Changeset 2687
- Timestamp:
- 05/21/08 09:48:34 (7 months ago)
- Files:
-
- branches/rbacsep/policy/modules/admin/su.if (modified) (1 diff)
- branches/rbacsep/policy/modules/admin/su.te (modified) (1 diff)
- branches/rbacsep/policy/modules/admin/sudo.if (modified) (1 diff)
- branches/rbacsep/policy/modules/admin/sudo.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/cdrecord.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/cdrecord.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/ethereal.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/ethereal.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/evolution.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/evolution.te (modified) (7 diffs)
- branches/rbacsep/policy/modules/apps/games.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/games.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/gift.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/gift.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/gnome.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/gnome.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/gpg.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/gpg.te (modified) (3 diffs)
- branches/rbacsep/policy/modules/apps/irc.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/irc.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/java.if (modified) (3 diffs)
- branches/rbacsep/policy/modules/apps/java.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/lockdev.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/lockdev.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/mozilla.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/mozilla.te (modified) (3 diffs)
- branches/rbacsep/policy/modules/apps/mplayer.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/mplayer.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/rssh.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/screen.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/screen.te (modified) (6 diffs)
- branches/rbacsep/policy/modules/apps/thunderbird.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/thunderbird.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/tvtime.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/tvtime.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/uml.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/uml.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/userhelper.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/userhelper.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/vmware.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/vmware.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/wireshark.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/wireshark.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/auditadm.te (modified) (3 diffs)
- branches/rbacsep/policy/modules/roles/secadm.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/roles/staff.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/roles/sysadm.te (modified) (12 diffs)
- branches/rbacsep/policy/modules/roles/unprivuser.te (modified) (1 diff)
- branches/rbacsep/policy/rolemap (modified) (1 diff)
branches/rbacsep/policy/modules/admin/su.if
r2437 r2687 125 125 dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; 126 126 ') dnl end TODO 127 ') 128 129 ############################################################ 130 ## <summary> 131 ## Role access for su 132 ## </summary> 133 ## <param name="role"> 134 ## <summary> 135 ## Role allowed access 136 ## </summary> 137 ## </param> 138 ## <param name="domain"> 139 ## <summary> 140 ## User domain for the role 141 ## </summary> 142 ## </param> 143 # 144 interface(`su_role',` 145 gen_require(` 146 type su_t, su_exec_t; 147 ') 148 149 role $1 types su_t; 150 151 # Transition from the user domain to this domain. 152 domtrans_pattern($2, su_exec_t, su_t) 153 154 allow $2 su_t:process signal; 155 156 # By default, revert to the calling domain when a shell is executed. 157 corecmd_shell_domtrans(su_t, $2) 158 allow $2 su_t:fd use; 159 allow $2 su_t:fifo_file rw_file_perms; 160 allow $2 su_t:process sigchld; 127 161 ') 128 162 branches/rbacsep/policy/modules/admin/su.te
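Review bot: `corecmd_shell_domtrans(su_t, $2)` in `su_role` now applies to the single shared `su_t`, so calling the interface for a second user domain would probably produce two default transitions for the same (su_t, shell) pair with different targets. This assumes the macro expands to a `type_transition`, as it does in upstream refpolicy; the policy compiler rejects such conflicting rules. `sudo_role` in sudo.if has the same line with `sudo_t`. Either keep su/sudo as per-role derived domains, or grant only the transition permission without a default, e.g. `corecmd_shell_spec_domtrans(su_t, $2)`, and let su set the exec context explicitly. It would also help to add a comment on the interface saying which domain a shell started from `su_t` is expected to land in, since that is the security-relevant property here.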
r2684 r2687 27 27 allow su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; 28 28 allow su_t self:key { search write }; 29 30 # Transition from the user domain to this domain.31 domtrans_pattern($2, su_exec_t, su_t)32 33 allow $2 su_t:process signal;34 35 # By default, revert to the calling domain when a shell is executed.36 corecmd_shell_domtrans(su_t,$2)37 allow $2 su_t:fd use;38 allow $2 su_t:fifo_file rw_file_perms;39 allow $2 su_t:process sigchld;40 29 41 30 kernel_read_system_state(su_t) branches/rbacsep/policy/modules/admin/sudo.if
r2540 r2687 136 136 ') dnl end TODO 137 137 ') 138 139 ############################################################ 140 ## <summary> 141 ## Role access for sudo 142 ## </summary> 143 ## <param name="role"> 144 ## <summary> 145 ## Role allowed access 146 ## </summary> 147 ## </param> 148 ## <param name="domain"> 149 ## <summary> 150 ## User domain for the role 151 ## </summary> 152 ## </param> 153 # 154 interface(`sudo_role',` 155 gen_require(` 156 type sudo_t, sudo_exec_t; 157 ') 158 159 role $1 types sudo_t; 160 161 # Enter this derived domain from the user domain 162 domtrans_pattern($2, sudo_exec_t, sudo_t) 163 164 # By default, revert to the calling domain when a shell is executed. 165 corecmd_shell_domtrans(sudo_t, $2) 166 allow $2 sudo_t:fd use; 167 allow $2 sudo_t:fifo_file rw_file_perms; 168 allow $2 sudo_t:process sigchld; 169 ') branches/rbacsep/policy/modules/admin/sudo.te
r2684 r2687 32 32 allow sudo_t self:unix_stream_socket connectto; 33 33 allow sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; 34 35 # Enter this derived domain from the user domain36 domtrans_pattern($2, sudo_exec_t, sudo_t)37 38 # By default, revert to the calling domain when a shell is executed.39 corecmd_shell_domtrans(sudo_t,$2)40 allow $2 sudo_t:fd use;41 allow $2 sudo_t:fifo_file rw_file_perms;42 allow $2 sudo_t:process sigchld;43 34 44 35 kernel_read_kernel_sysctls(sudo_t) branches/rbacsep/policy/modules/apps/cdrecord.if
r2372 r2687 189 189 ') 190 190 ') 191 192 ######################################## 193 ## <summary> 194 ## Role access for cdrecord 195 ## </summary> 196 ## <param name="role"> 197 ## <summary> 198 ## Role allowed access 199 ## </summary> 200 ## </param> 201 ## <param name="domain"> 202 ## <summary> 203 ## User domain for the role 204 ## </summary> 205 ## </param> 206 # 207 interface(`cdrecord_role',` 208 gen_require(` 209 type cdrecord_t, cdrecord_exec_t; 210 ') 211 212 role $1 types cdrecord_t; 213 214 # Transition from the user domain to the derived domain. 215 domtrans_pattern($2, cdrecord_exec_t, cdrecord_t) 216 217 allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl }; 218 219 # allow ps to show cdrecord and allow the user to kill it 220 ps_process_pattern($2, cdrecord_t) 221 allow $2 cdrecord_t:process signal; 222 ') branches/rbacsep/policy/modules/apps/cdrecord.te
r2680 r2687 32 32 allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; 33 33 34 allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl };35 36 # allow ps to show cdrecord and allow the user to kill it37 ps_process_pattern($2, cdrecord_t)38 allow $2 cdrecord_t:process signal;39 40 # Transition from the user domain to the derived domain.41 domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)42 43 34 # allow searching for cdrom-drive 44 35 dev_list_all_dev_nodes(cdrecord_t) … … 65 56 # write to the user domain tty. 66 57 userdom_use_user_terminals($1, cdrecord_t) 67 userdom_use_user_terminals($1, $2)68 69 58 userdom_read_user_home_content_files($1, cdrecord_t) 70 59 branches/rbacsep/policy/modules/apps/ethereal.if
r2675 r2687 216 216 ') 217 217 218 ############################################################ 219 ## <summary> 220 ## Role access for ethereal 221 ## </summary> 222 ## <param name="role"> 223 ## <summary> 224 ## Role allowed access 225 ## </summary> 226 ## </param> 227 ## <param name="domain"> 228 ## <summary> 229 ## User domain for the role 230 ## </summary> 231 ## </param> 232 # 233 interface(`ethereal_role',` 234 gen_require(` 235 type ethereal_t, ethereal_exec_t; 236 type ethereal_home_t, ethereal_tmp_t; 237 type ethereal_tmpfs_t; 238 ') 239 240 role $1 types { ethereal_t ethereal_home_t ethereal_tmp_t ethereal_tmpfs_t }; 241 242 domain_auto_trans($2, ethereal_exec_t, ethereal_t) 243 allow ethereal_t $2:fd use; 244 allow ethereal_t $2:process sigchld; 245 246 manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t) 247 manage_files_pattern($2, ethereal_home_t, ethereal_home_t) 248 manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t) 249 relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t) 250 relabel_files_pattern($2, ethereal_home_t, ethereal_home_t) 251 relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t) 252 ') 253 218 254 ######################################## 219 255 ## <summary> branches/rbacsep/policy/modules/apps/ethereal.te
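Review bot: The `role $1 types { ethereal_t ethereal_home_t ethereal_tmp_t ethereal_tmpfs_t };` statement in `ethereal_role` authorizes file types for the role, although only `ethereal_t` is a process domain. Role-type authorization is meaningful only for domains, so listing the home/tmp/tmpfs types adds nothing and blurs which domains the role can actually enter. I would reduce it to `role $1 types ethereal_t;`. The same pattern appears in `games_role`, `gift_role`, `gnome_role`, `gpg_role` and `irc_role` in this changeset.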
r2680 r2687 64 64 manage_fifo_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t) 65 65 fs_tmpfs_filetrans(ethereal_t, ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 66 67 domain_auto_trans($2, ethereal_exec_t, ethereal_t)68 allow ethereal_t $2:fd use;69 allow ethereal_t $2:process sigchld;70 71 manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t)72 manage_files_pattern($2, ethereal_home_t, ethereal_home_t)73 manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)74 relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t)75 relabel_files_pattern($2, ethereal_home_t, ethereal_home_t)76 relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)77 66 78 67 kernel_read_kernel_sysctls(ethereal_t) branches/rbacsep/policy/modules/apps/evolution.if
r2675 r2687 791 791 ######################################## 792 792 ## <summary> 793 ## Role access for evolution 794 ## </summary> 795 ## <param name="role"> 796 ## <summary> 797 ## Role allowed access 798 ## </summary> 799 ## </param> 800 ## <param name="domain"> 801 ## <summary> 802 ## User domain for the role 803 ## </summary> 804 ## </param> 805 # 806 interface(`evolution_role',` 807 gen_require(` 808 type evolution_t, evolution_exec_t; 809 type evolution_tmpfs_t, evolution_home_t; 810 type evolution_orbit_tmp_t; 811 type evolution_alarm_t, evolution_alarm_exec_t; 812 type evolution_alarm_tmpfs_t, evolution_alarm_orbit_tmp_t; 813 type evolution_exchange_t, evolution_exchange_exec_t; 814 type evolution_exchange_tmpfs_t, $1_evolution_exchange_tmp_t; 815 type evolution_exchange_orbit_tmp_t; 816 type evolution_server_t, evolution_server_exec_t; 817 type evolution_server_orbit_tmp_t; 818 type evolution_webcal_t, evolution_webcal_exec_t; 819 type evolution_webcal_tmpfs_t; 820 ') 821 822 role $2 types { evolution_t evolution_tmpfs_t evolution_home_t }; 823 role $2 types { evolution_orbit_tmp_t evolution_alarm_t }; 824 role $2 types { evolution_alarm_tmpfs_t evolution_alarm_orbit_tmp_t }; 825 role $2 types { evolution_exchange_t evolution_exchange_tmpfs_t }; 826 role $2 types { evolution_exchange_tmp_t evolution_exchange_orbit_tmp_t }; 827 role $2 types { evolution_server_t evolution_server_orbit_tmp_t }; 828 role $2 types { evolution_webcal_t evolution_webcal_tmpfs_t }; 829 830 domtrans_pattern($2, evolution_exec_t, evolution_t) 831 domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t) 832 domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t) 833 domtrans_pattern($2, evolution_server_exec_t, evolution_server_t) 834 domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t) 835 836 ps_process_pattern($2, evolution_t) 837 ps_process_pattern($2, evolution_alarm_t) 838 ps_process_pattern($2, evolution_exchange_t) 839 
ps_process_pattern($2, evolution_server_t) 840 ps_process_pattern($2, evolution_webcal_t) 841 842 allow evolution_t $2:dir search; 843 allow evolution_t $2:file read; 844 allow evolution_t $2:lnk_file read; 845 allow evolution_t $2:unix_stream_socket connectto; 846 847 allow $2 evolution_t:unix_stream_socket connectto; 848 allow $2 evolution_t:process noatsecure; 849 allow $2 evolution_t:process signal_perms; 850 851 # Access .evolution 852 allow $2 evolution_home_t:dir manage_dir_perms; 853 allow $2 evolution_home_t:file manage_file_perms; 854 allow $2 evolution_home_t:lnk_file manage_lnk_file_perms; 855 allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto }; 856 857 allow evolution_exchange_t $2:unix_stream_socket connectto; 858 859 # Clock applet talks to exchange (FIXME: Needs policy) 860 allow $2 evolution_exchange_t:unix_stream_socket connectto; 861 allow $2 evolution_exchange_orbit_tmp_t:sock_file write; 862 ') 863 864 ######################################## 865 ## <summary> 793 866 ## Create objects in users evolution home folders. 794 867 ## </summary> branches/rbacsep/policy/modules/apps/evolution.te
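Review bot: All seven `role $2 types { ... }` statements in `evolution_role` use the domain parameter where the role is required. The interface documents `$1` as the role and `$2` as the user domain, and every other `*_role` interface here uses `role $1 types`, so these should read `role $1 types { ... }`. `java_role` in java.if has the same `role $2 types` mistake. Separately, the `gen_require` block still names `$1_evolution_exchange_tmp_t`, which would expand to a role-prefixed type, while the role statement refers to `evolution_exchange_tmp_t`. The require line should be `type evolution_exchange_tmpfs_t, evolution_exchange_tmp_t;`.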
r2680 r2687 83 83 allow evolution_t evolution_home_t:file manage_file_perms; 84 84 allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms; 85 userdom_search_user_home_dirs($1, evolution_t) 85 86 86 87 allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms; … … 106 107 allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms; 107 108 fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 108 109 allow evolution_t $2:dir search;110 allow evolution_t $2:fd use;111 allow evolution_t $2:file read;112 allow evolution_t $2:lnk_file read;113 allow evolution_t $2:process sigchld;114 allow evolution_t $2:unix_stream_socket connectto;115 allow evolution_t $2:dir search;116 allow evolution_t $2:file read;117 118 domain_auto_trans($2, evolution_exec_t, evolution_t)119 120 allow $2 evolution_t:unix_stream_socket connectto;121 allow $2 evolution_t:process noatsecure;122 allow $2 evolution_t:process signal_perms;123 124 # Access .evolution125 allow $2 evolution_home_t:dir manage_dir_perms;126 allow $2 evolution_home_t:file manage_file_perms;127 allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;128 allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };129 userdom_search_user_home_dirs($1, evolution_t)130 131 # Allow the user domain to signal/ps.132 allow $2 evolution_t:dir { search getattr read };133 allow $2 evolution_t:{ file lnk_file } { read getattr };134 allow $2 evolution_t:process getattr;135 136 domain_dontaudit_read_all_domains_state(evolution_t)137 109 138 110 #FIXME check to see if really needed … … 180 152 dev_read_urand(evolution_t) 181 153 154 domain_dontaudit_read_all_domains_state(evolution_t) 155 182 156 files_read_etc_files(evolution_t) 183 157 files_read_usr_files(evolution_t) … … 431 405 allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write; 432 406 433 domain_auto_trans($2, evolution_alarm_exec_t, evolution_alarm_t)434 allow evolution_alarm_t $2:fd 
use;435 436 407 dev_read_urand(evolution_alarm_t) 437 408 … … 513 484 fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 514 485 515 allow evolution_exchange_t $2:unix_stream_socket connectto;516 486 allow evolution_exchange_t $1_tmp_t:sock_file write; 517 518 # Clock applet talks to exchange (FIXME: Needs policy)519 allow $2 evolution_exchange_t:unix_stream_socket connectto;520 allow $2 evolution_exchange_orbit_tmp_t:sock_file write;521 522 # Transition from user domain523 domain_auto_trans($2, evolution_exchange_exec_t, evolution_exchange_t)524 487 525 488 kernel_read_network_state(evolution_exchange_t) … … 594 557 allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto; 595 558 allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write; 596 597 # Transition from user type598 domain_auto_trans($2, evolution_server_exec_t, evolution_server_t)599 559 600 560 kernel_read_system_state(evolution_server_t) … … 672 632 allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; 673 633 fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 674 675 # Transition from user type676 domain_auto_trans($2, evolution_webcal_exec_t, evolution_webcal_t)677 634 678 635 corenet_all_recvfrom_unlabeled(evolution_webcal_t) branches/rbacsep/policy/modules/apps/games.if
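Review bot: The line added at new line 85, `userdom_search_user_home_dirs($1, evolution_t)`, still depends on the positional parameter `$1`, which is not defined in a plain `.te` module once the per-role template is gone. The context line `allow evolution_exchange_t $1_tmp_t:sock_file write;` has the same leftover. If this branch is meant to build at this revision, the call belongs in `evolution_role` in evolution.if, where a role/domain argument exists. Otherwise it should be replaced by an interface that takes only `evolution_t`. If the file is knowingly mid-conversion, a `# TODO` comment on these lines would make that clear.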
r2675 r2687 166 166 ') 167 167 ') 168 169 ############################################################ 170 ## <summary> 171 ## Role access for games 172 ## </summary> 173 ## <param name="role"> 174 ## <summary> 175 ## Role allowed access 176 ## </summary> 177 ## </param> 178 ## <param name="domain"> 179 ## <summary> 180 ## User domain for the role 181 ## </summary> 182 ## </param> 183 # 184 interface(`games_role',` 185 gen_require(` 186 type games_t, games_exec_t; 187 type games_devpts_t, games_tmpfs_t; 188 type games_tmp_t; 189 ') 190 191 role $1 types { games_t games_devpts_t games_tmpfs_t games_tmp_t }; 192 193 domtrans_pattern($2, games_exec_t, games_t) 194 allow $2 games_t:unix_stream_socket connectto; 195 allow games_t $2:unix_stream_socket connectto; 196 ') branches/rbacsep/policy/modules/apps/games.te
r2682 r2687 109 109 can_exec(games_t, games_exec_t) 110 110 111 domain_auto_trans($2, games_exec_t, games_t)112 allow $2 games_t:unix_stream_socket connectto;113 allow games_t $2:unix_stream_socket connectto;114 115 111 kernel_read_system_state(games_t) 116 112 branches/rbacsep/policy/modules/apps/gift.if
r2675 r2687 195 195 ') 196 196 ') 197 198 ############################################################ 199 ## <summary> 200 ## Role access for gift 201 ## </summary> 202 ## <param name="role"> 203 ## <summary> 204 ## Role allowed access 205 ## </summary> 206 ## </param> 207 ## <param name="domain"> 208 ## <summary> 209 ## User domain for the role 210 ## </summary> 211 ## </param> 212 # 213 interface(`gift_role',` 214 gen_require(` 215 type gift_t, gift_exec_t; 216 type giftd_t, giftd_exec_t; 217 type gift_home_t, gift_tmpfs_t; 218 ') 219 220 role $1 types { gift_t giftd_t gift_home_t gift_tmpfs_t }; 221 222 # transition from user domain 223 domtrans_pattern($2, gift_exec_t, gift_t) 224 domtrans_pattern($2, giftd_exec_t, giftd_t) 225 226 # user managed content 227 manage_dirs_pattern($2, gift_home_t, gift_home_t) 228 manage_files_pattern($2, gift_home_t, gift_home_t) 229 manage_lnk_files_pattern($2, gift_home_t, gift_home_t) 230 relabel_dirs_pattern($2, gift_home_t, gift_home_t) 231 relabel_files_pattern($2, gift_home_t, gift_home_t) 232 relabel_lnk_files_pattern($2, gift_home_t, gift_home_t) 233 234 # Allow the user domain to signal/ps. 235 ps_process_pattern($2, gift_t) 236 allow $2 gift_t:process signal_perms; 237 ') branches/rbacsep/policy/modules/apps/gift.te
r2680 r2687 42 42 # Launch gift daemon 43 43 domtrans_pattern(gift_t, giftd_exec_t, giftd_t) 44 45 # transition from user domain46 domtrans_pattern($2, gift_exec_t, gift_t)47 48 # user managed content49 manage_dirs_pattern($2,gift_home_t, gift_home_t)50 manage_files_pattern($2,gift_home_t, gift_home_t)51 manage_lnk_files_pattern($2,gift_home_t, gift_home_t)52 relabel_dirs_pattern($2,gift_home_t, gift_home_t)53 relabel_files_pattern($2,gift_home_t, gift_home_t)54 relabel_lnk_files_pattern($2,gift_home_t, gift_home_t)55 56 # Allow the user domain to signal/ps.57 ps_process_pattern($2,gift_t)58 allow $2 gift_t:process signal_perms;59 44 60 45 # Read /proc/meminfo … … 112 97 userdom_user_home_dir_filetrans($1, giftd_t, gift_home_t, dir) 113 98 114 domtrans_pattern($2, giftd_exec_t, giftd_t)115 116 99 kernel_read_system_state(giftd_t) 117 100 kernel_read_kernel_sysctls(giftd_t) branches/rbacsep/policy/modules/apps/gnome.if
r2372 r2687 109 109 ') 110 110 ') 111 112 ############################################################ 113 ## <summary> 114 ## Role access for gnome 115 ## </summary> 116 ## <param name="role"> 117 ## <summary> 118 ## Role allowed access 119 ## </summary> 120 ## </param> 121 ## <param name="domain"> 122 ## <summary> 123 ## User domain for the role 124 ## </summary> 125 ## </param> 126 # 127 interface(`gnome_role',` 128 gen_require(` 129 type gconfd_t, gconfd_exec_t; 130 type gconf_home_t, gnome_home_t; 131 type gconf_tmp_t; 132 ') 133 134 role $1 types { gconfd_t gconf_home_t gconf_tmp_t gnome_home_t }; 135 136 domain_auto_trans($2, gconfd_exec_t, gconfd_t) 137 allow gconfd_t $2:fd use; 138 allow gconfd_t $2:fifo_file write; 139 allow gconfd_t $2:unix_stream_socket connectto; 111 140 141 ps_process_pattern($2, gconfd_t) 142 143 #gnome_stream_connect_gconf_template($1, $2) 144 read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) 145 allow $2 gconfd_t:unix_stream_socket connectto; 146 ') 147 112 148 ######################################## 113 149 ## <summary> branches/rbacsep/policy/modules/apps/gnome.te
r2680 r2687 41 41 userdom_user_tmp_filetrans($1,gconfd_t, gconf_tmp_t, { dir file }) 42 42 43 domain_auto_trans($2, gconfd_exec_t, gconfd_t)44 allow gconfd_t $2:fd use;45 allow gconfd_t $2:fifo_file write;46 allow gconfd_t $2:unix_stream_socket connectto;47 48 43 allow gconfd_t gconf_etc_t:dir list_dir_perms; 49 44 read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) 50 51 ps_process_pattern($2, gconfd_t)52 45 53 46 dev_read_urand(gconfd_t) … … 66 59 userdom_tmp_filetrans_user_tmp($1, gconfd_t, dir) 67 60 68 gnome_stream_connect_gconf_template($1, $2)69 70 61 optional_policy(` 71 62 nscd_dontaudit_search_pid(gconfd_t) branches/rbacsep/policy/modules/apps/gpg.if
r2372 r2687 317 317 ') 318 318 319 ############################################################ 320 ## <summary> 321 ## Role access for gpg 322 ## </summary> 323 ## <param name="role"> 324 ## <summary> 325 ## Role allowed access 326 ## </summary> 327 ## </param> 328 ## <param name="domain"> 329 ## <summary> 330 ## User domain for the role 331 ## </summary> 332 ## </param> 333 # 334 interface(`gpg_role',` 335 gen_require(` 336 type gpg_t, gpg_exec_t; 337 type gpg_agent_t, gpg_agent_exec_t; 338 type gpg_agent_tmp_t, gpg_secret_t; 339 type gpg_helper_t, gpg_pinentry_t; 340 ') 341 342 role $1 types { gpg_t gpg_agent_t gpg_agent_tmp_t }; 343 role $1 types { gpg_secret_t gpg_helper_t gpg_pinentry_t }; 344 345 # transition from the userdomain to the derived domain 346 domtrans_pattern($2, gpg_exec_t, gpg_t) 347 348 # allow ps to show gpg 349 ps_process_pattern($2, gpg_t) 350 allow $2 gpg_t:process signal; 351 352 # communicate with the user 353 allow gpg_helper_t $2:fd use; 354 allow gpg_helper_t $2:fifo_file write; 355 356 # allow ps to show gpg-agent 357 ps_process_pattern($2, gpg_agent_t) 358 359 # Allow the user shell to signal the gpg-agent program. 360 allow $2 gpg_agent_t:process { signal sigkill }; 361 362 manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) 363 manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) 364 manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) 365 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) 366 367 # Transition from the user domain to the agent domain. 368 domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) 369 ') 370 319 371 ######################################## 320 372 ## <summary> branches/rbacsep/policy/modules/apps/gpg.te
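Review bot: `files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })` in `gpg_role` references neither `$1` nor `$2`, so it is not per-role policy. The gpg.te section of this changeset removes the same rule, which means the agent only gets its tmp file transition if some role calls `gpg_role`, and the rule is emitted again for every caller. I would leave that line in gpg.te and keep only the `$2`-dependent rules in the interface.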
r2680 r2687 48 48 manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) 49 49 userdom_user_home_dir_filetrans($1, gpg_t, gpg_secret_t, dir) 50 51 # transition from the userdomain to the derived domain52 domtrans_pattern($2,gpg_exec_t, gpg_t)53 54 # allow ps to show gpg55 ps_process_pattern($2,gpg_t)56 allow $2 gpg_t:process signal;57 50 58 51 corenet_all_recvfrom_unlabeled(gpg_t) … … 105 98 allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; 106 99 allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; 107 108 # communicate with the user109 allow gpg_helper_t $2:fd use;110 allow gpg_helper_t $2:fifo_file write;111 100 112 101 dontaudit gpg_helper_t gpg_secret_t:file read; … … 169 158 stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) 170 159 171 # allow ps to show gpg-agent172 ps_process_pattern($2,gpg_agent_t)173 174 # Allow the user shell to signal the gpg-agent program.175 allow $2 gpg_agent_t:process { signal sigkill };176 177 manage_dirs_pattern($2,gpg_agent_tmp_t, gpg_agent_tmp_t)178 manage_files_pattern($2,gpg_agent_tmp_t, gpg_agent_tmp_t)179 manage_sock_files_pattern($2,gpg_agent_tmp_t, gpg_agent_tmp_t)180 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })181 182 # Transition from the user domain to the derived domain.183 domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)184 185 160 corecmd_search_bin(gpg_agent_t) 186 161 branches/rbacsep/policy/modules/apps/irc.if
r2372 r2687 149 149 ') 150 150 ') 151 152 ######################################## 153 ## <summary> 154 ## Role access for IRC 155 ## </summary> 156 ## <param name="role"> 157 ## <summary> 158 ## Role allowed access 159 ## </summary> 160 ## </param> 161 ## <param name="domain"> 162 ## <summary> 163 ## User domain for the role 164 ## </summary> 165 ## </param> 166 # 167 interface(`irc_role',` 168 gen_require(` 169 type irc_t, irc_exec_t; 170 type irc_home_t, irc_tmp_t; 171 ') 172 173 role $1 types { irc_t irc_home_t irc_tmp_t }; 174 175 # Transition from the user domain to the derived domain. 176 domtrans_pattern($2, irc_exec_t, irc_t) 177 178 # allow ps to show irc 179 ps_process_pattern($2, irc_t) 180 allow $2 irc_t:process signal; 181 ') branches/rbacsep/policy/modules/apps/irc.te
r2680 r2687 39 39 manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) 40 40 files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) 41 42 # Transition from the user domain to the derived domain.43 domtrans_pattern($2,irc_exec_t, irc_t)44 45 # allow ps to show irc46 ps_process_pattern($2,irc_t)47 allow $2 irc_t:process signal;48 41 49 42 kernel_read_proc_symlinks(irc_t) branches/rbacsep/policy/modules/apps/java.if
r2675 r2687 171 171 ######################################## 172 172 ## <summary> 173 ## Role access for java 174 ## </summary> 175 ## <param name="role"> 176 ## <summary> 177 ## Role allowed access 178 ## </summary> 179 ## </param> 180 ## <param name="domain"> 181 ## <summary> 182 ## User domain for the role 183 ## </summary> 184 ## </param> 185 # 186 interface(`java_role',` 187 gen_require(` 188 type javaplugin_t, java_exec_t; 189 type javaplugin_tmp_t, javaplugin_tmpfs_t; 190 ') 191 192 role $2 types { javaplugin_t javaplugin_tmp_t javaplugin_tmpfs_t }; 193 194 # The user role is authorized for this domain. 195 domtrans_pattern($2, java_exec_t, javaplugin_t) 196 allow javaplugin_t $2:process signull; 197 # Unrestricted inheritance from the caller. 198 allow $2 javaplugin_t:process { noatsecure siginh rlimitinh }; 199 200 allow javaplugin_t $2:unix_stream_socket connectto; 201 allow javaplugin_t $2:unix_stream_socket { read write }; 202 ') 203 204 ######################################## 205 ## <summary> 173 206 ## Run java in javaplugin domain. 174 207 ## </summary> … … 204 237 ######################################## 205 238 ## <summary> 206 ## Execute the java program in the java domain.239 ## Execute the java program in the unconfined java domain. 207 240 ## </summary> 208 241 ## <param name="domain"> … … 214 247 interface(`java_domtrans',` 215 248 gen_require(` 216 type java_t, java_exec_t; 217 ') 218 249 type unconfined_java_t, java_exec_t; 250 ') 251 252 domtrans_pattern($1, java_exec_t, unconfined_java_t) 219 253 corecmd_search_bin($1) 220 domtrans_pattern($1, java_exec_t, java_t) 221 ') 254 ') branches/rbacsep/policy/modules/apps/java.te
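Review bot: `java_role` requires `javaplugin_t`, `javaplugin_tmp_t` and `javaplugin_tmpfs_t`, but the part of java.te visible in this changeset declares `java_t`, `java_tmp_t` and `java_tmpfs_t`, and aliases only the role-prefixed names such as `staff_javaplugin_t`. Unless `javaplugin_t` is declared in a part of the module not shown, the `gen_require` will fail. The interface should either use the `java_*` names or java.te should add the unprefixed aliases. `java_domtrans` likewise now requires `unconfined_java_t`, which the visible java.te does not declare. Its summary was updated to say "unconfined java domain", so the change is intentional, but the type declaration should be confirmed.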
r2675 r2687 12 12 ## </p> 13 13 ## </desc> 14 gen_tunable(allow_java_execstack, false)14 gen_tunable(allow_java_execstack, false) 15 15 16 16 type java_t; 17 17 type java_exec_t; 18 init_system_domain(java_t,java_exec_t) 18 application_domain(java_t, java_exec_t) 19 typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; 20 typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; 21 22 type java_tmp_t; 23 files_tmp_file(java_tmp_t) 24 typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t }; 25 typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t }; 26 27 type java_tmpfs_t; 28 files_tmpfs_file(java_tmpfs_t) 29 typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; 30 typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; 19 31 20 32 ######################################## … … 23 35 # 24 36 25 # execheap is needed for itanium/BEA jrocket 26 allow java_t self:process { execstack execmem execheap }; 37 allow java_t self:process { signal_perms getsched setsched execmem }; 38 allow java_t self:fifo_file rw_fifo_file_perms; 39 allow java_t self:tcp_socket create_socket_perms; 40 allow java_t self:udp_socket create_socket_perms; 27 41 28 init_dbus_chat_script(java_t) 42 manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t) 43 manage_files_pattern(java_t, java_tmp_t, java_tmp_t) 44 files_tmp_filetrans(java_t, java_tmp_t,{ file dir }) 45
