudit_search_sysadm_home_dirs(openct_t)
 
 openct_exec(openct_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(openct_t)
-       term_dontaudit_use_generic_ptys(openct_t)
-       files_dontaudit_read_root_files(openct_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(openct_t)
 ')
index 55900a240dc81c053f7cc9b033e1404d8c029ba2..70092cb24ac7c1300856ab39a674db84adb5c5ce 100644 (file)
@@ -96,11 +96,6 @@ miscfiles_read_certs(openvpn_t)
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
 
-ifdef(`targeted_policy',`
-       # Need to interact with terminals if config option "auth-user-pass" is used
-       term_use_generic_ptys(openvpn_t)
-')
-
 tunable_policy(`openvpn_enable_homedirs',`
        userdom_read_unpriv_users_home_content_files(openvpn_t)
 ')
index ee1be00296c2f49df5b2814adfd2bf6777f182a8..7e08dde44968eed206b953e9790697d259fc7985 100644 (file)
@@ -58,11 +58,6 @@ miscfiles_read_localization(pcscd_t)
 
 sysnet_dns_name_resolve(pcscd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(pcscd_t)
-       term_dontaudit_use_unallocated_ttys(pcscd_t)
-')
-
 optional_policy(`
        openct_stream_connect(pcscd_t)
        openct_read_pid_files(pcscd_t)
index a0ae68ded00e4fc3bab8a4de9e14902cdd4cf22f..ea9e2560aefa57359fb41fc60a18d2d0950b110c 100644 (file)
@@ -121,13 +121,6 @@ sysnet_read_config(pegasus_t)
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
 userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(pegasus_t)
-       term_dontaudit_use_generic_ptys(pegasus_t)
-       files_dontaudit_read_root_files(pegasus_t)
-       unconfined_signull(pegasus_t)
-')
-
 optional_policy(`
        logging_send_syslog_msg(pegasus_t)
 ')
@@ -144,3 +137,7 @@ optional_policy(`
 optional_policy(`
        udev_read_db(pegasus_t)
 ')
+
+optional_policy(`
+       unconfined_signull(pegasus_t)
+')
index 9634866922f3778ca58cb03dca9eba38127b2397..a817d467f16e9dcdd4c814655db991eae686f6aa 100644 (file)
@@ -70,12 +70,6 @@ sysnet_read_config(perdition_t)
 userdom_dontaudit_use_unpriv_user_fds(perdition_t)
 userdom_dontaudit_search_sysadm_home_dirs(perdition_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(perdition_t)
-       term_dontaudit_use_generic_ptys(perdition_t)
-       files_dontaudit_read_root_files(perdition_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(perdition_t)
 ')
index 89033f29df9e024dcbcb8d70b7c6204ee31ff049..27ef4945bfc4202ae8be35055a4aa4d4ac387c9e 100644 (file)
@@ -89,12 +89,6 @@ sysnet_read_config(portmap_t)
 userdom_dontaudit_use_unpriv_user_fds(portmap_t)
 userdom_dontaudit_search_sysadm_home_dirs(portmap_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(portmap_t)
-       term_dontaudit_use_generic_ptys(portmap_t)
-       files_dontaudit_read_root_files(portmap_t)
-')
-
 optional_policy(`
        nis_use_ypbind(portmap_t)
 ')
@@ -158,11 +152,6 @@ sysnet_read_config(portmap_helper_t)
 
 userdom_dontaudit_use_all_users_fds(portmap_helper_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(portmap_helper_t)
-       term_dontaudit_use_generic_ptys(portmap_helper_t)
-')
-
 optional_policy(`
        nis_use_ypbind(portmap_helper_t)
 ')
index 3cac76af9b9bd391dd38fa03ba733db8a790bdf8..9ba5db86690848a89a286449aba5b82479c20061 100644 (file)
@@ -112,12 +112,6 @@ ppp_pid_filetrans(portslave_t)
 
 ssh_exec(portslave_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(portslave_t)
-       term_dontaudit_use_generic_ptys(portslave_t)
-       files_dontaudit_read_root_files(portslave_t)
-')
-
 optional_policy(`
        inetd_tcp_service_domain(portslave_t,portslave_exec_t)
 ')
index bafbdf8d2cdf9245627bd925464fe7e8eebb7d73..7e4e5840c04e3558eedb03b73ca8ff843418ef35 100644 (file)
@@ -93,12 +93,6 @@ template(`postfix_domain_template',`
 
        userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
 
-       ifdef(`targeted_policy', `
-               term_dontaudit_use_unallocated_ttys(postfix_$1_t)
-               term_dontaudit_use_generic_ptys(postfix_$1_t)
-               files_dontaudit_read_root_files(postfix_$1_t)
-       ')
-
        optional_policy(`
                nscd_socket_use(postfix_$1_t)
        ')
index 6191453c9271daeff03775054043e037351abc2f..108c89ceac2a9546489b95852e74ddb44c7efbb5 100644 (file)
@@ -180,12 +180,6 @@ mta_read_sendmail_bin(postfix_master_t)
 optional_policy(`
        auth_use_nsswitch(postfix_master_t)
 ')
-
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(postfix_master_t)
-       term_dontaudit_use_generic_ptys(postfix_master_t)
-')
-
 optional_policy(`
        cyrus_stream_connect(postfix_master_t)
 ')
@@ -199,10 +193,6 @@ optional_policy(`
        mysql_stream_connect(postfix_master_t)
 ')
 
-optional_policy(`
-       nis_use_ypbind(postfix_master_t)
-')
-
 optional_policy(`
        sendmail_signal(postfix_master_t)
 ')
@@ -363,11 +353,6 @@ seutil_read_config(postfix_map_t)
 
 sysnet_read_config(postfix_map_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(postfix_map_t)
-       term_dontaudit_use_generic_ptys(postfix_map_t)
-')
-
 tunable_policy(`read_default_t',`
        files_list_default(postfix_map_t)
        files_read_default_files(postfix_map_t)
@@ -452,11 +437,6 @@ sysnet_dns_name_resolve(postfix_postdrop_t)
 
 mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
 
-ifdef(`targeted_policy', `
-       term_use_unallocated_ttys(postfix_postdrop_t)
-       term_use_generic_ptys(postfix_postdrop_t)
-')
-
 optional_policy(`
        cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 ')
index f1d1623764199bf6819ed4035c5ec51f102c6eb7..7c384f1623390048262378a6a418d74c6f44dd1a 100644 (file)
@@ -136,12 +136,6 @@ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
 
 mta_getattr_spool(postgresql_t)
 
-ifdef(`targeted_policy', `
-       files_dontaudit_read_root_files(postgresql_t)
-       term_dontaudit_use_generic_ptys(postgresql_t)
-       term_dontaudit_use_unallocated_ttys(postgresql_t)
-')
-
 tunable_policy(`allow_execmem',`
        allow postgresql_t self:process execmem;
 ')
@@ -174,19 +168,3 @@ optional_policy(`
 optional_policy(`
        udev_read_db(postgresql_t)
 ')
-
-ifdef(`TODO',`
-ifdef(`distro_debian', `
-       init_exec_script_files(postgresql_t)
-       # gross hack
-       postgresql_domtrans(dpkg_t)
-       can_exec(postgresql_t, dpkg_exec_t)
-')
-
-ifdef(`distro_gentoo', `
-       allow postgresql_t initrc_su_t:process { sigchld };
-       # "su - postgres ..." is called from initrc_t
-       postgresql_search_db(initrc_su_t)
-       dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
-')
-')
index df44c63ce242479cd4354675359f5f057e350050..5d2974776ba2c0acca5745fcda751eaff9205c1f 100644 (file)
@@ -80,12 +80,6 @@ sysnet_read_config(postgrey_t)
 userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
 userdom_dontaudit_search_sysadm_home_dirs(postgrey_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(postgrey_t)
-       term_dontaudit_use_generic_ptys(postgrey_t)
-       files_dontaudit_read_root_files(postgrey_t)
-')
-
 optional_policy(`
        nis_use_ypbind(postgrey_t)
 ')
index fdf23d64076fd3ddd2fdd75d3e0b2cdcf48b6f8b..4739329f487c869c7411d3fa7a969d8b7427bd71 100644 (file)
@@ -13,14 +13,12 @@ policy_module(ppp,1.5.0)
 ## </desc>
 gen_tunable(pppd_can_insmod,false)
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Allow pppd to be run for a regular user
 ## </p>
 ## </desc>
 gen_tunable(pppd_for_user,false)
-')
 
 # pppd_t is the domain for the pppd program.
 # pppd_exec_t is the type of the pppd executable.
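Review bot: `gen_tunable(pppd_for_user,false)` is now declared in every build, but the `tunable_policy(`pppd_for_user',…)` uses are outside this hunk, so it is not visible here whether their own `ifdef(`strict_policy'` wrappers were removed too. If they were not, targeted builds get a boolean that controls nothing; worth confirming the rest of ppp.te and adding a one-line comment on the tunable's scope if it only matters for the user pppd domains.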
@@ -184,12 +182,6 @@ userdom_search_unpriv_users_home_dirs(pppd_t)
 
 ppp_exec(pppd_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(pppd_t)
-       term_dontaudit_use_generic_ptys(pppd_t)
-       files_dontaudit_read_root_files(pppd_t)
-')
-
 optional_policy(`
        ddclient_domtrans(pppd_t)
 ')
@@ -295,12 +287,6 @@ sysnet_read_config(pptp_t)
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
 userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
 
-ifdef(`targeted_policy',`
-        term_dontaudit_use_unallocated_ttys(pptp_t)
-        term_dontaudit_use_generic_ptys(pptp_t)
-        files_dontaudit_read_root_files(pptp_t)
-')
-
 optional_policy(`
        consoletype_exec(pppd_t)
 ')
index c8391e74fb7915ffbe1f609f15a97d51db7530bd..92e1525f83e3fe413d4f9a1450fa369b7b130068 100644 (file)
@@ -80,12 +80,6 @@ userdom_dontaudit_search_sysadm_home_dirs(privoxy_t)
 # cjp: this should really not be needed
 userdom_use_sysadm_terms(privoxy_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(privoxy_t)
-       term_dontaudit_use_generic_ptys(privoxy_t)
-       files_dontaudit_read_root_files(privoxy_t)
-')
-
 optional_policy(`
        nis_use_ypbind(privoxy_t)
 ')
index 2e16ef3b934f851791f5725d3dfeeab765f5df2a..a0b7d910080cb1f3872cdbcbaa2e39256b7e429b 100644 (file)
@@ -58,12 +58,6 @@ miscfiles_read_localization(pxe_t)
 userdom_dontaudit_use_unpriv_user_fds(pxe_t)
 userdom_dontaudit_search_sysadm_home_dirs(pxe_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(pxe_t)
-       term_dontaudit_use_generic_ptys(pxe_t)
-       files_dontaudit_read_root_files(pxe_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(pxe_t)
 ')
index 0fbe17a7ec549d21a750b1bafc17bf8edea04e1e..c512523684c85e28784c206a7f4f3052bc46f122 100644 (file)
@@ -1,11 +1,9 @@
 /etc/pyzor(/.*)?               gen_context(system_u:object_r:pyzor_etc_t, s0)
 
+HOME_DIR/\.pyzor(/.*)?         gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+
 /usr/bin/pyzor         --      gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord                --      gen_context(system_u:object_r:pyzord_exec_t,s0)
 
 /var/lib/pyzord(/.*)?          gen_context(system_u:object_r:pyzor_var_lib_t,s0)
 /var/log/pyzord\.log   --      gen_context(system_u:object_r:pyzord_log_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.pyzor(/.*)?         gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
-')
index 63cd7ecff76560e61a56eb1f490b599ead9ff42f..4589fd16b15717fec779b251e4248945bf47d72a 100644 (file)
@@ -1,5 +1,42 @@
 ## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
 
+#######################################
+## <summary>
+##     The per role template for the pyzor module.
+## </summary>
+## <desc>
+##     <p>
+##     This template allows pyzor to manage files in
+##     a user home directory, creating files with the
+##     correct type.
+##     </p>
+##     <p>
+##     This template is invoked automatically for each user, and
+##     generally does not need to be invoked directly
+##     by policy writers.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+#
+template(`pyzor_per_role_template',`
+       gen_require(`
+               type pyzord_t;
+       ')
+
+       type $1_pyzor_home_t;
+       userdom_user_home_content($1, $1_pyzor_home_t)
+
+       manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
+       manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
+       manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
+       userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file })
+')
+
 ########################################
 ## <summary>
 ##     Send generic signals to pyzor
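Review bot: The relocated `pyzor_per_role_template` is not a pure move: the copy removed later in this file carried `userdom_search_user_home_dirs($1,pyzord_t)` between the manage_lnk_files_pattern and userdom_user_home_dir_filetrans calls, and the re-added copy drops it. If `userdom_user_home_dir_filetrans` already grants search on the user home directory this is a harmless cleanup, but that is not visible from here and the commit message does not mention it; either restore the line or note the reason in the template's `<desc>`.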
@@ -57,41 +94,3 @@ interface(`pyzor_exec',`
        corecmd_search_bin($1)
        can_exec($1,pyzor_exec_t)
 ')
-
-#######################################
-## <summary>
-##     The per role template for the pyzor module.
-## </summary>
-## <desc>
-##     <p>
-##     This template allows pyzor to manage files in
-##     a user home directory, creating files with the
-##     correct type.
-##     </p>
-##     <p>
-##     This template is invoked automatically for each user, and
-##     generally does not need to be invoked directly
-##     by policy writers.
-##     </p>
-## </desc>
-## <param name="userdomain_prefix">
-##     <summary>
-##     The prefix of the user domain (e.g., user
-##     is the prefix for user_t).
-##     </summary>
-## </param>
-#
-template(`pyzor_per_role_template',`
-       gen_require(`
-               type pyzord_t;
-       ')
-
-       type $1_pyzor_home_t;
-       userdom_user_home_content($1,$1_pyzor_home_t)
-
-       manage_dirs_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
-       manage_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
-       manage_lnk_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
-       userdom_search_user_home_dirs($1,pyzord_t)
-       userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })
-')
index 4c8692bef99a4aa30af87a8e665d0b840bcb18e2..c14302bd1351562b6838d673e1c3ced808143fb7 100644 (file)
@@ -70,10 +70,6 @@ miscfiles_read_localization(pyzor_t)
 
 userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
 
-ifdef(`targeted_policy',`
-       userdom_read_generic_user_home_content_files(pyzor_t)
-')
-
 optional_policy(`
        amavis_manage_lib_files(pyzor_t)
        amavis_manage_spool_files(pyzor_t)
@@ -137,13 +133,6 @@ userdom_dontaudit_search_staff_home_dirs(pyzord_t)
 
 mta_manage_spool(pyzord_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(pyzord_t)
-       term_dontaudit_use_unallocated_ttys(pyzord_t)
-
-       userdom_read_generic_user_home_content_files(pyzord_t)
-')
-
 optional_policy(`
        logging_send_syslog_msg(pyzord_t)
 ')
index c95dccf3aca1cb37a32e319bde7a420836cb8e8a..4563434e5de453aadf0d2ac824b98576b866a7ac 100644 (file)
@@ -107,12 +107,6 @@ userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
 userdom_dontaudit_search_sysadm_home_dirs(radiusd_t)
 userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(radiusd_t)
-       term_dontaudit_use_generic_ptys(radiusd_t)
-       files_dontaudit_read_root_files(radiusd_t)
-')
-
 optional_policy(`
        cron_system_entry(radiusd_t,radiusd_exec_t)
 ')
index 6aba1bec5cea202ef2186d1869c32ed096eb180e..d56b426664d0bf1249881f68c1d4003724e02c3d 100644 (file)
@@ -71,12 +71,6 @@ sysnet_read_config(radvd_t)
 userdom_dontaudit_use_unpriv_user_fds(radvd_t)
 userdom_dontaudit_search_sysadm_home_dirs(radvd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(radvd_t)
-       term_dontaudit_use_generic_ptys(radvd_t)
-       files_dontaudit_read_root_files(radvd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(radvd_t)
 ')
index ad74d5b2184532168587ea381b6191d5bdd5591d..d50875bf5d0ac426e206df72269d3d9be8eadfd6 100644 (file)
@@ -1,6 +1,4 @@
-ifdef(`strict_policy',`
 HOME_DIR/\.razor(/.*)?         gen_context(system_u:object_r:ROLE_razor_home_t,s0)
-')
 
 /etc/razor(/.*)?               gen_context(system_u:object_r:razor_etc_t,s0)
 
index df9d7d08f7d3f7a71b5aa13ae1d4e5d988709a6b..d9af172e6df88937a44dfd151cdc0daccd091eaa 100644 (file)
@@ -51,12 +51,6 @@ sysnet_read_config(rdisc_t)
 
 userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(rdisc_t)
-       term_dontaudit_use_generic_ptys(rdisc_t)
-       files_dontaudit_read_root_files(rdisc_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(rdisc_t)
 ')
index bd2d69528127b9c13658d448bd95a7b5988bcb47..c641ea5eabece34aec5e84114e6f8d721b0158e5 100644 (file)
@@ -95,11 +95,6 @@ userdom_spec_domtrans_unpriv_users(remote_login_t)
 # Search for mail spool file.
 mta_getattr_spool(remote_login_t)
 
-ifdef(`targeted_policy',`
-       unconfined_domain(remote_login_t)
-       unconfined_shell_domtrans(remote_login_t)
-')
-
 tunable_policy(`read_default_t',`
        files_list_default(remote_login_t)
        files_read_default_files(remote_login_t)
@@ -130,6 +125,11 @@ optional_policy(`
        nscd_socket_use(remote_login_t)
 ')
 
+optional_policy(`
+       unconfined_domain(remote_login_t)
+       unconfined_shell_domtrans(remote_login_t)
+')
+
 optional_policy(`
        usermanage_read_crack_db(remote_login_t)
 ')
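Review bot: The new `optional_policy` block at the end of this hunk makes remote_login_t an unconfined domain whenever the unconfined module is present, yet nothing in the block says which module it depends on or that module presence is now the only switch where `ifdef(`targeted_policy')` used to be. The same pattern recurs later in this diff for rshd_t, sshd_t, xdm_t, xdm_xserver_t, ricci_modcluster_t and samba_unconfined_script_t, so the new gate is easy to miss when auditing a build that used to be strict. A one-line comment at the top of each such block, e.g. `# active only when the unconfined module is loaded; drop that module to keep this domain confined`, would make the dependency explicit. The enclosing file continues outside the hunk.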
index a5932790b8cf57d20f169d0a63b620e6f514a7fe..c4d31a31f787bfba601c45de43114f908320d41a 100644 (file)
@@ -61,12 +61,6 @@ miscfiles_read_localization(resmgrd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(resmgrd_t)
-       term_dontaudit_use_generic_ptys(resmgrd_t)
-       files_dontaudit_read_root_files(resmgrd_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(resmgrd_t)
 ')
index e6bddbb62136d1b7e02bbde069f2226f3dc2dde8..773d78552b26288636196749d9075965591128c5 100644 (file)
@@ -31,6 +31,9 @@ allow rhgb_t self:tcp_socket create_socket_perms;
 allow rhgb_t self:udp_socket create_socket_perms;
 allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
 
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(rhgb_t,rhgb_devpts_t)
+
 manage_dirs_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
 manage_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
 manage_lnk_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
@@ -114,20 +117,7 @@ xserver_kill_xdm_xserver(rhgb_t)
 xserver_read_xkb_libs(rhgb_t)
 xserver_domtrans_xdm_xserver(rhgb_t)
 xserver_signal_xdm_xserver(rhgb_t)
-
-ifdef(`strict_policy',`
-       allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
-       term_create_pty(rhgb_t,rhgb_devpts_t)
-', `
-       files_dontaudit_read_root_files(rhgb_t)
-
-       term_use_generic_ptys(rhgb_t)
-       term_setattr_generic_ptys(rhgb_t)
-       term_dontaudit_use_unallocated_ttys(rhgb_t)
-
-       xserver_domtrans_xdm_xserver(rhgb_t)
-       xserver_read_xdm_tmp_files(rhgb_t)
-')
+xserver_read_xdm_tmp_files(rhgb_t)
 
 optional_policy(`
        consoletype_exec(rhgb_t)
index f467c1119f7edc78d2a79f4b0acce2c0808a12a4..0c49eda5c9efe3d1a3e1b5192c6293e0c30d5b19 100644 (file)
@@ -153,11 +153,6 @@ miscfiles_read_localization(ricci_t)
 
 sysnet_dns_name_resolve(ricci_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_generic_ptys(ricci_t)
-       term_dontaudit_use_unallocated_ttys(ricci_t)
-')
-
 optional_policy(`
        ccs_read_config(ricci_t)
 ')
@@ -255,8 +250,10 @@ optional_policy(`
        oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
 ')
 
-# XXX This has got to go.
-unconfined_domain(ricci_modcluster_t)
+optional_policy(`
+       # XXX This has got to go.
+       unconfined_domain(ricci_modcluster_t)
+')
 
 ########################################
 #
@@ -317,11 +314,6 @@ miscfiles_read_localization(ricci_modclusterd_t)
 sysnet_domtrans_ifconfig(ricci_modclusterd_t)
 sysnet_dns_name_resolve(ricci_modclusterd_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_generic_ptys(ricci_modclusterd_t)
-       term_dontaudit_use_unallocated_ttys(ricci_modclusterd_t)
-')
-
 optional_policy(`
        ccs_domtrans(ricci_modclusterd_t)
        ccs_stream_connect(ricci_modclusterd_t)
index dfb7e366069320a0ee657426d3c5fe487669a36f..c1f3a8ecaffe9e155fd17e3baa9a3ca99fa1fe2a 100644 (file)
@@ -83,12 +83,6 @@ sysnet_read_config(roundup_t)
 userdom_dontaudit_use_unpriv_user_fds(roundup_t)
 userdom_dontaudit_search_sysadm_home_dirs(roundup_t)
 
-ifdef(`targeted_policy',`
-       files_dontaudit_read_root_files(roundup_t)
-       term_dontaudit_use_unallocated_ttys(roundup_t)
-       term_dontaudit_use_generic_ptys(roundup_t)
-')
-
 optional_policy(`
        mysql_stream_connect(roundup_t)
        mysql_search_db(roundup_t)
index bbf5f41f8740127996c38f1f70b6dec94e417844..9046f6779e1dab22a6a29354bd17c4b2e733bbf6 100644 (file)
@@ -112,12 +112,6 @@ template(`rpc_domain_template', `
 
        userdom_dontaudit_use_unpriv_user_fds($1_t)
 
-       ifdef(`targeted_policy',`
-               term_dontaudit_use_unallocated_ttys($1_t)
-               term_dontaudit_use_generic_ptys($1_t)
-               files_dontaudit_read_root_files($1_t)
-       ')
-
        optional_policy(`
                nis_use_ypbind($1_t)
        ')
index 8db6b2bd05d616d2a5936c1554d47f0040672abf..667b237e97af17669f34c28c9cdac035fcb91d47 100644 (file)
@@ -158,13 +158,6 @@ files_read_usr_symlinks(gssd_t)
 
 miscfiles_read_certs(gssd_t)
 
-ifdef(`targeted_policy',`
-       files_read_generic_tmp_files(gssd_t) 
-       files_read_generic_tmp_symlinks(gssd_t) 
-       # Manage the users kerberos tgt file
-       files_manage_generic_tmp_files(gssd_t) 
-')
-
 tunable_policy(`allow_gssd_read_tmp',`
        userdom_list_unpriv_users_tmp(gssd_t) 
        userdom_read_unpriv_users_tmp_files(gssd_t) 
index c5f3df4adcae7d08693e012fb89aa62734c1b213..94834ff16c72e4d04f5614ecafbd29fd9cfc3150 100644 (file)
@@ -66,10 +66,6 @@ sysnet_read_config(rshd_t)
 
 userdom_search_all_users_home_content(rshd_t)
 
-ifdef(`targeted_policy',`
-       unconfined_shell_domtrans(rshd_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
        fs_read_nfs_files(rshd_t)
        fs_read_nfs_symlinks(rshd_t)
@@ -91,3 +87,7 @@ optional_policy(`
 optional_policy(`
        tcpd_wrapped_domain(rshd_t,rshd_exec_t)
 ')
+
+optional_policy(`
+       unconfined_shell_domtrans(rshd_t)
+')
index fd90e484d81c0ab71c43e1da21fcaa1a4a702aaa..1a7e8fff98804d15d29be87a7530f8589c68a81c 100644 (file)
@@ -59,8 +59,3 @@ libs_use_shared_libs(rwho_t)
 miscfiles_read_localization(rwho_t)
 
 sysnet_dns_name_resolve(rwho_t)
-
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(rwho_t)
-       term_dontaudit_use_generic_ptys(rwho_t)
-')
index ecda9ab09de331eb8ac27909fb16db7761af354c..51543ca852714a005d9bbf6f64083764e38e97cc 100644 (file)
@@ -112,6 +112,38 @@ interface(`samba_domtrans_smbmount',`
        domtrans_pattern($1,smbmount_exec_t,smbmount_t)
 ')
 
+########################################
+## <summary>
+##     Execute smbmount interactively and do
+##     a domain transition to the smbmount domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed acces.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the smbmount domain.
+##     </summary>
+## </param>
+## <param name="terminal">
+##     <summary>
+##     The type of the terminal allow the smbmount domain to use.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_smbmount',`
+       gen_require(`
+               type smbmount_t;
+       ')
+
+       samba_domtrans_smbmount($1)
+       role $2 types smbmount_t;
+       allow smbmount_t $3:chr_file rw_term_perms;
+')
+
 ########################################
 ## <summary>
 ##     Allow the specified domain to read
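Review bot: The `<summary>` for the `domain` parameter of the new `samba_run_smbmount` interface misspells "access" (`Domain allowed acces.`) and the `terminal` summary is ungrammatical (`The type of the terminal allow the smbmount domain to use.`); suggest `## Domain allowed access.` and `## The type of the terminal the smbmount domain is allowed to use.`. It would also help to say in the interface summary that terminal access for smbmount_t is now granted per caller through `$3`, since this diff removes the blanket `term_use_controlling_term(smbmount_t)` and `userdom_use_sysadm_ttys(smbmount_t)` rules from samba.te; that link is inferred from the removals and worth confirming.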
index be13a29125ae7aa9fb795a54a3848647398fba7c..e3fe1e4532548efe51c4046fc1011bf8fbbf65aa 100644 (file)
@@ -86,13 +86,6 @@ files_type(samba_secrets_t)
 type samba_share_t; # customizable
 files_type(samba_share_t)
 
-type samba_unconfined_script_t;
-type samba_unconfined_script_exec_t;
-domain_type(samba_unconfined_script_t)
-domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
-corecmd_shell_entry_type(samba_unconfined_script_t)
-role system_r types samba_unconfined_script_t;
-
 type samba_var_t;
 files_type(samba_var_t)
 
@@ -202,11 +195,6 @@ sysnet_use_ldap(samba_net_t)
 
 userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
 
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(samba_net_t)
-       term_use_unallocated_ttys(samba_net_t)
-')
-
 optional_policy(`
        kerberos_use(samba_net_t)
 ')
@@ -345,12 +333,6 @@ ifdef(`hide_broken_symptoms', `
        fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
 ')
 
-ifdef(`targeted_policy', `
-       files_dontaudit_read_root_files(smbd_t)
-       term_dontaudit_use_generic_ptys(smbd_t)
-       term_dontaudit_use_unallocated_ttys(smbd_t)
-')
-
 tunable_policy(`allow_smbd_anon_write',`
        miscfiles_manage_public_files(smbd_t)
 ') 
@@ -486,12 +468,6 @@ userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
 userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
 userdom_use_unpriv_users_fds(nmbd_t)
 
-ifdef(`targeted_policy', `
-       files_dontaudit_read_root_files(nmbd_t)
-       term_dontaudit_use_generic_ptys(nmbd_t)
-       term_dontaudit_use_unallocated_ttys(nmbd_t)
-')
-
 optional_policy(`
        nis_use_ypbind(nmbd_t)
 ')
@@ -557,7 +533,6 @@ storage_raw_read_fixed_disk(smbmount_t)
 storage_raw_write_fixed_disk(smbmount_t)
 
 term_list_ptys(smbmount_t)
-term_use_controlling_term(smbmount_t)
 
 corecmd_list_bin(smbmount_t)
 
@@ -581,11 +556,6 @@ logging_search_logs(smbmount_t)
 sysnet_read_config(smbmount_t)
 
 userdom_use_all_users_fds(smbmount_t)
-userdom_use_sysadm_ttys(smbmount_t)
-
-optional_policy(`
-       cups_read_rw_config(smbd_t)
-')
 
 optional_policy(`
        nis_use_ypbind(smbmount_t)
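Review bot: The removed `optional_policy` block at the end of this hunk carried `cups_read_rw_config(smbd_t)`, a rule for smbd_t that was sitting in the smbmount_t section; deleting it alongside the smbmount tty rules drops smbd's read access to the cups rw config unless it was re-added under smbd_t elsewhere (not in this hunk). If the removal is deliberate, a short comment in the smbd_t section saying the cups access is no longer needed would save the next reader a search; if not, the line should move into the smbd_t local policy rather than disappear.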
@@ -783,12 +753,6 @@ userdom_dontaudit_use_unpriv_user_fds(winbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
 userdom_priveleged_home_dir_manager(winbind_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(winbind_t)
-       term_dontaudit_use_generic_ptys(winbind_t)
-       files_dontaudit_read_root_files(winbind_t)
-')
-
 optional_policy(`
        kerberos_use(winbind_t)
 ')
@@ -833,11 +797,6 @@ logging_send_syslog_msg(winbind_helper_t)
 
 miscfiles_read_localization(winbind_helper_t) 
 
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(winbind_helper_t)
-       term_use_unallocated_ttys(winbind_helper_t)
-')
-
 optional_policy(`
        nscd_socket_use(winbind_helper_t)
 ')
@@ -852,11 +811,20 @@ optional_policy(`
 # samba_unconfined_script_t local policy
 #
 
-allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
-allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+optional_policy(`
+       type samba_unconfined_script_t;
+       type samba_unconfined_script_exec_t;
+       domain_type(samba_unconfined_script_t)
+       domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
+       corecmd_shell_entry_type(samba_unconfined_script_t)
+       role system_r types samba_unconfined_script_t;
+
+       allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+       allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 
-unconfined_domain(samba_unconfined_script_t)
+       unconfined_domain(samba_unconfined_script_t)
 
-tunable_policy(`samba_run_unconfined',`
-       domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+       tunable_policy(`samba_run_unconfined',`
+               domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+       ')
 ')
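Review bot: The type declarations for samba_unconfined_script_t and samba_unconfined_script_exec_t now live inside the `optional_policy` block, so they exist only when the block is enabled, while any file context entry that labels scripts samba_unconfined_script_exec_t (not visible here) is unconditional; please confirm the build and the .fc still resolve when the unconfined module is absent. The block also nests `tunable_policy(`samba_run_unconfined')` inside `optional_policy`, so the boolean has no effect unless that module is loaded. The section header `# samba_unconfined_script_t local policy` could state this, e.g. `# only present when the unconfined module is loaded; samba_run_unconfined does nothing otherwise`.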
index 6b2b54756ace3913caea02ceb6afda99f86980fd..dd7b0bd5c6b0d511b274483db854a6cde95481b9 100644 (file)
@@ -91,13 +91,7 @@ sysnet_read_config(saslauthd_t)
 userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
 userdom_dontaudit_search_sysadm_home_dirs(saslauthd_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(saslauthd_t)
-       term_dontaudit_use_generic_ptys(saslauthd_t)
-       files_dontaudit_read_root_files(saslauthd_t)
-')
-
-# cjp: typeattribute dont work in conditionals yet
+# cjp: typeattribute doesnt work in conditionals
 auth_can_read_shadow_passwords(saslauthd_t)
 tunable_policy(`allow_saslauthd_read_shadow',`
        auth_tunable_read_shadow(saslauthd_t) 
index 076e7d5e685ccd9827309f963a88a675dd77160d..4de29533897cfcc69945683a11c501a45f66af52 100644 (file)
@@ -108,12 +108,6 @@ mta_rw_aliases(sendmail_t)
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(sendmail_t)
-       term_dontaudit_use_generic_ptys(sendmail_t)
-       files_dontaudit_read_root_files(sendmail_t)
-')
-
 optional_policy(`
        clamav_search_lib(sendmail_t)
 ')
index 4f8e9a2f7ca363d217685eabe0776e891ad4feae..bcb7129f1b6058b509720731947fe7353c719ad3 100644 (file)
@@ -106,11 +106,6 @@ sysnet_read_config(setroubleshootd_t)
 
 userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(setroubleshootd_t)
-       term_dontaudit_use_unallocated_ttys(setroubleshootd_t)
-')
-
 optional_policy(`
        rpm_read_db(setroubleshootd_t)
        rpm_dontaudit_manage_db(setroubleshootd_t)
index 642593f34d7d25dc0b32d1099937b23c4c627aae..e258c48fe83748046748f921627250e1dca3d431 100644 (file)
@@ -61,12 +61,6 @@ miscfiles_read_localization(slrnpull_t)
 userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
 userdom_dontaudit_search_sysadm_home_dirs(slrnpull_t)
 
-ifdef(`targeted_policy',`
-       files_dontaudit_read_root_files(slrnpull_t)
-       term_dontaudit_use_unallocated_ttys(slrnpull_t)
-       term_dontaudit_use_generic_ptys(slrnpull_t)
-')
-
 optional_policy(`
        cron_system_entry(slrnpull_t,slrnpull_exec_t)
 ')
index c702de55011f1a2c43aeb1c48af627e09d2467ca..2a3d371642c63d0e88d72dd3d3462ce90aa71fbe 100644 (file)
@@ -82,12 +82,6 @@ sysnet_read_config(fsdaemon_t)
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
 userdom_dontaudit_search_sysadm_home_dirs(fsdaemon_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(fsdaemon_t)
-       term_dontaudit_use_generic_ptys(fsdaemon_t)
-       files_dontaudit_read_root_files(fsdaemon_t)
-')
-
 optional_policy(`
         mta_send_mail(fsdaemon_t)
 ')
index e116f42dc2fa7d8b8bcc065c677934ee71073622..fa6be5e67087018c80c89e925517d1c1392fa206 100644 (file)
@@ -115,12 +115,6 @@ ifdef(`distro_redhat', `
        ')
 ')
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(snmpd_t)
-       term_dontaudit_use_generic_ptys(snmpd_t)
-       files_dontaudit_read_root_files(snmpd_t)
-')
-
 optional_policy(`
        amanda_dontaudit_read_dumpdates(snmpd_t)
 ')
index 0b3e1b6e1341ca972c7278a3bc9203123d392ffb..d37dd5b8460c37fbc5cc7f4f8950e1888af90423 100644 (file)
@@ -88,12 +88,6 @@ sysnet_read_config(snort_t)
 userdom_dontaudit_use_unpriv_user_fds(snort_t)
 userdom_dontaudit_search_sysadm_home_dirs(snort_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(snort_t)
-       term_dontaudit_use_generic_ptys(snort_t)
-       files_dontaudit_read_root_files(snort_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(snort_t)
 ')
index e8728a92cd4bbce34b7f87131346b1c181357959..ceedaca98546ad348976d4e8f4756efc0e869f0a 100644 (file)
@@ -98,12 +98,6 @@ sysnet_read_config(soundd_t)
 userdom_dontaudit_use_unpriv_user_fds(soundd_t)
 userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(soundd_t)
-       term_dontaudit_use_generic_ptys(soundd_t)
-       files_dontaudit_read_root_files(soundd_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(soundd_t)
 ')
index 870dc7d045cf259e09f5e127ce2e7872cb47d4a6..e4f676b263662144f0cc10832f7e95268a6e27a6 100644 (file)
@@ -1,3 +1,4 @@
+HOME_DIR/\.spamassassin(/.*)?  gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
 
 /usr/bin/sa-learn      --      gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamassassin  --      gen_context(system_u:object_r:spamassassin_exec_t,s0)
@@ -13,7 +14,3 @@
 
 /var/spool/spamassassin(/.*)?  gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?         gen_context(system_u:object_r:spamd_spool_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.spamassassin(/.*)?  gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
-')
index c2802e17f0f7ca615de69ae12d739edc7f9124fd..06b14d9998d9f6a6d908ed9a2c20ba4f229d9554 100644 (file)
@@ -280,6 +280,12 @@ template(`spamassassin_per_role_template',`
                sysnet_read_config($1_spamassassin_t)
        ')
 
+       tunable_policy(`spamd_enable_home_dirs',`
+               userdom_manage_user_home_content_dirs($1,spamd_t)
+               userdom_manage_user_home_content_files($1,spamd_t)
+               userdom_manage_user_home_content_symlinks($1,spamd_t)
+       ')
+
        tunable_policy(`use_nfs_home_dirs',`
                fs_manage_nfs_dirs($1_spamassassin_t)
                fs_manage_nfs_files($1_spamassassin_t)
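Review bot: The new `spamd_enable_home_dirs` block in `spamassassin_per_role_template` grants spamd_t manage rights over the role's home content but carries no file type transition, whereas the targeted block it replaces (removed from spamassassin.te in this diff) also had `userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)`; without an equivalent, directories spamd_t creates directly under a home directory presumably keep the home directory's label rather than a home-content type, which is worth confirming is intended. A purpose comment on the block would also help, e.g. `# let spamd_t create and update per-user spamassassin data in each role's home directory`. The template continues outside the hunk.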
index 220162adaf5f48f96b54d1c99a699721bfb2d147..8e4a0a1b75a515cd8c1de80dcad72328449e1452 100644 (file)
@@ -6,23 +6,19 @@ policy_module(spamassassin,1.8.0)
 # Declarations
 #
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Allow user spamassassin clients to use the network.
 ## </p>
 ## </desc>
 gen_tunable(spamassassin_can_network,false)
-')
 
-ifdef(`targeted_policy',`
 ## <desc>
 ## <p>
 ## Allow spamd to read/write user home directories.
 ## </p>
 ## </desc>
 gen_tunable(spamd_enable_home_dirs,true)
-')
 
 # spamassassin client executable
 type spamc_exec_t;
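Review bot: `gen_tunable(spamd_enable_home_dirs,true)` was previously compiled in only under `targeted_policy` and now defaults to on for every build, and the rules behind it (added to `spamassassin_per_role_template` in this diff) grant spamd_t manage, not merely read/write, over each role's home content. The `<desc>` text `Allow spamd to read/write user home directories.` understates that; suggest `## Allow spamd to create, write and delete files in user home directories.` Anyone deploying what used to be the strict policy should be able to see from the description that this boolean is on unless they turn it off.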
@@ -140,8 +136,6 @@ init_dontaudit_rw_utmp(spamd_t)
 
 libs_use_ld_so(spamd_t)
 libs_use_shared_libs(spamd_t)
-# Various Perl bits
-libs_use_lib_files(spamd_t)
 
 logging_send_syslog_msg(spamd_t)
 
@@ -155,20 +149,6 @@ userdom_use_unpriv_users_fds(spamd_t)
 userdom_search_unpriv_users_home_dirs(spamd_t)
 userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(spamd_t)
-       term_dontaudit_use_generic_ptys(spamd_t)
-
-       files_dontaudit_read_root_files(spamd_t)
-
-       tunable_policy(`spamd_enable_home_dirs',`
-               userdom_manage_generic_user_home_content_dirs(spamd_t)
-               userdom_manage_generic_user_home_content_files(spamd_t)
-               userdom_manage_generic_user_home_content_symlinks(spamd_t)
-               userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)
-       ')
-')
-
 tunable_policy(`use_nfs_home_dirs',`
        fs_manage_nfs_files(spamd_t)
 ')
index b91764d6ac83b8ca8861a087eb517e443028fa71..2c918b6c54884e808fff3870b1bd0cdabb6cac30 100644 (file)
@@ -56,12 +56,6 @@ miscfiles_read_localization(speedmgmt_t)
 userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
 userdom_dontaudit_search_sysadm_home_dirs(speedmgmt_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(speedmgmt_t)
-       term_dontaudit_use_generic_ptys(speedmgmt_t)
-       files_dontaudit_read_root_files(speedmgmt_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(speedmgmt_t)
 ')
index beaba005d2ef2875afd8c38a042a4bee017aa438..9c30fe7212245504627dafb250681c95d700013d 100644 (file)
@@ -144,12 +144,6 @@ userdom_use_unpriv_users_fds(squid_t)
 userdom_dontaudit_use_unpriv_user_fds(squid_t)
 userdom_dontaudit_search_sysadm_home_dirs(squid_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(squid_t)
-       term_dontaudit_use_generic_ptys(squid_t)
-       files_dontaudit_read_root_files(squid_t)
-')
-
 tunable_policy(`squid_connect_any',`
        corenet_tcp_connect_all_ports(squid_t)
 ')
index e83a8529119964e21a817a8b7399bc7d119ccb9e..bf53f28ed6a3ea19e5e17c1a386fb7ab1cd85345 100644 (file)
@@ -1,19 +1,16 @@
+HOME_DIR/\.ssh(/.*)?                   gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
+
 /etc/ssh/primes                        --      gen_context(system_u:object_r:sshd_key_t,s0)
 /etc/ssh/ssh_host_key          --      gen_context(system_u:object_r:sshd_key_t,s0)
 /etc/ssh/ssh_host_dsa_key      --      gen_context(system_u:object_r:sshd_key_t,s0)
 /etc/ssh/ssh_host_rsa_key      --      gen_context(system_u:object_r:sshd_key_t,s0)
 
 /usr/bin/ssh                   --      gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh-agent             --      gen_context(system_u:object_r:ssh_agent_exec_t,s0)
 /usr/bin/ssh-keygen            --      gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 
 /usr/libexec/openssh/ssh-keysign --    gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 /usr/sbin/sshd                 --      gen_context(system_u:object_r:sshd_exec_t,s0)
 
-/var/run/sshd\.init\.pid               --      gen_context(system_u:object_r:sshd_var_run_t,s0)
-
-ifdef(`targeted_policy', `', `
-/usr/bin/ssh-agent             --      gen_context(system_u:object_r:ssh_agent_exec_t,s0)
-
-HOME_DIR/\.ssh(/.*)?                   gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
-')
+/var/run/sshd\.init\.pid       --      gen_context(system_u:object_r:sshd_var_run_t,s0)
index 129bf738b9f41189c4b5c6695d2c1537210ab664..51e058c888dc2a3bdb36d22ec341d8c3ef3da8d1 100644 (file)
@@ -80,11 +80,6 @@ kernel_link_key(sshd_t)
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
-ifdef(`targeted_policy',`
-       unconfined_domain(sshd_t)
-       unconfined_shell_domtrans(sshd_t)
-')
-
 tunable_policy(`ssh_sysadm_login',`
        # Relabel and access ptys created by sshd
        # ioctl is necessary for logout() processing for utmp entry and for w to
@@ -123,6 +118,11 @@ optional_policy(`
        rssh_read_all_users_ro_content(sshd_t)
 ')
 
+optional_policy(`
+       unconfined_domain(sshd_t)
+       unconfined_shell_domtrans(sshd_t)
+')
+
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
        # Relabel and access ptys created by sshd
@@ -153,39 +153,37 @@ tunable_policy(`ssh_sysadm_login',`
 # sshd_extern_t is the domain for ssh from outside our network
 #
 
-ifdef(`strict_policy',`
-       ifdef(`TODO',`
-       domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+ifdef(`TODO',`
+domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
 
-       domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
-       # Signal the user domains.
-       allow sshd_extern_t user_mini_domain:process signal;
+domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
+# Signal the user domains.
+allow sshd_extern_t user_mini_domain:process signal;
 
-       ifdef(`xauth.te', `
-       domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
-       ')
+ifdef(`xauth.te', `
+domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
+')
 
-       # Relabel and access ptys created by sshd
-       # ioctl is necessary for logout() processing for utmp entry and for w to
-       # display the tty.
-       # some versions of sshd on the new SE Linux require setattr
-       allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };
+# Relabel and access ptys created by sshd
+# ioctl is necessary for logout() processing for utmp entry and for w to
+# display the tty.
+# some versions of sshd on the new SE Linux require setattr
+allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };
 
-       # inheriting stream sockets is needed for "ssh host command" as no pty
-       # is allocated
-       allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
+# inheriting stream sockets is needed for "ssh host command" as no pty
+# is allocated
+allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
 
-       optional_policy(`
-               domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
-       ')
+optional_policy(`
+       domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
+')
 
-       ifdef(`direct_sysadm_daemon', `
-       # Direct execution by sysadm_r.
-       domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
-       role_transition sysadm_r sshd_exec_t system_r;
-       ')
-       ') dnl endif TODO
+ifdef(`direct_sysadm_daemon', `
+# Direct execution by sysadm_r.
+domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
+role_transition sysadm_r sshd_exec_t system_r;
 ')
+') dnl endif TODO
 
 ########################################
 #
@@ -227,21 +225,8 @@ logging_send_syslog_msg(ssh_keygen_t)
 allow ssh_keygen_t proc_t:dir r_dir_perms;
 allow ssh_keygen_t proc_t:lnk_file read;
 
-userdom_use_sysadm_ttys(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 
-# cjp: with the old daemon_(base_)domain being broken up into
-# a daemon and system interface, this probably is not needed:
-ifdef(`direct_sysadm_daemon',`
-       userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
-')
-
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
-       term_dontaudit_use_generic_ptys(ssh_keygen_t)
-       files_dontaudit_read_root_files(ssh_keygen_t)
-')
-
 optional_policy(`
        nscd_socket_use(ssh_keygen_t)
 ')
index ff31d9b1894f1197ee1776129544abc2a1312f11..b9a386b4454f01c55ad7231612ea623fc42b20dc 100644 (file)
@@ -90,12 +90,6 @@ ifdef(`distro_gentoo', `
        userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
        userdom_dontaudit_search_sysadm_home_dirs(stunnel_t)
 
-       ifdef(`targeted_policy', `
-               term_dontaudit_use_unallocated_ttys(stunnel_t)
-               term_dontaudit_use_generic_ptys(stunnel_t)
-               files_dontaudit_read_root_files(stunnel_t)
-       ')
-
        optional_policy(`
                daemontools_service_domain(stunnel_t, stunnel_exec_t)
        ')
index 00d126230921eaaf9146e779cf5085d2d625cb31..857ef97b9e286021da36bcfc6746f75cbf61c9e8 100644 (file)
@@ -79,12 +79,6 @@ userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
 userdom_dontaudit_use_sysadm_ttys(tftpd_t)
 userdom_dontaudit_search_sysadm_home_dirs(tftpd_t)
 
-ifdef(`targeted_policy', `
-        term_dontaudit_use_unallocated_ttys(tftpd_t)
-        term_dontaudit_use_generic_ptys(tftpd_t)
-        files_dontaudit_read_root_files(tftpd_t)
-')
-
 optional_policy(`
        inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
 ')
index 96423faddf506b40e26168bd741ef183be0a4003..26c276b6a0fc444739c41f73c4de86379f9e7d17 100644 (file)
@@ -78,12 +78,6 @@ userdom_dontaudit_use_unpriv_user_fds(timidity_t)
 # cjp: this should be fixed if possible so this rule can be removed.
 userdom_search_sysadm_home_dirs(timidity_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(timidity_t)
-       term_dontaudit_use_generic_ptys(timidity_t)
-       files_dontaudit_read_root_files(timidity_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(timidity_t)
 ')
index 7012e74eed23571ce8b22765df3ec9b06cca9e72..b06cb9db5e949b7ea96704535238b19076840218 100644 (file)
@@ -60,12 +60,6 @@ sysnet_read_config(transproxy_t)
 userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
 userdom_dontaudit_search_sysadm_home_dirs(transproxy_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(transproxy_t)
-       term_dontaudit_use_generic_ptys(transproxy_t)
-       files_dontaudit_read_root_files(transproxy_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(transproxy_t)
 ')
index 078adee28c22cc8f968f17d2fc50b81a962dea75..b4b9d7d8303153801b065122aaaaf8657660fdcc 100644 (file)
@@ -64,12 +64,6 @@ miscfiles_read_localization(uptimed_t)
 userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
 userdom_dontaudit_search_sysadm_home_dirs(uptimed_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(uptimed_t)
-       term_dontaudit_use_generic_ptys(uptimed_t)
-       files_dontaudit_read_root_files(uptimed_t)
-')
-
 optional_policy(`
        mta_send_mail(uptimed_t)
 ')
index c555a846b07650a2c5c0ce916c1bd93eec412afe..ed1dbbe43cb92b97f15b10a0ce22e410b952a0e0 100644 (file)
@@ -131,11 +131,6 @@ logging_send_syslog_msg(uux_t)
 
 miscfiles_read_localization(uux_t)
 
-ifdef(`targeted_policy',`
-       term_use_unallocated_ttys(uux_t)
-       term_use_generic_ptys(uux_t)
-')
-
 optional_policy(`
        mta_send_mail(uux_t)
 ')
index e538d363d6011108b4a96ec08bb1349e17a0468b..3d31305b63db855a0959ced5323d764f8be85ea9 100644 (file)
@@ -82,12 +82,6 @@ userdom_priveleged_home_dir_manager(imapd_t)
 
 mta_rw_spool(imapd_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(imapd_t)
-       term_dontaudit_use_generic_ptys(imapd_t)
-       files_dontaudit_read_root_files(imapd_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(imapd_t)
 ')
index 06d88001784653b557af529281dbbf20001ee21d..50f2772c11cb6fa0432a7c985a57daeacb69b42d 100644 (file)
@@ -92,12 +92,6 @@ sysnet_read_config(watchdog_t)
 userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
 userdom_dontaudit_search_sysadm_home_dirs(watchdog_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(watchdog_t)
-       term_dontaudit_use_generic_ptys(watchdog_t)
-       files_dontaudit_read_root_files(watchdog_t)
-')
-
 optional_policy(`
        mta_send_mail(watchdog_t)
 ')
index 5302588bb2ce8be4b07e26b7e852ae2406470380..800c4d237ffa78d3e12f59d235713426f8f6429b 100644 (file)
@@ -72,12 +72,6 @@ ifdef(`distro_debian',`
        init_script_tmp_filetrans(xfs_t,xfs_tmp_t,sock_file)
 ')
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(xfs_t)
-       term_dontaudit_use_generic_ptys(xfs_t)
-       files_dontaudit_read_root_files(xfs_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(xfs_t)
 ')
index 8af8788f36bb3d5f42d9207063e49f69e0c313c7..ce734580a8e7d1c057a2b604a3c422c8390b1949 100644 (file)
@@ -69,12 +69,6 @@ sysnet_read_config(xprint_t)
 userdom_dontaudit_use_unpriv_user_fds(xprint_t)
 userdom_dontaudit_search_sysadm_home_dirs(xprint_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(xprint_t)
-       term_dontaudit_use_generic_ptys(xprint_t)
-       files_dontaudit_read_root_files(xprint_t)
-')
-
 optional_policy(`
        cups_read_config(xprint_t)
 ')
index 1e86113a79d5d40fada085e52270a2d6d098fb3e..c1c87ac10847f35b48da05086e87dd3b04814b78 100644 (file)
@@ -1,7 +1,6 @@
 #
 # HOME_DIR
 #
-ifdef(`strict_policy',`
 HOME_DIR/\.fonts\.conf --      gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)?         gen_context(system_u:object_r:ROLE_fonts_t,s0)
 HOME_DIR/\.fonts/auto(/.*)?    gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
@@ -9,7 +8,6 @@ HOME_DIR/\.fonts\.cache-.* --   gen_context(system_u:object_r:ROLE_fonts_cache_t,s
 HOME_DIR/\.ICEauthority.* --   gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
 HOME_DIR/\.xauth.*     --      gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*        --      gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
-')
 
 #
 # /dev
@@ -51,13 +49,10 @@ ifdef(`distro_redhat',`
 
 /tmp/\.ICE-unix                -d      gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.ICE-unix/.*     -s      <<none>>
+/tmp/\.X0-lock         --      gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
 /tmp/\.X11-unix                -d      gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*     -s      <<none>>
 
-ifdef(`strict_policy',`
-/tmp/\.X0-lock         --      gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
-')
-
 #
 # /usr
 #
index 0a32465cac3a9ad6f26d2b3e57986b8d938e4edc..c8b83754f0a141fff6563630b67d9e26a5fe984d 100644 (file)
@@ -736,12 +736,8 @@ interface(`xserver_read_all_users_xauth',`
                attribute xauth_home_type;
        ')
 
-       ifdef(`strict_policy',`
-               allow $1 xauth_home_type:file read_file_perms;
-               userdom_search_all_users_home_dirs($1)
-       ',`
-               userdom_read_generic_user_home_content_files($1)
-       ')
+       allow $1 xauth_home_type:file read_file_perms;
+       userdom_search_all_users_home_dirs($1)
 ')
 
 ########################################
index 0bfbe14d4c49c7c8b242421446e636544ab3b0e2..ae61202a56cf2218e88854dc674d8181b7e66907 100644 (file)
@@ -6,7 +6,6 @@ policy_module(xserver,1.6.0)
 # Declarations
 #
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Allows clients to write to the X server shared
@@ -14,7 +13,6 @@ ifdef(`strict_policy',`
 ## </p>
 ## </desc>
 gen_tunable(allow_write_xshm,false)
-')
 
 ## <desc>
 ## <p>
@@ -276,20 +274,6 @@ userdom_signal_all_users(xdm_t)
 
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 
-ifdef(`targeted_policy',`
-       unconfined_domain(xdm_t)
-       unconfined_domtrans(xdm_t)
-       userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
-
-       ifndef(`distro_redhat',`
-               allow xdm_t self:process { execheap execmem };
-       ')
-
-       ifdef(`distro_rhel4',`
-               allow xdm_t self:process { execheap execmem };
-       ')
-')
-
 tunable_policy(`use_nfs_home_dirs',`
        fs_manage_nfs_dirs(xdm_t)
        fs_manage_nfs_files(xdm_t)
@@ -363,6 +347,19 @@ optional_policy(`
        udev_read_db(xdm_t)
 ')
 
+optional_policy(`
+       unconfined_domain(xdm_t)
+       unconfined_domtrans(xdm_t)
+
+       ifndef(`distro_redhat',`
+               allow xdm_t self:process { execheap execmem };
+       ')
+
+       ifdef(`distro_rhel4',`
+               allow xdm_t self:process { execheap execmem };
+       ')
+')
+
 optional_policy(`
        userhelper_dontaudit_search_config(xdm_t)
 ')
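Review bot: The new block at L6370-L6381 makes xdm_t unconfined whenever the unconfined module is loaded, a broader trigger than the `targeted_policy` ifdef it replaces: a build from the former strict configuration that loads the unconfined module now gets an unconfined display manager. A comment at the top of the block, `# xdm runs unconfined when the unconfined module is loaded (former targeted-policy behaviour)`, would make that gating visible to anyone reading the .te file. The explicit `execheap execmem` self rules inside an `unconfined_domain()` block are presumably there because the unconfined interface excludes those process permissions; if so, say that in the comment, otherwise they are redundant.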
@@ -427,7 +424,16 @@ tunable_policy(`use_samba_home_dirs',`
        fs_manage_cifs_symlinks(xdm_xserver_t)
 ')
 
-ifdef(`targeted_policy',`
+optional_policy(`
+       resmgr_stream_connect(xdm_t)
+')
+
+optional_policy(`
+       rhgb_rw_shm(xdm_xserver_t)
+       rhgb_rw_tmpfs_files(xdm_xserver_t)
+')
+
+optional_policy(`
        unconfined_domain_noaudit(xdm_xserver_t)
        unconfined_domtrans(xdm_xserver_t)
 
@@ -440,15 +446,6 @@ ifdef(`targeted_policy',`
        ')
 ')
 
-optional_policy(`
-       resmgr_stream_connect(xdm_t)
-')
-
-optional_policy(`
-       rhgb_rw_shm(xdm_xserver_t)
-       rhgb_rw_tmpfs_files(xdm_xserver_t)
-')
-
 ifdef(`TODO',`
 # Need to further investigate these permissions and
 # perhaps define derived types.
index ca643b645226a3dbdf1fe8ea84147637945a5695..ab0b55aad9130681be59e0ec70a3c8a7005b6d1e 100644 (file)
@@ -43,11 +43,6 @@ libs_use_shared_libs(zabbix_t)
 
 miscfiles_read_localization(zabbix_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(zabbix_t)
-       term_dontaudit_use_generic_ptys(zabbix_t)
-')
-
 optional_policy(`
        mysql_stream_connect(zabbix_t)
 ')
index 0c6112ae8f46ae32787c8daaa1b91b7cd3df63d4..013631c888bc7ddc91fc6eb0cee6eee19c060512 100644 (file)
@@ -114,13 +114,6 @@ sysnet_read_config(zebra_t)
 userdom_dontaudit_use_unpriv_user_fds(zebra_t)
 userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(zebra_t)
-       term_dontaudit_use_generic_ptys(zebra_t)
-       files_dontaudit_read_root_files(zebra_t)
-       unconfined_sigchld(zebra_t)
-')
-
 tunable_policy(`allow_zebra_write_config',`
        allow zebra_t zebra_conf_t:dir write;
        allow zebra_t zebra_conf_t:file write;
@@ -141,3 +134,7 @@ optional_policy(`
 optional_policy(`
        udev_read_db(zebra_t)
 ')
+
+optional_policy(`
+       unconfined_sigchld(zebra_t)
+')
index cc2c243db3ba556aa99dd8e11d480c3320a70c0d..fc5889def50716340bf2025b3e845f9afea424f5 100644 (file)
@@ -150,21 +150,12 @@ template(`authlogin_per_role_template',`
 ## </param>
 #
 template(`auth_domtrans_user_chk_passwd',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type system_chkpwd_t, chkpwd_exec_t;
-               ')
-
-               corecmd_search_bin($2)
-               domtrans_pattern($2,chkpwd_exec_t,system_chkpwd_t)
-       ',`
-               gen_require(`
-                       type $1_chkpwd_t, chkpwd_exec_t;
-               ')
-
-               corecmd_search_bin($2)
-               domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
+       gen_require(`
+               type $1_chkpwd_t, chkpwd_exec_t;
        ')
+
+       corecmd_search_bin($2)
+       domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
 ')
 
 ########################################
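Review bot: `auth_domtrans_user_chk_passwd` now always requires a per-prefix `$1_chkpwd_t`, so a caller passing a prefix for which `authlogin_per_role_template` (visible in the hunk header) has not been instantiated fails at build time in the `gen_require` instead of silently falling back to `system_chkpwd_t` as the removed targeted branch did. The parameter documentation above the hunk should say that `$1` must be a prefix previously passed to the per-role template, e.g. `## The prefix of the user domain; authlogin_per_role_template must already have been called with it.` Callers that relied on `system_chkpwd_t` in targeted builds presumably need updating as well.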
index 2b71f857e7ad2ff287aa45a20a984ae392ad257d..b52bff5e53fe3b0c0b3aeda65d9db31a4024764c 100644 (file)
@@ -216,12 +216,6 @@ seutil_read_file_contexts(pam_console_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(pam_console_t)
-       term_dontaudit_use_generic_ptys(pam_console_t)
-       files_dontaudit_read_root_files(pam_console_t)
-')
-
 optional_policy(`
        gpm_getattr_gpmctl(pam_console_t)
        gpm_setattr_gpmctl(pam_console_t)
@@ -299,6 +293,11 @@ optional_policy(`
        nscd_socket_use(utempter_t)
 ')
 
+optional_policy(`
+       # Allow utemper to write to /tmp/.xses-*
+       unconfined_write_tmp_files(utempter_t)
+')
+
 optional_policy(`
        xserver_use_xdm_fds(utempter_t)
        xserver_rw_xdm_pipes(utempter_t)
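Review bot: The comment on L6503 says the grant is for `/tmp/.xses-*`, but `unconfined_write_tmp_files(utempter_t)` allows writing every file of the unconfined tmp type, not only the xses files; the comment should reflect the real scope, e.g. `# Allow utempter to write unconfined users' tmp files (needed for /tmp/.xses-*).` The same line also misspells the program as `utemper`. A narrower grant would need a dedicated type for the xses files and is outside this commit, but the comment should not understate what is being allowed.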
index ba99ccfa61ba7f5624840b13cd47906387938f60..a86bb02862ff7c43ba7da80ce9d4bc46a5bc65ec 100644 (file)
@@ -63,12 +63,6 @@ logging_send_syslog_msg(hwclock_t)
 
 miscfiles_read_localization(hwclock_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(hwclock_t)
-       term_dontaudit_use_generic_ptys(hwclock_t)
-       files_dontaudit_read_root_files(hwclock_t)
-')
-
 optional_policy(`
        apm_append_log(hwclock_t)
        apm_rw_stream_sockets(hwclock_t)
index 13006385581d6dc94d2aa7b12a39af98843818f6..6ff57480ffcf583bb786988814fd157cd1549181 100644 (file)
@@ -154,11 +154,6 @@ seutil_read_config(fsadm_t)
 
 userdom_use_unpriv_users_fds(fsadm_t)
 
-ifdef(`targeted_policy',`
-       term_use_unallocated_ttys(fsadm_t)
-       term_use_generic_ptys(fsadm_t)
-')
-
 tunable_policy(`read_default_t',`
        files_list_default(fsadm_t)
        files_read_default_files(fsadm_t)
index 31706fc6ad125c391bb83bb429f13dea6146120a..f8ba7883db982043684a042c5367b2ee235ea0f6 100644 (file)
@@ -114,11 +114,6 @@ ifdef(`distro_gentoo',`
        sysnet_dontaudit_read_config(getty_t)
 ')
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(getty_t)
-       term_dontaudit_use_generic_ptys(getty_t)
-')
-
 optional_policy(`
        mta_send_mail(getty_t)
 ')
index 68469f3b7f03292c8add601fd2dd257d143d615c..69cdcb243d308798d82c4ab8d55a68e3e3b9c05d 100644 (file)
@@ -125,11 +125,6 @@ ifdef(`distro_redhat', `
        files_getattr_generic_locks(hotplug_t)
 ')
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(hotplug_t)
-       term_dontaudit_use_generic_ptys(hotplug_t)
-')
-
 optional_policy(`
        consoletype_exec(hotplug_t)
 ')
index 2e311561f8d6a0b2611a7ccbab64b6290c930dcf..8ec8ef1b069783868a4f0d5d52d85193f5467eb6 100644 (file)
@@ -9,15 +9,13 @@
 
 /etc/rc\.d/init\.d/.*  --      gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/etc/X11/prefdm                --      gen_context(system_u:object_r:initrc_exec_t,s0)
+
 ifdef(`distro_gentoo',`
 /etc/vmware/init\.d/vmware --  gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/x11/startDM.sh    --      gen_context(system_u:object_r:initrc_exec_t,s0)
 ')
 
-ifdef(`strict_policy',`
-/etc/X11/prefdm                --      gen_context(system_u:object_r:initrc_exec_t,s0)
-')
-
 #
 # /dev
 #
index 0c3e3ad03d57f867e6bf70417aae0a091e0554b3..597a5cbcd1f03bb7aa46413342f659e1e642a408 100644 (file)
@@ -931,6 +931,24 @@ interface(`init_dontaudit_stream_connect_script',`
 
        dontaudit $1 initrc_t:unix_stream_socket connectto;
 ')
+########################################
+## <summary>
+##     Send messages to init scripts over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_dbus_send_script',`
+       gen_require(`
+               type initrc_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 initrc_t:dbus send_msg;
+')
 
 ########################################
 ## <summary>
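Review bot: The new `init_dbus_send_script` interface is inserted directly after the closing `')` of `init_dontaudit_stream_connect_script` on L6586 with no blank line before its `####` banner, unlike every other interface in this file (compare L6605-L6606). Add a blank line before L6587. The rule itself is one-directional (`$1` to initrc_t only); if callers expect replies over the bus, the summary should say that the reverse `send_msg` has to be granted separately.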
index 8f67002935b6cf0dc3acd9abcfd2eb807bd22c3a..07c18604c676497b80fcc3dbec1141b580409303 100644 (file)
@@ -10,15 +10,6 @@ gen_require(`
 # Declarations
 #
 
-ifdef(`targeted_policy',`
-## <desc>
-## <p>
-## Allow all daemons the ability to use unallocated ttys
-## </p>
-## </desc>
-gen_tunable(allow_daemons_use_tty,false)
-')
-
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
@@ -172,10 +163,6 @@ ifdef(`distro_redhat',`
        fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
 ')
 
-ifdef(`targeted_policy',`
-       unconfined_domain(init_t)
-')
-
 optional_policy(`
        auth_rw_login_records(init_t)
 ')
@@ -184,6 +171,10 @@ optional_policy(`
        nscd_socket_use(init_t)
 ')
 
+optional_policy(`
+       unconfined_domain(init_t)
+')
+
 # Run the shell in the sysadm_t domain for single-user mode.
 optional_policy(`
        userdom_shell_domtrans_sysadm(init_t)
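Review bot: `unconfined_domain(init_t)` at L6640-L6642 is now applied whenever the unconfined module is loaded rather than only in a targeted build, so the trigger is module presence, not the policy type chosen at build time; PID 1 being unconfined is a large enough consequence that the block deserves a comment saying so, e.g. `# init runs unconfined when the unconfined module is loaded (previously targeted-only).` Nothing in the hunk records that the old `ifdef(targeted_policy)` gating is gone. The Changelog listed in the diffstat is the other place this belongs.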
@@ -505,37 +496,6 @@ ifdef(`distro_suse',`
        ')
 ')
 
-ifdef(`targeted_policy',`
-       domain_subj_id_change_exemption(initrc_t)
-       unconfined_domain(initrc_t)
-
-       ifdef(`distro_redhat',`
-               # system-config-services causes avc messages that should be dontaudited
-               unconfined_dontaudit_rw_pipes(daemon)
-       ')
-
-       tunable_policy(`allow_daemons_use_tty',`
-               term_use_unallocated_ttys(daemon)
-               term_use_generic_ptys(daemon)
-       ')
-
-       optional_policy(`
-               mono_domtrans(initrc_t)
-       ')
-',`
-       # cjp: require doesnt work in the else of optionals :\
-       # this also would result in a type transition
-       # conflict if sendmail is enabled
-#      optional_policy(`',`
-#              mta_send_mail(initrc_t)
-#      ')
-
-       # allow init scripts to su
-       optional_policy(`
-               su_restricted_domain_template(initrc,initrc_t,system_r)
-       ')
-')
-
 optional_policy(`
        amavis_search_lib(initrc_t)
        amavis_setattr_pid_files(initrc_t)
@@ -672,6 +632,12 @@ optional_policy(`
        mta_read_config(initrc_t)
        mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
+# cjp: require doesnt work in the else of optionals :\
+# this also would result in a type transition
+# conflict if sendmail is enabled
+#optional_policy(`',`
+#      mta_send_mail(initrc_t)
+#')
 
 optional_policy(`
        ifdef(`distro_redhat',`
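Review bot: L6689-L6694 carry forward a commented-out `optional_policy` else-branch that its own comment says cannot work ("require doesnt work in the else of optionals"), now glued to the preceding `')` on L6688 with no separating blank line. Dead code like this should either be dropped or reduced to a TODO that names the blocker, e.g. `# TODO: mta_send_mail(initrc_t) when no MTA module is loaded; blocked on require-in-else support`, with a blank line before it.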
@@ -749,6 +715,11 @@ optional_policy(`
        squid_manage_logs(initrc_t)
 ')
 
+optional_policy(`
+       # allow init scripts to su
+       su_restricted_domain_template(initrc,initrc_t,system_r)
+')
+
 optional_policy(`
        ssh_dontaudit_read_server_keys(initrc_t)
 ')
@@ -765,6 +736,19 @@ optional_policy(`
        uml_setattr_util_sockets(initrc_t)
 ')
 
+optional_policy(`
+       unconfined_domain(initrc_t)
+
+       ifdef(`distro_redhat',`
+               # system-config-services causes avc messages that should be dontaudited
+               unconfined_dontaudit_rw_pipes(daemon)
+       ')
+
+       optional_policy(`
+               mono_domtrans(initrc_t)
+       ')
+')
+
 optional_policy(`
        vmware_read_system_config(initrc_t)
        vmware_append_system_config(initrc_t)
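Review bot: The `optional_policy` block at L6714-L6725 that replaces the removed targeted block (L6651-L6667) does not carry over `domain_subj_id_change_exemption(initrc_t)`; the `allow_daemons_use_tty` grants are gone too, but that tunable is deleted in an earlier hunk of this file, whereas the exemption drop is not mentioned anywhere. If `unconfined_domain()` already includes the subject-identity exemption this is fine and a comment saying so settles it; if not, init scripts that change SELinux user identity presumably lose that permission. Either `# domain_subj_id_change_exemption is implied by unconfined_domain()` or the restored call belongs in this block.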
index 5be38a2f881474ce064a81c041299cce473ca4a2..ec5ea2b0ff3351520156418e72d9a2407e0ac5d2 100644 (file)
@@ -139,12 +139,6 @@ sysnet_read_config(ipsec_t)
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
 userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(ipsec_t)
-       term_dontaudit_use_generic_ptys(ipsec_t)
-       files_dontaudit_read_root_files(ipsec_t)
-')
-
 optional_policy(`
        nis_use_ypbind(ipsec_t)
 ')
index 0bb1ac177b6cf31d32f1ebfb61154d375230e3b1..31048bfadce97f7279125c0ba2854498a40bb283 100644 (file)
@@ -79,13 +79,6 @@ sysnet_dns_name_resolve(iptables_t)
 
 userdom_use_all_users_fds(iptables_t)
 
-ifdef(`targeted_policy', `
-       term_use_unallocated_ttys(iptables_t)
-       term_use_generic_ptys(iptables_t)
-       files_dontaudit_read_root_files(iptables_t)
-       unconfined_rw_pipes(iptables_t)
-')
-
 optional_policy(`
        fail2ban_append_log(iptables_t)
 ')
index 19c19e1af23a77504b2844a373972161efa43267..961b0c33556c408f37aa81a35a0095c422efe6e2 100644 (file)
@@ -76,7 +76,3 @@ logging_send_syslog_msg(iscsid_t)
 miscfiles_read_localization(iscsid_t)
 
 sysnet_dns_name_resolve(iscsid_t)
-
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(iscsid_t)
-')
index dba235d1e686de59892c5f11e1c64bb11668aaf5..50019e6e1652896c8eb724d43b3cdb4c679ba4f1 100644 (file)
@@ -3,30 +3,24 @@
 #
 ifdef(`distro_debian',`
 /emul/ia32-linux/usr(/.*)?/lib(/.*)?           gen_context(system_u:object_r:lib_t,s0)
-/emul/ia32-linux/usr(/.*)?/lib/.+\.so(\.[^/]*)*        -- gen_context(system_u:object_r:shlib_t,s0)
 /emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
 /emul/ia32-linux/lib(/.*)?                     gen_context(system_u:object_r:lib_t,s0)
-/emul/ia32-linux/lib/.+\.so(\.[^/]*)*  --      gen_context(system_u:object_r:shlib_t,s0)
 /emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
 ')
 
 ifdef(`distro_gentoo',`
 /emul/linux/x86/usr(/.*)?/lib(/.*)?            gen_context(system_u:object_r:lib_t,s0)
-/emul/linux/x86/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
 /emul/linux/x86/lib(/.*)?                      gen_context(system_u:object_r:lib_t,s0)
-/emul/linux/x86/lib/.+\.so(\.[^/]*)*   --      gen_context(system_u:object_r:shlib_t,s0)
 /emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
 ')
 
 ifdef(`distro_redhat',`
 /emul/ia32-linux/usr(/.*)?/lib(/.*)?           gen_context(system_u:object_r:lib_t,s0)
-/emul/ia32-linux/usr(/.*)?/lib/.+\.so(\.[^/]*)*        -- gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar        --      gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa        --      gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar        --      gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa        --      gen_context(system_u:object_r:lib_t,s0)
 /emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
 /emul/ia32-linux/lib(/.*)?                     gen_context(system_u:object_r:lib_t,s0)
-/emul/ia32-linux/lib/.+\.so(\.[^/]*)*  --      gen_context(system_u:object_r:shlib_t,s0)
 /emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
 ')
 
@@ -36,7 +30,7 @@ ifdef(`distro_redhat',`
 /etc/ld\.so\.cache                     --      gen_context(system_u:object_r:ld_so_cache_t,s0)
 /etc/ld\.so\.preload                   --      gen_context(system_u:object_r:ld_so_cache_t,s0)
 
-/etc/ppp/plugins/rp-pppoe\.so          --      gen_context(system_u:object_r:shlib_t,s0)
+/etc/ppp/plugins/rp-pppoe\.so          --      gen_context(system_u:object_r:lib_t,s0)
 
 #
 # /lib(64)?
@@ -45,8 +39,6 @@ ifdef(`distro_redhat',`
 /lib/.*                                                gen_context(system_u:object_r:lib_t,s0)
 /lib64                                 -d      gen_context(system_u:object_r:lib_t,s0)
 /lib64/.*                                      gen_context(system_u:object_r:lib_t,s0)
-/lib/.+\.so(\.[^/]*)*                  --      gen_context(system_u:object_r:shlib_t,s0)
-/lib64/.+\.so(\.[^/]*)*                        --      gen_context(system_u:object_r:shlib_t,s0)
 /lib/ld-[^/]*\.so(\.[^/]*)*            --      gen_context(system_u:object_r:ld_so_t,s0)
 /lib64/ld-[^/]*\.so(\.[^/]*)*          --      gen_context(system_u:object_r:ld_so_t,s0)
 
@@ -62,7 +54,6 @@ ifdef(`distro_gentoo',`
 /lib                                   -l      gen_context(system_u:object_r:lib_t,s0)
 /lib32                                 -d      gen_context(system_u:object_r:lib_t,s0)
 /lib32/.*                                      gen_context(system_u:object_r:lib_t,s0)
-/lib32/.+\.so(\.[^/]*)*                        --      gen_context(system_u:object_r:shlib_t,s0)
 /lib32/ld-[^/]*\.so(\.[^/]*)*          --      gen_context(system_u:object_r:ld_so_t,s0)
 ')
 
@@ -70,14 +61,10 @@ ifdef(`distro_gentoo',`
 # /opt
 #
 /opt/(.*/)?lib(/.*)?                           gen_context(system_u:object_r:lib_t,s0)
-/opt/(.*/)?lib/.+\.so                  --      gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?lib/.+\.so\.[^/]*           --      gen_context(system_u:object_r:shlib_t,s0)
 /opt/(.*/)?lib64(/.*)?                         gen_context(system_u:object_r:lib_t,s0)
-/opt/(.*/)?lib64/.+\.so                        --      gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?lib64/.+\.so\.[^/]*         --      gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?java/.+\.jar                        --      gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?java/.+\.jar                        --      gen_context(system_u:object_r:lib_t,s0)
 /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/(.*/)?jre/.+\.jar                 --      gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?jre/.+\.jar                 --      gen_context(system_u:object_r:lib_t,s0)
 /opt/cisco-vpnclient/lib/libvpnapi\.so --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/cxoffice/lib/wine/.+\.so          --      gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -86,24 +73,18 @@ ifdef(`distro_gentoo',`
 
 ifdef(`distro_gentoo',`
 # despite the extensions, they are actually libs
-/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
-/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:shlib_t,s0)
-/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:shlib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
 
 /opt/netscape/plugins(/.*)?                    gen_context(system_u:object_r:lib_t,s0)
-/opt/netscape/plugins/.*\.so           --      gen_context(system_u:object_r:shlib_t,s0)
 /opt/netscape/plugins/libflashplayer\.so --    gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/netscape/plugins/nppdf\.so                --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/RealPlayer/codecs(/.*)?                   gen_context(system_u:object_r:lib_t,s0)
-/opt/RealPlayer/codecs/.*\.so          --      gen_context(system_u:object_r:shlib_t,s0)
 /opt/RealPlayer/common(/.*)?                   gen_context(system_u:object_r:lib_t,s0)
-/opt/RealPlayer/common/.*\.so          --      gen_context(system_u:object_r:shlib_t,s0)
 /opt/RealPlayer/lib(/.*)?                      gen_context(system_u:object_r:lib_t,s0)
-/opt/RealPlayer/lib/.*\.so             --      gen_context(system_u:object_r:shlib_t,s0)
 /opt/RealPlayer/mozilla(/.*)?                  gen_context(system_u:object_r:lib_t,s0)
-/opt/RealPlayer/mozilla/.*\.so         --      gen_context(system_u:object_r:shlib_t,s0)
 /opt/RealPlayer/plugins(/.*)?                  gen_context(system_u:object_r:lib_t,s0)
-/opt/RealPlayer/plugins/.*\.so         --      gen_context(system_u:object_r:shlib_t,s0)
 ')
 
 #
@@ -118,24 +99,18 @@ ifdef(`distro_gentoo',`
 /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(.*/)?java/.+\.so(\.[^/]*)*       --      gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?java/.+\.jar                        --      gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?java/.+\.jsa                        --      gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?java/.+\.jar                        --      gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?java/.+\.jsa                        --      gen_context(system_u:object_r:lib_t,s0)
 
 /usr/(.*/)?lib(/.*)?                           gen_context(system_u:object_r:lib_t,s0)
-/usr/(.*/)?lib/.+\.so                  --      gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?lib/.+\.so\.[^/]*           --      gen_context(system_u:object_r:shlib_t,s0)
 /usr/(.*/)?lib64(/.*)?                         gen_context(system_u:object_r:lib_t,s0)
-/usr/(.*/)?lib64/.+\.so                        --      gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?lib64/.+\.so\.[^/]*         --      gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
 
 /usr/(.*/)?nvidia/.+\.so(\..*)?                --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/lib/transgaming_cedega/gddb_parser.so --  gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib/vlc/codec/libdmo_plugin.so       --   gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/vlc/codec/librealaudio_plugin.so  --  gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/win32/.*                      --      gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --    gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -155,7 +130,7 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --    gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/(local/)?.*\.so(\.[^/]*)*         --      gen_context(system_u:object_r:shlib_t,s0)
+/usr/(local/)?.*\.so(\.[^/]*)*         --      gen_context(system_u:object_r:lib_t,s0)
 /usr/(local/)?lib(64)?/wine/.+\.so     --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.*        --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libXcomp\.so.*             --      gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -175,7 +150,7 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:lib_t,s0)
 
 # The following are libraries with text relocations in need of execmod permissions
 # Some of them should be fixed and removed from this list
@@ -299,9 +274,8 @@ HOME_DIR/.*/plugins/nprhapengine\.so.* --   gen_context(system_u:object_r:textrel_
 #
 /var/ftp/lib(64)?(/.*)?                                gen_context(system_u:object_r:lib_t,s0)
 /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*        --      gen_context(system_u:object_r:ld_so_t,s0)
-/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* --    gen_context(system_u:object_r:shlib_t,s0)
 
-/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --  gen_context(system_u:object_r:shlib_t,s0)
+/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --  gen_context(system_u:object_r:lib_t,s0)
 
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+\.so(\.[^/]*)*    -l      gen_context(system_u:object_r:lib_t,s0)
@@ -310,6 +284,3 @@ ifdef(`distro_suse',`
 /var/spool/postfix/lib(64)?(/.*)?              gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?                   gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.* --      gen_context(system_u:object_r:ld_so_t,s0)
-/var/spool/postfix/lib(64)?/lib.*\.so.*        --      gen_context(system_u:object_r:shlib_t,s0)
-/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-/var/spool/postfix/lib(64)?/devfsd/.+\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
index 2e71beaf6359df7066144a1ab7a0578c90f85875..db3945a8ff0b44bd6e399049aa9337f03db8f089 100644 (file)
@@ -292,14 +292,8 @@ interface(`libs_exec_lib_files',`
 ## </param>
 #
 interface(`libs_use_lib_files',`
-       gen_require(`
-               type lib_t;
-       ')
-
-       files_list_usr($1)
-       allow $1 lib_t:dir list_dir_perms;
-       read_lnk_files_pattern($1,lib_t,lib_t)
-       mmap_files_pattern($1,lib_t,lib_t)
+       refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead.')
+       libs_use_shared_libs($1)
 ')
 
 ########################################
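Review bot: The deprecated `libs_use_lib_files` now forwards to `libs_use_shared_libs`, which grants strictly more than the body it replaces: the removed lines gave list, read_lnk and mmap on lib_t only, while `libs_use_shared_libs` (L6976-L6982) additionally grants mmap on textrel_shlib_t and `execmod` on textrel_shlib_t. Every existing caller of the deprecated interface therefore silently gains execmod on text-relocating libraries. If that is acceptable, say so in the deprecation message, e.g. `refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead (note: also grants execmod on textrel_shlib_t).')`.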
@@ -392,10 +386,10 @@ interface(`libs_delete_lib_symlinks',`
 # cjp: added for prelink
 interface(`libs_manage_shared_libs',`
        gen_require(`
-               type lib_t, shlib_t, textrel_shlib_t;
+               type lib_t, textrel_shlib_t;
        ')
 
-       manage_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
+       manage_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
 ')
 
 ########################################
@@ -410,13 +404,13 @@ interface(`libs_manage_shared_libs',`
 #
 interface(`libs_use_shared_libs',`
        gen_require(`
-               type lib_t, shlib_t, textrel_shlib_t;
+               type lib_t, textrel_shlib_t;
        ')
 
        files_list_usr($1)
        allow $1 lib_t:dir list_dir_perms;
-       read_lnk_files_pattern($1,lib_t,{ lib_t shlib_t textrel_shlib_t })
-       mmap_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
+       read_lnk_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
+       mmap_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
        allow $1 textrel_shlib_t:file execmod;
 ')
 
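Review bot: With shlib_t folded into lib_t, `mmap_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })` on L6981 grants read-and-execute mapping of every regular file labelled lib_t, including non-library data under lib directories (the .fc hunks label `.jar`/`.jsa` files and whole `/opt/*/lib` trees lib_t), where previously only files matched by the `.so` patterns were executable. That is the intended simplification, but the interface summary above the hunk should state it so callers understand lib_t is now an executable type, e.g. `## Note: every file labelled lib_t is mappable executable by the caller; keep non-library data out of lib_t.`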
@@ -433,11 +427,11 @@ interface(`libs_use_shared_libs',`
 #
 interface(`libs_legacy_use_shared_libs',`
        gen_require(`
-               type shlib_t, textrel_shlib_t;
+               type lib_t;
        ')
 
        libs_use_shared_libs($1)
-       allow $1 { shlib_t textrel_shlib_t }:file execmod;
+       allow $1 lib_t:file execmod;
 ')
 
 ########################################
@@ -454,10 +448,10 @@ interface(`libs_legacy_use_shared_libs',`
 # cjp: added for prelink
 interface(`libs_relabel_shared_libs',`
        gen_require(`
-               type lib_t, shlib_t, textrel_shlib_t;
+               type lib_t, textrel_shlib_t;
        ')
 
-       relabel_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
+       relabel_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
 ')
 
 ########################################
@@ -477,11 +471,7 @@ interface(`libs_relabel_shared_libs',`
 ## </param>
 #
 interface(`lib_filetrans_shared_lib',`
-       gen_require(`
-               type lib_t, shlib_t;
-       ')
-
-       filetrans_pattern($1,lib_t,shlib_t,$2)
+       refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -510,6 +500,5 @@ interface(`lib_filetrans_shared_lib',`
 ## </param>
 #
 interface(`files_lib_filetrans_shared_lib',`
-       refpolicywarn(`$0($*) has been deprecated, use lib_filetrans_shared_lib() instead.')
-       lib_filetrans_shared_lib($1,$2)
+       refpolicywarn(`$0($*) has been deprecated.')
 ')
index abb3189abc19615e943c4fafc39f60bd6fe54211..c312700a703394b11508a513e749f65c5b7c820b 100644 (file)
@@ -29,20 +29,9 @@ files_tmp_file(ldconfig_tmp_t)
 #
 # lib_t is the type of files in the system lib directories.
 #
-type lib_t;
+type lib_t alias shlib_t;
 files_type(lib_t)
 
-#
-# shlib_t is the type of shared objects in the system lib
-# directories.
-#
-ifdef(`targeted_policy',`
-       typealias lib_t alias shlib_t;
-',`
-       type shlib_t;
-       files_type(shlib_t)
-')
-
 #
 # textrel_shlib_t is the type of shared objects in the system lib
 # directories, which require text relocation.
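Review bot: `type lib_t alias shlib_t;` keeps old modules and file contexts compiling, but the comment block kept at L7036-L7037 still describes lib_t as only "files in the system lib directories" and says nothing about the alias or about lib_t now being the executable shared-object type. Update it to `# lib_t is the type of files, including shared objects, in the system lib directories; shlib_t is kept as an alias for compatibility with existing modules.`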
@@ -97,13 +86,6 @@ ifdef(`hide_broken_symptoms',`
        ')
 ')
 
-ifdef(`targeted_policy',`
-       allow ldconfig_t lib_t:file read_file_perms;
-       files_read_generic_tmp_symlinks(ldconfig_t)
-       term_dontaudit_use_generic_ptys(ldconfig_t)
-       term_dontaudit_use_unallocated_ttys(ldconfig_t)
-')
-
 optional_policy(`
        # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
        apache_dontaudit_search_modules(ldconfig_t)
index f23717c972780dddb001d72d1dc9302a6271f0a4..21b33569b7f95b1ae03ab1bd0b92e5844097357e 100644 (file)
@@ -138,10 +138,6 @@ userdom_use_unpriv_users_fds(local_login_t)
 userdom_sigchld_all_users(local_login_t)
 userdom_create_all_users_keys(local_login_t)
 
-ifdef(`targeted_policy',`
-       unconfined_shell_domtrans(local_login_t)
-')
-
 tunable_policy(`read_default_t',`
        files_list_default(local_login_t)
        files_read_default_files(local_login_t)
@@ -161,7 +157,11 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-       dbus_system_bus_client_template(local_login,local_login_t)
+       alsa_domtrans(local_login_t)
+')
+
+optional_policy(`
+       dbus_system_bus_client_template(local_login, local_login_t)
        dbus_send_system_bus(local_login_t)
 
        consolekit_dbus_chat(local_login_t)
@@ -186,11 +186,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-       usermanage_read_crack_db(local_login_t)
+       unconfined_domain(local_login_t)
 ')
 
 optional_policy(`
-       alsa_domtrans(local_login_t)
+       usermanage_read_crack_db(local_login_t)
 ')
 
 optional_policy(`
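Review bot: `unconfined_domain(local_login_t)` at L7098-L7101 is not equivalent to the `unconfined_shell_domtrans(local_login_t)` it replaces (removed at L7075-L7077 in the earlier hunk): the old rule only transitioned the user's shell into the unconfined domain, whereas the new one makes the login process itself unconfined. If the shell transition is implied by `unconfined_domain()` a comment should say so; if not, `unconfined_shell_domtrans(local_login_t)` presumably still needs to be in this block for logins to land in the unconfined domain.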
index d5350272844a09a1594e207eb3d4dedd7ea556d4..41114656ba4cc48aff99467bc0a4db3ab24dbcd0 100644 (file)
@@ -94,11 +94,6 @@ locallogin_dontaudit_use_fds(auditctl_t)
 
 logging_send_syslog_msg(auditctl_t)
 
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(auditctl_t)
-       term_use_unallocated_ttys(auditctl_t)
-')
-
 ########################################
 #
 # Auditd local policy
@@ -161,14 +156,6 @@ seutil_dontaudit_read_config(auditd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
-# cjp: this is questionable
-userdom_use_sysadm_ttys(auditd_t)
-
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(auditd_t)
-       term_dontaudit_use_unallocated_ttys(auditd_t)
-       unconfined_dontaudit_read_pipes(auditd_t)
-')
 
 optional_policy(`
        seutil_sigchld_newrole(auditd_t)
@@ -230,11 +217,6 @@ optional_policy(`
        udev_read_db(klogd_t)
 ')
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(klogd_t)
-       term_dontaudit_use_unallocated_ttys(klogd_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(klogd_t)
 ')
@@ -363,13 +345,6 @@ ifdef(`distro_suse',`
        files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
 ')
 
-ifdef(`targeted_policy',`
-       allow syslogd_t var_run_t:fifo_file { ioctl read write };
-       term_dontaudit_use_unallocated_ttys(syslogd_t)
-       term_dontaudit_use_generic_ptys(syslogd_t)
-       files_dontaudit_read_root_files(syslogd_t)
-')
-
 optional_policy(`
        inn_manage_log(syslogd_t)
 ')
index dc23be383869efde27886b244d2c4067d3f9a2d7..a178d6a69dfc2c846f598d1f1f1eaf5689ba303e 100644 (file)
@@ -122,12 +122,6 @@ userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
 lvm_domtrans(clvmd_t)
 lvm_read_config(clvmd_t)
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(clvmd_t)
-       term_dontaudit_use_generic_ptys(clvmd_t)
-       files_dontaudit_read_root_files(clvmd_t)
-')
-
 optional_policy(`
        ccs_stream_connect(clvmd_t)
 ')
@@ -286,13 +280,6 @@ ifdef(`distro_redhat',`
        files_rw_isid_type_dirs(lvm_t)
 ')
 
-ifdef(`targeted_policy', `
-       term_use_unallocated_ttys(lvm_t)
-       term_use_generic_ptys(lvm_t)
-
-       files_dontaudit_read_root_files(lvm_t)
-')
-
 optional_policy(`
        bootloader_rw_tmp_files(lvm_t)
 ')
index 527400ff106512b8b184aaa7fca71411275ba581..8e8b003cc4ced355f2e6ce5861d407f136ca969d 100644 (file)
@@ -116,11 +116,6 @@ if( ! secure_mode_insmod ) {
        kernel_domtrans_to(insmod_t,insmod_exec_t)
 }
 
-ifdef(`targeted_policy',`
-       term_use_unallocated_ttys(insmod_t)
-       term_use_generic_ptys(insmod_t)
-')
-
 optional_policy(`
        hotplug_search_config(insmod_t)
 ')
@@ -210,9 +205,9 @@ files_list_home(depmod_t)
 userdom_read_staff_home_content_files(depmod_t)
 userdom_read_sysadm_home_content_files(depmod_t)
 
-ifdef(`targeted_policy', `
-       term_use_unallocated_ttys(depmod_t)
-       term_use_generic_ptys(depmod_t)
+optional_policy(`
+       # Read System.map from home directories.
+       unconfined_read_home_content_files(depmod_t)
 ')
 
 optional_policy(`
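Review bot: The new `unconfined_read_home_content_files(depmod_t)` grants depmod list and read access to everything labeled unconfined_home_dir_t/unconfined_home_t, far more than the System.map the comment names, and depmod is kept in its own domain precisely so it does not need a user's whole home directory. If the System.map-in-home case must stay, the comment should state the real scope, e.g. `# Read System.map from home directories (note: this is read access to all unconfined home content).`, and it would be better gated behind a tunable as was done for allow_mount_anyfile. The optional_policy block opened on the last line of this hunk continues outside it.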
@@ -287,8 +282,3 @@ ifdef(`distro_gentoo',`
                consoletype_exec(update_modules_t)
        ')
 ')
-
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(update_modules_t)
-       term_use_unallocated_ttys(update_modules_t)
-')
index e39a5e9fa923d5889bb734cc92620b73e0748e83..f9717ce11dcb343a0d4c1f1322c41020b59d9fbe 100644 (file)
@@ -49,6 +49,10 @@ interface(`mount_run',`
        mount_domtrans($1)
        role $2 types mount_t;
        allow mount_t $3:chr_file rw_file_perms;
+
+       optional_policy(`
+               samba_run_smbmount($1, $2, $3)
+       ')
 ')
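Review bot: mount_run now also calls `samba_run_smbmount($1, $2, $3)`, so every existing caller silently gains a domain transition into the smbmount domain and the role authorisation for it, even callers that never mount CIFS shares. The interface's summary and parameter docs, which begin above this hunk, should say that smbmount is included whenever the samba module is present, e.g. `## Execute mount in the mount domain, and allow the specified role the mount domain (and the smbmount domain when samba is present), and use the caller's terminal.`; callers that want only mount_t should be pointed at mount_domtrans.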
 
 ########################################
@@ -128,18 +132,42 @@ interface(`mount_send_nfs_client_request',`
 ## </param>
 #
 interface(`mount_domtrans_unconfined',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type unconfined_mount_t, mount_exec_t;
-               ')
+       gen_require(`
+               type unconfined_mount_t, mount_exec_t;
+       ')
 
-               domtrans_pattern($1,mount_exec_t,unconfined_mount_t)
+       domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
+')
 
-               allow $1 unconfined_mount_t:fd use;
-               allow unconfined_mount_t $1:fd use;
-               allow unconfined_mount_t $1:fifo_file rw_file_perms;
-               allow unconfined_mount_t $1:process sigchld;
-       ',`
-               mount_domtrans($1)
+########################################
+## <summary>
+##     Execute mount in the unconfined mount domain, and
+##     allow the specified role the unconfined mount domain,
+##     and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the unconfined mount domain.
+##     </summary>
+## </param>
+## <param name="terminal">
+##     <summary>
+##     The type of the terminal allow the unconfined mount domain to use.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mount_run_unconfined',`
+       gen_require(`
+               type unconfined_mount_t;
        ')
+
+       mount_domtrans_unconfined($1)
+       role $2 types unconfined_mount_t;
+       allow unconfined_mount_t $3:chr_file rw_file_perms;
 ')
index eb20fb7ec12cc19aaa487f80459fb4e14b344833..2670a9f914ebc879595a4d936b969b663b83f740 100644 (file)
@@ -6,14 +6,12 @@ policy_module(mount,1.8.0)
 # Declarations
 #
 
-ifdef(`targeted_policy',`
 ## <desc>
 ## <p>
 ## Allow mount to mount any file
 ## </p>
 ## </desc>
 gen_tunable(allow_mount_anyfile,false)
-')
 
 type mount_t;
 type mount_exec_t;
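Review bot: The tunable description `## Allow mount to mount any file` now applies to every policy variant but understates the grant: the tunable_policy block later in this file gives mount_t auth_read_all_dirs_except_shadow and auth_read_all_files_except_shadow, which by their names are read access to every non-shadow file on the system, on top of files_mounton_non_security. Suggest `## Allow mount to mount on, and read, any file on the system except shadow` so that anyone flipping the boolean understands the exposure.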
@@ -26,10 +24,11 @@ files_type(mount_loopback_t)
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
-ifdef(`targeted_policy',`
-       type unconfined_mount_t;
-       application_domain(unconfined_mount_t,mount_exec_t)
-')
+# causes problems with interfaces when
+# this is optionally declared in monolithic
+# policy--duplicate type declaration
+type unconfined_mount_t;
+application_domain(unconfined_mount_t,mount_exec_t)
 
 ########################################
 #
@@ -128,12 +127,10 @@ ifdef(`distro_redhat',`
        ')
 ')
 
-ifdef(`targeted_policy',`
-       tunable_policy(`allow_mount_anyfile',`
-               auth_read_all_dirs_except_shadow(mount_t)
-               auth_read_all_files_except_shadow(mount_t)
-               files_mounton_non_security(mount_t)
-       ')
+tunable_policy(`allow_mount_anyfile',`
+       auth_read_all_dirs_except_shadow(mount_t)
+       auth_read_all_files_except_shadow(mount_t)
+       files_mounton_non_security(mount_t)
 ')
 
 optional_policy(`
@@ -201,7 +198,7 @@ optional_policy(`
 # Unconfined mount local policy
 #
 
-ifdef(`targeted_policy',`
+optional_policy(`
        files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
        unconfined_domain(unconfined_mount_t)
 ')
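Review bot: unconfined_mount_t is now declared unconditionally earlier in this file, but it only receives `unconfined_domain(unconfined_mount_t)` inside this optional_policy block, so a build without the unconfined module has a nearly empty domain that mount_domtrans_unconfined/mount_run_unconfined still transition into; the old strict branch fell back to mount_domtrans instead. At minimum document it here, e.g. `# unconfined_mount_t only becomes unconfined when the unconfined module is loaded; without it, transitions into this domain yield a near-empty domain.`, or restore a fallback in the interfaces.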
index 7763585cea88140a17377f486a99ad82e595a86f..6c658ee05ce31a3a1a8e4a4b0b7fbb481c79af3a 100644 (file)
@@ -112,14 +112,6 @@ sysnet_manage_config(cardmgr_t)
 userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
 userdom_dontaudit_search_sysadm_home_dirs(cardmgr_t)
 
-ifdef(`targeted_policy',`
-       term_use_unallocated_ttys(cardmgr_t)
-       term_use_generic_ptys(cardmgr_t)
-       term_dontaudit_use_unallocated_ttys(cardmgr_t)
-       term_dontaudit_use_generic_ptys(cardmgr_t)
-       files_dontaudit_read_root_files(cardmgr_t)
-')
-
 optional_policy(`
        seutil_dontaudit_read_config(cardmgr_t)
        seutil_sigchld_newrole(cardmgr_t)
index d484e806c5123ebb087bc3cdeb5f4d4e5c073100..dde999405687755537d210985fb4f31a34526154 100644 (file)
@@ -74,12 +74,6 @@ userdom_dontaudit_search_all_users_home_content(mdadm_t)
 
 mta_send_mail(mdadm_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(mdadm_t)
-       term_dontaudit_use_generic_ptys(mdadm_t)
-       files_dontaudit_read_root_files(mdadm_t)
-')
-
 optional_policy(`
        gpm_dontaudit_getattr_gpmctl(mdadm_t)
 ')
index fe267d9149ce3d1b4365a2b739a12692b499f57d..c7074353e37cb8a6f93f303b5f6b4467325a5564 100644 (file)
@@ -1,10 +1,8 @@
 
 policy_module(selinuxutil,1.7.0)
 
-ifdef(`strict_policy',`
-       gen_require(`
-               bool secure_mode;
-       ')
+gen_require(`
+       bool secure_mode;
 ')
 
 ########################################
@@ -152,11 +150,6 @@ libs_use_shared_libs(checkpolicy_t)
 
 userdom_use_all_users_fds(checkpolicy_t)
 
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(checkpolicy_t)
-       term_use_unallocated_ttys(checkpolicy_t)
-')
-
 ########################################
 #
 # Load_policy local policy
@@ -205,11 +198,6 @@ ifdef(`hide_broken_symptoms',`
        ')
 ')
 
-ifdef(`targeted_policy',`
-       term_use_unallocated_ttys(load_policy_t)
-       term_use_generic_ptys(load_policy_t)
-')
-
 ########################################
 #
 # Newrole local policy
@@ -294,15 +282,13 @@ userdom_use_unpriv_users_fds(newrole_t)
 userdom_dontaudit_search_all_users_home_content(newrole_t)
 userdom_search_all_users_home_dirs(newrole_t)
 
-ifdef(`strict_policy',`
-       # if secure mode is enabled, then newrole
-       # can only transition to unprivileged users
-       if(secure_mode) {
-               userdom_spec_domtrans_unpriv_users(newrole_t)
-       } else {
-               userdom_spec_domtrans_all_users(newrole_t)
-       }
-')
+# if secure mode is enabled, then newrole
+# can only transition to unprivileged users
+if(secure_mode) {
+       userdom_spec_domtrans_unpriv_users(newrole_t)
+} else {
+       userdom_spec_domtrans_all_users(newrole_t)
+}
 
 tunable_policy(`allow_polyinstantiation',`
        files_polyinstantiate_all(newrole_t)
@@ -357,11 +343,6 @@ logging_send_syslog_msg(restorecond_t)
 
 miscfiles_read_localization(restorecond_t)
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_generic_ptys(restorecond_t)
-       term_dontaudit_use_unallocated_ttys(restorecond_t)
-')
-
 optional_policy(`
        rpm_use_script_fds(restorecond_t)
 ')
@@ -488,7 +469,6 @@ auth_use_nsswitch(semanage_t)
 
 libs_use_ld_so(semanage_t)
 libs_use_shared_libs(semanage_t)
-libs_use_lib_files(semanage_t)
 
 locallogin_use_fds(semanage_t)
 
@@ -509,8 +489,6 @@ seutil_get_semanage_read_lock(semanage_t)
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
 
-userdom_search_sysadm_home_dirs(semanage_t)
-
 ifdef(`distro_debian',`
        files_read_var_lib_files(semanage_t)
        files_read_var_lib_symlinks(semanage_t)
@@ -523,6 +501,11 @@ ifdef(`enable_mls',`
        # Handle pp files created in homedir and /tmp
        userdom_read_sysadm_home_content_files(semanage_t)
        userdom_read_sysadm_tmp_files(semanage_t)
+
+       optional_policy(`
+               unconfined_read_home_content_files(semanage_t)
+               unconfined_read_tmp_files(semanage_t)
+       ')
 ')
 
 ########################################
index f757419313bba16423d6d317a537518514a7b63c..d54810ee16b7622f24d865acb47c696ca93be5f1 100644 (file)
@@ -142,12 +142,6 @@ ifdef(`distro_redhat', `
        files_exec_etc_files(dhcpc_t)
 ')
 
-ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(dhcpc_t)
-       term_dontaudit_use_generic_ptys(dhcpc_t)
-       files_dontaudit_read_root_files(dhcpc_t)
-')
-
 optional_policy(`
        consoletype_domtrans(dhcpc_t)
 ')
@@ -320,15 +314,6 @@ ifdef(`hide_broken_symptoms',`
        ')
 ')
 
-ifdef(`targeted_policy',`
-       term_use_generic_ptys(ifconfig_t)
-       term_use_unallocated_ttys(ifconfig_t)
-
-       optional_policy(`
-               unconfined_dontaudit_read_pipes(ifconfig_t)
-       ')
-')
-
 optional_policy(`
        netutils_domtrans(dhcpc_t)
 ')
index 6bdbb4a2283170664ef485c0782e49b27ba97ef7..d63c9d4eb282339c7b9a49c344b2a68531b86f81 100644 (file)
@@ -159,7 +159,6 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
 
-userdom_use_sysadm_ttys(udev_t)
 userdom_dontaudit_search_all_users_home_content(udev_t)
 
 ifdef(`distro_gentoo',`
@@ -184,11 +183,6 @@ ifdef(`distro_redhat',`
        netutils_domtrans(udev_t)
 ')
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(udev_t)
-       term_dontaudit_use_generic_ptys(udev_t)
-')
-
 optional_policy(`
        brctl_domtrans(udev_t)
 ')
index 5d9bb3b4949b7c525325fdf9b88555628c97313d..967c66c3f13d9e373390ac5c6a8a2a9c2c5fb6d1 100644 (file)
@@ -2,12 +2,11 @@
 # e.g.:
 # /usr/local/bin/appsrv                --      gen_context(system_u:object_r:unconfined_exec_t,s0)
 # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/qemu.*                        --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind              --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/vncserver             --      gen_context(system_u:object_r:unconfined_exec_t,s0)
 
-ifdef(`targeted_policy',`
+/usr/lib/ia32el/ia32x_loader   --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/qemu.*                        --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind              --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+
 /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/ia32el/ia32x_loader   --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
index 816c263816d377f98925faf3c0ae1a7183afee8b..a49911fdb28c28d1058dfff75cb91e014e3ef46d 100644 (file)
@@ -12,6 +12,7 @@
 #
 interface(`unconfined_domain_noaudit',`
        gen_require(`
+               type unconfined_t;
                class dbus all_dbus_perms;
                class nscd all_nscd_perms;
                class passwd all_passwd_perms;
@@ -116,6 +117,56 @@ interface(`unconfined_domain',`
 #      ')
 ')
 
+########################################
+## <summary>
+##     Add an alias type to the unconfined domain.  (Deprecated)
+## </summary>
+## <desc>
+##     <p>
+##     Add an alias type to the unconfined domain.  (Deprecated)
+##     </p>
+##     <p>
+##     This is added to support targeted policy.  Its
+##     use should be limited.  It has no effect
+##     on the strict policy.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     New alias of the unconfined domain.
+##     </summary>
+## </param>
+#
+interface(`unconfined_alias_domain',`
+       refpolicywarn(`$0($1) has been deprecated.')
+')
+
+########################################
+## <summary>
+##     Add an alias type to the unconfined execmem
+##     program file type.  (Deprecated)
+## </summary>
+## <desc>
+##     <p>
+##     Add an alias type to the unconfined execmem
+##     program file type.  (Deprecated)
+##     </p>
+##     <p>
+##     This is added to support targeted policy.  Its
+##     use should be limited.  It has no effect
+##     on the strict policy.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     New alias of the unconfined execmem program type.
+##     </summary>
+## </param>
+#
+interface(`unconfined_execmem_alias_program',`
+       refpolicywarn(`$0($1) has been deprecated.')
+')
+
 ########################################
 ## <summary>
 ##     Transition to the unconfined domain.
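Review bot: The <desc> paragraphs of unconfined_alias_domain and unconfined_execmem_alias_program still read `This is added to support targeted policy. Its use should be limited. It has no effect on the strict policy.`, which no longer matches the bodies: both are now a bare refpolicywarn and do nothing in any policy. Replace that paragraph in each with e.g. `## This interface is deprecated and has no effect in any policy; the unconfined domain no longer accepts aliases.` so callers migrating off it are not misled, and name the replacement if one exists.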
@@ -473,74 +524,69 @@ interface(`unconfined_dbus_chat',`
 
 ########################################
 ## <summary>
-##     Add an alias type to the unconfined domain.
+##     Connect to the the unconfined DBUS
+##     for service (acquire_svc).
 ## </summary>
-## <desc>
-##     <p>
-##     Add an alias type to the unconfined domain.
-##     </p>
-##     <p>
-##     This is added to support targeted policy.  Its
-##     use should be limited.  It has no effect
-##     on the strict policy.
-##     </p>
-## </desc>
 ## <param name="domain">
 ##     <summary>
-##     New alias of the unconfined domain.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-interface(`unconfined_alias_domain',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type unconfined_t;
-               ')
-
-               typealias unconfined_t alias $1;
-       ',`
-               refpolicywarn(`$0($1) has no effect in strict policy.')
+interface(`unconfined_dbus_connect',`
+       gen_require(`
+               type unconfined_t;
+               class dbus acquire_svc;
        ')
+
+       allow $1 unconfined_t:dbus acquire_svc;
 ')
 
 ########################################
 ## <summary>
-##     Add an alias type to the unconfined execmem
-##     program file type.
+##     Read files in unconfined users home directories.
 ## </summary>
-## <desc>
-##     <p>
-##     Add an alias type to the unconfined execmem
-##     program file type.
-##     </p>
-##     <p>
-##     This is added to support targeted policy.  Its
-##     use should be limited.  It has no effect
-##     on the strict policy.
-##     </p>
-## </desc>
 ## <param name="domain">
 ##     <summary>
-##     New alias of the unconfined execmem program type.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-interface(`unconfined_execmem_alias_program',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type unconfined_execmem_exec_t;
-               ')
+interface(`unconfined_read_home_content_files',`
+       gen_require(`
+               type unconfined_home_dir_t, unconfined_home_t;
+       ')
 
-               typealias unconfined_execmem_exec_t alias $1;
-       ',`
-               refpolicywarn(`$0($1) has no effect in strict policy.')
+       files_search_home($1)
+       allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+       read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+       read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+')
+
+########################################
+## <summary>
+##     Read unconfined users temporary files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_read_tmp_files',`
+       gen_require(`
+               type unconfined_tmp_t;
        ')
+
+       files_search_tmp($1)
+       allow $1 unconfined_tmp_t:dir list_dir_perms;
+       read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+       read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
 ')
 
 ########################################
 ## <summary>
-##     Connect to the the unconfined DBUS
-##     for service (acquire_svc).
+##     Write unconfined users temporary files.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
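Review bot: unconfined_read_home_content_files is summarised as `Read files in unconfined users home directories.`, but the body lists and reads the entire unconfined_home_dir_t/unconfined_home_t tree, symlinks included, with no way for a caller to scope it; on a targeted system the unconfined user is usually the administrator, so this presumably exposes private keys and similar material to any domain given the interface. The summary should state the breadth, e.g. `## Read all files and symlinks under unconfined users home directories (recursive, no per-file restriction).`, and the same caveat applies to unconfined_read_tmp_files below it.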
@@ -548,11 +594,10 @@ interface(`unconfined_execmem_alias_program',`
 ##     </summary>
 ## </param>
 #
-interface(`unconfined_dbus_connect',`
+interface(`unconfined_write_tmp_files',`
        gen_require(`
-               type unconfined_t;
-               class dbus acquire_svc;
+               type unconfined_tmp_t;
        ')
 
-       allow $1 unconfined_t:dbus acquire_svc;
+       allow $1 unconfined_tmp_t:file { getattr write append };
 ')
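Review bot: unconfined_write_tmp_files grants only `allow $1 unconfined_tmp_t:file { getattr write append };` and, unlike unconfined_read_tmp_files just above, calls neither files_search_tmp($1) nor allows search on unconfined_tmp_t directories, so a caller can use the permission only on a descriptor it inherits, not on a file reached by path. If that is intended the summary should say so, e.g. `## Write unconfined users temporary files (via an inherited descriptor; no directory search is granted).`; otherwise add `files_search_tmp($1)` and `allow $1 unconfined_tmp_t:dir search_dir_perms;`.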
index 1bba62697eb5f5e9eb9fe7c0bd862d39d1e00ef2..3b147b06393fae976eb5a372a3fc7b247eed305b 100644 (file)
@@ -6,192 +6,210 @@ policy_module(unconfined,1.7.0)
 # Declarations
 #
 
-type unconfined_t;
+# usage in this module of types created by these
+# calls is not correct, however we dont currently
+# have another method to add access to these types
+userdom_base_user_template(unconfined)
+userdom_manage_home_template(unconfined)
+userdom_manage_tmp_template(unconfined)
+userdom_manage_tmpfs_template(unconfined)
+
 type unconfined_exec_t;
-init_system_domain(unconfined_t,unconfined_exec_t)
+init_system_domain(unconfined_t, unconfined_exec_t)
 
-ifdef(`targeted_policy',`
-       type unconfined_execmem_t;
-       type unconfined_execmem_exec_t;
-       init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
-')
+type unconfined_execmem_t;
+type unconfined_execmem_exec_t;
+init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+role unconfined_r types unconfined_execmem_t;
 
 ########################################
 #
 # Local policy
 #
 
-unconfined_domain(unconfined_t)
+domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
+
+files_create_boot_flag(unconfined_t)
+
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
+
+init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+
+libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 
 logging_send_syslog_msg(unconfined_t)
+logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 
-ifdef(`targeted_policy',`
-       allow unconfined_t self:system syslog_read;
-       dontaudit unconfined_t self:capability sys_module;
+mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 
-       domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
+seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 
-       files_create_boot_flag(unconfined_t)
+unconfined_domain(unconfined_t)
 
-       mcs_killall(unconfined_t)
-       mcs_ptrace_all(unconfined_t)
+userdom_priveleged_home_dir_manager(unconfined_t)
 
-       init_domtrans_script(unconfined_t)
+optional_policy(`
+       ada_domtrans(unconfined_t)
+')
 
-       libs_domtrans_ldconfig(unconfined_t)
+optional_policy(`
+       apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+       apache_per_role_template(unconfined, unconfined_t, unconfined_r)
+       # this is disallowed usage:
+       unconfined_domain(httpd_unconfined_script_t)
+')
 
-       logging_domtrans_auditctl(unconfined_t)
+optional_policy(`
+       bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
 
-       mount_domtrans_unconfined(unconfined_t)
+optional_policy(`
+       bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
 
-       seutil_domtrans_setfiles(unconfined_t)
-       seutil_domtrans_semanage(unconfined_t)
+optional_policy(`
+       cron_per_role_template(unconfined, unconfined_t, unconfined_r)
+       # this is disallowed usage:
+       unconfined_domain(unconfined_crond_t)
+')
 
-       userdom_unconfined(unconfined_t)
-       userdom_priveleged_home_dir_manager(unconfined_t)
+optional_policy(`
+       init_dbus_chat_script(unconfined_t)
 
-       optional_policy(`
-               ada_domtrans(unconfined_t)
-       ')
+       dbus_stub(unconfined_t)
 
        optional_policy(`
-               apache_domtrans_helper(unconfined_t)
+               avahi_dbus_chat(unconfined_t)
        ')
 
        optional_policy(`
-               bind_domtrans_ndc(unconfined_t)
+               bluetooth_dbus_chat(unconfined_t)
        ')
 
        optional_policy(`
-               bootloader_domtrans(unconfined_t)
+               consolekit_dbus_chat(unconfined_t)
        ')
 
        optional_policy(`
-               init_dbus_chat_script(unconfined_t)
-
-               dbus_stub(unconfined_t)
-
-               optional_policy(`
-                       avahi_dbus_chat(unconfined_t)
-               ')
-
-               optional_policy(`
-                       bluetooth_dbus_chat(unconfined_t)
-               ')
-
-               optional_policy(`
-                       consolekit_dbus_chat(unconfined_t)
-               ')
-
-               optional_policy(`
-                       cups_dbus_chat_config(unconfined_t)
-               ')
-
-               optional_policy(`
-                       hal_dbus_chat(unconfined_t)
-               ')
-
-               optional_policy(`
-                       networkmanager_dbus_chat(unconfined_t)
-               ')
-
-               optional_policy(`
-                       oddjob_dbus_chat(unconfined_t)
-               ')
+               cups_dbus_chat_config(unconfined_t)
        ')
 
        optional_policy(`
-               firstboot_domtrans(unconfined_t)
+               hal_dbus_chat(unconfined_t)
        ')
 
        optional_policy(`
-               ftp_domtrans_ftpdctl(unconfined_t)
+               networkmanager_dbus_chat(unconfined_t)
        ')
 
        optional_policy(`
-               inn_domtrans(unconfined_t)
+               oddjob_dbus_chat(unconfined_t)
        ')
+')
 
-       optional_policy(`
-               java_domtrans(unconfined_t)
-       ')
+optional_policy(`
+       firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
 
-       optional_policy(`
-               lpd_domtrans_checkpc(unconfined_t)
-       ')
+optional_policy(`
+       ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
 
-       optional_policy(`
-               modutils_domtrans_update_mods(unconfined_t)
-       ')
+optional_policy(`
+       inn_domtrans(unconfined_t)
+')
 
-       optional_policy(`
-               mono_domtrans(unconfined_t)
-       ')
+optional_policy(`
+       java_domtrans(unconfined_t)
+')
 
-       optional_policy(`
-               oddjob_domtrans_mkhomedir(unconfined_t)
-       ')
+optional_policy(`
+       lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
 
-       optional_policy(`
-               prelink_domtrans(unconfined_t)
-       ')
+optional_policy(`
+       modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
 
-       optional_policy(`
-               portmap_domtrans_helper(unconfined_t)
-       ')
+optional_policy(`
+       mono_domtrans(unconfined_t)
+')
 
-       optional_policy(`
-               postfix_domtrans_map(unconfined_t)
-               # cjp: this should probably be removed:
-               postfix_domtrans_master(unconfined_t)
-       ')
+optional_policy(`
+       mta_per_role_template(unconfined, unconfined_t, unconfined_r)
+')
 
-       optional_policy(`
-               # cjp: this should probably be removed:
-               rpc_domtrans_nfsd(unconfined_t)
-       ')
+optional_policy(`
+       oddjob_domtrans_mkhomedir(unconfined_t)
+')
 
-       optional_policy(`
-               rpm_domtrans(unconfined_t)
-       ')
+optional_policy(`
+       prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
 
-       optional_policy(`
-               samba_domtrans_net(unconfined_t)
-               samba_domtrans_winbind_helper(unconfined_t)
-       ')
+optional_policy(`
+       portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
 
-       optional_policy(`
-               sendmail_domtrans(unconfined_t)
-       ')
+optional_policy(`
+       postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+       # cjp: this should probably be removed:
+       postfix_domtrans_master(unconfined_t)
+')
 
-       optional_policy(`
-               sysnet_domtrans_dhcpc(unconfined_t)
-               sysnet_dbus_chat_dhcpc(unconfined_t)
-       ')
 
-       optional_policy(`
-               tzdata_domtrans(unconfined_t)
-       ')
+optional_policy(`
+       pyzor_per_role_template(unconfined)
+')
 
-       optional_policy(`
-               usermanage_domtrans_admin_passwd(unconfined_t)
-       ')
+optional_policy(`
+       # cjp: this should probably be removed:
+       rpc_domtrans_nfsd(unconfined_t)
+')
 
-       optional_policy(`
-               vpn_domtrans(unconfined_t)
-       ')
+optional_policy(`
+       rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
 
-       optional_policy(`
-               webalizer_domtrans(unconfined_t)
-       ')
+optional_policy(`
+       samba_per_role_template(unconfined)
+       samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+       samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
 
-       optional_policy(`
-               wine_domtrans(unconfined_t)
-       ')
+optional_policy(`
+       spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
+')
 
-       optional_policy(`
-               xserver_domtrans_xdm_xserver(unconfined_t)
-       ')
+optional_policy(`
+       sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+       sysnet_dbus_chat_dhcpc(unconfined_t)
+')
+
+optional_policy(`
+       tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+       usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+       vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+       webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+       wine_domtrans(unconfined_t)
+')
+
+optional_policy(`
+       xserver_domtrans_xdm_xserver(unconfined_t)
 ')
 
 ########################################
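Review bot: The two `# this is disallowed usage:` lines acknowledge that this module applies unconfined_domain() directly to httpd_unconfined_script_t and unconfined_crond_t, types owned by the apache and cron modules; besides breaking module encapsulation, it means the unconfined user's cron jobs and the unconfined apache scripts run with full unconfined access, a decision those modules should own and document. Suggest replacing each with an interface in the owning module, or at least a comment stating the consequence, e.g. `# NOTE: cron jobs of the unconfined user run fully unconfined.` The double blank line before the pyzor optional_policy block should also be collapsed to one.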
@@ -199,18 +217,16 @@ ifdef(`targeted_policy',`
 # Unconfined Execmem Local policy
 #
 
-ifdef(`targeted_policy',`
-       allow unconfined_execmem_t self:process { execstack execmem };
-       unconfined_domain_noaudit(unconfined_execmem_t)
+allow unconfined_execmem_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_execmem_t)
 
-       optional_policy(`
-               dbus_stub(unconfined_execmem_t)
+optional_policy(`
+       dbus_stub(unconfined_execmem_t)
 
-               init_dbus_chat_script(unconfined_execmem_t)
-               unconfined_dbus_chat(unconfined_execmem_t)
+       init_dbus_chat_script(unconfined_execmem_t)
+       unconfined_dbus_chat(unconfined_execmem_t)
 
-               optional_policy(`
-                       hal_dbus_chat(unconfined_execmem_t)
-               ')
+       optional_policy(`
+               hal_dbus_chat(unconfined_execmem_t)
        ')
 ')
index f01c490fb8dd12b7517a8f1cd611eba091f426f8..ab74d5a384b4ac7a12c9758c60deab5cff2ce3d5 100644 (file)
@@ -1353,11 +1353,7 @@ template(`userdom_security_admin_template',`
 ## <rolecap/>
 #
 template(`userdom_role_change_generic_user',`
-       ifdef(`strict_policy',`
-               userdom_role_change_template($1,user)
-       ',`
-               refpolicywarn(`$0($*) has no effect in targeted policy.')
-       ')
+       userdom_role_change_template($1, user)
 ')
 
 ########################################
@@ -1384,11 +1380,7 @@ template(`userdom_role_change_generic_user',`
 ## <rolecap/>
 #
 template(`userdom_role_change_from_generic_user',`
-       ifdef(`strict_policy',`
-               userdom_role_change_template(user,$1)
-       ',`
-               refpolicywarn(`$0($*) has no effect in targeted policy.')
-       ')
+       userdom_role_change_template(user, $1)
 ')
 
 ########################################
@@ -1414,11 +1406,7 @@ template(`userdom_role_change_from_generic_user',`
 ## <rolecap/>
 #
 template(`userdom_role_change_staff',`
-       ifdef(`strict_policy',`
-               userdom_role_change_template($1,staff)
-       ',`
-               refpolicywarn(`$0($*) has no effect in targeted policy.')
-       ')
+       userdom_role_change_template($1, staff)
 ')
 
 ########################################
@@ -1445,11 +1433,7 @@ template(`userdom_role_change_staff',`
 ## <rolecap/>
 #
 template(`userdom_role_change_from_staff',`
-       ifdef(`strict_policy',`
-               userdom_role_change_template(staff,$1)
-       ',`
-               refpolicywarn(`$0($*) has no effect in targeted policy.')
-       ')
+       userdom_role_change_template(staff, $1)
 ')
 
 ########################################
@@ -1475,11 +1459,7 @@ template(`userdom_role_change_from_staff',`
 ## <rolecap/>
 #
 template(`userdom_role_change_sysadm',`
-       ifdef(`strict_policy',`
-               userdom_role_change_template($1,sysadm)
-       ',`
-               refpolicywarn(`$0($*) has no effect in targeted policy.')
-       ')
+       userdom_role_change_template($1, sysadm)
 ')
 
 ########################################
@@ -1506,11 +1486,7 @@ template(`userdom_role_change_sysadm',`
 ## <rolecap/>
 #
 template(`userdom_role_change_from_sysadm',`
-       ifdef(`strict_policy',`
-               userdom_role_change_template(sysadm,$1)
-       ',`
-               refpolicywarn(`$0($*) has no effect in targeted policy.')
-       ')
+       userdom_role_change_template(sysadm, $1)
 ')
 
 ########################################
@@ -1698,13 +1674,11 @@ template(`userdom_user_home_content',`
 ## </param>
 #
 template(`userdom_setattr_user_ptys',`
-       ifdef(`strict_policy',`
-               gen_require(`
-                       type $1_devpts_t;
-               ')
-
-               allow $2 $1_devpts_t:chr_file setattr;
+       gen_require(`
+               type $1_devpts_t;
        ')
+
+       allow $2 $1_devpts_t:chr_file setattr;
 ')
 
 ########################################
@@ -1733,13 +1707,11 @@ template(`userdom_setattr_user_ptys',`
 ## </param>
 #
 template(`userdom_create_user_pty',`
-       ifdef(`strict_policy',`
-               gen_require(`
-                       type $1_devpts_t;
-               ')
-
-               term_create_pty($2,$1_devpts_t)
+       gen_require(`
+               type $1_devpts_t;
        ')
+
+       term_create_pty($2, $1_devpts_t)
 ')
 
 ########################################
@@ -3622,15 +3594,11 @@ interface(`userdom_read_all_tmp_untrusted_content',`
 ## </param>
 #
 template(`userdom_setattr_user_ttys',`
-       ifdef(`targeted_policy',`
-               term_setattr_unallocated_ttys($2)
-       ',`
-               gen_require(`
-                       type $1_tty_device_t;
-               ')
-
-               allow $2 $1_tty_device_t:chr_file setattr;
+       gen_require(`
+               type $1_tty_device_t;
        ')
+
+       allow $2 $1_tty_device_t:chr_file setattr;
 ')
 
 ########################################
@@ -3659,15 +3627,11 @@ template(`userdom_setattr_user_ttys',`
 ## </param>
 #
 template(`userdom_use_user_ttys',`
-       ifdef(`targeted_policy',`
-               term_use_unallocated_ttys($2)
-       ',`
-               gen_require(`
-                       type $1_tty_device_t;
-               ')
-
-               allow $2 $1_tty_device_t:chr_file rw_term_perms;
+       gen_require(`
+               type $1_tty_device_t;
        ')
+
+       allow $2 $1_tty_device_t:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -3696,18 +3660,13 @@ template(`userdom_use_user_ttys',`
 ## </param>
 #
 template(`userdom_use_user_terminals',`
-       ifdef(`targeted_policy',`
-               term_use_unallocated_ttys($2)
-               term_use_generic_ptys($2)
-       ',`
-               gen_require(`
-                       type $1_tty_device_t, $1_devpts_t;
-               ')
-
-               allow $2 $1_tty_device_t:chr_file rw_term_perms;
-               allow $2 $1_devpts_t:chr_file rw_term_perms;
-               term_list_ptys($2)
+       gen_require(`
+               type $1_tty_device_t, $1_devpts_t;
        ')
+
+       allow $2 $1_tty_device_t:chr_file rw_term_perms;
+       allow $2 $1_devpts_t:chr_file rw_term_perms;
+       term_list_ptys($2)
 ')
 
 ########################################
@@ -3949,19 +3908,14 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 ## </param>
 #
 interface(`userdom_shell_domtrans_sysadm',`
-       ifdef(`targeted_policy',`
-               #cjp: need to doublecheck this one
-               unconfined_shell_domtrans($1)
-       ',`
-               gen_require(`
-                       type sysadm_t;
-               ')
-
-               corecmd_shell_domtrans($1,sysadm_t)
-               allow sysadm_t $1:fd use;
-               allow sysadm_t $1:fifo_file rw_file_perms;
-               allow sysadm_t $1:process sigchld;
+       gen_require(`
+               type sysadm_t;
        ')
+
+       corecmd_shell_domtrans($1, sysadm_t)
+       allow sysadm_t $1:fd use;
+       allow sysadm_t $1:fifo_file rw_file_perms;
+       allow sysadm_t $1:process sigchld;
 ')
 
 ########################################
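Review bot: `allow sysadm_t $1:fifo_file rw_file_perms;` applies the generic file permission set to a fifo_file, while `userdom_rw_sysadm_pipes` later in this same diff uses `rw_fifo_file_perms` for the same object class; unless the broader set is deliberate here, `allow sysadm_t $1:fifo_file rw_fifo_file_perms;` keeps the two interfaces consistent. The removed targeted branch also carried a `#cjp: need to doublecheck this one` reminder on its unconfined_shell_domtrans fallback; with that branch deleted the strict rules now apply to every build, so the open question is closed by removal rather than by a check and deserves a sentence in the commit message.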
@@ -4170,16 +4124,12 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
 ## </param>
 #
 interface(`userdom_manage_staff_home_dirs',`
-       ifdef(`targeted_policy',`
-               userdom_manage_generic_user_home_dirs($1)
-       ',`
-               gen_require(`
-                       type staff_home_dir_t;
-               ')
-
-               files_search_home($1)
-               allow $1 staff_home_dir_t:dir manage_dir_perms;
+       gen_require(`
+               type staff_home_dir_t;
        ')
+
+       files_search_home($1)
+       allow $1 staff_home_dir_t:dir manage_dir_perms;
 ')
 
 ########################################
@@ -4193,16 +4143,12 @@ interface(`userdom_manage_staff_home_dirs',`
 ## </param>
 #
 interface(`userdom_relabelto_staff_home_dirs',`
-       ifdef(`targeted_policy',`
-               userdom_relabelto_generic_user_home_dirs($1)
-       ',`
-               gen_require(`
-                       type staff_home_dir_t;
-               ')
-
-               files_search_home($1)
-               allow $1 staff_home_dir_t:dir relabelto;
+       gen_require(`
+               type staff_home_dir_t;
        ')
+
+       files_search_home($1)
+       allow $1 staff_home_dir_t:dir relabelto;
 ')
 
 ########################################
@@ -4256,15 +4202,11 @@ interface(`userdom_read_staff_home_content_files',`
 ## </param>
 #
 interface(`userdom_sigchld_sysadm',`
-       ifdef(`targeted_policy',`
-               unconfined_sigchld($1)
-       ',`
-               gen_require(`
-                       type sysadm_t;
-               ')
-
-               allow $1 sysadm_t:process sigchld;
+       gen_require(`
+               type sysadm_t;
        ')
+
+       allow $1 sysadm_t:process sigchld;
 ')
 
 ########################################
@@ -4279,15 +4221,11 @@ interface(`userdom_sigchld_sysadm',`
 ## </param>
 #
 interface(`userdom_dontaudit_getattr_sysadm_ttys',`
-       ifdef(`targeted_policy',`
-               term_dontaudit_getattr_unallocated_ttys($1)
-       ',`
-               gen_require(`
-                       type sysadm_tty_device_t;
-               ')
-
-               dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+       gen_require(`
+               type sysadm_tty_device_t;
        ')
+
+       dontaudit $1 sysadm_tty_device_t:chr_file getattr;
 ')
 
 ########################################
@@ -4301,17 +4239,13 @@ interface(`userdom_dontaudit_getattr_sysadm_ttys',`
 ## </param>
 #
 interface(`userdom_use_sysadm_ttys',`
-       ifdef(`targeted_policy',`
-               term_use_unallocated_ttys($1)
-       ',`
-               gen_require(`
-                       type sysadm_tty_device_t;
-               ')
-
-               dev_list_all_dev_nodes($1)
-               term_list_ptys($1)
-               allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+       gen_require(`
+               type sysadm_tty_device_t;
        ')
+
+       dev_list_all_dev_nodes($1)
+       term_list_ptys($1)
+       allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -4325,15 +4259,11 @@ interface(`userdom_use_sysadm_ttys',`
 ## </param>
 #
 interface(`userdom_dontaudit_use_sysadm_ttys',`
-       ifdef(`targeted_policy',`
-               term_dontaudit_use_unallocated_ttys($1)
-       ',`
-               gen_require(`
-                       type sysadm_tty_device_t;
-               ')
-
-               dontaudit $1 sysadm_tty_device_t:chr_file { read write };
+       gen_require(`
+               type sysadm_tty_device_t;
        ')
+
+       dontaudit $1 sysadm_tty_device_t:chr_file { read write };
 ')
 
 ########################################
@@ -4347,17 +4277,13 @@ interface(`userdom_dontaudit_use_sysadm_ttys',`
 ## </param>
 #
 interface(`userdom_use_sysadm_ptys',`
-       ifdef(`targeted_policy',`
-               term_use_generic_ptys($1)
-       ',`
-               gen_require(`
-                       type sysadm_devpts_t;
-               ')
-
-               dev_list_all_dev_nodes($1)
-               term_list_ptys($1)
-               allow $1 sysadm_devpts_t:chr_file rw_term_perms;
+       gen_require(`
+               type sysadm_devpts_t;
        ')
+
+       dev_list_all_dev_nodes($1)
+       term_list_ptys($1)
+       allow $1 sysadm_devpts_t:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -4371,15 +4297,11 @@ interface(`userdom_use_sysadm_ptys',`
 ## </param>
 #
 interface(`userdom_dontaudit_use_sysadm_ptys',`
-       ifdef(`targeted_policy',`
-               term_dontaudit_use_generic_ptys($1)
-       ',`
-               gen_require(`
-                       type sysadm_devpts_t;
-               ')
-
-               dontaudit $1 sysadm_devpts_t:chr_file { read write };
+       gen_require(`
+               type sysadm_devpts_t;
        ')
+
+       dontaudit $1 sysadm_devpts_t:chr_file { read write };
 ')
 
 ########################################
@@ -4408,15 +4330,11 @@ interface(`userdom_use_sysadm_terms',`
 ## </param>
 #
 interface(`userdom_dontaudit_use_sysadm_terms',`
-       ifdef(`targeted_policy',`
-               term_dontaudit_use_generic_ptys($1)
-       ',`
-               gen_require(`
-                       attribute admin_terminal;
-               ')
-
-               dontaudit $1 admin_terminal:chr_file { read write };
+       gen_require(`
+               attribute admin_terminal;
        ')
+
+       dontaudit $1 admin_terminal:chr_file { read write };
 ')
 
 ########################################
@@ -4430,15 +4348,11 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
 ## </param>
 #
 interface(`userdom_use_sysadm_fds',`
-       ifdef(`targeted_policy',`
-               unconfined_use_fds($1)
-       ',`
-               gen_require(`
-                       type sysadm_t;
-               ')
-
-               allow $1 sysadm_t:fd use;
+       gen_require(`
+               type sysadm_t;
        ')
+
+       allow $1 sysadm_t:fd use;
 ')
 
 ########################################
@@ -4452,16 +4366,11 @@ interface(`userdom_use_sysadm_fds',`
 ## </param>
 #
 interface(`userdom_rw_sysadm_pipes',`
-       ifdef(`targeted_policy',`
-               #cjp: need to doublecheck this one
-               unconfined_rw_pipes($1)
-       ',`
-               gen_require(`
-                       type sysadm_t;
-               ')
-
-               allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
+       gen_require(`
+               type sysadm_t;
        ')
+
+       allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
@@ -4496,19 +4405,11 @@ interface(`userdom_getattr_sysadm_home_dirs',`
 ## </param>
 #
 interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type user_home_dir_t;
-               ')
-
-               dontaudit $1 user_home_dir_t:dir getattr;
-       ', `
-               gen_require(`
-                       type sysadm_home_dir_t;
-               ')
-
-               dontaudit $1 sysadm_home_dir_t:dir getattr;
+       gen_require(`
+               type sysadm_home_dir_t;
        ')
+
+       dontaudit $1 sysadm_home_dir_t:dir getattr;
 ')
 
 ########################################
@@ -4541,19 +4442,11 @@ interface(`userdom_search_sysadm_home_dirs',`
 ## </param>
 #
 interface(`userdom_dontaudit_search_sysadm_home_dirs',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type user_home_dir_t;
-               ')
-
-               dontaudit $1 user_home_dir_t:dir search_dir_perms;
-       ',`
-               gen_require(`
-                       type sysadm_home_dir_t;
-               ')
-
-               dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+       gen_require(`
+               type sysadm_home_dir_t;
        ')
+
+       dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -4605,23 +4498,13 @@ interface(`userdom_dontaudit_list_sysadm_home_dirs',`
 ## </param>
 #
 interface(`userdom_dontaudit_read_sysadm_home_content_files',`
-       ifdef(`targeted_policy',`
-               gen_require(`
-                       type user_home_dir_t, user_home_t;
-               ')
-
-               dontaudit $1 user_home_dir_t:dir search_dir_perms;
-               dontaudit $1 user_home_t:dir search_dir_perms;
-               dontaudit $1 user_home_t:file r_file_perms;
-       ',`
-               gen_require(`
-                       type sysadm_home_dir_t, sysadm_home_t;
-               ')
-
-               dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-               dontaudit $1 sysadm_home_t:dir search_dir_perms;
-               dontaudit $1 sysadm_home_t:file r_file_perms;
+       gen_require(`
+               type sysadm_home_dir_t, sysadm_home_t;
        ')
+
+       dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+       dontaudit $1 sysadm_home_t:dir search_dir_perms;
+       dontaudit $1 sysadm_home_t:file read_file_perms;
 ')
 
 ########################################
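Review bot: The rewritten body at `dontaudit $1 sysadm_home_t:file read_file_perms;` renames the permission set from `r_file_perms`, which the removed strict branch used, to `read_file_perms` — a substantive change folded into an otherwise mechanical unwrap and not mentioned in the commit message. If the two macros expand to the same permissions this is only a rename worth a word in the message; if they differ, the audited set changes and should be reviewed on its own. Every sibling hunk in this file keeps its macro names unchanged, so this one stands out.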
@@ -4683,23 +4566,19 @@ interface(`userdom_search_sysadm_home_content_dirs',`
 ## </param>
 #
 interface(`userdom_read_sysadm_home_content_files',`
-       ifdef(`strict_policy',`
-               gen_require(`
-                       type sysadm_home_dir_t, sysadm_home_t;
-               ')
-
-               files_search_home($1)
-               allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
-               read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
-               read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
-       ',`
-               userdom_read_generic_user_home_content_files($1)
+       gen_require(`
+               type sysadm_home_dir_t, sysadm_home_t;
        ')
+
+       files_search_home($1)
+       allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
+       read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+       read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
 ')
 
 ########################################
 ## <summary>
-##     Read files in the sysadm users home directory.
+##     Read sysadm temporary files.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -4708,18 +4587,14 @@ interface(`userdom_read_sysadm_home_content_files',`
 ## </param>
 #
 interface(`userdom_read_sysadm_tmp_files',`
-       ifdef(`strict_policy',`
-               gen_require(`
-                       type sysadm_tmp_t;
-               ')
-
-               files_search_tmp($1)
-               allow $1 sysadm_tmp_t:dir list_dir_perms;
-               read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
-               read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
-       ',`
-               files_read_generic_tmp_files($1)
+       gen_require(`
+               type sysadm_tmp_t;
        ')
+
+       files_search_tmp($1)
+       allow $1 sysadm_tmp_t:dir list_dir_perms;
+       read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+       read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
 ')
 
 ########################################
@@ -5351,16 +5226,12 @@ interface(`userdom_setattr_unpriv_users_ptys',`
 ## </param>
 #
 interface(`userdom_use_unpriv_users_ptys',`
-       ifdef(`targeted_policy',`
-               term_use_generic_ptys($1)
-       ',`
-               gen_require(`
-                       attribute user_ptynode;
-               ')
-
-               term_search_ptys($1)
-               allow $1 user_ptynode:chr_file rw_file_perms;
+       gen_require(`
+               attribute user_ptynode;
        ')
+
+       term_search_ptys($1)
+       allow $1 user_ptynode:chr_file rw_file_perms;
 ')
 
 ########################################
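Review bot: `allow $1 user_ptynode:chr_file rw_file_perms;` grants the generic file read/write set on a terminal node, whereas the matching tty interface `userdom_use_unpriv_users_ttys` in this diff and the sysadm counterpart `userdom_use_sysadm_ptys` both use `rw_term_perms`; if the same terminal access is intended, `allow $1 user_ptynode:chr_file rw_term_perms;` keeps the pty and tty variants aligned. The dontaudit twins `userdom_dontaudit_use_unpriv_users_ptys` and `userdom_dontaudit_use_unpriv_users_ttys` likewise use `rw_file_perms` where `userdom_dontaudit_use_sysadm_ptys` uses `{ read write }`. Whether the macros differ in practice depends on the permission-set definitions not visible here, so confirm before changing.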
@@ -5375,15 +5246,11 @@ interface(`userdom_use_unpriv_users_ptys',`
 ## </param>
 #
 interface(`userdom_dontaudit_use_unpriv_users_ptys',`
-       ifdef(`targeted_policy',`
-               term_dontaudit_use_generic_ptys($1)
-       ',`
-               gen_require(`
-                       attribute user_ptynode;
-               ')
-
-               dontaudit $1 user_ptynode:chr_file rw_file_perms;
+       gen_require(`
+               attribute user_ptynode;
        ')
+
+       dontaudit $1 user_ptynode:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -5434,15 +5301,11 @@ interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',`
 ## </param>
 #
 interface(`userdom_list_unpriv_users_tmp',`
-       ifdef(`targeted_policy',`
-               files_list_tmp($1)
-       ',`
-               gen_require(`
-                       attribute user_tmpfile;
-               ')
-
-               allow $1 user_tmpfile:dir list_dir_perms;
+       gen_require(`
+               attribute user_tmpfile;
        ')
+
+       allow $1 user_tmpfile:dir list_dir_perms;
 ')
 
 ########################################
@@ -5456,15 +5319,11 @@ interface(`userdom_list_unpriv_users_tmp',`
 ## </param>
 #
 interface(`userdom_read_unpriv_users_tmp_files',`
-       ifdef(`targeted_policy',`
-               files_read_generic_tmp_files($1)
-       ',`
-               gen_require(`
-                       attribute user_tmpfile;
-               ')
-
-               allow $1 user_tmpfile:file { read getattr };
+       gen_require(`
+               attribute user_tmpfile;
        ')
+
+       allow $1 user_tmpfile:file { read getattr };
 ')
 
 ########################################
@@ -5478,15 +5337,11 @@ interface(`userdom_read_unpriv_users_tmp_files',`
 ## </param>
 #
 interface(`userdom_read_unpriv_users_tmp_symlinks',`
-       ifdef(`targeted_policy',`
-               files_read_generic_tmp_symlinks($1)
-       ',`
-               gen_require(`
-                       attribute user_tmpfile;
-               ')
-
-               allow $1 user_tmpfile:lnk_file { getattr read };
+       gen_require(`
+               attribute user_tmpfile;
        ')
+
+       allow $1 user_tmpfile:lnk_file { getattr read };
 ')
 
 ########################################
@@ -5518,15 +5373,11 @@ interface(`userdom_write_unpriv_users_tmp_files',`
 ## </param>
 #
 interface(`userdom_use_unpriv_users_ttys',`
-       ifdef(`targeted_policy',`
-               term_use_unallocated_ttys($1)
-       ',`
-               gen_require(`
-                       attribute user_ttynode;
-               ')
-
-               allow $1 user_ttynode:chr_file rw_term_perms;
+       gen_require(`
+               attribute user_ttynode;
        ')
+
+       allow $1 user_ttynode:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -5541,15 +5392,11 @@ interface(`userdom_use_unpriv_users_ttys',`
 ## </param>
 #
 interface(`userdom_dontaudit_use_unpriv_users_ttys',`
-       ifdef(`targeted_policy',`
-               term_dontaudit_use_unallocated_ttys($1)
-       ',`
-               gen_require(`
-                       attribute user_ttynode;
-               ')
-
-               dontaudit $1 user_ttynode:chr_file rw_file_perms;
+       gen_require(`
+               attribute user_ttynode;
        ')
+
+       dontaudit $1 user_ttynode:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -5673,15 +5520,11 @@ interface(`userdom_sigchld_all_users',`
 ## </param>
 #
 interface(`userdom_create_all_users_keys',`
-       ifdef(`strict_policy',`
-               gen_require(`
-                       attribute userdomain;
-               ')
-
-               allow $1 userdomain:key create;
-       ',`
-               unconfined_create_keys($1)
+       gen_require(`
+               attribute userdomain;
        ')
+
+       allow $1 userdomain:key create;
 ')
 
 ########################################
@@ -5705,7 +5548,7 @@ interface(`userdom_dbus_send_all_users',`
 
 ########################################
 ## <summary>
-##     Unconfined access to user domains.
+##     Unconfined access to user domains.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -5714,10 +5557,5 @@ interface(`userdom_dbus_send_all_users',`
 ## </param>
 #
 interface(`userdom_unconfined',`
-       gen_require(`
-               type user_home_dir_t;
-       ')
-
-       allow $1 user_home_dir_t:dir manage_dir_perms;
-       files_home_filetrans($1,user_home_dir_t,dir)
+       refpolicywarn(`$0($*) has been deprecated.')
 ')
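Review bot: The deprecation shim `refpolicywarn(`$0($*) has been deprecated.')` silently drops `manage_dir_perms` on user_home_dir_t and the home filetrans for any remaining caller, who now gets only a build-time warning with no pointer to what to call instead; naming the successor makes the warning actionable, e.g. `refpolicywarn(`$0($*) has been deprecated, use <replacement interface> instead.')` with the placeholder filled in. The removed targeted branch of `userdom_manage_staff_home_dirs` referred to `userdom_manage_generic_user_home_dirs`, which looks like the intended replacement, but confirm it still exists after this merge before naming it.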
index eb915d1253d8f7618bd0ce1438a9b2ba990ea26d..80c230040e201a1af97cb79a3683bac1632c0aea 100644 (file)
@@ -15,7 +15,6 @@ gen_require(`
 # Declarations
 #
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Allow sysadm to ptrace all processes
@@ -65,7 +64,6 @@ gen_tunable(user_rw_noexattrfile,false)
 ## </p>
 ## </desc>
 gen_tunable(user_ttyfile_stat,false)
-')
 
 # admin users terminals (tty and pty)
 attribute admin_terminal;
@@ -108,451 +106,391 @@ attribute untrusted_content_tmp_type;
 # Local policy
 #
 
-ifdef(`strict_policy',`
-       userdom_admin_user_template(sysadm)
-       userdom_unpriv_user_template(staff)
-       userdom_unpriv_user_template(user)
+userdom_admin_user_template(sysadm)
+userdom_unpriv_user_template(staff)
+userdom_unpriv_user_template(user)
 
-       # user role change rules:
-       # sysadm_r can change to user roles
-       userdom_role_change_template(sysadm, user)
-       userdom_role_change_template(sysadm, staff)
+# user role change rules:
+# sysadm_r can change to user roles
+userdom_role_change_template(sysadm, user)
+userdom_role_change_template(sysadm, staff)
 
-       # only staff_r can change to sysadm_r
-       userdom_role_change_template(staff, sysadm)
-       dontaudit staff_t admin_terminal:chr_file { read write };
+# only staff_r can change to sysadm_r
+userdom_role_change_template(staff, sysadm)
+dontaudit staff_t admin_terminal:chr_file { read write };
 
-       ifdef(`enable_mls',`
-               userdom_unpriv_user_template(secadm)
-               userdom_unpriv_user_template(auditadm)
+ifdef(`enable_mls',`
+       userdom_unpriv_user_template(secadm)
+       userdom_unpriv_user_template(auditadm)
 
-               userdom_role_change_template(staff,auditadm)
-               userdom_role_change_template(staff,secadm)
+       userdom_role_change_template(staff, auditadm)
+       userdom_role_change_template(staff, secadm)
 
-               userdom_role_change_template(sysadm,secadm)
-               userdom_role_change_template(sysadm,auditadm)
+       userdom_role_change_template(sysadm, secadm)
+       userdom_role_change_template(sysadm, auditadm)
 
-               userdom_role_change_template(auditadm,secadm)
-               userdom_role_change_template(auditadm,sysadm)
+       userdom_role_change_template(auditadm, secadm)
+       userdom_role_change_template(auditadm, sysadm)
 
-               userdom_role_change_template(secadm,auditadm)
-               userdom_role_change_template(secadm,sysadm)
-       ')
+       userdom_role_change_template(secadm, auditadm)
+       userdom_role_change_template(secadm, sysadm)
+')
 
-       # this should be tunable_policy, but
-       # currently type_change and RBAC allow
-       # do not work in conditionals
-       ifdef(`user_canbe_sysadm',`
-               userdom_role_change_template(user,sysadm)
-       ')
+# this should be tunable_policy, but
+# currently type_change and RBAC allow
+# do not work in conditionals
+ifdef(`user_canbe_sysadm',`
+       userdom_role_change_template(user, sysadm)
+')
 
-       ########################################
-       #
-       # Sysadm local policy
-       #
+########################################
+#
+# Sysadm local policy
+#
 
-       # for su
-       allow sysadm_t userdomain:fd use;
+# for su
+allow sysadm_t userdomain:fd use;
 
-       # Add/remove user home directories
-       allow sysadm_t user_home_dir_t:dir manage_dir_perms;
-       files_home_filetrans(sysadm_t,user_home_dir_t,dir)
+# Add/remove user home directories
+allow sysadm_t user_home_dir_t:dir manage_dir_perms;
+files_home_filetrans(sysadm_t, user_home_dir_t, dir)
 
-       corecmd_exec_shell(sysadm_t)
+corecmd_exec_shell(sysadm_t)
 
-       mls_process_read_up(sysadm_t)
+mls_process_read_up(sysadm_t)
 
-       init_exec(sysadm_t)
+init_exec(sysadm_t)
 
-       # Following for sending reboot and wall messages
-       userdom_use_unpriv_users_ptys(sysadm_t)
-       userdom_use_unpriv_users_ttys(sysadm_t)
+# Following for sending reboot and wall messages
+userdom_use_unpriv_users_ptys(sysadm_t)
+userdom_use_unpriv_users_ttys(sysadm_t)
 
-       ifdef(`direct_sysadm_daemon',`
-               optional_policy(`
-                       init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
-               ')
-       ',`
-               ifdef(`distro_gentoo',`
-                       optional_policy(`
-                               seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
-                       ')
-               ')
+ifdef(`direct_sysadm_daemon',`
+       optional_policy(`
+               init_run_daemon(sysadm_t, sysadm_r, admin_terminal)
        ')
-
-       ifdef(`enable_mls',`
-               allow auditadm_t self:capability { dac_read_search dac_override };
-               seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
-               domain_kill_all_domains(auditadm_t)
-               seutil_read_bin_policy(auditadm_t)
-               corecmd_exec_shell(auditadm_t)
-               logging_send_syslog_msg(auditadm_t)
-               logging_read_generic_logs(auditadm_t)
-               logging_manage_audit_log(auditadm_t)
-               logging_manage_audit_config(auditadm_t)
-               logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
-               logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
-               userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
-
-               allow secadm_t self:capability { dac_read_search dac_override };
-               corecmd_exec_shell(secadm_t)
-               domain_obj_id_change_exemption(secadm_t)
-               mls_process_read_up(secadm_t)
-               mls_file_read_all_levels(secadm_t)
-               mls_file_write_all_levels(secadm_t)
-               mls_file_upgrade(secadm_t)
-               mls_file_downgrade(secadm_t)
-               auth_relabel_all_files_except_shadow(secadm_t)
-               dev_relabel_all_dev_nodes(secadm_t)
-               auth_relabel_shadow(secadm_t)
-               init_exec(secadm_t)
-               logging_read_audit_log(secadm_t)
-               logging_read_generic_logs(secadm_t)
-               logging_read_audit_config(secadm_t)
-               userdom_dontaudit_append_staff_home_content_files(secadm_t)
-               userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
-
+',`
+       ifdef(`distro_gentoo',`
                optional_policy(`
-                       aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+                       seutil_init_script_run_runinit(sysadm_t, sysadm_r, admin_terminal)
                ')
-
-               optional_policy(`
-                       netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
-               ')
-       ',`
-               logging_manage_audit_log(sysadm_t)
-               logging_manage_audit_config(sysadm_t)
-               logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
-       ')
-
-       tunable_policy(`allow_ptrace',`
-               domain_ptrace_all_domains(sysadm_t)
-       ')
-
-       optional_policy(`
-               amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
-       ')
-
-       optional_policy(`
-               apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
-               #apache_run_all_scripts(sysadm_t,sysadm_r)
-               #apache_domtrans_sys_script(sysadm_t)
        ')
+')
 
-       optional_policy(`
-               tzdata_domtrans(sysadm_t)
-       ')
+ifdef(`enable_mls',`
+       allow auditadm_t self:capability { dac_read_search dac_override };
+       seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+       domain_kill_all_domains(auditadm_t)
+        seutil_read_bin_policy(auditadm_t)
+       corecmd_exec_shell(auditadm_t)
+       logging_send_syslog_msg(auditadm_t)
+        logging_read_generic_logs(auditadm_t)
+       logging_manage_audit_log(auditadm_t)
+       logging_manage_audit_config(auditadm_t)
+       logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+       logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+       userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
+
+       allow secadm_t self:capability { dac_read_search dac_override };
+       corecmd_exec_shell(secadm_t)
+       domain_obj_id_change_exemption(secadm_t)
+       mls_process_read_up(secadm_t)
+       mls_file_read_all_levels(secadm_t)
+       mls_file_write_all_levels(secadm_t)
+       mls_file_upgrade(secadm_t)
+       mls_file_downgrade(secadm_t)
+        auth_relabel_all_files_except_shadow(secadm_t)
+       dev_relabel_all_dev_nodes(secadm_t)
+       auth_relabel_shadow(secadm_t)
+       init_exec(secadm_t)
+       logging_read_audit_log(secadm_t)
+        logging_read_generic_logs(secadm_t)
+       logging_read_audit_config(secadm_t)
+       userdom_dontaudit_append_staff_home_content_files(secadm_t)
+       userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
+       optional_policy(`
+               aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+       ')
+
+       optional_policy(`
+               netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+       ')
+',`
+       logging_manage_audit_log(sysadm_t)
+       logging_manage_audit_config(sysadm_t)
+       logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               raid_domtrans_mdadm(sysadm_t)
-       ')
+tunable_policy(`allow_ptrace',`
+       domain_ptrace_all_domains(sysadm_t)
+')
 
-       optional_policy(`
-               # cjp: why is this not apm_run_client
-               apm_domtrans_client(sysadm_t)
-       ')
+optional_policy(`
+       amanda_run_recover(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               apt_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       apache_run_helper(sysadm_t, sysadm_r, admin_terminal)
+       #apache_run_all_scripts(sysadm_t, sysadm_r)
+       #apache_domtrans_sys_script(sysadm_t)
+')
 
-       optional_policy(`
-               backup_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       tzdata_domtrans(sysadm_t)
+')
 
-       optional_policy(`
-               bootloader_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       raid_domtrans_mdadm(sysadm_t)
+')
 
-       optional_policy(`
-               bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       # cjp: why is this not apm_run_client
+       apm_domtrans_client(sysadm_t)
+')
 
-       optional_policy(`
-               bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       apt_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               consoletype_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       backup_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               clock_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       bootloader_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       bind_run_ndc(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               certwatch_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       certwatch_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               cvs_exec(sysadm_t)
-       ')
+optional_policy(`
+       consoletype_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               consoletype_exec(sysadm_t)
+optional_policy(`
+       clock_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-               ifdef(`enable_mls',`
-                       consoletype_exec(auditadm_t)
-               ')
-       ')
+optional_policy(`
+       clockspeed_run_cli(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               cron_admin_template(sysadm,sysadm_t,sysadm_r)
-       ')
+optional_policy(`
+       cvs_exec(sysadm_t)
+')
 
-       optional_policy(`
-               dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
-               dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
-               dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       consoletype_exec(sysadm_t)
 
-       optional_policy(`
-               ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
+       ifdef(`enable_mls',`
+               consoletype_exec(auditadm_t)
        ')
+')
 
-       optional_policy(`
-               dmesg_exec(sysadm_t)
+optional_policy(`
+       cron_admin_template(sysadm, sysadm_t, sysadm_r)
+')
 
-               ifdef(`enable_mls',`
-                       dmesg_exec(auditadm_t)
-               ')
-       ')
+optional_policy(`
+       dcc_run_cdcc(sysadm_t, sysadm_r, admin_terminal)
+       dcc_run_client(sysadm_t, sysadm_r, admin_terminal)
+       dcc_run_dbclean(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       ddcprobe_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               dpkg_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       dmesg_exec(sysadm_t)
 
-       optional_policy(`
-               ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
-               ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
+       ifdef(`enable_mls',`
+               dmesg_exec(auditadm_t)
        ')
+')
 
-       optional_policy(`
-               firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
-       ')
+optional_policy(`
+       dmidecode_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               fstools_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       dpkg_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               hostname_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       ethereal_run_tethereal(sysadm_t, sysadm_r, admin_terminal)
+       ethereal_admin_template(sysadm, sysadm_t, sysadm_r)
+')
 
-       optional_policy(`
-               # allow system administrator to use the ipsec script to look
-               # at things (e.g., ipsec auto --status)
-               # probably should create an ipsec_admin role for this kind of thing
-               ipsec_exec_mgmt(sysadm_t)
-               ipsec_stream_connect(sysadm_t)
-               # for lsof
-               ipsec_getattr_key_sockets(sysadm_t)
-       ')
+optional_policy(`
+       firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t)
+')
 
-       optional_policy(`
-               iptables_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       fstools_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       hostname_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               lvm_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       # allow system administrator to use the ipsec script to look
+       # at things (e.g., ipsec auto --status)
+       # probably should create an ipsec_admin role for this kind of thing
+       ipsec_exec_mgmt(sysadm_t)
+       ipsec_stream_connect(sysadm_t)
+       # for lsof
+       ipsec_getattr_key_sockets(sysadm_t)
+')
 
-       optional_policy(`
-               logrotate_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       iptables_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
-               lpr_admin_template(sysadm,sysadm_t,sysadm_r)
-       ')
+optional_policy(`
+       libs_run_ldconfig(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               kudzu_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       lvm_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
-               modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
-               modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       logrotate_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               mount_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       lpd_run_checkpc(sysadm_t, sysadm_r, admin_terminal)
+       lpr_admin_template(sysadm, sysadm_t, sysadm_r)
+')
 
-       optional_policy(`
-               mta_admin_template(sysadm,sysadm_t,sysadm_r)
-       ')
+optional_policy(`
+       kudzu_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               mysql_stream_connect(sysadm_t)
-       ')
+optional_policy(`
+       modutils_run_depmod(sysadm_t, sysadm_r, admin_terminal)
+       modutils_run_insmod(sysadm_t, sysadm_r, admin_terminal)
+       modutils_run_update_mods(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               netutils_run(sysadm_t,sysadm_r,admin_terminal)
-               netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
-               netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       mount_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               rpc_domtrans_nfsd(sysadm_t)
-       ')
+optional_policy(`
+       mta_admin_template(sysadm, sysadm_t, sysadm_r)
+')
 
-       optional_policy(`
-               munin_stream_connect(sysadm_t)
-       ')
+optional_policy(`
+       mysql_stream_connect(sysadm_t)
+')
 
-       optional_policy(`
-               ntp_stub()
-               corenet_udp_bind_ntp_port(sysadm_t)
-       ')
+optional_policy(`
+       netutils_run(sysadm_t, sysadm_r, admin_terminal)
+       netutils_run_ping(sysadm_t, sysadm_r, admin_terminal)
+       netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               oav_run_update(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       rpc_domtrans_nfsd(sysadm_t)
+')
 
-       optional_policy(`
-               pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       munin_stream_connect(sysadm_t)
+')
 
-       optional_policy(`
-               portage_run(sysadm_t,sysadm_r,admin_terminal)
-               portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       ntp_stub()
+       corenet_udp_bind_ntp_port(sysadm_t)
+')
 
-       optional_policy(`
-               portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       oav_run_update(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               quota_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       pcmcia_run_cardctl(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               rpm_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       portage_run(sysadm_t, sysadm_r, admin_terminal)
+       portage_run_gcc_config(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               rsync_exec(sysadm_t)
-       ')
+optional_policy(`
+       portmap_run_helper(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               samba_run_net(sysadm_t,sysadm_r,admin_terminal)
-               samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       quota_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
-               seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+optional_policy(`
+       rpm_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-               ifdef(`enable_mls',`
-                       userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-               ', `
-                       userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
-               ')
-       ')
+optional_policy(`
+       rsync_exec(sysadm_t)
+')
 
-       optional_policy(`
-               sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
-               sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       samba_run_net(sysadm_t, sysadm_r, admin_terminal)
+       samba_run_winbind_helper(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
-               tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
-               tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
-               tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       seutil_run_setfiles(sysadm_t, sysadm_r, admin_terminal)
+       seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal)
 
-       optional_policy(`
-               unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
+       ifdef(`enable_mls',`
+               userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t })
+       ', `
+               userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
        ')
+')
 
-       optional_policy(`
-               usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       sysnet_run_ifconfig(sysadm_t, sysadm_r, admin_terminal)
+       sysnet_run_dhcpc(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
-               usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
-               usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       tripwire_run_siggen(sysadm_t, sysadm_r, admin_terminal)
+       tripwire_run_tripwire(sysadm_t, sysadm_r, admin_terminal)
+       tripwire_run_twadmin(sysadm_t, sysadm_r, admin_terminal)
+       tripwire_run_twprint(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               vpn_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       unconfined_domtrans(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               webalizer_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       usbmodules_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               yam_run(sysadm_t,sysadm_r,admin_terminal)
-       ')
+optional_policy(`
+       usermanage_run_admin_passwd(sysadm_t, sysadm_r, admin_terminal)
+       usermanage_run_groupadd(sysadm_t, sysadm_r, admin_terminal)
+       usermanage_run_useradd(sysadm_t, sysadm_r, admin_terminal)
 ')
 
-ifdef(`targeted_policy',`
-       # Define some type aliases to help with compatibility with
-       # strict policy.
-       unconfined_alias_domain(secadm_t)
-       unconfined_alias_domain(auditadm_t)
-       unconfined_alias_domain(sysadm_t)
-
-       # User home directory type.
-       type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
-       files_type(user_home_t)
-       files_associate_tmp(user_home_t)
-       fs_associate_tmpfs(user_home_t)
-
-       type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
-       files_type(user_home_dir_t)
-       files_associate_tmp(user_home_dir_t)
-       fs_associate_tmpfs(user_home_dir_t)
-
-       # compatibility for switching from strict
-#      dominance { role secadm_r { role system_r; }}
-#      dominance { role auditadm_r { role system_r; }}
-#      dominance { role sysadm_r { role system_r; }}
-#      dominance { role user_r { role system_r; }}
-#      dominance { role staff_r { role system_r; }}
-
-       # dont need to use the full role_change()
-       allow sysadm_r system_r;
-       allow sysadm_r user_r;
-       allow user_r system_r;
-       allow user_r sysadm_r;
-       allow system_r sysadm_r;
-       allow system_r sysadm_r;
-
-       manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
-       manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
-       manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
-       manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
-       manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
-       filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
-       files_search_home(privhome)
+optional_policy(`
+       vpn_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       ifdef(`enable_mls',`
-               allow secadm_r system_r;
-               allow auditadm_r system_r;
-               allow secadm_r user_r;
-               allow staff_r secadm_r;
-               allow staff_r auditadm_r;
-       ')
+optional_policy(`
+       webalizer_run(sysadm_t, sysadm_r, admin_terminal)
+')
 
-       optional_policy(`
-               samba_per_role_template(user)
-       ')
+optional_policy(`
+       yam_run(sysadm_t, sysadm_r, admin_terminal)
 ')
index 031b7cf39681d06cf44a51d6c6513c2c452d872b..cbe65025557c139fdfd11f80ed78e8be33a8faa6 100644 (file)
@@ -217,15 +217,6 @@ optional_policy(`
        consoletype_exec(xend_t)
 ')
 
-ifdef(`targeted_policy',`
-       term_dontaudit_use_unallocated_ttys(xend_t)
-       term_dontaudit_use_generic_ptys(xend_t)
-
-       optional_policy(`
-               unconfined_rw_pipes(xend_t)
-       ')
-')
-
 ########################################
 #
 # Xen console local policy
index 3e8d368849da33768d76a89aec4db606feead3a2..729ed88cb3303c34daa39fb080d96ae32bb6c0de 100644 (file)
@@ -8,13 +8,11 @@
 # syntax: role prefix user_domain
 #
 
-ifdef(`strict_policy',`
-       user_r user user_t
-       staff_r staff staff_t
-       sysadm_r sysadm sysadm_t
+user_r user user_t
+staff_r staff staff_t
+sysadm_r sysadm sysadm_t
 
-       ifdef(`enable_mls',`
-               secadm_r secadm secadm_t
-               auditadm_r auditadm auditadm_t
-       ')
+ifdef(`enable_mls',`
+       secadm_r secadm secadm_t
+       auditadm_r auditadm auditadm_t
 ')
index e2053ab3a0d0fa08676143a95b641e7817ca49f5..f82b604d15537ae5a56e0c198d515d297e4c5d2f 100644 (file)
@@ -25,13 +25,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
-ifdef(`targeted_policy',`
-gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-')
+
+# Until order dependence is fixed for users:
+gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # The following users correspond to Unix identities.
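Review bot: The unconfined_u user added at the end of this hunk is declared unconditionally with the full MLS range (`s0 - mls_systemhigh`) and every MCS category, and the comment above it only says "order dependence" without stating what depends on what, so a later maintainer cannot tell whether it may be moved next to the unconfined module or gated on it. Suggest expanding the comment to something like `# Until order dependence is fixed for users: unconfined_u is declared here in base (full MLS range, all MCS categories) rather than alongside the unconfined module that provides unconfined_r.` Presumably unconfined_r is declared in base policy; if it is only declared by the unconfined module, builds without that module would fail on this line — worth confirming, since the file header on this page does not name the file.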
@@ -40,12 +39,8 @@ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-ifdef(`targeted_policy',`
-       gen_user(root, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 ',`
-       ifdef(`direct_sysadm_daemon',`
-               gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-       ',`
-               gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-       ')
+       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 ')
index 34fd708b885b1d9a8067aefefd7969f2225aa7b6..a944df0070047a74b7dc76fb0393d718a8c0c382 100644 (file)
@@ -24,7 +24,7 @@ SEMOD_PKG := $(BINDIR)/semodule_package
 XMLLINT := $(BINDIR)/xmllint
 
 # set default build options if missing
-TYPE ?= strict
+TYPE ?= standard
 DIRECT_INITRC ?= n
 POLY ?= n
 QUIET ?= y
@@ -39,25 +39,15 @@ metaxml := metadata.xml
 globaltun = $(HEADERDIR)/global_tunables.xml
 globalbool = $(HEADERDIR)/global_booleans.xml
 
-# compile strict policy if requested.
-ifneq ($(findstring strict,$(TYPE)),)
-       M4PARAM += -D strict_policy
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
-       M4PARAM += -D targeted_policy
-endif
-
 # enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
        M4PARAM += -D enable_mls
        CHECKPOLICY += -M
        CHECKMODULE += -M
 endif
 
 # enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
        M4PARAM += -D enable_mcs
        CHECKPOLICY += -M
        CHECKMODULE += -M
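Review bot: The change from `findstring` to exact `ifeq "$(TYPE)" "mls"` / `ifeq "$(TYPE)" "mcs"` means any value that is not exactly one of the new names — a leftover of the old `<prefix>-mcs` form, or a typo — matches neither branch, so the build silently produces a policy without `enable_mls`/`enable_mcs` and without `-M` on checkpolicy instead of failing. TYPE is presumably set in build.conf (outside this hunk) and nothing in the visible Makefile validates it. A guard after the `TYPE ?= standard` default in the previous hunk closes this: `ifeq ($(filter $(TYPE),standard mls mcs),)` / `$(error Unknown TYPE "$(TYPE)": expected standard, mls or mcs)` / `endif`.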