diff options
Diffstat (limited to 'policy/modules/contrib')
1122 files changed, 2534 insertions, 107475 deletions
diff --git a/policy/modules/contrib/abrt.fc b/policy/modules/contrib/abrt.fc deleted file mode 100644 index e4f84dee..00000000 --- a/policy/modules/contrib/abrt.fc +++ /dev/null @@ -1,30 +0,0 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) - -/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) -/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0) -/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) - -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) -/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) - -/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) -/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) - -/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) -/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) - -/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) - -/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) - -/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if deleted file mode 100644 index 058d908e..00000000 --- a/policy/modules/contrib/abrt.if +++ /dev/null @@ -1,326 +0,0 @@ -## <summary>Automated bug-reporting tool.</summary> - -###################################### -## <summary> -## Execute abrt in the abrt domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`abrt_domtrans',` - gen_require(` - type abrt_t, abrt_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, abrt_exec_t, abrt_t) -') - -###################################### -## <summary> -## Execute abrt in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_exec',` - gen_require(` - type abrt_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, abrt_exec_t) -') - -######################################## -## <summary> -## Send null signals to abrt. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_signull',` - gen_require(` - type abrt_t; - ') - - allow $1 abrt_t:process signull; -') - -######################################## -## <summary> -## Read process state of abrt. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_read_state',` - gen_require(` - type abrt_t; - ') - - ps_process_pattern($1, abrt_t) -') - -######################################## -## <summary> -## Connect to abrt over an unix stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_stream_connect',` - gen_require(` - type abrt_t, abrt_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t) -') - -######################################## -## <summary> -## Send and receive messages from -## abrt over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_dbus_chat',` - gen_require(` - type abrt_t; - class dbus send_msg; - ') - - allow $1 abrt_t:dbus send_msg; - allow abrt_t $1:dbus send_msg; -') - -##################################### -## <summary> -## Execute abrt-helper in the abrt -## helper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`abrt_domtrans_helper',` - gen_require(` - type abrt_helper_t, abrt_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) -') - -######################################## -## <summary> -## Execute abrt helper in the abrt -## helper domain, and allow the -## specified role the abrt helper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`abrt_run_helper',` - gen_require(` - attribute_role abrt_helper_roles; - ') - - abrt_domtrans_helper($1) - roleattribute $2 abrt_helper_roles; -') - -######################################## -## <summary> -## Create, read, write, and delete -## abrt cache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_cache_manage',` - refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.') - abrt_manage_cache($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## abrt cache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_manage_cache',` - gen_require(` - type abrt_var_cache_t; - ') - - files_search_var($1) - manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) - manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) - manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) -') - -#################################### -## <summary> -## Read abrt configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_read_config',` - gen_require(` - type abrt_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, abrt_etc_t, abrt_etc_t) -') - -###################################### -## <summary> -## Read abrt log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_read_log',` - gen_require(` - type abrt_var_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) -') - -###################################### -## <summary> -## Read abrt PID files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_read_pid_files',` - gen_require(` - type abrt_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, abrt_var_run_t, abrt_var_run_t) -') - -###################################### -## <summary> -## Create, read, write, and delete -## abrt PID files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`abrt_manage_pid_files',` - gen_require(` - type abrt_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) -') - -##################################### -## <summary> -## All of the rules required to -## administrate an abrt environment, -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`abrt_admin',` - gen_require(` - attribute abrt_domain; - type abrt_t, abrt_etc_t, abrt_initrc_exec_t; - type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t; - type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t; - ') - - allow $1 abrt_domain:process { ptrace signal_perms }; - ps_process_pattern($1, abrt_domain) - - init_labeled_script_domtrans($1, abrt_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 abrt_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, abrt_etc_t) - - logging_search_logs($1) - admin_pattern($1, abrt_var_log_t) - - files_search_var($1) - admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t }) - - files_search_pids($1) - admin_pattern($1, abrt_var_run_t) - - files_search_tmp($1) - admin_pattern($1, abrt_tmp_t) -') diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te deleted file mode 100644 index cc43d25d..00000000 --- a/policy/modules/contrib/abrt.te +++ /dev/null @@ -1,415 +0,0 @@ -policy_module(abrt, 1.3.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether ABRT can modify -## public files used for public file -## transfer services. -## </p> -## </desc> -gen_tunable(abrt_anon_write, false) - -## <desc> -## <p> -## Determine whether ABRT can run in -## the abrt_handle_event_t domain to -## handle ABRT event scripts. -## </p> -## </desc> -gen_tunable(abrt_handle_event, false) - -attribute abrt_domain; - -attribute_role abrt_helper_roles; -roleattribute system_r abrt_helper_roles; - -type abrt_t, abrt_domain; -type abrt_exec_t; -init_daemon_domain(abrt_t, abrt_exec_t) - -type abrt_initrc_exec_t; -init_script_file(abrt_initrc_exec_t) - -type abrt_etc_t; -files_config_file(abrt_etc_t) - -type abrt_var_log_t; -logging_log_file(abrt_var_log_t) - -type abrt_tmp_t; -files_tmp_file(abrt_tmp_t) - -type abrt_var_cache_t; -files_type(abrt_var_cache_t) - -type abrt_var_run_t; -files_pid_file(abrt_var_run_t) - -type abrt_dump_oops_t, abrt_domain; -type abrt_dump_oops_exec_t; -init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) - -type abrt_handle_event_t, abrt_domain; -type abrt_handle_event_exec_t; -domain_type(abrt_handle_event_t) -domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t) -role system_r types abrt_handle_event_t; - -type abrt_helper_t, abrt_domain; -type abrt_helper_exec_t; -application_domain(abrt_helper_t, abrt_helper_exec_t) -role abrt_helper_roles types abrt_helper_t; - -type abrt_retrace_coredump_t, abrt_domain; -type abrt_retrace_coredump_exec_t; -domain_type(abrt_retrace_coredump_t) -domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) -role system_r types abrt_retrace_coredump_t; - -type abrt_retrace_worker_t, abrt_domain; -type abrt_retrace_worker_exec_t; -domain_type(abrt_retrace_worker_t) -domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) -role system_r types abrt_retrace_worker_t; - -type abrt_retrace_cache_t; -files_type(abrt_retrace_cache_t) - -type abrt_retrace_spool_t; -files_type(abrt_retrace_spool_t) - -type abrt_watch_log_t, abrt_domain; -type abrt_watch_log_exec_t; -init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# Local policy -# - -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; -allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; -allow abrt_t self:fifo_file rw_fifo_file_perms; -allow abrt_t self:tcp_socket { accept listen }; - -allow abrt_t abrt_etc_t:dir list_dir_perms; -rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) - -manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) -logging_log_filetrans(abrt_t, abrt_var_log_t, file) - -manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) -manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) -manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) -files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) - -manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) -files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) - -manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) - -can_exec(abrt_t, abrt_tmp_t) - -kernel_read_ring_buffer(abrt_t) -kernel_read_system_state(abrt_t) -kernel_request_load_module(abrt_t) -kernel_rw_kernel_sysctl(abrt_t) - -corecmd_exec_bin(abrt_t) -corecmd_exec_shell(abrt_t) -corecmd_read_all_executables(abrt_t) - -corenet_all_recvfrom_netlabel(abrt_t) -corenet_all_recvfrom_unlabeled(abrt_t) -corenet_tcp_sendrecv_generic_if(abrt_t) -corenet_tcp_sendrecv_generic_node(abrt_t) -corenet_tcp_sendrecv_all_ports(abrt_t) -corenet_tcp_bind_generic_node(abrt_t) - -corenet_sendrecv_all_client_packets(abrt_t) -corenet_tcp_connect_http_port(abrt_t) -corenet_tcp_connect_ftp_port(abrt_t) -corenet_tcp_connect_all_ports(abrt_t) - -dev_getattr_all_chr_files(abrt_t) -dev_getattr_all_blk_files(abrt_t) -dev_read_rand(abrt_t) -dev_read_urand(abrt_t) -dev_rw_sysfs(abrt_t) -dev_dontaudit_read_raw_memory(abrt_t) - -domain_getattr_all_domains(abrt_t) -domain_read_all_domains_state(abrt_t) -domain_signull_all_domains(abrt_t) - -files_getattr_all_files(abrt_t) -files_read_config_files(abrt_t) -files_read_etc_runtime_files(abrt_t) -files_read_var_symlinks(abrt_t) -files_read_usr_files(abrt_t) -files_read_kernel_modules(abrt_t) -files_dontaudit_read_default_files(abrt_t) -files_dontaudit_read_all_symlinks(abrt_t) -files_dontaudit_getattr_all_sockets(abrt_t) -files_list_mnt(abrt_t) - -fs_getattr_all_fs(abrt_t) -fs_getattr_all_dirs(abrt_t) -fs_list_inotifyfs(abrt_t) -fs_read_fusefs_files(abrt_t) -fs_read_noxattr_fs_files(abrt_t) -fs_read_nfs_files(abrt_t) -fs_read_nfs_symlinks(abrt_t) -fs_search_all(abrt_t) - -auth_use_nsswitch(abrt_t) - -logging_read_generic_logs(abrt_t) - -miscfiles_read_public_files(abrt_t) - -userdom_dontaudit_read_user_home_content_files(abrt_t) - -tunable_policy(`abrt_anon_write',` - miscfiles_manage_public_files(abrt_t) -') - -optional_policy(` - apache_list_modules(abrt_t) - apache_read_module_files(abrt_t) -') - -optional_policy(` - dbus_system_domain(abrt_t, abrt_exec_t) - - optional_policy(` - policykit_dbus_chat(abrt_t) - ') -') - -optional_policy(` - dmesg_domtrans(abrt_t) -') - -optional_policy(` - policykit_domtrans_auth(abrt_t) - policykit_read_lib(abrt_t) - policykit_read_reload(abrt_t) -') - -optional_policy(` - prelink_exec(abrt_t) - libs_exec_ld_so(abrt_t) - corecmd_exec_all_executables(abrt_t) -') - -optional_policy(` - rpm_exec(abrt_t) - rpm_dontaudit_manage_db(abrt_t) - rpm_manage_cache(abrt_t) - rpm_manage_log(abrt_t) - rpm_manage_pid_files(abrt_t) - rpm_read_db(abrt_t) - rpm_signull(abrt_t) -') - -optional_policy(` - sendmail_domtrans(abrt_t) -') - -optional_policy(` - sosreport_domtrans(abrt_t) - sosreport_read_tmp_files(abrt_t) - sosreport_delete_tmp_files(abrt_t) -') - -####################################### -# -# Handle-event local policy -# - -allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; - -tunable_policy(`abrt_handle_event',` - domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t) -',` - can_exec(abrt_t, abrt_handle_event_exec_t) -') - -######################################## -# -# Helper local policy -# - -allow abrt_helper_t self:capability { chown setgid sys_nice }; -allow abrt_helper_t self:process signal; - -read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) - -files_search_spool(abrt_helper_t) -manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) -manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) -manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) -files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) - -read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) - -corecmd_read_all_executables(abrt_helper_t) - -domain_read_all_domains_state(abrt_helper_t) - -fs_list_inotifyfs(abrt_helper_t) -fs_getattr_all_fs(abrt_helper_t) - -auth_use_nsswitch(abrt_helper_t) - -term_dontaudit_use_all_ttys(abrt_helper_t) -term_dontaudit_use_all_ptys(abrt_helper_t) - -ifdef(`hide_broken_symptoms',` - userdom_dontaudit_read_user_home_content_files(abrt_helper_t) - userdom_dontaudit_read_user_tmp_files(abrt_helper_t) - dev_dontaudit_read_all_blk_files(abrt_helper_t) - dev_dontaudit_read_all_chr_files(abrt_helper_t) - dev_dontaudit_write_all_chr_files(abrt_helper_t) - dev_dontaudit_write_all_blk_files(abrt_helper_t) - fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) -') - -####################################### -# -# Retrace coredump policy -# - -allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; - -list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t) -read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t) -read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t) - -list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) -read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) -read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) - -corecmd_exec_bin(abrt_retrace_coredump_t) -corecmd_exec_shell(abrt_retrace_coredump_t) - -dev_read_urand(abrt_retrace_coredump_t) - -files_read_usr_files(abrt_retrace_coredump_t) - -sysnet_dns_name_resolve(abrt_retrace_coredump_t) - -optional_policy(` - rpm_exec(abrt_retrace_coredump_t) - rpm_dontaudit_manage_db(abrt_retrace_coredump_t) - rpm_manage_cache(abrt_retrace_coredump_t) - rpm_manage_log(abrt_retrace_coredump_t) - rpm_manage_pid_files(abrt_retrace_coredump_t) - rpm_read_db(abrt_retrace_coredump_t) - rpm_signull(abrt_retrace_coredump_t) -') - -####################################### -# -# Retrace worker policy -# - -allow abrt_retrace_worker_t self:capability setuid; -allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; - -domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl; - -manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t) -manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t) -manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t) - -allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms; - -can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) - -corecmd_exec_bin(abrt_retrace_worker_t) -corecmd_exec_shell(abrt_retrace_worker_t) - -dev_read_urand(abrt_retrace_worker_t) - -files_read_usr_files(abrt_retrace_worker_t) - -sysnet_dns_name_resolve(abrt_retrace_worker_t) - -######################################## -# -# Dump oops local policy -# - -allow abrt_dump_oops_t self:capability dac_override; -allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; -allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; - -files_search_spool(abrt_dump_oops_t) -manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) -manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) -manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) -files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) - -read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) -read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) - -read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t) - -kernel_read_kernel_sysctls(abrt_dump_oops_t) -kernel_read_ring_buffer(abrt_dump_oops_t) - -domain_use_interactive_fds(abrt_dump_oops_t) - -fs_list_inotifyfs(abrt_dump_oops_t) - -logging_read_generic_logs(abrt_dump_oops_t) - -####################################### -# -# Watch log local policy -# - -allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; -allow abrt_watch_log_t self:unix_stream_socket { accept listen }; - -read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) - -domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) - -corecmd_exec_bin(abrt_watch_log_t) - -logging_read_all_logs(abrt_watch_log_t) - -####################################### -# -# Global local policy -# - -kernel_read_system_state(abrt_domain) - -files_read_etc_files(abrt_domain) - -logging_send_syslog_msg(abrt_domain) - -miscfiles_read_localization(abrt_domain) diff --git a/policy/modules/contrib/accountsd.fc b/policy/modules/contrib/accountsd.fc deleted file mode 100644 index f9d8d7a9..00000000 --- a/policy/modules/contrib/accountsd.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - -/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - -/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) diff --git a/policy/modules/contrib/accountsd.if b/policy/modules/contrib/accountsd.if deleted file mode 100644 index bd5ec9ab..00000000 --- a/policy/modules/contrib/accountsd.if +++ /dev/null @@ -1,148 +0,0 @@ -## <summary>AccountsService and daemon for manipulating user account information via D-Bus.</summary> - -######################################## -## <summary> -## Execute a domain transition to -## run accountsd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`accountsd_domtrans',` - gen_require(` - type accountsd_t, accountsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, accountsd_exec_t, accountsd_t) -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write Accounts Daemon fifo files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`accountsd_dontaudit_rw_fifo_file',` - gen_require(` - type accountsd_t; - ') - - dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Send and receive messages from -## accountsd over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`accountsd_dbus_chat',` - gen_require(` - type accountsd_t; - class dbus send_msg; - ') - - allow $1 accountsd_t:dbus send_msg; - allow accountsd_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Search accountsd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`accountsd_search_lib',` - gen_require(` - type accountsd_var_lib_t; - ') - - allow $1 accountsd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## <summary> -## Read accountsd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`accountsd_read_lib_files',` - gen_require(` - type accountsd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 accountsd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## accountsd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`accountsd_manage_lib_files',` - gen_require(` - type accountsd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an accountsd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`accountsd_admin',` - gen_require(` - type accountsd_t; - ') - - allow $1 accountsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, accountsd_t) - - accountsd_manage_lib_files($1) -') diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te deleted file mode 100644 index 313b33f4..00000000 --- a/policy/modules/contrib/accountsd.te +++ /dev/null @@ -1,73 +0,0 @@ -policy_module(accountsd, 1.0.6) - -gen_require(` - class passwd all_passwd_perms; -') - -######################################## -# -# Declarations -# - -type accountsd_t; -type accountsd_exec_t; -dbus_system_domain(accountsd_t, accountsd_exec_t) - -type accountsd_var_lib_t; -files_type(accountsd_var_lib_t) - -######################################## -# -# Local policy -# - -allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace }; -allow accountsd_t self:process signal; -allow accountsd_t self:fifo_file rw_fifo_file_perms; -allow accountsd_t self:passwd { rootok passwd chfn chsh }; - -manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) -manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) -files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir) - -kernel_read_kernel_sysctls(accountsd_t) -kernel_read_system_state(accountsd_t) - -corecmd_exec_bin(accountsd_t) - -dev_read_sysfs(accountsd_t) - -files_read_mnt_files(accountsd_t) -files_read_usr_files(accountsd_t) - -fs_getattr_xattr_fs(accountsd_t) -fs_list_inotifyfs(accountsd_t) -fs_read_noxattr_fs_files(accountsd_t) - -auth_use_nsswitch(accountsd_t) -auth_read_login_records(accountsd_t) -auth_read_shadow(accountsd_t) - -miscfiles_read_localization(accountsd_t) - -logging_send_syslog_msg(accountsd_t) -logging_set_loginuid(accountsd_t) - -userdom_read_user_tmp_files(accountsd_t) -userdom_read_user_home_content_files(accountsd_t) - -usermanage_domtrans_useradd(accountsd_t) -usermanage_domtrans_passwd(accountsd_t) - -optional_policy(` - consolekit_dbus_chat(accountsd_t) - consolekit_read_log(accountsd_t) -') - -optional_policy(` - policykit_dbus_chat(accountsd_t) -') - -optional_policy(` - xserver_read_xdm_tmp_files(accountsd_t) -') diff --git a/policy/modules/contrib/acct.fc b/policy/modules/contrib/acct.fc deleted file mode 100644 index c6d17a2f..00000000 --- a/policy/modules/contrib/acct.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0) - -/etc/rc\.d/init\.d/psacct -- gen_context(system_u:object_r:acct_initrc_exec_t,s0) - -/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0) - -/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0) - -/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0) - -/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0) diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if deleted file mode 100644 index 81280d00..00000000 --- a/policy/modules/contrib/acct.if +++ /dev/null @@ -1,116 +0,0 @@ -## <summary>Berkeley process accounting.</summary> - -######################################## -## <summary> -## Transition to the accounting -## management domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`acct_domtrans',` - gen_require(` - type acct_t, acct_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, acct_exec_t, acct_t) -') - -######################################## -## <summary> -## Execute accounting management tools -## in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`acct_exec',` - gen_require(` - type acct_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, acct_exec_t) -') - -######################################## -## <summary> -## Execute accounting management data -## in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`acct_exec_data',` - gen_require(` - type acct_data_t; - ') - - files_search_var($1) - can_exec($1, acct_data_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## process accounting data. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`acct_manage_data',` - gen_require(` - type acct_data_t; - ') - - files_search_var($1) - manage_files_pattern($1, acct_data_t, acct_data_t) - manage_lnk_files_pattern($1, acct_data_t, acct_data_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an acct environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`acct_admin',` - gen_require(` - type acct_t, acct_initrc_exec_t, acct_data_t; - ') - - allow $1 acct_t:process { ptrace signal_perms }; - ps_process_pattern($1, acct_t) - - init_labeled_script_domtrans($1, acct_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 acct_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, acct_data_t) -') diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te deleted file mode 100644 index 1a1c91af..00000000 --- a/policy/modules/contrib/acct.te +++ /dev/null @@ -1,83 +0,0 @@ -policy_module(acct, 1.5.1) - -######################################## -# -# Declarations -# - -type acct_t; -type acct_exec_t; -init_system_domain(acct_t, acct_exec_t) - -type acct_initrc_exec_t; -init_script_file(acct_initrc_exec_t) - -type acct_data_t; -logging_log_file(acct_data_t) - -######################################## -# -# Local Policy -# - -allow acct_t self:capability { chown fsetid kill sys_pacct }; -dontaudit acct_t self:capability sys_tty_config; -allow acct_t self:process signal_perms; -allow acct_t self:fifo_file rw_fifo_file_perms; - -manage_files_pattern(acct_t, acct_data_t, acct_data_t) -manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t) - -can_exec(acct_t, acct_exec_t) - -kernel_list_proc(acct_t) -kernel_read_system_state(acct_t) -kernel_read_kernel_sysctls(acct_t) - -corecmd_exec_bin(acct_t) -corecmd_exec_shell(acct_t) - -dev_read_sysfs(acct_t) -dev_read_urand(acct_t) - -domain_use_interactive_fds(acct_t) - -fs_search_auto_mountpoints(acct_t) -fs_getattr_xattr_fs(acct_t) - -term_dontaudit_use_console(acct_t) -term_dontaudit_use_generic_ptys(acct_t) - -files_read_etc_runtime_files(acct_t) -files_list_usr(acct_t) - -auth_use_nsswitch(acct_t) - -init_use_fds(acct_t) -init_use_script_ptys(acct_t) -init_exec_script_files(acct_t) - -logging_send_syslog_msg(acct_t) - -miscfiles_read_localization(acct_t) - -userdom_dontaudit_search_user_home_dirs(acct_t) -userdom_dontaudit_use_unpriv_user_fds(acct_t) - -optional_policy(` - optional_policy(` - # for monthly cron job - auth_log_filetrans_login_records(acct_t) - auth_manage_login_records(acct_t) - ') - - cron_system_entry(acct_t, acct_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(acct_t) -') - -optional_policy(` - udev_read_db(acct_t) -') diff --git a/policy/modules/contrib/ada.fc b/policy/modules/contrib/ada.fc deleted file mode 100644 index f1502de8..00000000 --- a/policy/modules/contrib/ada.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0) -/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0) -/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0) - -/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0) diff --git a/policy/modules/contrib/ada.if b/policy/modules/contrib/ada.if deleted file mode 100644 index e514e8a9..00000000 --- a/policy/modules/contrib/ada.if +++ /dev/null @@ -1,45 +0,0 @@ -## <summary>GNAT Ada95 compiler.</summary> - -######################################## -## <summary> -## Execute the ada program in the ada domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ada_domtrans',` - gen_require(` - type ada_t, ada_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ada_exec_t, ada_t) -') - -######################################## -## <summary> -## Execute ada in the ada domain, and -## allow the specified role the ada domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`ada_run',` - gen_require(` - attribute_role ada_roles; - ') - - ada_domtrans($1) - roleattribute $2 ada_roles; -') diff --git a/policy/modules/contrib/ada.te b/policy/modules/contrib/ada.te deleted file mode 100644 index 8b5ad06b..00000000 --- a/policy/modules/contrib/ada.te +++ /dev/null @@ -1,27 +0,0 @@ -policy_module(ada, 1.4.1) - -######################################## -# -# Declarations -# - -attribute_role ada_roles; -roleattribute system_r ada_roles; - -type ada_t; -type ada_exec_t; -application_domain(ada_t, ada_exec_t) -role ada_roles types ada_t; - -######################################## -# -# Local policy -# - -allow ada_t self:process { execstack execmem }; - -userdom_use_user_terminals(ada_t) - -optional_policy(` - unconfined_domain(ada_t) -') diff --git a/policy/modules/contrib/afs.fc b/policy/modules/contrib/afs.fc deleted file mode 100644 index 8926c169..00000000 --- a/policy/modules/contrib/afs.fc +++ /dev/null @@ -1,42 +0,0 @@ -/etc/(open)?afs(/.*)? gen_context(system_u:object_r:afs_config_t,s0) - -/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) -/etc/rc\.d/init\.d/(open)?afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) - -/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) -/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) -/usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0) -/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0) - -/usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0) -/usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0) -/usr/afs/db/ka.* -- gen_context(system_u:object_r:afs_ka_db_t,s0) -/usr/afs/db/vl.* -- gen_context(system_u:object_r:afs_vl_db_t,s0) - -/usr/afs/etc(/.*)? gen_context(system_u:object_r:afs_config_t,s0) - -/usr/afs/local(/.*)? gen_context(system_u:object_r:afs_config_t,s0) - -/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) - -/usr/libexec/openafs/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/libexec/openafs/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) -/usr/libexec/openafs/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0) -/usr/libexec/openafs/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/libexec/openafs/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/libexec/openafs/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0) - -/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) -/usr/sbin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) - -/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) -/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) - -/var/cache/(open)?afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) - -/vicepa gen_context(system_u:object_r:afs_files_t,s0) -/vicepb gen_context(system_u:object_r:afs_files_t,s0) -/vicepc gen_context(system_u:object_r:afs_files_t,s0) diff --git a/policy/modules/contrib/afs.if b/policy/modules/contrib/afs.if deleted file mode 100644 index 3b41be69..00000000 --- a/policy/modules/contrib/afs.if +++ /dev/null @@ -1,125 +0,0 @@ -## <summary>Andrew Filesystem server.</summary> - -######################################## -## <summary> -## Execute a domain transition to run the -## afs client. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`afs_domtrans',` - gen_require(` - type afs_t, afs_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, afs_exec_t, afs_t) -') - -######################################## -## <summary> -## Read and write afs client UDP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`afs_rw_udp_sockets',` - gen_require(` - type afs_t; - ') - - allow $1 afs_t:udp_socket { read write }; -') - -######################################## -## <summary> -## Read and write afs cache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`afs_rw_cache',` - gen_require(` - type afs_cache_t; - ') - - files_search_var($1) - allow $1 afs_cache_t:file { read write }; -') - -######################################## -## <summary> -## Execute afs server in the afs domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`afs_initrc_domtrans',` - gen_require(` - type afs_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, afs_initrc_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an afs environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`afs_admin',` - gen_require(` - attribute afs_domain; - type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t; - type afs_ka_db_t, afs_vl_db_t, afs_config_t; - type afs_logfile_t, afs_cache_t, afs_files_t; - ') - - allow $1 afs_domain:process { ptrace signal_perms }; - ps_process_pattern($1, afs_domain) - - afs_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 afs_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, afs_config_t) - - files_search_var($1) - admin_pattern($1, afs_cache_t) - - files_search_var_lib($1) - admin_pattern($1, { afs_dbdir_t afs_pt_db_t afs_ka_db_t }) - admin_pattern($1, afs_vl_db_t) - - logging_search_logs($1) - admin_pattern($1, afs_logfile_t) - - admin_pattern($1, afs_files_t) -') diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te deleted file mode 100644 index 6690cdf2..00000000 --- a/policy/modules/contrib/afs.te +++ /dev/null @@ -1,321 +0,0 @@ -policy_module(afs, 1.8.2) - -######################################## -# -# Declarations -# - -attribute afs_domain; - -type afs_t, afs_domain; -type afs_exec_t; -init_daemon_domain(afs_t, afs_exec_t) - -type afs_bosserver_t, afs_domain; -type afs_bosserver_exec_t; -init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) - -type afs_cache_t; -files_type(afs_cache_t) - -type afs_config_t; -files_type(afs_config_t) - -type afs_dbdir_t; -files_type(afs_dbdir_t) - -# exported files -type afs_files_t; -files_type(afs_files_t) - -type afs_fsserver_t, afs_domain; -type afs_fsserver_exec_t; -domain_type(afs_fsserver_t) -domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t) -role system_r types afs_fsserver_t; - -type afs_initrc_exec_t; -init_script_file(afs_initrc_exec_t) - -type afs_ka_db_t; -files_type(afs_ka_db_t) - -type afs_kaserver_t, afs_domain; -type afs_kaserver_exec_t; -domain_type(afs_kaserver_t) -domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t) -role system_r types afs_kaserver_t; - -type afs_logfile_t; -logging_log_file(afs_logfile_t) - -type afs_pt_db_t; -files_type(afs_pt_db_t) - -type afs_ptserver_t, afs_domain; -type afs_ptserver_exec_t; -domain_type(afs_ptserver_t) -domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t) -role system_r types afs_ptserver_t; - -type afs_vl_db_t; -files_type(afs_vl_db_t) - -type afs_vlserver_t, afs_domain; -type afs_vlserver_exec_t; -domain_type(afs_vlserver_t) -domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t) -role system_r types afs_vlserver_t; - -######################################## -# -# afs client local policy -# - -allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config }; -allow afs_t self:process { setsched signal }; -allow afs_t self:fifo_file rw_file_perms; -allow afs_t self:unix_stream_socket { accept listen }; - -manage_files_pattern(afs_t, afs_cache_t, afs_cache_t) -manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t) -files_var_filetrans(afs_t, afs_cache_t, { file dir }) - -kernel_rw_afs_state(afs_t) - -files_mounton_mnt(afs_t) -files_read_usr_files(afs_t) -files_rw_etc_runtime_files(afs_t) - -fs_getattr_xattr_fs(afs_t) -fs_mount_nfs(afs_t) -fs_read_nfs_symlinks(afs_t) - -logging_send_syslog_msg(afs_t) - -######################################## -# -# AFS bossserver local policy -# - -allow afs_bosserver_t self:process { setsched signal_perms }; -allow afs_bosserver_t self:tcp_socket create_stream_socket_perms; - -can_exec(afs_bosserver_t, afs_bosserver_exec_t) - -manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t) -manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t) - -allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms; - -allow afs_bosserver_t afs_fsserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t) - -allow afs_bosserver_t afs_kaserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t) - -allow afs_bosserver_t afs_logfile_t:file manage_file_perms; -allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms; - -allow afs_bosserver_t afs_ptserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t) - -allow afs_bosserver_t afs_vlserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) - -kernel_read_kernel_sysctls(afs_bosserver_t) - -corenet_all_recvfrom_unlabeled(afs_bosserver_t) -corenet_all_recvfrom_netlabel(afs_bosserver_t) -corenet_udp_sendrecv_generic_if(afs_bosserver_t) -corenet_udp_sendrecv_generic_node(afs_bosserver_t) -corenet_udp_bind_generic_node(afs_bosserver_t) - -corenet_udp_bind_afs_bos_port(afs_bosserver_t) -corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) -corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t) - -files_list_home(afs_bosserver_t) -files_read_usr_files(afs_bosserver_t) - -seutil_read_config(afs_bosserver_t) - -######################################## -# -# fileserver local policy -# - -allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; -dontaudit afs_fsserver_t self:capability fsetid; -allow afs_fsserver_t self:process { setsched signal_perms }; -allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; -allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; - -read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) -allow afs_fsserver_t afs_config_t:dir list_dir_perms; - -manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t) -manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) - -allow afs_fsserver_t afs_files_t:filesystem getattr; -manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file }) - -can_exec(afs_fsserver_t, afs_fsserver_exec_t) - -manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t) - -kernel_read_system_state(afs_fsserver_t) -kernel_read_kernel_sysctls(afs_fsserver_t) - -corenet_all_recvfrom_unlabeled(afs_fsserver_t) -corenet_all_recvfrom_netlabel(afs_fsserver_t) -corenet_tcp_sendrecv_generic_if(afs_fsserver_t) -corenet_udp_sendrecv_generic_if(afs_fsserver_t) -corenet_tcp_sendrecv_generic_node(afs_fsserver_t) -corenet_udp_sendrecv_generic_node(afs_fsserver_t) -corenet_tcp_bind_generic_node(afs_fsserver_t) -corenet_udp_bind_generic_node(afs_fsserver_t) - -corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) -corenet_tcp_bind_afs_fs_port(afs_fsserver_t) -corenet_udp_bind_afs_fs_port(afs_fsserver_t) -corenet_tcp_sendrecv_afs_fs_port(afs_fsserver_t) -corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) - -files_read_etc_runtime_files(afs_fsserver_t) -files_list_home(afs_fsserver_t) -files_read_usr_files(afs_fsserver_t) -files_list_pids(afs_fsserver_t) -files_dontaudit_search_mnt(afs_fsserver_t) - -fs_getattr_xattr_fs(afs_fsserver_t) - -term_dontaudit_use_console(afs_fsserver_t) - -init_dontaudit_use_script_fds(afs_fsserver_t) - -logging_send_syslog_msg(afs_fsserver_t) - -seutil_read_config(afs_fsserver_t) - -userdom_dontaudit_use_user_terminals(afs_fsserver_t) - -######################################## -# -# kaserver local policy -# - -allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms; -allow afs_kaserver_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t) - -manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t) -filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file) - -manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) - -kernel_read_kernel_sysctls(afs_kaserver_t) - -corenet_all_recvfrom_unlabeled(afs_kaserver_t) -corenet_all_recvfrom_netlabel(afs_kaserver_t) -corenet_udp_sendrecv_generic_if(afs_kaserver_t) -corenet_udp_sendrecv_generic_node(afs_kaserver_t) -corenet_udp_bind_generic_node(afs_kaserver_t) - -corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t) -corenet_udp_bind_afs_ka_port(afs_kaserver_t) -corenet_udp_sendrecv_afs_ka_port(afs_kaserver_t) - -corenet_sendrecv_kerberos_server_packets(afs_kaserver_t) -corenet_udp_bind_kerberos_port(afs_kaserver_t) -corenet_udp_sendrecv_kerberos_port(afs_kaserver_t) - -files_list_home(afs_kaserver_t) -files_read_usr_files(afs_kaserver_t) - -seutil_read_config(afs_kaserver_t) - -userdom_dontaudit_use_user_terminals(afs_kaserver_t) - -######################################## -# -# ptserver local policy -# - -allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; -allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; - -read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t) -allow afs_ptserver_t afs_config_t:dir list_dir_perms; - -manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) - -manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) -filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) - -corenet_all_recvfrom_unlabeled(afs_ptserver_t) -corenet_all_recvfrom_netlabel(afs_ptserver_t) -corenet_tcp_sendrecv_generic_if(afs_ptserver_t) -corenet_udp_sendrecv_generic_if(afs_ptserver_t) -corenet_tcp_sendrecv_generic_node(afs_ptserver_t) -corenet_udp_sendrecv_generic_node(afs_ptserver_t) -corenet_tcp_sendrecv_all_ports(afs_ptserver_t) -corenet_udp_sendrecv_all_ports(afs_ptserver_t) -corenet_udp_bind_generic_node(afs_ptserver_t) -corenet_udp_bind_afs_pt_port(afs_ptserver_t) -corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) - -userdom_dontaudit_use_user_terminals(afs_ptserver_t) - -######################################## -# -# vlserver local policy -# - -allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; -allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; - -read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t) -allow afs_vlserver_t afs_config_t:dir list_dir_perms; - -manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) - -manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) -filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) - -corenet_all_recvfrom_unlabeled(afs_vlserver_t) -corenet_all_recvfrom_netlabel(afs_vlserver_t) -corenet_tcp_sendrecv_generic_if(afs_vlserver_t) -corenet_udp_sendrecv_generic_if(afs_vlserver_t) -corenet_tcp_sendrecv_generic_node(afs_vlserver_t) -corenet_udp_sendrecv_generic_node(afs_vlserver_t) -corenet_tcp_sendrecv_all_ports(afs_vlserver_t) -corenet_udp_sendrecv_all_ports(afs_vlserver_t) -corenet_udp_bind_generic_node(afs_vlserver_t) -corenet_udp_bind_afs_vl_port(afs_vlserver_t) -corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t) - -userdom_dontaudit_use_user_terminals(afs_vlserver_t) - -######################################## -# -# Global local policy -# - -allow afs_domain self:udp_socket create_socket_perms; - -files_read_etc_files(afs_domain) - -miscfiles_read_localization(afs_domain) - -sysnet_read_config(afs_domain) diff --git a/policy/modules/contrib/aiccu.fc b/policy/modules/contrib/aiccu.fc deleted file mode 100644 index 822d5e18..00000000 --- a/policy/modules/contrib/aiccu.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0) - -/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) - -/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) - -/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) diff --git a/policy/modules/contrib/aiccu.if b/policy/modules/contrib/aiccu.if deleted file mode 100644 index 3b5dcb94..00000000 --- a/policy/modules/contrib/aiccu.if +++ /dev/null @@ -1,95 +0,0 @@ -## <summary>Automatic IPv6 Connectivity Client Utility.</summary> - -######################################## -## <summary> -## Execute a domain transition to run aiccu. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`aiccu_domtrans',` - gen_require(` - type aiccu_t, aiccu_exec_t; - ') - - domtrans_pattern($1, aiccu_exec_t, aiccu_t) - corecmd_search_bin($1) -') - -######################################## -## <summary> -## Execute aiccu server in the aiccu domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`aiccu_initrc_domtrans',` - gen_require(` - type aiccu_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, aiccu_initrc_exec_t) -') - -######################################## -## <summary> -## Read aiccu PID files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`aiccu_read_pid_files',` - gen_require(` - type aiccu_var_run_t; - ') - - allow $1 aiccu_var_run_t:file read_file_perms; - files_search_pids($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an aiccu environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`aiccu_admin',` - gen_require(` - type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t; - type aiccu_var_run_t; - ') - - allow $1 aiccu_t:process { ptrace signal_perms }; - ps_process_pattern($1, aiccu_t) - - aiccu_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 aiccu_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, aiccu_etc_t) - files_list_etc($1) - - admin_pattern($1, aiccu_var_run_t) - files_list_pids($1) -') diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te deleted file mode 100644 index 72c33c29..00000000 --- a/policy/modules/contrib/aiccu.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(aiccu, 1.0.2) - -######################################## -# -# Declarations -# - -type aiccu_t; -type aiccu_exec_t; -init_daemon_domain(aiccu_t, aiccu_exec_t) - -type aiccu_initrc_exec_t; -init_script_file(aiccu_initrc_exec_t) - -type aiccu_etc_t; -files_config_file(aiccu_etc_t) - -type aiccu_var_run_t; -files_pid_file(aiccu_var_run_t) - -######################################## -# -# Local policy -# - -allow aiccu_t self:capability { kill net_admin net_raw }; -dontaudit aiccu_t self:capability sys_tty_config; -allow aiccu_t self:process signal; -allow aiccu_t self:fifo_file rw_fifo_file_perms; -allow aiccu_t self:netlink_route_socket nlmsg_write; -allow aiccu_t self:tcp_socket { accept listen }; -allow aiccu_t self:tun_socket create_socket_perms; -allow aiccu_t self:udp_socket { accept listen }; -allow aiccu_t self:unix_stream_socket { accept listen }; - -allow aiccu_t aiccu_etc_t:file read_file_perms; - -manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) - -kernel_read_system_state(aiccu_t) - -corecmd_exec_shell(aiccu_t) - -corenet_all_recvfrom_netlabel(aiccu_t) -corenet_all_recvfrom_unlabeled(aiccu_t) -corenet_tcp_bind_generic_node(aiccu_t) -corenet_tcp_sendrecv_generic_if(aiccu_t) -corenet_tcp_sendrecv_generic_node(aiccu_t) - -corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) -corenet_tcp_connect_sixxsconfig_port(aiccu_t) -corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) - -corenet_rw_tun_tap_dev(aiccu_t) - -domain_use_interactive_fds(aiccu_t) - -dev_read_rand(aiccu_t) -dev_read_urand(aiccu_t) - -files_read_etc_files(aiccu_t) - -logging_send_syslog_msg(aiccu_t) - -miscfiles_read_localization(aiccu_t) - -optional_policy(` - modutils_domtrans_insmod(aiccu_t) -') - -optional_policy(` - sysnet_dns_name_resolve(aiccu_t) - sysnet_domtrans_ifconfig(aiccu_t) -') diff --git a/policy/modules/contrib/aide.fc b/policy/modules/contrib/aide.fc deleted file mode 100644 index df6e4d0e..00000000 --- a/policy/modules/contrib/aide.fc +++ /dev/null @@ -1,6 +0,0 @@ -/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh) - -/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) - -/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) -/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/policy/modules/contrib/aide.if b/policy/modules/contrib/aide.if deleted file mode 100644 index 01cbb67d..00000000 --- a/policy/modules/contrib/aide.if +++ /dev/null @@ -1,80 +0,0 @@ -## <summary>Aide filesystem integrity checker.</summary> - -######################################## -## <summary> -## Execute aide in the aide domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`aide_domtrans',` - gen_require(` - type aide_t, aide_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, aide_exec_t, aide_t) -') - -######################################## -## <summary> -## Execute aide programs in the AIDE -## domain and allow the specified role -## the AIDE domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`aide_run',` - gen_require(` - attribute_role aide_roles; - ') - - aide_domtrans($1) - roleattribute $2 aide_roles; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an aide environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`aide_admin',` - gen_require(` - type aide_t, aide_db_t, aide_log_t; - ') - - allow $1 aide_t:process { ptrace signal_perms }; - ps_process_pattern($1, aide_t) - - aide_run($1, $2) - - files_list_etc($1) - admin_pattern($1, aide_db_t) - - logging_list_logs($1) - admin_pattern($1, aide_log_t) -') diff --git a/policy/modules/contrib/aide.te b/policy/modules/contrib/aide.te deleted file mode 100644 index 4b28ab34..00000000 --- a/policy/modules/contrib/aide.te +++ /dev/null @@ -1,45 +0,0 @@ -policy_module(aide, 1.6.1) - -######################################## -# -# Declarations -# - -attribute_role aide_roles; - -type aide_t; -type aide_exec_t; -application_domain(aide_t, aide_exec_t) -role aide_roles types aide_t; - -type aide_log_t; -logging_log_file(aide_log_t) - -type aide_db_t; -files_type(aide_db_t) - -######################################## -# -# Local policy -# - -allow aide_t self:capability { dac_override fowner }; - -manage_files_pattern(aide_t, aide_db_t, aide_db_t) - -create_files_pattern(aide_t, aide_log_t, aide_log_t) -append_files_pattern(aide_t, aide_log_t, aide_log_t) -setattr_files_pattern(aide_t, aide_log_t, aide_log_t) -logging_log_filetrans(aide_t, aide_log_t, file) - -files_read_all_files(aide_t) -files_read_all_symlinks(aide_t) - -logging_send_audit_msgs(aide_t) -logging_send_syslog_msg(aide_t) - -userdom_use_user_terminals(aide_t) - -optional_policy(` - seutil_use_newrole_fds(aide_t) -') diff --git a/policy/modules/contrib/aisexec.fc b/policy/modules/contrib/aisexec.fc deleted file mode 100644 index e882bed7..00000000 --- a/policy/modules/contrib/aisexec.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) - -/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0) - -/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0) - -/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:aisexec_var_log_t,s0) - -/var/run/aisexec.* gen_context(system_u:object_r:aisexec_var_run_t,s0) diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if deleted file mode 100644 index a2997fa5..00000000 --- a/policy/modules/contrib/aisexec.if +++ /dev/null @@ -1,107 +0,0 @@ -## <summary>Aisexec Cluster Engine.</summary> - -######################################## -## <summary> -## Execute a domain transition to run aisexec. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`aisexec_domtrans',` - gen_require(` - type aisexec_t, aisexec_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, aisexec_exec_t, aisexec_t) -') - -##################################### -## <summary> -## Connect to aisexec over a unix -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`aisexec_stream_connect',` - gen_require(` - type aisexec_t, aisexec_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t) -') - -####################################### -## <summary> -## Read aisexec log files content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`aisexec_read_log',` - gen_require(` - type aisexec_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t) - read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t) -') - -###################################### -## <summary> -## All of the rules required to -## administrate an aisexec environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`aisexecd_admin',` - gen_require(` - type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t; - type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t; - type aisexec_initrc_exec_t; - ') - - allow $1 aisexec_t:process { ptrace signal_perms }; - ps_process_pattern($1, aisexec_t) - - init_labeled_script_domtrans($1, aisexec_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 aisexec_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, aisexec_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, aisexec_var_log_t) - - files_list_pids($1) - admin_pattern($1, aisexec_var_run_t) - - files_list_tmp($1) - admin_pattern($1, aisexec_tmp_t) - - admin_pattern($1, aisexec_tmpfs_t) -') diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te deleted file mode 100644 index 196f7cfa..00000000 --- a/policy/modules/contrib/aisexec.te +++ /dev/null @@ -1,117 +0,0 @@ -policy_module(aisexec, 1.1.1) - -######################################## -# -# Declarations -# - -type aisexec_t; -type aisexec_exec_t; -init_daemon_domain(aisexec_t, aisexec_exec_t) - -type aisexec_initrc_exec_t; -init_script_file(aisexec_initrc_exec_t) - -type aisexec_tmp_t; -files_tmp_file(aisexec_tmp_t) - -type aisexec_tmpfs_t; -files_tmpfs_file(aisexec_tmpfs_t) - -type aisexec_var_lib_t; -files_type(aisexec_var_lib_t) - -type aisexec_var_log_t; -logging_log_file(aisexec_var_log_t) - -type aisexec_var_run_t; -files_pid_file(aisexec_var_run_t) - -######################################## -# -# Local policy -# - -allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; -allow aisexec_t self:process { setrlimit setsched signal }; -allow aisexec_t self:fifo_file rw_fifo_file_perms; -allow aisexec_t self:sem create_sem_perms; -allow aisexec_t self:unix_stream_socket { accept listen connectto }; - -manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) -manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) -files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { dir file }) - -manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) -manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) -fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file }) - -manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) -manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) -manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) -files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, dir) - -append_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) -create_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) -setattr_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) -logging_log_filetrans(aisexec_t, aisexec_var_log_t, file) - -manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) -manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) -files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) - -kernel_read_system_state(aisexec_t) - -corecmd_exec_bin(aisexec_t) - -corenet_all_recvfrom_unlabeled(aisexec_t) -corenet_all_recvfrom_netlabel(aisexec_t) -corenet_tcp_sendrecv_generic_if(aisexec_t) -corenet_udp_sendrecv_generic_if(aisexec_t) -corenet_tcp_sendrecv_generic_node(aisexec_t) -corenet_udp_sendrecv_generic_node(aisexec_t) -corenet_tcp_bind_generic_node(aisexec_t) -corenet_udp_bind_generic_node(aisexec_t) - -corenet_sendrecv_netsupport_server_packets(aisexec_t) -corenet_udp_bind_netsupport_port(aisexec_t) -corenet_udp_sendrecv_netsupport_port(aisexec_t) - -corenet_sendrecv_generic_server_packets(aisexec_t) -corenet_tcp_bind_reserved_port(aisexec_t) -corenet_tcp_sendrecv_reserved_port(aisexec_t) - -corenet_sendrecv_cluster_server_packets(aisexec_t) -corenet_udp_bind_cluster_port(aisexec_t) -corenet_udp_sendrecv_cluster_port(aisexec_t) - -dev_read_urand(aisexec_t) - -files_manage_mounttab(aisexec_t) - -auth_use_nsswitch(aisexec_t) - -init_rw_script_tmp_files(aisexec_t) - -logging_send_syslog_msg(aisexec_t) - -miscfiles_read_localization(aisexec_t) - -userdom_rw_unpriv_user_semaphores(aisexec_t) -userdom_rw_unpriv_user_shared_mem(aisexec_t) - -optional_policy(` - ccs_stream_connect(aisexec_t) -') - -optional_policy(` - rhcs_rw_dlm_controld_semaphores(aisexec_t) - - rhcs_rw_fenced_semaphores(aisexec_t) - - rhcs_rw_gfs_controld_semaphores(aisexec_t) - rhcs_rw_gfs_controld_shm(aisexec_t) - - rhcs_rw_groupd_semaphores(aisexec_t) - rhcs_rw_groupd_shm(aisexec_t) -') diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc deleted file mode 100644 index 5de1e015..00000000 --- a/policy/modules/contrib/alsa.fc +++ /dev/null @@ -1,22 +0,0 @@ -HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) - -/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) - -/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) -/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) -/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) -/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) - -/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if deleted file mode 100644 index f46c4a21..00000000 --- a/policy/modules/contrib/alsa.if +++ /dev/null @@ -1,288 +0,0 @@ -## <summary>Advanced Linux Sound Architecture utilities.</summary> - -######################################## -## <summary> -## Role access for alsa. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -template(`alsa_role',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Execute a domain transition to run Alsa. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`alsa_domtrans',` - gen_require(` - type alsa_t, alsa_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, alsa_exec_t, alsa_t) -') - -######################################## -## <summary> -## Execute a domain transition to run -## Alsa, and allow the specified role -## the Alsa domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`alsa_run',` - gen_require(` - attribute_role alsa_roles; - ') - - alsa_domtrans($1) - roleattribute $2 alsa_roles; -') - -######################################## -## <summary> -## Read and write Alsa semaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`alsa_rw_semaphores',` - gen_require(` - type alsa_t; - ') - - allow $1 alsa_t:sem rw_sem_perms; -') - -######################################## -## <summary> -## Read and write Alsa shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`alsa_rw_shared_mem',` - gen_require(` - type alsa_t; - ') - - allow $1 alsa_t:shm rw_shm_perms; -') - -######################################## -## <summary> -## Read writable Alsa configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`alsa_read_rw_config',` - gen_require(` - type alsa_etc_rw_t; - ') - - files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - - ifdef(`distro_debian',` - files_search_usr($1) - ') -') - -######################################## -## <summary> -## Manage writable Alsa config files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`alsa_manage_rw_config',` - gen_require(` - type alsa_etc_rw_t; - ') - - files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - - ifdef(`distro_debian',` - files_search_usr($1) - ') -') - -######################################## -## <summary> -## Create, read, write, and delete -## alsa home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`alsa_manage_home_files',` - gen_require(` - type alsa_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file manage_file_perms; -') - -######################################## -## <summary> -## Read Alsa home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`alsa_read_home_files',` - gen_require(` - type alsa_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file read_file_perms; -') - -######################################## -## <summary> -## Relabel alsa home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`alsa_relabel_home_files',` - gen_require(` - type alsa_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file relabel_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the generic alsa -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`alsa_home_filetrans_alsa_home',` - gen_require(` - type alsa_home_t; - ') - - userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3) -') - -######################################## -## <summary> -## Read Alsa lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`alsa_read_lib',` - gen_require(` - type alsa_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) -') - -######################################## -## <summary> -## Mark the selected domain as an alsa-capable domain -## </summary> -## <param name="domain"> -## <summary> -## Domain that links with alsa -## </summary> -## </param> -## <param name="tmpfstype"> -## <summary> -## Tmpfs type used for shared memory of the given domain -## </summary> -## </param> -# -interface(`alsa_domain',` - gen_require(` - attribute alsadomain; - attribute alsatmpfsfile; - ') - - typeattribute $1 alsadomain; - typeattribute $2 alsatmpfsfile; - - # Perhaps we can introduce a tunable for the next? - allow $1 alsadomain:sem create_sem_perms; - allow $1 alsadomain:shm rw_shm_perms; - allow $1 alsatmpfsfile:file rw_file_perms; -') diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te deleted file mode 100644 index 59146a2c..00000000 --- a/policy/modules/contrib/alsa.te +++ /dev/null @@ -1,97 +0,0 @@ -policy_module(alsa, 1.11.4) - -######################################## -# -# Declarations -# - -attribute_role alsa_roles; - -type alsa_t; -type alsa_exec_t; -init_system_domain(alsa_t, alsa_exec_t) -role alsa_roles types alsa_t; - -type alsa_etc_rw_t; -files_config_file(alsa_etc_rw_t) - -type alsa_tmp_t; -files_tmp_file(alsa_tmp_t) - -type alsa_var_lib_t; -files_type(alsa_var_lib_t) - -type alsa_home_t; -userdom_user_home_content(alsa_home_t) - -######################################## -# -# Local policy -# - -allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; -dontaudit alsa_t self:capability sys_admin; -allow alsa_t self:sem create_sem_perms; -allow alsa_t self:shm create_shm_perms; -allow alsa_t self:unix_stream_socket { accept listen }; - -allow alsa_t alsa_home_t:file read_file_perms; - -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) - -can_exec(alsa_t, alsa_exec_t) - -manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) -manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) -files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) -userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) - -manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) -manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) - -kernel_read_system_state(alsa_t) - -corecmd_exec_bin(alsa_t) - -dev_read_sound(alsa_t) -dev_read_sysfs(alsa_t) -dev_write_sound(alsa_t) - -files_read_usr_files(alsa_t) -files_search_var_lib(alsa_t) - -term_dontaudit_use_console(alsa_t) -term_dontaudit_use_generic_ptys(alsa_t) -term_dontaudit_use_all_ptys(alsa_t) - -auth_use_nsswitch(alsa_t) - -init_use_fds(alsa_t) - -logging_send_syslog_msg(alsa_t) - -miscfiles_read_localization(alsa_t) - -userdom_manage_unpriv_user_semaphores(alsa_t) -userdom_manage_unpriv_user_shared_mem(alsa_t) -userdom_search_user_home_dirs(alsa_t) - -ifdef(`distro_gentoo',` - attribute alsadomain; - attribute alsatmpfsfile; - - typeattribute alsa_t alsadomain; - - ################################ - # - # alsadomain policy - # - allow alsadomain self:sem create_sem_perms; -') - -optional_policy(` - hal_use_fds(alsa_t) - hal_write_log(alsa_t) -') diff --git a/policy/modules/contrib/amanda.fc b/policy/modules/contrib/amanda.fc deleted file mode 100644 index 7f4dfbca..00000000 --- a/policy/modules/contrib/amanda.fc +++ /dev/null @@ -1,27 +0,0 @@ -/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0) -/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) -/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) -/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0) -# empty m4 string so the index macro is not invoked -/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) - -/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0) - -/usr/lib/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0) -/usr/lib/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0) -/usr/lib/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) -/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) -/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) - -/usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) -/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) - -/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0) -/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) -/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) -/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0) -/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0) -# the null string in here because index is a m4 builtin function -/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0) - -/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) diff --git a/policy/modules/contrib/amanda.if b/policy/modules/contrib/amanda.if deleted file mode 100644 index ea4cdc74..00000000 --- a/policy/modules/contrib/amanda.if +++ /dev/null @@ -1,161 +0,0 @@ -## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary> - -######################################## -## <summary> -## Execute a domain transition to run -## Amanda recover. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`amanda_domtrans_recover',` - gen_require(` - type amanda_recover_t, amanda_recover_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) -') - -######################################## -## <summary> -## Execute a domain transition to run -## Amanda recover, and allow the specified -## role the Amanda recover domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`amanda_run_recover',` - gen_require(` - attribute_role amanda_recover_roles; - ') - - amanda_domtrans_recover($1) - roleattribute $2 amanda_recover_roles; -') - -######################################## -## <summary> -## Search Amanda library directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amanda_search_lib',` - gen_require(` - type amanda_usr_lib_t; - ') - - files_search_usr($1) - allow $1 amanda_usr_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read /etc/dumpdates. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`amanda_dontaudit_read_dumpdates',` - gen_require(` - type amanda_dumpdates_t; - ') - - dontaudit $1 amanda_dumpdates_t:file read_file_perms; -') - -######################################## -## <summary> -## Read and write /etc/dumpdates. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amanda_rw_dumpdates_files',` - gen_require(` - type amanda_dumpdates_t; - ') - - files_search_etc($1) - allow $1 amanda_dumpdates_t:file rw_file_perms; -') - -######################################## -## <summary> -## Search Amanda library directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amanda_manage_lib',` - gen_require(` - type amanda_usr_lib_t; - ') - - files_search_usr($1) - allow $1 amanda_usr_lib_t:dir manage_dir_perms; -') - -######################################## -## <summary> -## Read and append amanda log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amanda_append_log_files',` - gen_require(` - type amanda_log_t; - ') - - logging_search_logs($1) - allow $1 amanda_log_t:file { read_file_perms append_file_perms }; -') - -####################################### -## <summary> -## Search Amanda var library directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amanda_search_var_lib',` - gen_require(` - type amanda_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 amanda_var_lib_t:dir search_dir_perms; -') diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te deleted file mode 100644 index ed45974f..00000000 --- a/policy/modules/contrib/amanda.te +++ /dev/null @@ -1,206 +0,0 @@ -policy_module(amanda, 1.14.2) - -####################################### -# -# Declarations -# - -attribute_role amanda_recover_roles; -roleattribute system_r amanda_recover_roles; - -type amanda_t; -type amanda_inetd_exec_t; -inetd_service_domain(amanda_t, amanda_inetd_exec_t) - -type amanda_exec_t; -domain_entry_file(amanda_t, amanda_exec_t) - -type amanda_log_t; -logging_log_file(amanda_log_t) - -type amanda_config_t; -files_type(amanda_config_t) - -type amanda_usr_lib_t; -files_type(amanda_usr_lib_t) - -type amanda_var_lib_t; -files_type(amanda_var_lib_t) - -type amanda_gnutarlists_t; -files_type(amanda_gnutarlists_t) - -type amanda_tmp_t; -files_tmp_file(amanda_tmp_t) - -type amanda_amandates_t; -files_type(amanda_amandates_t) - -type amanda_dumpdates_t; -files_type(amanda_dumpdates_t) - -type amanda_data_t; -files_type(amanda_data_t) - -type amanda_recover_t; -type amanda_recover_exec_t; -application_domain(amanda_recover_t, amanda_recover_exec_t) -role amanda_recover_roles types amanda_recover_t; - -type amanda_recover_dir_t; -files_type(amanda_recover_dir_t) - -optional_policy(` - prelink_object_file(amanda_usr_lib_t) -') - -######################################## -# -# Local policy -# - -allow amanda_t self:capability { chown dac_override setuid kill }; -allow amanda_t self:process { setpgid signal }; -allow amanda_t self:fifo_file rw_fifo_file_perms; -allow amanda_t self:unix_stream_socket { accept listen }; -allow amanda_t self:tcp_socket { accept listen }; - -allow amanda_t amanda_amandates_t:file rw_file_perms; - -allow amanda_t amanda_config_t:file read_file_perms; - -manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) -manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) -filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) - -allow amanda_t amanda_dumpdates_t:file rw_file_perms; - -allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms; -allow amanda_t amanda_gnutarlists_t:file manage_file_perms; -allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; - -manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) -manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) - -manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) -manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) -logging_log_filetrans(amanda_t, amanda_log_t, dir) - -manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) -manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) -files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir }) - -can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t }) - -kernel_read_kernel_sysctls(amanda_t) -kernel_read_system_state(amanda_t) -kernel_dontaudit_getattr_unlabeled_files(amanda_t) -kernel_dontaudit_read_proc_symlinks(amanda_t) - -corecmd_exec_shell(amanda_t) -corecmd_exec_bin(amanda_t) - -corenet_all_recvfrom_unlabeled(amanda_t) -corenet_all_recvfrom_netlabel(amanda_t) -corenet_tcp_sendrecv_generic_if(amanda_t) -corenet_tcp_sendrecv_generic_node(amanda_t) -corenet_tcp_sendrecv_all_ports(amanda_t) -corenet_tcp_bind_generic_node(amanda_t) - -corenet_sendrecv_all_server_packets(amanda_t) -corenet_tcp_bind_all_rpc_ports(amanda_t) -corenet_tcp_bind_generic_port(amanda_t) -corenet_dontaudit_tcp_bind_all_ports(amanda_t) - -dev_getattr_all_blk_files(amanda_t) -dev_getattr_all_chr_files(amanda_t) - -files_read_etc_runtime_files(amanda_t) -files_list_all(amanda_t) -files_read_all_files(amanda_t) -files_read_all_symlinks(amanda_t) -files_read_all_blk_files(amanda_t) -files_read_all_chr_files(amanda_t) -files_getattr_all_pipes(amanda_t) -files_getattr_all_sockets(amanda_t) - -fs_getattr_xattr_fs(amanda_t) -fs_list_all(amanda_t) - -storage_raw_read_fixed_disk(amanda_t) -storage_read_tape(amanda_t) -storage_write_tape(amanda_t) - -auth_use_nsswitch(amanda_t) -auth_read_shadow(amanda_t) - -logging_send_syslog_msg(amanda_t) - -######################################## -# -# Recover local policy -# - -allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; -allow amanda_recover_t self:process { sigkill sigstop signal }; -allow amanda_recover_t self:fifo_file rw_fifo_file_perms; -allow amanda_recover_t self:unix_stream_socket create_socket_perms; -allow amanda_recover_t self:tcp_socket { accept listen }; - -manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t) -manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t) - -manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(amanda_recover_t) -kernel_read_system_state(amanda_recover_t) - -corecmd_exec_shell(amanda_recover_t) -corecmd_exec_bin(amanda_recover_t) - -corenet_all_recvfrom_unlabeled(amanda_recover_t) -corenet_all_recvfrom_netlabel(amanda_recover_t) -corenet_tcp_sendrecv_generic_if(amanda_recover_t) -corenet_udp_sendrecv_generic_if(amanda_recover_t) -corenet_tcp_sendrecv_generic_node(amanda_recover_t) -corenet_udp_sendrecv_generic_node(amanda_recover_t) -corenet_tcp_sendrecv_all_ports(amanda_recover_t) -corenet_udp_sendrecv_all_ports(amanda_recover_t) -corenet_tcp_bind_generic_node(amanda_recover_t) -corenet_udp_bind_generic_node(amanda_recover_t) - -corenet_sendrecv_generic_server_packets(amanda_recover_t) -corenet_tcp_bind_reserved_port(amanda_recover_t) - -corenet_sendrecv_amanda_client_packets(amanda_recover_t) -corenet_tcp_connect_amanda_port(amanda_recover_t) - -domain_use_interactive_fds(amanda_recover_t) - -files_read_etc_runtime_files(amanda_recover_t) -files_search_pids(amanda_recover_t) -files_search_tmp(amanda_recover_t) - -auth_use_nsswitch(amanda_recover_t) - -fstools_domtrans(amanda_t) -fstools_signal(amanda_t) - -logging_search_logs(amanda_recover_t) - -miscfiles_read_localization(amanda_recover_t) - -userdom_use_user_terminals(amanda_recover_t) -userdom_search_user_home_content(amanda_recover_t) diff --git a/policy/modules/contrib/amavis.fc b/policy/modules/contrib/amavis.fc deleted file mode 100644 index 17689a70..00000000 --- a/policy/modules/contrib/amavis.fc +++ /dev/null @@ -1,28 +0,0 @@ -/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0) -/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0) - -/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) -/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) - -/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) - -/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) - -ifdef(`distro_debian',` -/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) -') - -/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) - -/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) - -/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) - -/var/log/amavisd\.log.* -- gen_context(system_u:object_r:amavis_var_log_t,s0) - -/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) -/var/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:amavis_var_run_t,s0) - -/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0) - -/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) diff --git a/policy/modules/contrib/amavis.if b/policy/modules/contrib/amavis.if deleted file mode 100644 index 60d4f8c9..00000000 --- a/policy/modules/contrib/amavis.if +++ /dev/null @@ -1,264 +0,0 @@ -## <summary>High-performance interface between an email server and content checkers.</summary> - -######################################## -## <summary> -## Execute a domain transition to run amavis. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`amavis_domtrans',` - gen_require(` - type amavis_t, amavis_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amavis_exec_t, amavis_t) -') - -######################################## -## <summary> -## Execute amavis server in the amavis domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`amavis_initrc_domtrans',` - gen_require(` - type amavis_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, amavis_initrc_exec_t) -') - -######################################## -## <summary> -## Read amavis spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amavis_read_spool_files',` - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, amavis_spool_t, amavis_spool_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## amavis spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amavis_manage_spool_files',` - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t) - manage_files_pattern($1, amavis_spool_t, amavis_spool_t) -') - -######################################## -## <summary> -## Create objects in the amavis spool directories -## with a private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## Private file type. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`amavis_spool_filetrans',` - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - filetrans_pattern($1, amavis_spool_t, $2, $3, $4) -') - -######################################## -## <summary> -## Search amavis lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amavis_search_lib',` - gen_require(` - type amavis_var_lib_t; - ') - - allow $1 amavis_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## <summary> -## Read amavis lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amavis_read_lib_files',` - gen_require(` - type amavis_var_lib_t; - ') - - read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) - allow $1 amavis_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## amavis lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amavis_manage_lib_files',` - gen_require(` - type amavis_var_lib_t; - ') - - manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## <summary> -## Set attributes of amavis pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amavis_setattr_pid_files',` - gen_require(` - type amavis_var_run_t; - ') - - allow $1 amavis_var_run_t:file setattr_file_perms; - files_search_pids($1) -') - -######################################## -## <summary> -## Create amavis pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`amavis_create_pid_files',` - gen_require(` - type amavis_var_run_t; - ') - - allow $1 amavis_var_run_t:dir add_entry_dir_perms; - allow $1 amavis_var_run_t:file create_file_perms; - files_search_pids($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an amavis environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`amavis_admin',` - gen_require(` - type amavis_t, amavis_tmp_t, amavis_var_log_t; - type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t; - type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t; - ') - - allow $1 amavis_t:process { ptrace signal_perms }; - ps_process_pattern($1, amavis_t) - - amavis_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 amavis_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, amavis_etc_t) - - admin_pattern($1, amavis_quarantine_t) - - files_list_spool($1) - admin_pattern($1, amavis_spool_t) - - files_list_tmp($1) - admin_pattern($1, amavis_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, amavis_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, amavis_var_log_t) - - files_list_pids($1) - admin_pattern($1, amavis_var_run_t) -') diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te deleted file mode 100644 index ab55ba78..00000000 --- a/policy/modules/contrib/amavis.te +++ /dev/null @@ -1,199 +0,0 @@ -policy_module(amavis, 1.14.3) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether amavis can -## use JIT compiler. -## </p> -## </desc> -gen_tunable(amavis_use_jit, false) - -type amavis_t; -type amavis_exec_t; -init_daemon_domain(amavis_t, amavis_exec_t) - -type amavis_etc_t; -files_config_file(amavis_etc_t) - -type amavis_initrc_exec_t; -init_script_file(amavis_initrc_exec_t) - -type amavis_var_run_t; -files_pid_file(amavis_var_run_t) - -type amavis_var_lib_t; -files_type(amavis_var_lib_t) - -type amavis_var_log_t; -logging_log_file(amavis_var_log_t) - -type amavis_tmp_t; -files_tmp_file(amavis_tmp_t) - -type amavis_quarantine_t; -files_type(amavis_quarantine_t) - -type amavis_spool_t; -files_type(amavis_spool_t) - -######################################## -# -# Local policy -# - -allow amavis_t self:capability { kill chown dac_override setgid setuid }; -dontaudit amavis_t self:capability sys_tty_config; -allow amavis_t self:process signal_perms; -allow amavis_t self:fifo_file rw_fifo_file_perms; -allow amavis_t self:unix_stream_socket { accept connectto listen }; -allow amavis_t self:tcp_socket { listen accept }; - -allow amavis_t amavis_etc_t:dir list_dir_perms; -read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) -read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) - -manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) -manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) -manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) - -manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) - -manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) -allow amavis_t amavis_tmp_t:dir setattr_dir_perms; -files_tmp_filetrans(amavis_t, amavis_tmp_t, file) - -manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) - -allow amavis_t amavis_var_log_t:dir setattr_dir_perms; -manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) -manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) -logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) - -manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) -manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) -manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) -files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file }) - -can_exec(amavis_t, amavis_exec_t) - -kernel_read_kernel_sysctls(amavis_t) -kernel_read_system_state(amavis_t) -kernel_dontaudit_list_proc(amavis_t) -kernel_dontaudit_read_proc_symlinks(amavis_t) - -corecmd_exec_bin(amavis_t) -corecmd_exec_shell(amavis_t) - -corenet_all_recvfrom_unlabeled(amavis_t) -corenet_all_recvfrom_netlabel(amavis_t) -corenet_tcp_sendrecv_generic_if(amavis_t) -corenet_udp_sendrecv_generic_if(amavis_t) -corenet_tcp_sendrecv_generic_node(amavis_t) -corenet_udp_sendrecv_generic_node(amavis_t) -corenet_tcp_sendrecv_all_ports(amavis_t) -corenet_udp_sendrecv_all_ports(amavis_t) -corenet_tcp_bind_generic_node(amavis_t) -corenet_udp_bind_generic_node(amavis_t) - -corenet_sendrecv_amavisd_send_client_packets(amavis_t) -corenet_tcp_connect_amavisd_send_port(amavis_t) - -corenet_sendrecv_amavisd_recv_server_packets(amavis_t) -corenet_tcp_bind_amavisd_recv_port(amavis_t) - -corenet_sendrecv_generic_server_packets(amavis_t) -corenet_udp_bind_generic_port(amavis_t) -corenet_dontaudit_udp_bind_all_ports(amavis_t) - -corenet_sendrecv_razor_client_packets(amavis_t) -corenet_tcp_connect_razor_port(amavis_t) - -dev_read_rand(amavis_t) -dev_read_sysfs(amavis_t) -dev_read_urand(amavis_t) - -domain_use_interactive_fds(amavis_t) -domain_dontaudit_read_all_domains_state(amavis_t) - -files_read_etc_runtime_files(amavis_t) -files_read_usr_files(amavis_t) -files_search_spool(amavis_t) - -fs_getattr_xattr_fs(amavis_t) - -auth_use_nsswitch(amavis_t) -auth_dontaudit_read_shadow(amavis_t) - -init_read_state(amavis_t) -init_read_utmp(amavis_t) -init_stream_connect_script(amavis_t) - -logging_send_syslog_msg(amavis_t) - -miscfiles_read_localization(amavis_t) - -userdom_dontaudit_search_user_home_dirs(amavis_t) - -tunable_policy(`amavis_use_jit',` - allow amavis_t self:process execmem; -',` - dontaudit amavis_t self:process execmem; -') - -optional_policy(` - clamav_stream_connect(amavis_t) - clamav_domtrans_clamscan(amavis_t) - clamav_read_state_clamd(amavis_t) -') - -optional_policy(` - cron_use_fds(amavis_t) - cron_use_system_job_fds(amavis_t) - cron_rw_pipes(amavis_t) -') - -optional_policy(` - dcc_domtrans_client(amavis_t) - dcc_stream_connect_dccifd(amavis_t) -') - -optional_policy(` - mta_read_config(amavis_t) -') - -optional_policy(` - postfix_read_config(amavis_t) - postfix_list_spool(amavis_t) -') - -optional_policy(` - pyzor_domtrans(amavis_t) - pyzor_signal(amavis_t) -') - -optional_policy(` - razor_domtrans(amavis_t) -') - -optional_policy(` - snmp_manage_var_lib_dirs(amavis_t) - snmp_manage_var_lib_files(amavis_t) - snmp_stream_connect(amavis_t) -') - -optional_policy(` - spamassassin_exec(amavis_t) - spamassassin_exec_client(amavis_t) - spamassassin_read_lib_files(amavis_t) -') diff --git a/policy/modules/contrib/amtu.fc b/policy/modules/contrib/amtu.fc deleted file mode 100644 index 67e5f709..00000000 --- a/policy/modules/contrib/amtu.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/amtu -- gen_context(system_u:object_r:amtu_initrc_exec_t,s0) - -/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0) - -/usr/sbin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0) diff --git a/policy/modules/contrib/amtu.if b/policy/modules/contrib/amtu.if deleted file mode 100644 index 884b23b4..00000000 --- a/policy/modules/contrib/amtu.if +++ /dev/null @@ -1,77 +0,0 @@ -## <summary>Abstract Machine Test Utility.</summary> - -######################################## -## <summary> -## Execute a domain transition to run Amtu. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`amtu_domtrans',` - gen_require(` - type amtu_t, amtu_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amtu_exec_t, amtu_t) -') - -######################################## -## <summary> -## Execute a domain transition to run -## Amtu, and allow the specified role -## the Amtu domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`amtu_run',` - gen_require(` - attribute_role amtu_roles; - ') - - amtu_domtrans($1) - roleattribute $2 amtu_roles; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an amtu environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`amtu_admin',` - gen_require(` - type amtu_t, amtu_initrc_exec_t; - ') - - allow $1 amtu_t:process { ptrace signal_perms }; - ps_process_pattern($1, amtu_t) - - init_labeled_script_domtrans($1, amtu_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 amtu_initrc_exec_t system_r; - allow $2 system_r; -') diff --git a/policy/modules/contrib/amtu.te b/policy/modules/contrib/amtu.te deleted file mode 100644 index c960f92e..00000000 --- a/policy/modules/contrib/amtu.te +++ /dev/null @@ -1,39 +0,0 @@ -policy_module(amtu, 1.2.3) - -######################################## -# -# Declarations -# - -attribute_role amtu_roles; - -type amtu_t; -type amtu_exec_t; -init_system_domain(amtu_t, amtu_exec_t) -role amtu_roles types amtu_t; - -type amtu_initrc_exec_t; -init_script_file(amtu_initrc_exec_t) - -######################################## -# -# Local policy -# - -kernel_read_system_state(amtu_t) - -files_manage_boot_files(amtu_t) -files_read_etc_runtime_files(amtu_t) -files_read_etc_files(amtu_t) - -logging_send_audit_msgs(amtu_t) - -userdom_use_user_terminals(amtu_t) - -optional_policy(` - nscd_dontaudit_search_pid(amtu_t) -') - -optional_policy(` - seutil_use_newrole_fds(amtu_t) -') diff --git a/policy/modules/contrib/anaconda.fc b/policy/modules/contrib/anaconda.fc deleted file mode 100644 index b098089d..00000000 --- a/policy/modules/contrib/anaconda.fc +++ /dev/null @@ -1 +0,0 @@ -# No file context specifications. diff --git a/policy/modules/contrib/anaconda.if b/policy/modules/contrib/anaconda.if deleted file mode 100644 index 14a61b7e..00000000 --- a/policy/modules/contrib/anaconda.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>Anaconda installer.</summary> diff --git a/policy/modules/contrib/anaconda.te b/policy/modules/contrib/anaconda.te deleted file mode 100644 index 6f1384cd..00000000 --- a/policy/modules/contrib/anaconda.te +++ /dev/null @@ -1,55 +0,0 @@ -policy_module(anaconda, 1.6.1) - -gen_require(` - class passwd all_passwd_perms; -') - -######################################## -# -# Declarations -# - -type anaconda_t; -type anaconda_exec_t; -domain_type(anaconda_t) -domain_entry_file(anaconda_t, anaconda_exec_t) -domain_obj_id_change_exemption(anaconda_t) -role system_r types anaconda_t; - -######################################## -# -# Local policy -# - -allow anaconda_t self:process execmem; -allow anaconda_t self:passwd { rootok passwd chfn chsh }; - -kernel_domtrans_to(anaconda_t, anaconda_exec_t) - -init_domtrans_script(anaconda_t) - -logging_send_syslog_msg(anaconda_t) - -modutils_domtrans_insmod(anaconda_t) -modutils_domtrans_depmod(anaconda_t) - -seutil_domtrans_semanage(anaconda_t) - -userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - rpm_domtrans(anaconda_t) - rpm_domtrans_script(anaconda_t) -') - -optional_policy(` - ssh_domtrans_keygen(anaconda_t) -') - -optional_policy(` - udev_domtrans(anaconda_t) -') - -optional_policy(` - unconfined_domain_noaudit(anaconda_t) -') diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 00000000..a72f5d9f --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,10 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio\.sh gen_context(system_u:object_r:android_java_exec_t,s0) + +/opt/android-sdk-update-manager/platform-tools/adb -- gen_context(system_u:object_r:android_tools_exec_t,s0) +/opt/android-sdk-update-manager/platform-tools/fastboot -- gen_context(system_u:object_r:android_tools_exec_t,s0) +/opt/android-sdk-update-manager/tools/android -- gen_context(system_u:object_r:android_java_exec_t,s0) +/opt/android-sdk-update-manager(/.*)? gen_context(system_u:object_r:android_sdk_t,s0) diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 00000000..a50093af --- /dev/null +++ b/policy/modules/contrib/android.if @@ -0,0 +1,103 @@ +## <summary>Android development tools - adb, fastboot, android studio</summary> + +####################################### +## <summary> +## The role for using the android tools. +## </summary> +## <param name="role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## The user domain. +## </summary> +## </param> +# +interface(`android_role',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + type android_home_t; + type android_tmp_t; + type android_java_t; + type android_java_exec_t; + type android_sdk_t; + ') + + role $1 types android_tools_t; + role $1 types android_java_t; + + domtrans_pattern($2, android_tools_exec_t, android_tools_t) + domtrans_pattern($2, android_java_exec_t, android_java_t) + + allow $2 android_tools_t:process { ptrace signal_perms }; + allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh }; + + manage_dirs_pattern($2, android_home_t, android_home_t) + manage_files_pattern($2, android_home_t, android_home_t) + manage_lnk_files_pattern($2, android_home_t, android_home_t) + + list_dirs_pattern($2, android_sdk_t, android_sdk_t) + read_files_pattern($2, android_sdk_t, android_sdk_t) + read_lnk_files_pattern($2, android_sdk_t, android_sdk_t) + + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio") + + manage_dirs_pattern($2, android_tmp_t, android_tmp_t) + manage_files_pattern($2, android_tmp_t, android_tmp_t) + + allow $2 android_home_t:dir relabel_dir_perms; + allow $2 android_home_t:file relabel_file_perms; + allow $2 android_tools_exec_t:file relabel_file_perms; + + ps_process_pattern($2, android_tools_t) + ps_process_pattern($2, android_java_t) + + android_dbus_chat($2) +') + +######################################### +## <summary> +## Execute the android tools commands in the +## android tools domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> + +interface(`android_tools_domtrans',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, android_tools_exec_t, android_tools_t) +') + +######################################### +## <summary> +## Send and receive messages from the android java +## domain over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`android_dbus_chat',` + gen_require(` + type android_java_t; + class dbus send_msg; + ') + + allow $1 android_java_t:dbus send_msg; + allow android_java_t $1:dbus send_msg; +') diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te new file mode 100644 index 00000000..4fb4a851 --- /dev/null +++ b/policy/modules/contrib/android.te @@ -0,0 +1,131 @@ +policy_module(android, 1.0.0) + +############################ +# +# Declarations +# + +# adb needs to be labelled with android_tools_exec_t +type android_tools_t; +type android_tools_exec_t; # customizable +userdom_user_application_domain(android_tools_t, android_tools_exec_t) + +type android_tmp_t; +userdom_user_tmp_file(android_tmp_t) + +# for X server SHM +type android_tmpfs_t; +userdom_user_tmpfs_file(android_tmpfs_t) + +type android_java_t; +type android_java_exec_t; +userdom_user_application_domain(android_java_t, android_java_exec_t) +java_domain_type(android_java_t) + +# the android dir ~/.android/, ~/.AndroidStudio/ +# this is customizable since the sdk needs to be labelled +type android_home_t; # customizable +userdom_user_home_content(android_home_t) +userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file }) + +type android_sdk_t; +files_type(android_sdk_t) + +############################ +# +# Android Tools Policy Rules +# + +# this domain has access to usb and is intended for adb and fastboot +# the java domain can run these tools + +allow android_tools_t self:process { execmem signal_perms }; + +allow android_tools_t self:fifo_file rw_fifo_file_perms; +allow android_tools_t self:tcp_socket create_stream_socket_perms; + +can_exec(android_tools_t, android_tools_exec_t) + +manage_dirs_pattern(android_tools_t, android_home_t, android_home_t) +manage_files_pattern(android_tools_t, android_home_t, android_home_t) + +list_dirs_pattern(android_tools_t, android_sdk_t, android_sdk_t) +read_files_pattern(android_tools_t, android_sdk_t, android_sdk_t) + +files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir }) +manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t) +manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t) + +corecmd_list_bin(android_tools_t) + +corenet_tcp_bind_adb_port(android_tools_t) +corenet_tcp_bind_generic_node(android_tools_t) +corenet_tcp_connect_adb_port(android_tools_t) + +dev_read_sysfs(android_tools_t) +dev_rw_generic_usb_dev(android_tools_t) + +files_read_etc_files(android_tools_t) + +userdom_manage_user_home_content_dirs(android_tools_t) +userdom_manage_user_home_content_files(android_tools_t) +userdom_search_user_home_content(android_tools_t) +userdom_use_user_terminals(android_tools_t) + +sysnet_dns_name_resolve(android_tools_t) + + +############################ +# +# Android Java Policy Rules +# + +# this domain is for java and android studio and +# all the (java-based) build tools + +allow android_java_t self:tcp_socket { accept listen }; + +can_exec(android_java_t, android_home_t) +can_exec(android_java_t, android_java_exec_t) +can_exec(android_java_t, android_sdk_t) + +manage_dirs_pattern(android_java_t, android_home_t, android_home_t) +manage_files_pattern(android_java_t, android_home_t, android_home_t) + +manage_dirs_pattern(android_java_t, android_sdk_t, android_sdk_t) +manage_files_pattern(android_java_t, android_sdk_t, android_sdk_t) + +manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t) +manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t) + +corecmd_exec_bin(android_java_t) +corecmd_exec_shell(android_java_t) + +corenet_tcp_bind_all_unreserved_ports(android_java_t) +corenet_tcp_bind_generic_node(android_java_t) +corenet_tcp_connect_adb_port(android_java_t) +corenet_tcp_connect_http_port(android_java_t) +corenet_udp_bind_generic_node(android_java_t) + +dev_rw_kvm(android_java_t) +dev_rw_dri(android_java_t) +dev_read_sysfs(android_java_t) + +domain_dontaudit_getattr_all_domains(android_java_t) +domain_dontaudit_search_all_domains_state(android_java_t) + +miscfiles_read_fonts(android_java_t) +miscfiles_read_localization(android_java_t) + +userdom_use_user_terminals(android_java_t) +userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android") +userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta") +userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio") + +android_tools_domtrans(android_java_t) + +dbus_all_session_bus_client(android_java_t) + +xdg_read_config_home_files(android_java_t) + +xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t) diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc deleted file mode 100644 index 69530920..00000000 --- a/policy/modules/contrib/apache.fc +++ /dev/null @@ -1,160 +0,0 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) -HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0) -HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0) - -/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) -/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) -/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) -/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - -/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - -/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) -/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - -/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) - -/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - -/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - -/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) -/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) - -/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - -/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) - -/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) -/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - -ifdef(`distro_suse',` -/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) -') - -/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - -/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) - -/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) -/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - -/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - -/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) - -/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) - -/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) -/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) -/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if deleted file mode 100644 index bbf6e4b9..00000000 --- a/policy/modules/contrib/apache.if +++ /dev/null @@ -1,1359 +0,0 @@ -## <summary>Various web servers.</summary> - -######################################## -## <summary> -## Create a set of derived types for -## httpd web content. -## </summary> -## <param name="prefix"> -## <summary> -## The prefix to be used for deriving type names. -## </summary> -## </param> -# -template(`apache_content_template',` - gen_require(` - attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; - type httpd_t, httpd_suexec_t; - ') - - ######################################## - # - # Declarations - # - - ## <desc> - ## <p> - ## Determine whether the script domain can - ## modify public files used for public file - ## transfer services. Directories/Files must - ## be labeled public_content_rw_t. - ## </p> - ## </desc> - gen_tunable(allow_httpd_$1_script_anon_write, false) - - type httpd_$1_content_t, httpdcontent; # customizable - typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - files_type(httpd_$1_content_t) - - type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable; - files_type(httpd_$1_htaccess_t) - - type httpd_$1_script_t, httpd_script_domains; - domain_type(httpd_$1_script_t) - role system_r types httpd_$1_script_t; - - type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; - corecmd_shell_entry_type(httpd_$1_script_t) - domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - - type httpd_$1_rw_content_t, httpdcontent; # customizable - typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; - files_type(httpd_$1_rw_content_t) - - type httpd_$1_ra_content_t, httpdcontent; # customizable - typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; - files_type(httpd_$1_ra_content_t) - - ######################################## - # - # Policy - # - - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - - allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; - - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms; - allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; - - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) - - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms; - allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms; - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms; - - ifdef(`distro_gentoo',` - gen_require(` - attribute httpd_rw_content; - attribute httpd_ra_content; - type httpd_log_t; - ') - - typeattribute httpd_$1_rw_content_t httpd_rw_content; - typeattribute httpd_$1_ra_content_t httpd_ra_content; - ') - - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') - - tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - - allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; - allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; - ') - - tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',` - can_exec(httpd_t, httpd_$1_rw_content_t) - ') - - tunable_policy(`httpd_enable_cgi',` - allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; - domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',` - can_exec(httpd_$1_script_t, httpd_$1_rw_content_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms; - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) - ') -') - -######################################## -## <summary> -## Role access for apache. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`apache_role',` - gen_require(` - attribute httpdcontent; - type httpd_user_content_t, httpd_user_htaccess_t; - type httpd_user_script_t, httpd_user_script_exec_t; - type httpd_user_ra_content_t, httpd_user_rw_content_t; - ') - - role $1 types httpd_user_script_t; - - allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; - - allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html") - userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web") - userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www") - - filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess") - filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin") - filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs") - - tunable_policy(`httpd_enable_cgi',` - domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($2, httpdcontent, httpd_user_script_t) - ') -') - -######################################## -## <summary> -## Read user httpd script executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_user_scripts',` - gen_require(` - type httpd_user_script_exec_t; - ') - - allow $1 httpd_user_script_exec_t:dir list_dir_perms; - read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) - read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) -') - -######################################## -## <summary> -## Read user httpd content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_user_content',` - gen_require(` - type httpd_user_content_t; - ') - - allow $1 httpd_user_content_t:dir list_dir_perms; - read_files_pattern($1, httpd_user_content_t, httpd_user_content_t) - read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) -') - -######################################## -## <summary> -## Execute httpd with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apache_domtrans',` - gen_require(` - type httpd_t, httpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_exec_t, httpd_t) -') - -######################################## -## <summary> -## Execute httpd server in the httpd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apache_initrc_domtrans',` - gen_require(` - type httpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, httpd_initrc_exec_t) -') - -####################################### -## <summary> -## Send generic signals to httpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_signal',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process signal; -') - -######################################## -## <summary> -## Send null signals to httpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_signull',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process signull; -') - -######################################## -## <summary> -## Send child terminated signals to httpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_sigchld',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process sigchld; -') - -######################################## -## <summary> -## Inherit and use file descriptors -## from httpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_use_fds',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write httpd unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_rw_fifo_file',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write httpd unix domain stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_rw_stream_sockets',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write httpd TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_rw_tcp_sockets',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Create, read, write, and delete -## all httpd content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_manage_all_content',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - ') - - manage_dirs_pattern($1, httpdcontent, httpdcontent) - manage_files_pattern($1, httpdcontent, httpdcontent) - manage_lnk_files_pattern($1, httpdcontent, httpdcontent) - - manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) -') - -######################################## -## <summary> -## Set attributes httpd cache directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_setattr_cache_dirs',` - gen_require(` - type httpd_cache_t; - ') - - allow $1 httpd_cache_t:dir setattr_dir_perms; -') - -######################################## -## <summary> -## List httpd cache directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_list_cache',` - gen_require(` - type httpd_cache_t; - ') - - list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## <summary> -## Read and write httpd cache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_rw_cache_files',` - gen_require(` - type httpd_cache_t; - ') - - allow $1 httpd_cache_t:file rw_file_perms; -') - -######################################## -## <summary> -## Delete httpd cache directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_delete_cache_dirs',` - gen_require(` - type httpd_cache_t; - ') - - delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## <summary> -## Delete httpd cache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_delete_cache_files',` - gen_require(` - type httpd_cache_t; - ') - - delete_files_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## <summary> -## Read httpd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_read_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - allow $1 httpd_config_t:dir list_dir_perms; - read_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) -') - -######################################## -## <summary> -## Search httpd configuration directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_search_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - allow $1 httpd_config_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## httpd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_manage_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, httpd_config_t, httpd_config_t) - manage_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) -') - -######################################## -## <summary> -## Execute the Apache helper program -## with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_domtrans_helper',` - gen_require(` - type httpd_helper_t, httpd_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t) -') - -######################################## -## <summary> -## Execute the Apache helper program with -## a domain transition, and allow the -## specified role the Apache helper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_run_helper',` - gen_require(` - attribute_role httpd_helper_roles; - ') - - apache_domtrans_helper($1) - roleattribute $2 httpd_helper_roles; -') - -######################################## -## <summary> -## Read httpd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_read_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - allow $1 httpd_log_t:dir list_dir_perms; - read_files_pattern($1, httpd_log_t, httpd_log_t) - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## <summary> -## Append httpd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_append_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - allow $1 httpd_log_t:dir list_dir_perms; - append_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## <summary> -## Do not audit attempts to append -## httpd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_append_log',` - gen_require(` - type httpd_log_t; - ') - - dontaudit $1 httpd_log_t:file append_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## httpd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_manage_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, httpd_log_t, httpd_log_t) - manage_files_pattern($1, httpd_log_t, httpd_log_t) - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) -') - -####################################### -## <summary> -## Write apache log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_write_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - write_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## <summary> -## Do not audit attempts to search -## httpd module directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_search_modules',` - gen_require(` - type httpd_modules_t; - ') - - dontaudit $1 httpd_modules_t:dir search_dir_perms; -') - -######################################## -## <summary> -## List httpd module directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_list_modules',` - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; -') - -######################################## -## <summary> -## Execute httpd module files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_exec_modules',` - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; - allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; - can_exec($1, httpd_modules_t) -') - -######################################## -## <summary> -## Read httpd module files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_module_files',` - gen_require(` - type httpd_modules_t; - ') - - libs_search_lib($1) - read_files_pattern($1, httpd_modules_t, httpd_modules_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run httpd_rotatelogs. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apache_domtrans_rotatelogs',` - gen_require(` - type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) -') - -######################################## -## <summary> -## List httpd system content directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_list_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - files_search_var($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## httpd system content files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_manage_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## httpd system rw content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_manage_sys_rw_content',` - gen_require(` - type httpd_sys_rw_content_t; - ') - - apache_search_sys_content($1) - manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -') - -######################################## -## <summary> -## Execute all httpd scripts in the -## system script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apache_domtrans_sys_script',` - gen_require(` - attribute httpdcontent; - type httpd_sys_script_t; - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($1, httpdcontent, httpd_sys_script_t) - ') -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write httpd system script unix -## domain stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_rw_sys_script_stream_sockets',` - gen_require(` - type httpd_sys_script_t; - ') - - dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## Execute all user scripts in the user -## script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apache_domtrans_all_scripts',` - gen_require(` - attribute httpd_exec_scripts; - ') - - typeattribute $1 httpd_exec_scripts; -') - -######################################## -## <summary> -## Execute all user scripts in the user -## script domain. Add user script domains -## to the specified role. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`apache_run_all_scripts',` - gen_require(` - attribute httpd_exec_scripts, httpd_script_domains; - ') - - role $2 types httpd_script_domains; - apache_domtrans_all_scripts($1) -') - -######################################## -## <summary> -## Read httpd squirrelmail data files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_squirrelmail_data',` - gen_require(` - type httpd_squirrelmail_t; - ') - - allow $1 httpd_squirrelmail_t:file read_file_perms; -') - -######################################## -## <summary> -## Append httpd squirrelmail data files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_append_squirrelmail_data',` - gen_require(` - type httpd_squirrelmail_t; - ') - - allow $1 httpd_squirrelmail_t:file append_file_perms; -') - -######################################## -## <summary> -## Search httpd system content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_search_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - files_search_var($1) - allow $1 httpd_sys_content_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read httpd system content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - allow $1 httpd_sys_content_t:dir list_dir_perms; - read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) -') - -######################################## -## <summary> -## Search httpd system CGI directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_search_sys_scripts',` - gen_require(` - type httpd_sys_content_t, httpd_sys_script_exec_t; - ') - - search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) -') - -######################################## -## <summary> -## Create, read, write, and delete all -## user httpd content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_manage_all_user_content',` - refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.') - apache_manage_all_content($1) -') - -######################################## -## <summary> -## Search system script state directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_search_sys_script_state',` - gen_require(` - type httpd_sys_script_t; - ') - - allow $1 httpd_sys_script_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read httpd tmp files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_tmp_files',` - gen_require(` - type httpd_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) -') - -######################################## -## <summary> -## Do not audit attempts to write -## httpd tmp files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_write_tmp_files',` - gen_require(` - type httpd_tmp_t; - ') - - dontaudit $1 httpd_tmp_t:file write_file_perms; -') - -######################################## -## <summary> -## Execute CGI in the specified domain. -## </summary> -## <desc> -## <p> -## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -## </p> -## </desc> -## <param name="domain"> -## <summary> -## Domain run the cgi script in. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## Type of the executable to enter the cgi domain. -## </summary> -## </param> -# -interface(`apache_cgi_domain',` - gen_require(` - type httpd_t, httpd_sys_script_exec_t; - ') - - domtrans_pattern(httpd_t, $2, $1) - apache_search_sys_scripts($1) - - allow httpd_t $1:process signal; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an apache environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_admin',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; - type httpd_t, httpd_config_t, httpd_log_t; - type httpd_modules_t, httpd_lock_t, httpd_helper_t; - type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t; - type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t; - type httpd_initrc_exec_t, httpd_suexec_t; - ') - - allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms }; - allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t }) - ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }) - - init_labeled_script_domtrans($1, httpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 httpd_initrc_exec_t system_r; - allow $2 system_r; - - apache_manage_all_content($1) - miscfiles_manage_public_files($1) - - files_search_etc($1) - admin_pattern($1, { httpd_config_t httpd_keytab_t }) - - logging_search_logs($1) - admin_pattern($1, httpd_log_t) - - admin_pattern($1, httpd_modules_t) - - admin_pattern($1, httpd_lock_t) - files_lock_filetrans($1, httpd_lock_t, file) - - admin_pattern($1, httpd_var_run_t) - files_pid_filetrans($1, httpd_var_run_t, file) - - admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type }) - admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t }) - - apache_run_all_scripts($1, $2) - apache_run_helper($1, $2) -') - -######################################## -## <summary> -## Read all appendable content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_read_all_ra_content',` - gen_require(` - attribute httpd_ra_content; - ') - - read_files_pattern($1, httpd_ra_content, httpd_ra_content) - read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content) -') - -######################################## -## <summary> -## Append to all appendable web content files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_append_all_ra_content',` - gen_require(` - attribute httpd_ra_content; - ') - - apache_search_all_content($1) - append_files_pattern($1, httpd_ra_content, httpd_ra_content) -') - -######################################## -## <summary> -## Read all read/write content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_read_all_rw_content',` - gen_require(` - attribute httpd_rw_content; - ') - - read_files_pattern($1, httpd_rw_content, httpd_rw_content) - read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) -') - -######################################## -## <summary> -## Manage all read/write content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_manage_all_rw_content',` - gen_require(` - attribute httpd_rw_content; - ') - - manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content) - manage_files_pattern($1, httpd_rw_content, httpd_rw_content) - manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) -') - -######################################## -## <summary> -## Read all web content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_read_all_content',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - ') - - read_files_pattern($1, httpdcontent, httpdcontent) - read_lnk_files_pattern($1, httpdcontent, httpdcontent) - - read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) -') - -######################################## -## <summary> -## Search all apache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_search_all_content',` - gen_require(` - attribute httpdcontent; - ') - - allow $1 httpdcontent:dir search_dir_perms; -') diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te deleted file mode 100644 index 0f24dc8c..00000000 --- a/policy/modules/contrib/apache.te +++ /dev/null @@ -1,1418 +0,0 @@ -policy_module(apache, 2.6.10) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether httpd can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -## </p> -## </desc> -gen_tunable(allow_httpd_anon_write, false) - -## <desc> -## <p> -## Determine whether httpd can use mod_auth_pam. -## </p> -## </desc> -gen_tunable(allow_httpd_mod_auth_pam, false) - -## <desc> -## <p> -## Determine whether httpd can use built in scripting. -## </p> -## </desc> -gen_tunable(httpd_builtin_scripting, false) - -## <desc> -## <p> -## Determine whether httpd can check spam. -## </p> -## </desc> -gen_tunable(httpd_can_check_spam, false) - -## <desc> -## <p> -## Determine whether httpd scripts and modules -## can connect to the network using TCP. -## </p> -## </desc> -gen_tunable(httpd_can_network_connect, false) - -## <desc> -## <p> -## Determine whether httpd scripts and modules -## can connect to cobbler over the network. -## </p> -## </desc> -gen_tunable(httpd_can_network_connect_cobbler, false) - -## <desc> -## <p> -## Determine whether scripts and modules can -## connect to databases over the network. -## </p> -## </desc> -gen_tunable(httpd_can_network_connect_db, false) - -## <desc> -## <p> -## Determine whether httpd can connect to -## ldap over the network. -## </p> -## </desc> -gen_tunable(httpd_can_network_connect_ldap, false) - -## <desc> -## <p> -## Determine whether httpd can connect -## to memcache server over the network. -## </p> -## </desc> -gen_tunable(httpd_can_network_connect_memcache, false) - -## <desc> -## <p> -## Determine whether httpd can act as a relay. -## </p> -## </desc> -gen_tunable(httpd_can_network_relay, false) - -## <desc> -## <p> -## Determine whether httpd daemon can -## connect to zabbix over the network. -## </p> -## </desc> -gen_tunable(httpd_can_network_connect_zabbix, false) - -## <desc> -## <p> -## Determine whether httpd can send mail. -## </p> -## </desc> -gen_tunable(httpd_can_sendmail, false) - -## <desc> -## <p> -## Determine whether httpd can communicate -## with avahi service via dbus. -## </p> -## </desc> -gen_tunable(httpd_dbus_avahi, false) - -## <desc> -## <p> -## Determine wether httpd can use support. -## </p> -## </desc> -gen_tunable(httpd_enable_cgi, false) - -## <desc> -## <p> -## Determine whether httpd can act as a -## FTP server by listening on the ftp port. -## </p> -## </desc> -gen_tunable(httpd_enable_ftp_server, false) - -## <desc> -## <p> -## Determine whether httpd can traverse -## user home directories. -## </p> -## </desc> -gen_tunable(httpd_enable_homedirs, false) - -## <desc> -## <p> -## Determine whether httpd gpg can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -## </p> -## </desc> -gen_tunable(httpd_gpg_anon_write, false) - -## <desc> -## <p> -## Determine whether httpd can execute -## its temporary content. -## </p> -## </desc> -gen_tunable(httpd_tmp_exec, false) - -## <desc> -## <p> -## Determine whether httpd scripts and -## modules can use execmem and execstack. -## </p> -## </desc> -gen_tunable(httpd_execmem, false) - -## <desc> -## <p> -## Determine whether httpd can connect -## to port 80 for graceful shutdown. -## </p> -## </desc> -gen_tunable(httpd_graceful_shutdown, false) - -## <desc> -## <p> -## Determine whether httpd can -## manage IPA content files. -## </p> -## </desc> -gen_tunable(httpd_manage_ipa, false) - -## <desc> -## <p> -## Determine whether httpd can use mod_auth_ntlm_winbind. -## </p> -## </desc> -gen_tunable(httpd_mod_auth_ntlm_winbind, false) - -## <desc> -## <p> -## Determine whether httpd can read -## generic user home content files. -## </p> -## </desc> -gen_tunable(httpd_read_user_content, false) - -## <desc> -## <p> -## Determine whether httpd can change -## its resource limits. -## </p> -## </desc> -gen_tunable(httpd_setrlimit, false) - -## <desc> -## <p> -## Determine whether httpd can run -## SSI executables in the same domain -## as system CGI scripts. -## </p> -## </desc> -gen_tunable(httpd_ssi_exec, false) - -## <desc> -## <p> -## Determine whether httpd can communicate -## with the terminal. Needed for entering the -## passphrase for certificates at the terminal. -## </p> -## </desc> -gen_tunable(httpd_tty_comm, false) - -## <desc> -## <p> -## Determine whether httpd can have full access -## to its content types. -## </p> -## </desc> -gen_tunable(httpd_unified, false) - -## <desc> -## <p> -## Determine whether httpd can use -## cifs file systems. -## </p> -## </desc> -gen_tunable(httpd_use_cifs, false) - -## <desc> -## <p> -## Determine whether httpd can -## use fuse file systems. -## </p> -## </desc> -gen_tunable(httpd_use_fusefs, false) - -## <desc> -## <p> -## Determine whether httpd can use gpg. -## </p> -## </desc> -gen_tunable(httpd_use_gpg, false) - -## <desc> -## <p> -## Determine whether httpd can use -## nfs file systems. -## </p> -## </desc> -gen_tunable(httpd_use_nfs, false) - -attribute httpdcontent; -attribute httpd_htaccess_type; - -# domains that can exec all scripts -attribute httpd_exec_scripts; - -attribute httpd_script_exec_type; - -# all script domains -attribute httpd_script_domains; - -attribute_role httpd_helper_roles; -roleattribute system_r httpd_helper_roles; - -type httpd_t; -type httpd_exec_t; -init_daemon_domain(httpd_t, httpd_exec_t) - -type httpd_cache_t; -files_type(httpd_cache_t) - -type httpd_config_t; -files_config_file(httpd_config_t) - -type httpd_helper_t; -type httpd_helper_exec_t; -application_domain(httpd_helper_t, httpd_helper_exec_t) -role httpd_helper_roles types httpd_helper_t; - -type httpd_initrc_exec_t; -init_script_file(httpd_initrc_exec_t) - -type httpd_lock_t; -files_lock_file(httpd_lock_t) - -type httpd_log_t; -logging_log_file(httpd_log_t) - -type httpd_modules_t; -files_type(httpd_modules_t) - -type httpd_rotatelogs_t; -type httpd_rotatelogs_exec_t; -init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) - -type httpd_squirrelmail_t; -files_type(httpd_squirrelmail_t) - -type squirrelmail_spool_t; -files_tmp_file(squirrelmail_spool_t) - -type httpd_suexec_t; -type httpd_suexec_exec_t; -domain_type(httpd_suexec_t) -domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -role system_r types httpd_suexec_t; - -type httpd_suexec_tmp_t; -files_tmp_file(httpd_suexec_tmp_t) - -apache_content_template(sys) -corecmd_shell_entry_type(httpd_sys_script_t) -typealias httpd_sys_content_t alias ntop_http_content_t; - -type httpd_tmp_t; -files_tmp_file(httpd_tmp_t) - -type httpd_tmpfs_t; -files_tmpfs_file(httpd_tmpfs_t) - -apache_content_template(user) -ubac_constrained(httpd_user_script_t) -userdom_user_home_content(httpd_user_content_t) -userdom_user_home_content(httpd_user_htaccess_t) -userdom_user_home_content(httpd_user_script_exec_t) -userdom_user_home_content(httpd_user_ra_content_t) -userdom_user_home_content(httpd_user_rw_content_t) -typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; -typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; -typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; -typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; -typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; -typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t }; -typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t }; -typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t }; -typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t }; -typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t }; -typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t }; -typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; -typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; - -type httpd_var_lib_t; -files_type(httpd_var_lib_t) - -type httpd_var_run_t; -files_pid_file(httpd_var_run_t) - -type httpd_passwd_t; -type httpd_passwd_exec_t; -domain_type(httpd_passwd_t) -domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t) -role system_r types httpd_passwd_t; - -type httpd_gpg_t; -domain_type(httpd_gpg_t) -role system_r types httpd_gpg_t; - -optional_policy(` - prelink_object_file(httpd_modules_t) -') - -######################################## -# -# Local policy -# - -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; -dontaudit httpd_t self:capability net_admin; -allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow httpd_t self:fd use; -allow httpd_t self:sock_file read_sock_file_perms; -allow httpd_t self:fifo_file rw_fifo_file_perms; -allow httpd_t self:shm create_shm_perms; -allow httpd_t self:sem create_sem_perms; -allow httpd_t self:msgq create_msgq_perms; -allow httpd_t self:msg { send receive }; -allow httpd_t self:unix_dgram_socket sendto; -allow httpd_t self:unix_stream_socket { accept connectto listen }; -allow httpd_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -files_var_filetrans(httpd_t, httpd_cache_t, dir) - -allow httpd_t httpd_config_t:dir list_dir_perms; -read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) -read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) - -allow httpd_t httpd_lock_t:file manage_file_perms; -files_lock_filetrans(httpd_t, httpd_lock_t, file) - -allow httpd_t httpd_log_t:dir setattr_dir_perms; -create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) -create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -logging_log_filetrans(httpd_t, httpd_log_t, file) - -allow httpd_t httpd_modules_t:dir list_dir_perms; -mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) -read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) -read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - -allow httpd_t httpd_rotatelogs_t:process signal_perms; - -manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) - -allow httpd_t httpd_suexec_exec_t:file read_file_perms; - -allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; - -manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) -userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir) - -manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) -manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) -files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) - -setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) - -manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) - -can_exec(httpd_t, httpd_exec_t) - -domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) -domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) -domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) -domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) - -kernel_read_kernel_sysctls(httpd_t) -kernel_read_network_state(httpd_t) -kernel_read_system_state(httpd_t) -kernel_search_network_sysctl(httpd_t) - -corenet_all_recvfrom_unlabeled(httpd_t) -corenet_all_recvfrom_netlabel(httpd_t) -corenet_tcp_sendrecv_generic_if(httpd_t) -corenet_tcp_sendrecv_generic_node(httpd_t) -corenet_tcp_bind_generic_node(httpd_t) - -corenet_sendrecv_http_server_packets(httpd_t) -corenet_tcp_bind_http_port(httpd_t) -corenet_tcp_sendrecv_http_port(httpd_t) - -corenet_sendrecv_http_cache_server_packets(httpd_t) -corenet_tcp_bind_http_cache_port(httpd_t) -corenet_tcp_sendrecv_http_cache_port(httpd_t) - -corecmd_exec_bin(httpd_t) -corecmd_exec_shell(httpd_t) - -dev_read_sysfs(httpd_t) -dev_read_rand(httpd_t) -dev_read_urand(httpd_t) -dev_rw_crypto(httpd_t) - -domain_use_interactive_fds(httpd_t) - -fs_getattr_all_fs(httpd_t) -fs_search_auto_mountpoints(httpd_t) - -fs_getattr_all_fs(httpd_t) -fs_read_anon_inodefs_files(httpd_t) -fs_read_iso9660_files(httpd_t) -fs_search_auto_mountpoints(httpd_t) - -files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) -files_list_mnt(httpd_t) -files_search_spool(httpd_t) -files_read_var_symlinks(httpd_t) -files_read_var_lib_files(httpd_t) -files_search_home(httpd_t) -files_getattr_home_dir(httpd_t) -files_read_etc_runtime_files(httpd_t) -files_read_var_lib_symlinks(httpd_t) - -auth_use_nsswitch(httpd_t) - -libs_read_lib_files(httpd_t) - -logging_send_syslog_msg(httpd_t) - -miscfiles_read_localization(httpd_t) -miscfiles_read_fonts(httpd_t) -miscfiles_read_public_files(httpd_t) -miscfiles_read_generic_certs(httpd_t) -miscfiles_read_tetex_data(httpd_t) - -seutil_dontaudit_search_config(httpd_t) - -userdom_use_unpriv_users_fds(httpd_t) - -ifdef(`TODO',` - tunable_policy(`allow_httpd_mod_auth_pam',` - auth_domtrans_chk_passwd(httpd_t) - - logging_send_audit_msgs(httpd_t) - ') -') - -ifdef(`hide_broken_symptoms',` - libs_exec_lib_files(httpd_t) -') - -tunable_policy(`allow_httpd_anon_write',` - miscfiles_manage_public_files(httpd_t) -') - -tunable_policy(`httpd_can_network_connect',` - corenet_sendrecv_all_client_packets(httpd_t) - corenet_tcp_connect_all_ports(httpd_t) - corenet_tcp_sendrecv_all_ports(httpd_t) -') - -tunable_policy(`httpd_can_network_connect_db',` - corenet_sendrecv_gds_db_client_packets(httpd_t) - corenet_tcp_connect_gds_db_port(httpd_t) - corenet_tcp_sendrecv_gds_db_port(httpd_t) - corenet_sendrecv_mssql_client_packets(httpd_t) - corenet_tcp_connect_mssql_port(httpd_t) - corenet_tcp_sendrecv_mssql_port(httpd_t) - corenet_sendrecv_oracledb_client_packets(httpd_t) - corenet_tcp_connect_oracledb_port(httpd_t) - corenet_tcp_sendrecv_oracledb_port(httpd_t) -') - -tunable_policy(`httpd_can_network_relay',` - corenet_sendrecv_gopher_client_packets(httpd_t) - corenet_tcp_connect_gopher_port(httpd_t) - corenet_tcp_sendrecv_gopher_port(httpd_t) - corenet_sendrecv_ftp_client_packets(httpd_t) - corenet_tcp_connect_ftp_port(httpd_t) - corenet_tcp_sendrecv_ftp_port(httpd_t) - corenet_sendrecv_http_client_packets(httpd_t) - corenet_tcp_connect_http_port(httpd_t) - corenet_tcp_sendrecv_http_port(httpd_t) - corenet_sendrecv_http_cache_client_packets(httpd_t) - corenet_tcp_connect_http_cache_port(httpd_t) - corenet_tcp_sendrecv_http_cache_port(httpd_t) - corenet_sendrecv_squid_client_packets(httpd_t) - corenet_tcp_connect_squid_port(httpd_t) - corenet_tcp_sendrecv_squid_port(httpd_t) -') - -tunable_policy(`httpd_builtin_scripting',` - exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type) - - allow httpd_t httpdcontent:dir list_dir_perms; - allow httpd_t httpdcontent:file read_file_perms; - allow httpd_t httpdcontent:lnk_file read_lnk_file_perms; -') - -tunable_policy(`httpd_enable_cgi',` - allow httpd_t httpd_script_domains:process { signal sigkill sigstop }; - allow httpd_t httpd_script_exec_type:dir list_dir_perms; -') - -tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` - fs_nfs_domtrans(httpd_t, httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` - fs_cifs_domtrans(httpd_t, httpd_sys_script_t) -') - -# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` -# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) -# ') - -tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) - - manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_t, httpdcontent, httpdcontent) - manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) - manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent) -') - -tunable_policy(`httpd_enable_ftp_server',` - corenet_sendrecv_ftp_server_packets(httpd_t) - corenet_tcp_bind_ftp_port(httpd_t) - corenet_tcp_sendrecv_ftp_port(httpd_t) -') - -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_list_auto_mountpoints(httpd_t) - fs_read_nfs_files(httpd_t) - fs_read_nfs_symlinks(httpd_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_list_auto_mountpoints(httpd_t) - fs_read_cifs_files(httpd_t) - fs_read_cifs_symlinks(httpd_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) -') - -tunable_policy(`httpd_execmem',` - allow httpd_t self:process { execmem execstack }; -') - -tunable_policy(`httpd_can_sendmail',` - corenet_sendrecv_smtp_client_packets(httpd_t) - corenet_tcp_connect_smtp_port(httpd_t) - corenet_tcp_sendrecv_smtp_port(httpd_t) - corenet_sendrecv_pop_client_packets(httpd_t) - corenet_tcp_connect_pop_port(httpd_t) - corenet_tcp_sendrecv_pop_port(httpd_t) - - mta_send_mail(httpd_t) - mta_signal_system_mail(httpd_t) -') - -optional_policy(` - tunable_policy(`httpd_can_network_connect_zabbix',` - zabbix_tcp_connect(httpd_t) - ') -') - -optional_policy(` - tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` - spamassassin_domtrans_client(httpd_t) - ') -') - -tunable_policy(`httpd_graceful_shutdown',` - corenet_sendrecv_http_client_packets(httpd_t) - corenet_tcp_connect_http_port(httpd_t) - corenet_tcp_sendrecv_http_port(httpd_t) -') - -optional_policy(` - tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` - gpg_spec_domtrans(httpd_t, httpd_gpg_t) - ') -') - -optional_policy(` - tunable_policy(`httpd_mod_auth_ntlm_winbind',` - samba_domtrans_winbind_helper(httpd_t) - ') -') - -tunable_policy(`httpd_read_user_content',` - userdom_read_user_home_content_files(httpd_t) -') - -tunable_policy(`httpd_setrlimit',` - allow httpd_t self:process setrlimit; - allow httpd_t self:capability sys_resource; -') - -tunable_policy(`httpd_ssi_exec',` - corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) -') - -tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` - can_exec(httpd_t, httpd_tmp_t) -') - -tunable_policy(`httpd_tty_comm',` - userdom_use_user_terminals(httpd_t) -',` - userdom_dontaudit_use_user_terminals(httpd_t) -') - -tunable_policy(`httpd_use_cifs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_cifs_dirs(httpd_t) - fs_manage_cifs_files(httpd_t) - fs_manage_cifs_symlinks(httpd_t) -') - -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) -') - -tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_fusefs_dirs(httpd_t) - fs_manage_fusefs_files(httpd_t) - fs_read_fusefs_symlinks(httpd_t) -') - -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` - fs_exec_fusefs_files(httpd_t) -') - -tunable_policy(`httpd_use_nfs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_nfs_dirs(httpd_t) - fs_manage_nfs_files(httpd_t) - fs_manage_nfs_symlinks(httpd_t) -') - -tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_t) -') - -optional_policy(` - calamaris_read_www_files(httpd_t) -') - -optional_policy(` - ccs_read_config(httpd_t) -') - -optional_policy(` - clamav_domtrans_clamscan(httpd_t) -') - -optional_policy(` - cobbler_read_config(httpd_t) - cobbler_read_lib_files(httpd_t) -') - -optional_policy(` - cron_system_entry(httpd_t, httpd_exec_t) -') - -optional_policy(` - cvs_read_data(httpd_t) -') - -optional_policy(` - daemontools_service_domain(httpd_t, httpd_exec_t) -') - -optional_policy(` - dbus_system_bus_client(httpd_t) - - tunable_policy(`httpd_dbus_avahi',` - avahi_dbus_chat(httpd_t) - ') -') - -optional_policy(` - git_read_generic_sys_content_files(httpd_t) -') - -optional_policy(` - gitosis_read_lib_files(httpd_t) -') - -optional_policy(` - kerberos_keytab_template(httpd, httpd_t) - kerberos_manage_host_rcache(httpd_t) - kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23") - kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48") -') - -optional_policy(` - ldap_stream_connect(httpd_t) - - tunable_policy(`httpd_can_network_connect_ldap',` - ldap_tcp_connect(httpd_t) - ') -') - -optional_policy(` - mailman_signal_cgi(httpd_t) - mailman_domtrans_cgi(httpd_t) - mailman_read_data_files(httpd_t) - mailman_search_data(httpd_t) - mailman_read_archive(httpd_t) -') - -optional_policy(` - memcached_stream_connect(httpd_t) - - tunable_policy(`httpd_can_network_connect_memcache',` - memcached_tcp_connect(httpd_t) - ') - - tunable_policy(`httpd_manage_ipa',` - memcached_manage_pid_files(httpd_t) - ') -') - -optional_policy(` - mysql_read_config(httpd_t) - mysql_stream_connect(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_t) - ') -') - -optional_policy(` - nagios_read_config(httpd_t) -') - -optional_policy(` - openca_domtrans(httpd_t) - openca_signal(httpd_t) - openca_sigstop(httpd_t) - openca_kill(httpd_t) -') - -optional_policy(` - pcscd_read_pid_files(httpd_t) -') - -optional_policy(` - postgresql_stream_connect(httpd_t) - postgresql_unpriv_client(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_t) - ') -') - -optional_policy(` - puppet_read_lib_files(httpd_t) -') - -optional_policy(` - rpc_search_nfs_state_data(httpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(httpd_t) -') - -optional_policy(` - smokeping_read_lib_files(httpd_t) -') - -optional_policy(` - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) - snmp_dontaudit_write_snmp_var_lib_files(httpd_t) -') - -optional_policy(` - udev_read_db(httpd_t) -') - -optional_policy(` - yam_read_content(httpd_t) -') - -######################################## -# -# Helper local policy -# - -read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t) - -append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) - -files_search_etc(httpd_helper_t) - -logging_search_logs(httpd_helper_t) -logging_send_syslog_msg(httpd_helper_t) - -tunable_policy(`httpd_tty_comm',` - userdom_use_user_terminals(httpd_helper_t) -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) -') - -######################################## -# -# Suexec local policy -# - -allow httpd_suexec_t self:capability { setuid setgid }; -allow httpd_suexec_t self:process signal_perms; -allow httpd_suexec_t self:fifo_file rw_fifo_file_perms; -allow httpd_suexec_t self:tcp_socket { accept listen }; -allow httpd_suexec_t self:unix_stream_socket { accept listen }; - -create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) - -manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) -manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) -files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(httpd_suexec_t) -kernel_list_proc(httpd_suexec_t) -kernel_read_proc_symlinks(httpd_suexec_t) - -corenet_all_recvfrom_unlabeled(httpd_suexec_t) -corenet_all_recvfrom_netlabel(httpd_suexec_t) -corenet_tcp_sendrecv_generic_if(httpd_suexec_t) -corenet_tcp_sendrecv_generic_node(httpd_suexec_t) - -corecmd_exec_bin(httpd_suexec_t) -corecmd_exec_shell(httpd_suexec_t) - -dev_read_urand(httpd_suexec_t) - -fs_read_iso9660_files(httpd_suexec_t) -fs_search_auto_mountpoints(httpd_suexec_t) - -files_read_usr_files(httpd_suexec_t) -files_dontaudit_search_pids(httpd_suexec_t) -files_search_home(httpd_suexec_t) - -auth_use_nsswitch(httpd_suexec_t) - -logging_search_logs(httpd_suexec_t) -logging_send_syslog_msg(httpd_suexec_t) - -miscfiles_read_localization(httpd_suexec_t) -miscfiles_read_public_files(httpd_suexec_t) - -tunable_policy(`httpd_builtin_scripting',` - exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type) - - allow httpd_suexec_t httpdcontent:dir list_dir_perms; - allow httpd_suexec_t httpdcontent:file read_file_perms; - allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms; -') - -tunable_policy(`httpd_can_network_connect',` - corenet_tcp_connect_all_ports(httpd_suexec_t) - corenet_sendrecv_all_client_packets(httpd_suexec_t) - corenet_tcp_sendrecv_all_ports(httpd_suexec_t) -') - -tunable_policy(`httpd_can_network_connect_db',` - corenet_sendrecv_gds_db_client_packets(httpd_suexec_t) - corenet_tcp_connect_gds_db_port(httpd_suexec_t) - corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t) - corenet_sendrecv_mssql_client_packets(httpd_suexec_t) - corenet_tcp_connect_mssql_port(httpd_suexec_t) - corenet_tcp_sendrecv_mssql_port(httpd_suexec_t) - corenet_sendrecv_oracledb_client_packets(httpd_suexec_t) - corenet_tcp_connect_oracledb_port(httpd_suexec_t) - corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t) -') - -tunable_policy(`httpd_can_sendmail',` - corenet_sendrecv_smtp_client_packets(httpd_suexec_t) - corenet_tcp_connect_smtp_port(httpd_suexec_t) - corenet_tcp_sendrecv_smtp_port(httpd_suexec_t) - corenet_sendrecv_pop_client_packets(httpd_suexec_t) - corenet_tcp_connect_pop_port(httpd_suexec_t) - corenet_tcp_sendrecv_pop_port(httpd_suexec_t) - mta_send_mail(httpd_suexec_t) - mta_signal_system_mail(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_list_auto_mountpoints(httpd_suexec_t) - fs_read_cifs_files(httpd_suexec_t) - fs_read_cifs_symlinks(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_list_auto_mountpoints(httpd_suexec_t) - fs_read_nfs_files(httpd_suexec_t) - fs_read_nfs_symlinks(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_suexec_t) -') - -tunable_policy(`httpd_execmem',` - allow httpd_suexec_t self:process { execmem execstack }; -') - -tunable_policy(`httpd_tmp_exec',` - can_exec(httpd_suexec_t, httpd_suexec_tmp_t) -') - -tunable_policy(`httpd_tty_comm',` - userdom_use_user_terminals(httpd_suexec_t) -',` - userdom_dontaudit_use_user_terminals(httpd_suexec_t) -') - -tunable_policy(`httpd_use_cifs',` - fs_list_auto_mountpoints(httpd_suexec_t) - fs_manage_cifs_dirs(httpd_suexec_t) - fs_manage_cifs_files(httpd_suexec_t) - fs_manage_cifs_symlinks(httpd_suexec_t) -') - -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_suexec_t) -') - -tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_suexec_t) - fs_manage_fusefs_dirs(httpd_suexec_t) - fs_manage_fusefs_files(httpd_suexec_t) - fs_read_fusefs_symlinks(httpd_suexec_t) -') - -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` - fs_exec_fusefs_files(httpd_suexec_t) -') - -tunable_policy(`httpd_use_nfs',` - fs_list_auto_mountpoints(httpd_suexec_t) - fs_manage_nfs_dirs(httpd_suexec_t) - fs_manage_nfs_files(httpd_suexec_t) - fs_manage_nfs_symlinks(httpd_suexec_t) -') - -tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_suexec_t) -') - -optional_policy(` - mailman_domtrans_cgi(httpd_suexec_t) -') - -optional_policy(` - mysql_stream_connect(httpd_suexec_t) - mysql_read_config(httpd_suexec_t) - - tunable_policy(`httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_suexec_t) - ') -') - -optional_policy(` - postgresql_stream_connect(httpd_suexec_t) - postgresql_unpriv_client(httpd_suexec_t) - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_suexec_t) - ') -') - -tunable_policy(`httpd_read_user_content',` - userdom_read_user_home_content_files(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_suexec_t) -') - -######################################## -# -# Common script local policy -# - -allow httpd_script_domains self:fifo_file rw_file_perms; -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; - -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) - -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - -corenet_all_recvfrom_unlabeled(httpd_script_domains) -corenet_all_recvfrom_netlabel(httpd_script_domains) -corenet_tcp_sendrecv_generic_if(httpd_script_domains) -corenet_tcp_sendrecv_generic_node(httpd_script_domains) - -corecmd_exec_all_executables(httpd_script_domains) - -dev_read_rand(httpd_script_domains) -dev_read_urand(httpd_script_domains) - -files_exec_etc_files(httpd_script_domains) -files_read_etc_files(httpd_script_domains) -files_search_home(httpd_script_domains) - -libs_exec_ld_so(httpd_script_domains) -libs_exec_lib_files(httpd_script_domains) - -logging_search_logs(httpd_script_domains) - -miscfiles_read_fonts(httpd_script_domains) -miscfiles_read_public_files(httpd_script_domains) - -seutil_dontaudit_search_config(httpd_script_domains) - -tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_script_domains httpdcontent:file entrypoint; - - manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent) - manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent) - - can_exec(httpd_script_domains, httpdcontent) -') - -tunable_policy(`httpd_enable_cgi',` - allow httpd_script_domains self:process { setsched signal_perms }; - allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms; - - kernel_read_system_state(httpd_script_domains) - - fs_getattr_all_fs(httpd_script_domains) - - files_read_etc_runtime_files(httpd_script_domains) - files_read_usr_files(httpd_script_domains) - - libs_read_lib_files(httpd_script_domains) - - miscfiles_read_localization(httpd_script_domains) -') - -optional_policy(` - tunable_policy(`httpd_enable_cgi && allow_ypbind',` - nis_use_ypbind_uncond(httpd_script_domains) - ') -') - -tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - corenet_sendrecv_gds_db_client_packets(httpd_script_domains) - corenet_tcp_connect_gds_db_port(httpd_script_domains) - corenet_tcp_sendrecv_gds_db_port(httpd_script_domains) - corenet_sendrecv_mssql_client_packets(httpd_script_domains) - corenet_tcp_connect_mssql_port(httpd_script_domains) - corenet_tcp_sendrecv_mssql_port(httpd_script_domains) - corenet_sendrecv_oracledb_client_packets(httpd_script_domains) - corenet_tcp_connect_oracledb_port(httpd_script_domains) - corenet_tcp_sendrecv_oracledb_port(httpd_script_domains) -') - -optional_policy(` - mysql_read_config(httpd_script_domains) - mysql_stream_connect(httpd_script_domains) - - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_script_domains) - ') -') - -optional_policy(` - postgresql_stream_connect(httpd_script_domains) - - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_script_domains) - ') -') - -optional_policy(` - nscd_use(httpd_script_domains) -') - -######################################## -# -# System script local policy -# - -allow httpd_sys_script_t self:tcp_socket { accept listen }; - -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; - -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; -allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms; -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; - -kernel_read_kernel_sysctls(httpd_sys_script_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) - -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) - -apache_domtrans_rotatelogs(httpd_sys_script_t) - -auth_use_nsswitch(httpd_sys_script_t) - -tunable_policy(`httpd_can_sendmail',` - corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) - corenet_tcp_connect_smtp_port(httpd_sys_script_t) - corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t) - corenet_sendrecv_pop_client_packets(httpd_sys_script_t) - corenet_tcp_connect_pop_port(httpd_sys_script_t) - corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) - - mta_send_mail(httpd_sys_script_t) - mta_signal_system_mail(httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` - corenet_tcp_connect_all_ports(httpd_sys_script_t) - corenet_sendrecv_all_client_packets(httpd_sys_script_t) - corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) -') - -tunable_policy(`httpd_execmem',` - allow httpd_sys_script_t self:process { execmem execstack }; -') - -tunable_policy(`httpd_read_user_content',` - userdom_read_user_home_content_files(httpd_sys_script_t) -') - -tunable_policy(`httpd_use_cifs',` - fs_list_auto_mountpoints(httpd_sys_script_t) - fs_manage_cifs_dirs(httpd_sys_script_t) - fs_manage_cifs_files(httpd_sys_script_t) - fs_manage_cifs_symlinks(httpd_sys_script_t) -') - -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_sys_script_t) -') - -tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_sys_script_t) - fs_manage_fusefs_dirs(httpd_sys_script_t) - fs_manage_fusefs_files(httpd_sys_script_t) - fs_read_fusefs_symlinks(httpd_sys_script_t) -') - -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` - fs_exec_fusefs_files(httpd_sys_script_t) -') - -tunable_policy(`httpd_use_nfs',` - fs_list_auto_mountpoints(httpd_sys_script_t) - fs_manage_nfs_dirs(httpd_sys_script_t) - fs_manage_nfs_files(httpd_sys_script_t) - fs_manage_nfs_symlinks(httpd_sys_script_t) -') - -tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_sys_script_t) -') - -optional_policy(` - clamav_domtrans_clamscan(httpd_sys_script_t) -') - -optional_policy(` - postgresql_unpriv_client(httpd_sys_script_t) -') - -######################################## -# -# Rotatelogs local policy -# - -allow httpd_rotatelogs_t self:capability dac_override; - -manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) - -kernel_read_kernel_sysctls(httpd_rotatelogs_t) -kernel_dontaudit_list_proc(httpd_rotatelogs_t) - -files_read_etc_files(httpd_rotatelogs_t) - -logging_search_logs(httpd_rotatelogs_t) - -miscfiles_read_localization(httpd_rotatelogs_t) - -######################################## -# -# Unconfined script local policy -# - -optional_policy(` - apache_content_template(unconfined) - unconfined_domain(httpd_unconfined_script_t) -') - -######################################## -# -# User content local policy -# - -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_user_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_list_auto_mountpoints(httpd_user_script_t) - fs_read_cifs_files(httpd_user_script_t) - fs_read_cifs_symlinks(httpd_user_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_user_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_list_auto_mountpoints(httpd_user_script_t) - fs_read_nfs_files(httpd_user_script_t) - fs_read_nfs_symlinks(httpd_user_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_user_script_t) -') - -tunable_policy(`httpd_read_user_content',` - userdom_read_user_home_content_files(httpd_user_script_t) -') - -optional_policy(` - postgresql_unpriv_client(httpd_user_script_t) -') - -######################################## -# -# Passwd local policy -# - -allow httpd_passwd_t self:fifo_file manage_fifo_file_perms; -allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms; -allow httpd_passwd_t self:unix_dgram_socket create_socket_perms; - -dontaudit httpd_passwd_t httpd_config_t:file read_file_perms; - -kernel_read_system_state(httpd_passwd_t) - -corecmd_exec_bin(httpd_passwd_t) -corecmd_exec_shell(httpd_passwd_t) - -dev_read_urand(httpd_passwd_t) - -domain_use_interactive_fds(httpd_passwd_t) - -auth_use_nsswitch(httpd_passwd_t) - -miscfiles_read_generic_certs(httpd_passwd_t) -miscfiles_read_localization(httpd_passwd_t) - -######################################## -# -# GPG local policy -# - -allow httpd_gpg_t self:process setrlimit; - -allow httpd_gpg_t httpd_t:fd use; -allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; -allow httpd_gpg_t httpd_t:process sigchld; - -dev_read_rand(httpd_gpg_t) -dev_read_urand(httpd_gpg_t) - -files_read_usr_files(httpd_gpg_t) - -miscfiles_read_localization(httpd_gpg_t) - -tunable_policy(`httpd_gpg_anon_write',` - miscfiles_manage_public_files(httpd_gpg_t) -') - -optional_policy(` - apache_manage_sys_rw_content(httpd_gpg_t) -') - -optional_policy(` - gpg_entry_type(httpd_gpg_t) - gpg_exec(httpd_gpg_t) -') - -ifdef(`distro_gentoo',` - attribute httpd_ra_content; - attribute httpd_rw_content; -') diff --git a/policy/modules/contrib/apcupsd.fc b/policy/modules/contrib/apcupsd.fc deleted file mode 100644 index 5ec0e13c..00000000 --- a/policy/modules/contrib/apcupsd.fc +++ /dev/null @@ -1,18 +0,0 @@ -/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) - -/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - -/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - -/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0) - -/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) -/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) - -/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0) - -/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) diff --git a/policy/modules/contrib/apcupsd.if b/policy/modules/contrib/apcupsd.if deleted file mode 100644 index f3c0abac..00000000 --- a/policy/modules/contrib/apcupsd.if +++ /dev/null @@ -1,168 +0,0 @@ -## <summary>APC UPS monitoring daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to -## run apcupsd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apcupsd_domtrans',` - gen_require(` - type apcupsd_t, apcupsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, apcupsd_exec_t, apcupsd_t) -') - -######################################## -## <summary> -## Execute apcupsd server in the -## apcupsd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apcupsd_initrc_domtrans',` - gen_require(` - type apcupsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) -') - -######################################## -## <summary> -## Read apcupsd PID files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apcupsd_read_pid_files',` - gen_require(` - type apcupsd_var_run_t; - ') - - files_search_pids($1) - allow $1 apcupsd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Read apcupsd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apcupsd_read_log',` - gen_require(` - type apcupsd_log_t; - ') - - logging_search_logs($1) - allow $1 apcupsd_log_t:dir list_dir_perms; - allow $1 apcupsd_log_t:file read_file_perms; -') - -######################################## -## <summary> -## Append apcupsd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apcupsd_append_log',` - gen_require(` - type apcupsd_log_t; - ') - - logging_search_logs($1) - allow $1 apcupsd_log_t:dir list_dir_perms; - allow $1 apcupsd_log_t:file append_file_perms; -') - -######################################## -## <summary> -## Execute a domain transition to -## run httpd_apcupsd_cgi_script. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apcupsd_cgi_script_domtrans',` - gen_require(` - type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; - ') - - files_search_var($1) - domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) - - optional_policy(` - apache_search_sys_content($1) - ') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an apcupsd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apcupsd_admin',` - gen_require(` - type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; - type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t; - ') - - allow $1 apcupsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, apcupsd_t) - - apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apcupsd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var($1) - admin_pattern($1, apcupsd_lock_t) - - logging_list_logs($1) - admin_pattern($1, apcupsd_log_t) - - files_list_tmp($1) - admin_pattern($1, apcupsd_tmp_t) - - files_list_pids($1) - admin_pattern($1, apcupsd_var_run_t) -') diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te deleted file mode 100644 index b2363276..00000000 --- a/policy/modules/contrib/apcupsd.te +++ /dev/null @@ -1,127 +0,0 @@ -policy_module(apcupsd, 1.8.4) - -######################################## -# -# Declarations -# - -type apcupsd_t; -type apcupsd_exec_t; -init_daemon_domain(apcupsd_t, apcupsd_exec_t) - -type apcupsd_lock_t; -files_lock_file(apcupsd_lock_t) - -type apcupsd_initrc_exec_t; -init_script_file(apcupsd_initrc_exec_t) - -type apcupsd_log_t; -logging_log_file(apcupsd_log_t) - -type apcupsd_tmp_t; -files_tmp_file(apcupsd_tmp_t) - -type apcupsd_var_run_t; -files_pid_file(apcupsd_var_run_t) - -######################################## -# -# Local policy -# - -allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; -allow apcupsd_t self:process signal; -allow apcupsd_t self:fifo_file rw_file_perms; -allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; -allow apcupsd_t self:tcp_socket create_stream_socket_perms; - -allow apcupsd_t apcupsd_lock_t:file manage_file_perms; -files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) - -append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -logging_log_filetrans(apcupsd_t, apcupsd_log_t, file) - -manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) -files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file) - -manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t) -files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file) - -kernel_read_system_state(apcupsd_t) - -corecmd_exec_bin(apcupsd_t) -corecmd_exec_shell(apcupsd_t) - -corenet_all_recvfrom_unlabeled(apcupsd_t) -corenet_all_recvfrom_netlabel(apcupsd_t) -corenet_tcp_sendrecv_generic_if(apcupsd_t) -corenet_tcp_sendrecv_generic_node(apcupsd_t) -corenet_tcp_bind_generic_node(apcupsd_t) -corenet_udp_sendrecv_generic_if(apcupsd_t) -corenet_udp_sendrecv_generic_node(apcupsd_t) -corenet_udp_bind_generic_node(apcupsd_t) - -corenet_tcp_bind_apcupsd_port(apcupsd_t) -corenet_sendrecv_apcupsd_server_packets(apcupsd_t) -corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) -corenet_tcp_connect_apcupsd_port(apcupsd_t) - -corenet_udp_bind_snmp_port(apcupsd_t) -corenet_sendrecv_snmp_server_packets(apcupsd_t) -corenet_udp_sendrecv_snmp_port(apcupsd_t) - -dev_rw_generic_usb_dev(apcupsd_t) - -files_read_etc_files(apcupsd_t) -files_manage_etc_runtime_files(apcupsd_t) -files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") - -term_use_unallocated_ttys(apcupsd_t) - -logging_send_syslog_msg(apcupsd_t) - -miscfiles_read_localization(apcupsd_t) - -sysnet_dns_name_resolve(apcupsd_t) - -userdom_use_user_ttys(apcupsd_t) - -optional_policy(` - hostname_exec(apcupsd_t) -') - -optional_policy(` - mta_send_mail(apcupsd_t) - mta_system_content(apcupsd_tmp_t) -') - -optional_policy(` - shutdown_domtrans(apcupsd_t) -') - -######################################## -# -# CGI local policy -# - -optional_policy(` - apache_content_template(apcupsd_cgi) - - allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t) - corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) - corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t) - corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t) - corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) - corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) - corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) - - sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t) -') diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc deleted file mode 100644 index ce27d2fb..00000000 --- a/policy/modules/contrib/apm.fc +++ /dev/null @@ -1,19 +0,0 @@ -/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0) - -/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0) - -/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0) -/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0) -/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0) - -/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0) - -/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) - -/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) -/var/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) -/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) -/var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) -/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) - -/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/apm.if deleted file mode 100644 index 1a7a97e5..00000000 --- a/policy/modules/contrib/apm.if +++ /dev/null @@ -1,190 +0,0 @@ -## <summary>Advanced power management.</summary> - -######################################## -## <summary> -## Execute apm in the apm domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apm_domtrans_client',` - gen_require(` - type apm_t, apm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, apm_exec_t, apm_t) -') - -######################################## -## <summary> -## Execute apm in the apm domain -## and allow the specified role -## the apm domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`apm_run_client',` - gen_require(` - attribute_role apm_roles; - ') - - apm_domtrans_client($1) - roleattribute $2 apm_roles; -') - -######################################## -## <summary> -## Use apmd file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apm_use_fds',` - gen_require(` - type apmd_t; - ') - - allow $1 apmd_t:fd use; -') - -######################################## -## <summary> -## Write apmd unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apm_write_pipes',` - gen_require(` - type apmd_t; - ') - - allow $1 apmd_t:fifo_file write; -') - -######################################## -## <summary> -## Read and write to apmd unix -## stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apm_rw_stream_sockets',` - gen_require(` - type apmd_t; - ') - - allow $1 apmd_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## Append apmd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apm_append_log',` - gen_require(` - type apmd_log_t; - ') - - logging_search_logs($1) - allow $1 apmd_log_t:file append_file_perms; -') - -######################################## -## <summary> -## Connect to apmd over an unix -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apm_stream_connect',` - gen_require(` - type apmd_t, apmd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an apm environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apm_admin',` - gen_require(` - type apmd_t, apmd_initrc_exec_t, apmd_log_t; - type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t; - type apmd_tmp_t; - ') - - allow $1 apmd_t:process { ptrace signal_perms }; - ps_process_pattern($1, apmd_t) - - init_labeled_script_domtrans($1, apmd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apmd_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, apmd_log_t) - - files_search_locks($1) - admin_pattern($1, apmd_lock_t) - - files_search_pids($1) - admin_pattern($1, apmd_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, apmd_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, apmd_tmp_t) - - apm_run_client($1, $2) -') diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te deleted file mode 100644 index 3590e2fa..00000000 --- a/policy/modules/contrib/apm.te +++ /dev/null @@ -1,231 +0,0 @@ -policy_module(apm, 1.11.4) - -######################################## -# -# Declarations -# - -attribute_role apm_roles; -roleattribute system_r apm_roles; - -type apmd_t; -type apmd_exec_t; -init_daemon_domain(apmd_t, apmd_exec_t) - -type apmd_initrc_exec_t; -init_script_file(apmd_initrc_exec_t) - -type apm_t; -type apm_exec_t; -application_domain(apm_t, apm_exec_t) -role apm_roles types apm_t; - -type apmd_lock_t; -files_lock_file(apmd_lock_t) - -type apmd_log_t; -logging_log_file(apmd_log_t) - -type apmd_tmp_t; -files_tmp_file(apmd_tmp_t) - -type apmd_var_lib_t; -files_type(apmd_var_lib_t) - -type apmd_var_run_t; -files_pid_file(apmd_var_run_t) - -######################################## -# -# Client local policy -# - -allow apm_t self:capability { dac_override sys_admin }; - -kernel_read_system_state(apm_t) - -dev_rw_apm_bios(apm_t) - -fs_getattr_xattr_fs(apm_t) - -term_use_all_terms(apm_t) - -domain_use_interactive_fds(apm_t) - -logging_send_syslog_msg(apm_t) - -######################################## -# -# Server local policy -# - -allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; -allow apmd_t self:process { signal_perms getsession }; -allow apmd_t self:fifo_file rw_fifo_file_perms; -allow apmd_t self:netlink_socket create_socket_perms; -allow apmd_t self:unix_stream_socket { accept listen }; - -allow apmd_t apmd_lock_t:file manage_file_perms; -files_lock_filetrans(apmd_t, apmd_lock_t, file) - -allow apmd_t apmd_log_t:file manage_file_perms; -logging_log_filetrans(apmd_t, apmd_log_t, file) - -manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) -manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) -files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir }) - -manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) -manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) -files_var_lib_filetrans(apmd_t, apmd_var_lib_t, dir) - -manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t) -manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t) -files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file }) - -can_exec(apmd_t, apmd_var_run_t) - -kernel_read_kernel_sysctls(apmd_t) -kernel_rw_all_sysctls(apmd_t) -kernel_read_system_state(apmd_t) -kernel_write_proc_files(apmd_t) - -dev_read_input(apmd_t) -dev_read_mouse(apmd_t) -dev_read_realtime_clock(apmd_t) -dev_read_urand(apmd_t) -dev_rw_apm_bios(apmd_t) -dev_rw_sysfs(apmd_t) -dev_dontaudit_getattr_all_chr_files(apmd_t) -dev_dontaudit_getattr_all_blk_files(apmd_t) - -files_exec_etc_files(apmd_t) -files_read_etc_runtime_files(apmd_t) -files_dontaudit_getattr_all_files(apmd_t) -files_dontaudit_getattr_all_symlinks(apmd_t) -files_dontaudit_getattr_all_pipes(apmd_t) -files_dontaudit_getattr_all_sockets(apmd_t) - -fs_dontaudit_list_tmpfs(apmd_t) -fs_getattr_all_fs(apmd_t) -fs_search_auto_mountpoints(apmd_t) -fs_dontaudit_getattr_all_files(apmd_t) -fs_dontaudit_getattr_all_symlinks(apmd_t) -fs_dontaudit_getattr_all_pipes(apmd_t) -fs_dontaudit_getattr_all_sockets(apmd_t) - -selinux_search_fs(apmd_t) - -corecmd_exec_all_executables(apmd_t) - -domain_read_all_domains_state(apmd_t) -domain_dontaudit_ptrace_all_domains(apmd_t) -domain_use_interactive_fds(apmd_t) -domain_dontaudit_getattr_all_sockets(apmd_t) -domain_dontaudit_getattr_all_key_sockets(apmd_t) -domain_dontaudit_list_all_domains_state(apmd_t) - -auth_use_nsswitch(apmd_t) - -init_domtrans_script(apmd_t) - -libs_exec_ld_so(apmd_t) -libs_exec_lib_files(apmd_t) - -logging_send_audit_msgs(apmd_t) -logging_send_syslog_msg(apmd_t) - -miscfiles_read_localization(apmd_t) -miscfiles_read_hwdata(apmd_t) - -modutils_domtrans_insmod(apmd_t) -modutils_read_module_config(apmd_t) - -seutil_dontaudit_read_config(apmd_t) - -userdom_dontaudit_use_unpriv_user_fds(apmd_t) -userdom_dontaudit_search_user_home_dirs(apmd_t) -userdom_dontaudit_search_user_home_content(apmd_t) - -optional_policy(` - automount_domtrans(apmd_t) -') - -optional_policy(` - clock_domtrans(apmd_t) - clock_rw_adjtime(apmd_t) -') - -optional_policy(` - cron_system_entry(apmd_t, apmd_exec_t) - cron_anacron_domtrans_system_job(apmd_t) -') - -optional_policy(` - devicekit_manage_pid_files(apmd_t) - devicekit_manage_log_files(apmd_t) - devicekit_relabel_log_files(apmd_t) -') - -optional_policy(` - dbus_system_bus_client(apmd_t) - - optional_policy(` - consolekit_dbus_chat(apmd_t) - ') - - optional_policy(` - networkmanager_dbus_chat(apmd_t) - ') -') - -optional_policy(` - fstools_domtrans(apmd_t) -') - -optional_policy(` - iptables_domtrans(apmd_t) -') - -optional_policy(` - logrotate_use_fds(apmd_t) -') - -optional_policy(` - mta_send_mail(apmd_t) -') - -optional_policy(` - netutils_domtrans(apmd_t) -') - -optional_policy(` - pcmcia_domtrans_cardmgr(apmd_t) - pcmcia_domtrans_cardctl(apmd_t) -') - -optional_policy(` - seutil_sigchld_newrole(apmd_t) -') - -optional_policy(` - shutdown_domtrans(apmd_t) -') - -optional_policy(` - sysnet_domtrans_ifconfig(apmd_t) -') - -optional_policy(` - udev_read_db(apmd_t) - udev_read_state(apmd_t) -') - -optional_policy(` - vbetool_domtrans(apmd_t) -') - -optional_policy(` - xserver_domtrans(apmd_t) -') diff --git a/policy/modules/contrib/apt.fc b/policy/modules/contrib/apt.fc deleted file mode 100644 index 1fd6888e..00000000 --- a/policy/modules/contrib/apt.fc +++ /dev/null @@ -1,20 +0,0 @@ -ifndef(`distro_redhat',` -/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) -/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0) -/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) -/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) -/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) -') - -/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) - -/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) -/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) - -/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) - -/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0) - -/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if deleted file mode 100644 index e2414c4e..00000000 --- a/policy/modules/contrib/apt.if +++ /dev/null @@ -1,221 +0,0 @@ -## <summary>Advanced package tool.</summary> - -######################################## -## <summary> -## Execute apt programs in the apt domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apt_domtrans',` - gen_require(` - type apt_t, apt_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, apt_exec_t, apt_t) -') - -######################################## -## <summary> -## Execute apt programs in the apt domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apt_run',` - gen_require(` - attribute_role apt_roles; - ') - - apt_domtrans($1) - roleattribute $2 apt_roles; -') - -######################################## -## <summary> -## Use apt file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apt_use_fds',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to use -## apt file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apt_dontaudit_use_fds',` - gen_require(` - type apt_t; - ') - - dontaudit $1 apt_t:fd use; -') - -######################################## -## <summary> -## Read apt unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apt_read_pipes',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fifo_file read_fifo_file_perms; -') - -######################################## -## <summary> -## Read and write apt unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apt_rw_pipes',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fifo_file rw_file_perms; -') - -######################################## -## <summary> -## Read and write apt ptys. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apt_use_ptys',` - gen_require(` - type apt_devpts_t; - ') - - allow $1 apt_devpts_t:chr_file rw_term_perms; -') - -######################################## -## <summary> -## Read apt package cache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apt_read_cache',` - gen_require(` - type apt_var_cache_t; - ') - - files_search_var($1) - allow $1 apt_var_cache_t:dir list_dir_perms; - dontaudit $1 apt_var_cache_t:dir write_dir_perms; - allow $1 apt_var_cache_t:file read_file_perms; -') - -######################################## -## <summary> -## Read apt package database content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apt_read_db',` - gen_require(` - type apt_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 apt_var_lib_t:dir list_dir_perms; - read_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## apt package database content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apt_manage_db',` - gen_require(` - type apt_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) -') - -######################################## -## <summary> -## Do not audit attempts to create, -## read, write, and delete apt -## package database content. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apt_dontaudit_manage_db',` - gen_require(` - type apt_var_lib_t; - ') - - dontaudit $1 apt_var_lib_t:dir rw_dir_perms; - dontaudit $1 apt_var_lib_t:file manage_file_perms; - dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms; -') diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te deleted file mode 100644 index e2d8d52b..00000000 --- a/policy/modules/contrib/apt.te +++ /dev/null @@ -1,148 +0,0 @@ -policy_module(apt, 1.7.5) - -######################################## -# -# Declarations -# - -attribute_role apt_roles; - -type apt_t; -type apt_exec_t; -init_system_domain(apt_t, apt_exec_t) -domain_system_change_exemption(apt_t) -role apt_roles types apt_t; - -type apt_devpts_t; -term_pty(apt_devpts_t) - -type apt_lock_t; -files_lock_file(apt_lock_t) - -type apt_tmp_t; -files_tmp_file(apt_tmp_t) - -type apt_tmpfs_t; -files_tmpfs_file(apt_tmpfs_t) - -type apt_var_cache_t alias var_cache_apt_t; -files_type(apt_var_cache_t) - -type apt_var_lib_t alias var_lib_apt_t; -files_type(apt_var_lib_t) - -type apt_var_log_t; -logging_log_file(apt_var_log_t) - -######################################## -# -# Local policy -# - -allow apt_t self:capability { chown dac_override fowner fsetid }; -allow apt_t self:process { signal setpgid fork }; -allow apt_t self:fd use; -allow apt_t self:fifo_file rw_fifo_file_perms; -allow apt_t self:unix_dgram_socket sendto; -allow apt_t self:unix_stream_socket { accept connectto listen }; -allow apt_t self:udp_socket { connect create_socket_perms }; -allow apt_t self:tcp_socket create_stream_socket_perms; -allow apt_t self:shm create_shm_perms; -allow apt_t self:sem create_sem_perms; -allow apt_t self:msgq create_msgq_perms; -allow apt_t self:msg { send receive }; -allow apt_t self:netlink_route_socket r_netlink_socket_perms; - -allow apt_t apt_lock_t:dir manage_dir_perms; -allow apt_t apt_lock_t:file manage_file_perms; -files_lock_filetrans(apt_t, apt_lock_t, { dir file }) - -manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t) -manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t) -files_tmp_filetrans(apt_t, apt_tmp_t, { file dir }) - -manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) -files_var_filetrans(apt_t, apt_var_cache_t, dir) - -manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) - -allow apt_t apt_var_log_t:file manage_file_perms; -logging_log_filetrans(apt_t, apt_var_log_t, file) - -kernel_read_system_state(apt_t) -kernel_read_kernel_sysctls(apt_t) - -corecmd_exec_bin(apt_t) -corecmd_exec_shell(apt_t) - -corenet_all_recvfrom_unlabeled(apt_t) -corenet_all_recvfrom_netlabel(apt_t) -corenet_tcp_sendrecv_generic_if(apt_t) -corenet_tcp_sendrecv_generic_node(apt_t) -corenet_tcp_sendrecv_all_ports(apt_t) - -corenet_sendrecv_all_client_packets(apt_t) -corenet_tcp_connect_all_ports(apt_t) - -dev_read_urand(apt_t) - -domain_getattr_all_domains(apt_t) -domain_use_interactive_fds(apt_t) - -files_exec_usr_files(apt_t) -files_read_etc_files(apt_t) -files_read_etc_runtime_files(apt_t) - -fs_getattr_all_fs(apt_t) - -term_create_pty(apt_t, apt_devpts_t) -term_list_ptys(apt_t) -term_use_all_terms(apt_t) - -libs_exec_ld_so(apt_t) -libs_exec_lib_files(apt_t) - -logging_send_syslog_msg(apt_t) - -miscfiles_read_localization(apt_t) - -seutil_use_newrole_fds(apt_t) - -sysnet_read_config(apt_t) - -userdom_use_user_terminals(apt_t) - -optional_policy(` - cron_system_entry(apt_t, apt_exec_t) -') - -optional_policy(` - dbus_system_domain(apt_t, apt_exec_t) -') - -optional_policy(` - dpkg_read_db(apt_t) - dpkg_domtrans(apt_t) - dpkg_lock_db(apt_t) -') - -optional_policy(` - nis_use_ypbind(apt_t) -') - -optional_policy(` - rpm_read_db(apt_t) - rpm_domtrans(apt_t) -') - -optional_policy(` - unconfined_domain(apt_t) -') diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc deleted file mode 100644 index 9ca0d0fb..00000000 --- a/policy/modules/contrib/arpwatch.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) - -/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0) - -/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) - -/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) - -/var/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0) diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if deleted file mode 100644 index 50c9b9c8..00000000 --- a/policy/modules/contrib/arpwatch.if +++ /dev/null @@ -1,159 +0,0 @@ -## <summary>Ethernet activity monitor.</summary> - -######################################## -## <summary> -## Execute arpwatch server in the -## arpwatch domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`arpwatch_initrc_domtrans',` - gen_require(` - type arpwatch_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) -') - -######################################## -## <summary> -## Search arpwatch data file directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`arpwatch_search_data',` - gen_require(` - type arpwatch_data_t; - ') - - files_search_var_lib($1) - allow $1 arpwatch_data_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## arpwatch data files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`arpwatch_manage_data_files',` - gen_require(` - type arpwatch_data_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t) -') - -######################################## -## <summary> -## Read and write arpwatch temporary -## files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`arpwatch_rw_tmp_files',` - gen_require(` - type arpwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 arpwatch_tmp_t:file rw_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## arpwatch temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`arpwatch_manage_tmp_files',` - gen_require(` - type arpwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 arpwatch_tmp_t:file manage_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write arpwatch packet sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`arpwatch_dontaudit_rw_packet_sockets',` - gen_require(` - type arpwatch_t; - ') - - dontaudit $1 arpwatch_t:packet_socket { read write }; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an arpwatch environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`arpwatch_admin',` - gen_require(` - type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t; - type arpwatch_data_t, arpwatch_var_run_t; - ') - - allow $1 arpwatch_t:process { ptrace signal_perms }; - ps_process_pattern($1, arpwatch_t) - - arpwatch_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 arpwatch_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, arpwatch_tmp_t) - - files_list_var($1) - admin_pattern($1, arpwatch_data_t) - - files_list_pids($1) - admin_pattern($1, arpwatch_var_run_t) -') diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te deleted file mode 100644 index fa18c76d..00000000 --- a/policy/modules/contrib/arpwatch.te +++ /dev/null @@ -1,82 +0,0 @@ -policy_module(arpwatch, 1.10.4) - -######################################## -# -# Declarations -# - -type arpwatch_t; -type arpwatch_exec_t; -init_daemon_domain(arpwatch_t, arpwatch_exec_t) - -type arpwatch_initrc_exec_t; -init_script_file(arpwatch_initrc_exec_t) - -type arpwatch_data_t; -files_type(arpwatch_data_t) - -type arpwatch_tmp_t; -files_tmp_file(arpwatch_tmp_t) - -type arpwatch_var_run_t; -files_pid_file(arpwatch_var_run_t) - -######################################## -# -# Local policy -# - -allow arpwatch_t self:capability { net_admin net_raw setgid setuid }; -dontaudit arpwatch_t self:capability sys_tty_config; -allow arpwatch_t self:process signal_perms; -allow arpwatch_t self:unix_stream_socket { accept listen }; -allow arpwatch_t self:tcp_socket { accept listen }; -allow arpwatch_t self:packet_socket create_socket_perms; -allow arpwatch_t self:socket create_socket_perms; - -manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) - -manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t) -manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t) -files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) - -manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) -files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) - -kernel_read_kernel_sysctls(arpwatch_t) -kernel_read_network_state(arpwatch_t) -kernel_read_system_state(arpwatch_t) -kernel_request_load_module(arpwatch_t) - -dev_read_sysfs(arpwatch_t) -dev_read_usbmon_dev(arpwatch_t) -dev_rw_generic_usb_dev(arpwatch_t) - -fs_getattr_all_fs(arpwatch_t) -fs_search_auto_mountpoints(arpwatch_t) - -domain_use_interactive_fds(arpwatch_t) - -files_read_usr_files(arpwatch_t) -files_search_var_lib(arpwatch_t) - -auth_use_nsswitch(arpwatch_t) - -logging_send_syslog_msg(arpwatch_t) - -miscfiles_read_localization(arpwatch_t) - -userdom_dontaudit_search_user_home_dirs(arpwatch_t) -userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) - -mta_send_mail(arpwatch_t) - -optional_policy(` - seutil_sigchld_newrole(arpwatch_t) -') - -optional_policy(` - udev_read_db(arpwatch_t) -') diff --git a/policy/modules/contrib/asterisk.fc b/policy/modules/contrib/asterisk.fc deleted file mode 100644 index e300b1a0..00000000 --- a/policy/modules/contrib/asterisk.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0) - -/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0) - -/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0) - -/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0) - -/var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0) - -/var/run/asterisk.* gen_context(system_u:object_r:asterisk_var_run_t,s0) - -/var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0) diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if deleted file mode 100644 index 7268a049..00000000 --- a/policy/modules/contrib/asterisk.if +++ /dev/null @@ -1,133 +0,0 @@ -## <summary>Asterisk IP telephony server.</summary> - -###################################### -## <summary> -## Execute asterisk in the asterisk domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`asterisk_domtrans',` - gen_require(` - type asterisk_t, asterisk_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, asterisk_exec_t, asterisk_t) -') - -##################################### -## <summary> -## Connect to asterisk over a unix domain. -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`asterisk_stream_connect',` - gen_require(` - type asterisk_t, asterisk_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) -') - -####################################### -## <summary> -## Set attributes of asterisk log -## files and directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`asterisk_setattr_logs',` - gen_require(` - type asterisk_log_t; - ') - - setattr_files_pattern($1, asterisk_log_t, asterisk_log_t) - setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t) - logging_search_logs($1) -') - -####################################### -## <summary> -## Set attributes of the asterisk -## PID content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`asterisk_setattr_pid_files',` - gen_require(` - type asterisk_var_run_t; - ') - - setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t) - setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t) - files_search_pids($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an asterisk environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`asterisk_admin',` - gen_require(` - type asterisk_t, asterisk_var_run_t, asterisk_spool_t; - type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t; - type asterisk_var_lib_t, asterisk_initrc_exec_t; - ') - - allow $1 asterisk_t:process { ptrace signal_perms }; - ps_process_pattern($1, asterisk_t) - - init_labeled_script_domtrans($1, asterisk_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 asterisk_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, asterisk_tmp_t) - - files_list_etc($1) - admin_pattern($1, asterisk_etc_t) - - logging_list_logs($1) - admin_pattern($1, asterisk_log_t) - - files_list_spool($1) - admin_pattern($1, asterisk_spool_t) - - files_list_var_lib($1) - admin_pattern($1, asterisk_var_lib_t) - - files_list_pids($1) - admin_pattern($1, asterisk_var_run_t) -') diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te deleted file mode 100644 index 5439f1c6..00000000 --- a/policy/modules/contrib/asterisk.te +++ /dev/null @@ -1,191 +0,0 @@ -policy_module(asterisk, 1.11.3) - -######################################## -# -# Declarations -# - -type asterisk_t; -type asterisk_exec_t; -init_daemon_domain(asterisk_t, asterisk_exec_t) - -type asterisk_initrc_exec_t; -init_script_file(asterisk_initrc_exec_t) - -type asterisk_etc_t; -files_config_file(asterisk_etc_t) - -type asterisk_log_t; -logging_log_file(asterisk_log_t) - -type asterisk_spool_t; -files_type(asterisk_spool_t) - -type asterisk_tmp_t; -files_tmp_file(asterisk_tmp_t) - -type asterisk_tmpfs_t; -files_tmpfs_file(asterisk_tmpfs_t) - -type asterisk_var_lib_t; -files_type(asterisk_var_lib_t) - -type asterisk_var_run_t; -files_pid_file(asterisk_var_run_t) -init_daemon_run_dir(asterisk_var_run_t, "asterisk") - -######################################## -# -# Local policy -# - -allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; -dontaudit asterisk_t self:capability { sys_module sys_tty_config }; -allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; -allow asterisk_t self:fifo_file rw_fifo_file_perms; -allow asterisk_t self:sem create_sem_perms; -allow asterisk_t self:shm create_shm_perms; -allow asterisk_t self:unix_stream_socket { accept connectto listen }; -allow asterisk_t self:tcp_socket { accept listen }; - -allow asterisk_t asterisk_etc_t:dir list_dir_perms; -read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) -read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) - -append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) -create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) -setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) - -manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) -manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) -manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) - -manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) -manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) -files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir }) - -manage_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -manage_lnk_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -manage_fifo_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -manage_sock_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) - -manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) - -can_exec(asterisk_t, asterisk_exec_t) - -kernel_read_kernel_sysctls(asterisk_t) -kernel_read_network_state(asterisk_t) -kernel_read_system_state(asterisk_t) -kernel_request_load_module(asterisk_t) - -corecmd_exec_bin(asterisk_t) -corecmd_exec_shell(asterisk_t) - -corenet_all_recvfrom_unlabeled(asterisk_t) -corenet_all_recvfrom_netlabel(asterisk_t) -corenet_tcp_sendrecv_generic_if(asterisk_t) -corenet_udp_sendrecv_generic_if(asterisk_t) -corenet_tcp_sendrecv_generic_node(asterisk_t) -corenet_udp_sendrecv_generic_node(asterisk_t) -corenet_tcp_sendrecv_all_ports(asterisk_t) -corenet_udp_sendrecv_all_ports(asterisk_t) -corenet_tcp_bind_generic_node(asterisk_t) -corenet_udp_bind_generic_node(asterisk_t) - -corenet_sendrecv_asterisk_server_packets(asterisk_t) -corenet_tcp_bind_asterisk_port(asterisk_t) -corenet_udp_bind_asterisk_port(asterisk_t) - -corenet_sendrecv_embrace_dp_c_client_packets(asterisk_t) -corenet_tcp_connect_embrace_dp_c_port(asterisk_t) - -corenet_sendrecv_sip_server_packets(asterisk_t) -corenet_tcp_bind_sip_port(asterisk_t) -corenet_udp_bind_sip_port(asterisk_t) - -corenet_sendrecv_generic_server_packets(asterisk_t) -corenet_tcp_bind_generic_port(asterisk_t) -corenet_udp_bind_generic_port(asterisk_t) -corenet_dontaudit_udp_bind_all_ports(asterisk_t) - -corenet_sendrecv_jabber_client_client_packets(asterisk_t) -corenet_tcp_connect_jabber_client_port(asterisk_t) - -corenet_sendrecv_pdps_client_packets(asterisk_t) -corenet_tcp_connect_pdps_port(asterisk_t) - -corenet_sendrecv_pktcable_cops_client_packets(asterisk_t) -corenet_tcp_connect_pktcable_cops_port(asterisk_t) - -corenet_sendrecv_sip_client_packets(asterisk_t) -corenet_tcp_connect_sip_port(asterisk_t) - -dev_rw_generic_usb_dev(asterisk_t) -dev_read_sysfs(asterisk_t) -dev_read_sound(asterisk_t) -dev_write_sound(asterisk_t) -dev_read_rand(asterisk_t) -dev_read_urand(asterisk_t) - -domain_use_interactive_fds(asterisk_t) - -files_read_usr_files(asterisk_t) -files_search_spool(asterisk_t) -files_dontaudit_search_home(asterisk_t) - -fs_getattr_all_fs(asterisk_t) -fs_list_inotifyfs(asterisk_t) -fs_read_anon_inodefs_files(asterisk_t) -fs_search_auto_mountpoints(asterisk_t) - -auth_use_nsswitch(asterisk_t) - -logging_send_syslog_msg(asterisk_t) - -miscfiles_read_localization(asterisk_t) - -userdom_dontaudit_use_unpriv_user_fds(asterisk_t) -userdom_dontaudit_search_user_home_dirs(asterisk_t) - -optional_policy(` - alsa_read_rw_config(asterisk_t) -') - -optional_policy(` - mysql_stream_connect(asterisk_t) - mysql_tcp_connect(asterisk_t) -') - -optional_policy(` - mta_send_mail(asterisk_t) - mta_system_content(asterisk_tmp_t) -') - -optional_policy(` - postfix_domtrans_postdrop(asterisk_t) -') - -optional_policy(` - postgresql_stream_connect(asterisk_t) - postgresql_tcp_connect(asterisk_t) -') - -optional_policy(` - seutil_sigchld_newrole(asterisk_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(asterisk_t) - snmp_stream_connect(asterisk_t) - snmp_tcp_connect(asterisk_t) -') - -optional_policy(` - udev_read_db(asterisk_t) -') diff --git a/policy/modules/contrib/at.fc b/policy/modules/contrib/at.fc index ba2e7a13..39c83a99 100644 --- a/policy/modules/contrib/at.fc +++ b/policy/modules/contrib/at.fc @@ -1,9 +1,9 @@ /etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:atd_initrc_exec_t,s0) /usr/bin/at -- gen_context(system_u:object_r:at_exec_t,s0) -/usr/sbin/atd -- gen_context(system_u:object_r:atd_exec_t,s0) +/usr/bin/atd -- gen_context(system_u:object_r:atd_exec_t,s0) -/var/run/atd\.pid -- gen_context(system_u:object_r:atd_var_run_t,s0) +/run/atd\.pid -- gen_context(system_u:object_r:atd_runtime_t,s0) /var/spool/at(/.*)? gen_context(system_u:object_r:at_spool_t,s0) /var/spool/at/atjobs(/.*)? gen_context(system_u:object_r:at_job_t,s0) diff --git a/policy/modules/contrib/at.te b/policy/modules/contrib/at.te index c28a9e7b..82ca038c 100644 --- a/policy/modules/contrib/at.te +++ b/policy/modules/contrib/at.te @@ -21,8 +21,8 @@ init_daemon_domain(atd_t, atd_exec_t) type atd_initrc_exec_t; init_script_file(atd_initrc_exec_t) -type atd_var_run_t; -files_pid_file(atd_var_run_t) +type atd_runtime_t alias atd_var_run_t; +files_runtime_file(atd_runtime_t) ######################################## # @@ -39,8 +39,8 @@ list_dirs_pattern(atd_t, at_spool_t, at_job_t) manage_files_pattern(atd_t, at_job_log_t, at_job_log_t) -manage_files_pattern(atd_t, atd_var_run_t, atd_var_run_t) -files_pid_filetrans(atd_t, atd_var_run_t, file) +manage_files_pattern(atd_t, atd_runtime_t, atd_runtime_t) +files_runtime_filetrans(atd_t, atd_runtime_t, file) kernel_read_kernel_sysctls(atd_t) @@ -81,13 +81,13 @@ allow at_t at_spool_t:dir search_dir_perms; allow at_t atd_t:process signal; -allow at_t atd_var_run_t:file read_file_perms; +allow at_t atd_runtime_t:file read_file_perms; domain_use_interactive_fds(at_t) files_read_etc_files(at_t) files_search_spool(at_t) -files_search_pids(at_t) +files_search_runtime(at_t) miscfiles_read_localization(at_t) diff --git a/policy/modules/contrib/authbind.fc b/policy/modules/contrib/authbind.fc deleted file mode 100644 index 699ecc13..00000000 --- a/policy/modules/contrib/authbind.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0) - -/usr/lib/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) diff --git a/policy/modules/contrib/authbind.if b/policy/modules/contrib/authbind.if deleted file mode 100644 index 40fdc752..00000000 --- a/policy/modules/contrib/authbind.if +++ /dev/null @@ -1,46 +0,0 @@ -## <summary>Tool for non-root processes to bind to reserved ports.</summary> - -######################################## -## <summary> -## Execute authbind in the authbind domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`authbind_domtrans',` - gen_require(` - type authbind_t, authbind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, authbind_exec_t, authbind_t) -') - -######################################## -## <summary> -## Execute authbind in the authbind -## domain, and allow the specified -## role the authbind domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`authbind_run',` - gen_require(` - attribute_role authbind_roles; - ') - - authbind_domtrans($1) - roleattribute $2 authbind_roles; -') diff --git a/policy/modules/contrib/authbind.te b/policy/modules/contrib/authbind.te deleted file mode 100644 index a194e016..00000000 --- a/policy/modules/contrib/authbind.te +++ /dev/null @@ -1,34 +0,0 @@ -policy_module(authbind, 1.2.1) - -######################################## -# -# Declarations -# - -attribute_role authbind_roles; -roleattribute system_r authbind_roles; - -type authbind_t; -type authbind_exec_t; -application_domain(authbind_t, authbind_exec_t) -role authbind_roles types authbind_t; - -type authbind_etc_t; -files_config_file(authbind_etc_t) - -######################################## -# -# Local policy -# - -allow authbind_t self:capability net_bind_service; - -allow authbind_t authbind_etc_t:dir list_dir_perms; -exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t) -read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t) - -files_list_etc(authbind_t) - -term_use_console(authbind_t) - -logging_send_syslog_msg(authbind_t) diff --git a/policy/modules/contrib/automount.fc b/policy/modules/contrib/automount.fc deleted file mode 100644 index 92adb37e..00000000 --- a/policy/modules/contrib/automount.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) -/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0) - -/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0) - -/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0) - -/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if deleted file mode 100644 index 089430ad..00000000 --- a/policy/modules/contrib/automount.if +++ /dev/null @@ -1,174 +0,0 @@ -## <summary>Filesystem automounter service.</summary> - -######################################## -## <summary> -## Execute automount in the automount domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`automount_domtrans',` - gen_require(` - type automount_t, automount_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, automount_exec_t, automount_t) -') - -######################################## -## <summary> -## Send generic signals to automount. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -# -interface(`automount_signal',` - gen_require(` - type automount_t; - ') - - allow $1 automount_t:process signal; -') - -######################################## -## <summary> -## Execute automount in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`automount_exec_config',` - refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.') - files_exec_etc_files($1) -') - -######################################## -## <summary> -## Read automount process state. -## </summary> -## <param name="domain"> -## <summary> -## Domain to allow access. -## </summary> -## </param> -# -interface(`automount_read_state',` - gen_require(` - type automount_t; - ') - - kernel_search_proc($1) - allow $1 automount_t:dir list_dir_perms; - read_files_pattern($1, automount_t, automount_t) - read_lnk_files_pattern($1, automount_t, automount_t) -') - -######################################## -## <summary> -## Do not audit attempts to use -## automount file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`automount_dontaudit_use_fds',` - gen_require(` - type automount_t; - ') - - dontaudit $1 automount_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to write -## automount unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`automount_dontaudit_write_pipes',` - gen_require(` - type automount_t; - ') - - dontaudit $1 automount_t:fifo_file write; -') - -######################################## -## <summary> -## Do not audit attempts to get -## attributes of automount temporary -## directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`automount_dontaudit_getattr_tmp_dirs',` - gen_require(` - type automount_tmp_t; - ') - - dontaudit $1 automount_tmp_t:dir getattr_dir_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an automount environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`automount_admin',` - gen_require(` - type automount_t, automount_lock_t, automount_tmp_t; - type automount_var_run_t, automount_initrc_exec_t; - ') - - allow $1 automount_t:process { ptrace signal_perms }; - ps_process_pattern($1, automount_t) - - init_labeled_script_domtrans($1, automount_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 automount_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var($1) - admin_pattern($1, automount_lock_t) - - files_list_tmp($1) - admin_pattern($1, automount_tmp_t) - - files_list_pids($1) - admin_pattern($1, automount_var_run_t) -') diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te deleted file mode 100644 index a579c3b5..00000000 --- a/policy/modules/contrib/automount.te +++ /dev/null @@ -1,162 +0,0 @@ -policy_module(automount, 1.13.3) - -######################################## -# -# Declarations -# - -type automount_t; -type automount_exec_t; -init_daemon_domain(automount_t, automount_exec_t) - -type automount_initrc_exec_t; -init_script_file(automount_initrc_exec_t) - -type automount_var_run_t; -files_pid_file(automount_var_run_t) - -type automount_lock_t; -files_lock_file(automount_lock_t) - -type automount_tmp_t; -files_tmp_file(automount_tmp_t) -files_mountpoint(automount_tmp_t) - -######################################## -# -# Local policy -# - -allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; -dontaudit automount_t self:capability sys_tty_config; -allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; -allow automount_t self:fifo_file rw_fifo_file_perms; -allow automount_t self:tcp_socket { accept listen }; -allow automount_t self:rawip_socket create_socket_perms; - -can_exec(automount_t, automount_exec_t) - -allow automount_t automount_lock_t:file manage_file_perms; -files_lock_filetrans(automount_t, automount_lock_t, file) - -manage_dirs_pattern(automount_t, automount_tmp_t, automount_tmp_t) -manage_files_pattern(automount_t, automount_tmp_t, automount_tmp_t) -files_tmp_filetrans(automount_t, automount_tmp_t, { file dir }) -files_home_filetrans(automount_t, automount_tmp_t, dir) -files_root_filetrans(automount_t, automount_tmp_t, dir) - -manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) -manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) -files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file }) - -kernel_read_kernel_sysctls(automount_t) -kernel_read_irq_sysctls(automount_t) -kernel_read_fs_sysctls(automount_t) -kernel_read_vm_sysctls(automount_t) -kernel_read_proc_symlinks(automount_t) -kernel_read_system_state(automount_t) -kernel_read_network_state(automount_t) -kernel_list_proc(automount_t) -kernel_dontaudit_search_xen_state(automount_t) - -corecmd_exec_bin(automount_t) -corecmd_exec_shell(automount_t) - -corenet_all_recvfrom_unlabeled(automount_t) -corenet_all_recvfrom_netlabel(automount_t) -corenet_tcp_sendrecv_generic_if(automount_t) -corenet_udp_sendrecv_generic_if(automount_t) -corenet_tcp_sendrecv_generic_node(automount_t) -corenet_udp_sendrecv_generic_node(automount_t) -corenet_tcp_sendrecv_all_ports(automount_t) -corenet_udp_sendrecv_all_ports(automount_t) -corenet_tcp_bind_generic_node(automount_t) -corenet_udp_bind_generic_node(automount_t) - -corenet_sendrecv_all_client_packets(automount_t) -corenet_sendrecv_all_server_packets(automount_t) -corenet_tcp_connect_portmap_port(automount_t) -corenet_tcp_connect_all_ports(automount_t) -# Automount execs showmount when you browse /net. This is required until -# Someone writes a showmount policy -corenet_tcp_bind_reserved_port(automount_t) -corenet_tcp_bind_all_rpc_ports(automount_t) -corenet_udp_bind_reserved_port(automount_t) -corenet_udp_bind_all_rpc_ports(automount_t) - -files_dontaudit_write_var_dirs(automount_t) -files_getattr_all_dirs(automount_t) -files_getattr_default_dirs(automount_t) -files_getattr_home_dir(automount_t) -files_getattr_isid_type_dirs(automount_t) -files_exec_etc_files(automount_t) -files_list_mnt(automount_t) -files_manage_non_security_dirs(automount_t) -files_mount_all_file_type_fs(automount_t) -files_mounton_all_mountpoints(automount_t) -files_mounton_mnt(automount_t) -files_read_etc_runtime_files(automount_t) -files_read_usr_files(automount_t) -files_search_boot(automount_t) -files_search_all(automount_t) -files_unmount_all_file_type_fs(automount_t) - -fs_getattr_all_dirs(automount_t) -fs_getattr_all_fs(automount_t) -fs_manage_auto_mountpoints(automount_t) -fs_manage_autofs_symlinks(automount_t) -fs_mount_all_fs(automount_t) -fs_mount_autofs(automount_t) -fs_read_nfs_files(automount_t) -fs_search_all(automount_t) -fs_search_auto_mountpoints(automount_t) -fs_unmount_all_fs(automount_t) -fs_unmount_autofs(automount_t) - -dev_read_rand(automount_t) -dev_read_sysfs(automount_t) -dev_read_urand(automount_t) -dev_rw_autofs(automount_t) - -domain_use_interactive_fds(automount_t) -domain_dontaudit_read_all_domains_state(automount_t) - -storage_rw_fuse(automount_t) - -term_dontaudit_getattr_pty_dirs(automount_t) - -auth_use_nsswitch(automount_t) - -logging_send_syslog_msg(automount_t) -logging_search_logs(automount_t) - -miscfiles_read_localization(automount_t) -miscfiles_read_generic_certs(automount_t) - -mount_domtrans(automount_t) -mount_signal(automount_t) - -userdom_dontaudit_use_unpriv_user_fds(automount_t) - -optional_policy(` - fstools_domtrans(automount_t) -') - -optional_policy(` - kerberos_keytab_template(automount, automount_t) - kerberos_read_config(automount_t) - kerberos_dontaudit_write_config(automount_t) -') - -optional_policy(` - samba_read_config(automount_t) - samba_manage_var_files(automount_t) -') - -optional_policy(` - seutil_sigchld_newrole(automount_t) -') - -optional_policy(` - udev_read_db(automount_t) -') diff --git a/policy/modules/contrib/avahi.fc b/policy/modules/contrib/avahi.fc deleted file mode 100644 index e9fe2cac..00000000 --- a/policy/modules/contrib/avahi.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0) - -/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0) -/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) -/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) - -/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) - -/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if deleted file mode 100644 index aebe7cb5..00000000 --- a/policy/modules/contrib/avahi.if +++ /dev/null @@ -1,172 +0,0 @@ -## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture.</summary> - -######################################## -## <summary> -## Execute avahi server in the avahi domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`avahi_domtrans',` - gen_require(` - type avahi_exec_t, avahi_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, avahi_exec_t, avahi_t) -') - -######################################## -## <summary> -## Send generic signals to avahi. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`avahi_signal',` - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process signal; -') - -######################################## -## <summary> -## Send kill signals to avahi. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`avahi_kill',` - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process sigkill; -') - -######################################## -## <summary> -## Send null signals to avahi. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`avahi_signull',` - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process signull; -') - -######################################## -## <summary> -## Send and receive messages from -## avahi over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`avahi_dbus_chat',` - gen_require(` - type avahi_t; - class dbus send_msg; - ') - - allow $1 avahi_t:dbus send_msg; - allow avahi_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Connect to avahi using a unix -$$ stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`avahi_stream_connect',` - gen_require(` - type avahi_t, avahi_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t) -') - -######################################## -## <summary> -## Do not audit attempts to search -## avahi pid directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`avahi_dontaudit_search_pid',` - gen_require(` - type avahi_var_run_t; - ') - - dontaudit $1 avahi_var_run_t:dir search_dir_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an avahi environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`avahi_admin',` - gen_require(` - type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; - type avahi_var_lib_t; - ') - - allow $1 avahi_t:process { ptrace signal_perms }; - ps_process_pattern($1, avahi_t) - - init_labeled_script_domtrans($1, avahi_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 avahi_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, avahi_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, avahi_var_lib_t) -') diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te deleted file mode 100644 index 60e76be5..00000000 --- a/policy/modules/contrib/avahi.te +++ /dev/null @@ -1,114 +0,0 @@ -policy_module(avahi, 1.13.2) - -######################################## -# -# Declarations -# - -type avahi_t; -type avahi_exec_t; -init_daemon_domain(avahi_t, avahi_exec_t) - -type avahi_initrc_exec_t; -init_script_file(avahi_initrc_exec_t) - -type avahi_var_lib_t; -files_pid_file(avahi_var_lib_t) - -type avahi_var_run_t; -files_pid_file(avahi_var_run_t) - -######################################## -# -# Local policy -# - -allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; -dontaudit avahi_t self:capability sys_tty_config; -allow avahi_t self:process { setrlimit signal_perms getcap setcap }; -allow avahi_t self:fifo_file rw_fifo_file_perms; -allow avahi_t self:unix_stream_socket { accept connectto listen }; -allow avahi_t self:tcp_socket { accept listen }; -allow avahi_t self:packet_socket create_socket_perms; - -manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) -manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) -files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) - -manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) -manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) -manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) -allow avahi_t avahi_var_run_t:dir setattr_dir_perms; -files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(avahi_t) -kernel_read_network_state(avahi_t) -kernel_read_system_state(avahi_t) -kernel_request_load_module(avahi_t) - -corecmd_exec_bin(avahi_t) -corecmd_exec_shell(avahi_t) - -corenet_all_recvfrom_unlabeled(avahi_t) -corenet_all_recvfrom_netlabel(avahi_t) -corenet_tcp_sendrecv_generic_if(avahi_t) -corenet_udp_sendrecv_generic_if(avahi_t) -corenet_tcp_sendrecv_generic_node(avahi_t) -corenet_udp_sendrecv_generic_node(avahi_t) -corenet_tcp_sendrecv_all_ports(avahi_t) -corenet_udp_sendrecv_all_ports(avahi_t) -corenet_tcp_bind_generic_node(avahi_t) -corenet_udp_bind_generic_node(avahi_t) - -corenet_sendrecv_howl_server_packets(avahi_t) -corenet_tcp_bind_howl_port(avahi_t) -corenet_udp_bind_howl_port(avahi_t) - -dev_read_sysfs(avahi_t) -dev_read_urand(avahi_t) - -fs_getattr_all_fs(avahi_t) -fs_search_auto_mountpoints(avahi_t) -fs_list_inotifyfs(avahi_t) - -domain_use_interactive_fds(avahi_t) - -files_read_etc_runtime_files(avahi_t) -files_read_usr_files(avahi_t) - -auth_use_nsswitch(avahi_t) - -init_signal_script(avahi_t) -init_signull_script(avahi_t) - -logging_send_syslog_msg(avahi_t) - -miscfiles_read_localization(avahi_t) -miscfiles_read_generic_certs(avahi_t) - -sysnet_domtrans_ifconfig(avahi_t) -sysnet_manage_config(avahi_t) -sysnet_etc_filetrans_config(avahi_t) - -userdom_dontaudit_use_unpriv_user_fds(avahi_t) -userdom_dontaudit_search_user_home_dirs(avahi_t) - -optional_policy(` - dbus_system_domain(avahi_t, avahi_exec_t) - - optional_policy(` - init_dbus_chat_script(avahi_t) - ') -') - -optional_policy(` - rpcbind_signull(avahi_t) -') - -optional_policy(` - seutil_sigchld_newrole(avahi_t) -') - -optional_policy(` - udev_read_db(avahi_t) -') diff --git a/policy/modules/contrib/awstats.fc b/policy/modules/contrib/awstats.fc deleted file mode 100644 index 11e6d5ff..00000000 --- a/policy/modules/contrib/awstats.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0) -/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0) -/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0) - -/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0) diff --git a/policy/modules/contrib/awstats.if b/policy/modules/contrib/awstats.if deleted file mode 100644 index 68616dd9..00000000 --- a/policy/modules/contrib/awstats.if +++ /dev/null @@ -1,49 +0,0 @@ -## <summary>Log file analyzer for advanced statistics.</summary> - -######################################## -## <summary> -## Execute the awstats program in -## the awstats domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`awstats_domtrans',` - gen_require(` - type awstats_t, awstats_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, awstats_exec_t, awstats_t) -') - -######################################## -## <summary> -## Read and write awstats unnamed pipes. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`awstats_rw_pipes',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Execute awstats cgi scripts in the caller domain. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`awstats_cgi_exec',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/contrib/awstats.te b/policy/modules/contrib/awstats.te deleted file mode 100644 index d6ab8241..00000000 --- a/policy/modules/contrib/awstats.te +++ /dev/null @@ -1,98 +0,0 @@ -policy_module(awstats, 1.4.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether awstats can -## purge httpd log files. -## </p> -## </desc> -gen_tunable(awstats_purge_apache_log_files, false) - -type awstats_t; -type awstats_exec_t; -domain_type(awstats_t) -domain_entry_file(awstats_t, awstats_exec_t) -role system_r types awstats_t; - -type awstats_tmp_t; -files_tmp_file(awstats_tmp_t) - -type awstats_var_lib_t; -files_type(awstats_var_lib_t) - -apache_content_template(awstats) - -######################################## -# -# Local policy -# - -allow awstats_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t) -manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t) -files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file }) - -manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t) - -allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms; - -can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t }) - -kernel_dontaudit_read_system_state(awstats_t) - -corecmd_exec_bin(awstats_t) -corecmd_exec_shell(awstats_t) - -dev_read_urand(awstats_t) - -files_dontaudit_search_all_mountpoints(awstats_t) -files_read_etc_files(awstats_t) -files_read_usr_files(awstats_t) - -fs_list_inotifyfs(awstats_t) - -libs_read_lib_files(awstats_t) - -logging_read_generic_logs(awstats_t) - -miscfiles_read_localization(awstats_t) - -sysnet_dns_name_resolve(awstats_t) - -tunable_policy(`awstats_purge_apache_log_files',` - apache_write_log(awstats_t) -') - -optional_policy(` - apache_read_log(awstats_t) -') - -optional_policy(` - cron_system_entry(awstats_t, awstats_exec_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(awstats_t) -') - -optional_policy(` - squid_read_log(awstats_t) -') - -######################################## -# -# CGI local policy -# - -allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; - -read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) -files_search_var_lib(httpd_awstats_script_t) - -apache_read_log(httpd_awstats_script_t) diff --git a/policy/modules/contrib/backup.fc b/policy/modules/contrib/backup.fc deleted file mode 100644 index 075621d0..00000000 --- a/policy/modules/contrib/backup.fc +++ /dev/null @@ -1,4 +0,0 @@ -/etc/cron\.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0) -/etc/cron\.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0) - -/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0) diff --git a/policy/modules/contrib/backup.if b/policy/modules/contrib/backup.if deleted file mode 100644 index 894810ec..00000000 --- a/policy/modules/contrib/backup.if +++ /dev/null @@ -1,47 +0,0 @@ -## <summary>System backup scripts.</summary> - -######################################## -## <summary> -## Execute backup in the backup domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`backup_domtrans',` - gen_require(` - type backup_t, backup_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, backup_exec_t, backup_t) -') - -######################################## -## <summary> -## Execute backup in the backup -## domain, and allow the specified -## role the backup domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`backup_run',` - gen_require(` - attribute_role backup_roles; - ') - - backup_domtrans($1) - roleattribute $2 backup_roles; -') diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te deleted file mode 100644 index d6ceef4d..00000000 --- a/policy/modules/contrib/backup.te +++ /dev/null @@ -1,82 +0,0 @@ -policy_module(backup, 1.5.2) - -######################################## -# -# Declarations -# - -attribute_role backup_roles; -roleattribute system_r backup_roles; - -type backup_t; -type backup_exec_t; -application_domain(backup_t, backup_exec_t) -role backup_roles types backup_t; - -type backup_store_t; -files_type(backup_store_t) - -######################################## -# -# Local policy -# - -allow backup_t self:capability dac_override; -allow backup_t self:process signal; -allow backup_t self:fifo_file rw_fifo_file_perms; -allow backup_t self:tcp_socket create_socket_perms; -allow backup_t self:udp_socket create_socket_perms; - -allow backup_t backup_store_t:file setattr_file_perms; -manage_files_pattern(backup_t, backup_store_t, backup_store_t) -rw_files_pattern(backup_t, backup_store_t, backup_store_t) -read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t) - -kernel_read_system_state(backup_t) -kernel_read_kernel_sysctls(backup_t) - -corecmd_exec_bin(backup_t) -corecmd_exec_shell(backup_t) - -corenet_all_recvfrom_unlabeled(backup_t) -corenet_all_recvfrom_netlabel(backup_t) -corenet_tcp_sendrecv_generic_if(backup_t) -corenet_tcp_sendrecv_generic_node(backup_t) -corenet_tcp_sendrecv_all_ports(backup_t) - -corenet_tcp_connect_all_ports(backup_t) -corenet_sendrecv_all_client_packets(backup_t) - -dev_getattr_all_blk_files(backup_t) -dev_getattr_all_chr_files(backup_t) -dev_read_urand(backup_t) - -domain_use_interactive_fds(backup_t) - -files_read_all_files(backup_t) -files_read_all_symlinks(backup_t) -files_getattr_all_pipes(backup_t) -files_getattr_all_sockets(backup_t) - -fs_getattr_xattr_fs(backup_t) -fs_list_all(backup_t) - -auth_read_shadow(backup_t) - -logging_send_syslog_msg(backup_t) - -sysnet_read_config(backup_t) - -userdom_use_user_terminals(backup_t) - -optional_policy(` - cron_system_entry(backup_t, backup_exec_t) -') - -optional_policy(` - hostname_exec(backup_t) -') - -optional_policy(` - nis_use_ypbind(backup_t) -') diff --git a/policy/modules/contrib/bacula.fc b/policy/modules/contrib/bacula.fc deleted file mode 100644 index 27ec3d51..00000000 --- a/policy/modules/contrib/bacula.fc +++ /dev/null @@ -1,17 +0,0 @@ -/bacula(/.*)? gen_context(system_u:object_r:bacula_store_t,s0) - -/etc/bacula.* gen_context(system_u:object_r:bacula_etc_t,s0) - -/etc/rc\.d/init\.d/bacula.* -- gen_context(system_u:object_r:bacula_initrc_exec_t,s0) - -/usr/sbin/bacula.* -- gen_context(system_u:object_r:bacula_exec_t,s0) -/usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0) -/usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0) - -/var/lib/bacula.* gen_context(system_u:object_r:bacula_var_lib_t,s0) - -/var/log/bacula.* gen_context(system_u:object_r:bacula_log_t,s0) - -/var/run/bacula.* -- gen_context(system_u:object_r:bacula_var_run_t,s0) - -/var/spool/bacula.* gen_context(system_u:object_r:bacula_spool_t,s0) diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if deleted file mode 100644 index dcd774ee..00000000 --- a/policy/modules/contrib/bacula.if +++ /dev/null @@ -1,98 +0,0 @@ -## <summary>Cross platform network backup.</summary> - -######################################## -## <summary> -## Execute bacula admin bacula -## admin domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`bacula_domtrans_admin',` - gen_require(` - type bacula_admin_t, bacula_admin_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t) -') - -######################################## -## <summary> -## Execute user interfaces in the -## bacula admin domain, and allow the -## specified role the bacula admin domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`bacula_run_admin',` - gen_require(` - attribute_role bacula_admin_roles; - ') - - bacula_domtrans_admin($1) - roleattribute $2 bacula_admin_roles; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an bacula environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`bacula_admin',` - gen_require(` - type bacula_t, bacula_etc_t, bacula_log_t; - type bacula_spool_t, bacula_var_lib_t; - type bacula_var_run_t, bacula_initrc_exec_t; - ') - - allow $1 bacula_t:process { ptrace signal_perms }; - ps_process_pattern($1, bacula_t) - - init_labeled_script_domtrans($1, bacula_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bacula_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, bacula_etc_t) - - logging_search_logs($1) - admin_pattern($1, bacula_log_t) - - files_search_var($1) - admin_pattern($1, bacula_spool_t) - - files_search_var_lib($1) - admin_pattern($1, bacula_var_lib_t) - - files_search_pids($1) - admin_pattern($1, bacula_var_run_t) - - bacula_run_admin($1, $2) -') diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te deleted file mode 100644 index 3beba2f5..00000000 --- a/policy/modules/contrib/bacula.te +++ /dev/null @@ -1,158 +0,0 @@ -policy_module(bacula, 1.1.1) - -######################################## -# -# Declarations -# - -attribute_role bacula_admin_roles; - -type bacula_t; -type bacula_exec_t; -init_daemon_domain(bacula_t, bacula_exec_t) - -type bacula_initrc_exec_t; -init_script_file(bacula_initrc_exec_t) - -type bacula_etc_t; -files_type(bacula_etc_t) - -type bacula_log_t; -logging_log_file(bacula_log_t) - -type bacula_spool_t; -files_type(bacula_spool_t) - -type bacula_store_t; -files_type(bacula_store_t) -files_mountpoint(bacula_store_t) - -type bacula_var_lib_t; -files_type(bacula_var_lib_t) - -type bacula_var_run_t; -files_pid_file(bacula_var_run_t) - -type bacula_admin_t; -type bacula_admin_exec_t; -application_domain(bacula_admin_t, bacula_admin_exec_t) -role bacula_admin_roles types bacula_admin_t; - -######################################## -# -# Local policy -# - -allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid}; -allow bacula_t self:process signal; -allow bacula_t self:fifo_file rw_fifo_file_perms; -allow bacula_t self:tcp_socket { accept listen }; - -read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t) - -append_files_pattern(bacula_t, bacula_log_t, bacula_log_t) -create_files_pattern(bacula_t, bacula_log_t, bacula_log_t) -setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t) - -manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t) -manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t) - -manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t) -manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t) -manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t) - -manage_dirs_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t) -manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t) -files_var_lib_filetrans(bacula_t, bacula_var_lib_t, dir) - -allow bacula_t bacula_var_run_t:file manage_file_perms; -files_pid_filetrans(bacula_t, bacula_var_run_t, file) - -kernel_read_kernel_sysctls(bacula_t) -kernel_read_system_state(bacula_t) - -corecmd_exec_bin(bacula_t) -corecmd_exec_shell(bacula_t) - -corenet_all_recvfrom_unlabeled(bacula_t) -corenet_all_recvfrom_netlabel(bacula_t) -corenet_tcp_sendrecv_generic_if(bacula_t) -corenet_udp_sendrecv_generic_if(bacula_t) -corenet_tcp_sendrecv_generic_node(bacula_t) -corenet_udp_sendrecv_generic_node(bacula_t) -corenet_tcp_sendrecv_all_ports(bacula_t) -corenet_udp_sendrecv_all_ports(bacula_t) -corenet_tcp_bind_generic_node(bacula_t) -corenet_udp_bind_generic_node(bacula_t) - -corenet_sendrecv_generic_server_packets(bacula_t) -corenet_udp_bind_generic_port(bacula_t) - -corenet_sendrecv_hplip_server_packets(bacula_t) -corenet_tcp_bind_hplip_port(bacula_t) -corenet_udp_bind_hplip_port(bacula_t) - -corenet_sendrecv_all_client_packets(bacula_t) -corenet_tcp_connect_all_ports(bacula_t) - -dev_getattr_all_blk_files(bacula_t) -dev_getattr_all_chr_files(bacula_t) - -files_dontaudit_getattr_all_sockets(bacula_t) -files_read_all_files(bacula_t) -files_read_all_symlinks(bacula_t) - -fs_getattr_xattr_fs(bacula_t) -fs_list_all(bacula_t) - -auth_read_shadow(bacula_t) - -logging_send_syslog_msg(bacula_t) - -sysnet_dns_name_resolve(bacula_t) - -optional_policy(` - mysql_stream_connect(bacula_t) - mysql_tcp_connect(bacula_t) -') - -optional_policy(` - nis_use_ypbind(bacula_t) -') - -optional_policy(` - sysnet_use_ldap(bacula_t) - ldap_stream_connect(bacula_t) -') - -######################################## -# -# Client local policy -# - -allow bacula_admin_t self:process signal; -allow bacula_admin_t self:tcp_socket { accept listen }; -allow bacula_admin_t self:dgram_socket_class_set create_socket_perms; - -read_files_pattern(bacula_admin_t, bacula_etc_t, bacula_etc_t) - -corenet_all_recvfrom_unlabeled(bacula_admin_t) -corenet_all_recvfrom_netlabel(bacula_admin_t) -corenet_tcp_sendrecv_generic_if(bacula_admin_t) -corenet_tcp_sendrecv_generic_node(bacula_admin_t) -corenet_tcp_sendrecv_all_ports(bacula_admin_t) -corenet_tcp_bind_generic_node(bacula_admin_t) - -corenet_sendrecv_hplip_client_packets(bacula_admin_t) -corenet_tcp_connect_hplip_port(bacula_admin_t) - -domain_use_interactive_fds(bacula_admin_t) - -files_read_etc_files(bacula_admin_t) - -miscfiles_read_localization(bacula_admin_t) - -sysnet_dns_name_resolve(bacula_admin_t) - -userdom_dontaudit_search_user_home_dirs(bacula_admin_t) -userdom_use_user_ptys(bacula_admin_t) diff --git a/policy/modules/contrib/bcfg2.fc b/policy/modules/contrib/bcfg2.fc deleted file mode 100644 index fb42e352..00000000 --- a/policy/modules/contrib/bcfg2.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0) - -/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0) - -/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0) - -/var/run/bcfg2-server\.pid -- gen_context(system_u:object_r:bcfg2_var_run_t,s0) diff --git a/policy/modules/contrib/bcfg2.if b/policy/modules/contrib/bcfg2.if deleted file mode 100644 index ec95d361..00000000 --- a/policy/modules/contrib/bcfg2.if +++ /dev/null @@ -1,154 +0,0 @@ -## <summary>configuration management suite.</summary> - -######################################## -## <summary> -## Execute bcfg2 in the bcfg2 domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`bcfg2_domtrans',` - gen_require(` - type bcfg2_t, bcfg2_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, bcfg2_exec_t, bcfg2_t) -') - -######################################## -## <summary> -## Execute bcfg2 server in the bcfg2 domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`bcfg2_initrc_domtrans',` - gen_require(` - type bcfg2_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, bcfg2_initrc_exec_t) -') - -######################################## -## <summary> -## Search bcfg2 lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bcfg2_search_lib',` - gen_require(` - type bcfg2_var_lib_t; - ') - - allow $1 bcfg2_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## <summary> -## Read bcfg2 lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bcfg2_read_lib_files',` - gen_require(` - type bcfg2_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## bcfg2 lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bcfg2_manage_lib_files',` - gen_require(` - type bcfg2_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## bcfg2 lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bcfg2_manage_lib_dirs',` - gen_require(` - type bcfg2_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an bcfg2 environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`bcfg2_admin',` - gen_require(` - type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t; - type bcfg2_var_run_t; - ') - - allow $1 bcfg2_t:process { ptrace signal_perms }; - ps_process_pattern($1, bcfg2_t) - - bcfg2_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 bcfg2_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, bcfg2_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, bcfg2_var_lib_t) -') diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te deleted file mode 100644 index 536ec3c5..00000000 --- a/policy/modules/contrib/bcfg2.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(bcfg2, 1.0.1) - -######################################## -# -# Declarations -# - -type bcfg2_t; -type bcfg2_exec_t; -init_daemon_domain(bcfg2_t, bcfg2_exec_t) - -type bcfg2_initrc_exec_t; -init_script_file(bcfg2_initrc_exec_t) - -type bcfg2_var_lib_t; -files_type(bcfg2_var_lib_t) - -type bcfg2_var_run_t; -files_pid_file(bcfg2_var_run_t) - -######################################## -# -# Local policy -# - -allow bcfg2_t self:fifo_file rw_fifo_file_perms; -allow bcfg2_t self:tcp_socket { accept listen }; -allow bcfg2_t self:unix_stream_socket { accept connectto listen }; - -manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t) -manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t) -files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, dir) - -manage_files_pattern(bcfg2_t, bcfg2_var_run_t, bcfg2_var_run_t) -files_pid_filetrans(bcfg2_t, bcfg2_var_run_t, file) - -kernel_read_system_state(bcfg2_t) - -corenet_all_recvfrom_unlabeled(bcfg2_t) -corenet_all_recvfrom_netlabel(bcfg2_t) -corenet_tcp_sendrecv_generic_if(bcfg2_t) -corenet_tcp_sendrecv_generic_node(bcfg2_t) -corenet_tcp_bind_generic_node(bcfg2_t) - -corenet_sendrecv_cyphesis_server_packets(bcfg2_t) -corenet_tcp_bind_cyphesis_port(bcfg2_t) -corenet_tcp_sendrecv_cyphesis_port(bcfg2_t) - -corecmd_exec_bin(bcfg2_t) - -dev_read_urand(bcfg2_t) - -domain_use_interactive_fds(bcfg2_t) - -files_read_usr_files(bcfg2_t) - -auth_use_nsswitch(bcfg2_t) - -logging_send_syslog_msg(bcfg2_t) - -miscfiles_read_localization(bcfg2_t) diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc deleted file mode 100644 index 2b9a3a10..00000000 --- a/policy/modules/contrib/bind.fc +++ /dev/null @@ -1,54 +0,0 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) - -/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) -/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) - -/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) -/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) - -/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) - -/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) - -/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) - -/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/proc(/.*)? <<none>> -/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) -/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) -/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) - -/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) -/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if deleted file mode 100644 index 866a1e29..00000000 --- a/policy/modules/contrib/bind.if +++ /dev/null @@ -1,393 +0,0 @@ -## <summary>Berkeley Internet name domain DNS server.</summary> - -######################################## -## <summary> -## Execute bind server in the bind domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`bind_initrc_domtrans',` - gen_require(` - type named_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, named_initrc_exec_t) -') - -######################################## -## <summary> -## Execute ndc in the ndc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`bind_domtrans_ndc',` - gen_require(` - type ndc_t, ndc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ndc_exec_t, ndc_t) -') - -######################################## -## <summary> -## Send generic signals to bind. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_signal',` - gen_require(` - type named_t; - ') - - allow $1 named_t:process signal; -') - -######################################## -## <summary> -## Send null signals to bind. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_signull',` - gen_require(` - type named_t; - ') - - allow $1 named_t:process signull; -') - -######################################## -## <summary> -## Send kill signals to bind. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_kill',` - gen_require(` - type named_t; - ') - - allow $1 named_t:process sigkill; -') - -######################################## -## <summary> -## Execute ndc in the ndc domain, and -## allow the specified role the ndc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`bind_run_ndc',` - gen_require(` - attribute_role ndc_roles; - ') - - bind_domtrans_ndc($1) - roleattribute $2 ndc_roles; -') - -######################################## -## <summary> -## Execute bind in the named domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`bind_domtrans',` - gen_require(` - type named_t, named_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, named_exec_t, named_t) -') - -######################################## -## <summary> -## Read dnssec key files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_read_dnssec_keys',` - gen_require(` - type named_conf_t, named_zone_t, dnssec_t; - ') - - read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t) -') - -######################################## -## <summary> -## Read bind named configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_read_config',` - gen_require(` - type named_conf_t; - ') - - read_files_pattern($1, named_conf_t, named_conf_t) -') - -######################################## -## <summary> -## Write bind named configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_write_config',` - gen_require(` - type named_conf_t; - ') - - write_files_pattern($1, named_conf_t, named_conf_t) - allow $1 named_conf_t:file setattr_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## bind configuration directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_manage_config_dirs',` - gen_require(` - type named_conf_t; - ') - - manage_dirs_pattern($1, named_conf_t, named_conf_t) -') - -######################################## -## <summary> -## Search bind cache directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_search_cache',` - gen_require(` - type named_conf_t, named_cache_t, named_zone_t; - ') - - files_search_var($1) - allow $1 named_conf_t:dir search_dir_perms; - allow $1 named_zone_t:dir search_dir_perms; - allow $1 named_cache_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## bind cache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_manage_cache',` - gen_require(` - type named_cache_t, named_zone_t; - ') - - files_search_var($1) - allow $1 named_zone_t:dir search_dir_perms; - manage_files_pattern($1, named_cache_t, named_cache_t) - manage_lnk_files_pattern($1, named_cache_t, named_cache_t) -') - -######################################## -## <summary> -## Set attributes of bind pid directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_setattr_pid_dirs',` - gen_require(` - type named_var_run_t; - ') - - allow $1 named_var_run_t:dir setattr_dir_perms; -') - -######################################## -## <summary> -## Set attributes of bind zone directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_setattr_zone_dirs',` - gen_require(` - type named_zone_t; - ') - - allow $1 named_zone_t:dir setattr_dir_perms; -') - -######################################## -## <summary> -## Read bind zone files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_read_zone',` - gen_require(` - type named_zone_t; - ') - - files_search_var($1) - read_files_pattern($1, named_zone_t, named_zone_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## bind zone files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_manage_zone',` - gen_require(` - type named_zone_t; - ') - - files_search_var($1) - manage_files_pattern($1, named_zone_t, named_zone_t) -') - -######################################## -## <summary> -## Send and receive datagrams to and from named. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bind_udp_chat_named',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an bind environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`bind_admin',` - gen_require(` - type named_t, named_tmp_t, named_log_t; - type named_cache_t, named_zone_t, named_initrc_exec_t; - type dnssec_t, ndc_t, named_conf_t, named_var_run_t; - ') - - allow $1 { named_t ndc_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { named_t ndc_t }) - - init_labeled_script_domtrans($1, named_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 named_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, named_tmp_t) - - logging_list_logs($1) - admin_pattern($1, named_log_t) - - files_list_etc($1) - admin_pattern($1, named_conf_t) - - files_list_var($1) - admin_pattern($1, { dnssec_t named_cache_t named_zone_t }) - - files_list_pids($1) - admin_pattern($1, named_var_run_t) - - bind_run_ndc($1, $2) -') diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te deleted file mode 100644 index 076ffee9..00000000 --- a/policy/modules/contrib/bind.te +++ /dev/null @@ -1,264 +0,0 @@ -policy_module(bind, 1.12.8) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether Bind can bind tcp socket to http ports. -## </p> -## </desc> -gen_tunable(named_tcp_bind_http_port, false) - -## <desc> -## <p> -## Determine whether Bind can write to master zone files. -## Generally this is used for dynamic DNS or zone transfers. -## </p> -## </desc> -gen_tunable(named_write_master_zones, false) - -attribute_role ndc_roles; - -type dnssec_t; -files_security_file(dnssec_t) -files_mountpoint(dnssec_t) - -type named_t; -type named_exec_t; -init_daemon_domain(named_t, named_exec_t) - -type named_checkconf_exec_t; -init_system_domain(named_t, named_checkconf_exec_t) - -type named_conf_t; -files_type(named_conf_t) -files_mountpoint(named_conf_t) - -# for secondary zone files -type named_cache_t; -files_type(named_cache_t) - -type named_initrc_exec_t; -init_script_file(named_initrc_exec_t) - -type named_log_t; -logging_log_file(named_log_t) - -type named_tmp_t; -files_tmp_file(named_tmp_t) - -type named_var_run_t; -files_pid_file(named_var_run_t) -init_daemon_run_dir(named_var_run_t, "named") - -# for primary zone files -type named_zone_t; -files_type(named_zone_t) - -type ndc_t; -type ndc_exec_t; -init_system_domain(ndc_t, ndc_exec_t) -role ndc_roles types ndc_t; - -######################################## -# -# Local policy -# - -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; -dontaudit named_t self:capability sys_tty_config; -allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; -allow named_t self:fifo_file rw_fifo_file_perms; -allow named_t self:unix_stream_socket { accept listen }; -allow named_t self:tcp_socket { accept listen }; - -allow named_t dnssec_t:file read_file_perms; - -allow named_t named_conf_t:dir list_dir_perms; -read_files_pattern(named_t, named_conf_t, named_conf_t) -read_lnk_files_pattern(named_t, named_conf_t, named_conf_t) - -manage_files_pattern(named_t, named_cache_t, named_cache_t) -manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) - -can_exec(named_t, named_exec_t) - -append_files_pattern(named_t, named_log_t, named_log_t) -create_files_pattern(named_t, named_log_t, named_log_t) -setattr_files_pattern(named_t, named_log_t, named_log_t) -logging_log_filetrans(named_t, named_log_t, file) - -manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) -manage_files_pattern(named_t, named_tmp_t, named_tmp_t) -files_tmp_filetrans(named_t, named_tmp_t, { file dir }) - -manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t) -manage_files_pattern(named_t, named_var_run_t, named_var_run_t) -manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t) -files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file }) - -allow named_t named_zone_t:dir list_dir_perms; -read_files_pattern(named_t, named_zone_t, named_zone_t) -read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) - -kernel_read_kernel_sysctls(named_t) -kernel_read_system_state(named_t) -kernel_read_network_state(named_t) - -corecmd_search_bin(named_t) - -corenet_all_recvfrom_unlabeled(named_t) -corenet_all_recvfrom_netlabel(named_t) -corenet_tcp_sendrecv_generic_if(named_t) -corenet_udp_sendrecv_generic_if(named_t) -corenet_tcp_sendrecv_generic_node(named_t) -corenet_udp_sendrecv_generic_node(named_t) -corenet_tcp_bind_generic_node(named_t) -corenet_udp_bind_generic_node(named_t) - -corenet_sendrecv_all_server_packets(named_t) -corenet_tcp_bind_dns_port(named_t) -corenet_udp_bind_dns_port(named_t) -corenet_tcp_sendrecv_dns_port(named_t) -corenet_udp_sendrecv_dns_port(named_t) - -corenet_tcp_bind_rndc_port(named_t) -corenet_tcp_sendrecv_rndc_port(named_t) - -corenet_dontaudit_udp_bind_all_reserved_ports(named_t) -corenet_udp_bind_all_unreserved_ports(named_t) -corenet_udp_sendrecv_all_ports(named_t) - -corenet_sendrecv_all_client_packets(named_t) -corenet_tcp_connect_all_ports(named_t) -corenet_tcp_sendrecv_all_ports(named_t) - -dev_read_sysfs(named_t) -dev_read_rand(named_t) -dev_read_urand(named_t) - -domain_use_interactive_fds(named_t) - -files_read_etc_runtime_files(named_t) - -fs_getattr_all_fs(named_t) -fs_search_auto_mountpoints(named_t) - -auth_use_nsswitch(named_t) - -logging_send_syslog_msg(named_t) - -miscfiles_read_generic_certs(named_t) -miscfiles_read_localization(named_t) - -userdom_dontaudit_use_unpriv_user_fds(named_t) -userdom_dontaudit_search_user_home_dirs(named_t) - -tunable_policy(`named_tcp_bind_http_port',` - corenet_sendrecv_http_server_packets(named_t) - corenet_tcp_bind_http_port(named_t) - corenet_tcp_sendrecv_http_port(named_t) -') - -tunable_policy(`named_write_master_zones',` - manage_dirs_pattern(named_t, named_zone_t, named_zone_t) - manage_files_pattern(named_t, named_zone_t, named_zone_t) - manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t) -') - -optional_policy(` - dbus_system_domain(named_t, named_exec_t) - - init_dbus_chat_script(named_t) - - sysnet_dbus_chat_dhcpc(named_t) - - optional_policy(` - networkmanager_dbus_chat(named_t) - ') -') - -optional_policy(` - kerberos_keytab_template(named, named_t) -') - -optional_policy(` - ldap_stream_connect(named_t) -') - -optional_policy(` - networkmanager_rw_udp_sockets(named_t) - networkmanager_rw_packet_sockets(named_t) - networkmanager_rw_routing_sockets(named_t) -') - -optional_policy(` - seutil_sigchld_newrole(named_t) -') - -optional_policy(` - udev_read_db(named_t) -') - -######################################## -# -# NDC local policy -# - -allow ndc_t self:capability { dac_override net_admin }; -allow ndc_t self:process signal_perms; -allow ndc_t self:fifo_file rw_fifo_file_perms; -allow ndc_t self:unix_stream_socket { accept listen }; - -allow ndc_t dnssec_t:file read_file_perms; -allow ndc_t dnssec_t:lnk_file read_lnk_file_perms; - -stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t) - -allow ndc_t named_conf_t:file read_file_perms; -allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; - -allow ndc_t named_zone_t:dir search_dir_perms; - -kernel_read_kernel_sysctls(ndc_t) -kernel_read_system_state(ndc_t) - -corenet_all_recvfrom_unlabeled(ndc_t) -corenet_all_recvfrom_netlabel(ndc_t) -corenet_tcp_sendrecv_generic_if(ndc_t) -corenet_tcp_sendrecv_generic_node(ndc_t) -corenet_tcp_sendrecv_all_ports(ndc_t) -corenet_tcp_bind_generic_node(ndc_t) - -corenet_tcp_connect_rndc_port(ndc_t) -corenet_sendrecv_rndc_client_packets(ndc_t) - -domain_use_interactive_fds(ndc_t) - -files_search_pids(ndc_t) - -fs_getattr_xattr_fs(ndc_t) - -term_dontaudit_use_console(ndc_t) - -auth_use_nsswitch(ndc_t) - -init_use_fds(ndc_t) -init_use_script_ptys(ndc_t) - -logging_send_syslog_msg(ndc_t) - -miscfiles_read_localization(ndc_t) - -userdom_use_user_terminals(ndc_t) - -ifdef(`distro_redhat',` - allow ndc_t named_conf_t:dir search_dir_perms; -') - -optional_policy(` - ppp_dontaudit_use_fds(ndc_t) -') diff --git a/policy/modules/contrib/bird.fc b/policy/modules/contrib/bird.fc deleted file mode 100644 index 7b63b8e1..00000000 --- a/policy/modules/contrib/bird.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/bird\.conf -- gen_context(system_u:object_r:bird_etc_t,s0) - -/etc/default/bird -- gen_context(system_u:object_r:bird_etc_t,s0) - -/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0) - -/usr/sbin/bird -- gen_context(system_u:object_r:bird_exec_t,s0) - -/var/log/bird\.log.* -- gen_context(system_u:object_r:bird_log_t,s0) - -/var/run/bird\.ctl -s gen_context(system_u:object_r:bird_var_run_t,s0) diff --git a/policy/modules/contrib/bird.if b/policy/modules/contrib/bird.if deleted file mode 100644 index 85c035f9..00000000 --- a/policy/modules/contrib/bird.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>BIRD Internet Routing Daemon.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an bird environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`bird_admin',` - gen_require(` - type bird_t, bird_etc_t, bird_log_t; - type bird_var_run_t, bird_initrc_exec_t; - ') - - allow $1 bird_t:process { ptrace signal_perms }; - ps_process_pattern($1, bird_t) - - init_labeled_script_domtrans($1, bird_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bird_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, bird_etc_t) - - logging_list_logs($1) - admin_pattern($1, bird_log_t) - - files_list_pids($1) - admin_pattern($1, bird_var_run_t) -') diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te deleted file mode 100644 index d4d71ec1..00000000 --- a/policy/modules/contrib/bird.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(bird, 1.0.2) - -######################################## -# -# Declarations -# - -type bird_t; -type bird_exec_t; -init_daemon_domain(bird_t, bird_exec_t) - -type bird_initrc_exec_t; -init_script_file(bird_initrc_exec_t) - -type bird_etc_t; -files_config_file(bird_etc_t) - -type bird_log_t; -logging_log_file(bird_log_t) - -type bird_var_run_t; -files_pid_file(bird_var_run_t) - -######################################## -# -# Local policy -# - -allow bird_t self:capability net_admin; -allow bird_t self:netlink_route_socket create_netlink_socket_perms; -allow bird_t self:tcp_socket create_stream_socket_perms; - -allow bird_t bird_etc_t:file read_file_perms; - -allow bird_t bird_log_t:file { create_file_perms append_file_perms setattr_file_perms }; -logging_log_filetrans(bird_t, bird_log_t, file) - -allow bird_t bird_var_run_t:sock_file manage_sock_file_perms; -files_pid_filetrans(bird_t, bird_var_run_t, sock_file) - -corenet_all_recvfrom_unlabeled(bird_t) -corenet_all_recvfrom_netlabel(bird_t) -corenet_tcp_sendrecv_generic_if(bird_t) -corenet_tcp_bind_generic_node(bird_t) -corenet_tcp_sendrecv_generic_node(bird_t) - -corenet_sendrecv_bgp_client_packets(bird_t) -corenet_sendrecv_bgp_server_packets(bird_t) -corenet_tcp_bind_bgp_port(bird_t) -corenet_tcp_connect_bgp_port(bird_t) -corenet_tcp_sendrecv_bgp_port(bird_t) - -# /etc/iproute2/rt_realms -files_read_etc_files(bird_t) - -logging_send_syslog_msg(bird_t) - -miscfiles_read_localization(bird_t) diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc new file mode 100644 index 00000000..d2198e4d --- /dev/null +++ b/policy/modules/contrib/bitcoin.fc @@ -0,0 +1,16 @@ +# +# /etc +# +/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0) +/etc/rc\.d/init\.d/bitcoind -- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0) + +# +# /var +# +/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0) + diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if new file mode 100644 index 00000000..bf4b333a --- /dev/null +++ b/policy/modules/contrib/bitcoin.if @@ -0,0 +1,45 @@ +## <summary>Bitcoin software-based online payment system</summary> + +######################################### +## <summary> +## Administer a bitcoin environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +# +interface(`bitcoin_admin',` + gen_require(` + type bitcoin_t; + type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t; + type bitcoin_var_lib_t, bitcoin_runtime_t; + type bitcoin_initrc_exec_t; + ') + + allow $1 bitcoin_t:process { ptrace signal_perms }; + ps_process_pattern($1, bitcoin_t) + + init_startstop_service($1, $2, bitcoin_t, bitcoin_initrc_exec_t) + + files_list_tmp($1) + admin_pattern($1, bitcoin_tmp_t) + + logging_list_logs($1) + admin_pattern($1, bitcoin_log_t) + + files_list_etc($1) + admin_pattern($1, bitcoin_etc_t) + + files_list_var_lib($1) + admin_pattern($1, bitcoin_var_lib_t) + + files_list_runtime($1) + admin_pattern($1, bitcoin_runtime_t) +') diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te new file mode 100644 index 00000000..2852f6b4 --- /dev/null +++ b/policy/modules/contrib/bitcoin.te @@ -0,0 +1,96 @@ +policy_module(bitcoin, 0.1) + +######################################### +# +# Declarations +# + +## <desc> +## <p> +## Determine whether the bitcoin daemon can bind +## to all unreserved ports or not. +## </p> +## </desc> +gen_tunable(bitcoin_bind_all_unreserved_ports, false) + +type bitcoin_t; +type bitcoin_exec_t; +init_daemon_domain(bitcoin_t, bitcoin_exec_t) + +type bitcoin_initrc_exec_t; +init_script_file(bitcoin_initrc_exec_t) + +type bitcoin_etc_t; +files_config_file(bitcoin_etc_t) +init_script_readable_type(bitcoin_etc_t) + +type bitcoin_log_t; +logging_log_file(bitcoin_log_t) + +type bitcoin_var_lib_t; +files_type(bitcoin_var_lib_t) +init_script_readable_type(bitcoin_var_lib_t) + +type bitcoin_runtime_t alias bitcoin_var_run_t; +files_runtime_file(bitcoin_runtime_t) + +type bitcoin_tmp_t; +files_tmp_file(bitcoin_tmp_t) + +######################################### +# +# Local policy +# + +allow bitcoin_t self:process signal_perms; +allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow bitcoin_t self:tcp_socket create_stream_socket_perms; + +read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) +read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) +#list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) + +allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }; +files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file) + +allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms; +manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t) +manage_dirs_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t) + +kernel_read_system_state(bitcoin_t) +kernel_read_vm_sysctls(bitcoin_t) + +corenet_all_recvfrom_netlabel(bitcoin_t) +corenet_all_recvfrom_unlabeled(bitcoin_t) + +corenet_sendrecv_bitcoin_server_packets(bitcoin_t) +# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets +corenet_tcp_bind_bitcoin_port(bitcoin_t) +corenet_tcp_connect_bitcoin_port(bitcoin_t) +corenet_tcp_connect_http_port(bitcoin_t) +corenet_tcp_bind_generic_node(bitcoin_t) +corenet_tcp_sendrecv_generic_if(bitcoin_t) +corenet_tcp_sendrecv_generic_node(bitcoin_t) +#corenet_sendrecv_dns_server_packets(bitcoin_t) +#corenet_udp_bind_dns_port(bitcoin_t) + +dev_read_sysfs(bitcoin_t) +dev_read_urand(bitcoin_t) + +domain_use_interactive_fds(bitcoin_t) + +files_read_etc_runtime_files(bitcoin_t) +files_read_usr_files(bitcoin_t) + +fs_getattr_xattr_fs(bitcoin_t) +#fs_associate(bitcoin_var_lib_t) + +auth_use_nsswitch(bitcoin_t) + +miscfiles_read_localization(bitcoin_t) + +userdom_use_user_terminals(bitcoin_t) + +tunable_policy(`bitcoin_bind_all_unreserved_ports',` + corenet_tcp_bind_all_unreserved_ports(bitcoin_t) +') diff --git a/policy/modules/contrib/bitlbee.fc b/policy/modules/contrib/bitlbee.fc deleted file mode 100644 index e9708d6c..00000000 --- a/policy/modules/contrib/bitlbee.fc +++ /dev/null @@ -1,14 +0,0 @@ -/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) - -/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0) - -/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0) -/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) - -/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) - -/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0) - -/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) -/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) -/var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/policy/modules/contrib/bitlbee.if b/policy/modules/contrib/bitlbee.if deleted file mode 100644 index e73fb799..00000000 --- a/policy/modules/contrib/bitlbee.if +++ /dev/null @@ -1,69 +0,0 @@ -## <summary>Tunnels instant messaging traffic to a virtual IRC channel.</summary> - -######################################## -## <summary> -## Read bitlbee configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bitlbee_read_config',` - gen_require(` - type bitlbee_conf_t; - ') - - files_search_etc($1) - allow $1 bitlbee_conf_t:dir list_dir_perms; - allow $1 bitlbee_conf_t:file read_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an bitlbee environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`bitlbee_admin',` - gen_require(` - type bitlbee_t, bitlbee_conf_t, bitlbee_var_t; - type bitlbee_initrc_exec_t, bitlbee_var_run_t; - type bitlbee_log_t, bitlbee_tmp_t; - ') - - allow $1 bitlbee_t:process { ptrace signal_perms }; - ps_process_pattern($1, bitlbee_t) - - init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bitlbee_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, bitlbee_conf_t) - - logging_search_logs($1) - admin_pattern($1, bitlbee_log_t) - - files_search_tmp($1) - admin_pattern($1, bitlbee_tmp_t) - - files_search_pids($1) - admin_pattern($1, bitlbee_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, bitlbee_var_t) -') diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te deleted file mode 100644 index ac8c91e1..00000000 --- a/policy/modules/contrib/bitlbee.te +++ /dev/null @@ -1,124 +0,0 @@ -policy_module(bitlbee, 1.4.4) - -######################################## -# -# Declarations -# - -type bitlbee_t; -type bitlbee_exec_t; -init_daemon_domain(bitlbee_t, bitlbee_exec_t) -inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t) - -type bitlbee_conf_t; -files_config_file(bitlbee_conf_t) - -type bitlbee_initrc_exec_t; -init_script_file(bitlbee_initrc_exec_t) - -type bitlbee_tmp_t; -files_tmp_file(bitlbee_tmp_t) - -type bitlbee_var_t; -files_type(bitlbee_var_t) - -type bitlbee_log_t; -logging_log_file(bitlbee_log_t) - -type bitlbee_var_run_t; -files_pid_file(bitlbee_var_run_t) - -######################################## -# -# Local policy -# - -allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; -allow bitlbee_t self:process { setsched signal }; -allow bitlbee_t self:fifo_file rw_fifo_file_perms; -allow bitlbee_t self:tcp_socket { accept listen }; -allow bitlbee_t self:unix_stream_socket { accept listen }; - -allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; -allow bitlbee_t bitlbee_conf_t:file read_file_perms; - -manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) -append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) -create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) -setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) - -manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) -manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) -files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file }) - -manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) -files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file) - -manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) -manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) -manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) -files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(bitlbee_t) -kernel_read_system_state(bitlbee_t) - -corenet_all_recvfrom_unlabeled(bitlbee_t) -corenet_all_recvfrom_netlabel(bitlbee_t) -corenet_tcp_sendrecv_generic_if(bitlbee_t) -corenet_tcp_sendrecv_generic_node(bitlbee_t) -corenet_tcp_bind_generic_node(bitlbee_t) - -corenet_sendrecv_jabber_client_client_packets(bitlbee_t) -corenet_tcp_connect_jabber_client_port(bitlbee_t) -corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) - -corenet_sendrecv_aol_client_packets(bitlbee_t) -corenet_tcp_connect_aol_port(bitlbee_t) -corenet_tcp_sendrecv_aol_port(bitlbee_t) - -corenet_sendrecv_gatekeeper_client_packets(bitlbee_t) -corenet_tcp_connect_gatekeeper_port(bitlbee_t) -corenet_tcp_sendrecv_gatekeeper_port(bitlbee_t) - -corenet_sendrecv_mmcc_client_packets(bitlbee_t) -corenet_tcp_connect_mmcc_port(bitlbee_t) -corenet_tcp_sendrecv_mmcc_port(bitlbee_t) - -corenet_sendrecv_msnp_client_packets(bitlbee_t) -corenet_tcp_connect_msnp_port(bitlbee_t) -corenet_tcp_sendrecv_msnp_port(bitlbee_t) - -corenet_sendrecv_http_client_packets(bitlbee_t) -corenet_tcp_connect_http_port(bitlbee_t) -corenet_tcp_sendrecv_http_port(bitlbee_t) - -corenet_sendrecv_http_cache_client_packets(bitlbee_t) -corenet_tcp_connect_http_cache_port(bitlbee_t) -corenet_tcp_sendrecv_http_cache_port(bitlbee_t) - -corenet_sendrecv_ircd_server_packets(bitlbee_t) -corenet_tcp_bind_ircd_port(bitlbee_t) -corenet_sendrecv_ircd_client_packets(bitlbee_t) -corenet_tcp_connect_ircd_port(bitlbee_t) -corenet_tcp_sendrecv_ircd_port(bitlbee_t) - -corenet_sendrecv_interwise_server_packets(bitlbee_t) -corenet_tcp_bind_interwise_port(bitlbee_t) -corenet_tcp_sendrecv_interwise_port(bitlbee_t) - -dev_read_rand(bitlbee_t) -dev_read_urand(bitlbee_t) - -files_read_usr_files(bitlbee_t) - -libs_legacy_use_shared_libs(bitlbee_t) - -auth_use_nsswitch(bitlbee_t) - -logging_send_syslog_msg(bitlbee_t) - -miscfiles_read_localization(bitlbee_t) - -optional_policy(` - tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) -') diff --git a/policy/modules/contrib/blueman.fc b/policy/modules/contrib/blueman.fc deleted file mode 100644 index c295d2e0..00000000 --- a/policy/modules/contrib/blueman.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0) - -/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) diff --git a/policy/modules/contrib/blueman.if b/policy/modules/contrib/blueman.if deleted file mode 100644 index 16ec5252..00000000 --- a/policy/modules/contrib/blueman.if +++ /dev/null @@ -1,99 +0,0 @@ -## <summary>Tool to manage Bluetooth devices.</summary> - -######################################## -## <summary> -## Execute blueman in the blueman domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`blueman_domtrans',` - gen_require(` - type blueman_t, blueman_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, blueman_exec_t, blueman_t) -') - -######################################## -## <summary> -## Send and receive messages from -## blueman over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`blueman_dbus_chat',` - gen_require(` - type blueman_t; - class dbus send_msg; - ') - - allow $1 blueman_t:dbus send_msg; - allow blueman_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Search blueman lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`blueman_search_lib',` - gen_require(` - type blueman_var_lib_t; - ') - - allow $1 blueman_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## <summary> -## Read blueman lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`blueman_read_lib_files',` - gen_require(` - type blueman_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## blueman lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`blueman_manage_lib_files',` - gen_require(` - type blueman_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t) -') diff --git a/policy/modules/contrib/blueman.te b/policy/modules/contrib/blueman.te deleted file mode 100644 index bc5c9841..00000000 --- a/policy/modules/contrib/blueman.te +++ /dev/null @@ -1,69 +0,0 @@ -policy_module(blueman, 1.0.4) - -######################################## -# -# Declarations -# - -type blueman_t; -type blueman_exec_t; -dbus_system_domain(blueman_t, blueman_exec_t) - -type blueman_var_lib_t; -files_type(blueman_var_lib_t) - -type blueman_var_run_t; -files_pid_file(blueman_var_run_t) - -######################################## -# -# Local policy -# - -allow blueman_t self:capability { net_admin sys_nice }; -allow blueman_t self:process { signal_perms setsched }; -allow blueman_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) -manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) -files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir) - -manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) -manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) -files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file }) - -kernel_read_net_sysctls(blueman_t) -kernel_read_system_state(blueman_t) -kernel_request_load_module(blueman_t) - -corecmd_exec_bin(blueman_t) - -dev_read_rand(blueman_t) -dev_read_urand(blueman_t) -dev_rw_wireless(blueman_t) - -domain_use_interactive_fds(blueman_t) - -files_list_tmp(blueman_t) -files_read_usr_files(blueman_t) - -auth_use_nsswitch(blueman_t) - -logging_send_syslog_msg(blueman_t) - -miscfiles_read_localization(blueman_t) - -sysnet_domtrans_ifconfig(blueman_t) - -optional_policy(` - avahi_domtrans(blueman_t) -') - -optional_policy(` - dnsmasq_domtrans(blueman_t) - dnsmasq_read_pid_files(blueman_t) -') - -optional_policy(` - iptables_domtrans(blueman_t) -') diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc deleted file mode 100644 index 2b9c7f32..00000000 --- a/policy/modules/contrib/bluetooth.fc +++ /dev/null @@ -1,24 +0,0 @@ -/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) -/etc/bluetooth/link_key -- gen_context(system_u:object_r:bluetooth_conf_rw_t,s0) - -/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) -/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) -/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) - -/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) -/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - -/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - -/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) - -/var/lock/subsys/bluetoothd -- gen_context(system_u:object_r:bluetooth_lock_t,s0) - -/var/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0) -/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if deleted file mode 100644 index c723a0ae..00000000 --- a/policy/modules/contrib/bluetooth.if +++ /dev/null @@ -1,238 +0,0 @@ -## <summary>Bluetooth tools and system services.</summary> - -######################################## -## <summary> -## Role access for bluetooth. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role -## </summary> -## </param> -# -interface(`bluetooth_role',` - gen_require(` - attribute_role bluetooth_helper_roles; - type bluetooth_t, bluetooth_helper_t, bluetooth_helper_exec_t; - type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_var_run_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 bluetooth_helper_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) - - ps_process_pattern($2, bluetooth_helper_t) - allow $2 bluetooth_helper_t:process { ptrace signal_perms }; - - allow $2 bluetooth_t:socket rw_socket_perms; - - allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) - files_search_pids($2) -') - -##################################### -## <summary> -## Connect to bluetooth over a unix domain -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bluetooth_stream_connect',` - gen_require(` - type bluetooth_t, bluetooth_var_run_t; - ') - - files_search_pids($1) - allow $1 bluetooth_t:socket rw_socket_perms; - stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) -') - -######################################## -## <summary> -## Execute bluetooth in the bluetooth domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`bluetooth_domtrans',` - gen_require(` - type bluetooth_t, bluetooth_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, bluetooth_exec_t, bluetooth_t) -') - -######################################## -## <summary> -## Read bluetooth configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bluetooth_read_config',` - gen_require(` - type bluetooth_conf_t; - ') - - allow $1 bluetooth_conf_t:file read_file_perms; -') - -######################################## -## <summary> -## Send and receive messages from -## bluetooth over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bluetooth_dbus_chat',` - gen_require(` - type bluetooth_t; - class dbus send_msg; - ') - - allow $1 bluetooth_t:dbus send_msg; - allow bluetooth_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`bluetooth_domtrans_helper',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Execute bluetooth_helper in the bluetooth_helper domain, and -## allow the specified role the bluetooth_helper domain. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="terminal"> -## <summary> -## The type of the terminal allow the bluetooth_helper domain to use. -## </summary> -## </param> -## <rolecap/> -# -interface(`bluetooth_run_helper',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Do not audit attempts to read -## bluetooth process state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`bluetooth_dontaudit_read_helper_state',` - gen_require(` - type bluetooth_helper_t; - ') - - dontaudit $1 bluetooth_helper_t:dir search_dir_perms; - dontaudit $1 bluetooth_helper_t:file read_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an bluetooth environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`bluetooth_admin',` - gen_require(` - type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; - type bluetooth_var_lib_t, bluetooth_var_run_t; - type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t; - type bluetooth_initrc_exec_t; - ') - - allow $1 bluetooth_t:process { ptrace signal_perms }; - ps_process_pattern($1, bluetooth_t) - - init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bluetooth_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, bluetooth_tmp_t) - - files_list_var($1) - admin_pattern($1, bluetooth_lock_t) - - files_list_etc($1) - admin_pattern($1, { bluetooth_conf_t bluetooth_conf_rw_t }) - - files_list_var_lib($1) - admin_pattern($1, bluetooth_var_lib_t) - - files_list_pids($1) - admin_pattern($1, bluetooth_var_run_t) -') diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te deleted file mode 100644 index 6f09d24e..00000000 --- a/policy/modules/contrib/bluetooth.te +++ /dev/null @@ -1,224 +0,0 @@ -policy_module(bluetooth, 3.4.5) - -######################################## -# -# Declarations -# - -attribute_role bluetooth_helper_roles; - -type bluetooth_t; -type bluetooth_exec_t; -init_daemon_domain(bluetooth_t, bluetooth_exec_t) - -type bluetooth_conf_t; -files_config_file(bluetooth_conf_t) - -type bluetooth_conf_rw_t; -files_type(bluetooth_conf_rw_t) - -type bluetooth_helper_t; -type bluetooth_helper_exec_t; -typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t }; -typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t }; -userdom_user_application_domain(bluetooth_helper_t, bluetooth_helper_exec_t) -role bluetooth_helper_roles types bluetooth_helper_t; - -type bluetooth_helper_tmp_t; -typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t }; -typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t }; -userdom_user_tmp_file(bluetooth_helper_tmp_t) - -type bluetooth_helper_tmpfs_t; -typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t }; -typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t }; -userdom_user_tmpfs_file(bluetooth_helper_tmpfs_t) - -type bluetooth_initrc_exec_t; -init_script_file(bluetooth_initrc_exec_t) - -type bluetooth_lock_t; -files_lock_file(bluetooth_lock_t) - -type bluetooth_tmp_t; -files_tmp_file(bluetooth_tmp_t) - -type bluetooth_var_lib_t; -files_type(bluetooth_var_lib_t) - -type bluetooth_var_run_t; -files_pid_file(bluetooth_var_run_t) - -######################################## -# -# Local policy -# - -allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; -dontaudit bluetooth_t self:capability sys_tty_config; -allow bluetooth_t self:process { getcap setcap getsched signal_perms }; -allow bluetooth_t self:fifo_file rw_fifo_file_perms; -allow bluetooth_t self:shm create_shm_perms; -allow bluetooth_t self:socket create_stream_socket_perms; -allow bluetooth_t self:unix_stream_socket { accept connectto listen }; -allow bluetooth_t self:tcp_socket { accept listen }; -allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms; - -read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t) - -manage_dirs_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_lnk_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_fifo_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_sock_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file lnk_file sock_file fifo_file }) - -allow bluetooth_t bluetooth_lock_t:file manage_file_perms; -files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) - -manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) -manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) -files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file }) - -manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) -manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) -files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } ) - -manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) -manage_sock_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) -files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) - -can_exec(bluetooth_t, bluetooth_helper_exec_t) - -kernel_read_kernel_sysctls(bluetooth_t) -kernel_read_system_state(bluetooth_t) -kernel_read_network_state(bluetooth_t) -kernel_request_load_module(bluetooth_t) -kernel_search_debugfs(bluetooth_t) - -corecmd_exec_bin(bluetooth_t) -corecmd_exec_shell(bluetooth_t) - -dev_read_sysfs(bluetooth_t) -dev_rw_usbfs(bluetooth_t) -dev_rw_generic_usb_dev(bluetooth_t) -dev_read_urand(bluetooth_t) -dev_rw_input_dev(bluetooth_t) -dev_rw_wireless(bluetooth_t) - -domain_use_interactive_fds(bluetooth_t) -domain_dontaudit_search_all_domains_state(bluetooth_t) - -files_read_etc_runtime_files(bluetooth_t) -files_read_usr_files(bluetooth_t) - -fs_getattr_all_fs(bluetooth_t) -fs_search_auto_mountpoints(bluetooth_t) -fs_list_inotifyfs(bluetooth_t) - -term_use_unallocated_ttys(bluetooth_t) - -auth_use_nsswitch(bluetooth_t) - -logging_send_syslog_msg(bluetooth_t) - -miscfiles_read_localization(bluetooth_t) -miscfiles_read_fonts(bluetooth_t) -miscfiles_read_hwdata(bluetooth_t) - -userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) -userdom_dontaudit_use_user_terminals(bluetooth_t) -userdom_dontaudit_search_user_home_dirs(bluetooth_t) - -optional_policy(` - dbus_system_bus_client(bluetooth_t) - - optional_policy(` - cups_dbus_chat(bluetooth_t) - ') - - optional_policy(` - devicekit_dbus_chat_power(bluetooth_t) - ') - - optional_policy(` - hal_dbus_chat(bluetooth_t) - ') - - optional_policy(` - networkmanager_dbus_chat(bluetooth_t) - ') - - optional_policy(` - pulseaudio_dbus_chat(bluetooth_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(bluetooth_t) -') - -optional_policy(` - udev_read_db(bluetooth_t) -') - -optional_policy(` - ppp_domtrans(bluetooth_t) -') - -######################################## -# -# Helper local policy -# - -allow bluetooth_helper_t self:capability sys_nice; -allow bluetooth_helper_t self:process getsched; -allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms; -allow bluetooth_helper_t self:shm create_shm_perms; -allow bluetooth_helper_t self:unix_stream_socket { accept connectto listen }; - -allow bluetooth_helper_t bluetooth_t:socket { read write }; - -manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { dir file sock_file }) - -manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file }) - -kernel_read_system_state(bluetooth_helper_t) -kernel_read_kernel_sysctls(bluetooth_helper_t) - -corecmd_exec_bin(bluetooth_helper_t) -corecmd_exec_shell(bluetooth_helper_t) - -dev_read_urand(bluetooth_helper_t) - -domain_read_all_domains_state(bluetooth_helper_t) - -files_read_etc_runtime_files(bluetooth_helper_t) -files_read_usr_files(bluetooth_helper_t) -files_dontaudit_list_default(bluetooth_helper_t) - -term_dontaudit_use_all_ttys(bluetooth_helper_t) - -auth_use_nsswitch(bluetooth_helper_t) - -locallogin_dontaudit_use_fds(bluetooth_helper_t) - -logging_send_syslog_msg(bluetooth_helper_t) - -miscfiles_read_localization(bluetooth_helper_t) - -optional_policy(` - bluetooth_dbus_chat(bluetooth_helper_t) - - dbus_system_bus_client(bluetooth_helper_t) - dbus_connect_system_bus(bluetooth_helper_t) -') - -optional_policy(` - xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t) -') diff --git a/policy/modules/contrib/boinc.fc b/policy/modules/contrib/boinc.fc deleted file mode 100644 index 6d3ccad6..00000000 --- a/policy/modules/contrib/boinc.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) - -/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) - -/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) -/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) - -/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) diff --git a/policy/modules/contrib/boinc.if b/policy/modules/contrib/boinc.if deleted file mode 100644 index 02fefaaf..00000000 --- a/policy/modules/contrib/boinc.if +++ /dev/null @@ -1,44 +0,0 @@ -## <summary>Platform for computing using volunteered resources.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an boinc environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`boinc_admin',` - gen_require(` - - type boinc_t, boinc_project_t, boinc_log_t; - type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t; - type boinc_project_var_lib_t, boinc_project_tmp_t; - ') - - allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { boinc_t boinc_project_t }) - - init_labeled_script_domtrans($1, boinc_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 boinc_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, boinc_log_t) - - files_search_tmp($1) - admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t }) - - files_search_var_lib($1) - admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t }) -') diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te deleted file mode 100644 index 7c92aa10..00000000 --- a/policy/modules/contrib/boinc.te +++ /dev/null @@ -1,184 +0,0 @@ -policy_module(boinc, 1.0.3) - -######################################## -# -# Declarations -# - -type boinc_t; -type boinc_exec_t; -init_daemon_domain(boinc_t, boinc_exec_t) - -type boinc_initrc_exec_t; -init_script_file(boinc_initrc_exec_t) - -type boinc_tmp_t; -files_tmp_file(boinc_tmp_t) - -type boinc_tmpfs_t; -files_tmpfs_file(boinc_tmpfs_t) - -type boinc_var_lib_t; -files_type(boinc_var_lib_t) - -type boinc_project_var_lib_t; -files_type(boinc_project_var_lib_t) - -type boinc_log_t; -logging_log_file(boinc_log_t) - -type boinc_project_t; -domain_type(boinc_project_t) -domain_entry_file(boinc_project_t, boinc_project_var_lib_t) -role system_r types boinc_project_t; - -type boinc_project_tmp_t; -files_tmp_file(boinc_project_tmp_t) - -######################################## -# -# Local policy -# - -allow boinc_t self:process { setsched setpgid signull sigkill }; -allow boinc_t self:unix_stream_socket { accept listen }; -allow boinc_t self:tcp_socket { accept listen }; -allow boinc_t self:shm create_shm_perms; -allow boinc_t self:fifo_file rw_fifo_file_perms; -allow boinc_t self:sem create_sem_perms; - -manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) - -manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) -fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) - -manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) - -# entry files to the boinc_project_t domain -manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots") -filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects") - -append_files_pattern(boinc_t, boinc_log_t, boinc_log_t) -create_files_pattern(boinc_t, boinc_log_t, boinc_log_t) -setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t) -logging_log_filetrans(boinc_t, boinc_log_t, file) - -can_exec(boinc_t, boinc_var_lib_t) - -domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) - -kernel_read_system_state(boinc_t) -kernel_search_vm_sysctl(boinc_t) - -corenet_all_recvfrom_unlabeled(boinc_t) -corenet_all_recvfrom_netlabel(boinc_t) -corenet_tcp_sendrecv_generic_if(boinc_t) -corenet_tcp_sendrecv_generic_node(boinc_t) -corenet_tcp_bind_generic_node(boinc_t) - -corenet_sendrecv_boinc_client_packets(boinc_t) -corenet_sendrecv_boinc_server_packets(boinc_t) -corenet_tcp_bind_boinc_port(boinc_t) -corenet_tcp_connect_boinc_port(boinc_t) -corenet_tcp_sendrecv_boinc_port(boinc_t) - -corenet_sendrecv_boinc_client_server_packets(boinc_t) -corenet_tcp_bind_boinc_client_port(boinc_t) -corenet_tcp_sendrecv_boinc_client_port(boinc_t) - -corenet_sendrecv_http_client_packets(boinc_t) -corenet_tcp_connect_http_port(boinc_t) -corenet_tcp_sendrecv_http_port(boinc_t) - -corenet_sendrecv_http_cache_client_packets(boinc_t) -corenet_tcp_connect_http_cache_port(boinc_t) -corenet_tcp_sendrecv_http_cache_port(boinc_t) - -corenet_sendrecv_squid_client_packets(boinc_t) -corenet_tcp_connect_squid_port(boinc_t) -corenet_tcp_sendrecv_squid_port(boinc_t) - -corecmd_exec_bin(boinc_t) -corecmd_exec_shell(boinc_t) - -dev_read_rand(boinc_t) -dev_read_urand(boinc_t) -dev_read_sysfs(boinc_t) -dev_rw_xserver_misc(boinc_t) - -domain_read_all_domains_state(boinc_t) - -files_dontaudit_getattr_boot_dirs(boinc_t) -files_getattr_all_dirs(boinc_t) -files_getattr_all_files(boinc_t) -files_read_etc_files(boinc_t) -files_read_etc_runtime_files(boinc_t) -files_read_usr_files(boinc_t) - -fs_getattr_all_fs(boinc_t) - -term_getattr_all_ptys(boinc_t) -term_getattr_unallocated_ttys(boinc_t) - -init_read_utmp(boinc_t) - -logging_send_syslog_msg(boinc_t) - -miscfiles_read_fonts(boinc_t) -miscfiles_read_localization(boinc_t) - -optional_policy(` - mta_send_mail(boinc_t) -') - -optional_policy(` - sysnet_dns_name_resolve(boinc_t) -') - -######################################## -# -# Project local policy -# - -allow boinc_project_t self:capability { setuid setgid }; -allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms }; - -manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) -manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) -manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) -files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file}) - -manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) - -allow boinc_project_t boinc_project_var_lib_t:file execmod; -can_exec(boinc_project_t, boinc_project_var_lib_t) - -allow boinc_project_t boinc_t:shm rw_shm_perms; -allow boinc_project_t boinc_tmpfs_t:file { read write }; - -kernel_read_kernel_sysctls(boinc_project_t) -kernel_read_network_state(boinc_project_t) -kernel_search_vm_sysctl(boinc_project_t) - -corenet_all_recvfrom_unlabeled(boinc_project_t) -corenet_all_recvfrom_netlabel(boinc_project_t) -corenet_tcp_sendrecv_generic_if(boinc_project_t) -corenet_tcp_sendrecv_generic_node(boinc_project_t) -corenet_tcp_bind_generic_node(boinc_project_t) - -corenet_sendrecv_boinc_client_packets(boinc_project_t) -corenet_tcp_connect_boinc_port(boinc_project_t) -corenet_tcp_sendrecv_boinc_port(boinc_project_t) - -files_dontaudit_search_home(boinc_project_t) - -optional_policy(` - java_exec(boinc_project_t) -') diff --git a/policy/modules/contrib/brctl.fc b/policy/modules/contrib/brctl.fc deleted file mode 100644 index 32f8ee97..00000000 --- a/policy/modules/contrib/brctl.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0) diff --git a/policy/modules/contrib/brctl.if b/policy/modules/contrib/brctl.if deleted file mode 100644 index 422a5c66..00000000 --- a/policy/modules/contrib/brctl.if +++ /dev/null @@ -1,45 +0,0 @@ -## <summary>Utilities for configuring the Linux ethernet bridge.</summary> - -######################################## -## <summary> -## Execute a domain transition to run brctl. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`brctl_domtrans',` - gen_require(` - type brctl_t, brctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, brctl_exec_t, brctl_t) -') - -######################################## -## <summary> -## Execute brctl in the brctl domain, and -## allow the specified role the brctl domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`brctl_run',` - gen_require(` - attribute_role brctl_roles; - ') - - brctl_domtrans($1) - roleattribute $2 brctl_roles; -') diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te deleted file mode 100644 index bcd1e877..00000000 --- a/policy/modules/contrib/brctl.te +++ /dev/null @@ -1,46 +0,0 @@ -policy_module(brctl, 1.6.2) - -######################################## -# -# Declarations -# - -attribute_role brctl_roles; - -type brctl_t; -type brctl_exec_t; -init_system_domain(brctl_t, brctl_exec_t) -role brctl_roles types brctl_t; - -######################################## -# -# Local policy -# - -allow brctl_t self:capability net_admin; -allow brctl_t self:fifo_file rw_fifo_file_perms; -allow brctl_t self:unix_stream_socket create_stream_socket_perms; -allow brctl_t self:unix_dgram_socket create_socket_perms; -allow brctl_t self:tcp_socket create_socket_perms; - -kernel_request_load_module(brctl_t) -kernel_read_network_state(brctl_t) -kernel_read_sysctl(brctl_t) - -corenet_rw_tun_tap_dev(brctl_t) - -dev_rw_sysfs(brctl_t) -dev_write_sysfs_dirs(brctl_t) - -domain_use_interactive_fds(brctl_t) - -files_read_etc_files(brctl_t) - -term_dontaudit_use_console(brctl_t) - -miscfiles_read_localization(brctl_t) - -optional_policy(` - xen_append_log(brctl_t) - xen_dontaudit_rw_unix_stream_sockets(brctl_t) -') diff --git a/policy/modules/contrib/bugzilla.fc b/policy/modules/contrib/bugzilla.fc deleted file mode 100644 index fce0b6eb..00000000 --- a/policy/modules/contrib/bugzilla.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) -/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) - -/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) diff --git a/policy/modules/contrib/bugzilla.if b/policy/modules/contrib/bugzilla.if deleted file mode 100644 index 1b22262d..00000000 --- a/policy/modules/contrib/bugzilla.if +++ /dev/null @@ -1,80 +0,0 @@ -## <summary>Bugtracker.</summary> - -######################################## -## <summary> -## Search bugzilla directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`bugzilla_search_content',` - gen_require(` - type httpd_bugzilla_content_t; - ') - - allow $1 httpd_bugzilla_content_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write bugzilla script unix domain -## stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`bugzilla_dontaudit_rw_stream_sockets',` - gen_require(` - type httpd_bugzilla_script_t; - ') - - dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an bugzilla environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`bugzilla_admin',` - gen_require(` - type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; - type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; - type httpd_bugzilla_htaccess_t; - ') - - allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; - ps_process_pattern($1, httpd_bugzilla_script_t) - - files_search_usr($1) - admin_pattern($1, httpd_bugzilla_script_exec_t) - admin_pattern($1, httpd_bugzilla_script_t) - admin_pattern($1, httpd_bugzilla_content_t) - admin_pattern($1, httpd_bugzilla_htaccess_t) - admin_pattern($1, httpd_bugzilla_ra_content_t) - - files_search_tmp($1) - files_search_var_lib($1) - admin_pattern($1, httpd_bugzilla_rw_content_t) - - apache_list_sys_content($1) -') diff --git a/policy/modules/contrib/bugzilla.te b/policy/modules/contrib/bugzilla.te deleted file mode 100644 index 41f8251e..00000000 --- a/policy/modules/contrib/bugzilla.te +++ /dev/null @@ -1,47 +0,0 @@ -policy_module(bugzilla, 1.0.4) - -######################################## -# -# Declarations -# - -apache_content_template(bugzilla) - -######################################## -# -# Local policy -# - -allow httpd_bugzilla_script_t self:tcp_socket { accept listen }; - -corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) -corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) - -corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t) -corenet_tcp_connect_http_port(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t) - -corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t) -corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t) - -files_search_var_lib(httpd_bugzilla_script_t) - -sysnet_dns_name_resolve(httpd_bugzilla_script_t) -sysnet_use_ldap(httpd_bugzilla_script_t) - -optional_policy(` - mta_send_mail(httpd_bugzilla_script_t) -') - -optional_policy(` - mysql_stream_connect(httpd_bugzilla_script_t) - mysql_tcp_connect(httpd_bugzilla_script_t) -') - -optional_policy(` - postgresql_stream_connect(httpd_bugzilla_script_t) - postgresql_tcp_connect(httpd_bugzilla_script_t) -') diff --git a/policy/modules/contrib/cachefilesd.fc b/policy/modules/contrib/cachefilesd.fc deleted file mode 100644 index 648c7902..00000000 --- a/policy/modules/contrib/cachefilesd.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0) - -/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) - -/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) - -/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0) - -/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0) diff --git a/policy/modules/contrib/cachefilesd.if b/policy/modules/contrib/cachefilesd.if deleted file mode 100644 index 8de2ab9c..00000000 --- a/policy/modules/contrib/cachefilesd.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>CacheFiles user-space management daemon.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an cachefilesd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cachefilesd_admin',` - gen_require(` - type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t; - type cachefilesd_var_run_t; - ') - - allow $1 cachefilesd_t:process { ptrace signal_perms }; - ps_process_pattern($1, cachefilesd_t) - - init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cachefilesd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var($1) - admin_pattern($1, cachefilesd_cache_t) - - files_search_pids($1) - admin_pattern($1, cachefilesd_var_run_t) -') diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te deleted file mode 100644 index 581c8efe..00000000 --- a/policy/modules/contrib/cachefilesd.te +++ /dev/null @@ -1,52 +0,0 @@ -policy_module(cachefilesd, 1.0.1) - -######################################## -# -# Declarations -# - -type cachefilesd_t; -type cachefilesd_exec_t; -init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) - -type cachefilesd_initrc_exec_t; -init_script_file(cachefilesd_initrc_exec_t) - -type cachefilesd_cache_t; -files_type(cachefilesd_cache_t) - -type cachefilesd_var_run_t; -files_pid_file(cachefilesd_var_run_t) - -######################################## -# -# Local policy -# - -allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; - -manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) -files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) - -manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) -manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) - -dev_rw_cachefiles(cachefilesd_t) - -files_create_all_files_as(cachefilesd_t) -files_read_etc_files(cachefilesd_t) - -fs_getattr_xattr_fs(cachefilesd_t) - -term_dontaudit_use_generic_ptys(cachefilesd_t) -term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) - -logging_send_syslog_msg(cachefilesd_t) - -miscfiles_read_localization(cachefilesd_t) - -init_dontaudit_use_script_ptys(cachefilesd_t) - -optional_policy(` - rpm_use_script_fds(cachefilesd_t) -') diff --git a/policy/modules/contrib/calamaris.fc b/policy/modules/contrib/calamaris.fc deleted file mode 100644 index 1bf35dbb..00000000 --- a/policy/modules/contrib/calamaris.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/cron\.daily/calamaris -- gen_context(system_u:object_r:calamaris_exec_t,s0) - -/var/log/calamaris(/.*)? gen_context(system_u:object_r:calamaris_log_t,s0) - -/var/www/calamaris(/.*)? gen_context(system_u:object_r:calamaris_www_t,s0) diff --git a/policy/modules/contrib/calamaris.if b/policy/modules/contrib/calamaris.if deleted file mode 100644 index cd9c5287..00000000 --- a/policy/modules/contrib/calamaris.if +++ /dev/null @@ -1,101 +0,0 @@ -## <summary>Squid log analysis.</summary> - -######################################## -## <summary> -## Execute the calamaris in -## the calamaris domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`calamaris_domtrans',` - gen_require(` - type calamaris_t, calamaris_exec_t; - ') - - files_search_etc($1) - domtrans_pattern($1, calamaris_exec_t, calamaris_t) -') - -######################################## -## <summary> -## Execute calamaris in the -## calamaris domain, and allow the -## specified role the calamaris domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`calamaris_run',` - gen_require(` - attribute_role calamaris_roles; - ') - - lightsquid_domtrans($1) - roleattribute $2 calamaris_roles; -') - -####################################### -## <summary> -## Read calamaris www files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`calamaris_read_www_files',` - gen_require(` - type calamaris_www_t; - ') - - allow $1 calamaris_www_t:dir list_dir_perms; - read_files_pattern($1, calamaris_www_t, calamaris_www_t) - read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an calamaris environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`calamaris_admin',` - gen_require(` - type calamaris_t, calamaris_log_t, calamaris_www_t; - ') - - allow $1 calamaris_t:process { ptrace signal_perms }; - ps_process_pattern($1, calamaris_t) - - calamaris_run($1, $2) - - logging_list_logs($1) - admin_pattern($1, calamaris_log_t) - - apache_list_sys_content($1) - admin_pattern($1, calamaris_www_t) -') diff --git a/policy/modules/contrib/calamaris.te b/policy/modules/contrib/calamaris.te deleted file mode 100644 index f4f21d36..00000000 --- a/policy/modules/contrib/calamaris.te +++ /dev/null @@ -1,73 +0,0 @@ -policy_module(calamaris, 1.7.2) - -######################################## -# -# Declarations -# - -attribute_role calamaris_roles; - -type calamaris_t; -type calamaris_exec_t; -application_domain(calamaris_t, calamaris_exec_t) -role calamaris_roles types calamaris_t; - -type calamaris_log_t; -logging_log_file(calamaris_log_t) - -type calamaris_www_t; -files_type(calamaris_www_t) - -######################################## -# -# Local policy -# - -allow calamaris_t self:capability dac_override; -allow calamaris_t self:process { signal_perms setsched }; -allow calamaris_t self:fifo_file rw_fifo_file_perms; -allow calamaris_t self:unix_stream_socket { accept listen }; -allow calamaris_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(calamaris_t, calamaris_log_t, calamaris_log_t) -manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t) -logging_log_filetrans(calamaris_t, calamaris_log_t, { dir file }) - -manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t) -manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t) - -kernel_read_all_sysctls(calamaris_t) -kernel_read_system_state(calamaris_t) - -corecmd_exec_bin(calamaris_t) - -dev_read_urand(calamaris_t) - -files_read_usr_files(calamaris_t) -files_read_etc_runtime_files(calamaris_t) - -libs_read_lib_files(calamaris_t) - -auth_use_nsswitch(calamaris_t) - -logging_send_syslog_msg(calamaris_t) - -miscfiles_read_localization(calamaris_t) - -userdom_dontaudit_list_user_home_dirs(calamaris_t) - -optional_policy(` - apache_search_sys_content(calamaris_t) -') - -optional_policy(` - cron_system_entry(calamaris_t, calamaris_exec_t) -') - -optional_policy(` - mta_send_mail(calamaris_t) -') - -optional_policy(` - squid_read_log(calamaris_t) -') diff --git a/policy/modules/contrib/callweaver.fc b/policy/modules/contrib/callweaver.fc deleted file mode 100644 index 70397fb7..00000000 --- a/policy/modules/contrib/callweaver.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0) - -/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0) - -/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0) - -/var/log/callweaver(/.*)? gen_context(system_u:object_r:callweaver_log_t,s0) - -/var/run/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_run_t,s0) - -/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0) diff --git a/policy/modules/contrib/callweaver.if b/policy/modules/contrib/callweaver.if deleted file mode 100644 index 16f1855f..00000000 --- a/policy/modules/contrib/callweaver.if +++ /dev/null @@ -1,81 +0,0 @@ -## <summary>PBX software.</summary> - -######################################## -## <summary> -## Execute callweaver in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`callweaver_exec',` - gen_require(` - type callweaver_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, callweaver_exec_t) -') - -######################################## -## <summary> -## Connect to callweaver over a -## unix stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`callweaver_stream_connect',` - gen_require(` - type callweaver_t, callweaver_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an callweaver environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`callweaver_admin',` - gen_require(` - type callweaver_t, callweaver_initrc_exec_t, callweaver_log_t; - type callweaver_var_lib_t, callweaver_var_run_t, callweaver_spool_t; - ') - - allow $1 callweaver_t:process { ptrace signal_perms }; - ps_process_pattern($1, callweaver_t) - - init_labeled_script_domtrans($1, callweaver_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 callweaver_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, callweaver_log_t) - - files_search_pids($1) - admin_pattern($1, callweaver_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, { callweaver_spool_t callweaver_var_lib_t }) -') diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te deleted file mode 100644 index 528051e7..00000000 --- a/policy/modules/contrib/callweaver.te +++ /dev/null @@ -1,87 +0,0 @@ -policy_module(callweaver, 1.0.2) - -######################################## -# -# Declarations -# - -type callweaver_t; -type callweaver_exec_t; -init_daemon_domain(callweaver_t, callweaver_exec_t) - -type callweaver_initrc_exec_t; -init_script_file(callweaver_initrc_exec_t) - -type callweaver_log_t; -logging_log_file(callweaver_log_t) - -type callweaver_var_lib_t; -files_type(callweaver_var_lib_t) - -type callweaver_var_run_t; -files_pid_file(callweaver_var_run_t) - -type callweaver_spool_t; -files_type(callweaver_spool_t) - -######################################## -# -# Local policy -# - -allow callweaver_t self:capability { setuid sys_nice setgid }; -allow callweaver_t self:process { setsched signal }; -allow callweaver_t self:fifo_file rw_fifo_file_perms; -allow callweaver_t self:tcp_socket { accept listen }; -allow callweaver_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t) -append_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t) -create_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t) -setattr_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t) -logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file }) - -manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t) -manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t) -files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file }) - -manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) -manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) -manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) -files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file }) - -manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) -manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) -manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) -files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file }) - -kernel_read_kernel_sysctls(callweaver_t) -kernel_read_sysctl(callweaver_t) - -corenet_all_recvfrom_unlabeled(callweaver_t) -corenet_all_recvfrom_netlabel(callweaver_t) -corenet_udp_sendrecv_generic_if(callweaver_t) -corenet_udp_sendrecv_generic_node(callweaver_t) -corenet_udp_sendrecv_all_ports(callweaver_t) -corenet_udp_bind_generic_node(callweaver_t) - -corenet_sendrecv_asterisk_server_packets(callweaver_t) -corenet_udp_bind_asterisk_port(callweaver_t) - -corenet_sendrecv_generic_server_packets(callweaver_t) -corenet_udp_bind_generic_port(callweaver_t) - -corenet_sendrecv_sip_server_packets(callweaver_t) -corenet_udp_bind_sip_port(callweaver_t) - -dev_manage_generic_symlinks(callweaver_t) - -domain_use_interactive_fds(callweaver_t) - -term_getattr_pty_fs(callweaver_t) -term_use_generic_ptys(callweaver_t) -term_use_ptmx(callweaver_t) - -auth_use_nsswitch(callweaver_t) - -miscfiles_read_localization(callweaver_t) diff --git a/policy/modules/contrib/canna.fc b/policy/modules/contrib/canna.fc deleted file mode 100644 index ef746fd6..00000000 --- a/policy/modules/contrib/canna.fc +++ /dev/null @@ -1,17 +0,0 @@ -/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0) - -/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0) -/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0) - -/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0) -/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0) - -/var/lib/canna/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0) -/var/lib/wnn/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0) - -/var/log/canna(/.*)? gen_context(system_u:object_r:canna_log_t,s0) -/var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0) - -/var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) -/var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) -/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) diff --git a/policy/modules/contrib/canna.if b/policy/modules/contrib/canna.if deleted file mode 100644 index 400db07a..00000000 --- a/policy/modules/contrib/canna.if +++ /dev/null @@ -1,62 +0,0 @@ -## <summary>Kana-kanji conversion server.</summary> - -######################################## -## <summary> -## Connect to Canna using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`canna_stream_connect',` - gen_require(` - type canna_t, canna_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an canna environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`canna_admin',` - gen_require(` - type canna_t, canna_log_t, canna_var_lib_t; - type canna_var_run_t, canna_initrc_exec_t; - ') - - allow $1 canna_t:process { ptrace signal_perms }; - ps_process_pattern($1, canna_t) - - init_labeled_script_domtrans($1, canna_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 canna_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, canna_log_t) - - files_list_var_lib($1) - admin_pattern($1, canna_var_lib_t) - - files_list_pids($1) - admin_pattern($1, canna_var_run_t) -') diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te deleted file mode 100644 index 4ec06263..00000000 --- a/policy/modules/contrib/canna.te +++ /dev/null @@ -1,96 +0,0 @@ -policy_module(canna, 1.11.1) - -######################################## -# -# Declarations -# - -type canna_t; -type canna_exec_t; -init_daemon_domain(canna_t, canna_exec_t) - -type canna_initrc_exec_t; -init_script_file(canna_initrc_exec_t) - -type canna_log_t; -logging_log_file(canna_log_t) - -type canna_var_lib_t; -files_type(canna_var_lib_t) - -type canna_var_run_t; -files_pid_file(canna_var_run_t) - -######################################## -# -# Local policy -# - -allow canna_t self:capability { setgid setuid net_bind_service }; -dontaudit canna_t self:capability sys_tty_config; -allow canna_t self:process signal_perms; -allow canna_t self:unix_stream_socket { accept connectto listen }; -allow canna_t self:unix_dgram_socket { accept listen }; -allow canna_t self:tcp_socket create_stream_socket_perms; - -allow canna_t canna_log_t:dir setattr_dir_perms; -append_files_pattern(canna_t, canna_log_t, canna_log_t) -create_files_pattern(canna_t, canna_log_t, canna_log_t) -setattr_files_pattern(canna_t, canna_log_t, canna_log_t) -logging_log_filetrans(canna_t, canna_log_t, file) - -manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) -manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) -manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) -files_var_lib_filetrans(canna_t, canna_var_lib_t, file) - -manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t) -manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) -manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) -files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file }) - -kernel_read_kernel_sysctls(canna_t) -kernel_read_system_state(canna_t) - -corenet_all_recvfrom_unlabeled(canna_t) -corenet_all_recvfrom_netlabel(canna_t) -corenet_tcp_sendrecv_generic_if(canna_t) -corenet_tcp_sendrecv_generic_node(canna_t) - -corenet_sendrecv_all_client_packets(canna_t) -corenet_tcp_connect_all_ports(canna_t) -corenet_tcp_sendrecv_all_ports(canna_t) - -dev_read_sysfs(canna_t) - -fs_getattr_all_fs(canna_t) -fs_search_auto_mountpoints(canna_t) - -domain_use_interactive_fds(canna_t) - -files_read_etc_files(canna_t) -files_read_etc_runtime_files(canna_t) -files_read_usr_files(canna_t) -files_search_tmp(canna_t) -files_dontaudit_read_root_files(canna_t) - -logging_send_syslog_msg(canna_t) - -miscfiles_read_localization(canna_t) - -sysnet_read_config(canna_t) - -userdom_dontaudit_use_unpriv_user_fds(canna_t) -userdom_dontaudit_search_user_home_dirs(canna_t) - -optional_policy(` - nis_use_ypbind(canna_t) -') - -optional_policy(` - seutil_sigchld_newrole(canna_t) -') - -optional_policy(` - udev_read_db(canna_t) -') diff --git a/policy/modules/contrib/ccs.fc b/policy/modules/contrib/ccs.fc deleted file mode 100644 index 40128010..00000000 --- a/policy/modules/contrib/ccs.fc +++ /dev/null @@ -1,14 +0,0 @@ -/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0) - -/etc/rc\.d/init\.d/((ccs)|(ccsd)) -- gen_context(system_u:object_r:ccs_initrc_exec_t,s0) - -/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) - -/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) - -/var/lib/cluster/((ccs)|(ccsd)).* gen_context(system_u:object_r:ccs_var_lib_t,s0) - -/var/log/cluster/((ccs)|(ccsd)).* gen_context(system_u:object_r:ccs_var_log_t,s0) - -/var/run/cluster/((ccs)|(ccsd))\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) -/var/run/cluster/((ccs)|(ccsd))\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if deleted file mode 100644 index 5ded72d3..00000000 --- a/policy/modules/contrib/ccs.if +++ /dev/null @@ -1,127 +0,0 @@ -## <summary>Cluster Configuration System.</summary> - -######################################## -## <summary> -## Execute a domain transition to run ccs. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ccs_domtrans',` - gen_require(` - type ccs_t, ccs_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ccs_exec_t, ccs_t) -') - -######################################## -## <summary> -## Connect to ccs over an unix stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ccs_stream_connect',` - gen_require(` - type ccs_t, ccs_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t) -') - -######################################## -## <summary> -## Read cluster configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ccs_read_config',` - gen_require(` - type cluster_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, cluster_conf_t, cluster_conf_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## cluster configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ccs_manage_config',` - gen_require(` - type cluster_conf_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t) - manage_files_pattern($1, cluster_conf_t, cluster_conf_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ccs environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ccs_admin',` - gen_require(` - type ccs_t, ccs_initrc_exec_t, cluster_conf_t; - type ccs_var_lib_t_t, ccs_var_log_t; - type ccs_var_run_t, ccs_tmp_t; - ') - - allow $1 ccs_t:process { ptrace signal_perms }; - ps_process_pattern($1, ccs_t) - - init_labeled_script_domtrans($1, ccs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ccs_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, ccs_conf_t) - - files_search_var_lib($1) - admin_pattern($1, ccs_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, ccs_var_log_t) - - files_search_pids($1) - admin_pattern($1, ccs_var_run_t) - - files_search_tmp($1) - admin_pattern($1, ccs_tmp_t) -') diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te deleted file mode 100644 index b85b53b3..00000000 --- a/policy/modules/contrib/ccs.te +++ /dev/null @@ -1,129 +0,0 @@ -policy_module(ccs, 1.5.2) - -######################################## -# -# Declarations -# - -type ccs_t; -type ccs_exec_t; -init_daemon_domain(ccs_t, ccs_exec_t) - -type ccs_initrc_exec_t; -init_script_file(ccs_initrc_exec_t) - -type cluster_conf_t; -files_config_file(cluster_conf_t) - -type ccs_tmp_t; -files_tmp_file(ccs_tmp_t) - -type ccs_tmpfs_t; -files_tmpfs_file(ccs_tmpfs_t) - -type ccs_var_lib_t; -logging_log_file(ccs_var_lib_t) - -type ccs_var_log_t; -logging_log_file(ccs_var_log_t) - -type ccs_var_run_t; -files_pid_file(ccs_var_run_t) - -######################################## -# -# Local policy -# - -allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; -allow ccs_t self:process { signal setrlimit setsched }; -dontaudit ccs_t self:process ptrace; -allow ccs_t self:fifo_file rw_fifo_file_perms; -allow ccs_t self:unix_stream_socket { accept connectto listen }; -allow ccs_t self:tcp_socket { accept listen }; -allow ccs_t self:udp_socket { accept listen recv_msg send_msg }; -allow ccs_t self:socket create_socket_perms; - -manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t) - -allow ccs_t ccs_tmp_t:dir manage_dir_perms; -manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) -manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) -files_tmp_filetrans(ccs_t, ccs_tmp_t, { dir file }) - -manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) -manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) -fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file }) - -manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) -manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) -files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { dir file }) - -allow ccs_t ccs_var_log_t:dir setattr_dir_perms; -append_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) -create_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) -setattr_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) -manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) -logging_log_filetrans(ccs_t, ccs_var_log_t, { file sock_file }) - -manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) -manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) -files_pid_filetrans(ccs_t, ccs_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(ccs_t) - -corecmd_list_bin(ccs_t) -corecmd_exec_bin(ccs_t) - -corenet_all_recvfrom_unlabeled(ccs_t) -corenet_all_recvfrom_netlabel(ccs_t) -corenet_tcp_sendrecv_generic_if(ccs_t) -corenet_udp_sendrecv_generic_if(ccs_t) -corenet_tcp_sendrecv_generic_node(ccs_t) -corenet_udp_sendrecv_generic_node(ccs_t) -corenet_tcp_bind_generic_node(ccs_t) -corenet_udp_bind_generic_node(ccs_t) - -corenet_sendrecv_cluster_server_packets(ccs_t) -corenet_tcp_bind_cluster_port(ccs_t) -corenet_tcp_sendrecv_cluster_port(ccs_t) -corenet_udp_bind_cluster_port(ccs_t) -corenet_udp_sendrecv_cluster_port(ccs_t) - -corenet_sendrecv_netsupport_server_packets(ccs_t) -corenet_udp_bind_netsupport_port(ccs_t) - -dev_read_urand(ccs_t) - -files_read_etc_files(ccs_t) -files_read_etc_runtime_files(ccs_t) - -init_rw_script_tmp_files(ccs_t) - -logging_send_syslog_msg(ccs_t) - -miscfiles_read_localization(ccs_t) - -sysnet_dns_name_resolve(ccs_t) - -userdom_manage_unpriv_user_shared_mem(ccs_t) -userdom_manage_unpriv_user_semaphores(ccs_t) - -ifdef(`hide_broken_symptoms',` - corecmd_dontaudit_write_bin_dirs(ccs_t) - files_manage_isid_type_files(ccs_t) -') - -optional_policy(` - aisexec_stream_connect(ccs_t) - corosync_stream_connect(ccs_t) -') - -optional_policy(` - qpidd_rw_semaphores(ccs_t) - qpidd_rw_shm(ccs_t) -') - -optional_policy(` - unconfined_use_fds(ccs_t) -') diff --git a/policy/modules/contrib/cdrecord.fc b/policy/modules/contrib/cdrecord.fc deleted file mode 100644 index 819562d0..00000000 --- a/policy/modules/contrib/cdrecord.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) -/usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) -/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0) diff --git a/policy/modules/contrib/cdrecord.if b/policy/modules/contrib/cdrecord.if deleted file mode 100644 index fbc20f69..00000000 --- a/policy/modules/contrib/cdrecord.if +++ /dev/null @@ -1,32 +0,0 @@ -## <summary>Record audio or data Compact Discs from a master.</summary> - -######################################## -## <summary> -## Role access for cdrecord. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`cdrecord_role',` - gen_require(` - attribute_role cdrecord_roles; - type cdrecord_t, cdrecord_exec_t; - ') - - roleattribute $1 cdrecord_roles; - - domtrans_pattern($2, cdrecord_exec_t, cdrecord_t) - - allow cdrecord_t $2:unix_stream_socket rw_socket_perms; - - allow $2 cdrecord_t:process { ptrace signal_perms }; - ps_process_pattern($2, cdrecord_t) -') diff --git a/policy/modules/contrib/cdrecord.te b/policy/modules/contrib/cdrecord.te deleted file mode 100644 index 55fb26a2..00000000 --- a/policy/modules/contrib/cdrecord.te +++ /dev/null @@ -1,115 +0,0 @@ -policy_module(cdrecord, 2.5.2) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether cdrecord can read -## various content. nfs, samba, removable -## devices, user temp and untrusted -## content files -## </p> -## </desc> -gen_tunable(cdrecord_read_content, false) - -attribute_role cdrecord_roles; - -type cdrecord_t; -type cdrecord_exec_t; -typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t }; -typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t }; -userdom_user_application_domain(cdrecord_t, cdrecord_exec_t) -role cdrecord_roles types cdrecord_t; - -######################################## -# -# Local policy -# - -allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; -allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill }; -allow cdrecord_t self:unix_stream_socket { accept listen }; - -corecmd_exec_bin(cdrecord_t) - -dev_list_all_dev_nodes(cdrecord_t) -dev_read_sysfs(cdrecord_t) - -domain_interactive_fd(cdrecord_t) -domain_use_interactive_fds(cdrecord_t) - -files_read_etc_files(cdrecord_t) - -term_use_controlling_term(cdrecord_t) -term_list_ptys(cdrecord_t) - -storage_raw_read_removable_device(cdrecord_t) -storage_raw_write_removable_device(cdrecord_t) -storage_write_scsi_generic(cdrecord_t) - -logging_send_syslog_msg(cdrecord_t) - -miscfiles_read_localization(cdrecord_t) - -userdom_use_user_terminals(cdrecord_t) -userdom_read_user_home_content_files(cdrecord_t) - -tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints(cdrecord_t) - files_list_home(cdrecord_t) - fs_read_nfs_files(cdrecord_t) - fs_read_nfs_symlinks(cdrecord_t) -',` - files_dontaudit_list_home(cdrecord_t) - fs_dontaudit_list_auto_mountpoints(cdrecord_t) - fs_dontaudit_read_nfs_files(cdrecord_t) - fs_dontaudit_list_nfs(cdrecord_t) -') - -tunable_policy(`cdrecord_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints(cdrecord_t) - files_list_home(cdrecord_t) - fs_read_cifs_files(cdrecord_t) - fs_read_cifs_symlinks(cdrecord_t) -',` - files_dontaudit_list_home(cdrecord_t) - fs_dontaudit_list_auto_mountpoints(cdrecord_t) - fs_dontaudit_read_cifs_files(cdrecord_t) - fs_dontaudit_list_cifs(cdrecord_t) -') - -tunable_policy(`cdrecord_read_content',` - userdom_list_user_tmp(cdrecord_t) - userdom_read_user_tmp_files(cdrecord_t) - userdom_read_user_tmp_symlinks(cdrecord_t) - userdom_read_user_home_content_files(cdrecord_t) - userdom_read_user_home_content_symlinks(cdrecord_t) - - ifndef(`enable_mls',` - fs_search_removable(cdrecord_t) - fs_read_removable_files(cdrecord_t) - fs_read_removable_symlinks(cdrecord_t) - ') -',` - files_dontaudit_list_tmp(cdrecord_t) - files_dontaudit_list_home(cdrecord_t) - fs_dontaudit_list_removable(cdrecord_t) - fs_dontaudit_read_removable_files(cdrecord_t) - userdom_dontaudit_list_user_tmp(cdrecord_t) - userdom_dontaudit_read_user_tmp_files(cdrecord_t) - userdom_dontaudit_list_user_home_dirs(cdrecord_t) - userdom_dontaudit_read_user_home_content_files(cdrecord_t) -') - -tunable_policy(`use_nfs_home_dirs',` - files_search_mnt(cdrecord_t) - fs_read_nfs_files(cdrecord_t) - fs_read_nfs_symlinks(cdrecord_t) -') - -optional_policy(` - resmgr_stream_connect(cdrecord_t) -') diff --git a/policy/modules/contrib/ceph.fc b/policy/modules/contrib/ceph.fc new file mode 100644 index 00000000..4d1db681 --- /dev/null +++ b/policy/modules/contrib/ceph.fc @@ -0,0 +1,30 @@ +# +# /etc +# +/etc/ceph(/.*)? gen_context(system_u:object_r:ceph_conf_t,s0) +/etc/ceph/.*\.secret -- gen_context(system_u:object_r:ceph_key_t,s0) +/etc/ceph/.*\.keyring -- gen_context(system_u:object_r:ceph_key_t,s0) +/etc/rc\.d/init\.d/ceph.* gen_context(system_u:object_r:ceph_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/ceph-mds -- gen_context(system_u:object_r:ceph_mds_exec_t,s0) +/usr/bin/ceph-mon -- gen_context(system_u:object_r:ceph_mon_exec_t,s0) +/usr/bin/ceph-osd -- gen_context(system_u:object_r:ceph_osd_exec_t,s0) + +# +# /var +# +/var/lib/ceph(/.*)? gen_context(system_u:object_r:ceph_var_lib_t,s0) +/var/lib/ceph/mds(/.*)? gen_context(system_u:object_r:ceph_mds_data_t,s0) +/var/lib/ceph/mon(/.*)? gen_context(system_u:object_r:ceph_mon_data_t,s0) +/var/lib/ceph/osd(/.*)? gen_context(system_u:object_r:ceph_osd_data_t,s0) + +/var/log/ceph(/.*)? gen_context(system_u:object_r:ceph_log_t,s0) + +/run/ceph -d gen_context(system_u:object_r:ceph_runtime_t,s0) +/run/ceph/ceph-osd.* gen_context(system_u:object_r:ceph_osd_runtime_t,s0) +/run/ceph/ceph-mon.* gen_context(system_u:object_r:ceph_mon_runtime_t,s0) +/run/ceph/ceph-mds.* gen_context(system_u:object_r:ceph_mds_runtime_t,s0) +/run/ceph/mds.* -- gen_context(system_u:object_r:ceph_mds_runtime_t,s0) diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if new file mode 100644 index 00000000..010c6b11 --- /dev/null +++ b/policy/modules/contrib/ceph.if @@ -0,0 +1,105 @@ +## <summary>Ceph distributed object storage</summary> + +######################################### +## <summary> +## Create the individual Ceph domains +## </summary> +## <param name="cephdaemon"> +## <summary> +## The daemon (osd, mds or mon) for which the rules are created +## </summary> +## </param> +# +template(`ceph_domain_template',` + gen_require(` + attribute cephdomain; + attribute cephdata; + attribute cephpidfile; + attribute_role ceph_roles; + + type ceph_runtime_t; + ') + + type ceph_$1_t, cephdomain; + type ceph_$1_exec_t; + init_system_domain(ceph_$1_t, ceph_$1_exec_t) + role ceph_roles types ceph_$1_t; + + type ceph_$1_data_t, cephdata; + files_type(ceph_$1_data_t) + + type ceph_$1_runtime_t, cephpidfile; + typealias ceph_$1_runtime_t alias ceph_$1_var_run_t; + files_runtime_file(ceph_$1_runtime_t) + + ######################################## + # + # Local policy + # + # Rules which cannot be made part of the domain + + allow ceph_$1_t ceph_$1_runtime_t:file manage_file_perms; + allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_sock_file_perms; + allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms; + allow ceph_$1_t ceph_$1_data_t:file manage_file_perms; + + filetrans_pattern(ceph_$1_t, ceph_runtime_t, ceph_$1_runtime_t, { file sock_file }) + + files_var_lib_filetrans(ceph_$1_t, ceph_$1_data_t, { file dir }) +') + +######################################### +## <summary> +## Administrative access for Ceph +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`ceph_admin',` + gen_require(` + attribute cephdomain, cephdata; + type ceph_initrc_exec_t, ceph_log_t; + type ceph_conf_t, ceph_key_t; + ') + + allow $1 cephdomain:process { ptrace signal_perms }; + ps_process_pattern($1, cephdomain) + + init_startstop_service($1, $2, cephdomain, ceph_initrc_exec_t) + allow $1 ceph_initrc_exec_t:lnk_file read_lnk_file_perms; + allow $1 ceph_initrc_exec_t:file read_file_perms; + + files_list_etc($1) + admin_pattern($1, ceph_conf_t) + admin_pattern($1, ceph_key_t) + + admin_pattern($1, cephdata) + + admin_pattern($1, ceph_log_t) +') + +######################################### +## <summary> +## Read Ceph key files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`ceph_read_key',` + gen_require(` + type ceph_key_t; + ') + + allow $1 ceph_key_t:file read_file_perms; +') diff --git a/policy/modules/contrib/ceph.te b/policy/modules/contrib/ceph.te new file mode 100644 index 00000000..b1994a53 --- /dev/null +++ b/policy/modules/contrib/ceph.te @@ -0,0 +1,92 @@ +policy_module(ceph, 1.0) + +attribute_role ceph_roles; + +# Attribute for all ceph runtime domains (not clients) +attribute cephdomain; + +# Attribute for the ceph runtime daemon data +attribute cephdata; + +# Attribute for the ceph pidfile data +attribute cephpidfile; + +# Init support +type ceph_initrc_exec_t; +init_script_file(ceph_initrc_exec_t) + +type ceph_conf_t; +files_config_file(ceph_conf_t) + +# Private / shared keys for cephx support +type ceph_key_t; +files_type(ceph_key_t) + +type ceph_log_t; +logging_log_file(ceph_log_t) + +type ceph_var_lib_t; +files_type(ceph_var_lib_t) + +type ceph_runtime_t alias ceph_var_run_t; +files_runtime_file(ceph_runtime_t) + +######################################### +# +# General Ceph domain rules +# + +ceph_domain_template(osd) +ceph_domain_template(mds) +ceph_domain_template(mon) + +allow cephdomain self:fifo_file rw_fifo_file_perms; + +read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t }) +allow cephdomain ceph_log_t:dir manage_dir_perms; +allow cephdomain ceph_log_t:file { create_file_perms rw_file_perms }; +allow cephdomain ceph_var_lib_t:dir search_dir_perms; +allow cephdomain self:netlink_route_socket { rw_netlink_socket_perms }; +allow cephdomain self:tcp_socket { create_socket_perms listen accept }; +allow cephdomain ceph_runtime_t:file manage_file_perms; +allow cephdomain ceph_runtime_t:dir manage_dir_perms; + +kernel_read_system_state(cephdomain) + +corenet_tcp_bind_generic_node(cephdomain) +corenet_tcp_bind_all_unreserved_ports(cephdomain) +corenet_tcp_connect_all_unreserved_ports(cephdomain) + +files_read_etc_files(cephdomain) +files_search_runtime(cephdomain) +files_search_var_lib(cephdomain) +files_runtime_filetrans(cephdomain, ceph_runtime_t, dir) + +fs_getattr_all_fs(cephdomain) + +logging_search_logs(cephdomain) + +miscfiles_read_localization(cephdomain) + +init_use_script_ptys(cephdomain) + + +######################################### +# +# Local OSD policy +# + +corecmd_exec_shell(ceph_osd_t) + + +######################################### +# +# Local MDS policy +# + + +######################################### +# +# Local MON policy +# + diff --git a/policy/modules/contrib/certmaster.fc b/policy/modules/contrib/certmaster.fc deleted file mode 100644 index dff1e70d..00000000 --- a/policy/modules/contrib/certmaster.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) - -/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) - -/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) - -/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0) - -/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) - -/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) diff --git a/policy/modules/contrib/certmaster.if b/policy/modules/contrib/certmaster.if deleted file mode 100644 index 0c53b189..00000000 --- a/policy/modules/contrib/certmaster.if +++ /dev/null @@ -1,146 +0,0 @@ -## <summary>Remote certificate distribution framework.</summary> - -######################################## -## <summary> -## Execute a domain transition to run certmaster. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`certmaster_domtrans',` - gen_require(` - type certmaster_t, certmaster_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, certmaster_exec_t, certmaster_t) -') - -#################################### -## <summary> -## Execute certmaster in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`certmaster_exec',` - gen_require(` - type certmaster_exec_t; - ') - - can_exec($1, certmaster_exec_t) - corecmd_search_bin($1) -') - -####################################### -## <summary> -## read certmaster logs. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`certmaster_read_log',` - gen_require(` - type certmaster_var_log_t; - ') - - read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) -') - -####################################### -## <summary> -## Append certmaster log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`certmaster_append_log',` - gen_require(` - type certmaster_var_log_t; - ') - - append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) -') - -####################################### -## <summary> -## Create, read, write, and delete -## certmaster log content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`certmaster_manage_log',` - gen_require(` - type certmaster_var_log_t; - ') - - manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an certmaster environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`certmaster_admin',` - gen_require(` - type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; - type certmaster_etc_rw_t, certmaster_var_log_t; - type certmaster_initrc_exec_t; - ') - - allow $1 certmaster_t:process { ptrace signal_perms }; - ps_process_pattern($1, certmaster_t) - - init_labeled_script_domtrans($1, certmaster_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 certmaster_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - miscfiles_manage_generic_cert_dirs($1) - miscfiles_manage_generic_cert_files($1) - - admin_pattern($1, certmaster_etc_rw_t) - - files_list_pids($1) - admin_pattern($1, certmaster_var_run_t) - - logging_list_logs($1) - admin_pattern($1, certmaster_var_log_t) - - files_list_var_lib($1) - admin_pattern($1, certmaster_var_lib_t) -') diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te deleted file mode 100644 index bf82163b..00000000 --- a/policy/modules/contrib/certmaster.te +++ /dev/null @@ -1,75 +0,0 @@ -policy_module(certmaster, 1.2.1) - -######################################## -# -# Declarations -# - -type certmaster_t; -type certmaster_exec_t; -init_daemon_domain(certmaster_t, certmaster_exec_t) - -type certmaster_initrc_exec_t; -init_script_file(certmaster_initrc_exec_t) - -type certmaster_etc_rw_t; -files_type(certmaster_etc_rw_t) - -type certmaster_var_lib_t; -files_type(certmaster_var_lib_t) - -type certmaster_var_log_t; -logging_log_file(certmaster_var_log_t) - -type certmaster_var_run_t; -files_pid_file(certmaster_var_run_t) - -########################################### -# -# Local policy -# - -allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config }; -allow certmaster_t self:tcp_socket { accept listen }; - -list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) -manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) - -manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t) -manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t) -files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { dir file }) - -append_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -create_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -setattr_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -logging_log_filetrans(certmaster_t, certmaster_var_log_t, file ) - -manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) -manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) -files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file }) - -kernel_read_system_state(certmaster_t) - -corecmd_exec_bin(certmaster_t) - -corenet_all_recvfrom_unlabeled(certmaster_t) -corenet_all_recvfrom_netlabel(certmaster_t) -corenet_tcp_sendrecv_generic_if(certmaster_t) -corenet_tcp_sendrecv_generic_node(certmaster_t) -corenet_tcp_bind_generic_node(certmaster_t) - -corenet_sendrecv_certmaster_server_packets(certmaster_t) -corenet_tcp_bind_certmaster_port(certmaster_t) -corenet_tcp_sendrecv_certmaster_port(certmaster_t) - -dev_read_urand(certmaster_t) - -files_list_var(certmaster_t) -files_search_etc(certmaster_t) -files_read_usr_files(certmaster_t) - -auth_use_nsswitch(certmaster_t) - -miscfiles_read_localization(certmaster_t) -miscfiles_manage_generic_cert_dirs(certmaster_t) -miscfiles_manage_generic_cert_files(certmaster_t) diff --git a/policy/modules/contrib/certmonger.fc b/policy/modules/contrib/certmonger.fc deleted file mode 100644 index ed298d8b..00000000 --- a/policy/modules/contrib/certmonger.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) - -/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0) - -/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) - -/var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0) diff --git a/policy/modules/contrib/certmonger.if b/policy/modules/contrib/certmonger.if deleted file mode 100644 index 008f8ef2..00000000 --- a/policy/modules/contrib/certmonger.if +++ /dev/null @@ -1,175 +0,0 @@ -## <summary>Certificate status monitor and PKI enrollment client.</summary> - -######################################## -## <summary> -## Execute a domain transition to run certmonger. