Changeset 2727

Show
Ignore:
Timestamp:
06/20/08 13:45:47 (4 months ago)
Author:
cpebenito
Message:

rbacsep: a whole slew of fixes.

Files:

Legend:

Unmodified
Added
Removed
Modified
Copied
Moved

  • branches/rbacsep/policy/modules/admin/sudo.te

    r2720 r2727  
    7676userdom_use_user_terminals(sudo_t) 
    7777# for some PAM modules and for cwd 
    78 userdom_dontaudit_search_all_users_home_content(sudo_t) 
     78userdom_dontaudit_search_user_home_content(sudo_t) 

  • branches/rbacsep/policy/modules/admin/updfstab.te

    r2724 r2727  
    8080seutil_read_file_contexts(updfstab_t) 
    8181 
    82 userdom_dontaudit_search_all_users_home_content(updfstab_t) 
     82userdom_dontaudit_search_user_home_content(updfstab_t) 
    8383userdom_dontaudit_use_unpriv_user_fds(updfstab_t) 
    8484 

  • branches/rbacsep/policy/modules/admin/usermanage.te

    r2675 r2727  
    123123# user generally runs this from their home directory, so do not audit a search 
    124124# on user home dir 
    125 userdom_dontaudit_search_all_users_home_content(chfn_t) 
     125userdom_dontaudit_search_user_home_content(chfn_t) 
    126126 
    127127######################################## 
     
    335335# user generally runs this from their home directory, so do not audit a search 
    336336# on user home dir 
    337 userdom_dontaudit_search_all_users_home_content(passwd_t) 
     337userdom_dontaudit_search_user_home_content(passwd_t) 
    338338 
    339339optional_policy(` 
     
    422422# user generally runs this from their home directory, so do not audit a search 
    423423# on user home dir 
    424 userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t) 
     424userdom_dontaudit_search_user_home_content(sysadm_passwd_t) 
    425425 
    426426optional_policy(` 

  • branches/rbacsep/policy/modules/admin/vpn.te

    r2724 r2727  
    108108 
    109109userdom_use_all_users_fds(vpnc_t) 
    110 userdom_dontaudit_search_all_users_home_content(vpnc_t) 
     110userdom_dontaudit_search_user_home_content(vpnc_t) 
    111111 
    112112optional_policy(` 

  • branches/rbacsep/policy/modules/apps/ethereal.te

    r2724 r2727  
    9494 
    9595userdom_manage_user_home_content_files(ethereal_t) 
     96userdom_use_user_terminals(ethereal_t) 
    9697 
    9798tunable_policy(`use_nfs_home_dirs',` 

  • branches/rbacsep/policy/modules/apps/screen.if

    r2726 r2727  
    4545        corecmd_bin_domtrans(screen_t, $2) 
    4646 
    47         userdom_user_home_domtrans($1,screen_t,$2) 
     47        userdom_user_home_domtrans(screen_t,$2) 
    4848         
    4949        tunable_policy(`use_samba_home_dirs',` 

  • branches/rbacsep/policy/modules/apps/webalizer.te

    r2553 r2727  
    8585 
    8686userdom_use_unpriv_users_fds(webalizer_t) 
    87 userdom_dontaudit_search_all_users_home_content(webalizer_t) 
     87userdom_dontaudit_search_user_home_content(webalizer_t) 
    8888 
    8989apache_read_log(webalizer_t) 

