Changeset 2726
- Timestamp:
- 06/19/08 16:33:52 (2 months ago)
- Files:
-
- branches/rbacsep/policy/modules/admin/su.if (modified) (2 diffs)
- branches/rbacsep/policy/modules/admin/sudo.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/cdrecord.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/ethereal.if (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/evolution.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/games.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/gift.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/gnome.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/gpg.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/irc.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/java.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/lockdev.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/mozilla.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/mplayer.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/rssh.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/screen.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/thunderbird.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/tvtime.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/uml.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/userhelper.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/vmware.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/wireshark.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/apache.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/bluetooth.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/cron.if (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/dbus.if (modified) (3 diffs)
- branches/rbacsep/policy/modules/services/ftp.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/lpd.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/mta.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/postfix.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/pyzor.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/qmail.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/razor.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/samba.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/spamassassin.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/ssh.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/xserver.if (modified) (1 diff)
- branches/rbacsep/policy/modules/system/unconfined.te (modified) (1 diff)
branches/rbacsep/policy/modules/admin/su.if
r2687 r2726 127 127 ') 128 128 129 ######################################## ####################129 ######################################## 130 130 ## <summary> 131 131 ## Role access for su … … 163 163 ####################################### 164 164 ## <summary> 165 ## The per role template for the su module.166 ## </summary>167 ## <desc>168 ## <p>169 ## This template creates a derived domain which is allowed170 ## to change the linux user id, to run shells as a different171 ## user.172 ## </p>173 ## <p>174 ## This template is invoked automatically for each user, and175 ## generally does not need to be invoked directly176 ## by policy writers.177 ## </p>178 ## </desc>179 ## <param name="userdomain_prefix">180 ## <summary>181 ## The prefix of the user domain (e.g., user182 ## is the prefix for user_t).183 ## </summary>184 ## </param>185 ## <param name="user_domain">186 ## <summary>187 ## The type of the user domain.188 ## </summary>189 ## </param>190 ## <param name="user_role">191 ## <summary>192 ## The role associated with the user domain.193 ## </summary>194 ## </param>195 #196 template(`su_per_role_template',`197 gen_require(`198 attribute su_domain_type;199 type su_exec_t;200 bool secure_mode;201 ')202 203 type $1_su_t, su_domain_type;204 domain_entry_file($1_su_t,su_exec_t)205 domain_type($1_su_t)206 domain_interactive_fd($1_su_t)207 role $3 types $1_su_t;208 209 allow $2 $1_su_t:process signal;210 211 allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };212 dontaudit $1_su_t self:capability sys_tty_config;213 allow $1_su_t self:process { setexec setsched setrlimit };214 allow $1_su_t self:fifo_file rw_fifo_file_perms;215 allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };216 allow $1_su_t self:key { search write };217 218 # Transition from the user domain to this domain.219 domtrans_pattern($2, su_exec_t, $1_su_t)220 221 # By default, revert 
