From 0703a8c886eb47fe7b1124572e5cd2fab0249817 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 2 Dec 2011 14:03:03 -0500 Subject: [PATCH] Policy cleanup for upstream acceptance --- policy/modules/kernel/terminal.fc | 2 +- policy/modules/services/glance.fc | 11 ++++---- policy/modules/services/glance.if | 14 ++-------- policy/modules/services/glance.te | 1 - policy/modules/services/matahari.fc | 39 ++++++++++++-------------- policy/modules/services/matahari.if | 12 ++------ policy/modules/services/matahari.te | 2 +- policy/modules/services/rabbitmq.fc | 6 ++-- policy/modules/services/rabbitmq.if | 2 -- policy/modules/services/rabbitmq.te | 4 +-- policy/modules/services/rhev.te | 2 -- policy/modules/services/rhsmcertd.fc | 8 +++--- policy/modules/services/rhsmcertd.if | 12 ++------ policy/modules/services/sanlock.te | 6 ++-- policy/modules/services/sblim.te | 9 ++---- policy/modules/services/ssh.if | 36 ++++++++++++------------ policy/modules/services/uuidd.fc | 1 - policy/modules/services/uuidd.if | 6 ++-- policy/modules/services/uuidd.te | 6 ++-- policy/modules/services/vdagent.fc | 7 ++--- policy/modules/services/vdagent.if | 41 +++++++++++++--------------- policy/modules/services/wdmd.fc | 2 +- policy/modules/system/authlogin.fc | 3 +- 23 files changed, 94 insertions(+), 138 deletions(-) diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc index eeb58891..5c54a980 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc @@ -19,7 +19,7 @@ /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0) -/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) +/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) 
diff --git a/policy/modules/services/glance.fc b/policy/modules/services/glance.fc index 7d27335e..657d8f52 100644 --- a/policy/modules/services/glance.fc +++ b/policy/modules/services/glance.fc @@ -1,14 +1,13 @@ -/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0) +/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0) -/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) +/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0) + +/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) +/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0) /var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0) /var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0) /var/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0) - -/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0) - -/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0) diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if index 8cc6d17f..8f0f77bb 100644 --- a/policy/modules/services/glance.if +++ b/policy/modules/services/glance.if @@ -1,7 +1,6 @@ ## policy for glance - ######################################## ## ## Transition to glance. @@ -40,7 +39,6 @@ interface(`glance_domtrans_api',` domtrans_pattern($1, glance_api_exec_t, glance_api_t) ') - ######################################## ## ## Read glance's log files. 
@@ -236,13 +234,9 @@ interface(`glance_manage_pid_files',` # interface(`glance_admin',` gen_require(` - type glance_registry_t; - type glance_api_t; - type glance_log_t; - type glance_var_lib_t; - type glance_var_run_t; - type glance_registry_initrc_exec_t; - type glance_api_initrc_exec_t; + type glance_registry_t, glance_api_t, glance_log_t; + type glance_var_lib_t, glance_var_run_t; + type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; ') allow $1 glance_registry_t:process signal_perms; @@ -271,6 +265,4 @@ interface(`glance_admin',` files_search_pids($1) admin_pattern($1, glance_var_run_t) - ') - diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te index 34385c9b..4afb81fe 100644 --- a/policy/modules/services/glance.te +++ b/policy/modules/services/glance.te @@ -81,7 +81,6 @@ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) corenet_tcp_bind_generic_node(glance_registry_t) corenet_tcp_bind_glance_registry_port(glance_registry_t) - ######################################## # # glance-api local policy diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc index 7f368707..ea9dc7ad 100644 --- a/policy/modules/services/matahari.fc +++ b/policy/modules/services/matahari.fc 
@@ -1,30 +1,25 @@ -/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0) -/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0) -/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0) -/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0) +/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0) +/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0) +/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0) +/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0) -/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) - -/usr/sbin/matahari-dbus-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) - -/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) - -/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0) +/usr/sbin/matahari-dbus-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) +/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) +/usr/sbin/matahari-dbus-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) -/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) +/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) -/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) +/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) +/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) /usr/sbin/matahari-qmf-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) +/usr/sbin/matahari-qmf-serviced -- 
gen_context(system_u:object_r:matahari_serviced_exec_t,s0) +/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0) -/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) - -/usr/sbin/matahari-dbus-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) - -/usr/sbin/matahari-qmf-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) +/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) -/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0) +/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0) -/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0) -/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) -/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) +/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0) +/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) +/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if index 0d771fd7..2e8b6d85 100644 --- a/policy/modules/services/matahari.if +++ b/policy/modules/services/matahari.if @@ -24,7 +24,6 @@ template(`matahari_domain_template',` type matahari_$1_t, matahari_domain; type matahari_$1_exec_t; init_daemon_domain(matahari_$1_t, matahari_$1_exec_t) - ') ######################################## @@ -104,7 +103,6 @@ interface(`matahari_manage_lib_dirs',` manage_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t) ') - ######################################## ## ## Read matahari PID files. 
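Review bot: The four `/etc/rc\.d/init\.d/matahari-*` entries at the top of the hunk are rewritten without a file-type field, so they label any object kind found at that path, while every other entry in this file and the glance, uuidd and wdmd init-script entries elsewhere in this patch pin regular files with `--`. Since these lines are already being touched for whitespace, add the specifier, e.g. `/etc/rc\.d/init\.d/matahari-host -- gen_context(system_u:object_r:matahari_initrc_exec_t,s0)`, and likewise for `-net`, `-service` and `-sysconfig`. This assumes the init scripts are plain files, which is presumably the case.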
@@ -216,12 +214,9 @@ interface(`matahari_serviced_domtrans',` # interface(`matahari_admin',` gen_require(` - type matahari_initrc_exec_t; - type matahari_hostd_t; - type matahari_netd_t; - type matahari_serviced_t; - type matahari_var_lib_t; - type matahari_var_run_t; + type matahari_initrc_exec_t, matahari_hostd_t; + type matahari_netd_t, matahari_serviced_t; + type matahari_var_lib_t, matahari_var_run_t; ') init_labeled_script_domtrans($1, matahari_initrc_exec_t) @@ -246,5 +241,4 @@ interface(`matahari_admin',` files_search_pids($1) admin_pattern($1, matahari_var_run_t) - ') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te index 372ed056..4ea6ac39 100644 --- a/policy/modules/services/matahari.te +++ b/policy/modules/services/matahari.te @@ -77,7 +77,7 @@ dev_read_sysfs(matahari_sysconfigd_t) # matahari domain local policy # -allow matahari_domain self:process { signal }; +allow matahari_domain self:process signal; allow matahari_domain self:fifo_file rw_fifo_file_perms; allow matahari_domain self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/services/rabbitmq.fc b/policy/modules/services/rabbitmq.fc index 7908e1de..594c1102 100644 --- a/policy/modules/services/rabbitmq.fc +++ b/policy/modules/services/rabbitmq.fc @@ -1,7 +1,7 @@ -/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) /usr/lib64/erlang/erts-5.8.5/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0) -#/usr/lib64/erlang/lib/os_mon-2.2.7/priv/bin/cpu_sup -- gen_context(system_u:object_r:rabbitmq_cpu_sup_exec_t,s0) +/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) -/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) + +/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) 
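Review bot: The re-added `/usr/lib64/erlang/erts-5.8.5/bin/epmd` line (and the `beam.*` line above it) pins the label to one erts release, so the first Erlang update leaves epmd and beam without their `rabbitmq_*_exec_t` labels and the domain transitions silently stop, with rabbitmq then running in whatever domain started it. Since the hunk already rewrites these lines, match the version directory instead: `/usr/lib64/erlang/erts-[^/]+/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)` and `/usr/lib64/erlang/erts-[^/]+/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)`. 32-bit installs under `/usr/lib/erlang` are presumably unlabeled for the same reason; `/usr/lib(64)?/erlang/...` would cover both if that is intended.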
diff --git a/policy/modules/services/rabbitmq.if b/policy/modules/services/rabbitmq.if index f15d8c3e..491bd1f7 100644 --- a/policy/modules/services/rabbitmq.if +++ b/policy/modules/services/rabbitmq.if @@ -1,7 +1,6 @@ ## policy for rabbitmq - ######################################## ## ## Transition to rabbitmq. @@ -20,4 +19,3 @@ interface(`rabbitmq_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t) ') - diff --git a/policy/modules/services/rabbitmq.te b/policy/modules/services/rabbitmq.te index 55aaca1d..591ca324 100644 --- a/policy/modules/services/rabbitmq.te +++ b/policy/modules/services/rabbitmq.te @@ -27,7 +27,7 @@ logging_log_file(rabbitmq_var_log_t) allow rabbitmq_beam_t self:process { setsched signal signull }; allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; -allow rabbitmq_beam_t self:tcp_socket { accept listen }; +allow rabbitmq_beam_t self:tcp_socket create_stream_socket_perms; manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) @@ -65,7 +65,7 @@ optional_policy(` domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) -allow rabbitmq_epmd_t self:process { signal }; +allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te index 1ec5e7c3..6c383561 100644 --- a/policy/modules/services/rhev.te +++ b/policy/modules/services/rhev.te @@ -12,7 +12,6 @@ init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t) type rhev_agentd_var_run_t; files_pid_file(rhev_agentd_var_run_t) -# WHY IS USED /TMP DIRECTORY type rhev_agentd_tmp_t; files_tmp_file(rhev_agentd_tmp_t) @@ -80,4 +79,3 @@ optional_policy(` optional_policy(` xserver_dbus_chat_xdm(rhev_agentd_t) ') - 
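Review bot: The new `allow rabbitmq_beam_t self:tcp_socket create_stream_socket_perms;` widens the domain from `{ accept listen }` to the full create/bind/connect/read/write set, which is a permission grant rather than the cleanup the subject line describes. If beam genuinely creates and connects its own sockets that is fine, but it should be stated in the commit message, and the matching `corenet_*` bind/connect rules (if they are not already present outside this hunk) reviewed alongside it. Otherwise keep `{ accept listen }` or grant only the permissions the observed denials actually required.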
diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc index 5094d939..b2a8835b 100644 --- a/policy/modules/services/rhsmcertd.fc +++ b/policy/modules/services/rhsmcertd.fc @@ -3,10 +3,10 @@ /usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) -/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0) - -/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0) +/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0) /var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) -/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0) +/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0) + +/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0) diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if index 61d0a4cb..6572600c 100644 --- a/policy/modules/services/rhsmcertd.if +++ b/policy/modules/services/rhsmcertd.if @@ -20,7 +20,6 @@ interface(`rhsmcertd_domtrans',` domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t) ') - ######################################## ## ## Execute rhsmcertd server in the rhsmcertd domain. @@ -39,7 +38,6 @@ interface(`rhsmcertd_initrc_domtrans',` init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t) ') - ######################################## ## ## Read rhsmcertd's log files. @@ -176,7 +174,6 @@ interface(`rhsmcertd_manage_lib_dirs',` manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) ') - ######################################## ## ## Read rhsmcertd PID files. 
@@ -277,11 +274,8 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` # interface(`rhsmcertd_admin',` gen_require(` - type rhsmcertd_t; - type rhsmcertd_initrc_exec_t; - type rhsmcertd_log_t; - type rhsmcertd_var_lib_t; - type rhsmcertd_var_run_t; + type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t; + type rhsmcertd_var_lib_t, rhsmcertd_var_run_t; ') allow $1 rhsmcertd_t:process signal_perms; @@ -303,6 +297,4 @@ interface(`rhsmcertd_admin',` files_search_pids($1) admin_pattern($1, rhsmcertd_var_run_t) - ') - diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te index 96adff59..64d3e6ae 100644 --- a/policy/modules/services/sanlock.te +++ b/policy/modules/services/sanlock.te @@ -44,7 +44,7 @@ ifdef(`enable_mls',` # # sanlock local policy # -allow sanlock_t self:capability { kill sys_nice ipc_lock }; +allow sanlock_t self:capability { sys_nice ipc_lock }; allow sanlock_t self:process { setsched signull }; allow sanlock_t self:fifo_file rw_fifo_file_perms; @@ -68,11 +68,11 @@ storage_raw_rw_fixed_disk(sanlock_t) dev_read_urand(sanlock_t) -logging_send_syslog_msg(sanlock_t) - init_read_utmp(sanlock_t) init_dontaudit_write_utmp(sanlock_t) +logging_send_syslog_msg(sanlock_t) + miscfiles_read_localization(sanlock_t) tunable_policy(`sanlock_use_nfs',` diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te index c4d91920..7fad0505 100644 --- a/policy/modules/services/sblim.te +++ b/policy/modules/services/sblim.te @@ -22,11 +22,8 @@ files_pid_file(sblim_var_run_t) # # sblim_gatherd local policy # - -#needed by ps -allow sblim_gatherd_t self:capability { kill dac_override }; +allow sblim_gatherd_t self:capability dac_override; allow sblim_gatherd_t self:process signal; - allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms; 
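Review bot: Dropping `kill` in `allow sanlock_t self:capability { sys_nice ipc_lock };` is a behavioural change, not cleanup: CAP_KILL is what lets a process signal processes owned by a different uid, and as I understand sanlock it terminates the holders of leases it can no longer renew, which on a vdsm/libvirt host normally run under other uids. If that path is still used, every lease-loss SIGKILL will now fail with EPERM and surface as a `capability { kill }` denial. Either keep `kill`, or explain in the commit message why sanlock no longer signals foreign-uid processes; the only remaining process rule in this hunk, `self:process { setsched signull }`, covers sanlock's own domain only.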
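Review bot: The hunk keeps `allow sblim_gatherd_t self:capability dac_override;` but deletes the `#needed by ps` comment that was the only recorded justification for it, so the next reader has no idea why a metrics gatherer may bypass DAC file permissions. `dac_override` is one of the capabilities most often granted by accident (the real need is usually a file type the domain should be allowed to read), so keep the rationale, e.g. `# dac_override: reported as needed by ps; confirm which files actually require it`. Dropping `kill` itself looks consistent with the remaining `self:process signal` rule, which only covers gatherd's own domain.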
@@ -45,6 +42,8 @@ domain_read_all_domains_state(sblim_gatherd_t) fs_getattr_all_fs(sblim_gatherd_t) +sysnet_dns_name_resolve(sblim_gatherd_t) + term_getattr_pty_fs(sblim_gatherd_t) init_read_utmp(sblim_gatherd_t) @@ -61,7 +60,6 @@ optional_policy(` optional_policy(` ssh_signull(sblim_gatherd_t) - sysnet_dns_name_resolve(sblim_gatherd_t) ') optional_policy(` @@ -105,4 +103,3 @@ logging_send_syslog_msg(sblim_domain) files_read_etc_files(sblim_domain) miscfiles_read_localization(sblim_domain) - diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index e494f5cd..c2efd25d 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -479,6 +479,24 @@ interface(`ssh_signal',` allow $1 sshd_t:process signal; ') +######################################## +## +## Send a null signal to sshd processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_signull',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:process signull; +') + ######################################## ## ## Read a ssh server unnamed pipe. @@ -870,24 +888,6 @@ interface(`ssh_delete_tmp',` delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') -######################################## -## -## Send a null signal to sshd processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`ssh_signull',` - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:process signull; -') - ##################################### ## ## Allow domain dyntransition to chroot_user_t domain. diff --git a/policy/modules/services/uuidd.fc b/policy/modules/services/uuidd.fc index c1846674..d8102327 100644 --- a/policy/modules/services/uuidd.fc +++ b/policy/modules/services/uuidd.fc @@ -1,7 +1,6 @@ /etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0) - /usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0) /var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0) 
diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if index c82f1780..adf79eb9 100644 --- a/policy/modules/services/uuidd.if +++ b/policy/modules/services/uuidd.if @@ -171,10 +171,8 @@ interface(`uuidd_stream_connect_manager',` # interface(`uuidd_admin',` gen_require(` - type uuidd_t; - type uuidd_initrc_exec_t; - type uuidd_var_lib_t; - type uuidd_var_run_t; + type uuidd_t, uuidd_initrc_exec_t; + type uuidd_var_run_t, uuidd_var_lib_t; ') allow $1 uuidd_t:process signal_perms; diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te index ac053f34..04589dc0 100644 --- a/policy/modules/services/uuidd.te +++ b/policy/modules/services/uuidd.te @@ -22,9 +22,8 @@ files_pid_file(uuidd_var_run_t) # # uuidd local policy # -allow uuidd_t self:capability { setuid }; -allow uuidd_t self:process { signal }; - +allow uuidd_t self:capability setuid; +allow uuidd_t self:process signal; allow uuidd_t self:fifo_file rw_fifo_file_perms; allow uuidd_t self:unix_stream_socket create_stream_socket_perms; allow uuidd_t self:udp_socket create_socket_perms; @@ -43,4 +42,3 @@ domain_use_interactive_fds(uuidd_t) files_read_etc_files(uuidd_t) miscfiles_read_localization(uuidd_t) - diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc index 71d97843..2ba852cd 100644 --- a/policy/modules/services/vdagent.fc +++ b/policy/modules/services/vdagent.fc 
@@ -1,11 +1,10 @@ +/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0) -/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0) +/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) +/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0) /var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) /var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0) -/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) -/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0) - diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if index 57471cc9..6467d916 100644 --- a/policy/modules/services/vdagent.if +++ b/policy/modules/services/vdagent.if @@ -1,24 +1,6 @@ ## policy for vdagent -##################################### -## -## Getattr on vdagent executable. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vdagent_getattr_exec',` - gen_require(` - type vdagent_exec_t; - ') - - allow $1 vdagent_exec_t:file getattr; -') - ######################################## ## ## Execute a domain transition to run vdagent. @@ -37,6 +19,24 @@ interface(`vdagent_domtrans',` domtrans_pattern($1, vdagent_exec_t, vdagent_t) ') +##################################### +## +## Getattr on vdagent executable. +## +## +## +## Domain allowed access. +## +## +# +interface(`vdagent_getattr_exec',` + gen_require(` + type vdagent_exec_t; + ') + + allow $1 vdagent_exec_t:file getattr; +') + ####################################### ## ## Get the attributes of vdagent logs. @@ -114,8 +114,7 @@ interface(`vdagent_stream_connect',` # interface(`vdagent_admin',` gen_require(` - type vdagent_t; - type vdagent_var_run_t; + type vdagent_t, vdagent_var_run_t; ') allow $1 vdagent_t:process signal_perms; 
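Review bot: The context line `/var/run/spice-vdagentd.\pid -- gen_context(...)` directly below the hunk's changes has its escape on the wrong side: `.\p` leaves `.` matching any character, and `\p` is not a defined escape in POSIX ERE (glibc treats it as a literal `p`, so it matches by accident) while PCRE-based setfiles may reject it as a malformed `\p` sequence. It should read `/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)`, the same way the new `/var/log/spice-vdagentd\.log` line above it is written. Since the hunk already reorders this file, fixing the typo here costs nothing.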
@@ -126,6 +125,4 @@ interface(`vdagent_admin',` files_search_pids($1) admin_pattern($1, vdagent_var_run_t) - ') - diff --git a/policy/modules/services/wdmd.fc b/policy/modules/services/wdmd.fc index 2f21759f..ad47e050 100644 --- a/policy/modules/services/wdmd.fc +++ b/policy/modules/services/wdmd.fc @@ -1,6 +1,6 @@ /etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0) -/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) +/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) /usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index a004698a..a13830af 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -31,8 +31,9 @@ ifdef(`distro_gentoo', ` /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') +/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -/var/ace(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) -- 2.47.3
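Review bot: `/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0)` changes the type of the ACE/SecurID agent data from `auth_cache_t` to `var_auth_t`, which alters which domains may read and write it; that is a labeling change, not the cleanup the subject line announces, and the commit message does not say why. Please record the reason (which domain needed `var_auth_t` access to `/var/ace`) in the commit message, and note that installed systems keep the old `auth_cache_t` label until `restorecon -R /var/ace` runs, so the rule change alone will not fix a live host.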