[people/stevee/selinux-policy.git] / policy / modules / system / libraries.te

policy_module(libraries, 2.7.1)

########################################
#
# Declarations
#

#
# ld_so_cache_t is the type of /etc/ld.so.cache.
#
type ld_so_cache_t;
files_type(ld_so_cache_t)

#
# ld_so_t is the type of the system dynamic loaders.
#
type ld_so_t;
files_type(ld_so_t)

type ldconfig_t;
type ldconfig_exec_t;
init_system_domain(ldconfig_t, ldconfig_exec_t)
role system_r types ldconfig_t;

type ldconfig_cache_t;
files_type(ldconfig_cache_t)

type ldconfig_tmp_t;
files_tmp_file(ldconfig_tmp_t)

#
# lib_t is the type of files in the system lib directories.
#
type lib_t alias shlib_t;
files_type(lib_t)

#
# textrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
type textrel_shlib_t alias texrel_shlib_t;
files_type(textrel_shlib_t)

ifdef(`distro_gentoo',`
	# openrc unfortunately mounts a tmpfs
	# at /lib/rc/
	files_mountpoint(lib_t)
')

optional_policy(`
	postgresql_loadable_module(lib_t)
	postgresql_loadable_module(textrel_shlib_t)
')

########################################
#
# ldconfig local policy
#

allow ldconfig_t self:capability { dac_override sys_chroot };

manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)

manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)

manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
manage_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
manage_lnk_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })

manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)

kernel_read_system_state(ldconfig_t)

fs_getattr_xattr_fs(ldconfig_t)

corecmd_search_bin(ldconfig_t)

domain_use_interactive_fds(ldconfig_t)

files_search_home(ldconfig_t)
files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_read_usr_files(ldconfig_t)
files_search_tmp(ldconfig_t)
files_search_usr(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled:
files_delete_etc_files(ldconfig_t)

init_use_script_ptys(ldconfig_t)
init_read_script_tmp_files(ldconfig_t)

miscfiles_read_localization(ldconfig_t)

logging_send_syslog_msg(ldconfig_t)

term_use_console(ldconfig_t)
userdom_use_inherited_user_terminals(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(ldconfig_t)
	')
')

userdom_dontaudit_list_admin_dir(ldconfig_t)
userdom_list_user_home_dirs(ldconfig_t)
userdom_manage_user_home_content_files(ldconfig_t)
userdom_manage_user_tmp_files(ldconfig_t)
userdom_manage_user_tmp_symlinks(ldconfig_t)

ifdef(`hide_broken_symptoms',`
	ifdef(`distro_gentoo',`
		# leaked fds from portage
		files_dontaudit_rw_var_files(ldconfig_t)

		optional_policy(`
			portage_dontaudit_search_tmp(ldconfig_t)
			portage_dontaudit_rw_tmp_files(ldconfig_t)
		')
	')

	dev_dontaudit_rw_lvm_control(ldconfig_t)
	term_dontaudit_use_unallocated_ttys(ldconfig_t)

	optional_policy(`
		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
	')
')

optional_policy(`
	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
	apache_dontaudit_search_modules(ldconfig_t)
')

optional_policy(`
	puppet_rw_tmp(ldconfig_t)
')