to the calling domain when a shell is executed.222 corecmd_shell_domtrans($1_su_t,$2)223 allow $2 $1_su_t:fd use;224 allow $2 $1_su_t:fifo_file rw_file_perms;225 allow $2 $1_su_t:process sigchld;226 227 kernel_read_system_state($1_su_t)228 kernel_read_kernel_sysctls($1_su_t)229 kernel_search_key($1_su_t)230 kernel_link_key($1_su_t)231 232 # for SSP233 dev_read_urand($1_su_t)234 235 fs_search_auto_mountpoints($1_su_t)236 237 # needed for pam_rootok238 selinux_compute_access_vector($1_su_t)239 240 auth_domtrans_user_chk_passwd($1,$1_su_t)241 auth_dontaudit_read_shadow($1_su_t)242 auth_use_nsswitch($1_su_t)243 auth_rw_faillog($1_su_t)244 245 corecmd_search_bin($1_su_t)246 247 domain_use_interactive_fds($1_su_t)248 249 files_read_etc_files($1_su_t)250 files_read_etc_runtime_files($1_su_t)251 files_search_var_lib($1_su_t)252 files_dontaudit_getattr_tmp_dirs($1_su_t)253 254 init_dontaudit_use_fds($1_su_t)255 # Write to utmp.256 init_rw_utmp($1_su_t)257 258 mls_file_write_all_levels($1_su_t)259 260 libs_use_ld_so($1_su_t)261 libs_use_shared_libs($1_su_t)262 263 logging_send_syslog_msg($1_su_t)264 265 miscfiles_read_localization($1_su_t)266 267 userdom_use_user_terminals($1,$1_su_t)268 userdom_search_user_home_dirs($1,$1_su_t)269 270 ifdef(`distro_rhel4',`271 domain_role_change_exemption($1_su_t)272 domain_subj_id_change_exemption($1_su_t)273 domain_obj_id_change_exemption($1_su_t)274 275 selinux_get_fs_mount($1_su_t)276 selinux_validate_context($1_su_t)277 selinux_compute_create_context($1_su_t)278 selinux_compute_relabel_context($1_su_t)279 selinux_compute_user_contexts($1_su_t)280 281 # Relabel ttys and ptys.282 term_relabel_all_user_ttys($1_su_t)283 term_relabel_all_user_ptys($1_su_t)284 # Close and re-open ttys and ptys to get the fd into the correct domain.285 term_use_all_user_ttys($1_su_t)286 term_use_all_user_ptys($1_su_t)287 288 seutil_read_config($1_su_t)289 seutil_read_default_contexts($1_su_t)290 291 if(secure_mode) {292 # Only allow transitions to 
unprivileged user domains.293 userdom_spec_domtrans_unpriv_users($1_su_t)294 } else {295 # Allow transitions to all user domains296 userdom_spec_domtrans_all_users($1_su_t)297 }298 299 optional_policy(`300 unconfined_domtrans($1_su_t)301 unconfined_signal($1_su_t)302 ')303 ')304 305 tunable_policy(`allow_polyinstantiation',`306 fs_mount_xattr_fs($1_su_t)307 fs_unmount_xattr_fs($1_su_t)308 ')309 310 tunable_policy(`use_nfs_home_dirs',`311 fs_search_nfs($1_su_t)312 ')313 314 tunable_policy(`use_samba_home_dirs',`315 fs_search_cifs($1_su_t)316 ')317 318 optional_policy(`319 cron_read_pipes($1_su_t)320 ')321 322 optional_policy(`323 kerberos_use($1_su_t)324 ')325 326 # Modify .Xauthority file (via xauth program).327 optional_policy(`328 xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)329 xserver_domtrans_user_xauth($1, $1_su_t)330 ')331 332 ifdef(`TODO',`333 allow $1_su_t $1_home_t:file manage_file_perms;334 335 # Access sshd cookie files.336 allow $1_su_t sshd_tmp_t:file rw_file_perms;337 file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)338 ') dnl end TODO339 ')340 341 #######################################342 ## <summary>343 165 ## Execute su in the caller domain. 344 166 ## </summary> branches/rbacsep/policy/modules/admin/sudo.if
r2687 r2726 1 1 ## <summary>Execute a command with a substitute user</summary> 2 3 #######################################4 ## <summary>5 ## The per role template for the sudo module.6 ## </summary>7 ## <desc>8 ## <p>9 ## This template creates a derived domain which is allowed10 ## to change the linux user id, to run commands as a different11 ## user.12 ## </p>13 ## <p>14 ## This template is invoked automatically for each user, and15 ## generally does not need to be invoked directly16 ## by policy writers.17 ## </p>18 ## </desc>19 ## <param name="userdomain_prefix">20 ## <summary>21 ## The prefix of the user domain (e.g., user22 ## is the prefix for user_t).23 ## </summary>24 ## </param>25 ## <param name="user_domain">26 ## <summary>27 ## The type of the user domain.28 ## </summary>29 ## </param>30 ## <param name="user_role">31 ## <summary>32 ## The role associated with the user domain.33 ## </summary>34 ## </param>35 #36 template(`sudo_per_role_template',`37 38 gen_require(`39 type sudo_exec_t;40 ')41 42 ##############################43 #44 # Declarations45 #46 47 type $1_sudo_t;48 application_domain($1_sudo_t,sudo_exec_t)49 domain_interactive_fd($1_sudo_t)50 role $3 types $1_sudo_t;51 52 ##############################53 #54 # Local Policy55 #56 57 # Use capabilities.58 allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };59 allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };60 allow $1_sudo_t self:process { setexec setrlimit };61 allow $1_sudo_t self:fd use;62 allow $1_sudo_t self:fifo_file rw_fifo_file_perms;63 allow $1_sudo_t self:shm create_shm_perms;64 allow $1_sudo_t self:sem create_sem_perms;65 allow $1_sudo_t self:msgq create_msgq_perms;66 allow $1_sudo_t self:msg { send receive };67 allow $1_sudo_t self:unix_dgram_socket create_socket_perms;68 allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;69 allow $1_sudo_t self:unix_dgram_socket sendto;70 allow 
$1_sudo_t self:unix_stream_socket connectto;71 allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };72 73 # Enter this derived domain from the user domain74 domtrans_pattern($2, sudo_exec_t, $1_sudo_t)75 76 # By default, revert to the calling domain when a shell is executed.77 corecmd_shell_domtrans($1_sudo_t,$2)78 allow $2 $1_sudo_t:fd use;79 allow $2 $1_sudo_t:fifo_file rw_file_perms;80 allow $2 $1_sudo_t:process sigchld;81 82 kernel_read_kernel_sysctls($1_sudo_t)83 kernel_read_system_state($1_sudo_t)84 kernel_search_key($1_sudo_t)85 86 dev_read_urand($1_sudo_t)87 88 fs_search_auto_mountpoints($1_sudo_t)89 fs_getattr_xattr_fs($1_sudo_t)90 91 auth_domtrans_chk_passwd($1_sudo_t)92 # sudo stores a token in the pam_pid directory93 auth_manage_pam_pid($1_sudo_t)94 auth_use_nsswitch($1_sudo_t)95 96 corecmd_read_bin_symlinks($1_sudo_t)97 corecmd_getattr_all_executables($1_sudo_t)98 99 domain_use_interactive_fds($1_sudo_t)100 domain_sigchld_interactive_fds($1_sudo_t)101 domain_getattr_all_entry_files($1_sudo_t)102 103 files_read_etc_files($1_sudo_t)104 files_read_var_files($1_sudo_t)105 files_read_usr_symlinks($1_sudo_t)106 files_getattr_usr_files($1_sudo_t)107 # for some PAM modules and for cwd108 files_dontaudit_search_home($1_sudo_t)109 110 init_rw_utmp($1_sudo_t)111 112 libs_use_ld_so($1_sudo_t)113 libs_use_shared_libs($1_sudo_t)114 115 logging_send_syslog_msg($1_sudo_t)116 117 miscfiles_read_localization($1_sudo_t)118 119 userdom_manage_user_home_content_files($1,$1_sudo_t)120 userdom_manage_user_home_content_symlinks($1,$1_sudo_t)121 userdom_manage_user_tmp_files($1,$1_sudo_t)122 userdom_manage_user_tmp_symlinks($1,$1_sudo_t)123 userdom_use_user_terminals($1,$1_sudo_t)124 userdom_use_unpriv_users_fds($1_sudo_t)125 # for some PAM modules and for cwd126 userdom_dontaudit_search_all_users_home_content($1_sudo_t)127 128 ifdef(`TODO',`129 # for when the network connection is killed130 dontaudit unpriv_userdomain $1_sudo_t:process signal;131 
132 ifdef(`mta.te', `133 domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)134 ')135 136 ') dnl end TODO137 ')138 2 139 3 ############################################################ branches/rbacsep/policy/modules/apps/cdrecord.if
r2687 r2726 1 1 ## <summary>Policy for cdrecord</summary> 2 3 #######################################4 ## <summary>5 ## The per role template for the cdrecord module.6 ## </summary>7 ## <desc>8 ## <p>9 ## This template creates derived domains which are used10 ## for cdrecord.11 ## </p>12 ## <p>13 ## This template is invoked automatically for each user, and14 ## generally does not need to be invoked directly15 ## by policy writers.16 ## </p>17 ## </desc>18 ## <param name="userdomain_prefix">19 ## <summary>20 ## The prefix of the user domain (e.g., user21 ## is the prefix for user_t).22 ## </summary>23 ## </param>24 ## <param name="user_domain">25 ## <summary>26 ## The type of the user domain.27 ## </summary>28 ## </param>29 ## <param name="user_role">30 ## <summary>31 ## The role associated with the user domain.32 ## </summary>33 ## </param>34 #35 template(`cdrecord_per_role_template', `36 37 gen_require(`38 type cdrecord_exec_t;39 ')40 41 ########################################42 #43 # Declarations44 #45 46 type $1_cdrecord_t;47 application_domain($1_cdrecord_t,cdrecord_exec_t)48 role $3 types $1_cdrecord_t;49 50 ########################################51 #52 # Local policy53 #54 55 allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };56 allow $1_cdrecord_t self:process { getsched setsched sigkill };57 allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;58 allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;59 60 allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };61 62 # allow ps to show cdrecord and allow the user to kill it63 ps_process_pattern($2,$1_cdrecord_t)64 allow $2 $1_cdrecord_t:process signal;65 66 # Transition from the user domain to the derived domain.67 domtrans_pattern($2,cdrecord_exec_t,$1_cdrecord_t)68 69 # allow searching for cdrom-drive70 dev_list_all_dev_nodes($1_cdrecord_t)71 72 domain_interactive_fd($1_cdrecord_t)73 domain_use_interactive_fds($1_cdrecord_t)74 
75 files_read_etc_files($1_cdrecord_t)76 77 term_use_controlling_term($1_cdrecord_t)78 term_list_ptys($1_cdrecord_t)79 80 # allow cdrecord to write the CD81 storage_raw_write_removable_device($1_cdrecord_t)82 storage_write_scsi_generic($1_cdrecord_t)83 84 libs_use_ld_so($1_cdrecord_t)85 libs_use_shared_libs($1_cdrecord_t)86 87 logging_send_syslog_msg($1_cdrecord_t)88 89 miscfiles_read_localization($1_cdrecord_t)90 91 # write to the user domain tty.92 userdom_use_user_terminals($1,$1_cdrecord_t)93 userdom_use_user_terminals($1,$2)94 95 userdom_read_user_home_content_files($1,$1_cdrecord_t)96 97 # Handle nfs home dirs98 tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`99 fs_list_auto_mountpoints($1_cdrecord_t)100 files_list_home($1_cdrecord_t)101 fs_read_nfs_files($1_cdrecord_t)102 fs_read_nfs_symlinks($1_cdrecord_t)103 104 ',`105 files_dontaudit_list_home($1_cdrecord_t)106 fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)107 fs_dontaudit_read_nfs_files($1_cdrecord_t)108 fs_dontaudit_list_nfs($1_cdrecord_t)109 ')110 # Handle samba home dirs111 tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`112 fs_list_auto_mountpoints($1_cdrecord_t)113 files_list_home($1_cdrecord_t)114 fs_read_cifs_files($1_cdrecord_t)115 fs_read_cifs_symlinks($1_cdrecord_t)116 ',`117 files_dontaudit_list_home($1_cdrecord_t)118 fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)119 fs_dontaudit_read_cifs_files($1_cdrecord_t)120 fs_dontaudit_list_cifs($1_cdrecord_t)121 ')122 123 # Handle removable media, /tmp, and /home124 tunable_policy(`cdrecord_read_content',`125 userdom_list_user_tmp($1,$1_cdrecord_t)126 userdom_read_user_tmp_files($1,$1_cdrecord_t)127 userdom_read_user_tmp_symlinks($1,$1_cdrecord_t)128 userdom_search_user_home_dirs($1,$1_cdrecord_t)129 userdom_read_user_home_content_files($1,$1_cdrecord_t)130 userdom_read_user_home_content_symlinks($1,$1_cdrecord_t)131 132 ifdef(`enable_mls',`133 ',`134 fs_search_removable($1_cdrecord_t)135 
fs_read_removable_files($1_cdrecord_t)136 fs_read_removable_symlinks($1_cdrecord_t)137 ')138 ',`139 files_dontaudit_list_tmp($1_cdrecord_t)140 files_dontaudit_list_home($1_cdrecord_t)141 fs_dontaudit_list_removable($1_cdrecord_t)142 fs_dontaudit_read_removable_files($1_cdrecord_t)143 userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)144 userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)145 userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)146 userdom_dontaudit_read_user_home_content_files($1,$1_cdrecord_t)147 ')148 149 # Handle default_t content150 tunable_policy(`cdrecord_read_content && read_default_t',`151 files_list_default($1_cdrecord_t)152 files_read_default_files($1_cdrecord_t)153 files_read_default_symlinks($1_cdrecord_t)154 ',`155 files_dontaudit_read_default_files($1_cdrecord_t)156 