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`certmonger_domtrans',` - gen_require(` - type certmonger_t, certmonger_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, certmonger_exec_t, certmonger_t) -') - -######################################## -## <summary> -## Send and receive messages from -## certmonger over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`certmonger_dbus_chat',` - gen_require(` - type certmonger_t; - class dbus send_msg; - ') - - allow $1 certmonger_t:dbus send_msg; - allow certmonger_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Execute certmonger server in -## the certmonger domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`certmonger_initrc_domtrans',` - gen_require(` - type certmonger_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, certmonger_initrc_exec_t) -') - -######################################## -## <summary> -## Read certmonger PID files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`certmonger_read_pid_files',` - gen_require(` - type certmonger_var_run_t; - ') - - files_search_pids($1) - allow $1 certmonger_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Search certmonger lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`certmonger_search_lib',` - gen_require(` - type certmonger_var_lib_t; - ') - - allow $1 certmonger_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## <summary> -## Read certmonger lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`certmonger_read_lib_files',` - gen_require(` - type certmonger_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## certmonger lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`certmonger_manage_lib_files',` - gen_require(` - type certmonger_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an certmonger environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`certmonger_admin',` - gen_require(` - type certmonger_t, certmonger_initrc_exec_t; - type certmonger_var_lib_t, certmonger_var_run_t; - ') - - ps_process_pattern($1, certmonger_t) - allow $1 certmonger_t:process { ptrace signal_perms }; - - certmonger_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 certmonger_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, certmonger_var_lib_t) - - files_search_pids($1) - admin_pattern($1, certmonger_var_run_t) -') diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te deleted file mode 100644 index 2354e213..00000000 --- a/policy/modules/contrib/certmonger.te +++ /dev/null @@ -1,102 +0,0 @@ -policy_module(certmonger, 1.1.5) - -######################################## -# -# Declarations -# - -type certmonger_t; -type certmonger_exec_t; -init_daemon_domain(certmonger_t, certmonger_exec_t) - -type certmonger_initrc_exec_t; -init_script_file(certmonger_initrc_exec_t) - -type certmonger_var_lib_t; -files_type(certmonger_var_lib_t) - -type certmonger_var_run_t; -files_pid_file(certmonger_var_run_t) - -######################################## -# -# Local policy -# - -allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice }; -dontaudit certmonger_t self:capability sys_tty_config; -allow certmonger_t self:capability2 block_suspend; -allow certmonger_t self:process { getsched setsched sigkill signal }; -allow certmonger_t self:fifo_file rw_fifo_file_perms; -allow certmonger_t self:unix_stream_socket { accept listen }; -allow certmonger_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, dir) - -manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) -manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) -files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(certmonger_t) -kernel_read_system_state(certmonger_t) - -corenet_all_recvfrom_unlabeled(certmonger_t) -corenet_all_recvfrom_netlabel(certmonger_t) -corenet_tcp_sendrecv_generic_if(certmonger_t) -corenet_tcp_sendrecv_generic_node(certmonger_t) - -corenet_sendrecv_certmaster_client_packets(certmonger_t) -corenet_tcp_connect_certmaster_port(certmonger_t) -corenet_tcp_sendrecv_certmaster_port(certmonger_t) - -corecmd_exec_bin(certmonger_t) -corecmd_exec_shell(certmonger_t) - -dev_read_urand(certmonger_t) - -domain_use_interactive_fds(certmonger_t) - -files_read_usr_files(certmonger_t) -files_list_tmp(certmonger_t) - -fs_search_cgroup_dirs(certmonger_t) - -auth_use_nsswitch(certmonger_t) -auth_rw_cache(certmonger_t) - -init_getattr_all_script_files(certmonger_t) - -logging_send_syslog_msg(certmonger_t) - -miscfiles_read_localization(certmonger_t) -miscfiles_manage_generic_cert_files(certmonger_t) - -userdom_search_user_home_content(certmonger_t) - -optional_policy(` - apache_initrc_domtrans(certmonger_t) - apache_search_config(certmonger_t) - apache_signal(certmonger_t) - apache_signull(certmonger_t) -') - -optional_policy(` - bind_search_cache(certmonger_t) -') - -optional_policy(` - dbus_connect_system_bus(certmonger_t) - dbus_system_bus_client(certmonger_t) -') - -optional_policy(` - kerberos_read_keytab(certmonger_t) - kerberos_use(certmonger_t) -') - -optional_policy(` - pcscd_read_pid_files(certmonger_t) - pcscd_stream_connect(certmonger_t) -') diff --git a/policy/modules/contrib/certwatch.fc b/policy/modules/contrib/certwatch.fc deleted file mode 100644 index 726720cc..00000000 --- a/policy/modules/contrib/certwatch.fc +++ /dev/null @@ -1 +0,0 @@ -/etc/cron\.daily/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0) diff --git a/policy/modules/contrib/certwatch.if b/policy/modules/contrib/certwatch.if deleted file mode 100644 index 9291c5cc..00000000 --- a/policy/modules/contrib/certwatch.if +++ /dev/null @@ -1,77 +0,0 @@ -## <summary>Digital Certificate Tracking.</summary> - -######################################## -## <summary> -## Domain transition to certwatch. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`certwatch_domtrans',` - gen_require(` - type certwatch_exec_t, certwatch_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, certwatch_exec_t, certwatch_t) -') - -######################################## -## <summary> -## Execute certwatch in the certwatch -## domain, and allow the specified role -## the certwatch domain. -## backchannel. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`certwatch_run',` - gen_require(` - attribute_role certwatch_roles; - ') - - certwatch_domtrans($1) - roleattribute $2 certwatch_roles; -') - -######################################## -## <summary> -## Execute certwatch in the certwatch domain, and -## allow the specified role the certwatch domain, -## and use the caller's terminal. Has a sigchld -## backchannel. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="terminal"> -## <summary> -## The type of the terminal allow the certwatch domain to use. -## </summary> -## </param> -## <rolecap/> -# -interface(`certwatach_run',` - refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.') - certwatch_run($*) -') diff --git a/policy/modules/contrib/certwatch.te b/policy/modules/contrib/certwatch.te deleted file mode 100644 index 403af41f..00000000 --- a/policy/modules/contrib/certwatch.te +++ /dev/null @@ -1,57 +0,0 @@ -policy_module(certwatch, 1.7.2) - -######################################## -# -# Declarations -# - -attribute_role certwatch_roles; -roleattribute system_r certwatch_roles; - -type certwatch_t; -type certwatch_exec_t; -application_domain(certwatch_t, certwatch_exec_t) -role certwatch_roles types certwatch_t; - -######################################## -# -# Local policy -# - -allow certwatch_t self:capability sys_nice; -allow certwatch_t self:process { setsched getsched }; - -dev_read_urand(certwatch_t) - -files_read_etc_files(certwatch_t) -files_read_usr_files(certwatch_t) -files_read_usr_symlinks(certwatch_t) -files_list_tmp(certwatch_t) - -fs_list_inotifyfs(certwatch_t) - -auth_manage_cache(certwatch_t) -auth_var_filetrans_cache(certwatch_t) - -logging_send_syslog_msg(certwatch_t) - -miscfiles_read_all_certs(certwatch_t) -miscfiles_read_localization(certwatch_t) - -userdom_use_user_terminals(certwatch_t) -userdom_dontaudit_list_user_home_dirs(certwatch_t) - -optional_policy(` - apache_exec_modules(certwatch_t) - apache_read_config(certwatch_t) -') - -optional_policy(` - cron_system_entry(certwatch_t, certwatch_exec_t) -') - -optional_policy(` - pcscd_domtrans(certwatch_t) - pcscd_read_pid_files(certwatch_t) - pcscd_stream_connect(certwatch_t) -') diff --git a/policy/modules/contrib/cfengine.fc b/policy/modules/contrib/cfengine.fc deleted file mode 100644 index 5b605d6b..00000000 --- a/policy/modules/contrib/cfengine.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/((cf-serverd)|(cf-monitord)|(cf-execd)) -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0) - -/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0) -/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0) -/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0) - -/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0) - -/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_log_t,s0) diff --git a/policy/modules/contrib/cfengine.if b/policy/modules/contrib/cfengine.if deleted file mode 100644 index a7311229..00000000 --- a/policy/modules/contrib/cfengine.if +++ /dev/null @@ -1,107 +0,0 @@ -## <summary>System administration tool for networks.</summary> - -####################################### -## <summary> -## The template to define a cfengine domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`cfengine_domain_template',` - gen_require(` - attribute cfengine_domain; - type cfengine_log_t, cfengine_var_lib_t; - ') - - ######################################## - # - # Declarations - # - - type cfengine_$1_t, cfengine_domain; - type cfengine_$1_exec_t; - init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t) - - ######################################## - # - # Policy - # - - auth_use_nsswitch(cfengine_$1_t) -') - -######################################## -## <summary> -## Read cfengine lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cfengine_read_lib_files',` - gen_require(` - type cfengine_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t) -') - -#################################### -## <summary> -## Do not audit attempts to write -## cfengine log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`cfengine_dontaudit_write_log_files',` - gen_require(` - type cfengine_var_log_t; - ') - - dontaudit $1 cfengine_var_log_t:file write_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an cfengine environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cfengine_admin',` - gen_require(` - attribute cfengine_domain; - type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t; - ') - - allow $1 cfengine_domain:process { ptrace signal_perms }; - ps_process_pattern($1, cfengine_domain) - - init_labeled_script_domtrans($1, cfengine_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cfengine_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, { cfengine_log_t cfengine_var_lib_t }) -') diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te deleted file mode 100644 index 8af5bbe5..00000000 --- a/policy/modules/contrib/cfengine.te +++ /dev/null @@ -1,77 +0,0 @@ -policy_module(cfengine, 1.0.2) - -######################################## -# -# Declarations -# - -attribute cfengine_domain; - -cfengine_domain_template(serverd) -cfengine_domain_template(execd) -cfengine_domain_template(monitord) - -type cfengine_initrc_exec_t; -init_script_file(cfengine_initrc_exec_t) - -type cfengine_var_lib_t; -files_type(cfengine_var_lib_t) - -type cfengine_log_t; -logging_log_file(cfengine_log_t) - -######################################## -# -# Common cfengine domain local policy -# - -allow cfengine_domain self:capability { chown kill setgid setuid sys_chroot }; -allow cfengine_domain self:process { setfscreate signal }; -allow cfengine_domain self:fifo_file rw_fifo_file_perms; -allow cfengine_domain self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) -manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) -manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) -files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, dir) - -manage_dirs_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) -append_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) -create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) -setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) -logging_log_filetrans(cfengine_domain, cfengine_log_t, dir) - -kernel_read_system_state(cfengine_domain) - -corecmd_exec_bin(cfengine_domain) -corecmd_exec_shell(cfengine_domain) - -dev_read_urand(cfengine_domain) -dev_read_sysfs(cfengine_domain) - -logging_send_syslog_msg(cfengine_domain) - -miscfiles_read_localization(cfengine_domain) - -sysnet_domtrans_ifconfig(cfengine_domain) - -######################################## -# -# Exec local policy -# - -kernel_read_sysctl(cfengine_execd_t) - -domain_read_all_domains_state(cfengine_execd_t) - -######################################## -# -# Monitord local policy -# - -kernel_read_hotplug_sysctls(cfengine_monitord_t) -kernel_read_network_state(cfengine_monitord_t) - -domain_read_all_domains_state(cfengine_monitord_t) - -fs_getattr_xattr_fs(cfengine_monitord_t) diff --git a/policy/modules/contrib/cgroup.fc b/policy/modules/contrib/cgroup.fc deleted file mode 100644 index 0d250af8..00000000 --- a/policy/modules/contrib/cgroup.fc +++ /dev/null @@ -1,19 +0,0 @@ -/etc/cgconfig\.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0) -/etc/cgrules\.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) - -/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0) -/etc/sysconfig/cgred\.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) - -/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0) -/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0) - -/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) -/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) -/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) - -/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) -/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) -/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) - -/var/log/cgrulesengd\.log.* -- gen_context(system_u:object_r:cgred_log_t,s0) -/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --git a/policy/modules/contrib/cgroup.if b/policy/modules/contrib/cgroup.if deleted file mode 100644 index 85ca63f9..00000000 --- a/policy/modules/contrib/cgroup.if +++ /dev/null @@ -1,190 +0,0 @@ -## <summary>libcg is a library that abstracts the control group file system in Linux.</summary> - -######################################## -## <summary> -## Execute a domain transition to run -## CG Clear. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cgroup_domtrans_cgclear',` - gen_require(` - type cgclear_t, cgclear_exec_t; - ') - - domtrans_pattern($1, cgclear_exec_t, cgclear_t) - corecmd_search_bin($1) -') - -######################################## -## <summary> -## Execute a domain transition to run -## CG config parser. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cgroup_domtrans_cgconfig',` - gen_require(` - type cgconfig_t, cgconfig_exec_t; - ') - - domtrans_pattern($1, cgconfig_exec_t, cgconfig_t) - corecmd_search_bin($1) -') - -######################################## -## <summary> -## Execute a domain transition to run -## CG config parser. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cgroup_initrc_domtrans_cgconfig',` - gen_require(` - type cgconfig_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) -') - -######################################## -## <summary> -## Execute a domain transition to run -## CG rules engine daemon. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cgroup_domtrans_cgred',` - gen_require(` - type cgred_t, cgred_exec_t; - ') - - domtrans_pattern($1, cgred_exec_t, cgred_t) - corecmd_search_bin($1) -') - -######################################## -## <summary> -## Execute a domain transition to run -## CG rules engine daemon. -## domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cgroup_initrc_domtrans_cgred',` - gen_require(` - type cgred_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cgred_initrc_exec_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run CG Clear and allow the -## specified role the CG Clear -## domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cgroup_run_cgclear',` - gen_require(` - type cgclear_t; - ') - - cgroup_domtrans_cgclear($1) - role $2 types cgclear_t; -') - -######################################## -## <summary> -## Connect to CG rules engine daemon -## over unix stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cgroup_stream_connect_cgred', ` - gen_require(` - type cgred_var_run_t, cgred_t; - ') - - stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) - files_search_pids($1) -') - -######################################## -## <summary> -## All of the rules required to administrate -## an cgroup environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cgroup_admin',` - gen_require(` - type cgred_t, cgconfig_t, cgred_var_run_t; - type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; - type cgrules_etc_t, cgclear_t; - ') - - allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t }) - - admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) - files_list_etc($1) - - admin_pattern($1, cgred_var_run_t) - files_list_pids($1) - - cgroup_initrc_domtrans_cgconfig($1) - cgroup_initrc_domtrans_cgred($1) - domain_system_change_exemption($1) - role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r; - allow $2 system_r; - - cgroup_run_cgclear($1, $2) -') diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te deleted file mode 100644 index fdee1079..00000000 --- a/policy/modules/contrib/cgroup.te +++ /dev/null @@ -1,108 +0,0 @@ -policy_module(cgroup, 1.1.3) - -######################################## -# -# Declarations -# - -type cgclear_t; -type cgclear_exec_t; -init_daemon_domain(cgclear_t, cgclear_exec_t) - -type cgred_t; -type cgred_exec_t; -init_daemon_domain(cgred_t, cgred_exec_t) - -type cgred_initrc_exec_t; -init_script_file(cgred_initrc_exec_t) - -type cgred_log_t; -logging_log_file(cgred_log_t) - -type cgred_var_run_t; -files_pid_file(cgred_var_run_t) - -type cgrules_etc_t; -files_config_file(cgrules_etc_t) - -type cgconfig_t; -type cgconfig_exec_t; -init_daemon_domain(cgconfig_t, cgconfig_exec_t) - -type cgconfig_initrc_exec_t; -init_script_file(cgconfig_initrc_exec_t) - -type cgconfig_etc_t; -files_config_file(cgconfig_etc_t) - -######################################## -# -# cgclear local policy -# - -allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; - -allow cgclear_t cgconfig_etc_t:file read_file_perms; - -kernel_read_system_state(cgclear_t) - -domain_setpriority_all_domains(cgclear_t) - -fs_manage_cgroup_dirs(cgclear_t) -fs_manage_cgroup_files(cgclear_t) -fs_unmount_cgroup(cgclear_t) - -######################################## -# -# cgconfig local policy -# - -allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config }; - -allow cgconfig_t cgconfig_etc_t:file read_file_perms; - -kernel_list_unlabeled(cgconfig_t) -kernel_read_system_state(cgconfig_t) - -files_read_etc_files(cgconfig_t) - -fs_manage_cgroup_dirs(cgconfig_t) -fs_manage_cgroup_files(cgconfig_t) -fs_mount_cgroup(cgconfig_t) -fs_mounton_cgroup(cgconfig_t) -fs_unmount_cgroup(cgconfig_t) - -######################################## -# -# cgred local policy -# - -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; -allow cgred_t self:netlink_socket { write bind create read }; -allow cgred_t self:unix_dgram_socket { write create connect }; - -allow cgred_t cgrules_etc_t:file read_file_perms; - -allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(cgred_t, cgred_log_t, file) - -manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file }) - -kernel_read_all_sysctls(cgred_t) -kernel_read_system_state(cgred_t) - -domain_read_all_domains_state(cgred_t) -domain_setpriority_all_domains(cgred_t) - -files_getattr_all_files(cgred_t) -files_getattr_all_sockets(cgred_t) -files_read_all_symlinks(cgred_t) -files_read_etc_files(cgred_t) - -fs_write_cgroup_files(cgred_t) - -logging_send_syslog_msg(cgred_t) - -miscfiles_read_localization(cgred_t) diff --git a/policy/modules/contrib/chromium.fc b/policy/modules/contrib/chromium.fc deleted file mode 100644 index 2302c85b..00000000 --- a/policy/modules/contrib/chromium.fc +++ /dev/null @@ -1,10 +0,0 @@ -/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) - -# Although this should be in the core definitions, it makes more sense to -# logically keep it close to the module(s) that use it. - -/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:bin_t,s0) - -HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0) -HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0) - diff --git a/policy/modules/contrib/chromium.if b/policy/modules/contrib/chromium.if deleted file mode 100644 index 5e158e77..00000000 --- a/policy/modules/contrib/chromium.if +++ /dev/null @@ -1,126 +0,0 @@ -## <summary> -## Chromium browser -## </summary> - -####################################### -## <summary> -## Role access for chromium -## </summary> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role -## </summary> -## </param> -# -interface(`chromium_role',` - gen_require(` - type chromium_t; - type chromium_renderer_t; - type chromium_exec_t; - ') - - role $1 types chromium_t; - role $1 types chromium_renderer_t; - - # Transition from the user domain to the derived domain - chromium_domtrans($2) - - # Allow ps to show chromium processes and allow the user to signal it - ps_process_pattern($2, chromium_t) - ps_process_pattern($2, chromium_renderer_t) - allow $2 chromium_t:process signal_perms; - allow $2 chromium_renderer_t:process signal_perms; -') -####################################### -## <summary> -## Read-write access to Chromiums' temporary fifo files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`chromium_rw_tmp_pipes',` - gen_require(` - type chromium_tmp_t; - ') - - rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t) -') -############################################## -## <summary> -## Automatically use the specified type for resources created in chromium's -## temporary locations -## </summary> -## <param name="domain"> -## <summary> -## Domain that creates the resource(s) -## </summary> -## </param> -## <param name="class"> -## <summary> -## Type of the resource created -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## The name of the resource being created -## </summary> -## </param> -# -interface(`chromium_tmp_filetrans',` - gen_require(` - type chromium_tmp_t; - ') - - search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t) - filetrans_pattern($1, chromium_tmp_t, $2, $3, $4) -') -####################################### -## <summary> -## Execute a domain transition to the chromium domain (chromium_t) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`chromium_domtrans',` - gen_require(` - type chromium_t; - type chromium_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chromium_exec_t, chromium_t) -') -####################################### -## <summary> -## Execute chromium in the chromium domain and allow the specified role to access the chromium domain -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -# -interface(`chromium_run',` - gen_require(` - type chromium_t; - ') - - chromium_domtrans($1) - role $2 types chromium_t; -') diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te deleted file mode 100644 index e8497a6f..00000000 --- a/policy/modules/contrib/chromium.te +++ /dev/null @@ -1,243 +0,0 @@ -policy_module(chromium, 1.0.0) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Allow the use of java plugins -## </p> -## <p> -## Some of these plugins require the use of named pipes (fifo files) that are -## created within the temporary directory of the first browser that instantiated -## the plugin. Hence, if other browsers need access to java plugins, they will -## get search rights in chromium's tmp locations -## </p> -## </desc> -gen_tunable(chromium_use_java, false) - -## <desc> -## <p> -## Allow chromium to read system information -## </p> -## <p> -## Although not needed for regular browsing, this will allow chromium to update -## its own memory consumption based on system state, support additional -## debugging, detect specific devices, etc. -## </p> -## </desc> -gen_tunable(chromium_read_system_info, false) - -type chromium_t; -domain_dyntrans_type(chromium_t) - -type chromium_exec_t; -application_domain(chromium_t, chromium_exec_t) - -type chromium_renderer_t; -domain_base_type(chromium_renderer_t) - -type chromium_tmp_t; -userdom_user_tmp_file(chromium_tmp_t) - -type chromium_tmpfs_t; -userdom_user_tmpfs_file(chromium_tmpfs_t) - -type chromium_xdg_config_t; -xdg_config_home_content(chromium_xdg_config_t) - -type chromium_xdg_cache_t; -xdg_cache_home_content(chromium_xdg_cache_t) - - - -######################################## -# -# chromium local policy -# - -allow chromium_t self:process { getsched setsched signal }; -allow chromium_t self:fifo_file rw_fifo_file_perms;; -allow chromium_t self:sem create_sem_perms; -allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; - -allow chromium_t chromium_exec_t:file execute_no_trans; -allow chromium_t chromium_renderer_t:dir list_dir_perms; -allow chromium_t chromium_renderer_t:file rw_file_perms; -allow chromium_t chromium_renderer_t:fd use; -allow chromium_t chromium_renderer_t:process signal_perms; -allow chromium_t chromium_renderer_t:shm rw_shm_perms; -allow chromium_t chromium_renderer_t:unix_dgram_socket { read write }; -allow chromium_t chromium_renderer_t:unix_stream_socket { read write }; - -allow chromium_t self:process execmem; # Load in plugins - -# tmp has a wide class access (used for plugins) -manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) -manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) -manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) -manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) -manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) -files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) - -manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) -fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) -fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file) - -manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) -manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) -manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) -xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium") - -manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t) -manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t) -xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium") - -dyntrans_pattern(chromium_t, chromium_renderer_t) - -corecmd_exec_bin(chromium_t) - -corenet_tcp_connect_all_unreserved_ports(chromium_t) -corenet_tcp_connect_ftp_port(chromium_t) -corenet_tcp_connect_http_port(chromium_t) - -dev_read_sound(chromium_t) -dev_write_sound(chromium_t) -dev_read_urand(chromium_t) - -domain_dontaudit_search_all_domains_state(chromium_t) - -files_search_home(chromium_t) -files_read_usr_files(chromium_t) -files_read_etc_files(chromium_t) - -fs_dontaudit_getattr_xattr_fs(chromium_t) - -getty_dontaudit_use_fds(chromium_t) - -miscfiles_manage_user_certs(chromium_t) -miscfiles_read_all_certs(chromium_t) -miscfiles_read_localization(chromium_t) -miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss") - -sysnet_dns_name_resolve(chromium_t) - -userdom_user_content_access_template(chromium, chromium_t) -userdom_dontaudit_list_user_home_dirs(chromium_t) -# Debugging. Also on user_tty_device_t if X is started through "startx" for instance -userdom_use_user_terminals(chromium_t) - -xdg_create_cache_home_dirs(chromium_t) -xdg_create_config_home_dirs(chromium_t) -xdg_create_data_home_dirs(chromium_t) -xdg_generic_user_home_dir_filetrans_cache_home(chromium_t, dir, ".cache") -xdg_generic_user_home_dir_filetrans_config_home(chromium_t, dir, ".config") -xdg_read_config_home_files(chromium_t) -xdg_read_data_home_files(chromium_t) - -xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) - -tunable_policy(`chromium_read_system_info',` - kernel_read_kernel_sysctls(chromium_t) - # Memory optimizations & optimizations based on OS/version - kernel_read_system_state(chromium_t) - - # Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices). - dev_read_sysfs(chromium_t) - - files_read_etc_runtime_files(chromium_t) -',` - kernel_dontaudit_read_kernel_sysctls(chromium_t) - kernel_dontaudit_read_system_state(chromium_t) - - dev_dontaudit_read_sysfs(chromium_t) - - files_dontaudit_read_etc_runtime(chromium_t) -') - -optional_policy(` - alsa_domain(chromium_t, chromium_tmpfs_t) - alsa_read_rw_config(chromium_t) -') - -optional_policy(` - cups_read_config(chromium_t) - cups_stream_connect(chromium_t) -') - -optional_policy(` - dbus_all_session_bus_client(chromium_t) - dbus_system_bus_client(chromium_t) - - optional_policy(` - unconfined_dbus_chat(chromium_t) - ') -') - -optional_policy(` - flash_manage_home(chromium_t) -') - -optional_policy(` - # Java (iced-tea) plugin .so creates /tmp/icedteaplugin-<name> directory - # and fifo files within. These are then used by the renderer and a - # freshly forked java process to communicate between each other. - tunable_policy(`chromium_use_java',` - java_noatsecure_domtrans(chromium_t) - ') -') - -optional_policy(` - # Chromium reads in .mozilla for user plugins - mozilla_read_user_home(chromium_t) -') - -######################################## -# -# chromium_renderer local policy -# - -allow chromium_renderer_t self:process execmem; - -allow chromium_renderer_t self:fifo_file rw_fifo_file_perms; -allow chromium_renderer_t self:shm create_shm_perms; -allow chromium_renderer_t self:unix_dgram_socket { create read sendto }; -allow chromium_renderer_t self:unix_stream_socket { create getattr read write }; - -allow chromium_renderer_t chromium_t:fd use; -allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms; -allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms; - -dontaudit chromium_renderer_t chromium_t:dir search; # /proc/... access -dontaudit chromium_renderer_t self:process getsched; - -read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t) - -rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t) - -dev_read_urand(chromium_renderer_t) - -files_dontaudit_list_tmp(chromium_renderer_t) -files_dontaudit_read_etc_files(chromium_renderer_t) -files_search_var(chromium_renderer_t) - -init_sigchld(chromium_renderer_t) - -miscfiles_read_localization(chromium_renderer_t) - -userdom_dontaudit_use_all_users_fds(chromium_renderer_t) -userdom_use_user_terminals(chromium_renderer_t) - -xdg_read_config_home_files(chromium_renderer_t) - -xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t) - -tunable_policy(`chromium_read_system_info',` - kernel_read_kernel_sysctls(chromium_renderer_t) - kernel_read_system_state(chromium_renderer_t) -',` - kernel_dontaudit_read_kernel_sysctls(chromium_renderer_t) - kernel_dontaudit_read_system_state(chromium_renderer_t) -') diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc deleted file mode 100644 index 4e4143ed..00000000 --- a/policy/modules/contrib/chronyd.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) - -/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) - -/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) - -/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) - -/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) - -/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) -/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) -/var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if deleted file mode 100644 index 32e8265c..00000000 --- a/policy/modules/contrib/chronyd.if +++ /dev/null @@ -1,203 +0,0 @@ -## <summary>Chrony NTP background daemon.</summary> - -##################################### -## <summary> -## Execute chronyd in the chronyd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`chronyd_domtrans',` - gen_require(` - type chronyd_t, chronyd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chronyd_exec_t, chronyd_t) -') - -######################################## -## <summary> -## Execute chronyd server in the -## chronyd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`chronyd_initrc_domtrans',` - gen_require(` - type chronyd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, chronyd_initrc_exec_t) -') - -#################################### -## <summary> -## Execute chronyd in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`chronyd_exec',` - gen_require(` - type chronyd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, chronyd_exec_t) -') - -##################################### -## <summary> -## Read chronyd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`chronyd_read_log',` - gen_require(` - type chronyd_var_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) -') - -######################################## -## <summary> -## Read and write chronyd shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`chronyd_rw_shm',` - gen_require(` - type chronyd_t, chronyd_tmpfs_t; - ') - - allow $1 chronyd_t:shm rw_shm_perms; - allow $1 chronyd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) - read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## <summary> -## Connect to chronyd using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`chronyd_stream_connect',` - gen_require(` - type chronyd_t, chronyd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) -') - -######################################## -## <summary> -## Send to chronyd using a unix domain -## datagram socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`chronyd_dgram_send',` - gen_require(` - type chronyd_t, chronyd_var_run_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) -') - -######################################## -## <summary> -## Read chronyd key files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`chronyd_read_key_files',` - gen_require(` - type chronyd_keys_t; - ') - - files_search_etc($1) - read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) -') - -#################################### -## <summary> -## All of the rules required to -## administrate an chronyd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`chronyd_admin',` - gen_require(` - type chronyd_t, chronyd_var_log_t; - type chronyd_var_run_t, chronyd_var_lib_t; - type chronyd_initrc_exec_t, chronyd_keys_t; - ') - - allow $1 chronyd_t:process { ptrace signal_perms }; - ps_process_pattern($1, chronyd_t) - - chronyd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 chronyd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, chronyd_keys_t) - - logging_search_logs($1) - admin_pattern($1, chronyd_var_log_t) - - files_search_var_lib($1) - admin_pattern($1, chronyd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, chronyd_var_run_t) -') diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te deleted file mode 100644 index 914ee2d2..00000000 --- a/policy/modules/contrib/chronyd.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(chronyd, 1.1.4) - -######################################## -# -# Declarations -# - -type chronyd_t; -type chronyd_exec_t; -init_daemon_domain(chronyd_t, chronyd_exec_t) - -type chronyd_initrc_exec_t; -init_script_file(chronyd_initrc_exec_t) - -type chronyd_keys_t; -files_type(chronyd_keys_t) - -type chronyd_tmpfs_t; -files_tmpfs_file(chronyd_tmpfs_t) - -type chronyd_var_lib_t; -files_type(chronyd_var_lib_t) - -type chronyd_var_log_t; -logging_log_file(chronyd_var_log_t) - -type chronyd_var_run_t; -files_pid_file(chronyd_var_run_t) - -######################################## -# -# Local policy -# - -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -allow chronyd_t self:process { getcap setcap setrlimit signal }; -allow chronyd_t self:shm create_shm_perms; -allow chronyd_t self:fifo_file rw_fifo_file_perms; - -allow chronyd_t chronyd_keys_t:file read_file_perms; - -manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file }) - -manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, dir) - -manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) -append_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) -create_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) -setattr_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) -logging_log_filetrans(chronyd_t, chronyd_var_log_t, dir) - -manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) - -kernel_read_system_state(chronyd_t) -kernel_read_network_state(chronyd_t) - -corenet_all_recvfrom_unlabeled(chronyd_t) -corenet_all_recvfrom_netlabel(chronyd_t) -corenet_udp_sendrecv_generic_if(chronyd_t) -corenet_udp_sendrecv_generic_node(chronyd_t) -corenet_udp_bind_generic_node(chronyd_t) - -corenet_sendrecv_ntp_server_packets(chronyd_t) -corenet_udp_bind_ntp_port(chronyd_t) -corenet_udp_sendrecv_ntp_port(chronyd_t) - -corenet_sendrecv_chronyd_server_packets(chronyd_t) -corenet_udp_bind_chronyd_port(chronyd_t) -corenet_udp_sendrecv_chronyd_port(chronyd_t) - -dev_rw_realtime_clock(chronyd_t) - -auth_use_nsswitch(chronyd_t) - -logging_send_syslog_msg(chronyd_t) - -miscfiles_read_localization(chronyd_t) - -optional_policy(` - gpsd_rw_shm(chronyd_t) -') - -optional_policy(` - mta_send_mail(chronyd_t) -') diff --git a/policy/modules/contrib/cipe.fc b/policy/modules/contrib/cipe.fc deleted file mode 100644 index c7535226..00000000 --- a/policy/modules/contrib/cipe.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/rc\.d/init\.d/ciped.* -- gen_context(system_u:object_r:ciped_initrc_exec_t,s0) - -/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0) diff --git a/policy/modules/contrib/cipe.if b/policy/modules/contrib/cipe.if deleted file mode 100644 index 5fb51b24..00000000 --- a/policy/modules/contrib/cipe.if +++ /dev/null @@ -1,32 +0,0 @@ -## <summary>Encrypted tunnel daemon.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an cipe environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cipe_admin',` - gen_require(` - type ciped_t, ciped_initrc_exec_t; - ') - - allow $1 ciped_t:process { ptrace signal_perms }; - ps_process_pattern($1, ciped_t) - - init_labeled_script_domtrans($1, ciped_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ciped_initrc_exec_t system_r; - allow $2 system_r; -') diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te deleted file mode 100644 index 28c84755..00000000 --- a/policy/modules/contrib/cipe.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(cipe, 1.5.1) - -######################################## -# -# Declarations -# - -type ciped_t; -type ciped_exec_t; -init_daemon_domain(ciped_t, ciped_exec_t) - -type ciped_initrc_exec_t; -init_script_file(ciped_initrc_exec_t) - -######################################## -# -# Local policy -# - -allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; -dontaudit ciped_t self:capability sys_tty_config; -allow ciped_t self:process signal_perms; -allow ciped_t self:fifo_file rw_fifo_file_perms; -allow ciped_t self:udp_socket create_socket_perms; - -kernel_read_kernel_sysctls(ciped_t) -kernel_read_system_state(ciped_t) - -corecmd_exec_shell(ciped_t) -corecmd_exec_bin(ciped_t) - -corenet_all_recvfrom_unlabeled(ciped_t) -corenet_all_recvfrom_netlabel(ciped_t) -corenet_udp_sendrecv_generic_if(ciped_t) -corenet_udp_sendrecv_generic_node(ciped_t) -corenet_udp_bind_generic_node(ciped_t) - -corenet_sendrecv_afs_bos_server_packets(ciped_t) -corenet_udp_bind_afs_bos_port(ciped_t) -corenet_udp_sendrecv_afs_bos_port(ciped_t) - -dev_read_rand(ciped_t) -dev_read_sysfs(ciped_t) -dev_read_urand(ciped_t) - -domain_use_interactive_fds(ciped_t) - -files_read_etc_files(ciped_t) -files_read_etc_runtime_files(ciped_t) -files_dontaudit_search_var(ciped_t) - -fs_search_auto_mountpoints(ciped_t) - -logging_send_syslog_msg(ciped_t) - -miscfiles_read_localization(ciped_t) - -sysnet_read_config(ciped_t) - -userdom_dontaudit_use_unpriv_user_fds(ciped_t) - -optional_policy(` - nis_use_ypbind(ciped_t) -') - -optional_policy(` - seutil_sigchld_newrole(ciped_t) -') - -optional_policy(` - udev_read_db(ciped_t) -') diff --git a/policy/modules/contrib/clamav.fc b/policy/modules/contrib/clamav.fc deleted file mode 100644 index d72afcc3..00000000 --- a/policy/modules/contrib/clamav.fc +++ /dev/null @@ -1,26 +0,0 @@ -/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) - -/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) - -/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) -/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) -/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) - -/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) -/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) - -/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) - -/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0) - -/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/log/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) -/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) -/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) - -/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) - -/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff --git a/policy/modules/contrib/clamav.if b/policy/modules/contrib/clamav.if deleted file mode 100644 index 4cc4a5cd..00000000 --- a/policy/modules/contrib/clamav.if +++ /dev/null @@ -1,227 +0,0 @@ -## <summary>ClamAV Virus Scanner.</summary> - -######################################## -## <summary> -## Execute a domain transition to run clamd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`clamav_domtrans',` - gen_require(` - type clamd_t, clamd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clamd_exec_t, clamd_t) -') - -######################################## -## <summary> -## Connect to clamd using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`clamav_stream_connect',` - gen_require(` - type clamd_t, clamd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) -') - -######################################## -## <summary> -## Append clamav log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`clamav_append_log',` - gen_require(` - type clamd_var_log_t; - ') - - logging_search_logs($1) - allow $1 clamd_var_log_t:dir list_dir_perms; - append_files_pattern($1, clamd_var_log_t, clamd_var_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## clamav pid content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`clamav_manage_pid_content',` - gen_require(` - type clamd_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t) - manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t) -') - -######################################## -## <summary> -## Read clamav configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`clamav_read_config',` - gen_require(` - type clamd_etc_t; - ') - - files_search_etc($1) - allow $1 clamd_etc_t:file read_file_perms; -') - -######################################## -## <summary> -## Search clamav library directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`clamav_search_lib',` - gen_require(` - type clamd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 clamd_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Execute a domain transition to run clamscan. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`clamav_domtrans_clamscan',` - gen_require(` - type clamscan_t, clamscan_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clamscan_exec_t, clamscan_t) -') - -######################################## -## <summary> -## Execute clamscan in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`clamav_exec_clamscan',` - gen_require(` - type clamscan_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, clamscan_exec_t) -') - -####################################### -## <summary> -## Read clamd process state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`clamav_read_state_clamd',` - gen_require(` - type clamd_t; - ') - - kernel_search_proc($1) - allow $1 clamd_t:dir list_dir_perms; - read_files_pattern($1, clamd_t, clamd_t) - read_lnk_files_pattern($1, clamd_t, clamd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an clamav environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`clamav_admin',` - gen_require(` - type clamd_t, clamd_etc_t, clamd_tmp_t; - type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t; - type clamd_var_run_t, clamscan_t, clamscan_tmp_t; - type freshclam_t, freshclam_var_log_t; - ') - - allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { clamd_t clamscan_t freshclam_t }) - - init_labeled_script_domtrans($1, clamd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 clamd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, clamd_etc_t) - - files_list_var_lib($1) - admin_pattern($1, clamd_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, { clamd_var_log_t freshclam_var_log_t }) - - files_list_pids($1) - admin_pattern($1, clamd_var_run_t) - - files_list_tmp($1) - admin_pattern($1, { clamd_tmp_t clamscan_tmp_t }) -') diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te deleted file mode 100644 index 8e1fef93..00000000 --- a/policy/modules/contrib/clamav.te +++ /dev/null @@ -1,323 +0,0 @@ -policy_module(clamav, 1.10.6) - -## <desc> -## <p> -## Determine whether clamscan can -## read user content files. -## </p> -## </desc> -gen_tunable(clamav_read_user_content_files_clamscan, false) - -## <desc> -## <p> -## Determine whether clamscan can read -## all non-security files. -## </p> -## </desc> -gen_tunable(clamav_read_all_non_security_files_clamscan, false) - -## <desc> -## <p> -## Determine whether can clamd use JIT compiler. -## </p> -## </desc> -gen_tunable(clamd_use_jit, false) - -######################################## -# -# Declarations -# - -type clamd_t; -type clamd_exec_t; -init_daemon_domain(clamd_t, clamd_exec_t) - -type clamd_etc_t; -files_config_file(clamd_etc_t) - -type clamd_initrc_exec_t; -init_script_file(clamd_initrc_exec_t) - -type clamd_tmp_t; -files_tmp_file(clamd_tmp_t) - -type clamd_var_log_t; -logging_log_file(clamd_var_log_t) - -type clamd_var_lib_t; -files_type(clamd_var_lib_t) - -type clamd_var_run_t; -files_pid_file(clamd_var_run_t) -typealias clamd_var_run_t alias clamd_sock_t; - -type clamscan_t; -type clamscan_exec_t; -init_daemon_domain(clamscan_t, clamscan_exec_t) - -type clamscan_tmp_t; -files_tmp_file(clamscan_tmp_t) - -type freshclam_t; -type freshclam_exec_t; -init_daemon_domain(freshclam_t, freshclam_exec_t) - -type freshclam_var_log_t; -logging_log_file(freshclam_var_log_t) - -######################################## -# -# Clamd local policy -# - -allow clamd_t self:capability { kill setgid setuid dac_override }; -dontaudit clamd_t self:capability sys_tty_config; -allow clamd_t self:process signal; -allow clamd_t self:fifo_file rw_fifo_file_perms; -allow clamd_t self:unix_stream_socket { accept connectto listen }; -allow clamd_t self:tcp_socket { listen accept }; - -allow clamd_t clamd_etc_t:dir list_dir_perms; -read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) -read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) - -manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) -manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) -files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) - -manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) -manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) -manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) - -manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -append_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -create_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -setattr_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file }) - -manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) -manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) -manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) -files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file }) - -kernel_dontaudit_list_proc(clamd_t) -kernel_read_sysctl(clamd_t) -kernel_read_kernel_sysctls(clamd_t) -kernel_read_system_state(clamd_t) - -corecmd_exec_shell(clamd_t) - -corenet_all_recvfrom_unlabeled(clamd_t) -corenet_all_recvfrom_netlabel(clamd_t) -corenet_tcp_sendrecv_generic_if(clamd_t) -corenet_tcp_sendrecv_generic_node(clamd_t) -corenet_tcp_sendrecv_all_ports(clamd_t) -corenet_tcp_bind_generic_node(clamd_t) - -corenet_sendrecv_generic_server_packets(clamd_t) -corenet_tcp_bind_generic_port(clamd_t) - -corenet_sendrecv_generic_client_packets(clamd_t) -corenet_tcp_connect_generic_port(clamd_t) - -corenet_sendrecv_clamd_server_packets(clamd_t) -corenet_tcp_bind_clamd_port(clamd_t) - -dev_read_rand(clamd_t) -dev_read_urand(clamd_t) - -domain_use_interactive_fds(clamd_t) - -files_read_etc_runtime_files(clamd_t) -files_search_spool(clamd_t) - -auth_use_nsswitch(clamd_t) - -logging_send_syslog_msg(clamd_t) - -miscfiles_read_localization(clamd_t) - -tunable_policy(`clamd_use_jit',` - allow clamd_t self:process execmem; -',` - dontaudit clamd_t self:process execmem; -') - -optional_policy(` - amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) - amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) - amavis_create_pid_files(clamd_t) -') - -optional_policy(` - cron_use_fds(clamd_t) - cron_use_system_job_fds(clamd_t) - cron_rw_pipes(clamd_t) -') - -optional_policy(` - exim_read_spool_files(clamd_t) -') - -optional_policy(` - mta_read_config(clamd_t) - mta_send_mail(clamd_t) -') - -######################################## -# -# Freshclam local policy -# - -allow freshclam_t self:capability { setgid setuid dac_override }; -allow freshclam_t self:fifo_file rw_fifo_file_perms; -allow freshclam_t self:unix_stream_socket { accept listen }; -allow freshclam_t self:tcp_socket { accept listen }; - -allow freshclam_t clamd_etc_t:dir list_dir_perms; -read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) -read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) - -manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) -manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) - -manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t) -files_pid_filetrans(freshclam_t, clamd_var_run_t, file) - -append_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) -create_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) -setattr_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) -logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) - -stream_connect_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t, clamd_t) - -read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) - -kernel_dontaudit_list_proc(freshclam_t) -kernel_read_kernel_sysctls(freshclam_t) -kernel_read_network_state(freshclam_t) -kernel_read_system_state(freshclam_t) - -corenet_all_recvfrom_unlabeled(freshclam_t) -corenet_all_recvfrom_netlabel(freshclam_t) -corenet_tcp_sendrecv_generic_if(freshclam_t) -corenet_tcp_sendrecv_generic_node(freshclam_t) - -corenet_sendrecv_clamd_client_packets(freshclam_t) -corenet_tcp_connect_clamd_port(freshclam_t) -corenet_tcp_sendrecv_clamd_port(freshclam_t) - -corenet_sendrecv_http_client_packets(freshclam_t) -corenet_tcp_connect_http_port(freshclam_t) -corenet_tcp_sendrecv_http_port(freshclam_t) - -corenet_sendrecv_squid_client_packets(freshclam_t) -corenet_tcp_connect_squid_port(freshclam_t) -corenet_tcp_sendrecv_squid_port(freshclam_t) - -dev_read_rand(freshclam_t) -dev_read_urand(freshclam_t) - -domain_use_interactive_fds(freshclam_t) - -files_read_etc_runtime_files(freshclam_t) -files_search_var_lib(freshclam_t) - -auth_use_nsswitch(freshclam_t) - -logging_send_syslog_msg(freshclam_t) - -miscfiles_read_localization(freshclam_t) - -tunable_policy(`clamd_use_jit',` - allow freshclam_t self:process execmem; -',` - dontaudit freshclam_t self:process execmem; -') - -optional_policy(` - amavis_manage_spool_files(freshclam_t) -') - -optional_policy(` - cron_system_entry(freshclam_t, freshclam_exec_t) -') - -######################################## -# -# Clamscam local policy -# - -allow clamscan_t self:capability { setgid setuid dac_override }; -allow clamscan_t self:fifo_file rw_fifo_file_perms; -allow clamscan_t self:unix_stream_socket create_stream_socket_perms; -allow clamscan_t self:unix_dgram_socket create_socket_perms; -allow clamscan_t self:tcp_socket { accept listen }; - -allow clamscan_t clamd_etc_t:dir list_dir_perms; -read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t) -read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t) - -manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) -manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) -files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { dir file }) - -allow clamscan_t clamd_var_lib_t:dir list_dir_perms; -manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) - -allow clamscan_t clamd_var_run_t:dir list_dir_perms; -read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t) - -stream_connect_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t, clamd_t) - -kernel_dontaudit_list_proc(clamscan_t) -kernel_read_kernel_sysctls(clamscan_t) -kernel_read_system_state(clamscan_t) - -corenet_all_recvfrom_unlabeled(clamscan_t) -corenet_all_recvfrom_netlabel(clamscan_t) -corenet_tcp_sendrecv_generic_if(clamscan_t) -corenet_tcp_sendrecv_generic_node(clamscan_t) - -corenet_sendrecv_clamd_client_packets(clamscan_t) -corenet_tcp_connect_clamd_port(clamscan_t) -corenet_tcp_sendrecv_clamd_port(clamscan_t) - -corecmd_read_all_executables(clamscan_t) - -files_read_etc_files(clamscan_t) -files_read_etc_runtime_files(clamscan_t) -files_search_var_lib(clamscan_t) - -init_read_utmp(clamscan_t) -init_dontaudit_write_utmp(clamscan_t) - -miscfiles_read_localization(clamscan_t) -miscfiles_read_public_files(clamscan_t) - -sysnet_dns_name_resolve(clamscan_t) - -tunable_policy(`clamav_read_user_content_files_clamscan',` - userdom_read_user_home_content_files(clamscan_t) - userdom_dontaudit_read_user_home_content_files(clamscan_t) -') - -tunable_policy(`clamav_read_all_non_security_files_clamscan',` - files_read_non_security_files(clamscan_t) - files_getattr_all_pipes(clamscan_t) - files_getattr_all_sockets(clamscan_t) -') - -optional_policy(` - amavis_read_spool_files(clamscan_t) -') - -optional_policy(` - apache_read_sys_content(clamscan_t) -') - -optional_policy(` - mta_send_mail(clamscan_t) - mta_read_queue(clamscan_t) -') diff --git a/policy/modules/contrib/clockspeed.fc b/policy/modules/contrib/clockspeed.fc deleted file mode 100644 index 093366f1..00000000 --- a/policy/modules/contrib/clockspeed.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) -/usr/bin/clockspeed -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0) -/usr/bin/sntpclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) -/usr/bin/taiclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) -/usr/bin/taiclockd -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0) - -/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0) diff --git a/policy/modules/contrib/clockspeed.if b/policy/modules/contrib/clockspeed.if deleted file mode 100644 index 2cb7bf7c..00000000 --- a/policy/modules/contrib/clockspeed.if +++ /dev/null @@ -1,48 +0,0 @@ -## <summary>Clock speed measurement and manipulation.</summary> - -######################################## -## <summary> -## Execute clockspeed utilities in -## the clockspeed_cli domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`clockspeed_domtrans_cli',` - gen_require(` - type clockspeed_cli_t, clockspeed_cli_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t) -') - -######################################## -## <summary> -## Execute clockspeed utilities in the -## clockspeed cli domain, and allow the -## specified role the clockspeed cli domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`clockspeed_run_cli',` - gen_require(` - attribute_role clockspeed_cli_roles; - ') - - clockspeed_domtrans_cli($1) - roleattribute $2 clockspeed_cli_roles; -') diff --git a/policy/modules/contrib/clockspeed.te b/policy/modules/contrib/clockspeed.te deleted file mode 100644 index b59c592f..00000000 --- a/policy/modules/contrib/clockspeed.te +++ /dev/null @@ -1,77 +0,0 @@ -policy_module(clockspeed, 1.5.1) - -######################################## -# -# Declarations -# - -attribute_role clockspeed_cli_roles; - -type clockspeed_cli_t; -type clockspeed_cli_exec_t; -application_domain(clockspeed_cli_t, clockspeed_cli_exec_t) -role clockspeed_cli_roles types clockspeed_cli_t; - -type clockspeed_srv_t; -type clockspeed_srv_exec_t; -init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t) - -type clockspeed_var_lib_t; -files_type(clockspeed_var_lib_t) - -######################################## -# -# Client local policy -# - -allow clockspeed_cli_t self:capability sys_time; -allow clockspeed_cli_t self:udp_socket create_socket_perms; - -read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - -corenet_all_recvfrom_unlabeled(clockspeed_cli_t) -corenet_all_recvfrom_netlabel(clockspeed_cli_t) -corenet_udp_sendrecv_generic_if(clockspeed_cli_t) -corenet_udp_sendrecv_generic_node(clockspeed_cli_t) - -corenet_sendrecv_ntp_client_packets(clockspeed_cli_t) -corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) - -files_list_var_lib(clockspeed_cli_t) -files_read_etc_files(clockspeed_cli_t) - -miscfiles_read_localization(clockspeed_cli_t) - -userdom_use_user_terminals(clockspeed_cli_t) - -######################################## -# -# Server local policy -# - -allow clockspeed_srv_t self:capability { sys_time net_bind_service }; -allow clockspeed_srv_t self:udp_socket create_socket_perms; -allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms; -allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; - -manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) -manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - -corenet_all_recvfrom_unlabeled(clockspeed_srv_t) -corenet_all_recvfrom_netlabel(clockspeed_srv_t) -corenet_udp_sendrecv_generic_if(clockspeed_srv_t) -corenet_udp_sendrecv_generic_node(clockspeed_srv_t) -corenet_udp_bind_generic_node(clockspeed_srv_t) - -corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t) -corenet_udp_bind_clockspeed_port(clockspeed_srv_t) -corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t) - -files_list_var_lib(clockspeed_srv_t) -files_read_etc_files(clockspeed_srv_t) - -miscfiles_read_localization(clockspeed_srv_t) - -optional_policy(` - daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) -') diff --git a/policy/modules/contrib/clogd.fc b/policy/modules/contrib/clogd.fc deleted file mode 100644 index 514a203b..00000000 --- a/policy/modules/contrib/clogd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) - -/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) diff --git a/policy/modules/contrib/clogd.if b/policy/modules/contrib/clogd.if deleted file mode 100644 index 221d9143..00000000 --- a/policy/modules/contrib/clogd.if +++ /dev/null @@ -1,74 +0,0 @@ -## <summary>Clustered Mirror Log Server.</summary> - -###################################### -## <summary> -## Execute a domain transition to run clogd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`clogd_domtrans',` - gen_require(` - type clogd_t, clogd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clogd_exec_t, clogd_t) -') - -##################################### -## <summary> -## Connect to clogd over a unix domain -## stream socket. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`clogd_stream_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -##################################### -## <summary> -## Read and write clogd semaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`clogd_rw_semaphores',` - gen_require(` - type clogd_t; - ') - - allow $1 clogd_t:sem rw_sem_perms; -') - -######################################## -## <summary> -## Read and write clogd shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`clogd_rw_shm',` - gen_require(` - type clogd_t, clogd_tmpfs_t; - ') - - allow $1 clogd_t:shm rw_shm_perms; - allow $1 clogd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) - fs_search_tmpfs($1) -') diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te deleted file mode 100644 index 29782b8d..00000000 --- a/policy/modules/contrib/clogd.te +++ /dev/null @@ -1,49 +0,0 @@ -policy_module(clogd, 1.0.1) - -######################################## -# -# Declarations -# - -type clogd_t; -type clogd_exec_t; -init_daemon_domain(clogd_t, clogd_exec_t) - -type clogd_tmpfs_t; -files_tmpfs_file(clogd_tmpfs_t) - -type clogd_var_run_t; -files_pid_file(clogd_var_run_t) - -######################################## -# -# Local policy -# - -allow clogd_t self:capability { net_admin mknod }; -allow clogd_t self:process signal; -allow clogd_t self:sem create_sem_perms; -allow clogd_t self:shm create_shm_perms; -allow clogd_t self:netlink_socket create_socket_perms; - -manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) -manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) -fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file }) - -manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) -files_pid_filetrans(clogd_t, clogd_var_run_t, file) - -dev_manage_generic_blk_files(clogd_t) -dev_read_lvm_control(clogd_t) - -storage_raw_read_fixed_disk(clogd_t) -storage_raw_write_fixed_disk(clogd_t) - -logging_send_syslog_msg(clogd_t) - -miscfiles_read_localization(clogd_t) - -optional_policy(` - aisexec_stream_connect(clogd_t) - corosync_stream_connect(clogd_t) -') diff --git a/policy/modules/contrib/cmirrord.fc b/policy/modules/contrib/cmirrord.fc deleted file mode 100644 index 4d5ab0df..00000000 --- a/policy/modules/contrib/cmirrord.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) - -/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) - -/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) diff --git a/policy/modules/contrib/cmirrord.if b/policy/modules/contrib/cmirrord.if deleted file mode 100644 index cc4e7cb9..00000000 --- a/policy/modules/contrib/cmirrord.if +++ /dev/null @@ -1,116 +0,0 @@ -## <summary>Cluster mirror log daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to -## run cmirrord. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cmirrord_domtrans',` - gen_require(` - type cmirrord_t, cmirrord_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cmirrord_exec_t, cmirrord_t) -') - -######################################## -## <summary> -## Execute cmirrord server in the -## cmirrord domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cmirrord_initrc_domtrans',` - gen_require(` - type cmirrord_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cmirrord_initrc_exec_t) -') - -######################################## -## <summary> -## Read cmirrord PID files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cmirrord_read_pid_files',` - gen_require(` - type cmirrord_var_run_t; - ') - - files_search_pids($1) - allow $1 cmirrord_var_run_t:file read_file_perms; -') - -####################################### -## <summary> -## Read and write cmirrord shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cmirrord_rw_shm',` - gen_require(` - type cmirrord_t, cmirrord_tmpfs_t; - ') - - allow $1 cmirrord_t:shm rw_shm_perms; - - allow $1 cmirrord_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an cmirrord environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cmirrord_admin',` - gen_require(` - type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; - ') - - allow $1 cmirrord_t:process { ptrace signal_perms }; - ps_process_pattern($1, cmirrord_t) - - cmirrord_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cmirrord_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, cmirrord_var_run_t) -') diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te deleted file mode 100644 index d8e99585..00000000 --- a/policy/modules/contrib/cmirrord.te +++ /dev/null @@ -1,57 +0,0 @@ -policy_module(cmirrord, 1.0.1) - -######################################## -# -# Declarations -# - -type cmirrord_t; -type cmirrord_exec_t; -init_daemon_domain(cmirrord_t, cmirrord_exec_t) - -type cmirrord_initrc_exec_t; -init_script_file(cmirrord_initrc_exec_t) - -type cmirrord_tmpfs_t; -files_tmpfs_file(cmirrord_tmpfs_t) - -type cmirrord_var_run_t; -files_pid_file(cmirrord_var_run_t) - -######################################## -# -# Local policy -# - -allow cmirrord_t self:capability { net_admin kill }; -dontaudit cmirrord_t self:capability sys_tty_config; -allow cmirrord_t self:process { setfscreate signal }; -allow cmirrord_t self:fifo_file rw_fifo_file_perms; -allow cmirrord_t self:sem create_sem_perms; -allow cmirrord_t self:shm create_shm_perms; -allow cmirrord_t self:netlink_socket create_socket_perms; -allow cmirrord_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file }) - -manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) -files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) - -domain_use_interactive_fds(cmirrord_t) -domain_obj_id_change_exemption(cmirrord_t) - -files_read_etc_files(cmirrord_t) - -storage_create_fixed_disk_dev(cmirrord_t) - -seutil_read_file_contexts(cmirrord_t) - -logging_send_syslog_msg(cmirrord_t) - -miscfiles_read_localization(cmirrord_t) - -optional_policy(` - corosync_stream_connect(cmirrord_t) -') diff --git a/policy/modules/contrib/cobbler.fc b/policy/modules/contrib/cobbler.fc deleted file mode 100644 index 973d208f..00000000 --- a/policy/modules/contrib/cobbler.fc +++ /dev/null @@ -1,22 +0,0 @@ -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0) - -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0) - -/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) - -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) - -/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) - -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0) - -/var/www/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if deleted file mode 100644 index c223f813..00000000 --- a/policy/modules/contrib/cobbler.if +++ /dev/null @@ -1,205 +0,0 @@ -## <summary>Cobbler installation server.</summary> - -######################################## -## <summary> -## Execute a domain transition to run cobblerd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cobblerd_domtrans',` - gen_require(` - type cobblerd_t, cobblerd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) -') - -######################################## -## <summary> -## Execute cobblerd init scripts in -## the init script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cobblerd_initrc_domtrans',` - gen_require(` - type cobblerd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) -') - -######################################## -## <summary> -## Read cobbler configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cobbler_read_config',` - gen_require(` - type cobbler_etc_t; - ') - - read_files_pattern($1, cobbler_etc_t, cobbler_etc_t) - files_search_etc($1) -') - -######################################## -## <summary> -## Do not audit attempts to read and write -## cobbler log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`cobbler_dontaudit_rw_log',` - gen_require(` - type cobbler_var_log_t; - ') - - dontaudit $1 cobbler_var_log_t:file rw_file_perms; -') - -######################################## -## <summary> -## Search cobbler lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cobbler_search_lib',` - gen_require(` - type cobbler_var_lib_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -') - -######################################## -## <summary> -## Read cobbler lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cobbler_read_lib_files',` - gen_require(` - type cobbler_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## cobbler lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cobbler_manage_lib_files',` - gen_require(` - type cobbler_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an cobbler environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cobblerd_admin',` - refpolicywarn(`$0($*) has been deprecated, use cobbler_admin() instead.') - cobbler_admin($1, $2) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an cobbler environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cobbler_admin',` - gen_require(` - type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; - type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t; - type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t; - ') - - allow $1 cobblerd_t:process { ptrace signal_perms }; - ps_process_pattern($1, cobblerd_t) - - cobblerd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cobblerd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, cobbler_etc_t) - - files_search_tmp($1) - admin_pattern($1, cobbler_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, cobbler_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, cobbler_var_log_t) - - apache_search_sys_content($1) - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) -') diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te deleted file mode 100644 index 2a713469..00000000 --- a/policy/modules/contrib/cobbler.te +++ /dev/null @@ -1,204 +0,0 @@ -policy_module(cobbler, 1.1.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether Cobbler can modify -## public files used for public file -## transfer services. -## </p> -## </desc> -gen_tunable(cobbler_anon_write, false) - -## <desc> -## <p> -## Determine whether Cobbler can connect -## to the network using TCP. -## </p> -## </desc> -gen_tunable(cobbler_can_network_connect, false) - -## <desc> -## <p> -## Determine whether Cobbler can access -## cifs file systems. -## </p> -## </desc> -gen_tunable(cobbler_use_cifs, false) - -## <desc> -## <p> -## Determine whether Cobbler can access -## nfs file systems. -## </p> -## </desc> -gen_tunable(cobbler_use_nfs, false) - -type cobblerd_t; -type cobblerd_exec_t; -init_daemon_domain(cobblerd_t, cobblerd_exec_t) - -type cobblerd_initrc_exec_t; -init_script_file(cobblerd_initrc_exec_t) - -type cobbler_etc_t; -files_config_file(cobbler_etc_t) - -type cobbler_var_log_t; -logging_log_file(cobbler_var_log_t) - -type cobbler_var_lib_t alias cobbler_content_t; -files_type(cobbler_var_lib_t) - -type cobbler_tmp_t; -files_tmp_file(cobbler_tmp_t) - -######################################## -# -# Local policy -# - -allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; -dontaudit cobblerd_t self:capability sys_tty_config; -allow cobblerd_t self:process { getsched setsched signal }; -allow cobblerd_t self:fifo_file rw_fifo_file_perms; -allow cobblerd_t self:tcp_socket { accept listen }; - -allow cobblerd_t cobbler_etc_t:dir list_dir_perms; -allow cobblerd_t cobbler_etc_t:file read_file_perms; -allow cobblerd_t cobbler_etc_t:lnk_file read_lnk_file_perms; - -allow cobblerd_t cobbler_tmp_t:file mmap_file_perms; -manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) -manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) -files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file }) - -manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir) - -append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) - -kernel_read_system_state(cobblerd_t) -kernel_dontaudit_search_network_state(cobblerd_t) - -corecmd_exec_bin(cobblerd_t) -corecmd_exec_shell(cobblerd_t) - -corenet_all_recvfrom_netlabel(cobblerd_t) -corenet_all_recvfrom_unlabeled(cobblerd_t) -corenet_tcp_sendrecv_generic_if(cobblerd_t) -corenet_tcp_sendrecv_generic_node(cobblerd_t) -corenet_tcp_bind_generic_node(cobblerd_t) - -corenet_sendrecv_cobbler_server_packets(cobblerd_t) -corenet_tcp_bind_cobbler_port(cobblerd_t) -corenet_tcp_sendrecv_cobbler_port(cobblerd_t) - -corenet_sendrecv_ftp_client_packets(cobblerd_t) -corenet_tcp_connect_ftp_port(cobblerd_t) -corenet_tcp_sendrecv_ftp_port(cobblerd_t) - -corenet_tcp_sendrecv_http_port(cobblerd_t) -corenet_tcp_connect_http_port(cobblerd_t) -corenet_sendrecv_http_client_packets(cobblerd_t) - -dev_read_urand(cobblerd_t) - -files_list_boot(cobblerd_t) -files_list_tmp(cobblerd_t) -files_read_boot_files(cobblerd_t) -files_read_etc_files(cobblerd_t) -files_read_etc_runtime_files(cobblerd_t) -files_read_usr_files(cobblerd_t) - -fs_getattr_all_fs(cobblerd_t) -fs_read_iso9660_files(cobblerd_t) - -selinux_get_enforce_mode(cobblerd_t) - -term_use_console(cobblerd_t) - -logging_send_syslog_msg(cobblerd_t) - -miscfiles_read_localization(cobblerd_t) -miscfiles_read_public_files(cobblerd_t) - -sysnet_dns_name_resolve(cobblerd_t) -sysnet_rw_dhcp_config(cobblerd_t) -sysnet_write_config(cobblerd_t) - -tunable_policy(`cobbler_anon_write',` - miscfiles_manage_public_files(cobblerd_t) -') - -tunable_policy(`cobbler_can_network_connect',` - corenet_sendrecv_all_client_packets(cobblerd_t) - corenet_tcp_connect_all_ports(cobblerd_t) - corenet_tcp_sendrecv_all_ports(cobblerd_t) -') - -tunable_policy(`cobbler_use_cifs',` - fs_manage_cifs_dirs(cobblerd_t) - fs_manage_cifs_files(cobblerd_t) - fs_manage_cifs_symlinks(cobblerd_t) -') - -tunable_policy(`cobbler_use_nfs',` - fs_manage_nfs_dirs(cobblerd_t) - fs_manage_nfs_files(cobblerd_t) - fs_manage_nfs_symlinks(cobblerd_t) -') - -optional_policy(` - apache_search_sys_content(cobblerd_t) -') - -optional_policy(` - bind_read_config(cobblerd_t) - bind_write_config(cobblerd_t) - bind_domtrans_ndc(cobblerd_t) - bind_domtrans(cobblerd_t) - bind_initrc_domtrans(cobblerd_t) - bind_manage_zone(cobblerd_t) -') - -optional_policy(` - certmaster_exec(cobblerd_t) -') - -optional_policy(` - dhcpd_domtrans(cobblerd_t) - dhcpd_initrc_domtrans(cobblerd_t) -') - -optional_policy(` - dnsmasq_domtrans(cobblerd_t) - dnsmasq_initrc_domtrans(cobblerd_t) - dnsmasq_write_config(cobblerd_t) -') - -optional_policy(` - rpm_exec(cobblerd_t) -') - -optional_policy(` - rsync_read_config(cobblerd_t) - rsync_manage_config_files(cobblerd_t) - rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf") -') - -optional_policy(` - tftp_manage_config_files(cobblerd_t) - tftp_etc_filetrans_config(cobblerd_t, file, "tftp") - tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) -') diff --git a/policy/modules/contrib/collectd.fc b/policy/modules/contrib/collectd.fc deleted file mode 100644 index 79a3abe3..00000000 --- a/policy/modules/contrib/collectd.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0) - -/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0) - -/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) - -/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0) - -/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) diff --git a/policy/modules/contrib/collectd.if b/policy/modules/contrib/collectd.if deleted file mode 100644 index 954309e6..00000000 --- a/policy/modules/contrib/collectd.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Statistics collection daemon for filling RRD files.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an collectd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`collectd_admin',` - gen_require(` - type collectd_t, collectd_initrc_exec_t, collectd_var_run_t; - type collectd_var_lib_t; - ') - - allow $1 collectd_t:process { ptrace signal_perms }; - ps_process_pattern($1, collectd_t) - - init_labeled_script_domtrans($1, collectd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 collectd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, collectd_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, collectd_var_lib_t) -') diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te deleted file mode 100644 index 6471fa8c..00000000 --- a/policy/modules/contrib/collectd.te +++ /dev/null @@ -1,90 +0,0 @@ -policy_module(collectd, 1.0.0) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether collectd can connect -## to the network using TCP. -## </p> -## </desc> -gen_tunable(collectd_tcp_network_connect, false) - -type collectd_t; -type collectd_exec_t; -init_daemon_domain(collectd_t, collectd_exec_t) - -type collectd_initrc_exec_t; -init_script_file(collectd_initrc_exec_t) - -type collectd_var_lib_t; -files_type(collectd_var_lib_t) - -type collectd_var_run_t; -files_pid_file(collectd_var_run_t) - -apache_content_template(collectd) - -######################################## -# -# Local policy -# - -allow collectd_t self:capability { ipc_lock sys_nice }; -allow collectd_t self:process { getsched setsched signal }; -allow collectd_t self:fifo_file rw_fifo_file_perms; -allow collectd_t self:packet_socket create_socket_perms; -allow collectd_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) - -manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) -files_pid_filetrans(collectd_t, collectd_var_run_t, file) - -domain_use_interactive_fds(collectd_t) - -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) -kernel_read_system_state(collectd_t) - -dev_read_rand(collectd_t) -dev_read_sysfs(collectd_t) -dev_read_urand(collectd_t) - -files_getattr_all_dirs(collectd_t) -files_read_etc_files(collectd_t) -files_read_usr_files(collectd_t) - -fs_getattr_all_fs(collectd_t) - -miscfiles_read_localization(collectd_t) - -logging_send_syslog_msg(collectd_t) - -sysnet_dns_name_resolve(collectd_t) - -tunable_policy(`collectd_tcp_network_connect',` - corenet_sendrecv_all_client_packets(collectd_t) - corenet_tcp_connect_all_ports(collectd_t) - corenet_tcp_sendrecv_all_ports(collectd_t) -') - -optional_policy(` - virt_read_config(collectd_t) -') - -######################################## -# -# Web local policy -# - -optional_policy(` - read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) - list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) - miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) -') diff --git a/policy/modules/contrib/colord.fc b/policy/modules/contrib/colord.fc deleted file mode 100644 index 717ea0b0..00000000 --- a/policy/modules/contrib/colord.fc +++ /dev/null @@ -1,8 +0,0 @@ -/usr/lib/[^/]*/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0) -/usr/lib/[^/]*/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) - -/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) -/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) - -/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) -/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) diff --git a/policy/modules/contrib/colord.if b/policy/modules/contrib/colord.if deleted file mode 100644 index 8e27a37c..00000000 --- a/policy/modules/contrib/colord.if +++ /dev/null @@ -1,60 +0,0 @@ -## <summary>GNOME color manager.</summary> - -######################################## -## <summary> -## Execute a domain transition to run colord. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`colord_domtrans',` - gen_require(` - type colord_t, colord_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, colord_exec_t, colord_t) -') - -######################################## -## <summary> -## Send and receive messages from -## colord over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`colord_dbus_chat',` - gen_require(` - type colord_t; - class dbus send_msg; - ') - - allow $1 colord_t:dbus send_msg; - allow colord_t $1:dbus send_msg; -') - -###################################### -## <summary> -## Read colord lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`colord_read_lib_files',` - gen_require(` - type colord_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) -') diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te deleted file mode 100644 index 09f18e22..00000000 --- a/policy/modules/contrib/colord.te +++ /dev/null @@ -1,135 +0,0 @@ -policy_module(colord, 1.0.2) - -######################################## -# -# Declarations -# - -type colord_t; -type colord_exec_t; -dbus_system_domain(colord_t, colord_exec_t) - -type colord_tmp_t; -files_tmp_file(colord_tmp_t) - -type colord_tmpfs_t; -files_tmpfs_file(colord_tmpfs_t) - -type colord_var_lib_t; -files_type(colord_var_lib_t) - -######################################## -# -# Local policy -# - -allow colord_t self:capability { dac_read_search dac_override }; -dontaudit colord_t self:capability sys_admin; -allow colord_t self:process signal; -allow colord_t self:fifo_file rw_fifo_file_perms; -allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; -allow colord_t self:tcp_socket { accept listen }; -allow colord_t self:shm create_shm_perms; - -manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) -manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) -files_tmp_filetrans(colord_t, colord_tmp_t, { file dir }) - -manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) -manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) -fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file }) - -manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) -manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) -files_var_lib_filetrans(colord_t, colord_var_lib_t, dir) - -kernel_read_crypto_sysctls(colord_t) -kernel_read_device_sysctls(colord_t) -kernel_read_network_state(colord_t) -kernel_read_system_state(colord_t) -kernel_request_load_module(colord_t) - -corenet_all_recvfrom_netlabel(colord_t) -corenet_all_recvfrom_unlabeled(colord_t) -corenet_tcp_sendrecv_generic_if(colord_t) -corenet_udp_sendrecv_generic_if(colord_t) -corenet_tcp_sendrecv_generic_node(colord_t) -corenet_udp_sendrecv_generic_node(colord_t) -corenet_udp_bind_generic_node(colord_t) - -corenet_sendrecv_ipp_server_packets(colord_t) -corenet_udp_bind_ipp_port(colord_t) -corenet_udp_sendrecv_ipp_port(colord_t) - -corenet_sendrecv_ipp_client_packets(colord_t) -corenet_tcp_connect_ipp_port(colord_t) -corenet_tcp_sendrecv_ipp_port(colord_t) - -corecmd_exec_bin(colord_t) -corecmd_exec_shell(colord_t) - -dev_read_raw_memory(colord_t) -dev_write_raw_memory(colord_t) -dev_read_video_dev(colord_t) -dev_write_video_dev(colord_t) -dev_rw_printer(colord_t) -dev_read_rand(colord_t) -dev_read_sysfs(colord_t) -dev_read_urand(colord_t) -dev_list_sysfs(colord_t) -dev_rw_generic_usb_dev(colord_t) - -domain_use_interactive_fds(colord_t) - -files_list_mnt(colord_t) -files_read_usr_files(colord_t) - -fs_getattr_noxattr_fs(colord_t) -fs_getattr_tmpfs(colord_t) -fs_list_noxattr_fs(colord_t) -fs_read_noxattr_fs_files(colord_t) -fs_search_all(colord_t) -fs_dontaudit_getattr_all_fs(colord_t) - -storage_getattr_fixed_disk_dev(colord_t) -storage_getattr_removable_dev(colord_t) -storage_read_scsi_generic(colord_t) -storage_write_scsi_generic(colord_t) - -auth_use_nsswitch(colord_t) - -logging_send_syslog_msg(colord_t) - -miscfiles_read_localization(colord_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(colord_t) - fs_read_nfs_files(colord_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_getattr_cifs(colord_t) - fs_read_cifs_files(colord_t) -') - -optional_policy(` - cups_read_config(colord_t) - cups_read_rw_config(colord_t) - cups_stream_connect(colord_t) - cups_dbus_chat(colord_t) -') - -optional_policy(` - policykit_dbus_chat(colord_t) - policykit_domtrans_auth(colord_t) - policykit_read_lib(colord_t) - policykit_read_reload(colord_t) -') - -optional_policy(` - sysnet_exec_ifconfig(colord_t) -') - -optional_policy(` - udev_read_db(colord_t) -') diff --git a/policy/modules/contrib/comsat.fc b/policy/modules/contrib/comsat.fc deleted file mode 100644 index 90461f93..00000000 --- a/policy/modules/contrib/comsat.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0) diff --git a/policy/modules/contrib/comsat.if b/policy/modules/contrib/comsat.if deleted file mode 100644 index afc4dfe7..00000000 --- a/policy/modules/contrib/comsat.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>Comsat, a biff server.</summary> diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te deleted file mode 100644 index 3f6e4dcd..00000000 --- a/policy/modules/contrib/comsat.te +++ /dev/null @@ -1,59 +0,0 @@ -policy_module(comsat, 1.7.1) - -######################################## -# -# Declarations -# - -type comsat_t; -type comsat_exec_t; -inetd_udp_service_domain(comsat_t, comsat_exec_t) - -type comsat_tmp_t; -files_tmp_file(comsat_tmp_t) - -type comsat_var_run_t; -files_pid_file(comsat_var_run_t) - -######################################## -# -# Local policy -# - -allow comsat_t self:capability { setuid setgid }; -allow comsat_t self:process signal_perms; -allow comsat_t self:fifo_file rw_fifo_file_perms; -allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow comsat_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) -manage_files_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) -files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir }) - -manage_files_pattern(comsat_t, comsat_var_run_t, comsat_var_run_t) -files_pid_filetrans(comsat_t, comsat_var_run_t, file) - -kernel_read_kernel_sysctls(comsat_t) -kernel_read_network_state(comsat_t) -kernel_read_system_state(comsat_t) - -dev_read_urand(comsat_t) - -fs_getattr_xattr_fs(comsat_t) - -files_list_usr(comsat_t) -files_search_spool(comsat_t) -files_search_home(comsat_t) - -auth_use_nsswitch(comsat_t) - -init_read_utmp(comsat_t) -init_dontaudit_write_utmp(comsat_t) - -logging_send_syslog_msg(comsat_t) - -miscfiles_read_localization(comsat_t) - -userdom_dontaudit_getattr_user_ttys(comsat_t) - -mta_getattr_spool(comsat_t) diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc deleted file mode 100644 index 23dc348c..00000000 --- a/policy/modules/contrib/condor.fc +++ /dev/null @@ -1,21 +0,0 @@ -/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0) - -/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) -/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) -/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0) -/usr/sbin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0) -/usr/sbin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0) -/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0) -/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0) - -/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) - -/var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) - -/var/lib/condor/spool(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) - -/var/lock/condor(/.*)? gen_context(system_u:object_r:condor_var_lock_t,s0) - -/var/log/condor(/.*)? gen_context(system_u:object_r:condor_log_t,s0) - -/var/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0) diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if deleted file mode 100644 index 3fe3cb84..00000000 --- a/policy/modules/contrib/condor.if +++ /dev/null @@ -1,88 +0,0 @@ -## <summary>High-Throughput Computing System.</summary> - -####################################### -## <summary> -## The template to define a condor domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`condor_domain_template',` - gen_require(` - attribute condor_domain; - type condor_master_t; - ') - - ############################# - # - # Declarations - # - - type condor_$1_t, condor_domain; - type condor_$1_exec_t; - domain_type(condor_$1_t) - domain_entry_file(condor_$1_t, condor_$1_exec_t) - role system_r types condor_$1_t; - - ############################# - # - # Policy - # - - domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) - allow condor_master_t condor_$1_exec_t:file ioctl; - - auth_use_nsswitch(condor_$1_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an condor environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`condor_admin',` - gen_require(` - attribute condor_domain; - type condor_initrc_exec_config_t, condor_log_t; - type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; - type condor_var_run_t, condor_startd_tmp_t; - ') - - allow $1 condor_domain:process { ptrace signal_perms }; - ps_process_pattern($1, condor_domain) - - init_labeled_script_domtrans($1, condor_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 condor_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, condor_log_t) - - files_search_locks($1) - admin_pattern($1, condor_var_lock_t) - - files_search_var_lib($1) - admin_pattern($1, condor_var_lib_t) - - files_search_pids($1) - admin_pattern($1, condor_var_run_t) - - files_search_tmp($1) - admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t }) -') diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te deleted file mode 100644 index 3f2b672f..00000000 --- a/policy/modules/contrib/condor.te +++ /dev/null @@ -1,251 +0,0 @@ -policy_module(condor, 1.0.0) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether Condor can connect -## to the network using TCP. -## </p> -## </desc> -gen_tunable(condor_tcp_network_connect, false) - -attribute condor_domain; - -type condor_master_t, condor_domain; -type condor_master_exec_t; -init_daemon_domain(condor_master_t, condor_master_exec_t) - -type condor_master_tmp_t; -files_tmp_file(condor_master_tmp_t) - -type condor_initrc_exec_t; -init_script_file(condor_initrc_exec_t) - -type condor_schedd_tmp_t; -files_tmp_file(condor_schedd_tmp_t) - -type condor_startd_tmp_t; -files_tmp_file(condor_startd_tmp_t) - -type condor_startd_tmpfs_t; -files_tmpfs_file(condor_startd_tmpfs_t) - -type condor_log_t; -logging_log_file(condor_log_t) - -type condor_var_lib_t; -files_type(condor_var_lib_t) - -type condor_var_lock_t; -files_lock_file(condor_var_lock_t) - -type condor_var_run_t; -files_pid_file(condor_var_run_t) - -condor_domain_template(collector) -condor_domain_template(negotiator) -condor_domain_template(procd) -condor_domain_template(schedd) -condor_domain_template(startd) - -##################################### -# -# Global local policy -# - -allow condor_domain self:process signal_perms; -allow condor_domain self:fifo_file rw_fifo_file_perms; -allow condor_domain self:tcp_socket { accept listen }; -allow condor_domain self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) -append_files_pattern(condor_domain, condor_log_t, condor_log_t) -create_files_pattern(condor_domain, condor_log_t, condor_log_t) -getattr_files_pattern(condor_domain, condor_log_t, condor_log_t) -logging_log_filetrans(condor_domain, condor_log_t, { dir file }) - -manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) -manage_files_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) -files_var_lib_filetrans(condor_domain, condor_var_lib_t, { dir file }) - -manage_dirs_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t) -manage_files_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t) -files_lock_filetrans(condor_domain, condor_var_lock_t, { dir file }) - -manage_dirs_pattern(condor_domain, condor_var_run_t, condor_var_run_t) -manage_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t) -manage_fifo_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t) -files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) - -allow condor_domain condor_master_t:process signull; -allow condor_domain condor_master_t:tcp_socket getattr; - -kernel_read_kernel_sysctls(condor_domain) -kernel_read_network_state(condor_domain) -kernel_read_system_state(condor_domain) - -corecmd_exec_bin(condor_domain) -corecmd_exec_shell(condor_domain) - -corenet_all_recvfrom_netlabel(condor_domain) -corenet_all_recvfrom_unlabeled(condor_domain) -corenet_tcp_sendrecv_generic_if(condor_domain) -corenet_tcp_sendrecv_generic_node(condor_domain) - -corenet_sendrecv_condor_client_packets(condor_domain) -corenet_tcp_connect_condor_port(condor_domain) -corenet_tcp_sendrecv_condor_port(condor_domain) - -domain_use_interactive_fds(condor_domain) - -dev_read_rand(condor_domain) -dev_read_sysfs(condor_domain) -dev_read_urand(condor_domain) - -logging_send_syslog_msg(condor_domain) - -miscfiles_read_localization(condor_domain) - -tunable_policy(`condor_tcp_network_connect',` - corenet_sendrecv_all_client_packets(condor_domain) - corenet_tcp_connect_all_ports(condor_domain) - corenet_tcp_sendrecv_all_ports(condor_domain) -') - -optional_policy(` - rhcs_stream_connect_cluster(condor_domain) -') - -##################################### -# -# Master local policy -# - -allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; - -allow condor_master_t condor_domain:process { sigkill signal }; - -manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) -manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) -files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) - -corenet_udp_sendrecv_generic_if(condor_master_t) -corenet_udp_sendrecv_generic_node(condor_master_t) -corenet_tcp_bind_generic_node(condor_master_t) -corenet_udp_bind_generic_node(condor_master_t) - -corenet_sendrecv_condor_server_packets(condor_master_t) -corenet_tcp_bind_condor_port(condor_master_t) -corenet_tcp_sendrecv_condor_port(condor_master_t) -corenet_udp_bind_condor_port(condor_master_t) -corenet_udp_sendrecv_condor_port(condor_master_t) - -corenet_sendrecv_amqp_client_packets(condor_master_t) -corenet_tcp_connect_amqp_port(condor_master_t) -corenet_tcp_sendrecv_amqp_port(condor_master_t) - -domain_read_all_domains_state(condor_master_t) - -auth_use_nsswitch(condor_master_t) - -optional_policy(` - mta_send_mail(condor_master_t) - mta_read_config(condor_master_t) -') - -###################################### -# -# Collector local policy -# - -allow condor_collector_t self:capability { setuid setgid }; - -allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms; -allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; - -kernel_read_network_state(condor_collector_t) - -##################################### -# -# Negotiator local policy -# - -allow condor_negotiator_t self:capability { setuid setgid }; -allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; -allow condor_negotiator_t condor_master_t:udp_socket getattr; - -###################################### -# -# Procd local policy -# - -allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; - -allow condor_procd_t condor_startd_t:process sigkill; - -domain_read_all_domains_state(condor_procd_t) - -####################################### -# -# Schedd local policy -# - -allow condor_schedd_t self:capability { setuid chown setgid dac_override }; - -allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms; -allow condor_schedd_t condor_master_t:udp_socket getattr; - -allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; - -domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) -domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) - -manage_dirs_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) -manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) -relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) -files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) - -##################################### -# -# Startd local policy -# - -allow condor_startd_t self:capability { setuid net_admin setgid dac_override }; -allow condor_startd_t self:process execmem; - -manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) -manage_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) -relabel_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) -files_tmp_filetrans(condor_startd_t, condor_startd_tmp_t, { file dir }) - -manage_dirs_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t) -manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t) -fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file }) - -can_exec(condor_startd_t, condor_startd_exec_t) - -domain_read_all_domains_state(condor_startd_t) - -mcs_process_set_categories(condor_startd_t) - -init_domtrans_script(condor_startd_t) - -libs_exec_lib_files(condor_startd_t) - -files_read_usr_files(condor_startd_t) - -optional_policy(` - ssh_basic_client_template(condor_startd, condor_startd_t, system_r) - ssh_domtrans(condor_startd_t) - - manage_files_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t) - manage_dirs_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t) - - optional_policy(` - kerberos_use(condor_startd_ssh_t) - ') -') diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc deleted file mode 100644 index 23c95582..00000000 --- a/policy/modules/contrib/consolekit.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - -/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) - -/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) -/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --git a/policy/modules/contrib/consolekit.if b/policy/modules/contrib/consolekit.if deleted file mode 100644 index 5b830ec9..00000000 --- a/policy/modules/contrib/consolekit.if +++ /dev/null @@ -1,100 +0,0 @@ -## <summary>Framework for facilitating multiple user sessions on desktops.</summary> - -######################################## -## <summary> -## Execute a domain transition to run consolekit. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`consolekit_domtrans',` - gen_require(` - type consolekit_t, consolekit_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, consolekit_exec_t, consolekit_t) -') - -######################################## -## <summary> -## Send and receive messages from -## consolekit over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`consolekit_dbus_chat',` - gen_require(` - type consolekit_t; - class dbus send_msg; - ') - - allow $1 consolekit_t:dbus send_msg; - allow consolekit_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Read consolekit log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`consolekit_read_log',` - gen_require(` - type consolekit_log_t; - ') - - read_files_pattern($1, consolekit_log_t, consolekit_log_t) - logging_search_logs($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## consolekit log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`consolekit_manage_log',` - gen_require(` - type consolekit_log_t; - ') - - manage_files_pattern($1, consolekit_log_t, consolekit_log_t) - files_search_pids($1) -') - -######################################## -## <summary> -## Read consolekit PID files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`consolekit_read_pid_files',` - gen_require(` - type consolekit_var_run_t; - ') - - files_search_pids($1) - allow $1 consolekit_var_run_t:dir list_dir_perms; - read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) -') diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te deleted file mode 100644 index ddd17c50..00000000 --- a/policy/modules/contrib/consolekit.te +++ /dev/null @@ -1,162 +0,0 @@ -policy_module(consolekit, 1.8.4) - -######################################## -# -# Declarations -# - -type consolekit_t; -type consolekit_exec_t; -init_daemon_domain(consolekit_t, consolekit_exec_t) - -type consolekit_log_t; -logging_log_file(consolekit_log_t) - -type consolekit_tmpfs_t; -files_tmpfs_file(consolekit_tmpfs_t) - -type consolekit_var_run_t; -files_pid_file(consolekit_var_run_t) -init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit") - -######################################## -# -# Local policy -# - -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; -allow consolekit_t self:process { getsched signal }; -allow consolekit_t self:fifo_file rw_fifo_file_perms; -allow consolekit_t self:unix_stream_socket { accept listen }; - -create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -logging_log_filetrans(consolekit_t, consolekit_log_t, file) - -manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file }) - -kernel_read_system_state(consolekit_t) - -corenet_all_recvfrom_unlabeled(consolekit_t) -corenet_all_recvfrom_netlabel(consolekit_t) -corenet_tcp_sendrecv_generic_if(consolekit_t) -corenet_tcp_sendrecv_generic_node(consolekit_t) - -corecmd_exec_bin(consolekit_t) -corecmd_exec_shell(consolekit_t) - -dev_read_urand(consolekit_t) -dev_read_sysfs(consolekit_t) - -domain_read_all_domains_state(consolekit_t) -domain_use_interactive_fds(consolekit_t) -domain_dontaudit_ptrace_all_domains(consolekit_t) - -files_read_usr_files(consolekit_t) -# needs to read /var/lib/dbus/machine-id -files_read_var_lib_files(consolekit_t) -files_search_all_mountpoints(consolekit_t) - -fs_list_inotifyfs(consolekit_t) - -mcs_ptrace_all(consolekit_t) - -term_use_all_terms(consolekit_t) - -auth_use_nsswitch(consolekit_t) -auth_manage_pam_console_data(consolekit_t) -auth_write_login_records(consolekit_t) - -logging_send_syslog_msg(consolekit_t) -logging_send_audit_msgs(consolekit_t) - -miscfiles_read_localization(consolekit_t) - -userdom_dontaudit_read_user_home_content_files(consolekit_t) -userdom_read_user_tmp_files(consolekit_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(consolekit_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(consolekit_t) -') - -ifdef(`distro_debian',` - auth_create_pam_console_data_dirs(consolekit_t) - auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console") -') - -optional_policy(` - dbus_system_domain(consolekit_t, consolekit_exec_t) - - optional_policy(` - hal_dbus_chat(consolekit_t) - ') - - optional_policy(` - policykit_dbus_chat(consolekit_t) - ') - - optional_policy(` - rpm_dbus_chat(consolekit_t) - ') - - optional_policy(` - unconfined_dbus_chat(consolekit_t) - ') -') - -optional_policy(` - hal_ptrace(consolekit_t) -') - -optional_policy(` - networkmanager_append_log_files(consolekit_t) -') - -optional_policy(` - policykit_domtrans_auth(consolekit_t) - policykit_read_lib(consolekit_t) - policykit_read_reload(consolekit_t) -') - -optional_policy(` - shutdown_domtrans(consolekit_t) -') - -optional_policy(` - corenet_sendrecv_xserver_client_packets(consolekit_t) - corenet_tcp_connect_xserver_port(consolekit_t) - corenet_tcp_sendrecv_xserver_port(consolekit_t) - xserver_non_drawing_client(consolekit_t) - xserver_read_xdm_pid(consolekit_t) - xserver_read_user_xauth(consolekit_t) - xserver_stream_connect(consolekit_t) - xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t) -') - -optional_policy(` - udev_domtrans(consolekit_t) - udev_read_db(consolekit_t) - udev_signal(consolekit_t) -') - -optional_policy(` - unconfined_stream_connect(consolekit_t) -') - -ifdef(`distro_gentoo',` - # consolekit daemon creates /var/run/console for tagfiles - auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console") - auth_create_pam_console_data_dirs(consolekit_t) - - optional_policy(` - dbus_read_lib_files(consolekit_t) - ') -') diff --git a/policy/modules/contrib/corosync.fc b/policy/modules/contrib/corosync.fc deleted file mode 100644 index da39f0fc..00000000 --- a/policy/modules/contrib/corosync.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) - -/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) -/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) - -/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) - -/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:corosync_var_log_t,s0) - -/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) -/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) -/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if deleted file mode 100644 index 694a037d..00000000 --- a/policy/modules/contrib/corosync.if +++ /dev/null @@ -1,186 +0,0 @@ -## <summary>Corosync Cluster Engine.</summary> - -######################################## -## <summary> -## Execute a domain transition to run corosync. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`corosync_domtrans',` - gen_require(` - type corosync_t, corosync_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, corosync_exec_t, corosync_t) -') - -######################################## -## <summary> -## Execute corosync init scripts in -## the init script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`corosync_initrc_domtrans',` - gen_require(` - type corosync_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, corosync_initrc_exec_t) -') - -###################################### -## <summary> -## Execute corosync in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corosync_exec',` - gen_require(` - type corosync_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, corosync_exec_t) -') - -####################################### -## <summary> -## Read corosync log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corosync_read_log',` - gen_require(` - type corosync_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t) - read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) -') - -##################################### -## <summary> -## Connect to corosync over a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corosync_stream_connect',` - gen_require(` - type corosync_t, corosync_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) -') - -###################################### -## <summary> -## Read and write corosync tmpfs files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corosync_rw_tmpfs',` - gen_require(` - type corosync_tmpfs_t; - ') - - fs_search_tmpfs($1) - rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t) -') - -###################################### -## <summary> -## All of the rules required to -## administrate an corosync environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`corosyncd_admin',` - refpolicywarn(`$0($*) has been deprecated, use corosync_admin() instead.') - corosync_admin($1, $2) -') - -###################################### -## <summary> -## All of the rules required to -## administrate an corosync environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`corosync_admin',` - gen_require(` - type corosync_t, corosync_var_lib_t, corosync_var_log_t; - type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; - type corosync_initrc_exec_t; - ') - - allow $1 corosync_t:process { ptrace signal_perms }; - ps_process_pattern($1, corosync_t) - - corosync_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 corosync_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, corosync_tmp_t) - - admin_pattern($1, corosync_tmpfs_t) - - files_list_var_lib($1) - admin_pattern($1, corosync_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, corosync_var_log_t) - - files_list_pids($1) - admin_pattern($1, corosync_var_run_t) -') diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te deleted file mode 100644 index eeea48d9..00000000 --- a/policy/modules/contrib/corosync.te +++ /dev/null @@ -1,148 +0,0 @@ -policy_module(corosync, 1.0.7) - -######################################## -# -# Declarations -# - -type corosync_t; -type corosync_exec_t; -init_daemon_domain(corosync_t, corosync_exec_t) -domain_obj_id_change_exemption(corosync_t) - -type corosync_initrc_exec_t; -init_script_file(corosync_initrc_exec_t) - -type corosync_tmp_t; -files_tmp_file(corosync_tmp_t) - -type corosync_tmpfs_t; -files_tmpfs_file(corosync_tmpfs_t) - -type corosync_var_lib_t; -files_type(corosync_var_lib_t) - -type corosync_var_log_t; -logging_log_file(corosync_var_log_t) - -type corosync_var_run_t; -files_pid_file(corosync_var_run_t) - -######################################## -# -# Local policy -# - -allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; -# for hearbeat -allow corosync_t self:capability { net_raw chown }; -allow corosync_t self:process { setpgid setrlimit setsched signal signull }; -allow corosync_t self:fifo_file rw_fifo_file_perms; -allow corosync_t self:sem create_sem_perms; -allow corosync_t self:shm create_shm_perms; -allow corosync_t self:unix_dgram_socket sendto; -allow corosync_t self:unix_stream_socket { accept connectto listen }; - -manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) -manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) -relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) -files_tmp_filetrans(corosync_t, corosync_tmp_t, { dir file }) - -manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) -manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) -fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file }) - -manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) -manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) -manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) -manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t) -files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { dir fifo_file file sock_file }) - -create_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -append_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -setattr_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -logging_log_filetrans(corosync_t, corosync_var_log_t, file) - -manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) -manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) -manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t) -files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir }) - -can_exec(corosync_t, corosync_exec_t) - -kernel_read_all_sysctls(corosync_t) -kernel_read_network_state(corosync_t) -kernel_read_system_state(corosync_t) - -corecmd_exec_bin(corosync_t) -corecmd_exec_shell(corosync_t) - -corenet_all_recvfrom_unlabeled(corosync_t) -corenet_all_recvfrom_netlabel(corosync_t) -corenet_udp_sendrecv_generic_if(corosync_t) -corenet_udp_sendrecv_generic_node(corosync_t) -corenet_udp_bind_generic_node(corosync_t) - -corenet_sendrecv_netsupport_server_packets(corosync_t) -corenet_udp_bind_netsupport_port(corosync_t) -corenet_udp_sendrecv_netsupport_port(corosync_t) - -dev_read_sysfs(corosync_t) -dev_read_urand(corosync_t) - -domain_read_all_domains_state(corosync_t) - -files_manage_mounttab(corosync_t) -files_read_usr_files(corosync_t) - -auth_use_nsswitch(corosync_t) - -init_domtrans_script(corosync_t) -init_read_script_state(corosync_t) -init_rw_script_tmp_files(corosync_t) - -logging_send_syslog_msg(corosync_t) - -miscfiles_read_localization(corosync_t) - -userdom_read_user_tmp_files(corosync_t) -userdom_manage_user_tmpfs_files(corosync_t) - -optional_policy(` - ccs_read_config(corosync_t) -') - -optional_policy(` - cmirrord_rw_shm(corosync_t) -') - -optional_policy(` - consoletype_exec(corosync_t) -') - -optional_policy(` - dbus_system_bus_client(corosync_t) -') - -optional_policy(` - drbd_domtrans(corosync_t) -') - -optional_policy(` - qpidd_rw_shm(corosync_t) -') - -optional_policy(` - rhcs_getattr_fenced_exec_files(corosync_t) - rhcs_rw_cluster_shm(corosync_t) - rhcs_rw_cluster_semaphores(corosync_t) - rhcs_stream_connect_cluster(corosync_t) -') - -optional_policy(` - rgmanager_manage_tmpfs_files(corosync_t) -') - -optional_policy(` - rpc_search_nfs_state_data(corosync_t) -')
\ No newline at end of file diff --git a/policy/modules/contrib/couchdb.fc b/policy/modules/contrib/couchdb.fc deleted file mode 100644 index c0863022..00000000 --- a/policy/modules/contrib/couchdb.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0) - -/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) - -/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0) - -/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0) - -/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0) - -/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0) diff --git a/policy/modules/contrib/couchdb.if b/policy/modules/contrib/couchdb.if deleted file mode 100644 index 83d6744a..00000000 --- a/policy/modules/contrib/couchdb.if +++ /dev/null @@ -1,49 +0,0 @@ -## <summary>Document database server.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an couchdb environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`couchdb_admin',` - gen_require(` - type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t; - type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t; - type couchdb_tmp_t; - ') - - allow $1 couchdb_t:process { ptrace signal_perms }; - ps_process_pattern($1, couchdb_t) - - init_labeled_script_domtrans($1, couchdb_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 couchdb_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, couchdb_conf_t) - - logging_search_logs($1) - admin_pattern($1, couchdb_log_t) - - files_search_tmp($1) - admin_pattern($1, couchdb_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, couchdb_var_lib_t) - - files_search_pids($1) - admin_pattern($1, couchdb_var_run_t) -') diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te deleted file mode 100644 index 503adab2..00000000 --- a/policy/modules/contrib/couchdb.te +++ /dev/null @@ -1,88 +0,0 @@ -policy_module(couchdb, 1.0.2) - -######################################## -# -# Declarations -# - -type couchdb_t; -type couchdb_exec_t; -init_daemon_domain(couchdb_t, couchdb_exec_t) - -type couchdb_initrc_exec_t; -init_script_file(couchdb_initrc_exec_t) - -type couchdb_conf_t; -files_config_file(couchdb_conf_t) - -type couchdb_log_t; -logging_log_file(couchdb_log_t) - -type couchdb_tmp_t; -files_tmp_file(couchdb_tmp_t) - -type couchdb_var_lib_t; -files_type(couchdb_var_lib_t) - -type couchdb_var_run_t; -files_pid_file(couchdb_var_run_t) - -######################################## -# -# Local policy -# - -allow couchdb_t self:process { setsched signal signull sigkill }; -allow couchdb_t self:fifo_file rw_fifo_file_perms; -allow couchdb_t self:unix_stream_socket create_stream_socket_perms; -allow couchdb_t self:tcp_socket { accept listen }; - -allow couchdb_t couchdb_conf_t:dir list_dir_perms; -allow couchdb_t couchdb_conf_t:file read_file_perms; - -manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) -append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) -create_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) -setattr_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) -logging_log_filetrans(couchdb_t, couchdb_log_t, dir) - -manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t) -manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t) -files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file }) - -manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t) -manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t) -files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) - -manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) -manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) -files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir) - -can_exec(couchdb_t, couchdb_exec_t) - -kernel_read_system_state(couchdb_t) - -corecmd_exec_bin(couchdb_t) -corecmd_exec_shell(couchdb_t) - -corenet_all_recvfrom_unlabeled(couchdb_t) -corenet_all_recvfrom_netlabel(couchdb_t) -corenet_tcp_sendrecv_generic_if(couchdb_t) -corenet_tcp_sendrecv_generic_node(couchdb_t) -corenet_tcp_bind_generic_node(couchdb_t) - -corenet_sendrecv_couchdb_server_packets(couchdb_t) -corenet_tcp_bind_couchdb_port(couchdb_t) -corenet_tcp_sendrecv_couchdb_port(couchdb_t) - -dev_list_sysfs(couchdb_t) -dev_read_sysfs(couchdb_t) -dev_read_urand(couchdb_t) - -files_read_usr_files(couchdb_t) - -fs_getattr_xattr_fs(couchdb_t) - -auth_use_nsswitch(couchdb_t) - -miscfiles_read_localization(couchdb_t) diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc deleted file mode 100644 index 69bdc680..00000000 --- a/policy/modules/contrib/courier.fc +++ /dev/null @@ -1,32 +0,0 @@ -/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -/etc/courier-imap(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) - -/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) - -/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) -/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) - -/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) -/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) -/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) - - -/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) -/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) - -/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0) - -/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) -/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if deleted file mode 100644 index 0705659e..00000000 --- a/policy/modules/contrib/courier.if +++ /dev/null @@ -1,228 +0,0 @@ -## <summary>Courier IMAP and POP3 email servers.</summary> - -####################################### -## <summary> -## The template to define a courier domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`courier_domain_template',` - gen_require(` - attribute courier_domain; - ') - - ######################################## - # - # Declarations - # - - type courier_$1_t, courier_domain; - type courier_$1_exec_t; - init_daemon_domain(courier_$1_t, courier_$1_exec_t) - - ######################################## - # - # Policy - # - - can_exec(courier_$1_t, courier_$1_exec_t) -') - -######################################## -## <summary> -## Execute the courier authentication -## daemon with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`courier_domtrans_authdaemon',` - gen_require(` - type courier_authdaemon_t, courier_authdaemon_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) -') - -####################################### -## <summary> -## Connect to courier-authdaemon over -## a unix stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`courier_stream_connect_authdaemon',` - gen_require(` - type courier_authdaemon_t, courier_spool_t; - ') - - files_search_spool($1) - stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) -') - -######################################## -## <summary> -## Execute the courier POP3 and IMAP -## server with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`courier_domtrans_pop',` - gen_require(` - type courier_pop_t, courier_pop_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) -') - -######################################## -## <summary> -## Read courier config files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`courier_read_config',` - gen_require(` - type courier_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, courier_etc_t, courier_etc_t) -') - -######################################## -## <summary> -## Create, read, write, and delete courier -## spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`courier_manage_spool_dirs',` - gen_require(` - type courier_spool_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, courier_spool_t, courier_spool_t) -') - -######################################## -## <summary> -## Create, read, write, and delete courier -## spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`courier_manage_spool_files',` - gen_require(` - type courier_spool_t; - ') - - files_search_var($1) - manage_files_pattern($1, courier_spool_t, courier_spool_t) -') - -######################################## -## <summary> -## Read courier spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`courier_read_spool',` - gen_require(` - type courier_spool_t; - ') - - files_search_var($1) - read_files_pattern($1, courier_spool_t, courier_spool_t) -') - -######################################## -## <summary> -## Read and write courier spool pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`courier_rw_spool_pipes',` - gen_require(` - type courier_spool_t; - ') - - files_search_var($1) - allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Allow read/write operations on an inherited stream socket -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`courier_authdaemon_rw_inherited_stream_sockets',` - gen_require(` - type courier_authdaemon_t; - ') - allow $1 courier_authdaemon_t:unix_stream_socket { read write }; -') - - -######################################## -## <summary> -## Connect to Authdaemon using a unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`courier_authdaemon_stream_connect',` - gen_require(` - type courier_authdaemon_t, courier_var_run_t; - ') - - stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t) -') diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te deleted file mode 100644 index cf44dcd9..00000000 --- a/policy/modules/contrib/courier.te +++ /dev/null @@ -1,209 +0,0 @@ -policy_module(courier, 1.13.2) - -######################################## -# -# Declarations -# - -attribute courier_domain; - -courier_domain_template(authdaemon) -courier_domain_template(pcp) -courier_domain_template(pop) -courier_domain_template(tcpd) -courier_domain_template(sqwebmail) -typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; - -type courier_etc_t; -files_config_file(courier_etc_t) - -type courier_spool_t; -files_type(courier_spool_t) - -type courier_var_lib_t; -files_type(courier_var_lib_t) - -type courier_var_run_t; -files_pid_file(courier_var_run_t) - -type courier_exec_t; -mta_agent_executable(courier_exec_t) - -######################################## -# -# Common local policy -# - -allow courier_domain self:capability dac_override; -dontaudit courier_domain self:capability sys_tty_config; -allow courier_domain self:process { setpgid signal_perms }; -allow courier_domain self:fifo_file rw_fifo_file_perms; -allow courier_domain self:tcp_socket create_stream_socket_perms; -allow courier_domain self:udp_socket create_socket_perms; - -read_files_pattern(courier_domain, courier_etc_t, courier_etc_t) -allow courier_domain courier_etc_t:dir list_dir_perms; - -manage_dirs_pattern(courier_domain, courier_var_run_t, courier_var_run_t) -manage_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) -manage_lnk_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) -manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) -files_pid_filetrans(courier_domain, courier_var_run_t, dir) - -kernel_read_kernel_sysctls(courier_domain) -kernel_read_system_state(courier_domain) - -corecmd_exec_bin(courier_domain) - -dev_read_sysfs(courier_domain) - -domain_use_interactive_fds(courier_domain) - -files_read_etc_files(courier_domain) -files_read_etc_runtime_files(courier_domain) -files_read_usr_files(courier_domain) - -fs_getattr_xattr_fs(courier_domain) -fs_search_auto_mountpoints(courier_domain) - -logging_send_syslog_msg(courier_domain) - -sysnet_read_config(courier_domain) - -userdom_dontaudit_use_unpriv_user_fds(courier_domain) - -optional_policy(` - seutil_sigchld_newrole(courier_domain) -') - -optional_policy(` - udev_read_db(courier_domain) -') - -######################################## -# -# Authdaemon local policy -# - -allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; -allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen }; - -create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) -manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) - -manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) - -allow courier_authdaemon_t courier_tcpd_t:process sigchld; -allow courier_authdaemon_t courier_tcpd_t:fd use; -allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms; -allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; - -can_exec(courier_authdaemon_t, courier_exec_t) - -domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t) - -dev_read_urand(courier_authdaemon_t) - -files_getattr_tmp_dirs(courier_authdaemon_t) -files_search_spool(courier_authdaemon_t) - -auth_domtrans_chk_passwd(courier_authdaemon_t) - -libs_read_lib_files(courier_authdaemon_t) - -miscfiles_read_localization(courier_authdaemon_t) - -userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) - -ifdef(`distro_gentoo',` - read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) -') - -######################################## -# -# Calendar (PCP) local policy -# - -allow courier_pcp_t self:capability { setuid setgid }; - -dev_read_rand(courier_pcp_t) - -######################################## -# -# POP3/IMAP local policy -# - -allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; -allow courier_pop_t courier_authdaemon_t:process sigchld; - -allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; - -allow courier_pop_t courier_var_lib_t:file { read write }; - -domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) - -miscfiles_read_localization(courier_pop_t) - -userdom_manage_user_home_content_files(courier_pop_t) -userdom_manage_user_home_content_dirs(courier_pop_t) - -ifdef(`distro_gentoo',` - files_search_var_lib(courier_pop_t) - search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) - read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) - - courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t) -') - -######################################## -# -# TCPd local policy -# - -allow courier_tcpd_t self:capability kill; - -manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) -manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) -files_search_var_lib(courier_tcpd_t) - -can_exec(courier_tcpd_t, courier_exec_t) - -domtrans_pattern(courier_tcpd_t, courier_pop_exec_t, courier_pop_t) - -corenet_all_recvfrom_unlabeled(courier_tcpd_t) -corenet_all_recvfrom_netlabel(courier_tcpd_t) -corenet_tcp_sendrecv_generic_if(courier_tcpd_t) -corenet_tcp_sendrecv_generic_node(courier_tcpd_t) -corenet_tcp_bind_generic_node(courier_tcpd_t) - -corenet_sendrecv_pop_server_packets(courier_tcpd_t) -corenet_tcp_bind_pop_port(courier_tcpd_t) -corenet_tcp_sendrecv_pop_port(courier_tcpd_t) - -dev_read_rand(courier_tcpd_t) -dev_read_urand(courier_tcpd_t) - -miscfiles_read_localization(courier_tcpd_t) - -ifdef(`distro_gentoo',` - courier_authdaemon_stream_connect(courier_tcpd_t) - courier_domtrans_authdaemon(courier_tcpd_t) -') - -######################################## -# -# Webmail local policy -# - -kernel_read_kernel_sysctls(courier_sqwebmail_t) - -ifdef(`distro_gentoo',` - optional_policy(` - mysql_stream_connect(courier_authdaemon_t) - ') -') - -optional_policy(` - cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) -') diff --git a/policy/modules/contrib/cpucontrol.fc b/policy/modules/contrib/cpucontrol.fc deleted file mode 100644 index 3ffda4c3..00000000 --- a/policy/modules/contrib/cpucontrol.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/firmware/.* -- gen_context(system_u:object_r:cpucontrol_conf_t,s0) - -/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0) - -/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) -/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) -/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0) -/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) - -/var/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0) diff --git a/policy/modules/contrib/cpucontrol.if b/policy/modules/contrib/cpucontrol.if deleted file mode 100644 index ff6310d4..00000000 --- a/policy/modules/contrib/cpucontrol.if +++ /dev/null @@ -1,17 +0,0 @@ -## <summary>Services for loading CPU microcode and CPU frequency scaling.</summary> - -######################################## -## <summary> -## CPUcontrol stub interface. No access allowed. -## </summary> -## <param name="domain" unused="true"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cpucontrol_stub',` - gen_require(` - type cpucontrol_t; - ') -') diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te deleted file mode 100644 index 2f1aad66..00000000 --- a/policy/modules/contrib/cpucontrol.te +++ /dev/null @@ -1,104 +0,0 @@ -policy_module(cpucontrol, 1.3.2) - -######################################## -# -# Declarations -# - -attribute cpucontrol_domain; - -type cpucontrol_t, cpucontrol_domain; -type cpucontrol_exec_t; -init_system_domain(cpucontrol_t, cpucontrol_exec_t) - -type cpucontrol_conf_t; -files_config_file(cpucontrol_conf_t) - -type cpuspeed_t, cpucontrol_domain; -type cpuspeed_exec_t; -init_system_domain(cpuspeed_t, cpuspeed_exec_t) - -type cpuspeed_var_run_t; -files_pid_file(cpuspeed_var_run_t) - -######################################## -# -# Common local policy -# - -dontaudit cpucontrol_domain self:capability sys_tty_config; -allow cpucontrol_domain self:process signal_perms; - -kernel_read_kernel_sysctls(cpucontrol_domain) - -domain_use_interactive_fds(cpucontrol_domain) - -files_list_usr(cpucontrol_domain) - -fs_search_auto_mountpoints(cpucontrol_domain) - -term_dontaudit_use_console(cpucontrol_domain) - -init_use_fds(cpucontrol_domain) -init_use_script_ptys(cpucontrol_domain) - -logging_send_syslog_msg(cpucontrol_domain) - -userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain) - -optional_policy(` - nscd_use(cpucontrol_domain) -') - -optional_policy(` - seutil_sigchld_newrole(cpucontrol_domain) -') - -optional_policy(` - udev_read_db(cpucontrol_domain) -') - -######################################## -# -# Loader local policy -# - -allow cpucontrol_t self:capability { ipc_lock sys_rawio }; - -allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms; -read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) -read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) - -kernel_list_proc(cpucontrol_t) -kernel_read_proc_symlinks(cpucontrol_t) - -dev_read_sysfs(cpucontrol_t) -dev_rw_cpu_microcode(cpucontrol_t) - -optional_policy(` - rhgb_use_ptys(cpucontrol_t) -') - -######################################## -# -# Scaling local policy -# - -allow cpuspeed_t self:process setsched; -allow cpuspeed_t self:unix_dgram_socket create_socket_perms; - -allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms; -files_pid_filetrans(cpuspeed_t, cpuspeed_var_run_t, file) - -kernel_read_system_state(cpuspeed_t) - -# This doesnt make sense -dev_write_sysfs_dirs(cpuspeed_t) -dev_rw_sysfs(cpuspeed_t) - -domain_read_all_domains_state(cpuspeed_t) - -files_read_etc_files(cpuspeed_t) -files_read_etc_runtime_files(cpuspeed_t) - -miscfiles_read_localization(cpuspeed_t) diff --git a/policy/modules/contrib/cpufreqselector.fc b/policy/modules/contrib/cpufreqselector.fc deleted file mode 100644 index b187f0f7..00000000 --- a/policy/modules/contrib/cpufreqselector.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0) diff --git a/policy/modules/contrib/cpufreqselector.if b/policy/modules/contrib/cpufreqselector.if deleted file mode 100644 index 932fa532..00000000 --- a/policy/modules/contrib/cpufreqselector.if +++ /dev/null @@ -1,22 +0,0 @@ -## <summary>Command-line CPU frequency settings.</summary> - -######################################## -## <summary> -## Send and receive messages from -## cpufreq-selector over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cpufreqselector_dbus_chat',` - gen_require(` - type cpufreqselector_t; - class dbus send_msg; - ') - - allow $1 cpufreqselector_t:dbus send_msg; - allow cpufreqselector_t $1:dbus send_msg; -') diff --git a/policy/modules/contrib/cpufreqselector.te b/policy/modules/contrib/cpufreqselector.te deleted file mode 100644 index a3bbc21f..00000000 --- a/policy/modules/contrib/cpufreqselector.te +++ /dev/null @@ -1,53 +0,0 @@ -policy_module(cpufreqselector, 1.3.1) - -######################################## -# -# Declarations -# - -type cpufreqselector_t; -type cpufreqselector_exec_t; -init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t) - -######################################## -# -# Local policy -# - -allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; -allow cpufreqselector_t self:process getsched; -allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(cpufreqselector_t) - -files_read_etc_files(cpufreqselector_t) -files_read_usr_files(cpufreqselector_t) - -dev_rw_sysfs(cpufreqselector_t) - -miscfiles_read_localization(cpufreqselector_t) - -userdom_read_all_users_state(cpufreqselector_t) -userdom_dontaudit_search_user_home_dirs(cpufreqselector_t) - -optional_policy(` - dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) - - optional_policy(` - consolekit_dbus_chat(cpufreqselector_t) - ') - - optional_policy(` - policykit_dbus_chat(cpufreqselector_t) - ') -') - -optional_policy(` - nscd_dontaudit_search_pid(cpufreqselector_t) -') - -optional_policy(` - policykit_domtrans_auth(cpufreqselector_t) - policykit_read_lib(cpufreqselector_t) - policykit_read_reload(cpufreqselector_t) -') diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc deleted file mode 100644 index 552de9cb..00000000 --- a/policy/modules/contrib/cron.fc +++ /dev/null @@ -1,54 +0,0 @@ -/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - -/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) - -/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) -/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) -/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) -/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) - -/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) - -/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) -/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) - -/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0) - -/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) - -/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) -#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -/var/spool/cron/[^/]* -- <<none>> - -/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/cron/crontabs/.* -- <<none>> -#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) - -/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/fcron/.* <<none>> -/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) -/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - -ifdef(`distro_debian',` -/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/cron/atjobs/[^/]* -- <<none>> -/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) -') - -ifdef(`distro_gentoo',` -/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -/var/spool/cron/lastrun/[^/]* -- <<none>> -') - -ifdef(`distro_suse',` -/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -/var/spool/cron/lastrun/[^/]* -- <<none>> -/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -') diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if deleted file mode 100644 index a58ce501..00000000 --- a/policy/modules/contrib/cron.if +++ /dev/null @@ -1,832 +0,0 @@ -## <summary>Periodic execution of scheduled commands.</summary> - -####################################### -## <summary> -## The template to define a crontab domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`cron_common_crontab_template',` - gen_require(` - attribute crontab_domain; - type crontab_exec_t; - ') - - ############################## - # - # Declarations - # - - type $1_t, crontab_domain; - userdom_user_application_domain($1_t, crontab_exec_t) - - type $1_tmp_t; - userdom_user_tmp_file($1_tmp_t) - - ############################## - # - # Local policy - # - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) - - auth_domtrans_chk_passwd($1_t) - auth_use_nsswitch($1_t) -') - -######################################## -## <summary> -## Role access for cron. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -## <rolecap/> -# -interface(`cron_role',` - gen_require(` - type cronjob_t, crontab_t, crontab_exec_t; - type user_cron_spool_t, crond_t; - bool cron_userdomain_transition; - ') - - ############################## - # - # Declarations - # - - role $1 types { cronjob_t crontab_t }; - - ############################## - # - # Local policy - # - - domtrans_pattern($2, crontab_exec_t, crontab_t) - - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - - allow $2 user_cron_spool_t:file { getattr read write ioctl }; - - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) - - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; - - allow $2 user_cron_spool_t:file entrypoint; - - allow $2 crond_t:fifo_file rw_fifo_file_perms; - - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) - ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; - - dontaudit $2 user_cron_spool_t:file entrypoint; - - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 cronjob_t:process { ptrace signal_perms }; - ') - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(cronjob_t) - - allow cronjob_t $2:dbus send_msg; - ') -') - -######################################## -## <summary> -## Role access for unconfined cron. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`cron_unconfined_role',` - gen_require(` - type unconfined_cronjob_t, crontab_t, crontab_exec_t; - type crond_t, user_cron_spool_t; - bool cron_userdomain_transition; - ') - - ############################## - # - # Declarations - # - - role $1 types { unconfined_cronjob_t crontab_t }; - - ############################## - # - # Local policy - # - - domtrans_pattern($2, crontab_exec_t, crontab_t) - - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - - allow $2 user_cron_spool_t:file { getattr read write ioctl }; - - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) - - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; - - allow $2 user_cron_spool_t:file entrypoint; - - allow $2 crond_t:fifo_file rw_fifo_file_perms; - - allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, unconfined_cronjob_t) - ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; - - dontaudit $2 user_cron_spool_t:file entrypoint; - - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms }; -') - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(unconfined_cronjob_t) - - allow unconfined_cronjob_t $2:dbus send_msg; - ') -') - -######################################## -## <summary> -## Role access for admin cron. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`cron_admin_role',` - gen_require(` - type cronjob_t, crontab_exec_t, admin_crontab_t; - class passwd crontab; - type crond_t, user_cron_spool_t; - bool cron_userdomain_transition; - ') - - ############################## - # - # Declarations - # - - role $1 types { cronjob_t admin_crontab_t }; - - ############################## - # - # Local policy - # - - domtrans_pattern($2, crontab_exec_t, admin_crontab_t) - - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - - allow $2 user_cron_spool_t:file { getattr read write ioctl }; - - allow $2 admin_crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, admin_crontab_t) - - # Manipulate other users crontab. - allow $2 self:passwd crontab; - - corecmd_exec_bin(admin_crontab_t) - corecmd_exec_shell(admin_crontab_t) - - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; - - allow $2 user_cron_spool_t:file entrypoint; - - allow $2 crond_t:fifo_file rw_fifo_file_perms; - - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) - ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; - - dontaudit $2 user_cron_spool_t:file entrypoint; - - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 cronjob_t:process { ptrace signal_perms }; - ') - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(admin_cronjob_t) - - allow cronjob_t $2:dbus send_msg; - ') -') - -######################################## -## <summary> -## Make the specified program domain -## accessable from the system cron jobs. -## </summary> -## <param name="domain"> -## <summary> -## The type of the process to transition to. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## The type of the file used as an entrypoint to this domain. -## </summary> -## </param> -# -interface(`cron_system_entry',` - gen_require(` - type crond_t, system_cronjob_t; - ') - - domtrans_pattern(system_cronjob_t, $2, $1) - domtrans_pattern(crond_t, $2, $1) - - role system_r types $1; -') - -######################################## -## <summary> -## Execute cron in the cron system domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cron_domtrans',` - gen_require(` - type system_cronjob_t, crond_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, crond_exec_t, system_cronjob_t) -') - -######################################## -## <summary> -## Execute crond in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_exec',` - gen_require(` - type crond_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, crond_exec_t) -') - -######################################## -## <summary> -## Execute crond server in the crond domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cron_initrc_domtrans',` - gen_require(` - type crond_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, crond_initrc_exec_t) -') - -######################################## -## <summary> -## Use crond file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_use_fds',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fd use; -') - -######################################## -## <summary> -## Send child terminated signals to crond. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_sigchld',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:process sigchld; -') - -######################################## -## <summary> -## Set the attributes of cron log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_setattr_log_files',` - gen_require(` - type cron_log_t; - ') - - allow $1 cron_log_t:file setattr_file_perms; -') - -######################################## -## <summary> -## Create cron log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_create_log_files',` - gen_require(` - type cron_log_t; - ') - - create_files_pattern($1, cron_log_t, cron_log_t) -') - -######################################## -## <summary> -## Write to cron log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_write_log_files',` - gen_require(` - type cron_log_t; - ') - - allow $1 cron_log_t:file write_file_perms; -') - -######################################## -## <summary> -## Create, read, write and delete -## cron log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_manage_log_files',` - gen_require(` - type cron_log_t; - ') - - manage_files_pattern($1, cron_log_t, cron_log_t) - - logging_search_logs($1) -') - -######################################## -## <summary> -## Create specified objects in generic -## log directories with the cron log file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`cron_generic_log_filetrans_log',` - gen_require(` - type cron_log_t; - ') - - logging_log_filetrans($1, cron_log_t, $2, $3) -') - -######################################## -## <summary> -## Read cron daemon unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_read_pipes',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fifo_file read_fifo_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to write -## cron daemon unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`cron_dontaudit_write_pipes',` - gen_require(` - type crond_t; - ') - - dontaudit $1 crond_t:fifo_file write; -') - -######################################## -## <summary> -## Read and write crond unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_rw_pipes',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Read and write crond TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_rw_tcp_sockets',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write cron daemon TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`cron_dontaudit_rw_tcp_sockets',` - gen_require(` - type crond_t; - ') - - dontaudit $1 crond_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Search cron spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_search_spool',` - gen_require(` - type cron_spool_t; - ') - - files_search_spool($1) - allow $1 cron_spool_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## crond pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_manage_pid_files',` - gen_require(` - type crond_var_run_t; - ') - - manage_files_pattern($1, crond_var_run_t, crond_var_run_t) -') - -######################################## -## <summary> -## Execute anacron in the cron -## system domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cron_anacron_domtrans_system_job',` - gen_require(` - type system_cronjob_t, anacron_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, anacron_exec_t, system_cronjob_t) -') - -######################################## -## <summary> -## Use system cron job file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_use_system_job_fds',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:fd use; -') - -######################################## -## <summary> -## Read system cron job lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_read_system_job_lib_files',` - gen_require(` - type system_cronjob_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## system cron job lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_manage_system_job_lib_files',` - gen_require(` - type system_cronjob_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -') - -######################################## -## <summary> -## Write system cron job unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_write_system_job_pipes',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:file write; -') - -######################################## -## <summary> -## Read and write system cron job -## unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_rw_system_job_pipes',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Read and write inherited system cron -## job unix domain stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_rw_system_job_stream_sockets',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## Read system cron job temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cron_read_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t; - ') - - files_search_tmp($1) - allow $1 system_cronjob_tmp_t:file read_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to append temporary -## system cron job files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`cron_dontaudit_append_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t; - ') - - dontaudit $1 system_cronjob_tmp_t:file append_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to write temporary -## system cron job files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`cron_dontaudit_write_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t; - ') - - dontaudit $1 system_cronjob_tmp_t:file write_file_perms; -') diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te deleted file mode 100644 index 2e78e62d..00000000 --- a/policy/modules/contrib/cron.te +++ /dev/null @@ -1,722 +0,0 @@ -policy_module(cron, 2.5.10) - -gen_require(` - class passwd rootok; -') - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether system cron jobs -## can relabel filesystem for -## restoring file contexts. -## </p> -## </desc> -gen_tunable(cron_can_relabel, false) - -## <desc> -## <p> -## Determine whether crond can execute jobs -## in the user domain as opposed to the -## the generic cronjob domain. -## </p> -## </desc> -gen_tunable(cron_userdomain_transition, false) - -## <desc> -## <p> -## Determine whether extra rules -## should be enabled to support fcron. -## </p> -## </desc> -gen_tunable(fcron_crond, false) - -attribute cron_spool_type; -attribute crontab_domain; - -type anacron_exec_t; -application_executable_file(anacron_exec_t) - -type cron_spool_t; -files_type(cron_spool_t) -mta_system_content(cron_spool_t) - -type cron_var_lib_t; -files_type(cron_var_lib_t) - -type cron_var_run_t; -files_pid_file(cron_var_run_t) - -type cron_log_t; -logging_log_file(cron_log_t) - -type cronjob_t; -typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t }; -typealias cronjob_t alias { auditadm_crond_t secadm_crond_t }; -domain_type(cronjob_t) -domain_cron_exemption_target(cronjob_t) -corecmd_shell_entry_type(cronjob_t) -ubac_constrained(cronjob_t) - -type crond_t; -type crond_exec_t; -init_daemon_domain(crond_t, crond_exec_t) -domain_interactive_fd(crond_t) -domain_cron_exemption_source(crond_t) - -type crond_initrc_exec_t; -init_script_file(crond_initrc_exec_t) - -type crond_tmp_t; -files_tmp_file(crond_tmp_t) -files_poly_parent(crond_tmp_t) -mta_system_content(crond_tmp_t) - -type crond_var_run_t; -files_pid_file(crond_var_run_t) -mta_system_content(crond_var_run_t) - -type crontab_exec_t; -application_executable_file(crontab_exec_t) - -cron_common_crontab_template(admin_crontab) -typealias admin_crontab_t alias sysadm_crontab_t; -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; - -cron_common_crontab_template(crontab) -typealias crontab_t alias { user_crontab_t staff_crontab_t }; -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; - -type system_cron_spool_t, cron_spool_type; -files_type(system_cron_spool_t) -mta_system_content(system_cron_spool_t) - -type system_cronjob_t alias system_crond_t; -init_daemon_domain(system_cronjob_t, anacron_exec_t) -corecmd_shell_entry_type(system_cronjob_t) -domain_entry_file(system_cronjob_t, system_cron_spool_t) - -type system_cronjob_lock_t alias system_crond_lock_t; -files_lock_file(system_cronjob_lock_t) - -type system_cronjob_tmp_t alias system_crond_tmp_t; -files_tmp_file(system_cronjob_tmp_t) - -type system_cronjob_var_lib_t; -files_type(system_cronjob_var_lib_t) - -type system_cronjob_var_run_t; -files_pid_file(system_cronjob_var_run_t) - -type user_cron_spool_t, cron_spool_type; -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; -files_type(user_cron_spool_t) -ubac_constrained(user_cron_spool_t) -mta_system_content(user_cron_spool_t) - -ifdef(`distro_gentoo',` - # Logging for atd jobs - domain_interactive_fd(cronjob_t) - domain_interactive_fd(system_cronjob_t) - - logging_syslog_managed_log_file(cron_log_t, "cron.log") -') - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) -') - -############################## -# -# Common crontab local policy -# - -allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; -allow crontab_domain self:process { getcap setsched signal_perms }; -allow crontab_domain self:fifo_file rw_fifo_file_perms; - -manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) -filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) - -allow crontab_domain cron_spool_t:dir setattr_dir_perms; - -allow crontab_domain crond_t:process signal; -allow crontab_domain crond_var_run_t:file read_file_perms; - -kernel_read_system_state(crontab_domain) - -selinux_dontaudit_search_fs(crontab_domain) - -files_list_spool(crontab_domain) -files_read_etc_files(crontab_domain) -files_read_usr_files(crontab_domain) -files_search_pids(crontab_domain) - -fs_getattr_xattr_fs(crontab_domain) -fs_manage_cgroup_dirs(crontab_domain) -fs_rw_cgroup_files(crontab_domain) - -domain_use_interactive_fds(crontab_domain) - -fs_dontaudit_rw_anon_inodefs_files(crontab_domain) - -auth_rw_var_auth(crontab_domain) - -logging_send_syslog_msg(crontab_domain) -logging_send_audit_msgs(crontab_domain) -logging_set_loginuid(crontab_domain) - -init_dontaudit_write_utmp(crontab_domain) -init_read_utmp(crontab_domain) -init_read_state(crontab_domain) - -miscfiles_read_localization(crontab_domain) - -seutil_read_config(crontab_domain) - -userdom_manage_user_tmp_dirs(crontab_domain) -userdom_manage_user_tmp_files(crontab_domain) -userdom_use_user_terminals(crontab_domain) -userdom_read_user_home_content_files(crontab_domain) -userdom_read_user_home_content_symlinks(crontab_domain) - -tunable_policy(`fcron_crond',` - dontaudit crontab_domain crond_t:process signal; -') - -######################################## -# -# Admin local policy -# - -allow admin_crontab_t crond_t:process signal; - -selinux_get_fs_mount(admin_crontab_t) -selinux_validate_context(admin_crontab_t) -selinux_compute_access_vector(admin_crontab_t) -selinux_compute_create_context(admin_crontab_t) -selinux_compute_relabel_context(admin_crontab_t) -selinux_compute_user_contexts(admin_crontab_t) - -tunable_policy(`fcron_crond',` - allow admin_crontab_t self:process setfscreate; -') - -######################################## -# -# Daemon local policy -# - -allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; -dontaudit crond_t self:capability { sys_resource sys_tty_config }; -allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; -allow crond_t self:process { setexec setfscreate }; -allow crond_t self:fd use; -allow crond_t self:fifo_file rw_fifo_file_perms; -allow crond_t self:unix_dgram_socket sendto; -allow crond_t self:unix_stream_socket { accept connectto listen }; -allow crond_t self:shm create_shm_perms; -allow crond_t self:sem create_sem_perms; -allow crond_t self:msgq create_msgq_perms; -allow crond_t self:msg { send receive }; -allow crond_t self:key { search write link }; -dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; - -allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(crond_t, cron_log_t, file) - -manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -files_pid_filetrans(crond_t, crond_var_run_t, file) - -manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) - -manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) -manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) -files_tmp_filetrans(crond_t, crond_tmp_t, { dir file }) - -list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) -read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) - -rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) - -allow crond_t system_cronjob_t:process transition; -allow crond_t system_cronjob_t:fd use; -allow crond_t system_cronjob_t:key manage_key_perms; - -dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh }; - -domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) - -kernel_read_kernel_sysctls(crond_t) -kernel_read_fs_sysctls(crond_t) -kernel_search_key(crond_t) - -corecmd_exec_shell(crond_t) -corecmd_exec_bin(crond_t) -corecmd_list_bin(crond_t) - -dev_read_sysfs(crond_t) -dev_read_urand(crond_t) - -domain_use_interactive_fds(crond_t) -domain_subj_id_change_exemption(crond_t) -domain_role_change_exemption(crond_t) - -fs_getattr_all_fs(crond_t) -fs_list_inotifyfs(crond_t) -fs_manage_cgroup_dirs(crond_t) -fs_rw_cgroup_files(crond_t) -fs_search_auto_mountpoints(crond_t) - -files_read_usr_files(crond_t) -files_read_etc_runtime_files(crond_t) -files_read_generic_spool(crond_t) -files_list_usr(crond_t) -files_search_var_lib(crond_t) -files_search_default(crond_t) - -mls_fd_share_all_levels(crond_t) -mls_file_read_all_levels(crond_t) -mls_file_write_all_levels(crond_t) -mls_process_set_level(crond_t) -mls_trusted_object(crond_t) - -selinux_get_fs_mount(crond_t) -selinux_validate_context(crond_t) -selinux_compute_access_vector(crond_t) -selinux_compute_create_context(crond_t) -selinux_compute_relabel_context(crond_t) -selinux_compute_user_contexts(crond_t) - -init_read_state(crond_t) -init_rw_utmp(crond_t) -init_spec_domtrans_script(crond_t) - -auth_domtrans_chk_passwd(crond_t) -auth_manage_var_auth(crond_t) -auth_use_nsswitch(crond_t) - -logging_send_audit_msgs(crond_t) -logging_send_syslog_msg(crond_t) -logging_set_loginuid(crond_t) - -seutil_read_config(crond_t) -seutil_read_default_contexts(crond_t) - -miscfiles_read_localization(crond_t) - -userdom_list_user_home_dirs(crond_t) - -tunable_policy(`cron_userdomain_transition',` - dontaudit crond_t cronjob_t:process transition; - dontaudit crond_t cronjob_t:fd use; - dontaudit crond_t cronjob_t:key manage_key_perms; -',` - allow crond_t cronjob_t:process transition; - allow crond_t cronjob_t:fd use; - allow crond_t cronjob_t:key manage_key_perms; -') - -ifdef(`distro_debian',` - allow crond_t self:process setrlimit; - - optional_policy(` - logwatch_search_cache_dir(crond_t) - ') -') - -ifdef(`distro_redhat',` - optional_policy(` - rpm_manage_log(crond_t) - ') -') - -tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all(crond_t) -') - -tunable_policy(`fcron_crond',` - allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; -') - -optional_policy(` - apache_search_sys_content(crond_t) -') - -optional_policy(` - dbus_system_bus_client(crond_t) - - optional_policy(` - hal_dbus_chat(crond_t) - ') - - optional_policy(` - unconfined_dbus_send(crond_t) - ') -') - -optional_policy(` - amanda_search_var_lib(crond_t) -') - -optional_policy(` - amavis_search_lib(crond_t) -') - -optional_policy(` - djbdns_search_tinydns_keys(crond_t) - djbdns_link_tinydns_keys(crond_t) -') - -optional_policy(` - hal_write_log(crond_t) -') - -optional_policy(` - locallogin_search_keys(crond_t) - locallogin_link_keys(crond_t) -') - -optional_policy(` - mta_send_mail(crond_t) -') - -optional_policy(` - munin_search_lib(crond_t) -') - -optional_policy(` - postgresql_search_db(crond_t) -') - -optional_policy(` - rpc_search_nfs_state_data(crond_t) -') - -optional_policy(` - rpm_read_pipes(crond_t) -') - -optional_policy(` - seutil_sigchld_newrole(crond_t) -') - -optional_policy(` - udev_read_db(crond_t) -') - -######################################## -# -# System local policy -# - -allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; -allow system_cronjob_t self:process { signal_perms getsched setsched }; -allow system_cronjob_t self:fifo_file rw_fifo_file_perms; -allow system_cronjob_t self:passwd rootok; - -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(system_cronjob_t, cron_log_t, file) - -allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; -files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) - -allow system_cronjob_t cron_var_run_t:file manage_file_perms; -files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) - -manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) - -allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) - -manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) -manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) -filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) - -manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) - -allow system_cronjob_t crond_t:fd use; -allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms; -allow system_cronjob_t crond_t:process sigchld; - -allow system_cronjob_t cron_spool_t:dir list_dir_perms; -allow system_cronjob_t cron_spool_t:file rw_file_perms; - -kernel_read_kernel_sysctls(system_cronjob_t) -kernel_read_network_state(system_cronjob_t) -kernel_read_system_state(system_cronjob_t) -kernel_read_software_raid_state(system_cronjob_t) - -files_dontaudit_search_boot(system_cronjob_t) - -corecmd_exec_all_executables(system_cronjob_t) - -corenet_all_recvfrom_unlabeled(system_cronjob_t) -corenet_all_recvfrom_netlabel(system_cronjob_t) -corenet_tcp_sendrecv_generic_if(system_cronjob_t) -corenet_udp_sendrecv_generic_if(system_cronjob_t) -corenet_tcp_sendrecv_generic_node(system_cronjob_t) -corenet_udp_sendrecv_generic_node(system_cronjob_t) -corenet_tcp_sendrecv_all_ports(system_cronjob_t) -corenet_udp_sendrecv_all_ports(system_cronjob_t) - -dev_getattr_all_blk_files(system_cronjob_t) -dev_getattr_all_chr_files(system_cronjob_t) -dev_read_urand(system_cronjob_t) -dev_read_sysfs(system_cronjob_t) - -fs_getattr_all_fs(system_cronjob_t) -fs_getattr_all_files(system_cronjob_t) -fs_getattr_all_symlinks(system_cronjob_t) -fs_getattr_all_pipes(system_cronjob_t) -fs_getattr_all_sockets(system_cronjob_t) - -domain_dontaudit_read_all_domains_state(system_cronjob_t) - -files_exec_etc_files(system_cronjob_t) -files_read_etc_runtime_files(system_cronjob_t) -files_list_all(system_cronjob_t) -files_getattr_all_dirs(system_cronjob_t) -files_getattr_all_files(system_cronjob_t) -files_getattr_all_symlinks(system_cronjob_t) -files_getattr_all_pipes(system_cronjob_t) -files_getattr_all_sockets(system_cronjob_t) -files_read_usr_files(system_cronjob_t) -files_read_var_files(system_cronjob_t) -files_dontaudit_search_pids(system_cronjob_t) -files_manage_generic_spool(system_cronjob_t) -files_create_boot_flag(system_cronjob_t) - -mls_file_read_to_clearance(system_cronjob_t) - -init_use_script_fds(system_cronjob_t) -init_domtrans_script(system_cronjob_t) - -auth_use_nsswitch(system_cronjob_t) - -libs_exec_lib_files(system_cronjob_t) -libs_exec_ld_so(system_cronjob_t) - -logging_read_generic_logs(system_cronjob_t) -logging_send_audit_msgs(system_cronjob_t) -logging_send_syslog_msg(system_cronjob_t) - -miscfiles_read_localization(system_cronjob_t) - -seutil_read_config(system_cronjob_t) - -ifdef(`distro_redhat',` - optional_policy(` - rpm_manage_log(system_cronjob_t) - ') -') - -tunable_policy(`cron_can_relabel',` - seutil_domtrans_setfiles(system_cronjob_t) -',` - selinux_get_fs_mount(system_cronjob_t) - selinux_validate_context(system_cronjob_t) - selinux_compute_access_vector(system_cronjob_t) - selinux_compute_create_context(system_cronjob_t) - selinux_compute_relabel_context(system_cronjob_t) - selinux_compute_user_contexts(system_cronjob_t) - seutil_read_file_contexts(system_cronjob_t) -') - -optional_policy(` - apache_exec_modules(system_cronjob_t) - apache_read_config(system_cronjob_t) - apache_read_log(system_cronjob_t) - apache_read_sys_content(system_cronjob_t) -') - -optional_policy(` - cyrus_manage_data(system_cronjob_t) -') - -optional_policy(` - dbus_system_bus_client(system_cronjob_t) - - optional_policy(` - networkmanager_dbus_chat(system_cronjob_t) - ') -') - -optional_policy(` - exim_read_spool_files(system_cronjob_t) -') - -optional_policy(` - ftp_read_log(system_cronjob_t) -') - -optional_policy(` - inn_manage_log(system_cronjob_t) - inn_manage_pid(system_cronjob_t) - inn_read_config(system_cronjob_t) -') - -optional_policy(` - livecd_read_tmp_files(system_cronjob_t) -') - -optional_policy(` - lpd_list_spool(system_cronjob_t) -') - -optional_policy(` - mrtg_append_create_logs(system_cronjob_t) -') - -optional_policy(` - mta_read_config(system_cronjob_t) - mta_send_mail(system_cronjob_t) -') - -optional_policy(` - mysql_read_config(system_cronjob_t) -') - -optional_policy(` - postfix_read_config(system_cronjob_t) -') - -optional_policy(` - prelink_delete_cache(system_cronjob_t) - prelink_manage_lib(system_cronjob_t) - prelink_manage_log(system_cronjob_t) - prelink_read_cache(system_cronjob_t) - prelink_relabelfrom_lib(system_cronjob_t) -') - -optional_policy(` - samba_read_config(system_cronjob_t) - samba_read_log(system_cronjob_t) -') - -optional_policy(` - spamassassin_manage_lib_files(system_cronjob_t) -') - -optional_policy(` - sysstat_manage_log(system_cronjob_t) -') - -optional_policy(` - userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) -') - -######################################## -# -# Cronjob local policy -# - -allow cronjob_t self:process { signal_perms setsched }; -allow cronjob_t self:fifo_file rw_fifo_file_perms; -allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -allow cronjob_t self:unix_dgram_socket create_socket_perms; - -kernel_read_system_state(cronjob_t) -kernel_read_kernel_sysctls(cronjob_t) - -files_dontaudit_search_boot(cronjob_t) - -corenet_all_recvfrom_unlabeled(cronjob_t) -corenet_all_recvfrom_netlabel(cronjob_t) -corenet_tcp_sendrecv_generic_if(cronjob_t) -corenet_udp_sendrecv_generic_if(cronjob_t) -corenet_tcp_sendrecv_generic_node(cronjob_t) -corenet_udp_sendrecv_generic_node(cronjob_t) -corenet_tcp_sendrecv_all_ports(cronjob_t) -corenet_udp_sendrecv_all_ports(cronjob_t) - -corenet_sendrecv_all_client_packets(cronjob_t) -corenet_tcp_connect_all_ports(cronjob_t) - -corecmd_exec_all_executables(cronjob_t) - -dev_read_urand(cronjob_t) - -fs_getattr_all_fs(cronjob_t) - -domain_dontaudit_read_all_domains_state(cronjob_t) -domain_dontaudit_getattr_all_domains(cronjob_t) - -files_exec_etc_files(cronjob_t) -files_read_etc_runtime_files(cronjob_t) -files_read_var_files(cronjob_t) -files_read_usr_files(cronjob_t) -files_search_spool(cronjob_t) -files_dontaudit_search_pids(cronjob_t) - -libs_exec_lib_files(cronjob_t) -libs_exec_ld_so(cronjob_t) - -logging_search_logs(cronjob_t) - -seutil_read_config(cronjob_t) - -miscfiles_read_localization(cronjob_t) - -userdom_manage_user_tmp_files(cronjob_t) -userdom_manage_user_tmp_symlinks(cronjob_t) -userdom_manage_user_tmp_pipes(cronjob_t) -userdom_manage_user_tmp_sockets(cronjob_t) -userdom_exec_user_home_content_files(cronjob_t) -userdom_manage_user_home_content_files(cronjob_t) -userdom_manage_user_home_content_symlinks(cronjob_t) -userdom_manage_user_home_content_pipes(cronjob_t) -userdom_manage_user_home_content_sockets(cronjob_t) - -tunable_policy(`cron_userdomain_transition',` - dontaudit cronjob_t crond_t:fd use; - dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms; - dontaudit cronjob_t crond_t:process sigchld; - - dontaudit cronjob_t user_cron_spool_t:file entrypoint; -',` - allow cronjob_t crond_t:fd use; - allow cronjob_t crond_t:fifo_file rw_fifo_file_perms; - allow cronjob_t crond_t:process sigchld; - - allow cronjob_t user_cron_spool_t:file entrypoint; -') - -optional_policy(` - nis_use_ypbind(cronjob_t) -') - -######################################## -# -# Unconfined local policy -# - -optional_policy(` - type unconfined_cronjob_t; - domain_type(unconfined_cronjob_t) - domain_cron_exemption_target(unconfined_cronjob_t) - - dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; - - unconfined_domain(unconfined_cronjob_t) - - tunable_policy(`cron_userdomain_transition',` - dontaudit crond_t unconfined_cronjob_t:process transition; - dontaudit crond_t unconfined_cronjob_t:fd use; - dontaudit crond_t unconfined_cronjob_t:key manage_key_perms; - ',` - allow crond_t unconfined_cronjob_t:process transition; - allow crond_t unconfined_cronjob_t:fd use; - allow crond_t unconfined_cronjob_t:key manage_key_perms; - ') -') diff --git a/policy/modules/contrib/ctdb.fc b/policy/modules/contrib/ctdb.fc deleted file mode 100644 index 8401fe6f..00000000 --- a/policy/modules/contrib/ctdb.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0) - -/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) - -/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) - -/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) -/var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) - -/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) - -/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) diff --git a/policy/modules/contrib/ctdb.if b/policy/modules/contrib/ctdb.if deleted file mode 100644 index b25b01d1..00000000 --- a/policy/modules/contrib/ctdb.if +++ /dev/null @@ -1,85 +0,0 @@ -## <summary>Clustered Database based on Samba Trivial Database.</summary> - -######################################## -## <summary> -## Create, read, write, and delete -## ctdbd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ctdbd_manage_lib_files',` - gen_require(` - type ctdbd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) -') - -####################################### -## <summary> -## Connect to ctdbd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ctdbd_stream_connect',` - gen_require(` - type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ctdb environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ctdb_admin',` - gen_require(` - type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t; - type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; - ') - - allow $1 ctdbd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ctdbd_t) - - init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ctdbd_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, ctdbd_log_t) - - files_search_tmp($1) - admin_pattern($1, ctdbd_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, ctdbd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, ctdbd_var_run_t) -') diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te deleted file mode 100644 index 6ce66e72..00000000 --- a/policy/modules/contrib/ctdb.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(ctdb, 1.0.3) - -######################################## -# -# Declarations -# - -type ctdbd_t; -type ctdbd_exec_t; -init_daemon_domain(ctdbd_t, ctdbd_exec_t) - -type ctdbd_initrc_exec_t; -init_script_file(ctdbd_initrc_exec_t) - -type ctdbd_log_t; -logging_log_file(ctdbd_log_t) - -type ctdbd_spool_t; -files_type(ctdbd_spool_t) - -type ctdbd_tmp_t; -files_tmp_file(ctdbd_tmp_t) - -type ctdbd_var_lib_t; -files_type(ctdbd_var_lib_t) - -type ctdbd_var_run_t; -files_pid_file(ctdbd_var_run_t) - -######################################## -# -# Local policy -# - -allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; -allow ctdbd_t self:process { setpgid signal_perms setsched }; -allow ctdbd_t self:fifo_file rw_fifo_file_perms; -allow ctdbd_t self:unix_stream_socket { accept connectto listen }; -allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; -allow ctdbd_t self:packet_socket create_socket_perms; -allow ctdbd_t self:tcp_socket create_stream_socket_perms; - -append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -setattr_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -logging_log_filetrans(ctdbd_t, ctdbd_log_t, file) - -manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t) -manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t) -files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file }) - -manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) -manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) -manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) -files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) - -exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) -manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) -manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) -files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) - -manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) -manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) -files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) - -kernel_read_network_state(ctdbd_t) -kernel_read_system_state(ctdbd_t) -kernel_rw_net_sysctls(ctdbd_t) - -corenet_all_recvfrom_unlabeled(ctdbd_t) -corenet_all_recvfrom_netlabel(ctdbd_t) -corenet_tcp_sendrecv_generic_if(ctdbd_t) -corenet_tcp_sendrecv_generic_node(ctdbd_t) -corenet_tcp_bind_generic_node(ctdbd_t) - -corenet_sendrecv_ctdb_server_packets(ctdbd_t) -corenet_tcp_bind_ctdb_port(ctdbd_t) -corenet_tcp_sendrecv_ctdb_port(ctdbd_t) - -corecmd_exec_bin(ctdbd_t) -corecmd_exec_shell(ctdbd_t) - -dev_read_sysfs(ctdbd_t) -dev_read_urand(ctdbd_t) - -domain_dontaudit_read_all_domains_state(ctdbd_t) - -files_read_etc_files(ctdbd_t) -files_search_all_mountpoints(ctdbd_t) - -logging_send_syslog_msg(ctdbd_t) - -miscfiles_read_localization(ctdbd_t) -miscfiles_read_public_files(ctdbd_t) - -optional_policy(` - consoletype_exec(ctdbd_t) -') - -optional_policy(` - hostname_exec(ctdbd_t) -') - -optional_policy(` - iptables_domtrans(ctdbd_t) -') - -optional_policy(` - samba_initrc_domtrans(ctdbd_t) - samba_domtrans_net(ctdbd_t) - samba_rw_var_files(ctdbd_t) -') - -optional_policy(` - sysnet_domtrans_ifconfig(ctdbd_t) -') diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc deleted file mode 100644 index 949011ec..00000000 --- a/policy/modules/contrib/cups.fc +++ /dev/null @@ -1,77 +0,0 @@ -/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) - -/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) - -/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) - -/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - -/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) - -/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) -/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - -/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - -/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) -/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0) - -/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) - -/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) - -/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) - -/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) - -/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) -/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) -/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) -/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if deleted file mode 100644 index 06da9a08..00000000 --- a/policy/modules/contrib/cups.if +++ /dev/null @@ -1,360 +0,0 @@ -## <summary>Common UNIX printing system.</summary> - -######################################## -## <summary> -## Create a domain which can be -## started by cupsd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="entry_point"> -## <summary> -## Type of the program to be used as an entry point to this domain. -## </summary> -## </param> -# -interface(`cups_backend',` - gen_require(` - type cupsd_t; - ') - - domain_type($1) - domain_entry_file($1, $2) - role system_r types $1; - - domtrans_pattern(cupsd_t, $2, $1) - allow cupsd_t $1:process signal; - allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; - - cups_read_config($1) - cups_append_log($1) -') - -######################################## -## <summary> -## Execute cups in the cups domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cups_domtrans',` - gen_require(` - type cupsd_t, cupsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cupsd_exec_t, cupsd_t) -') - -######################################## -## <summary> -## Connect to cupsd over an unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cups_stream_connect',` - gen_require(` - type cupsd_t, cupsd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) -') - -######################################## -## <summary> -## Connect to cups over TCP. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cups_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Send and receive messages from -## cups over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cups_dbus_chat',` - gen_require(` - type cupsd_t; - class dbus send_msg; - ') - - allow $1 cupsd_t:dbus send_msg; - allow cupsd_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Read cups PID files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cups_read_pid_files',` - gen_require(` - type cupsd_var_run_t; - ') - - files_search_pids($1) - allow $1 cupsd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Execute cups_config in the -## cups config domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cups_domtrans_config',` - gen_require(` - type cupsd_config_t, cupsd_config_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t) -') - -######################################## -## <summary> -## Send generic signals to the cups -## configuration daemon. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cups_signal_config',` - gen_require(` - type cupsd_config_t; - ') - - allow $1 cupsd_config_t:process signal; -') - -######################################## -## <summary> -## Send and receive messages from -## cupsd_config over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cups_dbus_chat_config',` - gen_require(` - type cupsd_config_t; - class dbus send_msg; - ') - - allow $1 cupsd_config_t:dbus send_msg; - allow cupsd_config_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Read cups configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cups_read_config',` - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t }) -') - -######################################## -## <summary> -## Read cups-writable configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cups_read_rw_config',` - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) -') - -######################################## -## <summary> -## Read cups log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cups_read_log',` - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - allow $1 cupsd_log_t:file read_file_perms; -') - -######################################## -## <summary> -## Append cups log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cups_append_log',` - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, cupsd_log_t, cupsd_log_t) -') - -######################################## -## <summary> -## Write cups log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cups_write_log',` - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - allow $1 cupsd_log_t:file write_file_perms; -') - -######################################## -## <summary> -## Connect to ptal over an unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cups_stream_connect_ptal',` - gen_require(` - type ptal_t, ptal_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an cups environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cups_admin',` - gen_require(` - type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; - type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; - type cupsd_config_var_run_t, cupsd_lpd_var_run_t; - type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t; - type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; - type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; - type hplip_t, ptal_t; - ') - - allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms }; - allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t }) - ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t }) - - init_labeled_script_domtrans($1, cupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cupsd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t }) - - logging_list_logs($1) - admin_pattern($1, cupsd_log_t) - - files_list_spool($1) - admin_pattern($1, cupsd_spool_t) - - files_list_tmp($1) - admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) - - files_list_pids($1) - admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t }) - admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t }) -') diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te deleted file mode 100644 index 9f34c2e2..00000000 --- a/policy/modules/contrib/cups.te +++ /dev/null @@ -1,771 +0,0 @@ -policy_module(cups, 1.15.9) - -######################################## -# -# Declarations -# - -type cupsd_config_t; -type cupsd_config_exec_t; -init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) - -type cupsd_config_var_run_t; -files_pid_file(cupsd_config_var_run_t) - -type cupsd_t; -type cupsd_exec_t; -init_daemon_domain(cupsd_t, cupsd_exec_t) -mls_trusted_object(cupsd_t) - -type cupsd_etc_t; -files_config_file(cupsd_etc_t) - -type cupsd_initrc_exec_t; -init_script_file(cupsd_initrc_exec_t) - -type cupsd_interface_t; -files_type(cupsd_interface_t) - -type cupsd_rw_etc_t; -files_config_file(cupsd_rw_etc_t) - -type cupsd_lock_t; -files_lock_file(cupsd_lock_t) - -type cupsd_log_t; -logging_log_file(cupsd_log_t) - -type cupsd_lpd_t; -type cupsd_lpd_exec_t; -domain_type(cupsd_lpd_t) -domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) -role system_r types cupsd_lpd_t; - -type cupsd_lpd_tmp_t; -files_tmp_file(cupsd_lpd_tmp_t) - -type cupsd_lpd_var_run_t; -files_pid_file(cupsd_lpd_var_run_t) - -type cups_pdf_t; -type cups_pdf_exec_t; -cups_backend(cups_pdf_t, cups_pdf_exec_t) - -type cups_pdf_tmp_t; -files_tmp_file(cups_pdf_tmp_t) - -type cupsd_tmp_t; -files_tmp_file(cupsd_tmp_t) - -type cupsd_var_run_t; -files_pid_file(cupsd_var_run_t) -init_daemon_run_dir(cupsd_var_run_t, "cups") -mls_trusted_object(cupsd_var_run_t) - -type hplip_t; -type hplip_exec_t; -init_daemon_domain(hplip_t, hplip_exec_t) -cups_backend(hplip_t, hplip_exec_t) - -type hplip_etc_t; -files_config_file(hplip_etc_t) - -type hplip_tmp_t; -files_tmp_file(hplip_tmp_t) - -type hplip_var_lib_t; -files_type(hplip_var_lib_t) - -type hplip_var_run_t; -files_pid_file(hplip_var_run_t) - -type ptal_t; -type ptal_exec_t; -init_daemon_domain(ptal_t, ptal_exec_t) - -type ptal_etc_t; -files_config_file(ptal_etc_t) - -type ptal_var_run_t; -files_pid_file(ptal_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) -') - -######################################## -# -# Cups local policy -# - -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:capability2 block_suspend; -allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; -allow cupsd_t self:fifo_file rw_fifo_file_perms; -allow cupsd_t self:unix_stream_socket { accept connectto listen }; -allow cupsd_t self:netlink_selinux_socket create_socket_perms; -allow cupsd_t self:shm create_shm_perms; -allow cupsd_t self:sem create_sem_perms; -allow cupsd_t self:tcp_socket { accept listen }; -allow cupsd_t self:appletalk_socket create_socket_perms; - -allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -allow cupsd_t cupsd_etc_t:file setattr_file_perms; -read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) -read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) - -manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) - -manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) - -allow cupsd_t cupsd_exec_t:dir search_dir_perms; -allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; - -allow cupsd_t cupsd_lock_t:file manage_file_perms; -files_lock_filetrans(cupsd_t, cupsd_lock_t, file) - -manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) - -manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) -manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) -manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) -files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) - -manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file }) - -allow cupsd_t hplip_t:process { signal sigkill }; - -read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) - -allow cupsd_t hplip_var_run_t:file read_file_perms; - -stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; - -can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) - -kernel_read_system_state(cupsd_t) -kernel_read_network_state(cupsd_t) -kernel_read_all_sysctls(cupsd_t) -kernel_request_load_module(cupsd_t) - -corenet_all_recvfrom_unlabeled(cupsd_t) -corenet_all_recvfrom_netlabel(cupsd_t) -corenet_tcp_sendrecv_generic_if(cupsd_t) -corenet_udp_sendrecv_generic_if(cupsd_t) -corenet_raw_sendrecv_generic_if(cupsd_t) -corenet_tcp_sendrecv_generic_node(cupsd_t) -corenet_udp_sendrecv_generic_node(cupsd_t) -corenet_raw_sendrecv_generic_node(cupsd_t) -corenet_tcp_sendrecv_all_ports(cupsd_t) -corenet_udp_sendrecv_all_ports(cupsd_t) -corenet_tcp_bind_generic_node(cupsd_t) -corenet_udp_bind_generic_node(cupsd_t) - -corenet_sendrecv_all_server_packets(cupsd_t) -corenet_sendrecv_all_client_packets(cupsd_t) -corenet_tcp_bind_ipp_port(cupsd_t) -corenet_udp_bind_ipp_port(cupsd_t) -corenet_udp_bind_howl_port(cupsd_t) -corenet_tcp_bind_reserved_port(cupsd_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) -corenet_tcp_bind_all_rpc_ports(cupsd_t) -corenet_tcp_connect_all_ports(cupsd_t) - -corecmd_exec_bin(cupsd_t) -corecmd_exec_shell(cupsd_t) - -dev_rw_printer(cupsd_t) -dev_read_urand(cupsd_t) -dev_read_sysfs(cupsd_t) -dev_rw_input_dev(cupsd_t) -dev_rw_generic_usb_dev(cupsd_t) -dev_rw_usbfs(cupsd_t) -dev_getattr_printer_dev(cupsd_t) - -domain_read_all_domains_state(cupsd_t) -domain_use_interactive_fds(cupsd_t) - -files_getattr_boot_dirs(cupsd_t) -files_list_spool(cupsd_t) -files_read_etc_runtime_files(cupsd_t) -files_read_usr_files(cupsd_t) -files_exec_usr_files(cupsd_t) -# for /var/lib/defoma -files_read_var_lib_files(cupsd_t) -files_list_world_readable(cupsd_t) -files_read_world_readable_files(cupsd_t) -files_read_world_readable_symlinks(cupsd_t) -files_read_var_files(cupsd_t) -files_read_var_symlinks(cupsd_t) -files_write_generic_pid_pipes(cupsd_t) -files_dontaudit_getattr_all_tmp_files(cupsd_t) -files_dontaudit_list_home(cupsd_t) -# for /etc/printcap -files_dontaudit_write_etc_files(cupsd_t) - -fs_getattr_all_fs(cupsd_t) -fs_search_auto_mountpoints(cupsd_t) -fs_search_fusefs(cupsd_t) -fs_read_anon_inodefs_files(cupsd_t) - -mls_fd_use_all_levels(cupsd_t) -mls_file_downgrade(cupsd_t) -mls_file_write_all_levels(cupsd_t) -mls_file_read_all_levels(cupsd_t) -mls_rangetrans_target(cupsd_t) -mls_socket_write_all_levels(cupsd_t) - -term_search_ptys(cupsd_t) -term_use_unallocated_ttys(cupsd_t) - -selinux_compute_access_vector(cupsd_t) -selinux_validate_context(cupsd_t) - -init_exec_script_files(cupsd_t) -init_read_utmp(cupsd_t) - -auth_domtrans_chk_passwd(cupsd_t) -auth_dontaudit_read_pam_pid(cupsd_t) -auth_rw_faillog(cupsd_t) -auth_use_nsswitch(cupsd_t) - -libs_read_lib_files(cupsd_t) -libs_exec_lib_files(cupsd_t) - -logging_send_audit_msgs(cupsd_t) -logging_send_syslog_msg(cupsd_t) - -miscfiles_read_localization(cupsd_t) -miscfiles_read_fonts(cupsd_t) -miscfiles_setattr_fonts_cache_dirs(cupsd_t) - -seutil_read_config(cupsd_t) - -sysnet_exec_ifconfig(cupsd_t) - -userdom_dontaudit_use_unpriv_user_fds(cupsd_t) -userdom_dontaudit_search_user_home_content(cupsd_t) - -optional_policy(` - apm_domtrans_client(cupsd_t) -') - -optional_policy(` - cron_system_entry(cupsd_t, cupsd_exec_t) -') - -optional_policy(` - dbus_system_bus_client(cupsd_t) - - userdom_dbus_send_all_users(cupsd_t) - - optional_policy(` - avahi_dbus_chat(cupsd_t) - ') - - optional_policy(` - hal_dbus_chat(cupsd_t) - ') - - optional_policy(` - unconfined_dbus_chat(cupsd_t) - ') -') - -optional_policy(` - hostname_exec(cupsd_t) -') - -optional_policy(` - inetd_core_service_domain(cupsd_t, cupsd_exec_t) -') - -optional_policy(` - kerberos_manage_host_rcache(cupsd_t) - kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0") -') - -optional_policy(` - logrotate_domtrans(cupsd_t) -') - -optional_policy(` - lpd_exec_lpr(cupsd_t) - lpd_manage_spool(cupsd_t) - lpd_read_config(cupsd_t) - lpd_relabel_spool(cupsd_t) -') - -optional_policy(` - mta_send_mail(cupsd_t) -') - -optional_policy(` - samba_read_config(cupsd_t) - samba_rw_var_files(cupsd_t) - samba_stream_connect_nmbd(cupsd_t) -') - -optional_policy(` - seutil_sigchld_newrole(cupsd_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(cupsd_t) -') - -optional_policy(` - udev_read_db(cupsd_t) -') - -optional_policy(` - virt_rw_all_image_chr_files(cupsd_t) -') - -######################################## -# -# Configuration daemon local policy -# - -allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid }; -dontaudit cupsd_config_t self:capability sys_tty_config; -allow cupsd_config_t self:process { getsched signal_perms }; -allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -allow cupsd_config_t self:tcp_socket { accept listen }; - -allow cupsd_config_t cupsd_t:process signal; -ps_process_pattern(cupsd_config_t, cupsd_t) - -manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) -manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) -filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) - -manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) -manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) -files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file) - -allow cupsd_config_t cupsd_log_t:file { append_file_perms read_file_perms }; - -manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) - -allow cupsd_config_t cupsd_var_run_t:file read_file_perms; - -manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) -manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) -files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) - -read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) - -stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) - -can_exec(cupsd_config_t, cupsd_config_exec_t) - -domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) - -kernel_read_system_state(cupsd_config_t) -kernel_read_all_sysctls(cupsd_config_t) - -corenet_all_recvfrom_unlabeled(cupsd_config_t) -corenet_all_recvfrom_netlabel(cupsd_config_t) -corenet_tcp_sendrecv_generic_if(cupsd_config_t) -corenet_tcp_sendrecv_generic_node(cupsd_config_t) -corenet_tcp_sendrecv_all_ports(cupsd_config_t) - -corenet_sendrecv_all_client_packets(cupsd_config_t) -corenet_tcp_connect_all_ports(cupsd_config_t) - -corecmd_exec_bin(cupsd_config_t) -corecmd_exec_shell(cupsd_config_t) - -dev_read_sysfs(cupsd_config_t) -dev_read_urand(cupsd_config_t) -dev_read_rand(cupsd_config_t) -dev_rw_generic_usb_dev(cupsd_config_t) - -files_read_etc_runtime_files(cupsd_config_t) -files_read_usr_files(cupsd_config_t) -files_read_var_symlinks(cupsd_config_t) -files_search_all_mountpoints(cupsd_config_t) - -fs_getattr_all_fs(cupsd_config_t) -fs_search_auto_mountpoints(cupsd_config_t) - -domain_use_interactive_fds(cupsd_config_t) -domain_dontaudit_search_all_domains_state(cupsd_config_t) - -init_getattr_all_script_files(cupsd_config_t) - -auth_use_nsswitch(cupsd_config_t) - -logging_send_syslog_msg(cupsd_config_t) - -miscfiles_read_localization(cupsd_config_t) -miscfiles_read_hwdata(cupsd_config_t) - -seutil_dontaudit_search_config(cupsd_config_t) - -userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) -userdom_dontaudit_search_user_home_dirs(cupsd_config_t) -userdom_read_all_users_state(cupsd_config_t) -userdom_read_user_tmp_symlinks(cupsd_config_t) -userdom_rw_user_tmp_files(cupsd_config_t) - -optional_policy(` - term_use_generic_ptys(cupsd_config_t) -') - -optional_policy(` - cron_system_entry(cupsd_config_t, cupsd_config_exec_t) -') - -optional_policy(` - dbus_system_domain(cupsd_config_t, cupsd_config_exec_t) - - optional_policy(` - hal_dbus_chat(cupsd_config_t) - ') - - optional_policy(` - policykit_dbus_chat(cupsd_config_t) - ') -') - -optional_policy(` - hal_domtrans(cupsd_config_t) - hal_read_tmp_files(cupsd_config_t) - hal_dontaudit_use_fds(hplip_t) -') - -optional_policy(` - hostname_exec(cupsd_config_t) -') - -optional_policy(` - logrotate_use_fds(cupsd_config_t) -') - -optional_policy(` - lpd_read_config(cupsd_config_t) -') - -optional_policy(` - rpm_read_db(cupsd_config_t) -') - -optional_policy(` - seutil_sigchld_newrole(cupsd_config_t) -') - -optional_policy(` - udev_read_db(cupsd_config_t) -') - -optional_policy(` - unconfined_stream_connect(cupsd_config_t) -') - -######################################## -# -# Lpd local policy -# - -allow cupsd_lpd_t self:capability { setuid setgid }; -allow cupsd_lpd_t self:process signal_perms; -allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; -allow cupsd_lpd_t self:tcp_socket { accept listen }; -allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - -allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:file read_file_perms; -allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) -manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) -files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { dir file }) - -manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t) -files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file) - -stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) - -kernel_read_kernel_sysctls(cupsd_lpd_t) -kernel_read_system_state(cupsd_lpd_t) -kernel_read_network_state(cupsd_lpd_t) - -corenet_all_recvfrom_unlabeled(cupsd_lpd_t) -corenet_all_recvfrom_netlabel(cupsd_lpd_t) -corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) -corenet_tcp_sendrecv_generic_node(cupsd_lpd_t) - -corenet_sendrecv_ipp_client_packets(cupsd_lpd_t) -corenet_tcp_connect_ipp_port(cupsd_lpd_t) -corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) - -dev_read_urand(cupsd_lpd_t) -dev_read_rand(cupsd_lpd_t) - -fs_getattr_xattr_fs(cupsd_lpd_t) - -files_search_home(cupsd_lpd_t) - -auth_use_nsswitch(cupsd_lpd_t) - -logging_send_syslog_msg(cupsd_lpd_t) - -miscfiles_read_localization(cupsd_lpd_t) -miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) - -optional_policy(` - inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) -') - -######################################## -# -# Pdf local policy -# - -allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; -allow cups_pdf_t self:fifo_file rw_fifo_file_perms; -allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; - -append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -setattr_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) - -manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { dir file }) - -fs_rw_anon_inodefs_files(cups_pdf_t) -fs_search_auto_mountpoints(cups_pdf_t) - -kernel_read_system_state(cups_pdf_t) - -files_read_usr_files(cups_pdf_t) - -corecmd_exec_bin(cups_pdf_t) -corecmd_exec_shell(cups_pdf_t) - -auth_use_nsswitch(cups_pdf_t) - -miscfiles_read_localization(cups_pdf_t) -miscfiles_read_fonts(cups_pdf_t) -miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) - -userdom_manage_user_home_content_dirs(cups_pdf_t) -userdom_manage_user_home_content_files(cups_pdf_t) -userdom_home_filetrans_user_home_dir(cups_pdf_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(cups_pdf_t) - fs_manage_nfs_files(cups_pdf_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') - -optional_policy(` - lpd_manage_spool(cups_pdf_t) -') - -######################################## -# -# HPLIP local policy -# - -allow hplip_t self:capability { dac_override dac_read_search net_raw }; -dontaudit hplip_t self:capability sys_tty_config; -allow hplip_t self:fifo_file rw_fifo_file_perms; -allow hplip_t self:process signal_perms; -allow hplip_t self:tcp_socket { accept listen }; -allow hplip_t self:rawip_socket create_socket_perms; - -allow hplip_t cupsd_etc_t:dir search_dir_perms; - -manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) -manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) -files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file }) - -allow hplip_t hplip_etc_t:dir list_dir_perms; -allow hplip_t hplip_etc_t:file read_file_perms; -allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms; - -manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) -manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) - -manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) -files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) - -manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) -files_pid_filetrans(hplip_t, hplip_var_run_t, file) - -stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) - -kernel_read_system_state(hplip_t) -kernel_read_kernel_sysctls(hplip_t) - -corenet_all_recvfrom_unlabeled(hplip_t) -corenet_all_recvfrom_netlabel(hplip_t) -corenet_tcp_sendrecv_generic_if(hplip_t) -corenet_udp_sendrecv_generic_if(hplip_t) -corenet_raw_sendrecv_generic_if(hplip_t) -corenet_tcp_sendrecv_generic_node(hplip_t) -corenet_udp_sendrecv_generic_node(hplip_t) -corenet_raw_sendrecv_generic_node(hplip_t) -corenet_tcp_sendrecv_all_ports(hplip_t) -corenet_udp_sendrecv_all_ports(hplip_t) -corenet_tcp_bind_generic_node(hplip_t) -corenet_udp_bind_generic_node(hplip_t) - -corenet_sendrecv_hplip_client_packets(hplip_t) -corenet_receive_hplip_server_packets(hplip_t) -corenet_tcp_bind_hplip_port(hplip_t) -corenet_tcp_connect_hplip_port(hplip_t) - -corenet_sendrecv_ipp_client_packets(hplip_t) -corenet_tcp_connect_ipp_port(hplip_t) - -corenet_sendrecv_howl_server_packets(hplip_t) -corenet_udp_bind_howl_port(hplip_t) - -corecmd_exec_bin(hplip_t) - -dev_read_sysfs(hplip_t) -dev_rw_printer(hplip_t) -dev_read_urand(hplip_t) -dev_read_rand(hplip_t) -dev_rw_generic_usb_dev(hplip_t) -dev_rw_usbfs(hplip_t) - -domain_use_interactive_fds(hplip_t) - -files_read_etc_files(hplip_t) -files_read_etc_runtime_files(hplip_t) -files_read_usr_files(hplip_t) - -fs_getattr_all_fs(hplip_t) -fs_search_auto_mountpoints(hplip_t) -fs_rw_anon_inodefs_files(hplip_t) - -logging_send_syslog_msg(hplip_t) - -miscfiles_read_localization(hplip_t) - -sysnet_dns_name_resolve(hplip_t) - -userdom_dontaudit_use_unpriv_user_fds(hplip_t) -userdom_dontaudit_search_user_home_dirs(hplip_t) -userdom_dontaudit_search_user_home_content(hplip_t) - -optional_policy(` - dbus_system_bus_client(hplip_t) - - optional_policy(` - userdom_dbus_send_all_users(hplip_t) - ') -') - -optional_policy(` - lpd_read_config(hplip_t) - lpd_manage_spool(hplip_t) -') - -optional_policy(` - seutil_sigchld_newrole(hplip_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(hplip_t) -') - -optional_policy(` - udev_read_db(hplip_t) -') - -######################################## -# -# PTAL local policy -# - -allow ptal_t self:capability { chown sys_rawio }; -dontaudit ptal_t self:capability sys_tty_config; -allow ptal_t self:fifo_file rw_fifo_file_perms; -allow ptal_t self:unix_stream_socket { accept listen }; -allow ptal_t self:tcp_socket create_stream_socket_perms; - -allow ptal_t ptal_etc_t:dir list_dir_perms; -read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) -read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) - -manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(ptal_t) -kernel_list_proc(ptal_t) -kernel_read_proc_symlinks(ptal_t) - -corenet_all_recvfrom_unlabeled(ptal_t) -corenet_all_recvfrom_netlabel(ptal_t) -corenet_tcp_sendrecv_generic_if(ptal_t) -corenet_tcp_sendrecv_generic_node(ptal_t) -corenet_tcp_bind_generic_node(ptal_t) - -corenet_sendrecv_ptal_server_packets(ptal_t) -corenet_tcp_bind_ptal_port(ptal_t) -corenet_tcp_sendrecv_ptal_port(ptal_t) - -dev_read_sysfs(ptal_t) -dev_read_usbfs(ptal_t) -dev_rw_printer(ptal_t) - -domain_use_interactive_fds(ptal_t) - -files_read_etc_files(ptal_t) -files_read_etc_runtime_files(ptal_t) - -fs_getattr_all_fs(ptal_t) -fs_search_auto_mountpoints(ptal_t) - -logging_send_syslog_msg(ptal_t) - -miscfiles_read_localization(ptal_t) - -sysnet_read_config(ptal_t) - -userdom_dontaudit_use_unpriv_user_fds(ptal_t) -userdom_dontaudit_search_user_home_content(ptal_t) - -optional_policy(` - seutil_sigchld_newrole(ptal_t) -') - -optional_policy(` - udev_read_db(ptal_t) -') diff --git a/policy/modules/contrib/cvs.fc b/policy/modules/contrib/cvs.fc deleted file mode 100644 index 75c8be90..00000000 --- a/policy/modules/contrib/cvs.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0) - -/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) - -/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0) - -/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) - -/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) - -/var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0) - -/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if deleted file mode 100644 index 9fa7ffbf..00000000 --- a/policy/modules/contrib/cvs.if +++ /dev/null @@ -1,81 +0,0 @@ -## <summary>Concurrent versions system.</summary> - -######################################## -## <summary> -## Read CVS data and metadata content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cvs_read_data',` - gen_require(` - type cvs_data_t; - ') - - list_dirs_pattern($1, cvs_data_t, cvs_data_t) - read_files_pattern($1, cvs_data_t, cvs_data_t) - read_lnk_files_pattern($1, cvs_data_t, cvs_data_t) -') - -######################################## -## <summary> -## Execute cvs in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cvs_exec',` - gen_require(` - type cvs_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, cvs_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an cvs environment -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cvs_admin',` - gen_require(` - type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; - type cvs_data_t, cvs_var_run_t; - ') - - allow $1 cvs_t:process { ptrace signal_perms }; - ps_process_pattern($1, cvs_t) - - init_labeled_script_domtrans($1, cvs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cvs_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, cvs_tmp_t) - - files_search_usr($1) - admin_pattern($1, cvs_data_t) - - files_list_pids($1) - admin_pattern($1, cvs_var_run_t) -') diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te deleted file mode 100644 index 53fc3af5..00000000 --- a/policy/modules/contrib/cvs.te +++ /dev/null @@ -1,106 +0,0 @@ -policy_module(cvs, 1.9.1) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether cvs can read shadow -## password files. -## </p> -## </desc> -gen_tunable(allow_cvs_read_shadow, false) - -type cvs_t; -type cvs_exec_t; -inetd_tcp_service_domain(cvs_t, cvs_exec_t) -application_executable_file(cvs_exec_t) - -type cvs_data_t; # customizable -files_type(cvs_data_t) - -type cvs_initrc_exec_t; -init_script_file(cvs_initrc_exec_t) - -type cvs_tmp_t; -files_tmp_file(cvs_tmp_t) - -type cvs_var_run_t; -files_pid_file(cvs_var_run_t) - -######################################## -# -# Local policy -# - -allow cvs_t self:capability { setuid setgid }; -allow cvs_t self:process signal_perms; -allow cvs_t self:fifo_file rw_fifo_file_perms; -allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - -manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) -manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) -manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) - -manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) -manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) -files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file }) - -manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t) -files_pid_filetrans(cvs_t, cvs_var_run_t, file) - -kernel_read_kernel_sysctls(cvs_t) -kernel_read_system_state(cvs_t) -kernel_read_network_state(cvs_t) - -corecmd_exec_bin(cvs_t) -corecmd_exec_shell(cvs_t) - -dev_read_urand(cvs_t) - -files_read_etc_runtime_files(cvs_t) -files_search_home(cvs_t) - -fs_getattr_xattr_fs(cvs_t) - -auth_domtrans_chk_passwd(cvs_t) -auth_use_nsswitch(cvs_t) - -init_read_utmp(cvs_t) - -logging_send_syslog_msg(cvs_t) -logging_send_audit_msgs(cvs_t) - -miscfiles_read_localization(cvs_t) - -mta_send_mail(cvs_t) - -userdom_dontaudit_search_user_home_dirs(cvs_t) - -# cjp: typeattribute doesnt work in conditionals yet -auth_can_read_shadow_passwords(cvs_t) -tunable_policy(`allow_cvs_read_shadow',` - allow cvs_t self:capability dac_override; - auth_tunable_read_shadow(cvs_t) -') - -optional_policy(` - kerberos_keytab_template(cvs, cvs_t) - kerberos_read_config(cvs_t) - kerberos_dontaudit_write_config(cvs_t) -') - -######################################## -# -# CVSWeb local policy -# - -optional_policy(` - apache_content_template(cvs) - - read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) - manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -') diff --git a/policy/modules/contrib/cyphesis.fc b/policy/modules/contrib/cyphesis.fc deleted file mode 100644 index 18135065..00000000 --- a/policy/modules/contrib/cyphesis.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/cyphesis -- gen_context(system_u:object_r:cyphesis_initrc_exec_t,s0) - -/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) - -/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0) - -/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0) diff --git a/policy/modules/contrib/cyphesis.if b/policy/modules/contrib/cyphesis.if deleted file mode 100644 index df8aa4aa..00000000 --- a/policy/modules/contrib/cyphesis.if +++ /dev/null @@ -1,61 +0,0 @@ -## <summary>Cyphesis WorldForge game server.</summary> - -######################################## -## <summary> -## Execute a domain transition to run cyphesis. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`cyphesis_domtrans',` - gen_require(` - type cyphesis_t, cyphesis_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cyphesis_exec_t, cyphesis_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an cyphesis environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cyphesis_admin',` - gen_require(` - type cyphesis_t, cyphesis_initrc_exec_t, cyphesis_log_t; - type cyphesis_var_run_t, cyphesis_tmp_t; - ') - - allow $1 cyphesis_t:process { ptrace signal_perms }; - ps_process_pattern($1, cyphesis_t) - - init_labeled_script_domtrans($1, cyphesis_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cyphesis_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, cyphesis_log_t) - - files_search_pids($1) - admin_pattern($1, cyphesis_var_run_t) - - files_search_tmp($1) - admin_pattern($1, cyphesis_tmp_t) -') diff --git a/policy/modules/contrib/cyphesis.te b/policy/modules/contrib/cyphesis.te deleted file mode 100644 index 916427f9..00000000 --- a/policy/modules/contrib/cyphesis.te +++ /dev/null @@ -1,87 +0,0 @@ -policy_module(cyphesis, 1.2.2) - -######################################## -# -# Declarations -# - -type cyphesis_t; -type cyphesis_exec_t; -init_daemon_domain(cyphesis_t, cyphesis_exec_t) -application_executable_file(cyphesis_exec_t) - -type cyphesis_initrc_exec_t; -init_script_file(cyphesis_initrc_exec_t) - -type cyphesis_log_t; -logging_log_file(cyphesis_log_t) - -type cyphesis_tmp_t; -files_tmp_file(cyphesis_tmp_t) - -type cyphesis_var_run_t; -files_pid_file(cyphesis_var_run_t) - -######################################## -# -# Local policy -# - -allow cyphesis_t self:process { setfscreate setsched signal }; -allow cyphesis_t self:fifo_file rw_fifo_file_perms; -allow cyphesis_t self:tcp_socket { accept listen }; -allow cyphesis_t self:unix_stream_socket { accept listen }; - -append_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t) -create_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t) -setattr_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t) -logging_log_filetrans(cyphesis_t, cyphesis_log_t, file) - -manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, dir) - -kernel_read_system_state(cyphesis_t) -kernel_read_kernel_sysctls(cyphesis_t) - -corecmd_search_bin(cyphesis_t) -corecmd_getattr_bin_files(cyphesis_t) - -corenet_all_recvfrom_unlabeled(cyphesis_t) -corenet_tcp_sendrecv_generic_if(cyphesis_t) -corenet_tcp_sendrecv_generic_node(cyphesis_t) -corenet_tcp_bind_generic_node(cyphesis_t) - -corenet_sendrecv_cyphesis_server_packets(cyphesis_t) -corenet_tcp_bind_cyphesis_port(cyphesis_t) -corenet_tcp_sendrecv_cyphesis_port(cyphesis_t) - -dev_read_urand(cyphesis_t) - -domain_use_interactive_fds(cyphesis_t) - -files_read_etc_files(cyphesis_t) -files_read_usr_files(cyphesis_t) - -logging_send_syslog_msg(cyphesis_t) - -miscfiles_read_localization(cyphesis_t) - -sysnet_dns_name_resolve(cyphesis_t) - -optional_policy(` - dbus_system_bus_client(cyphesis_t) - - optional_policy(` - avahi_dbus_chat(cyphesis_t) - ') -') - -optional_policy(` - kerberos_use(cyphesis_t) -') - -optional_policy(` - postgresql_stream_connect(cyphesis_t) -') diff --git a/policy/modules/contrib/cyrus.fc b/policy/modules/contrib/cyrus.fc deleted file mode 100644 index ca70600f..00000000 --- a/policy/modules/contrib/cyrus.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/rc\.d/init\.d/cyrus.* -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) - -/usr/lib/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0) -/usr/lib/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) - -/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) - -/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) - -/var/run/cyrus.* gen_context(system_u:object_r:cyrus_var_run_t,s0) diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if deleted file mode 100644 index 6508280b..00000000 --- a/policy/modules/contrib/cyrus.if +++ /dev/null @@ -1,82 +0,0 @@ -## <summary>Cyrus is an IMAP service intended to be run on sealed servers.</summary> - -######################################## -## <summary> -## Create, read, write, and delete -## cyrus data files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cyrus_manage_data',` - gen_require(` - type cyrus_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) -') - -######################################## -## <summary> -## Connect to Cyrus using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`cyrus_stream_connect',` - gen_require(` - type cyrus_t, cyrus_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an cyrus environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`cyrus_admin',` - gen_require(` - type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t; - type cyrus_var_run_t, cyrus_initrc_exec_t; - ') - - allow $1 cyrus_t:process { ptrace signal_perms }; - ps_process_pattern($1, cyrus_t) - - init_labeled_script_domtrans($1, cyrus_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cyrus_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, cyrus_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, cyrus_var_lib_t) - - files_list_pids($1) - admin_pattern($1, cyrus_var_run_t) -') diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te deleted file mode 100644 index 395f97c9..00000000 --- a/policy/modules/contrib/cyrus.te +++ /dev/null @@ -1,138 +0,0 @@ -policy_module(cyrus, 1.12.2) - -######################################## -# -# Declarations -# - -type cyrus_t; -type cyrus_exec_t; -init_daemon_domain(cyrus_t, cyrus_exec_t) - -type cyrus_initrc_exec_t; -init_script_file(cyrus_initrc_exec_t) - -type cyrus_tmp_t; -files_tmp_file(cyrus_tmp_t) - -type cyrus_var_lib_t; -files_type(cyrus_var_lib_t) - -type cyrus_var_run_t; -files_pid_file(cyrus_var_run_t) - -######################################## -# -# Local policy -# - -allow cyrus_t self:capability { dac_override setgid setuid sys_resource }; -dontaudit cyrus_t self:capability sys_tty_config; -allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow cyrus_t self:process setrlimit; -allow cyrus_t self:fd use; -allow cyrus_t self:fifo_file rw_fifo_file_perms; -allow cyrus_t self:sock_file read_sock_file_perms; -allow cyrus_t self:shm create_shm_perms; -allow cyrus_t self:sem create_sem_perms; -allow cyrus_t self:msgq create_msgq_perms; -allow cyrus_t self:msg { send receive }; -allow cyrus_t self:unix_dgram_socket sendto; -allow cyrus_t self:unix_stream_socket { accept connectto listen }; -allow cyrus_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) -manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) -files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file }) - -manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) - -manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) -manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) -files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(cyrus_t) -kernel_read_system_state(cyrus_t) -kernel_read_all_sysctls(cyrus_t) - -corenet_all_recvfrom_unlabeled(cyrus_t) -corenet_all_recvfrom_netlabel(cyrus_t) -corenet_tcp_sendrecv_generic_if(cyrus_t) -corenet_tcp_sendrecv_generic_node(cyrus_t) -corenet_tcp_sendrecv_all_ports(cyrus_t) -corenet_tcp_bind_generic_node(cyrus_t) - -corenet_sendrecv_mail_server_packets(cyrus_t) -corenet_tcp_bind_mail_port(cyrus_t) - -corenet_sendrecv_lmtp_server_packets(cyrus_t) -corenet_tcp_bind_lmtp_port(cyrus_t) - -corenet_sendrecv_pop_server_packets(cyrus_t) -corenet_tcp_bind_pop_port(cyrus_t) - -corenet_sendrecv_sieve_server_packets(cyrus_t) -corenet_tcp_bind_sieve_port(cyrus_t) - -corenet_sendrecv_all_client_packets(cyrus_t) -corenet_tcp_connect_all_ports(cyrus_t) - -corecmd_exec_bin(cyrus_t) - -dev_read_rand(cyrus_t) -dev_read_urand(cyrus_t) -dev_read_sysfs(cyrus_t) - -domain_use_interactive_fds(cyrus_t) - -files_list_var_lib(cyrus_t) -files_read_etc_runtime_files(cyrus_t) -files_read_usr_files(cyrus_t) -files_dontaudit_write_usr_dirs(cyrus_t) - -fs_getattr_all_fs(cyrus_t) -fs_search_auto_mountpoints(cyrus_t) - -auth_use_nsswitch(cyrus_t) - -libs_exec_lib_files(cyrus_t) - -logging_send_syslog_msg(cyrus_t) - -miscfiles_read_localization(cyrus_t) -miscfiles_read_generic_certs(cyrus_t) - -userdom_use_unpriv_users_fds(cyrus_t) -userdom_dontaudit_search_user_home_dirs(cyrus_t) - -mta_manage_spool(cyrus_t) -mta_send_mail(cyrus_t) - -optional_policy(` - cron_system_entry(cyrus_t, cyrus_exec_t) -') - -optional_policy(` - kerberos_keytab_template(cyrus, cyrus_t) -') - -optional_policy(` - sasl_connect(cyrus_t) -') - -optional_policy(` - seutil_sigchld_newrole(cyrus_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(cyrus_t) - snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) - snmp_stream_connect(cyrus_t) -') - -optional_policy(` - udev_read_db(cyrus_t) -') diff --git a/policy/modules/contrib/daemontools.fc b/policy/modules/contrib/daemontools.fc deleted file mode 100644 index d5574cdc..00000000 --- a/policy/modules/contrib/daemontools.fc +++ /dev/null @@ -1,41 +0,0 @@ -/service -d gen_context(system_u:object_r:svc_svc_t,s0) -/service/.* gen_context(system_u:object_r:svc_svc_t,s0) - -/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/envuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/multilog -- gen_context(system_u:object_r:svc_multilog_exec_t,s0) -/usr/bin/pgrphack -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/setuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/softlimit -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/svscanboot -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/supervise -- gen_context(system_u:object_r:svc_start_exec_t,s0) - -/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/axfrdns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) - -/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) -/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) - -/var/qmail/supervise(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) - -/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0) -/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) -/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0) -/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0) - -/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/tinydns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) diff --git a/policy/modules/contrib/daemontools.if b/policy/modules/contrib/daemontools.if deleted file mode 100644 index 3b3d9a0b..00000000 --- a/policy/modules/contrib/daemontools.if +++ /dev/null @@ -1,220 +0,0 @@ -## <summary>Collection of tools for managing UNIX services.</summary> - -######################################## -## <summary> -## An ipc channel between the -## supervised domain and svc_start_t. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`daemontools_ipc_domain',` - gen_require(` - type svc_start_t; - ') - - allow $1 svc_start_t:process sigchld; - allow $1 svc_start_t:fd use; - allow $1 svc_start_t:fifo_file rw_fifo_file_perms; - allow svc_start_t $1:process signal; -') - -######################################## -## <summary> -## Create a domain which can be -## started by daemontools. -## </summary> -## <param name="domain"> -## <summary> -## Type to be used as a domain. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## Type of the program to be used as an entry point to this domain. -## </summary> -## </param> -# -interface(`daemontools_service_domain',` - gen_require(` - type svc_run_t; - ') - - domain_auto_trans(svc_run_t, $2, $1) - daemontools_ipc_domain($1) - - allow svc_run_t $1:process signal; - allow $1 svc_run_t:fd use; -') - -######################################## -## <summary> -## Execute svc start in the svc -## start domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`daemontools_domtrans_start',` - gen_require(` - type svc_start_t, svc_start_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, svc_start_exec_t, svc_start_t) -') - -###################################### -## <summary> -## Execute svc start in the svc -## start domain, and allow the -## specified role the svc start domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`daemonstools_run_start',` - gen_require(` - attribute_role svc_start_roles; - ') - - daemontools_domtrans_start($1) - roleattribute $2 svc_start_roles; -') - -######################################## -## <summary> -## Execute avc run in the svc run domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`daemontools_domtrans_run',` - gen_require(` - type svc_run_t, svc_run_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, svc_run_exec_t, svc_run_t) -') - -###################################### -## <summary> -## Send child terminated signals -## to svc run. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`daemontools_sigchld_run',` - gen_require(` - type svc_run_t; - ') - - allow $1 svc_run_t:process sigchld; -') - -######################################## -## <summary> -## Execute avc multilog in the svc -## multilog domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`daemontools_domtrans_multilog',` - gen_require(` - type svc_multilog_t, svc_multilog_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t) -') - -###################################### -## <summary> -## Search svc svc directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`daemontools_search_svc_dir',` - gen_require(` - type svc_svc_t; - ') - - files_search_var($1) - allow $1 svc_svc_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read svc avc files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`daemontools_read_svc',` - gen_require(` - type svc_svc_t; - ') - - files_search_var($1) - allow $1 svc_svc_t:dir list_dir_perms; - allow $1 svc_svc_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write and delete -## svc svc content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`daemontools_manage_svc',` - gen_require(` - type svc_svc_t; - ') - - files_search_var($1) - allow $1 svc_svc_t:dir manage_dir_perms; - allow $1 svc_svc_t:fifo_file manage_fifo_file_perms; - allow $1 svc_svc_t:file manage_file_perms; - allow $1 svc_svc_t:lnk_file manage_lnk_file_perms; -') diff --git a/policy/modules/contrib/daemontools.te b/policy/modules/contrib/daemontools.te deleted file mode 100644 index 01659623..00000000 --- a/policy/modules/contrib/daemontools.te +++ /dev/null @@ -1,127 +0,0 @@ -policy_module(daemontools, 1.2.1) - -######################################## -# -# Declarations -# - -attribute_role svc_start_roles; -roleattribute system_r svc_start_roles; - -type svc_conf_t; -files_config_file(svc_conf_t) - -type svc_log_t; -files_type(svc_log_t) - -type svc_multilog_t; -type svc_multilog_exec_t; -application_domain(svc_multilog_t, svc_multilog_exec_t) -role system_r types svc_multilog_t; - -type svc_run_t; -type svc_run_exec_t; -application_domain(svc_run_t, svc_run_exec_t) -role system_r types svc_run_t; - -type svc_start_t; -type svc_start_exec_t; -init_domain(svc_start_t, svc_start_exec_t) -init_system_domain(svc_start_t, svc_start_exec_t) -role svc_start_roles types svc_start_t; - -type svc_svc_t; -files_type(svc_svc_t) - -######################################## -# -# Multilog local policy -# - -manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) - -allow svc_multilog_t svc_start_t:process sigchld; -allow svc_multilog_t svc_start_t:fd use; -allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms; - -init_use_fds(svc_multilog_t) - -logging_manage_generic_logs(svc_multilog_t) - -######################################## -# -# local policy for binaries that impose -# a given environment to supervised daemons -# ie. softlimit, setuidgid, envuidgid, envdir, fghack .. -# - -allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource }; -allow svc_run_t self:process setrlimit; -allow svc_run_t self:fifo_file rw_fifo_file_perms; -allow svc_run_t self:unix_stream_socket create_stream_socket_perms; - -allow svc_run_t svc_conf_t:dir list_dir_perms; -allow svc_run_t svc_conf_t:file read_file_perms; - -allow svc_run_t svc_svc_t:dir list_dir_perms; -allow svc_run_t svc_svc_t:file read_file_perms; - -can_exec(svc_run_t, svc_run_exec_t) - -domtrans_pattern(svc_run_t, svc_multilog_exec_t, svc_multilog_t) - -kernel_read_system_state(svc_run_t) - -dev_read_urand(svc_run_t) - -corecmd_exec_bin(svc_run_t) -corecmd_exec_shell(svc_run_t) - -files_read_etc_files(svc_run_t) -files_read_etc_runtime_files(svc_run_t) -files_search_pids(svc_run_t) -files_search_var_lib(svc_run_t) - -init_use_script_fds(svc_run_t) -init_use_fds(svc_run_t) - -optional_policy(` - qmail_read_config(svc_run_t) -') - -######################################## -# -# local policy for service monitoring programs -# ie svc, svscan, supervise ... -# - -allow svc_start_t self:capability kill; -allow svc_start_t self:fifo_file rw_fifo_file_perms; -allow svc_start_t self:tcp_socket create_stream_socket_perms; - -allow svc_start_t svc_svc_t:dir manage_dir_perms; -allow svc_start_t svc_svc_t:fifo_file manage_fifo_file_perms; -allow svc_start_t svc_svc_t:file manage_file_perms; -allow svc_start_t svc_svc_t:lnk_file manage_lnk_file_perms; - -allow svc_start_t svc_multilog_t:process signal; -allow svc_start_t svc_run_t:process { signal setrlimit }; - -can_exec(svc_start_t, svc_start_exec_t) - -domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t) - -kernel_read_kernel_sysctls(svc_start_t) -kernel_read_system_state(svc_start_t) - -corecmd_exec_bin(svc_start_t) -corecmd_exec_shell(svc_start_t) - -files_read_etc_files(svc_start_t) -files_read_etc_runtime_files(svc_start_t) -files_search_var(svc_start_t) -files_search_pids(svc_start_t) - -logging_send_syslog_msg(svc_start_t) - -miscfiles_read_localization(svc_start_t) diff --git a/policy/modules/contrib/dante.fc b/policy/modules/contrib/dante.fc deleted file mode 100644 index 89021858..00000000 --- a/policy/modules/contrib/dante.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/rc\.d/init\.d/danted -- gen_context(system_u:object_r:dante_initrc_exec_t,s0) - -/etc/danted\.conf -- gen_context(system_u:object_r:dante_conf_t,s0) -/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0) - -/usr/sbin/danted -- gen_context(system_u:object_r:dante_exec_t,s0) -/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0) - -/var/run/danted\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0) -/var/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0) diff --git a/policy/modules/contrib/dante.if b/policy/modules/contrib/dante.if deleted file mode 100644 index e7091772..00000000 --- a/policy/modules/contrib/dante.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Dante msproxy and socks4/5 proxy server.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an dante environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dante_admin',` - gen_require(` - type dante_t, dante_conf_t, dante_var_run_t; - type dante_initrc_exec_t; - ') - - allow $1 dante_t:process { ptrace signal_perms }; - ps_process_pattern($1, dante_t) - - init_labeled_script_domtrans($1, dante_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dante_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, dante_conf_t) - - files_search_pids($1) - admin_pattern($1, dante_var_run_t) -') diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te deleted file mode 100644 index 98a2d6a9..00000000 --- a/policy/modules/contrib/dante.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(dante, 1.8.2) - -######################################## -# -# Declarations -# - -type dante_t; -type dante_exec_t; -init_daemon_domain(dante_t, dante_exec_t) - -type dante_initrc_exec_t; -init_script_file(dante_initrc_exec_t) - -type dante_conf_t; -files_config_file(dante_conf_t) - -type dante_var_run_t; -files_pid_file(dante_var_run_t) - -######################################## -# -# Local policy -# - -allow dante_t self:capability { setuid setgid }; -dontaudit dante_t self:capability sys_tty_config; -allow dante_t self:process signal_perms; -allow dante_t self:fifo_file rw_fifo_file_perms; -allow dante_t self:tcp_socket { accept listen }; - -allow dante_t dante_conf_t:dir list_dir_perms; -allow dante_t dante_conf_t:file read_file_perms; - -manage_files_pattern(dante_t, dante_var_run_t, dante_var_run_t) -files_pid_filetrans(dante_t, dante_var_run_t, file) - -kernel_read_kernel_sysctls(dante_t) -kernel_list_proc(dante_t) -kernel_read_proc_symlinks(dante_t) - -corenet_all_recvfrom_unlabeled(dante_t) -corenet_all_recvfrom_netlabel(dante_t) -corenet_tcp_sendrecv_generic_if(dante_t) -corenet_tcp_sendrecv_generic_node(dante_t) -corenet_tcp_bind_generic_node(dante_t) - -corenet_sendrecv_socks_server_packets(dante_t) -corenet_tcp_bind_socks_port(dante_t) -corenet_tcp_sendrecv_socks_port(dante_t) - -dev_read_sysfs(dante_t) - -domain_use_interactive_fds(dante_t) - -files_read_etc_files(dante_t) -files_read_etc_runtime_files(dante_t) - -fs_getattr_all_fs(dante_t) -fs_search_auto_mountpoints(dante_t) - -init_write_utmp(dante_t) - -logging_send_syslog_msg(dante_t) - -miscfiles_read_localization(dante_t) - -sysnet_dns_name_resolve(dante_t) - -userdom_dontaudit_use_unpriv_user_fds(dante_t) -userdom_dontaudit_search_user_home_dirs(dante_t) - -optional_policy(` - seutil_sigchld_newrole(dante_t) -') - -optional_policy(` - udev_read_db(dante_t) -') diff --git a/policy/modules/contrib/dbadm.fc b/policy/modules/contrib/dbadm.fc deleted file mode 100644 index e6aa2fba..00000000 --- a/policy/modules/contrib/dbadm.fc +++ /dev/null @@ -1 +0,0 @@ -# No dbadm file contexts diff --git a/policy/modules/contrib/dbadm.if b/policy/modules/contrib/dbadm.if deleted file mode 100644 index d9ed6511..00000000 --- a/policy/modules/contrib/dbadm.if +++ /dev/null @@ -1,50 +0,0 @@ -## <summary>Database administrator role.</summary> - -######################################## -## <summary> -## Change to the database administrator role. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dbadm_role_change',` - gen_require(` - role dbadm_r; - ') - - allow $1 dbadm_r; -') - -######################################## -## <summary> -## Change from the database administrator role. -## </summary> -## <desc> -## <p> -## Change from the database administrator role to -## the specified role. -## </p> -## <p> -## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -## </p> -## </desc> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dbadm_role_change_to',` - gen_require(` - role dbadm_r; - ') - - allow dbadm_r $1; -') diff --git a/policy/modules/contrib/dbadm.te b/policy/modules/contrib/dbadm.te deleted file mode 100644 index a67870a1..00000000 --- a/policy/modules/contrib/dbadm.te +++ /dev/null @@ -1,62 +0,0 @@ -policy_module(dbadm, 1.0.1) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether dbadm can manage -## generic user files. -## </p> -## </desc> -gen_tunable(dbadm_manage_user_files, false) - -## <desc> -## <p> -## Determine whether dbadm can read -## generic user files. -## </p> -## </desc> -gen_tunable(dbadm_read_user_files, false) - -role dbadm_r; - -userdom_base_user_template(dbadm) - -######################################## -# -# Local policy -# - -allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; - -files_dontaudit_search_all_dirs(dbadm_t) -files_delete_generic_locks(dbadm_t) -files_list_var(dbadm_t) - -selinux_get_enforce_mode(dbadm_t) - -logging_send_syslog_msg(dbadm_t) - -userdom_dontaudit_search_user_home_dirs(dbadm_t) - -tunable_policy(`dbadm_manage_user_files',` - userdom_manage_user_home_content_files(dbadm_t) - userdom_read_user_tmp_files(dbadm_t) - userdom_write_user_tmp_files(dbadm_t) -') - -tunable_policy(`dbadm_read_user_files',` - userdom_read_user_home_content_files(dbadm_t) - userdom_read_user_tmp_files(dbadm_t) -') - -optional_policy(` - mysql_admin(dbadm_t, dbadm_r) -') - -optional_policy(` - postgresql_admin(dbadm_t, dbadm_r) -') diff --git a/policy/modules/contrib/dbskk.fc b/policy/modules/contrib/dbskk.fc deleted file mode 100644 index 7af25903..00000000 --- a/policy/modules/contrib/dbskk.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0) diff --git a/policy/modules/contrib/dbskk.if b/policy/modules/contrib/dbskk.if deleted file mode 100644 index 9e710048..00000000 --- a/policy/modules/contrib/dbskk.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>Dictionary server for the SKK Japanese input method system.</summary> diff --git a/policy/modules/contrib/dbskk.te b/policy/modules/contrib/dbskk.te deleted file mode 100644 index 188e2e61..00000000 --- a/policy/modules/contrib/dbskk.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(dbskk, 1.5.1) - -######################################## -# -# Declarations -# - -type dbskkd_t; -type dbskkd_exec_t; -inetd_service_domain(dbskkd_t, dbskkd_exec_t) -role system_r types dbskkd_t; - -type dbskkd_tmp_t; -files_tmp_file(dbskkd_tmp_t) - -type dbskkd_var_run_t; -files_pid_file(dbskkd_var_run_t) - -######################################## -# -# Local policy -# - -allow dbskkd_t self:process signal_perms; -allow dbskkd_t self:fifo_file rw_fifo_file_perms; -allow dbskkd_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t) -manage_files_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t) -files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir }) - -manage_files_pattern(dbskkd_t, dbskkd_var_run_t, dbskkd_var_run_t) -files_pid_filetrans(dbskkd_t, dbskkd_var_run_t, file) - -kernel_read_kernel_sysctls(dbskkd_t) -kernel_read_system_state(dbskkd_t) -kernel_read_network_state(dbskkd_t) - -corenet_all_recvfrom_unlabeled(dbskkd_t) -corenet_all_recvfrom_netlabel(dbskkd_t) -corenet_tcp_sendrecv_generic_if(dbskkd_t) -corenet_udp_sendrecv_generic_if(dbskkd_t) -corenet_tcp_sendrecv_generic_node(dbskkd_t) -corenet_udp_sendrecv_generic_node(dbskkd_t) -corenet_tcp_sendrecv_all_ports(dbskkd_t) -corenet_udp_sendrecv_all_ports(dbskkd_t) - -dev_read_urand(dbskkd_t) - -fs_getattr_xattr_fs(dbskkd_t) - -files_read_etc_files(dbskkd_t) - -auth_use_nsswitch(dbskkd_t) - -logging_send_syslog_msg(dbskkd_t) - -miscfiles_read_localization(dbskkd_t) diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc deleted file mode 100644 index dda905b9..00000000 --- a/policy/modules/contrib/dbus.fc +++ /dev/null @@ -1,20 +0,0 @@ -HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) - -/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) - -/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - -/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) - -/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if deleted file mode 100644 index 365194a8..00000000 --- a/policy/modules/contrib/dbus.if +++ /dev/null @@ -1,679 +0,0 @@ -## <summary>Desktop messaging bus.</summary> - -######################################## -## <summary> -## DBUS stub interface. No access allowed. -## </summary> -## <param name="domain" unused="true"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`dbus_stub',` - gen_require(` - type system_dbusd_t; - class dbus all_dbus_perms; - ') -') - -######################################## -## <summary> -## Role access for dbus. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role -## </summary> -## </param> -# -template(`dbus_role_template',` - gen_require(` - class dbus { send_msg acquire_svc }; - attribute session_bus_type; - type system_dbusd_t, dbusd_exec_t; - type session_dbusd_tmp_t, session_dbusd_home_t; - ') - - ############################## - # - # Declarations - # - - type $1_dbusd_t, session_bus_type; - domain_type($1_dbusd_t) - domain_entry_file($1_dbusd_t, dbusd_exec_t) - ubac_constrained($1_dbusd_t) - - role $2 types $1_dbusd_t; - - ############################## - # - # Local policy - # - - allow $3 $1_dbusd_t:unix_stream_socket connectto; - allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $3 $1_dbusd_t:fd use; - - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; - - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus") - - domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) - - ps_process_pattern($3, $1_dbusd_t) - allow $3 $1_dbusd_t:process { ptrace signal_perms }; - - allow $1_dbusd_t $3:process sigkill; - - corecmd_bin_domtrans($1_dbusd_t, $3) - corecmd_shell_domtrans($1_dbusd_t, $3) - - auth_use_nsswitch($1_dbusd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; - ') - - ifdef(`distro_gentoo',` - optional_policy(` - xdg_read_data_home_files($1_dbusd_t) - ') - ') -') - -####################################### -## <summary> -## Template for creating connections to -## the system bus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_system_bus_client',` - gen_require(` - attribute dbusd_system_bus_client; - type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t; - class dbus send_msg; - ') - - typeattribute $1 dbusd_system_bus_client; - - allow $1 { system_dbusd_t self }:dbus send_msg; - allow system_dbusd_t $1:dbus send_msg; - - files_search_var_lib($1) - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - - files_search_pids($1) - stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) - - dbus_read_config($1) -') - -####################################### -## <summary> -## Acquire service on DBUS -## session bus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_connect_session_bus',` - refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.') - dbus_connect_all_session_bus($1) -') - -####################################### -## <summary> -## Acquire service on all DBUS -## session busses. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_connect_all_session_bus',` - gen_require(` - attribute session_bus_type; - class dbus acquire_svc; - ') - - allow $1 session_bus_type:dbus acquire_svc; -') - -####################################### -## <summary> -## Acquire service on specified -## DBUS session bus. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_connect_spec_session_bus',` - gen_require(` - type $1_dbusd_t; - class dbus acquire_svc; - ') - - allow $2 $1_dbusd_t:dbus acquire_svc; -') - -####################################### -## <summary> -## Creating connections to DBUS -## session bus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_session_bus_client',` - refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.') - dbus_all_session_bus_client($1) -') - -####################################### -## <summary> -## Creating connections to all -## DBUS session busses. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_all_session_bus_client',` - gen_require(` - attribute session_bus_type, dbusd_session_bus_client; - class dbus send_msg; - ') - - typeattribute $1 dbusd_session_bus_client; - - allow $1 { session_bus_type self }:dbus send_msg; - allow session_bus_type $1:dbus send_msg; - - allow $1 session_bus_type:unix_stream_socket connectto; - allow $1 session_bus_type:fd use; -') - -####################################### -## <summary> -## Creating connections to specified -## DBUS session bus. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_spec_session_bus_client',` - gen_require(` - attribute dbusd_session_bus_client; - type $1_dbusd_t; - class dbus send_msg; - ') - - typeattribute $2 dbusd_session_bus_client; - - allow $2 { $1_dbusd_t self }:dbus send_msg; - allow $1_dbusd_t $2:dbus send_msg; - - allow $2 $1_dbusd_t:unix_stream_socket connectto; - allow $2 $1_dbusd_t:fd use; -') - -####################################### -## <summary> -## Send messages to DBUS session bus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_send_session_bus',` - refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.') - dbus_send_all_session_bus($1) -') - -####################################### -## <summary> -## Send messages to all DBUS -## session busses. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_send_all_session_bus',` - gen_require(` - attribute session_bus_type; - class dbus send_msg; - ') - - allow $1 dbus_session_bus_type:dbus send_msg; -') - -####################################### -## <summary> -## Send messages to specified -## DBUS session busses. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_send_spec_session_bus',` - gen_require(` - type $1_dbusd_t; - class dbus send_msg; - ') - - allow $2 $1_dbusd_t:dbus send_msg; -') - -######################################## -## <summary> -## Read dbus configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_read_config',` - gen_require(` - type dbusd_etc_t; - ') - - allow $1 dbusd_etc_t:dir list_dir_perms; - allow $1 dbusd_etc_t:file read_file_perms; -') - -######################################## -## <summary> -## Read system dbus lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_read_lib_files',` - gen_require(` - type system_dbusd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - - ifdef(`distro_gentoo',` - read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - ') -') - -######################################## -## <summary> -## Create, read, write, and delete -## system dbus lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_manage_lib_files',` - gen_require(` - type system_dbusd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) -') - -######################################## -## <summary> -## Allow a application domain to be -## started by the specified session bus. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Type to be used as a domain. -## </summary> -## </param> -## <param name="entry_point"> -## <summary> -## Type of the program to be used as an -## entry point to this domain. -## </summary> -## </param> -# -interface(`dbus_session_domain',` - refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.') - dbus_all_session_domain($1, $2) -') - -######################################## -## <summary> -## Allow a application domain to be -## started by the specified session bus. -## </summary> -## <param name="domain"> -## <summary> -## Type to be used as a domain. -## </summary> -## </param> -## <param name="entry_point"> -## <summary> -## Type of the program to be used as an -## entry point to this domain. -## </summary> -## </param> -# -interface(`dbus_all_session_domain',` - gen_require(` - type session_bus_type; - ') - - domtrans_pattern(session_bus_type, $2, $1) - - dbus_all_session_bus_client($1) - dbus_connect_all_session_bus($1) -') - -######################################## -## <summary> -## Allow a application domain to be -## started by the specified session bus. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Type to be used as a domain. -## </summary> -## </param> -## <param name="entry_point"> -## <summary> -## Type of the program to be used as an -## entry point to this domain. -## </summary> -## </param> -# -interface(`dbus_spec_session_domain',` - gen_require(` - type $1_dbusd_t; - ') - - domtrans_pattern($1_dbusd_t, $2, $3) - - dbus_spec_session_bus_client($1, $2) - dbus_connect_spec_session_bus($1, $2) -') - -######################################## -## <summary> -## Acquire service on the DBUS system bus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_connect_system_bus',` - gen_require(` - type system_dbusd_t; - class dbus acquire_svc; - ') - - allow $1 system_dbusd_t:dbus acquire_svc; -') - -######################################## -## <summary> -## Send messages to the DBUS system bus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_send_system_bus',` - gen_require(` - type system_dbusd_t; - class dbus send_msg; - ') - - allow $1 system_dbusd_t:dbus send_msg; -') - -######################################## -## <summary> -## Unconfined access to DBUS system bus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_system_bus_unconfined',` - gen_require(` - type system_dbusd_t; - class dbus all_dbus_perms; - ') - - allow $1 system_dbusd_t:dbus *; -') - -######################################## -## <summary> -## Create a domain for processes which -## can be started by the DBUS system bus. -## </summary> -## <param name="domain"> -## <summary> -## Type to be used as a domain. -## </summary> -## </param> -## <param name="entry_point"> -## <summary> -## Type of the program to be used as an entry point to this domain. -## </summary> -## </param> -# -interface(`dbus_system_domain',` - gen_require(` - type system_dbusd_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(system_dbusd_t, $2, $1) - - dbus_system_bus_client($1) - dbus_connect_system_bus($1) - - ps_process_pattern(system_dbusd_t, $1) - - userdom_read_all_users_state($1) - - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') -') - -######################################## -## <summary> -## Use and inherit DBUS system bus -## file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_use_system_bus_fds',` - gen_require(` - type system_dbusd_t; - ') - - allow $1 system_dbusd_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write DBUS system bus TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` - gen_require(` - type system_dbusd_t; - ') - - dontaudit $1 system_dbusd_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Unconfined access to DBUS. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dbus_unconfined',` - gen_require(` - attribute dbusd_unconfined; - ') - - typeattribute $1 dbusd_unconfined; -') - -######################################## -## <summary> -## Create resources in /run or /var/run with the system_dbusd_var_run_t -## label. This method is deprecated in favor of the init_daemon_run_dir -## call. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -## <param name="class"> -## <summary> -## Classes supported for the created resources -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## Optional file name used for the resource -## </summary> -## </param> -# -interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Create directories with the system_dbusd_var_run_t label -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`dbus_create_system_dbusd_var_run_dirs',` - gen_require(` - type system_dbusd_var_run_t; - ') - - create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -') - - diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te deleted file mode 100644 index 4b0cd4c6..00000000 --- a/policy/modules/contrib/dbus.te +++ /dev/null @@ -1,260 +0,0 @@ -policy_module(dbus, 1.18.8) - -gen_require(` - class dbus all_dbus_perms; -') - -######################################## -# -# Declarations -# - -attribute dbusd_unconfined; -attribute session_bus_type; - -attribute dbusd_system_bus_client; -attribute dbusd_session_bus_client; - -type dbusd_etc_t; -files_config_file(dbusd_etc_t) - -type dbusd_exec_t; -corecmd_executable_file(dbusd_exec_t) -typealias dbusd_exec_t alias system_dbusd_exec_t; - -type session_dbusd_home_t; -userdom_user_home_content(session_dbusd_home_t) - -type session_dbusd_tmp_t; -typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; -typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; -userdom_user_tmp_file(session_dbusd_tmp_t) - -type system_dbusd_t; -init_system_domain(system_dbusd_t, dbusd_exec_t) - -type system_dbusd_tmp_t; -files_tmp_file(system_dbusd_tmp_t) - -type system_dbusd_var_lib_t; -files_type(system_dbusd_var_lib_t) - -type system_dbusd_var_run_t; -files_pid_file(system_dbusd_var_run_t) -init_daemon_run_dir(system_dbusd_var_run_t, "dbus") - -ifdef(`enable_mcs',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) -') - -######################################## -# -# Local policy -# - -allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; -dontaudit system_dbusd_t self:capability sys_tty_config; -allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; -allow system_dbusd_t self:fifo_file rw_fifo_file_perms; -allow system_dbusd_t self:dbus { send_msg acquire_svc }; -allow system_dbusd_t self:unix_stream_socket { accept connectto listen }; -allow system_dbusd_t self:netlink_selinux_socket { create bind read }; - -allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; -read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) -read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) - -manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) -manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) -files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file }) - -read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - -manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file }) - -can_exec(system_dbusd_t, dbusd_exec_t) - -kernel_read_system_state(system_dbusd_t) -kernel_read_kernel_sysctls(system_dbusd_t) - -corecmd_list_bin(system_dbusd_t) -corecmd_read_bin_pipes(system_dbusd_t) -corecmd_read_bin_sockets(system_dbusd_t) -corecmd_exec_shell(system_dbusd_t) - -dev_read_urand(system_dbusd_t) -dev_read_sysfs(system_dbusd_t) - -domain_use_interactive_fds(system_dbusd_t) -domain_read_all_domains_state(system_dbusd_t) - -files_list_home(system_dbusd_t) -files_read_usr_files(system_dbusd_t) - -fs_getattr_all_fs(system_dbusd_t) -fs_list_inotifyfs(system_dbusd_t) -fs_search_auto_mountpoints(system_dbusd_t) -fs_search_cgroup_dirs(system_dbusd_t) -fs_dontaudit_list_nfs(system_dbusd_t) - -mls_fd_use_all_levels(system_dbusd_t) -mls_rangetrans_target(system_dbusd_t) -mls_file_read_all_levels(system_dbusd_t) -mls_socket_write_all_levels(system_dbusd_t) -mls_socket_read_to_clearance(system_dbusd_t) -mls_dbus_recv_all_levels(system_dbusd_t) - -selinux_get_fs_mount(system_dbusd_t) -selinux_validate_context(system_dbusd_t) -selinux_compute_access_vector(system_dbusd_t) -selinux_compute_create_context(system_dbusd_t) -selinux_compute_relabel_context(system_dbusd_t) -selinux_compute_user_contexts(system_dbusd_t) - -term_dontaudit_use_console(system_dbusd_t) - -auth_use_nsswitch(system_dbusd_t) -auth_read_pam_console_data(system_dbusd_t) - -init_use_fds(system_dbusd_t) -init_use_script_ptys(system_dbusd_t) -init_all_labeled_script_domtrans(system_dbusd_t) - -logging_send_audit_msgs(system_dbusd_t) -logging_send_syslog_msg(system_dbusd_t) - -miscfiles_read_localization(system_dbusd_t) -miscfiles_read_generic_certs(system_dbusd_t) - -seutil_read_config(system_dbusd_t) -seutil_read_default_contexts(system_dbusd_t) - -userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) -userdom_dontaudit_search_user_home_dirs(system_dbusd_t) - -ifdef(`distro_gentoo',` - optional_policy(` - cpufreqselector_dbus_chat(system_dbusd_t) - ') -') - -optional_policy(` - bluetooth_stream_connect(system_dbusd_t) -') - -optional_policy(` - policykit_read_lib(system_dbusd_t) -') - -optional_policy(` - seutil_sigchld_newrole(system_dbusd_t) -') - -optional_policy(` - udev_read_db(system_dbusd_t) -') - -######################################## -# -# Common session bus local policy -# - -dontaudit session_bus_type self:capability sys_resource; -allow session_bus_type self:process { getattr sigkill signal }; -dontaudit session_bus_type self:process { ptrace setrlimit }; -allow session_bus_type self:file { getattr read write }; -allow session_bus_type self:fifo_file rw_fifo_file_perms; -allow session_bus_type self:dbus { send_msg acquire_svc }; -allow session_bus_type self:unix_stream_socket { accept listen }; -allow session_bus_type self:tcp_socket { accept listen }; -allow session_bus_type self:netlink_selinux_socket create_socket_perms; - -allow session_bus_type dbusd_etc_t:dir list_dir_perms; -read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) -read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) - -manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t) -manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t) -userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus") - -manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) -manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) -files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) - -kernel_read_system_state(session_bus_type) -kernel_read_kernel_sysctls(session_bus_type) - -corecmd_list_bin(session_bus_type) -corecmd_read_bin_symlinks(session_bus_type) -corecmd_read_bin_files(session_bus_type) -corecmd_read_bin_pipes(session_bus_type) -corecmd_read_bin_sockets(session_bus_type) - -corenet_all_recvfrom_unlabeled(session_bus_type) -corenet_all_recvfrom_netlabel(session_bus_type) -corenet_tcp_sendrecv_generic_if(session_bus_type) -corenet_tcp_sendrecv_generic_node(session_bus_type) -corenet_tcp_sendrecv_all_ports(session_bus_type) -corenet_tcp_bind_generic_node(session_bus_type) - -corenet_sendrecv_all_server_packets(session_bus_type) -corenet_tcp_bind_reserved_port(session_bus_type) - -dev_read_urand(session_bus_type) - -domain_read_all_domains_state(session_bus_type) -domain_use_interactive_fds(session_bus_type) - -files_list_home(session_bus_type) -files_read_usr_files(session_bus_type) -files_dontaudit_search_var(session_bus_type) - -fs_getattr_romfs(session_bus_type) -fs_getattr_xattr_fs(session_bus_type) -fs_list_inotifyfs(session_bus_type) -fs_dontaudit_list_nfs(session_bus_type) - -selinux_get_fs_mount(session_bus_type) -selinux_validate_context(session_bus_type) -selinux_compute_access_vector(session_bus_type) -selinux_compute_create_context(session_bus_type) -selinux_compute_relabel_context(session_bus_type) -selinux_compute_user_contexts(session_bus_type) - -auth_read_pam_console_data(session_bus_type) - -logging_send_audit_msgs(session_bus_type) -logging_send_syslog_msg(session_bus_type) - -miscfiles_read_localization(session_bus_type) - -seutil_read_config(session_bus_type) -seutil_read_default_contexts(session_bus_type) - -term_use_all_terms(session_bus_type) - -ifdef(`distro_gentoo',` - optional_policy(` - hal_dbus_chat(session_bus_type) - ') -') - -optional_policy(` - xserver_use_xdm_fds(session_bus_type) - xserver_rw_xdm_pipes(session_bus_type) -') - -######################################## -# -# Unconfined access to this module -# - -allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg; -allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms; diff --git a/policy/modules/contrib/dcc.fc b/policy/modules/contrib/dcc.fc deleted file mode 100644 index 62d3c4e6..00000000 --- a/policy/modules/contrib/dcc.fc +++ /dev/null @@ -1,26 +0,0 @@ -/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) -/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - -/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0) -/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0) - -/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) -/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) -/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) -/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) - -/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) -/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) -/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) -/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) - -/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - -/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - -/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) -/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) -/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) diff --git a/policy/modules/contrib/dcc.if b/policy/modules/contrib/dcc.if deleted file mode 100644 index a5c21e0e..00000000 --- a/policy/modules/contrib/dcc.if +++ /dev/null @@ -1,178 +0,0 @@ -## <summary>Distributed checksum clearinghouse spam filtering.</summary> - -######################################## -## <summary> -## Execute cdcc in the cdcc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`dcc_domtrans_cdcc',` - gen_require(` - type cdcc_t, cdcc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cdcc_exec_t, cdcc_t) -') - -######################################## -## <summary> -## Execute cdcc in the cdcc domain, and -## allow the specified role the -## cdcc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dcc_run_cdcc',` - gen_require(` - attribute_role cdcc_roles; - ') - - dcc_domtrans_cdcc($1) - roleattribute $2 cdcc_roles; -') - -######################################## -## <summary> -## Execute dcc client in the dcc -## client domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`dcc_domtrans_client',` - gen_require(` - type dcc_client_t, dcc_client_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dcc_client_exec_t, dcc_client_t) -') - -######################################## -## <summary> -## Send generic signals to dcc client. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dcc_signal_client',` - gen_require(` - type dcc_client_t; - ') - - allow $1 dcc_client_t:process signal; -') - -######################################## -## <summary> -## Execute dcc client in the dcc -## client domain, and allow the -## specified role the dcc client domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dcc_run_client',` - gen_require(` - attribute_role dcc_client_roles; - ') - - dcc_domtrans_client($1) - roleattribute $2 dcc_client_roles; -') - -######################################## -## <summary> -## Execute dbclean in the dcc dbclean domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`dcc_domtrans_dbclean',` - gen_require(` - type dcc_dbclean_t, dcc_dbclean_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t) -') - -######################################## -## <summary> -## Execute dbclean in the dcc dbclean -## domain, and allow the specified -## role the dcc dbclean domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dcc_run_dbclean',` - gen_require(` - attribute_role dcc_dbclean_roles; - ') - - dcc_domtrans_dbclean($1) - roleattribute $2 dcc_dbclean_roles; -') - -######################################## -## <summary> -## Connect to dccifd over a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dcc_stream_connect_dccifd',` - gen_require(` - type dcc_var_t, dccifd_var_run_t, dccifd_t; - ') - - files_search_var($1) - stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) -') diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te deleted file mode 100644 index 15d908f5..00000000 --- a/policy/modules/contrib/dcc.te +++ /dev/null @@ -1,351 +0,0 @@ -policy_module(dcc, 1.11.1) - -######################################## -# -# Declarations -# - -attribute_role cdcc_roles; -roleattribute system_r cdcc_roles; - -attribute_role dcc_client_roles; -roleattribute system_r dcc_client_roles; - -attribute_role dcc_dbclean_roles; -roleattribute system_r dcc_dbclean_roles; - -type cdcc_t; -type cdcc_exec_t; -application_domain(cdcc_t, cdcc_exec_t) -role cdcc_roles types cdcc_t; - -type cdcc_tmp_t; -files_tmp_file(cdcc_tmp_t) - -type dcc_client_t; -type dcc_client_exec_t; -application_domain(dcc_client_t, dcc_client_exec_t) -role dcc_client_roles types dcc_client_t; - -type dcc_client_map_t; -files_type(dcc_client_map_t) - -type dcc_client_tmp_t; -files_tmp_file(dcc_client_tmp_t) - -type dcc_dbclean_t; -type dcc_dbclean_exec_t; -application_domain(dcc_dbclean_t, dcc_dbclean_exec_t) -role dcc_dbclean_roles types dcc_dbclean_t; - -type dcc_dbclean_tmp_t; -files_tmp_file(dcc_dbclean_tmp_t) - -type dcc_var_t; -files_type(dcc_var_t) - -type dcc_var_run_t; -files_type(dcc_var_run_t) - -type dccd_t; -type dccd_exec_t; -init_daemon_domain(dccd_t, dccd_exec_t) - -type dccd_tmp_t; -files_tmp_file(dccd_tmp_t) - -type dccd_var_run_t; -files_pid_file(dccd_var_run_t) - -type dccifd_t; -type dccifd_exec_t; -init_daemon_domain(dccifd_t, dccifd_exec_t) - -type dccifd_tmp_t; -files_tmp_file(dccifd_tmp_t) - -type dccifd_var_run_t; -files_pid_file(dccifd_var_run_t) - -type dccm_t; -type dccm_exec_t; -init_daemon_domain(dccm_t, dccm_exec_t) - -type dccm_tmp_t; -files_tmp_file(dccm_tmp_t) - -type dccm_var_run_t; -files_pid_file(dccm_var_run_t) - -######################################## -# -# Daemon controller local policy -# - -allow cdcc_t self:capability { setuid setgid }; - -manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) -manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) -files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir }) - -allow cdcc_t dcc_client_map_t:file rw_file_perms; - -allow cdcc_t dcc_var_t:dir list_dir_perms; -read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) -read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) - -files_read_etc_runtime_files(cdcc_t) - -auth_use_nsswitch(cdcc_t) - -logging_send_syslog_msg(cdcc_t) - -miscfiles_read_localization(cdcc_t) - -userdom_use_user_terminals(cdcc_t) - -######################################## -# -# Procmail interface local policy -# - -allow dcc_client_t self:capability { setuid setgid }; - -allow dcc_client_t dcc_client_map_t:file rw_file_perms; - -manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) -manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) -files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) - -allow dcc_client_t dcc_var_t:dir list_dir_perms; -manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) -read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) - -kernel_read_system_state(dcc_client_t) - -files_read_etc_runtime_files(dcc_client_t) - -fs_getattr_all_fs(dcc_client_t) - -auth_use_nsswitch(dcc_client_t) - -logging_send_syslog_msg(dcc_client_t) - -miscfiles_read_localization(dcc_client_t) - -userdom_use_user_terminals(dcc_client_t) - -optional_policy(` - amavis_read_spool_files(dcc_client_t) -') - -optional_policy(` - spamassassin_read_spamd_tmp_files(dcc_client_t) -') - -######################################## -# -# Database cleanup local policy -# - -allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms; - -manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t) -manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t) -files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir }) - -manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) - -kernel_read_system_state(dcc_dbclean_t) - -files_read_etc_runtime_files(dcc_dbclean_t) - -auth_use_nsswitch(dcc_dbclean_t) - -logging_send_syslog_msg(dcc_dbclean_t) - -miscfiles_read_localization(dcc_dbclean_t) - -userdom_use_user_terminals(dcc_dbclean_t) - -######################################## -# -# Server local policy -# - -allow dccd_t self:capability net_admin; -dontaudit dccd_t self:capability sys_tty_config; -allow dccd_t self:process signal_perms; - -allow dccd_t dcc_client_map_t:file rw_file_perms; - -allow dccd_t dcc_var_t:dir list_dir_perms; -read_files_pattern(dccd_t, dcc_var_t, dcc_var_t) -read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t) - -domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t) - -manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t) - -manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) -manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) -files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir }) - -manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) -manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) -files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) - -kernel_read_system_state(dccd_t) -kernel_read_kernel_sysctls(dccd_t) - -corenet_all_recvfrom_unlabeled(dccd_t) -corenet_all_recvfrom_netlabel(dccd_t) -corenet_udp_sendrecv_generic_if(dccd_t) -corenet_udp_sendrecv_generic_node(dccd_t) -corenet_udp_sendrecv_all_ports(dccd_t) -corenet_udp_bind_generic_node(dccd_t) - -corenet_udp_bind_dcc_port(dccd_t) -corenet_sendrecv_dcc_server_packets(dccd_t) - -corecmd_search_bin(dccd_t) - -dev_read_sysfs(dccd_t) - -domain_use_interactive_fds(dccd_t) - -files_read_etc_runtime_files(dccd_t) - -fs_getattr_all_fs(dccd_t) -fs_search_auto_mountpoints(dccd_t) - -auth_use_nsswitch(dccd_t) - -logging_send_syslog_msg(dccd_t) - -miscfiles_read_localization(dccd_t) - -userdom_dontaudit_use_unpriv_user_fds(dccd_t) -userdom_dontaudit_search_user_home_dirs(dccd_t) - -optional_policy(` - seutil_sigchld_newrole(dccd_t) -') - -optional_policy(` - udev_read_db(dccd_t) -') - -######################################## -# -# Spamassassin and general MTA persistent client local policy -# - -dontaudit dccifd_t self:capability sys_tty_config; -allow dccifd_t self:process signal_perms; -allow dccifd_t self:unix_stream_socket { accept listen }; - -allow dccifd_t dcc_client_map_t:file rw_file_perms; - -manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) - -manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t) -manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t) -files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir }) - -manage_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t) -manage_sock_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t) -filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file }) -files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) - -kernel_read_system_state(dccifd_t) -kernel_read_kernel_sysctls(dccifd_t) - -dev_read_sysfs(dccifd_t) - -domain_use_interactive_fds(dccifd_t) - -files_read_etc_runtime_files(dccifd_t) - -fs_getattr_all_fs(dccifd_t) -fs_search_auto_mountpoints(dccifd_t) - -auth_use_nsswitch(dccifd_t) - -logging_send_syslog_msg(dccifd_t) - -miscfiles_read_localization(dccifd_t) - -userdom_dontaudit_use_unpriv_user_fds(dccifd_t) -userdom_dontaudit_search_user_home_dirs(dccifd_t) - -optional_policy(` - seutil_sigchld_newrole(dccifd_t) -') - -optional_policy(` - udev_read_db(dccifd_t) -') - -######################################## -# -# Sendmail milter client local policy -# - -dontaudit dccm_t self:capability sys_tty_config; -allow dccm_t self:process signal_perms; -allow dccm_t self:unix_stream_socket { accept listen }; - -allow dccm_t dcc_client_map_t:file rw_file_perms; - -manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t) - -manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t) -manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t) -files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir }) - -manage_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t) -manage_sock_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t) -filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file }) -files_pid_filetrans(dccm_t, dccm_var_run_t, file) - -kernel_read_system_state(dccm_t) -kernel_read_kernel_sysctls(dccm_t) - -dev_read_sysfs(dccm_t) - -domain_use_interactive_fds(dccm_t) - -files_read_etc_runtime_files(dccm_t) - -fs_getattr_all_fs(dccm_t) -fs_search_auto_mountpoints(dccm_t) - -auth_use_nsswitch(dccm_t) - -logging_send_syslog_msg(dccm_t) - -miscfiles_read_localization(dccm_t) - -userdom_dontaudit_use_unpriv_user_fds(dccm_t) -userdom_dontaudit_search_user_home_dirs(dccm_t) - -optional_policy(` - seutil_sigchld_newrole(dccm_t) -') - -optional_policy(` - udev_read_db(dccm_t) -') diff --git a/policy/modules/contrib/ddclient.fc b/policy/modules/contrib/ddclient.fc deleted file mode 100644 index 13c0c4a1..00000000 --- a/policy/modules/contrib/ddclient.fc +++ /dev/null @@ -1,16 +0,0 @@ -/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) -/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) - -/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0) - -/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0) -/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0) - -/var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0) - -/var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0) - -/var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0) - -/var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) -/var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if deleted file mode 100644 index 5606b406..00000000 --- a/policy/modules/contrib/ddclient.if +++ /dev/null @@ -1,98 +0,0 @@ -## <summary>Update dynamic IP address at DynDNS.org.</summary> - -####################################### -## <summary> -## Execute ddclient in the ddclient domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ddclient_domtrans',` - gen_require(` - type ddclient_t, ddclient_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ddclient_exec_t, ddclient_t) -') - -######################################## -## <summary> -## Execute ddclient in the ddclient -## domain, and allow the specified -## role the ddclient domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ddclient_run',` - gen_require(` - attribute_role ddclient_roles; - ') - - ddclient_domtrans($1) - roleattribute $2 ddclient_roles; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ddclient environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ddclient_admin',` - gen_require(` - type ddclient_t, ddclient_etc_t, ddclient_log_t; - type ddclient_var_t, ddclient_var_lib_t, ddclient_tmp_t; - type ddclient_var_run_t, ddclient_initrc_exec_t; - ') - - allow $1 ddclient_t:process { ptrace signal_perms }; - ps_process_pattern($1, ddclient_t) - - init_labeled_script_domtrans($1, ddclient_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ddclient_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, ddclient_etc_t) - - logging_list_logs($1) - admin_pattern($1, ddclient_log_t) - - files_list_var($1) - admin_pattern($1, ddclient_var_t) - - files_list_var_lib($1) - admin_pattern($1, ddclient_var_lib_t) - - files_list_pids($1) - admin_pattern($1, ddclient_var_run_t) - - files_list_tmp($1) - admin_pattern($1, ddclient_tmp_t) -') diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te deleted file mode 100644 index 0b4b8b98..00000000 --- a/policy/modules/contrib/ddclient.te +++ /dev/null @@ -1,118 +0,0 @@ -policy_module(ddclient, 1.9.2) - -######################################## -# -# Declarations -# - -attribute_role ddclient_roles; - -type ddclient_t; -type ddclient_exec_t; -init_daemon_domain(ddclient_t, ddclient_exec_t) -role ddclient_roles types ddclient_t; - -type ddclient_etc_t; -files_config_file(ddclient_etc_t) - -type ddclient_initrc_exec_t; -init_script_file(ddclient_initrc_exec_t) - -type ddclient_log_t; -logging_log_file(ddclient_log_t) - -type ddclient_tmp_t; -files_tmp_file(ddclient_tmp_t) - -type ddclient_var_t; -files_type(ddclient_var_t) - -type ddclient_var_lib_t; -files_type(ddclient_var_lib_t) - -type ddclient_var_run_t; -files_pid_file(ddclient_var_run_t) - -######################################## -# -# Declarations -# - -dontaudit ddclient_t self:capability sys_tty_config; -allow ddclient_t self:process signal_perms; -allow ddclient_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) -setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) - -allow ddclient_t ddclient_log_t:file append_file_perms; -allow ddclient_t ddclient_log_t:file create_file_perms; -allow ddclient_t ddclient_log_t:file setattr_file_perms; -logging_log_filetrans(ddclient_t, ddclient_log_t, file) - -manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t) -files_tmp_filetrans(ddclient_t, ddclient_tmp_t, file) - -manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) - -manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t) - -manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t) -files_pid_filetrans(ddclient_t, ddclient_var_run_t, file) - -kernel_getattr_core_if(ddclient_t) -kernel_getattr_message_if(ddclient_t) -kernel_read_kernel_sysctls(ddclient_t) -kernel_read_network_state(ddclient_t) -kernel_read_software_raid_state(ddclient_t) -kernel_read_system_state(ddclient_t) -kernel_search_network_sysctl(ddclient_t) - -corecmd_exec_shell(ddclient_t) -corecmd_exec_bin(ddclient_t) - -corenet_all_recvfrom_unlabeled(ddclient_t) -corenet_all_recvfrom_netlabel(ddclient_t) -corenet_tcp_sendrecv_generic_if(ddclient_t) -corenet_udp_sendrecv_generic_if(ddclient_t) -corenet_tcp_sendrecv_generic_node(ddclient_t) -corenet_udp_sendrecv_generic_node(ddclient_t) -corenet_tcp_sendrecv_all_ports(ddclient_t) -corenet_udp_sendrecv_all_ports(ddclient_t) - -corenet_sendrecv_all_client_packets(ddclient_t) -corenet_tcp_connect_all_ports(ddclient_t) - -dev_read_sysfs(ddclient_t) -dev_read_urand(ddclient_t) - -domain_use_interactive_fds(ddclient_t) - -files_read_etc_files(ddclient_t) -files_read_etc_runtime_files(ddclient_t) -files_read_usr_files(ddclient_t) - -fs_getattr_all_fs(ddclient_t) -fs_search_auto_mountpoints(ddclient_t) - -logging_send_syslog_msg(ddclient_t) - -miscfiles_read_localization(ddclient_t) - -sysnet_exec_ifconfig(ddclient_t) -sysnet_dns_name_resolve(ddclient_t) - -userdom_dontaudit_use_unpriv_user_fds(ddclient_t) -userdom_dontaudit_search_user_home_dirs(ddclient_t) - -optional_policy(` - seutil_sigchld_newrole(ddclient_t) -') - -optional_policy(` - udev_read_db(ddclient_t) -') diff --git a/policy/modules/contrib/ddcprobe.fc b/policy/modules/contrib/ddcprobe.fc deleted file mode 100644 index 9f2a27f5..00000000 --- a/policy/modules/contrib/ddcprobe.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0) diff --git a/policy/modules/contrib/ddcprobe.if b/policy/modules/contrib/ddcprobe.if deleted file mode 100644 index aeddb697..00000000 --- a/policy/modules/contrib/ddcprobe.if +++ /dev/null @@ -1,47 +0,0 @@ -## <summary>ddcprobe retrieves monitor and graphics card information.</summary> - -######################################## -## <summary> -## Execute ddcprobe in the ddcprobe domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ddcprobe_domtrans',` - gen_require(` - type ddcprobe_t, ddcprobe_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t) -') - -######################################## -## <summary> -## Execute ddcprobe in the ddcprobe -## domain, and allow the specified -## role the ddcprobe domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ddcprobe_run',` - gen_require(` - attribute_role ddcprobe_roles; - ') - - ddcprobe_domtrans($1) - roleattribute $2 ddcprobe_roles; -') diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te deleted file mode 100644 index ceb9bf4d..00000000 --- a/policy/modules/contrib/ddcprobe.te +++ /dev/null @@ -1,55 +0,0 @@ -policy_module(ddcprobe, 1.2.1) - -######################################## -# -# Declarations -# - -attribute_role ddcprobe_roles; -roleattribute system_r ddcprobe_roles; - -type ddcprobe_t; -type ddcprobe_exec_t; -application_domain(ddcprobe_t, ddcprobe_exec_t) -role ddcprobe_roles types ddcprobe_t; - -######################################## -# -# Local policy -# - -allow ddcprobe_t self:capability { sys_rawio sys_admin }; -allow ddcprobe_t self:process execmem; - -kernel_read_system_state(ddcprobe_t) -kernel_read_kernel_sysctls(ddcprobe_t) -kernel_change_ring_buffer_level(ddcprobe_t) - -files_search_kernel_modules(ddcprobe_t) - -corecmd_list_bin(ddcprobe_t) -corecmd_exec_bin(ddcprobe_t) - -dev_read_urand(ddcprobe_t) -dev_read_raw_memory(ddcprobe_t) -dev_wx_raw_memory(ddcprobe_t) - -files_read_etc_files(ddcprobe_t) -files_read_etc_runtime_files(ddcprobe_t) -files_read_usr_files(ddcprobe_t) - -term_use_all_ttys(ddcprobe_t) -term_use_all_ptys(ddcprobe_t) - -libs_read_lib_files(ddcprobe_t) - -miscfiles_read_localization(ddcprobe_t) - -modutils_read_module_deps(ddcprobe_t) - -userdom_use_user_terminals(ddcprobe_t) -userdom_use_all_users_fds(ddcprobe_t) - -optional_policy(` - kudzu_getattr_exec_files(ddcprobe_t) -') diff --git a/policy/modules/contrib/denyhosts.fc b/policy/modules/contrib/denyhosts.fc deleted file mode 100644 index 89b0b77d..00000000 --- a/policy/modules/contrib/denyhosts.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0) - -/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0) - -/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0) - -/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0) - -/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0) diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if deleted file mode 100644 index a7326da6..00000000 --- a/policy/modules/contrib/denyhosts.if +++ /dev/null @@ -1,79 +0,0 @@ -## <summary>SSH dictionary attack mitigation.</summary> - -######################################## -## <summary> -## Execute a domain transition to run denyhosts. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`denyhosts_domtrans',` - gen_require(` - type denyhosts_t, denyhosts_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, denyhosts_exec_t, denyhosts_t) -') - -######################################## -## <summary> -## Execute denyhost server in the -## denyhost domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`denyhosts_initrc_domtrans',` - gen_require(` - type denyhosts_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, denyhosts_initrc_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an denyhosts environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`denyhosts_admin',` - gen_require(` - type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; - type denyhosts_var_log_t, denyhosts_initrc_exec_t; - ') - - allow $1 denyhosts_t:process { ptrace signal_perms }; - ps_process_pattern($1, denyhosts_t) - - denyhosts_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 denyhosts_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, denyhosts_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, denyhosts_var_log_t) - - files_search_locks($1) - admin_pattern($1, denyhosts_var_lock_t) -') diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te deleted file mode 100644 index bcb97705..00000000 --- a/policy/modules/contrib/denyhosts.te +++ /dev/null @@ -1,73 +0,0 @@ -policy_module(denyhosts, 1.0.2) - -######################################## -# -# Declarations -# - -type denyhosts_t; -type denyhosts_exec_t; -init_daemon_domain(denyhosts_t, denyhosts_exec_t) - -type denyhosts_initrc_exec_t; -init_script_file(denyhosts_initrc_exec_t) - -type denyhosts_var_lib_t; -files_type(denyhosts_var_lib_t) - -type denyhosts_var_lock_t; -files_lock_file(denyhosts_var_lock_t) - -type denyhosts_var_log_t; -logging_log_file(denyhosts_var_log_t) - -######################################## -# -# Local policy -# - -allow denyhosts_t self:capability sys_tty_config; -allow denyhosts_t self:fifo_file rw_fifo_file_perms; -allow denyhosts_t self:netlink_route_socket nlmsg_write; - -manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t) - -manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) -manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) -files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file }) - -append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) - -kernel_read_network_state(denyhosts_t) -kernel_read_system_state(denyhosts_t) - -corecmd_exec_bin(denyhosts_t) -corecmd_exec_shell(denyhosts_t) - -corenet_all_recvfrom_unlabeled(denyhosts_t) -corenet_all_recvfrom_netlabel(denyhosts_t) -corenet_tcp_sendrecv_generic_if(denyhosts_t) -corenet_tcp_sendrecv_generic_node(denyhosts_t) - -corenet_sendrecv_smtp_client_packets(denyhosts_t) -corenet_tcp_connect_smtp_port(denyhosts_t) -corenet_tcp_sendrecv_smtp_port(denyhosts_t) - -dev_read_urand(denyhosts_t) - -logging_read_generic_logs(denyhosts_t) -logging_send_syslog_msg(denyhosts_t) - -miscfiles_read_localization(denyhosts_t) - -sysnet_dns_name_resolve(denyhosts_t) -sysnet_manage_config(denyhosts_t) -sysnet_etc_filetrans_config(denyhosts_t) - -optional_policy(` - cron_system_entry(denyhosts_t, denyhosts_exec_t) -') diff --git a/policy/modules/contrib/devicekit.fc b/policy/modules/contrib/devicekit.fc deleted file mode 100644 index ae49c9d9..00000000 --- a/policy/modules/contrib/devicekit.fc +++ /dev/null @@ -1,26 +0,0 @@ -/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) - -/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) - -/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) -/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) - -/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/udisks.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) - -/var/log/pm-powersave\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0) -/var/log/pm-suspend\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0) - -/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/contrib/devicekit.if b/policy/modules/contrib/devicekit.if deleted file mode 100644 index d294865e..00000000 --- a/policy/modules/contrib/devicekit.if +++ /dev/null @@ -1,239 +0,0 @@ -## <summary>Devicekit modular hardware abstraction layer.</summary> - -######################################## -## <summary> -## Execute a domain transition to run devicekit. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`devicekit_domtrans',` - gen_require(` - type devicekit_t, devicekit_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, devicekit_exec_t, devicekit_t) -') - -######################################## -## <summary> -## Send to devicekit over a unix domain -## datagram socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`devicekit_dgram_send',` - gen_require(` - type devicekit_t, devicekit_var_run_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t) -') - -######################################## -## <summary> -## Send and receive messages from -## devicekit over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`devicekit_dbus_chat',` - gen_require(` - type devicekit_t; - class dbus send_msg; - ') - - allow $1 devicekit_t:dbus send_msg; - allow devicekit_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Send and receive messages from -## devicekit disk over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`devicekit_dbus_chat_disk',` - gen_require(` - type devicekit_disk_t; - class dbus send_msg; - ') - - allow $1 devicekit_disk_t:dbus send_msg; - allow devicekit_disk_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Send generic signals to devicekit power. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`devicekit_signal_power',` - gen_require(` - type devicekit_power_t; - ') - - allow $1 devicekit_power_t:process signal; -') - -######################################## -## <summary> -## Send and receive messages from -## devicekit power over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`devicekit_dbus_chat_power',` - gen_require(` - type devicekit_power_t; - class dbus send_msg; - ') - - allow $1 devicekit_power_t:dbus send_msg; - allow devicekit_power_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Create, read, write, and delete -## devicekit log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`devicekit_manage_log_files',` - gen_require(` - type devicekit_var_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) -') - -######################################## -## <summary> -## Relabel devicekit log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`devicekit_relabel_log_files',` - gen_require(` - type devicekit_var_log_t; - ') - - logging_search_logs($1) - relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) -') - -######################################## -## <summary> -## Read devicekit PID files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`devicekit_read_pid_files',` - gen_require(` - type devicekit_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## devicekit PID files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`devicekit_manage_pid_files',` - gen_require(` - type devicekit_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an devicekit environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`devicekit_admin',` - gen_require(` - type devicekit_t, devicekit_disk_t, devicekit_power_t; - type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; - type devicekit_var_log_t; - ') - - allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t }) - - files_search_tmp($1) - admin_pattern($1, devicekit_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, devicekit_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, devicekit_var_log_t) - - files_search_pids($1) - admin_pattern($1, devicekit_var_run_t) -') diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te deleted file mode 100644 index ff933af7..00000000 --- a/policy/modules/contrib/devicekit.te +++ /dev/null @@ -1,343 +0,0 @@ -policy_module(devicekit, 1.2.1) - -######################################## -# -# Declarations -# - -type devicekit_t; -type devicekit_exec_t; -dbus_system_domain(devicekit_t, devicekit_exec_t) - -type devicekit_power_t; -type devicekit_power_exec_t; -dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) - -type devicekit_disk_t; -type devicekit_disk_exec_t; -dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) - -type devicekit_tmp_t; -files_tmp_file(devicekit_tmp_t) - -type devicekit_var_run_t; -files_pid_file(devicekit_var_run_t) - -type devicekit_var_lib_t; -files_type(devicekit_var_lib_t) - -type devicekit_var_log_t; -logging_log_file(devicekit_var_log_t) - -######################################## -# -# Local policy -# - -allow devicekit_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) -manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) -files_pid_filetrans(devicekit_t, devicekit_var_run_t, { dir file }) - -kernel_read_system_state(devicekit_t) - -dev_read_sysfs(devicekit_t) -dev_read_urand(devicekit_t) - -files_read_etc_files(devicekit_t) - -miscfiles_read_localization(devicekit_t) - -optional_policy(` - dbus_system_bus_client(devicekit_t) - - allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; -') - -optional_policy(` - udev_read_db(devicekit_t) -') - -######################################## -# -# Disk local policy -# - -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; -allow devicekit_disk_t self:process { getsched signal_perms }; -allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; -allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { dir file }) - -manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) -manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) -files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) - -allow devicekit_disk_t devicekit_var_run_t:dir mounton; -manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) -manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) -files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) - -kernel_getattr_message_if(devicekit_disk_t) -kernel_list_unlabeled(devicekit_disk_t) -kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) -kernel_read_fs_sysctls(devicekit_disk_t) -kernel_read_network_state(devicekit_disk_t) -kernel_read_software_raid_state(devicekit_disk_t) -kernel_read_system_state(devicekit_disk_t) -kernel_request_load_module(devicekit_disk_t) -kernel_setsched(devicekit_disk_t) - -corecmd_exec_bin(devicekit_disk_t) -corecmd_exec_shell(devicekit_disk_t) -corecmd_getattr_all_executables(devicekit_disk_t) - -dev_getattr_all_chr_files(devicekit_disk_t) -dev_getattr_mtrr_dev(devicekit_disk_t) -dev_getattr_usbfs_dirs(devicekit_disk_t) -dev_manage_generic_files(devicekit_disk_t) -dev_read_urand(devicekit_disk_t) -dev_rw_sysfs(devicekit_disk_t) - -domain_getattr_all_pipes(devicekit_disk_t) -domain_getattr_all_sockets(devicekit_disk_t) -domain_getattr_all_stream_sockets(devicekit_disk_t) -domain_read_all_domains_state(devicekit_disk_t) - -files_dontaudit_read_all_symlinks(devicekit_disk_t) -files_getattr_all_sockets(devicekit_disk_t) -files_getattr_all_dirs(devicekit_disk_t) -files_getattr_all_files(devicekit_disk_t) -files_getattr_all_pipes(devicekit_disk_t) -files_manage_boot_dirs(devicekit_disk_t) -files_manage_isid_type_dirs(devicekit_disk_t) -files_manage_mnt_dirs(devicekit_disk_t) -files_read_etc_runtime_files(devicekit_disk_t) -files_read_usr_files(devicekit_disk_t) - -fs_getattr_all_fs(devicekit_disk_t) -fs_list_inotifyfs(devicekit_disk_t) -fs_manage_fusefs_dirs(devicekit_disk_t) -fs_mount_all_fs(devicekit_disk_t) -fs_unmount_all_fs(devicekit_disk_t) -fs_search_all(devicekit_disk_t) - -mls_file_read_all_levels(devicekit_disk_t) -mls_file_write_to_clearance(devicekit_disk_t) - -storage_raw_read_fixed_disk(devicekit_disk_t) -storage_raw_write_fixed_disk(devicekit_disk_t) -storage_raw_read_removable_device(devicekit_disk_t) -storage_raw_write_removable_device(devicekit_disk_t) - -term_use_all_terms(devicekit_disk_t) - -auth_use_nsswitch(devicekit_disk_t) - -miscfiles_read_localization(devicekit_disk_t) - -userdom_read_all_users_state(devicekit_disk_t) -userdom_search_user_home_dirs(devicekit_disk_t) - -optional_policy(` - dbus_system_bus_client(devicekit_disk_t) - - allow devicekit_disk_t devicekit_t:dbus send_msg; - - optional_policy(` - consolekit_dbus_chat(devicekit_disk_t) - ') - - optional_policy(` - policykit_dbus_chat(devicekit_disk_t) - ') -') - -optional_policy(` - fstools_domtrans(devicekit_disk_t) -') - -optional_policy(` - lvm_domtrans(devicekit_disk_t) -') - -optional_policy(` - mount_domtrans(devicekit_disk_t) -') - -optional_policy(` - policykit_domtrans_auth(devicekit_disk_t) - policykit_read_lib(devicekit_disk_t) - policykit_read_reload(devicekit_disk_t) -') - -optional_policy(` - raid_domtrans_mdadm(devicekit_disk_t) -') - -optional_policy(` - udev_domtrans(devicekit_disk_t) - udev_read_db(devicekit_disk_t) -') - -optional_policy(` - virt_manage_images(devicekit_disk_t) -') - -######################################## -# -# Power local policy -# - -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -allow devicekit_power_t self:process { getsched signal_perms }; -allow devicekit_power_t self:fifo_file rw_fifo_file_perms; -allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) -manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) -files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) - -manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) - -allow devicekit_power_t devicekit_var_log_t:file append_file_perms; -allow devicekit_power_t devicekit_var_log_t:file create_file_perms; -allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms; -logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) - -manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file }) - -kernel_read_fs_sysctls(devicekit_power_t) -kernel_read_network_state(devicekit_power_t) -kernel_read_system_state(devicekit_power_t) -kernel_rw_hotplug_sysctls(devicekit_power_t) -kernel_rw_kernel_sysctl(devicekit_power_t) -kernel_rw_vm_sysctls(devicekit_power_t) -kernel_search_debugfs(devicekit_power_t) -kernel_write_proc_files(devicekit_power_t) -kernel_setsched(devicekit_power_t) - -corecmd_exec_bin(devicekit_power_t) -corecmd_exec_shell(devicekit_power_t) - -dev_read_input(devicekit_power_t) -dev_read_urand(devicekit_power_t) -dev_rw_generic_usb_dev(devicekit_power_t) -dev_rw_generic_chr_files(devicekit_power_t) -dev_rw_netcontrol(devicekit_power_t) -dev_rw_sysfs(devicekit_power_t) -dev_read_rand(devicekit_power_t) -dev_getattr_all_chr_files(devicekit_power_t) - -domain_read_all_domains_state(devicekit_power_t) - -files_read_kernel_img(devicekit_power_t) -files_read_etc_runtime_files(devicekit_power_t) -files_read_usr_files(devicekit_power_t) -files_dontaudit_list_mnt(devicekit_power_t) - -fs_getattr_all_fs(devicekit_power_t) -fs_list_inotifyfs(devicekit_power_t) - -term_use_all_terms(devicekit_power_t) - -auth_use_nsswitch(devicekit_power_t) - -miscfiles_read_localization(devicekit_power_t) - -sysnet_domtrans_ifconfig(devicekit_power_t) -sysnet_domtrans_dhcpc(devicekit_power_t) - -userdom_read_all_users_state(devicekit_power_t) - -optional_policy(` - bootloader_domtrans(devicekit_power_t) -') - -optional_policy(` - consoletype_exec(devicekit_power_t) -') - -optional_policy(` - cron_initrc_domtrans(devicekit_power_t) -') - -optional_policy(` - dbus_system_bus_client(devicekit_power_t) - - allow devicekit_power_t devicekit_t:dbus send_msg; - - optional_policy(` - consolekit_dbus_chat(devicekit_power_t) - ') - - optional_policy(` - hal_dbus_chat(devicekit_power_t) - ') - - optional_policy(` - networkmanager_dbus_chat(devicekit_power_t) - ') - - optional_policy(` - policykit_dbus_chat(devicekit_power_t) - ') - - optional_policy(` - rpm_dbus_chat(devicekit_power_t) - ') -') - -optional_policy(` - fstools_domtrans(devicekit_power_t) -') - -optional_policy(` - hal_domtrans_mac(devicekit_power_t) - hal_manage_log(devicekit_power_t) - hal_manage_pid_dirs(devicekit_power_t) - hal_manage_pid_files(devicekit_power_t) -') - -optional_policy(` - modutils_domtrans_insmod(devicekit_power_t) -') - -optional_policy(` - mount_domtrans(devicekit_power_t) -') - -optional_policy(` - networkmanager_domtrans(devicekit_power_t) -') - -optional_policy(` - policykit_domtrans_auth(devicekit_power_t) - policykit_read_lib(devicekit_power_t) - policykit_read_reload(devicekit_power_t) -') - -optional_policy(` - readahead_domtrans(devicekit_power_t) -') - -optional_policy(` - udev_read_db(devicekit_power_t) -') - -optional_policy(` - usbmuxd_stream_connect(devicekit_power_t) -') - -optional_policy(` - vbetool_domtrans(devicekit_power_t) -') diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc deleted file mode 100644 index 7956248b..00000000 --- a/policy/modules/contrib/dhcp.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) - -/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) - -/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) -/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) - -/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if deleted file mode 100644 index c697edbc..00000000 --- a/policy/modules/contrib/dhcp.if +++ /dev/null @@ -1,100 +0,0 @@ -## <summary>Dynamic host configuration protocol server.</summary> - -######################################## -## <summary> -## Execute a domain transition to run dhcpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`dhcpd_domtrans',` - gen_require(` - type dhcpd_t, dhcpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dhcpd_exec_t, dhcpd_t) -') - -######################################## -## <summary> -## Set attributes of dhcpd server -## state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dhcpd_setattr_state_files',` - gen_require(` - type dhcpd_state_t; - ') - - sysnet_search_dhcp_state($1) - allow $1 dhcpd_state_t:file setattr; -') - -######################################## -## <summary> -## Execute dhcp server in the dhcp domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -# -interface(`dhcpd_initrc_domtrans',` - gen_require(` - type dhcpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an dhcpd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dhcpd_admin',` - gen_require(` - type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; - type dhcpd_var_run_t, dhcpd_initrc_exec_t; - ') - - allow $1 dhcpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dhcpd_t) - - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dhcpd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, dhcpd_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, dhcpd_state_t) - - files_list_pids($1) - admin_pattern($1, dhcpd_var_run_t) -') diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te deleted file mode 100644 index c93c3db5..00000000 --- a/policy/modules/contrib/dhcp.te +++ /dev/null @@ -1,131 +0,0 @@ -policy_module(dhcp, 1.10.1) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether DHCP daemon -## can use LDAP backends. -## </p> -## </desc> -gen_tunable(dhcpd_use_ldap, false) - -type dhcpd_t; -type dhcpd_exec_t; -init_daemon_domain(dhcpd_t, dhcpd_exec_t) - -type dhcpd_initrc_exec_t; -init_script_file(dhcpd_initrc_exec_t) - -type dhcpd_state_t; -files_type(dhcpd_state_t) - -type dhcpd_tmp_t; -files_tmp_file(dhcpd_tmp_t) - -type dhcpd_var_run_t; -files_pid_file(dhcpd_var_run_t) - -######################################## -# -# Local policy -# - -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; -dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; -allow dhcpd_t self:process { getcap setcap signal_perms }; -allow dhcpd_t self:fifo_file rw_fifo_file_perms; -allow dhcpd_t self:tcp_socket { accept listen }; -allow dhcpd_t self:packet_socket create_socket_perms; -allow dhcpd_t self:rawip_socket create_socket_perms; - -manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t) -sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file) - -manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) -manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) -files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { dir file }) - -manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t) -files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file) - -can_exec(dhcpd_t, dhcpd_exec_t) - -kernel_read_system_state(dhcpd_t) -kernel_read_kernel_sysctls(dhcpd_t) -kernel_read_network_state(dhcpd_t) - -corenet_all_recvfrom_unlabeled(dhcpd_t) -corenet_all_recvfrom_netlabel(dhcpd_t) -corenet_tcp_sendrecv_generic_if(dhcpd_t) -corenet_udp_sendrecv_generic_if(dhcpd_t) -corenet_raw_sendrecv_generic_if(dhcpd_t) -corenet_tcp_sendrecv_generic_node(dhcpd_t) -corenet_udp_sendrecv_generic_node(dhcpd_t) -corenet_raw_sendrecv_generic_node(dhcpd_t) -corenet_tcp_sendrecv_all_ports(dhcpd_t) -corenet_udp_sendrecv_all_ports(dhcpd_t) -corenet_tcp_bind_generic_node(dhcpd_t) -corenet_udp_bind_generic_node(dhcpd_t) - -corenet_sendrecv_dhcpd_server_packets(dhcpd_t) -corenet_tcp_bind_dhcpd_port(dhcpd_t) -corenet_udp_bind_dhcpd_port(dhcpd_t) - -corenet_sendrecv_pxe_server_packets(dhcpd_t) -corenet_udp_bind_pxe_port(dhcpd_t) - -corenet_sendrecv_all_client_packets(dhcpd_t) -corenet_tcp_connect_all_ports(dhcpd_t) - -corenet_udp_bind_all_unreserved_ports(dhcpd_t) - -corecmd_exec_bin(dhcpd_t) - -dev_read_sysfs(dhcpd_t) -dev_read_rand(dhcpd_t) -dev_read_urand(dhcpd_t) - -fs_getattr_all_fs(dhcpd_t) -fs_search_auto_mountpoints(dhcpd_t) - -domain_use_interactive_fds(dhcpd_t) - -files_read_usr_files(dhcpd_t) -files_read_etc_runtime_files(dhcpd_t) -files_search_var_lib(dhcpd_t) - -auth_use_nsswitch(dhcpd_t) - -logging_send_syslog_msg(dhcpd_t) - -miscfiles_read_localization(dhcpd_t) - -sysnet_read_dhcp_config(dhcpd_t) - -userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -userdom_dontaudit_search_user_home_dirs(dhcpd_t) - -tunable_policy(`dhcpd_use_ldap',` - sysnet_use_ldap(dhcpd_t) -') - -optional_policy(` - bind_read_dnssec_keys(dhcpd_t) -') - -optional_policy(` - dbus_system_bus_client(dhcpd_t) - dbus_connect_system_bus(dhcpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(dhcpd_t) -') - -optional_policy(` - udev_read_db(dhcpd_t) -') diff --git a/policy/modules/contrib/dictd.fc b/policy/modules/contrib/dictd.fc deleted file mode 100644 index 8a5f2351..00000000 --- a/policy/modules/contrib/dictd.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0) - -/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0) - -/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) - -/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) - -/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if deleted file mode 100644 index 3cc3494b..00000000 --- a/policy/modules/contrib/dictd.if +++ /dev/null @@ -1,57 +0,0 @@ -## <summary>Dictionary daemon.</summary> - -######################################## -## <summary> -## Use dictionary services by connecting -## over TCP. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dictd_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an dictd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dictd_admin',` - gen_require(` - type dictd_t, dictd_etc_t, dictd_var_lib_t; - type dictd_var_run_t, dictd_initrc_exec_t; - ') - - allow $1 dictd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dictd_t) - - init_labeled_script_domtrans($1, dictd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dictd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, dictd_etc_t) - - files_list_var_lib($1) - admin_pattern($1, dictd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, dictd_var_run_t) -') diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te deleted file mode 100644 index fd4a6024..00000000 --- a/policy/modules/contrib/dictd.te +++ /dev/null @@ -1,81 +0,0 @@ -policy_module(dictd, 1.7.1) - -######################################## -# -# Declarations -# - -type dictd_t; -type dictd_exec_t; -init_daemon_domain(dictd_t, dictd_exec_t) - -type dictd_etc_t; -files_config_file(dictd_etc_t) - -type dictd_initrc_exec_t; -init_script_file(dictd_initrc_exec_t) - -type dictd_var_lib_t alias var_lib_dictd_t; -files_type(dictd_var_lib_t) - -type dictd_var_run_t; -files_pid_file(dictd_var_run_t) - -######################################## -# -# Local policy -# - -allow dictd_t self:capability { setuid setgid }; -dontaudit dictd_t self:capability sys_tty_config; -allow dictd_t self:process { signal_perms setpgid }; -allow dictd_t self:unix_stream_socket { accept listen }; -allow dictd_t self:tcp_socket { accept listen }; - -allow dictd_t dictd_etc_t:file read_file_perms; - -allow dictd_t dictd_var_lib_t:dir list_dir_perms; -allow dictd_t dictd_var_lib_t:file read_file_perms; - -manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t) -files_pid_filetrans(dictd_t, dictd_var_run_t, file) - -kernel_read_system_state(dictd_t) -kernel_read_kernel_sysctls(dictd_t) - -corenet_all_recvfrom_unlabeled(dictd_t) -corenet_all_recvfrom_netlabel(dictd_t) -corenet_tcp_sendrecv_generic_if(dictd_t) -corenet_tcp_sendrecv_generic_node(dictd_t) -corenet_tcp_bind_generic_node(dictd_t) - -corenet_sendrecv_dict_server_packets(dictd_t) -corenet_tcp_bind_dict_port(dictd_t) -corenet_tcp_sendrecv_dict_port(dictd_t) - -dev_read_sysfs(dictd_t) - -domain_use_interactive_fds(dictd_t) - -files_read_etc_runtime_files(dictd_t) -files_read_usr_files(dictd_t) -files_search_var_lib(dictd_t) - -fs_getattr_xattr_fs(dictd_t) -fs_search_auto_mountpoints(dictd_t) - -auth_use_nsswitch(dictd_t) - -logging_send_syslog_msg(dictd_t) - -miscfiles_read_localization(dictd_t) - -userdom_dontaudit_use_unpriv_user_fds(dictd_t) - -optional_policy(` - seutil_sigchld_newrole(dictd_t) -') - -optional_policy(` - udev_read_db(dictd_t) -') diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc deleted file mode 100644 index 6ce47dcf..00000000 --- a/policy/modules/contrib/dirmngr.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0) - -/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0) - -/usr/bin/dirmngr -- gen_context(system_u:object_r:dirmngr_exec_t,s0) - -/var/log/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_log_t,s0) - -/var/lib/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_lib_t,s0) - -/var/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0) - -/var/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0) diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if deleted file mode 100644 index e5f6733b..00000000 --- a/policy/modules/contrib/dirmngr.if +++ /dev/null @@ -1,45 +0,0 @@ -## <summary>Server for managing and downloading certificate revocation lists.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an dirmngr environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dirmngr_admin',` - gen_require(` - type dirmngr_t, dirmngr_initrc_exec_t, dirmngr_var_run_t; - type dirmngr_conf_t, dirmngr_var_lib_t, dirmngr_log_t; - ') - - allow $1 dirmngr_t:process { ptrace signal_perms }; - ps_process_pattern($1, dirmngr_t) - - init_labeled_script_domtrans($1, dirmngr_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dirmngr_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, dirmngr_conf_t) - - logging_search_logs($1) - admin_pattern($1, dirmngr_log_t) - - files_search_pids($1) - admin_pattern($1, dirmngr_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, dirmngr_var_lib_t) -') diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te deleted file mode 100644 index b3b21881..00000000 --- a/policy/modules/contrib/dirmngr.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(dirmngr, 1.0.0) - -######################################## -# -# Declarations -# - -type dirmngr_t; -type dirmngr_exec_t; -init_daemon_domain(dirmngr_t, dirmngr_exec_t) - -type dirmngr_conf_t; -files_config_file(dirmngr_conf_t) - -type dirmngr_initrc_exec_t; -init_script_file(dirmngr_initrc_exec_t) - -type dirmngr_log_t; -logging_log_file(dirmngr_log_t) - -type dirmngr_var_lib_t; -files_type(dirmngr_var_lib_t) - -type dirmngr_var_run_t; -files_pid_file(dirmngr_var_run_t) - -######################################## -# -# Local policy -# - -allow dirmngr_t self:fifo_file rw_file_perms; - -allow dirmngr_t dirmngr_conf_t:dir list_dir_perms; -allow dirmngr_t dirmngr_conf_t:file read_file_perms; -allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) -append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) -create_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) -setattr_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) -logging_log_filetrans(dirmngr_t, dirmngr_log_t, dir) - -manage_dirs_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t) -manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t) -manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t) -files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir) - -manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) -manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) -manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) -files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file }) - -kernel_read_crypto_sysctls(dirmngr_t) - -files_read_etc_files(dirmngr_t) - -miscfiles_read_localization(dirmngr_t) diff --git a/policy/modules/contrib/dirsrv.fc b/policy/modules/contrib/dirsrv.fc index f7590a03..a675110f 100644 --- a/policy/modules/contrib/dirsrv.fc +++ b/policy/modules/contrib/dirsrv.fc @@ -5,8 +5,8 @@ /var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0) /var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0) /var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0) -/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) -/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) -/var/run/ldap-agent.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) +/var/log/dirsrv/ldap-agent\.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) +/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_runtime_t,s0) +/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_runtime_t,s0) /etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) diff --git a/policy/modules/contrib/dirsrv.if b/policy/modules/contrib/dirsrv.if index af0aebe1..ac56f143 100644 --- a/policy/modules/contrib/dirsrv.if +++ b/policy/modules/contrib/dirsrv.if @@ -17,10 +17,10 @@ interface(`dirsrv_domtrans',` type dirsrv_t, dirsrv_exec_t; ') - domain_auto_trans($1,dirsrv_exec_t,dirsrv_t) + domain_auto_transition_pattern($1, dirsrv_exec_t, dirsrv_t) allow dirsrv_t $1:fd use; - allow dirsrv_t $1:fifo_file rw_file_perms; + allow dirsrv_t $1:fifo_file rw_fifo_file_perms; allow dirsrv_t $1:process sigchld; ') @@ -112,11 +112,11 @@ interface(`dirsrv_manage_var_lib',` # interface(`dirsrv_manage_var_run',` gen_require(` - type dirsrv_var_run_t; + type dirsrv_runtime_t; ') - allow $1 dirsrv_var_run_t:dir manage_dir_perms; - allow $1 dirsrv_var_run_t:file manage_file_perms; - allow $1 dirsrv_var_run_t:sock_file manage_file_perms; + allow $1 dirsrv_runtime_t:dir manage_dir_perms; + allow $1 dirsrv_runtime_t:file manage_file_perms; + allow $1 dirsrv_runtime_t:sock_file manage_sock_file_perms; ') ###################################### @@ -131,10 +131,10 @@ interface(`dirsrv_manage_var_run',` # interface(`dirsrv_pid_filetrans',` gen_require(` - type dirsrv_var_run_t; + type dirsrv_runtime_t; ') # Allow creating a dir in /var/run with this type - files_pid_filetrans($1, dirsrv_var_run_t, dir) + files_runtime_filetrans($1, dirsrv_runtime_t, dir) ') ####################################### @@ -149,10 +149,10 @@ interface(`dirsrv_pid_filetrans',` # interface(`dirsrv_read_var_run',` gen_require(` - type dirsrv_var_run_t; + type dirsrv_runtime_t; ') - allow $1 dirsrv_var_run_t:dir list_dir_perms; - allow $1 dirsrv_var_run_t:file read_file_perms; + allow $1 dirsrv_runtime_t:dir list_dir_perms; + allow $1 dirsrv_runtime_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te index e9248d0e..80a24f24 100644 --- a/policy/modules/contrib/dirsrv.te +++ b/policy/modules/contrib/dirsrv.te @@ -32,12 +32,12 @@ type dirsrv_snmp_var_log_t; logging_log_file(dirsrv_snmp_var_log_t) # pid files -type dirsrv_var_run_t; -files_pid_file(dirsrv_var_run_t) +type dirsrv_runtime_t alias dirsrv_var_run_t; +files_runtime_file(dirsrv_runtime_t) # snmp pid file -type dirsrv_snmp_var_run_t; -files_pid_file(dirsrv_snmp_var_run_t) +type dirsrv_snmp_runtime_t alias dirsrv_snmp_var_run_t; +files_runtime_file(dirsrv_snmp_runtime_t) # lock files type dirsrv_var_lock_t; @@ -57,7 +57,7 @@ files_tmpfs_file(dirsrv_tmpfs_t) # shared files type dirsrv_share_t; -files_type(dirsrv_share_t); +files_type(dirsrv_share_t) ######################################## # @@ -66,13 +66,13 @@ files_type(dirsrv_share_t); # Some common macros files_read_etc_files(dirsrv_t) -corecmd_search_sbin(dirsrv_t) +corecmd_search_bin(dirsrv_t) files_read_usr_symlinks(dirsrv_t) miscfiles_read_localization(dirsrv_t) dev_read_urand(dirsrv_t) libs_use_ld_so(dirsrv_t) libs_use_shared_libs(dirsrv_t) -allow dirsrv_t self:fifo_file { read write }; +allow dirsrv_t self:fifo_file rw_inherited_fifo_file_perms; # process stuff allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; @@ -95,11 +95,11 @@ allow dirsrv_t dirsrv_var_log_t:dir { setattr }; logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir }) # pid files -manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) -files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file }) +manage_files_pattern(dirsrv_t, dirsrv_runtime_t, dirsrv_runtime_t) +files_runtime_filetrans(dirsrv_t, dirsrv_runtime_t, { file sock_file }) # ldapi socket -manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) +manage_sock_files_pattern(dirsrv_t, dirsrv_runtime_t, dirsrv_runtime_t) # lock files manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) @@ -125,7 +125,6 @@ corenet_all_recvfrom_unlabeled(dirsrv_t) corenet_all_recvfrom_netlabel(dirsrv_t) corenet_tcp_sendrecv_generic_if(dirsrv_t) corenet_tcp_sendrecv_generic_node(dirsrv_t) -corenet_tcp_sendrecv_all_ports(dirsrv_t) corenet_tcp_bind_all_nodes(dirsrv_t) corenet_tcp_bind_ldap_port(dirsrv_t) corenet_tcp_bind_all_rpc_ports(dirsrv_t) @@ -161,7 +160,7 @@ dev_read_urand(dirsrv_snmp_t) files_read_usr_files(dirsrv_snmp_t) fs_getattr_tmpfs(dirsrv_snmp_t) fs_search_tmpfs(dirsrv_snmp_t) -allow dirsrv_snmp_t self:fifo_file { read write }; +allow dirsrv_snmp_t self:fifo_file rw_inherited_fifo_file_perms; sysnet_read_config(dirsrv_snmp_t) sysnet_dns_name_resolve(dirsrv_snmp_t) @@ -175,7 +174,7 @@ files_manage_var_files(dirsrv_snmp_t) rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) # stats file -read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) +read_files_pattern(dirsrv_snmp_t, dirsrv_runtime_t, dirsrv_runtime_t) # process stuff allow dirsrv_snmp_t self:capability { dac_override dac_read_search }; @@ -184,12 +183,12 @@ allow dirsrv_snmp_t self:capability { dac_override dac_read_search }; read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t) # pid file -manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t) -files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file }) -search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) +manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_runtime_t, dirsrv_snmp_runtime_t) +files_runtime_filetrans(dirsrv_snmp_t, dirsrv_snmp_runtime_t, { file sock_file }) +search_dirs_pattern(dirsrv_snmp_t, dirsrv_runtime_t, dirsrv_runtime_t) # log file -manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t); +manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t) filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file) # Init script handling diff --git a/policy/modules/contrib/distcc.fc b/policy/modules/contrib/distcc.fc deleted file mode 100644 index 7b9fb3fb..00000000 --- a/policy/modules/contrib/distcc.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/distccd -- gen_context(system_u:object_r:distccd_initrc_exec_t,s0) - -/usr/bin/distccd -- gen_context(system_u:object_r:distccd_exec_t,s0) - -/var/log/distccd.* -- gen_context(system_u:object_r:distccd_log_t,s0) - -/var/run/distccd\.pid -- gen_context(system_u:object_r:distccd_var_run_t,s0) diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if deleted file mode 100644 index 24d8c740..00000000 --- a/policy/modules/contrib/distcc.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>Distributed compiler daemon.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an distcc environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`distcc_admin',` - gen_require(` - type distccd_t, distccd_t, distccd_log_t; - type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t; - ') - - allow $1 distccd_t:process { ptrace signal_perms }; - ps_process_pattern($1, distccd_t) - - init_labeled_script_domtrans($1, distccd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 distccd_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, distccd_log_t) - - files_search_tmp($1) - admin_pattern($1, distccd_tmp_t) - - files_search_pids($1) - admin_pattern($1, distccd_var_run_t) -') diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te deleted file mode 100644 index b441a4dc..00000000 --- a/policy/modules/contrib/distcc.te +++ /dev/null @@ -1,88 +0,0 @@ -policy_module(distcc, 1.8.2) - -######################################## -# -# Declarations -# - -type distccd_t; -type distccd_exec_t; -init_daemon_domain(distccd_t, distccd_exec_t) - -type distccd_initrc_exec_t; -init_script_file(distccd_initrc_exec_t) - -type distccd_log_t; -logging_log_file(distccd_log_t) - -type distccd_tmp_t; -files_tmp_file(distccd_tmp_t) - -type distccd_var_run_t; -files_pid_file(distccd_var_run_t) - -######################################## -# -# Local policy -# - -allow distccd_t self:capability { setgid setuid }; -dontaudit distccd_t self:capability sys_tty_config; -allow distccd_t self:process { signal_perms setsched }; -allow distccd_t self:fifo_file rw_fifo_file_perms; -allow distccd_t self:tcp_socket { accept listen }; - -allow distccd_t distccd_log_t:file append_file_perms; -allow distccd_t distccd_log_t:file create_file_perms; -allow distccd_t distccd_log_t:file setattr_file_perms; -logging_log_filetrans(distccd_t, distccd_log_t, file) - -manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t) -manage_files_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t) -files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir }) - -manage_files_pattern(distccd_t, distccd_var_run_t, distccd_var_run_t) -files_pid_filetrans(distccd_t, distccd_var_run_t, file) - -kernel_read_system_state(distccd_t) -kernel_read_kernel_sysctls(distccd_t) - -corenet_all_recvfrom_unlabeled(distccd_t) -corenet_all_recvfrom_netlabel(distccd_t) -corenet_tcp_sendrecv_generic_if(distccd_t) -corenet_tcp_sendrecv_generic_node(distccd_t) -corenet_tcp_bind_generic_node(distccd_t) - -corenet_sendrecv_distccd_server_packets(distccd_t) -corenet_tcp_bind_distccd_port(distccd_t) -corenet_tcp_sendrecv_distccd_port(distccd_t) - -dev_read_sysfs(distccd_t) - -fs_getattr_all_fs(distccd_t) -fs_search_auto_mountpoints(distccd_t) - -corecmd_exec_bin(distccd_t) - -domain_use_interactive_fds(distccd_t) - -files_read_etc_runtime_files(distccd_t) - -auth_use_nsswitch(distccd_t) - -libs_exec_lib_files(distccd_t) - -logging_send_syslog_msg(distccd_t) - -miscfiles_read_localization(distccd_t) - -userdom_dontaudit_use_unpriv_user_fds(distccd_t) -userdom_dontaudit_search_user_home_dirs(distccd_t) - -optional_policy(` - seutil_sigchld_newrole(distccd_t) -') - -optional_policy(` - udev_read_db(distccd_t) -') diff --git a/policy/modules/contrib/djbdns.fc b/policy/modules/contrib/djbdns.fc deleted file mode 100644 index e9b1b32a..00000000 --- a/policy/modules/contrib/djbdns.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0) -/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0) -/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0) - -/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0) -/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0) -/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0) diff --git a/policy/modules/contrib/djbdns.if b/policy/modules/contrib/djbdns.if deleted file mode 100644 index 671d3c0a..00000000 --- a/policy/modules/contrib/djbdns.if +++ /dev/null @@ -1,78 +0,0 @@ -## <summary>Small and secure DNS daemon.</summary> - -####################################### -## <summary> -## The template to define a djbdns domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`djbdns_daemontools_domain_template',` - gen_require(` - attribute djbdns_domain; - ') - - ######################################## - # - # Declarations - # - - type djbdns_$1_t, djbdns_domain; - type djbdns_$1_exec_t; - domain_type(djbdns_$1_t) - domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t) - role system_r types djbdns_$1_t; - - type djbdns_$1_conf_t; - files_config_file(djbdns_$1_conf_t) - - ######################################## - # - # Local policy - # - - daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t) - daemontools_read_svc(djbdns_$1_t) - - allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; - allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; -') - -##################################### -## <summary> -## Search djbdns-tinydns key ring. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`djbdns_search_tinydns_keys',` - gen_require(` - type djbdns_tinydns_t; - ') - - allow $1 djbdns_tinydns_t:key search; -') - -##################################### -## <summary> -## Link djbdns-tinydns key ring. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`djbdns_link_tinydns_keys',` - gen_require(` - type djbdns_tinydn_t; - ') - - allow $1 djbdns_tinydn_t:key link; -') diff --git a/policy/modules/contrib/djbdns.te b/policy/modules/contrib/djbdns.te deleted file mode 100644 index 463d290e..00000000 --- a/policy/modules/contrib/djbdns.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(djbdns, 1.5.3) - -######################################## -# -# Declarations -# - -attribute djbdns_domain; - -djbdns_daemontools_domain_template(axfrdns) -ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) - -djbdns_daemontools_domain_template(dnscache) -djbdns_daemontools_domain_template(tinydns) - -######################################## -# -# Common local policy -# - -allow djbdns_domain self:capability { setgid setuid sys_chroot }; -allow djbdns_domain self:process signal; -allow djbdns_domain self:fifo_file rw_fifo_file_perms; -allow djbdns_domain self:tcp_socket create_stream_socket_perms; -allow djbdns_domain self:udp_socket create_socket_perms; - -corenet_all_recvfrom_unlabeled(djbdns_domain) -corenet_all_recvfrom_netlabel(djbdns_domain) -corenet_tcp_sendrecv_generic_if(djbdns_domain) -corenet_udp_sendrecv_generic_if(djbdns_domain) -corenet_tcp_sendrecv_generic_node(djbdns_domain) -corenet_udp_sendrecv_generic_node(djbdns_domain) -corenet_tcp_sendrecv_all_ports(djbdns_domain) -corenet_udp_sendrecv_all_ports(djbdns_domain) -corenet_tcp_bind_generic_node(djbdns_domain) -corenet_udp_bind_generic_node(djbdns_domain) - -corenet_sendrecv_dns_server_packets(djbdns_domain) -corenet_tcp_bind_dns_port(djbdns_domain) -corenet_udp_bind_dns_port(djbdns_domain) - -corenet_sendrecv_dns_client_packets(djbdns_domain) -corenet_tcp_connect_dns_port(djbdns_domain) - -corenet_sendrecv_generic_server_packets(djbdns_domain) -corenet_tcp_bind_generic_port(djbdns_domain) -corenet_udp_bind_generic_port(djbdns_domain) - -files_search_var(djbdns_domain) - -######################################## -# -# axfrdns local policy -# - -allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms; -allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:file read_file_perms; - -######################################## -# -# tinydns local policy -# - -init_dontaudit_use_script_fds(djbdns_tinydns_t) diff --git a/policy/modules/contrib/dkim.fc b/policy/modules/contrib/dkim.fc deleted file mode 100644 index 5818418a..00000000 --- a/policy/modules/contrib/dkim.fc +++ /dev/null @@ -1,18 +0,0 @@ -/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) - -/etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0) - -/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) -/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) - -/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) - -/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - -/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) - -/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - -/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if deleted file mode 100644 index 386e4941..00000000 --- a/policy/modules/contrib/dkim.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>DomainKeys Identified Mail milter.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an dkim environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dkim_admin',` - gen_require(` - type dkim_milter_t, dkim_milter_initrc_exec_t, dkim_milter_private_key_t; - type dkim_milter_data_t; - ') - - allow $1 dkim_milter_t:process { ptrace signal_perms }; - ps_process_pattern($1, dkim_milter_t) - - init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dkim_milter_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, dkim_milter_private_key_t) - - files_search_pids($1) - admin_pattern($1, dkim_milter_data_t) -') diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te deleted file mode 100644 index 0d2eb211..00000000 --- a/policy/modules/contrib/dkim.te +++ /dev/null @@ -1,33 +0,0 @@ -policy_module(dkim, 1.1.3) - -######################################## -# -# Declarations -# - -milter_template(dkim) - -type dkim_milter_initrc_exec_t; -init_script_file(dkim_milter_initrc_exec_t) - -type dkim_milter_private_key_t; -files_type(dkim_milter_private_key_t) - -######################################## -# -# Local policy -# - -allow dkim_milter_t self:capability { setgid setuid }; -allow dkim_milter_t self:process signal; -allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; - -read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) - -kernel_read_kernel_sysctls(dkim_milter_t) - -dev_read_urand(dkim_milter_t) - -files_search_spool(dkim_milter_t) - -mta_read_config(dkim_milter_t) diff --git a/policy/modules/contrib/dmidecode.fc b/policy/modules/contrib/dmidecode.fc deleted file mode 100644 index c394e45d..00000000 --- a/policy/modules/contrib/dmidecode.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/sbin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0) -/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0) -/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0) -/usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0) diff --git a/policy/modules/contrib/dmidecode.if b/policy/modules/contrib/dmidecode.if deleted file mode 100644 index 41c3f677..00000000 --- a/policy/modules/contrib/dmidecode.if +++ /dev/null @@ -1,47 +0,0 @@ -## <summary>Decode DMI data for x86/ia64 bioses.</summary> - -######################################## -## <summary> -## Execute dmidecode in the dmidecode domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`dmidecode_domtrans',` - gen_require(` - type dmidecode_t, dmidecode_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dmidecode_exec_t, dmidecode_t) -') - -######################################## -## <summary> -## Execute dmidecode in the dmidecode -## domain, and allow the specified -## role the dmidecode domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dmidecode_run',` - gen_require(` - attribute_role dmidecode_roles; - ') - - dmidecode_domtrans($1) - roleattribute $2 dmidecode_roles; -') diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te deleted file mode 100644 index c947c2c6..00000000 --- a/policy/modules/contrib/dmidecode.te +++ /dev/null @@ -1,32 +0,0 @@ -policy_module(dmidecode, 1.4.1) - -######################################## -# -# Declarations -# - -attribute_role dmidecode_roles; -roleattribute system_r dmidecode_roles; - -type dmidecode_t; -type dmidecode_exec_t; -application_domain(dmidecode_t, dmidecode_exec_t) -role dmidecode_roles types dmidecode_t; - -######################################## -# -# Local policy -# - -allow dmidecode_t self:capability sys_rawio; - -dev_read_sysfs(dmidecode_t) -dev_read_raw_memory(dmidecode_t) - -mls_file_read_all_levels(dmidecode_t) - -files_list_usr(dmidecode_t) - -locallogin_use_fds(dmidecode_t) - -userdom_use_user_terminals(dmidecode_t) diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc deleted file mode 100644 index 23ab808d..00000000 --- a/policy/modules/contrib/dnsmasq.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0) - -/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) - -/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) - -/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) -/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) - -/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0) - -/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if deleted file mode 100644 index 19aa0b80..00000000 --- a/policy/modules/contrib/dnsmasq.if +++ /dev/null @@ -1,289 +0,0 @@ -## <summary>DNS forwarder and DHCP server.</summary> - -######################################## -## <summary> -## Execute dnsmasq server in the dnsmasq domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -# -interface(`dnsmasq_domtrans',` - gen_require(` - type dnsmasq_exec_t, dnsmasq_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) -') - -######################################## -## <summary> -## Execute the dnsmasq init script in -## the init script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -# -interface(`dnsmasq_initrc_domtrans',` - gen_require(` - type dnsmasq_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) -') - -######################################## -## <summary> -## Send generic signals to dnsmasq. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -# -interface(`dnsmasq_signal',` - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process signal; -') - -######################################## -## <summary> -## Send null signals to dnsmasq. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -# -interface(`dnsmasq_signull',` - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process signull; -') - -######################################## -## <summary> -## Send kill signals to dnsmasq. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -# -interface(`dnsmasq_kill',` - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process sigkill; -') - -######################################## -## <summary> -## Read dnsmasq config files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dnsmasq_read_config',` - gen_require(` - type dnsmasq_etc_t; - ') - - read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) -') - -######################################## -## <summary> -## Write dnsmasq config files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dnsmasq_write_config',` - gen_require(` - type dnsmasq_etc_t; - ') - - write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) -') - -######################################## -## <summary> -## Delete dnsmasq pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -# -interface(`dnsmasq_delete_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - - delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## dnsmasq pid files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dnsmasq_manage_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -') - -######################################## -## <summary> -## Read dnsmasq pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -# -interface(`dnsmasq_read_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - - read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -') - -######################################## -## <summary> -## Create dnsmasq pid directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dnsmasq_create_pid_dirs',` - gen_require(` - type dnsmasq_var_run_t; - ') - - files_search_pids($1) - allow $1 dnsmasq_var_run_t:dir create_dir_perms; -') - -######################################## -## <summary> -## Create specified objects in specified -## directories with a type transition to -## the dnsmasq pid file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="file_type"> -## <summary> -## Directory to transition on. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`dnsmasq_spec_filetrans_pid',` - gen_require(` - type dnsmasq_var_run_t; - ') - - filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an dnsmasq environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dnsmasq_admin',` - gen_require(` - type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; - type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; - ') - - allow $1 dnsmasq_t:process { ptrace signal_perms }; - ps_process_pattern($1, dnsmasq_t) - - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dnsmasq_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, dnsmasq_lease_t) - - logging_seearch_logs($1) - admin_pattern($1, dnsmasq_var_log_t) - - files_list_pids($1) - admin_pattern($1, dnsmasq_var_run_t) -') diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te deleted file mode 100644 index ba14bcf5..00000000 --- a/policy/modules/contrib/dnsmasq.te +++ /dev/null @@ -1,129 +0,0 @@ -policy_module(dnsmasq, 1.9.3) - -######################################## -# -# Declarations -# - -type dnsmasq_t; -type dnsmasq_exec_t; -init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) - -type dnsmasq_initrc_exec_t; -init_script_file(dnsmasq_initrc_exec_t) - -type dnsmasq_etc_t; -files_config_file(dnsmasq_etc_t) - -type dnsmasq_lease_t; -files_type(dnsmasq_lease_t) - -type dnsmasq_var_log_t; -logging_log_file(dnsmasq_var_log_t) - -type dnsmasq_var_run_t; -files_pid_file(dnsmasq_var_run_t) - -######################################## -# -# Local policy -# - -allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw }; -dontaudit dnsmasq_t self:capability sys_tty_config; -allow dnsmasq_t self:process { getcap setcap signal_perms }; -allow dnsmasq_t self:fifo_file rw_fifo_file_perms; -allow dnsmasq_t self:tcp_socket { accept listen }; -allow dnsmasq_t self:packet_socket create_socket_perms; -allow dnsmasq_t self:rawip_socket create_socket_perms; - -read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) - -manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) -files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) - -allow dnsmasq_t dnsmasq_var_log_t:file append_file_perms; -allow dnsmasq_t dnsmasq_var_log_t:file create_file_perms; -allow dnsmasq_t dnsmasq_var_log_t:file setattr_file_perms; -logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) - -manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) -manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) -files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(dnsmasq_t) -kernel_read_network_state(dnsmasq_t) -kernel_read_system_state(dnsmasq_t) -kernel_request_load_module(dnsmasq_t) - -corenet_all_recvfrom_unlabeled(dnsmasq_t) -corenet_all_recvfrom_netlabel(dnsmasq_t) -corenet_tcp_sendrecv_generic_if(dnsmasq_t) -corenet_udp_sendrecv_generic_if(dnsmasq_t) -corenet_raw_sendrecv_generic_if(dnsmasq_t) -corenet_tcp_sendrecv_generic_node(dnsmasq_t) -corenet_udp_sendrecv_generic_node(dnsmasq_t) -corenet_raw_sendrecv_generic_node(dnsmasq_t) -corenet_tcp_sendrecv_all_ports(dnsmasq_t) -corenet_udp_sendrecv_all_ports(dnsmasq_t) -corenet_tcp_bind_generic_node(dnsmasq_t) -corenet_udp_bind_generic_node(dnsmasq_t) - -corenet_sendrecv_dns_server_packets(dnsmasq_t) -corenet_tcp_bind_dns_port(dnsmasq_t) -corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) -corenet_udp_bind_all_ports(dnsmasq_t) - -dev_read_sysfs(dnsmasq_t) -dev_read_urand(dnsmasq_t) - -domain_use_interactive_fds(dnsmasq_t) - -files_read_etc_runtime_files(dnsmasq_t) - -fs_getattr_all_fs(dnsmasq_t) -fs_search_auto_mountpoints(dnsmasq_t) - -auth_use_nsswitch(dnsmasq_t) - -logging_send_syslog_msg(dnsmasq_t) - -miscfiles_read_localization(dnsmasq_t) - -userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) -userdom_dontaudit_search_user_home_dirs(dnsmasq_t) - -optional_policy(` - cobbler_read_lib_files(dnsmasq_t) -') - -optional_policy(` - dbus_connect_system_bus(dnsmasq_t) - dbus_system_bus_client(dnsmasq_t) -') - -optional_policy(` - networkmanager_read_pid_files(dnsmasq_t) -') - -optional_policy(` - ppp_read_pid_files(dnsmasq_t) -') - -optional_policy(` - seutil_sigchld_newrole(dnsmasq_t) -') - -optional_policy(` - tftp_read_content(dnsmasq_t) -') - -optional_policy(` - udev_read_db(dnsmasq_t) -') - -optional_policy(` - virt_manage_lib_files(dnsmasq_t) - virt_read_pid_files(dnsmasq_t) - virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) -') diff --git a/policy/modules/contrib/dnssectrigger.fc b/policy/modules/contrib/dnssectrigger.fc deleted file mode 100644 index c459b4ac..00000000 --- a/policy/modules/contrib/dnssectrigger.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/dnssec-trigger/dnssec-trigger\.conf -- gen_context(system_u:object_r:dnssec_trigger_conf_t,s0) - -/etc/rc\.d/init\.d/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_initrc_exec_t,s0) - -/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_exec_t,s0) - -/var/log/dnssec-trigger\.log.* -- gen_context(system_u:object_r:dnssec_trigger_log_t,s0) - -/var/run/dnssec-triggerd\.pid -- gen_context(system_u:object_r:dnssec_triggerd_var_run_t,s0) diff --git a/policy/modules/contrib/dnssectrigger.if b/policy/modules/contrib/dnssectrigger.if deleted file mode 100644 index 456da5ce..00000000 --- a/policy/modules/contrib/dnssectrigger.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>Enables DNSSEC protection for DNS traffic.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an dnssec environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dnssectrigger_admin',` - gen_require(` - type dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t, dnssec_trigger_conf_t; - type dnssec_trigger_log_t, dnssec_triggerd_var_run_t; - ') - - allow $1 dnssec_triggerd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dnssec_triggerd_t) - - init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dnssec_triggerd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, dnssec_trigger_conf_t) - - logging_search_logs($1) - admin_pattern($1, dnssec_trigger_log_t) - - files_search_pids($1) - admin_pattern($1, dnssec_triggerd_var_run_t) -') diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te deleted file mode 100644 index ef36d733..00000000 --- a/policy/modules/contrib/dnssectrigger.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(dnssectrigger, 1.0.1) - -######################################## -# -# Declarations -# - -type dnssec_triggerd_t; -type dnssec_triggerd_exec_t; -init_daemon_domain(dnssec_triggerd_t, dnssec_triggerd_exec_t) - -type dnssec_triggerd_initrc_exec_t; -init_script_file(dnssec_triggerd_initrc_exec_t) - -type dnssec_trigger_conf_t; -files_config_file(dnssec_trigger_conf_t) - -type dnssec_trigger_log_t; -logging_log_file(dnssec_trigger_log_t) - -type dnssec_triggerd_var_run_t; -files_pid_file(dnssec_triggerd_var_run_t) - -######################################## -# -# Local policy -# - -allow dnssec_triggerd_t self:capability linux_immutable; -allow dnssec_triggerd_t self:process signal; -allow dnssec_triggerd_t self:fifo_file rw_fifo_file_perms; -allow dnssec_triggerd_t self:unix_stream_socket { accept listen }; -allow dnssec_triggerd_t self:tcp_socket { accept listen }; - -allow dnssec_triggerd_t dnssec_trigger_conf_t:file read_file_perms; - -append_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t) -create_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t) -setattr_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t) -logging_log_filetrans(dnssec_triggerd_t, dnssec_trigger_log_t, file) - -manage_files_pattern(dnssec_triggerd_t, dnssec_triggerd_var_run_t, dnssec_triggerd_var_run_t) -files_pid_filetrans(dnssec_triggerd_t, dnssec_triggerd_var_run_t, file) - -kernel_read_system_state(dnssec_triggerd_t) - -corecmd_exec_bin(dnssec_triggerd_t) -corecmd_exec_shell(dnssec_triggerd_t) - -corenet_all_recvfrom_unlabeled(dnssec_triggerd_t) -corenet_all_recvfrom_netlabel(dnssec_triggerd_t) -corenet_tcp_sendrecv_generic_if(dnssec_triggerd_t) -corenet_tcp_sendrecv_generic_node(dnssec_triggerd_t) -corenet_tcp_bind_generic_node(dnssec_triggerd_t) - -corenet_sendrecv_rndc_client_packets(dnssec_triggerd_t) -corenet_tcp_connect_rndc_port(dnssec_triggerd_t) -corenet_tcp_sendrecv_rndc_port(dnssec_triggerd_t) - -corenet_sendrecv_http_client_packets(dnssec_triggerd_t) -corenet_tcp_connect_http_port(dnssec_triggerd_t) -corenet_tcp_sendrecv_http_port(dnssec_triggerd_t) - -dev_read_urand(dnssec_triggerd_t) - -files_read_etc_runtime_files(dnssec_triggerd_t) - -logging_send_syslog_msg(dnssec_triggerd_t) - -miscfiles_read_localization(dnssec_triggerd_t) - -sysnet_dns_name_resolve(dnssec_triggerd_t) -sysnet_manage_config(dnssec_triggerd_t) -sysnet_etc_filetrans_config(dnssec_triggerd_t) - -optional_policy(` - bind_read_config(dnssec_triggerd_t) - bind_read_dnssec_keys(dnssec_triggerd_t) -') diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc deleted file mode 100644 index c8800700..00000000 --- a/policy/modules/contrib/dovecot.fc +++ /dev/null @@ -1,36 +0,0 @@ -/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) -/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - -/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) -/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - -/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) - -/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) - -/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) - -/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) -/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) - -/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) - -/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) - -/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) - -/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) -/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) - -/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) - -/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) -/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) - -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if deleted file mode 100644 index dbcac598..00000000 --- a/policy/modules/contrib/dovecot.if +++ /dev/null @@ -1,175 +0,0 @@ -## <summary>POP and IMAP mail server.</summary> - -####################################### -## <summary> -## Connect to dovecot using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dovecot_stream_connect',` - gen_require(` - type dovecot_t, dovecot_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) -') - -######################################## -## <summary> -## Connect to dovecot using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dovecot_stream_connect_auth',` - gen_require(` - type dovecot_auth_t, dovecot_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t) -') - -######################################## -## <summary> -## Execute dovecot_deliver in the -## dovecot_deliver domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`dovecot_domtrans_deliver',` - gen_require(` - type dovecot_deliver_t, dovecot_deliver_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## dovecot spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dovecot_manage_spool',` - gen_require(` - type dovecot_spool_t; - ') - - files_search_spool($1) - allow $1 dovecot_spool_t:dir manage_dir_perms; - allow $1 dovecot_spool_t:file manage_file_perms; - allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to delete -## dovecot lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`dovecot_dontaudit_unlink_lib_files',` - gen_require(` - type dovecot_var_lib_t; - ') - - dontaudit $1 dovecot_var_lib_t:file delete_file_perms; -') - -###################################### -## <summary> -## Write inherited dovecot tmp files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`dovecot_write_inherited_tmp_files',` - gen_require(` - type dovecot_tmp_t; - ') - - allow $1 dovecot_tmp_t:file write; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an dovecot environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dovecot_admin',` - gen_require(` - type dovecot_t, dovecot_etc_t, dovecot_var_log_t; - type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t; - type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t; - type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t; - ') - - allow $1 dovecot_t:process { ptrace signal_perms }; - ps_process_pattern($1, dovecot_t) - - init_labeled_script_domtrans($1, dovecot_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dovecot_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, dovecot_etc_t) - - logging_list_logs($1) - admin_pattern($1, dovecot_var_log_t) - - files_list_spool($1) - admin_pattern($1, dovecot_spool_t) - - files_search_tmp($1) - admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t }) - - files_list_var_lib($1) - admin_pattern($1, dovecot_var_lib_t) - - files_list_pids($1) - admin_pattern($1, dovecot_var_run_t) - - admin_pattern($1, { dovecot_cert_t dovecot_passwd_t }) -') diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te deleted file mode 100644 index a7bfaf02..00000000 --- a/policy/modules/contrib/dovecot.te +++ /dev/null @@ -1,330 +0,0 @@ -policy_module(dovecot, 1.15.6) - -######################################## -# -# Declarations -# - -attribute dovecot_domain; - -type dovecot_t, dovecot_domain; -type dovecot_exec_t; -init_daemon_domain(dovecot_t, dovecot_exec_t) - -type dovecot_auth_t, dovecot_domain; -type dovecot_auth_exec_t; -domain_type(dovecot_auth_t) -domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) -role system_r types dovecot_auth_t; - -type dovecot_auth_tmp_t; -files_tmp_file(dovecot_auth_tmp_t) - -type dovecot_cert_t; -miscfiles_cert_type(dovecot_cert_t) - -type dovecot_deliver_t, dovecot_domain; -type dovecot_deliver_exec_t; -domain_type(dovecot_deliver_t) -domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) -role system_r types dovecot_deliver_t; - -type dovecot_deliver_tmp_t; -files_tmp_file(dovecot_deliver_tmp_t) - -type dovecot_etc_t; -files_config_file(dovecot_etc_t) - -type dovecot_initrc_exec_t; -init_script_file(dovecot_initrc_exec_t) - -type dovecot_passwd_t; -files_type(dovecot_passwd_t) - -type dovecot_spool_t; -files_type(dovecot_spool_t) - -type dovecot_tmp_t; -files_tmp_file(dovecot_tmp_t) - -type dovecot_var_lib_t; -files_type(dovecot_var_lib_t) - -type dovecot_var_log_t; -logging_log_file(dovecot_var_log_t) - -type dovecot_var_run_t; -files_pid_file(dovecot_var_run_t) - -######################################## -# -# Common local policy -# - -allow dovecot_domain self:capability2 block_suspend; -allow dovecot_domain self:fifo_file rw_fifo_file_perms; - -allow dovecot_domain dovecot_etc_t:dir list_dir_perms; -allow dovecot_domain dovecot_etc_t:file read_file_perms; -allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms; - -kernel_read_all_sysctls(dovecot_domain) -kernel_read_system_state(dovecot_domain) - -corecmd_exec_bin(dovecot_domain) -corecmd_exec_shell(dovecot_domain) - -dev_read_sysfs(dovecot_domain) -dev_read_rand(dovecot_domain) -dev_read_urand(dovecot_domain) - -files_read_etc_runtime_files(dovecot_domain) - -logging_send_syslog_msg(dovecot_domain) - -miscfiles_read_localization(dovecot_domain) - -######################################## -# -# Local policy -# - -allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot }; -dontaudit dovecot_t self:capability sys_tty_config; -allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; -allow dovecot_t self:tcp_socket { accept listen }; -allow dovecot_t self:unix_stream_socket { accept connectto listen }; - -allow dovecot_t dovecot_cert_t:dir list_dir_perms; -allow dovecot_t dovecot_cert_t:file read_file_perms; -allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) -manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) -files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) - -manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) - -manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) - -manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) - -manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) - -can_exec(dovecot_t, dovecot_exec_t) - -allow dovecot_t dovecot_auth_t:process signal; - -domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) - -corenet_all_recvfrom_unlabeled(dovecot_t) -corenet_all_recvfrom_netlabel(dovecot_t) -corenet_tcp_sendrecv_generic_if(dovecot_t) -corenet_tcp_sendrecv_generic_node(dovecot_t) -corenet_tcp_sendrecv_all_ports(dovecot_t) -corenet_tcp_bind_generic_node(dovecot_t) - -corenet_sendrecv_mail_server_packets(dovecot_t) -corenet_tcp_bind_mail_port(dovecot_t) -corenet_sendrecv_pop_server_packets(dovecot_t) -corenet_tcp_bind_pop_port(dovecot_t) -corenet_sendrecv_sieve_server_packets(dovecot_t) -corenet_tcp_bind_sieve_port(dovecot_t) - -corenet_sendrecv_all_client_packets(dovecot_t) -corenet_tcp_connect_all_ports(dovecot_t) -corenet_tcp_connect_postgresql_port(dovecot_t) - -domain_use_interactive_fds(dovecot_t) - -files_read_var_lib_files(dovecot_t) -files_read_var_symlinks(dovecot_t) -files_search_spool(dovecot_t) -files_dontaudit_list_default(dovecot_t) -files_dontaudit_search_all_dirs(dovecot_t) -files_search_all_mountpoints(dovecot_t) - -fs_getattr_all_fs(dovecot_t) -fs_getattr_all_dirs(dovecot_t) -fs_search_auto_mountpoints(dovecot_t) -fs_list_inotifyfs(dovecot_t) - -init_getattr_utmp(dovecot_t) - -auth_use_nsswitch(dovecot_t) - -miscfiles_read_generic_certs(dovecot_t) - -userdom_dontaudit_use_unpriv_user_fds(dovecot_t) -userdom_use_user_terminals(dovecot_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(dovecot_t) - fs_manage_nfs_files(dovecot_t) - fs_manage_nfs_symlinks(dovecot_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(dovecot_t) - fs_manage_cifs_files(dovecot_t) - fs_manage_cifs_symlinks(dovecot_t) -') - -optional_policy(` - kerberos_keytab_template(dovecot, dovecot_t) - kerberos_manage_host_rcache(dovecot_t) - kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0") -') - -optional_policy(` - mta_manage_spool(dovecot_t) - mta_manage_mail_home_rw_content(dovecot_t) - mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir") - mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir") -') - -optional_policy(` - postgresql_stream_connect(dovecot_t) -') - -optional_policy(` - postfix_manage_private_sockets(dovecot_t) - postfix_search_spool(dovecot_t) -') - -optional_policy(` - sendmail_domtrans(dovecot_t) -') - -optional_policy(` - seutil_sigchld_newrole(dovecot_t) -') - -optional_policy(` - squid_dontaudit_search_cache(dovecot_t) -') - -optional_policy(` - udev_read_db(dovecot_t) -') - -######################################## -# -# Auth local policy -# - -allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; -allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; -allow dovecot_auth_t self:unix_stream_socket { accept connectto listen }; - -read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) - -manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) - -allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; -manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) - -allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; - -files_search_pids(dovecot_auth_t) -files_read_usr_files(dovecot_auth_t) -files_read_var_lib_files(dovecot_auth_t) - -auth_domtrans_chk_passwd(dovecot_auth_t) -auth_use_nsswitch(dovecot_auth_t) - -init_rw_utmp(dovecot_auth_t) - -logging_send_audit_msgs(dovecot_auth_t) - -seutil_dontaudit_search_config(dovecot_auth_t) - -sysnet_use_ldap(dovecot_auth_t) - -optional_policy(` - userdom_list_user_tmp(dovecot_auth_t) - userdom_read_user_tmp_files(dovecot_auth_t) - userdom_read_user_tmp_symlinks(dovecot_auth_t) -') - -optional_policy(` - mysql_stream_connect(dovecot_auth_t) - mysql_read_config(dovecot_auth_t) - mysql_tcp_connect(dovecot_auth_t) -') - -optional_policy(` - nis_authenticate(dovecot_auth_t) -') - -optional_policy(` - postfix_manage_private_sockets(dovecot_auth_t) - postfix_search_spool(dovecot_auth_t) -') - -######################################## -# -# Deliver local policy -# - -allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; - -append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) - -manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) -manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) -files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) - -allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; -allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms; -allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms; - -stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t }) - -can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) - -allow dovecot_deliver_t dovecot_t:process signull; - -fs_getattr_all_fs(dovecot_deliver_t) - -auth_use_nsswitch(dovecot_deliver_t) - -logging_search_logs(dovecot_deliver_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(dovecot_deliver_t) - fs_manage_nfs_files(dovecot_deliver_t) - fs_manage_nfs_symlinks(dovecot_deliver_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(dovecot_deliver_t) - fs_manage_cifs_files(dovecot_deliver_t) - fs_manage_cifs_symlinks(dovecot_deliver_t) -') - -optional_policy(` - mta_mailserver_delivery(dovecot_deliver_t) - mta_read_queue(dovecot_deliver_t) -') - -optional_policy(` - postfix_use_fds_master(dovecot_deliver_t) -') - -optional_policy(` - sendmail_domtrans(dovecot_deliver_t) -') diff --git a/policy/modules/contrib/dpkg.fc b/policy/modules/contrib/dpkg.fc deleted file mode 100644 index 751c2510..00000000 --- a/policy/modules/contrib/dpkg.fc +++ /dev/null @@ -1,9 +0,0 @@ -/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0) -/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0) -/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0) - -/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0) -/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0) - -/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0) -/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0) diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if deleted file mode 100644 index 9aa68a6c..00000000 --- a/policy/modules/contrib/dpkg.if +++ /dev/null @@ -1,225 +0,0 @@ -## <summary>Debian package manager.</summary> - -######################################## -## <summary> -## Execute dpkg programs in the dpkg domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`dpkg_domtrans',` - gen_require(` - type dpkg_t, dpkg_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dpkg_exec_t, dpkg_t) -') - -######################################## -## <summary> -## Execute dpkg_script programs in -## the dpkg_script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`dpkg_domtrans_script',` - gen_require(` - type dpkg_script_t; - ') - - corecmd_shell_domtrans($1, dpkg_script_t) - allow dpkg_script_t $1:fd use; - allow dpkg_script_t $1:fifo_file rw_file_perms; - allow dpkg_script_t $1:process sigchld; -') - -######################################## -## <summary> -## Execute dpkg programs in the dpkg domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dpkg_run',` - gen_require(` - attribute_role dpkg_roles; - ') - - dpkg_domtrans($1) - roleattribute $2 dpkg_roles; -') - -######################################## -## <summary> -## Inherit and use file descriptors from dpkg. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dpkg_use_fds',` - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fd use; -') - -######################################## -## <summary> -## Read from unnamed dpkg pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dpkg_read_pipes',` - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fifo_file read_fifo_file_perms; -') - -######################################## -## <summary> -## Read and write unnamed dpkg pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dpkg_rw_pipes',` - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Inherit and use file descriptors -## from dpkg scripts. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dpkg_use_script_fds',` - gen_require(` - type dpkg_script_t; - ') - - allow $1 dpkg_script_t:fd use; -') - -######################################## -## <summary> -## Read dpkg package database content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dpkg_read_db',` - gen_require(` - type dpkg_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 dpkg_var_lib_t:dir list_dir_perms; - read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) - read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## dpkg package database content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dpkg_manage_db',` - gen_require(` - type dpkg_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) - manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) -') - -######################################## -## <summary> -## Do not audit attempts to create, -## read, write, and delete dpkg -## package database content. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`dpkg_dontaudit_manage_db',` - gen_require(` - type dpkg_var_lib_t; - ') - - dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms; - dontaudit $1 dpkg_var_lib_t:file manage_file_perms; - dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## dpkg lock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dpkg_lock_db',` - gen_require(` - type dpkg_lock_t, dpkg_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 dpkg_var_lib_t:dir list_dir_perms; - allow $1 dpkg_lock_t:file manage_file_perms; -') diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te deleted file mode 100644 index 998d7650..00000000 --- a/policy/modules/contrib/dpkg.te +++ /dev/null @@ -1,322 +0,0 @@ -policy_module(dpkg, 1.10.0) - -######################################## -# -# Declarations -# - -attribute_role dpkg_roles; -roleattribute system_r dpkg_roles; - -type dpkg_t; -type dpkg_exec_t; -init_system_domain(dpkg_t, dpkg_exec_t) -domain_obj_id_change_exemption(dpkg_t) -domain_role_change_exemption(dpkg_t) -domain_system_change_exemption(dpkg_t) -domain_interactive_fd(dpkg_t) -role dpkg_roles types dpkg_t; - -type dpkg_lock_t; -files_lock_file(dpkg_lock_t) - -type dpkg_tmp_t; -files_tmp_file(dpkg_tmp_t) - -type dpkg_tmpfs_t; -files_tmpfs_file(dpkg_tmpfs_t) - -type dpkg_var_lib_t alias var_lib_dpkg_t; -files_type(dpkg_var_lib_t) - -type dpkg_script_t; -domain_type(dpkg_script_t) -domain_entry_file(dpkg_t, dpkg_var_lib_t) -corecmd_shell_entry_type(dpkg_script_t) -domain_obj_id_change_exemption(dpkg_script_t) -domain_system_change_exemption(dpkg_script_t) -domain_interactive_fd(dpkg_script_t) -role dpkg_roles types dpkg_script_t; - -type dpkg_script_tmp_t; -files_tmp_file(dpkg_script_tmp_t) - -type dpkg_script_tmpfs_t; -files_tmpfs_file(dpkg_script_tmpfs_t) - -######################################## -# -# Local policy -# - -allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; -allow dpkg_t self:process { setpgid fork getsched setfscreate }; -allow dpkg_t self:fd use; -allow dpkg_t self:fifo_file rw_fifo_file_perms; -allow dpkg_t self:unix_dgram_socket create_socket_perms; -allow dpkg_t self:unix_stream_socket rw_stream_socket_perms; -allow dpkg_t self:unix_dgram_socket sendto; -allow dpkg_t self:unix_stream_socket connectto; -allow dpkg_t self:udp_socket { connect create_socket_perms }; -allow dpkg_t self:tcp_socket create_stream_socket_perms; -allow dpkg_t self:shm create_shm_perms; -allow dpkg_t self:sem create_sem_perms; -allow dpkg_t self:msgq create_msgq_perms; -allow dpkg_t self:msg { send receive }; - -allow dpkg_t dpkg_lock_t:file manage_file_perms; - -manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) -manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) -files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir }) - -manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; -manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t) -files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) - -kernel_read_system_state(dpkg_t) -kernel_read_kernel_sysctls(dpkg_t) - -corecmd_exec_all_executables(dpkg_t) - -corenet_all_recvfrom_unlabeled(dpkg_t) -corenet_all_recvfrom_netlabel(dpkg_t) -corenet_tcp_sendrecv_generic_if(dpkg_t) -corenet_tcp_sendrecv_generic_node(dpkg_t) -corenet_tcp_sendrecv_all_ports(dpkg_t) - -corenet_sendrecv_all_client_packets(dpkg_t) -corenet_tcp_connect_all_ports(dpkg_t) - -dev_list_sysfs(dpkg_t) -dev_list_usbfs(dpkg_t) -dev_read_urand(dpkg_t) - -domain_read_all_domains_state(dpkg_t) -domain_getattr_all_domains(dpkg_t) -domain_dontaudit_ptrace_all_domains(dpkg_t) -domain_use_interactive_fds(dpkg_t) -domain_dontaudit_getattr_all_pipes(dpkg_t) -domain_dontaudit_getattr_all_tcp_sockets(dpkg_t) -domain_dontaudit_getattr_all_udp_sockets(dpkg_t) -domain_dontaudit_getattr_all_packet_sockets(dpkg_t) -domain_dontaudit_getattr_all_raw_sockets(dpkg_t) -domain_dontaudit_getattr_all_stream_sockets(dpkg_t) -domain_dontaudit_getattr_all_dgram_sockets(dpkg_t) - -files_exec_etc_files(dpkg_t) -files_relabel_non_auth_files(dpkg_t) -files_manage_non_auth_files(dpkg_t) - -fs_manage_nfs_dirs(dpkg_t) -fs_manage_nfs_files(dpkg_t) -fs_manage_nfs_symlinks(dpkg_t) -fs_getattr_all_fs(dpkg_t) -fs_search_auto_mountpoints(dpkg_t) - -mls_file_read_all_levels(dpkg_t) -mls_file_write_all_levels(dpkg_t) -mls_file_upgrade(dpkg_t) - -selinux_get_fs_mount(dpkg_t) -selinux_validate_context(dpkg_t) -selinux_compute_access_vector(dpkg_t) -selinux_compute_create_context(dpkg_t) -selinux_compute_relabel_context(dpkg_t) -selinux_compute_user_contexts(dpkg_t) - -storage_raw_write_fixed_disk(dpkg_t) -storage_raw_read_fixed_disk(dpkg_t) - -auth_dontaudit_read_shadow(dpkg_t) - -init_domtrans_script(dpkg_t) -init_use_script_ptys(dpkg_t) - -libs_exec_ld_so(dpkg_t) -libs_exec_lib_files(dpkg_t) -libs_run_ldconfig(dpkg_t, dpkg_roles) - -logging_send_syslog_msg(dpkg_t) - -seutil_manage_src_policy(dpkg_t) -seutil_manage_bin_policy(dpkg_t) - -sysnet_read_config(dpkg_t) - -userdom_use_user_terminals(dpkg_t) -userdom_use_unpriv_users_fds(dpkg_t) - -dpkg_domtrans_script(dpkg_t) - -optional_policy(` - apt_use_ptys(dpkg_t) -') - -optional_policy(` - cron_system_entry(dpkg_t, dpkg_exec_t) -') - -optional_policy(` - nis_use_ypbind(dpkg_t) -') - -optional_policy(` - unconfined_domain(dpkg_t) -') - -# TODO: the following was copied from dpkg_script_t, and could probably -# be removed again when dpkg_script_t is actually used... -domain_signal_all_domains(dpkg_t) -domain_signull_all_domains(dpkg_t) -files_read_etc_runtime_files(dpkg_t) -files_exec_usr_files(dpkg_t) -miscfiles_read_localization(dpkg_t) -modutils_run_depmod(dpkg_t, dpkg_roles) -modutils_run_insmod(dpkg_t, dpkg_roles) -seutil_run_loadpolicy(dpkg_t, dpkg_roles) -seutil_run_setfiles(dpkg_t, dpkg_roles) -userdom_use_all_users_fds(dpkg_t) - -optional_policy(` - mta_send_mail(dpkg_t) -') -optional_policy(` - usermanage_run_groupadd(dpkg_t, dpkg_roles) - usermanage_run_useradd(dpkg_t, dpkg_roles) -') - -######################################## -# -# Script Local policy -# - -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow dpkg_script_t self:fd use; -allow dpkg_script_t self:fifo_file rw_fifo_file_perms; -allow dpkg_script_t self:unix_dgram_socket create_socket_perms; -allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms; -allow dpkg_script_t self:unix_dgram_socket sendto; -allow dpkg_script_t self:unix_stream_socket connectto; -allow dpkg_script_t self:shm create_shm_perms; -allow dpkg_script_t self:sem create_sem_perms; -allow dpkg_script_t self:msgq create_msgq_perms; -allow dpkg_script_t self:msg { send receive }; - -allow dpkg_script_t dpkg_tmp_t:file read_file_perms; - -allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton }; -allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms; -files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir }) - -allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(dpkg_script_t) -kernel_read_system_state(dpkg_script_t) - -corecmd_exec_all_executables(dpkg_script_t) - -dev_list_sysfs(dpkg_script_t) -# Use named file transition to fix this -# dev_manage_generic_blk_files(dpkg_script_t) -# dev_manage_generic_chr_files(dpkg_script_t) -dev_manage_all_blk_files(dpkg_script_t) -dev_manage_all_chr_files(dpkg_script_t) - -domain_read_all_domains_state(dpkg_script_t) -domain_getattr_all_domains(dpkg_script_t) -domain_dontaudit_ptrace_all_domains(dpkg_script_t) -domain_use_interactive_fds(dpkg_script_t) -domain_signal_all_domains(dpkg_script_t) -domain_signull_all_domains(dpkg_script_t) - -files_exec_etc_files(dpkg_script_t) -files_read_etc_runtime_files(dpkg_script_t) -files_exec_usr_files(dpkg_script_t) - -fs_manage_nfs_files(dpkg_script_t) -fs_getattr_nfs(dpkg_script_t) -fs_getattr_xattr_fs(dpkg_script_t) -fs_mount_xattr_fs(dpkg_script_t) -fs_unmount_xattr_fs(dpkg_script_t) -fs_search_auto_mountpoints(dpkg_script_t) - -mls_file_read_all_levels(dpkg_script_t) -mls_file_write_all_levels(dpkg_script_t) - -selinux_get_fs_mount(dpkg_script_t) -selinux_validate_context(dpkg_script_t) -selinux_compute_access_vector(dpkg_script_t) -selinux_compute_create_context(dpkg_script_t) -selinux_compute_relabel_context(dpkg_script_t) -selinux_compute_user_contexts(dpkg_script_t) - -storage_raw_read_fixed_disk(dpkg_script_t) -storage_raw_write_fixed_disk(dpkg_script_t) - -term_use_all_terms(dpkg_script_t) - -auth_dontaudit_getattr_shadow(dpkg_script_t) -files_manage_non_auth_files(dpkg_script_t) - -init_domtrans_script(dpkg_script_t) -init_use_script_fds(dpkg_script_t) - -libs_exec_ld_so(dpkg_script_t) -libs_exec_lib_files(dpkg_script_t) -libs_run_ldconfig(dpkg_script_t, dpkg_roles) - -logging_send_syslog_msg(dpkg_script_t) - -miscfiles_read_localization(dpkg_script_t) - -modutils_run_depmod(dpkg_script_t, dpkg_roles) -modutils_run_insmod(dpkg_script_t, dpkg_roles) - -seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) -seutil_run_setfiles(dpkg_script_t, dpkg_roles) - -userdom_use_all_users_fds(dpkg_script_t) - -tunable_policy(`allow_execmem',` - allow dpkg_script_t self:process execmem; -') - -optional_policy(` - apt_rw_pipes(dpkg_script_t) - apt_use_fds(dpkg_script_t) -') - -optional_policy(` - bootloader_run(dpkg_script_t, dpkg_roles) -') - -optional_policy(` - mta_send_mail(dpkg_script_t) -') - -optional_policy(` - nis_use_ypbind(dpkg_script_t) -') - -optional_policy(` - unconfined_domain(dpkg_script_t) -') - -optional_policy(` - usermanage_run_groupadd(dpkg_script_t, dpkg_roles) - usermanage_run_useradd(dpkg_script_t, dpkg_roles) -') diff --git a/policy/modules/contrib/dracut.te b/policy/modules/contrib/dracut.te index d61e49e2..ab748aa2 100644 --- a/policy/modules/contrib/dracut.te +++ b/policy/modules/contrib/dracut.te @@ -44,7 +44,7 @@ files_create_kernel_img(dracut_t) files_read_etc_files(dracut_t) files_read_kernel_modules(dracut_t) files_read_usr_files(dracut_t) -files_search_pids(dracut_t) +files_search_runtime(dracut_t) libs_exec_ldconfig(dracut_t) libs_exec_ld_so(dracut_t) @@ -52,7 +52,6 @@ libs_exec_lib_files(dracut_t) miscfiles_read_localization(dracut_t) -modutils_list_module_config(dracut_t) #find /etc/modprobe.d modutils_read_module_config(dracut_t) modutils_read_module_deps(dracut_t) diff --git a/policy/modules/contrib/drbd.fc b/policy/modules/contrib/drbd.fc deleted file mode 100644 index 671a3fb6..00000000 --- a/policy/modules/contrib/drbd.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/rc\.d/init\.d/drbd -- gen_context(system_u:object_r:drbd_initrc_exec_t,s0) - -/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) -/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) - -/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) - -/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) -/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) - -/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0) - -/var/lock/subsys/drbd -- gen_context(system_u:object_r:drbd_lock_t,s0) diff --git a/policy/modules/contrib/drbd.if b/policy/modules/contrib/drbd.if deleted file mode 100644 index 9a216393..00000000 --- a/policy/modules/contrib/drbd.if +++ /dev/null @@ -1,59 +0,0 @@ -## <summary>Mirrors a block device over the network to another machine.</summary> - -######################################## -## <summary> -## Execute a domain transition to -## run drbd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`drbd_domtrans',` - gen_require(` - type drbd_t, drbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, drbd_exec_t, drbd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an drbd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`drbd_admin',` - gen_require(` - type drbd_t, drbd_initrc_exec_t, drbd_lock_t; - type drbd_var_lib_t; - ') - - allow $1 drbd_t:process { ptrace signal_perms }; - ps_process_pattern($1, drbd_t) - - init_labeled_script_domtrans($1, drbd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 drbd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_locks($1) - admin_pattern($1, drbd_lock_t) - - files_search_var_lib($1) - admin_pattern($1, drbd_var_lib_t) -') diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te deleted file mode 100644 index 8e5ee54e..00000000 --- a/policy/modules/contrib/drbd.te +++ /dev/null @@ -1,55 +0,0 @@ -policy_module(drbd, 1.0.1) - -######################################## -# -# Declarations -# - -type drbd_t; -type drbd_exec_t; -init_daemon_domain(drbd_t, drbd_exec_t) - -type drbd_initrc_exec_t; -init_script_file(drbd_initrc_exec_t) - -type drbd_var_lib_t; -files_type(drbd_var_lib_t) - -type drbd_lock_t; -files_lock_file(drbd_lock_t) - -######################################## -# -# Local policy -# - -allow drbd_t self:capability { kill net_admin }; -dontaudit drbd_t self:capability sys_tty_config; -allow drbd_t self:fifo_file rw_fifo_file_perms; -allow drbd_t self:unix_stream_socket create_stream_socket_perms; -allow drbd_t self:netlink_socket create_socket_perms; -allow drbd_t self:netlink_route_socket nlmsg_write; - -manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir) - -manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t) -files_lock_filetrans(drbd_t, drbd_lock_t, file) - -can_exec(drbd_t, drbd_exec_t) - -kernel_read_system_state(drbd_t) - -dev_read_rand(drbd_t) -dev_read_sysfs(drbd_t) -dev_read_urand(drbd_t) - -files_read_etc_files(drbd_t) - -storage_raw_read_fixed_disk(drbd_t) - -miscfiles_read_localization(drbd_t) - -sysnet_dns_name_resolve(drbd_t) diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc new file mode 100644 index 00000000..1a9fdff7 --- /dev/null +++ b/policy/modules/contrib/dropbox.fc @@ -0,0 +1,10 @@ +HOME_DIR/Dropbox(/.*)? gen_context(system_u:object_r:dropbox_content_t,s0) + +HOME_DIR/\.dropbox(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0) +HOME_DIR/\.dropbox-dist(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0) +HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0) + +HOME_DIR/\.dropbox-dist(/.*)?/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0) + +/opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0) +/opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0) diff --git a/policy/modules/contrib/dropbox.if b/policy/modules/contrib/dropbox.if new file mode 100644 index 00000000..a010d912 --- /dev/null +++ b/policy/modules/contrib/dropbox.if @@ -0,0 +1,114 @@ +## <summary>Dropbox client - Store, Sync and Share Files Online</summary> + +####################################### +## <summary> +## The role for using the dropbox client. +## </summary> +## <param name="role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## The user domain. +## </summary> +## </param> +# +interface(`dropbox_role',` + gen_require(` + type dropbox_t; + type dropbox_content_t; + type dropbox_exec_t; + type dropbox_home_t; + type dropbox_tmp_t; + ') + + role $1 types dropbox_t; + + domtrans_pattern($2, dropbox_exec_t, dropbox_t) + + allow $2 dropbox_t:process { ptrace signal_perms }; + + manage_dirs_pattern($2, dropbox_home_t, dropbox_home_t) + manage_files_pattern($2, dropbox_home_t, dropbox_home_t) + manage_sock_files_pattern($2, dropbox_home_t, dropbox_home_t) + + manage_files_pattern($2, dropbox_home_t, dropbox_exec_t) + manage_lnk_files_pattern($2, dropbox_home_t, dropbox_exec_t) + + userdom_user_home_dir_filetrans($2, dropbox_home_t, dir, ".dropbox-dist") + filetrans_pattern($2, dropbox_home_t, dropbox_exec_t, file, "dropbox") + filetrans_pattern($2, dropbox_home_t, dropbox_exec_t, file, "dropboxd") + + manage_dirs_pattern($2, dropbox_tmp_t, dropbox_tmp_t) + manage_files_pattern($2, dropbox_tmp_t, dropbox_tmp_t) + + allow $2 dropbox_content_t:dir relabel_dir_perms; + allow $2 dropbox_content_t:file relabel_file_perms; + + dropbox_manage_content($2) + dropbox_dbus_chat($2) + + ps_process_pattern($2, dropbox_t) +') + +######################################### +## <summary> +## Send and receive messages from the dropbox daemon +## over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dropbox_dbus_chat',` + gen_require(` + type dropbox_t; + class dbus send_msg; + ') + + allow $1 dropbox_t:dbus send_msg; + allow dropbox_t $1:dbus send_msg; +') + +####################################### +## <summary> +## Allow other domains to read dropbox's content files +## </summary> +## <param name="domain"> +## <summary> +## The domain that is allowed read access to the dropbox_content_t files +## </summary> +## </param> +# +interface(`dropbox_read_content',` + gen_require(` + type dropbox_content_t; + ') + + list_dirs_pattern($1, dropbox_content_t, dropbox_content_t) + read_files_pattern($1, dropbox_content_t, dropbox_content_t) +') + +####################################### +## <summary> +## Allow other domains to manage dropbox's content files +## </summary> +## <param name="domain"> +## <summary> +## The domain that is allowed to manage the dropbox_content_t files and directories +## </summary> +## </param> +# +interface(`dropbox_manage_content',` + gen_require(` + type dropbox_content_t; + ') + + manage_dirs_pattern($1, dropbox_content_t, dropbox_content_t) + manage_files_pattern($1, dropbox_content_t, dropbox_content_t) +') + diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te new file mode 100644 index 00000000..2aa9a93b --- /dev/null +++ b/policy/modules/contrib/dropbox.te @@ -0,0 +1,127 @@ +policy_module(dropbox, 0.0.1) + +############################ +# +# Declarations +# + +## <desc> +## <p> +## Determine whether dropbox can bind to +## local tcp and udp ports. +## Required for Dropbox' LAN Sync feature +## </p> +## </desc> +gen_tunable(dropbox_bind_port, false) + +type dropbox_t; +type dropbox_exec_t; +userdom_user_application_domain(dropbox_t, dropbox_exec_t) + +# the dropbox dirs eg. ~/.dropbox/ +type dropbox_home_t; +userdom_user_home_content(dropbox_home_t) + +# the type for the main ~/Dropbox folder +type dropbox_content_t; # customizable +userdom_user_home_content(dropbox_content_t) + +type dropbox_tmp_t; +userdom_user_tmp_file(dropbox_tmp_t) + +# for X server SHM +type dropbox_tmpfs_t; +userdom_user_tmpfs_file(dropbox_tmpfs_t) + +############################ +# +# Local Policy Rules +# + +allow dropbox_t self:process { execmem signal_perms }; +allow dropbox_t self:fifo_file rw_fifo_file_perms; +allow dropbox_t dropbox_home_t:file mmap_exec_file_perms; + +# dropbox updates itself in /tmp then in ~/.dropbox-dist/ +can_exec(dropbox_t, dropbox_exec_t) +can_exec(dropbox_t, dropbox_tmp_t) + +manage_dirs_pattern(dropbox_t, dropbox_home_t, dropbox_home_t) +manage_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t) +manage_lnk_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t) +manage_sock_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t) +userdom_user_home_dir_filetrans(dropbox_t, dropbox_home_t, { dir file }) + +manage_files_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t) +manage_lnk_files_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t) +filetrans_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t, file, "dropbox") +filetrans_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t, file, "dropboxd") + +manage_dirs_pattern(dropbox_t, dropbox_content_t, dropbox_content_t) +manage_files_pattern(dropbox_t, dropbox_content_t, dropbox_content_t) +userdom_user_home_dir_filetrans(dropbox_t, dropbox_content_t, dir, "Dropbox") + +manage_dirs_pattern(dropbox_t, dropbox_tmp_t, dropbox_tmp_t) +manage_files_pattern(dropbox_t, dropbox_tmp_t, dropbox_tmp_t) +files_tmp_filetrans(dropbox_t, dropbox_tmp_t, { file dir }) + +manage_dirs_pattern(dropbox_t, dropbox_tmpfs_t, dropbox_tmpfs_t) +manage_files_pattern(dropbox_t, dropbox_tmpfs_t, dropbox_tmpfs_t) +fs_tmpfs_filetrans(dropbox_t, dropbox_tmpfs_t, { file dir }) + +fs_getattr_xattr_fs(dropbox_t) +fs_getattr_tmpfs(dropbox_t) +kernel_read_system_state(dropbox_t) +kernel_read_vm_sysctls(dropbox_t) + +kernel_dontaudit_read_system_state(dropbox_t) +kernel_dontaudit_list_proc(dropbox_t) + +corecmd_exec_bin(dropbox_t) +corecmd_exec_shell(dropbox_t) + +domain_dontaudit_getattr_all_domains(dropbox_t) +domain_dontaudit_search_all_domains_state(dropbox_t) + +dev_read_rand(dropbox_t) +dev_read_urand(dropbox_t) + +libs_exec_ldconfig(dropbox_t) + +files_read_usr_files(dropbox_t) +files_map_usr_files(dropbox_t) +auth_use_nsswitch(dropbox_t) +miscfiles_read_localization(dropbox_t) + +userdom_search_user_home_content(dropbox_t) +userdom_use_user_terminals(dropbox_t) + +xserver_user_x_domain_template(dropbox, dropbox_t, dropbox_tmpfs_t) + +dbus_all_session_bus_client(dropbox_t) + +corenet_all_recvfrom_netlabel(dropbox_t) +corenet_all_recvfrom_unlabeled(dropbox_t) +corenet_tcp_connect_http_port(dropbox_t) +corenet_tcp_sendrecv_generic_if(dropbox_t) +corenet_tcp_sendrecv_generic_node(dropbox_t) + +tunable_policy(`dropbox_bind_port',` + allow dropbox_t self:tcp_socket { accept listen }; + + corenet_tcp_bind_dropbox_port(dropbox_t) + corenet_udp_bind_dropbox_port(dropbox_t) + corenet_tcp_bind_generic_node(dropbox_t) + corenet_udp_bind_generic_node(dropbox_t) +') + +ifdef(`distro_gentoo',` + optional_policy(` + xdg_read_config_home_files(dropbox_t) + xdg_read_data_home_files(dropbox_t) + ') + + optional_policy(` + userdom_user_content_access_template(dropbox, dropbox_t) + ') +') diff --git a/policy/modules/contrib/dspam.fc b/policy/modules/contrib/dspam.fc deleted file mode 100644 index 5eddac51..00000000 --- a/policy/modules/contrib/dspam.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/dspam -- gen_context(system_u:object_r:dspam_initrc_exec_t,s0) - -/usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0) - -/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) - -/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0) -/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0) - -/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0) - -/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0) diff --git a/policy/modules/contrib/dspam.if b/policy/modules/contrib/dspam.if deleted file mode 100644 index 18f24525..00000000 --- a/policy/modules/contrib/dspam.if +++ /dev/null @@ -1,82 +0,0 @@ -## <summary>Content-based spam filter designed for multi-user enterprise systems.</summary> - -######################################## -## <summary> -## Execute a domain transition to run dspam. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dspam_domtrans',` - gen_require(` - type dspam_t, dspam_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dspam_exec_t, dspam_t) -') - -####################################### -## <summary> -## Connect to dspam using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`dspam_stream_connect',` - gen_require(` - type dspam_t, dspam_var_run_t, dspam_tmp_t; - ') - - files_search_pids($1) - files_search_tmp($1) - stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an dspam environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`dspam_admin',` - gen_require(` - type dspam_t, dspam_initrc_exec_t, dspam_log_t; - type dspam_var_lib_t, dspam_var_run_t; - ') - - allow $1 dspam_t:process { ptrace signal_perms }; - ps_process_pattern($1, dspam_t) - - init_labeled_script_domtrans($1, dspam_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dspam_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, dspam_log_t) - - files_search_var_lib($1) - admin_pattern($1, dspam_var_lib_t) - - files_search_pids($1) - admin_pattern($1, dspam_var_run_t) -') diff --git a/policy/modules/contrib/dspam.te b/policy/modules/contrib/dspam.te deleted file mode 100644 index 266cb8f6..00000000 --- a/policy/modules/contrib/dspam.te +++ /dev/null @@ -1,89 +0,0 @@ -policy_module(dspam, 1.0.5) - -######################################## -# -# Declarations -# - -type dspam_t; -type dspam_exec_t; -init_daemon_domain(dspam_t, dspam_exec_t) - -type dspam_initrc_exec_t; -init_script_file(dspam_initrc_exec_t) - -type dspam_log_t; -logging_log_file(dspam_log_t) - -type dspam_var_lib_t; -files_type(dspam_var_lib_t) - -type dspam_var_run_t; -files_pid_file(dspam_var_run_t) - -######################################## -# -# Local policy -# - -allow dspam_t self:capability net_admin; -allow dspam_t self:process signal; -allow dspam_t self:fifo_file rw_fifo_file_perms; -allow dspam_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(dspam_t, dspam_log_t, dspam_log_t) -append_files_pattern(dspam_t, dspam_log_t, dspam_log_t) -create_files_pattern(dspam_t, dspam_log_t, dspam_log_t) -setattr_files_pattern(dspam_t, dspam_log_t, dspam_log_t) -logging_log_filetrans(dspam_t, dspam_log_t, dir) - -manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t) -manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t) -files_var_lib_filetrans(dspam_t, dspam_var_lib_t, dir) - -manage_dirs_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t) -manage_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t) -manage_sock_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t) -files_pid_filetrans(dspam_t, dspam_var_run_t, dir) - -corenet_all_recvfrom_unlabeled(dspam_t) -corenet_all_recvfrom_netlabel(dspam_t) -corenet_tcp_sendrecv_generic_if(dspam_t) -corenet_tcp_sendrecv_generic_node(dspam_t) -corenet_tcp_bind_generic_node(dspam_t) - -corenet_sendrecv_spamd_client_packets(dspam_t) -corenet_sendrecv_spamd_server_packets(dspam_t) -corenet_tcp_bind_spamd_port(dspam_t) -corenet_tcp_connect_spamd_port(dspam_t) -corenet_tcp_sendrecv_spamd_port(dspam_t) - -files_search_spool(dspam_t) - -auth_use_nsswitch(dspam_t) - -logging_send_syslog_msg(dspam_t) - -miscfiles_read_localization(dspam_t) - -optional_policy(` - apache_content_template(dspam) - - list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) - manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) - manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) -') - -optional_policy(` - mysql_stream_connect(dspam_t) - mysql_read_config(dspam_t) - - mysql_tcp_connect(dspam_t) -') - -optional_policy(` - postgresql_stream_connect(dspam_t) - postgresql_unpriv_client(dspam_t) - - postgresql_tcp_connect(dspam_t) -') diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc deleted file mode 100644 index c6987113..00000000 --- a/policy/modules/contrib/entropyd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/((audio-entropyd)|(haveged)) -- gen_context(system_u:object_r:entropyd_initrc_exec_t,s0) - -/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0) -/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0) - -/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) -/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if deleted file mode 100644 index 1161fbff..00000000 --- a/policy/modules/contrib/entropyd.if +++ /dev/null @@ -1,35 +0,0 @@ -## <summary>Generate entropy from audio input.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an entropyd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`entropyd_admin',` - gen_require(` - type entropyd_t, entropyd_initrc_exec_t, entropyd_var_run_t; - ') - - allow $1 entropyd_t:process { ptrace signal_perms }; - ps_process_pattern($1, entropyd_t) - - init_labeled_script_domtrans($1, entropyd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 entropyd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, entropyd_var_run_t) -') diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te deleted file mode 100644 index a0da189e..00000000 --- a/policy/modules/contrib/entropyd.te +++ /dev/null @@ -1,81 +0,0 @@ -policy_module(entropyd, 1.7.2) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether entropyd can use -## audio devices as the source for -## the entropy feeds. -## </p> -## </desc> -gen_tunable(entropyd_use_audio, false) - -type entropyd_t; -type entropyd_exec_t; -init_daemon_domain(entropyd_t, entropyd_exec_t) - -type entropyd_initrc_exec_t; -init_script_file(entropyd_initrc_exec_t) - -type entropyd_var_run_t; -files_pid_file(entropyd_var_run_t) - -######################################## -# -# Local policy -# - -allow entropyd_t self:capability { dac_override ipc_lock sys_admin }; -dontaudit entropyd_t self:capability sys_tty_config; -allow entropyd_t self:process signal_perms; - -manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t) -files_pid_filetrans(entropyd_t, entropyd_var_run_t, file) - -kernel_read_system_state(entropyd_t) -kernel_rw_kernel_sysctl(entropyd_t) - -dev_read_sysfs(entropyd_t) -dev_read_urand(entropyd_t) -dev_write_urand(entropyd_t) -dev_read_rand(entropyd_t) -dev_write_rand(entropyd_t) - -files_read_etc_files(entropyd_t) -files_read_usr_files(entropyd_t) - -fs_getattr_all_fs(entropyd_t) -fs_search_auto_mountpoints(entropyd_t) - -domain_use_interactive_fds(entropyd_t) - -logging_send_syslog_msg(entropyd_t) - -miscfiles_read_localization(entropyd_t) - -userdom_dontaudit_use_unpriv_user_fds(entropyd_t) -userdom_dontaudit_search_user_home_dirs(entropyd_t) - -tunable_policy(`entropyd_use_audio',` - dev_read_sound(entropyd_t) - dev_write_sound(entropyd_t) -') - -optional_policy(` - tunable_policy(`entropyd_use_audio',` - alsa_read_lib(entropyd_t) - alsa_read_rw_config(entropyd_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(entropyd_t) -') - -optional_policy(` - udev_read_db(entropyd_t) -') diff --git a/policy/modules/contrib/evolution.fc b/policy/modules/contrib/evolution.fc deleted file mode 100644 index 597f305d..00000000 --- a/policy/modules/contrib/evolution.fc +++ /dev/null @@ -1,14 +0,0 @@ -HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) -HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) - -/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) - -/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0) - -/usr/lib/evolution/[^/]*/evolution-alarm-notify -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0) -/usr/lib/evolution-webcal/evolution-webcal -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0) - -/usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0) -/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0) -/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0) -/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0) diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if deleted file mode 100644 index d9c17d2e..00000000 --- a/policy/modules/contrib/evolution.if +++ /dev/null @@ -1,169 +0,0 @@ -## <summary>Evolution email client.</summary> - -######################################## -## <summary> -## Role access for evolution. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`evolution_role',` - gen_require(` - attribute_role evolution_roles; - type evolution_t, evolution_exec_t, evolution_home_t; - type evolution_alarm_t, evolution_alarm_exec_t, evolution_alarm_orbit_tmp_t; - type evolution_exchange_t, evolution_exchange_exec_t, evolution_exchange_tmp_t; - type evolution_exchange_orbit_tmp_t, evolution_orbit_tmp_t, evolution_server_orbit_tmp_t; - type evolution_server_t, evolution_server_exec_t, evolution_webcal_t; - type evolution_webcal_exec_t, evolution_alarm_tmpfs_t, evolution_exchange_tmpfs_t; - type evolution_tmpfs_t, evolution_webcal_tmpfs_t; - ') - - roleattribute $1 evolution_roles; - - domtrans_pattern($2, evolution_exec_t, evolution_t) - domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t) - domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t) - domtrans_pattern($2, evolution_server_exec_t, evolution_server_t) - domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t) - - allow $2 { evolution_t evolution_alarm_t evolution_exchange_t evolution_server_t evolution_webcal_t }:process { noatsecure ptrace signal_perms }; - ps_process_pattern($2, { evolution_t evolution_alarm_t evolution_exchange_t }) - ps_process_pattern($2, { evolution_server_t evolution_webcal_t }) - - allow evolution_t $2:dir search_dir_perms; - allow evolution_t $2:file read_file_perms; - allow evolution_t $2:lnk_file read_lnk_file_perms; - - allow $2 evolution_home_t:dir { relabel_dir_perms manage_dir_perms }; - allow $2 evolution_home_t:file { relabel_file_perms manage_file_perms }; - allow $2 evolution_home_t:lnk_file { relabel_lnk_file_perms manage_lnk_file_perms }; - - userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".camel_certs") - userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".evolution") - - allow $2 evolution_exchange_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { evolution_alarm_orbit_tmp_t evolution_exchange_orbit_tmp_t evolution_orbit_tmp_t evolution_server_orbit_tmp_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - - allow { evolution_t evolution_exchange_t } $2:unix_stream_socket connectto; - - stream_connect_pattern($2, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) - stream_connect_pattern($2, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) - - optional_policy(` - evolution_dbus_chat($2) - evolution_alarm_dbus_chat($2) - ') -') - -######################################## -## <summary> -## Create objects in the evolution home -## directories with a private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## Private file type. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`evolution_home_filetrans',` - gen_require(` - type evolution_home_t; - ') - - userdom_search_user_home_dirs($1) - filetrans_pattern($1, evolution_home_t, $2, $3, $4) -') - -######################################## -## <summary> -## Connect to evolution using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`evolution_stream_connect',` - gen_require(` - type evolution_t, evolution_orbit_tmp_t; - ') - - - files_search_tmp($1) - stream_connect_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) -') - -######################################## -## <summary> -## Send and receive messages from -## evolution over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`evolution_dbus_chat',` - gen_require(` - type evolution_t; - class dbus send_msg; - ') - - allow $1 evolution_t:dbus send_msg; - allow evolution_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Send and receive messages from -## evolution_alarm over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`evolution_alarm_dbus_chat',` - gen_require(` - type evolution_alarm_t; - class dbus send_msg; - ') - - allow $1 evolution_alarm_t:dbus send_msg; - allow evolution_alarm_t $1:dbus send_msg; -') diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te deleted file mode 100644 index 94fb6258..00000000 --- a/policy/modules/contrib/evolution.te +++ /dev/null @@ -1,483 +0,0 @@ -policy_module(evolution, 2.3.7) - -######################################## -# -# Declarations -# - -attribute_role evolution_roles; - -type evolution_t; -type evolution_exec_t; -typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t }; -typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t }; -userdom_user_application_domain(evolution_t, evolution_exec_t) -role evolution_roles types evolution_t; - -type evolution_alarm_t; -type evolution_alarm_exec_t; -typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; -typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t }; -userdom_user_application_domain(evolution_alarm_t, evolution_alarm_exec_t) -role evolution_roles types evolution_alarm_t; - -type evolution_alarm_tmpfs_t; -typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t }; -typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t }; -userdom_user_tmpfs_file(evolution_alarm_tmpfs_t) - -type evolution_alarm_orbit_tmp_t; -typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t }; -typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t }; -userdom_user_tmp_file(evolution_alarm_orbit_tmp_t) - -type evolution_exchange_t; -type evolution_exchange_exec_t; -typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t }; -typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t }; -userdom_user_application_domain(evolution_exchange_t, evolution_exchange_exec_t) -role evolution_roles types evolution_exchange_t; - -type evolution_exchange_tmpfs_t; -typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t }; -typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t }; -userdom_user_tmpfs_file(evolution_exchange_tmpfs_t) - -type evolution_exchange_tmp_t; -typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t }; -typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t }; -userdom_user_tmp_file(evolution_exchange_tmp_t) - -type evolution_exchange_orbit_tmp_t; -typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t }; -typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t }; -userdom_user_tmp_file(evolution_exchange_orbit_tmp_t) - -type evolution_home_t; -typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t }; -typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t }; -userdom_user_home_content(evolution_home_t) - -type evolution_orbit_tmp_t; -typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t }; -typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t }; -userdom_user_tmp_file(evolution_orbit_tmp_t) - -type evolution_server_t; -type evolution_server_exec_t; -typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t }; -typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t }; -userdom_user_application_domain(evolution_server_t, evolution_server_exec_t) -role evolution_roles types evolution_server_t; - -type evolution_server_orbit_tmp_t; -typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t }; -typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t }; -userdom_user_tmp_file(evolution_server_orbit_tmp_t) - -type evolution_tmpfs_t; -typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t }; -typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t }; -userdom_user_tmpfs_file(evolution_tmpfs_t) - -type evolution_webcal_t; -type evolution_webcal_exec_t; -typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t }; -typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t }; -userdom_user_application_domain(evolution_webcal_t, evolution_webcal_exec_t) -role evolution_roles types evolution_webcal_t; - -type evolution_webcal_tmpfs_t; -typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t }; -typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t }; -userdom_user_tmpfs_file(evolution_webcal_tmpfs_t) - -######################################## -# -# Local policy -# - -allow evolution_t self:capability { setuid setgid sys_nice }; -allow evolution_t self:process { signal getsched setsched }; -allow evolution_t self:fifo_file rw_file_perms; - -allow evolution_t evolution_home_t:dir manage_dir_perms; -allow evolution_t evolution_home_t:file manage_file_perms; -allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms; -userdom_user_home_dir_filetrans(evolution_t, evolution_home_t, dir, ".evolution") -userdom_user_home_dir_filetrans(evolution_t, evolution_home_t, dir, ".camel_certs") - -allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms; -allow evolution_t evolution_orbit_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file }) - -allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms; -allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file }) - -allow evolution_t evolution_tmpfs_t:dir rw_dir_perms; -allow evolution_t evolution_tmpfs_t:file manage_file_perms; -allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -allow evolution_t { evolution_alarm_t evolution_server_t }:dir search_dir_perms; -allow evolution_t { evolution_alarm_t evolution_server_t }:file read_file_perms; - -stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t) -stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) -stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t) - -can_exec(evolution_t, { evolution_alarm_exec_t evolution_server_exec_t }) - -kernel_read_kernel_sysctls(evolution_t) -kernel_read_system_state(evolution_t) -kernel_read_network_state(evolution_t) -kernel_read_net_sysctls(evolution_t) - -corecmd_exec_bin(evolution_t) -corecmd_exec_shell(evolution_t) - -corenet_all_recvfrom_unlabeled(evolution_t) -corenet_all_recvfrom_netlabel(evolution_t) -corenet_tcp_sendrecv_generic_if(evolution_t) -corenet_udp_sendrecv_generic_if(evolution_t) -corenet_raw_sendrecv_generic_if(evolution_t) -corenet_tcp_sendrecv_generic_node(evolution_t) -corenet_udp_sendrecv_generic_node(evolution_t) -corenet_tcp_sendrecv_all_ports(evolution_t) -corenet_udp_sendrecv_all_ports(evolution_t) - -corenet_sendrecv_pop_client_packets(evolution_t) -corenet_tcp_connect_pop_port(evolution_t) - -corenet_sendrecv_smtp_client_packets(evolution_t) -corenet_tcp_connect_smtp_port(evolution_t) - -corenet_sendrecv_innd_client_packets(evolution_t) -corenet_tcp_connect_innd_port(evolution_t) - -corenet_sendrecv_ldap_client_packets(evolution_t) -corenet_tcp_connect_ldap_port(evolution_t) - -corenet_sendrecv_ipp_client_packets(evolution_t) -corenet_tcp_connect_ipp_port(evolution_t) - -dev_read_urand(evolution_t) - -domain_dontaudit_read_all_domains_state(evolution_t) - -files_read_usr_files(evolution_t) - -fs_search_auto_mountpoints(evolution_t) - -auth_use_nsswitch(evolution_t) - -logging_send_syslog_msg(evolution_t) - -miscfiles_read_localization(evolution_t) - -udev_read_state(evolution_t) - -userdom_use_user_terminals(evolution_t) - -userdom_manage_user_tmp_dirs(evolution_t) -userdom_manage_user_tmp_files(evolution_t) - -userdom_manage_user_home_content_dirs(evolution_t) -userdom_manage_user_home_content_files(evolution_t) -userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file }) - -userdom_write_user_tmp_sockets(evolution_t) - -mta_read_config(evolution_t) - -xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t) -xserver_read_xdm_tmp_files(evolution_t) - -ifndef(`enable_mls',` - fs_list_dos(evolution_t) - fs_read_dos_files(evolution_t) - - fs_search_removable(evolution_t) - fs_read_removable_files(evolution_t) - fs_read_removable_symlinks(evolution_t) - - fs_read_iso9660_files(evolution_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(evolution_t) - fs_manage_nfs_files(evolution_t) - fs_manage_nfs_symlinks(evolution_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(evolution_t) - fs_manage_cifs_files(evolution_t) - fs_manage_cifs_symlinks(evolution_t) -') - -optional_policy(` - automount_read_state(evolution_t) -') - -optional_policy(` - cups_read_rw_config(evolution_t) -') - -optional_policy(` - dbus_system_bus_client(evolution_t) - dbus_all_session_bus_client(evolution_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_t) -') - -optional_policy(` - gpg_domtrans(evolution_t) - gpg_signal(evolution_t) -') - -optional_policy(` - lpd_run_lpr(evolution_t, evolution_roles) -') - -optional_policy(` - mozilla_read_user_home_files(evolution_t) - mozilla_domtrans(evolution_t) -') - -optional_policy(` - spamassassin_exec_spamd(evolution_t) - spamassassin_domtrans_client(evolution_t) - spamassassin_domtrans_local_client(evolution_t) - spamassassin_read_spamd_tmp_files(evolution_t) - spamassassin_signal_spamd(evolution_t) - spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t) -') - -######################################## -# -# Alarm local policy -# - -allow evolution_alarm_t self:process { signal getsched }; -allow evolution_alarm_t self:fifo_file rw_fifo_file_perms; - -allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -allow evolution_alarm_t evolution_home_t:dir manage_dir_perms; -allow evolution_alarm_t evolution_home_t:file manage_file_perms; -allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms; -userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".evolution") -userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".camel_certs") - -stream_connect_pattern(evolution_alarm_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) -stream_connect_pattern(evolution_alarm_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) -stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t) - -dev_read_urand(evolution_alarm_t) - -files_read_usr_files(evolution_alarm_t) - -fs_search_auto_mountpoints(evolution_alarm_t) - -auth_use_nsswitch(evolution_alarm_t) - -miscfiles_read_localization(evolution_alarm_t) - -userdom_dontaudit_read_user_home_content_files(evolution_alarm_t) - -xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(evolution_alarm_t) - fs_manage_nfs_files(evolution_alarm_t) - fs_manage_nfs_symlinks(evolution_alarm_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(evolution_alarm_t) - fs_manage_cifs_files(evolution_alarm_t) - fs_manage_cifs_symlinks(evolution_alarm_t) -') - -optional_policy(` - dbus_all_session_bus_client(evolution_alarm_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_alarm_t) -') - -######################################## -# -# Exchange local policy -# - -allow evolution_exchange_t self:process getsched; -allow evolution_exchange_t self:fifo_file rw_fifo_file_perms; - -allow evolution_exchange_t evolution_home_t:dir manage_dir_perms; -allow evolution_exchange_t evolution_home_t:file manage_file_perms; -allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms; -userdom_user_home_dir_filetrans(evolution_exchange_t, evolution_home_t, dir, ".evolution") -userdom_user_home_dir_filetrans(evolution_exchange_t, evolution_home_t, dir, ".camel_certs") - -allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms; -allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir }) - -allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -stream_connect_pattern(evolution_exchange_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) -stream_connect_pattern(evolution_exchange_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t) -stream_connect_pattern(evolution_exchange_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t) - -kernel_read_network_state(evolution_exchange_t) -kernel_read_net_sysctls(evolution_exchange_t) - -corecmd_exec_bin(evolution_exchange_t) - -dev_read_urand(evolution_exchange_t) - -files_read_usr_files(evolution_exchange_t) - -fs_search_auto_mountpoints(evolution_exchange_t) - -auth_use_nsswitch(evolution_exchange_t) - -miscfiles_read_localization(evolution_exchange_t) - -userdom_dontaudit_read_user_home_content_files(evolution_exchange_t) - -userdom_write_user_tmp_sockets(evolution_exchange_t) - -xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(evolution_exchange_t) - fs_manage_nfs_files(evolution_exchange_t) - fs_manage_nfs_symlinks(evolution_exchange_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(evolution_exchange_t) - fs_manage_cifs_files(evolution_exchange_t) - fs_manage_cifs_symlinks(evolution_exchange_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_exchange_t) -') - -######################################## -# -# Server local policy -# - -allow evolution_server_t self:process { getsched signal }; - -allow evolution_server_t self:fifo_file { read write }; -allow evolution_server_t self:unix_stream_socket { accept connectto listen }; - -allow evolution_server_t evolution_home_t:dir manage_dir_perms; -allow evolution_server_t evolution_home_t:file manage_file_perms; -allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms; -userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".evolution") -userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".camel_certs") - -stream_connect_pattern(evolution_server_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) -stream_connect_pattern(evolution_server_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) -stream_connect_pattern(evolution_server_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t) - -kernel_read_system_state(evolution_server_t) - -corecmd_exec_shell(evolution_server_t) - -corenet_all_recvfrom_unlabeled(evolution_server_t) -corenet_all_recvfrom_netlabel(evolution_server_t) -corenet_tcp_sendrecv_generic_if(evolution_server_t) -corenet_tcp_sendrecv_generic_node(evolution_server_t) - -corenet_sendrecv_http_cache_client_packets(evolution_server_t) -corenet_tcp_sendrecv_http_cache_port(evolution_server_t) -corenet_tcp_connect_http_cache_port(evolution_server_t) - -corenet_sendrecv_http_client_packets(evolution_server_t) -corenet_tcp_sendrecv_http_port(evolution_server_t) -corenet_tcp_connect_http_port(evolution_server_t) - -dev_read_urand(evolution_server_t) - -files_read_usr_files(evolution_server_t) - -fs_search_auto_mountpoints(evolution_server_t) - -auth_use_nsswitch(evolution_server_t) - -miscfiles_read_localization(evolution_server_t) -miscfiles_read_generic_certs(evolution_server_t) - -userdom_dontaudit_read_user_home_content_files(evolution_server_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(evolution_server_t) - fs_manage_nfs_files(evolution_server_t) - fs_manage_nfs_symlinks(evolution_server_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(evolution_server_t) - fs_manage_cifs_files(evolution_server_t) - fs_manage_cifs_symlinks(evolution_server_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_server_t) -') - -######################################## -# -# Webcal local policy -# - -allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -corenet_all_recvfrom_unlabeled(evolution_webcal_t) -corenet_all_recvfrom_netlabel(evolution_webcal_t) -corenet_tcp_sendrecv_generic_if(evolution_webcal_t) -corenet_tcp_sendrecv_generic_node(evolution_webcal_t) - -corenet_tcp_sendrecv_http_port(evolution_webcal_t) -corenet_tcp_connect_http_port(evolution_webcal_t) -corenet_sendrecv_http_client_packets(evolution_webcal_t) - -corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t) -corenet_tcp_connect_http_cache_port(evolution_webcal_t) -corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) - -auth_use_nsswitch(evolution_webcal_t) - -userdom_search_user_home_dirs(evolution_webcal_t) -userdom_dontaudit_read_user_home_content_files(evolution_webcal_t) - -xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t) diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc deleted file mode 100644 index dc0254b4..00000000 --- a/policy/modules/contrib/exim.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0) - -/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) -/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0) - -/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) - -/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) -/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) - -/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if deleted file mode 100644 index 60411132..00000000 --- a/policy/modules/contrib/exim.if +++ /dev/null @@ -1,268 +0,0 @@ -## <summary>Mail transfer agent.</summary> - -######################################## -## <summary> -## Execute a domain transition to run exim. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`exim_domtrans',` - gen_require(` - type exim_t, exim_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, exim_exec_t, exim_t) -') - -######################################## -## <summary> -## Execute exim in the exim domain, -## and allow the specified role -## the exim domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`exim_run',` - gen_require(` - attribute_role exim_roles; - ') - - exim_domtrans($1) - roleattribute $2 exim_roles; -') - -######################################## -## <summary> -## Do not audit attempts to read exim -## temporary tmp files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`exim_dontaudit_read_tmp_files',` - gen_require(` - type exim_tmp_t; - ') - - dontaudit $1 exim_tmp_t:file read_file_perms; -') - -######################################## -## <summary> -## Read exim temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`exim_read_tmp_files',` - gen_require(` - type exim_tmp_t; - ') - - allow $1 exim_tmp_t:file read_file_perms; - files_search_tmp($1) -') - -######################################## -## <summary> -## Read exim pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`exim_read_pid_files',` - gen_require(` - type exim_var_run_t; - ') - - allow $1 exim_var_run_t:file read_file_perms; - files_search_pids($1) -') - -######################################## -## <summary> -## Read exim log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`exim_read_log',` - gen_require(` - type exim_log_t; - ') - - read_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) -') - -######################################## -## <summary> -## Append exim log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`exim_append_log',` - gen_require(` - type exim_log_t; - ') - - append_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## exim log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`exim_manage_log',` - gen_require(` - type exim_log_t; - ') - - manage_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## exim spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`exim_manage_spool_dirs',` - gen_require(` - type exim_spool_t; - ') - - manage_dirs_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) -') - -######################################## -## <summary> -## Read exim spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`exim_read_spool_files',` - gen_require(` - type exim_spool_t; - ') - - allow $1 exim_spool_t:file read_file_perms; - allow $1 exim_spool_t:dir list_dir_perms; - files_search_spool($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## exim spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`exim_manage_spool_files',` - gen_require(` - type exim_spool_t; - ') - - manage_files_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an exim environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`exim_admin',` - gen_require(` - type exim_t, exim_spool_t, exim_log_t; - type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t; - ') - - allow $1 exim_t:process { ptrace signal_perms }; - ps_process_pattern($1, exim_t) - - init_labeled_script_domtrans($1, exim_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 exim_initrc_exec_t system_r; - allow $2 system_r; - - files_search_spool($1) - admin_pattern($1, exim_spool_t) - - logging_search_logs($1) - admin_pattern($1, exim_log_t) - - files_search_pids($1) - admin_pattern($1, exim_var_run_t) - - files_search_tmp($1) - admin_pattern($1, exim_tmp_t) -') diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te deleted file mode 100644 index 19325ce0..00000000 --- a/policy/modules/contrib/exim.te +++ /dev/null @@ -1,234 +0,0 @@ -policy_module(exim, 1.5.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether exim can connect to -## databases. -## </p> -## </desc> -gen_tunable(exim_can_connect_db, false) - -## <desc> -## <p> -## Determine whether exim can read generic -## user content files. -## </p> -## </desc> -gen_tunable(exim_read_user_files, false) - -## <desc> -## <p> -## Determine whether exim can create, -## read, write, and delete generic user -## content files. -## </p> -## </desc> -gen_tunable(exim_manage_user_files, false) - -attribute_role exim_roles; - -type exim_t; -type exim_exec_t; -init_daemon_domain(exim_t, exim_exec_t) -role exim_roles types exim_t; - -mta_mailserver(exim_t, exim_exec_t) -mta_mailserver_delivery(exim_t) -mta_mailserver_user_agent(exim_t) -mta_agent_executable(exim_exec_t) - -type exim_initrc_exec_t; -init_script_file(exim_initrc_exec_t) - -type exim_log_t; -logging_log_file(exim_log_t) - -type exim_spool_t; -files_type(exim_spool_t) - -type exim_tmp_t; -files_tmp_file(exim_tmp_t) - -type exim_var_run_t; -files_pid_file(exim_var_run_t) - -######################################## -# -# Local policy -# - -allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; -allow exim_t self:process { setrlimit setpgid }; -allow exim_t self:fifo_file rw_fifo_file_perms; -allow exim_t self:unix_stream_socket { accept listen }; -allow exim_t self:tcp_socket { accept listen }; - -append_files_pattern(exim_t, exim_log_t, exim_log_t) -create_files_pattern(exim_t, exim_log_t, exim_log_t) -setattr_files_pattern(exim_t, exim_log_t, exim_log_t) -logging_log_filetrans(exim_t, exim_log_t, file) - -manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t) -manage_files_pattern(exim_t, exim_spool_t, exim_spool_t) -manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t) -files_spool_filetrans(exim_t, exim_spool_t, { dir file sock_file }) - -manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t) -manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t) -files_tmp_filetrans(exim_t, exim_tmp_t, { dir file }) - -manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t) -manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t) -files_pid_filetrans(exim_t, exim_var_run_t, { dir file }) - -can_exec(exim_t, exim_exec_t) - -kernel_read_kernel_sysctls(exim_t) -kernel_read_network_state(exim_t) -kernel_dontaudit_read_system_state(exim_t) - -corecmd_search_bin(exim_t) - -corenet_all_recvfrom_unlabeled(exim_t) -corenet_all_recvfrom_netlabel(exim_t) -corenet_tcp_sendrecv_generic_if(exim_t) -corenet_udp_sendrecv_generic_if(exim_t) -corenet_tcp_sendrecv_generic_node(exim_t) -corenet_udp_sendrecv_generic_node(exim_t) -corenet_tcp_sendrecv_all_ports(exim_t) -corenet_tcp_bind_generic_node(exim_t) - -corenet_sendrecv_smtp_server_packets(exim_t) -corenet_tcp_bind_smtp_port(exim_t) - -corenet_sendrecv_amavisd_send_server_packets(exim_t) -corenet_tcp_bind_amavisd_send_port(exim_t) - -corenet_sendrecv_auth_client_packets(exim_t) -corenet_tcp_connect_auth_port(exim_t) - -corenet_sendrecv_smtp_client_packets(exim_t) -corenet_tcp_connect_smtp_port(exim_t) - -corenet_sendrecv_inetd_child_client_packets(exim_t) -corenet_tcp_connect_inetd_child_port(exim_t) - -corenet_sendrecv_spamd_client_packets(exim_t) -corenet_tcp_connect_spamd_port(exim_t) - -dev_read_rand(exim_t) -dev_read_urand(exim_t) - -domain_use_interactive_fds(exim_t) - -files_search_usr(exim_t) -files_search_var(exim_t) -files_read_etc_runtime_files(exim_t) -files_getattr_all_mountpoints(exim_t) - -fs_getattr_xattr_fs(exim_t) -fs_list_inotifyfs(exim_t) - -auth_use_nsswitch(exim_t) - -logging_send_syslog_msg(exim_t) - -miscfiles_read_localization(exim_t) -miscfiles_read_generic_certs(exim_t) - -userdom_dontaudit_search_user_home_dirs(exim_t) - -mta_read_aliases(exim_t) -mta_read_config(exim_t) -mta_manage_spool(exim_t) - -tunable_policy(`exim_can_connect_db',` - corenet_sendrecv_gds_db_client_packets(exim_t) - corenet_tcp_connect_gds_db_port(exim_t) - corenet_tcp_sendrecv_gds_db_port(exim_t) - corenet_sendrecv_mssql_client_packets(exim_t) - corenet_tcp_connect_mssql_port(exim_t) - corenet_tcp_sendrecv_mssql_port(exim_t) - corenet_sendrecv_oracledb_client_packets(exim_t) - corenet_tcp_connect_oracledb_port(exim_t) - corenet_tcp_sendrecv_oracledb_port(exim_t) -') - -tunable_policy(`exim_read_user_files',` - userdom_read_user_home_content_files(exim_t) - userdom_read_user_tmp_files(exim_t) -') - -tunable_policy(`exim_manage_user_files',` - userdom_manage_user_home_content_dirs(exim_t) - userdom_manage_user_tmp_files(exim_t) -') - -optional_policy(` - clamav_domtrans_clamscan(exim_t) - clamav_stream_connect(exim_t) -') - -optional_policy(` - cron_read_pipes(exim_t) - cron_rw_system_job_pipes(exim_t) -') - -optional_policy(` - cyrus_stream_connect(exim_t) -') - -optional_policy(` - dovecot_stream_connect(exim_t) -') - -optional_policy(` - kerberos_keytab_template(exim, exim_t) -') - -optional_policy(` - mailman_read_data_files(exim_t) - mailman_domtrans(exim_t) -') - -optional_policy(` - nagios_search_spool(exim_t) -') - -optional_policy(` - tunable_policy(`exim_can_connect_db',` - mysql_stream_connect(exim_t) - mysql_tcp_connect(exim_t) - ') -') - -optional_policy(` - postgresql_unpriv_client(exim_t) - - tunable_policy(`exim_can_connect_db',` - postgresql_stream_connect(exim_t) - postgresql_tcp_connect(exim_t) - ') -') - -optional_policy(` - procmail_domtrans(exim_t) -') - -optional_policy(` - sasl_connect(exim_t) -') - -optional_policy(` - sendmail_manage_tmp_files(exim_t) -') - -optional_policy(` - spamassassin_exec(exim_t) - spamassassin_exec_client(exim_t) -') diff --git a/policy/modules/contrib/fail2ban.fc b/policy/modules/contrib/fail2ban.fc deleted file mode 100644 index 4da938ff..00000000 --- a/policy/modules/contrib/fail2ban.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0) - -/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) -/usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0) -/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) - -/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) -/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0) -/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if deleted file mode 100644 index 50d0084d..00000000 --- a/policy/modules/contrib/fail2ban.if +++ /dev/null @@ -1,287 +0,0 @@ -## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary> - -######################################## -## <summary> -## Execute a domain transition to run fail2ban. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`fail2ban_domtrans',` - gen_require(` - type fail2ban_t, fail2ban_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) -') - -######################################## -## <summary> -## Execute the fail2ban client in -## the fail2ban client domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`fail2ban_domtrans_client',` - gen_require(` - type fail2ban_client_t, fail2ban_client_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) -') - -######################################## -## <summary> -## Execute fail2ban client in the -## fail2ban client domain, and allow -## the specified role the fail2ban -## client domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`fail2ban_run_client',` - gen_require(` - attribute_role fail2ban_client_roles; - ') - - fail2ban_domtrans_client($1) - roleattribute $2 fail2ban_client_roles; -') - -##################################### -## <summary> -## Connect to fail2ban over a -## unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`fail2ban_stream_connect',` - gen_require(` - type fail2ban_t, fail2ban_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) -') - -######################################## -## <summary> -## Read and write inherited temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`fail2ban_rw_inherited_tmp_files',` - gen_require(` - type fail2ban_tmp_t; - ') - - files_search_tmp($1) - allow $1 fail2ban_tmp_t:file { read write }; -') - -######################################## -## <summary> -## Do not audit attempts to use -## fail2ban file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`fail2ban_dontaudit_use_fds',` - gen_require(` - type fail2ban_t; - ') - - dontaudit $1 fail2ban_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write fail2ban unix stream sockets -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`fail2ban_dontaudit_rw_stream_sockets',` - gen_require(` - type fail2ban_t; - ') - - dontaudit $1 fail2ban_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## Read and write fail2ban unix -## stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`fail2ban_rw_stream_sockets',` - gen_require(` - type fail2ban_t; - ') - - allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; -') - -######################################## -## <summary> -## Read fail2ban lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`fail2ban_read_lib_files',` - gen_require(` - type fail2ban_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 fail2ban_var_lib_t:file read_file_perms; -') - -######################################## -## <summary> -## Read fail2ban log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`fail2ban_read_log',` - gen_require(` - type fail2ban_log_t; - ') - - logging_search_logs($1) - allow $1 fail2ban_log_t:file read_file_perms; -') - -######################################## -## <summary> -## Append fail2ban log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`fail2ban_append_log',` - gen_require(` - type fail2ban_log_t; - ') - - logging_search_logs($1) - allow $1 fail2ban_log_t:file append_file_perms; -') - -######################################## -## <summary> -## Read fail2ban pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`fail2ban_read_pid_files',` - gen_require(` - type fail2ban_var_run_t; - ') - - files_search_pids($1) - allow $1 fail2ban_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an fail2ban environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`fail2ban_admin',` - gen_require(` - type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t; - type fail2ban_var_run_t, fail2ban_initrc_exec_t; - type fail2ban_var_lib_t, fail2ban_client_t; - ') - - allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) - - init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fail2ban_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, fail2ban_log_t) - - files_list_pids($1) - admin_pattern($1, fail2ban_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, fail2ban_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, fail2ban_tmp_t) - - fail2ban_run_client($1, $2) -') diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te deleted file mode 100644 index 955be6e8..00000000 --- a/policy/modules/contrib/fail2ban.te +++ /dev/null @@ -1,157 +0,0 @@ -policy_module(fail2ban, 1.4.9) - -######################################## -# -# Declarations -# - -attribute_role fail2ban_client_roles; - -type fail2ban_t; -type fail2ban_exec_t; -init_daemon_domain(fail2ban_t, fail2ban_exec_t) - -type fail2ban_initrc_exec_t; -init_script_file(fail2ban_initrc_exec_t) - -type fail2ban_log_t; -logging_log_file(fail2ban_log_t) - -type fail2ban_var_lib_t; -files_type(fail2ban_var_lib_t) - -type fail2ban_var_run_t; -files_pid_file(fail2ban_var_run_t) - -type fail2ban_tmp_t; -files_tmp_file(fail2ban_tmp_t) - -type fail2ban_client_t; -type fail2ban_client_exec_t; -init_system_domain(fail2ban_client_t, fail2ban_client_exec_t) -role fail2ban_client_roles types fail2ban_client_t; - -######################################## -# -# Server Local policy -# - -allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; -allow fail2ban_t self:process signal; -allow fail2ban_t self:fifo_file rw_fifo_file_perms; -allow fail2ban_t self:unix_stream_socket { accept connectto listen }; -allow fail2ban_t self:tcp_socket { accept listen }; - -append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) -create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) -setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) -logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) - -manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) -manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) -exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) -files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file }) - -manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) -manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) - -manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file) - -kernel_read_system_state(fail2ban_t) - -corecmd_exec_bin(fail2ban_t) -corecmd_exec_shell(fail2ban_t) - -corenet_all_recvfrom_unlabeled(fail2ban_t) -corenet_all_recvfrom_netlabel(fail2ban_t) -corenet_tcp_sendrecv_generic_if(fail2ban_t) -corenet_tcp_sendrecv_generic_node(fail2ban_t) - -corenet_sendrecv_whois_client_packets(fail2ban_t) -corenet_tcp_connect_whois_port(fail2ban_t) -corenet_tcp_sendrecv_whois_port(fail2ban_t) - -dev_read_urand(fail2ban_t) - -domain_use_interactive_fds(fail2ban_t) -domain_dontaudit_read_all_domains_state(fail2ban_t) - -files_read_etc_runtime_files(fail2ban_t) -files_read_usr_files(fail2ban_t) -files_list_var(fail2ban_t) -files_dontaudit_list_tmp(fail2ban_t) - -fs_list_inotifyfs(fail2ban_t) -fs_getattr_all_fs(fail2ban_t) - -auth_use_nsswitch(fail2ban_t) - -logging_read_all_logs(fail2ban_t) -logging_send_syslog_msg(fail2ban_t) - -miscfiles_read_localization(fail2ban_t) - -sysnet_manage_config(fail2ban_t) -sysnet_etc_filetrans_config(fail2ban_t) - -mta_send_mail(fail2ban_t) - -ifdef(`distro_gentoo',` - # FAM support needs this (/proc/self and parent stuff) - read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) - # Python compilation - files_dontaudit_write_usr_dirs(fail2ban_t) -') - -optional_policy(` - apache_read_log(fail2ban_t) -') - -optional_policy(` - ftp_read_log(fail2ban_t) -') - -optional_policy(` - iptables_domtrans(fail2ban_t) -') - -optional_policy(` - libs_exec_ldconfig(fail2ban_t) -') - -optional_policy(` - shorewall_domtrans(fail2ban_t) -') - -######################################## -# -# Client Local policy -# - -allow fail2ban_client_t self:capability dac_read_search; -allow fail2ban_client_t self:unix_stream_socket { create connect write read }; - -domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) - -stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) - -kernel_read_system_state(fail2ban_client_t) - -corecmd_exec_bin(fail2ban_client_t) - -domain_use_interactive_fds(fail2ban_client_t) - -files_read_etc_files(fail2ban_client_t) -files_read_usr_files(fail2ban_client_t) -files_search_pids(fail2ban_client_t) - -logging_getattr_all_logs(fail2ban_client_t) -logging_search_all_logs(fail2ban_client_t) - -miscfiles_read_localization(fail2ban_client_t) - -userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) -userdom_use_user_terminals(fail2ban_client_t) diff --git a/policy/modules/contrib/fcoe.fc b/policy/modules/contrib/fcoe.fc deleted file mode 100644 index d485e453..00000000 --- a/policy/modules/contrib/fcoe.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/fcoe -- gen_context(system_u:object_r:fcoemon_initrc_exec_t,s0) - -/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0) - -/var/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0) -/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0) diff --git a/policy/modules/contrib/fcoe.if b/policy/modules/contrib/fcoe.if deleted file mode 100644 index c3484a94..00000000 --- a/policy/modules/contrib/fcoe.if +++ /dev/null @@ -1,54 +0,0 @@ -## <summary>Fibre Channel over Ethernet utilities.</summary> - -####################################### -## <summary> -## Send to fcoemon with a unix dgram socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`fcoe_dgram_send_fcoemon',` - gen_require(` - type fcoemon_t, fcoemon_var_run_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, fcoemon_var_run_t, fcoemon_var_run_t, fcoemon_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an fcoemon environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`fcoe_admin',` - gen_require(` - type fcoemon_t, fcoemon_initrc_exec_t, fcoemon_var_run_t; - ') - - allow $1 fcoemon_t:process { ptrace signal_perms }; - ps_process_pattern($1, fcoemon_t) - - init_labeled_script_domtrans($1, fcoemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fcoemon_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, fcoemon_var_run_t) -') diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te deleted file mode 100644 index 79b9273d..00000000 --- a/policy/modules/contrib/fcoe.te +++ /dev/null @@ -1,44 +0,0 @@ -policy_module(fcoe, 1.0.1) - -######################################## -# -# Declarations -# - -type fcoemon_t; -type fcoemon_exec_t; -init_daemon_domain(fcoemon_t, fcoemon_exec_t) - -type fcoemon_initrc_exec_t; -init_script_file(fcoemon_initrc_exec_t) - -type fcoemon_var_run_t; -files_pid_file(fcoemon_var_run_t) - -######################################## -# -# Local policy -# - -allow fcoemon_t self:capability { dac_override kill net_admin }; -allow fcoemon_t self:fifo_file rw_fifo_file_perms; -allow fcoemon_t self:unix_stream_socket { accept listen }; -allow fcoemon_t self:netlink_socket create_socket_perms; -allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms; - -manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) -manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) -manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) -files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file }) - -files_read_etc_files(fcoemon_t) - -dev_read_sysfs(fcoemon_t) - -logging_send_syslog_msg(fcoemon_t) - -miscfiles_read_localization(fcoemon_t) - -optional_policy(` - lldpad_dgram_send(fcoemon_t) -') diff --git a/policy/modules/contrib/fetchmail.fc b/policy/modules/contrib/fetchmail.fc deleted file mode 100644 index 2486e2af..00000000 --- a/policy/modules/contrib/fetchmail.fc +++ /dev/null @@ -1,15 +0,0 @@ -HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0) - -/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) - -/etc/rc\.d/init\.d/fetchmail -- gen_context(system_u:object_r:fetchmail_initrc_exec_t,s0) - -/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0) - -/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) - -/var/log/fetchmail.* gen_context(system_u:object_r:fetchmail_log_t,s0) - -/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) - -/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if deleted file mode 100644 index c3f79166..00000000 --- a/policy/modules/contrib/fetchmail.if +++ /dev/null @@ -1,45 +0,0 @@ -## <summary>Remote-mail retrieval and forwarding utility.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an fetchmail environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`fetchmail_admin',` - gen_require(` - type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t; - type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t; - ') - - init_labeled_script_domtrans($1, fetchmail_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fetchmail_initrc_exec_t system_r; - allow $2 system_r; - - allow $1 fetchmail_t:process { ptrace signal_perms }; - ps_process_pattern($1, fetchmail_t) - - files_list_etc($1) - admin_pattern($1, fetchmail_etc_t) - - files_search_var_lib($1) - admin_pattern($1, fetchmail_uidl_cache_t) - - files_list_pids($1) - admin_pattern($1, fetchmail_var_run_t) - - logging_search_logs($1) - admin_pattern($1, fetchmail_log_t) -') diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te deleted file mode 100644 index f0388cbc..00000000 --- a/policy/modules/contrib/fetchmail.te +++ /dev/null @@ -1,111 +0,0 @@ -policy_module(fetchmail, 1.12.2) - -######################################## -# -# Declarations -# - -type fetchmail_t; -type fetchmail_exec_t; -init_daemon_domain(fetchmail_t, fetchmail_exec_t) -application_executable_file(fetchmail_exec_t) - -type fetchmail_initrc_exec_t; -init_script_file(fetchmail_initrc_exec_t) - -type fetchmail_etc_t; -files_config_file(fetchmail_etc_t) - -type fetchmail_home_t; -userdom_user_home_content(fetchmail_home_t) - -type fetchmail_log_t; -logging_log_file(fetchmail_log_t) - -type fetchmail_var_run_t; -files_pid_file(fetchmail_var_run_t) - -type fetchmail_uidl_cache_t; -files_type(fetchmail_uidl_cache_t) - -######################################## -# -# Local policy -# - -dontaudit fetchmail_t self:capability sys_tty_config; -allow fetchmail_t self:process { signal_perms setrlimit }; -allow fetchmail_t self:unix_stream_socket { accept listen }; - -allow fetchmail_t fetchmail_etc_t:file read_file_perms; - -read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) - -manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) -append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) -create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) -setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) -logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file }) - -allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; -mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) - -manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) -manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) -files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir) - -kernel_read_kernel_sysctls(fetchmail_t) -kernel_list_proc(fetchmail_t) -kernel_getattr_proc_files(fetchmail_t) -kernel_read_proc_symlinks(fetchmail_t) -kernel_dontaudit_read_system_state(fetchmail_t) - -corecmd_exec_bin(fetchmail_t) -corecmd_exec_shell(fetchmail_t) - -corenet_all_recvfrom_unlabeled(fetchmail_t) -corenet_all_recvfrom_netlabel(fetchmail_t) -corenet_tcp_sendrecv_generic_if(fetchmail_t) -corenet_tcp_sendrecv_generic_node(fetchmail_t) -corenet_tcp_sendrecv_all_ports(fetchmail_t) - -corenet_sendrecv_all_client_packets(fetchmail_t) -corenet_tcp_connect_all_ports(fetchmail_t) - -dev_read_sysfs(fetchmail_t) -dev_read_rand(fetchmail_t) -dev_read_urand(fetchmail_t) - -files_read_etc_runtime_files(fetchmail_t) -files_dontaudit_search_home(fetchmail_t) - -fs_getattr_all_fs(fetchmail_t) -fs_search_auto_mountpoints(fetchmail_t) - -domain_use_interactive_fds(fetchmail_t) - -auth_use_nsswitch(fetchmail_t) - -logging_send_syslog_msg(fetchmail_t) - -miscfiles_read_localization(fetchmail_t) -miscfiles_read_generic_certs(fetchmail_t) - -userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) -userdom_search_user_home_dirs(fetchmail_t) - -optional_policy(` - procmail_domtrans(fetchmail_t) -') - -optional_policy(` - sendmail_manage_log(fetchmail_t) -') - -optional_policy(` - seutil_sigchld_newrole(fetchmail_t) -') - -optional_policy(` - udev_read_db(fetchmail_t) -') diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc deleted file mode 100644 index 843940b6..00000000 --- a/policy/modules/contrib/finger.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0) - -/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) - -/usr/sbin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) -/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) - -/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0) - -/var/run/*.fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0) diff --git a/policy/modules/contrib/finger.if b/policy/modules/contrib/finger.if deleted file mode 100644 index 2656d2b5..00000000 --- a/policy/modules/contrib/finger.if +++ /dev/null @@ -1,34 +0,0 @@ -## <summary>Finger user information service.</summary> - -######################################## -## <summary> -## Execute fingerd in the fingerd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`finger_domtrans',` - gen_require(` - type fingerd_t, fingerd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fingerd_exec_t, fingerd_t) -') - -######################################## -## <summary> -## Connect to fingerd with a tcp socket. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`finger_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te deleted file mode 100644 index af4b6d73..00000000 --- a/policy/modules/contrib/finger.te +++ /dev/null @@ -1,104 +0,0 @@ -policy_module(finger, 1.9.1) - -######################################## -# -# Declarations -# - -type fingerd_t; -type fingerd_exec_t; -init_daemon_domain(fingerd_t, fingerd_exec_t) -inetd_tcp_service_domain(fingerd_t, fingerd_exec_t) - -type fingerd_etc_t; -files_config_file(fingerd_etc_t) - -type fingerd_log_t; -logging_log_file(fingerd_log_t) - -type fingerd_var_run_t; -files_pid_file(fingerd_var_run_t) - -######################################## -# -# Local policy -# - -allow fingerd_t self:capability { setgid setuid }; -dontaudit fingerd_t self:capability { sys_tty_config fsetid }; -allow fingerd_t self:process signal_perms; -allow fingerd_t self:fifo_file rw_fifo_file_perms; -allow fingerd_t self:tcp_socket connected_stream_socket_perms; - -manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t) -files_pid_filetrans(fingerd_t, fingerd_var_run_t, file) - -allow fingerd_t fingerd_etc_t:dir list_dir_perms; -read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t) -read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t) - -allow fingerd_t fingerd_log_t:file append_file_perms; -allow fingerd_t fingerd_log_t:file create_file_perms; -allow fingerd_t fingerd_log_t:file setattr_file_perms; -logging_log_filetrans(fingerd_t, fingerd_log_t, file) - -kernel_read_kernel_sysctls(fingerd_t) -kernel_read_system_state(fingerd_t) - -corenet_all_recvfrom_unlabeled(fingerd_t) -corenet_all_recvfrom_netlabel(fingerd_t) -corenet_tcp_sendrecv_generic_if(fingerd_t) -corenet_tcp_sendrecv_generic_node(fingerd_t) -corenet_tcp_bind_generic_node(fingerd_t) - -corenet_sendrecv_fingerd_server_packets(fingerd_t) -corenet_tcp_bind_fingerd_port(fingerd_t) -corenet_tcp_sendrecv_fingerd_port(fingerd_t) - -corecmd_exec_bin(fingerd_t) -corecmd_exec_shell(fingerd_t) - -dev_read_sysfs(fingerd_t) - -domain_use_interactive_fds(fingerd_t) - -files_read_etc_runtime_files(fingerd_t) - -fs_getattr_all_fs(fingerd_t) -fs_search_auto_mountpoints(fingerd_t) - -term_getattr_all_ttys(fingerd_t) -term_getattr_all_ptys(fingerd_t) - -auth_read_lastlog(fingerd_t) - -init_read_utmp(fingerd_t) -init_dontaudit_write_utmp(fingerd_t) - -logging_send_syslog_msg(fingerd_t) - -mta_getattr_spool(fingerd_t) - -miscfiles_read_localization(fingerd_t) - -userdom_dontaudit_use_unpriv_user_fds(fingerd_t) - -optional_policy(` - cron_system_entry(fingerd_t, fingerd_exec_t) -') - -optional_policy(` - logrotate_exec(fingerd_t) -') - -optional_policy(` - seutil_sigchld_newrole(fingerd_t) -') - -optional_policy(` - tcpd_wrapped_domain(fingerd_t, fingerd_exec_t) -') - -optional_policy(` - udev_read_db(fingerd_t) -') diff --git a/policy/modules/contrib/firewalld.fc b/policy/modules/contrib/firewalld.fc deleted file mode 100644 index 21d7b844..00000000 --- a/policy/modules/contrib/firewalld.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0) - -/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) - -/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0) - -/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0) - -/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0) -/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0) diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if deleted file mode 100644 index 5cf6ac6a..00000000 --- a/policy/modules/contrib/firewalld.if +++ /dev/null @@ -1,64 +0,0 @@ -## <summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary> - -######################################## -## <summary> -## Send and receive messages from -## firewalld over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`firewalld_dbus_chat',` - gen_require(` - type firewalld_t; - class dbus send_msg; - ') - - allow $1 firewalld_t:dbus send_msg; - allow firewalld_t $1:dbus send_msg; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an firewalld environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`firewalld_admin',` - gen_require(` - type firewalld_t, firewalld_initrc_exec_t; - type firewall_etc_rw_t, firewalld_var_run_t; - type firewalld_var_log_t; - ') - - allow $1 firewalld_t:process { ptrace signal_perms }; - ps_process_pattern($1, firewalld_t) - - init_labeled_script_domtrans($1, firewalld_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 firewalld_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, firewalld_var_run_t) - - logging_search_logs($1) - admin_pattern($1, firewalld_var_log_t) - - files_search_etc($1) - admin_pattern($1, firewall_etc_rw_t) -') diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te deleted file mode 100644 index c8014f82..00000000 --- a/policy/modules/contrib/firewalld.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(firewalld, 1.0.6) - -######################################## -# -# Declarations -# - -type firewalld_t; -type firewalld_exec_t; -init_daemon_domain(firewalld_t, firewalld_exec_t) - -type firewalld_initrc_exec_t; -init_script_file(firewalld_initrc_exec_t) - -type firewalld_etc_rw_t; -files_config_file(firewalld_etc_rw_t) - -type firewalld_var_log_t; -logging_log_file(firewalld_var_log_t) - -type firewalld_var_run_t; -files_pid_file(firewalld_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit firewalld_t self:capability sys_tty_config; -allow firewalld_t self:fifo_file rw_fifo_file_perms; -allow firewalld_t self:unix_stream_socket { accept listen }; -allow firewalld_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) -manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) - -allow firewalld_t firewalld_var_log_t:file append_file_perms; -allow firewalld_t firewalld_var_log_t:file create_file_perms; -allow firewalld_t firewalld_var_log_t:file read_file_perms; -allow firewalld_t firewalld_var_log_t:file setattr_file_perms; -logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) - -manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) -files_pid_filetrans(firewalld_t, firewalld_var_run_t, file) - -kernel_read_network_state(firewalld_t) -kernel_read_system_state(firewalld_t) - -corecmd_exec_bin(firewalld_t) -corecmd_exec_shell(firewalld_t) - -dev_read_urand(firewalld_t) - -domain_use_interactive_fds(firewalld_t) - -files_read_etc_files(firewalld_t) -files_read_usr_files(firewalld_t) -files_dontaudit_list_tmp(firewalld_t) - -fs_getattr_xattr_fs(firewalld_t) - -logging_send_syslog_msg(firewalld_t) - -miscfiles_read_localization(firewalld_t) - -seutil_exec_setfiles(firewalld_t) -seutil_read_file_contexts(firewalld_t) - -sysnet_read_config(firewalld_t) - -optional_policy(` - dbus_system_domain(firewalld_t, firewalld_exec_t) - - optional_policy(` - devicekit_dbus_chat_power(firewalld_t) - ') - - optional_policy(` - policykit_dbus_chat(firewalld_t) - ') - - optional_policy(` - networkmanager_dbus_chat(firewalld_t) - ') -') - -optional_policy(` - iptables_domtrans(firewalld_t) -') - -optional_policy(` - modutils_domtrans_insmod(firewalld_t) -') diff --git a/policy/modules/contrib/firewallgui.fc b/policy/modules/contrib/firewallgui.fc deleted file mode 100644 index ef1f43de..00000000 --- a/policy/modules/contrib/firewallgui.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) diff --git a/policy/modules/contrib/firewallgui.if b/policy/modules/contrib/firewallgui.if deleted file mode 100644 index e6866d1f..00000000 --- a/policy/modules/contrib/firewallgui.if +++ /dev/null @@ -1,41 +0,0 @@ -## <summary>system-config-firewall dbus system service.</summary> - -######################################## -## <summary> -## Send and receive messages from -## firewallgui over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`firewallgui_dbus_chat',` - gen_require(` - type firewallgui_t; - class dbus send_msg; - ') - - allow $1 firewallgui_t:dbus send_msg; - allow firewallgui_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write firewallgui unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`firewallgui_dontaudit_rw_pipes',` - gen_require(` - type firewallgui_t; - ') - - dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms; -') diff --git a/policy/modules/contrib/firewallgui.te b/policy/modules/contrib/firewallgui.te deleted file mode 100644 index c5ceab10..00000000 --- a/policy/modules/contrib/firewallgui.te +++ /dev/null @@ -1,73 +0,0 @@ -policy_module(firewallgui, 1.0.1) - -######################################## -# -# Declarations -# - -type firewallgui_t; -type firewallgui_exec_t; -init_system_domain(firewallgui_t, firewallgui_exec_t) - -type firewallgui_tmp_t; -files_tmp_file(firewallgui_tmp_t) - -######################################## -# -# Local policy -# - -allow firewallgui_t self:capability { net_admin sys_rawio } ; -allow firewallgui_t self:fifo_file rw_fifo_file_perms; - -manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) -manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) -files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir }) - -kernel_read_system_state(firewallgui_t) -kernel_read_network_state(firewallgui_t) -kernel_rw_net_sysctls(firewallgui_t) -kernel_rw_kernel_sysctl(firewallgui_t) -kernel_rw_vm_sysctls(firewallgui_t) - -corecmd_exec_bin(firewallgui_t) -corecmd_exec_shell(firewallgui_t) - -dev_read_sysfs(firewallgui_t) -dev_read_urand(firewallgui_t) - -files_list_kernel_modules(firewallgui_t) -files_read_usr_files(firewallgui_t) - -auth_use_nsswitch(firewallgui_t) - -miscfiles_read_localization(firewallgui_t) - -seutil_read_config(firewallgui_t) - -userdom_dontaudit_search_user_home_dirs(firewallgui_t) - -optional_policy(` - consoletype_exec(firewallgui_t) -') - -optional_policy(` - dbus_system_domain(firewallgui_t, firewallgui_exec_t) - - optional_policy(` - policykit_dbus_chat(firewallgui_t) - ') -') - -optional_policy(` - gnome_read_generic_gconf_home_content(firewallgui_t) -') - -optional_policy(` - iptables_domtrans(firewallgui_t) - iptables_initrc_domtrans(firewallgui_t) -') - -optional_policy(` - modutils_getattr_module_deps(firewallgui_t) -') diff --git a/policy/modules/contrib/firstboot.fc b/policy/modules/contrib/firstboot.fc deleted file mode 100644 index 12c782c8..00000000 --- a/policy/modules/contrib/firstboot.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0) - -/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) - -/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) diff --git a/policy/modules/contrib/firstboot.if b/policy/modules/contrib/firstboot.if deleted file mode 100644 index 280f875f..00000000 --- a/policy/modules/contrib/firstboot.if +++ /dev/null @@ -1,158 +0,0 @@ -## <summary>Initial system configuration utility.</summary> - -######################################## -## <summary> -## Execute firstboot in the firstboot domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`firstboot_domtrans',` - gen_require(` - type firstboot_t, firstboot_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, firstboot_exec_t, firstboot_t) -') - -######################################## -## <summary> -## Execute firstboot in the firstboot -## domain, and allow the specified role -## the firstboot domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`firstboot_run',` - gen_require(` - attribute_role firstboot_roles; - ') - - firstboot_domtrans($1) - roleattribute $2 firstboot_roles; -') - -######################################## -## <summary> -## Inherit and use firstboot file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`firstboot_use_fds',` - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to inherit -## firstboot file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`firstboot_dontaudit_use_fds',` - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:fd use; -') - -######################################## -## <summary> -## Write firstboot unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`firstboot_write_pipes',` - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fifo_file write; -') - -######################################## -## <summary> -## Read and Write firstboot unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`firstboot_rw_pipes',` - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fifo_file { read write }; -') - -######################################## -## <summary> -## Do not audit attemps to read and -## write firstboot unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`firstboot_dontaudit_rw_pipes',` - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:fifo_file { read write }; -') - -######################################## -## <summary> -## Do not audit attemps to read and -## write firstboot unix domain -## stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`firstboot_dontaudit_rw_stream_sockets',` - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:unix_stream_socket { read write }; -') diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te deleted file mode 100644 index c12c067b..00000000 --- a/policy/modules/contrib/firstboot.te +++ /dev/null @@ -1,126 +0,0 @@ -policy_module(firstboot, 1.12.3) - -gen_require(` - class passwd { passwd chfn chsh rootok }; -') - -######################################## -# -# Declarations -# - -attribute_role firstboot_roles; - -type firstboot_t; -type firstboot_exec_t; -init_system_domain(firstboot_t, firstboot_exec_t) -domain_obj_id_change_exemption(firstboot_t) -domain_subj_id_change_exemption(firstboot_t) -role firstboot_roles types firstboot_t; - -type firstboot_initrc_exec_t; -init_script_file(firstboot_initrc_exec_t) - -type firstboot_etc_t; -files_config_file(firstboot_etc_t) - -######################################## -# -# Local policy -# - -allow firstboot_t self:capability { dac_override setgid }; -allow firstboot_t self:process setfscreate; -allow firstboot_t self:fifo_file rw_fifo_file_perms; -allow firstboot_t self:tcp_socket { accept listen }; -allow firstboot_t self:passwd { rootok passwd chfn chsh }; - -allow firstboot_t firstboot_etc_t:file read_file_perms; - -kernel_read_system_state(firstboot_t) -kernel_read_kernel_sysctls(firstboot_t) - -corecmd_exec_all_executables(firstboot_t) - -dev_read_urand(firstboot_t) - -files_exec_etc_files(firstboot_t) -files_manage_etc_files(firstboot_t) -files_manage_etc_runtime_files(firstboot_t) -files_read_usr_files(firstboot_t) -files_manage_var_dirs(firstboot_t) -files_manage_var_files(firstboot_t) -files_manage_var_symlinks(firstboot_t) -files_create_boot_flag(firstboot_t) -files_delete_boot_flag(firstboot_t) - -selinux_get_fs_mount(firstboot_t) -selinux_validate_context(firstboot_t) -selinux_compute_access_vector(firstboot_t) -selinux_compute_create_context(firstboot_t) -selinux_compute_relabel_context(firstboot_t) -selinux_compute_user_contexts(firstboot_t) - -auth_dontaudit_getattr_shadow(firstboot_t) - -init_domtrans_script(firstboot_t) -init_rw_utmp(firstboot_t) - -libs_exec_ld_so(firstboot_t) -libs_exec_lib_files(firstboot_t) - -locallogin_use_fds(firstboot_t) - -logging_send_syslog_msg(firstboot_t) - -miscfiles_read_localization(firstboot_t) - -sysnet_dns_name_resolve(firstboot_t) - -userdom_use_user_terminals(firstboot_t) -userdom_manage_user_home_content_dirs(firstboot_t) -userdom_manage_user_home_content_files(firstboot_t) -userdom_manage_user_home_content_symlinks(firstboot_t) -userdom_manage_user_home_content_pipes(firstboot_t) -userdom_manage_user_home_content_sockets(firstboot_t) -userdom_home_filetrans_user_home_dir(firstboot_t) -userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - dbus_system_bus_client(firstboot_t) - - optional_policy(` - hal_dbus_chat(firstboot_t) - ') -') - -optional_policy(` - modutils_domtrans_insmod(firstboot_t) - modutils_domtrans_depmod(firstboot_t) - modutils_read_module_config(firstboot_t) - modutils_read_module_deps(firstboot_t) -') - -optional_policy(` - nis_use_ypbind(firstboot_t) -') - -optional_policy(` - samba_rw_config(firstboot_t) -') - -optional_policy(` - unconfined_domtrans(firstboot_t) - unconfined_domain(firstboot_t) -') - -optional_policy(` - gnome_manage_generic_home_content(firstboot_t) -') - -optional_policy(` - xserver_domtrans(firstboot_t) - xserver_rw_shm(firstboot_t) - xserver_unconfined(firstboot_t) - xserver_stream_connect(firstboot_t) -') diff --git a/policy/modules/contrib/fprintd.fc b/policy/modules/contrib/fprintd.fc deleted file mode 100644 index d861e884..00000000 --- a/policy/modules/contrib/fprintd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) - -/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0) diff --git a/policy/modules/contrib/fprintd.if b/policy/modules/contrib/fprintd.if deleted file mode 100644 index 8081132c..00000000 --- a/policy/modules/contrib/fprintd.if +++ /dev/null @@ -1,41 +0,0 @@ -## <summary>DBus fingerprint reader service.</summary> - -######################################## -## <summary> -## Execute a domain transition to run fprintd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`fprintd_domtrans',` - gen_require(` - type fprintd_t, fprintd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fprintd_exec_t, fprintd_t) -') - -######################################## -## <summary> -## Send and receive messages from -## fprintd over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`fprintd_dbus_chat',` - gen_require(` - type fprintd_t; - class dbus send_msg; - ') - - allow $1 fprintd_t:dbus send_msg; - allow fprintd_t $1:dbus send_msg; -') diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te deleted file mode 100644 index c81b6e8f..00000000 --- a/policy/modules/contrib/fprintd.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(fprintd, 1.1.1) - -######################################## -# -# Declarations -# - -type fprintd_t; -type fprintd_exec_t; -init_daemon_domain(fprintd_t, fprintd_exec_t) - -type fprintd_var_lib_t; -files_type(fprintd_var_lib_t) - -######################################## -# -# Local policy -# - -allow fprintd_t self:capability sys_nice; -allow fprintd_t self:process { getsched setsched signal sigkill }; -allow fprintd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) - -kernel_read_system_state(fprintd_t) - -dev_list_usbfs(fprintd_t) -dev_read_sysfs(fprintd_t) -dev_rw_generic_usb_dev(fprintd_t) - -files_read_usr_files(fprintd_t) - -fs_getattr_all_fs(fprintd_t) - -auth_use_nsswitch(fprintd_t) - -miscfiles_read_localization(fprintd_t) - -userdom_use_user_ptys(fprintd_t) -userdom_read_all_users_state(fprintd_t) - -optional_policy(` - dbus_system_domain(fprintd_t, fprintd_exec_t) - - optional_policy(` - consolekit_dbus_chat(fprintd_t) - ') - - optional_policy(` - policykit_dbus_chat(fprintd_t) - policykit_dbus_chat_auth(fprintd_t) - ') -') - -optional_policy(` - policykit_domtrans_auth(fprintd_t) - policykit_read_reload(fprintd_t) - policykit_read_lib(fprintd_t) -') diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc deleted file mode 100644 index ddb75c12..00000000 --- a/policy/modules/contrib/ftp.fc +++ /dev/null @@ -1,28 +0,0 @@ -/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) - -/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - -/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) - -/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0) - -/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - -/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - -/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) - -/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) - -/var/lock/subsys/*.ftpd -- gen_context(system_u:object_r:ftpd_lock_t,s0) - -/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) -/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) -/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) -/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) -/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if deleted file mode 100644 index d0620807..00000000 --- a/policy/modules/contrib/ftp.if +++ /dev/null @@ -1,207 +0,0 @@ -## <summary>File transfer protocol service.</summary> - -####################################### -## <summary> -## Execute a dyntransition to run anon sftpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ftp_dyntrans_anon_sftpd',` - gen_require(` - type anon_sftpd_t; - ') - - dyntrans_pattern($1, anon_sftpd_t) -') - -######################################## -## <summary> -## Connect to over ftpd over TCP. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ftp_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Read ftpd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ftp_read_config',` - gen_require(` - type ftpd_etc_t; - ') - - files_search_etc($1) - allow $1 ftpd_etc_t:file read_file_perms; -') - -######################################## -## <summary> -## Execute FTP daemon entry point programs. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ftp_check_exec',` - gen_require(` - type ftpd_exec_t; - ') - - corecmd_search_bin($1) - allow $1 ftpd_exec_t:file mmap_file_perms; -') - -######################################## -## <summary> -## Read ftpd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ftp_read_log',` - gen_require(` - type xferlog_t; - ') - - logging_search_logs($1) - allow $1 xferlog_t:file read_file_perms; -') - -######################################## -## <summary> -## Execute the ftpdctl in the ftpdctl domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ftp_domtrans_ftpdctl',` - gen_require(` - type ftpdctl_t, ftpdctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t) -') - -######################################## -## <summary> -## Execute the ftpdctl in the ftpdctl -## domain, and allow the specified -## role the ftpctl domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ftp_run_ftpdctl',` - gen_require(` - attribute_role ftpdctl_roles; - ') - - ftp_domtrans_ftpdctl($1) - roleattribute $2 ftpdctl_roles; -') - -####################################### -## <summary> -## Execute a dyntransition to run sftpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ftp_dyntrans_sftpd',` - gen_require(` - type sftpd_t; - ') - - dyntrans_pattern($1, sftpd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ftp environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ftp_admin',` - gen_require(` - type ftpd_t, ftpdctl_t, ftpd_tmp_t; - type ftpd_etc_t, ftpd_lock_t, sftpd_t; - type ftpd_var_run_t, xferlog_t, anon_sftpd_t; - type ftpd_initrc_exec_t, ftpdctl_tmp_t; - ') - - allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms }; - ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }) - - init_labeled_script_domtrans($1, ftpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ftpd_initrc_exec_t system_r; - allow $2 system_r; - - miscfiles_manage_public_files($1) - - files_list_tmp($1) - admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t }) - - files_list_etc($1) - admin_pattern($1, ftpd_etc_t) - - files_list_var($1) - admin_pattern($1, ftpd_lock_t) - - files_list_pids($1) - admin_pattern($1, ftpd_var_run_t) - - logging_list_logs($1) - admin_pattern($1, xferlog_t) - - ftp_run_ftpdctl($1, $2) -') diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te deleted file mode 100644 index e50f33c5..00000000 --- a/policy/modules/contrib/ftp.te +++ /dev/null @@ -1,495 +0,0 @@ -policy_module(ftp, 1.14.1) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether ftpd can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -## </p> -## </desc> -gen_tunable(allow_ftpd_anon_write, false) - -## <desc> -## <p> -## Determine whether ftpd can login to -## local users and can read and write -## all files on the system, governed by DAC. -## </p> -## </desc> -gen_tunable(allow_ftpd_full_access, false) - -## <desc> -## <p> -## Determine whether ftpd can use CIFS -## used for public file transfer services. -## </p> -## </desc> -gen_tunable(allow_ftpd_use_cifs, false) - -## <desc> -## <p> -## Determine whether ftpd can use NFS -## used for public file transfer services. -## </p> -## </desc> -gen_tunable(allow_ftpd_use_nfs, false) - -## <desc> -## <p> -## Determine whether ftpd can connect to -## databases over the TCP network. -## </p> -## </desc> -gen_tunable(ftpd_connect_db, false) - -## <desc> -## <p> -## Determine whether ftpd can bind to all -## unreserved ports for passive mode. -## </p> -## </desc> -gen_tunable(ftpd_use_passive_mode, false) - -## <desc> -## <p> -## Determine whether ftpd can connect to -## all unreserved ports. -## </p> -## </desc> -gen_tunable(ftpd_connect_all_unreserved, false) - -## <desc> -## <p> -## Determine whether ftpd can read and write -## files in user home directories. -## </p> -## </desc> -gen_tunable(ftp_home_dir, false) - -## <desc> -## <p> -## Determine whether sftpd can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -## </p> -## </desc> -gen_tunable(sftpd_anon_write, false) - -## <desc> -## <p> -## Determine whether sftpd-can read and write -## files in user home directories. -## </p> -## </desc> -gen_tunable(sftpd_enable_homedirs, false) - -## <desc> -## <p> -## Determine whether sftpd-can login to -## local users and read and write all -## files on the system, governed by DAC. -## </p> -## </desc> -gen_tunable(sftpd_full_access, false) - -## <desc> -## <p> -## Determine whether sftpd can read and write -## files in user ssh home directories. -## </p> -## </desc> -gen_tunable(sftpd_write_ssh_home, false) - -attribute_role ftpdctl_roles; - -type anon_sftpd_t; -typealias anon_sftpd_t alias sftpd_anon_t; -domain_type(anon_sftpd_t) -role system_r types anon_sftpd_t; - -type ftpd_t; -type ftpd_exec_t; -init_daemon_domain(ftpd_t, ftpd_exec_t) - -type ftpd_etc_t; -files_config_file(ftpd_etc_t) - -type ftpd_initrc_exec_t; -init_script_file(ftpd_initrc_exec_t) - -type ftpd_lock_t; -files_lock_file(ftpd_lock_t) - -type ftpd_tmp_t; -files_tmp_file(ftpd_tmp_t) - -type ftpd_tmpfs_t; -files_tmpfs_file(ftpd_tmpfs_t) - -type ftpd_var_run_t; -files_pid_file(ftpd_var_run_t) - -type ftpdctl_t; -type ftpdctl_exec_t; -init_system_domain(ftpdctl_t, ftpdctl_exec_t) -role ftpdctl_roles types ftpdctl_t; - -type ftpdctl_tmp_t; -files_tmp_file(ftpdctl_tmp_t) - -type sftpd_t; -domain_type(sftpd_t) -role system_r types sftpd_t; - -type xferlog_t; -logging_log_file(xferlog_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) -') - -######################################## -# -# Local policy -# - -allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource }; -dontaudit ftpd_t self:capability sys_tty_config; -allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; -allow ftpd_t self:fifo_file rw_fifo_file_perms; -allow ftpd_t self:unix_dgram_socket sendto; -allow ftpd_t self:unix_stream_socket { accept listen }; -allow ftpd_t self:tcp_socket { accept listen }; -allow ftpd_t self:shm create_shm_perms; -allow ftpd_t self:key manage_key_perms; - -allow ftpd_t ftpd_etc_t:file read_file_perms; - -allow ftpd_t ftpd_lock_t:file manage_file_perms; -files_lock_filetrans(ftpd_t, ftpd_lock_t, file) - -manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) - -allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; - -allow ftpd_t xferlog_t:dir setattr_dir_perms; -append_files_pattern(ftpd_t, xferlog_t, xferlog_t) -create_files_pattern(ftpd_t, xferlog_t, xferlog_t) -setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t) -logging_log_filetrans(ftpd_t, xferlog_t, file) - -kernel_read_kernel_sysctls(ftpd_t) -kernel_read_system_state(ftpd_t) -kernel_search_network_state(ftpd_t) - -dev_read_sysfs(ftpd_t) -dev_read_urand(ftpd_t) - -corecmd_exec_bin(ftpd_t) - -corenet_all_recvfrom_unlabeled(ftpd_t) -corenet_all_recvfrom_netlabel(ftpd_t) -corenet_tcp_sendrecv_generic_if(ftpd_t) -corenet_udp_sendrecv_generic_if(ftpd_t) -corenet_tcp_sendrecv_generic_node(ftpd_t) -corenet_udp_sendrecv_generic_node(ftpd_t) -corenet_tcp_sendrecv_all_ports(ftpd_t) -corenet_udp_sendrecv_all_ports(ftpd_t) -corenet_tcp_bind_generic_node(ftpd_t) - -corenet_sendrecv_ftp_server_packets(ftpd_t) -corenet_tcp_bind_ftp_port(ftpd_t) - -corenet_sendrecv_ftp_data_server_packets(ftpd_t) -corenet_tcp_bind_ftp_data_port(ftpd_t) - -domain_use_interactive_fds(ftpd_t) - -files_read_etc_files(ftpd_t) -files_read_etc_runtime_files(ftpd_t) -files_search_var_lib(ftpd_t) - -fs_search_auto_mountpoints(ftpd_t) -fs_getattr_all_fs(ftpd_t) -fs_search_fusefs(ftpd_t) - -auth_use_pam(ftpd_t) -auth_write_login_records(ftpd_t) -auth_rw_faillog(ftpd_t) -auth_manage_var_auth(ftpd_t) - -init_rw_utmp(ftpd_t) - -logging_send_audit_msgs(ftpd_t) -logging_send_syslog_msg(ftpd_t) -logging_set_loginuid(ftpd_t) - -miscfiles_read_localization(ftpd_t) -miscfiles_read_public_files(ftpd_t) - -seutil_dontaudit_search_config(ftpd_t) - -sysnet_use_ldap(ftpd_t) - -userdom_dontaudit_use_unpriv_user_fds(ftpd_t) -userdom_dontaudit_search_user_home_dirs(ftpd_t) - -tunable_policy(`allow_ftpd_anon_write',` - miscfiles_manage_public_files(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_cifs',` - fs_read_cifs_files(ftpd_t) - fs_read_cifs_symlinks(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` - fs_manage_cifs_files(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_nfs',` - fs_read_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` - fs_manage_nfs_files(ftpd_t) -') - -tunable_policy(`allow_ftpd_full_access',` - allow ftpd_t self:capability { dac_override dac_read_search }; - files_manage_non_auth_files(ftpd_t) -') - -tunable_policy(`ftpd_use_passive_mode',` - corenet_sendrecv_all_server_packets(ftpd_t) - corenet_tcp_bind_all_unreserved_ports(ftpd_t) -') - -tunable_policy(`ftpd_connect_all_unreserved',` - corenet_sendrecv_all_client_packets(ftpd_t) - corenet_tcp_connect_all_unreserved_ports(ftpd_t) -') - -tunable_policy(`ftpd_connect_db',` - corenet_sendrecv_gds_db_client_packets(ftpd_t) - corenet_tcp_connect_gds_db_port(ftpd_t) - corenet_tcp_sendrecv_gds_db_port(ftpd_t) - corenet_sendrecv_mssql_client_packets(ftpd_t) - corenet_tcp_connect_mssql_port(ftpd_t) - corenet_tcp_sendrecv_mssql_port(ftpd_t) - corenet_sendrecv_oracledb_client_packets(ftpd_t) - corenet_tcp_connect_oracledb_port(ftpd_t) - corenet_tcp_sendrecv_oracledb_port(ftpd_t) -') - -tunable_policy(`ftp_home_dir',` - allow ftpd_t self:capability { dac_override dac_read_search }; - - userdom_manage_user_home_content_dirs(ftpd_t) - userdom_manage_user_home_content_files(ftpd_t) - userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) - userdom_manage_user_tmp_dirs(ftpd_t) - userdom_manage_user_tmp_files(ftpd_t) - userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) -',` - userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) - userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) -') - -tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` - fs_manage_nfs_dirs(ftpd_t) - fs_manage_nfs_files(ftpd_t) - fs_manage_nfs_symlinks(ftpd_t) -') - -tunable_policy(`ftp_home_dir && use_samba_home_dirs',` - fs_manage_cifs_dirs(ftpd_t) - fs_manage_cifs_files(ftpd_t) - fs_manage_cifs_symlinks(ftpd_t) -') - -optional_policy(` - tunable_policy(`ftp_home_dir',` - apache_search_sys_content(ftpd_t) - ') -') - -optional_policy(` - corecmd_exec_shell(ftpd_t) - - files_read_usr_files(ftpd_t) - - cron_system_entry(ftpd_t, ftpd_exec_t) - - optional_policy(` - logrotate_exec(ftpd_t) - ') -') - -optional_policy(` - daemontools_service_domain(ftpd_t, ftpd_exec_t) -') - -optional_policy(` - fail2ban_read_lib_files(ftpd_t) -') - -optional_policy(` - selinux_validate_context(ftpd_t) - - kerberos_keytab_template(ftpd, ftpd_t) - kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0") -') - -optional_policy(` - mysql_stream_connect(ftpd_t) - - tunable_policy(`ftpd_connect_db',` - mysql_tcp_connect(ftpd_t) - ') -') - -optional_policy(` - postgresql_stream_connect(ftpd_t) - - tunable_policy(`ftpd_connect_db',` - postgresql_tcp_connect(ftpd_t) - ') -') - -optional_policy(` - inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) - - optional_policy(` - tcpd_domtrans(tcpd_t) - ') -') - -optional_policy(` - dbus_system_bus_client(ftpd_t) - - optional_policy(` - oddjob_dbus_chat(ftpd_t) - oddjob_domtrans_mkhomedir(ftpd_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(ftpd_t) -') - -optional_policy(` - udev_read_db(ftpd_t) -') - -######################################## -# -# Ctl local policy -# - -stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) - -allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; -files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) - -files_read_etc_files(ftpdctl_t) -files_search_pids(ftpdctl_t) - -userdom_use_user_terminals(ftpdctl_t) - -######################################## -# -# Anon sftpd local policy -# - -files_read_etc_files(anon_sftpd_t) - -miscfiles_read_public_files(anon_sftpd_t) - -tunable_policy(`sftpd_anon_write',` - miscfiles_manage_public_files(anon_sftpd_t) -') - -######################################## -# -# Sftpd local policy -# - -files_read_etc_files(sftpd_t) - -userdom_read_user_home_content_files(sftpd_t) -userdom_read_user_home_content_symlinks(sftpd_t) - -tunable_policy(`sftpd_enable_homedirs',` - allow sftpd_t self:capability { dac_override dac_read_search }; - - userdom_manage_user_home_content_dirs(sftpd_t) - userdom_manage_user_home_content_files(sftpd_t) - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) - userdom_manage_user_tmp_dirs(sftpd_t) - userdom_manage_user_tmp_files(sftpd_t) - userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) -',` - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) - userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) -') - -tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` - fs_manage_nfs_dirs(sftpd_t) - fs_manage_nfs_files(sftpd_t) - fs_manage_nfs_symlinks(sftpd_t) -') - -tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` - fs_manage_cifs_dirs(sftpd_t) - fs_manage_cifs_files(sftpd_t) - fs_manage_cifs_symlinks(sftpd_t) -') - -tunable_policy(`sftpd_anon_write',` - miscfiles_manage_public_files(sftpd_t) -') - -tunable_policy(`sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) - files_manage_non_auth_files(sftpd_t) -') - -tunable_policy(`sftpd_write_ssh_home',` - ssh_manage_home_files(sftpd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(sftpd_t) - fs_read_cifs_files(sftpd_t) - fs_read_cifs_symlinks(sftpd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(sftpd_t) - fs_read_nfs_files(sftpd_t) - fs_read_nfs_symlinks(ftpd_t) -') diff --git a/policy/modules/contrib/games.fc b/policy/modules/contrib/games.fc deleted file mode 100644 index 5e2e4f2a..00000000 --- a/policy/modules/contrib/games.fc +++ /dev/null @@ -1,60 +0,0 @@ -/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0) - -/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0) - -/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0) - -/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0) - -/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0) diff --git a/policy/modules/contrib/games.if b/policy/modules/contrib/games.if deleted file mode 100644 index e2a3e0db..00000000 --- a/policy/modules/contrib/games.if +++ /dev/null @@ -1,60 +0,0 @@ -## <summary>Various games.</summary> - -######################################## -## <summary> -## Role access for games. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`games_role',` - gen_require(` - attribute_role games_roles; - type games_t, games_exec_t, games_tmp_t; - type games_tmpfs_t; - ') - - roleattribute $1 games_roles; - - domtrans_pattern($2, games_exec_t, games_t) - - allow $2 games_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { games_tmp_t games_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 games_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 games_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow $2 games_t:process { ptrace signal_perms }; - ps_process_pattern($2, games_t) - - stream_connect_pattern($2, games_tmpfs_t, games_tmpfs_t, games_t) - - allow games_t $2:unix_stream_socket connectto; -') - -######################################## -## <summary> -## Read and write games data files. -## games data. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`games_rw_data',` - gen_require(` - type games_data_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, games_data_t, games_data_t) -') diff --git a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te deleted file mode 100644 index 572fb12a..00000000 --- a/policy/modules/contrib/games.te +++ /dev/null @@ -1,176 +0,0 @@ -policy_module(games, 2.2.4) - -######################################## -# -# Declarations -# - -attribute_role games_roles; - -type games_t; -type games_exec_t; -typealias games_t alias { user_games_t staff_games_t sysadm_games_t }; -typealias games_t alias { auditadm_games_t secadm_games_t }; -userdom_user_application_domain(games_t, games_exec_t) -role games_roles types games_t; - -type games_data_t; -typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; -typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t }; -files_type(games_data_t) -ubac_constrained(games_data_t) - -type games_devpts_t; -typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t }; -typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t }; -term_pty(games_devpts_t) -ubac_constrained(games_devpts_t) - -type games_srv_t; -init_system_domain(games_srv_t, games_exec_t) - -type games_srv_var_run_t; -files_pid_file(games_srv_var_run_t) - -type games_tmp_t; -typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t }; -typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t }; -userdom_user_tmp_file(games_tmp_t) - -type games_tmpfs_t; -typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t }; -typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t }; -userdom_user_tmpfs_file(games_tmpfs_t) - -######################################## -# -# Server local policy -# - -dontaudit games_srv_t self:capability sys_tty_config; -allow games_srv_t self:process signal_perms; - -manage_files_pattern(games_srv_t, games_data_t, games_data_t) -manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t) - -manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t) -files_pid_filetrans(games_srv_t, games_srv_var_run_t, file) - -can_exec(games_srv_t, games_exec_t) - -kernel_read_kernel_sysctls(games_srv_t) -kernel_list_proc(games_srv_t) -kernel_read_proc_symlinks(games_srv_t) - -dev_read_sysfs(games_srv_t) - -fs_getattr_all_fs(games_srv_t) -fs_search_auto_mountpoints(games_srv_t) - -term_dontaudit_use_console(games_srv_t) - -domain_use_interactive_fds(games_srv_t) - -init_use_fds(games_srv_t) -init_use_script_ptys(games_srv_t) - -logging_send_syslog_msg(games_srv_t) - -miscfiles_read_localization(games_srv_t) - -userdom_dontaudit_use_unpriv_user_fds(games_srv_t) - -userdom_dontaudit_search_user_home_dirs(games_srv_t) - -optional_policy(` - seutil_sigchld_newrole(games_srv_t) -') - -optional_policy(` - udev_read_db(games_srv_t) -') - -######################################## -# -# Client local policy -# - -allow games_t self:sem create_sem_perms; -allow games_t self:tcp_socket { accept listen }; - -manage_files_pattern(games_t, games_data_t, games_data_t) -manage_lnk_files_pattern(games_t, games_data_t, games_data_t) - -allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -term_create_pty(games_t, games_devpts_t) - -manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t) -manage_files_pattern(games_t, games_tmp_t, games_tmp_t) -files_tmp_filetrans(games_t, games_tmp_t, { file dir }) - -manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file }) - -can_exec(games_t, games_exec_t) - -kernel_read_system_state(games_t) - -corecmd_exec_bin(games_t) - -corenet_all_recvfrom_unlabeled(games_t) -corenet_all_recvfrom_netlabel(games_t) -corenet_tcp_sendrecv_generic_if(games_t) -corenet_tcp_sendrecv_generic_node(games_t) -corenet_tcp_sendrecv_all_ports(games_t) -corenet_tcp_bind_generic_node(games_t) - -corenet_sendrecv_generic_server_packets(games_t) -corenet_tcp_bind_generic_port(games_t) - -corenet_sendrecv_generic_client_packets(games_t) -corenet_tcp_connect_generic_port(games_t) - -dev_read_sound(games_t) -dev_read_input(games_t) -dev_read_mouse(games_t) -dev_read_urand(games_t) -dev_write_sound(games_t) - -files_list_var(games_t) -files_search_var_lib(games_t) -files_dontaudit_search_var(games_t) -files_read_etc_files(games_t) -files_read_usr_files(games_t) -files_read_var_files(games_t) - -init_dontaudit_rw_utmp(games_t) - -logging_dontaudit_search_logs(games_t) - -miscfiles_read_man_pages(games_t) -miscfiles_read_localization(games_t) - -sysnet_dns_name_resolve(games_t) - -userdom_manage_user_tmp_dirs(games_t) -userdom_manage_user_tmp_files(games_t) -userdom_manage_user_tmp_symlinks(games_t) -userdom_manage_user_tmp_sockets(games_t) -userdom_dontaudit_read_user_home_content_files(games_t) - -tunable_policy(`allow_execmem',` - allow games_t self:process execmem; -') - -optional_policy(` - nscd_use(games_t) -') - -optional_policy(` - xserver_user_x_domain_template(games, games_t, games_tmpfs_t) - xserver_create_xdm_tmp_sockets(games_t) - xserver_read_xdm_lib_files(games_t) -') diff --git a/policy/modules/contrib/gatekeeper.fc b/policy/modules/contrib/gatekeeper.fc deleted file mode 100644 index 9f44fb64..00000000 --- a/policy/modules/contrib/gatekeeper.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/gatekeeper\.ini -- gen_context(system_u:object_r:gatekeeper_etc_t,s0) - -/etc/rc\.d/init\.d/gnugk -- gen_context(system_u:object_r:gatekeeper_initrc_exec_t,s0) - -/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0) -/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0) - -/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0) - -/var/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0) -/var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0) diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if deleted file mode 100644 index 30926d7b..00000000 --- a/policy/modules/contrib/gatekeeper.if +++ /dev/null @@ -1,45 +0,0 @@ -## <summary>OpenH.323 Voice-Over-IP Gatekeeper.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an gatekeeper environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`gatekeeper_admin',` - gen_require(` - type gatekeeper_t, gatekeeper_etc_t, gatekeeper_log_t; - type gatekeeper_var_run_t, gatekeeper_tmp_t, gatekeeper_initrc_exec_t; - ') - - allow $1 gatekeeper_t:process { ptrace signal_perms }; - ps_process_pattern($1, gatekeeper_t) - - init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 gatekeeper_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, gatekeeper_etc_t) - - logging_search_logs($1) - admin_pattern($1, gatekeeper_log_t) - - files_search_tmp($1) - admin_pattern($1, gatekeeper_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, gatekeeper_var_run_t) -') diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te deleted file mode 100644 index fc3b0360..00000000 --- a/policy/modules/contrib/gatekeeper.te +++ /dev/null @@ -1,104 +0,0 @@ -policy_module(gatekeeper, 1.7.1) - -######################################## -# -# Declarations -# - -type gatekeeper_t; -type gatekeeper_exec_t; -init_daemon_domain(gatekeeper_t, gatekeeper_exec_t) - -type gatekeeper_initrc_exec_t; -init_script_file(gatekeeper_initrc_exec_t) - -type gatekeeper_etc_t; -files_config_file(gatekeeper_etc_t) - -type gatekeeper_log_t; -logging_log_file(gatekeeper_log_t) - -type gatekeeper_tmp_t; -files_tmp_file(gatekeeper_tmp_t) - -type gatekeeper_var_run_t; -files_pid_file(gatekeeper_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit gatekeeper_t self:capability sys_tty_config; -allow gatekeeper_t self:process { setsched signal_perms }; -allow gatekeeper_t self:fifo_file rw_fifo_file_perms; -allow gatekeeper_t self:tcp_socket create_stream_socket_perms; -allow gatekeeper_t self:udp_socket create_socket_perms; - -allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms; -allow gatekeeper_t gatekeeper_etc_t:file read_file_perms; - -manage_dirs_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t) -append_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t) -create_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t) -setattr_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t) -logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir }) - -manage_dirs_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t) -manage_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t) -files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir }) - -manage_dirs_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t) -manage_files_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t) -files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, { dir file }) - -kernel_read_system_state(gatekeeper_t) -kernel_read_kernel_sysctls(gatekeeper_t) - -corecmd_list_bin(gatekeeper_t) - -corenet_all_recvfrom_unlabeled(gatekeeper_t) -corenet_all_recvfrom_netlabel(gatekeeper_t) -corenet_tcp_sendrecv_generic_if(gatekeeper_t) -corenet_udp_sendrecv_generic_if(gatekeeper_t) -corenet_tcp_sendrecv_generic_node(gatekeeper_t) -corenet_udp_sendrecv_generic_node(gatekeeper_t) -corenet_tcp_sendrecv_all_ports(gatekeeper_t) -corenet_udp_sendrecv_all_ports(gatekeeper_t) -corenet_tcp_bind_generic_node(gatekeeper_t) -corenet_udp_bind_generic_node(gatekeeper_t) - -corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t) -corenet_tcp_bind_gatekeeper_port(gatekeeper_t) -corenet_udp_bind_gatekeeper_port(gatekeeper_t) - -dev_read_sysfs(gatekeeper_t) -dev_read_urand(gatekeeper_t) - -domain_use_interactive_fds(gatekeeper_t) - -files_read_etc_files(gatekeeper_t) - -fs_getattr_all_fs(gatekeeper_t) -fs_search_auto_mountpoints(gatekeeper_t) - -logging_send_syslog_msg(gatekeeper_t) - -miscfiles_read_localization(gatekeeper_t) - -sysnet_read_config(gatekeeper_t) - -userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) -userdom_dontaudit_search_user_home_dirs(gatekeeper_t) - -optional_policy(` - nis_use_ypbind(gatekeeper_t) -') - -optional_policy(` - seutil_sigchld_newrole(gatekeeper_t) -') - -optional_policy(` - udev_read_db(gatekeeper_t) -') diff --git a/policy/modules/contrib/gift.fc b/policy/modules/contrib/gift.fc deleted file mode 100644 index e27fa519..00000000 --- a/policy/modules/contrib/gift.fc +++ /dev/null @@ -1,6 +0,0 @@ -HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0) - -/usr/bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) -/usr/bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) -/usr/bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0) -/usr/bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0) diff --git a/policy/modules/contrib/gift.if b/policy/modules/contrib/gift.if deleted file mode 100644 index e9023e56..00000000 --- a/policy/modules/contrib/gift.if +++ /dev/null @@ -1,40 +0,0 @@ -## <summary>Peer to peer file sharing tool.</summary> - -######################################## -## <summary> -## Role access for gift. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`gift_role',` - gen_require(` - attribute_role gift_roles, giftd_roles; - type gift_t, gift_exec_t, gift_home_t; - type giftd_t, giftd_exec_t, gift_tmpfs_t; - ') - - roleattribute $1 gift_roles; - roleattribute $1 giftd_roles; - - domtrans_pattern($2, gift_exec_t, gift_t) - domtrans_pattern($2, giftd_exec_t, giftd_t) - - allow $2 gift_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { gift_home_t gift_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { gift_home_t gift_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 gift_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 gift_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - userdom_user_home_dir_filetrans($2, gift_home_t, dir, ".giFT") - - ps_process_pattern($2, { gift_t giftd_t }) - allow $2 { gift_t giftd_t }:process { ptrace signal_perms }; -') diff --git a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te deleted file mode 100644 index 395238e4..00000000 --- a/policy/modules/contrib/gift.te +++ /dev/null @@ -1,140 +0,0 @@ -policy_module(gift, 2.3.4) - -######################################## -# -# Declarations -# - -attribute_role gift_roles; -attribute_role giftd_roles; - -type gift_t; -type gift_exec_t; -typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t }; -typealias gift_t alias { auditadm_gift_t secadm_gift_t }; -userdom_user_application_domain(gift_t, gift_exec_t) -role gift_roles types gift_t; - -type gift_home_t; -typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t }; -typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t }; -userdom_user_home_content(gift_home_t) - -type gift_tmpfs_t; -typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t }; -typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t }; -userdom_user_tmpfs_file(gift_tmpfs_t) - -type giftd_t; -type giftd_exec_t; -typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t }; -typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t }; -userdom_user_application_domain(giftd_t, giftd_exec_t) -role giftd_roles types giftd_t; - -############################## -# -# Client local policy -# - -manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(gift_t, gift_home_t, gift_home_t) -manage_files_pattern(gift_t, gift_home_t, gift_home_t) -manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t) -userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir) - -domtrans_pattern(gift_t, giftd_exec_t, giftd_t) - -kernel_read_system_state(gift_t) - -corenet_all_recvfrom_unlabeled(gift_t) -corenet_all_recvfrom_netlabel(gift_t) -corenet_tcp_sendrecv_generic_if(gift_t) -corenet_tcp_sendrecv_generic_node(gift_t) - -corenet_sendrecv_giftd_client_packets(gift_t) -corenet_tcp_connect_giftd_port(gift_t) -corenet_tcp_sendrecv_giftd_port(gift_t) - -fs_search_auto_mountpoints(gift_t) - -auth_use_nsswitch(gift_t) - -userdom_dontaudit_read_user_home_content_files(gift_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gift_t) - fs_manage_nfs_files(gift_t) - fs_manage_nfs_symlinks(gift_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gift_t) - fs_manage_cifs_files(gift_t) - fs_manage_cifs_symlinks(gift_t) -') - -optional_policy(` - xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) -') - -############################## -# -# Server local policy -# - -allow giftd_t self:process { signal setsched }; -allow giftd_t self:unix_stream_socket create_socket_perms; -allow giftd_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t) -manage_files_pattern(giftd_t, gift_home_t, gift_home_t) -manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t) -userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir) - -kernel_read_system_state(giftd_t) -kernel_read_kernel_sysctls(giftd_t) - -corenet_all_recvfrom_unlabeled(giftd_t) -corenet_all_recvfrom_netlabel(giftd_t) -corenet_tcp_sendrecv_generic_if(giftd_t) -corenet_udp_sendrecv_generic_if(giftd_t) -corenet_tcp_sendrecv_generic_node(giftd_t) -corenet_udp_sendrecv_generic_node(giftd_t) -corenet_tcp_sendrecv_all_ports(giftd_t) -corenet_udp_sendrecv_all_ports(giftd_t) -corenet_tcp_bind_generic_node(giftd_t) -corenet_udp_bind_generic_node(giftd_t) - -corenet_sendrecv_all_server_packets(giftd_t) -corenet_tcp_bind_all_ports(giftd_t) -corenet_udp_bind_all_ports(giftd_t) - -corenet_sendrecv_all_client_packets(giftd_t) -corenet_tcp_connect_all_ports(giftd_t) - -files_read_etc_runtime_files(giftd_t) -files_read_usr_files(giftd_t) - -miscfiles_read_localization(giftd_t) - -sysnet_dns_name_resolve(giftd_t) - -userdom_use_user_terminals(giftd_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(giftd_t) - fs_manage_nfs_files(giftd_t) - fs_manage_nfs_symlinks(giftd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(giftd_t) - fs_manage_cifs_files(giftd_t) - fs_manage_cifs_symlinks(giftd_t) -') diff --git a/policy/modules/contrib/git.fc b/policy/modules/contrib/git.fc deleted file mode 100644 index 24700f84..00000000 --- a/policy/modules/contrib/git.fc +++ /dev/null @@ -1,13 +0,0 @@ -HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) - -/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) - -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) - -/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) - -/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/contrib/git.if b/policy/modules/contrib/git.if deleted file mode 100644 index 1e29af19..00000000 --- a/policy/modules/contrib/git.if +++ /dev/null @@ -1,81 +0,0 @@ -## <summary>GIT revision control system.</summary> - -######################################## -## <summary> -## Role access for Git session. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -template(`git_role',` - gen_require(` - attribute_role git_session_roles; - type git_session_t, gitd_exec_t, git_user_content_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 git_session_roles; - - ######################################## - # - # Policy - # - - allow $2 git_user_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git") - - allow $2 git_session_t:process { ptrace signal_perms }; - ps_process_pattern($2, git_session_t) - - tunable_policy(`git_session_users',` - domtrans_pattern($2, gitd_exec_t, git_session_t) - ',` - can_exec($2, gitd_exec_t) - ') -') - -######################################## -## <summary> -## Read generic system content files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`git_read_generic_sys_content_files',` - gen_require(` - type git_sys_content_t; - ') - - list_dirs_pattern($1, git_sys_content_t, git_sys_content_t) - read_files_pattern($1, git_sys_content_t, git_sys_content_t) - - files_search_var_lib($1) - - tunable_policy(`git_system_use_cifs',` - fs_getattr_cifs($1) - fs_list_cifs($1) - fs_read_cifs_files($1) - ') - - tunable_policy(`git_system_use_nfs',` - fs_getattr_nfs($1) - fs_list_nfs($1) - fs_read_nfs_files($1) - ') -') diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te deleted file mode 100644 index 93b03011..00000000 --- a/policy/modules/contrib/git.te +++ /dev/null @@ -1,266 +0,0 @@ -policy_module(git, 1.2.3) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether Git CGI -## can search home directories. -## </p> -## </desc> -gen_tunable(git_cgi_enable_homedirs, false) - -## <desc> -## <p> -## Determine whether Git CGI -## can access cifs file systems. -## </p> -## </desc> -gen_tunable(git_cgi_use_cifs, false) - -## <desc> -## <p> -## Determine whether Git CGI -## can access nfs file systems. -## </p> -## </desc> -gen_tunable(git_cgi_use_nfs, false) - -## <desc> -## <p> -## Determine whether Git session daemon -## can bind TCP sockets to all -## unreserved ports. -## </p> -## </desc> -gen_tunable(git_session_bind_all_unreserved_ports, false) - -## <desc> -## <p> -## Determine whether calling user domains -## can execute Git daemon in the -## git_session_t domain. -## </p> -## </desc> -gen_tunable(git_session_users, false) - -## <desc> -## <p> -## Determine whether Git session daemons -## can send syslog messages. -## </p> -## </desc> -gen_tunable(git_session_send_syslog_msg, false) - -## <desc> -## <p> -## Determine whether Git system daemon -## can search home directories. -## </p> -## </desc> -gen_tunable(git_system_enable_homedirs, false) - -## <desc> -## <p> -## Determine whether Git system daemon -## can access cifs file systems. -## </p> -## </desc> -gen_tunable(git_system_use_cifs, false) - -## <desc> -## <p> -## Determine whether Git system daemon -## can access nfs file systems. -## </p> -## </desc> -gen_tunable(git_system_use_nfs, false) - -attribute git_daemon; -attribute_role git_session_roles; - -apache_content_template(git) - -type git_system_t, git_daemon; -type gitd_exec_t; -inetd_service_domain(git_system_t, gitd_exec_t) - -type git_session_t, git_daemon; -userdom_user_application_domain(git_session_t, gitd_exec_t) -role git_session_roles types git_session_t; - -type git_sys_content_t; -files_type(git_sys_content_t) - -type git_user_content_t; -userdom_user_home_content(git_user_content_t) - -######################################## -# -# Session policy -# - -allow git_session_t self:tcp_socket { accept listen }; - -list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) -read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) -userdom_search_user_home_dirs(git_session_t) - -corenet_all_recvfrom_netlabel(git_session_t) -corenet_all_recvfrom_unlabeled(git_session_t) -corenet_tcp_bind_generic_node(git_session_t) -corenet_tcp_sendrecv_generic_if(git_session_t) -corenet_tcp_sendrecv_generic_node(git_session_t) - -corenet_sendrecv_git_server_packets(git_session_t) -corenet_tcp_bind_git_port(git_session_t) -corenet_tcp_sendrecv_git_port(git_session_t) - -auth_use_nsswitch(git_session_t) - -userdom_use_user_terminals(git_session_t) - -tunable_policy(`git_session_bind_all_unreserved_ports',` - corenet_sendrecv_all_server_packets(git_session_t) - corenet_tcp_bind_all_unreserved_ports(git_session_t) - corenet_tcp_sendrecv_all_ports(git_session_t) -') - -tunable_policy(`git_session_send_syslog_msg',` - logging_send_syslog_msg(git_session_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(git_session_t) - fs_list_nfs(git_session_t) - fs_read_nfs_files(git_session_t) -',` - fs_dontaudit_read_nfs_files(git_session_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_getattr_cifs(git_session_t) - fs_list_cifs(git_session_t) - fs_read_cifs_files(git_session_t) -',` - fs_dontaudit_read_cifs_files(git_session_t) -') - -######################################## -# -# System policy -# - -list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) -read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) - -files_search_var_lib(git_system_t) - -auth_use_nsswitch(git_system_t) - -logging_send_syslog_msg(git_system_t) - -tunable_policy(`git_system_enable_homedirs',` - userdom_search_user_home_dirs(git_system_t) -') - -tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` - fs_getattr_nfs(git_system_t) - fs_list_nfs(git_system_t) - fs_read_nfs_files(git_system_t) -',` - fs_dontaudit_read_nfs_files(git_system_t) -') - -tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` - fs_getattr_cifs(git_system_t) - fs_list_cifs(git_system_t) - fs_read_cifs_files(git_system_t) -',` - fs_dontaudit_read_cifs_files(git_system_t) -') - -tunable_policy(`git_system_use_cifs',` - fs_getattr_cifs(git_system_t) - fs_list_cifs(git_system_t) - fs_read_cifs_files(git_system_t) -',` - fs_dontaudit_read_cifs_files(git_system_t) -') - -tunable_policy(`git_system_use_nfs',` - fs_getattr_nfs(git_system_t) - fs_list_nfs(git_system_t) - fs_read_nfs_files(git_system_t) -',` - fs_dontaudit_read_nfs_files(git_system_t) -') - -######################################## -# -# CGI policy -# - -list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -files_search_var_lib(httpd_git_script_t) - -files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) - -auth_use_nsswitch(httpd_git_script_t) - -tunable_policy(`git_cgi_enable_homedirs',` - userdom_search_user_home_dirs(httpd_git_script_t) -') - -tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',` - fs_getattr_nfs(httpd_git_script_t) - fs_list_nfs(httpd_git_script_t) - fs_read_nfs_files(httpd_git_script_t) -',` - fs_dontaudit_read_nfs_files(httpd_git_script_t) -') - -tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',` - fs_getattr_cifs(httpd_git_script_t) - fs_list_cifs(httpd_git_script_t) - fs_read_cifs_files(httpd_git_script_t) -',` - fs_dontaudit_read_cifs_files(httpd_git_script_t) -') - -tunable_policy(`git_cgi_use_cifs',` - fs_getattr_cifs(httpd_git_script_t) - fs_list_cifs(httpd_git_script_t) - fs_read_cifs_files(httpd_git_script_t) -',` - fs_dontaudit_read_cifs_files(httpd_git_script_t) -') - -tunable_policy(`git_cgi_use_nfs',` - fs_getattr_nfs(httpd_git_script_t) - fs_list_nfs(httpd_git_script_t) - fs_read_nfs_files(httpd_git_script_t) -',` - fs_dontaudit_read_nfs_files(httpd_git_script_t) -') - -######################################## -# -# Git global policy -# - -allow git_daemon self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(git_daemon) - -corecmd_exec_bin(git_daemon) - -files_read_usr_files(git_daemon) - -fs_search_auto_mountpoints(git_daemon) - -miscfiles_read_localization(git_daemon) diff --git a/policy/modules/contrib/gitosis.fc b/policy/modules/contrib/gitosis.fc deleted file mode 100644 index b64de321..00000000 --- a/policy/modules/contrib/gitosis.fc +++ /dev/null @@ -1,7 +0,0 @@ -/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) - -/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0) -/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0) - -/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) -/var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) diff --git a/policy/modules/contrib/gitosis.if b/policy/modules/contrib/gitosis.if deleted file mode 100644 index f8ca38cb..00000000 --- a/policy/modules/contrib/gitosis.if +++ /dev/null @@ -1,87 +0,0 @@ -## <summary>Tools for managing and hosting git repositories.</summary> - -####################################### -## <summary> -## Execute a domain transition to run gitosis. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`gitosis_domtrans',` - gen_require(` - type gitosis_t, gitosis_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gitosis_exec_t, gitosis_t) -') - -####################################### -## <summary> -## Execute gitosis-serve in the -## gitosis domain, and allow the -## specified role the gitosis domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`gitosis_run',` - gen_require(` - attribute_role gitosis_roles; - ') - - gitosis_domtrans($1) - roleattribute $2 gitosis_roles; -') - -####################################### -## <summary> -## Read gitosis lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gitosis_read_lib_files',` - gen_require(` - type gitosis_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) - read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) - list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) -') - -###################################### -## <summary> -## Create, read, write, and delete -## gitosis lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gitosis_manage_lib_files',` - gen_require(` - type gitosis_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) -') diff --git a/policy/modules/contrib/gitosis.te b/policy/modules/contrib/gitosis.te deleted file mode 100644 index 3194b76c..00000000 --- a/policy/modules/contrib/gitosis.te +++ /dev/null @@ -1,65 +0,0 @@ -policy_module(gitosis, 1.3.2) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether Gitosis can send mail. -## </p> -## </desc> -gen_tunable(gitosis_can_sendmail, false) - -attribute_role gitosis_roles; -roleattribute system_r gitosis_roles; - -type gitosis_t; -type gitosis_exec_t; -application_domain(gitosis_t, gitosis_exec_t) -role gitosis_roles types gitosis_t; - -type gitosis_var_lib_t; -files_type(gitosis_var_lib_t) - -######################################## -# -# Local policy -# - -allow gitosis_t self:fifo_file rw_fifo_file_perms; - -exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) -manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) -manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) -manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) - -kernel_read_system_state(gitosis_t) - -corenet_all_recvfrom_unlabeled(gitosis_t) -corenet_all_recvfrom_netlabel(gitosis_t) -corenet_tcp_sendrecv_generic_if(gitosis_t) -corenet_tcp_sendrecv_generic_node(gitosis_t) -corenet_tcp_bind_generic_node(gitosis_t) - -corenet_sendrecv_ssh_server_packets(gitosis_t) -corenet_tcp_bind_ssh_port(gitosis_t) -corenet_tcp_sendrecv_ssh_port(gitosis_t) - -corecmd_exec_bin(gitosis_t) -corecmd_exec_shell(gitosis_t) - -dev_read_urand(gitosis_t) - -files_read_etc_files(gitosis_t) -files_read_usr_files(gitosis_t) -files_search_var_lib(gitosis_t) - -miscfiles_read_localization(gitosis_t) - -sysnet_read_config(gitosis_t) - -tunable_policy(`gitosis_can_sendmail',` - mta_send_mail(gitosis_t) -') diff --git a/policy/modules/contrib/glance.fc b/policy/modules/contrib/glance.fc deleted file mode 100644 index c21a528b..00000000 --- a/policy/modules/contrib/glance.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0) -/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0) - -/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) -/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0) - -/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0) - -/var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0) - -/var/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0) diff --git a/policy/modules/contrib/glance.if b/policy/modules/contrib/glance.if deleted file mode 100644 index 9eacb2c9..00000000 --- a/policy/modules/contrib/glance.if +++ /dev/null @@ -1,261 +0,0 @@ -## <summary>OpenStack image registry and delivery service.</summary> - -######################################## -## <summary> -## Execute a domain transition to -## run glance registry. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`glance_domtrans_registry',` - gen_require(` - type glance_registry_t, glance_registry_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, glance_registry_exec_t, glance_registry_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run glance api. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`glance_domtrans_api',` - gen_require(` - type glance_api_t, glance_api_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, glance_api_exec_t, glance_api_t) -') - -######################################## -## <summary> -## Read glance log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`glance_read_log',` - gen_require(` - type glance_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, glance_log_t, glance_log_t) -') - -######################################## -## <summary> -## Append glance log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`glance_append_log',` - gen_require(` - type glance_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, glance_log_t, glance_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## glance log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`glance_manage_log',` - gen_require(` - type glance_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, glance_log_t, glance_log_t) - manage_files_pattern($1, glance_log_t, glance_log_t) - manage_lnk_files_pattern($1, glance_log_t, glance_log_t) -') - -######################################## -## <summary> -## Search glance lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`glance_search_lib',` - gen_require(` - type glance_var_lib_t; - ') - - allow $1 glance_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## <summary> -## Read glance lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`glance_read_lib_files',` - gen_require(` - type glance_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, glance_var_lib_t, glance_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## glance lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`glance_manage_lib_files',` - gen_require(` - type glance_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## glance lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`glance_manage_lib_dirs',` - gen_require(` - type glance_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t) -') - -######################################## -## <summary> -## Read glance pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`glance_read_pid_files',` - gen_require(` - type glance_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, glance_var_run_t, glance_var_run_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## glance pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`glance_manage_pid_files',` - gen_require(` - type glance_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, glance_var_run_t, glance_var_run_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an glance environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`glance_admin',` - gen_require(` - type glance_registry_t, glance_api_t, glance_log_t; - type glance_var_lib_t, glance_var_run_t; - type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; - ') - - allow $1 { glance_api_t glance_registry_t }:process signal_perms; - ps_process_pattern($1, { glance_api_t glance_registry_t }) - - init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, glance_log_t) - - files_search_var_lib($1) - admin_pattern($1, glance_var_lib_t) - - files_search_pids($1) - admin_pattern($1, glance_var_run_t) -') diff --git a/policy/modules/contrib/glance.te b/policy/modules/contrib/glance.te deleted file mode 100644 index e0a4f465..00000000 --- a/policy/modules/contrib/glance.te +++ /dev/null @@ -1,120 +0,0 @@ -policy_module(glance, 1.0.2) - -######################################## -# -# Declarations -# - -attribute glance_domain; - -type glance_registry_t, glance_domain; -type glance_registry_exec_t; -init_daemon_domain(glance_registry_t, glance_registry_exec_t) - -type glance_registry_initrc_exec_t; -init_script_file(glance_registry_initrc_exec_t) - -type glance_registry_tmp_t; -files_tmp_file(glance_registry_tmp_t) - -type glance_api_t, glance_domain; -type glance_api_exec_t; -init_daemon_domain(glance_api_t, glance_api_exec_t) - -type glance_api_initrc_exec_t; -init_script_file(glance_api_initrc_exec_t) - -type glance_log_t; -logging_log_file(glance_log_t) - -type glance_var_lib_t; -files_type(glance_var_lib_t) - -type glance_tmp_t; -files_tmp_file(glance_tmp_t) - -type glance_var_run_t; -files_pid_file(glance_var_run_t) - -####################################### -# -# Common local policy -# - -allow glance_domain self:fifo_file rw_fifo_file_perms; -allow glance_domain self:unix_stream_socket create_stream_socket_perms; -allow glance_domain self:tcp_socket { accept listen }; - -manage_dirs_pattern(glance_domain, glance_log_t, glance_log_t) -append_files_pattern(glance_domain, glance_log_t, glance_log_t) -create_files_pattern(glance_domain, glance_log_t, glance_log_t) -setattr_files_pattern(glance_domain, glance_log_t, glance_log_t) - -manage_dirs_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) -manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) - -manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) -manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) - -kernel_read_system_state(glance_domain) - -corenet_all_recvfrom_unlabeled(glance_domain) -corenet_all_recvfrom_netlabel(glance_domain) -corenet_tcp_sendrecv_generic_if(glance_domain) -corenet_tcp_sendrecv_generic_node(glance_domain) -corenet_tcp_sendrecv_all_ports(glance_domain) -corenet_tcp_bind_generic_node(glance_domain) - -corecmd_exec_bin(glance_domain) -corecmd_exec_shell(glance_domain) - -dev_read_urand(glance_domain) - -files_read_etc_files(glance_domain) -files_read_usr_files(glance_domain) - -libs_exec_ldconfig(glance_domain) - -miscfiles_read_localization(glance_domain) - -sysnet_dns_name_resolve(glance_domain) - -######################################## -# -# Registry local policy -# - -manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) -manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) -files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) - -corenet_sendrecv_glance_registry_server_packets(glance_registry_t) -corenet_tcp_bind_glance_registry_port(glance_registry_t) - -logging_send_syslog_msg(glance_registry_t) - -optional_policy(` - mysql_stream_connect(glance_registry_t) - mysql_tcp_connect(glance_registry_t) -') - -######################################## -# -# Api local policy -# - -manage_dirs_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) -manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) -files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) -can_exec(glance_api_t, glance_tmp_t) - -corenet_sendrecv_armtechdaemon_server_packets(glance_api_t) -corenet_tcp_bind_armtechdaemon_port(glance_api_t) - -corenet_sendrecv_hplip_server_packets(glance_api_t) -corenet_tcp_bind_hplip_port(glance_api_t) - -corenet_sendrecv_glance_registry_client_packets(glance_api_t) -corenet_tcp_connect_glance_registry_port(glance_api_t) - -fs_getattr_xattr_fs(glance_api_t) diff --git a/policy/modules/contrib/glusterfs.fc b/policy/modules/contrib/glusterfs.fc deleted file mode 100644 index 4bd6ade4..00000000 --- a/policy/modules/contrib/glusterfs.fc +++ /dev/null @@ -1,16 +0,0 @@ -/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) - -/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) -/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) - -/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) -/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) - -/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) - -/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) - -/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) - -/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) -/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/policy/modules/contrib/glusterfs.if b/policy/modules/contrib/glusterfs.if deleted file mode 100644 index 05233c86..00000000 --- a/policy/modules/contrib/glusterfs.if +++ /dev/null @@ -1,71 +0,0 @@ -## <summary>Cluster File System binary, daemon and command line.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an glusterfs environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`glusterd_admin',` - refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.') - glusterfs_admin($1, $2) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an glusterfs environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`glusterfs_admin',` - gen_require(` - type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t; - type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t; - type glusterd_var_run_t; - ') - - init_labeled_script_domtrans($1, glusterd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 glusterd_initrc_exec_t system_r; - allow $2 system_r; - - allow $1 glusterd_t:process { ptrace signal_perms }; - ps_process_pattern($1, glusterd_t) - - files_search_etc($1) - admin_pattern($1, glusterd_conf_t) - - logging_search_logs($1) - admin_pattern($1, glusterd_log_t) - - files_search_tmp($1) - admin_pattern($1, glusterd_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, glusterd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, glusterd_var_run_t) -') diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te deleted file mode 100644 index fd02acc7..00000000 --- a/policy/modules/contrib/glusterfs.te +++ /dev/null @@ -1,102 +0,0 @@ -policy_module(glusterfs, 1.0.1) - -######################################## -# -# Declarations -# - -type glusterd_t; -type glusterd_exec_t; -init_daemon_domain(glusterd_t, glusterd_exec_t) - -type glusterd_conf_t; -files_type(glusterd_conf_t) - -type glusterd_initrc_exec_t; -init_script_file(glusterd_initrc_exec_t) - -type glusterd_tmp_t; -files_tmp_file(glusterd_tmp_t) - -type glusterd_log_t; -logging_log_file(glusterd_log_t) - -type glusterd_var_run_t; -files_pid_file(glusterd_var_run_t) - -type glusterd_var_lib_t; -files_type(glusterd_var_lib_t); - -######################################## -# -# Local policy -# - -allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner }; -allow glusterd_t self:process { setrlimit signal }; -allow glusterd_t self:fifo_file rw_fifo_file_perms; -allow glusterd_t self:tcp_socket { accept listen }; -allow glusterd_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) -manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) -files_etc_filetrans(glusterd_t, glusterd_conf_t, dir) - -manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) -manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) -manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) -files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) - -manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -logging_log_filetrans(glusterd_t, glusterd_log_t, dir) - -manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) -manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) -files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file }) - -manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) -manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) -files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) - -can_exec(glusterd_t, glusterd_exec_t) - -kernel_read_system_state(glusterd_t) - -corecmd_exec_bin(glusterd_t) -corecmd_exec_shell(glusterd_t) - -corenet_all_recvfrom_unlabeled(glusterd_t) -corenet_all_recvfrom_netlabel(glusterd_t) -corenet_tcp_sendrecv_generic_if(glusterd_t) -corenet_udp_sendrecv_generic_if(glusterd_t) -corenet_tcp_sendrecv_generic_node(glusterd_t) -corenet_udp_sendrecv_generic_node(glusterd_t) -corenet_tcp_sendrecv_all_ports(glusterd_t) -corenet_udp_sendrecv_all_ports(glusterd_t) -corenet_tcp_bind_generic_node(glusterd_t) -corenet_udp_bind_generic_node(glusterd_t) - -# Too coarse? -corenet_sendrecv_all_server_packets(glusterd_t) -corenet_tcp_bind_all_reserved_ports(glusterd_t) -corenet_udp_bind_all_rpc_ports(glusterd_t) -corenet_udp_bind_ipp_port(glusterd_t) - -corenet_sendrecv_all_client_packets(glusterd_t) -corenet_tcp_connect_all_unreserved_ports(glusterd_t) - -dev_read_sysfs(glusterd_t) -dev_read_urand(glusterd_t) - -domain_use_interactive_fds(glusterd_t) - -files_read_usr_files(glusterd_t) - -auth_use_nsswitch(glusterd_t) - -logging_send_syslog_msg(glusterd_t) - -miscfiles_read_localization(glusterd_t) diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc deleted file mode 100644 index c9221441..00000000 --- a/policy/modules/contrib/gnome.fc +++ /dev/null @@ -1,16 +0,0 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_xdg_config_t,s0) - -HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) -HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) - -/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) - -/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) - -/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) -/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if deleted file mode 100644 index d03fd43d..00000000 --- a/policy/modules/contrib/gnome.if +++ /dev/null @@ -1,715 +0,0 @@ -## <summary>GNU network object model environment.</summary> - -######################################## -## <summary> -## Role access for gnome. (Deprecated) -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`gnome_role',` - refpolicywarn(`$0($*) has been deprecated') -') - -####################################### -## <summary> -## The role template for gnome. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## </summary> -## </param> -## <param name="user_role"> -## <summary> -## The role associated with the user domain. -## </summary> -## </param> -## <param name="user_domain"> -## <summary> -## The type of the user domain. -## </summary> -## </param> -# -template(`gnome_role_template',` - gen_require(` - attribute gnomedomain, gkeyringd_domain; - attribute_role gconfd_roles; - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; - type gconfd_t, gconfd_exec_t, gconf_tmp_t; - type gconf_home_t; - ') - - ######################################## - # - # Gconf declarations - # - - roleattribute $2 gconfd_roles; - - ######################################## - # - # Gkeyringd declarations - # - - type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; - userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t) - domain_user_exemption_target($1_gkeyringd_t) - - role $2 types $1_gkeyringd_t; - - ######################################## - # - # Gconf policy - # - - domtrans_pattern($3, gconfd_exec_t, gconfd_t) - - allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") - userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") - - allow $3 gconfd_t:process { ptrace signal_perms }; - ps_process_pattern($3, gconfd_t) - - ######################################## - # - # Gkeyringd policy - # - - domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - - allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; - allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; - - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome") - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2") - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private") - - gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings") - - allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; - - ps_process_pattern($3, $1_gkeyringd_t) - allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; - - corecmd_bin_domtrans($1_gkeyringd_t, $3) - corecmd_shell_domtrans($1_gkeyringd_t, $3) - - gnome_stream_connect_gkeyringd($1, $3) - - optional_policy(` - dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) - - gnome_dbus_chat_gkeyringd($1, $3) - ') -') - -######################################## -## <summary> -## Execute gconf in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_exec_gconf',` - gen_require(` - type gconfd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, gconfd_exec_t) -') - -######################################## -## <summary> -## Read gconf configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_read_gconf_config',` - gen_require(` - type gconf_etc_t; - ') - - files_search_etc($1) - allow $1 gconf_etc_t:dir list_dir_perms; - allow $1 gconf_etc_t:file read_file_perms; - allow $1 gconf_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read -## inherited gconf configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`gnome_dontaudit_read_inherited_gconf_config_files',` - gen_require(` - type gconf_etc_t; - ') - - dontaudit $1 gconf_etc_t:file read; -') - -####################################### -## <summary> -## Create, read, write, and delete -## gconf configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_manage_gconf_config',` - gen_require(` - type gconf_etc_t; - ') - - files_search_etc($1) - allow $1 gconf_etc_t:dir manage_dir_perms; - allow $1 gconf_etc_t:file manage_file_perms; - allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Connect to gconf using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_stream_connect_gconf',` - gen_require(` - type gconfd_t, gconf_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t) -') - -######################################## -## <summary> -## Run gconfd in gconfd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`gnome_domtrans_gconfd',` - gen_require(` - type gconfd_t, gconfd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gconfd_exec_t, gconfd_t) -') - -######################################## -## <summary> -## Create generic gnome home directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_create_generic_home_dirs',` - gen_require(` - type gnome_home_t; - ') - - allow $1 gnome_home_t:dir create_dir_perms; -') - -######################################## -## <summary> -## Set attributes of generic gnome -## user home directories. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_setattr_config_dirs',` - refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.') - gnome_setattr_generic_home_dirs($1) -') - -######################################## -## <summary> -## Set attributes of generic gnome -## user home directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_setattr_generic_home_dirs',` - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) -') - -######################################## -## <summary> -## Read generic gnome user home content. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_read_config',` - refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.') - gnome_read_generic_home_content($1) -') - -######################################## -## <summary> -## Read generic gnome home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_read_generic_home_content',` - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir list_dir_perms; - allow $1 gnome_home_t:file read_file_perms; - allow $1 gnome_home_t:fifo_file read_fifo_file_perms; - allow $1 gnome_home_t:lnk_file read_lnk_file_perms; - allow $1 gnome_home_t:sock_file read_sock_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## generic gnome user home content. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_manage_config',` - refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.') - gnome_manage_generic_home_content($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## generic gnome home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_manage_generic_home_content',` - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir manage_dir_perms; - allow $1 gnome_home_t:file manage_file_perms; - allow $1 gnome_home_t:fifo_file manage_fifo_file_perms; - allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; - allow $1 gnome_home_t:sock_file manage_sock_file_perms; -') - -######################################## -## <summary> -## Search generic gnome home directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_search_generic_home',` - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create objects in gnome user home -## directories with a private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## Private file type. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`gnome_home_filetrans',` - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - filetrans_pattern($1, gnome_home_t, $2, $3, $4) -') - -######################################## -## <summary> -## Create generic gconf home directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_create_generic_gconf_home_dirs',` - gen_require(` - type gconf_home_t; - ') - - allow $1 gconf_home_t:dir create_dir_perms; -') - -######################################## -## <summary> -## Read generic gconf home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_read_generic_gconf_home_content',` - gen_require(` - type gconf_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir list_dir_perms; - allow $1 gconf_home_t:file read_file_perms; - allow $1 gconf_home_t:fifo_file read_fifo_file_perms; - allow $1 gconf_home_t:lnk_file read_lnk_file_perms; - allow $1 gconf_home_t:sock_file read_sock_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## generic gconf home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_manage_generic_gconf_home_content',` - gen_require(` - type gconf_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir manage_dir_perms; - allow $1 gconf_home_t:file manage_file_perms; - allow $1 gconf_home_t:fifo_file manage_fifo_file_perms; - allow $1 gconf_home_t:lnk_file manage_lnk_file_perms; - allow $1 gconf_home_t:sock_file manage_sock_file_perms; -') - -######################################## -## <summary> -## Search generic gconf home directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_search_generic_gconf_home',` - gen_require(` - type gconf_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the generic gconf -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`gnome_home_filetrans_gconf_home',` - gen_require(` - type gconf_home_t; - ') - - userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) -') - -######################################## -## <summary> -## Create objects in user home -## directories with the generic gnome -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`gnome_home_filetrans_gnome_home',` - gen_require(` - type gnome_home_t; - ') - - userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) -') - -######################################## -## <summary> -## Create objects in gnome gconf home -## directories with a private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## Private file type. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`gnome_gconf_home_filetrans',` - gen_require(` - type gconf_home_t; - ') - - userdom_search_user_home_dirs($1) - filetrans_pattern($1, gconf_home_t, $2, $3, $4) -') - -######################################## -## <summary> -## Read generic gnome keyring home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_read_keyring_home_files',` - gen_require(` - type gnome_home_t, gnome_keyring_home_t; - ') - - userdom_search_user_home_dirs($1) - read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t) -') - -######################################## -## <summary> -## Send and receive messages from -## gnome keyring daemon over dbus. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_dbus_chat_gkeyringd',` - gen_require(` - type $1_gkeyringd_t; - class dbus send_msg; - ') - - allow $2 $1_gkeyringd_t:dbus send_msg; - allow $1_gkeyringd_t $2:dbus send_msg; -') - -######################################## -## <summary> -## Send and receive messages from all -## gnome keyring daemon over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_dbus_chat_all_gkeyringd',` - gen_require(` - attribute gkeyringd_domain; - class dbus send_msg; - ') - - allow $1 gkeyringd_domain:dbus send_msg; - allow gkeyringd_domain $1:dbus send_msg; -') - -######################################## -## <summary> -## Connect to gnome keyring daemon -## with a unix stream socket. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_stream_connect_gkeyringd',` - gen_require(` - type $1_gkeyringd_t, gnome_keyring_tmp_t; - ') - - files_search_tmp($2) - stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) -') - -######################################## -## <summary> -## Connect to all gnome keyring daemon -## with a unix stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnome_stream_connect_all_gkeyringd',` - gen_require(` - attribute gkeyringd_domain; - type gnome_keyring_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) -') diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te deleted file mode 100644 index e97cee34..00000000 --- a/policy/modules/contrib/gnome.te +++ /dev/null @@ -1,141 +0,0 @@ -policy_module(gnome, 2.2.5) - -############################## -# -# Declarations -# - -attribute gkeyringd_domain; -attribute gnomedomain; -attribute_role gconfd_roles; - -type gconf_etc_t; -files_config_file(gconf_etc_t) - -type gconf_home_t; -typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; -typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; -typealias gconf_home_t alias unconfined_gconf_home_t; -userdom_user_home_content(gconf_home_t) - -type gconf_tmp_t; -typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; -typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; -typealias gconf_tmp_t alias unconfined_gconf_tmp_t; -userdom_user_tmp_file(gconf_tmp_t) - -type gconfd_t, gnomedomain; -type gconfd_exec_t; -typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; -typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; -userdom_user_application_domain(gconfd_t, gconfd_exec_t) -role gconfd_roles types gconfd_t; - -type gnome_home_t; -typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; -typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; -typealias gnome_home_t alias unconfined_gnome_home_t; -userdom_user_home_content(gnome_home_t) - -type gkeyringd_exec_t; -application_executable_file(gkeyringd_exec_t) - -type gnome_keyring_home_t; -userdom_user_home_content(gnome_keyring_home_t) - -type gnome_keyring_tmp_t; -userdom_user_tmp_file(gnome_keyring_tmp_t) - -ifdef(`distro_gentoo',` - type gnome_xdg_config_t; - - xdg_config_home_content(gnome_xdg_config_t) -') - -############################## -# -# Common local Policy -# - -allow gnomedomain self:process { getsched signal }; -allow gnomedomain self:fifo_file rw_fifo_file_perms; - -dev_read_urand(gnomedomain) - -domain_use_interactive_fds(gnomedomain) - -files_read_etc_files(gnomedomain) - -miscfiles_read_localization(gnomedomain) - -logging_send_syslog_msg(gnomedomain) - -userdom_use_user_terminals(gnomedomain) - -optional_policy(` - xserver_rw_xdm_pipes(gnomedomain) - xserver_use_xdm_fds(gnomedomain) -') - -############################## -# -# Conf daemon local Policy -# - -allow gconfd_t gconf_etc_t:dir list_dir_perms; -read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) - -manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) -manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) -userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) - -manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) - -userdom_manage_user_tmp_dirs(gconfd_t) -userdom_tmp_filetrans_user_tmp(gconfd_t, dir) - -optional_policy(` - nscd_dontaudit_search_pid(gconfd_t) -') - -############################## -# -# Keyring-daemon local policy -# - -allow gkeyringd_domain self:capability ipc_lock; -allow gkeyringd_domain self:process { getcap setcap }; -allow gkeyringd_domain self:unix_stream_socket { connectto accept listen }; - -allow gkeyringd_domain gnome_home_t:dir create_dir_perms; -gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2") - -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) -manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) -gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings") - -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) -manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) -files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir) - -kernel_read_system_state(gkeyringd_domain) -kernel_read_crypto_sysctls(gkeyringd_domain) - -dev_read_rand(gkeyringd_domain) -dev_read_sysfs(gkeyringd_domain) - -files_read_usr_files(gkeyringd_domain) - -fs_getattr_all_fs(gkeyringd_domain) - -selinux_getattr_fs(gkeyringd_domain) - -optional_policy(` - ssh_read_user_home_files(gkeyringd_domain) -') - -optional_policy(` - telepathy_mission_control_read_state(gkeyringd_domain) -') diff --git a/policy/modules/contrib/gnomeclock.fc b/policy/modules/contrib/gnomeclock.fc deleted file mode 100644 index f9ba8cd9..00000000 --- a/policy/modules/contrib/gnomeclock.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - -/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - -/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - -/usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) diff --git a/policy/modules/contrib/gnomeclock.if b/policy/modules/contrib/gnomeclock.if deleted file mode 100644 index 3f55702f..00000000 --- a/policy/modules/contrib/gnomeclock.if +++ /dev/null @@ -1,90 +0,0 @@ -## <summary>Gnome clock handler for setting the time.</summary> - -######################################## -## <summary> -## Execute a domain transition to -## run gnomeclock. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`gnomeclock_domtrans',` - gen_require(` - type gnomeclock_t, gnomeclock_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) -') - -######################################## -## <summary> -## Execute gnomeclock in the gnomeclock -## domain, and allow the specified -## role the gnomeclock domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`gnomeclock_run',` - gen_require(` - attribute_role gnomeclock_roles; - ') - - gnomeclock_domtrans($1) - roleattribute $2 gnomeclock_roles; -') - -######################################## -## <summary> -## Send and receive messages from -## gnomeclock over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gnomeclock_dbus_chat',` - gen_require(` - type gnomeclock_t; - class dbus send_msg; - ') - - allow $1 gnomeclock_t:dbus send_msg; - allow gnomeclock_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Do not audit attempts to send and -## receive messages from gnomeclock -## over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`gnomeclock_dontaudit_dbus_chat',` - gen_require(` - type gnomeclock_t; - class dbus send_msg; - ') - - dontaudit $1 gnomeclock_t:dbus send_msg; - dontaudit gnomeclock_t $1:dbus send_msg; -') diff --git a/policy/modules/contrib/gnomeclock.te b/policy/modules/contrib/gnomeclock.te deleted file mode 100644 index 0a82cf27..00000000 --- a/policy/modules/contrib/gnomeclock.te +++ /dev/null @@ -1,87 +0,0 @@ -policy_module(gnomeclock, 1.0.6) - -######################################## -# -# Declarations -# - -attribute_role gnomeclock_roles; - -type gnomeclock_t; -type gnomeclock_exec_t; -init_system_domain(gnomeclock_t, gnomeclock_exec_t) -role gnomeclock_roles types gnomeclock_t; - -######################################## -# -# Local policy -# - -allow gnomeclock_t self:capability { sys_nice sys_time }; -allow gnomeclock_t self:process { getattr getsched signal }; -allow gnomeclock_t self:fifo_file rw_fifo_file_perms; -allow gnomeclock_t self:unix_stream_socket { accept listen }; - -kernel_read_system_state(gnomeclock_t) - -corecmd_exec_bin(gnomeclock_t) -corecmd_exec_shell(gnomeclock_t) - -corenet_all_recvfrom_unlabeled(gnomeclock_t) -corenet_all_recvfrom_netlabel(gnomeclock_t) -corenet_tcp_sendrecv_generic_if(gnomeclock_t) -corenet_tcp_sendrecv_generic_node(gnomeclock_t) - -# tcp:37 (time) -corenet_sendrecv_inetd_child_client_packets(gnomeclock_t) -corenet_tcp_connect_inetd_child_port(gnomeclock_t) -corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t) - -dev_read_sysfs(gnomeclock_t) -dev_read_urand(gnomeclock_t) -dev_rw_realtime_clock(gnomeclock_t) - -files_read_usr_files(gnomeclock_t) - -fs_getattr_xattr_fs(gnomeclock_t) - -auth_use_nsswitch(gnomeclock_t) - -logging_send_syslog_msg(gnomeclock_t) - -miscfiles_etc_filetrans_localization(gnomeclock_t) -miscfiles_manage_localization(gnomeclock_t) -miscfiles_read_localization(gnomeclock_t) - -userdom_read_all_users_state(gnomeclock_t) - -optional_policy(` - chronyd_initrc_domtrans(gnomeclock_t) -') - -optional_policy(` - clock_domtrans(gnomeclock_t) -') - -optional_policy(` - dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) - - optional_policy(` - consolekit_dbus_chat(gnomeclock_t) - ') - - optional_policy(` - policykit_dbus_chat(gnomeclock_t) - ') -') - -optional_policy(` - ntp_domtrans_ntpdate(gnomeclock_t) - ntp_initrc_domtrans(gnomeclock_t) -') - -optional_policy(` - policykit_domtrans_auth(gnomeclock_t) - policykit_read_lib(gnomeclock_t) - policykit_read_reload(gnomeclock_t) -') diff --git a/policy/modules/contrib/googletalk.fc b/policy/modules/contrib/googletalk.fc index fe415148..52d8f4ea 100644 --- a/policy/modules/contrib/googletalk.fc +++ b/policy/modules/contrib/googletalk.fc @@ -1,3 +1,3 @@ -HOME_DIR/\.config/google-googletalkplugin(/.*)? -- gen_context(system_u:object_r:googletalk_plugin_xdg_config_t,s0) +HOME_DIR/\.config/google-googletalkplugin(/.*)? gen_context(system_u:object_r:googletalk_plugin_xdg_config_t,s0) /opt/google/talkplugin/GoogleTalkPlugin -- gen_context(system_u:object_r:googletalk_plugin_exec_t,s0) diff --git a/policy/modules/contrib/googletalk.if b/policy/modules/contrib/googletalk.if index 356f5924..a88dcccc 100644 --- a/policy/modules/contrib/googletalk.if +++ b/policy/modules/contrib/googletalk.if @@ -2,6 +2,42 @@ ## Google Talk ## </summary> +########################################## +## <summary> +## Grant the plugin domain the needed privileges to launch and +## interact with the GoogleTalk application. Used for web browser +## plugin domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`googletalk_plugin_domain',` + gen_require(` + type googletalk_plugin_t; + type googletalk_plugin_xdg_config_t; + ') + + allow $1 googletalk_plugin_t:fd use; + allow $1 googletalk_plugin_t:unix_stream_socket { read write }; + + allow googletalk_plugin_t $1:unix_dgram_socket sendto; + + # GoogleTalk process binds on an unreserved port, the client (plugin) + # then connects to this port + corenet_tcp_connect_all_unreserved_ports($1) + + googletalk_domtrans_plugin($1) + + # Create .config/google-googletalkplugin with correct type + manage_dirs_pattern($1, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t) + manage_files_pattern($1, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t) + xdg_config_home_filetrans($1, googletalk_plugin_xdg_config_t, dir, "google-googletalkplugin") + xdg_search_config_home_dirs($1) +') + ####################################### ## <summary> ## Execute Google talk plugin in the Google talk plugin domain diff --git a/policy/modules/contrib/googletalk.te b/policy/modules/contrib/googletalk.te index 17690fa2..0736a7af 100644 --- a/policy/modules/contrib/googletalk.te +++ b/policy/modules/contrib/googletalk.te @@ -18,10 +18,12 @@ xdg_config_home_content(googletalk_plugin_xdg_config_t) # Google talk plugin policy # +allow googletalk_plugin_t self:process signal; allow googletalk_plugin_t self:fifo_file rw_fifo_file_perms; allow googletalk_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; allow googletalk_plugin_t self:netlink_route_socket create_netlink_socket_perms; allow googletalk_plugin_t self:tcp_socket create_stream_socket_perms; +allow googletalk_plugin_t self:udp_socket create_socket_perms; allow googletalk_plugin_t self:unix_stream_socket create_stream_socket_perms; manage_files_pattern(googletalk_plugin_t, googletalk_plugin_tmp_t, googletalk_plugin_tmp_t) @@ -36,6 +38,15 @@ manage_files_pattern(googletalk_plugin_t, googletalk_plugin_xdg_config_t, google kernel_read_system_state(googletalk_plugin_t) +corecmd_exec_bin(googletalk_plugin_t) +corecmd_exec_shell(googletalk_plugin_t) + +corenet_tcp_bind_generic_node(googletalk_plugin_t) +corenet_tcp_sendrecv_generic_if(googletalk_plugin_t) +corenet_tcp_sendrecv_generic_node(googletalk_plugin_t) + +corenet_udp_bind_generic_node(googletalk_plugin_t) + dev_getattr_all_blk_files(googletalk_plugin_t) dev_getattr_all_chr_files(googletalk_plugin_t) dev_read_sound(googletalk_plugin_t) @@ -44,15 +55,6 @@ dev_search_sysfs(googletalk_plugin_t) dev_write_sound(googletalk_plugin_t) dev_write_video_dev(googletalk_plugin_t) -term_dontaudit_getattr_unallocated_ttys(googletalk_plugin_t) - -corecmd_exec_bin(googletalk_plugin_t) -corecmd_exec_shell(googletalk_plugin_t) - -corenet_tcp_bind_generic_node(googletalk_plugin_t) -corenet_tcp_sendrecv_generic_if(googletalk_plugin_t) -corenet_tcp_sendrecv_generic_node(googletalk_plugin_t) - # It runs find in /etc to find any release file for knowing the distribution it # runs on. Yes, great isnt it... files_dontaudit_getattr_all_dirs(googletalk_plugin_t) @@ -61,16 +63,21 @@ files_read_usr_files(googletalk_plugin_t) fs_getattr_tmpfs(googletalk_plugin_t) +term_dontaudit_getattr_unallocated_ttys(googletalk_plugin_t) + +# Needed to find video device? +init_getattr_initctl(googletalk_plugin_t) + logging_send_syslog_msg(googletalk_plugin_t) miscfiles_read_localization(googletalk_plugin_t) +sysnet_read_config(googletalk_plugin_t) + userdom_search_user_home_content(googletalk_plugin_t) +userdom_use_user_terminals(googletalk_plugin_t) -optional_policy(` - alsa_domain(googletalk_plugin_t, googletalk_plugin_tmpfs_t) - alsa_read_rw_config(googletalk_plugin_t) -') +googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config(googletalk_plugin_t, dir, "google-googletalkplugin") optional_policy(` dbus_system_bus_client(googletalk_plugin_t) @@ -88,3 +95,9 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(googletalk_plugin, googletalk_plugin_t, googletalk_plugin_tmpfs_t) ') + +ifdef(`use_alsa',` + optional_policy(` + alsa_domain(googletalk_plugin_t, googletalk_plugin_tmpfs_t) + ') +') diff --git a/policy/modules/contrib/gorg.if b/policy/modules/contrib/gorg.if index 814d5593..6c5969c1 100644 --- a/policy/modules/contrib/gorg.if +++ b/policy/modules/contrib/gorg.if @@ -22,7 +22,7 @@ interface(`gorg_role',` role $1 types gorg_t; - domain_auto_trans($2, gorg_exec_t, gorg_t) + domain_auto_transition_pattern($2, gorg_exec_t, gorg_t) allow $2 gorg_t:process { noatsecure siginh rlimitinh }; allow gorg_t $2:fd use; allow gorg_t $2:process { sigchld signull }; diff --git a/policy/modules/contrib/gorg.te b/policy/modules/contrib/gorg.te index b0c8ae33..59befaaa 100644 --- a/policy/modules/contrib/gorg.te +++ b/policy/modules/contrib/gorg.te @@ -5,10 +5,10 @@ type gorg_exec_t; application_domain(gorg_t, gorg_exec_t) type gorg_cache_t; -files_type(gorg_cache_t); +files_type(gorg_cache_t) type gorg_config_t; -files_type(gorg_config_t); +files_type(gorg_config_t) ################################### # diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc deleted file mode 100644 index 888cd2c6..00000000 --- a/policy/modules/contrib/gpg.fc +++ /dev/null @@ -1,10 +0,0 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) -HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) - -/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) -/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) - -/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if deleted file mode 100644 index 180f1b7c..00000000 --- a/policy/modules/contrib/gpg.if +++ /dev/null @@ -1,232 +0,0 @@ -## <summary>Policy for GNU Privacy Guard and related programs.</summary> - -############################################################ -## <summary> -## Role access for gpg. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`gpg_role',` - gen_require(` - attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles; - type gpg_t, gpg_exec_t, gpg_agent_t; - type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t; - type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t; - ') - - roleattribute $1 gpg_roles; - roleattribute $1 gpg_agent_roles; - roleattribute $1 gpg_helper_roles; - roleattribute $1 gpg_pinentry_roles; - - domtrans_pattern($2, gpg_exec_t, gpg_t) - domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) - - allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }) - - allow gpg_pinentry_t $2:process signull; - allow gpg_helper_t $2:fd use; - allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write }; - - allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms }; - allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") - userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg") - - optional_policy(` - gpg_pinentry_dbus_chat($2) - ') -') - -######################################## -## <summary> -## Execute the gpg in the gpg domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`gpg_domtrans',` - gen_require(` - type gpg_t, gpg_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gpg_exec_t, gpg_t) -') - -######################################## -## <summary> -## Execute the gpg in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gpg_exec',` - gen_require(` - type gpg_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, gpg_exec_t) -') - -######################################## -## <summary> -## Execute gpg in a specified domain. -## </summary> -## <desc> -## <p> -## Execute gpg in a specified domain. -## </p> -## <p> -## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -## </p> -## </desc> -## <param name="source_domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="target_domain"> -## <summary> -## Domain to transition to. -## </summary> -## </param> -# -interface(`gpg_spec_domtrans',` - gen_require(` - type gpg_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_trans($1, gpg_exec_t, $2) -') - -###################################### -## <summary> -## Execute gpg in the gpg web domain. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`gpg_domtrans_web',` - refpolicywarn(`$0($*) has been deprecated.') -') - -###################################### -## <summary> -## Make gpg executable files an -## entrypoint for the specified domain. -## </summary> -## <param name="domain"> -## <summary> -## The domain for which gpg_exec_t is an entrypoint. -## </summary> -## </param> -# -interface(`gpg_entry_type',` - gen_require(` - type gpg_exec_t; - ') - - domain_entry_file($1, gpg_exec_t) -') - -######################################## -## <summary> -## Send generic signals to gpg. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gpg_signal',` - gen_require(` - type gpg_t; - ') - - allow $1 gpg_t:process signal; -') - -######################################## -## <summary> -## Read and write gpg agent pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gpg_rw_agent_pipes',` - gen_require(` - type gpg_agent_t; - ') - - allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Send messages to and from gpg -## pinentry over DBUS. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gpg_pinentry_dbus_chat',` - gen_require(` - type gpg_pinentry_t; - class dbus send_msg; - ') - - allow $1 gpg_pinentry_t:dbus send_msg; - allow gpg_pinentry_t $1:dbus send_msg; -') - -######################################## -## <summary> -## List gpg user secrets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gpg_list_user_secrets',` - gen_require(` - type gpg_secret_t; - ') - - list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) - userdom_search_user_home_dirs($1) -') diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te deleted file mode 100644 index e1423706..00000000 --- a/policy/modules/contrib/gpg.te +++ /dev/null @@ -1,347 +0,0 @@ -policy_module(gpg, 2.7.3) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether GPG agent can manage -## generic user home content files. This is -## required by the --write-env-file option. -## </p> -## </desc> -gen_tunable(gpg_agent_env_file, false) - -attribute_role gpg_roles; -roleattribute system_r gpg_roles; - -attribute_role gpg_agent_roles; - -attribute_role gpg_helper_roles; -roleattribute system_r gpg_helper_roles; - -attribute_role gpg_pinentry_roles; - -type gpg_t; -type gpg_exec_t; -typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; -typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; -userdom_user_application_domain(gpg_t, gpg_exec_t) -role gpg_roles types gpg_t; - -type gpg_agent_t; -type gpg_agent_exec_t; -typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; -typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; -userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t) -role gpg_agent_roles types gpg_agent_t; - -type gpg_agent_tmp_t; -typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; -typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; -userdom_user_tmp_file(gpg_agent_tmp_t) - -type gpg_secret_t; -typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; -typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t }; -userdom_user_home_content(gpg_secret_t) - -type gpg_helper_t; -type gpg_helper_exec_t; -typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; -typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; -userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t) -role gpg_helper_roles types gpg_helper_t; - -type gpg_pinentry_t; -type pinentry_exec_t; -typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; -typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; -userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t) -role gpg_pinentry_roles types gpg_pinentry_t; - -type gpg_pinentry_tmp_t; -userdom_user_tmp_file(gpg_pinentry_tmp_t) - -type gpg_pinentry_tmpfs_t; -userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t) - -optional_policy(` - pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t) -') - -######################################## -# -# Local policy -# - -allow gpg_t self:capability { ipc_lock setuid }; -allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid }; -dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms; -allow gpg_t self:fifo_file rw_fifo_file_perms; -allow gpg_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) - -manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) - -stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) - -domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) -domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) - -kernel_read_sysctl(gpg_t) - -corecmd_exec_shell(gpg_t) -corecmd_exec_bin(gpg_t) - -corenet_all_recvfrom_unlabeled(gpg_t) -corenet_all_recvfrom_netlabel(gpg_t) -corenet_tcp_sendrecv_generic_if(gpg_t) -corenet_tcp_sendrecv_generic_node(gpg_t) - -corenet_sendrecv_all_client_packets(gpg_t) -corenet_tcp_connect_all_ports(gpg_t) -corenet_tcp_sendrecv_all_ports(gpg_t) - -dev_read_generic_usb_dev(gpg_t) -dev_read_rand(gpg_t) -dev_read_urand(gpg_t) - -files_read_usr_files(gpg_t) -files_dontaudit_search_var(gpg_t) - -fs_getattr_xattr_fs(gpg_t) -fs_list_inotifyfs(gpg_t) - -domain_use_interactive_fds(gpg_t) - -auth_use_nsswitch(gpg_t) - -logging_send_syslog_msg(gpg_t) - -miscfiles_read_localization(gpg_t) - -userdom_use_user_terminals(gpg_t) - -userdom_manage_user_tmp_files(gpg_t) -userdom_manage_user_home_content_files(gpg_t) -userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_t) - fs_manage_nfs_files(gpg_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_t) - fs_manage_cifs_files(gpg_t) -') - -optional_policy(` - gnome_read_generic_home_content(gpg_t) - gnome_stream_connect_all_gkeyringd(gpg_t) -') - -optional_policy(` - mozilla_dontaudit_rw_user_home_files(gpg_t) -') - -optional_policy(` - mta_read_spool_files(gpg_t) - mta_write_config(gpg_t) -') - -optional_policy(` - spamassassin_read_spamd_tmp_files(gpg_t) -') - -optional_policy(` - cron_system_entry(gpg_t, gpg_exec_t) - cron_read_system_job_tmp_files(gpg_t) -') - -optional_policy(` - xserver_use_xdm_fds(gpg_t) - xserver_rw_xdm_pipes(gpg_t) -') - -######################################## -# -# Helper local policy -# - -allow gpg_helper_t self:process { getsched setsched }; -allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; - -dontaudit gpg_helper_t gpg_secret_t:file read_file_perms; - -corenet_all_recvfrom_unlabeled(gpg_helper_t) -corenet_all_recvfrom_netlabel(gpg_helper_t) -corenet_tcp_sendrecv_generic_if(gpg_helper_t) -corenet_tcp_sendrecv_generic_node(gpg_helper_t) -corenet_tcp_sendrecv_all_ports(gpg_helper_t) - -corenet_sendrecv_all_client_packets(gpg_helper_t) -corenet_tcp_connect_all_ports(gpg_helper_t) - -auth_use_nsswitch(gpg_helper_t) - -userdom_use_user_terminals(gpg_helper_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_rw_nfs_files(gpg_helper_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_dontaudit_rw_cifs_files(gpg_helper_t) -') - -######################################## -# -# Agent local policy -# - -allow gpg_agent_t self:process setrlimit; -allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow gpg_agent_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) - -manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") - -domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) - -kernel_dontaudit_search_sysctl(gpg_agent_t) - -corecmd_exec_shell(gpg_agent_t) - -dev_read_rand(gpg_agent_t) -dev_read_urand(gpg_agent_t) - -domain_use_interactive_fds(gpg_agent_t) - -fs_dontaudit_list_inotifyfs(gpg_agent_t) - -miscfiles_read_localization(gpg_agent_t) - -userdom_use_user_terminals(gpg_agent_t) -userdom_search_user_home_dirs(gpg_agent_t) - -ifdef(`hide_broken_symptoms',` - userdom_dontaudit_read_user_tmp_files(gpg_agent_t) -') - -tunable_policy(`gpg_agent_env_file',` - userdom_manage_user_home_content_dirs(gpg_agent_t) - userdom_manage_user_home_content_files(gpg_agent_t) - userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_agent_t) - fs_manage_nfs_files(gpg_agent_t) - fs_manage_nfs_symlinks(gpg_agent_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_agent_t) - fs_manage_cifs_files(gpg_agent_t) - fs_manage_cifs_symlinks(gpg_agent_t) -') - -optional_policy(` - mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -') - -############################## -# -# Pinentry local policy -# - -allow gpg_pinentry_t self:process { getcap getsched setsched signal }; -allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; -allow gpg_pinentry_t self:shm create_shm_perms; -allow gpg_pinentry_t self:tcp_socket { accept listen }; - -manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) -userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) - -manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) -manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) -fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) - -can_exec(gpg_pinentry_t, pinentry_exec_t) - -kernel_read_system_state(gpg_pinentry_t) - -corecmd_exec_shell(gpg_pinentry_t) -corecmd_exec_bin(gpg_pinentry_t) - -corenet_all_recvfrom_netlabel(gpg_pinentry_t) -corenet_all_recvfrom_unlabeled(gpg_pinentry_t) -corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) -corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) - -dev_read_urand(gpg_pinentry_t) -dev_read_rand(gpg_pinentry_t) - -domain_use_interactive_fds(gpg_pinentry_t) - -files_read_usr_files(gpg_pinentry_t) - -fs_dontaudit_list_inotifyfs(gpg_pinentry_t) - -auth_use_nsswitch(gpg_pinentry_t) - -logging_send_syslog_msg(gpg_pinentry_t) - -miscfiles_read_fonts(gpg_pinentry_t) -miscfiles_read_localization(gpg_pinentry_t) - -userdom_use_user_terminals(gpg_pinentry_t) - -ifdef(`distro_gentoo',` - optional_policy(` - mutt_read_home_files(gpg_t) - mutt_read_tmp_files(gpg_t) - mutt_rw_tmp_files(gpg_t) - ') -') - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(gpg_pinentry_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(gpg_pinentry_t) -') - -optional_policy(` - dbus_all_session_bus_client(gpg_pinentry_t) - dbus_system_bus_client(gpg_pinentry_t) -') - -optional_policy(` - pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles) -') - -optional_policy(` - xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) -') diff --git a/policy/modules/contrib/gpm.fc b/policy/modules/contrib/gpm.fc deleted file mode 100644 index 184680b1..00000000 --- a/policy/modules/contrib/gpm.fc +++ /dev/null @@ -1,11 +0,0 @@ -/dev/gpmctl -s gen_context(system_u:object_r:gpmctl_t,s0) -/dev/gpmdata -p gen_context(system_u:object_r:gpmctl_t,s0) - -/etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0) -/etc/gpm-.*\.conf -- gen_context(system_u:object_r:gpm_conf_t,s0) - -/etc/rc\.d/init\.d/gpm -- gen_context(system_u:object_r:gpm_initrc_exec_t,s0) - -/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0) - -/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0) diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if deleted file mode 100644 index f1528c9b..00000000 --- a/policy/modules/contrib/gpm.if +++ /dev/null @@ -1,122 +0,0 @@ -## <summary>General Purpose Mouse driver.</summary> - -######################################## -## <summary> -## Connect to GPM over a unix domain -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gpm_stream_connect',` - gen_require(` - type gpmctl_t, gpm_t; - ') - - dev_list_all_dev_nodes($1) - stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t) -') - -######################################## -## <summary> -## Get attributes of gpm control -## channel named sock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gpm_getattr_gpmctl',` - gen_require(` - type gpmctl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 gpmctl_t:sock_file getattr_sock_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to get -## attributes of gpm control channel -## named sock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`gpm_dontaudit_getattr_gpmctl',` - gen_require(` - type gpmctl_t; - ') - - dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms; -') - -######################################## -## <summary> -## Set attributes of gpm control -## channel named sock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gpm_setattr_gpmctl',` - gen_require(` - type gpmctl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 gpmctl_t:sock_file setattr_sock_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an gpm environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`gpm_admin',` - gen_require(` - type gpm_t, gpm_conf_t, gpm_initrc_exec_t; - type gpm_var_run_t, gpmctl_t; - ') - - allow $1 gpm_t:process { ptrace signal_perms }; - ps_process_pattern($1, gpm_t) - - init_labeled_script_domtrans($1, gpm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 gpm_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, gpm_conf_t) - - dev_list_all_dev_nodes($1) - admin_pattern($1, gpmctl_t) - - files_search_pids($1) - admin_pattern($1, gpm_var_run_t) -') diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te deleted file mode 100644 index 3226f529..00000000 --- a/policy/modules/contrib/gpm.te +++ /dev/null @@ -1,83 +0,0 @@ -policy_module(gpm, 1.8.2) - -######################################## -# -# Declarations -# - -type gpm_t; -type gpm_exec_t; -init_daemon_domain(gpm_t, gpm_exec_t) - -type gpm_initrc_exec_t; -init_script_file(gpm_initrc_exec_t) - -type gpm_conf_t; -files_type(gpm_conf_t) - -type gpm_tmp_t; -files_tmp_file(gpm_tmp_t) - -type gpm_var_run_t; -files_pid_file(gpm_var_run_t) - -type gpmctl_t; -files_type(gpmctl_t) - -######################################## -# -# Local policy -# - -allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config }; -allow gpm_t self:process { signal signull getcap setcap }; -allow gpm_t self:unix_stream_socket { accept listen }; - -allow gpm_t gpm_conf_t:dir list_dir_perms; -read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t) -read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t) - -manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) -manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) -files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir }) - -allow gpm_t gpm_var_run_t:file manage_file_perms; -files_pid_filetrans(gpm_t, gpm_var_run_t, file) - -allow gpm_t gpmctl_t:sock_file manage_sock_file_perms; -allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms; -dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file }) - -kernel_read_kernel_sysctls(gpm_t) -kernel_list_proc(gpm_t) -kernel_read_proc_symlinks(gpm_t) - -dev_read_sysfs(gpm_t) -# Access the mouse. -dev_rw_input_dev(gpm_t) -dev_rw_mouse(gpm_t) - -files_read_etc_files(gpm_t) - -fs_getattr_all_fs(gpm_t) -fs_search_auto_mountpoints(gpm_t) - -term_use_unallocated_ttys(gpm_t) - -domain_use_interactive_fds(gpm_t) - -logging_send_syslog_msg(gpm_t) - -miscfiles_read_localization(gpm_t) - -userdom_use_user_terminals(gpm_t) -userdom_dontaudit_use_unpriv_user_fds(gpm_t) -userdom_dontaudit_search_user_home_dirs(gpm_t) - -optional_policy(` - seutil_sigchld_newrole(gpm_t) -') - -optional_policy(` - udev_read_db(gpm_t) -') diff --git a/policy/modules/contrib/gpsd.fc b/policy/modules/contrib/gpsd.fc deleted file mode 100644 index 21be63d6..00000000 --- a/policy/modules/contrib/gpsd.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) - -/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) - -/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) -/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if deleted file mode 100644 index 92eb5641..00000000 --- a/policy/modules/contrib/gpsd.if +++ /dev/null @@ -1,103 +0,0 @@ -## <summary>gpsd monitor daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to run gpsd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`gpsd_domtrans',` - gen_require(` - type gpsd_t, gpsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gpsd_exec_t, gpsd_t) -') - -######################################## -## <summary> -## Execute gpsd in the gpsd domain, and -## allow the specified role the gpsd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`gpsd_run',` - gen_require(` - attribute_role gpsd_roles; - ') - - gpsd_domtrans($1) - roleattribute $2 gpsd_roles; -') - -######################################## -## <summary> -## Read and write gpsd shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`gpsd_rw_shm',` - gen_require(` - type gpsd_t, gpsd_tmpfs_t; - ') - - allow $1 gpsd_t:shm rw_shm_perms; - allow $1 gpsd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an gpsd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`gpsd_admin',` - gen_require(` - type gpsd_t, gpsd_initrc_exec_t, gpsd_var_run_t; - ') - - allow $1 gpsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, gpsd_t) - - init_labeled_script_domtrans($1, gpsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 gpsd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, gpsd_var_run_t) - - gpsd_run($1, $2) -') diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te deleted file mode 100644 index 25f09aef..00000000 --- a/policy/modules/contrib/gpsd.te +++ /dev/null @@ -1,84 +0,0 @@ -policy_module(gpsd, 1.1.1) - -######################################## -# -# Declarations -# - -attribute_role gpsd_roles; - -type gpsd_t; -type gpsd_exec_t; -application_domain(gpsd_t, gpsd_exec_t) -init_daemon_domain(gpsd_t, gpsd_exec_t) -role gpsd_roles types gpsd_t; - -type gpsd_initrc_exec_t; -init_script_file(gpsd_initrc_exec_t) - -type gpsd_tmpfs_t; -files_tmpfs_file(gpsd_tmpfs_t) - -type gpsd_var_run_t; -files_pid_file(gpsd_var_run_t) - -######################################## -# -# Local policy -# - -allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; -dontaudit gpsd_t self:capability { dac_read_search dac_override }; -allow gpsd_t self:process { setsched signal_perms }; -allow gpsd_t self:shm create_shm_perms; -allow gpsd_t self:unix_dgram_socket sendto; -allow gpsd_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) - -manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) -manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) -files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) - -kernel_list_proc(gpsd_t) -kernel_request_load_module(gpsd_t) - -corenet_all_recvfrom_unlabeled(gpsd_t) -corenet_all_recvfrom_netlabel(gpsd_t) -corenet_tcp_sendrecv_generic_if(gpsd_t) -corenet_tcp_sendrecv_generic_node(gpsd_t) -corenet_tcp_bind_all_nodes(gpsd_t) - -corenet_sendrecv_gpsd_server_packets(gpsd_t) -corenet_tcp_bind_gpsd_port(gpsd_t) -corenet_tcp_sendrecv_gpsd_port(gpsd_t) - -dev_read_sysfs(gpsd_t) -dev_rw_realtime_clock(gpsd_t) - -domain_dontaudit_read_all_domains_state(gpsd_t) - -term_use_unallocated_ttys(gpsd_t) -term_setattr_unallocated_ttys(gpsd_t) - -auth_use_nsswitch(gpsd_t) - -logging_send_syslog_msg(gpsd_t) - -miscfiles_read_localization(gpsd_t) - -optional_policy(` - chronyd_rw_shm(gpsd_t) - chronyd_stream_connect(gpsd_t) - chronyd_dgram_send(gpsd_t) -') - -optional_policy(` - dbus_system_bus_client(gpsd_t) -') - -optional_policy(` - ntp_rw_shm(gpsd_t) -') diff --git a/policy/modules/contrib/guest.fc b/policy/modules/contrib/guest.fc deleted file mode 100644 index 601a7b02..00000000 --- a/policy/modules/contrib/guest.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/contrib/guest.if b/policy/modules/contrib/guest.if deleted file mode 100644 index ad1653f9..00000000 --- a/policy/modules/contrib/guest.if +++ /dev/null @@ -1,50 +0,0 @@ -## <summary>Least privledge terminal user role.</summary> - -######################################## -## <summary> -## Change to the guest role. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`guest_role_change',` - gen_require(` - role guest_r; - ') - - allow $1 guest_r; -') - -######################################## -## <summary> -## Change from the guest role. -## </summary> -## <desc> -## <p> -## Change from the guest role to -## the specified role. -## </p> -## <p> -## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -## </p> -## </desc> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`guest_role_change_to',` - gen_require(` - role guest_r; - ') - - allow guest_r $1; -') diff --git a/policy/modules/contrib/guest.te b/policy/modules/contrib/guest.te deleted file mode 100644 index d9287110..00000000 --- a/policy/modules/contrib/guest.te +++ /dev/null @@ -1,23 +0,0 @@ -policy_module(guest, 1.2.1) - -######################################## -# -# Declarations -# - -role guest_r; - -userdom_restricted_user_template(guest) - -kernel_read_system_state(guest_t) - -######################################## -# -# Local policy -# - -optional_policy(` - apache_role(guest_r, guest_t) -') - -#gen_user(guest_u, user, guest_r, s0, s0) diff --git a/policy/modules/contrib/hadoop.fc b/policy/modules/contrib/hadoop.fc deleted file mode 100644 index d17ca702..00000000 --- a/policy/modules/contrib/hadoop.fc +++ /dev/null @@ -1,53 +0,0 @@ -/etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0) - -/etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) -/etc/rc\.d/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0) -/etc/rc\.d/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0) -/etc/rc\.d/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0) -/etc/rc\.d/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0) -/etc/rc\.d/init\.d/hadoop-zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0) -/etc/rc\.d/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0) - -/etc/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0) -/etc/zookeeper\.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0) - -/usr/lib/hadoop.*/bin/hadoop -- gen_context(system_u:object_r:hadoop_exec_t,s0) - -/usr/bin/zookeeper-client -- gen_context(system_u:object_r:zookeeper_exec_t,s0) -/usr/bin/zookeeper-server -- gen_context(system_u:object_r:zookeeper_server_exec_t,s0) - -/var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0) -/var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0) -/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0) -/var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0) -/var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0) -/var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0) -/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0) -/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0) -/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0) -/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0) -/var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0) - -/var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0) -/var/lock/subsys/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_lock_t,s0) -/var/lock/subsys/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_lock_t,s0) -/var/lock/subsys/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_lock_t,s0) -/var/lock/subsys/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_lock_t,s0) - -/var/log/hadoop.* gen_context(system_u:object_r:hadoop_log_t,s0) -/var/log/hadoop.*/hadoop-hadoop-datanode(-.*)? gen_context(system_u:object_r:hadoop_datanode_log_t,s0) -/var/log/hadoop.*/hadoop-hadoop-jobtracker(-.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0) -/var/log/hadoop.*/hadoop-hadoop-namenode(-.*)? gen_context(system_u:object_r:hadoop_namenode_log_t,s0) -/var/log/hadoop.*/hadoop-hadoop-secondarynamenode(-.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_log_t,s0) -/var/log/hadoop.*/hadoop-hadoop-tasktracker(-.*)? gen_context(system_u:object_r:hadoop_tasktracker_log_t,s0) -/var/log/hadoop.*/history(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0) -/var/log/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_log_t,s0) - -/var/run/hadoop.* -d gen_context(system_u:object_r:hadoop_var_run_t,s0) -/var/run/hadoop.*/hadoop-hadoop-datanode\.pid -- gen_context(system_u:object_r:hadoop_datanode_initrc_var_run_t,s0) -/var/run/hadoop.*/hadoop-hadoop-jobtracker\.pid -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_var_run_t,s0) -/var/run/hadoop.*/hadoop-hadoop-namenode\.pid -- gen_context(system_u:object_r:hadoop_namenode_initrc_var_run_t,s0) -/var/run/hadoop.*/hadoop-hadoop-secondarynamenode\.pid -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_var_run_t,s0) -/var/run/hadoop.*/hadoop-hadoop-tasktracker\.pid -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_var_run_t,s0) - -/var/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0) diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if deleted file mode 100644 index d17a75fb..00000000 --- a/policy/modules/contrib/hadoop.if +++ /dev/null @@ -1,468 +0,0 @@ -## <summary>Software for reliable, scalable, distributed computing.</summary> - -####################################### -## <summary> -## The template to define a hadoop domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`hadoop_domain_template',` - gen_require(` - attribute hadoop_domain, hadoop_initrc_domain, hadoop_init_script_file; - attribute hadoop_pid_file, hadoop_lock_file, hadoop_log_file; - attribute hadoop_tmp_file, hadoop_var_lib_file; - type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t; - type hadoop_exec_t, hadoop_hsperfdata_t; - ') - - ######################################## - # - # Declarations - # - - type hadoop_$1_t, hadoop_domain; - domain_type(hadoop_$1_t) - domain_entry_file(hadoop_$1_t, hadoop_exec_t) - role system_r types hadoop_$1_t; - - type hadoop_$1_initrc_t, hadoop_initrc_domain; - type hadoop_$1_initrc_exec_t, hadoop_init_script_file; - init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t) - role system_r types hadoop_$1_initrc_t; - - type hadoop_$1_initrc_var_run_t, hadoop_pid_file; - files_pid_file(hadoop_$1_initrc_var_run_t) - - type hadoop_$1_lock_t, hadoop_lock_file; - files_lock_file(hadoop_$1_lock_t) - - type hadoop_$1_log_t, hadoop_log_file; - logging_log_file(hadoop_$1_log_t) - - type hadoop_$1_tmp_t, hadoop_tmp_file; - files_tmp_file(hadoop_$1_tmp_t) - - type hadoop_$1_var_lib_t, hadoop_var_lib_file; - files_type(hadoop_$1_var_lib_t) - - #################################### - # - # hadoop_domain policy - # - - manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t) - filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file }) - - manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t) - manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t) - filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file) - - manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) - filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) - - manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t) - filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file) - - auth_use_nsswitch(hadoop_$1_t) - - #################################### - # - # hadoop_initrc_domain policy - # - - allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull }; - - domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t) - - manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t) - files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file) - - manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) - filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) - - manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t) - filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file }) -') - -######################################## -## <summary> -## Role access for hadoop. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`hadoop_role',` - gen_require(` - attribute_role hadoop_roles, zookeeper_roles; - type hadoop_t, zookeeper_t, hadoop_home_t; - type hadoop_tmp_t, hadoop_hsperfdata_t, zookeeper_tmp_t; - ') - - hadoop_domtrans($2) - roleattribute $1 hadoop_roles; - - hadoop_domtrans_zookeeper_client($2) - roleattribute $1 zookeeper_roles; - - allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { hadoop_t zookeeper_t }) - - allow $2 { hadoop_home_t hadoop_tmp_t hadoop_hsperfdata_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { hadoop_home_t hadoop_tmp_t zookeeper_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 hadoop_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -') - -######################################## -## <summary> -## Execute hadoop in the -## hadoop domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`hadoop_domtrans',` - gen_require(` - type hadoop_t, hadoop_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hadoop_exec_t, hadoop_t) -') - -######################################## -## <summary> -## Receive from hadoop peer. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_recvfrom',` - gen_require(` - type hadoop_t; - ') - - allow $1 hadoop_t:peer recv; -') - -######################################## -## <summary> -## Execute zookeeper client in the -## zookeeper client domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`hadoop_domtrans_zookeeper_client',` - gen_require(` - type zookeeper_t, zookeeper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zookeeper_exec_t, zookeeper_t) -') - -######################################## -## <summary> -## Receive from zookeeper peer. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_recvfrom_zookeeper_client',` - gen_require(` - type zookeeper_t; - ') - - allow $1 zookeeper_t:peer recv; -') - -######################################## -## <summary> -## Execute zookeeper server in the -## zookeeper server domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`hadoop_domtrans_zookeeper_server',` - gen_require(` - type zookeeper_server_t, zookeeper_server_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t) -') - -######################################## -## <summary> -## Receive from zookeeper server peer. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_recvfrom_zookeeper_server',` - gen_require(` - type zookeeper_server_t; - ') - - allow $1 zookeeper_server_t:peer recv; -') - -######################################## -## <summary> -## Execute zookeeper server in the -## zookeeper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`hadoop_initrc_domtrans_zookeeper_server',` - gen_require(` - type zookeeper_server_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t) -') - -######################################## -## <summary> -## Receive from datanode peer. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_recvfrom_datanode',` - gen_require(` - type hadoop_datanode_t; - ') - - allow $1 hadoop_datanode_t:peer recv; -') - -######################################## -## <summary> -## Read hadoop configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_read_config',` - gen_require(` - type hadoop_etc_t; - ') - - read_files_pattern($1, hadoop_etc_t, hadoop_etc_t) - read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t) -') - -######################################## -## <summary> -## Execute hadoop configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_exec_config',` - gen_require(` - type hadoop_etc_t; - ') - - hadoop_read_config($1) - allow $1 hadoop_etc_t:file exec_file_perms; -') - -######################################## -## <summary> -## Receive from jobtracker peer. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_recvfrom_jobtracker',` - gen_require(` - type hadoop_jobtracker_t; - ') - - allow $1 hadoop_jobtracker_t:peer recv; -') - -######################################## -## <summary> -## Match hadoop lan association. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_match_lan_spd',` - gen_require(` - type hadoop_lan_t; - ') - - allow $1 hadoop_lan_t:association polmatch; -') - -######################################## -## <summary> -## Receive from namenode peer. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_recvfrom_namenode',` - gen_require(` - type hadoop_namenode_t; - ') - - allow $1 hadoop_namenode_t:peer recv; -') - -######################################## -## <summary> -## Receive from secondary namenode peer. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_recvfrom_secondarynamenode',` - gen_require(` - type hadoop_secondarynamenode_t; - ') - - allow $1 hadoop_secondarynamenode_t:peer recv; -') - -######################################## -## <summary> -## Receive from tasktracker peer. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hadoop_recvfrom_tasktracker',` - gen_require(` - type hadoop_tasktracker_t; - ') - - allow $1 hadoop_tasktracker_t:peer recv; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an hadoop environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`hadoop_admin',` - gen_require(` - attribute hadoop_domain; - attribute hadoop_initrc_domain; - - attribute hadoop_init_script_file; - attribute hadoop_pid_file; - attribute hadoop_lock_file; - attribute hadoop_log_file; - attribute hadoop_tmp_file; - attribute hadoop_var_lib_file; - - type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t; - type zookeeper_t, zookeeper_etc_t, zookeeper_server_t; - type zookeeper_server_var_t; - ') - - allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }) - - init_labeled_script_domtrans($1, hadoop_init_script_file) - domain_system_change_exemption($1) - role_transition $2 hadoop_init_script_file system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, { hadoop_etc_t zookeeper_etc_t }) - - logging_search_logs($1) - admin_pattern($1, hadoop_log_file) - - files_search_locks($1) - admin_pattern($1, hadoop_lock_file) - - files_search_pids($1) - admin_pattern($1, hadoop_pid_file) - - files_search_tmp($1) - admin_pattern($1, { hadoop_tmp_file hadoop_hsperfdata_t }) - - files_search_var_lib($1) - admin_pattern($1, { hadoop_var_lib_file zookeeper_server_var_t }) - - hadoop_role($2, $1) -') diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te deleted file mode 100644 index e62bcb74..00000000 --- a/policy/modules/contrib/hadoop.te +++ /dev/null @@ -1,553 +0,0 @@ -policy_module(hadoop, 1.2.5) - -######################################## -# -# Declarations -# - -attribute hadoop_domain; -attribute hadoop_initrc_domain; - -attribute hadoop_init_script_file; -attribute hadoop_pid_file; -attribute hadoop_lock_file; -attribute hadoop_log_file; -attribute hadoop_tmp_file; -attribute hadoop_var_lib_file; - -attribute_role hadoop_roles; -attribute_role zookeeper_roles; - -type hadoop_t; -type hadoop_exec_t; -userdom_user_application_domain(hadoop_t, hadoop_exec_t) -role hadoop_roles types hadoop_t; - -type hadoop_etc_t; -files_config_file(hadoop_etc_t) - -type hadoop_home_t; -userdom_user_home_content(hadoop_home_t) - -type hadoop_lan_t; -corenet_spd_type(hadoop_lan_t) - -type hadoop_log_t, hadoop_log_file; -logging_log_file(hadoop_log_t) - -type hadoop_tmp_t, hadoop_tmp_file; -userdom_user_tmp_file(hadoop_tmp_t) - -type hadoop_var_lib_t, hadoop_var_lib_file; -files_type(hadoop_var_lib_t) - -type hadoop_var_run_t, hadoop_pid_file; -files_pid_file(hadoop_var_run_t) - -type hadoop_hsperfdata_t; -userdom_user_tmp_file(hadoop_hsperfdata_t) - -hadoop_domain_template(datanode) -hadoop_domain_template(jobtracker) -hadoop_domain_template(namenode) -hadoop_domain_template(secondarynamenode) -hadoop_domain_template(tasktracker) - -type zookeeper_t; -type zookeeper_exec_t; -userdom_user_application_domain(zookeeper_t, zookeeper_exec_t) -role zookeeper_roles types zookeeper_t; - -type zookeeper_etc_t; -files_config_file(zookeeper_etc_t) - -type zookeeper_log_t, hadoop_log_file; -logging_log_file(zookeeper_log_t) - -type zookeeper_server_t; -type zookeeper_server_exec_t; -init_daemon_domain(zookeeper_server_t, zookeeper_server_exec_t) - -type zookeeper_server_initrc_exec_t, hadoop_init_script_file; -init_script_file(zookeeper_server_initrc_exec_t) - -type zookeeper_server_tmp_t, hadoop_tmp_file; -files_tmp_file(zookeeper_server_tmp_t) - -type zookeeper_server_var_t; -files_type(zookeeper_server_var_t) - -type zookeeper_server_var_run_t, hadoop_pid_file; -files_pid_file(zookeeper_server_var_run_t) - -type zookeeper_tmp_t, hadoop_tmp_file; -userdom_user_tmp_file(zookeeper_tmp_t) - -######################################## -# -# Local policy -# - -allow hadoop_t self:capability sys_resource; -allow hadoop_t self:process { getsched setsched signal signull setrlimit execmem }; -allow hadoop_t self:fifo_file rw_fifo_file_perms; -allow hadoop_t self:key write; -allow hadoop_t self:peer recv; -allow hadoop_t self:tcp_socket { accept listen }; - -allow hadoop_t hadoop_domain:process signull; - -read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t) -read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t) -can_exec(hadoop_t, hadoop_etc_t) - -manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t) -manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t) -manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t) -userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir }) - -allow hadoop_t hadoop_hsperfdata_t:dir manage_dir_perms; -files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir) - -manage_dirs_pattern(hadoop_t, hadoop_log_t, hadoop_log_t) - -manage_dirs_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t) -manage_files_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t) -filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, { dir file }) - -manage_dirs_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t) -manage_files_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t) -files_search_var_lib(hadoop_t) - -getattr_dirs_pattern(hadoop_t, hadoop_var_run_t, hadoop_var_run_t) - -kernel_read_network_state(hadoop_t) -kernel_read_system_state(hadoop_t) - -corecmd_exec_bin(hadoop_t) -corecmd_exec_shell(hadoop_t) - -corenet_all_recvfrom_unlabeled(hadoop_t) -corenet_all_recvfrom_netlabel(hadoop_t) -corenet_tcp_sendrecv_generic_if(hadoop_t) -corenet_tcp_sendrecv_generic_node(hadoop_t) -corenet_tcp_sendrecv_all_ports(hadoop_t) - -corenet_sendrecv_hadoop_namenode_client_packets(hadoop_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_t) - -corenet_sendrecv_hadoop_datanode_client_packets(hadoop_t) -corenet_tcp_connect_hadoop_datanode_port(hadoop_t) - -corenet_sendrecv_portmap_client_packets(hadoop_t) -corenet_tcp_connect_portmap_port(hadoop_t) - -corenet_sendrecv_zope_client_packets(hadoop_t) -corenet_tcp_connect_zope_port(hadoop_t) - -corenet_sendrecv_generic_client_packets(hadoop_t) -corenet_tcp_connect_generic_port(hadoop_t) - -dev_read_rand(hadoop_t) -dev_read_sysfs(hadoop_t) -dev_read_urand(hadoop_t) - -domain_use_interactive_fds(hadoop_t) - -files_dontaudit_search_spool(hadoop_t) -files_read_usr_files(hadoop_t) - -fs_getattr_xattr_fs(hadoop_t) - -auth_use_nsswitch(hadoop_t) - -miscfiles_read_localization(hadoop_t) - -userdom_use_user_terminals(hadoop_t) - -hadoop_match_lan_spd(hadoop_t) -hadoop_recvfrom_datanode(hadoop_t) -hadoop_recvfrom_jobtracker(hadoop_t) -hadoop_recvfrom_namenode(hadoop_t) -hadoop_recvfrom_tasktracker(hadoop_t) - -optional_policy(` - java_exec(hadoop_t) -') - -######################################## -# -# Common hadoop_domain local policy -# - -allow hadoop_domain self:capability { chown kill setgid setuid }; -allow hadoop_domain self:process { execmem getsched setsched sigkill signal }; -allow hadoop_domain self:fifo_file rw_fifo_file_perms; -allow hadoop_domain self:key search; -allow hadoop_domain self:peer recv; -allow hadoop_domain self:tcp_socket { accept listen }; - -allow hadoop_domain hadoop_domain:process signull; - -allow hadoop_domain hadoop_hsperfdata_t:dir manage_dir_perms; -files_tmp_filetrans(hadoop_domain, hadoop_hsperfdata_t, dir) - -hadoop_exec_config(hadoop_domain) -hadoop_match_lan_spd(hadoop_domain) - -kernel_read_kernel_sysctls(hadoop_domain) -kernel_read_network_state(hadoop_domain) -kernel_read_sysctl(hadoop_domain) -kernel_read_system_state(hadoop_domain) - -corecmd_exec_bin(hadoop_domain) -corecmd_exec_shell(hadoop_domain) - -corenet_all_recvfrom_unlabeled(hadoop_domain) -corenet_all_recvfrom_netlabel(hadoop_domain) -corenet_tcp_bind_all_nodes(hadoop_domain) -corenet_tcp_sendrecv_generic_if(hadoop_domain) -corenet_tcp_sendrecv_generic_node(hadoop_domain) -corenet_tcp_sendrecv_all_ports(hadoop_domain) - -corenet_sendrecv_generic_client_packets(hadoop_domain) -corenet_tcp_connect_generic_port(hadoop_domain) - -dev_read_rand(hadoop_domain) -dev_read_urand(hadoop_domain) -dev_read_sysfs(hadoop_domain) - -files_search_pids(hadoop_domain) -files_search_var_lib(hadoop_domain) - -auth_domtrans_chkpwd(hadoop_domain) - -init_read_utmp(hadoop_domain) -init_use_fds(hadoop_domain) -init_use_script_fds(hadoop_domain) -init_use_script_ptys(hadoop_domain) - -logging_search_logs(hadoop_domain) -logging_send_audit_msgs(hadoop_domain) -logging_send_syslog_msg(hadoop_domain) - -miscfiles_read_localization(hadoop_domain) - -optional_policy(` - java_exec(hadoop_domain) -') - -optional_policy(` - su_exec(hadoop_domain) -') - -######################################## -# -# Common hadoop_initrc_domain local policy -# - -allow hadoop_initrc_domain self:capability { setuid setgid }; -dontaudit hadoop_initrc_domain self:capability sys_tty_config; -allow hadoop_initrc_domain self:process setsched; -allow hadoop_initrc_domain self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(hadoop_initrc_domain, hadoop_var_run_t, hadoop_var_run_t) -manage_files_pattern(hadoop_initrc_domain, hadoop_var_run_t, hadoop_var_run_t) - -hadoop_exec_config(hadoop_initrc_domain) - -kernel_read_kernel_sysctls(hadoop_initrc_domain) -kernel_read_sysctl(hadoop_initrc_domain) -kernel_read_system_state(hadoop_initrc_domain) - -corecmd_exec_bin(hadoop_initrc_domain) -corecmd_exec_shell(hadoop_initrc_domain) - -files_read_etc_files(hadoop_initrc_domain) -files_read_usr_files(hadoop_initrc_domain) -files_search_locks(hadoop_initrc_domain) -files_search_pids(hadoop_initrc_domain) - -fs_getattr_xattr_fs(hadoop_initrc_domain) -fs_search_cgroup_dirs(hadoop_initrc_domain) - -term_use_generic_ptys(hadoop_initrc_domain) - -init_rw_utmp(hadoop_initrc_domain) -init_use_fds(hadoop_initrc_domain) -init_use_script_ptys(hadoop_initrc_domain) - -logging_search_logs(hadoop_initrc_domain) -logging_send_syslog_msg(hadoop_initrc_domain) -logging_send_audit_msgs(hadoop_initrc_domain) - -miscfiles_read_localization(hadoop_initrc_domain) - -userdom_dontaudit_search_user_home_dirs(hadoop_initrc_domain) - -optional_policy(` - consoletype_exec(hadoop_initrc_domain) -') - -optional_policy(` - nscd_use(hadoop_initrc_domain) -') - -######################################## -# -# Datanode local policy -# - -manage_dirs_pattern(hadoop_datanode_t, hadoop_var_lib_t, hadoop_var_lib_t) - -corenet_sendrecv_hadoop_datanode_server_packets(hadoop_datanode_t) -corenet_tcp_bind_hadoop_datanode_port(hadoop_datanode_t) - -corenet_sendrecv_hadoop_datanode_client_packets(hadoop_datanode_t) -corenet_tcp_connect_hadoop_datanode_port(hadoop_datanode_t) - -corenet_sendrecv_hadoop_namenode_client_packets(hadoop_datanode_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t) - -fs_getattr_xattr_fs(hadoop_datanode_t) - -hadoop_recvfrom_jobtracker(hadoop_datanode_t) -hadoop_recvfrom_namenode(hadoop_datanode_t) -hadoop_recvfrom(hadoop_datanode_t) -hadoop_recvfrom_tasktracker(hadoop_datanode_t) - -######################################## -# -# Jobtracker local policy -# - -create_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t) -setattr_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t) - -manage_dirs_pattern(hadoop_jobtracker_t, hadoop_var_lib_t, hadoop_var_lib_t) - -corenet_sendrecv_zope_server_packets(hadoop_jobtracker_t) -corenet_tcp_bind_zope_port(hadoop_jobtracker_t) - -corenet_sendrecv_hadoop_datanode_client_packets(hadoop_jobtracker_t) -corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t) - -corenet_sendrecv_hadoop_namenode_client_packets(hadoop_jobtracker_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t) - -hadoop_recvfrom_datanode(hadoop_jobtracker_t) -hadoop_recvfrom_namenode(hadoop_jobtracker_t) -hadoop_recvfrom(hadoop_jobtracker_t) -hadoop_recvfrom_tasktracker(hadoop_jobtracker_t) - -######################################## -# -# Namenode local policy -# - -manage_dirs_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t) -manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t) - -corenet_sendrecv_hadoop_namenode_server_packets(hadoop_namenode_t) -corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t) - -corenet_sendrecv_hadoop_namenode_client_packets(hadoop_namenode_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t) - -hadoop_recvfrom_datanode(hadoop_namenode_t) -hadoop_recvfrom_jobtracker(hadoop_namenode_t) -hadoop_recvfrom(hadoop_namenode_t) -hadoop_recvfrom_secondarynamenode(hadoop_namenode_t) -hadoop_recvfrom_tasktracker(hadoop_namenode_t) - -######################################## -# -# Secondary namenode local policy -# - -manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib_t) - -corenet_sendrecv_hadoop_namenode_client_packets(hadoop_secondarynamenode_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t) - -hadoop_recvfrom_namenode(hadoop_secondarynamenode_t) - -######################################## -# -# Tasktracker local policy -# - -manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t) -setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t) -filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir) - -manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t) -filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file) - -manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t) - -corenet_sendrecv_hadoop_datanode_client_packets(hadoop_tasktracker_t) -corenet_tcp_connect_hadoop_datanode_port(hadoop_tasktracker_t) - -corenet_sendrecv_hadoop_namenode_client_packets(hadoop_tasktracker_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t) - -corenet_sendrecv_zope_client_packets(hadoop_tasktracker_t) -corenet_tcp_connect_zope_port(hadoop_tasktracker_t) - -fs_getattr_xattr_fs(hadoop_tasktracker_t) - -hadoop_recvfrom_datanode(hadoop_tasktracker_t) -hadoop_recvfrom_jobtracker(hadoop_tasktracker_t) -hadoop_recvfrom(hadoop_tasktracker_t) -hadoop_recvfrom_namenode(hadoop_tasktracker_t) - -######################################## -# -# Zookeeper client local policy -# - -allow zookeeper_t self:process { getsched sigkill signal signull execmem }; -allow zookeeper_t self:fifo_file rw_fifo_file_perms; -allow zookeeper_t self:tcp_socket { accept listen }; - -read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t) -read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t) - -can_exec(zookeeper_t, zookeeper_exec_t) - -allow zookeeper_t hadoop_hsperfdata_t:dir manage_dir_perms; -files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir) - -allow zookeeper_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms }; -allow zookeeper_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms }; -append_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t) -logging_log_filetrans(zookeeper_t, zookeeper_log_t, file) - -allow zookeeper_t zookeeper_server_t:process signull; - -manage_files_pattern(zookeeper_t, zookeeper_tmp_t, zookeeper_tmp_t) -filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file) - -kernel_read_network_state(zookeeper_t) -kernel_read_system_state(zookeeper_t) - -corecmd_exec_bin(zookeeper_t) -corecmd_exec_shell(zookeeper_t) - -corenet_all_recvfrom_unlabeled(zookeeper_t) -corenet_all_recvfrom_netlabel(zookeeper_t) -corenet_tcp_sendrecv_generic_if(zookeeper_t) -corenet_tcp_sendrecv_generic_node(zookeeper_t) -corenet_tcp_sendrecv_all_ports(zookeeper_t) - -corenet_sendrecv_zookeeper_client_client_packets(zookeeper_t) -corenet_tcp_connect_zookeeper_client_port(zookeeper_t) - -corenet_sendrecv_generic_client_packets(zookeeper_t) -corenet_tcp_connect_generic_port(zookeeper_t) - -dev_read_rand(zookeeper_t) -dev_read_sysfs(zookeeper_t) -dev_read_urand(zookeeper_t) - -domain_use_interactive_fds(zookeeper_t) - -files_read_usr_files(zookeeper_t) - -auth_use_nsswitch(zookeeper_t) - -miscfiles_read_localization(zookeeper_t) - -userdom_use_user_terminals(zookeeper_t) -userdom_dontaudit_search_user_home_dirs(zookeeper_t) - -hadoop_match_lan_spd(zookeeper_t) -hadoop_recvfrom_zookeeper_server(zookeeper_t) - -optional_policy(` - java_exec(zookeeper_t) -') - -######################################## -# -# Zookeeper server local policy -# - -allow zookeeper_server_t self:capability kill; -allow zookeeper_server_t self:process { execmem getsched sigkill signal signull }; -allow zookeeper_server_t self:fifo_file rw_fifo_file_perms; -allow zookeeper_server_t self:peer recv; -allow zookeeper_server_t self:tcp_socket { accept listen }; - -allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms; -files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir) - -read_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t) -read_lnk_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t) - -manage_dirs_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t) -manage_files_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t) -files_var_lib_filetrans(zookeeper_server_t, zookeeper_server_var_t, { dir file }) - -allow zookeeper_server_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms }; -allow zookeeper_server_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms }; -logging_log_filetrans(zookeeper_server_t, zookeeper_log_t, file) - -manage_files_pattern(zookeeper_server_t, zookeeper_server_tmp_t, zookeeper_server_tmp_t) -filetrans_pattern(zookeeper_server_t, hadoop_hsperfdata_t, zookeeper_server_tmp_t, file) - -manage_files_pattern(zookeeper_server_t, zookeeper_server_var_run_t, zookeeper_server_var_run_t) -files_pid_filetrans(zookeeper_server_t, zookeeper_server_var_run_t, file) - -can_exec(zookeeper_server_t, zookeeper_server_exec_t) - -kernel_read_network_state(zookeeper_server_t) -kernel_read_system_state(zookeeper_server_t) - -corecmd_exec_bin(zookeeper_server_t) -corecmd_exec_shell(zookeeper_server_t) - -corenet_all_recvfrom_unlabeled(zookeeper_server_t) -corenet_all_recvfrom_netlabel(zookeeper_server_t) -corenet_tcp_sendrecv_generic_if(zookeeper_server_t) -corenet_tcp_sendrecv_generic_node(zookeeper_server_t) -corenet_tcp_sendrecv_all_ports(zookeeper_server_t) -corenet_tcp_bind_generic_node(zookeeper_server_t) - -corenet_sendrecv_zookeeper_client_server_packets(zookeeper_server_t) -corenet_tcp_bind_zookeeper_client_port(zookeeper_server_t) - -corenet_sendrecv_zookeeper_election_server_packets(zookeeper_server_t) -corenet_tcp_bind_zookeeper_election_port(zookeeper_server_t) - -corenet_sendrecv_zookeeper_leader_server_packets(zookeeper_server_t) -corenet_tcp_bind_zookeeper_leader_port(zookeeper_server_t) - -corenet_sendrecv_zookeeper_election_client_packets(zookeeper_server_t) -corenet_tcp_connect_zookeeper_election_port(zookeeper_server_t) - -corenet_tcp_connect_zookeeper_leader_port(zookeeper_server_t) -corenet_sendrecv_zookeeper_leader_client_packets(zookeeper_server_t) - -corenet_sendrecv_generic_client_packets(zookeeper_server_t) -corenet_tcp_connect_generic_port(zookeeper_server_t) - -dev_read_rand(zookeeper_server_t) -dev_read_sysfs(zookeeper_server_t) -dev_read_urand(zookeeper_server_t) - -files_read_usr_files(zookeeper_server_t) - -fs_getattr_xattr_fs(zookeeper_server_t) - -logging_send_syslog_msg(zookeeper_server_t) - -miscfiles_read_localization(zookeeper_server_t) - -hadoop_match_lan_spd(zookeeper_server_t) -hadoop_recvfrom_zookeeper_client(zookeeper_server_t) - -optional_policy(` - java_exec(zookeeper_server_t) -') diff --git a/policy/modules/contrib/hal.fc b/policy/modules/contrib/hal.fc deleted file mode 100644 index 2899bad6..00000000 --- a/policy/modules/contrib/hal.fc +++ /dev/null @@ -1,27 +0,0 @@ -/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) -/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) - -/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) - -/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) -/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) -/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) -/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) -/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0) - -/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) - -/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) - -/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) -/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) - -/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) - -/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) diff --git a/policy/modules/contrib/hal.if b/policy/modules/contrib/hal.if deleted file mode 100644 index 5e94c213..00000000 --- a/policy/modules/contrib/hal.if +++ /dev/null @@ -1,440 +0,0 @@ -## <summary>Hardware abstraction layer.</summary> - -######################################## -## <summary> -## Execute hal in the hal domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`hal_domtrans',` - gen_require(` - type hald_t, hald_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hald_exec_t, hald_t) -') - -######################################## -## <summary> -## Get attributes of hald processes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_getattr',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:process getattr; -') - -######################################## -## <summary> -## Read hal process state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_read_state',` - gen_require(` - type hald_t; - ') - - ps_process_pattern($1, hald_t) -') - -######################################## -## <summary> -## Trace hald processes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_ptrace',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:process ptrace; -') - -######################################## -## <summary> -## Inherit and use hald file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_use_fds',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to inherited -## and use hald file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`hal_dontaudit_use_fds',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:fd use; -') - -######################################## -## <summary> -## Read and write hald unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_rw_pipes',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write hald unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`hal_dontaudit_rw_pipes',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Send to hald over a unix domain -## datagram socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_dgram_send',` - gen_require(` - type hald_t, hald_var_lib_t; - ') - - files_search_var_lib($1) - dgram_send_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t) -') - -######################################## -## <summary> -## Send to hald over a unix domain -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_stream_connect',` - gen_require(` - type hald_t, hald_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t) -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write hald unix datagram sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`hal_dontaudit_rw_dgram_sockets',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:unix_dgram_socket { read write }; -') - -######################################## -## <summary> -## Send messages to hald over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_dbus_send',` - gen_require(` - type hald_t; - class dbus send_msg; - ') - - allow $1 hald_t:dbus send_msg; -') - -######################################## -## <summary> -## Send and receive messages from -## hald over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_dbus_chat',` - gen_require(` - type hald_t; - class dbus send_msg; - ') - - allow $1 hald_t:dbus send_msg; - allow hald_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Execute hal mac in the hal mac domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`hal_domtrans_mac',` - gen_require(` - type hald_mac_t, hald_mac_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) -') - -######################################## -## <summary> -## Write hald log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_write_log',` - gen_require(` - type hald_log_t; - ') - - logging_search_logs($1) - write_files_pattern($1, hald_log_t, hald_log_t) -') - -######################################## -## <summary> -## Do not audit attempts to write hald -## log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`hal_dontaudit_write_log',` - gen_require(` - type hald_log_t; - ') - - dontaudit $1 hald_log_t:file { append write }; -') - -######################################## -## <summary> -## Create, read, write, and delete -## hald log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_manage_log',` - gen_require(` - type hald_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, hald_log_t, hald_log_t) -') - -######################################## -## <summary> -## Read hald temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_read_tmp_files',` - gen_require(` - type hald_tmp_t; - ') - - files_search_tmp($1) - allow $1 hald_tmp_t:file read_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to append -## hald libraries files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`hal_dontaudit_append_lib_files',` - gen_require(` - type hald_var_lib_t; - ') - - dontaudit $1 hald_var_lib_t:file append_file_perms; -') - -######################################## -## <summary> -## Read hald pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_read_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - allow $1 hald_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Read and write hald pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_rw_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - allow $1 hald_var_run_t:file rw_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## hald pid directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_manage_pid_dirs',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## hald pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_manage_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, hald_var_run_t, hald_var_run_t) -') diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te deleted file mode 100644 index 0801fe1d..00000000 --- a/policy/modules/contrib/hal.te +++ /dev/null @@ -1,500 +0,0 @@ -policy_module(hal, 1.14.5) - -######################################## -# -# Declarations -# - -attribute hald_domain; - -type hald_t, hald_domain; -type hald_exec_t; -init_daemon_domain(hald_t, hald_exec_t) - -type hald_acl_t, hald_domain; -type hald_acl_exec_t; -domain_type(hald_acl_t) -domain_entry_file(hald_acl_t, hald_acl_exec_t) -role system_r types hald_acl_t; - -type hald_cache_t; -files_pid_file(hald_cache_t) - -type hald_dccm_t, hald_domain; -type hald_dccm_exec_t; -domain_type(hald_dccm_t) -domain_entry_file(hald_dccm_t, hald_dccm_exec_t) -role system_r types hald_dccm_t; - -type hald_keymap_t, hald_domain; -type hald_keymap_exec_t; -domain_type(hald_keymap_t) -domain_entry_file(hald_keymap_t, hald_keymap_exec_t) -role system_r types hald_keymap_t; - -type hald_log_t; -logging_log_file(hald_log_t) - -type hald_mac_t, hald_domain; -type hald_mac_exec_t; -domain_type(hald_mac_t) -domain_entry_file(hald_mac_t, hald_mac_exec_t) -role system_r types hald_mac_t; - -type hald_sonypic_t, hald_domain; -type hald_sonypic_exec_t; -domain_type(hald_sonypic_t) -domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t) -role system_r types hald_sonypic_t; - -type hald_tmp_t; -files_tmp_file(hald_tmp_t) - -type hald_var_run_t; -files_pid_file(hald_var_run_t) - -type hald_var_lib_t; -files_type(hald_var_lib_t) - -######################################## -# -# Common local policy -# - -files_read_usr_files(hald_domain) - -miscfiles_read_localization(hald_domain) - -hal_stream_connect(hald_domain) - -######################################## -# -# Local policy -# - -allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; -dontaudit hald_t self:capability { sys_ptrace sys_tty_config }; -allow hald_t self:process { getsched getattr signal_perms }; -allow hald_t self:fifo_file rw_fifo_file_perms; -allow hald_t self:unix_stream_socket { accept listen }; -allow hald_t self:netlink_kobject_uevent_socket create_socket_perms; -allow hald_t self:tcp_socket { accept listen }; - -manage_files_pattern(hald_t, hald_cache_t, hald_cache_t) - -append_files_pattern(hald_t, hald_log_t, hald_log_t) -create_files_pattern(hald_t, hald_log_t, hald_log_t) -setattr_files_pattern(hald_t, hald_log_t, hald_log_t) -logging_log_filetrans(hald_t, hald_log_t, file) - -manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t) -manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t) -files_tmp_filetrans(hald_t, hald_tmp_t, { file dir }) - -manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) -manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) - -manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_t, hald_var_run_t, { dir file }) - -domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) -domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) -domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t) -domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t) -domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) - -allow hald_t hald_domain:process signal; - -kernel_read_system_state(hald_t) -kernel_read_network_state(hald_t) -kernel_read_software_raid_state(hald_t) -kernel_rw_kernel_sysctl(hald_t) -kernel_read_fs_sysctls(hald_t) -kernel_rw_irq_sysctls(hald_t) -kernel_rw_vm_sysctls(hald_t) -kernel_write_proc_files(hald_t) -kernel_rw_net_sysctls(hald_t) -kernel_setsched(hald_t) -kernel_request_load_module(hald_t) - -corecmd_exec_all_executables(hald_t) - -dev_rw_usbfs(hald_t) -dev_read_rand(hald_t) -dev_read_urand(hald_t) -dev_read_input(hald_t) -dev_read_mouse(hald_t) -dev_rw_printer(hald_t) -dev_read_lvm_control(hald_t) -dev_getattr_all_chr_files(hald_t) -dev_rw_generic_usb_dev(hald_t) -dev_setattr_generic_usb_dev(hald_t) -dev_setattr_usbfs_files(hald_t) -dev_rw_power_management(hald_t) -dev_read_raw_memory(hald_t) -dev_rw_sysfs(hald_t) -dev_read_video_dev(hald_t) - -domain_use_interactive_fds(hald_t) -domain_read_all_domains_state(hald_t) -domain_dontaudit_ptrace_all_domains(hald_t) - -files_exec_etc_files(hald_t) -files_getattr_all_mountpoints(hald_t) -files_rw_etc_runtime_files(hald_t) -files_manage_mnt_dirs(hald_t) -files_manage_mnt_files(hald_t) -files_manage_mnt_symlinks(hald_t) -files_create_boot_flag(hald_t) -files_getattr_all_dirs(hald_t) -files_getattr_all_files(hald_t) -files_read_kernel_img(hald_t) -files_rw_lock_dirs(hald_t) -files_read_generic_pids(hald_t) - -fs_getattr_all_fs(hald_t) -fs_search_all(hald_t) -fs_list_inotifyfs(hald_t) -fs_list_auto_mountpoints(hald_t) -fs_mount_dos_fs(hald_t) -fs_unmount_dos_fs(hald_t) -fs_manage_dos_files(hald_t) -fs_manage_fusefs_dirs(hald_t) -fs_rw_removable_blk_files(hald_t) - -mls_file_read_all_levels(hald_t) - -selinux_get_fs_mount(hald_t) -selinux_validate_context(hald_t) -selinux_compute_access_vector(hald_t) -selinux_compute_create_context(hald_t) -selinux_compute_relabel_context(hald_t) -selinux_compute_user_contexts(hald_t) - -storage_raw_read_removable_device(hald_t) -storage_raw_write_removable_device(hald_t) -storage_raw_read_fixed_disk(hald_t) -storage_raw_write_fixed_disk(hald_t) - -term_setattr_unallocated_ttys(hald_t) -term_use_unallocated_ttys(hald_t) - -auth_use_nsswitch(hald_t) -auth_read_pam_console_data(hald_t) - -fstools_getattr_swap_files(hald_t) - -init_domtrans_script(hald_t) -init_read_utmp(hald_t) - -libs_exec_ld_so(hald_t) -libs_exec_lib_files(hald_t) - -logging_send_audit_msgs(hald_t) -logging_send_syslog_msg(hald_t) - -miscfiles_read_hwdata(hald_t) - -modutils_domtrans_insmod(hald_t) -modutils_read_module_deps(hald_t) - -seutil_read_config(hald_t) -seutil_read_default_contexts(hald_t) -seutil_read_file_contexts(hald_t) - -sysnet_domtrans_dhcpc(hald_t) -sysnet_domtrans_ifconfig(hald_t) -sysnet_read_dhcp_config(hald_t) - -userdom_dontaudit_use_unpriv_user_fds(hald_t) -userdom_dontaudit_search_user_home_dirs(hald_t) - -optional_policy(` - alsa_domtrans(hald_t) - alsa_read_rw_config(hald_t) -') - -optional_policy(` - bootloader_domtrans(hald_t) -') - -optional_policy(` - apm_stream_connect(hald_t) -') - -optional_policy(` - bind_search_cache(hald_t) -') - -optional_policy(` - bluetooth_domtrans(hald_t) -') - -optional_policy(` - clock_domtrans(hald_t) -') - -optional_policy(` - cups_domtrans_config(hald_t) - cups_signal_config(hald_t) -') - -optional_policy(` - dbus_system_bus_client(hald_t) - dbus_connect_system_bus(hald_t) - - init_dbus_chat_script(hald_t) - - optional_policy(` - networkmanager_dbus_chat(hald_t) - ') - - optional_policy(` - policykit_dbus_chat(hald_t) - ') -') - -optional_policy(` - dmidecode_domtrans(hald_t) -') - -optional_policy(` - gpm_dontaudit_getattr_gpmctl(hald_t) -') - -optional_policy(` - hotplug_read_config(hald_t) -') - -optional_policy(` - lvm_domtrans(hald_t) -') - -optional_policy(` - mount_domtrans(hald_t) -') - -optional_policy(` - ntp_domtrans(hald_t) -') - -optional_policy(` - pcmcia_manage_pid(hald_t) - pcmcia_manage_pid_chr_files(hald_t) -') - -optional_policy(` - podsleuth_domtrans(hald_t) -') - -optional_policy(` - ppp_domtrans(hald_t) - ppp_read_rw_config(hald_t) -') - -optional_policy(` - policykit_domtrans_auth(hald_t) - policykit_domtrans_resolve(hald_t) - policykit_read_lib(hald_t) - policykit_read_reload(hald_t) -') - -optional_policy(` - rpc_search_nfs_state_data(hald_t) -') - -optional_policy(` - seutil_sigchld_newrole(hald_t) -') - -optional_policy(` - shutdown_domtrans(hald_t) -') - -optional_policy(` - udev_domtrans(hald_t) - udev_read_db(hald_t) -') - -optional_policy(` - usbmuxd_stream_connect(hald_t) -') - -optional_policy(` - updfstab_domtrans(hald_t) -') - -optional_policy(` - vbetool_domtrans(hald_t) -') - -optional_policy(` - virt_manage_images(hald_t) -') - -######################################## -# -# ACL local policy -# - -allow hald_acl_t self:capability { dac_override fowner sys_resource }; -allow hald_acl_t self:process { getattr signal }; -allow hald_acl_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) - -manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) - -corecmd_exec_bin(hald_acl_t) - -dev_getattr_all_chr_files(hald_acl_t) -dev_setattr_all_chr_files(hald_acl_t) -dev_getattr_generic_usb_dev(hald_acl_t) -dev_getattr_video_dev(hald_acl_t) -dev_setattr_video_dev(hald_acl_t) -dev_getattr_sound_dev(hald_acl_t) -dev_setattr_sound_dev(hald_acl_t) -dev_setattr_generic_usb_dev(hald_acl_t) -dev_setattr_usbfs_files(hald_acl_t) - -fs_getattr_all_fs(hald_acl_t) - -storage_getattr_removable_dev(hald_acl_t) -storage_setattr_removable_dev(hald_acl_t) -storage_getattr_fixed_disk_dev(hald_acl_t) -storage_setattr_fixed_disk_dev(hald_acl_t) - -auth_use_nsswitch(hald_acl_t) - -logging_send_syslog_msg(hald_acl_t) - -optional_policy(` - dbus_system_bus_client(hald_acl_t) - - optional_policy(` - policykit_dbus_chat(hald_acl_t) - ') -') - -optional_policy(` - policykit_domtrans_auth(hald_acl_t) - policykit_read_lib(hald_acl_t) - policykit_read_reload(hald_acl_t) -') - -######################################## -# -# MAC local policy -# - -allow hald_mac_t self:capability { setgid setuid sys_admin }; - -manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) - -append_files_pattern(hald_mac_t, hald_log_t, hald_log_t) - -kernel_read_system_state(hald_mac_t) - -dev_read_raw_memory(hald_mac_t) -dev_write_raw_memory(hald_mac_t) -dev_read_sysfs(hald_mac_t) - -auth_use_nsswitch(hald_mac_t) - -logging_send_syslog_msg(hald_mac_t) -logging_search_logs(hald_mac_t) - -######################################## -# -# Sonypic local policy -# - -dev_read_video_dev(hald_sonypic_t) -dev_write_video_dev(hald_sonypic_t) - -manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) - -append_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t) - -logging_search_logs(hald_sonypic_t) - -######################################## -# -# Keymap local policy -# - -manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) - -write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) - -dev_rw_input_dev(hald_keymap_t) - -files_read_etc_files(hald_keymap_t) - -logging_search_logs(hald_keymap_t) - -######################################## -# -# Dccm local policy -# - -allow hald_dccm_t self:capability chown; -allow hald_dccm_t self:process getsched; -allow hald_dccm_t self:fifo_file rw_fifo_file_perms; -allow hald_dccm_t self:tcp_socket create_stream_socket_perms; -allow hald_dccm_t self:udp_socket create_socket_perms; -allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; - -manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) - -manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file }) - -manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t) -files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file) - -append_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) - -kernel_search_network_sysctl(hald_dccm_t) - -corenet_all_recvfrom_unlabeled(hald_dccm_t) -corenet_all_recvfrom_netlabel(hald_dccm_t) -corenet_tcp_sendrecv_generic_if(hald_dccm_t) -corenet_udp_sendrecv_generic_if(hald_dccm_t) -corenet_tcp_sendrecv_generic_node(hald_dccm_t) -corenet_udp_sendrecv_generic_node(hald_dccm_t) -corenet_tcp_sendrecv_all_ports(hald_dccm_t) -corenet_udp_sendrecv_all_ports(hald_dccm_t) -corenet_tcp_bind_generic_node(hald_dccm_t) -corenet_udp_bind_generic_node(hald_dccm_t) - -corenet_sendrecv_dhcpc_server_packets(hald_dccm_t) -corenet_udp_bind_dhcpc_port(hald_dccm_t) - -corenet_sendrecv_ftp_server_packets(hald_dccm_t) -corenet_tcp_bind_ftp_port(hald_dccm_t) - -corenet_sendrecv_dccm_server_packets(hald_dccm_t) -corenet_tcp_bind_dccm_port(hald_dccm_t) - -dev_read_urand(hald_dccm_t) - -logging_send_syslog_msg(hald_dccm_t) -logging_search_logs(hald_dccm_t) - -hal_dontaudit_rw_dgram_sockets(hald_dccm_t) - -optional_policy(` - dbus_system_bus_client(hald_dccm_t) -') diff --git a/policy/modules/contrib/hddtemp.fc b/policy/modules/contrib/hddtemp.fc deleted file mode 100644 index 993b14ac..00000000 --- a/policy/modules/contrib/hddtemp.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0) - -/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0) - -/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0) diff --git a/policy/modules/contrib/hddtemp.if b/policy/modules/contrib/hddtemp.if deleted file mode 100644 index 1728071d..00000000 --- a/policy/modules/contrib/hddtemp.if +++ /dev/null @@ -1,73 +0,0 @@ -## <summary>Hard disk temperature tool running as a daemon.</summary> - -####################################### -## <summary> -## Execute a domain transition to run hddtemp. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`hddtemp_domtrans',` - gen_require(` - type hddtemp_t, hddtemp_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hddtemp_exec_t, hddtemp_t) -') - -###################################### -## <summary> -## Execute hddtemp in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hddtemp_exec',` - gen_require(` - type hddtemp_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, hddtemp_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an hddtemp environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`hddtemp_admin',` - gen_require(` - type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; - ') - - allow $1 hddtemp_t:process { ptrace signal_perms }; - ps_process_pattern($1, hddtemp_t) - - init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 hddtemp_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, hddtemp_etc_t) - files_search_etc($1) -') diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te deleted file mode 100644 index 18d76bbc..00000000 --- a/policy/modules/contrib/hddtemp.te +++ /dev/null @@ -1,49 +0,0 @@ -policy_module(hddtemp, 1.1.1) - -######################################## -# -# Declarations -# - -type hddtemp_t; -type hddtemp_exec_t; -init_daemon_domain(hddtemp_t, hddtemp_exec_t) - -type hddtemp_initrc_exec_t; -init_script_file(hddtemp_initrc_exec_t) - -type hddtemp_etc_t; -files_config_file(hddtemp_etc_t) - -######################################## -# -# Local policy -# - -allow hddtemp_t self:capability sys_rawio; -dontaudit hddtemp_t self:capability sys_admin; -allow hddtemp_t self:tcp_socket { accept listen }; - -allow hddtemp_t hddtemp_etc_t:file read_file_perms; - -corenet_all_recvfrom_unlabeled(hddtemp_t) -corenet_all_recvfrom_netlabel(hddtemp_t) -corenet_tcp_sendrecv_generic_if(hddtemp_t) -corenet_tcp_sendrecv_generic_node(hddtemp_t) -corenet_tcp_bind_generic_node(hddtemp_t) - -corenet_tcp_bind_hddtemp_port(hddtemp_t) -corenet_sendrecv_hddtemp_server_packets(hddtemp_t) -corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) - -files_search_etc(hddtemp_t) -files_read_usr_files(hddtemp_t) - -storage_raw_read_fixed_disk(hddtemp_t) -storage_raw_read_removable_device(hddtemp_t) - -auth_use_nsswitch(hddtemp_t) - -logging_send_syslog_msg(hddtemp_t) - -miscfiles_read_localization(hddtemp_t) diff --git a/policy/modules/contrib/howl.fc b/policy/modules/contrib/howl.fc deleted file mode 100644 index 20fb2511..00000000 --- a/policy/modules/contrib/howl.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/((nifd)|(mDNSResponder)) -- gen_context(system_u:object_r:howl_initrc_exec_t,s0) - -/usr/bin/mDNSResponder -- gen_context(system_u:object_r:howl_exec_t,s0) -/usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0) - -/var/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0) diff --git a/policy/modules/contrib/howl.if b/policy/modules/contrib/howl.if deleted file mode 100644 index dc609f07..00000000 --- a/policy/modules/contrib/howl.if +++ /dev/null @@ -1,53 +0,0 @@ -## <summary>Port of Apple Rendezvous multicast DNS.</summary> - -######################################## -## <summary> -## Send generic signals to howl. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`howl_signal',` - gen_require(` - type howl_t; - ') - - allow $1 howl_t:process signal; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an howl environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`howl_admin',` - gen_require(` - type howl_t, howl_initrc_exec_t, howl_var_run_t; - ') - - allow $1 howl_t:process { ptrace signal_perms }; - ps_process_pattern($1, howl_t) - - init_labeled_script_domtrans($1, howl_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 howl_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, howl_var_run_t) -') diff --git a/policy/modules/contrib/howl.te b/policy/modules/contrib/howl.te deleted file mode 100644 index e2078239..00000000 --- a/policy/modules/contrib/howl.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(howl, 1.9.1) - -######################################## -# -# Declarations -# - -type howl_t; -type howl_exec_t; -application_executable_file(howl_exec_t) -init_daemon_domain(howl_t, howl_exec_t) - -type howl_initrc_exec_t; -init_script_file(howl_initrc_exec_t) - -type howl_var_run_t; -files_pid_file(howl_var_run_t) - -######################################## -# -# Local policy -# - -allow howl_t self:capability { kill net_admin }; -dontaudit howl_t self:capability sys_tty_config; -allow howl_t self:process signal_perms; -allow howl_t self:fifo_file rw_fifo_file_perms; -allow howl_t self:tcp_socket { accept listen }; - -manage_files_pattern(howl_t, howl_var_run_t, howl_var_run_t) -files_pid_filetrans(howl_t, howl_var_run_t, file) - -kernel_read_network_state(howl_t) -kernel_read_kernel_sysctls(howl_t) -kernel_request_load_module(howl_t) -kernel_list_proc(howl_t) -kernel_read_proc_symlinks(howl_t) - -corenet_all_recvfrom_unlabeled(howl_t) -corenet_all_recvfrom_netlabel(howl_t) -corenet_tcp_sendrecv_generic_if(howl_t) -corenet_udp_sendrecv_generic_if(howl_t) -corenet_tcp_sendrecv_generic_node(howl_t) -corenet_udp_sendrecv_generic_node(howl_t) -corenet_tcp_bind_generic_node(howl_t) -corenet_udp_bind_generic_node(howl_t) - -corenet_sendrecv_howl_server_packets(howl_t) -corenet_tcp_bind_howl_port(howl_t) -corenet_tcp_sendrecv_howl_port(howl_t) -corenet_udp_bind_howl_port(howl_t) -corenet_udp_sendrecv_howl_port(howl_t) - -dev_read_sysfs(howl_t) - -fs_getattr_all_fs(howl_t) -fs_search_auto_mountpoints(howl_t) - -domain_use_interactive_fds(howl_t) - -auth_use_nsswitch(howl_t) - -init_read_utmp(howl_t) -init_dontaudit_write_utmp(howl_t) - -logging_send_syslog_msg(howl_t) - -miscfiles_read_localization(howl_t) - -userdom_dontaudit_use_unpriv_user_fds(howl_t) -userdom_dontaudit_search_user_home_dirs(howl_t) - -optional_policy(` - seutil_sigchld_newrole(howl_t) -') - -optional_policy(` - udev_read_db(howl_t) -') diff --git a/policy/modules/contrib/i18n_input.fc b/policy/modules/contrib/i18n_input.fc deleted file mode 100644 index 3ddc58f6..00000000 --- a/policy/modules/contrib/i18n_input.fc +++ /dev/null @@ -1,16 +0,0 @@ -/etc/init\.d/((iiimf-htt-server)|(iiimf-server)|(iiim)) -- gen_context(system_u:object_r:i18n_input_initrc_exec_t,s0) - -/usr/bin/iiimd -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0) - -/usr/lib/iiim/iiim-xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0) - -/usr/sbin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/sbin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0) - -/var/log/iiim(/.*)? gen_context(system_u:object_r:i18n_input_log_t,s0) - -/var/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0) diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if deleted file mode 100644 index 5eab254b..00000000 --- a/policy/modules/contrib/i18n_input.if +++ /dev/null @@ -1,53 +0,0 @@ -## <summary>IIIMF htt server.</summary> - -######################################## -## <summary> -## Use i18n_input over a TCP connection. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`i18n_use',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an i18n input environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`i18n_input_admin',` - gen_require(` - type i18n_input_t, i18n_input_initrc_exec_t, i18n_input_var_run_t; - type i18n_input_log_t; - ') - - allow $1 i18n_input_t:process { ptrace signal_perms }; - ps_process_pattern($1, i18n_input_t) - - init_labeled_script_domtrans($1, i18n_input_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 i18n_input_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, i18n_input_var_run_t) - - logging_search_logs($1) - admin_pattern($1, i18n_input_log_t) -') diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te deleted file mode 100644 index 3bed8fa9..00000000 --- a/policy/modules/contrib/i18n_input.te +++ /dev/null @@ -1,104 +0,0 @@ -policy_module(i18n_input, 1.8.1) - -######################################## -# -# Declarations -# - -type i18n_input_t; -type i18n_input_exec_t; -init_daemon_domain(i18n_input_t, i18n_input_exec_t) - -type i18n_input_initrc_exec_t; -init_script_file(i18n_input_initrc_exec_t) - -type i18n_input_log_t; -logging_log_file(i18n_input_log_t) - -type i18n_input_var_run_t; -files_pid_file(i18n_input_var_run_t) - -######################################## -# -# Local policy -# - -allow i18n_input_t self:capability { kill setgid setuid }; -dontaudit i18n_input_t self:capability sys_tty_config; -allow i18n_input_t self:process { signal_perms setsched setpgid }; -allow i18n_input_t self:fifo_file rw_fifo_file_perms; -allow i18n_input_t self:unix_stream_socket { accept listen }; -allow i18n_input_t self:tcp_socket { accept listen }; - -allow i18n_input_t i18n_input_log_t:dir setattr_dir_perms; -append_files_pattern(i18n_input_t, i18n_input_log_t, i18n_input_log_t) -create_files_pattern(i18n_input_t, i18n_input_log_t, i18n_input_log_t) -setattr_files_pattern(i18n_input_t, i18n_input_log_t, i18n_input_log_t) - -manage_dirs_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -manage_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -manage_sock_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file) - -can_exec(i18n_input_t, i18n_input_exec_t) - -kernel_read_kernel_sysctls(i18n_input_t) -kernel_read_system_state(i18n_input_t) - -corenet_all_recvfrom_unlabeled(i18n_input_t) -corenet_all_recvfrom_netlabel(i18n_input_t) -corenet_tcp_sendrecv_generic_if(i18n_input_t) -corenet_tcp_sendrecv_generic_node(i18n_input_t) -corenet_tcp_sendrecv_all_ports(i18n_input_t) -corenet_tcp_bind_generic_node(i18n_input_t) - -corenet_sendrecv_i18n_input_server_packets(i18n_input_t) -corenet_tcp_bind_i18n_input_port(i18n_input_t) - -corenet_sendrecv_all_client_packets(i18n_input_t) -corenet_tcp_connect_all_ports(i18n_input_t) - -corecmd_exec_bin(i18n_input_t) - -dev_read_sysfs(i18n_input_t) - -domain_use_interactive_fds(i18n_input_t) - -fs_getattr_all_fs(i18n_input_t) -fs_search_auto_mountpoints(i18n_input_t) - -files_read_etc_runtime_files(i18n_input_t) -files_read_usr_files(i18n_input_t) - -auth_use_nsswitch(i18n_input_t) - -init_stream_connect_script(i18n_input_t) - -logging_send_syslog_msg(i18n_input_t) - -miscfiles_read_localization(i18n_input_t) - -userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) -userdom_read_user_home_content_files(i18n_input_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(i18n_input_t) - fs_read_nfs_symlinks(i18n_input_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(i18n_input_t) - fs_read_cifs_symlinks(i18n_input_t) -') - -optional_policy(` - canna_stream_connect(i18n_input_t) -') - -optional_policy(` - seutil_sigchld_newrole(i18n_input_t) -') - -optional_policy(` - udev_read_db(i18n_input_t) -') diff --git a/policy/modules/contrib/icecast.fc b/policy/modules/contrib/icecast.fc deleted file mode 100644 index 728c7c1a..00000000 --- a/policy/modules/contrib/icecast.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0) - -/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0) - -/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0) - -/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0) -/var/run/icecast\.pid -- gen_context(system_u:object_r:icecast_var_run_t,s0) diff --git a/policy/modules/contrib/icecast.if b/policy/modules/contrib/icecast.if deleted file mode 100644 index 580b533c..00000000 --- a/policy/modules/contrib/icecast.if +++ /dev/null @@ -1,192 +0,0 @@ -## <summary>ShoutCast compatible streaming media server.</summary> - -######################################## -## <summary> -## Execute a domain transition to run icecast. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`icecast_domtrans',` - gen_require(` - type icecast_t, icecast_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, icecast_exec_t, icecast_t) -') - -######################################## -## <summary> -## Send generic signals to icecast. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`icecast_signal',` - gen_require(` - type icecast_t; - ') - - allow $1 icecast_t:process signal; -') - -######################################## -## <summary> -## Execute icecast server in the icecast domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`icecast_initrc_domtrans',` - gen_require(` - type icecast_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, icecast_initrc_exec_t) -') - -######################################## -## <summary> -## Read icecast pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`icecast_read_pid_files',` - gen_require(` - type icecast_var_run_t; - ') - - files_search_pids($1) - allow $1 icecast_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## icecast pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`icecast_manage_pid_files',` - gen_require(` - type icecast_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t) -') - -######################################## -## <summary> -## Read icecast log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`icecast_read_log',` - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, icecast_log_t, icecast_log_t) -') - -######################################## -## <summary> -## Append icecast log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`icecast_append_log',` - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, icecast_log_t, icecast_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## icecast log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allow access. -## </summary> -## </param> -# -interface(`icecast_manage_log',` - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, icecast_log_t, icecast_log_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an icecast environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`icecast_admin',` - gen_require(` - type icecast_t, icecast_initrc_exec_t, icecast_log_t; - type icecast_var_run_t; - ') - - icecast_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 icecast_initrc_exec_t system_r; - allow $2 system_r; - - allow $1 icecast_t:process { ptrace signal_perms }; - ps_process_pattern($1, icecast_t) - - logging_search_logs($1) - admin_pattern($1, icecast_log_t) - - files_search_pids($1) - admin_pattern($1, icecast_var_run_t) -') diff --git a/policy/modules/contrib/icecast.te b/policy/modules/contrib/icecast.te deleted file mode 100644 index ac6f9d58..00000000 --- a/policy/modules/contrib/icecast.te +++ /dev/null @@ -1,88 +0,0 @@ -policy_module(icecast, 1.1.1) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether icecast can listen -## on and connect to any TCP port. -## </p> -## </desc> -gen_tunable(icecast_use_any_tcp_ports, false) - -type icecast_t; -type icecast_exec_t; -application_executable_file(icecast_exec_t) -init_daemon_domain(icecast_t, icecast_exec_t) - -type icecast_initrc_exec_t; -init_script_file(icecast_initrc_exec_t) - -type icecast_log_t; -logging_log_file(icecast_log_t) - -type icecast_var_run_t; -files_pid_file(icecast_var_run_t) - -######################################## -# -# Local policy -# - -allow icecast_t self:capability { dac_override setgid setuid sys_nice }; -allow icecast_t self:process { getsched setsched signal }; -allow icecast_t self:fifo_file rw_fifo_file_perms; -allow icecast_t self:unix_stream_socket create_stream_socket_perms; -allow icecast_t self:tcp_socket { accept listen }; - -allow icecast_t icecast_log_t:dir setattr_dir_perms; -append_files_pattern(icecast_t, icecast_log_t, icecast_log_t) -create_files_pattern(icecast_t, icecast_log_t, icecast_log_t) -setattr_files_pattern(icecast_t, icecast_log_t, icecast_log_t) - -manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) -manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) -files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) - -kernel_read_system_state(icecast_t) - -corenet_all_recvfrom_unlabeled(icecast_t) -corenet_all_recvfrom_netlabel(icecast_t) -corenet_tcp_sendrecv_generic_if(icecast_t) -corenet_tcp_sendrecv_generic_node(icecast_t) -corenet_tcp_bind_generic_node(icecast_t) - -corenet_sendrecv_soundd_server_packets(icecast_t) -corenet_tcp_bind_soundd_port(icecast_t) -corenet_sendrecv_soundd_client_packets(icecast_t) -corenet_tcp_connect_soundd_port(icecast_t) -corenet_tcp_sendrecv_soundd_port(icecast_t) - -dev_read_sysfs(icecast_t) -dev_read_urand(icecast_t) -dev_read_rand(icecast_t) - -domain_use_interactive_fds(icecast_t) - -auth_use_nsswitch(icecast_t) - -miscfiles_read_localization(icecast_t) - -tunable_policy(`icecast_use_any_tcp_ports',` - corenet_tcp_connect_all_ports(icecast_t) - corenet_sendrecv_all_client_packets(icecast_t) - corenet_tcp_bind_all_ports(icecast_t) - corenet_sendrecv_all_server_packets(icecast_t) - corenet_tcp_sendrecv_all_ports(icecast_t) -') - -optional_policy(` - apache_read_sys_content(icecast_t) -') - -optional_policy(` - rtkit_scheduled(icecast_t) -') diff --git a/policy/modules/contrib/ifplugd.fc b/policy/modules/contrib/ifplugd.fc deleted file mode 100644 index 0c95c98e..00000000 --- a/policy/modules/contrib/ifplugd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) - -/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) - -/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) - -/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) diff --git a/policy/modules/contrib/ifplugd.if b/policy/modules/contrib/ifplugd.if deleted file mode 100644 index 89998999..00000000 --- a/policy/modules/contrib/ifplugd.if +++ /dev/null @@ -1,135 +0,0 @@ -## <summary>Bring up/down ethernet interfaces based on cable detection.</summary> - -######################################## -## <summary> -## Execute a domain transition to run ifplugd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ifplugd_domtrans',` - gen_require(` - type ifplugd_t, ifplugd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ifplugd_exec_t, ifplugd_t) -') - -######################################## -## <summary> -## Send generic signals to ifplugd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ifplugd_signal',` - gen_require(` - type ifplugd_t; - ') - - allow $1 ifplugd_t:process signal; -') - -######################################## -## <summary> -## Read ifplugd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ifplugd_read_config',` - gen_require(` - type ifplugd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## ifplugd configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ifplugd_manage_config',` - gen_require(` - type ifplugd_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) - manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) -') - -######################################## -## <summary> -## Read ifplugd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ifplugd_read_pid_files',` - gen_require(` - type ifplugd_var_run_t; - ') - - files_search_pids($1) - allow $1 ifplugd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ifplugd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ifplugd_admin',` - gen_require(` - type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t; - type ifplugd_initrc_exec_t; - ') - - allow $1 ifplugd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ifplugd_t) - - init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ifplugd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, ifplugd_etc_t) - - files_list_pids($1) - admin_pattern($1, ifplugd_var_run_t) -') diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te deleted file mode 100644 index 6910e49c..00000000 --- a/policy/modules/contrib/ifplugd.te +++ /dev/null @@ -1,70 +0,0 @@ -policy_module(ifplugd, 1.0.1) - -######################################## -# -# Declarations -# - -type ifplugd_t; -type ifplugd_exec_t; -init_daemon_domain(ifplugd_t, ifplugd_exec_t) - -type ifplugd_etc_t; -files_type(ifplugd_etc_t) - -type ifplugd_initrc_exec_t; -init_script_file(ifplugd_initrc_exec_t) - -type ifplugd_var_run_t; -files_pid_file(ifplugd_var_run_t) - -######################################## -# -# Local policy -# - -allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; -dontaudit ifplugd_t self:capability sys_tty_config; -allow ifplugd_t self:process { signal signull }; -allow ifplugd_t self:fifo_file rw_fifo_file_perms; -allow ifplugd_t self:tcp_socket { accept listen }; -allow ifplugd_t self:packet_socket create_socket_perms; -allow ifplugd_t self:netlink_route_socket nlmsg_write; - -read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t) -exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t) - -manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t) -manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t) -files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(ifplugd_t) -kernel_read_network_state(ifplugd_t) -kernel_read_system_state(ifplugd_t) -kernel_rw_net_sysctls(ifplugd_t) - -corecmd_exec_bin(ifplugd_t) -corecmd_exec_shell(ifplugd_t) - -dev_read_sysfs(ifplugd_t) - -domain_read_confined_domains_state(ifplugd_t) -domain_dontaudit_read_all_domains_state(ifplugd_t) - -auth_use_nsswitch(ifplugd_t) - -logging_send_syslog_msg(ifplugd_t) - -miscfiles_read_localization(ifplugd_t) - -netutils_domtrans(ifplugd_t) - -sysnet_domtrans_ifconfig(ifplugd_t) -sysnet_domtrans_dhcpc(ifplugd_t) -sysnet_delete_dhcpc_pid(ifplugd_t) -sysnet_read_dhcpc_pid(ifplugd_t) -sysnet_signal_dhcpc(ifplugd_t) - -optional_policy(` - consoletype_exec(ifplugd_t) -') diff --git a/policy/modules/contrib/imaze.fc b/policy/modules/contrib/imaze.fc deleted file mode 100644 index 16f104c5..00000000 --- a/policy/modules/contrib/imaze.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0) - -/usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0) - -/var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0) - -/var/run/imaze\.pid -- gen_context(system_u:object_r:imazesrv_var_run_t,s0) diff --git a/policy/modules/contrib/imaze.if b/policy/modules/contrib/imaze.if deleted file mode 100644 index db53881d..00000000 --- a/policy/modules/contrib/imaze.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>iMaze game server.</summary> diff --git a/policy/modules/contrib/imaze.te b/policy/modules/contrib/imaze.te deleted file mode 100644 index 05387d16..00000000 --- a/policy/modules/contrib/imaze.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(imaze, 1.7.1) - -######################################## -# -# Declarations -# - -type imazesrv_t; -type imazesrv_exec_t; -application_executable_file(imazesrv_exec_t) -init_daemon_domain(imazesrv_t, imazesrv_exec_t) - -type imazesrv_data_t; -files_type(imazesrv_data_t) - -type imazesrv_log_t; -logging_log_file(imazesrv_log_t) - -type imazesrv_var_run_t; -files_pid_file(imazesrv_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit imazesrv_t self:capability sys_tty_config; -allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow imazesrv_t self:fifo_file rw_fifo_file_perms; -allow imazesrv_t self:tcp_socket { accept listen }; -allow imazesrv_t self:unix_dgram_socket sendto; -allow imazesrv_t self:unix_stream_socket { accept connectto listen }; - -allow imazesrv_t imazesrv_data_t:dir list_dir_perms; -read_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t) -read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t) - -allow imazesrv_t imazesrv_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(imazesrv_t, imazesrv_log_t, file) - -manage_files_pattern(imazesrv_t, imazesrv_var_run_t, imazesrv_var_run_t) -files_pid_filetrans(imazesrv_t, imazesrv_var_run_t, file) - -kernel_list_proc(imazesrv_t) -kernel_read_kernel_sysctls(imazesrv_t) -kernel_read_proc_symlinks(imazesrv_t) - -corenet_all_recvfrom_unlabeled(imazesrv_t) -corenet_all_recvfrom_netlabel(imazesrv_t) -corenet_tcp_sendrecv_generic_if(imazesrv_t) -corenet_udp_sendrecv_generic_if(imazesrv_t) -corenet_tcp_sendrecv_generic_node(imazesrv_t) -corenet_udp_sendrecv_generic_node(imazesrv_t) -corenet_tcp_bind_generic_node(imazesrv_t) -corenet_udp_bind_generic_node(imazesrv_t) - -corenet_sendrecv_imaze_server_packets(imazesrv_t) -corenet_tcp_bind_imaze_port(imazesrv_t) -corenet_tcp_sendrecv_imaze_port(imazesrv_t) -corenet_udp_bind_imaze_port(imazesrv_t) -corenet_udp_sendrecv_imaze_port(imazesrv_t) - -dev_read_sysfs(imazesrv_t) - -domain_use_interactive_fds(imazesrv_t) - -fs_getattr_all_fs(imazesrv_t) -fs_search_auto_mountpoints(imazesrv_t) - -auth_use_nsswitch(imazesrv_t) - -logging_send_syslog_msg(imazesrv_t) - -miscfiles_read_localization(imazesrv_t) - -userdom_use_unpriv_users_fds(imazesrv_t) -userdom_dontaudit_search_user_home_dirs(imazesrv_t) - -optional_policy(` - seutil_sigchld_newrole(imazesrv_t) -') - -optional_policy(` - udev_read_db(imazesrv_t) -') diff --git a/policy/modules/contrib/inetd.fc b/policy/modules/contrib/inetd.fc deleted file mode 100644 index 2a5a6869..00000000 --- a/policy/modules/contrib/inetd.fc +++ /dev/null @@ -1,14 +0,0 @@ -/usr/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0) - -/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0) - -/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0) -/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0) - -/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0) -/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) -/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) - -/var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0) - -/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) diff --git a/policy/modules/contrib/inetd.if b/policy/modules/contrib/inetd.if deleted file mode 100644 index fbb54e7d..00000000 --- a/policy/modules/contrib/inetd.if +++ /dev/null @@ -1,205 +0,0 @@ -## <summary>Internet services daemon.</summary> - -######################################## -## <summary> -## Define the specified domain as a inetd service. -## </summary> -## <desc> -## <p> -## Define the specified domain as a inetd service. The -## inetd_service_domain(), inetd_tcp_service_domain(), -## or inetd_udp_service_domain() interfaces should be used -## instead of this interface, as this interface only provides -## the common rules to these three interfaces. -## </p> -## </desc> -## <param name="domain"> -## <summary> -## The type associated with the inetd service process. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## The type associated with the process program. -## </summary> -## </param> -# -interface(`inetd_core_service_domain',` - gen_require(` - type inetd_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(inetd_t, $2, $1) - allow inetd_t $1:process { siginh sigkill }; -') - -######################################## -## <summary> -## Define the specified domain as a TCP inetd service. -## </summary> -## <param name="domain"> -## <summary> -## The type associated with the inetd service process. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## The type associated with the process program. -## </summary> -## </param> -# -interface(`inetd_tcp_service_domain',` - - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; -') - -######################################## -## <summary> -## Define the specified domain as a UDP inetd service. -## </summary> -## <param name="domain"> -## <summary> -## The type associated with the inetd service process. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## The type associated with the process program. -## </summary> -## </param> -# -interface(`inetd_udp_service_domain',` - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:udp_socket rw_socket_perms; -') - -######################################## -## <summary> -## Define the specified domain as a TCP and UDP inetd service. -## </summary> -## <param name="domain"> -## <summary> -## The type associated with the inetd service process. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## The type associated with the process program. -## </summary> -## </param> -# -interface(`inetd_service_domain',` - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; - allow $1 inetd_t:udp_socket rw_socket_perms; - - optional_policy(` - stunnel_service_domain($1, $2) - ') -') - -######################################## -## <summary> -## Inherit and use inetd file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inetd_use_fds',` - gen_require(` - type inetd_t; - ') - - allow $1 inetd_t:fd use; -') - -######################################## -## <summary> -## Connect to the inetd service using a TCP connection. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inetd_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Run inetd child process in the -## inet child domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`inetd_domtrans_child',` - gen_require(` - type inetd_child_t, inetd_child_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, inetd_child_exec_t, inetd_child_t) -') - -######################################## -## <summary> -## Send UDP network traffic to inetd. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inetd_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Read and write inetd TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inetd_rw_tcp_sockets',` - gen_require(` - type inetd_t; - ') - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; -') diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te deleted file mode 100644 index 1a5ed622..00000000 --- a/policy/modules/contrib/inetd.te +++ /dev/null @@ -1,237 +0,0 @@ -policy_module(inetd, 1.12.2) - -######################################## -# -# Declarations -# - -type inetd_t; -type inetd_exec_t; -init_daemon_domain(inetd_t, inetd_exec_t) - -type inetd_log_t; -logging_log_file(inetd_log_t) - -type inetd_tmp_t; -files_tmp_file(inetd_tmp_t) - -type inetd_var_run_t; -files_pid_file(inetd_var_run_t) - -type inetd_child_t; -type inetd_child_exec_t; -inetd_service_domain(inetd_child_t, inetd_child_exec_t) - -type inetd_child_tmp_t; -files_tmp_file(inetd_child_tmp_t) - -type inetd_child_var_run_t; -files_pid_file(inetd_child_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# Local policy -# - -allow inetd_t self:capability { setuid setgid sys_resource }; -dontaudit inetd_t self:capability sys_tty_config; -allow inetd_t self:process { setsched setexec setrlimit }; -allow inetd_t self:fifo_file rw_fifo_file_perms; -allow inetd_t self:tcp_socket { accept listen }; -allow inetd_t self:fd use; - -allow inetd_t inetd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(inetd_t, inetd_log_t, file) - -manage_dirs_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t) -manage_files_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t) -files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir }) - -allow inetd_t inetd_var_run_t:file manage_file_perms; -files_pid_filetrans(inetd_t, inetd_var_run_t, file) - -kernel_read_kernel_sysctls(inetd_t) -kernel_list_proc(inetd_t) -kernel_read_proc_symlinks(inetd_t) -kernel_read_system_state(inetd_t) -kernel_tcp_recvfrom_unlabeled(inetd_t) - -corecmd_bin_domtrans(inetd_t, inetd_child_t) - -corenet_all_recvfrom_unlabeled(inetd_t) -corenet_all_recvfrom_netlabel(inetd_t) -corenet_tcp_sendrecv_generic_if(inetd_t) -corenet_udp_sendrecv_generic_if(inetd_t) -corenet_tcp_sendrecv_generic_node(inetd_t) -corenet_udp_sendrecv_generic_node(inetd_t) -corenet_tcp_sendrecv_all_ports(inetd_t) -corenet_udp_sendrecv_all_ports(inetd_t) -corenet_tcp_bind_generic_node(inetd_t) -corenet_udp_bind_generic_node(inetd_t) - -corenet_sendrecv_all_client_packets(inetd_t) -corenet_tcp_connect_all_ports(inetd_t) - -corenet_sendrecv_amanda_server_packets(inetd_t) -corenet_tcp_bind_amanda_port(inetd_t) -corenet_udp_bind_amanda_port(inetd_t) - -corenet_sendrecv_auth_server_packets(inetd_t) -corenet_tcp_bind_auth_port(inetd_t) - -corenet_sendrecv_comsat_server_packets(inetd_t) -corenet_udp_bind_comsat_port(inetd_t) - -corenet_sendrecv_dbskkd_server_packets(inetd_t) -corenet_tcp_bind_dbskkd_port(inetd_t) -corenet_udp_bind_dbskkd_port(inetd_t) - -corenet_sendrecv_ftp_server_packets(inetd_t) -corenet_tcp_bind_ftp_port(inetd_t) -corenet_udp_bind_ftp_port(inetd_t) - -corenet_sendrecv_inetd_child_server_packets(inetd_t) -corenet_tcp_bind_inetd_child_port(inetd_t) -corenet_udp_bind_inetd_child_port(inetd_t) - -corenet_sendrecv_ircd_server_packets(inetd_t) -corenet_tcp_bind_ircd_port(inetd_t) - -corenet_sendrecv_ktalkd_server_packets(inetd_t) -corenet_udp_bind_ktalkd_port(inetd_t) - -corenet_sendrecv_pop_server_packets(inetd_t) -corenet_tcp_bind_pop_port(inetd_t) - -corenet_sendrecv_printer_server_packets(inetd_t) -corenet_tcp_bind_printer_port(inetd_t) - -corenet_sendrecv_rlogind_server_packets(inetd_t) -corenet_udp_bind_rlogind_port(inetd_t) - -corenet_sendrecv_rsh_server_packets(inetd_t) -corenet_udp_bind_rsh_port(inetd_t) -corenet_tcp_bind_rsh_port(inetd_t) - -corenet_sendrecv_rsync_server_packets(inetd_t) -corenet_tcp_bind_rsync_port(inetd_t) -corenet_udp_bind_rsync_port(inetd_t) - -corenet_sendrecv_stunnel_server_packets(inetd_t) -corenet_tcp_bind_stunnel_port(inetd_t) - -corenet_sendrecv_swat_server_packets(inetd_t) -corenet_tcp_bind_swat_port(inetd_t) -corenet_udp_bind_swat_port(inetd_t) - -corenet_sendrecv_telnetd_server_packets(inetd_t) -corenet_tcp_bind_telnetd_port(inetd_t) - -corenet_sendrecv_tftp_server_packets(inetd_t) -corenet_udp_bind_tftp_port(inetd_t) - -corenet_sendrecv_ssh_server_packets(inetd_t) -corenet_tcp_bind_ssh_port(inetd_t) - -corenet_sendrecv_git_server_packets(inetd_t) -corenet_tcp_bind_git_port(inetd_t) -corenet_udp_bind_git_port(inetd_t) - -dev_read_sysfs(inetd_t) - -domain_use_interactive_fds(inetd_t) - -fs_getattr_all_fs(inetd_t) -fs_search_auto_mountpoints(inetd_t) - -selinux_validate_context(inetd_t) -selinux_compute_create_context(inetd_t) - -files_read_etc_runtime_files(inetd_t) - -auth_use_nsswitch(inetd_t) - -logging_send_syslog_msg(inetd_t) - -miscfiles_read_localization(inetd_t) - -mls_fd_share_all_levels(inetd_t) -mls_socket_read_to_clearance(inetd_t) -mls_socket_write_to_clearance(inetd_t) -mls_net_outbound_all_levels(inetd_t) -mls_process_set_level(inetd_t) - -userdom_dontaudit_use_unpriv_user_fds(inetd_t) -userdom_dontaudit_search_user_home_dirs(inetd_t) - -ifdef(`distro_redhat',` - optional_policy(` - unconfined_domain(inetd_t) - ') -') - -ifdef(`enable_mls',` - corenet_tcp_recvfrom_netlabel(inetd_t) - corenet_udp_recvfrom_netlabel(inetd_t) -') - -optional_policy(` - amanda_search_lib(inetd_t) -') - -optional_policy(` - seutil_sigchld_newrole(inetd_t) -') - -optional_policy(` - tftp_read_config_files(inetd_t) -') - -optional_policy(` - udev_read_db(inetd_t) -') - -optional_policy(` - unconfined_domtrans(inetd_t) -') - -######################################## -# -# Child local policy -# - -allow inetd_child_t self:capability { setuid setgid }; -allow inetd_child_t self:process signal_perms; -allow inetd_child_t self:fifo_file rw_fifo_file_perms; -allow inetd_child_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) -manage_files_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) -files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir }) - -manage_files_pattern(inetd_child_t, inetd_child_var_run_t, inetd_child_var_run_t) -files_pid_filetrans(inetd_child_t, inetd_child_var_run_t, file) - -kernel_read_kernel_sysctls(inetd_child_t) -kernel_read_network_state(inetd_child_t) -kernel_read_system_state(inetd_child_t) - -dev_read_urand(inetd_child_t) - -fs_getattr_xattr_fs(inetd_child_t) - -files_read_etc_runtime_files(inetd_child_t) - -auth_use_nsswitch(inetd_child_t) - -logging_send_syslog_msg(inetd_child_t) - -miscfiles_read_localization(inetd_child_t) - -optional_policy(` - unconfined_domain(inetd_child_t) -') diff --git a/policy/modules/contrib/inn.fc b/policy/modules/contrib/inn.fc deleted file mode 100644 index 8c0a48b1..00000000 --- a/policy/modules/contrib/inn.fc +++ /dev/null @@ -1,58 +0,0 @@ -/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0) -/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0) - -/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0) - -/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0) - -/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0) - -/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0) - -/usr/lib/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0) - -/var/log/news.* -- gen_context(system_u:object_r:innd_log_t,s0) - -/var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) -/var/run/innd\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0) -/var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) -/var/run/news\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0) - -/var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0) diff --git a/policy/modules/contrib/inn.if b/policy/modules/contrib/inn.if deleted file mode 100644 index eb87f234..00000000 --- a/policy/modules/contrib/inn.if +++ /dev/null @@ -1,255 +0,0 @@ -## <summary>Internet News NNTP server.</summary> - -######################################## -## <summary> -## Execute innd in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inn_exec',` - gen_require(` - type innd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, innd_exec_t) -') - -######################################## -## <summary> -## Execute inn configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inn_exec_config',` - gen_require(` - type innd_etc_t; - ') - - files_search_etc($1) - exec_files_pattern($1, innd_etc_t, innd_etc_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## innd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inn_manage_log',` - gen_require(` - type innd_log_t; - ') - - manage_files_pattern($1, innd_log_t, innd_log_t) -') - -######################################## -## <summary> -## Create specified objects in generic -## log directories with the innd log file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`inn_generic_log_filetrans_innd_log',` - gen_require(` - type innd_log_t; - ') - - logging_log_filetrans($1, innd_log_t, $2, $3) -') - -######################################## -## <summary> -## Create, read, write, and delete -## innd pid content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inn_manage_pid',` - gen_require(` - type innd_var_run_t; - ') - - files_search_pids($1) - allow $1 innd_var_run_t:dir manage_dir_perms; - allow $1 innd_var_run_t:file manage_file_perms; - allow $1 innd_var_run_t:sock_file manage_sock_file_perms; -') - -######################################## -## <summary> -## Read innd configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> - -# -interface(`inn_read_config',` - gen_require(` - type innd_etc_t; - ') - - allow $1 innd_etc_t:dir list_dir_perms; - allow $1 innd_etc_t:file read_file_perms; - allow $1 innd_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Read innd news library content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inn_read_news_lib',` - gen_require(` - type innd_var_lib_t; - ') - - allow $1 innd_var_lib_t:dir list_dir_perms; - allow $1 innd_var_lib_t:file read_file_perms; -') - -######################################## -## <summary> -## Read innd news spool content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inn_read_news_spool',` - gen_require(` - type news_spool_t; - ') - - allow $1 news_spool_t:dir list_dir_perms; - allow $1 news_spool_t:file read_file_perms; - allow $1 news_spool_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Send to a innd unix dgram socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`inn_dgram_send',` - gen_require(` - type innd_t, innd_var_run_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, innd_var_run_t, innd_var_run_t, innd_t) -') - -######################################## -## <summary> -## Execute innd in the innd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`inn_domtrans',` - gen_require(` - type innd_t, innd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, innd_exec_t, innd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an inn environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`inn_admin',` - gen_require(` - type innd_t, innd_etc_t, innd_log_t; - type news_spool_t, innd_var_lib_t; - type innd_var_run_t, innd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, innd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 innd_initrc_exec_t system_r; - allow $2 system_r; - - allow $1 innd_t:process { ptrace signal_perms }; - ps_process_pattern($1, innd_t) - - files_list_etc($1) - admin_pattern($1, innd_etc_t) - - logging_list_logs($1) - admin_pattern($1, innd_log_t) - - files_list_var_lib($1) - admin_pattern($1, innd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, innd_var_run_t) - - files_list_spool($1) - admin_pattern($1, news_spool_t) -') diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te deleted file mode 100644 index 56404c59..00000000 --- a/policy/modules/contrib/inn.te +++ /dev/null @@ -1,129 +0,0 @@ -policy_module(inn, 1.10.3) - -######################################## -# -# Declarations -# - -type innd_t; -type innd_exec_t; -init_daemon_domain(innd_t, innd_exec_t) - -type innd_etc_t; -files_config_file(innd_etc_t) - -type innd_initrc_exec_t; -init_script_file(innd_initrc_exec_t) - -type innd_log_t; -logging_log_file(innd_log_t) - -type innd_var_lib_t; -files_type(innd_var_lib_t) - -type innd_var_run_t; -files_pid_file(innd_var_run_t) - -type news_spool_t; -files_mountpoint(news_spool_t) - -######################################## -# -# Local policy -# - -allow innd_t self:capability { dac_override kill setgid setuid }; -dontaudit innd_t self:capability sys_tty_config; -allow innd_t self:process { setsched signal_perms }; -allow innd_t self:fifo_file rw_fifo_file_perms; -allow innd_t self:unix_dgram_socket sendto; -allow innd_t self:unix_stream_socket { accept connectto listen }; -allow innd_t self:tcp_socket { accept listen }; - -read_files_pattern(innd_t, innd_etc_t, innd_etc_t) -read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) - -allow innd_t innd_log_t:dir setattr_dir_perms; -append_files_pattern(innd_t, innd_log_t, innd_log_t) -create_files_pattern(innd_t, innd_log_t, innd_log_t) -setattr_files_pattern(innd_t, innd_log_t, innd_log_t) - -manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) -manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) - -manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) -manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) -manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) -files_pid_filetrans(innd_t, innd_var_run_t, file) - -manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) -manage_files_pattern(innd_t, news_spool_t, news_spool_t) -manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t) - -can_exec(innd_t, innd_exec_t) - -kernel_read_kernel_sysctls(innd_t) -kernel_read_system_state(innd_t) - -corenet_all_recvfrom_unlabeled(innd_t) -corenet_all_recvfrom_netlabel(innd_t) -corenet_tcp_sendrecv_generic_if(innd_t) -corenet_tcp_sendrecv_generic_node(innd_t) -corenet_tcp_sendrecv_all_ports(innd_t) -corenet_tcp_bind_generic_node(innd_t) - -corenet_sendrecv_innd_server_packets(innd_t) -corenet_tcp_bind_innd_port(innd_t) - -corenet_sendrecv_all_client_packets(innd_t) -corenet_tcp_connect_all_ports(innd_t) - -corecmd_exec_bin(innd_t) -corecmd_exec_shell(innd_t) - -dev_read_sysfs(innd_t) -dev_read_urand(innd_t) - -domain_use_interactive_fds(innd_t) - -fs_getattr_all_fs(innd_t) -fs_search_auto_mountpoints(innd_t) - -files_list_spool(innd_t) -files_read_etc_runtime_files(innd_t) -files_read_usr_files(innd_t) - -auth_use_nsswitch(innd_t) - -logging_send_syslog_msg(innd_t) - -miscfiles_read_localization(innd_t) - -seutil_dontaudit_search_config(innd_t) - -userdom_dontaudit_use_unpriv_user_fds(innd_t) -userdom_dontaudit_search_user_home_dirs(innd_t) - -mta_send_mail(innd_t) - -ifdef(`distro_gentoo',` - logging_syslog_managed_log_file(innd_log_t, "news.crit") - logging_syslog_managed_log_file(innd_log_t, "news.err") - logging_syslog_managed_log_file(innd_log_t, "news.notice") -') - -optional_policy(` - cron_system_entry(innd_t, innd_exec_t) -') - -optional_policy(` - hostname_exec(innd_t) -') - -optional_policy(` - seutil_sigchld_newrole(innd_t) -') - -optional_policy(` - udev_read_db(innd_t) -') diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc deleted file mode 100644 index ca07a874..00000000 --- a/policy/modules/contrib/iodine.