[selinux-policy: 741/3172] start moving around to prep for 1.27.1-15 update

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:08:53 UTC 2010


commit f721a4967b9ad99299658c23bc951a36bf2de78f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Oct 13 14:09:28 2005 +0000

    start moving around to prep for 1.27.1-15 update

 strict/domains/program/NetworkManager.te           |   10 ++-
 strict/domains/program/alsa.te                     |   11 +++-
 strict/domains/program/amanda.te                   |   74 +++++---------------
 strict/domains/program/{unused => }/bonobo.te      |    0
 strict/domains/program/{unused => }/cvs.te         |    0
 strict/domains/program/{unused => }/ddcprobe.te    |    0
 strict/domains/program/{unused => }/ethereal.te    |    0
 strict/domains/program/{unused => }/evolution.te   |    0
 strict/domains/program/{unused => }/fontconfig.te  |    0
 strict/domains/program/{unused => }/gconf.te       |    0
 strict/domains/program/{unused => }/gnome.te       |    0
 strict/domains/program/{unused => }/gnome_vfs.te   |    0
 strict/domains/program/{unused => }/iceauth.te     |    0
 strict/domains/program/openct.te                   |   16 ++++
 strict/domains/program/{unused => }/orbit.te       |    0
 strict/domains/program/{unused => }/thunderbird.te |    0
 strict/domains/program/unused/backup.te            |    2 +
 strict/file_contexts/program/openct.fc             |    2 +
 strict/file_contexts/program/pegasus.fc            |   11 +++
 strict/file_contexts/program/readahead.fc          |    1 +
 strict/file_contexts/program/roundup.fc            |    2 +
 strict/file_contexts/program/yppasswdd.fc          |    2 +
 22 files changed, 70 insertions(+), 61 deletions(-)
---
diff --git a/strict/domains/program/NetworkManager.te b/strict/domains/program/NetworkManager.te
index 1ef8916..e4efdd6 100644
--- a/strict/domains/program/NetworkManager.te
+++ b/strict/domains/program/NetworkManager.te
@@ -11,16 +11,16 @@
 # NetworkManager_t is the domain for the NetworkManager daemon. 
 # NetworkManager_exec_t is the type of the NetworkManager executable.
 #
-daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod' )
+daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
 
 can_network(NetworkManager_t)
 allow NetworkManager_t port_type:tcp_socket name_connect;
-allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
 allow NetworkManager_t dhcpc_t:process signal;
 
 can_ypbind(NetworkManager_t)
 uses_shlib(NetworkManager_t)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
 
 allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
 
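Review bot: The daemon_domain line now adds `mlsfileread` and the capability line adds `ipc_lock`, both without a comment, and `mlsfileread` in particular is an MLS override that lets NetworkManager_t read files above its own level; nothing in the hunk says which file it needs that for. The same goes for the new `isakmp_port_t` bind, which is presumably tied to the VPN work in the next hunk. Suggest a one-line comment above the daemon_domain call such as `# mlsfileread/ipc_lock/isakmp bind: needed for VPN support (TODO: name the files read and the reason for the lock)` so the widening stays auditable.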
@@ -93,6 +93,9 @@ allow NetworkManager_t initrc_var_run_t:file { getattr read };
 
 domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
 allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+# allow vpnc connections
+allow NetworkManager_t self:rawip_socket create_socket_perms;
+allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
 
 domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
 domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
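Review bot: `allow NetworkManager_t self:rawip_socket create_socket_perms;` together with the `net_raw` capability already on NetworkManager_t gives the daemon itself the ability to open raw IP sockets, which is a broader grant than the `# allow vpnc connections` comment suggests. If vpnc is executed as a separate binary, a domain_auto_trans into its own domain (as this file already does for dhcpc and insmod) would keep raw-socket and tun/tap access out of NetworkManager_t. If the daemon really opens these itself, the comment should say so, e.g. `# vpnc support: NetworkManager itself opens raw sockets and the tun/tap device`.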
@@ -106,3 +109,4 @@ allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
 ')
 allow NetworkManager_t var_lib_t:dir search;
 dontaudit NetworkManager_t user_tty_type:chr_file { read write };
+dontaudit NetworkManager_t security_t:dir search;
diff --git a/strict/domains/program/alsa.te b/strict/domains/program/alsa.te
index 5717244..ab80475 100644
--- a/strict/domains/program/alsa.te
+++ b/strict/domains/program/alsa.te
@@ -6,12 +6,19 @@
 type alsa_t, domain, privlog, daemon;
 type alsa_exec_t, file_type, sysadmfile, exec_type;
 uses_shlib(alsa_t)
-allow alsa_t self:sem  create_sem_perms;
-allow alsa_t self:shm  create_shm_perms;
+allow alsa_t { unpriv_userdomain self }:sem  create_sem_perms;
+allow alsa_t { unpriv_userdomain self }:shm  create_shm_perms;
 allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
+allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
+
 type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
 rw_dir_create_file(alsa_t,alsa_etc_rw_t)
 allow alsa_t self:capability { setgid setuid ipc_owner };
+dontaudit alsa_t self:capability sys_admin;
 allow alsa_t devpts_t:chr_file { read write };
 allow alsa_t etc_t:file { getattr read };
 domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
+role system_r types alsa_t;
+read_locale(alsa_t) 
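Review bot: The new `allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };` grants every unprivileged user domain the full create_shm_perms set (including destroy) on alsa_t's shared memory, while the matching sem rule on the line above is deliberately narrowed to `{ unix_read unix_write associate read write }`. Unless users must create or destroy alsa_t segments, the shm rule should be narrowed the same way, `allow unpriv_userdomain alsa_t:shm { unix_read unix_write associate read write };`, since as written any user domain can also interfere with segments other users share with alsa_t. The last line `read_locale(alsa_t) ` also carries trailing whitespace.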
diff --git a/strict/domains/program/amanda.te b/strict/domains/program/amanda.te
index 2785acf..4b63f5f 100644
--- a/strict/domains/program/amanda.te
+++ b/strict/domains/program/amanda.te
@@ -84,7 +84,6 @@ domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
 
 # configuration files -> read only
 allow amanda_t amanda_config_t:file { getattr read };
-allow amanda_t amanda_config_t:dir search;
 
 # access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file { getattr lock read write };
@@ -97,43 +96,18 @@ allow amanda_t amanda_data_t:dir { read search write };
 allow amanda_t amanda_data_t:file { read write };
 
 # access to proc_t
-allow amanda_t proc_t:dir { getattr search };
 allow amanda_t proc_t:file { getattr read };
 
 # access to etc_t and similar
-allow amanda_t etc_t:dir { getattr search };
 allow amanda_t etc_t:file { getattr read };
 allow amanda_t etc_runtime_t:file { getattr read };
 
-# access to var_t and similar
-allow amanda_t var_t:dir search;
-allow amanda_t var_lib_t:dir search;
-allow amanda_t amanda_var_lib_t:dir search;
-
 # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
-allow amanda_t amanda_gnutarlists_t:dir { add_name read remove_name search write };
-allow amanda_t amanda_gnutarlists_t:file { create getattr read rename setattr unlink write };
-
-# access to var_run_t
-allow amanda_t var_run_t:dir search;
-
-# access to var_log_t
-allow amanda_t var_log_t:dir getattr;
-
-# access to var_spool_t
-allow amanda_t var_spool_t:dir getattr;
-
-# access to amanda_usr_lib_t
-allow amanda_t amanda_usr_lib_t:dir search;
+rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
 
 # access to device_t and similar
-allow amanda_t device_t:dir search;
-allow amanda_t devpts_t:dir getattr;
 allow amanda_t devtty_t:chr_file { read write };
 
-# access to boot_t
-allow amanda_t boot_t:dir getattr;
-
 # access to fs_t
 allow amanda_t fs_t:filesystem getattr;
 
@@ -158,7 +132,8 @@ allow amanda_t bin_t:file { execute execute_no_trans };
 
 allow amanda_t self:capability { chown dac_override setuid };
 allow amanda_t self:process { fork sigchld setpgid signal };
-allow amanda_t self:unix_dgram_socket create;
+allow amanda_t self:dir search;
+allow amanda_t self:file { getattr read };
 
 
 ###################################
@@ -170,7 +145,8 @@ can_ypbind(amanda_t);
 can_exec(amanda_t, sbin_t);
 	
 allow amanda_t self:fifo_file { getattr read write ioctl lock };
-allow amanda_t self:unix_stream_socket { connect create read write };
+allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+allow amanda_t self:unix_dgram_socket create_socket_perms;
 
 
 ##########################
@@ -192,18 +168,8 @@ allow inetd_t amanda_usr_lib_t:dir search;
 ########################
 
 # access to user_home_t
-allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read };
 allow amanda_t user_home_type:file { getattr read };
 
-# access to file_t ( /floppy, /cdrom )
-allow amanda_t mnt_t:dir getattr;
-
-###########
-# Dontaudit
-###########
-dontaudit amanda_t lost_found_t:dir { getattr read };
-	
-	
 ##############################################################################
 # AMANDA RECOVER DECLARATIONS
 ##############################################################################
@@ -214,7 +180,8 @@ dontaudit amanda_t lost_found_t:dir { getattr read };
 
 # type for amrecover
 type amanda_recover_t, domain;
-role sysadm_r types { amanda_recover_t amanda_recover_dir_t };
+role sysadm_r types amanda_recover_t;
+role system_r types amanda_recover_t;
 
 # exec types for amrecover 
 type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
@@ -236,22 +203,22 @@ file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
 uses_shlib(amanda_recover_t)
 allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
 allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
-allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
+can_exec(amanda_recover_t, shell_exec_t)
 allow amanda_recover_t privfd:fd use;
 
 
 # amrecover network and process communication
 #############################################
 
-can_network_server(amanda_recover_t);
+can_network(amanda_recover_t);
+allow amanda_recover_t amanda_port_t:tcp_socket name_connect;
 can_ypbind(amanda_recover_t);
+read_locale(amanda_recover_t);
 
 allow amanda_recover_t self:fifo_file { getattr ioctl read write };
 allow amanda_recover_t self:unix_stream_socket { connect create read write };
-
-allow amanda_t self:dir search;
-allow amanda_t self:file { getattr read };
-
+allow amanda_recover_t var_log_t:dir search;
+rw_dir_create_file(amanda_recover_t, amanda_log_t)
 
 # amrecover file permissions
 ############################
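Review bot: Replacing `can_network_server(amanda_recover_t)` with `can_network(amanda_recover_t)` grants both client and server network access, while the accompanying `amanda_port_t:tcp_socket name_connect` only describes the client side (amrecover connecting to the index server). If the old server-side permissions are no longer needed, `can_network_client(amanda_recover_t);` is the tighter replacement; if they are, a comment explaining what amrecover listens for would help. The new `rw_dir_create_file(amanda_recover_t, amanda_log_t)` plus `var_log_t:dir search` also deserves a comment, since amrecover is an interactive sysadm tool being given write access to the daemon's log type.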
@@ -301,22 +268,17 @@ allow amanda_recover_t tmp_t:dir search;
 #
 allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
 
-allow amanda_t file_type:dir {getattr read search };
+#amanda needs to look at fs_type directories to decide whether it should backup
+allow amanda_t { fs_type file_type }:dir {getattr read search };
 allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
 allow amanda_t device_type:{ blk_file chr_file } getattr;
 allow amanda_t fixed_disk_device_t:blk_file read;
 domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
 
-dontaudit amanda_t file_type:sock_file getattr;
+allow amanda_t file_type:sock_file getattr;
 logdir_domain(amanda)
 
-dontaudit amanda_t autofs_t:dir { getattr read search };
-dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
-dontaudit amanda_t nfs_t:dir { getattr read };
-dontaudit amanda_t proc_t:dir read;
 dontaudit amanda_t proc_t:lnk_file read;
-dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
-dontaudit amanda_t security_t:dir { getattr read };
-dontaudit amanda_t sysfs_t:dir { getattr read };
 dontaudit amanda_t unlabeled_t:file getattr;
-dontaudit amanda_t usbfs_t:dir getattr;
+#amanda wants to check attributes on fifo_files
+allow amanda_t file_type:fifo_file getattr;
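Review bot: `allow amanda_t { fs_type file_type }:dir {getattr read search };` replaces the dontaudit rules removed in this hunk (autofs_t, binfmt_misc_fs_t, nfs_t, proc_t, rpc_pipefs_t, security_t, sysfs_t, usbfs_t) with a real allow, so amanda_t can now enumerate selinuxfs, sysfs and proc directories rather than merely having the denials silenced — presumably all of those types carry fs_type. The `#amanda needs to look at fs_type directories...` comment gives the motivation but not why read on pseudo-filesystems such as security_t is acceptable; if only the attributes are needed to decide whether a mount is backed up, consider keeping `read` out of the fs_type half, e.g. `allow amanda_t fs_type:dir { getattr search };`. The flip from `dontaudit amanda_t file_type:sock_file getattr;` to `allow` is likewise uncommented.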
diff --git a/strict/domains/program/unused/bonobo.te b/strict/domains/program/bonobo.te
similarity index 100%
rename from strict/domains/program/unused/bonobo.te
rename to strict/domains/program/bonobo.te
diff --git a/strict/domains/program/unused/cvs.te b/strict/domains/program/cvs.te
similarity index 100%
rename from strict/domains/program/unused/cvs.te
rename to strict/domains/program/cvs.te
diff --git a/strict/domains/program/unused/ddcprobe.te b/strict/domains/program/ddcprobe.te
similarity index 100%
rename from strict/domains/program/unused/ddcprobe.te
rename to strict/domains/program/ddcprobe.te
diff --git a/strict/domains/program/unused/ethereal.te b/strict/domains/program/ethereal.te
similarity index 100%
rename from strict/domains/program/unused/ethereal.te
rename to strict/domains/program/ethereal.te
diff --git a/strict/domains/program/unused/evolution.te b/strict/domains/program/evolution.te
similarity index 100%
rename from strict/domains/program/unused/evolution.te
rename to strict/domains/program/evolution.te
diff --git a/strict/domains/program/unused/fontconfig.te b/strict/domains/program/fontconfig.te
similarity index 100%
rename from strict/domains/program/unused/fontconfig.te
rename to strict/domains/program/fontconfig.te
diff --git a/strict/domains/program/unused/gconf.te b/strict/domains/program/gconf.te
similarity index 100%
rename from strict/domains/program/unused/gconf.te
rename to strict/domains/program/gconf.te
diff --git a/strict/domains/program/unused/gnome.te b/strict/domains/program/gnome.te
similarity index 100%
rename from strict/domains/program/unused/gnome.te
rename to strict/domains/program/gnome.te
diff --git a/strict/domains/program/unused/gnome_vfs.te b/strict/domains/program/gnome_vfs.te
similarity index 100%
rename from strict/domains/program/unused/gnome_vfs.te
rename to strict/domains/program/gnome_vfs.te
diff --git a/strict/domains/program/unused/iceauth.te b/strict/domains/program/iceauth.te
similarity index 100%
rename from strict/domains/program/unused/iceauth.te
rename to strict/domains/program/iceauth.te
diff --git a/strict/domains/program/openct.te b/strict/domains/program/openct.te
new file mode 100644
index 0000000..244fc2f
--- /dev/null
+++ b/strict/domains/program/openct.te
@@ -0,0 +1,16 @@
+#DESC openct - read files in page cache 
+#
+# Author: Dan Walsh (dwalsh at redhat.com)
+#
+
+#################################
+#
+# Declarations for openct
+#
+
+daemon_domain(openct)
+#
+# openct asks for these
+#
+rw_dir_file(openct_t, usbfs_t)
+allow openct_t etc_t:file r_file_perms;
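Review bot: The header `#DESC openct - read files in page cache ` describes readahead, not openct, which is the smart-card terminal middleware daemon the rest of the file (usbfs access via `rw_dir_file(openct_t, usbfs_t)`) is written for; it also carries trailing whitespace. Suggest `#DESC openct - smart card terminal (OpenCT) middleware daemon`. The `rw_dir_file(openct_t, usbfs_t)` grant is broad for a reader daemon (read/write on every usbfs node, not just the reader's); a comment naming which device nodes it must write to would make that auditable.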
diff --git a/strict/domains/program/unused/orbit.te b/strict/domains/program/orbit.te
similarity index 100%
rename from strict/domains/program/unused/orbit.te
rename to strict/domains/program/orbit.te
diff --git a/strict/domains/program/unused/thunderbird.te b/strict/domains/program/thunderbird.te
similarity index 100%
rename from strict/domains/program/unused/thunderbird.te
rename to strict/domains/program/thunderbird.te
diff --git a/strict/domains/program/unused/backup.te b/strict/domains/program/unused/backup.te
index 89c5171..628527d 100644
--- a/strict/domains/program/unused/backup.te
+++ b/strict/domains/program/unused/backup.te
@@ -16,7 +16,9 @@ type backup_store_t, file_type, sysadmfile;
 role system_r types backup_t;
 role sysadm_r types backup_t;
 
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
+')
 allow backup_t privfd:fd use;
 ifdef(`crond.te', `
 system_crond_entry(backup_exec_t, backup_t)
diff --git a/strict/file_contexts/program/openct.fc b/strict/file_contexts/program/openct.fc
new file mode 100644
index 0000000..43d656e
--- /dev/null
+++ b/strict/file_contexts/program/openct.fc
@@ -0,0 +1,2 @@
+/usr/sbin/openct-control	-- 	system_u:object_r:openct_exec_t
+/var/run/openct(/.*)?			system_u:object_r:openct_var_run_t
diff --git a/strict/file_contexts/program/pegasus.fc b/strict/file_contexts/program/pegasus.fc
new file mode 100644
index 0000000..d81b968
--- /dev/null
+++ b/strict/file_contexts/program/pegasus.fc
@@ -0,0 +1,11 @@
+# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
+/usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t
+/usr/sbin/cimconfig		-- 	system_u:object_r:pegasus_conf_exec_t
+/usr/sbin/cimuser		-- 	system_u:object_r:pegasus_conf_exec_t
+/usr/sbin/cimauth		-- 	system_u:object_r:pegasus_conf_exec_t
+/usr/sbin/init_repository	-- 	system_u:object_r:pegasus_exec_t
+/usr/lib(64)?/Pegasus/providers/.*\.so.*	system_u:object_r:shlib_t
+/etc/Pegasus(/.*)?			system_u:object_r:pegasus_conf_t
+/var/lib/Pegasus(/.*)?	                system_u:object_r:pegasus_data_t
+/var/run/tog-pegasus(/.*)?              system_u:object_r:pegasus_var_run_t
+/usr/share/Pegasus/mof(/.*)?/.*\.mof    system_u:object_r:pegasus_mof_t
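Review bot: These file contexts reference `pegasus_exec_t`, `pegasus_conf_exec_t`, `pegasus_conf_t`, `pegasus_data_t`, `pegasus_var_run_t` and `pegasus_mof_t`, but no pegasus.te is in this commit's diffstat; unless the type declarations already exist in the tree, the file_contexts build will fail on unknown types. The same applies to readahead.fc (`readahead_exec_t`), roundup.fc (`roundup_exec_t`, `roundup_var_lib_t`) and yppasswdd.fc (`yppasswdd_exec_t`). A short comment at the top of each naming the .te that declares the types, e.g. `# types declared in domains/program/pegasus.te`, would make the pairing explicit, and the mixed tab/space alignment in this file could be normalised at the same time.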
diff --git a/strict/file_contexts/program/readahead.fc b/strict/file_contexts/program/readahead.fc
new file mode 100644
index 0000000..0755fef
--- /dev/null
+++ b/strict/file_contexts/program/readahead.fc
@@ -0,0 +1 @@
+/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
diff --git a/strict/file_contexts/program/roundup.fc b/strict/file_contexts/program/roundup.fc
new file mode 100644
index 0000000..99b2700
--- /dev/null
+++ b/strict/file_contexts/program/roundup.fc
@@ -0,0 +1,2 @@
+/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
+/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t
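Review bot: `/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t` uses the `--` file-type field, which restricts the match to regular files, so `/var/lib/roundup` itself and any subdirectories will not receive roundup_var_lib_t and a relabel leaves them as var_lib_t. Drop the field, as `/var/run/openct(/.*)?` in this same commit does: `/var/lib/roundup(/.*)?                  system_u:object_r:roundup_var_lib_t`.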
diff --git a/strict/file_contexts/program/yppasswdd.fc b/strict/file_contexts/program/yppasswdd.fc
new file mode 100644
index 0000000..e390bd8
--- /dev/null
+++ b/strict/file_contexts/program/yppasswdd.fc
@@ -0,0 +1,2 @@
+# yppasswd
+/usr/sbin/rpc.yppasswdd		--	system_u:object_r:yppasswdd_exec_t