optional_policy(`
	# When you install a kernel the postinstall builds a initrd image in tmp 
	# and executes ldconfig on it. If you dont allow this kernel installs 
	# blow up.
	rpm_manage_script_tmp_files(ldconfig_t)
')
Commit	Line	Data
127d617b	1	policy_module(libraries, 2.7.1)
960373dd	2
48e0dbd6 CP	3	########################################
	4	#
	5	# Declarations
	6	#
	7
b4cd1533 CP	8	#
	9	# ld_so_cache_t is the type of /etc/ld.so.cache.
	10	#
	11	type ld_so_cache_t;
8fd36732	12	files_type(ld_so_cache_t)
b4cd1533	13
48e0dbd6	14	#
b4cd1533 CP	15	# ld_so_t is the type of the system dynamic loaders.
	16	#
	17	type ld_so_t;
8fd36732	18	files_type(ld_so_t)
b4cd1533	19
19b2dee3 CP	20	type ldconfig_t;
19b2dee3 CP	21	type ldconfig_exec_t;
3f67f722	22	init_system_domain(ldconfig_t, ldconfig_exec_t)
19b2dee3 CP	23	role system_r types ldconfig_t;
19b2dee3 CP	24
9c4500b2 CP	25	type ldconfig_cache_t;
	26	files_type(ldconfig_cache_t)
	27
19b2dee3 CP	28	type ldconfig_tmp_t;
	29	files_tmp_file(ldconfig_tmp_t)
	30
b4cd1533 CP	31	#
	32	# lib_t is the type of files in the system lib directories.
	33	#
350b6ab7	34	type lib_t alias shlib_t;
8fd36732	35	files_type(lib_t)
b4cd1533	36
b4cd1533	37	#
0c4bf1c5	38	# textrel_shlib_t is the type of shared objects in the system lib
b4cd1533 CP	39	# directories, which require text relocation.
b4cd1533 CP	40	#
a324ef13 CP	41	type textrel_shlib_t alias texrel_shlib_t;
a324ef13 CP	42	files_type(textrel_shlib_t)
48e0dbd6	43
4c92f08f CP	44	ifdef(`distro_gentoo',`
	45	# openrc unfortunately mounts a tmpfs
	46	# at /lib/rc/
	47	files_mountpoint(lib_t)
	48	')
	49
e8cb08ae CP	50	optional_policy(`
	51	postgresql_loadable_module(lib_t)
	52	postgresql_loadable_module(textrel_shlib_t)
	53	')
	54
48e0dbd6 CP	55	########################################
	56	#
	57	# ldconfig local policy
	58	#
19b2dee3	59
bc31d127	60	allow ldconfig_t self:capability { dac_override sys_chroot };
48e0dbd6	61
9c4500b2 CP	62	manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
9c4500b2 CP	63
3eaa9939	64	manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
3f67f722	65	files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
48e0dbd6	66
3f67f722 CP	67	manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
	68	manage_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
	69	manage_lnk_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
d534d35a	70	files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
19b2dee3	71
3f67f722	72	manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)
48e0dbd6 CP	73
	74	kernel_read_system_state(ldconfig_t)
	75
0fd9dc55	76	fs_getattr_xattr_fs(ldconfig_t)
48e0dbd6	77
bc31d127 CP	78	corecmd_search_bin(ldconfig_t)
bc31d127 CP	79
15722ec9	80	domain_use_interactive_fds(ldconfig_t)
48e0dbd6	81
3eaa9939	82	files_search_home(ldconfig_t)
7a2f20a3	83	files_search_var_lib(ldconfig_t)
8fd36732	84	files_read_etc_files(ldconfig_t)
bc31d127	85	files_read_usr_files(ldconfig_t)
ebdc3b79	86	files_search_tmp(ldconfig_t)
b0d2243c	87	files_search_usr(ldconfig_t)
48e0dbd6	88	# for when /etc/ld.so.cache is mislabeled:
8fd36732	89	files_delete_etc_files(ldconfig_t)
48e0dbd6	90
1815bad1	91	init_use_script_ptys(ldconfig_t)
bc31d127	92	init_read_script_tmp_files(ldconfig_t)
48e0dbd6	93
19b2dee3 CP	94	miscfiles_read_localization(ldconfig_t)
19b2dee3 CP	95
c9428d33	96	logging_send_syslog_msg(ldconfig_t)
48e0dbd6	97
3eaa9939	98	term_use_console(ldconfig_t)
af2d8802	99	userdom_use_inherited_user_terminals(ldconfig_t)
15722ec9	100	userdom_use_all_users_fds(ldconfig_t)
48e0dbd6	101
12cf805e CP	102	ifdef(`distro_ubuntu',`
	103	optional_policy(`
	104	unconfined_domain(ldconfig_t)
	105	')
	106	')
	107
64b66577	108	userdom_dontaudit_list_admin_dir(ldconfig_t)
3e3e453c	109	userdom_list_user_home_dirs(ldconfig_t)
3eaa9939 DW	110	userdom_manage_user_home_content_files(ldconfig_t)
	111	userdom_manage_user_tmp_files(ldconfig_t)
	112	userdom_manage_user_tmp_symlinks(ldconfig_t)
	113
a42ca7eb	114	ifdef(`hide_broken_symptoms',`
8b850199 CP	115	ifdef(`distro_gentoo',`
	116	# leaked fds from portage
	117	files_dontaudit_rw_var_files(ldconfig_t)
	118
	119	optional_policy(`
	120	portage_dontaudit_search_tmp(ldconfig_t)
	121	portage_dontaudit_rw_tmp_files(ldconfig_t)
	122	')
	123	')
	124
8f10e6ea DW	125	dev_dontaudit_rw_lvm_control(ldconfig_t)
	126	term_dontaudit_use_unallocated_ttys(ldconfig_t)
	127
bb7170f6	128	optional_policy(`
1815bad1	129	unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
0c73cd25	130	')
48e0dbd6 CP	131	')
48e0dbd6 CP	132
bb7170f6	133	optional_policy(`
a42ca7eb	134	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
c6d4c8f1	135	apache_dontaudit_search_modules(ldconfig_t)
a42ca7eb	136	')
82e284bb	137
e6d8fd1e CP	138	optional_policy(`
	139	puppet_rw_tmp(ldconfig_t)
	140	')
	141
82e284bb CP	142	optional_policy(`
82e284bb CP	143	# When you install a kernel the postinstall builds a initrd image in tmp
ff8f0a63	144	# and executes ldconfig on it. If you dont allow this kernel installs
82e284bb CP	145	# blow up.
	146	rpm_manage_script_tmp_files(ldconfig_t)
	147	')
bc31d127	148