  • branches/rbacsep/policy/modules/roles/auditadm.if

    r2668 r2727  
    33######################################## 
    44## <summary> 
    5 ##      Change to the generic user role. 
     5##      Change to the audit administrator role. 
    66## </summary> 
    7 ## <param name="prefix"> 
     7## <param name="role"> 
    88##      <summary> 
    9 ##      The prefix of the user role (e.g., user 
    10 ##      is the prefix for user_r). 
     9##      Role allowed access. 
    1110##      </summary> 
    1211## </param> 
    1312## <rolecap/> 
    1413# 
    15 template(`auditadm_role_change_template',` 
    16         userdom_role_change_template($1, auditadm) 
     14interface(`auditadm_role_change',` 
     15        gen_require(` 
     16                role auditadm_r; 
     17        ') 
     18 
     19        allow $1 auditadm_r; 
    1720') 
    1821 
    1922######################################## 
    2023## <summary> 
    21 ##      Change from the generic user role. 
     24##      Change from the audit administrator role. 
    2225## </summary> 
    2326## <desc> 
    2427##      <p> 
    25 ##      Change from the generic user role to 
     28##      Change from the audit administrator role to 
    2629##      the specified role. 
    2730##      </p> 
    2831##      <p> 
    29 ##      This is a template to support third party modules 
     32##      This is an interface to support third party modules 
    3033##      and its use is not allowed in upstream reference 
    3134##      policy. 
    3235##      </p> 
    3336## </desc> 
    34 ## <param name="prefix"> 
     37## <param name="role"> 
    3538##      <summary> 
    36 ##      The prefix of the user role (e.g., user 
    37 ##      is the prefix for user_r). 
     39##      Role allowed access. 
    3840##      </summary> 
    3941## </param> 
    4042## <rolecap/> 
    4143# 
    42 template(`auditadm_role_change_to_template',` 
    43         userdom_role_change_template(auditadm, $1) 
     44interface(`auditadm_role_change_to',` 
     45        gen_require(` 
     46                role auditadm_r; 
     47        ') 
     48 
     49        allow auditadm_r $1; 
    4450') 
    45  

  • branches/rbacsep/policy/modules/roles/auditadm.te

    r2689 r2727  
    137137 
    138138optional_policy(` 
    139         secadm_role_change_template(auditadm
     139        secadm_role_change(auditadm_r
    140140') 
    141141 
     
    149149 
    150150optional_policy(` 
    151         sysadm_role_change_template(auditadm
     151        sysadm_role_change(auditadm_r
    152152        sysadm_dontaudit_read_home_content_files(auditadm_t) 
    153153') 

  • branches/rbacsep/policy/modules/roles/secadm.if

    r2668 r2727  
    33######################################## 
    44## <summary> 
    5 ##      Change to the generic user role. 
     5##      Change to the security administrator role. 
    66## </summary> 
    7 ## <param name="prefix"> 
     7## <param name="role"> 
    88##      <summary> 
    9 ##      The prefix of the user role (e.g., user 
    10 ##      is the prefix for user_r). 
     9##      Role allowed access. 
    1110##      </summary> 
    1211## </param> 
    1312## <rolecap/> 
    1413# 
    15 template(`secadm_role_change_template',` 
    16         userdom_role_change_template($1, secadm) 
     14interface(`secadm_role_change',` 
     15        gen_require(` 
     16                role secadm_r; 
     17        ') 
     18 
     19        allow $1 secadm_r; 
    1720') 
    1821 
    1922######################################## 
    2023## <summary> 
    21 ##      Change from the generic user role. 
     24##      Change from the security administrator role. 
    2225## </summary> 
    2326## <desc> 
    2427##      <p> 
    25 ##      Change from the generic user role to 
     28##      Change from the security administrator role to 
    2629##      the specified role. 
    2730##      </p> 
    2831##      <p> 
    29 ##      This is a template to support third party modules 
     32##      This is an interface to support third party modules 
    3033##      and its use is not allowed in upstream reference 
    3134##      policy. 
    3235##      </p> 
    3336## </desc> 
    34 ## <param name="prefix"> 
     37## <param name="role"> 
    3538##      <summary> 
    36 ##      The prefix of the user role (e.g., user 
    37 ##      is the prefix for user_r). 
     39##      Role allowed access. 
    3840##      </summary> 
    3941## </param> 
    4042## <rolecap/> 
    4143# 
    42 template(`secadm_role_change_to_template',` 
    43         userdom_role_change_template(secadm, $1) 
     44interface(`secadm_role_change_to_template',` 
     45        gen_require(` 
     46                role secadm_r; 
     47        ') 
     48 
     49        allow secadm_r $1; 
    4450') 
    4551 

  • branches/rbacsep/policy/modules/roles/secadm.te

    r2689 r2727  
    4949 
    5050optional_policy(` 
    51         auditadm_role_change_template(secadm
     51        auditadm_role_change(secadm_r
    5252') 
    5353 
     
