Changeset 2759

Timestamp:
07/11/08 14:01:14 (4 months ago)
Author:
cpebenito
Message:

rbacsep: begin adding ubac controls.

Files:

  • branches/rbacsep/policy/constraints

    r2758 r2759  
    5252# 
    5353 
    54 exempted_ubac_constraint(dir, ubacfilesubj
    55 exempted_ubac_constraint(file, ubacfilesubj
    56 exempted_ubac_constraint(lnk_file, ubacfilesubj
    57 exempted_ubac_constraint(fifo_file, ubacfilesubj
    58 exempted_ubac_constraint(sock_file, ubacfilesubj
    59 exempted_ubac_constraint(chr_file, ubacfilesubj
    60 exempted_ubac_constraint(blk_file, ubacfilesubj
     54exempted_ubac_constraint(dir, ubacfile
     55exempted_ubac_constraint(file, ubacfile
     56exempted_ubac_constraint(lnk_file, ubacfile
     57exempted_ubac_constraint(fifo_file, ubacfile
     58exempted_ubac_constraint(sock_file, ubacfile
     59exempted_ubac_constraint(chr_file, ubacfile
     60exempted_ubac_constraint(blk_file, ubacfile
    6161 
    6262# SElinux object identity change constraint: 
     
    7575( 
    7676        basic_ubac_conditions 
    77         or t1 == ubacprocsubj 
     77        or t1 == ubacproc 
    7878); 
    7979 
     
    115115# 
    116116 
    117 exempted_ubac_constraint(socket, ubacsocksubj
    118 exempted_ubac_constraint(tcp_socket, ubacsocksubj
    119 exempted_ubac_constraint(udp_socket, ubacsocksubj
    120 exempted_ubac_constraint(rawip_socket, ubacsocksubj
    121 exempted_ubac_constraint(netlink_socket, ubacsocksubj
    122 exempted_ubac_constraint(packet_socket, ubacsocksubj
    123 exempted_ubac_constraint(key_socket, ubacsocksubj
    124 exempted_ubac_constraint(unix_stream_socket, ubacsocksubj
    125 exempted_ubac_constraint(unix_dgram_socket, ubacsocksubj
    126 exempted_ubac_constraint(netlink_route_socket, ubacsocksubj
    127 exempted_ubac_constraint(netlink_firewall_socket, ubacsocksubj
    128 exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsocksubj
    129 exempted_ubac_constraint(netlink_nflog_socket, ubacsocksubj
    130 exempted_ubac_constraint(netlink_xfrm_socket, ubacsocksubj
    131 exempted_ubac_constraint(netlink_selinux_socket, ubacsocksubj
    132 exempted_ubac_constraint(netlink_audit_socket, ubacsocksubj
    133 exempted_ubac_constraint(netlink_ip6fw_socket, ubacsocksubj
    134 exempted_ubac_constraint(netlink_dnrt_socket, ubacsocksubj
    135 exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsocksubj
    136 exempted_ubac_constraint(appletalk_socket, ubacsocksubj
    137 exempted_ubac_constraint(dccp_socket, ubacsocksubj
     117exempted_ubac_constraint(socket, ubacsock
     118exempted_ubac_constraint(tcp_socket, ubacsock
     119exempted_ubac_constraint(udp_socket, ubacsock
     120exempted_ubac_constraint(rawip_socket, ubacsock
     121exempted_ubac_constraint(netlink_socket, ubacsock
     122exempted_ubac_constraint(packet_socket, ubacsock
     123exempted_ubac_constraint(key_socket, ubacsock
     124exempted_ubac_constraint(unix_stream_socket, ubacsock
     125exempted_ubac_constraint(unix_dgram_socket, ubacsock
     126exempted_ubac_constraint(netlink_route_socket, ubacsock
     127exempted_ubac_constraint(netlink_firewall_socket, ubacsock
     128exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock
     129exempted_ubac_constraint(netlink_nflog_socket, ubacsock
     130exempted_ubac_constraint(netlink_xfrm_socket, ubacsock
     131exempted_ubac_constraint(netlink_selinux_socket, ubacsock
     132exempted_ubac_constraint(netlink_audit_socket, ubacsock
     133exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock
     134exempted_ubac_constraint(netlink_dnrt_socket, ubacsock
     135exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock
     136exempted_ubac_constraint(appletalk_socket, ubacsock
     137exempted_ubac_constraint(dccp_socket, ubacsock
    138138 
    139139constrain socket_class_set { create relabelto relabelfrom }  
     
    147147# SysV IPC rules 
    148148 
    149 exempted_ubac_constraint(sem, ubacipcsubj
    150 exempted_ubac_constraint(msg, ubacipcsubj
    151 exempted_ubac_constraint(msgq, ubacipcsubj
    152 exempted_ubac_constraint(shm, ubacipcsubj
    153 exempted_ubac_constraint(ipc, ubacipcsubj
     149exempted_ubac_constraint(sem, ubacipc
     150exempted_ubac_constraint(msg, ubacipc
     151exempted_ubac_constraint(msgq, ubacipc
     152exempted_ubac_constraint(shm, ubacipc
     153exempted_ubac_constraint(ipc, ubacipc
    154154 
    155155######################################## 
     
    158158# 
    159159 
    160 exempted_ubac_constraint(x_drawable, ubacxwinsubj
    161 exempted_ubac_constraint(x_screen, ubacxwinsubj
    162 exempted_ubac_constraint(x_gc, ubacxwinsubj
    163 exempted_ubac_constraint(x_font, ubacxwinsubj
    164 exempted_ubac_constraint(x_colormap, ubacxwinsubj
    165 exempted_ubac_constraint(x_property, ubacxwinsubj
    166 exempted_ubac_constraint(x_selection, ubacxwinsubj
    167 exempted_ubac_constraint(x_cursor, ubacxwinsubj
    168 exempted_ubac_constraint(x_client, ubacxwinsubj
    169 exempted_ubac_constraint(x_device, ubacxwinsubj
    170 exempted_ubac_constraint(x_server, ubacxwinsubj
    171 exempted_ubac_constraint(x_extension, ubacxwinsubj
    172 exempted_ubac_constraint(x_resource, ubacxwinsubj
    173 exempted_ubac_constraint(x_event, ubacxwinsubj
    174 exempted_ubac_constraint(x_synthetic_event, ubacxwinsubj
    175 exempted_ubac_constraint(x_application_data, ubacxwinsubj
     160exempted_ubac_constraint(x_drawable, ubacxwin
     161exempted_ubac_constraint(x_screen, ubacxwin
     162exempted_ubac_constraint(x_gc, ubacxwin
     163exempted_ubac_constraint(x_font, ubacxwin
     164exempted_ubac_constraint(x_colormap, ubacxwin
     165exempted_ubac_constraint(x_property, ubacxwin
     166exempted_ubac_constraint(x_selection, ubacxwin
     167exempted_ubac_constraint(x_cursor, ubacxwin
     168exempted_ubac_constraint(x_client, ubacxwin
     169exempted_ubac_constraint(x_device, ubacxwin
     170exempted_ubac_constraint(x_server, ubacxwin
     171exempted_ubac_constraint(x_extension, ubacxwin
     172exempted_ubac_constraint(x_resource, ubacxwin
     173exempted_ubac_constraint(x_event, ubacxwin
     174exempted_ubac_constraint(x_synthetic_event, ubacxwin
     175exempted_ubac_constraint(x_application_data, ubacxwin
    176176 
    177177######################################## 
     
    180180# 
    181181 
    182 exempted_ubac_constraint(dbus, ubacdbussubj
     182exempted_ubac_constraint(dbus, ubacdbus
    183183 
    184184######################################## 
     
    187187# 
    188188 
    189 exempted_ubac_constraint(key, ubackeysubj
     189exempted_ubac_constraint(key, ubackey
    190190 
    191191######################################## 
     
    194194# 
    195195 
    196 exempted_ubac_constraint(db_database, ubacdbsubj
    197 exempted_ubac_constraint(db_table, ubacdbsubj
    198 exempted_ubac_constraint(db_procedure, ubacdbsubj
    199 exempted_ubac_constraint(db_column, ubacdbsubj
    200 exempted_ubac_constraint(db_tuple, ubacdbsubj
    201 exempted_ubac_constraint(db_blob, ubacdbsubj
     196exempted_ubac_constraint(db_database, ubacdb
     197exempted_ubac_constraint(db_table, ubacdb
     198exempted_ubac_constraint(db_procedure, ubacdb
     199exempted_ubac_constraint(db_column, ubacdb
     200exempted_ubac_constraint(db_tuple, ubacdb
     201exempted_ubac_constraint(db_blob, ubacdb
    202202 
    203203 
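--- a/branches/rbacsep/policy/modules/admin/su.if
+++ b/branches/rbacsep/policy/modules/admin/su.if
@@ -158,4 +158,5 @@
         domain_type($1_su_t)
         domain_interactive_fd($1_su_t)
+        ubac_constrained($1_su_t)
         role $2 types $1_su_t;
 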
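--- a/branches/rbacsep/policy/modules/admin/sudo.if
+++ b/branches/rbacsep/policy/modules/admin/sudo.if
@@ -43,4 +43,5 @@
         application_domain($1_sudo_t, sudo_exec_t)
         domain_interactive_fd($1_sudo_t)
+        ubac_constrained($1_sudo_t)
         role $2 types $1_sudo_t;
 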
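--- a/branches/rbacsep/policy/modules/apps/cdrecord.te
+++ b/branches/rbacsep/policy/modules/apps/cdrecord.te
@@ -19,4 +19,5 @@
 type cdrecord_exec_t;
 application_domain(cdrecord_t, cdrecord_exec_t)
+ubac_constrained(cdrecord_t)
 
 ########################################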
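--- a/branches/rbacsep/policy/modules/apps/ethereal.te
+++ b/branches/rbacsep/policy/modules/apps/ethereal.te
@@ -10,4 +10,5 @@
 type ethereal_exec_t;
 application_domain(ethereal_t, ethereal_exec_t)
+ubac_constrained(ethereal_t)
 
 type ethereal_home_t;
@@ -17,7 +18,9 @@
 type ethereal_tmp_t;
 files_tmp_file(ethereal_tmp_t)
+ubac_constrained(ethereal_tmp_t)
 
 type ethereal_tmpfs_t;
 files_tmpfs_file(ethereal_tmpfs_t)
+ubac_constrained(ethereal_tmpfs_t)
 
 type tethereal_t;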
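--- a/branches/rbacsep/policy/modules/apps/evolution.te
+++ b/branches/rbacsep/policy/modules/apps/evolution.te
@@ -10,27 +10,35 @@
 type evolution_exec_t;
 application_domain(evolution_t, evolution_exec_t)
+ubac_constrained(evolution_t)
 
 type evolution_alarm_t;
 type evolution_alarm_exec_t;
 application_domain(evolution_alarm_t, evolution_alarm_exec_t)
+ubac_constrained(evolution_alarm_t)
 
 type evolution_alarm_tmpfs_t;
 files_tmpfs_file(evolution_alarm_tmpfs_t)
+ubac_constrained(evolution_alarm_tmpfs_t)
 
 type evolution_alarm_orbit_tmp_t;
 files_tmp_file(evolution_alarm_orbit_tmp_t)
+ubac_constrained(evolution_alarm_orbit_tmp_t)
 
 type evolution_exchange_t;
 type evolution_exchange_exec_t;
 application_domain(evolution_exchange_t, evolution_exchange_exec_t)
+ubac_constrained(evolution_exchange_t)
 
 type evolution_exchange_tmpfs_t;
 files_tmpfs_file(evolution_exchange_tmpfs_t)
+ubac_constrained(evolution_exchange_tmpfs_t)
 
 type evolution_exchange_tmp_t;
 files_tmp_file(evolution_exchange_tmp_t)
+ubac_constrained(evolution_exchange_tmp_t)
 
 type evolution_exchange_orbit_tmp_t;
 files_tmp_file(evolution_exchange_orbit_tmp_t)
+ubac_constrained(evolution_exchange_orbit_tmp_t)
 
 type evolution_home_t;
@@ -40,21 +48,27 @@
 type evolution_orbit_tmp_t;
 files_tmp_file(evolution_orbit_tmp_t)
+ubac_constrained(evolution_orbit_tmp_t)
 
 type evolution_server_t;
 type evolution_server_exec_t;
 application_domain(evolution_server_t, evolution_server_exec_t)
+ubac_constrained(evolution_server_t)
 
 type evolution_server_orbit_tmp_t;
 files_tmp_file(evolution_server_orbit_tmp_t)
+ubac_constrained(evolution_server_orbit_tmp_t)
 
 type evolution_tmpfs_t;
 files_tmpfs_file(evolution_tmpfs_t)
+ubac_constrained(evolution_tmpfs_t)
 
 type evolution_webcal_t;
 type evolution_webcal_exec_t;
 application_domain(evolution_webcal_t, evolution_webcal_exec_t)
+ubac_constrained(evolution_webcal_t)
 
 type evolution_webcal_tmpfs_t;
 files_tmpfs_file(evolution_webcal_tmpfs_t)
+ubac_constrained(evolution_webcal_tmpfs_t)
 
 ########################################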
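--- a/branches/rbacsep/policy/modules/apps/games.te
+++ b/branches/rbacsep/policy/modules/apps/games.te
@@ -9,11 +9,14 @@
 type games_data_t;
 files_type(games_data_t)
+ubac_constrained(games_data_t)
 
 type games_t;
 type games_exec_t;
 application_domain(games_t, games_exec_t)
+ubac_constrained(games_t)
 
 type games_devpts_t;
 term_pty(games_devpts_t)
+ubac_constrained(games_devpts_t)
 
 # games_srv_t is for system operation of games, generic games daemons and
@@ -25,9 +28,11 @@
 files_pid_file(games_srv_var_run_t)
 
+type games_tmp_t;
+files_tmp_file(games_tmp_t)
+ubac_constrained(games_tmp_t)
+
 type games_tmpfs_t;
 files_tmpfs_file(games_tmpfs_t)
-
-type games_tmp_t;
-files_tmp_file(games_tmp_t)
+ubac_constrained(games_tmpfs_t)
 
 ########################################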
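Review bot: `games_data_t` (new line 11) is declared with the generic `files_type()` rather than a tmp, tmpfs or pty macro, and nothing in the hunk says why it should be separated per user. The same applies to `lockdev_lock_t`, `screen_var_run_t`, `user_cron_spool_t`, `print_spool_t` and `pyzor_var_lib_t` in later sections. Whether daemons and other users can still reach such objects depends on `basic_ubac_conditions`, whose definition is not shown in this changeset, so the effect cannot be checked from here. A short comment above each, e.g. `# per-user data: UBAC separates it by SELinux user identity`, would record the intent if that is what is meant. Separately, the second hunk moves the `games_tmp_t` declaration above `games_tmpfs_t`; that reorder would be easier to review as its own commit.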
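--- a/branches/rbacsep/policy/modules/apps/gift.te
+++ b/branches/rbacsep/policy/modules/apps/gift.te
@@ -10,4 +10,5 @@
 type gift_exec_t;
 application_domain(gift_t, gift_exec_t)
+ubac_constrained(gift_t)
 
 type gift_home_t;
@@ -17,8 +18,10 @@
 type gift_tmpfs_t;
 files_tmpfs_file(gift_tmpfs_t)
+ubac_constrained(gift_tmpfs_t)
 
 type giftd_t;
 type giftd_exec_t;
 application_domain(giftd_t, giftd_exec_t)
+ubac_constrained(giftd_t)
 
 ##############################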
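--- a/branches/rbacsep/policy/modules/apps/gnome.te
+++ b/branches/rbacsep/policy/modules/apps/gnome.te
@@ -18,4 +18,5 @@
 type gconfd_exec_t;
 application_domain(gconfd_t, gconfd_exec_t)
+ubac_constrained(gconfd_t)
 
 type gnome_home_t;
@@ -24,4 +25,5 @@
 type gconf_tmp_t;
 files_tmp_file(gconf_tmp_t)
+ubac_constrained(gconf_tmp_t)
 
 ##############################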
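--- a/branches/rbacsep/policy/modules/apps/gpg.te
+++ b/branches/rbacsep/policy/modules/apps/gpg.te
@@ -18,11 +18,14 @@
 type gpg_exec_t;
 application_domain(gpg_t, gpg_exec_t)
+ubac_constrained(gpg_t)
 
 type gpg_agent_t;
 type gpg_agent_exec_t;
 application_domain(gpg_agent_t, gpg_agent_exec_t)
+ubac_constrained(gpg_agent_t)
 
 type gpg_agent_tmp_t;
 files_tmp_file(gpg_agent_tmp_t)
+ubac_constrained(gpg_agent_tmp_t)
 
 type gpg_secret_t;
@@ -32,8 +35,10 @@
 type gpg_helper_exec_t;
 application_domain(gpg_helper_t, gpg_helper_exec_t)
+ubac_constrained(gpg_helper_t)
 
 type gpg_pinentry_t;
 type pinentry_exec_t;
 application_domain(gpg_pinentry_t, pinentry_exec_t)
+ubac_constrained(gpg_pinentry_t)
 
 ########################################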
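--- a/branches/rbacsep/policy/modules/apps/irc.te
+++ b/branches/rbacsep/policy/modules/apps/irc.te
@@ -11,4 +11,5 @@
 type irc_exec_t;
 application_domain(irc_t, irc_exec_t)
+ubac_constrained(irc_t)
 
 type irc_home_t;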
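--- a/branches/rbacsep/policy/modules/apps/java.te
+++ b/branches/rbacsep/policy/modules/apps/java.te
@@ -17,4 +17,5 @@
 type java_exec_t;
 application_domain(java_t, java_exec_t)
+ubac_constrained(java_t)
 typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
 typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -22,8 +23,10 @@
 type java_tmp_t;
 files_tmp_file(java_tmp_t)
+ubac_constrained(java_tmp_t)
 typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
 typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
 
 type java_tmpfs_t;
+ubac_constrained(java_tmpfs_t)
 files_tmpfs_file(java_tmpfs_t)
 typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };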
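Review bot: At new line 30 `ubac_constrained(java_tmpfs_t)` sits between `type java_tmpfs_t;` and `files_tmpfs_file(java_tmpfs_t)`, whereas every other type in this changeset, including `java_tmp_t` a few lines above, gets the marker after its `files_*()` declaration. The order is probably harmless to the compiled policy, but anyone auditing coverage by the usual pattern (declaration macro followed by `ubac_constrained`) can overlook this type. I would swap the two lines so the block reads `files_tmpfs_file(java_tmpfs_t)` then `ubac_constrained(java_tmpfs_t)`.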
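--- a/branches/rbacsep/policy/modules/apps/lockdev.te
+++ b/branches/rbacsep/policy/modules/apps/lockdev.te
@@ -10,7 +10,9 @@
 type lockdev_exec_t;
 application_domain(lockdev_t, lockdev_exec_t)
+ubac_constrained(lockdev_t)
 
 type lockdev_lock_t;
 files_lock_file(lockdev_lock_t)
+ubac_constrained(lockdev_lock_t)
 
 ########################################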
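--- a/branches/rbacsep/policy/modules/apps/mozilla.te
+++ b/branches/rbacsep/policy/modules/apps/mozilla.te
@@ -17,4 +17,5 @@
 type mozilla_exec_t;
 application_domain(mozilla_t, mozilla_exec_t)
+ubac_constrained(mozilla_t)
 
 type mozilla_conf_t;
@@ -27,4 +28,5 @@
 type mozilla_tmpfs_t;
 files_tmpfs_file(mozilla_tmpfs_t)
+ubac_constrained(mozilla_tmpfs_t)
 
 ########################################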
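--- a/branches/rbacsep/policy/modules/apps/mplayer.te
+++ b/branches/rbacsep/policy/modules/apps/mplayer.te
@@ -17,8 +17,10 @@
 type mencoder_exec_t;
 application_domain(mencoder_t, mencoder_exec_t)
+ubac_constrained(mencoder_t)
 
 type mplayer_t;
 type mplayer_exec_t;
 application_domain(mplayer_t, mplayer_exec_t)
+ubac_constrained(mplayer_t)
 
 type mplayer_etc_t;
@@ -31,4 +33,5 @@
 type mplayer_tmpfs_t;
 files_tmpfs_file(mplayer_tmpfs_t)
+ubac_constrained(mplayer_tmpfs_t)
 
 ########################################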
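--- a/branches/rbacsep/policy/modules/apps/rssh.te
+++ b/branches/rbacsep/policy/modules/apps/rssh.te
@@ -15,8 +15,10 @@
 domain_user_exemption_target(rssh_t)
 domain_interactive_fd(rssh_t)
+ubac_constrained(rssh_t)
 role system_r types rssh_t;
 
 type rssh_devpts_t;
 term_user_pty(rssh_t, rssh_devpts_t)
+ubac_constrained(rssh_devpts_t)
 
 type rssh_ro_t, rssh_ro_content_type;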
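--- a/branches/rbacsep/policy/modules/apps/screen.if
+++ b/branches/rbacsep/policy/modules/apps/screen.if
@@ -36,4 +36,5 @@
         application_domain($1_screen_t, screen_exec_t)
         domain_interactive_fd($1_screen_t)
+        ubac_constrained($1_screen_t)
         role $2 types $1_screen_t;
 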
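--- a/branches/rbacsep/policy/modules/apps/screen.te
+++ b/branches/rbacsep/policy/modules/apps/screen.te
@@ -15,4 +15,5 @@
 type screen_tmp_t;
 files_tmp_file(screen_tmp_t)
+ubac_constrained(screen_tmp_t)
 
 type screen_home_t;
@@ -21,2 +22,3 @@
 type screen_var_run_t;
 files_pid_file(screen_var_run_t)
+ubac_constrained(screen_var_run_t)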
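--- a/branches/rbacsep/policy/modules/apps/thunderbird.te
+++ b/branches/rbacsep/policy/modules/apps/thunderbird.te
@@ -10,4 +10,5 @@
 type thunderbird_exec_t;
 application_domain(thunderbird_t, thunderbird_exec_t)
+ubac_constrained(thunderbird_t)
 
 type thunderbird_home_t;
@@ -17,4 +18,5 @@
 type thunderbird_tmpfs_t;
 files_tmpfs_file(thunderbird_tmpfs_t)
+ubac_constrained(thunderbird_tmpfs_t)
 
 ########################################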
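--- a/branches/rbacsep/policy/modules/apps/tvtime.te
+++ b/branches/rbacsep/policy/modules/apps/tvtime.te
@@ -10,4 +10,5 @@
 type tvtime_exec_t;
 application_domain(tvtime_t, tvtime_exec_t)
+ubac_constrained(tvtime_t)
 
 type tvtime_home_t alias tvtime_rw_t;
@@ -17,7 +18,9 @@
 type tvtime_tmp_t;
 files_tmp_file(tvtime_tmp_t)
+ubac_constrained(tvtime_tmp_t)
 
 type tvtime_tmpfs_t;
 files_tmpfs_file(tvtime_tmpfs_t)
+ubac_constrained(tvtime_tmpfs_t)
 
 ########################################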
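--- a/branches/rbacsep/policy/modules/apps/uml.te
+++ b/branches/rbacsep/policy/modules/apps/uml.te
@@ -10,19 +10,25 @@
 type uml_exec_t;
 application_domain(uml_t, uml_exec_t)
+ubac_constrained(uml_t)
 
 type uml_ro_t;
 files_type(uml_ro_t)
+ubac_constrained(uml_ro_t)
 
 type uml_rw_t;
 files_type(uml_rw_t)
+ubac_constrained(uml_rw_t)
 
 type uml_tmp_t;
 files_tmp_file(uml_tmp_t)
+ubac_constrained(uml_tmp_t)
 
 type uml_tmpfs_t;
 files_tmpfs_file(uml_tmpfs_t)
+ubac_constrained(uml_tmpfs_t)
 
 type uml_devpts_t;
 term_pty(uml_devpts_t)
+ubac_constrained(uml_devpts_t)
 
 type uml_switch_t;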
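--- a/branches/rbacsep/policy/modules/apps/userhelper.if
+++ b/branches/rbacsep/policy/modules/apps/userhelper.if
@@ -39,4 +39,5 @@
         domain_interactive_fd($1_userhelper_t)
         domain_subj_id_change_exemption($1_userhelper_t)
+        ubac_constrained($1_userhelper_t)
         role $2 types $1_userhelper_t;
 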
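--- a/branches/rbacsep/policy/modules/apps/wireshark.te
+++ b/branches/rbacsep/policy/modules/apps/wireshark.te
@@ -10,4 +10,5 @@
 type wireshark_exec_t;
 application_domain(wireshark_t, wireshark_exec_t)
+ubac_constrained(wireshark_t)
 
 type wireshark_home_t;
@@ -17,7 +18,9 @@
 type wireshark_tmp_t;
 files_tmp_file(wireshark_tmp_t)
+ubac_constrained(wireshark_tmp_t)
 
 type wireshark_tmpfs_t;
 files_tmpfs_file(wireshark_tmpfs_t)
+ubac_constrained(wireshark_tmpfs_t)
 
 ##############################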
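--- a/branches/rbacsep/policy/modules/kernel/ubac.if
+++ b/branches/rbacsep/policy/modules/kernel/ubac.if
@@ -3,2 +3,74 @@
 ##      Contains attributes used in UBAC policy.
 ## </required>
+
+interface(`ubac_constrained',`
+        gen_require(`
+                attribute ubac_constrained_type;
+        ')
+
+        typeattribute $1 ubac_constrained_type;
+')
+
+interface(`ubac_file_exempt',`
+        gen_require(`
+                attribute ubacfile;
+        ')
+
+        typeattribute $1 ubacfile;
+')
+
+interface(`ubac_process_exempt',`
+        gen_require(`
+                attribute ubacproc;
+        ')
+
+        typeattribute $1 ubacproc;
+')
+
+interface(`ubac_socket_exempt',`
+        gen_require(`
+                attribute ubacsock;
+        ')
+
+        typeattribute $1 ubacsock;
+')
+
+interface(`ubac_sysvipc_exempt',`
+        gen_require(`
+                attribute ubacipc;
+        ')
+
+        typeattribute $1 ubacipc;
+')
+
+interface(`ubac_xwin_exempt',`
+        gen_require(`
+                attribute ubacxwin;
+        ')
+
+        typeattribute $1 ubacxwin;
+')
+
+interface(`ubac_dbus_exempt',`
+        gen_require(`
+                attribute ubacdbus;
+        ')
+
+        typeattribute $1 ubacdbus;
+')
+
+interface(`ubac_key_exempt',`
+        gen_require(`
+                attribute ubackey;
+        ')
+
+        typeattribute $1 ubackey;
+')
+
+interface(`ubac_db_exempt',`
+        gen_require(`
+                attribute ubacdb;
+        ')
+
+        typeattribute $1 ubacdb;
+')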
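Review bot: The nine interfaces added at new lines 6–76 have no `## <summary>` / `## <param name="...">` header, although the file already opens with `##` documentation comments. That matters most for the `ubac_*_exempt` family: each call adds its argument to an attribute (`ubacfile`, `ubacproc`, …) that the constraints file in this changeset passes to `exempted_ubac_constraint()` or compares against `t1`, so callers are apparently lifted out of user-based separation for a whole group of object classes. I would add a header per interface, e.g. `## <summary>Exempt the domain from UBAC constraints on file objects.</summary>` with a matching `## <param name="domain">` entry, so that every caller of an exemption is easy to find and justify in review. The header for `ubac_constrained` should say that `$1` may be a domain or an object type, since this changeset calls it with both.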
  • branches/rbacsep/policy/modules/kernel/ubac.te

    r2758 r2759  
    99attribute ubac_constrained_type; 
    1010 
    11 attribute ubacfilesubj
    12 attribute ubacprocsubj
    13 attribute ubacsocksubj
    14 attribute ubacipcsubj
    15 attribute ubacxwinsubj
    16 attribute ubacdbussubj
    17 attribute ubackeysubj
    18 attribute ubacdbsubj
     11attribute ubacfile
     12attribute ubacproc
     13attribute ubacsock
     14attribute ubacipc
     15attribute ubacxwin
     16attribute ubacdbus
     17attribute ubackey
     18attribute ubacdb
    1919 
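--- a/branches/rbacsep/policy/modules/services/apache.te
+++ b/branches/rbacsep/policy/modules/services/apache.te
@@ -751,5 +751,11 @@
 
 typeattribute httpd_user_script_t httpd_script_domains;
+ubac_constrained(httpd_user_script_t)
 userdom_user_home_content(httpd_user_content_t)
+userdom_user_home_content(httpd_user_htaccess_t)
+userdom_user_home_content(httpd_user_script_exec_t)
+userdom_user_home_content(httpd_user_script_ra_t)
+userdom_user_home_content(httpd_user_script_ro_t)
+userdom_user_home_content(httpd_user_script_rw_t)
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`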
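Review bot: Only `httpd_user_script_t` is marked with `ubac_constrained()` here (new line 753); the six `httpd_user_*` content types go through `userdom_user_home_content()` instead, and this changeset does not show whether that macro also adds `ubac_constrained_type`. If it does not, a user's web content and CGI script files stay outside UBAC while the script domain is inside it. A comment such as `# userdom_user_home_content() also marks the type ubac_constrained` would settle the question; otherwise the content types need explicit markers. Lines 755–759 also newly classify five types as user home content, which goes beyond what the commit message describes.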
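--- a/branches/rbacsep/policy/modules/services/bluetooth.te
+++ b/branches/rbacsep/policy/modules/services/bluetooth.te
@@ -19,10 +19,13 @@
 type bluetooth_helper_exec_t;
 application_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
+ubac_constrained(bluetooth_helper_t)
 
 type bluetooth_helper_tmp_t;
 files_tmp_file(bluetooth_helper_tmp_t)
+ubac_constrained(bluetooth_helper_tmp_t)
 
 type bluetooth_helper_tmpfs_t;
 files_tmpfs_file(bluetooth_helper_tmpfs_t)
+ubac_constrained(bluetooth_helper_tmpfs_t)
 
 type bluetooth_lock_t;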
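--- a/branches/rbacsep/policy/modules/services/cron.if
+++ b/branches/rbacsep/policy/modules/services/cron.if
@@ -20,4 +20,5 @@
         type $1_t;
         application_domain($1_t, crontab_exec_t)
+        ubac_constrained($1_t)
 
         type $1_tmp_t;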
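Review bot: The marker at new line 22 covers `$1_t` only, and the hunk ends on `type $1_tmp_t;` without showing whether that type is marked as well; the template body continues outside the hunk. Elsewhere in this changeset tmp types are constrained alongside their domain (for example `lpr_tmp_t` and `spamc_tmp_t`), and this one presumably holds a user's crontab while it is being edited. If the template does not already do so further down, I would add `ubac_constrained($1_tmp_t)` after the declaration of `$1_tmp_t`.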
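--- a/branches/rbacsep/policy/modules/services/cron.te
+++ b/branches/rbacsep/policy/modules/services/cron.te
@@ -47,4 +47,5 @@
 domain_cron_exemption_target(cronjob_t)
 corecmd_shell_entry_type(cronjob_t)
+ubac_constrained(cronjob_t)
 
 type crond_t;
@@ -91,4 +92,5 @@
 type user_cron_spool_t, cron_spool_type;
 files_type(user_cron_spool_t)
+ubac_constrained(user_cron_spool_t)
 
 ########################################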
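--- a/branches/rbacsep/policy/modules/services/dbus.if
+++ b/branches/rbacsep/policy/modules/services/dbus.if
@@ -55,4 +55,5 @@
         domain_type($1_dbusd_t)
         domain_entry_file($1_dbusd_t, dbusd_exec_t)
+        ubac_constrained($1_dbusd_t)
         role $2 types $1_dbusd_t;
 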
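--- a/branches/rbacsep/policy/modules/services/dbus.te
+++ b/branches/rbacsep/policy/modules/services/dbus.te
@@ -21,4 +21,5 @@
 type session_dbusd_tmp_t;
 files_tmp_file(session_dbusd_tmp_t)
+ubac_constrained(session_dbusd_tmp_t)
 
 type system_dbusd_t;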
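--- a/branches/rbacsep/policy/modules/services/lpd.te
+++ b/branches/rbacsep/policy/modules/services/lpd.te
@@ -35,11 +35,14 @@
 type lpr_exec_t;
 application_domain(lpr_t, lpr_exec_t)
+ubac_constrained(lpr_t)
 
 type lpr_tmp_t;
 files_tmp_file(lpr_tmp_t)
+ubac_constrained(lpr_tmp_t)
 
 # Type for spool files.
 type print_spool_t;
 files_type(print_spool_t)
+ubac_constrained(print_spool_t)
 
 type printer_t;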
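--- a/branches/rbacsep/policy/modules/services/mta.te
+++ b/branches/rbacsep/policy/modules/services/mta.te
@@ -33,4 +33,6 @@
 
 mta_base_mail_template(user)
+ubac_constrained(user_mail_t)
+ubac_constrained(user_mail_tmp_t)
 
 ########################################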
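Review bot: `user_mail_t` and `user_mail_tmp_t` (new lines 35–36) are not declared anywhere in the visible lines of this file; they presumably come out of `mta_base_mail_template(user)` on the line above, so the markers silently depend on the template's naming scheme. `razor.te` does the same with `razor_t` after `razor_common_domain_template(razor)`, while `cron.if` and the `su`, `sudo` and `screen` templates place the marker inside the template itself. A comment like `# types declared by mta_base_mail_template(user)` would make the dependency explicit. It would also help to state whether leaving other instantiations of the template unconstrained is deliberate.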
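--- a/branches/rbacsep/policy/modules/services/pyzor.te
+++ b/branches/rbacsep/policy/modules/services/pyzor.te
@@ -10,4 +10,5 @@
 type pyzor_exec_t;
 application_domain(pyzor_t,pyzor_exec_t)
+ubac_constrained(pyzor_t)
 role system_r types pyzor_t;
 
@@ -20,7 +21,9 @@
 type pyzor_tmp_t;
 files_tmp_file(pyzor_tmp_t)
+ubac_constrained(pyzor_tmp_t)
 
 type pyzor_var_lib_t;
 files_type(pyzor_var_lib_t)
+ubac_constrained(pyzor_var_lib_t)
 
 type pyzord_t;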
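--- a/branches/rbacsep/policy/modules/services/razor.te
+++ b/branches/rbacsep/policy/modules/services/razor.te
@@ -22,4 +22,5 @@
 type razor_tmp_t;
 files_tmp_file(razor_tmp_t)
+ubac_constrained(razor_tmp_t)
 
 type razor_var_lib_t;
@@ -28,4 +29,5 @@
 # these are here due to ordering issues:
 razor_common_domain_template(razor)
+ubac_constrained(razor_t)
 
 razor_common_domain_template(system_razor)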
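--- a/branches/rbacsep/policy/modules/services/spamassassin.te
+++ b/branches/rbacsep/policy/modules/services/spamassassin.te
@@ -24,4 +24,5 @@
 type spamassassin_exec_t;
 application_domain(spamassassin_t, spamassassin_exec_t)
+ubac_constrained(spamassassin_t)
 
 type spamassassin_home_t;
@@ -31,11 +32,14 @@
 type spamassassin_tmp_t;
 files_tmp_file(spamassassin_tmp_t)
+ubac_constrained(spamassassin_tmp_t)
 
 type spamc_t;
 type spamc_exec_t;
 application_domain(spamc_t, spamc_exec_t)
+ubac_constrained(spamc_t)
 
 type spamc_tmp_t;
 files_tmp_file(spamc_tmp_t)
+ubac_constrained(spamc_tmp_t)
 
 type spamd_t;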
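--- a/branches/rbacsep/policy/modules/services/ssh.if
+++ b/branches/rbacsep/policy/modules/services/ssh.if
@@ -326,4 +326,5 @@
         application_domain($1_ssh_agent_t, ssh_agent_exec_t)
         domain_interactive_fd($1_ssh_agent_t)
+        ubac_constrained($1_ssh_agent_t)
         role $2 types $1_ssh_agent_t;
 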
  • branches/rbacsep/policy/modules/services/ssh.te

    r2755 r2759