Changeset 2780
- Timestamp:
- 08/14/08 09:19:50 (3 months ago)
- Files:
-
- trunk/policy/modules/admin/bootloader.if (modified) (1 diff)
- trunk/policy/modules/admin/bootloader.te (modified) (2 diffs)
- trunk/policy/modules/admin/kudzu.te (modified) (2 diffs)
- trunk/policy/modules/services/courier.fc (modified) (1 diff)
- trunk/policy/modules/services/courier.if (modified) (1 diff)
- trunk/policy/modules/services/courier.te (modified) (2 diffs)
- trunk/policy/modules/services/rdisc.te (modified) (2 diffs)
- trunk/policy/modules/services/rpc.te (modified) (7 diffs)
- trunk/policy/modules/system/getty.fc (modified) (1 diff)
- trunk/policy/modules/system/getty.te (modified) (2 diffs)
trunk/policy/modules/admin/bootloader.if
r2763 r2780 50 50 role $2 types bootloader_t; 51 51 allow bootloader_t $3:chr_file rw_term_perms; 52 53 ifdef(`distro_redhat',` 54 # for mke2fs 55 mount_run(bootloader_t, $2, $3) 56 ') 52 57 ') 53 58 trunk/policy/modules/admin/bootloader.te
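Review bot: The new `mount_run(bootloader_t, $2, $3)` call carries only the comment `# for mke2fs`, which does not say why running the bootloader requires the caller's role to be granted the mount domain; the same terse comment sits above `mount_domtrans(bootloader_t)` in bootloader.te. Because `mount_run` also assigns role `$2` to the mount domain, a reader auditing role coverage needs the reason recorded; suggest replacing the comment with one that names the program in the bootloader path that execs mount, e.g. `# <bootloader helper> execs mount while preparing the boot filesystem (mke2fs); the caller's role needs the mount domain too` — confirm the actual call chain before wording it. The enclosing `bootloader_run` interface begins outside the hunk.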
r2763 r2780 1 1 2 policy_module(bootloader, 1.8. 0)2 policy_module(bootloader, 1.8.1) 3 3 4 4 ######################################## … … 173 173 # for mke2fs 174 174 mount_domtrans(bootloader_t) 175 176 optional_policy(` 177 unconfined_domain(bootloader_t) 178 ') 175 179 ') 176 180 trunk/policy/modules/admin/kudzu.te
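Review bot: `unconfined_domain(bootloader_t)` in the new `optional_policy` block removes effectively all confinement from the bootloader domain, and nothing in the hunk records why the existing `mount_domtrans(bootloader_t)` plus the mount changes elsewhere in this changeset were not sufficient. Sitting right under `# for mke2fs`, it reads as a stopgap rather than a decision; suggest a comment above the block such as `# bootloader needs broad access on this distro; unconfine it when the unconfined module is present — TODO narrow to the specific accesses` so the widening is auditable. The `')` at new line 179 appears to close a conditional that starts outside the hunk, so confirm the optional_policy really is inside the intended distro conditional.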
r2763 r2780 1 1 2 policy_module(kudzu, 1.6. 0)2 policy_module(kudzu, 1.6.1) 3 3 4 4 ######################################## … … 144 144 145 145 optional_policy(` 146 # cjp: this was originally in the else block 147 # of ifdef userhelper.te, but it seems to 148 # make more sense here. also, require 149 # blocks curently do not work in the 150 # else block of optionals 146 unconfined_domtrans(kudzu_t) 151 147 unconfined_domain(kudzu_t) 152 148 ') 153 154 ifdef(`TODO',`155 allow kudzu_t modules_conf_t:file unlink;156 optional_policy(`157 allow kudzu_t printconf_t:file { getattr read };158 ')159 optional_policy(`160 allow kudzu_t xserver_exec_t:file getattr;161 ')162 optional_policy(`163 allow kudzu_t rhgb_t:unix_stream_socket connectto;164 ')165 optional_policy(`166 role system_r types sysadm_userhelper_t;167 domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)168 ')169 allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms;170 ')trunk/policy/modules/services/courier.fc
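Review bot: The added `unconfined_domtrans(kudzu_t)` at new line 146 replaces a five-line explanatory comment with no comment of its own, so the block ends up less documented than before while still granting a transition into the unconfined domain. Combined with the retained `unconfined_domain(kudzu_t)` this leaves kudzu both fully unconfined and able to exec into unconfined_t; a single line such as `# kudzu execs helpers (userhelper, per the removed notes) that must run unconfined` would record the intent — confirm which helper actually triggers this. The deleted `ifdef(`TODO'` block was dead policy and its removal needs no note.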
r1715 r2780 20 20 21 21 /var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) 22 23 /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) trunk/policy/modules/services/courier.if
r2763 r2780 124 124 domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) 125 125 ') 126 127 ######################################## 128 ## <summary> 129 ## Read courier config files 130 ## </summary> 131 ## <param name="prefix"> 132 ## <summary> 133 ## Domain allowed access. 134 ## </summary> 135 ## </param> 136 # 137 interface(`courier_read_config',` 138 gen_require(` 139 type courier_etc_t; 140 ') 141 142 read_files_pattern($1, courier_etc_t, courier_etc_t) 143 ') 144 145 ######################################## 146 ## <summary> 147 ## Create, read, write, and delete courier 148 ## spool directories. 149 ## </summary> 150 ## <param name="prefix"> 151 ## <summary> 152 ## Domain allowed access. 153 ## </summary> 154 ## </param> 155 # 156 interface(`courier_manage_spool_dirs',` 157 gen_require(` 158 type courier_spool_t; 159 ') 160 161 manage_dirs_pattern($1, courier_spool_t, courier_spool_t) 162 ') 163 164 ######################################## 165 ## <summary> 166 ## Create, read, write, and delete courier 167 ## spool files. 168 ## </summary> 169 ## <param name="prefix"> 170 ## <summary> 171 ## Domain allowed access. 172 ## </summary> 173 ## </param> 174 # 175 interface(`courier_manage_spool_files',` 176 gen_require(` 177 type courier_spool_t; 178 ') 179 180 manage_files_pattern($1, courier_spool_t, courier_spool_t) 181 ') 182 183 ######################################## 184 ## <summary> 185 ## Read and write to courier spool pipes. 186 ## </summary> 187 ## <param name="domain"> 188 ## <summary> 189 ## Domain to not audit. 190 ## </summary> 191 ## </param> 192 # 193 interface(`courier_rw_spool_pipes',` 194 gen_require(` 195 type courier_spool_t; 196 ') 197 198 allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; 199 ') trunk/policy/modules/services/courier.te
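Review bot: The `<param>` documentation in the four new interfaces does not match what they do: `courier_read_config`, `courier_manage_spool_dirs` and `courier_manage_spool_files` name the parameter `prefix` although `$1` is a domain, and `courier_rw_spool_pipes` describes `$1` as `Domain to not audit.` while its body is an `allow` rule, not a `dontaudit`. Suggest `<param name="domain">` for all four and `## Domain allowed access.` for the last one so the generated interface documentation matches the rules. Separately, the two manage interfaces grant access only to courier_spool_t itself; callers resolving the path from `/` will also need search on /var/spool (other refpolicy spool interfaces add `files_search_spool($1)`) — verify against the intended callers before adding it.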
r2763 r2780 1 1 2 policy_module(courier, 1.5. 0)2 policy_module(courier, 1.5.1) 3 3 4 4 ######################################## … … 10 10 11 11 type courier_etc_t; 12 files_ type(courier_etc_t)12 files_config_file(courier_etc_t) 13 13 14 14 courier_domain_template(pcp) 15 15 16 16 courier_domain_template(pop) 17 18 type courier_spool_t; 19 files_type(courier_spool_t) 17 20 18 21 courier_domain_template(tcpd) trunk/policy/modules/services/rdisc.te
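Review bot: The new `type courier_spool_t;` / `files_type(courier_spool_t)` pair is inserted between the `pop` and `tcpd` `courier_domain_template` calls instead of beside the `courier_etc_t` declaration at lines 11–12, so type declarations and domain instantiations are now interleaved. Moving the two lines up next to `courier_etc_t` keeps the declarations section readable. The switch from `files_type` to `files_config_file` for `courier_etc_t` needs no further note.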
r2763 r2780 1 1 2 policy_module(rdisc, 1.5. 0)2 policy_module(rdisc, 1.5.1) 3 3 4 4 ######################################## … … 48 48 logging_send_syslog_msg(rdisc_t) 49 49 50 miscfiles_read_localization(rdisc_t) 51 50 52 sysnet_read_config(rdisc_t) 51 53 trunk/policy/modules/services/rpc.te
r2763 r2780 1 1 2 policy_module(rpc, 1.8. 0)2 policy_module(rpc, 1.8.1) 3 3 4 4 ######################################## … … 63 63 # rpc.statd executes sm-notify 64 64 can_exec(rpcd_t, rpcd_exec_t) 65 corecmd_search_bin(rpcd_t)66 65 67 66 kernel_read_system_state(rpcd_t) 68 kernel_ search_network_state(rpcd_t)67 kernel_read_network_state(rpcd_t) 69 68 # for rpc.rquotad 70 69 kernel_read_sysctl(rpcd_t) 71 70 kernel_rw_fs_sysctls(rpcd_t) 71 72 corecmd_exec_bin(rpcd_t) 73 74 files_manage_mounttab(rpcd_t) 72 75 73 76 fs_list_rpc(rpcd_t) … … 75 78 fs_read_rpc_symlinks(rpcd_t) 76 79 fs_read_rpc_sockets(rpcd_t) 77 term_use_controlling_term(rpcd_t)78 80 79 # cjp: this should really have its own type 80 files_manage_mounttab(rpcd_t) 81 selinux_dontaudit_read_fs(rpcd_t) 81 82 82 83 miscfiles_read_certs(rpcd_t) … … 105 106 corenet_udp_bind_all_rpc_ports(nfsd_t) 106 107 107 fs_mount_nfsd_fs(nfsd_t) 108 fs_search_nfsd_fs(nfsd_t) 109 fs_getattr_all_fs(nfsd_t) 110 fs_rw_nfsd_fs(nfsd_t) 111 112 term_use_controlling_term(nfsd_t) 108 dev_dontaudit_getattr_all_blk_files(nfsd_t) 109 dev_dontaudit_getattr_all_chr_files(nfsd_t) 110 dev_rw_lvm_control(nfsd_t) 113 111 114 112 # does not really need this, but it is easier to just allow it … … 118 116 # cjp: this should really have its own type 119 117 files_manage_mounttab(rpcd_t) 118 119 fs_mount_nfsd_fs(nfsd_t) 120 fs_search_nfsd_fs(nfsd_t) 121 fs_getattr_all_fs(nfsd_t) 122 fs_getattr_all_dirs(nfsd_t) 123 fs_rw_nfsd_fs(nfsd_t) 124 125 storage_dontaudit_read_fixed_disk(nfsd_t) 120 126 121 127 # Read access to public_content_t and public_content_rw_t … … 150 156 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) 151 157 158 kernel_read_system_state(gssd_t) 152 159 kernel_read_network_state(gssd_t) 153 160 kernel_read_network_state_symlinks(gssd_t) … … 162 169 files_list_tmp(gssd_t) 163 170 files_read_usr_symlinks(gssd_t) 171 172 auth_use_nsswitch(gssd_t) 164 173 165 174 miscfiles_read_certs(gssd_t) trunk/policy/modules/system/getty.fc
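Review bot: `files_manage_mounttab(rpcd_t)` now appears twice on the new side: it is added at new line 74, the copy at old line 80 is removed, but the copy at new lines 116–117 (still carrying the `# cjp: this should really have its own type` comment) is left in place. That retained copy sits among `nfsd_t` rules (`dev_rw_lvm_control(nfsd_t)` above, `fs_mount_nfsd_fs(nfsd_t)` below), which suggests it was either meant to read `files_manage_mounttab(nfsd_t)` or is a stale duplicate — drop it or correct the argument, and keep the comment with whichever copy survives. The added `dev_rw_lvm_control(nfsd_t)` also has no comment explaining why the NFS server needs write access to the LVM control device; one line naming the operation that requires it would help the next audit.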
r1933 r2780 9 9 /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) 10 10 11 /var/spool/fax --gen_context(system_u:object_r:getty_var_run_t,s0)12 /var/spool/voice --gen_context(system_u:object_r:getty_var_run_t,s0)11 /var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0) 12 /var/spool/voice(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0) trunk/policy/modules/system/getty.te
r2656 r2780 1 1 2 policy_module(getty, 1.6.0)2 policy_module(getty, 1.6.1) 3 3 4 4 ######################################## … … 10 10 type getty_exec_t; 11 11 init_domain(getty_t,getty_exec_t) 12 init_system_domain(getty_t, getty_exec_t) 12 13 domain_interactive_fd(getty_t) 13 14
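Review bot: The added `init_system_domain(getty_t, getty_exec_t)` is placed directly after the retained `init_domain(getty_t,getty_exec_t)`; in refpolicy `init_system_domain` normally performs the `init_domain` call itself (confirm against init.if in this tree), so the two lines overlap and the older one should be removed rather than kept. Keeping only the new call also removes the spacing inconsistency between `getty_t,getty_exec_t` and `getty_t, getty_exec_t`.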