    161161 
    162162optional_policy(` 
    163         sysadm_role_change_template(secadm
     163        sysadm_role_change(secadm_r
    164164        sysadm_dontaudit_read_home_content_files(secadm_t) 
    165165') 

  • branches/rbacsep/policy/modules/roles/staff.if

    r2668 r2727  
    55##      Change to the staff role. 
    66## </summary> 
    7 ## <param name="prefix"> 
     7## <param name="role"> 
    88##      <summary> 
    9 ##      The prefix of the user role (e.g., user 
    10 ##      is the prefix for user_r). 
     9##      Role allowed access. 
    1110##      </summary> 
    1211## </param> 
    1312## <rolecap/> 
    1413# 
    15 template(`staff_role_change_template',` 
    16         userdom_role_change_template($1, staff) 
     14interface(`staff_role_change',` 
     15        gen_require(` 
     16                role staff_r; 
     17        ') 
     18 
     19        allow staff_r $1; 
    1720') 
    1821 
     
    2730##      </p> 
    2831##      <p> 
    29 ##      This is a template to support third party modules 
     32##      This is an interface to support third party modules 
    3033##      and its use is not allowed in upstream reference 
    3134##      policy. 
    3235##      </p> 
    3336## </desc> 
    34 ## <param name="prefix"> 
     37## <param name="role"> 
    3538##      <summary> 
    36 ##      The prefix of the user role (e.g., user 
    37 ##      is the prefix for user_r). 
     39##      Role allowed access. 
    3840##      </summary> 
    3941## </param> 
    4042## <rolecap/> 
    4143# 
    42 template(`staff_role_change_to_template',` 
    43         userdom_role_change_template(staff, $1) 
     44interface(`staff_role_change_to',` 
     45        gen_require(` 
     46                role staff_r; 
     47        ') 
     48 
     49        allow $1 staff_r; 
    4450') 
    4551 

  • branches/rbacsep/policy/modules/roles/staff.te

    r2689 r2727  
    2121 
    2222optional_policy(` 
    23         auditadm_role_change_template(staff
     23        auditadm_role_change(staff_r
    2424') 
    2525 
     
    109109 
    110110optional_policy(` 
    111         secadm_role_change_template(staff
     111        secadm_role_change(staff_r
    112112') 
    113113 
     
    129129 
    130130optional_policy(` 
    131         sysadm_role_change_template(staff
     131        sysadm_role_change(staff_r
    132132        sysadm_dontaudit_use_terms(staff_t) 
    133133') 

  • branches/rbacsep/policy/modules/roles/sysadm.if

    r2668 r2727  
    33######################################## 
    44## <summary> 
    5 ##      Change to the generic user role. 
    6 ## </summary> 
    7 ## <param name="prefix"> 
    8 ##      <summary> 
    9 ##      The prefix of the user role (e.g., user 
    10 ##      is the prefix for user_r). 
     5##      Change to the system administrator role. 
     6## </summary> 
     7## <param name="role"> 
     8##      <summary> 
     9##      Role allowed access. 
    1110##      </summary> 
    1211## </param> 
    1312## <rolecap/> 
    1413# 
    15 template(`sysadm_role_change_template',` 
    16         userdom_role_change_template($1, sysadm) 
    17 ') 
    18  
    19 ######################################## 
    20 ## <summary> 
    21 ##      Change from the generic user role. 
     14interface(`sysadm_role_change',` 
     15        gen_require(` 
     16                role sysadm_r; 
     17        ') 
     18 
     19        allow $1 sysadm_r; 
     20') 
     21 
     22######################################## 
     23## <summary> 
     24##      Change from the system administrator role. 
    2225## </summary> 
    2326## <desc> 
    2427##      <p> 
    25 ##      Change from the generic user role to 
     28##      Change from the system administrator role to 
    2629##      the specified role. 
    2730##      </p> 
    2831##      <p> 
    29 ##      This is a template to support third party modules 
     32##      This is an interface to support third party modules 
    3033##      and its use is not allowed in upstream reference 
    3134##      policy. 
    3235##      </p> 
    3336## </desc> 
    34 ## <param name="prefix"> 
    35 ##      <summary> 
    36 ##      The prefix of the user role (e.g., user 
    37 ##      is the prefix for user_r). 
     37## <param name="role"> 
     38##      <summary> 
     39##      Role allowed access. 
    3840##      </summary> 
    3941## </param> 
    4042## <rolecap/> 
    4143# 
    42 template(`sysadm_role_change_to_template',` 
    43         userdom_role_change_template(sysadm, $1) 
     44interface(`sysadm_role_change_to',` 
     45        gen_require(` 
     46                role sysadm_r; 
     47        ') 
     48 
     49        allow sysadm_r $1; 
    4450') 
    4551 

