Changeset 2756
- Timestamp:
- 07/09/08 13:11:38 (5 months ago)
- Files:
-
- branches/rbacsep/policy/modules/apps/cdrecord.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/evolution.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/screen.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/cron.if (modified) (5 diffs)
- branches/rbacsep/policy/modules/services/cron.te (modified) (3 diffs)
- branches/rbacsep/policy/modules/services/dbus.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/ssh.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/xserver.if (modified) (4 diffs)
- branches/rbacsep/policy/modules/services/xserver.te (modified) (1 diff)
- branches/rbacsep/policy/modules/system/unconfined.te (modified) (1 diff)
- branches/rbacsep/policy/modules/system/userdomain.if (modified) (4 diffs)
- branches/rbacsep/policy/modules/system/userdomain.te (modified) (2 diffs)
branches/rbacsep/policy/modules/apps/cdrecord.te
r2724 r2756 17 17 18 18 type cdrecord_t; 19 type cdrecord_exec_t; 19 20 application_domain(cdrecord_t, cdrecord_exec_t) 20 21 type cdrecord_exec_t;22 application_executable_file(cdrecord_exec_t)23 21 24 22 ######################################## branches/rbacsep/policy/modules/apps/evolution.if
r2726 r2756 24 24 type evolution_alarm_tmpfs_t, evolution_alarm_orbit_tmp_t; 25 25 type evolution_exchange_t, evolution_exchange_exec_t; 26 type evolution_exchange_tmpfs_t, $1_evolution_exchange_tmp_t;26 type evolution_exchange_tmpfs_t, evolution_exchange_tmp_t; 27 27 type evolution_exchange_orbit_tmp_t; 28 28 type evolution_server_t, evolution_server_exec_t; branches/rbacsep/policy/modules/apps/screen.if
r2738 r2756 24 24 template(`screen_role_template',` 25 25 gen_require(` 26 type screen_dir_t, screen_exec_t; 26 type screen_dir_t, screen_exec_t, screen_tmp_t; 27 type screen_home_t, screen_var_run_t; 27 28 ') 28 29 branches/rbacsep/policy/modules/services/cron.if
r2745 r2756 13 13 # 14 14 template(`cron_common_crontab_template',` 15 gen_require(`16 type crontab_exec_t, user_cron_spool_t;17 class dbus send_msg;18 ')19 20 15 ############################## 21 16 # … … 105 100 # 106 101 interface(`cron_role',` 102 gen_require(` 103 type cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; 104 ') 107 105 108 106 role $1 types { cronjob_t crontab_t crontab_tmp_t }; … … 147 145 # 148 146 interface(`cron_unconfined_role',` 147 gen_require(` 148 type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; 149 ') 149 150 150 151 role $1 types { unconfined_cronjob_t crontab_t crontab_tmp_t }; … … 167 168 168 169 optional_policy(` 169 dbus_stub( cronjob_t)170 171 allow cronjob_t $2:dbus send_msg;170 dbus_stub(unconfined_cronjob_t) 171 172 allow unconfined_cronjob_t $2:dbus send_msg; 172 173 ') 173 174 ') … … 191 192 gen_require(` 192 193 type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; 194 class passwd crontab; 193 195 ') 194 196 branches/rbacsep/policy/modules/services/cron.te
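Review bot: The `class dbus send_msg;` requirement removed from cron_common_crontab_template's gen_require is not carried over into the new gen_require blocks of cron_role or cron_unconfined_role, yet cron_unconfined_role still contains `allow unconfined_cronjob_t $2:dbus send_msg;` inside its optional_policy block. Unless dbus_stub() or the calling module already declares that class, the expanded module will reference a class it has not required; add `class dbus send_msg;` to cron_unconfined_role's gen_require (and to cron_role's if its body carries the same rule, which lies outside the hunk). The switch of that rule and of `dbus_stub()` from cronjob_t to unconfined_cronjob_t is consistent with the role's type list, which names unconfined_cronjob_t rather than cronjob_t.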
r2727 r2756 43 43 logging_log_file(cron_log_t) 44 44 45 type cronjob_t; 46 domain_type(cronjob_t) 47 domain_cron_exemption_target(cronjob_t) 48 corecmd_shell_entry_type(cronjob_t) 49 45 50 type crond_t; 46 51 type crond_exec_t; … … 80 85 ') 81 86 82 type cronjob_t; 83 domain_type(cronjob_t) 84 domain_cron_exemption_target(cronjob_t) 85 corecmd_shell_entry_type(cronjob_t) 87 type unconfined_cronjob_t; 88 domain_type(unconfined_cronjob_t) 86 89 87 90 # Type of user crontabs once moved to cron spool. … … 583 586 584 587 optional_policy(` 585 type unconfined_cronjob_t;586 588 unconfined_domain(unconfined_cronjob_t) 587 589 ') branches/rbacsep/policy/modules/services/dbus.if
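Review bot: `unconfined_cronjob_t` is now declared unconditionally with `domain_type()`, but unlike the adjacent `cronjob_t` block it gets no `corecmd_shell_entry_type()` or `domain_cron_exemption_target()`, and the only access visible for it on this page is `unconfined_domain(unconfined_cronjob_t)` in the later optional_policy block. When the unconfined module is absent the type therefore exists as a domain with no entry point shown here; if that is intended, a comment such as `# unconfined_cronjob_t only receives access from the unconfined optional_policy block below` would save the next reader from re-deriving it. Whether the entry-point and exemption rules are applied to it elsewhere cannot be checked from these hunks.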
r2753 r2756 44 44 45 45 attribute session_bus_type; 46 type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t ;46 type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; 47 47 ') 48 48 branches/rbacsep/policy/modules/services/ssh.if
r2752 r2756 311 311 template(`ssh_role_template',` 312 312 gen_require(` 313 attribute ssh_ agent_type;313 attribute ssh_server, ssh_agent_type; 314 314 315 315 type ssh_t, ssh_exec_t, ssh_tmpfs_t, home_ssh_t; 316 316 type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; 317 type ssh_agent_tmp_t; 317 318 ') 318 319 branches/rbacsep/policy/modules/services/xserver.if
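Review bot: `ssh_tmpfs_t` is required twice in ssh_role_template's gen_require, on the context lines `type ssh_t, ssh_exec_t, ssh_tmpfs_t, home_ssh_t;` and `type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;`; since this commit already edits that block, drop the second occurrence. The template body is outside the hunk, so whether the newly required `ssh_server` attribute is actually used there cannot be confirmed from this page.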
r2728 r2756 2 2 3 3 interface(`xserver_role',` 4 gen_require(` 5 type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; 6 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; 7 type iceauth_t, iceauth_exec_t, iceauth_home_t; 8 type xauth_t, xauth_exec_t, xauth_home_t; 9 10 type info_xproperty_t; 11 12 class x_drawable all_x_drawable_perms; 13 class x_screen all_x_screen_perms; 14 class x_gc all_x_gc_perms; 15 class x_font all_x_font_perms; 16 class x_colormap all_x_colormap_perms; 17 class x_property all_x_property_perms; 18 class x_selection all_x_selection_perms; 19 class x_cursor all_x_cursor_perms; 20 class x_client all_x_client_perms; 21 class x_device all_x_device_perms; 22 class x_server all_x_server_perms; 23 class x_extension all_x_extension_perms; 24 class x_resource all_x_resource_perms; 25 class x_event all_x_event_perms; 26 class x_synthetic_event all_x_synthetic_event_perms; 27 ') 4 28 5 29 domtrans_pattern($2, xserver_exec_t, xserver_t) … … 229 253 template(`xserver_common_x_domain_template',` 230 254 gen_require(` 255 type $1_xproperty_t, $1_input_xevent_t, $1_property_xevent_t; 256 type $1_focus_xevent_t, $1_manage_xevent_t, $1_default_xevent_t; 257 type $1_client_xevent_t; 258 231 259 type rootwindow_t, xproperty_t; 232 260 type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; … … 280 308 281 309 template(`xserver_object_types_template',` 310 gen_require(` 311 attribute xproperty_type, input_xevent_type, xevent_type; 312 ') 313 282 314 ############################## 283 315 # … … 325 357 type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; 326 358 ') 327 328 # Type attributes329 typeattribute $2 x_domain;330 359 331 360 allow $2 self:shm create_shm_perms; branches/rbacsep/policy/modules/services/xserver.te
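Review bot: The last hunk drops `typeattribute $2 x_domain;` from a template whose header is outside the hunk, and nothing else on this page adds $2 to x_domain, so the domain passed as $2 loses whatever access the x_domain attribute carries unless that assignment now happens in a caller or in xserver_common_x_domain_template. If it moved, a one-line comment at the removal site, `# x_domain membership is now assigned in <new location>`, would make the intent checkable; if it was dropped deliberately the reason belongs in the commit. Separately, the new gen_require in xserver_role lists the fifteen `class x_* all_x_*_perms;` declarations that this changeset also adds verbatim at the top of xserver.te; two copies will drift, so consider a single shared macro for the X class requirements.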
r2748 r2756 1 1 2 2 policy_module(xserver, 2.1.0) 3 4 gen_require(` 5 class x_drawable all_x_drawable_perms; 6 class x_screen all_x_screen_perms; 7 class x_gc all_x_gc_perms; 8 class x_font all_x_font_perms; 9 class x_colormap all_x_colormap_perms; 10 class x_property all_x_property_perms; 11 class x_selection all_x_selection_perms; 12 class x_cursor all_x_cursor_perms; 13 class x_client all_x_client_perms; 14 class x_device all_x_device_perms; 15 class x_server all_x_server_perms; 16 class x_extension all_x_extension_perms; 17 class x_resource all_x_resource_perms; 18 class x_event all_x_event_perms; 19 class x_synthetic_event all_x_synthetic_event_perms; 20 ') 3 21 4 22 ######################################## branches/rbacsep/policy/modules/system/unconfined.te
r2745 r2756 11 11 # have another method to add access to these types 12 12 userdom_base_user_template(unconfined) 13 userdom_manage_home_ template(unconfined)14 userdom_manage_tmp_ template(unconfined)15 userdom_manage_tmpfs_ template(unconfined)13 userdom_manage_home_role(unconfined_r, unconfined_t) 14 userdom_manage_tmp_role(unconfined_r, unconfined_t) 15 userdom_manage_tmpfs_role(unconfined_r, unconfined_t) 16 16 17 17 type unconfined_exec_t; branches/rbacsep/policy/modules/system/userdomain.if
r2746 r2756 40 40 allow system_r $1_r; 41 41 42 # XXX cjp: temporary hack 43 ifelse(`$1',`user',`',` 44 typealias user_devpts_t alias $1_devpts_t; 45 ') 42 46 term_user_pty($1_t, user_devpts_t) 43 47 role $1_r types user_devpts_t; 44 48 49 # XXX cjp: temporary hack 50 ifelse(`$1',`user',`',` 51 typealias user_tty_device_t alias $1_tty_device_t; 52 ') 45 53 term_user_tty($1_t, user_tty_device_t) 46 54 role $1_r types user_tty_device_t; … … 846 854 # Local policy 847 855 # 848 849 # privileged home directory writers850 manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)851 manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)852 manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)853 manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)854 manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)855 filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })856 856 857 857 optional_policy(` … … 1059 1059 template(`userdom_admin_user_template',` 1060 1060 gen_require(` 1061 attribute admin_terminal,privhome;1061 attribute privhome; 1062 1062 class passwd { passwd chfn chsh rootok }; 1063 1063 ') … … 2564 2564 interface(`userdom_manage_all_users_home_content_symlinks',` 2565 2565 gen_require(` 2566 attribute home_type;2566 type user_home_t, user_home_dir_t; 2567 2567 ') 2568 2568 branches/rbacsep/policy/modules/system/userdomain.te
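Review bot: The two `# XXX cjp: temporary hack` blocks add `typealias user_devpts_t alias $1_devpts_t;` and the tty_device_t counterpart for every role except `user`, but the comment does not say what the hack works around or when it can go; extend it to name the consumer that still expects the per-role alias, e.g. `# XXX cjp: temporary hack: keep $1_devpts_t for callers that still reference per-role pty types; remove once they use user_devpts_t`. The same section also deletes the privhome manage_*_pattern rules on $1_home_dir_t/$1_home_t while userdom_admin_user_template still requires `attribute privhome;`; the page does not show where privhome's access is now granted, so the new location (or the decision to drop it) should be stated in the commit. The final hunk narrows userdom_manage_all_users_home_content_symlinks from `attribute home_type` to `type user_home_t, user_home_dir_t`, which matches the interface's "all users" name only if no other home content types remain in this branch.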
r2745 r2756 82 82 files_mountpoint(user_home_t) 83 83 84 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };84 type user_devpts_t; # alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; 85 85 dev_node(user_devpts_t) 86 86 files_type(user_devpts_t) … … 95 95 userdom_user_home_content(user_tmpfs_t) 96 96 97 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };97 type user_tty_device_t; # alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; 98 98 dev_node(user_tty_device_t)
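Review bot: Both changed lines keep the old alias list as trailing commented-out code, `type user_devpts_t; # alias { staff_devpts_t ... }`, which will go stale; the per-role aliases are now produced by the `ifelse`/`typealias` hack in userdomain.if elsewhere in this changeset, so either delete the comment or replace it with `# per-role aliases (staff_devpts_t etc.) are created by the typealias hack in userdomain.if`. If the commented list is meant as a reminder of names that must stay resolvable, say so explicitly rather than leaving a dead declaration.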
