gen_require(`
type mozilla_plugin_t, mozilla_plugin_exec_t;
type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+ type mozilla_plugin_rw_t;
class dbus send_msg;
')
ps_process_pattern($1, mozilla_plugin_t)
allow $1 mozilla_plugin_t:process signal_perms;
+
+ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ can_exec($1, mozilla_plugin_rw_t)
')
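Review bot: `can_exec($1, mozilla_plugin_rw_t)` on L13 lets the calling domain execute files of a type whose name suggests the confined plugin can write to it, and it does so in the caller's own domain with no transition, so anything the sandboxed plugin drops there would run with the caller's full privileges. If that is intended (the user deliberately launching content the plugin unpacked), say so in a comment above L13, e.g. `# user runs plugin-unpacked helpers in its own domain; no transition by design`; otherwise keep this interface to the read-only rules on L10-L12 and route execution through a domtrans into mozilla_plugin_t. Whether mozilla_plugin_t actually has write access on mozilla_plugin_rw_t is not visible here, so confirm that before relying on the sandbox boundary. The enclosing interface's header is outside the hunk.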
########################################
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
-/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
+/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
-/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
+/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
+
+/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
+/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
/var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0)
/var/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0)
-
-/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
-
-/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
## <summary>policy for glance</summary>
-
########################################
## <summary>
## Transition to glance.
domtrans_pattern($1, glance_api_exec_t, glance_api_t)
')
-
########################################
## <summary>
## Read glance's log files.
#
interface(`glance_admin',`
gen_require(`
- type glance_registry_t;
- type glance_api_t;
- type glance_log_t;
- type glance_var_lib_t;
- type glance_var_run_t;
- type glance_registry_initrc_exec_t;
- type glance_api_initrc_exec_t;
+ type glance_registry_t, glance_api_t, glance_log_t;
+ type glance_var_lib_t, glance_var_run_t;
+ type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
')
allow $1 glance_registry_t:process signal_perms;
files_search_pids($1)
admin_pattern($1, glance_var_run_t)
-
')
-
corenet_tcp_bind_generic_node(glance_registry_t)
corenet_tcp_bind_glance_registry_port(glance_registry_t)
-
########################################
#
# glance-api local policy
-/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
-
-/usr/sbin/matahari-dbus-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
-
-/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
-
-/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
+/usr/sbin/matahari-dbus-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
+/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
+/usr/sbin/matahari-dbus-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
-/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
+/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
-/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
+/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
+/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
/usr/sbin/matahari-qmf-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
+/usr/sbin/matahari-qmf-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
+/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
-/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
-
-/usr/sbin/matahari-dbus-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
-
-/usr/sbin/matahari-qmf-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
+/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
-/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0)
+/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0)
-/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0)
-/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
-/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
+/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0)
+/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
+/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
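Review bot: The re-added init-script entries on L78-L81 carry no `--` file-type qualifier, unlike every `/usr/sbin/...` line below them, so the patterns also match directories and symlinks at those paths. Since the lines are being rewritten anyway, make them consistent with the rest of the file, e.g. `/etc/rc\.d/init\.d/matahari-host -- gen_context(system_u:object_r:matahari_initrc_exec_t,s0)` and likewise for the other three. I cannot see whether any consumer depends on the unqualified form, so treat this as a consistency nit rather than a bug.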
type matahari_$1_t, matahari_domain;
type matahari_$1_exec_t;
init_daemon_domain(matahari_$1_t, matahari_$1_exec_t)
-
')
########################################
manage_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
')
-
########################################
## <summary>
## Read matahari PID files.
#
interface(`matahari_admin',`
gen_require(`
- type matahari_initrc_exec_t;
- type matahari_hostd_t;
- type matahari_netd_t;
- type matahari_serviced_t;
- type matahari_var_lib_t;
- type matahari_var_run_t;
+ type matahari_initrc_exec_t, matahari_hostd_t;
+ type matahari_netd_t, matahari_serviced_t;
+ type matahari_var_lib_t, matahari_var_run_t;
')
init_labeled_script_domtrans($1, matahari_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, matahari_var_run_t)
-
')
# matahari domain local policy
#
-allow matahari_domain self:process { signal };
+allow matahari_domain self:process signal;
allow matahari_domain self:fifo_file rw_fifo_file_perms;
allow matahari_domain self:unix_stream_socket create_stream_socket_perms;
-/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
/usr/lib64/erlang/erts-5.8.5/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
-#/usr/lib64/erlang/lib/os_mon-2.2.7/priv/bin/cpu_sup -- gen_context(system_u:object_r:rabbitmq_cpu_sup_exec_t,s0)
+/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
-/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+
+/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
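Review bot: The epmd entry re-added on L153, like the beam entry on L151, pins the Erlang runtime directory to `erts-5.8.5`; after any Erlang upgrade the binaries live under a new `erts-X.Y.Z` directory, get the default library/bin label, and the domain transitions into rabbitmq_epmd_t and rabbitmq_beam_t silently stop happening, which leaves those daemons running in whatever domain started them. Since the line is being touched, loosen the version component, e.g. `/usr/lib64/erlang/erts-[^/]+/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)`, and do the same for the beam pattern on L151. The `/usr/lib64` prefix is also arch-specific; `/usr/lib(64)?/erlang/...` would cover 32-bit installs if the package supports them.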
## <summary>policy for rabbitmq</summary>
-
########################################
## <summary>
## Transition to rabbitmq.
corecmd_search_bin($1)
domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
')
-
allow rabbitmq_beam_t self:process { setsched signal signull };
allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
-allow rabbitmq_beam_t self:tcp_socket { accept listen };
+allow rabbitmq_beam_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-allow rabbitmq_epmd_t self:process { signal };
+allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
type rhev_agentd_var_run_t;
files_pid_file(rhev_agentd_var_run_t)
-# WHY IS USED /TMP DIRECTORY
type rhev_agentd_tmp_t;
files_tmp_file(rhev_agentd_tmp_t)
optional_policy(`
xserver_dbus_chat_xdm(rhev_agentd_t)
')
-
/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
-/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
-
-/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)
+/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
-/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
+/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)
+
+/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
')
-
########################################
## <summary>
## Execute rhsmcertd server in the rhsmcertd domain.
init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
')
-
########################################
## <summary>
## Read rhsmcertd's log files.
manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
')
-
########################################
## <summary>
## Read rhsmcertd PID files.
#
interface(`rhsmcertd_admin',`
gen_require(`
- type rhsmcertd_t;
- type rhsmcertd_initrc_exec_t;
- type rhsmcertd_log_t;
- type rhsmcertd_var_lib_t;
- type rhsmcertd_var_run_t;
+ type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
+ type rhsmcertd_var_lib_t, rhsmcertd_var_run_t;
')
allow $1 rhsmcertd_t:process signal_perms;
files_search_pids($1)
admin_pattern($1, rhsmcertd_var_run_t)
-
')
-
#
# sanlock local policy
#
-allow sanlock_t self:capability { kill sys_nice ipc_lock };
+allow sanlock_t self:capability { sys_nice ipc_lock };
allow sanlock_t self:process { setsched signull };
allow sanlock_t self:fifo_file rw_fifo_file_perms;
dev_read_urand(sanlock_t)
-logging_send_syslog_msg(sanlock_t)
-
init_read_utmp(sanlock_t)
init_dontaudit_write_utmp(sanlock_t)
+logging_send_syslog_msg(sanlock_t)
+
miscfiles_read_localization(sanlock_t)
tunable_policy(`sanlock_use_nfs',`
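Review bot: Dropping `kill` from sanlock_t's capability set on L236 may break lease enforcement rather than tighten it: the `capability kill` check is what the kernel consults when a process signals a pid owned by a different uid, and the `self:process` rule on L237 only covers sanlock signalling itself. If sanlock signals the client processes whose leases it manages, and those run under a different uid, their kill() calls will now fail with EPERM and a lost lease goes unenforced. If the removal was driven by the absence of an AVC in routine logs, verify it with a forced lease-loss test; if the capability is genuinely unneeded, record why in a one-line comment above L236 so it is not re-added on the next denial.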
#
# sblim_gatherd local policy
#
-
-#needed by ps
-allow sblim_gatherd_t self:capability { kill dac_override };
+allow sblim_gatherd_t self:capability dac_override;
allow sblim_gatherd_t self:process signal;
-
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms;
fs_getattr_all_fs(sblim_gatherd_t)
+sysnet_dns_name_resolve(sblim_gatherd_t)
+
term_getattr_pty_fs(sblim_gatherd_t)
init_read_utmp(sblim_gatherd_t)
optional_policy(`
ssh_signull(sblim_gatherd_t)
- sysnet_dns_name_resolve(sblim_gatherd_t)
')
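Review bot: Removing `kill` on L254 while keeping `ssh_signull(sblim_gatherd_t)` on L265 is only consistent if gatherd runs as root: a kill(pid, 0) toward a root-owned sshd from a non-root uid performs the same permission check as a real signal and needs CAP_KILL, so the null-signal probe would start failing with EPERM. The deleted `#needed by ps` comment on L252 was the only justification for the remaining `dac_override`, which is a blanket DAC bypass; keep a why-comment on L254, e.g. `# dac_override: presumably for reading other users' /proc entries (ps-style listing) - confirm`. Moving sysnet_dns_name_resolve out of the optional block on L260 looks fine since it does not depend on the ssh module.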
optional_policy(`
files_read_etc_files(sblim_domain)
miscfiles_read_localization(sblim_domain)
-
allow $1 sshd_t:process signal;
')
+########################################
+## <summary>
+## Send a null signal to sshd processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_signull',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:process signull;
+')
+
########################################
## <summary>
## Read a ssh server unnamed pipe.
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
-########################################
-## <summary>
-## Send a null signal to sshd processes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`ssh_signull',`
- gen_require(`
- type sshd_t;
- ')
-
- allow $1 sshd_t:process signull;
-')
-
#####################################
## <summary>
## Allow domain dyntransition to chroot_user_t domain.
/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
-
/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0)
#
interface(`uuidd_admin',`
gen_require(`
- type uuidd_t;
- type uuidd_initrc_exec_t;
- type uuidd_var_lib_t;
- type uuidd_var_run_t;
+ type uuidd_t, uuidd_initrc_exec_t;
+ type uuidd_var_run_t, uuidd_var_lib_t;
')
allow $1 uuidd_t:process signal_perms;
#
# uuidd local policy
#
-allow uuidd_t self:capability { setuid };
-allow uuidd_t self:process { signal };
-
+allow uuidd_t self:capability setuid;
+allow uuidd_t self:process signal;
allow uuidd_t self:fifo_file rw_fifo_file_perms;
allow uuidd_t self:unix_stream_socket create_stream_socket_perms;
allow uuidd_t self:udp_socket create_socket_perms;
files_read_etc_files(uuidd_t)
miscfiles_read_localization(uuidd_t)
-
+/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
-/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
+/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
-/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
-/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
-
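Review bot: The pid-file entry on L352, `/var/run/spice-vdagentd.\pid`, is mis-escaped: the dot is unescaped and `\p` is not a valid escape in the PCRE syntax libselinux uses for file contexts (it expects a property name after `\p`), so the entry likely fails to compile or never matches. The sibling `(/.*)?` rule on L351 does not cover a file named `spice-vdagentd.pid` either, so the pid file would fall back to the generic /var/run label. Since the commit is already reordering this block, fix it to `/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)`, matching the correctly escaped log entry on L350.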
## <summary>policy for vdagent</summary>
-#####################################
-## <summary>
-## Getattr on vdagent executable.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`vdagent_getattr_exec',`
- gen_require(`
- type vdagent_exec_t;
- ')
-
- allow $1 vdagent_exec_t:file getattr;
-')
-
########################################
## <summary>
## Execute a domain transition to run vdagent.
domtrans_pattern($1, vdagent_exec_t, vdagent_t)
')
+#####################################
+## <summary>
+## Getattr on vdagent executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_getattr_exec',`
+ gen_require(`
+ type vdagent_exec_t;
+ ')
+
+ allow $1 vdagent_exec_t:file getattr;
+')
+
#######################################
## <summary>
## Get the attributes of vdagent logs.
#
interface(`vdagent_admin',`
gen_require(`
- type vdagent_t;
- type vdagent_var_run_t;
+ type vdagent_t, vdagent_var_run_t;
')
allow $1 vdagent_t:process signal_perms;
files_search_pids($1)
admin_pattern($1, vdagent_var_run_t)
-
')
-
/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
-/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
+/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
+/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-/var/ace(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
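Review bot: Relabelling `/var/ace` from auth_cache_t to var_auth_t on L420 changes which domains may touch it, and that directory typically holds the RSA SecurID agent configuration and node secret rather than a cache. Any consumer that reached it through the auth_cache_t interfaces now needs the var_auth_t ones (auth_rw_var_auth/auth_manage_var_auth), and if var_auth_t is handed out broadly through auth_use_pam in this policy version, the change widens access to a credential compared with before; confirm both directions are intended. Existing deployments also keep the old label until a restorecon, so make sure the package's post-install relabel covers `/var/ace`. A short comment above L420 naming what lives there, e.g. `# RSA SecurID agent data (node secret), not a cache`, would stop the next person from moving it back.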