files_dontaudit_list_default($1_cdrecord_t)157 ')158 159 # Handle untrusted content160 tunable_policy(`cdrecord_read_content && read_untrusted_content',`161 files_list_tmp($1_cdrecord_t)162 files_list_home($1_cdrecord_t)163 userdom_search_user_home_dirs($1,$1_cdrecord_t)164 165 userdom_list_user_untrusted_content($1,$1_cdrecord_t)166 userdom_read_user_untrusted_content_files($1,$1_cdrecord_t)167 userdom_read_user_untrusted_content_symlinks($1,$1_cdrecord_t)168 userdom_list_user_tmp_untrusted_content($1,$1_cdrecord_t)169 userdom_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)170 userdom_read_user_tmp_untrusted_content_symlinks($1,$1_cdrecord_t)171 ',`172 files_dontaudit_list_tmp($1_cdrecord_t)173 files_dontaudit_list_home($1_cdrecord_t)174 userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)175 userdom_dontaudit_list_user_untrusted_content($1,$1_cdrecord_t)176 userdom_dontaudit_read_user_untrusted_content_files($1,$1_cdrecord_t)177 userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_cdrecord_t)178 userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)179 ')180 181 tunable_policy(`use_nfs_home_dirs',`182 
files_search_mnt($1_cdrecord_t)183 fs_read_nfs_files($1_cdrecord_t)184 fs_read_nfs_symlinks($1_cdrecord_t)185 ')186 187 optional_policy(`188 resmgr_stream_connect($1_cdrecord_t)189 ')190 ')191 2 192 3 ######################################## branches/rbacsep/policy/modules/apps/ethereal.if
r2724 r2726 1 1 ## <summary>Ethereal packet capture tool.</summary> 2 3 #######################################4 ## <summary>5 ## The per role template for the ethereal module.6 ## </summary>7 ## <desc>8 ## <p>9 ## This template creates a derived domains which are used10 ## for ethereal packet capture tool.11 ## </p>12 ## <p>13 ## This template is invoked automatically for each user, and14 ## generally does not need to be invoked directly15 ## by policy writers.16 ## </p>17 ## </desc>18 ## <param name="userdomain_prefix">19 ## <summary>20 ## The prefix of the user domain (e.g., user21 ## is the prefix for user_t).22 ## </summary>23 ## </param>24 ## <param name="user_domain">25 ## <summary>26 ## The type of the user domain.27 ## </summary>28 ## </param>29 ## <param name="user_role">30 ## <summary>31 ## The role associated with the user domain.32 ## </summary>33 ## </param>34 #35 template(`ethereal_per_role_template',`36 37 gen_require(`38 type ethereal_exec_t;39 ')40 41 ##############################42 #43 # Declarations44 #45 46 # Type for program47 type $1_ethereal_t;48 application_domain($1_ethereal_t,ethereal_exec_t)49 role $3 types $1_ethereal_t;50 51 type $1_ethereal_home_t alias $1_ethereal_rw_t;52 files_poly_member($1_ethereal_home_t)53 userdom_user_home_content($1,$1_ethereal_home_t)54 55 type $1_ethereal_tmp_t;56 files_tmp_file($1_ethereal_tmp_t)57 58 type $1_ethereal_tmpfs_t;59 files_tmpfs_file($1_ethereal_tmpfs_t)60 61 ##############################62 #63 # Local Policy64 #65 66 allow $1_ethereal_t self:capability { net_admin net_raw setgid };67 allow $1_ethereal_t self:process { signal getsched };68 allow $1_ethereal_t self:fifo_file { getattr read write };69 allow $1_ethereal_t self:shm destroy;70 allow $1_ethereal_t self:shm create_shm_perms;71 allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };72 allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read };73 allow $1_ethereal_t self:tcp_socket 
create_socket_perms;74 allow $1_ethereal_t self:udp_socket create_socket_perms;75 76 # Re-execute itself (why?)77 can_exec($1_ethereal_t, ethereal_exec_t)78 corecmd_search_bin($1_ethereal_t)79 80 # /home/.ethereal81 manage_dirs_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)82 manage_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)83 manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)84 userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)85 86 # Store temporary files87 manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)88 manage_files_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)89 files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })90 91 manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)92 