  • branches/rbacsep/policy/modules/roles/sysadm.te

    r2705 r2727  
    3535# For sending reboot and wall messages 
    3636userdom_use_unpriv_users_ptys(sysadm_t) 
    37 userdom_use_unpriv_users_ttys(sysadm_t) 
     37userdom_use_user_ttys(sysadm_t) 
    3838 
    3939ifdef(`direct_sysadm_daemon',` 
     
    8080 
    8181optional_policy(` 
    82         auditadm_role_change_template(sysadm
     82        auditadm_role_change(sysadm_r
    8383') 
    8484 
     
    156156        ethereal_role(sysadm_r, sysadm_t) 
    157157        ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) 
    158         ethereal_admin_template(sysadm) 
    159158') 
    160159 
     
    258257 
    259258optional_policy(` 
    260         mta_admin_template(sysadm, sysadm_t) 
    261259        mta_role(sysadm_r, sysadm_t) 
    262260') 
     
    340338 
    341339optional_policy(` 
    342         secadm_role_change_template(sysadm
     340        secadm_role_change(sysadm_r
    343341') 
    344342 
     
    357355 
    358356optional_policy(` 
    359         staff_role_change_template(sysadm
     357        staff_role_change(sysadm_r
    360358') 
    361359 
     
    405403        unprivuser_home_filetrans_home_dir(sysadm_t) 
    406404 
    407         unprivuser_role_change_template(sysadm
     405        unprivuser_role_change(sysadm_r
    408406') 
    409407 

  • branches/rbacsep/policy/modules/roles/unprivuser.if

    r2668 r2727  
    55##      Change to the generic user role. 
    66## </summary> 
    7 ## <param name="prefix"> 
    8 ##      <summary> 
    9 ##      The prefix of the user role (e.g., user 
    10 ##      is the prefix for user_r). 
     7## <param name="role"> 
     8##      <summary> 
     9##      Role allowed access. 
    1110##      </summary> 
    1211## </param> 
    1312## <rolecap/> 
    1413# 
    15 template(`unprivuser_role_change_template',` 
    16         userdom_role_change_template($1, user) 
     14interface(`unprivuser_role_change',` 
     15        gen_require(` 
     16                role user_r; 
     17        ') 
     18 
     19        allow $1 user_r; 
    1720') 
    1821 
     
    2730##      </p> 
    2831##      <p> 
    29 ##      This is a template to support third party modules 
     32##      This is an interface to support third party modules 
    3033##      and its use is not allowed in upstream reference 
    3134##      policy. 
    3235##      </p> 
    3336## </desc> 
    34 ## <param name="prefix"> 
    35 ##      <summary> 
    36 ##      The prefix of the user role (e.g., user 
    37 ##      is the prefix for user_r). 
     37## <param name="role"> 
     38##      <summary> 
     39##      Role allowed access. 
    3840##      </summary> 
    3941## </param> 
    4042## <rolecap/> 
    4143# 
    42 template(`unprivuser_role_change_to_template',` 
    43         userdom_role_change_template(user, $1) 
     44interface(`unprivuser_role_change_to',` 
     45        gen_require(` 
     46                role user_r; 
     47        ') 
     48 
     49        allow user_r $1; 
    4450') 
    4551 

  • branches/rbacsep/policy/modules/services/apm.te

    r2724 r2727  
    140140 
    141141userdom_dontaudit_use_unpriv_user_fds(apmd_t) 
    142 userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive? 
     142userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? 
    143143 
    144144sysadm_dontaudit_search_home_dirs(apmd_t) 

