Update f14
authorDan Walsh <dwalsh@redhat.com>
Thu, 26 Aug 2010 16:55:57 +0000 (12:55 -0400)
committerDan Walsh <dwalsh@redhat.com>
Thu, 26 Aug 2010 16:55:57 +0000 (12:55 -0400)
22 files changed:
policy/modules/admin/dmesg.te
policy/modules/admin/logrotate.te
policy/modules/apps/kdumpgui.if
policy/modules/apps/livecd.te
policy/modules/apps/mono.if
policy/modules/apps/sambagui.if
policy/modules/apps/sambagui.te
policy/modules/kernel/files.if
policy/modules/roles/dbadm.te
policy/modules/roles/staff.te
policy/modules/roles/sysadm.te
policy/modules/roles/unprivuser.te
policy/modules/services/abrt.if
policy/modules/services/apache.te
policy/modules/services/cobbler.fc
policy/modules/services/cobbler.if
policy/modules/services/cobbler.te
policy/modules/services/dnsmasq.te
policy/modules/services/mojomojo.te
policy/modules/services/tftp.te
policy/modules/system/iptables.te
support/Makefile.devel

index 62b7b38213fde18e0d9fb8944f62c3b0f1e742b7..54210658b100c12ad2a42d930c8bd6089af1c600 100644 (file)
@@ -50,7 +50,7 @@ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
 userdom_use_user_terminals(dmesg_t)
 
 optional_policy(`
-       abrt_append_cache_files(dmesg_t)
+       abrt_cache_append(dmesg_t)
        abrt_rw_fifo_file(dmesg_t)
        abrt_manage_pid_files(dmesg_t)
 ')
index f7d7c059ce4e91fc52d7659400b062b319cdb0c1..23ef05f523bd3d54287a97b0fd2095e9314f9464 100644 (file)
@@ -139,7 +139,7 @@ ifdef(`distro_debian', `
 ')
 
 optional_policy(`
-       abrt_manage_cache_files(logrotate_t)
+       abrt_cache_manage(logrotate_t)
 ')
 
 optional_policy(`
index 2b56a87484c093ca0c5f3fdcea1989d910ce588f..d6af9b084765370e682b54f64adcac9ec6cdd78c 100644 (file)
@@ -1,2 +1,2 @@
-
 ## <summary>system-config-kdump GUI</summary>
+
index 87b571bf3ce88c646d9c15dee8a743273a3a7ce1..47a193cd666d05354339800f4117af57e6252bcc 100644 (file)
@@ -20,7 +20,6 @@ files_tmp_file(livecd_tmp_t)
 
 dontaudit livecd_t self:capability2 mac_admin;
 
-unconfined_domain_noaudit(livecd_t)
 domain_ptrace_all_domains(livecd_t)
 
 manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
@@ -28,6 +27,9 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
 files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
 
 optional_policy(`
-       hal_dbus_chat(livecd_t)
+       unconfined_domain_noaudit(livecd_t)
 ')
 
+optional_policy(`
+       hal_dbus_chat(livecd_t)
+')
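Review bot: `unconfined_domain_noaudit(livecd_t)` is now conditional on the unconfined module being present, but nothing records that livecd_t has no real policy of its own to fall back on: outside this block the domain keeps only the tmp rules and `domain_ptrace_all_domains` from the previous hunk, so on a build without the unconfined module it would presumably fail under enforcing mode rather than run confined in any useful way. A one-line comment above the block would make the dependency explicit, e.g. `# livecd_t is meant to run unconfined; optional_policy only so the module builds without unconfined.pp` — worth confirming that is the intent before wording it that way.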
index e82faff69784b9b1627525c618ca2e1cdcb6aa26..9c9e6c1c02b181df48334a5849c08df6f73ae190 100644 (file)
@@ -43,13 +43,14 @@ template(`mono_role_template',`
        allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
        allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
 
-       userdom_unpriv_usertype($1, $1_mono_t)
-       userdom_manage_tmpfs_role($2, $1_mono_t)
-
        domtrans_pattern($3, mono_exec_t, $1_mono_t)
 
        fs_dontaudit_rw_tmpfs_files($1_mono_t)
        corecmd_bin_domtrans($1_mono_t, $1_t)
+
+       userdom_unpriv_usertype($1, $1_mono_t)
+       userdom_manage_tmpfs_role($2, $1_mono_t)
+
        ifdef(`hide_broken_symptoms', `
                dontaudit $1_t $1_mono_t:socket_class_set { read write };
        ')
index 6b8383d552f5dffcad30f9ed6194cbac74524d00..b31ed1073cf7143b655a89ee26008e4ee3590e2d 100644 (file)
@@ -1,3 +1,2 @@
 ## <summary>system-config-samba dbus service policy</summary>
 
-
index e667c4d1f5f6d9883fb39b3a46f34d223e866cdb..26bb71c0211310747284f3e9ff945b4d3ee4da0d 100644 (file)
@@ -1,4 +1,4 @@
-policy_module(sambagui,1.0.0)
+policy_module(sambagui, 1.0.0)
 
 ########################################
 #
@@ -14,29 +14,22 @@ dbus_system_domain(sambagui_t, sambagui_exec_t)
 # system-config-samba local policy
 #
 
-allow sambagui_t self:capability dac_override;  
+allow sambagui_t self:capability dac_override;
 allow sambagui_t self:fifo_file rw_fifo_file_perms;
 allow sambagui_t self:unix_dgram_socket create_socket_perms;
 
-# handling with samba conf files
-samba_append_log(sambagui_t)
-samba_manage_config(sambagui_t)
-samba_manage_var_files(sambagui_t)
-samba_read_secrets(sambagui_t)
-samba_initrc_domtrans(sambagui_t)
-samba_domtrans_smbd(sambagui_t)
-samba_domtrans_nmbd(sambagui_t)
+# read meminfo
+kernel_read_system_state(sambagui_t)
 
 # execut apps of system-config-samba
 corecmd_exec_shell(sambagui_t)
 corecmd_exec_bin(sambagui_t)
 
+dev_dontaudit_read_urand(sambagui_t)
+
 files_read_etc_files(sambagui_t)
-files_read_usr_files(sambagui_t)
 files_search_var_lib(sambagui_t)
-
-# reading shadow by pdbedit
-#auth_read_shadow(sambagui_t)
+files_read_usr_files(sambagui_t)
 
 auth_use_nsswitch(sambagui_t)
 
@@ -44,14 +37,18 @@ logging_send_syslog_msg(sambagui_t)
 
 miscfiles_read_localization(sambagui_t)
 
-# read meminfo
-kernel_read_system_state(sambagui_t)
-
-dev_dontaudit_read_urand(sambagui_t)
 nscd_dontaudit_search_pid(sambagui_t)
 
 userdom_dontaudit_search_admin_dir(sambagui_t)
 
+# handling with samba conf files
+samba_append_log(sambagui_t)
+samba_manage_config(sambagui_t)
+samba_manage_var_files(sambagui_t)
+samba_read_secrets(sambagui_t)
+samba_initrc_domtrans(sambagui_t)
+samba_domtrans_smbd(sambagui_t)
+samba_domtrans_nmbd(sambagui_t)
 
 optional_policy(`
        consoletype_exec(sambagui_t)
index ef14126a7f8a4a762700cd4b22a9ab44c024f806..8779f435a7d083d167887a4f9f24483096d79d67 100644 (file)
@@ -5308,6 +5308,25 @@ interface(`files_getattr_generic_locks',`
        getattr_files_pattern($1, var_lock_t, var_lock_t)
 ')
 
+########################################
+## <summary>
+##     Delete generic lock files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_delete_generic_locks',`
+       gen_require(`
+               type var_t, var_lock_t;
+       ')
+
+       allow $1 var_t:dir search_dir_perms;
+       delete_files_pattern($1, var_lock_t, var_lock_t)
+')
+
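Review bot: The summary for `files_delete_generic_locks` does not say that the grant is unscoped: `delete_files_pattern($1, var_lock_t, var_lock_t)` lets the caller unlink any file labeled var_lock_t, including the lock files of unrelated services, which is one way to let a second instance of a daemon start next to the first. The XML summary should spell that out so callers do not reach for it casually, e.g. `##	Delete generic lock files. Not limited to the caller's own locks: any file labeled var_lock_t can be removed.` The one caller visible in this diff is dbadm_t, a role domain rather than a daemon, so the breadth of the grant is worth a second look there too.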
 ########################################
 ## <summary>
 ##     Create, read, write, and delete generic
index 2ddeb706ef10abe0c5e6b355cbe0e5d795cb07d0..a3ddd43ee39b219788486f80c4520e35a2ea19a7 100644 (file)
@@ -5,6 +5,20 @@ policy_module(dbadm, 1.0.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow dbadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow dbadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_read_user_files, false)
+
 role dbadm_r;
 
 userdom_unpriv_user_template(dbadm)
@@ -14,17 +28,35 @@ userdom_unpriv_user_template(dbadm)
 # database admin local policy
 #
 
-optional_policy(`
-       mysql_admin(dbadm_t, dbadm_r)
+allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+
+files_dontaudit_search_all_dirs(dbadm_t)
+files_delete_generic_locks(dbadm_t)
+files_list_var(dbadm_t)
+
+selinux_get_enforce_mode(dbadm_t)
+
+logging_send_syslog_msg(dbadm_t)
+
+userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+tunable_policy(`dbadm_manage_user_files',`
+       userdom_manage_user_home_content_files(dbadm_t)
+       userdom_read_user_tmp_files(dbadm_t)
+       userdom_write_user_tmp_files(dbadm_t)
+')
+
+tunable_policy(`dbadm_read_user_files',`
+       userdom_read_user_home_content_files(dbadm_t)
+       userdom_read_user_tmp_files(dbadm_t)
 ')
 
 optional_policy(`
-       postgresql_admin(dbadm_t, dbadm_r)
+       mysql_admin(dbadm_t, dbadm_r)
 ')
 
-# For starting up daemon processes
 optional_policy(`
-       su_role_template(dbadm, dbadm_r, dbadm_t)
+       postgresql_admin(dbadm_t, dbadm_r)
 ')
 
 optional_policy(`
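Review bot: The new `allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };` carries no comment saying which tool needs it, and it interacts with the tunables below it: once `dbadm_manage_user_files` is enabled, `dac_override` means dbadm_t can write any user's home-content files regardless of their Unix ownership and mode bits, so the tunable grants more than its description ("manage files in users home directories") suggests. Nothing in this hunk adds a matching `process ptrace` rule, so `sys_ptrace` is either unused here or relied on by the mysql/postgresql admin interfaces; either way a comment is needed, e.g. `# TODO(review): document which admin tool needs dac_override/dac_read_search and sys_ptrace`, and if sys_ptrace is only for debugging it would be better behind its own tunable than granted to the role unconditionally. The trailing `optional_policy(` at the end of the hunk continues outside it.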
index 303d72a0ac46f2ac39e423acd6efefbfc134ef73..fabc1a0a9ae9ef12d87500b259f7f17b17935634 100644 (file)
@@ -22,14 +22,29 @@ kernel_read_ring_buffer(staff_usertype)
 kernel_getattr_core_if(staff_usertype)
 kernel_getattr_message_if(staff_usertype)
 kernel_read_software_raid_state(staff_usertype)
+kernel_read_fs_sysctls(staff_usertype)
+
+domain_read_all_domains_state(staff_usertype)
+domain_getattr_all_domains(staff_usertype)
+domain_obj_id_change_exemption(staff_t)
+
+files_read_kernel_modules(staff_usertype)
+
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
+
+term_use_unallocated_ttys(staff_usertype)
 
 auth_domtrans_pam_console(staff_t)
 
 init_dbus_chat(staff_t)
 init_dbus_chat_script(staff_t)
 
-seutil_read_module_store(staff_t)
-seutil_run_newrole(staff_t, staff_r)
+miscfiles_read_hwdata(staff_usertype)
+
+modutils_read_module_config(staff_usertype)
+modutils_read_module_deps(staff_usertype)
+
 netutils_run_ping(staff_t, staff_r)
 netutils_signal_ping(staff_t)
 
@@ -41,208 +56,184 @@ optional_policy(`
        mozilla_run_plugin(staff_t, staff_r)
 ')
 
-ifndef(`distro_redhat',`
-
-optional_policy(`
-       auth_role(staff_r, staff_t)
-')
-')
-
 optional_policy(`
        auditadm_role_change(staff_r)
 ')
 
 optional_policy(`
-       kerneloops_manage_tmp_files(staff_t)
+       dbadm_role_change(staff_r)
 ')
 
 optional_policy(`
        logadm_role_change(staff_r)
 ')
 
-ifndef(`distro_redhat',`
 optional_policy(`
-       bluetooth_role(staff_r, staff_t)
-')
-
-optional_policy(`
-       cdrecord_role(staff_r, staff_t)
-')
-
-optional_policy(`
-       cron_role(staff_r, staff_t)
-')
-
-optional_policy(`
-       dbus_role_template(staff, staff_r, staff_t)
-')
-
-optional_policy(`
-       evolution_role(staff_r, staff_t)
-')
-
-optional_policy(`
-       games_role(staff_r, staff_t)
-')
-
-optional_policy(`
-       gift_role(staff_r, staff_t)
-')
-
-optional_policy(`
-       gnome_role(staff_r, staff_t)
+       webadm_role_change(staff_r)
 ')
 
 optional_policy(`
-       gpg_role(staff_r, staff_t)
+       kerneloops_manage_tmp_files(staff_t)
 ')
 
 optional_policy(`
-       irc_role(staff_r, staff_t)
+       postgresql_role(staff_r, staff_t)
 ')
 
 optional_policy(`
-       java_role(staff_r, staff_t)
+       secadm_role_change(staff_r)
 ')
 
 optional_policy(`
-       lockdev_role(staff_r, staff_t)
+       unconfined_role_change(staff_r)
 ')
 
 optional_policy(`
-       lpd_role(staff_r, staff_t)
+       rtkit_scheduled(staff_t)
 ')
 
 optional_policy(`
-       mozilla_role(staff_r, staff_t)
+       screen_role_template(staff, staff_r, staff_t)
 ')
 
 optional_policy(`
-       mplayer_role(staff_r, staff_t)
+       ssh_role_template(staff, staff_r, staff_t)
 ')
 
 optional_policy(`
-       mta_role(staff_r, staff_t)
+       sudo_role_template(staff, staff_r, staff_t)
 ')
 
 optional_policy(`
-       oident_manage_user_content(staff_t)
-       oident_relabel_user_content(staff_t)
-')
+       sysadm_role_change(staff_r)
+       userdom_dontaudit_use_user_terminals(staff_t)
 ')
 
 optional_policy(`
-       postgresql_role(staff_r, staff_t)
+       telepathy_dbus_session_role(staff_r, staff_t)
 ')
 
 optional_policy(`
-       rtkit_scheduled(staff_t)
+       xserver_role(staff_r, staff_t)
 ')
 
 ifndef(`distro_redhat',`
-optional_policy(`
-       pyzor_role(staff_r, staff_t)
-')
-
-optional_policy(`
-       razor_role(staff_r, staff_t)
-')
+       optional_policy(`
+               auth_role(staff_r, staff_t)
+       ')
+
+       optional_policy(`
+               bluetooth_role(staff_r, staff_t)
+       ')
+
+       optional_policy(`
+               cdrecord_role(staff_r, staff_t)
+       ')
+
+       optional_policy(`
+               cron_role(staff_r, staff_t)
+       ')
+
+       optional_policy(`
+               dbus_role_template(staff, staff_r, staff_t)
+       ')
 
-optional_policy(`
-       rssh_role(staff_r, staff_t)
-')
+       optional_policy(`
+               evolution_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       screen_role_template(staff, staff_r, staff_t)
-')
-')
+       optional_policy(`
+               games_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       secadm_role_change(staff_r)
-')
+       optional_policy(`
+               gift_role(staff_r, staff_t)
+       ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       spamassassin_role(staff_r, staff_t)
-')
-')
+       optional_policy(`
+               gnome_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       ssh_role_template(staff, staff_r, staff_t)
-')
+       optional_policy(`
+               gpg_role(staff_r, staff_t)
+       ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       su_role_template(staff, staff_r, staff_t)
-')
-')
+       optional_policy(`
+               irc_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       sudo_role_template(staff, staff_r, staff_t)
-')
+       optional_policy(`
+               java_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       sysadm_role_change(staff_r)
-       userdom_dontaudit_use_user_terminals(staff_t)
-')
+       optional_policy(`
+               lockdev_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       telepathy_dbus_session_role(staff_r, staff_t)
-')
+       optional_policy(`
+               lpd_role(staff_r, staff_t)
+       ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       thunderbird_role(staff_r, staff_t)
-')
+       optional_policy(`
+               mozilla_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       tvtime_role(staff_r, staff_t)
-')
+       optional_policy(`
+               mplayer_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       uml_role(staff_r, staff_t)
-')
+       optional_policy(`
+               mta_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       userhelper_role_template(staff, staff_r, staff_t)
-')
+       optional_policy(`
+               oident_manage_user_content(staff_t)
+               oident_relabel_user_content(staff_t)
+       ')
+       optional_policy(`
+               pyzor_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       vmware_role(staff_r, staff_t)
-')
+       optional_policy(`
+               razor_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       wireshark_role(staff_r, staff_t)
-')
+       optional_policy(`
+               rssh_role(staff_r, staff_t)
+       ')
 
-')
-
-optional_policy(`
-       unconfined_role_change(staff_r)
-')
-
-optional_policy(`
-       webadm_role_change(staff_r)
-')
+       optional_policy(`
+               spamassassin_role(staff_r, staff_t)
+       ')
 
-optional_policy(`
-       xserver_role(staff_r, staff_t)
-')
+       optional_policy(`
+               su_role_template(staff, staff_r, staff_t)
+       ')
 
-domain_read_all_domains_state(staff_usertype)
-domain_getattr_all_domains(staff_usertype)
-domain_obj_id_change_exemption(staff_t)
+       optional_policy(`
+               thunderbird_role(staff_r, staff_t)
+       ')
 
-files_read_kernel_modules(staff_usertype)
+       optional_policy(`
+               tvtime_role(staff_r, staff_t)
+       ')
 
-kernel_read_fs_sysctls(staff_usertype)
+       optional_policy(`
+               uml_role(staff_r, staff_t)
+       ')
 
-modutils_read_module_config(staff_usertype)
-modutils_read_module_deps(staff_usertype)
+       optional_policy(`
+               userhelper_role_template(staff, staff_r, staff_t)
+       ')
 
-miscfiles_read_hwdata(staff_usertype)
+       optional_policy(`
+               vmware_role(staff_r, staff_t)
+       ')
 
-term_use_unallocated_ttys(staff_usertype)
+       optional_policy(`
+               wireshark_role(staff_r, staff_t)
+       ')
+')
 
 optional_policy(`
        accountsd_dbus_chat(staff_t)
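Review bot: Among the relocated rules, `dbadm_role_change(staff_r)` is the one call that has no counterpart on the old side of this hunk, so the commit quietly enables staff_r to change role into dbadm_r (via newrole/sudo, subject to the usual authentication) while the title "Update f14" and the surrounding reorder give no hint of it. Since everything else in the hunk is a pure move, it would help anyone bisecting later to mention the new transition in the commit message, or to keep it in its own change with a one-line comment such as `# staff may become the database administrator`. The first `optional_policy(` block is cut by the hunk header and begins outside the hunk.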
@@ -273,10 +264,6 @@ optional_policy(`
        sandbox_transition(staff_t, staff_r)
 ')
 
-optional_policy(`
-       screen_role_template(staff, staff_r, staff_t)
-')
-
 optional_policy(`
        setroubleshoot_stream_connect(staff_t)
        setroubleshoot_dbus_chat(staff_t)
index cf17ed103b855e55434ba9d6e229c9c068619d1d..1a950853223b361519bb9103b89453044c0fa482 100644 (file)
@@ -24,11 +24,14 @@ ifndef(`enable_mls',`
 #
 # Local policy
 #
+kernel_read_fs_sysctls(sysadm_t)
 
 corecmd_exec_shell(sysadm_t)
 
 domain_dontaudit_read_all_domains_state(sysadm_t)
 
+files_read_kernel_modules(sysadm_t)
+
 mls_process_read_up(sysadm_t)
 mls_file_read_to_clearance(sysadm_t)
 mls_process_write_to_clearance(sysadm_t)
@@ -42,6 +45,11 @@ application_exec(sysadm_t)
 init_exec(sysadm_t)
 init_exec_script_files(sysadm_t)
 init_dbus_chat(sysadm_t)
+init_script_role_transition(sysadm_r)
+
+modutils_read_module_deps(sysadm_t)
+
+miscfiles_read_hwdata(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
@@ -83,9 +91,6 @@ optional_policy(`
        apache_run_helper(sysadm_t, sysadm_r)
        #apache_run_all_scripts(sysadm_t, sysadm_r)
        #apache_domtrans_sys_script(sysadm_t)
-       ifndef(`distro_redhat',`
-               apache_role(sysadm_r, sysadm_t)
-       ')
 ')
 
 optional_policy(`
@@ -101,12 +106,6 @@ optional_policy(`
        auditadm_role_change(sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       auth_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        backup_run(sysadm_t, sysadm_r)
 ')
@@ -115,22 +114,10 @@ optional_policy(`
        bind_run_ndc(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       bluetooth_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        bootloader_run(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       cdrecord_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        certmonger_dbus_chat(sysadm_t)
 ')
@@ -151,16 +138,6 @@ optional_policy(`
        consoletype_run(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       cron_admin_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
-       dbus_role_template(sysadm, sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
     daemonstools_run_start(sysadm_t, sysadm_r)
 ')
@@ -187,12 +164,6 @@ optional_policy(`
        dpkg_run(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       evolution_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        firstboot_run(sysadm_t, sysadm_r)
 ')
@@ -201,24 +172,6 @@ optional_policy(`
        fstools_run(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       games_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
-       gift_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
-       gnome_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
-       gpg_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        hostname_run(sysadm_t, sysadm_r)
 ')
@@ -248,16 +201,6 @@ optional_policy(`
        kerberos_exec_kadmind(sysadm_t)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       irc_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
-       java_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        kudzu_run(sysadm_t, sysadm_r)
 ')
@@ -266,12 +209,6 @@ optional_policy(`
        libs_run_ldconfig(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       lockdev_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        logrotate_run(sysadm_t, sysadm_r)
 ')
@@ -296,16 +233,6 @@ optional_policy(`
        mount_run_showmount(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       mozilla_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
-       mplayer_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        mta_role(sysadm_r, sysadm_t)
 ')
@@ -359,12 +286,6 @@ optional_policy(`
        prelink_run(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       pyzor_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        quota_run(sysadm_t, sysadm_r)
 ')
@@ -373,12 +294,6 @@ optional_policy(`
        raid_domtrans_mdadm(sysadm_t)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       razor_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        rpc_domtrans_nfsd(sysadm_t)
 ')
@@ -387,11 +302,6 @@ optional_policy(`
        rpm_run(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       rssh_role(sysadm_r, sysadm_t)
-')
-')
 
 optional_policy(`
        rsync_exec(sysadm_t)
@@ -419,11 +329,6 @@ optional_policy(`
        shutdown_run(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       spamassassin_role(sysadm_r, sysadm_t)
-')
-')
 
 optional_policy(`
        ssh_role_template(sysadm, sysadm_r, sysadm_t)
@@ -446,12 +351,6 @@ optional_policy(`
        sysnet_run_dhcpc(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       thunderbird_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        tripwire_run_siggen(sysadm_t, sysadm_r)
        tripwire_run_tripwire(sysadm_t, sysadm_r)
@@ -459,22 +358,10 @@ optional_policy(`
        tripwire_run_twprint(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       tvtime_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        tzdata_domtrans(sysadm_t)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       uml_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        unconfined_domtrans(sysadm_t)
 ')
@@ -487,23 +374,12 @@ optional_policy(`
        usbmodules_run(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       userhelper_role_template(sysadm, sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        usermanage_run_admin_passwd(sysadm_t, sysadm_r)
        usermanage_run_groupadd(sysadm_t, sysadm_r)
        usermanage_run_useradd(sysadm_t, sysadm_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       vmware_role(sysadm_r, sysadm_t)
-')
-')
 
 optional_policy(`
        vpn_run(sysadm_t, sysadm_r)
@@ -521,16 +397,6 @@ optional_policy(`
        virt_stream_connect(sysadm_t)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       wireshark_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
-       xserver_role(sysadm_r, sysadm_t)
-')
-')
-
 optional_policy(`
        yam_run(sysadm_t, sysadm_r)
 ')
@@ -539,9 +405,111 @@ optional_policy(`
        zebra_stream_connect(sysadm_t)
 ')
 
-init_script_role_transition(sysadm_r)
+ifndef(`distro_redhat',`
+       optional_policy(`
+               apache_role(sysadm_r, sysadm_t)
+       ')
+       optional_policy(`
+               auth_role(sysadm_r, sysadm_t)
+       ')
 
-files_read_kernel_modules(sysadm_t)
-kernel_read_fs_sysctls(sysadm_t)
-modutils_read_module_deps(sysadm_t)
-miscfiles_read_hwdata(sysadm_t)
+       optional_policy(`
+               bluetooth_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               cdrecord_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               cron_admin_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               dbus_role_template(sysadm, sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               evolution_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               games_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               gift_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               gnome_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               gpg_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               irc_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               java_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               lockdev_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               mozilla_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               mplayer_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               pyzor_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               razor_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               rssh_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               spamassassin_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               thunderbird_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               tvtime_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               uml_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               vmware_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               wireshark_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               xserver_role(sysadm_r, sysadm_t)
+       ')
+')
index 579825e77784e5de22daad7a55fa37392f907939..aac3fe1a09514db4a1ff110a9d7760b874eef67c 100644 (file)
@@ -22,97 +22,6 @@ optional_policy(`
        mozilla_run_plugin(user_t, user_r)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       auth_role(user_r, user_t)
-')
-
-optional_policy(`
-       bluetooth_role(user_r, user_t)
-')
-
-optional_policy(`
-       cdrecord_role(user_r, user_t)
-')
-
-optional_policy(`
-       cron_role(user_r, user_t)
-')
-
-optional_policy(`
-       dbus_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
-       evolution_role(user_r, user_t)
-')
-
-optional_policy(`
-       games_role(user_r, user_t)
-')
-
-optional_policy(`
-       gift_role(user_r, user_t)
-')
-
-optional_policy(`
-       gnome_role(user_r, user_t)
-')
-
-optional_policy(`
-       gpg_role(user_r, user_t)
-')
-
-optional_policy(`
-       irc_role(user_r, user_t)
-')
-
-optional_policy(`
-       java_role(user_r, user_t)
-')
-
-optional_policy(`
-       lockdev_role(user_r, user_t)
-')
-
-optional_policy(`
-       lpd_role(user_r, user_t)
-')
-
-optional_policy(`
-       mozilla_role(user_r, user_t)
-')
-
-optional_policy(`
-       mplayer_role(user_r, user_t)
-')
-
-optional_policy(`
-       mta_role(user_r, user_t)
-')
-
-optional_policy(`
-       oident_manage_user_content(user_t)
-       oident_relabel_user_content(user_t)
-')
-
-optional_policy(`
-       postgresql_role(user_r, user_t)
-')
-
-optional_policy(`
-       pyzor_role(user_r, user_t)
-')
-
-optional_policy(`
-       razor_role(user_r, user_t)
-')
-
-optional_policy(`
-       rssh_role(user_r, user_t)
-')
-')
-
 optional_policy(`
        rpm_dontaudit_dbus_chat(user_t)
 ')
@@ -133,49 +42,6 @@ optional_policy(`
        telepathy_dbus_session_role(user_r, user_t)
 ')
 
-ifndef(`distro_redhat',`
-optional_policy(`
-       spamassassin_role(user_r, user_t)
-')
-
-optional_policy(`
-       ssh_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
-       su_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
-       sudo_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
-       thunderbird_role(user_r, user_t)
-')
-
-optional_policy(`
-       tvtime_role(user_r, user_t)
-')
-
-optional_policy(`
-       uml_role(user_r, user_t)
-')
-
-optional_policy(`
-       userhelper_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
-       vmware_role(user_r, user_t)
-')
-
-optional_policy(`
-       wireshark_role(user_r, user_t)
-')
-
-')
-
 optional_policy(`
        setroubleshoot_dontaudit_stream_connect(user_t)
 ')
@@ -183,3 +49,134 @@ optional_policy(`
 optional_policy(`
        xserver_role(user_r, user_t)
 ')
+
+ifndef(`distro_redhat',`
+       optional_policy(`
+               auth_role(user_r, user_t)
+       ')              
+
+       optional_policy(`
+               bluetooth_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               cdrecord_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               cron_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               dbus_role_template(user, user_r, user_t)
+       ')
+               
+       optional_policy(`
+               evolution_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               games_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               gift_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               gnome_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               gpg_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               irc_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               java_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               lockdev_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               lpd_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               mozilla_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               mplayer_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               mta_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               oident_manage_user_content(user_t)
+               oident_relabel_user_content(user_t)
+       ')
+       
+       optional_policy(`
+               postgresql_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               pyzor_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               razor_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               rssh_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               spamassassin_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               ssh_role_template(user, user_r, user_t)
+       ')
+
+       optional_policy(`
+               su_role_template(user, user_r, user_t)
+       ')
+
+       optional_policy(`
+               sudo_role_template(user, user_r, user_t)
+       ')
+
+       optional_policy(`
+               thunderbird_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               tvtime_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               uml_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               userhelper_role_template(user, user_r, user_t)
+       ')
+
+       optional_policy(`
+               vmware_role(user_r, user_t)
+       ')
+
+       optional_policy(`
+               wireshark_role(user_r, user_t)
+       ')
+')
index 8f99d78ab0000f4e1dcde2574d76566a07b8ff77..8a5d6a4e15726282ac7cb39b196f8745c8b34d02 100644 (file)
@@ -131,9 +131,9 @@ interface(`abrt_domtrans_helper',`
 
        domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
 
-ifdef(`hide_broken_symptoms', `
-       dontaudit abrt_helper_t $1:socket_class_set { read write };
-')
+       ifdef(`hide_broken_symptoms', `
+               dontaudit abrt_helper_t $1:socket_class_set { read write };
+       ')
 ')
 
 ########################################
@@ -172,7 +172,7 @@ interface(`abrt_run_helper',`
 ##     </summary>
 ## </param>
 #
-interface(`abrt_append_cache_files',`
+interface(`abrt_cache_append',`
        gen_require(`
                type abrt_var_cache_t;
        ')
@@ -190,7 +190,7 @@ interface(`abrt_append_cache_files',`
 ##     </summary>
 ## </param>
 #
-interface(`abrt_manage_cache_files',`
+interface(`abrt_cache_manage',`
        gen_require(`
                type abrt_var_cache_t;
        ')
index 61d50b8596a49f183b39fe393b040d352eed9f11..08ec94ffeb5a78c0a2c6c771876dec2aa3cbed07 100644 (file)
@@ -638,7 +638,7 @@ optional_policy(`
 optional_policy(`
        cobbler_list_config(httpd_t)
        cobbler_read_config(httpd_t)
-       cobbler_read_content(httpd_t)
+       cobbler_read_lib_files(httpd_t)
 
        tunable_policy(`httpd_can_network_connect_cobbler',`
                corenet_tcp_connect_cobbler_port(httpd_t)
index 2419401ee1c319b8f7c15186f74575241cd3987e..5f40c9253aad11ee2d8db9a28a428960d8dbc8e4 100644 (file)
@@ -5,28 +5,28 @@
 
 /usr/bin/cobblerd                              --      gen_context(system_u:object_r:cobblerd_exec_t,s0)
 
-/var/lib/cobbler(/.*)?                                 gen_context(system_u:object_r:cobbler_content_t,s0)
-
-/var/lib/tftpboot/etc(/.*)?                            gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/images(/.*)?                         gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/memdisk                      --      gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/menu\.c32                    --      gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/ppc(/.*)?                            gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/pxelinux\.0                  --      gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/pxelinux\.cfg(/.*)?                  gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/s390x(/.*)?                          gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/tftpboot/yaboot                       --      gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/lib/cobbler(/.*)?                                 gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)?                            gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)?                         gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk                      --      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32                    --      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/ppc(/.*)?                            gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.0                  --      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.cfg(/.*)?                  gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/s390x(/.*)?                          gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/yaboot                       --      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 
 /var/log/cobbler(/.*)?                                 gen_context(system_u:object_r:cobbler_var_log_t,s0)
 
 # This should removable when cobbler package installs /var/www/cobbler/rendered
-/var/www/cobbler(/.*)?                                 gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
-
-/var/www/cobbler/images(/.*)?                          gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/ks_mirror(/.*)?                       gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/links(/.*)?                           gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/localmirror(/.*)?                     gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/pub(/.*)?                             gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/rendered(/.*)?                                gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/www/cobbler/repo_mirror(/.*)?                     gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/www/cobbler(/.*)?                                 gen_context(system_u:object_r:httpd_cobbler_var_lib_t,s0)
+
+/var/www/cobbler/images(/.*)?                          gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/ks_mirror(/.*)?                       gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/links(/.*)?                           gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/localmirror(/.*)?                     gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/pub(/.*)?                             gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/rendered(/.*)?                                gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/repo_mirror(/.*)?                     gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 
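Review bot: The new entry for `/var/www/cobbler(/.*)?` labels the directory `httpd_cobbler_var_lib_t`, but no type of that name is declared anywhere in this commit's cobbler.te — `apache_content_template(cobbler)` produces `httpd_cobbler_content_t`, `httpd_cobbler_content_rw_t` and `httpd_cobbler_content_ra_t`, which are exactly the names cobblerd_admin requires and that cobblerd_t receives manage rules on. Unless that type is declared outside this diff, this fc line will be rejected when the file contexts are compiled or applied, and the daemon's manage rules on `httpd_cobbler_content_rw_t` will match no path at all. Suggest `/var/www/cobbler(/.*)?	gen_context(system_u:object_r:httpd_cobbler_content_rw_t,s0)` (or `httpd_cobbler_content_t` if the web root is meant to be read-only for cobblerd), so the fc and the .te agree on one type.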
index 823021a4a146f95a2ae9efe60fb8db077068e3dd..cde1fc2db0a5e1fa8766fc24b14379c1775e7837 100644 (file)
@@ -1,4 +1,14 @@
 ## <summary>Cobbler installation server.</summary>
+## <desc>
+##     <p>
+##             Cobbler is a Linux installation server that allows for
+##             rapid setup of network installation environments. It
+##             glues together and automates many associated Linux
+##             tasks so you do not have to hop between lots of various
+##             commands and applications when rolling out new systems,
+##             and, in some cases, changing existing ones.
+##     </p>
+## </desc>
 
 ########################################
 ## <summary>
@@ -52,7 +62,7 @@ interface(`cobbler_list_config',`
                type cobbler_etc_t;
        ')
 
-       list_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
+       list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
        files_search_etc($1)
 ')
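Review bot: `cobbler_list_config` still grants `list_dirs_pattern` on `cobbler_var_lib_t` although, in the visible context, its gen_require declares only `cobbler_etc_t` and the interface ends with `files_search_etc($1)`; the rename carried over a pre-existing mismatch between what the interface is named and what it actually permits. A caller such as httpd_t gets list access to the /var/lib cobbler tree instead of /etc/cobbler, and the type is used without being required, which can fail when the caller is built as a separate module. Suggest `list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)`. The interface's opening lines are outside this hunk.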
 
@@ -77,7 +87,7 @@ interface(`cobbler_read_config',`
 
 ########################################
 ## <summary>
-##     Manage cobbler content.
+##     Search cobbler dirs in /var/lib
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -85,20 +95,19 @@ interface(`cobbler_read_config',`
 ##     </summary>
 ## </param>
 #
-interface(`cobbler_manage_content',`
+interface(`cobbler_search_lib',`
        gen_require(`
-               type cobbler_content_t;
+               type cobbler_var_lib_t;
        ')
 
-       manage_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
-       manage_files_pattern($1, cobbler_content_t, cobbler_content_t)
-       manage_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
+       search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+       read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
        files_search_var_lib($1)
 ')
 
 ########################################
 ## <summary>
-##     Read cobbler content.
+##     Read cobbler files in /var/lib
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -106,19 +115,19 @@ interface(`cobbler_manage_content',`
 ##     </summary>
 ## </param>
 #
-interface(`cobbler_read_content',`
+interface(`cobbler_read_lib_files',`
        gen_require(`
-               type cobbler_content_t;
+               type cobbler_var_lib_t;
        ')
 
-       read_files_pattern($1, cobbler_content_t, cobbler_content_t)
-       read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
+       read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+       read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
        files_search_var_lib($1)
 ')
 
 ########################################
 ## <summary>
-##     Search cobbler content.
+##     Manage cobbler files in /var/lib
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -126,13 +135,14 @@ interface(`cobbler_read_content',`
 ##     </summary>
 ## </param>
 #
-interface(`cobbler_search_content',`
+interface(`cobbler_manage_lib_files',`
        gen_require(`
-               type cobbler_content_t;
+               type cobbler_var_lib_t;
        ')
 
-       search_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
-       read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
+       manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+       manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+       manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
        files_search_var_lib($1)
 ')
 
@@ -193,44 +203,37 @@ interface(`cobbler_dontaudit_rw_log',`
 #
 interface(`cobblerd_admin',`
        gen_require(`
-               type cobblerd_t, cobbler_var_log_t;
-               type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t;
+               type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+               type cobbler_etc_t, cobblerd_initrc_exec_t;
+               type httpd_cobbler_content_t;
+               type httpd_cobbler_content_ra_t;
+               type httpd_cobbler_content_rw_t;
        ')
 
        allow $1 cobblerd_t:process { ptrace signal_perms getattr };
        read_files_pattern($1, cobblerd_t, cobblerd_t)
 
-       cobblerd_initrc_domtrans($1)
-       domain_system_change_exemption($1)
-       role_transition $2 cobblerd_initrc_exec_t system_r;
-       allow $2 system_r;
-
-       admin_pattern($1, cobbler_etc_t)
        files_search_etc($1)
+       admin_pattern($1, cobbler_etc_t)
 
-       admin_pattern($1, cobbler_content_t)
        files_list_var_lib($1)
+       admin_pattern($1, cobbler_var_lib_t)
 
-       admin_pattern($1, cobbler_var_log_t)
        logging_search_logs($1)
+       admin_pattern($1, cobbler_var_log_t)
 
-       # below may want to be removed.
-       tunable_policy(`cobbler_anon_write',`
-               miscfiles_manage_public_files($1)
-       ')
-
-       optional_policy(`
-               gen_require(`
-                       type httpd_cobbler_content_t;
-               ')
+       apache_search_sys_content($1)
+       admin_pattern($1, httpd_cobbler_content_t)
+       admin_pattern($1, httpd_cobbler_content_ra_t)
+       admin_pattern($1, httpd_cobbler_content_rw_t)
 
-               # manage /var/www/cobbler
-               admin_pattern($1, httpd_cobbler_content_t)
-               apache_search_sys_content($1)
-       ')
+       cobblerd_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 cobblerd_initrc_exec_t system_r;
+       allow $2 system_r;
 
        optional_policy(`
-               # traverse /var/lib/tftpdir to get to cobbler_content_t there.
+               # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
                tftp_search_rw_content($1)
        ')
 ')
index 76bde9ba259896625b2893da77268d91a13ad73b..6a6d7d7d141ff9433b75d63fa31ffd029f71a25c 100644 (file)
@@ -1,4 +1,3 @@
-
 policy_module(cobbler, 1.1.0)
 
 ########################################
@@ -8,8 +7,8 @@ policy_module(cobbler, 1.1.0)
 
 ## <desc>
 ## <p>
-##     Allow Cobbler to modify public files
-##     used for public file transfer services.
+## Allow Cobbler to modify public files
+## used for public file transfer services.
 ## </p>
 ## </desc>
 gen_tunable(cobbler_anon_write, false)
@@ -46,21 +45,18 @@ init_script_file(cobblerd_initrc_exec_t)
 type cobbler_etc_t;
 files_config_file(cobbler_etc_t)
 
-type cobbler_content_t;
-typealias cobbler_content_t alias cobbler_var_lib_t;
-files_type(cobbler_content_t)
-
 type cobbler_var_log_t;
 logging_log_file(cobbler_var_log_t)
 
+type cobbler_var_lib_t alias cobbler_content_t;
+files_type(cobbler_var_lib_t)
+
 type cobbler_tmp_t;
 files_tmp_file(cobbler_tmp_t)
 
-# Cobbler check is not supported and is silently ignored.
-
 ########################################
 #
-# Cobbler local policy.
+# Cobbler personal policy.
 #
 
 allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
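Review bot: The section header was changed to `# Cobbler personal policy.`, which does not follow the refpolicy convention used by the rest of the file — the web section further down still reads `# Cobbler web local policy.` "Local policy" is the term every other module uses for the domain's own rules; suggest restoring `# Cobbler local policy.` so the headers stay consistent.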
@@ -76,13 +72,13 @@ allow cobblerd_t self:unix_dgram_socket create_socket_perms;
 list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
 read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
 
-# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
-dontaudit cobblerd_t cobbler_content_t:dir relabel_dir_perms;
+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
 
-manage_dirs_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
-manage_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
-manage_lnk_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
-files_var_lib_filetrans(cobblerd_t, cobbler_content_t, { dir file lnk_file })
+manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
 
 # Something really needs to write to cobbler.log. Ideally this should not be happening.
 allow cobblerd_t cobbler_var_log_t:file write;
@@ -105,13 +101,13 @@ corecmd_exec_shell(cobblerd_t)
 
 corenet_all_recvfrom_netlabel(cobblerd_t)
 corenet_all_recvfrom_unlabeled(cobblerd_t)
+corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+corenet_tcp_bind_cobbler_port(cobblerd_t)
 corenet_tcp_bind_generic_node(cobblerd_t)
 corenet_tcp_sendrecv_generic_if(cobblerd_t)
 corenet_tcp_sendrecv_generic_node(cobblerd_t)
 corenet_tcp_sendrecv_generic_port(cobblerd_t)
-corenet_tcp_bind_cobbler_port(cobblerd_t)
 corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
-corenet_sendrecv_cobbler_server_packets(cobblerd_t)
 # sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
 corenet_tcp_connect_ftp_port(cobblerd_t)
 corenet_tcp_sendrecv_ftp_port(cobblerd_t)
@@ -226,7 +222,7 @@ optional_policy(`
        # 2. no FILES in /var/lib/TFTPDIR are hard linked.
        # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
        # are any of those hard linked?
-       tftp_filetrans_tftpdir(cobblerd_t, cobbler_content_t, { dir file })
+       tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
 ')
 
 ########################################
@@ -234,18 +230,6 @@ optional_policy(`
 # Cobbler web local policy.
 #
 
-# This should be removable when cobbler package installs /var/www/cobbler/rendered.
-optional_policy(`
-       gen_require(`
-               attribute httpdcontent;
-       ')
-
-       apache_content_template(cobbler)
-       # To filetrans the /var/www/cobbler/rendered directory to cobbler_content_t.
-       # I added "file" to it for now because fenris02 reported that cobbler buildiso tried to create a file with type
-       # httpd_cobbler_content_t and i do not know where exaclty. Google reports it should be /var/www/cobbler/pub but
-       # that directory should have been labeled cobbler_content_t. 
-       filetrans_pattern(cobblerd_t, httpd_cobbler_content_t, cobbler_content_t, { dir file })
-       # Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
-       dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms;
-')
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
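Review bot: The removed block also carried `filetrans_pattern(cobblerd_t, httpd_cobbler_content_t, cobbler_content_t, { dir file })`, which made objects cobblerd creates under /var/www/cobbler land on a type the daemon can manage; the replacement adds only manage rules on `httpd_cobbler_content_rw_t` with no filetrans, and nothing in this commit's cobbler.fc labels any path `httpd_cobbler_content_rw_t`. Presumably new files created directly in /var/www/cobbler will therefore inherit the parent directory's label, for which cobblerd_t now has no rule, and the `httpdcontent` relabel dontaudit dropped here may come back as real denials. Consider `filetrans_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_rw_t, { dir file })` alongside an fc entry that actually assigns `httpd_cobbler_content_rw_t`, and a brief comment stating which subtree cobblerd is expected to write.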
index df4c7401f9947a387e6207cbcd2575680751799d..a50a8a76c0e1e0963530aa039949b2771d26f555 100644 (file)
@@ -92,7 +92,7 @@ userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
 
 optional_policy(`
-       cobbler_read_content(dnsmasq_t)
+       cobbler_read_lib_files(dnsmasq_t)
 ')
 
 optional_policy(`
index 2a26a339d6074d55521bb01779a6c895c3fb2772..ed699969e0b9bdd4cf73e38896e5cf82b46ed614 100644 (file)
@@ -1,4 +1,4 @@
-policy_module(mojomojo, 1.0)
+policy_module(mojomojo, 1.0.0)
 
 ########################################
 #
@@ -22,20 +22,18 @@ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomo
 files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
 
 corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
-corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
-
 corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
-corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
-
 corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
 corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
 
 files_search_var_lib(httpd_mojomojo_script_t)
 
-mta_send_mail(httpd_mojomojo_script_t)
-
 sysnet_dns_name_resolve(httpd_mojomojo_script_t)
 
+mta_send_mail(httpd_mojomojo_script_t)
+
 optional_policy(`
        mysql_stream_connect(httpd_mojomojo_script_t)
 ')
index 4337b7a34d7e802166295e283341d951531808c4..66bfd1cad3256d7384ea005ef36387324b6c26f4 100644 (file)
@@ -94,7 +94,7 @@ tunable_policy(`tftp_anon_write',`
 ')
 
 optional_policy(`
-       cobbler_read_content(tftpd_t)
+       cobbler_read_lib_files(tftpd_t)
 ')
 
 optional_policy(`
index ee349388fe68c3f2dfb48387be9a22d7cb16a355..e9bd52affda2cd526096c6e2fc0868e0d896ce4a 100644 (file)
@@ -26,7 +26,7 @@ files_pid_file(iptables_var_run_t)
 
 allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config;
-allow iptables_t self:fifo_file rw_file_perms;
+allow iptables_t self:fifo_file rw_fifo_file_perms;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 # needed by ipvsadm
 allow iptables_t self:netlink_socket create_socket_perms;
index 87be614e0a2868ad9291b6e3f9fcaae541c5243e..c5e3ef35439e2f8e53b3ede54a3ac26ba795bdef 100644 (file)
@@ -68,8 +68,8 @@ endif
 
 # default MLS/MCS sensitivity and category settings.
 MLS_SENS ?= 16
-MLS_CATS ?= 256
-MCS_CATS ?= 256
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
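Review bot: Raising `MLS_CATS`/`MCS_CATS` from 256 to 1024 changes the category range the devel build compiles against, and nothing in the hunk says what it must agree with. Since Makefile.devel is presumably used to build modules against the installed policy headers, this value should match the category count the installed base policy was built with, otherwise contexts using categories above c255 are valid in one and invalid in the other. A comment such as `# must match the category count of the installed base policy` above these two lines would make the coupling explicit.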
 
 ifeq ($(QUIET),y)
        verbose := @