policy_module(libraries, 2.7.1)

########################################
#
# Declarations
#

#
# ld_so_cache_t: type of /etc/ld.so.cache, the loader cache that
# ldconfig regenerates (see the ldconfig rules further down).
#
type ld_so_cache_t;
files_type(ld_so_cache_t)

#
# ld_so_t: type of the system dynamic loaders.
#
type ld_so_t;
files_type(ld_so_t)

#
# ldconfig_t: confined domain for ldconfig. It is entered from
# ldconfig_exec_t via init_system_domain(), so init (and any other
# domain granted a transition) runs ldconfig confined rather than
# in its own context. Restricted to the system_r role.
#
type ldconfig_t;
type ldconfig_exec_t;
init_system_domain(ldconfig_t, ldconfig_exec_t)
role system_r types ldconfig_t;

# A second, private cache type, distinct from ld_so_cache_t. Its file
# context (presumably under /var/cache) lives in the .fc file.
type ldconfig_cache_t;
files_type(ldconfig_cache_t)

# Scratch files ldconfig creates in the tmp directories.
type ldconfig_tmp_t;
files_tmp_file(ldconfig_tmp_t)

#
# lib_t: type of files in the system lib directories.
# shlib_t is kept as an alias for policy that still references it.
#
type lib_t alias shlib_t;
files_type(lib_t)

#
# textrel_shlib_t: type of shared objects in the system lib
# directories that require text relocation.
# NOTE(review): a text relocation means the loader patches the object's
# code pages at load time, so these objects presumably need memory
# permissions plain lib_t does not get (those grants are outside this
# file -- confirm in the .if/other modules). Treat the label as a
# privilege: apply it only to objects that actually carry TEXTREL, not
# as a generic fix for "the library will not load".
# texrel_shlib_t is a historical misspelling kept as an alias.
#
type textrel_shlib_t alias texrel_shlib_t;
files_type(textrel_shlib_t)

ifdef(`distro_gentoo',`
	# openrc mounts a tmpfs at /lib/rc/, so on Gentoo lib_t
	# must be allowed to act as a mountpoint.
	files_mountpoint(lib_t)
')

optional_policy(`
	# Let postgresql load extension modules labelled with either lib type.
	postgresql_loadable_module(lib_t)
	postgresql_loadable_module(textrel_shlib_t)
')
54 | ||
########################################
#
# ldconfig local policy
#

# dac_override lets ldconfig ignore DAC mode bits on anything the MAC
# rules below already let it reach; sys_chroot presumably backs
# `ldconfig -r ROOT`. Both are broad for a cache rebuilder, so keep
# this list to exactly these two.
allow ldconfig_t self:capability { dac_override sys_chroot };

#
# Files ldconfig owns: its private cache, /etc/ld.so.cache, tmp scratch.
#
manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)

# /etc/ld.so.cache is rewritten in place; a newly created file in /etc
# is labelled ld_so_cache_t rather than inheriting etc_t.
manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)

manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
manage_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
manage_lnk_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })

# Core job: create/remove the soname symlinks in the system lib
# directories. This is write access to the directories the dynamic
# loader searches, which is the reason ldconfig gets a domain of its
# own instead of running as a generic system tool.
manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)

kernel_read_system_state(ldconfig_t)

fs_getattr_xattr_fs(ldconfig_t)

corecmd_search_bin(ldconfig_t)

domain_use_interactive_fds(ldconfig_t)

files_search_home(ldconfig_t)
files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_read_usr_files(ldconfig_t)
files_search_tmp(ldconfig_t)
files_search_usr(ldconfig_t)
# Recovery path for a mislabelled /etc/ld.so.cache (plain etc_t):
# ldconfig must be able to unlink it so the filetrans above recreates
# it with the right label. Note the interface is not scoped to that one
# file -- it is delete on etc files in general.
files_delete_etc_files(ldconfig_t)

init_use_script_ptys(ldconfig_t)
init_read_script_tmp_files(ldconfig_t)

miscfiles_read_localization(ldconfig_t)

logging_send_syslog_msg(ldconfig_t)

term_use_console(ldconfig_t)
userdom_use_inherited_user_terminals(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)

# User home and tmp content: list home dirs, and manage
# (create/write/delete) user home content files and user tmp
# files/symlinks. NOTE(review): a wide grant for a system tool; the
# reason is not recorded here (presumably ldconfig run against
# user-owned library dirs) -- confirm before widening it further.
userdom_dontaudit_list_admin_dir(ldconfig_t)
userdom_list_user_home_dirs(ldconfig_t)
userdom_manage_user_home_content_files(ldconfig_t)
userdom_manage_user_tmp_files(ldconfig_t)
userdom_manage_user_tmp_symlinks(ldconfig_t)

ifdef(`distro_ubuntu',`
	# Ubuntu builds make ldconfig_t an unconfined domain, so on that
	# distro the rules in this file no longer bound it; the domain
	# remains only so labels and transitions stay the same.
	optional_policy(`
		unconfined_domain(ldconfig_t)
	')
')

# Silence known-noisy denials. dontaudit grants nothing, but it also
# removes the audit record: when investigating ldconfig behaviour,
# build without hide_broken_symptoms (or disable dontaudit, e.g.
# semodule -DB) so these denials are logged again.
ifdef(`hide_broken_symptoms',`
	ifdef(`distro_gentoo',`
		# leaked fds from portage
		files_dontaudit_rw_var_files(ldconfig_t)

		optional_policy(`
			portage_dontaudit_search_tmp(ldconfig_t)
			portage_dontaudit_rw_tmp_files(ldconfig_t)
		')
	')

	dev_dontaudit_rw_lvm_control(ldconfig_t)
	term_dontaudit_use_unallocated_ttys(ldconfig_t)

	optional_policy(`
		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
	')
')

optional_policy(`
	# dontaudit access to /usr/lib/apache; normal programs cannot read
	# these libs anyway, so there is nothing for ldconfig to index there.
	apache_dontaudit_search_modules(ldconfig_t)
')

optional_policy(`
	puppet_rw_tmp(ldconfig_t)
')

optional_policy(`
	# A kernel package postinstall builds an initrd image in tmp and
	# runs ldconfig on it; without this, kernel installs fail.
	rpm_manage_script_tmp_files(ldconfig_t)
')