  • branches/rbacsep/policy/modules/services/cron.if

    r2726 r2727  
    3636        allow $1_t self:capability { fowner setuid setgid chown dac_override }; 
    3737        allow $1_t self:process signal_perms; 
    38  
    39         # Allow crond to read those crontabs in cron spool. 
    40         allow crond_t $1_cron_spool_t:file manage_file_perms; 
    4138 
    4239        allow $1_t $1_tmp_t:file manage_file_perms; 
     
    7370        seutil_read_config($1_t) 
    7471 
    75         userdom_manage_user_tmp_dirs($1,$1_t) 
    76         userdom_manage_user_tmp_files($1,$1_t) 
     72        userdom_manage_user_tmp_dirs($1_t) 
     73        userdom_manage_user_tmp_files($1_t) 
    7774        # Access terminals. 
    78         userdom_use_user_terminals($1,$1_t) 
     75        userdom_use_user_terminals($1_t) 
    7976        # Read user crontabs 
    80         userdom_read_user_home_content_files($1,$1_t) 
     77        userdom_read_user_home_content_files($1_t) 
    8178 
    8279        tunable_policy(`fcron_crond',` 
     
    112109        # cronjob shows up in user ps 
    113110        ps_process_pattern($2, cronjob_t) 
     111 
     112        # Transition from the user domain to the derived domain. 
     113        domtrans_pattern($2, crontab_exec_t, crontab_t) 
     114 
     115        # crontab shows up in user ps 
     116        ps_process_pattern($2, crontab_t) 
     117        allow $2 crontab_t:process signal; 
     118 
     119        # Run helper programs as the user domain 
     120        corecmd_bin_domtrans(crontab_t, $2) 
     121        corecmd_shell_domtrans(crontab_t, $2) 
     122 
     123        optional_policy(` 
     124                dbus_stub(cronjob_t) 
     125 
     126                allow cronjob_t $2:dbus send_msg; 
     127        ')               
     128') 
     129 
     130######################################## 
     131## <summary> 
     132##      Role access for unconfined cronjobs 
     133## </summary> 
     134## <param name="role"> 
     135##      <summary> 
     136##      Role allowed access 
     137##      </summary> 
     138## </param> 
     139## <param name="domain"> 
     140##      <summary> 
     141##      User domain for the role 
     142##      </summary> 
     143## </param> 
     144# 
     145interface(`cron_unconfined_role',` 
     146 
     147        role $1 types { unconfined_cronjob_t crontab_t crontab_tmp_t }; 
     148 
     149        # cronjob shows up in user ps 
     150        ps_process_pattern($2, unconfined_cronjob_t) 
    114151 
    115152        # Transition from the user domain to the derived domain. 

  • branches/rbacsep/policy/modules/services/cron.te

    r2724 r2727  
    576576        nis_use_ypbind(cronjob_t) 
    577577') 
     578 
     579######################################## 
     580# 
     581# Unconfined cronjobs local policy 
     582# 
     583 
     584optional_policy(` 
     585        type unconfined_cronjob_t; 
     586        unconfined_domain(unconfined_cronjob_t) 
     587') 

  • branches/rbacsep/policy/modules/services/cups.te

    r2724 r2727  
    224224 
    225225userdom_dontaudit_use_unpriv_user_fds(cupsd_t) 
    226 userdom_dontaudit_search_all_users_home_content(cupsd_t) 
     226userdom_dontaudit_search_user_home_content(cupsd_t) 
    227227 
    228228# Write to /var/spool/cups. 
     
    563563 
    564564userdom_dontaudit_use_unpriv_user_fds(hplip_t) 
    565 userdom_dontaudit_search_all_users_home_content(hplip_t) 
     565userdom_dontaudit_search_user_home_content(hplip_t) 
    566566 
    567567lpd_read_config(cupsd_t) 
     
    639639 
    640640userdom_dontaudit_use_unpriv_user_fds(ptal_t) 
    641 userdom_dontaudit_search_all_users_home_content(ptal_t) 
     641userdom_dontaudit_search_user_home_content(ptal_t) 
    642642 
    643643optional_policy(` 