manage_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)93 manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)94 manage_sock_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)95 manage_fifo_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)96 fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })97 98 domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)99 allow $1_ethereal_t $2:fd use;100 allow $1_ethereal_t $2:process sigchld;101 102 manage_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)103 manage_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)104 manage_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)105 relabel_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)106 relabel_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)107 relabel_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)108 109 kernel_read_kernel_sysctls($1_ethereal_t)110 kernel_read_system_state($1_ethereal_t)111 kernel_read_sysctl($1_ethereal_t)112 113 corecmd_search_bin($1_ethereal_t)114 115 
corenet_tcp_connect_generic_port($1_ethereal_t)116 corenet_tcp_sendrecv_generic_if($1_ethereal_t)117 118 dev_read_urand($1_ethereal_t)119 120 files_read_etc_files($1_ethereal_t)121 files_read_usr_files($1_ethereal_t)122 123 fs_list_inotifyfs($1_ethereal_t)124 fs_search_auto_mountpoints($1_ethereal_t)125 126 libs_read_lib_files($1_ethereal_t)127 libs_use_ld_so($1_ethereal_t)128 libs_use_shared_libs($1_ethereal_t)129 130 miscfiles_read_fonts($1_ethereal_t)131 miscfiles_read_localization($1_ethereal_t)132 133 seutil_use_newrole_fds($1_ethereal_t)134 135 sysnet_read_config($1_ethereal_t)136 137 userdom_manage_user_home_content_files($1,$1_ethereal_t)138 139 tunable_policy(`use_nfs_home_dirs',`140 fs_manage_nfs_dirs($1_ethereal_t)141 fs_manage_nfs_files($1_ethereal_t)142 fs_manage_nfs_symlinks($1_ethereal_t)143 ')144 145 tunable_policy(`use_samba_home_dirs',`146 fs_manage_cifs_dirs($1_ethereal_t)147 fs_manage_cifs_files($1_ethereal_t)148 fs_manage_cifs_symlinks($1_ethereal_t)149 ')150 151 optional_policy(`152 nscd_socket_use($1_ethereal_t)153 ')154 155 # Manual transition from userhelper156 optional_policy(`157 userhelper_use_user_fd($1,$1_ethereal_t)158 userhelper_sigchld_user($1,$1_ethereal_t)159 ')160 161 optional_policy(`162 xserver_user_x_domain_template($1,$1_ethereal,$1_ethereal_t,$1_ethereal_tmpfs_t)163 xserver_create_xdm_tmp_sockets($1_ethereal_t)164 ')165 166 ifdef(`TODO',`167 # Why does it write this?168 optional_policy(`169 dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;170 ')171 #TODO172 gnome_application($1_ethereal, $1)173 gnome_file_dialog($1_ethereal, $1)174 # FIXME: policy is incomplete175 ')176 177 ')178 179 #######################################180 ## <summary>181 ## The administrative functions template for the ethereal module.182 ## </summary>183 ## <desc>184 ## <p>185 ## This template creates rules for administrating ethereal,186 ## allowing the specified user to manage ethereal files.187 ## </p>188 ## </desc>189 ## <param 
name="userdomain_prefix">190 ## <summary>191 ## The prefix of the user domain (e.g., user192 ## is the prefix for user_t).193 ## </summary>194 ## </param>195 #196 template(`ethereal_admin_template',`197 gen_require(`198 type $1_ethereal_t;199 ')200 201 # Create various types of sockets202 allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms;203 allow $1_ethereal_t self:udp_socket create_socket_perms;204 allow $1_ethereal_t self:packet_socket create_socket_perms;205 allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;206 allow $1_ethereal_t self:tcp_socket create_socket_perms;207 208 userdom_use_user_terminals($1,$1_ethereal_t)209 # Ethereal tries to write to user terminal210 userdom_dontaudit_use_user_terminals($1,$1_ethereal_t)211 ')212 2 213 3 ############################################################ … … 275 65 ## </param> 276 66 # 277 template(`ethereal_domtrans_tethereal',`67 interface(`ethereal_domtrans_tethereal',` 278 68 gen_require(` 279 69 type tethereal_t, tethereal_exec_t; branches/rbacsep/policy/modules/apps/evolution.if
