Changeset 2682
- Timestamp:
- 05/13/08 09:07:42 (7 months ago)
- Files:
-
- branches/rbacsep/policy/modules/apps/games.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/vmware.te (modified) (6 diffs)
branches/rbacsep/policy/modules/apps/games.te
r2675 r2682 10 10 files_type(games_data_t) 11 11 12 # games_t is for system operation of games, generic games daemons and13 # games recovery scripts14 12 type games_t; 15 13 type games_exec_t; 16 init_system_domain(games_t,games_exec_t)14 application_domain(games_t, games_exec_t) 17 15 18 type games_var_run_t; 19 files_pid_file(games_var_run_t) 16 type games_devpts_t; 17 term_pty(games_devpts_t) 18 19 # games_srv_t is for system operation of games, generic games daemons and 20 # games recovery scripts 21 type games_srv_t; 22 init_system_domain(games_srv_t, games_exec_t) 23 24 type games_srv_var_run_t; 25 files_pid_file(games_srv_var_run_t) 26 27 type games_tmpfs_t; 28 files_tmpfs_file(games_tmpfs_t) 29 30 type games_tmp_t; 31 files_tmp_file(games_tmp_t) 32 33 ######################################## 34 # 35 # Server local policy 36 # 37 38 dontaudit games_srv_t self:capability sys_tty_config; 39 allow games_srv_t self:process signal_perms; 40 41 manage_files_pattern(games_srv_t, games_data_t, games_data_t) 42 manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t) 43 44 manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t) 45 files_pid_filetrans(games_srv_t, games_srv_var_run_t, file) 46 47 can_exec(games_srv_t, games_exec_t) 48 49 kernel_read_kernel_sysctls(games_srv_t) 50 kernel_list_proc(games_srv_t) 51 kernel_read_proc_symlinks(games_srv_t) 52 53 dev_read_sysfs(games_srv_t) 54 55 fs_getattr_all_fs(games_srv_t) 56 fs_search_auto_mountpoints(games_srv_t) 57 58 term_dontaudit_use_console(games_srv_t) 59 60 domain_use_interactive_fds(games_srv_t) 61 62 init_use_fds(games_srv_t) 63 init_use_script_ptys(games_srv_t) 64 65 libs_use_ld_so(games_srv_t) 66 libs_use_shared_libs(games_srv_t) 67 68 logging_send_syslog_msg(games_srv_t) 69 70 miscfiles_read_localization(games_srv_t) 71 72 userdom_dontaudit_use_unpriv_user_fds(games_srv_t) 73 74 sysadm_dontaudit_search_home_dirs(games_srv_t) 75 76 optional_policy(` 77 
seutil_sigchld_newrole(games_srv_t) 78 ') 79 80 optional_policy(` 81 udev_read_db(games_srv_t) 82 ') 20 83 21 84 ######################################## … … 24 87 # 25 88 26 dontaudit games_t self:capability sys_tty_config; 27 allow games_t self:process signal_perms; 89 allow games_t self:sem create_sem_perms; 90 allow games_t self:tcp_socket create_stream_socket_perms; 91 allow games_t self:udp_socket create_socket_perms; 28 92 29 manage_files_pattern(games_t, games_data_t,games_data_t)30 manage_lnk_files_pattern(games_t, games_data_t,games_data_t)93 manage_files_pattern(games_t, games_data_t, games_data_t) 94 manage_lnk_files_pattern(games_t, games_data_t, games_data_t) 31 95 32 manage_files_pattern(games_t,games_var_run_t,games_var_run_t) 33 files_pid_filetrans(games_t,games_var_run_t,file)96 allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr }; 97 term_create_pty(games_t, games_devpts_t) 34 98 35 can_exec(games_t,games_exec_t) 99 manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t) 100 manage_files_pattern(games_t, games_tmp_t, games_tmp_t) 101 files_tmp_filetrans(games_t, games_tmp_t, { file dir }) 36 102 37 kernel_read_kernel_sysctls(games_t) 38 kernel_list_proc(games_t) 39 kernel_read_proc_symlinks(games_t) 103 manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) 104 manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) 105 manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) 106 manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) 107 fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file }) 40 108 41 dev_read_sysfs(games_t)109 can_exec(games_t, games_exec_t) 42 110 43 fs_getattr_all_fs(games_t) 44 fs_search_auto_mountpoints(games_t) 111 domain_auto_trans($2, games_exec_t, games_t) 112 allow $2 games_t:unix_stream_socket connectto; 113 allow games_t $2:unix_stream_socket connectto; 45 114 46 term_dontaudit_use_console(games_t)115 kernel_read_system_state(games_t) 47 116 48 
domain_use_interactive_fds(games_t)117 corecmd_exec_bin(games_t) 49 118 50 init_use_fds(games_t) 51 init_use_script_ptys(games_t) 119 corenet_all_recvfrom_unlabeled(games_t) 120 corenet_all_recvfrom_netlabel(games_t) 121 corenet_tcp_sendrecv_generic_if(games_t) 122 corenet_udp_sendrecv_generic_if(games_t) 123 corenet_tcp_sendrecv_all_nodes(games_t) 124 corenet_udp_sendrecv_all_nodes(games_t) 125 corenet_tcp_sendrecv_all_ports(games_t) 126 corenet_udp_sendrecv_all_ports(games_t) 127 corenet_tcp_bind_all_nodes(games_t) 128 corenet_tcp_bind_generic_port(games_t) 129 corenet_tcp_connect_generic_port(games_t) 130 corenet_sendrecv_generic_client_packets(games_t) 131 corenet_sendrecv_generic_server_packets(games_t) 52 132 133 dev_read_sound(games_t) 134 dev_write_sound(games_t) 135 dev_read_input(games_t) 136 dev_read_mouse(games_t) 137 dev_read_urand(games_t) 138 139 files_list_var(games_t) 140 files_search_var_lib(games_t) 141 files_dontaudit_search_var(games_t) 142 files_read_etc_files(games_t) 143 files_read_usr_files(games_t) 144 files_read_var_files(games_t) 145 146 init_dontaudit_rw_utmp(games_t) 147 148 logging_dontaudit_search_logs(games_t) 149 150 libs_use_shared_libs(games_t) 53 151 libs_use_ld_so(games_t) 54 libs_use_shared_libs(games_t)55 152 56 logging_send_syslog_msg(games_t) 57 153 miscfiles_read_man_pages(games_t) 58 154 miscfiles_read_localization(games_t) 59 155 60 userdom_dontaudit_use_unpriv_user_fds(games_t)156 sysnet_read_config(games_t) 61 157 62 sysadm_dontaudit_search_home_dirs(games_t) 158 userdom_manage_user_tmp_dirs($1,games_t) 159 userdom_manage_user_tmp_files($1,games_t) 160 userdom_manage_user_tmp_symlinks($1,games_t) 161 userdom_manage_user_tmp_sockets($1,games_t) 162 # Suppress .icons denial until properly implemented 163 userdom_dontaudit_read_user_home_content_files($1,games_t) 63 164 64 optional_policy(`65 seutil_sigchld_newrole(games_t)165 tunable_policy(`allow_execmem',` 166 allow games_t self:process execmem; 66 167 ') 67 168 68 169 
optional_policy(` 69 udev_read_db(games_t)170 nscd_socket_use(games_t) 70 171 ') 172 173 optional_policy(` 174 xserver_user_x_domain_template($1,games,games_t, games_tmpfs_t) 175 xserver_create_xdm_tmp_sockets(games_t) 176 xserver_read_xdm_lib_files(games_t) 177 ') branches/rbacsep/policy/modules/apps/vmware.te
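Review bot: `domain_auto_trans($2, games_exec_t, games_t)` at new line 111 uses the older macro while the vmware.te section of this same changeset writes the equivalent rule as `domtrans_pattern($2, vmware_exec_t, vmware_t)`; the two files should agree, and `domtrans_pattern` is the form the rest of the new code follows. The network access added at new lines 119-131 covers all nodes and all ports in both directions plus generic bind and connect ports, which is broad for a user application domain, so a comment naming the networked games that require it would let a later reviewer narrow it, e.g. `# networked games: generic client/server ports; all_ports sendrecv is broader than needed - revisit`. The `userdom_dontaudit_read_user_home_content_files($1,games_t)` at line 163 silences every read denial on user home content, not only the .icons case, so it should be re-checked once that handling exists. The `$1`/`$2` references indicate these rules sit inside a template whose declaration is not visible in this section.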
r2675 r2682 8 8 9 9 # VMWare user program 10 type vmware_t; 10 11 type vmware_exec_t; 11 corecmd_executable_file(vmware_exec_t) 12 application_domain(vmware_t, vmware_exec_t) 13 14 type vmware_conf_t; 15 userdom_user_home_content($1,vmware_conf_t) 16 17 type vmware_file_t; 18 userdom_user_home_content($1,vmware_file_t) 12 19 13 20 # VMWare host programs 14 21 type vmware_host_t; 15 22 type vmware_host_exec_t; 16 init_daemon_domain(vmware_host_t,vmware_host_exec_t) 23 init_daemon_domain(vmware_host_t, vmware_host_exec_t) 24 25 type vmware_host_pid_t alias vmware_var_run_t; 26 files_pid_file(vmware_host_pid_t) 27 28 type vmware_pid_t; 29 files_pid_file(vmware_pid_t) 17 30 18 31 # Systemwide configuration files … … 20 33 files_type(vmware_sys_conf_t) 21 34 22 type vmware_var_run_t; 23 files_pid_file(vmware_var_run_t) 35 type vmware_tmp_t; 36 files_tmp_file(vmware_tmp_t) 37 38 type vmware_tmpfs_t; 39 files_tmpfs_file(vmware_tmpfs_t) 24 40 25 41 ######################################## … … 36 52 37 53 # cjp: the ro and rw files should be split up 38 manage_files_pattern(vmware_host_t, vmware_sys_conf_t,vmware_sys_conf_t)39 40 manage_files_pattern(vmware_host_t, vmware_var_run_t,vmware_var_run_t)41 manage_sock_files_pattern(vmware_host_t, vmware_var_run_t,vmware_var_run_t)42 files_pid_filetrans(vmware_host_t, vmware_var_run_t,{ file sock_file })54 manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) 55 56 manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) 57 manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) 58 files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file }) 43 59 44 60 kernel_read_kernel_sysctls(vmware_host_t) … … 91 107 sysadm_dontaudit_search_home_dirs(vmware_host_t) 92 108 109 netutils_domtrans_ping(vmware_host_t) 110 93 111 optional_policy(` 94 112 seutil_sigchld_newrole(vmware_host_t) … … 99 117 udev_read_db(vmware_host_t) 100 118 ') 101 
netutils_domtrans_ping(vmware_host_t)102 119 103 120 ifdef(`TODO',` … … 112 129 allow kernel_t self:socket create; 113 130 ') 131 132 ############################## 133 # 134 # VMWare guest local policy 135 # 136 137 allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; 138 dontaudit vmware_t self:capability sys_tty_config; 139 allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; 140 allow vmware_t self:process { execmem execstack }; 141 allow vmware_t self:fd use; 142 allow vmware_t self:fifo_file rw_fifo_file_perms; 143 allow vmware_t self:unix_dgram_socket { create_socket_perms sendto }; 144 allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto }; 145 allow vmware_t self:shm create_shm_perms; 146 allow vmware_t self:sem create_sem_perms; 147 allow vmware_t self:msgq create_msgq_perms; 148 allow vmware_t self:msg { send receive }; 149 150 can_exec(vmware_t, vmware_exec_t) 151 152 # User configuration files 153 allow vmware_t vmware_conf_t:file manage_file_perms; 154 155 # VMWare disks 156 manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t) 157 manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t) 158 159 allow vmware_t vmware_tmp_t:file execute; 160 manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) 161 manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) 162 manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) 163 files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir }) 164 165 manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) 166 manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) 167 manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) 168 manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) 169 fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 170 171 # Read clobal configuration files 
172 allow vmware_t vmware_sys_conf_t:dir list_dir_perms; 173 read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) 174 read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) 175 176 manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t) 177 manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) 178 manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) 179 manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) 180 files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file }) 181 182 domtrans_pattern($2, vmware_exec_t, vmware_t) 183 184 kernel_read_system_state(vmware_t) 185 kernel_read_network_state(vmware_t) 186 kernel_read_kernel_sysctls(vmware_t) 187 188 # startup scripts 189 corecmd_exec_bin(vmware_t) 190 corecmd_exec_shell(vmware_t) 191 192 dev_read_raw_memory(vmware_t) 193 dev_write_raw_memory(vmware_t) 194 dev_read_mouse(vmware_t) 195 dev_write_sound(vmware_t) 196 dev_read_realtime_clock(vmware_t) 197 dev_rwx_vmware(vmware_t) 198 dev_rw_usbfs(vmware_t) 199 dev_search_sysfs(vmware_t) 200 201 domain_use_interactive_fds(vmware_t) 202 203 files_read_etc_files(vmware_t) 204 files_read_etc_runtime_files(vmware_t) 205 files_read_usr_files(vmware_t) 206 files_list_home(vmware_t) 207 208 fs_getattr_xattr_fs(vmware_t) 209 fs_search_auto_mountpoints(vmware_t) 210 211 storage_raw_read_removable_device(vmware_t) 212 storage_raw_write_removable_device(vmware_t) 213 214 libs_use_ld_so(vmware_t) 215 libs_use_shared_libs(vmware_t) 216 # startup scripts run ldd 217 libs_exec_ld_so(vmware_t) 218 # Access X11 config files 219 libs_read_lib_files(vmware_t) 220 221 miscfiles_read_localization(vmware_t) 222 223 userdom_use_user_terminals($1,vmware_t) 224 userdom_use_unpriv_users_fds(vmware_t) 225 userdom_list_user_home_dirs($1,vmware_t) 226 # cjp: why? 
227 userdom_read_user_home_content_files($1,vmware_t) 228 229 sysnet_dns_name_resolve(vmware_t) 230 sysnet_read_config(vmware_t) 231 232 xserver_user_x_domain_template($1,vmware,vmware_t, vmware_tmpfs_t)
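Review bot: `allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` at new line 139 explicitly withholds execmem and execstack, and the next line `allow vmware_t self:process { execmem execstack };` grants them back unconditionally, so the complement list misstates the effective policy. Either drop the two permissions from the complement at 139 or, to match games.te in this changeset, wrap line 140 in `tunable_policy(`allow_execmem',` ... ')` so the grant is visible and switchable. Lines 137 and 192-193 give a user-launched domain sys_admin, sys_rawio and raw memory read/write, and a why-comment naming the component that needs them, e.g. `# raw memory and rawio: required by the vmware monitor - confirm which binary`, would help whoever later tries to tighten it. The comment at 171 reads `# Read clobal configuration files` and should be `# Read global configuration files`, and the host rules at 56-58 still name `vmware_var_run_t` although line 25 makes it an alias of `vmware_host_pid_t`. The `$1`/`$2` references indicate the guest local policy sits inside a template whose declaration and closing are outside this section.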