  • branches/rbacsep/policy/modules/services/exim.te

    r2675 r2727  
    112112tunable_policy(`exim_read_user_files',` 
    113113        userdom_read_unpriv_users_home_content_files(exim_t) 
    114         userdom_read_unpriv_users_tmp_files(exim_t) 
     114        userdom_read_user_tmp_files(exim_t) 
    115115') 
    116116 
    117117tunable_policy(`exim_manage_user_files',` 
    118118        userdom_manage_unpriv_users_home_content_dirs(exim_t) 
    119         userdom_read_unpriv_users_tmp_files(exim_t) 
    120         userdom_write_unpriv_users_tmp_files(exim_t) 
     119        userdom_read_user_tmp_files(exim_t) 
     120        userdom_write_user_tmp_files(exim_t) 
    121121') 

  • branches/rbacsep/policy/modules/services/mta.if

    r2726 r2727  
    138138######################################## 
    139139## <summary> 
    140 ##      Provide extra permissions for admin users 
    141 ##      mail domain. 
    142 ## </summary> 
    143 ## <param name="userdomain_prefix"> 
    144 ##      <summary> 
    145 ##      The prefix of the user domain (e.g., user 
    146 ##      is the prefix for user_t). 
    147 ##      </summary> 
    148 ## </param> 
    149 ## <param name="user_domain"> 
    150 ##      <summary> 
    151 ##      The type of the user domain. 
    152 ##      </summary> 
    153 ## </param> 
    154 ## <rolecap/> 
    155 # 
    156 template(`mta_admin_template',` 
    157         gen_require(` 
    158                 type $1_mail_t; 
    159         ') 
    160  
    161         # allow the sysadmin to do "mail someone < /home/user/whatever" 
    162         userdom_read_unpriv_users_home_content_files($1_mail_t) 
    163  
    164         optional_policy(` 
    165                 gen_require(` 
    166                         attribute mta_user_agent; 
    167                         type etc_aliases_t; 
    168                 ') 
    169  
    170                 allow mta_user_agent $2:fifo_file { read write }; 
    171  
    172                 manage_dirs_pattern($1_mail_t,etc_aliases_t,etc_aliases_t) 
    173                 manage_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t) 
    174                 manage_lnk_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t) 
    175                 manage_fifo_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t) 
    176                 manage_sock_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t) 
    177                 files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file }) 
    178  
    179                 # postfix needs this for newaliases 
    180                 files_getattr_tmp_dirs($1_mail_t) 
    181  
    182                 postfix_exec_master($1_mail_t) 
    183  
    184                 ifdef(`distro_redhat',` 
    185                         # compatability for old default main.cf 
    186                         postfix_config_filetrans($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file }) 
    187                 ') 
    188         ') 
    189 ') 
    190  
    191 ######################################## 
    192 ## <summary> 
    193140##      Role access for mta 
    194141## </summary> 
     
    216163        allow $2 sendmail_exec_t:lnk_file { getattr read }; 
    217164 
    218         allow mta_user_agent $1:fd use; 
    219         allow mta_user_agent $1:process sigchld; 
    220         allow mta_user_agent $1:fifo_file { read write }; 
     165        allow mta_user_agent $2:fd use; 
     166        allow mta_user_agent $2:process sigchld; 
     167        allow mta_user_agent $2:fifo_file { read write }; 
    221168') 
    222169 

  • branches/rbacsep/policy/modules/services/mta.te

    r2720 r2727  
    131131 
    132132optional_policy(` 
    133         userdom_dontaudit_use_unpriv_users_ptys(system_mail_t) 
     133        userdom_dontaudit_use_user_ptys(system_mail_t) 
    134134 
    135135        optional_policy(` 

  • branches/rbacsep/policy/modules/services/networkmanager.te

    r2724 r2727  
    110110 
    111111userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) 
    112 userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) 
     112userdom_dontaudit_use_user_ttys(NetworkManager_t) 
    113113# Read gnome-keyring 
    114114userdom_read_unpriv_users_home_content_files(NetworkManager_t) 

  • branches/rbacsep/policy/modules/services/rhgb.te

    r2724 r2727  
    112112 
    113113userdom_dontaudit_use_unpriv_user_fds(rhgb_t) 
    114 userdom_dontaudit_search_all_users_home_content(rhgb_t) 
     114userdom_dontaudit_search_user_home_content(rhgb_t) 
    115115 
    116116sysadm_dontaudit_search_home_dirs(rhgb_t) 