r2724 r2726 1 1 ## <summary>Evolution email client</summary> 2 3 #######################################4 ## <summary>5 ## The per role template for the evolution module.6 ## </summary>7 ## <desc>8 ## <p>9 ## This template creates a derived domains which are used10 ## for evolution email client and other related evolution applications such as webcal and alarm11 ## type is also created to protect the user evolution keys.12 ## </p>13 ## <p>14 ## This template is invoked automatically for each user, and15 ## generally does not need to be invoked directly16 ## by policy writers.17 ## </p>18 ## </desc>19 ## <param name="userdomain_prefix">20 ## <summary>21 ## The prefix of the user domain (e.g., user22 ## is the prefix for user_t).23 ## </summary>24 ## </param>25 ## <param name="user_domain">26 ## <summary>27 ## The type of the user domain.28 ## </summary>29 ## </param>30 ## <param name="user_role">31 ## <summary>32 ## The role associated with the user domain.33 ## </summary>34 ## </param>35 #36 template(`evolution_per_role_template',`37 38 ########################################39 #40 # Declarations41 #42 43 type $1_evolution_t;44 application_domain($1_evolution_t,evolution_exec_t)45 role $3 types $1_evolution_t;46 47 type $1_evolution_tmpfs_t;48 files_tmpfs_file($1_evolution_tmpfs_t)49 50 type $1_evolution_home_t alias $1_evolution_rw_t;51 files_poly_member($1_evolution_home_t)52 userdom_user_home_content($1,$1_evolution_home_t)53 54 type $1_evolution_orbit_tmp_t;55 files_tmp_file($1_evolution_orbit_tmp_t)56 57 type $1_evolution_alarm_t;58 application_domain($1_evolution_alarm_t,evolution_alarm_exec_t)59 role $3 types $1_evolution_alarm_t;60 61 type $1_evolution_alarm_tmpfs_t;62 files_tmpfs_file($1_evolution_alarm_tmpfs_t)63 64 type $1_evolution_alarm_orbit_tmp_t;65 files_tmp_file($1_evolution_alarm_orbit_tmp_t)66 67 type $1_evolution_exchange_t;68 application_domain($1_evolution_exchange_t,evolution_exchange_exec_t)69 role $3 types $1_evolution_exchange_t;70 71 type 
$1_evolution_exchange_tmpfs_t;72 files_tmpfs_file($1_evolution_exchange_tmpfs_t)73 74 type $1_evolution_exchange_tmp_t;75 files_tmp_file($1_evolution_exchange_tmp_t)76 77 type $1_evolution_exchange_orbit_tmp_t;78 files_tmp_file($1_evolution_exchange_orbit_tmp_t)79 80 type $1_evolution_server_t;81 application_domain($1_evolution_server_t,evolution_server_exec_t)82 role $3 types $1_evolution_server_t;83 84 type $1_evolution_server_orbit_tmp_t;85 files_tmp_file($1_evolution_server_orbit_tmp_t)86 87 type $1_evolution_webcal_t;88 application_domain($1_evolution_webcal_t,evolution_webcal_exec_t)89 role $3 types $1_evolution_webcal_t;90 91 type $1_evolution_webcal_tmpfs_t;92 files_tmpfs_file($1_evolution_webcal_tmpfs_t)93 94 type $1_orbit_tmp_t;95 files_tmp_file($1_orbit_tmp_t)96 97 ########################################98 #99 # Evolution local policy100 #101 102 allow $1_evolution_t self:capability { setuid setgid sys_nice };103 allow $1_evolution_t self:process { signal getsched setsched };104 allow $1_evolution_t self:fifo_file rw_file_perms;105 allow $1_evolution_t self:tcp_socket create_socket_perms;106 allow $1_evolution_t self:udp_socket create_socket_perms;107 108 allow $1_evolution_t $1_evolution_alarm_t:dir search_dir_perms;109 allow $1_evolution_t $1_evolution_alarm_t:file read;110 111 allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto;112 allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write;113 114 can_exec($1_evolution_t,evolution_alarm_exec_t)115 116 allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto;117 allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write;118 119 allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms;120 allow $1_evolution_t $1_evolution_home_t:file manage_file_perms;121 allow $1_evolution_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;122 123 allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;124 allow $1_evolution_t 
$1_evolution_orbit_tmp_t:file manage_file_perms;125 files_tmp_filetrans($1_evolution_t,$1_evolution_orbit_tmp_t,{ dir file })126 127 allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;128 allow $1_evolution_server_t $1_evolution_orbit_tmp