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0) - -/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) diff --git a/policy/modules/contrib/iodine.if b/policy/modules/contrib/iodine.if deleted file mode 100644 index a0bfbd04..00000000 --- a/policy/modules/contrib/iodine.if +++ /dev/null @@ -1,54 +0,0 @@ -## <summary>IP over DNS tunneling daemon.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an iodined environment -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`iodined_admin',` - refpolicywarn(`$0($*) has been deprecated, use iodine_admin() instead.') - iodine_admin($1, $2) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an iodined environment -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`iodine_admin',` - gen_require(` - type iodined_t, iodined_initrc_exec_t; - ') - - allow $1 iodined_t:process { ptrace signal_perms }; - ps_process_pattern($1, iodined_t) - - init_labeled_script_domtrans($1, iodined_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 iodined_initrc_exec_t system_r; - allow $2 system_r; -') diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te deleted file mode 100644 index 94ec5f8c..00000000 --- a/policy/modules/contrib/iodine.te +++ /dev/null @@ -1,50 +0,0 @@ -policy_module(iodine, 1.0.2) - -######################################## -# -# Declarations -# - -type iodined_t; -type iodined_exec_t; -init_daemon_domain(iodined_t, iodined_exec_t) - -type iodined_initrc_exec_t; -init_script_file(iodined_initrc_exec_t) - -######################################## -# -# Local policy -# - -allow iodined_t self:capability { net_admin net_raw sys_chroot setgid setuid }; -allow iodined_t self:rawip_socket create_socket_perms; -allow iodined_t self:tun_socket create_socket_perms; -allow iodined_t self:udp_socket connected_socket_perms; - -kernel_read_net_sysctls(iodined_t) -kernel_read_network_state(iodined_t) -kernel_read_system_state(iodined_t) -kernel_request_load_module(iodined_t) - -corenet_all_recvfrom_netlabel(iodined_t) -corenet_all_recvfrom_unlabeled(iodined_t) -corenet_raw_sendrecv_generic_if(iodined_t) -corenet_udp_sendrecv_generic_if(iodined_t) -corenet_raw_sendrecv_generic_node(iodined_t) -corenet_udp_sendrecv_generic_node(iodined_t) -corenet_udp_bind_generic_node(iodined_t) - -corenet_rw_tun_tap_dev(iodined_t) - -corenet_sendrecv_dns_server_packets(iodined_t) -corenet_udp_bind_dns_port(iodined_t) -corenet_udp_sendrecv_dns_port(iodined_t) - -corecmd_exec_shell(iodined_t) - -files_read_etc_files(iodined_t) - -logging_send_syslog_msg(iodined_t) - -sysnet_domtrans_ifconfig(iodined_t) diff --git a/policy/modules/contrib/irc.fc b/policy/modules/contrib/irc.fc deleted file mode 100644 index 48e7739f..00000000 --- a/policy/modules/contrib/irc.fc +++ /dev/null @@ -1,10 +0,0 @@ -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) -HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) -HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0) - -/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) - -/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --git a/policy/modules/contrib/irc.if b/policy/modules/contrib/irc.if deleted file mode 100644 index ac00fb0f..00000000 --- a/policy/modules/contrib/irc.if +++ /dev/null @@ -1,48 +0,0 @@ -## <summary>IRC client policy.</summary> - -######################################## -## <summary> -## Role access for IRC. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`irc_role',` - gen_require(` - attribute_role irc_roles; - type irc_t, irc_exec_t, irc_home_t; - type irc_tmp_t, irc_log_home_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 irc_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, irc_exec_t, irc_t) - - ps_process_pattern($2, irc_t) - allow $2 irc_t:process { ptrace signal_perms }; - - allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi") - userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd") - userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs") -') diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te deleted file mode 100644 index ecad9c78..00000000 --- a/policy/modules/contrib/irc.te +++ /dev/null @@ -1,139 +0,0 @@ -policy_module(irc, 2.2.3) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether irc clients can -## listen on and connect to any -## unreserved TCP ports. -## </p> -## </desc> -gen_tunable(irc_use_any_tcp_ports, false) - -attribute_role irc_roles; - -type irc_t; -type irc_exec_t; -typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t }; -typealias irc_t alias { auditadm_irc_t secadm_irc_t }; -userdom_user_application_domain(irc_t, irc_exec_t) -role irc_roles types irc_t; - -type irc_conf_t; -files_config_file(irc_conf_t) - -type irc_home_t; -typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t }; -typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; -userdom_user_home_content(irc_home_t) - -type irc_log_home_t; -userdom_user_home_content(irc_log_home_t) - -type irc_tmp_t; -typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; -typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; -userdom_user_tmp_file(irc_tmp_t) - -######################################## -# -# Local policy -# - -allow irc_t self:process { signal sigkill }; -allow irc_t self:fifo_file rw_fifo_file_perms; -allow irc_t self:unix_stream_socket { accept listen }; - -allow irc_t irc_conf_t:file read_file_perms; - -manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) -manage_files_pattern(irc_t, irc_home_t, irc_home_t) -manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) -userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi") -userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd") - -manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t) -create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t) -append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t) -userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs") - -manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) - -kernel_read_system_state(irc_t) - -corenet_all_recvfrom_unlabeled(irc_t) -corenet_all_recvfrom_netlabel(irc_t) -corenet_tcp_sendrecv_generic_if(irc_t) -corenet_tcp_sendrecv_generic_node(irc_t) -corenet_tcp_sendrecv_all_ports(irc_t) - -corenet_sendrecv_gatekeeper_client_packets(irc_t) -corenet_tcp_sendrecv_gatekeeper_port(irc_t) -corenet_tcp_connect_gatekeeper_port(irc_t) - -corenet_sendrecv_http_cache_client_packets(irc_t) -corenet_tcp_connect_http_cache_port(irc_t) -corenet_tcp_sendrecv_http_cache_port(irc_t) - -corenet_sendrecv_ircd_client_packets(irc_t) -corenet_tcp_connect_ircd_port(irc_t) -corenet_tcp_sendrecv_ircd_port(irc_t) - -dev_read_urand(irc_t) -dev_read_rand(irc_t) - -domain_use_interactive_fds(irc_t) - -files_read_usr_files(irc_t) - -fs_getattr_all_fs(irc_t) -fs_search_auto_mountpoints(irc_t) - -term_use_controlling_term(irc_t) -term_list_ptys(irc_t) - -auth_use_nsswitch(irc_t) - -init_read_utmp(irc_t) -init_dontaudit_lock_utmp(irc_t) - -miscfiles_read_localization(irc_t) - -userdom_use_user_terminals(irc_t) - -userdom_manage_user_home_content_dirs(irc_t) -userdom_manage_user_home_content_files(irc_t) -userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) - -tunable_policy(`irc_use_any_tcp_ports',` - corenet_sendrecv_all_server_packets(irc_t) - corenet_tcp_bind_all_unreserved_ports(irc_t) - corenet_sendrecv_all_client_packets(irc_t) - corenet_tcp_connect_all_unreserved_ports(irc_t) - corenet_tcp_sendrecv_all_ports(irc_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(irc_t) - fs_manage_nfs_files(irc_t) - fs_manage_nfs_symlinks(irc_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(irc_t) - fs_manage_cifs_files(irc_t) - fs_manage_cifs_symlinks(irc_t) -') - -optional_policy(` - seutil_use_newrole_fds(irc_t) -') diff --git a/policy/modules/contrib/ircd.fc b/policy/modules/contrib/ircd.fc deleted file mode 100644 index f37eed8d..00000000 --- a/policy/modules/contrib/ircd.fc +++ /dev/null @@ -1,21 +0,0 @@ -/etc/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_etc_t,s0) -/etc/ircd(/.*)? gen_context(system_u:object_r:ircd_etc_t,s0) -/etc/ngircd\.conf -- gen_context(system_u:object_r:ircd_etc_t,s0) -/etc/ngircd\.motd -- gen_context(system_u:object_r:ircd_etc_t,s0) - -/etc/rc\.d/init\.d/((ircd)|(ngircd)|(dancer-ircd)) -- gen_context(system_u:object_r:ircd_initrc_exec_t,s0) - -/usr/bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0) - -/usr/sbin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0) -/usr/sbin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0) -/usr/sbin/ngircd -- gen_context(system_u:object_r:ircd_exec_t,s0) - -/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0) - -/var/log/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0) -/var/log/ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0) -/var/log/ngircd\.log.* -- gen_context(system_u:object_r:ircd_log_t,s0) - -/var/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0) -/var/run/ngircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0) diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if deleted file mode 100644 index ade98032..00000000 --- a/policy/modules/contrib/ircd.if +++ /dev/null @@ -1,45 +0,0 @@ -## <summary>IRC servers.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an ircd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ircd_admin',` - gen_require(` - type ircd_t, ircd_initrc_exec_t, ircd_etc_t; - type ircd_log_t, ircd_var_lib_t, ircd_var_run_t; - ') - - init_labeled_script_domtrans($1, ircd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ircd_initrc_exec_t system_r; - allow $2 system_r; - - allow $1 ircd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ircd_t) - - files_search_etc($1) - admin_pattern($1, ircd_etc_t) - - logging_search_log($1) - admin_pattern($1, ircd_log_t) - - files_search_var_lib($1) - admin_pattern($1, ircd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, ircd_var_run_t) -') diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te deleted file mode 100644 index e9f746ee..00000000 --- a/policy/modules/contrib/ircd.te +++ /dev/null @@ -1,89 +0,0 @@ -policy_module(ircd, 1.7.1) - -######################################## -# -# Declarations -# - -type ircd_t; -type ircd_exec_t; -init_daemon_domain(ircd_t, ircd_exec_t) - -type ircd_initrc_exec_t; -init_script_file(ircd_initrc_exec_t) - -type ircd_etc_t; -files_config_file(ircd_etc_t) - -type ircd_log_t; -logging_log_file(ircd_log_t) - -type ircd_var_lib_t; -files_type(ircd_var_lib_t) - -type ircd_var_run_t; -files_pid_file(ircd_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit ircd_t self:capability sys_tty_config; -allow ircd_t self:process signal_perms; -allow ircd_t self:tcp_socket { accept listen }; - -read_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t) -read_lnk_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t) - -allow ircd_t ircd_log_t:dir setattr_dir_perms; -append_files_pattern(ircd_t, ircd_log_t, ircd_log_t) -create_files_pattern(ircd_t, ircd_log_t, ircd_log_t) -setattr_files_pattern(ircd_t, ircd_log_t, ircd_log_t) -logging_log_filetrans(ircd_t, ircd_log_t, file) - -manage_files_pattern(ircd_t, ircd_var_lib_t, ircd_var_lib_t) - -manage_files_pattern(ircd_t, ircd_var_run_t, ircd_var_run_t) -files_pid_filetrans(ircd_t, ircd_var_run_t, file) - -kernel_read_system_state(ircd_t) -kernel_read_kernel_sysctls(ircd_t) - -corecmd_exec_bin(ircd_t) - -corenet_all_recvfrom_unlabeled(ircd_t) -corenet_all_recvfrom_netlabel(ircd_t) -corenet_tcp_sendrecv_generic_if(ircd_t) -corenet_tcp_sendrecv_generic_node(ircd_t) -corenet_tcp_bind_generic_node(ircd_t) - -corenet_sendrecv_ircd_server_packets(ircd_t) -corenet_tcp_bind_ircd_port(ircd_t) -corenet_tcp_sendrecv_ircd_port(ircd_t) - -dev_read_sysfs(ircd_t) - -domain_use_interactive_fds(ircd_t) - -files_read_etc_runtime_files(ircd_t) - -fs_getattr_all_fs(ircd_t) -fs_search_auto_mountpoints(ircd_t) - -auth_use_nsswitch(ircd_t) - -logging_send_syslog_msg(ircd_t) - -miscfiles_read_localization(ircd_t) - -userdom_dontaudit_use_unpriv_user_fds(ircd_t) -userdom_dontaudit_search_user_home_dirs(ircd_t) - -optional_policy(` - seutil_sigchld_newrole(ircd_t) -') - -optional_policy(` - udev_read_db(ircd_t) -') diff --git a/policy/modules/contrib/irqbalance.fc b/policy/modules/contrib/irqbalance.fc deleted file mode 100644 index e45f9916..00000000 --- a/policy/modules/contrib/irqbalance.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/irqbalance -- gen_context(system_u:object_r:irqbalance_initrc_exec_t,s0) - -/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0) - -/var/run/irqbalance\.pid -- gen_context(system_u:object_r:irqbalance_var_run_t,s0) diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if deleted file mode 100644 index d7113e7c..00000000 --- a/policy/modules/contrib/irqbalance.if +++ /dev/null @@ -1,35 +0,0 @@ -## <summary>IRQ balancing daemon.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an irqbalance environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`irqbalance_admin',` - gen_require(` - type irqbalance_t, irqbalance_initrc_exec_t, irqbalance_var_run_t; - ') - - allow $1 irqbalance_t:process { ptrace signal_perms }; - ps_process_pattern($1, irqbalance_t) - - init_labeled_script_domtrans($1, irqbalance_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 irqbalance_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, irqbalance_var_run_t) -') diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te deleted file mode 100644 index c5a81122..00000000 --- a/policy/modules/contrib/irqbalance.te +++ /dev/null @@ -1,63 +0,0 @@ -policy_module(irqbalance, 1.5.1) - -######################################## -# -# Declarations -# - -type irqbalance_t; -type irqbalance_exec_t; -init_daemon_domain(irqbalance_t, irqbalance_exec_t) - -type irqbalance_initrc_exec_t; -init_script_file(irqbalance_initrc_exec_t) - -type irqbalance_var_run_t; -files_pid_file(irqbalance_var_run_t) - -######################################## -# -# Local policy -# - -allow irqbalance_t self:capability { setpcap net_admin }; -dontaudit irqbalance_t self:capability sys_tty_config; -allow irqbalance_t self:process { getcap setcap signal_perms }; -allow irqbalance_t self:udp_socket create_socket_perms; - -manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) -files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) - -kernel_read_network_state(irqbalance_t) -kernel_read_system_state(irqbalance_t) -kernel_read_kernel_sysctls(irqbalance_t) -kernel_rw_irq_sysctls(irqbalance_t) - -dev_read_sysfs(irqbalance_t) - -files_read_etc_files(irqbalance_t) -files_read_etc_runtime_files(irqbalance_t) - -fs_getattr_all_fs(irqbalance_t) -fs_search_auto_mountpoints(irqbalance_t) - -domain_use_interactive_fds(irqbalance_t) - -logging_send_syslog_msg(irqbalance_t) - -miscfiles_read_localization(irqbalance_t) - -userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) -userdom_dontaudit_search_user_home_dirs(irqbalance_t) - -ifdef(`hide_broken_symptoms',` - dontaudit irqbalance_t self:capability sys_module; -') - -optional_policy(` - seutil_sigchld_newrole(irqbalance_t) -') - -optional_policy(` - udev_read_db(irqbalance_t) -') diff --git a/policy/modules/contrib/iscsi.fc b/policy/modules/contrib/iscsi.fc deleted file mode 100644 index 08b75604..00000000 --- a/policy/modules/contrib/iscsi.fc +++ /dev/null @@ -1,19 +0,0 @@ -/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0) - -/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) -/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - -/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) -/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - -/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) - -/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) - -/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) -/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) - -/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) -/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff --git a/policy/modules/contrib/iscsi.if b/policy/modules/contrib/iscsi.if deleted file mode 100644 index 1a354203..00000000 --- a/policy/modules/contrib/iscsi.if +++ /dev/null @@ -1,127 +0,0 @@ -## <summary>Establish connections to iSCSI devices.</summary> - -######################################## -## <summary> -## Execute a domain transition to run iscsid. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`iscsid_domtrans',` - gen_require(` - type iscsid_t, iscsid_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, iscsid_exec_t, iscsid_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## iscsid sempaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`iscsi_manage_semaphores',` - gen_require(` - type iscsid_t; - ') - - allow $1 iscsid_t:sem create_sem_perms; -') - -######################################## -## <summary> -## Connect to iscsid using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`iscsi_stream_connect',` - gen_require(` - type iscsid_t, iscsi_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t) -') - -######################################## -## <summary> -## Read iscsid lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`iscsi_read_lib_files',` - gen_require(` - type iscsi_var_lib_t; - ') - - read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t) - allow $1 iscsi_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an iscsi environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`iscsi_admin',` - gen_require(` - type iscsid_t, iscsi_lock_t, iscsi_log_t; - type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; - type iscsi_initrc_exec_t; - ') - - allow $1 iscsid_t:process { ptrace signal_perms }; - ps_process_pattern($1, iscsid_t) - - init_labeled_script_domtrans($1, iscsi_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 iscsi_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, iscsi_log_t) - - files_search_locks($1) - admin_pattern($1, iscsi_lock_t) - - files_search_var_lib($1) - admin_pattern($1, iscsi_var_lib_t) - - files_search_pids($1) - admin_pattern($1, iscsi_var_run_t) - - files_search_tmp($1) - admin_pattern($1, iscsi_tmp_t) -') diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te deleted file mode 100644 index 57304e4f..00000000 --- a/policy/modules/contrib/iscsi.te +++ /dev/null @@ -1,106 +0,0 @@ -policy_module(iscsi, 1.8.2) - -######################################## -# -# Declarations -# - -type iscsid_t; -type iscsid_exec_t; -init_daemon_domain(iscsid_t, iscsid_exec_t) - -type iscsi_initrc_exec_t; -init_script_file(iscsi_initrc_exec_t) - -type iscsi_lock_t; -files_lock_file(iscsi_lock_t) - -type iscsi_log_t; -logging_log_file(iscsi_log_t) - -type iscsi_tmp_t; -files_tmp_file(iscsi_tmp_t) - -type iscsi_var_lib_t; -files_type(iscsi_var_lib_t) - -type iscsi_var_run_t; -files_pid_file(iscsi_var_run_t) - -######################################## -# -# Local policy -# - -allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; -dontaudit iscsid_t self:capability sys_ptrace; -allow iscsid_t self:process { setrlimit setsched signal }; -allow iscsid_t self:fifo_file rw_fifo_file_perms; -allow iscsid_t self:unix_stream_socket { accept connectto listen }; -allow iscsid_t self:sem create_sem_perms; -allow iscsid_t self:shm create_shm_perms; -allow iscsid_t self:netlink_socket create_socket_perms; -allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; -allow iscsid_t self:netlink_route_socket nlmsg_write; -allow iscsid_t self:tcp_socket { listen accept }; - -manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) -manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) -files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file }) - -allow iscsid_t iscsi_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(iscsid_t, iscsi_log_t, file) - -manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) -manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) -fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file }) - -allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; -read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) -read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) - -manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) -files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) - -can_exec(iscsid_t, iscsid_exec_t) - -kernel_read_network_state(iscsid_t) -kernel_read_system_state(iscsid_t) -kernel_setsched(iscsid_t) - -corenet_all_recvfrom_unlabeled(iscsid_t) -corenet_all_recvfrom_netlabel(iscsid_t) -corenet_tcp_sendrecv_generic_if(iscsid_t) -corenet_tcp_sendrecv_generic_node(iscsid_t) - -corenet_sendrecv_http_client_packets(iscsid_t) -corenet_tcp_connect_http_port(iscsid_t) -corenet_tcp_sendrecv_http_port(iscsid_t) - -corenet_sendrecv_iscsi_client_packets(iscsid_t) -corenet_tcp_connect_iscsi_port(iscsid_t) -corenet_tcp_sendrecv_iscsi_port(iscsid_t) - -corenet_sendrecv_isns_client_packets(iscsid_t) -corenet_tcp_connect_isns_port(iscsid_t) -corenet_tcp_sendrecv_isns_port(iscsid_t) - -dev_read_raw_memory(iscsid_t) -dev_rw_sysfs(iscsid_t) -dev_rw_userio_dev(iscsid_t) -dev_write_raw_memory(iscsid_t) - -domain_use_interactive_fds(iscsid_t) -domain_dontaudit_read_all_domains_state(iscsid_t) - -auth_use_nsswitch(iscsid_t) - -init_stream_connect_script(iscsid_t) - -logging_send_syslog_msg(iscsid_t) - -miscfiles_read_localization(iscsid_t) - -optional_policy(` - tgtd_manage_semaphores(iscsid_t) -') diff --git a/policy/modules/contrib/isns.fc b/policy/modules/contrib/isns.fc deleted file mode 100644 index a0852ec3..00000000 --- a/policy/modules/contrib/isns.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0) - -/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0) - -/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0) - -/var/run/isnsd\.pid -- gen_context(system_u:object_r:isnsd_var_run_t,s0) -/var/run/isnsctl -s gen_context(system_u:object_r:isnsd_var_run_t,s0) diff --git a/policy/modules/contrib/isns.if b/policy/modules/contrib/isns.if deleted file mode 100644 index da7e970e..00000000 --- a/policy/modules/contrib/isns.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Internet Storage Name Service.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an isnsd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`isnsd_admin',` - gen_require(` - type isnsd_t, isnsd_initrc_exec_t, isnsd_var_lib_t; - type isnsd_var_run_t; - ') - - allow $1 isnsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, isnsd_t) - - init_labeled_script_domtrans($1, isnsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 isnsd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, isnsd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, isnsd_var_run_t) -') diff --git a/policy/modules/contrib/isns.te b/policy/modules/contrib/isns.te deleted file mode 100644 index bc110349..00000000 --- a/policy/modules/contrib/isns.te +++ /dev/null @@ -1,55 +0,0 @@ -policy_module(isns, 1.0.0) - -######################################## -# -# Declarations -# - -type isnsd_t; -type isnsd_exec_t; -init_daemon_domain(isnsd_t, isnsd_exec_t) - -type isnsd_initrc_exec_t; -init_script_file(isnsd_initrc_exec_t) - -type isnsd_var_lib_t; -files_type(isnsd_var_lib_t) - -type isnsd_var_run_t; -files_pid_file(isnsd_var_run_t) - -######################################## -# -# Local policy -# - -allow isnsd_t self:capability kill; -allow isnsd_t self:process signal; -allow isnsd_t self:fifo_file rw_fifo_file_perms; -allow isnsd_t self:udp_socket { accept listen }; -allow isnsd_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t) -manage_files_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t) -files_var_lib_filetrans(isnsd_t, isnsd_var_lib_t, dir) - -manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t) -manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t) -files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file }) - -corenet_all_recvfrom_unlabeled(isnsd_t) -corenet_all_recvfrom_netlabel(isnsd_t) -corenet_tcp_sendrecv_generic_if(isnsd_t) -corenet_tcp_sendrecv_generic_node(isnsd_t) -corenet_tcp_sendrecv_isns_port(isnsd_t) -corenet_tcp_bind_generic_node(isnsd_t) -corenet_sendrecv_isns_server_packets(isnsd_t) -corenet_tcp_bind_isns_port(isnsd_t) - -files_read_etc_files(isnsd_t) - -logging_send_syslog_msg(isnsd_t) - -miscfiles_read_localization(isnsd_t) - -sysnet_dns_name_resolve(isnsd_t) diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc deleted file mode 100644 index 59ad3b3c..00000000 --- a/policy/modules/contrib/jabber.fc +++ /dev/null @@ -1,25 +0,0 @@ -/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) - -/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) -/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) - -/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) -/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0) -/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) - -/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0) - -/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) -/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) - -/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) -/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0) -/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) -/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) -/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) -/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0) - -/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) -/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if deleted file mode 100644 index 16b16662..00000000 --- a/policy/modules/contrib/jabber.if +++ /dev/null @@ -1,103 +0,0 @@ -## <summary>Jabber instant messaging servers.</summary> - -####################################### -## <summary> -## The template to define a jabber domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`jabber_domain_template',` - gen_require(` - attribute jabberd_domain; - ') - - type $1_t, jabberd_domain; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## jabber lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`jabber_manage_lib_files',` - gen_require(` - type jabberd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) -') - -######################################## -## <summary> -## Connect to jabber over a TCP socket (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`jabber_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an jabber environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`jabber_admin',` - gen_require(` - attribute jabberd_domain; - type jabberd_lock_t, jabberd_log_t, jabberd_spool_t; - type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t; - ') - - allow $1 jabberd_domain:process { ptrace signal_perms }; - ps_process_pattern($1, jabberd_domain) - - init_labeled_script_domtrans($1, jabberd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 jabberd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_locks($1)) - admin_pattern($1, jabberd_lock_t) - - logging_search_logs($1) - admin_pattern($1, jabberd_log_t) - - files_search_spool($1) - admin_pattern($1, jabberd_spool_t) - - files_search_var_lib($1) - admin_pattern($1, jabberd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, jabberd_var_run_t) -') diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te deleted file mode 100644 index bb12c904..00000000 --- a/policy/modules/contrib/jabber.te +++ /dev/null @@ -1,137 +0,0 @@ -policy_module(jabber, 1.9.1) - -######################################## -# -# Declarations -# - -attribute jabberd_domain; - -jabber_domain_template(jabberd) -jabber_domain_template(jabberd_router) - -type jabberd_initrc_exec_t; -init_script_file(jabberd_initrc_exec_t) - -type jabberd_lock_t; -files_lock_file(jabberd_lock_t) - -type jabberd_log_t; -logging_log_file(jabberd_log_t) - -type jabberd_spool_t; -files_type(jabberd_spool_t) - -type jabberd_var_lib_t; -files_type(jabberd_var_lib_t) - -type jabberd_var_run_t; -files_pid_file(jabberd_var_run_t) - -######################################## -# -# Common local policy -# - -allow jabberd_domain self:process signal_perms; -allow jabberd_domain self:fifo_file rw_fifo_file_perms; -allow jabberd_domain self:tcp_socket { accept listen }; - -manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) - -kernel_read_system_state(jabberd_domain) - -corenet_all_recvfrom_unlabeled(jabberd_domain) -corenet_all_recvfrom_netlabel(jabberd_domain) -corenet_tcp_sendrecv_generic_if(jabberd_domain) -corenet_tcp_sendrecv_generic_node(jabberd_domain) -corenet_tcp_bind_generic_node(jabberd_domain) - -dev_read_urand(jabberd_domain) -dev_read_sysfs(jabberd_domain) - -fs_getattr_all_fs(jabberd_domain) - -logging_send_syslog_msg(jabberd_domain) - -miscfiles_read_localization(jabberd_domain) - -optional_policy(` - nis_use_ypbind(jabberd_domain) -') - -optional_policy(` - seutil_sigchld_newrole(jabberd_domain) -') - -######################################## -# -# Local policy -# - -allow jabberd_t self:capability dac_override; -dontaudit jabberd_t self:capability sys_tty_config; -allow jabberd_t self:tcp_socket create_socket_perms; -allow jabberd_t self:udp_socket create_socket_perms; - -manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t) - -allow jabberd_t jabberd_log_t:dir setattr_dir_perms; -append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) -create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) -setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) -logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) - -manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t) - -manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) -files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) - -kernel_read_kernel_sysctls(jabberd_t) - -corenet_sendrecv_jabber_client_server_packets(jabberd_t) -corenet_tcp_bind_jabber_client_port(jabberd_t) -corenet_tcp_sendrecv_jabber_client_port(jabberd_t) - -corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) -corenet_tcp_bind_jabber_interserver_port(jabberd_t) -corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) - -dev_read_rand(jabberd_t) - -domain_use_interactive_fds(jabberd_t) - -files_read_etc_files(jabberd_t) -files_read_etc_runtime_files(jabberd_t) - -fs_search_auto_mountpoints(jabberd_t) - -sysnet_read_config(jabberd_t) - -userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -userdom_dontaudit_search_user_home_dirs(jabberd_t) - -optional_policy(` - udev_read_db(jabberd_t) -') - -######################################## -# -# Router local policy -# - -manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) - -kernel_read_network_state(jabberd_router_t) - -corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) -corenet_tcp_bind_jabber_client_port(jabberd_router_t) -corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t) - -# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) -# corenet_tcp_bind_jabber_router_port(jabberd_router_t) -# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t) -# corenet_tcp_connect_jabber_router_port(jabberd_router_t) -# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t) - -auth_use_nsswitch(jabberd_router_t) diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc deleted file mode 100644 index e3be797f..00000000 --- a/policy/modules/contrib/java.fc +++ /dev/null @@ -1,31 +0,0 @@ -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0) - -/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/(.*/)?bin/java[^-]* -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/lib/bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if deleted file mode 100644 index acf6a632..00000000 --- a/policy/modules/contrib/java.if +++ /dev/null @@ -1,329 +0,0 @@ -## <summary>Java virtual machine</summary> - -######################################## -## <summary> -## Role access for java. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`java_role',` - gen_require(` - attribute_role java_roles; - type java_t, java_exec_t, java_tmp_t; - type java_tmpfs_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 java_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, java_exec_t, java_t) - - allow $2 java_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; - ps_process_pattern($2, java_t) - - allow $2 java_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { java_tmp_t java_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow java_t $2:process signull; - allow java_t $2:unix_stream_socket connectto; - allow java_t $2:unix_stream_socket { read write }; - allow java_t $2:tcp_socket { read write }; - - ifdef(`distro_gentoo',` - gen_require(` - type java_home_t; - ') - - manage_files_pattern($2, java_home_t, java_home_t) - manage_dirs_pattern($2, java_home_t, java_home_t) - ') -') - -####################################### -## <summary> -## The role template for the java module. -## </summary> -## <desc> -## <p> -## This template creates a derived domains which are used -## for java applications. -## </p> -## </desc> -## <param name="role_prefix"> -## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## </summary> -## </param> -## <param name="user_role"> -## <summary> -## The role associated with the user domain. -## </summary> -## </param> -## <param name="user_domain"> -## <summary> -## The type of the user domain. -## </summary> -## </param> -# -template(`java_role_template',` - gen_require(` - attribute java_domain; - type java_exec_t, java_tmp_t, java_tmpfs_t; - type java_home_t; - ') - - ######################################## - # - # Declarations - # - - type $1_java_t, java_domain; - userdom_user_application_domain($1_java_t, java_exec_t) - - role $2 types $1_java_t; - - ######################################## - # - # Policy - # - - domtrans_pattern($3, java_exec_t, $1_java_t) - - allow $3 $1_java_t:process { ptrace noatsecure siginh rlimitinh signal_perms }; - ps_process_pattern($3, $1_java_t) - - allow $3 { java_home_t java_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { java_tmp_t java_tmpfs_t java_home_t }:file { manage_file_perms relabel_file_perms }; - allow $3 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $3 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $3 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - userdom_user_home_dir_filetrans($3, java_home_t, dir, ".java") - - allow $1_java_t $3:process signull; - allow $1_java_t $3:unix_stream_socket connectto; - allow $1_java_t $3:unix_stream_socket { read write }; - allow $1_java_t $3:tcp_socket { read write }; - - corecmd_bin_domtrans($1_java_t, $3) - - auth_use_nsswitch($1_java_t) - - optional_policy(` - xserver_role($2, $1_java_t) - ') -') - -######################################## -## <summary> -## Execute the java program in the java domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -template(`java_domtrans',` - gen_require(` - type java_t, java_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, java_exec_t, java_t) - - ifdef(`distro_gentoo',` - # /usr/bin/java is a symlink - files_read_usr_symlinks($1) - ') -') - -######################################## -## <summary> -## Execute java in the java domain, and -## allow the specified role the java domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`java_run',` - gen_require(` - attribute_role java_roles; - ') - - java_domtrans($1) - roleattribute $2 java_roles; -') - -######################################## -## <summary> -## Execute the java program in the -## unconfined java domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`java_domtrans_unconfined',` - gen_require(` - type unconfined_java_t, java_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, java_exec_t, unconfined_java_t) -') - -######################################## -## <summary> -## Execute the java program in the -## unconfined java domain and allow the -## specified role the java domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`java_run_unconfined',` - gen_require(` - attribute_role unconfined_java_roles; - ') - - java_domtrans_unconfined($1) - roleattribute $2 unconfined_java_roles; -') - -######################################## -## <summary> -## Execute the java program in -## the callers domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`java_exec',` - gen_require(` - type java_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, java_exec_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## generic java home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`java_manage_generic_home_content',` - gen_require(` - type java_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 java_home_t:dir manage_dir_perms; - allow $1 java_home_t:file manage_file_perms; -') - -######################################## -## <summary> -## Create specified objects in user home -## directories with the generic java -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`java_home_filetrans_java_home',` - gen_require(` - type java_home_t; - ') - - userdom_user_home_dir_filetrans($1, java_home_t, $2, $3) -') - -######################################## -## <summary> -## Run java in javaplugin domain and -## do not clean the environment (atsecure) -## </summary> -## <desc> -## <p> -## This is needed when java is called by an application with library -## settings (such as is the case when invoked as a browser plugin) -## </p> -## </desc> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -template(`java_noatsecure_domtrans',` - gen_require(` - type java_t; - ') - - allow $1 java_t:process noatsecure; - - java_domtrans($1) -') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te deleted file mode 100644 index 5828d935..00000000 --- a/policy/modules/contrib/java.te +++ /dev/null @@ -1,182 +0,0 @@ -policy_module(java, 2.6.3) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether java can make -## its stack executable. -## </p> -## </desc> -gen_tunable(allow_java_execstack, false) - -attribute java_domain; - -attribute_role java_roles; -roleattribute system_r java_roles; - -attribute_role unconfined_java_roles; - -type java_t, java_domain; -type java_exec_t; -userdom_user_application_domain(java_t, java_exec_t) -typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; -typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; -role java_roles types java_t; - -type java_home_t; -userdom_user_home_content(java_home_t) - -type java_tmp_t; -userdom_user_tmp_file(java_tmp_t) -typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t }; -typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t }; - -type java_tmpfs_t; -userdom_user_tmpfs_file(java_tmpfs_t) -typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; -typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; - -type unconfined_java_t; -init_system_domain(unconfined_java_t, java_exec_t) -role unconfined_java_roles types unconfined_java_t; - -######################################## -# -# Common local policy -# - -allow java_domain self:process { signal_perms getsched setsched }; -allow java_domain self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(java_domain, java_home_t, java_home_t) -manage_files_pattern(java_domain, java_home_t, java_home_t) -userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".java") - -manage_dirs_pattern(java_domain, java_tmp_t, java_tmp_t) -manage_files_pattern(java_domain, java_tmp_t, java_tmp_t) -files_tmp_filetrans(java_domain, java_tmp_t, { file dir }) - -manage_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t) -manage_lnk_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t) -manage_fifo_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t) -manage_sock_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t) -fs_tmpfs_filetrans(java_domain, java_tmpfs_t, { file lnk_file sock_file fifo_file }) - -can_exec(java_domain, { java_exec_t java_tmp_t }) - -kernel_read_all_sysctls(java_domain) -kernel_search_vm_sysctl(java_domain) -kernel_read_network_state(java_domain) -kernel_read_system_state(java_domain) - -corecmd_search_bin(java_domain) - -corenet_all_recvfrom_unlabeled(java_domain) -corenet_all_recvfrom_netlabel(java_domain) -corenet_tcp_sendrecv_generic_if(java_domain) -corenet_tcp_sendrecv_generic_node(java_domain) - -corenet_sendrecv_all_client_packets(java_domain) -corenet_tcp_connect_all_ports(java_domain) -corenet_tcp_sendrecv_all_ports(java_domain) - -dev_read_sound(java_domain) -dev_write_sound(java_domain) -dev_read_urand(java_domain) -dev_read_rand(java_domain) -dev_dontaudit_append_rand(java_domain) - -files_read_usr_files(java_domain) -files_read_etc_runtime_files(java_domain) - -fs_getattr_all_fs(java_domain) -fs_dontaudit_rw_tmpfs_files(java_domain) - -logging_send_syslog_msg(java_domain) - -miscfiles_read_localization(java_domain) -miscfiles_read_fonts(java_domain) - -userdom_dontaudit_use_user_terminals(java_domain) -userdom_dontaudit_exec_user_home_content_files(java_domain) -userdom_manage_user_home_content_dirs(java_domain) -userdom_manage_user_home_content_files(java_domain) -userdom_manage_user_home_content_symlinks(java_domain) -userdom_manage_user_home_content_pipes(java_domain) -userdom_manage_user_home_content_sockets(java_domain) -userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) - -userdom_write_user_tmp_sockets(java_domain) - -ifdef(`distro_gentoo',` - # For java browser plugin accessing internet resources - allow java_domain self:netlink_route_socket create_netlink_socket_perms; - allow java_domain self:sem create_sem_perms; - - manage_dirs_pattern(java_domain, java_home_t, java_home_t) - manage_files_pattern(java_domain, java_home_t, java_home_t) - userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") -') - -tunable_policy(`allow_java_execstack',` - allow java_domain self:process { execmem execstack }; - - libs_legacy_use_shared_libs(java_domain) - libs_legacy_use_ld_so(java_domain) - - miscfiles_legacy_read_localization(java_domain) -') - -######################################## -# -# Local policy -# - -auth_use_nsswitch(java_t) - -ifdef(`distro_gentoo',` - userdom_use_user_terminals(java_t) - - optional_policy(` - alsa_domain(java_t, java_tmpfs_t) - alsa_read_rw_config(java_t) - ') - - optional_policy(` - # Plugin communication - chromium_rw_tmp_pipes(java_t) - ') - - optional_policy(` - # Plugin communication - mozilla_rw_tmp_pipes(java_t) - ') -') - -optional_policy(` - xserver_user_x_domain_template(java, java_t, java_tmpfs_t) -') - -######################################## -# -# Unconfined local policy -# - -optional_policy(` - allow unconfined_java_t self:process { execstack execmem execheap }; - - files_execmod_all_files(unconfined_java_t) - - init_dbus_chat_script(unconfined_java_t) - - unconfined_domain_noaudit(unconfined_java_t) - unconfined_dbus_chat(unconfined_java_t) - - optional_policy(` - rpm_domtrans(unconfined_java_t) - ') -') diff --git a/policy/modules/contrib/jockey.fc b/policy/modules/contrib/jockey.fc deleted file mode 100644 index d57dad40..00000000 --- a/policy/modules/contrib/jockey.fc +++ /dev/null @@ -1,6 +0,0 @@ -/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0) - -/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0) - -/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0) -/var/log/jockey\.log.* -- gen_context(system_u:object_r:jockey_var_log_t,s0) diff --git a/policy/modules/contrib/jockey.if b/policy/modules/contrib/jockey.if deleted file mode 100644 index 2fb7a20f..00000000 --- a/policy/modules/contrib/jockey.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>Jockey driver manager.</summary> diff --git a/policy/modules/contrib/jockey.te b/policy/modules/contrib/jockey.te deleted file mode 100644 index d59ec10a..00000000 --- a/policy/modules/contrib/jockey.te +++ /dev/null @@ -1,59 +0,0 @@ -policy_module(jockey, 1.0.0) - -######################################## -# -# Declarations -# - -type jockey_t; -type jockey_exec_t; -init_daemon_domain(jockey_t, jockey_exec_t) - -type jockey_cache_t; -files_type(jockey_cache_t) - -type jockey_var_log_t; -logging_log_file(jockey_var_log_t) - -######################################## -# -# Local policy -# - -allow jockey_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t) -manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t) -manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t) -files_var_filetrans(jockey_t, jockey_cache_t, { dir file }) - -manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) -append_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) -create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) -setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) -logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir }) - -kernel_read_system_state(jockey_t) - -corecmd_exec_bin(jockey_t) -corecmd_exec_shell(jockey_t) - -dev_read_rand(jockey_t) -dev_read_sysfs(jockey_t) -dev_read_urand(jockey_t) - -domain_use_interactive_fds(jockey_t) - -files_read_etc_files(jockey_t) -files_read_usr_files(jockey_t) - -miscfiles_read_localization(jockey_t) - -optional_policy(` - dbus_system_domain(jockey_t, jockey_exec_t) -') - -optional_policy(` - modutils_domtrans_insmod(jockey_t) - modutils_read_module_config(jockey_t) -') diff --git a/policy/modules/contrib/kdeconnect.fc b/policy/modules/contrib/kdeconnect.fc new file mode 100644 index 00000000..797a7a00 --- /dev/null +++ b/policy/modules/contrib/kdeconnect.fc @@ -0,0 +1 @@ +/usr/lib/libexec/kdeconnectd -- gen_context(system_u:object_r:kdeconnect_exec_t,s0) diff --git a/policy/modules/contrib/kdeconnect.if b/policy/modules/contrib/kdeconnect.if new file mode 100644 index 00000000..f07be14d --- /dev/null +++ b/policy/modules/contrib/kdeconnect.if @@ -0,0 +1,97 @@ +## <summary>policy for kdeconnect</summary> + +######################################## +## <summary> +## Execute kdeconnect in the kdeconnect domin. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`kdeconnect_domtrans',` + gen_require(` + type kdeconnect_t, kdeconnect_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, kdeconnect_exec_t, kdeconnect_t) +') + +######################################## +## <summary> +## Execute kdeconnect in the kdeconnect domain, and +## allow the specified role the kdeconnect domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the kdeconnect domain. +## </summary> +## </param> +# +interface(`kdeconnect_run',` + gen_require(` + type kdeconnect_t; + ') + + kdeconnect_domtrans($1) + role $2 types kdeconnect_t; +') + +######################################## +## <summary> +## Role access for kdeconnect +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`kdeconnect_role',` + gen_require(` + type kdeconnect_t; + ') + + role $1 types kdeconnect_t; + + kdeconnect_domtrans($2) + + allow $2 kdeconnect_t:unix_stream_socket connectto; + allow kdeconnect_t $2:unix_stream_socket { read write connectto }; + + ps_process_pattern($2, kdeconnect_t) + allow $2 kdeconnect_t:process { signull signal sigkill }; +') + +######################################### +## <summary> +## Send and receive messages from the kdeconnect daemon +## over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kdeconnect_dbus_chat',` + gen_require(` + type kdeconnect_t; + class dbus send_msg; + ') + + allow $1 kdeconnect_t:dbus send_msg; + allow kdeconnect_t $1:dbus send_msg; +') diff --git a/policy/modules/contrib/kdeconnect.te b/policy/modules/contrib/kdeconnect.te new file mode 100644 index 00000000..fa18d16f --- /dev/null +++ b/policy/modules/contrib/kdeconnect.te @@ -0,0 +1,111 @@ +policy_module(kdeconnect, 1.0.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow KDEConnect to read user home files +## </p> +## </desc> +gen_tunable(kdeconnect_read_user_files, true) + +type kdeconnect_t; +type kdeconnect_exec_t; +application_domain(kdeconnect_t, kdeconnect_exec_t) + +type kdeconnect_xdg_cache_home_t; +xdg_cache_home_content(kdeconnect_xdg_cache_home_t) + +type kdeconnect_tmp_t; +userdom_user_tmp_file(kdeconnect_tmp_t) + +type kdeconnect_xdg_config_home_t; +xdg_config_home_content(kdeconnect_xdg_config_home_t) + +type kdeconnect_xdg_data_home_t; +xdg_data_home_content(kdeconnect_xdg_data_home_t) + +type kdeconnect_tmpfs_t; +userdom_user_tmpfs_file(kdeconnect_tmpfs_t) + +######################################## +# +# kdeconnect local policy +# + +allow kdeconnect_t self:fifo_file manage_fifo_file_perms; +allow kdeconnect_t self:unix_stream_socket create_stream_socket_perms; +allow kdeconnect_t self:unix_dgram_socket { write getopt create setopt }; +allow kdeconnect_t self:netlink_route_socket create_netlink_socket_perms; +allow kdeconnect_t self:netlink_kobject_uevent_socket create_socket_perms; +allow kdeconnect_t self:tcp_socket create_stream_socket_perms; +allow kdeconnect_t self:udp_socket create_stream_socket_perms; +allow kdeconnect_t self:process { execmem signal }; + +kernel_read_system_state(kdeconnect_t) + +manage_dirs_pattern(kdeconnect_t, kdeconnect_tmp_t, kdeconnect_tmp_t) +manage_files_pattern(kdeconnect_t, kdeconnect_tmp_t, kdeconnect_tmp_t) +files_tmp_filetrans(kdeconnect_t, kdeconnect_tmp_t, { dir file }) + +manage_files_pattern(kdeconnect_t, kdeconnect_xdg_cache_home_t, kdeconnect_xdg_cache_home_t) +manage_dirs_pattern(kdeconnect_t, kdeconnect_xdg_cache_home_t, kdeconnect_xdg_cache_home_t) +xdg_cache_home_filetrans(kdeconnect_t, kdeconnect_xdg_cache_home_t, dir) + +manage_files_pattern(kdeconnect_t, kdeconnect_xdg_config_home_t, kdeconnect_xdg_config_home_t) +manage_dirs_pattern(kdeconnect_t, kdeconnect_xdg_config_home_t, kdeconnect_xdg_config_home_t) +xdg_config_home_filetrans(kdeconnect_t, kdeconnect_xdg_config_home_t, { dir file }) + +manage_files_pattern(kdeconnect_t, kdeconnect_xdg_data_home_t, kdeconnect_xdg_data_home_t) +manage_dirs_pattern(kdeconnect_t, kdeconnect_xdg_data_home_t, kdeconnect_xdg_data_home_t) +xdg_data_home_filetrans(kdeconnect_t, kdeconnect_xdg_data_home_t, { dir file }) + +manage_dirs_pattern(kdeconnect_t, kdeconnect_tmpfs_t, kdeconnect_tmpfs_t) +manage_files_pattern(kdeconnect_t, kdeconnect_tmpfs_t, kdeconnect_tmpfs_t) +fs_tmpfs_filetrans(kdeconnect_t, kdeconnect_tmpfs_t, { dir file }) + +corenet_sendrecv_kdeconnect_client_packets(kdeconnect_t) +corenet_sendrecv_kdeconnect_server_packets(kdeconnect_t) +corenet_tcp_bind_kdeconnect_port(kdeconnect_t) +corenet_tcp_bind_generic_node(kdeconnect_t) +corenet_tcp_connect_kdeconnect_port(kdeconnect_t) +corenet_udp_bind_kdeconnect_port(kdeconnect_t) +corenet_udp_bind_generic_node(kdeconnect_t) + +dev_read_sysfs(kdeconnect_t) +domain_use_interactive_fds(kdeconnect_t) + +files_manage_generic_tmp_files(kdeconnect_t) +files_read_etc_files(kdeconnect_t) +files_read_usr_files(kdeconnect_t) +fs_getattr_xattr_fs(kdeconnect_t) + +miscfiles_read_localization(kdeconnect_t) + +userdom_manage_user_tmp_files(kdeconnect_t) +userdom_manage_user_tmp_sockets(kdeconnect_t) +userdom_use_user_ptys(kdeconnect_t) +# KDEConnect needs access to some global config/cache/data files +xdg_manage_cache_home(kdeconnect_t) +xdg_manage_config_home(kdeconnect_t) +xdg_manage_data_home(kdeconnect_t) + +xserver_stream_connect(kdeconnect_t) +xserver_user_x_domain_template(kdeconnect, kdeconnect_t, kdeconnect_tmpfs_t) + +tunable_policy(`kdeconnect_read_user_files',` + userdom_read_user_home_content_files(kdeconnect_t) +') + +####################################### +# +# Allow KDEConnect to talk to DBUS +# + +dbus_all_session_bus_client(kdeconnect_t) +dbus_connect_all_session_bus(kdeconnect_t) +dbus_connect_system_bus(kdeconnect_t) +dbus_system_bus_client(kdeconnect_t) diff --git a/policy/modules/contrib/kdump.fc b/policy/modules/contrib/kdump.fc deleted file mode 100644 index a49ae4e9..00000000 --- a/policy/modules/contrib/kdump.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) - -/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) - -/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) - -/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) - -/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) -/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) - -/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) -/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) diff --git a/policy/modules/contrib/kdump.if b/policy/modules/contrib/kdump.if deleted file mode 100644 index 3a00b3a1..00000000 --- a/policy/modules/contrib/kdump.if +++ /dev/null @@ -1,115 +0,0 @@ -## <summary>Kernel crash dumping mechanism.</summary> - -###################################### -## <summary> -## Execute kdump in the kdump domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`kdump_domtrans',` - gen_require(` - type kdump_t, kdump_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kdump_exec_t, kdump_t) -') - -####################################### -## <summary> -## Execute kdump in the kdump domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`kdump_initrc_domtrans',` - gen_require(` - type kdump_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, kdump_initrc_exec_t) -') - -##################################### -## <summary> -## Read kdump configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kdump_read_config',` - gen_require(` - type kdump_etc_t; - ') - - files_search_etc($1) - allow $1 kdump_etc_t:file read_file_perms; -') - -#################################### -## <summary> -## Create, read, write, and delete -## kdmup configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kdump_manage_config',` - gen_require(` - type kdump_etc_t; - ') - - files_search_etc($1) - allow $1 kdump_etc_t:file manage_file_perms; -') - -###################################### -## <summary> -## All of the rules required to -## administrate an kdump environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kdump_admin',` - gen_require(` - type kdump_t, kdump_etc_t, kdumpctl_tmp_t; - type kdump_initrc_exec_t, kdumpctl_t; - ') - - allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { kdump_t kdumpctl_t }) - - init_labeled_script_domtrans($1, kdump_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kdump_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, kdump_etc_t) - - files_search_tmp($1) - admin_pattern($1, kdumpctl_tmp_t) -') diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te deleted file mode 100644 index 70f30078..00000000 --- a/policy/modules/contrib/kdump.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(kdump, 1.2.3) - -####################################### -# -# Declarations -# - -type kdump_t; -type kdump_exec_t; -init_system_domain(kdump_t, kdump_exec_t) - -type kdump_etc_t; -files_config_file(kdump_etc_t) - -type kdump_initrc_exec_t; -init_script_file(kdump_initrc_exec_t) - -type kdumpctl_t; -type kdumpctl_exec_t; -init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) -application_executable_file(kdumpctl_exec_t) - -type kdumpctl_tmp_t; -files_tmp_file(kdumpctl_tmp_t) - -##################################### -# -# Local policy -# - -allow kdump_t self:capability { sys_boot dac_override }; - -allow kdump_t kdump_etc_t:file read_file_perms; - -files_read_etc_files(kdump_t) -files_read_etc_runtime_files(kdump_t) -files_read_kernel_img(kdump_t) - -kernel_read_core_if(kdump_t) -kernel_read_debugfs(kdump_t) -kernel_read_system_state(kdump_t) -kernel_request_load_module(kdump_t) - -dev_read_framebuffer(kdump_t) -dev_read_sysfs(kdump_t) - -term_use_console(kdump_t) - -####################################### -# -# Ctl local policy -# - -allow kdumpctl_t self:capability { dac_override sys_chroot }; -allow kdumpctl_t self:process setfscreate; -allow kdumpctl_t self:fifo_file rw_fifo_file_perms; -allow kdumpctl_t self:unix_stream_socket { accept listen }; - -allow kdumpctl_t kdump_etc_t:file read_file_perms; - -manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) -manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) -manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) -files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file }) - -domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t) - -kernel_read_system_state(kdumpctl_t) - -corecmd_exec_bin(kdumpctl_t) -corecmd_exec_shell(kdumpctl_t) - -dev_read_sysfs(kdumpctl_t) -dev_manage_all_dev_nodes(kdumpctl_t) - -domain_use_interactive_fds(kdumpctl_t) - -files_create_kernel_img(kdumpctl_t) -files_read_etc_files(kdumpctl_t) -files_read_etc_runtime_files(kdumpctl_t) -files_read_usr_files(kdumpctl_t) -files_read_kernel_modules(kdumpctl_t) -files_getattr_all_dirs(kdumpctl_t) - -fs_getattr_all_fs(kdumpctl_t) -fs_search_all(kdumpctl_t) - -init_domtrans_script(kdumpctl_t) -init_exec(kdumpctl_t) - -libs_exec_ld_so(kdumpctl_t) - -logging_send_syslog_msg(kdumpctl_t) - -miscfiles_read_localization(kdumpctl_t) - -optional_policy(` - gpg_exec(kdumpctl_t) -') - -optional_policy(` - lvm_read_config(kdumpctl_t) -') - -optional_policy(` - modutils_domtrans_insmod(kdumpctl_t) - modutils_read_module_config(kdumpctl_t) -') - -optional_policy(` - plymouthd_domtrans_plymouth(kdumpctl_t) -') - -optional_policy(` - ssh_exec(kdumpctl_t) -') diff --git a/policy/modules/contrib/kdumpgui.fc b/policy/modules/contrib/kdumpgui.fc deleted file mode 100644 index 250679cd..00000000 --- a/policy/modules/contrib/kdumpgui.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/share/system-config-kdump/system-config-kdump-backend\.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) diff --git a/policy/modules/contrib/kdumpgui.if b/policy/modules/contrib/kdumpgui.if deleted file mode 100644 index 182ab8b5..00000000 --- a/policy/modules/contrib/kdumpgui.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>System-config-kdump GUI.</summary> diff --git a/policy/modules/contrib/kdumpgui.te b/policy/modules/contrib/kdumpgui.te deleted file mode 100644 index e7f5c814..00000000 --- a/policy/modules/contrib/kdumpgui.te +++ /dev/null @@ -1,90 +0,0 @@ -policy_module(kdumpgui, 1.1.4) - -######################################## -# -# Declarations -# - -type kdumpgui_t; -type kdumpgui_exec_t; -init_system_domain(kdumpgui_t, kdumpgui_exec_t) - -type kdumpgui_tmp_t; -files_tmp_file(kdumpgui_tmp_t) - -###################################### -# -# Local policy -# - -allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio }; -allow kdumpgui_t self:process { setsched sigkill }; -allow kdumpgui_t self:fifo_file rw_fifo_file_perms; -allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) -manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) -files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file }) - -kernel_getattr_core_if(kdumpgui_t) -kernel_read_system_state(kdumpgui_t) -kernel_read_network_state(kdumpgui_t) - -corecmd_exec_bin(kdumpgui_t) -corecmd_exec_shell(kdumpgui_t) - -dev_getattr_all_blk_files(kdumpgui_t) -dev_dontaudit_getattr_all_chr_files(kdumpgui_t) -dev_read_sysfs(kdumpgui_t) - -files_manage_boot_files(kdumpgui_t) -files_manage_boot_symlinks(kdumpgui_t) -files_manage_etc_symlinks(kdumpgui_t) -files_manage_etc_runtime_files(kdumpgui_t) -files_etc_filetrans_etc_runtime(kdumpgui_t, file) -files_read_usr_files(kdumpgui_t) - -fs_getattr_all_fs(kdumpgui_t) -fs_list_hugetlbfs(kdumpgui_t) -fs_read_dos_files(kdumpgui_t) - -storage_raw_read_fixed_disk(kdumpgui_t) -storage_raw_write_fixed_disk(kdumpgui_t) - -auth_use_nsswitch(kdumpgui_t) - -logging_list_logs(kdumpgui_t) -logging_read_generic_logs(kdumpgui_t) -logging_send_syslog_msg(kdumpgui_t) - -miscfiles_read_localization(kdumpgui_t) - -mount_exec(kdumpgui_t) - -init_dontaudit_read_all_script_files(kdumpgui_t) - -optional_policy(` - bootloader_exec(kdumpgui_t) - bootloader_rw_config(kdumpgui_t) -') - -optional_policy(` - consoletype_exec(kdumpgui_t) -') - -optional_policy(` - dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) - - optional_policy(` - policykit_dbus_chat(kdumpgui_t) - ') -') - -optional_policy(` - dev_rw_lvm_control(kdumpgui_t) -') - -optional_policy(` - kdump_manage_config(kdumpgui_t) - kdump_initrc_domtrans(kdumpgui_t) -') diff --git a/policy/modules/contrib/kerberos.fc b/policy/modules/contrib/kerberos.fc deleted file mode 100644 index 4fe75fd6..00000000 --- a/policy/modules/contrib/kerberos.fc +++ /dev/null @@ -1,52 +0,0 @@ -HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - -/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) -/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) - -/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - -/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - -/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) - -/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) - -/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) - -/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - -/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - -/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) - -/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) - -/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) -/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) -/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) - -/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if deleted file mode 100644 index f9de9fc3..00000000 --- a/policy/modules/contrib/kerberos.if +++ /dev/null @@ -1,546 +0,0 @@ -## <summary>MIT Kerberos admin and KDC.</summary> - -######################################## -## <summary> -## Role access for kerberos. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -template(`kerberos_role',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Execute kadmind in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kerberos_exec_kadmind',` - gen_require(` - type kadmind_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, kadmind_exec_t) -') - -######################################## -## <summary> -## Execute a domain transition to run kpropd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`kerberos_domtrans_kpropd',` - gen_require(` - type kpropd_t, kpropd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kpropd_exec_t, kpropd_t) -') - -######################################## -## <summary> -## Support kerberos services. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kerberos_use',` - gen_require(` - type krb5kdc_conf_t, krb5_host_rcache_t; - ') - - kerberos_read_config($1) - - dontaudit $1 krb5_conf_t:file write_file_perms; - dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; - dontaudit $1 krb5kdc_conf_t:file rw_file_perms; - - dontaudit $1 self:process setfscreate; - - selinux_dontaudit_validate_context($1) - seutil_dontaudit_read_file_contexts($1) - - tunable_policy(`allow_kerberos',` - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - - corenet_sendrecv_kerberos_client_packets($1) - corenet_tcp_connect_kerberos_port($1) - corenet_tcp_sendrecv_kerberos_port($1) - corenet_udp_sendrecv_kerberos_port($1) - - corenet_sendrecv_ocsp_client_packets($1) - corenet_tcp_connect_ocsp_port($1) - corenet_tcp_sendrecv_ocsp_port($1) - - allow $1 krb5_host_rcache_t:file getattr_file_perms; - ') - - optional_policy(` - tunable_policy(`allow_kerberos',` - pcscd_stream_connect($1) - ') - ') - - optional_policy(` - sssd_read_public_files($1) - ') -') - -######################################## -## <summary> -## Read kerberos configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kerberos_read_config',` - gen_require(` - type krb5_conf_t, krb5_home_t; - ') - - files_search_etc($1) - allow $1 krb5_conf_t:file read_file_perms; - - userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file read_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to write -## kerberos configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`kerberos_dontaudit_write_config',` - gen_require(` - type krb5_conf_t; - ') - - dontaudit $1 krb5_conf_t:file write_file_perms; -') - -######################################## -## <summary> -## Read and write kerberos -## configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kerberos_rw_config',` - gen_require(` - type krb5_conf_t; - ') - - files_search_etc($1) - allow $1 krb5_conf_t:file rw_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## kerberos home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kerberos_manage_krb5_home_files',` - gen_require(` - type krb5_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file manage_file_perms; -') - -######################################## -## <summary> -## Relabel kerberos home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kerberos_relabel_krb5_home_files',` - gen_require(` - type krb5_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file relabel_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the krb5 home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`kerberos_home_filetrans_krb5_home',` - gen_require(` - type krb5_home_t; - ') - - userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3) -') - -######################################## -## <summary> -## Read kerberos key table files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kerberos_read_keytab',` - gen_require(` - type krb5_keytab_t; - ') - - files_search_etc($1) - allow $1 krb5_keytab_t:file read_file_perms; -') - -######################################## -## <summary> -## Read and write kerberos key table files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kerberos_rw_keytab',` - gen_require(` - type krb5_keytab_t; - ') - - files_search_etc($1) - allow $1 krb5_keytab_t:file rw_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## kerberos key table files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kerberos_manage_keytab_files',` - gen_require(` - type krb5_keytab_t; - ') - - files_search_etc($1) - allow $1 krb5_keytab_t:file manage_file_perms; -') - -######################################## -## <summary> -## Create specified objects in generic -## etc directories with the kerberos -## keytab file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`kerberos_etc_filetrans_keytab',` - gen_require(` - type krb5_keytab_t; - ') - - files_etc_filetrans($1, krb5_keytab_t, $2, $3) -') - -######################################## -## <summary> -## Create a derived type for kerberos -## keytab files. -## </summary> -## <param name="prefix"> -## <summary> -## The prefix to be used for deriving type names. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -template(`kerberos_keytab_template',` - - ######################################## - # - # Declarations - # - - type $1_keytab_t; - files_type($1_keytab_t) - - ######################################## - # - # Policy - # - - allow $2 $1_keytab_t:file read_file_perms; - - kerberos_read_keytab($2) - kerberos_use($2) -') - -######################################## -## <summary> -## Read kerberos kdc configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kerberos_read_kdc_config',` - gen_require(` - type krb5kdc_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## kerberos host rcache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kerberos_manage_host_rcache',` - gen_require(` - type krb5_host_rcache_t; - ') - - domain_obj_id_change_exemption($1) - - tunable_policy(`allow_kerberos',` - allow $1 self:process setfscreate; - - selinux_validate_context($1) - - seutil_read_file_contexts($1) - - files_search_tmp($1) - allow $1 krb5_host_rcache_t:file manage_file_perms; - ') -') - -######################################## -## <summary> -## Create objects in generic temporary -## directories with the kerberos host -## rcache type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`kerberos_tmp_filetrans_host_rcache',` - gen_require(` - type krb5_host_rcache_t; - ') - - files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3) -') - -######################################## -## <summary> -## Connect to krb524 service. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kerberos_connect_524',` - tunable_policy(`allow_kerberos',` - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_udp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_node($1) - - corenet_sendrecv_kerberos_master_client_packets($1) - corenet_udp_sendrecv_kerberos_master_port($1) - ') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an kerberos environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kerberos_admin',` - gen_require(` - type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; - type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; - type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; - type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; - type krb5kdc_var_run_t, krb5_host_rcache_t; - ') - - allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms }; - ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd }) - - init_labeled_script_domtrans($1, kerberos_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerberos_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, kadmind_log_t) - - files_list_tmp($1) - admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t }) - - kerberos_tmp_filetrans_host_rcache($1, file, "host_0") - kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") - kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") - kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") - kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") - kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") - kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") - kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") - - files_list_pids($1) - admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t }) - - files_list_etc($1) - admin_pattern($1, krb5_conf_t) - - files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") - - admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t }) - - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") - - kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab") -') diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te deleted file mode 100644 index 3465a9ad..00000000 --- a/policy/modules/contrib/kerberos.te +++ /dev/null @@ -1,330 +0,0 @@ -policy_module(kerberos, 1.11.7) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether kerberos is supported. -## </p> -## </desc> -gen_tunable(allow_kerberos, false) - -type kadmind_t; -type kadmind_exec_t; -init_daemon_domain(kadmind_t, kadmind_exec_t) -domain_obj_id_change_exemption(kadmind_t) - -type kadmind_log_t; -logging_log_file(kadmind_log_t) - -type kadmind_tmp_t; -files_tmp_file(kadmind_tmp_t) - -type kadmind_var_run_t; -files_pid_file(kadmind_var_run_t) - -type kerberos_initrc_exec_t; -init_script_file(kerberos_initrc_exec_t) - -type kpropd_t; -type kpropd_exec_t; -init_daemon_domain(kpropd_t, kpropd_exec_t) -domain_obj_id_change_exemption(kpropd_t) - -type krb5_conf_t; -files_type(krb5_conf_t) - -type krb5_home_t; -userdom_user_home_content(krb5_home_t) - -type krb5_host_rcache_t; -files_tmp_file(krb5_host_rcache_t) - -type krb5_keytab_t; -files_security_file(krb5_keytab_t) - -type krb5kdc_conf_t; -files_type(krb5kdc_conf_t) - -type krb5kdc_lock_t; -files_type(krb5kdc_lock_t) - -type krb5kdc_principal_t; -files_type(krb5kdc_principal_t) - -type krb5kdc_t; -type krb5kdc_exec_t; -init_daemon_domain(krb5kdc_t, krb5kdc_exec_t) -domain_obj_id_change_exemption(krb5kdc_t) - -type krb5kdc_log_t; -logging_log_file(krb5kdc_log_t) - -type krb5kdc_tmp_t; -files_tmp_file(krb5kdc_tmp_t) - -type krb5kdc_var_run_t; -files_pid_file(krb5kdc_var_run_t) - -######################################## -# -# kadmind local policy -# - -allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; -dontaudit kadmind_t self:capability sys_tty_config; -allow kadmind_t self:capability2 block_suspend; -allow kadmind_t self:process { setfscreate setsched getsched signal_perms }; -allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; -allow kadmind_t self:tcp_socket { accept listen }; -allow kadmind_t self:udp_socket create_socket_perms; - -allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(kadmind_t, kadmind_log_t, file) - -allow kadmind_t krb5_conf_t:file read_file_perms; -dontaudit kadmind_t krb5_conf_t:file write_file_perms; - -read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) -dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms }; - -allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; - -allow kadmind_t krb5kdc_principal_t:file manage_file_perms; -filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) - -manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) -manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) -files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) - -manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) -files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) - -can_exec(kadmind_t, kadmind_exec_t) - -kernel_read_kernel_sysctls(kadmind_t) -kernel_read_network_state(kadmind_t) -kernel_read_system_state(kadmind_t) - -corenet_all_recvfrom_unlabeled(kadmind_t) -corenet_all_recvfrom_netlabel(kadmind_t) -corenet_tcp_sendrecv_generic_if(kadmind_t) -corenet_udp_sendrecv_generic_if(kadmind_t) -corenet_tcp_sendrecv_generic_node(kadmind_t) -corenet_udp_sendrecv_generic_node(kadmind_t) -corenet_tcp_sendrecv_all_ports(kadmind_t) -corenet_udp_sendrecv_all_ports(kadmind_t) -corenet_tcp_bind_generic_node(kadmind_t) -corenet_udp_bind_generic_node(kadmind_t) - -corenet_sendrecv_all_server_packets(kadmind_t) -corenet_tcp_bind_kerberos_admin_port(kadmind_t) -corenet_udp_bind_kerberos_admin_port(kadmind_t) -corenet_tcp_bind_reserved_port(kadmind_t) - -dev_read_sysfs(kadmind_t) - -fs_getattr_all_fs(kadmind_t) -fs_search_auto_mountpoints(kadmind_t) - -domain_use_interactive_fds(kadmind_t) - -files_read_etc_files(kadmind_t) -files_read_usr_files(kadmind_t) -files_read_var_files(kadmind_t) - -selinux_validate_context(kadmind_t) - -logging_send_syslog_msg(kadmind_t) - -miscfiles_read_localization(kadmind_t) - -seutil_read_file_contexts(kadmind_t) - -sysnet_use_ldap(kadmind_t) - -userdom_dontaudit_use_unpriv_user_fds(kadmind_t) -userdom_dontaudit_search_user_home_dirs(kadmind_t) - -optional_policy(` - ldap_stream_connect(kadmind_t) -') - -optional_policy(` - nis_use_ypbind(kadmind_t) -') - -optional_policy(` - sssd_read_public_files(kadmind_t) -') - -optional_policy(` - seutil_sigchld_newrole(kadmind_t) -') - -optional_policy(` - udev_read_db(kadmind_t) -') - -######################################## -# -# Krb5kdc local policy -# - -allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; -dontaudit krb5kdc_t self:capability sys_tty_config; -allow krb5kdc_t self:capability2 block_suspend; -allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; -allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; -allow krb5kdc_t self:tcp_socket { accept listen }; -allow krb5kdc_t self:udp_socket create_socket_perms; -allow krb5kdc_t self:fifo_file rw_fifo_file_perms; - -allow krb5kdc_t krb5_conf_t:file read_file_perms; -dontaudit krb5kdc_t krb5_conf_t:file write; - -read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) -dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms; - -allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; - -allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) - -allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; - -manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) - -manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) -files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) - -can_exec(krb5kdc_t, krb5kdc_exec_t) - -kernel_read_system_state(krb5kdc_t) -kernel_read_kernel_sysctls(krb5kdc_t) -kernel_read_network_state(krb5kdc_t) -kernel_search_network_sysctl(krb5kdc_t) - -corecmd_exec_bin(krb5kdc_t) - -corenet_all_recvfrom_unlabeled(krb5kdc_t) -corenet_all_recvfrom_netlabel(krb5kdc_t) -corenet_tcp_sendrecv_generic_if(krb5kdc_t) -corenet_udp_sendrecv_generic_if(krb5kdc_t) -corenet_tcp_sendrecv_generic_node(krb5kdc_t) -corenet_udp_sendrecv_generic_node(krb5kdc_t) -corenet_tcp_bind_generic_node(krb5kdc_t) -corenet_udp_bind_generic_node(krb5kdc_t) - -corenet_sendrecv_kerberos_server_packets(krb5kdc_t) -corenet_tcp_bind_kerberos_port(krb5kdc_t) -corenet_udp_bind_kerberos_port(krb5kdc_t) -corenet_tcp_sendrecv_kerberos_port(krb5kdc_t) -corenet_udp_sendrecv_kerberos_port(krb5kdc_t) - -corenet_sendrecv_ocsp_client_packets(krb5kdc_t) -corenet_tcp_connect_ocsp_port(krb5kdc_t) -corenet_tcp_sendrecv_ocsp_port(krb5kdc_t) - -dev_read_sysfs(krb5kdc_t) - -fs_getattr_all_fs(krb5kdc_t) -fs_search_auto_mountpoints(krb5kdc_t) - -domain_use_interactive_fds(krb5kdc_t) - -files_read_etc_files(krb5kdc_t) -files_read_usr_symlinks(krb5kdc_t) -files_read_var_files(krb5kdc_t) - -selinux_validate_context(krb5kdc_t) - -logging_send_syslog_msg(krb5kdc_t) - -miscfiles_read_generic_certs(krb5kdc_t) -miscfiles_read_localization(krb5kdc_t) - -seutil_read_file_contexts(krb5kdc_t) - -sysnet_use_ldap(krb5kdc_t) - -userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -userdom_dontaudit_search_user_home_dirs(krb5kdc_t) - -optional_policy(` - ldap_stream_connect(krb5kdc_t) -') - -optional_policy(` - nis_use_ypbind(krb5kdc_t) -') - -optional_policy(` - sssd_read_public_files(krb5kdc_t) -') - -optional_policy(` - seutil_sigchld_newrole(krb5kdc_t) -') - -optional_policy(` - udev_read_db(krb5kdc_t) -') - -######################################## -# -# kpropd local policy -# - -allow kpropd_t self:process setfscreate; -allow kpropd_t self:fifo_file rw_fifo_file_perms; -allow kpropd_t self:unix_stream_socket { accept listen }; -allow kpropd_t self:tcp_socket { accept listen }; - -allow kpropd_t krb5_host_rcache_t:file manage_file_perms; - -allow kpropd_t krb5_keytab_t:file read_file_perms; - -read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t) - -manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) -filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file) - -manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) - -manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) - -corecmd_exec_bin(kpropd_t) - -corenet_all_recvfrom_unlabeled(kpropd_t) -corenet_tcp_sendrecv_generic_if(kpropd_t) -corenet_tcp_sendrecv_generic_node(kpropd_t) -corenet_tcp_bind_generic_node(kpropd_t) - -corenet_sendrecv_kprop_server_packets(kpropd_t) -corenet_tcp_bind_kprop_port(kpropd_t) -corenet_tcp_sendrecv_kprop_port(kpropd_t) - -dev_read_urand(kpropd_t) - -files_read_etc_files(kpropd_t) -files_search_tmp(kpropd_t) - -selinux_validate_context(kpropd_t) - -logging_send_syslog_msg(kpropd_t) - -miscfiles_read_localization(kpropd_t) - -seutil_read_file_contexts(kpropd_t) - -sysnet_dns_name_resolve(kpropd_t) - -kerberos_use(kpropd_t) diff --git a/policy/modules/contrib/kerneloops.fc b/policy/modules/contrib/kerneloops.fc deleted file mode 100644 index 5ef261a3..00000000 --- a/policy/modules/contrib/kerneloops.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0) - -/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) diff --git a/policy/modules/contrib/kerneloops.if b/policy/modules/contrib/kerneloops.if deleted file mode 100644 index 714448f8..00000000 --- a/policy/modules/contrib/kerneloops.if +++ /dev/null @@ -1,118 +0,0 @@ -## <summary>Service for reporting kernel oopses to kerneloops.org.</summary> - -######################################## -## <summary> -## Execute a domain transition to run kerneloops. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`kerneloops_domtrans',` - gen_require(` - type kerneloops_t, kerneloops_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kerneloops_exec_t, kerneloops_t) -') - -######################################## -## <summary> -## Send and receive messages from -## kerneloops over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kerneloops_dbus_chat',` - gen_require(` - type kerneloops_t; - class dbus send_msg; - ') - - allow $1 kerneloops_t:dbus send_msg; - allow kerneloops_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Do not audit attempts to Send and -## receive messages from kerneloops -## over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`kerneloops_dontaudit_dbus_chat',` - gen_require(` - type kerneloops_t; - class dbus send_msg; - ') - - dontaudit $1 kerneloops_t:dbus send_msg; - dontaudit kerneloops_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Create, read, write, and delete -## kerneloops temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kerneloops_manage_tmp_files',` - gen_require(` - type kerneloops_tmp_t; - ') - - files_search_tmp($1) - allow $1 kerneloops_tmp_t:file manage_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an kerneloops environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kerneloops_admin',` - gen_require(` - type kerneloops_t, kerneloops_initrc_exec_t; - type kerneloops_tmp_t; - ') - - allow $1 kerneloops_t:process { ptrace signal_perms }; - ps_process_pattern($1, kerneloops_t) - - init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerneloops_initrc_exec_t system_r; - allow $2 system_r; - - files_search_tmp($1) - admin_pattern($1, kerneloops_tmp_t) -') diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te deleted file mode 100644 index 11019854..00000000 --- a/policy/modules/contrib/kerneloops.te +++ /dev/null @@ -1,52 +0,0 @@ -policy_module(kerneloops, 1.4.1) - -######################################## -# -# Declarations -# - -type kerneloops_t; -type kerneloops_exec_t; -init_daemon_domain(kerneloops_t, kerneloops_exec_t) - -type kerneloops_initrc_exec_t; -init_script_file(kerneloops_initrc_exec_t) - -type kerneloops_tmp_t; -files_tmp_file(kerneloops_tmp_t) - -######################################## -# -# Local policy -# - -allow kerneloops_t self:capability sys_nice; -allow kerneloops_t self:process { getcap setcap setsched getsched signal }; -allow kerneloops_t self:fifo_file rw_fifo_file_perms; - -manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) -files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file) - -kernel_read_ring_buffer(kerneloops_t) - -domain_use_interactive_fds(kerneloops_t) - -corenet_all_recvfrom_unlabeled(kerneloops_t) -corenet_all_recvfrom_netlabel(kerneloops_t) -corenet_tcp_sendrecv_generic_if(kerneloops_t) -corenet_tcp_sendrecv_generic_node(kerneloops_t) - -corenet_sendrecv_http_client_packets(kerneloops_t) -corenet_tcp_connect_http_port(kerneloops_t) -corenet_tcp_sendrecv_http_port(kerneloops_t) - -auth_use_nsswitch(kerneloops_t) - -logging_send_syslog_msg(kerneloops_t) -logging_read_generic_logs(kerneloops_t) - -miscfiles_read_localization(kerneloops_t) - -optional_policy(` - dbus_system_domain(kerneloops_t, kerneloops_exec_t) -') diff --git a/policy/modules/contrib/keyboardd.fc b/policy/modules/contrib/keyboardd.fc deleted file mode 100644 index 647a5593..00000000 --- a/policy/modules/contrib/keyboardd.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0) diff --git a/policy/modules/contrib/keyboardd.if b/policy/modules/contrib/keyboardd.if deleted file mode 100644 index 8982b910..00000000 --- a/policy/modules/contrib/keyboardd.if +++ /dev/null @@ -1,19 +0,0 @@ -## <summary>Xorg.conf keyboard layout callout.</summary> - -###################################### -## <summary> -## Read keyboardd unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`keyboardd_read_pipes',` - gen_require(` - type keyboardd_t; - ') - - allow $1 keyboardd_t:fifo_file read_fifo_file_perms; -') diff --git a/policy/modules/contrib/keyboardd.te b/policy/modules/contrib/keyboardd.te deleted file mode 100644 index adfe3dc0..00000000 --- a/policy/modules/contrib/keyboardd.te +++ /dev/null @@ -1,24 +0,0 @@ -policy_module(keyboardd, 1.0.1) - -######################################## -# -# Declarations -# - -type keyboardd_t; -type keyboardd_exec_t; -init_daemon_domain(keyboardd_t, keyboardd_exec_t) - -######################################## -# -# Local policy -# - -allow keyboardd_t self:fifo_file rw_fifo_file_perms; -allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; - -files_manage_etc_runtime_files(keyboardd_t) -files_etc_filetrans_etc_runtime(keyboardd_t, file) -files_read_etc_files(keyboardd_t) - -miscfiles_read_localization(keyboardd_t) diff --git a/policy/modules/contrib/keystone.fc b/policy/modules/contrib/keystone.fc deleted file mode 100644 index b273d803..00000000 --- a/policy/modules/contrib/keystone.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0) - -/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0) - -/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0) - -/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0) diff --git a/policy/modules/contrib/keystone.if b/policy/modules/contrib/keystone.if deleted file mode 100644 index d3e7fc97..00000000 --- a/policy/modules/contrib/keystone.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>Python implementation of the OpenStack identity service API.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an keystone environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`keystone_admin',` - gen_require(` - type keystone_t, keystone_initrc_exec_t, keystone_log_t; - type keystone_var_lib_t, keystone_tmp_t; - ') - - allow $1 keystone_t:process { ptrace signal_perms }; - ps_process_pattern($1, keystone_t) - - init_labeled_script_domtrans($1, keystone_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 keystone_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, keystone_log_t) - - files_search_var_lib($1 - admin_pattern($1, keystone_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, keystone_tmp_t) -') diff --git a/policy/modules/contrib/keystone.te b/policy/modules/contrib/keystone.te deleted file mode 100644 index 3494d9bf..00000000 --- a/policy/modules/contrib/keystone.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(keystone, 1.0.1) - -######################################## -# -# Declarations -# - -type keystone_t; -type keystone_exec_t; -init_daemon_domain(keystone_t, keystone_exec_t) - -type keystone_initrc_exec_t; -init_script_file(keystone_initrc_exec_t) - -type keystone_log_t; -logging_log_file(keystone_log_t) - -type keystone_var_lib_t; -files_type(keystone_var_lib_t) - -type keystone_tmp_t; -files_tmp_file(keystone_tmp_t) - -######################################## -# -# Local policy -# - -allow keystone_t self:fifo_file rw_fifo_file_perms; -allow keystone_t self:unix_stream_socket { accept listen }; -allow keystone_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(keystone_t, keystone_log_t, keystone_log_t) -append_files_pattern(keystone_t, keystone_log_t, keystone_log_t) -create_files_pattern(keystone_t, keystone_log_t, keystone_log_t) -setattr_files_pattern(keystone_t, keystone_log_t, keystone_log_t) -logging_log_filetrans(keystone_t, keystone_log_t, dir) - -manage_dirs_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t) -manage_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t) -manage_lnk_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t) -files_tmp_filetrans(keystone_t, keystone_tmp_t, { dir file lnk_file }) - -manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t) -manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t) -files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir) - -can_exec(keystone_t, keystone_tmp_t) - -kernel_read_system_state(keystone_t) - -corecmd_exec_bin(keystone_t) -corecmd_exec_shell(keystone_t) - -corenet_all_recvfrom_unlabeled(keystone_t) -corenet_all_recvfrom_netlabel(keystone_t) -corenet_tcp_sendrecv_generic_if(keystone_t) -corenet_tcp_sendrecv_generic_node(keystone_t) -corenet_tcp_bind_generic_node(keystone_t) - -corenet_sendrecv_commplex_main_server_packets(keystone_t) -corenet_tcp_bind_commplex_main_port(keystone_t) -corenet_tcp_sendrecv_commplex_main_port(keystone_t) - -files_read_usr_files(keystone_t) - -auth_use_pam(keystone_t) - -libs_exec_ldconfig(keystone_t) - -miscfiles_read_localization(keystone_t) - -optional_policy(` - mysql_stream_connect(keystone_t) - mysql_tcp_connect(keystone_t) -') diff --git a/policy/modules/contrib/kismet.fc b/policy/modules/contrib/kismet.fc deleted file mode 100644 index 2a556ce7..00000000 --- a/policy/modules/contrib/kismet.fc +++ /dev/null @@ -1,13 +0,0 @@ -HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0) - -/etc/rc\.d/init\.d/kismet.* -- gen_context(system_u:object_r:kismet_initrc_exec_t,s0) - -/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) -/usr/bin/kismet_server -- gen_context(system_u:object_r:kismet_exec_t,s0) -/usr/bin/kismet_drone -- gen_context(system_u:object_r:kismet_exec_t,s0) - -/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) - -/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) - -/var/run/kismet_server\.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if deleted file mode 100644 index aa2a3379..00000000 --- a/policy/modules/contrib/kismet.if +++ /dev/null @@ -1,310 +0,0 @@ -## <summary>IEEE 802.11 wireless LAN sniffer.</summary> - -######################################## -## <summary> -## Role access for kismet. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -template(`kismet_role',` - gen_require(` - type kismet_exec_t, kismet_home_t, kismet_tmp_t; - type kistmet_tmpfs_t, kismet_t; - ') - - kismet_run($1, $2) - - allow $2 kistmet_t:process { ptrace signal_perms }; - ps_process_pattern($2, kismet_t) - - allow $2 kismet_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 kismet_home_t:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($2, kismet_home_t, dir, ".kismet") - - allow $2 kismet_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 kismet_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 kismet_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow $2 kismet_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 kismet_tmpfs_t:file { manage_file_perms relabel_file_perms }; -') - -######################################## -## <summary> -## Execute a domain transition to run kismet. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`kismet_domtrans',` - gen_require(` - type kismet_t, kismet_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kismet_exec_t, kismet_t) -') - -######################################## -## <summary> -## Execute kismet in the kismet domain, and -## allow the specified role the kismet domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`kismet_run',` - gen_require(` - attribute_role kismet_roles; - ') - - kismet_domtrans($1) - roleattribute $2 kismet_roles; -') - -######################################## -## <summary> -## Read kismet pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kismet_read_pid_files',` - gen_require(` - type kismet_var_run_t; - ') - - files_search_pids($1) - allow $1 kismet_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## kismet pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kismet_manage_pid_files',` - gen_require(` - type kismet_var_run_t; - ') - - files_search_pids($1) - allow $1 kismet_var_run_t:file manage_file_perms; -') - -######################################## -## <summary> -## Search kismet lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kismet_search_lib',` - gen_require(` - type kismet_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 kismet_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read kismet lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kismet_read_lib_files',` - gen_require(` - type kismet_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 kismet_var_lib_t:dir list_dir_perms; - allow $1 kismet_var_lib_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## kismet lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kismet_manage_lib_files',` - gen_require(` - type kismet_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## kismet lib content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kismet_manage_lib',` - gen_require(` - type kismet_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) -') - -######################################## -## <summary> -## Read kismet log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kismet_read_log',` - gen_require(` - type kismet_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, kismet_log_t, kismet_log_t) -') - -######################################## -## <summary> -## Append kismet log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kismet_append_log',` - gen_require(` - type kismet_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, kismet_log_t, kismet_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## kismet log content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kismet_manage_log',` - gen_require(` - type kismet_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, kismet_log_t, kismet_log_t) - manage_files_pattern($1, kismet_log_t, kismet_log_t) - manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an kismet environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kismet_admin',` - gen_require(` - type kismet_t, kismet_var_lib_t, kismet_var_run_t; - type kismet_log_t, kismet_tmp_t; - ') - - init_labeled_script_domtrans($1, kismet_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kismet_initrc_exec_t system_r; - allow $2 system_r; - - ps_process_pattern($1, kismet_t) - allow $1 kismet_t:process { ptrace signal_perms }; - - files_search_var_lib($1) - admin_pattern($1, kismet_var_lib_t) - - files_search_pids($1) - admin_pattern($1, kismet_var_run_t) - - logging_search_logs($1) - admin_pattern($1, kismet_log_t) - - files_search_tmp($1) - admin_pattern($1, kismet_tmp_t) - - kismet_run($1, $2) -') diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te deleted file mode 100644 index ea64ed58..00000000 --- a/policy/modules/contrib/kismet.te +++ /dev/null @@ -1,110 +0,0 @@ -policy_module(kismet, 1.6.1) - -######################################## -# -# Declarations -# - -attribute_role kismet_roles; - -type kismet_t; -type kismet_exec_t; -init_system_domain(kismet_t, kismet_exec_t) -role kismet_roles types kismet_t; - -type kismet_initrc_exec_t; -init_script_file(kismet_initrc_exec_t) - -type kismet_home_t; -userdom_user_home_content(kismet_home_t) - -type kismet_log_t; -logging_log_file(kismet_log_t) - -type kismet_tmp_t; -files_tmp_file(kismet_tmp_t) - -type kismet_tmpfs_t; -files_tmp_file(kismet_tmpfs_t) - -type kismet_var_lib_t; -files_type(kismet_var_lib_t) - -type kismet_var_run_t; -files_pid_file(kismet_var_run_t) - -######################################## -# -# Local policy -# - -allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; -allow kismet_t self:process signal_perms; -allow kismet_t self:fifo_file rw_fifo_file_perms; -allow kismet_t self:packet_socket create_socket_perms; -allow kismet_t self:unix_dgram_socket { create_socket_perms sendto }; -allow kismet_t self:unix_stream_socket create_stream_socket_perms; -allow kismet_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) -manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) -manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t) -userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, dir) - -allow kismet_t kismet_log_t:dir setattr_dir_perms; -append_files_pattern(kismet_t, kismet_log_t, kismet_log_t) -create_files_pattern(kismet_t, kismet_log_t, kismet_log_t) -getattr_files_pattern(kismet_t, kismet_log_t, kismet_log_t) -logging_log_filetrans(kismet_t, kismet_log_t, dir) - -manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file }) - -manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) -manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) -fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file }) - -allow kismet_t kismet_var_lib_t:file manage_file_perms; -allow kismet_t kismet_var_lib_t:dir manage_dir_perms; -files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir }) - -allow kismet_t kismet_var_run_t:dir manage_dir_perms; -files_pid_filetrans(kismet_t, kismet_var_run_t, file) - -can_exec(kismet_t, kismet_exec_t) - -kernel_search_debugfs(kismet_t) -kernel_read_system_state(kismet_t) -kernel_read_network_state(kismet_t) - -corecmd_exec_bin(kismet_t) - -corenet_all_recvfrom_unlabeled(kismet_t) -corenet_all_recvfrom_netlabel(kismet_t) -corenet_tcp_sendrecv_generic_if(kismet_t) -corenet_tcp_sendrecv_generic_node(kismet_t) -corenet_tcp_bind_generic_node(kismet_t) - -corenet_sendrecv_kismet_server_packets(kismet_t) -corenet_tcp_bind_kismet_port(kismet_t) -corenet_sendrecv_kismet_client_packets(kismet_t) -corenet_tcp_connect_kismet_port(kismet_t) -corenet_tcp_sendrecv_kismet_port(kismet_t) - -auth_use_nsswitch(kismet_t) - -files_read_usr_files(kismet_t) - -miscfiles_read_localization(kismet_t) - -userdom_use_user_terminals(kismet_t) - -optional_policy(` - dbus_system_bus_client(kismet_t) - - optional_policy(` - networkmanager_dbus_chat(kismet_t) - ') -') diff --git a/policy/modules/contrib/ksmtuned.fc b/policy/modules/contrib/ksmtuned.fc deleted file mode 100644 index e736c450..00000000 --- a/policy/modules/contrib/ksmtuned.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) - -/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) - -/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) - -/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if deleted file mode 100644 index c5302145..00000000 --- a/policy/modules/contrib/ksmtuned.if +++ /dev/null @@ -1,77 +0,0 @@ -## <summary>Kernel Samepage Merging Tuning Daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to run ksmtuned. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ksmtuned_domtrans',` - gen_require(` - type ksmtuned_t, ksmtuned_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t) -') - -######################################## -## <summary> -## Execute ksmtuned server in -## the ksmtuned domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ksmtuned_initrc_domtrans',` - gen_require(` - type ksmtuned_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ksmtuned environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ksmtuned_admin',` - gen_require(` - type ksmtuned_t, ksmtuned_var_run_t; - type ksmtuned_initrc_exec_t, ksmtuned_log_t; - ') - - ksmtuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ksmtuned_initrc_exec_t system_r; - allow $2 system_r; - - allow $1 ksmtuned_t:process { ptrace signal_perms }; - ps_process_pattern(ksmtumed_t) - - files_list_pids($1) - admin_pattern($1, ksmtuned_var_run_t) - - logging_search_logs($1) - admin_pattern($1, ksmtuned_log_t) -') diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te deleted file mode 100644 index c1539b58..00000000 --- a/policy/modules/contrib/ksmtuned.te +++ /dev/null @@ -1,55 +0,0 @@ -policy_module(ksmtuned, 1.0.1) - -######################################## -# -# Declarations -# - -type ksmtuned_t; -type ksmtuned_exec_t; -init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) - -type ksmtuned_initrc_exec_t; -init_script_file(ksmtuned_initrc_exec_t) - -type ksmtuned_log_t; -logging_log_file(ksmtuned_log_t) - -type ksmtuned_var_run_t; -files_pid_file(ksmtuned_var_run_t) - -######################################## -# -# Local policy -# - -allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; -allow ksmtuned_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) -append_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) -create_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) -setattr_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) -logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir }) - -manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) -files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) - -kernel_read_system_state(ksmtuned_t) - -corecmd_exec_bin(ksmtuned_t) -corecmd_exec_shell(ksmtuned_t) - -dev_rw_sysfs(ksmtuned_t) - -domain_read_all_domains_state(ksmtuned_t) - -mls_file_read_to_clearance(ksmtuned_t) - -term_use_all_terms(ksmtuned_t) - -auth_use_nsswitch(ksmtuned_t) - -logging_send_syslog_msg(ksmtuned_t) - -miscfiles_read_localization(ksmtuned_t) diff --git a/policy/modules/contrib/ktalk.fc b/policy/modules/contrib/ktalk.fc deleted file mode 100644 index 38ecb07d..00000000 --- a/policy/modules/contrib/ktalk.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) - -/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) -/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) -/usr/sbin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) - -/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0) diff --git a/policy/modules/contrib/ktalk.if b/policy/modules/contrib/ktalk.if deleted file mode 100644 index 19777b80..00000000 --- a/policy/modules/contrib/ktalk.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>KDE Talk daemon.</summary> diff --git a/policy/modules/contrib/ktalk.te b/policy/modules/contrib/ktalk.te deleted file mode 100644 index 2cf3815f..00000000 --- a/policy/modules/contrib/ktalk.te +++ /dev/null @@ -1,50 +0,0 @@ -policy_module(ktalk, 1.8.1) - -######################################## -# -# Declarations -# - -type ktalkd_t; -type ktalkd_exec_t; -inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) - -type ktalkd_log_t; -logging_log_file(ktalkd_log_t) - -type ktalkd_tmp_t; -files_tmp_file(ktalkd_tmp_t) - -######################################## -# -# Local policy -# - -allow ktalkd_t self:process signal_perms; -allow ktalkd_t self:fifo_file rw_fifo_file_perms; -allow ktalkd_t self:tcp_socket { accept listen }; - -allow ktalkd_t ktalkd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(ktalkd_t, ktalkd_log_t, file) - -manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t) -manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t) -files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(ktalkd_t) -kernel_read_system_state(ktalkd_t) -kernel_read_network_state(ktalkd_t) - -dev_read_urand(ktalkd_t) - -fs_getattr_xattr_fs(ktalkd_t) - -term_use_all_terms(ktalkd_t) - -auth_use_nsswitch(ktalkd_t) - -init_read_utmp(ktalkd_t) - -logging_send_syslog_msg(ktalkd_t) - -miscfiles_read_localization(ktalkd_t) diff --git a/policy/modules/contrib/kudzu.fc b/policy/modules/contrib/kudzu.fc deleted file mode 100644 index 7a2e5beb..00000000 --- a/policy/modules/contrib/kudzu.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/kudzu -- gen_context(system_u:object_r:kudzu_initrc_exec_t,s0) - -/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0) -/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) - -/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0) -/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) - -/var/run/kudzu(/.*)? gen_context(system_u:object_r:kudzu_var_run_t,s0) diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if deleted file mode 100644 index 52970645..00000000 --- a/policy/modules/contrib/kudzu.if +++ /dev/null @@ -1,104 +0,0 @@ -## <summary>Hardware detection and configuration tools.</summary> - -######################################## -## <summary> -## Execute kudzu in the kudzu domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`kudzu_domtrans',` - gen_require(` - type kudzu_t, kudzu_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kudzu_exec_t, kudzu_t) -') - -######################################## -## <summary> -## Execute kudzu in the kudzu domain, and -## allow the specified role the kudzu domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kudzu_run',` - gen_require(` - attribute_role kudzu_roles; - ') - - kudzu_domtrans($1) - roleattribute $2 kudzu_roles; -') - -######################################## -## <summary> -## Get attributes of kudzu executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`kudzu_getattr_exec_files',` - gen_require(` - type kudzu_exec_t; - ') - - allow $1 kudzu_exec_t:file getattr_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an kudzu environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`kudzu_admin',` - gen_require(` - type kudzu_t, kudzu_initrc_exec_t, kudzu_var_run_t; - type kudzu_tmp_t; - ') - - allow $1 kudzu_t:process { ptrace signal_perms }; - ps_process_pattern($1, kudzu_t) - - init_labeled_script_domtrans($1, kudzu_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kudzu_initrc_exec_t system_r; - allow $2 system_r; - - files_search_tmp($1) - admin_pattern($1, kudzu_tmp_t) - - files_search_pids($1) - admin_pattern($1, kudzu_var_run_t) - - kudzu_run($1, $2) -') diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te deleted file mode 100644 index 9725f1a4..00000000 --- a/policy/modules/contrib/kudzu.te +++ /dev/null @@ -1,138 +0,0 @@ -policy_module(kudzu, 1.8.2) - -######################################## -# -# Declarations -# - -attribute_role kudzu_roles; - -type kudzu_t; -type kudzu_exec_t; -init_system_domain(kudzu_t, kudzu_exec_t) -role kudzu_roles types kudzu_t; - -type kudzu_initrc_exec_t; -init_script_file(kudzu_initrc_exec_t) - -type kudzu_tmp_t; -files_tmp_file(kudzu_tmp_t) - -type kudzu_var_run_t; -files_pid_file(kudzu_var_run_t) - -######################################## -# -# Local policy -# - -allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; -dontaudit kudzu_t self:capability sys_tty_config; -allow kudzu_t self:process { signal_perms execmem }; -allow kudzu_t self:fifo_file rw_fifo_file_perms; -allow kudzu_t self:unix_stream_socket { accept connectto listen }; -allow kudzu_t self:udp_socket { create ioctl }; - -manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) -manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) -manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) -files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file }) - -manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t) -manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t) -files_pid_filetrans(kudzu_t, kudzu_var_run_t, file) - -kernel_change_ring_buffer_level(kudzu_t) -kernel_read_device_sysctls(kudzu_t) -kernel_read_kernel_sysctls(kudzu_t) -kernel_read_network_state(kudzu_t) -kernel_read_system_state(kudzu_t) -kernel_rw_hotplug_sysctls(kudzu_t) -kernel_rw_kernel_sysctl(kudzu_t) - -corecmd_exec_all_executables(kudzu_t) - -dev_list_sysfs(kudzu_t) -dev_read_usbfs(kudzu_t) -dev_read_sysfs(kudzu_t) -dev_rx_raw_memory(kudzu_t) -dev_wx_raw_memory(kudzu_t) -dev_rw_mouse(kudzu_t) -dev_rwx_zero(kudzu_t) - -domain_use_interactive_fds(kudzu_t) - -files_read_kernel_modules(kudzu_t) -files_read_usr_files(kudzu_t) -files_search_locks(kudzu_t) -files_manage_etc_files(kudzu_t) -files_manage_etc_runtime_files(kudzu_t) -files_etc_filetrans_etc_runtime(kudzu_t, file) -files_manage_mnt_files(kudzu_t) -files_manage_mnt_symlinks(kudzu_t) -files_dontaudit_search_src(kudzu_t) -files_dontaudit_search_isid_type_dirs(kudzu_t) - -fs_search_auto_mountpoints(kudzu_t) -fs_write_ramfs_sockets(kudzu_t) - -mls_file_read_all_levels(kudzu_t) -mls_file_write_all_levels(kudzu_t) - -storage_read_scsi_generic(kudzu_t) -storage_read_tape(kudzu_t) -storage_raw_write_fixed_disk(kudzu_t) -storage_raw_write_removable_device(kudzu_t) -storage_raw_read_fixed_disk(kudzu_t) -storage_raw_read_removable_device(kudzu_t) - -term_dontaudit_use_console(kudzu_t) -term_use_unallocated_ttys(kudzu_t) - -init_use_fds(kudzu_t) -init_use_script_ptys(kudzu_t) -init_stream_connect_script(kudzu_t) -init_read_state(kudzu_t) -init_ptrace(kudzu_t) -init_telinit(kudzu_t) - -libs_read_lib_files(kudzu_t) - -logging_send_syslog_msg(kudzu_t) - -miscfiles_read_hwdata(kudzu_t) -miscfiles_read_localization(kudzu_t) - -sysnet_read_config(kudzu_t) - -userdom_use_user_terminals(kudzu_t) -userdom_dontaudit_use_unpriv_user_fds(kudzu_t) -userdom_search_user_home_dirs(kudzu_t) - -optional_policy(` - gpm_getattr_gpmctl(kudzu_t) -') - -optional_policy(` - modutils_read_module_config(kudzu_t) - modutils_read_module_deps(kudzu_t) - modutils_rename_module_config(kudzu_t) - modutils_delete_module_config(kudzu_t) - modutils_domtrans_insmod(kudzu_t) -') - -optional_policy(` - nscd_use(kudzu_t) -') - -optional_policy(` - seutil_sigchld_newrole(kudzu_t) -') - -optional_policy(` - udev_read_db(kudzu_t) -') - -optional_policy(` - unconfined_domtrans(kudzu_t) -') diff --git a/policy/modules/contrib/l2tp.fc b/policy/modules/contrib/l2tp.fc deleted file mode 100644 index d5d1572b..00000000 --- a/policy/modules/contrib/l2tp.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/.*l2tp(/.*)? gen_context(system_u:object_r:l2tp_conf_t,s0) - -/etc/rc\.d/init\.d/.*l2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) - -/etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0) - -/usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) - -/var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) -/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) -/var/run/.*l2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) diff --git a/policy/modules/contrib/l2tp.if b/policy/modules/contrib/l2tp.if deleted file mode 100644 index 73e2803e..00000000 --- a/policy/modules/contrib/l2tp.if +++ /dev/null @@ -1,102 +0,0 @@ -## <summary>Layer 2 Tunneling Protocol.</summary> - -######################################## -## <summary> -## Send to l2tpd with a unix -## domain dgram socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`l2tpd_dgram_send',` - gen_require(` - type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t; - ') - - files_search_pids($1) - files_search_tmp($1) - dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) -') - -######################################## -## <summary> -## Read and write l2tpd sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`l2tpd_rw_socket',` - gen_require(` - type l2tpd_t; - ') - - allow $1 l2tpd_t:socket rw_socket_perms; -') - -##################################### -## <summary> -## Connect to l2tpd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`l2tpd_stream_connect',` - gen_require(` - type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t; - ') - - files_search_pids($1) - files_search_tmp($1) - stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an l2tp environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`l2tp_admin',` - gen_require(` - type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; - type l2tp_conf_t, l2tpd_tmp_t; - ') - - allow $1 l2tpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, l2tpd_t) - - init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 l2tpd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, l2tp_conf_t) - - files_search_pids($1) - admin_pattern($1, l2tpd_var_run_t) - - files_search_tmp($1) - admin_pattern($1, l2tpd_tmp_t) -') diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te deleted file mode 100644 index 19f2b97f..00000000 --- a/policy/modules/contrib/l2tp.te +++ /dev/null @@ -1,94 +0,0 @@ -policy_module(l2tp, 1.0.5) - -######################################## -# -# Declarations -# - -type l2tpd_t; -type l2tpd_exec_t; -init_daemon_domain(l2tpd_t, l2tpd_exec_t) - -type l2tpd_initrc_exec_t; -init_script_file(l2tpd_initrc_exec_t) - -type l2tp_conf_t; -files_config_file(l2tp_conf_t) - -type l2tpd_tmp_t; -files_tmp_file(l2tpd_tmp_t) - -type l2tpd_var_run_t; -files_pid_file(l2tpd_var_run_t) - -######################################## -# -# Local policy -# - -allow l2tpd_t self:capability net_admin; -allow l2tpd_t self:process signal; -allow l2tpd_t self:fifo_file rw_fifo_file_perms; -allow l2tpd_t self:netlink_socket create_socket_perms; -allow l2tpd_t self:rawip_socket create_socket_perms; -allow l2tpd_t self:socket create_socket_perms; -allow l2tpd_t self:tcp_socket { accept listen }; -allow l2tpd_t self:unix_dgram_socket sendto; -allow l2tpd_t self:unix_stream_socket { accept listen }; - -read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t) - -manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) -manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) -manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) -manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) -files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file }) - -manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) -files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) - -corenet_all_recvfrom_unlabeled(l2tpd_t) -corenet_all_recvfrom_netlabel(l2tpd_t) -corenet_raw_sendrecv_generic_if(l2tpd_t) -corenet_tcp_sendrecv_generic_if(l2tpd_t) -corenet_udp_sendrecv_generic_if(l2tpd_t) -corenet_raw_bind_generic_node(l2tpd_t) -corenet_tcp_bind_generic_node(l2tpd_t) -corenet_udp_bind_generic_node(l2tpd_t) -corenet_raw_sendrecv_generic_node(l2tpd_t) -corenet_tcp_sendrecv_generic_node(l2tpd_t) -corenet_udp_sendrecv_generic_node(l2tpd_t) -corenet_tcp_sendrecv_all_ports(l2tpd_t) -corenet_udp_sendrecv_all_ports(l2tpd_t) - -corenet_sendrecv_all_server_packets(l2tpd_t) -corenet_tcp_bind_all_rpc_ports(l2tpd_t) -corenet_udp_bind_all_rpc_ports(l2tpd_t) - -corenet_udp_bind_l2tp_port(l2tpd_t) - -kernel_read_network_state(l2tpd_t) -kernel_read_system_state(l2tpd_t) -kernel_request_load_module(l2tpd_t) - -corecmd_exec_bin(l2tpd_t) - -dev_read_urand(l2tpd_t) - -files_read_etc_files(l2tpd_t) - -term_setattr_generic_ptys(l2tpd_t) -term_use_generic_ptys(l2tpd_t) -term_use_ptmx(l2tpd_t) - -logging_send_syslog_msg(l2tpd_t) - -miscfiles_read_localization(l2tpd_t) - -sysnet_dns_name_resolve(l2tpd_t) - -optional_policy(` - ppp_domtrans(l2tpd_t) - ppp_signal(l2tpd_t) - ppp_kill(l2tpd_t) -') diff --git a/policy/modules/contrib/ldap.fc b/policy/modules/contrib/ldap.fc deleted file mode 100644 index 4787a075..00000000 --- a/policy/modules/contrib/ldap.fc +++ /dev/null @@ -1,29 +0,0 @@ -/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) -/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) -/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) - -/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) - -/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - -/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) -/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - -/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) - -/var/lock/subsys/ldap -- gen_context(system_u:object_r:slapd_lock_t,s0) -/var/lock/subsys/slapd -- gen_context(system_u:object_r:slapd_lock_t,s0) - -/var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) -/var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) - -/var/lib/openldap-data(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -/var/lib/openldap-ldbm(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -/var/lib/openldap-slurpd(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) - -/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if deleted file mode 100644 index de2508eb..00000000 --- a/policy/modules/contrib/ldap.if +++ /dev/null @@ -1,173 +0,0 @@ -## <summary>OpenLDAP directory server.</summary> - -######################################## -## <summary> -## List ldap database directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ldap_list_db',` - gen_require(` - type slapd_db_t; - ') - - files_search_etc($1) - allow $1 slapd_db_t:dir list_dir_perms; -') - -######################################## -## <summary> -## Read ldap configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ldap_read_config',` - gen_require(` - type slapd_etc_t; - ') - - files_search_etc($1) - allow $1 slapd_etc_t:file read_file_perms; -') - -######################################## -## <summary> -## Use LDAP over TCP connection. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ldap_use',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Connect to slapd over an unix -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ldap_stream_connect',` - gen_require(` - type slapd_t, slapd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) -') - -######################################## -## <summary> -## Connect to ldap over the network. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ldap_tcp_connect',` - gen_require(` - type slapd_t; - ') - - corenet_sendrecv_ldap_client_packets($1) - corenet_tcp_connect_ldap_port($1) - corenet_tcp_recvfrom_labeled($1, slapd_t) - corenet_tcp_sendrecv_ldap_port($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ldap environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ldap_admin',` - gen_require(` - type slapd_t, slapd_tmp_t, slapd_replog_t; - type slapd_lock_t, slapd_etc_t, slapd_var_run_t; - type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; - type slapd_db_t; - ') - - allow $1 slapd_t:process { ptrace signal_perms }; - ps_process_pattern($1, slapd_t) - - init_labeled_script_domtrans($1, slapd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 slapd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t }) - - files_list_locks($1) - admin_pattern($1, slapd_lock_t) - - logging_list_logs($1) - admin_pattern($1, slapd_log_t) - - files_search_var_lib($1) - admin_pattern($1, slapd_replog_t) - - files_list_tmp($1) - admin_pattern($1, slapd_tmp_t) - - files_list_pids($1) - admin_pattern($1, slapd_var_run_t) -') - -######################################## -## <summary> -## Execute slapd in the slapd domain, and -## allow the given role the slapd_t type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`ldap_run',` - gen_require(` - type slapd_t; - type slapd_exec_t; - ') - - role $2 types slapd_t; - domtrans_pattern($1, slapd_exec_t, slapd_t) -') diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te deleted file mode 100644 index 7968e390..00000000 --- a/policy/modules/contrib/ldap.te +++ /dev/null @@ -1,151 +0,0 @@ -policy_module(ldap, 1.10.2) - -######################################## -# -# Declarations -# - -type slapd_t; -type slapd_exec_t; -init_daemon_domain(slapd_t, slapd_exec_t) - -type slapd_cert_t; -miscfiles_cert_type(slapd_cert_t) - -type slapd_db_t; -files_type(slapd_db_t) - -type slapd_etc_t; -files_config_file(slapd_etc_t) - -type slapd_initrc_exec_t; -init_script_file(slapd_initrc_exec_t) - -type slapd_lock_t; -files_lock_file(slapd_lock_t) - -type slapd_log_t; -logging_log_file(slapd_log_t) - -type slapd_replog_t; -files_type(slapd_replog_t) - -type slapd_tmp_t; -files_tmp_file(slapd_tmp_t) - -type slapd_tmpfs_t; -files_tmpfs_file(slapd_tmpfs_t) - -type slapd_var_run_t; -files_pid_file(slapd_var_run_t) - -######################################## -# -# Local policy -# - -allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; -dontaudit slapd_t self:capability sys_tty_config; -allow slapd_t self:process setsched; -allow slapd_t self:fifo_file rw_fifo_file_perms; -allow slapd_t self:tcp_socket { accept listen }; - -allow slapd_t slapd_cert_t:dir list_dir_perms; -read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) -read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) - -manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t) -manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t) -manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) - -allow slapd_t slapd_etc_t:file read_file_perms; - -allow slapd_t slapd_lock_t:file manage_file_perms; -files_lock_filetrans(slapd_t, slapd_lock_t, file) - -manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) -append_files_pattern(slapd_t, slapd_log_t, slapd_log_t) -create_files_pattern(slapd_t, slapd_log_t, slapd_log_t) -setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t) -logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) - -manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) -manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) -manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) - -manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) -manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) -files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) - -manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) -fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file) - -manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) -manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) -manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) -files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) - -kernel_read_system_state(slapd_t) -kernel_read_kernel_sysctls(slapd_t) - -corenet_all_recvfrom_unlabeled(slapd_t) -corenet_all_recvfrom_netlabel(slapd_t) -corenet_tcp_sendrecv_generic_if(slapd_t) -corenet_tcp_sendrecv_generic_node(slapd_t) -corenet_tcp_sendrecv_all_ports(slapd_t) -corenet_tcp_bind_generic_node(slapd_t) - -corenet_sendrecv_ldap_server_packets(slapd_t) -corenet_tcp_bind_ldap_port(slapd_t) - -corenet_sendrecv_all_client_packets(slapd_t) -corenet_tcp_connect_all_ports(slapd_t) - -dev_read_urand(slapd_t) -dev_read_sysfs(slapd_t) - -domain_use_interactive_fds(slapd_t) - -fs_getattr_all_fs(slapd_t) -fs_search_auto_mountpoints(slapd_t) - -files_read_etc_runtime_files(slapd_t) -files_read_usr_files(slapd_t) -files_list_var_lib(slapd_t) - -auth_use_nsswitch(slapd_t) - -logging_send_syslog_msg(slapd_t) - -miscfiles_read_generic_certs(slapd_t) -miscfiles_read_localization(slapd_t) - -userdom_dontaudit_use_unpriv_user_fds(slapd_t) -userdom_dontaudit_search_user_home_dirs(slapd_t) - -ifdef(`distro_gentoo',` - allow slapd_t self:process signal; - allow slapd_t self:unix_stream_socket listen; - - userdom_use_user_terminals(slapd_t) -') - -optional_policy(` - kerberos_keytab_template(slapd, slapd_t) - kerberos_manage_host_rcache(slapd_t) - kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0") - kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487") - kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55") -') - -optional_policy(` - sasl_connect(slapd_t) -') - -optional_policy(` - seutil_sigchld_newrole(slapd_t) -') - -optional_policy(` - udev_read_db(slapd_t) -') diff --git a/policy/modules/contrib/lightsquid.fc b/policy/modules/contrib/lightsquid.fc deleted file mode 100644 index 044390c6..00000000 --- a/policy/modules/contrib/lightsquid.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0) - -/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0) -/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0) - -/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0) - -/var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0) - -/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0) -/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0) diff --git a/policy/modules/contrib/lightsquid.if b/policy/modules/contrib/lightsquid.if deleted file mode 100644 index 33a28b9a..00000000 --- a/policy/modules/contrib/lightsquid.if +++ /dev/null @@ -1,80 +0,0 @@ -## <summary>Log analyzer for squid proxy.</summary> - -######################################## -## <summary> -## Execute the lightsquid program in -## the lightsquid domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`lightsquid_domtrans',` - gen_require(` - type lightsquid_t, lightsquid_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, lightsquid_exec_t, lightsquid_t) -') - -######################################## -## <summary> -## Execute lightsquid in the -## lightsquid domain, and allow the -## specified role the lightsquid domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`lightsquid_run',` - gen_require(` - attribute_role lightsquid_roles; - ') - - lightsquid_domtrans($1) - roleattribute $2 lightsquid_roles; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an lightsquid environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`lightsquid_admin',` - gen_require(` - type lightsquid_t, lightsquid_rw_content_t; - ') - - allow $1 lightsquid_t:process { ptrace signal_perms }; - ps_process_pattern($1, lightsquid_t) - - lightsquid_run($1, $2) - - files_search_var_lib($1) - admin_pattern($1, lightsquid_rw_content_t) - - apache_list_sys_content($1) -') diff --git a/policy/modules/contrib/lightsquid.te b/policy/modules/contrib/lightsquid.te deleted file mode 100644 index 40a26077..00000000 --- a/policy/modules/contrib/lightsquid.te +++ /dev/null @@ -1,52 +0,0 @@ -policy_module(lightsquid, 1.0.2) - -######################################## -# -# Declarations -# - -attribute_role lightsquid_roles; -roleattribute system_r lightsquid_roles; - -type lightsquid_t; -type lightsquid_exec_t; -application_domain(lightsquid_t, lightsquid_exec_t) -role lightsquid_roles types lightsquid_t; - -type lightsquid_rw_content_t; -files_type(lightsquid_rw_content_t) - -######################################## -# -# Local policy -# - -manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) -manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) -manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) -files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir) - -corecmd_exec_bin(lightsquid_t) -corecmd_exec_shell(lightsquid_t) - -dev_read_urand(lightsquid_t) - -files_read_etc_files(lightsquid_t) -files_read_usr_files(lightsquid_t) - -miscfiles_read_localization(lightsquid_t) - -squid_read_config(lightsquid_t) -squid_read_log(lightsquid_t) - -optional_policy(` - apache_content_template(lightsquid) - - list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) - read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) - read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) -') - -optional_policy(` - cron_system_entry(lightsquid_t, lightsquid_exec_t) -') diff --git a/policy/modules/contrib/likewise.fc b/policy/modules/contrib/likewise.fc deleted file mode 100644 index 5758403f..00000000 --- a/policy/modules/contrib/likewise.fc +++ /dev/null @@ -1,100 +0,0 @@ -/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0) -/etc/likewise-open/\.pstore\.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0) -/etc/likewise-open/likewise-krb5-ad\.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0) - -/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/likewise -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) - -/opt/likewise/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) -/opt/likewise/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) -/opt/likewise/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0) -/opt/likewise/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0) -/opt/likewise/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0) -/opt/likewise/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0) -/opt/likewise/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) -/opt/likewise/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) - -/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) -/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) -/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0) -/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0) -/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0) -/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0) -/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) -/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) - -/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise/\.eventlog -s gen_context(system_u:object_r:eventlogd_var_socket_t,s0) -/var/lib/likewise/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) -/var/lib/likewise/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0) -/var/lib/likewise/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0) -/var/lib/likewise/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0) -/var/lib/likewise/\.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0) -/var/lib/likewise/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0) -/var/lib/likewise/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) -/var/lib/likewise/\.pstore\.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0) -/var/lib/likewise/krb5-affinity\.conf -- gen_context(system_u:object_r:netlogond_var_lib_t,s0) -/var/lib/likewise/krb5cc.* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) -/var/lib/likewise/krb5ccr_lsass\..* -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) -/var/lib/likewise/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0) -/var/lib/likewise/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise/db/lwi_events\.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0) -/var/lib/likewise/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise/db/lsass-adcache\.filedb\..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0) -/var/lib/likewise/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0) -/var/lib/likewise/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise/run/rpcdep\.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) - -/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/\.eventlog -s gen_context(system_u:object_r:eventlogd_var_socket_t,s0) -/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) -/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0) -/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0) -/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0) -/var/lib/likewise-open/\.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0) -/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0) -/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) -/var/lib/likewise-open/\.pstore\.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0) -/var/lib/likewise-open/krb5-affinity\.conf -- gen_context(system_u:object_r:netlogond_var_lib_t,s0) -/var/lib/likewise-open/krb5cc.* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) -/var/lib/likewise-open/krb5ccr_lsass\..* -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) -/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0) -/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/db/lwi_events\.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0) -/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adcache\.filedb\..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t,s0) -/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t,s0) -/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/run/rpcdep\.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t,s0) - -/var/run/eventlogd\.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0) -/var/run/lsassd\.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0) -/var/run/lwiod\.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0) -/var/run/lwregd\.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0) -/var/run/netlogond\.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0) -/var/run/srvsvcd\.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0) diff --git a/policy/modules/contrib/likewise.if b/policy/modules/contrib/likewise.if deleted file mode 100644 index bd20e8cc..00000000 --- a/policy/modules/contrib/likewise.if +++ /dev/null @@ -1,134 +0,0 @@ -## <summary>Likewise Active Directory support for UNIX.</summary> - -####################################### -## <summary> -## The template to define a likewise domain. -## </summary> -## <param name="userdomain_prefix"> -## <summary> -## The type of daemon to be used. -## </summary> -## </param> -# -template(`likewise_domain_template',` - gen_require(` - attribute likewise_domains; - type likewise_var_lib_t; - ') - - ######################################## - # - # Declarations - # - - type $1_t; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - - typeattribute $1_t likewise_domains; - - type $1_var_run_t; - files_pid_file($1_var_run_t) - - type $1_var_socket_t; - files_type($1_var_socket_t) - - type $1_var_lib_t; - files_type($1_var_lib_t) - - #################################### - # - # Policy - # - - allow $1_t self:process { signal_perms getsched setsched }; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_stream_socket { accept listen }; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, file) - - manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t) - filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file) - - manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) - filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) -') - -######################################## -## <summary> -## Connect to lsassd with a unix domain -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`likewise_stream_connect_lsassd',` - gen_require(` - type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an likewise environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`likewise_admin',` - gen_require(` - attribute likewise_domains; - type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t; - type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t; - type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t; - type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t; - type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t; - type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t; - type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t; - type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t; - ') - - allow $1 likewise_domains:process { ptrace signal_perms }; - ps_process_pattern($1, likewise_domains) - - init_labeled_script_domtrans($1, likewise_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 likewise_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t }) - - files_search_var_lib($1) - admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t }) - admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t }) - admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t }) - admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t }) - admin_pattern($1, dcerpcd_var_lib_t) - - files_list_tmp($1) - admin_pattern($1, lsassd_tmp_t) - - files_list_pids($1) - admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t }) - admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t }) -') diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te deleted file mode 100644 index 408fbe3c..00000000 --- a/policy/modules/contrib/likewise.te +++ /dev/null @@ -1,254 +0,0 @@ -policy_module(likewise, 1.2.1) - -################################# -# -# Declarations -# - -attribute likewise_domains; - -likewise_domain_template(dcerpcd) -likewise_domain_template(eventlogd) -likewise_domain_template(lsassd) -likewise_domain_template(lwiod) -likewise_domain_template(lwregd) -likewise_domain_template(lwsmd) -likewise_domain_template(netlogond) -likewise_domain_template(srvsvcd) - -type likewise_etc_t; -files_config_file(likewise_etc_t) - -type likewise_initrc_exec_t; -init_script_file(likewise_initrc_exec_t) - -type likewise_var_lib_t; -files_type(likewise_var_lib_t) - -type likewise_pstore_lock_t; -files_type(likewise_pstore_lock_t) - -type likewise_krb5_ad_t; -files_type(likewise_krb5_ad_t) - -type lsassd_tmp_t; -files_tmp_file(lsassd_tmp_t) - -################################# -# -# Common local policy -# - -allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms; - -kernel_read_system_state(likewise_domains) - -dev_read_rand(likewise_domains) -dev_read_urand(likewise_domains) - -domain_use_interactive_fds(likewise_domains) - -files_read_etc_files(likewise_domains) -files_search_var_lib(likewise_domains) - -logging_send_syslog_msg(likewise_domains) - -miscfiles_read_localization(likewise_domains) - -################################# -# -# dcerpcd local policy -# - -stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -corenet_all_recvfrom_netlabel(dcerpcd_t) -corenet_all_recvfrom_unlabeled(dcerpcd_t) -corenet_tcp_sendrecv_generic_if(dcerpcd_t) -corenet_tcp_sendrecv_generic_node(dcerpcd_t) -corenet_tcp_sendrecv_generic_port(dcerpcd_t) -corenet_tcp_bind_generic_node(dcerpcd_t) -corenet_udp_bind_generic_node(dcerpcd_t) -corenet_udp_sendrecv_generic_if(dcerpcd_t) -corenet_udp_sendrecv_generic_node(dcerpcd_t) -corenet_udp_sendrecv_generic_port(dcerpcd_t) - -corenet_sendrecv_epmap_server_packets(dcerpcd_t) -corenet_tcp_bind_epmap_port(dcerpcd_t) -corenet_udp_bind_epmap_port(dcerpcd_t) - -corenet_sendrecv_generic_client_packets(dcerpcd_t) -corenet_tcp_connect_generic_port(dcerpcd_t) - -################################# -# -# eventlogd local policy -# - -stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) -stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -corenet_all_recvfrom_netlabel(eventlogd_t) -corenet_all_recvfrom_unlabeled(eventlogd_t) -corenet_tcp_sendrecv_generic_if(eventlogd_t) -corenet_tcp_sendrecv_generic_node(eventlogd_t) - -corenet_sendrecv_epmap_client_packets(eventlogd_t) -corenet_tcp_connect_epmap_port(eventlogd_t) -corenet_tcp_sendrecv_epmap_port(eventlogd_t) - -################################# -# -# lsassd local policy -# - -allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time }; -allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; - -allow lsassd_t likewise_krb5_ad_t:file read_file_perms; -allow lsassd_t netlogond_var_lib_t:file read_file_perms; - -manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t) - -manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t) -files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file) - -stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t) - -kernel_list_all_proc(lsassd_t) - -corecmd_exec_bin(lsassd_t) -corecmd_exec_shell(lsassd_t) - -corenet_all_recvfrom_netlabel(lsassd_t) -corenet_all_recvfrom_unlabeled(lsassd_t) -corenet_tcp_sendrecv_generic_if(lsassd_t) -corenet_tcp_sendrecv_generic_node(lsassd_t) - -corenet_sendrecv_epmap_client_packets(lsassd_t) -corenet_tcp_connect_epmap_port(lsassd_t) -corenet_tcp_sendrecv_epmap_port(lsassd_t) - -domain_obj_id_change_exemption(lsassd_t) -domain_dontaudit_search_all_domains_state(lsassd_t) - -files_manage_etc_files(lsassd_t) -files_manage_etc_symlinks(lsassd_t) -files_manage_etc_runtime_files(lsassd_t) -files_relabelto_home(lsassd_t) - -selinux_get_fs_mount(lsassd_t) -selinux_validate_context(lsassd_t) - -seutil_read_config(lsassd_t) -seutil_read_default_contexts(lsassd_t) -seutil_read_file_contexts(lsassd_t) -seutil_run_semanage(lsassd_t, system_r) - -sysnet_use_ldap(lsassd_t) - -userdom_home_filetrans_user_home_dir(lsassd_t) -userdom_manage_user_home_content_files(lsassd_t) - -optional_policy(` - kerberos_rw_keytab(lsassd_t) - kerberos_use(lsassd_t) -') - -################################# -# -# lwiod local policy -# - -allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource }; -allow lwiod_t self:process setrlimit; -allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; - -allow lwiod_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; - -stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) -stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) -stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t) - -corenet_all_recvfrom_netlabel(lwiod_t) -corenet_all_recvfrom_unlabeled(lwiod_t) -corenet_tcp_sendrecv_generic_if(lwiod_t) -corenet_tcp_sendrecv_generic_node(lwiod_t) -corenet_tcp_bind_generic_node(lwiod_t) - -corenet_sendrecv_smbd_server_packets(lwiod_t) -corenet_tcp_bind_smbd_port(lwiod_t) -corenet_sendrecv_smbd_client_packets(lwiod_t) -corenet_tcp_connect_smbd_port(lwiod_t) -corenet_tcp_sendrecv_smbd_port(lwiod_t) - -sysnet_read_config(lwiod_t) - -optional_policy(` - kerberos_rw_config(lwiod_t) - kerberos_use(lwiod_t) -') - -################################# -# -# lwsmd local policy -# - -allow lwsmd_t self:process setpgid; - -allow lwsmd_t likewise_domains:process signal; - -allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; - -domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t) -domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t) -domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t) -domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t) -domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t) -domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t) -domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t) - -stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) -stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -################################# -# -# netlogond local policy -# - -allow netlogond_t self:capability dac_override; - -manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) - -stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -sysnet_dns_name_resolve(netlogond_t) -sysnet_use_ldap(netlogond_t) - -################################# -# -# srvsvcd local policy -# - -allow srvsvcd_t likewise_etc_t:dir search_dir_perms; - -stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) -stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) -stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -corenet_all_recvfrom_netlabel(srvsvcd_t) -corenet_all_recvfrom_unlabeled(srvsvcd_t) -corenet_sendrecv_generic_server_packets(srvsvcd_t) -corenet_tcp_sendrecv_generic_if(srvsvcd_t) -corenet_tcp_sendrecv_generic_node(srvsvcd_t) -corenet_tcp_sendrecv_generic_port(srvsvcd_t) -corenet_tcp_bind_generic_node(srvsvcd_t) - -optional_policy(` - kerberos_use(srvsvcd_t) -') diff --git a/policy/modules/contrib/links.fc b/policy/modules/contrib/links.fc index d973b307..1bf9f543 100644 --- a/policy/modules/contrib/links.fc +++ b/policy/modules/contrib/links.fc @@ -1,2 +1,5 @@ /usr/bin/links -- gen_context(system_u:object_r:links_exec_t,s0) HOME_DIR/\.links(/.*)? gen_context(system_u:object_r:links_home_t,s0) + +/usr/bin/elinks -- gen_context(system_u:object_r:links_exec_t,s0) +HOME_DIR/\.elinks(/.*)? gen_context(system_u:object_r:links_home_t,s0) diff --git a/policy/modules/contrib/links.if b/policy/modules/contrib/links.if index 61254fc3..b3ad618e 100644 --- a/policy/modules/contrib/links.if +++ b/policy/modules/contrib/links.if @@ -17,14 +17,14 @@ # interface(`links_role',` gen_require(` - type links_t, links_exec_t, links_tmpfs_t, links_home_t; + type links_t, links_exec_t, links_home_t; ') ####################################### # # Declarations # - + role $1 types links_t; ############################ @@ -43,4 +43,4 @@ interface(`links_role',` domtrans_pattern($2, links_exec_t, links_t) ps_process_pattern($2, links_t) -') +') diff --git a/policy/modules/contrib/links.te b/policy/modules/contrib/links.te index a36703f2..a09692a9 100644 --- a/policy/modules/contrib/links.te +++ b/policy/modules/contrib/links.te @@ -1,7 +1,7 @@ policy_module(links, 1.0.0) ############################ -# +# # Declarations # @@ -45,7 +45,6 @@ manage_fifo_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t) manage_sock_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t) fs_tmpfs_filetrans(links_t, links_tmpfs_t, { file lnk_file sock_file fifo_file }) - domain_use_interactive_fds(links_t) auth_use_nsswitch(links_t) @@ -54,6 +53,7 @@ userdom_use_user_terminals(links_t) corenet_tcp_connect_http_port(links_t) +miscfiles_read_all_certs(links_t) miscfiles_read_localization(links_t) tunable_policy(`links_manage_user_files',` diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc deleted file mode 100644 index c7a726af..00000000 --- a/policy/modules/contrib/lircd.fc +++ /dev/null @@ -1,12 +0,0 @@ -/dev/lircd -s gen_context(system_u:object_r:lircd_var_run_t,s0) - -/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0) -/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0) - -/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) - -/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) - -/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) -/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) -/var/run/lircd\.pid -- gen_context(system_u:object_r:lircd_var_run_t,s0) diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if deleted file mode 100644 index dff21a7c..00000000 --- a/policy/modules/contrib/lircd.if +++ /dev/null @@ -1,98 +0,0 @@ -## <summary>Linux infared remote control daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to run lircd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`lircd_domtrans',` - gen_require(` - type lircd_t, lircd_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_trans($1, lircd_exec_t, lircd_t) -') - -###################################### -## <summary> -## Connect to lircd over a unix domain -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`lircd_stream_connect',` - gen_require(` - type lircd_var_run_t, lircd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t) -') - -####################################### -## <summary> -## Read lircd etc files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`lircd_read_config',` - gen_require(` - type lircd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, lircd_etc_t, lircd_etc_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate a lircd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`lircd_admin',` - gen_require(` - type lircd_t, lircd_var_run_t; - type lircd_initrc_exec_t, lircd_etc_t; - ') - - allow $1 lircd_t:process { ptrace signal_perms }; - ps_process_pattern($1, lircd_t) - - init_labeled_script_domtrans($1, lircd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 lircd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, lircd_etc_t) - - files_search_pids($1) - admin_pattern($1, lircd_var_run_t) - dev_list_all_dev_nodes($1) -') diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te deleted file mode 100644 index 98b5405d..00000000 --- a/policy/modules/contrib/lircd.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(lircd, 1.1.2) - -######################################## -# -# Declarations -# - -type lircd_t; -type lircd_exec_t; -init_daemon_domain(lircd_t, lircd_exec_t) - -type lircd_initrc_exec_t; -init_script_file(lircd_initrc_exec_t) - -type lircd_etc_t; -files_type(lircd_etc_t) - -type lircd_var_run_t alias lircd_sock_t; -files_pid_file(lircd_var_run_t) - -######################################## -# -# Local policy -# - -allow lircd_t self:capability { chown kill sys_admin }; -allow lircd_t self:process signal; -allow lircd_t self:fifo_file rw_fifo_file_perms; -allow lircd_t self:tcp_socket { accept listen }; - -read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) - -manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) - -dev_filetrans(lircd_t, lircd_var_run_t, sock_file) - -kernel_request_load_module(lircd_t) - -corenet_all_recvfrom_unlabeled(lircd_t) -corenet_all_recvfrom_netlabel(lircd_t) -corenet_tcp_sendrecv_generic_if(lircd_t) -corenet_tcp_sendrecv_generic_node(lircd_t) -corenet_tcp_bind_generic_node(lircd_t) - -corenet_sendrecv_lirc_server_packets(lircd_t) -corenet_tcp_bind_lirc_port(lircd_t) -corenet_sendrecv_lirc_client_packets(lircd_t) -corenet_tcp_connect_lirc_port(lircd_t) -corenet_tcp_sendrecv_lirc_port(lircd_t) - -dev_rw_generic_usb_dev(lircd_t) -dev_read_mouse(lircd_t) -dev_filetrans_lirc(lircd_t) -dev_rw_lirc(lircd_t) -dev_rw_input_dev(lircd_t) -dev_read_sysfs(lircd_t) - -files_read_config_files(lircd_t) -files_list_var(lircd_t) -files_manage_generic_locks(lircd_t) -files_read_all_locks(lircd_t) - -term_use_ptmx(lircd_t) - -logging_send_syslog_msg(lircd_t) - -miscfiles_read_localization(lircd_t) - -sysnet_dns_name_resolve(lircd_t) diff --git a/policy/modules/contrib/livecd.fc b/policy/modules/contrib/livecd.fc deleted file mode 100644 index 34937fcf..00000000 --- a/policy/modules/contrib/livecd.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff --git a/policy/modules/contrib/livecd.if b/policy/modules/contrib/livecd.if deleted file mode 100644 index e3541811..00000000 --- a/policy/modules/contrib/livecd.if +++ /dev/null @@ -1,102 +0,0 @@ -## <summary>Tool for building alternate livecd for different os and policy versions.</summary> - -######################################## -## <summary> -## Execute a domain transition to run livecd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`livecd_domtrans',` - gen_require(` - type livecd_t, livecd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, livecd_exec_t, livecd_t) -') - -######################################## -## <summary> -## Execute livecd in the livecd -## domain, and allow the specified -## role the livecd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`livecd_run',` - gen_require(` - attribute_role livecd_roles; - ') - - livecd_domtrans($1) - roleattribute $2 livecd_roles; -') - -######################################## -## <summary> -## Read livecd temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`livecd_read_tmp_files',` - gen_require(` - type livecd_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, livecd_tmp_t, livecd_tmp_t) -') - -######################################## -## <summary> -## Read and write livecd temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`livecd_rw_tmp_files',` - gen_require(` - type livecd_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t) -') - -######################################## -## <summary> -## Read and write livecd semaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`livecd_rw_semaphores',` - gen_require(` - type livecd_t; - ') - - allow $1 livecd_t:sem rw_sem_perms; -') diff --git a/policy/modules/contrib/livecd.te b/policy/modules/contrib/livecd.te deleted file mode 100644 index 33f64b5d..00000000 --- a/policy/modules/contrib/livecd.te +++ /dev/null @@ -1,48 +0,0 @@ -policy_module(livecd, 1.2.1) - -######################################## -# -# Declarations -# - -attribute_role livecd_roles; -roleattribute system_r livecd_roles; - -type livecd_t; -type livecd_exec_t; -application_domain(livecd_t, livecd_exec_t) -role livecd_roles types livecd_t; - -type livecd_tmp_t; -files_tmp_file(livecd_tmp_t) - -######################################## -# -# Local policy -# - -dontaudit livecd_t self:capability2 mac_admin; - -domain_ptrace_all_domains(livecd_t) - -manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file }) - -sysnet_manage_config(livecd_t) -sysnet_etc_filetrans_config(livecd_t) - -optional_policy(` - hal_dbus_chat(livecd_t) -') -optional_policy(` - mount_run(livecd_t, livecd_roles) -') - -optional_policy(` - rpm_domtrans(livecd_t) -') - -optional_policy(` - unconfined_domain_noaudit(livecd_t) -') diff --git a/policy/modules/contrib/lldpad.fc b/policy/modules/contrib/lldpad.fc deleted file mode 100644 index 8031a78e..00000000 --- a/policy/modules/contrib/lldpad.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0) - -/usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0) - -/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0) - -/var/run/lldpad.* gen_context(system_u:object_r:lldpad_var_run_t,s0) diff --git a/policy/modules/contrib/lldpad.if b/policy/modules/contrib/lldpad.if deleted file mode 100644 index d18c9602..00000000 --- a/policy/modules/contrib/lldpad.if +++ /dev/null @@ -1,58 +0,0 @@ -## <summary>Intel LLDP Agent.</summary> - -####################################### -## <summary> -## Send to lldpad with a unix dgram socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`lldpad_dgram_send',` - gen_require(` - type lldpad_t, lldpad_var_run_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, lldpad_var_run_t, lldpad_var_run_t, lldpad_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an lldpad environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`lldpad_admin',` - gen_require(` - type lldpad_t, lldpad_initrc_exec_t, lldpad_var_lib_t; - type lldpad_var_run_t; - ') - - allow $1 lldpad_t:process { ptrace signal_perms }; - ps_process_pattern($1, lldpad_t) - - init_labeled_script_domtrans($1, lldpad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 lldpad_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, lldpad_var_lib_t) - - files_search_pids($1) - admin_pattern($1, lldpad_var_run_t) -') diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te deleted file mode 100644 index 648def03..00000000 --- a/policy/modules/contrib/lldpad.te +++ /dev/null @@ -1,62 +0,0 @@ -policy_module(lldpad, 1.0.1) - -######################################## -# -# Declarations -# - -type lldpad_t; -type lldpad_exec_t; -init_daemon_domain(lldpad_t, lldpad_exec_t) - -type lldpad_initrc_exec_t; -init_script_file(lldpad_initrc_exec_t) - -type lldpad_tmpfs_t; -files_tmpfs_file(lldpad_tmpfs_t) - -type lldpad_var_lib_t; -files_type(lldpad_var_lib_t) - -type lldpad_var_run_t; -files_pid_file(lldpad_var_run_t) - -######################################## -# -# Local policy -# - -allow lldpad_t self:capability { net_admin net_raw }; -allow lldpad_t self:shm create_shm_perms; -allow lldpad_t self:fifo_file rw_fifo_file_perms; -allow lldpad_t self:unix_stream_socket { accept listen }; -allow lldpad_t self:netlink_route_socket create_netlink_socket_perms; -allow lldpad_t self:packet_socket create_socket_perms; -allow lldpad_t self:udp_socket create_socket_perms; - -manage_files_pattern(lldpad_t, lldpad_tmpfs_t, lldpad_tmpfs_t) -fs_tmpfs_filetrans(lldpad_t, lldpad_tmpfs_t, file) - -manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t) -manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t) - -manage_dirs_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t) -manage_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t) -manage_sock_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t) -files_pid_filetrans(lldpad_t, lldpad_var_run_t, { dir file sock_file }) - -kernel_read_all_sysctls(lldpad_t) -kernel_read_network_state(lldpad_t) -kernel_request_load_module(lldpad_t) - -dev_read_sysfs(lldpad_t) - -files_read_etc_files(lldpad_t) - -logging_send_syslog_msg(lldpad_t) - -miscfiles_read_localization(lldpad_t) - -optional_policy(` - fcoe_dgram_send_fcoemon(lldpad_t) -') diff --git a/policy/modules/contrib/loadkeys.fc b/policy/modules/contrib/loadkeys.fc deleted file mode 100644 index e50749fe..00000000 --- a/policy/modules/contrib/loadkeys.fc +++ /dev/null @@ -1,5 +0,0 @@ -/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) -/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) - -/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) -/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) diff --git a/policy/modules/contrib/loadkeys.if b/policy/modules/contrib/loadkeys.if deleted file mode 100644 index 101c925d..00000000 --- a/policy/modules/contrib/loadkeys.if +++ /dev/null @@ -1,67 +0,0 @@ -## <summary>Load keyboard mappings.</summary> - -######################################## -## <summary> -## Execute the loadkeys program in -## the loadkeys domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`loadkeys_domtrans',` - gen_require(` - type loadkeys_t, loadkeys_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) -') - -######################################## -## <summary> -## Execute the loadkeys program in -## the loadkeys domain, and allow the -## specified role the loadkeys domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`loadkeys_run',` - gen_require(` - attribute_role loadkeys_roles; - ') - - loadkeys_domtrans($1) - roleattribute $2 loadkeys_roles; -') - -######################################## -## <summary> -## Execute the loadkeys in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`loadkeys_exec',` - gen_require(` - type loadkeys_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, loadkeys_exec_t) -') diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te deleted file mode 100644 index 6cbb977f..00000000 --- a/policy/modules/contrib/loadkeys.te +++ /dev/null @@ -1,54 +0,0 @@ -policy_module(loadkeys, 1.8.1) - -######################################## -# -# Declarations -# - -attribute_role loadkeys_roles; - -type loadkeys_t; -type loadkeys_exec_t; -init_system_domain(loadkeys_t, loadkeys_exec_t) -role loadkeys_roles types loadkeys_t; - -######################################## -# -# Local policy -# - -allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config }; -allow loadkeys_t self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(loadkeys_t) - -corecmd_exec_bin(loadkeys_t) -corecmd_exec_shell(loadkeys_t) - -files_read_etc_files(loadkeys_t) -files_read_etc_runtime_files(loadkeys_t) - -term_dontaudit_use_console(loadkeys_t) -term_use_unallocated_ttys(loadkeys_t) - -init_dontaudit_use_fds(loadkeys_t) -init_dontaudit_use_script_ptys(loadkeys_t) - -locallogin_use_fds(loadkeys_t) - -miscfiles_read_localization(loadkeys_t) - -userdom_use_user_ttys(loadkeys_t) -userdom_list_user_home_content(loadkeys_t) - -ifdef(`hide_broken_symptoms',` - dev_dontaudit_rw_lvm_control(loadkeys_t) -') - -optional_policy(` - keyboardd_read_pipes(loadkeys_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(loadkeys_t) -') diff --git a/policy/modules/contrib/lockdev.fc b/policy/modules/contrib/lockdev.fc deleted file mode 100644 index 4fd0fda9..00000000 --- a/policy/modules/contrib/lockdev.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0) - -/var/lock/lockdev(/.*)? gen_context(system_u:object_r:lockdev_lock_t,s0) diff --git a/policy/modules/contrib/lockdev.if b/policy/modules/contrib/lockdev.if deleted file mode 100644 index 4313b8bc..00000000 --- a/policy/modules/contrib/lockdev.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>Library for locking devices.</summary> - -######################################## -## <summary> -## Role access for lockdev. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`lockdev_role',` - gen_require(` - attribute_role lockdev_roles; - type lockdev_t, lockdev_exec_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 lockdev_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, lockdev_exec_t, lockdev_t) - - allow $2 lockdev_t:process { ptrace signal_perms }; - ps_process_pattern($2, lockdev_t) - - allow lockdev_t $2:process signull; -') diff --git a/policy/modules/contrib/lockdev.te b/policy/modules/contrib/lockdev.te deleted file mode 100644 index db878313..00000000 --- a/policy/modules/contrib/lockdev.te +++ /dev/null @@ -1,39 +0,0 @@ -policy_module(lockdev, 1.4.1) - -######################################## -# -# Declarations -# - -attribute_role lockdev_roles; - -type lockdev_t; -type lockdev_exec_t; -typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t }; -typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t }; -userdom_user_application_domain(lockdev_t, lockdev_exec_t) -role lockdev_roles types lockdev_t; - -type lockdev_lock_t; -typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t }; -typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t }; -files_lock_file(lockdev_lock_t) -ubac_constrained(lockdev_lock_t) - -######################################## -# -# Local policy -# - -allow lockdev_t self:capability setgid; - -manage_files_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t) -files_lock_filetrans(lockdev_t, lockdev_lock_t, file) - -files_read_all_locks(lockdev_t) - -fs_getattr_xattr_fs(lockdev_t) - -logging_send_syslog_msg(lockdev_t) - -userdom_use_user_terminals(lockdev_t) diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc deleted file mode 100644 index a11d5be9..00000000 --- a/policy/modules/contrib/logrotate.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) - -/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) - -/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) -/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) diff --git a/policy/modules/contrib/logrotate.if b/policy/modules/contrib/logrotate.if deleted file mode 100644 index dd8e01af..00000000 --- a/policy/modules/contrib/logrotate.if +++ /dev/null @@ -1,122 +0,0 @@ -## <summary>Rotates, compresses, removes and mails system log files.</summary> - -######################################## -## <summary> -## Execute logrotate in the logrotate domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`logrotate_domtrans',` - gen_require(` - type logrotate_t, logrotate_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, logrotate_exec_t, logrotate_t) -') - -######################################## -## <summary> -## Execute logrotate in the logrotate -## domain, and allow the specified -## role the logrotate domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`logrotate_run',` - gen_require(` - attribute_role logrotate_roles; - ') - - logrotate_domtrans($1) - roleattribute $2 logrotate_roles; -') - -######################################## -## <summary> -## Execute logrotate in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`logrotate_exec',` - gen_require(` - type logrotate_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, logrotate_exec_t) -') - -######################################## -## <summary> -## Inherit and use logrotate file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`logrotate_use_fds',` - gen_require(` - type logrotate_t; - ') - - allow $1 logrotate_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to inherit -## logrotate file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`logrotate_dontaudit_use_fds',` - gen_require(` - type logrotate_t; - ') - - dontaudit $1 logrotate_t:fd use; -') - -######################################## -## <summary> -## Read logrotate temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`logrotate_read_tmp_files',` - gen_require(` - type logrotate_tmp_t; - ') - - files_search_tmp($1) - allow $1 logrotate_tmp_t:file read_file_perms; -') diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te deleted file mode 100644 index 7bab8e5b..00000000 --- a/policy/modules/contrib/logrotate.te +++ /dev/null @@ -1,253 +0,0 @@ -policy_module(logrotate, 1.14.5) - -######################################## -# -# Declarations -# - -attribute_role logrotate_roles; -roleattribute system_r logrotate_roles; - -type logrotate_t; -type logrotate_exec_t; -domain_type(logrotate_t) -domain_obj_id_change_exemption(logrotate_t) -domain_system_change_exemption(logrotate_t) -domain_entry_file(logrotate_t, logrotate_exec_t) -role logrotate_roles types logrotate_t; - -type logrotate_lock_t; -files_lock_file(logrotate_lock_t) - -type logrotate_tmp_t; -files_tmp_file(logrotate_tmp_t) - -type logrotate_var_lib_t; -files_type(logrotate_var_lib_t) - -mta_base_mail_template(logrotate) -role system_r types logrotate_mail_t; - -######################################## -# -# Local policy -# - -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; -allow logrotate_t self:fd use; -allow logrotate_t self:key manage_key_perms; -allow logrotate_t self:fifo_file rw_fifo_file_perms; -allow logrotate_t self:unix_dgram_socket sendto; -allow logrotate_t self:unix_stream_socket { accept connectto listen }; -allow logrotate_t self:shm create_shm_perms; -allow logrotate_t self:sem create_sem_perms; -allow logrotate_t self:msgq create_msgq_perms; -allow logrotate_t self:msg { send receive }; - -allow logrotate_t logrotate_lock_t:file manage_file_perms; -files_lock_filetrans(logrotate_t, logrotate_lock_t, file) - -manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) -manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) -files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) - -create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) -manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) -read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) -files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) - -can_exec(logrotate_t, logrotate_tmp_t) - -kernel_read_system_state(logrotate_t) -kernel_read_kernel_sysctls(logrotate_t) - -corecmd_exec_bin(logrotate_t) -corecmd_exec_shell(logrotate_t) -corecmd_getattr_all_executables(logrotate_t) - -dev_read_urand(logrotate_t) - -domain_signal_all_domains(logrotate_t) -domain_use_interactive_fds(logrotate_t) -domain_getattr_all_entry_files(logrotate_t) -domain_read_all_domains_state(logrotate_t) - -files_read_usr_files(logrotate_t) -files_read_etc_runtime_files(logrotate_t) -files_read_all_pids(logrotate_t) -files_search_all(logrotate_t) -files_read_var_lib_files(logrotate_t) -files_manage_generic_spool(logrotate_t) -files_manage_generic_spool_dirs(logrotate_t) -files_getattr_generic_locks(logrotate_t) -files_dontaudit_list_mnt(logrotate_t) - -fs_search_auto_mountpoints(logrotate_t) -fs_getattr_xattr_fs(logrotate_t) -fs_list_inotifyfs(logrotate_t) - -mls_file_read_all_levels(logrotate_t) -mls_file_write_all_levels(logrotate_t) -mls_file_upgrade(logrotate_t) -mls_process_write_to_clearance(logrotate_t) - -selinux_get_fs_mount(logrotate_t) -selinux_get_enforce_mode(logrotate_t) - -auth_manage_login_records(logrotate_t) -auth_use_nsswitch(logrotate_t) - -init_domtrans_script(logrotate_t) - -logging_manage_all_logs(logrotate_t) -logging_send_syslog_msg(logrotate_t) -logging_send_audit_msgs(logrotate_t) -logging_exec_all_logs(logrotate_t) - -miscfiles_read_localization(logrotate_t) - -seutil_dontaudit_read_config(logrotate_t) - -userdom_use_user_terminals(logrotate_t) -userdom_list_user_home_dirs(logrotate_t) -userdom_use_unpriv_users_fds(logrotate_t) - -mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) - -ifdef(`distro_debian',` - allow logrotate_t logrotate_tmp_t:file relabel_file_perms; - can_exec(logrotate_t, logrotate_exec_t) - - logging_check_exec_syslog(logrotate_t) - logging_read_syslog_config(logrotate_t) -') - -optional_policy(` - abrt_manage_cache(logrotate_t) -') - -optional_policy(` - acct_domtrans(logrotate_t) - acct_manage_data(logrotate_t) - acct_exec_data(logrotate_t) -') - -optional_policy(` - apache_read_config(logrotate_t) - apache_domtrans(logrotate_t) - apache_signull(logrotate_t) -') - -optional_policy(` - asterisk_domtrans(logrotate_t) -') - -optional_policy(` - awstats_domtrans(logrotate_t) -') - -optional_policy(` - bind_manage_cache(logrotate_t) -') - -optional_policy(` - callweaver_exec(logrotate_t) - callweaver_stream_connect(logrotate_t) -') - -optional_policy(` - consoletype_exec(logrotate_t) -') - -optional_policy(` - cron_system_entry(logrotate_t, logrotate_exec_t) - cron_search_spool(logrotate_t) -') - -optional_policy(` - cups_domtrans(logrotate_t) -') - -optional_policy(` - fail2ban_stream_connect(logrotate_t) -') - -optional_policy(` - hostname_exec(logrotate_t) -') - -optional_policy(` - chronyd_read_key_files(logrotate_t) -') - -optional_policy(` - icecast_signal(logrotate_t) -') - -optional_policy(` - mailman_domtrans(logrotate_t) - mailman_search_data(logrotate_t) - mailman_manage_log(logrotate_t) -') - -optional_policy(` - munin_read_config(logrotate_t) - munin_stream_connect(logrotate_t) - munin_search_lib(logrotate_t) -') - -optional_policy(` - mysql_read_config(logrotate_t) - mysql_stream_connect(logrotate_t) -') - -optional_policy(` - openvswitch_read_pid_files(logrotate_t) - openvswitch_domtrans(logrotate_t) -') - -optional_policy(` - polipo_log_filetrans_log(logrotate_t, file, "polipo") -') - -optional_policy(` - psad_domtrans(logrotate_t) -') - -optional_policy(` - samba_exec_log(logrotate_t) -') - -optional_policy(` - sssd_domtrans(logrotate_t) -') - -optional_policy(` - slrnpull_manage_spool(logrotate_t) -') - -optional_policy(` - squid_domtrans(logrotate_t) -') - -optional_policy(` - su_exec(logrotate_t) -') - -optional_policy(` - varnishd_manage_log(logrotate_t) -') - -####################################### -# -# Mail local policy -# - -allow logrotate_mail_t logrotate_t:fd use; -allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms; -allow logrotate_mail_t logrotate_t:process sigchld; - -manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) - -logging_read_all_logs(logrotate_mail_t) diff --git a/policy/modules/contrib/logsentry.te b/policy/modules/contrib/logsentry.te index 3cdfcbe9..5863369b 100644 --- a/policy/modules/contrib/logsentry.te +++ b/policy/modules/contrib/logsentry.te @@ -1,7 +1,7 @@ policy_module(logsentry, 0.2) ####################################### -# +# # Declarations # @@ -11,10 +11,10 @@ application_domain(logsentry_t, logsentry_exec_t) role system_r types logsentry_t; type logsentry_etc_t; -files_type(logsentry_etc_t); +files_type(logsentry_etc_t) type logsentry_tmp_t; -files_tmp_file(logsentry_tmp_t); +files_tmp_file(logsentry_tmp_t) type logsentry_filter_t; files_type(logsentry_filter_t) @@ -24,7 +24,7 @@ files_type(logsentry_filter_t) # Local Policy # -allow logsentry_t self:fifo_file { read write getattr ioctl }; +allow logsentry_t self:fifo_file rw_inherited_fifo_file_perms; allow logsentry_t self:capability { setuid setgid }; allow logsentry_t logsentry_exec_t:file execute_no_trans; diff --git a/policy/modules/contrib/logwatch.fc b/policy/modules/contrib/logwatch.fc deleted file mode 100644 index 935147d8..00000000 --- a/policy/modules/contrib/logwatch.fc +++ /dev/null @@ -1,14 +0,0 @@ -/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0) -/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0) -/usr/sbin/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t,s0) - -/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0) - -/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0) - -/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) -/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) - -/var/lock/logcheck.* gen_context(system_u:object_r:logwatch_lock_t,s0) - -/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/policy/modules/contrib/logwatch.if b/policy/modules/contrib/logwatch.if deleted file mode 100644 index 06c3d36c..00000000 --- a/policy/modules/contrib/logwatch.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>System log analyzer and reporter.</summary> - -######################################## -## <summary> -## Read logwatch temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`logwatch_read_tmp_files',` - gen_require(` - type logwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 logwatch_tmp_t:file read_file_perms; -') - -######################################## -## <summary> -## Search logwatch cache directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`logwatch_search_cache_dir',` - gen_require(` - type logwatch_cache_t; - ') - - files_search_var($1) - allow $1 logwatch_cache_t:dir search_dir_perms; -') diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te deleted file mode 100644 index 4256a4c8..00000000 --- a/policy/modules/contrib/logwatch.te +++ /dev/null @@ -1,169 +0,0 @@ -policy_module(logwatch, 1.11.6) - -################################# -# -# Declarations -# - -type logwatch_t; -type logwatch_exec_t; -init_system_domain(logwatch_t, logwatch_exec_t) - -type logwatch_cache_t; -files_type(logwatch_cache_t) - -type logwatch_lock_t; -files_lock_file(logwatch_lock_t) - -type logwatch_tmp_t; -files_tmp_file(logwatch_tmp_t) - -type logwatch_var_run_t; -files_pid_file(logwatch_var_run_t) - -mta_base_mail_template(logwatch) -role system_r types logwatch_mail_t; - -######################################## -# -# Local policy -# - -allow logwatch_t self:capability { dac_override dac_read_search setgid }; -allow logwatch_t self:process signal; -allow logwatch_t self:fifo_file rw_fifo_file_perms; -allow logwatch_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) -manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) - -allow logwatch_t logwatch_lock_t:file manage_file_perms; -files_lock_filetrans(logwatch_t, logwatch_lock_t, file) - -manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) - -allow logwatch_t logwatch_var_run_t:file manage_file_perms; -files_pid_filetrans(logwatch_t, logwatch_var_run_t, file) - -kernel_read_fs_sysctls(logwatch_t) -kernel_read_kernel_sysctls(logwatch_t) -kernel_read_system_state(logwatch_t) -kernel_read_net_sysctls(logwatch_t) -kernel_read_network_state(logwatch_t) - -corecmd_exec_bin(logwatch_t) -corecmd_exec_shell(logwatch_t) - -dev_read_urand(logwatch_t) -dev_read_sysfs(logwatch_t) - -domain_read_all_domains_state(logwatch_t) - -files_getattr_all_files(logwatch_t) -files_getattr_all_file_type_fs(logwatch_t) -files_list_var(logwatch_t) -files_search_all(logwatch_t) -files_read_var_symlinks(logwatch_t) -files_read_etc_runtime_files(logwatch_t) -files_read_usr_files(logwatch_t) - -fs_getattr_all_dirs(logwatch_t) -fs_getattr_all_fs(logwatch_t) -fs_dontaudit_list_auto_mountpoints(logwatch_t) -fs_list_inotifyfs(logwatch_t) - -storage_dontaudit_getattr_fixed_disk_dev(logwatch_t) - -mls_file_read_to_clearance(logwatch_t) - -term_dontaudit_getattr_pty_dirs(logwatch_t) -term_dontaudit_list_ptys(logwatch_t) - -auth_use_nsswitch(logwatch_t) -auth_dontaudit_read_shadow(logwatch_t) - -init_read_utmp(logwatch_t) -init_dontaudit_write_utmp(logwatch_t) - -libs_read_lib_files(logwatch_t) - -logging_read_all_logs(logwatch_t) -logging_send_syslog_msg(logwatch_t) - -miscfiles_read_localization(logwatch_t) - -selinux_dontaudit_getattr_dir(logwatch_t) - -sysnet_exec_ifconfig(logwatch_t) - -userdom_dontaudit_search_user_home_dirs(logwatch_t) - -mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) -mta_getattr_spool(logwatch_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(logwatch_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(logwatch_t) -') - -optional_policy(` - apache_read_log(logwatch_t) -') - -optional_policy(` - avahi_dontaudit_search_pid(logwatch_t) -') - -optional_policy(` - bind_read_config(logwatch_t) - bind_read_zone(logwatch_t) -') - -optional_policy(` - cron_system_entry(logwatch_t, logwatch_exec_t) -') - -optional_policy(` - hostname_exec(logwatch_t) -') - -optional_policy(` - ntp_domtrans(logwatch_t) -') - -optional_policy(` - rpc_search_nfs_state_data(logwatch_t) -') - -optional_policy(` - samba_read_log(logwatch_t) - samba_read_share_files(logwatch_t) -') - -######################################## -# -# Mail local policy -# - -allow logwatch_mail_t self:capability { dac_read_search dac_override }; - -allow logwatch_mail_t logwatch_t:fd use; -allow logwatch_mail_t logwatch_t:fifo_file rw_fifo_file_perms; -allow logwatch_mail_t logwatch_t:process sigchld; - -manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) - -dev_read_rand(logwatch_mail_t) -dev_read_urand(logwatch_mail_t) -dev_read_sysfs(logwatch_mail_t) - -logging_read_all_logs(logwatch_mail_t) - -optional_policy(` - cron_use_system_job_fds(logwatch_mail_t) -') diff --git a/policy/modules/contrib/lpd.fc b/policy/modules/contrib/lpd.fc deleted file mode 100644 index 2fb9b2ec..00000000 --- a/policy/modules/contrib/lpd.fc +++ /dev/null @@ -1,32 +0,0 @@ -/dev/printer -s gen_context(system_u:object_r:printer_t,s0) - -/opt/gutenprint/bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0) -/opt/gutenprint/sbin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0) - -/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) - -/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) -/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) -/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) - -/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) - -/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) - -/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) -/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) -/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) - -/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) - -/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh) diff --git a/policy/modules/contrib/lpd.if b/policy/modules/contrib/lpd.if deleted file mode 100644 index 62563717..00000000 --- a/policy/modules/contrib/lpd.if +++ /dev/null @@ -1,255 +0,0 @@ -## <summary>Line printer daemon.</summary> - -######################################## -## <summary> -## Role access for lpd. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`lpd_role',` - gen_require(` - attribute_role lpr_roles; - type lpr_t, lpr_exec_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 lpr_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, lpr_exec_t, lpr_t) - - allow $2 lpr_t:process { ptrace signal_perms }; - ps_process_pattern($2, lpr_t) - - dontaudit lpr_t $2:unix_stream_socket { read write }; - - optional_policy(` - cups_read_config($2) - ') -') - -######################################## -## <summary> -## Execute lpd in the lpd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`lpd_domtrans_checkpc',` - gen_require(` - type checkpc_t, checkpc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, checkpc_exec_t, checkpc_t) -') - -######################################## -## <summary> -## Execute amrecover in the lpd -## domain, and allow the specified -## role the lpd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`lpd_run_checkpc',` - gen_require(` - attribute_role checkpc_roles; - ') - - lpd_domtrans_checkpc($1) - roleattribute $2 checkpc_roles; -') - -######################################## -## <summary> -## List printer spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`lpd_list_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - allow $1 print_spool_t:dir list_dir_perms; -') - -######################################## -## <summary> -## Read printer spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`lpd_read_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, print_spool_t, print_spool_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## printer spool content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`lpd_manage_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, print_spool_t, print_spool_t) - manage_files_pattern($1, print_spool_t, print_spool_t) - manage_lnk_files_pattern($1, print_spool_t, print_spool_t) -') - -######################################## -## <summary> -## Relabel spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`lpd_relabel_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - allow $1 print_spool_t:file relabel_file_perms; -') - -######################################## -## <summary> -## Read printer configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`lpd_read_config',` - gen_require(` - type printconf_t; - ') - - allow $1 printconf_t:dir list_dir_perms; - read_files_pattern($1, printconf_t, printconf_t) -') - -######################################## -## <summary> -## Transition to a user lpr domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -template(`lpd_domtrans_lpr',` - gen_require(` - type lpr_t, lpr_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, lpr_exec_t, lpr_t) -') - -######################################## -## <summary> -## Execute lpr in the lpr domain, and -## allow the specified role the lpr domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`lpd_run_lpr',` - gen_require(` - attribute_role lpr_roles; - ') - - lpd_domtrans_lpr($1) - roleattribute $2 lpr_roles; -') - -######################################## -## <summary> -## Execute lpr in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`lpd_exec_lpr',` - gen_require(` - type lpr_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, lpr_exec_t) -') diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te deleted file mode 100644 index b9270f77..00000000 --- a/policy/modules/contrib/lpd.te +++ /dev/null @@ -1,302 +0,0 @@ -policy_module(lpd, 1.13.5) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether to support lpd server. -## </p> -## </desc> -gen_tunable(use_lpd_server, false) - -attribute_role checkpc_roles; -attribute_role lpr_roles; - -type checkpc_t; -type checkpc_exec_t; -init_system_domain(checkpc_t, checkpc_exec_t) -role checkpc_roles types checkpc_t; - -type checkpc_log_t; -logging_log_file(checkpc_log_t) - -type lpd_t; -type lpd_exec_t; -init_daemon_domain(lpd_t, lpd_exec_t) - -type lpd_tmp_t; -files_tmp_file(lpd_tmp_t) - -type lpd_var_run_t; -files_pid_file(lpd_var_run_t) - -type lpr_t; -type lpr_exec_t; -typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t }; -typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t }; -userdom_user_application_domain(lpr_t, lpr_exec_t) -role lpr_roles types lpr_t; - -type lpr_tmp_t; -typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t }; -typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t }; -userdom_user_tmp_file(lpr_tmp_t) - -type print_spool_t; -typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; -typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; -files_type(print_spool_t) -ubac_constrained(print_spool_t) - -type printer_t; -files_type(printer_t) - -type printconf_t; -files_config_file(printconf_t) - -######################################## -# -# Checkpc local policy -# - -allow checkpc_t self:capability { setgid setuid dac_override }; -allow checkpc_t self:process signal_perms; -allow checkpc_t self:unix_stream_socket create_socket_perms; -allow checkpc_t self:tcp_socket create_socket_perms; -allow checkpc_t self:udp_socket create_socket_perms; - -allow checkpc_t checkpc_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(checkpc_t, checkpc_log_t, file) - -allow checkpc_t lpd_var_run_t:dir search_dir_perms; - -rw_files_pattern(checkpc_t, print_spool_t, print_spool_t) -delete_files_pattern(checkpc_t, print_spool_t, print_spool_t) - -allow checkpc_t printconf_t:file getattr_file_perms; -allow checkpc_t printconf_t:dir list_dir_perms; - -kernel_read_system_state(checkpc_t) - -corenet_all_recvfrom_unlabeled(checkpc_t) -corenet_all_recvfrom_netlabel(checkpc_t) -corenet_tcp_sendrecv_generic_if(checkpc_t) -corenet_tcp_sendrecv_generic_node(checkpc_t) -corenet_tcp_sendrecv_all_ports(checkpc_t) - -corenet_sendrecv_all_client_packets(checkpc_t) -corenet_tcp_connect_all_ports(checkpc_t) - -corecmd_exec_shell(checkpc_t) -corecmd_exec_bin(checkpc_t) - -dev_append_printer(checkpc_t) - -domain_use_interactive_fds(checkpc_t) - -files_read_etc_files(checkpc_t) -files_read_etc_runtime_files(checkpc_t) -files_search_pids(checkpc_t) -files_search_spool(checkpc_t) - -init_use_script_ptys(checkpc_t) -init_use_fds(checkpc_t) - -sysnet_read_config(checkpc_t) - -userdom_use_user_terminals(checkpc_t) - -optional_policy(` - cron_system_entry(checkpc_t, checkpc_exec_t) -') - -optional_policy(` - logging_send_syslog_msg(checkpc_t) -') - -optional_policy(` - nis_use_ypbind(checkpc_t) -') - -######################################## -# -# Lpd local policy -# - -allow lpd_t self:capability { setgid setuid dac_read_search dac_override chown fowner }; -dontaudit lpd_t self:capability sys_tty_config; -allow lpd_t self:process signal_perms; -allow lpd_t self:fifo_file rw_fifo_file_perms; -allow lpd_t self:unix_stream_socket { accept listen }; -allow lpd_t self:tcp_socket create_stream_socket_perms; -allow lpd_t self:udp_socket create_stream_socket_perms; - -manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) -manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) -files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) - -manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file }) - -manage_files_pattern(lpd_t, print_spool_t, print_spool_t) - -allow lpd_t printconf_t:dir list_dir_perms; - -allow lpd_t printer_t:sock_file manage_sock_file_perms; -dev_filetrans(lpd_t, printer_t, sock_file) - -can_exec(lpd_t, printconf_t) - -kernel_read_kernel_sysctls(lpd_t) -kernel_read_system_state(lpd_t) - -corenet_all_recvfrom_unlabeled(lpd_t) -corenet_all_recvfrom_netlabel(lpd_t) -corenet_tcp_sendrecv_generic_if(lpd_t) -corenet_tcp_sendrecv_generic_node(lpd_t) -corenet_tcp_bind_generic_node(lpd_t) - -corenet_sendrecv_printer_server_packets(lpd_t) -corenet_tcp_bind_printer_port(lpd_t) -corenet_tcp_sendrecv_printer_port(lpd_t) - -corecmd_exec_bin(lpd_t) -corecmd_exec_shell(lpd_t) - -dev_read_sysfs(lpd_t) -dev_rw_printer(lpd_t) - -domain_use_interactive_fds(lpd_t) - -files_read_etc_runtime_files(lpd_t) -files_read_usr_files(lpd_t) -files_list_world_readable(lpd_t) -files_read_world_readable_files(lpd_t) -files_read_world_readable_symlinks(lpd_t) -files_list_var_lib(lpd_t) -files_read_var_lib_files(lpd_t) -files_read_var_lib_symlinks(lpd_t) -files_read_etc_files(lpd_t) -files_search_spool(lpd_t) - -fs_getattr_all_fs(lpd_t) -fs_search_auto_mountpoints(lpd_t) - -logging_send_syslog_msg(lpd_t) - -miscfiles_read_fonts(lpd_t) -miscfiles_read_localization(lpd_t) - -sysnet_read_config(lpd_t) - -userdom_dontaudit_use_unpriv_user_fds(lpd_t) -userdom_dontaudit_search_user_home_dirs(lpd_t) - -optional_policy(` - nis_use_ypbind(lpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(lpd_t) -') - -optional_policy(` - udev_read_db(lpd_t) -') - -############################## -# -# Lpr local policy -# - -allow lpr_t self:capability { setuid dac_override net_bind_service chown }; -allow lpr_t self:unix_stream_socket { accept listen }; - -allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; - -can_exec(lpr_t, lpr_exec_t) - -kernel_read_crypto_sysctls(lpr_t) -kernel_read_kernel_sysctls(lpr_t) - -corenet_all_recvfrom_unlabeled(lpr_t) -corenet_all_recvfrom_netlabel(lpr_t) -corenet_tcp_sendrecv_generic_if(lpr_t) -corenet_tcp_sendrecv_generic_node(lpr_t) -corenet_tcp_sendrecv_all_ports(lpr_t) - -corenet_sendrecv_all_client_packets(lpr_t) -corenet_tcp_connect_all_ports(lpr_t) - -dev_read_rand(lpr_t) -dev_read_urand(lpr_t) - -domain_use_interactive_fds(lpr_t) - -files_search_spool(lpr_t) -files_read_usr_files(lpr_t) -files_list_home(lpr_t) - -fs_getattr_all_fs(lpr_t) - -term_use_controlling_term(lpr_t) -term_use_generic_ptys(lpr_t) - -auth_use_nsswitch(lpr_t) - -logging_send_syslog_msg(lpr_t) - -miscfiles_read_fonts(lpr_t) -miscfiles_read_localization(lpr_t) - -userdom_read_user_tmp_symlinks(lpr_t) -userdom_use_user_terminals(lpr_t) -userdom_read_user_home_content_files(lpr_t) -userdom_read_user_tmp_files(lpr_t) - -tunable_policy(`use_lpd_server',` - allow lpr_t lpd_t:process signal; - - write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t) - files_read_var_files(lpr_t) - - stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t) - - manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) - manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) - files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir }) - - manage_files_pattern(lpr_t, print_spool_t, print_spool_t) - filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file) - - allow lpr_t printconf_t:dir list_dir_perms; - allow lpr_t printconf_t:file read_file_perms; - allow lpr_t printconf_t:lnk_file read_lnk_file_perms; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_list_auto_mountpoints(lpr_t) - fs_read_nfs_files(lpr_t) - fs_read_nfs_symlinks(lpr_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_auto_mountpoints(lpr_t) - fs_read_cifs_files(lpr_t) - fs_read_cifs_symlinks(lpr_t) -') - -optional_policy(` - cups_read_config(lpr_t) - cups_stream_connect(lpr_t) - cups_read_pid_files(lpr_t) -') - -optional_policy(` - gnome_stream_connect_all_gkeyringd(lpr_t) -') diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc deleted file mode 100644 index 7fa381b5..00000000 --- a/policy/modules/contrib/mailman.fc +++ /dev/null @@ -1,30 +0,0 @@ -/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) - -/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) - -/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) - -/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) -/var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0) - -/var/log/mailman.* gen_context(system_u:object_r:mailman_log_t,s0) - -/var/run/mailman.* gen_context(system_u:object_r:mailman_var_run_t,s0) - -/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) - -/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) - -/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) - -/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) diff --git a/policy/modules/contrib/mailman.if b/policy/modules/contrib/mailman.if deleted file mode 100644 index 108c0f1f..00000000 --- a/policy/modules/contrib/mailman.if +++ /dev/null @@ -1,343 +0,0 @@ -## <summary>Manage electronic mail discussion and e-newsletter lists.</summary> - -####################################### -## <summary> -## The template to define a mailman domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`mailman_domain_template',` - gen_require(` - attribute mailman_domain; - ') - - ######################################## - # - # Declarations - # - - type mailman_$1_t; - type mailman_$1_exec_t; - domain_type(mailman_$1_t) - domain_entry_file(mailman_$1_t, mailman_$1_exec_t) - role system_r types mailman_$1_t; - - type mailman_$1_tmp_t; - files_tmp_file(mailman_$1_tmp_t) - - #################################### - # - # Policy - # - - manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir }) - - auth_use_nsswitch(mailman_$1_t) -') - -####################################### -## <summary> -## Execute mailman in the mailman domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mailman_domtrans',` - gen_require(` - type mailman_mail_exec_t, mailman_mail_t; - ') - - libs_search_lib($1) - domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) -') - -######################################## -## <summary> -## Execute the mailman program in the -## mailman domain and allow the -## specified role the mailman domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mailman_run',` - gen_require(` - attribute_role mailman_roles; - ') - - mailman_domtrans($1) - roleattribute $2 mailman_roles; -') - -####################################### -## <summary> -## Execute mailman CGI scripts in the -## mailman CGI domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mailman_domtrans_cgi',` - gen_require(` - type mailman_cgi_exec_t, mailman_cgi_t; - ') - - libs_search_lib($1) - domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) -') - -####################################### -## <summary> -## Execute mailman in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowd access. -## </summary> -## </param> -# -interface(`mailman_exec',` - gen_require(` - type mailman_mail_exec_t; - ') - - libs_search_lib($1) - can_exec($1, mailman_mail_exec_t) -') - -####################################### -## <summary> -## Send generic signals to mailman cgi. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mailman_signal_cgi',` - gen_require(` - type mailman_cgi_t; - ') - - allow $1 mailman_cgi_t:process signal; -') - -####################################### -## <summary> -## Search mailman data directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mailman_search_data',` - gen_require(` - type mailman_data_t; - ') - - files_search_spool($1) - allow $1 mailman_data_t:dir search_dir_perms; -') - -####################################### -## <summary> -## Read mailman data content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mailman_read_data_files',` - gen_require(` - type mailman_data_t; - ') - - files_search_spool($1) - list_dirs_pattern($1, mailman_data_t, mailman_data_t) - read_files_pattern($1, mailman_data_t, mailman_data_t) - read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) -') - -####################################### -## <summary> -## Create, read, write, and delete -## mailman data files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mailman_manage_data_files',` - gen_require(` - type mailman_data_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mailman_data_t, mailman_data_t) - manage_files_pattern($1, mailman_data_t, mailman_data_t) -') - -####################################### -## <summary> -## List mailman data directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mailman_list_data',` - gen_require(` - type mailman_data_t; - ') - - files_search_spool($1) - allow $1 mailman_data_t:dir list_dir_perms; -') - -####################################### -## <summary> -## Read mailman data symbolic links. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mailman_read_data_symlinks',` - gen_require(` - type mailman_data_t; - ') - - read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) -') - -####################################### -## <summary> -## Read mailman log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mailman_read_log',` - gen_require(` - type mailman_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, mailman_log_t, mailman_log_t) -') - -####################################### -## <summary> -## Append mailman log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mailman_append_log',` - gen_require(` - type mailman_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, mailman_log_t, mailman_log_t) -') - -####################################### -## <summary> -## Create, read, write, and delete -## mailman log content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mailman_manage_log',` - gen_require(` - type mailman_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, mailman_log_t, mailman_log_t) - manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t) -') - -####################################### -## <summary> -## Read mailman archive content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mailman_read_archive',` - gen_require(` - type mailman_archive_t; - ') - - files_search_var_lib($1) - allow $1 mailman_archive_t:dir list_dir_perms; - read_files_pattern($1, mailman_archive_t, mailman_archive_t) - read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) -') - -####################################### -## <summary> -## Execute mailman_queue in the -## mailman_queue domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mailman_domtrans_queue',` - gen_require(` - type mailman_queue_exec_t, mailman_queue_t; - ') - - libs_search_lib($1) - domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) -') diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te deleted file mode 100644 index 8eaf51ba..00000000 --- a/policy/modules/contrib/mailman.te +++ /dev/null @@ -1,184 +0,0 @@ -policy_module(mailman, 1.9.4) - -######################################## -# -# Declarations -# - -attribute mailman_domain; - -attribute_role mailman_roles; - -mailman_domain_template(cgi) - -type mailman_data_t; -files_type(mailman_data_t) - -type mailman_archive_t; -files_type(mailman_archive_t) - -type mailman_log_t; -logging_log_file(mailman_log_t) - -type mailman_lock_t; -files_lock_file(mailman_lock_t) - -type mailman_var_run_t; -files_pid_file(mailman_var_run_t) - -mailman_domain_template(mail) -init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) -role mailman_roles types mailman_mail_t; - -mailman_domain_template(queue) - -######################################## -# -# Common local policy -# - -allow mailman_domain self:tcp_socket { accept listen }; - -manage_dirs_pattern(mailman_domain, mailman_archive_t, mailman_archive_t) -manage_files_pattern(mailman_domain, mailman_archive_t, mailman_archive_t) -manage_lnk_files_pattern(mailman_domain, mailman_archive_t, mailman_archive_t) - -manage_dirs_pattern(mailman_domain, mailman_data_t, mailman_data_t) -manage_files_pattern(mailman_domain, mailman_data_t, mailman_data_t) -manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t) - -manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t) -files_lock_filetrans(mailman_domain, mailman_lock_t, file) - -append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) -create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) -setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) -logging_log_filetrans(mailman_domain, mailman_log_t, file) - -kernel_read_kernel_sysctls(mailman_domain) -kernel_read_system_state(mailman_domain) - -corenet_all_recvfrom_unlabeled(mailman_domain) -corenet_all_recvfrom_netlabel(mailman_domain) -corenet_tcp_sendrecv_generic_if(mailman_domain) -corenet_tcp_sendrecv_generic_node(mailman_domain) - -corenet_sendrecv_smtp_client_packets(mailman_domain) -corenet_tcp_connect_smtp_port(mailman_domain) -corenet_tcp_sendrecv_smtp_port(mailman_domain) - -corecmd_exec_all_executables(mailman_domain) - -files_exec_etc_files(mailman_domain) -files_list_usr(mailman_domain) -files_list_var(mailman_domain) -files_list_var_lib(mailman_domain) -files_read_var_lib_symlinks(mailman_domain) -files_read_etc_runtime_files(mailman_domain) -files_search_spool(mailman_domain) - -fs_getattr_all_fs(mailman_domain) - -libs_exec_ld_so(mailman_domain) -libs_exec_lib_files(mailman_domain) - -logging_send_syslog_msg(mailman_domain) - -miscfiles_read_localization(mailman_domain) - -######################################## -# -# CGI local policy -# - -dev_read_urand(mailman_cgi_t) - -term_use_controlling_term(mailman_cgi_t) - -libs_dontaudit_write_lib_dirs(mailman_cgi_t) - -optional_policy(` - apache_sigchld(mailman_cgi_t) - apache_use_fds(mailman_cgi_t) - apache_dontaudit_append_log(mailman_cgi_t) - apache_search_sys_script_state(mailman_cgi_t) - apache_read_config(mailman_cgi_t) - apache_dontaudit_rw_stream_sockets(mailman_cgi_t) -') - -optional_policy(` - postfix_read_config(mailman_cgi_t) -') - -######################################## -# -# Mail local policy -# - -allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; -allow mailman_mail_t self:process { signal signull }; - -manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) - -corenet_sendrecv_innd_client_packets(mailman_mail_t) -corenet_tcp_connect_innd_port(mailman_mail_t) -corenet_tcp_sendrecv_innd_port(mailman_mail_t) - -corenet_sendrecv_spamd_client_packets(mailman_mail_t) -corenet_tcp_connect_spamd_port(mailman_mail_t) -corenet_tcp_sendrecv_spamd_port(mailman_mail_t) - -dev_read_urand(mailman_mail_t) - -fs_rw_anon_inodefs_files(mailman_mail_t) - -mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) -mta_dontaudit_rw_queue(mailman_mail_t) - -optional_policy(` - courier_read_spool(mailman_mail_t) -') - -optional_policy(` - cron_read_pipes(mailman_mail_t) -') - -optional_policy(` - postfix_search_spool(mailman_mail_t) - postfix_rw_inherited_master_pipes(mailman_mail_t) -') - -######################################## -# -# Queue local policy -# - -allow mailman_queue_t self:capability { setgid setuid }; -allow mailman_queue_t self:process { setsched signal_perms }; -allow mailman_queue_t self:fifo_file rw_fifo_file_perms; - -corenet_sendrecv_innd_client_packets(mailman_queue_t) -corenet_tcp_connect_innd_port(mailman_queue_t) -corenet_tcp_sendrecv_innd_port(mailman_queue_t) - -auth_domtrans_chk_passwd(mailman_queue_t) - -files_dontaudit_search_pids(mailman_queue_t) - -seutil_dontaudit_search_config(mailman_queue_t) - -userdom_search_user_home_dirs(mailman_queue_t) - -optional_policy(` - apache_read_config(mailman_queue_t) -') - -optional_policy(` - cron_system_entry(mailman_queue_t, mailman_queue_exec_t) -') - -optional_policy(` - su_exec(mailman_queue_t) -') diff --git a/policy/modules/contrib/mailscanner.fc b/policy/modules/contrib/mailscanner.fc deleted file mode 100644 index 3698276b..00000000 --- a/policy/modules/contrib/mailscanner.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/MailScanner(/.*)? gen_context(system_u:object_r:mscan_etc_t,s0) - -/etc/rc\.d/init\.d/MailScanner -- gen_context(system_u:object_r:mscan_initrc_exec_t,s0) - -/etc/sysconfig/MailScanner -- gen_context(system_u:object_r:mscan_etc_t,s0) - -/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0) - -/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0) - -/var/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0) - -/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mscan_spool_t,s0) diff --git a/policy/modules/contrib/mailscanner.if b/policy/modules/contrib/mailscanner.if deleted file mode 100644 index 0293f343..00000000 --- a/policy/modules/contrib/mailscanner.if +++ /dev/null @@ -1,63 +0,0 @@ -## <summary>E-mail security and anti-spam package for e-mail gateway systems.</summary> - -######################################## -## <summary> -## Create, read, write, and delete -## mscan spool content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mscan_manage_spool_content',` - gen_require(` - type mscan_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t) - manage_files_pattern($1, mscan_spool_t, mscan_spool_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an mscan environment -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mscan_admin',` - gen_require(` - type mscan_t, mscan_etc_t, mscan_initrc_exec_t; - type mscan_var_run_t, mscan_spool_t; - ') - - allow $1 mscan_t:process { ptrace signal_perms }; - ps_process_pattern($1, mscan_t) - - init_labeled_script_domtrans($1, mscan_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mscan_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, mscan_etc_t) - - files_search_pids($1 - admin_pattern($1, mscan_var_run_t) - - files_search_spool($1) - admin_pattern($1, mscan_spool_t) -') diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te deleted file mode 100644 index 725ba32f..00000000 --- a/policy/modules/contrib/mailscanner.te +++ /dev/null @@ -1,101 +0,0 @@ -policy_module(mailscanner, 1.0.2) - -######################################## -# -# Declarations -# - -type mscan_t; -type mscan_exec_t; -init_daemon_domain(mscan_t, mscan_exec_t) - -type mscan_initrc_exec_t; -init_script_file(mscan_initrc_exec_t) - -type mscan_etc_t; -files_config_file(mscan_etc_t) - -type mscan_spool_t; -files_type(mscan_spool_t) - -type mscan_tmp_t; -files_tmp_file(mscan_tmp_t) - -type mscan_var_run_t; -files_pid_file(mscan_var_run_t) - -######################################## -# -# Local policy -# - -allow mscan_t self:capability { setuid chown setgid dac_override }; -allow mscan_t self:process signal; -allow mscan_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) - -manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) -files_pid_filetrans(mscan_t, mscan_var_run_t, file) - -manage_dirs_pattern(mscan_t, mscan_spool_t, mscan_spool_t) -manage_files_pattern(mscan_t, mscan_spool_t, mscan_spool_t) -files_spool_filetrans(mscan_t, mscan_spool_t, dir) - -manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t) -manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t) -files_tmp_filetrans(mscan_t, mscan_tmp_t, { dir file }) - -can_exec(mscan_t, mscan_exec_t) - -kernel_read_system_state(mscan_t) - -corecmd_exec_bin(mscan_t) -corecmd_exec_shell(mscan_t) - -corenet_all_recvfrom_netlabel(mscan_t) -corenet_all_recvfrom_unlabeled(mscan_t) -corenet_tcp_bind_generic_node(mscan_t) -corenet_udp_bind_generic_node(mscan_t) -corenet_tcp_sendrecv_generic_if(mscan_t) -corenet_udp_sendrecv_generic_if(mscan_t) -corenet_tcp_sendrecv_generic_node(mscan_t) -corenet_udp_sendrecv_generic_node(mscan_t) - -corenet_sendrecv_trisoap_client_packets(mscan_t) -corenet_tcp_connect_trisoap_port(mscan_t) -corenet_tcp_sendrecv_trisoap_port(mscan_t) - -corenet_sendrecv_generic_server_packets(mscan_t) -corenet_udp_bind_generic_port(mscan_t) -corenet_udp_sendrecv_all_ports(mscan_t) - -dev_read_urand(mscan_t) - -files_read_usr_files(mscan_t) - -fs_getattr_xattr_fs(mscan_t) - -auth_dontaudit_read_shadow(mscan_t) -auth_use_nsswitch(mscan_t) - -logging_send_syslog_msg(mscan_t) - -miscfiles_read_localization(mscan_t) - -optional_policy(` - clamav_domtrans_clamscan(mscan_t) -') - -optional_policy(` - mta_send_mail(mscan_t) - mta_manage_queue(mscan_t) -') - -optional_policy(` - procmail_domtrans(mscan_t) -') - -optional_policy(` - spamassassin_read_lib_files(mscan_t) -') diff --git a/policy/modules/contrib/man2html.fc b/policy/modules/contrib/man2html.fc deleted file mode 100644 index 82f62555..00000000 --- a/policy/modules/contrib/man2html.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) -/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) -/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) - -/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0) diff --git a/policy/modules/contrib/man2html.if b/policy/modules/contrib/man2html.if deleted file mode 100644 index 54ec04d3..00000000 --- a/policy/modules/contrib/man2html.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>A Unix manpage-to-HTML converter.</summary> diff --git a/policy/modules/contrib/man2html.te b/policy/modules/contrib/man2html.te deleted file mode 100644 index e08c55d4..00000000 --- a/policy/modules/contrib/man2html.te +++ /dev/null @@ -1,26 +0,0 @@ -policy_module(man2html, 1.0.0) - -######################################## -# -# Declarations -# - -apache_content_template(man2html) - -type httpd_man2html_script_cache_t; -files_type(httpd_man2html_script_cache_t) - -######################################## -# -# Local policy -# - -manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir) - -files_read_etc_files(httpd_man2html_script_t) - -miscfiles_read_localization(httpd_man2html_script_t) -miscfiles_read_man_pages(httpd_man2html_script_t) diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc deleted file mode 100644 index 2de0f649..00000000 --- a/policy/modules/contrib/mandb.fc +++ /dev/null @@ -1 +0,0 @@ -/etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) diff --git a/policy/modules/contrib/mandb.if b/policy/modules/contrib/mandb.if deleted file mode 100644 index 327f3f72..00000000 --- a/policy/modules/contrib/mandb.if +++ /dev/null @@ -1,135 +0,0 @@ -## <summary>On-line manual database.</summary> - -######################################## -## <summary> -## Execute the mandb program in -## the mandb domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mandb_domtrans',` - gen_require(` - type mandb_t, mandb_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mandb_exec_t, mandb_t) -') - -######################################## -## <summary> -## Execute mandb in the mandb -## domain, and allow the specified -## role the mandb domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`mandb_run',` - gen_require(` - attribute_role mandb_roles; - ') - - lightsquid_domtrans($1) - roleattribute $2 mandb_roles; -') - -######################################## -## <summary> -## Search mandb cache directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mandb_search_cache',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Delete mandb cache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mandb_delete_cache_content',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Read mandb cache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mandb_read_cache_content',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Create, read, write, and delete -## mandb cache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mandb_manage_cache_content',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an mandb environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mandb_admin',` - gen_require(` - type mandb_t, mandb_cache_t; - ') - - allow $1 mandb_t:process { ptrace signal_perms }; - ps_process_pattern($1, mandb_t) - - mandb_run($1, $2) - - # pending - # miscfiles_manage_man_cache_content(mandb_t) -') diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te deleted file mode 100644 index 5a414e08..00000000 --- a/policy/modules/contrib/mandb.te +++ /dev/null @@ -1,37 +0,0 @@ -policy_module(mandb, 1.0.3) - -######################################## -# -# Declarations -# - -attribute_role mandb_roles; -roleattribute system_r mandb_roles; - -type mandb_t; -type mandb_exec_t; -application_domain(mandb_t, mandb_exec_t) -role mandb_roles types mandb_t; - -######################################## -# -# Local policy -# - -allow mandb_t self:process signal; -allow mandb_t self:fifo_file rw_fifo_file_perms; -allow mandb_t self:unix_stream_socket create_stream_socket_perms; - -kernel_read_system_state(mandb_t) - -corecmd_exec_bin(mandb_t) - -domain_use_interactive_fds(mandb_t) - -files_read_etc_files(mandb_t) - -miscfiles_manage_man_cache(mandb_t) - -optional_policy(` - cron_system_entry(mandb_t, mandb_exec_t) -') diff --git a/policy/modules/contrib/mcelog.fc b/policy/modules/contrib/mcelog.fc deleted file mode 100644 index c16f5928..00000000 --- a/policy/modules/contrib/mcelog.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0) - -/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0) - -/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) - -/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0) - -/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0) diff --git a/policy/modules/contrib/mcelog.if b/policy/modules/contrib/mcelog.if deleted file mode 100644 index f89651e7..00000000 --- a/policy/modules/contrib/mcelog.if +++ /dev/null @@ -1,61 +0,0 @@ -## <summary>Linux hardware error daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to run mcelog. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mcelog_domtrans',` - gen_require(` - type mcelog_t, mcelog_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mcelog_exec_t, mcelog_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an mcelog environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mcelog_admin',` - gen_require(` - type mcelog_t, mcelog_initrc_exec_t, mcelog_log_t; - type mcelog_var_run_t, mcelog_etc_t; - ') - - allow $1 mcelog_t:process { ptrace signal_perms }; - ps_process_pattern($1, mcelog_t) - - init_labeled_script_domtrans($1, mcelog_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mcelog_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, mcelog_etc_t) - - logging_search_logs($1) - admin_pattern($1, mcelog_log_t) - - files_search_pids($1) - admin_pattern($1, mcelog_var_run_t) -') diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te deleted file mode 100644 index 13ea191f..00000000 --- a/policy/modules/contrib/mcelog.te +++ /dev/null @@ -1,123 +0,0 @@ -policy_module(mcelog, 1.1.3) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether mcelog supports -## client mode. -## </p> -## </desc> -gen_tunable(mcelog_client, false) - -## <desc> -## <p> -## Determine whether mcelog can execute scripts. -## </p> -## </desc> -gen_tunable(mcelog_exec_scripts, true) - -## <desc> -## <p> -## Determine whether mcelog can use all -## the user ttys. -## </p> -## </desc> -gen_tunable(mcelog_foreground, false) - -## <desc> -## <p> -## Determine whether mcelog supports -## server mode. -## </p> -## </desc> -gen_tunable(mcelog_server, false) - -## <desc> -## <p> -## Determine whether mcelog can use syslog. -## </p> -## </desc> -gen_tunable(mcelog_syslog, false) - -type mcelog_t; -type mcelog_exec_t; -init_daemon_domain(mcelog_t, mcelog_exec_t) -application_executable_file(mcelog_exec_t) - -type mcelog_initrc_exec_t; -init_script_file(mcelog_initrc_exec_t) - -type mcelog_etc_t; -files_config_file(mcelog_etc_t) - -type mcelog_log_t; -logging_log_file(mcelog_log_t) - -type mcelog_var_run_t; -files_pid_file(mcelog_var_run_t) - -######################################## -# -# Local policy -# - -allow mcelog_t self:capability sys_admin; -allow mcelog_t self:unix_stream_socket connected_socket_perms; - -allow mcelog_t mcelog_etc_t:dir list_dir_perms; -read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) - -manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) -append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) -create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) -setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) -logging_log_filetrans(mcelog_t, mcelog_log_t, { dir file }) - -manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) -manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) -manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) -files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) - -kernel_read_system_state(mcelog_t) - -dev_read_raw_memory(mcelog_t) -dev_read_kmsg(mcelog_t) -dev_rw_sysfs(mcelog_t) - -files_read_etc_files(mcelog_t) - -mls_file_read_all_levels(mcelog_t) - -locallogin_use_fds(mcelog_t) - -miscfiles_read_localization(mcelog_t) - -tunable_policy(`mcelog_client',` - allow mcelog_t self:unix_stream_socket connectto; -') - -tunable_policy(`mcelog_exec_scripts',` - allow mcelog_t self:fifo_file rw_fifo_file_perms; - corecmd_exec_bin(mcelog_t) - corecmd_exec_shell(mcelog_t) -') - -tunable_policy(`mcelog_foreground',` - userdom_use_user_terminals(mcelog_t) -') - -tunable_policy(`mcelog_server',` - allow mcelog_t self:unix_stream_socket { listen accept }; -') - -tunable_policy(`mcelog_syslog',` - logging_send_syslog_msg(mcelog_t) -') - -optional_policy(` - cron_system_entry(mcelog_t, mcelog_exec_t) -') diff --git a/policy/modules/contrib/mediawiki.fc b/policy/modules/contrib/mediawiki.fc deleted file mode 100644 index 99f7c418..00000000 --- a/policy/modules/contrib/mediawiki.fc +++ /dev/null @@ -1,8 +0,0 @@ -/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) -/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) -/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) - -/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) - -/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0) -/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) diff --git a/policy/modules/contrib/mediawiki.if b/policy/modules/contrib/mediawiki.if deleted file mode 100644 index 9771b4ba..00000000 --- a/policy/modules/contrib/mediawiki.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>Open source wiki package written in PHP.</summary> diff --git a/policy/modules/contrib/mediawiki.te b/policy/modules/contrib/mediawiki.te deleted file mode 100644 index c528b9fa..00000000 --- a/policy/modules/contrib/mediawiki.te +++ /dev/null @@ -1,17 +0,0 @@ -policy_module(mediawiki, 1.0.0) - -######################################## -# -# Declarations -# - -apache_content_template(mediawiki) - -######################################## -# -# Local policy -# - -files_search_var_lib(httpd_mediawiki_script_t) - -miscfiles_read_tetex_data(httpd_mediawiki_script_t) diff --git a/policy/modules/contrib/memcached.fc b/policy/modules/contrib/memcached.fc deleted file mode 100644 index 51497bec..00000000 --- a/policy/modules/contrib/memcached.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0) - -/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) - -/var/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) -/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if deleted file mode 100644 index 1d4eb19b..00000000 --- a/policy/modules/contrib/memcached.if +++ /dev/null @@ -1,134 +0,0 @@ -## <summary>High-performance memory object caching system.</summary> - -######################################## -## <summary> -## Execute a domain transition to run memcached. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`memcached_domtrans',` - gen_require(` - type memcached_t,memcached_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, memcached_exec_t, memcached_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## memcached pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`memcached_manage_pid_files',` - gen_require(` - type memcached_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t) -') - -######################################## -## <summary> -## Read memcached pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`memcached_read_pid_files',` - gen_require(` - type memcached_var_run_t; - ') - - files_search_pids($1) - allow $1 memcached_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Connect to memcached using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`memcached_stream_connect',` - gen_require(` - type memcached_t, memcached_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t) -') - -######################################## -## <summary> -## Connect to memcache over the network. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`memcached_tcp_connect',` - gen_require(` - type memcached_t; - ') - - corenet_sendrecv_memcache_client_packets($1) - corenet_tcp_connect_memcache_port($1) - corenet_tcp_recvfrom_labeled($1, memcached_t) - corenet_tcp_sendrecv_memcache_port($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an memcached environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`memcached_admin',` - gen_require(` - type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; - ') - - allow $1 memcached_t:process { ptrace signal_perms }; - ps_process_pattern($1, memcached_t) - - init_labeled_script_domtrans($1, memcached_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 memcached_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, memcached_var_run_t) -') diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te deleted file mode 100644 index 49262089..00000000 --- a/policy/modules/contrib/memcached.te +++ /dev/null @@ -1,60 +0,0 @@ -policy_module(memcached, 1.2.3) - -######################################## -# -# Declarations -# - -type memcached_t; -type memcached_exec_t; -init_daemon_domain(memcached_t, memcached_exec_t) - -type memcached_initrc_exec_t; -init_script_file(memcached_initrc_exec_t) - -type memcached_var_run_t; -files_pid_file(memcached_var_run_t) - -######################################## -# -# Local policy -# - -allow memcached_t self:capability { setuid setgid }; -dontaudit memcached_t self:capability sys_tty_config; -allow memcached_t self:process { setrlimit signal_perms }; -allow memcached_t self:tcp_socket { accept listen }; -allow memcached_t self:udp_socket { accept listen }; -allow memcached_t self:fifo_file rw_fifo_file_perms; -allow memcached_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) -manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) -manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) -files_pid_filetrans(memcached_t, memcached_var_run_t, dir) - -kernel_read_kernel_sysctls(memcached_t) -kernel_read_system_state(memcached_t) - -corenet_all_recvfrom_unlabeled(memcached_t) -corenet_all_recvfrom_netlabel(memcached_t) -corenet_tcp_sendrecv_generic_if(memcached_t) -corenet_udp_sendrecv_generic_if(memcached_t) -corenet_tcp_sendrecv_generic_node(memcached_t) -corenet_udp_sendrecv_generic_node(memcached_t) -corenet_tcp_bind_generic_node(memcached_t) -corenet_udp_bind_generic_node(memcached_t) - -corenet_sendrecv_memcache_server_packets(memcached_t) -corenet_tcp_bind_memcache_port(memcached_t) -corenet_tcp_sendrecv_all_ports(memcached_t) -corenet_udp_bind_memcache_port(memcached_t) -corenet_udp_sendrecv_all_ports(memcached_t) - -term_dontaudit_use_all_ptys(memcached_t) -term_dontaudit_use_all_ttys(memcached_t) -term_dontaudit_use_console(memcached_t) - -auth_use_nsswitch(memcached_t) - -miscfiles_read_localization(memcached_t) diff --git a/policy/modules/contrib/metadata.xml b/policy/modules/contrib/metadata.xml index 71d9e256..4e10f228 100644 --- a/policy/modules/contrib/metadata.xml +++ b/policy/modules/contrib/metadata.xml @@ -1 +1 @@ -<summary>Contributed Reference Policy modules.</summary> +<summary>Gentoo-specific policy modules</summary> diff --git a/policy/modules/contrib/milter.fc b/policy/modules/contrib/milter.fc deleted file mode 100644 index 89409ebb..00000000 --- a/policy/modules/contrib/milter.fc +++ /dev/null @@ -1,18 +0,0 @@ -/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) -/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) - -/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) - -/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) -/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) -/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) - -/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) -/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) diff --git a/policy/modules/contrib/milter.if b/policy/modules/contrib/milter.if deleted file mode 100644 index cba62db1..00000000 --- a/policy/modules/contrib/milter.if +++ /dev/null @@ -1,99 +0,0 @@ -## <summary>Milter mail filters.</summary> - -####################################### -## <summary> -## The template to define a milter domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`milter_template',` - gen_require(` - attribute milter_data_type, milter_domains; - ') - - ######################################## - # - # Declarations - # - - type $1_milter_t, milter_domains; - type $1_milter_exec_t; - init_daemon_domain($1_milter_t, $1_milter_exec_t) - - type $1_milter_data_t, milter_data_type; - files_pid_file($1_milter_data_t) - - ######################################## - # - # Policy - # - - manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - - auth_use_nsswitch($1_milter_t) -') - -######################################## -## <summary> -## connect to all milter domains using -## a unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`milter_stream_connect_all',` - gen_require(` - attribute milter_data_type, milter_domains; - ') - - files_search_pids($1) - stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) -') - -######################################## -## <summary> -## Get attributes of all milter sock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`milter_getattr_all_sockets',` - gen_require(` - attribute milter_data_type; - ') - - getattr_sock_files_pattern($1, milter_data_type, milter_data_type) -') - -######################################## -## <summary> -## Create, read, write, and delete -## spamassissin milter data content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`milter_manage_spamass_state',` - gen_require(` - type spamass_milter_state_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) -') diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te deleted file mode 100644 index 92508b24..00000000 --- a/policy/modules/contrib/milter.te +++ /dev/null @@ -1,108 +0,0 @@ -policy_module(milter, 1.4.2) - -######################################## -# -# Declarations -# - -attribute milter_domains; -attribute milter_data_type; - -milter_template(greylist) -milter_template(regex) -milter_template(spamass) - -type spamass_milter_state_t; -files_type(spamass_milter_state_t) - -####################################### -# -# Common local policy -# - -allow milter_domains self:fifo_file rw_fifo_file_perms; -allow milter_domains self:tcp_socket { accept listen }; - -kernel_dontaudit_read_system_state(milter_domains) - -corenet_all_recvfrom_unlabeled(milter_domains) -corenet_all_recvfrom_netlabel(milter_domains) -corenet_tcp_sendrecv_generic_if(milter_domains) -corenet_tcp_sendrecv_generic_node(milter_domains) -corenet_tcp_bind_generic_node(milter_domains) - -corenet_tcp_bind_milter_port(milter_domains) -corenet_tcp_sendrecv_all_ports(milter_domains) - -miscfiles_read_localization(milter_domains) - -logging_send_syslog_msg(milter_domains) - -######################################## -# -# greylist local policy -# - -allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; -allow greylist_milter_t self:process { setsched getsched }; - -files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) - -kernel_read_kernel_sysctls(greylist_milter_t) - -corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t) -corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) -corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t) -corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) -corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t) - -corenet_sendrecv_kismet_server_packets(greylist_milter_t) -corenet_tcp_bind_kismet_port(greylist_milter_t) -corenet_tcp_sendrecv_kismet_port(greylist_milter_t) - -corecmd_exec_bin(greylist_milter_t) -corecmd_exec_shell(greylist_milter_t) - -dev_read_rand(greylist_milter_t) -dev_read_urand(greylist_milter_t) - -files_read_usr_files(greylist_milter_t) -files_search_var_lib(greylist_milter_t) - -mta_read_config(greylist_milter_t) - -miscfiles_read_localization(greylist_milter_t) - -optional_policy(` - mysql_stream_connect(greylist_milter_t) -') - -######################################## -# -# regex local policy -# - -allow regex_milter_t self:capability { setuid setgid dac_override }; - -files_search_spool(regex_milter_t) - -mta_read_config(regex_milter_t) - -######################################## -# -# spamass local policy -# - -allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; - -kernel_read_system_state(spamass_milter_t) - -corecmd_exec_shell(spamass_milter_t) - -files_search_var_lib(spamass_milter_t) - -mta_send_mail(spamass_milter_t) - -optional_policy(` - spamassassin_domtrans_client(spamass_milter_t) -') diff --git a/policy/modules/contrib/modemmanager.fc b/policy/modules/contrib/modemmanager.fc deleted file mode 100644 index a83894c6..00000000 --- a/policy/modules/contrib/modemmanager.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0) diff --git a/policy/modules/contrib/modemmanager.if b/policy/modules/contrib/modemmanager.if deleted file mode 100644 index b1ac8b5d..00000000 --- a/policy/modules/contrib/modemmanager.if +++ /dev/null @@ -1,41 +0,0 @@ -## <summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary> - -######################################## -## <summary> -## Execute a domain transition to run modemmanager. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`modemmanager_domtrans',` - gen_require(` - type modemmanager_t, modemmanager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, modemmanager_exec_t, modemmanager_t) -') - -######################################## -## <summary> -## Send and receive messages from -## modemmanager over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`modemmanager_dbus_chat',` - gen_require(` - type modemmanager_t; - class dbus send_msg; - ') - - allow $1 modemmanager_t:dbus send_msg; - allow modemmanager_t $1:dbus send_msg; -') diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te deleted file mode 100644 index cb4c13d0..00000000 --- a/policy/modules/contrib/modemmanager.te +++ /dev/null @@ -1,57 +0,0 @@ -policy_module(modemmanager, 1.1.1) - -######################################## -# -# Declarations -# - -type modemmanager_t; -type modemmanager_exec_t; -init_daemon_domain(modemmanager_t, modemmanager_exec_t) -typealias modemmanager_t alias ModemManager_t; -typealias modemmanager_exec_t alias ModemManager_exec_t; - -######################################## -# -# Local policy -# - -allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; -allow modemmanager_t self:process { getsched signal }; -allow modemmanager_t self:fifo_file rw_fifo_file_perms; -allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; -allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; - -kernel_read_system_state(modemmanager_t) - -dev_read_sysfs(modemmanager_t) -dev_rw_modem(modemmanager_t) - -files_read_etc_files(modemmanager_t) - -term_use_generic_ptys(modemmanager_t) -term_use_unallocated_ttys(modemmanager_t) - -miscfiles_read_localization(modemmanager_t) - -logging_send_syslog_msg(modemmanager_t) - -optional_policy(` - dbus_system_domain(modemmanager_t, modemmanager_exec_t) - - optional_policy(` - devicekit_dbus_chat_power(modemmanager_t) - ') - - optional_policy(` - networkmanager_dbus_chat(modemmanager_t) - ') - - optional_policy(` - policykit_dbus_chat(modemmanager_t) - ') -') - -optional_policy(` - udev_read_db(modemmanager_t) -') diff --git a/policy/modules/contrib/mojomojo.fc b/policy/modules/contrib/mojomojo.fc deleted file mode 100644 index 7b827ca7..00000000 --- a/policy/modules/contrib/mojomojo.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0) - -/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0) - -/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) diff --git a/policy/modules/contrib/mojomojo.if b/policy/modules/contrib/mojomojo.if deleted file mode 100644 index 73952f4c..00000000 --- a/policy/modules/contrib/mojomojo.if +++ /dev/null @@ -1,23 +0,0 @@ -## <summary>MojoMojo Wiki.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an mojomojo environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mojomojo_admin',` - refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.') - apache_admin($1, $2) -') diff --git a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te deleted file mode 100644 index 7e534cfc..00000000 --- a/policy/modules/contrib/mojomojo.te +++ /dev/null @@ -1,25 +0,0 @@ -policy_module(mojomojo, 1.0.1) - -######################################## -# -# Declarations -# - -apache_content_template(mojomojo) - -######################################## -# -# Local policy -# - -allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; - -corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) -corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) -corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) - -files_search_var_lib(httpd_mojomojo_script_t) - -sysnet_dns_name_resolve(httpd_mojomojo_script_t) - -mta_send_mail(httpd_mojomojo_script_t) diff --git a/policy/modules/contrib/mongodb.fc b/policy/modules/contrib/mongodb.fc deleted file mode 100644 index 6fcfc31b..00000000 --- a/policy/modules/contrib/mongodb.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) - -/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) - -/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0) - -/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0) - -/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) diff --git a/policy/modules/contrib/mongodb.if b/policy/modules/contrib/mongodb.if deleted file mode 100644 index b247d258..00000000 --- a/policy/modules/contrib/mongodb.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>Scalable, high-performance, open source NoSQL database.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an mongodb environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mongodb_admin',` - gen_require(` - type mongod_t, mongod_initrc_exec_t, mongod_log_t; - type mongod_var_lib_t, mongod_var_run_t; - ') - - allow $1 mongod_t:process { ptrace signal_perms }; - ps_process_pattern($1, mongod_t) - - init_labeled_script_domtrans($1, mongod_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mongod_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, mongod_log_t) - - files_search_var_lib($1) - admin_pattern($1, mongod_var_lib_t) - - files_search_pids($1) - admin_pattern($1, mongod_var_run_t) -') diff --git a/policy/modules/contrib/mongodb.te b/policy/modules/contrib/mongodb.te deleted file mode 100644 index 4de89497..00000000 --- a/policy/modules/contrib/mongodb.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(mongodb, 1.0.2) - -######################################## -# -# Declarations -# - -type mongod_t; -type mongod_exec_t; -init_daemon_domain(mongod_t, mongod_exec_t) - -type mongod_initrc_exec_t; -init_script_file(mongod_initrc_exec_t) - -type mongod_log_t; -logging_log_file(mongod_log_t) - -type mongod_var_lib_t; -files_type(mongod_var_lib_t) - -type mongod_var_run_t; -files_pid_file(mongod_var_run_t) - -######################################## -# -# Local policy -# - -allow mongod_t self:process signal; -allow mongod_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) -append_files_pattern(mongod_t, mongod_log_t, mongod_log_t) -create_files_pattern(mongod_t, mongod_log_t, mongod_log_t) -setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t) -logging_log_filetrans(mongod_t, mongod_log_t, dir) - -manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) - -manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) -manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) -files_pid_filetrans(mongod_t, mongod_var_run_t, dir) - -kernel_read_system_state(mongod_t) - -corenet_all_recvfrom_unlabeled(mongod_t) -corenet_all_recvfrom_netlabel(mongod_t) -corenet_tcp_sendrecv_generic_if(mongod_t) -corenet_tcp_sendrecv_generic_node(mongod_t) -corenet_tcp_bind_generic_node(mongod_t) - -dev_read_sysfs(mongod_t) -dev_read_urand(mongod_t) - -files_read_etc_files(mongod_t) - -fs_getattr_all_fs(mongod_t) - -miscfiles_read_localization(mongod_t) diff --git a/policy/modules/contrib/mono.fc b/policy/modules/contrib/mono.fc deleted file mode 100644 index b01bc913..00000000 --- a/policy/modules/contrib/mono.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0) diff --git a/policy/modules/contrib/mono.if b/policy/modules/contrib/mono.if deleted file mode 100644 index 70fe6457..00000000 --- a/policy/modules/contrib/mono.if +++ /dev/null @@ -1,149 +0,0 @@ -## <summary>Run .NET server and client applications on Linux.</summary> - -####################################### -## <summary> -## The role template for the mono module. -## </summary> -## <desc> -## <p> -## This template creates a derived domains which are used -## for mono applications. -## </p> -## </desc> -## <param name="role_prefix"> -## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## </summary> -## </param> -## <param name="user_role"> -## <summary> -## The role associated with the user domain. -## </summary> -## </param> -## <param name="user_domain"> -## <summary> -## The type of the user domain. -## </summary> -## </param> -# -template(`mono_role_template',` - gen_require(` - attribute mono_domain; - type mono_exec_t; - ') - - ######################################## - # - # Declarations - # - - type $1_mono_t, mono_domain; - domain_type($1_mono_t) - domain_entry_file($1_mono_t, mono_exec_t) - role $2 types $1_mono_t; - - domain_interactive_fd($1_mono_t) - application_type($1_mono_t) - - ######################################## - # - # Policy - # - - domtrans_pattern($3, mono_exec_t, $1_mono_t) - - allow $3 $1_mono_t:process { ptrace noatsecure signal_perms }; - ps_process_pattern($2, $1_mono_t) - - corecmd_bin_domtrans($1_mono_t, $3) - - userdom_manage_user_tmpfs_files($1_mono_t) - - optional_policy(` - fs_dontaudit_rw_tmpfs_files($1_mono_t) - - xserver_role($1_r, $1_mono_t) - ') -') - -######################################## -## <summary> -## Execute mono in the mono domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mono_domtrans',` - gen_require(` - type mono_t, mono_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mono_exec_t, mono_t) -') - -######################################## -## <summary> -## Execute mono in the mono domain, and -## allow the specified role the mono domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`mono_run',` - gen_require(` - attribute_role mono_roles; - ') - - mono_domtrans($1) - roleattribute $2 mono_roles; -') - -######################################## -## <summary> -## Execute mono in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mono_exec',` - gen_require(` - type mono_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, mono_exec_t) -') - -######################################## -## <summary> -## Read and write mono shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mono_rw_shm',` - gen_require(` - type mono_t; - ') - - allow $1 mono_t:shm rw_shm_perms; -') diff --git a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te deleted file mode 100644 index d287fe92..00000000 --- a/policy/modules/contrib/mono.te +++ /dev/null @@ -1,63 +0,0 @@ -policy_module(mono, 1.8.1) - -######################################## -# -# Declarations -# - -attribute mono_domain; - -attribute_role mono_roles; - -type mono_t, mono_domain; -type mono_exec_t; -init_system_domain(mono_t, mono_exec_t) -role mono_roles types mono_t; - -application_type(mono_t) - -######################################## -# -# Common local policy -# - -allow mono_domain self:process { signal getsched execheap execmem execstack }; - -######################################## -# -# local policy -# - -userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file }) - -init_dbus_chat_script(mono_t) - -optional_policy(` - avahi_dbus_chat(mono_t) -') - -optional_policy(` - cups_dbus_chat(mono_t) -') - -optional_policy(` - hal_dbus_chat(mono_t) -') - -optional_policy(` - networkmanager_dbus_chat(mono_t) -') - -optional_policy(` - rpm_dbus_chat(mono_t) -') - -optional_policy(` - unconfined_domain(mono_t) - unconfined_dbus_chat(mono_t) - unconfined_dbus_connect(mono_t) -') - -optional_policy(` - xserver_rw_shm(mono_t) -') diff --git a/policy/modules/contrib/monop.fc b/policy/modules/contrib/monop.fc deleted file mode 100644 index a2b2a26e..00000000 --- a/policy/modules/contrib/monop.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/monopd -- gen_context(system_u:object_r:monopd_initrc_exec_t,s0) - -/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0) - -/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0) - -/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0) - -/var/run/monopd\.pid -- gen_context(system_u:object_r:monopd_var_run_t,s0) diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if deleted file mode 100644 index 8fdaecea..00000000 --- a/policy/modules/contrib/monop.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>Monopoly daemon.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an monop environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`monop_admin',` - gen_require(` - type monopd_t, monopd_initrc_exec_t, monopd_share_t; - type monopd_etc_t, monopd_var_run_t; - ') - - allow $1 monopd_t:process { ptrace signal_perms }; - ps_process_pattern($1, monopd_t) - - init_labeled_script_domtrans($1, monopd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 monopd_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_etc($1) - admin_pattern($1, monopd_etc_t) - - files_search_pids($1) - admin_pattern($1, monopd_var_run_t) - - files_search_usr($1) - admin_pattern($1, monopd_share_t) -') diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te deleted file mode 100644 index 4462c0e3..00000000 --- a/policy/modules/contrib/monop.te +++ /dev/null @@ -1,84 +0,0 @@ -policy_module(monop, 1.7.1) - -######################################## -# -# Declarations -# - -type monopd_t; -type monopd_exec_t; -init_daemon_domain(monopd_t, monopd_exec_t) - -type monopd_initrc_exec_t; -init_script_file(monopd_initrc_exec_t) - -type monopd_etc_t; -files_config_file(monopd_etc_t) - -type monopd_share_t; -files_type(monopd_share_t) - -type monopd_var_run_t; -files_pid_file(monopd_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit monopd_t self:capability sys_tty_config; -allow monopd_t self:process signal_perms; -allow monopd_t self:tcp_socket { accept listen }; - -allow monopd_t monopd_etc_t:file read_file_perms; - -allow monopd_t monopd_share_t:dir list_dir_perms; -read_files_pattern(monopd_t, monopd_share_t, monopd_share_t) -read_lnk_files_pattern(monopd_t, monopd_share_t, monopd_share_t) - -manage_files_pattern(monopd_t, monopd_var_run_t, monopd_var_run_t) -files_pid_filetrans(monopd_t, monopd_var_run_t, file) - -kernel_read_kernel_sysctls(monopd_t) -kernel_list_proc(monopd_t) -kernel_read_proc_symlinks(monopd_t) - -corenet_all_recvfrom_unlabeled(monopd_t) -corenet_all_recvfrom_netlabel(monopd_t) -corenet_tcp_sendrecv_generic_if(monopd_t) -corenet_tcp_sendrecv_generic_node(monopd_t) -corenet_tcp_bind_generic_node(monopd_t) - -corenet_sendrecv_monopd_server_packets(monopd_t) -corenet_tcp_bind_monopd_port(monopd_t) -corenet_tcp_sendrecv_monopd_port(monopd_t) - -dev_read_sysfs(monopd_t) - -domain_use_interactive_fds(monopd_t) - -files_read_etc_files(monopd_t) - -fs_getattr_all_fs(monopd_t) -fs_search_auto_mountpoints(monopd_t) - -logging_send_syslog_msg(monopd_t) - -miscfiles_read_localization(monopd_t) - -sysnet_dns_name_resolve(monopd_t) - -userdom_dontaudit_use_unpriv_user_fds(monopd_t) -userdom_dontaudit_search_user_home_dirs(monopd_t) - -optional_policy(` - nis_use_ypbind(monopd_t) -') - -optional_policy(` - seutil_sigchld_newrole(monopd_t) -') - -optional_policy(` - udev_read_db(monopd_t) -') diff --git a/policy/modules/contrib/mozilla.fc b/policy/modules/contrib/mozilla.fc deleted file mode 100644 index 9e74bfa9..00000000 --- a/policy/modules/contrib/mozilla.fc +++ /dev/null @@ -1,37 +0,0 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) -HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) - -/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) - -/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) -/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) -/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) - -/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/contrib/mozilla.if b/policy/modules/contrib/mozilla.if deleted file mode 100644 index ffda45d3..00000000 --- a/policy/modules/contrib/mozilla.if +++ /dev/null @@ -1,651 +0,0 @@ -## <summary>Policy for Mozilla and related web browsers.</summary> - -######################################## -## <summary> -## Role access for mozilla. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`mozilla_role',` - gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; - type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; - type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; - attribute_role mozilla_roles; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 mozilla_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, mozilla_exec_t, mozilla_t) - - allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; - ps_process_pattern($2, mozilla_t) - - allow mozilla_t $2:process signull; - allow mozilla_t $2:unix_stream_socket connectto; - - allow $2 mozilla_t:fd use; - allow $2 mozilla_t:shm rw_shm_perms; - - stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) - - allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") - - filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") - - allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - optional_policy(` - mozilla_dbus_chat($2) - ') -') - -######################################## -## <summary> -## Role access for mozilla plugin. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`mozilla_role_plugin',` - gen_require(` - type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t; - type mozilla_home_t; - ') - - mozilla_run_plugin($2, $1) - mozilla_run_plugin_config($2, $1) - - allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) - - allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; - allow $2 mozilla_plugin_t:fd use; - - stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) - - allow mozilla_plugin_t $2:process signull; - allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms }; - allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms }; - allow mozilla_plugin_t $2:shm { rw_shm_perms destroy }; - allow mozilla_plugin_t $2:sem create_sem_perms; - - allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") - - allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - - allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow $2 mozilla_plugin_rw_t:dir list_dir_perms; - allow $2 mozilla_plugin_rw_t:file read_file_perms; - allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; - - can_exec($2, mozilla_plugin_rw_t) - - optional_policy(` - mozilla_dbus_chat_plugin($2) - ') -') - -######################################## -## <summary> -## Read mozilla home directory content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_read_user_home',` - gen_require(` - type mozilla_home_t; - ') - - list_dirs_pattern($1, mozilla_home_t, mozilla_home_t) - read_files_pattern($1, mozilla_home_t, mozilla_home_t) - userdom_search_user_home_dirs($1) -') - - -######################################## -## <summary> -## Read mozilla home directory files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_read_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mozilla_home_t:dir list_dir_perms; - allow $1 mozilla_home_t:file read_file_perms; - allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Write mozilla home directory files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_write_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - userdom_search_user_home_dirs($1) - write_files_pattern($1, mozilla_home_t, mozilla_home_t) -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write mozilla home directory files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`mozilla_dontaudit_rw_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - dontaudit $1 mozilla_home_t:file rw_file_perms; -') - -######################################## -## <summary> -## Do not audit attempt to Create, -## read, write, and delete mozilla -## home directory content. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`mozilla_dontaudit_manage_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - dontaudit $1 mozilla_home_t:dir manage_dir_perms; - dontaudit $1 mozilla_home_t:file manage_file_perms; - dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Execute mozilla home directory files. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_exec_user_home_files',` - refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.') - mozilla_exec_user_plugin_home_files($1) -') - -######################################## -## <summary> -## Execute mozilla plugin home directory files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_exec_user_plugin_home_files',` - gen_require(` - type mozilla_home_t, mozilla_plugin_home_t; - ') - - userdom_search_user_home_dirs($1) - exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -') - -######################################## -## <summary> -## Mozilla home directory file -## text relocation. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_execmod_user_home_files',` - refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.') - mozilla_execmod_user_plugin_home_files($1) -') - -######################################## -## <summary> -## Mozilla plugin home directory file -## text relocation. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_execmod_user_plugin_home_files',` - gen_require(` - type mozilla_plugin_home_t; - ') - - allow $1 mozilla_plugin_home_t:file execmod; -') - -######################################## -## <summary> -## Run mozilla in the mozilla domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mozilla_domtrans',` - gen_require(` - type mozilla_t, mozilla_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_exec_t, mozilla_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run mozilla plugin. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mozilla_domtrans_plugin',` - gen_require(` - type mozilla_plugin_t, mozilla_plugin_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) -') - -######################################## -## <summary> -## Execute mozilla plugin in the -## mozilla plugin domain, and allow -## the specified role the mozilla -## plugin domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`mozilla_run_plugin',` - gen_require(` - attribute_role mozilla_plugin_roles; - ') - - mozilla_domtrans_plugin($1) - roleattribute $2 mozilla_plugin_roles; -') - -######################################## -## <summary> -## Execute a domain transition to -## run mozilla plugin config. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mozilla_domtrans_plugin_config',` - gen_require(` - type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) -') - -######################################## -## <summary> -## Execute mozilla plugin config in -## the mozilla plugin config domain, -## and allow the specified role the -## mozilla plugin config domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`mozilla_run_plugin_config',` - gen_require(` - attribute_role mozilla_plugin_config_roles; - ') - - mozilla_domtrans_plugin_config($1) - roleattribute $2 mozilla_plugin_config_roles; -') - -######################################## -## <summary> -## Send and receive messages from -## mozilla over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_dbus_chat',` - gen_require(` - type mozilla_t; - class dbus send_msg; - ') - - allow $1 mozilla_t:dbus send_msg; - allow mozilla_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Send and receive messages from -## mozilla plugin over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_dbus_chat_plugin',` - gen_require(` - type mozilla_plugin_t; - class dbus send_msg; - ') - - allow $1 mozilla_plugin_t:dbus send_msg; - allow mozilla_plugin_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Read and write mozilla TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_rw_tcp_sockets',` - gen_require(` - type mozilla_t; - ') - - allow $1 mozilla_t:tcp_socket rw_socket_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## mozilla plugin rw files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_manage_plugin_rw_files',` - gen_require(` - type mozilla_plugin_rw_t; - ') - - libs_search_lib($1) - manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) -') - -######################################## -## <summary> -## Read mozilla_plugin tmpfs files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_plugin_read_tmpfs_files',` - gen_require(` - type mozilla_plugin_tmpfs_t; - ') - - fs_search_tmpfs($1) - allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; -') - -######################################## -## <summary> -## Delete mozilla_plugin tmpfs files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_plugin_delete_tmpfs_files',` - gen_require(` - type mozilla_plugin_tmpfs_t; - ') - - fs_search_tmpfs($1) - allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; -') - -######################################## -## <summary> -## Read/write to mozilla's tmp fifo files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`mozilla_rw_tmp_pipes',` - gen_require(` - type mozilla_tmp_t; - ') - - rw_fifo_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## generic mozilla plugin home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mozilla_manage_generic_plugin_home_content',` - gen_require(` - type mozilla_plugin_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mozilla_plugin_home_t:dir manage_dir_perms; - allow $1 mozilla_plugin_home_t:file manage_file_perms; - allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms; - allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms; - allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the generic mozilla -## plugin home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mozilla_home_filetrans_plugin_home',` - gen_require(` - type mozilla_plugin_home_t; - ') - - userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3) -') - -# This is gentoo specific but cannot use ifdef distro_gentoo - -######################################## -## <summary> -## Do not audit use of mozilla file descriptors -## </summary> -## <param name="domain"> -## <summary> -## Domain to dont audit access from -## </summary> -## </param> -# -interface(`mozilla_dontaudit_use_fds',` - gen_require(` - type mozilla_t; - ') - - dontaudit $1 mozilla_t:fd use; -') - -######################################## -## <summary> -## Send messages to mozilla plugin unix datagram sockets -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`mozilla_send_dgram_plugin',` - gen_require(` - type mozilla_plugin_t; - ') - - allow $1 mozilla_plugin_t:unix_dgram_socket sendto; -') diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te deleted file mode 100644 index b1bf1887..00000000 --- a/policy/modules/contrib/mozilla.te +++ /dev/null @@ -1,748 +0,0 @@ -policy_module(mozilla, 2.7.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether mozilla can -## make its stack executable. -## </p> -## </desc> -gen_tunable(mozilla_execstack, false) - -## <desc> -## <p> -## Allow mozilla to use java plugins -## </p> -## <p> -## Some plugins use named pipes inside temporary directories created -## by the browser to communicate with the java process. If other browsers -## need to use java plugins as well, they will get search privileges within -## the temporary directories of mozilla -## </p> -## </desc> -gen_tunable(mozilla_use_java, false) - -attribute_role mozilla_roles; -attribute_role mozilla_plugin_roles; -attribute_role mozilla_plugin_config_roles; - -type mozilla_t; -type mozilla_exec_t; -typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; -typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; -userdom_user_application_domain(mozilla_t, mozilla_exec_t) -role mozilla_roles types mozilla_t; - -type mozilla_home_t; -typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; -typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -userdom_user_home_content(mozilla_home_t) - -type mozilla_plugin_t; -type mozilla_plugin_exec_t; -userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) -role mozilla_plugin_roles types mozilla_plugin_t; - -type mozilla_plugin_home_t; -userdom_user_home_content(mozilla_plugin_home_t) - -type mozilla_plugin_tmp_t; -userdom_user_tmp_file(mozilla_plugin_tmp_t) - -type mozilla_plugin_tmpfs_t; -userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t) - -optional_policy(` - pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t) -') - -type mozilla_plugin_rw_t; -files_type(mozilla_plugin_rw_t) - -type mozilla_plugin_config_t; -type mozilla_plugin_config_exec_t; -userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) -role mozilla_plugin_config_roles types mozilla_plugin_config_t; - -type mozilla_tmp_t; -userdom_user_tmp_file(mozilla_tmp_t) - -type mozilla_tmpfs_t; -typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t }; -typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; -userdom_user_tmpfs_file(mozilla_tmpfs_t) - -optional_policy(` - pulseaudio_tmpfs_content(mozilla_tmpfs_t) -') - -######################################## -# -# Local policy -# - -allow mozilla_t self:capability { sys_nice setgid setuid }; -allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; -allow mozilla_t self:fifo_file rw_fifo_file_perms; -allow mozilla_t self:shm create_shm_perms; -allow mozilla_t self:sem create_sem_perms; -allow mozilla_t self:socket create_socket_perms; -allow mozilla_t self:unix_stream_socket { accept listen }; - -allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms; -allow mozilla_t mozilla_plugin_t:fd use; - -allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms; -allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms; -allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms; -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix") - -filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") - -manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) -manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) -files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) - -manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) - -allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; - -stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) - -kernel_read_kernel_sysctls(mozilla_t) -kernel_read_network_state(mozilla_t) -kernel_read_system_state(mozilla_t) -kernel_read_net_sysctls(mozilla_t) - -corecmd_list_bin(mozilla_t) -corecmd_exec_shell(mozilla_t) -corecmd_exec_bin(mozilla_t) - -corenet_all_recvfrom_unlabeled(mozilla_t) -corenet_all_recvfrom_netlabel(mozilla_t) -corenet_tcp_sendrecv_generic_if(mozilla_t) -corenet_tcp_sendrecv_generic_node(mozilla_t) - -corenet_sendrecv_http_client_packets(mozilla_t) -corenet_tcp_connect_http_port(mozilla_t) -corenet_tcp_sendrecv_http_port(mozilla_t) - -corenet_sendrecv_http_cache_client_packets(mozilla_t) -corenet_tcp_connect_http_cache_port(mozilla_t) -corenet_tcp_sendrecv_http_cache_port(mozilla_t) - -corenet_sendrecv_squid_client_packets(mozilla_t) -corenet_tcp_connect_squid_port(mozilla_t) -corenet_tcp_sendrecv_squid_port(mozilla_t) - -corenet_sendrecv_ftp_client_packets(mozilla_t) -corenet_tcp_connect_ftp_port(mozilla_t) -corenet_tcp_sendrecv_ftp_port(mozilla_t) - -corenet_sendrecv_ipp_client_packets(mozilla_t) -corenet_tcp_connect_ipp_port(mozilla_t) -corenet_tcp_sendrecv_ipp_port(mozilla_t) - -corenet_sendrecv_soundd_client_packets(mozilla_t) -corenet_tcp_connect_soundd_port(mozilla_t) -corenet_tcp_sendrecv_soundd_port(mozilla_t) - -corenet_sendrecv_speech_client_packets(mozilla_t) -corenet_tcp_connect_speech_port(mozilla_t) -corenet_tcp_sendrecv_speech_port(mozilla_t) - -dev_getattr_sysfs_dirs(mozilla_t) -dev_read_sound(mozilla_t) -dev_read_rand(mozilla_t) -dev_read_urand(mozilla_t) -dev_rw_dri(mozilla_t) -dev_write_sound(mozilla_t) - -domain_dontaudit_read_all_domains_state(mozilla_t) - -files_read_etc_runtime_files(mozilla_t) -files_read_usr_files(mozilla_t) -files_read_var_files(mozilla_t) -files_read_var_lib_files(mozilla_t) -files_read_var_symlinks(mozilla_t) -files_dontaudit_getattr_boot_dirs(mozilla_t) - -fs_getattr_all_fs(mozilla_t) -fs_search_auto_mountpoints(mozilla_t) -fs_list_inotifyfs(mozilla_t) -fs_rw_tmpfs_files(mozilla_t) - -term_dontaudit_getattr_pty_dirs(mozilla_t) - -auth_use_nsswitch(mozilla_t) - -logging_send_syslog_msg(mozilla_t) - -miscfiles_read_fonts(mozilla_t) -miscfiles_read_localization(mozilla_t) -miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) - -userdom_use_user_ptys(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) -mozilla_run_plugin_config(mozilla_t, mozilla_roles) - -xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) -xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) - -tunable_policy(`allow_execmem',` - allow mozilla_t self:process execmem; -') - -tunable_policy(`mozilla_execstack',` - allow mozilla_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_t) - fs_manage_nfs_files(mozilla_t) - fs_manage_nfs_symlinks(mozilla_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_t) - fs_manage_cifs_files(mozilla_t) - fs_manage_cifs_symlinks(mozilla_t) -') - -optional_policy(` - apache_read_user_scripts(mozilla_t) - apache_read_user_content(mozilla_t) -') - -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_t) -') - -optional_policy(` - cups_read_rw_config(mozilla_t) -') - -optional_policy(` - dbus_all_session_bus_client(mozilla_t) - dbus_system_bus_client(mozilla_t) - - optional_policy(` - cups_dbus_chat(mozilla_t) - ') - - optional_policy(` - mozilla_dbus_chat_plugin(mozilla_t) - ') - - optional_policy(` - networkmanager_dbus_chat(mozilla_t) - ') -') - -optional_policy(` - gnome_stream_connect_gconf(mozilla_t) - gnome_manage_generic_gconf_home_content(mozilla_t) - gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf") - gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd") - gnome_manage_generic_home_content(mozilla_t) - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") -') - -optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -') - -optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -') - -optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) -') - -optional_policy(` - thunderbird_domtrans(mozilla_t) -') - -######################################## -# -# Plugin local policy -# - -dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config }; -allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit }; -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; -allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; -allow mozilla_plugin_t self:sem create_sem_perms; -allow mozilla_plugin_t self:shm create_shm_perms; -allow mozilla_plugin_t self:tcp_socket { accept listen }; -allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen }; - -allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms; -allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms; -allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy }; -allow mozilla_plugin_t mozilla_t:sem create_sem_perms; - -manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) - -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix") - -filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") - -manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) -userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) - -manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) - -allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; - -dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) - -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) - -kernel_read_all_sysctls(mozilla_plugin_t) -kernel_read_system_state(mozilla_plugin_t) -kernel_read_network_state(mozilla_plugin_t) -kernel_request_load_module(mozilla_plugin_t) -kernel_dontaudit_getattr_core_if(mozilla_plugin_t) - -corecmd_exec_bin(mozilla_plugin_t) -corecmd_exec_shell(mozilla_plugin_t) - -corenet_all_recvfrom_netlabel(mozilla_plugin_t) -corenet_all_recvfrom_unlabeled(mozilla_plugin_t) - -corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t) -corenet_tcp_connect_asterisk_port(mozilla_plugin_t) -corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t) - -corenet_sendrecv_ftp_client_packets(mozilla_plugin_t) -corenet_tcp_connect_ftp_port(mozilla_plugin_t) -corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t) - -corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t) -corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t) -corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t) - -corenet_sendrecv_http_client_packets(mozilla_plugin_t) -corenet_tcp_connect_http_port(mozilla_plugin_t) -corenet_tcp_sendrecv_http_port(mozilla_plugin_t) - -corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t) -corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t) - -corenet_sendrecv_ipp_client_packets(mozilla_plugin_t) -corenet_tcp_connect_ipp_port(mozilla_plugin_t) -corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t) - -corenet_sendrecv_ircd_client_packets(mozilla_plugin_t) -corenet_tcp_connect_ircd_port(mozilla_plugin_t) -corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t) - -corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t) -corenet_tcp_connect_jabber_client_port(mozilla_plugin_t) -corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t) - -corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t) -corenet_tcp_connect_mmcc_port(mozilla_plugin_t) -corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t) - -corenet_sendrecv_monopd_client_packets(mozilla_plugin_t) -corenet_tcp_connect_monopd_port(mozilla_plugin_t) -corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t) - -corenet_sendrecv_soundd_client_packets(mozilla_plugin_t) -corenet_tcp_connect_soundd_port(mozilla_plugin_t) -corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t) - -corenet_sendrecv_speech_client_packets(mozilla_plugin_t) -corenet_tcp_connect_speech_port(mozilla_plugin_t) -corenet_tcp_sendrecv_speech_port(mozilla_plugin_t) - -corenet_sendrecv_squid_client_packets(mozilla_plugin_t) -corenet_tcp_connect_squid_port(mozilla_plugin_t) -corenet_tcp_sendrecv_squid_port(mozilla_plugin_t) - -corenet_sendrecv_vnc_client_packets(mozilla_plugin_t) -corenet_tcp_connect_vnc_port(mozilla_plugin_t) -corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t) - -dev_read_generic_usb_dev(mozilla_plugin_t) -dev_read_rand(mozilla_plugin_t) -dev_read_realtime_clock(mozilla_plugin_t) -dev_read_sound(mozilla_plugin_t) -dev_read_sysfs(mozilla_plugin_t) -dev_read_urand(mozilla_plugin_t) -dev_read_video_dev(mozilla_plugin_t) -dev_write_sound(mozilla_plugin_t) -dev_write_video_dev(mozilla_plugin_t) -dev_rw_dri(mozilla_plugin_t) -dev_rw_xserver_misc(mozilla_plugin_t) - -dev_dontaudit_getattr_generic_files(mozilla_plugin_t) -dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t) -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) - -domain_use_interactive_fds(mozilla_plugin_t) -domain_dontaudit_read_all_domains_state(mozilla_plugin_t) - -files_list_mnt(mozilla_plugin_t) -files_read_config_files(mozilla_plugin_t) -files_read_usr_files(mozilla_plugin_t) - -fs_getattr_all_fs(mozilla_plugin_t) -# fs_read_hugetlbfs_files(mozilla_plugin_t) -fs_search_auto_mountpoints(mozilla_plugin_t) - -term_getattr_all_ttys(mozilla_plugin_t) -term_getattr_all_ptys(mozilla_plugin_t) - -auth_use_nsswitch(mozilla_plugin_t) - -logging_send_syslog_msg(mozilla_plugin_t) - -miscfiles_read_localization(mozilla_plugin_t) -miscfiles_read_fonts(mozilla_plugin_t) -miscfiles_read_generic_certs(mozilla_plugin_t) - - -tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process execmem; -') - -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_t) - fs_manage_nfs_files(mozilla_plugin_t) - fs_manage_nfs_symlinks(mozilla_plugin_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_plugin_t) - fs_manage_cifs_files(mozilla_plugin_t) - fs_manage_cifs_symlinks(mozilla_plugin_t) -') - -optional_policy(` - alsa_read_rw_config(mozilla_plugin_t) - alsa_read_home_files(mozilla_plugin_t) -') - -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) -') - -optional_policy(` - dbus_all_session_bus_client(mozilla_plugin_t) - dbus_connect_all_session_bus(mozilla_plugin_t) - dbus_system_bus_client(mozilla_plugin_t) -') - -optional_policy(` - gnome_manage_generic_home_content(mozilla_plugin_t) - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") -') - -optional_policy(` - java_exec(mozilla_plugin_t) - java_manage_generic_home_content(mozilla_plugin_t) - java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java") -') - -optional_policy(` - lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles) -') - -optional_policy(` - mplayer_exec(mozilla_plugin_t) - mplayer_manage_generic_home_content(mozilla_plugin_t) - mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") -') - -optional_policy(` - pcscd_stream_connect(mozilla_plugin_t) -') - -optional_policy(` - pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) -') - -optional_policy(` - udev_read_db(mozilla_plugin_t) -') - -optional_policy(` - xserver_read_user_xauth(mozilla_plugin_t) - xserver_read_xdm_pid(mozilla_plugin_t) - xserver_stream_connect(mozilla_plugin_t) - xserver_use_user_fonts(mozilla_plugin_t) - xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) -') - -######################################## -# -# Plugin config local policy -# - -allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; - -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; - -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) - -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix") - -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") - -filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") - -can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) - -ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) - -kernel_read_system_state(mozilla_plugin_config_t) -kernel_request_load_module(mozilla_plugin_config_t) - -corecmd_exec_bin(mozilla_plugin_config_t) -corecmd_exec_shell(mozilla_plugin_config_t) - -dev_read_urand(mozilla_plugin_config_t) -dev_rw_dri(mozilla_plugin_config_t) -dev_search_sysfs(mozilla_plugin_config_t) -dev_dontaudit_read_rand(mozilla_plugin_config_t) - -domain_use_interactive_fds(mozilla_plugin_config_t) - -files_list_tmp(mozilla_plugin_config_t) -files_read_usr_files(mozilla_plugin_config_t) -files_dontaudit_search_home(mozilla_plugin_config_t) - -fs_getattr_all_fs(mozilla_plugin_config_t) -fs_search_auto_mountpoints(mozilla_plugin_config_t) -fs_list_inotifyfs(mozilla_plugin_config_t) - -auth_use_nsswitch(mozilla_plugin_config_t) - -miscfiles_read_localization(mozilla_plugin_config_t) -miscfiles_read_fonts(mozilla_plugin_config_t) - -userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) -userdom_read_user_home_content_files(mozilla_plugin_config_t) - -userdom_use_user_ptys(mozilla_plugin_config_t) - -mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles) - -tunable_policy(`allow_execmem',` - allow mozilla_plugin_config_t self:process execmem; -') - -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_config_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_config_t) - fs_manage_nfs_files(mozilla_plugin_config_t) - fs_manage_nfs_symlinks(mozilla_plugin_config_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_plugin_config_t) - fs_manage_cifs_files(mozilla_plugin_config_t) - fs_manage_cifs_symlinks(mozilla_plugin_config_t) -') - -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) -') - -optional_policy(` - xserver_use_user_fonts(mozilla_plugin_config_t) -') - -ifdef(`distro_gentoo',` -## <desc> -## <p> -## Determine whether mozilla firefox can bind TCP sockets to all -## unreserved ports (for instance used with various Proxy -## management extensions). -## </p> -## </desc> -gen_tunable(mozilla_bind_all_unreserved_ports, false) - -## <desc> -## <p> -## Determine whether mozilla firefox plugins can connect to -## unreserved ports (for instance when dealing with Google Talk) -## </p> -## </desc> -gen_tunable(mozilla_plugin_connect_all_unreserved, false) - - ##################### - # - # Mozilla policy - # - - allow mozilla_t mozilla_plugin_t:process { rlimitinh siginh noatsecure }; - - manage_fifo_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) - - corenet_dontaudit_tcp_bind_generic_port(mozilla_t) - corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) - corenet_sendrecv_tor_client_packets(mozilla_t) - corenet_tcp_connect_tor_port(mozilla_t) - corenet_tcp_sendrecv_tor_port(mozilla_t) - - domain_use_interactive_fds(mozilla_t) - - userdom_search_user_home_dirs(mozilla_t) - # This deprecates userdom_use_user_ptys(mozilla_t) mentioned earlier - userdom_use_user_terminals(mozilla_t) - - xdg_manage_downloads_home(mozilla_t) - xdg_read_config_home_files(mozilla_t) - xdg_read_data_home_files(mozilla_t) - - #xserver_common_x_domain_template(mozilla_t, mozilla_tmpfs_t) is this - #not better than user_x_domain_template ? - - # main refpolicy does not make this distinction anymore - # (allows manage rights automatically) - userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t }) - - tunable_policy(`mozilla_bind_all_unreserved_ports',` - corenet_sendrecv_all_server_packets(mozilla_t) - corenet_tcp_bind_all_unreserved_ports(mozilla_t) - corenet_tcp_sendrecv_all_ports(mozilla_t) - ') - - optional_policy(` - tunable_policy(`mozilla_use_java',` - #java_noatsecure_domtrans(mozilla_t) - # refpolicy method below, but we might want to introduce - # specific domains for this (like mozilla_java_t)? TODO - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - ') - - java_home_filetrans_java_home(mozilla_t, dir, ".java") - - # Cannot handle optional_policy within tunable_policy - optional_policy(` - tunable_policy(`mozilla_use_java',` - chromium_tmp_filetrans(mozilla_t, mozilla_tmp_t, fifo_file) - ') - ') - ') - - optional_policy(` - nscd_socket_use(mozilla_t) - ') - - ########################### - # - # Mozilla plugin policy - # - - allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; - allow mozilla_plugin_t self:udp_socket create_socket_perms; - - read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) - - # Stupid google talk plugin runs find against /etc - files_dontaudit_getattr_all_dirs(mozilla_plugin_t) - - corenet_sendrecv_pulseaudio_client_packets(mozilla_plugin_t) - corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) - corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t) - - miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) - miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) - - userdom_dontaudit_use_user_terminals(mozilla_plugin_t) - userdom_rw_user_tmpfs_files(mozilla_plugin_t) - - xdg_read_config_home_files(mozilla_plugin_t) - - xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t) - - tunable_policy(`mozilla_plugin_connect_all_unreserved', ` - corenet_sendrecv_all_client_packets(mozilla_plugin_t) - corenet_tcp_connect_all_unreserved_ports(mozilla_plugin_t) - ') - - optional_policy(` - alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t) - ') - - optional_policy(` - flash_manage_home(mozilla_plugin_t) - ') - - optional_policy(` - googletalk_domtrans_plugin(mozilla_plugin_t) - googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config(mozilla_plugin_t, dir, "google-googletalkplugin") - googletalk_manage_plugin_xdg_config(mozilla_plugin_t) - googletalk_use_plugin_fds(mozilla_plugin_t) - googletalk_rw_inherited_plugin_unix_stream_sockets(mozilla_plugin_t) - ') -') diff --git a/policy/modules/contrib/mpd.fc b/policy/modules/contrib/mpd.fc deleted file mode 100644 index 313ce521..00000000 --- a/policy/modules/contrib/mpd.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) - -/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) - -/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0) - -/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) -/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) -/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) - -/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0) diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if deleted file mode 100644 index 5fa77c7e..00000000 --- a/policy/modules/contrib/mpd.if +++ /dev/null @@ -1,369 +0,0 @@ -## <summary>Music Player Daemon.</summary> - -######################################## -## <summary> -## Role access for mpd. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -template(`mpd_role',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Execute a domain transition to run mpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mpd_domtrans',` - gen_require(` - type mpd_t, mpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mpd_exec_t, mpd_t) -') - -######################################## -## <summary> -## Execute mpd server in the mpd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mpd_initrc_domtrans',` - gen_require(` - type mpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, mpd_initrc_exec_t) -') - -####################################### -## <summary> -## Read mpd data files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mpd_read_data_files',` - gen_require(` - type mpd_data_t; - ') - - mpd_search_lib($1) - read_files_pattern($1, mpd_data_t, mpd_data_t) -') - -###################################### -## <summary> -## Create, read, write, and delete -## mpd data files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mpd_manage_data_files',` - gen_require(` - type mpd_data_t; - ') - - mpd_search_lib($1) - manage_files_pattern($1, mpd_data_t, mpd_data_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## mpd user data content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mpd_manage_user_data_content',` - gen_require(` - type mpd_user_data_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mpd_user_data_t:dir manage_dir_perms; - allow $1 mpd_user_data_t:file manage_file_perms; - allow $1 mpd_user_data_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Relabel mpd user data content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mpd_relabel_user_data_content',` - gen_require(` - type mpd_user_data_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mpd_user_data_t:dir relabel_dir_perms; - allow $1 mpd_user_data_t:file relabel_file_perms; - allow $1 mpd_user_data_t:lnk_file relabel_lnk_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the mpd user data type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mpd_home_filetrans_user_data',` - gen_require(` - type mpd_user_data_t; - ') - - userdom_user_home_dir_filetrans($1, mpd_user_data_t, $2, $3) -') - -####################################### -## <summary> -## Read mpd tmpfs files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mpd_read_tmpfs_files',` - gen_require(` - type mpd_tmpfs_t; - ') - - fs_search_tmpfs($1) - read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -') - -################################### -## <summary> -## Create, read, write, and delete -## mpd tmpfs files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mpd_manage_tmpfs_files',` - gen_require(` - type mpd_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) - manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -') - -######################################## -## <summary> -## Search mpd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mpd_search_lib',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 mpd_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read mpd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mpd_read_lib_files',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## mpd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mpd_manage_lib_files',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -') - -####################################### -## <summary> -## Create specified objects in mpd -## lib directories with a private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private type"> -## <summary> -## The type of the object to be created. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mpd_var_lib_filetrans',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - filetrans_pattern($1, mpd_var_lib_t, $2, $3, $4) -') - -######################################## -## <summary> -## Create, read, write, and delete -## mpd lib dirs. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mpd_manage_lib_dirs',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an mpd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mpd_admin',` - gen_require(` - type mpd_t, mpd_initrc_exec_t, mpd_etc_t; - type mpd_data_t, mpd_log_t, mpd_var_lib_t; - type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t; - ') - - allow $1 mpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, mpd_t) - - mpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 mpd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, mpd_etc_t) - - files_search_var_lib($1) - admin_pattern($1, { mpd_data_t mpd_user_data_t mpd_var_lib_t }) - - logging_search_logs($1) - admin_pattern($1, mpd_log_t) - - files_search_tmp($1) - admin_pattern($1, mpd_tmp_t) - - fs_search_tmpfs($1) - admin_pattern($1, mpd_tmpfs_t) -') diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te deleted file mode 100644 index 7c8afccf..00000000 --- a/policy/modules/contrib/mpd.te +++ /dev/null @@ -1,208 +0,0 @@ -policy_module(mpd, 1.0.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether mpd can traverse -## user home directories. -## </p> -## </desc> -gen_tunable(mpd_enable_homedirs, false) - -## <desc> -## <p> -## Determine whether mpd can use -## cifs file systems. -## </p> -## </desc> -gen_tunable(mpd_use_cifs, false) - -## <desc> -## <p> -## Determine whether mpd can use -## nfs file systems. -## </p> -## </desc> -gen_tunable(mpd_use_nfs, false) - -type mpd_t; -type mpd_exec_t; -init_daemon_domain(mpd_t, mpd_exec_t) -application_executable_file(mpd_exec_t) - -type mpd_data_t; -files_type(mpd_data_t) - -type mpd_etc_t; -files_config_file(mpd_etc_t) - -type mpd_initrc_exec_t; -init_script_file(mpd_initrc_exec_t) - -type mpd_log_t; -logging_log_file(mpd_log_t) - -type mpd_tmp_t; -files_tmp_file(mpd_tmp_t) - -type mpd_tmpfs_t; -files_tmpfs_file(mpd_tmpfs_t) - -optional_policy(` - pulseaudio_tmpfs_content(mpd_tmpfs_t) -') - -type mpd_var_lib_t; -files_type(mpd_var_lib_t) - -type mpd_user_data_t; -userdom_user_home_content(mpd_user_data_t) # customizable - -######################################## -# -# Local policy -# - -allow mpd_t self:capability { dac_override kill setgid setuid }; -allow mpd_t self:process { getsched setsched setrlimit signal signull }; -allow mpd_t self:fifo_file rw_fifo_file_perms; -allow mpd_t self:unix_stream_socket { accept connectto listen }; -allow mpd_t self:unix_dgram_socket sendto; -allow mpd_t self:tcp_socket { accept listen }; -allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; - -allow mpd_t mpd_data_t:dir manage_dir_perms; -allow mpd_t mpd_data_t:file manage_file_perms; -allow mpd_t mpd_data_t:lnk_file read_lnk_file_perms; - -read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) - -allow mpd_t mpd_log_t:dir setattr_dir_perms; -append_files_pattern(mpd_t, mpd_log_t, mpd_log_t) -create_files_pattern(mpd_t, mpd_log_t, mpd_log_t) -setattr_files_pattern(mpd_t, mpd_log_t, mpd_log_t) -logging_log_filetrans(mpd_t, mpd_log_t, { dir file }) - -manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file }) - -allow mpd_t mpd_tmpfs_t:file manage_file_perms; -fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file) - -allow mpd_t mpd_user_data_t:dir list_dir_perms; -allow mpd_t mpd_user_data_t:file read_file_perms; -allow mpd_t mpd_user_data_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir) - -kernel_getattr_proc(mpd_t) -kernel_read_system_state(mpd_t) -kernel_read_kernel_sysctls(mpd_t) - -corecmd_exec_bin(mpd_t) - -corenet_all_recvfrom_unlabeled(mpd_t) -corenet_all_recvfrom_netlabel(mpd_t) -corenet_tcp_sendrecv_generic_if(mpd_t) -corenet_tcp_sendrecv_generic_node(mpd_t) -corenet_tcp_bind_generic_node(mpd_t) - -corenet_sendrecv_mpd_server_packets(mpd_t) -corenet_tcp_bind_mpd_port(mpd_t) -corenet_tcp_sendrecv_mpd_port(mpd_t) - -corenet_sendrecv_soundd_server_packets(mpd_t) -corenet_tcp_bind_soundd_port(mpd_t) -corenet_sendrecv_soundd_client_packets(mpd_t) -corenet_tcp_connect_soundd_port(mpd_t) -corenet_tcp_sendrecv_soundd_port(mpd_t) - -corenet_sendrecv_http_client_packets(mpd_t) -corenet_tcp_connect_http_port(mpd_t) -corenet_tcp_sendrecv_http_port(mpd_t) - -corenet_sendrecv_http_cache_client_packets(mpd_t) -corenet_tcp_connect_http_cache_port(mpd_t) -corenet_tcp_sendrecv_http_cache_port(mpd_t) - -dev_read_urand(mpd_t) -dev_read_sound(mpd_t) -dev_write_sound(mpd_t) -dev_read_sysfs(mpd_t) - -files_read_usr_files(mpd_t) - -fs_getattr_all_fs(mpd_t) -fs_list_inotifyfs(mpd_t) -fs_rw_anon_inodefs_files(mpd_t) -fs_search_auto_mountpoints(mpd_t) - -auth_use_nsswitch(mpd_t) - -logging_send_syslog_msg(mpd_t) - -miscfiles_read_localization(mpd_t) - -tunable_policy(`mpd_enable_homedirs',` - userdom_search_user_home_dirs(mpd_t) -') - -tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(mpd_t) - fs_read_nfs_symlinks(mpd_t) -') - -tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(mpd_t) - fs_read_cifs_symlinks(mpd_t) -') - -tunable_policy(`mpd_use_cifs',` - fs_manage_cifs_dirs(mpd_t) - fs_manage_cifs_files(mpd_t) - fs_manage_cifs_symlinks(mpd_t) -') - -tunable_policy(`mpd_use_nfs',` - fs_manage_nfs_dirs(mpd_t) - fs_manage_nfs_files(mpd_t) - fs_manage_nfs_symlinks(mpd_t) -') - -optional_policy(` - alsa_read_rw_config(mpd_t) -') - -optional_policy(` - dbus_system_bus_client(mpd_t) - - optional_policy(` - consolekit_dbus_chat(mpd_t) - ') -') - -optional_policy(` - pulseaudio_domtrans(mpd_t) -') - -optional_policy(` - rpc_search_nfs_state_data(mpd_t) -') - -optional_policy(` - udev_read_db(mpd_t) -') - -optional_policy(` - xserver_stream_connect(mpd_t) - xserver_read_xdm_pid(mpd_t) -') diff --git a/policy/modules/contrib/mplayer.fc b/policy/modules/contrib/mplayer.fc deleted file mode 100644 index 755ebe2f..00000000 --- a/policy/modules/contrib/mplayer.fc +++ /dev/null @@ -1,8 +0,0 @@ -HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) - -/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0) - -/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0) -/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) -/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0) -/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) diff --git a/policy/modules/contrib/mplayer.if b/policy/modules/contrib/mplayer.if deleted file mode 100644 index 861d5e97..00000000 --- a/policy/modules/contrib/mplayer.if +++ /dev/null @@ -1,163 +0,0 @@ -## <summary>Mplayer media player and encoder.</summary> - -######################################## -## <summary> -## Role access for mplayer -## </summary> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role -## </summary> -## </param> -# -interface(`mplayer_role',` - gen_require(` - attribute_role mencoder_roles, mplayer_roles; - type mencoder_t, mencoder_exec_t, mplayer_home_t; - type mplayer_t, mplayer_exec_t, mplayer_tmpfs_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 mencoder_roles; - roleattribute $1 mplayer_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, mencoder_exec_t, mencoder_t) - domtrans_pattern($2, mplayer_exec_t, mplayer_t) - - allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mplayer_t mencoder_t }) - - allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mplayer_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 mplayer_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, mplayer_home_t, dir, ".mplayer") - - allow $2 mplayer_tmpfs_t:file { manage_file_perms relabel_file_perms }; - allow $2 mplayer_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 mplayer_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 mplayer_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -') - -######################################## -## <summary> -## Run mplayer in mplayer domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mplayer_domtrans',` - gen_require(` - type mplayer_t, mplayer_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mplayer_exec_t, mplayer_t) -') - -######################################## -## <summary> -## Execute mplayer in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -# -interface(`mplayer_exec',` - gen_require(` - type mplayer_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, mplayer_exec_t) -') - -######################################## -## <summary> -## Read mplayer user home content files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mplayer_read_user_home_files',` - gen_require(` - type mplayer_home_t; - ') - - userdom_search_user_home_dirs($1) - read_files_pattern($1, mplayer_home_t, mplayer_home_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## generic mplayer home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mplayer_manage_generic_home_content',` - gen_require(` - type mplayer_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mplayer_home_t:dir manage_dir_perms; - allow $1 mplayer_home_t:file manage_file_perms; - allow $1 mplayer_home_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Create specified objects in user home -## directories with the generic mplayer -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mplayer_home_filetrans_mplayer_home',` - gen_require(` - type mplayer_home_t; - ') - - userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) -') diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te deleted file mode 100644 index aa06187f..00000000 --- a/policy/modules/contrib/mplayer.te +++ /dev/null @@ -1,278 +0,0 @@ -policy_module(mplayer, 2.4.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether mplayer can make -## its stack executable. -## </p> -## </desc> -gen_tunable(allow_mplayer_execstack, false) - -## <desc> -## <p> -## Allow mplayer to read user content -## </p> -## </desc> -gen_tunable(mplayer_read_user_content, true) - -## <desc> -## <p> -## Allow mplayer to manage user content -## </p> -## </desc> -gen_tunable(mplayer_manage_user_content, false) - - -attribute_role mencoder_roles; -attribute_role mplayer_roles; - -type mencoder_t; -type mencoder_exec_t; -typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t }; -typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t }; -userdom_user_application_domain(mencoder_t, mencoder_exec_t) -role mencoder_roles types mencoder_t; - -type mplayer_t; -type mplayer_exec_t; -typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t }; -typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t }; -userdom_user_application_domain(mplayer_t, mplayer_exec_t) -role mplayer_roles types mplayer_t; - -type mplayer_etc_t; -files_config_file(mplayer_etc_t) - -type mplayer_home_t; -typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t }; -typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t }; -userdom_user_home_content(mplayer_home_t) - -type mplayer_tmpfs_t; -typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t }; -typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t }; -userdom_user_tmpfs_file(mplayer_tmpfs_t) - -optional_policy(` - pulseaudio_tmpfs_content(mplayer_tmpfs_t) -') - -######################################## -# -# Mencoder local policy -# - -allow mencoder_t mplayer_etc_t:dir list_dir_perms; -allow mencoder_t mplayer_etc_t:file read_file_perms; -allow mencoder_t mplayer_etc_t:lnk_file read_lnk_file_perms; - -allow mencoder_t mplayer_home_t:dir manage_dir_perms; -allow mencoder_t mplayer_home_t:file manage_file_perms; -allow mencoder_t mplayer_home_t:lnk_file manage_lnk_file_perms; -userdom_user_home_dir_filetrans(mencoder_t, mplayer_home_t, dir, ".mplayer") - -kernel_read_system_state(mencoder_t) -kernel_read_kernel_sysctls(mencoder_t) - -dev_rwx_zero(mencoder_t) -dev_read_video_dev(mencoder_t) - -files_read_usr_files(mencoder_t) - -fs_search_auto_mountpoints(mencoder_t) - -storage_raw_read_removable_device(mencoder_t) - -miscfiles_read_localization(mencoder_t) - -userdom_use_user_terminals(mencoder_t) - -userdom_manage_user_tmp_dirs(mencoder_t) -userdom_manage_user_tmp_files(mencoder_t) -userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file }) - -userdom_manage_user_home_content_dirs(mencoder_t) -userdom_manage_user_home_content_files(mencoder_t) -userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file }) - -ifndef(`enable_mls',` - fs_list_dos(mencoder_t) - fs_read_dos_files(mencoder_t) - - fs_search_removable(mencoder_t) - fs_read_removable_files(mencoder_t) - fs_read_removable_symlinks(mencoder_t) - - fs_read_iso9660_files(mencoder_t) -') - -tunable_policy(`allow_execmem',` - allow mencoder_t self:process execmem; -') - -tunable_policy(`allow_execmod',` - dev_execmod_zero(mencoder_t) -') - -tunable_policy(`allow_mplayer_execstack',` - allow mencoder_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(mencoder_t) - fs_manage_nfs_dirs(mencoder_t) - fs_manage_nfs_files(mencoder_t) - fs_manage_nfs_symlinks(mencoder_t) - -') - -tunable_policy(`use_samba_home_dirs',` - fs_getattr_cifs(mencoder_t) - fs_manage_cifs_dirs(mencoder_t) - fs_manage_cifs_files(mencoder_t) - fs_manage_cifs_symlinks(mencoder_t) -') - -######################################## -# -# Mplayer local policy -# - -allow mplayer_t self:process { signal_perms getsched }; -allow mplayer_t self:fifo_file rw_fifo_file_perms; -allow mplayer_t self:sem create_sem_perms; - -allow mplayer_t mplayer_etc_t:dir list_dir_perms; -allow mplayer_t mplayer_etc_t:file read_file_perms; -allow mplayer_t mplayer_etc_t:lnk_file read_lnk_file_perms; - -allow mplayer_t mplayer_home_t:dir manage_dir_perms; -allow mplayer_t mplayer_home_t:file manage_file_perms; -allow mplayer_t mplayer_home_t:lnk_file manage_lnk_file_perms; -userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir, ".mplayer") - -manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -kernel_dontaudit_list_unlabeled(mplayer_t) -kernel_dontaudit_getattr_unlabeled_files(mplayer_t) -kernel_dontaudit_read_unlabeled_files(mplayer_t) -kernel_read_system_state(mplayer_t) -kernel_read_kernel_sysctls(mplayer_t) - -corecmd_exec_bin(mplayer_t) -corecmd_exec_shell(mplayer_t) - -dev_read_rand(mplayer_t) -dev_read_realtime_clock(mplayer_t) -dev_read_sound_mixer(mplayer_t) -dev_read_urand(mplayer_t) -dev_read_video_dev(mplayer_t) -dev_write_sound_mixer(mplayer_t) -dev_write_video_dev(mplayer_t) -dev_rwx_zero(mplayer_t) - -domain_use_interactive_fds(mplayer_t) - -storage_raw_read_removable_device(mplayer_t) - -files_dontaudit_list_non_security(mplayer_t) -files_dontaudit_getattr_non_security_files(mplayer_t) -files_read_non_security_files(mplayer_t) -files_list_home(mplayer_t) -files_read_etc_runtime_files(mplayer_t) -files_read_usr_files(mplayer_t) - -fs_getattr_all_fs(mplayer_t) -fs_search_auto_mountpoints(mplayer_t) -fs_list_inotifyfs(mplayer_t) - -auth_use_nsswitch(mplayer_t) - -logging_send_syslog_msg(mplayer_t) - -miscfiles_read_localization(mplayer_t) -miscfiles_read_fonts(mplayer_t) - -userdom_use_user_terminals(mplayer_t) - -xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) - -ifdef(`distro_gentoo',` - xdg_manage_videos_home(mplayer_t) - - tunable_policy(`mplayer_read_user_content',` - userdom_read_user_home_content_files(mplayer_t) - userdom_read_user_home_content_symlinks(mplayer_t) - ') - - tunable_policy(`mplayer_manage_user_content',` - userdom_manage_user_tmp_dirs(mplayer_t) - userdom_manage_user_tmp_files(mplayer_t) - userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file }) - - userdom_manage_user_home_content_dirs(mplayer_t) - userdom_manage_user_home_content_files(mplayer_t) - - userdom_write_user_tmp_sockets(mplayer_t) - ') - - optional_policy(` - alsa_domain(mplayer_t, mplayer_tmpfs_t) - ') -') - -ifndef(`enable_mls',` - fs_list_dos(mplayer_t) - fs_read_dos_files(mplayer_t) - - fs_search_removable(mplayer_t) - fs_read_removable_files(mplayer_t) - fs_read_removable_symlinks(mplayer_t) - - fs_read_iso9660_files(mplayer_t) -') - -tunable_policy(`allow_execmem',` - allow mplayer_t self:process execmem; -') - -tunable_policy(`allow_execmod',` - dev_execmod_zero(mplayer_t) -') - -tunable_policy(`allow_mplayer_execstack',` - allow mplayer_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mplayer_t) - fs_manage_nfs_files(mplayer_t) - fs_manage_nfs_symlinks(mplayer_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mplayer_t) - fs_manage_cifs_files(mplayer_t) - fs_manage_cifs_symlinks(mplayer_t) -') - -tunable_policy(`allow_mplayer_execstack',` - allow mplayer_t mplayer_tmpfs_t:file execute; -') - -optional_policy(` - alsa_read_rw_config(mplayer_t) -') - -optional_policy(` - pulseaudio_run(mplayer_t, mplayer_roles) -') diff --git a/policy/modules/contrib/mrtg.fc b/policy/modules/contrib/mrtg.fc deleted file mode 100644 index 340735d0..00000000 --- a/policy/modules/contrib/mrtg.fc +++ /dev/null @@ -1,16 +0,0 @@ -/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0) -/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0) - -/etc/rc\.d/init\.d/mrtg -- gen_context(system_u:object_r:mrtg_initrc_exec_t,s0) - -/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0) - -/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0) - -/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) -/var/lock/mrtg-rrd(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) -/var/lock/subsys/mrtg -- gen_context(system_u:object_r:mrtg_lock_t,s0) - -/var/log/mrtg.* gen_context(system_u:object_r:mrtg_log_t,s0) - -/var/run/mrtg\.pid -- gen_context(system_u:object_r:mrtg_var_run_t,s0) diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if deleted file mode 100644 index c595094a..00000000 --- a/policy/modules/contrib/mrtg.if +++ /dev/null @@ -1,69 +0,0 @@ -## <summary>Network traffic graphing.</summary> - -######################################## -## <summary> -## Create and append mrtg log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mrtg_append_create_logs',` - gen_require(` - type mrtg_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, mrtg_log_t, mrtg_log_t) - create_files_pattern($1, mrtg_log_t, mrtg_log_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an mrtg environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mrtg_admin',` - gen_require(` - type mrtg_t, mrtg_var_run_t, mrtg_initrc_exec_t; - type mrtg_var_lib_t, mrtg_lock_t, mrtg_log_t; - type mrtg_etc_t; - ') - - allow $1 mrtg_t:process { ptrace signal_perms }; - ps_process_pattern($1, mrtg_t) - - init_labeled_script_domtrans($1, mrtg_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mrtg_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, mrtg_etc_t) - - files_search_locks($1) - admin_pattern($1, mrtg_lock_t) - - logging_search_logs($1) - admin_pattern($1, mrtg_log_t) - - files_search_pids($1) - admin_pattern($1, mrtg_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, mrtg_var_lib_t) -') diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te deleted file mode 100644 index c97c1771..00000000 --- a/policy/modules/contrib/mrtg.te +++ /dev/null @@ -1,152 +0,0 @@ -policy_module(mrtg, 1.8.2) - -######################################## -# -# Declarations -# - -type mrtg_t; -type mrtg_exec_t; -init_system_domain(mrtg_t, mrtg_exec_t) - -type mrtg_initrc_exec_t; -init_script_file(mrtg_initrc_exec_t) - -type mrtg_etc_t; -files_config_file(mrtg_etc_t) - -type mrtg_lock_t; -files_lock_file(mrtg_lock_t) - -type mrtg_log_t; -logging_log_file(mrtg_log_t) - -type mrtg_var_lib_t; -files_type(mrtg_var_lib_t) - -type mrtg_var_run_t; -files_pid_file(mrtg_var_run_t) - -######################################## -# -# Local policy -# - -allow mrtg_t self:capability { setgid setuid chown }; -dontaudit mrtg_t self:capability sys_tty_config; -allow mrtg_t self:process signal_perms; -allow mrtg_t self:fifo_file rw_fifo_file_perms; - -allow mrtg_t mrtg_etc_t:dir list_dir_perms; -allow mrtg_t mrtg_etc_t:file read_file_perms; -allow mrtg_t mrtg_etc_t:lnk_file read_lnk_file_perms; - -allow mrtg_t mrtg_lock_t:dir manage_dir_perms; -allow mrtg_t mrtg_lock_t:file manage_file_perms; -allow mrtg_t mrtg_lock_t:lnk_file manage_lnk_file_perms; -files_lock_filetrans(mrtg_t, mrtg_lock_t, { dir file }) - -manage_dirs_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) -append_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) -create_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) -setattr_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) -logging_log_filetrans(mrtg_t, mrtg_log_t, { dir file }) - -manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t) -manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t) - -allow mrtg_t mrtg_var_run_t:file manage_file_perms; -files_pid_filetrans(mrtg_t, mrtg_var_run_t, file) - -kernel_read_system_state(mrtg_t) -kernel_read_network_state(mrtg_t) -kernel_read_kernel_sysctls(mrtg_t) - -corecmd_exec_bin(mrtg_t) -corecmd_exec_shell(mrtg_t) - -corenet_all_recvfrom_unlabeled(mrtg_t) -corenet_all_recvfrom_netlabel(mrtg_t) -corenet_tcp_sendrecv_generic_if(mrtg_t) -corenet_tcp_sendrecv_generic_node(mrtg_t) - -corenet_sendrecv_all_client_packets(mrtg_t) -corenet_tcp_connect_all_ports(mrtg_t) -corenet_tcp_sendrecv_all_ports(mrtg_t) - -dev_read_sysfs(mrtg_t) -dev_read_urand(mrtg_t) - -domain_use_interactive_fds(mrtg_t) -domain_dontaudit_search_all_domains_state(mrtg_t) - -files_getattr_tmp_dirs(mrtg_t) -files_read_etc_runtime_files(mrtg_t) -files_read_usr_files(mrtg_t) -files_search_var(mrtg_t) -files_search_locks(mrtg_t) -files_search_var_lib(mrtg_t) -files_search_spool(mrtg_t) - -fs_search_auto_mountpoints(mrtg_t) -fs_getattr_all_fs(mrtg_t) -fs_list_inotifyfs(mrtg_t) - -term_dontaudit_use_console(mrtg_t) - -init_use_fds(mrtg_t) -init_use_script_ptys(mrtg_t) -init_read_utmp(mrtg_t) -init_dontaudit_write_utmp(mrtg_t) - -auth_use_nsswitch(mrtg_t) - -libs_read_lib_files(mrtg_t) - -logging_send_syslog_msg(mrtg_t) - -miscfiles_read_localization(mrtg_t) - -selinux_dontaudit_getattr_dir(mrtg_t) - -userdom_use_user_terminals(mrtg_t) -userdom_dontaudit_read_user_home_content_files(mrtg_t) -userdom_dontaudit_use_unpriv_user_fds(mrtg_t) - -netutils_domtrans_ping(mrtg_t) - -ifdef(`enable_mls',` - corenet_udp_sendrecv_lo_if(mrtg_t) -') - -optional_policy(` - apache_manage_sys_content(mrtg_t) -') - -optional_policy(` - cron_system_entry(mrtg_t, mrtg_exec_t) -') - -optional_policy(` - hostname_exec(mrtg_t) -') - -optional_policy(` - hddtemp_domtrans(mrtg_t) -') - -optional_policy(` - seutil_sigchld_newrole(mrtg_t) -') - -optional_policy(` - quota_dontaudit_getattr_db(mrtg_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(mrtg_t) -') - -optional_policy(` - udev_read_db(mrtg_t) -') diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc deleted file mode 100644 index f42896cb..00000000 --- a/policy/modules/contrib/mta.fc +++ /dev/null @@ -1,34 +0,0 @@ -HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) -HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) -HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) -HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) -HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) -HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) - -/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) -/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) - -/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - -/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) -/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if deleted file mode 100644 index 48a28450..00000000 --- a/policy/modules/contrib/mta.if +++ /dev/null @@ -1,1119 +0,0 @@ -## <summary>Common e-mail transfer agent policy.</summary> - -######################################## -## <summary> -## MTA stub interface. No access allowed. -## </summary> -## <param name="domain" unused="true"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_stub',` - gen_require(` - type sendmail_exec_t; - ') -') - -####################################### -## <summary> -## The template to define a mail domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`mta_base_mail_template',` - gen_require(` - attribute user_mail_domain; - type sendmail_exec_t; - ') - - ######################################## - # - # Declarations - # - - type $1_mail_t, user_mail_domain; - application_domain($1_mail_t, sendmail_exec_t) - - type $1_mail_tmp_t; - files_tmp_file($1_mail_tmp_t) - - ######################################## - # - # Declarations - # - - manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) - - auth_use_nsswitch($1_mail_t) - - optional_policy(` - postfix_domtrans_user_mail_handler($1_mail_t) - ') -') - -######################################## -## <summary> -## Role access for mta. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`mta_role',` - gen_require(` - attribute mta_user_agent; - attribute_role user_mail_roles; - type user_mail_t, sendmail_exec_t, mail_home_t; - type user_mail_tmp_t, mail_home_rw_t; - ') - - roleattribute $1 user_mail_roles; - - # this is something i need to fix - # i dont know if and why it is needed - # will role attribute work? - role $1 types mta_user_agent; - - domtrans_pattern($2, sendmail_exec_t, user_mail_t) - allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; - - allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms }; - ps_process_pattern($2, { user_mail_t mta_user_agent }) - - allow $2 mail_home_t:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue") - userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward") - userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc") - userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter") - - allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms }; - allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir") - userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir") - - allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms }; - - optional_policy(` - exim_run($2, $1) - ') - - optional_policy(` - mailman_run($2, $1) - ') -') - -######################################## -## <summary> -## Make the specified domain usable for a mail server. -## </summary> -## <param name="type"> -## <summary> -## Type to be used as a mail server domain. -## </summary> -## </param> -## <param name="entry_point"> -## <summary> -## Type of the program to be used as an entry point to this domain. -## </summary> -## </param> -# -interface(`mta_mailserver',` - gen_require(` - attribute mailserver_domain; - ') - - init_daemon_domain($1, $2) - typeattribute $1 mailserver_domain; -') - -######################################## -## <summary> -## Make the specified type a MTA executable file. -## </summary> -## <param name="type"> -## <summary> -## Type to be used as a mail client. -## </summary> -## </param> -# -interface(`mta_agent_executable',` - gen_require(` - attribute mta_exec_type; - ') - - typeattribute $1 mta_exec_type; - - application_executable_file($1) -') - -####################################### -## <summary> -## Read mta mail home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_read_mail_home_files',` - gen_require(` - type mail_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mail_home_t:file read_file_perms; -') - -####################################### -## <summary> -## Create, read, write, and delete -## mta mail home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_manage_mail_home_files',` - gen_require(` - type mail_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mail_home_t:file manage_file_perms; -') - -######################################## -## <summary> -## Create specified objects in user home -## directories with the generic mail -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mta_home_filetrans_mail_home',` - gen_require(` - type mail_home_t; - ') - - userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3) -') - -####################################### -## <summary> -## Create, read, write, and delete -## mta mail home rw content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_manage_mail_home_rw_content',` - gen_require(` - type mail_home_rw_t; - ') - - userdom_search_user_home_dirs($1) - manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) - manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) - manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) -') - -######################################## -## <summary> -## Create specified objects in user home -## directories with the generic mail -## home rw type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mta_home_filetrans_mail_home_rw',` - gen_require(` - type mail_home_rw_t; - ') - - userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3) -') - -######################################## -## <summary> -## Make the specified type by a system MTA. -## </summary> -## <param name="type"> -## <summary> -## Type to be used as a mail client. -## </summary> -## </param> -# -interface(`mta_system_content',` - gen_require(` - attribute mailcontent_type; - ') - - typeattribute $1 mailcontent_type; -') - -######################################## -## <summary> -## Modified mailserver interface for -## sendmail daemon use. -## </summary> -## <desc> -## <p> -## A modified MTA mail server interface for -## the sendmail program. It's design does -## not fit well with policy, and using the -## regular interface causes a type_transition -## conflict if direct running of init scripts -## is enabled. -## </p> -## <p> -## This interface should most likely only be used -## by the sendmail policy. -## </p> -## </desc> -## <param name="domain"> -## <summary> -## The type to be used for the mail server. -## </summary> -## </param> -# -interface(`mta_sendmail_mailserver',` - gen_require(` - attribute mailserver_domain; - type sendmail_exec_t; - ') - - init_system_domain($1, sendmail_exec_t) - - typeattribute $1 mailserver_domain; -') - -####################################### -## <summary> -## Make a type a mailserver type used -## for sending mail. -## </summary> -## <param name="domain"> -## <summary> -## Mail server domain type used for sending mail. -## </summary> -## </param> -# -interface(`mta_mailserver_sender',` - gen_require(` - attribute mailserver_sender; - ') - - typeattribute $1 mailserver_sender; -') - -####################################### -## <summary> -## Make a type a mailserver type used -## for delivering mail to local users. -## </summary> -## <param name="domain"> -## <summary> -## Mail server domain type used for delivering mail. -## </summary> -## </param> -# -interface(`mta_mailserver_delivery',` - gen_require(` - attribute mailserver_delivery; - ') - - typeattribute $1 mailserver_delivery; -') - -####################################### -## <summary> -## Make a type a mailserver type used -## for sending mail on behalf of local -## users to the local mail spool. -## </summary> -## <param name="domain"> -## <summary> -## Mail server domain type used for sending local mail. -## </summary> -## </param> -# -interface(`mta_mailserver_user_agent',` - gen_require(` - attribute mta_user_agent; - ') - - typeattribute $1 mta_user_agent; -') - -######################################## -## <summary> -## Send mail from the system. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mta_send_mail',` - gen_require(` - type system_mail_t; - attribute mta_exec_type; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mta_exec_type, system_mail_t) - - allow $1 mta_exec_type:lnk_file read_lnk_file_perms; - - ifdef(`distro_gentoo',` - gen_require(` - attribute mta_user_agent; - ') - - dontaudit mta_user_agent $1:fd use; - ') -') - -######################################## -## <summary> -## Execute send mail in a specified domain. -## </summary> -## <desc> -## <p> -## Execute send mail in a specified domain. -## </p> -## <p> -## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -## </p> -## </desc> -## <param name="source_domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="target_domain"> -## <summary> -## Domain to transition to. -## </summary> -## </param> -# -interface(`mta_sendmail_domtrans',` - gen_require(` - type sendmail_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_trans($1, sendmail_exec_t, $2) - - allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Send signals to system mail. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -# -interface(`mta_signal_system_mail',` - gen_require(` - type system_mail_t; - ') - - allow $1 system_mail_t:process signal; -') - -######################################## -## <summary> -## Send kill signals to system mail. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_kill_system_mail',` - gen_require(` - type system_mail_t; - ') - - allow $1 system_mail_t:process sigkill; -') - -######################################## -## <summary> -## Execute sendmail in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_sendmail_exec',` - gen_require(` - type sendmail_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, sendmail_exec_t) -') - -######################################## -## <summary> -## Read mail server configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mta_read_config',` - gen_require(` - type etc_mail_t; - ') - - files_search_etc($1) - allow $1 etc_mail_t:dir list_dir_perms; - allow $1 etc_mail_t:file read_file_perms; - allow $1 etc_mail_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Write mail server configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mta_write_config',` - gen_require(` - type etc_mail_t; - ') - - files_search_etc($1) - write_files_pattern($1, etc_mail_t, etc_mail_t) -') - -######################################## -## <summary> -## Read mail address alias files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_read_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - allow $1 etc_aliases_t:file read_file_perms; - - ifdef(`distro_gentoo',` - gen_require(` - type etc_mail_t; - ') - - search_dirs_pattern($1, etc_mail_t, etc_aliases_t) - read_files_pattern($1, etc_mail_t, etc_aliases_t) - ') -') - -######################################## -## <summary> -## Create, read, write, and delete -## mail address alias content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_manage_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - manage_files_pattern($1, etc_aliases_t, etc_aliases_t) - manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) - - ifdef(`distro_gentoo',` - gen_require(` - type etc_mail_t; - ') - - search_dirs_pattern($1, etc_mail_t, etc_aliases_t) - manage_files_pattern($1, etc_mail_t, etc_aliases_t) - manage_lnk_files_pattern($1, etc_mail_t, etc_aliases_t) - ') -') - -######################################## -## <summary> -## Create specified object in generic -## etc directories with the mail address -## alias type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mta_etc_filetrans_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_etc_filetrans($1, etc_aliases_t, $2, $3) -') - -######################################## -## <summary> -## Create specified objects in specified -## directories with a type transition to -## the mail address alias type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="file_type"> -## <summary> -## Directory to transition on. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mta_spec_filetrans_aliases',` - gen_require(` - type etc_aliases_t; - ') - - filetrans_pattern($1, $2, etc_aliases_t, $3, $4) -') - -######################################## -## <summary> -## Read and write mail alias files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mta_rw_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - allow $1 etc_aliases_t:file rw_file_perms; - - ifdef(`distro_gentoo',` - gen_require(` - type etc_mail_t; - ') - - search_dirs_pattern($1, etc_mail_t, etc_aliases_t) - rw_files_pattern($1, etc_mail_t, etc_aliases_t) - ') -') - -####################################### -## <summary> -## Do not audit attempts to read -## and write TCP sockets of mail -## delivery domains. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`mta_dontaudit_rw_delivery_tcp_sockets',` - gen_require(` - attribute mailserver_delivery; - ') - - dontaudit $1 mailserver_delivery:tcp_socket { read write }; -') - -####################################### -## <summary> -## Connect to all mail servers over TCP. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_tcp_connect_all_mailservers',` - refpolicywarn(`$0($*) has been deprecated.') -') - -####################################### -## <summary> -## Do not audit attempts to read -## mail spool symlinks. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`mta_dontaudit_read_spool_symlinks',` - gen_require(` - type mail_spool_t; - ') - - dontaudit $1 mail_spool_t:lnk_file read; -') - -######################################## -## <summary> -## Get attributes of mail spool content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_getattr_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - getattr_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -######################################## -## <summary> -## Do not audit attempts to get -## attributes of mail spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`mta_dontaudit_getattr_spool_files',` - gen_require(` - type mail_spool_t; - ') - - files_dontaudit_search_spool($1) - dontaudit $1 mail_spool_t:dir search_dir_perms; - dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms; - dontaudit $1 mail_spool_t:file getattr_file_perms; -') - -####################################### -## <summary> -## Create specified objects in the -## mail spool directory with a -## private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private type"> -## <summary> -## The type of the object to be created. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mta_spool_filetrans',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - filetrans_pattern($1, mail_spool_t, $2, $3, $4) -') - -####################################### -## <summary> -## Read mail spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_read_spool_files',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, mail_spool_t, mail_spool_t) -') - -######################################## -## <summary> -## Read and write mail spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_rw_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - allow $1 mail_spool_t:file rw_file_perms; - allow $1 mail_spool_t:lnk_file read_lnk_file_perms; -') - -####################################### -## <summary> -## Create, read, and write mail spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_append_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - manage_files_pattern($1, mail_spool_t, mail_spool_t) - allow $1 mail_spool_t:lnk_file read_lnk_file_perms; -') - -####################################### -## <summary> -## Delete mail spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_delete_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - delete_files_pattern($1, mail_spool_t, mail_spool_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## mail spool content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_manage_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mail_spool_t, mail_spool_t) - manage_files_pattern($1, mail_spool_t, mail_spool_t) - manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -####################################### -## <summary> -## Create specified objects in the -## mail queue spool directory with a -## private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private type"> -## <summary> -## The type of the object to be created. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mta_queue_filetrans',` - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - filetrans_pattern($1, mqueue_spool_t, $2, $3, $4) -') - -######################################## -## <summary> -## Search mail queue directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_search_queue',` - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - allow $1 mqueue_spool_t:dir search_dir_perms; -') - -####################################### -## <summary> -## List mail queue directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_list_queue',` - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - allow $1 mqueue_spool_t:dir list_dir_perms; -') - -####################################### -## <summary> -## Read mail queue files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_read_queue',` - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) -') - -####################################### -## <summary> -## Do not audit attempts to read and -## write mail queue content. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`mta_dontaudit_rw_queue',` - gen_require(` - type mqueue_spool_t; - ') - - dontaudit $1 mqueue_spool_t:dir search_dir_perms; - dontaudit $1 mqueue_spool_t:file rw_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## mail queue content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_manage_queue',` - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t) - manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) -') - -####################################### -## <summary> -## Read sendmail binary. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_read_sendmail_bin',` - gen_require(` - type sendmail_exec_t; - ') - - allow $1 sendmail_exec_t:file read_file_perms; -') - -####################################### -## <summary> -## Read and write unix domain stream -## sockets of all base mail domains. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mta_rw_user_mail_stream_sockets',` - gen_require(` - attribute user_mail_domain; - ') - - allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; -') diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te deleted file mode 100644 index 32bcd86d..00000000 --- a/policy/modules/contrib/mta.te +++ /dev/null @@ -1,416 +0,0 @@ -policy_module(mta, 2.6.5) - -######################################## -# -# Declarations -# - -attribute mailcontent_type; -attribute mta_exec_type; -attribute mta_user_agent; -attribute mailserver_delivery; -attribute mailserver_domain; -attribute mailserver_sender; - -attribute user_mail_domain; - -attribute_role user_mail_roles; - -type etc_aliases_t; -files_type(etc_aliases_t) - -type etc_mail_t; -files_config_file(etc_mail_t) - -type mail_home_t alias mail_forward_t; -userdom_user_home_content(mail_home_t) - -type mail_home_rw_t; -userdom_user_home_content(mail_home_rw_t) - -type mqueue_spool_t; -files_mountpoint(mqueue_spool_t) - -type mail_spool_t; -files_mountpoint(mail_spool_t) - -type sendmail_exec_t; -mta_agent_executable(sendmail_exec_t) - -mta_base_mail_template(system) -role system_r types system_mail_t; - -mta_base_mail_template(user) -typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; -typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; -userdom_user_application_type(user_mail_t) -role user_mail_roles types user_mail_t; - -typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t }; -typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; -userdom_user_tmp_file(user_mail_tmp_t) - -######################################## -# -# Common base mail policy -# - -allow user_mail_domain self:capability { setuid setgid chown }; -allow user_mail_domain self:process { signal_perms setrlimit }; -allow user_mail_domain self:fifo_file rw_fifo_file_perms; - -allow user_mail_domain mta_exec_type:file entrypoint; - -allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms }; - -manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) -manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) -manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) -userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir") -userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir") - -read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t }) - -manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t }) -read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t }) - -allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms; - -can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t }) - -kernel_read_system_state(user_mail_domain) -kernel_read_kernel_sysctls(user_mail_domain) -kernel_read_network_state(user_mail_domain) -kernel_request_load_module(user_mail_domain) - -corenet_all_recvfrom_netlabel(user_mail_domain) -corenet_tcp_sendrecv_generic_if(user_mail_domain) -corenet_tcp_sendrecv_generic_node(user_mail_domain) - -corenet_sendrecv_all_client_packets(user_mail_domain) -corenet_tcp_connect_all_ports(user_mail_domain) -corenet_tcp_sendrecv_all_ports(user_mail_domain) - -corecmd_exec_bin(user_mail_domain) - -dev_read_urand(user_mail_domain) - -domain_use_interactive_fds(user_mail_domain) - -files_read_etc_runtime_files(user_mail_domain) -files_read_usr_files(user_mail_domain) -files_search_spool(user_mail_domain) -files_dontaudit_search_pids(user_mail_domain) - -fs_getattr_all_fs(user_mail_domain) - -init_dontaudit_rw_utmp(user_mail_domain) - -logging_send_syslog_msg(user_mail_domain) - -miscfiles_read_localization(user_mail_domain) - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(user_mail_domain) - fs_manage_cifs_files(user_mail_domain) - fs_read_cifs_symlinks(user_mail_domain) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(user_mail_domain) - fs_manage_nfs_files(user_mail_domain) - fs_read_nfs_symlinks(user_mail_domain) -') - -optional_policy(` - courier_manage_spool_dirs(user_mail_domain) - courier_manage_spool_files(user_mail_domain) - courier_rw_spool_pipes(user_mail_domain) -') - -optional_policy(` - exim_domtrans(user_mail_domain) - exim_manage_log(user_mail_domain) - exim_manage_spool_files(user_mail_domain) -') - -optional_policy(` - files_getattr_tmp_dirs(user_mail_domain) - - postfix_exec_master(user_mail_domain) - postfix_read_config(user_mail_domain) - postfix_search_spool(user_mail_domain) - postfix_rw_inherited_master_pipes(user_mail_domain) - - ifdef(`distro_redhat',` - postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) - ') -') - -optional_policy(` - procmail_exec(user_mail_domain) -') - -optional_policy(` - qmail_domtrans_inject(user_mail_domain) -') - -optional_policy(` - sendmail_manage_log(user_mail_domain) - sendmail_log_filetrans_sendmail_log(user_mail_domain, file) -') - -optional_policy(` - uucp_manage_spool(user_mail_domain) -') - -######################################## -# -# System local policy -# - -allow system_mail_t self:capability { dac_override fowner }; - -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) - -read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) - -allow system_mail_t mail_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue") -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward") -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc") -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter") - -allow system_mail_t user_mail_domain:dir list_dir_perms; -allow system_mail_t user_mail_domain:file read_file_perms; -allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms; - -corecmd_exec_shell(system_mail_t) - -dev_read_rand(system_mail_t) -dev_read_sysfs(system_mail_t) - -fs_rw_anon_inodefs_files(system_mail_t) - -selinux_getattr_fs(system_mail_t) - -term_dontaudit_use_unallocated_ttys(system_mail_t) - -init_use_script_ptys(system_mail_t) - -userdom_use_user_terminals(system_mail_t) - -optional_policy(` - apache_read_squirrelmail_data(system_mail_t) - apache_append_squirrelmail_data(system_mail_t) - apache_dontaudit_append_log(system_mail_t) - apache_dontaudit_rw_stream_sockets(system_mail_t) - apache_dontaudit_rw_tcp_sockets(system_mail_t) - apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) -') - -optional_policy(` - arpwatch_manage_tmp_files(system_mail_t) - - ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(system_mail_t) - ') -') - -optional_policy(` - bugzilla_search_content(system_mail_t) - bugzilla_dontaudit_rw_stream_sockets(system_mail_t) -') - -optional_policy(` - clamav_stream_connect(system_mail_t) - clamav_append_log(system_mail_t) -') - -optional_policy(` - cron_read_system_job_tmp_files(system_mail_t) - cron_dontaudit_write_pipes(system_mail_t) - cron_rw_system_job_stream_sockets(system_mail_t) -') - -optional_policy(` - courier_stream_connect_authdaemon(system_mail_t) - courier_manage_spool_dirs(system_mail_t) - courier_manage_spool_files(system_mail_t) - courier_rw_spool_pipes(system_mail_t) -') - -optional_policy(` - cvs_read_data(system_mail_t) -') - -optional_policy(` - exim_domtrans(system_mail_t) - exim_manage_log(system_mail_t) -') - -optional_policy(` - fail2ban_dontaudit_rw_stream_sockets(system_mail_t) - fail2ban_append_log(system_mail_t) - fail2ban_rw_inherited_tmp_files(system_mail_t) -') - -optional_policy(` - logrotate_read_tmp_files(system_mail_t) -') - -optional_policy(` - logwatch_read_tmp_files(system_mail_t) -') - -optional_policy(` - milter_getattr_all_sockets(system_mail_t) -') - -optional_policy(` - nagios_read_tmp_files(system_mail_t) -') - -optional_policy(` - manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) -') - -optional_policy(` - sxid_read_log(system_mail_t) -') - -optional_policy(` - userdom_dontaudit_use_user_ptys(system_mail_t) - - optional_policy(` - cron_dontaudit_append_system_job_tmp_files(system_mail_t) - ') -') - -optional_policy(` - spamassassin_stream_connect_spamd(system_mail_t) -') - -optional_policy(` - smartmon_read_tmp_files(system_mail_t) -') - -######################################## -# -# MTA user agent local policy -# - -userdom_use_user_terminals(mta_user_agent) - -optional_policy(` - apache_append_log(mta_user_agent) -') - -optional_policy(` - arpwatch_manage_tmp_files(mta_user_agent) - - ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) - ') - - optional_policy(` - cron_read_system_job_tmp_files(mta_user_agent) - ') -') - -######################################## -# -# Mailserver delivery local policy -# - -allow mailserver_delivery self:fifo_file rw_fifo_file_perms; - -allow mailserver_delivery mail_spool_t:dir list_dir_perms; -create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) - -manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) -manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t }) -manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) -userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue") -userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward") -userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc") -userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter") -userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir") -userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir") - -read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mailserver_delivery) - fs_manage_cifs_files(mailserver_delivery) - fs_read_cifs_symlinks(mailserver_delivery) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mailserver_delivery) - fs_manage_nfs_files(mailserver_delivery) - fs_read_nfs_symlinks(mailserver_delivery) -') - -optional_policy(` - arpwatch_search_data(mailserver_delivery) -') - -optional_policy(` - dovecot_manage_spool(mailserver_delivery) - dovecot_domtrans_deliver(mailserver_delivery) -') - -optional_policy(` - files_search_var_lib(mailserver_delivery) - - mailman_domtrans(mailserver_delivery) - mailman_read_data_symlinks(mailserver_delivery) -') - -optional_policy(` - postfix_rw_inherited_master_pipes(mailserver_delivery) -') - -optional_policy(` - uucp_domtrans_uux(mailserver_delivery) -') - -######################################## -# -# User local policy -# - -manage_files_pattern(user_mail_t, mail_home_t, mail_home_t) -userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue") -userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward") -userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc") -userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter") - -dev_read_sysfs(user_mail_t) - -userdom_use_user_terminals(user_mail_t) - -optional_policy(` - allow user_mail_t self:capability dac_override; - - userdom_rw_user_tmp_files(user_mail_t) - - postfix_read_config(user_mail_t) - postfix_list_spool(user_mail_t) -') - -ifdef(`distro_gentoo',` - optional_policy(` - at_rw_inherited_job_log_files(system_mail_t) - ') -') diff --git a/policy/modules/contrib/munin.fc b/policy/modules/contrib/munin.fc deleted file mode 100644 index eb4b72a9..00000000 --- a/policy/modules/contrib/munin.fc +++ /dev/null @@ -1,77 +0,0 @@ -/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) - -/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) - -/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) - -/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) - -/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) - -/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0) - -/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) - -/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) - -/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) - -/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0) - -/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) - -/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) - -/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) - -/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0) - -/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) -/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if deleted file mode 100644 index b744fe35..00000000 --- a/policy/modules/contrib/munin.if +++ /dev/null @@ -1,197 +0,0 @@ -## <summary>Munin network-wide load graphing.</summary> - -####################################### -## <summary> -## The template to define a munin plugin domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`munin_plugin_template',` - gen_require(` - attribute munin_plugin_domain, munin_plugin_tmp_content; - type munin_t; - ') - - ######################################## - # - # Declarations - # - - type $1_munin_plugin_t, munin_plugin_domain; - type $1_munin_plugin_exec_t; - typealias $1_munin_plugin_t alias munin_$1_plugin_t; - typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t; - application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t) - role system_r types $1_munin_plugin_t; - - type $1_munin_plugin_tmp_t, munin_plugin_tmp_content; - typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t; - files_tmp_file($1_munin_plugin_tmp_t) - - ######################################## - # - # Policy - # - - domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) - - manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) - manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) - files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) -') - -######################################## -## <summary> -## Connect to munin over a unix domain -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`munin_stream_connect',` - gen_require(` - type munin_var_run_t, munin_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t) -') - -####################################### -## <summary> -## Read munin configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`munin_read_config',` - gen_require(` - type munin_etc_t; - ') - - files_search_etc($1) - allow $1 munin_etc_t:dir list_dir_perms; - allow $1 munin_etc_t:file read_file_perms; - allow $1 munin_etc_t:lnk_file read_lnk_file_perms; -') - -####################################### -## <summary> -## Append munin log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`munin_append_log',` - gen_require(` - type munin_log_t; - ') - - logging_search_logs($1) - allow $1 munin_log_t:dir list_dir_perms; - append_files_pattern($1, munin_log_t, munin_log_t) -') - -####################################### -## <summary> -## Search munin library directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`munin_search_lib',` - gen_require(` - type munin_var_lib_t; - ') - - allow $1 munin_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -####################################### -## <summary> -## Do not audit attempts to search -## munin library directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`munin_dontaudit_search_lib',` - gen_require(` - type munin_var_lib_t; - ') - - dontaudit $1 munin_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an munin environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`munin_admin',` - gen_require(` - attribute munin_plugin_domain, munin_plugin_tmp_content; - type munin_t, munin_etc_t, munin_tmp_t; - type munin_log_t, munin_var_lib_t, munin_var_run_t; - type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; - ') - - allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { munin_plugin_domain munin_t }) - - init_labeled_script_domtrans($1, munin_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 munin_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content }) - - logging_list_logs($1) - admin_pattern($1, munin_log_t) - - files_list_etc($1) - admin_pattern($1, munin_etc_t) - - files_list_var_lib($1) - admin_pattern($1, { munin_var_lib_t munin_plugin_state_t }) - - files_list_pids($1) - admin_pattern($1, munin_var_run_t) - - admin_pattern($1, httpd_munin_content_t) -') diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te deleted file mode 100644 index 97370e4f..00000000 --- a/policy/modules/contrib/munin.te +++ /dev/null @@ -1,415 +0,0 @@ -policy_module(munin, 1.8.10) - -######################################## -# -# Declarations -# - -attribute munin_plugin_domain; -attribute munin_plugin_tmp_content; - -type munin_t alias lrrd_t; -type munin_exec_t alias lrrd_exec_t; -init_daemon_domain(munin_t, munin_exec_t) - -type munin_etc_t alias lrrd_etc_t; -files_config_file(munin_etc_t) - -type munin_initrc_exec_t; -init_script_file(munin_initrc_exec_t) - -type munin_log_t alias lrrd_log_t; -logging_log_file(munin_log_t) - -type munin_tmp_t alias lrrd_tmp_t; -files_tmp_file(munin_tmp_t) - -type munin_var_lib_t alias lrrd_var_lib_t; -files_type(munin_var_lib_t) - -type munin_plugin_state_t; -files_type(munin_plugin_state_t) - -type munin_var_run_t alias lrrd_var_run_t; -files_pid_file(munin_var_run_t) - -munin_plugin_template(disk) -munin_plugin_template(mail) -munin_plugin_template(selinux) -munin_plugin_template(services) -munin_plugin_template(system) -munin_plugin_template(unconfined) - -################################ -# -# Common munin plugin local policy -# - -allow munin_plugin_domain self:process signal; -allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; - -allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; - -read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) - -allow munin_plugin_domain munin_exec_t:file read_file_perms; - -allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; - -manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) - -kernel_read_system_state(munin_plugin_domain) - -corenet_all_recvfrom_unlabeled(munin_plugin_domain) -corenet_all_recvfrom_netlabel(munin_plugin_domain) -corenet_tcp_sendrecv_generic_if(munin_plugin_domain) -corenet_tcp_sendrecv_generic_node(munin_plugin_domain) - -corecmd_exec_bin(munin_plugin_domain) -corecmd_exec_shell(munin_plugin_domain) - -files_read_etc_files(munin_plugin_domain) -files_read_usr_files(munin_plugin_domain) -files_search_var_lib(munin_plugin_domain) - -fs_getattr_all_fs(munin_plugin_domain) - -miscfiles_read_localization(munin_plugin_domain) - -optional_policy(` - nscd_use(munin_plugin_domain) -') - -######################################## -# -# Local policy -# - -allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio }; -dontaudit munin_t self:capability sys_tty_config; -allow munin_t self:process { getsched setsched signal_perms }; -allow munin_t self:unix_stream_socket { accept connectto listen }; -allow munin_t self:unix_dgram_socket sendto; -allow munin_t self:tcp_socket { accept listen }; -allow munin_t self:fifo_file manage_fifo_file_perms; - -allow munin_t munin_plugin_domain:process signal_perms; - -allow munin_t munin_etc_t:dir list_dir_perms; -allow munin_t munin_etc_t:file read_file_perms; -allow munin_t munin_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) -append_files_pattern(munin_t, munin_log_t, munin_log_t) -create_files_pattern(munin_t, munin_log_t, munin_log_t) -setattr_files_pattern(munin_t, munin_log_t, munin_log_t) -logging_log_filetrans(munin_t, munin_log_t, { file dir }) - -manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) -manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) -manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) -files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file }) - -manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) - -read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) - -manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) -manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -files_pid_filetrans(munin_t, munin_var_run_t, { dir file }) - -can_exec(munin_t, munin_exec_t) - -kernel_read_system_state(munin_t) -kernel_read_network_state(munin_t) -kernel_read_all_sysctls(munin_t) - -corecmd_exec_bin(munin_t) -corecmd_exec_shell(munin_t) - -corenet_all_recvfrom_unlabeled(munin_t) -corenet_all_recvfrom_netlabel(munin_t) -corenet_tcp_sendrecv_generic_if(munin_t) -corenet_tcp_sendrecv_generic_node(munin_t) -corenet_tcp_bind_generic_node(munin_t) - -corenet_sendrecv_munin_server_packets(munin_t) -corenet_tcp_bind_munin_port(munin_t) -corenet_sendrecv_munin_client_packets(munin_t) -corenet_tcp_connect_munin_port(munin_t) -corenet_tcp_sendrecv_munin_port(munin_t) - -corenet_sendrecv_http_client_packets(munin_t) -corenet_tcp_connect_http_port(munin_t) -corenet_tcp_sendrecv_http_port(munin_t) - -dev_read_sysfs(munin_t) -dev_read_urand(munin_t) - -domain_use_interactive_fds(munin_t) -domain_read_all_domains_state(munin_t) - -files_read_etc_runtime_files(munin_t) -files_read_usr_files(munin_t) -files_list_spool(munin_t) - -fs_getattr_all_fs(munin_t) -fs_search_auto_mountpoints(munin_t) - -auth_use_nsswitch(munin_t) - -logging_send_syslog_msg(munin_t) -logging_read_all_logs(munin_t) - -miscfiles_read_fonts(munin_t) -miscfiles_read_localization(munin_t) -miscfiles_setattr_fonts_cache_dirs(munin_t) - -sysnet_exec_ifconfig(munin_t) - -userdom_dontaudit_use_unpriv_user_fds(munin_t) -userdom_dontaudit_search_user_home_dirs(munin_t) - -optional_policy(` - apache_content_template(munin) - - manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - apache_search_sys_content(munin_t) -') - -optional_policy(` - cron_system_entry(munin_t, munin_exec_t) -') - -optional_policy(` - fstools_domtrans(munin_t) -') - -optional_policy(` - lpd_domtrans_lpr(munin_t) -') - -optional_policy(` - mta_list_queue(munin_t) - mta_read_config(munin_t) - mta_read_queue(munin_t) - mta_send_mail(munin_t) -') - -optional_policy(` - mysql_read_config(munin_t) - mysql_stream_connect(munin_t) -') - -optional_policy(` - netutils_domtrans_ping(munin_t) - netutils_kill_ping(munin_t) - netutils_signal_ping(munin_t) -') - -optional_policy(` - postfix_list_spool(munin_t) - postfix_getattr_all_spool_files(munin_t) -') - -optional_policy(` - rpc_search_nfs_state_data(munin_t) -') - -optional_policy(` - sendmail_read_log(munin_t) -') - -optional_policy(` - seutil_sigchld_newrole(munin_t) -') - -optional_policy(` - udev_read_db(munin_t) -') - -################################### -# -# Disk local policy -# - -allow disk_munin_plugin_t self:capability { sys_admin sys_rawio }; -allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; - -rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - -corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) -corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) -corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t) - -dev_getattr_all_blk_files(disk_munin_plugin_t) -dev_getattr_lvm_control(disk_munin_plugin_t) -dev_read_sysfs(disk_munin_plugin_t) -dev_read_urand(disk_munin_plugin_t) - -files_read_etc_runtime_files(disk_munin_plugin_t) - -fs_getattr_all_fs(disk_munin_plugin_t) -fs_getattr_all_dirs(disk_munin_plugin_t) - -storage_getattr_fixed_disk_dev(disk_munin_plugin_t) - -sysnet_read_config(disk_munin_plugin_t) - -optional_policy(` - hddtemp_exec(disk_munin_plugin_t) -') - -optional_policy(` - fstools_exec(disk_munin_plugin_t) -') - -#################################### -# -# Mail local policy -# - -allow mail_munin_plugin_t self:capability dac_override; - -rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - -dev_read_urand(mail_munin_plugin_t) - -logging_read_generic_logs(mail_munin_plugin_t) - -optional_policy(` - mta_list_queue(mail_munin_plugin_t) - mta_read_config(mail_munin_plugin_t) - mta_read_queue(mail_munin_plugin_t) - mta_send_mail(mail_munin_plugin_t) -') - -optional_policy(` - nscd_use(mail_munin_plugin_t) -') - -optional_policy(` - postfix_getattr_all_spool_files(mail_munin_plugin_t) - postfix_read_config(mail_munin_plugin_t) - postfix_list_spool(mail_munin_plugin_t) -') - -optional_policy(` - sendmail_read_log(mail_munin_plugin_t) -') - -################################## -# -# Selinux local policy -# - -selinux_get_enforce_mode(selinux_munin_plugin_t) - -################################### -# -# Service local policy -# - -allow services_munin_plugin_t self:shm create_sem_perms; -allow services_munin_plugin_t self:sem create_sem_perms; -allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; -allow services_munin_plugin_t self:udp_socket create_socket_perms; -allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; - -corenet_sendrecv_all_client_packets(services_munin_plugin_t) -corenet_tcp_connect_all_ports(services_munin_plugin_t) -corenet_tcp_connect_http_port(services_munin_plugin_t) -corenet_tcp_sendrecv_all_ports(services_munin_plugin_t) - -dev_read_urand(services_munin_plugin_t) -dev_read_rand(services_munin_plugin_t) - -sysnet_read_config(services_munin_plugin_t) - -optional_policy(` - bind_read_config(munin_services_plugin_t) -') - -optional_policy(` - cups_read_config(services_munin_plugin_t) - cups_stream_connect(services_munin_plugin_t) -') - -optional_policy(` - lpd_exec_lpr(services_munin_plugin_t) -') - -optional_policy(` - mysql_read_config(services_munin_plugin_t) - mysql_stream_connect(services_munin_plugin_t) -') - -optional_policy(` - netutils_domtrans_ping(services_munin_plugin_t) -') - -optional_policy(` - nscd_use(services_munin_plugin_t) -') - -optional_policy(` - postgresql_stream_connect(services_munin_plugin_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(services_munin_plugin_t) -') - -optional_policy(` - sssd_stream_connect(services_munin_plugin_t) -') - -optional_policy(` - varnishd_read_lib_files(services_munin_plugin_t) -') - -################################## -# -# System local policy -# - -allow system_munin_plugin_t self:udp_socket create_socket_perms; - -rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - -read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) - -kernel_read_network_state(system_munin_plugin_t) -kernel_read_all_sysctls(system_munin_plugin_t) - -dev_read_sysfs(system_munin_plugin_t) -dev_read_urand(system_munin_plugin_t) - -domain_read_all_domains_state(system_munin_plugin_t) - -init_read_utmp(system_munin_plugin_t) - -logging_search_logs(system_munin_plugin_t) - -sysnet_exec_ifconfig(system_munin_plugin_t) - -term_getattr_unallocated_ttys(system_munin_plugin_t) -term_getattr_all_ttys(system_munin_plugin_t) -term_getattr_all_ptys(system_munin_plugin_t) - -optional_policy(` - bind_read_config(system_munin_plugin_t) -') - -####################################### -# -# Unconfined plugin local policy -# - -optional_policy(` - unconfined_domain(unconfined_munin_plugin_t) -') diff --git a/policy/modules/contrib/mutt.if b/policy/modules/contrib/mutt.if index 5327f866..596b0fd1 100644 --- a/policy/modules/contrib/mutt.if +++ b/policy/modules/contrib/mutt.if @@ -17,25 +17,25 @@ # interface(`mutt_role',` gen_require(` - type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t; + type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t; type mutt_tmp_t; ') role $1 types mutt_t; domtrans_pattern($2, mutt_exec_t, mutt_t) - + allow $2 mutt_t:process { ptrace signal_perms }; manage_dirs_pattern($2, mutt_home_t, mutt_home_t) manage_files_pattern($2, mutt_home_t, mutt_home_t) - + manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t) manage_files_pattern($2, mutt_conf_t, mutt_conf_t) relabel_dirs_pattern($2, mutt_home_t, mutt_home_t) relabel_files_pattern($2, mutt_home_t, mutt_home_t) - + relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t) relabel_files_pattern($2, mutt_conf_t, mutt_conf_t) @@ -47,7 +47,7 @@ interface(`mutt_role',` ####################################### ## <summary> -## Allow other domains to read mutt's home files +## Allow other domains to read mutt's home files ## </summary> ## <param name="domain"> ## <summary> @@ -99,6 +99,6 @@ interface(`mutt_rw_tmp_files',` # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well allow $1 mutt_tmp_t:dir search_dir_perms; - allow $1 mutt_tmp_t:file { read write }; + allow $1 mutt_tmp_t:file rw_inherited_file_perms; files_search_tmp($1) ') diff --git a/policy/modules/contrib/mutt.te b/policy/modules/contrib/mutt.te index 22253088..ed3f970b 100644 --- a/policy/modules/contrib/mutt.te +++ b/policy/modules/contrib/mutt.te @@ -1,17 +1,10 @@ policy_module(mutt, 1.0.0) ############################ -# +# # Declarations # -## <desc> -## <p> -## Be able to manage user files (needed to support attachment handling) -## </p> -## </desc> -gen_tunable(mutt_manage_user_content, false) - type mutt_t; type mutt_exec_t; application_domain(mutt_t, mutt_exec_t) @@ -66,8 +59,6 @@ corenet_tcp_connect_pop_port(mutt_t) corenet_tcp_connect_smtp_port(mutt_t) corenet_tcp_sendrecv_generic_if(mutt_t) corenet_tcp_sendrecv_generic_node(mutt_t) -corenet_tcp_sendrecv_pop_port(mutt_t) -corenet_tcp_sendrecv_smtp_port(mutt_t) dev_read_rand(mutt_t) dev_read_urand(mutt_t) @@ -79,11 +70,15 @@ files_read_usr_files(mutt_t) auth_use_nsswitch(mutt_t) +logging_send_syslog_msg(mutt_t) + miscfiles_read_localization(mutt_t) userdom_search_user_home_content(mutt_t) userdom_use_user_terminals(mutt_t) +userdom_user_content_access_template(mutt, mutt_t) + optional_policy(` gpg_domtrans(mutt_t) ') @@ -94,12 +89,7 @@ optional_policy(` optional_policy(` xdg_manage_cache_home(mutt_t) + # Save and send attachments + xdg_manage_downloads_home(mutt_t) xdg_read_config_home_files(mutt_t) ') - -tunable_policy(`mutt_manage_user_content',` - # Needed for handling attachments - userdom_manage_user_home_content_files(mutt_t) - userdom_manage_user_home_content_dirs(mutt_t) -') - diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc deleted file mode 100644 index c48dc172..00000000 --- a/policy/modules/contrib/mysql.fc +++ /dev/null @@ -1,25 +0,0 @@ -HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) - -/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) -/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) - -/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) - -/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) -/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) - -/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) - -/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) -/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) -/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) - -/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) -/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0) - -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) - -/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) -/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) -/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if deleted file mode 100644 index 590748a2..00000000 --- a/policy/modules/contrib/mysql.if +++ /dev/null @@ -1,537 +0,0 @@ -## <summary>Open source database.</summary> - -######################################## -## <summary> -## Role access for mysql. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`mysql_role',` - refpolicywarn(`$0($*) has been deprecated') -') - -###################################### -## <summary> -## Execute MySQL in the mysql domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mysql_domtrans',` - gen_require(` - type mysqld_t, mysqld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mysqld_exec_t, mysqld_t) -') - -######################################## -## <summary> -## Execute mysqld in the mysqld domain, and -## allow the specified role the mysqld domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`mysql_run_mysqld',` - gen_require(` - attribute_role mysqld_roles; - ') - - mysql_domtrans($1) - roleattribute $2 mysqld_roles; -') - -######################################## -## <summary> -## Send generic signals to mysqld. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_signal',` - gen_require(` - type mysqld_t; - ') - - allow $1 mysqld_t:process signal; -') - -######################################## -## <summary> -## Connect to mysqld with a tcp socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_tcp_connect',` - gen_require(` - type mysqld_t; - ') - - corenet_tcp_recvfrom_labeled($1, mysqld_t) - corenet_tcp_sendrecv_mysqld_port($1) - corenet_tcp_connect_mysqld_port($1) - corenet_sendrecv_mysqld_client_packets($1) -') - -######################################## -## <summary> -## Connect to mysqld with a unix -# domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mysql_stream_connect',` - gen_require(` - type mysqld_t, mysqld_var_run_t, mysqld_db_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) -') - -######################################## -## <summary> -## Read mysqld configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mysql_read_config',` - gen_require(` - type mysqld_etc_t; - ') - - files_search_etc($1) - allow $1 mysqld_etc_t:dir list_dir_perms; - allow $1 mysqld_etc_t:file read_file_perms; - allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Search mysqld db directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_search_db',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read and write mysqld database directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_rw_db_dirs',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir rw_dir_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## mysqld database directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_manage_db_dirs',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir manage_dir_perms; -') - -####################################### -## <summary> -## Append mysqld database files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_append_db_files',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - append_files_pattern($1, mysqld_db_t, mysqld_db_t) -') - -####################################### -## <summary> -## Read and write mysqld database files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_rw_db_files',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, mysqld_db_t, mysqld_db_t) -') - -####################################### -## <summary> -## Create, read, write, and delete -## mysqld database files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_manage_db_files',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, mysqld_db_t, mysqld_db_t) -') - -######################################## -## <summary> -## Read and write mysqld database sockets. -## named socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_rw_db_sockets',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Create, read, write, and delete -## mysqld home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_manage_mysqld_home_files',` - gen_require(` - type mysqld_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mysqld_home_t:file manage_file_perms; -') - -######################################## -## <summary> -## Relabel mysqld home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_relabel_mysqld_home_files',` - gen_require(` - type mysqld_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mysqld_home_t:file relabel_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the mysqld home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`mysql_home_filetrans_mysqld_home',` - gen_require(` - type mysqld_home_t; - ') - - userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3) -') - -######################################## -## <summary> -## Write mysqld log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_write_log',` - gen_require(` - type mysqld_log_t; - ') - - logging_search_logs($1) - allow $1 mysqld_log_t:file write_file_perms; -') - -###################################### -## <summary> -## Execute mysqld safe in the -## mysqld safe domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`mysql_domtrans_mysql_safe',` - gen_require(` - type mysqld_safe_t, mysqld_safe_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) -') - -##################################### -## <summary> -## Read mysqld pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`mysql_read_pid_files',` - gen_require(` - type mysqld_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) -') - -##################################### -## <summary> -## Search mysqld pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## -# -interface(`mysql_search_pid_files',` - gen_require(` - type mysqld_var_run_t; - ') - - files_search_pids($1) - search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an mysqld environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`mysql_admin',` - gen_require(` - type mysqld_t, mysqld_var_run_t, mysqld_etc_t; - type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; - type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; - type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t; - ') - - allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) - - init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) - - files_search_var_lib($1) - admin_pattern($1, mysqld_db_t) - - files_search_etc($1) - admin_pattern($1, { mysqld_etc_t mysqld_home_t }) - - logging_search_logs($1) - admin_pattern($1, mysqld_log_t) - - files_search_tmp($1) - admin_pattern($1, mysqld_tmp_t) - - mysql_run_mysqld($1, $2) -') - -####################################### -## <summary> -## Set the attributes of the MySQL run directories -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`mysql_setattr_run_dirs',` - gen_require(` - type mysqld_var_run_t; - ') - - setattr_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) -') - -####################################### -## <summary> -## Create MySQL run directories -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`mysql_create_run_dirs',` - gen_require(` - type mysqld_var_run_t; - ') - - create_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) -') - -####################################### -## <summary> -## Automatically use the MySQL run label for created resources in generic -## run locations. This method is deprecated in favor of the -## init_daemon_run_dir call. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -## <param name="class"> -## <summary> -## Type of the resource created for which the automatic file transition -## should occur -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## The name of the resource being created -## </summary> -## </param> -# -interface(`mysql_generic_run_filetrans_run',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te deleted file mode 100644 index 9f6179e8..00000000 --- a/policy/modules/contrib/mysql.te +++ /dev/null @@ -1,256 +0,0 @@ -policy_module(mysql, 1.13.5) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether mysqld can -## connect to all TCP ports. -## </p> -## </desc> -gen_tunable(mysql_connect_any, false) - -attribute_role mysqld_roles; - -type mysqld_t; -type mysqld_exec_t; -init_daemon_domain(mysqld_t, mysqld_exec_t) -application_domain(mysqld_t, mysqld_exec_t) -role mysqld_roles types mysqld_t; - -type mysqld_safe_t; -type mysqld_safe_exec_t; -init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) - -type mysqld_var_run_t; -files_pid_file(mysqld_var_run_t) -init_daemon_run_dir(mysqld_var_run_t, "mysqld") - -type mysqld_db_t; -files_type(mysqld_db_t) - -type mysqld_etc_t alias etc_mysqld_t; -files_config_file(mysqld_etc_t) - -type mysqld_home_t; -userdom_user_home_content(mysqld_home_t) - -type mysqld_initrc_exec_t; -init_script_file(mysqld_initrc_exec_t) - -type mysqld_log_t; -logging_log_file(mysqld_log_t) - -type mysqld_tmp_t; -files_tmp_file(mysqld_tmp_t) - -type mysqlmanagerd_t; -type mysqlmanagerd_exec_t; -init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t) - -type mysqlmanagerd_initrc_exec_t; -init_script_file(mysqlmanagerd_initrc_exec_t) - -type mysqlmanagerd_var_run_t; -files_pid_file(mysqlmanagerd_var_run_t) - -######################################## -# -# Local policy -# - -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource }; -dontaudit mysqld_t self:capability sys_tty_config; -allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; -allow mysqld_t self:fifo_file rw_fifo_file_perms; -allow mysqld_t self:shm create_shm_perms; -allow mysqld_t self:unix_stream_socket { accept listen }; -allow mysqld_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) - -filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) - -allow mysqld_t mysqld_etc_t:dir list_dir_perms; -allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; -allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; - -allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(mysqld_t, mysqld_log_t, file) - -manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) - -manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(mysqld_t) -kernel_read_network_state(mysqld_t) -kernel_read_system_state(mysqld_t) - -corenet_all_recvfrom_unlabeled(mysqld_t) -corenet_all_recvfrom_netlabel(mysqld_t) -corenet_tcp_sendrecv_generic_if(mysqld_t) -corenet_tcp_sendrecv_generic_node(mysqld_t) -corenet_tcp_bind_generic_node(mysqld_t) - -corenet_sendrecv_mysqld_server_packets(mysqld_t) -corenet_tcp_bind_mysqld_port(mysqld_t) -corenet_sendrecv_mysqld_client_packets(mysqld_t) -corenet_tcp_connect_mysqld_port(mysqld_t) -corenet_tcp_sendrecv_mysqld_port(mysqld_t) - -corecmd_exec_bin(mysqld_t) -corecmd_exec_shell(mysqld_t) - -dev_read_sysfs(mysqld_t) -dev_read_urand(mysqld_t) - -domain_use_interactive_fds(mysqld_t) - -fs_getattr_all_fs(mysqld_t) -fs_search_auto_mountpoints(mysqld_t) -fs_rw_hugetlbfs_files(mysqld_t) - -files_read_etc_runtime_files(mysqld_t) -files_read_usr_files(mysqld_t) - -auth_use_nsswitch(mysqld_t) - -logging_send_syslog_msg(mysqld_t) - -miscfiles_read_localization(mysqld_t) - -userdom_search_user_home_dirs(mysqld_t) -userdom_dontaudit_use_unpriv_user_fds(mysqld_t) - -tunable_policy(`mysql_connect_any',` - corenet_sendrecv_all_client_packets(mysqld_t) - corenet_tcp_connect_all_ports(mysqld_t) - corenet_tcp_sendrecv_all_ports(mysqld_t) -') - -optional_policy(` - daemontools_service_domain(mysqld_t, mysqld_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(mysqld_t) -') - -optional_policy(` - udev_read_db(mysqld_t) -') - -####################################### -# -# Safe local policy -# - -allow mysqld_safe_t self:capability { chown dac_override fowner kill }; -allow mysqld_safe_t self:process { setsched getsched setrlimit }; -allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; - -allow mysqld_safe_t mysqld_t:process signull; - -read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) - -allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms; -allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; -allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms; - -allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) - -manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) -delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t) - -domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) - -kernel_read_system_state(mysqld_safe_t) -kernel_read_kernel_sysctls(mysqld_safe_t) - -corecmd_exec_bin(mysqld_safe_t) -corecmd_exec_shell(mysqld_safe_t) - -dev_list_sysfs(mysqld_safe_t) - -domain_read_all_domains_state(mysqld_safe_t) - -files_read_etc_files(mysqld_safe_t) -files_read_usr_files(mysqld_safe_t) -files_search_pids(mysqld_safe_t) -files_dontaudit_getattr_all_dirs(mysqld_safe_t) -files_dontaudit_search_all_mountpoints(mysqld_safe_t) - -logging_send_syslog_msg(mysqld_safe_t) - -miscfiles_read_localization(mysqld_safe_t) - -userdom_search_user_home_dirs(mysqld_safe_t) - -optional_policy(` - hostname_exec(mysqld_safe_t) -') - -######################################## -# -# Manager local policy -# - -allow mysqlmanagerd_t self:capability { dac_override kill }; -allow mysqlmanagerd_t self:process signal; -allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; -allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; -allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; - -allow mysqlmanagerd_t mysqld_t:process signal; - -allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms; -allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; -allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms; - -domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) - -manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) -manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) -filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) - -stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) - -kernel_read_system_state(mysqlmanagerd_t) - -corecmd_exec_shell(mysqlmanagerd_t) - -corenet_all_recvfrom_unlabeled(mysqlmanagerd_t) -corenet_all_recvfrom_netlabel(mysqlmanagerd_t) -corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) -corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t) -corenet_tcp_bind_generic_node(mysqlmanagerd_t) - -corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) -corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t) -corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) -corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t) -corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t) - -dev_read_urand(mysqlmanagerd_t) - -files_read_etc_files(mysqlmanagerd_t) -files_read_usr_files(mysqlmanagerd_t) -files_search_pids(mysqlmanagerd_t) -files_search_var_lib(mysqlmanagerd_t) - -miscfiles_read_localization(mysqlmanagerd_t) - -userdom_search_user_home_dirs(mysqlmanagerd_t) diff --git a/policy/modules/contrib/nagios.fc b/policy/modules/contrib/nagios.fc deleted file mode 100644 index d78dfc38..00000000 --- a/policy/modules/contrib/nagios.fc +++ /dev/null @@ -1,88 +0,0 @@ -/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) -/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) - -/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - -/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - -/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - -/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - -/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - -/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) - -/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) - -/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) - -/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) - -/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - -/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - -/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) - -/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) - -/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) - -/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) -/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) - -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) diff --git a/policy/modules/contrib/nagios.if b/policy/modules/contrib/nagios.if deleted file mode 100644 index 0641e970..00000000 --- a/policy/modules/contrib/nagios.if +++ /dev/null @@ -1,229 +0,0 @@ -## <summary>Network monitoring server.</summary> - -####################################### -## <summary> -## The template to define a nagios plugin domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`nagios_plugin_template',` - gen_require(` - attribute nagios_plugin_domain; - type nagios_t, nrpe_t; - ') - - ######################################## - # - # Declarations - # - - type nagios_$1_plugin_t, nagios_plugin_domain; - type nagios_$1_plugin_exec_t; - application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) - role system_r types nagios_$1_plugin_t; - - ######################################## - # - # Policy - # - - domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) - allow nagios_t nagios_$1_plugin_exec_t:file ioctl; - - domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) -') - -######################################## -## <summary> -## Do not audit attempts to read or -## write nagios unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -## <rolecap/> -# -interface(`nagios_dontaudit_rw_pipes',` - gen_require(` - type nagios_t; - ') - - dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Read nagios configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`nagios_read_config',` - gen_require(` - type nagios_etc_t; - ') - - files_search_etc($1) - allow $1 nagios_etc_t:dir list_dir_perms; - allow $1 nagios_etc_t:file read_file_perms; - allow $1 nagios_etc_t:lnk_file read_lnk_file_perms; -') - -###################################### -## <summary> -## Read nagios log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nagios_read_log',` - gen_require(` - type nagios_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, nagios_log_t, nagios_log_t) -') - -######################################## -## <summary> -## Do not audit attempts to read or -## write nagios log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`nagios_dontaudit_rw_log',` - gen_require(` - type nagios_log_t; - ') - - dontaudit $1 nagios_log_t:file rw_file_perms; -') - -######################################## -## <summary> -## Search nagios spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nagios_search_spool',` - gen_require(` - type nagios_spool_t; - ') - - files_search_spool($1) - allow $1 nagios_spool_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read nagios temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nagios_read_tmp_files',` - gen_require(` - type nagios_tmp_t; - ') - - files_search_tmp($1) - allow $1 nagios_tmp_t:file read_file_perms; -') - -######################################## -## <summary> -## Execute nrpe with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`nagios_domtrans_nrpe',` - gen_require(` - type nrpe_t, nrpe_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nrpe_exec_t, nrpe_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an nagios environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`nagios_admin',` - gen_require(` - attribute nagios_plugin_domain; - type nagios_t, nrpe_t, nagios_initrc_exec_t; - type nagios_tmp_t, nagios_log_t, nagios_var_lib_t; - type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t; - type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t; - type nagios_eventhandler_plugin_tmp_t; - ') - - allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms }; - ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain }) - - init_labeled_script_domtrans($1, nagios_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nagios_initrc_exec_t system_r; - allow $2 system_r; - - files_search_tmp($1) - admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t }) - - logging_search_logs($1) - admin_pattern($1, nagios_log_t) - - files_search_etc($1) - admin_pattern($1, { nrpe_etc_t nagios_etc_t }) - - files_search_spool($1) - admin_pattern($1, nagios_spool_t) - - files_search_pids($1) - admin_pattern($1, { nrpe_var_run_t nagios_var_run_t }) - - files_search_var_lib($1) - admin_pattern($1, nagios_var_lib_t) -') diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te deleted file mode 100644 index 44ad3b7a..00000000 --- a/policy/modules/contrib/nagios.te +++ /dev/null @@ -1,452 +0,0 @@ -policy_module(nagios, 1.12.3) - -######################################## -# -# Declarations -# - -attribute nagios_plugin_domain; - -type nagios_t; -type nagios_exec_t; -init_daemon_domain(nagios_t, nagios_exec_t) - -type nagios_etc_t; -files_config_file(nagios_etc_t) - -type nagios_initrc_exec_t; -init_script_file(nagios_initrc_exec_t) - -type nagios_log_t; -logging_log_file(nagios_log_t) - -type nagios_tmp_t; -files_tmp_file(nagios_tmp_t) - -type nagios_var_run_t; -files_pid_file(nagios_var_run_t) - -type nagios_spool_t; -files_type(nagios_spool_t) - -type nagios_var_lib_t; -files_type(nagios_var_lib_t) - -nagios_plugin_template(admin) -nagios_plugin_template(checkdisk) -nagios_plugin_template(mail) -nagios_plugin_template(services) -nagios_plugin_template(system) -nagios_plugin_template(unconfined) -nagios_plugin_template(eventhandler) - -type nagios_eventhandler_plugin_tmp_t; -files_tmp_file(nagios_eventhandler_plugin_tmp_t) - -type nagios_system_plugin_tmp_t; -files_tmp_file(nagios_system_plugin_tmp_t) - -type nrpe_t; -type nrpe_exec_t; -init_daemon_domain(nrpe_t, nrpe_exec_t) - -type nrpe_etc_t; -files_config_file(nrpe_etc_t) - -type nrpe_var_run_t; -files_pid_file(nrpe_var_run_t) - -###################################### -# -# Common plugin domain local policy -# - -allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; - -dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write }; -dontaudit nagios_plugin_domain nagios_log_t:file { read write }; - -kernel_read_system_state(nagios_plugin_domain) - -dev_read_urand(nagios_plugin_domain) -dev_read_rand(nagios_plugin_domain) - -files_read_usr_files(nagios_plugin_domain) - -miscfiles_read_localization(nagios_plugin_domain) - -userdom_use_user_terminals(nagios_plugin_domain) - -######################################## -# -# Nagios local policy -# - -allow nagios_t self:capability { dac_override setgid setuid }; -dontaudit nagios_t self:capability sys_tty_config; -allow nagios_t self:process { setpgid signal_perms }; -allow nagios_t self:fifo_file rw_fifo_file_perms; -allow nagios_t self:tcp_socket { accept listen }; - -allow nagios_t nagios_plugin_domain:process signal_perms; - -allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms; - -allow nagios_t nagios_etc_t:dir list_dir_perms; -allow nagios_t nagios_etc_t:file read_file_perms; -allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms; - -allow nagios_t nagios_log_t:dir setattr_dir_perms; -append_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -create_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -logging_log_filetrans(nagios_t, nagios_log_t, file) - -manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -files_tmp_filetrans(nagios_t, nagios_tmp_t, { dir file }) - -manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) -files_pid_filetrans(nagios_t, nagios_var_run_t, file) - -manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) - -manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) -manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) -files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file fifo_file }) - -kernel_read_system_state(nagios_t) -kernel_read_kernel_sysctls(nagios_t) -kernel_read_software_raid_state(nagios_t) - -corecmd_exec_bin(nagios_t) -corecmd_exec_shell(nagios_t) - -corenet_all_recvfrom_unlabeled(nagios_t) -corenet_all_recvfrom_netlabel(nagios_t) -corenet_tcp_sendrecv_generic_if(nagios_t) -corenet_tcp_sendrecv_generic_node(nagios_t) - -corenet_sendrecv_all_client_packets(nagios_t) -corenet_tcp_connect_all_ports(nagios_t) -corenet_tcp_sendrecv_all_ports(nagios_t) - -corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t) -corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) - -dev_read_sysfs(nagios_t) -dev_read_urand(nagios_t) - -domain_use_interactive_fds(nagios_t) -domain_read_all_domains_state(nagios_t) - -files_read_etc_runtime_files(nagios_t) -files_read_kernel_symbol_table(nagios_t) -files_read_usr_files(nagios_t) -files_search_spool(nagios_t) - -fs_getattr_all_fs(nagios_t) -fs_search_auto_mountpoints(nagios_t) - -auth_use_nsswitch(nagios_t) - -logging_send_syslog_msg(nagios_t) - -miscfiles_read_localization(nagios_t) - -userdom_dontaudit_use_unpriv_user_fds(nagios_t) -userdom_dontaudit_search_user_home_dirs(nagios_t) - -mta_send_mail(nagios_t) -mta_signal_system_mail(nagios_t) -mta_kill_system_mail(nagios_t) - -optional_policy(` - netutils_kill_ping(nagios_t) -') - -optional_policy(` - seutil_sigchld_newrole(nagios_t) -') - -optional_policy(` - udev_read_db(nagios_t) -') - -######################################## -# -# CGI local policy -# -optional_policy(` - apache_content_template(nagios) - typealias httpd_nagios_script_t alias nagios_cgi_t; - typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; - - allow httpd_nagios_script_t self:process signal_perms; - - read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - - allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; - allow httpd_nagios_script_t nagios_etc_t:file read_file_perms; - allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms; - - files_search_spool(httpd_nagios_script_t) - rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) - - allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; - read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) - read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) - - kernel_read_system_state(httpd_nagios_script_t) - - domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) - - files_read_etc_runtime_files(httpd_nagios_script_t) - files_read_kernel_symbol_table(httpd_nagios_script_t) - - logging_send_syslog_msg(httpd_nagios_script_t) -') - -######################################## -# -# Nrpe local policy -# - -allow nrpe_t self:capability { setuid setgid }; -dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; -allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; -allow nrpe_t self:fifo_file rw_fifo_file_perms; -allow nrpe_t self:tcp_socket { accept listen }; - -allow nrpe_t nagios_plugin_domain:process { signal sigkill }; - -read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t) - -manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t) -files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) - -domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) - -kernel_read_kernel_sysctls(nrpe_t) -kernel_read_software_raid_state(nrpe_t) -kernel_read_system_state(nrpe_t) - -corecmd_exec_bin(nrpe_t) -corecmd_exec_shell(nrpe_t) - -corenet_all_recvfrom_unlabeled(nrpe_t) -corenet_all_recvfrom_netlabel(nrpe_t) -corenet_tcp_sendrecv_generic_if(nrpe_t) -corenet_tcp_sendrecv_generic_node(nrpe_t) -corenet_tcp_bind_generic_node(nrpe_t) - -corenet_sendrecv_inetd_child_server_packets(nrpe_t) -corenet_tcp_bind_inetd_child_port(nrpe_t) -corenet_tcp_sendrecv_inetd_child_port(nrpe_t) - -dev_read_sysfs(nrpe_t) -dev_read_urand(nrpe_t) - -domain_use_interactive_fds(nrpe_t) -domain_read_all_domains_state(nrpe_t) - -files_read_etc_runtime_files(nrpe_t) -files_read_usr_files(nrpe_t) - -fs_getattr_all_fs(nrpe_t) -fs_search_auto_mountpoints(nrpe_t) - -auth_use_nsswitch(nrpe_t) - -logging_send_syslog_msg(nrpe_t) - -miscfiles_read_localization(nrpe_t) - -userdom_dontaudit_use_unpriv_user_fds(nrpe_t) - -optional_policy(` - inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) -') - -optional_policy(` - mta_send_mail(nrpe_t) -') - -optional_policy(` - seutil_sigchld_newrole(nrpe_t) -') - -optional_policy(` - tcpd_wrapped_domain(nrpe_t, nrpe_exec_t) -') - -optional_policy(` - udev_read_db(nrpe_t) -') - -##################################### -# -# Admin local policy -# - -corecmd_read_bin_files(nagios_admin_plugin_t) -corecmd_read_bin_symlinks(nagios_admin_plugin_t) - -dev_getattr_all_chr_files(nagios_admin_plugin_t) -dev_getattr_all_blk_files(nagios_admin_plugin_t) - -files_getattr_all_dirs(nagios_admin_plugin_t) -files_getattr_all_files(nagios_admin_plugin_t) -files_getattr_all_symlinks(nagios_admin_plugin_t) -files_getattr_all_pipes(nagios_admin_plugin_t) -files_getattr_all_sockets(nagios_admin_plugin_t) -files_getattr_all_file_type_fs(nagios_admin_plugin_t) - -###################################### -# -# Mail local policy -# - -allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; -allow nagios_mail_plugin_t self:tcp_socket { accept listen }; - -kernel_read_kernel_sysctls(nagios_mail_plugin_t) - -corecmd_read_bin_files(nagios_mail_plugin_t) -corecmd_read_bin_symlinks(nagios_mail_plugin_t) - -files_read_etc_files(nagios_mail_plugin_t) - -logging_send_syslog_msg(nagios_mail_plugin_t) - -sysnet_dns_name_resolve(nagios_mail_plugin_t) - -optional_policy(` - mta_send_mail(nagios_mail_plugin_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(nagios_mail_plugin_t) -') - -optional_policy(` - postfix_stream_connect_master(nagios_mail_plugin_t) - postfix_exec_postqueue(nagios_mail_plugin_t) -') - -###################################### -# -# Disk local policy -# - -allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; - -kernel_read_software_raid_state(nagios_checkdisk_plugin_t) - -files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) -files_read_etc_runtime_files(nagios_checkdisk_plugin_t) - -fs_getattr_all_fs(nagios_checkdisk_plugin_t) - -storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) - -####################################### -# -# Services local policy -# - -allow nagios_services_plugin_t self:capability net_raw; -allow nagios_services_plugin_t self:process { signal sigkill }; -allow nagios_services_plugin_t self:tcp_socket { accept listen }; - -corecmd_exec_bin(nagios_services_plugin_t) - -corenet_all_recvfrom_unlabeled(nagios_services_plugin_t) -corenet_all_recvfrom_netlabel(nagios_services_plugin_t) -corenet_tcp_sendrecv_generic_if(nagios_services_plugin_t) -corenet_udp_sendrecv_generic_if(nagios_services_plugin_t) -corenet_tcp_sendrecv_generic_node(nagios_services_plugin_t) -corenet_udp_sendrecv_generic_node(nagios_services_plugin_t) -corenet_udp_bind_generic_node(nagios_services_plugin_t) - -corenet_sendrecv_all_client_packets(nagios_services_plugin_t) -corenet_tcp_connect_all_ports(nagios_services_plugin_t) -corenet_tcp_sendrecv_all_ports(nagios_services_plugin_t) - -corenet_sendrecv_dhcpc_server_packets(nagios_services_plugin_t) -corenet_udp_bind_dhcpc_port(nagios_services_plugin_t) -corenet_udp_sendrecv_dhcpc_port(nagios_services_plugin_t) - -auth_use_nsswitch(nagios_services_plugin_t) - -domain_read_all_domains_state(nagios_services_plugin_t) - -optional_policy(` - netutils_domtrans_ping(nagios_services_plugin_t) - netutils_signal_ping(nagios_services_plugin_t) - netutils_kill_ping(nagios_services_plugin_t) -') - -optional_policy(` - mysql_stream_connect(nagios_services_plugin_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(nagios_services_plugin_t) -') - -###################################### -# -# System local policy -# - -allow nagios_system_plugin_t self:capability dac_override; -dontaudit nagios_system_plugin_t self:capability { setuid setgid }; - -read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) - -manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) -manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) -files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) - -kernel_read_kernel_sysctls(nagios_system_plugin_t) - -corecmd_exec_bin(nagios_system_plugin_t) -corecmd_exec_shell(nagios_system_plugin_t) - -dev_read_sysfs(nagios_system_plugin_t) - -domain_read_all_domains_state(nagios_system_plugin_t) - -files_read_etc_files(nagios_system_plugin_t) - -fs_getattr_all_fs(nagios_system_plugin_t) - -optional_policy(` - init_read_utmp(nagios_system_plugin_t) -') - -####################################### -# -# Event local policy -# - -manage_files_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t) -manage_dirs_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t) -files_tmp_filetrans(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, { dir file }) - -corecmd_exec_bin(nagios_eventhandler_plugin_t) -corecmd_exec_shell(nagios_eventhandler_plugin_t) - -init_domtrans_script(nagios_eventhandler_plugin_t) - -######################################## -# -# Unconfined plugin policy -# - -optional_policy(` - unconfined_domain(nagios_unconfined_plugin_t) -') diff --git a/policy/modules/contrib/ncftool.fc b/policy/modules/contrib/ncftool.fc deleted file mode 100644 index ca1a0e28..00000000 --- a/policy/modules/contrib/ncftool.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) diff --git a/policy/modules/contrib/ncftool.if b/policy/modules/contrib/ncftool.if deleted file mode 100644 index db9578f4..00000000 --- a/policy/modules/contrib/ncftool.if +++ /dev/null @@ -1,46 +0,0 @@ -## <summary>Cross-platform network configuration library.</summary> - -######################################## -## <summary> -## Execute a domain transition to run ncftool. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ncftool_domtrans',` - gen_require(` - type ncftool_t, ncftool_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ncftool_exec_t, ncftool_t) -') - -######################################## -## <summary> -## Execute ncftool in the ncftool -## domain, and allow the specified -## role the ncftool domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`ncftool_run',` - gen_require(` - attribute_role ncftool_roles; - ') - - ncftool_domtrans($1) - roleattribute $2 ncftool_roles; -') diff --git a/policy/modules/contrib/ncftool.te b/policy/modules/contrib/ncftool.te deleted file mode 100644 index b13c0b19..00000000 --- a/policy/modules/contrib/ncftool.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(ncftool, 1.1.2) - -######################################## -# -# Declarations -# - -attribute_role ncftool_roles; -roleattribute system_r ncftool_roles; - -type ncftool_t; -type ncftool_exec_t; -application_domain(ncftool_t, ncftool_exec_t) -domain_obj_id_change_exemption(ncftool_t) -domain_system_change_exemption(ncftool_t) -role ncftool_roles types ncftool_t; - -######################################## -# -# Local policy -# - -allow ncftool_t self:capability net_admin; -allow ncftool_t self:process signal; -allow ncftool_t self:fifo_file manage_fifo_file_perms; -allow ncftool_t self:unix_stream_socket create_stream_socket_perms; -allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; -allow ncftool_t self:tcp_socket create_stream_socket_perms; - -kernel_read_kernel_sysctls(ncftool_t) -kernel_read_modprobe_sysctls(ncftool_t) -kernel_read_network_state(ncftool_t) -kernel_read_system_state(ncftool_t) -kernel_request_load_module(ncftool_t) -kernel_rw_net_sysctls(ncftool_t) - -corecmd_exec_bin(ncftool_t) -corecmd_exec_shell(ncftool_t) - -domain_read_all_domains_state(ncftool_t) - -dev_read_sysfs(ncftool_t) - -files_read_etc_files(ncftool_t) -files_read_etc_runtime_files(ncftool_t) -files_read_usr_files(ncftool_t) - -miscfiles_read_localization(ncftool_t) - -sysnet_delete_dhcpc_pid(ncftool_t) -sysnet_run_dhcpc(ncftool_t, ncftool_roles) -sysnet_run_ifconfig(ncftool_t, ncftool_roles) -sysnet_etc_filetrans_config(ncftool_t) -sysnet_manage_config(ncftool_t) -sysnet_read_dhcpc_state(ncftool_t) -sysnet_read_dhcpc_pid(ncftool_t) -sysnet_signal_dhcpc(ncftool_t) - -userdom_use_user_terminals(ncftool_t) -userdom_read_user_tmp_files(ncftool_t) - -optional_policy(` - brctl_run(ncftool_t, ncftool_roles) -') - -optional_policy(` - consoletype_exec(ncftool_t) -') - -optional_policy(` - dbus_system_bus_client(ncftool_t) -') - -optional_policy(` - iptables_initrc_domtrans(ncftool_t) -') - -optional_policy(` - modutils_read_module_config(ncftool_t) - modutils_run_insmod(ncftool_t, ncftool_roles) -') - -optional_policy(` - netutils_run(ncftool_t, ncftool_roles) -') diff --git a/policy/modules/contrib/nessus.fc b/policy/modules/contrib/nessus.fc deleted file mode 100644 index bb89a1dc..00000000 --- a/policy/modules/contrib/nessus.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/nessus/nessusd\.conf -- gen_context(system_u:object_r:nessusd_etc_t,s0) - -/etc/rc\.d/init\.d/nessusd -- gen_context(system_u:object_r:nessusd_initrc_exec_t,s0) - -/usr/lib/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0) - -/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0) - -/var/lib/nessus(/.*)? gen_context(system_u:object_r:nessusd_db_t,s0) - -/var/log/nessus(/.*)? gen_context(system_u:object_r:nessusd_log_t,s0) - -/var/run/nessus.* -- gen_context(system_u:object_r:nessusd_var_run_t,s0) diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if deleted file mode 100644 index 42e9ed41..00000000 --- a/policy/modules/contrib/nessus.if +++ /dev/null @@ -1,59 +0,0 @@ -## <summary>Network scanning daemon.</summary> - -######################################## -## <summary> -## Connect to nessus over a TCP socket (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nessus_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an nessus environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`nessus_admin',` - gen_require(` - type nessusd_t, nessusd_db_t, nessusd_initrc_exec_t; - type nessusd_etc_t, nessusd_log_t, nessusd_var_run_t; - ') - - allow $1 nessusd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nessusd_t) - - init_labeled_script_domtrans($1, nessusd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nessusd_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, nessusd_log_t) - - files_search_etc($1) - admin_pattern($1, nessusd_etc_t) - - files_search_pids($1) - admin_pattern($1, nessusd_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, nessusd_db_t) -') diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te deleted file mode 100644 index 56c0fbda..00000000 --- a/policy/modules/contrib/nessus.te +++ /dev/null @@ -1,110 +0,0 @@ -policy_module(nessus, 1.8.1) - -######################################## -# -# Local policy -# - -type nessusd_t; -type nessusd_exec_t; -init_daemon_domain(nessusd_t, nessusd_exec_t) - -type nessusd_initrc_exec_t; -init_script_file(nessusd_initrc_exec_t) - -type nessusd_db_t; -files_type(nessusd_db_t) - -type nessusd_etc_t; -files_config_file(nessusd_etc_t) - -type nessusd_log_t; -logging_log_file(nessusd_log_t) - -type nessusd_var_run_t; -files_pid_file(nessusd_var_run_t) - -######################################## -# -# Declarations -# - -allow nessusd_t self:capability net_raw; -dontaudit nessusd_t self:capability sys_tty_config; -allow nessusd_t self:process { setsched signal_perms }; -allow nessusd_t self:fifo_file rw_fifo_file_perms; -allow nessusd_t self:tcp_socket create_stream_socket_perms; -allow nessusd_t self:udp_socket create_socket_perms; -allow nessusd_t self:rawip_socket create_socket_perms; -allow nessusd_t self:packet_socket create_socket_perms; - -manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) -manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) -manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) - -allow nessusd_t nessusd_etc_t:file read_file_perms; - -allow nessusd_t nessusd_log_t:dir setattr_dir_perms; -append_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t) -create_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t) -setattr_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t) -logging_log_filetrans(nessusd_t, nessusd_log_t, file) - -manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t) -files_pid_filetrans(nessusd_t, nessusd_var_run_t, file) - -kernel_read_system_state(nessusd_t) -kernel_read_kernel_sysctls(nessusd_t) - -corecmd_exec_bin(nessusd_t) - -corenet_all_recvfrom_unlabeled(nessusd_t) -corenet_all_recvfrom_netlabel(nessusd_t) -corenet_tcp_sendrecv_generic_if(nessusd_t) -corenet_udp_sendrecv_generic_if(nessusd_t) -corenet_raw_sendrecv_generic_if(nessusd_t) -corenet_tcp_sendrecv_generic_node(nessusd_t) -corenet_udp_sendrecv_generic_node(nessusd_t) -corenet_raw_sendrecv_generic_node(nessusd_t) -corenet_tcp_sendrecv_all_ports(nessusd_t) -corenet_udp_sendrecv_all_ports(nessusd_t) -corenet_tcp_bind_generic_node(nessusd_t) - -corenet_sendrecv_nessus_server_packets(nessusd_t) -corenet_tcp_bind_nessus_port(nessusd_t) - -corenet_sendrecv_all_client_packets(nessusd_t) -corenet_tcp_connect_all_ports(nessusd_t) - -dev_read_sysfs(nessusd_t) -dev_read_urand(nessusd_t) - -domain_use_interactive_fds(nessusd_t) - -files_list_var_lib(nessusd_t) -files_read_etc_files(nessusd_t) -files_read_etc_runtime_files(nessusd_t) - -fs_getattr_all_fs(nessusd_t) -fs_search_auto_mountpoints(nessusd_t) - -logging_send_syslog_msg(nessusd_t) - -miscfiles_read_localization(nessusd_t) - -sysnet_read_config(nessusd_t) - -userdom_dontaudit_use_unpriv_user_fds(nessusd_t) -userdom_dontaudit_search_user_home_dirs(nessusd_t) - -optional_policy(` - nis_use_ypbind(nessusd_t) -') - -optional_policy(` - seutil_sigchld_newrole(nessusd_t) -') - -optional_policy(` - udev_read_db(nessusd_t) -') diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc deleted file mode 100644 index 180078e5..00000000 --- a/policy/modules/contrib/networkmanager.fc +++ /dev/null @@ -1,45 +0,0 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - -/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0) -/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) -/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) -/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - -/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) -/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) -/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) - -/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) -/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) -/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) - -/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - -/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - -/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - -/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - -/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) -/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) - -/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) -/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) - -/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0) -/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if deleted file mode 100644 index 15484ffa..00000000 --- a/policy/modules/contrib/networkmanager.if +++ /dev/null @@ -1,323 +0,0 @@ -## <summary>Manager for dynamically switching between networks.</summary> - -######################################## -## <summary> -## Read and write networkmanager udp sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_rw_udp_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:udp_socket { read write }; -') - -######################################## -## <summary> -## Read and write networkmanager packet sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_rw_packet_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:packet_socket { read write }; -') - -####################################### -## <summary> -## Relabel networkmanager tun socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_attach_tun_iface',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## <summary> -## Read and write networkmanager netlink -## routing sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_rw_routing_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:netlink_route_socket { read write }; -') - -######################################## -## <summary> -## Execute networkmanager with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`networkmanager_domtrans',` - gen_require(` - type NetworkManager_t, NetworkManager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) -') - -######################################## -## <summary> -## Execute networkmanager scripts with -## an automatic domain transition to initrc. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`networkmanager_initrc_domtrans',` - gen_require(` - type NetworkManager_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) -') - -######################################## -## <summary> -## Send and receive messages from -## networkmanager over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_dbus_chat',` - gen_require(` - type NetworkManager_t; - class dbus send_msg; - ') - - allow $1 NetworkManager_t:dbus send_msg; - allow NetworkManager_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Send generic signals to networkmanager. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_signal',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:process signal; -') - -######################################## -## <summary> -## Read networkmanager lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_read_lib_files',` - gen_require(` - type NetworkManager_var_lib_t; - ') - - files_search_var_lib($1) - list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) - read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -') - -######################################## -## <summary> -## Append networkmanager log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_append_log_files',` - gen_require(` - type NetworkManager_log_t; - ') - - logging_search_logs($1) - allow $1 NetworkManager_log_t:dir list_dir_perms; - append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) -') - -######################################## -## <summary> -## Read networkmanager pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`networkmanager_read_pid_files',` - gen_require(` - type NetworkManager_var_run_t; - ') - - files_search_pids($1) - allow $1 NetworkManager_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an networkmanager environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`networkmanager_admin',` - gen_require(` - type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t; - type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t; - type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t; - ') - - allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { wpa_cli_t NetworkManager_t }) - - init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 NetworkManager_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_etc($1) - admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t }) - - logging_search_logs($1) - admin_pattern($1, NetworkManager_log_t) - - files_search_var_lib($1) - admin_pattern($1, NetworkManager_var_lib_t) - - files_search_pids($1) - admin_pattern($1, NetworkManager_var_run_t) - - files_search_tmp($1) - admin_pattern($1, NetworkManager_tmp_t) -') - -######################################## -## <summary> -## Do not audit use of wpa_cli file descriptors -## </summary> -## <param name="domain"> -## <summary> -## Domain to dontaudit access. -## </summary> -## </param> -# -interface(`networkmanager_dontaudit_use_wpa_cli_fds',` - gen_require(` - type wpa_cli_t; - ') - - dontaudit $1 wpa_cli_t:fd use; -') - - -######################################## -## <summary> -## Execute wpa_cli in the wpa_cli domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`networkmanager_domtrans_wpa_cli',` - gen_require(` - type wpa_cli_t, wpa_cli_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t) -') - -######################################## -## <summary> -## Execute wpa cli in the wpa_cli domain, and -## allow the specified role the wpa_cli domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`networkmanager_run_wpa_cli',` - gen_require(` - type wpa_cli_exec_t; - ') - - networkmanager_domtrans_wpa_cli($1) - role $2 types wpa_cli_t; -') diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te deleted file mode 100644 index 2280d850..00000000 --- a/policy/modules/contrib/networkmanager.te +++ /dev/null @@ -1,391 +0,0 @@ -policy_module(networkmanager, 1.14.7) - -######################################## -# -# Declarations -# - -type NetworkManager_t; -type NetworkManager_exec_t; -init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) - -type NetworkManager_etc_t; -files_config_file(NetworkManager_etc_t) - -type NetworkManager_etc_rw_t; -files_config_file(NetworkManager_etc_rw_t) - -type NetworkManager_initrc_exec_t; -init_script_file(NetworkManager_initrc_exec_t) - -type NetworkManager_log_t; -logging_log_file(NetworkManager_log_t) - -type NetworkManager_tmp_t; -files_tmp_file(NetworkManager_tmp_t) - -type NetworkManager_var_lib_t; -files_type(NetworkManager_var_lib_t) - -type NetworkManager_var_run_t; -files_pid_file(NetworkManager_var_run_t) - -type wpa_cli_t; -type wpa_cli_exec_t; -init_system_domain(wpa_cli_t, wpa_cli_exec_t) - -ifdef(`distro_gentoo',` - type wpa_cli_var_run_t; - files_pid_file(wpa_cli_var_run_t) -') - -######################################## -# -# Local policy -# - -allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; -dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace }; -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; -allow NetworkManager_t self:fifo_file rw_fifo_file_perms; -allow NetworkManager_t self:unix_dgram_socket sendto; -allow NetworkManager_t self:unix_stream_socket { accept listen }; -allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; -allow NetworkManager_t self:netlink_socket create_socket_perms; -allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; -allow NetworkManager_t self:tcp_socket { accept listen }; -allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; -allow NetworkManager_t self:packet_socket create_socket_perms; - -allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; - -allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms; -allow NetworkManager_t NetworkManager_etc_t:file read_file_perms; -allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) -manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) -filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) - -allow NetworkManager_t NetworkManager_log_t:dir setattr_dir_perms; -append_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) -create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) -setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) -logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) - -manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) - -manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir) - -manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) - -can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t }) - -kernel_read_crypto_sysctls(NetworkManager_t) -kernel_read_system_state(NetworkManager_t) -kernel_read_network_state(NetworkManager_t) -kernel_read_kernel_sysctls(NetworkManager_t) -kernel_request_load_module(NetworkManager_t) -kernel_read_debugfs(NetworkManager_t) -kernel_rw_net_sysctls(NetworkManager_t) - -corenet_all_recvfrom_unlabeled(NetworkManager_t) -corenet_all_recvfrom_netlabel(NetworkManager_t) -corenet_tcp_sendrecv_generic_if(NetworkManager_t) -corenet_udp_sendrecv_generic_if(NetworkManager_t) -corenet_raw_sendrecv_generic_if(NetworkManager_t) -corenet_tcp_sendrecv_generic_node(NetworkManager_t) -corenet_udp_sendrecv_generic_node(NetworkManager_t) -corenet_raw_sendrecv_generic_node(NetworkManager_t) -corenet_tcp_sendrecv_all_ports(NetworkManager_t) -corenet_udp_sendrecv_all_ports(NetworkManager_t) -corenet_udp_bind_generic_node(NetworkManager_t) - -corenet_sendrecv_isakmp_server_packets(NetworkManager_t) -corenet_udp_bind_isakmp_port(NetworkManager_t) - -corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) -corenet_udp_bind_dhcpc_port(NetworkManager_t) - -corenet_sendrecv_all_client_packets(NetworkManager_t) -corenet_tcp_connect_all_ports(NetworkManager_t) - -corenet_rw_tun_tap_dev(NetworkManager_t) -corenet_getattr_ppp_dev(NetworkManager_t) - -corecmd_exec_shell(NetworkManager_t) -corecmd_exec_bin(NetworkManager_t) - -dev_rw_sysfs(NetworkManager_t) -dev_read_rand(NetworkManager_t) -dev_read_urand(NetworkManager_t) -dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) -dev_getattr_all_chr_files(NetworkManager_t) -dev_rw_wireless(NetworkManager_t) - -domain_use_interactive_fds(NetworkManager_t) -domain_read_all_domains_state(NetworkManager_t) - -files_read_etc_runtime_files(NetworkManager_t) -files_read_usr_files(NetworkManager_t) -files_read_usr_src_files(NetworkManager_t) - -fs_getattr_all_fs(NetworkManager_t) -fs_search_auto_mountpoints(NetworkManager_t) -fs_list_inotifyfs(NetworkManager_t) - -mls_file_read_all_levels(NetworkManager_t) - -selinux_dontaudit_search_fs(NetworkManager_t) - -storage_getattr_fixed_disk_dev(NetworkManager_t) - -init_read_utmp(NetworkManager_t) -init_dontaudit_write_utmp(NetworkManager_t) -init_domtrans_script(NetworkManager_t) - -auth_use_nsswitch(NetworkManager_t) - -logging_send_syslog_msg(NetworkManager_t) - -miscfiles_read_generic_certs(NetworkManager_t) -miscfiles_read_localization(NetworkManager_t) - -seutil_read_config(NetworkManager_t) - -sysnet_domtrans_ifconfig(NetworkManager_t) -sysnet_domtrans_dhcpc(NetworkManager_t) -sysnet_signal_dhcpc(NetworkManager_t) -sysnet_signull_dhcpc(NetworkManager_t) -sysnet_read_dhcpc_pid(NetworkManager_t) -sysnet_read_dhcp_config(NetworkManager_t) -sysnet_delete_dhcpc_pid(NetworkManager_t) -sysnet_kill_dhcpc(NetworkManager_t) -sysnet_read_dhcpc_state(NetworkManager_t) -sysnet_delete_dhcpc_state(NetworkManager_t) -sysnet_search_dhcp_state(NetworkManager_t) -sysnet_manage_config(NetworkManager_t) -sysnet_etc_filetrans_config(NetworkManager_t) - -# certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) - -userdom_write_user_tmp_sockets(NetworkManager_t) -userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) -userdom_dontaudit_use_user_ttys(NetworkManager_t) - -optional_policy(` - avahi_domtrans(NetworkManager_t) - avahi_kill(NetworkManager_t) - avahi_signal(NetworkManager_t) - avahi_signull(NetworkManager_t) -') - -optional_policy(` - bind_domtrans(NetworkManager_t) - bind_manage_cache(NetworkManager_t) - bind_kill(NetworkManager_t) - bind_signal(NetworkManager_t) - bind_signull(NetworkManager_t) -') - -optional_policy(` - bluetooth_dontaudit_read_helper_state(NetworkManager_t) -') - -optional_policy(` - consolekit_read_pid_files(NetworkManager_t) -') - -optional_policy(` - consoletype_exec(NetworkManager_t) -') - -optional_policy(` - cron_read_system_job_lib_files(NetworkManager_t) -') - -optional_policy(` - dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) - - optional_policy(` - avahi_dbus_chat(NetworkManager_t) - ') - - optional_policy(` - consolekit_dbus_chat(NetworkManager_t) - ') - - optional_policy(` - policykit_dbus_chat(NetworkManager_t) - ') -') - -optional_policy(` - dnsmasq_read_pid_files(NetworkManager_t) - dnsmasq_delete_pid_files(NetworkManager_t) - dnsmasq_domtrans(NetworkManager_t) - dnsmasq_initrc_domtrans(NetworkManager_t) - dnsmasq_kill(NetworkManager_t) - dnsmasq_signal(NetworkManager_t) - dnsmasq_signull(NetworkManager_t) -') - -optional_policy(` - gnome_stream_connect_all_gkeyringd(NetworkManager_t) -') - -optional_policy(` - hal_write_log(NetworkManager_t) -') - -optional_policy(` - howl_signal(NetworkManager_t) -') - -optional_policy(` - ipsec_domtrans_mgmt(NetworkManager_t) - ipsec_kill_mgmt(NetworkManager_t) - ipsec_signal_mgmt(NetworkManager_t) - ipsec_signull_mgmt(NetworkManager_t) -') - -optional_policy(` - iptables_domtrans(NetworkManager_t) -') - -optional_policy(` - libs_exec_ldconfig(NetworkManager_t) -') - -optional_policy(` - modutils_domtrans_insmod(NetworkManager_t) -') - -optional_policy(` - netutils_exec_ping(NetworkManager_t) -') - -optional_policy(` - nscd_domtrans(NetworkManager_t) - nscd_signal(NetworkManager_t) - nscd_signull(NetworkManager_t) - nscd_kill(NetworkManager_t) - nscd_initrc_domtrans(NetworkManager_t) -') - -optional_policy(` - ntp_initrc_domtrans(NetworkManager_t) -') - -optional_policy(` - openvpn_read_config(NetworkManager_t) - openvpn_domtrans(NetworkManager_t) - openvpn_kill(NetworkManager_t) - openvpn_signal(NetworkManager_t) - openvpn_signull(NetworkManager_t) -') - -optional_policy(` - policykit_domtrans_auth(NetworkManager_t) - policykit_read_lib(NetworkManager_t) - policykit_read_reload(NetworkManager_t) - userdom_read_all_users_state(NetworkManager_t) -') - -optional_policy(` - polipo_initrc_domtrans(NetworkManager_t) -') - -optional_policy(` - ppp_initrc_domtrans(NetworkManager_t) - ppp_domtrans(NetworkManager_t) - ppp_manage_pid_files(NetworkManager_t) - ppp_kill(NetworkManager_t) - ppp_signal(NetworkManager_t) - ppp_signull(NetworkManager_t) - ppp_read_config(NetworkManager_t) -') - -optional_policy(` - rpm_exec(NetworkManager_t) - rpm_read_db(NetworkManager_t) - rpm_dontaudit_manage_db(NetworkManager_t) -') - -optional_policy(` - seutil_sigchld_newrole(NetworkManager_t) -') - -optional_policy(` - udev_exec(NetworkManager_t) - udev_read_db(NetworkManager_t) -') - -optional_policy(` - # unconfined_dgram_send(NetworkManager_t) - unconfined_stream_connect(NetworkManager_t) -') - -optional_policy(` - vpn_domtrans(NetworkManager_t) - vpn_kill(NetworkManager_t) - vpn_signal(NetworkManager_t) - vpn_signull(NetworkManager_t) - vpn_relabelfrom_tun_socket(NetworkManager_t) -') - -######################################## -# -# wpa_cli local policy -# - -allow wpa_cli_t self:capability dac_override; -allow wpa_cli_t self:unix_dgram_socket create_socket_perms; - -allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; - -manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file) - -list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) - -init_dontaudit_use_fds(wpa_cli_t) -init_use_script_ptys(wpa_cli_t) - -miscfiles_read_localization(wpa_cli_t) - -term_dontaudit_use_console(wpa_cli_t) - -ifdef(`distro_gentoo',` - manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t) - files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file) - - corecmd_exec_bin(wpa_cli_t) - corecmd_exec_shell(wpa_cli_t) - - domain_use_interactive_fds(wpa_cli_t) - - files_read_etc_files(wpa_cli_t) - files_search_pids(wpa_cli_t) - - term_dontaudit_use_console(wpa_cli_t) - - getty_use_fds(wpa_cli_t) - - init_domtrans_script(wpa_cli_t) - - logging_send_syslog_msg(wpa_cli_t) - - sysnet_domtrans_dhcpc(wpa_cli_t) - - userdom_use_user_terminals(wpa_cli_t) -') diff --git a/policy/modules/contrib/nginx.fc b/policy/modules/contrib/nginx.fc index 8a1cc51d..62f12620 100644 --- a/policy/modules/contrib/nginx.fc +++ b/policy/modules/contrib/nginx.fc @@ -59,5 +59,6 @@ # # /var # +/var/lib/nginx/tmp(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0) /var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_log_t,s0) /var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0) diff --git a/policy/modules/contrib/nginx.if b/policy/modules/contrib/nginx.if index 6fa607a5..d39b0964 100644 --- a/policy/modules/contrib/nginx.if +++ b/policy/modules/contrib/nginx.if @@ -57,10 +57,10 @@ interface(`nginx_domtrans',` type nginx_t, nginx_exec_t; ') allow nginx_t $1:fd use; - allow nginx_t $1:fifo_file rw_file_perms; + allow nginx_t $1:fifo_file rw_fifo_file_perms; allow nginx_t $1:process sigchld; - domain_auto_trans($1,nginx_exec_t,nginx_t) + domain_auto_transition_pattern($1, nginx_exec_t, nginx_t) ') ######################################## @@ -81,7 +81,7 @@ interface(`nginx_domtrans',` # interface(`nginx_admin',` gen_require(` - type nginx_t, nginx_conf_t, nginx_log_t, nginx_var_lib_t, nginx_var_run_t; + type nginx_t, nginx_conf_t, nginx_log_t, nginx_var_lib_t, nginx_runtime_t; type nginx_exec_t; ') @@ -99,6 +99,6 @@ interface(`nginx_admin',` logging_list_logs($1) admin_pattern($1, nginx_log_t) - files_list_pids($1) - admin_pattern($1, nginx_var_run_t) + files_list_runtime($1) + admin_pattern($1, nginx_runtime_t) ') diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te index 3a30d69e..0c935bb6 100644 --- a/policy/modules/contrib/nginx.te +++ b/policy/modules/contrib/nginx.te @@ -69,15 +69,15 @@ type nginx_var_lib_t; files_type(nginx_var_lib_t) # pid files -type nginx_var_run_t; -files_pid_file(nginx_var_run_t) +type nginx_runtime_t alias nginx_var_run_t; +files_runtime_file(nginx_runtime_t) ######################################## # # nginx local policy # -allow nginx_t self:fifo_file { read write }; +allow nginx_t self:fifo_file rw_inherited_fifo_file_perms; allow nginx_t self:unix_stream_socket create_stream_socket_perms; allow nginx_t self:tcp_socket { listen accept }; allow nginx_t self:capability { setuid net_bind_service setgid chown }; @@ -92,9 +92,9 @@ logging_log_filetrans(nginx_t, nginx_log_t, { file dir }) # pid file -manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t) -manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t) -files_pid_filetrans(nginx_t, nginx_var_run_t, file) +manage_dirs_pattern(nginx_t, nginx_runtime_t, nginx_runtime_t) +manage_files_pattern(nginx_t, nginx_runtime_t, nginx_runtime_t) +files_runtime_filetrans(nginx_t, nginx_runtime_t, file) # tmp files manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t) @@ -119,15 +119,31 @@ domain_use_interactive_fds(nginx_t) files_read_etc_files(nginx_t) +auth_use_nsswitch(nginx_t) +logging_send_syslog_msg(nginx_t) + +miscfiles_read_generic_certs(nginx_t) miscfiles_read_localization(nginx_t) + sysnet_dns_name_resolve(nginx_t) +optional_policy(` + apache_read_config(nginx_t) + apache_read_module_files(nginx_t) + apache_manage_log(nginx_t) +') + +tunable_policy(`httpd_read_user_content',` + userdom_list_user_home_content(nginx_t) + userdom_read_user_home_content_files(nginx_t) +') tunable_policy(`nginx_enable_http_server',` corenet_tcp_bind_http_port(nginx_t) apache_read_all_content(nginx_t) apache_manage_all_rw_content(nginx_t) + apache_list_sys_content(nginx_t) ') # We enable both binding and connecting, since nginx acts here as a reverse proxy @@ -155,5 +171,19 @@ tunable_policy(`nginx_can_network_connect',` ') optional_policy(` + certbot_read_lib(nginx_t) +') + +optional_policy(` phpfpm_stream_connect(nginx_t) ') + +ifdef(`distro_gentoo',` + + # needs to be able to signal its children + allow nginx_t self:process { signal sigchld }; + + optional_policy(` + uwsgi_stream_connect(nginx_t) + ') +') diff --git a/policy/modules/contrib/nis.fc b/policy/modules/contrib/nis.fc deleted file mode 100644 index 8aa1bfa2..00000000 --- a/policy/modules/contrib/nis.fc +++ /dev/null @@ -1,22 +0,0 @@ -/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) -/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) - -/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) - -/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) - -/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) - -/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) -/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) -/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) - -/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) - -/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0) -/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) -/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) -/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if deleted file mode 100644 index 46e55c3f..00000000 --- a/policy/modules/contrib/nis.if +++ /dev/null @@ -1,403 +0,0 @@ -## <summary>Policy for NIS (YP) servers and clients.</summary> - -######################################## -## <summary> -## Use the ypbind service to access NIS services -## unconditionally. -## </summary> -## <desc> -## <p> -## Use the ypbind service to access NIS services -## unconditionally. -## </p> -## <p> -## This interface was added because of apache and -## spamassassin, to fix a nested conditionals problem. -## When that support is added, this should be removed, -## and the regular interface should be used. -## </p> -## </desc> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nis_use_ypbind_uncond',` - gen_require(` - type var_yp_t; - ') - - allow $1 self:capability net_bind_service; - - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - allow $1 var_yp_t:dir list_dir_perms; - allow $1 var_yp_t:file read_file_perms; - allow $1 var_yp_t:lnk_file read_lnk_file_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_all_ports($1) - corenet_udp_sendrecv_all_ports($1) - corenet_tcp_bind_generic_node($1) - corenet_udp_bind_generic_node($1) - corenet_tcp_bind_generic_port($1) - corenet_udp_bind_generic_port($1) - corenet_dontaudit_tcp_bind_all_reserved_ports($1) - corenet_dontaudit_udp_bind_all_reserved_ports($1) - corenet_dontaudit_tcp_bind_all_ports($1) - corenet_dontaudit_udp_bind_all_ports($1) - corenet_tcp_connect_portmap_port($1) - corenet_tcp_connect_reserved_port($1) - corenet_tcp_connect_generic_port($1) - corenet_dontaudit_tcp_connect_all_ports($1) - corenet_sendrecv_portmap_client_packets($1) - corenet_sendrecv_generic_client_packets($1) - corenet_sendrecv_generic_server_packets($1) - - sysnet_read_config($1) -') - -######################################## -## <summary> -## Use the ypbind service to access NIS services. -## </summary> -## <desc> -## <p> -## Allow the specified domain to use the ypbind service -## to access Network Information Service (NIS) services. -## Information that can be retreived from NIS includes -## usernames, passwords, home directories, and groups. -## If the network is configured to have a single sign-on -## using NIS, it is likely that any program that does -## authentication will need this access. -## </p> -## </desc> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <infoflow type="both" weight="10"/> -## <rolecap/> -# -interface(`nis_use_ypbind',` - tunable_policy(`allow_ypbind',` - nis_use_ypbind_uncond($1) - ') -') - -######################################## -## <summary> -## Use nis to authenticate passwords. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`nis_authenticate',` - tunable_policy(`allow_ypbind',` - nis_use_ypbind_uncond($1) - corenet_tcp_bind_all_rpc_ports($1) - corenet_udp_bind_all_rpc_ports($1) - ') -') - -######################################## -## <summary> -## Execute ypbind in the ypbind domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`nis_domtrans_ypbind',` - gen_require(` - type ypbind_t, ypbind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ypbind_exec_t, ypbind_t) -') - -####################################### -## <summary> -## Execute ypbind in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nis_exec_ypbind',` - gen_require(` - type ypbind_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ypbind_exec_t) -') - -######################################## -## <summary> -## Execute ypbind in the ypbind domain, and -## allow the specified role the ypbind domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`nis_run_ypbind',` - gen_require(` - attribute_role ypbind_roles; - ') - - nis_domtrans_ypbind($1) - roleattribute $2 ypbind_roles; -') - -######################################## -## <summary> -## Send generic signals to ypbind. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nis_signal_ypbind',` - gen_require(` - type ypbind_t; - ') - - allow $1 ypbind_t:process signal; -') - -######################################## -## <summary> -## List nis data directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nis_list_var_yp',` - gen_require(` - type var_yp_t; - ') - - files_search_var($1) - allow $1 var_yp_t:dir list_dir_perms; -') - -######################################## -## <summary> -## Send UDP network traffic to NIS clients. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nis_udp_send_ypbind',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Connect to ypbind over TCP. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nis_tcp_connect_ypbind',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Read ypbind pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nis_read_ypbind_pid',` - gen_require(` - type ypbind_var_run_t; - ') - - files_search_pids($1) - allow $1 ypbind_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Delete ypbind pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nis_delete_ypbind_pid',` - gen_require(` - type ypbind_var_run_t; - ') - - allow $1 ypbind_var_run_t:file delete_file_perms; -') - -######################################## -## <summary> -## Read ypserv configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nis_read_ypserv_config',` - gen_require(` - type ypserv_conf_t; - ') - - files_search_etc($1) - allow $1 ypserv_conf_t:file read_file_perms; -') - -######################################## -## <summary> -## Execute ypxfr in the ypxfr domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`nis_domtrans_ypxfr',` - gen_require(` - type ypxfr_t, ypxfr_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) -') - -######################################## -## <summary> -## Execute nis server in the nis domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -# -interface(`nis_initrc_domtrans',` - gen_require(` - type nis_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nis_initrc_exec_t) -') - -######################################## -## <summary> -## Execute nis server in the nis domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`nis_initrc_domtrans_ypbind',` - gen_require(` - type ypbind_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ypbind_initrc_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an nis environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`nis_admin',` - gen_require(` - type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; - type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; - type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; - type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t; - ') - - allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t }) - - nis_initrc_domtrans($1) - nis_initrc_domtrans_ypbind($1) - domain_system_change_exemption($1) - role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t }) - - files_list_pids($1) - admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t }) - - files_list_etc($1) - admin_pattern($1, ypserv_conf_t) - - files_search_var($1) - admin_pattern($1, var_yp_t) - - nis_run_ypbind($1, $2) -') diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te deleted file mode 100644 index 3e4a31c0..00000000 --- a/policy/modules/contrib/nis.te +++ /dev/null @@ -1,358 +0,0 @@ -policy_module(nis, 1.11.1) - -######################################## -# -# Declarations -# - -attribute_role ypbind_roles; - -type nis_initrc_exec_t; -init_script_file(nis_initrc_exec_t) - -type var_yp_t; -files_type(var_yp_t) - -type ypbind_t; -type ypbind_exec_t; -init_daemon_domain(ypbind_t, ypbind_exec_t) -role ypbind_roles types ypbind_t; - -type ypbind_initrc_exec_t; -init_script_file(ypbind_initrc_exec_t) - -type ypbind_tmp_t; -files_tmp_file(ypbind_tmp_t) - -type ypbind_var_run_t; -files_pid_file(ypbind_var_run_t) - -type yppasswdd_t; -type yppasswdd_exec_t; -init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) -domain_obj_id_change_exemption(yppasswdd_t) - -type yppasswdd_var_run_t; -files_pid_file(yppasswdd_var_run_t) - -type ypserv_t; -type ypserv_exec_t; -init_daemon_domain(ypserv_t, ypserv_exec_t) - -type ypserv_conf_t; -files_type(ypserv_conf_t) - -type ypserv_tmp_t; -files_tmp_file(ypserv_tmp_t) - -type ypserv_var_run_t; -files_pid_file(ypserv_var_run_t) - -type ypxfr_t; -type ypxfr_exec_t; -init_daemon_domain(ypxfr_t, ypxfr_exec_t) - -type ypxfr_var_run_t; -files_pid_file(ypxfr_var_run_t) - -######################################## -# -# ypbind local policy - -dontaudit ypbind_t self:capability { net_admin sys_tty_config }; -allow ypbind_t self:fifo_file rw_fifo_file_perms; -allow ypbind_t self:process signal_perms; -allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; -allow ypbind_t self:tcp_socket create_stream_socket_perms; -allow ypbind_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t) -manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t) -files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir }) - -manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t) -files_pid_filetrans(ypbind_t, ypbind_var_run_t, file) - -manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) - -kernel_read_system_state(ypbind_t) -kernel_read_kernel_sysctls(ypbind_t) - -corenet_all_recvfrom_unlabeled(ypbind_t) -corenet_all_recvfrom_netlabel(ypbind_t) -corenet_tcp_sendrecv_generic_if(ypbind_t) -corenet_udp_sendrecv_generic_if(ypbind_t) -corenet_tcp_sendrecv_generic_node(ypbind_t) -corenet_udp_sendrecv_generic_node(ypbind_t) -corenet_tcp_sendrecv_all_ports(ypbind_t) -corenet_udp_sendrecv_all_ports(ypbind_t) -corenet_tcp_bind_generic_node(ypbind_t) -corenet_udp_bind_generic_node(ypbind_t) - -corenet_tcp_bind_generic_port(ypbind_t) -corenet_udp_bind_generic_port(ypbind_t) -corenet_tcp_bind_reserved_port(ypbind_t) -corenet_udp_bind_reserved_port(ypbind_t) -corenet_tcp_bind_all_rpc_ports(ypbind_t) -corenet_udp_bind_all_rpc_ports(ypbind_t) -corenet_tcp_connect_all_ports(ypbind_t) -corenet_sendrecv_all_client_packets(ypbind_t) -corenet_sendrecv_generic_server_packets(ypbind_t) - -corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) - -dev_read_sysfs(ypbind_t) - -fs_getattr_all_fs(ypbind_t) -fs_search_auto_mountpoints(ypbind_t) - -domain_use_interactive_fds(ypbind_t) - -files_read_etc_files(ypbind_t) -files_list_var(ypbind_t) - -logging_send_syslog_msg(ypbind_t) - -miscfiles_read_localization(ypbind_t) - -sysnet_read_config(ypbind_t) - -userdom_dontaudit_use_unpriv_user_fds(ypbind_t) -userdom_dontaudit_search_user_home_dirs(ypbind_t) - -optional_policy(` - dbus_system_bus_client(ypbind_t) - dbus_connect_system_bus(ypbind_t) - - init_dbus_chat_script(ypbind_t) - - optional_policy(` - networkmanager_dbus_chat(ypbind_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(ypbind_t) -') - -optional_policy(` - udev_read_db(ypbind_t) -') - -######################################## -# -# yppasswdd local policy -# - -allow yppasswdd_t self:capability dac_override; -dontaudit yppasswdd_t self:capability sys_tty_config; -allow yppasswdd_t self:fifo_file rw_fifo_file_perms; -allow yppasswdd_t self:process { getsched setfscreate signal_perms }; -allow yppasswdd_t self:unix_stream_socket { accept listen }; -allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; -allow yppasswdd_t self:tcp_socket create_stream_socket_perms; -allow yppasswdd_t self:udp_socket create_socket_perms; - -manage_files_pattern(yppasswdd_t, yppasswdd_var_run_t, yppasswdd_var_run_t) -files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) - -manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) -manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) - -can_exec(yppasswdd_t, yppasswdd_exec_t) - -kernel_list_proc(yppasswdd_t) -kernel_read_proc_symlinks(yppasswdd_t) -kernel_getattr_proc_files(yppasswdd_t) -kernel_read_kernel_sysctls(yppasswdd_t) - -corenet_all_recvfrom_unlabeled(yppasswdd_t) -corenet_all_recvfrom_netlabel(yppasswdd_t) -corenet_tcp_sendrecv_generic_if(yppasswdd_t) -corenet_udp_sendrecv_generic_if(yppasswdd_t) -corenet_tcp_sendrecv_generic_node(yppasswdd_t) -corenet_udp_sendrecv_generic_node(yppasswdd_t) -corenet_tcp_sendrecv_all_ports(yppasswdd_t) -corenet_udp_sendrecv_all_ports(yppasswdd_t) -corenet_tcp_bind_generic_node(yppasswdd_t) -corenet_udp_bind_generic_node(yppasswdd_t) - -corenet_tcp_bind_all_rpc_ports(yppasswdd_t) -corenet_udp_bind_all_rpc_ports(yppasswdd_t) -corenet_sendrecv_generic_server_packets(yppasswdd_t) - -corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) -corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) - -corecmd_exec_bin(yppasswdd_t) -corecmd_exec_shell(yppasswdd_t) - -domain_use_interactive_fds(yppasswdd_t) - -files_read_etc_files(yppasswdd_t) -files_read_etc_runtime_files(yppasswdd_t) -files_relabel_etc_files(yppasswdd_t) - -dev_read_sysfs(yppasswdd_t) - -fs_getattr_all_fs(yppasswdd_t) -fs_search_auto_mountpoints(yppasswdd_t) - -selinux_get_fs_mount(yppasswdd_t) - -auth_manage_shadow(yppasswdd_t) -auth_relabel_shadow(yppasswdd_t) -auth_etc_filetrans_shadow(yppasswdd_t) - -logging_send_syslog_msg(yppasswdd_t) - -miscfiles_read_localization(yppasswdd_t) - -sysnet_read_config(yppasswdd_t) - -userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t) -userdom_dontaudit_search_user_home_dirs(yppasswdd_t) - -optional_policy(` - hostname_exec(yppasswdd_t) -') - -optional_policy(` - seutil_sigchld_newrole(yppasswdd_t) -') - -optional_policy(` - udev_read_db(yppasswdd_t) -') - -######################################## -# -# ypserv local policy -# - -dontaudit ypserv_t self:capability sys_tty_config; -allow ypserv_t self:fifo_file rw_fifo_file_perms; -allow ypserv_t self:process signal_perms; -allow ypserv_t self:unix_stream_socket { accept listen }; -allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; -allow ypserv_t self:tcp_socket connected_stream_socket_perms; -allow ypserv_t self:udp_socket create_socket_perms; - -manage_files_pattern(ypserv_t, var_yp_t, var_yp_t) - -allow ypserv_t ypserv_conf_t:file read_file_perms; - -manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) -manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) -files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir }) - -manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t) -files_pid_filetrans(ypserv_t, ypserv_var_run_t, file) - -kernel_read_kernel_sysctls(ypserv_t) -kernel_list_proc(ypserv_t) -kernel_read_proc_symlinks(ypserv_t) - -corenet_all_recvfrom_unlabeled(ypserv_t) -corenet_all_recvfrom_netlabel(ypserv_t) -corenet_tcp_sendrecv_generic_if(ypserv_t) -corenet_udp_sendrecv_generic_if(ypserv_t) -corenet_tcp_sendrecv_generic_node(ypserv_t) -corenet_udp_sendrecv_generic_node(ypserv_t) -corenet_tcp_sendrecv_all_ports(ypserv_t) -corenet_udp_sendrecv_all_ports(ypserv_t) -corenet_tcp_bind_generic_node(ypserv_t) -corenet_udp_bind_generic_node(ypserv_t) - -corenet_tcp_bind_reserved_port(ypserv_t) -corenet_udp_bind_reserved_port(ypserv_t) -corenet_tcp_bind_all_rpc_ports(ypserv_t) -corenet_udp_bind_all_rpc_ports(ypserv_t) -corenet_sendrecv_generic_server_packets(ypserv_t) - -corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) - -corecmd_exec_bin(ypserv_t) - -files_read_etc_files(ypserv_t) -files_read_var_files(ypserv_t) - -dev_read_sysfs(ypserv_t) - -domain_use_interactive_fds(ypserv_t) - -fs_getattr_all_fs(ypserv_t) -fs_search_auto_mountpoints(ypserv_t) - -logging_send_syslog_msg(ypserv_t) - -miscfiles_read_localization(ypserv_t) - -nis_domtrans_ypxfr(ypserv_t) - -sysnet_read_config(ypserv_t) - -userdom_dontaudit_use_unpriv_user_fds(ypserv_t) -userdom_dontaudit_search_user_home_dirs(ypserv_t) - -optional_policy(` - seutil_sigchld_newrole(ypserv_t) -') - -optional_policy(` - udev_read_db(ypserv_t) -') - -######################################## -# -# ypxfr local policy -# - -allow ypxfr_t self:unix_stream_socket { accept listen }; -allow ypxfr_t self:unix_dgram_socket { accept listen }; -allow ypxfr_t self:tcp_socket create_stream_socket_perms; -allow ypxfr_t self:udp_socket create_socket_perms; -allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; - -manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t) - -allow ypxfr_t ypserv_t:tcp_socket { read write }; -allow ypxfr_t ypserv_t:udp_socket { read write }; - -allow ypxfr_t ypserv_conf_t:file read_file_perms; - -manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) -files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) - -corenet_all_recvfrom_unlabeled(ypxfr_t) -corenet_all_recvfrom_netlabel(ypxfr_t) -corenet_tcp_sendrecv_generic_if(ypxfr_t) -corenet_udp_sendrecv_generic_if(ypxfr_t) -corenet_tcp_sendrecv_generic_node(ypxfr_t) -corenet_udp_sendrecv_generic_node(ypxfr_t) -corenet_tcp_sendrecv_all_ports(ypxfr_t) -corenet_udp_sendrecv_all_ports(ypxfr_t) -corenet_tcp_bind_generic_node(ypxfr_t) -corenet_udp_bind_generic_node(ypxfr_t) - -corenet_tcp_bind_reserved_port(ypxfr_t) -corenet_udp_bind_reserved_port(ypxfr_t) -corenet_tcp_bind_all_rpc_ports(ypxfr_t) -corenet_udp_bind_all_rpc_ports(ypxfr_t) -corenet_tcp_connect_all_ports(ypxfr_t) -corenet_sendrecv_generic_server_packets(ypxfr_t) -corenet_sendrecv_all_client_packets(ypxfr_t) - -corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) - -files_read_etc_files(ypxfr_t) -files_search_usr(ypxfr_t) - -logging_send_syslog_msg(ypxfr_t) - -miscfiles_read_localization(ypxfr_t) - -sysnet_read_config(ypxfr_t) diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc deleted file mode 100644 index ba644850..00000000 --- a/policy/modules/contrib/nscd.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) - -/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) - -/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) - -/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) - -/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) - -/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) -/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0) -/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if deleted file mode 100644 index 8f2ab09f..00000000 --- a/policy/modules/contrib/nscd.if +++ /dev/null @@ -1,314 +0,0 @@ -## <summary>Name service cache daemon.</summary> - -######################################## -## <summary> -## Send generic signals to nscd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nscd_signal',` - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process signal; -') - -######################################## -## <summary> -## Send kill signals to nscd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nscd_kill',` - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process sigkill; -') - -######################################## -## <summary> -## Send null signals to nscd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nscd_signull',` - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process signull; -') - -######################################## -## <summary> -## Execute nscd in the nscd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`nscd_domtrans',` - gen_require(` - type nscd_t, nscd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nscd_exec_t, nscd_t) -') - -######################################## -## <summary> -## Execute nscd in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nscd_exec',` - gen_require(` - type nscd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, nscd_exec_t) -') - -######################################## -## <summary> -## Use nscd services by connecting using -## a unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nscd_socket_use',` - gen_require(` - type nscd_t, nscd_var_run_t; - class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; - ') - - allow $1 self:unix_stream_socket create_socket_perms; - - allow $1 nscd_t:nscd { getpwd getgrp gethost }; - - dontaudit $1 nscd_t:fd use; - dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; - - files_search_pids($1) - stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) - dontaudit $1 nscd_var_run_t:file read_file_perms; - - ps_process_pattern(nscd_t, $1) -') - -######################################## -## <summary> -## Use nscd services by mapping the -## database from an inherited nscd -## file descriptor. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nscd_shm_use',` - gen_require(` - type nscd_t, nscd_var_run_t; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - ') - - allow $1 self:unix_stream_socket create_stream_socket_perms; - - allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - allow $1 nscd_t:fd use; - - files_search_pids($1) - stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) - dontaudit $1 nscd_var_run_t:file read_file_perms; - - allow $1 nscd_var_run_t:dir list_dir_perms; - allow $1 nscd_var_run_t:sock_file read_sock_file_perms; -') - -######################################## -## <summary> -## Use nscd services. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nscd_use',` - tunable_policy(`nscd_use_shm',` - nscd_shm_use($1) - ',` - nscd_socket_use($1) - ') -') - -######################################## -## <summary> -## Do not audit attempts to search -## nscd pid directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`nscd_dontaudit_search_pid',` - gen_require(` - type nscd_var_run_t; - ') - - dontaudit $1 nscd_var_run_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read nscd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nscd_read_pid',` - gen_require(` - type nscd_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, nscd_var_run_t, nscd_var_run_t) -') - -######################################## -## <summary> -## Unconfined access to nscd services. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nscd_unconfined',` - gen_require(` - type nscd_t; - class nscd all_nscd_perms; - ') - - allow $1 nscd_t:nscd *; -') - -######################################## -## <summary> -## Execute nscd in the nscd domain, and -## allow the specified role the nscd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`nscd_run',` - gen_require(` - attribute_role nscd_roles; - ') - - nscd_domtrans($1) - roleattribute $2 nscd_roles; -') - -######################################## -## <summary> -## Execute the nscd server init -## script in the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`nscd_initrc_domtrans',` - gen_require(` - type nscd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nscd_initrc_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an nscd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`nscd_admin',` - gen_require(` - type nscd_t, nscd_log_t, nscd_var_run_t; - type nscd_initrc_exec_t; - ') - - allow $1 nscd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nscd_t) - - init_labeled_script_domtrans($1, nscd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nscd_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, nscd_log_t) - - files_list_pids($1) - admin_pattern($1, nscd_var_run_t) - - nscd_run($1, $2) -') diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te deleted file mode 100644 index df4c10f3..00000000 --- a/policy/modules/contrib/nscd.te +++ /dev/null @@ -1,140 +0,0 @@ -policy_module(nscd, 1.10.3) - -gen_require(` - class nscd all_nscd_perms; -') - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether confined applications -## can use nscd shared memory. -## </p> -## </desc> -gen_tunable(nscd_use_shm, false) - -attribute_role nscd_roles; - -type nscd_var_run_t; -files_pid_file(nscd_var_run_t) -init_daemon_run_dir(nscd_var_run_t, "nscd") - -type nscd_t; -type nscd_exec_t; -init_daemon_domain(nscd_t, nscd_exec_t) -role nscd_roles types nscd_t; - -type nscd_initrc_exec_t; -init_script_file(nscd_initrc_exec_t) - -type nscd_log_t; -logging_log_file(nscd_log_t) - -######################################## -# -# Local policy -# - -allow nscd_t self:capability { kill setgid setuid }; -dontaudit nscd_t self:capability sys_tty_config; -allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; -allow nscd_t self:fifo_file read_fifo_file_perms; -allow nscd_t self:unix_stream_socket { accept listen }; -allow nscd_t self:netlink_selinux_socket create_socket_perms; - -allow nscd_t self:nscd { admin getstat }; - -allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(nscd_t, nscd_log_t, file) - -manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) -manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) -files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) - -can_exec(nscd_t, nscd_exec_t) - -kernel_list_proc(nscd_t) -kernel_read_kernel_sysctls(nscd_t) -kernel_read_network_state(nscd_t) -kernel_read_proc_symlinks(nscd_t) - -corecmd_search_bin(nscd_t) - -dev_read_sysfs(nscd_t) -dev_read_rand(nscd_t) -dev_read_urand(nscd_t) - -domain_search_all_domains_state(nscd_t) -domain_use_interactive_fds(nscd_t) - -files_read_generic_tmp_symlinks(nscd_t) -files_read_etc_runtime_files(nscd_t) - -fs_getattr_all_fs(nscd_t) -fs_search_auto_mountpoints(nscd_t) -fs_list_inotifyfs(nscd_t) - -auth_getattr_shadow(nscd_t) -auth_use_nsswitch(nscd_t) - -corenet_all_recvfrom_unlabeled(nscd_t) -corenet_all_recvfrom_netlabel(nscd_t) -corenet_tcp_sendrecv_generic_if(nscd_t) -corenet_tcp_sendrecv_generic_node(nscd_t) - -corenet_sendrecv_all_client_packets(nscd_t) -corenet_tcp_connect_all_ports(nscd_t) -corenet_tcp_sendrecv_all_ports(nscd_t) - -corenet_rw_tun_tap_dev(nscd_t) - -selinux_get_fs_mount(nscd_t) -selinux_validate_context(nscd_t) -selinux_compute_access_vector(nscd_t) -selinux_compute_create_context(nscd_t) -selinux_compute_relabel_context(nscd_t) -selinux_compute_user_contexts(nscd_t) - -logging_send_audit_msgs(nscd_t) -logging_send_syslog_msg(nscd_t) - -miscfiles_read_localization(nscd_t) - -seutil_read_config(nscd_t) -seutil_read_default_contexts(nscd_t) -seutil_sigchld_newrole(nscd_t) - -userdom_dontaudit_use_user_terminals(nscd_t) -userdom_dontaudit_use_unpriv_user_fds(nscd_t) -userdom_dontaudit_search_user_home_dirs(nscd_t) - -optional_policy(` - accountsd_dontaudit_rw_fifo_file(nscd_t) -') - -optional_policy(` - cron_read_system_job_tmp_files(nscd_t) -') - -optional_policy(` - tunable_policy(`samba_domain_controller',` - samba_append_log(nscd_t) - samba_dontaudit_use_fds(nscd_t) - ') - - samba_read_config(nscd_t) - samba_read_var_files(nscd_t) -') - -optional_policy(` - udev_read_db(nscd_t) -') - -optional_policy(` - xen_dontaudit_rw_unix_stream_sockets(nscd_t) - xen_append_log(nscd_t) -') diff --git a/policy/modules/contrib/nsd.fc b/policy/modules/contrib/nsd.fc deleted file mode 100644 index 4f2b1b66..00000000 --- a/policy/modules/contrib/nsd.fc +++ /dev/null @@ -1,16 +0,0 @@ -/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0) - -/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) -/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) -/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) - -/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) -/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0) -/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0) -/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) - -/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) - -/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if deleted file mode 100644 index a9c60ff8..00000000 --- a/policy/modules/contrib/nsd.if +++ /dev/null @@ -1,70 +0,0 @@ -## <summary>Authoritative only name server.</summary> - -######################################## -## <summary> -## Send and receive datagrams from NSD. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nsd_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Connect to NSD over a TCP socket (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nsd_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an nsd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`nsd_admin',` - gen_require(` - type nsd_t, nsd_conf_t, nsd_var_run_t; - type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t; - ') - - allow $1 nsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nsd_t) - - init_labeled_script_domtrans($1, nsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nsd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, { nsd_conf_t nsd_db_t }) - - files_search_var_lib($1) - admin_pattern($1, nsd_zone_t) - - files_list_pids($1) - admin_pattern($1, nsd_var_run_t) -') diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te deleted file mode 100644 index dde7f42e..00000000 --- a/policy/modules/contrib/nsd.te +++ /dev/null @@ -1,161 +0,0 @@ -policy_module(nsd, 1.7.1) - -######################################## -# -# Declarations -# - -type nsd_t; -type nsd_exec_t; -init_daemon_domain(nsd_t, nsd_exec_t) - -type nsd_initrc_exec_t; -init_script_file(nsd_initrc_exec_t) - -type nsd_conf_t; -files_type(nsd_conf_t) - -type nsd_crond_t; -domain_type(nsd_crond_t) -domain_entry_file(nsd_crond_t, nsd_exec_t) -role system_r types nsd_crond_t; - -type nsd_db_t; -files_type(nsd_db_t) - -type nsd_var_run_t; -files_pid_file(nsd_var_run_t) - -type nsd_zone_t; -files_type(nsd_zone_t) - -######################################## -# -# Local policy -# - -allow nsd_t self:capability { chown dac_override kill setgid setuid }; -dontaudit nsd_t self:capability sys_tty_config; -allow nsd_t self:process signal_perms; -allow nsd_t self:fifo_file rw_fifo_file_perms; -allow nsd_t self:tcp_socket { accept listen }; - -allow nsd_t nsd_conf_t:dir list_dir_perms; -allow nsd_t nsd_conf_t:file read_file_perms; -allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms; - -allow nsd_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file) - -manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) -files_pid_filetrans(nsd_t, nsd_var_run_t, file) - -manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t) -manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) -manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) -files_var_lib_filetrans(nsd_t, nsd_zone_t, dir) - -can_exec(nsd_t, nsd_exec_t) - -kernel_read_system_state(nsd_t) -kernel_read_kernel_sysctls(nsd_t) - -corecmd_exec_bin(nsd_t) - -corenet_all_recvfrom_unlabeled(nsd_t) -corenet_all_recvfrom_netlabel(nsd_t) -corenet_tcp_sendrecv_generic_if(nsd_t) -corenet_udp_sendrecv_generic_if(nsd_t) -corenet_tcp_sendrecv_generic_node(nsd_t) -corenet_udp_sendrecv_generic_node(nsd_t) -corenet_tcp_sendrecv_all_ports(nsd_t) -corenet_udp_sendrecv_all_ports(nsd_t) -corenet_tcp_bind_generic_node(nsd_t) -corenet_udp_bind_generic_node(nsd_t) - -corenet_sendrecv_dns_server_packets(nsd_t) -corenet_tcp_bind_dns_port(nsd_t) -corenet_udp_bind_dns_port(nsd_t) - -dev_read_sysfs(nsd_t) - -domain_use_interactive_fds(nsd_t) - -files_read_etc_runtime_files(nsd_t) - -fs_getattr_all_fs(nsd_t) -fs_search_auto_mountpoints(nsd_t) - -auth_use_nsswitch(nsd_t) - -logging_send_syslog_msg(nsd_t) - -miscfiles_read_localization(nsd_t) - -userdom_dontaudit_use_unpriv_user_fds(nsd_t) -userdom_dontaudit_search_user_home_dirs(nsd_t) - -optional_policy(` - seutil_sigchld_newrole(nsd_t) -') - -optional_policy(` - udev_read_db(nsd_t) -') - -######################################## -# -# Cron local policy -# - -allow nsd_crond_t self:capability { dac_override kill }; -dontaudit nsd_crond_t self:capability sys_nice; -allow nsd_crond_t self:process { setsched signal_perms }; -allow nsd_crond_t self:fifo_file rw_fifo_file_perms; - -allow nsd_crond_t nsd_t:process signal; -ps_process_pattern(nsd_crond_t, nsd_t) - -allow nsd_crond_t nsd_conf_t:dir list_dir_perms; -allow nsd_crond_t nsd_conf_t:file read_file_perms; -allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms; - -allow nsd_crond_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file) - -manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) -filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) - -can_exec(nsd_crond_t, nsd_exec_t) - -kernel_read_system_state(nsd_crond_t) - -corecmd_exec_bin(nsd_crond_t) -corecmd_exec_shell(nsd_crond_t) - -corenet_all_recvfrom_unlabeled(nsd_crond_t) -corenet_all_recvfrom_netlabel(nsd_crond_t) -corenet_tcp_sendrecv_generic_if(nsd_crond_t) -corenet_tcp_sendrecv_generic_node(nsd_crond_t) - -corenet_sendrecv_all_client_packets(nsd_crond_t) -corenet_tcp_connect_all_ports(nsd_crond_t) -corenet_tcp_sendrecv_all_ports(nsd_crond_t) - -dev_read_urand(nsd_crond_t) - -domain_dontaudit_read_all_domains_state(nsd_crond_t) - -files_read_etc_runtime_files(nsd_crond_t) - -auth_use_nsswitch(nsd_crond_t) - -logging_send_syslog_msg(nsd_crond_t) - -miscfiles_read_localization(nsd_crond_t) - -userdom_dontaudit_search_user_home_dirs(nsd_crond_t) - -optional_policy(` - cron_system_entry(nsd_crond_t, nsd_exec_t) -') diff --git a/policy/modules/contrib/nslcd.fc b/policy/modules/contrib/nslcd.fc deleted file mode 100644 index 402100e4..00000000 --- a/policy/modules/contrib/nslcd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) - -/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) - -/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) - -/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if deleted file mode 100644 index 97df768d..00000000 --- a/policy/modules/contrib/nslcd.if +++ /dev/null @@ -1,115 +0,0 @@ -## <summary>Local LDAP name service daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to run nslcd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`nslcd_domtrans',` - gen_require(` - type nslcd_t, nslcd_exec_t; - ') - - corecmd_searh_bin($1) - domtrans_pattern($1, nslcd_exec_t, nslcd_t) -') - -######################################## -## <summary> -## Execute nslcd server in the nslcd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`nslcd_initrc_domtrans',` - gen_require(` - type nslcd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nslcd_initrc_exec_t) -') - -######################################## -## <summary> -## Read nslcd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nslcd_read_pid_files',` - gen_require(` - type nslcd_var_run_t; - ') - - files_search_pids($1) - allow $1 nslcd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Connect to nslcd over an unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nslcd_stream_connect',` - gen_require(` - type nslcd_t, nslcd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an nslcd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`nslcd_admin',` - gen_require(` - type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t; - type nslcd_conf_t; - ') - - allow $1 nslcd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nslcd_t) - - nslcd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 nslcd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, nslcd_conf_t) - - files_search_pids($1) - admin_pattern($1, nslcd_var_run_t) -') diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te deleted file mode 100644 index a3e56f08..00000000 --- a/policy/modules/contrib/nslcd.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(nslcd, 1.3.1) - -######################################## -# -# Declarations -# - -type nslcd_t; -type nslcd_exec_t; -init_daemon_domain(nslcd_t, nslcd_exec_t) - -type nslcd_initrc_exec_t; -init_script_file(nslcd_initrc_exec_t) - -type nslcd_var_run_t; -files_pid_file(nslcd_var_run_t) - -type nslcd_conf_t; -files_config_file(nslcd_conf_t) - -######################################## -# -# Local policy -# - -allow nslcd_t self:capability { setgid setuid dac_override }; -allow nslcd_t self:process signal; -allow nslcd_t self:unix_stream_socket { accept listen }; - -allow nslcd_t nslcd_conf_t:file read_file_perms; - -manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) -manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) -manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) -files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) - -kernel_read_system_state(nslcd_t) - -corenet_all_recvfrom_unlabeled(nslcd_t) -corenet_all_recvfrom_netlabel(nslcd_t) -corenet_tcp_sendrecv_generic_if(nslcd_t) -corenet_tcp_sendrecv_generic_node(nslcd_t) - -corenet_sendrecv_ldap_client_packets(nslcd_t) -corenet_tcp_connect_ldap_port(nslcd_t) -corenet_tcp_sendrecv_ldap_port(nslcd_t) - -files_read_usr_symlinks(nslcd_t) -files_list_tmp(nslcd_t) - -auth_use_nsswitch(nslcd_t) - -logging_send_syslog_msg(nslcd_t) - -miscfiles_read_localization(nslcd_t) - -userdom_read_user_tmp_files(nslcd_t) - -optional_policy(` - ldap_stream_connect(nslcd_t) -') diff --git a/policy/modules/contrib/ntop.fc b/policy/modules/contrib/ntop.fc deleted file mode 100644 index 52e27ef1..00000000 --- a/policy/modules/contrib/ntop.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/ntop.* gen_context(system_u:object_r:ntop_etc_t,s0) - -/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0) - -/usr/sbin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0) - -/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) - -/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) diff --git a/policy/modules/contrib/ntop.if b/policy/modules/contrib/ntop.if deleted file mode 100644 index beaee73e..00000000 --- a/policy/modules/contrib/ntop.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>A network traffic probe similar to the UNIX top command.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an ntop environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ntop_admin',` - gen_require(` - type ntop_t, ntop_etc_t, ntop_var_run_t; - type ntop_initrc_exec_t, ntop_var_lib_t; - ') - - allow $1 ntop_t:process { ptrace signal_perms }; - ps_process_pattern($1, ntop_t) - - init_labeled_script_domtrans($1, ntop_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ntop_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, ntop_etc_t) - - files_search_var_lib($1) - admin_pattern($1, ntop_var_lib_t) - - files_list_pids($1) - admin_pattern($1, ntop_var_run_t) -') diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te deleted file mode 100644 index 52757d83..00000000 --- a/policy/modules/contrib/ntop.te +++ /dev/null @@ -1,109 +0,0 @@ -policy_module(ntop, 1.9.2) - -######################################## -# -# Declarations -# - -type ntop_t; -type ntop_exec_t; -init_daemon_domain(ntop_t, ntop_exec_t) - -type ntop_initrc_exec_t; -init_script_file(ntop_initrc_exec_t) - -type ntop_etc_t; -files_config_file(ntop_etc_t) - -type ntop_tmp_t; -files_tmp_file(ntop_tmp_t) - -type ntop_var_lib_t; -files_type(ntop_var_lib_t) - -type ntop_var_run_t; -files_pid_file(ntop_var_run_t) - -######################################## -# -# Local Policy -# - -allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; -dontaudit ntop_t self:capability sys_tty_config; -allow ntop_t self:process signal_perms; -allow ntop_t self:fifo_file rw_fifo_file_perms; -allow ntop_t self:tcp_socket { accept listen }; -allow ntop_t self:unix_stream_socket { accept listen }; -allow ntop_t self:packet_socket create_socket_perms; -allow ntop_t self:socket create_socket_perms; - -allow ntop_t ntop_etc_t:dir list_dir_perms; -allow ntop_t ntop_etc_t:file read_file_perms; -allow ntop_t ntop_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t) -manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t) -files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir }) - -manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) -manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) -files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } ) - -manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t) -files_pid_filetrans(ntop_t, ntop_var_run_t, file) - -kernel_request_load_module(ntop_t) -kernel_read_system_state(ntop_t) -kernel_read_network_state(ntop_t) -kernel_read_kernel_sysctls(ntop_t) - -corenet_all_recvfrom_unlabeled(ntop_t) -corenet_all_recvfrom_netlabel(ntop_t) -corenet_tcp_sendrecv_generic_if(ntop_t) -corenet_raw_sendrecv_generic_if(ntop_t) -corenet_tcp_sendrecv_generic_node(ntop_t) -corenet_raw_sendrecv_generic_node(ntop_t) -corenet_tcp_bind_generic_node(ntop_t) - -corenet_sendrecv_ntop_server_packets(ntop_t) -corenet_tcp_bind_ntop_port(ntop_t) -corenet_sendrecv_ntop_client_packets(ntop_t) -corenet_tcp_connect_ntop_port(ntop_t) -corenet_tcp_sendrecv_ntop_port(ntop_t) - -corenet_sendrecv_http_client_packets(ntop_t) -corenet_tcp_connect_http_port(ntop_t) -corenet_tcp_sendrecv_http_port(ntop_t) - -dev_read_sysfs(ntop_t) -dev_rw_generic_usb_dev(ntop_t) - -domain_use_interactive_fds(ntop_t) - -files_read_usr_files(ntop_t) - -fs_getattr_all_fs(ntop_t) -fs_search_auto_mountpoints(ntop_t) - -auth_use_nsswitch(ntop_t) - -logging_send_syslog_msg(ntop_t) - -miscfiles_read_fonts(ntop_t) -miscfiles_read_localization(ntop_t) - -userdom_dontaudit_use_unpriv_user_fds(ntop_t) -userdom_dontaudit_search_user_home_dirs(ntop_t) - -optional_policy(` - apache_read_sys_content(ntop_t) -') - -optional_policy(` - seutil_sigchld_newrole(ntop_t) -') - -optional_policy(` - udev_read_db(ntop_t) -') diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc deleted file mode 100644 index af3c91e7..00000000 --- a/policy/modules/contrib/ntp.fc +++ /dev/null @@ -1,23 +0,0 @@ -/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0) -/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0) - -/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0) -/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) -/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) -/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) -/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0) - -/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) - -/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) -/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) -/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) - -/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) -/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) - -/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) -/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) -/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) - -/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if deleted file mode 100644 index b59196f0..00000000 --- a/policy/modules/contrib/ntp.if +++ /dev/null @@ -1,168 +0,0 @@ -## <summary>Network time protocol daemon.</summary> - -######################################## -## <summary> -## NTP stub interface. No access allowed. -## </summary> -## <param name="domain" unused="true"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ntp_stub',` - gen_require(` - type ntpd_t; - ') -') - -######################################## -## <summary> -## Execute ntp server in the ntpd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ntp_domtrans',` - gen_require(` - type ntpd_t, ntpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ntpd_exec_t, ntpd_t) -') - -######################################## -## <summary> -## Execute ntp in the ntp domain, and -## allow the specified role the ntp domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ntp_run',` - gen_require(` - attribute_role ntpd_roles; - ') - - ntp_domtrans($1) - roleattribute $2 ntpd_roles; -') - -######################################## -## <summary> -## Execute ntp server in the ntpd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ntp_domtrans_ntpdate',` - gen_require(` - type ntpd_t, ntpdate_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ntpdate_exec_t, ntpd_t) -') - -######################################## -## <summary> -## Execute ntp server in the ntpd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ntp_initrc_domtrans',` - gen_require(` - type ntpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) -') - -######################################## -## <summary> -## Read and write ntpd shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ntp_rw_shm',` - gen_require(` - type ntpd_t, ntpd_tmpfs_t; - ') - - allow $1 ntpd_t:shm rw_shm_perms; - list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ntp environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ntp_admin',` - gen_require(` - type ntpd_t, ntpd_tmp_t, ntpd_log_t; - type ntpd_key_t, ntpd_var_run_t, ntp_conf_t; - type ntpd_initrc_exec_t, ntp_drift_t; - ') - - allow $1 ntpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ntpd_t) - - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ntpd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t }) - - logging_list_logs($1) - admin_pattern($1, ntpd_log_t) - - files_list_tmp($1) - admin_pattern($1, ntpd_tmp_t) - - files_list_pids($1) - admin_pattern($1, ntpd_var_run_t) - - ntp_run($1, $2) -') diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te deleted file mode 100644 index b90e343c..00000000 --- a/policy/modules/contrib/ntp.te +++ /dev/null @@ -1,160 +0,0 @@ -policy_module(ntp, 1.10.3) - -######################################## -# -# Declarations -# - -attribute_role ntpd_roles; - -type ntp_drift_t; -files_type(ntp_drift_t) - -type ntpd_t; -type ntpd_exec_t; -init_daemon_domain(ntpd_t, ntpd_exec_t) -role ntpd_roles types ntpd_t; - -type ntpd_initrc_exec_t; -init_script_file(ntpd_initrc_exec_t) - -type ntp_conf_t; -files_config_file(ntp_conf_t) - -type ntpd_key_t; -files_type(ntpd_key_t) - -type ntpd_log_t; -logging_log_file(ntpd_log_t) - -type ntpd_tmp_t; -files_tmp_file(ntpd_tmp_t) - -type ntpd_tmpfs_t; -files_tmpfs_file(ntpd_tmpfs_t) - -type ntpd_var_run_t; -files_pid_file(ntpd_var_run_t) - -type ntpdate_exec_t; -init_system_domain(ntpd_t, ntpdate_exec_t) - -######################################## -# -# Local policy -# - -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; -dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; -allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; -allow ntpd_t self:fifo_file rw_fifo_file_perms; -allow ntpd_t self:shm create_shm_perms; -allow ntpd_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) -manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) - -allow ntpd_t ntp_conf_t:file read_file_perms; - -read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) -read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) - -allow ntpd_t ntpd_log_t:dir setattr_dir_perms; -append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) -create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) -setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) -logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) - -manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir }) - -manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) -manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) -fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) - -manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) -files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) - -can_exec(ntpd_t, ntpd_exec_t) - -kernel_read_kernel_sysctls(ntpd_t) -kernel_read_system_state(ntpd_t) -kernel_read_network_state(ntpd_t) -kernel_request_load_module(ntpd_t) - -corenet_all_recvfrom_unlabeled(ntpd_t) -corenet_all_recvfrom_netlabel(ntpd_t) -corenet_tcp_sendrecv_generic_if(ntpd_t) -corenet_udp_sendrecv_generic_if(ntpd_t) -corenet_tcp_sendrecv_generic_node(ntpd_t) -corenet_udp_sendrecv_generic_node(ntpd_t) -corenet_udp_bind_generic_node(ntpd_t) - -corenet_sendrecv_ntp_server_packets(ntpd_t) -corenet_udp_bind_ntp_port(ntpd_t) -corenet_udp_sendrecv_ntp_port(ntpd_t) - -corenet_sendrecv_ntp_client_packets(ntpd_t) -corenet_tcp_connect_ntp_port(ntpd_t) -corenet_tcp_sendrecv_ntp_port(ntpd_t) - -corecmd_exec_bin(ntpd_t) -corecmd_exec_shell(ntpd_t) - -dev_read_sysfs(ntpd_t) -dev_read_urand(ntpd_t) -dev_rw_realtime_clock(ntpd_t) - -domain_use_interactive_fds(ntpd_t) -domain_dontaudit_list_all_domains_state(ntpd_t) - -files_read_etc_runtime_files(ntpd_t) -files_read_usr_files(ntpd_t) -files_list_var_lib(ntpd_t) - -fs_getattr_all_fs(ntpd_t) -fs_search_auto_mountpoints(ntpd_t) - -term_use_ptmx(ntpd_t) - -auth_use_nsswitch(ntpd_t) - -init_exec_script_files(ntpd_t) - -logging_send_syslog_msg(ntpd_t) - -miscfiles_read_localization(ntpd_t) - -userdom_dontaudit_use_unpriv_user_fds(ntpd_t) -userdom_list_user_home_dirs(ntpd_t) - -optional_policy(` - cron_system_entry(ntpd_t, ntpdate_exec_t) -') - -optional_policy(` - gpsd_rw_shm(ntpd_t) -') - -optional_policy(` - firstboot_dontaudit_use_fds(ntpd_t) - firstboot_dontaudit_rw_pipes(ntpd_t) - firstboot_dontaudit_rw_stream_sockets(ntpd_t) -') - -optional_policy(` - hal_dontaudit_write_log(ntpd_t) -') - -optional_policy(` - logrotate_exec(ntpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(ntpd_t) -') - -optional_policy(` - udev_read_db(ntpd_t) -') diff --git a/policy/modules/contrib/numad.fc b/policy/modules/contrib/numad.fc deleted file mode 100644 index 3488bb0d..00000000 --- a/policy/modules/contrib/numad.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0) - -/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0) - -/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0) - -/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) diff --git a/policy/modules/contrib/numad.if b/policy/modules/contrib/numad.if deleted file mode 100644 index 0d3c270b..00000000 --- a/policy/modules/contrib/numad.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Non-Uniform Memory Alignment Daemon.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an numad environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`numad_admin',` - gen_require(` - type numad_t, numad_initrc_exec_t, numad_log_t; - type numad_var_run_t; - ') - - allow $1 numad_t:process { ptrace signal_perms }; - ps_process_pattern($1, numad_t) - - init_labeled_script_domtrans($1, numad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 numad_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, numad_log_t) - - files_search_pids($1) - admin_pattern($1, numad_var_run_t) -') diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te deleted file mode 100644 index f5d145d0..00000000 --- a/policy/modules/contrib/numad.te +++ /dev/null @@ -1,44 +0,0 @@ -policy_module(numad, 1.0.3) - -######################################## -# -# Declarations -# - -type numad_t; -type numad_exec_t; -init_daemon_domain(numad_t, numad_exec_t) -application_executable_file(numad_exec_t) - -type numad_initrc_exec_t; -init_script_file(numad_initrc_exec_t) - -type numad_log_t; -logging_log_file(numad_log_t) - -type numad_var_run_t; -files_pid_file(numad_var_run_t) - -######################################## -# -# Local policy -# - -allow numad_t self:fifo_file rw_fifo_file_perms; -allow numad_t self:msg { send receive }; -allow numad_t self:msgq create_msgq_perms; -allow numad_t self:unix_stream_socket create_stream_socket_perms; - -allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(numad_t, numad_log_t, file) - -manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) -files_pid_filetrans(numad_t, numad_var_run_t, file) - -kernel_read_system_state(numad_t) - -dev_read_sysfs(numad_t) - -files_read_etc_files(numad_t) - -miscfiles_read_localization(numad_t) diff --git a/policy/modules/contrib/nut.fc b/policy/modules/contrib/nut.fc deleted file mode 100644 index 379af962..00000000 --- a/policy/modules/contrib/nut.fc +++ /dev/null @@ -1,23 +0,0 @@ -/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) -/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) - -/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0) - -/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) -/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) -/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) - -/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) - -/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) -/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) -/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) - -/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) - -/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if deleted file mode 100644 index 57c0161e..00000000 --- a/policy/modules/contrib/nut.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Network UPS Tools </summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an nut environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`nut_admin',` - gen_require(` - attribute nut_domain; - type nut_initrc_exec_t, nut_var_run_t, nut_conf_t; - ') - - allow $1 nut_domain:process { ptrace signal_perms }; - ps_process_pattern($1, nut_domain_t) - - init_labeled_script_domtrans($1, nut_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nut_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, nut_conf_t) - - files_search_pids($1) - admin_pattern($1, nut_var_run_t) -') diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te deleted file mode 100644 index 0c9deb70..00000000 --- a/policy/modules/contrib/nut.te +++ /dev/null @@ -1,160 +0,0 @@ -policy_module(nut, 1.2.4) - -######################################## -# -# Declarations -# - -attribute nut_domain; - -type nut_conf_t; -files_config_file(nut_conf_t) - -type nut_upsd_t, nut_domain; -type nut_upsd_exec_t; -init_daemon_domain(nut_upsd_t, nut_upsd_exec_t) - -type nut_upsmon_t, nut_domain; -type nut_upsmon_exec_t; -init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t) - -type nut_upsdrvctl_t, nut_domain; -type nut_upsdrvctl_exec_t; -init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) - -type nut_initrc_exec_t; -init_script_file(nut_initrc_exec_t) - -type nut_var_run_t; -files_pid_file(nut_var_run_t) -init_daemon_run_dir(nut_var_run_t, "nut") - -######################################## -# -# Common nut domain local policy -# - -allow nut_domain self:capability { setgid setuid dac_override kill }; -allow nut_domain self:process signal_perms; -allow nut_domain self:fifo_file rw_fifo_file_perms; -allow nut_domain self:unix_dgram_socket sendto; - -allow nut_domain nut_conf_t:dir list_dir_perms; -allow nut_domain nut_conf_t:file read_file_perms; -allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms; - -manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) -manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_domain, nut_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(nut_domain) - -logging_send_syslog_msg(nut_domain) - -miscfiles_read_localization(nut_domain) - -######################################## -# -# Upsd local policy -# - -allow nut_upsd_t self:tcp_socket { accept listen }; - -manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file) - -stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t) - -corenet_all_recvfrom_unlabeled(nut_upsd_t) -corenet_all_recvfrom_netlabel(nut_upsd_t) -corenet_tcp_sendrecv_generic_if(nut_upsd_t) -corenet_tcp_sendrecv_generic_node(nut_upsd_t) -corenet_tcp_sendrecv_all_ports(nut_upsd_t) -corenet_tcp_bind_generic_node(nut_upsd_t) - -corenet_sendrecv_ups_server_packets(nut_upsd_t) -corenet_tcp_bind_ups_port(nut_upsd_t) - -corenet_sendrecv_generic_server_packets(nut_upsd_t) -corenet_tcp_bind_generic_port(nut_upsd_t) - -files_read_usr_files(nut_upsd_t) - -auth_use_nsswitch(nut_upsd_t) - -######################################## -# -# Upsmon local policy -# - -allow nut_upsmon_t self:capability dac_read_search; -allow nut_upsmon_t self:unix_stream_socket connectto; - -kernel_read_system_state(nut_upsmon_t) - -corecmd_exec_bin(nut_upsmon_t) -corecmd_exec_shell(nut_upsmon_t) - -corenet_all_recvfrom_unlabeled(nut_upsmon_t) -corenet_all_recvfrom_netlabel(nut_upsmon_t) -corenet_tcp_sendrecv_generic_if(nut_upsmon_t) -corenet_tcp_sendrecv_generic_node(nut_upsmon_t) -corenet_tcp_sendrecv_all_ports(nut_upsmon_t) -corenet_tcp_bind_generic_node(nut_upsmon_t) - -corenet_sendrecv_ups_client_packets(nut_upsmon_t) -corenet_tcp_connect_ups_port(nut_upsmon_t) - -corenet_sendrecv_generic_client_packets(nut_upsmon_t) -corenet_tcp_connect_generic_port(nut_upsmon_t) - -files_manage_etc_runtime_files(nut_upsmon_t) -files_etc_filetrans_etc_runtime(nut_upsmon_t, file) -files_search_usr(nut_upsmon_t) - -term_write_all_terms(nut_upsmon_t) - -auth_use_nsswitch(nut_upsmon_t) - -mta_send_mail(nut_upsmon_t) - -optional_policy(` - shutdown_domtrans(nut_upsmon_t) -') - -######################################## -# -# Upsdrvctl local policy -# - -allow nut_upsdrvctl_t self:fd use; - -manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file) - -corecmd_exec_bin(nut_upsdrvctl_t) - -dev_read_sysfs(nut_upsdrvctl_t) -dev_read_urand(nut_upsdrvctl_t) -dev_rw_generic_usb_dev(nut_upsdrvctl_t) - -term_use_unallocated_ttys(nut_upsdrvctl_t) - -auth_use_nsswitch(nut_upsdrvctl_t) - -init_sigchld(nut_upsdrvctl_t) - -####################################### -# -# Cgi local policy -# - -optional_policy(` - apache_content_template(nutups_cgi) - - allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms; - allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms; - allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms; - - sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) -') diff --git a/policy/modules/contrib/nx.fc b/policy/modules/contrib/nx.fc deleted file mode 100644 index 73b84d80..00000000 --- a/policy/modules/contrib/nx.fc +++ /dev/null @@ -1,13 +0,0 @@ -/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) -/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) -/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0) - -/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) - -/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) -/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) - -/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) -/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) diff --git a/policy/modules/contrib/nx.if b/policy/modules/contrib/nx.if deleted file mode 100644 index 251d6816..00000000 --- a/policy/modules/contrib/nx.if +++ /dev/null @@ -1,92 +0,0 @@ -## <summary>NX remote desktop.</summary> - -######################################## -## <summary> -## Transition to nx server. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`nx_spec_domtrans_server',` - gen_require(` - type nx_server_t, nx_server_exec_t; - ') - - corecmd_search_bin($1) - spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) -') - -######################################## -## <summary> -## Read nx home directory content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nx_read_home_files',` - gen_require(` - type nx_server_home_ssh_t, nx_server_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t) -') - -######################################## -## <summary> -## Search nx lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`nx_search_var_lib',` - gen_require(` - type nx_server_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 nx_server_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create specified objects in nx lib -## directories with a private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private type"> -## <summary> -## The type of the object to be created. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`nx_var_lib_filetrans',` - gen_require(` - type nx_server_var_lib_t; - ') - - filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4) -') diff --git a/policy/modules/contrib/nx.te b/policy/modules/contrib/nx.te deleted file mode 100644 index b1832ca5..00000000 --- a/policy/modules/contrib/nx.te +++ /dev/null @@ -1,80 +0,0 @@ -policy_module(nx, 1.6.1) - -######################################## -# -# Declarations -# - -type nx_server_t; -type nx_server_exec_t; -domain_type(nx_server_t) -domain_entry_file(nx_server_t, nx_server_exec_t) -domain_user_exemption_target(nx_server_t) - -role nx_server_r; -role nx_server_r types nx_server_t; -allow system_r nx_server_r; - -type nx_server_devpts_t; -term_user_pty(nx_server_t, nx_server_devpts_t) - -type nx_server_tmp_t; -files_tmp_file(nx_server_tmp_t) - -type nx_server_var_lib_t; -files_type(nx_server_var_lib_t) - -type nx_server_var_run_t; -files_pid_file(nx_server_var_run_t) - -######################################## -# -# Local policy -# - -allow nx_server_t self:fifo_file rw_fifo_file_perms; -allow nx_server_t self:tcp_socket create_socket_perms; -allow nx_server_t self:udp_socket create_socket_perms; - -allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -term_create_pty(nx_server_t, nx_server_devpts_t) - -manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) -manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) -files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir }) - -manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) -manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) -files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) - -manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) -files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) - -kernel_read_system_state(nx_server_t) -kernel_read_kernel_sysctls(nx_server_t) - -corecmd_exec_shell(nx_server_t) -corecmd_exec_bin(nx_server_t) - -corenet_all_recvfrom_unlabeled(nx_server_t) -corenet_all_recvfrom_netlabel(nx_server_t) -corenet_tcp_sendrecv_generic_if(nx_server_t) -corenet_tcp_sendrecv_generic_node(nx_server_t) -corenet_tcp_sendrecv_all_ports(nx_server_t) - -corenet_tcp_connect_all_ports(nx_server_t) -corenet_sendrecv_all_client_packets(nx_server_t) - -dev_read_urand(nx_server_t) - -files_read_etc_files(nx_server_t) -files_read_etc_runtime_files(nx_server_t) -files_read_usr_files(nx_server_t) - -miscfiles_read_localization(nx_server_t) - -seutil_dontaudit_search_config(nx_server_t) - -sysnet_read_config(nx_server_t) - -ssh_basic_client_template(nx_server, nx_server_t, nx_server_r) diff --git a/policy/modules/contrib/oav.fc b/policy/modules/contrib/oav.fc deleted file mode 100644 index 2448426e..00000000 --- a/policy/modules/contrib/oav.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0) -/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0) - -/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0) -/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0) - -/var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0) -/var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0) -/var/log/scannerdaemon\.log.* -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) diff --git a/policy/modules/contrib/oav.if b/policy/modules/contrib/oav.if deleted file mode 100644 index b096e3fb..00000000 --- a/policy/modules/contrib/oav.if +++ /dev/null @@ -1,47 +0,0 @@ -## <summary>Open AntiVirus scannerdaemon and signature update.</summary> - -######################################## -## <summary> -## Execute oav_update in the oav_update domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`oav_domtrans_update',` - gen_require(` - type oav_update_t, oav_update_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, oav_update_exec_t, oav_update_t) -') - -######################################## -## <summary> -## Execute oav_update in the oav update -## domain, and allow the specified role -## the oav_update domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`oav_run_update',` - gen_require(` - attribute_role oav_update_roles; - ') - - oav_domtrans_update($1) - roleattribute $2 oav_update_roles; -') diff --git a/policy/modules/contrib/oav.te b/policy/modules/contrib/oav.te deleted file mode 100644 index 75fdf582..00000000 --- a/policy/modules/contrib/oav.te +++ /dev/null @@ -1,125 +0,0 @@ -policy_module(oav, 1.9.1) - -######################################## -# -# Declarations -# - -attribute_role oav_update_roles; - -type oav_update_t; -type oav_update_exec_t; -application_domain(oav_update_t, oav_update_exec_t) -role oav_update_roles types oav_update_t; - -type oav_update_etc_t; -files_config_file(oav_update_etc_t) - -type oav_update_var_lib_t; -files_type(oav_update_var_lib_t) - -type scannerdaemon_t; -type scannerdaemon_exec_t; -init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t) - -type scannerdaemon_etc_t; -files_config_file(scannerdaemon_etc_t) - -type scannerdaemon_log_t; -logging_log_file(scannerdaemon_log_t) - -type scannerdaemon_var_run_t; -files_pid_file(scannerdaemon_var_run_t) - -######################################## -# -# Update local policy -# - -allow oav_update_t self:tcp_socket create_stream_socket_perms; -allow oav_update_t self:udp_socket create_socket_perms; - -allow oav_update_t oav_update_etc_t:dir list_dir_perms; -allow oav_update_t oav_update_etc_t:file read_file_perms; - -manage_dirs_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) -manage_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) -read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) - -corecmd_exec_all_executables(oav_update_t) - -files_exec_etc_files(oav_update_t) - -libs_exec_ld_so(oav_update_t) -libs_exec_lib_files(oav_update_t) - -logging_send_syslog_msg(oav_update_t) - -sysnet_read_config(oav_update_t) - -userdom_use_user_terminals(oav_update_t) - -optional_policy(` - cron_system_entry(oav_update_t, oav_update_exec_t) -') - -######################################## -# -# Scannerdaemon local policy -# - -dontaudit scannerdaemon_t self:capability sys_tty_config; -allow scannerdaemon_t self:process signal_perms; -allow scannerdaemon_t self:fifo_file rw_fifo_file_perms; -allow scannerdaemon_t self:tcp_socket create_stream_socket_perms; -allow scannerdaemon_t self:udp_socket create_socket_perms; - -allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms; -allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms; - -allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms; - -allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms; -logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file) - -manage_files_pattern(scannerdaemon_t, scannerdaemon_var_run_t, scannerdaemon_var_run_t) -files_pid_filetrans(scannerdaemon_t, scannerdaemon_var_run_t, file) - -kernel_read_system_state(scannerdaemon_t) -kernel_read_kernel_sysctls(scannerdaemon_t) - -corecmd_exec_all_executables(scannerdaemon_t) - -dev_read_sysfs(scannerdaemon_t) - -domain_use_interactive_fds(scannerdaemon_t) - -files_exec_etc_files(scannerdaemon_t) -files_read_etc_files(scannerdaemon_t) -files_read_etc_runtime_files(scannerdaemon_t) -files_search_var_lib(scannerdaemon_t) - -fs_getattr_all_fs(scannerdaemon_t) -fs_search_auto_mountpoints(scannerdaemon_t) - -auth_dontaudit_read_shadow(scannerdaemon_t) - -libs_exec_ld_so(scannerdaemon_t) -libs_exec_lib_files(scannerdaemon_t) - -logging_send_syslog_msg(scannerdaemon_t) - -miscfiles_read_localization(scannerdaemon_t) - -sysnet_read_config(scannerdaemon_t) - -userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t) -userdom_dontaudit_search_user_home_dirs(scannerdaemon_t) - -optional_policy(` - seutil_sigchld_newrole(scannerdaemon_t) -') - -optional_policy(` - udev_read_db(scannerdaemon_t) -') diff --git a/policy/modules/contrib/obex.fc b/policy/modules/contrib/obex.fc deleted file mode 100644 index 03fa5604..00000000 --- a/policy/modules/contrib/obex.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) diff --git a/policy/modules/contrib/obex.if b/policy/modules/contrib/obex.if deleted file mode 100644 index 8635ea20..00000000 --- a/policy/modules/contrib/obex.if +++ /dev/null @@ -1,88 +0,0 @@ -## <summary>D-Bus service providing high-level OBEX client and server side functionality.</summary> - -####################################### -## <summary> -## The role template for obex. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## </summary> -## </param> -## <param name="user_role"> -## <summary> -## The role associated with the user domain. -## </summary> -## </param> -## <param name="user_domain"> -## <summary> -## The type of the user domain. -## </summary> -## </param> -# -template(`obex_role_template',` - gen_require(` - attribute_role obex_roles; - type obex_t, obex_exec_exec_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $2 obex_roles; - - ######################################## - # - # Policy - # - - allow $3 obex_t:process { ptrace signal_perms }; - ps_process_pattern($3, obex_t) - - dbus_spec_session_domain($1, obex_exec_t, obex_t) - - obex_dbus_chat($3) -') - -######################################## -## <summary> -## Execute obex in the obex domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`obex_domtrans',` - gen_require(` - type obex_t, obex_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, obex_exec_t, obex_t) -') - -######################################## -## <summary> -## Send and receive messages from -## obex over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`obex_dbus_chat',` - gen_require(` - type obex_t; - class dbus send_msg; - ') - - allow $1 obex_t:dbus send_msg; - allow obex_t $1:dbus send_msg; -') diff --git a/policy/modules/contrib/obex.te b/policy/modules/contrib/obex.te deleted file mode 100644 index cd29ea89..00000000 --- a/policy/modules/contrib/obex.te +++ /dev/null @@ -1,43 +0,0 @@ -policy_module(obex, 1.0.0) - -######################################## -# -# Declarations -# - -attribute_role obex_roles; - -type obex_t; -type obex_exec_t; -userdom_user_application_domain(obex_t, obex_exec_t) -role obex_roles types obex_t; - -######################################## -# -# Local policy -# - -allow obex_t self:fifo_file rw_fifo_file_perms; -allow obex_t self:socket create_stream_socket_perms; - -dev_read_urand(obex_t) - -files_read_etc_files(obex_t) - -logging_send_syslog_msg(obex_t) - -miscfiles_read_localization(obex_t) - -userdom_search_user_home_content(obex_t) - -optional_policy(` - bluetooth_stream_connect(obex_t) -') - -optional_policy(` - dbus_system_bus_client(obex_t) - - optional_policy(` - bluetooth_dbus_chat(obex_t) - ') -') diff --git a/policy/modules/contrib/oddjob.fc b/policy/modules/contrib/oddjob.fc deleted file mode 100644 index dd1d9ef5..00000000 --- a/policy/modules/contrib/oddjob.fc +++ /dev/null @@ -1,10 +0,0 @@ -/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - -/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - -/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/policy/modules/contrib/oddjob.if b/policy/modules/contrib/oddjob.if deleted file mode 100644 index c87bd2a3..00000000 --- a/policy/modules/contrib/oddjob.if +++ /dev/null @@ -1,150 +0,0 @@ -## <summary>D-BUS service which runs odd jobs on behalf of client applications.</summary> - -######################################## -## <summary> -## Execute a domain transition to run oddjob. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`oddjob_domtrans',` - gen_require(` - type oddjob_t, oddjob_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, oddjob_exec_t, oddjob_t) -') - -######################################## -## <summary> -## Make the specified program domain -## accessable from the oddjob. -## </summary> -## <param name="domain"> -## <summary> -## The type of the process to transition to. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## The type of the file used as an entrypoint to this domain. -## </summary> -## </param> -# -interface(`oddjob_system_entry',` - gen_require(` - type oddjob_t; - ') - - domtrans_pattern(oddjob_t, $2, $1) -') - -######################################## -## <summary> -## Send and receive messages from -## oddjob over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`oddjob_dbus_chat',` - gen_require(` - type oddjob_t; - class dbus send_msg; - ') - - allow $1 oddjob_t:dbus send_msg; - allow oddjob_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Execute a domain transition to -## run oddjob mkhomedir. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`oddjob_domtrans_mkhomedir',` - gen_require(` - type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) -') - -######################################## -## <summary> -## Execute oddjob mkhomedir in the -## oddjob mkhomedir domain and allow -## the specified role the oddjob -## mkhomedir domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`oddjob_run_mkhomedir',` - gen_require(` - attribute_role oddjob_mkhomedir_roles; - ') - - oddjob_domtrans_mkhomedir($1) - roleattribute $2 oddjob_mkhomedir_roles; -') - -##################################### -## <summary> -## Do not audit attempts to read and write -## oddjob fifo files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`oddjob_dontaudit_rw_fifo_files',` - gen_require(` - type oddjob_t; - ') - - dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; -') - -###################################### -## <summary> -## Send child terminated signals to oddjob. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`oddjob_sigchld',` - gen_require(` - type oddjob_t; - ') - - allow $1 oddjob_t:process sigchld; -') diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te deleted file mode 100644 index 296a1d3c..00000000 --- a/policy/modules/contrib/oddjob.te +++ /dev/null @@ -1,105 +0,0 @@ -policy_module(oddjob, 1.9.2) - -######################################## -# -# Declarations -# - -attribute_role oddjob_mkhomedir_roles; - -type oddjob_t; -type oddjob_exec_t; -domain_type(oddjob_t) -init_daemon_domain(oddjob_t, oddjob_exec_t) -domain_obj_id_change_exemption(oddjob_t) -domain_role_change_exemption(oddjob_t) -domain_subj_id_change_exemption(oddjob_t) - -type oddjob_mkhomedir_t; -type oddjob_mkhomedir_exec_t; -domain_type(oddjob_mkhomedir_t) -domain_obj_id_change_exemption(oddjob_mkhomedir_t) -init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -role oddjob_mkhomedir_roles types oddjob_mkhomedir_t; - -type oddjob_var_run_t; -files_pid_file(oddjob_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# Local policy -# - -allow oddjob_t self:capability setgid; -allow oddjob_t self:process { setexec signal }; -allow oddjob_t self:fifo_file rw_fifo_file_perms; -allow oddjob_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) -manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) -files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file }) - -domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) - -kernel_read_system_state(oddjob_t) - -corecmd_exec_bin(oddjob_t) -corecmd_exec_shell(oddjob_t) - -mcs_process_set_categories(oddjob_t) - -selinux_compute_create_context(oddjob_t) - -auth_use_nsswitch(oddjob_t) - -miscfiles_read_localization(oddjob_t) - -locallogin_dontaudit_use_fds(oddjob_t) - -optional_policy(` - dbus_system_bus_client(oddjob_t) - dbus_connect_system_bus(oddjob_t) -') - -optional_policy(` - unconfined_domtrans(oddjob_t) -') - -######################################## -# -# Mkhomedir local policy -# - -allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; -allow oddjob_mkhomedir_t self:process setfscreate; -allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; -allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen }; - -kernel_read_system_state(oddjob_mkhomedir_t) - -auth_use_nsswitch(oddjob_mkhomedir_t) - -logging_send_syslog_msg(oddjob_mkhomedir_t) - -miscfiles_read_localization(oddjob_mkhomedir_t) - -selinux_get_fs_mount(oddjob_mkhomedir_t) -selinux_validate_context(oddjob_mkhomedir_t) -selinux_compute_access_vector(oddjob_mkhomedir_t) -selinux_compute_create_context(oddjob_mkhomedir_t) -selinux_compute_relabel_context(oddjob_mkhomedir_t) -selinux_compute_user_contexts(oddjob_mkhomedir_t) - -seutil_read_config(oddjob_mkhomedir_t) -seutil_read_file_contexts(oddjob_mkhomedir_t) -seutil_read_default_contexts(oddjob_mkhomedir_t) - -userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) -userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -userdom_manage_user_home_content_files(oddjob_mkhomedir_t) -userdom_manage_user_home_dirs(oddjob_mkhomedir_t) -userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set) diff --git a/policy/modules/contrib/oident.fc b/policy/modules/contrib/oident.fc deleted file mode 100644 index df3b9758..00000000 --- a/policy/modules/contrib/oident.fc +++ /dev/null @@ -1,8 +0,0 @@ -HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_home_t,s0) - -/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t,s0) -/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t,s0) - -/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t,s0) - -/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0) diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if deleted file mode 100644 index 513f452c..00000000 --- a/policy/modules/contrib/oident.if +++ /dev/null @@ -1,141 +0,0 @@ -## <summary>An ident daemon with IP masq/NAT support and the ability to specify responses.</summary> - -######################################## -## <summary> -## Role access for oident. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`oident_role',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Read oidentd user home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`oident_read_user_content', ` - gen_require(` - type oidentd_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 oidentd_home_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## oidentd user home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`oident_manage_user_content', ` - gen_require(` - type oidentd_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 oidentd_home_t:file manage_file_perms; -') - -######################################## -## <summary> -## Relabel oidentd user home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`oident_relabel_user_content', ` - gen_require(` - type oidentd_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 oidentd_home_t:file relabel_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the oidentd home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`oident_home_filetrans_oidentd_home',` - gen_require(` - type oidentd_home_t; - ') - - userdom_user_home_dir_filetrans($1, oidentd_home_t, $2, $3) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an oident environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`oident_admin',` - gen_require(` - type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t; - ') - - allow $1 oidentd_t:process { ptrace signal_perms }; - ps_process_pattern($1, oidentd_t) - - init_labeled_script_domtrans($1, oidentd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 oidentd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, oidentd_config_t) -') diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te deleted file mode 100644 index cd22d872..00000000 --- a/policy/modules/contrib/oident.te +++ /dev/null @@ -1,71 +0,0 @@ -policy_module(oident, 2.2.1) - -######################################## -# -# Declarations -# - -type oidentd_t; -type oidentd_exec_t; -init_daemon_domain(oidentd_t, oidentd_exec_t) - -type oidentd_home_t; -typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t }; -typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t }; -userdom_user_home_content(oidentd_home_t) - -type oidentd_initrc_exec_t; -init_script_file(oidentd_initrc_exec_t) - -type oidentd_config_t; -files_config_file(oidentd_config_t) - -######################################## -# -# Local policy -# - -allow oidentd_t self:capability { setuid setgid }; -allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow oidentd_t self:tcp_socket { accept listen }; - -allow oidentd_t oidentd_config_t:file read_file_perms; - -allow oidentd_t oidentd_home_t:file read_file_perms; - -kernel_read_kernel_sysctls(oidentd_t) -kernel_read_network_state(oidentd_t) -kernel_read_network_state_symlinks(oidentd_t) -kernel_read_sysctl(oidentd_t) -kernel_request_load_module(oidentd_t) - -corenet_all_recvfrom_unlabeled(oidentd_t) -corenet_all_recvfrom_netlabel(oidentd_t) -corenet_tcp_sendrecv_generic_if(oidentd_t) -corenet_tcp_sendrecv_generic_node(oidentd_t) -corenet_tcp_bind_generic_node(oidentd_t) - -corenet_sendrecv_auth_server_packets(oidentd_t) -corenet_tcp_bind_auth_port(oidentd_t) -corenet_tcp_sendrecv_auth_port(oidentd_t) - -fs_getattr_all_fs(oidentd_t) -fs_search_auto_mountpoints(oidentd_t) - -auth_use_nsswitch(oidentd_t) - -logging_send_syslog_msg(oidentd_t) - -miscfiles_read_localization(oidentd_t) - -userdom_search_user_home_dirs(oidentd_t) - -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(oidentd_t) - fs_read_cifs_files(oidentd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(oidentd_t) - fs_read_nfs_files(oidentd_t) -') diff --git a/policy/modules/contrib/openca.fc b/policy/modules/contrib/openca.fc deleted file mode 100644 index 2e485b91..00000000 --- a/policy/modules/contrib/openca.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/openca(/.*)? gen_context(system_u:object_r:openca_etc_t,s0) -/etc/openca/.*\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0) -/etc/openca/rbac(/.*)? gen_context(system_u:object_r:openca_etc_writeable_t,s0) - -/usr/share/openca(/.*)? gen_context(system_u:object_r:openca_usr_share_t,s0) -/usr/share/openca/cgi-bin/ca/.+ -- gen_context(system_u:object_r:openca_ca_exec_t,s0) - -/var/lib/openca(/.*)? gen_context(system_u:object_r:openca_var_lib_t,s0) -/var/lib/openca/crypto/keys(/.*)? gen_context(system_u:object_r:openca_var_lib_keys_t,s0) diff --git a/policy/modules/contrib/openca.if b/policy/modules/contrib/openca.if deleted file mode 100644 index e20879ef..00000000 --- a/policy/modules/contrib/openca.if +++ /dev/null @@ -1,76 +0,0 @@ -## <summary>Open Certificate Authority.</summary> - -######################################## -## <summary> -## Execute the openca with -## a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`openca_domtrans',` - gen_require(` - type openca_ca_t, openca_ca_exec_t, openca_usr_share_t; - ') - - files_search_usr($1) - allow $1 openca_usr_share_t:dir search_dir_perms; - domtrans_pattern($1, openca_ca_exec_t, openca_ca_t) -') - -######################################## -## <summary> -## Send generic signals to openca. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openca_signal',` - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process signal; -') - -######################################## -## <summary> -## Send stop signals to openca. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openca_sigstop',` - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process sigstop; -') - -######################################## -## <summary> -## Send kill signals to openca. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openca_kill',` - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process sigkill; -') diff --git a/policy/modules/contrib/openca.te b/policy/modules/contrib/openca.te deleted file mode 100644 index d808ab07..00000000 --- a/policy/modules/contrib/openca.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(openca, 1.2.1) - -######################################## -# -# Declarations -# - -type openca_ca_t; -type openca_ca_exec_t; -domain_type(openca_ca_t) -domain_entry_file(openca_ca_t, openca_ca_exec_t) -role system_r types openca_ca_t; - -type openca_etc_t; -files_config_file(openca_etc_t) - -type openca_etc_in_t; -files_type(openca_etc_in_t) - -type openca_etc_writeable_t; -files_type(openca_etc_writeable_t) - -type openca_usr_share_t; -files_type(openca_usr_share_t) - -type openca_var_lib_t; -files_type(openca_var_lib_t) - -type openca_var_lib_keys_t; -files_type(openca_var_lib_keys_t) - -######################################## -# -# Local policy -# - -allow openca_ca_t openca_etc_t:dir list_dir_perms; -allow openca_ca_t openca_etc_t:file read_file_perms; -allow openca_ca_t openca_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t) -manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t) - -manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t) -manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t) - -manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t) -manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t) - -allow openca_ca_t openca_usr_share_t:dir list_dir_perms; -allow openca_ca_t openca_usr_share_t:file read_file_perms; -allow openca_ca_t openca_usr_share_t:lnk_file read_lnk_file_perms; - -corecmd_exec_bin(openca_ca_t) - -dev_read_rand(openca_ca_t) - -files_list_default(openca_ca_t) - -init_use_fds(openca_ca_t) -init_use_script_fds(openca_ca_t) - -libs_exec_lib_files(openca_ca_t) - -apache_append_log(openca_ca_t) -apache_rw_cache_files(openca_ca_t) diff --git a/policy/modules/contrib/openct.fc b/policy/modules/contrib/openct.fc deleted file mode 100644 index 9af56197..00000000 --- a/policy/modules/contrib/openct.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/openct -- gen_context(system_u:object_r:openct_initrc_exec_t,s0) - -/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0) -/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0) - -/var/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0) diff --git a/policy/modules/contrib/openct.if b/policy/modules/contrib/openct.if deleted file mode 100644 index a55238b0..00000000 --- a/policy/modules/contrib/openct.if +++ /dev/null @@ -1,130 +0,0 @@ -## <summary>Service for handling smart card readers.</summary> - -######################################## -## <summary> -## Send null signals to openct. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openct_signull',` - gen_require(` - type openct_t; - ') - - allow $1 openct_t:process signull; -') - -######################################## -## <summary> -## Execute openct in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openct_exec',` - gen_require(` - type openct_t, openct_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, openct_exec_t) -') - -######################################## -## <summary> -## Execute a domain transition to run openct. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`openct_domtrans',` - gen_require(` - type openct_t, openct_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, openct_exec_t, openct_t) -') - -######################################## -## <summary> -## Read openct pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openct_read_pid_files',` - gen_require(` - type openct_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, openct_var_run_t, openct_var_run_t) -') - -######################################## -## <summary> -## Connect to openct over an unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openct_stream_connect',` - gen_require(` - type openct_t, openct_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an openct environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`openct_admin',` - gen_require(` - type openct_t, openct_initrc_exec_t, openct_var_run_t; - ') - - allow $1 openct_t:process { ptrace signal_perms }; - ps_process_pattern($1, openct_t) - - init_labeled_script_domtrans($1, openct_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 openct_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, openct_var_run_t) -') diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te deleted file mode 100644 index 84675960..00000000 --- a/policy/modules/contrib/openct.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(openct, 1.5.1) - -######################################## -# -# Declarations -# - -type openct_t; -type openct_exec_t; -init_daemon_domain(openct_t, openct_exec_t) - -type openct_initrc_exec_t; -init_script_file(openct_initrc_exec_t) - -type openct_var_run_t; -files_pid_file(openct_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit openct_t self:capability sys_tty_config; -allow openct_t self:process signal_perms; - -manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) -manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) -manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) -files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) - -can_exec(openct_t, openct_exec_t) - -kernel_read_kernel_sysctls(openct_t) -kernel_list_proc(openct_t) -kernel_read_proc_symlinks(openct_t) - -dev_read_sysfs(openct_t) -dev_rw_usbfs(openct_t) -dev_rw_smartcard(openct_t) -dev_rw_generic_usb_dev(openct_t) - -domain_use_interactive_fds(openct_t) - -files_read_etc_files(openct_t) - -fs_getattr_all_fs(openct_t) -fs_search_auto_mountpoints(openct_t) - -logging_send_syslog_msg(openct_t) - -miscfiles_read_localization(openct_t) - -userdom_dontaudit_use_unpriv_user_fds(openct_t) -userdom_dontaudit_search_user_home_dirs(openct_t) - -optional_policy(` - pcscd_stream_connect(openct_t) -') - -optional_policy(` - seutil_sigchld_newrole(openct_t) -') - -optional_policy(` - udev_read_db(openct_t) -') diff --git a/policy/modules/contrib/openhpi.fc b/policy/modules/contrib/openhpi.fc deleted file mode 100644 index 727b47e7..00000000 --- a/policy/modules/contrib/openhpi.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0) - -/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0) - -/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0) - -/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0) diff --git a/policy/modules/contrib/openhpi.if b/policy/modules/contrib/openhpi.if deleted file mode 100644 index 3c869585..00000000 --- a/policy/modules/contrib/openhpi.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Open source implementation of the Service Availability Forum Hardware Platform Interface.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an openhpi environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`openhpi_admin',` - gen_require(` - type openhpid_t, openhpid_initrc_exec_t, openhpid_var_lib_t; - type openhpid_var_run_t; - ') - - allow $1 openhpid_t:process { ptrace signal_perms }; - ps_process_pattern($1, openhpid_t) - - init_labeled_script_domtrans($1, openhpid_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 openhpid_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, openhpid_var_lib_t) - - files_search_pids($1) - admin_pattern($1, openhpid_var_run_t) -') diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te deleted file mode 100644 index 7f398c04..00000000 --- a/policy/modules/contrib/openhpi.te +++ /dev/null @@ -1,57 +0,0 @@ -policy_module(openhpi, 1.0.1) - -######################################## -# -# Declarations -# - -type openhpid_t; -type openhpid_exec_t; -init_daemon_domain(openhpid_t, openhpid_exec_t) - -type openhpid_initrc_exec_t; -init_script_file(openhpid_initrc_exec_t) - -type openhpid_var_lib_t; -files_type(openhpid_var_lib_t) - -type openhpid_var_run_t; -files_pid_file(openhpid_var_run_t) - -######################################## -# -# Local policy -# - -allow openhpid_t self:capability kill; -allow openhpid_t self:process signal; -allow openhpid_t self:fifo_file rw_fifo_file_perms; -allow openhpid_t self:netlink_route_socket r_netlink_socket_perms; -allow openhpid_t self:unix_stream_socket { accept listen }; -allow openhpid_t self:tcp_socket create_stream_socket_perms; -allow openhpid_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t) -manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t) -files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir) - -manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t) -files_pid_filetrans(openhpid_t, openhpid_var_run_t, file) - -corenet_all_recvfrom_unlabeled(openhpid_t) -corenet_all_recvfrom_netlabel(openhpid_t) -corenet_tcp_sendrecv_generic_if(openhpid_t) -corenet_tcp_sendrecv_generic_node(openhpid_t) -corenet_tcp_bind_generic_node(openhpid_t) - -corenet_sendrecv_openhpid_server_packets(openhpid_t) -corenet_tcp_bind_openhpid_port(openhpid_t) -corenet_tcp_sendrecv_openhpid_port(openhpid_t) - -dev_read_urand(openhpid_t) - -files_read_etc_files(openhpid_t) - -logging_send_syslog_msg(openhpid_t) - -miscfiles_read_localization(openhpid_t) diff --git a/policy/modules/contrib/openrc.fc b/policy/modules/contrib/openrc.fc index 25c063fe..11bfd461 100644 --- a/policy/modules/contrib/openrc.fc +++ b/policy/modules/contrib/openrc.fc @@ -1 +1 @@ -/lib/rc/sh/cgroup-release-agent.sh -- gen_context(system_u:object_r:openrc_cgroup_release_exec_t,s0) +/usr/lib/rc/sh/cgroup-release-agent\.sh -- gen_context(system_u:object_r:openrc_cgroup_release_exec_t,s0) diff --git a/policy/modules/contrib/openrc.te b/policy/modules/contrib/openrc.te index 08792395..dace0ada 100644 --- a/policy/modules/contrib/openrc.te +++ b/policy/modules/contrib/openrc.te @@ -13,6 +13,7 @@ role system_r types openrc_cgroup_release_t; # OpenRC cgroup release policy # +allow openrc_cgroup_release_t self:capability dac_override; allow openrc_cgroup_release_t self:unix_stream_socket create_socket_perms; kernel_domtrans_to(openrc_cgroup_release_t, openrc_cgroup_release_exec_t) @@ -23,7 +24,12 @@ corecmd_exec_shell(openrc_cgroup_release_t) # The following two I cannot find out why they are needed, but they are. files_read_etc_files(openrc_cgroup_release_t) -files_search_pids(openrc_cgroup_release_t) +files_search_runtime(openrc_cgroup_release_t) fs_manage_cgroup_dirs(openrc_cgroup_release_t) fs_manage_cgroup_files(openrc_cgroup_release_t) +# /sys/fs/cgroup is by default mounted as tmpfs_t +# Allow search until we can have it mounted correctly (TODO) +fs_search_tmpfs(openrc_cgroup_release_t) + +auth_use_nsswitch(openrc_cgroup_release_t) diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc deleted file mode 100644 index 300213f8..00000000 --- a/policy/modules/contrib/openvpn.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) -/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) - -/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) - -/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) - -/var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0) -/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) - -/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) -/var/run/openvpn\.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if deleted file mode 100644 index a88cccb3..00000000 --- a/policy/modules/contrib/openvpn.if +++ /dev/null @@ -1,174 +0,0 @@ -## <summary>full-featured SSL VPN solution.</summary> - -######################################## -## <summary> -## Execute openvpn clients in the -## openvpn domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`openvpn_domtrans',` - gen_require(` - type openvpn_t, openvpn_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, openvpn_exec_t, openvpn_t) -') - -######################################## -## <summary> -## Execute openvpn clients in the -## openvpn domain, and allow the -## specified role the openvpn domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`openvpn_run',` - gen_require(` - attribute_role openvpn_roles; - ') - - openvpn_domtrans($1) - roleattribute $2 openvpn_roles; -') - -######################################## -## <summary> -## Send kill signals to openvpn. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openvpn_kill',` - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process sigkill; -') - -######################################## -## <summary> -## Send generic signals to openvpn. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openvpn_signal',` - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process signal; -') - -######################################## -## <summary> -## Send null signals to openvpn. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openvpn_signull',` - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process signull; -') - -######################################## -## <summary> -## Read openvpn configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`openvpn_read_config',` - gen_require(` - type openvpn_etc_t; - ') - - files_search_etc($1) - allow $1 openvpn_etc_t:dir list_dir_perms; - allow $1 openvpn_etc_t:file read_file_perms; - allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an openvpn environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`openvpn_admin',` - gen_require(` - type openvpn_t, openvpn_etc_t, openvpn_var_log_t; - type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t; - type openvpn_status_t; - ') - - allow $1 openvpn_t:process { ptrace signal_perms }; - ps_process_pattern($1, openvpn_t) - - init_labeled_script_domtrans($1, openvpn_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 openvpn_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t }) - - logging_list_logs($1) - admin_pattern($1, { openvpn_status_t openvpn_var_log_t }) - - files_list_pids($1) - admin_pattern($1, openvpn_var_run_t) - - ifdef(`distro_gentoo',` - gen_require(` - type openvpn_status_t; - ') - - admin_pattern($1, openvpn_status_t) - ') -') diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te deleted file mode 100644 index 3270ff90..00000000 --- a/policy/modules/contrib/openvpn.te +++ /dev/null @@ -1,157 +0,0 @@ -policy_module(openvpn, 1.11.3) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether openvpn can -## read generic user home content files. -## </p> -## </desc> -gen_tunable(openvpn_enable_homedirs, false) - -attribute_role openvpn_roles; - -type openvpn_t; -type openvpn_exec_t; -init_daemon_domain(openvpn_t, openvpn_exec_t) -role openvpn_roles types openvpn_t; - -type openvpn_etc_t; -files_config_file(openvpn_etc_t) - -type openvpn_etc_rw_t; -files_config_file(openvpn_etc_rw_t) - -type openvpn_initrc_exec_t; -init_script_file(openvpn_initrc_exec_t) - -type openvpn_status_t; -logging_log_file(openvpn_status_t) - -type openvpn_var_log_t; -logging_log_file(openvpn_var_log_t) - -type openvpn_var_run_t; -files_pid_file(openvpn_var_run_t) - -######################################## -# -# Local policy -# - -allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; -allow openvpn_t self:process { signal getsched setsched }; -allow openvpn_t self:fifo_file rw_fifo_file_perms; -allow openvpn_t self:unix_dgram_socket sendto; -allow openvpn_t self:unix_stream_socket { accept connectto listen }; -allow openvpn_t self:tcp_socket server_stream_socket_perms; -allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto }; -allow openvpn_t self:netlink_route_socket nlmsg_write; - -allow openvpn_t openvpn_etc_t:dir list_dir_perms; -allow openvpn_t openvpn_etc_t:file read_file_perms; -allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms; - -manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) -filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) - -allow openvpn_t openvpn_status_t:file manage_file_perms; -logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") - -manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) - -manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) -manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) -files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) - -can_exec(openvpn_t, openvpn_etc_t) - -kernel_read_kernel_sysctls(openvpn_t) -kernel_read_net_sysctls(openvpn_t) -kernel_read_network_state(openvpn_t) -kernel_read_system_state(openvpn_t) -kernel_request_load_module(openvpn_t) - -corecmd_exec_bin(openvpn_t) -corecmd_exec_shell(openvpn_t) - -corenet_all_recvfrom_unlabeled(openvpn_t) -corenet_all_recvfrom_netlabel(openvpn_t) -corenet_tcp_sendrecv_generic_if(openvpn_t) -corenet_udp_sendrecv_generic_if(openvpn_t) -corenet_tcp_sendrecv_generic_node(openvpn_t) -corenet_udp_sendrecv_generic_node(openvpn_t) -corenet_tcp_bind_generic_node(openvpn_t) -corenet_udp_bind_generic_node(openvpn_t) - -corenet_sendrecv_openvpn_server_packets(openvpn_t) -corenet_tcp_bind_openvpn_port(openvpn_t) -corenet_udp_bind_openvpn_port(openvpn_t) -corenet_sendrecv_openvpn_client_packets(openvpn_t) -corenet_tcp_connect_openvpn_port(openvpn_t) -corenet_tcp_sendrecv_openvpn_port(openvpn_t) -corenet_udp_sendrecv_openvpn_port(openvpn_t) - -corenet_sendrecv_http_server_packets(openvpn_t) -corenet_tcp_bind_http_port(openvpn_t) -corenet_sendrecv_http_client_packets(openvpn_t) -corenet_tcp_connect_http_port(openvpn_t) -corenet_tcp_sendrecv_http_port(openvpn_t) - -corenet_sendrecv_http_cache_client_packets(openvpn_t) -corenet_tcp_connect_http_cache_port(openvpn_t) -corenet_tcp_sendrecv_http_cache_port(openvpn_t) - -corenet_rw_tun_tap_dev(openvpn_t) - -dev_read_rand(openvpn_t) - -files_read_etc_runtime_files(openvpn_t) - -fs_getattr_all_fs(openvpn_t) -fs_search_auto_mountpoints(openvpn_t) - -auth_use_pam(openvpn_t) - -miscfiles_read_localization(openvpn_t) -miscfiles_read_all_certs(openvpn_t) - -sysnet_exec_ifconfig(openvpn_t) -sysnet_manage_config(openvpn_t) -sysnet_etc_filetrans_config(openvpn_t) -sysnet_use_ldap(openvpn_t) - -userdom_use_user_terminals(openvpn_t) - -tunable_policy(`openvpn_enable_homedirs',` - userdom_read_user_home_content_files(openvpn_t) -') - -tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(openvpn_t) -') - -tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(openvpn_t) -') - -optional_policy(` - daemontools_service_domain(openvpn_t, openvpn_exec_t) -') - -optional_policy(` - dbus_system_bus_client(openvpn_t) - dbus_connect_system_bus(openvpn_t) - - optional_policy(` - networkmanager_dbus_chat(openvpn_t) - ') -') diff --git a/policy/modules/contrib/openvswitch.fc b/policy/modules/contrib/openvswitch.fc deleted file mode 100644 index 45d7cc50..00000000 --- a/policy/modules/contrib/openvswitch.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0) - -/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_conf_t,s0) - -/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) -/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0) - -/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0) - -/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0) - -/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0) diff --git a/policy/modules/contrib/openvswitch.if b/policy/modules/contrib/openvswitch.if deleted file mode 100644 index 9b157305..00000000 --- a/policy/modules/contrib/openvswitch.if +++ /dev/null @@ -1,83 +0,0 @@ -## <summary>Multilayer virtual switch.</summary> - -######################################## -## <summary> -## Execute openvswitch in the openvswitch domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`openvswitch_domtrans',` - gen_require(` - type openvswitch_t, openvswitch_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, openvswitch_exec_t, openvswitch_t) -') - -######################################## -## <summary> -## Read openvswitch pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`openvswitch_read_pid_files',` - gen_require(` - type openvswitch_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an openvswitch environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`openvswitch_admin',` - gen_require(` - type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t; - type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t; - ') - - allow $1 openvswitch_t:process { ptrace signal_perms }; - ps_process_pattern($1, openvswitch_t) - - init_labeled_script_domtrans($1, openvswitch_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 openvswitch_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, openvswitch_conf_t) - - files_search_var_lib($1) - admin_pattern($1, openvswitch_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, openvswitch_log_t) - - files_search_pids($1) - admin_pattern($1, openvswitch_var_run_t) -') diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te deleted file mode 100644 index 508fedf2..00000000 --- a/policy/modules/contrib/openvswitch.te +++ /dev/null @@ -1,89 +0,0 @@ -policy_module(openvswitch, 1.0.1) - -######################################## -# -# Declarations -# - -type openvswitch_t; -type openvswitch_exec_t; -init_daemon_domain(openvswitch_t, openvswitch_exec_t) - -type openvswitch_initrc_exec_t; -init_script_file(openvswitch_initrc_exec_t) - -type openvswitch_conf_t; -files_config_file(openvswitch_conf_t) - -type openvswitch_var_lib_t; -files_type(openvswitch_var_lib_t) - -type openvswitch_log_t; -logging_log_file(openvswitch_log_t) - -type openvswitch_var_run_t; -files_pid_file(openvswitch_var_run_t) - -######################################## -# -# Local policy -# - -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; -allow openvswitch_t self:process { setrlimit setsched signal }; -allow openvswitch_t self:fifo_file rw_fifo_file_perms; -allow openvswitch_t self:rawip_socket create_socket_perms; -allow openvswitch_t self:unix_stream_socket { accept connectto listen }; - -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) - -manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) - -manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) -append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) -create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) -setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) -manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) -logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) - -manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) -manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) -manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) -manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) -files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) - -can_exec(openvswitch_t, openvswitch_exec_t) - -kernel_read_network_state(openvswitch_t) -kernel_read_system_state(openvswitch_t) - -corenet_all_recvfrom_unlabeled(openvswitch_t) -corenet_all_recvfrom_netlabel(openvswitch_t) -corenet_raw_sendrecv_generic_if(openvswitch_t) -corenet_raw_sendrecv_generic_node(openvswitch_t) - -corecmd_exec_bin(openvswitch_t) - -dev_read_urand(openvswitch_t) - -domain_use_interactive_fds(openvswitch_t) - -files_read_etc_files(openvswitch_t) - -fs_getattr_all_fs(openvswitch_t) -fs_search_cgroup_dirs(openvswitch_t) - -logging_send_syslog_msg(openvswitch_t) - -miscfiles_read_localization(openvswitch_t) - -sysnet_dns_name_resolve(openvswitch_t) - -optional_policy(` - iptables_domtrans(openvswitch_t) -') diff --git a/policy/modules/contrib/pacemaker.fc b/policy/modules/contrib/pacemaker.fc deleted file mode 100644 index 2f0ad56d..00000000 --- a/policy/modules/contrib/pacemaker.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0) - -/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0) - -/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0) -/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0) -/var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0) - -/var/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0) diff --git a/policy/modules/contrib/pacemaker.if b/policy/modules/contrib/pacemaker.if deleted file mode 100644 index 9682d9af..00000000 --- a/policy/modules/contrib/pacemaker.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>A scalable high-availability cluster resource manager.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an pacemaker environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`pacemaker_admin',` - gen_require(` - type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t; - type pacemaker_var_run_t; - ') - - allow $1 pacemaker_t:process { ptrace signal_perms }; - ps_process_pattern($1, pacemaker_t) - - init_labeled_script_domtrans($1, pacemaker_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pacemaker_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, pacemaker_var_lib_t) - - files_search_pids($1) - admin_pattern($1, pacemaker_var_run_t) -') diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te deleted file mode 100644 index 3dd8ada1..00000000 --- a/policy/modules/contrib/pacemaker.te +++ /dev/null @@ -1,83 +0,0 @@ -policy_module(pacemaker, 1.0.2) - -######################################## -# -# Declarations -# - -type pacemaker_t; -type pacemaker_exec_t; -init_daemon_domain(pacemaker_t, pacemaker_exec_t) - -type pacemaker_initrc_exec_t; -init_script_file(pacemaker_initrc_exec_t) - -type pacemaker_tmp_t; -files_tmp_file(pacemaker_tmp_t) - -type pacemaker_tmpfs_t; -files_tmpfs_file(pacemaker_tmpfs_t) - -type pacemaker_var_lib_t; -files_type(pacemaker_var_lib_t) - -type pacemaker_var_run_t; -files_pid_file(pacemaker_var_run_t) - -######################################## -# -# Local policy -# - -allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid }; -allow pacemaker_t self:process { setrlimit signal setpgid }; -allow pacemaker_t self:fifo_file rw_fifo_file_perms; -allow pacemaker_t self:unix_stream_socket { connectto accept listen }; - -manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) -manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) -files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir }) - -manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t) -manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t) -fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file }) - -manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t) -manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t) -files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file }) - -manage_dirs_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t) -manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t) -files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file }) - -kernel_getattr_core_if(pacemaker_t) -kernel_read_all_sysctls(pacemaker_t) -kernel_read_messages(pacemaker_t) -kernel_read_network_state(pacemaker_t) -kernel_read_software_raid_state(pacemaker_t) -kernel_read_system_state(pacemaker_t) - -corecmd_exec_bin(pacemaker_t) -corecmd_exec_shell(pacemaker_t) - -dev_getattr_mtrr_dev(pacemaker_t) -dev_read_rand(pacemaker_t) -dev_read_urand(pacemaker_t) - -domain_read_all_domains_state(pacemaker_t) -domain_use_interactive_fds(pacemaker_t) - -files_read_kernel_symbol_table(pacemaker_t) - -fs_getattr_all_fs(pacemaker_t) - -auth_use_nsswitch(pacemaker_t) - -logging_send_syslog_msg(pacemaker_t) - -miscfiles_read_localization(pacemaker_t) - -optional_policy(` - corosync_read_log(pacemaker_t) - corosync_stream_connect(pacemaker_t) -') diff --git a/policy/modules/contrib/pads.fc b/policy/modules/contrib/pads.fc deleted file mode 100644 index d4797b34..00000000 --- a/policy/modules/contrib/pads.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t,s0) -/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t,s0) -/etc/pads\.conf -- gen_context(system_u:object_r:pads_config_t,s0) -/etc/pads-assets\.csv -- gen_context(system_u:object_r:pads_config_t,s0) - -/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t,s0) - -/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t,s0) - -/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t,s0) diff --git a/policy/modules/contrib/pads.if b/policy/modules/contrib/pads.if deleted file mode 100644 index 6e097c91..00000000 --- a/policy/modules/contrib/pads.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Passive Asset Detection System.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an pads environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`pads_admin', ` - gen_require(` - type pads_t, pads_config_t, pads_var_run_t; - type pads_initrc_exec_t; - ') - - allow $1 pads_t:process { ptrace signal_perms }; - ps_process_pattern($1, pads_t) - - init_labeled_script_domtrans($1, pads_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pads_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, pads_var_run_t) - - files_search_etc($1) - admin_pattern($1, pads_config_t) -') diff --git a/policy/modules/contrib/pads.te b/policy/modules/contrib/pads.te deleted file mode 100644 index 29a73644..00000000 --- a/policy/modules/contrib/pads.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(pads, 1.0.1) - -######################################## -# -# Declarations -# - -type pads_t; -type pads_exec_t; -init_daemon_domain(pads_t, pads_exec_t) -application_executable_file(pads_exec_t) - -type pads_initrc_exec_t; -init_script_file(pads_initrc_exec_t) - -type pads_config_t; -files_config_file(pads_config_t) - -type pads_var_run_t; -files_pid_file(pads_var_run_t) - -######################################## -# -# Declarations -# - -allow pads_t self:capability { dac_override net_raw }; -allow pads_t self:packet_socket create_socket_perms; -allow pads_t self:socket create_socket_perms; - -allow pads_t pads_config_t:file manage_file_perms; -files_etc_filetrans(pads_t, pads_config_t, file) - -allow pads_t pads_var_run_t:file manage_file_perms; -files_pid_filetrans(pads_t, pads_var_run_t, file) - -kernel_read_sysctl(pads_t) -kernel_read_network_state(pads_t) - -corecmd_search_bin(pads_t) - -corenet_all_recvfrom_unlabeled(pads_t) -corenet_all_recvfrom_netlabel(pads_t) -corenet_tcp_sendrecv_generic_if(pads_t) -corenet_tcp_sendrecv_generic_node(pads_t) - -corenet_sendrecv_prelude_client_packets(pads_t) -corenet_tcp_connect_prelude_port(pads_t) -corenet_tcp_sendrecv_prelude_port(pads_t) - -dev_read_rand(pads_t) -dev_read_urand(pads_t) -dev_read_sysfs(pads_t) - -files_read_etc_files(pads_t) -files_search_spool(pads_t) - -miscfiles_read_localization(pads_t) - -logging_send_syslog_msg(pads_t) - -sysnet_dns_name_resolve(pads_t) - -optional_policy(` - prelude_manage_spool(pads_t) -') diff --git a/policy/modules/contrib/pan.te b/policy/modules/contrib/pan.te index 89bc61d0..ad60d29d 100644 --- a/policy/modules/contrib/pan.te +++ b/policy/modules/contrib/pan.te @@ -33,7 +33,7 @@ ubac_constrained(pan_tmpfs_t) # allow pan_t self:process { getsched signal }; allow pan_t self:fifo_file rw_fifo_file_perms; -allow pan_t pan_tmpfs_t:file { read write }; +allow pan_t pan_tmpfs_t:file rw_inherited_file_perms; # Allow pan to work with its ~/.pan2 location manage_dirs_pattern(pan_t, pan_home_t, pan_home_t) @@ -51,7 +51,6 @@ corenet_sendrecv_innd_client_packets(pan_t) corenet_tcp_connect_innd_port(pan_t) corenet_tcp_sendrecv_generic_if(pan_t) corenet_tcp_sendrecv_generic_node(pan_t) -corenet_tcp_sendrecv_innd_port(pan_t) domain_dontaudit_use_interactive_fds(pan_t) diff --git a/policy/modules/contrib/passenger.fc b/policy/modules/contrib/passenger.fc deleted file mode 100644 index 2c389ea7..00000000 --- a/policy/modules/contrib/passenger.fc +++ /dev/null @@ -1,10 +0,0 @@ -/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) - -/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) - -/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) - -/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/policy/modules/contrib/passenger.if b/policy/modules/contrib/passenger.if deleted file mode 100644 index bf59ef73..00000000 --- a/policy/modules/contrib/passenger.if +++ /dev/null @@ -1,58 +0,0 @@ -## <summary>Ruby on rails deployment for Apache and Nginx servers.</summary> - -###################################### -## <summary> -## Execute passenger in the passenger domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`passenger_domtrans',` - gen_require(` - type passenger_t, passenger_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, passenger_exec_t, passenger_t) -') - -###################################### -## <summary> -## Execute passenger in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`passenger_exec',` - gen_require(` - type passenger_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, passenger_exec_t) -') - -######################################## -## <summary> -## Read passenger lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`passenger_read_lib_files',` - gen_require(` - type passenger_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) -') diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te deleted file mode 100644 index 4e114fff..00000000 --- a/policy/modules/contrib/passenger.te +++ /dev/null @@ -1,103 +0,0 @@ -policy_module(passanger, 1.0.3) - -######################################## -# -# Declarations -# - -type passenger_t; -type passenger_exec_t; -domain_type(passenger_t) -domain_entry_file(passenger_t, passenger_exec_t) -role system_r types passenger_t; - -type passenger_log_t; -logging_log_file(passenger_log_t) - -type passenger_var_lib_t; -files_type(passenger_var_lib_t) - -type passenger_var_run_t; -files_pid_file(passenger_var_run_t) - -######################################## -# -# Local policy -# - -allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; -allow passenger_t self:process { setpgid setsched sigkill signal }; -allow passenger_t self:fifo_file rw_fifo_file_perms; -allow passenger_t self:unix_stream_socket { accept connectto listen }; - -manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t) -append_files_pattern(passenger_t, passenger_log_t, passenger_log_t) -create_files_pattern(passenger_t, passenger_log_t, passenger_log_t) -setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t) -logging_log_filetrans(passenger_t, passenger_log_t, file) - -manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) -manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) - -manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) - -can_exec(passenger_t, passenger_exec_t) - -kernel_read_system_state(passenger_t) -kernel_read_kernel_sysctls(passenger_t) - -corenet_all_recvfrom_netlabel(passenger_t) -corenet_all_recvfrom_unlabeled(passenger_t) -corenet_tcp_sendrecv_generic_if(passenger_t) -corenet_tcp_sendrecv_generic_node(passenger_t) - -corenet_sendrecv_http_client_packets(passenger_t) -corenet_tcp_connect_http_port(passenger_t) -corenet_tcp_sendrecv_http_port(passenger_t) - -corecmd_exec_bin(passenger_t) -corecmd_exec_shell(passenger_t) - -dev_read_urand(passenger_t) - -domain_read_all_domains_state(passenger_t) - -files_read_etc_files(passenger_t) - -auth_use_nsswitch(passenger_t) - -logging_send_syslog_msg(passenger_t) - -miscfiles_read_localization(passenger_t) - -userdom_dontaudit_use_user_terminals(passenger_t) - -optional_policy(` - apache_append_log(passenger_t) - apache_read_sys_content(passenger_t) -') - -optional_policy(` - hostname_exec(passenger_t) -') - -optional_policy(` - mta_send_mail(passenger_t) -') - -optional_policy(` - puppet_manage_lib_files(passenger_t) - puppet_read_config(passenger_t) - puppet_append_log_files(passenger_t) - puppet_create_log_files(passenger_t) - puppet_read_log_files(passenger_t) -') - -optional_policy(` - rpm_exec(passenger_t) - rpm_read_db(passenger_t) -') diff --git a/policy/modules/contrib/pcmcia.fc b/policy/modules/contrib/pcmcia.fc deleted file mode 100644 index b1d66a96..00000000 --- a/policy/modules/contrib/pcmcia.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0) - -/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0) -/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0) - -/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0) -/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0) - -/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0) - -/var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0) -/var/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0) diff --git a/policy/modules/contrib/pcmcia.if b/policy/modules/contrib/pcmcia.if deleted file mode 100644 index 965b4086..00000000 --- a/policy/modules/contrib/pcmcia.if +++ /dev/null @@ -1,159 +0,0 @@ -## <summary>PCMCIA card management services.</summary> - -######################################## -## <summary> -## PCMCIA stub interface. No access allowed. -## </summary> -## <param name="domain" unused="true"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pcmcia_stub',` - gen_require(` - type cardmgr_t; - ') -') - -######################################## -## <summary> -## Execute cardmgr in the cardmgr domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`pcmcia_domtrans_cardmgr',` - gen_require(` - type cardmgr_t, cardmgr_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cardmgr_exec_t, cardmgr_t) -') - -######################################## -## <summary> -## Inherit and use cardmgr file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pcmcia_use_cardmgr_fds',` - gen_require(` - type cardmgr_t; - ') - - allow $1 cardmgr_t:fd use; -') - -######################################## -## <summary> -## Execute cardctl in the cardmgr domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`pcmcia_domtrans_cardctl',` - gen_require(` - type cardmgr_t, cardctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cardctl_exec_t, cardmgr_t) -') - -######################################## -## <summary> -## Execute cardctl in the cardmgr -## domain, and allow the specified -## role the cardmgr domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`pcmcia_run_cardctl',` - gen_require(` - attribute_role cardmgr_roles; - ') - - pcmcia_domtrans_cardctl($1) - roleattribute $2 cardmgr_roles; -') - -######################################## -## <summary> -## Read cardmgr pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pcmcia_read_pid',` - gen_require(` - type cardmgr_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## cardmgr pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pcmcia_manage_pid',` - gen_require(` - type cardmgr_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## cardmgr runtime character nodes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pcmcia_manage_pid_chr_files',` - gen_require(` - type cardmgr_var_run_t; - ') - - files_search_pids($1) - manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) -') diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te deleted file mode 100644 index 3ad10b5f..00000000 --- a/policy/modules/contrib/pcmcia.te +++ /dev/null @@ -1,121 +0,0 @@ -policy_module(pcmcia, 1.6.1) - -######################################## -# -# Declarations -# - -attribute_role cardmgr_roles; - -type cardmgr_t; -type cardmgr_exec_t; -init_daemon_domain(cardmgr_t, cardmgr_exec_t) - -type cardmgr_lnk_t; -files_type(cardmgr_lnk_t) - -type cardmgr_var_lib_t; -files_type(cardmgr_var_lib_t) - -type cardmgr_var_run_t; -files_pid_file(cardmgr_var_run_t) - -type cardctl_exec_t; -application_domain(cardmgr_t, cardctl_exec_t) -role cardmgr_roles types cardmgr_t; - -######################################## -# -# Local policy -# - -allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; -dontaudit cardmgr_t self:capability sys_tty_config; -allow cardmgr_t self:process signal_perms; -allow cardmgr_t self:fifo_file rw_fifo_file_perms; -allow cardmgr_t self:unix_stream_socket { accept listen }; - -allow cardmgr_t cardmgr_lnk_t:lnk_file manage_lnk_file_perms; -dev_filetrans(cardmgr_t, cardmgr_lnk_t, lnk_file) - -manage_files_pattern(cardmgr_t, cardmgr_var_lib_t, cardmgr_var_lib_t) -files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file) - -allow cardmgr_t cardmgr_var_run_t:file manage_file_perms; -files_pid_filetrans(cardmgr_t, cardmgr_var_run_t, file) - -kernel_read_kernel_sysctls(cardmgr_t) -kernel_read_system_state(cardmgr_t) -kernel_dontaudit_getattr_message_if(cardmgr_t) - -corecmd_exec_all_executables(cardmgr_t) - -dev_getattr_all_chr_files(cardmgr_t) -dev_getattr_all_blk_files(cardmgr_t) -dev_filetrans_cardmgr(cardmgr_t) -dev_manage_cardmgr_dev(cardmgr_t) -dev_read_sysfs(cardmgr_t) -dev_read_urand(cardmgr_t) - -domain_getattr_confined_domains(cardmgr_t) -domain_read_confined_domains_state(cardmgr_t) -domain_use_interactive_fds(cardmgr_t) -domain_dontaudit_ptrace_confined_domains(cardmgr_t) -domain_dontaudit_getattr_all_pipes(cardmgr_t) -domain_dontaudit_getattr_all_sockets(cardmgr_t) - -files_exec_etc_files(cardmgr_t) -files_list_usr(cardmgr_t) -files_read_etc_runtime_files(cardmgr_t) -files_read_var_lib_files(cardmgr_t) -files_search_kernel_modules(cardmgr_t) -files_search_home(cardmgr_t) -files_dontaudit_getattr_all_dirs(cardmgr_t) -files_dontaudit_getattr_all_files(cardmgr_t) -files_dontaudit_getattr_all_symlinks(cardmgr_t) -files_dontaudit_getattr_all_pipes(cardmgr_t) -files_dontaudit_getattr_all_sockets(cardmgr_t) - -fs_getattr_all_fs(cardmgr_t) -fs_search_auto_mountpoints(cardmgr_t) - -term_use_unallocated_ttys(cardmgr_t) -term_getattr_all_ttys(cardmgr_t) -term_dontaudit_getattr_all_ptys(cardmgr_t) - -libs_exec_ld_so(cardmgr_t) -libs_exec_lib_files(cardmgr_t) - -logging_send_syslog_msg(cardmgr_t) - -miscfiles_read_localization(cardmgr_t) - -modutils_domtrans_insmod(cardmgr_t) - -sysnet_domtrans_ifconfig(cardmgr_t) -sysnet_etc_filetrans_config(cardmgr_t) -sysnet_manage_config(cardmgr_t) - -userdom_use_user_terminals(cardmgr_t) -userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) -userdom_dontaudit_search_user_home_dirs(cardmgr_t) - -optional_policy(` - seutil_dontaudit_read_config(cardmgr_t) - seutil_sigchld_newrole(cardmgr_t) -') - -optional_policy(` - sysnet_domtrans_dhcpc(cardmgr_t) - sysnet_read_dhcpc_pid(cardmgr_t) - sysnet_delete_dhcpc_pid(cardmgr_t) - sysnet_kill_dhcpc(cardmgr_t) - sysnet_sigchld_dhcpc(cardmgr_t) - sysnet_signal_dhcpc(cardmgr_t) - sysnet_signull_dhcpc(cardmgr_t) - sysnet_sigstop_dhcpc(cardmgr_t) -') - -optional_policy(` - udev_read_db(cardmgr_t) -') diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc deleted file mode 100644 index 58363c7a..00000000 --- a/policy/modules/contrib/pcscd.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/pcscd -- gen_context(system_u:object_r:pcscd_initrc_exec_t,s0) - -/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) - -/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) -/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) -/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) -/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) -/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if deleted file mode 100644 index 43d50f95..00000000 --- a/policy/modules/contrib/pcscd.if +++ /dev/null @@ -1,138 +0,0 @@ -## <summary>PCSC smart card service.</summary> - -######################################## -## <summary> -## Execute a domain transition to run pcscd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`pcscd_domtrans',` - gen_require(` - type pcscd_t, pcscd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pcscd_exec_t, pcscd_t) -') - -######################################## -## <summary> -## Read pcscd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pcscd_read_pub_files',` - refpolicywarn(`$0($*) has been deprecated, use pcscd_read_pid_files() instead.') - pcscd_read_pid_files($1) -') - -######################################## -## <summary> -## Read pcscd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pcscd_read_pid_files',` - gen_require(` - type pcscd_var_run_t; - ') - - files_search_pids($1) - allow $1 pcscd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## pcscd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pcscd_manage_pub_files',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Create, read, write, and delete -## pcscd pid fifo files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pcscd_manage_pub_pipes',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Connect to pcscd over an unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pcscd_stream_connect',` - gen_require(` - type pcscd_t, pcscd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an pcscd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`pcscd_admin',` - gen_require(` - type pcscd_t, pcscd_initrc_exec_t, pcscd_var_run_t; - ') - - allow $1 pcscd_t:process { ptrace signal_perms }; - ps_process_pattern($1, pcscd_t) - - init_labeled_script_domtrans($1, pcscd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pcscd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, pcscd_var_run_t) -') diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te deleted file mode 100644 index 96db6540..00000000 --- a/policy/modules/contrib/pcscd.te +++ /dev/null @@ -1,87 +0,0 @@ -policy_module(pcscd, 1.7.3) - -######################################## -# -# Declarations -# - -type pcscd_t; -type pcscd_exec_t; -init_daemon_domain(pcscd_t, pcscd_exec_t) - -type pcscd_initrc_exec_t; -init_script_file(pcscd_initrc_exec_t) - -type pcscd_var_run_t; -files_pid_file(pcscd_var_run_t) -init_daemon_run_dir(pcscd_var_run_t, "pcscd") - -######################################## -# -# Local policy -# - -allow pcscd_t self:capability { dac_override dac_read_search fsetid }; -allow pcscd_t self:process signal; -allow pcscd_t self:fifo_file rw_fifo_file_perms; -allow pcscd_t self:unix_stream_socket { accept listen }; -allow pcscd_t self:tcp_socket { accept listen }; -allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) - -kernel_read_system_state(pcscd_t) - -corenet_all_recvfrom_unlabeled(pcscd_t) -corenet_all_recvfrom_netlabel(pcscd_t) -corenet_tcp_sendrecv_generic_if(pcscd_t) -corenet_tcp_sendrecv_generic_node(pcscd_t) - -corenet_sendrecv_http_client_packets(pcscd_t) -corenet_tcp_connect_http_port(pcscd_t) -corenet_tcp_sendrecv_http_port(pcscd_t) - -dev_rw_generic_usb_dev(pcscd_t) -dev_rw_smartcard(pcscd_t) -dev_rw_usbfs(pcscd_t) -dev_read_sysfs(pcscd_t) - -files_read_etc_files(pcscd_t) -files_read_etc_runtime_files(pcscd_t) - -term_use_unallocated_ttys(pcscd_t) -term_dontaudit_getattr_pty_dirs(pcscd_t) - -locallogin_use_fds(pcscd_t) - -logging_send_syslog_msg(pcscd_t) - -miscfiles_read_localization(pcscd_t) - -sysnet_dns_name_resolve(pcscd_t) - -optional_policy(` - dbus_system_bus_client(pcscd_t) - - optional_policy(` - hal_dbus_chat(pcscd_t) - ') -') - -optional_policy(` - openct_stream_connect(pcscd_t) - openct_read_pid_files(pcscd_t) - openct_signull(pcscd_t) -') - -optional_policy(` - rpm_use_script_fds(pcscd_t) -') - -optional_policy(` - udev_read_db(pcscd_t) -') diff --git a/policy/modules/contrib/pegasus.fc b/policy/modules/contrib/pegasus.fc deleted file mode 100644 index dfd46e41..00000000 --- a/policy/modules/contrib/pegasus.fc +++ /dev/null @@ -1,15 +0,0 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) - -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) - -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) - -/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) - -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) - -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) - -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) diff --git a/policy/modules/contrib/pegasus.if b/policy/modules/contrib/pegasus.if deleted file mode 100644 index d2fc677c..00000000 --- a/policy/modules/contrib/pegasus.if +++ /dev/null @@ -1,52 +0,0 @@ -## <summary>The Open Group Pegasus CIM/WBEM Server.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an pegasus environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`pegasus_admin',` - gen_require(` - type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t; - type pegasus_cache_t, pegasus_data_t, pegasus_conf_t; - type pegasus_mof_t, pegasus_var_run_t; - ') - - allow $1 pegasus_t:process { ptrace signal_perms }; - ps_process_pattern($1, pegasus_t) - - init_labeled_script_domtrans($1, pegasus_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pegasus_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, pegasus_conf_t) - - files_search_usr($1) - admin_pattern($1, pegasus_mof_t) - - files_search_tmp($1) - admin_pattern($1, pegasus_tmp_t) - - files_search_var($1) - admin_pattern($1, pegasus_cache_t) - - files_search_var_lib($1) - admin_pattern($1, pegasus_data_t) - - files_search_pids($1) - admin_pattern($1, pegasus_var_run_t) -') diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te deleted file mode 100644 index 7bcf3277..00000000 --- a/policy/modules/contrib/pegasus.te +++ /dev/null @@ -1,191 +0,0 @@ -policy_module(pegasus, 1.8.3) - -######################################## -# -# Declarations -# - -type pegasus_t; -type pegasus_exec_t; -init_daemon_domain(pegasus_t, pegasus_exec_t) - -type pegasus_initrc_exec_t; -init_script_file(pegasus_initrc_exec_t) - -type pegasus_cache_t; -files_type(pegasus_cache_t) - -type pegasus_data_t; -files_type(pegasus_data_t) - -type pegasus_tmp_t; -files_tmp_file(pegasus_tmp_t) - -type pegasus_conf_t; -files_config_file(pegasus_conf_t) - -type pegasus_mof_t; -files_type(pegasus_mof_t) - -type pegasus_var_run_t; -files_pid_file(pegasus_var_run_t) - -######################################## -# -# Local policy -# - -allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; -dontaudit pegasus_t self:capability sys_tty_config; -allow pegasus_t self:process signal; -allow pegasus_t self:fifo_file rw_fifo_file_perms; -allow pegasus_t self:unix_stream_socket { connectto accept listen }; -allow pegasus_t self:tcp_socket { accept listen }; - -allow pegasus_t pegasus_conf_t:dir rw_dir_perms; -allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms }; -allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -manage_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -manage_lnk_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) - -manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file }) - -allow pegasus_t pegasus_mof_t:dir list_dir_perms; -allow pegasus_t pegasus_mof_t:file read_file_perms; -allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) -manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) -files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file }) - -manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) -manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) -manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) -files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file }) - -can_exec(pegasus_t, pegasus_exec_t) - -kernel_read_network_state(pegasus_t) -kernel_read_kernel_sysctls(pegasus_t) -kernel_read_fs_sysctls(pegasus_t) -kernel_read_system_state(pegasus_t) -kernel_search_vm_sysctl(pegasus_t) -kernel_read_net_sysctls(pegasus_t) -kernel_read_xen_state(pegasus_t) -kernel_write_xen_state(pegasus_t) - -corenet_all_recvfrom_unlabeled(pegasus_t) -corenet_all_recvfrom_netlabel(pegasus_t) -corenet_tcp_sendrecv_generic_if(pegasus_t) -corenet_tcp_sendrecv_generic_node(pegasus_t) -corenet_tcp_sendrecv_all_ports(pegasus_t) -corenet_tcp_bind_generic_node(pegasus_t) - -corenet_sendrecv_pegasus_http_server_packets(pegasus_t) -corenet_tcp_bind_pegasus_http_port(pegasus_t) - -corenet_sendrecv_pegasus_https_server_packets(pegasus_t) -corenet_tcp_bind_pegasus_https_port(pegasus_t) - -corenet_sendrecv_pegasus_http_client_packets(pegasus_t) -corenet_tcp_connect_pegasus_http_port(pegasus_t) - -corenet_sendrecv_pegasus_https_client_packets(pegasus_t) -corenet_tcp_connect_pegasus_https_port(pegasus_t) - -corenet_sendrecv_generic_client_packets(pegasus_t) -corenet_tcp_connect_generic_port(pegasus_t) - -corecmd_exec_bin(pegasus_t) -corecmd_exec_shell(pegasus_t) - -dev_rw_sysfs(pegasus_t) -dev_read_urand(pegasus_t) - -fs_getattr_all_fs(pegasus_t) -fs_search_auto_mountpoints(pegasus_t) -files_getattr_all_dirs(pegasus_t) - -auth_use_nsswitch(pegasus_t) -auth_domtrans_chk_passwd(pegasus_t) - -domain_use_interactive_fds(pegasus_t) -domain_read_all_domains_state(pegasus_t) - -files_list_var_lib(pegasus_t) -files_read_var_lib_files(pegasus_t) -files_read_var_lib_symlinks(pegasus_t) - -init_rw_utmp(pegasus_t) -init_stream_connect_script(pegasus_t) - -logging_send_audit_msgs(pegasus_t) -logging_send_syslog_msg(pegasus_t) - -miscfiles_read_localization(pegasus_t) - -userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -userdom_dontaudit_search_user_home_dirs(pegasus_t) - -optional_policy(` - dbus_system_bus_client(pegasus_t) - dbus_connect_system_bus(pegasus_t) - - optional_policy(` - networkmanager_dbus_chat(pegasus_t) - ') -') - -optional_policy(` - hostname_exec(pegasus_t) -') - -optional_policy(` - lldpad_dgram_send(pegasus_t) -') - -optional_policy(` - rpm_exec(pegasus_t) -') - -optional_policy(` - samba_manage_config(pegasus_t) -') - -optional_policy(` - seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) -') - -optional_policy(` - ssh_exec(pegasus_t) -') - -optional_policy(` - sysnet_domtrans_ifconfig(pegasus_t) -') - -optional_policy(` - udev_read_db(pegasus_t) -') - -optional_policy(` - unconfined_signull(pegasus_t) -') - -optional_policy(` - virt_domtrans(pegasus_t) - virt_stream_connect(pegasus_t) - virt_manage_config(pegasus_t) -') - -optional_policy(` - xen_stream_connect(pegasus_t) - xen_stream_connect_xenstore(pegasus_t) -') diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc deleted file mode 100644 index ad0cf85c..00000000 --- a/policy/modules/contrib/perdition.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/perdition -- gen_context(system_u:object_r:perdition_initrc_exec_t,s0) - -/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0) - -/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0) - -/var/run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0) diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if deleted file mode 100644 index 47e09e1d..00000000 --- a/policy/modules/contrib/perdition.if +++ /dev/null @@ -1,53 +0,0 @@ -## <summary>Perdition POP and IMAP proxy.</summary> - -######################################## -## <summary> -## Connect to perdition over a TCP socket (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`perdition_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an perdition environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`perdition_admin',` - gen_require(` - type perdition_t, perdition_initrc_exec_t, perdition_etc_t; - type perdition_var_run_t; - ') - - allow $1 perdition_t:process { ptrace signal_perms }; - ps_process_pattern($1, perdition_t) - - init_labeled_script_domtrans($1, perdition_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 perdition_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, perdition_etc_t) - - files_search_pids($1) - admin_pattern($1, perdition_var_run_t) -') diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te deleted file mode 100644 index 39027dec..00000000 --- a/policy/modules/contrib/perdition.te +++ /dev/null @@ -1,75 +0,0 @@ -policy_module(perdition, 1.7.1) - -######################################## -# -# Declarations -# - -type perdition_t; -type perdition_exec_t; -init_daemon_domain(perdition_t, perdition_exec_t) - -type perdition_initrc_exec_t; -init_script_file(perdition_initrc_exec_t) - -type perdition_etc_t; -files_config_file(perdition_etc_t) - -type perdition_var_run_t; -files_pid_file(perdition_var_run_t) - -######################################## -# -# Local policy -# - -allow perdition_t self:capability { setgid setuid }; -dontaudit perdition_t self:capability sys_tty_config; -allow perdition_t self:process signal_perms; -allow perdition_t self:tcp_socket { accept listen }; - -allow perdition_t perdition_etc_t:dir list_dir_perms; -allow perdition_t perdition_etc_t:file read_file_perms; -allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms; - -manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t) -files_pid_filetrans(perdition_t, perdition_var_run_t, file) - -kernel_read_kernel_sysctls(perdition_t) -kernel_list_proc(perdition_t) -kernel_read_proc_symlinks(perdition_t) - -corenet_all_recvfrom_unlabeled(perdition_t) -corenet_all_recvfrom_netlabel(perdition_t) -corenet_tcp_sendrecv_generic_if(perdition_t) -corenet_tcp_sendrecv_generic_node(perdition_t) -corenet_tcp_sendrecv_all_ports(perdition_t) -corenet_tcp_bind_generic_node(perdition_t) - -corenet_sendrecv_pop_server_packets(perdition_t) -corenet_tcp_bind_pop_port(perdition_t) -corenet_tcp_sendrecv_pop_port(perdition_t) - -dev_read_sysfs(perdition_t) - -domain_use_interactive_fds(perdition_t) - -fs_getattr_all_fs(perdition_t) -fs_search_auto_mountpoints(perdition_t) - -auth_use_nsswitch(perdition_t) - -logging_send_syslog_msg(perdition_t) - -miscfiles_read_localization(perdition_t) - -userdom_dontaudit_use_unpriv_user_fds(perdition_t) -userdom_dontaudit_search_user_home_dirs(perdition_t) - -optional_policy(` - seutil_sigchld_newrole(perdition_t) -') - -optional_policy(` - udev_read_db(perdition_t) -') diff --git a/policy/modules/contrib/phpfpm.fc b/policy/modules/contrib/phpfpm.fc index 51da02a9..5592e409 100644 --- a/policy/modules/contrib/phpfpm.fc +++ b/policy/modules/contrib/phpfpm.fc @@ -1,5 +1,5 @@ -/usr/lib(64)?/php.*/bin/php-fpm gen_context(system_u:object_r:phpfpm_exec_t,s0) -/var/run/php*-fpm/*.sock gen_context(system_u:object_r:phpfpm_var_run_t,s0) +/usr/lib/php[^/]*/bin/php-fpm gen_context(system_u:object_r:phpfpm_exec_t,s0) +/run/php[^/]*-fpm/[^/]*\.sock gen_context(system_u:object_r:phpfpm_runtime_t,s0) -/var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0) -/var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0) +/var/log/php-fpm\.log gen_context(system_u:object_r:phpfpm_log_t,s0) +/run/php-fpm\.pid gen_context(system_u:object_r:phpfpm_runtime_t,s0) diff --git a/policy/modules/contrib/phpfpm.if b/policy/modules/contrib/phpfpm.if index fee2c174..8bca45d5 100644 --- a/policy/modules/contrib/phpfpm.if +++ b/policy/modules/contrib/phpfpm.if @@ -9,11 +9,11 @@ ## Domain allowed access ## </summary> ## </param> -# +# interface(`phpfpm_admin',` gen_require(` type phpfpm_t; - type phpfpm_log_t, phpfpm_tmp_t, phpfpm_var_run_t; + type phpfpm_log_t, phpfpm_tmp_t, phpfpm_runtime_t; ') allow $1 phpfpm_t:process { ptrace signal_perms }; @@ -25,8 +25,8 @@ interface(`phpfpm_admin',` files_list_tmp($1) admin_pattern($1, phpfpm_tmp_t) - files_list_pids($1) - admin_pattern($1, phpfpm_var_run_t) + files_list_runtime($1) + admin_pattern($1, phpfpm_runtime_t) ') ######################################## @@ -42,7 +42,7 @@ interface(`phpfpm_admin',` # interface(`phpfpm_stream_connect',` gen_require(` - type phpfpm_t, phpfpm_var_run_t; + type phpfpm_t, phpfpm_runtime_t; ') - stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t) + stream_connect_pattern($1, phpfpm_runtime_t, phpfpm_runtime_t, phpfpm_t) ') diff --git a/policy/modules/contrib/phpfpm.te b/policy/modules/contrib/phpfpm.te index 89ed6c9e..a1044f31 100644 --- a/policy/modules/contrib/phpfpm.te +++ b/policy/modules/contrib/phpfpm.te @@ -12,6 +12,56 @@ policy_module(phpfpm, 1.1) ## </desc> gen_tunable(phpfpm_use_ldap, false) +## <desc> +## <p> +## Allow phpfpm to send syslog messages +## </p> +## </desc> +gen_tunable(phpfpm_send_syslog_msg, false) + +## <desc> +## <p> +## Allow phpfpm to execute shells. This +## is needed by some webapps. +## </p> +## </desc> +gen_tunable(phpfpm_exec_shell, false) + +## <desc> +## <p> +## Allow phpfpm to connect to http ports. +## </p> +## </desc> +gen_tunable(phpfpm_connect_http, false) + +## <desc> +## <p> +## Allow phpfpm to connect to pop ports. +## </p> +## </desc> +gen_tunable(phpfpm_connect_pop, false) + +## <desc> +## <p> +## Allow phpfpm to connect to redis ports. +## </p> +## </desc> +gen_tunable(phpfpm_connect_redis, false) + +## <desc> +## <p> +## Allow phpfpm to connect to sieve ports. +## </p> +## </desc> +gen_tunable(phpfpm_connect_sieve, false) + +## <desc> +## <p> +## Allow phpfpm to connect to smtp ports. +## </p> +## </desc> +gen_tunable(phpfpm_connect_smtp, false) + type phpfpm_t; type phpfpm_exec_t; init_daemon_domain(phpfpm_t, phpfpm_exec_t) @@ -19,8 +69,8 @@ init_daemon_domain(phpfpm_t, phpfpm_exec_t) type phpfpm_tmp_t; files_tmp_file(phpfpm_tmp_t) -type phpfpm_var_run_t; -files_pid_file(phpfpm_var_run_t) +type phpfpm_runtime_t alias phpfpm_var_run_t; +files_runtime_file(phpfpm_runtime_t) type phpfpm_log_t; logging_log_file(phpfpm_log_t) @@ -37,6 +87,8 @@ allow phpfpm_t self:fifo_file rw_fifo_file_perms; allow phpfpm_t self:tcp_socket rw_stream_socket_perms; allow phpfpm_t self:udp_socket connected_socket_perms; allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms }; +allow phpfpm_t self:unix_dgram_socket { create_socket_perms }; +dontaudit phpfpm_t self:capability net_admin; manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t) logging_log_filetrans(phpfpm_t, phpfpm_log_t, file) @@ -45,14 +97,13 @@ manage_files_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t) manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t) files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir}) -manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file }) +manage_files_pattern(phpfpm_t, phpfpm_runtime_t, phpfpm_runtime_t) +files_runtime_filetrans(phpfpm_t, phpfpm_runtime_t, { file sock_file }) -manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) +manage_sock_files_pattern(phpfpm_t, phpfpm_runtime_t, phpfpm_runtime_t) kernel_read_kernel_sysctls(phpfpm_t) -corecmd_read_bin_symlinks(phpfpm_t) corecmd_search_bin(phpfpm_t) corenet_tcp_bind_all_unreserved_ports(phpfpm_t) @@ -81,6 +132,10 @@ apache_read_sys_content(phpfpm_t) apache_dontaudit_search_modules(phpfpm_t) optional_policy(` + apache_map_sys_content(phpfpm_t) +') + +optional_policy(` mysql_stream_connect(phpfpm_t) mysql_tcp_connect(phpfpm_t) ') @@ -99,3 +154,31 @@ optional_policy(` sysnet_use_ldap(phpfpm_t) ') ') + +tunable_policy(`phpfpm_exec_shell',` + corecmd_exec_shell(phpfpm_t) +') + +tunable_policy(`phpfpm_connect_http',` + corenet_tcp_connect_http_port(phpfpm_t) +') + +tunable_policy(`phpfpm_connect_pop',` + corenet_tcp_connect_pop_port(phpfpm_t) +') + +tunable_policy(`phpfpm_connect_redis',` + corenet_tcp_connect_redis_port(phpfpm_t) +') + +tunable_policy(`phpfpm_connect_sieve',` + corenet_tcp_connect_sieve_port(phpfpm_t) +') + +tunable_policy(`phpfpm_connect_smtp',` + corenet_tcp_connect_smtp_port(phpfpm_t) +') + +tunable_policy(`phpfpm_send_syslog_msg',` + logging_send_syslog_msg(phpfpm_t) +') diff --git a/policy/modules/contrib/pingd.fc b/policy/modules/contrib/pingd.fc deleted file mode 100644 index 494a24cc..00000000 --- a/policy/modules/contrib/pingd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/pingd\.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) - -/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0) - -/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0) - -/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0) diff --git a/policy/modules/contrib/pingd.if b/policy/modules/contrib/pingd.if deleted file mode 100644 index 21a6ecbe..00000000 --- a/policy/modules/contrib/pingd.if +++ /dev/null @@ -1,97 +0,0 @@ -## <summary>Pingd of the Whatsup cluster node up/down detection utility.</summary> - -######################################## -## <summary> -## Execute a domain transition to run pingd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`pingd_domtrans',` - gen_require(` - type pingd_t, pingd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pingd_exec_t, pingd_t) -') - -####################################### -## <summary> -## Read pingd etc configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pingd_read_config',` - gen_require(` - type pingd_etc_t; - ') - - files_search_etc($1) - allow $1 pingd_etc_t:file read_file_perms; -') - -####################################### -## <summary> -## Create, read, write, and delete -## pingd etc configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pingd_manage_config',` - gen_require(` - type pingd_etc_t; - ') - - files_search_etc($1) - allow $1 pingd_etc_t:file manage_file_perms; -') - -####################################### -## <summary> -## All of the rules required to -## administrate an pingd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`pingd_admin',` - gen_require(` - type pingd_t, pingd_etc_t, pingd_modules_t; - type pingd_initrc_exec_t; - ') - - allow $1 pingd_t:process { ptrace signal_perms }; - ps_process_pattern($1, pingd_t) - - init_labeled_script_domtrans($1, pingd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pingd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, pingd_etc_t) - - files_list_usr($1) - admin_pattern($1, pingd_modules_t) -') diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te deleted file mode 100644 index 0f77942a..00000000 --- a/policy/modules/contrib/pingd.te +++ /dev/null @@ -1,54 +0,0 @@ -policy_module(pingd, 1.0.1) - -######################################## -# -# Declarations -# - -type pingd_t; -type pingd_exec_t; -init_daemon_domain(pingd_t, pingd_exec_t) - -type pingd_etc_t; -files_type(pingd_etc_t) - -type pingd_initrc_exec_t; -init_script_file(pingd_initrc_exec_t) - -type pingd_modules_t; -files_type(pingd_modules_t) - -######################################## -# -# Local policy -# - -allow pingd_t self:capability net_raw; -allow pingd_t self:tcp_socket { accept listen }; -allow pingd_t self:rawip_socket create_socket_perms; - -allow pingd_t pingd_etc_t:file read_file_perms; - -read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) -mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) - -corenet_all_recvfrom_unlabeled(pingd_t) -corenet_all_recvfrom_netlabel(pingd_t) -corenet_tcp_sendrecv_generic_if(pingd_t) -corenet_raw_sendrecv_generic_if(pingd_t) -corenet_tcp_sendrecv_generic_node(pingd_t) -corenet_raw_sendrecv_generic_node(pingd_t) -corenet_tcp_sendrecv_all_ports(pingd_t) -corenet_raw_bind_generic_node(pingd_t) -corenet_tcp_bind_generic_node(pingd_t) - -corenet_sendrecv_pingd_server_packets(pingd_t) -corenet_tcp_bind_pingd_port(pingd_t) - -auth_use_nsswitch(pingd_t) - -files_search_usr(pingd_t) - -logging_send_syslog_msg(pingd_t) - -miscfiles_read_localization(pingd_t) diff --git a/policy/modules/contrib/pkcs.fc b/policy/modules/contrib/pkcs.fc deleted file mode 100644 index f9dc0be5..00000000 --- a/policy/modules/contrib/pkcs.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0) - -/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0) - -/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0) - -/var/run/pkcsslotd\.pid -- gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0) diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if deleted file mode 100644 index 69be2aaf..00000000 --- a/policy/modules/contrib/pkcs.if +++ /dev/null @@ -1,45 +0,0 @@ -## <summary>Implementations of the Cryptoki specification.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an pkcs slotd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`pkcs_admin_slotd',` - gen_require(` - type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t; - type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t; - ') - - allow $1 pkcs_slotd_t:process { ptrace signal_perms }; - ps_process_pattern($1, pkcs_slotd_t) - - init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pkcs_slotd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, pkcs_slotd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, pkcs_slotd_var_run_t) - - files_search_tmp($1) - admin_pattern($1, pkcs_slotd_tmp_t) - - fs_search_tmpfs($1) - admin_pattern($1, pkcs_slotd_tmpfs_t) -') diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te deleted file mode 100644 index 977b9722..00000000 --- a/policy/modules/contrib/pkcs.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(pkcs, 1.0.0) - -######################################## -# -# Declarations -# - -type pkcs_slotd_t; -type pkcs_slotd_exec_t; -init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t) - -type pkcs_slotd_initrc_exec_t; -init_script_file(pkcs_slotd_initrc_exec_t) - -type pkcs_slotd_var_lib_t; -files_type(pkcs_slotd_var_lib_t) - -type pkcs_slotd_var_run_t; -files_pid_file(pkcs_slotd_var_run_t) - -type pkcs_slotd_tmp_t; -files_tmp_file(pkcs_slotd_tmp_t) - -type pkcs_slotd_tmpfs_t; -files_tmpfs_file(pkcs_slotd_tmpfs_t) - -######################################## -# -# Local policy -# - -allow pkcs_slotd_t self:capability kill; -allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms; -allow pkcs_slotd_t self:sem create_sem_perms; -allow pkcs_slotd_t self:shm create_shm_perms; -allow pkcs_slotd_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) -manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) -manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) -files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir) - -manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) -files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, file) - -manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t) -manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t) -files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir) - -manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) -manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) -fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir) - -files_read_etc_files(pkcs_slotd_t) - -logging_send_syslog_msg(pkcs_slotd_t) - -miscfiles_read_localization(pkcs_slotd_t) diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc deleted file mode 100644 index 735500fd..00000000 --- a/policy/modules/contrib/plymouthd.fc +++ /dev/null @@ -1,15 +0,0 @@ -/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) - -/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) - -/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) - -/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) - -/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) - -/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) - -/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) - -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/policy/modules/contrib/plymouthd.if b/policy/modules/contrib/plymouthd.if deleted file mode 100644 index 30e751f1..00000000 --- a/policy/modules/contrib/plymouthd.if +++ /dev/null @@ -1,268 +0,0 @@ -## <summary>Plymouth graphical boot.</summary> - -######################################## -## <summary> -## Execute a domain transition to run plymouthd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`plymouthd_domtrans',` - gen_require(` - type plymouthd_t, plymouthd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) -') - -######################################## -## <summary> -## Execute plymouthd in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`plymouthd_exec',` - gen_require(` - type plymouthd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, plymouthd_exec_t) -') - -######################################## -## <summary> -## Connect to plymouthd using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`plymouthd_stream_connect',` - gen_require(` - type plymouthd_t, plymouthd_spool_t; - ') - - files_search_spool($1) - stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t) -') - -######################################## -## <summary> -## Execute plymouth in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`plymouthd_exec_plymouth',` - gen_require(` - type plymouth_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, plymouth_exec_t) -') - -######################################## -## <summary> -## Execute a domain transition to run plymouth. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`plymouthd_domtrans_plymouth',` - gen_require(` - type plymouth_t, plymouth_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, plymouth_exec_t, plymouth_t) -') - -######################################## -## <summary> -## Search plymouthd spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`plymouthd_search_spool',` - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - allow $1 plymouthd_spool_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read plymouthd spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`plymouthd_read_spool_files',` - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## plymouthd spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`plymouthd_manage_spool_files',` - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) -') - -######################################## -## <summary> -## Search plymouthd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`plymouthd_search_lib',` - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 plymouthd_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read plymouthd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`plymouthd_read_lib_files',` - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## plymouthd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`plymouthd_manage_lib_files',` - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) -') - -######################################## -## <summary> -## Read plymouthd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`plymouthd_read_pid_files',` - gen_require(` - type plymouthd_var_run_t; - ') - - files_search_pids($1) - allow $1 plymouthd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an plymouthd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`plymouthd_admin',` - gen_require(` - type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; - type plymouthd_var_run_t; - ') - - allow $1 plymouthd_t:process { ptrace signal_perms }; - read_files_pattern($1, plymouthd_t, plymouthd_t) - - files_search_spool($1) - admin_pattern($1, plymouthd_spool_t) - - files_search_var_lib($1) - admin_pattern($1, plymouthd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, plymouthd_var_run_t) -') diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te deleted file mode 100644 index b1f412be..00000000 --- a/policy/modules/contrib/plymouthd.te +++ /dev/null @@ -1,130 +0,0 @@ -policy_module(plymouthd, 1.1.4) - -######################################## -# -# Declarations -# - -type plymouth_t; -type plymouth_exec_t; -application_domain(plymouth_t, plymouth_exec_t) -role system_r types plymouth_t; - -type plymouthd_t; -type plymouthd_exec_t; -init_daemon_domain(plymouthd_t, plymouthd_exec_t) - -type plymouthd_spool_t; -files_type(plymouthd_spool_t) - -type plymouthd_var_lib_t; -files_type(plymouthd_var_lib_t) - -type plymouthd_var_log_t; -logging_log_file(plymouthd_var_log_t) - -type plymouthd_var_run_t; -files_pid_file(plymouthd_var_run_t) - -######################################## -# -# Daemon local policy -# - -allow plymouthd_t self:capability { sys_admin sys_tty_config }; -dontaudit plymouthd_t self:capability dac_override; -allow plymouthd_t self:capability2 block_suspend; -allow plymouthd_t self:process { signal getsched }; -allow plymouthd_t self:fifo_file rw_fifo_file_perms; -allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file }) - -manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) -manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) -files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) - -manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) -append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) -create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) -setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) -logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) - -manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) - -kernel_read_system_state(plymouthd_t) -kernel_request_load_module(plymouthd_t) -kernel_change_ring_buffer_level(plymouthd_t) - -dev_rw_dri(plymouthd_t) -dev_read_sysfs(plymouthd_t) -dev_read_framebuffer(plymouthd_t) -dev_write_framebuffer(plymouthd_t) - -domain_use_interactive_fds(plymouthd_t) - -fs_getattr_all_fs(plymouthd_t) - -files_read_etc_files(plymouthd_t) -files_read_usr_files(plymouthd_t) - -term_getattr_pty_fs(plymouthd_t) -term_use_all_terms(plymouthd_t) -term_use_ptmx(plymouthd_t) - -miscfiles_read_localization(plymouthd_t) -miscfiles_read_fonts(plymouthd_t) -miscfiles_manage_fonts_cache(plymouthd_t) - -optional_policy(` - gnome_read_generic_home_content(plymouthd_t) -') - -optional_policy(` - sssd_stream_connect(plymouthd_t) -') - -optional_policy(` - xserver_manage_xdm_spool_files(plymouthd_t) - xserver_read_xdm_state(plymouthd_t) -') - -######################################## -# -# Client local policy -# - -allow plymouth_t self:process signal; -allow plymouth_t self:fifo_file rw_fifo_file_perms; -allow plymouth_t self:unix_stream_socket create_stream_socket_perms; - -stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t) - -kernel_read_system_state(plymouth_t) -kernel_stream_connect(plymouth_t) - -domain_use_interactive_fds(plymouth_t) - -files_read_etc_files(plymouth_t) - -term_use_ptmx(plymouth_t) - -miscfiles_read_localization(plymouth_t) - -sysnet_read_config(plymouth_t) - -ifdef(`hide_broken_symptoms',` - optional_policy(` - hal_dontaudit_write_log(plymouth_t) - hal_dontaudit_rw_pipes(plymouth_t) - ') -') - -optional_policy(` - lvm_domtrans(plymouth_t) -') diff --git a/policy/modules/contrib/podsleuth.fc b/policy/modules/contrib/podsleuth.fc deleted file mode 100644 index c32a4f30..00000000 --- a/policy/modules/contrib/podsleuth.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) - -/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) - -/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) diff --git a/policy/modules/contrib/podsleuth.if b/policy/modules/contrib/podsleuth.if deleted file mode 100644 index a9427b4a..00000000 --- a/policy/modules/contrib/podsleuth.if +++ /dev/null @@ -1,46 +0,0 @@ -## <summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM).</summary> - -######################################## -## <summary> -## Execute a domain transition to run podsleuth. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`podsleuth_domtrans',` - gen_require(` - type podsleuth_t, podsleuth_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) -') - -######################################## -## <summary> -## Execute podsleuth in the podsleuth -## domain, and allow the specified role -## the podsleuth domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`podsleuth_run',` - gen_require(` - attribute_role podsleuth_roles; - ') - - podsleuth_domtrans($1) - roleattribute $2 podsleuth_roles; -') diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te deleted file mode 100644 index a14b3bcd..00000000 --- a/policy/modules/contrib/podsleuth.te +++ /dev/null @@ -1,97 +0,0 @@ -policy_module(podsleuth, 1.6.1) - -######################################## -# -# Declarations -# - -attribute_role podsleuth_roles; -roleattribute system_r podsleuth_roles; - -type podsleuth_t; -type podsleuth_exec_t; -application_domain(podsleuth_t, podsleuth_exec_t) -role podsleuth_roles types podsleuth_t; - -type podsleuth_cache_t; -files_type(podsleuth_cache_t) -ubac_constrained(podsleuth_cache_t) - -type podsleuth_tmp_t; -userdom_user_tmp_file(podsleuth_tmp_t) - -type podsleuth_tmpfs_t; -userdom_user_tmpfs_file(podsleuth_tmpfs_t) - -######################################## -# -# Local policy -# - -allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; -allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; -allow podsleuth_t self:fifo_file rw_fifo_file_perms; -allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; -allow podsleuth_t self:sem create_sem_perms; -allow podsleuth_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) - -allow podsleuth_t podsleuth_tmp_t:dir mounton; -manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) - -manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) -manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) -manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) -fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) - -kernel_read_system_state(podsleuth_t) -kernel_request_load_module(podsleuth_t) - -corecmd_exec_bin(podsleuth_t) - -corenet_all_recvfrom_unlabeled(podsleuth_t) -corenet_all_recvfrom_netlabel(podsleuth_t) -corenet_tcp_sendrecv_generic_if(podsleuth_t) -corenet_tcp_sendrecv_generic_node(podsleuth_t) - -corenet_sendrecv_http_client_packets(podsleuth_t) -corenet_tcp_connect_http_port(podsleuth_t) -corenet_tcp_sendrecv_http_port(podsleuth_t) - -dev_read_urand(podsleuth_t) - -files_read_etc_files(podsleuth_t) - -fs_mount_dos_fs(podsleuth_t) -fs_unmount_dos_fs(podsleuth_t) -fs_getattr_dos_fs(podsleuth_t) -fs_read_dos_files(podsleuth_t) -fs_search_dos(podsleuth_t) -fs_getattr_tmpfs(podsleuth_t) -fs_list_tmpfs(podsleuth_t) -fs_rw_removable_blk_files(podsleuth_t) - -miscfiles_read_localization(podsleuth_t) - -sysnet_dns_name_resolve(podsleuth_t) - -userdom_signal_unpriv_users(podsleuth_t) -userdom_signull_unpriv_users(podsleuth_t) -userdom_read_user_tmpfs_files(podsleuth_t) - -optional_policy(` - dbus_system_bus_client(podsleuth_t) - - optional_policy(` - hal_dbus_chat(podsleuth_t) - ') -') - -optional_policy(` - mono_exec(podsleuth_t) -') diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc deleted file mode 100644 index 1d76c728..00000000 --- a/policy/modules/contrib/policykit.fc +++ /dev/null @@ -1,23 +0,0 @@ -/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) -/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) - -/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) -/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) -/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) -/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) - -/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) -/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) -/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) -/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) - -/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) -/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) - -/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) diff --git a/policy/modules/contrib/policykit.if b/policy/modules/contrib/policykit.if deleted file mode 100644 index 032a84d1..00000000 --- a/policy/modules/contrib/policykit.if +++ /dev/null @@ -1,229 +0,0 @@ -## <summary>Policy framework for controlling privileges for system-wide services.</summary> - -######################################## -## <summary> -## Send and receive messages from -## policykit over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`policykit_dbus_chat',` - gen_require(` - type policykit_t; - class dbus send_msg; - ') - - allow $1 policykit_t:dbus send_msg; - allow policykit_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Send and receive messages from -## policykit auth over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`policykit_dbus_chat_auth',` - gen_require(` - type policykit_auth_t; - class dbus send_msg; - ') - - allow $1 policykit_auth_t:dbus send_msg; - allow policykit_auth_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Execute a domain transition to run polkit_auth. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`policykit_domtrans_auth',` - gen_require(` - type policykit_auth_t, policykit_auth_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) -') - -######################################## -## <summary> -## Execute a policy_auth in the policy -## auth domain, and allow the specified -## role the policy auth domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`policykit_run_auth',` - gen_require(` - attribute_role policykit_auth_roles; - ') - - policykit_domtrans_auth($1) - roleattribute $2 policykit_auth_roles; -') - -######################################## -## <summary> -## Execute a domain transition to run polkit grant. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`policykit_domtrans_grant',` - gen_require(` - type policykit_grant_t, policykit_grant_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) -') - -######################################## -## <summary> -## Execute a policy_grant in the policy -## grant domain, and allow the specified -## role the policy grant domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`policykit_run_grant',` - gen_require(` - attribute_role policykit_grant_roles; - ') - - policykit_domtrans_grant($1) - roleattribute $2 policykit_grant_roles; -') - -######################################## -## <summary> -## Read policykit reload files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`policykit_read_reload',` - gen_require(` - type policykit_reload_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, policykit_reload_t, policykit_reload_t) -') - -######################################## -## <summary> -## Read and write policykit reload files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`policykit_rw_reload',` - gen_require(` - type policykit_reload_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, policykit_reload_t, policykit_reload_t) -') - -######################################## -## <summary> -## Execute a domain transition to run polkit resolve. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`policykit_domtrans_resolve',` - gen_require(` - type policykit_resolve_t, policykit_resolve_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) -') - -######################################## -## <summary> -## Search policykit lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`policykit_search_lib',` - gen_require(` - type policykit_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 policykit_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read policykit lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`policykit_read_lib',` - gen_require(` - type policykit_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) -') diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te deleted file mode 100644 index 49694e8d..00000000 --- a/policy/modules/contrib/policykit.te +++ /dev/null @@ -1,271 +0,0 @@ -policy_module(policykit, 1.2.8) - -######################################## -# -# Declarations -# - -attribute policykit_domain; - -attribute_role policykit_auth_roles; -attribute_role policykit_grant_roles; - -type policykit_t, policykit_domain; -type policykit_exec_t; -init_daemon_domain(policykit_t, policykit_exec_t) - -type policykit_auth_t, policykit_domain; -type policykit_auth_exec_t; -init_daemon_domain(policykit_auth_t, policykit_auth_exec_t) -role policykit_auth_roles types policykit_auth_t; - -type policykit_grant_t, policykit_domain; -type policykit_grant_exec_t; -init_system_domain(policykit_grant_t, policykit_grant_exec_t) -role policykit_grant_roles types policykit_grant_t; - -type policykit_resolve_t, policykit_domain; -type policykit_resolve_exec_t; -init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) - -type policykit_reload_t alias polkit_reload_t; -files_type(policykit_reload_t) - -type policykit_tmp_t; -files_tmp_file(policykit_tmp_t) - -type policykit_var_lib_t alias polkit_var_lib_t; -files_type(policykit_var_lib_t) - -type policykit_var_run_t alias polkit_var_run_t; -files_pid_file(policykit_var_run_t) - -####################################### -# -# Common policykit domain local policy -# - -allow policykit_domain self:process { execmem getattr }; -allow policykit_domain self:fifo_file rw_fifo_file_perms; - -kernel_search_proc(policykit_domain) - -corecmd_exec_bin(policykit_domain) - -dev_read_sysfs(policykit_domain) - -files_read_usr_files(policykit_domain) - -logging_send_syslog_msg(policykit_domain) - -miscfiles_read_localization(policykit_domain) - -######################################## -# -# Local policy -# - -allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; -allow policykit_t self:process { getsched setsched signal }; -allow policykit_t self:unix_stream_socket { accept connectto listen }; - -rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) - -manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t) - -manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) -manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) -files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) - -can_exec(policykit_t, policykit_exec_t) - -domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t) -domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t) - -kernel_read_kernel_sysctls(policykit_t) -kernel_read_system_state(policykit_t) - -domain_read_all_domains_state(policykit_t) - -files_dontaudit_search_all_mountpoints(policykit_t) - -fs_list_inotifyfs(policykit_t) - -auth_use_nsswitch(policykit_t) - -userdom_getattr_all_users(policykit_t) -userdom_read_all_users_state(policykit_t) - -optional_policy(` - dbus_system_domain(policykit_t, policykit_exec_t) - - optional_policy(` - consolekit_dbus_chat(policykit_t) - ') - - optional_policy(` - rpm_dbus_chat(policykit_t) - ') -') - -optional_policy(` - consolekit_read_pid_files(policykit_t) -') - -optional_policy(` - gnome_read_generic_home_content(policykit_t) -') - -optional_policy(` - kerberos_manage_host_rcache(policykit_t) - kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0") -') - -######################################## -# -# Auth local policy -# - -allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice }; -dontaudit policykit_auth_t self:capability sys_tty_config; -allow policykit_auth_t self:process { getsched setsched signal }; -allow policykit_auth_t self:unix_stream_socket { accept listen }; - -ps_process_pattern(policykit_auth_t, policykit_domain) - -rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) - -manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t) -manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t) -files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir }) - -manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t) - -manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) -manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) -files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) - -can_exec(policykit_auth_t, policykit_auth_exec_t) - -kernel_read_system_state(policykit_auth_t) -kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) - -dev_read_video_dev(policykit_auth_t) - -files_read_etc_runtime_files(policykit_auth_t) -files_search_home(policykit_auth_t) - -fs_getattr_all_fs(policykit_auth_t) -fs_search_tmpfs(policykit_auth_t) - -auth_rw_var_auth(policykit_auth_t) -auth_use_nsswitch(policykit_auth_t) -auth_domtrans_chk_passwd(policykit_auth_t) - -miscfiles_read_fonts(policykit_auth_t) -miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) - -userdom_dontaudit_read_user_home_content_files(policykit_auth_t) - -optional_policy(` - dbus_system_domain(policykit_auth_t, policykit_auth_exec_t) - dbus_all_session_bus_client(policykit_auth_t) - - optional_policy(` - consolekit_dbus_chat(policykit_auth_t) - ') - - optional_policy(` - policykit_dbus_chat(policykit_auth_t) - ') -') - -optional_policy(` - hal_read_state(policykit_auth_t) -') - -optional_policy(` - kerberos_manage_host_rcache(policykit_auth_t) - kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0") -') - -optional_policy(` - xserver_stream_connect(policykit_auth_t) - xserver_read_xdm_pid(policykit_auth_t) -') - -######################################## -# -# Grant local policy -# - -allow policykit_grant_t self:capability setuid; -allow policykit_grant_t self:unix_dgram_socket create_socket_perms; -allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; - -ps_process_pattern(policykit_grant_t, policykit_domain) - -rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) - -manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t) - -manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) - -can_exec(policykit_grant_t, policykit_grant_exec_t) - -domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t) -domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t) - -auth_domtrans_chk_passwd(policykit_grant_t) -auth_use_nsswitch(policykit_grant_t) - -userdom_read_all_users_state(policykit_grant_t) - -optional_policy(` - cron_manage_system_job_lib_files(policykit_grant_t) -') - -optional_policy(` - dbus_system_bus_client(policykit_grant_t) - - optional_policy(` - consolekit_dbus_chat(policykit_grant_t) - ') -') - -######################################## -# -# Resolve local policy -# - -allow policykit_resolve_t self:capability { setuid sys_nice }; -allow policykit_resolve_t self:unix_stream_socket { accept listen }; - -ps_process_pattern(policykit_resolve_t, policykit_domain) - -read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t) - -read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t) - -can_exec(policykit_resolve_t, policykit_resolve_exec_t) - -domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t) - -mcs_ptrace_all(policykit_resolve_t) - -auth_use_nsswitch(policykit_resolve_t) - -userdom_read_all_users_state(policykit_resolve_t) - -optional_policy(` - dbus_system_bus_client(policykit_resolve_t) - - optional_policy(` - consolekit_dbus_chat(policykit_resolve_t) - ') -') - -optional_policy(` - hal_read_state(policykit_resolve_t) -') - diff --git a/policy/modules/contrib/polipo.fc b/policy/modules/contrib/polipo.fc deleted file mode 100644 index d35614b7..00000000 --- a/policy/modules/contrib/polipo.fc +++ /dev/null @@ -1,15 +0,0 @@ -HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0) -HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0) -HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0) - -/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0) - -/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0) - -/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0) - -/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0) - -/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0) - -/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0) diff --git a/policy/modules/contrib/polipo.if b/policy/modules/contrib/polipo.if deleted file mode 100644 index ae27bb7f..00000000 --- a/policy/modules/contrib/polipo.if +++ /dev/null @@ -1,144 +0,0 @@ -## <summary>Lightweight forwarding and caching proxy server.</summary> - -######################################## -## <summary> -## Role access for Polipo session. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -template(`polipo_role',` - gen_require(` - type polipo_session_t, polipo_exec_t, polipo_config_home_t; - type polipo_cache_home_t; - ') - - ######################################## - # - # Declarations - # - - role $1 types polipo_session_t; - - ######################################## - # - # Policy - # - - allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms }; - - userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden") - userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo") - userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache") - - allow $2 polipo_session_t:process { ptrace signal_perms }; - ps_process_pattern($2, polipo_session_t) - - tunable_policy(`polipo_session_users',` - domtrans_pattern($2, polipo_exec_t, polipo_session_t) - ',` - can_exec($2, polipo_exec_t) - ') -') - -######################################## -## <summary> -## Execute Polipo in the Polipo -## system domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`polipo_initrc_domtrans',` - gen_require(` - type polipo_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, polipo_initrc_exec_t) -') - -######################################## -## <summary> -## Create specified objects in generic -## log directories with the polipo -## log file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`polipo_log_filetrans_log',` - gen_require(` - type polipo_log_t; - ') - - logging_log_filetrans($1, polipo_log_t, $2, $3) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an polipo environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`polipo_admin',` - gen_require(` - type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t; - type polipo_conf_t, polipo_log_t, polipo_var_run_t; - ') - - allow $1 polipo_system_t:process { ptrace signal_perms }; - ps_process_pattern($1, polipo_system_t) - - polipo_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 polipo_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var($1) - admin_pattern($1, polipo_cache_t) - - files_search_etc($1) - admin_pattern($1, polipo_conf_t) - - logging_search_logs($1) - admin_pattern($1, polipo_log_t) - - files_search_pids($1) - admin_pattern($1, polipo_var_run_t) -') diff --git a/policy/modules/contrib/polipo.te b/policy/modules/contrib/polipo.te deleted file mode 100644 index 316d53a3..00000000 --- a/policy/modules/contrib/polipo.te +++ /dev/null @@ -1,167 +0,0 @@ -policy_module(polipo, 1.0.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether Polipo system -## daemon can access CIFS file systems. -## </p> -## </desc> -gen_tunable(polipo_system_use_cifs, false) - -## <desc> -## <p> -## Determine whether Polipo system -## daemon can access NFS file systems. -## </p> -## </desc> -gen_tunable(polipo_system_use_nfs, false) - -## <desc> -## <p> -## Determine whether calling user domains -## can execute Polipo daemon in the -## polipo_session_t domain. -## </p> -## </desc> -gen_tunable(polipo_session_users, false) - -## <desc> -## <p> -## Determine whether Polipo session daemon -## can send syslog messages. -## </p> -## </desc> -gen_tunable(polipo_session_send_syslog_msg, false) - -attribute polipo_daemon; - -type polipo_system_t, polipo_daemon; -type polipo_exec_t; -init_daemon_domain(polipo_system_t, polipo_exec_t) - -type polipo_initrc_exec_t; -init_script_file(polipo_initrc_exec_t) - -type polipo_conf_t; -files_config_file(polipo_conf_t) - -type polipo_cache_t; -files_type(polipo_cache_t) - -type polipo_log_t; -logging_log_file(polipo_log_t) - -type polipo_var_run_t; -files_pid_file(polipo_var_run_t) - -type polipo_session_t, polipo_daemon; -userdom_user_application_domain(polipo_session_t, polipo_exec_t) - -type polipo_cache_home_t; -userdom_user_home_content(polipo_cache_home_t) - -type polipo_config_home_t; -userdom_user_home_content(polipo_config_home_t) - -######################################## -# -# Session local policy -# - -allow polipo_session_t polipo_config_home_t:file read_file_perms; - -manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) -manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) -userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache") - -auth_use_nsswitch(polipo_session_t) - -userdom_use_user_terminals(polipo_session_t) - -tunable_policy(`polipo_session_send_syslog_msg',` - logging_send_syslog_msg(polipo_session_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(polipo_session_t) -',` - fs_dontaudit_read_nfs_files(polipo_session_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(polipo_session_t) -',` - fs_dontaudit_read_cifs_files(polipo_session_t) -') - -######################################## -# -# System local policy -# - -read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t) - -manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t) -manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t) -files_var_filetrans(polipo_system_t, polipo_cache_t, dir) - -append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) -create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) -setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) -logging_log_filetrans(polipo_system_t, polipo_log_t, file) - -manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t) -files_pid_filetrans(polipo_system_t, polipo_var_run_t, file) - -auth_use_nsswitch(polipo_system_t) - -logging_send_syslog_msg(polipo_system_t) - -optional_policy(` - cron_system_entry(polipo_system_t, polipo_exec_t) -') - -tunable_policy(`polipo_system_use_cifs',` - fs_manage_cifs_files(polipo_system_t) -',` - fs_dontaudit_read_cifs_files(polipo_system_t) -') - -tunable_policy(`polipo_system_use_nfs',` - fs_manage_nfs_files(polipo_system_t) -',` - fs_dontaudit_read_nfs_files(polipo_system_t) -') - -######################################## -# -# Polipo global local policy -# - -allow polipo_daemon self:fifo_file rw_fifo_file_perms; -allow polipo_daemon self:tcp_socket { listen accept }; - -corenet_all_recvfrom_unlabeled(polipo_daemon) -corenet_all_recvfrom_netlabel(polipo_daemon) -corenet_tcp_sendrecv_generic_if(polipo_daemon) -corenet_tcp_sendrecv_generic_node(polipo_daemon) -corenet_tcp_bind_generic_node(polipo_daemon) - -corenet_sendrecv_http_client_packets(polipo_daemon) -corenet_tcp_sendrecv_http_port(polipo_daemon) -corenet_tcp_connect_http_port(polipo_daemon) - -corenet_sendrecv_http_cache_server_packets(polipo_daemon) -corenet_tcp_sendrecv_http_cache_port(polipo_daemon) -corenet_tcp_bind_http_cache_port(polipo_daemon) - -files_read_usr_files(polipo_daemon) - -fs_search_auto_mountpoints(polipo_daemon) - -miscfiles_read_localization(polipo_daemon) diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc deleted file mode 100644 index 8584af44..00000000 --- a/policy/modules/contrib/portage.fc +++ /dev/null @@ -1,40 +0,0 @@ -/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0) -/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0) -/etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0) -/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0) -/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0) - -/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0) -/usr/bin/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) -/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) - -/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) -/usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) - -/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) -/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) -/usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) -/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) -/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) - -/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) -/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) -/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0) -/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0) -/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) -/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) -/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) -/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) -/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) -/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) -/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) - -ifdef(`distro_gentoo',` -/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0) -') diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if deleted file mode 100644 index 06655e11..00000000 --- a/policy/modules/contrib/portage.if +++ /dev/null @@ -1,445 +0,0 @@ -## <summary>Package Management System.</summary> - -######################################## -## <summary> -## Execute emerge in the portage domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`portage_domtrans',` - gen_require(` - type portage_t, portage_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portage_exec_t, portage_t) -') - -######################################## -## <summary> -## Execute emerge in the portage domain, -## and allow the specified role the -## portage domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`portage_run',` - gen_require(` - attribute_role portage_roles; - ') - - portage_domtrans($1) - roleattribute $2 portage_roles; -') - -######################################## -## <summary> -## Template for portage sandbox. -## </summary> -## <desc> -## <p> -## Template for portage sandbox. Portage -## does all compiling in the sandbox. -## </p> -## </desc> -## <param name="domain"> -## <summary> -## Domain Allowed Access -## </summary> -## </param> -# -interface(`portage_compile_domain',` - gen_require(` - class dbus send_msg; - type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; - type portage_tmpfs_t; - ') - - allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; - dontaudit $1 self:capability sys_chroot; - allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate }; - allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; - allow $1 self:fd use; - allow $1 self:fifo_file rw_fifo_file_perms; - allow $1 self:shm create_shm_perms; - allow $1 self:sem create_sem_perms; - allow $1 self:msgq create_msgq_perms; - allow $1 self:msg { send receive }; - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 self:unix_stream_socket create_stream_socket_perms; - allow $1 self:unix_dgram_socket sendto; - allow $1 self:unix_stream_socket connectto; - # really shouldnt need this - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - # misc networking stuff (esp needed for compiling perl): - allow $1 self:rawip_socket { create ioctl }; - # needed for merging dbus: - allow $1 self:netlink_selinux_socket { bind create read }; - allow $1 self:dbus send_msg; - - allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - term_create_pty($1, portage_devpts_t) - - # write compile logs - allow $1 portage_log_t:dir setattr_dir_perms; - allow $1 portage_log_t:file { write_file_perms setattr_file_perms }; - - # Support live ebuilds (-9999) - manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - - # run scripts out of the build directory - can_exec(portage_sandbox_t, portage_tmp_t) - - manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t) - manage_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t) - files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file }) - # SELinux-enabled programs running in the sandbox - allow $1 portage_tmp_t:file relabel_file_perms; - - manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - kernel_read_system_state($1) - kernel_read_network_state($1) - kernel_read_software_raid_state($1) - kernel_getattr_core_if($1) - kernel_getattr_message_if($1) - kernel_read_kernel_sysctls($1) - - corecmd_exec_all_executables($1) - - # really shouldnt need this but some packages test - # network access, such as during configure - # also distcc--need to reinvestigate confining distcc client - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_raw_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_raw_sendrecv_generic_node($1) - corenet_tcp_sendrecv_all_ports($1) - corenet_udp_sendrecv_all_ports($1) - corenet_tcp_connect_all_reserved_ports($1) - corenet_tcp_connect_distccd_port($1) - corenet_tcp_connect_git_port($1) - - dev_read_sysfs($1) - dev_read_rand($1) - dev_read_urand($1) - - domain_use_interactive_fds($1) - domain_dontaudit_read_all_domains_state($1) - # SELinux-aware installs doing relabels in the sandbox - domain_obj_id_change_exemption($1) - - files_exec_etc_files($1) - files_exec_usr_src_files($1) - - fs_getattr_xattr_fs($1) - fs_list_noxattr_fs($1) - fs_read_noxattr_fs_files($1) - fs_read_noxattr_fs_symlinks($1) - fs_search_auto_mountpoints($1) - - selinux_validate_context($1) - # needed for merging dbus: - selinux_compute_access_vector($1) - - files_list_non_auth_dirs($1) - files_read_non_auth_files($1) - files_read_non_auth_symlinks($1) - - libs_exec_lib_files($1) - # some config scripts use ldd - libs_exec_ld_so($1) - libs_exec_ldconfig($1) - - logging_send_syslog_msg($1) - - userdom_use_user_terminals($1) - - # SELinux-enabled programs running in the sandbox - seutil_libselinux_linked($1) - - tunable_policy(`portage_use_nfs',` - fs_getattr_nfs($1) - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - ifdef(`TODO',` - # some gui ebuilds want to interact with X server, like xawtv - optional_policy(` - allow $1 xdm_xserver_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms }; - allow $1 xdm_xserver_tmp_t:sock_file { create_file_perms delete_file_perms write_file_perms }; - ') - ') dnl end TODO -') - -######################################## -## <summary> -## Execute tree management functions -## (fetching, layman, ...) in the -## portage fetch domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`portage_domtrans_fetch',` - gen_require(` - type portage_fetch_t, portage_fetch_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t) -') - -######################################## -## <summary> -## Execute tree management functions -## (fetching, layman, ...) in the -## portage fetch domain, and allow -## the specified role the portage -## fetch domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`portage_run_fetch',` - gen_require(` - attribute_role portage_fetch_roles; - ') - - portage_domtrans_fetch($1) - roleattribute $2 portage_fetch_roles; -') - -######################################## -## <summary> -## Execute gcc-config in the gcc config domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`portage_domtrans_gcc_config',` - gen_require(` - type gcc_config_t, gcc_config_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gcc_config_exec_t, gcc_config_t) -') - -######################################## -## <summary> -## Execute gcc-config in the gcc config -## domain, and allow the specified role -## the gcc_config domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`portage_run_gcc_config',` - gen_require(` - attribute_role gcc_config_roles; - ') - - portage_domtrans_gcc_config($1) - roleattribute $2 gcc_config_roles; -') - -######################################## -## <summary> -## Do not audit attempts to use -## portage file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`portage_dontaudit_use_fds',` - gen_require(` - type portage_t; - ') - - dontaudit $1 portage_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to search the -## portage temporary directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`portage_dontaudit_search_tmp',` - gen_require(` - type portage_tmp_t; - ') - - dontaudit $1 portage_tmp_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read and write -## the portage temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`portage_dontaudit_rw_tmp_files',` - gen_require(` - type portage_tmp_t; - ') - - dontaudit $1 portage_tmp_t:file rw_file_perms; -') - -######################################## -## <summary> -## Allow the domain to run within an eselect module script. -## </summary> -## <param name="domain"> -## <summary> -## Domain to allow within an eselect module -## </summary> -## </param> -# Specific to Gentoo, -# eselect modules allow users to switch between different flavors or versions -# of underlying components. In return, eselect makes a wrapper binary which -# makes the proper selections. If this binary is different from bin_t, it might -# not hold the necessary privileges for the wrapper to function. However, just -# marking the target binaries doesn't always work, since for python scripts the -# wrapper doesn't execute it, but treats the target as a library. -# -interface(`portage_eselect_module',` - gen_require(` - attribute portage_eselect_domain; - ') - - typeattribute $1 portage_eselect_domain; -') - -######################################## -## <summary> -## Read portage cache files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`portage_read_cache',` - gen_require(` - type portage_cache_t; - ') - - files_search_var($1) - list_dirs_pattern($1, portage_cache_t, portage_cache_t) - read_files_pattern($1, portage_cache_t, portage_cache_t) - read_lnk_files_pattern($1, portage_cache_t, portage_cache_t) -') - -######################################## -## <summary> -## Read portage configuration files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`portage_read_config',` - gen_require(` - type portage_conf_t; - ') - - files_search_etc($1) - list_dirs_pattern($1, portage_conf_t, portage_conf_t) - read_files_pattern($1, portage_conf_t, portage_conf_t) - read_lnk_files_pattern($1, portage_conf_t, portage_conf_t) -') - -######################################## -## <summary> -## Read portage ebuild files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`portage_read_ebuild',` - gen_require(` - type portage_ebuild_t; - ') - - files_search_usr($1) - list_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t) - read_files_pattern($1, portage_ebuild_t, portage_ebuild_t) - read_lnk_files_pattern($1, portage_ebuild_t, portage_ebuild_t) -') - diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te deleted file mode 100644 index 15c709f9..00000000 --- a/policy/modules/contrib/portage.te +++ /dev/null @@ -1,408 +0,0 @@ -policy_module(portage, 1.13.7) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether portage can -## use nfs filesystems. -## </p> -## </desc> -gen_tunable(portage_use_nfs, false) - -attribute_role gcc_config_roles; -attribute_role portage_roles; -attribute_role portage_fetch_roles; - -type gcc_config_t; -type gcc_config_exec_t; -application_domain(gcc_config_t, gcc_config_exec_t) -role gcc_config_roles types gcc_config_t; - -# constraining type -type portage_t; -type portage_exec_t; -application_domain(portage_t, portage_exec_t) -domain_obj_id_change_exemption(portage_t) -rsync_entry_type(portage_t) -corecmd_shell_entry_type(portage_t) -role portage_roles types portage_t; - -# portage compile sandbox domain -type portage_sandbox_t; -application_domain(portage_sandbox_t, portage_exec_t) -# the shell is the entrypoint if regular sandbox is disabled -# portage_exec_t is the entrypoint if regular sandbox is enabled -corecmd_shell_entry_type(portage_sandbox_t) -role portage_roles types portage_sandbox_t; - -# portage package fetching domain -type portage_fetch_t; -type portage_fetch_exec_t; -application_domain(portage_fetch_t, portage_fetch_exec_t) -corecmd_shell_entry_type(portage_fetch_t) -rsync_entry_type(portage_fetch_t) -role portage_fetch_roles types portage_fetch_t; - -type portage_devpts_t; -term_pty(portage_devpts_t) - -type portage_ebuild_t; -files_mountpoint(portage_ebuild_t) - -type portage_fetch_tmp_t; -files_tmp_file(portage_fetch_tmp_t) - -type portage_db_t; -files_type(portage_db_t) - -type portage_conf_t; -files_type(portage_conf_t) - -type portage_cache_t; -files_type(portage_cache_t) - -type portage_gpg_t; -files_type(portage_gpg_t) - -type portage_log_t; -logging_log_file(portage_log_t) - -type portage_srcrepo_t; -files_type(portage_srcrepo_t) - -type portage_tmp_t; -files_tmp_file(portage_tmp_t) - -type portage_tmpfs_t; -files_tmpfs_file(portage_tmpfs_t) - -######################################## -# -# gcc-config policy -# - -allow gcc_config_t self:capability { chown fsetid }; -allow gcc_config_t self:fifo_file rw_fifo_file_perms; - -manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t) - -read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t) - -allow gcc_config_t portage_ebuild_t:dir list_dir_perms; -read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t) - -allow gcc_config_t portage_exec_t:file mmap_file_perms; - -kernel_read_system_state(gcc_config_t) -kernel_read_kernel_sysctls(gcc_config_t) - -corecmd_exec_shell(gcc_config_t) -corecmd_exec_bin(gcc_config_t) -corecmd_manage_bin_files(gcc_config_t) - -domain_use_interactive_fds(gcc_config_t) - -files_manage_etc_files(gcc_config_t) -files_rw_etc_runtime_files(gcc_config_t) -files_read_usr_files(gcc_config_t) -files_search_var_lib(gcc_config_t) -files_search_pids(gcc_config_t) -# complains loudly about not being able to list -# the directory it is being run from -files_list_all(gcc_config_t) - -# seems to be ok without this -init_dontaudit_read_script_status_files(gcc_config_t) - -libs_read_lib_files(gcc_config_t) -libs_run_ldconfig(gcc_config_t, portage_roles) -libs_manage_shared_libs(gcc_config_t) -# gcc-config creates a temp dir for the libs -libs_manage_lib_dirs(gcc_config_t) - -logging_send_syslog_msg(gcc_config_t) - -miscfiles_read_localization(gcc_config_t) - -userdom_use_user_terminals(gcc_config_t) - -consoletype_exec(gcc_config_t) - -ifdef(`distro_gentoo',` - init_exec_rc(gcc_config_t) -') - -tunable_policy(`portage_use_nfs',` - fs_read_nfs_files(gcc_config_t) -') - -optional_policy(` - seutil_use_newrole_fds(gcc_config_t) -') - -######################################## -# -# Portage Merging Rules -# - -# - setfscreate for merging to live fs -allow portage_t self:process { setfscreate }; -# - kill for mysql merging, at least -allow portage_t self:capability { sys_nice kill setfcap }; -dontaudit portage_t self:capability { dac_read_search }; -dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms; - -# user post-sync scripts -can_exec(portage_t, portage_conf_t) - -allow portage_t portage_log_t:file manage_file_perms; -logging_log_filetrans(portage_t, portage_log_t, file) - -allow portage_t { portage_fetch_t portage_sandbox_t }:process signal; - -# transition for rsync and wget -corecmd_shell_spec_domtrans(portage_t, portage_fetch_t) -rsync_entry_domtrans(portage_t, portage_fetch_t) -allow portage_fetch_t portage_t:fd use; -allow portage_fetch_t portage_t:fifo_file rw_fifo_file_perms; -allow portage_fetch_t portage_t:process sigchld; -dontaudit portage_fetch_t portage_devpts_t:chr_file { read write }; - -# transition to sandbox for compiling -spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t) -corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) - -# run scripts out of the build directory -can_exec(portage_t, portage_tmp_t) - -kernel_dontaudit_request_load_module(portage_t) -# merging baselayout will need this: -kernel_write_proc_files(portage_t) - -domain_dontaudit_read_all_domains_state(portage_t) - -# modify any files in the system -files_manage_all_files(portage_t) - -selinux_get_fs_mount(portage_t) - -auth_manage_shadow(portage_t) - -# merging baselayout will need this: -init_exec(portage_t) - -# run setfiles -r -seutil_run_setfiles(portage_t, portage_roles) -# run semodule -seutil_run_semanage(portage_t, portage_roles) - -portage_run_gcc_config(portage_t, portage_roles) -# if sesandbox is disabled, compiling is performed in this domain -portage_compile_domain(portage_t) - -optional_policy(` - bootloader_run(portage_t, portage_roles) -') - -optional_policy(` - cron_system_entry(portage_t, portage_exec_t) - cron_system_entry(portage_fetch_t, portage_fetch_exec_t) -') - -optional_policy(` - modutils_run_depmod(portage_t, portage_roles) - modutils_run_update_mods(portage_t, portage_roles) - #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; -') - -optional_policy(` - usermanage_run_groupadd(portage_t, portage_roles) - usermanage_run_useradd(portage_t, portage_roles) -') - -ifdef(`TODO',` -# seems to work ok without these -dontaudit portage_t device_t:{ blk_file chr_file } getattr; -dontaudit portage_t proc_t:dir setattr_dir_perms; -dontaudit portage_t device_type:chr_file read_chr_file_perms; -dontaudit portage_t device_type:blk_file read_blk_file_perms; -') - -########################################## -# -# Portage fetch domain -# - for rsync and distfile fetching -# - -allow portage_fetch_t self:process signal; -allow portage_fetch_t self:capability { dac_override fowner fsetid chown }; -allow portage_fetch_t self:fifo_file rw_fifo_file_perms; -allow portage_fetch_t self:tcp_socket { accept listen }; -allow portage_fetch_t self:unix_stream_socket create_socket_perms; - -allow portage_fetch_t portage_conf_t:dir list_dir_perms; - -allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - -allow portage_fetch_t portage_gpg_t:dir rw_dir_perms; -allow portage_fetch_t portage_gpg_t:file manage_file_perms; - -allow portage_fetch_t portage_tmp_t:dir manage_dir_perms; -allow portage_fetch_t portage_tmp_t:file manage_file_perms; - -read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t) - -manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) -manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) - -manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) -manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) -files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir }) - -kernel_read_system_state(portage_fetch_t) -kernel_read_kernel_sysctls(portage_fetch_t) - -corecmd_exec_bin(portage_fetch_t) -corecmd_exec_shell(portage_fetch_t) - -corenet_all_recvfrom_unlabeled(portage_fetch_t) -corenet_all_recvfrom_netlabel(portage_fetch_t) -corenet_tcp_sendrecv_generic_if(portage_fetch_t) -corenet_tcp_sendrecv_generic_node(portage_fetch_t) -corenet_tcp_sendrecv_all_ports(portage_fetch_t) -corenet_tcp_connect_http_cache_port(portage_fetch_t) -corenet_tcp_connect_git_port(portage_fetch_t) -corenet_tcp_connect_rsync_port(portage_fetch_t) -corenet_sendrecv_http_client_packets(portage_fetch_t) -corenet_sendrecv_http_cache_client_packets(portage_fetch_t) -corenet_sendrecv_git_client_packets(portage_fetch_t) -corenet_sendrecv_rsync_client_packets(portage_fetch_t) -# would rather not connect to unspecified ports, but -# it occasionally comes up -corenet_tcp_connect_all_reserved_ports(portage_fetch_t) -corenet_tcp_connect_generic_port(portage_fetch_t) - -dev_dontaudit_read_rand(portage_fetch_t) - -domain_use_interactive_fds(portage_fetch_t) - -files_read_etc_runtime_files(portage_fetch_t) -files_read_usr_files(portage_fetch_t) -files_dontaudit_search_pids(portage_fetch_t) - -fs_search_auto_mountpoints(portage_fetch_t) - -logging_list_logs(portage_fetch_t) -logging_dontaudit_search_logs(portage_fetch_t) - -term_search_ptys(portage_fetch_t) - -auth_use_nsswitch(portage_fetch_t) - -miscfiles_read_generic_certs(portage_fetch_t) -miscfiles_read_localization(portage_fetch_t) - -userdom_use_user_terminals(portage_fetch_t) -userdom_dontaudit_read_user_home_content_files(portage_fetch_t) - -rsync_exec(portage_fetch_t) - -ifdef(`hide_broken_symptoms',` - dontaudit portage_fetch_t portage_cache_t:file read; -') - -tunable_policy(`portage_use_nfs',` - fs_getattr_nfs(portage_fetch_t) - fs_manage_nfs_dirs(portage_fetch_t) - fs_manage_nfs_files(portage_fetch_t) - fs_manage_nfs_symlinks(portage_fetch_t) -') - -optional_policy(` - gpg_exec(portage_fetch_t) -') - -########################################## -# -# Portage sandbox domain -# - SELinux-enforced sandbox -# - -allow portage_sandbox_t self:process ptrace; -dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms; - -allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms }; -logging_log_filetrans(portage_sandbox_t, portage_log_t, file) - -portage_compile_domain(portage_sandbox_t) - -auth_use_nsswitch(portage_sandbox_t) - -ifdef(`hide_broken_symptoms',` - # leaked descriptors - dontaudit portage_sandbox_t portage_cache_t:dir { setattr_dir_perms }; - dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write }; -') - -ifdef(`distro_gentoo',` - allow portage_t self:capability2 block_suspend; - - ########################################## - # - # Type declarations - # - - type gcc_config_tmp_t; - files_tmp_file(gcc_config_tmp_t) - - # Assigned to domains that are managed by eselect - attribute portage_eselect_domain; - - ########################################## - # - # Portage fetch local policy - # - - dev_rw_autofs(portage_fetch_t) - - ########################################## - # - # GCC config local policy - # - - allow gcc_config_t gcc_config_tmp_t:file manage_file_perms; - files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file) - - - files_manage_etc_runtime_files(gcc_config_t) - files_manage_etc_runtime_lnk_files(gcc_config_t) - - ########################################## - # - # Portage local policy - # - - libs_generic_etc_filetrans_ld_so_cache(portage_t, file, "ld.so.cache~") - - ########################################## - # - # Portage sandbox local policy - # - - rw_dirs_pattern(portage_sandbox_t, portage_log_t, portage_log_t) - - ########################################## - # - # Portage eselect module domain - # - - allow portage_eselect_domain self:fifo_file { read write }; - - corecmd_exec_shell(portage_eselect_domain) - - files_manage_etc_runtime_files(portage_eselect_domain) -') diff --git a/policy/modules/contrib/portmap.fc b/policy/modules/contrib/portmap.fc deleted file mode 100644 index cd45831c..00000000 --- a/policy/modules/contrib/portmap.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/portmap -- gen_context(system_u:object_r:portmap_initrc_exec_t,s0) - -/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) - -/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) - -/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) -/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0) diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if deleted file mode 100644 index 9f982b56..00000000 --- a/policy/modules/contrib/portmap.if +++ /dev/null @@ -1,129 +0,0 @@ -## <summary>RPC port mapping service.</summary> - -######################################## -## <summary> -## Execute portmap helper in the helper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`portmap_domtrans_helper',` - gen_require(` - type portmap_helper_t, portmap_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t) -') - -######################################## -## <summary> -## Execute portmap helper in the helper -## domain, and allow the specified role -## the helper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`portmap_run_helper',` - gen_require(` - attribute_role portmap_helper_roles; - ') - - portmap_domtrans_helper($1) - roleattribute $2 portmap_helper_roles; -') - -######################################## -## <summary> -## Send UDP network traffic to portmap. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`portmap_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Send and receive UDP network traffic from portmap. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`portmap_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Connect to portmap over a TCP socket (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`portmap_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an portmap environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`portmap_admin',` - gen_require(` - type portmap_t, portmap_initrc_exec_t, portmap_helper_t; - type portmap_var_run_t, portmap_tmp_t; - ') - - allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { portmap_t portmap_helper_t }) - - init_labeled_script_domtrans($1, portmap_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 portmap_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, portmap_var_run_t) - - files_search_tmp($1) - admin_pattern($1, portmap_tmp_t) - - portmap_run_helper($1, $2) -') diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te deleted file mode 100644 index 738c13b2..00000000 --- a/policy/modules/contrib/portmap.te +++ /dev/null @@ -1,142 +0,0 @@ -policy_module(portmap, 1.10.1) - -######################################## -# -# Declarations -# - -attribute_role portmap_helper_roles; - -type portmap_t; -type portmap_exec_t; -init_daemon_domain(portmap_t, portmap_exec_t) - -type portmap_helper_t; -type portmap_helper_exec_t; -init_system_domain(portmap_helper_t, portmap_helper_exec_t) -role portmap_helper_roles types portmap_helper_t; - -type portmap_initrc_exec_t; -init_script_file(portmap_initrc_exec_t) - -type portmap_tmp_t; -files_tmp_file(portmap_tmp_t) - -type portmap_var_run_t; -files_pid_file(portmap_var_run_t) - -######################################## -# -# Local policy -# - -allow portmap_t self:capability { setuid setgid }; -dontaudit portmap_t self:capability sys_tty_config; -allow portmap_t self:unix_stream_socket { accept listen }; -allow portmap_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t) -manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t) -files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir }) - -manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t) -files_pid_filetrans(portmap_t, portmap_var_run_t, file) - -kernel_read_system_state(portmap_t) -kernel_read_kernel_sysctls(portmap_t) - -corenet_all_recvfrom_unlabeled(portmap_t) -corenet_all_recvfrom_netlabel(portmap_t) -corenet_tcp_sendrecv_generic_if(portmap_t) -corenet_udp_sendrecv_generic_if(portmap_t) -corenet_tcp_sendrecv_generic_node(portmap_t) -corenet_udp_sendrecv_generic_node(portmap_t) -corenet_tcp_sendrecv_all_ports(portmap_t) -corenet_udp_sendrecv_all_ports(portmap_t) -corenet_tcp_bind_generic_node(portmap_t) -corenet_udp_bind_generic_node(portmap_t) - -corenet_sendrecv_all_client_packets(portmap_t) -corenet_sendrecv_all_server_packets(portmap_t) - -corenet_tcp_bind_portmap_port(portmap_t) -corenet_udp_bind_portmap_port(portmap_t) - -corenet_tcp_connect_all_ports(portmap_t) - -corenet_tcp_bind_generic_port(portmap_t) -corenet_udp_bind_generic_port(portmap_t) - -corenet_tcp_bind_reserved_port(portmap_t) -corenet_udp_bind_reserved_port(portmap_t) - -corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t) -corenet_dontaudit_udp_bind_all_ports(portmap_t) - -dev_read_sysfs(portmap_t) - -fs_getattr_all_fs(portmap_t) -fs_search_auto_mountpoints(portmap_t) - -domain_use_interactive_fds(portmap_t) - -logging_send_syslog_msg(portmap_t) - -miscfiles_read_localization(portmap_t) - -userdom_dontaudit_use_unpriv_user_fds(portmap_t) -userdom_dontaudit_search_user_home_dirs(portmap_t) - -optional_policy(` - seutil_sigchld_newrole(portmap_t) -') - -optional_policy(` - udev_read_db(portmap_t) -') - -######################################## -# -# Helper local policy -# - -dontaudit portmap_helper_t self:capability net_admin; -allow portmap_helper_t self:tcp_socket { accept listen }; - -allow portmap_helper_t portmap_var_run_t:file manage_file_perms; -files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file) - -corenet_all_recvfrom_unlabeled(portmap_helper_t) -corenet_all_recvfrom_netlabel(portmap_helper_t) -corenet_tcp_sendrecv_generic_if(portmap_helper_t) -corenet_udp_sendrecv_generic_if(portmap_helper_t) -corenet_tcp_sendrecv_generic_node(portmap_helper_t) -corenet_udp_sendrecv_generic_node(portmap_helper_t) -corenet_tcp_sendrecv_all_ports(portmap_helper_t) -corenet_udp_sendrecv_all_ports(portmap_helper_t) -corenet_tcp_bind_generic_node(portmap_helper_t) -corenet_udp_bind_generic_node(portmap_helper_t) - -corenet_sendrecv_all_client_packets(portmap_helper_t) -corenet_sendrecv_all_server_packets(portmap_helper_t) - -corenet_tcp_bind_reserved_port(portmap_helper_t) -corenet_udp_bind_reserved_port(portmap_helper_t) - -corenet_tcp_connect_all_ports(portmap_helper_t) - -corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t) -corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t) - -domain_dontaudit_use_interactive_fds(portmap_helper_t) - -files_rw_generic_pids(portmap_helper_t) - -auth_use_nsswitch(portmap_helper_t) - -init_rw_utmp(portmap_helper_t) - -logging_send_syslog_msg(portmap_helper_t) - -userdom_use_user_terminals(portmap_helper_t) -userdom_dontaudit_use_all_users_fds(portmap_helper_t) diff --git a/policy/modules/contrib/portreserve.fc b/policy/modules/contrib/portreserve.fc deleted file mode 100644 index 1b2b4f90..00000000 --- a/policy/modules/contrib/portreserve.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) - -/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) - -/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) - -/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) - -/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) diff --git a/policy/modules/contrib/portreserve.if b/policy/modules/contrib/portreserve.if deleted file mode 100644 index 5ad52915..00000000 --- a/policy/modules/contrib/portreserve.if +++ /dev/null @@ -1,121 +0,0 @@ -## <summary>Reserve well-known ports in the RPC port range.</summary> - -######################################## -## <summary> -## Execute a domain transition to run portreserve. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`portreserve_domtrans',` - gen_require(` - type portreserve_t, portreserve_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portreserve_exec_t, portreserve_t) -') - -####################################### -## <summary> -## Read portreserve configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`portreserve_read_config',` - gen_require(` - type portreserve_etc_t; - ') - - files_search_etc($1) - allow $1 portreserve_etc_t:dir list_dir_perms; - allow $1 portreserve_etc_t:file read_file_perms; - allow $1 portreserve_etc_t:lnk_file read_lnk_file_perms; -') - -####################################### -## <summary> -## Create, read, write, and delete -## portreserve configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`portreserve_manage_config',` - gen_require(` - type portreserve_etc_t; - ') - - files_search_etc($1) - allow $1 portreserve_etc_t:dir manage_dir_perms; - allow $1 portreserve_etc_t:file manage_file_perms; - allow $1 portreserve_etc_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Execute portreserve init scripts in -## the init script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`portreserve_initrc_domtrans',` - gen_require(` - type portreserve_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, portreserve_initrc_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an portreserve environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`portreserve_admin',` - gen_require(` - type portreserve_t, portreserve_etc_t, portreserve_var_run_t; - type portreserve_initrc_exec_t; - ') - - allow $1 portreserve_t:process { ptrace signal_perms }; - ps_process_pattern($1, portreserve_t) - - portreserve_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 portreserve_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, portreserve_etc_t) - - files_list_pids($1) - admin_pattern($1, portreserve_var_run_t) -') diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te deleted file mode 100644 index a38b57a2..00000000 --- a/policy/modules/contrib/portreserve.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(portreserve, 1.3.1) - -######################################## -# -# Declarations -# - -type portreserve_t; -type portreserve_exec_t; -init_daemon_domain(portreserve_t, portreserve_exec_t) - -type portreserve_initrc_exec_t; -init_script_file(portreserve_initrc_exec_t) - -type portreserve_etc_t; -files_config_file(portreserve_etc_t) - -type portreserve_var_run_t; -files_pid_file(portreserve_var_run_t) - -######################################## -# -# Local policy -# - -allow portreserve_t self:capability { dac_read_search dac_override }; -allow portreserve_t self:fifo_file rw_fifo_file_perms; -allow portreserve_t self:unix_stream_socket create_stream_socket_perms; -allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; -allow portreserve_t self:tcp_socket create_socket_perms; -allow portreserve_t self:udp_socket create_socket_perms; - -allow portreserve_t portreserve_etc_t:dir list_dir_perms; -allow portreserve_t portreserve_etc_t:file read_file_perms; -allow portreserve_t portreserve_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }) - -corecmd_getattr_bin_files(portreserve_t) - -corenet_all_recvfrom_unlabeled(portreserve_t) -corenet_all_recvfrom_netlabel(portreserve_t) -corenet_tcp_sendrecv_generic_if(portreserve_t) -corenet_udp_sendrecv_generic_if(portreserve_t) -corenet_tcp_sendrecv_generic_node(portreserve_t) -corenet_udp_sendrecv_generic_node(portreserve_t) -corenet_tcp_sendrecv_all_ports(portreserve_t) -corenet_udp_sendrecv_all_ports(portreserve_t) -corenet_tcp_bind_generic_node(portreserve_t) -corenet_udp_bind_generic_node(portreserve_t) - -corenet_sendrecv_all_server_packets(portreserve_t) -corenet_tcp_bind_all_ports(portreserve_t) -corenet_udp_bind_all_ports(portreserve_t) - -files_read_etc_files(portreserve_t) - -userdom_dontaudit_search_user_home_content(portreserve_t) diff --git a/policy/modules/contrib/portslave.fc b/policy/modules/contrib/portslave.fc deleted file mode 100644 index 22ca4a50..00000000 --- a/policy/modules/contrib/portslave.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0) - -/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0) -/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0) - -/var/lock/subsys/portslave -- gen_context(system_u:object_r:portslave_lock_t,s0) diff --git a/policy/modules/contrib/portslave.if b/policy/modules/contrib/portslave.if deleted file mode 100644 index c2919e26..00000000 --- a/policy/modules/contrib/portslave.if +++ /dev/null @@ -1,20 +0,0 @@ -## <summary>Portslave terminal server software.</summary> - -######################################## -## <summary> -## Execute portslave with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`portslave_domtrans',` - gen_require(` - type portslave_t, portslave_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portslave_exec_t, portslave_t) -') diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te deleted file mode 100644 index e85e33dd..00000000 --- a/policy/modules/contrib/portslave.te +++ /dev/null @@ -1,112 +0,0 @@ -policy_module(portslave, 1.7.2) - -######################################## -# -# Declarations -# - -type portslave_t; -type portslave_exec_t; -init_domain(portslave_t, portslave_exec_t) -init_daemon_domain(portslave_t, portslave_exec_t) - -type portslave_etc_t; -files_config_file(portslave_etc_t) - -type portslave_lock_t; -files_lock_file(portslave_lock_t) - -######################################## -# -# Local policy -# - -allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config }; -dontaudit portslave_t self:capability sys_admin; -allow portslave_t self:process signal_perms; -allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow portslave_t self:fd use; -allow portslave_t self:fifo_file rw_fifo_file_perms; -allow portslave_t self:unix_dgram_socket sendto; -allow portslave_t self:unix_stream_socket { accept connectto listen }; -allow portslave_t self:shm create_shm_perms; -allow portslave_t self:sem create_sem_perms; -allow portslave_t self:msgq create_msgq_perms; -allow portslave_t self:msg { send receive }; -allow portslave_t self:tcp_socket { accept listen }; - -allow portslave_t portslave_etc_t:dir list_dir_perms; -allow portslave_t portslave_etc_t:file read_file_perms; -allow portslave_t portslave_etc_t:lnk_file read_lnk_file_perms; - -allow portslave_t portslave_lock_t:file manage_file_perms; -files_lock_filetrans(portslave_t, portslave_lock_t, file) - -kernel_read_system_state(portslave_t) -kernel_read_kernel_sysctls(portslave_t) - -corecmd_exec_bin(portslave_t) -corecmd_exec_shell(portslave_t) - -corenet_all_recvfrom_unlabeled(portslave_t) -corenet_all_recvfrom_netlabel(portslave_t) -corenet_tcp_sendrecv_generic_if(portslave_t) -corenet_udp_sendrecv_generic_if(portslave_t) -corenet_tcp_sendrecv_generic_node(portslave_t) -corenet_udp_sendrecv_generic_node(portslave_t) -corenet_tcp_sendrecv_all_ports(portslave_t) -corenet_udp_sendrecv_all_ports(portslave_t) - -corenet_rw_ppp_dev(portslave_t) - -dev_read_sysfs(portslave_t) -dev_read_urand(portslave_t) - -domain_use_interactive_fds(portslave_t) - -files_read_etc_runtime_files(portslave_t) -files_exec_etc_files(portslave_t) - -fs_search_auto_mountpoints(portslave_t) -fs_getattr_xattr_fs(portslave_t) - -term_use_unallocated_ttys(portslave_t) -term_setattr_unallocated_ttys(portslave_t) -term_use_all_ttys(portslave_t) -term_search_ptys(portslave_t) - -auth_domtrans_chk_passwd(portslave_t) -auth_rw_login_records(portslave_t) -auth_use_nsswitch(portslave_t) - -init_rw_utmp(portslave_t) - -logging_send_syslog_msg(portslave_t) -logging_search_logs(portslave_t) - -userdom_use_unpriv_users_fds(portslave_t) - -ppp_read_home_files(portslave_t) -ppp_read_rw_config(portslave_t) -ppp_exec(portslave_t) -ppp_read_secrets(portslave_t) -ppp_manage_pid_files(portslave_t) -ppp_pid_filetrans(portslave_t, file) - -ssh_exec(portslave_t) - -optional_policy(` - inetd_tcp_service_domain(portslave_t, portslave_exec_t) -') - -optional_policy(` - mta_send_mail(portslave_t) -') - -optional_policy(` - seutil_sigchld_newrole(portslave_t) -') - -optional_policy(` - udev_read_db(portslave_t) -') diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc deleted file mode 100644 index c0e87853..00000000 --- a/policy/modules/contrib/postfix.fc +++ /dev/null @@ -1,57 +0,0 @@ -/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) -/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) - -/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) - -/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) -/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) -/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) -/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) -/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) -/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) - -/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) -/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) -/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) -/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) -/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) -/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) -/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) - -/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) -/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0) -/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) -/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - -/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) - -/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) -/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0) -/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) -/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) -/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) -/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if deleted file mode 100644 index 6e26d71a..00000000 --- a/policy/modules/contrib/postfix.if +++ /dev/null @@ -1,757 +0,0 @@ -## <summary>Postfix email server.</summary> - -######################################## -## <summary> -## Postfix stub interface. No access allowed. -## </summary> -## <param name="domain" unused="true"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_stub',` - gen_require(` - type postfix_master_t; - ') -') - -####################################### -## <summary> -## The template to define a postfix domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`postfix_domain_template',` - gen_require(` - attribute postfix_domain; - ') - - ######################################## - # - # Declarations - # - - type postfix_$1_t, postfix_domain; - type postfix_$1_exec_t; - domain_type(postfix_$1_t) - domain_entry_file(postfix_$1_t, postfix_$1_exec_t) - role system_r types postfix_$1_t; - - ######################################## - # - # Policy - # - - can_exec(postfix_$1_t, postfix_$1_exec_t) - - auth_use_nsswitch(postfix_$1_t) -') - -####################################### -## <summary> -## The template to define a postfix server domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`postfix_server_domain_template',` - gen_require(` - attribute postfix_server_domain, postfix_server_tmp_content; - ') - - ######################################## - # - # Declarations - # - - postfix_domain_template($1) - - typeattribute postfix_$1_t postfix_server_domain; - - type postfix_$1_tmp_t, postfix_server_tmp_content; - files_tmp_file(postfix_$1_tmp_t) - - ######################################## - # - # Declarations - # - - manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) - - domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) -') - -####################################### -## <summary> -## The template to define a postfix user domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`postfix_user_domain_template',` - gen_require(` - attribute postfix_user_domains, postfix_user_domtrans; - ') - - ######################################## - # - # Declarations - # - - postfix_domain_template($1) - - typeattribute postfix_$1_t postfix_user_domains; - - ######################################## - # - # Policy - # - - allow postfix_$1_t self:capability dac_override; - - domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) - - domain_use_interactive_fds(postfix_$1_t) -') - -######################################## -## <summary> -## Read postfix configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`postfix_read_config',` - gen_require(` - type postfix_etc_t; - ') - - files_search_etc($1) - allow $1 postfix_etc_t:dir list_dir_perms; - allow $1 postfix_etc_t:file read_file_perms; - allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Create specified object in postfix -## etc directories with a type transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private type"> -## <summary> -## The type of the object to be created. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`postfix_config_filetrans',` - gen_require(` - type postfix_etc_t; - ') - - filetrans_pattern($1, postfix_etc_t, $2, $3, $4) -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write postfix local delivery -## TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`postfix_dontaudit_rw_local_tcp_sockets',` - gen_require(` - type postfix_local_t; - ') - - dontaudit $1 postfix_local_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Read and write postfix local pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_rw_local_pipes',` - gen_require(` - type postfix_local_t; - ') - - allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Read postfix local process state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_read_local_state',` - gen_require(` - type postfix_local_t; - ') - - kernel_search_proc($1) - allow $1 postfix_local_t:dir list_dir_perms; - allow $1 postfix_local_t:file read_file_perms; - allow $1 postfix_local_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Read and write inherited postfix master pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_rw_inherited_master_pipes',` - gen_require(` - type postfix_master_t; - ') - - allow $1 postfix_master_t:fd use; - allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read }; -') - -######################################## -## <summary> -## Read postfix master process state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_read_master_state',` - gen_require(` - type postfix_master_t; - ') - - kernel_search_proc($1) - allow $1 postfix_master_t:dir list_dir_perms; - allow $1 postfix_master_t:file read_file_perms; - allow $1 postfix_master_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Use postfix master file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_use_fds_master',` - gen_require(` - type postfix_master_t; - ') - - allow $1 postfix_master_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to use -## postfix master process file -## file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`postfix_dontaudit_use_fds',` - gen_require(` - type postfix_master_t; - ') - - dontaudit $1 postfix_master_t:fd use; -') - -######################################## -## <summary> -## Execute postfix_map in the postfix_map domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`postfix_domtrans_map',` - gen_require(` - type postfix_map_t, postfix_map_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) -') - -######################################## -## <summary> -## Execute postfix map in the postfix -## map domain, and allow the specified -## role the postfix_map domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`postfix_run_map',` - gen_require(` - attribute_role postfix_map_roles; - ') - - postfix_domtrans_map($1) - roleattribute $2 postfix_map_roles; -') - -######################################## -## <summary> -## Execute the master postfix program -## in the postfix_master domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`postfix_domtrans_master',` - gen_require(` - type postfix_master_t, postfix_master_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) -') - -######################################## -## <summary> -## Execute the master postfix program -## in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_exec_master',` - gen_require(` - type postfix_master_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, postfix_master_exec_t) -') - -####################################### -## <summary> -## Connect to postfix master process -## using a unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`postfix_stream_connect_master',` - gen_require(` - type postfix_master_t, postfix_public_t; - ') - - stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) -') - -######################################## -## <summary> -## Read and write postfix master -## unnamed pipes. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_rw_master_pipes',` - refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.') - postfix_rw_inherited_master_pipes($1) -') - -######################################## -## <summary> -## Execute the master postdrop in the -## postfix postdrop domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`postfix_domtrans_postdrop',` - gen_require(` - type postfix_postdrop_t, postfix_postdrop_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) -') - -######################################## -## <summary> -## Execute the master postqueue in the -## postfix postqueue domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`postfix_domtrans_postqueue',` - gen_require(` - type postfix_postqueue_t, postfix_postqueue_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) -') - -####################################### -## <summary> -## Execute the master postqueue in -## the caller domain. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`posftix_exec_postqueue',` - refpolicywarn(`$0($*) has been deprecated.') - postfix_exec_postqueue($1) -') - -####################################### -## <summary> -## Execute postfix postqueue in -## the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_exec_postqueue',` - gen_require(` - type postfix_postqueue_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, postfix_postqueue_exec_t) -') - -######################################## -## <summary> -## Create postfix private sock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_create_private_sockets',` - gen_require(` - type postfix_private_t; - ') - - create_sock_files_pattern($1, postfix_private_t, postfix_private_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## postfix private sock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_manage_private_sockets',` - gen_require(` - type postfix_private_t; - ') - - manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) -') - -######################################## -## <summary> -## Execute the smtp postfix program -## in the postfix smtp domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`postfix_domtrans_smtp',` - gen_require(` - type postfix_smtp_t, postfix_smtp_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) -') - -######################################## -## <summary> -## Get attributes of all postfix mail -## spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_getattr_all_spool_files',` - gen_require(` - attribute postfix_spool_type; - ') - - files_search_spool($1) - getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) -') - -######################################## -## <summary> -## Search postfix mail spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_search_spool',` - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - allow $1 postfix_spool_t:dir search_dir_perms; -') - -######################################## -## <summary> -## List postfix mail spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_list_spool',` - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - allow $1 postfix_spool_t:dir list_dir_perms; -') - -######################################## -## <summary> -## Read postfix mail spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_read_spool_files',` - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, postfix_spool_t, postfix_spool_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## postfix mail spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_manage_spool_files',` - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, postfix_spool_t, postfix_spool_t) -') - -######################################## -## <summary> -## Execute postfix user mail programs -## in their respective domains. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postfix_domtrans_user_mail_handler',` - gen_require(` - attribute postfix_user_domtrans; - ') - - typeattribute $1 postfix_user_domtrans; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an postfix environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`postfix_admin',` - gen_require(` - attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content; - type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t; - type postfix_data_t, postfix_var_run_t, postfix_public_t; - type postfix_private_t, postfix_map_tmp_t, postfix_exec_t; - ') - - allow $1 postfix_domain:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_domain) - - init_labeled_script_domtrans($1, postfix_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postfix_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t }) - - files_search_spool($1) - admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type }) - - files_search_var_lib($1) - admin_pattern($1, postfix_data_t) - - files_search_pids($1) - admin_pattern($1, postfix_var_run_t) - - files_search_tmp($1) - admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t }) - - postfix_exec_master($1) - postfix_exec_postqueue($1) - postfix_stream_connect_master($1) - postfix_run_map($1, $2) - - ifdef(`distro_gentoo',` - gen_require(` - type postfix_showq_exec_t; - type postfix_postqueue_t; - ') - - allow postfix_postqueue_t $1:process sigchld; - - can_exec($1, postfix_showq_exec_t) - ') -') diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te deleted file mode 100644 index 9361cf8c..00000000 --- a/policy/modules/contrib/postfix.te +++ /dev/null @@ -1,799 +0,0 @@ -policy_module(postfix, 1.14.10) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether postfix local -## can manage mail spool content. -## </p> -## </desc> -gen_tunable(postfix_local_write_mail_spool, true) - -attribute postfix_domain; -attribute postfix_server_domain; -attribute postfix_server_tmp_content; -attribute postfix_spool_type; -attribute postfix_user_domains; -attribute postfix_user_domtrans; - -attribute_role postfix_map_roles; -roleattribute system_r postfix_map_roles; - -postfix_server_domain_template(bounce) - -type postfix_spool_bounce_t, postfix_spool_type; -files_type(postfix_spool_bounce_t) - -postfix_server_domain_template(cleanup) - -type postfix_etc_t; -files_config_file(postfix_etc_t) - -type postfix_exec_t; -application_executable_file(postfix_exec_t) - -postfix_server_domain_template(local) -mta_mailserver_delivery(postfix_local_t) - -type postfix_map_t; -type postfix_map_exec_t; -application_domain(postfix_map_t, postfix_map_exec_t) -role postfix_map_roles types postfix_map_t; - -type postfix_map_tmp_t; -files_tmp_file(postfix_map_tmp_t) - -postfix_domain_template(master) -typealias postfix_master_t alias postfix_t; -mta_mailserver(postfix_t, postfix_master_exec_t) - -type postfix_initrc_exec_t; -init_script_file(postfix_initrc_exec_t) - -postfix_server_domain_template(pickup) - -postfix_server_domain_template(pipe) - -postfix_user_domain_template(postdrop) -mta_mailserver_user_agent(postfix_postdrop_t) - -postfix_user_domain_template(postqueue) -mta_mailserver_user_agent(postfix_postqueue_t) - -type postfix_private_t; -files_type(postfix_private_t) - -type postfix_prng_t; -files_type(postfix_prng_t) - -postfix_server_domain_template(qmgr) - -postfix_user_domain_template(showq) - -postfix_server_domain_template(smtp) -mta_mailserver_sender(postfix_smtp_t) - -postfix_server_domain_template(smtpd) - -type postfix_spool_t, postfix_spool_type; -files_type(postfix_spool_t) - -type postfix_spool_maildrop_t, postfix_spool_type; -files_type(postfix_spool_maildrop_t) - -type postfix_spool_flush_t, postfix_spool_type; -files_type(postfix_spool_flush_t) - -type postfix_public_t; -files_type(postfix_public_t) - -type postfix_var_run_t; -files_pid_file(postfix_var_run_t) - -type postfix_data_t; -files_type(postfix_data_t) - -postfix_server_domain_template(virtual) -mta_mailserver_delivery(postfix_virtual_t) - -######################################## -# -# Common postfix domain local policy -# - -allow postfix_domain self:capability { sys_nice sys_chroot }; -dontaudit postfix_domain self:capability sys_tty_config; -allow postfix_domain self:process { signal_perms setpgid setsched }; -allow postfix_domain self:fifo_file rw_fifo_file_perms; -allow postfix_domain self:unix_stream_socket { accept connectto listen }; - -allow postfix_domain postfix_etc_t:dir list_dir_perms; -allow postfix_domain postfix_etc_t:file read_file_perms; -allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms; - -allow postfix_domain postfix_master_t:file read_file_perms; - -allow postfix_domain postfix_exec_t:file { mmap_file_perms lock }; - -allow postfix_domain postfix_master_t:process sigchld; - -allow postfix_domain postfix_spool_t:dir list_dir_perms; - -manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) -files_pid_filetrans(postfix_domain, postfix_var_run_t, file) - -kernel_read_system_state(postfix_domain) -kernel_read_network_state(postfix_domain) -kernel_read_all_sysctls(postfix_domain) - -dev_read_sysfs(postfix_domain) -dev_read_rand(postfix_domain) -dev_read_urand(postfix_domain) - -fs_search_auto_mountpoints(postfix_domain) -fs_getattr_all_fs(postfix_domain) -fs_rw_anon_inodefs_files(postfix_domain) - -term_dontaudit_use_console(postfix_domain) - -corecmd_exec_shell(postfix_domain) - -files_read_etc_runtime_files(postfix_domain) -files_read_usr_files(postfix_domain) -files_search_spool(postfix_domain) -files_getattr_tmp_dirs(postfix_domain) -files_search_all_mountpoints(postfix_domain) - -init_dontaudit_use_fds(postfix_domain) -init_sigchld(postfix_domain) - -logging_send_syslog_msg(postfix_domain) - -miscfiles_read_localization(postfix_domain) -miscfiles_read_generic_certs(postfix_domain) - -userdom_dontaudit_use_unpriv_user_fds(postfix_domain) - -optional_policy(` - udev_read_db(postfix_domain) -') - -######################################## -# -# Common postfix server domain local policy -# - -allow postfix_server_domain self:capability { setuid setgid dac_override }; - -allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; - -corenet_all_recvfrom_unlabeled(postfix_server_domain) -corenet_all_recvfrom_netlabel(postfix_server_domain) -corenet_tcp_sendrecv_generic_if(postfix_server_domain) -corenet_tcp_sendrecv_generic_node(postfix_server_domain) - -corenet_sendrecv_all_client_packets(postfix_server_domain) -corenet_tcp_connect_all_ports(postfix_server_domain) -corenet_tcp_sendrecv_all_ports(postfix_server_domain) - -######################################## -# -# Common postfix user domain local policy -# - -allow postfix_user_domains self:capability dac_override; - -domain_use_interactive_fds(postfix_user_domains) - -######################################## -# -# Master local policy -# - -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; -allow postfix_master_t self:capability2 block_suspend; -allow postfix_master_t self:process setrlimit; -allow postfix_master_t self:tcp_socket create_stream_socket_perms; -allow postfix_master_t self:udp_socket create_socket_perms; - -allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms; -allow postfix_master_t postfix_domain:process signal; - -allow postfix_master_t postfix_etc_t:dir rw_dir_perms; -allow postfix_master_t postfix_etc_t:file rw_file_perms; - -allow postfix_master_t postfix_data_t:dir manage_dir_perms; -allow postfix_master_t postfix_data_t:file manage_file_perms; - -allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; - -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; - -allow postfix_master_t postfix_prng_t:file rw_file_perms; - -manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) - -allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; -allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms; -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce") - -manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush") - -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t) -manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private") - -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t) -manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") - -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) -delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") - -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") - -can_exec(postfix_master_t, postfix_exec_t) - -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) - -corenet_all_recvfrom_unlabeled(postfix_master_t) -corenet_all_recvfrom_netlabel(postfix_master_t) -corenet_tcp_sendrecv_generic_if(postfix_master_t) -corenet_udp_sendrecv_generic_if(postfix_master_t) -corenet_tcp_sendrecv_generic_node(postfix_master_t) -corenet_udp_sendrecv_generic_node(postfix_master_t) -corenet_tcp_sendrecv_all_ports(postfix_master_t) -corenet_udp_sendrecv_all_ports(postfix_master_t) -corenet_tcp_bind_generic_node(postfix_master_t) - -corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) -corenet_tcp_bind_amavisd_send_port(postfix_master_t) - -corenet_sendrecv_smtp_server_packets(postfix_master_t) -corenet_tcp_bind_smtp_port(postfix_master_t) - -corenet_sendrecv_spamd_server_packets(postfix_master_t) -corenet_tcp_bind_spamd_port(postfix_master_t) - -corenet_sendrecv_all_client_packets(postfix_master_t) -corenet_tcp_connect_all_ports(postfix_master_t) - -# Can this be conditional? -corenet_sendrecv_all_server_packets(postfix_master_t) -corenet_udp_bind_all_unreserved_ports(postfix_master_t) -corenet_dontaudit_udp_bind_all_ports(postfix_master_t) - -selinux_dontaudit_search_fs(postfix_master_t) - -corecmd_exec_bin(postfix_master_t) - -domain_use_interactive_fds(postfix_master_t) - -files_search_tmp(postfix_master_t) - -mcs_file_read_all(postfix_master_t) - -term_dontaudit_search_ptys(postfix_master_t) - -miscfiles_read_man_pages(postfix_master_t) - -seutil_sigchld_newrole(postfix_master_t) -seutil_dontaudit_search_config(postfix_master_t) - -mta_manage_aliases(postfix_master_t) -mta_etc_filetrans_aliases(postfix_master_t, file, "aliases") -mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db") -mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp") -mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file) -mta_read_sendmail_bin(postfix_master_t) -mta_getattr_spool(postfix_master_t) - -ifdef(`distro_gentoo',` - filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer") - filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred") -') - -optional_policy(` - cyrus_stream_connect(postfix_master_t) -') - -optional_policy(` - kerberos_keytab_template(postfix, postfix_t) -') - -optional_policy(` - mailman_manage_data_files(postfix_master_t) -') - -optional_policy(` - mysql_stream_connect(postfix_master_t) -') - -optional_policy(` - postgrey_search_spool(postfix_master_t) -') - -optional_policy(` - sendmail_signal(postfix_master_t) -') - -######################################## -# -# Bounce local policy -# - -allow postfix_bounce_t self:capability dac_read_search; - -write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t) - -manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir) - -manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) - -######################################## -# -# Cleanup local policy -# - -allow postfix_cleanup_t self:process setrlimit; - -allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms; -allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms; - -allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; -allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; -allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - -stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t) - -rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) -write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) - -manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) -manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) - -allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; - -corecmd_exec_bin(postfix_cleanup_t) - -corenet_sendrecv_kismet_client_packets(postfix_cleanup_t) -corenet_tcp_connect_kismet_port(postfix_cleanup_t) -corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t) - -mta_read_aliases(postfix_cleanup_t) - -optional_policy(` - mailman_read_data_files(postfix_cleanup_t) -') - -######################################## -# -# Local local policy -# - -allow postfix_local_t self:capability chown; -allow postfix_local_t self:process setrlimit; - -stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) - -rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) - -allow postfix_local_t postfix_spool_t:file rw_file_perms; - -domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) - -corecmd_exec_bin(postfix_local_t) - -logging_dontaudit_search_logs(postfix_local_t) - -mta_delete_spool(postfix_local_t) -mta_read_aliases(postfix_local_t) -mta_read_config(postfix_local_t) -mta_send_mail(postfix_local_t) - -tunable_policy(`postfix_local_write_mail_spool',` - mta_manage_spool(postfix_local_t) -') - -optional_policy(` - clamav_search_lib(postfix_local_t) - clamav_exec_clamscan(postfix_local_t) -') - -optional_policy(` - dovecot_domtrans_deliver(postfix_local_t) -') - -optional_policy(` - dspam_domtrans(postfix_local_t) -') - -optional_policy(` - mailman_manage_data_files(postfix_local_t) - mailman_append_log(postfix_local_t) - mailman_read_log(postfix_local_t) -') - -optional_policy(` - nagios_search_spool(postfix_local_t) -') - -optional_policy(` - procmail_domtrans(postfix_local_t) -') - -optional_policy(` - sendmail_rw_pipes(postfix_local_t) -') - -optional_policy(` - zarafa_domtrans_deliver(postfix_local_t) - zarafa_stream_connect_server(postfix_local_t) -') - -######################################## -# -# Map local policy -# - -allow postfix_map_t self:capability { dac_override setgid setuid }; -allow postfix_map_t self:tcp_socket { accept listen }; - -allow postfix_map_t postfix_etc_t:dir manage_dir_perms; -allow postfix_map_t postfix_etc_t:file manage_file_perms; -allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms; - -manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(postfix_map_t) -kernel_dontaudit_list_proc(postfix_map_t) -kernel_dontaudit_read_system_state(postfix_map_t) - -corenet_all_recvfrom_unlabeled(postfix_map_t) -corenet_all_recvfrom_netlabel(postfix_map_t) -corenet_tcp_sendrecv_generic_if(postfix_map_t) -corenet_tcp_sendrecv_generic_node(postfix_map_t) - -corenet_sendrecv_all_client_packets(postfix_map_t) -corenet_tcp_connect_all_ports(postfix_map_t) -corenet_tcp_sendrecv_all_ports(postfix_map_t) - -corecmd_list_bin(postfix_map_t) -corecmd_read_bin_symlinks(postfix_map_t) -corecmd_read_bin_files(postfix_map_t) -corecmd_read_bin_pipes(postfix_map_t) -corecmd_read_bin_sockets(postfix_map_t) - -files_list_home(postfix_map_t) -files_read_usr_files(postfix_map_t) -files_read_etc_runtime_files(postfix_map_t) -files_dontaudit_search_var(postfix_map_t) - -auth_use_nsswitch(postfix_map_t) - -logging_send_syslog_msg(postfix_map_t) - -miscfiles_read_localization(postfix_map_t) - -optional_policy(` - locallogin_dontaudit_use_fds(postfix_map_t) -') - -optional_policy(` - mailman_manage_data_files(postfix_map_t) -') - -######################################## -# -# Pickup local policy -# - -stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) - -rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) - -allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; -read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) -delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) - -allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; -read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - -mcs_file_read_all(postfix_pickup_t) -mcs_file_write_all(postfix_pickup_t) - -######################################## -# -# Pipe local policy -# - -allow postfix_pipe_t self:process setrlimit; - -write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) - -write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) - -rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) - -domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) - -corecmd_exec_bin(postfix_pipe_t) - -optional_policy(` - dovecot_domtrans_deliver(postfix_pipe_t) -') - -optional_policy(` - procmail_domtrans(postfix_pipe_t) -') - -optional_policy(` - mailman_domtrans_queue(postfix_pipe_t) -') - -optional_policy(` - mta_manage_spool(postfix_pipe_t) - mta_send_mail(postfix_pipe_t) -') - -optional_policy(` - spamassassin_domtrans_client(postfix_pipe_t) - spamassassin_kill_client(postfix_pipe_t) -') - -optional_policy(` - uucp_domtrans_uux(postfix_pipe_t) -') - -######################################## -# -# Postdrop local policy -# - -allow postfix_postdrop_t self:capability sys_resource; - -rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) - -manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - -allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; - -mcs_file_read_all(postfix_postdrop_t) -mcs_file_write_all(postfix_postdrop_t) - -term_dontaudit_use_all_ptys(postfix_postdrop_t) -term_dontaudit_use_all_ttys(postfix_postdrop_t) - -mta_rw_user_mail_stream_sockets(postfix_postdrop_t) - -optional_policy(` - apache_dontaudit_rw_fifo_file(postfix_postdrop_t) -') - -optional_policy(` - cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) -') - -optional_policy(` - fail2ban_dontaudit_use_fds(postfix_postdrop_t) -') - -optional_policy(` - fstools_read_pipes(postfix_postdrop_t) -') - -optional_policy(` - sendmail_rw_unix_stream_sockets(postfix_postdrop_t) -') - -optional_policy(` - uucp_manage_spool(postfix_postdrop_t) -') - -####################################### -# -# Postqueue local policy -# - -stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t) - -write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t) - -domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) - -term_use_all_ptys(postfix_postqueue_t) -term_use_all_ttys(postfix_postqueue_t) - -init_sigchld_script(postfix_postqueue_t) -init_use_script_fds(postfix_postqueue_t) - -optional_policy(` - cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t) -') - -optional_policy(` - ppp_use_fds(postfix_postqueue_t) - ppp_sigchld(postfix_postqueue_t) -') - -######################################## -# -# Qmgr local policy -# - -allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; - -stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) - -manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) -manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) - -corecmd_exec_bin(postfix_qmgr_t) - -######################################## -# -# Showq local policy -# - -allow postfix_showq_t self:capability { setuid setgid }; - -allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; - -allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; -allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; -allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - -allow postfix_showq_t postfix_spool_t:file read_file_perms; - -mcs_file_read_all(postfix_showq_t) - -term_use_all_ptys(postfix_showq_t) -term_use_all_ttys(postfix_showq_t) - -######################################## -# -# Smtp delivery local policy -# - -allow postfix_smtp_t self:capability sys_chroot; - -stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms; - -rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - -optional_policy(` - cyrus_stream_connect(postfix_smtp_t) -') - -optional_policy(` - dovecot_stream_connect(postfix_smtp_t) -') - -optional_policy(` - dspam_stream_connect(postfix_smtp_t) -') - -optional_policy(` - milter_stream_connect_all(postfix_smtp_t) -') - -######################################## -# -# Smtpd local policy -# - -allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; - -stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) -manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) -allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; - -corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t) -corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) -corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t) - -corecmd_exec_bin(postfix_smtpd_t) - -fs_getattr_all_dirs(postfix_smtpd_t) -fs_getattr_all_fs(postfix_smtpd_t) - -mta_read_aliases(postfix_smtpd_t) - -optional_policy(` - dovecot_stream_connect_auth(postfix_smtpd_t) - dovecot_stream_connect(postfix_smtpd_t) -') - -optional_policy(` - mailman_read_data_files(postfix_smtpd_t) -') - -optional_policy(` - milter_stream_connect_all(postfix_smtpd_t) -') - -optional_policy(` - postgrey_stream_connect(postfix_smtpd_t) -') - -optional_policy(` - sasl_connect(postfix_smtpd_t) -') - -optional_policy(` - spamassassin_read_spamd_pid_files(postfix_smtpd_t) - spamassassin_stream_connect_spamd(postfix_smtpd_t) -') - -######################################## -# -# Virtual local policy -# - -allow postfix_virtual_t self:process setrlimit; - -allow postfix_virtual_t postfix_spool_t:file rw_file_perms; - -stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -corecmd_exec_bin(postfix_virtual_t) - -mta_read_aliases(postfix_virtual_t) -mta_delete_spool(postfix_virtual_t) -mta_read_config(postfix_virtual_t) -mta_manage_spool(postfix_virtual_t) - -userdom_manage_user_home_dirs(postfix_virtual_t) -userdom_manage_user_home_content_dirs(postfix_virtual_t) -userdom_manage_user_home_content_files(postfix_virtual_t) -userdom_home_filetrans_user_home_dir(postfix_virtual_t) -userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir }) diff --git a/policy/modules/contrib/postfixpolicyd.fc b/policy/modules/contrib/postfixpolicyd.fc deleted file mode 100644 index 2b58a688..00000000 --- a/policy/modules/contrib/postfixpolicyd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/policyd\.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t,s0) - -/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0) - -/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t,s0) - -/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t,s0) diff --git a/policy/modules/contrib/postfixpolicyd.if b/policy/modules/contrib/postfixpolicyd.if deleted file mode 100644 index 5de81736..00000000 --- a/policy/modules/contrib/postfixpolicyd.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Postfix policy server.</summary> - -######################################## -## <summary> -## All of the rules required to administrate -## an postfixpolicyd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`postfixpolicyd_admin',` - gen_require(` - type postfix_policyd_t, postfix_policyd_conf_t; - type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; - ') - - allow $1 postfix_policyd_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_policyd_t) - - init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postfix_policyd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, postfix_policyd_conf_t) - - files_list_pids($1) - admin_pattern($1, postfix_policyd_var_run_t) -') diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te deleted file mode 100644 index 70f05333..00000000 --- a/policy/modules/contrib/postfixpolicyd.te +++ /dev/null @@ -1,57 +0,0 @@ -policy_module(postfixpolicyd, 1.2.1) - -######################################## -# -# Declarations -# - -type postfix_policyd_t; -type postfix_policyd_exec_t; -init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t) - -type postfix_policyd_conf_t; -files_config_file(postfix_policyd_conf_t) - -type postfix_policyd_initrc_exec_t; -init_script_file(postfix_policyd_initrc_exec_t) - -type postfix_policyd_var_run_t; -files_pid_file(postfix_policyd_var_run_t) - -######################################## -# -# Local policy -# - -allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; -allow postfix_policyd_t self:process setrlimit; -allow postfix_policyd_t self:tcp_socket { accept listen }; - -allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms; -allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms; -allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; - -manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) -files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) - -corenet_all_recvfrom_unlabeled(postfix_policyd_t) -corenet_tcp_sendrecv_generic_if(postfix_policyd_t) -corenet_tcp_sendrecv_generic_node(postfix_policyd_t) -corenet_tcp_bind_generic_node(postfix_policyd_t) - -corenet_sendrecv_postfix_policyd_server_packets(postfix_policyd_t) -corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t) -corenet_tcp_sendrecv_postfix_policyd_port(postfix_policyd_t) - -corenet_sendrecv_mysqld_server_packets(postfix_policyd_t) -corenet_tcp_bind_mysqld_port(postfix_policyd_t) -corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t) - -files_read_etc_files(postfix_policyd_t) -files_read_usr_files(postfix_policyd_t) - -logging_send_syslog_msg(postfix_policyd_t) - -miscfiles_read_localization(postfix_policyd_t) - -sysnet_dns_name_resolve(postfix_policyd_t) diff --git a/policy/modules/contrib/postgrey.fc b/policy/modules/contrib/postgrey.fc deleted file mode 100644 index ed6eda5b..00000000 --- a/policy/modules/contrib/postgrey.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0) - -/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0) - -/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0) - -/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0) - -/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0) -/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0) - -/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) diff --git a/policy/modules/contrib/postgrey.if b/policy/modules/contrib/postgrey.if deleted file mode 100644 index b9e71b53..00000000 --- a/policy/modules/contrib/postgrey.if +++ /dev/null @@ -1,86 +0,0 @@ -## <summary>Postfix grey-listing server.</summary> - -######################################## -## <summary> -## Connect to postgrey using a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postgrey_stream_connect',` - gen_require(` - type postgrey_var_run_t, postgrey_t, postgrey_spool_t; - ') - - files_search_pids($1) - files_search_spool($1) - stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) -') - -######################################## -## <summary> -## Search spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`postgrey_search_spool',` - gen_require(` - type postgrey_spool_t; - ') - - files_search_spool($1) - allow $1 postgrey_spool_t:dir search_dir_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an postgrey environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`postgrey_admin',` - gen_require(` - type postgrey_t, postgrey_etc_t, postgrey_spool_t; - type postgrey_var_lib_t, postgrey_var_run_t; - type postgrey_initrc_exec_t; - ') - - allow $1 postgrey_t:process { ptrace signal_perms }; - ps_process_pattern($1, postgrey_t) - - init_labeled_script_domtrans($1, postgrey_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postgrey_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, postgrey_etc_t) - - files_list_var_lib($1) - admin_pattern($1, postgrey_var_lib_t) - - files_list_spool($1) - admin_pattern($1, postgrey_spool_t) - - files_list_pids($1) - admin_pattern($1, postgrey_var_run_t) -') diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te deleted file mode 100644 index 3b114964..00000000 --- a/policy/modules/contrib/postgrey.te +++ /dev/null @@ -1,107 +0,0 @@ -policy_module(postgrey, 1.8.1) - -######################################## -# -# Declarations -# - -type postgrey_t; -type postgrey_exec_t; -init_daemon_domain(postgrey_t, postgrey_exec_t) - -type postgrey_etc_t; -files_config_file(postgrey_etc_t) - -type postgrey_initrc_exec_t; -init_script_file(postgrey_initrc_exec_t) - -type postgrey_spool_t; -files_type(postgrey_spool_t) - -type postgrey_var_lib_t; -files_type(postgrey_var_lib_t) - -type postgrey_var_run_t; -files_pid_file(postgrey_var_run_t) - -######################################## -# -# Local policy -# - -allow postgrey_t self:capability { chown dac_override setgid setuid }; -dontaudit postgrey_t self:capability sys_tty_config; -allow postgrey_t self:process signal_perms; -allow postgrey_t self:fifo_file create_fifo_file_perms; -allow postgrey_t self:tcp_socket create_stream_socket_perms; - -allow postgrey_t postgrey_etc_t:dir list_dir_perms; -allow postgrey_t postgrey_etc_t:file read_file_perms; -allow postgrey_t postgrey_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) - -manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) -files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) - -manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) -manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) -manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) -files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) - -kernel_read_system_state(postgrey_t) -kernel_read_kernel_sysctls(postgrey_t) - -corecmd_search_bin(postgrey_t) - -corenet_all_recvfrom_unlabeled(postgrey_t) -corenet_all_recvfrom_netlabel(postgrey_t) -corenet_tcp_sendrecv_generic_if(postgrey_t) -corenet_tcp_sendrecv_generic_node(postgrey_t) -corenet_tcp_bind_generic_node(postgrey_t) - -corenet_sendrecv_postgrey_server_packets(postgrey_t) -corenet_tcp_bind_postgrey_port(postgrey_t) -corenet_tcp_sendrecv_postgrey_port(postgrey_t) - -dev_read_urand(postgrey_t) -dev_read_sysfs(postgrey_t) - -domain_use_interactive_fds(postgrey_t) - -files_read_etc_files(postgrey_t) -files_read_etc_runtime_files(postgrey_t) -files_read_usr_files(postgrey_t) -files_getattr_tmp_dirs(postgrey_t) - -fs_getattr_all_fs(postgrey_t) -fs_search_auto_mountpoints(postgrey_t) - -logging_send_syslog_msg(postgrey_t) - -miscfiles_read_localization(postgrey_t) - -sysnet_read_config(postgrey_t) - -userdom_dontaudit_use_unpriv_user_fds(postgrey_t) -userdom_dontaudit_search_user_home_dirs(postgrey_t) - -optional_policy(` - nis_use_ypbind(postgrey_t) -') - -optional_policy(` - postfix_read_config(postgrey_t) - postfix_manage_spool_files(postgrey_t) -') - -optional_policy(` - seutil_sigchld_newrole(postgrey_t) -') - -optional_policy(` - udev_read_db(postgrey_t) -') diff --git a/policy/modules/contrib/ppp.fc b/policy/modules/contrib/ppp.fc deleted file mode 100644 index efcb6532..00000000 --- a/policy/modules/contrib/ppp.fc +++ /dev/null @@ -1,30 +0,0 @@ -HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0) - -/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - -/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) -/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) -/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) -/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - -/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) -/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) - -/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) -/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) -/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) -/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) -/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) - -/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0) - -/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) -/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) -/var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0) - -/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) -/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) -/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) -/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if deleted file mode 100644 index cd8b8b9c..00000000 --- a/policy/modules/contrib/ppp.if +++ /dev/null @@ -1,509 +0,0 @@ -## <summary>Point to Point Protocol daemon creates links in ppp networks.</summary> - -######################################## -## <summary> -## Role access for ppp. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`ppp_role',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Create, read, write, and delete -## ppp home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_manage_home_files',` - gen_require(` - type ppp_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 ppp_home_t:file manage_file_perms; -') - -######################################## -## <summary> -## Read ppp user home content files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_read_home_files',` - gen_require(` - type ppp_home_t; - - ') - - userdom_search_user_home_dirs($1) - allow $1 ppp_home_t:file read_file_perms; -') - -######################################## -## <summary> -## Relabel ppp home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_relabel_home_files',` - gen_require(` - type ppp_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 ppp_home_t:file relabel_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the ppp home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`ppp_home_filetrans_ppp_home',` - gen_require(` - type ppp_home_t; - ') - - userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3) -') - -######################################## -## <summary> -## Inherit and use ppp file discriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_use_fds',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to inherit -## and use ppp file discriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`ppp_dontaudit_use_fds',` - gen_require(` - type pppd_t; - ') - - dontaudit $1 pppd_t:fd use; -') - -######################################## -## <summary> -## Send child terminated signals to ppp. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_sigchld',` - gen_require(` - type pppd_t; - - ') - - allow $1 pppd_t:process sigchld; -') - -######################################## -## <summary> -## Send kill signals to ppp. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -# -interface(`ppp_kill',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process sigkill; -') - -######################################## -## <summary> -## Send generic signals to ppp. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_signal',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process signal; -') - -######################################## -## <summary> -## Send null signals to ppp. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_signull',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process signull; -') - -######################################## -## <summary> -## Execute pppd in the pppd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ppp_domtrans',` - gen_require(` - type pppd_t, pppd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pppd_exec_t, pppd_t) -') - -######################################## -## <summary> -## Conditionally execute pppd on -## behalf of a user or staff type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ppp_run_cond',` - gen_require(` - attribute_role pppd_roles; - ') - - roleattribute $2 pppd_roles; - - tunable_policy(`pppd_for_user',` - ppp_domtrans($1) - ') -') - -######################################## -## <summary> -## Unconditionally execute ppp daemon -## on behalf of a user or staff type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ppp_run',` - gen_require(` - attribute_role pppd_roles; - ') - - ppp_domtrans($1) - roleattribute $2 pppd_roles; -') - -######################################## -## <summary> -## Execute domain in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_exec',` - gen_require(` - type pppd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, pppd_exec_t) -') - -######################################## -## <summary> -## Read ppp configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_read_config',` - gen_require(` - type pppd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, pppd_etc_t, pppd_etc_t) -') - -######################################## -## <summary> -## Read ppp writable configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_read_rw_config',` - gen_require(` - type pppd_etc_t, pppd_etc_rw_t; - ') - - files_search_etc($1) - allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms; - allow $1 pppd_etc_rw_t:file read_file_perms; - allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Read ppp secret files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_read_secrets',` - gen_require(` - type pppd_etc_t, pppd_secret_t; - ') - - files_search_etc($1) - allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_secret_t:file read_file_perms; - allow $1 pppd_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Read ppp pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_read_pid_files',` - gen_require(` - type pppd_var_run_t; - ') - - files_search_pids($1) - allow $1 pppd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## ppp pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ppp_manage_pid_files',` - gen_require(` - type pppd_var_run_t; - ') - - files_search_pids($1) - allow $1 pppd_var_run_t:file manage_file_perms; -') - -######################################## -## <summary> -## Create specified pppd pid objects -## with a type transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`ppp_pid_filetrans',` - gen_require(` - type pppd_var_run_t; - ') - - files_pid_filetrans($1, pppd_var_run_t, $2, $3) -') - -######################################## -## <summary> -## Execute pppd init script in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ppp_initrc_domtrans',` - gen_require(` - type pppd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, pppd_initrc_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ppp environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ppp_admin',` - gen_require(` - type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; - type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t; - type pppd_var_run_t, pppd_initrc_exec_t; - type pptp_t, pptp_log_t, pptp_var_run_t; - ') - - allow $1 { pptp_t pppd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { pptp_t pppd_t }) - - ppp_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pppd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, pppd_tmp_t) - - logging_list_logs($1) - admin_pattern($1, { pptp_log_t pppd_log_t }) - - files_list_locks($1) - admin_pattern($1, pppd_lock_t) - - files_list_etc($1) - admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t }) - - files_list_pids($1) - admin_pattern($1, { pptp_var_run_t pppd_var_run_t }) -') diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te deleted file mode 100644 index b2b5dba7..00000000 --- a/policy/modules/contrib/ppp.te +++ /dev/null @@ -1,323 +0,0 @@ -policy_module(ppp, 1.13.5) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether pppd can -## load kernel modules. -## </p> -## </desc> -gen_tunable(pppd_can_insmod, false) - -## <desc> -## <p> -## Determine whether common users can -## run pppd with a domain transition. -## </p> -## </desc> -gen_tunable(pppd_for_user, false) - -attribute_role pppd_roles; -attribute_role pptp_roles; - -type pppd_t; -type pppd_exec_t; -init_daemon_domain(pppd_t, pppd_exec_t) -role pppd_roles types pppd_t; - -type pppd_devpts_t; -term_pty(pppd_devpts_t) - -type pppd_etc_t; -files_config_file(pppd_etc_t) - -type pppd_etc_rw_t; -files_type(pppd_etc_rw_t) - -type pppd_initrc_exec_t alias pppd_script_exec_t; -init_script_file(pppd_initrc_exec_t) - -type pppd_secret_t; -files_type(pppd_secret_t) - -type pppd_log_t; -logging_log_file(pppd_log_t) - -type pppd_lock_t; -files_lock_file(pppd_lock_t) - -type pppd_tmp_t; -files_tmp_file(pppd_tmp_t) - -type pppd_var_run_t; -files_pid_file(pppd_var_run_t) - -type pptp_t; -type pptp_exec_t; -init_daemon_domain(pptp_t, pptp_exec_t) -role pptp_roles types pptp_t; - -type pptp_log_t; -logging_log_file(pptp_log_t) - -type pptp_var_run_t; -files_pid_file(pptp_var_run_t) - -type ppp_home_t; -userdom_user_home_content(ppp_home_t) - -######################################## -# -# PPPD local policy -# - -allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; -dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched setsched signal }; -allow pppd_t self:fifo_file rw_fifo_file_perms; -allow pppd_t self:socket create_socket_perms; -allow pppd_t self:netlink_route_socket nlmsg_write; -allow pppd_t self:tcp_socket { accept listen }; -allow pppd_t self:packet_socket create_socket_perms; - -allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - -allow pppd_t pppd_etc_t:dir rw_dir_perms; -allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms; -allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms; - -manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t) -filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) - -allow pppd_t pppd_lock_t:file manage_file_perms; -files_lock_filetrans(pppd_t, pppd_lock_t, file) - -allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(pppd_t, pppd_log_t, file) - -manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) -manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) -files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file}) - -manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) -manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) -files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) - -can_exec(pppd_t, pppd_exec_t) - -domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) - -allow pppd_t pptp_t:process signal; - -allow pppd_t pppd_secret_t:file read_file_perms; - -kernel_read_kernel_sysctls(pppd_t) -kernel_read_system_state(pppd_t) -kernel_rw_net_sysctls(pppd_t) -kernel_read_network_state(pppd_t) -kernel_request_load_module(pppd_t) - -dev_read_urand(pppd_t) -dev_read_sysfs(pppd_t) -dev_rw_modem(pppd_t) - -corenet_all_recvfrom_unlabeled(pppd_t) -corenet_all_recvfrom_netlabel(pppd_t) -corenet_tcp_sendrecv_generic_if(pppd_t) -corenet_raw_sendrecv_generic_if(pppd_t) -corenet_udp_sendrecv_generic_if(pppd_t) -corenet_tcp_sendrecv_generic_node(pppd_t) -corenet_raw_sendrecv_generic_node(pppd_t) -corenet_udp_sendrecv_generic_node(pppd_t) -corenet_tcp_sendrecv_all_ports(pppd_t) -corenet_udp_sendrecv_all_ports(pppd_t) - -corenet_rw_ppp_dev(pppd_t) - -corecmd_exec_bin(pppd_t) -corecmd_exec_shell(pppd_t) - -domain_use_interactive_fds(pppd_t) - -files_exec_etc_files(pppd_t) -files_manage_etc_runtime_files(pppd_t) -files_dontaudit_write_etc_files(pppd_t) - -fs_getattr_all_fs(pppd_t) -fs_search_auto_mountpoints(pppd_t) - -term_use_unallocated_ttys(pppd_t) -term_setattr_unallocated_ttys(pppd_t) -term_ioctl_generic_ptys(pppd_t) -term_create_pty(pppd_t, pppd_devpts_t) -term_use_generic_ptys(pppd_t) - -init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t) -init_read_utmp(pppd_t) -init_signal_script(pppd_t) -init_dontaudit_write_utmp(pppd_t) - -auth_run_chk_passwd(pppd_t, pppd_roles) -auth_use_nsswitch(pppd_t) -auth_write_login_records(pppd_t) - -logging_send_syslog_msg(pppd_t) -logging_send_audit_msgs(pppd_t) - -miscfiles_read_localization(pppd_t) - -sysnet_exec_ifconfig(pppd_t) -sysnet_manage_config(pppd_t) -sysnet_etc_filetrans_config(pppd_t) - -userdom_use_user_terminals(pppd_t) -userdom_dontaudit_use_unpriv_user_fds(pppd_t) -userdom_search_user_home_dirs(pppd_t) - -optional_policy(` - ddclient_run(pppd_t, pppd_roles) -') - -optional_policy(` - l2tpd_dgram_send(pppd_t) - l2tpd_rw_socket(pppd_t) - l2tpd_stream_connect(pppd_t) -') - -optional_policy(` - tunable_policy(`pppd_can_insmod',` - modutils_domtrans_insmod(pppd_t) - ') -') - -optional_policy(` - mta_send_mail(pppd_t) - mta_system_content(pppd_etc_t) - mta_system_content(pppd_etc_rw_t) -') - -optional_policy(` - networkmanager_signal(pppd_t) -') - -optional_policy(` - postfix_domtrans_master(pppd_t) -') - -optional_policy(` - seutil_sigchld_newrole(pppd_t) -') - -optional_policy(` - udev_read_db(pppd_t) -') - -######################################## -# -# PPTP local policy -# - -allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; -dontaudit pptp_t self:capability sys_tty_config; -allow pptp_t self:process signal; -allow pptp_t self:fifo_file rw_fifo_file_perms; -allow pptp_t self:unix_stream_socket { accept connectto listen }; -allow pptp_t self:rawip_socket create_socket_perms; -allow pptp_t self:netlink_route_socket nlmsg_write; - -allow pptp_t pppd_etc_t:dir list_dir_perms; -allow pptp_t pppd_etc_t:file read_file_perms; -allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; - -allow pptp_t pppd_etc_rw_t:dir list_dir_perms; -allow pptp_t pppd_etc_rw_t:file read_file_perms; -allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; - -allow pptp_t pppd_log_t:file append_file_perms; - -allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(pptp_t, pptp_log_t, file) - -manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) -manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) -files_pid_filetrans(pptp_t, pptp_var_run_t, file) - -can_exec(pptp_t, pppd_etc_rw_t) - -kernel_read_kernel_sysctls(pptp_t) -kernel_read_network_state(pptp_t) -kernel_read_system_state(pptp_t) -kernel_signal(pptp_t) - -corecmd_exec_shell(pptp_t) -corecmd_read_bin_symlinks(pptp_t) - -corenet_all_recvfrom_unlabeled(pptp_t) -corenet_all_recvfrom_netlabel(pptp_t) -corenet_tcp_sendrecv_generic_if(pptp_t) -corenet_raw_sendrecv_generic_if(pptp_t) -corenet_tcp_sendrecv_generic_node(pptp_t) -corenet_raw_sendrecv_generic_node(pptp_t) -corenet_tcp_sendrecv_all_ports(pptp_t) - -corenet_tcp_connect_all_reserved_ports(pptp_t) -corenet_tcp_connect_generic_port(pptp_t) -corenet_sendrecv_generic_client_packets(pptp_t) - -corenet_sendrecv_pptp_client_packets(pptp_t) -corenet_tcp_connect_pptp_port(pptp_t) - -dev_read_sysfs(pptp_t) - -domain_use_interactive_fds(pptp_t) - -fs_getattr_all_fs(pptp_t) -fs_search_auto_mountpoints(pptp_t) - -term_ioctl_generic_ptys(pptp_t) -term_search_ptys(pptp_t) -term_use_ptmx(pptp_t) - -auth_use_nsswitch(pptp_t) - -logging_send_syslog_msg(pptp_t) - -miscfiles_read_localization(pptp_t) - -sysnet_exec_ifconfig(pptp_t) - -userdom_dontaudit_use_unpriv_user_fds(pptp_t) -userdom_dontaudit_search_user_home_dirs(pptp_t) -userdom_signal_unpriv_users(pptp_t) - -optional_policy(` - consoletype_exec(pppd_t) -') - -optional_policy(` - dbus_system_domain(pppd_t, pppd_exec_t) - - optional_policy(` - networkmanager_dbus_chat(pppd_t) - ') -') - -optional_policy(` - hostname_exec(pptp_t) -') - -optional_policy(` - seutil_sigchld_newrole(pptp_t) -') - -optional_policy(` - udev_read_db(pptp_t) -') - -optional_policy(` - postfix_read_config(pppd_t) -') diff --git a/policy/modules/contrib/prelink.fc b/policy/modules/contrib/prelink.fc deleted file mode 100644 index a90d6231..00000000 --- a/policy/modules/contrib/prelink.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) - -/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) - -/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) - -/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0) -/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) - -/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) -/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) diff --git a/policy/modules/contrib/prelink.if b/policy/modules/contrib/prelink.if deleted file mode 100644 index 20d46979..00000000 --- a/policy/modules/contrib/prelink.if +++ /dev/null @@ -1,205 +0,0 @@ -## <summary>Prelink ELF shared library mappings.</summary> - -######################################## -## <summary> -## Execute prelink in the prelink domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`prelink_domtrans',` - gen_require(` - type prelink_t, prelink_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, prelink_exec_t, prelink_t) - - ifdef(`hide_broken_symptoms',` - dontaudit prelink_t $1:socket_class_set { read write }; - dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms; - ') -') - -######################################## -## <summary> -## Execute prelink in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`prelink_exec',` - gen_require(` - type prelink_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, prelink_exec_t) -') - -######################################## -## <summary> -## Execute prelink in the prelink -## domain, and allow the specified role -## the prelink domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`prelink_run',` - gen_require(` - attribute_role prelink_roles; - ') - - prelink_domtrans($1) - roleattribute $2 prelink_roles; -') - -######################################## -## <summary> -## Make the specified file type prelinkable. -## </summary> -## <param name="file_type"> -## <summary> -## File type to be prelinked. -## </summary> -## </param> -# -interface(`prelink_object_file',` - gen_require(` - attribute prelink_object; - ') - - typeattribute $1 prelink_object; -') - -######################################## -## <summary> -## Read prelink cache files. -## </summary> -## <param name="file_type"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`prelink_read_cache',` - gen_require(` - type prelink_cache_t; - ') - - files_search_etc($1) - allow $1 prelink_cache_t:file read_file_perms; -') - -######################################## -## <summary> -## Delete prelink cache files. -## </summary> -## <param name="file_type"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`prelink_delete_cache',` - gen_require(` - type prelink_cache_t; - ') - - files_rw_etc_dirs($1) - allow $1 prelink_cache_t:file delete_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## prelink log files. -## </summary> -## <param name="file_type"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`prelink_manage_log',` - gen_require(` - type prelink_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, prelink_log_t, prelink_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## prelink var_lib files. -## </summary> -## <param name="file_type"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`prelink_manage_lib',` - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) -') - -######################################## -## <summary> -## Relabel from prelink lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`prelink_relabelfrom_lib',` - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) -') - -######################################## -## <summary> -## Relabel prelink lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`prelink_relabel_lib',` - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) -') diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te deleted file mode 100644 index c0f047a0..00000000 --- a/policy/modules/contrib/prelink.te +++ /dev/null @@ -1,206 +0,0 @@ -policy_module(prelink, 1.10.2) - -######################################## -# -# Declarations - -attribute prelink_object; - -attribute_role prelink_roles; - -type prelink_t; -type prelink_exec_t; -init_system_domain(prelink_t, prelink_exec_t) -domain_obj_id_change_exemption(prelink_t) -role prelink_roles types prelink_t; - -type prelink_cache_t; -files_type(prelink_cache_t) - -type prelink_cron_system_t; -type prelink_cron_system_exec_t; -domain_type(prelink_cron_system_t) -domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t) -domain_obj_id_change_exemption(prelink_cron_system_t) - -type prelink_log_t; -logging_log_file(prelink_log_t) - -type prelink_tmp_t; -files_tmp_file(prelink_tmp_t) - -type prelink_tmpfs_t; -files_tmpfs_file(prelink_tmpfs_t) - -type prelink_var_lib_t; -files_type(prelink_var_lib_t) - -######################################## -# -# Local policy -# - -allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource }; -allow prelink_t self:process { execheap execmem execstack signal }; -allow prelink_t self:fifo_file rw_fifo_file_perms; - -allow prelink_t prelink_cache_t:file manage_file_perms; -files_etc_filetrans(prelink_t, prelink_cache_t, file) - -allow prelink_t prelink_log_t:dir setattr_dir_perms; -create_files_pattern(prelink_t, prelink_log_t, prelink_log_t) -append_files_pattern(prelink_t, prelink_log_t, prelink_log_t) -read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) -logging_log_filetrans(prelink_t, prelink_log_t, file) - -allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod }; -files_tmp_filetrans(prelink_t, prelink_tmp_t, file) - -allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod }; -fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file) - -manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) -manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) -relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) -files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) - -allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms }; - -kernel_read_system_state(prelink_t) -kernel_read_kernel_sysctls(prelink_t) - -corecmd_manage_all_executables(prelink_t) -corecmd_relabel_all_executables(prelink_t) -corecmd_mmap_all_executables(prelink_t) -corecmd_read_bin_symlinks(prelink_t) - -dev_read_urand(prelink_t) - -files_getattr_all_files(prelink_t) -files_list_all(prelink_t) -files_manage_usr_files(prelink_t) -files_manage_var_files(prelink_t) -files_read_etc_files(prelink_t) -files_read_etc_runtime_files(prelink_t) -files_relabelfrom_usr_files(prelink_t) -files_search_var_lib(prelink_t) -files_write_non_security_dirs(prelink_t) -files_dontaudit_read_all_symlinks(prelink_t) - -fs_getattr_all_fs(prelink_t) -fs_search_auto_mountpoints(prelink_t) - -selinux_get_enforce_mode(prelink_t) - -storage_getattr_fixed_disk_dev(prelink_t) - -libs_exec_ld_so(prelink_t) -libs_legacy_use_shared_libs(prelink_t) -libs_manage_ld_so(prelink_t) -libs_relabel_ld_so(prelink_t) -libs_manage_shared_libs(prelink_t) -libs_relabel_shared_libs(prelink_t) -libs_delete_lib_symlinks(prelink_t) - -miscfiles_read_localization(prelink_t) - -userdom_use_user_terminals(prelink_t) -userdom_manage_user_home_content_files(prelink_t) -# pending -# userdom_relabel_user_home_content_files(prelink_t) -# userdom_execmod_user_home_content_files(prelink_t) -userdom_exec_user_home_content_files(prelink_t) - -ifdef(`hide_broken_symptoms',` - miscfiles_read_man_pages(prelink_t) - - optional_policy(` - dbus_read_config(prelink_t) - ') -') - -tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files(prelink_t) - fs_manage_nfs_files(prelink_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files(prelink_t) - fs_manage_cifs_files(prelink_t) -') - -optional_policy(` - amanda_manage_lib(prelink_t) -') - -optional_policy(` - cron_system_entry(prelink_t, prelink_exec_t) -') - -optional_policy(` - gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) -') - -optional_policy(` - mozilla_manage_plugin_rw_files(prelink_t) -') - -optional_policy(` - rpm_manage_tmp_files(prelink_t) -') - -optional_policy(` - unconfined_domain(prelink_t) -') - -######################################## -# -# Cron system local policy -# - -optional_policy(` - allow prelink_cron_system_t self:capability setuid; - allow prelink_cron_system_t self:process { setsched setfscreate signal }; - allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; - allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms; - - read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) - allow prelink_cron_system_t prelink_cache_t:file delete_file_perms; - - domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) - allow prelink_cron_system_t prelink_t:process noatsecure; - - manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t) - - manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) - files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) - allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms; - - kernel_read_system_state(prelink_cron_system_t) - - corecmd_exec_bin(prelink_cron_system_t) - corecmd_exec_shell(prelink_cron_system_t) - - dev_list_sysfs(prelink_cron_system_t) - dev_read_sysfs(prelink_cron_system_t) - - files_rw_etc_dirs(prelink_cron_system_t) - files_dontaudit_search_all_mountpoints(prelink_cron_system_t) - - auth_use_nsswitch(prelink_cron_system_t) - - init_telinit(prelink_cron_system_t) - init_exec(prelink_cron_system_t) - - libs_exec_ld_so(prelink_cron_system_t) - - logging_search_logs(prelink_cron_system_t) - - miscfiles_read_localization(prelink_cron_system_t) - - cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) - - optional_policy(` - rpm_read_db(prelink_cron_system_t) - ') -') diff --git a/policy/modules/contrib/prelude.fc b/policy/modules/contrib/prelude.fc deleted file mode 100644 index 8dbc7637..00000000 --- a/policy/modules/contrib/prelude.fc +++ /dev/null @@ -1,25 +0,0 @@ -/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) - -/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) -/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) -/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) - -/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) - -/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t,s0) -/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) -/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) - -/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) - -/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) - -/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) - -/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0) - -/var/run/prelude-lml\.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) -/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) - -/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) -/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if deleted file mode 100644 index c83a838d..00000000 --- a/policy/modules/contrib/prelude.if +++ /dev/null @@ -1,147 +0,0 @@ -## <summary>Prelude hybrid intrusion detection system.</summary> - -######################################## -## <summary> -## Execute a domain transition to run prelude. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`prelude_domtrans',` - gen_require(` - type prelude_t, prelude_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, prelude_exec_t, prelude_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run prelude audisp. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`prelude_domtrans_audisp',` - gen_require(` - type prelude_audisp_t, prelude_audisp_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) -') - -######################################## -## <summary> -## Send generic signals to prelude audisp. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`prelude_signal_audisp',` - gen_require(` - type prelude_audisp_t; - ') - - allow $1 prelude_audisp_t:process signal; -') - -######################################## -## <summary> -## Read prelude spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`prelude_read_spool',` - gen_require(` - type prelude_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, prelude_spool_t, prelude_spool_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## prelude manager spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`prelude_manage_spool',` - gen_require(` - type prelude_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) - manage_files_pattern($1, prelude_spool_t, prelude_spool_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an prelude environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`prelude_admin',` - gen_require(` - type prelude_t, prelude_spool_t, prelude_lml_var_run_t; - type prelude_var_run_t, prelude_var_lib_t, prelude_log_t; - type prelude_audisp_t, prelude_audisp_var_run_t; - type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t; - ') - - allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }) - - init_labeled_script_domtrans($1, prelude_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 prelude_initrc_exec_t system_r; - allow $2 system_r; - - files_search_spool($1) - admin_pattern($1, prelude_spool_t) - - logging_search_logs($1) - admin_pattern($1, prelude_log_t) - - files_search_var_lib($1) - admin_pattern($1, prelude_var_lib_t) - - files_search_pids($1) - admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t }) - - files_search_tmp($1) - admin_pattern($1, prelude_lml_tmp_t) -') diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te deleted file mode 100644 index db864dfb..00000000 --- a/policy/modules/contrib/prelude.te +++ /dev/null @@ -1,304 +0,0 @@ -policy_module(prelude, 1.3.2) - -######################################## -# -# Declarations -# - -type prelude_t; -type prelude_exec_t; -init_daemon_domain(prelude_t, prelude_exec_t) - -type prelude_initrc_exec_t; -init_script_file(prelude_initrc_exec_t) - -type prelude_spool_t; -files_type(prelude_spool_t) - -type prelude_log_t; -logging_log_file(prelude_log_t) - -type prelude_var_run_t; -files_pid_file(prelude_var_run_t) - -type prelude_var_lib_t; -files_type(prelude_var_lib_t) - -type prelude_audisp_t; -type prelude_audisp_exec_t; -init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) -logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t) - -type prelude_audisp_var_run_t; -files_pid_file(prelude_audisp_var_run_t) - -type prelude_correlator_t; -type prelude_correlator_exec_t; -init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) - -type prelude_correlator_config_t; -files_config_file(prelude_correlator_config_t) - -type prelude_lml_t; -type prelude_lml_exec_t; -init_daemon_domain(prelude_lml_t, prelude_lml_exec_t) - -type prelude_lml_tmp_t; -files_tmp_file(prelude_lml_tmp_t) - -type prelude_lml_var_run_t; -files_pid_file(prelude_lml_var_run_t) - -######################################## -# -# Prelude local policy -# - -allow prelude_t self:capability { dac_override sys_tty_config }; -allow prelude_t self:fifo_file rw_fifo_file_perms; -allow prelude_t self:unix_stream_socket { accept listen }; -allow prelude_t self:tcp_socket { accept listen }; - -allow prelude_t prelude_log_t:dir setattr_dir_perms; -append_files_pattern(prelude_t, prelude_log_t, prelude_log_t) -create_files_pattern(prelude_t, prelude_log_t, prelude_log_t) -setattr_files_pattern(prelude_t, prelude_log_t, prelude_log_t) -logging_log_filetrans(prelude_t, prelude_log_t, file) - -manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t) -manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t) - -manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) -manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) - -manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) -manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) -manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) -files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file }) - -kernel_read_system_state(prelude_t) -kernel_read_sysctl(prelude_t) - -corecmd_search_bin(prelude_t) - -corenet_all_recvfrom_unlabeled(prelude_t) -corenet_all_recvfrom_netlabel(prelude_t) -corenet_tcp_sendrecv_generic_if(prelude_t) -corenet_tcp_sendrecv_generic_node(prelude_t) -corenet_tcp_bind_generic_node(prelude_t) - -corenet_sendrecv_prelude_server_packets(prelude_t) -corenet_tcp_bind_prelude_port(prelude_t) -corenet_sendrecv_prelude_client_packets(prelude_t) -corenet_tcp_connect_prelude_port(prelude_t) -corenet_tcp_sendrecv_prelude_port(prelude_t) - -dev_read_rand(prelude_t) -dev_read_urand(prelude_t) - -files_read_etc_runtime_files(prelude_t) -files_read_usr_files(prelude_t) -files_search_spool(prelude_t) -files_search_tmp(prelude_t) - -fs_rw_anon_inodefs_files(prelude_t) - -auth_use_nsswitch(prelude_t) - -logging_send_audit_msgs(prelude_t) -logging_send_syslog_msg(prelude_t) - -miscfiles_read_localization(prelude_t) - -optional_policy(` - mysql_stream_connect(prelude_t) - mysql_tcp_connect(prelude_t) -') - -optional_policy(` - postgresql_stream_connect(prelude_t) - postgresql_tcp_connect(prelude_t) -') - -######################################## -# -# Audisp local policy -# - -allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap }; -allow prelude_audisp_t self:process { getcap setcap }; -allow prelude_audisp_t self:fifo_file rw_fifo_file_perms; -allow prelude_audisp_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) -manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) - -manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t) -files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file) - -kernel_read_sysctl(prelude_audisp_t) -kernel_read_system_state(prelude_audisp_t) - -corecmd_search_bin(prelude_audisp_t) - -corenet_all_recvfrom_unlabeled(prelude_audisp_t) -corenet_all_recvfrom_netlabel(prelude_audisp_t) -corenet_tcp_sendrecv_generic_if(prelude_audisp_t) -corenet_tcp_sendrecv_generic_node(prelude_audisp_t) - -corenet_sendrecv_prelude_client_packets(prelude_audisp_t) -corenet_tcp_connect_prelude_port(prelude_audisp_t) -corenet_tcp_sendrecv_prelude_port(prelude_audisp_t) - -dev_read_rand(prelude_audisp_t) -dev_read_urand(prelude_audisp_t) - -domain_use_interactive_fds(prelude_audisp_t) - -files_read_etc_files(prelude_audisp_t) -files_read_etc_runtime_files(prelude_audisp_t) -files_search_spool(prelude_audisp_t) -files_search_tmp(prelude_audisp_t) - -logging_send_syslog_msg(prelude_audisp_t) - -miscfiles_read_localization(prelude_audisp_t) - -sysnet_dns_name_resolve(prelude_audisp_t) - -######################################## -# -# Correlator local policy -# - -allow prelude_correlator_t self:capability dac_override; -allow prelude_correlator_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t) -manage_files_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t) - -allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms; -read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) - -kernel_read_sysctl(prelude_correlator_t) - -corecmd_search_bin(prelude_correlator_t) - -corenet_all_recvfrom_unlabeled(prelude_correlator_t) -corenet_all_recvfrom_netlabel(prelude_correlator_t) -corenet_tcp_sendrecv_generic_if(prelude_correlator_t) -corenet_tcp_sendrecv_generic_node(prelude_correlator_t) - -corenet_sendrecv_prelude_client_packets(prelude_correlator_t) -corenet_tcp_connect_prelude_port(prelude_correlator_t) -corenet_tcp_sendrecv_prelude_port(prelude_correlator_t) - -dev_read_rand(prelude_correlator_t) -dev_read_urand(prelude_correlator_t) - -files_read_etc_files(prelude_correlator_t) -files_read_usr_files(prelude_correlator_t) -files_search_spool(prelude_correlator_t) - -logging_send_syslog_msg(prelude_correlator_t) - -miscfiles_read_localization(prelude_correlator_t) - -sysnet_dns_name_resolve(prelude_correlator_t) - -######################################## -# -# Lml local declarations -# - -allow prelude_lml_t self:capability dac_override; -allow prelude_lml_t self:fifo_file rw_fifo_file_perms; -allow prelude_lml_t self:unix_stream_socket connectto; - -manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) -manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) -files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) - -manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) -manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) - -manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) -manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) - -manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) -files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) - -kernel_read_system_state(prelude_lml_t) -kernel_read_sysctl(prelude_lml_t) - -corecmd_exec_bin(prelude_lml_t) - -corenet_all_recvfrom_unlabeled(prelude_lml_t) -corenet_all_recvfrom_netlabel(prelude_lml_t) -corenet_tcp_sendrecv_generic_if(prelude_lml_t) -corenet_tcp_sendrecv_generic_node(prelude_lml_t) - -corenet_sendrecv_prelude_client_packets(prelude_lml_t) -corenet_tcp_connect_prelude_port(prelude_lml_t) -corenet_tcp_sendrecv_prelude_port(prelude_lml_t) - -dev_read_rand(prelude_lml_t) -dev_read_urand(prelude_lml_t) - -files_list_etc(prelude_lml_t) -files_list_tmp(prelude_lml_t) -files_read_etc_runtime_files(prelude_lml_t) -files_search_spool(prelude_lml_t) - -fs_getattr_all_fs(prelude_lml_t) -fs_list_inotifyfs(prelude_lml_t) -fs_rw_anon_inodefs_files(prelude_lml_t) - -auth_use_nsswitch(prelude_lml_t) - -libs_exec_lib_files(prelude_lml_t) -libs_read_lib_files(prelude_lml_t) - -logging_send_syslog_msg(prelude_lml_t) -logging_read_generic_logs(prelude_lml_t) - -miscfiles_read_localization(prelude_lml_t) - -userdom_read_all_users_state(prelude_lml_t) - -optional_policy(` - apache_search_sys_content(prelude_lml_t) - apache_read_log(prelude_lml_t) -') - -######################################## -# -# Cgi Declarations -# - -optional_policy(` - apache_content_template(prewikka) - - can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) - - files_search_tmp(httpd_prewikka_script_t) - - kernel_read_sysctl(httpd_prewikka_script_t) - kernel_search_network_sysctl(httpd_prewikka_script_t) - - auth_use_nsswitch(httpd_prewikka_script_t) - - logging_send_syslog_msg(httpd_prewikka_script_t) - - apache_search_sys_content(httpd_prewikka_script_t) - - optional_policy(` - mysql_stream_connect(httpd_prewikka_script_t) - mysql_tcp_connect(httpd_prewikka_script_t) - ') - - optional_policy(` - postgresql_stream_connect(httpd_prewikka_script_t) - postgresql_tcp_connect(httpd_prewikka_script_t) - ') -') diff --git a/policy/modules/contrib/privoxy.fc b/policy/modules/contrib/privoxy.fc deleted file mode 100644 index 78197972..00000000 --- a/policy/modules/contrib/privoxy.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/privoxy/[^/]*\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) - -/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0) - -/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) - -/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0) - -/var/run/privoxy\.pid -- gen_context(system_u:object_r:privoxy_var_run_t,s0) diff --git a/policy/modules/contrib/privoxy.if b/policy/modules/contrib/privoxy.if deleted file mode 100644 index bdcee30f..00000000 --- a/policy/modules/contrib/privoxy.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>Privacy enhancing web proxy.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an privoxy environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`privoxy_admin',` - gen_require(` - type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t; - type privoxy_etc_rw_t, privoxy_var_run_t; - ') - - allow $1 privoxy_t:process { ptrace signal_perms }; - ps_process_pattern($1, privoxy_t) - - init_labeled_script_domtrans($1, privoxy_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 privoxy_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, privoxy_log_t) - - files_list_etc($1) - admin_pattern($1, privoxy_etc_rw_t) - - files_list_pids($1) - admin_pattern($1, privoxy_var_run_t) -') diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te deleted file mode 100644 index 85b1c9af..00000000 --- a/policy/modules/contrib/privoxy.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(privoxy, 1.11.1) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether privoxy can -## connect to all tcp ports. -## </p> -## </desc> -gen_tunable(privoxy_connect_any, false) - -type privoxy_t; -type privoxy_exec_t; -init_daemon_domain(privoxy_t, privoxy_exec_t) - -type privoxy_initrc_exec_t; -init_script_file(privoxy_initrc_exec_t) - -type privoxy_etc_rw_t; -files_type(privoxy_etc_rw_t) - -type privoxy_log_t; -logging_log_file(privoxy_log_t) - -type privoxy_var_run_t; -files_pid_file(privoxy_var_run_t) - -######################################## -# -# Local Policy -# - -allow privoxy_t self:capability { setgid setuid }; -dontaudit privoxy_t self:capability sys_tty_config; -allow privoxy_t self:tcp_socket { accept listen }; - -allow privoxy_t privoxy_etc_rw_t:file rw_file_perms; - -allow privoxy_t privoxy_log_t:dir setattr_dir_perms; -append_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t) -create_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t) -setattr_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t) -logging_log_filetrans(privoxy_t, privoxy_log_t, file) - -manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) -files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) - -kernel_read_kernel_sysctls(privoxy_t) -kernel_read_network_state(privoxy_t) -kernel_read_system_state(privoxy_t) - -corenet_all_recvfrom_unlabeled(privoxy_t) -corenet_all_recvfrom_netlabel(privoxy_t) -corenet_tcp_sendrecv_generic_if(privoxy_t) -corenet_tcp_sendrecv_generic_node(privoxy_t) -corenet_tcp_bind_generic_node(privoxy_t) - -corenet_sendrecv_http_client_packets(privoxy_t) -corenet_tcp_connect_http_port(privoxy_t) -corenet_tcp_sendrecv_http_port(privoxy_t) - -corenet_sendrecv_http_cache_server_packets(privoxy_t) -corenet_tcp_bind_http_cache_port(privoxy_t) -corenet_sendrecv_http_cache_client_packets(privoxy_t) -corenet_tcp_connect_http_cache_port(privoxy_t) -corenet_tcp_sendrecv_http_cache_port(privoxy_t) - -corenet_sendrecv_squid_client_packets(privoxy_t) -corenet_tcp_connect_squid_port(privoxy_t) -corenet_tcp_sendrecv_squid_port(privoxy_t) - -corenet_sendrecv_ftp_client_packets(privoxy_t) -corenet_tcp_connect_ftp_port(privoxy_t) -corenet_tcp_sendrecv_ftp_port(privoxy_t) - -corenet_sendrecv_pgpkeyserver_client_packets(privoxy_t) -corenet_tcp_connect_pgpkeyserver_port(privoxy_t) -corenet_tcp_sendrecv_pgpkeyserver_port(privoxy_t) - -corenet_sendrecv_tor_client_packets(privoxy_t) -corenet_tcp_connect_tor_port(privoxy_t) -corenet_tcp_sendrecv_tor_port(privoxy_t) - -dev_read_sysfs(privoxy_t) - -domain_use_interactive_fds(privoxy_t) - -fs_getattr_all_fs(privoxy_t) -fs_search_auto_mountpoints(privoxy_t) - -auth_use_nsswitch(privoxy_t) - -logging_send_syslog_msg(privoxy_t) - -miscfiles_read_localization(privoxy_t) - -userdom_dontaudit_use_unpriv_user_fds(privoxy_t) -userdom_dontaudit_search_user_home_dirs(privoxy_t) - -tunable_policy(`privoxy_connect_any',` - corenet_sendrecv_all_client_packets(privoxy_t) - corenet_tcp_connect_all_ports(privoxy_t) - corenet_tcp_sendrecv_all_ports(privoxy_t) -') - -optional_policy(` - seutil_sigchld_newrole(privoxy_t) -') - -optional_policy(` - udev_read_db(privoxy_t) -') diff --git a/policy/modules/contrib/procmail.fc b/policy/modules/contrib/procmail.fc deleted file mode 100644 index bdff6c93..00000000 --- a/policy/modules/contrib/procmail.fc +++ /dev/null @@ -1,6 +0,0 @@ -HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0) - -/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) - -/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) -/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --git a/policy/modules/contrib/procmail.if b/policy/modules/contrib/procmail.if deleted file mode 100644 index 00edeab1..00000000 --- a/policy/modules/contrib/procmail.if +++ /dev/null @@ -1,165 +0,0 @@ -## <summary>Procmail mail delivery agent.</summary> - -######################################## -## <summary> -## Execute procmail with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`procmail_domtrans',` - gen_require(` - type procmail_exec_t, procmail_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, procmail_exec_t, procmail_t) -') - -######################################## -## <summary> -## Execute procmail in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`procmail_exec',` - gen_require(` - type procmail_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, procmail_exec_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## procmail home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`procmail_manage_home_files',` - gen_require(` - type procmail_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 procmail_home_t:file manage_file_perms; -') - -######################################## -## <summary> -## Read procmail user home content files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`procmail_read_home_files',` - gen_require(` - type procmail_home_t; - - ') - - userdom_search_user_home_dirs($1) - allow $1 procmail_home_t:file read_file_perms; -') - -######################################## -## <summary> -## Relabel procmail home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`procmail_relabel_home_files',` - gen_require(` - type ppp_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 procmail_home_t:file relabel_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the procmail home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`procmail_home_filetrans_procmail_home',` - gen_require(` - type procmail_home_t; - ') - - userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3) -') - -######################################## -## <summary> -## Read procmail tmp files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`procmail_read_tmp_files',` - gen_require(` - type procmail_tmp_t; - ') - - files_search_tmp($1) - allow $1 procmail_tmp_t:file read_file_perms; -') - -######################################## -## <summary> -## Read and write procmail tmp files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`procmail_rw_tmp_files',` - gen_require(` - type procmail_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) -') diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te deleted file mode 100644 index d4471521..00000000 --- a/policy/modules/contrib/procmail.te +++ /dev/null @@ -1,147 +0,0 @@ -policy_module(procmail, 1.12.2) - -######################################## -# -# Declarations -# - -type procmail_t; -type procmail_exec_t; -application_domain(procmail_t, procmail_exec_t) -role system_r types procmail_t; - -type procmail_home_t; -userdom_user_home_content(procmail_home_t) - -type procmail_log_t; -logging_log_file(procmail_log_t) - -type procmail_tmp_t; -files_tmp_file(procmail_tmp_t) - -######################################## -# -# Local policy -# - -allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; -allow procmail_t self:process { setsched signal signull }; -allow procmail_t self:fifo_file rw_fifo_file_perms; -allow procmail_t self:tcp_socket { accept listen }; - -allow procmail_t procmail_home_t:file read_file_perms; - -allow procmail_t procmail_log_t:dir setattr_dir_perms; -create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) - -allow procmail_t procmail_tmp_t:file manage_file_perms; -files_tmp_filetrans(procmail_t, procmail_tmp_t, file) - -can_exec(procmail_t, procmail_exec_t) - -kernel_read_system_state(procmail_t) -kernel_read_kernel_sysctls(procmail_t) - -corenet_all_recvfrom_unlabeled(procmail_t) -corenet_all_recvfrom_netlabel(procmail_t) -corenet_tcp_sendrecv_generic_if(procmail_t) -corenet_tcp_sendrecv_generic_node(procmail_t) - -corenet_sendrecv_spamd_client_packets(procmail_t) -corenet_tcp_connect_spamd_port(procmail_t) -corenet_tcp_sendrecv_spamd_port(procmail_t) - -corenet_sendrecv_comsat_client_packets(procmail_t) -corenet_tcp_connect_comsat_port(procmail_t) -corenet_tcp_sendrecv_comsat_port(procmail_t) - -corecmd_exec_bin(procmail_t) -corecmd_exec_shell(procmail_t) - -dev_read_urand(procmail_t) - -fs_getattr_all_fs(procmail_t) -fs_search_auto_mountpoints(procmail_t) -fs_rw_anon_inodefs_files(procmail_t) - -auth_use_nsswitch(procmail_t) - -files_read_etc_runtime_files(procmail_t) -files_read_usr_files(procmail_t) - -logging_send_syslog_msg(procmail_t) - -miscfiles_read_localization(procmail_t) - -userdom_search_user_home_dirs(procmail_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(procmail_t) - fs_manage_nfs_files(procmail_t) - fs_manage_nfs_symlinks(procmail_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(procmail_t) - fs_manage_cifs_files(procmail_t) - fs_manage_cifs_symlinks(procmail_t) -') - -optional_policy(` - clamav_domtrans_clamscan(procmail_t) - clamav_search_lib(procmail_t) -') - -optional_policy(` - cyrus_stream_connect(procmail_t) -') - -optional_policy(` - mta_manage_spool(procmail_t) - mta_read_config(procmail_t) - mta_read_queue(procmail_t) - mta_manage_mail_home_rw_content(procmail_t) - mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir") - mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir") -') - -optional_policy(` - munin_dontaudit_search_lib(procmail_t) -') - -optional_policy(` - nagios_search_spool(procmail_t) -') - -optional_policy(` - postfix_dontaudit_rw_local_tcp_sockets(procmail_t) - postfix_dontaudit_use_fds(procmail_t) - postfix_read_spool_files(procmail_t) - postfix_read_local_state(procmail_t) - postfix_read_master_state(procmail_t) - postfix_rw_master_pipes(procmail_t) -') - -optional_policy(` - pyzor_domtrans(procmail_t) - pyzor_signal(procmail_t) -') - -optional_policy(` - sendmail_domtrans(procmail_t) - sendmail_signal(procmail_t) - sendmail_dontaudit_rw_tcp_sockets(procmail_t) - sendmail_dontaudit_rw_unix_stream_sockets(procmail_t) -') - -optional_policy(` - corenet_udp_bind_generic_port(procmail_t) - corenet_dontaudit_udp_bind_all_ports(procmail_t) - - spamassassin_domtrans_local_client(procmail_t) - spamassassin_domtrans_client(procmail_t) - spamassassin_read_lib_files(procmail_t) -') diff --git a/policy/modules/contrib/psad.fc b/policy/modules/contrib/psad.fc deleted file mode 100644 index 50528e97..00000000 --- a/policy/modules/contrib/psad.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0) - -/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0) - -/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0) - -/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) - -/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) - -/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0) diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if deleted file mode 100644 index d4dcf782..00000000 --- a/policy/modules/contrib/psad.if +++ /dev/null @@ -1,264 +0,0 @@ -## <summary>Intrusion Detection and Log Analysis with iptables.</summary> - -######################################## -## <summary> -## Execute a domain transition to run psad. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`psad_domtrans',` - gen_require(` - type psad_t, psad_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, psad_exec_t, psad_t) -') - -######################################## -## <summary> -## Send generic signals to psad. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`psad_signal',` - gen_require(` - type psad_t; - ') - - allow $1 psad_t:process signal; -') - -####################################### -## <summary> -## Send null signals to psad. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`psad_signull',` - gen_require(` - type psad_t; - ') - - allow $1 psad_t:process signull; -') - -######################################## -## <summary> -## Read psad configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`psad_read_config',` - gen_require(` - type psad_etc_t; - ') - - files_search_etc($1) - allow $1 psad_etc_t:dir list_dir_perms; - allow $1 psad_etc_t:file read_file_perms; - allow $1 psad_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## psad configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`psad_manage_config',` - gen_require(` - type psad_etc_t; - ') - - files_search_etc($1) - allow $1 psad_etc_t:dir manage_dir_perms; - allow $1 psad_etc_t:file manage_file_perms; - allow $1 psad_etc_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Read psad pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`psad_read_pid_files',` - gen_require(` - type psad_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, psad_var_run_t, psad_var_run_t) -') - -######################################## -## <summary> -## Read and write psad pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`psad_rw_pid_files',` - gen_require(` - type psad_var_run_t; - ') - - files_search_pids($1) - rw_files_pattern($1, psad_var_run_t, psad_var_run_t) -') - -######################################## -## <summary> -## Read psad log content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`psad_read_log',` - gen_require(` - type psad_var_log_t; - ') - - logging_search_logs($1) - allow $1 psad_var_log_t:dir list_dir_perms; - allow $1 psad_var_log_t:file read_file_perms; -') - -######################################## -## <summary> -## Append psad log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`psad_append_log',` - gen_require(` - type psad_var_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, psad_var_log_t, psad_var_log_t) -') - -######################################## -## <summary> -## Read and write psad fifo files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`psad_rw_fifo_file',` - gen_require(` - type psad_var_lib_t; - ') - - files_search_var_lib($1) - rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) -') - -####################################### -## <summary> -## Read and write psad temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`psad_rw_tmp_files',` - gen_require(` - type psad_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, psad_tmp_t, psad_tmp_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an psad environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`psad_admin',` - gen_require(` - type psad_t, psad_var_run_t, psad_var_log_t; - type psad_initrc_exec_t, psad_var_lib_t; - type psad_tmp_t; - ') - - allow $1 psad_t:process { ptrace signal_perms }; - ps_process_pattern($1, psad_t) - - init_labeled_script_domtrans($1, psad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 psad_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, psad_etc_t) - - files_search_pids($1) - admin_pattern($1, psad_var_run_t) - - logging_search_logs($1) - admin_pattern($1, psad_var_log_t) - - files_search_var_lib($1) - admin_pattern($1, psad_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, psad_tmp_t) -') diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te deleted file mode 100644 index 5427bb66..00000000 --- a/policy/modules/contrib/psad.te +++ /dev/null @@ -1,102 +0,0 @@ -policy_module(psad, 1.0.1) - -######################################## -# -# Declarations -# - -type psad_t; -type psad_exec_t; -init_daemon_domain(psad_t, psad_exec_t) - -type psad_etc_t; -files_config_file(psad_etc_t) - -type psad_initrc_exec_t; -init_script_file(psad_initrc_exec_t) - -type psad_var_lib_t; -files_type(psad_var_lib_t) - -type psad_var_log_t; -logging_log_file(psad_var_log_t) - -type psad_var_run_t; -files_pid_file(psad_var_run_t) - -type psad_tmp_t; -files_tmp_file(psad_tmp_t) - -######################################## -# -# Local policy -# - -allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; -dontaudit psad_t self:capability sys_tty_config; -allow psad_t self:process signal_perms; -allow psad_t self:fifo_file rw_fifo_file_perms; -allow psad_t self:rawip_socket create_socket_perms; - -allow psad_t psad_etc_t:dir list_dir_perms; -allow psad_t psad_etc_t:file read_file_perms; -allow psad_t psad_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) -append_files_pattern(psad_t, psad_var_log_t, psad_var_log_t) -create_files_pattern(psad_t, psad_var_log_t, psad_var_log_t) -setattr_files_pattern(psad_t, psad_var_log_t, psad_var_log_t) -logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) - -manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t) -manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) -manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) -files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file }) - -manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) -manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t) -files_tmp_filetrans(psad_t, psad_tmp_t, { file dir }) - -manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) - -kernel_read_system_state(psad_t) -kernel_read_network_state(psad_t) -kernel_read_net_sysctls(psad_t) - -corecmd_exec_bin(psad_t) -corecmd_exec_shell(psad_t) - -corenet_all_recvfrom_unlabeled(psad_t) -corenet_all_recvfrom_netlabel(psad_t) -corenet_tcp_sendrecv_generic_if(psad_t) -corenet_tcp_sendrecv_generic_node(psad_t) - -corenet_sendrecv_whois_client_packets(psad_t) -corenet_tcp_connect_whois_port(psad_t) -corenet_tcp_sendrecv_whois_port(psad_t) - -dev_read_urand(psad_t) - -files_read_etc_runtime_files(psad_t) -files_read_usr_files(psad_t) - -fs_getattr_all_fs(psad_t) - -auth_use_nsswitch(psad_t) - -logging_read_generic_logs(psad_t) -logging_read_syslog_config(psad_t) -logging_send_syslog_msg(psad_t) - -miscfiles_read_localization(psad_t) - -sysnet_exec_ifconfig(psad_t) - -optional_policy(` - iptables_domtrans(psad_t) -') - -optional_policy(` - mta_send_mail(psad_t) - mta_read_queue(psad_t) -') diff --git a/policy/modules/contrib/ptchown.fc b/policy/modules/contrib/ptchown.fc deleted file mode 100644 index dd96822d..00000000 --- a/policy/modules/contrib/ptchown.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) - -/usr/lib/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) diff --git a/policy/modules/contrib/ptchown.if b/policy/modules/contrib/ptchown.if deleted file mode 100644 index 97a1e7b1..00000000 --- a/policy/modules/contrib/ptchown.if +++ /dev/null @@ -1,65 +0,0 @@ -## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty.</summary> - -######################################## -## <summary> -## Execute a domain transition to run ptchown. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ptchown_domtrans',` - gen_require(` - type ptchown_t, ptchown_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ptchown_exec_t, ptchown_t) -') - -####################################### -## <summary> -## Execute ptchown in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ptchown_exec',` - gen_require(` - type ptchown_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ptchown_exec_t) -') - -######################################## -## <summary> -## Execute ptchown in the ptchown -## domain, and allow the specified -## role the ptchown domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`ptchown_run',` - gen_require(` - attribute_role ptchown_roles; - ') - - ptchown_domtrans($1) - roleattribute $2 ptchown_roles; -') diff --git a/policy/modules/contrib/ptchown.te b/policy/modules/contrib/ptchown.te deleted file mode 100644 index fb37f186..00000000 --- a/policy/modules/contrib/ptchown.te +++ /dev/null @@ -1,34 +0,0 @@ -policy_module(ptchown, 1.1.3) - -######################################## -# -# Declarations -# - -attribute_role ptchown_roles; -roleattribute system_r ptchown_roles; - -type ptchown_t; -type ptchown_exec_t; -application_domain(ptchown_t, ptchown_exec_t) -role ptchown_roles types ptchown_t; - -######################################## -# -# Local policy -# - -allow ptchown_t self:capability { chown fowner fsetid setuid }; -allow ptchown_t self:process { getcap setcap }; - -files_read_etc_files(ptchown_t) - -fs_rw_anon_inodefs_files(ptchown_t) - -term_setattr_generic_ptys(ptchown_t) -term_getattr_all_ptys(ptchown_t) -term_setattr_all_ptys(ptchown_t) -term_use_generic_ptys(ptchown_t) -term_use_ptmx(ptchown_t) - -miscfiles_read_localization(ptchown_t) diff --git a/policy/modules/contrib/publicfile.fc b/policy/modules/contrib/publicfile.fc deleted file mode 100644 index 68bd5f50..00000000 --- a/policy/modules/contrib/publicfile.fc +++ /dev/null @@ -1,6 +0,0 @@ -/usr/bin/publicfile-ftpd -- gen_context(system_u:object_r:publicfile_exec_t,s0) -/usr/bin/publicfile-httpd -- gen_context(system_u:object_r:publicfile_exec_t,s0) - -# this is the place where online content located -# set this to suit your needs -#/var/www(/.*)? gen_context(system_u:object_r:publicfile_content_t,s0) diff --git a/policy/modules/contrib/publicfile.if b/policy/modules/contrib/publicfile.if deleted file mode 100644 index f39eec61..00000000 --- a/policy/modules/contrib/publicfile.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>publicfile supplies files to the public through HTTP and FTP.</summary> diff --git a/policy/modules/contrib/publicfile.te b/policy/modules/contrib/publicfile.te deleted file mode 100644 index d7df1b3b..00000000 --- a/policy/modules/contrib/publicfile.te +++ /dev/null @@ -1,34 +0,0 @@ -policy_module(publicfile, 1.1.1) - -######################################## -# -# Declarations -# - -type publicfile_t; -type publicfile_exec_t; -init_daemon_domain(publicfile_t, publicfile_exec_t) - -type publicfile_content_t; -files_type(publicfile_content_t) - -######################################## -# -# Local policy -# - -allow publicfile_t self:capability { dac_override setgid setuid sys_chroot }; - -allow publicfile_t publicfile_content_t:dir list_dir_perms; -allow publicfile_t publicfile_content_t:file read_file_perms; -allow publicfile_t publicfile_content_t:lnk_file read_lnk_file_perms; - -files_search_var(publicfile_t) - -optional_policy(` - daemontools_ipc_domain(publicfile_t) -') - -optional_policy(` - ucspitcp_service_domain(publicfile_t, publicfile_exec_t) -') diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc deleted file mode 100644 index 6864479a..00000000 --- a/policy/modules/contrib/pulseaudio.fc +++ /dev/null @@ -1,9 +0,0 @@ -HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) -HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) -HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) - -/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) - -/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) - -/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if deleted file mode 100644 index fa3dc8ef..00000000 --- a/policy/modules/contrib/pulseaudio.if +++ /dev/null @@ -1,352 +0,0 @@ -## <summary>Pulseaudio network sound server.</summary> - -######################################## -## <summary> -## Role access for pulseaudio. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`pulseaudio_role',` - gen_require(` - attribute pulseaudio_tmpfsfile; - type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t; - type pulseaudio_tmp_t; - ') - - pulseaudio_run($2, $1) - - allow $2 pulseaudio_t:process { ptrace signal_perms }; - ps_process_pattern($2, pulseaudio_t) - - allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse") - userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth") - userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie") - - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms }; - - allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow pulseaudio_t $2:unix_stream_socket connectto; -') - -######################################## -## <summary> -## Execute a domain transition to run pulseaudio. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`pulseaudio_domtrans',` - gen_require(` - attribute pulseaudio_client; - type pulseaudio_t, pulseaudio_exec_t; - ') - - typeattribute $1 pulseaudio_client; - - corecmd_search_bin($1) - domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) -') - -######################################## -## <summary> -## Execute pulseaudio in the pulseaudio -## domain, and allow the specified role -## the pulseaudio domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_run',` - gen_require(` - attribute_role pulseaudio_roles; - ') - - pulseaudio_domtrans($1) - roleattribute $2 pulseaudio_roles; -') - -######################################## -## <summary> -## Execute pulseaudio in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_exec',` - gen_require(` - type pulseaudio_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, pulseaudio_exec_t) -') - -######################################## -## <summary> -## Do not audit attempts to execute pulseaudio. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`pulseaudio_dontaudit_exec',` - gen_require(` - type pulseaudio_exec_t; - ') - - dontaudit $1 pulseaudio_exec_t:file exec_file_perms; -') - -######################################## -## <summary> -## Send null signals to pulseaudio. -## processes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_signull',` - gen_require(` - type pulseaudio_t; - ') - - allow $1 pulseaudio_t:process signull; -') - -##################################### -## <summary> -## Connect to pulseaudio with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_stream_connect',` - gen_require(` - type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t) -') - -######################################## -## <summary> -## Send and receive messages from -## pulseaudio over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_dbus_chat',` - gen_require(` - type pulseaudio_t; - class dbus send_msg; - ') - - allow $1 pulseaudio_t:dbus send_msg; - allow pulseaudio_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Set attributes of pulseaudio home directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_setattr_home_dir',` - gen_require(` - type pulseaudio_home_t; - ') - - allow $1 pulseaudio_home_t:dir setattr_dir_perms; -') - -######################################## -## <summary> -## Read pulseaudio home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_read_home_files',` - refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.') - pulseaudio_read_home($1) -') - -######################################## -## <summary> -## Read pulseaudio home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_read_home',` - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 pulseaudio_home_t:dir list_dir_perms; - allow $1 pulseaudio_home_t:file read_file_perms; - allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Read and write Pulse Audio files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_rw_home_files',` - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) - rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## pulseaudio home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_manage_home_files',` - refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.') - pulseaudio_manage_home($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## pulseaudio home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pulseaudio_manage_home',` - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 pulseaudio_home_t:dir manage_dir_perms; - allow $1 pulseaudio_home_t:file manage_file_perms; - allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the pulseaudio -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`pulseaudio_home_filetrans_pulseaudio_home',` - gen_require(` - type pulseaudio_home_t; - ') - - userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3) -') - -######################################## -## <summary> -## Make the specified tmpfs file type -## pulseaudio tmpfs content. -## </summary> -## <param name="file_type"> -## <summary> -## File type to make pulseaudio tmpfs content. -## </summary> -## </param> -# -interface(`pulseaudio_tmpfs_content',` - gen_require(` - attribute pulseaudio_tmpfsfile; - ') - - typeattribute $1 pulseaudio_tmpfsfile; -') diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te deleted file mode 100644 index 09cd4ad4..00000000 --- a/policy/modules/contrib/pulseaudio.te +++ /dev/null @@ -1,254 +0,0 @@ -policy_module(pulseaudio, 1.5.4) - -######################################## -# -# Declarations -# - -attribute pulseaudio_client; -attribute pulseaudio_tmpfsfile; - -attribute_role pulseaudio_roles; - -type pulseaudio_t; -type pulseaudio_exec_t; -init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) -userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t) -role pulseaudio_roles types pulseaudio_t; - -type pulseaudio_home_t; -userdom_user_home_content(pulseaudio_home_t) - -type pulseaudio_tmp_t; -userdom_user_tmp_file(pulseaudio_tmp_t) - -type pulseaudio_tmpfs_t; -userdom_user_tmpfs_file(pulseaudio_tmpfs_t) - -type pulseaudio_var_lib_t; -files_type(pulseaudio_var_lib_t) - -type pulseaudio_var_run_t; -files_pid_file(pulseaudio_var_run_t) - -######################################## -# -# Local policy -# - -allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; -allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; -allow pulseaudio_t self:fifo_file rw_fifo_file_perms; -allow pulseaudio_t self:unix_stream_socket { accept connectto listen }; -allow pulseaudio_t self:unix_dgram_socket sendto; -allow pulseaudio_t self:tcp_socket { accept listen }; -allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; - -allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms; -allow pulseaudio_t pulseaudio_home_t:file manage_file_perms; -allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms; - -userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse") -userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth") -userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie") - -manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) -manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) -manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) -files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) -userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") -userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket") -userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native") - -manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) -manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) -fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file }) - -manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) - -manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) - -allow pulseaudio_t pulseaudio_client:process signull; -ps_process_pattern(pulseaudio_t, pulseaudio_client) - -can_exec(pulseaudio_t, pulseaudio_exec_t) - -kernel_getattr_proc(pulseaudio_t) -kernel_read_system_state(pulseaudio_t) -kernel_read_kernel_sysctls(pulseaudio_t) - -corecmd_exec_bin(pulseaudio_t) - -corenet_all_recvfrom_unlabeled(pulseaudio_t) -corenet_all_recvfrom_netlabel(pulseaudio_t) -corenet_tcp_sendrecv_generic_if(pulseaudio_t) -corenet_udp_sendrecv_generic_if(pulseaudio_t) -corenet_tcp_sendrecv_generic_node(pulseaudio_t) -corenet_udp_sendrecv_generic_node(pulseaudio_t) - -corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t) -corenet_tcp_bind_pulseaudio_port(pulseaudio_t) -corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t) - -corenet_sendrecv_soundd_server_packets(pulseaudio_t) -corenet_tcp_bind_soundd_port(pulseaudio_t) -corenet_tcp_sendrecv_soundd_port(pulseaudio_t) - -corenet_sendrecv_sap_server_packets(pulseaudio_t) -corenet_udp_bind_sap_port(pulseaudio_t) -corenet_udp_sendrecv_sap_port(pulseaudio_t) - -dev_read_sound(pulseaudio_t) -dev_write_sound(pulseaudio_t) -dev_read_sysfs(pulseaudio_t) -dev_read_urand(pulseaudio_t) - -files_read_usr_files(pulseaudio_t) - -fs_getattr_tmpfs(pulseaudio_t) -fs_getattr_all_fs(pulseaudio_t) -fs_list_inotifyfs(pulseaudio_t) -fs_rw_anon_inodefs_files(pulseaudio_t) -fs_search_auto_mountpoints(pulseaudio_t) - -term_use_all_ttys(pulseaudio_t) -term_use_all_ptys(pulseaudio_t) - -auth_use_nsswitch(pulseaudio_t) - -logging_send_syslog_msg(pulseaudio_t) - -miscfiles_read_localization(pulseaudio_t) - -userdom_search_user_home_dirs(pulseaudio_t) -userdom_write_user_tmp_sockets(pulseaudio_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(pulseaudio_t) - fs_manage_nfs_files(pulseaudio_t) - fs_manage_nfs_symlinks(pulseaudio_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(pulseaudio_t) - fs_manage_cifs_files(pulseaudio_t) - fs_manage_cifs_symlinks(pulseaudio_t) -') - -optional_policy(` - alsa_read_rw_config(pulseaudio_t) -') - -optional_policy(` - bluetooth_stream_connect(pulseaudio_t) -') - -optional_policy(` - dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) - dbus_all_session_bus_client(pulseaudio_t) - dbus_connect_all_session_bus(pulseaudio_t) - - optional_policy(` - consolekit_dbus_chat(pulseaudio_t) - ') - - optional_policy(` - hal_dbus_chat(pulseaudio_t) - ') - - optional_policy(` - policykit_dbus_chat(pulseaudio_t) - ') - - optional_policy(` - rpm_dbus_chat(pulseaudio_t) - ') -') - -optional_policy(` - rtkit_scheduled(pulseaudio_t) -') - -optional_policy(` - policykit_domtrans_auth(pulseaudio_t) - policykit_read_lib(pulseaudio_t) - policykit_read_reload(pulseaudio_t) -') - -optional_policy(` - udev_read_state(pulseaudio_t) - udev_read_db(pulseaudio_t) -') - -optional_policy(` - xserver_stream_connect(pulseaudio_t) - xserver_manage_xdm_tmp_files(pulseaudio_t) - xserver_read_xdm_lib_files(pulseaudio_t) - xserver_read_xdm_pid(pulseaudio_t) - xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) -') - -######################################## -# -# Client local policy -# - -allow pulseaudio_client self:unix_dgram_socket sendto; - -allow pulseaudio_client pulseaudio_client:process signull; - -read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }) -delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile) - -fs_getattr_tmpfs(pulseaudio_client) - -corenet_all_recvfrom_unlabeled(pulseaudio_client) -corenet_all_recvfrom_netlabel(pulseaudio_client) -corenet_tcp_sendrecv_generic_if(pulseaudio_client) -corenet_tcp_sendrecv_generic_node(pulseaudio_client) - -corenet_sendrecv_pulseaudio_client_packets(pulseaudio_client) -corenet_tcp_connect_pulseaudio_port(pulseaudio_client) -corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) - -pulseaudio_stream_connect(pulseaudio_client) -pulseaudio_manage_home(pulseaudio_client) -pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse") -pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") -pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") -pulseaudio_signull(pulseaudio_client) - - -# TODO: ~/.cache -userdom_manage_user_home_content_files(pulseaudio_client) - -userdom_read_user_tmpfs_files(pulseaudio_client) -# userdom_delete_user_tmpfs_files(pulseaudio_client) - -tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(pulseaudio_client) - fs_manage_nfs_dirs(pulseaudio_client) - fs_manage_nfs_files(pulseaudio_client) - fs_read_nfs_symlinks(pulseaudio_client) -') - -tunable_policy(`use_samba_home_dirs',` - fs_getattr_cifs(pulseaudio_client) - fs_manage_cifs_dirs(pulseaudio_client) - fs_manage_cifs_files(pulseaudio_client) - fs_read_cifs_symlinks(pulseaudio_client) -') - -optional_policy(` - pulseaudio_dbus_chat(pulseaudio_client) -') - -optional_policy(` - rtkit_scheduled(pulseaudio_client) -') diff --git a/policy/modules/contrib/puppet.fc b/policy/modules/contrib/puppet.fc deleted file mode 100644 index 04240b02..00000000 --- a/policy/modules/contrib/puppet.fc +++ /dev/null @@ -1,17 +0,0 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) - -/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) - -/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) - -/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) - -/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) - -/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if deleted file mode 100644 index 7cb8b1f9..00000000 --- a/policy/modules/contrib/puppet.if +++ /dev/null @@ -1,235 +0,0 @@ -## <summary>Configuration management system.</summary> - -######################################## -## <summary> -## Execute puppetca in the puppetca -## domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`puppet_domtrans_puppetca',` - gen_require(` - type puppetca_t, puppetca_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, puppetca_exec_t, puppetca_t) -') - -##################################### -## <summary> -## Execute puppetca in the puppetca -## domain and allow the specified -## role the puppetca domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`puppet_run_puppetca',` - gen_require(` - attribute_role puppetca_roles; - ') - - puppet_domtrans_puppetca($1) - roleattribute $2 puppetca_roles; -') - -#################################### -## <summary> -## Read puppet configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`puppet_read_config',` - gen_require(` - type puppet_etc_t; - ') - - files_search_etc($1) - allow $1 puppet_etc_t:dir list_dir_perms; - allow $1 puppet_etc_t:file read_file_perms; - allow $1 puppet_etc_t:lnk_file read_lnk_file_perms; -') - -################################################ -## <summary> -## Read Puppet lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`puppet_read_lib_files',` - gen_require(` - type puppet_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) -') - -############################################### -## <summary> -## Create, read, write, and delete -## puppet lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`puppet_manage_lib_files',` - gen_require(` - type puppet_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) -') - -##################################### -## <summary> -## Append puppet log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`puppet_append_log_files',` - gen_require(` - type puppet_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, puppet_log_t, puppet_log_t) -') - -##################################### -## <summary> -## Create puppet log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`puppet_create_log_files',` - gen_require(` - type puppet_log_t; - ') - - logging_search_logs($1) - create_files_pattern($1, puppet_log_t, puppet_log_t) -') - -##################################### -## <summary> -## Read puppet log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`puppet_read_log_files',` - gen_require(` - type puppet_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, puppet_log_t, puppet_log_t) -') - -################################################ -## <summary> -## Read and write to puppet tempoprary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`puppet_rw_tmp', ` - gen_require(` - type puppet_tmp_t; - ') - - files_search_tmp($1) - allow $1 puppet_tmp_t:file rw_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an puppet environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`puppet_admin',` - gen_require(` - type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t; - type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t; - type puppet_var_run_t, puppetmaster_tmp_t; - type puppet_t, puppetca_t, puppetmaster_t; - ') - - allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t }) - - init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, puppet_etc_t) - - logging_search_logs($1) - admin_pattern($1, puppet_log_t) - - files_search_var_lib($1) - admin_pattern($1, puppet_var_lib_t) - - files_search_pids($1) - admin_pattern($1, puppet_var_run_t) - - files_search_tmp($1) - admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t }) - - puppet_run_puppetca($1, $2) -') diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te deleted file mode 100644 index 9f89323d..00000000 --- a/policy/modules/contrib/puppet.te +++ /dev/null @@ -1,409 +0,0 @@ -policy_module(puppet, 1.3.7) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether puppet can -## manage all non-security files. -## </p> -## </desc> -gen_tunable(puppet_manage_all_files, false) - -attribute_role puppetca_roles; -roleattribute system_r puppetca_roles; - -type puppet_t; -type puppet_exec_t; -init_daemon_domain(puppet_t, puppet_exec_t) - -type puppet_etc_t; -files_config_file(puppet_etc_t) - -type puppet_initrc_exec_t; -init_script_file(puppet_initrc_exec_t) - -type puppet_log_t; -logging_log_file(puppet_log_t) - -type puppet_tmp_t; -files_tmp_file(puppet_tmp_t) - -type puppet_var_lib_t; -files_type(puppet_var_lib_t) - -type puppet_var_run_t; -files_pid_file(puppet_var_run_t) -init_daemon_run_dir(puppet_var_run_t, "puppet") - -type puppetca_t; -type puppetca_exec_t; -application_domain(puppetca_t, puppetca_exec_t) -role puppetca_roles types puppetca_t; - -type puppetmaster_t; -type puppetmaster_exec_t; -init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) - -type puppetmaster_initrc_exec_t; -init_script_file(puppetmaster_initrc_exec_t) - -type puppetmaster_tmp_t; -files_tmp_file(puppetmaster_tmp_t) - -######################################## -# -# Local policy -# - -allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config }; -allow puppet_t self:process { signal signull getsched setsched }; -allow puppet_t self:fifo_file rw_fifo_file_perms; -allow puppet_t self:netlink_route_socket create_netlink_socket_perms; -allow puppet_t self:tcp_socket { accept listen }; -allow puppet_t self:udp_socket create_socket_perms; - -allow puppet_t puppet_etc_t:dir list_dir_perms; -allow puppet_t puppet_etc_t:file read_file_perms; -allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -can_exec(puppet_t, puppet_var_lib_t) - -setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) - -allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms }; -append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -read_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) - -manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) - -kernel_dontaudit_search_sysctl(puppet_t) -kernel_dontaudit_search_kernel_sysctl(puppet_t) -kernel_read_crypto_sysctls(puppet_t) -kernel_read_kernel_sysctls(puppet_t) -kernel_read_net_sysctls(puppet_t) -kernel_read_network_state(puppet_t) - -corecmd_exec_bin(puppet_t) -corecmd_exec_shell(puppet_t) -corecmd_read_all_executables(puppet_t) - -corenet_all_recvfrom_netlabel(puppet_t) -corenet_all_recvfrom_unlabeled(puppet_t) -corenet_tcp_sendrecv_generic_if(puppet_t) -corenet_tcp_sendrecv_generic_node(puppet_t) - -corenet_sendrecv_puppet_client_packets(puppet_t) -corenet_tcp_connect_puppet_port(puppet_t) -corenet_tcp_sendrecv_puppet_port(puppet_t) - -dev_read_rand(puppet_t) -dev_read_sysfs(puppet_t) -dev_read_urand(puppet_t) - -domain_interactive_fd(puppet_t) -domain_read_all_domains_state(puppet_t) - -files_manage_config_files(puppet_t) -files_manage_config_dirs(puppet_t) -files_manage_etc_dirs(puppet_t) -files_manage_etc_files(puppet_t) -files_read_usr_files(puppet_t) -files_read_usr_symlinks(puppet_t) -files_relabel_config_dirs(puppet_t) -files_relabel_config_files(puppet_t) -files_search_var_lib(puppet_t) - -selinux_get_fs_mount(puppet_t) -selinux_search_fs(puppet_t) -selinux_set_all_booleans(puppet_t) -selinux_set_generic_booleans(puppet_t) -selinux_validate_context(puppet_t) - -term_dontaudit_getattr_unallocated_ttys(puppet_t) -term_dontaudit_getattr_all_ttys(puppet_t) - -init_all_labeled_script_domtrans(puppet_t) -init_domtrans_script(puppet_t) -init_read_utmp(puppet_t) -init_signull_script(puppet_t) - -logging_send_syslog_msg(puppet_t) - -miscfiles_read_hwdata(puppet_t) -miscfiles_read_localization(puppet_t) - -mount_domtrans(puppet_t) - -seutil_domtrans_setfiles(puppet_t) -seutil_domtrans_semanage(puppet_t) - -sysnet_run_ifconfig(puppet_t, system_r) -sysnet_use_ldap(puppet_t) - -tunable_policy(`puppet_manage_all_files',` - files_manage_non_auth_files(puppet_t) -') - -optional_policy(` - cfengine_read_lib_files(puppet_t) -') - -optional_policy(` - consoletype_exec(puppet_t) -') - -optional_policy(` - hostname_exec(puppet_t) -') - -optional_policy(` - mount_domtrans(puppet_t) -') - -optional_policy(` - mta_send_mail(puppet_t) -') - -optional_policy(` - portage_domtrans(puppet_t) - portage_domtrans_fetch(puppet_t) - portage_domtrans_gcc_config(puppet_t) -') - -optional_policy(` - files_rw_var_files(puppet_t) - - rpm_domtrans(puppet_t) - rpm_manage_db(puppet_t) - rpm_manage_log(puppet_t) -') - -optional_policy(` - unconfined_domain(puppet_t) -') - -optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) -') - -######################################## -# -# Ca local policy -# - -allow puppetca_t self:capability { dac_override setgid setuid }; -allow puppetca_t self:fifo_file rw_fifo_file_perms; - -allow puppetca_t puppet_etc_t:dir list_dir_perms; -allow puppetca_t puppet_etc_t:file read_file_perms; -allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms; - -allow puppetca_t puppet_var_lib_t:dir list_dir_perms; -manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) - -allow puppetca_t puppet_log_t:dir search_dir_perms; - -allow puppetca_t puppet_var_run_t:dir search_dir_perms; - -kernel_read_system_state(puppetca_t) -kernel_read_kernel_sysctls(puppetca_t) - -corecmd_exec_bin(puppetca_t) -corecmd_exec_shell(puppetca_t) - -dev_read_urand(puppetca_t) -dev_search_sysfs(puppetca_t) - -files_read_etc_files(puppetca_t) -files_search_pids(puppetca_t) -files_search_var_lib(puppetca_t) - -selinux_validate_context(puppetca_t) - -logging_search_logs(puppetca_t) - -miscfiles_read_localization(puppetca_t) -miscfiles_read_generic_certs(puppetca_t) - -seutil_read_file_contexts(puppetca_t) - -optional_policy(` - hostname_exec(puppetca_t) -') - -######################################## -# -# Master local policy -# - -allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -allow puppetmaster_t self:process { signal_perms getsched setsched }; -allow puppetmaster_t self:fifo_file rw_fifo_file_perms; -allow puppetmaster_t self:netlink_route_socket nlmsg_write; -allow puppetmaster_t self:socket create; -allow puppetmaster_t self:tcp_socket { accept listen }; - -allow puppetmaster_t puppet_etc_t:dir list_dir_perms; -allow puppetmaster_t puppet_etc_t:file read_file_perms; -allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms; - -allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; -append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) -create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) -setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) -logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) - -allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms }; -allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms }; - -allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms }; -allow puppetmaster_t puppet_var_run_t:file manage_file_perms; -files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) - -allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms }; -allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms; -files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) - -kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) -kernel_read_network_state(puppetmaster_t) -kernel_read_system_state(puppetmaster_t) -kernel_read_crypto_sysctls(puppetmaster_t) -kernel_read_kernel_sysctls(puppetmaster_t) - -corecmd_exec_bin(puppetmaster_t) -corecmd_exec_shell(puppetmaster_t) - -corenet_all_recvfrom_netlabel(puppetmaster_t) -corenet_all_recvfrom_unlabeled(puppetmaster_t) -corenet_tcp_sendrecv_generic_if(puppetmaster_t) -corenet_tcp_sendrecv_generic_node(puppetmaster_t) -corenet_tcp_bind_generic_node(puppetmaster_t) - -corenet_sendrecv_puppet_server_packets(puppetmaster_t) -corenet_tcp_bind_puppet_port(puppetmaster_t) -corenet_tcp_sendrecv_puppet_port(puppetmaster_t) - -dev_read_rand(puppetmaster_t) -dev_read_urand(puppetmaster_t) -dev_search_sysfs(puppetmaster_t) - -domain_obj_id_change_exemption(puppetmaster_t) -domain_read_all_domains_state(puppetmaster_t) - -files_read_usr_files(puppetmaster_t) - -selinux_validate_context(puppetmaster_t) - -auth_use_nsswitch(puppetmaster_t) - -logging_send_syslog_msg(puppetmaster_t) - -miscfiles_read_generic_certs(puppetmaster_t) -miscfiles_read_localization(puppetmaster_t) - -seutil_read_file_contexts(puppetmaster_t) - -sysnet_run_ifconfig(puppetmaster_t, system_r) - -optional_policy(` - hostname_exec(puppetmaster_t) -') - -optional_policy(` - mta_send_mail(puppetmaster_t) -') - -optional_policy(` - mysql_stream_connect(puppetmaster_t) -') - -optional_policy(` - postgresql_stream_connect(puppetmaster_t) -') - -optional_policy(` - files_read_usr_symlinks(puppetmaster_t) - - rpm_exec(puppetmaster_t) - rpm_read_db(puppetmaster_t) -') - -ifdef(`distro_gentoo',` - ########################################## - # - # Puppet master policy - # - - rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) - - manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) - - optional_policy(` - usermanage_check_exec_passwd(puppetmaster_t) - usermanage_check_exec_useradd(puppetmaster_t) - ') - - ########################################### - # - # Puppet client policy - # - corenet_tcp_bind_generic_node(puppet_t) - - corenet_sendrecv_puppetclient_server_packets(puppet_t) - corenet_tcp_bind_puppetclient_port(puppet_t) - corenet_tcp_sendrecv_puppetclient_port(puppet_t) - - usermanage_domtrans_passwd(puppet_t) - - tunable_policy(`puppet_manage_all_files',` - # We should use files_relabel_all_files here, but it calls - # seutil_relabelto_bin_policy which sets a "typeattribute type attr", - # which is not allowed within a tunable_policy. - # So, we duplicate the content of files_relabel_all_files except for - # the policy configuration stuff and hope users do that through Portage - - gen_require(` - attribute file_type; - attribute security_file_type; - type policy_config_t; - ') - - allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms; - relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - # this is only relabelfrom since there should be no - # device nodes with file types. - relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - ') - - optional_policy(` - dmidecode_domtrans(puppet_t) - ') - - optional_policy(` - init_exec_rc(puppet_t) - portage_read_cache(puppet_t) - portage_read_config(puppet_t) - portage_read_ebuild(puppet_t) - portage_run(puppet_t, system_r) - ') -') diff --git a/policy/modules/contrib/pwauth.fc b/policy/modules/contrib/pwauth.fc deleted file mode 100644 index 7e7b4443..00000000 --- a/policy/modules/contrib/pwauth.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0) - -/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) diff --git a/policy/modules/contrib/pwauth.if b/policy/modules/contrib/pwauth.if deleted file mode 100644 index 1148dce1..00000000 --- a/policy/modules/contrib/pwauth.if +++ /dev/null @@ -1,72 +0,0 @@ -## <summary>External plugin for mod_authnz_external authenticator.</summary> - -######################################## -## <summary> -## Role access for pwauth. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`pwauth_role',` - gen_require(` - type pwauth_t; - ') - - pwauth_run($2, $1) - - ps_process_pattern($2, pwauth_t) - allow $2 pwauth_t:process { ptrace signal_perms }; -') - -######################################## -## <summary> -## Execute pwauth in the pwauth domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`pwauth_domtrans',` - gen_require(` - type pwauth_t, pwauth_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pwauth_exec_t, pwauth_t) -') - -######################################## -## <summary> -## Execute pwauth in the pwauth -## domain, and allow the specified -## role the pwauth domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`pwauth_run',` - gen_require(` - attribute_role pwauth_roles; - ') - - pwauth_domtrans($1) - roleattribute $2 pwauth_roles; -') diff --git a/policy/modules/contrib/pwauth.te b/policy/modules/contrib/pwauth.te deleted file mode 100644 index 3078e349..00000000 --- a/policy/modules/contrib/pwauth.te +++ /dev/null @@ -1,42 +0,0 @@ -policy_module(pwauth, 1.0.0) - -######################################## -# -# Declarations -# - -attribute_role pwauth_roles; -roleattribute system_r pwauth_roles; - -type pwauth_t; -type pwauth_exec_t; -application_domain(pwauth_t, pwauth_exec_t) -role pwauth_roles types pwauth_t; - -type pwauth_var_run_t; -files_pid_file(pwauth_var_run_t) - -######################################## -# -# Local policy -# - -allow pwauth_t self:capability setuid; -allow pwauth_t self:process setrlimit; -allow pwauth_t self:fifo_file manage_fifo_file_perms; -allow pwauth_t self:unix_stream_socket { accept listen }; - -manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t) -files_pid_filetrans(pwauth_t, pwauth_var_run_t, file) - -domain_use_interactive_fds(pwauth_t) - -auth_domtrans_chkpwd(pwauth_t) -auth_use_nsswitch(pwauth_t) - -init_read_utmp(pwauth_t) - -logging_send_syslog_msg(pwauth_t) -logging_send_audit_msgs(pwauth_t) - -miscfiles_read_localization(pwauth_t) diff --git a/policy/modules/contrib/pxe.fc b/policy/modules/contrib/pxe.fc deleted file mode 100644 index 132ad02c..00000000 --- a/policy/modules/contrib/pxe.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/pxe -- gen_context(system_u:object_r:pxe_initrc_exec_t,s0) - -/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0) - -/var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0) - -/var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) diff --git a/policy/modules/contrib/pxe.if b/policy/modules/contrib/pxe.if deleted file mode 100644 index 7da286fb..00000000 --- a/policy/modules/contrib/pxe.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Server for the PXE network boot protocol.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an pxe environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`pxe_admin',` - gen_require(` - type pxe_t, pxe_initrc_exec_t, pxe_log_t; - type pxe_var_run_t; - ') - - allow $1 pxe_t:process { ptrace signal_perms }; - ps_process_pattern($1, pxe_t) - - init_labeled_script_domtrans($1, pxe_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pxe_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, pxe_log_t) - - files_search_pids($1) - admin_pattern($1, pxe_var_run_t) -') diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te deleted file mode 100644 index 72db7079..00000000 --- a/policy/modules/contrib/pxe.te +++ /dev/null @@ -1,71 +0,0 @@ -policy_module(pxe, 1.4.1) - -######################################## -# -# Declarations -# - -type pxe_t; -type pxe_exec_t; -init_daemon_domain(pxe_t, pxe_exec_t) - -type pxe_initrc_exec_t; -init_script_file(pxe_initrc_exec_t) - -type pxe_log_t; -logging_log_file(pxe_log_t) - -type pxe_var_run_t; -files_pid_file(pxe_var_run_t) - -######################################## -# -# Local policy -# - -allow pxe_t self:capability { chown setgid setuid }; -dontaudit pxe_t self:capability sys_tty_config; -allow pxe_t self:process signal_perms; - -allow pxe_t pxe_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(pxe_t, pxe_log_t, file) - -manage_files_pattern(pxe_t, pxe_var_run_t, pxe_var_run_t) -files_pid_filetrans(pxe_t, pxe_var_run_t, file) - -kernel_read_kernel_sysctls(pxe_t) -kernel_read_system_state(pxe_t) - -corenet_all_recvfrom_unlabeled(pxe_t) -corenet_all_recvfrom_netlabel(pxe_t) -corenet_udp_sendrecv_generic_if(pxe_t) -corenet_udp_sendrecv_generic_node(pxe_t) -corenet_udp_bind_generic_node(pxe_t) - -corenet_sendrecv_pxe_server_packets(pxe_t) -corenet_udp_bind_pxe_port(pxe_t) -corenet_udp_sendrecv_pxe_port(pxe_t) - -dev_read_sysfs(pxe_t) - -domain_use_interactive_fds(pxe_t) - -files_read_etc_files(pxe_t) - -fs_getattr_all_fs(pxe_t) -fs_search_auto_mountpoints(pxe_t) - -logging_send_syslog_msg(pxe_t) - -miscfiles_read_localization(pxe_t) - -userdom_dontaudit_use_unpriv_user_fds(pxe_t) -userdom_dontaudit_search_user_home_dirs(pxe_t) - -optional_policy(` - seutil_sigchld_newrole(pxe_t) -') - -optional_policy(` - udev_read_db(pxe_t) -') diff --git a/policy/modules/contrib/pyicqt.fc b/policy/modules/contrib/pyicqt.fc deleted file mode 100644 index 0c143e3e..00000000 --- a/policy/modules/contrib/pyicqt.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0) - -/etc/rc\.d/init\.d/pyicq-t -- gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0) - -/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) - -/var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0) - -/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) - -/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0) diff --git a/policy/modules/contrib/pyicqt.if b/policy/modules/contrib/pyicqt.if deleted file mode 100644 index 0ccea828..00000000 --- a/policy/modules/contrib/pyicqt.if +++ /dev/null @@ -1,45 +0,0 @@ -## <summary>ICQ transport for XMPP server.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an pyicqt environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`pyicqt_admin',` - gen_require(` - type pyicqt_t, pyicqt_log_t, pyicqt_spool_t; - type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t; - ') - - allow $1 pyicqt_t:process { ptrace signal_perms }; - ps_process_pattern($1, pyicqt_t) - - init_labeled_script_domtrans($1, pyicqt_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pyicqt_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, pyicqt_conf_t) - - logging_search_logs($1) - admin_pattern($1, pyicqt_log_t) - - files_search_spool($1) - admin_pattern($1, pyicqt_spool_t) - - files_search_pids($1) - admin_pattern($1, pyicqt_var_run_t) -') diff --git a/policy/modules/contrib/pyicqt.te b/policy/modules/contrib/pyicqt.te deleted file mode 100644 index 99bebbd7..00000000 --- a/policy/modules/contrib/pyicqt.te +++ /dev/null @@ -1,92 +0,0 @@ -policy_module(pyicqt, 1.0.1) - -######################################## -# -# Declarations -# - -type pyicqt_t; -type pyicqt_exec_t; -init_daemon_domain(pyicqt_t, pyicqt_exec_t) - -type pyicqt_initrc_exec_t; -init_script_file(pyicqt_initrc_exec_t) - -type pyicqt_conf_t; -files_config_file(pyicqt_conf_t) - -type pyicqt_log_t; -logging_log_file(pyicqt_log_t) - -type pyicqt_spool_t; -files_type(pyicqt_spool_t) - -type pyicqt_var_run_t; -files_pid_file(pyicqt_var_run_t) - -######################################## -# -# Local policy -# - -allow pyicqt_t self:process signal_perms; -allow pyicqt_t self:fifo_file rw_fifo_file_perms; -allow pyicqt_t self:tcp_socket { accept listen }; - -read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t) - -allow pyicqt_t pyicqt_log_t:file append_file_perms; -allow pyicqt_t pyicqt_log_t:file create_file_perms; -allow pyicqt_t pyicqt_log_t:file setattr_file_perms; -logging_log_filetrans(pyicqt_t, pyicqt_log_t, file) - -manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) -manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) -files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir) - -manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t) -files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file) - -kernel_read_system_state(pyicqt_t) - -corecmd_exec_bin(pyicqt_t) - -corenet_all_recvfrom_unlabeled(pyicqt_t) -corenet_all_recvfrom_netlabel(pyicqt_t) -corenet_tcp_sendrecv_generic_if(pyicqt_t) -corenet_tcp_sendrecv_generic_node(pyicqt_t) -corenet_tcp_bind_generic_node(pyicqt_t) - -# corenet_sendrecv_jabber_router_server_packets(pyicqt_t) -# corenet_tcp_bind_jabber_router_port(pyicqt_t) -# corenet_sendrecv_jabber_router_client_packets(pyicqt_t) -# corenet_tcp_connect_jabber_router_port(pyicqt_t) -# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t) - -dev_read_sysfs(pyicqt_t) -dev_read_urand(pyicqt_t) - -files_read_usr_files(pyicqt_t) - -fs_getattr_all_fs(pyicqt_t) - -auth_use_nsswitch(pyicqt_t) - -libs_read_lib_files(pyicqt_t) - -logging_send_syslog_msg(pyicqt_t) - -miscfiles_read_localization(pyicqt_t) - -optional_policy(` - jabber_manage_lib_files(pyicqt_t) -') - -optional_policy(` - mysql_stream_connect(pyicqt_t) - mysql_tcp_connect(pyicqt_t) -') - -optional_policy(` - seutil_sigchld_newrole(pyicqt_t) -') diff --git a/policy/modules/contrib/pyzor.fc b/policy/modules/contrib/pyzor.fc deleted file mode 100644 index af13139a..00000000 --- a/policy/modules/contrib/pyzor.fc +++ /dev/null @@ -1,12 +0,0 @@ -HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) - -/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) - -/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) - -/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) -/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) - -/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) - -/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0) diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if deleted file mode 100644 index 593c03d0..00000000 --- a/policy/modules/contrib/pyzor.if +++ /dev/null @@ -1,136 +0,0 @@ -## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary> - -######################################## -## <summary> -## Role access for pyzor. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role -## </summary> -## </param> -# -interface(`pyzor_role',` - gen_require(` - attribute_role pyzor_roles; - type pyzor_t, pyzor_exec_t, pyzor_home_t; - type pyzor_tmp_t; - ') - - roleattribute $1 pyzor_roles; - - domtrans_pattern($2, pyzor_exec_t, pyzor_t) - - allow $2 pyzor_t:process { ptrace signal_perms }; - ps_process_pattern($2, pyzor_t) - - allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor") -') - -######################################## -## <summary> -## Send generic signals to pyzor. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pyzor_signal',` - gen_require(` - type pyzor_t; - ') - - allow $1 pyzor_t:process signal; -') - -######################################## -## <summary> -## Execute pyzor with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`pyzor_domtrans',` - gen_require(` - type pyzor_exec_t, pyzor_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pyzor_exec_t, pyzor_t) -') - -######################################## -## <summary> -## Execute pyzor in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`pyzor_exec',` - gen_require(` - type pyzor_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, pyzor_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an pyzor environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`pyzor_admin',` - gen_require(` - type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t; - type pyzor_var_lib_t, pyzor_etc_t; - ') - - allow $1 pyzord_t:process { ptrace signal_perms }; - ps_process_pattern($1, pyzord_t) - - init_labeled_script_domtrans($1, pyzord_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pyzord_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, pyzor_etc_t) - - logging_search_logs($1) - admin_pattern($1, pyzord_log_t) - - files_search_var_lib($1) - admin_pattern($1, pyzor_var_lib_t) - - pyzor_role($2, $1) -') diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te deleted file mode 100644 index 6c456d22..00000000 --- a/policy/modules/contrib/pyzor.te +++ /dev/null @@ -1,160 +0,0 @@ -policy_module(pyzor, 2.2.1) - -######################################## -# -# Declarations -# - -attribute_role pyzor_roles; -roleattribute system_r pyzor_roles; - -type pyzor_t; -type pyzor_exec_t; -typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; -typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; -userdom_user_application_domain(pyzor_t, pyzor_exec_t) -role pyzor_roles types pyzor_t; - -type pyzor_etc_t; -files_type(pyzor_etc_t) - -type pyzor_home_t; -typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; -typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; -userdom_user_home_content(pyzor_home_t) - -type pyzor_tmp_t; -typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; -typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; -userdom_user_tmp_file(pyzor_tmp_t) - -type pyzor_var_lib_t; -typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; -typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; -files_type(pyzor_var_lib_t) -ubac_constrained(pyzor_var_lib_t) - -type pyzord_t; -type pyzord_exec_t; -init_daemon_domain(pyzord_t, pyzord_exec_t) - -type pyzord_initrc_exec_t; -init_script_file(pyzord_initrc_exec_t) - -type pyzord_log_t; -logging_log_file(pyzord_log_t) - -######################################## -# -# Local policy -# - -manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor") - -allow pyzor_t pyzor_var_lib_t:dir list_dir_perms; -read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t) - -manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) -manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) -files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(pyzor_t) -kernel_read_system_state(pyzor_t) - -corecmd_list_bin(pyzor_t) -corecmd_getattr_bin_files(pyzor_t) - -corenet_all_recvfrom_unlabeled(pyzor_t) -corenet_all_recvfrom_netlabel(pyzor_t) -corenet_tcp_sendrecv_generic_if(pyzor_t) -corenet_tcp_sendrecv_generic_node(pyzor_t) - -corenet_sendrecv_http_client_packets(pyzor_t) -corenet_tcp_connect_http_port(pyzor_t) -corenet_tcp_sendrecv_http_port(pyzor_t) - -dev_read_urand(pyzor_t) - -fs_getattr_all_fs(pyzor_t) -fs_search_auto_mountpoints(pyzor_t) - -auth_use_nsswitch(pyzor_t) - -miscfiles_read_localization(pyzor_t) - -mta_read_queue(pyzor_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(pyzor_t) - fs_manage_nfs_files(pyzor_t) - fs_manage_nfs_symlinks(pyzor_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(pyzor_t) - fs_manage_cifs_files(pyzor_t) - fs_manage_cifs_symlinks(pyzor_t) -') - -optional_policy(` - amavis_manage_lib_files(pyzor_t) - amavis_manage_spool_files(pyzor_t) -') - -optional_policy(` - spamassassin_signal_spamd(pyzor_t) - spamassassin_read_spamd_tmp_files(pyzor_t) -') - -######################################## -# -# Daemon local policy -# - -allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms; -manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t) -files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir }) - -allow pyzord_t pyzor_etc_t:dir list_dir_perms; -allow pyzord_t pyzor_etc_t:file read_file_perms; -allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms; - -allow pyzord_t pyzord_log_t:dir setattr_dir_perms; -append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) -create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) -setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) -logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir }) - -can_exec(pyzord_t, pyzor_exec_t) - -kernel_read_kernel_sysctls(pyzord_t) -kernel_read_system_state(pyzord_t) - -dev_read_urand(pyzord_t) - -corecmd_exec_bin(pyzord_t) - -corenet_all_recvfrom_unlabeled(pyzord_t) -corenet_all_recvfrom_netlabel(pyzord_t) -corenet_udp_sendrecv_generic_if(pyzord_t) -corenet_udp_sendrecv_generic_node(pyzord_t) -corenet_udp_bind_generic_node(pyzord_t) - -corenet_sendrecv_pyzor_server_packets(pyzord_t) -corenet_udp_bind_pyzor_port(pyzord_t) -corenet_udp_sendrecv_pyzor_port(pyzord_t) - -auth_use_nsswitch(pyzord_t) - -logging_send_syslog_msg(pyzord_t) - -locallogin_dontaudit_use_fds(pyzord_t) - -miscfiles_read_localization(pyzord_t) - -userdom_dontaudit_search_user_home_dirs(pyzord_t) - -mta_manage_spool(pyzord_t) diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc deleted file mode 100644 index 86ea53ce..00000000 --- a/policy/modules/contrib/qemu.fc +++ /dev/null @@ -1,6 +0,0 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) - -/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if deleted file mode 100644 index eaf56b8b..00000000 --- a/policy/modules/contrib/qemu.if +++ /dev/null @@ -1,376 +0,0 @@ -## <summary>QEMU machine emulator and virtualizer.</summary> - -####################################### -## <summary> -## The template to define a qemu domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`qemu_domain_template',` - ############################## - # - # Declarations - # - - type $1_t; - domain_type($1_t) - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - - ############################## - # - # Policy - # - - allow $1_t self:capability { dac_read_search dac_override }; - allow $1_t self:process { execstack execmem signal getsched }; - allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:shm create_shm_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:tun_socket create; - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - - kernel_read_system_state($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_vnc_port($1_t) - corenet_rw_tun_tap_dev($1_t) - -# dev_rw_kvm($1_t) - - domain_use_interactive_fds($1_t) - - files_read_etc_files($1_t) - files_read_usr_files($1_t) - files_read_var_files($1_t) - files_search_all($1_t) - - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) - fs_rw_tmpfs_files($1_t) - - storage_raw_write_removable_device($1_t) - storage_raw_read_removable_device($1_t) - - term_use_ptmx($1_t) - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) - - miscfiles_read_localization($1_t) - - sysnet_read_config($1_t) - - userdom_use_user_terminals($1_t) - userdom_attach_admin_tun_iface($1_t) - - optional_policy(` - samba_domtrans_smbd($1_t) - ') - - optional_policy(` - virt_manage_images($1_t) - virt_read_config($1_t) - virt_read_lib_files($1_t) - virt_attach_tun_iface($1_t) - ') - - optional_policy(` - xserver_stream_connect($1_t) - xserver_read_xdm_tmp_files($1_t) - xserver_read_xdm_pid($1_t) -# xserver_xdm_rw_shm($1_t) - ') -') - -######################################## -## <summary> -## Role access for qemu. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -template(`qemu_role',` - gen_require(` - type qemu_t; - ') - - qemu_run($2, $1) - - allow $2 qemu_t:process { ptrace signal_perms }; - ps_process_pattern($2, qemu_t) -') - -######################################## -## <summary> -## Execute a domain transition to run qemu. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`qemu_domtrans',` - gen_require(` - type qemu_t, qemu_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qemu_exec_t, qemu_t) -') - -######################################## -## <summary> -## Execute a qemu in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qemu_exec',` - gen_require(` - type qemu_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, qemu_exec_t) -') - -######################################## -## <summary> -## Execute qemu in the qemu domain, -## and allow the specified role the -## qemu domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`qemu_run',` - gen_require(` - attribute_role qemu_roles; - ') - - qemu_domtrans($1) - roleattribute $2 qemu_roles; -') - -######################################## -## <summary> -## Read qemu process state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to allow access. -## </summary> -## </param> -# -interface(`qemu_read_state',` - gen_require(` - type qemu_t; - ') - - kernel_search_proc($1) - allow $1 qemu_t:dir list_dir_perms; - allow $1 qemu_t:file read_file_perms; - allow $1 qemu_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Set qemu scheduler. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qemu_setsched',` - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process setsched; -') - -######################################## -## <summary> -## Send generic signals to qemu. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qemu_signal',` - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process signal; -') - -######################################## -## <summary> -## Send kill signals to qemu. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qemu_kill',` - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process sigkill; -') - -######################################## -## <summary> -## Execute a domain transition to -## run qemu unconfined. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`qemu_domtrans_unconfined',` - gen_require(` - type unconfined_qemu_t, qemu_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## qemu temporary directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qemu_manage_tmp_dirs',` - gen_require(` - type qemu_tmp_t; - ') - - files_search_tmp($1) - manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## qemu temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qemu_manage_tmp_files',` - gen_require(` - type qemu_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) -') - -######################################## -## <summary> -## Execute qemu in a specified domain. -## </summary> -## <desc> -## <p> -## Execute qemu in a specified domain. -## </p> -## <p> -## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -## </p> -## </desc> -## <param name="source_domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="target_domain"> -## <summary> -## Domain to transition to. -## </summary> -## </param> -# -interface(`qemu_spec_domtrans',` - gen_require(` - type qemu_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_trans($1, qemu_exec_t, $2) -') - -###################################### -## <summary> -## Make qemu executable files an -## entrypoint for the specified domain. -## </summary> -## <param name="domain"> -## <summary> -## The domain for which qemu_exec_t is an entrypoint. -## </summary> -## </param> -# -interface(`qemu_entry_type',` - gen_require(` - type qemu_exec_t; - ') - - domain_entry_file($1, qemu_exec_t) -') diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te deleted file mode 100644 index 81205b16..00000000 --- a/policy/modules/contrib/qemu.te +++ /dev/null @@ -1,70 +0,0 @@ -policy_module(qemu, 1.7.5) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether qemu has full -## access to the network. -## </p> -## </desc> -gen_tunable(qemu_full_network, false) - -attribute_role qemu_roles; -roleattribute system_r qemu_roles; - -type qemu_exec_t; -application_executable_file(qemu_exec_t) - -virt_domain_template(qemu) -role qemu_roles types qemu_t; - -######################################## -# -# Local policy -# - -tunable_policy(`qemu_full_network',` - corenet_udp_sendrecv_generic_if(qemu_t) - corenet_udp_sendrecv_generic_node(qemu_t) - corenet_udp_sendrecv_all_ports(qemu_t) - corenet_udp_bind_generic_node(qemu_t) - corenet_udp_bind_all_ports(qemu_t) - corenet_tcp_bind_all_ports(qemu_t) - corenet_tcp_connect_all_ports(qemu_t) -') - -optional_policy(` - xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) -') - -######################################## -# -# Unconfined local policy -# - -optional_policy(` - type unconfined_qemu_t; - typealias unconfined_qemu_t alias qemu_unconfined_t; - application_type(unconfined_qemu_t) - unconfined_domain(unconfined_qemu_t) - - allow unconfined_qemu_t self:process { execstack execmem }; - allow unconfined_qemu_t qemu_exec_t:file execmod; -') - -ifdef(`distro_gentoo',` - - ################################# - # - # Local policy - # - allow qemu_t self:tcp_socket create_stream_socket_perms; - - optional_policy(` - vde_connect(qemu_t) - ') -') diff --git a/policy/modules/contrib/qmail.fc b/policy/modules/contrib/qmail.fc deleted file mode 100644 index e53fe5a9..00000000 --- a/policy/modules/contrib/qmail.fc +++ /dev/null @@ -1,37 +0,0 @@ -/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - -/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) - -/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) -/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) -/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) -/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) -/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) -/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) -/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) -/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) -/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) -/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) -/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) -/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) - -/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) -/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0) - -/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) -/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) -/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) -/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) -/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) -/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) -/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) -/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) -/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) -/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) -/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) -/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) -/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) - -/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - -/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) diff --git a/policy/modules/contrib/qmail.if b/policy/modules/contrib/qmail.if deleted file mode 100644 index e4f0000e..00000000 --- a/policy/modules/contrib/qmail.if +++ /dev/null @@ -1,143 +0,0 @@ -## <summary>Qmail Mail Server.</summary> - -######################################## -## <summary> -## Template for qmail parent/sub-domain pairs. -## </summary> -## <param name="child_prefix"> -## <summary> -## The prefix of the child domain. -## </summary> -## </param> -## <param name="parent_domain"> -## <summary> -## The name of the parent domain. -## </summary> -## </param> -# -template(`qmail_child_domain_template',` - gen_require(` - attribute qmail_child_domain; - ') - - ######################################## - # - # Declarations - # - - type $1_t, qmail_child_domain; - type $1_exec_t; - domain_type($1_t) - domain_entry_file($1_t, $1_exec_t) - - role system_r types $1_t; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, $1_exec_t, $1_t) - - kernel_read_system_state($2) -') - -######################################## -## <summary> -## Transition to qmail_inject_t. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`qmail_domtrans_inject',` - gen_require(` - type qmail_inject_t, qmail_inject_exec_t; - ') - - domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) - - ifdef(`distro_debian',` - files_search_usr($1) - corecmd_search_bin($1) - ',` - files_search_var($1) - ') -') - -######################################## -## <summary> -## Transition to qmail_queue_t. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`qmail_domtrans_queue',` - gen_require(` - type qmail_queue_t, qmail_queue_exec_t; - ') - - domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) - - ifdef(`distro_debian',` - files_search_usr($1) - corecmd_search_bin($1) - ',` - files_search_var($1) - ') -') - -######################################## -## <summary> -## Read qmail configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`qmail_read_config',` - gen_require(` - type qmail_etc_t; - ') - - files_search_var($1) - allow $1 qmail_etc_t:dir list_dir_perms; - allow $1 qmail_etc_t:file read_file_perms; - allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; - - ifdef(`distro_debian',` - files_search_etc($1) - ') -') - -######################################## -## <summary> -## Define the specified domain as a -## qmail-smtp service. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## The type associated with the process program. -## </summary> -## </param> -# -interface(`qmail_smtpd_service_domain',` - gen_require(` - type qmail_smtpd_t; - ') - - domtrans_pattern(qmail_smtpd_t, $2, $1) -') diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te deleted file mode 100644 index 1bef5132..00000000 --- a/policy/modules/contrib/qmail.te +++ /dev/null @@ -1,316 +0,0 @@ -policy_module(qmail, 1.5.1) - -######################################## -# -# Declarations -# - -attribute qmail_child_domain; - -type qmail_alias_home_t; -files_type(qmail_alias_home_t) - -qmail_child_domain_template(qmail_clean, qmail_start_t) - -type qmail_etc_t; -files_config_file(qmail_etc_t) - -type qmail_exec_t; -files_type(qmail_exec_t) - -type qmail_inject_t; -type qmail_inject_exec_t; -domain_type(qmail_inject_t) -domain_entry_file(qmail_inject_t, qmail_inject_exec_t) -mta_mailserver_user_agent(qmail_inject_t) -role system_r types qmail_inject_t; - -qmail_child_domain_template(qmail_local, qmail_lspawn_t) -mta_mailserver_delivery(qmail_local_t) - -qmail_child_domain_template(qmail_lspawn, qmail_start_t) -mta_mailserver_delivery(qmail_lspawn_t) - -qmail_child_domain_template(qmail_queue, qmail_inject_t) -mta_mailserver_user_agent(qmail_queue_t) - -qmail_child_domain_template(qmail_remote, qmail_rspawn_t) -mta_mailserver_sender(qmail_remote_t) - -qmail_child_domain_template(qmail_rspawn, qmail_start_t) -qmail_child_domain_template(qmail_send, qmail_start_t) -qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) -qmail_child_domain_template(qmail_splogger, qmail_start_t) - -type qmail_spool_t; -files_type(qmail_spool_t) - -type qmail_start_t; -type qmail_start_exec_t; -init_daemon_domain(qmail_start_t, qmail_start_exec_t) - -type qmail_tcp_env_t; -type qmail_tcp_env_exec_t; -application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) - -######################################## -# -# Common qmail child domain local policy -# - -allow qmail_child_domain self:process signal_perms; - -allow qmail_child_domain qmail_etc_t:dir list_dir_perms; -allow qmail_child_domain qmail_etc_t:file read_file_perms; -allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms; - -allow qmail_child_domain qmail_start_t:fd use; - -corecmd_search_bin(qmail_child_domain) - -files_search_var(qmail_child_domain) - -fs_getattr_xattr_fs(qmail_child_domain) - -miscfiles_read_localization(qmail_child_domain) - -######################################## -# -# Clean local policy -# - -read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) -delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) - -######################################## -# -# Inject local policy -# - -allow qmail_inject_t self:fifo_file write_fifo_file_perms; -allow qmail_inject_t self:process signal_perms; - -allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; - -corecmd_search_bin(qmail_inject_t) - -files_search_var(qmail_inject_t) - -miscfiles_read_localization(qmail_inject_t) - -qmail_read_config(qmail_inject_t) - -######################################## -# -# Local local policy -# - -allow qmail_local_t self:fifo_file write_fifo_file_perms; -allow qmail_local_t self:process signal_perms; -allow qmail_local_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) -manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) - -can_exec(qmail_local_t, qmail_local_exec_t) - -allow qmail_local_t qmail_queue_exec_t:file read_file_perms; - -allow qmail_local_t qmail_spool_t:file read_file_perms; - -kernel_read_system_state(qmail_local_t) - -corecmd_exec_bin(qmail_local_t) -corecmd_exec_shell(qmail_local_t) - -files_read_etc_runtime_files(qmail_local_t) - -auth_use_nsswitch(qmail_local_t) - -logging_send_syslog_msg(qmail_local_t) - -mta_append_spool(qmail_local_t) - -qmail_domtrans_queue(qmail_local_t) - -optional_policy(` - spamassassin_domtrans_client(qmail_local_t) -') - -######################################## -# -# Lspawn local policy -# - -allow qmail_lspawn_t self:capability { setuid setgid }; -allow qmail_lspawn_t self:process signal_perms; -allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms; -allow qmail_lspawn_t self:unix_stream_socket create_socket_perms; - -can_exec(qmail_lspawn_t, qmail_exec_t) - -allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms; - -read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) - -files_read_etc_files(qmail_lspawn_t) -files_search_pids(qmail_lspawn_t) -files_search_tmp(qmail_lspawn_t) - -######################################## -# -# Queue local policy -# - -allow qmail_queue_t qmail_lspawn_t:fd use; -allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; - -allow qmail_queue_t qmail_smtpd_t:fd use; -allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; -allow qmail_queue_t qmail_smtpd_t:process sigchld; - -manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) -manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) -rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) - -corecmd_exec_bin(qmail_queue_t) - -logging_send_syslog_msg(qmail_queue_t) - -optional_policy(` - daemontools_ipc_domain(qmail_queue_t) -') - -######################################## -# -# Remote local policy -# - -rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t) - -corenet_all_recvfrom_unlabeled(qmail_remote_t) -corenet_all_recvfrom_netlabel(qmail_remote_t) -corenet_tcp_sendrecv_generic_if(qmail_remote_t) -corenet_tcp_sendrecv_generic_node(qmail_remote_t) - -corenet_sendrecv_smtp_client_packets(qmail_remote_t) -corenet_tcp_connect_smtp_port(qmail_remote_t) -corenet_tcp_sendrecv_smtp_port(qmail_remote_t) - -dev_read_rand(qmail_remote_t) -dev_read_urand(qmail_remote_t) - -sysnet_dns_name_resolve(qmail_remote_t) - -######################################## -# -# Rspawn local policy -# - -allow qmail_rspawn_t self:process signal_perms; -allow qmail_rspawn_t self:fifo_file read_fifo_file_perms; - -allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms; - -rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t) - -######################################## -# -# Send local policy -# - -allow qmail_send_t self:process signal_perms; -allow qmail_send_t self:fifo_file write_fifo_file_perms; - -manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) -manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) -read_fifo_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) - -qmail_domtrans_queue(qmail_send_t) - -optional_policy(` - daemontools_ipc_domain(qmail_send_t) -') - -######################################## -# -# Smtpd local policy -# - -allow qmail_smtpd_t self:process signal_perms; -allow qmail_smtpd_t self:fifo_file write_fifo_file_perms; -allow qmail_smtpd_t self:tcp_socket create_socket_perms; - -allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms; - -dev_read_rand(qmail_smtpd_t) -dev_read_urand(qmail_smtpd_t) - -qmail_domtrans_queue(qmail_smtpd_t) - -optional_policy(` - daemontools_ipc_domain(qmail_smtpd_t) -') - -optional_policy(` - kerberos_keytab_template(qmail, qmail_smtpd_t) -') - -optional_policy(` - ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t) -') - -######################################## -# -# Splogger local policy -# - -allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; - -files_read_etc_files(qmail_splogger_t) - -init_dontaudit_use_script_fds(qmail_splogger_t) - -miscfiles_read_localization(qmail_splogger_t) - -######################################## -# -# Start local policy -# - -allow qmail_start_t self:capability { setgid setuid }; -dontaudit qmail_start_t self:capability sys_tty_config; -allow qmail_start_t self:fifo_file rw_fifo_file_perms; -allow qmail_start_t self:process signal_perms; - -can_exec(qmail_start_t, qmail_start_exec_t) - -corecmd_search_bin(qmail_start_t) - -files_search_var(qmail_start_t) - -qmail_read_config(qmail_start_t) - -optional_policy(` - daemontools_service_domain(qmail_start_t, qmail_start_exec_t) - daemontools_ipc_domain(qmail_start_t) -') - -######################################## -# -# Tcp-env local policy -# - -allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; - -corecmd_search_bin(qmail_tcp_env_t) - -sysnet_read_config(qmail_tcp_env_t) - -optional_policy(` - inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) -') - -optional_policy(` - ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) -') diff --git a/policy/modules/contrib/qpid.fc b/policy/modules/contrib/qpid.fc deleted file mode 100644 index 43287033..00000000 --- a/policy/modules/contrib/qpid.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) - -/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) - -/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) - -/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0) -/var/run/qpidd\.pid -- gen_context(system_u:object_r:qpidd_var_run_t,s0) diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if deleted file mode 100644 index cd51b96d..00000000 --- a/policy/modules/contrib/qpid.if +++ /dev/null @@ -1,190 +0,0 @@ -## <summary>Apache QPID AMQP messaging server.</summary> - -######################################## -## <summary> -## Execute a domain transition to run qpidd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`qpidd_domtrans',` - gen_require(` - type qpidd_t, qpidd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qpidd_exec_t, qpidd_t) -') - -##################################### -## <summary> -## Read and write access qpidd semaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qpidd_rw_semaphores',` - gen_require(` - type qpidd_t; - ') - - allow $1 qpidd_t:sem rw_sem_perms; -') - -######################################## -## <summary> -## Read and write qpidd shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qpidd_rw_shm',` - gen_require(` - type qpidd_t; - ') - - allow $1 qpidd_t:shm rw_shm_perms; -') - -######################################## -## <summary> -## Execute qpidd init script in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`qpidd_initrc_domtrans',` - gen_require(` - type qpidd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, qpidd_initrc_exec_t) -') - -######################################## -## <summary> -## Read qpidd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qpidd_read_pid_files',` - gen_require(` - type qpidd_var_run_t; - ') - - files_search_pids($1) - allow $1 qpidd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Search qpidd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qpidd_search_lib',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 qpidd_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read qpidd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qpidd_read_lib_files',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## qpidd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`qpidd_manage_lib_files',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an qpidd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`qpidd_admin',` - gen_require(` - type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t; - type qpidd_var_run_t; - ') - - allow $1 qpidd_t:process { ptrace signal_perms }; - ps_process_pattern($1, qpidd_t) - - qpidd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 qpidd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1( - admin_pattern($1, qpidd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, qpidd_var_run_t) -') diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te deleted file mode 100644 index 76f5b395..00000000 --- a/policy/modules/contrib/qpid.te +++ /dev/null @@ -1,73 +0,0 @@ -policy_module(qpid, 1.0.1) - -######################################## -# -# Declarations -# - -type qpidd_t; -type qpidd_exec_t; -init_daemon_domain(qpidd_t, qpidd_exec_t) - -type qpidd_initrc_exec_t; -init_script_file(qpidd_initrc_exec_t) - -type qpidd_tmpfs_t; -files_tmpfs_file(qpidd_tmpfs_t) - -type qpidd_var_lib_t; -files_type(qpidd_var_lib_t) - -type qpidd_var_run_t; -files_pid_file(qpidd_var_run_t) - -######################################## -# -# Local policy -# - -allow qpidd_t self:process { setsched signull }; -allow qpidd_t self:fifo_file rw_fifo_file_perms; -allow qpidd_t self:sem create_sem_perms; -allow qpidd_t self:shm create_shm_perms; -allow qpidd_t self:tcp_socket { accept listen }; -allow qpidd_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) -manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) -fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file }) - -manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) - -manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) - -kernel_read_system_state(qpidd_t) - -corenet_all_recvfrom_unlabeled(qpidd_t) -corenet_all_recvfrom_netlabel(qpidd_t) -corenet_tcp_sendrecv_generic_if(qpidd_t) -corenet_tcp_sendrecv_generic_node(qpidd_t) -corenet_tcp_bind_generic_node(qpidd_t) - -corenet_sendrecv_amqp_server_packets(qpidd_t) -corenet_tcp_bind_amqp_port(qpidd_t) -corenet_tcp_sendrecv_amqp_port(qpidd_t) - -dev_read_sysfs(qpidd_t) -dev_read_urand(qpidd_t) - -files_read_etc_files(qpidd_t) - -logging_send_syslog_msg(qpidd_t) - -miscfiles_read_localization(qpidd_t) - -sysnet_dns_name_resolve(qpidd_t) - -optional_policy(` - corosync_stream_connect(qpidd_t) -') diff --git a/policy/modules/contrib/quantum.fc b/policy/modules/contrib/quantum.fc deleted file mode 100644 index 70ab68b0..00000000 --- a/policy/modules/contrib/quantum.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0) - -/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0) -/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) -/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) -/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) - -/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) - -/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0) diff --git a/policy/modules/contrib/quantum.if b/policy/modules/contrib/quantum.if deleted file mode 100644 index afc00688..00000000 --- a/policy/modules/contrib/quantum.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>Virtual network service for Openstack.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an quantum environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`quantum_admin',` - gen_require(` - type quantum_t, quantum_initrc_exec_t, quantum_log_t; - type quantum_var_lib_t, quantum_tmp_t; - ') - - allow $1 quantum_t:process { ptrace signal_perms }; - ps_process_pattern($1, quantum_t) - - init_labeled_script_domtrans($1, quantum_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 quantum_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, quantum_log_t) - - files_search_var_lib($1) - admin_pattern($1, quantum_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, quantum_tmp_t) -') diff --git a/policy/modules/contrib/quantum.te b/policy/modules/contrib/quantum.te deleted file mode 100644 index 769d1fda..00000000 --- a/policy/modules/contrib/quantum.te +++ /dev/null @@ -1,96 +0,0 @@ -policy_module(quantum, 1.0.2) - -######################################## -# -# Declarations -# - -type quantum_t; -type quantum_exec_t; -init_daemon_domain(quantum_t, quantum_exec_t) - -type quantum_initrc_exec_t; -init_script_file(quantum_initrc_exec_t) - -type quantum_log_t; -logging_log_file(quantum_log_t) - -type quantum_tmp_t; -files_tmp_file(quantum_tmp_t) - -type quantum_var_lib_t; -files_type(quantum_var_lib_t) - -######################################## -# -# Local policy -# - -allow quantum_t self:capability { setgid setuid sys_resource }; -allow quantum_t self:process { setsched setrlimit }; -allow quantum_t self:fifo_file rw_fifo_file_perms; -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -logging_log_filetrans(quantum_t, quantum_log_t, dir) - -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) -files_tmp_filetrans(quantum_t, quantum_tmp_t, file) - -manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) - -can_exec(quantum_t, quantum_tmp_t) - -kernel_read_kernel_sysctls(quantum_t) -kernel_read_system_state(quantum_t) - -corecmd_exec_shell(quantum_t) -corecmd_exec_bin(quantum_t) - -corenet_all_recvfrom_unlabeled(quantum_t) -corenet_all_recvfrom_netlabel(quantum_t) -corenet_tcp_sendrecv_generic_if(quantum_t) -corenet_tcp_sendrecv_generic_node(quantum_t) -corenet_tcp_sendrecv_all_ports(quantum_t) -corenet_tcp_bind_generic_node(quantum_t) - -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) - -files_read_usr_files(quantum_t) - -auth_use_nsswitch(quantum_t) - -libs_exec_ldconfig(quantum_t) - -logging_send_audit_msgs(quantum_t) -logging_send_syslog_msg(quantum_t) - -miscfiles_read_localization(quantum_t) - -sysnet_domtrans_ifconfig(quantum_t) - -optional_policy(` - brctl_domtrans(quantum_t) -') - -optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) - - mysql_tcp_connect(quantum_t) -') - -optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) - - postgresql_tcp_connect(quantum_t) -') diff --git a/policy/modules/contrib/quota.fc b/policy/modules/contrib/quota.fc deleted file mode 100644 index cadabe36..00000000 --- a/policy/modules/contrib/quota.fc +++ /dev/null @@ -1,31 +0,0 @@ -HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0) - -/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) -/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) - -/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) -/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) -/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0) - -/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) - -/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0) - -/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if deleted file mode 100644 index da642186..00000000 --- a/policy/modules/contrib/quota.if +++ /dev/null @@ -1,196 +0,0 @@ -## <summary>File system quota management.</summary> - -######################################## -## <summary> -## Execute quota management tools in the quota domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`quota_domtrans',` - gen_require(` - type quota_t, quota_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, quota_exec_t, quota_t) -') - -######################################## -## <summary> -## Execute quota management tools in -## the quota domain, and allow the -## specified role the quota domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`quota_run',` - gen_require(` - attribute_role quota_roles; - ') - - quota_domtrans($1) - roleattribute $2 quota_roles; -') - -####################################### -## <summary> -## Execute quota nld in the quota nld domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`quota_domtrans_nld',` - gen_require(` - type quota_nld_t, quota_nld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## quota db files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`quota_manage_db_files',` - gen_require(` - type quota_db_t; - ') - - allow $1 quota_db_t:file manage_file_perms; -') - -######################################## -## <summary> -## Create specified objects in specified -## directories with a type transition to -## the quota db file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="file_type"> -## <summary> -## Directory to transition on. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`quota_spec_filetrans_db',` - gen_require(` - type quota_db_t; - ') - - filetrans_pattern($1, $2, quota_db_t, $3, $4) -') - -######################################## -## <summary> -## Do not audit attempts to get attributes -## of filesystem quota data files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`quota_dontaudit_getattr_db',` - gen_require(` - type quota_db_t; - ') - - dontaudit $1 quota_db_t:file getattr_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## quota flag files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`quota_manage_flags',` - gen_require(` - type quota_flag_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, quota_flag_t, quota_flag_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an quota environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`quota_admin',` - gen_require(` - type quota_nld_t, quota_t, quota_db_t; - type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t; - ') - - allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { quota_nld_t quota_t }) - - init_labeled_script_domtrans($1, quota_nld_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 quota_nld_initrc_exec_t system_r; - allow $2 system_r; - - files_list_all($1) - admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t }) - - quota_run($1, $2) -') diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te deleted file mode 100644 index 4b2c272a..00000000 --- a/policy/modules/contrib/quota.te +++ /dev/null @@ -1,131 +0,0 @@ -policy_module(quota, 1.5.2) - -######################################## -# -# Declarations -# - -attribute_role quota_roles; - -type quota_t; -type quota_exec_t; -init_system_domain(quota_t, quota_exec_t) -role quota_roles types quota_t; - -type quota_db_t; -files_type(quota_db_t) - -type quota_flag_t; -files_type(quota_flag_t) - -type quota_nld_t; -type quota_nld_exec_t; -init_daemon_domain(quota_nld_t, quota_nld_exec_t) - -type quota_nld_initrc_exec_t; -init_script_file(quota_nld_initrc_exec_t) - -type quota_nld_var_run_t; -files_pid_file(quota_nld_var_run_t) - -######################################## -# -# Local policy -# - -allow quota_t self:capability { sys_admin dac_override }; -dontaudit quota_t self:capability sys_tty_config; -allow quota_t self:process signal_perms; - -allow quota_t quota_db_t:file { manage_file_perms quotaon }; -files_root_filetrans(quota_t, quota_db_t, file) -files_boot_filetrans(quota_t, quota_db_t, file) -files_etc_filetrans(quota_t, quota_db_t, file) -files_tmp_filetrans(quota_t, quota_db_t, file) -files_home_filetrans(quota_t, quota_db_t, file) -files_usr_filetrans(quota_t, quota_db_t, file) -files_var_filetrans(quota_t, quota_db_t, file) -files_spool_filetrans(quota_t, quota_db_t, file) -userdom_user_home_dir_filetrans(quota_t, quota_db_t, file) - -kernel_request_load_module(quota_t) -kernel_list_proc(quota_t) -kernel_read_proc_symlinks(quota_t) -kernel_read_kernel_sysctls(quota_t) -kernel_setsched(quota_t) - -dev_read_sysfs(quota_t) -dev_getattr_all_blk_files(quota_t) -dev_getattr_all_chr_files(quota_t) - -files_list_all(quota_t) -files_read_all_files(quota_t) -files_read_all_symlinks(quota_t) -files_getattr_all_pipes(quota_t) -files_getattr_all_sockets(quota_t) -files_getattr_all_file_type_fs(quota_t) -files_read_etc_runtime_files(quota_t) - -fs_get_xattr_fs_quotas(quota_t) -fs_set_xattr_fs_quotas(quota_t) -fs_getattr_xattr_fs(quota_t) -fs_remount_xattr_fs(quota_t) -fs_search_auto_mountpoints(quota_t) - -mls_file_read_all_levels(quota_t) - -storage_raw_read_fixed_disk(quota_t) - -term_dontaudit_use_console(quota_t) - -domain_use_interactive_fds(quota_t) - -init_use_fds(quota_t) -init_use_script_ptys(quota_t) - -logging_send_syslog_msg(quota_t) - -userdom_use_user_terminals(quota_t) -userdom_dontaudit_use_unpriv_user_fds(quota_t) - -optional_policy(` - mta_queue_filetrans(quota_t, quota_db_t, file) - mta_spool_filetrans(quota_t, quota_db_t, file) -') - -optional_policy(` - seutil_sigchld_newrole(quota_t) -') - -optional_policy(` - udev_read_db(quota_t) -') - -####################################### -# -# Nld local policy -# - -allow quota_nld_t self:fifo_file rw_fifo_file_perms; -allow quota_nld_t self:netlink_socket create_socket_perms; -allow quota_nld_t self:unix_stream_socket { accept listen }; - -manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) -files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) - -kernel_read_network_state(quota_nld_t) - -auth_use_nsswitch(quota_nld_t) - -init_read_utmp(quota_nld_t) - -logging_send_syslog_msg(quota_nld_t) - -miscfiles_read_localization(quota_nld_t) - -userdom_use_user_terminals(quota_nld_t) - -optional_policy(` - dbus_system_bus_client(quota_nld_t) - dbus_connect_system_bus(quota_nld_t) -') diff --git a/policy/modules/contrib/rabbitmq.fc b/policy/modules/contrib/rabbitmq.fc deleted file mode 100644 index c5ad6de7..00000000 --- a/policy/modules/contrib/rabbitmq.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0) - -/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0) -/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) - -/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) - -/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) - -/var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) diff --git a/policy/modules/contrib/rabbitmq.if b/policy/modules/contrib/rabbitmq.if deleted file mode 100644 index 2c3d3389..00000000 --- a/policy/modules/contrib/rabbitmq.if +++ /dev/null @@ -1,61 +0,0 @@ -## <summary>AMQP server written in Erlang.</summary> - -######################################## -## <summary> -## Execute rabbitmq in the rabbitmq domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rabbitmq_domtrans',` - gen_require(` - type rabbitmq_t, rabbitmq_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an rabbitmq environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rabbitmq_admin',` - gen_require(` - type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t; - type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t; - ') - - allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t }) - - init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rabbitmq_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, rabbitmq_var_log_t) - - files_search_var_lib($1) - admin_pattern($1, rabbitmq_var_lib_t) - - files_search_pids($1) - admin_pattern($1, rabbitmq_var_run_t) -') diff --git a/policy/modules/contrib/rabbitmq.te b/policy/modules/contrib/rabbitmq.te deleted file mode 100644 index 3698b512..00000000 --- a/policy/modules/contrib/rabbitmq.te +++ /dev/null @@ -1,106 +0,0 @@ -policy_module(rabbitmq, 1.0.0) - -######################################## -# -# Declarations -# - -type rabbitmq_epmd_t; -type rabbitmq_epmd_exec_t; -init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t) - -type rabbitmq_beam_t; -type rabbitmq_beam_exec_t; -init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t) - -type rabbitmq_initrc_exec_t; -init_script_file(rabbitmq_initrc_exec_t) - -type rabbitmq_var_lib_t; -files_type(rabbitmq_var_lib_t) - -type rabbitmq_var_log_t; -logging_log_file(rabbitmq_var_log_t) - -type rabbitmq_var_run_t; -files_pid_file(rabbitmq_var_run_t) - -###################################### -# -# Beam local policy -# - -allow rabbitmq_beam_t self:process { setsched signal signull }; -allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; -allow rabbitmq_beam_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) -manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) - -manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) - -manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) -manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) - -can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) - -domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) - -kernel_read_system_state(rabbitmq_beam_t) - -corecmd_exec_bin(rabbitmq_beam_t) -corecmd_exec_shell(rabbitmq_beam_t) - -corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) -corenet_all_recvfrom_netlabel(rabbitmq_beam_t) -corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) -corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t) -corenet_tcp_bind_generic_node(rabbitmq_beam_t) - -corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) -corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t) - -corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) -corenet_tcp_connect_epmd_port(rabbitmq_beam_t) -corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) - -dev_read_sysfs(rabbitmq_beam_t) - -files_read_etc_files(rabbitmq_beam_t) - -miscfiles_read_localization(rabbitmq_beam_t) - -sysnet_dns_name_resolve(rabbitmq_beam_t) - -######################################## -# -# Epmd local policy -# - - -allow rabbitmq_epmd_t self:process signal; -allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; -allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; - -allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; - -corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) -corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) -corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t) -corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t) -corenet_tcp_bind_generic_node(rabbitmq_epmd_t) - -corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) -corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) -corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) - -files_read_etc_files(rabbitmq_epmd_t) - -logging_send_syslog_msg(rabbitmq_epmd_t) - -miscfiles_read_localization(rabbitmq_epmd_t) diff --git a/policy/modules/contrib/radius.fc b/policy/modules/contrib/radius.fc deleted file mode 100644 index c84b7ae9..00000000 --- a/policy/modules/contrib/radius.fc +++ /dev/null @@ -1,23 +0,0 @@ -/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) -/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) - -/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0) - -/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0) -/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0) - -/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) -/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) - -/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) - -/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radutmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0) - -/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) -/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0) diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if deleted file mode 100644 index 44605825..00000000 --- a/policy/modules/contrib/radius.if +++ /dev/null @@ -1,60 +0,0 @@ -## <summary>RADIUS authentication and accounting server.</summary> - -######################################## -## <summary> -## Use radius over a UDP connection. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`radius_use',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an radius environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`radius_admin',` - gen_require(` - type radiusd_t, radiusd_etc_t, radiusd_log_t; - type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; - type radiusd_initrc_exec_t; - ') - - allow $1 radiusd_t:process { ptrace signal_perms }; - ps_process_pattern($1, radiusd_t) - - init_labeled_script_domtrans($1, radiusd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 radiusd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t }) - - logging_list_logs($1) - admin_pattern($1, radiusd_log_t) - - files_list_var_lib($1) - admin_pattern($1, radiusd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, radiusd_var_run_t) -') diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te deleted file mode 100644 index 1e7927f8..00000000 --- a/policy/modules/contrib/radius.te +++ /dev/null @@ -1,144 +0,0 @@ -policy_module(radius, 1.12.1) - -######################################## -# -# Declarations -# - -type radiusd_t; -type radiusd_exec_t; -init_daemon_domain(radiusd_t, radiusd_exec_t) - -type radiusd_etc_t; -files_config_file(radiusd_etc_t) - -type radiusd_etc_rw_t; -files_type(radiusd_etc_rw_t) - -type radiusd_initrc_exec_t; -init_script_file(radiusd_initrc_exec_t) - -type radiusd_log_t; -logging_log_file(radiusd_log_t) - -type radiusd_var_lib_t; -files_type(radiusd_var_lib_t) - -type radiusd_var_run_t; -files_pid_file(radiusd_var_run_t) - -######################################## -# -# Local policy -# - -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; -dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; -allow radiusd_t self:fifo_file rw_fifo_file_perms; -allow radiusd_t self:unix_stream_socket { accept listen }; -allow radiusd_t self:tcp_socket { accept listen }; - -allow radiusd_t radiusd_etc_t:dir list_dir_perms; -allow radiusd_t radiusd_etc_t:file read_file_perms; -allow radiusd_t radiusd_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) -manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) -manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) -filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) - -manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -append_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -create_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -setattr_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir }) - -manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) - -manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) - -kernel_read_kernel_sysctls(radiusd_t) -kernel_read_system_state(radiusd_t) - -corenet_all_recvfrom_unlabeled(radiusd_t) -corenet_all_recvfrom_netlabel(radiusd_t) -corenet_tcp_sendrecv_generic_if(radiusd_t) -corenet_udp_sendrecv_generic_if(radiusd_t) -corenet_tcp_sendrecv_generic_node(radiusd_t) -corenet_udp_sendrecv_generic_node(radiusd_t) -corenet_tcp_sendrecv_all_ports(radiusd_t) -corenet_udp_sendrecv_all_ports(radiusd_t) -corenet_udp_bind_generic_node(radiusd_t) - -corenet_sendrecv_radacct_server_packets(radiusd_t) -corenet_udp_bind_radacct_port(radiusd_t) - -corenet_sendrecv_radius_server_packets(radiusd_t) -corenet_udp_bind_radius_port(radiusd_t) - -corenet_sendrecv_snmp_client_packets(radiusd_t) -corenet_tcp_connect_snmp_port(radiusd_t) - -corenet_sendrecv_generic_server_packets(radiusd_t) -corenet_udp_bind_generic_port(radiusd_t) -corenet_dontaudit_udp_bind_all_ports(radiusd_t) - -corecmd_exec_bin(radiusd_t) -corecmd_exec_shell(radiusd_t) - -dev_read_sysfs(radiusd_t) - -domain_use_interactive_fds(radiusd_t) - -fs_getattr_all_fs(radiusd_t) -fs_search_auto_mountpoints(radiusd_t) - -files_read_usr_files(radiusd_t) -files_read_etc_runtime_files(radiusd_t) -files_dontaudit_list_tmp(radiusd_t) - -auth_use_nsswitch(radiusd_t) -auth_read_shadow(radiusd_t) -auth_domtrans_chk_passwd(radiusd_t) - -libs_exec_lib_files(radiusd_t) - -logging_send_syslog_msg(radiusd_t) - -miscfiles_read_localization(radiusd_t) -miscfiles_read_generic_certs(radiusd_t) - -sysnet_use_ldap(radiusd_t) - -userdom_dontaudit_use_unpriv_user_fds(radiusd_t) -userdom_dontaudit_search_user_home_dirs(radiusd_t) - -optional_policy(` - cron_system_entry(radiusd_t, radiusd_exec_t) -') - -optional_policy(` - logrotate_exec(radiusd_t) -') - -optional_policy(` - mysql_read_config(radiusd_t) - mysql_stream_connect(radiusd_t) - mysql_tcp_connect(radiusd_t) -') - -optional_policy(` - samba_domtrans_winbind_helper(radiusd_t) -') - -optional_policy(` - seutil_sigchld_newrole(radiusd_t) -') - -optional_policy(` - udev_read_db(radiusd_t) -') diff --git a/policy/modules/contrib/radvd.fc b/policy/modules/contrib/radvd.fc deleted file mode 100644 index dda06cc2..00000000 --- a/policy/modules/contrib/radvd.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0) - -/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0) - -/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0) - -/var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0) -/var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0) diff --git a/policy/modules/contrib/radvd.if b/policy/modules/contrib/radvd.if deleted file mode 100644 index ac7058d1..00000000 --- a/policy/modules/contrib/radvd.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>IPv6 router advertisement daemon.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an radvd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`radvd_admin',` - gen_require(` - type radvd_t, radvd_etc_t, radvd_initrc_exec_t; - type radvd_var_run_t; - ') - - allow $1 radvd_t:process { ptrace signal_perms }; - ps_process_pattern($1, radvd_t) - - init_labeled_script_domtrans($1, radvd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 radvd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, radvd_etc_t) - - files_list_pids($1) - admin_pattern($1, radvd_var_run_t) -') diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te deleted file mode 100644 index b31f2d79..00000000 --- a/policy/modules/contrib/radvd.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(radvd, 1.13.1) - -######################################## -# -# Declarations -# -type radvd_t; -type radvd_exec_t; -init_daemon_domain(radvd_t, radvd_exec_t) - -type radvd_etc_t; -files_config_file(radvd_etc_t) - -type radvd_initrc_exec_t; -init_script_file(radvd_initrc_exec_t) - -type radvd_var_run_t; -files_pid_file(radvd_var_run_t) - -######################################## -# -# Local policy -# - -allow radvd_t self:capability { kill setgid setuid net_raw net_admin }; -dontaudit radvd_t self:capability sys_tty_config; -allow radvd_t self:process signal_perms; -allow radvd_t self:fifo_file rw_fifo_file_perms; -allow radvd_t self:rawip_socket create_socket_perms; -allow radvd_t self:tcp_socket { accept listen }; - -allow radvd_t radvd_etc_t:file read_file_perms; - -manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) -manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) -files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(radvd_t) -kernel_rw_net_sysctls(radvd_t) -kernel_read_network_state(radvd_t) -kernel_read_system_state(radvd_t) -kernel_request_load_module(radvd_t) - -corenet_all_recvfrom_netlabel(radvd_t) -corenet_all_recvfrom_unlabeled(radvd_t) -corenet_tcp_sendrecv_generic_if(radvd_t) -corenet_udp_sendrecv_generic_if(radvd_t) -corenet_raw_sendrecv_generic_if(radvd_t) -corenet_tcp_sendrecv_generic_node(radvd_t) -corenet_udp_sendrecv_generic_node(radvd_t) -corenet_raw_sendrecv_generic_node(radvd_t) -corenet_tcp_sendrecv_all_ports(radvd_t) -corenet_udp_sendrecv_all_ports(radvd_t) - -dev_read_sysfs(radvd_t) - -domain_use_interactive_fds(radvd_t) - -files_list_usr(radvd_t) - -fs_getattr_all_fs(radvd_t) -fs_search_auto_mountpoints(radvd_t) - -auth_use_nsswitch(radvd_t) - -logging_send_syslog_msg(radvd_t) - -miscfiles_read_localization(radvd_t) - -userdom_dontaudit_use_unpriv_user_fds(radvd_t) -userdom_dontaudit_search_user_home_dirs(radvd_t) - -optional_policy(` - seutil_sigchld_newrole(radvd_t) -') - -optional_policy(` - udev_read_db(radvd_t) -') diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc deleted file mode 100644 index 5806046b..00000000 --- a/policy/modules/contrib/raid.fc +++ /dev/null @@ -1,21 +0,0 @@ -/dev/\.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0) -/dev/md/.* -- gen_context(system_u:object_r:mdadm_var_run_t,s0) - -/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0) - -/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) - -/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) - -/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if deleted file mode 100644 index 951db7f1..00000000 --- a/policy/modules/contrib/raid.if +++ /dev/null @@ -1,103 +0,0 @@ -## <summary>RAID array management tools.</summary> - -######################################## -## <summary> -## Execute software raid tools in -## the mdadm domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`raid_domtrans_mdadm',` - gen_require(` - type mdadm_t, mdadm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mdadm_exec_t, mdadm_t) -') - -###################################### -## <summary> -## Execute mdadm in the mdadm -## domain, and allow the specified -## role the mdadm domain. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`raid_run_mdadm',` - gen_require(` - attribute_role mdadm_roles; - ') - - raid_domtrans_mdadm($2) - roleattribute $1 mdadm_roles; -') - -######################################## -## <summary> -## Create, read, write, and delete -## mdadm pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`raid_manage_mdadm_pid',` - gen_require(` - type mdadm_var_run_t; - ') - - files_search_pids($1) - allow $1 mdadm_var_run_t:file manage_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an mdadm environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`raid_admin_mdadm',` - gen_require(` - type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; - ') - - allow $1 mdadm_t:process { ptrace signal_perms }; - ps_process_pattern($1, mdadm_t) - - init_labeled_script_domtrans($1, mdadm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mdadm_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, mdadm_var_run_t) - - raid_run_mdadm($2, $1) -') diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te deleted file mode 100644 index 2c1730be..00000000 --- a/policy/modules/contrib/raid.te +++ /dev/null @@ -1,105 +0,0 @@ -policy_module(raid, 1.12.5) - -######################################## -# -# Declarations -# - -attribute_role mdadm_roles; - -type mdadm_t; -type mdadm_exec_t; -init_daemon_domain(mdadm_t, mdadm_exec_t) -role mdadm_roles types mdadm_t; - -type mdadm_initrc_exec_t; -init_script_file(mdadm_initrc_exec_t) - -type mdadm_var_run_t alias mdadm_map_t; -files_pid_file(mdadm_var_run_t) -dev_associate(mdadm_var_run_t) - -######################################## -# -# Local policy -# - -allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; -dontaudit mdadm_t self:capability sys_tty_config; -allow mdadm_t self:process { getsched setsched signal_perms }; -allow mdadm_t self:fifo_file rw_fifo_file_perms; -allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -dev_filetrans(mdadm_t, mdadm_var_run_t, file) -files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file }) - -kernel_getattr_core_if(mdadm_t) -kernel_read_system_state(mdadm_t) -kernel_read_kernel_sysctls(mdadm_t) -kernel_request_load_module(mdadm_t) -kernel_rw_software_raid_state(mdadm_t) - -corecmd_exec_bin(mdadm_t) -corecmd_exec_shell(mdadm_t) - -dev_rw_sysfs(mdadm_t) -dev_dontaudit_getattr_all_blk_files(mdadm_t) -dev_dontaudit_getattr_all_chr_files(mdadm_t) -dev_read_realtime_clock(mdadm_t) -dev_read_raw_memory(mdadm_t) - -domain_use_interactive_fds(mdadm_t) - -files_read_etc_files(mdadm_t) -files_read_etc_runtime_files(mdadm_t) -files_dontaudit_getattr_all_files(mdadm_t) - -fs_list_auto_mountpoints(mdadm_t) -fs_list_hugetlbfs(mdadm_t) -fs_rw_cgroup_files(mdadm_t) -fs_dontaudit_list_tmpfs(mdadm_t) - -mls_file_read_all_levels(mdadm_t) -mls_file_write_all_levels(mdadm_t) - -storage_dev_filetrans_fixed_disk(mdadm_t) -storage_manage_fixed_disk(mdadm_t) -storage_read_scsi_generic(mdadm_t) -storage_write_scsi_generic(mdadm_t) - -term_dontaudit_list_ptys(mdadm_t) -term_dontaudit_use_unallocated_ttys(mdadm_t) - -init_dontaudit_getattr_initctl(mdadm_t) - -logging_send_syslog_msg(mdadm_t) - -miscfiles_read_localization(mdadm_t) - -userdom_dontaudit_use_unpriv_user_fds(mdadm_t) -userdom_dontaudit_search_user_home_content(mdadm_t) -userdom_dontaudit_use_user_terminals(mdadm_t) - -optional_policy(` - cron_system_entry(mdadm_t, mdadm_exec_t) -') - -optional_policy(` - gpm_dontaudit_getattr_gpmctl(mdadm_t) -') - -optional_policy(` - mta_send_mail(mdadm_t) -') - -optional_policy(` - seutil_sigchld_newrole(mdadm_t) -') - -optional_policy(` - udev_read_db(mdadm_t) -') diff --git a/policy/modules/contrib/razor.fc b/policy/modules/contrib/razor.fc deleted file mode 100644 index 6723f4d3..00000000 --- a/policy/modules/contrib/razor.fc +++ /dev/null @@ -1,9 +0,0 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) - -/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) - -/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) - -/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) - -/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0) diff --git a/policy/modules/contrib/razor.if b/policy/modules/contrib/razor.if deleted file mode 100644 index 1e4b523b..00000000 --- a/policy/modules/contrib/razor.if +++ /dev/null @@ -1,130 +0,0 @@ -## <summary>A distributed, collaborative, spam detection and filtering network.</summary> - -####################################### -## <summary> -## The template to define a razor domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`razor_common_domain_template',` - gen_require(` - attribute razor_domain; - type razor_exec_t; - ') - - ######################################## - # - # Declarations - # - - type $1_t, razor_domain; - domain_type($1_t) - domain_entry_file($1_t, razor_exec_t) - - ######################################## - # - # Declarations - # - - auth_use_nsswitch($1_t) -') - -######################################## -## <summary> -## Role access for razor. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`razor_role',` - gen_require(` - attribute_role razor_roles; - type razor_t, razor_exec_t, razor_home_t; - type razor_tmp_t; - ') - - roleattribute $1 razor_roles; - - domtrans_pattern($2, razor_exec_t, razor_t) - - ps_process_pattern($2, razor_t) - allow $2 razor_t:process signal; - - allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor") -') - -######################################## -## <summary> -## Execute razor in the system razor domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`razor_domtrans',` - gen_require(` - type system_razor_t, razor_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, razor_exec_t, system_razor_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## razor home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`razor_manage_home_content',` - gen_require(` - type razor_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 razor_home_t:dir manage_dir_perms; - allow $1 razor_home_t:file manage_file_perms; - allow $1 razor_home_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Read razor lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`razor_read_lib_files',` - gen_require(` - type razor_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) -') diff --git a/policy/modules/contrib/razor.te b/policy/modules/contrib/razor.te deleted file mode 100644 index 5ddedbc8..00000000 --- a/policy/modules/contrib/razor.te +++ /dev/null @@ -1,139 +0,0 @@ -policy_module(razor, 2.3.2) - -######################################## -# -# Declarations -# - -attribute razor_domain; - -attribute_role razor_roles; - -type razor_exec_t; -corecmd_executable_file(razor_exec_t) - -type razor_etc_t; -files_config_file(razor_etc_t) - -type razor_home_t; -typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; -typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; -userdom_user_home_content(razor_home_t) - -type razor_log_t; -logging_log_file(razor_log_t) - -type razor_tmp_t; -typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; -typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; -userdom_user_tmp_file(razor_tmp_t) - -type razor_var_lib_t; -files_type(razor_var_lib_t) - -razor_common_domain_template(razor) -typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; -typealias razor_t alias { auditadm_razor_t secadm_razor_t }; -userdom_user_application_type(razor_t) -role razor_roles types razor_t; - -razor_common_domain_template(system_razor) -role system_r types system_razor_t; - -######################################## -# -# Common razor domain local policy -# - -allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow razor_domain self:fd use; -allow razor_domain self:fifo_file rw_fifo_file_perms; -allow razor_domain self:unix_dgram_socket sendto; -allow razor_domain self:unix_stream_socket { accept connectto listen }; - -allow razor_domain razor_etc_t:dir list_dir_perms; -allow razor_domain razor_etc_t:file read_file_perms; -allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms; - -allow razor_domain razor_exec_t:file read_file_perms; -allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms; - -kernel_read_system_state(razor_domain) -kernel_read_network_state(razor_domain) -kernel_read_software_raid_state(razor_domain) -kernel_getattr_core_if(razor_domain) -kernel_getattr_message_if(razor_domain) -kernel_read_kernel_sysctls(razor_domain) - -corecmd_exec_bin(razor_domain) - -corenet_all_recvfrom_unlabeled(razor_domain) -corenet_all_recvfrom_netlabel(razor_domain) -corenet_tcp_sendrecv_generic_if(razor_domain) -corenet_tcp_sendrecv_generic_node(razor_domain) - -corenet_tcp_sendrecv_razor_port(razor_domain) -corenet_tcp_connect_razor_port(razor_domain) -corenet_sendrecv_razor_client_packets(razor_domain) - -dev_read_rand(razor_domain) -dev_read_urand(razor_domain) - -files_read_etc_runtime_files(razor_domain) - -libs_read_lib_files(razor_domain) - -miscfiles_read_localization(razor_domain) - -######################################## -# -# System local policy -# - -manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) -manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) -manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) - -manage_dirs_pattern(system_razor_t, razor_log_t, razor_log_t) -append_files_pattern(system_razor_t, razor_log_t, razor_log_t) -create_files_pattern(system_razor_t, razor_log_t, razor_log_t) -setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t) -manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t) -logging_log_filetrans(system_razor_t, razor_log_t, file) - -manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) -manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) -manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) -files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) - -######################################## -# -# Session local policy -# - -manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) -manage_files_pattern(razor_t, razor_home_t, razor_home_t) -manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) -userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor") - -manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) -manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) -files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) - -fs_getattr_all_fs(razor_t) -fs_search_auto_mountpoints(razor_t) - -userdom_use_unpriv_users_fds(razor_t) -userdom_use_user_terminals(razor_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(razor_t) - fs_manage_nfs_files(razor_t) - fs_manage_nfs_symlinks(razor_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(razor_t) - fs_manage_cifs_files(razor_t) - fs_manage_cifs_symlinks(razor_t) -') diff --git a/policy/modules/contrib/rdisc.fc b/policy/modules/contrib/rdisc.fc deleted file mode 100644 index e9765c0f..00000000 --- a/policy/modules/contrib/rdisc.fc +++ /dev/null @@ -1,3 +0,0 @@ -/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) - -/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) diff --git a/policy/modules/contrib/rdisc.if b/policy/modules/contrib/rdisc.if deleted file mode 100644 index 170ef52f..00000000 --- a/policy/modules/contrib/rdisc.if +++ /dev/null @@ -1,20 +0,0 @@ -## <summary>Network router discovery daemon.</summary> - -###################################### -## <summary> -## Execute rdisc in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rdisc_exec',` - gen_require(` - type rdisc_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rdisc_exec_t) -') diff --git a/policy/modules/contrib/rdisc.te b/policy/modules/contrib/rdisc.te deleted file mode 100644 index 9196c1db..00000000 --- a/policy/modules/contrib/rdisc.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(rdisc, 1.8.0) - -######################################## -# -# Declarations -# - -type rdisc_t; -type rdisc_exec_t; -init_daemon_domain(rdisc_t, rdisc_exec_t) - -######################################## -# -# Local policy -# - -allow rdisc_t self:capability net_raw; -dontaudit rdisc_t self:capability sys_tty_config; -allow rdisc_t self:process signal_perms; -allow rdisc_t self:unix_stream_socket { accept listen }; -allow rdisc_t self:udp_socket create_socket_perms; -allow rdisc_t self:rawip_socket create_socket_perms; - -kernel_list_proc(rdisc_t) -kernel_read_proc_symlinks(rdisc_t) -kernel_read_kernel_sysctls(rdisc_t) - -corenet_all_recvfrom_unlabeled(rdisc_t) -corenet_all_recvfrom_netlabel(rdisc_t) -corenet_udp_sendrecv_generic_if(rdisc_t) -corenet_raw_sendrecv_generic_if(rdisc_t) -corenet_udp_sendrecv_generic_node(rdisc_t) -corenet_raw_sendrecv_generic_node(rdisc_t) -corenet_udp_sendrecv_all_ports(rdisc_t) - -dev_read_sysfs(rdisc_t) - -fs_search_auto_mountpoints(rdisc_t) - -domain_use_interactive_fds(rdisc_t) - -files_read_etc_files(rdisc_t) - -logging_send_syslog_msg(rdisc_t) - -miscfiles_read_localization(rdisc_t) - -sysnet_read_config(rdisc_t) - -userdom_dontaudit_use_unpriv_user_fds(rdisc_t) - -optional_policy(` - seutil_sigchld_newrole(rdisc_t) -') - -optional_policy(` - udev_read_db(rdisc_t) -') diff --git a/policy/modules/contrib/readahead.fc b/policy/modules/contrib/readahead.fc deleted file mode 100644 index f307db43..00000000 --- a/policy/modules/contrib/readahead.fc +++ /dev/null @@ -1,7 +0,0 @@ -/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) - -/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) - -/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) - -/var/run/readahead,* gen_context(system_u:object_r:readahead_var_run_t,s0) diff --git a/policy/modules/contrib/readahead.if b/policy/modules/contrib/readahead.if deleted file mode 100644 index 661bb88f..00000000 --- a/policy/modules/contrib/readahead.if +++ /dev/null @@ -1,21 +0,0 @@ -## <summary>Read files into page cache for improved performance.</summary> - -######################################## -## <summary> -## Execute a domain transition -## to run readahead. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`readahead_domtrans',` - gen_require(` - type readahead_t, readahead_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, readahead_exec_t, readahead_t) -') diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te deleted file mode 100644 index f1512d67..00000000 --- a/policy/modules/contrib/readahead.te +++ /dev/null @@ -1,103 +0,0 @@ -policy_module(readahead, 1.12.2) - -######################################## -# -# Declarations -# - -type readahead_t; -type readahead_exec_t; -init_system_domain(readahead_t, readahead_exec_t) - -type readahead_var_lib_t; -files_type(readahead_var_lib_t) -typealias readahead_var_lib_t alias readahead_etc_rw_t; - -type readahead_var_run_t; -files_pid_file(readahead_var_run_t) -init_daemon_run_dir(readahead_var_run_t, "readahead") - -######################################## -# -# Local policy -# - -allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search }; -dontaudit readahead_t self:capability { net_admin sys_tty_config }; -allow readahead_t self:process { setsched signal_perms }; - -manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) -manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) - -manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) -manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) -files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file }) - -kernel_read_all_sysctls(readahead_t) -kernel_read_system_state(readahead_t) -kernel_dontaudit_getattr_core_if(readahead_t) - -dev_read_sysfs(readahead_t) -dev_getattr_generic_chr_files(readahead_t) -dev_getattr_generic_blk_files(readahead_t) -dev_getattr_all_chr_files(readahead_t) -dev_getattr_all_blk_files(readahead_t) -dev_dontaudit_read_all_blk_files(readahead_t) -dev_dontaudit_getattr_memory_dev(readahead_t) -dev_dontaudit_getattr_nvram_dev(readahead_t) -dev_dontaudit_rw_generic_chr_files(readahead_t) - -domain_use_interactive_fds(readahead_t) -domain_read_all_domains_state(readahead_t) - -files_create_boot_flag(readahead_t) -files_getattr_all_pipes(readahead_t) -files_list_non_security(readahead_t) -files_read_non_security_files(readahead_t) -files_search_var_lib(readahead_t) -files_dontaudit_getattr_all_sockets(readahead_t) -files_dontaudit_getattr_non_security_blk_files(readahead_t) - -fs_getattr_all_fs(readahead_t) -fs_search_auto_mountpoints(readahead_t) -fs_getattr_all_pipes(readahead_t) -fs_getattr_all_files(readahead_t) -fs_read_cgroup_files(readahead_t) -fs_read_tmpfs_files(readahead_t) -fs_read_tmpfs_symlinks(readahead_t) -fs_list_inotifyfs(readahead_t) -fs_dontaudit_search_ramfs(readahead_t) -fs_dontaudit_read_ramfs_pipes(readahead_t) -fs_dontaudit_read_ramfs_files(readahead_t) -fs_dontaudit_use_tmpfs_chr_dev(readahead_t) - -mcs_file_read_all(readahead_t) - -mls_file_read_all_levels(readahead_t) - -storage_raw_read_fixed_disk(readahead_t) - -term_dontaudit_use_console(readahead_t) - -auth_dontaudit_read_shadow(readahead_t) - -init_use_fds(readahead_t) -init_use_script_ptys(readahead_t) -init_getattr_initctl(readahead_t) - -logging_send_syslog_msg(readahead_t) -logging_set_audit_parameters(readahead_t) -logging_dontaudit_search_audit_config(readahead_t) - -miscfiles_read_localization(readahead_t) - -userdom_dontaudit_use_unpriv_user_fds(readahead_t) -userdom_dontaudit_search_user_home_dirs(readahead_t) - -optional_policy(` - cron_system_entry(readahead_t, readahead_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(readahead_t) -') diff --git a/policy/modules/contrib/realmd.fc b/policy/modules/contrib/realmd.fc deleted file mode 100644 index 04babe3d..00000000 --- a/policy/modules/contrib/realmd.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) diff --git a/policy/modules/contrib/realmd.if b/policy/modules/contrib/realmd.if deleted file mode 100644 index bff31dfd..00000000 --- a/policy/modules/contrib/realmd.if +++ /dev/null @@ -1,41 +0,0 @@ -## <summary>Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.</summary> - -######################################## -## <summary> -## Execute realmd in the realmd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`realmd_domtrans',` - gen_require(` - type realmd_t, realmd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, realmd_exec_t, realmd_t) -') - -######################################## -## <summary> -## Send and receive messages from -## realmd over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`realmd_dbus_chat',` - gen_require(` - type realmd_t; - class dbus send_msg; - ') - - allow $1 realmd_t:dbus send_msg; - allow realmd_t $1:dbus send_msg; -') diff --git a/policy/modules/contrib/realmd.te b/policy/modules/contrib/realmd.te deleted file mode 100644 index 9a8f0529..00000000 --- a/policy/modules/contrib/realmd.te +++ /dev/null @@ -1,90 +0,0 @@ -policy_module(realmd, 1.0.2) - -######################################## -# -# Declarations -# - -type realmd_t; -type realmd_exec_t; -init_system_domain(realmd_t, realmd_exec_t) - -######################################## -# -# Local policy -# - -allow realmd_t self:capability sys_nice; -allow realmd_t self:process setsched; - -kernel_read_system_state(realmd_t) - -corecmd_exec_bin(realmd_t) -corecmd_exec_shell(realmd_t) - -corenet_all_recvfrom_unlabeled(realmd_t) -corenet_all_recvfrom_netlabel(realmd_t) -corenet_tcp_sendrecv_generic_if(realmd_t) -corenet_tcp_sendrecv_generic_node(realmd_t) - -corenet_sendrecv_http_client_packets(realmd_t) -corenet_tcp_connect_http_port(realmd_t) -corenet_tcp_sendrecv_http_port(realmd_t) - -domain_use_interactive_fds(realmd_t) - -dev_read_rand(realmd_t) -dev_read_urand(realmd_t) - -fs_getattr_all_fs(realmd_t) - -files_read_usr_files(realmd_t) - -auth_use_nsswitch(realmd_t) - -logging_send_syslog_msg(realmd_t) - -optional_policy(` - dbus_system_domain(realmd_t, realmd_exec_t) - - optional_policy(` - networkmanager_dbus_chat(realmd_t) - ') - - optional_policy(` - policykit_dbus_chat(realmd_t) - ') -') - -optional_policy(` - hostname_exec(realmd_t) -') - -optional_policy(` - kerberos_use(realmd_t) - kerberos_rw_keytab(realmd_t) -') - -optional_policy(` - nis_exec_ypbind(realmd_t) - nis_initrc_domtrans(realmd_t) -') - -optional_policy(` - gnome_read_generic_home_content(realmd_t) -') - -optional_policy(` - samba_domtrans_net(realmd_t) - samba_manage_config(realmd_t) - samba_getattr_winbind_exec(realmd_t) -') - -optional_policy(` - sssd_getattr_exec(realmd_t) - sssd_manage_config(realmd_t) - sssd_manage_lib_files(realmd_t) - sssd_manage_public_files(realmd_t) - sssd_read_pid_files(realmd_t) - sssd_initrc_domtrans(realmd_t) -') diff --git a/policy/modules/contrib/remotelogin.fc b/policy/modules/contrib/remotelogin.fc deleted file mode 100644 index 327baf05..00000000 --- a/policy/modules/contrib/remotelogin.fc +++ /dev/null @@ -1 +0,0 @@ -# Remote login currently has no file contexts. diff --git a/policy/modules/contrib/remotelogin.if b/policy/modules/contrib/remotelogin.if deleted file mode 100644 index a9ce68e3..00000000 --- a/policy/modules/contrib/remotelogin.if +++ /dev/null @@ -1,79 +0,0 @@ -## <summary>Rshd, rlogind, and telnetd.</summary> - -######################################## -## <summary> -## Domain transition to the remote login domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`remotelogin_domtrans',` - gen_require(` - type remote_login_t; - ') - - corecmd_search_bin($1) - auth_domtrans_login_program($1, remote_login_t) -') - -######################################## -## <summary> -## Send generic signals to remote login. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`remotelogin_signal',` - gen_require(` - type remote_login_t; - ') - - allow $1 remote_login_t:process signal; -') - -######################################## -## <summary> -## Create, read, write, and delete -## remote login temporary content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`remotelogin_manage_tmp_content',` - gen_require(` - type remote_login_tmp_t; - ') - - files_search_tmp($1) - allow $1 remote_login_tmp_t:dir manage_dir_perms; - allow $1 remote_login_tmp_t:file manage_file_perms; -') - -######################################## -## <summary> -## Relabel remote login temporary content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`remotelogin_relabel_tmp_content',` - gen_require(` - type remote_login_tmp_t; - ') - - files_search_tmp($1) - allow $1 remote_login_tmp_t:dir relabel_dir_perms; - allow $1 remote_login_tmp_t:file relabel_file_perms; -') diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te deleted file mode 100644 index c51a32c4..00000000 --- a/policy/modules/contrib/remotelogin.te +++ /dev/null @@ -1,101 +0,0 @@ -policy_module(remotelogin, 1.7.2) - -######################################## -# -# Declarations -# - -type remote_login_t; -domain_interactive_fd(remote_login_t) -auth_login_pgm_domain(remote_login_t) -auth_login_entry_type(remote_login_t) - -type remote_login_tmp_t; -files_tmp_file(remote_login_tmp_t) - -######################################## -# -# Local policy -# - -allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; -allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow remote_login_t self:process { setrlimit setexec }; -allow remote_login_t self:fd use; -allow remote_login_t self:fifo_file rw_fifo_file_perms; -allow remote_login_t self:unix_dgram_socket sendto; -allow remote_login_t self:unix_stream_socket { accept connectto listen }; - -manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) -manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) -files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir }) - -kernel_read_system_state(remote_login_t) -kernel_read_kernel_sysctls(remote_login_t) - -dev_getattr_mouse_dev(remote_login_t) -dev_setattr_mouse_dev(remote_login_t) - -fs_getattr_xattr_fs(remote_login_t) - -term_relabel_all_ptys(remote_login_t) -term_use_all_ptys(remote_login_t) -term_setattr_all_ptys(remote_login_t) - -auth_manage_pam_console_data(remote_login_t) -auth_domtrans_pam_console(remote_login_t) -auth_rw_login_records(remote_login_t) -auth_rw_faillog(remote_login_t) - -corecmd_list_bin(remote_login_t) -corecmd_read_bin_symlinks(remote_login_t) - -domain_read_all_entry_files(remote_login_t) - -files_read_etc_runtime_files(remote_login_t) -files_list_home(remote_login_t) -files_read_usr_files(remote_login_t) -files_list_world_readable(remote_login_t) -files_read_world_readable_files(remote_login_t) -files_read_world_readable_symlinks(remote_login_t) -files_read_world_readable_pipes(remote_login_t) -files_read_world_readable_sockets(remote_login_t) -files_list_mnt(remote_login_t) -files_read_var_symlinks(remote_login_t) - -miscfiles_read_localization(remote_login_t) - -userdom_use_unpriv_users_fds(remote_login_t) -userdom_search_user_home_content(remote_login_t) -userdom_signal_unpriv_users(remote_login_t) -userdom_spec_domtrans_unpriv_users(remote_login_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(remote_login_t) - fs_read_nfs_symlinks(remote_login_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(remote_login_t) - fs_read_cifs_symlinks(remote_login_t) -') - -optional_policy(` - alsa_domtrans(remote_login_t) -') - -optional_policy(` - mta_getattr_spool(remote_login_t) -') - -optional_policy(` - telnet_use_ptys(remote_login_t) -') - -optional_policy(` - unconfined_shell_domtrans(remote_login_t) -') - -optional_policy(` - usermanage_read_crack_db(remote_login_t) -') diff --git a/policy/modules/contrib/resmgr.fc b/policy/modules/contrib/resmgr.fc deleted file mode 100644 index e5bcdf5c..00000000 --- a/policy/modules/contrib/resmgr.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0) - -/etc/rc\.d/init\.d/resmgr -- gen_context(system_u:object_r:resmgrd_initrc_exec_t,s0) - -/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) - -/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) - -/var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0) -/var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0) diff --git a/policy/modules/contrib/resmgr.if b/policy/modules/contrib/resmgr.if deleted file mode 100644 index 0d93db64..00000000 --- a/policy/modules/contrib/resmgr.if +++ /dev/null @@ -1,59 +0,0 @@ -## <summary>Resource management daemon.</summary> - -######################################## -## <summary> -## Connect to resmgrd over a unix domain -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`resmgr_stream_connect',` - gen_require(` - type resmgrd_var_run_t, resmgrd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an resmgr environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`resmgr_admin',` - gen_require(` - type resmgrd_t, resmgrd_initrc_exec_t, resmgrd_var_run_t; - type resmgrd_etc_t; - ') - - allow $1 resmgrd_t:process { ptrace signal_perms }; - ps_process_pattern($1, resmgrd_t) - - init_labeled_script_domtrans($1, resmgrd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 resmgrd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, resmgrd_etc_t) - - files_search_pids($1) - admin_pattern($1, resmgrd_var_run_t) -') diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te deleted file mode 100644 index 6f219b33..00000000 --- a/policy/modules/contrib/resmgr.te +++ /dev/null @@ -1,67 +0,0 @@ -policy_module(resmgr, 1.2.2) - -######################################## -# -# Declarations -# - -type resmgrd_t; -type resmgrd_exec_t; -init_daemon_domain(resmgrd_t, resmgrd_exec_t) - -type resmgrd_initrc_exec_t; -init_script_file(resmgrd_initrc_exec_t) - -type resmgrd_etc_t; -files_config_file(resmgrd_etc_t) - -type resmgrd_var_run_t; -files_pid_file(resmgrd_var_run_t) - -######################################## -# -# Local policy -# - -allow resmgrd_t self:capability { dac_override sys_admin sys_rawio }; -dontaudit resmgrd_t self:capability sys_tty_config; -allow resmgrd_t self:process signal_perms; - -allow resmgrd_t resmgrd_etc_t:file read_file_perms; - -allow resmgrd_t resmgrd_var_run_t:file manage_file_perms; -allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms; -files_pid_filetrans(resmgrd_t, resmgrd_var_run_t, { file sock_file }) - -kernel_list_proc(resmgrd_t) -kernel_read_proc_symlinks(resmgrd_t) -kernel_read_kernel_sysctls(resmgrd_t) - -dev_read_sysfs(resmgrd_t) -dev_getattr_scanner_dev(resmgrd_t) - -domain_use_interactive_fds(resmgrd_t) - -files_read_etc_files(resmgrd_t) - -fs_search_auto_mountpoints(resmgrd_t) - -storage_dontaudit_read_fixed_disk(resmgrd_t) -storage_read_scsi_generic(resmgrd_t) -storage_raw_read_removable_device(resmgrd_t) -storage_raw_write_removable_device(resmgrd_t) -storage_write_scsi_generic(resmgrd_t) - -logging_send_syslog_msg(resmgrd_t) - -miscfiles_read_localization(resmgrd_t) - -userdom_dontaudit_use_unpriv_user_fds(resmgrd_t) - -optional_policy(` - seutil_sigchld_newrole(resmgrd_t) -') - -optional_policy(` - udev_read_db(resmgrd_t) -') diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc new file mode 100644 index 00000000..fcfa9b7d --- /dev/null +++ b/policy/modules/contrib/resolvconf.fc @@ -0,0 +1,5 @@ +/etc/resolvconf\.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0) + +/usr/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0) + +/run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_runtime_t,s0) diff --git a/policy/modules/contrib/resolvconf.if b/policy/modules/contrib/resolvconf.if new file mode 100644 index 00000000..fa117520 --- /dev/null +++ b/policy/modules/contrib/resolvconf.if @@ -0,0 +1,102 @@ +## <summary>OpenResolv network configuration management</summary> + +######################################### +## <summary> +## Mark the domain as a resolvconf client, automatically granting +## the necessary privileges (execute resolvconf and type access). +## </summary> +## <param name="domain"> +## <summary> +## Domain to mark as a resolvconf client +## </summary> +## </param> +# +interface(`resolvconf_client_domain',` + gen_require(` + attribute resolvconf_client; + ') + + typeattribute $1 resolvconf_client; +') + +######################################### +## <summary> +## Assign the proper permissions to the domain, such as +## executing resolvconf and accessing its types. +## </summary> +## <param name="domain"> +## <summary> +## Domain to assign proper permissions to +## </summary> +## </param> +# +interface(`resolvconf_client_domain_privs',` + resolvconf_domtrans($1) + resolvconf_generic_run_filetrans_run($1, dir, "resolvconf") +') + +######################################### +## <summary> +## Execute resolvconf and transition to the resolvconf_t domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition +## </summary> +## </param> +# +interface(`resolvconf_domtrans',` + gen_require(` + type resolvconf_t; + type resolvconf_exec_t; + ') + + domtrans_pattern($1, resolvconf_exec_t, resolvconf_t) +') + +######################################### +## <summary> +## Execute resolvconf in the calling domain (no transition) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to execute +## </summary> +## </param> +# +interface(`resolvconf_exec',` + gen_require(` + type resolvconf_exec_t; + ') + + can_exec($1, resolvconf_exec_t) +') + +######################################### +## <summary> +## Transition to resolvconf_run_t when creating resources +## inside the generic run directory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="class"> +## <summary> +## Class on which a file transition has to occur +## </summary> +## </param> +## <param name="filename" optional="true"> +## <summary> +## Name of the resource on which a file transition has to occur +## </summary> +## </param> +# +interface(`resolvconf_generic_run_filetrans_run',` + gen_require(` + type resolvconf_runtime_t; + ') + + files_runtime_filetrans($1, resolvconf_runtime_t, $2, $3) +') diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te new file mode 100644 index 00000000..28ecd4d4 --- /dev/null +++ b/policy/modules/contrib/resolvconf.te @@ -0,0 +1,63 @@ +policy_module(resolvconf, 0.1) + +type resolvconf_t; +type resolvconf_exec_t; +domain_type(resolvconf_t) +domain_entry_file(resolvconf_t, resolvconf_exec_t) +role system_r types resolvconf_t; + +attribute resolvconf_client; + +type resolvconf_conf_t; +files_config_file(resolvconf_conf_t) + +type resolvconf_runtime_t alias resolvconf_var_run_t; +files_runtime_file(resolvconf_runtime_t) + +######################################### +# +# OpenResolv policy +# + +allow resolvconf_t self:fifo_file manage_fifo_file_perms; +allow resolvconf_t resolvconf_conf_t:file read_file_perms; + +manage_dirs_pattern(resolvconf_t, resolvconf_runtime_t, resolvconf_runtime_t) +manage_files_pattern(resolvconf_t, resolvconf_runtime_t, resolvconf_runtime_t) + +corecmd_exec_bin(resolvconf_t) +corecmd_exec_shell(resolvconf_t) + +files_runtime_filetrans(resolvconf_t, resolvconf_runtime_t, { dir file }) +files_read_etc_files(resolvconf_t) + +miscfiles_read_localization(resolvconf_t) + +sysnet_manage_config(resolvconf_t) + +optional_policy(` + init_domtrans_script(resolvconf_t) + init_read_script_status_files(resolvconf_t) + init_use_script_fds(resolvconf_t) + init_use_script_ptys(resolvconf_t) +') + +optional_policy(` + term_dontaudit_use_console(resolvconf_t) +') + +optional_policy(` + dnsmasq_read_config(resolvconf_t) + dnsmasq_write_config(resolvconf_t) +') + +optional_policy(` + networkmanager_rw_rawip_sockets(resolvconf_t) +') + +######################################### +# +# Resolvconf client policy +# + +resolvconf_client_domain_privs(resolvconf_client) diff --git a/policy/modules/contrib/rgmanager.fc b/policy/modules/contrib/rgmanager.fc deleted file mode 100644 index 5421af0b..00000000 --- a/policy/modules/contrib/rgmanager.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) - -/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) - -/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) -/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) - -/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) - -/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) - -/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --git a/policy/modules/contrib/rgmanager.if b/policy/modules/contrib/rgmanager.if deleted file mode 100644 index 1c2f9aa1..00000000 --- a/policy/modules/contrib/rgmanager.if +++ /dev/null @@ -1,123 +0,0 @@ -## <summary>Resource Group Manager.</summary> - -####################################### -## <summary> -## Execute a domain transition to run rgmanager. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rgmanager_domtrans',` - gen_require(` - type rgmanager_t, rgmanager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rgmanager_exec_t, rgmanager_t) -') - -######################################## -## <summary> -## Connect to rgmanager with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rgmanager_stream_connect',` - gen_require(` - type rgmanager_t, rgmanager_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) -') - -###################################### -## <summary> -## Create, read, write, and delete -## rgmanager tmp files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rgmanager_manage_tmp_files',` - gen_require(` - type rgmanager_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) -') - -###################################### -## <summary> -## Create, read, write, and delete -## rgmanager tmpfs files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rgmanager_manage_tmpfs_files',` - gen_require(` - type rgmanager_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) -') - -###################################### -## <summary> -## All of the rules required to -## administrate an rgmanager environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rgmanager_admin',` - gen_require(` - type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; - type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; - ') - - allow $1 rgmanager_t:process { ptrace signal_perms }; - ps_process_pattern($1, rgmanager_t) - - init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rgmanager_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, rgmanager_tmp_t) - - admin_pattern($1, rgmanager_tmpfs_t) - - logging_list_logs($1) - admin_pattern($1, rgmanager_var_log_t) - - files_list_pids($1) - admin_pattern($1, rgmanager_var_run_t) -') diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te deleted file mode 100644 index b418d1c2..00000000 --- a/policy/modules/contrib/rgmanager.te +++ /dev/null @@ -1,205 +0,0 @@ -policy_module(rgmanager, 1.2.2) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether rgmanager can -## connect to the network using TCP. -## </p> -## </desc> -gen_tunable(rgmanager_can_network_connect, false) - -type rgmanager_t; -type rgmanager_exec_t; -init_daemon_domain(rgmanager_t, rgmanager_exec_t) - -type rgmanager_initrc_exec_t; -init_script_file(rgmanager_initrc_exec_t) - -type rgmanager_tmp_t; -files_tmp_file(rgmanager_tmp_t) - -type rgmanager_tmpfs_t; -files_tmpfs_file(rgmanager_tmpfs_t) - -type rgmanager_var_log_t; -logging_log_file(rgmanager_var_log_t) - -type rgmanager_var_run_t; -files_pid_file(rgmanager_var_run_t) - -######################################## -# -# Local policy -# - -allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; -allow rgmanager_t self:process { setsched signal }; -allow rgmanager_t self:fifo_file rw_fifo_file_perms; -allow rgmanager_t self:unix_stream_socket { accept listen }; -allow rgmanager_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) -manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) -files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir }) - -manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) -manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) -fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) - -allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file) - -manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(rgmanager_t) -kernel_read_system_state(rgmanager_t) -kernel_rw_rpc_sysctls(rgmanager_t) -kernel_search_debugfs(rgmanager_t) -kernel_search_network_state(rgmanager_t) - -corenet_all_recvfrom_unlabeled(rgmanager_t) -corenet_all_recvfrom_netlabel(rgmanager_t) -corenet_tcp_sendrecv_generic_if(rgmanager_t) -corenet_tcp_sendrecv_generic_node(rgmanager_t) - -corecmd_exec_bin(rgmanager_t) -corecmd_exec_shell(rgmanager_t) - -dev_rw_dlm_control(rgmanager_t) -dev_setattr_dlm_control(rgmanager_t) -dev_search_sysfs(rgmanager_t) - -domain_read_all_domains_state(rgmanager_t) -domain_getattr_all_domains(rgmanager_t) -domain_dontaudit_ptrace_all_domains(rgmanager_t) - -files_list_all(rgmanager_t) -files_getattr_all_symlinks(rgmanager_t) -files_manage_mnt_dirs(rgmanager_t) -files_manage_isid_type_dirs(rgmanager_t) -files_read_non_security_files(rgmanager_t) - -fs_getattr_all_fs(rgmanager_t) - -storage_raw_read_fixed_disk(rgmanager_t) - -term_getattr_pty_fs(rgmanager_t) - -auth_dontaudit_getattr_shadow(rgmanager_t) -auth_use_nsswitch(rgmanager_t) - -init_domtrans_script(rgmanager_t) - -logging_send_syslog_msg(rgmanager_t) - -miscfiles_read_localization(rgmanager_t) - -tunable_policy(`rgmanager_can_network_connect',` - corenet_sendrecv_all_client_packets(rgmanager_t) - corenet_tcp_connect_all_ports(rgmanager_t) - corenet_tcp_sendrecv_all_ports(rgmanager_t) -') - -optional_policy(` - aisexec_stream_connect(rgmanager_t) -') - -optional_policy(` - consoletype_exec(rgmanager_t) -') - -optional_policy(` - corosync_stream_connect(rgmanager_t) -') - -optional_policy(` - apache_domtrans(rgmanager_t) - apache_signal(rgmanager_t) -') - -optional_policy(` - fstools_domtrans(rgmanager_t) -') - -optional_policy(` - rhcs_stream_connect_groupd(rgmanager_t) - rhcs_stream_connect_gfs_controld(rgmanager_t) -') - -optional_policy(` - hostname_exec(rgmanager_t) -') - -optional_policy(` - ccs_manage_config(rgmanager_t) - ccs_stream_connect(rgmanager_t) -') - -optional_policy(` - lvm_domtrans(rgmanager_t) -') - -optional_policy(` - mount_domtrans(rgmanager_t) -') - -optional_policy(` - mysql_domtrans_mysql_safe(rgmanager_t) - mysql_stream_connect(rgmanager_t) -') - -optional_policy(` - netutils_domtrans(rgmanager_t) - netutils_domtrans_ping(rgmanager_t) -') - -optional_policy(` - postgresql_domtrans(rgmanager_t) - postgresql_signal(rgmanager_t) -') - -optional_policy(` - rdisc_exec(rgmanager_t) -') - -optional_policy(` - ricci_dontaudit_rw_modcluster_pipes(rgmanager_t) -') - -optional_policy(` - rpc_domtrans_nfsd(rgmanager_t) - rpc_domtrans_rpcd(rgmanager_t) - rpc_manage_nfs_state_data(rgmanager_t) -') - -optional_policy(` - samba_domtrans_smbd(rgmanager_t) - samba_domtrans_nmbd(rgmanager_t) - samba_manage_var_files(rgmanager_t) - samba_rw_config(rgmanager_t) - samba_signal_smbd(rgmanager_t) - samba_signal_nmbd(rgmanager_t) -') - -optional_policy(` - sysnet_domtrans_ifconfig(rgmanager_t) -') - -optional_policy(` - udev_read_db(rgmanager_t) -') - -optional_policy(` - virt_stream_connect(rgmanager_t) -') - -optional_policy(` - xen_domtrans_xm(rgmanager_t) -') diff --git a/policy/modules/contrib/rhcs.fc b/policy/modules/contrib/rhcs.fc deleted file mode 100644 index 47de2d68..00000000 --- a/policy/modules/contrib/rhcs.fc +++ /dev/null @@ -1,31 +0,0 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) - -/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) -/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) -/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) -/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) -/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0) -/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) -/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) -/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) - -/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) - -/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) - -/var/log/cluster/.*\.*log <<none>> -/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) -/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) -/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) -/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) -/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0) - -/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) -/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0) -/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) -/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) -/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if deleted file mode 100644 index 56bc01f5..00000000 --- a/policy/modules/contrib/rhcs.if +++ /dev/null @@ -1,497 +0,0 @@ -## <summary>Red Hat Cluster Suite.</summary> - -####################################### -## <summary> -## The template to define a rhcs domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`rhcs_domain_template',` - gen_require(` - attribute cluster_domain, cluster_pid, cluster_tmpfs; - attribute cluster_log; - ') - - ############################## - # - # Declarations - # - - type $1_t, cluster_domain; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - - type $1_tmpfs_t, cluster_tmpfs; - files_tmpfs_file($1_tmpfs_t) - - type $1_var_log_t, cluster_log; - logging_log_file($1_var_log_t) - - type $1_var_run_t, cluster_pid; - files_pid_file($1_var_run_t) - - ############################## - # - # Local policy - # - - manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) - - manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t) - append_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - create_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) - - manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file }) - - optional_policy(` - dbus_system_bus_client($1_t) - ') -') - -###################################### -## <summary> -## Execute a domain transition to -## run dlm_controld. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rhcs_domtrans_dlm_controld',` - gen_require(` - type dlm_controld_t, dlm_controld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t) -') - -##################################### -## <summary> -## Get attributes of fenced -## executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_getattr_fenced_exec_files',` - gen_require(` - type fenced_exec_t; - ') - - allow $1 fenced_exec_t:file getattr_file_perms; -') - -##################################### -## <summary> -## Connect to dlm_controld with a -## unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_stream_connect_dlm_controld',` - gen_require(` - type dlm_controld_t, dlm_controld_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) -') - -##################################### -## <summary> -## Read and write dlm_controld semaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_rw_dlm_controld_semaphores',` - gen_require(` - type dlm_controld_t, dlm_controld_tmpfs_t; - ') - - allow $1 dlm_controld_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) -') - -###################################### -## <summary> -## Execute a domain transition to run fenced. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rhcs_domtrans_fenced',` - gen_require(` - type fenced_t, fenced_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fenced_exec_t, fenced_t) -') - -###################################### -## <summary> -## Read and write fenced semaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_rw_fenced_semaphores',` - gen_require(` - type fenced_t, fenced_tmpfs_t; - ') - - allow $1 fenced_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) -') - -#################################### -## <summary> -## Connect to all cluster domains -## with a unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_stream_connect_cluster',` - gen_require(` - attribute cluster_domain, cluster_pid; - ') - - files_search_pids($1) - stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) -') - -###################################### -## <summary> -## Connect to fenced with an unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_stream_connect_fenced',` - gen_require(` - type fenced_var_run_t, fenced_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) -') - -##################################### -## <summary> -## Execute a domain transition -## to run gfs_controld. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rhcs_domtrans_gfs_controld',` - gen_require(` - type gfs_controld_t, gfs_controld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t) -') - -#################################### -## <summary> -## Read and write gfs_controld semaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_rw_gfs_controld_semaphores',` - gen_require(` - type gfs_controld_t, gfs_controld_tmpfs_t; - ') - - allow $1 gfs_controld_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -') - -######################################## -## <summary> -## Read and write gfs_controld_t shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_rw_gfs_controld_shm',` - gen_require(` - type gfs_controld_t, gfs_controld_tmpfs_t; - ') - - allow $1 gfs_controld_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -') - -##################################### -## <summary> -## Connect to gfs_controld_t with -## a unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_stream_connect_gfs_controld',` - gen_require(` - type gfs_controld_t, gfs_controld_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t) -') - -###################################### -## <summary> -## Execute a domain transition to run groupd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rhcs_domtrans_groupd',` - gen_require(` - type groupd_t, groupd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, groupd_exec_t, groupd_t) -') - -##################################### -## <summary> -## Connect to groupd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_stream_connect_groupd',` - gen_require(` - type groupd_t, groupd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) -') - -######################################## -## <summary> -## Read and write all cluster domains -## shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_rw_cluster_shm',` - gen_require(` - attribute cluster_domain, cluster_tmpfs; - ') - - allow $1 cluster_domain:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) -') - -#################################### -## <summary> -## Read and write all cluster -## domains semaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_rw_cluster_semaphores',` - gen_require(` - attribute cluster_domain; - ') - - allow $1 cluster_domain:sem { rw_sem_perms destroy }; -') - -##################################### -## <summary> -## Read and write groupd semaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_rw_groupd_semaphores',` - gen_require(` - type groupd_t, groupd_tmpfs_t; - ') - - allow $1 groupd_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -') - -######################################## -## <summary> -## Read and write groupd shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhcs_rw_groupd_shm',` - gen_require(` - type groupd_t, groupd_tmpfs_t; - ') - - allow $1 groupd_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -') - -###################################### -## <summary> -## Execute a domain transition to run qdiskd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rhcs_domtrans_qdiskd',` - gen_require(` - type qdiskd_t, qdiskd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an rhcs environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rhcs_admin',` - gen_require(` - attribute cluster_domain, cluster_pid, cluster_tmpfs; - attribute cluster_log; - type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; - type fenced_tmp_t, qdiskd_var_lib_t; - ') - - allow $1 cluster_domain:process { ptrace signal_perms }; - ps_process_pattern($1, cluster_domain) - - init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, cluster_pid) - - files_search_locks($1) - admin_pattern($1, fenced_lock_t) - - files_search_tmp($1) - admin_pattern($1, fenced_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, qdiskd_var_lib_t) - - fs_search_tmpfs($1) - admin_pattern($1, cluster_tmpfs) - - logging_search_logs($1) - admin_pattern($1, cluster_log) -') diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te deleted file mode 100644 index 2c2de9a4..00000000 --- a/policy/modules/contrib/rhcs.te +++ /dev/null @@ -1,330 +0,0 @@ -policy_module(rhcs, 1.1.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether fenced can -## connect to the TCP network. -## </p> -## </desc> -gen_tunable(fenced_can_network_connect, false) - -## <desc> -## <p> -## Determine whether fenced can use ssh. -## </p> -## </desc> -gen_tunable(fenced_can_ssh, false) - -attribute cluster_domain; -attribute cluster_log; -attribute cluster_pid; -attribute cluster_tmpfs; - -rhcs_domain_template(dlm_controld) - -type dlm_controld_initrc_exec_t; -init_script_file(dlm_controld_initrc_exec_t) - -rhcs_domain_template(fenced) - -type fenced_lock_t; -files_lock_file(fenced_lock_t) - -type fenced_tmp_t; -files_tmp_file(fenced_tmp_t) - -rhcs_domain_template(foghorn) - -type foghorn_initrc_exec_t; -init_script_file(foghorn_initrc_exec_t) - -rhcs_domain_template(gfs_controld) -rhcs_domain_template(groupd) -rhcs_domain_template(qdiskd) - -type qdiskd_var_lib_t; -files_type(qdiskd_var_lib_t) - -##################################### -# -# Common cluster domains local policy -# - -allow cluster_domain self:capability sys_nice; -allow cluster_domain self:process setsched; -allow cluster_domain self:sem create_sem_perms; -allow cluster_domain self:fifo_file rw_fifo_file_perms; -allow cluster_domain self:unix_stream_socket create_stream_socket_perms; -allow cluster_domain self:unix_dgram_socket create_socket_perms; - -logging_send_syslog_msg(cluster_domain) - -miscfiles_read_localization(cluster_domain) - -optional_policy(` - ccs_stream_connect(cluster_domain) -') - -optional_policy(` - corosync_stream_connect(cluster_domain) -') - -##################################### -# -# dlm_controld local policy -# - -allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; -allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; - -stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - -kernel_read_system_state(dlm_controld_t) -kernel_rw_net_sysctls(dlm_controld_t) - -corecmd_exec_bin(dlm_controld_t) - -dev_rw_dlm_control(dlm_controld_t) -dev_rw_sysfs(dlm_controld_t) - -fs_manage_configfs_files(dlm_controld_t) -fs_manage_configfs_dirs(dlm_controld_t) - -init_rw_script_tmp_files(dlm_controld_t) - -####################################### -# -# fenced local policy -# - -allow fenced_t self:capability { sys_rawio sys_resource }; -allow fenced_t self:process { getsched signal_perms }; -allow fenced_t self:tcp_socket { accept listen }; -allow fenced_t self:unix_stream_socket connectto; - -manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) -files_lock_filetrans(fenced_t, fenced_lock_t, file) - -manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) - -stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - -can_exec(fenced_t, fenced_exec_t) - -kernel_read_system_state(fenced_t) - -corecmd_exec_bin(fenced_t) -corecmd_exec_shell(fenced_t) - -corenet_all_recvfrom_unlabeled(fenced_t) -corenet_all_recvfrom_netlabel(fenced_t) -corenet_tcp_sendrecv_generic_if(fenced_t) -corenet_udp_sendrecv_generic_if(fenced_t) -corenet_tcp_sendrecv_generic_node(fenced_t) -corenet_udp_sendrecv_generic_node(fenced_t) -corenet_tcp_bind_generic_node(fenced_t) -corenet_udp_bind_generic_node(fenced_t) - -corenet_sendrecv_ionixnetmon_server_packets(fenced_t) -corenet_udp_bind_ionixnetmon_port(fenced_t) -corenet_udp_sendrecv_ionixnetmon_port(fenced_t) - -corenet_sendrecv_zented_server_packets(fenced_t) -corenet_tcp_bind_zented_port(fenced_t) -corenet_tcp_sendrecv_zented_port(fenced_t) - -corenet_sendrecv_http_client_packets(fenced_t) -corenet_tcp_connect_http_port(fenced_t) -corenet_tcp_sendrecv_http_port(fenced_t) - -dev_read_sysfs(fenced_t) -dev_read_urand(fenced_t) - -files_read_usr_files(fenced_t) -files_read_usr_symlinks(fenced_t) - -storage_raw_read_fixed_disk(fenced_t) -storage_raw_write_fixed_disk(fenced_t) -storage_raw_read_removable_device(fenced_t) - -term_getattr_pty_fs(fenced_t) -term_use_generic_ptys(fenced_t) -term_use_ptmx(fenced_t) - -auth_use_nsswitch(fenced_t) - -tunable_policy(`fenced_can_network_connect',` - corenet_sendrecv_all_client_packets(fenced_t) - corenet_tcp_connect_all_ports(fenced_t) - corenet_tcp_sendrecv_all_ports(fenced_t) -') - -optional_policy(` - tunable_policy(`fenced_can_ssh',` - allow fenced_t self:capability { setuid setgid }; - - corenet_sendrecv_ssh_client_packets(fenced_t) - corenet_tcp_connect_ssh_port(fenced_t) - corenet_tcp_sendrecv_ssh_port(fenced_t) - - ssh_exec(fenced_t) - ssh_read_user_home_files(fenced_t) - ') -') - -optional_policy(` - corosync_exec(fenced_t) -') - -optional_policy(` - ccs_read_config(fenced_t) -') - -optional_policy(` - gnome_read_generic_home_content(fenced_t) -') - -optional_policy(` - lvm_domtrans(fenced_t) - lvm_read_config(fenced_t) -') - -optional_policy(` - snmp_manage_var_lib_files(fenced_t) - snmp_manage_var_lib_dirs(fenced_t) -') - -####################################### -# -# foghorn local policy -# - -allow foghorn_t self:process signal; -allow foghorn_t self:tcp_socket create_stream_socket_perms; -allow foghorn_t self:udp_socket create_socket_perms; - -corenet_all_recvfrom_unlabeled(foghorn_t) -corenet_all_recvfrom_netlabel(foghorn_t) -corenet_tcp_sendrecv_generic_if(foghorn_t) -corenet_tcp_sendrecv_generic_node(foghorn_t) - -corenet_sendrecv_agentx_client_packets(foghorn_t) -corenet_tcp_connect_agentx_port(foghorn_t) -corenet_tcp_sendrecv_agentx_port(foghorn_t) - -dev_read_urand(foghorn_t) - -files_read_usr_files(foghorn_t) - -optional_policy(` - dbus_connect_system_bus(foghorn_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(foghorn_t) - snmp_stream_connect(foghorn_t) -') - -###################################### -# -# gfs_controld local policy -# - -allow gfs_controld_t self:capability { net_admin sys_resource }; -allow gfs_controld_t self:shm create_shm_perms; -allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; - -stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) -stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - -kernel_read_system_state(gfs_controld_t) - -dev_rw_dlm_control(gfs_controld_t) -dev_setattr_dlm_control(gfs_controld_t) -dev_rw_sysfs(gfs_controld_t) - -storage_getattr_removable_dev(gfs_controld_t) - -init_rw_script_tmp_files(gfs_controld_t) - -optional_policy(` - lvm_exec(gfs_controld_t) - dev_rw_lvm_control(gfs_controld_t) -') - -####################################### -# -# groupd local policy -# - -allow groupd_t self:capability { sys_nice sys_resource }; -allow groupd_t self:process setsched; -allow groupd_t self:shm create_shm_perms; - -domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) - -dev_list_sysfs(groupd_t) - -files_read_etc_files(groupd_t) - -init_rw_script_tmp_files(groupd_t) - -###################################### -# -# qdiskd local policy -# - -allow qdiskd_t self:capability { ipc_lock sys_boot }; -allow qdiskd_t self:tcp_socket { accept listen }; - -manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) -manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) -manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) -files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) - -kernel_read_system_state(qdiskd_t) -kernel_read_software_raid_state(qdiskd_t) -kernel_getattr_core_if(qdiskd_t) - -corecmd_exec_bin(qdiskd_t) -corecmd_exec_shell(qdiskd_t) - -dev_read_sysfs(qdiskd_t) -dev_list_all_dev_nodes(qdiskd_t) -dev_getattr_all_blk_files(qdiskd_t) -dev_getattr_all_chr_files(qdiskd_t) -dev_manage_generic_blk_files(qdiskd_t) -dev_manage_generic_chr_files(qdiskd_t) - -domain_dontaudit_getattr_all_pipes(qdiskd_t) -domain_dontaudit_getattr_all_sockets(qdiskd_t) - -files_dontaudit_getattr_all_sockets(qdiskd_t) -files_dontaudit_getattr_all_pipes(qdiskd_t) - -fs_list_hugetlbfs(qdiskd_t) - -storage_raw_read_removable_device(qdiskd_t) -storage_raw_write_removable_device(qdiskd_t) -storage_raw_read_fixed_disk(qdiskd_t) -storage_raw_write_fixed_disk(qdiskd_t) - -auth_use_nsswitch(qdiskd_t) - -optional_policy(` - netutils_domtrans_ping(qdiskd_t) -') - -optional_policy(` - udev_read_db(qdiskd_t) -') diff --git a/policy/modules/contrib/rhgb.fc b/policy/modules/contrib/rhgb.fc deleted file mode 100644 index b83c05f9..00000000 --- a/policy/modules/contrib/rhgb.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/rhgb -- gen_context(system_u:object_r:rhgb_exec_t,s0) diff --git a/policy/modules/contrib/rhgb.if b/policy/modules/contrib/rhgb.if deleted file mode 100644 index 1a134a72..00000000 --- a/policy/modules/contrib/rhgb.if +++ /dev/null @@ -1,205 +0,0 @@ -## <summary> Red Hat Graphical Boot.</summary> - -######################################## -## <summary> -## RHGB stub interface. No access allowed. -## </summary> -## <param name="domain" unused="true"> -## <summary> -## N/A -## </summary> -## </param> -# -interface(`rhgb_stub',` - gen_require(` - type rhgb_t; - ') -') - -######################################## -## <summary> -## Inherit and use rhgb file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhgb_use_fds',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:fd use; -') - -######################################## -## <summary> -## Get the process group of rhgb. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhgb_getpgid',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:process getpgid; -') - -######################################## -## <summary> -## Send generic signals to rhgb. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhgb_signal',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:process signal; -') - -######################################## -## <summary> -## Read and write inherited rhgb unix -## domain stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhgb_rw_stream_sockets',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## Do not audit attempts to read and write -## rhgb unix domain stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`rhgb_dontaudit_rw_stream_sockets',` - gen_require(` - type rhgb_t; - ') - - dontaudit $1 rhgb_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## Connected to rhgb with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhgb_stream_connect',` - gen_require(` - type rhgb_t, rhgb_tmpfs_t; - ') - - fs_search_tmpfs($1) - stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t) -') - -######################################## -## <summary> -## Read and write to rhgb shared memory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhgb_rw_shm',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:shm rw_shm_perms; -') - -######################################## -## <summary> -## Read and write rhgb pty devices. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhgb_use_ptys',` - gen_require(` - type rhgb_devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 rhgb_devpts_t:chr_file rw_term_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write rhgb pty devices. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`rhgb_dontaudit_use_ptys',` - gen_require(` - type rhgb_devpts_t; - ') - - dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms; -') - -######################################## -## <summary> -## Read and write to rhgb tmpfs files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhgb_rw_tmpfs_files',` - gen_require(` - type rhgb_tmpfs_t; - ') - - - fs_search_tmpfs($1) - allow $1 rhgb_tmpfs_t:file rw_file_perms; -') diff --git a/policy/modules/contrib/rhgb.te b/policy/modules/contrib/rhgb.te deleted file mode 100644 index 3f32e4bb..00000000 --- a/policy/modules/contrib/rhgb.te +++ /dev/null @@ -1,127 +0,0 @@ -policy_module(rhgb, 1.9.0) - -######################################## -# -# Declarations -# - -type rhgb_t; -type rhgb_exec_t; -init_daemon_domain(rhgb_t, rhgb_exec_t) - -type rhgb_tmpfs_t; -files_tmpfs_file(rhgb_tmpfs_t) - -type rhgb_devpts_t; -term_pty(rhgb_devpts_t) - -######################################## -# -# Local policy -# - -allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config }; -dontaudit rhgb_t self:capability sys_tty_config; -allow rhgb_t self:process { setpgid signal_perms }; -allow rhgb_t self:shm create_shm_perms; -allow rhgb_t self:unix_stream_socket { accept listen }; -allow rhgb_t self:fifo_file rw_fifo_file_perms; - -allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -term_create_pty(rhgb_t, rhgb_devpts_t) - -manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_lnk_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_fifo_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_sock_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -fs_tmpfs_filetrans(rhgb_t, rhgb_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(rhgb_t) -kernel_read_system_state(rhgb_t) - -corecmd_exec_bin(rhgb_t) -corecmd_exec_shell(rhgb_t) - -corenet_all_recvfrom_unlabeled(rhgb_t) -corenet_all_recvfrom_netlabel(rhgb_t) -corenet_tcp_sendrecv_generic_if(rhgb_t) -corenet_tcp_sendrecv_generic_node(rhgb_t) -corenet_tcp_sendrecv_all_ports(rhgb_t) - -corenet_sendrecv_all_client_packets(rhgb_t) -corenet_tcp_connect_all_ports(rhgb_t) - -dev_read_sysfs(rhgb_t) -dev_read_urand(rhgb_t) - -domain_use_interactive_fds(rhgb_t) - -files_read_etc_files(rhgb_t) -files_read_var_files(rhgb_t) -files_read_etc_runtime_files(rhgb_t) -files_search_tmp(rhgb_t) -files_read_usr_files(rhgb_t) -files_mounton_mnt(rhgb_t) -files_dontaudit_rw_root_dir(rhgb_t) -files_dontaudit_read_default_files(rhgb_t) -files_dontaudit_search_pids(rhgb_t) -files_dontaudit_search_var(rhgb_t) - -fs_search_auto_mountpoints(rhgb_t) -fs_mount_ramfs(rhgb_t) -fs_unmount_ramfs(rhgb_t) -fs_getattr_tmpfs(rhgb_t) -fs_manage_ramfs_dirs(rhgb_t) -fs_manage_ramfs_files(rhgb_t) -fs_manage_ramfs_pipes(rhgb_t) -fs_manage_ramfs_sockets(rhgb_t) - -selinux_dontaudit_read_fs(rhgb_t) - -term_use_unallocated_ttys(rhgb_t) -term_use_ptmx(rhgb_t) -term_getattr_pty_fs(rhgb_t) - -init_write_initctl(rhgb_t) - -libs_read_lib_files(rhgb_t) - -logging_send_syslog_msg(rhgb_t) - -miscfiles_read_localization(rhgb_t) -miscfiles_read_fonts(rhgb_t) -miscfiles_dontaudit_write_fonts(rhgb_t) - -seutil_search_default_contexts(rhgb_t) -seutil_read_config(rhgb_t) - -sysnet_dns_name_resolve(rhgb_t) -sysnet_domtrans_ifconfig(rhgb_t) - -userdom_dontaudit_use_unpriv_user_fds(rhgb_t) -userdom_dontaudit_search_user_home_content(rhgb_t) - -xserver_read_tmp_files(rhgb_t) -xserver_kill(rhgb_t) -xserver_read_xkb_libs(rhgb_t) -xserver_domtrans(rhgb_t) -xserver_signal(rhgb_t) -xserver_read_xdm_tmp_files(rhgb_t) -xserver_stream_connect(rhgb_t) - -optional_policy(` - consoletype_exec(rhgb_t) -') - -optional_policy(` - nis_use_ypbind(rhgb_t) -') - -optional_policy(` - seutil_sigchld_newrole(rhgb_t) -') - -optional_policy(` - udev_read_db(rhgb_t) -') diff --git a/policy/modules/contrib/rhsmcertd.fc b/policy/modules/contrib/rhsmcertd.fc deleted file mode 100644 index 8c028041..00000000 --- a/policy/modules/contrib/rhsmcertd.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0) - -/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) - -/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0) - -/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) - -/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0) - -/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0) diff --git a/policy/modules/contrib/rhsmcertd.if b/policy/modules/contrib/rhsmcertd.if deleted file mode 100644 index 6dbc905b..00000000 --- a/policy/modules/contrib/rhsmcertd.if +++ /dev/null @@ -1,304 +0,0 @@ -## <summary>Subscription Management Certificate Daemon.</summary> - -######################################## -## <summary> -## Execute rhsmcertd in the rhsmcertd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rhsmcertd_domtrans',` - gen_require(` - type rhsmcertd_t, rhsmcertd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t) -') - -######################################## -## <summary> -## Execute rhsmcertd init scripts -## in the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rhsmcertd_initrc_domtrans',` - gen_require(` - type rhsmcertd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t) -') - -######################################## -## <summary> -## Read rhsmcertd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rhsmcertd_read_log',` - gen_require(` - type rhsmcertd_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) -') - -######################################## -## <summary> -## Append rhsmcertd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhsmcertd_append_log',` - gen_require(` - type rhsmcertd_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rhsmcertd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhsmcertd_manage_log',` - gen_require(` - type rhsmcertd_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) - manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) - manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) -') - -######################################## -## <summary> -## Search rhsmcertd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhsmcertd_search_lib',` - gen_require(` - type rhsmcertd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 rhsmcertd_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read rhsmcertd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhsmcertd_read_lib_files',` - gen_require(` - type rhsmcertd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rhsmcertd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhsmcertd_manage_lib_files',` - gen_require(` - type rhsmcertd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rhsmcertd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhsmcertd_manage_lib_dirs',` - gen_require(` - type rhsmcertd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -') - -######################################## -## <summary> -## Read rhsmcertd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhsmcertd_read_pid_files',` - gen_require(` - type rhsmcertd_var_run_t; - ') - - files_search_pids($1) - allow $1 rhsmcertd_var_run_t:file read_file_perms; -') - -#################################### -## <summary> -## Connect to rhsmcertd with a -## unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhsmcertd_stream_connect',` - gen_require(` - type rhsmcertd_t, rhsmcertd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t) -') - -####################################### -## <summary> -## Send and receive messages from -## rhsmcertd over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rhsmcertd_dbus_chat',` - gen_require(` - type rhsmcertd_t; - class dbus send_msg; - ') - - allow $1 rhsmcertd_t:dbus send_msg; - allow rhsmcertd_t $1:dbus send_msg; -') - -###################################### -## <summary> -## Do not audit attempts to send -## and receive messages from -## rhsmcertd over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`rhsmcertd_dontaudit_dbus_chat',` - gen_require(` - type rhsmcertd_t; - class dbus send_msg; - ') - - dontaudit $1 rhsmcertd_t:dbus send_msg; - dontaudit rhsmcertd_t $1:dbus send_msg; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an rhsmcertd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rhsmcertd_admin',` - gen_require(` - type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t; - type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t; - ') - - allow $1 rhsmcertd_t:process { ptrace signal_perms }; - ps_process_pattern($1, rhsmcertd_t) - - rhsmcertd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 rhsmcertd_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, rhsmcertd_log_t) - - files_search_var_lib($1) - admin_pattern($1, rhsmcertd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, rhsmcertd_var_run_t) - - files_search_locks($1) - admin_pattern($1, rhsmcertd_lock_t) -') diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te deleted file mode 100644 index 1cedd704..00000000 --- a/policy/modules/contrib/rhsmcertd.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(rhsmcertd, 1.0.2) - -######################################## -# -# Declarations -# - -type rhsmcertd_t; -type rhsmcertd_exec_t; -init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t) - -type rhsmcertd_initrc_exec_t; -init_script_file(rhsmcertd_initrc_exec_t) - -type rhsmcertd_log_t; -logging_log_file(rhsmcertd_log_t) - -type rhsmcertd_lock_t; -files_lock_file(rhsmcertd_lock_t) - -type rhsmcertd_var_lib_t; -files_type(rhsmcertd_var_lib_t) - -type rhsmcertd_var_run_t; -files_pid_file(rhsmcertd_var_run_t) - -######################################## -# -# Local policy -# - -allow rhsmcertd_t self:capability sys_nice; -allow rhsmcertd_t self:process { signal setsched }; -allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; -allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) -append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) -create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) -setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) - -manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) -files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) - -manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) - -manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) -manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) -files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) - -kernel_read_network_state(rhsmcertd_t) -kernel_read_system_state(rhsmcertd_t) - -corecmd_exec_bin(rhsmcertd_t) - -dev_read_sysfs(rhsmcertd_t) -dev_read_rand(rhsmcertd_t) -dev_read_urand(rhsmcertd_t) - -files_list_tmp(rhsmcertd_t) -files_read_etc_files(rhsmcertd_t) -files_read_usr_files(rhsmcertd_t) - -miscfiles_read_localization(rhsmcertd_t) -miscfiles_read_generic_certs(rhsmcertd_t) - -sysnet_dns_name_resolve(rhsmcertd_t) - -optional_policy(` - rpm_read_db(rhsmcertd_t) -') diff --git a/policy/modules/contrib/ricci.fc b/policy/modules/contrib/ricci.fc deleted file mode 100644 index 7cf119e3..00000000 --- a/policy/modules/contrib/ricci.fc +++ /dev/null @@ -1,18 +0,0 @@ -/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0) - -/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0) -/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) -/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) -/usr/libexec/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0) -/usr/libexec/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0) - -/usr/sbin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0) -/usr/sbin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0) - -/var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0) - -/var/log/clumond\.log.* -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0) - -/var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) -/var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) -/var/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0) diff --git a/policy/modules/contrib/ricci.if b/policy/modules/contrib/ricci.if deleted file mode 100644 index 2ab3ed1d..00000000 --- a/policy/modules/contrib/ricci.if +++ /dev/null @@ -1,222 +0,0 @@ -## <summary>Ricci cluster management agent.</summary> - -######################################## -## <summary> -## Execute a domain transition to run ricci. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ricci_domtrans',` - gen_require(` - type ricci_t, ricci_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_exec_t, ricci_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run ricci modcluster. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ricci_domtrans_modcluster',` - gen_require(` - type ricci_modcluster_t, ricci_modcluster_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t) -') - -######################################## -## <summary> -## Do not audit attempts to use -## ricci modcluster file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`ricci_dontaudit_use_modcluster_fds',` - gen_require(` - type ricci_modcluster_t; - ') - - dontaudit $1 ricci_modcluster_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to read write -## ricci modcluster unamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`ricci_dontaudit_rw_modcluster_pipes',` - gen_require(` - type ricci_modcluster_t; - ') - - dontaudit $1 ricci_modcluster_t:fifo_file { read write }; -') - -######################################## -## <summary> -## Connect to ricci_modclusterd with -## a unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ricci_stream_connect_modclusterd',` - gen_require(` - type ricci_modclusterd_t, ricci_modcluster_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run ricci modlog. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ricci_domtrans_modlog',` - gen_require(` - type ricci_modlog_t, ricci_modlog_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run ricci modrpm. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ricci_domtrans_modrpm',` - gen_require(` - type ricci_modrpm_t, ricci_modrpm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run ricci modservice. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ricci_domtrans_modservice',` - gen_require(` - type ricci_modservice_t, ricci_modservice_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run ricci modstorage. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ricci_domtrans_modstorage',` - gen_require(` - type ricci_modstorage_t, ricci_modstorage_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ricci environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ricci_admin',` - gen_require(` - type ricci_t, ricci_initrc_exec_t, ricci_tmp_t; - type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; - ') - - allow $1 ricci_t:process { ptrace signal_perms }; - ps_process_pattern($1, ricci_t) - - init_labeled_script_domtrans($1, ricci_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ricci_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, ricci_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, ricci_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, ricci_var_log_t) - - files_list_pids($1) - admin_pattern($1, ricci_var_run_t) -') diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te deleted file mode 100644 index 9702ed2b..00000000 --- a/policy/modules/contrib/ricci.te +++ /dev/null @@ -1,531 +0,0 @@ -policy_module(ricci, 1.7.4) - -######################################## -# -# Declarations -# - -type ricci_t; -type ricci_exec_t; -init_daemon_domain(ricci_t, ricci_exec_t) - -type ricci_initrc_exec_t; -init_script_file(ricci_initrc_exec_t) - -type ricci_tmp_t; -files_tmp_file(ricci_tmp_t) - -type ricci_var_lib_t; -files_type(ricci_var_lib_t) - -type ricci_var_log_t; -logging_log_file(ricci_var_log_t) - -type ricci_var_run_t; -files_pid_file(ricci_var_run_t) - -type ricci_modcluster_t; -type ricci_modcluster_exec_t; -domain_type(ricci_modcluster_t) -domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t) -role system_r types ricci_modcluster_t; - -type ricci_modcluster_var_lib_t; -files_type(ricci_modcluster_var_lib_t) - -type ricci_modcluster_var_log_t; -logging_log_file(ricci_modcluster_var_log_t) - -type ricci_modcluster_var_run_t; -files_pid_file(ricci_modcluster_var_run_t) - -type ricci_modclusterd_t; -type ricci_modclusterd_exec_t; -init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) - -type ricci_modclusterd_tmpfs_t; -files_tmpfs_file(ricci_modclusterd_tmpfs_t) - -type ricci_modlog_t; -type ricci_modlog_exec_t; -domain_type(ricci_modlog_t) -domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t) -role system_r types ricci_modlog_t; - -type ricci_modrpm_t; -type ricci_modrpm_exec_t; -domain_type(ricci_modrpm_t) -domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t) -role system_r types ricci_modrpm_t; - -type ricci_modservice_t; -type ricci_modservice_exec_t; -domain_type(ricci_modservice_t) -domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t) -role system_r types ricci_modservice_t; - -type ricci_modstorage_t; -type ricci_modstorage_exec_t; -domain_type(ricci_modstorage_t) -domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t) -role system_r types ricci_modstorage_t; - -type ricci_modstorage_lock_t; -files_lock_file(ricci_modstorage_lock_t) - -######################################## -# -# Local policy -# - -allow ricci_t self:capability { setuid sys_nice sys_boot }; -allow ricci_t self:process setsched; -allow ricci_t self:fifo_file rw_fifo_file_perms; -allow ricci_t self:unix_stream_socket { accept connectto listen }; -allow ricci_t self:tcp_socket { accept listen }; - -domtrans_pattern(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t) -domtrans_pattern(ricci_t, ricci_modlog_exec_t, ricci_modlog_t) -domtrans_pattern(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t) -domtrans_pattern(ricci_t, ricci_modservice_exec_t, ricci_modservice_t) -domtrans_pattern(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t) - -manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) -manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) -files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir }) - -manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) -manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) -manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) -files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file }) - -allow ricci_t ricci_var_log_t:dir setattr_dir_perms; -append_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) -create_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) -setattr_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) -manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) -logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir }) - -manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) -manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) -files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(ricci_t) -kernel_read_system_state(ricci_t) - -corecmd_exec_bin(ricci_t) - -corenet_all_recvfrom_unlabeled(ricci_t) -corenet_all_recvfrom_netlabel(ricci_t) -corenet_tcp_sendrecv_generic_if(ricci_t) -corenet_tcp_sendrecv_generic_node(ricci_t) -corenet_tcp_bind_generic_node(ricci_t) -corenet_udp_bind_generic_node(ricci_t) - -corenet_sendrecv_ricci_server_packets(ricci_t) -corenet_tcp_bind_ricci_port(ricci_t) -corenet_tcp_sendrecv_ricci_port(ricci_t) -corenet_udp_bind_ricci_port(ricci_t) -corenet_udp_sendrecv_ricci_port(ricci_t) - -corenet_sendrecv_http_client_packets(ricci_t) -corenet_tcp_connect_http_port(ricci_t) -corenet_tcp_sendrecv_http_port(ricci_t) - -dev_read_urand(ricci_t) - -domain_read_all_domains_state(ricci_t) - -files_read_etc_files(ricci_t) -files_read_etc_runtime_files(ricci_t) -files_create_boot_flag(ricci_t) - -auth_domtrans_chk_passwd(ricci_t) -auth_append_login_records(ricci_t) - -init_stream_connect_script(ricci_t) - -locallogin_dontaudit_use_fds(ricci_t) - -logging_send_syslog_msg(ricci_t) - -miscfiles_read_localization(ricci_t) - -sysnet_dns_name_resolve(ricci_t) - -optional_policy(` - ccs_read_config(ricci_t) -') - -optional_policy(` - dbus_system_bus_client(ricci_t) - - optional_policy(` - oddjob_dbus_chat(ricci_t) - ') -') - -optional_policy(` - corecmd_bin_entry_type(ricci_t) - term_dontaudit_search_ptys(ricci_t) - init_exec(ricci_t) - - oddjob_system_entry(ricci_t, ricci_exec_t) -') - -optional_policy(` - rpm_use_script_fds(ricci_t) -') - -optional_policy(` - sasl_connect(ricci_t) -') - -optional_policy(` - shutdown_domtrans(ricci_t) -') - -optional_policy(` - unconfined_use_fds(ricci_t) -') - -optional_policy(` - xen_domtrans_xm(ricci_t) -') - -######################################## -# -# Modcluster local policy -# - -allow ricci_modcluster_t self:capability sys_nice; -allow ricci_modcluster_t self:process setsched; -allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms; - -kernel_read_kernel_sysctls(ricci_modcluster_t) -kernel_read_system_state(ricci_modcluster_t) - -corecmd_exec_bin(ricci_modcluster_t) -corecmd_exec_shell(ricci_modcluster_t) - -corenet_all_recvfrom_unlabeled(ricci_modcluster_t) -corenet_all_recvfrom_netlabel(ricci_modcluster_t) -corenet_tcp_sendrecv_generic_if(ricci_modcluster_t) -corenet_tcp_sendrecv_generic_node(ricci_modcluster_t) -corenet_tcp_sendrecv_all_ports(ricci_modcluster_t) -corenet_tcp_bind_generic_node(ricci_modcluster_t) - -corenet_sendrecv_all_server_packets(ricci_modcluster_t) -corenet_tcp_bind_all_rpc_ports(ricci_modcluster_t) - -corenet_tcp_bind_cluster_port(ricci_modcluster_t) -corenet_sendrecv_cluster_client_packets(ricci_modcluster_t) -corenet_tcp_connect_cluster_port(ricci_modcluster_t) - -domain_read_all_domains_state(ricci_modcluster_t) - -files_search_locks(ricci_modcluster_t) -files_read_etc_runtime_files(ricci_modcluster_t) -files_search_usr(ricci_modcluster_t) - -auth_use_nsswitch(ricci_modcluster_t) - -init_exec(ricci_modcluster_t) -init_domtrans_script(ricci_modcluster_t) - -logging_send_syslog_msg(ricci_modcluster_t) - -miscfiles_read_localization(ricci_modcluster_t) - -ricci_stream_connect_modclusterd(ricci_modcluster_t) - -optional_policy(` - aisexec_stream_connect(ricci_modcluster_t) - corosync_stream_connect(ricci_modcluster_t) -') - -optional_policy(` - ccs_stream_connect(ricci_modcluster_t) - ccs_domtrans(ricci_modcluster_t) - ccs_manage_config(ricci_modcluster_t) -') - -optional_policy(` - lvm_domtrans(ricci_modcluster_t) -') - -optional_policy(` - modutils_domtrans_insmod(ricci_modcluster_t) -') - -optional_policy(` - mount_domtrans(ricci_modcluster_t) -') - -optional_policy(` - consoletype_exec(ricci_modcluster_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t) -') - -optional_policy(` - rgmanager_stream_connect(ricci_modcluster_t) -') - -######################################## -# -# Modclusterd local policy -# - -allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config }; -allow ricci_modclusterd_t self:process { signal sigkill setsched }; -allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; -allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; -allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms; -allow ricci_modclusterd_t self:socket create_socket_perms; - -allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; -allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) -manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) -fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file }) - -allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr_dir_perms; -append_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -create_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -setattr_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir }) - -manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) -manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) -files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(ricci_modclusterd_t) -kernel_read_system_state(ricci_modclusterd_t) -kernel_request_load_module(ricci_modclusterd_t) - -corecmd_exec_bin(ricci_modclusterd_t) - -corenet_all_recvfrom_unlabeled(ricci_modclusterd_t) -corenet_all_recvfrom_netlabel(ricci_modclusterd_t) -corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t) -corenet_tcp_sendrecv_generic_node(ricci_modclusterd_t) -corenet_tcp_bind_generic_node(ricci_modclusterd_t) - -corenet_sendrecv_ricci_modcluster_server_packets(ricci_modclusterd_t) -corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t) -corenet_sendrecv_ricci_modcluster_client_packets(ricci_modclusterd_t) -corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) -corenet_tcp_sendrecv_ricci_modcluster_port(ricci_modclusterd_t) - -domain_read_all_domains_state(ricci_modclusterd_t) - -files_read_etc_runtime_files(ricci_modclusterd_t) - -fs_getattr_xattr_fs(ricci_modclusterd_t) - -auth_use_nsswitch(ricci_modclusterd_t) - -init_stream_connect_script(ricci_modclusterd_t) - -locallogin_dontaudit_use_fds(ricci_modclusterd_t) - -logging_send_syslog_msg(ricci_modclusterd_t) - -miscfiles_read_localization(ricci_modclusterd_t) - -sysnet_domtrans_ifconfig(ricci_modclusterd_t) - -optional_policy(` - aisexec_stream_connect(ricci_modclusterd_t) - corosync_stream_connect(ricci_modclusterd_t) -') - -optional_policy(` - ccs_domtrans(ricci_modclusterd_t) - ccs_stream_connect(ricci_modclusterd_t) - ccs_read_config(ricci_modclusterd_t) -') - -optional_policy(` - rgmanager_stream_connect(ricci_modclusterd_t) -') - -optional_policy(` - unconfined_use_fds(ricci_modclusterd_t) -') - -######################################## -# -# Modlog local policy -# - -allow ricci_modlog_t self:capability sys_nice; -allow ricci_modlog_t self:process setsched; - -kernel_read_kernel_sysctls(ricci_modlog_t) -kernel_read_system_state(ricci_modlog_t) - -corecmd_exec_bin(ricci_modlog_t) - -domain_read_all_domains_state(ricci_modlog_t) - -files_read_etc_files(ricci_modlog_t) -files_search_usr(ricci_modlog_t) - -logging_read_generic_logs(ricci_modlog_t) - -miscfiles_read_localization(ricci_modlog_t) - -optional_policy(` - nscd_dontaudit_search_pid(ricci_modlog_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t) -') - -######################################## -# -# Modrpm local policy -# - -allow ricci_modrpm_t self:fifo_file read_fifo_file_perms; - -kernel_read_kernel_sysctls(ricci_modrpm_t) - -corecmd_exec_bin(ricci_modrpm_t) - -files_search_usr(ricci_modrpm_t) -files_read_etc_files(ricci_modrpm_t) - -miscfiles_read_localization(ricci_modrpm_t) - -optional_policy(` - oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) -') - -optional_policy(` - rpm_domtrans(ricci_modrpm_t) -') - -######################################## -# -# Modservice local policy -# - -allow ricci_modservice_t self:capability { dac_override sys_nice }; -allow ricci_modservice_t self:process setsched; -allow ricci_modservice_t self:fifo_file rw_fifo_file_perms; - -kernel_read_kernel_sysctls(ricci_modservice_t) -kernel_read_system_state(ricci_modservice_t) - -corecmd_exec_bin(ricci_modservice_t) -corecmd_exec_shell(ricci_modservice_t) - -files_read_etc_files(ricci_modservice_t) -files_read_etc_runtime_files(ricci_modservice_t) -files_search_usr(ricci_modservice_t) -files_manage_etc_symlinks(ricci_modservice_t) - -init_domtrans_script(ricci_modservice_t) - -miscfiles_read_localization(ricci_modservice_t) - -optional_policy(` - ccs_read_config(ricci_modservice_t) -') - -optional_policy(` - consoletype_exec(ricci_modservice_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(ricci_modservice_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t) -') - -######################################## -# -# Modstorage local policy -# - -allow ricci_modstorage_t self:capability { mknod sys_nice }; -allow ricci_modstorage_t self:process { setsched signal }; -dontaudit ricci_modstorage_t self:process ptrace; -allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; - -kernel_read_kernel_sysctls(ricci_modstorage_t) -kernel_read_system_state(ricci_modstorage_t) - -create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t) -files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file) - -corecmd_exec_bin(ricci_modstorage_t) -corecmd_exec_shell(ricci_modstorage_t) - -dev_read_sysfs(ricci_modstorage_t) -dev_read_urand(ricci_modstorage_t) -dev_manage_generic_blk_files(ricci_modstorage_t) - -domain_read_all_domains_state(ricci_modstorage_t) - -files_manage_etc_files(ricci_modstorage_t) -files_read_etc_runtime_files(ricci_modstorage_t) -files_read_usr_files(ricci_modstorage_t) -files_read_kernel_modules(ricci_modstorage_t) - -storage_raw_read_fixed_disk(ricci_modstorage_t) - -term_dontaudit_use_console(ricci_modstorage_t) - -logging_send_syslog_msg(ricci_modstorage_t) - -miscfiles_read_localization(ricci_modstorage_t) - -optional_policy(` - aisexec_stream_connect(ricci_modstorage_t) - corosync_stream_connect(ricci_modstorage_t) -') - -optional_policy(` - ccs_stream_connect(ricci_modstorage_t) - ccs_read_config(ricci_modstorage_t) -') - -optional_policy(` - consoletype_exec(ricci_modstorage_t) -') - -optional_policy(` - fstools_domtrans(ricci_modstorage_t) -') - -optional_policy(` - lvm_domtrans(ricci_modstorage_t) - lvm_manage_config(ricci_modstorage_t) -') - -optional_policy(` - modutils_read_module_deps(ricci_modstorage_t) -') - -optional_policy(` - mount_domtrans(ricci_modstorage_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t) -') - -optional_policy(` - raid_domtrans_mdadm(ricci_modstorage_t) -') diff --git a/policy/modules/contrib/rlogin.fc b/policy/modules/contrib/rlogin.fc deleted file mode 100644 index f1118772..00000000 --- a/policy/modules/contrib/rlogin.fc +++ /dev/null @@ -1,8 +0,0 @@ -HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) -HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) - -/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) - -/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0) - -/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --git a/policy/modules/contrib/rlogin.if b/policy/modules/contrib/rlogin.if deleted file mode 100644 index 050479de..00000000 --- a/policy/modules/contrib/rlogin.if +++ /dev/null @@ -1,150 +0,0 @@ -## <summary>Remote login daemon.</summary> - -######################################## -## <summary> -## Execute rlogind in the rlogin domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rlogin_domtrans',` - gen_require(` - type rlogind_t, rlogind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rlogind_exec_t, rlogind_t) -') - -######################################## -## <summary> -## Read rlogin user home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -template(`rlogin_read_home_content',` - gen_require(` - type rlogind_home_t; - ') - - userdom_search_user_home_dirs($1) - list_dirs_pattern($1, rlogind_home_t, rlogind_home_t) - read_files_pattern($1, rlogind_home_t, rlogind_home_t) - read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rlogind home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rlogin_manage_rlogind_home_files',` - gen_require(` - type rlogind_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 rlogind_home_t:file manage_file_perms; -') - -######################################## -## <summary> -## Relabel rlogind home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rlogin_relabel_rlogind_home_files',` - gen_require(` - type rlogind_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 rlogind_home_t:file relabel_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the rlogind home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`rlogin_home_filetrans_logind_home',` - gen_require(` - type rlogind_home_t; - ') - - userdom_user_home_dir_filetrans($1, rlogind_home_t, $2, $3) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rlogind temporary content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rlogin_manage_rlogind_tmp_content',` - gen_require(` - type rlogind_tmp_t; - ') - - files_search_tmp($1) - allow $1 rlogind_tmp_t:dir manage_dir_perms; - allow $1 rlogind_tmp_t:file manage_file_perms; -') - -######################################## -## <summary> -## Relabel rlogind temporary content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rlogin_relabel_rlogind_tmp_content',` - gen_require(` - type rlogind_tmp_t; - ') - - files_search_tmp($1) - allow $1 rlogind_tmp_t:dir relabel_dir_perms; - allow $1 rlogind_tmp_t:file relabel_file_perms; -') diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te deleted file mode 100644 index d34cdec1..00000000 --- a/policy/modules/contrib/rlogin.te +++ /dev/null @@ -1,113 +0,0 @@ -policy_module(rlogin, 1.10.1) - -######################################## -# -# Declarations -# - -type rlogind_t; -type rlogind_exec_t; -auth_login_pgm_domain(rlogind_t) -inetd_service_domain(rlogind_t, rlogind_exec_t) - -type rlogind_devpts_t; -term_login_pty(rlogind_devpts_t) - -type rlogind_home_t; -userdom_user_home_content(rlogind_home_t) - -type rlogind_tmp_t; -files_tmp_file(rlogind_tmp_t) - -type rlogind_var_run_t; -files_pid_file(rlogind_var_run_t) - -######################################## -# -# Local policy -# - -allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; -allow rlogind_t self:process signal_perms; -allow rlogind_t self:fifo_file rw_fifo_file_perms; -allow rlogind_t self:tcp_socket { accept listen }; - -allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -term_create_pty(rlogind_t, rlogind_devpts_t) - -allow rlogind_t rlogind_home_t:file read_file_perms; - -manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) -manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) -files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file }) - -manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) -files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) - -can_exec(rlogind_t, rlogind_exec_t) - -kernel_read_kernel_sysctls(rlogind_t) -kernel_read_system_state(rlogind_t) -kernel_read_network_state(rlogind_t) - -corenet_all_recvfrom_unlabeled(rlogind_t) -corenet_all_recvfrom_netlabel(rlogind_t) -corenet_tcp_sendrecv_generic_if(rlogind_t) -corenet_udp_sendrecv_generic_if(rlogind_t) -corenet_tcp_sendrecv_generic_node(rlogind_t) -corenet_udp_sendrecv_generic_node(rlogind_t) -corenet_tcp_sendrecv_all_ports(rlogind_t) -corenet_udp_sendrecv_all_ports(rlogind_t) - -dev_read_urand(rlogind_t) - -domain_interactive_fd(rlogind_t) - -fs_getattr_all_fs(rlogind_t) -fs_search_auto_mountpoints(rlogind_t) - -auth_domtrans_chk_passwd(rlogind_t) -auth_rw_login_records(rlogind_t) -auth_use_nsswitch(rlogind_t) - -files_read_etc_runtime_files(rlogind_t) -files_search_default(rlogind_t) - -init_rw_utmp(rlogind_t) - -logging_send_syslog_msg(rlogind_t) - -miscfiles_read_localization(rlogind_t) - -seutil_read_config(rlogind_t) - -userdom_search_user_home_dirs(rlogind_t) -userdom_setattr_user_ptys(rlogind_t) -userdom_use_user_terminals(rlogind_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(rlogind_t) - fs_read_nfs_files(rlogind_t) - fs_read_nfs_symlinks(rlogind_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(rlogind_t) - fs_read_cifs_files(rlogind_t) - fs_read_cifs_symlinks(rlogind_t) -') - -optional_policy(` - kerberos_keytab_template(rlogind, rlogind_t) - kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0") - kerberos_manage_host_rcache(rlogind_t) -') - -optional_policy(` - remotelogin_domtrans(rlogind_t) - remotelogin_signal(rlogind_t) -') - -optional_policy(` - tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) -') diff --git a/policy/modules/contrib/rngd.fc b/policy/modules/contrib/rngd.fc deleted file mode 100644 index 5dd779e1..00000000 --- a/policy/modules/contrib/rngd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) - -/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) diff --git a/policy/modules/contrib/rngd.if b/policy/modules/contrib/rngd.if deleted file mode 100644 index 0e759a26..00000000 --- a/policy/modules/contrib/rngd.if +++ /dev/null @@ -1,32 +0,0 @@ -## <summary>Check and feed random data from hardware device to kernel random device.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an rng environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rngd_admin',` - gen_require(` - type rngd_t, rngd_initrc_exec_t; - ') - - allow $1 rngd_t:process { ptrace signal_perms }; - ps_process_pattern($1, rngd_t) - - init_labeled_script_domtrans($1, rngd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rngd_initrc_exec_t system_r; - allow $2 system_r; -') diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te deleted file mode 100644 index 35c1427a..00000000 --- a/policy/modules/contrib/rngd.te +++ /dev/null @@ -1,36 +0,0 @@ -policy_module(rngd, 1.0.2) - -######################################## -# -# Declarations -# - -type rngd_t; -type rngd_exec_t; -init_daemon_domain(rngd_t, rngd_exec_t) - -type rngd_initrc_exec_t; -init_script_file(rngd_initrc_exec_t) - -######################################## -# -# Local policy -# - -allow rngd_t self:capability sys_admin; -allow rngd_t self:process signal; -allow rngd_t self:fifo_file rw_fifo_file_perms; -allow rngd_t self:unix_stream_socket { accept listen }; - -kernel_rw_kernel_sysctl(rngd_t) - -dev_read_rand(rngd_t) -dev_read_urand(rngd_t) -dev_rw_tpm(rngd_t) -dev_write_rand(rngd_t) - -files_read_etc_files(rngd_t) - -logging_send_syslog_msg(rngd_t) - -miscfiles_read_localization(rngd_t) diff --git a/policy/modules/contrib/roundup.fc b/policy/modules/contrib/roundup.fc deleted file mode 100644 index 6f05cd06..00000000 --- a/policy/modules/contrib/roundup.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0) - -/usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0) - -/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0) diff --git a/policy/modules/contrib/roundup.if b/policy/modules/contrib/roundup.if deleted file mode 100644 index 975bb6a4..00000000 --- a/policy/modules/contrib/roundup.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Roundup Issue Tracking System.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an roundup environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`roundup_admin',` - gen_require(` - type roundup_t, roundup_var_lib_t, roundup_var_run_t; - type roundup_initrc_exec_t; - ') - - allow $1 roundup_t:process { ptrace signal_perms }; - ps_process_pattern($1, roundup_t) - - init_labeled_script_domtrans($1, roundup_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 roundup_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, roundup_var_lib_t) - - files_list_pids($1) - admin_pattern($1, roundup_var_run_t) -') diff --git a/policy/modules/contrib/roundup.te b/policy/modules/contrib/roundup.te deleted file mode 100644 index 353960ce..00000000 --- a/policy/modules/contrib/roundup.te +++ /dev/null @@ -1,89 +0,0 @@ -policy_module(roundup, 1.7.1) - -######################################## -# -# Declarations -# - -type roundup_t; -type roundup_exec_t; -init_daemon_domain(roundup_t, roundup_exec_t) - -type roundup_initrc_exec_t; -init_script_file(roundup_initrc_exec_t) - -type roundup_var_run_t; -files_pid_file(roundup_var_run_t) - -type roundup_var_lib_t; -files_type(roundup_var_lib_t) - -######################################## -# -# Local policy -# - -allow roundup_t self:capability { setgid setuid }; -dontaudit roundup_t self:capability sys_tty_config; -allow roundup_t self:process signal_perms; -allow roundup_t self:unix_stream_socket { accept listen }; -allow roundup_t self:tcp_socket { accept listen }; - -manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t) -files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file) - -manage_files_pattern(roundup_t, roundup_var_run_t, roundup_var_run_t) -files_pid_filetrans(roundup_t, roundup_var_run_t, file) - -kernel_read_kernel_sysctls(roundup_t) -kernel_list_proc(roundup_t) -kernel_read_proc_symlinks(roundup_t) - -corecmd_exec_bin(roundup_t) - -corenet_all_recvfrom_unlabeled(roundup_t) -corenet_all_recvfrom_netlabel(roundup_t) -corenet_tcp_sendrecv_generic_if(roundup_t) -corenet_tcp_sendrecv_generic_node(roundup_t) -corenet_tcp_bind_generic_node(roundup_t) - -corenet_sendrecv_http_cache_server_packets(roundup_t) -corenet_tcp_bind_http_cache_port(roundup_t) -corenet_tcp_sendrecv_http_cache_port(roundup_t) - -corenet_sendrecv_smtp_client_packets(roundup_t) -corenet_tcp_connect_smtp_port(roundup_t) -corenet_tcp_sendrecv_smtp_port(roundup_t) - -dev_read_sysfs(roundup_t) -dev_read_urand(roundup_t) - -domain_use_interactive_fds(roundup_t) - -files_read_etc_files(roundup_t) -files_read_usr_files(roundup_t) - -fs_getattr_all_fs(roundup_t) -fs_search_auto_mountpoints(roundup_t) - -logging_send_syslog_msg(roundup_t) - -miscfiles_read_localization(roundup_t) - -sysnet_dns_name_resolve(roundup_t) - -userdom_dontaudit_use_unpriv_user_fds(roundup_t) -userdom_dontaudit_search_user_home_dirs(roundup_t) - -optional_policy(` - mysql_stream_connect(roundup_t) - mysql_tcp_connect(roundup_t) -') - -optional_policy(` - seutil_sigchld_newrole(roundup_t) -') - -optional_policy(` - udev_read_db(roundup_t) -') diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc deleted file mode 100644 index a6fb30cb..00000000 --- a/policy/modules/contrib/rpc.fc +++ /dev/null @@ -1,22 +0,0 @@ -/etc/exports -- gen_context(system_u:object_r:exports_t,s0) - -/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - -/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - -/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) -/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) -/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - -/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) - -/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) -/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if deleted file mode 100644 index 07f5eb0e..00000000 --- a/policy/modules/contrib/rpc.if +++ /dev/null @@ -1,424 +0,0 @@ -## <summary>Remote Procedure Call Daemon.</summary> - -######################################## -## <summary> -## RPC stub interface. No access allowed. -## </summary> -## <param name="domain" unused="true"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpc_stub',` - gen_require(` - type exports_t; - ') -') - -####################################### -## <summary> -## The template to define a rpc domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`rpc_domain_template',` - gen_require(` - attribute rpc_domain; - ') - - ######################################## - # - # Declarations - # - - type $1_t, rpc_domain; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - - domain_use_interactive_fds($1_t) - - ######################################## - # - # Policy - # - - auth_use_nsswitch($1_t) -') - -######################################## -## <summary> -## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpc_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Do not audit attempts to get -## attributes of export files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`rpc_dontaudit_getattr_exports',` - gen_require(` - type exports_t; - ') - - dontaudit $1 exports_t:file getattr; -') - -######################################## -## <summary> -## Read export files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpc_read_exports',` - gen_require(` - type exports_t; - ') - - allow $1 exports_t:file read_file_perms; -') - -######################################## -## <summary> -## Write export files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpc_write_exports',` - gen_require(` - type exports_t; - ') - - allow $1 exports_t:file write; -') - -######################################## -## <summary> -## Execute nfsd in the nfsd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpc_domtrans_nfsd',` - gen_require(` - type nfsd_t, nfsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nfsd_exec_t, nfsd_t) -') - -####################################### -## <summary> -## Execute nfsd init scripts in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpc_initrc_domtrans_nfsd',` - gen_require(` - type nfsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nfsd_initrc_exec_t) -') - -######################################## -## <summary> -## Execute rpcd in the rpcd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpc_domtrans_rpcd',` - gen_require(` - type rpcd_t, rpcd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rpcd_exec_t, rpcd_t) -') - -####################################### -## <summary> -## Execute rpcd init scripts in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpc_initrc_domtrans_rpcd',` - gen_require(` - type rpcd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, rpcd_initrc_exec_t) -') - -######################################## -## <summary> -## Read nfs exported content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rpc_read_nfs_content',` - gen_require(` - type nfsd_ro_t, nfsd_rw_t; - ') - - allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## nfs exported read write content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rpc_manage_nfs_rw_content',` - gen_require(` - type nfsd_rw_t; - ') - - manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t) - manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t) - manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## nfs exported read only content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rpc_manage_nfs_ro_content',` - gen_require(` - type nfsd_ro_t; - ') - - manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t) - manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t) - manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t) -') - -######################################## -## <summary> -## Read and write to nfsd tcp sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpc_tcp_rw_nfs_sockets',` - gen_require(` - type nfsd_t; - ') - - allow $1 nfsd_t:tcp_socket rw_socket_perms; -') - -######################################## -## <summary> -## Read and write to nfsd udp sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpc_udp_rw_nfs_sockets',` - gen_require(` - type nfsd_t; - ') - - allow $1 nfsd_t:udp_socket rw_socket_perms; -') - -######################################## -## <summary> -## Send UDP traffic to NFSd. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpc_udp_send_nfs',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Search nfs lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpc_search_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; -') - -######################################## -## <summary> -## Read nfs lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpc_read_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## nfs lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpc_manage_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) - - ifdef(`distro_gentoo',` - rw_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t) - ') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an rpc environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rpc_admin',` - gen_require(` - attribute rpc_domain; - type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; - type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; - type nfsd_ro_t, nfsd_rw_t; - ') - - allow $1 rpc_domain:process { ptrace signal_perms }; - ps_process_pattern($1, rpc_domain) - - init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, exports_t) - - files_list_var_lib($1) - admin_pattern($1, var_lib_nfs_t) - - files_list_pids($1) - admin_pattern($1, rpcd_var_run_t) - - files_list_all($1) - admin_pattern($1, { nfsd_ro_t nfsd_rw_t }) - - files_list_tmp($1) - admin_pattern($1, gssd_tmp_t) - - fs_search_nfsd_fs($1) -') diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te deleted file mode 100644 index 9abcbc84..00000000 --- a/policy/modules/contrib/rpc.te +++ /dev/null @@ -1,327 +0,0 @@ -policy_module(rpc, 1.14.6) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether gssd can read -## generic user temporary content. -## </p> -## </desc> -gen_tunable(allow_gssd_read_tmp, false) - -## <desc> -## <p> -## Determine whether nfs can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -## </p> -## </desc> -gen_tunable(allow_nfsd_anon_write, false) - -attribute rpc_domain; - -type exports_t; -files_config_file(exports_t) - -rpc_domain_template(gssd) - -type gssd_tmp_t; -files_tmp_file(gssd_tmp_t) - -type rpcd_var_run_t; -files_pid_file(rpcd_var_run_t) - -rpc_domain_template(rpcd) - -type rpcd_initrc_exec_t; -init_script_file(rpcd_initrc_exec_t) - -rpc_domain_template(nfsd) - -type nfsd_initrc_exec_t; -init_script_file(nfsd_initrc_exec_t) - -type nfsd_rw_t; -files_type(nfsd_rw_t) - -type nfsd_ro_t; -files_type(nfsd_ro_t) - -type var_lib_nfs_t; -files_mountpoint(var_lib_nfs_t) - -######################################## -# -# Common rpc domain local policy -# - -dontaudit rpc_domain self:capability { net_admin sys_tty_config }; -allow rpc_domain self:process signal_perms; -allow rpc_domain self:unix_stream_socket { accept listen }; -allow rpc_domain self:tcp_socket { accept listen }; - -manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) -manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) - -kernel_read_system_state(rpc_domain) -kernel_read_kernel_sysctls(rpc_domain) -kernel_rw_rpc_sysctls(rpc_domain) - -dev_read_sysfs(rpc_domain) -dev_read_urand(rpc_domain) -dev_read_rand(rpc_domain) - -corenet_all_recvfrom_unlabeled(rpc_domain) -corenet_all_recvfrom_netlabel(rpc_domain) -corenet_tcp_sendrecv_generic_if(rpc_domain) -corenet_udp_sendrecv_generic_if(rpc_domain) -corenet_tcp_sendrecv_generic_node(rpc_domain) -corenet_udp_sendrecv_generic_node(rpc_domain) -corenet_tcp_sendrecv_all_ports(rpc_domain) -corenet_udp_sendrecv_all_ports(rpc_domain) -corenet_tcp_bind_generic_node(rpc_domain) -corenet_udp_bind_generic_node(rpc_domain) - -corenet_sendrecv_all_server_packets(rpc_domain) -corenet_tcp_bind_reserved_port(rpc_domain) -corenet_tcp_connect_all_ports(rpc_domain) -corenet_sendrecv_portmap_client_packets(rpc_domain) -corenet_dontaudit_tcp_bind_all_ports(rpc_domain) -corenet_dontaudit_udp_bind_all_ports(rpc_domain) -corenet_tcp_bind_generic_port(rpc_domain) -corenet_udp_bind_generic_port(rpc_domain) -corenet_tcp_bind_all_rpc_ports(rpc_domain) -corenet_udp_bind_all_rpc_ports(rpc_domain) - -fs_rw_rpc_named_pipes(rpc_domain) -fs_search_auto_mountpoints(rpc_domain) - -files_read_etc_runtime_files(rpc_domain) -files_read_usr_files(rpc_domain) -files_list_home(rpc_domain) - -logging_send_syslog_msg(rpc_domain) - -miscfiles_read_localization(rpc_domain) - -userdom_dontaudit_use_unpriv_user_fds(rpc_domain) - -optional_policy(` - rpcbind_stream_connect(rpc_domain) -') - -optional_policy(` - seutil_sigchld_newrole(rpc_domain) -') - -optional_policy(` - udev_read_db(rpc_domain) -') - -######################################## -# -# Local policy -# - -allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; -allow rpcd_t self:capability2 block_suspend; -allow rpcd_t self:process { getcap setcap }; -allow rpcd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) -manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) -files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) - -can_exec(rpcd_t, rpcd_exec_t) - -kernel_read_network_state(rpcd_t) -kernel_read_sysctl(rpcd_t) -kernel_rw_fs_sysctls(rpcd_t) -kernel_dontaudit_getattr_core_if(rpcd_t) -kernel_signal(rpcd_t) - -corecmd_exec_bin(rpcd_t) - -files_manage_mounttab(rpcd_t) -files_getattr_all_dirs(rpcd_t) - -fs_list_rpc(rpcd_t) -fs_read_rpc_files(rpcd_t) -fs_read_rpc_symlinks(rpcd_t) -fs_rw_rpc_sockets(rpcd_t) -fs_get_all_fs_quotas(rpcd_t) -fs_set_xattr_fs_quotas(rpcd_t) -fs_getattr_all_fs(rpcd_t) - -storage_getattr_fixed_disk_dev(rpcd_t) - -selinux_dontaudit_read_fs(rpcd_t) - -miscfiles_read_generic_certs(rpcd_t) - -seutil_dontaudit_search_config(rpcd_t) - -userdom_signal_all_users(rpcd_t) - -optional_policy(` - automount_signal(rpcd_t) - automount_dontaudit_write_pipes(rpcd_t) -') - -optional_policy(` - nis_read_ypserv_config(rpcd_t) -') - -optional_policy(` - quota_manage_db_files(rpcd_t) -') - -optional_policy(` - rgmanager_manage_tmp_files(rpcd_t) -') - -optional_policy(` - unconfined_signal(rpcd_t) -') - -######################################## -# -# NFSD local policy -# - -allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; - -allow nfsd_t exports_t:file read_file_perms; -allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; - -kernel_read_network_state(nfsd_t) -kernel_dontaudit_getattr_core_if(nfsd_t) -kernel_setsched(nfsd_t) -kernel_request_load_module(nfsd_t) -# kernel_mounton_proc(nfsd_t) - -corenet_sendrecv_nfs_server_packets(nfsd_t) -corenet_tcp_bind_nfs_port(nfsd_t) -corenet_udp_bind_nfs_port(nfsd_t) - -corecmd_exec_shell(nfsd_t) - -dev_dontaudit_getattr_all_blk_files(nfsd_t) -dev_dontaudit_getattr_all_chr_files(nfsd_t) -dev_rw_lvm_control(nfsd_t) - -files_getattr_tmp_dirs(nfsd_t) -files_manage_mounttab(nfsd_t) - -fs_mount_nfsd_fs(nfsd_t) -fs_getattr_all_fs(nfsd_t) -fs_getattr_all_dirs(nfsd_t) -fs_rw_nfsd_fs(nfsd_t) -# fs_manage_nfsd_fs(nfsd_t) - -storage_dontaudit_read_fixed_disk(nfsd_t) -storage_raw_read_removable_device(nfsd_t) - -miscfiles_read_public_files(nfsd_t) - -ifdef(`distro_gentoo',` - allow nfsd_t self:udp_socket listen; -') - -tunable_policy(`allow_nfsd_anon_write',` - miscfiles_manage_public_files(nfsd_t) -') - -tunable_policy(`nfs_export_all_rw',` - dev_getattr_all_blk_files(nfsd_t) - dev_getattr_all_chr_files(nfsd_t) - - fs_read_noxattr_fs_files(nfsd_t) - files_manage_non_auth_files(nfsd_t) -') - -tunable_policy(`nfs_export_all_ro',` - dev_getattr_all_blk_files(nfsd_t) - dev_getattr_all_chr_files(nfsd_t) - - files_getattr_all_pipes(nfsd_t) - files_getattr_all_sockets(nfsd_t) - - fs_read_noxattr_fs_files(nfsd_t) - - files_list_non_auth_dirs(nfsd_t) - files_read_non_auth_files(nfsd_t) -') - -optional_policy(` - mount_exec(nfsd_t) -') - -######################################## -# -# GSSD local policy -# - -allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; -allow gssd_t self:process { getsched setsched }; -allow gssd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) - -kernel_read_network_state(gssd_t) -kernel_read_network_state_symlinks(gssd_t) -kernel_request_load_module(gssd_t) -kernel_search_network_sysctl(gssd_t) -kernel_signal(gssd_t) - -corecmd_exec_bin(gssd_t) - -fs_list_inotifyfs(gssd_t) -fs_list_rpc(gssd_t) -fs_rw_rpc_sockets(gssd_t) -fs_read_rpc_files(gssd_t) -fs_read_nfs_files(gssd_t) - -files_list_tmp(gssd_t) -files_dontaudit_write_var_dirs(gssd_t) - -auth_manage_cache(gssd_t) - -miscfiles_read_generic_certs(gssd_t) - -userdom_signal_all_users(gssd_t) - -tunable_policy(`allow_gssd_read_tmp',` - userdom_list_user_tmp(gssd_t) - userdom_read_user_tmp_files(gssd_t) - userdom_read_user_tmp_symlinks(gssd_t) -') - -optional_policy(` - automount_signal(gssd_t) -') - -optional_policy(` - kerberos_keytab_template(gssd, gssd_t) - kerberos_manage_host_rcache(gssd_t) - kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") -') - -optional_policy(` - mount_signal(gssd_t) -') - -optional_policy(` - pcscd_read_pid_files(gssd_t) -') - -optional_policy(` - xserver_rw_xdm_tmp_files(gssd_t) -') diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc deleted file mode 100644 index d31220e0..00000000 --- a/policy/modules/contrib/rpcbind.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) - -/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) - -/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) - -/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) - -/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) - -/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) -/var/run/rpcbind.* gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if deleted file mode 100644 index 3b5e9eed..00000000 --- a/policy/modules/contrib/rpcbind.if +++ /dev/null @@ -1,173 +0,0 @@ -## <summary>Universal Addresses to RPC Program Number Mapper.</summary> - -######################################## -## <summary> -## Execute a domain transition to run rpcbind. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpcbind_domtrans',` - gen_require(` - type rpcbind_t, rpcbind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rpcbind_exec_t, rpcbind_t) -') - -######################################## -## <summary> -## Connect to rpcbindd with a -## unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpcbind_stream_connect',` - gen_require(` - type rpcbind_t, rpcbind_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t) -') - -######################################## -## <summary> -## Read rpcbind pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpcbind_read_pid_files',` - gen_require(` - type rpcbind_var_run_t; - ') - - files_search_pids($1) - allow $1 rpcbind_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Search rpcbind lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpcbind_search_lib',` - gen_require(` - type rpcbind_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 rpcbind_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read rpcbind lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpcbind_read_lib_files',` - gen_require(` - type rpcbind_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpcbind lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpcbind_manage_lib_files',` - gen_require(` - type rpcbind_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) -') - -######################################## -## <summary> -## Send null signals to rpcbind. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpcbind_signull',` - gen_require(` - type rpcbind_t; - ') - - allow $1 rpcbind_t:process signull; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an rpcbind environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rpcbind_admin',` - gen_require(` - type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t; - type rpcbind_initrc_exec_t; - ') - - allow $1 rpcbind_t:process { ptrace signal_perms }; - ps_process_pattern($1, rpcbind_t) - - init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpcbind_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, rpcbind_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, rpcbind_var_lib_t) -') diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te deleted file mode 100644 index c49828cd..00000000 --- a/policy/modules/contrib/rpcbind.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(rpcbind, 1.5.4) - -######################################## -# -# Declarations -# - -type rpcbind_t; -type rpcbind_exec_t; -init_daemon_domain(rpcbind_t, rpcbind_exec_t) - -type rpcbind_initrc_exec_t; -init_script_file(rpcbind_initrc_exec_t) - -type rpcbind_var_run_t; -files_pid_file(rpcbind_var_run_t) -init_daemon_run_dir(rpcbind_var_run_t, "rpcbind") - -type rpcbind_var_lib_t; -files_type(rpcbind_var_lib_t) - -######################################## -# -# Local policy -# - -allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; -allow rpcbind_t self:fifo_file rw_fifo_file_perms; -allow rpcbind_t self:unix_stream_socket { accept listen }; -allow rpcbind_t self:tcp_socket { accept listen }; - -manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) -manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) -files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file }) - -manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) -manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) -manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) -files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file }) - -kernel_read_system_state(rpcbind_t) -kernel_read_network_state(rpcbind_t) -kernel_request_load_module(rpcbind_t) - -corenet_all_recvfrom_unlabeled(rpcbind_t) -corenet_all_recvfrom_netlabel(rpcbind_t) -corenet_tcp_sendrecv_generic_if(rpcbind_t) -corenet_udp_sendrecv_generic_if(rpcbind_t) -corenet_tcp_sendrecv_generic_node(rpcbind_t) -corenet_udp_sendrecv_generic_node(rpcbind_t) -corenet_tcp_sendrecv_all_ports(rpcbind_t) -corenet_udp_sendrecv_all_ports(rpcbind_t) -corenet_tcp_bind_generic_node(rpcbind_t) -corenet_udp_bind_generic_node(rpcbind_t) - -corenet_sendrecv_all_server_packets(rpcbind_t) -corenet_tcp_bind_portmap_port(rpcbind_t) -corenet_udp_bind_portmap_port(rpcbind_t) -corenet_udp_bind_all_rpc_ports(rpcbind_t) - -corecmd_exec_shell(rpcbind_t) - -domain_use_interactive_fds(rpcbind_t) - -files_read_etc_files(rpcbind_t) -files_read_etc_runtime_files(rpcbind_t) - -logging_send_syslog_msg(rpcbind_t) - -miscfiles_read_localization(rpcbind_t) - -sysnet_dns_name_resolve(rpcbind_t) - -optional_policy(` - nis_use_ypbind(rpcbind_t) -') diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc deleted file mode 100644 index ebe91fc7..00000000 --- a/policy/modules/contrib/rpm.fc +++ /dev/null @@ -1,61 +0,0 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) - -/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) -/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) - -ifdef(`distro_redhat',` -/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) -/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -') - -/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - -/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - -/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0) - -/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) -/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) - -/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - -/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) -/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) - -ifdef(`enable_mls',` -/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) -') diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if deleted file mode 100644 index 0628d50d..00000000 --- a/policy/modules/contrib/rpm.if +++ /dev/null @@ -1,666 +0,0 @@ -## <summary>Redhat package manager.</summary> - -######################################## -## <summary> -## Execute rpm in the rpm domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpm_domtrans',` - gen_require(` - type rpm_t, rpm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rpm_exec_t, rpm_t) -') - -######################################## -## <summary> -## Execute debuginfo install -## in the rpm domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpm_debuginfo_domtrans',` - gen_require(` - type rpm_t, debuginfo_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, debuginfo_exec_t, rpm_t) -') - -######################################## -## <summary> -## Execute rpm scripts in the rpm script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpm_domtrans_script',` - gen_require(` - type rpm_script_t; - ') - - corecmd_shell_domtrans($1, rpm_script_t) - - allow rpm_script_t $1:fd use; - allow rpm_script_t $1:fifo_file rw_fifo_file_perms; - allow rpm_script_t $1:process sigchld; -') - -######################################## -## <summary> -## Execute rpm in the rpm domain, -## and allow the specified roles the -## rpm domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rpm_run',` - gen_require(` - attribute_role rpm_roles; - ') - - rpm_domtrans($1) - roleattribute $2 rpm_roles; -') - -######################################## -## <summary> -## Execute the rpm in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_exec',` - gen_require(` - type rpm_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rpm_exec_t) -') - -######################################## -## <summary> -## Send null signals to rpm. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_signull',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:process signull; -') - -######################################## -## <summary> -## Inherit and use file descriptors from rpm. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_use_fds',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fd use; -') - -######################################## -## <summary> -## Read rpm unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_read_pipes',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fifo_file read_fifo_file_perms; -') - -######################################## -## <summary> -## Read and write rpm unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_rw_pipes',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Send and receive messages from -## rpm over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_dbus_chat',` - gen_require(` - type rpm_t; - class dbus send_msg; - ') - - allow $1 rpm_t:dbus send_msg; - allow rpm_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Do not audit attempts to send and -## receive messages from rpm over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`rpm_dontaudit_dbus_chat',` - gen_require(` - type rpm_t; - class dbus send_msg; - ') - - dontaudit $1 rpm_t:dbus send_msg; - dontaudit rpm_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Send and receive messages from -## rpm script over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_script_dbus_chat',` - gen_require(` - type rpm_script_t; - class dbus send_msg; - ') - - allow $1 rpm_script_t:dbus send_msg; - allow rpm_script_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Search rpm log directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_search_log',` - gen_require(` - type rpm_log_t; - ') - - logging_search_logs($1) - allow $1 rpm_log_t:dir search_dir_perms; -') - -##################################### -## <summary> -## Append rpm log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_append_log',` - gen_require(` - type rpm_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpm log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_log',` - gen_require(` - type rpm_log_t; - ') - - logging_rw_generic_log_dirs($1) - allow $1 rpm_log_t:file manage_file_perms; -') - -######################################## -## <summary> -## Inherit and use rpm script file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_use_script_fds',` - gen_require(` - type rpm_script_t; - ') - - allow $1 rpm_script_t:fd use; -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpm script temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_script_tmp_files',` - gen_require(` - type rpm_script_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -') - -##################################### -## <summary> -## Append rpm temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_append_tmp_files',` - gen_require(` - type rpm_tmp_t; - ') - - files_search_tmp($1) - append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpm temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_tmp_files',` - gen_require(` - type rpm_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) -') - -######################################## -## <summary> -## Read rpm script temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_read_script_tmp_files',` - gen_require(` - type rpm_script_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -') - -######################################## -## <summary> -## Read rpm cache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_read_cache',` - gen_require(` - type rpm_var_cache_t; - ') - - files_search_var($1) - allow $1 rpm_var_cache_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpm cache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_cache',` - gen_require(` - type rpm_var_cache_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) -') - -######################################## -## <summary> -## Read rpm lib content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_read_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 rpm_var_lib_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## <summary> -## Delete rpm lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_delete_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpm lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## <summary> -## Do not audit attempts to create, read, -## write, and delete rpm lib content. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`rpm_dontaudit_manage_db',` - gen_require(` - type rpm_var_lib_t; - ') - - dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; - dontaudit $1 rpm_var_lib_t:file manage_file_perms; - dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; -') - -##################################### -## <summary> -## Read rpm pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_read_pid_files',` - gen_require(` - type rpm_var_run_t; - ') - - read_files_pattern($1, rpm_var_run_t, rpm_var_run_t) - files_search_pids($1) -') - -##################################### -## <summary> -## Create, read, write, and delete -## rpm pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_pid_files',` - gen_require(` - type rpm_var_run_t; - ') - - manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t) - files_search_pids($1) -') - -###################################### -## <summary> -## Create files in pid directories -## with the rpm pid file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_pid_filetrans',` - refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.') - rpm_pid_filetrans_rpm_pid($1, file) -') - -######################################## -## <summary> -## Create specified objects in pid directories -## with the rpm pid file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`rpm_pid_filetrans_rpm_pid',` - gen_require(` - type rpm_var_run_t; - ') - - files_pid_filetrans($1, rpm_var_run_t, $3, $4) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an rpm environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rpm_admin',` - gen_require(` - type rpm_t, rpm_script_t, rpm_initrc_exec_t; - type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; - type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; - type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; - ') - - allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rpm_t rpm_script_t }) - - init_labeled_script_domtrans($1, rpm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpm_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, rpm_file_t) - - files_list_var($1) - admin_pattern($1, rpm_cache_t) - - files_list_tmp($1) - admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) - - files_list_var_lib($1) - admin_pattern($1, rpm_var_lib_t) - - files_search_locks($1) - admin_pattern($1, rpm_lock_t) - - logging_list_logs($1) - admin_pattern($1, rpm_log_t) - - files_list_pids($1) - admin_pattern($1, rpm_var_run_t) - - fs_search_tmpfs($1) - admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t } - - rpm_run($1, $2) -') diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te deleted file mode 100644 index 5cbe81c2..00000000 --- a/policy/modules/contrib/rpm.te +++ /dev/null @@ -1,414 +0,0 @@ -policy_module(rpm, 1.15.3) - -######################################## -# -# Declarations -# - -attribute_role rpm_roles; - -type debuginfo_exec_t; -domain_entry_file(rpm_t, debuginfo_exec_t) - -type rpm_t; -type rpm_exec_t; -init_system_domain(rpm_t, rpm_exec_t) -domain_obj_id_change_exemption(rpm_t) -domain_role_change_exemption(rpm_t) -domain_system_change_exemption(rpm_t) -domain_interactive_fd(rpm_t) -role rpm_roles types rpm_t; - -type rpm_initrc_exec_t; -init_script_file(rpm_initrc_exec_t) - -type rpm_file_t; -files_type(rpm_file_t) - -type rpm_tmp_t; -files_tmp_file(rpm_tmp_t) - -type rpm_tmpfs_t; -files_tmpfs_file(rpm_tmpfs_t) - -type rpm_lock_t; -files_lock_file(rpm_lock_t) - -type rpm_log_t; -logging_log_file(rpm_log_t) - -type rpm_var_lib_t; -files_type(rpm_var_lib_t) -typealias rpm_var_lib_t alias var_lib_rpm_t; - -type rpm_var_cache_t; -files_type(rpm_var_cache_t) - -type rpm_var_run_t; -files_pid_file(rpm_var_run_t) - -type rpm_script_t; -type rpm_script_exec_t; -domain_obj_id_change_exemption(rpm_script_t) -domain_system_change_exemption(rpm_script_t) -corecmd_shell_entry_type(rpm_script_t) -corecmd_bin_entry_type(rpm_script_t) -domain_type(rpm_script_t) -domain_entry_file(rpm_t, rpm_script_exec_t) -domain_interactive_fd(rpm_script_t) -role rpm_roles types rpm_script_t; -role system_r types rpm_script_t; - -type rpm_script_tmp_t; -files_tmp_file(rpm_script_tmp_t) - -type rpm_script_tmpfs_t; -files_tmpfs_file(rpm_script_tmpfs_t) - -######################################## -# -# rpm Local policy -# - -allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; -allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; -allow rpm_t self:process { getattr setexec setfscreate setrlimit }; -allow rpm_t self:fd use; -allow rpm_t self:fifo_file rw_fifo_file_perms; -allow rpm_t self:unix_dgram_socket sendto; -allow rpm_t self:unix_stream_socket { accept connectto listen }; -allow rpm_t self:udp_socket connect; -allow rpm_t self:tcp_socket { accept listen }; -allow rpm_t self:shm create_shm_perms; -allow rpm_t self:sem create_sem_perms; -allow rpm_t self:msgq create_msgq_perms; -allow rpm_t self:msg { send receive }; -allow rpm_t self:file rw_file_perms; -allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms; - -allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(rpm_t, rpm_log_t, file) - -manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) -manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) -files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) - -manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) -manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) -files_var_filetrans(rpm_t, rpm_var_cache_t, dir) - -manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t) -files_lock_filetrans(rpm_t, rpm_lock_t, file) - -manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) -manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) -files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file }) - -manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) -manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) -files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file }) - -can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t }) - -kernel_read_crypto_sysctls(rpm_t) -kernel_read_network_state(rpm_t) -kernel_read_system_state(rpm_t) -kernel_read_kernel_sysctls(rpm_t) -kernel_read_network_state_symlinks(rpm_t) -kernel_rw_irq_sysctls(rpm_t) - -corecmd_exec_all_executables(rpm_t) - -corenet_all_recvfrom_unlabeled(rpm_t) -corenet_all_recvfrom_netlabel(rpm_t) -corenet_tcp_sendrecv_generic_if(rpm_t) -corenet_tcp_sendrecv_generic_node(rpm_t) -corenet_tcp_sendrecv_all_ports(rpm_t) - -corenet_sendrecv_all_client_packets(rpm_t) -corenet_tcp_connect_all_ports(rpm_t) - -dev_list_sysfs(rpm_t) -dev_list_usbfs(rpm_t) -dev_read_urand(rpm_t) -dev_read_raw_memory(rpm_t) - -dev_manage_all_dev_nodes(rpm_t) -dev_relabel_all_dev_nodes(rpm_t) - -dev_create_generic_blk_files(rpm_t) -dev_create_generic_chr_files(rpm_t) - -domain_read_all_domains_state(rpm_t) -domain_getattr_all_domains(rpm_t) -domain_use_interactive_fds(rpm_t) -domain_dontaudit_getattr_all_pipes(rpm_t) -domain_dontaudit_getattr_all_tcp_sockets(rpm_t) -domain_dontaudit_getattr_all_udp_sockets(rpm_t) -domain_dontaudit_getattr_all_packet_sockets(rpm_t) -domain_dontaudit_getattr_all_raw_sockets(rpm_t) -domain_dontaudit_getattr_all_stream_sockets(rpm_t) -domain_dontaudit_getattr_all_dgram_sockets(rpm_t) -domain_signull_all_domains(rpm_t) - -files_exec_etc_files(rpm_t) -files_relabel_non_auth_files(rpm_t) -files_manage_non_auth_files(rpm_t) - -fs_getattr_all_dirs(rpm_t) -fs_list_inotifyfs(rpm_t) -fs_manage_nfs_dirs(rpm_t) -fs_manage_nfs_files(rpm_t) -fs_manage_nfs_symlinks(rpm_t) -fs_getattr_all_fs(rpm_t) -fs_search_auto_mountpoints(rpm_t) - -mls_file_read_all_levels(rpm_t) -mls_file_write_all_levels(rpm_t) -mls_file_upgrade(rpm_t) -mls_file_downgrade(rpm_t) - -selinux_get_fs_mount(rpm_t) -selinux_validate_context(rpm_t) -selinux_compute_access_vector(rpm_t) -selinux_compute_create_context(rpm_t) -selinux_compute_relabel_context(rpm_t) -selinux_compute_user_contexts(rpm_t) - -storage_raw_write_fixed_disk(rpm_t) -storage_raw_read_fixed_disk(rpm_t) - -term_list_ptys(rpm_t) - -auth_dontaudit_read_shadow(rpm_t) -auth_use_nsswitch(rpm_t) - -rpm_domtrans_script(rpm_t) - -init_domtrans_script(rpm_t) -init_use_script_ptys(rpm_t) -init_signull_script(rpm_t) - -libs_exec_ld_so(rpm_t) -libs_exec_lib_files(rpm_t) -libs_run_ldconfig(rpm_t, rpm_roles) - -logging_send_syslog_msg(rpm_t) - -seutil_manage_src_policy(rpm_t) -seutil_manage_bin_policy(rpm_t) - -userdom_use_user_terminals(rpm_t) -userdom_use_unpriv_users_fds(rpm_t) - -optional_policy(` - cron_system_entry(rpm_t, rpm_exec_t) -') - -optional_policy(` - dbus_system_domain(rpm_t, rpm_exec_t) - dbus_system_domain(rpm_t, debuginfo_exec_t) - - optional_policy(` - hal_dbus_chat(rpm_t) - ') - - optional_policy(` - networkmanager_dbus_chat(rpm_t) - ') - - optional_policy(` - unconfined_dbus_chat(rpm_t) - ') -') - -optional_policy(` - prelink_run(rpm_t, rpm_roles) -') - -######################################## -# -# rpm-script Local policy -# - -allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; -allow rpm_script_t self:fd use; -allow rpm_script_t self:fifo_file rw_fifo_file_perms; -allow rpm_script_t self:unix_dgram_socket sendto; -allow rpm_script_t self:unix_stream_socket { accept connectto listen }; -allow rpm_script_t self:shm create_shm_perms; -allow rpm_script_t self:sem create_sem_perms; -allow rpm_script_t self:msgq create_msgq_perms; -allow rpm_script_t self:msg { send receive }; -allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; - -allow rpm_script_t rpm_t:netlink_route_socket { read write }; - -allow rpm_script_t rpm_tmp_t:file read_file_perms; - -allow rpm_script_t rpm_script_tmp_t:dir mounton; -manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) - -manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t }) - -kernel_read_crypto_sysctls(rpm_script_t) -kernel_read_kernel_sysctls(rpm_script_t) -kernel_read_system_state(rpm_script_t) -kernel_read_network_state(rpm_script_t) -kernel_list_all_proc(rpm_script_t) -kernel_read_software_raid_state(rpm_script_t) - -corenet_all_recvfrom_unlabeled(rpm_script_t) -corenet_all_recvfrom_netlabel(rpm_script_t) -corenet_tcp_sendrecv_generic_if(rpm_script_t) -corenet_tcp_sendrecv_generic_node(rpm_script_t) - -corenet_sendrecv_http_client_packets(rpm_script_t) -corenet_tcp_connect_http_port(rpm_script_t) -corenet_tcp_sendrecv_http_port(rpm_script_t) - -corecmd_exec_all_executables(rpm_script_t) - -dev_list_sysfs(rpm_script_t) -dev_manage_generic_blk_files(rpm_script_t) -dev_manage_generic_chr_files(rpm_script_t) -dev_manage_all_blk_files(rpm_script_t) -dev_manage_all_chr_files(rpm_script_t) - -domain_read_all_domains_state(rpm_script_t) -domain_getattr_all_domains(rpm_script_t) -domain_use_interactive_fds(rpm_script_t) -domain_signal_all_domains(rpm_script_t) -domain_signull_all_domains(rpm_script_t) - -files_exec_etc_files(rpm_script_t) -files_exec_usr_files(rpm_script_t) -files_manage_non_auth_files(rpm_script_t) -files_relabel_non_auth_files(rpm_script_t) - -fs_manage_nfs_files(rpm_script_t) -fs_getattr_nfs(rpm_script_t) -fs_search_all(rpm_script_t) -fs_getattr_all_fs(rpm_script_t) -fs_getattr_xattr_fs(rpm_script_t) -fs_mount_xattr_fs(rpm_script_t) -fs_unmount_xattr_fs(rpm_script_t) -fs_search_auto_mountpoints(rpm_script_t) - -mcs_killall(rpm_script_t) - -mls_file_read_all_levels(rpm_script_t) -mls_file_write_all_levels(rpm_script_t) - -selinux_get_fs_mount(rpm_script_t) -selinux_validate_context(rpm_script_t) -selinux_compute_access_vector(rpm_script_t) -selinux_compute_create_context(rpm_script_t) -selinux_compute_relabel_context(rpm_script_t) -selinux_compute_user_contexts(rpm_script_t) - -storage_raw_read_fixed_disk(rpm_script_t) -storage_raw_write_fixed_disk(rpm_script_t) - -term_getattr_unallocated_ttys(rpm_script_t) -term_list_ptys(rpm_script_t) -term_use_all_terms(rpm_script_t) - -auth_dontaudit_getattr_shadow(rpm_script_t) -auth_use_nsswitch(rpm_script_t) - -init_domtrans_script(rpm_script_t) -init_telinit(rpm_script_t) - -libs_exec_ld_so(rpm_script_t) -libs_exec_lib_files(rpm_script_t) -libs_run_ldconfig(rpm_script_t, rpm_roles) - -logging_send_syslog_msg(rpm_script_t) - -miscfiles_read_localization(rpm_script_t) - -modutils_run_depmod(rpm_script_t, rpm_roles) -modutils_run_insmod(rpm_script_t, rpm_roles) - -seutil_run_loadpolicy(rpm_script_t, rpm_roles) -seutil_run_setfiles(rpm_script_t, rpm_roles) -seutil_run_semanage(rpm_script_t, rpm_roles) - -userdom_use_all_users_fds(rpm_script_t) - -ifdef(`distro_redhat',` - optional_policy(` - mta_send_mail(rpm_script_t) - mta_system_content(rpm_var_run_t) - ') -') - -tunable_policy(`allow_execmem',` - allow rpm_script_t self:process execmem; -') - -optional_policy(` - bootloader_run(rpm_script_t, rpm_roles) -') - -optional_policy(` - dbus_system_bus_client(rpm_script_t) - - optional_policy(` - unconfined_dbus_chat(rpm_script_t) - ') -') - -optional_policy(` - lvm_run(rpm_script_t, rpm_roles) -') - -optional_policy(` - ntp_domtrans(rpm_script_t) -') - -optional_policy(` - tzdata_run(rpm_t, rpm_roles) - tzdata_run(rpm_script_t, rpm_roles) -') - -optional_policy(` - udev_domtrans(rpm_script_t) -') - -optional_policy(` - unconfined_domtrans(rpm_script_t) - - optional_policy(` - java_domtrans_unconfined(rpm_script_t) - ') - - optional_policy(` - mono_domtrans(rpm_script_t) - ') -') - -optional_policy(` - usermanage_run_groupadd(rpm_script_t, rpm_roles) - usermanage_run_useradd(rpm_script_t, rpm_roles) -') diff --git a/policy/modules/contrib/rshd.fc b/policy/modules/contrib/rshd.fc deleted file mode 100644 index 9ad0d58d..00000000 --- a/policy/modules/contrib/rshd.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0) - -/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) -/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0) diff --git a/policy/modules/contrib/rshd.if b/policy/modules/contrib/rshd.if deleted file mode 100644 index 7ad29c04..00000000 --- a/policy/modules/contrib/rshd.if +++ /dev/null @@ -1,20 +0,0 @@ -## <summary>Remote shell service.</summary> - -######################################## -## <summary> -## Execute rshd in the rshd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rshd_domtrans',` - gen_require(` - type rshd_exec_t, rshd_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rshd_exec_t, rshd_t) -') diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te deleted file mode 100644 index f8428253..00000000 --- a/policy/modules/contrib/rshd.te +++ /dev/null @@ -1,73 +0,0 @@ -policy_module(rshd, 1.7.1) - -######################################## -# -# Declarations -# - -type rshd_t; -type rshd_exec_t; -auth_login_pgm_domain(rshd_t) -inetd_tcp_service_domain(rshd_t, rshd_exec_t) - -######################################## -# -# Local policy -# - -allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; -allow rshd_t self:process { signal_perms setsched setpgid setexec }; -allow rshd_t self:fifo_file rw_fifo_file_perms; -allow rshd_t self:tcp_socket create_stream_socket_perms; - -kernel_read_kernel_sysctls(rshd_t) - -corenet_all_recvfrom_unlabeled(rshd_t) -corenet_all_recvfrom_netlabel(rshd_t) -corenet_tcp_sendrecv_generic_if(rshd_t) -corenet_tcp_sendrecv_generic_node(rshd_t) -corenet_tcp_sendrecv_all_ports(rshd_t) -corenet_tcp_bind_generic_node(rshd_t) - -corenet_sendrecv_all_server_packets(rshd_t) -corenet_tcp_bind_rsh_port(rshd_t) -corenet_tcp_bind_all_rpc_ports(rshd_t) -corenet_tcp_connect_all_ports(rshd_t) -corenet_tcp_connect_all_rpc_ports(rshd_t) - -corecmd_read_bin_symlinks(rshd_t) - -files_list_home(rshd_t) - -logging_search_logs(rshd_t) - -miscfiles_read_localization(rshd_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(rshd_t) - fs_read_nfs_symlinks(rshd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(rshd_t) - fs_read_cifs_symlinks(rshd_t) -') - -optional_policy(` - kerberos_keytab_template(rshd, rshd_t) - kerberos_manage_host_rcache(rshd_t) - kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0") -') - -optional_policy(` - rlogin_read_home_content(rshd_t) -') - -optional_policy(` - tcpd_wrapped_domain(rshd_t, rshd_exec_t) -') - -optional_policy(` - unconfined_shell_domtrans(rshd_t) - unconfined_signal(rshd_t) -') diff --git a/policy/modules/contrib/rssh.fc b/policy/modules/contrib/rssh.fc deleted file mode 100644 index c0768426..00000000 --- a/policy/modules/contrib/rssh.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0) - -/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0) diff --git a/policy/modules/contrib/rssh.if b/policy/modules/contrib/rssh.if deleted file mode 100644 index 6ecadcbc..00000000 --- a/policy/modules/contrib/rssh.if +++ /dev/null @@ -1,112 +0,0 @@ -## <summary>Restricted (scp/sftp) only shell.</summary> - -######################################## -## <summary> -## Role access for rssh. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`rssh_role',` - gen_require(` - attribute_role rssh_roles; - type rssh_t, rssh_exec_t, rssh_ro_t; - type rssh_rw_t; - ') - - roleattribute $1 rssh_roles; - - domtrans_pattern($2, rssh_exec_t, rssh_t) - - allow $2 rssh_t:process { ptrace signal_perms }; - ps_process_pattern($2, rssh_t) - - allow $2 { rssh_ro_t rssh_rw_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { rssh_ro_t rssh_rw_t }:file { manage_file_perms relabel_file_perms }; -') - -######################################## -## <summary> -## Execute rssh in the rssh domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rssh_spec_domtrans',` - gen_require(` - type rssh_t, rssh_exec_t; - ') - - corecmd_search_bin($1) - spec_domtrans_pattern($1, rssh_exec_t, rssh_t) -') - -######################################## -## <summary> -## Execute the rssh program -## in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rssh_exec',` - gen_require(` - type rssh_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rssh_exec_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run rssh chroot helper. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rssh_domtrans_chroot_helper',` - gen_require(` - type rssh_chroot_helper_t, rssh_chroot_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t) -') - -######################################## -## <summary> -## Read users rssh read-only content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rssh_read_ro_content',` - gen_require(` - type rssh_ro_t; - ') - - allow $1 rssh_ro_t:dir list_dir_perms; - allow $1 rssh_ro_t:file read_file_perms; -') diff --git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te deleted file mode 100644 index d1fd97fa..00000000 --- a/policy/modules/contrib/rssh.te +++ /dev/null @@ -1,99 +0,0 @@ -policy_module(rssh, 2.2.1) - -######################################## -# -# Declarations -# - -attribute_role rssh_roles; -roleattribute system_r rssh_roles; - -type rssh_t; -type rssh_exec_t; -typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t }; -typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t }; -userdom_user_application_domain(rssh_t, rssh_exec_t) -domain_user_exemption_target(rssh_t) -domain_interactive_fd(rssh_t) -role rssh_roles types rssh_t; - -type rssh_chroot_helper_t; -type rssh_chroot_helper_exec_t; -init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t) - -type rssh_devpts_t; -typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t }; -typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t }; -term_user_pty(rssh_t, rssh_devpts_t) -ubac_constrained(rssh_devpts_t) - -type rssh_ro_t; # customizable -typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t }; -typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t }; -userdom_user_home_content(rssh_ro_t) - -type rssh_rw_t; # customizable -typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t }; -typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t }; -userdom_user_home_content(rssh_rw_t) - -############################## -# -# Local policy -# - -allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow rssh_t self:fd use; -allow rssh_t self:fifo_file rw_fifo_file_perms; -allow rssh_t self:unix_dgram_socket sendto; -allow rssh_t self:unix_stream_socket { accept connectto listen }; - -allow rssh_t rssh_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -term_create_pty(rssh_t, rssh_devpts_t) - -allow rssh_t rssh_ro_t:dir list_dir_perms; -read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t) - -manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t) -manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) - -kernel_read_system_state(rssh_t) -kernel_read_kernel_sysctls(rssh_t) - -files_read_etc_files(rssh_t) -files_read_etc_runtime_files(rssh_t) -files_list_home(rssh_t) -files_read_usr_files(rssh_t) -files_list_var(rssh_t) - -fs_search_auto_mountpoints(rssh_t) - -logging_send_syslog_msg(rssh_t) - -miscfiles_read_localization(rssh_t) - -rssh_domtrans_chroot_helper(rssh_t) - -ssh_rw_tcp_sockets(rssh_t) -ssh_rw_stream_sockets(rssh_t) - -optional_policy(` - nis_use_ypbind(rssh_t) -') - -######################################## -# -# Chroot helper local policy -# - -allow rssh_chroot_helper_t self:capability { sys_chroot setuid }; -allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms; -allow rssh_chroot_helper_t self:unix_stream_socket { accept listen }; - -domain_use_interactive_fds(rssh_chroot_helper_t) - -auth_use_nsswitch(rssh_chroot_helper_t) - -logging_send_syslog_msg(rssh_chroot_helper_t) - -miscfiles_read_localization(rssh_chroot_helper_t) diff --git a/policy/modules/contrib/rsync.fc b/policy/modules/contrib/rsync.fc deleted file mode 100644 index d25301b8..00000000 --- a/policy/modules/contrib/rsync.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) - -/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) - -/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0) - -/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if deleted file mode 100644 index f1140efe..00000000 --- a/policy/modules/contrib/rsync.if +++ /dev/null @@ -1,281 +0,0 @@ -## <summary>Fast incremental file transfer for synchronization.</summary> - -######################################## -## <summary> -## Make rsync executable file an -## entry point for the specified domain. -## </summary> -## <param name="domain"> -## <summary> -## The domain for which rsync_exec_t is an entrypoint. -## </summary> -## </param> -# -interface(`rsync_entry_type',` - gen_require(` - type rsync_exec_t; - ') - - domain_entry_file($1, rsync_exec_t) -') - -######################################## -## <summary> -## Execute a rsync in a specified domain. -## </summary> -## <desc> -## <p> -## Execute a rsync in a specified domain. -## </p> -## <p> -## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -## </p> -## </desc> -## <param name="source_domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="target_domain"> -## <summary> -## Domain to transition to. -## </summary> -## </param> -# -interface(`rsync_entry_spec_domtrans',` - gen_require(` - type rsync_exec_t; - ') - - corecmd_search_bin($1) - auto_trans($1, rsync_exec_t, $2) -') - -######################################## -## <summary> -## Execute a rsync in a specified domain. -## </summary> -## <desc> -## <p> -## Execute a rsync in a specified domain. -## </p> -## <p> -## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -## </p> -## </desc> -## <param name="source_domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="target_domain"> -## <summary> -## Domain to transition to. -## </summary> -## </param> -# -interface(`rsync_entry_domtrans',` - gen_require(` - type rsync_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_trans($1, rsync_exec_t, $2) -') - -######################################## -## <summary> -## Execute the rsync program in the rsync domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rsync_domtrans',` - gen_require(` - type rsync_t, rsync_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rsync_exec_t, rsync_t) -') - -######################################## -## <summary> -## Execute rsync in the rsync domain, and -## allow the specified role the rsync domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`rsync_run',` - gen_require(` - attribute_role rsync_roles; - ') - - rsync_domtrans($1) - roleattribute $2 rsync_roles; -') - -######################################## -## <summary> -## Execute rsync in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rsync_exec',` - gen_require(` - type rsync_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rsync_exec_t) -') - -######################################## -## <summary> -## Read rsync config files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rsync_read_config',` - gen_require(` - type rsync_etc_t; - ') - - files_search_etc($1) - allow $1 rsync_etc_t:file read_file_perms; -') - -######################################## -## <summary> -## Write rsync config files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rsync_write_config',` - gen_require(` - type rsync_etc_t; - ') - - files_search_etc($1) - allow $1 rsync_etc_t:file write_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## rsync config files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rsync_manage_config_files',` - gen_require(` - type rsync_etc_t; - ') - - files_search_etc($1) - manage_files_pattern($1, rsync_etc_t, rsync_etc_t) -') - -######################################## -## <summary> -## Create specified objects in etc directories -## with rsync etc type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`rsync_etc_filetrans_config',` - gen_require(` - type rsync_etc_t; - ') - - files_etc_filetrans($1, rsync_etc_t, $2, $3) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an rsync environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rsync_admin',` - gen_require(` - type rsync_t, rsync_etc_t, rsync_data_t; - type rsync_log_t, rsync_tmp_t. rsync_var_run_t; - ') - - allow $1 rsync_t:process { ptrace signal_perms }; - ps_process_pattern($1, rsync_t) - - files_search_etc($1) - admin_pattern($1, rsync_etc_t) - - admin_pattern($1, rsync_data_t) - - logging_search_logs($1) - admin_pattern($1, rsync_log_t) - - files_search_tmp($1) - admin_pattern($1, rsync_tmp_t) - - files_search_pids($1) - admin_pattern($1, rsync_var_run_t) - - rsync_run($1, $2) -') diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te deleted file mode 100644 index e3e7c961..00000000 --- a/policy/modules/contrib/rsync.te +++ /dev/null @@ -1,198 +0,0 @@ -policy_module(rsync, 1.12.2) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether rsync can use -## cifs file systems. -## </p> -## </desc> -gen_tunable(rsync_use_cifs, false) - -## <desc> -## <p> -## Determine whether rsync can -## use fuse file systems. -## </p> -## </desc> -gen_tunable(rsync_use_fusefs, false) - -## <desc> -## <p> -## Determine whether rsync can use -## nfs file systems. -## </p> -## </desc> -gen_tunable(rsync_use_nfs, false) - -## <desc> -## <p> -## Determine whether rsync can -## run as a client -## </p> -## </desc> -gen_tunable(rsync_client, false) - -## <desc> -## <p> -## Determine whether rsync can -## export all content read only. -## </p> -## </desc> -gen_tunable(rsync_export_all_ro, false) - -## <desc> -## <p> -## Determine whether rsync can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -## </p> -## </desc> -gen_tunable(allow_rsync_anon_write, false) - -attribute_role rsync_roles; - -type rsync_t; -type rsync_exec_t; -init_daemon_domain(rsync_t, rsync_exec_t) -application_domain(rsync_t, rsync_exec_t) -role rsync_roles types rsync_t; - -type rsync_etc_t; -files_config_file(rsync_etc_t) - -type rsync_data_t; # customizable -files_type(rsync_data_t) - -type rsync_log_t; -logging_log_file(rsync_log_t) - -type rsync_tmp_t; -files_tmp_file(rsync_tmp_t) - -type rsync_var_run_t; -files_pid_file(rsync_var_run_t) - -######################################## -# -# Local policy -# - -allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; -allow rsync_t self:process signal_perms; -allow rsync_t self:fifo_file rw_fifo_file_perms; -allow rsync_t self:tcp_socket { accept listen }; - -allow rsync_t rsync_etc_t:file read_file_perms; - -allow rsync_t rsync_data_t:dir list_dir_perms; -allow rsync_t rsync_data_t:file read_file_perms; -allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms; - -allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(rsync_t, rsync_log_t, file) - -manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir }) - -manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t) -files_pid_filetrans(rsync_t, rsync_var_run_t, file) - -kernel_read_kernel_sysctls(rsync_t) -kernel_read_system_state(rsync_t) -kernel_read_network_state(rsync_t) - -corenet_all_recvfrom_unlabeled(rsync_t) -corenet_all_recvfrom_netlabel(rsync_t) -corenet_tcp_sendrecv_generic_if(rsync_t) -corenet_tcp_sendrecv_generic_node(rsync_t) -corenet_tcp_bind_generic_node(rsync_t) - -corenet_sendrecv_rsync_server_packets(rsync_t) -corenet_tcp_bind_rsync_port(rsync_t) -corenet_tcp_sendrecv_rsync_port(rsync_t) - -dev_read_urand(rsync_t) - -fs_getattr_all_fs(rsync_t) -fs_search_auto_mountpoints(rsync_t) - -files_search_home(rsync_t) - -auth_can_read_shadow_passwords(rsync_t) -auth_use_nsswitch(rsync_t) - -logging_send_syslog_msg(rsync_t) - -miscfiles_read_localization(rsync_t) -miscfiles_read_public_files(rsync_t) - -tunable_policy(`allow_rsync_anon_write',` - miscfiles_manage_public_files(rsync_t) -') - -tunable_policy(`rsync_client',` - corenet_sendrecv_rsync_client_packets(rsync_t) - corenet_tcp_connect_rsync_port(rsync_t) - - corenet_sendrecv_ssh_client_packets(rsync_t) - corenet_tcp_connect_ssh_port(rsync_t) - corenet_tcp_sendrecv_ssh_port(rsync_t) - - manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) - manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) - manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -') - -tunable_policy(`rsync_export_all_ro',` - fs_read_noxattr_fs_files(rsync_t) - fs_read_nfs_files(rsync_t) - fs_read_fusefs_files(rsync_t) - fs_read_cifs_files(rsync_t) - files_list_non_auth_dirs(rsync_t) - files_read_non_auth_files(rsync_t) - files_read_non_auth_symlinks(rsync_t) - auth_tunable_read_shadow(rsync_t) -') - -tunable_policy(`rsync_use_cifs',` - fs_list_cifs(rsync_t) - fs_read_cifs_files(rsync_t) - fs_read_cifs_symlinks(rsync_t) -') - -tunable_policy(`rsync_use_fusefs',` - fs_search_fusefs(rsync_t) - fs_read_fusefs_files(rsync_t) - fs_read_fusefs_symlinks(rsync_t) -') - -tunable_policy(`rsync_use_nfs',` - fs_list_nfs(rsync_t) - fs_read_nfs_files(rsync_t) - fs_read_nfs_symlinks(rsync_t) -') - -optional_policy(` - tunable_policy(`rsync_client',` - ssh_exec(rsync_t) - ') -') - -optional_policy(` - daemontools_service_domain(rsync_t, rsync_exec_t) -') - -optional_policy(` - kerberos_use(rsync_t) -') - -optional_policy(` - inetd_service_domain(rsync_t, rsync_exec_t) -') diff --git a/policy/modules/contrib/rtkit.fc b/policy/modules/contrib/rtkit.fc deleted file mode 100644 index 75bbf382..00000000 --- a/policy/modules/contrib/rtkit.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_initrc_exec_t,s0) - -/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) - -/usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if deleted file mode 100644 index bd35afe8..00000000 --- a/policy/modules/contrib/rtkit.if +++ /dev/null @@ -1,96 +0,0 @@ -## <summary>Realtime scheduling for user processes.</summary> - -######################################## -## <summary> -## Execute a domain transition to run rtkit_daemon. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rtkit_daemon_domtrans',` - gen_require(` - type rtkit_daemon_t, rtkit_daemon_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t) -') - -######################################## -## <summary> -## Send and receive messages from -## rtkit_daemon over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rtkit_daemon_dbus_chat',` - gen_require(` - type rtkit_daemon_t; - class dbus send_msg; - ') - - allow $1 rtkit_daemon_t:dbus send_msg; - allow rtkit_daemon_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Allow rtkit to control scheduling for your process. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rtkit_scheduled',` - gen_require(` - type rtkit_daemon_t; - ') - - allow rtkit_daemon_t $1:process { getsched setsched }; - - ps_process_pattern(rtkit_daemon_t, $1) - - optional_policy(` - rtkit_daemon_dbus_chat($1) - ') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an rtkit environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rtkit_admin',` - gen_require(` - type rtkit_daemon_t, rtkit_daemon_initrc_exec_t; - ') - - allow $1 rtkit_daemon_t:process { ptrace signal_perms }; - ps_process_pattern($1, rtkit_daemon_t) - - init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rtkit_daemon_initrc_exec_t system_r; - allow $2 system_r; -') diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te deleted file mode 100644 index 3f5a8ef6..00000000 --- a/policy/modules/contrib/rtkit.te +++ /dev/null @@ -1,42 +0,0 @@ -policy_module(rtkit, 1.1.2) - -######################################## -# -# Declarations -# - -type rtkit_daemon_t; -type rtkit_daemon_exec_t; -init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) - -type rtkit_daemon_initrc_exec_t; -init_script_file(rtkit_daemon_initrc_exec_t) - -######################################## -# -# Local policy -# - -allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; -allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit }; - -kernel_read_system_state(rtkit_daemon_t) - -domain_getsched_all_domains(rtkit_daemon_t) -domain_read_all_domains_state(rtkit_daemon_t) - -fs_rw_anon_inodefs_files(rtkit_daemon_t) - -auth_use_nsswitch(rtkit_daemon_t) - -logging_send_syslog_msg(rtkit_daemon_t) - -miscfiles_read_localization(rtkit_daemon_t) - -optional_policy(` - dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) - - optional_policy(` - policykit_dbus_chat(rtkit_daemon_t) - ') -') diff --git a/policy/modules/contrib/rtorrent.fc b/policy/modules/contrib/rtorrent.fc index f8fcf7c4..5e248d1e 100644 --- a/policy/modules/contrib/rtorrent.fc +++ b/policy/modules/contrib/rtorrent.fc @@ -1,4 +1,5 @@ -HOME_DIR/.rtorrent.rc -- gen_context(system_u:object_r:rtorrent_home_t,s0) -HOME_DIR/.rtsession(/.*)? gen_context(system_u:object_r:rtorrent_session_t,s0) +HOME_DIR/\.rtorrent\.rc -- gen_context(system_u:object_r:rtorrent_home_t,s0) +HOME_DIR/\.rtsession(/.*)? gen_context(system_u:object_r:rtorrent_session_t,s0) +HOME_DIR/\.rtorrent(/.*)? gen_context(system_u:object_r:rtorrent_session_t,s0) -/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0,s0) +/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0) diff --git a/policy/modules/contrib/rtorrent.if b/policy/modules/contrib/rtorrent.if index 790f8893..8818b654 100644 --- a/policy/modules/contrib/rtorrent.if +++ b/policy/modules/contrib/rtorrent.if @@ -28,8 +28,8 @@ interface(`rtorrent_role',` manage_files_pattern($2, rtorrent_home_t, rtorrent_home_t) - read_files_pattern($2, rtorrent_session_t, rtorrent_session_t) - list_dirs_pattern($2, rtorrent_session_t, rtorrent_session_t) + manage_files_pattern($2, rtorrent_session_t, rtorrent_session_t) + manage_dirs_pattern($2, rtorrent_session_t, rtorrent_session_t) ps_process_pattern($2, rtorrent_t) ') diff --git a/policy/modules/contrib/rtorrent.te b/policy/modules/contrib/rtorrent.te index 746b5f5f..34fad1c5 100644 --- a/policy/modules/contrib/rtorrent.te +++ b/policy/modules/contrib/rtorrent.te @@ -44,19 +44,24 @@ read_files_pattern(rtorrent_t, rtorrent_home_t, rtorrent_home_t) manage_dirs_pattern(rtorrent_t, rtorrent_session_t, rtorrent_session_t) manage_files_pattern(rtorrent_t, rtorrent_session_t, rtorrent_session_t) +allow rtorrent_t rtorrent_session_t:file map; corenet_tcp_bind_generic_node(rtorrent_t) corenet_tcp_bind_rtorrent_port(rtorrent_t) corenet_tcp_connect_all_ports(rtorrent_t) -corenet_tcp_sendrecv_all_ports(rtorrent_t) domain_use_interactive_fds(rtorrent_t) files_list_home(rtorrent_t) +files_list_tmp(rtorrent_t) +files_list_var(rtorrent_t) files_read_etc_files(rtorrent_t) fs_getattr_xattr_fs(rtorrent_t) +kernel_read_system_state(rtorrent_t) + +miscfiles_read_generic_certs(rtorrent_t) miscfiles_read_localization(rtorrent_t) sysnet_read_config(rtorrent_t) @@ -74,7 +79,8 @@ tunable_policy(`rtorrent_use_dht',` tunable_policy(`rtorrent_use_rsync',` allow rtorrent_t self:unix_stream_socket { create connect write read }; - corecmd_search_bin(rtorrent_t) + corecmd_exec_bin(rtorrent_t) + corecmd_exec_shell(rtorrent_t) corenet_sendrecv_rsync_client_packets(rtorrent_t) corenet_tcp_connect_rsync_port(rtorrent_t) diff --git a/policy/modules/contrib/rwho.fc b/policy/modules/contrib/rwho.fc deleted file mode 100644 index 5a630a99..00000000 --- a/policy/modules/contrib/rwho.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0) - -/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0) - -/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) - -/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0) diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if deleted file mode 100644 index 0360ff01..00000000 --- a/policy/modules/contrib/rwho.if +++ /dev/null @@ -1,155 +0,0 @@ -## <summary>Who is logged in on other machines?</summary> - -######################################## -## <summary> -## Execute a domain transition to run rwho. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rwho_domtrans',` - gen_require(` - type rwho_t, rwho_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rwho_exec_t, rwho_t) -') - -######################################## -## <summary> -## Search rwho log directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rwho_search_log',` - gen_require(` - type rwho_log_t; - ') - - logging_search_logs($1) - allow $1 rwho_log_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read rwho log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rwho_read_log_files',` - gen_require(` - type rwho_log_t; - ') - - logging_search_logs($1) - allow $1 rwho_log_t:dir list_dir_perms; - allow $1 rwho_log_t:file read_file_perms; -') - -######################################## -## <summary> -## Search rwho spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rwho_search_spool',` - gen_require(` - type rwho_spool_t; - ') - - files_search_spool($1) - allow $1 rwho_spool_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read rwho spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rwho_read_spool_files',` - gen_require(` - type rwho_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, rwho_spool_t, rwho_spool_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rwho spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rwho_manage_spool_files',` - gen_require(` - type rwho_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, rwho_spool_t, rwho_spool_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an rwho environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rwho_admin',` - gen_require(` - type rwho_t, rwho_log_t, rwho_spool_t; - type rwho_initrc_exec_t; - ') - - allow $1 rwho_t:process { ptrace signal_perms }; - ps_process_pattern($1, rwho_t) - - init_labeled_script_domtrans($1, rwho_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rwho_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, rwho_log_t) - - files_list_spool($1) - admin_pattern($1, rwho_spool_t) -') diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te deleted file mode 100644 index 9927d29a..00000000 --- a/policy/modules/contrib/rwho.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(rwho, 1.6.1) - -######################################## -# -# Declarations -# - -type rwho_t; -type rwho_exec_t; -init_daemon_domain(rwho_t, rwho_exec_t) - -type rwho_initrc_exec_t; -init_script_file(rwho_initrc_exec_t) - -type rwho_log_t; -files_type(rwho_log_t) - -type rwho_spool_t; -files_type(rwho_spool_t) - -######################################## -# -# Local policy -# - -allow rwho_t self:capability sys_chroot; -allow rwho_t self:process signal; -allow rwho_t self:fifo_file rw_fifo_file_perms; -allow rwho_t self:unix_stream_socket { accept listen }; - -allow rwho_t rwho_log_t:dir manage_dir_perms; -allow rwho_t rwho_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(rwho_t, rwho_log_t, { file dir }) - -allow rwho_t rwho_spool_t:dir manage_dir_perms; -allow rwho_t rwho_spool_t:file manage_file_perms; -files_spool_filetrans(rwho_t, rwho_spool_t, { file dir }) - -kernel_read_system_state(rwho_t) - -corenet_all_recvfrom_unlabeled(rwho_t) -corenet_all_recvfrom_netlabel(rwho_t) -corenet_udp_sendrecv_generic_if(rwho_t) -corenet_udp_sendrecv_generic_node(rwho_t) -corenet_udp_bind_generic_node(rwho_t) - -corenet_sendrecv_rwho_server_packets(rwho_t) -corenet_udp_bind_rwho_port(rwho_t) -corenet_udp_sendrecv_rwho_port(rwho_t) - -domain_use_interactive_fds(rwho_t) - -files_read_etc_files(rwho_t) - -init_read_utmp(rwho_t) -init_dontaudit_write_utmp(rwho_t) - -logging_send_syslog_msg(rwho_t) - -miscfiles_read_localization(rwho_t) - -sysnet_dns_name_resolve(rwho_t) - -# userdom_getattr_user_terminals(rwho_t) diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc new file mode 100644 index 00000000..1dbef661 --- /dev/null +++ b/policy/modules/contrib/salt.fc @@ -0,0 +1,30 @@ +/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0) +/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0) +/etc/salt/pki/master(/.*)? gen_context(system_u:object_r:salt_master_pki_t,s0) +/etc/salt/pki/minion(/.*)? gen_context(system_u:object_r:salt_minion_pki_t,s0) + +/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0) +/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0) + +/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0) +/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0) + +/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0) +/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0) + +/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0) +/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0) +/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0) + +/run/salt -d gen_context(system_u:object_r:salt_runtime_t,s0) +/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_runtime_t,s0) +/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_runtime_t,s0) +/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_runtime_t,s0) +/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_runtime_t,s0) + +/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0) +/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0) +/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0) + +/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0) +/srv/pillar(/.*)? gen_context(system_u:object_r:salt_sls_t,s0) diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if new file mode 100644 index 00000000..a26d6380 --- /dev/null +++ b/policy/modules/contrib/salt.if @@ -0,0 +1,84 @@ +## <summary>Infrastructure management toolset</summary> + +######################################### +## <summary> +## All the rules required to administer a salt master environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +# +interface(`salt_admin_master',` + gen_require(` + type salt_master_t; + type salt_master_initrc_exec_t; + type salt_master_exec_t; + type salt_etc_t; + type salt_runtime_t; + type salt_master_runtime_t; + attribute_role salt_master_roles; + ') + + allow $1 salt_master_t:process { ptrace signal_perms }; + ps_process_pattern($1, salt_master_t) + + init_startstop_service($1, $2, salt_master_t, salt_master_initrc_exec_t) + + # for debugging? + role_transition $2 salt_master_exec_t system_r; + domtrans_pattern($1, salt_master_exec_t, salt_master_t) + + roleattribute $2 salt_master_roles; + + files_list_etc($1) + admin_pattern($1, salt_etc_t, salt_etc_t) + + allow $1 salt_runtime_t:dir search_dir_perms; + stream_connect_pattern($1, salt_master_runtime_t, salt_master_runtime_t, salt_master_t) +') + +######################################### +## <summary> +## All the rules required to administer a salt minion environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +# +interface(`salt_admin_minion',` + gen_require(` + type salt_minion_t; + type salt_minion_initrc_exec_t; + type salt_minion_exec_t; + type salt_etc_t; + attribute_role salt_minion_roles; + ') + + allow $1 salt_minion_t:process { ptrace signal_perms }; + ps_process_pattern($1, salt_minion_t) + + init_startstop_service($1, $2, salt_minion_t, salt_minion_initrc_exec_t) + + # for debugging + role_transition $2 salt_minion_exec_t system_r; + domtrans_pattern($1, salt_minion_exec_t, salt_minion_t) + + roleattribute $2 salt_minion_roles; + + files_list_etc($1) + admin_pattern($1, salt_etc_t, salt_etc_t) +') diff --git a/policy/modules/contrib/salt.rst b/policy/modules/contrib/salt.rst new file mode 100644 index 00000000..ad4ce7d6 --- /dev/null +++ b/policy/modules/contrib/salt.rst @@ -0,0 +1,166 @@ +============ +salt_selinux +============ + +------------------------------ +SELinux policy module for Salt +------------------------------ + +:Author: Sven Vermeulen <swift@gentoo.org> +:Date: 2014-08-15 +:Manual section: 8 +:Manual group: SELinux + +DESCRIPTION +=========== + +The **salt** SELinux module supports the Salt configuration management (as +offered by Saltstack) tools and resources. + +BOOLEANS +======== + +The following booleans are defined through the **salt** SELinux policy module. +They can be toggled using ``setsebool``, like so:: + + setsebool -P salt_master_read_nfs on + +salt_master_read_nfs + Should be enabled if the Salt state files (SLS) are stored on an NFS mount + +salt_minion_manage_nfs + Should be enabled if the Salt minion needs manage privileges on NFS mounts + +DOMAINS +======= + +salt_master_t +------------- + +The **salt_master_t** domain is used by the Salt master. It is usually launched +by the init script ``salt-master`` although it can also be launched through the +command line command **salt-master -d**. + +This domain is responsible for servicing the Salt minions. Unlike the Salt +minion domain (**salt_minion_t**) the master domain is not very privileged as it +only provides access to the Salt state files. + +salt_minion_t +------------- + +The **salt_minion_t** domain is used by the Salt minion. It is usually launched +by the init script ``salt-minion`` although it can also be launched through the +command line command **salt-minion -d**. + +This domain is responsible for enforcing the state as provided by the Salt +master on the system. This makes the **salt_minion_t** domain a *very +privileged* domain. + +LOCATIONS +========= + +FUNCTIONAL +---------- + +The following list of locations identify file resources that are used by the +Salt domains. They are by default allocated towards the default locations for +Salt, so if you use a different location, you will need to properly address +this. You can do so through ``semanage``, like so:: + + semanage fcontext -a -t salt_sls_t "/var/lib/salt/state(/.*)?" + +The above example marks the */var/lib/salt/state* location as the location where +the Salt state files (``*.sls``) are stored (identified through the +**salt_sls_t** type). + +salt_sls_t + is used for the Salt state files (*/srv/salt*) + +salt_pki_t + is used as the parent directory in which the master and minion keys are stored + (*/etc/salt/pki*) + +salt_master_pki_t + is used for the private and public keys managed by the Salt master + (*/etc/salt/pki/master*) + +salt_minion_pki_t + is used for the private and public keys managed by the Salt minion + (*/etc/salt/pki/minion*) + +EXEUTABLES +---------- + +salt_master_exec_t + is used as entry point for the Salt master (**salt_master_t**) + +salt_minion_exec_t + is used as entry point for the Salt minion (**salt_minion_t**) + +salt_master_initrc_exec_t + is used for the init script to launch the salt master + +salt_minion_initrc_exec_t + is used for the init script to launch the salt minion + +DAEMON FILES +------------ + +salt_cache_t + is used for the parent directory for Salt caches (*/var/cache/salt*) + +salt_master_cache_t + is used to store the Salt master cache (*/var/cache/salt/master*) + +salt_minion_cache_t + is used to store the Salt minion cache (*/var/cache/salt/minion*) + +salt_log_t + is used for the parent directory for Salt log files (*/var/log/salt*) + +salt_master_log_t + is used for the Salt master log file (*/var/log/salt/master*) + +salt_minion_log_t + is used for the Salt minion log file (*/var/log/salt/minion*) + +salt_runtime_t + is used for the parent directory for Salt run-time files (*/var/run/salt*) + +salt_master_runtime_t + is used for the Salt master variable run-time files (*/var/run/salt/master*) + +salt_minion_runtime_t + is used for the Salt minion variable run-time files (*/var/run/salt/minion*) + +CONFIGURATION FILES +------------------- + +salt_etc_t + is used for the Salt configuration (*/etc/salt*) + +POLICY +====== + +The following interfaces can be used to enhance the default policy with +Salt-related provileges. More details on these interfaces can be found in the +interface HTML documentation, we will not list all available interfaces here. + +Role interfaces +--------------- + +The following role interfaces allow users and roles access to the specified +domains. Only to be used for user domains and roles. + +salt_admin_master + is used for user domains to allow administration of a Salt master environment + +salt_minion_master + is used for user domains to allow administration of a Salt minion environment + +SEE ALSO +======== + +* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux +* Gentoo Hardened SELinux Project at + https://wiki.gentoo.org/wiki/Project:Hardened diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te new file mode 100644 index 00000000..c1e8cdbc --- /dev/null +++ b/policy/modules/contrib/salt.te @@ -0,0 +1,356 @@ +policy_module(salt, 1.0) + +######################################### +# +# Declarations +# + +## <desc> +## <p> +## Determine wether the salt master can read NFS files +## </p> +## </desc> +gen_tunable(salt_master_read_nfs, false) + +## <desc> +## <p> +## Determine wether the salt minion can manage NFS files +## </p> +## </desc> +gen_tunable(salt_minion_manage_nfs, false) + +attribute_role salt_master_roles; +roleattribute system_r salt_master_roles; + +attribute_role salt_minion_roles; +roleattribute system_r salt_minion_roles; + +type salt_master_t; +type salt_master_exec_t; +init_daemon_domain(salt_master_t, salt_master_exec_t) +role salt_master_roles types salt_master_t; + +type salt_master_cache_t; +files_type(salt_master_cache_t) + +type salt_master_initrc_exec_t; +init_script_file(salt_master_initrc_exec_t) + +type salt_master_log_t; +logging_log_file(salt_master_log_t) + +type salt_master_pki_t; +files_type(salt_master_pki_t) + +type salt_master_tmp_t; +files_tmp_file(salt_master_tmp_t) + +type salt_master_tmpfs_t; +files_tmpfs_file(salt_master_tmpfs_t) + +type salt_master_runtime_t alias salt_master_var_run_t; +init_daemon_runtime_file(salt_master_runtime_t, file, "salt-master.pid") +files_runtime_file(salt_master_runtime_t) + +type salt_minion_t; +type salt_minion_exec_t; +init_daemon_domain(salt_minion_t, salt_minion_exec_t) +role salt_minion_roles types salt_minion_t; + +type salt_minion_cache_t; +files_type(salt_minion_cache_t) + +type salt_minion_initrc_exec_t; +init_script_file(salt_minion_initrc_exec_t) + +type salt_minion_log_t; +logging_log_file(salt_minion_log_t) + +type salt_minion_pki_t; +files_type(salt_minion_pki_t) + +type salt_minion_tmp_t; +files_tmp_file(salt_minion_tmp_t) + +type salt_minion_tmpfs_t; +files_tmpfs_file(salt_minion_tmpfs_t) + +type salt_minion_runtime_t alias salt_minion_var_run_t; +init_daemon_runtime_file(salt_minion_runtime_t, file, "salt-minion.pid") +files_runtime_file(salt_minion_runtime_t) + +type salt_cache_t; +files_type(salt_cache_t) + +type salt_etc_t; +files_config_file(salt_etc_t) + +type salt_log_t; +logging_log_file(salt_log_t) + +type salt_sls_t; +files_type(salt_sls_t) + +type salt_pki_t; +files_type(salt_pki_t) + +type salt_runtime_t alias salt_var_run_t; +files_runtime_file(salt_runtime_t) + +######################################### +# +# salt_master_t policy +# + +allow salt_master_t self:capability { net_admin sys_admin sys_nice sys_tty_config }; +allow salt_master_t self:capability2 block_suspend; +allow salt_master_t self:process { getsched setsched signal }; +allow salt_master_t self:tcp_socket create_stream_socket_perms; +allow salt_master_t self:udp_socket create_socket_perms; +allow salt_master_t self:fifo_file rw_fifo_file_perms; +allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms; +allow salt_master_t self:unix_stream_socket connectto; +allow salt_master_t self:unix_dgram_socket create_socket_perms; + +# salt_cache_t +allow salt_master_t salt_cache_t:dir create_dir_perms; +files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt") + +# salt_etc_t +read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t) +list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t) + +# salt_log_t +allow salt_master_t salt_log_t:dir create_dir_perms; +logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt") + +# salt_master_cache_t +manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t) +allow salt_master_t salt_master_cache_t:file manage_file_perms; +filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master") + +# salt_master_log_t +manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t) +manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t) +filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir }) + +# salt_master_pki_t +manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t) +allow salt_master_t salt_master_pki_t:file manage_file_perms; +filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master") + +# salt_master_tmp_t +manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t) +manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t) +files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir }) +# libffi, screw you +can_exec(salt_master_t, salt_master_tmp_t) + +# salt_master_tmpfs_t +allow salt_master_t salt_master_tmpfs_t:file mmap_manage_file_perms; +fs_tmpfs_filetrans(salt_master_t, salt_master_tmpfs_t, file) + +# salt_master_runtime_t +allow salt_master_t salt_master_runtime_t:file manage_file_perms; +allow salt_master_t salt_master_runtime_t:sock_file manage_sock_file_perms; +manage_dirs_pattern(salt_master_t, salt_runtime_t, salt_master_runtime_t) +filetrans_pattern(salt_master_t, salt_runtime_t, salt_master_runtime_t, dir) + +# salt_pki_t +create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t) +filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki") + +# salt_sls_t +read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t) +allow salt_master_t salt_sls_t:dir list_dir_perms; + +# salt_runtime_t +allow salt_master_t salt_runtime_t:dir create_dir_perms; +files_runtime_filetrans(salt_master_t, salt_runtime_t, dir) +files_runtime_filetrans(salt_master_t, salt_master_runtime_t, file, "salt-master.pid") + +kernel_read_network_state(salt_master_t) +kernel_read_software_raid_state(salt_master_t) +kernel_read_system_state(salt_master_t) + +corecmd_exec_bin(salt_master_t) +corecmd_exec_shell(salt_master_t) + +corenet_tcp_bind_generic_node(salt_master_t) +corenet_tcp_bind_salt_port(salt_master_t) + +dev_read_sysfs(salt_master_t) + +domain_dontaudit_exec_all_entry_files(salt_master_t) +domain_dontaudit_search_all_domains_state(salt_master_t) +domain_use_interactive_fds(salt_master_t) + +files_dontaudit_search_all_dirs(salt_master_t) +files_read_etc_files(salt_master_t) +files_read_usr_files(salt_master_t) + +fs_getattr_tmpfs(salt_master_t) + +getty_use_fds(salt_master_t) + +# Actually seems to require getattr read execute on init_exec_t +init_exec(salt_master_t) +init_read_state(salt_master_t) + +libs_exec_ldconfig(salt_master_t) + +miscfiles_read_localization(salt_master_t) +miscfiles_read_generic_certs(salt_master_t) + +selinux_get_enforce_mode(salt_master_t) +selinux_getattr_fs(salt_master_t) + +sysnet_exec_ifconfig(salt_master_t) +sysnet_read_config(salt_master_t) + +userdom_dontaudit_list_user_home_dirs(salt_master_t) +userdom_use_user_terminals(salt_master_t) + +tunable_policy(`salt_master_read_nfs',` + fs_read_nfs_files(salt_master_t) +') + + +######################################### +# +# salt_minion_t policy +# + +allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config }; +allow salt_minion_t self:capability2 block_suspend; +allow salt_minion_t self:process { getsched setsched signal signull }; +allow salt_minion_t self:tcp_socket create_stream_socket_perms; +allow salt_minion_t self:udp_socket create_socket_perms; +allow salt_minion_t self:unix_dgram_socket create_socket_perms; +allow salt_minion_t self:fifo_file rw_fifo_file_perms; +allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms; +allow salt_minion_t self:unix_stream_socket connectto; + +# salt_cache_t +allow salt_minion_t salt_cache_t:dir create_dir_perms; +files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt") + +# salt_etc_t +read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t) +list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t) + +# salt_log_t +allow salt_minion_t salt_log_t:dir create_dir_perms; +logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt") + +# salt_minion_cache_t +manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t) +allow salt_minion_t salt_minion_cache_t:file manage_file_perms; +filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion") + +# salt_minion_log_t +manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t) +manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t) +filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir }) + +# salt_minion_pki_t +manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t) +allow salt_minion_t salt_minion_pki_t:file manage_file_perms; +filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion") + +# salt_minion_tmp_t +manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t) +manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t) +files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir }) +# libffi, screw you +can_exec(salt_minion_t, salt_minion_tmp_t) + +# salt_minion_tmpfs_t +allow salt_minion_t salt_minion_tmpfs_t:file mmap_manage_file_perms; +fs_tmpfs_filetrans(salt_minion_t, salt_minion_tmpfs_t, file) + +# salt_minion_runtime_t +allow salt_minion_t salt_minion_runtime_t:file manage_file_perms; +allow salt_minion_t salt_minion_runtime_t:sock_file manage_sock_file_perms; +manage_dirs_pattern(salt_minion_t, salt_runtime_t, salt_minion_runtime_t) +filetrans_pattern(salt_minion_t, salt_runtime_t, salt_minion_runtime_t, dir) + +# salt_pki_t +create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t) +filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki") + +# salt_runtime_t +allow salt_minion_t salt_runtime_t:dir create_dir_perms; +files_runtime_filetrans(salt_minion_t, salt_runtime_t, dir) +files_runtime_filetrans(salt_minion_t, salt_minion_runtime_t, file, "salt-minion.pid") + +kernel_read_network_state(salt_minion_t) +kernel_read_software_raid_state(salt_minion_t) +kernel_read_system_state(salt_minion_t) +kernel_rw_all_sysctls(salt_minion_t) + +corecmd_exec_bin(salt_minion_t) +corecmd_exec_shell(salt_minion_t) + +corenet_tcp_connect_salt_port(salt_minion_t) + +dev_read_sysfs(salt_minion_t) + +domain_dontaudit_exec_all_entry_files(salt_minion_t) +domain_read_all_domains_state(salt_minion_t) + +files_manage_all_non_security_file_types(salt_minion_t) + +fs_getattr_all_fs(salt_minion_t) + +fstools_domtrans(salt_minion_t) + +getty_use_fds(salt_minion_t) + +init_exec(salt_minion_t) +init_exec_rc(salt_minion_t) + +miscfiles_read_localization(salt_minion_t) + +seutil_domtrans_setfiles(salt_minion_t) + +sysnet_exec_ifconfig(salt_minion_t) +sysnet_read_config(salt_minion_t) + +userdom_dontaudit_list_user_home_dirs(salt_minion_t) +userdom_use_user_terminals(salt_minion_t) + +optional_policy(` + auth_read_shadow(salt_minion_t) +') + +optional_policy(` + ssh_manage_home_files(salt_minion_t) +') + +optional_policy(` + mount_domtrans(salt_minion_t) +') + +optional_policy(` + portage_run(salt_minion_t, salt_minion_roles) +') + +optional_policy(` + postfix_domtrans_master(salt_minion_t) + postfix_run_map(salt_minion_t, salt_minion_roles) +') + +optional_policy(` + shutdown_domtrans(salt_minion_t) +') + +optional_policy(` + usermanage_run_groupadd(salt_minion_t, salt_minion_roles) + usermanage_run_passwd(salt_minion_t, salt_minion_roles) + usermanage_run_useradd(salt_minion_t, salt_minion_roles) +') + +tunable_policy(`salt_minion_manage_nfs',` + fs_manage_nfs_files(salt_master_t) +') diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc deleted file mode 100644 index b8b66ff4..00000000 --- a/policy/modules/contrib/samba.fc +++ /dev/null @@ -1,51 +0,0 @@ -/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) - -/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) - -/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) -/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) -/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) -/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) -/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) - -/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) -/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) -/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) -/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) - -/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - -/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - -/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) - -/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0) - -/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) - -/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) - -/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) -/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - -/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if deleted file mode 100644 index aee75af5..00000000 --- a/policy/modules/contrib/samba.if +++ /dev/null @@ -1,724 +0,0 @@ -## <summary>SMB and CIFS client/server programs.</summary> - -######################################## -## <summary> -## Execute nmbd in the nmbd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_nmbd',` - gen_require(` - type nmbd_t, nmbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nmbd_exec_t, nmbd_t) -') - -####################################### -## <summary> -## Send generic signals to nmbd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_signal_nmbd',` - gen_require(` - type nmbd_t; - ') - allow $1 nmbd_t:process signal; -') - -######################################## -## <summary> -## Connect to nmbd with a unix domain -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_stream_connect_nmbd',` - gen_require(` - type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t) -') - -######################################## -## <summary> -## Execute samba init scripts in -## the init script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_initrc_domtrans',` - gen_require(` - type samba_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, samba_initrc_exec_t) -') - -######################################## -## <summary> -## Execute samba net in the samba net domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_net',` - gen_require(` - type samba_net_t, samba_net_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, samba_net_exec_t, samba_net_t) -') - -######################################## -## <summary> -## Execute samba net in the samba net -## domain, and allow the specified -## role the samba net domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_run_net',` - gen_require(` - attribute_role samba_net_roles; - ') - - samba_domtrans_net($1) - roleattribute $2 samba_net_roles; -') - -######################################## -## <summary> -## Execute smbmount in the smbmount domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_smbmount',` - gen_require(` - type smbmount_t, smbmount_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbmount_exec_t, smbmount_t) -') - -######################################## -## <summary> -## Execute smbmount in the smbmount -## domain, and allow the specified -## role the smbmount domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_run_smbmount',` - gen_require(` - attribute_role smbmount_roles; - ') - - samba_domtrans_smbmount($1) - roleattribute $2 smbmount_roles; -') - -######################################## -## <summary> -## Read samba configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_read_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## <summary> -## Read and write samba configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_rw_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - rw_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## samba configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_manage_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, samba_etc_t, samba_etc_t) - manage_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## <summary> -## Read samba log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_read_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - allow $1 samba_log_t:dir list_dir_perms; - read_files_pattern($1, samba_log_t, samba_log_t) -') - -######################################## -## <summary> -## Append to samba log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_append_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - allow $1 samba_log_t:dir list_dir_perms; - allow $1 samba_log_t:file append_file_perms; -') - -######################################## -## <summary> -## Execute samba log files in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_exec_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - can_exec($1, samba_log_t) -') - -######################################## -## <summary> -## Read samba secret files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_read_secrets',` - gen_require(` - type samba_secrets_t; - ') - - files_search_etc($1) - allow $1 samba_secrets_t:file read_file_perms; -') - -######################################## -## <summary> -## Read samba share files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_read_share_files',` - gen_require(` - type samba_share_t; - ') - - allow $1 samba_share_t:filesystem getattr; - read_files_pattern($1, samba_share_t, samba_share_t) -') - -######################################## -## <summary> -## Search samba var directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_search_var',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - allow $1 samba_var_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read samba var files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_read_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## <summary> -## Do not audit attempts to write -## samba var files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`samba_dontaudit_write_var_files',` - gen_require(` - type samba_var_t; - ') - - dontaudit $1 samba_var_t:file write; -') - -######################################## -## <summary> -## Read and write samba var files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_rw_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## samba var files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_manage_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## <summary> -## Execute smbcontrol in the smbcontrol domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_smbcontrol',` - gen_require(` - type smbcontrol_t, smbcontrol_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -') - -######################################## -## <summary> -## Execute smbcontrol in the smbcontrol -## domain, and allow the specified -## role the smbcontrol domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`samba_run_smbcontrol',` - gen_require(` - attribute_role smbcontrol_roles; - ') - - samba_domtrans_smbcontrol($1) - roleattribute $2 smbcontrol_roles; -') - -######################################## -## <summary> -## Execute smbd in the smbd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_smbd',` - gen_require(` - type smbd_t, smbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbd_exec_t, smbd_t) -') - -###################################### -## <summary> -## Send generic signals to smbd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_signal_smbd',` - gen_require(` - type smbd_t; - ') - allow $1 smbd_t:process signal; -') - -######################################## -## <summary> -## Do not audit attempts to inherit -## and use smbd file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`samba_dontaudit_use_fds',` - gen_require(` - type smbd_t; - ') - - dontaudit $1 smbd_t:fd use; -') - -######################################## -## <summary> -## Write smbmount tcp sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_write_smbmount_tcp_sockets',` - gen_require(` - type smbmount_t; - ') - - allow $1 smbmount_t:tcp_socket write; -') - -######################################## -## <summary> -## Read and write smbmount tcp sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_rw_smbmount_tcp_sockets',` - gen_require(` - type smbmount_t; - ') - - allow $1 smbmount_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Execute winbind helper in the -## winbind helper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_winbind_helper',` - gen_require(` - type winbind_helper_t, winbind_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) -') - -####################################### -## <summary> -## Get attributes of winbind executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_getattr_winbind_exec',` - gen_require(` - type winbind_exec_t; - ') - - allow $1 winbind_exec_t:file getattr_file_perms; -') - -######################################## -## <summary> -## Execute winbind helper in the winbind -## helper domain, and allow the specified -## role the winbind helper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_run_winbind_helper',` - gen_require(` - attribute_role winbind_helper_roles; - ') - - samba_domtrans_winbind_helper($1) - roleattribute $2 winbind_helper_roles; -') - -######################################## -## <summary> -## Read winbind pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_read_winbind_pid',` - gen_require(` - type winbind_var_run_t, smbd_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) -') - -######################################## -## <summary> -## Connect to winbind with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_stream_connect_winbind',` - gen_require(` - type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an samba environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_admin',` - gen_require(` - type nmbd_t, nmbd_var_run_t, smbd_var_run_t; - type smbd_t, smbd_tmp_t, smbd_spool_t; - type samba_log_t, samba_var_t, samba_secrets_t; - type samba_etc_t, samba_share_t, samba_initrc_exec_t; - type swat_var_run_t, swat_tmp_t, winbind_log_t; - type winbind_var_run_t, winbind_tmp_t; - ') - - allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { nmbd_t smbd_t }) - - init_labeled_script_domtrans($1, samba_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 samba_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, samba_etc_t) - - logging_list_logs($1) - admin_pattern($1, { samba_log_t winbind_log_t }) - - files_list_var($1) - admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t }) - - files_list_spool($1) - admin_pattern($1, smbd_spool_t) - - files_list_pids($1) - admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t }) - - files_list_tmp($1) - admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) - - samba_run_smbcontrol($1, $2) - samba_run_winbind_helper($1, $2) - samba_run_smbmount($1, $2) - samba_run_net($1, $2) -') diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te deleted file mode 100644 index 57c034b9..00000000 --- a/policy/modules/contrib/samba.te +++ /dev/null @@ -1,1014 +0,0 @@ -policy_module(samba, 1.15.7) - -################################# -# -# Declarations -# - -## <desc> -## <p> -## Determine whether samba can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -## </p> -## </desc> -gen_tunable(allow_smbd_anon_write, false) - -## <desc> -## <p> -## Determine whether samba can -## create home directories via pam. -## </p> -## </desc> -gen_tunable(samba_create_home_dirs, false) - -## <desc> -## <p> -## Determine whether samba can act as the -## domain controller, add users, groups -## and change passwords. -## </p> -## </desc> -gen_tunable(samba_domain_controller, false) - -## <desc> -## <p> -## Determine whether samba can -## act as a portmapper. -## </p> -## </desc> -gen_tunable(samba_portmapper, false) - -## <desc> -## <p> -## Determine whether samba can share -## users home directories. -## </p> -## </desc> -gen_tunable(samba_enable_home_dirs, false) - -## <desc> -## <p> -## Determine whether samba can share -## any content read only. -## </p> -## </desc> -gen_tunable(samba_export_all_ro, false) - -## <desc> -## <p> -## Determine whether samba can share any -## content readable and writable. -## </p> -## </desc> -gen_tunable(samba_export_all_rw, false) - -## <desc> -## <p> -## Determine whether samba can -## run unconfined scripts. -## </p> -## </desc> -gen_tunable(samba_run_unconfined, false) - -## <desc> -## <p> -## Determine whether samba can -## use nfs file systems. -## </p> -## </desc> -gen_tunable(samba_share_nfs, false) - -## <desc> -## <p> -## Determine whether samba can -## use fuse file systems. -## </p> -## </desc> -gen_tunable(samba_share_fusefs, false) - -attribute_role samba_net_roles; -roleattribute system_r samba_net_roles; - -attribute_role smbcontrol_roles; -roleattribute system_r smbcontrol_roles; - -attribute_role smbmount_roles; -roleattribute system_r smbmount_roles; - -attribute_role winbind_helper_roles; -roleattribute system_r winbind_helper_roles; - -type nmbd_t; -type nmbd_exec_t; -init_daemon_domain(nmbd_t, nmbd_exec_t) - -type nmbd_var_run_t; -files_pid_file(nmbd_var_run_t) - -type samba_etc_t; -files_config_file(samba_etc_t) - -type samba_initrc_exec_t; -init_script_file(samba_initrc_exec_t) - -type samba_log_t; -logging_log_file(samba_log_t) - -type samba_net_t; -type samba_net_exec_t; -application_domain(samba_net_t, samba_net_exec_t) -role samba_net_roles types samba_net_t; - -type samba_net_tmp_t; -files_tmp_file(samba_net_tmp_t) - -type samba_secrets_t; -files_type(samba_secrets_t) - -type samba_share_t; # customizable -files_type(samba_share_t) - -type samba_var_t; -files_type(samba_var_t) - -type smbcontrol_t; -type smbcontrol_exec_t; -application_domain(smbcontrol_t, smbcontrol_exec_t) -role smbcontrol_roles types smbcontrol_t; - -type smbd_t; -type smbd_exec_t; -init_daemon_domain(smbd_t, smbd_exec_t) - -type smbd_tmp_t; -files_tmp_file(smbd_tmp_t) - -type smbd_var_run_t; -files_pid_file(smbd_var_run_t) - -type smbmount_t; -type smbmount_exec_t; -application_domain(smbmount_t, smbmount_exec_t) -role smbmount_roles types smbmount_t; - -type swat_t; -type swat_exec_t; -domain_type(swat_t) -domain_entry_file(swat_t, swat_exec_t) -role system_r types swat_t; - -type swat_tmp_t; -files_tmp_file(swat_tmp_t) - -type swat_var_run_t; -files_pid_file(swat_var_run_t) - -type winbind_t; -type winbind_exec_t; -init_daemon_domain(winbind_t, winbind_exec_t) - -type winbind_helper_t; -type winbind_helper_exec_t; -application_domain(winbind_helper_t, winbind_helper_exec_t) -role winbind_helper_roles types winbind_helper_t; - -type winbind_log_t; -logging_log_file(winbind_log_t) - -type winbind_tmp_t; -files_tmp_file(winbind_tmp_t) - -type winbind_var_run_t; -files_pid_file(winbind_var_run_t) - -######################################## -# -# Net local policy -# - -allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; -allow samba_net_t self:process { getsched setsched }; -allow samba_net_t self:unix_stream_socket { accept listen }; - -allow samba_net_t samba_etc_t:file read_file_perms; - -manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t) -filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file) - -manage_dirs_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) -manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) -files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) - -manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) -manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) -files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") - -kernel_read_system_state(samba_net_t) -kernel_read_network_state(samba_net_t) - -corenet_all_recvfrom_unlabeled(samba_net_t) -corenet_all_recvfrom_netlabel(samba_net_t) -corenet_udp_sendrecv_generic_if(samba_net_t) -corenet_tcp_sendrecv_generic_node(samba_net_t) - -corenet_sendrecv_smbd_client_packets(samba_net_t) -corenet_tcp_connect_smbd_port(samba_net_t) -corenet_tcp_sendrecv_smbd_port(samba_net_t) - -dev_read_urand(samba_net_t) - -domain_use_interactive_fds(samba_net_t) - -files_read_usr_symlinks(samba_net_t) - -auth_use_nsswitch(samba_net_t) -auth_manage_cache(samba_net_t) - -logging_send_syslog_msg(samba_net_t) - -miscfiles_read_localization(samba_net_t) - -samba_read_var_files(samba_net_t) - -userdom_use_user_terminals(samba_net_t) -userdom_list_user_home_dirs(samba_net_t) - -optional_policy(` - ldap_stream_connect(samba_net_t) -') - -optional_policy(` - pcscd_read_pid_files(samba_net_t) -') - -optional_policy(` - kerberos_use(samba_net_t) - kerberos_etc_filetrans_keytab(samba_net_t, file) -') - -######################################## -# -# Smbd Local policy -# - -allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; -dontaudit smbd_t self:capability sys_tty_config; -allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; -allow smbd_t self:fd use; -allow smbd_t self:fifo_file rw_fifo_file_perms; -allow smbd_t self:msg { send receive }; -allow smbd_t self:msgq create_msgq_perms; -allow smbd_t self:sem create_sem_perms; -allow smbd_t self:shm create_shm_perms; -allow smbd_t self:tcp_socket { accept listen }; -allow smbd_t self:unix_dgram_socket sendto; -allow smbd_t self:unix_stream_socket { accept connectto listen }; - -allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }; - -allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms }; - -manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) -append_files_pattern(smbd_t, samba_log_t, samba_log_t) -create_files_pattern(smbd_t, samba_log_t, samba_log_t) -setattr_files_pattern(smbd_t, samba_log_t, samba_log_t) - -allow smbd_t samba_net_tmp_t:file getattr_file_perms; - -manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t) -filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) - -manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) -manage_files_pattern(smbd_t, samba_share_t, samba_share_t) -manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) -allow smbd_t samba_share_t:filesystem { getattr quotaget }; - -manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) -manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) -manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) -files_var_filetrans(smbd_t, samba_var_t, dir, "samba") - -manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) -manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) -files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) - -manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) - -allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms; -stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t) - -allow smbd_t nmbd_var_run_t:file read_file_perms; -stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) - -kernel_getattr_core_if(smbd_t) -kernel_getattr_message_if(smbd_t) -kernel_read_network_state(smbd_t) -kernel_read_fs_sysctls(smbd_t) -kernel_read_kernel_sysctls(smbd_t) -kernel_read_software_raid_state(smbd_t) -kernel_read_system_state(smbd_t) - -corecmd_exec_bin(smbd_t) -corecmd_exec_shell(smbd_t) - -corenet_all_recvfrom_unlabeled(smbd_t) -corenet_all_recvfrom_netlabel(smbd_t) -corenet_tcp_sendrecv_generic_if(smbd_t) -corenet_tcp_sendrecv_generic_node(smbd_t) -corenet_tcp_bind_generic_node(smbd_t) - -corenet_sendrecv_smbd_client_packets(smbd_t) -corenet_tcp_connect_smbd_port(smbd_t) -corenet_sendrecv_smbd_server_packets(smbd_t) -corenet_tcp_bind_smbd_port(smbd_t) -corenet_tcp_sendrecv_smbd_port(smbd_t) - -corenet_sendrecv_ipp_client_packets(smbd_t) -corenet_tcp_connect_ipp_port(smbd_t) -corenet_tcp_sendrecv_ipp_port(smbd_t) - -dev_read_sysfs(smbd_t) -dev_read_urand(smbd_t) -dev_getattr_mtrr_dev(smbd_t) -dev_dontaudit_getattr_usbfs_dirs(smbd_t) -dev_getattr_all_blk_files(smbd_t) -dev_getattr_all_chr_files(smbd_t) - -domain_use_interactive_fds(smbd_t) -domain_dontaudit_list_all_domains_state(smbd_t) - -files_list_var_lib(smbd_t) -files_read_etc_runtime_files(smbd_t) -files_read_usr_files(smbd_t) -files_search_spool(smbd_t) -files_dontaudit_getattr_all_dirs(smbd_t) -files_dontaudit_list_all_mountpoints(smbd_t) -files_list_mnt(smbd_t) - -fs_getattr_all_fs(smbd_t) -fs_getattr_all_dirs(smbd_t) -fs_get_xattr_fs_quotas(smbd_t) -fs_search_auto_mountpoints(smbd_t) -fs_getattr_rpc_dirs(smbd_t) -fs_list_inotifyfs(smbd_t) -fs_get_all_fs_quotas(smbd_t) - -term_use_ptmx(smbd_t) - -auth_use_nsswitch(smbd_t) -auth_domtrans_chk_passwd(smbd_t) -auth_domtrans_upd_passwd(smbd_t) -auth_manage_cache(smbd_t) -auth_write_login_records(smbd_t) - -init_rw_utmp(smbd_t) - -logging_search_logs(smbd_t) -logging_send_syslog_msg(smbd_t) - -miscfiles_read_localization(smbd_t) -miscfiles_read_public_files(smbd_t) - -sysnet_use_ldap(smbd_t) - -userdom_use_unpriv_users_fds(smbd_t) -userdom_signal_all_users(smbd_t) -userdom_home_filetrans_user_home_dir(smbd_t) -userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) - -usermanage_read_crack_db(smbd_t) - -ifdef(`hide_broken_symptoms',` - files_dontaudit_getattr_default_dirs(smbd_t) - files_dontaudit_getattr_boot_dirs(smbd_t) - fs_dontaudit_getattr_tmpfs_dirs(smbd_t) -') - -tunable_policy(`allow_smbd_anon_write',` - miscfiles_manage_public_files(smbd_t) -') - -tunable_policy(`samba_create_home_dirs',` - allow smbd_t self:capability chown; - userdom_create_user_home_dirs(smbd_t) -') - -tunable_policy(`samba_domain_controller',` - gen_require(` - class passwd passwd; - ') - - usermanage_domtrans_passwd(smbd_t) - usermanage_kill_passwd(smbd_t) - usermanage_domtrans_useradd(smbd_t) - usermanage_domtrans_groupadd(smbd_t) - allow smbd_t self:passwd passwd; -') - -tunable_policy(`samba_enable_home_dirs',` - userdom_manage_user_home_content_dirs(smbd_t) - userdom_manage_user_home_content_files(smbd_t) - userdom_manage_user_home_content_symlinks(smbd_t) - userdom_manage_user_home_content_sockets(smbd_t) - userdom_manage_user_home_content_pipes(smbd_t) -') - -tunable_policy(`samba_portmapper',` - corenet_sendrecv_all_server_packets(smbd_t) - corenet_tcp_bind_epmap_port(smbd_t) - corenet_tcp_bind_all_unreserved_ports(smbd_t) - corenet_tcp_sendrecv_all_ports(smbd_t) -') - -tunable_policy(`samba_share_nfs',` - fs_manage_nfs_dirs(smbd_t) - fs_manage_nfs_files(smbd_t) - fs_manage_nfs_symlinks(smbd_t) - fs_manage_nfs_named_pipes(smbd_t) - fs_manage_nfs_named_sockets(smbd_t) -') - -tunable_policy(`samba_share_fusefs',` - fs_manage_fusefs_dirs(smbd_t) - fs_manage_fusefs_files(smbd_t) -',` - fs_search_fusefs(smbd_t) -') - -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(smbd_t) - files_list_non_auth_dirs(smbd_t) - files_read_non_auth_files(smbd_t) -') - -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(smbd_t) - files_manage_non_auth_files(smbd_t) -') - -optional_policy(` - ccs_read_config(smbd_t) -') - -optional_policy(` - ctdbd_stream_connect(smbd_t) - ctdbd_manage_lib_files(smbd_t) -') - -optional_policy(` - cups_read_rw_config(smbd_t) - cups_stream_connect(smbd_t) -') - -optional_policy(` - kerberos_use(smbd_t) - kerberos_keytab_template(smbd, smbd_t) -') - -optional_policy(` - lpd_exec_lpr(smbd_t) -') - -optional_policy(` - qemu_manage_tmp_dirs(smbd_t) - qemu_manage_tmp_files(smbd_t) -') - -optional_policy(` - rpc_search_nfs_state_data(smbd_t) -') - -optional_policy(` - seutil_sigchld_newrole(smbd_t) -') - -optional_policy(` - udev_read_db(smbd_t) -') - -######################################## -# -# Nmbd Local policy -# - -dontaudit nmbd_t self:capability sys_tty_config; -allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow nmbd_t self:fd use; -allow nmbd_t self:fifo_file rw_fifo_file_perms; -allow nmbd_t self:msg { send receive }; -allow nmbd_t self:msgq create_msgq_perms; -allow nmbd_t self:sem create_sem_perms; -allow nmbd_t self:shm create_shm_perms; -allow nmbd_t self:tcp_socket { accept listen }; -allow nmbd_t self:unix_dgram_socket sendto; -allow nmbd_t self:unix_stream_socket { accept connectto listen }; - -manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) -manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file }) -filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir) - -read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) - -manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) -append_files_pattern(nmbd_t, samba_log_t, samba_log_t) -create_files_pattern(nmbd_t, samba_log_t, samba_log_t) -setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t) - -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t) -manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t) -files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd") -files_var_filetrans(nmbd_t, samba_var_t, dir, "samba") - -allow nmbd_t { swat_t smbcontrol_t }:process signal; - -allow nmbd_t smbd_var_run_t:dir rw_dir_perms; - -kernel_getattr_core_if(nmbd_t) -kernel_getattr_message_if(nmbd_t) -kernel_read_kernel_sysctls(nmbd_t) -kernel_read_network_state(nmbd_t) -kernel_read_software_raid_state(nmbd_t) -kernel_read_system_state(nmbd_t) - -corenet_all_recvfrom_unlabeled(nmbd_t) -corenet_all_recvfrom_netlabel(nmbd_t) -corenet_tcp_sendrecv_generic_if(nmbd_t) -corenet_udp_sendrecv_generic_if(nmbd_t) -corenet_tcp_sendrecv_generic_node(nmbd_t) -corenet_udp_sendrecv_generic_node(nmbd_t) -corenet_udp_bind_generic_node(nmbd_t) - -corenet_sendrecv_nmbd_server_packets(nmbd_t) -corenet_udp_bind_nmbd_port(nmbd_t) -corenet_udp_sendrecv_nmbd_port(nmbd_t) - -corenet_sendrecv_smbd_client_packets(nmbd_t) -corenet_tcp_connect_smbd_port(nmbd_t) -corenet_tcp_sendrecv_smbd_port(nmbd_t) - -dev_read_sysfs(nmbd_t) -dev_getattr_mtrr_dev(nmbd_t) - -domain_use_interactive_fds(nmbd_t) - -files_read_usr_files(nmbd_t) -files_list_var_lib(nmbd_t) - -fs_getattr_all_fs(nmbd_t) -fs_search_auto_mountpoints(nmbd_t) - -auth_use_nsswitch(nmbd_t) - -logging_search_logs(nmbd_t) -logging_send_syslog_msg(nmbd_t) - -miscfiles_read_localization(nmbd_t) - -userdom_use_unpriv_users_fds(nmbd_t) -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) - -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') - -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) -') - -optional_policy(` - seutil_sigchld_newrole(nmbd_t) -') - -optional_policy(` - udev_read_db(nmbd_t) -') - -######################################## -# -# Smbcontrol local policy -# - -allow smbcontrol_t self:process signal; -allow smbcontrol_t self:fifo_file rw_fifo_file_perms; -allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; -allow smbcontrol_t self:process { signal signull }; - -allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull }; -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t }) - -samba_read_config(smbcontrol_t) -samba_rw_var_files(smbcontrol_t) -samba_search_var(smbcontrol_t) -samba_read_winbind_pid(smbcontrol_t) - -domain_use_interactive_fds(smbcontrol_t) - -dev_read_urand(smbcontrol_t) - -files_read_etc_files(smbcontrol_t) -files_search_var_lib(smbcontrol_t) - -term_use_console(smbcontrol_t) - -miscfiles_read_localization(smbcontrol_t) - -sysnet_use_ldap(smbcontrol_t) - -userdom_use_user_terminals(smbcontrol_t) - -optional_policy(` - ctdbd_stream_connect(smbcontrol_t) -') - -######################################## -# -# Smbmount Local policy -# - -allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; -allow smbmount_t self:process signal_perms; -allow smbmount_t self:tcp_socket { accept listen }; -allow smbmount_t self:unix_dgram_socket create_socket_perms; -allow smbmount_t self:unix_stream_socket create_socket_perms; - -allow smbmount_t samba_etc_t:dir list_dir_perms; -allow smbmount_t samba_etc_t:file read_file_perms; - -allow smbmount_t samba_log_t:dir list_dir_perms; -append_files_pattern(smbmount_t, samba_log_t, samba_log_t) -create_files_pattern(smbmount_t, samba_log_t, samba_log_t) -setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t) - -allow smbmount_t samba_secrets_t:file manage_file_perms; - -manage_dirs_pattern(smbmount_t, samba_var_t, samba_var_t) -manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) -files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") - -can_exec(smbmount_t, smbmount_exec_t) - -kernel_read_system_state(smbmount_t) - -corenet_all_recvfrom_unlabeled(smbmount_t) -corenet_all_recvfrom_netlabel(smbmount_t) -corenet_tcp_sendrecv_generic_if(smbmount_t) -corenet_tcp_sendrecv_generic_node(smbmount_t) - -corenet_sendrecv_all_client_packets(smbmount_t) -corenet_tcp_connect_all_ports(smbmount_t) -corenet_tcp_sendrecv_all_ports(smbmount_t) - -corecmd_list_bin(smbmount_t) - -files_list_mnt(smbmount_t) -files_list_var_lib(smbmount_t) -files_mounton_mnt(smbmount_t) -files_manage_etc_runtime_files(smbmount_t) -files_etc_filetrans_etc_runtime(smbmount_t, file) - -fs_getattr_cifs(smbmount_t) -fs_mount_cifs(smbmount_t) -fs_remount_cifs(smbmount_t) -fs_unmount_cifs(smbmount_t) -fs_list_cifs(smbmount_t) -fs_read_cifs_files(smbmount_t) - -storage_raw_read_fixed_disk(smbmount_t) -storage_raw_write_fixed_disk(smbmount_t) - -auth_use_nsswitch(smbmount_t) - -miscfiles_read_localization(smbmount_t) - -mount_use_fds(smbmount_t) - -locallogin_use_fds(smbmount_t) - -logging_search_logs(smbmount_t) - -userdom_use_user_terminals(smbmount_t) -userdom_use_all_users_fds(smbmount_t) - -optional_policy(` - cups_read_rw_config(smbmount_t) -') - -######################################## -# -# Swat Local policy -# - -allow swat_t self:capability { dac_override setuid setgid sys_resource }; -allow swat_t self:process { setrlimit signal_perms }; -allow swat_t self:fifo_file rw_fifo_file_perms; -allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow swat_t self:tcp_socket { accept listen }; -allow swat_t self:unix_stream_socket connectto; - -allow swat_t { nmbd_t smbd_t }:process { signal signull }; - -allow swat_t smbd_var_run_t:file read_file_perms; -allow swat_t smbd_var_run_t:file { lock delete_file_perms }; - -rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) - -manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) -append_files_pattern(swat_t, samba_log_t, samba_log_t) -create_files_pattern(swat_t, samba_log_t, samba_log_t) -setattr_files_pattern(swat_t, samba_log_t, samba_log_t) - -manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) - -manage_dirs_pattern(swat_t, samba_var_t, samba_var_t) -manage_files_pattern(swat_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t) -files_var_filetrans(swat_t, samba_var_t, dir, "samba") - -allow swat_t smbd_exec_t:file mmap_file_perms ; - -allow swat_t { winbind_t smbd_t }:process { signal signull }; - -manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) -manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) - -manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) -files_pid_filetrans(swat_t, swat_var_run_t, file) - -read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) -allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms }; -allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms }; - -read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) -stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) - -samba_domtrans_smbd(swat_t) -samba_domtrans_nmbd(swat_t) - -domtrans_pattern(swat_t, winbind_exec_t, winbind_t) - -kernel_read_kernel_sysctls(swat_t) -kernel_read_system_state(swat_t) -kernel_read_network_state(swat_t) - -corecmd_search_bin(swat_t) - -corenet_all_recvfrom_unlabeled(swat_t) -corenet_all_recvfrom_netlabel(swat_t) -corenet_tcp_sendrecv_generic_if(swat_t) -corenet_udp_sendrecv_generic_if(swat_t) -corenet_tcp_sendrecv_generic_node(swat_t) -corenet_udp_sendrecv_generic_node(swat_t) -corenet_tcp_bind_generic_node(swat_t) -corenet_udp_bind_generic_node(swat_t) - -corenet_sendrecv_nmbd_server_packets(swat_t) -corenet_udp_bind_nmbd_port(swat_t) -corenet_udp_sendrecv_nmbd_port(swat_t) - -corenet_sendrecv_smbd_client_packets(swat_t) -corenet_tcp_connect_smbd_port(swat_t) -corenet_sendrecv_smbd_server_packets(swat_t) -corenet_tcp_bind_smbd_port(swat_t) -corenet_tcp_sendrecv_smbd_port(swat_t) - -corenet_sendrecv_ipp_client_packets(swat_t) -corenet_tcp_connect_ipp_port(swat_t) -corenet_tcp_sendrecv_ipp_port(swat_t) - -dev_read_urand(swat_t) - -files_list_var_lib(swat_t) -files_search_home(swat_t) -files_read_usr_files(swat_t) -fs_getattr_xattr_fs(swat_t) -files_list_var_lib(swat_t) - -auth_domtrans_chk_passwd(swat_t) -auth_use_nsswitch(swat_t) - -init_read_utmp(swat_t) -init_dontaudit_write_utmp(swat_t) - -logging_send_syslog_msg(swat_t) -logging_send_audit_msgs(swat_t) -logging_search_logs(swat_t) - -miscfiles_read_localization(swat_t) - -sysnet_use_ldap(swat_t) - -optional_policy(` - cups_read_rw_config(swat_t) - cups_stream_connect(swat_t) -') - -optional_policy(` - inetd_service_domain(swat_t, swat_exec_t) -') - -optional_policy(` - kerberos_use(swat_t) -') - -######################################## -# -# Winbind local policy -# - -allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; -dontaudit winbind_t self:capability sys_tty_config; -allow winbind_t self:process { signal_perms getsched setsched }; -allow winbind_t self:fifo_file rw_fifo_file_perms; -allow winbind_t self:unix_stream_socket { accept listen }; -allow winbind_t self:tcp_socket { accept listen }; - -allow winbind_t nmbd_t:process { signal signull }; - -allow winbind_t nmbd_var_run_t:file read_file_perms; -stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) - -allow winbind_t samba_etc_t:dir list_dir_perms; -read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(winbind_t, samba_etc_t, samba_etc_t) - -manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) -filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) - -manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) -append_files_pattern(winbind_t, samba_log_t, samba_log_t) -create_files_pattern(winbind_t, samba_log_t, samba_log_t) -setattr_files_pattern(winbind_t, samba_log_t, samba_log_t) -manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) - -manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -manage_files_pattern(winbind_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) -manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) -files_var_filetrans(winbind_t, samba_var_t, dir, "samba") - -rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) - -# This needs a file context specification -allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(winbind_t, winbind_log_t, file) - -manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) - -manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) -manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir }) -filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) - -manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) -manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) -manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) - -kernel_read_network_state(winbind_t) -kernel_read_kernel_sysctls(winbind_t) -kernel_read_system_state(winbind_t) - -corecmd_exec_bin(winbind_t) - -corenet_all_recvfrom_unlabeled(winbind_t) -corenet_all_recvfrom_netlabel(winbind_t) -corenet_tcp_sendrecv_generic_if(winbind_t) -corenet_tcp_sendrecv_generic_node(winbind_t) -corenet_tcp_sendrecv_all_ports(winbind_t) - -corenet_sendrecv_all_client_packets(winbind_t) -corenet_tcp_connect_smbd_port(winbind_t) -corenet_tcp_connect_epmap_port(winbind_t) -corenet_tcp_connect_all_unreserved_ports(winbind_t) - -dev_read_sysfs(winbind_t) -dev_read_urand(winbind_t) - -domain_use_interactive_fds(winbind_t) - -files_read_usr_symlinks(winbind_t) -files_list_var_lib(winbind_t) - -fs_getattr_all_fs(winbind_t) -fs_search_auto_mountpoints(winbind_t) - -auth_domtrans_chk_passwd(winbind_t) -auth_use_nsswitch(winbind_t) -auth_manage_cache(winbind_t) - -logging_send_syslog_msg(winbind_t) - -miscfiles_read_localization(winbind_t) -miscfiles_read_generic_certs(winbind_t) - -userdom_dontaudit_use_unpriv_user_fds(winbind_t) -userdom_manage_user_home_content_dirs(winbind_t) -userdom_manage_user_home_content_files(winbind_t) -userdom_manage_user_home_content_symlinks(winbind_t) -userdom_manage_user_home_content_pipes(winbind_t) -userdom_manage_user_home_content_sockets(winbind_t) -userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - ctdbd_stream_connect(winbind_t) - ctdbd_manage_lib_files(winbind_t) -') - -optional_policy(` - kerberos_use(winbind_t) -') - -optional_policy(` - seutil_sigchld_newrole(winbind_t) -') - -optional_policy(` - udev_read_db(winbind_t) -') - -######################################## -# -# Winbind helper local policy -# - -allow winbind_helper_t self:unix_stream_socket { accept listen }; - -allow winbind_helper_t samba_etc_t:dir list_dir_perms; -read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) - -allow winbind_helper_t samba_var_t:dir search_dir_perms; - -allow winbind_t smbcontrol_t:process signal; - -stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t) - -domain_use_interactive_fds(winbind_helper_t) - -files_list_var_lib(winbind_helper_t) - -term_list_ptys(winbind_helper_t) - -auth_use_nsswitch(winbind_helper_t) - -logging_send_syslog_msg(winbind_helper_t) - -miscfiles_read_localization(winbind_helper_t) - -userdom_use_user_terminals(winbind_helper_t) - -optional_policy(` - apache_append_log(winbind_helper_t) -') - -optional_policy(` - squid_read_log(winbind_helper_t) - squid_append_log(winbind_helper_t) - squid_rw_stream_sockets(winbind_helper_t) -') - -######################################## -# -# Unconfined script local policy -# - -optional_policy(` - type samba_unconfined_script_t; - type samba_unconfined_script_exec_t; - domain_type(samba_unconfined_script_t) - domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) - corecmd_shell_entry_type(samba_unconfined_script_t) - role system_r types samba_unconfined_script_t; - - allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; - allow smbd_t samba_unconfined_script_exec_t:file ioctl; - - unconfined_domain(samba_unconfined_script_t) - - tunable_policy(`samba_run_unconfined',` - domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) - ',` - can_exec(smbd_t, samba_unconfined_script_exec_t) - ') -') diff --git a/policy/modules/contrib/sambagui.fc b/policy/modules/contrib/sambagui.fc deleted file mode 100644 index 2640dcf0..00000000 --- a/policy/modules/contrib/sambagui.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/share/system-config-samba/system-config-samba-mechanism\.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) diff --git a/policy/modules/contrib/sambagui.if b/policy/modules/contrib/sambagui.if deleted file mode 100644 index d9c7bb65..00000000 --- a/policy/modules/contrib/sambagui.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>system-config-samba dbus service.</summary> diff --git a/policy/modules/contrib/sambagui.te b/policy/modules/contrib/sambagui.te deleted file mode 100644 index d9f87840..00000000 --- a/policy/modules/contrib/sambagui.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(sambagui, 1.1.2) - -######################################## -# -# Declarations -# - -attribute_role sambagui_roles; -roleattribute system_r sambagui_roles; - -type sambagui_t; -type sambagui_exec_t; -application_domain(sambagui_t, sambagui_exec_t) -role sambagui_roles types sambagui_t; - -######################################## -# -# Local policy -# - -allow sambagui_t self:capability dac_override; -allow sambagui_t self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(sambagui_t) - -corecmd_exec_bin(sambagui_t) -corecmd_exec_shell(sambagui_t) - -dev_dontaudit_read_urand(sambagui_t) - -files_read_usr_files(sambagui_t) - -auth_use_nsswitch(sambagui_t) -auth_dontaudit_read_shadow(sambagui_t) - -logging_send_syslog_msg(sambagui_t) - -miscfiles_read_localization(sambagui_t) - -sysnet_use_ldap(sambagui_t) - -optional_policy(` - consoletype_exec(sambagui_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(sambagui_t) -') - -optional_policy(` - dbus_system_domain(sambagui_t, sambagui_exec_t) - - optional_policy(` - policykit_dbus_chat(sambagui_t) - ') -') - -optional_policy(` - samba_append_log(sambagui_t) - samba_manage_config(sambagui_t) - samba_manage_var_files(sambagui_t) - samba_read_secrets(sambagui_t) - samba_initrc_domtrans(sambagui_t) - samba_domtrans_smbd(sambagui_t) - samba_domtrans_nmbd(sambagui_t) -') diff --git a/policy/modules/contrib/samhain.fc b/policy/modules/contrib/samhain.fc deleted file mode 100644 index 0e179837..00000000 --- a/policy/modules/contrib/samhain.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,s0) - -/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh) - -/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0) -/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0) - -/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh) - -/var/log/samhain_log.* -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh) -/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh) - -/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh) diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if deleted file mode 100644 index f0236d67..00000000 --- a/policy/modules/contrib/samhain.if +++ /dev/null @@ -1,242 +0,0 @@ -## <summary>Check file integrity.</summary> - -####################################### -## <summary> -## The template to define a samhain domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`samhain_service_template',` - gen_require(` - attribute samhain_domain; - type samhain_exec_t; - ') - - type $1_t; - domain_type($1_t) - domain_entry_file($1_t, samhain_exec_t) - - files_read_all_files($1_t) - - mls_file_write_all_levels($1_t) -') - -######################################## -## <summary> -## Execute samhain in the samhain domain -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samhain_domtrans',` - gen_require(` - type samhain_t, samhain_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, samhain_exec_t, samhain_t) -') - -######################################## -## <summary> -## Execute samhain in the samhain -## domain with the clearance security -## level and allow the specifiled role -## the samhain domain. -## </summary> -## <desc> -## <p> -## Execute samhain in the samhain -## domain with the clearance security -## level and allow the specifiled role -## the samhain domain. -## </p> -## <p> -## The range_transition rule used in -## this interface requires that the -## calling domain should have the -## clearance security level otherwise -## the MLS constraint for process -## transition would fail. -## </p> -## </desc> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed to access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samhain_run',` - gen_require(` - attribute_role samhain_roles; - type samhain_exec_t; - ') - - samhain_domtrans($1) - roleattribute $2 samhain_roles; - - ifdef(`enable_mls', ` - range_transition $1 samhain_exec_t:process mls_systemhigh; - ') -') - -######################################## -## <summary> -## Create, read, write, and delete -## samhain configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samhain_manage_config_files',` - gen_require(` - type samhain_etc_t; - ') - - files_rw_etc_dirs($1) - allow $1 samhain_etc_t:file manage_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## samhain database files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samhain_manage_db_files',` - gen_require(` - type samhain_db_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, samhain_db_t, samhain_db_t) -') - -####################################### -## <summary> -## Create, read, write, and delete -## samhain init script files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samhain_manage_init_script_files',` - gen_require(` - type samhain_initrc_exec_t; - ') - - files_search_etc($1) - manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## samhain log and log.lock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samhain_manage_log_files',` - gen_require(` - type samhain_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, samhain_log_t, samhain_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## samhain pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samhain_manage_pid_files',` - gen_require(` - type samhain_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t) -') - -####################################### -## <summary> -## All of the rules required to -## administrate the samhain environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samhain_admin',` - gen_require(` - attribute samhain_domain; - type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t; - type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; - ') - - allow $1 samhain_domain:process { ptrace signal_perms }; - ps_process_pattern($1, samhain_domain) - - # pending - # init_labeled_script_domtrans($1, samhain_initrc_exec_t) - # domain_system_change_exemption($1) - # role_transition $2 samhain_initrc_exec_t system_r; - # allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, samhain_db_t) - - files_list_etc($1) - admin_pattern($1, { samhain_initrc_exec_t samhain_etc_t }) - - logging_list_logs($1) - admin_pattern($1, samhain_log_t) - - files_list_pids($1) - admin_pattern($1, samhain_var_run_t) - - # samhain_run($1, $2) -') diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te deleted file mode 100644 index 931312bb..00000000 --- a/policy/modules/contrib/samhain.te +++ /dev/null @@ -1,118 +0,0 @@ -policy_module(samhain, 1.1.1) - -######################################## -# -# Declarations -# - -attribute samhain_domain; - -attribute_role samhain_roles; -roleattribute system_r samhain_roles; - -type samhain_etc_t; -files_config_file(samhain_etc_t) - -type samhain_exec_t; -corecmd_executable_file(samhain_exec_t) - -type samhain_log_t; -logging_log_file(samhain_log_t) - -type samhain_db_t; -files_type(samhain_db_t) - -type samhain_initrc_exec_t; -init_script_file(samhain_initrc_exec_t) - -type samhain_var_run_t; -files_pid_file(samhain_var_run_t) - -samhain_service_template(samhain) -application_domain(samhain_t, samhain_exec_t) -role samhain_roles types samhain_t; - -samhain_service_template(samhaind) -init_system_domain(samhaind_t, samhain_exec_t) - -ifdef(`enable_mcs',` - init_ranged_system_domain(samhaind_t, samhain_exec_t, mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_system_domain(samhaind_t, samhain_exec_t, mls_systemhigh) -') - -######################################## -# -# Common samhain domain local policy -# - -allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock }; -dontaudit samhain_domain self:capability { sys_resource sys_ptrace }; -allow samhain_domain self:fd use; -allow samhain_domain self:process { setsched setrlimit signull }; - -allow samhain_domain samhain_etc_t:file read_file_perms; - -manage_files_pattern(samhain_domain, samhain_log_t, samhain_log_t) -logging_log_filetrans(samhain_domain, samhain_log_t, file) - -manage_files_pattern(samhain_domain, samhain_var_run_t, samhain_var_run_t) -files_pid_filetrans(samhain_domain, samhain_var_run_t, file) - -kernel_getattr_core_if(samhain_domain) - -corecmd_list_bin(samhain_domain) -corecmd_read_bin_symlinks(samhain_domain) - -dev_read_urand(samhain_domain) -dev_dontaudit_read_rand(samhain_domain) -dev_getattr_all_blk_files(samhain_domain) -dev_getattr_all_chr_files(samhain_domain) -dev_getattr_generic_blk_files(samhain_domain) -dev_getattr_generic_chr_files(samhain_domain) - -files_getattr_all_dirs(samhain_domain) -files_getattr_all_files(samhain_domain) -files_getattr_all_symlinks(samhain_domain) -files_getattr_all_pipes(samhain_domain) -files_getattr_all_sockets(samhain_domain) -files_getattr_all_mountpoints(samhain_domain) -files_read_all_symlinks(samhain_domain) -files_search_etc(samhain_domain) - -fs_getattr_all_dirs(samhain_domain) - -auth_read_login_records(samhain_domain) - -init_read_utmp(samhain_domain) - -logging_send_syslog_msg(samhain_domain) - -######################################## -# -# Client local policy -# - -manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t) -files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir }) - -domain_use_interactive_fds(samhain_t) - -seutil_sigchld_newrole(samhain_t) - -userdom_use_user_terminals(samhain_t) - -######################################## -# -# Server local policy -# - -allow samhaind_t { samhain_t self }:process signal_perms; - -can_exec(samhaind_t, samhain_exec_t) - -read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t) - -init_use_script_ptys(samhaind_t) diff --git a/policy/modules/contrib/sanlock.fc b/policy/modules/contrib/sanlock.fc deleted file mode 100644 index 3df2a0f1..00000000 --- a/policy/modules/contrib/sanlock.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0) - -/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) - -/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) - -/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0) diff --git a/policy/modules/contrib/sanlock.if b/policy/modules/contrib/sanlock.if deleted file mode 100644 index cd6c213d..00000000 --- a/policy/modules/contrib/sanlock.if +++ /dev/null @@ -1,117 +0,0 @@ -## <summary>shared storage lock manager.</summary> - -######################################## -## <summary> -## Execute a domain transition to run sanlock. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sanlock_domtrans',` - gen_require(` - type sanlock_t, sanlock_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, sanlock_exec_t, sanlock_t) -') - -######################################## -## <summary> -## Execute sanlock init scripts in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`sanlock_initrc_domtrans',` - gen_require(` - type sanlock_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, sanlock_initrc_exec_t) -') - -###################################### -## <summary> -## Create, read, write, and delete -## sanlock pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sanlock_manage_pid_files',` - gen_require(` - type sanlock_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, sanlock_var_run_t, sanlock_var_run_t) -') - -######################################## -## <summary> -## Connect to sanlock with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sanlock_stream_connect',` - gen_require(` - type sanlock_t, sanlock_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an sanlock environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sanlock_admin',` - gen_require(` - type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t; - type sanlock_log_t; - ') - - allow $1 sanlock_t:process { ptrace signal_perms }; - ps_process_pattern($1, sanlock_t) - - sanlock_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sanlock_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, sanlock_var_run_t) - - logging_search_logs($1) - admin_pattern($1, sanlock_log_t) -') diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te deleted file mode 100644 index a34eac42..00000000 --- a/policy/modules/contrib/sanlock.te +++ /dev/null @@ -1,106 +0,0 @@ -policy_module(sanlock, 1.0.2) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether sanlock can use -## nfs file systems. -## </p> -## </desc> -gen_tunable(sanlock_use_nfs, false) - -## <desc> -## <p> -## Determine whether sanlock can use -## cifs file systems. -## </p> -## </desc> -gen_tunable(sanlock_use_samba, false) - -type sanlock_t; -type sanlock_exec_t; -init_daemon_domain(sanlock_t, sanlock_exec_t) - -type sanlock_var_run_t; -files_pid_file(sanlock_var_run_t) - -type sanlock_log_t; -logging_log_file(sanlock_log_t) - -type sanlock_initrc_exec_t; -init_script_file(sanlock_initrc_exec_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh) -') - -######################################## -# -# Local policy -# - -allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; -allow sanlock_t self:process { setrlimit setsched signull signal sigkill }; -allow sanlock_t self:fifo_file rw_fifo_file_perms; -allow sanlock_t self:unix_stream_socket { accept listen }; - -append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -logging_log_filetrans(sanlock_t, sanlock_log_t, file) - -manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) -manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) -manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) -files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) - -kernel_read_system_state(sanlock_t) -kernel_read_kernel_sysctls(sanlock_t) - -dev_read_rand(sanlock_t) -dev_read_urand(sanlock_t) - -domain_use_interactive_fds(sanlock_t) - -storage_raw_rw_fixed_disk(sanlock_t) - -auth_use_nsswitch(sanlock_t) - -init_read_utmp(sanlock_t) -init_dontaudit_write_utmp(sanlock_t) - -logging_send_syslog_msg(sanlock_t) - -miscfiles_read_localization(sanlock_t) - -tunable_policy(`sanlock_use_nfs',` - fs_manage_nfs_dirs(sanlock_t) - fs_manage_nfs_files(sanlock_t) - fs_manage_nfs_named_sockets(sanlock_t) - fs_read_nfs_symlinks(sanlock_t) -') - -tunable_policy(`sanlock_use_samba',` - fs_manage_cifs_dirs(sanlock_t) - fs_manage_cifs_files(sanlock_t) - fs_manage_cifs_named_sockets(sanlock_t) - fs_read_cifs_symlinks(sanlock_t) -') - -optional_policy(` - wdmd_stream_connect(sanlock_t) -') - -optional_policy(` - virt_kill_all_virt_domains(sanlock_t) - virt_manage_lib_files(sanlock_t) - virt_signal_all_virt_domains(sanlock_t) -') diff --git a/policy/modules/contrib/sasl.fc b/policy/modules/contrib/sasl.fc deleted file mode 100644 index 54f41c2b..00000000 --- a/policy/modules/contrib/sasl.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) - -/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0) - -/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) - -/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if deleted file mode 100644 index b2f388a3..00000000 --- a/policy/modules/contrib/sasl.if +++ /dev/null @@ -1,54 +0,0 @@ -## <summary>SASL authentication server.</summary> - -######################################## -## <summary> -## Connect to SASL. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sasl_connect',` - gen_require(` - type saslauthd_t, saslauthd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an sasl environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sasl_admin',` - gen_require(` - type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t; - ') - - allow $1 saslauthd_t:process { ptrace signal_perms }; - ps_process_pattern($1, saslauthd_t) - - init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 saslauthd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, saslauthd_var_run_t) -') diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te deleted file mode 100644 index a63b875f..00000000 --- a/policy/modules/contrib/sasl.te +++ /dev/null @@ -1,111 +0,0 @@ -policy_module(sasl, 1.14.3) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether sasl can -## read shadow files. -## </p> -## </desc> -gen_tunable(allow_saslauthd_read_shadow, false) - -type saslauthd_t; -type saslauthd_exec_t; -init_daemon_domain(saslauthd_t, saslauthd_exec_t) - -type saslauthd_initrc_exec_t; -init_script_file(saslauthd_initrc_exec_t) - -type saslauthd_var_run_t; -files_pid_file(saslauthd_var_run_t) - -######################################## -# -# Local policy -# - -allow saslauthd_t self:capability { setgid setuid sys_nice }; -dontaudit saslauthd_t self:capability sys_tty_config; -allow saslauthd_t self:process { setsched signal_perms }; -allow saslauthd_t self:fifo_file rw_fifo_file_perms; -allow saslauthd_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(saslauthd_t) -kernel_read_system_state(saslauthd_t) -kernel_rw_afs_state(saslauthd_t) - -corenet_all_recvfrom_unlabeled(saslauthd_t) -corenet_all_recvfrom_netlabel(saslauthd_t) -corenet_tcp_sendrecv_generic_if(saslauthd_t) -corenet_tcp_sendrecv_generic_node(saslauthd_t) - -corenet_sendrecv_pop_client_packets(saslauthd_t) -corenet_tcp_connect_pop_port(saslauthd_t) -corenet_tcp_sendrecv_pop_port(saslauthd_t) - -corenet_sendrecv_zarafa_client_packets(saslauthd_t) -corenet_tcp_connect_zarafa_port(saslauthd_t) -corenet_tcp_sendrecv_zarafa_port(saslauthd_t) - -corecmd_exec_bin(saslauthd_t) - -dev_read_urand(saslauthd_t) - -domain_use_interactive_fds(saslauthd_t) - -files_dontaudit_read_etc_runtime_files(saslauthd_t) -files_dontaudit_getattr_home_dir(saslauthd_t) -files_dontaudit_getattr_tmp_dirs(saslauthd_t) - -fs_getattr_all_fs(saslauthd_t) -fs_search_auto_mountpoints(saslauthd_t) - -selinux_compute_access_vector(saslauthd_t) - -auth_use_pam(saslauthd_t) - -init_dontaudit_stream_connect_script(saslauthd_t) - -logging_send_syslog_msg(saslauthd_t) - -miscfiles_read_localization(saslauthd_t) -miscfiles_read_generic_certs(saslauthd_t) - -seutil_dontaudit_read_config(saslauthd_t) - -userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) -userdom_dontaudit_search_user_home_dirs(saslauthd_t) - -auth_can_read_shadow_passwords(saslauthd_t) -tunable_policy(`allow_saslauthd_read_shadow',` - allow saslauthd_t self:capability dac_override; - auth_tunable_read_shadow(saslauthd_t) -') - -optional_policy(` - kerberos_keytab_template(saslauthd, saslauthd_t) - kerberos_manage_host_rcache(saslauthd_t) - kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0") -') - -optional_policy(` - mysql_stream_connect(saslauthd_t) - mysql_tcp_connect(saslauthd_t) -') - -optional_policy(` - seutil_sigchld_newrole(saslauthd_t) -') - -optional_policy(` - udev_read_db(saslauthd_t) -') diff --git a/policy/modules/contrib/sblim.fc b/policy/modules/contrib/sblim.fc deleted file mode 100644 index 68a550d5..00000000 --- a/policy/modules/contrib/sblim.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0) - -/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0) -/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0) - -/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/policy/modules/contrib/sblim.if b/policy/modules/contrib/sblim.if deleted file mode 100644 index 98c9e0a8..00000000 --- a/policy/modules/contrib/sblim.if +++ /dev/null @@ -1,74 +0,0 @@ -## <summary>Standards Based Linux Instrumentation for Manageability.</summary> - -######################################## -## <summary> -## Execute gatherd in the gatherd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`sblim_domtrans_gatherd',` - gen_require(` - type sblim_gatherd_t, sblim_gatherd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t) -') - -######################################## -## <summary> -## Read gatherd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sblim_read_pid_files',` - gen_require(` - type sblim_var_run_t; - ') - - files_search_pids($1) - allow $1 sblim_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an sblim environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sblim_admin',` - gen_require(` - attribute sblim_domain; - type sblim_initrc_exec_t, sblim_var_run_t; - ') - - allow $1 sblim_domain:process { ptrace signal_perms }; - ps_process_pattern($1, sblim_domain) - - init_labeled_script_domtrans($1, sblim_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 sblim_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, sblim_var_run_t) -') diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te deleted file mode 100644 index 4a23d842..00000000 --- a/policy/modules/contrib/sblim.te +++ /dev/null @@ -1,122 +0,0 @@ -policy_module(sblim, 1.0.3) - -######################################## -# -# Declarations -# - -attribute sblim_domain; - -type sblim_gatherd_t, sblim_domain; -type sblim_gatherd_exec_t; -init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t) - -type sblim_reposd_t, sblim_domain; -type sblim_reposd_exec_t; -init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) - -type sblim_initrc_exec_t; -init_script_file(sblim_initrc_exec_t) - -type sblim_var_run_t; -files_pid_file(sblim_var_run_t) - -###################################### -# -# Common sblim domain local policy -# - -allow sblim_domain self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) -manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) -manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) - -kernel_read_network_state(sblim_domain) -kernel_read_system_state(sblim_domain) - -corenet_all_recvfrom_unlabeled(sblim_domain) -corenet_all_recvfrom_netlabel(sblim_domain) -corenet_tcp_sendrecv_generic_if(sblim_domain) -corenet_tcp_sendrecv_generic_node(sblim_domain) - -corenet_tcp_sendrecv_repository_port(sblim_domain) - -dev_read_sysfs(sblim_domain) - -logging_send_syslog_msg(sblim_domain) - -files_read_etc_files(sblim_domain) - -miscfiles_read_localization(sblim_domain) - -######################################## -# -# Gatherd local policy -# - -allow sblim_gatherd_t self:capability dac_override; -allow sblim_gatherd_t self:process signal; -allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; -allow sblim_gatherd_t self:unix_stream_socket { accept listen }; - -domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t) - -kernel_read_fs_sysctls(sblim_gatherd_t) -kernel_read_kernel_sysctls(sblim_gatherd_t) - -corecmd_exec_bin(sblim_gatherd_t) -corecmd_exec_shell(sblim_gatherd_t) - -corenet_sendrecv_repository_client_packets(sblim_gatherd_t) -corenet_tcp_connect_repository_port(sblim_gatherd_t) - -dev_read_rand(sblim_gatherd_t) -dev_read_urand(sblim_gatherd_t) - -domain_read_all_domains_state(sblim_gatherd_t) - -fs_getattr_all_fs(sblim_gatherd_t) -fs_search_cgroup_dirs(sblim_gatherd_t) - -storage_raw_read_fixed_disk(sblim_gatherd_t) -storage_raw_read_removable_device(sblim_gatherd_t) - -init_read_utmp(sblim_gatherd_t) - -sysnet_dns_name_resolve(sblim_gatherd_t) - -term_getattr_pty_fs(sblim_gatherd_t) - -userdom_signull_unpriv_users(sblim_gatherd_t) - -optional_policy(` - locallogin_signull(sblim_gatherd_t) -') - -optional_policy(` - rpc_search_nfs_state_data(sblim_gatherd_t) -') - -optional_policy(` - ssh_signull(sblim_gatherd_t) -') - -optional_policy(` - virt_getattr_virtd_exec_files(sblim_gatherd_t) - virt_stream_connect(sblim_gatherd_t) -') - -optional_policy(` - xen_stream_connect(sblim_gatherd_t) - xen_stream_connect_xenstore(sblim_gatherd_t) -') - -####################################### -# -# Reposd local policy -# - -corenet_sendrecv_repository_server_packets(sblim_reposd_t) -corenet_tcp_bind_repository_port(sblim_reposd_t) -corenet_tcp_bind_generic_node(sblim_domain) diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc deleted file mode 100644 index ac04d278..00000000 --- a/policy/modules/contrib/screen.fc +++ /dev/null @@ -1,8 +0,0 @@ -HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) -HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) - -/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) -/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) - -/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) -/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if deleted file mode 100644 index c21ddcce..00000000 --- a/policy/modules/contrib/screen.if +++ /dev/null @@ -1,89 +0,0 @@ -## <summary>GNU terminal multiplexer.</summary> - -####################################### -## <summary> -## The role template for the screen module. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## </summary> -## </param> -## <param name="user_role"> -## <summary> -## The role associated with the user domain. -## </summary> -## </param> -## <param name="user_domain"> -## <summary> -## The type of the user domain. -## </summary> -## </param> -# -template(`screen_role_template',` - gen_require(` - attribute screen_domain; - attribute_role screen_roles; - type screen_exec_t, screen_tmp_t; - type screen_home_t, screen_var_run_t; - ') - - ######################################## - # - # Declarations - # - - type $1_screen_t, screen_domain; - userdom_user_application_domain($1_screen_t, screen_exec_t) - domain_interactive_fd($1_screen_t) - role screen_roles types $1_screen_t; - - roleattribute $2 screen_roles; - - ######################################## - # - # Local policy - # - - domtrans_pattern($3, screen_exec_t, $1_screen_t) - - ps_process_pattern($3, $1_screen_t) - allow $3 $1_screen_t:process { ptrace signal_perms }; - - dontaudit $3 $1_screen_t:unix_stream_socket { read write }; - allow $1_screen_t $3:process signal; - - allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - - allow $3 screen_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $3 screen_home_t:file { manage_file_perms relabel_file_perms }; - allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen") - userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc") - - manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) - manage_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) - - corecmd_bin_domtrans($1_screen_t, $3) - corecmd_shell_domtrans($1_screen_t, $3) - - auth_domtrans_chk_passwd($1_screen_t) - auth_use_nsswitch($1_screen_t) - - userdom_user_home_domtrans($1_screen_t, $3) - - tunable_policy(`use_samba_home_dirs',` - fs_cifs_domtrans($1_screen_t, $3) - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_nfs_domtrans($1_screen_t, $3) - ') -') diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te deleted file mode 100644 index f0950813..00000000 --- a/policy/modules/contrib/screen.te +++ /dev/null @@ -1,119 +0,0 @@ -policy_module(screen, 2.5.3) - -######################################## -# -# Declarations -# - -attribute screen_domain; - -attribute_role screen_roles; - -type screen_exec_t; -application_executable_file(screen_exec_t) - -type screen_home_t; -typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t }; -typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t }; -userdom_user_home_content(screen_home_t) - -type screen_tmp_t; -typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; -typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; -userdom_user_tmp_file(screen_tmp_t) - -type screen_var_run_t; -typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; -typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; -files_pid_file(screen_var_run_t) -ubac_constrained(screen_var_run_t) - -######################################## -# -# Common screen domain local policy -# - -allow screen_domain self:capability { setuid setgid fsetid }; -allow screen_domain self:process signal_perms; -allow screen_domain self:fd use; -allow screen_domain self:fifo_file rw_fifo_file_perms; -allow screen_domain self:tcp_socket { accept listen }; -allow screen_domain self:unix_stream_socket connectto; - -manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t) -manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) -manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) -files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir }) - -manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) -manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t) -manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) -files_pid_filetrans(screen_domain, screen_var_run_t, dir) - -manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) -read_files_pattern(screen_domain, screen_home_t, screen_home_t) -manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t) -read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t) -userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen") - -kernel_read_system_state(screen_domain) -kernel_read_kernel_sysctls(screen_domain) - -corecmd_list_bin(screen_domain) -corecmd_read_bin_files(screen_domain) -corecmd_read_bin_symlinks(screen_domain) -corecmd_read_bin_pipes(screen_domain) -corecmd_read_bin_sockets(screen_domain) - -corenet_all_recvfrom_unlabeled(screen_domain) -corenet_all_recvfrom_netlabel(screen_domain) -corenet_tcp_sendrecv_generic_if(screen_domain) -corenet_tcp_sendrecv_generic_node(screen_domain) -corenet_tcp_sendrecv_all_ports(screen_domain) - -corenet_sendrecv_all_client_packets(screen_domain) -corenet_tcp_connect_all_ports(screen_domain) - -dev_dontaudit_getattr_all_chr_files(screen_domain) -dev_dontaudit_getattr_all_blk_files(screen_domain) -dev_read_urand(screen_domain) - -domain_use_interactive_fds(screen_domain) -domain_sigchld_interactive_fds(screen_domain) -domain_read_all_domains_state(screen_domain) - -files_list_home(screen_domain) -files_read_usr_files(screen_domain) - -fs_search_auto_mountpoints(screen_domain) -fs_getattr_all_fs(screen_domain) - -auth_dontaudit_read_shadow(screen_domain) -auth_dontaudit_exec_utempter(screen_domain) - -init_rw_utmp(screen_domain) - -logging_send_syslog_msg(screen_domain) - -miscfiles_read_localization(screen_domain) - -seutil_read_config(screen_domain) - -userdom_use_user_terminals(screen_domain) -userdom_create_user_pty(screen_domain) -userdom_setattr_user_ptys(screen_domain) -userdom_setattr_user_ttys(screen_domain) - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(screen_domain) - fs_read_cifs_files(screen_domain) - fs_manage_cifs_named_pipes(screen_domain) - fs_read_cifs_symlinks(screen_domain) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(screen_domain) - fs_read_nfs_files(screen_domain) - fs_manage_nfs_named_pipes(screen_domain) - fs_read_nfs_symlinks(screen_domain) -') diff --git a/policy/modules/contrib/sectoolm.fc b/policy/modules/contrib/sectoolm.fc deleted file mode 100644 index 64a23945..00000000 --- a/policy/modules/contrib/sectoolm.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) - -/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) - -/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) diff --git a/policy/modules/contrib/sectoolm.if b/policy/modules/contrib/sectoolm.if deleted file mode 100644 index c78a569c..00000000 --- a/policy/modules/contrib/sectoolm.if +++ /dev/null @@ -1,24 +0,0 @@ -## <summary>Sectool security audit tool.</summary> - -######################################## -## <summary> -## Role access for sectoolm. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`sectoolm_role',` - gen_require(` - type sectoolm_t; - ') - - allow sectoolm_t $2:unix_dgram_socket sendto; -') diff --git a/policy/modules/contrib/sectoolm.te b/policy/modules/contrib/sectoolm.te deleted file mode 100644 index 8193bf1b..00000000 --- a/policy/modules/contrib/sectoolm.te +++ /dev/null @@ -1,108 +0,0 @@ -policy_module(sectoolm, 1.0.1) - -######################################## -# -# Declarations -# - -type sectoolm_t; -type sectoolm_exec_t; -init_system_domain(sectoolm_t, sectoolm_exec_t) - -type sectool_var_lib_t; -files_type(sectool_var_lib_t) - -type sectool_var_log_t; -logging_log_file(sectool_var_log_t) - -type sectool_tmp_t; -files_tmp_file(sectool_tmp_t) - -######################################## -# -# Local policy -# - -allow sectoolm_t self:capability { dac_override net_admin sys_nice }; -allow sectoolm_t self:process { getcap getsched signull setsched }; -dontaudit sectoolm_t self:process { execstack execmem }; -allow sectoolm_t self:fifo_file rw_fifo_file_perms; -allow sectoolm_t self:unix_dgram_socket sendto; - -manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) -manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) -files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir }) - -manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) -manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) -files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir }) - -allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(sectoolm_t, sectool_var_log_t, file) - -kernel_read_net_sysctls(sectoolm_t) -kernel_read_network_state(sectoolm_t) -kernel_read_kernel_sysctls(sectoolm_t) - -corecmd_exec_bin(sectoolm_t) -corecmd_exec_shell(sectoolm_t) - -dev_read_sysfs(sectoolm_t) -dev_read_urand(sectoolm_t) -dev_getattr_all_blk_files(sectoolm_t) -dev_getattr_all_chr_files(sectoolm_t) - -domain_getattr_all_domains(sectoolm_t) -domain_read_all_domains_state(sectoolm_t) - -files_getattr_all_pipes(sectoolm_t) -files_getattr_all_sockets(sectoolm_t) -files_read_all_files(sectoolm_t) -files_read_all_symlinks(sectoolm_t) - -fs_getattr_all_fs(sectoolm_t) -fs_list_noxattr_fs(sectoolm_t) - -selinux_validate_context(sectoolm_t) - -application_exec_all(sectoolm_t) - -auth_use_nsswitch(sectoolm_t) - -libs_exec_ld_so(sectoolm_t) - -logging_send_syslog_msg(sectoolm_t) - -sysnet_domtrans_ifconfig(sectoolm_t) - -userdom_write_user_tmp_sockets(sectoolm_t) - -optional_policy(` - mount_exec(sectoolm_t) -') - -optional_policy(` - dbus_system_domain(sectoolm_t, sectoolm_exec_t) - - optional_policy(` - policykit_dbus_chat(sectoolm_t) - ') -') - -optional_policy(` - hostname_exec(sectoolm_t) -') - -optional_policy(` - iptables_domtrans(sectoolm_t) -') - -optional_policy(` - prelink_domtrans(sectoolm_t) -') - -optional_policy(` - rpm_exec(sectoolm_t) - rpm_dontaudit_manage_db(sectoolm_t) -') - diff --git a/policy/modules/contrib/sendmail.fc b/policy/modules/contrib/sendmail.fc deleted file mode 100644 index d14b6bfc..00000000 --- a/policy/modules/contrib/sendmail.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) - -/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0) -/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) - -/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) -/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if deleted file mode 100644 index 88e753f3..00000000 --- a/policy/modules/contrib/sendmail.if +++ /dev/null @@ -1,377 +0,0 @@ -## <summary>Internetwork email routing facility.</summary> - -######################################## -## <summary> -## Sendmail stub interface. No access allowed. -## </summary> -## <param name="domain" unused="true"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sendmail_stub',` - gen_require(` - type sendmail_t; - ') -') - -######################################## -## <summary> -## Read and write sendmail unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sendmail_rw_pipes',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Execute a domain transition to run sendmail. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`sendmail_domtrans',` - gen_require(` - type sendmail_t; - ') - - corecmd_search_bin($1) - mta_sendmail_domtrans($1, sendmail_t) - - allow sendmail_t $1:fd use; - allow sendmail_t $1:fifo_file rw_fifo_file_perms; - allow sendmail_t $1:process sigchld; -') - -######################################## -## <summary> -## Execute the sendmail program in the -## sendmail domain, and allow the -## specified role the sendmail domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sendmail_run',` - gen_require(` - attribute_role sendmail_roles; - ') - - sendmail_domtrans($1) - roleattribute $2 sendmail_roles; -') - -######################################## -## <summary> -## Send generic signals to sendmail. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sendmail_signal',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:process signal; -') - -######################################## -## <summary> -## Read and write sendmail TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sendmail_rw_tcp_sockets',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Do not audit attempts to read and write -## sendmail TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`sendmail_dontaudit_rw_tcp_sockets',` - gen_require(` - type sendmail_t; - ') - - dontaudit $1 sendmail_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Read and write sendmail unix -## domain stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sendmail_rw_unix_stream_sockets',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:unix_stream_socket rw_socket_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read and write -## sendmail unix_stream_sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`sendmail_dontaudit_rw_unix_stream_sockets',` - gen_require(` - type sendmail_t; - ') - - dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms; -') - -######################################## -## <summary> -## Read sendmail log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sendmail_read_log',` - gen_require(` - type sendmail_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, sendmail_log_t, sendmail_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## sendmail log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sendmail_manage_log',` - gen_require(` - type sendmail_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, sendmail_log_t, sendmail_log_t) -') - -######################################## -## <summary> -## Create specified objects in generic -## log directories sendmail log file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sendmail_create_log',` - refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.') - sendmail_log_filetrans_sendmail_log($1, $2, $3) -') - -######################################## -## <summary> -## Create specified objects in generic -## log directories sendmail log file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`sendmail_log_filetrans_sendmail_log',` - gen_require(` - type sendmail_log_t; - ') - - logging_log_filetrans($1, sendmail_log_t, $2, $3) -') - -######################################## -## <summary> -## Create, read, write, and delete -## sendmail tmp files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sendmail_manage_tmp_files',` - gen_require(` - type sendmail_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t) -') - -######################################## -## <summary> -## Execute sendmail in the unconfined sendmail domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`sendmail_domtrans_unconfined',` - gen_require(` - type unconfined_sendmail_t; - ') - - mta_sendmail_domtrans($1, unconfined_sendmail_t) - - allow unconfined_sendmail_t $1:fd use; - allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms; - allow unconfined_sendmail_t $1:process sigchld; -') - -######################################## -## <summary> -## Execute sendmail in the unconfined -## sendmail domain, and allow the -## specified role the unconfined -## sendmail domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sendmail_run_unconfined',` - gen_require(` - attribute_role sendmail_unconfined_roles; - ') - - sendmail_domtrans_unconfined($1) - roleattribute $2 sendmail_unconfined_roles; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an sendmail environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sendmail_admin',` - gen_require(` - type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; - type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; - ') - - allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { unconfined_sendmail_t sendmail_t }) - - init_labeled_script_domtrans($1, sendmail_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 sendmail_initrc_exec_t system_r; - - logging_list_logs($1) - admin_pattern($1, sendmail_log_t) - - files_list_tmp($1) - admin_pattern($1, sendmail_tmp_t) - - files_list_pids($1) - admin_pattern($1, sendmail_var_run_t) - - sendmail_run($1, $2) - sendmail_run_unconfined($1, $2) -') diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te deleted file mode 100644 index 5f35d783..00000000 --- a/policy/modules/contrib/sendmail.te +++ /dev/null @@ -1,207 +0,0 @@ -policy_module(sendmail, 1.11.5) - -######################################## -# -# Declarations -# - -attribute_role sendmail_roles; - -attribute_role sendmail_unconfined_roles; -roleattribute system_r sendmail_unconfined_roles; - -type sendmail_initrc_exec_t; -init_script_file(sendmail_initrc_exec_t) - -type sendmail_log_t; -logging_log_file(sendmail_log_t) - -type sendmail_tmp_t; -files_tmp_file(sendmail_tmp_t) - -type sendmail_var_run_t; -files_pid_file(sendmail_var_run_t) - -type sendmail_t; -mta_sendmail_mailserver(sendmail_t) -mta_mailserver_delivery(sendmail_t) -mta_mailserver_sender(sendmail_t) -role sendmail_roles types sendmail_t; - -type unconfined_sendmail_t; -application_domain(unconfined_sendmail_t, sendmail_exec_t) -role sendmail_unconfined_roles types unconfined_sendmail_t; - -######################################## -# -# Local policy -# - -allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; -allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; -allow sendmail_t self:fifo_file rw_fifo_file_perms; -allow sendmail_t self:unix_stream_socket { accept listen }; -allow sendmail_t self:tcp_socket { accept listen }; - -allow sendmail_t sendmail_log_t:dir setattr_dir_perms; -append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) -create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) -setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) -logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) - -manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir }) - -allow sendmail_t sendmail_var_run_t:file manage_file_perms; -files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) - -kernel_read_network_state(sendmail_t) -kernel_read_kernel_sysctls(sendmail_t) -kernel_read_system_state(sendmail_t) - -corenet_all_recvfrom_unlabeled(sendmail_t) -corenet_all_recvfrom_netlabel(sendmail_t) -corenet_tcp_sendrecv_generic_if(sendmail_t) -corenet_tcp_sendrecv_generic_node(sendmail_t) -corenet_tcp_sendrecv_all_ports(sendmail_t) -corenet_tcp_bind_generic_node(sendmail_t) - -corenet_sendrecv_smtp_server_packets(sendmail_t) -corenet_tcp_bind_smtp_port(sendmail_t) - -corenet_sendrecv_all_client_packets(sendmail_t) -corenet_tcp_connect_all_ports(sendmail_t) - -corecmd_exec_bin(sendmail_t) -corecmd_exec_shell(sendmail_t) - -dev_read_sysfs(sendmail_t) -dev_read_urand(sendmail_t) - -domain_use_interactive_fds(sendmail_t) - -files_read_all_tmp_files(sendmail_t) -files_read_etc_runtime_files(sendmail_t) -files_read_usr_files(sendmail_t) -files_search_spool(sendmail_t) - -fs_getattr_all_fs(sendmail_t) -fs_search_auto_mountpoints(sendmail_t) -fs_rw_anon_inodefs_files(sendmail_t) - -term_dontaudit_use_console(sendmail_t) -term_dontaudit_use_generic_ptys(sendmail_t) - -init_use_fds(sendmail_t) -init_use_script_ptys(sendmail_t) -init_read_utmp(sendmail_t) -init_dontaudit_write_utmp(sendmail_t) -init_rw_script_tmp_files(sendmail_t) - -auth_use_nsswitch(sendmail_t) - -libs_read_lib_files(sendmail_t) - -logging_send_syslog_msg(sendmail_t) -logging_dontaudit_write_generic_logs(sendmail_t) - -miscfiles_read_generic_certs(sendmail_t) -miscfiles_read_localization(sendmail_t) - -userdom_dontaudit_use_unpriv_user_fds(sendmail_t) - -mta_etc_filetrans_aliases(sendmail_t, file, "aliases") -mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db") -mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp") -mta_manage_aliases(sendmail_t) -mta_manage_queue(sendmail_t) -mta_manage_spool(sendmail_t) -mta_read_config(sendmail_t) -mta_sendmail_exec(sendmail_t) - -optional_policy(` - cfengine_dontaudit_write_log_files(sendmail_t) -') - -optional_policy(` - cron_read_pipes(sendmail_t) -') - -optional_policy(` - clamav_search_lib(sendmail_t) - clamav_stream_connect(sendmail_t) -') - -optional_policy(` - cyrus_stream_connect(sendmail_t) -') - -optional_policy(` - dovecot_write_inherited_tmp_files(sendmail_t) -') - -optional_policy(` - exim_domtrans(sendmail_t) - exim_manage_spool_files(sendmail_t) - exim_manage_spool_dirs(sendmail_t) - exim_read_log(sendmail_t) -') - -optional_policy(` - fail2ban_read_lib_files(sendmail_t) - fail2ban_rw_stream_sockets(sendmail_t) -') - -optional_policy(` - kerberos_keytab_template(sendmail, sendmail_t) -') - -optional_policy(` - milter_stream_connect_all(sendmail_t) -') - -optional_policy(` - munin_dontaudit_search_lib(sendmail_t) -') - -optional_policy(` - postfix_domtrans_postdrop(sendmail_t) - postfix_domtrans_master(sendmail_t) - postfix_domtrans_postqueue(sendmail_t) - postfix_read_config(sendmail_t) - postfix_search_spool(sendmail_t) -') - -optional_policy(` - procmail_domtrans(sendmail_t) - procmail_rw_tmp_files(sendmail_t) -') - -optional_policy(` - seutil_sigchld_newrole(sendmail_t) -') - -optional_policy(` - sasl_connect(sendmail_t) -') - -optional_policy(` - udev_read_db(sendmail_t) -') - -optional_policy(` - uucp_domtrans_uux(sendmail_t) -') - -######################################## -# -# Unconfined local policy -# - -optional_policy(` - mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases") - mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db") - mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp") - unconfined_domain(unconfined_sendmail_t) -') diff --git a/policy/modules/contrib/sensord.fc b/policy/modules/contrib/sensord.fc deleted file mode 100644 index 8185d5a6..00000000 --- a/policy/modules/contrib/sensord.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0) - -/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) - -/var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) diff --git a/policy/modules/contrib/sensord.if b/policy/modules/contrib/sensord.if deleted file mode 100644 index d204752b..00000000 --- a/policy/modules/contrib/sensord.if +++ /dev/null @@ -1,35 +0,0 @@ -## <summary>Sensor information logging daemon.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an sensord environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sensord_admin',` - gen_require(` - type sensord_t, sensord_initrc_exec_t, sensord_var_run_t; - ') - - allow $1 sensord_t:process { ptrace signal_perms }; - ps_process_pattern($1, sensord_t) - - init_labeled_script_domtrans($1, sensord_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 sensord_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, sensord_var_run_t) -') diff --git a/policy/modules/contrib/sensord.te b/policy/modules/contrib/sensord.te deleted file mode 100644 index 5e82fd61..00000000 --- a/policy/modules/contrib/sensord.te +++ /dev/null @@ -1,35 +0,0 @@ -policy_module(sensord, 1.0.0) - -######################################## -# -# Declarations -# - -type sensord_t; -type sensord_exec_t; -init_daemon_domain(sensord_t, sensord_exec_t) - -type sensord_initrc_exec_t; -init_script_file(sensord_initrc_exec_t) - -type sensord_var_run_t; -files_pid_file(sensord_var_run_t) - -######################################## -# -# Local policy -# - -allow sensord_t self:fifo_file rw_fifo_file_perms; -allow sensord_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t) -files_pid_filetrans(sensord_t, sensord_var_run_t, file) - -dev_read_sysfs(sensord_t) - -files_read_etc_files(sensord_t) - -logging_send_syslog_msg(sensord_t) - -miscfiles_read_localization(sensord_t) diff --git a/policy/modules/contrib/setroubleshoot.fc b/policy/modules/contrib/setroubleshoot.fc deleted file mode 100644 index 0b3a971f..00000000 --- a/policy/modules/contrib/setroubleshoot.fc +++ /dev/null @@ -1,9 +0,0 @@ -/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) - -/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) - -/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) - -/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) - -/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) diff --git a/policy/modules/contrib/setroubleshoot.if b/policy/modules/contrib/setroubleshoot.if deleted file mode 100644 index 3a9a70be..00000000 --- a/policy/modules/contrib/setroubleshoot.if +++ /dev/null @@ -1,137 +0,0 @@ -## <summary>SELinux troubleshooting service.</summary> - -######################################## -## <summary> -## Connect to setroubleshootd with a -## unix domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`setroubleshoot_stream_connect',` - gen_require(` - type setroubleshootd_t, setroubleshoot_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t) - allow $1 setroubleshoot_var_run_t:sock_file read; -') - -######################################## -## <summary> -## Do not audit attempts to connect to -## setroubleshootd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`setroubleshoot_dontaudit_stream_connect',` - gen_require(` - type setroubleshootd_t, setroubleshoot_var_run_t; - ') - - dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms; - dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; -') - -######################################## -## <summary> -## Send and receive messages from -## setroubleshoot over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`setroubleshoot_dbus_chat',` - gen_require(` - type setroubleshootd_t; - class dbus send_msg; - ') - - allow $1 setroubleshootd_t:dbus send_msg; - allow setroubleshootd_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Do not audit send and receive messages from -## setroubleshoot over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`setroubleshoot_dontaudit_dbus_chat',` - gen_require(` - type setroubleshootd_t; - class dbus send_msg; - ') - - dontaudit $1 setroubleshootd_t:dbus send_msg; - dontaudit setroubleshootd_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Send and receive messages from -## setroubleshoot fixit over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`setroubleshoot_dbus_chat_fixit',` - gen_require(` - type setroubleshoot_fixit_t; - class dbus send_msg; - ') - - allow $1 setroubleshoot_fixit_t:dbus send_msg; - allow setroubleshoot_fixit_t $1:dbus send_msg; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an setroubleshoot environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`setroubleshoot_admin',` - gen_require(` - type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t; - type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; - ') - - allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t }) - - logging_list_logs($1) - admin_pattern($1, setroubleshoot_var_log_t) - - files_list_var_lib($1) - admin_pattern($1, setroubleshoot_var_lib_t) - - files_list_pids($1) - admin_pattern($1, setroubleshoot_var_run_t) -') diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te deleted file mode 100644 index 49b12ae6..00000000 --- a/policy/modules/contrib/setroubleshoot.te +++ /dev/null @@ -1,197 +0,0 @@ -policy_module(setroubleshoot, 1.11.2) - -######################################## -# -# Declarations -# - -type setroubleshootd_t alias setroubleshoot_t; -type setroubleshootd_exec_t; -init_system_domain(setroubleshootd_t, setroubleshootd_exec_t) - -type setroubleshoot_fixit_t; -type setroubleshoot_fixit_exec_t; -init_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) - -type setroubleshoot_var_lib_t; -files_type(setroubleshoot_var_lib_t) - -type setroubleshoot_var_log_t; -logging_log_file(setroubleshoot_var_log_t) - -type setroubleshoot_var_run_t; -files_pid_file(setroubleshoot_var_run_t) - -######################################## -# -# Local policy -# - -allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack }; -allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; -allow setroubleshootd_t self:tcp_socket { accept listen }; -allow setroubleshootd_t self:unix_stream_socket { accept connectto listen }; - -allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms; -manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) -files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir }) - -allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr_dir_perms; -append_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) -create_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) -setattr_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) -manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) -logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) - -manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir }) - -kernel_read_kernel_sysctls(setroubleshootd_t) -kernel_read_system_state(setroubleshootd_t) -kernel_read_net_sysctls(setroubleshootd_t) -kernel_read_network_state(setroubleshootd_t) -kernel_dontaudit_list_all_proc(setroubleshootd_t) -kernel_read_irq_sysctls(setroubleshootd_t) -kernel_read_unlabeled_state(setroubleshootd_t) - -corecmd_exec_bin(setroubleshootd_t) -corecmd_exec_shell(setroubleshootd_t) -corecmd_read_all_executables(setroubleshootd_t) - -corenet_all_recvfrom_unlabeled(setroubleshootd_t) -corenet_all_recvfrom_netlabel(setroubleshootd_t) -corenet_tcp_sendrecv_generic_if(setroubleshootd_t) -corenet_tcp_sendrecv_generic_node(setroubleshootd_t) - -corenet_sendrecv_smtp_client_packets(setroubleshootd_t) -corenet_tcp_connect_smtp_port(setroubleshootd_t) -corenet_tcp_sendrecv_smtp_port(setroubleshootd_t) - -dev_read_urand(setroubleshootd_t) -dev_read_sysfs(setroubleshootd_t) -dev_getattr_all_blk_files(setroubleshootd_t) -dev_getattr_all_chr_files(setroubleshootd_t) -dev_getattr_mtrr_dev(setroubleshootd_t) - -domain_dontaudit_search_all_domains_state(setroubleshootd_t) -domain_signull_all_domains(setroubleshootd_t) - -files_read_usr_files(setroubleshootd_t) -files_list_all(setroubleshootd_t) -files_getattr_all_files(setroubleshootd_t) -files_getattr_all_pipes(setroubleshootd_t) -files_getattr_all_sockets(setroubleshootd_t) -files_read_all_symlinks(setroubleshootd_t) -files_read_mnt_files(setroubleshootd_t) - -fs_getattr_all_dirs(setroubleshootd_t) -fs_getattr_all_files(setroubleshootd_t) -fs_read_fusefs_symlinks(setroubleshootd_t) -fs_list_inotifyfs(setroubleshootd_t) -fs_dontaudit_read_nfs_files(setroubleshootd_t) -fs_dontaudit_read_cifs_files(setroubleshootd_t) - -selinux_get_enforce_mode(setroubleshootd_t) -selinux_validate_context(setroubleshootd_t) -selinux_read_policy(setroubleshootd_t) - -term_dontaudit_use_all_ptys(setroubleshootd_t) -term_dontaudit_use_all_ttys(setroubleshootd_t) - -auth_use_nsswitch(setroubleshootd_t) - -init_read_utmp(setroubleshootd_t) -init_dontaudit_write_utmp(setroubleshootd_t) - -libs_exec_ld_so(setroubleshootd_t) - -locallogin_dontaudit_use_fds(setroubleshootd_t) - -logging_send_audit_msgs(setroubleshootd_t) -logging_send_syslog_msg(setroubleshootd_t) -logging_stream_connect_dispatcher(setroubleshootd_t) - -miscfiles_read_localization(setroubleshootd_t) - -seutil_read_config(setroubleshootd_t) -seutil_read_file_contexts(setroubleshootd_t) -seutil_read_bin_policy(setroubleshootd_t) - -userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) - -optional_policy(` - dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) - - optional_policy(` - abrt_dbus_chat(setroubleshootd_t) - ') -') - -optional_policy(` - locate_read_lib_files(setroubleshootd_t) -') - -optional_policy(` - modutils_read_module_config(setroubleshootd_t) -') - -optional_policy(` - rpm_exec(setroubleshootd_t) - rpm_signull(setroubleshootd_t) - rpm_read_db(setroubleshootd_t) - rpm_dontaudit_manage_db(setroubleshootd_t) - rpm_use_script_fds(setroubleshootd_t) -') - -######################################## -# -# Fixit local policy -# - -allow setroubleshoot_fixit_t self:capability sys_nice; -allow setroubleshoot_fixit_t self:process { setsched getsched }; -allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; - -allow setroubleshoot_fixit_t setroubleshootd_t:process signull; - -setroubleshoot_stream_connect(setroubleshoot_fixit_t) - -kernel_read_system_state(setroubleshoot_fixit_t) - -corecmd_exec_bin(setroubleshoot_fixit_t) -corecmd_exec_shell(setroubleshoot_fixit_t) -corecmd_getattr_all_executables(setroubleshoot_fixit_t) - -seutil_domtrans_setfiles(setroubleshoot_fixit_t) - -files_read_usr_files(setroubleshoot_fixit_t) -files_list_tmp(setroubleshoot_fixit_t) - -auth_use_nsswitch(setroubleshoot_fixit_t) - -logging_send_audit_msgs(setroubleshoot_fixit_t) -logging_send_syslog_msg(setroubleshoot_fixit_t) - -miscfiles_read_localization(setroubleshoot_fixit_t) - -userdom_read_all_users_state(setroubleshoot_fixit_t) -userdom_signull_unpriv_users(setroubleshoot_fixit_t) - -optional_policy(` - dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) - setroubleshoot_dbus_chat(setroubleshoot_fixit_t) - - optional_policy(` - policykit_dbus_chat(setroubleshoot_fixit_t) - ') -') - -optional_policy(` - rpm_signull(setroubleshoot_fixit_t) - rpm_read_db(setroubleshoot_fixit_t) - rpm_dontaudit_manage_db(setroubleshoot_fixit_t) - rpm_use_script_fds(setroubleshoot_fixit_t) -') diff --git a/policy/modules/contrib/shorewall.fc b/policy/modules/contrib/shorewall.fc deleted file mode 100644 index 3349532e..00000000 --- a/policy/modules/contrib/shorewall.fc +++ /dev/null @@ -1,29 +0,0 @@ -/etc/rc\.d/init\.d/shorewall.* -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) - -/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) -/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) - -/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) -/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) - -/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) -/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) - -/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) - -/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0) - -/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) - -ifdef(`distro_gentoo',` -/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -') diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if deleted file mode 100644 index 1aeef8ac..00000000 --- a/policy/modules/contrib/shorewall.if +++ /dev/null @@ -1,203 +0,0 @@ -## <summary>Shoreline Firewall high-level tool for configuring netfilter.</summary> - -######################################## -## <summary> -## Execute a domain transition to run shorewall. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`shorewall_domtrans',` - gen_require(` - type shorewall_t, shorewall_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, shorewall_exec_t, shorewall_t) -') - -###################################### -## <summary> -## Execute a domain transition to run shorewall. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`shorewall_lib_domtrans',` - gen_require(` - type shorewall_t, shorewall_var_lib_t; - ') - - files_search_var_lib($1) - domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) -') - -####################################### -## <summary> -## Read shorewall configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`shorewall_read_config',` - gen_require(` - type shorewall_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) -') - -####################################### -## <summary> -## Read shorewall pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`shorewall_read_pid_files',` - gen_require(` - type shorewall_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - -####################################### -## <summary> -## Read and write shorewall pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`shorewall_rw_pid_files',` - gen_require(` - type shorewall_var_run_t; - ') - - files_search_pids($1) - rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - -###################################### -## <summary> -## Read shorewall lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`shorewall_read_lib_files',` - gen_require(` - type shorewall_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -') - -####################################### -## <summary> -## Read and write shorewall lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`shorewall_rw_lib_files',` - gen_require(` - type shorewall_var_lib_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -') - -####################################### -## <summary> -## Read shorewall temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`shorewall_read_tmp_files',` - gen_require(` - type shorewall_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t) -') - -####################################### -## <summary> -## All of the rules required to -## administrate an shorewall environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`shorewall_admin',` - gen_require(` - type shorewall_t, shorewall_lock_t, shorewall_log_t; - type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t; - type shorewall_tmp_t, shorewall_etc_t; - ') - - allow $1 shorewall_t:process { ptrace signal_perms }; - ps_process_pattern($1, shorewall_t) - - init_labeled_script_domtrans($1, shorewall_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 shorewall_initrc_exec_t system_r; - allow $2 system_r; - - can_exec($1, shorewall_exec_t) - - files_list_etc($1) - admin_pattern($1, shorewall_etc_t) - - files_list_locks($1) - admin_pattern($1, shorewall_lock_t) - - logging_list_logs($1) - admin_pattern($1, shorewall_log_t) - - files_list_var_lib($1) - admin_pattern($1, shorewall_var_lib_t) - - files_list_tmp($1) - admin_pattern($1, shorewall_tmp_t) -') diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te deleted file mode 100644 index ca03de61..00000000 --- a/policy/modules/contrib/shorewall.te +++ /dev/null @@ -1,114 +0,0 @@ -policy_module(shorewall, 1.3.5) - -######################################## -# -# Declarations -# - -type shorewall_t; -type shorewall_exec_t; -init_daemon_domain(shorewall_t, shorewall_exec_t) - -type shorewall_initrc_exec_t; -init_script_file(shorewall_initrc_exec_t) - -type shorewall_etc_t; -files_config_file(shorewall_etc_t) - -type shorewall_lock_t; -files_lock_file(shorewall_lock_t) - -type shorewall_tmp_t; -files_tmp_file(shorewall_tmp_t) - -type shorewall_var_lib_t; -domain_entry_file(shorewall_t, shorewall_var_lib_t) - -type shorewall_log_t; -logging_log_file(shorewall_log_t) - -######################################## -# -# Local policy -# - -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; -dontaudit shorewall_t self:capability sys_tty_config; -allow shorewall_t self:fifo_file rw_fifo_file_perms; -allow shorewall_t self:netlink_socket create_socket_perms; - -read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) -list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) - -manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) -files_lock_filetrans(shorewall_t, shorewall_lock_t, file) - -manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -append_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -create_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -setattr_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) - -manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) -manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) -files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir }) - -exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) -manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) -manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) -files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) - -allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; - -kernel_read_kernel_sysctls(shorewall_t) -kernel_read_network_state(shorewall_t) -kernel_read_system_state(shorewall_t) -kernel_rw_net_sysctls(shorewall_t) - -corecmd_exec_bin(shorewall_t) -corecmd_exec_shell(shorewall_t) - -dev_read_sysfs(shorewall_t) -dev_read_urand(shorewall_t) - -domain_read_all_domains_state(shorewall_t) - -files_getattr_kernel_modules(shorewall_t) -files_read_usr_files(shorewall_t) -files_search_kernel_modules(shorewall_t) - -fs_getattr_all_fs(shorewall_t) - -auth_use_nsswitch(shorewall_t) - -init_rw_utmp(shorewall_t) - -logging_read_generic_logs(shorewall_t) -logging_send_syslog_msg(shorewall_t) - -miscfiles_read_localization(shorewall_t) - -sysnet_domtrans_ifconfig(shorewall_t) - -userdom_dontaudit_list_user_home_dirs(shorewall_t) -userdom_use_user_terminals(shorewall_t) - -optional_policy(` - brctl_domtrans(shorewall_t) -') - -optional_policy(` - hostname_exec(shorewall_t) -') - -optional_policy(` - iptables_domtrans(shorewall_t) -') - -optional_policy(` - modutils_domtrans_insmod(shorewall_t) -') - -optional_policy(` - ulogd_search_log(shorewall_t) -') diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc deleted file mode 100644 index a91f33b0..00000000 --- a/policy/modules/contrib/shutdown.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) - -/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - -/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - -/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - -/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - -/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if deleted file mode 100644 index d1706bf8..00000000 --- a/policy/modules/contrib/shutdown.if +++ /dev/null @@ -1,109 +0,0 @@ -## <summary>System shutdown command.</summary> - -######################################## -## <summary> -## Role access for shutdown. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`shutdown_role',` - gen_require(` - type shutdown_t; - ') - - shutdown_run($2, $1) - - allow $2 shutdown_t:process { ptrace signal_perms }; - ps_process_pattern($2, shutdown_t) -') - -######################################## -## <summary> -## Execute a domain transition to run shutdown. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`shutdown_domtrans',` - gen_require(` - type shutdown_t, shutdown_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, shutdown_exec_t, shutdown_t) -') - -######################################## -## <summary> -## Execute shutdown in the shutdown -## domain, and allow the specified role -## the shutdown domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`shutdown_run',` - gen_require(` - attribute_role shutdown_roles; - ') - - shutdown_domtrans($1) - roleattribute $2 shutdown_roles; -') - -######################################## -## <summary> -## Send generic signals to shutdown. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`shutdown_signal',` - gen_require(` - type shutdown_t; - ') - - allow shutdown_t $1:process signal; -') - -######################################## -## <summary> -## Get attributes of shutdown executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`shutdown_getattr_exec_files',` - gen_require(` - type shutdown_exec_t; - ') - - corecmd_search_bin($1) - allow $1 shutdown_exec_t:file getattr_file_perms; -') diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te deleted file mode 100644 index 7880d1f5..00000000 --- a/policy/modules/contrib/shutdown.te +++ /dev/null @@ -1,77 +0,0 @@ -policy_module(shutdown, 1.1.2) - -######################################## -# -# Declarations -# - -attribute_role shutdown_roles; - -type shutdown_t; -type shutdown_exec_t; -init_system_domain(shutdown_t, shutdown_exec_t) -application_domain(shutdown_t, shutdown_exec_t) -role shutdown_roles types shutdown_t; - -type shutdown_etc_t; -files_config_file(shutdown_etc_t) - -type shutdown_var_run_t; -files_pid_file(shutdown_var_run_t) - -######################################## -# -# Local policy -# - -allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config }; -allow shutdown_t self:process { setsched signal signull }; -allow shutdown_t self:fifo_file manage_fifo_file_perms; -allow shutdown_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t) -files_etc_filetrans(shutdown_t, shutdown_etc_t, file) - -manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) -files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) - -kernel_read_system_state(shutdown_t) - -domain_use_interactive_fds(shutdown_t) - -files_delete_boot_flag(shutdown_t) -files_read_generic_pids(shutdown_t) - -mls_file_write_to_clearance(shutdown_t) - -term_use_all_terms(shutdown_t) - -auth_use_nsswitch(shutdown_t) -auth_write_login_records(shutdown_t) - -init_rw_utmp(shutdown_t) -init_stream_connect(shutdown_t) -init_telinit(shutdown_t) - -logging_search_logs(shutdown_t) -logging_send_audit_msgs(shutdown_t) - -miscfiles_read_localization(shutdown_t) - -optional_policy(` - cron_system_entry(shutdown_t, shutdown_exec_t) -') - -optional_policy(` - dbus_system_bus_client(shutdown_t) - dbus_connect_system_bus(shutdown_t) -') - -optional_policy(` - oddjob_dontaudit_rw_fifo_files(shutdown_t) - oddjob_sigchld(shutdown_t) -') - -optional_policy(` - xserver_dontaudit_write_log(shutdown_t) -') diff --git a/policy/modules/contrib/skype.if b/policy/modules/contrib/skype.if index 789b8f8a..88c9849c 100644 --- a/policy/modules/contrib/skype.if +++ b/policy/modules/contrib/skype.if @@ -17,11 +17,11 @@ # interface(`skype_role',` gen_require(` - type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t; + type skype_t, skype_exec_t, skype_home_t; ') - + role $1 types skype_t; - + domtrans_pattern($2, skype_exec_t, skype_t) allow $2 skype_t:process { ptrace signal_perms }; @@ -36,4 +36,4 @@ interface(`skype_role',` relabel_lnk_files_pattern($2, skype_home_t, skype_home_t) ps_process_pattern($2, skype_t) -') +') diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te index c6fffc04..5450b798 100644 --- a/policy/modules/contrib/skype.te +++ b/policy/modules/contrib/skype.te @@ -1,7 +1,7 @@ policy_module(skype, 0.0.2) ############################ -# +# # Declarations # @@ -29,6 +29,9 @@ ubac_constrained(skype_tmp_t) type skype_tmpfs_t; files_tmpfs_file(skype_tmpfs_t) ubac_constrained(skype_tmpfs_t) +optional_policy(` + pulseaudio_tmpfs_content(skype_tmpfs_t) +') ############################ # @@ -41,6 +44,8 @@ allow skype_t self:unix_stream_socket create_socket_perms; allow skype_t self:sem create_sem_perms; allow skype_t self:tcp_socket create_stream_socket_perms; +allow skype_t skype_exec_t:file execmod; + # Allow skype to work with its ~/.skype location manage_dirs_pattern(skype_t, skype_home_t, skype_home_t) manage_files_pattern(skype_t, skype_home_t, skype_home_t) @@ -53,12 +58,13 @@ manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file }) +manage_dirs_pattern(skype_t, skype_tmp_t, skype_tmp_t) manage_files_pattern(skype_t, skype_tmp_t, skype_tmp_t) manage_sock_files_pattern(skype_t, skype_tmp_t, skype_tmp_t) -files_tmp_filetrans(skype_t, skype_tmp_t, { file sock_file }) +files_tmp_filetrans(skype_t, skype_tmp_t, { dir file sock_file }) kernel_dontaudit_search_sysctl(skype_t) -kernel_dontaudit_read_kernel_sysctls(skype_t) +kernel_dontaudit_read_kernel_sysctl(skype_t) kernel_read_network_state(skype_t) kernel_read_system_state(skype_t) @@ -71,15 +77,15 @@ corenet_all_recvfrom_netlabel(skype_t) corenet_all_recvfrom_unlabeled(skype_t) corenet_sendrecv_http_client_packets(skype_t) corenet_tcp_bind_generic_node(skype_t) -corenet_tcp_bind_generic_port(skype_t) +corenet_tcp_bind_generic_port(skype_t) corenet_tcp_connect_all_unreserved_ports(skype_t) corenet_tcp_connect_generic_port(skype_t) corenet_tcp_connect_http_port(skype_t) -corenet_tcp_sendrecv_http_port(skype_t) corenet_udp_bind_generic_node(skype_t) -corenet_udp_bind_generic_port(skype_t) +corenet_udp_bind_generic_port(skype_t) dev_dontaudit_search_sysfs(skype_t) +dev_dontaudit_read_sysfs(skype_t) dev_read_sound(skype_t) dev_read_video_dev(skype_t) dev_write_sound(skype_t) @@ -96,6 +102,7 @@ fs_dontaudit_getattr_xattr_fs(skype_t) auth_use_nsswitch(skype_t) miscfiles_dontaudit_setattr_fonts_dirs(skype_t) +miscfiles_read_generic_certs(skype_t) miscfiles_read_localization(skype_t) userdom_dontaudit_use_user_ttys(skype_t) @@ -109,7 +116,7 @@ tunable_policy(`skype_manage_user_content',` ') optional_policy(` - alsa_read_rw_config(skype_t) + pulseaudio_domtrans(skype_t) ') optional_policy(` @@ -120,3 +127,13 @@ optional_policy(` optional_policy(` xdg_manage_config_home(skype_t) ') + +optional_policy(` + mozilla_dontaudit_manage_user_home_files(skype_t) +') + +ifdef(`use_alsa',` + optional_policy(` + alsa_domain(skype_t, skype_tmpfs_t) + ') +') diff --git a/policy/modules/contrib/slocate.fc b/policy/modules/contrib/slocate.fc deleted file mode 100644 index 6eede98b..00000000 --- a/policy/modules/contrib/slocate.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0) - -/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0) diff --git a/policy/modules/contrib/slocate.if b/policy/modules/contrib/slocate.if deleted file mode 100644 index 1f25803d..00000000 --- a/policy/modules/contrib/slocate.if +++ /dev/null @@ -1,35 +0,0 @@ -## <summary>Update database for mlocate.</summary> - -######################################## -## <summary> -## Create the locate log with append mode. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`slocate_create_append_log',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## <summary> -## Read locate lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`locate_read_lib_files',` - gen_require(` - type locate_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, locate_var_lib_t, locate_var_lib_t) - allow $1 locate_var_lib_t:dir list_dir_perms; -') diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te deleted file mode 100644 index ba26427e..00000000 --- a/policy/modules/contrib/slocate.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(slocate, 1.11.1) - -################################# -# -# Declarations -# - -type locate_t; -type locate_exec_t; -init_system_domain(locate_t, locate_exec_t) - -type locate_var_lib_t; -files_type(locate_var_lib_t) - -######################################## -# -# Local policy -# - -allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; -allow locate_t self:process { execmem execheap execstack signal }; -allow locate_t self:fifo_file rw_fifo_file_perms; -allow locate_t self:unix_stream_socket create_socket_perms; - -manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) -manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) - -kernel_read_system_state(locate_t) -kernel_dontaudit_search_network_state(locate_t) -kernel_dontaudit_search_sysctl(locate_t) - -corecmd_exec_bin(locate_t) - -dev_getattr_all_blk_files(locate_t) -dev_getattr_all_chr_files(locate_t) - -files_list_all(locate_t) -files_dontaudit_read_all_symlinks(locate_t) -files_getattr_all_files(locate_t) -files_getattr_all_pipes(locate_t) -files_getattr_all_sockets(locate_t) -files_read_etc_runtime_files(locate_t) - -fs_getattr_all_fs(locate_t) -fs_getattr_all_files(locate_t) -fs_getattr_all_pipes(locate_t) -fs_getattr_all_symlinks(locate_t) -fs_getattr_all_blk_files(locate_t) -fs_getattr_all_chr_files(locate_t) -fs_list_all(locate_t) -fs_list_inotifyfs(locate_t) -fs_read_noxattr_fs_symlinks(locate_t) - -auth_use_nsswitch(locate_t) - -miscfiles_read_localization(locate_t) - -ifdef(`enable_mls',` - files_dontaudit_getattr_all_dirs(locate_t) -') - -optional_policy(` - cron_system_entry(locate_t, locate_exec_t) -') diff --git a/policy/modules/contrib/slpd.fc b/policy/modules/contrib/slpd.fc deleted file mode 100644 index 5d4a71cb..00000000 --- a/policy/modules/contrib/slpd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/slpd -- gen_context(system_u:object_r:slpd_initrc_exec_t,s0) - -/usr/sbin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0) - -/var/log/slpd\.log.* -- gen_context(system_u:object_r:slpd_log_t,s0) - -/var/run/slpd\.pid -- gen_context(system_u:object_r:slpd_var_run_t,s0) diff --git a/policy/modules/contrib/slpd.if b/policy/modules/contrib/slpd.if deleted file mode 100644 index ca32e894..00000000 --- a/policy/modules/contrib/slpd.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>OpenSLP server daemon to dynamically register services.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an slpd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`slpd_admin',` - gen_require(` - type slpd_t, slpd_initrc_exec_t, slpd_log_t; - type slpd_var_run_t; - ') - - allow $1 slpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, slpd_t) - - init_labeled_script_domtrans($1, slpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 slpd_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, slpd_log_t) - - files_search_pids($1) - admin_pattern($1, slpd_var_run_t) -') diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te deleted file mode 100644 index 66ac42a9..00000000 --- a/policy/modules/contrib/slpd.te +++ /dev/null @@ -1,55 +0,0 @@ -policy_module(slpd, 1.0.3) - -######################################## -# -# Declarations -# - -type slpd_t; -type slpd_exec_t; -init_daemon_domain(slpd_t, slpd_exec_t) - -type slpd_initrc_exec_t; -init_script_file(slpd_initrc_exec_t) - -type slpd_log_t; -logging_log_file(slpd_log_t) - -type slpd_var_run_t; -files_pid_file(slpd_var_run_t) - -######################################## -# -# Local policy -# - -allow slpd_t self:capability { kill setgid setuid }; -allow slpd_t self:process signal; -allow slpd_t self:fifo_file rw_fifo_file_perms; -allow slpd_t self:tcp_socket { accept listen }; -allow slpd_t self:unix_stream_socket create_stream_socket_perms; - -allow slpd_t slpd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(slpd_t, slpd_log_t, file) - -manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t) -files_pid_filetrans(slpd_t, slpd_var_run_t, file) - -corenet_all_recvfrom_unlabeled(slpd_t) -corenet_all_recvfrom_netlabel(slpd_t) -corenet_tcp_sendrecv_generic_if(slpd_t) -corenet_udp_sendrecv_generic_if(slpd_t) -corenet_tcp_sendrecv_generic_node(slpd_t) -corenet_udp_sendrecv_generic_node(slpd_t) -corenet_tcp_sendrecv_all_ports(slpd_t) -corenet_udp_sendrecv_all_ports(slpd_t) -corenet_tcp_bind_generic_node(slpd_t) -corenet_udp_bind_generic_node(slpd_t) - -corenet_sendrecv_svrloc_server_packets(slpd_t) -corenet_tcp_bind_svrloc_port(slpd_t) -corenet_udp_bind_svrloc_port(slpd_t) - -auth_use_nsswitch(slpd_t) - -miscfiles_read_localization(slpd_t) diff --git a/policy/modules/contrib/slrnpull.fc b/policy/modules/contrib/slrnpull.fc deleted file mode 100644 index 72f0b321..00000000 --- a/policy/modules/contrib/slrnpull.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/bin/slrnpull -- gen_context(system_u:object_r:slrnpull_exec_t,s0) - -/var/log/slrnpull\.log.* -- gen_context(system_u:object_r:slrnpull_log_t,s0) - -/var/run/slrnpull\.pid -- gen_context(system_u:object_r:slrnpull_var_run_t,s0) - -/var/spool/slrnpull(/.*)? gen_context(system_u:object_r:slrnpull_spool_t,s0) diff --git a/policy/modules/contrib/slrnpull.if b/policy/modules/contrib/slrnpull.if deleted file mode 100644 index a0b17340..00000000 --- a/policy/modules/contrib/slrnpull.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>Service for downloading news feeds the slrn newsreader.</summary> - -######################################## -## <summary> -## Search slrnpull spool directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`slrnpull_search_spool',` - gen_require(` - type slrnpull_spool_t; - ') - - files_search_spool($1) - allow $1 slrnpull_spool_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## slrnpull spool content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`slrnpull_manage_spool',` - gen_require(` - type slrnpull_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t) - manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t) - manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t) -') diff --git a/policy/modules/contrib/slrnpull.te b/policy/modules/contrib/slrnpull.te deleted file mode 100644 index 54372373..00000000 --- a/policy/modules/contrib/slrnpull.te +++ /dev/null @@ -1,70 +0,0 @@ -policy_module(slrnpull, 1.4.1) - -######################################## -# -# Declarations -# - -type slrnpull_t; -type slrnpull_exec_t; -init_system_domain(slrnpull_t, slrnpull_exec_t) - -type slrnpull_var_run_t; -files_pid_file(slrnpull_var_run_t) - -type slrnpull_spool_t; -files_type(slrnpull_spool_t) - -type slrnpull_log_t; -logging_log_file(slrnpull_log_t) - -######################################## -# -# Local policy -# - -dontaudit slrnpull_t self:capability sys_tty_config; -allow slrnpull_t self:process signal_perms; - -allow slrnpull_t slrnpull_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(slrnpull_t, slrnpull_log_t, file) - -manage_dirs_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) -manage_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) -manage_lnk_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) - -manage_files_pattern(slrnpull_t, slrnpull_var_run_t, slrnpull_var_run_t) -files_pid_filetrans(slrnpull_t, slrnpull_var_run_t, file) - -kernel_list_proc(slrnpull_t) -kernel_read_kernel_sysctls(slrnpull_t) -kernel_read_proc_symlinks(slrnpull_t) - -dev_read_sysfs(slrnpull_t) - -domain_use_interactive_fds(slrnpull_t) - -files_read_etc_files(slrnpull_t) -files_search_spool(slrnpull_t) - -fs_getattr_all_fs(slrnpull_t) -fs_search_auto_mountpoints(slrnpull_t) - -logging_send_syslog_msg(slrnpull_t) - -miscfiles_read_localization(slrnpull_t) - -userdom_dontaudit_use_unpriv_user_fds(slrnpull_t) -userdom_dontaudit_search_user_home_dirs(slrnpull_t) - -optional_policy(` - cron_system_entry(slrnpull_t, slrnpull_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(slrnpull_t) -') - -optional_policy(` - udev_read_db(slrnpull_t) -') diff --git a/policy/modules/contrib/smartmon.fc b/policy/modules/contrib/smartmon.fc deleted file mode 100644 index 8cf2020c..00000000 --- a/policy/modules/contrib/smartmon.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0) -/etc/rc\.d/init\.d/smartmontools -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0) - -/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0) - -/var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) - -/var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0) diff --git a/policy/modules/contrib/smartmon.if b/policy/modules/contrib/smartmon.if deleted file mode 100644 index e0644b5c..00000000 --- a/policy/modules/contrib/smartmon.if +++ /dev/null @@ -1,61 +0,0 @@ -## <summary>Smart disk monitoring daemon.</summary> - -####################################### -## <summary> -## Read smartmon temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`smartmon_read_tmp_files',` - gen_require(` - type fsdaemon_tmp_t; - ') - - files_search_tmp($1) - allow $1 fsdaemon_tmp_t:file read_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an smartmon environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`smartmon_admin',` - gen_require(` - type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t; - type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t; - ') - - allow $1 fsdaemon_t:process { ptrace signal_perms }; - ps_process_pattern($1, fsdaemon_t) - - init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fsdaemon_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, fsdaemon_tmp_t) - - files_list_pids($1) - admin_pattern($1, fsdaemon_var_run_t) - - files_list_var_lib($1) - admin_pattern($1, fsdaemon_var_lib_t) -') diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te deleted file mode 100644 index 9ade9c5a..00000000 --- a/policy/modules/contrib/smartmon.te +++ /dev/null @@ -1,124 +0,0 @@ -policy_module(smartmon, 1.11.3) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether smartmon can support -## devices on 3ware controllers. -## </p> -## </desc> -gen_tunable(smartmon_3ware, false) - -type fsdaemon_t; -type fsdaemon_exec_t; -init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) - -type fsdaemon_initrc_exec_t; -init_script_file(fsdaemon_initrc_exec_t) - -type fsdaemon_var_run_t; -files_pid_file(fsdaemon_var_run_t) - -type fsdaemon_var_lib_t; -files_type(fsdaemon_var_lib_t) - -type fsdaemon_tmp_t; -files_tmp_file(fsdaemon_tmp_t) - -ifdef(`enable_mls',` - init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) -') - -######################################## -# -# Local policy -# - -allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin }; -dontaudit fsdaemon_t self:capability sys_tty_config; -allow fsdaemon_t self:process { getcap setcap signal_perms }; -allow fsdaemon_t self:fifo_file rw_fifo_file_perms; -allow fsdaemon_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) -manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) -files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir }) - -manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) -files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) - -manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t) - -kernel_read_kernel_sysctls(fsdaemon_t) -kernel_read_network_state(fsdaemon_t) -kernel_read_software_raid_state(fsdaemon_t) -kernel_read_system_state(fsdaemon_t) - -corecmd_exec_all_executables(fsdaemon_t) - -dev_read_sysfs(fsdaemon_t) -dev_read_urand(fsdaemon_t) - -domain_use_interactive_fds(fsdaemon_t) - -files_exec_etc_files(fsdaemon_t) -files_read_etc_files(fsdaemon_t) -files_read_etc_runtime_files(fsdaemon_t) -files_read_usr_files(fsdaemon_t) - -fs_getattr_all_fs(fsdaemon_t) -fs_search_auto_mountpoints(fsdaemon_t) - -mls_file_read_all_levels(fsdaemon_t) - -storage_raw_read_fixed_disk(fsdaemon_t) -storage_raw_write_fixed_disk(fsdaemon_t) -storage_raw_read_removable_device(fsdaemon_t) -storage_read_scsi_generic(fsdaemon_t) -storage_write_scsi_generic(fsdaemon_t) - -term_dontaudit_search_ptys(fsdaemon_t) - -application_signull(fsdaemon_t) - -init_read_utmp(fsdaemon_t) - -libs_exec_ld_so(fsdaemon_t) -libs_exec_lib_files(fsdaemon_t) - -logging_send_syslog_msg(fsdaemon_t) - -miscfiles_read_localization(fsdaemon_t) - -sysnet_dns_name_resolve(fsdaemon_t) - -userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) -userdom_dontaudit_search_user_home_dirs(fsdaemon_t) - -tunable_policy(`smartmon_3ware',` - allow fsdaemon_t self:process setfscreate; - - storage_create_fixed_disk_dev(fsdaemon_t) - storage_delete_fixed_disk_dev(fsdaemon_t) - storage_dev_filetrans_fixed_disk(fsdaemon_t) - - selinux_validate_context(fsdaemon_t) - - seutil_read_file_contexts(fsdaemon_t) -') - -optional_policy(` - mta_send_mail(fsdaemon_t) -') - -optional_policy(` - seutil_sigchld_newrole(fsdaemon_t) -') - -optional_policy(` - udev_read_db(fsdaemon_t) -') diff --git a/policy/modules/contrib/smokeping.fc b/policy/modules/contrib/smokeping.fc deleted file mode 100644 index 33598194..00000000 --- a/policy/modules/contrib/smokeping.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0) - -/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0) - -/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0) - -/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0) - -/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0) diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if deleted file mode 100644 index 1fa51c11..00000000 --- a/policy/modules/contrib/smokeping.if +++ /dev/null @@ -1,174 +0,0 @@ -## <summary>Smokeping network latency measurement.</summary> - -######################################## -## <summary> -## Execute a domain transition to run smokeping. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`smokeping_domtrans',` - gen_require(` - type smokeping_t, smokeping_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smokeping_exec_t, smokeping_t) -') - -######################################## -## <summary> -## Execute smokeping init scripts in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`smokeping_initrc_domtrans',` - gen_require(` - type smokeping_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, smokeping_initrc_exec_t) -') - -######################################## -## <summary> -## Read smokeping pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`smokeping_read_pid_files',` - gen_require(` - type smokeping_var_run_t; - ') - - files_search_pids($1) - allow $1 smokeping_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## smokeping pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`smokeping_manage_pid_files',` - gen_require(` - type smokeping_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t) -') - -######################################## -## <summary> -## Get attributes of smokeping lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`smokeping_getattr_lib_files',` - gen_require(` - type smokeping_var_lib_t; - ') - - files_search_var_lib($1) - getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) -') - -######################################## -## <summary> -## Read smokeping lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`smokeping_read_lib_files',` - gen_require(` - type smokeping_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## smokeping lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`smokeping_manage_lib_files',` - gen_require(` - type smokeping_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate a smokeping environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`smokeping_admin',` - gen_require(` - type smokeping_t, smokeping_initrc_exec_t, smokeping_var_lib_t; - type smokeping_var_run_t; - ') - - allow $1 smokeping_t:process { ptrace signal_perms }; - ps_process_pattern($1, smokeping_t) - - smokeping_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 smokeping_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, smokeping_var_lib_t) - - files_search_pids($1) - admin_pattern($1, smokeping_var_run_t) -') diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te deleted file mode 100644 index a8b1aaf2..00000000 --- a/policy/modules/contrib/smokeping.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(smokeping, 1.1.2) - -######################################## -# -# Declarations -# - -type smokeping_t; -type smokeping_exec_t; -init_daemon_domain(smokeping_t, smokeping_exec_t) - -type smokeping_initrc_exec_t; -init_script_file(smokeping_initrc_exec_t) - -type smokeping_var_run_t; -files_pid_file(smokeping_var_run_t) - -type smokeping_var_lib_t; -files_type(smokeping_var_lib_t) - -######################################## -# -# Local policy -# - -dontaudit smokeping_t self:capability { dac_read_search dac_override }; -allow smokeping_t self:fifo_file rw_fifo_file_perms; -allow smokeping_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) -manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) -files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir }) - -manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) -manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) -files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir }) - -corecmd_exec_bin(smokeping_t) - -dev_read_urand(smokeping_t) - -files_read_usr_files(smokeping_t) -files_search_tmp(smokeping_t) - -auth_use_nsswitch(smokeping_t) -auth_dontaudit_read_shadow(smokeping_t) - -logging_send_syslog_msg(smokeping_t) - -miscfiles_read_localization(smokeping_t) - -mta_send_mail(smokeping_t) - -netutils_domtrans_ping(smokeping_t) - -####################################### -# -# Cgi local policy -# - -optional_policy(` - apache_content_template(smokeping_cgi) - - manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - - getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) - - files_read_etc_files(httpd_smokeping_cgi_script_t) - files_search_tmp(httpd_smokeping_cgi_script_t) - files_search_var_lib(httpd_smokeping_cgi_script_t) - - sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) - - netutils_domtrans_ping(httpd_smokeping_cgi_script_t) -') diff --git a/policy/modules/contrib/smoltclient.fc b/policy/modules/contrib/smoltclient.fc deleted file mode 100644 index 27ddf8de..00000000 --- a/policy/modules/contrib/smoltclient.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) diff --git a/policy/modules/contrib/smoltclient.if b/policy/modules/contrib/smoltclient.if deleted file mode 100644 index 44a8ff1f..00000000 --- a/policy/modules/contrib/smoltclient.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>The Fedora hardware profiler client.</summary> diff --git a/policy/modules/contrib/smoltclient.te b/policy/modules/contrib/smoltclient.te deleted file mode 100644 index 9c8f9a50..00000000 --- a/policy/modules/contrib/smoltclient.te +++ /dev/null @@ -1,82 +0,0 @@ -policy_module(smoltclient, 1.1.1) - -######################################## -# -# Declarations -# - -type smoltclient_t; -type smoltclient_exec_t; -application_domain(smoltclient_t, smoltclient_exec_t) - -type smoltclient_tmp_t; -files_tmp_file(smoltclient_tmp_t) - -######################################## -# -# Local policy -# - -allow smoltclient_t self:process { setsched getsched }; -allow smoltclient_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) -manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) -files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file }) - -can_exec(smoltclient_t, smoltclient_tmp_t) - -kernel_read_system_state(smoltclient_t) -kernel_read_network_state(smoltclient_t) -kernel_read_kernel_sysctls(smoltclient_t) - -corecmd_exec_bin(smoltclient_t) -corecmd_exec_shell(smoltclient_t) - -corenet_all_recvfrom_unlabeled(smoltclient_t) -corenet_all_recvfrom_netlabel(smoltclient_t) -corenet_tcp_sendrecv_generic_if(smoltclient_t) -corenet_tcp_sendrecv_generic_node(smoltclient_t) - -corenet_sendrecv_http_client_packets(smoltclient_t) -corenet_tcp_connect_http_port(smoltclient_t) -corenet_tcp_sendrecv_http_port(smoltclient_t) - -dev_read_sysfs(smoltclient_t) -dev_read_urand(smoltclient_t) - -fs_getattr_all_fs(smoltclient_t) -fs_getattr_all_dirs(smoltclient_t) -fs_list_auto_mountpoints(smoltclient_t) - -files_getattr_generic_locks(smoltclient_t) -files_read_etc_runtime_files(smoltclient_t) -files_read_usr_files(smoltclient_t) - -auth_use_nsswitch(smoltclient_t) - -logging_send_syslog_msg(smoltclient_t) - -miscfiles_read_hwdata(smoltclient_t) -miscfiles_read_localization(smoltclient_t) - -optional_policy(` - abrt_stream_connect(smoltclient_t) -') - -optional_policy(` - cron_system_entry(smoltclient_t, smoltclient_exec_t) -') - -optional_policy(` - dbus_system_bus_client(smoltclient_t) - - optional_policy(` - hal_dbus_chat(smoltclient_t) - ') -') - -optional_policy(` - rpm_exec(smoltclient_t) - rpm_read_db(smoltclient_t) -') diff --git a/policy/modules/contrib/smstools.fc b/policy/modules/contrib/smstools.fc deleted file mode 100644 index 8e7d8253..00000000 --- a/policy/modules/contrib/smstools.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/smsd\.conf -- gen_context(system_u:object_r:smsd_conf_t,s0) - -/etc/rc\.d/init\.d/((smsd)|(smstools)) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0) - -/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0) - -/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0) - -/var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0) - -/var/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0) - -/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0) diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if deleted file mode 100644 index cbfe369a..00000000 --- a/policy/modules/contrib/smstools.if +++ /dev/null @@ -1,49 +0,0 @@ -## <summary> Tools to send and receive short messages through GSM modems or mobile phones.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an smstools environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`smstools_admin',` - gen_require(` - type smsd_t, smsd_initrc_exec_t, smsd_conf_t; - type smsd_log_t, smsd_var_lib_t, smsd_var_run_t; - type smsd_spool_t; - ') - - allow $1 smsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, smsd_t) - - init_labeled_script_domtrans($1, smsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 smsd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_config($1) - admin_pattern($1, smsd_conf_t) - - files_search_var_lib($1) - admin_pattern($1, smsd_var_lib_t) - - files_search_spool($1) - admin_pattern($1, smsd_spool_t) - - files_search_pids($1) - admin_pattern($1, smsd_var_run_t) - - logging_search_logs($1) - admin_pattern($1, smsd_log_t) -') diff --git a/policy/modules/contrib/smstools.te b/policy/modules/contrib/smstools.te deleted file mode 100644 index 5ccf83cf..00000000 --- a/policy/modules/contrib/smstools.te +++ /dev/null @@ -1,74 +0,0 @@ -policy_module(smstools, 1.0.0) - -######################################## -# -# Declarations -# - -type smsd_t; -type smsd_exec_t; -init_daemon_domain(smsd_t, smsd_exec_t) - -type smsd_initrc_exec_t; -init_script_file(smsd_initrc_exec_t) - -type smsd_conf_t; -files_config_file(smsd_conf_t) - -type smsd_log_t; -logging_log_file(smsd_log_t) - -type smsd_var_lib_t; -files_type(smsd_var_lib_t) - -type smsd_var_run_t; -files_pid_file(smsd_var_run_t) - -type smsd_spool_t; -files_type(smsd_spool_t) - -######################################## -# -# Local policy -# - -allow smsd_t self:capability { kill setgid setuid }; -allow smsd_t self:process signal; -allow smsd_t self:fifo_file rw_fifo_file_perms; -allow smsd_t self:unix_stream_socket { accept listen }; - -allow smsd_t smsd_conf_t:file read_file_perms; - -manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t) -create_files_pattern(smsd_t, smsd_log_t, smsd_log_t) -append_files_pattern(smsd_t, smsd_log_t, smsd_log_t) -setattr_files_pattern(smsd_t, smsd_log_t, smsd_log_t) -manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t) -logging_log_filetrans(smsd_t, smsd_log_t, { dir file }) - -manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t) -manage_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t) -manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t) - -manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) -manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) -manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) -files_pid_filetrans(smsd_t, smsd_var_run_t, { dir file }) - -manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t) -manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t) -manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t) -files_spool_filetrans(smsd_t, smsd_spool_t, dir) - -kernel_read_kernel_sysctls(smsd_t) -kernel_read_system_state(smsd_t) - -corecmd_exec_shell(smsd_t) - -auth_use_nsswitch(smsd_t) - -logging_send_syslog_msg(smsd_t) - -optional_policy(` - mysql_stream_connect(smsd_t) -') diff --git a/policy/modules/contrib/snmp.fc b/policy/modules/contrib/snmp.fc deleted file mode 100644 index c73fa248..00000000 --- a/policy/modules/contrib/snmp.fc +++ /dev/null @@ -1,18 +0,0 @@ -/etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) - -/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0) -/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0) - -/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) -/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) -/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) - -/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) -/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) -/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if deleted file mode 100644 index bf78fa94..00000000 --- a/policy/modules/contrib/snmp.if +++ /dev/null @@ -1,218 +0,0 @@ -## <summary>Simple network management protocol services.</summary> - -######################################## -## <summary> -## Connect to snmpd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`snmp_stream_connect',` - gen_require(` - type snmpd_t, snmpd_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) -') - -######################################## -## <summary> -## Connect to snmp over the TCP network. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`snmp_tcp_connect',` - gen_require(` - type snmpd_t; - ') - - corenet_tcp_recvfrom_labeled($1, snmpd_t) - corenet_tcp_sendrecv_snmp_port($1) - corenet_tcp_connect_snmp_port($1) - corenet_sendrecv_snmp_client_packets($1) -') - -######################################## -## <summary> -## Send and receive UDP traffic to SNMP (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`snmp_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## Create, read, write, and delete -## snmp lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`snmp_manage_var_lib_dirs',` - gen_require(` - type snmpd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 snmpd_var_lib_t:dir manage_dir_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## snmp lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`snmp_manage_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 snmpd_var_lib_t:dir list_dir_perms; - manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -') - -######################################## -## <summary> -## Read snmpd lib content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`snmp_read_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - allow $1 snmpd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -') - -######################################## -## <summary> -## Do not audit attempts to read -## snmpd lib content. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`snmp_dontaudit_read_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; - dontaudit $1 snmpd_var_lib_t:file read_file_perms; - dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to write -## snmpd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`snmp_dontaudit_write_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - dontaudit $1 snmpd_var_lib_t:file write; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an snmp environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`snmp_admin',` - gen_require(` - type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t; - type snmpd_var_lib_t, snmpd_var_run_t; - ') - - allow $1 snmpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, snmpd_t) - - init_labeled_script_domtrans($1, snmpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 snmpd_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, snmpd_log_t) - - files_list_var_lib($1) - admin_pattern($1, snmpd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, snmpd_var_run_t) -') - -# Gentoo stuff but cannot use ifdef distro_gentoo - -######################################## -## <summary> -## Append to the snmp variable lib data -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`snmp_append_var_lib_files',` - gen_require(` - type snmp_var_lib_t; - ') - - allow $1 snmp_var_lib_t:file append_file_perms; -') diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te deleted file mode 100644 index 81864ce2..00000000 --- a/policy/modules/contrib/snmp.te +++ /dev/null @@ -1,185 +0,0 @@ -policy_module(snmp, 1.13.4) - -######################################## -# -# Declarations -# - -type snmpd_t; -type snmpd_exec_t; -init_daemon_domain(snmpd_t, snmpd_exec_t) - -type snmpd_initrc_exec_t; -init_script_file(snmpd_initrc_exec_t) - -type snmpd_log_t; -logging_log_file(snmpd_log_t) - -type snmpd_var_run_t; -files_pid_file(snmpd_var_run_t) - -type snmpd_var_lib_t; -files_type(snmpd_var_lib_t) - -######################################## -# -# Local policy -# - -allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; -dontaudit snmpd_t self:capability { sys_module sys_tty_config }; -allow snmpd_t self:process { signal_perms getsched setsched }; -allow snmpd_t self:fifo_file rw_fifo_file_perms; -allow snmpd_t self:unix_stream_socket { accept connectto listen }; -allow snmpd_t self:tcp_socket { accept listen }; -allow snmpd_t self:udp_socket connected_stream_socket_perms; - -allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(snmpd_t, snmpd_log_t, file) - -manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) -manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) -manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) -files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) -files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) -files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file }) - -manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) -manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) -files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir }) - -kernel_read_device_sysctls(snmpd_t) -kernel_read_kernel_sysctls(snmpd_t) -kernel_read_fs_sysctls(snmpd_t) -kernel_read_net_sysctls(snmpd_t) -kernel_read_network_state(snmpd_t) -kernel_read_system_state(snmpd_t) - -corecmd_exec_bin(snmpd_t) -corecmd_exec_shell(snmpd_t) - -corenet_all_recvfrom_unlabeled(snmpd_t) -corenet_all_recvfrom_netlabel(snmpd_t) -corenet_tcp_sendrecv_generic_if(snmpd_t) -corenet_udp_sendrecv_generic_if(snmpd_t) -corenet_tcp_sendrecv_generic_node(snmpd_t) -corenet_udp_sendrecv_generic_node(snmpd_t) -corenet_tcp_bind_generic_node(snmpd_t) -corenet_udp_bind_generic_node(snmpd_t) - -corenet_sendrecv_snmp_server_packets(snmpd_t) -corenet_sendrecv_snmp_client_packets(snmpd_t) -corenet_tcp_bind_snmp_port(snmpd_t) -corenet_tcp_connect_snmp_port(snmpd_t) -corenet_udp_bind_snmp_port(snmpd_t) -corenet_tcp_sendrecv_snmp_port(snmpd_t) -corenet_udp_sendrecv_snmp_port(snmpd_t) - -corenet_sendrecv_snmp_client_packets(snmpd_t) -corenet_tcp_connect_agentx_port(snmpd_t) -corenet_sendrecv_snmp_server_packets(snmpd_t) -corenet_tcp_bind_agentx_port(snmpd_t) -corenet_udp_bind_agentx_port(snmpd_t) -corenet_tcp_sendrecv_agentx_port(snmpd_t) -corenet_udp_sendrecv_agentx_port(snmpd_t) - -dev_list_sysfs(snmpd_t) -dev_read_sysfs(snmpd_t) -dev_read_urand(snmpd_t) -dev_read_rand(snmpd_t) -dev_getattr_usbfs_dirs(snmpd_t) - -domain_use_interactive_fds(snmpd_t) -domain_signull_all_domains(snmpd_t) -domain_read_all_domains_state(snmpd_t) -domain_exec_all_entry_files(snmpd_t) - -files_read_usr_files(snmpd_t) -files_read_etc_runtime_files(snmpd_t) -files_search_home(snmpd_t) - -fs_getattr_all_dirs(snmpd_t) -fs_getattr_all_fs(snmpd_t) -files_list_all(snmpd_t) -files_search_all_mountpoints(snmpd_t) -fs_search_auto_mountpoints(snmpd_t) - -storage_dontaudit_read_fixed_disk(snmpd_t) -storage_dontaudit_read_removable_device(snmpd_t) -storage_dontaudit_write_removable_device(snmpd_t) - -auth_use_nsswitch(snmpd_t) - -init_read_utmp(snmpd_t) -init_dontaudit_write_utmp(snmpd_t) - -logging_send_syslog_msg(snmpd_t) - -miscfiles_read_localization(snmpd_t) - -seutil_dontaudit_search_config(snmpd_t) - -userdom_dontaudit_use_unpriv_user_fds(snmpd_t) -userdom_dontaudit_search_user_home_dirs(snmpd_t) - -optional_policy(` - amanda_dontaudit_read_dumpdates(snmpd_t) -') - -optional_policy(` - consoletype_exec(snmpd_t) -') - -optional_policy(` - corosync_stream_connect(snmpd_t) -') - -optional_policy(` - cups_read_rw_config(snmpd_t) -') - -optional_policy(` - mta_read_config(snmpd_t) - mta_search_queue(snmpd_t) -') - -optional_policy(` - ricci_stream_connect_modclusterd(snmpd_t) -') - -optional_policy(` - rpc_search_nfs_state_data(snmpd_t) -') - -optional_policy(` - rpm_read_db(snmpd_t) - rpm_dontaudit_manage_db(snmpd_t) -') - -optional_policy(` - sendmail_read_log(snmpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(snmpd_t) -') - -optional_policy(` - squid_read_config(snmpd_t) -') - -optional_policy(` - udev_read_db(snmpd_t) -') - -optional_policy(` - virt_stream_connect(snmpd_t) -') - -optional_policy(` - kernel_read_xen_state(snmpd_t) - kernel_write_xen_state(snmpd_t) - - xen_stream_connect(snmpd_t) - xen_stream_connect_xenstore(snmpd_t) -') diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc deleted file mode 100644 index 24a8e1b8..00000000 --- a/policy/modules/contrib/snort.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0) - -/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) - -/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) - -/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) -/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) - -/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) - -/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if deleted file mode 100644 index 7d86b348..00000000 --- a/policy/modules/contrib/snort.if +++ /dev/null @@ -1,61 +0,0 @@ -## <summary>Snort network intrusion detection system.</summary> - -######################################## -## <summary> -## Execute a domain transition to run snort. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`snort_domtrans',` - gen_require(` - type snort_t, snort_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, snort_exec_t, snort_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an snort environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`snort_admin',` - gen_require(` - type snort_t, snort_var_run_t, snort_log_t; - type snort_etc_t, snort_initrc_exec_t; - ') - - allow $1 snort_t:process { ptrace signal_perms }; - ps_process_pattern($1, snort_t) - - init_labeled_script_domtrans($1, snort_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 snort_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, snort_etc_t) - files_search_etc($1) - - admin_pattern($1, snort_log_t) - logging_search_logs($1) - - admin_pattern($1, snort_var_run_t) - files_search_pids($1) -') diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te deleted file mode 100644 index ccd28bbc..00000000 --- a/policy/modules/contrib/snort.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(snort, 1.10.1) - -######################################## -# -# Declarations -# - -type snort_t; -type snort_exec_t; -init_daemon_domain(snort_t, snort_exec_t) - -type snort_etc_t; -files_config_file(snort_etc_t) - -type snort_initrc_exec_t; -init_script_file(snort_initrc_exec_t) - -type snort_log_t; -logging_log_file(snort_log_t) - -type snort_tmp_t; -files_tmp_file(snort_tmp_t) - -type snort_var_run_t; -files_pid_file(snort_var_run_t) - -######################################## -# -# Local policy -# - -allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; -dontaudit snort_t self:capability sys_tty_config; -allow snort_t self:process signal_perms; -allow snort_t self:netlink_socket create_socket_perms; -allow snort_t self:tcp_socket { accept listen }; -allow snort_t self:packet_socket create_socket_perms; -allow snort_t self:socket create_socket_perms; -allow snort_t self:netlink_firewall_socket create_socket_perms; - -allow snort_t snort_etc_t:dir list_dir_perms; -allow snort_t snort_etc_t:file read_file_perms; -allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(snort_t, snort_log_t, snort_log_t) -append_files_pattern(snort_t, snort_log_t, snort_log_t) -create_files_pattern(snort_t, snort_log_t, snort_log_t) -setattr_files_pattern(snort_t, snort_log_t, snort_log_t) -logging_log_filetrans(snort_t, snort_log_t, { file dir }) - -manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) -manage_files_pattern(snort_t, snort_tmp_t, snort_tmp_t) -files_tmp_filetrans(snort_t, snort_tmp_t, { file dir }) - -manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t) -files_pid_filetrans(snort_t, snort_var_run_t, file) - -kernel_read_kernel_sysctls(snort_t) -kernel_read_sysctl(snort_t) -kernel_list_proc(snort_t) -kernel_read_proc_symlinks(snort_t) -kernel_request_load_module(snort_t) -kernel_dontaudit_read_system_state(snort_t) -kernel_read_network_state(snort_t) - -corenet_all_recvfrom_unlabeled(snort_t) -corenet_all_recvfrom_netlabel(snort_t) -corenet_tcp_sendrecv_generic_if(snort_t) -corenet_udp_sendrecv_generic_if(snort_t) -corenet_raw_sendrecv_generic_if(snort_t) -corenet_tcp_sendrecv_generic_node(snort_t) -corenet_udp_sendrecv_generic_node(snort_t) -corenet_raw_sendrecv_generic_node(snort_t) -corenet_tcp_sendrecv_all_ports(snort_t) -corenet_udp_sendrecv_all_ports(snort_t) - -corenet_sendrecv_prelude_client_packets(snort_t) -corenet_tcp_connect_prelude_port(snort_t) -corenet_tcp_sendrecv_prelude_port(snort_t) - -dev_read_sysfs(snort_t) -dev_read_rand(snort_t) -dev_read_urand(snort_t) -dev_read_usbmon_dev(snort_t) -dev_rw_generic_usb_dev(snort_t) - -domain_use_interactive_fds(snort_t) - -files_read_etc_files(snort_t) -files_dontaudit_read_etc_runtime_files(snort_t) - -fs_getattr_all_fs(snort_t) -fs_search_auto_mountpoints(snort_t) - -init_read_utmp(snort_t) - -logging_send_syslog_msg(snort_t) - -miscfiles_read_localization(snort_t) - -sysnet_dns_name_resolve(snort_t) - -userdom_dontaudit_use_unpriv_user_fds(snort_t) -userdom_dontaudit_search_user_home_dirs(snort_t) - -optional_policy(` - prelude_manage_spool(snort_t) -') - -optional_policy(` - seutil_sigchld_newrole(snort_t) -') - -optional_policy(` - udev_read_db(snort_t) -') diff --git a/policy/modules/contrib/sosreport.fc b/policy/modules/contrib/sosreport.fc deleted file mode 100644 index 704e2dab..00000000 --- a/policy/modules/contrib/sosreport.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) - -/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0) diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if deleted file mode 100644 index 634c6b4f..00000000 --- a/policy/modules/contrib/sosreport.if +++ /dev/null @@ -1,129 +0,0 @@ -## <summary>Generate debugging information for system.</summary> - -######################################## -## <summary> -## Execute a domain transition to run sosreport. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`sosreport_domtrans',` - gen_require(` - type sosreport_t, sosreport_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, sosreport_exec_t, sosreport_t) -') - -######################################## -## <summary> -## Execute sosreport in the sosreport -## domain, and allow the specified -## role the sosreport domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`sosreport_run',` - gen_require(` - attribute_role sosreport_roles; - ') - - sosreport_domtrans($1) - roleattribute $2 sospreport_roles; -') - -######################################## -## <summary> -## Role access for sosreport. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`sosreport_role',` - gen_require(` - type sosreport_t; - ') - - sosreport_run($2, $1) - - allow $2 sosreport_t:process { ptrace signal_perms }; - ps_process_pattern($2, sosreport_t) -') - -######################################## -## <summary> -## Read sosreport temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sosreport_read_tmp_files',` - gen_require(` - type sosreport_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) -') - -######################################## -## <summary> -## Append sosreport temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sosreport_append_tmp_files',` - gen_require(` - type sosreport_tmp_t; - ') - - files_search_tmp($1) - append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) -') - -######################################## -## <summary> -## Delete sosreport temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sosreport_delete_tmp_files',` - gen_require(` - type sosreport_tmp_t; - ') - - files_delete_tmp_dir_entry($1) - delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) -') diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te deleted file mode 100644 index 703efa33..00000000 --- a/policy/modules/contrib/sosreport.te +++ /dev/null @@ -1,145 +0,0 @@ -policy_module(sosreport, 1.2.2) - -######################################## -# -# Declarations -# - -attribute_role sosreport_roles; -roleattribute system_r sosreport_roles; - -type sosreport_t; -type sosreport_exec_t; -application_domain(sosreport_t, sosreport_exec_t) -role sosreport_roles types sosreport_t; - -type sosreport_tmp_t; -files_tmp_file(sosreport_tmp_t) - -type sosreport_tmpfs_t; -files_tmpfs_file(sosreport_tmpfs_t) - -optional_policy(` - pulseaudio_tmpfs_content(sosreport_tmpfs_t) -') - -######################################## -# -# Local policy -# - -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; -allow sosreport_t self:process { setsched signull }; -allow sosreport_t self:fifo_file rw_fifo_file_perms; -allow sosreport_t self:tcp_socket { accept listen }; -allow sosreport_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") -files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) - -manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) -fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) - -kernel_read_network_state(sosreport_t) -kernel_read_all_sysctls(sosreport_t) -kernel_read_software_raid_state(sosreport_t) -kernel_search_debugfs(sosreport_t) -kernel_read_messages(sosreport_t) - -corecmd_exec_all_executables(sosreport_t) - -dev_getattr_all_chr_files(sosreport_t) -dev_getattr_all_blk_files(sosreport_t) -dev_getattr_mtrr_dev(sosreport_t) -dev_read_rand(sosreport_t) -dev_read_urand(sosreport_t) -dev_read_raw_memory(sosreport_t) -dev_read_sysfs(sosreport_t) - -domain_getattr_all_domains(sosreport_t) -domain_read_all_domains_state(sosreport_t) -domain_getattr_all_sockets(sosreport_t) -domain_getattr_all_pipes(sosreport_t) - -files_getattr_all_sockets(sosreport_t) -files_exec_etc_files(sosreport_t) -files_list_all(sosreport_t) -files_read_config_files(sosreport_t) -files_read_generic_tmp_files(sosreport_t) -files_read_non_auth_files(sosreport_t) -files_read_usr_files(sosreport_t) -files_read_var_lib_files(sosreport_t) -files_read_var_symlinks(sosreport_t) -files_read_kernel_modules(sosreport_t) -files_read_all_symlinks(sosreport_t) -files_manage_etc_runtime_files(sosreport_t) -files_etc_filetrans_etc_runtime(sosreport_t, file) - -fs_getattr_all_fs(sosreport_t) -fs_list_inotifyfs(sosreport_t) - -storage_dontaudit_read_fixed_disk(sosreport_t) -storage_dontaudit_read_removable_device(sosreport_t) - -auth_use_nsswitch(sosreport_t) - -init_domtrans_script(sosreport_t) - -libs_domtrans_ldconfig(sosreport_t) - -logging_read_all_logs(sosreport_t) -logging_send_syslog_msg(sosreport_t) - -miscfiles_read_localization(sosreport_t) - -modutils_read_module_deps(sosreport_t) - -optional_policy(` - abrt_manage_pid_files(sosreport_t) - abrt_manage_cache(sosreport_t) -') - -optional_policy(` - cups_stream_connect(sosreport_t) -') - -optional_policy(` - dmesg_domtrans(sosreport_t) -') - -optional_policy(` - fstools_domtrans(sosreport_t) -') - -optional_policy(` - dbus_system_bus_client(sosreport_t) - - optional_policy(` - hal_dbus_chat(sosreport_t) - ') -') - -optional_policy(` - lvm_domtrans(sosreport_t) -') - -optional_policy(` - mount_domtrans(sosreport_t) -') - -optional_policy(` - pulseaudio_run(sosreport_t, sosreport_roles) -') - -optional_policy(` - rpm_exec(sosreport_t) - rpm_dontaudit_manage_db(sosreport_t) - rpm_read_db(sosreport_t) -') - -optional_policy(` - xserver_stream_connect(sosreport_t) -') diff --git a/policy/modules/contrib/soundserver.fc b/policy/modules/contrib/soundserver.fc deleted file mode 100644 index 02c23b33..00000000 --- a/policy/modules/contrib/soundserver.fc +++ /dev/null @@ -1,14 +0,0 @@ -/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) -/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) - -/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0) - -/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0) -/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0) - -/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) - -/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0) -/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) - -/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if deleted file mode 100644 index a5abc5a8..00000000 --- a/policy/modules/contrib/soundserver.if +++ /dev/null @@ -1,63 +0,0 @@ -## <summary>sound server for network audio server programs, nasd, yiff, etc</summary> - -######################################## -## <summary> -## Connect to the sound server over a TCP socket (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`soundserver_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an soundd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`soundserver_admin',` - gen_require(` - type soundd_t, soundd_etc_t, soundd_initrc_exec_t; - type soundd_tmp_t, soundd_var_run_t, soundd_tmpfs_t; - type soundd_state_t; - ') - - allow $1 soundd_t:process { ptrace signal_perms }; - ps_process_pattern($1, soundd_t) - - init_labeled_script_domtrans($1, soundd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 soundd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, soundd_etc_t) - - files_list_tmp($1) - admin_pattern($1, soundd_tmp_t) - - fs_list_tmpfs($1) - admin_pattern($1, soundd_tmpfs_t) - - files_list_var($1) - admin_pattern($1, soundd_state_t) - - files_list_pids($1) - admin_pattern($1, soundd_var_run_t) -') diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te deleted file mode 100644 index db1bc6f2..00000000 --- a/policy/modules/contrib/soundserver.te +++ /dev/null @@ -1,109 +0,0 @@ -policy_module(soundserver, 1.8.1) - -######################################## -# -# Declarations -# - -type soundd_t; -type soundd_exec_t; -init_daemon_domain(soundd_t, soundd_exec_t) - -type soundd_etc_t alias etc_soundd_t; -files_config_file(soundd_etc_t) - -type soundd_initrc_exec_t; -init_script_file(soundd_initrc_exec_t) - -type soundd_state_t; -files_type(soundd_state_t) - -type soundd_tmp_t; -files_tmp_file(soundd_tmp_t) - -type soundd_tmpfs_t; -files_tmpfs_file(soundd_tmpfs_t) - -type soundd_var_run_t; -files_pid_file(soundd_var_run_t) - -######################################## -# -# Declarations -# - -allow soundd_t self:capability dac_override; -dontaudit soundd_t self:capability sys_tty_config; -allow soundd_t self:process { setpgid signal_perms }; -allow soundd_t self:shm create_shm_perms; -allow soundd_t self:tcp_socket create_stream_socket_perms; -allow soundd_t self:udp_socket create_socket_perms; -allow soundd_t self:unix_stream_socket { accept connectto listen }; - -read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) -read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) - -manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t) -manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t) - -manage_dirs_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t) -manage_files_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t) -files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir }) - -manage_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -manage_lnk_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) -manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) -manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) -files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(soundd_t) -kernel_list_proc(soundd_t) -kernel_read_proc_symlinks(soundd_t) - -corenet_all_recvfrom_unlabeled(soundd_t) -corenet_all_recvfrom_netlabel(soundd_t) -corenet_tcp_sendrecv_generic_if(soundd_t) -corenet_tcp_sendrecv_generic_node(soundd_t) -corenet_tcp_bind_generic_node(soundd_t) - -corenet_sendrecv_soundd_server_packets(soundd_t) -corenet_tcp_bind_soundd_port(soundd_t) -corenet_tcp_sendrecv_soundd_port(soundd_t) - -dev_read_sysfs(soundd_t) -dev_read_sound(soundd_t) -dev_write_sound(soundd_t) - -domain_use_interactive_fds(soundd_t) - -files_read_etc_files(soundd_t) -files_read_etc_runtime_files(soundd_t) - -fs_getattr_all_fs(soundd_t) -fs_search_auto_mountpoints(soundd_t) - -logging_send_syslog_msg(soundd_t) - -miscfiles_read_localization(soundd_t) - -sysnet_read_config(soundd_t) - -userdom_dontaudit_use_unpriv_user_fds(soundd_t) -userdom_dontaudit_search_user_home_dirs(soundd_t) - -optional_policy(` - alsa_domtrans(soundd_t) -') - -optional_policy(` - seutil_sigchld_newrole(soundd_t) -') - -optional_policy(` - udev_read_db(soundd_t) -') diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc deleted file mode 100644 index e9bd097b..00000000 --- a/policy/modules/contrib/spamassassin.fc +++ /dev/null @@ -1,31 +0,0 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) -HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) - -/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) - -/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) -/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0) - -/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) -/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0) -/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0) -/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) - -/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) -/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) - -/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0) -/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0) - -/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) - -/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if deleted file mode 100644 index 1499b0bb..00000000 --- a/policy/modules/contrib/spamassassin.if +++ /dev/null @@ -1,408 +0,0 @@ -## <summary>Filter used for removing unsolicited email.</summary> - -######################################## -## <summary> -## Role access for spamassassin. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`spamassassin_role',` - gen_require(` - type spamc_t, spamc_exec_t, spamc_tmp_t; - type spamassassin_t, spamassassin_exec_t, spamd_home_t; - type spamassassin_home_t, spamassassin_tmp_t; - ') - - role $1 types { spamc_t spamassassin_t }; - - domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) - domtrans_pattern($2, spamc_exec_t, spamc_t) - - allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms }; - ps_process_pattern($2, { spamc_t spamassassin_t }) - - allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin") - userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd") -') - -######################################## -## <summary> -## Execute the standalone spamassassin -## program in the caller directory. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_exec',` - gen_require(` - type spamassassin_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, spamassassin_exec_t) -') - -######################################## -## <summary> -## Send generic signals to spamd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_signal_spamd',` - gen_require(` - type spamd_t; - ') - - allow $1 spamd_t:process signal; -') - -######################################## -## <summary> -## Execute spamd in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_exec_spamd',` - gen_require(` - type spamd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, spamd_exec_t) -') - -######################################## -## <summary> -## Execute spamc in the spamc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`spamassassin_domtrans_client',` - gen_require(` - type spamc_t, spamc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, spamc_exec_t, spamc_t) -') - -######################################## -## <summary> -## Execute spamc in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_exec_client',` - gen_require(` - type spamc_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, spamc_exec_t) -') - -######################################## -## <summary> -## Send kill signals to spamc. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_kill_client',` - gen_require(` - type spamc_t; - ') - - allow $1 spamc_t:process sigkill; -') - -######################################## -## <summary> -## Execute spamassassin standalone client -## in the user spamassassin domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`spamassassin_domtrans_local_client',` - gen_require(` - type spamassassin_t, spamassassin_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## spamd home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_manage_spamd_home_content',` - gen_require(` - type spamd_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 spamd_home_t:dir manage_dir_perms; - allow $1 spamd_home_t:file manage_file_perms; - allow $1 spamd_home_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Relabel spamd home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_relabel_spamd_home_content',` - gen_require(` - type spamd_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 spamd_home_t:dir relabel_dir_perms; - allow $1 spamd_home_t:file relabel_file_perms; - allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms; -') - -######################################## -## <summary> -## Create objects in user home -## directories with the spamd home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`spamassassin_home_filetrans_spamd_home',` - gen_require(` - type spamd_home_t; - ') - - userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3) -') - -######################################## -## <summary> -## Read spamd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_read_lib_files',` - gen_require(` - type spamd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## spamd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_manage_lib_files',` - gen_require(` - type spamd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) -') - -######################################## -## <summary> -## Read spamd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_read_spamd_pid_files',` - gen_require(` - type spamd_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) -') - -######################################## -## <summary> -## Read temporary spamd files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_read_spamd_tmp_files',` - gen_require(` - type spamd_tmp_t; - ') - - allow $1 spamd_tmp_t:file read_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to get -## attributes of temporary spamd sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` - gen_require(` - type spamd_tmp_t; - ') - - dontaudit $1 spamd_tmp_t:sock_file getattr; -') - -######################################## -## <summary> -## Connect to spamd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`spamassassin_stream_connect_spamd',` - gen_require(` - type spamd_t, spamd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an spamassassin environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`spamassassin_admin',` - gen_require(` - type spamd_t, spamd_tmp_t, spamd_log_t; - type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; - type spamd_initrc_exec_t; - ') - - allow $1 spamd_t:process { ptrace signal_perms }; - ps_process_pattern($1, spamd_t) - - init_labeled_script_domtrans($1, spamd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 spamd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, spamd_tmp_t) - - logging_list_logs($1) - admin_pattern($1, spamd_log_t) - - files_list_spool($1) - admin_pattern($1, spamd_spool_t) - - files_list_var_lib($1) - admin_pattern($1, spamd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, spamd_var_run_t) - - spamassassin_role($2, $1) -') diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te deleted file mode 100644 index 4faa7e0e..00000000 --- a/policy/modules/contrib/spamassassin.te +++ /dev/null @@ -1,532 +0,0 @@ -policy_module(spamassassin, 2.5.8) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether spamassassin -## clients can use the network. -## </p> -## </desc> -gen_tunable(spamassassin_can_network, false) - -## <desc> -## <p> -## Determine whether spamd can manage -## generic user home content. -## </p> -## </desc> -gen_tunable(spamd_enable_home_dirs, false) - -type spamd_update_t; -type spamd_update_exec_t; -init_system_domain(spamd_update_t, spamd_update_exec_t) - -type spamassassin_t; -type spamassassin_exec_t; -typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; -typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; -userdom_user_application_domain(spamassassin_t, spamassassin_exec_t) - -type spamassassin_home_t; -typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; -typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -userdom_user_home_content(spamassassin_home_t) - -type spamassassin_tmp_t; -typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -userdom_user_tmp_file(spamassassin_tmp_t) - -type spamc_t; -type spamc_exec_t; -typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; -typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; -userdom_user_application_domain(spamc_t, spamc_exec_t) - -type spamc_tmp_t; -typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -userdom_user_tmp_file(spamc_tmp_t) - -type spamd_t; -type spamd_exec_t; -init_daemon_domain(spamd_t, spamd_exec_t) - -type spamd_compiled_t; -files_type(spamd_compiled_t) - -type spamd_etc_t; -files_config_file(spamd_etc_t) - -type spamd_home_t; -userdom_user_home_content(spamd_home_t) - -type spamd_initrc_exec_t; -init_script_file(spamd_initrc_exec_t) - -type spamd_log_t; -logging_log_file(spamd_log_t) - -type spamd_spool_t; -files_type(spamd_spool_t) - -type spamd_tmp_t; -files_tmp_file(spamd_tmp_t) - -type spamd_var_lib_t; -files_type(spamd_var_lib_t) - -type spamd_var_run_t; -files_pid_file(spamd_var_run_t) - -######################################## -# -# Standalone local policy -# - -allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow spamassassin_t self:fd use; -allow spamassassin_t self:fifo_file rw_fifo_file_perms; -allow spamassassin_t self:unix_dgram_socket sendto; -allow spamassassin_t self:unix_stream_socket { accept connectto listen }; - -manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin") - -manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) -manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) -files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(spamassassin_t) - -dev_read_urand(spamassassin_t) - -fs_getattr_all_fs(spamassassin_t) -fs_search_auto_mountpoints(spamassassin_t) - -domain_use_interactive_fds(spamassassin_t) - -files_read_etc_files(spamassassin_t) -files_read_etc_runtime_files(spamassassin_t) -files_list_home(spamassassin_t) -files_read_usr_files(spamassassin_t) -files_dontaudit_search_var(spamassassin_t) - -logging_send_syslog_msg(spamassassin_t) - -miscfiles_read_localization(spamassassin_t) - -sysnet_dns_name_resolve(spamassassin_t) - -tunable_policy(`spamassassin_can_network',` - allow spamassassin_t self:tcp_socket { accept listen }; - - corenet_all_recvfrom_unlabeled(spamassassin_t) - corenet_all_recvfrom_netlabel(spamassassin_t) - corenet_tcp_sendrecv_generic_if(spamassassin_t) - corenet_tcp_sendrecv_generic_node(spamassassin_t) - corenet_tcp_sendrecv_all_ports(spamassassin_t) - - corenet_tcp_connect_all_ports(spamassassin_t) - corenet_sendrecv_all_client_packets(spamassassin_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamassassin_t) - fs_manage_nfs_files(spamassassin_t) - fs_manage_nfs_symlinks(spamassassin_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamassassin_t) - fs_manage_cifs_files(spamassassin_t) - fs_manage_cifs_symlinks(spamassassin_t) -') - -optional_policy(` - tunable_policy(`spamassassin_can_network && allow_ypbind',` - nis_use_ypbind_uncond(spamassassin_t) - ') -') - -optional_policy(` - mta_read_config(spamassassin_t) - sendmail_stub(spamassassin_t) -') - -######################################## -# -# Client local policy -# - -allow spamc_t self:capability dac_override; -allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow spamc_t self:fd use; -allow spamc_t self:fifo_file rw_fifo_file_perms; -allow spamc_t self:unix_dgram_socket sendto; -allow spamc_t self:unix_stream_socket { accept connectto listen }; -allow spamc_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) -manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) -files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) - -manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) -manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) -manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) -userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin") - -list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) -read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) - -stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t) - -kernel_read_kernel_sysctls(spamc_t) -kernel_read_system_state(spamc_t) - -corenet_all_recvfrom_unlabeled(spamc_t) -corenet_all_recvfrom_netlabel(spamc_t) -corenet_tcp_sendrecv_generic_if(spamc_t) -corenet_tcp_sendrecv_generic_node(spamc_t) -corenet_tcp_sendrecv_all_ports(spamc_t) - -corenet_sendrecv_all_client_packets(spamc_t) -corenet_tcp_connect_all_ports(spamc_t) - -corecmd_exec_bin(spamc_t) - -domain_use_interactive_fds(spamc_t) - -fs_getattr_all_fs(spamc_t) -fs_search_auto_mountpoints(spamc_t) - -files_read_etc_runtime_files(spamc_t) -files_read_usr_files(spamc_t) -files_dontaudit_search_var(spamc_t) -files_list_home(spamc_t) -files_list_var_lib(spamc_t) - -auth_use_nsswitch(spamc_t) - -logging_send_syslog_msg(spamc_t) - -miscfiles_read_localization(spamc_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamc_t) - fs_manage_nfs_files(spamc_t) - fs_manage_nfs_symlinks(spamc_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamc_t) - fs_manage_cifs_files(spamc_t) - fs_manage_cifs_symlinks(spamc_t) -') - -optional_policy(` - abrt_stream_connect(spamc_t) -') - -optional_policy(` - amavis_manage_spool_files(spamc_t) -') - -optional_policy(` - evolution_stream_connect(spamc_t) -') - -optional_policy(` - milter_manage_spamass_state(spamc_t) -') - -optional_policy(` - mta_send_mail(spamc_t) - mta_read_config(spamc_t) - mta_read_queue(spamc_t) - sendmail_rw_pipes(spamc_t) - sendmail_stub(spamc_t) -') - -optional_policy(` - postfix_domtrans_postdrop(spamc_t) - postfix_search_spool(spamc_t) - postfix_rw_local_pipes(spamc_t) - postfix_rw_master_pipes(spamc_t) -') - -######################################## -# -# Daemon local policy -# - -allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; -dontaudit spamd_t self:capability sys_tty_config; -allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow spamd_t self:fd use; -allow spamd_t self:fifo_file rw_fifo_file_perms; -allow spamd_t self:unix_dgram_socket sendto; -allow spamd_t self:unix_stream_socket { accept connectto listen }; -allow spamd_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd") - -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") - -manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) -manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) - -allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(spamd_t, spamd_log_t, file) - -manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) - -manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) - -allow spamd_t spamd_var_lib_t:dir list_dir_perms; -manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - -manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) - -can_exec(spamd_t, { spamd_exec_t spamd_compiled_t }) - -kernel_read_all_sysctls(spamd_t) -kernel_read_system_state(spamd_t) - -corenet_all_recvfrom_unlabeled(spamd_t) -corenet_all_recvfrom_netlabel(spamd_t) -corenet_tcp_sendrecv_generic_if(spamd_t) -corenet_udp_sendrecv_generic_if(spamd_t) -corenet_tcp_sendrecv_generic_node(spamd_t) -corenet_udp_sendrecv_generic_node(spamd_t) -corenet_tcp_sendrecv_all_ports(spamd_t) -corenet_udp_sendrecv_all_ports(spamd_t) -corenet_tcp_bind_generic_node(spamd_t) -corenet_udp_bind_generic_node(spamd_t) - -corenet_sendrecv_spamd_server_packets(spamd_t) -corenet_tcp_bind_spamd_port(spamd_t) - -corenet_sendrecv_razor_client_packets(spamd_t) -corenet_tcp_connect_razor_port(spamd_t) - -corenet_sendrecv_smtp_client_packets(spamd_t) -corenet_tcp_connect_smtp_port(spamd_t) - -corenet_sendrecv_generic_server_packets(spamd_t) -corenet_udp_bind_generic_port(spamd_t) - -corenet_sendrecv_imaze_server_packets(spamd_t) -corenet_udp_bind_imaze_port(spamd_t) - -corenet_dontaudit_udp_bind_all_ports(spamd_t) - -corecmd_exec_bin(spamd_t) - -dev_read_sysfs(spamd_t) -dev_read_urand(spamd_t) - -domain_use_interactive_fds(spamd_t) - -files_read_usr_files(spamd_t) -files_read_etc_runtime_files(spamd_t) - -fs_getattr_all_fs(spamd_t) -fs_search_auto_mountpoints(spamd_t) - -auth_use_nsswitch(spamd_t) -auth_dontaudit_read_shadow(spamd_t) - -init_dontaudit_rw_utmp(spamd_t) - -libs_use_ld_so(spamd_t) -libs_use_shared_libs(spamd_t) - -logging_send_syslog_msg(spamd_t) - -miscfiles_read_localization(spamd_t) - -sysnet_use_ldap(spamd_t) - -userdom_use_unpriv_users_fds(spamd_t) - -tunable_policy(`spamd_enable_home_dirs',` - userdom_manage_user_home_content_dirs(spamd_t) - userdom_manage_user_home_content_files(spamd_t) - userdom_manage_user_home_content_symlinks(spamd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamd_t) - fs_manage_nfs_files(spamd_t) - fs_manage_nfs_symlinks(spamd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamd_t) - fs_manage_cifs_files(spamd_t) - fs_manage_cifs_symlinks(spamd_t) -') - -optional_policy(` - amavis_manage_lib_files(spamd_t) -') - -optional_policy(` - clamav_stream_connect(spamd_t) -') - -optional_policy(` - cron_system_entry(spamd_t, spamd_exec_t) -') - -optional_policy(` - daemontools_service_domain(spamd_t, spamd_exec_t) -') - -optional_policy(` - dcc_domtrans_cdcc(spamd_t) - dcc_domtrans_client(spamd_t) - dcc_signal_client(spamd_t) - dcc_stream_connect_dccifd(spamd_t) -') - -optional_policy(` - evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) -') - -optional_policy(` - exim_manage_spool_dirs(spamd_t) - exim_manage_spool_files(spamd_t) -') - -optional_policy(` - milter_manage_spamass_state(spamd_t) -') - -optional_policy(` - mysql_stream_connect(spamd_t) - mysql_tcp_connect(spamd_t) -') - -optional_policy(` - postfix_read_config(spamd_t) -') - -optional_policy(` - postgresql_stream_connect(spamd_t) - postgresql_tcp_connect(spamd_t) -') - -optional_policy(` - pyzor_domtrans(spamd_t) - pyzor_signal(spamd_t) -') - -optional_policy(` - razor_domtrans(spamd_t) - razor_read_lib_files(spamd_t) - razor_manage_home_content(spamd_t) -') - -optional_policy(` - seutil_sigchld_newrole(spamd_t) -') - -optional_policy(` - sendmail_stub(spamd_t) - mta_read_config(spamd_t) - mta_send_mail(spamd_t) -') - -optional_policy(` - udev_read_db(spamd_t) -') - -######################################## -# -# Update local policy -# - -allow spamd_update_t self:capability dac_override; -allow spamd_update_t self:fifo_file manage_fifo_file_perms; -allow spamd_update_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) -manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) -files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir }) - -manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) -manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) -manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) - -kernel_read_system_state(spamd_update_t) - -corenet_all_recvfrom_unlabeled(spamd_update_t) -corenet_all_recvfrom_netlabel(spamd_update_t) -corenet_tcp_sendrecv_generic_if(spamd_update_t) -corenet_tcp_sendrecv_generic_node(spamd_update_t) -corenet_tcp_sendrecv_all_ports(spamd_update_t) - -corenet_sendrecv_http_client_packets(spamd_update_t) -corenet_tcp_connect_http_port(spamd_update_t) -corenet_tcp_sendrecv_http_port(spamd_update_t) - -corecmd_exec_bin(spamd_update_t) -corecmd_exec_shell(spamd_update_t) - -dev_read_urand(spamd_update_t) - -domain_use_interactive_fds(spamd_update_t) - -files_read_usr_files(spamd_update_t) - -auth_use_nsswitch(spamd_update_t) -auth_dontaudit_read_shadow(spamd_update_t) - -miscfiles_read_localization(spamd_update_t) - -userdom_use_user_terminals(spamd_update_t) - -optional_policy(` - cron_system_entry(spamd_update_t, spamd_update_exec_t) -') - -# probably want a solution same as httpd_use_gpg since this will -# give spamd_update a path to users gpg keys -# optional_policy(` -# gpg_domtrans(spamd_update_t) -# ') - -optional_policy(` - mta_read_config(spamd_update_t) -') diff --git a/policy/modules/contrib/speedtouch.fc b/policy/modules/contrib/speedtouch.fc deleted file mode 100644 index 57539d02..00000000 --- a/policy/modules/contrib/speedtouch.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0) - -/var/run/speedmgmt\.pid -- gen_context(system_u:object_r:speedmgmt_var_run_t,s0) diff --git a/policy/modules/contrib/speedtouch.if b/policy/modules/contrib/speedtouch.if deleted file mode 100644 index 826e2db0..00000000 --- a/policy/modules/contrib/speedtouch.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>Alcatel speedtouch USB ADSL modem</summary> diff --git a/policy/modules/contrib/speedtouch.te b/policy/modules/contrib/speedtouch.te deleted file mode 100644 index 9025dbd4..00000000 --- a/policy/modules/contrib/speedtouch.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(speedtouch, 1.4.1) - -####################################### -# -# Declarations -# - -type speedmgmt_t; -type speedmgmt_exec_t; -init_daemon_domain(speedmgmt_t, speedmgmt_exec_t) - -type speedmgmt_tmp_t; -files_tmp_file(speedmgmt_tmp_t) - -type speedmgmt_var_run_t; -files_pid_file(speedmgmt_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit speedmgmt_t self:capability sys_tty_config; -allow speedmgmt_t self:process signal_perms; - -manage_dirs_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t) -manage_files_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t) -files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir }) - -manage_files_pattern(speedmgmt_t, speedmgmt_var_run_t, speedmgmt_var_run_t) -files_pid_filetrans(speedmgmt_t, speedmgmt_var_run_t, file) - -kernel_read_kernel_sysctls(speedmgmt_t) -kernel_list_proc(speedmgmt_t) -kernel_read_proc_symlinks(speedmgmt_t) - -dev_read_sysfs(speedmgmt_t) -dev_read_usbfs(speedmgmt_t) - -domain_use_interactive_fds(speedmgmt_t) - -files_read_etc_files(speedmgmt_t) -files_read_usr_files(speedmgmt_t) - -fs_getattr_all_fs(speedmgmt_t) -fs_search_auto_mountpoints(speedmgmt_t) - -logging_send_syslog_msg(speedmgmt_t) - -miscfiles_read_localization(speedmgmt_t) - -userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t) -userdom_dontaudit_search_user_home_dirs(speedmgmt_t) - -optional_policy(` - seutil_sigchld_newrole(speedmgmt_t) -') - -optional_policy(` - udev_read_db(speedmgmt_t) -') diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc deleted file mode 100644 index 0a8b0f7c..00000000 --- a/policy/modules/contrib/squid.fc +++ /dev/null @@ -1,20 +0,0 @@ -/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - -/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) - -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) - -/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) - -/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - -/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) - -/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) -/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) - -/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) - -/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) - -/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if deleted file mode 100644 index 5e1f0534..00000000 --- a/policy/modules/contrib/squid.if +++ /dev/null @@ -1,241 +0,0 @@ -## <summary>Squid caching http proxy server.</summary> - -######################################## -## <summary> -## Execute squid in the squid domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`squid_domtrans',` - gen_require(` - type squid_t, squid_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, squid_exec_t, squid_t) -') - -######################################## -## <summary> -## Execute squid in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`squid_exec',` - gen_require(` - type squid_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, squid_exec_t) -') - -######################################## -## <summary> -## Send generic signals to squid. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`squid_signal',` - gen_require(` - type squid_t; - ') - - allow $1 squid_t:process signal; -') - -######################################## -## <summary> -## Read and write squid unix -## domain stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`squid_rw_stream_sockets',` - gen_require(` - type squid_t; - ') - - allow $1 squid_t:unix_stream_socket { getattr read write }; -') - -######################################## -## <summary> -## Do not audit attempts to search -## squid cache directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -## <rolecap/> -# -interface(`squid_dontaudit_search_cache',` - gen_require(` - type squid_cache_t; - ') - - dontaudit $1 squid_cache_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read squid configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`squid_read_config',` - gen_require(` - type squid_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, squid_conf_t, squid_conf_t) -') - -######################################## -## <summary> -## Read squid log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`squid_read_log',` - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, squid_log_t, squid_log_t) -') - -######################################## -## <summary> -## Append squid log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`squid_append_log',` - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, squid_log_t, squid_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## squid log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`squid_manage_logs',` - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, squid_log_t, squid_log_t) -') - -######################################## -## <summary> -## Use squid services by connecting over TCP. (Deprecated) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`squid_use',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an squid environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`squid_admin',` - gen_require(` - type squid_t, squid_cache_t, squid_conf_t; - type squid_log_t, squid_var_run_t, squid_tmpfs_t; - type squid_initrc_exec_t, squid_tmp_t; - ') - - allow $1 squid_t:process { ptrace signal_perms }; - ps_process_pattern($1, squid_t) - - init_labeled_script_domtrans($1, squid_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 squid_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var($1) - admin_pattern($1, squid_cache_t) - - files_list_etc($1) - admin_pattern($1, squid_conf_t) - - logging_list_logs($1) - admin_pattern($1, squid_log_t) - - files_list_pids($1) - admin_pattern($1, squid_var_run_t) - - fs_list_tmpfs($1) - admin_pattern($1, squid_tmpfs_t) - - files_list_tmp($1) - admin_pattern($1, squid_tmp_t) -') diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te deleted file mode 100644 index 221c5609..00000000 --- a/policy/modules/contrib/squid.te +++ /dev/null @@ -1,240 +0,0 @@ -policy_module(squid, 1.11.2) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether squid can -## connect to all TCP ports. -## </p> -## </desc> -gen_tunable(squid_connect_any, false) - -## <desc> -## <p> -## Determine whether squid can run -## as a transparent proxy. -## </p> -## </desc> -gen_tunable(squid_use_tproxy, false) - -type squid_t; -type squid_exec_t; -init_daemon_domain(squid_t, squid_exec_t) - -type squid_cache_t; -files_type(squid_cache_t) - -type squid_conf_t; -files_type(squid_conf_t) - -type squid_initrc_exec_t; -init_script_file(squid_initrc_exec_t) - -type squid_log_t; -logging_log_file(squid_log_t) - -type squid_tmp_t; -files_tmp_file(squid_tmp_t) - -type squid_tmpfs_t; -files_tmpfs_file(squid_tmpfs_t) - -type squid_var_run_t; -files_pid_file(squid_var_run_t) - -######################################## -# -# Local policy -# - -allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; -dontaudit squid_t self:capability sys_tty_config; -allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; -allow squid_t self:fifo_file rw_fifo_file_perms; -allow squid_t self:fd use; -allow squid_t self:shm create_shm_perms; -allow squid_t self:sem create_sem_perms; -allow squid_t self:msgq create_msgq_perms; -allow squid_t self:msg { send receive }; -allow squid_t self:unix_dgram_socket sendto; -allow squid_t self:unix_stream_socket { accept connectto listen }; -allow squid_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) -manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) -manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) -files_var_filetrans(squid_t, squid_cache_t, dir, "squid") - -allow squid_t squid_conf_t:dir list_dir_perms; -allow squid_t squid_conf_t:file read_file_perms; -allow squid_t squid_conf_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) -append_files_pattern(squid_t, squid_log_t, squid_log_t) -create_files_pattern(squid_t, squid_log_t, squid_log_t) -setattr_files_pattern(squid_t, squid_log_t, squid_log_t) -manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) -logging_log_filetrans(squid_t, squid_log_t, { file dir }) - -manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) -manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) -files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) - -manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) -fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) - -manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) -files_pid_filetrans(squid_t, squid_var_run_t, file) - -can_exec(squid_t, squid_exec_t) - -kernel_read_kernel_sysctls(squid_t) -kernel_read_system_state(squid_t) -kernel_read_network_state(squid_t) - -corenet_all_recvfrom_unlabeled(squid_t) -corenet_all_recvfrom_netlabel(squid_t) -corenet_tcp_sendrecv_generic_if(squid_t) -corenet_udp_sendrecv_generic_if(squid_t) -corenet_tcp_sendrecv_generic_node(squid_t) -corenet_udp_sendrecv_generic_node(squid_t) -corenet_tcp_bind_generic_node(squid_t) -corenet_udp_bind_generic_node(squid_t) - -corenet_sendrecv_http_client_packets(squid_t) -corenet_tcp_connect_http_port(squid_t) -corenet_sendrecv_http_server_packets(squid_t) -corenet_tcp_bind_http_port(squid_t) -corenet_tcp_sendrecv_http_port(squid_t) - -corenet_sendrecv_http_cache_client_packets(squid_t) -corenet_tcp_connect_http_cache_port(squid_t) -corenet_sendrecv_http_cache_server_packets(squid_t) -corenet_tcp_bind_http_cache_port(squid_t) -corenet_udp_bind_http_cache_port(squid_t) -corenet_tcp_sendrecv_http_cache_port(squid_t) -corenet_udp_sendrecv_http_cache_port(squid_t) - -corenet_sendrecv_ftp_client_packets(squid_t) -corenet_tcp_connect_ftp_port(squid_t) -corenet_sendrecv_ftp_server_packets(squid_t) -corenet_tcp_bind_ftp_port(squid_t) -corenet_tcp_sendrecv_ftp_port(squid_t) - -corenet_sendrecv_gopher_client_packets(squid_t) -corenet_tcp_connect_gopher_port(squid_t) -corenet_sendrecv_gopher_server_packets(squid_t) -corenet_tcp_bind_gopher_port(squid_t) -corenet_udp_bind_gopher_port(squid_t) -corenet_tcp_sendrecv_gopher_port(squid_t) -corenet_udp_sendrecv_gopher_port(squid_t) - -corenet_sendrecv_squid_server_packets(squid_t) -corenet_tcp_bind_squid_port(squid_t) -corenet_udp_bind_squid_port(squid_t) -corenet_tcp_sendrecv_squid_port(squid_t) -corenet_udp_sendrecv_squid_port(squid_t) - -corenet_sendrecv_wccp_server_packets(squid_t) -corenet_udp_bind_wccp_port(squid_t) -corenet_udp_sendrecv_wccp_port(squid_t) - -corenet_sendrecv_pgpkeyserver_client_packets(squid_t) -corenet_tcp_connect_pgpkeyserver_port(squid_t) -corenet_tcp_sendrecv_pgpkeyserver_port(squid_t) - -corecmd_exec_bin(squid_t) -corecmd_exec_shell(squid_t) - -dev_read_sysfs(squid_t) -dev_read_urand(squid_t) - -domain_use_interactive_fds(squid_t) - -files_read_etc_runtime_files(squid_t) -files_read_usr_files(squid_t) -files_search_spool(squid_t) -files_dontaudit_getattr_tmp_dirs(squid_t) -files_getattr_home_dir(squid_t) -files_dontaudit_getattr_boot_dirs(squid_t) - -fs_getattr_all_fs(squid_t) -fs_search_auto_mountpoints(squid_t) -fs_list_inotifyfs(squid_t) - -selinux_dontaudit_getattr_dir(squid_t) - -term_dontaudit_getattr_pty_dirs(squid_t) - -auth_use_nsswitch(squid_t) -auth_domtrans_chk_passwd(squid_t) - -libs_exec_lib_files(squid_t) - -logging_send_syslog_msg(squid_t) - -miscfiles_read_generic_certs(squid_t) -miscfiles_read_localization(squid_t) - -userdom_use_unpriv_users_fds(squid_t) -userdom_dontaudit_search_user_home_dirs(squid_t) - -tunable_policy(`squid_connect_any',` - corenet_tcp_connect_all_ports(squid_t) - corenet_tcp_bind_all_ports(squid_t) - corenet_sendrecv_all_packets(squid_t) - corenet_tcp_sendrecv_all_ports(squid_t) -') - -tunable_policy(`squid_use_tproxy',` - allow squid_t self:capability net_admin; - corenet_sendrecv_netport_server_packets(squid_t) - corenet_tcp_bind_netport_port(squid_t) - corenet_tcp_sendrecv_netport_port(squid_t) -') - -optional_policy(` - apache_content_template(squid) - - corenet_all_recvfrom_unlabeled(httpd_squid_script_t) - corenet_all_recvfrom_netlabel(httpd_squid_script_t) - corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) - corenet_tcp_sendrecv_generic_node(httpd_squid_script_t) - - corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t) - corenet_tcp_connect_http_cache_port(httpd_squid_script_t) - corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) - - sysnet_dns_name_resolve(httpd_squid_script_t) - - squid_read_config(httpd_squid_script_t) -') - -optional_policy(` - cron_system_entry(squid_t, squid_exec_t) -') - -optional_policy(` - kerberos_manage_host_rcache(squid_t) - kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0") -') - -optional_policy(` - mysql_stream_connect(squid_t) -') - -optional_policy(` - samba_domtrans_winbind_helper(squid_t) -') - -optional_policy(` - seutil_sigchld_newrole(squid_t) -') - -optional_policy(` - udev_read_db(squid_t) -') diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc deleted file mode 100644 index dbb005ac..00000000 --- a/policy/modules/contrib/sssd.fc +++ /dev/null @@ -1,15 +0,0 @@ -/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) - -/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) - -/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) - -/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) - -/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) - -/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) - -/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) - -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if deleted file mode 100644 index a2404551..00000000 --- a/policy/modules/contrib/sssd.if +++ /dev/null @@ -1,361 +0,0 @@ -## <summary>System Security Services Daemon.</summary> - -####################################### -## <summary> -## Get attributes of sssd executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_getattr_exec',` - gen_require(` - type sssd_exec_t; - ') - - allow $1 sssd_exec_t:file getattr_file_perms; -') - -######################################## -## <summary> -## Execute a domain transition to run sssd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`sssd_domtrans',` - gen_require(` - type sssd_t, sssd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, sssd_exec_t, sssd_t) -') - -######################################## -## <summary> -## Execute sssd init scripts in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`sssd_initrc_domtrans',` - gen_require(` - type sssd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, sssd_initrc_exec_t) -') - -####################################### -## <summary> -## Read sssd configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_read_config',` - gen_require(` - type sssd_conf_t; - ') - - files_search_etc($1) - list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) - read_files_pattern($1, sssd_conf_t, sssd_conf_t) -') - -###################################### -## <summary> -## Write sssd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_write_config',` - gen_require(` - type sssd_conf_t; - ') - - files_search_etc($1) - write_files_pattern($1, sssd_conf_t, sssd_conf_t) -') - -#################################### -## <summary> -## Create, read, write, and delete -## sssd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_manage_config',` - gen_require(` - type sssd_conf_t; - ') - - files_search_etc($1) - manage_files_pattern($1, sssd_conf_t, sssd_conf_t) -') - -######################################## -## <summary> -## Read sssd public files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_read_public_files',` - gen_require(` - type sssd_public_t; - ') - - sssd_search_lib($1) - allow $1 sssd_public_t:dir list_dir_perms; - read_files_pattern($1, sssd_public_t, sssd_public_t) -') - -####################################### -## <summary> -## Create, read, write, and delete -## sssd public files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_manage_public_files',` - gen_require(` - type sssd_public_t; - ') - - sssd_search_lib($1) - manage_files_pattern($1, sssd_public_t, sssd_public_t) -') - -######################################## -## <summary> -## Read sssd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_read_pid_files',` - gen_require(` - type sssd_var_run_t; - ') - - files_search_pids($1) - allow $1 sssd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## sssd pid content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_manage_pids',` - gen_require(` - type sssd_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) - manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) -') - -######################################## -## <summary> -## Search sssd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_search_lib',` - gen_require(` - type sssd_var_lib_t; - ') - - allow $1 sssd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## <summary> -## Do not audit attempts to search -## sssd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`sssd_dontaudit_search_lib',` - gen_require(` - type sssd_var_lib_t; - ') - - dontaudit $1 sssd_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read sssd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_read_lib_files',` - gen_require(` - type sssd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) - read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## sssd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_manage_lib_files',` - gen_require(` - type sssd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) - manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -') - -######################################## -## <summary> -## Send and receive messages from -## sssd over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_dbus_chat',` - gen_require(` - type sssd_t; - class dbus send_msg; - ') - - allow $1 sssd_t:dbus send_msg; - allow sssd_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Connect to sssd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_stream_connect',` - gen_require(` - type sssd_t, sssd_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an sssd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sssd_admin',` - gen_require(` - type sssd_t, sssd_public_t, sssd_initrc_exec_t; - type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t; - type sssd_log_t; - ') - - allow $1 sssd_t:process { ptrace signal_perms }; - ps_process_pattern($1, sssd_t) - - sssd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sssd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, sssd_conf_t) - - files_search_var_lib($1) - admin_pattern($1, { sssd_var_lib_t sssd_public_t }) - - files_search_pids($1) - admin_pattern($1, sssd_var_run_t) - - logging_search_logs($1) - admin_pattern($1, sssd_log_t) -') diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te deleted file mode 100644 index 8b537aae..00000000 --- a/policy/modules/contrib/sssd.te +++ /dev/null @@ -1,129 +0,0 @@ -policy_module(sssd, 1.1.4) - -######################################## -# -# Declarations -# - -type sssd_t; -type sssd_exec_t; -init_daemon_domain(sssd_t, sssd_exec_t) - -type sssd_initrc_exec_t; -init_script_file(sssd_initrc_exec_t) - -type sssd_conf_t; -files_config_file(sssd_conf_t) - -type sssd_public_t; -files_pid_file(sssd_public_t) - -type sssd_var_lib_t; -files_type(sssd_var_lib_t) -mls_trusted_object(sssd_var_lib_t) - -type sssd_var_log_t; -logging_log_file(sssd_var_log_t) - -type sssd_var_run_t; -files_pid_file(sssd_var_run_t) - -######################################## -# -# Local policy -# - -allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; -allow sssd_t self:capability2 block_suspend; -allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; -allow sssd_t self:fifo_file rw_fifo_file_perms; -allow sssd_t self:key manage_key_perms; -allow sssd_t self:unix_stream_socket { accept connectto listen }; - -read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) - -manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) -manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) - -manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) - -append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -logging_log_filetrans(sssd_t, sssd_var_log_t, file) - -manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) - -kernel_read_network_state(sssd_t) -kernel_read_system_state(sssd_t) - -corenet_all_recvfrom_unlabeled(sssd_t) -corenet_all_recvfrom_netlabel(sssd_t) -corenet_udp_sendrecv_generic_if(sssd_t) -corenet_udp_sendrecv_generic_node(sssd_t) -corenet_udp_sendrecv_all_ports(sssd_t) -corenet_udp_bind_generic_node(sssd_t) - -corenet_sendrecv_generic_server_packets(sssd_t) -corenet_udp_bind_generic_port(sssd_t) -corenet_dontaudit_udp_bind_all_ports(sssd_t) - -corecmd_exec_bin(sssd_t) - -dev_read_urand(sssd_t) -dev_read_sysfs(sssd_t) - -domain_read_all_domains_state(sssd_t) -domain_obj_id_change_exemption(sssd_t) - -files_list_tmp(sssd_t) -files_read_etc_files(sssd_t) -files_read_etc_runtime_files(sssd_t) -files_read_usr_files(sssd_t) -files_list_var_lib(sssd_t) - -fs_list_inotifyfs(sssd_t) - -selinux_validate_context(sssd_t) - -seutil_read_file_contexts(sssd_t) -# sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module -# seutil_rw_login_config_dirs(sssd_t) -# seutil_manage_login_config_files(sssd_t) - -mls_file_read_to_clearance(sssd_t) -mls_socket_read_to_clearance(sssd_t) -mls_socket_write_to_clearance(sssd_t) -mls_trusted_object(sssd_t) - -auth_domtrans_chk_passwd(sssd_t) -auth_domtrans_upd_passwd(sssd_t) -auth_manage_cache(sssd_t) - -init_read_utmp(sssd_t) - -logging_send_syslog_msg(sssd_t) -logging_send_audit_msgs(sssd_t) - -miscfiles_read_generic_certs(sssd_t) -miscfiles_read_localization(sssd_t) - -sysnet_dns_name_resolve(sssd_t) -sysnet_use_ldap(sssd_t) - -optional_policy(` - dbus_system_bus_client(sssd_t) - dbus_connect_system_bus(sssd_t) -') - -optional_policy(` - kerberos_read_config(sssd_t) - kerberos_manage_host_rcache(sssd_t) - kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0") -') diff --git a/policy/modules/contrib/stunnel.fc b/policy/modules/contrib/stunnel.fc deleted file mode 100644 index 49dd63ca..00000000 --- a/policy/modules/contrib/stunnel.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) - -/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) - -/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) - -/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) diff --git a/policy/modules/contrib/stunnel.if b/policy/modules/contrib/stunnel.if deleted file mode 100644 index 038efa89..00000000 --- a/policy/modules/contrib/stunnel.if +++ /dev/null @@ -1,46 +0,0 @@ -## <summary>SSL Tunneling Proxy.</summary> - -######################################## -## <summary> -## Define the specified domain as a stunnel inetd service. -## </summary> -## <param name="domain"> -## <summary> -## The type associated with the stunnel inetd service process. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## The type associated with the process program. -## </summary> -## </param> -# -interface(`stunnel_service_domain',` - gen_require(` - type stunnel_t; - ') - - domtrans_pattern(stunnel_t, $2, $1) - allow $1 stunnel_t:tcp_socket rw_socket_perms; -') - -######################################## -## <summary> -## Read stunnel configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`stunnel_read_config',` - gen_require(` - type stunnel_etc_t; - ') - - files_search_etc($1) - allow $1 stunnel_etc_t:dir list_dir_perms; - allow $1 stunnel_etc_t:file read_file_perms; - allow $1 stunnel_etc_t:lnk_file read_lnk_file_perms; -') diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te deleted file mode 100644 index 9992e623..00000000 --- a/policy/modules/contrib/stunnel.te +++ /dev/null @@ -1,108 +0,0 @@ -policy_module(stunnel, 1.10.2) - -######################################## -# -# Declarations -# - -type stunnel_t; -type stunnel_exec_t; -init_daemon_domain(stunnel_t, stunnel_exec_t) - -type stunnel_etc_t; -files_config_file(stunnel_etc_t) - -type stunnel_tmp_t; -files_tmp_file(stunnel_tmp_t) - -type stunnel_var_run_t; -files_pid_file(stunnel_var_run_t) - -######################################## -# -# Local policy -# - -allow stunnel_t self:capability { setgid setuid sys_chroot }; -dontaudit stunnel_t self:capability sys_tty_config; -allow stunnel_t self:process signal_perms; -allow stunnel_t self:fifo_file rw_fifo_file_perms; -allow stunnel_t self:tcp_socket { accept listen }; -allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - -allow stunnel_t stunnel_etc_t:dir list_dir_perms; -allow stunnel_t stunnel_etc_t:file read_file_perms; -allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) -manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) -files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) - -manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) -manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) -files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(stunnel_t) -kernel_read_system_state(stunnel_t) -kernel_read_network_state(stunnel_t) - -corecmd_exec_bin(stunnel_t) - -corenet_all_recvfrom_unlabeled(stunnel_t) -corenet_all_recvfrom_netlabel(stunnel_t) -corenet_tcp_sendrecv_generic_if(stunnel_t) -corenet_tcp_sendrecv_generic_node(stunnel_t) -corenet_tcp_sendrecv_all_ports(stunnel_t) -corenet_tcp_bind_all_ports(stunnel_t) -corenet_tcp_bind_generic_node(stunnel_t) - -corenet_sendrecv_all_client_packets(stunnel_t) -corenet_tcp_connect_all_ports(stunnel_t) - -dev_read_sysfs(stunnel_t) -dev_read_urand(stunnel_t) - -domain_use_interactive_fds(stunnel_t) - -files_read_etc_runtime_files(stunnel_t) -files_search_home(stunnel_t) - -fs_getattr_all_fs(stunnel_t) -fs_search_auto_mountpoints(stunnel_t) - -auth_use_nsswitch(stunnel_t) - -logging_send_syslog_msg(stunnel_t) - -miscfiles_read_generic_certs(stunnel_t) -miscfiles_read_localization(stunnel_t) - -userdom_dontaudit_use_unpriv_user_fds(stunnel_t) -userdom_dontaudit_search_user_home_dirs(stunnel_t) - -optional_policy(` - daemontools_service_domain(stunnel_t, stunnel_exec_t) -') - -optional_policy(` - inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) -') - -optional_policy(` - kerberos_use(stunnel_t) -') - -optional_policy(` - seutil_sigchld_newrole(stunnel_t) -') - -optional_policy(` - udev_read_db(stunnel_t) -') - -# hack since this port has no interfaces since it doesnt -# have net_contexts -gen_require(` - type stunnel_port_t; -') -allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/policy/modules/contrib/subsonic.fc b/policy/modules/contrib/subsonic.fc new file mode 100644 index 00000000..df15d39e --- /dev/null +++ b/policy/modules/contrib/subsonic.fc @@ -0,0 +1,6 @@ + +/usr/bin/subsonic -- gen_context(system_u:object_r:subsonic_exec_t,s0) + +/var/lib/subsonic(/.*)? gen_context(system_u:object_r:subsonic_var_lib_t,s0) + +/run/subsonic(/.*)? gen_context(system_u:object_r:subsonic_run_t,s0) diff --git a/policy/modules/contrib/subsonic.if b/policy/modules/contrib/subsonic.if new file mode 100644 index 00000000..97e7342b --- /dev/null +++ b/policy/modules/contrib/subsonic.if @@ -0,0 +1 @@ +## <summary>Subsonic Music Streaming Server</summary> diff --git a/policy/modules/contrib/subsonic.te b/policy/modules/contrib/subsonic.te new file mode 100644 index 00000000..f3d805b9 --- /dev/null +++ b/policy/modules/contrib/subsonic.te @@ -0,0 +1,49 @@ +policy_module(subsonic, 0.1.0) + +######################################## +# +# Declarations +# + +type subsonic_t; +type subsonic_exec_t; +init_daemon_domain(subsonic_t, subsonic_exec_t) + +type subsonic_var_lib_t; +files_type(subsonic_var_lib_t) + +type subsonic_run_t; +files_runtime_file(subsonic_run_t) + +############################## +# +# Subsonic local policy +# + +allow subsonic_t self:tcp_socket { listen accept }; + +java_domain_type(subsonic_t) + +kernel_dontaudit_list_all_proc(subsonic_t) + +manage_dirs_pattern(subsonic_t, subsonic_run_t, subsonic_run_t) +manage_files_pattern(subsonic_t, subsonic_run_t, subsonic_run_t) +files_runtime_filetrans(subsonic_t, subsonic_run_t, dir) + +manage_dirs_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t) +manage_files_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t) +allow subsonic_t subsonic_var_lib_t:lnk_file manage_lnk_file_perms; +files_var_lib_filetrans(subsonic_t, subsonic_var_lib_t, dir) + +corecmd_exec_bin(subsonic_t) +corecmd_exec_shell(subsonic_t) + +corenet_tcp_bind_all_unreserved_ports(subsonic_t) +corenet_tcp_bind_generic_node(subsonic_t) +corenet_tcp_connect_http_port(subsonic_t) + +domain_use_interactive_fds(subsonic_t) + +optional_policy(` + miscfiles_read_public_files(subsonic_t) +') diff --git a/policy/modules/contrib/svnserve.fc b/policy/modules/contrib/svnserve.fc deleted file mode 100644 index effffd02..00000000 --- a/policy/modules/contrib/svnserve.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) - -/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0) - -/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) - -/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0) -/var/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0) diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if deleted file mode 100644 index 2ac91b6e..00000000 --- a/policy/modules/contrib/svnserve.if +++ /dev/null @@ -1,35 +0,0 @@ -## <summary>Server for the svn repository access method.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an svnserve environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`svnserve_admin',` - gen_require(` - type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t; - ') - - allow $1 svnserve_t:process { ptrace signal_perms }; - ps_process_pattern($1, svnserve_t) - - init_labeled_script_domtrans($1, svnserve_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 svnserve_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, httpd_var_run_t) -') diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te deleted file mode 100644 index c6aaac7f..00000000 --- a/policy/modules/contrib/svnserve.te +++ /dev/null @@ -1,59 +0,0 @@ -policy_module(svnserve, 1.0.2) - -######################################## -# -# Declarations -# - -type svnserve_t; -type svnserve_exec_t; -init_daemon_domain(svnserve_t, svnserve_exec_t) - -type svnserve_initrc_exec_t; -init_script_file(svnserve_initrc_exec_t) - -type svnserve_content_t; -files_type(svnserve_content_t) - -type svnserve_var_run_t; -files_pid_file(svnserve_var_run_t) - -######################################## -# -# Local policy -# - -allow svnserve_t self:fifo_file rw_fifo_file_perms; -allow svnserve_t self:tcp_socket create_stream_socket_perms; -allow svnserve_t self:unix_stream_socket { listen accept }; - -manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) -manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) - -manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) -manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) -files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file }) - -files_read_etc_files(svnserve_t) -files_read_usr_files(svnserve_t) - -corenet_all_recvfrom_unlabeled(svnserve_t) -corenet_all_recvfrom_netlabel(svnserve_t) -corenet_tcp_sendrecv_generic_if(svnserve_t) -corenet_udp_sendrecv_generic_if(svnserve_t) -corenet_tcp_sendrecv_generic_node(svnserve_t) -corenet_udp_sendrecv_generic_node(svnserve_t) -corenet_tcp_bind_generic_node(svnserve_t) -corenet_udp_bind_generic_node(svnserve_t) - -corenet_sendrecv_svn_server_packets(svnserve_t) -corenet_tcp_bind_svn_port(svnserve_t) -corenet_tcp_sendrecv_svn_port(svnserve_t) -corenet_udp_bind_svn_port(svnserve_t) -corenet_udp_sendrecv_svn_port(svnserve_t) - -logging_send_syslog_msg(svnserve_t) - -miscfiles_read_localization(svnserve_t) - -sysnet_dns_name_resolve(svnserve_t) diff --git a/policy/modules/contrib/sxid.fc b/policy/modules/contrib/sxid.fc deleted file mode 100644 index 95299487..00000000 --- a/policy/modules/contrib/sxid.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0) - -/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0) - -/var/log/setuid.* -- gen_context(system_u:object_r:sxid_log_t,s0) -/var/log/setuid\.today.* -- gen_context(system_u:object_r:sxid_log_t,s0) -/var/log/sxid\.log.* -- gen_context(system_u:object_r:sxid_log_t,s0) diff --git a/policy/modules/contrib/sxid.if b/policy/modules/contrib/sxid.if deleted file mode 100644 index 83d2e94c..00000000 --- a/policy/modules/contrib/sxid.if +++ /dev/null @@ -1,21 +0,0 @@ -## <summary>SUID/SGID program monitoring.</summary> - -######################################## -## <summary> -## Read sxid log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sxid_read_log',` - gen_require(` - type sxid_log_t; - ') - - logging_search_logs($1) - allow $1 sxid_log_t:file read_file_perms; -') diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te deleted file mode 100644 index c9824cb9..00000000 --- a/policy/modules/contrib/sxid.te +++ /dev/null @@ -1,101 +0,0 @@ -policy_module(sxid, 1.7.1) - -######################################## -# -# Declarations -# - -type sxid_t; -type sxid_exec_t; -application_domain(sxid_t, sxid_exec_t) - -type sxid_log_t; -logging_log_file(sxid_log_t) - -type sxid_tmp_t; -files_tmp_file(sxid_tmp_t) - -######################################## -# -# Local policy -# - -allow sxid_t self:capability { dac_override dac_read_search fsetid }; -dontaudit sxid_t self:capability { setuid setgid sys_tty_config }; -allow sxid_t self:process signal_perms; -allow sxid_t self:fifo_file rw_fifo_file_perms; -allow sxid_t self:tcp_socket create_stream_socket_perms; -allow sxid_t self:udp_socket create_socket_perms; - -allow sxid_t sxid_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(sxid_t, sxid_log_t, file) - -manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t) -manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t) -files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir }) - -kernel_read_system_state(sxid_t) -kernel_read_kernel_sysctls(sxid_t) - -corecmd_exec_bin(sxid_t) -corecmd_exec_shell(sxid_t) - -corenet_all_recvfrom_unlabeled(sxid_t) -corenet_all_recvfrom_netlabel(sxid_t) -corenet_tcp_sendrecv_generic_if(sxid_t) -corenet_udp_sendrecv_generic_if(sxid_t) -corenet_tcp_sendrecv_generic_node(sxid_t) -corenet_udp_sendrecv_generic_node(sxid_t) -corenet_tcp_sendrecv_all_ports(sxid_t) -corenet_udp_sendrecv_all_ports(sxid_t) - -dev_read_sysfs(sxid_t) -dev_getattr_all_blk_files(sxid_t) -dev_getattr_all_chr_files(sxid_t) - -domain_use_interactive_fds(sxid_t) - -files_list_all(sxid_t) -files_getattr_all_symlinks(sxid_t) -files_getattr_all_pipes(sxid_t) -files_getattr_all_sockets(sxid_t) - -fs_getattr_xattr_fs(sxid_t) -fs_search_auto_mountpoints(sxid_t) -fs_list_all(sxid_t) - -term_dontaudit_use_console(sxid_t) - -files_read_non_auth_files(sxid_t) -auth_dontaudit_getattr_shadow(sxid_t) - -init_use_fds(sxid_t) -init_use_script_ptys(sxid_t) - -logging_send_syslog_msg(sxid_t) - -miscfiles_read_localization(sxid_t) - -sysnet_read_config(sxid_t) - -userdom_dontaudit_use_unpriv_user_fds(sxid_t) - -optional_policy(` - cron_system_entry(sxid_t, sxid_exec_t) -') - -optional_policy(` - mount_exec(sxid_t) -') - -optional_policy(` - mta_send_mail(sxid_t) -') - -optional_policy(` - seutil_sigchld_newrole(sxid_t) -') - -optional_policy(` - udev_read_db(sxid_t) -') diff --git a/policy/modules/contrib/sysstat.fc b/policy/modules/contrib/sysstat.fc deleted file mode 100644 index b660cfc3..00000000 --- a/policy/modules/contrib/sysstat.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/sysstat -- gen_context(system_u:object_r:sysstat_initrc_exec_t,s0) - -/opt/sartest(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) - -/usr/lib/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) -/usr/lib/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) -/usr/lib/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) - -/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) -/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) -/var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if deleted file mode 100644 index 14ae3f2a..00000000 --- a/policy/modules/contrib/sysstat.if +++ /dev/null @@ -1,56 +0,0 @@ -## <summary>Reports on various system states.</summary> - -######################################## -## <summary> -## Create, read, write, and delete -## sysstat log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sysstat_manage_log',` - gen_require(` - type sysstat_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, sysstat_log_t, sysstat_log_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an sysstat environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sysstat_admin',` - gen_require(` - type sysstat_t, sysstat_initrc_exec_t, sysstat_log_t; - ') - - allow $1 sysstat_t:process { ptrace signal_perms }; - ps_process_pattern($1, sysstat_t) - - init_labeled_script_domtrans($1, sysstat_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 sysstat_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, sysstat_log_t) -') diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te deleted file mode 100644 index c8b80b27..00000000 --- a/policy/modules/contrib/sysstat.te +++ /dev/null @@ -1,69 +0,0 @@ -policy_module(sysstat, 1.7.1) - -######################################## -# -# Declarations -# - -type sysstat_t; -type sysstat_exec_t; -init_system_domain(sysstat_t, sysstat_exec_t) - -type sysstat_initrc_exec_t; -init_script_file(sysstat_initrc_exec_t) - -type sysstat_log_t; -logging_log_file(sysstat_log_t) - -######################################## -# -# Local policy -# - -allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config }; -allow sysstat_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) -append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) -create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) -setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) -manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) -logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) - -can_exec(sysstat_t, sysstat_exec_t) - -kernel_read_system_state(sysstat_t) -kernel_read_network_state(sysstat_t) -kernel_read_kernel_sysctls(sysstat_t) -kernel_read_fs_sysctls(sysstat_t) -kernel_read_rpc_sysctls(sysstat_t) - -corecmd_exec_bin(sysstat_t) - -dev_read_sysfs(sysstat_t) -dev_read_urand(sysstat_t) - -files_search_var(sysstat_t) -files_read_etc_runtime_files(sysstat_t) - -fs_getattr_xattr_fs(sysstat_t) -fs_list_inotifyfs(sysstat_t) - -term_use_console(sysstat_t) -term_use_all_terms(sysstat_t) - -auth_use_nsswitch(sysstat_t) - -init_use_fds(sysstat_t) - -locallogin_use_fds(sysstat_t) - -logging_send_syslog_msg(sysstat_t) - -miscfiles_read_localization(sysstat_t) - -userdom_dontaudit_list_user_home_dirs(sysstat_t) - -optional_policy(` - cron_system_entry(sysstat_t, sysstat_exec_t) -') diff --git a/policy/modules/contrib/systemtap.fc b/policy/modules/contrib/systemtap.fc deleted file mode 100644 index 1710cbbe..00000000 --- a/policy/modules/contrib/systemtap.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/stap-server(/.*)? -- gen_context(system_u:object_r:stapserver_conf_t,s0) - -/etc/rc\.d/init\.d/stap-server -- gen_context(system_u:object_r:stapserver_initrc_exec_t,s0) - -/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0) - -/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0) - -/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0) - -/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0) diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if deleted file mode 100644 index c755e2d9..00000000 --- a/policy/modules/contrib/systemtap.if +++ /dev/null @@ -1,45 +0,0 @@ -## <summary>instrumentation system for Linux.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an stapserver environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`stapserver_admin',` - gen_require(` - type stapserver_t, stapserver_conf_t, stapserver_log_t; - type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t; - ') - - allow $1 stapserver_t:process { ptrace signal_perms }; - ps_process_pattern($1, stapserver_t) - - init_labeled_script_domtrans($1, stapserver_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 stapserver_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, stapserver_conf_t) - - files_search_var_lib($1) - admin_pattern($1, stapserver_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, stapserver_log_t) - - files_search_pids($1) - admin_pattern($1, stapserver_var_run_t) -') diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te deleted file mode 100644 index 6c06a845..00000000 --- a/policy/modules/contrib/systemtap.te +++ /dev/null @@ -1,101 +0,0 @@ -policy_module(systemtap, 1.0.2) - -######################################## -# -# Declarations -# - -type stapserver_t; -type stapserver_exec_t; -init_daemon_domain(stapserver_t, stapserver_exec_t) - -type stapserver_initrc_exec_t; -init_script_file(stapserver_initrc_exec_t) - -type stapserver_conf_t; -files_config_file(stapserver_conf_t) - -type stapserver_var_lib_t; -files_type(stapserver_var_lib_t) - -type stapserver_log_t; -logging_log_file(stapserver_log_t) - -type stapserver_var_run_t; -files_pid_file(stapserver_var_run_t) - -######################################## -# -# Local policy -# - -allow stapserver_t self:capability { dac_override kill setuid setgid }; -allow stapserver_t self:process { setrlimit setsched signal }; -allow stapserver_t self:fifo_file rw_fifo_file_perms; -allow stapserver_t self:key write; -allow stapserver_t self:unix_stream_socket { accept listen }; -allow stapserver_t self:tcp_socket create_stream_socket_perms; - -allow stapserver_t stapserver_conf_t:file read_file_perms; - -manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) -manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) -files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) - -manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) -append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) -create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) -setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) -logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) - -manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) -manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) -files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) - -kernel_read_kernel_sysctls(stapserver_t) -kernel_read_system_state(stapserver_t) - -corecmd_exec_bin(stapserver_t) -corecmd_exec_shell(stapserver_t) - -domain_read_all_domains_state(stapserver_t) - -dev_read_rand(stapserver_t) -dev_read_sysfs(stapserver_t) -dev_read_urand(stapserver_t) - -files_list_tmp(stapserver_t) -files_read_usr_files(stapserver_t) -files_search_kernel_modules(stapserver_t) - -auth_use_nsswitch(stapserver_t) - -init_read_utmp(stapserver_t) - -logging_send_audit_msgs(stapserver_t) -logging_send_syslog_msg(stapserver_t) - -miscfiles_read_localization(stapserver_t) -miscfiles_read_hwdata(stapserver_t) - -userdom_use_user_terminals(stapserver_t) - -optional_policy(` - consoletype_exec(stapserver_t) -') - -optional_policy(` - dbus_system_bus_client(stapserver_t) -') - -optional_policy(` - hostname_exec(stapserver_t) -') - -optional_policy(` - plymouthd_exec_plymouth(stapserver_t) -') - -optional_policy(` - rpm_exec(stapserver_t) -') diff --git a/policy/modules/contrib/tcpd.fc b/policy/modules/contrib/tcpd.fc deleted file mode 100644 index 034ec7f6..00000000 --- a/policy/modules/contrib/tcpd.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0) diff --git a/policy/modules/contrib/tcpd.if b/policy/modules/contrib/tcpd.if deleted file mode 100644 index 9eb34fd0..00000000 --- a/policy/modules/contrib/tcpd.if +++ /dev/null @@ -1,46 +0,0 @@ -## <summary>TCP daemon.</summary> - -######################################## -## <summary> -## Execute tcpd in the tcpd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tcpd_domtrans',` - gen_require(` - type tcpd_t, tcpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tcpd_exec_t, tcpd_t) -') - -######################################## -## <summary> -## Create a domain for services that -## utilize tcp wrappers. -## </summary> -## <param name="domain"> -## <summary> -## Type to be used as a domain. -## </summary> -## </param> -## <param name="entry_point"> -## <summary> -## Type of the program to be used as an entry point to this domain. -## </summary> -## </param> -# -interface(`tcpd_wrapped_domain',` - gen_require(` - type tcpd_t; - role system_r; - ') - - domtrans_pattern(tcpd_t, $2, $1) - role system_r types $1; -') diff --git a/policy/modules/contrib/tcpd.te b/policy/modules/contrib/tcpd.te deleted file mode 100644 index f388db3d..00000000 --- a/policy/modules/contrib/tcpd.te +++ /dev/null @@ -1,49 +0,0 @@ -policy_module(tcpd, 1.4.1) - -######################################## -# -# Declarations -# - -type tcpd_t; -type tcpd_exec_t; -inetd_tcp_service_domain(tcpd_t, tcpd_exec_t) - -type tcpd_tmp_t; -files_tmp_file(tcpd_tmp_t) - -######################################## -# -# Local policy -# - -allow tcpd_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) -manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) -files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir }) - -corenet_all_recvfrom_unlabeled(tcpd_t) -corenet_all_recvfrom_netlabel(tcpd_t) -corenet_tcp_sendrecv_generic_if(tcpd_t) -corenet_tcp_sendrecv_generic_node(tcpd_t) -corenet_tcp_sendrecv_all_ports(tcpd_t) - -fs_getattr_xattr_fs(tcpd_t) - -corecmd_search_bin(tcpd_t) - -files_read_etc_files(tcpd_t) -files_dontaudit_search_var(tcpd_t) - -logging_send_syslog_msg(tcpd_t) - -miscfiles_read_localization(tcpd_t) - -sysnet_read_config(tcpd_t) - -inetd_domtrans_child(tcpd_t) - -optional_policy(` - nis_use_ypbind(tcpd_t) -') diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc deleted file mode 100644 index a38b9542..00000000 --- a/policy/modules/contrib/tcsd.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/trousers -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) - -/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0) - -/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0) diff --git a/policy/modules/contrib/tcsd.if b/policy/modules/contrib/tcsd.if deleted file mode 100644 index b42ec1d8..00000000 --- a/policy/modules/contrib/tcsd.if +++ /dev/null @@ -1,151 +0,0 @@ -## <summary>TSS Core Services daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to run tcsd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tcsd_domtrans',` - gen_require(` - type tcsd_t, tcsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tcsd_exec_t, tcsd_t) -') - -######################################## -## <summary> -## Execute tcsd init scripts in the -## initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tcsd_initrc_domtrans',` - gen_require(` - type tcsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, tcsd_initrc_exec_t) -') - -######################################## -## <summary> -## Search tcsd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tcsd_search_lib',` - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 tcsd_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## tcsd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tcsd_manage_lib_dirs',` - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) -') - -######################################## -## <summary> -## Read tcsd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tcsd_read_lib_files',` - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## tcsd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tcsd_manage_lib_files',` - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an tcsd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`tcsd_admin',` - gen_require(` - type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t; - ') - - allow $1 tcsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, tcsd_t) - - tcsd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 tcsd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, tcsd_var_lib_t) -') diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te deleted file mode 100644 index ac8213ad..00000000 --- a/policy/modules/contrib/tcsd.te +++ /dev/null @@ -1,50 +0,0 @@ -policy_module(tcsd, 1.0.3) - -######################################## -# -# Declarations -# - -type tcsd_t; -type tcsd_exec_t; -init_daemon_domain(tcsd_t, tcsd_exec_t) - -type tcsd_initrc_exec_t; -init_script_file(tcsd_initrc_exec_t) - -type tcsd_var_lib_t; -files_type(tcsd_var_lib_t) - -######################################## -# -# Local policy -# - -allow tcsd_t self:capability { dac_override setuid }; -allow tcsd_t self:process { signal sigkill }; -allow tcsd_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) -manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) -files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, dir) - -corenet_all_recvfrom_unlabeled(tcsd_t) -corenet_all_recvfrom_netlabel(tcsd_t) -corenet_tcp_sendrecv_generic_if(tcsd_t) -corenet_tcp_sendrecv_generic_node(tcsd_t) -corenet_tcp_bind_generic_node(tcsd_t) - -corenet_sendrecv_tcs_server_packets(tcsd_t) -corenet_tcp_bind_tcs_port(tcsd_t) -corenet_tcp_sendrecv_tcs_port(tcsd_t) - -dev_read_urand(tcsd_t) -dev_rw_tpm(tcsd_t) - -files_read_usr_files(tcsd_t) - -auth_use_nsswitch(tcsd_t) - -logging_send_syslog_msg(tcsd_t) - -miscfiles_read_localization(tcsd_t) diff --git a/policy/modules/contrib/telepathy.fc b/policy/modules/contrib/telepathy.fc deleted file mode 100644 index c7de0cf9..00000000 --- a/policy/modules/contrib/telepathy.fc +++ /dev/null @@ -1,34 +0,0 @@ -HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0) -HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) -HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) -HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) -HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) -HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0) -HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0) -HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0) -HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0) -HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) - -/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0) -/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) -/usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0) -/usr/lib/telepathy/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) -/usr/lib/telepathy/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0) -/usr/lib/telepathy/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) -/usr/lib/telepathy/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t,s0) -/usr/lib/telepathy/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) -/usr/lib/telepathy/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) -/usr/lib/telepathy/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0) -/usr/lib/telepathy/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0) - -/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0) -/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) -/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0) -/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) -/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0) -/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) -/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) -/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) -/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) -/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0) -/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0) diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if deleted file mode 100644 index 42946bc1..00000000 --- a/policy/modules/contrib/telepathy.if +++ /dev/null @@ -1,219 +0,0 @@ -## <summary>Telepathy communications framework.</summary> - -####################################### -## <summary> -## The template to define a telepathy domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`telepathy_domain_template',` - gen_require(` - attribute telepathy_domain, telepathy_executable, telepathy_tmp_content; - ') - - type telepathy_$1_t, telepathy_domain; - type telepathy_$1_exec_t, telepathy_executable; - userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t) - - type telepathy_$1_tmp_t, telepathy_tmp_content; - userdom_user_tmp_file(telepathy_$1_tmp_t) - - auth_use_nsswitch(telepathy_$1_t) -') - -####################################### -## <summary> -## The role template for the telepathy module. -## </summary> -## <desc> -## <p> -## This template creates a derived domains which are used -## for window manager applications. -## </p> -## </desc> -## <param name="role_prefix"> -## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## </summary> -## </param> -## <param name="user_role"> -## <summary> -## The role associated with the user domain. -## </summary> -## </param> -## <param name="user_domain"> -## <summary> -## The type of the user domain. -## </summary> -## </param> -# -template(`telepathy_role_template',` - gen_require(` - attribute telepathy_domain, telepathy_tmp_content; - type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; - type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; - type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; - type telepathy_sofiasip_exec_t, telepathy_idle_exec_t; - type telepathy_logger_t, telepathy_logger_exec_t; - type telepathy_mission_control_exec_t, telepathy_salut_exec_t; - type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; - type telepathy_msn_exec_t; - - type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t; - type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t; - type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t; - ') - - role $2 types telepathy_domain; - - allow $3 telepathy_domain:process { ptrace signal_perms }; - ps_process_pattern($3, telepathy_domain) - - telepathy_gabble_stream_connect($3) - telepathy_msn_stream_connect($3) - telepathy_salut_stream_connect($3) - - dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t) - dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) - dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t) - dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t) - dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t) - dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t) - dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t) - dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) - dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t) - - allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; - - allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms }; - allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms }; - allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms }; - - filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") - # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky") - - filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") - # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger") - - userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control") - filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") - # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections") - - userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") - - # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy") - # gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy") - - allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms }; - allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms }; - allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -') - -######################################## -## <summary> -## Connect to gabble with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`telepathy_gabble_stream_connect',` - gen_require(` - type telepathy_gabble_t, telepathy_gabble_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) -') - -######################################## -## <summary> -## Send dbus messages to and from -## gabble. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`telepathy_gabble_dbus_chat',` - gen_require(` - type telepathy_gabble_t; - class dbus send_msg; - ') - - allow $1 telepathy_gabble_t:dbus send_msg; - allow telepathy_gabble_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Read mission control process state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`telepathy_mission_control_read_state',` - gen_require(` - type telepathy_mission_control_t; - ') - - kernel_search_proc($1) - allow $1 telepathy_mission_control_t:dir list_dir_perms; - allow $1 telepathy_mission_control_t:file read_file_perms; - allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms; -') - -####################################### -## <summary> -## Connect to msn with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`telepathy_msn_stream_connect',` - gen_require(` - type telepathy_msn_t, telepathy_msn_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) -') - -######################################## -## <summary> -## Connect to salut with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`telepathy_salut_stream_connect',` - gen_require(` - type telepathy_salut_t, telepathy_salut_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) -') diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te deleted file mode 100644 index e9c09642..00000000 --- a/policy/modules/contrib/telepathy.te +++ /dev/null @@ -1,482 +0,0 @@ -policy_module(telepathy, 1.3.5) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether telepathy connection -## managers can connect to generic tcp ports. -## </p> -## </desc> -gen_tunable(telepathy_tcp_connect_generic_network_ports, false) - -## <desc> -## <p> -## Determine whether telepathy connection -## managers can connect to any port. -## </p> -## </desc> -gen_tunable(telepathy_connect_all_ports, false) - -attribute telepathy_domain; -attribute telepathy_executable; -attribute telepathy_tmp_content; - -telepathy_domain_template(gabble) - -type telepathy_cache_home_t; -userdom_user_home_content(telepathy_cache_home_t) - -type telepathy_gabble_cache_home_t; -userdom_user_home_content(telepathy_gabble_cache_home_t) - -telepathy_domain_template(idle) -telepathy_domain_template(logger) - -type telepathy_data_home_t; -userdom_user_home_content(telepathy_data_home_t) - -type telepathy_logger_cache_home_t; -userdom_user_home_content(telepathy_logger_cache_home_t) - -type telepathy_logger_data_home_t; -userdom_user_home_content(telepathy_logger_data_home_t) - -telepathy_domain_template(mission_control) - -type telepathy_mission_control_home_t; -userdom_user_home_content(telepathy_mission_control_home_t) - -type telepathy_mission_control_data_home_t; -userdom_user_home_content(telepathy_mission_control_data_home_t) - -type telepathy_mission_control_cache_home_t; -userdom_user_home_content(telepathy_mission_control_cache_home_t) - -telepathy_domain_template(msn) -telepathy_domain_template(salut) -telepathy_domain_template(sofiasip) -telepathy_domain_template(stream_engine) -telepathy_domain_template(sunshine) - -type telepathy_sunshine_home_t; -userdom_user_home_content(telepathy_sunshine_home_t) - -####################################### -# -# Gabble local policy -# - -allow telepathy_gabble_t self:tcp_socket { accept listen }; -allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto }; - -# ~/.cache/telepathy/gabble/caps-cache.db-journal -manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") -# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky") - -manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) -manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) -files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) - -corenet_all_recvfrom_unlabeled(telepathy_gabble_t) -corenet_all_recvfrom_netlabel(telepathy_gabble_t) -corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) -corenet_tcp_sendrecv_generic_node(telepathy_gabble_t) - -corenet_sendrecv_http_client_packets(telepathy_gabble_t) -corenet_tcp_connect_http_port(telepathy_gabble_t) -corenet_tcp_sendrecv_http_port(telepathy_gabble_t) - -corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) -corenet_tcp_connect_jabber_client_port(telepathy_gabble_t) -corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t) - -corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) -corenet_tcp_connect_vnc_port(telepathy_gabble_t) -corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t) - -dev_read_rand(telepathy_gabble_t) - -files_read_config_files(telepathy_gabble_t) -files_read_usr_files(telepathy_gabble_t) - -miscfiles_read_all_certs(telepathy_gabble_t) - -tunable_policy(`telepathy_connect_all_ports',` - corenet_sendrecv_all_client_packets(telepathy_gabble_t) - corenet_tcp_connect_all_ports(telepathy_gabble_t) - corenet_tcp_sendrecv_all_ports(telepathy_gabble_t) -') - -tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_gabble_t) - corenet_tcp_connect_generic_port(telepathy_gabble_t) - corenet_tcp_sendrecv_generic_port(telepathy_gabble_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_gabble_t) - fs_manage_nfs_files(telepathy_gabble_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_gabble_t) - fs_manage_cifs_files(telepathy_gabble_t) -') - -optional_policy(` - dbus_system_bus_client(telepathy_gabble_t) -') - -# optional_policy(` - # ~/.config/dconf/user - # gnome_manage_generic_home_content(telepathy_gabble_t) -# ') - -####################################### -# -# Idle local policy -# - -corenet_all_recvfrom_netlabel(telepathy_idle_t) -corenet_all_recvfrom_unlabeled(telepathy_idle_t) -corenet_tcp_sendrecv_generic_if(telepathy_idle_t) -corenet_tcp_sendrecv_generic_node(telepathy_idle_t) - -corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t) -corenet_tcp_connect_gatekeeper_port(telepathy_idle_t) -corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t) - -corenet_sendrecv_ircd_client_packets(telepathy_idle_t) -corenet_tcp_connect_ircd_port(telepathy_idle_t) -corenet_tcp_sendrecv_ircd_port(telepathy_idle_t) - -dev_read_rand(telepathy_idle_t) - -files_read_usr_files(telepathy_idle_t) - -tunable_policy(`telepathy_connect_all_ports',` - corenet_sendrecv_all_client_packets(telepathy_idle_t) - corenet_tcp_connect_all_ports(telepathy_idle_t) - corenet_tcp_sendrecv_all_ports(telepathy_idle_t) -') - -tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_idle_t) - corenet_tcp_connect_generic_port(telepathy_idle_t) - corenet_tcp_sendrecv_generic_port(telepathy_idle_t) -') - -####################################### -# -# Logger local policy -# - -allow telepathy_logger_t self:unix_stream_socket create_socket_perms; - -manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) -manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) -filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") - -manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) -manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) -# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger") - -files_read_usr_files(telepathy_logger_t) -files_search_pids(telepathy_logger_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_logger_t) - fs_manage_nfs_files(telepathy_logger_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_logger_t) - fs_manage_cifs_files(telepathy_logger_t) -') - -# optional_policy(` - # ~/.config/dconf/user - # gnome_manage_generic_home_content(telepathy_logger_t) -# ') - -####################################### -# -# Mission-Control local policy -# - -allow telepathy_mission_control_t self:process setsched; - -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control") - -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) -manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) -filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") - -manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) -# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections") - -dev_read_rand(telepathy_mission_control_t) - -files_list_tmp(telepathy_mission_control_t) -files_read_usr_files(telepathy_mission_control_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_mission_control_t) - fs_manage_nfs_files(telepathy_mission_control_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_mission_control_t) - fs_manage_cifs_files(telepathy_mission_control_t) -') - -optional_policy(` - dbus_system_bus_client(telepathy_mission_control_t) - - optional_policy(` - devicekit_dbus_chat_power(telepathy_mission_control_t) - ') - optional_policy(` - gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t) - ') - optional_policy(` - networkmanager_dbus_chat(telepathy_mission_control_t) - ') -') - -# optional_policy(` - # ~/.config/dconf/user - # gnome_manage_generic_home_content(telepathy_mission_control_t) -# ') - -####################################### -# -# Butterfly and Haze local policy -# - -allow telepathy_msn_t self:process setsched; - -manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) - -userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) - -can_exec(telepathy_msn_t, telepathy_msn_tmp_t) - -corenet_all_recvfrom_netlabel(telepathy_msn_t) -corenet_all_recvfrom_unlabeled(telepathy_msn_t) -corenet_tcp_sendrecv_generic_if(telepathy_msn_t) -corenet_tcp_sendrecv_generic_node(telepathy_msn_t) - -corenet_sendrecv_http_client_packets(telepathy_msn_t) -corenet_tcp_connect_http_port(telepathy_msn_t) -corenet_tcp_sendrecv_http_port(telepathy_msn_t) - -corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) -corenet_tcp_connect_mmcc_port(telepathy_msn_t) -corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t) - -corenet_sendrecv_msnp_client_packets(telepathy_msn_t) -corenet_tcp_connect_msnp_port(telepathy_msn_t) -corenet_tcp_sendrecv_msnp_port(telepathy_msn_t) - -corenet_sendrecv_sip_client_packets(telepathy_msn_t) -corenet_tcp_connect_sip_port(telepathy_msn_t) -corenet_tcp_sendrecv_sip_port(telepathy_msn_t) - -corecmd_exec_bin(telepathy_msn_t) -corecmd_exec_shell(telepathy_msn_t) - -files_read_usr_files(telepathy_msn_t) - -init_read_state(telepathy_msn_t) - -libs_exec_ldconfig(telepathy_msn_t) - -logging_send_syslog_msg(telepathy_msn_t) - -miscfiles_read_all_certs(telepathy_msn_t) - -# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) - -tunable_policy(`telepathy_connect_all_ports',` - corenet_sendrecv_all_client_packets(telepathy_msn_t) - corenet_tcp_connect_all_ports(telepathy_msn_t) - corenet_tcp_sendrecv_all_ports(telepathy_msn_t) -') - -tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_msn_t) - corenet_tcp_connect_generic_port(telepathy_msn_t) - corenet_tcp_sendrecv_generic_port(telepathy_msn_t) -') - -optional_policy(` - dbus_system_bus_client(telepathy_msn_t) - - optional_policy(` - networkmanager_dbus_chat(telepathy_msn_t) - ') -') - -# optional_policy(` - # ~/.config/dconf/user - # gnome_manage_generic_home_content(telepathy_msn_t) -# ') - -####################################### -# -# Salut local policy -# - -allow telepathy_salut_t self:tcp_socket { accept listen }; - -manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) -files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) - -corenet_all_recvfrom_netlabel(telepathy_salut_t) -corenet_all_recvfrom_unlabeled(telepathy_salut_t) -corenet_tcp_sendrecv_generic_if(telepathy_salut_t) -corenet_tcp_sendrecv_generic_node(telepathy_salut_t) -corenet_tcp_bind_generic_node(telepathy_salut_t) - -corenet_sendrecv_presence_server_packets(telepathy_salut_t) -corenet_tcp_bind_presence_port(telepathy_salut_t) -corenet_sendrecv_presence_client_packets(telepathy_salut_t) -corenet_tcp_connect_presence_port(telepathy_salut_t) -corenet_tcp_sendrecv_presence_port(telepathy_salut_t) - -tunable_policy(`telepathy_connect_all_ports',` - corenet_sendrecv_all_client_packets(telepathy_salut_t) - corenet_tcp_connect_all_ports(telepathy_salut_t) - corenet_tcp_sendrecv_all_ports(telepathy_salut_t) -') - -tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_salut_t) - corenet_tcp_connect_generic_port(telepathy_salut_t) - corenet_tcp_sendrecv_generic_port(telepathy_salut_t) -') - -optional_policy(` - dbus_system_bus_client(telepathy_salut_t) - - optional_policy(` - avahi_dbus_chat(telepathy_salut_t) - ') -') - -####################################### -# -# Sofiasip local policy -# - -allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms; -allow telepathy_sofiasip_t self:tcp_socket { accept listen }; - -corenet_all_recvfrom_netlabel(telepathy_sofiasip_t) -corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t) -corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t) -corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t) -corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t) -corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t) -corenet_tcp_bind_generic_node(telepathy_sofiasip_t) -corenet_raw_bind_generic_node(telepathy_sofiasip_t) - -corenet_sendrecv_all_server_packets(telepathy_sofiasip_t) -corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t) -corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) - -corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t) - -corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) -corenet_tcp_connect_sip_port(telepathy_sofiasip_t) -corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t) - -kernel_request_load_module(telepathy_sofiasip_t) - -tunable_policy(`telepathy_connect_all_ports',` - corenet_sendrecv_all_client_packets(telepathy_sofiasip_t) - corenet_tcp_connect_all_ports(telepathy_sofiasip_t) - corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) -') - -tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t) - corenet_tcp_connect_generic_port(telepathy_sofiasip_t) - corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t) -') - -####################################### -# -# Sunshine local policy -# - -manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) -manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) -userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") - -manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) -files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) - -can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t) - -corecmd_exec_bin(telepathy_sunshine_t) - -files_read_usr_files(telepathy_sunshine_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_sunshine_t) - fs_manage_nfs_files(telepathy_sunshine_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_sunshine_t) - fs_manage_cifs_files(telepathy_sunshine_t) -') - -optional_policy(` - xserver_read_xdm_pid(telepathy_sunshine_t) - xserver_stream_connect(telepathy_sunshine_t) -') - -####################################### -# -# Common telepathy domain local policy -# - -allow telepathy_domain self:process { getsched signal sigkill }; -allow telepathy_domain self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t) -# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") - -manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t) -# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy") - -dev_read_urand(telepathy_domain) - -kernel_read_system_state(telepathy_domain) - -fs_getattr_all_fs(telepathy_domain) -fs_search_auto_mountpoints(telepathy_domain) - -miscfiles_read_localization(telepathy_domain) - -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(telepathy_domain) -') - -optional_policy(` - xserver_rw_xdm_pipes(telepathy_domain) -') diff --git a/policy/modules/contrib/telnet.fc b/policy/modules/contrib/telnet.fc deleted file mode 100644 index 3d7d07aa..00000000 --- a/policy/modules/contrib/telnet.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0) - -/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0) diff --git a/policy/modules/contrib/telnet.if b/policy/modules/contrib/telnet.if deleted file mode 100644 index 42a17ca3..00000000 --- a/policy/modules/contrib/telnet.if +++ /dev/null @@ -1,20 +0,0 @@ -## <summary>Telnet daemon.</summary> - -######################################## -## <summary> -## Read and write telnetd pty devices. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`telnet_use_ptys',` - gen_require(` - type telnetd_devpts_t; - ') - - term_list_ptys($1) - allow $1 telnetd_devpts_t:chr_file rw_term_perms; -') diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te deleted file mode 100644 index 9f899161..00000000 --- a/policy/modules/contrib/telnet.te +++ /dev/null @@ -1,95 +0,0 @@ -policy_module(telnet, 1.10.2) - -######################################## -# -# Declarations -# - -type telnetd_t; -type telnetd_exec_t; -inetd_service_domain(telnetd_t, telnetd_exec_t) - -type telnetd_devpts_t; -term_login_pty(telnetd_devpts_t) - -type telnetd_tmp_t; -files_tmp_file(telnetd_tmp_t) - -type telnetd_var_run_t; -files_pid_file(telnetd_var_run_t) - -######################################## -# -# Local policy -# - -allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; -allow telnetd_t self:process signal_perms; -allow telnetd_t self:fifo_file rw_fifo_file_perms; - -allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; -term_create_pty(telnetd_t, telnetd_devpts_t) - -manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) -manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) -files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) - -manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) -files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) - -kernel_read_kernel_sysctls(telnetd_t) -kernel_read_system_state(telnetd_t) -kernel_read_network_state(telnetd_t) - -corenet_all_recvfrom_unlabeled(telnetd_t) -corenet_all_recvfrom_netlabel(telnetd_t) -corenet_tcp_sendrecv_generic_if(telnetd_t) -corenet_udp_sendrecv_generic_if(telnetd_t) -corenet_tcp_sendrecv_generic_node(telnetd_t) -corenet_udp_sendrecv_generic_node(telnetd_t) -corenet_tcp_sendrecv_all_ports(telnetd_t) -corenet_udp_sendrecv_all_ports(telnetd_t) - -corecmd_search_bin(telnetd_t) - -dev_read_urand(telnetd_t) - -domain_interactive_fd(telnetd_t) - -files_read_usr_files(telnetd_t) -files_read_etc_runtime_files(telnetd_t) -files_search_home(telnetd_t) - -fs_getattr_xattr_fs(telnetd_t) - -auth_rw_login_records(telnetd_t) -auth_use_nsswitch(telnetd_t) - -init_rw_utmp(telnetd_t) - -logging_send_syslog_msg(telnetd_t) - -miscfiles_read_localization(telnetd_t) - -seutil_read_config(telnetd_t) - -userdom_search_user_home_dirs(telnetd_t) -userdom_setattr_user_ptys(telnetd_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_search_nfs(telnetd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_search_cifs(telnetd_t) -') - -optional_policy(` - kerberos_keytab_template(telnetd, telnetd_t) - kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0") - kerberos_manage_host_rcache(telnetd_t) -') - -optional_policy(` - remotelogin_domtrans(telnetd_t) -') diff --git a/policy/modules/contrib/tftp.fc b/policy/modules/contrib/tftp.fc deleted file mode 100644 index 93a5bf40..00000000 --- a/policy/modules/contrib/tftp.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0) - -/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) -/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) - -/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) -/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) - -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if deleted file mode 100644 index 9957e300..00000000 --- a/policy/modules/contrib/tftp.if +++ /dev/null @@ -1,178 +0,0 @@ -## <summary>Trivial file transfer protocol daemon.</summary> - -######################################## -## <summary> -## Read tftp content files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tftp_read_content',` - gen_require(` - type tftpdir_t; - ') - - files_search_var_lib($1) - allow $1 tftpdir_t:dir list_dir_perms; - allow $1 tftpdir_t:file read_file_perms; - allow $1 tftpdir_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## tftp rw content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tftp_manage_rw_content',` - gen_require(` - type tftpdir_rw_t; - ') - - files_search_var_lib($1) - allow $1 tftpdir_rw_t:dir manage_dir_perms; - allow $1 tftpdir_rw_t:file manage_file_perms; - allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## <summary> -## Read tftpd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tftp_read_config_files',` - gen_require(` - type tftpd_conf_t; - ') - - files_search_etc($1) - allow $1 tftpd_conf_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## tftpd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tftp_manage_config_files',` - gen_require(` - type tftpd_conf_t; - ') - - files_search_etc($1) - allow $1 tftpd_conf_t:file manage_file_perms; -') - -######################################## -## <summary> -## Create objects in etc directories -## with tftp conf type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`tftp_etc_filetrans_config',` - gen_require(` - type tftp_conf_t; - ') - - files_etc_filetrans($1, tftp_conf_t, $2, $3) -') - -######################################## -## <summary> -## Create objects in tftpdir directories -## with a private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## Private file type. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`tftp_filetrans_tftpdir',` - gen_require(` - type tftpdir_rw_t; - ') - - files_search_var_lib($1) - filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an tftp environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`tftp_admin',` - gen_require(` - type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; - type tftpd_conf_t; - ') - - allow $1 tftpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, tftpd_t) - - files_search_etc($1) - admin_pattern($1, tftpd_conf_t) - - files_search_var_lib($1) - admin_pattern($1, { tftpdir_t tftpdir_rw_t }) - - files_list_pids($1) - admin_pattern($1, tftpd_var_run_t) -') diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te deleted file mode 100644 index f455e70b..00000000 --- a/policy/modules/contrib/tftp.te +++ /dev/null @@ -1,140 +0,0 @@ -policy_module(tftp, 1.12.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether tftp can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -## </p> -## </desc> -gen_tunable(tftp_anon_write, false) - -## <desc> -## <p> -## Determine whether tftp can manage -## generic user home content. -## </p> -## </desc> -gen_tunable(tftp_enable_homedir, false) - -type tftpd_t; -type tftpd_exec_t; -init_daemon_domain(tftpd_t, tftpd_exec_t) - -type tftpd_conf_t; -files_config_file(tftpd_conf_t) - -type tftpd_var_run_t; -files_pid_file(tftpd_var_run_t) - -type tftpdir_t; -files_type(tftpdir_t) - -type tftpdir_rw_t; -files_type(tftpdir_rw_t) - -######################################## -# -# Local policy -# - -allow tftpd_t self:capability { setgid setuid sys_chroot }; -dontaudit tftpd_t self:capability sys_tty_config; -allow tftpd_t self:tcp_socket { accept listen }; -allow tftpd_t self:unix_stream_socket { accept listen }; - -allow tftpd_t tftpd_conf_t:file read_file_perms; - -allow tftpd_t tftpdir_t:dir list_dir_perms; -allow tftpd_t tftpdir_t:file read_file_perms; -allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) - -manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) -files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) - -kernel_read_system_state(tftpd_t) -kernel_read_kernel_sysctls(tftpd_t) - -corenet_all_recvfrom_unlabeled(tftpd_t) -corenet_all_recvfrom_netlabel(tftpd_t) -corenet_udp_sendrecv_generic_if(tftpd_t) -corenet_udp_sendrecv_generic_node(tftpd_t) -corenet_udp_bind_generic_node(tftpd_t) - -corenet_sendrecv_tftp_server_packets(tftpd_t) -corenet_udp_bind_tftp_port(tftpd_t) -corenet_udp_sendrecv_tftp_port(tftpd_t) - -dev_read_sysfs(tftpd_t) - -domain_use_interactive_fds(tftpd_t) - -files_read_etc_runtime_files(tftpd_t) -files_read_var_files(tftpd_t) -files_read_var_symlinks(tftpd_t) -files_search_var(tftpd_t) - -fs_getattr_all_fs(tftpd_t) -fs_search_auto_mountpoints(tftpd_t) - -auth_use_nsswitch(tftpd_t) - -logging_send_syslog_msg(tftpd_t) - -miscfiles_read_localization(tftpd_t) -miscfiles_read_public_files(tftpd_t) - -userdom_dontaudit_use_unpriv_user_fds(tftpd_t) -userdom_dontaudit_use_user_terminals(tftpd_t) -userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file }) - -tunable_policy(`tftp_anon_write',` - miscfiles_manage_public_files(tftpd_t) -') - -tunable_policy(`tftp_enable_homedir',` - allow tftpd_t self:capability { dac_override dac_read_search }; - - files_list_home(tftpd_t) - userdom_manage_user_home_content_dirs(tftpd_t) - userdom_manage_user_home_content_files(tftpd_t) - userdom_manage_user_home_content_symlinks(tftpd_t) -') - -tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',` - fs_manage_nfs_dirs(tftpd_t) - fs_manage_nfs_files(tftpd_t) - fs_read_nfs_symlinks(tftpd_t) -') - -tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',` - fs_manage_cifs_dirs(tftpd_t) - fs_manage_cifs_files(tftpd_t) - fs_read_cifs_symlinks(tftpd_t) -') - -optional_policy(` - cobbler_read_lib_files(tftpd_t) -') - -optional_policy(` - inetd_udp_service_domain(tftpd_t, tftpd_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(tftpd_t) -') - -optional_policy(` - udev_read_db(tftpd_t) -') diff --git a/policy/modules/contrib/tgtd.fc b/policy/modules/contrib/tgtd.fc deleted file mode 100644 index 38389e67..00000000 --- a/policy/modules/contrib/tgtd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) - -/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) - -/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) - -/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if deleted file mode 100644 index 5406b6ee..00000000 --- a/policy/modules/contrib/tgtd.if +++ /dev/null @@ -1,102 +0,0 @@ -## <summary>Linux Target Framework Daemon.</summary> - -##################################### -## <summary> -## Read and write tgtd semaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tgtd_rw_semaphores',` - gen_require(` - type tgtd_t; - ') - - allow $1 tgtd_t:sem rw_sem_perms; -') - -###################################### -## <summary> -## Create, read, write, and delete -## tgtd sempaphores. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tgtd_manage_semaphores',` - gen_require(` - type tgtd_t; - ') - - allow $1 tgtd_t:sem create_sem_perms; -') - -###################################### -## <summary> -## Connect to tgtd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tgtd_stream_connect',` - gen_require(` - type tgtd_t, tgtd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an tgtd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`tgtd_admin',` - gen_require(` - type tgtd_t, tgtd_initrc_exec_t, tgtd_var_lib_t; - type tgtd_var_run_t, tgtd_tmp_t, tgtd_tmpfs_t; - ') - - allow $1 tgtd_t:process { ptrace signal_perms }; - ps_process_pattern($1, tgtd_t) - - init_labeled_script_domtrans($1, tgtd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 tgtd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, tgtd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, tgtd_var_run_t) - - files_search_tmp($1) - admin_pattern($1, tgtd_tmp_t) - - files_search_tmpfs($1) - admin_pattern($1, tgtd_tmpfs_t) -') diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te deleted file mode 100644 index c93c973a..00000000 --- a/policy/modules/contrib/tgtd.te +++ /dev/null @@ -1,84 +0,0 @@ -policy_module(tgtd, 1.2.3) - -######################################## -# -# Declarations -# - -type tgtd_t; -type tgtd_exec_t; -init_daemon_domain(tgtd_t, tgtd_exec_t) - -type tgtd_initrc_exec_t; -init_script_file(tgtd_initrc_exec_t) - -type tgtd_tmp_t; -files_tmp_file(tgtd_tmp_t) - -type tgtd_tmpfs_t; -files_tmpfs_file(tgtd_tmpfs_t) - -type tgtd_var_lib_t; -files_type(tgtd_var_lib_t) - -type tgtd_var_run_t; -files_pid_file(tgtd_var_run_t) - -######################################## -# -# Local policy -# - -allow tgtd_t self:capability sys_resource; -allow tgtd_t self:capability2 block_suspend; -allow tgtd_t self:process { setrlimit signal }; -allow tgtd_t self:fifo_file rw_fifo_file_perms; -allow tgtd_t self:netlink_route_socket r_netlink_socket_perms; -allow tgtd_t self:shm create_shm_perms; -allow tgtd_t self:sem create_sem_perms; -allow tgtd_t self:tcp_socket create_stream_socket_perms; -allow tgtd_t self:udp_socket create_socket_perms; - -manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t) -files_tmp_filetrans(tgtd_t, tgtd_tmp_t, sock_file) - -manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t) -fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file) - -manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) -manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) -files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) - -manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) -manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) -manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) -files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) - -kernel_read_system_state(tgtd_t) -kernel_read_fs_sysctls(tgtd_t) - -corenet_all_recvfrom_netlabel(tgtd_t) -corenet_all_recvfrom_unlabeled(tgtd_t) -corenet_tcp_sendrecv_generic_if(tgtd_t) -corenet_tcp_sendrecv_generic_node(tgtd_t) -corenet_tcp_bind_generic_node(tgtd_t) - -corenet_sendrecv_iscsi_server_packets(tgtd_t) -corenet_tcp_bind_iscsi_port(tgtd_t) -corenet_tcp_sendrecv_iscsi_port(tgtd_t) - -dev_read_sysfs(tgtd_t) - -files_read_etc_files(tgtd_t) - -fs_read_anon_inodefs_files(tgtd_t) - -storage_manage_fixed_disk(tgtd_t) - -logging_send_syslog_msg(tgtd_t) - -miscfiles_read_localization(tgtd_t) - -optional_policy(` - iscsi_manage_semaphores(tgtd_t) -') diff --git a/policy/modules/contrib/thunderbird.fc b/policy/modules/contrib/thunderbird.fc deleted file mode 100644 index c01805ad..00000000 --- a/policy/modules/contrib/thunderbird.fc +++ /dev/null @@ -1,3 +0,0 @@ -HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0) - -/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) diff --git a/policy/modules/contrib/thunderbird.if b/policy/modules/contrib/thunderbird.if deleted file mode 100644 index 9c5f0b91..00000000 --- a/policy/modules/contrib/thunderbird.if +++ /dev/null @@ -1,59 +0,0 @@ -## <summary>Thunderbird email client.</summary> - -######################################## -## <summary> -## Role access for thunderbird. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`thunderbird_role',` - gen_require(` - attribute_role thunderbird_roles; - type thunderbird_t, thunderbird_exec_t, thunderbird_home_t; - type thunderbird_tmpfs_t; - ') - - roleattribute $1 thunderbird_roles; - - domtrans_pattern($2, thunderbird_exec_t, thunderbird_t) - - stream_connect_pattern($2, thunderbird_tmpfs_t, thunderbird_tmpfs_t, thunderbird_t) - - allow thunderbird_t $2:unix_stream_socket connectto; - - allow $2 thunderbird_t:process { ptrace signal_perms }; - ps_process_pattern($2, thunderbird_t) - - allow $2 thunderbird_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 thunderbird_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 thunderbird_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, thunderbird_home_t, dir, ".thunderbird") -') - -######################################## -## <summary> -## Execute thunderbird in the thunderbird domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`thunderbird_domtrans',` - gen_require(` - type thunderbird_t, thunderbird_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, thunderbird_exec_t, thunderbird_t) -') diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te deleted file mode 100644 index 4257ede6..00000000 --- a/policy/modules/contrib/thunderbird.te +++ /dev/null @@ -1,168 +0,0 @@ -policy_module(thunderbird, 2.3.4) - -######################################## -# -# Declarations -# - -attribute_role thunderbird_roles; - -type thunderbird_t; -type thunderbird_exec_t; -typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t }; -typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t }; -userdom_user_application_domain(thunderbird_t, thunderbird_exec_t) -role thunderbird_roles types thunderbird_t; - -type thunderbird_home_t; -typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t }; -typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t }; -userdom_user_home_content(thunderbird_home_t) - -type thunderbird_tmpfs_t; -typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t }; -typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t }; -userdom_user_tmpfs_file(thunderbird_tmpfs_t) - -######################################## -# -# Local policy -# - -allow thunderbird_t self:capability sys_nice; -allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack }; -allow thunderbird_t self:fifo_file rw_fifo_file_perms; -allow thunderbird_t self:unix_dgram_socket create_socket_perms; -allow thunderbird_t self:unix_stream_socket create_stream_socket_perms; -allow thunderbird_t self:shm create_shm_perms; - -manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) -manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) -manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) -userdom_user_home_dir_filetrans(thunderbird_t, thunderbird_home_t, dir, ".thunderbird") - -manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -kernel_read_network_state(thunderbird_t) -kernel_read_net_sysctls(thunderbird_t) -kernel_read_system_state(thunderbird_t) - -corecmd_exec_shell(thunderbird_t) - -corenet_all_recvfrom_unlabeled(thunderbird_t) -corenet_all_recvfrom_netlabel(thunderbird_t) -corenet_tcp_sendrecv_generic_if(thunderbird_t) -corenet_tcp_sendrecv_generic_node(thunderbird_t) - -corenet_sendrecv_ipp_client_packets(thunderbird_t) -corenet_tcp_connect_ipp_port(thunderbird_t) -corenet_tcp_sendrecv_ipp_port(thunderbird_t) - -corenet_sendrecv_innd_client_packets(thunderbird_t) -corenet_tcp_connect_innd_port(thunderbird_t) -corenet_tcp_sendrecv_innd_port(thunderbird_t) - -corenet_sendrecv_smtp_client_packets(thunderbird_t) -corenet_tcp_connect_smtp_port(thunderbird_t) -corenet_tcp_sendrecv_smtp_port(thunderbird_t) - -corenet_sendrecv_pop_client_packets(thunderbird_t) -corenet_tcp_connect_pop_port(thunderbird_t) -corenet_tcp_sendrecv_pop_port(thunderbird_t) - -corenet_sendrecv_http_client_packets(thunderbird_t) -corenet_tcp_connect_http_port(thunderbird_t) -corenet_tcp_sendrecv_http_port(thunderbird_t) - -dev_read_urand(thunderbird_t) -dev_dontaudit_search_sysfs(thunderbird_t) - -files_list_tmp(thunderbird_t) -files_read_usr_files(thunderbird_t) -files_read_etc_runtime_files(thunderbird_t) -files_read_var_files(thunderbird_t) -files_read_var_symlinks(thunderbird_t) -files_dontaudit_getattr_all_tmp_files(thunderbird_t) -files_dontaudit_getattr_boot_dirs(thunderbird_t) -files_dontaudit_getattr_lost_found_dirs(thunderbird_t) -files_dontaudit_search_mnt(thunderbird_t) - -fs_getattr_all_fs(thunderbird_t) -fs_list_inotifyfs(thunderbird_t) -fs_search_auto_mountpoints(thunderbird_t) - -auth_use_nsswitch(thunderbird_t) - -miscfiles_read_fonts(thunderbird_t) -miscfiles_read_localization(thunderbird_t) - -userdom_write_user_tmp_sockets(thunderbird_t) - -userdom_manage_user_tmp_dirs(thunderbird_t) -userdom_manage_user_tmp_files(thunderbird_t) - -userdom_manage_user_home_content_dirs(thunderbird_t) -userdom_manage_user_home_content_files(thunderbird_t) -userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file }) - -xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) -xserver_read_xdm_tmp_files(thunderbird_t) -xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(thunderbird_t) - fs_manage_nfs_files(thunderbird_t) - fs_manage_nfs_symlinks(thunderbird_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(thunderbird_t) - fs_manage_cifs_files(thunderbird_t) - fs_manage_cifs_symlinks(thunderbird_t) -') - -ifndef(`enable_mls',` - fs_search_removable(thunderbird_t) - fs_read_removable_files(thunderbird_t) - fs_read_removable_symlinks(thunderbird_t) -') - -optional_policy(` - dbus_system_bus_client(thunderbird_t) - dbus_all_session_bus_client(thunderbird_t) - - optional_policy(` - cups_dbus_chat(thunderbird_t) - ') - - optional_policy(` - mozilla_dbus_chat(thunderbird_t) - ') -') - -optional_policy(` - cups_read_rw_config(thunderbird_t) -') - -optional_policy(` - gnome_stream_connect_gconf(thunderbird_t) - gnome_domtrans_gconfd(thunderbird_t) - gnome_manage_generic_home_content(thunderbird_t) -') - -optional_policy(` - gpg_domtrans(thunderbird_t) -') - -optional_policy(` - lpd_run_lpr(thunderbird_t, thunderbird_roles) -') - -optional_policy(` - mozilla_read_user_home_files(thunderbird_t) - mozilla_domtrans(thunderbird_t) -') diff --git a/policy/modules/contrib/timidity.fc b/policy/modules/contrib/timidity.fc deleted file mode 100644 index 1c703ecb..00000000 --- a/policy/modules/contrib/timidity.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/timidity -- gen_context(system_u:object_r:timidity_exec_t,s0) diff --git a/policy/modules/contrib/timidity.if b/policy/modules/contrib/timidity.if deleted file mode 100644 index b6ff6dc7..00000000 --- a/policy/modules/contrib/timidity.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>MIDI to WAV converter and player configured as a service.</summary> diff --git a/policy/modules/contrib/timidity.te b/policy/modules/contrib/timidity.te deleted file mode 100644 index 67ca5c5c..00000000 --- a/policy/modules/contrib/timidity.te +++ /dev/null @@ -1,75 +0,0 @@ -policy_module(timidity, 1.9.1) - -######################################## -# -# Declarations -# - -type timidity_t; -type timidity_exec_t; -init_daemon_domain(timidity_t, timidity_exec_t) -application_executable_file(timidity_exec_t) - -type timidity_tmpfs_t; -files_tmpfs_file(timidity_tmpfs_t) - -######################################## -# -# Local policy -# - -allow timidity_t self:capability { dac_override dac_read_search }; -dontaudit timidity_t self:capability sys_tty_config; -allow timidity_t self:process { signal_perms getsched }; -allow timidity_t self:shm create_shm_perms; -allow timidity_t self:unix_stream_socket { accept listen }; -allow timidity_t self:tcp_socket create_stream_socket_perms; -allow timidity_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_lnk_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_fifo_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_sock_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(timidity_t) -kernel_read_system_state(timidity_t) - -corenet_all_recvfrom_unlabeled(timidity_t) -corenet_all_recvfrom_netlabel(timidity_t) -corenet_tcp_sendrecv_generic_if(timidity_t) -corenet_udp_sendrecv_generic_if(timidity_t) -corenet_tcp_sendrecv_generic_node(timidity_t) -corenet_udp_sendrecv_generic_node(timidity_t) -corenet_tcp_sendrecv_all_ports(timidity_t) -corenet_udp_sendrecv_all_ports(timidity_t) - -dev_read_sysfs(timidity_t) -dev_read_sound(timidity_t) -dev_write_sound(timidity_t) - -domain_use_interactive_fds(timidity_t) - -files_read_etc_files(timidity_t) -files_read_usr_files(timidity_t) -files_search_tmp(timidity_t) - -fs_search_auto_mountpoints(timidity_t) - -libs_read_lib_files(timidity_t) - -logging_send_syslog_msg(timidity_t) - -sysnet_read_config(timidity_t) - -userdom_dontaudit_use_unpriv_user_fds(timidity_t) -userdom_search_user_home_dirs(timidity_t) - -optional_policy(` - seutil_sigchld_newrole(timidity_t) -') - -optional_policy(` - udev_read_db(timidity_t) -') diff --git a/policy/modules/contrib/tmpreaper.fc b/policy/modules/contrib/tmpreaper.fc deleted file mode 100644 index ed08c94d..00000000 --- a/policy/modules/contrib/tmpreaper.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) -/etc/rc\.d/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) - -/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) -/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) diff --git a/policy/modules/contrib/tmpreaper.if b/policy/modules/contrib/tmpreaper.if deleted file mode 100644 index f621a275..00000000 --- a/policy/modules/contrib/tmpreaper.if +++ /dev/null @@ -1,20 +0,0 @@ -## <summary>Manage temporary directory sizes and file ages.</summary> - -######################################## -## <summary> -## Execute tmpreaper in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tmpreaper_exec',` - gen_require(` - type tmpreaper_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, tmpreaper_exec_t) -') diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te deleted file mode 100644 index a4a949cf..00000000 --- a/policy/modules/contrib/tmpreaper.te +++ /dev/null @@ -1,77 +0,0 @@ -policy_module(tmpreaper, 1.6.3) - -######################################## -# -# Declarations -# - -type tmpreaper_t; -type tmpreaper_exec_t; -init_system_domain(tmpreaper_t, tmpreaper_exec_t) - -######################################## -# -# Local Policy -# - -allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; - -kernel_list_unlabeled(tmpreaper_t) -kernel_read_system_state(tmpreaper_t) - -dev_read_urand(tmpreaper_t) - -fs_getattr_xattr_fs(tmpreaper_t) -fs_list_all(tmpreaper_t) - -files_getattr_all_dirs(tmpreaper_t) -files_getattr_all_files(tmpreaper_t) -files_read_var_lib_files(tmpreaper_t) -files_purge_tmp(tmpreaper_t) -files_setattr_all_tmp_dirs(tmpreaper_t) - -mcs_file_read_all(tmpreaper_t) -mcs_file_write_all(tmpreaper_t) -mls_file_read_all_levels(tmpreaper_t) -mls_file_write_all_levels(tmpreaper_t) - -auth_use_nsswitch(tmpreaper_t) - -logging_send_syslog_msg(tmpreaper_t) - -miscfiles_read_localization(tmpreaper_t) -miscfiles_delete_man_pages(tmpreaper_t) - -ifdef(`distro_redhat',` - userdom_list_all_user_home_content(tmpreaper_t) - userdom_delete_all_user_home_content_dirs(tmpreaper_t) - userdom_delete_all_user_home_content_files(tmpreaper_t) - userdom_delete_all_user_home_content_symlinks(tmpreaper_t) -') - -optional_policy(` - amavis_manage_spool_files(tmpreaper_t) -') - -optional_policy(` - apache_list_cache(tmpreaper_t) - apache_delete_cache_dirs(tmpreaper_t) - apache_delete_cache_files(tmpreaper_t) - apache_setattr_cache_dirs(tmpreaper_t) -') - -optional_policy(` - cron_system_entry(tmpreaper_t, tmpreaper_exec_t) -') - -optional_policy(` - kismet_manage_log(tmpreaper_t) -') - -optional_policy(` - lpd_manage_spool(tmpreaper_t) -') - -optional_policy(` - rpm_manage_cache(tmpreaper_t) -') diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc deleted file mode 100644 index 6b9d4494..00000000 --- a/policy/modules/contrib/tor.fc +++ /dev/null @@ -1,14 +0,0 @@ -/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0) - -/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0) - -/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) - -/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) - -/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) -/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) - -/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0) - -/var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if deleted file mode 100644 index 61c2e07d..00000000 --- a/policy/modules/contrib/tor.if +++ /dev/null @@ -1,64 +0,0 @@ -## <summary>The onion router.</summary> - -######################################## -## <summary> -## Execute a domain transition to run tor. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tor_domtrans',` - gen_require(` - type tor_t, tor_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tor_exec_t, tor_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an tor environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`tor_admin',` - gen_require(` - type tor_t, tor_var_log_t, tor_etc_t; - type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t; - ') - - allow $1 tor_t:process { ptrace signal_perms }; - ps_process_pattern($1, tor_t) - - init_labeled_script_domtrans($1, tor_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 tor_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, tor_etc_t) - - files_list_var_lib($1) - admin_pattern($1, tor_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, tor_var_log_t) - - files_list_pids($1) - admin_pattern($1, tor_var_run_t) -') diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te deleted file mode 100644 index 964a395b..00000000 --- a/policy/modules/contrib/tor.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(tor, 1.8.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether tor can bind -## tcp sockets to all unreserved ports. -## </p> -## </desc> -gen_tunable(tor_bind_all_unreserved_ports, false) - -type tor_t; -type tor_exec_t; -init_daemon_domain(tor_t, tor_exec_t) - -type tor_etc_t; -files_config_file(tor_etc_t) - -type tor_initrc_exec_t; -init_script_file(tor_initrc_exec_t) - -type tor_var_lib_t; -files_type(tor_var_lib_t) - -type tor_var_log_t; -logging_log_file(tor_var_log_t) - -type tor_var_run_t; -files_pid_file(tor_var_run_t) -init_daemon_run_dir(tor_var_run_t, "tor") - -######################################## -# -# Local policy -# - -allow tor_t self:capability { setgid setuid sys_tty_config }; -allow tor_t self:process signal; -allow tor_t self:fifo_file rw_fifo_file_perms; -allow tor_t self:unix_stream_socket { accept listen }; -allow tor_t self:tcp_socket { accept listen }; - -allow tor_t tor_etc_t:dir list_dir_perms; -allow tor_t tor_etc_t:file read_file_perms; -allow tor_t tor_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -files_var_lib_filetrans(tor_t, tor_var_lib_t, dir) - -allow tor_t tor_var_log_t:dir setattr_dir_perms; -append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) -create_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) -setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) -manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) -logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) - -manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t) -manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) -manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) -files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(tor_t) -kernel_read_net_sysctls(tor_t) -kernel_read_system_state(tor_t) - -corenet_all_recvfrom_unlabeled(tor_t) -corenet_all_recvfrom_netlabel(tor_t) -corenet_tcp_sendrecv_generic_if(tor_t) -corenet_udp_sendrecv_generic_if(tor_t) -corenet_tcp_sendrecv_generic_node(tor_t) -corenet_udp_sendrecv_generic_node(tor_t) -corenet_tcp_bind_generic_node(tor_t) -corenet_udp_bind_generic_node(tor_t) - -corenet_sendrecv_dns_server_packets(tor_t) -corenet_udp_bind_dns_port(tor_t) -corenet_udp_sendrecv_dns_port(tor_t) - -corenet_sendrecv_tor_server_packets(tor_t) -corenet_tcp_bind_tor_port(tor_t) -corenet_tcp_sendrecv_tor_port(tor_t) - -corenet_sendrecv_all_client_packets(tor_t) -corenet_tcp_connect_all_ports(tor_t) -corenet_tcp_connect_all_reserved_ports(tor_t) -corenet_tcp_sendrecv_all_ports(tor_t) -corenet_tcp_sendrecv_all_reserved_ports(tor_t) - -dev_read_sysfs(tor_t) -dev_read_urand(tor_t) - -domain_use_interactive_fds(tor_t) - -files_read_etc_runtime_files(tor_t) -files_read_usr_files(tor_t) - -auth_use_nsswitch(tor_t) - -logging_send_syslog_msg(tor_t) - -miscfiles_read_localization(tor_t) - -tunable_policy(`tor_bind_all_unreserved_ports',` - corenet_sendrecv_all_server_packets(tor_t) - corenet_tcp_bind_all_unreserved_ports(tor_t) -') - -optional_policy(` - seutil_sigchld_newrole(tor_t) -') diff --git a/policy/modules/contrib/transproxy.fc b/policy/modules/contrib/transproxy.fc deleted file mode 100644 index 14fdae36..00000000 --- a/policy/modules/contrib/transproxy.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/transproxy -- gen_context(system_u:object_r:transproxy_initrc_exec_t,s0) - -/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0) - -/var/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0) diff --git a/policy/modules/contrib/transproxy.if b/policy/modules/contrib/transproxy.if deleted file mode 100644 index 81a83511..00000000 --- a/policy/modules/contrib/transproxy.if +++ /dev/null @@ -1,35 +0,0 @@ -## <summary>Portable Transparent Proxy Solution.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an transproxy environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`transproxy_admin',` - gen_require(` - type transproxy_t, transproxy_initrc_exec_t, transproxy_var_run_t; - ') - - allow $1 transproxy_t:process { ptrace signal_perms }; - ps_process_pattern($1, transproxy_t) - - init_labeled_script_domtrans($1, transproxy_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 transproxy_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, transproxy_var_run_t) -') diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te deleted file mode 100644 index 20d1a284..00000000 --- a/policy/modules/contrib/transproxy.te +++ /dev/null @@ -1,69 +0,0 @@ -policy_module(transproxy, 1.7.1) - -######################################## -# -# Declarations -# - -type transproxy_t; -type transproxy_exec_t; -init_daemon_domain(transproxy_t, transproxy_exec_t) - -type transproxy_initrc_exec_t; -init_script_file(transproxy_initrc_exec_t) - -type transproxy_var_run_t; -files_pid_file(transproxy_var_run_t) - -######################################## -# -# Local policy -# - -allow transproxy_t self:capability { setgid setuid }; -dontaudit transproxy_t self:capability sys_tty_config; -allow transproxy_t self:process signal_perms; -allow transproxy_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(transproxy_t, transproxy_var_run_t, transproxy_var_run_t) -files_pid_filetrans(transproxy_t, transproxy_var_run_t, file) - -kernel_read_kernel_sysctls(transproxy_t) -kernel_list_proc(transproxy_t) -kernel_read_proc_symlinks(transproxy_t) - -corenet_all_recvfrom_unlabeled(transproxy_t) -corenet_all_recvfrom_netlabel(transproxy_t) -corenet_tcp_sendrecv_generic_if(transproxy_t) -corenet_tcp_sendrecv_generic_node(transproxy_t) -corenet_tcp_bind_generic_node(transproxy_t) - -corenet_sendrecv_transproxy_server_packets(transproxy_t) -corenet_tcp_bind_transproxy_port(transproxy_t) -corenet_tcp_sendrecv_transproxy_port(transproxy_t) - -dev_read_sysfs(transproxy_t) - -domain_use_interactive_fds(transproxy_t) - -files_read_etc_files(transproxy_t) - -fs_getattr_all_fs(transproxy_t) -fs_search_auto_mountpoints(transproxy_t) - -logging_send_syslog_msg(transproxy_t) - -miscfiles_read_localization(transproxy_t) - -sysnet_read_config(transproxy_t) - -userdom_dontaudit_use_unpriv_user_fds(transproxy_t) -userdom_dontaudit_search_user_home_dirs(transproxy_t) - -optional_policy(` - seutil_sigchld_newrole(transproxy_t) -') - -optional_policy(` - udev_read_db(transproxy_t) -') diff --git a/policy/modules/contrib/tripwire.fc b/policy/modules/contrib/tripwire.fc deleted file mode 100644 index a27298be..00000000 --- a/policy/modules/contrib/tripwire.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0) - -/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0) -/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0) -/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0) -/usr/sbin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0) - -/var/lib/tripwire(/.*)? gen_context(system_u:object_r:tripwire_var_lib_t,s0) -/var/lib/tripwire/report(/.*)? gen_context(system_u:object_r:tripwire_report_t,s0) diff --git a/policy/modules/contrib/tripwire.if b/policy/modules/contrib/tripwire.if deleted file mode 100644 index a3a4d91b..00000000 --- a/policy/modules/contrib/tripwire.if +++ /dev/null @@ -1,185 +0,0 @@ -## <summary>File integrity checker.</summary> - -######################################## -## <summary> -## Execute tripwire in the tripwire domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tripwire_domtrans_tripwire',` - gen_require(` - type tripwire_t, tripwire_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tripwire_exec_t, tripwire_t) -') - -######################################## -## <summary> -## Execute tripwire in the tripwire -## domain, and allow the specified -## role the tripwire domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`tripwire_run_tripwire',` - gen_require(` - attribute_role tripwire_roles; - ') - - tripwire_domtrans_tripwire($1) - roleattribute $2 tripwire_roles; -') - -######################################## -## <summary> -## Execute twadmin in the twadmin domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tripwire_domtrans_twadmin',` - gen_require(` - type twadmin_t, twadmin_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, twadmin_exec_t, twadmin_t) -') - -######################################## -## <summary> -## Execute twadmin in the twadmin -## domain, and allow the specified -## role the twadmin domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`tripwire_run_twadmin',` - gen_require(` - attribute_role twadmin_roles; - ') - - tripwire_domtrans_twadmin($1) - roleattribute $2 twadmin_roles; -') - -######################################## -## <summary> -## Execute twprint in the twprint domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tripwire_domtrans_twprint',` - gen_require(` - type twprint_t, twprint_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, twprint_exec_t, twprint_t) -') - -######################################## -## <summary> -## Execute twprint in the twprint -## domain, and allow the specified -## role the twprint domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`tripwire_run_twprint',` - gen_require(` - attribute_role twprint_roles; - ') - - tripwire_domtrans_twprint($1) - roleattribute $2 twprint_roles; -') - -######################################## -## <summary> -## Execute siggen in the siggen domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tripwire_domtrans_siggen',` - gen_require(` - type siggen_t, siggen_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, siggen_exec_t, siggen_t) -') - -######################################## -## <summary> -## Execute siggen in the siggen domain, -## and allow the specified role -## the siggen domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`tripwire_run_siggen',` - gen_require(` - attribute_role siggen_roles; - ') - - tripwire_domtrans_siggen($1) - roleattribute $2 siggen_roles; -') diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te deleted file mode 100644 index 2e1110d3..00000000 --- a/policy/modules/contrib/tripwire.te +++ /dev/null @@ -1,155 +0,0 @@ -policy_module(tripwire, 1.2.1) - -######################################## -# -# Declarations -# - -attribute_role siggen_roles; -attribute_role tripwire_roles; -attribute_role twadmin_roles; -attribute_role twprint_roles; - -type siggen_t; -type siggen_exec_t; -application_domain(siggen_t, siggen_exec_t) -role siggen_roles types siggen_t; - -type tripwire_t; -type tripwire_exec_t; -application_domain(tripwire_t, tripwire_exec_t) -role tripwire_roles types tripwire_t; - -type tripwire_etc_t; -files_config_file(tripwire_etc_t) - -type tripwire_report_t; -files_type(tripwire_report_t) - -type tripwire_tmp_t; -files_tmp_file(tripwire_tmp_t) - -type tripwire_var_lib_t; -files_type(tripwire_var_lib_t) - -type twadmin_t; -type twadmin_exec_t; -application_domain(twadmin_t, twadmin_exec_t) -role twadmin_roles types twadmin_t; - -type twprint_t; -type twprint_exec_t; -application_domain(twprint_t, twprint_exec_t) -role twprint_roles types twprint_t; - -######################################## -# -# Local policy -# - -allow tripwire_t self:capability { setgid setuid dac_override }; - -allow tripwire_t tripwire_etc_t:dir list_dir_perms; -allow tripwire_t tripwire_etc_t:file read_file_perms; -allow tripwire_t tripwire_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) -manage_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) -manage_lnk_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) - -manage_dirs_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_lnk_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_fifo_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_sock_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(tripwire_t, tripwire_var_lib_t, tripwire_var_lib_t) -files_var_lib_filetrans(tripwire_t, tripwire_var_lib_t, file) - -kernel_read_system_state(tripwire_t) -kernel_read_network_state(tripwire_t) -kernel_read_software_raid_state(tripwire_t) -kernel_getattr_core_if(tripwire_t) -kernel_getattr_message_if(tripwire_t) -kernel_read_kernel_sysctls(tripwire_t) - -corecmd_exec_bin(tripwire_t) -corecmd_exec_shell(tripwire_t) - -domain_use_interactive_fds(tripwire_t) - -files_read_all_files(tripwire_t) -files_read_all_symlinks(tripwire_t) -files_getattr_all_pipes(tripwire_t) -files_getattr_all_sockets(tripwire_t) - -logging_send_syslog_msg(tripwire_t) - -userdom_use_user_terminals(tripwire_t) - -optional_policy(` - cron_system_entry(tripwire_t, tripwire_exec_t) -') - -######################################## -# -# Twadmin local policy -# - -allow twadmin_t tripwire_etc_t:dir list_dir_perms; -allow twadmin_t tripwire_etc_t:file read_file_perms; -allow twadmin_t tripwire_etc_t:lnk_file read_lnk_file_perms; - -domain_use_interactive_fds(twadmin_t) - -files_search_etc(twadmin_t) - -logging_send_syslog_msg(twadmin_t) - -miscfiles_read_localization(twadmin_t) - -userdom_use_user_terminals(twadmin_t) - -######################################## -# -# Twprint local policy -# - -allow twprint_t tripwire_etc_t:dir list_dir_perms; -allow twprint_t tripwire_etc_t:file read_file_perms; -allow twprint_t tripwire_etc_t:lnk_file read_lnk_file_perms; - -allow twprint_t tripwire_report_t:dir list_dir_perms; -allow twprint_t tripwire_report_t:file read_file_perms; -allow twprint_t tripwire_report_t:lnk_file read_lnk_file_perms; - -allow twprint_t tripwire_var_lib_t:dir list_dir_perms; -allow twprint_t tripwire_var_lib_t:file read_file_perms; -allow twprint_t tripwire_var_lib_t:lnk_file read_lnk_file_perms; - -domain_use_interactive_fds(twprint_t) - -files_search_etc(twprint_t) -files_search_var_lib(twprint_t) - -logging_send_syslog_msg(twprint_t) - -miscfiles_read_localization(twprint_t) - -userdom_use_user_terminals(twprint_t) - -######################################## -# -# Siggen local policy -# - -domain_use_interactive_fds(siggen_t) - -files_read_all_files(siggen_t) - -logging_send_syslog_msg(siggen_t) - -miscfiles_read_localization(siggen_t) - -userdom_use_user_terminals(siggen_t) diff --git a/policy/modules/contrib/tuned.fc b/policy/modules/contrib/tuned.fc deleted file mode 100644 index 23ba2728..00000000 --- a/policy/modules/contrib/tuned.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0) - -/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0) -/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0) - -/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) - -/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) -/var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0) - -/var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0) -/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if deleted file mode 100644 index e29db63a..00000000 --- a/policy/modules/contrib/tuned.if +++ /dev/null @@ -1,138 +0,0 @@ -## <summary>Dynamic adaptive system tuning daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to run tuned. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tuned_domtrans',` - gen_require(` - type tuned_t, tuned_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tuned_exec_t, tuned_t) -') - -####################################### -## <summary> -## Execute tuned in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tuned_exec',` - gen_require(` - type tuned_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, tuned_exec_t) -') - -###################################### -## <summary> -## Read tuned pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tuned_read_pid_files',` - gen_require(` - type tuned_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, tuned_var_run_t, tuned_var_run_t) -') - -####################################### -## <summary> -## Create, read, write, and delete -## tuned pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`tuned_manage_pid_files',` - gen_require(` - type tuned_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t) -') - -######################################## -## <summary> -## Execute tuned init scripts in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tuned_initrc_domtrans',` - gen_require(` - type tuned_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, tuned_initrc_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an tuned environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`tuned_admin',` - gen_require(` - type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; - type tuned_etc_t, tuned_rw_etc_t, tuned_log_t; - ') - - allow $1 tuned_t:process { ptrace signal_perms }; - ps_process_pattern($1, tuned_t) - - tuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 tuned_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, { tuned_etc_t tuned_rw_etc_t }) - - logging_search_logs($1) - admin_pattern($1, tuned_log_t) - - files_search_pids($1) - admin_pattern($1, tuned_var_run_t) -') diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te deleted file mode 100644 index 7116181d..00000000 --- a/policy/modules/contrib/tuned.te +++ /dev/null @@ -1,98 +0,0 @@ -policy_module(tuned, 1.1.4) - -######################################## -# -# Declarations -# - -type tuned_t; -type tuned_exec_t; -init_daemon_domain(tuned_t, tuned_exec_t) - -type tuned_initrc_exec_t; -init_script_file(tuned_initrc_exec_t) - -type tuned_etc_t; -files_config_file(tuned_etc_t) - -type tuned_rw_etc_t; -files_config_file(tuned_rw_etc_t) - -type tuned_log_t; -logging_log_file(tuned_log_t) - -type tuned_var_run_t; -files_pid_file(tuned_var_run_t) - -######################################## -# -# Local policy -# - -allow tuned_t self:capability { sys_admin sys_nice }; -dontaudit tuned_t self:capability { dac_override sys_tty_config }; -allow tuned_t self:process { setsched signal }; -allow tuned_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) -exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) - -manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) -files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") - -manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) -append_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -create_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -logging_log_filetrans(tuned_t, tuned_log_t, file) - -manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) -manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) -files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) - -kernel_read_system_state(tuned_t) -kernel_read_network_state(tuned_t) -kernel_read_kernel_sysctls(tuned_t) -kernel_request_load_module(tuned_t) -kernel_rw_kernel_sysctl(tuned_t) -kernel_rw_hotplug_sysctls(tuned_t) -kernel_rw_vm_sysctls(tuned_t) - -corecmd_exec_bin(tuned_t) -corecmd_exec_shell(tuned_t) - -dev_getattr_all_blk_files(tuned_t) -dev_getattr_all_chr_files(tuned_t) -dev_read_urand(tuned_t) -dev_rw_sysfs(tuned_t) -dev_rw_netcontrol(tuned_t) - -files_read_usr_files(tuned_t) -files_dontaudit_search_home(tuned_t) -files_dontaudit_list_tmp(tuned_t) - -fs_getattr_xattr_fs(tuned_t) - -logging_send_syslog_msg(tuned_t) - -miscfiles_read_localization(tuned_t) - -udev_read_pid_files(tuned_t) - -userdom_dontaudit_search_user_home_dirs(tuned_t) - -optional_policy(` - fstools_domtrans(tuned_t) -') - -optional_policy(` - mount_domtrans(tuned_t) -') - -optional_policy(` - sysnet_domtrans_ifconfig(tuned_t) -') - -optional_policy(` - unconfined_dbus_send(tuned_t) -') diff --git a/policy/modules/contrib/tvtime.fc b/policy/modules/contrib/tvtime.fc deleted file mode 100644 index 92cb760a..00000000 --- a/policy/modules/contrib/tvtime.fc +++ /dev/null @@ -1,3 +0,0 @@ -HOME_DIR/\.tvtime(/.*)? gen_context(system_u:object_r:tvtime_home_t,s0) - -/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0) diff --git a/policy/modules/contrib/tvtime.if b/policy/modules/contrib/tvtime.if deleted file mode 100644 index 1bb0f7c7..00000000 --- a/policy/modules/contrib/tvtime.if +++ /dev/null @@ -1,38 +0,0 @@ -## <summary>High quality television application.</summary> - -######################################## -## <summary> -## Role access for tvtime -## </summary> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role -## </summary> -## </param> -# -interface(`tvtime_role',` - gen_require(` - attribute_role tvtime_roles; - type tvtime_t, tvtime_exec_t, tvtime_tmp_t; - type tvtime_home_t, tvtime_tmpfs_t; - ') - - roleattribute $1 tvtime_roles; - - domtrans_pattern($2, tvtime_exec_t, tvtime_t) - - ps_process_pattern($2, tvtime_t) - allow $2 tvtime_t:process { ptrace signal_perms }; - - allow $2 { tvtime_home_t tvtime_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { tvtime_home_t tvtime_tmpfs_t tvtime_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { tvtime_home_t tvtime_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 tvtime_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 tvtime_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - userdom_user_home_dir_filetrans($2, tvtime_home_t, dir, ".tvtime") -') diff --git a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te deleted file mode 100644 index 3292fcc9..00000000 --- a/policy/modules/contrib/tvtime.te +++ /dev/null @@ -1,90 +0,0 @@ -policy_module(tvtime, 2.2.1) - -######################################## -# -# Declarations -# - -attribute_role tvtime_roles; - -type tvtime_t; -type tvtime_exec_t; -typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t }; -typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t }; -userdom_user_application_domain(tvtime_t, tvtime_exec_t) -role tvtime_roles types tvtime_t; - -type tvtime_home_t alias tvtime_rw_t; -typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t }; -typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t }; -userdom_user_home_content(tvtime_home_t) - -type tvtime_tmp_t; -typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t }; -typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t }; -userdom_user_tmp_file(tvtime_tmp_t) - -type tvtime_tmpfs_t; -typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t }; -typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t }; -userdom_user_tmpfs_file(tvtime_tmpfs_t) - -######################################## -# -# Local policy -# - -allow tvtime_t self:capability { setuid sys_nice sys_resource }; -allow tvtime_t self:process setsched; -allow tvtime_t self:unix_dgram_socket rw_socket_perms; -allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; - -manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) -manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) -manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) -userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir) - -manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) -manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) -files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir }) - -manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file }) - -kernel_read_all_sysctls(tvtime_t) -kernel_get_sysvipc_info(tvtime_t) - -dev_read_realtime_clock(tvtime_t) -dev_read_sound(tvtime_t) -dev_read_urand(tvtime_t) - -files_read_usr_files(tvtime_t) - -fs_getattr_all_fs(tvtime_t) -fs_search_auto_mountpoints(tvtime_t) - -auth_use_nsswitch(tvtime_t) - -miscfiles_read_fonts(tvtime_t) -miscfiles_read_localization(tvtime_t) - -userdom_use_user_terminals(tvtime_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(tvtime_t) - fs_manage_nfs_files(tvtime_t) - fs_manage_nfs_symlinks(tvtime_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(tvtime_t) - fs_manage_cifs_files(tvtime_t) - fs_manage_cifs_symlinks(tvtime_t) -') - -optional_policy(` - xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) -') diff --git a/policy/modules/contrib/tzdata.fc b/policy/modules/contrib/tzdata.fc deleted file mode 100644 index 04b85488..00000000 --- a/policy/modules/contrib/tzdata.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0) diff --git a/policy/modules/contrib/tzdata.if b/policy/modules/contrib/tzdata.if deleted file mode 100644 index 53ecd0de..00000000 --- a/policy/modules/contrib/tzdata.if +++ /dev/null @@ -1,47 +0,0 @@ -## <summary>Time zone updater.</summary> - -######################################## -## <summary> -## Execute a domain transition to run tzdata. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`tzdata_domtrans',` - gen_require(` - type tzdata_t, tzdata_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tzdata_exec_t, tzdata_t) -') - -######################################## -## <summary> -## Execute tzdata in the tzdata domain, -## and allow the specified role -## the tzdata domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`tzdata_run',` - gen_require(` - attribute_role tzdata_roles; - ') - - tzdata_domtrans($1) - roleattribute $2 tzdata_roles; -') diff --git a/policy/modules/contrib/tzdata.te b/policy/modules/contrib/tzdata.te deleted file mode 100644 index aa6ae968..00000000 --- a/policy/modules/contrib/tzdata.te +++ /dev/null @@ -1,38 +0,0 @@ -policy_module(tzdata, 1.4.1) - -######################################## -# -# Declarations -# - -attribute_role tzdata_roles; - -type tzdata_t; -type tzdata_exec_t; -init_daemon_domain(tzdata_t, tzdata_exec_t) -application_domain(tzdata_t, tzdata_exec_t) -role tzdata_roles types tzdata_t; - -######################################## -# -# Local policy -# - -files_read_config_files(tzdata_t) -files_search_spool(tzdata_t) - -fs_getattr_xattr_fs(tzdata_t) - -term_dontaudit_list_ptys(tzdata_t) - -locallogin_dontaudit_use_fds(tzdata_t) - -miscfiles_read_localization(tzdata_t) -miscfiles_manage_localization(tzdata_t) -miscfiles_etc_filetrans_localization(tzdata_t) - -userdom_use_user_terminals(tzdata_t) - -optional_policy(` - postfix_search_spool(tzdata_t) -') diff --git a/policy/modules/contrib/ucspitcp.fc b/policy/modules/contrib/ucspitcp.fc deleted file mode 100644 index f2b4e91e..00000000 --- a/policy/modules/contrib/ucspitcp.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/bin/rblsmtpd -- gen_context(system_u:object_r:rblsmtpd_exec_t,s0) -/usr/bin/tcpserver -- gen_context(system_u:object_r:ucspitcp_exec_t,s0) diff --git a/policy/modules/contrib/ucspitcp.if b/policy/modules/contrib/ucspitcp.if deleted file mode 100644 index b729778e..00000000 --- a/policy/modules/contrib/ucspitcp.if +++ /dev/null @@ -1,29 +0,0 @@ -## <summary>UNIX Client-Server Program Interface for TCP.</summary> - -######################################## -## <summary> -## Define a specified domain as a ucspitcp service. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## The type associated with the process program. -## </summary> -## </param> -# -interface(`ucspitcp_service_domain',` - gen_require(` - type ucspitcp_t; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(ucspitcp_t, $2, $1) -') diff --git a/policy/modules/contrib/ucspitcp.te b/policy/modules/contrib/ucspitcp.te deleted file mode 100644 index 5e365c2d..00000000 --- a/policy/modules/contrib/ucspitcp.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(ucspitcp, 1.3.1) - -######################################## -# -# Declarations -# - -type rblsmtpd_t; -type rblsmtpd_exec_t; -init_system_domain(rblsmtpd_t, rblsmtpd_exec_t) - -type ucspitcp_t; -type ucspitcp_exec_t; -init_system_domain(ucspitcp_t, ucspitcp_exec_t) - -######################################## -# -# Smtpd local policy -# - -ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t) - -corecmd_search_bin(rblsmtpd_t) - -corenet_all_recvfrom_unlabeled(rblsmtpd_t) -corenet_all_recvfrom_netlabel(rblsmtpd_t) -corenet_tcp_sendrecv_generic_if(rblsmtpd_t) -corenet_udp_sendrecv_generic_if(rblsmtpd_t) -corenet_tcp_sendrecv_generic_node(rblsmtpd_t) -corenet_udp_sendrecv_generic_node(rblsmtpd_t) -corenet_tcp_sendrecv_all_ports(rblsmtpd_t) -corenet_udp_sendrecv_all_ports(rblsmtpd_t) -corenet_tcp_bind_generic_node(rblsmtpd_t) -corenet_udp_bind_generic_port(rblsmtpd_t) - -files_read_etc_files(rblsmtpd_t) -files_search_var(rblsmtpd_t) - -optional_policy(` - daemontools_ipc_domain(rblsmtpd_t) -') - -######################################## -# -# Tcp local policy -# - -allow ucspitcp_t self:capability { setgid setuid }; -allow ucspitcp_t self:fifo_file rw_fifo_file_perms; -allow ucspitcp_t self:tcp_socket create_stream_socket_perms; -allow ucspitcp_t self:udp_socket create_socket_perms; - -corecmd_search_bin(ucspitcp_t) - -corenet_all_recvfrom_unlabeled(ucspitcp_t) -corenet_all_recvfrom_netlabel(ucspitcp_t) -corenet_tcp_sendrecv_generic_if(ucspitcp_t) -corenet_udp_sendrecv_generic_if(ucspitcp_t) -corenet_tcp_sendrecv_generic_node(ucspitcp_t) -corenet_udp_sendrecv_generic_node(ucspitcp_t) -corenet_tcp_sendrecv_all_ports(ucspitcp_t) -corenet_udp_sendrecv_all_ports(ucspitcp_t) -corenet_tcp_bind_generic_node(ucspitcp_t) -corenet_udp_bind_generic_node(ucspitcp_t) - -corenet_sendrecv_ftp_server_packets(ucspitcp_t) -corenet_tcp_bind_ftp_port(ucspitcp_t) - -corenet_sendrecv_ftp_data_server_packets(ucspitcp_t) -corenet_tcp_bind_ftp_data_port(ucspitcp_t) - -corenet_sendrecv_http_server_packets(ucspitcp_t) -corenet_tcp_bind_http_port(ucspitcp_t) - -corenet_sendrecv_smtp_server_packets(ucspitcp_t) -corenet_tcp_bind_smtp_port(ucspitcp_t) - -corenet_sendrecv_dns_server_packets(ucspitcp_t) -corenet_tcp_bind_dns_port(ucspitcp_t) -corenet_udp_bind_dns_port(ucspitcp_t) - -corenet_sendrecv_generic_server_packets(ucspitcp_t) -corenet_udp_bind_generic_port(ucspitcp_t) - -files_read_etc_files(ucspitcp_t) -files_search_var(ucspitcp_t) - -sysnet_read_config(ucspitcp_t) - -optional_policy(` - daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) - daemontools_read_svc(ucspitcp_t) -') diff --git a/policy/modules/contrib/ulogd.fc b/policy/modules/contrib/ulogd.fc deleted file mode 100644 index d5f8ac0b..00000000 --- a/policy/modules/contrib/ulogd.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/ulogd\.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) - -/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) - -/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) - -/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) - -/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if deleted file mode 100644 index 9b95c3ef..00000000 --- a/policy/modules/contrib/ulogd.if +++ /dev/null @@ -1,142 +0,0 @@ -## <summary>Iptables/netfilter userspace logging daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to run ulogd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`ulogd_domtrans',` - gen_require(` - type ulogd_t, ulogd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ulogd_exec_t, ulogd_t) -') - -######################################## -## <summary> -## Read ulogd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ulogd_read_config',` - gen_require(` - type ulogd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) -') - -######################################## -## <summary> -## Read ulogd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ulogd_read_log',` - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir list_dir_perms; - read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) -') - -####################################### -## <summary> -## Search ulogd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`ulogd_search_log',` - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Append to ulogd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ulogd_append_log',` - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir list_dir_perms; - allow $1 ulogd_var_log_t:file append_file_perms; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an ulogd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`ulogd_admin',` - gen_require(` - type ulogd_t, ulogd_etc_t, ulogd_modules_t; - type ulogd_var_log_t, ulogd_initrc_exec_t; - ') - - allow $1 ulogd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ulogd_t) - - init_labeled_script_domtrans($1, ulogd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ulogd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, ulogd_etc_t) - - logging_list_logs($1) - admin_pattern($1, ulogd_var_log_t) - - files_list_usr($1) - admin_pattern($1, ulogd_modules_t) -') diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te deleted file mode 100644 index c6acbbe6..00000000 --- a/policy/modules/contrib/ulogd.te +++ /dev/null @@ -1,60 +0,0 @@ -policy_module(ulogd, 1.2.1) - -######################################## -# -# Declarations -# - -type ulogd_t; -type ulogd_exec_t; -init_daemon_domain(ulogd_t, ulogd_exec_t) - -type ulogd_etc_t; -files_config_file(ulogd_etc_t) - -type ulogd_initrc_exec_t; -init_script_file(ulogd_initrc_exec_t) - -type ulogd_modules_t; -files_type(ulogd_modules_t) - -type ulogd_var_log_t; -logging_log_file(ulogd_var_log_t) - -######################################## -# -# Local policy -# - -allow ulogd_t self:capability { net_admin sys_nice }; -allow ulogd_t self:process setsched; -allow ulogd_t self:netlink_nflog_socket create_socket_perms; -allow ulogd_t self:netlink_socket create_socket_perms; -allow ulogd_t self:tcp_socket create_stream_socket_perms; - -read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) - -list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) -mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) - -append_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) -create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) -setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) -logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) - -files_read_etc_files(ulogd_t) -files_read_usr_files(ulogd_t) - -miscfiles_read_localization(ulogd_t) - -sysnet_dns_name_resolve(ulogd_t) - -optional_policy(` - mysql_stream_connect(ulogd_t) - mysql_tcp_connect(ulogd_t) -') - -optional_policy(` - postgresql_stream_connect(ulogd_t) - postgresql_tcp_connect(ulogd_t) -') diff --git a/policy/modules/contrib/uml.fc b/policy/modules/contrib/uml.fc deleted file mode 100644 index c3849683..00000000 --- a/policy/modules/contrib/uml.fc +++ /dev/null @@ -1,5 +0,0 @@ -HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0) - -/usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0) - -/var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0) diff --git a/policy/modules/contrib/uml.if b/policy/modules/contrib/uml.if deleted file mode 100644 index ab5c1d0d..00000000 --- a/policy/modules/contrib/uml.if +++ /dev/null @@ -1,81 +0,0 @@ -## <summary>User mode linux tools and services.</summary> - -######################################## -## <summary> -## Role access for uml. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`uml_role',` - gen_require(` - attribute_role uml_roles; - type uml_t, uml_exec_t; - type uml_ro_t, uml_rw_t, uml_tmp_t; - type uml_devpts_t, uml_tmpfs_t; - ') - - roleattribute $1 uml_roles; - - domtrans_pattern($2, uml_exec_t, uml_t) - - dgram_send_pattern($2, uml_tmpfs_t, uml_tmpfs_t, uml_t) - - allow uml_t $2:unix_dgram_socket sendto; - - ps_process_pattern($2, uml_t) - allow $2 uml_t:process { ptrace signal_perms }; - - allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - userdom_user_home_dir_filetrans($2, uml_rw_t, dir, ".uml") -') - -######################################## -## <summary> -## Set attributes of uml pid sock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uml_setattr_util_sockets',` - gen_require(` - type uml_switch_var_run_t; - ') - - allow $1 uml_switch_var_run_t:sock_file setattr_sock_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## uml pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uml_manage_util_files',` - gen_require(` - type uml_switch_var_run_t; - ') - - manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t) - manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t) -') diff --git a/policy/modules/contrib/uml.te b/policy/modules/contrib/uml.te deleted file mode 100644 index dc03cc5c..00000000 --- a/policy/modules/contrib/uml.te +++ /dev/null @@ -1,185 +0,0 @@ -policy_module(uml, 2.2.1) - -######################################## -# -# Declarations -# - -attribute_role uml_roles; - -type uml_t; -type uml_exec_t; # customizable -typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t }; -typealias uml_t alias { auditadm_uml_t secadm_uml_t }; -userdom_user_application_domain(uml_t, uml_exec_t) -role uml_roles types uml_t; - -type uml_ro_t; # customizable -typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t }; -typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t }; -userdom_user_home_content(uml_ro_t) - -type uml_rw_t; -typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t }; -typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t }; -userdom_user_home_content(uml_rw_t) - -type uml_tmp_t; -typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t }; -typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t }; -userdom_user_tmp_file(uml_tmp_t) - -type uml_tmpfs_t; -typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t }; -typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t }; -userdom_user_tmpfs_file(uml_tmpfs_t) - -type uml_devpts_t; -typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t }; -typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t }; -term_pty(uml_devpts_t) -ubac_constrained(uml_devpts_t) - -type uml_switch_t; -type uml_switch_exec_t; -init_daemon_domain(uml_switch_t, uml_switch_exec_t) - -type uml_switch_var_run_t; -files_pid_file(uml_switch_var_run_t) - -######################################## -# -# Local policy -# - -allow uml_t self:process signal_perms; -allow uml_t self:fifo_file rw_fifo_file_perms; -allow uml_t self:unix_stream_socket create_stream_socket_perms; -allow uml_t self:tcp_socket { accept listen }; -allow uml_t self:tun_socket create; -allow uml_t self:unix_dgram_socket { create_socket_perms sendto }; - -allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr_chr_file_perms }; -term_create_pty(uml_t, uml_devpts_t) - -manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t) -manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t) -files_tmp_filetrans(uml_t, uml_tmp_t, { file dir }) - -manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file }) - -allow uml_t uml_ro_t:dir list_dir_perms; -allow uml_t uml_ro_t:file read_file_perms; -allow uml_t uml_ro_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_files_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t) -userdom_user_home_dir_filetrans(uml_t, uml_rw_t, dir, ".uml") - -can_exec(uml_t, { uml_exec_t uml_tmp_t uml_tmpfs_t }) - -kernel_read_system_state(uml_t) -kernel_write_proc_files(uml_t) - -corecmd_exec_bin(uml_t) - -corenet_all_recvfrom_unlabeled(uml_t) -corenet_all_recvfrom_netlabel(uml_t) -corenet_tcp_sendrecv_generic_if(uml_t) -corenet_tcp_sendrecv_generic_node(uml_t) -corenet_tcp_sendrecv_all_ports(uml_t) - -corenet_sendrecv_all_client_packets(uml_t) -corenet_tcp_connect_all_ports(uml_t) - -corenet_rw_tun_tap_dev(uml_t) - -domain_use_interactive_fds(uml_t) - -files_dontaudit_read_etc_runtime_files(uml_t) - -fs_getattr_all_fs(uml_t) -fs_search_auto_mountpoints(uml_t) - -auth_use_nsswitch(uml_t) - -init_read_utmp(uml_t) -init_dontaudit_write_utmp(uml_t) - -libs_exec_lib_files(uml_t) - -userdom_use_user_terminals(uml_t) -userdom_attach_admin_tun_iface(uml_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(uml_t) - fs_manage_nfs_files(uml_t) - fs_manage_nfs_named_pipes(uml_t) - fs_manage_nfs_symlinks(uml_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(uml_t) - fs_manage_cifs_files(uml_t) - fs_manage_cifs_named_pipes(uml_t) - fs_manage_cifs_symlinks(uml_t) -') - -optional_policy(` - seutil_use_newrole_fds(uml_t) -') - -optional_policy(` - virt_attach_tun_iface(uml_t) -') - -######################################## -# -# Switch local policy -# - -dontaudit uml_switch_t self:capability sys_tty_config; -allow uml_switch_t self:process signal_perms; -allow uml_switch_t self:unix_stream_socket { accept listen }; - -manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t) -manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t) -files_pid_filetrans(uml_switch_t, uml_switch_var_run_t, file) - -kernel_read_kernel_sysctls(uml_switch_t) -kernel_list_proc(uml_switch_t) -kernel_read_proc_symlinks(uml_switch_t) - -dev_read_sysfs(uml_switch_t) - -domain_use_interactive_fds(uml_switch_t) - -fs_getattr_all_fs(uml_switch_t) -fs_search_auto_mountpoints(uml_switch_t) - -term_dontaudit_use_console(uml_switch_t) - -init_use_fds(uml_switch_t) -init_use_script_ptys(uml_switch_t) - -logging_send_syslog_msg(uml_switch_t) - -miscfiles_read_localization(uml_switch_t) - -userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) -userdom_dontaudit_search_user_home_dirs(uml_switch_t) - -optional_policy(` - seutil_sigchld_newrole(uml_switch_t) -') - -optional_policy(` - udev_read_db(uml_switch_t) -') diff --git a/policy/modules/contrib/updfstab.fc b/policy/modules/contrib/updfstab.fc deleted file mode 100644 index b62ab19e..00000000 --- a/policy/modules/contrib/updfstab.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0) -/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0) diff --git a/policy/modules/contrib/updfstab.if b/policy/modules/contrib/updfstab.if deleted file mode 100644 index ec0800bb..00000000 --- a/policy/modules/contrib/updfstab.if +++ /dev/null @@ -1,20 +0,0 @@ -## <summary>Red Hat utility to change fstab.</summary> - -######################################## -## <summary> -## Execute updfstab in the updfstab domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`updfstab_domtrans',` - gen_require(` - type updfstab_t, updfstab_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, updfstab_exec_t, updfstab_t) -') diff --git a/policy/modules/contrib/updfstab.te b/policy/modules/contrib/updfstab.te deleted file mode 100644 index 2d871b84..00000000 --- a/policy/modules/contrib/updfstab.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(updfstab, 1.5.1) - -######################################## -# -# Declarations -# - -type updfstab_t; -type updfstab_exec_t; -init_system_domain(updfstab_t, updfstab_exec_t) - -######################################## -# -# Local policy -# - -allow updfstab_t self:capability dac_override; -dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; -allow updfstab_t self:process signal_perms; -allow updfstab_t self:fifo_file rw_fifo_file_perms; - -kernel_use_fds(updfstab_t) -kernel_read_kernel_sysctls(updfstab_t) -kernel_dontaudit_write_kernel_sysctl(updfstab_t) -kernel_read_system_state(updfstab_t) -kernel_change_ring_buffer_level(updfstab_t) - -corecmd_exec_bin(updfstab_t) - -dev_read_sysfs(updfstab_t) -dev_manage_generic_symlinks(updfstab_t) - -domain_use_interactive_fds(updfstab_t) - -files_manage_mnt_files(updfstab_t) -files_manage_mnt_dirs(updfstab_t) -files_manage_mnt_symlinks(updfstab_t) -files_manage_etc_files(updfstab_t) -files_dontaudit_search_home(updfstab_t) -files_read_etc_runtime_files(updfstab_t) - -fs_getattr_xattr_fs(updfstab_t) -fs_getattr_tmpfs(updfstab_t) -fs_getattr_tmpfs_dirs(updfstab_t) -fs_search_auto_mountpoints(updfstab_t) - -selinux_get_fs_mount(updfstab_t) -selinux_validate_context(updfstab_t) -selinux_compute_access_vector(updfstab_t) -selinux_compute_create_context(updfstab_t) -selinux_compute_relabel_context(updfstab_t) -selinux_compute_user_contexts(updfstab_t) - -storage_raw_read_fixed_disk(updfstab_t) -storage_raw_write_fixed_disk(updfstab_t) -storage_raw_read_removable_device(updfstab_t) -storage_raw_write_removable_device(updfstab_t) -storage_read_scsi_generic(updfstab_t) -storage_write_scsi_generic(updfstab_t) - -term_dontaudit_use_console(updfstab_t) - -init_use_fds(updfstab_t) -init_use_script_ptys(updfstab_t) - -logging_search_logs(updfstab_t) -logging_send_syslog_msg(updfstab_t) - -miscfiles_read_localization(updfstab_t) - -seutil_read_config(updfstab_t) -seutil_read_default_contexts(updfstab_t) -seutil_read_file_contexts(updfstab_t) - -userdom_dontaudit_search_user_home_content(updfstab_t) -userdom_dontaudit_use_unpriv_user_fds(updfstab_t) - -optional_policy(` - auth_domtrans_pam_console(updfstab_t) -') - -optional_policy(` - dbus_system_bus_client(updfstab_t) - - init_dbus_chat_script(updfstab_t) - - optional_policy(` - hal_dbus_chat(updfstab_t) - ') -') - -optional_policy(` - fstools_getattr_swap_files(updfstab_t) -') - -optional_policy(` - hal_stream_connect(updfstab_t) -') - -optional_policy(` - modutils_read_module_config(updfstab_t) - modutils_exec_insmod(updfstab_t) - modutils_read_module_deps(updfstab_t) -') - -optional_policy(` - nscd_use(updfstab_t) -') - -optional_policy(` - seutil_sigchld_newrole(updfstab_t) -') - -optional_policy(` - udev_read_db(updfstab_t) -') diff --git a/policy/modules/contrib/uptime.fc b/policy/modules/contrib/uptime.fc deleted file mode 100644 index a72670a4..00000000 --- a/policy/modules/contrib/uptime.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/uptimed\.conf -- gen_context(system_u:object_r:uptimed_etc_t,s0) - -/etc/rc\.d/init\.d/uptimed -- gen_context(system_u:object_r:uptimed_initrc_exec_t,s0) - -/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0) - -/var/run/uptimed\.pid -- gen_context(system_u:object_r:uptimed_var_run_t,s0) - -/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0) diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if deleted file mode 100644 index 01a3234b..00000000 --- a/policy/modules/contrib/uptime.if +++ /dev/null @@ -1,42 +0,0 @@ -## <summary>Daemon to record and keep track of system up times.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an uptime environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`uptime_admin',` - gen_require(` - type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t; - type uptimed_spool_t, uptimed_var_run_t; - ') - - allow $1 uptimed_t:process { ptrace signal_perms }; - ps_process_pattern($1, uptimed_t) - - init_labeled_script_domtrans($1, uptimed_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 uptimed_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, uptimed_etc_t) - - files_search_spool($1) - admin_pattern($1, uptimed_spool_t) - - files_search_pids($1) - admin_pattern($1, uptimed_var_run_t) -') diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te deleted file mode 100644 index 09741f6f..00000000 --- a/policy/modules/contrib/uptime.te +++ /dev/null @@ -1,73 +0,0 @@ -policy_module(uptime, 1.4.1) - -######################################## -# -# Declarations -# - -type uptimed_t; -type uptimed_exec_t; -init_daemon_domain(uptimed_t, uptimed_exec_t) - -type uptimed_etc_t alias etc_uptimed_t; -files_config_file(uptimed_etc_t) - -type uptimed_initrc_exec_t; -init_script_file(uptimed_initrc_exec_t) - -type uptimed_spool_t; -files_type(uptimed_spool_t) - -type uptimed_var_run_t; -files_pid_file(uptimed_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit uptimed_t self:capability sys_tty_config; -allow uptimed_t self:process signal_perms; -allow uptimed_t self:fifo_file rw_fifo_file_perms; - -allow uptimed_t uptimed_etc_t:file read_file_perms; - -manage_files_pattern(uptimed_t, uptimed_var_run_t, uptimed_var_run_t) -files_pid_filetrans(uptimed_t, uptimed_var_run_t, file) - -manage_dirs_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t) -manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t) -files_spool_filetrans(uptimed_t, uptimed_spool_t, { dir file }) - -kernel_read_system_state(uptimed_t) -kernel_read_kernel_sysctls(uptimed_t) - -corecmd_exec_shell(uptimed_t) - -dev_read_sysfs(uptimed_t) - -domain_use_interactive_fds(uptimed_t) - -files_read_etc_runtime_files(uptimed_t) - -fs_getattr_all_fs(uptimed_t) -fs_search_auto_mountpoints(uptimed_t) - -logging_send_syslog_msg(uptimed_t) - -miscfiles_read_localization(uptimed_t) - -userdom_dontaudit_use_unpriv_user_fds(uptimed_t) -userdom_dontaudit_search_user_home_dirs(uptimed_t) - -optional_policy(` - mta_send_mail(uptimed_t) -') - -optional_policy(` - seutil_sigchld_newrole(uptimed_t) -') - -optional_policy(` - udev_read_db(uptimed_t) -') diff --git a/policy/modules/contrib/usbmodules.fc b/policy/modules/contrib/usbmodules.fc deleted file mode 100644 index 02d72531..00000000 --- a/policy/modules/contrib/usbmodules.fc +++ /dev/null @@ -1,3 +0,0 @@ -/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0) - -/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0) diff --git a/policy/modules/contrib/usbmodules.if b/policy/modules/contrib/usbmodules.if deleted file mode 100644 index c5881ea5..00000000 --- a/policy/modules/contrib/usbmodules.if +++ /dev/null @@ -1,47 +0,0 @@ -## <summary>List kernel modules of USB devices.</summary> - -######################################## -## <summary> -## Execute usbmodules in the usbmodules domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`usbmodules_domtrans',` - gen_require(` - type usbmodules_t, usbmodules_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, usbmodules_exec_t, usbmodules_t) -') - -######################################## -## <summary> -## Execute usbmodules in the usbmodules -## domain, and allow the specified -## role the usbmodules domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`usbmodules_run',` - gen_require(` - attribute_role usbmodules_roles; - ') - - usbmodules_domtrans($1) - roleattribute $2 usbmodules_roles; -') diff --git a/policy/modules/contrib/usbmodules.te b/policy/modules/contrib/usbmodules.te deleted file mode 100644 index cb9b5bb1..00000000 --- a/policy/modules/contrib/usbmodules.te +++ /dev/null @@ -1,44 +0,0 @@ -policy_module(usbmodules, 1.2.1) - -######################################## -# -# Declarations -# - -attribute_role usbmodules_roles; - -type usbmodules_t; -type usbmodules_exec_t; -init_system_domain(usbmodules_t, usbmodules_exec_t) -role usbmodules_roles types usbmodules_t; - -######################################## -# -# Local policy -# - -kernel_list_proc(usbmodules_t) - -files_list_kernel_modules(usbmodules_t) - -dev_list_usbfs(usbmodules_t) -dev_rw_usbfs(usbmodules_t) - -files_list_etc(usbmodules_t) - -term_read_console(usbmodules_t) -term_write_console(usbmodules_t) - -init_use_fds(usbmodules_t) - -logging_send_syslog_msg(usbmodules_t) - -miscfiles_read_hwdata(usbmodules_t) - -modutils_read_module_deps(usbmodules_t) - -userdom_use_user_terminals(usbmodules_t) - -optional_policy(` - hotplug_read_config(usbmodules_t) -') diff --git a/policy/modules/contrib/usbmuxd.fc b/policy/modules/contrib/usbmuxd.fc deleted file mode 100644 index 220f6add..00000000 --- a/policy/modules/contrib/usbmuxd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) - -/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) diff --git a/policy/modules/contrib/usbmuxd.if b/policy/modules/contrib/usbmuxd.if deleted file mode 100644 index 1ec5e996..00000000 --- a/policy/modules/contrib/usbmuxd.if +++ /dev/null @@ -1,40 +0,0 @@ -## <summary>USB multiplexing daemon for communicating with Apple iPod Touch and iPhone.</summary> - -######################################## -## <summary> -## Execute a domain transition to run usbmuxd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`usbmuxd_domtrans',` - gen_require(` - type usbmuxd_t, usbmuxd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t) -') - -##################################### -## <summary> -## Connect to usbmuxd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`usbmuxd_stream_connect',` - gen_require(` - type usbmuxd_t, usbmuxd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) -') diff --git a/policy/modules/contrib/usbmuxd.te b/policy/modules/contrib/usbmuxd.te deleted file mode 100644 index 8840be61..00000000 --- a/policy/modules/contrib/usbmuxd.te +++ /dev/null @@ -1,43 +0,0 @@ -policy_module(usbmuxd, 1.1.1) - -######################################## -# -# Declarations -# - -attribute_role usbmuxd_roles; -roleattribute system_r usbmuxd_roles; - -type usbmuxd_t; -type usbmuxd_exec_t; -application_domain(usbmuxd_t, usbmuxd_exec_t) -role usbmuxd_roles types usbmuxd_t; - -type usbmuxd_var_run_t; -files_pid_file(usbmuxd_var_run_t) - -######################################## -# -# Local policy -# - -allow usbmuxd_t self:capability { kill setgid setuid }; -allow usbmuxd_t self:process { signal signull }; -allow usbmuxd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) - -kernel_read_kernel_sysctls(usbmuxd_t) -kernel_read_system_state(usbmuxd_t) - -dev_read_sysfs(usbmuxd_t) -dev_rw_generic_usb_dev(usbmuxd_t) - -auth_use_nsswitch(usbmuxd_t) - -miscfiles_read_localization(usbmuxd_t) - -logging_send_syslog_msg(usbmuxd_t) diff --git a/policy/modules/contrib/userhelper.fc b/policy/modules/contrib/userhelper.fc deleted file mode 100644 index c416a833..00000000 --- a/policy/modules/contrib/userhelper.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) - -/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) - -/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
\ No newline at end of file diff --git a/policy/modules/contrib/userhelper.if b/policy/modules/contrib/userhelper.if deleted file mode 100644 index cf118fdf..00000000 --- a/policy/modules/contrib/userhelper.if +++ /dev/null @@ -1,211 +0,0 @@ -## <summary>A wrapper that helps users run system programs.</summary> - -####################################### -## <summary> -## The role template for the userhelper module. -## </summary> -## <param name="userrole_prefix"> -## <summary> -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## </summary> -## </param> -## <param name="user_role"> -## <summary> -## The user role. -## </summary> -## </param> -## <param name="user_domain"> -## <summary> -## The user domain associated with the role. -## </summary> -## </param> -# -template(`userhelper_role_template',` - gen_require(` - attribute userhelper_type, consolehelper_type; - attribute_role userhelper_roles, consolehelper_roles; - type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t; - ') - - ######################################## - # - # Declarations - # - - type $1_consolehelper_t, consolehelper_type; - userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t) - - role consolehelper_roles types $1_consolehelper_t; - roleattribute $2 consolehelper_roles; - - type $1_userhelper_t, userhelper_type; - userdom_user_application_domain($1_userhelper_t, userhelper_exec_t) - - domain_role_change_exemption($1_userhelper_t) - domain_obj_id_change_exemption($1_userhelper_t) - domain_interactive_fd($1_userhelper_t) - domain_subj_id_change_exemption($1_userhelper_t) - - role userhelper_roles types $1_userhelper_t; - roleattribute $2 userhelper_roles; - - ######################################## - # - # Consolehelper local policy - # - - allow $1_consolehelper_t $3:unix_stream_socket connectto; - - domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) - - allow $3 $1_consolehelper_t:process { ptrace signal_perms }; - ps_process_pattern($3, $1_consolehelper_t) - - auth_use_pam($1_consolehelper_t) - - optional_policy(` - dbus_connect_all_session_bus($1_consolehelper_t) - - optional_policy(` - userhelper_dbus_chat_all_consolehelper($3) - ') - ') - - ######################################## - # - # Userhelper local policy - # - - domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) - - dontaudit $3 $1_userhelper_t:process signal; - - corecmd_bin_domtrans($1_userhelper_t, $3) - - auth_domtrans_chk_passwd($1_userhelper_t) - auth_use_nsswitch($1_userhelper_t) - - userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) - userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) - - optional_policy(` - tunable_policy(`! secure_mode',` - sysadm_bin_spec_domtrans($1_userhelper_t) - sysadm_entry_spec_domtrans($1_userhelper_t) - ') - ') -') - -######################################## -## <summary> -## Search userhelper configuration directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`userhelper_search_config',` - gen_require(` - type userhelper_conf_t; - ') - - allow $1 userhelper_conf_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Do not audit attempts to search -## userhelper configuration directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`userhelper_dontaudit_search_config',` - gen_require(` - type userhelper_conf_t; - ') - - dontaudit $1 userhelper_conf_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Send and receive messages from -## consolehelper over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`userhelper_dbus_chat_all_consolehelper',` - gen_require(` - attribute consolehelper_type; - class dbus send_msg; - ') - - allow $1 consolehelper_type:dbus send_msg; - allow consolehelper_type $1:dbus send_msg; -') - -######################################## -## <summary> -## Use userhelper all userhelper file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`userhelper_use_fd',` - gen_require(` - attribute userhelper_type; - ') - - allow $1 userhelper_type:fd use; -') - -######################################## -## <summary> -## Send child terminated signals to all userhelper. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`userhelper_sigchld',` - gen_require(` - attribute userhelper_type; - ') - - allow $1 userhelper_type:process sigchld; -') - -######################################## -## <summary> -## Execute the userhelper program in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`userhelper_exec',` - gen_require(` - type userhelper_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, userhelper_exec_t) -') diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te deleted file mode 100644 index 274ed9cd..00000000 --- a/policy/modules/contrib/userhelper.te +++ /dev/null @@ -1,162 +0,0 @@ -policy_module(userhelper, 1.7.3) - -######################################## -# -# Declarations -# - -attribute consolehelper_type; -attribute userhelper_type; - -attribute_role consolehelper_roles; -attribute_role userhelper_roles; - -type userhelper_conf_t; -files_config_file(userhelper_conf_t) - -type userhelper_exec_t; -application_executable_file(userhelper_exec_t) - -type consolehelper_exec_t; -application_executable_file(consolehelper_exec_t) - -######################################## -# -# Common consolehelper domain local policy -# - -allow consolehelper_type self:capability { setgid setuid dac_override }; -allow consolehelper_type self:process signal; -allow consolehelper_type self:fifo_file rw_fifo_file_perms; -allow consolehelper_type self:unix_stream_socket create_stream_socket_perms; -allow consolehelper_type self:shm create_shm_perms; - -dontaudit consolehelper_type userhelper_conf_t:file audit_access; -read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t) - -domain_use_interactive_fds(consolehelper_type) - -kernel_read_system_state(consolehelper_type) -kernel_read_kernel_sysctls(consolehelper_type) - -corecmd_exec_bin(consolehelper_type) - -dev_getattr_all_chr_files(consolehelper_type) -dev_dontaudit_list_all_dev_nodes(consolehelper_type) - -files_read_config_files(consolehelper_type) -files_read_usr_files(consolehelper_type) - -fs_getattr_all_dirs(consolehelper_type) -fs_getattr_all_fs(consolehelper_type) -fs_search_auto_mountpoints(consolehelper_type) -files_search_mnt(consolehelper_type) - -term_list_ptys(consolehelper_type) - -auth_search_pam_console_data(consolehelper_type) -auth_read_pam_pid(consolehelper_type) - -miscfiles_read_localization(consolehelper_type) -miscfiles_read_fonts(consolehelper_type) - -userhelper_exec(consolehelper_type) - -userdom_use_user_terminals(consolehelper_type) - -# might want to make this consolehelper_tmp_t -userdom_manage_user_tmp_dirs(consolehelper_type) -userdom_manage_user_tmp_files(consolehelper_type) -userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file }) - -tunable_policy(`use_nfs_home_dirs',` - fs_search_nfs(consolehelper_type) -') - -tunable_policy(`use_samba_home_dirs',` - fs_search_cifs(consolehelper_type) -') - -optional_policy(` - shutdown_run(consolehelper_type, consolehelper_roles) - shutdown_signal(consolehelper_type) -') - -optional_policy(` - xserver_domtrans_xauth(consolehelper_type) - xserver_read_xdm_pid(consolehelper_type) - xserver_stream_connect(consolehelper_type) -') - -######################################## -# -# Common userhelper domain local policy -# - -allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; -allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap }; -allow userhelper_type self:fd use; -allow userhelper_type self:fifo_file rw_fifo_file_perms; -allow userhelper_type self:shm create_shm_perms; -allow userhelper_type self:sem create_sem_perms; -allow userhelper_type self:msgq create_msgq_perms; -allow userhelper_type self:msg { send receive }; -allow userhelper_type self:unix_dgram_socket sendto; -allow userhelper_type self:unix_stream_socket { accept connectto listen }; - -dontaudit userhelper_type userhelper_conf_t:file audit_access; -read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t) - -can_exec(userhelper_type, userhelper_exec_t) - -kernel_read_all_sysctls(userhelper_type) -kernel_getattr_debugfs(userhelper_type) -kernel_read_system_state(userhelper_type) - -corecmd_exec_shell(userhelper_type) - -domain_use_interactive_fds(userhelper_type) -domain_sigchld_interactive_fds(userhelper_type) - -dev_read_urand(userhelper_type) -dev_list_all_dev_nodes(userhelper_type) - -files_list_var_lib(userhelper_type) -files_read_var_files(userhelper_type) -files_read_var_symlinks(userhelper_type) -files_search_home(userhelper_type) - -fs_getattr_all_fs(userhelper_type) -fs_search_auto_mountpoints(userhelper_type) - -selinux_get_fs_mount(userhelper_type) -selinux_validate_context(userhelper_type) -selinux_compute_access_vector(userhelper_type) -selinux_compute_create_context(userhelper_type) -selinux_compute_relabel_context(userhelper_type) -selinux_compute_user_contexts(userhelper_type) - -term_list_ptys(userhelper_type) -term_relabel_all_ttys(userhelper_type) -term_relabel_all_ptys(userhelper_type) -term_use_all_ttys(userhelper_type) -term_use_all_ptys(userhelper_type) - -auth_manage_pam_pid(userhelper_type) -auth_manage_var_auth(userhelper_type) -auth_search_pam_console_data(userhelper_type) - -init_use_fds(userhelper_type) -init_manage_utmp(userhelper_type) -init_pid_filetrans_utmp(userhelper_type) - -logging_send_syslog_msg(userhelper_type) - -miscfiles_read_localization(userhelper_type) - -seutil_read_config(userhelper_type) -seutil_read_default_contexts(userhelper_type) - -optional_policy(` - rpm_domtrans(userhelper_type) -') diff --git a/policy/modules/contrib/usernetctl.fc b/policy/modules/contrib/usernetctl.fc deleted file mode 100644 index ddaf787d..00000000 --- a/policy/modules/contrib/usernetctl.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0) diff --git a/policy/modules/contrib/usernetctl.if b/policy/modules/contrib/usernetctl.if deleted file mode 100644 index 7deec55c..00000000 --- a/policy/modules/contrib/usernetctl.if +++ /dev/null @@ -1,47 +0,0 @@ -## <summary>User network interface configuration helper.</summary> - -######################################## -## <summary> -## Execute usernetctl in the usernetctl domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`usernetctl_domtrans',` - gen_require(` - type usernetctl_t, usernetctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, usernetctl_exec_t, usernetctl_t) -') - -######################################## -## <summary> -## Execute usernetctl in the usernetctl -## domain, and allow the specified role -## the usernetctl domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`usernetctl_run',` - gen_require(` - attribute_role usernetctl_roles; - ') - - usernetctl_domtrans($1) - roleattribute $2 usernetctl_roles; -') diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te deleted file mode 100644 index dd3f01ee..00000000 --- a/policy/modules/contrib/usernetctl.te +++ /dev/null @@ -1,78 +0,0 @@ -policy_module(usernetctl, 1.6.1) - -######################################## -# -# Declarations -# - -attribute_role usernetctl_roles; - -type usernetctl_t; -type usernetctl_exec_t; -application_domain(usernetctl_t, usernetctl_exec_t) -domain_interactive_fd(usernetctl_t) -role usernetctl_roles types usernetctl_t; - -######################################## -# -# Local policy -# - -allow usernetctl_t self:capability { setuid setgid dac_override }; -allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow usernetctl_t self:fd use; -allow usernetctl_t self:fifo_file rw_fifo_file_perms; -allow usernetctl_t self:unix_dgram_socket sendto; -allow usernetctl_t self:unix_stream_socket { accept connectto listen }; - -can_exec(usernetctl_t, usernetctl_exec_t) - -kernel_read_system_state(usernetctl_t) -kernel_read_kernel_sysctls(usernetctl_t) - -corecmd_list_bin(usernetctl_t) -corecmd_exec_bin(usernetctl_t) -corecmd_exec_shell(usernetctl_t) - -domain_dontaudit_read_all_domains_state(usernetctl_t) - -files_exec_etc_files(usernetctl_t) -files_read_etc_runtime_files(usernetctl_t) -files_list_pids(usernetctl_t) -files_list_home(usernetctl_t) -files_read_usr_files(usernetctl_t) - -fs_search_auto_mountpoints(usernetctl_t) - -auth_use_nsswitch(usernetctl_t) - -logging_send_syslog_msg(usernetctl_t) - -miscfiles_read_localization(usernetctl_t) - -seutil_read_config(usernetctl_t) - -sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) -sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) - -userdom_use_user_terminals(usernetctl_t) - -optional_policy(` - consoletype_run(usernetctl_t, usernetctl_roles) -') - -optional_policy(` - hostname_exec(usernetctl_t) -') - -optional_policy(` - iptables_run(usernetctl_t, usernetctl_roles) -') - -optional_policy(` - modutils_run_insmod(usernetctl_t, usernetctl_roles) -') - -optional_policy(` - ppp_run(usernetctl_t, usernetctl_roles) -') diff --git a/policy/modules/contrib/uucp.fc b/policy/modules/contrib/uucp.fc deleted file mode 100644 index ec159fe5..00000000 --- a/policy/modules/contrib/uucp.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/uucp -- gen_context(system_u:object_r:uucpd_initrc_exec_t,s0) - -/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0) - -/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0) - -/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) -/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) - -/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0) - -/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0) diff --git a/policy/modules/contrib/uucp.if b/policy/modules/contrib/uucp.if deleted file mode 100644 index af9acc0d..00000000 --- a/policy/modules/contrib/uucp.if +++ /dev/null @@ -1,128 +0,0 @@ -## <summary>Unix to Unix Copy.</summary> - -######################################## -## <summary> -## Execute uucico in the uucpd_t domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`uucp_domtrans',` - gen_require(` - type uucpd_t, uucpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, uucpd_exec_t, uucpd_t) -') - -######################################## -## <summary> -## Append uucp log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uucp_append_log',` - gen_require(` - type uucpd_log_t; - ') - - logging_search_logs($1) - allow $1 uucpd_log_t:dir list_dir_perms; - append_files_pattern($1, uucpd_log_t, uucpd_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## uucp spool files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uucp_manage_spool',` - gen_require(` - type uucpd_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t) - manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t) - manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t) -') - -######################################## -## <summary> -## Execute uux in the uux_t domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`uucp_domtrans_uux',` - gen_require(` - type uux_t, uux_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, uux_exec_t, uux_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an uucp environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`uucp_admin',` - gen_require(` - type uucpd_t, uucpd_tmp_t, uucpd_log_t; - type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t; - type uucpd_var_run_t, uucpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, uucpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 uucpd_initrc_exec_t system_r; - allow $2 system_r; - - allow $1 uucpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, uucpd_t) - - logging_list_logs($1) - admin_pattern($1, uucpd_log_t) - - files_list_spool($1) - admin_pattern($1, uucpd_spool_t) - - admin_pattern($1, { uucpd_rw_t uucpd_ro_t }) - - files_list_tmp($1) - admin_pattern($1, uucpd_tmp_t) - - files_list_pids($1) - admin_pattern($1, uucpd_var_run_t) -') diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te deleted file mode 100644 index 380902ce..00000000 --- a/policy/modules/contrib/uucp.te +++ /dev/null @@ -1,169 +0,0 @@ -policy_module(uucp, 1.12.1) - -######################################## -# -# Declarations -# - -attribute_role uux_roles; -roleattribute system_r uux_roles; - -type uucpd_t; -type uucpd_exec_t; -init_daemon_domain(uucpd_t, uucpd_exec_t) - -type uucpd_initrc_exec_t; -init_script_file(uucpd_initrc_exec_t) - -type uucpd_lock_t; -files_lock_file(uucpd_lock_t) - -type uucpd_tmp_t; -files_tmp_file(uucpd_tmp_t) - -type uucpd_var_run_t; -files_pid_file(uucpd_var_run_t) - -type uucpd_rw_t; -files_type(uucpd_rw_t) - -type uucpd_ro_t; -files_type(uucpd_ro_t) - -type uucpd_spool_t; -files_type(uucpd_spool_t) - -type uucpd_log_t; -logging_log_file(uucpd_log_t) - -type uux_t; -type uux_exec_t; -application_domain(uux_t, uux_exec_t) -role uux_roles types uux_t; - -######################################## -# -# Local policy -# - -allow uucpd_t self:capability { setuid setgid }; -allow uucpd_t self:process signal_perms; -allow uucpd_t self:fifo_file rw_fifo_file_perms; -allow uucpd_t self:tcp_socket { accept listen }; -allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - -allow uucpd_t uucpd_log_t:dir setattr_dir_perms; -append_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t) -create_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t) -setattr_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t) -logging_log_filetrans(uucpd_t, uucpd_log_t, { file dir }) - -allow uucpd_t uucpd_ro_t:dir list_dir_perms; -allow uucpd_t uucpd_ro_t:file read_file_perms; -allow uucpd_t uucpd_ro_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) -manage_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) -manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) - -manage_dirs_pattern(uucpd_t, uucpd_spool_t, uucpd_spool_t) -manage_files_pattern(uucpd_t, uucpd_spool_t, uucpd_spool_t) -manage_lnk_files_pattern(uucpd_t, uucpd_spool_t, uucpd_spool_t) - -manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t) -manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t) - -manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t) -manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t) -files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir }) - -manage_files_pattern(uucpd_t, uucpd_var_run_t, uucpd_var_run_t) -files_pid_filetrans(uucpd_t, uucpd_var_run_t, file) - -kernel_read_kernel_sysctls(uucpd_t) -kernel_read_system_state(uucpd_t) -kernel_read_network_state(uucpd_t) - -corenet_all_recvfrom_unlabeled(uucpd_t) -corenet_all_recvfrom_netlabel(uucpd_t) -corenet_tcp_sendrecv_generic_if(uucpd_t) -corenet_tcp_sendrecv_generic_node(uucpd_t) - -corenet_sendrecv_ssh_client_packets(uucpd_t) -corenet_tcp_connect_ssh_port(uucpd_t) -corenet_tcp_sendrecv_ssh_port(uucpd_t) - -corecmd_exec_bin(uucpd_t) -corecmd_exec_shell(uucpd_t) - -dev_read_urand(uucpd_t) - -files_search_home(uucpd_t) -files_search_locks(uucpd_t) -files_search_spool(uucpd_t) - -fs_getattr_xattr_fs(uucpd_t) - -term_setattr_controlling_term(uucpd_t) - -auth_use_nsswitch(uucpd_t) - -logging_send_syslog_msg(uucpd_t) - -miscfiles_read_localization(uucpd_t) - -optional_policy(` - cron_system_entry(uucpd_t, uucpd_exec_t) -') - -optional_policy(` - inetd_tcp_service_domain(uucpd_t, uucpd_exec_t) -') - -optional_policy(` - kerberos_use(uucpd_t) -') - -optional_policy(` - mta_send_mail(uucpd_t) -') - -optional_policy(` - ssh_exec(uucpd_t) -') - -######################################## -# -# UUX Local policy -# - -allow uux_t self:capability { setuid setgid }; -allow uux_t self:fifo_file write_fifo_file_perms; - -domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t) - -allow uux_t uucpd_log_t:dir list_dir_perms; -append_files_pattern(uux_t, uucpd_log_t, uucpd_log_t) - -manage_dirs_pattern(uux_t, uucpd_spool_t, uucpd_spool_t) -manage_files_pattern(uux_t, uucpd_spool_t, uucpd_spool_t) -manage_lnk_files_pattern(uux_t, uucpd_spool_t, uucpd_spool_t) - -corecmd_exec_bin(uux_t) - -files_search_spool(uux_t) - -fs_rw_anon_inodefs_files(uux_t) - -auth_use_nsswitch(uux_t) - -logging_search_logs(uux_t) -logging_send_syslog_msg(uux_t) - -miscfiles_read_localization(uux_t) - -optional_policy(` - mta_send_mail(uux_t) - mta_read_queue(uux_t) - sendmail_dontaudit_rw_unix_stream_sockets(uux_t) -') diff --git a/policy/modules/contrib/uuidd.fc b/policy/modules/contrib/uuidd.fc deleted file mode 100644 index ef3c47d5..00000000 --- a/policy/modules/contrib/uuidd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0) - -/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0) - -/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0) - -/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0) diff --git a/policy/modules/contrib/uuidd.if b/policy/modules/contrib/uuidd.if deleted file mode 100644 index 6e486533..00000000 --- a/policy/modules/contrib/uuidd.if +++ /dev/null @@ -1,194 +0,0 @@ -## <summary>UUID generation daemon.</summary> - -######################################## -## <summary> -## Execute uuidd in the uuidd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`uuidd_domtrans',` - gen_require(` - type uuidd_t, uuidd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, uuidd_exec_t, uuidd_t) -') - -######################################## -## <summary> -## Execute uuidd init scripts in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uuidd_initrc_domtrans',` - gen_require(` - type uuidd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, uuidd_initrc_exec_t) -') - -######################################## -## <summary> -## Search uuidd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uuidd_search_lib',` - gen_require(` - type uuidd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 uuidd_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read uuidd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uuidd_read_lib_files',` - gen_require(` - type uuidd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## uuidd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uuidd_manage_lib_files',` - gen_require(` - type uuidd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## uuidd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uuidd_manage_lib_dirs',` - gen_require(` - type uuidd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) -') - -######################################## -## <summary> -## Read uuidd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uuidd_read_pid_files',` - gen_require(` - type uuidd_var_run_t; - ') - - files_search_pids($1) - allow $1 uuidd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Connect to uuidd with an unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`uuidd_stream_connect_manager',` - gen_require(` - type uuidd_t, uuidd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an uuidd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`uuidd_admin',` - gen_require(` - type uuidd_t, uuidd_initrc_exec_t; - type uuidd_var_run_t, uuidd_var_lib_t; - ') - - allow $1 uuidd_t:process signal_perms; - ps_process_pattern($1, uuidd_t) - - uuidd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 uuidd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, uuidd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, uuidd_var_run_t) -') diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te deleted file mode 100644 index e670f55b..00000000 --- a/policy/modules/contrib/uuidd.te +++ /dev/null @@ -1,47 +0,0 @@ -policy_module(uuidd, 1.0.1) - -######################################## -# -# Declarations -# - -type uuidd_t; -type uuidd_exec_t; -init_daemon_domain(uuidd_t, uuidd_exec_t) - -type uuidd_initrc_exec_t; -init_script_file(uuidd_initrc_exec_t) - -type uuidd_var_lib_t; -files_type(uuidd_var_lib_t) - -type uuidd_var_run_t; -files_pid_file(uuidd_var_run_t) - -######################################## -# -# Local policy -# - -allow uuidd_t self:capability setuid; -allow uuidd_t self:process signal; -allow uuidd_t self:fifo_file rw_fifo_file_perms; -allow uuidd_t self:unix_stream_socket create_stream_socket_perms; -allow uuidd_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t) -manage_files_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t) -files_var_lib_filetrans(uuidd_t, uuidd_var_lib_t, { dir file }) - -manage_dirs_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t) -manage_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t) -manage_sock_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t) -files_pid_filetrans(uuidd_t, uuidd_var_run_t, { dir file sock_file }) - -dev_read_urand(uuidd_t) - -domain_use_interactive_fds(uuidd_t) - -files_read_etc_files(uuidd_t) - -miscfiles_read_localization(uuidd_t) diff --git a/policy/modules/contrib/uwimap.fc b/policy/modules/contrib/uwimap.fc deleted file mode 100644 index 3c504c68..00000000 --- a/policy/modules/contrib/uwimap.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0) - -/var/run/imapd\.pid -- gen_context(system_u:object_r:imapd_var_run_t,s0) diff --git a/policy/modules/contrib/uwimap.if b/policy/modules/contrib/uwimap.if deleted file mode 100644 index 42f34a69..00000000 --- a/policy/modules/contrib/uwimap.if +++ /dev/null @@ -1,20 +0,0 @@ -## <summary>University of Washington IMAP toolkit POP3 and IMAP mail server.</summary> - -######################################## -## <summary> -## Execute imapd in the imapd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`uwimap_domtrans',` - gen_require(` - type imapd_t, imapd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, imapd_exec_t, imapd_t) -') diff --git a/policy/modules/contrib/uwimap.te b/policy/modules/contrib/uwimap.te deleted file mode 100644 index b81e5c82..00000000 --- a/policy/modules/contrib/uwimap.te +++ /dev/null @@ -1,107 +0,0 @@ -policy_module(uwimap, 1.9.3) - -######################################## -# -# Declarations -# - -type imapd_t; -type imapd_exec_t; -init_daemon_domain(imapd_t, imapd_exec_t) - -type imapd_tmp_t; -files_tmp_file(imapd_tmp_t) - -type imapd_var_run_t; -files_pid_file(imapd_var_run_t) - -######################################## -# -# Local policy -# - -allow imapd_t self:capability { dac_override setgid setuid sys_resource }; -dontaudit imapd_t self:capability sys_tty_config; -allow imapd_t self:process signal_perms; -allow imapd_t self:fifo_file rw_fifo_file_perms; -allow imapd_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t) -manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t) -files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir }) - -manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t) -files_pid_filetrans(imapd_t, imapd_var_run_t, file) - -kernel_read_kernel_sysctls(imapd_t) -kernel_list_proc(imapd_t) -kernel_read_proc_symlinks(imapd_t) - -corenet_all_recvfrom_unlabeled(imapd_t) -corenet_all_recvfrom_netlabel(imapd_t) -corenet_tcp_sendrecv_generic_if(imapd_t) -corenet_tcp_sendrecv_generic_node(imapd_t) -corenet_tcp_sendrecv_all_ports(imapd_t) -corenet_tcp_bind_generic_node(imapd_t) - -corenet_sendrecv_pop_server_packets(imapd_t) -corenet_tcp_bind_pop_port(imapd_t) - -corenet_sendrecv_all_client_packets(imapd_t) -corenet_tcp_connect_all_ports(imapd_t) - -dev_read_rand(imapd_t) -dev_read_sysfs(imapd_t) -dev_read_urand(imapd_t) - -domain_use_interactive_fds(imapd_t) - -files_read_etc_files(imapd_t) - -fs_getattr_all_fs(imapd_t) -fs_search_auto_mountpoints(imapd_t) - -auth_domtrans_chk_passwd(imapd_t) - -logging_send_syslog_msg(imapd_t) - -miscfiles_read_localization(imapd_t) - -sysnet_dns_name_resolve(imapd_t) - -userdom_dontaudit_use_unpriv_user_fds(imapd_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(imapd_t) - fs_manage_nfs_files(imapd_t) - fs_manage_nfs_symlinks(imapd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(imapd_t) - fs_manage_cifs_files(imapd_t) - fs_manage_cifs_symlinks(imapd_t) -') - -optional_policy(` - inetd_tcp_service_domain(imapd_t, imapd_exec_t) -') - -optional_policy(` - mta_manage_spool(imapd_t) - mta_manage_mail_home_rw_content(imapd_t) - mta_home_filetrans_mail_home_rw(imapd_t, dir, "Maildir") - mta_home_filetrans_mail_home_rw(imapd_t, dir, ".maildir") -') - -optional_policy(` - seutil_sigchld_newrole(imapd_t) -') - -optional_policy(` - tcpd_wrapped_domain(imapd_t, imapd_exec_t) -') - -optional_policy(` - udev_read_db(imapd_t) -') diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc new file mode 100644 index 00000000..49580994 --- /dev/null +++ b/policy/modules/contrib/uwsgi.fc @@ -0,0 +1,11 @@ +/etc/uwsgi\.d(/.*)? gen_context(system_u:object_r:uwsgi_conf_t,s0) + +/usr/bin/uwsgi.* -- gen_context(system_u:object_r:uwsgi_exec_t,s0) + +/run/uwsgi(/.*)? gen_context(system_u:object_r:uwsgi_run_t,s0) + +/var/log/uwsgi(/.*)? gen_context(system_u:object_r:uwsgi_var_log_t,s0) + +/var/www/wsgi/.*\.so -- gen_context(system_u:object_r:uwsgi_content_exec_t,s0) +/var/www/wsgi/.*/bin/.* gen_context(system_u:object_r:uwsgi_content_exec_t,s0) +/var/www/wsgi(/.*)? gen_context(system_u:object_r:uwsgi_content_t,s0) diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if new file mode 100644 index 00000000..f5a54aa7 --- /dev/null +++ b/policy/modules/contrib/uwsgi.if @@ -0,0 +1,140 @@ +## <summary>uWSGI server for Python web applications</summary> + +######################################## +## <summary> +## Connect to uwsgi using a unix +## domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`uwsgi_stream_connect',` + gen_require(` + type uwsgi_t, uwsgi_run_t; + ') + + files_search_runtime($1) + list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t) + stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t) +') + +######################################## +## <summary> +## Manage uwsgi content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`uwsgi_manage_content',` + gen_require(` + type uwsgi_content_t, uwsgi_content_exec_t; + ') + + files_search_runtime($1) + manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t) + manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t) + manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t) + + manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t) + manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t) + + optional_policy(` + apache_manage_sys_content($1) + ') +') + +######################################## +## <summary> +## Execute uwsgi in the uwsgi domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`uwsgi_domtrans',` + gen_require(` + type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, uwsgi_exec_t, uwsgi_t) + domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t) +') + +######################################## +## <summary> +## Execute uwsgi in the callers domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`uwsgi_content_exec',` + gen_require(` + type uwsgi_content_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, uwsgi_content_exec_t) +') + +######################################## +## <summary> +## All of the rules required to +## administrate a uWSGI environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`uwsgi_admin',` + gen_require(` + type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t; + type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t; + type uwsgi_content_t, uwsgi_content_exec_t; + ') + + allow $1 uwsgi_t:process { ptrace signal_perms }; + ps_process_pattern($1, uwsgi_t) + + files_search_etc($1) + admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t }) + + files_search_var($1) + admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t }) + + logging_search_logs($1) + admin_pattern($1, { uwsgi_var_log_t }) + + files_search_runtime($1) + admin_pattern($1, uwsgi_run_t) + + files_search_tmp($1) + admin_pattern($1, uwsgi_tmp_t) + + corecmd_search_bin($1) + domtrans_pattern($1, uwsgi_exec_t, uwsgi_t) + can_exec($1, uwsgi_content_exec_t) + + optional_policy(` + apache_manage_sys_content($1) + ') +') diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te new file mode 100644 index 00000000..83328c34 --- /dev/null +++ b/policy/modules/contrib/uwsgi.te @@ -0,0 +1,91 @@ +policy_module(uwsgi, 1.0) + +######################################## +# +# Declarations +# + +type uwsgi_t; +type uwsgi_exec_t; +init_daemon_domain(uwsgi_t, uwsgi_exec_t) + +type uwsgi_conf_t; +files_config_file(uwsgi_conf_t) + +type uwsgi_run_t; +init_daemon_runtime_file(uwsgi_run_t, dir, "uwsgi") + +type uwsgi_var_log_t; +logging_log_file(uwsgi_var_log_t) + +type uwsgi_tmp_t; +files_tmp_file(uwsgi_tmp_t) + +type uwsgi_content_t; +files_type(uwsgi_content_t) + +type uwsgi_content_exec_t; +domain_entry_file(uwsgi_t, uwsgi_content_exec_t) + +######################################## +# +# uwsgi local policy +# + +allow uwsgi_t self:fifo_file rw_fifo_file_perms; +allow uwsgi_t self:process { signal sigchld }; + +can_exec(uwsgi_t, uwsgi_exec_t) +can_exec(uwsgi_t, uwsgi_tmp_t) +can_exec(uwsgi_t, uwsgi_content_exec_t) + +list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t) +read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t) + +list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t) +read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t) +read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t) + +list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t) +read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t) +read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t) + +read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t) +append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t) +logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir }) +logging_search_logs(uwsgi_t) + +manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t) +manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t) +manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t) + +manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t) +manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t) +files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir }) + +files_read_usr_files(uwsgi_t) + +auth_use_nsswitch(uwsgi_t) + +corecmd_exec_bin(uwsgi_t) +corecmd_exec_shell(uwsgi_t) + +kernel_read_system_state(uwsgi_t) +kernel_read_net_sysctls(uwsgi_t) + +libs_exec_ldconfig(uwsgi_t) + +miscfiles_read_localization(uwsgi_t) + +optional_policy(` + apache_read_all_content(uwsgi_t) + apache_manage_all_rw_content(uwsgi_t) +') + +optional_policy(` + cron_system_entry(uwsgi_t, uwsgi_content_exec_t) +') + +optional_policy(` + mysql_stream_connect(uwsgi_t) +') diff --git a/policy/modules/contrib/varnishd.fc b/policy/modules/contrib/varnishd.fc deleted file mode 100644 index 19bdce37..00000000 --- a/policy/modules/contrib/varnishd.fc +++ /dev/null @@ -1,18 +0,0 @@ -/etc/rc\.d/init\.d/varnish -- gen_context(system_u:object_r:varnishd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/varnishlog -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0) -/etc/rc\.d/init\.d/varnishncsa -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0) - -/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0) - -/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0) -/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0) - -/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0) - -/var/lib/varnish(/.*)? gen_context(system_u:object_r:varnishd_var_lib_t,s0) - -/var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0) - -/var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0) -/var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0) -/var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0) diff --git a/policy/modules/contrib/varnishd.if b/policy/modules/contrib/varnishd.if deleted file mode 100644 index 1c35171d..00000000 --- a/policy/modules/contrib/varnishd.if +++ /dev/null @@ -1,218 +0,0 @@ -## <summary>Varnishd http accelerator daemon.</summary> - -####################################### -## <summary> -## Execute varnishd in the varnishd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`varnishd_domtrans',` - gen_require(` - type varnishd_t, varnishd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, varnishd_exec_t, varnishd_t) -') - -####################################### -## <summary> -## Execute varnishd in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`varnishd_exec',` - gen_require(` - type varnishd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, varnishd_exec_t) -') - -###################################### -## <summary> -## Read varnishd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`varnishd_read_config',` - gen_require(` - type varnishd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) -') - -##################################### -## <summary> -## Read varnish lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`varnishd_read_lib_files',` - gen_require(` - type varnishd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) -') - -####################################### -## <summary> -## Read varnish log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`varnishd_read_log',` - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, varnishlog_log_t, varnishlog_log_t) -') - -###################################### -## <summary> -## Append varnish log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`varnishd_append_log',` - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, varnishlog_log_t, varnishlog_log_t) -') - -##################################### -## <summary> -## Create, read, write, and delete -## varnish log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`varnishd_manage_log',` - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t) -') - -###################################### -## <summary> -## All of the rules required to -## administrate an varnishlog environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`varnishd_admin_varnishlog',` - gen_require(` - type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; - type varnishlog_var_run_t; - ') - - allow $1 varnishlog_t:process { ptrace signal_perms }; - ps_process_pattern($1, varnishlog_t) - - init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 varnishlog_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, varnishlog_var_run_t) - - logging_list_logs($1) - admin_pattern($1, varnishlog_log_t) -') - -####################################### -## <summary> -## All of the rules required to -## administrate an varnishd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`varnishd_admin',` - gen_require(` - type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; - type varnishd_var_run_t, varnishd_tmp_t; - type varnishd_initrc_exec_t; - ') - - allow $1 varnishd_t:process { ptrace signal_perms }; - ps_process_pattern($1, varnishd_t) - - init_labeled_script_domtrans($1, varnishd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 varnishd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, varnishd_var_lib_t) - - files_list_etc($1) - admin_pattern($1, varnishd_etc_t) - - files_list_pids($1) - admin_pattern($1, varnishd_var_run_t) - - files_list_tmp($1) - admin_pattern($1, varnishd_tmp_t) -') diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te deleted file mode 100644 index 9d4d8cbb..00000000 --- a/policy/modules/contrib/varnishd.te +++ /dev/null @@ -1,140 +0,0 @@ -policy_module(varnishd, 1.2.0) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether varnishd can -## use the full TCP network. -## </p> -## </desc> -gen_tunable(varnishd_connect_any, false) - -type varnishd_t; -type varnishd_exec_t; -init_daemon_domain(varnishd_t, varnishd_exec_t) - -type varnishd_initrc_exec_t; -init_script_file(varnishd_initrc_exec_t) - -type varnishd_etc_t; -files_type(varnishd_etc_t) - -type varnishd_tmp_t; -files_tmp_file(varnishd_tmp_t) - -type varnishd_var_lib_t; -files_type(varnishd_var_lib_t) - -type varnishd_var_run_t; -files_pid_file(varnishd_var_run_t) - -type varnishlog_t; -type varnishlog_exec_t; -init_daemon_domain(varnishlog_t, varnishlog_exec_t) - -type varnishlog_initrc_exec_t; -init_script_file(varnishlog_initrc_exec_t) - -type varnishlog_var_run_t; -files_pid_file(varnishlog_var_run_t) - -type varnishlog_log_t; -files_type(varnishlog_log_t) - -######################################## -# -# Local policy -# - -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; -dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; -allow varnishd_t self:fifo_file rw_fifo_file_perms; -allow varnishd_t self:tcp_socket { accept listen }; - -allow varnishd_t varnishd_etc_t:dir list_dir_perms; -allow varnishd_t varnishd_etc_t:file read_file_perms; -allow varnishd_t varnishd_etc_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t) -manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t) -files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir }) - -manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) -manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) -files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file }) - -manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t) -files_pid_filetrans(varnishd_t, varnishd_var_run_t, file) - -can_exec(varnishd_t, varnishd_var_lib_t) - -kernel_read_system_state(varnishd_t) - -corecmd_exec_bin(varnishd_t) -corecmd_exec_shell(varnishd_t) - -corenet_all_recvfrom_unlabeled(varnishd_t) -corenet_all_recvfrom_netlabel(varnishd_t) -corenet_tcp_sendrecv_generic_if(varnishd_t) -corenet_tcp_sendrecv_generic_node(varnishd_t) -corenet_tcp_sendrecv_all_ports(varnishd_t) -corenet_tcp_bind_generic_node(varnishd_t) - -corenet_sendrecv_http_server_packets(varnishd_t) -corenet_tcp_bind_http_port(varnishd_t) -corenet_sendrecv_http_client_packets(varnishd_t) -corenet_tcp_connect_http_port(varnishd_t) -corenet_tcp_sendrecv_http_port(varnishd_t) - -corenet_sendrecv_http_cache_server_packets(varnishd_t) -corenet_tcp_bind_http_cache_port(varnishd_t) -corenet_sendrecv_http_cache_client_packets(varnishd_t) -corenet_tcp_connect_http_cache_port(varnishd_t) -corenet_tcp_sendrecv_http_cache_port(varnishd_t) - -corenet_sendrecv_varnishd_server_packets(varnishd_t) -corenet_tcp_bind_varnishd_port(varnishd_t) -corenet_tcp_sendrecv_varnishd_port(varnishd_t) - -dev_read_urand(varnishd_t) - -files_read_usr_files(varnishd_t) - -fs_getattr_all_fs(varnishd_t) - -auth_use_nsswitch(varnishd_t) - -logging_send_syslog_msg(varnishd_t) - -miscfiles_read_localization(varnishd_t) - -tunable_policy(`varnishd_connect_any',` - corenet_sendrecv_all_client_packets(varnishd_t) - corenet_tcp_connect_all_ports(varnishd_t) - corenet_sendrecv_all_server_packets(varnishd_t) - corenet_tcp_bind_all_ports(varnishd_t) - corenet_tcp_sendrecv_all_ports(varnishd_t) -') - -####################################### -# -# Log local policy -# - -manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t) -files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file) - -manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) -append_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) -create_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) -setattr_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) -logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir }) - -read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t) - -files_search_var_lib(varnishlog_t) diff --git a/policy/modules/contrib/vbetool.fc b/policy/modules/contrib/vbetool.fc deleted file mode 100644 index d00970f1..00000000 --- a/policy/modules/contrib/vbetool.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0) diff --git a/policy/modules/contrib/vbetool.if b/policy/modules/contrib/vbetool.if deleted file mode 100644 index 4e648ba8..00000000 --- a/policy/modules/contrib/vbetool.if +++ /dev/null @@ -1,46 +0,0 @@ -## <summary>run real-mode video BIOS code to alter hardware state.</summary> - -######################################## -## <summary> -## Execute vbetool in the vbetool domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`vbetool_domtrans',` - gen_require(` - type vbetool_t, vbetool_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vbetool_exec_t, vbetool_t) -') - -######################################## -## <summary> -## Execute vbetool in the vbetool -## domain, and allow the specified -## role the vbetool domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`vbetool_run',` - gen_require(` - attribute_role vbetool_roles; - ') - - vbetool_domtrans($1) - roleattribute $2 vbetool_roles; -') diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te deleted file mode 100644 index 14e1eecf..00000000 --- a/policy/modules/contrib/vbetool.te +++ /dev/null @@ -1,56 +0,0 @@ -policy_module(vbetool, 1.6.1) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether attempts by -## vbetool to mmap low regions should -## be silently blocked. -## </p> -## </desc> -gen_tunable(vbetool_mmap_zero_ignore, false) - -attribute_role vbetool_roles; - -type vbetool_t; -type vbetool_exec_t; -init_system_domain(vbetool_t, vbetool_exec_t) -role vbetool_roles types vbetool_t; - -######################################## -# -# Local policy -# - -allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; -allow vbetool_t self:process execmem; - -dev_wx_raw_memory(vbetool_t) -dev_read_raw_memory(vbetool_t) -dev_rwx_zero(vbetool_t) -dev_rw_sysfs(vbetool_t) -dev_rw_xserver_misc(vbetool_t) -dev_rw_mtrr(vbetool_t) - -domain_mmap_low(vbetool_t) - -mls_file_read_all_levels(vbetool_t) -mls_file_write_all_levels(vbetool_t) - -term_use_unallocated_ttys(vbetool_t) - -miscfiles_read_localization(vbetool_t) - -tunable_policy(`vbetool_mmap_zero_ignore',` - dontaudit vbetool_t self:memprotect mmap_zero; -') - -optional_policy(` - hal_rw_pid_files(vbetool_t) - hal_write_log(vbetool_t) - hal_dontaudit_append_lib_files(vbetool_t) -') diff --git a/policy/modules/contrib/vdagent.fc b/policy/modules/contrib/vdagent.fc deleted file mode 100644 index 45b6dded..00000000 --- a/policy/modules/contrib/vdagent.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/spice-vdagentd -- gen_context(system_u:object_r:vdagentd_initrc_exec_t,s0) - -/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0) - -/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) -/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0) - -/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) -/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0) diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if deleted file mode 100644 index 31c752ea..00000000 --- a/policy/modules/contrib/vdagent.if +++ /dev/null @@ -1,134 +0,0 @@ -## <summary>Spice agent for Linux.</summary> - -######################################## -## <summary> -## Execute a domain transition to run vdagent. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vdagent_domtrans',` - gen_require(` - type vdagent_t, vdagent_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vdagent_exec_t, vdagent_t) -') - -##################################### -## <summary> -## Get attributes of vdagent executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vdagent_getattr_exec_files',` - gen_require(` - type vdagent_exec_t; - ') - - allow $1 vdagent_exec_t:file getattr_file_perms; -') - -####################################### -## <summary> -## Get attributes of vdagent log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vdagent_getattr_log',` - gen_require(` - type vdagent_log_t; - ') - - logging_search_logs($1) - allow $1 vdagent_log_t:file getattr_file_perms; -') - -######################################## -## <summary> -## Read vdagent pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vdagent_read_pid_files',` - gen_require(` - type vdagent_var_run_t; - ') - - files_search_pids($1) - allow $1 vdagent_var_run_t:file read_file_perms; -') - -##################################### -## <summary> -## Connect to vdagent with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vdagent_stream_connect',` - gen_require(` - type vdagent_var_run_t, vdagent_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an vdagent environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`vdagent_admin',` - gen_require(` - type vdagent_t, vdagent_var_run_t, vdagentd_initrc_exec_t; - type vdagent_log_t; - ') - - allow $1 vdagent_t:process signal_perms; - ps_process_pattern($1, vdagent_t) - - init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 vdagentd_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, vdagent_log_t) - - files_search_pids($1) - admin_pattern($1, vdagent_var_run_t) -') diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te deleted file mode 100644 index 77be35a7..00000000 --- a/policy/modules/contrib/vdagent.te +++ /dev/null @@ -1,62 +0,0 @@ -policy_module(vdagent, 1.0.2) - -######################################## -# -# Declarations -# - -type vdagent_t; -type vdagent_exec_t; -init_daemon_domain(vdagent_t, vdagent_exec_t) - -type vdagentd_initrc_exec_t; -init_script_file(vdagentd_initrc_exec_t) - -type vdagent_var_run_t; -files_pid_file(vdagent_var_run_t) - -type vdagent_log_t; -logging_log_file(vdagent_log_t) - -######################################## -# -# Local policy -# - -dontaudit vdagent_t self:capability sys_admin; -allow vdagent_t self:process signal; -allow vdagent_t self:fifo_file rw_fifo_file_perms; -allow vdagent_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) -manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) -manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) -files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file }) - -manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) -append_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) -create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) -setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) -logging_log_filetrans(vdagent_t, vdagent_log_t, file) - -dev_rw_input_dev(vdagent_t) -dev_read_sysfs(vdagent_t) -dev_dontaudit_write_mtrr(vdagent_t) - -files_read_etc_files(vdagent_t) - -init_read_state(vdagent_t) - -logging_send_syslog_msg(vdagent_t) - -miscfiles_read_localization(vdagent_t) - -userdom_read_all_users_state(vdagent_t) - -optional_policy(` - dbus_system_bus_client(vdagent_t) - - optional_policy(` - consolekit_dbus_chat(vdagent_t) - ') -') diff --git a/policy/modules/contrib/vde.fc b/policy/modules/contrib/vde.fc index d449e06d..6ba4cc75 100644 --- a/policy/modules/contrib/vde.fc +++ b/policy/modules/contrib/vde.fc @@ -1,5 +1,5 @@ /etc/rc\.d/init\.d/vde -- gen_context(system_u:object_r:vde_initrc_exec_t,s0) /usr/bin/vde_switch -- gen_context(system_u:object_r:vde_exec_t,s0) /usr/sbin/vde_tunctl -- gen_context(system_u:object_r:vde_exec_t,s0) -/var/run/vde\.ctl(/.*)? gen_context(system_u:object_r:vde_var_run_t,s0) -/tmp/vde.[0-9-]* -s gen_context(system_u:object_r:vde_tmp_t,s0) +/run/vde\.ctl(/.*)? gen_context(system_u:object_r:vde_runtime_t,s0) +/tmp/vde\.[^/]* -s gen_context(system_u:object_r:vde_tmp_t,s0) diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if index af85ea3c..437b65ed 100644 --- a/policy/modules/contrib/vde.if +++ b/policy/modules/contrib/vde.if @@ -18,26 +18,26 @@ # interface(`vde_role',` gen_require(` - type vde_t, vde_tmp_t; - type vde_var_run_t; - type vde_initrc_exec_t, vde_exec_t; + type vde_t; + type vde_exec_t; ') role $1 types vde_t; allow $2 vde_t:process { ptrace signal_perms }; + allow $2 vde_t:unix_stream_socket connectto; allow vde_t $2:process { sigchld signull }; allow vde_t $2:fd use; allow vde_t $2:tun_socket { relabelfrom }; allow vde_t self:tun_socket { relabelfrom relabelto }; ps_process_pattern($2, vde_t) - domain_auto_trans($2, vde_exec_t, vde_t) + domain_auto_transition_pattern($2, vde_exec_t, vde_t) ') ######################################## ## <summary> -# Allow communication with the VDE service +# Allow communication with the VDE service ## </summary> ## <param name="domain"> ## <summary> @@ -48,10 +48,10 @@ interface(`vde_role',` # interface(`vde_connect',` gen_require(` - type vde_t, vde_var_run_t, vde_tmp_t; + type vde_t, vde_runtime_t, vde_tmp_t; ') - allow $1 vde_var_run_t:sock_file write_sock_file_perms; + allow $1 vde_runtime_t:sock_file write_sock_file_perms; allow $1 vde_t:unix_stream_socket { connectto }; allow $1 vde_t:unix_dgram_socket { sendto }; allow vde_t $1:unix_dgram_socket { sendto }; diff --git a/policy/modules/contrib/vde.te b/policy/modules/contrib/vde.te index 3b894916..dbcc08b3 100644 --- a/policy/modules/contrib/vde.te +++ b/policy/modules/contrib/vde.te @@ -15,8 +15,8 @@ init_script_file(vde_initrc_exec_t) type vde_var_lib_t; files_type(vde_var_lib_t) -type vde_var_run_t; -files_pid_file(vde_var_run_t) +type vde_runtime_t alias vde_var_run_t; +files_runtime_file(vde_runtime_t) type vde_tmp_t; files_tmp_file(vde_tmp_t) @@ -34,10 +34,10 @@ allow vde_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow vde_t self:unix_dgram_socket create_socket_perms; files_tmp_filetrans(vde_t, vde_tmp_t, sock_file) -manage_dirs_pattern(vde_t, vde_var_run_t, vde_var_run_t) -manage_files_pattern(vde_t, vde_var_run_t, vde_var_run_t) -manage_sock_files_pattern(vde_t, vde_var_run_t, vde_var_run_t) -files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket }) +manage_dirs_pattern(vde_t, vde_runtime_t, vde_runtime_t) +manage_files_pattern(vde_t, vde_runtime_t, vde_runtime_t) +manage_sock_files_pattern(vde_t, vde_runtime_t, vde_runtime_t) +files_runtime_filetrans(vde_t, vde_runtime_t, { dir file sock_file unix_dgram_socket }) files_read_etc_files(vde_t) @@ -47,3 +47,7 @@ miscfiles_read_localization(vde_t) corenet_rw_tun_tap_dev(vde_t) logging_send_syslog_msg(vde_t) + +optional_policy(` + qemu_rw_pid_sock_files(vde_t) +') diff --git a/policy/modules/contrib/vhostmd.fc b/policy/modules/contrib/vhostmd.fc deleted file mode 100644 index 6a96da3c..00000000 --- a/policy/modules/contrib/vhostmd.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) - -/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) - -/var/run/vhostmd.* gen_context(system_u:object_r:vhostmd_var_run_t,s0) diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if deleted file mode 100644 index 22edd58f..00000000 --- a/policy/modules/contrib/vhostmd.if +++ /dev/null @@ -1,232 +0,0 @@ -## <summary>Virtual host metrics daemon.</summary> - -######################################## -## <summary> -## Execute a domain transition to run vhostmd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`vhostmd_domtrans',` - gen_require(` - type vhostmd_t, vhostmd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vhostmd_exec_t, vhostmd_t) -') - -######################################## -## <summary> -## Execute vhostmd init scripts in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`vhostmd_initrc_domtrans',` - gen_require(` - type vhostmd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, vhostmd_initrc_exec_t) -') - -######################################## -## <summary> -## Read vhostmd tmpfs files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vhostmd_read_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - fs_search_tmpfs($1) - allow $1 vhostmd_tmpfs_t:file read_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read -## vhostmd tmpfs files -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`vhostmd_dontaudit_read_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - dontaudit $1 vhostmd_tmpfs_t:file read_file_perms; -') - -####################################### -## <summary> -## Read and write vhostmd tmpfs files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vhostmd_rw_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - fs_search_tmpfs($1) - rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## vhostmd tmpfs files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vhostmd_manage_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -') - -######################################## -## <summary> -## Read vhostmd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vhostmd_read_pid_files',` - gen_require(` - type vhostmd_var_run_t; - ') - - files_search_pids($1) - allow $1 vhostmd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## vhostmd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vhostmd_manage_pid_files',` - gen_require(` - type vhostmd_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) -') - -######################################## -## <summary> -## Connect to vhostmd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vhostmd_stream_connect',` - gen_require(` - type vhostmd_t, vhostmd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t) -') - -####################################### -## <summary> -## Do not audit attempts to read and -## write vhostmd unix domain stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`vhostmd_dontaudit_rw_stream_connect',` - gen_require(` - type vhostmd_t; - ') - - dontaudit $1 vhostmd_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an vhostmd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`vhostmd_admin',` - gen_require(` - type vhostmd_t, vhostmd_initrc_exec_t, vhostmd_var_run_t; - type vhostmd_tmpfs_t; - ') - - allow $1 vhostmd_t:process { ptrace signal_perms }; - ps_process_pattern($1, vhostmd_t) - - vhostmd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 vhostmd_initrc_exec_t system_r; - allow $2 system_r; - - fs_search_tmpfs($1) - admin_pattern($1, vhostmd_tmpfs_t) - - files_search_pids($1) - admin_pattern($1, vhostmd_var_run_t) -') diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te deleted file mode 100644 index 0be8535e..00000000 --- a/policy/modules/contrib/vhostmd.te +++ /dev/null @@ -1,87 +0,0 @@ -policy_module(vhostmd, 1.0.1) - -######################################## -# -# Declarations -# - -type vhostmd_t; -type vhostmd_exec_t; -init_daemon_domain(vhostmd_t, vhostmd_exec_t) - -type vhostmd_initrc_exec_t; -init_script_file(vhostmd_initrc_exec_t) - -type vhostmd_tmpfs_t; -files_tmpfs_file(vhostmd_tmpfs_t) - -type vhostmd_var_run_t; -files_pid_file(vhostmd_var_run_t) - -######################################## -# -# Local policy -# - -allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; -allow vhostmd_t self:process { setsched getsched signal }; -allow vhostmd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir }) - -manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) -manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) -manage_sock_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) -files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir sock_file }) - -kernel_read_kernel_sysctls(vhostmd_t) -kernel_read_system_state(vhostmd_t) -kernel_read_network_state(vhostmd_t) -kernel_write_xen_state(vhostmd_t) - -corecmd_exec_bin(vhostmd_t) -corecmd_exec_shell(vhostmd_t) - -corenet_all_recvfrom_unlabeled(vhostmd_t) -corenet_all_recvfrom_netlabel(vhostmd_t) -corenet_tcp_sendrecv_generic_if(vhostmd_t) -corenet_tcp_sendrecv_generic_node(vhostmd_t) - -corenet_sendrecv_soundd_client_packets(vhostmd_t) -corenet_tcp_connect_soundd_port(vhostmd_t) -corenet_tcp_sendrecv_soundd_port(vhostmd_t) - -dev_read_rand(vhostmd_t) -dev_read_urand(vhostmd_t) -dev_read_sysfs(vhostmd_t) - -files_list_tmp(vhostmd_t) -files_read_usr_files(vhostmd_t) - -auth_use_nsswitch(vhostmd_t) - -logging_send_syslog_msg(vhostmd_t) - -miscfiles_read_localization(vhostmd_t) - -optional_policy(` - hostname_exec(vhostmd_t) -') - -optional_policy(` - rpm_exec(vhostmd_t) - rpm_read_db(vhostmd_t) -') - -optional_policy(` - virt_stream_connect(vhostmd_t) -') - -optional_policy(` - xen_domtrans_xm(vhostmd_t) - xen_stream_connect(vhostmd_t) - xen_stream_connect_xenstore(vhostmd_t) - xen_stream_connect_xm(vhostmd_t) -') diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc deleted file mode 100644 index c30da4cf..00000000 --- a/policy/modules/contrib/virt.fc +++ /dev/null @@ -1,52 +0,0 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) - -/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) - -/etc/rc\.d/init\.d/libvirt-bin -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) - -/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) - -/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) -/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) - -/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) -/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) - -/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0) -/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) -/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) - -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) - -/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) - -/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) - -/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) - -/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) -/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) -/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if deleted file mode 100644 index e30a42e3..00000000 --- a/policy/modules/contrib/virt.if +++ /dev/null @@ -1,1190 +0,0 @@ -## <summary>Libvirt virtualization API.</summary> - -####################################### -## <summary> -## The template to define a virt domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`virt_domain_template',` - gen_require(` - attribute_role virt_domain_roles; - attribute virt_image_type, virt_domain, virt_tmpfs_type; - attribute virt_ptynode, virt_tmp_type; - ') - - ######################################## - # - # Declarations - # - - type $1_t, virt_domain; - application_type($1_t) - domain_user_exemption_target($1_t) - mls_rangetrans_target($1_t) - mcs_constrained($1_t) - role virt_domain_roles types $1_t; - - type $1_devpts_t, virt_ptynode; - term_pty($1_devpts_t) - - type $1_tmp_t, virt_tmp_type; - files_tmp_file($1_tmp_t) - - type $1_tmpfs_t, virt_tmpfs_type; - files_tmpfs_file($1_tmpfs_t) - - optional_policy(` - pulseaudio_tmpfs_content($1_tmpfs_t) - ') - - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) - dev_associate_sysfs($1_image_t) - - ifdef(`distro_gentoo',` - optional_policy(` - qemu_entry_type($1_t) - ') - ') - - ######################################## - # - # Policy - # - - allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; - term_create_pty($1_t, $1_devpts_t) - - manage_dirs_pattern($1_t, $1_image_t, $1_image_t) - manage_files_pattern($1_t, $1_image_t, $1_image_t) - manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) - read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) - manage_sock_files_pattern($1_t, $1_image_t, $1_image_t) - rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) - rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) - fs_hugetlbfs_filetrans($1_t, $1_image_t, file) - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - - manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) - - optional_policy(` - pulseaudio_run($1_t, virt_domain_roles) - ') - - optional_policy(` - xserver_rw_shm($1_t) - ') -') - -####################################### -## <summary> -## The template to define a virt lxc domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`virt_lxc_domain_template',` - gen_require(` - attribute_role svirt_lxc_domain_roles; - attribute svirt_lxc_domain; - ') - - type $1_t, svirt_lxc_domain; - domain_type($1_t) - domain_user_exemption_target($1_t) - mls_rangetrans_target($1_t) - mcs_constrained($1_t) - role svirt_lxc_domain_roles types $1_t; -') - -######################################## -## <summary> -## Make the specified type virt image type. -## </summary> -## <param name="type"> -## <summary> -## Type to be used as a virtual image. -## </summary> -## </param> -# -interface(`virt_image',` - gen_require(` - attribute virt_image_type; - ') - - typeattribute $1 virt_image_type; - files_type($1) - dev_node($1) -') - -######################################## -## <summary> -## Execute a domain transition to run virtd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`virt_domtrans',` - gen_require(` - type virtd_t, virtd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, virtd_exec_t, virtd_t) -') - -######################################## -## <summary> -## Execute a domain transition to run virt qmf. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`virt_domtrans_qmf',` - gen_require(` - type virt_qmf_t, virt_qmf_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run virt bridgehelper. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`virt_domtrans_bridgehelper',` - gen_require(` - type virt_bridgehelper_t, virt_bridgehelper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) -') - -######################################## -## <summary> -## Execute bridgehelper in the bridgehelper -## domain, and allow the specified role -## the bridgehelper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`virt_run_bridgehelper',` - gen_require(` - attribute_role virt_bridgehelper_roles; - ') - - virt_domtrans_bridgehelper($1) - roleattribute $2 virt_bridgehelper_roles; -') - -######################################## -## <summary> -## Execute virt domain in the their -## domain, and allow the specified -## role that virt domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`virt_run_virt_domain',` - gen_require(` - attribute virt_domain; - attribute_role virt_domain_roles; - ') - - allow $1 virt_domain:process { signal transition }; - roleattribute $2 virt_domain_roles; - - allow virt_domain $1:fd use; - allow virt_domain $1:fifo_file rw_fifo_file_perms; - allow virt_domain $1:process sigchld; -') - -######################################## -## <summary> -## Send generic signals to all virt domains. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_signal_all_virt_domains',` - gen_require(` - attribute virt_domain; - ') - - allow $1 virt_domain:process signal; -') - -######################################## -## <summary> -## Send kill signals to all virt domains. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_kill_all_virt_domains',` - gen_require(` - attribute virt_domain; - ') - - allow $1 virt_domain:process sigkill; -') - -######################################## -## <summary> -## Execute svirt lxc domains in their -## domain, and allow the specified -## role that svirt lxc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`virt_run_svirt_lxc_domain',` - gen_require(` - attribute svirt_lxc_domain; - attribute_role svirt_lxc_domain_roles; - ') - - allow $1 svirt_lxc_domain:process { signal transition }; - roleattribute $2 svirt_lxc_domain_roles; - - allow svirt_lxc_domain $1:fd use; - allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; - allow svirt_lxc_domain $1:process sigchld; -') - -####################################### -## <summary> -## Get attributes of virtd executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_getattr_virtd_exec_files',` - gen_require(` - type virtd_exec_t; - ') - - allow $1 virtd_exec_t:file getattr_file_perms; -') - -####################################### -## <summary> -## Connect to virt with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_stream_connect',` - gen_require(` - type virtd_t, virt_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) -') - -######################################## -## <summary> -## Attach to virt tun devices. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_attach_tun_iface',` - gen_require(` - type virtd_t; - ') - - allow $1 virtd_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## <summary> -## Read virt configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_read_config',` - gen_require(` - type virt_etc_t, virt_etc_rw_t; - ') - - files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms; - read_files_pattern($1, virt_etc_t, virt_etc_t) - read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_config',` - gen_require(` - type virt_etc_t, virt_etc_rw_t; - ') - - files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms; - manage_files_pattern($1, virt_etc_t, virt_etc_t) - manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt image files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_read_content',` - gen_require(` - type virt_content_t; - ') - - virt_search_lib($1) - allow $1 virt_content_t:dir list_dir_perms; - list_dirs_pattern($1, virt_content_t, virt_content_t) - read_files_pattern($1, virt_content_t, virt_content_t) - read_lnk_files_pattern($1, virt_content_t, virt_content_t) - read_blk_files_pattern($1, virt_content_t, virt_content_t) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_virt_content',` - gen_require(` - type virt_content_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_content_t:dir manage_dir_perms; - allow $1 virt_content_t:file manage_file_perms; - allow $1 virt_content_t:fifo_file manage_fifo_file_perms; - allow $1 virt_content_t:lnk_file manage_lnk_file_perms; - allow $1 virt_content_t:sock_file manage_sock_file_perms; - allow $1 virt_content_t:blk_file manage_blk_file_perms; - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## Relabel virt content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_relabel_virt_content',` - gen_require(` - type virt_content_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_content_t:dir relabel_dir_perms; - allow $1 virt_content_t:file relabel_file_perms; - allow $1 virt_content_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_content_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_content_t:sock_file relabel_sock_file_perms; - allow $1 virt_content_t:blk_file relabel_blk_file_perms; -') - -######################################## -## <summary> -## Create specified objects in user home -## directories with the virt content type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`virt_home_filetrans_virt_content',` - gen_require(` - type virt_content_t; - ') - - virt_home_filetrans($1, virt_content_t, $2, $3) -') - -######################################## -## <summary> -## Create, read, write, and delete -## svirt home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_svirt_home_content',` - gen_require(` - type svirt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 svirt_home_t:dir manage_dir_perms; - allow $1 svirt_home_t:file manage_file_perms; - allow $1 svirt_home_t:fifo_file manage_fifo_file_perms; - allow $1 svirt_home_t:lnk_file manage_lnk_file_perms; - allow $1 svirt_home_t:sock_file manage_sock_file_perms; - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## Relabel svirt home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_relabel_svirt_home_content',` - gen_require(` - type svirt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 svirt_home_t:dir relabel_dir_perms; - allow $1 svirt_home_t:file relabel_file_perms; - allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 svirt_home_t:sock_file relabel_sock_file_perms; -') - -######################################## -## <summary> -## Create specified objects in user home -## directories with the svirt home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`virt_home_filetrans_svirt_home',` - gen_require(` - type svirt_home_t; - ') - - virt_home_filetrans($1, svirt_home_t, $2, $3) -') - -######################################## -## <summary> -## Create specified objects in generic -## virt home directories with private -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## Private file type. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`virt_home_filetrans',` - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - filetrans_pattern($1, virt_home_t, $2, $3, $4) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_home_files',` - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - manage_files_pattern($1, virt_home_t, virt_home_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_generic_virt_home_content',` - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_home_t:dir manage_dir_perms; - allow $1 virt_home_t:file manage_file_perms; - allow $1 virt_home_t:fifo_file manage_fifo_file_perms; - allow $1 virt_home_t:lnk_file manage_lnk_file_perms; - allow $1 virt_home_t:sock_file manage_sock_file_perms; - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## Relabel virt home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_relabel_generic_virt_home_content',` - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_home_t:dir relabel_dir_perms; - allow $1 virt_home_t:file relabel_file_perms; - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; -') - -######################################## -## <summary> -## Create specified objects in user home -## directories with the generic virt -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`virt_home_filetrans_virt_home',` - gen_require(` - type virt_home_t; - ') - - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) -') - -######################################## -## <summary> -## Read virt pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_read_pid_files',` - gen_require(` - type virt_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_pid_files',` - gen_require(` - type virt_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -') - -######################################## -## <summary> -## Search virt lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_search_lib',` - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 virt_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read virt lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_read_lib_files',` - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_lib_files',` - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -') - -######################################## -## <summary> -## Create objects in virt pid -## directories with a private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private type"> -## <summary> -## The type of the object to be created. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -## <infoflow type="write" weight="10"/> -# -interface(`virt_pid_filetrans',` - gen_require(` - type virt_var_run_t; - ') - - files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -') - -######################################## -## <summary> -## Read virt log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`virt_read_log',` - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## <summary> -## Append virt log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_append_log',` - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_log',` - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## <summary> -## Search virt image directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_search_images',` - gen_require(` - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -') - -######################################## -## <summary> -## Read virt image files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_read_images',` - gen_require(` - type virt_var_lib_t; - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - list_dirs_pattern($1, virt_image_type, virt_image_type) - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## Read and write all virt image -## character files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_rw_all_image_chr_files',` - gen_require(` - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) -') - -######################################## -## <summary> -## Create, read, write, and delete -## svirt cache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_svirt_cache',` - refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') - virt_manage_virt_cache($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt cache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_virt_cache',` - gen_require(` - type virt_cache_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt image files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_images',` - gen_require(` - type virt_var_lib_t; - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_type, virt_image_type) - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an virt environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`virt_admin',` - gen_require(` - attribute virt_domain, virt_image_type, virt_tmpfs_type; - attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; - type virtd_t, virtd_initrc_exec_t, virtd_lxc_t; - type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t; - type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t; - type virt_var_run_t, virt_tmp_t, virt_log_t; - type virt_lock_t, svirt_var_run_t, virt_etc_rw_t; - type virt_etc_t, svirt_cache_t; - ') - - allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; - allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) - ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) - - init_labeled_script_domtrans($1, virtd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 virtd_initrc_exec_t system_r; - allow $2 system_r; - - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) - - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) - - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t }) - - logging_search_logs($1) - admin_pattern($1, virt_log_t) - - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) - - files_search_var($1) - admin_pattern($1, svirt_cache_t) - - files_search_var_lib($1) - admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) - - files_search_locks($1) - admin_pattern($1, virt_lock_t) - - dev_list_all_dev_nodes($1) - allow $1 virt_ptynode:chr_file rw_term_perms; -') diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te deleted file mode 100644 index 65735c23..00000000 --- a/policy/modules/contrib/virt.te +++ /dev/null @@ -1,1206 +0,0 @@ -policy_module(virt, 1.6.10) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether confined virtual guests -## can use serial/parallel communication ports. -## </p> -## </desc> -gen_tunable(virt_use_comm, false) - -## <desc> -## <p> -## Determine whether confined virtual guests -## can use executable memory and can make -## their stack executable. -## </p> -## </desc> -gen_tunable(virt_use_execmem, false) - -## <desc> -## <p> -## Determine whether confined virtual guests -## can use fuse file systems. -## </p> -## </desc> -gen_tunable(virt_use_fusefs, false) - -## <desc> -## <p> -## Determine whether confined virtual guests -## can use nfs file systems. -## </p> -## </desc> -gen_tunable(virt_use_nfs, false) - -## <desc> -## <p> -## Determine whether confined virtual guests -## can use cifs file systems. -## </p> -## </desc> -gen_tunable(virt_use_samba, false) - -## <desc> -## <p> -## Determine whether confined virtual guests -## can manage device configuration. -## </p> -## </desc> -gen_tunable(virt_use_sysfs, false) - -## <desc> -## <p> -## Determine whether confined virtual guests -## can use usb devices. -## </p> -## </desc> -gen_tunable(virt_use_usb, false) - -## <desc> -## <p> -## Determine whether confined virtual guests -## can interact with xserver. -## </p> -## </desc> -gen_tunable(virt_use_xserver, false) - -attribute virt_ptynode; -attribute virt_domain; -attribute virt_image_type; -attribute virt_tmp_type; -attribute virt_tmpfs_type; - -attribute svirt_lxc_domain; - -attribute_role virt_domain_roles; -roleattribute system_r virt_domain_roles; - -attribute_role virt_bridgehelper_roles; -roleattribute system_r virt_bridgehelper_roles; - -attribute_role svirt_lxc_domain_roles; -roleattribute system_r svirt_lxc_domain_roles; - -virt_domain_template(svirt) -virt_domain_template(svirt_prot_exec) - -type virt_cache_t alias svirt_cache_t; -files_type(virt_cache_t) - -type virt_etc_t; -files_config_file(virt_etc_t) - -type virt_etc_rw_t; -files_type(virt_etc_rw_t) - -type virt_home_t; -userdom_user_home_content(virt_home_t) - -type svirt_home_t; -userdom_user_home_content(svirt_home_t) - -type svirt_var_run_t; -files_pid_file(svirt_var_run_t) -mls_trusted_object(svirt_var_run_t) - -type virt_image_t; # customizable -virt_image(virt_image_t) -files_mountpoint(virt_image_t) - -type virt_content_t; # customizable -virt_image(virt_content_t) -userdom_user_home_content(virt_content_t) - -type virt_lock_t; -files_lock_file(virt_lock_t) - -type virt_log_t; -logging_log_file(virt_log_t) -mls_trusted_object(virt_log_t) - -type virt_tmp_t; -files_tmp_file(virt_tmp_t) - -type virt_var_run_t; -files_pid_file(virt_var_run_t) - -type virt_var_lib_t; -files_mountpoint(virt_var_lib_t) - -type virtd_t; -type virtd_exec_t; -init_daemon_domain(virtd_t, virtd_exec_t) -domain_obj_id_change_exemption(virtd_t) -domain_subj_id_change_exemption(virtd_t) - -type virtd_initrc_exec_t; -init_script_file(virtd_initrc_exec_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) -') - -type virt_qmf_t; -type virt_qmf_exec_t; -init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) - -type virt_bridgehelper_t; -type virt_bridgehelper_exec_t; -domain_type(virt_bridgehelper_t) -domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) -role virt_bridgehelper_roles types virt_bridgehelper_t; - -type virtd_lxc_t; -type virtd_lxc_exec_t; -init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) - -type virtd_lxc_var_run_t; -files_pid_file(virtd_lxc_var_run_t) - -type svirt_lxc_file_t; -files_mountpoint(svirt_lxc_file_t) -fs_noxattr_type(svirt_lxc_file_t) -term_pty(svirt_lxc_file_t) - -virt_lxc_domain_template(svirt_lxc_net) - -type virsh_t; -type virsh_exec_t; -init_system_domain(virsh_t, virsh_exec_t) - -######################################## -# -# Common virt domain local policy -# - -allow virt_domain self:process { signal getsched signull }; -allow virt_domain self:fifo_file rw_fifo_file_perms; -allow virt_domain self:netlink_route_socket r_netlink_socket_perms; -allow virt_domain self:shm create_shm_perms; -allow virt_domain self:tcp_socket create_stream_socket_perms; -allow virt_domain self:unix_stream_socket { accept listen }; -allow virt_domain self:unix_dgram_socket sendto; - -allow virt_domain virtd_t:fd use; -allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; -allow virt_domain virtd_t:process sigchld; - -dontaudit virt_domain virtd_t:unix_stream_socket { read write }; - -manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) -manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) -files_var_filetrans(virt_domain, virt_cache_t, { file dir }) - -manage_dirs_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) -manage_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) -manage_sock_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) -manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) -files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file }) - -stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t) - -dontaudit virt_domain virt_tmpfs_type:file { read write }; - -append_files_pattern(virt_domain, virt_log_t, virt_log_t) - -append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - -kernel_read_system_state(virt_domain) - -fs_getattr_xattr_fs(virt_domain) - -corecmd_exec_bin(virt_domain) -corecmd_exec_shell(virt_domain) - -corenet_all_recvfrom_unlabeled(virt_domain) -corenet_all_recvfrom_netlabel(virt_domain) -corenet_tcp_sendrecv_generic_if(virt_domain) -corenet_tcp_sendrecv_generic_node(virt_domain) -corenet_tcp_bind_generic_node(virt_domain) - -corenet_sendrecv_vnc_server_packets(virt_domain) -corenet_tcp_bind_vnc_port(virt_domain) -corenet_tcp_sendrecv_vnc_port(virt_domain) - -corenet_sendrecv_virt_migration_server_packets(virt_domain) -corenet_tcp_bind_virt_migration_port(virt_domain) -corenet_sendrecv_virt_migration_client_packets(virt_domain) -corenet_tcp_connect_virt_migration_port(virt_domain) -corenet_tcp_sendrecv_virt_migration_port(virt_domain) - -corenet_rw_tun_tap_dev(virt_domain) - -dev_getattr_fs(virt_domain) -dev_list_sysfs(virt_domain) -dev_read_generic_symlinks(virt_domain) -dev_read_rand(virt_domain) -dev_read_sound(virt_domain) -dev_read_urand(virt_domain) -dev_write_sound(virt_domain) -dev_rw_ksm(virt_domain) -dev_rw_kvm(virt_domain) -dev_rw_qemu(virt_domain) -dev_rw_vhost(virt_domain) - -domain_use_interactive_fds(virt_domain) - -files_read_etc_files(virt_domain) -files_read_mnt_symlinks(virt_domain) -files_read_usr_files(virt_domain) -files_read_var_files(virt_domain) -files_search_all(virt_domain) - -fs_getattr_all_fs(virt_domain) -fs_rw_anon_inodefs_files(virt_domain) -fs_rw_tmpfs_files(virt_domain) -fs_getattr_hugetlbfs(virt_domain) - -# fs_rw_inherited_nfs_files(virt_domain) -# fs_rw_inherited_cifs_files(virt_domain) -# fs_rw_inherited_noxattr_fs_files(virt_domain) - -storage_raw_write_removable_device(virt_domain) -storage_raw_read_removable_device(virt_domain) - -term_use_all_terms(virt_domain) -term_getattr_pty_fs(virt_domain) -term_use_generic_ptys(virt_domain) -term_use_ptmx(virt_domain) - -logging_send_syslog_msg(virt_domain) - -miscfiles_read_localization(virt_domain) -miscfiles_read_public_files(virt_domain) - -sysnet_read_config(virt_domain) - -userdom_search_user_home_dirs(virt_domain) -userdom_read_all_users_state(virt_domain) - -virt_run_bridgehelper(virt_domain, virt_domain_roles) -virt_read_config(virt_domain) -virt_read_lib_files(virt_domain) -virt_read_content(virt_domain) -virt_stream_connect(virt_domain) - -ifdef(`distro_gentoo',` - optional_policy(` - qemu_exec(virt_domain) - ') -') - -tunable_policy(`virt_use_execmem',` - allow virt_domain self:process { execmem execstack }; -') - -tunable_policy(`virt_use_comm',` - term_use_unallocated_ttys(virt_domain) - dev_rw_printer(virt_domain) -') - -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virt_domain) - fs_manage_fusefs_files(virt_domain) - fs_read_fusefs_symlinks(virt_domain) -') - -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virt_domain) - fs_manage_nfs_files(virt_domain) - fs_manage_nfs_named_sockets(virt_domain) - fs_read_nfs_symlinks(virt_domain) -') - -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(virt_domain) - fs_manage_cifs_files(virt_domain) - fs_manage_cifs_named_sockets(virt_domain) - fs_read_cifs_symlinks(virt_domain) -') - -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(virt_domain) -') - -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(virt_domain) - dev_read_sysfs(virt_domain) - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) -') - -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_read_xdm_pid(virt_domain) - xserver_stream_connect(virt_domain) - ') -') - -optional_policy(` - dbus_read_lib_files(virt_domain) -') - -optional_policy(` - nscd_use(virt_domain) -') - -optional_policy(` - samba_domtrans_smbd(virt_domain) -') - -optional_policy(` - xen_rw_image_files(virt_domain) -') - -######################################## -# -# svirt local policy -# - -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -read_files_pattern(svirt_t, virt_content_t, virt_content_t) - -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; - -append_files_pattern(svirt_t, virt_home_t, virt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) - -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) - -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) -corenet_udp_sendrecv_generic_if(svirt_t) -corenet_tcp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_tcp_sendrecv_all_ports(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_tcp_bind_generic_node(svirt_t) -corenet_udp_bind_generic_node(svirt_t) - -corenet_sendrecv_all_server_packets(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) - -corenet_sendrecv_all_client_packets(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) - -######################################## -# -# virtd local policy -# - -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; -allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; -allow virtd_t self:unix_stream_socket { accept connectto listen }; -allow virtd_t self:tcp_socket { accept listen }; -allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; -allow virtd_t self:rawip_socket create_socket_perms; -allow virtd_t self:packet_socket create_socket_perms; -allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; -allow virtd_t self:netlink_route_socket nlmsg_write; - -allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; -dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; - -allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto }; -allow virtd_t svirt_lxc_domain:process signal_perms; - -allow virtd_t virtd_lxc_t:process { signal signull sigkill }; - -domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) - -manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) -manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) - -manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) -manage_files_pattern(virtd_t, virt_content_t, virt_content_t) -filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") - -allow virtd_t svirt_var_run_t:file relabel_file_perms; -manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) -manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) -manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu") - -read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) - -manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) -manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) -manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) -filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) - -manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) -manage_files_pattern(virtd_t, virt_home_t, virt_home_t) -manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) -manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) - -userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".libvirt") -userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".virtinst") -userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, "VirtualMachines") - -manage_files_pattern(virtd_t, virt_image_type, virt_image_type) -manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) - -allow virtd_t virt_image_type:file relabel_file_perms; -allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; - -allow virtd_t virt_ptynode:chr_file rw_term_perms; - -manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) -manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) -files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) - -# This needs a file context specification -manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) -manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) -manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) -files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) - -manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) -append_files_pattern(virtd_t, virt_log_t, virt_log_t) -create_files_pattern(virtd_t, virt_log_t, virt_log_t) -read_files_pattern(virtd_t, virt_log_t, virt_log_t) -setattr_files_pattern(virtd_t, virt_log_t, virt_log_t) -logging_log_filetrans(virtd_t, virt_log_t, { file dir }) - -manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) - -manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) - -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") - -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) - -can_exec(virtd_t, virt_tmp_t) - -kernel_read_crypto_sysctls(virtd_t) -kernel_read_system_state(virtd_t) -kernel_read_network_state(virtd_t) -kernel_rw_net_sysctls(virtd_t) -kernel_read_kernel_sysctls(virtd_t) -kernel_request_load_module(virtd_t) -kernel_search_debugfs(virtd_t) -kernel_setsched(virtd_t) - -corecmd_exec_bin(virtd_t) -corecmd_exec_shell(virtd_t) - -corenet_all_recvfrom_netlabel(virtd_t) -corenet_tcp_sendrecv_generic_if(virtd_t) -corenet_tcp_sendrecv_generic_node(virtd_t) -corenet_tcp_bind_generic_node(virtd_t) - -corenet_sendrecv_virt_server_packets(virtd_t) -corenet_tcp_bind_virt_port(virtd_t) -corenet_tcp_sendrecv_virt_port(virtd_t) - -corenet_sendrecv_vnc_server_packets(virtd_t) -corenet_tcp_bind_vnc_port(virtd_t) -corenet_sendrecv_vnc_client_packets(virtd_t) -corenet_tcp_connect_vnc_port(virtd_t) -corenet_tcp_sendrecv_vnc_port(virtd_t) - -corenet_sendrecv_soundd_client_packets(virtd_t) -corenet_tcp_connect_soundd_port(virtd_t) -corenet_tcp_sendrecv_soundd_port(virtd_t) - -corenet_rw_tun_tap_dev(virtd_t) - -dev_rw_sysfs(virtd_t) -dev_read_urand(virtd_t) -dev_read_rand(virtd_t) -dev_rw_kvm(virtd_t) -dev_getattr_all_chr_files(virtd_t) -dev_rw_mtrr(virtd_t) -dev_rw_vhost(virtd_t) -dev_setattr_generic_usb_dev(virtd_t) -dev_relabel_generic_usb_dev(virtd_t) - -domain_use_interactive_fds(virtd_t) -domain_read_all_domains_state(virtd_t) - -files_read_usr_files(virtd_t) -files_read_etc_runtime_files(virtd_t) -files_search_all(virtd_t) -files_read_kernel_modules(virtd_t) -files_read_usr_src_files(virtd_t) - -# Manages /etc/sysconfig/system-config-firewall -# files_relabelto_system_conf_files(virtd_t) -# files_relabelfrom_system_conf_files(virtd_t) -# files_manage_system_conf_files(virtd_t) - -fs_list_auto_mountpoints(virtd_t) -fs_getattr_all_fs(virtd_t) -fs_rw_anon_inodefs_files(virtd_t) -fs_list_inotifyfs(virtd_t) -fs_manage_cgroup_dirs(virtd_t) -fs_rw_cgroup_files(virtd_t) -fs_manage_hugetlbfs_dirs(virtd_t) -fs_rw_hugetlbfs_files(virtd_t) - -mls_fd_share_all_levels(virtd_t) -mls_file_read_to_clearance(virtd_t) -mls_file_write_to_clearance(virtd_t) -mls_process_read_to_clearance(virtd_t) -mls_process_write_to_clearance(virtd_t) -mls_net_write_within_range(virtd_t) -mls_socket_write_to_clearance(virtd_t) -mls_socket_read_to_clearance(virtd_t) -mls_rangetrans_source(virtd_t) - -mcs_process_set_categories(virtd_t) - -storage_manage_fixed_disk(virtd_t) -storage_relabel_fixed_disk(virtd_t) -storage_raw_write_removable_device(virtd_t) -storage_raw_read_removable_device(virtd_t) - -term_getattr_pty_fs(virtd_t) -term_use_generic_ptys(virtd_t) -term_use_ptmx(virtd_t) - -auth_use_nsswitch(virtd_t) - -miscfiles_read_localization(virtd_t) -miscfiles_read_generic_certs(virtd_t) -miscfiles_read_hwdata(virtd_t) - -modutils_read_module_deps(virtd_t) -modutils_manage_module_config(virtd_t) - -logging_send_syslog_msg(virtd_t) -logging_send_audit_msgs(virtd_t) - -selinux_validate_context(virtd_t) - -seutil_read_config(virtd_t) -seutil_read_default_contexts(virtd_t) -seutil_read_file_contexts(virtd_t) - -sysnet_signull_ifconfig(virtd_t) -sysnet_signal_ifconfig(virtd_t) -sysnet_domtrans_ifconfig(virtd_t) - -userdom_read_all_users_state(virtd_t) - -ifdef(`hide_broken_symptoms',` - dontaudit virtd_t self:capability { sys_module sys_ptrace }; -') - -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) - fs_read_fusefs_symlinks(virtd_t) -') - -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virtd_t) - fs_manage_nfs_files(virtd_t) - fs_read_nfs_symlinks(virtd_t) -') - -tunable_policy(`virt_use_samba',` - fs_manage_cifs_files(virtd_t) - fs_manage_cifs_files(virtd_t) - fs_read_cifs_symlinks(virtd_t) -') - -optional_policy(` - brctl_domtrans(virtd_t) -') - -optional_policy(` - consoletype_exec(virtd_t) -') - -optional_policy(` - dbus_system_bus_client(virtd_t) - - optional_policy(` - avahi_dbus_chat(virtd_t) - ') - - optional_policy(` - consolekit_dbus_chat(virtd_t) - ') - - optional_policy(` - firewalld_dbus_chat(virtd_t) - ') - - optional_policy(` - hal_dbus_chat(virtd_t) - ') - - optional_policy(` - networkmanager_dbus_chat(virtd_t) - ') - - optional_policy(` - policykit_dbus_chat(virtd_t) - ') -') - -optional_policy(` - dmidecode_domtrans(virtd_t) -') - -optional_policy(` - dnsmasq_domtrans(virtd_t) - dnsmasq_signal(virtd_t) - dnsmasq_kill(virtd_t) - dnsmasq_signull(virtd_t) - dnsmasq_create_pid_dirs(virtd_t) - dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network") - dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid") - dnsmasq_manage_pid_files(virtd_t) -') - -optional_policy(` - iptables_domtrans(virtd_t) - iptables_initrc_domtrans(virtd_t) - iptables_manage_config(virtd_t) -') - -optional_policy(` - kerberos_keytab_template(virtd, virtd_t) -') - -optional_policy(` - lvm_domtrans(virtd_t) -') - -optional_policy(` - mount_domtrans(virtd_t) - mount_signal(virtd_t) -') - -optional_policy(` - policykit_domtrans_auth(virtd_t) - policykit_domtrans_resolve(virtd_t) - policykit_read_lib(virtd_t) -') - -optional_policy(` - qemu_exec(virtd_t) -') - -optional_policy(` - sasl_connect(virtd_t) -') - -optional_policy(` - kernel_read_xen_state(virtd_t) - kernel_write_xen_state(virtd_t) - - xen_exec(virtd_t) - xen_stream_connect(virtd_t) - xen_stream_connect_xenstore(virtd_t) - xen_read_image_files(virtd_t) -') - -optional_policy(` - udev_domtrans(virtd_t) - udev_read_db(virtd_t) -') - -######################################## -# -# Virsh local policy -# - -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; -allow virsh_t self:process { getcap getsched setsched setcap signal }; -allow virsh_t self:fifo_file rw_fifo_file_perms; -allow virsh_t self:unix_stream_socket { accept connectto listen }; -allow virsh_t self:tcp_socket { accept listen }; - -manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) - -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) - -manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") - -dontaudit virsh_t virt_var_lib_t:file read_file_perms; - -allow virsh_t svirt_lxc_domain:process transition; - -can_exec(virsh_t, virsh_exec_t) - -virt_domtrans(virsh_t) -virt_manage_images(virsh_t) -virt_manage_config(virsh_t) -virt_stream_connect(virsh_t) - -kernel_read_crypto_sysctls(virsh_t) -kernel_read_system_state(virsh_t) -kernel_read_network_state(virsh_t) -kernel_read_kernel_sysctls(virsh_t) -kernel_read_sysctl(virsh_t) -kernel_read_xen_state(virsh_t) -kernel_write_xen_state(virsh_t) - -corecmd_exec_bin(virsh_t) -corecmd_exec_shell(virsh_t) - -corenet_all_recvfrom_unlabeled(virsh_t) -corenet_all_recvfrom_netlabel(virsh_t) -corenet_tcp_sendrecv_generic_if(virsh_t) -corenet_tcp_sendrecv_generic_node(virsh_t) -corenet_tcp_bind_generic_node(virsh_t) - -corenet_sendrecv_soundd_client_packets(virsh_t) -corenet_tcp_connect_soundd_port(virsh_t) -corenet_tcp_sendrecv_soundd_port(virsh_t) - -dev_read_rand(virsh_t) -dev_read_urand(virsh_t) -dev_read_sysfs(virsh_t) - -files_read_etc_runtime_files(virsh_t) -files_read_etc_files(virsh_t) -files_read_usr_files(virsh_t) -files_list_mnt(virsh_t) -files_list_tmp(virsh_t) - -fs_getattr_all_fs(virsh_t) -fs_manage_xenfs_dirs(virsh_t) -fs_manage_xenfs_files(virsh_t) -fs_search_auto_mountpoints(virsh_t) - -storage_raw_read_fixed_disk(virsh_t) - -term_use_all_terms(virsh_t) - -init_stream_connect_script(virsh_t) -init_rw_script_stream_sockets(virsh_t) -init_use_fds(virsh_t) - -logging_send_syslog_msg(virsh_t) - -miscfiles_read_localization(virsh_t) - -sysnet_dns_name_resolve(virsh_t) - -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virsh_t) - fs_manage_fusefs_files(virsh_t) - fs_read_fusefs_symlinks(virsh_t) -') - -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virsh_t) - fs_manage_nfs_files(virsh_t) - fs_read_nfs_symlinks(virsh_t) -') - -tunable_policy(`virt_use_samba',` - fs_manage_cifs_files(virsh_t) - fs_manage_cifs_files(virsh_t) - fs_read_cifs_symlinks(virsh_t) -') - -optional_policy(` - cron_system_entry(virsh_t, virsh_exec_t) -') - -optional_policy(` - rpm_exec(virsh_t) -') - -optional_policy(` - xen_manage_image_dirs(virsh_t) - xen_append_log(virsh_t) - xen_domtrans(virsh_t) - xen_read_xenstored_pid_files(virsh_t) - xen_stream_connect(virsh_t) - xen_stream_connect_xenstore(virsh_t) -') - -optional_policy(` - dbus_system_bus_client(virsh_t) - - optional_policy(` - hal_dbus_chat(virsh_t) - ') -') - -optional_policy(` - vhostmd_rw_tmpfs_files(virsh_t) - vhostmd_stream_connect(virsh_t) - vhostmd_dontaudit_rw_stream_connect(virsh_t) -') - -optional_policy(` - ssh_basic_client_template(virsh, virsh_t, system_r) - - kernel_read_xen_state(virsh_ssh_t) - kernel_write_xen_state(virsh_ssh_t) - - files_search_tmp(virsh_ssh_t) - - fs_manage_xenfs_dirs(virsh_ssh_t) - fs_manage_xenfs_files(virsh_ssh_t) -') - -######################################## -# -# Lxc local policy -# - -allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; -allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; -allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; -allow virtd_lxc_t self:netlink_route_socket nlmsg_write; -allow virtd_lxc_t self:unix_stream_socket { accept listen }; -allow virtd_lxc_t self:packet_socket create_socket_perms; - -allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; - -allow virtd_lxc_t virt_image_type:dir mounton; -manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) - -allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; -manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir }) - -manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; -allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; - -storage_manage_fixed_disk(virtd_lxc_t) - -kernel_read_all_sysctls(virtd_lxc_t) -kernel_read_network_state(virtd_lxc_t) -kernel_read_system_state(virtd_lxc_t) - -corecmd_exec_bin(virtd_lxc_t) -corecmd_exec_shell(virtd_lxc_t) - -dev_relabel_all_dev_nodes(virtd_lxc_t) -dev_rw_sysfs(virtd_lxc_t) -dev_read_sysfs(virtd_lxc_t) -dev_read_urand(virtd_lxc_t) - -domain_use_interactive_fds(virtd_lxc_t) - -files_associate_rootfs(svirt_lxc_file_t) -files_search_all(virtd_lxc_t) -files_getattr_all_files(virtd_lxc_t) -files_read_usr_files(virtd_lxc_t) -files_relabel_rootfs(virtd_lxc_t) -files_mounton_non_security(virtd_lxc_t) -files_mount_all_file_type_fs(virtd_lxc_t) -files_unmount_all_file_type_fs(virtd_lxc_t) -files_list_isid_type_dirs(virtd_lxc_t) -files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) - -fs_getattr_all_fs(virtd_lxc_t) -fs_manage_tmpfs_dirs(virtd_lxc_t) -fs_manage_tmpfs_chr_files(virtd_lxc_t) -fs_manage_tmpfs_symlinks(virtd_lxc_t) -fs_manage_cgroup_dirs(virtd_lxc_t) -fs_mounton_tmpfs(virtd_lxc_t) -fs_remount_all_fs(virtd_lxc_t) -fs_rw_cgroup_files(virtd_lxc_t) -fs_unmount_all_fs(virtd_lxc_t) -fs_relabelfrom_tmpfs(virtd_lxc_t) - -selinux_mount_fs(virtd_lxc_t) -selinux_unmount_fs(virtd_lxc_t) -selinux_get_enforce_mode(virtd_lxc_t) -selinux_get_fs_mount(virtd_lxc_t) -selinux_validate_context(virtd_lxc_t) -selinux_compute_access_vector(virtd_lxc_t) -selinux_compute_create_context(virtd_lxc_t) -selinux_compute_relabel_context(virtd_lxc_t) -selinux_compute_user_contexts(virtd_lxc_t) - -term_use_generic_ptys(virtd_lxc_t) -term_use_ptmx(virtd_lxc_t) -term_relabel_pty_fs(virtd_lxc_t) - -auth_use_nsswitch(virtd_lxc_t) - -logging_send_syslog_msg(virtd_lxc_t) - -miscfiles_read_localization(virtd_lxc_t) - -seutil_domtrans_setfiles(virtd_lxc_t) -seutil_read_config(virtd_lxc_t) -seutil_read_default_contexts(virtd_lxc_t) - -sysnet_domtrans_ifconfig(virtd_lxc_t) - -######################################## -# -# Common virt lxc domain local policy -# - -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; -allow svirt_lxc_domain self:fifo_file manage_file_perms; -allow svirt_lxc_domain self:sem create_sem_perms; -allow svirt_lxc_domain self:shm create_shm_perms; -allow svirt_lxc_domain self:msgq create_msgq_perms; -allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; -allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; - -allow svirt_lxc_domain virtd_lxc_t:fd use; -allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; -allow svirt_lxc_domain virtd_lxc_t:process sigchld; - -allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; - -allow svirt_lxc_domain virsh_t:fd use; -allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; -allow svirt_lxc_domain virsh_t:process sigchld; - -allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; -allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; - -manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) - -allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; -allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; - -can_exec(svirt_lxc_domain, svirt_lxc_file_t) - -kernel_getattr_proc(svirt_lxc_domain) -kernel_list_all_proc(svirt_lxc_domain) -kernel_read_kernel_sysctls(svirt_lxc_domain) -kernel_rw_net_sysctls(svirt_lxc_domain) -kernel_read_system_state(svirt_lxc_domain) -kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) - -corecmd_exec_all_executables(svirt_lxc_domain) - -files_dontaudit_getattr_all_dirs(svirt_lxc_domain) -files_dontaudit_getattr_all_files(svirt_lxc_domain) -files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) -files_dontaudit_getattr_all_pipes(svirt_lxc_domain) -files_dontaudit_getattr_all_sockets(svirt_lxc_domain) -files_dontaudit_list_all_mountpoints(svirt_lxc_domain) -files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) -# files_entrypoint_all_files(svirt_lxc_domain) -files_list_var(svirt_lxc_domain) -files_list_var_lib(svirt_lxc_domain) -files_search_all(svirt_lxc_domain) -files_read_config_files(svirt_lxc_domain) -files_read_usr_files(svirt_lxc_domain) -files_read_usr_symlinks(svirt_lxc_domain) - -fs_getattr_all_fs(svirt_lxc_domain) -fs_list_inotifyfs(svirt_lxc_domain) - -# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) -# fs_rw_inherited_cifs_files(svirt_lxc_domain) -# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) - -auth_dontaudit_read_login_records(svirt_lxc_domain) -auth_dontaudit_write_login_records(svirt_lxc_domain) -auth_search_pam_console_data(svirt_lxc_domain) - -clock_read_adjtime(svirt_lxc_domain) - -init_read_utmp(svirt_lxc_domain) -init_dontaudit_write_utmp(svirt_lxc_domain) - -libs_dontaudit_setattr_lib_files(svirt_lxc_domain) - -miscfiles_read_localization(svirt_lxc_domain) -miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) -miscfiles_read_fonts(svirt_lxc_domain) - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) - -optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -') - -optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) -') - -######################################## -# -# Lxc net local policy -# - -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -dontaudit svirt_lxc_net_t self:capability2 block_suspend; -allow svirt_lxc_net_t self:process setrlimit; -allow svirt_lxc_net_t self:tcp_socket { accept listen }; -allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write; -allow svirt_lxc_net_t self:packet_socket create_socket_perms; -allow svirt_lxc_net_t self:socket create_socket_perms; -allow svirt_lxc_net_t self:rawip_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; - -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) - -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) -corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t) -corenet_udp_sendrecv_generic_if(svirt_lxc_net_t) -corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t) -corenet_udp_sendrecv_generic_node(svirt_lxc_net_t) -corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) - -corenet_sendrecv_all_server_packets(svirt_lxc_net_t) -corenet_udp_bind_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_all_ports(svirt_lxc_net_t) - -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) - -dev_getattr_mtrr_dev(svirt_lxc_net_t) -dev_read_rand(svirt_lxc_net_t) -dev_read_sysfs(svirt_lxc_net_t) -dev_read_urand(svirt_lxc_net_t) - -files_read_kernel_modules(svirt_lxc_net_t) - -fs_mount_cgroup(svirt_lxc_net_t) -fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) - -auth_use_nsswitch(svirt_lxc_net_t) - -logging_send_audit_msgs(svirt_lxc_net_t) - -userdom_use_user_ptys(svirt_lxc_net_t) - -optional_policy(` - rpm_read_db(svirt_lxc_net_t) -') - -####################################### -# -# Prot exec local policy -# - -allow svirt_prot_exec_t self:process { execmem execstack }; - -######################################## -# -# Qmf local policy -# - -allow virt_qmf_t self:capability { sys_nice sys_tty_config }; -allow virt_qmf_t self:process { setsched signal }; -allow virt_qmf_t self:fifo_file rw_fifo_file_perms; -allow virt_qmf_t self:unix_stream_socket { accept listen }; -allow virt_qmf_t self:tcp_socket create_stream_socket_perms; -allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; - -can_exec(virt_qmf_t, virtd_exec_t) - -kernel_read_system_state(virt_qmf_t) -kernel_read_network_state(virt_qmf_t) - -dev_read_sysfs(virt_qmf_t) -dev_read_rand(virt_qmf_t) -dev_read_urand(virt_qmf_t) - -domain_use_interactive_fds(virt_qmf_t) - -logging_send_syslog_msg(virt_qmf_t) - -miscfiles_read_localization(virt_qmf_t) - -sysnet_read_config(virt_qmf_t) - -optional_policy(` - dbus_read_lib_files(virt_qmf_t) -') - -optional_policy(` - virt_stream_connect(virt_qmf_t) -') - -######################################## -# -# Bridgehelper local policy -# - -allow virt_bridgehelper_t self:process { setcap getcap }; -allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; -allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -allow virt_bridgehelper_t self:tun_socket create_socket_perms; -allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; - -manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t) - -kernel_read_network_state(virt_bridgehelper_t) - -corenet_rw_tun_tap_dev(virt_bridgehelper_t) - -userdom_search_user_home_dirs(virt_bridgehelper_t) -userdom_use_user_ptys(virt_bridgehelper_t) diff --git a/policy/modules/contrib/vlock.fc b/policy/modules/contrib/vlock.fc deleted file mode 100644 index f84b61a5..00000000 --- a/policy/modules/contrib/vlock.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0) - -/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) diff --git a/policy/modules/contrib/vlock.if b/policy/modules/contrib/vlock.if deleted file mode 100644 index d5fc09ac..00000000 --- a/policy/modules/contrib/vlock.if +++ /dev/null @@ -1,47 +0,0 @@ -## <summary>Lock one or more sessions on the Linux console.</summary> - -####################################### -## <summary> -## Execute vlock in the vlock domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`vlock_domtrans',` - gen_require(` - type vlock_t, vlock_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vlock_exec_t, vlock_t) -') - -######################################## -## <summary> -## Execute vlock in the vlock domain, -## and allow the specified role -## the vlock domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed to access. -## </summary> -## </param> -## <rolecap/> -# -interface(`vlock_run',` - gen_require(` - attribute_role vlock_roles; - ') - - vlock_domtrans($1) - roleattribute $2 vlock_roles; -') diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te deleted file mode 100644 index 9ead7755..00000000 --- a/policy/modules/contrib/vlock.te +++ /dev/null @@ -1,44 +0,0 @@ -policy_module(vlock, 1.1.1) - -######################################## -# -# Declarations -# - -attribute_role vlock_roles; - -type vlock_t; -type vlock_exec_t; -application_domain(vlock_t, vlock_exec_t) -role vlock_roles types vlock_t; - -######################################## -# -# Local policy -# - -dontaudit vlock_t self:capability { setuid setgid }; -allow vlock_t self:fd use; -allow vlock_t self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(vlock_t) - -corecmd_list_bin(vlock_t) -corecmd_read_bin_symlinks(vlock_t) - -domain_use_interactive_fds(vlock_t) - -files_dontaudit_search_home(vlock_t) - -mls_file_write_all_levels(vlock_t) - -selinux_dontaudit_getattr_fs(vlock_t) - -auth_use_pam(vlock_t) - -init_dontaudit_rw_utmp(vlock_t) - -miscfiles_read_localization(vlock_t) - -userdom_dontaudit_search_user_home_dirs(vlock_t) -userdom_use_user_terminals(vlock_t) diff --git a/policy/modules/contrib/vmware.fc b/policy/modules/contrib/vmware.fc deleted file mode 100644 index 7273b9c0..00000000 --- a/policy/modules/contrib/vmware.fc +++ /dev/null @@ -1,52 +0,0 @@ -HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) -HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0) -HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) - -/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0) - -/usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) - -/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) -/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - -/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - -/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) - -/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) - -/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) -/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) - -/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) -/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0) -/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --git a/policy/modules/contrib/vmware.if b/policy/modules/contrib/vmware.if deleted file mode 100644 index 20a1fb29..00000000 --- a/policy/modules/contrib/vmware.if +++ /dev/null @@ -1,114 +0,0 @@ -## <summary>VMWare Workstation virtual machines.</summary> - -######################################## -## <summary> -## Role access for vmware. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`vmware_role',` - gen_require(` - type vmware_t, vmware_exec_t, vmware_file_t; - type vmware_conf_t, vmware_tmp_t, vmware_tmpfs_t; - ') - - role $1 types vmware_t; - - domtrans_pattern($2, vmware_exec_t, vmware_t) - - ps_process_pattern($2, vmware_t) - allow $2 vmware_t:process { ptrace signal_perms }; - - allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { vmware_tmp_t vmware_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - allow $2 vmware_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 vmware_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - userdom_user_home_dir_filetrans($2, vmware_file_t, dir, ".vmware") - userdom_user_home_dir_filetrans($2, vmware_file_t, dir, "vmware") -') - -######################################## -## <summary> -## Execute vmware host executables -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vmware_exec_host',` - gen_require(` - type vmware_host_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, vmware_host_exec_t) -') - -######################################## -## <summary> -## Read vmware system configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vmware_read_system_config',` - gen_require(` - type vmware_sys_conf_t; - ') - - files_search_etc($1) - allow $1 vmware_sys_conf_t:file read_file_perms; -') - -######################################## -## <summary> -## Append vmware system configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vmware_append_system_config',` - gen_require(` - type vmware_sys_conf_t; - ') - - files_search_etc($1) - allow $1 vmware_sys_conf_t:file append_file_perms; -') - -######################################## -## <summary> -## Append vmware log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vmware_append_log',` - gen_require(` - type vmware_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, vmware_log_t, vmware_log_t) -') diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te deleted file mode 100644 index 3a565137..00000000 --- a/policy/modules/contrib/vmware.te +++ /dev/null @@ -1,280 +0,0 @@ -policy_module(vmware, 2.6.1) - -######################################## -# -# Declarations -# - -type vmware_t; -type vmware_exec_t; -typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t }; -typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t }; -userdom_user_application_domain(vmware_t, vmware_exec_t) - -type vmware_conf_t; -typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t }; -typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t }; -userdom_user_home_content(vmware_conf_t) - -type vmware_file_t; -typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t }; -typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t }; -userdom_user_home_content(vmware_file_t) - -type vmware_host_t; -type vmware_host_exec_t; -init_daemon_domain(vmware_host_t, vmware_host_exec_t) - -type vmware_host_pid_t alias vmware_var_run_t; -files_pid_file(vmware_host_pid_t) - -type vmware_host_tmp_t; -userdom_user_tmp_file(vmware_host_tmp_t) - -type vmware_log_t; -typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t }; -typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t }; -logging_log_file(vmware_log_t) -ubac_constrained(vmware_log_t) - -type vmware_pid_t; -typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t }; -typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t }; -files_pid_file(vmware_pid_t) -ubac_constrained(vmware_pid_t) - -type vmware_sys_conf_t; -files_config_file(vmware_sys_conf_t) - -type vmware_tmp_t; -typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t }; -typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t }; -userdom_user_tmp_file(vmware_tmp_t) - -type vmware_tmpfs_t; -typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t }; -typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t }; -userdom_user_tmpfs_file(vmware_tmpfs_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# Host local policy -# - -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; -dontaudit vmware_host_t self:capability sys_tty_config; -allow vmware_host_t self:process { execstack execmem signal_perms }; -allow vmware_host_t self:fifo_file rw_fifo_file_perms; -allow vmware_host_t self:unix_stream_socket { accept listen }; -allow vmware_host_t self:rawip_socket create_socket_perms; - -manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) -manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) - -manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) -manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) -manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) -files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir }) - -manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) -manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) -files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file }) - -append_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) -create_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) -setattr_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) -logging_log_filetrans(vmware_host_t, vmware_log_t, file) - -can_exec(vmware_host_t, vmware_host_exec_t) - -kernel_read_kernel_sysctls(vmware_host_t) -kernel_read_system_state(vmware_host_t) -kernel_read_network_state(vmware_host_t) - -corenet_all_recvfrom_unlabeled(vmware_host_t) -corenet_all_recvfrom_netlabel(vmware_host_t) -corenet_tcp_sendrecv_generic_if(vmware_host_t) -corenet_udp_sendrecv_generic_if(vmware_host_t) -corenet_raw_sendrecv_generic_if(vmware_host_t) -corenet_tcp_sendrecv_generic_node(vmware_host_t) -corenet_udp_sendrecv_generic_node(vmware_host_t) -corenet_raw_sendrecv_generic_node(vmware_host_t) -corenet_tcp_sendrecv_all_ports(vmware_host_t) - -corenet_sendrecv_all_client_packets(vmware_host_t) -corenet_tcp_connect_all_ports(vmware_host_t) - -corecmd_exec_bin(vmware_host_t) -corecmd_exec_shell(vmware_host_t) - -dev_getattr_all_blk_files(vmware_host_t) -dev_read_sysfs(vmware_host_t) -dev_read_urand(vmware_host_t) -dev_rw_vmware(vmware_host_t) - -domain_use_interactive_fds(vmware_host_t) -domain_dontaudit_read_all_domains_state(vmware_host_t) - -files_list_tmp(vmware_host_t) -files_read_etc_files(vmware_host_t) -files_read_etc_runtime_files(vmware_host_t) -files_read_usr_files(vmware_host_t) - -fs_getattr_all_fs(vmware_host_t) -fs_search_auto_mountpoints(vmware_host_t) - -storage_getattr_fixed_disk_dev(vmware_host_t) - -term_dontaudit_use_console(vmware_host_t) - -init_use_fds(vmware_host_t) -init_use_script_ptys(vmware_host_t) - -libs_exec_ld_so(vmware_host_t) - -logging_send_syslog_msg(vmware_host_t) - -miscfiles_read_localization(vmware_host_t) - -sysnet_dns_name_resolve(vmware_host_t) -sysnet_domtrans_ifconfig(vmware_host_t) - -userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) -userdom_dontaudit_search_user_home_dirs(vmware_host_t) - -netutils_domtrans_ping(vmware_host_t) - -optional_policy(` - hostname_exec(vmware_host_t) -') - -optional_policy(` - modutils_domtrans_insmod(vmware_host_t) -') - -optional_policy(` - samba_read_config(vmware_host_t) -') - -optional_policy(` - seutil_sigchld_newrole(vmware_host_t) -') - -optional_policy(` - shutdown_domtrans(vmware_host_t) -') - -optional_policy(` - udev_read_db(vmware_host_t) -') - -optional_policy(` - xserver_read_tmp_files(vmware_host_t) - xserver_read_xdm_pid(vmware_host_t) -') - -######################################## -# -# Guest local policy -# - -allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; -dontaudit vmware_t self:capability sys_tty_config; -allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow vmware_t self:process { execmem execstack }; -allow vmware_t self:fd use; -allow vmware_t self:fifo_file rw_fifo_file_perms; -allow vmware_t self:unix_dgram_socket { create_socket_perms sendto }; -allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow vmware_t self:shm create_shm_perms; -allow vmware_t self:sem create_sem_perms; -allow vmware_t self:msgq create_msgq_perms; -allow vmware_t self:msg { send receive }; - -allow vmware_t vmware_conf_t:file manage_file_perms; - -manage_dirs_pattern(vmware_t, vmware_file_t, vmware_file_t) -manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t) -manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t) -userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, ".vmware") -userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, "vmware") - -manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) -manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) -manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) -files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir }) - -manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -allow vmware_t vmware_sys_conf_t:dir list_dir_perms; -read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) -read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) - -manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file }) - -can_exec(vmware_t, { vmware_tmp_t vmware_exec_t }) - -kernel_read_system_state(vmware_t) -kernel_read_network_state(vmware_t) -kernel_read_kernel_sysctls(vmware_t) - -corecmd_exec_bin(vmware_t) -corecmd_exec_shell(vmware_t) - -dev_read_raw_memory(vmware_t) -dev_write_raw_memory(vmware_t) -dev_read_mouse(vmware_t) -dev_write_sound(vmware_t) -dev_read_realtime_clock(vmware_t) -dev_rwx_vmware(vmware_t) -dev_rw_usbfs(vmware_t) -dev_search_sysfs(vmware_t) - -domain_use_interactive_fds(vmware_t) - -files_read_etc_files(vmware_t) -files_read_etc_runtime_files(vmware_t) -files_read_usr_files(vmware_t) -files_list_home(vmware_t) - -fs_getattr_all_fs(vmware_t) -fs_search_auto_mountpoints(vmware_t) - -storage_raw_read_removable_device(vmware_t) -storage_raw_write_removable_device(vmware_t) - -libs_exec_ld_so(vmware_t) -libs_read_lib_files(vmware_t) - -miscfiles_read_localization(vmware_t) - -userdom_use_user_terminals(vmware_t) -userdom_list_user_home_dirs(vmware_t) - -sysnet_dns_name_resolve(vmware_t) - -xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(vmware_t) - fs_manage_nfs_files(vmware_t) - fs_manage_nfs_symlinks(vmware_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(vmware_t) - fs_manage_cifs_files(vmware_t) - fs_manage_cifs_symlinks(vmware_t) -') diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc deleted file mode 100644 index 24228b6c..00000000 --- a/policy/modules/contrib/vnstatd.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0) - -/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) - -/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) - -/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) - -/var/run/vnstat.* gen_context(system_u:object_r:vnstatd_var_run_t,s0) diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if deleted file mode 100644 index 137ac445..00000000 --- a/policy/modules/contrib/vnstatd.if +++ /dev/null @@ -1,183 +0,0 @@ -## <summary>Console network traffic monitor.</summary> - -######################################## -## <summary> -## Execute a domain transition to run vnstat. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`vnstatd_domtrans_vnstat',` - gen_require(` - type vnstat_t, vnstat_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vnstat_exec_t, vnstat_t) -') - -######################################## -## <summary> -## Execute vnstat in the vnstat domain, -## and allow the specified role -## the vnstat domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`vnstatd_run_vnstat',` - gen_require(` - attribute_role vnstat_roles; - ') - - vnstatd_domtrans_vnstat($1) - roleattribute $2 vnstat_roles; -') - -######################################## -## <summary> -## Execute a domain transition to run vnstatd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`vnstatd_domtrans',` - gen_require(` - type vnstatd_t, vnstatd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) -') - -######################################## -## <summary> -## Search vnstatd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vnstatd_search_lib',` - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 vnstatd_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## vnstatd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vnstatd_manage_lib_dirs',` - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## <summary> -## Read vnstatd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vnstatd_read_lib_files',` - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## vnstatd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vnstatd_manage_lib_files',` - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an vnstatd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`vnstatd_admin',` - gen_require(` - type vnstatd_t, vnstatd_var_lib_t, vnstatd_initrc_exec_t; - type vnstatd_var_run_t; - ') - - allow $1 vnstatd_t:process { ptrace signal_perms }; - ps_process_pattern($1, vnstatd_t) - - init_labeled_script_domtrans($1, vnstatd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 vnstatd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, vnstatd_var_run_t) - - files_list_var_lib($1) - admin_pattern($1, vnstatd_var_lib_t) - - vnstatd_run_vnstat($1, $2) -') diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te deleted file mode 100644 index febc3e5b..00000000 --- a/policy/modules/contrib/vnstatd.te +++ /dev/null @@ -1,86 +0,0 @@ -policy_module(vnstatd, 1.0.1) - -######################################## -# -# Declarations -# - -attribute_role vnstat_roles; - -type vnstat_t; -type vnstat_exec_t; -application_domain(vnstat_t, vnstat_exec_t) -role vnstat_roles types vnstat_t; - -type vnstatd_t; -type vnstatd_exec_t; -init_daemon_domain(vnstatd_t, vnstatd_exec_t) - -type vnstatd_initrc_exec_t; -init_script_file(vnstatd_initrc_exec_t) - -type vnstatd_var_lib_t; -files_type(vnstatd_var_lib_t) - -type vnstatd_var_run_t; -files_pid_file(vnstatd_var_run_t) - -######################################## -# -# Daemon local policy -# - -allow vnstatd_t self:process signal; -allow vnstatd_t self:fifo_file rw_fifo_file_perms; -allow vnstatd_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) - -manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) - -kernel_read_network_state(vnstatd_t) -kernel_read_system_state(vnstatd_t) - -domain_use_interactive_fds(vnstatd_t) - -files_read_etc_files(vnstatd_t) - -fs_getattr_xattr_fs(vnstatd_t) - -logging_send_syslog_msg(vnstatd_t) - -miscfiles_read_localization(vnstatd_t) - -######################################## -# -# Client local policy -# - -allow vnstat_t self:process signal; -allow vnstat_t self:fifo_file rw_fifo_file_perms; -allow vnstat_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) - -kernel_read_network_state(vnstat_t) -kernel_read_system_state(vnstat_t) - -domain_use_interactive_fds(vnstat_t) - -files_read_etc_files(vnstat_t) - -fs_getattr_xattr_fs(vnstat_t) - -logging_send_syslog_msg(vnstat_t) - -miscfiles_read_localization(vnstat_t) - -optional_policy(` - cron_system_entry(vnstat_t, vnstat_exec_t) -') diff --git a/policy/modules/contrib/vpn.fc b/policy/modules/contrib/vpn.fc deleted file mode 100644 index 524ac2f7..00000000 --- a/policy/modules/contrib/vpn.fc +++ /dev/null @@ -1,7 +0,0 @@ -/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) - -/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0) - -/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) - -/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --git a/policy/modules/contrib/vpn.if b/policy/modules/contrib/vpn.if deleted file mode 100644 index 7a7f3429..00000000 --- a/policy/modules/contrib/vpn.if +++ /dev/null @@ -1,140 +0,0 @@ -## <summary>Virtual Private Networking client.</summary> - -######################################## -## <summary> -## Execute vpn clients in the vpnc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`vpn_domtrans',` - gen_require(` - type vpnc_t, vpnc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vpnc_exec_t, vpnc_t) -') - -######################################## -## <summary> -## Execute vpn clients in the vpnc -## domain, and allow the specified -## role the vpnc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`vpn_run',` - gen_require(` - attribute_role vpnc_roles; - ') - - vpn_domtrans($1) - roleattribute $2 vpnc_roles; -') - -######################################## -## <summary> -## Send kill signals to vpnc. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vpn_kill',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process sigkill; -') - -######################################## -## <summary> -## Send generic signals to vpnc. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vpn_signal',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process signal; -') - -######################################## -## <summary> -## Send null signals to vpnc. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vpn_signull',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process signull; -') - -######################################## -## <summary> -## Send and receive messages from -## vpnc over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vpn_dbus_chat',` - gen_require(` - type vpnc_t; - class dbus send_msg; - ') - - allow $1 vpnc_t:dbus send_msg; - allow vpnc_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Relabelfrom from vpnc socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`vpn_relabelfrom_tun_socket',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:tun_socket relabelfrom; -') diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te deleted file mode 100644 index 9329eae3..00000000 --- a/policy/modules/contrib/vpn.te +++ /dev/null @@ -1,131 +0,0 @@ -policy_module(vpn, 1.15.1) - -######################################## -# -# Declarations -# - -attribute_role vpnc_roles; - -type vpnc_t; -type vpnc_exec_t; -init_system_domain(vpnc_t, vpnc_exec_t) -application_domain(vpnc_t, vpnc_exec_t) -role vpnc_roles types vpnc_t; - -type vpnc_tmp_t; -files_tmp_file(vpnc_tmp_t) - -type vpnc_var_run_t; -files_pid_file(vpnc_var_run_t) - -######################################## -# -# Local policy -# - -allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid }; -allow vpnc_t self:process { getsched signal }; -allow vpnc_t self:fifo_file rw_fifo_file_perms; -allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; -allow vpnc_t self:tcp_socket { accept listen }; -allow vpnc_t self:rawip_socket create_socket_perms; -allow vpnc_t self:tun_socket { create_socket_perms relabelfrom }; -allow vpnc_t self:socket create_socket_perms; - -manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) -manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) -files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir }) - -manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t) -manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t) -files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir}) - -kernel_read_system_state(vpnc_t) -kernel_read_network_state(vpnc_t) -kernel_read_all_sysctls(vpnc_t) -kernel_request_load_module(vpnc_t) -kernel_rw_net_sysctls(vpnc_t) - -corenet_all_recvfrom_unlabeled(vpnc_t) -corenet_all_recvfrom_netlabel(vpnc_t) -corenet_tcp_sendrecv_generic_if(vpnc_t) -corenet_udp_sendrecv_generic_if(vpnc_t) -corenet_raw_sendrecv_generic_if(vpnc_t) -corenet_tcp_sendrecv_generic_node(vpnc_t) -corenet_udp_sendrecv_generic_node(vpnc_t) -corenet_raw_sendrecv_generic_node(vpnc_t) -corenet_tcp_sendrecv_all_ports(vpnc_t) -corenet_udp_sendrecv_all_ports(vpnc_t) -corenet_udp_bind_generic_node(vpnc_t) - -corenet_sendrecv_all_server_packets(vpnc_t) -corenet_udp_bind_generic_port(vpnc_t) - -corenet_sendrecv_isakmp_server_packets(vpnc_t) -corenet_udp_bind_isakmp_port(vpnc_t) - -corenet_sendrecv_generic_server_packets(vpnc_t) -corenet_udp_bind_ipsecnat_port(vpnc_t) - -corenet_sendrecv_all_client_packets(vpnc_t) -corenet_tcp_connect_all_ports(vpnc_t) - -corenet_rw_tun_tap_dev(vpnc_t) - -corecmd_exec_all_executables(vpnc_t) - -dev_read_rand(vpnc_t) -dev_read_urand(vpnc_t) -dev_read_sysfs(vpnc_t) - -domain_use_interactive_fds(vpnc_t) - -files_exec_etc_files(vpnc_t) -files_read_etc_runtime_files(vpnc_t) -files_dontaudit_search_home(vpnc_t) - -fs_getattr_xattr_fs(vpnc_t) -fs_getattr_tmpfs(vpnc_t) - -term_use_all_ptys(vpnc_t) -term_use_all_ttys(vpnc_t) - -auth_use_nsswitch(vpnc_t) - -init_dontaudit_use_fds(vpnc_t) - -libs_exec_ld_so(vpnc_t) -libs_exec_lib_files(vpnc_t) - -locallogin_use_fds(vpnc_t) - -logging_send_syslog_msg(vpnc_t) -logging_dontaudit_search_logs(vpnc_t) - -miscfiles_read_localization(vpnc_t) - -seutil_dontaudit_search_config(vpnc_t) - -sysnet_run_ifconfig(vpnc_t, vpnc_roles) -sysnet_etc_filetrans_config(vpnc_t) -sysnet_manage_config(vpnc_t) - -userdom_use_all_users_fds(vpnc_t) -userdom_dontaudit_search_user_home_content(vpnc_t) - -optional_policy(` - dbus_system_bus_client(vpnc_t) - - optional_policy(` - networkmanager_dbus_chat(vpnc_t) - ') -') - -optional_policy(` - networkmanager_attach_tun_iface(vpnc_t) -') - -optional_policy(` - seutil_use_newrole_fds(vpnc_t) -') diff --git a/policy/modules/contrib/w3c.fc b/policy/modules/contrib/w3c.fc deleted file mode 100644 index 48347966..00000000 --- a/policy/modules/contrib/w3c.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) - -/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) -/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) diff --git a/policy/modules/contrib/w3c.if b/policy/modules/contrib/w3c.if deleted file mode 100644 index 6a4204bc..00000000 --- a/policy/modules/contrib/w3c.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>W3C Markup Validator.</summary> diff --git a/policy/modules/contrib/w3c.te b/policy/modules/contrib/w3c.te deleted file mode 100644 index bcb76b61..00000000 --- a/policy/modules/contrib/w3c.te +++ /dev/null @@ -1,34 +0,0 @@ -policy_module(w3c, 1.0.1) - -######################################## -# -# Declarations -# - -apache_content_template(w3c_validator) - -######################################## -# -# Local policy -# - -corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t) -corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_generic_node(httpd_w3c_validator_script_t) - -corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t) -corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) - -corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t) -corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) - -corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t) -corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) - -miscfiles_read_generic_certs(httpd_w3c_validator_script_t) - -sysnet_dns_name_resolve(httpd_w3c_validator_script_t) diff --git a/policy/modules/contrib/watchdog.fc b/policy/modules/contrib/watchdog.fc deleted file mode 100644 index eecd0e03..00000000 --- a/policy/modules/contrib/watchdog.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0) - -/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0) - -/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0) - -/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if deleted file mode 100644 index 6461a774..00000000 --- a/policy/modules/contrib/watchdog.if +++ /dev/null @@ -1,39 +0,0 @@ -## <summary>Software watchdog.</summary> - -######################################## -## <summary> -## All of the rules required to -## administrate an watchdog environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`watchdog_admin',` - gen_require(` - type watchdog_t, watchdog_initrc_exec_t, watchdog_log_t; - type watchdog_var_run_t; - ') - - allow $1 watchdog_t:process { ptrace signal_perms }; - ps_process_pattern($1, watchdog_t) - - init_labeled_script_domtrans($1, watchdog_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 watchdog_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, watchdog_log_t) - - files_search_pids($1) - admin_pattern($1, watchdog_var_run_t) -') diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te deleted file mode 100644 index 29f79e8c..00000000 --- a/policy/modules/contrib/watchdog.te +++ /dev/null @@ -1,99 +0,0 @@ -policy_module(watchdog, 1.7.1) - -################################# -# -# Declarations -# - -type watchdog_t; -type watchdog_exec_t; -init_daemon_domain(watchdog_t, watchdog_exec_t) - -type watchdog_initrc_exec_t; -init_script_file(watchdog_initrc_exec_t) - -type watchdog_log_t; -logging_log_file(watchdog_log_t) - -type watchdog_var_run_t; -files_pid_file(watchdog_var_run_t) - -######################################## -# -# Local policy -# - -allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource }; -dontaudit watchdog_t self:capability sys_tty_config; -allow watchdog_t self:process { setsched signal_perms }; -allow watchdog_t self:fifo_file rw_fifo_file_perms; -allow watchdog_t self:tcp_socket { accept listen }; - -allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(watchdog_t, watchdog_log_t, file) - -manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) -files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) - -kernel_read_system_state(watchdog_t) -kernel_read_kernel_sysctls(watchdog_t) -kernel_unmount_proc(watchdog_t) - -corecmd_exec_shell(watchdog_t) - -corenet_all_recvfrom_unlabeled(watchdog_t) -corenet_all_recvfrom_netlabel(watchdog_t) -corenet_tcp_sendrecv_generic_if(watchdog_t) -corenet_tcp_sendrecv_generic_node(watchdog_t) -corenet_tcp_sendrecv_all_ports(watchdog_t) - -corenet_sendrecv_all_client_packets(watchdog_t) -corenet_tcp_connect_all_ports(watchdog_t) - -dev_read_sysfs(watchdog_t) -dev_write_watchdog(watchdog_t) -dev_dontaudit_read_rand(watchdog_t) -dev_dontaudit_read_urand(watchdog_t) - -domain_use_interactive_fds(watchdog_t) -domain_getsession_all_domains(watchdog_t) -domain_sigchld_all_domains(watchdog_t) -domain_sigstop_all_domains(watchdog_t) -domain_signull_all_domains(watchdog_t) -domain_signal_all_domains(watchdog_t) -domain_kill_all_domains(watchdog_t) - -files_read_etc_files(watchdog_t) -files_manage_etc_runtime_files(watchdog_t) -files_etc_filetrans_etc_runtime(watchdog_t, file) - -fs_unmount_xattr_fs(watchdog_t) -fs_getattr_all_fs(watchdog_t) -fs_search_auto_mountpoints(watchdog_t) - -auth_append_login_records(watchdog_t) - -logging_send_syslog_msg(watchdog_t) - -miscfiles_read_localization(watchdog_t) - -sysnet_dns_name_resolve(watchdog_t) - -userdom_dontaudit_use_unpriv_user_fds(watchdog_t) -userdom_dontaudit_search_user_home_dirs(watchdog_t) - -optional_policy(` - mta_send_mail(watchdog_t) -') - -optional_policy(` - nis_use_ypbind(watchdog_t) -') - -optional_policy(` - seutil_sigchld_newrole(watchdog_t) -') - -optional_policy(` - udev_read_db(watchdog_t) -') diff --git a/policy/modules/contrib/wdmd.fc b/policy/modules/contrib/wdmd.fc deleted file mode 100644 index 66f11f72..00000000 --- a/policy/modules/contrib/wdmd.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0) - -/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) - -/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) diff --git a/policy/modules/contrib/wdmd.if b/policy/modules/contrib/wdmd.if deleted file mode 100644 index 1e3aec07..00000000 --- a/policy/modules/contrib/wdmd.if +++ /dev/null @@ -1,55 +0,0 @@ -## <summary>Watchdog multiplexing daemon.</summary> - -######################################## -## <summary> -## Connect to wdmd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`wdmd_stream_connect',` - gen_require(` - type wdmd_t, wdmd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an wdmd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`wdmd_admin',` - gen_require(` - type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t; - ') - - allow $1 wdmd_t:process { ptrace signal_perms }; - ps_process_pattern($1, wdmd_t) - - init_labeled_script_domtrans($1, wdmd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 wdmd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, wdmd_var_run_t) -') diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te deleted file mode 100644 index ebbdaf68..00000000 --- a/policy/modules/contrib/wdmd.te +++ /dev/null @@ -1,60 +0,0 @@ -policy_module(wdmd, 1.0.3) - -######################################## -# -# Declarations -# - -type wdmd_t; -type wdmd_exec_t; -init_daemon_domain(wdmd_t, wdmd_exec_t) - -type wdmd_initrc_exec_t; -init_script_file(wdmd_initrc_exec_t) - -type wdmd_tmpfs_t; -files_tmpfs_file(wdmd_tmpfs_t) - -type wdmd_var_run_t; -files_pid_file(wdmd_var_run_t) - -######################################## -# -# Local policy -# - -allow wdmd_t self:capability { chown sys_nice ipc_lock }; -allow wdmd_t self:process { setsched signal }; -allow wdmd_t self:fifo_file rw_fifo_file_perms; -allow wdmd_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t) -manage_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t) -manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t) -files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file }) - -manage_dirs_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t) -manage_files_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t) -fs_tmpfs_filetrans(wdmd_t, wdmd_tmpfs_t, { dir file }) - -kernel_read_system_state(wdmd_t) - -corecmd_exec_bin(wdmd_t) -corecmd_exec_shell(wdmd_t) - -dev_read_watchdog(wdmd_t) -dev_write_watchdog(wdmd_t) - -fs_read_anon_inodefs_files(wdmd_t) - -auth_use_nsswitch(wdmd_t) - -logging_send_syslog_msg(wdmd_t) - -miscfiles_read_localization(wdmd_t) - -optional_policy(` - corosync_initrc_domtrans(wdmd_t) - corosync_stream_connect(wdmd_t) - corosync_rw_tmpfs(wdmd_t) -') diff --git a/policy/modules/contrib/webadm.fc b/policy/modules/contrib/webadm.fc deleted file mode 100644 index d46378a0..00000000 --- a/policy/modules/contrib/webadm.fc +++ /dev/null @@ -1 +0,0 @@ -# No webadm file contexts. diff --git a/policy/modules/contrib/webadm.if b/policy/modules/contrib/webadm.if deleted file mode 100644 index e1a7350a..00000000 --- a/policy/modules/contrib/webadm.if +++ /dev/null @@ -1,50 +0,0 @@ -## <summary>Web administrator role.</summary> - -######################################## -## <summary> -## Change to the web administrator role. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`webadm_role_change',` - gen_require(` - role webadm_r; - ') - - allow $1 webadm_r; -') - -######################################## -## <summary> -## Change from the web administrator role. -## </summary> -## <desc> -## <p> -## Change from the web administrator role to -## the specified role. -## </p> -## <p> -## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -## </p> -## </desc> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`webadm_role_change_to',` - gen_require(` - role webadm_r; - ') - - allow webadm_r $1; -') diff --git a/policy/modules/contrib/webadm.te b/policy/modules/contrib/webadm.te deleted file mode 100644 index 708254fc..00000000 --- a/policy/modules/contrib/webadm.te +++ /dev/null @@ -1,57 +0,0 @@ -policy_module(webadm, 1.1.1) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether webadm can -## manage generic user files. -## </p> -## </desc> -gen_tunable(webadm_manage_user_files, false) - -## <desc> -## <p> -## Determine whether webadm can -## read generic user files. -## </p> -## </desc> -gen_tunable(webadm_read_user_files, false) - -role webadm_r; - -userdom_base_user_template(webadm) - -######################################## -# -# Local policy -# - -allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; - -files_dontaudit_search_all_dirs(webadm_t) -files_list_var(webadm_t) - -selinux_get_enforce_mode(webadm_t) -seutil_domtrans_setfiles(webadm_t) - -logging_send_audit_msgs(webadm_t) -logging_send_syslog_msg(webadm_t) - -userdom_dontaudit_search_user_home_dirs(webadm_t) - -apache_admin(webadm_t, webadm_r) - -tunable_policy(`webadm_manage_user_files',` - userdom_manage_user_home_content_files(webadm_t) - userdom_read_user_tmp_files(webadm_t) - userdom_write_user_tmp_files(webadm_t) -') - -tunable_policy(`webadm_read_user_files',` - userdom_read_user_home_content_files(webadm_t) - userdom_read_user_tmp_files(webadm_t) -') diff --git a/policy/modules/contrib/webalizer.fc b/policy/modules/contrib/webalizer.fc deleted file mode 100644 index 64baf679..00000000 --- a/policy/modules/contrib/webalizer.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/webalizer\.conf -- gen_context(system_u:object_r:webalizer_etc_t,s0) - -/usr/bin/awffull -- gen_context(system_u:object_r:webalizer_exec_t,s0) -/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0) -/usr/bin/webazolver -- gen_context(system_u:object_r:webalizer_exec_t,s0) - -/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0) - -/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0) diff --git a/policy/modules/contrib/webalizer.if b/policy/modules/contrib/webalizer.if deleted file mode 100644 index fa283536..00000000 --- a/policy/modules/contrib/webalizer.if +++ /dev/null @@ -1,47 +0,0 @@ -## <summary>Web server log analysis.</summary> - -######################################## -## <summary> -## Execute webalizer in the webalizer domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`webalizer_domtrans',` - gen_require(` - type webalizer_t, webalizer_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, webalizer_exec_t, webalizer_t) -') - -######################################## -## <summary> -## Execute webalizer in the webalizer -## domain, and allow the specified -## role the webalizer domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`webalizer_run',` - gen_require(` - attribute_role webalizer_roles; - ') - - webalizer_domtrans($1) - roleattribute $2 webalizer_roles; -') diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te deleted file mode 100644 index eab24f6b..00000000 --- a/policy/modules/contrib/webalizer.te +++ /dev/null @@ -1,99 +0,0 @@ -policy_module(webalizer, 1.12.1) - -######################################## -# -# Declarations -# - -attribute_role webalizer_roles; -roleattribute system_r webalizer_roles; - -type webalizer_t; -type webalizer_exec_t; -application_domain(webalizer_t, webalizer_exec_t) -role webalizer_roles types webalizer_t; - -type webalizer_etc_t; -files_config_file(webalizer_etc_t) - -type webalizer_usage_t; -files_type(webalizer_usage_t) - -type webalizer_tmp_t; -files_tmp_file(webalizer_tmp_t) - -type webalizer_var_lib_t; -files_type(webalizer_var_lib_t) - -type webalizer_write_t; -files_type(webalizer_write_t) - -######################################## -# -# Local policy -# - -allow webalizer_t self:capability dac_override; -allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow webalizer_t self:fd use; -allow webalizer_t self:fifo_file rw_fifo_file_perms; -allow webalizer_t self:unix_dgram_socket sendto; -allow webalizer_t self:unix_stream_socket { accept connectto listen }; -allow webalizer_t self:tcp_socket { accept listen }; - -allow webalizer_t webalizer_etc_t:file read_file_perms; - -manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) -manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) -files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir }) - -manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t) -files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file) - -can_exec(webalizer_t, webalizer_exec_t) - -kernel_read_kernel_sysctls(webalizer_t) -kernel_read_system_state(webalizer_t) - -files_read_etc_runtime_files(webalizer_t) - -fs_search_auto_mountpoints(webalizer_t) -fs_getattr_xattr_fs(webalizer_t) -fs_rw_anon_inodefs_files(webalizer_t) - -auth_use_nsswitch(webalizer_t) - -logging_list_logs(webalizer_t) -logging_send_syslog_msg(webalizer_t) - -miscfiles_read_localization(webalizer_t) -miscfiles_read_public_files(webalizer_t) - -userdom_use_user_terminals(webalizer_t) -userdom_use_unpriv_users_fds(webalizer_t) -userdom_dontaudit_search_user_home_content(webalizer_t) - -ifdef(`distro_gentoo',` - optional_policy(` - nscd_socket_use(webalizer_t) - ') -') - -optional_policy(` - apache_read_log(webalizer_t) - apache_content_template(webalizer) - manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) - manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) -') - -optional_policy(` - cron_system_entry(webalizer_t, webalizer_exec_t) -') - -optional_policy(` - ftp_read_log(webalizer_t) -') - -optional_policy(` - squid_read_log(webalizer_t) -') diff --git a/policy/modules/contrib/wine.fc b/policy/modules/contrib/wine.fc deleted file mode 100644 index 786a51e2..00000000 --- a/policy/modules/contrib/wine.fc +++ /dev/null @@ -1,24 +0,0 @@ -HOME_DIR/\.wine(/.*)? gen_context(system_u:object_r:wine_home_t,s0) -HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) - -/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - -/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - -/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - -/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/policy/modules/contrib/wine.if b/policy/modules/contrib/wine.if deleted file mode 100644 index fd2b6cc1..00000000 --- a/policy/modules/contrib/wine.if +++ /dev/null @@ -1,167 +0,0 @@ -## <summary>Run Windows programs in Linux.</summary> - -######################################## -## <summary> -## Role access for wine. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`wine_role',` - gen_require(` - attribute_role wine_roles; - type wine_exec_t, wine_t, wine_tmp_t; - type wine_home_t; - ') - - roleattribute $1 wine_roles; - - domtrans_pattern($2, wine_exec_t, wine_t) - - allow wine_t $2:unix_stream_socket connectto; - allow wine_t $2:process signull; - - ps_process_pattern($2, wine_t) - allow $2 wine_t:process { ptrace signal_perms }; - - allow $2 wine_t:fd use; - allow $2 wine_t:shm { associate getattr }; - allow $2 wine_t:shm rw_shm_perms; - allow $2 wine_t:unix_stream_socket connectto; - - allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms }; - allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine") -') - -####################################### -## <summary> -## The role template for the wine module. -## </summary> -## <desc> -## <p> -## This template creates a derived domains which are used -## for wine applications. -## </p> -## </desc> -## <param name="role_prefix"> -## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## </summary> -## </param> -## <param name="user_role"> -## <summary> -## The role associated with the user domain. -## </summary> -## </param> -## <param name="user_domain"> -## <summary> -## The type of the user domain. -## </summary> -## </param> -# -template(`wine_role_template',` - gen_require(` - type wine_exec_t; - ') - - type $1_wine_t; - userdom_user_application_domain($1_wine_t, wine_exec_t) - role $2 types $1_wine_t; - - allow $1_wine_t self:process { execmem execstack }; - - allow $3 $1_wine_t:process { ptrace noatsecure signal_perms }; - ps_process_pattern($3, $1_wine_t) - - domtrans_pattern($3, wine_exec_t, $1_wine_t) - - corecmd_bin_domtrans($1_wine_t, $3) - - userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_user_tmpfs_files($1_wine_t) - - domain_mmap_low($1_wine_t) - - tunable_policy(`wine_mmap_zero_ignore',` - dontaudit $1_wine_t self:memprotect mmap_zero; - ') - - optional_policy(` - xserver_role($1_r, $1_wine_t) - ') -') - -######################################## -## <summary> -## Execute the wine program in the wine domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`wine_domtrans',` - gen_require(` - type wine_t, wine_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wine_exec_t, wine_t) -') - -######################################## -## <summary> -## Execute wine in the wine domain, -## and allow the specified role -## the wine domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`wine_run',` - gen_require(` - attribute_role wine_roles; - ') - - wine_domtrans($1) - roleattribute $2 wine_roles; -') - -######################################## -## <summary> -## Read and write wine Shared -## memory segments. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`wine_rw_shm',` - gen_require(` - type wine_t; - ') - - allow $1 wine_t:shm rw_shm_perms; -') diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te deleted file mode 100644 index b51923cc..00000000 --- a/policy/modules/contrib/wine.te +++ /dev/null @@ -1,80 +0,0 @@ -policy_module(wine, 1.10.1) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether attempts by -## wine to mmap low regions should -## be silently blocked. -## </p> -## </desc> -gen_tunable(wine_mmap_zero_ignore, false) - -attribute_role wine_roles; -roleattribute system_r wine_roles; - -type wine_t; -type wine_exec_t; -userdom_user_application_domain(wine_t, wine_exec_t) -role wine_roles types wine_t; - -type wine_home_t; -userdom_user_home_content(wine_home_t) - -type wine_tmp_t; -userdom_user_tmp_file(wine_tmp_t) - -######################################## -# -# Local policy -# - -allow wine_t self:process { execstack execmem execheap }; -allow wine_t self:fifo_file manage_fifo_file_perms; - -can_exec(wine_t, wine_exec_t) - -userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") - -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) - -domain_mmap_low(wine_t) - -files_execmod_all_files(wine_t) - -userdom_use_user_terminals(wine_t) - -tunable_policy(`wine_mmap_zero_ignore',` - dontaudit wine_t self:memprotect mmap_zero; -') - -optional_policy(` - dbus_system_bus_client(wine_t) - - optional_policy(` - hal_dbus_chat(wine_t) - ') - - optional_policy(` - policykit_dbus_chat(wine_t) - ') -') - -optional_policy(` - rtkit_scheduled(wine_t) -') - -optional_policy(` - unconfined_domain(wine_t) -') - -optional_policy(` - xserver_read_xdm_pid(wine_t) - xserver_rw_shm(wine_t) -') diff --git a/policy/modules/contrib/wireshark.fc b/policy/modules/contrib/wireshark.fc deleted file mode 100644 index 7b07a705..00000000 --- a/policy/modules/contrib/wireshark.fc +++ /dev/null @@ -1,3 +0,0 @@ -HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0) - -/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0) diff --git a/policy/modules/contrib/wireshark.if b/policy/modules/contrib/wireshark.if deleted file mode 100644 index 9cad4afe..00000000 --- a/policy/modules/contrib/wireshark.if +++ /dev/null @@ -1,57 +0,0 @@ -## <summary>Wireshark packet capture tool.</summary> - -############################################################ -## <summary> -## Role access for wireshark. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`wireshark_role',` - gen_require(` - attribute_role wireshark_roles; - type wireshark_t, wireshark_exec_t, wireshark_home_t; - type wireshark_tmp_t, wireshark_tmpfs_t; - ') - - roleattribute $1 wireshark_roles; - - domtrans_pattern($2, wireshark_exec_t, wireshark_t) - - allow $2 wireshark_t:process { ptrace signal_perms }; - ps_process_pattern($2, wireshark_t) - - allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { wireshark_home_t wireshark_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 wireshark_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - allow $2 wireshark_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - userdom_user_home_dir_filetrans($2, wireshark_home_t, dir, ".wireshark") -') - -######################################## -## <summary> -## Execute wireshark in wireshark domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`wireshark_domtrans',` - gen_require(` - type wireshark_t, wireshark_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wireshark_exec_t, wireshark_t) -') diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te deleted file mode 100644 index cf5cab67..00000000 --- a/policy/modules/contrib/wireshark.te +++ /dev/null @@ -1,127 +0,0 @@ -policy_module(wireshark, 2.3.1) - -######################################## -# -# Declarations -# - -attribute_role wireshark_roles; - -type wireshark_t; -type wireshark_exec_t; -typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t }; -typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t }; -userdom_user_application_domain(wireshark_t, wireshark_exec_t) -role wireshark_roles types wireshark_t; - -type wireshark_home_t; -typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t }; -typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t }; -userdom_user_home_content(wireshark_home_t) - -type wireshark_tmp_t; -typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t }; -typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t }; -userdom_user_tmp_file(wireshark_tmp_t) - -type wireshark_tmpfs_t; -typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t }; -typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t }; -userdom_user_tmpfs_file(wireshark_tmpfs_t) - -############################## -# -# Local Policy -# - -allow wireshark_t self:capability { net_admin net_raw setgid }; -allow wireshark_t self:process { signal getsched }; -allow wireshark_t self:fifo_file rw_fifo_file_perms; -allow wireshark_t self:shm create_shm_perms; -allow wireshark_t self:packet_socket create_socket_perms; - -manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir, ".wireshark") - -manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) -manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) -files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file }) - -manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -can_exec(wireshark_t, wireshark_exec_t) - -kernel_read_kernel_sysctls(wireshark_t) -kernel_read_system_state(wireshark_t) -kernel_read_sysctl(wireshark_t) - -corecmd_exec_bin(wireshark_t) - -corenet_all_recvfrom_unlabeled(wireshark_t) -corenet_all_recvfrom_netlabel(wireshark_t) -corenet_tcp_sendrecv_generic_if(wireshark_t) -corenet_udp_sendrecv_generic_if(wireshark_t) -corenet_raw_sendrecv_generic_if(wireshark_t) -corenet_tcp_sendrecv_generic_node(wireshark_t) -corenet_udp_sendrecv_generic_node(wireshark_t) -corenet_raw_sendrecv_generic_node(wireshark_t) -corenet_tcp_sendrecv_all_ports(wireshark_t) -corenet_udp_sendrecv_all_ports(wireshark_t) - -corenet_sendrecv_generic_client_packets(wireshark_t) -corenet_tcp_connect_generic_port(wireshark_t) - -dev_read_rand(wireshark_t) -dev_read_sysfs(wireshark_t) -dev_read_urand(wireshark_t) - -files_read_usr_files(wireshark_t) - -fs_getattr_all_fs(wireshark_t) -fs_list_inotifyfs(wireshark_t) -fs_search_auto_mountpoints(wireshark_t) - -auth_use_nsswitch(wireshark_t) - -libs_read_lib_files(wireshark_t) - -miscfiles_read_fonts(wireshark_t) -miscfiles_read_localization(wireshark_t) - -userdom_use_user_terminals(wireshark_t) - -userdom_manage_user_home_content_files(wireshark_t) -userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(wireshark_t) - fs_manage_nfs_files(wireshark_t) - fs_manage_nfs_symlinks(wireshark_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(wireshark_t) - fs_manage_cifs_files(wireshark_t) - fs_manage_cifs_symlinks(wireshark_t) -') - -optional_policy(` - seutil_use_newrole_fds(wireshark_t) -') - -optional_policy(` - userhelper_use_fd(wireshark_t) - userhelper_sigchld(wireshark_t) -') - -optional_policy(` - xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t) - xserver_create_xdm_tmp_sockets(wireshark_t) -') diff --git a/policy/modules/contrib/wm.fc b/policy/modules/contrib/wm.fc deleted file mode 100644 index 304ae09d..00000000 --- a/policy/modules/contrib/wm.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0) -/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) -/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) -/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if deleted file mode 100644 index 25b702db..00000000 --- a/policy/modules/contrib/wm.if +++ /dev/null @@ -1,134 +0,0 @@ -## <summary>X Window Managers.</summary> - -####################################### -## <summary> -## The role template for the wm module. -## </summary> -## <desc> -## <p> -## This template creates a derived domains which are used -## for window manager applications. -## </p> -## </desc> -## <param name="role_prefix"> -## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## </summary> -## </param> -## <param name="user_role"> -## <summary> -## The role associated with the user domain. -## </summary> -## </param> -## <param name="user_domain"> -## <summary> -## The type of the user domain. -## </summary> -## </param> -# -template(`wm_role_template',` - gen_require(` - attribute wm_domain; - type wm_exec_t; - ') - - ######################################## - # - # Declarations - # - - type $1_wm_t, wm_domain; - userdom_user_application_domain($1_wm_t, wm_exec_t) - role $2 types $1_wm_t; - - ######################################## - # - # Policy - # - - allow $1_wm_t $3:unix_stream_socket connectto; - allow $3 $1_wm_t:unix_stream_socket connectto; - - allow $3 $1_wm_t:process { ptrace signal_perms }; - ps_process_pattern($3, $1_wm_t) - - allow $1_wm_t $3:process { signull sigkill }; - - domtrans_pattern($3, wm_exec_t, $1_wm_t) - - corecmd_bin_domtrans($1_wm_t, $3) - corecmd_shell_domtrans($1_wm_t, $3) - - mls_file_read_all_levels($1_wm_t) - mls_file_write_all_levels($1_wm_t) - mls_xwin_read_all_levels($1_wm_t) - mls_xwin_write_all_levels($1_wm_t) - mls_fd_use_all_levels($1_wm_t) - - auth_use_nsswitch($1_wm_t) - - optional_policy(` - dbus_spec_session_bus_client($1, $1_wm_t) - dbus_system_bus_client($1_wm_t) - - optional_policy(` - wm_dbus_chat($1, $3) - ') - ') - - optional_policy(` - pulseaudio_run($1_wm_t, $2) - ') - - optional_policy(` - xserver_role($2, $1_wm_t) - xserver_manage_core_devices($1_wm_t) - ') -') - -######################################## -## <summary> -## Execute wm in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`wm_exec',` - gen_require(` - type wm_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, wm_exec_t) -') - -######################################## -## <summary> -## Send and receive messages from -## specified wm over dbus. -## </summary> -## <param name="role_prefix"> -## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## </summary> -## </param> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`wm_dbus_chat',` - gen_require(` - type $1_wm_t; - class dbus send_msg; - ') - - allow $2 $1_wm_t:dbus send_msg; - allow $1_wm_t $2:dbus send_msg; -') diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te deleted file mode 100644 index 7c7f7fa8..00000000 --- a/policy/modules/contrib/wm.te +++ /dev/null @@ -1,36 +0,0 @@ -policy_module(wm, 1.2.5) - -######################################## -# -# Declarations -# - -attribute wm_domain; - -type wm_exec_t; - -######################################## -# -# Common wm domain local policy -# - -allow wm_domain self:fifo_file rw_fifo_file_perms; -allow wm_domain self:process getsched; -allow wm_domain self:shm create_shm_perms; -allow wm_domain self:unix_dgram_socket create_socket_perms; - -kernel_read_system_state(wm_domain) - -dev_read_urand(wm_domain) - -files_read_usr_files(wm_domain) - -miscfiles_read_fonts(wm_domain) -miscfiles_read_localization(wm_domain) - -userdom_manage_user_tmp_sockets(wm_domain) -userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) - -userdom_manage_user_home_content_dirs(wm_domain) -userdom_manage_user_home_content_files(wm_domain) -userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) diff --git a/policy/modules/contrib/xdg.fc b/policy/modules/contrib/xdg.fc deleted file mode 100644 index 49a52d98..00000000 --- a/policy/modules/contrib/xdg.fc +++ /dev/null @@ -1,8 +0,0 @@ -HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0) -HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0) -HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0) - -# -# /run -# -/run/user/USER(/.*)? gen_context(system_u:object_r:xdg_runtime_home_t,s0) diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if deleted file mode 100644 index 3613a656..00000000 --- a/policy/modules/contrib/xdg.if +++ /dev/null @@ -1,1025 +0,0 @@ -## <summary> -## XDG Desktop Standard locations -## </summary> - - -######################################## -## <summary> -## Mark the selected type as an xdg_cache_home_type -## </summary> -## <param name="type"> -## <summary> -## Type to give the xdg_cache_home_type attribute to -## </summary> -## </param> -# -interface(`xdg_cache_home_content',` - gen_require(` - attribute xdg_cache_home_type; - ') - - typeattribute $1 xdg_cache_home_type; - - userdom_user_home_content($1) -') - -######################################## -## <summary> -## Mark the selected type as an xdg_config_home_type -## </summary> -## <param name="type"> -## <summary> -## Type to give the xdg_config_home_type attribute to -## </summary> -## </param> -# -interface(`xdg_config_home_content',` - gen_require(` - attribute xdg_config_home_type; - ') - - typeattribute $1 xdg_config_home_type; - - userdom_user_home_content($1) -') - -######################################## -## <summary> -## Mark the selected type as an xdg_data_home_type -## </summary> -## <param name="type"> -## <summary> -## Type to give the xdg_data_home_type attribute to -## </summary> -## </param> -# -interface(`xdg_data_home_content',` - gen_require(` - attribute xdg_data_home_type; - ') - - typeattribute $1 xdg_data_home_type; - - userdom_user_home_content($1) -') - -######################################## -## <summary> -## Mark the selected type as an xdg_runtime_home_type -## </summary> -## <param name="type"> -## <summary> -## Type to give the xdg_runtime_home_type attribute to -## </summary> -## </param> -# -interface(`xdg_runtime_home_content',` - gen_require(` - attribute xdg_runtime_home_type; - ') - - typeattribute $1 xdg_runtime_home_type; - - userdom_user_home_content($1) -') - -######################################## -## <summary> -## Read the xdg cache home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_read_cache_home_files',` - gen_require(` - type xdg_cache_home_t; - ') - - read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Read all xdg_cache_home_type files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_read_all_cache_home_files',` - gen_require(` - attribute xdg_cache_home_type; - ') - - read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Create objects in an xdg_cache_home directory -## with an automatic type transition to -## a specified private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## The type of the object to create. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## The class of the object to be created. -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## Name of the file or directory created -## </summary> -## </param> -# -interface(`xdg_cache_home_filetrans',` - gen_require(` - type xdg_cache_home_t; - ') - - userdom_search_user_home_dirs($1) - - filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4) -') - -######################################## -## <summary> -## Create objects in the user home dir with an automatic type transition to -## the xdg_cache_home_t type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## The class of the object to be created. -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## Name of the directory created -## </summary> -## </param> -# -interface(`xdg_generic_user_home_dir_filetrans_cache_home',` - gen_require(` - type xdg_cache_home_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_cache_home_t, $2, $3) -') - -######################################## -## <summary> -## Create xdg cache home directories -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`xdg_create_cache_home_dirs',` - gen_require(` - type xdg_cache_home_t; - ') - - allow $1 xdg_cache_home_t:dir create_dir_perms; -') - -######################################## -## <summary> -## Manage the xdg cache home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_manage_cache_home',` - gen_require(` - type xdg_cache_home_t; - ') - - manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Manage all the xdg cache home files regardless of their specific type -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_manage_all_cache_home',` - gen_require(` - attribute xdg_cache_home_type; - ') - - manage_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - manage_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - manage_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - manage_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - manage_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Allow relabeling the xdg cache home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_relabel_cache_home',` - gen_require(` - type xdg_cache_home_t; - ') - - relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Allow relabeling the xdg cache home files, regardless of their specific type -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_relabel_all_cache_home',` - gen_require(` - attribute xdg_cache_home_type; - ') - - relabel_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - relabel_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - relabel_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - relabel_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - relabel_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Search through the xdg config home directories -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_search_config_home_dirs',` - gen_require(` - type xdg_config_home_t; - ') - - search_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Read the xdg config home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_read_config_home_files',` - gen_require(` - type xdg_config_home_t; - ') - - read_files_pattern($1, xdg_config_home_t, xdg_config_home_t) - list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Read all xdg_config_home_type files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_read_all_config_home_files',` - gen_require(` - attribute xdg_config_home_type; - ') - - read_files_pattern($1, xdg_config_home_type, xdg_config_home_type) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Create objects in an xdg_config_home directory -## with an automatic type transition to -## a specified private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## The type of the object to create. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## The class of the object to be created. -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## Name of the file or directory created -## </summary> -## </param> -# -interface(`xdg_config_home_filetrans',` - gen_require(` - type xdg_config_home_t; - ') - - userdom_search_user_home_dirs($1) - - filetrans_pattern($1, xdg_config_home_t, $2, $3, $4) -') - -######################################## -## <summary> -## Create objects in the user home dir with an automatic type transition to -## the xdg_config_home_t type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## The class of the object to be created. -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## Name of the directory created -## </summary> -## </param> -# -interface(`xdg_generic_user_home_dir_filetrans_config_home',` - gen_require(` - type xdg_config_home_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_config_home_t, $2, $3) -') - -######################################## -## <summary> -## Create xdg config home directories -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`xdg_create_config_home_dirs',` - gen_require(` - type xdg_config_home_t; - ') - - allow $1 xdg_config_home_t:dir create_dir_perms; -') - -######################################## -## <summary> -## Manage the xdg config home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_manage_config_home',` - gen_require(` - type xdg_config_home_t; - ') - - manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) - manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t) - manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t) - manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t) - manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Manage all the xdg config home files regardless of their specific type -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_manage_all_config_home',` - gen_require(` - attribute xdg_config_home_type; - ') - - manage_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type) - manage_files_pattern($1, xdg_config_home_type, xdg_config_home_type) - manage_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type) - manage_fifo_files_pattern($1, xdg_config_home_type, xdg_config_home_type) - manage_sock_files_pattern($1, xdg_config_home_type, xdg_config_home_type) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Allow relabeling the xdg config home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_relabel_config_home',` - gen_require(` - type xdg_config_home_t; - ') - - relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) - relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t) - relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t) - relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t) - relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Allow relabeling the xdg config home files, regardless of their specific type -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_relabel_all_config_home',` - gen_require(` - attribute xdg_config_home_type; - ') - - relabel_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type) - relabel_files_pattern($1, xdg_config_home_type, xdg_config_home_type) - relabel_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type) - relabel_fifo_files_pattern($1, xdg_config_home_type, xdg_config_home_type) - relabel_sock_files_pattern($1, xdg_config_home_type, xdg_config_home_type) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Read the xdg data home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_read_data_home_files',` - gen_require(` - type xdg_data_home_t; - ') - - read_files_pattern($1, xdg_data_home_t, xdg_data_home_t) - list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Read all xdg_data_home_type files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_read_all_data_home_files',` - gen_require(` - attribute xdg_data_home_type; - ') - - read_files_pattern($1, xdg_data_home_type, xdg_data_home_type) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Create objects in an xdg_data_home directory -## with an automatic type transition to -## a specified private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## The type of the object to create. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## The class of the object to be created. -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## Optional name of the file or directory created -## </summary> -## </param> -# -interface(`xdg_data_home_filetrans',` - gen_require(` - type xdg_data_home_t; - ') - - userdom_search_user_home_dirs($1) - - filetrans_pattern($1, xdg_data_home_t, $2, $3, $4) -') - -######################################## -## <summary> -## Create objects in the user home dir with an automatic type transition to -## the xdg_data_home_t type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## The class of the object to be created. -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## Name of the directory created -## </summary> -## </param> -# -interface(`xdg_generic_user_home_dir_filetrans_data_home',` - gen_require(` - type xdg_data_home_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_data_home_t, $2, $3) -') - -######################################## -## <summary> -## Create xdg data home directories -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`xdg_create_data_home_dirs',` - gen_require(` - type xdg_data_home_t; - ') - - allow $1 xdg_data_home_t:dir create_dir_perms; -') - -######################################## -## <summary> -## Manage the xdg data home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_manage_data_home',` - gen_require(` - type xdg_data_home_t; - ') - - manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) - manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t) - manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t) - manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t) - manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Manage all the xdg data home files, regardless of their specific type -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_manage_all_data_home',` - gen_require(` - attribute xdg_data_home_type; - ') - - manage_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type) - manage_files_pattern($1, xdg_data_home_type, xdg_data_home_type) - manage_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type) - manage_fifo_files_pattern($1, xdg_data_home_type, xdg_data_home_type) - manage_sock_files_pattern($1, xdg_data_home_type, xdg_data_home_type) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Allow relabeling the xdg data home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_relabel_data_home',` - gen_require(` - type xdg_data_home_t; - ') - - relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) - relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t) - relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t) - relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t) - relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t) - - userdom_search_user_home_dirs($1) -') - -######################################## -## <summary> -## Allow relabeling the xdg data home files, regardless of their type -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_relabel_all_data_home',` - gen_require(` - attribute xdg_data_home_type; - ') - - relabel_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type) - relabel_files_pattern($1, xdg_data_home_type, xdg_data_home_type) - relabel_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type) - relabel_fifo_files_pattern($1, xdg_data_home_type, xdg_data_home_type) - relabel_sock_files_pattern($1, xdg_data_home_type, xdg_data_home_type) - - userdom_search_user_home_dirs($1) -') -######################################### -## <summary> -## Manage downloaded content -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`xdg_manage_downloads_home',` - gen_require(` - type xdg_downloads_home_t; - ') - - manage_dirs_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t) - manage_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t) -') - -######################################## -## <summary> -## Read the xdg runtime home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_read_runtime_home_files',` - gen_require(` - type xdg_runtime_home_t; - ') - - read_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - list_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - - files_search_pids($1) -') - -######################################## -## <summary> -## Read all xdg_runtime_home_type files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_read_all_runtime_home_files',` - gen_require(` - attribute xdg_runtime_home_type; - ') - - read_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - - files_search_pids($1) -') - -######################################## -## <summary> -## Create objects in an xdg_runtime_home directory -## with an automatic type transition to -## a specified private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## The type of the object to create. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## The class of the object to be created. -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## Name of the file or directory created -## </summary> -## </param> -# -interface(`xdg_runtime_home_filetrans',` - gen_require(` - type xdg_runtime_home_t; - ') - - files_search_pids($1) - - filetrans_pattern($1, xdg_runtime_home_t, $2, $3) -') - -######################################## -## <summary> -## Create objects in the user home dir with an automatic type transition to -## the xdg_runtime_home_t type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## The class of the object to be created. -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## Name of the directory created -## </summary> -## </param> -# -interface(`xdg_generic_user_home_dir_filetrans_runtime_home',` - gen_require(` - type xdg_runtime_home_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_runtime_home_t, $2, $3) -') - -######################################## -## <summary> -## Create xdg runtime home directories -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`xdg_create_runtime_home_dirs',` - gen_require(` - type xdg_runtime_home_t; - ') - - allow $1 xdg_runtime_home_t:dir create_dir_perms; -') - -######################################## -## <summary> -## Manage the xdg runtime home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_manage_runtime_home',` - gen_require(` - type xdg_runtime_home_t; - ') - - manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - - files_search_pids($1) -') - -######################################## -## <summary> -## Manage all the xdg runtime home files, regardless of their specific type -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_manage_all_runtime_home',` - gen_require(` - attribute xdg_runtime_home_type; - ') - - manage_dirs_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - manage_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - manage_lnk_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - manage_fifo_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - manage_sock_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - - files_search_pids($1) -') - -######################################## -## <summary> -## Allow relabeling the xdg runtime home files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_relabel_runtime_home',` - gen_require(` - type xdg_runtime_home_t; - ') - - relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t) - - files_search_pids($1) -') - -######################################## -## <summary> -## Allow relabeling the xdg runtime home files, regardless of the specific type -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xdg_relabel_all_runtime_home',` - gen_require(` - attribute xdg_runtime_home_type; - ') - - relabel_dirs_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - relabel_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - relabel_lnk_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - relabel_fifo_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - relabel_sock_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type) - - files_search_pids($1) -') - -######################################### -## <summary> -## Manage video content -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`xdg_manage_videos_home',` - gen_require(` - type xdg_videos_home_t; - ') - - manage_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t) - manage_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t) -') diff --git a/policy/modules/contrib/xdg.te b/policy/modules/contrib/xdg.te deleted file mode 100644 index 96c865c9..00000000 --- a/policy/modules/contrib/xdg.te +++ /dev/null @@ -1,42 +0,0 @@ -policy_module(xdg, 1.0.0) - -######################################## -# -# Declarations -# - -attribute xdg_data_home_type; - -attribute xdg_config_home_type; - -attribute xdg_cache_home_type; - -attribute xdg_runtime_home_type; - -type xdg_data_home_t; -xdg_data_home_content(xdg_data_home_t) - -type xdg_config_home_t; -xdg_config_home_content(xdg_config_home_t) - -type xdg_cache_home_t; -xdg_cache_home_content(xdg_cache_home_t) - -type xdg_runtime_home_t; -xdg_runtime_home_content(xdg_runtime_home_t) - -# Various user location types (see ~/.config/user-dirs.dirs) -type xdg_downloads_home_t; # customizable -userdom_user_home_content(xdg_downloads_home_t) - -type xdg_documents_home_t; # customizable -userdom_user_home_content(xdg_documents_home_t) - -type xdg_music_home_t; # customizable -userdom_user_home_content(xdg_documents_home_t) - -type xdg_pictures_home_t; # customizable -userdom_user_home_content(xdg_pictures_home_t) - -type xdg_videos_home_t; # customizable -userdom_user_home_content(xdg_videos_home_t) diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc deleted file mode 100644 index 42d83b02..00000000 --- a/policy/modules/contrib/xen.fc +++ /dev/null @@ -1,38 +0,0 @@ -/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) - -/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) - -/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) -/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) -/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) -/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) -/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) -/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) -/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) - -/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) -/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) -/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) -/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) - -/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) -/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) -/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) -/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) -/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) - -/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) -/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) -/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) -/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) -/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) -/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) -/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) -/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) - -/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if deleted file mode 100644 index f93558c5..00000000 --- a/policy/modules/contrib/xen.if +++ /dev/null @@ -1,297 +0,0 @@ -## <summary>Xen hypervisor.</summary> - -######################################## -## <summary> -## Execute a domain transition to run xend. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`xen_domtrans',` - gen_require(` - type xend_t, xend_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, xend_exec_t, xend_t) -') - -######################################## -## <summary> -## Execute xend in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_exec',` - gen_require(` - type xend_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, xend_exec_t) -') - -######################################## -## <summary> -## Inherit and use xen file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_use_fds',` - gen_require(` - type xend_t; - ') - - allow $1 xend_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to inherit -## xen file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`xen_dontaudit_use_fds',` - gen_require(` - type xend_t; - ') - - dontaudit $1 xend_t:fd use; -') - -######################################## -## <summary> -## Create, read, write, and delete -## xend image directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_manage_image_dirs',` - gen_require(` - type xend_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) -') - -######################################## -## <summary> -## Read xend image files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_read_image_files',` - gen_require(` - type xen_image_t, xend_var_lib_t; - ') - - files_list_var_lib($1) - list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) - read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) -') - -######################################## -## <summary> -## Read and write xend image files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_rw_image_files',` - gen_require(` - type xen_image_t, xend_var_lib_t; - ') - - files_list_var_lib($1) - allow $1 xend_var_lib_t:dir search_dir_perms; - rw_files_pattern($1, xen_image_t, xen_image_t) -') - -######################################## -## <summary> -## Append xend log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_append_log',` - gen_require(` - type xend_var_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, xend_var_log_t, xend_var_log_t) - dontaudit $1 xend_var_log_t:file write; -') - -######################################## -## <summary> -## Create, read, write, and delete -## xend log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_manage_log',` - gen_require(` - type xend_var_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t) - manage_files_pattern($1, xend_var_log_t, xend_var_log_t) -') - -####################################### -## <summary> -## Read xenstored pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_read_xenstored_pid_files',` - gen_require(` - type xenstored_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) -') - -######################################## -## <summary> -## Do not audit attempts to read and write -## Xen unix domain stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`xen_dontaudit_rw_unix_stream_sockets',` - gen_require(` - type xend_t; - ') - - dontaudit $1 xend_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## Connect to xenstored with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_stream_connect_xenstore',` - gen_require(` - type xenstored_t, xenstored_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t) -') - -######################################## -## <summary> -## Connect to xend with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_stream_connect',` - gen_require(` - type xend_t, xend_var_run_t, xend_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t) - - files_search_var_lib($1) - stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) -') - -######################################## -## <summary> -## Execute a domain transition to run xm. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`xen_domtrans_xm',` - gen_require(` - type xm_t, xm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, xm_exec_t, xm_t) -') - -######################################## -## <summary> -## Connect to xm with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xen_stream_connect_xm',` - gen_require(` - type xm_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t) -') diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te deleted file mode 100644 index ed40676f..00000000 --- a/policy/modules/contrib/xen.te +++ /dev/null @@ -1,604 +0,0 @@ -policy_module(xen, 1.12.5) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether xend can -## run blktapctrl and tapdisk. -## </p> -## </desc> -gen_tunable(xend_run_blktap, false) - -## <desc> -## <p> -## Determine whether xen can -## use fusefs file systems. -## </p> -## </desc> -gen_tunable(xen_use_fusefs, false) - -## <desc> -## <p> -## Determine whether xen can -## use nfs file systems. -## </p> -## </desc> -gen_tunable(xen_use_nfs, false) - -## <desc> -## <p> -## Determine whether xen can -## use samba file systems. -## </p> -## </desc> -gen_tunable(xen_use_samba, false) - -type blktap_t; -type blktap_exec_t; -domain_type(blktap_t) -domain_entry_file(blktap_t, blktap_exec_t) -role system_r types blktap_t; - -type blktap_var_run_t; -files_pid_file(blktap_var_run_t) - -type evtchnd_t; -type evtchnd_exec_t; -init_daemon_domain(evtchnd_t, evtchnd_exec_t) - -type evtchnd_var_log_t; -logging_log_file(evtchnd_var_log_t) - -type evtchnd_var_run_t; -files_pid_file(evtchnd_var_run_t) - -type xen_devpts_t; -term_pty(xen_devpts_t) -files_type(xen_devpts_t) - -type xen_image_t; # customizable -files_type(xen_image_t) -dev_node(xen_image_t) - -optional_policy(` - virt_image(xen_image_t) -') - -type xenctl_t; -files_type(xenctl_t) - -type xend_t; -type xend_exec_t; -init_daemon_domain(xend_t, xend_exec_t) - -type xend_tmp_t; -files_tmp_file(xend_tmp_t) - -type xend_var_lib_t; -files_type(xend_var_lib_t) -files_mountpoint(xend_var_lib_t) - -type xend_var_log_t; -logging_log_file(xend_var_log_t) - -type xend_var_run_t; -files_pid_file(xend_var_run_t) -files_mountpoint(xend_var_run_t) - -type xenstored_t; -type xenstored_exec_t; -init_daemon_domain(xenstored_t, xenstored_exec_t) - -type xenstored_tmp_t; -files_tmp_file(xenstored_tmp_t) - -type xenstored_var_lib_t; -files_type(xenstored_var_lib_t) -files_mountpoint(xenstored_var_lib_t) - -type xenstored_var_log_t; -logging_log_file(xenstored_var_log_t) - -type xenstored_var_run_t; -files_pid_file(xenstored_var_run_t) -init_daemon_run_dir(xenstored_var_run_t, "xenstored") - -type xenconsoled_t; -type xenconsoled_exec_t; -init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) - -type xenconsoled_var_run_t; -files_pid_file(xenconsoled_var_run_t) - -type xm_t; -type xm_exec_t; -init_system_domain(xm_t, xm_exec_t) - -######################################## -# -# blktap local policy -# - -tunable_policy(`xend_run_blktap',` - domtrans_pattern(xend_t, blktap_exec_t, blktap_t) - - allow blktap_t self:fifo_file { read write }; - - dev_read_sysfs(blktap_t) - dev_rw_xen(blktap_t) - - files_read_etc_files(blktap_t) - - logging_send_syslog_msg(blktap_t) - - miscfiles_read_localization(blktap_t) - - xen_stream_connect_xenstore(blktap_t) -',` - dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; -') - -####################################### -# -# evtchnd local policy -# - -manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) - -manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) - -######################################## -# -# xend local policy -# - -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio }; -dontaudit xend_t self:capability { sys_ptrace }; -allow xend_t self:process { setrlimit signal sigkill }; -dontaudit xend_t self:process ptrace; -allow xend_t self:fifo_file rw_fifo_file_perms; -allow xend_t self:unix_stream_socket { accept listen }; -allow xend_t self:tcp_socket { accept listen }; -allow xend_t self:packet_socket create_socket_perms; -allow xend_t self:tun_socket create_socket_perms; - -allow xend_t xen_image_t:dir list_dir_perms; -manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) -manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t) -manage_files_pattern(xend_t, xen_image_t, xen_image_t) -read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t) -read_sock_files_pattern(xend_t, xen_image_t, xen_image_t) -rw_chr_files_pattern(xend_t, xen_image_t, xen_image_t) -rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t) -fs_hugetlbfs_filetrans(xend_t, xen_image_t, file) - -allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; -dev_filetrans(xend_t, xenctl_t, fifo_file) - -manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) -manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) -files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) - -manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) -manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) -manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) -manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) -files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) - -manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) -append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) -create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) -setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) -manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) -logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) - -manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) - -manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t) - -allow xend_t xenstored_var_lib_t:dir list_dir_perms; - -domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) -domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) - -xen_stream_connect_xenstore(xend_t) - -kernel_read_kernel_sysctls(xend_t) -kernel_read_system_state(xend_t) -kernel_write_xen_state(xend_t) -kernel_read_xen_state(xend_t) -kernel_rw_net_sysctls(xend_t) -kernel_read_network_state(xend_t) - -corecmd_exec_bin(xend_t) -corecmd_exec_shell(xend_t) - -corenet_all_recvfrom_unlabeled(xend_t) -corenet_all_recvfrom_netlabel(xend_t) -corenet_tcp_sendrecv_generic_if(xend_t) -corenet_tcp_sendrecv_generic_node(xend_t) -corenet_tcp_sendrecv_all_ports(xend_t) -corenet_tcp_bind_generic_node(xend_t) - -corenet_sendrecv_xen_server_packets(xend_t) -corenet_tcp_bind_xen_port(xend_t) - -corenet_sendrecv_soundd_server_packets(xend_t) -corenet_tcp_bind_soundd_port(xend_t) - -corenet_sendrecv_generic_server_packets(xend_t) -corenet_tcp_bind_generic_port(xend_t) - -corenet_sendrecv_vnc_server_packets(xend_t) -corenet_tcp_bind_vnc_port(xend_t) - -corenet_sendrecv_xserver_client_packets(xend_t) -corenet_tcp_connect_xserver_port(xend_t) - -corenet_sendrecv_xen_client_packets(xend_t) -corenet_tcp_connect_xen_port(xend_t) - -corenet_rw_tun_tap_dev(xend_t) - -dev_getattr_all_chr_files(xend_t) -dev_read_urand(xend_t) -dev_filetrans_xen(xend_t) -dev_rw_sysfs(xend_t) -dev_rw_xen(xend_t) - -domain_dontaudit_read_all_domains_state(xend_t) -domain_dontaudit_ptrace_all_domains(xend_t) - -files_read_etc_files(xend_t) -files_read_kernel_symbol_table(xend_t) -files_read_kernel_img(xend_t) -files_manage_etc_runtime_files(xend_t) -files_etc_filetrans_etc_runtime(xend_t, file) -files_read_usr_files(xend_t) -files_read_default_symlinks(xend_t) -files_search_mnt(xend_t) - -fs_getattr_all_fs(xend_t) -fs_list_auto_mountpoints(xend_t) -fs_read_dos_files(xend_t) -fs_read_removable_blk_files(xend_t) -fs_manage_xenfs_dirs(xend_t) -fs_manage_xenfs_files(xend_t) - -storage_read_scsi_generic(xend_t) - -term_setattr_generic_ptys(xend_t) -term_getattr_all_ptys(xend_t) -term_setattr_all_ptys(xend_t) -term_use_generic_ptys(xend_t) -term_use_ptmx(xend_t) -term_getattr_pty_fs(xend_t) - -init_stream_connect_script(xend_t) - -locallogin_dontaudit_use_fds(xend_t) - -logging_send_syslog_msg(xend_t) - -miscfiles_read_localization(xend_t) -miscfiles_read_hwdata(xend_t) - -sysnet_domtrans_dhcpc(xend_t) -sysnet_signal_dhcpc(xend_t) -sysnet_domtrans_ifconfig(xend_t) -sysnet_dns_name_resolve(xend_t) -sysnet_delete_dhcpc_pid(xend_t) -sysnet_read_dhcpc_pid(xend_t) -sysnet_rw_dhcp_config(xend_t) - -userdom_dontaudit_search_user_home_dirs(xend_t) - -tunable_policy(`xen_use_fusefs',` - fs_manage_fusefs_dirs(xend_t) - fs_manage_fusefs_files(xend_t) - fs_read_fusefs_symlinks(xend_t) -') - -tunable_policy(`xen_use_nfs',` - fs_manage_nfs_dirs(xend_t) - fs_manage_nfs_files(xend_t) - fs_read_nfs_symlinks(xend_t) -') - -tunable_policy(`xen_use_samba',` - fs_manage_cifs_dirs(xend_t) - fs_manage_cifs_files(xend_t) - fs_read_cifs_symlinks(xend_t) -') - -optional_policy(` - brctl_domtrans(xend_t) -') - -optional_policy(` - consoletype_exec(xend_t) -') - -optional_policy(` - lvm_domtrans(xend_t) -') - -optional_policy(` - mount_domtrans(xend_t) -') - -optional_policy(` - netutils_domtrans(xend_t) -') - -optional_policy(` - ptchown_exec(xend_t) -') - -optional_policy(` - virt_search_images(xend_t) - virt_read_config(xend_t) -') - -######################################## -# -# Xen console local policy -# - -allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; -allow xenconsoled_t self:process setrlimit; -allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; -allow xenconsoled_t self:fifo_file rw_fifo_file_perms; - -allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; - -manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) -append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) -create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) -setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) - -manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) -manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) -files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(xenconsoled_t) -kernel_write_xen_state(xenconsoled_t) -kernel_read_xen_state(xenconsoled_t) - -dev_rw_xen(xenconsoled_t) -dev_filetrans_xen(xenconsoled_t) -dev_rw_sysfs(xenconsoled_t) - -domain_dontaudit_ptrace_all_domains(xenconsoled_t) - -files_read_etc_files(xenconsoled_t) -files_read_usr_files(xenconsoled_t) - -fs_list_tmpfs(xenconsoled_t) -fs_manage_xenfs_dirs(xenconsoled_t) -fs_manage_xenfs_files(xenconsoled_t) - -term_create_pty(xenconsoled_t, xen_devpts_t) -term_use_generic_ptys(xenconsoled_t) -term_use_console(xenconsoled_t) - -init_use_fds(xenconsoled_t) -init_use_script_ptys(xenconsoled_t) - -logging_search_logs(xenconsoled_t) - -miscfiles_read_localization(xenconsoled_t) - -xen_stream_connect_xenstore(xenconsoled_t) - -optional_policy(` - ptchown_domtrans(xenconsoled_t) -') - -######################################## -# -# Xen store local policy -# - -allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; -allow xenstored_t self:unix_stream_socket { accept listen }; - -manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) -manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) -files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) - -manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) - -manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -create_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -setattr_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) - -manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file }) - -stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t) - -kernel_write_xen_state(xenstored_t) -kernel_read_xen_state(xenstored_t) - -dev_filetrans_xen(xenstored_t) -dev_rw_xen(xenstored_t) -dev_read_sysfs(xenstored_t) - -files_read_etc_files(xenstored_t) -files_read_usr_files(xenstored_t) - -fs_search_xenfs(xenstored_t) -fs_manage_xenfs_files(xenstored_t) - -term_use_generic_ptys(xenstored_t) - -init_use_fds(xenstored_t) -init_use_script_ptys(xenstored_t) - -logging_send_syslog_msg(xenstored_t) - -miscfiles_read_localization(xenstored_t) - -xen_append_log(xenstored_t) - -######################################## -# -# xm local policy -# - -allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; -allow xm_t self:process { getcap getsched setsched setcap signal }; -allow xm_t self:fifo_file rw_fifo_file_perms; -allow xm_t self:unix_stream_socket { accept connectto listen }; -allow xm_t self:tcp_socket { accept listen }; - -manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) - -manage_files_pattern(xm_t, xen_image_t, xen_image_t) -manage_blk_files_pattern(xm_t, xen_image_t, xen_image_t) -manage_lnk_files_pattern(xm_t, xen_image_t, xen_image_t) - -read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t) - -xen_manage_image_dirs(xm_t) -xen_append_log(xm_t) -xen_domtrans(xm_t) -xen_stream_connect(xm_t) -xen_stream_connect_xenstore(xm_t) - -can_exec(xm_t, xm_exec_t) - -kernel_read_system_state(xm_t) -kernel_read_network_state(xm_t) -kernel_read_kernel_sysctls(xm_t) -kernel_read_sysctl(xm_t) -kernel_read_xen_state(xm_t) -kernel_write_xen_state(xm_t) - -corecmd_exec_bin(xm_t) -corecmd_exec_shell(xm_t) - -corenet_all_recvfrom_unlabeled(xm_t) -corenet_all_recvfrom_netlabel(xm_t) -corenet_tcp_sendrecv_generic_if(xm_t) -corenet_tcp_sendrecv_generic_node(xm_t) - -corenet_sendrecv_soundd_client_packets(xm_t) -corenet_tcp_connect_soundd_port(xm_t) -corenet_tcp_sendrecv_soundd_port(xm_t) - -dev_read_rand(xm_t) -dev_read_urand(xm_t) -dev_read_sysfs(xm_t) - -files_read_etc_runtime_files(xm_t) -files_read_etc_files(xm_t) -files_read_usr_files(xm_t) -files_search_pids(xm_t) -files_search_var_lib(xm_t) -files_list_mnt(xm_t) -files_list_tmp(xm_t) - -fs_getattr_all_fs(xm_t) -fs_manage_xenfs_dirs(xm_t) -fs_manage_xenfs_files(xm_t) -fs_search_auto_mountpoints(xm_t) - -storage_raw_read_fixed_disk(xm_t) - -term_use_all_terms(xm_t) - -init_stream_connect_script(xm_t) -init_rw_script_stream_sockets(xm_t) -init_use_fds(xm_t) - -logging_send_syslog_msg(xm_t) - -miscfiles_read_localization(xm_t) - -sysnet_dns_name_resolve(xm_t) - -tunable_policy(`xen_use_fusefs',` - fs_manage_fusefs_dirs(xm_t) - fs_manage_fusefs_files(xm_t) - fs_read_fusefs_symlinks(xm_t) -') - -tunable_policy(`xen_use_nfs',` - fs_manage_nfs_dirs(xm_t) - fs_manage_nfs_files(xm_t) - fs_read_nfs_symlinks(xm_t) -') - -tunable_policy(`xen_use_samba',` - fs_manage_cifs_dirs(xm_t) - fs_manage_cifs_files(xm_t) - fs_read_cifs_symlinks(xm_t) -') - -optional_policy(` - cron_system_entry(xm_t, xm_exec_t) -') - -optional_policy(` - dbus_system_bus_client(xm_t) - - optional_policy(` - hal_dbus_chat(xm_t) - ') -') - -optional_policy(` - rpm_exec(xm_t) -') - -optional_policy(` - vhostmd_rw_tmpfs_files(xm_t) - vhostmd_stream_connect(xm_t) - vhostmd_dontaudit_rw_stream_connect(xm_t) -') - -optional_policy(` - virt_domtrans(xm_t) - virt_manage_images(xm_t) - virt_manage_config(xm_t) - virt_stream_connect(xm_t) -') - -optional_policy(` - ssh_basic_client_template(xm, xm_t, system_r) - - kernel_read_xen_state(xm_ssh_t) - kernel_write_xen_state(xm_ssh_t) - - files_search_tmp(xm_ssh_t) - - fs_manage_xenfs_dirs(xm_ssh_t) - fs_manage_xenfs_files(xm_ssh_t) -') diff --git a/policy/modules/contrib/xfs.fc b/policy/modules/contrib/xfs.fc deleted file mode 100644 index 85b9c0f0..00000000 --- a/policy/modules/contrib/xfs.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/xfs -- gen_context(system_u:object_r:xfs_initrc_exec_t,s0) - -/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0) - -/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) -/usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0) - -/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) -/usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0) - -/var/run/xfs.* -- gen_context(system_u:object_r:xfs_var_run_t,s0) diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if deleted file mode 100644 index 4570b863..00000000 --- a/policy/modules/contrib/xfs.if +++ /dev/null @@ -1,97 +0,0 @@ -## <summary>X Windows Font Server.</summary> - -######################################## -## <summary> -## Read xfs temporary sock files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xfs_read_sockets',` - gen_require(` - type xfs_tmp_t; - ') - - files_search_tmp($1) - read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t) -') - -######################################## -## <summary> -## Connect to xfs with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xfs_stream_connect',` - gen_require(` - type xfs_tmp_t, xfs_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t) -') - -######################################## -## <summary> -## Execute xfs in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xfs_exec',` - gen_require(` - type xfs_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, xfs_exec_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an xfs environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`xfs_admin',` - gen_require(` - type xfs_t, xfs_initrc_exec_t, xfs_var_run_t; - type xfs_tmp_t; - ') - - allow $1 xfs_t:process { ptrace signal_perms }; - ps_process_pattern($1, xfs_t) - - init_labeled_script_domtrans($1, xfs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 xfs_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, xfs_var_run_t) - - files_search_tmp($1) - admin_pattern($1, xfs_tmp_t) -') diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te deleted file mode 100644 index 0cea2cd8..00000000 --- a/policy/modules/contrib/xfs.te +++ /dev/null @@ -1,86 +0,0 @@ -policy_module(xfs, 1.6.1) - -######################################## -# -# Declarations -# - -type xfs_t; -type xfs_exec_t; -init_daemon_domain(xfs_t, xfs_exec_t) - -type xfs_initrc_exec_t; -init_script_file(xfs_initrc_exec_t) - -type xfs_tmp_t; -files_tmp_file(xfs_tmp_t) - -type xfs_var_run_t; -files_pid_file(xfs_var_run_t) - -######################################## -# -# Local policy -# - -allow xfs_t self:capability { dac_override setgid setuid }; -dontaudit xfs_t self:capability sys_tty_config; -allow xfs_t self:process { signal_perms setpgid }; -allow xfs_t self:unix_stream_socket { accept listen }; -allow xfs_t self:tcp_socket { accept listen }; - -manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t) -manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t) -files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir }) - -manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t) -files_pid_filetrans(xfs_t, xfs_var_run_t, file) - -can_exec(xfs_t, xfs_exec_t) - -kernel_read_kernel_sysctls(xfs_t) -kernel_read_system_state(xfs_t) - -corenet_all_recvfrom_unlabeled(xfs_t) -corenet_all_recvfrom_netlabel(xfs_t) -corenet_tcp_sendrecv_generic_if(xfs_t) -corenet_tcp_sendrecv_generic_node(xfs_t) -corenet_tcp_bind_generic_node(xfs_t) - -corenet_sendrecv_xfs_server_packets(xfs_t) -corenet_tcp_bind_xfs_port(xfs_t) -corenet_tcp_sendrecv_xfs_port(xfs_t) - -corecmd_list_bin(xfs_t) - -dev_read_sysfs(xfs_t) -dev_read_urand(xfs_t) -dev_read_rand(xfs_t) - -fs_getattr_all_fs(xfs_t) -fs_search_auto_mountpoints(xfs_t) - -domain_use_interactive_fds(xfs_t) - -files_read_etc_runtime_files(xfs_t) -files_read_usr_files(xfs_t) - -auth_use_nsswitch(xfs_t) - -init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100") - -logging_send_syslog_msg(xfs_t) - -miscfiles_read_localization(xfs_t) -miscfiles_read_fonts(xfs_t) - -userdom_dontaudit_use_unpriv_user_fds(xfs_t) -userdom_dontaudit_search_user_home_dirs(xfs_t) - -optional_policy(` - seutil_sigchld_newrole(xfs_t) -') - -optional_policy(` - udev_read_db(xfs_t) -') diff --git a/policy/modules/contrib/xguest.fc b/policy/modules/contrib/xguest.fc deleted file mode 100644 index 601a7b02..00000000 --- a/policy/modules/contrib/xguest.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/contrib/xguest.if b/policy/modules/contrib/xguest.if deleted file mode 100644 index 4f1d07d7..00000000 --- a/policy/modules/contrib/xguest.if +++ /dev/null @@ -1,50 +0,0 @@ -## <summary>Least privledge xwindows user role.</summary> - -######################################## -## <summary> -## Change to the xguest role. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`xguest_role_change',` - gen_require(` - role xguest_r; - ') - - allow $1 xguest_r; -') - -######################################## -## <summary> -## Change from the xguest role. -## </summary> -## <desc> -## <p> -## Change from the xguest role to -## the specified role. -## </p> -## <p> -## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -## </p> -## </desc> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`xguest_role_change_to',` - gen_require(` - role xguest_r; - ') - - allow xguest_r $1; -') diff --git a/policy/modules/contrib/xguest.te b/policy/modules/contrib/xguest.te deleted file mode 100644 index 2882821a..00000000 --- a/policy/modules/contrib/xguest.te +++ /dev/null @@ -1,171 +0,0 @@ -policy_module(xguest, 1.1.2) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether xguest can -## mount removable media. -## </p> -## </desc> -gen_tunable(xguest_mount_media, false) - -## <desc> -## <p> -## Determine whether xguest can -## configure network manager. -## </p> -## </desc> -gen_tunable(xguest_connect_network, false) - -## <desc> -## <p> -## Determine whether xguest can -## use blue tooth devices. -## </p> -## </desc> -gen_tunable(xguest_use_bluetooth, false) - -role xguest_r; - -userdom_restricted_xwindows_user_template(xguest) - -######################################## -# -# Local policy -# - -kernel_dontaudit_request_load_module(xguest_t) - -ifndef(`enable_mls',` - fs_exec_noxattr(xguest_t) - - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) - storage_raw_read_removable_device(xguest_t) - storage_raw_write_removable_device(xguest_t) - ',` - storage_raw_read_removable_device(xguest_t) - ') -') - -optional_policy(` - tunable_policy(`xguest_mount_media',` - kernel_read_fs_sysctls(xguest_t) - - files_dontaudit_getattr_boot_dirs(xguest_t) - files_search_mnt(xguest_t) - - fs_manage_noxattr_fs_files(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) - fs_getattr_noxattr_fs(xguest_t) - fs_read_noxattr_fs_symlinks(xguest_t) - - auth_list_pam_console_data(xguest_t) - - init_read_utmp(xguest_t) - ') -') - -optional_policy(` - tunable_policy(`xguest_use_bluetooth',` - bluetooth_dbus_chat(xguest_t) - ') -') - -optional_policy(` - tunable_policy(`xguest_use_bluetooth',` - blueman_dbus_chat(xguest_t) - ') -') - -optional_policy(` - apache_role(xguest_r, xguest_t) -') - -optional_policy(` - gnomeclock_dontaudit_dbus_chat(xguest_t) -') - -optional_policy(` - hal_dbus_chat(xguest_t) -') - -optional_policy(` - java_role(xguest_r, xguest_t) -') - -optional_policy(` - mozilla_role(xguest_r, xguest_t) -') - -optional_policy(` - tunable_policy(`xguest_connect_network',` - kernel_read_network_state(xguest_t) - - networkmanager_dbus_chat(xguest_t) - networkmanager_read_lib_files(xguest_t) - - corenet_all_recvfrom_unlabeled(xguest_t) - corenet_all_recvfrom_netlabel(xguest_t) - corenet_tcp_sendrecv_generic_if(xguest_t) - corenet_raw_sendrecv_generic_if(xguest_t) - corenet_tcp_sendrecv_generic_node(xguest_t) - corenet_raw_sendrecv_generic_node(xguest_t) - - corenet_sendrecv_pulseaudio_client_packets(xguest_t) - corenet_tcp_connect_pulseaudio_port(xguest_t) - corenet_tcp_sendrecv_pulseaudio_port(xguest_t) - - corenet_sendrecv_http_client_packets(xguest_t) - corenet_tcp_connect_http_port(xguest_t) - corenet_tcp_sendrecv_http_port(xguest_t) - - corenet_sendrecv_http_cache_client_packets(xguest_t) - corenet_tcp_connect_http_cache_port(xguest_t) - corenet_tcp_sendrecv_http_cache_port(xguest_t) - - corenet_sendrecv_squid_client_packets(xguest_t) - corenet_tcp_connect_squid_port(xguest_t) - corenet_tcp_sendrecv_squid_port(xguest_t) - - corenet_sendrecv_ftp_client_packets(xguest_t) - corenet_tcp_connect_ftp_port(xguest_t) - corenet_tcp_sendrecv_ftp_port(xguest_t) - - corenet_sendrecv_ipp_client_packets(xguest_t) - corenet_tcp_connect_ipp_port(xguest_t) - corenet_tcp_sendrecv_ipp_port(xguest_t) - - corenet_sendrecv_generic_client_packets(xguest_t) - corenet_tcp_connect_generic_port(xguest_t) - corenet_tcp_sendrecv_generic_port(xguest_t) - - corenet_sendrecv_soundd_client_packets(xguest_t) - corenet_tcp_connect_soundd_port(xguest_t) - corenet_tcp_sendrecv_soundd_port(xguest_t) - - corenet_sendrecv_speech_client_packets(xguest_t) - corenet_tcp_connect_speech_port(xguest_t) - corenet_tcp_sendrecv_speech_port(xguest_t) - - corenet_sendrecv_transproxy_client_packets(xguest_t) - corenet_tcp_connect_transproxy_port(xguest_t) - corenet_tcp_sendrecv_transproxy_port(xguest_t) - - corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t) - corenet_dontaudit_tcp_bind_generic_port(xguest_t) - ') -') - -optional_policy(` - pcscd_read_pid_files(xguest_t) - pcscd_stream_connect(xguest_t) -') - -#gen_user(xguest_u,, xguest_r, s0, s0) diff --git a/policy/modules/contrib/xprint.fc b/policy/modules/contrib/xprint.fc deleted file mode 100644 index 6a857fff..00000000 --- a/policy/modules/contrib/xprint.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/Xprt -- gen_context(system_u:object_r:xprint_exec_t,s0) diff --git a/policy/modules/contrib/xprint.if b/policy/modules/contrib/xprint.if deleted file mode 100644 index f684288e..00000000 --- a/policy/modules/contrib/xprint.if +++ /dev/null @@ -1 +0,0 @@ -## <summary>A X11-based print system and API.</summary> diff --git a/policy/modules/contrib/xprint.te b/policy/modules/contrib/xprint.te deleted file mode 100644 index 3c44d849..00000000 --- a/policy/modules/contrib/xprint.te +++ /dev/null @@ -1,82 +0,0 @@ -policy_module(xprint, 1.7.0) - -######################################## -# -# Declarations -# - -type xprint_t; -type xprint_exec_t; -init_daemon_domain(xprint_t, xprint_exec_t) - -type xprint_var_run_t; -files_pid_file(xprint_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit xprint_t self:capability sys_tty_config; -allow xprint_t self:process signal_perms; -allow xprint_t self:fifo_file rw_fifo_file_perms; -allow xprint_t self:tcp_socket create_stream_socket_perms; -allow xprint_t self:udp_socket create_socket_perms; - -manage_files_pattern(xprint_t, xprint_var_run_t, xprint_var_run_t) -files_pid_filetrans(xprint_t, xprint_var_run_t, file) - -kernel_read_system_state(xprint_t) -kernel_read_kernel_sysctls(xprint_t) - -corecmd_exec_bin(xprint_t) -corecmd_exec_shell(xprint_t) - -corenet_all_recvfrom_unlabeled(xprint_t) -corenet_all_recvfrom_netlabel(xprint_t) -corenet_tcp_sendrecv_generic_if(xprint_t) -corenet_udp_sendrecv_generic_if(xprint_t) -corenet_tcp_sendrecv_generic_node(xprint_t) -corenet_udp_sendrecv_generic_node(xprint_t) -corenet_tcp_sendrecv_all_ports(xprint_t) -corenet_udp_sendrecv_all_ports(xprint_t) - -dev_read_sysfs(xprint_t) -dev_read_urand(xprint_t) - -domain_use_interactive_fds(xprint_t) - -files_read_etc_files(xprint_t) -files_read_etc_runtime_files(xprint_t) -files_read_usr_files(xprint_t) -files_search_var_lib(xprint_t) -files_search_tmp(xprint_t) - -fs_getattr_all_fs(xprint_t) -fs_search_auto_mountpoints(xprint_t) - -logging_send_syslog_msg(xprint_t) - -miscfiles_read_fonts(xprint_t) -miscfiles_read_localization(xprint_t) - -sysnet_read_config(xprint_t) - -userdom_dontaudit_use_unpriv_user_fds(xprint_t) -userdom_dontaudit_search_user_home_dirs(xprint_t) - -optional_policy(` - cups_read_config(xprint_t) -') - -optional_policy(` - nis_use_ypbind(xprint_t) -') - -optional_policy(` - seutil_sigchld_newrole(xprint_t) -') - -optional_policy(` - udev_read_db(xprint_t) -') diff --git a/policy/modules/contrib/xscreensaver.fc b/policy/modules/contrib/xscreensaver.fc deleted file mode 100644 index 29396daa..00000000 --- a/policy/modules/contrib/xscreensaver.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0) diff --git a/policy/modules/contrib/xscreensaver.if b/policy/modules/contrib/xscreensaver.if deleted file mode 100644 index 2e0b29b5..00000000 --- a/policy/modules/contrib/xscreensaver.if +++ /dev/null @@ -1,33 +0,0 @@ -## <summary>Modular screen saver and locker for X11.</summary> - -######################################## -## <summary> -## Role access for xscreensaver. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. -## </summary> -## </param> -# -interface(`xscreensaver_role',` - gen_require(` - attribute_role xscreensaver_roles; - type xscreensaver_t, xscreensaver_exec_t, xscreensaver_tmpfs_t; - ') - - roleattribute $1 xscreensaver_roles; - - domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t) - - allow $2 xscreensaver_t:process { ptrace signal_perms }; - ps_process_pattern($2, xscreensaver_t) - - allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms }; -') diff --git a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te deleted file mode 100644 index c9c96505..00000000 --- a/policy/modules/contrib/xscreensaver.te +++ /dev/null @@ -1,43 +0,0 @@ -policy_module(xscreensaver, 1.1.1) - -######################################## -# -# Declarations -# - -attribute_role xscreensaver_roles; - -type xscreensaver_t; -type xscreensaver_exec_t; -userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t) -role xscreensaver_roles types xscreensaver_t; - -type xscreensaver_tmpfs_t; -userdom_user_tmpfs_file(xscreensaver_tmpfs_t) - -######################################## -# -# Local policy -# - -allow xscreensaver_t self:process signal; -allow xscreensaver_t self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(xscreensaver_t) - -files_read_usr_files(xscreensaver_t) - -auth_use_nsswitch(xscreensaver_t) -auth_domtrans_chk_passwd(xscreensaver_t) - -init_read_utmp(xscreensaver_t) - -logging_send_audit_msgs(xscreensaver_t) -logging_send_syslog_msg(xscreensaver_t) - -miscfiles_read_localization(xscreensaver_t) - -userdom_use_user_terminals(xscreensaver_t) -userdom_read_user_home_content_files(xscreensaver_t) - -xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) diff --git a/policy/modules/contrib/yam.fc b/policy/modules/contrib/yam.fc deleted file mode 100644 index 74401d54..00000000 --- a/policy/modules/contrib/yam.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/yam\.conf -- gen_context(system_u:object_r:yam_etc_t,s0) - -/usr/bin/yam -- gen_context(system_u:object_r:yam_exec_t,s0) - -/var/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0) -/var/www/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0) diff --git a/policy/modules/contrib/yam.if b/policy/modules/contrib/yam.if deleted file mode 100644 index ba7c8c88..00000000 --- a/policy/modules/contrib/yam.if +++ /dev/null @@ -1,66 +0,0 @@ -## <summary>Yum/Apt Mirroring.</summary> - -######################################## -## <summary> -## Execute yam in the yam domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`yam_domtrans',` - gen_require(` - type yam_t, yam_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, yam_exec_t, yam_t) -') - -######################################## -## <summary> -## Execute yam in the yam domain, and -## allow the specified role the yam domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`yam_run',` - gen_require(` - attribute_role yam_roles; - ') - - yam_domtrans($1) - roleattribute $2 yam_roles; -') - -######################################## -## <summary> -## Read yam content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`yam_read_content',` - gen_require(` - type yam_content_t; - ') - - allow $1 yam_content_t:dir list_dir_perms; - read_files_pattern($1, yam_content_t, yam_content_t) - read_lnk_files_pattern($1, yam_content_t, yam_content_t) -') diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te deleted file mode 100644 index d837e887..00000000 --- a/policy/modules/contrib/yam.te +++ /dev/null @@ -1,96 +0,0 @@ -policy_module(yam, 1.4.1) - -######################################## -# -# Declarations -# - -attribute_role yam_roles; - -type yam_t alias yam_crond_t; -type yam_exec_t; -application_domain(yam_t, yam_exec_t) -role yam_roles types yam_t; - -type yam_content_t; -files_mountpoint(yam_content_t) - -type yam_etc_t; -files_config_file(yam_etc_t) - -type yam_tmp_t; -files_tmp_file(yam_tmp_t) - -######################################## -# -# Local policy -# - -allow yam_t self:capability { chown fowner fsetid dac_override }; -allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; -allow yam_t self:fd use; -allow yam_t self:fifo_file rw_fifo_file_perms; -allow yam_t self:unix_stream_socket { accept connectto listen }; -allow yam_t self:unix_dgram_socket sendto; - -manage_dirs_pattern(yam_t, yam_content_t, yam_content_t) -manage_files_pattern(yam_t, yam_content_t, yam_content_t) -manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t) - -allow yam_t yam_etc_t:file read_file_perms; - -manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t) -manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t) -files_tmp_filetrans(yam_t, yam_tmp_t, { file dir }) - -kernel_read_system_state(yam_t) - -corecmd_exec_bin(yam_t) -corecmd_exec_shell(yam_t) - -corenet_all_recvfrom_unlabeled(yam_t) -corenet_all_recvfrom_netlabel(yam_t) -corenet_tcp_sendrecv_generic_if(yam_t) -corenet_tcp_sendrecv_generic_node(yam_t) - -corenet_sendrecv_http_client_packets(yam_t) -corenet_tcp_connect_http_port(yam_t) -corenet_tcp_sendrecv_http_port(yam_t) - -corenet_sendrecv_rsync_client_packets(yam_t) -corenet_tcp_connect_rsync_port(yam_t) -corenet_tcp_sendrecv_rsync_port(yam_t) - -dev_read_urand(yam_t) - -files_read_etc_runtime_files(yam_t) -files_exec_usr_files(yam_t) - -fs_search_auto_mountpoints(yam_t) -fs_read_iso9660_files(yam_t) - -auth_use_nsswitch(yam_t) - -logging_send_syslog_msg(yam_t) - -miscfiles_read_localization(yam_t) - -seutil_read_config(yam_t) - -userdom_use_user_terminals(yam_t) -userdom_use_unpriv_users_fds(yam_t) -userdom_search_user_home_dirs(yam_t) - -apache_search_sys_content(yam_t) - -optional_policy(` - cron_system_entry(yam_t, yam_exec_t) -') - -optional_policy(` - mount_domtrans(yam_t) -') - -optional_policy(` - rsync_exec(yam_t) -') diff --git a/policy/modules/contrib/zabbix.fc b/policy/modules/contrib/zabbix.fc deleted file mode 100644 index ce10cb18..00000000 --- a/policy/modules/contrib/zabbix.fc +++ /dev/null @@ -1,15 +0,0 @@ -/etc/rc\.d/init\.d/((zabbix)|(zabbix-server)) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) -/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) - -/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) -/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) - -/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) -/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) -/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) -/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) -/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) - -/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) - -/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if deleted file mode 100644 index dd63de02..00000000 --- a/policy/modules/contrib/zabbix.if +++ /dev/null @@ -1,165 +0,0 @@ -## <summary>Distributed infrastructure monitoring.</summary> - -######################################## -## <summary> -## Execute a domain transition to run zabbix. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`zabbix_domtrans',` - gen_require(` - type zabbix_t, zabbix_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zabbix_exec_t, zabbix_t) -') - -######################################## -## <summary> -## Connect to zabbit on the TCP network. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`zabbix_tcp_connect',` - gen_require(` - type zabbix_t; - ') - - corenet_sendrecv_zabbix_client_packets($1) - corenet_tcp_connect_zabbix_port($1) - corenet_tcp_recvfrom_labeled($1, zabbix_t) - corenet_tcp_sendrecv_zabbix_port($1) -') - -######################################## -## <summary> -## Read zabbix log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`zabbix_read_log',` - gen_require(` - type zabbix_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, zabbix_log_t, zabbix_log_t) -') - -######################################## -## <summary> -## Append zabbix log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`zabbix_append_log',` - gen_require(` - type zabbix_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, zabbix_log_t, zabbix_log_t) -') - -######################################## -## <summary> -## Read zabbix pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`zabbix_read_pid_files',` - gen_require(` - type zabbix_var_run_t; - ') - - files_search_pids($1) - allow $1 zabbix_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Connect to zabbix agent on the TCP network. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`zabbix_agent_tcp_connect',` - gen_require(` - type zabbix_agent_t; - ') - - corenet_sendrecv_zabbix_agent_client_packets($1) - corenet_tcp_connect_zabbix_agent_port($1) - corenet_tcp_recvfrom_labeled($1, zabbix_t) - corenet_tcp_sendrecv_zabbix_agent_port($1) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an zabbix environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`zabbix_admin',` - gen_require(` - type zabbix_t, zabbix_log_t, zabbix_var_run_t; - type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t; - type zabbit_tmpfs_t; - ') - - allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { zabbix_t zabbix_agent_t }) - - init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, zabbix_log_t) - - files_list_pids($1) - admin_pattern($1, zabbix_var_run_t) - - files_list_tmp($1) - admin_pattern($1, zabbix_tmp_t) - - fs_list_tmpfs($1) - admin_pattern($1, zabbix_tmpfs_t) -') diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te deleted file mode 100644 index 46e4cd35..00000000 --- a/policy/modules/contrib/zabbix.te +++ /dev/null @@ -1,197 +0,0 @@ -policy_module(zabbix, 1.5.3) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether zabbix can -## connect to all TCP ports -## </p> -## </desc> -gen_tunable(zabbix_can_network, false) - -type zabbix_t; -type zabbix_exec_t; -init_daemon_domain(zabbix_t, zabbix_exec_t) - -type zabbix_initrc_exec_t; -init_script_file(zabbix_initrc_exec_t) - -type zabbix_agent_t; -type zabbix_agent_exec_t; -init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) - -type zabbix_agent_initrc_exec_t; -init_script_file(zabbix_agent_initrc_exec_t) - -type zabbix_log_t; -logging_log_file(zabbix_log_t) - -type zabbix_tmp_t; -files_tmp_file(zabbix_tmp_t) - -type zabbix_tmpfs_t; -files_tmpfs_file(zabbix_tmpfs_t) - -type zabbix_var_run_t; -files_pid_file(zabbix_var_run_t) - -######################################## -# -# Local policy -# - -allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; -allow zabbix_t self:process { setsched signal_perms }; -allow zabbix_t self:fifo_file rw_fifo_file_perms; -allow zabbix_t self:unix_stream_socket create_stream_socket_perms; -allow zabbix_t self:sem create_sem_perms; -allow zabbix_t self:shm create_shm_perms; -allow zabbix_t self:tcp_socket create_stream_socket_perms; - -allow zabbix_t zabbix_log_t:dir setattr_dir_perms; -append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -logging_log_filetrans(zabbix_t, zabbix_log_t, file) - -manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file }) - -rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) -fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) - -manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) -manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) -files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) - -kernel_read_system_state(zabbix_t) -kernel_read_kernel_sysctls(zabbix_t) - -corenet_all_recvfrom_unlabeled(zabbix_t) -corenet_all_recvfrom_netlabel(zabbix_t) -corenet_tcp_sendrecv_generic_if(zabbix_t) -corenet_tcp_sendrecv_generic_node(zabbix_t) -corenet_tcp_bind_generic_node(zabbix_t) - -corenet_sendrecv_ftp_client_packets(zabbix_t) -corenet_tcp_connect_ftp_port(zabbix_t) -corenet_tcp_sendrecv_ftp_port(zabbix_t) - -corenet_sendrecv_http_client_packets(zabbix_t) -corenet_tcp_connect_http_port(zabbix_t) -corenet_tcp_sendrecv_http_port(zabbix_t) - -corenet_sendrecv_zabbix_server_packets(zabbix_t) -corenet_tcp_bind_zabbix_port(zabbix_t) -corenet_tcp_sendrecv_zabbix_port(zabbix_t) - -corecmd_exec_bin(zabbix_t) -corecmd_exec_shell(zabbix_t) - -dev_read_urand(zabbix_t) - -files_read_usr_files(zabbix_t) - -auth_use_nsswitch(zabbix_t) - -miscfiles_read_localization(zabbix_t) - -zabbix_agent_tcp_connect(zabbix_t) - -tunable_policy(`zabbix_can_network',` - corenet_sendrecv_all_client_packets(zabbix_t) - corenet_tcp_connect_all_ports(zabbix_t) - corenet_tcp_sendrecv_all_ports(zabbix_t) -') - -optional_policy(` - netutils_domtrans_ping(zabbix_t) -') - -optional_policy(` - mysql_stream_connect(zabbix_t) - mysql_tcp_connect(zabbix_t) -') - -optional_policy(` - postgresql_stream_connect(zabbix_t) - postgresql_tcp_connect(zabbix_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(zabbix_t) -') - -######################################## -# -# Agent local policy -# - -allow zabbix_agent_t self:capability { setuid setgid }; -allow zabbix_agent_t self:process { setsched getsched signal }; -allow zabbix_agent_t self:fifo_file rw_fifo_file_perms; -allow zabbix_agent_t self:sem create_sem_perms; -allow zabbix_agent_t self:shm create_shm_perms; -allow zabbix_agent_t self:tcp_socket { accept listen }; -allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; - -append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file) - -rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) -fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) - -manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) -files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) - -kernel_read_all_sysctls(zabbix_agent_t) -kernel_read_system_state(zabbix_agent_t) - -corecmd_read_all_executables(zabbix_agent_t) - -corenet_all_recvfrom_unlabeled(zabbix_agent_t) -corenet_all_recvfrom_netlabel(zabbix_agent_t) -corenet_tcp_sendrecv_generic_if(zabbix_agent_t) -corenet_tcp_sendrecv_generic_node(zabbix_agent_t) -corenet_tcp_bind_generic_node(zabbix_agent_t) - -corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) -corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -corenet_tcp_sendrecv_zabbix_agent_port(zabbix_agent_t) - -corenet_sendrecv_ssh_client_packets(zabbix_agent_t) -corenet_tcp_connect_ssh_port(zabbix_agent_t) -corenet_tcp_sendrecv_ssh_port(zabbix_agent_t) - -corenet_sendrecv_zabbix_client_packets(zabbix_agent_t) -corenet_tcp_connect_zabbix_port(zabbix_agent_t) -corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) - -dev_getattr_all_blk_files(zabbix_agent_t) -dev_getattr_all_chr_files(zabbix_agent_t) - -domain_search_all_domains_state(zabbix_agent_t) - -files_getattr_all_dirs(zabbix_agent_t) -files_getattr_all_files(zabbix_agent_t) -files_read_all_symlinks(zabbix_agent_t) -files_read_etc_files(zabbix_agent_t) - -fs_getattr_all_fs(zabbix_agent_t) - -init_read_utmp(zabbix_agent_t) - -logging_search_logs(zabbix_agent_t) - -miscfiles_read_localization(zabbix_agent_t) - -sysnet_dns_name_resolve(zabbix_agent_t) - -zabbix_tcp_connect(zabbix_agent_t) diff --git a/policy/modules/contrib/zarafa.fc b/policy/modules/contrib/zarafa.fc deleted file mode 100644 index faf99ed5..00000000 --- a/policy/modules/contrib/zarafa.fc +++ /dev/null @@ -1,33 +0,0 @@ -/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) - -/etc/rc\.d/init\.d/zarafa.* -- gen_context(system_u:object_r:zarafa_initrc_exec_t,s0) - -/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) -/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) -/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) -/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) -/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) -/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) -/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) - -/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) -/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) -/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) - -/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) -/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) -/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) -/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) -/var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) -/var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0) -/var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) - -/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0) -/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) -/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) -/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) -/var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) -/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) -/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if deleted file mode 100644 index 36e32df6..00000000 --- a/policy/modules/contrib/zarafa.if +++ /dev/null @@ -1,174 +0,0 @@ -## <summary>Zarafa collaboration platform.</summary> - -####################################### -## <summary> -## The template to define a zarafa domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`zarafa_domain_template',` - gen_require(` - attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; - ') - - ######################################## - # - # Declarations - # - - type zarafa_$1_t, zarafa_domain; - type zarafa_$1_exec_t; - init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) - - type zarafa_$1_log_t, zarafa_logfile; - logging_log_file(zarafa_$1_log_t) - - type zarafa_$1_var_run_t, zarafa_pidfile; - files_pid_file(zarafa_$1_var_run_t) - - ######################################## - # - # Policy - # - - manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) - - append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file) - - auth_use_nsswitch(zarafa_$1_t) -') - -###################################### -## <summary> -## search zarafa configuration directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`zarafa_search_config',` - gen_require(` - type zarafa_etc_t; - ') - - files_search_etc($1) - allow $1 zarafa_etc_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Execute a domain transition to run zarafa deliver. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`zarafa_domtrans_deliver',` - gen_require(` - type zarafa_deliver_t, zarafa_deliver_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) -') - -######################################## -## <summary> -## Execute a domain transition to run zarafa server. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`zarafa_domtrans_server',` - gen_require(` - type zarafa_server_t, zarafa_server_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) -') - -####################################### -## <summary> -## Connect to zarafa server with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`zarafa_stream_connect_server',` - gen_require(` - type zarafa_server_t, zarafa_server_var_run_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an zarafa environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`zarafa_admin',` - gen_require(` - attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; - type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t; - type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t; - type zarafa_var_lib_t; - ') - - allow $1 zarafa_domain:process { ptrace signal_perms }; - ps_process_pattern($1, zarafa_domain) - - init_labeled_script_domtrans($1, zarafa_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 zarafa_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, zarafa_etc_t) - - files_search_tmp($1) - admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t }) - - logging_search_log($1) - admin_pattern($1, zarafa_logfile) - - files_search_var_lib($1) - admin_pattern($1, { zarafa_var_lib_t zarafa_share_t }) - - files_search_pids($1) - admin_pattern($1, zarafa_pidfile) -') diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te deleted file mode 100644 index a4479b1d..00000000 --- a/policy/modules/contrib/zarafa.te +++ /dev/null @@ -1,178 +0,0 @@ -policy_module(zarafa, 1.1.4) - -######################################## -# -# Declarations -# - -attribute zarafa_domain; -attribute zarafa_logfile; -attribute zarafa_pidfile; - -zarafa_domain_template(deliver) - -type zarafa_deliver_tmp_t; -files_tmp_file(zarafa_deliver_tmp_t) - -type zarafa_etc_t; -files_config_file(zarafa_etc_t) - -type zarafa_initrc_exec_t; -init_script_file(zarafa_initrc_exec_t) - -zarafa_domain_template(gateway) -zarafa_domain_template(ical) -zarafa_domain_template(indexer) - -type zarafa_indexer_tmp_t; -files_tmp_file(zarafa_indexer_tmp_t) - -zarafa_domain_template(monitor) -zarafa_domain_template(server) - -type zarafa_server_tmp_t; -files_tmp_file(zarafa_server_tmp_t) - -type zarafa_share_t; -files_type(zarafa_share_t) - -zarafa_domain_template(spooler) - -type zarafa_var_lib_t; -files_tmp_file(zarafa_var_lib_t) - -######################################## -# -# Deliver local policy -# - -manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) -manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) -files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) - -######################################## -# -# Gateway local policy -# - -corenet_all_recvfrom_unlabeled(zarafa_gateway_t) -corenet_all_recvfrom_netlabel(zarafa_gateway_t) -corenet_tcp_sendrecv_generic_if(zarafa_gateway_t) -corenet_tcp_sendrecv_generic_node(zarafa_gateway_t) -corenet_tcp_bind_generic_node(zarafa_gateway_t) - -corenet_sendrecv_pop_server_packets(zarafa_gateway_t) -corenet_tcp_bind_pop_port(zarafa_gateway_t) -corenet_tcp_sendrecv_pop_port(zarafa_gateway_t) - -####################################### -# -# Ical local policy -# - -corenet_all_recvfrom_unlabeled(zarafa_ical_t) -corenet_all_recvfrom_netlabel(zarafa_ical_t) -corenet_tcp_sendrecv_generic_if(zarafa_ical_t) -corenet_tcp_sendrecv_generic_node(zarafa_ical_t) -corenet_tcp_bind_generic_node(zarafa_ical_t) - -corenet_sendrecv_http_cache_client_packets(zarafa_ical_t) -corenet_tcp_bind_http_cache_port(zarafa_ical_t) -corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t) - -###################################### -# -# Indexer local policy -# - -manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) -manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) -files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir }) - -manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) -manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) -manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) - -######################################## -# -# Server local policy -# - -manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) -manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) -files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) - -manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) -manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) -manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) -files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }) - -stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) - -corenet_all_recvfrom_unlabeled(zarafa_server_t) -corenet_all_recvfrom_netlabel(zarafa_server_t) -corenet_tcp_sendrecv_generic_if(zarafa_server_t) -corenet_tcp_sendrecv_generic_node(zarafa_server_t) -corenet_tcp_bind_generic_node(zarafa_server_t) - -corenet_sendrecv_zarafa_server_packets(zarafa_server_t) -corenet_tcp_bind_zarafa_port(zarafa_server_t) -corenet_tcp_sendrecv_zarafa_port(zarafa_server_t) - -files_read_usr_files(zarafa_server_t) - -logging_send_audit_msgs(zarafa_server_t) - -optional_policy(` - kerberos_use(zarafa_server_t) -') - -optional_policy(` - mysql_stream_connect(zarafa_server_t) - mysql_tcp_connect(zarafa_server_t) -') - -optional_policy(` - postgresql_stream_connect(zarafa_server_t) - postgresql_tcp_connect(zarafa_server_t) -') - -######################################## -# -# Spooler local policy -# - -can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) - -corenet_all_recvfrom_unlabeled(zarafa_spooler_t) -corenet_all_recvfrom_netlabel(zarafa_spooler_t) -corenet_tcp_sendrecv_generic_if(zarafa_spooler_t) -corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) - -corenet_sendrecv_smtp_client_packets(zarafa_spooler_t) -corenet_tcp_connect_smtp_port(zarafa_spooler_t) -corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) - -######################################## -# -# Zarafa domain local policy -# - -allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; -allow zarafa_domain self:process { setrlimit signal }; -allow zarafa_domain self:fifo_file rw_fifo_file_perms; -allow zarafa_domain self:tcp_socket { accept listen }; -allow zarafa_domain self:unix_stream_socket { accept listen }; - -stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) - -read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) - -kernel_read_system_state(zarafa_domain) - -dev_read_rand(zarafa_domain) -dev_read_urand(zarafa_domain) - -logging_send_syslog_msg(zarafa_domain) - -miscfiles_read_localization(zarafa_domain) diff --git a/policy/modules/contrib/zebra.fc b/policy/modules/contrib/zebra.fc deleted file mode 100644 index 28ee4cac..00000000 --- a/policy/modules/contrib/zebra.fc +++ /dev/null @@ -1,21 +0,0 @@ -/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) -/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) - -/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) - -/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) -/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0) -/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) -/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) - -/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) -/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) - -/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) -/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) -/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if deleted file mode 100644 index 34164017..00000000 --- a/policy/modules/contrib/zebra.if +++ /dev/null @@ -1,88 +0,0 @@ -## <summary>Zebra border gateway protocol network routing service.</summary> - -######################################## -## <summary> -## Read zebra configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`zebra_read_config',` - gen_require(` - type zebra_conf_t; - ') - - files_search_etc($1) - allow $1 zebra_conf_t:dir list_dir_perms; - allow $1 zebra_conf_t:file read_file_perms; - allow $1 zebra_conf_t:lnk_file read_lnk_file_perms; -') - -######################################## -## <summary> -## Connect to zebra with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`zebra_stream_connect',` - gen_require(` - type zebra_t, zebra_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an zebra environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`zebra_admin',` - gen_require(` - type zebra_t, zebra_tmp_t, zebra_log_t; - type zebra_conf_t, zebra_var_run_t; - type zebra_initrc_exec_t; - ') - - allow $1 zebra_t:process { ptrace signal_perms }; - ps_process_pattern($1, zebra_t) - - init_labeled_script_domtrans($1, zebra_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 zebra_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, zebra_conf_t) - - logging_list_logs($1) - admin_pattern($1, zebra_log_t) - - files_list_tmp($1) - admin_pattern($1, zebra_tmp_t) - - files_list_pids($1) - admin_pattern($1, zebra_var_run_t) -') diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te deleted file mode 100644 index b0803c2f..00000000 --- a/policy/modules/contrib/zebra.te +++ /dev/null @@ -1,141 +0,0 @@ -policy_module(zebra, 1.12.1) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether zebra daemon can -## manage its configuration files. -## </p> -## </desc> -gen_tunable(allow_zebra_write_config, false) - -type zebra_t; -type zebra_exec_t; -init_daemon_domain(zebra_t, zebra_exec_t) - -type zebra_conf_t; -files_type(zebra_conf_t) - -type zebra_initrc_exec_t; -init_script_file(zebra_initrc_exec_t) - -type zebra_log_t; -logging_log_file(zebra_log_t) - -type zebra_tmp_t; -files_tmp_file(zebra_tmp_t) - -type zebra_var_run_t; -files_pid_file(zebra_var_run_t) - -######################################## -# -# Local policy -# - -allow zebra_t self:capability { setgid setuid net_admin net_raw }; -dontaudit zebra_t self:capability sys_tty_config; -allow zebra_t self:process { signal_perms getcap setcap }; -allow zebra_t self:fifo_file rw_fifo_file_perms; -allow zebra_t self:unix_stream_socket { accept connectto listen }; -allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; -allow zebra_t self:tcp_socket { connect connected_stream_socket_perms }; -allow zebra_t self:udp_socket create_socket_perms; -allow zebra_t self:rawip_socket create_socket_perms; - -allow zebra_t zebra_conf_t:dir list_dir_perms; -allow zebra_t zebra_conf_t:file read_file_perms; -allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms; - -allow zebra_t zebra_log_t:dir setattr_dir_perms; -append_files_pattern(zebra_t, zebra_log_t, zebra_log_t) -create_files_pattern(zebra_t, zebra_log_t, zebra_log_t) -setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t) -manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) -logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) - -allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; -files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) - -manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) -manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) -manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) -files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file }) - -kernel_read_system_state(zebra_t) -kernel_read_network_state(zebra_t) -kernel_read_kernel_sysctls(zebra_t) -kernel_rw_net_sysctls(zebra_t) - -corenet_all_recvfrom_unlabeled(zebra_t) -corenet_all_recvfrom_netlabel(zebra_t) -corenet_tcp_sendrecv_generic_if(zebra_t) -corenet_udp_sendrecv_generic_if(zebra_t) -corenet_raw_sendrecv_generic_if(zebra_t) -corenet_tcp_sendrecv_generic_node(zebra_t) -corenet_udp_sendrecv_generic_node(zebra_t) -corenet_raw_sendrecv_generic_node(zebra_t) -corenet_tcp_bind_generic_node(zebra_t) -corenet_udp_bind_generic_node(zebra_t) - -corenet_sendrecv_bgp_server_packets(zebra_t) -corenet_tcp_bind_bgp_port(zebra_t) -corenet_sendrecv_bgp_client_packets(zebra_t) -corenet_tcp_connect_bgp_port(zebra_t) -corenet_tcp_sendrecv_bgp_port(zebra_t) - -corenet_sendrecv_zebra_server_packets(zebra_t) -corenet_tcp_bind_zebra_port(zebra_t) -corenet_tcp_sendrecv_zebra_port(zebra_t) - -corenet_sendrecv_router_server_packets(zebra_t) -corenet_udp_bind_router_port(zebra_t) -corenet_udp_sendrecv_router_port(zebra_t) - -dev_associate_usbfs(zebra_var_run_t) -dev_list_all_dev_nodes(zebra_t) -dev_read_sysfs(zebra_t) -dev_rw_zero(zebra_t) - -domain_use_interactive_fds(zebra_t) - -files_read_etc_files(zebra_t) -files_read_etc_runtime_files(zebra_t) - -fs_getattr_all_fs(zebra_t) -fs_search_auto_mountpoints(zebra_t) - -term_list_ptys(zebra_t) - -logging_send_syslog_msg(zebra_t) - -miscfiles_read_localization(zebra_t) - -sysnet_read_config(zebra_t) - -userdom_dontaudit_use_unpriv_user_fds(zebra_t) -userdom_dontaudit_search_user_home_dirs(zebra_t) - -tunable_policy(`allow_zebra_write_config',` - manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) -') - -optional_policy(` - nis_use_ypbind(zebra_t) -') - -optional_policy(` - rpm_read_pipes(zebra_t) -') - -optional_policy(` - seutil_sigchld_newrole(zebra_t) -') - -optional_policy(` - udev_read_db(zebra_t) -') diff --git a/policy/modules/contrib/zosremote.fc b/policy/modules/contrib/zosremote.fc deleted file mode 100644 index 7a7fc614..00000000 --- a/policy/modules/contrib/zosremote.fc +++ /dev/null @@ -1,3 +0,0 @@ -/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) - -/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) diff --git a/policy/modules/contrib/zosremote.if b/policy/modules/contrib/zosremote.if deleted file mode 100644 index b14698c4..00000000 --- a/policy/modules/contrib/zosremote.if +++ /dev/null @@ -1,46 +0,0 @@ -## <summary>z/OS Remote-services Audit dispatcher plugin.</summary> - -######################################## -## <summary> -## Execute a domain transition to run audispd-zos-remote. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`zosremote_domtrans',` - gen_require(` - type zos_remote_t, zos_remote_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) -') - -######################################## -## <summary> -## Execute zos remote in the zos remote -## domain, and allow the specified role -## the zos remote domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`zosremote_run',` - gen_require(` - attribute_role zos_remote_roles; - ') - - zosremote_domtrans($1) - roleattribute $2 zos_remote_roles; -') diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te deleted file mode 100644 index 9ba9f819..00000000 --- a/policy/modules/contrib/zosremote.te +++ /dev/null @@ -1,29 +0,0 @@ -policy_module(zosremote, 1.1.1) - -######################################## -# -# Declarations -# - -attribute_role zos_remote_roles; - -type zos_remote_t; -type zos_remote_exec_t; -init_system_domain(zos_remote_t, zos_remote_exec_t) -logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) -role zos_remote_roles types zos_remote_t; - -######################################## -# -# Local policy -# - -allow zos_remote_t self:process signal; -allow zos_remote_t self:fifo_file rw_file_perms; -allow zos_remote_t self:unix_stream_socket { accept listen }; - -auth_use_nsswitch(zos_remote_t) - -miscfiles_read_localization(zos_remote_t) - -logging_send_syslog_msg(zos_remote_t) |