  • branches/rbacsep/policy/modules/services/rpc.te

    r2675 r2727  
    166166 
    167167tunable_policy(`allow_gssd_read_tmp',` 
    168         userdom_list_unpriv_users_tmp(gssd_t)  
    169         userdom_read_unpriv_users_tmp_files(gssd_t)  
    170         userdom_read_unpriv_users_tmp_symlinks(gssd_t)  
     168        userdom_list_user_tmp(gssd_t)  
     169        userdom_read_user_tmp_files(gssd_t)  
     170        userdom_read_user_tmp_symlinks(gssd_t)  
    171171') 
    172172 

  • branches/rbacsep/policy/modules/services/spamassassin.if

    r2726 r2727  
    112112        ') 
    113113 
    114         domtrans_pattern($1, spamc_exec_t, $1_spamc_t) 
     114        domtrans_pattern($1, spamc_exec_t, spamc_t) 
    115115') 
    116116 

  • branches/rbacsep/policy/modules/services/ssh.if

    r2726 r2727  
    259259        sysnet_read_config($1_t) 
    260260 
    261         userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) 
     261        userdom_dontaudit_relabelfrom_user_ptys($1_t) 
    262262        userdom_search_all_users_home_dirs($1_t) 
    263263 
     
    329329 
    330330        # user can manage the keys and config 
    331         manage_files_pattern($2,home_ssh_t,home_ssh_t) 
    332         manage_lnk_files_pattern($2,home_ssh_t,home_ssh_t) 
    333         manage_sock_files_pattern($2,home_ssh_t,home_ssh_t) 
     331        manage_files_pattern($2, home_ssh_t, home_ssh_t) 
     332        manage_lnk_files_pattern($2, home_ssh_t, home_ssh_t) 
     333        manage_sock_files_pattern($2, home_ssh_t, home_ssh_t) 
    334334 
    335335        domtrans_pattern($2, ssh_agent_exec_t, ssh_agent_t) 
     
    348348 
    349349        # for the transition back to normal privs upon exec 
    350         userdom_user_home_domtrans($1,ssh_agent_t,$2) 
     350        userdom_user_home_domtrans(ssh_agent_t,$2) 
    351351        allow $2 ssh_agent_t:fd use; 
    352352        allow $2 ssh_agent_t:fifo_file rw_file_perms; 

  • branches/rbacsep/policy/modules/services/ssh.te

    r2724 r2727  
    389389 
    390390        userdom_setattr_unpriv_users_ptys(sshd_t) 
    391         userdom_relabelto_unpriv_users_ptys(sshd_t) 
     391        userdom_relabelto_user_ptys(sshd_t) 
    392392        userdom_use_unpriv_users_ptys(sshd_t) 
    393393') 

  • branches/rbacsep/policy/modules/services/xserver.if

    r2726 r2727  
    229229template(`xserver_common_x_domain_template',` 
    230230        gen_require(` 
    231                 type rootwindow_t, std_xext_t, shmem_xext_t; 
     231                type xserver_t, rootwindow_t, std_xext_t, shmem_xext_t; 
    232232                type xproperty_t, info_xproperty_t, clipboard_xproperty_t; 
    233233                type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; 
     
    235235                type clipboard_xselection_t, xselection_t; 
    236236 
    237                 attribute x_server_domain, x_domain; 
     237                attribute x_domain; 
    238238                attribute xproperty_type; 
    239239                attribute xevent_type, xextension_type; 
     
    284284        # everyone can get the input focus of everyone else 
    285285        # this is a fundamental brokenness in the X protocol 
    286         allow $2 { x_domain x_server_domain }:x_device getfocus; 
     286        allow $2 { x_domain xserver_t }:x_device getfocus; 
    287287        # everyone can grab the server 
    288288        # everyone does it, it is basically a free DOS attack 
    289         allow $2 x_server_domain:x_server grab; 
     289        allow $2 xserver_t:x_server grab; 
    290290        # everyone can get the font path, etc. 
    291291        # this could leak out sensitive information 
    292         allow $2 x_server_domain:x_server getattr; 
     292  &