1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
policy_module(gift, 2.3.0)
########################################
#
# Declarations
#
type gift_t;
type gift_exec_t;
typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
typealias gift_t alias { auditadm_gift_t secadm_gift_t };
userdom_user_application_domain(gift_t, gift_exec_t)
type gift_home_t;
typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
userdom_user_home_content(gift_home_t)
type gift_tmpfs_t;
typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
userdom_user_tmpfs_file(gift_tmpfs_t)
type giftd_t;
type giftd_exec_t;
typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
userdom_user_application_domain(giftd_t, giftd_exec_t)
##############################
#
# giFT user interface local policy
#
allow gift_t self:tcp_socket create_socket_perms;
manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
manage_files_pattern(gift_t, gift_home_t, gift_home_t)
manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
# Launch gift daemon
domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
# Read /proc/meminfo
kernel_read_system_state(gift_t)
# Connect to gift daemon
corenet_all_recvfrom_unlabeled(gift_t)
corenet_all_recvfrom_netlabel(gift_t)
corenet_tcp_sendrecv_generic_if(gift_t)
corenet_tcp_sendrecv_generic_node(gift_t)
corenet_tcp_sendrecv_giftd_port(gift_t)
corenet_tcp_connect_giftd_port(gift_t)
corenet_sendrecv_giftd_client_packets(gift_t)
fs_search_auto_mountpoints(gift_t)
sysnet_read_config(gift_t)
# giftui looks in .icons, .themes.
userdom_dontaudit_read_user_home_content_files(gift_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gift_t)
fs_manage_nfs_files(gift_t)
fs_manage_nfs_symlinks(gift_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(gift_t)
fs_manage_cifs_files(gift_t)
fs_manage_cifs_symlinks(gift_t)
')
optional_policy(`
nscd_socket_use(gift_t)
')
optional_policy(`
xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
')
##############################
#
# giFT server local policy
#
allow giftd_t self:process { signal setsched };
allow giftd_t self:unix_stream_socket create_socket_perms;
allow giftd_t self:tcp_socket create_stream_socket_perms;
allow giftd_t self:udp_socket create_socket_perms;
manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
kernel_read_system_state(giftd_t)
kernel_read_kernel_sysctls(giftd_t)
# Serve content on various p2p networks. Ports can be random.
corenet_all_recvfrom_unlabeled(giftd_t)
corenet_all_recvfrom_netlabel(giftd_t)
corenet_tcp_sendrecv_generic_if(giftd_t)
corenet_udp_sendrecv_generic_if(giftd_t)
corenet_tcp_sendrecv_generic_node(giftd_t)
corenet_udp_sendrecv_generic_node(giftd_t)
corenet_tcp_sendrecv_all_ports(giftd_t)
corenet_udp_sendrecv_all_ports(giftd_t)
corenet_tcp_bind_generic_node(giftd_t)
corenet_udp_bind_generic_node(giftd_t)
corenet_tcp_bind_all_ports(giftd_t)
corenet_udp_bind_all_ports(giftd_t)
corenet_tcp_connect_all_ports(giftd_t)
corenet_sendrecv_all_client_packets(giftd_t)
files_read_usr_files(giftd_t)
# Read /etc/mtab
files_read_etc_runtime_files(giftd_t)
miscfiles_read_localization(giftd_t)
sysnet_read_config(giftd_t)
userdom_use_user_terminals(giftd_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(giftd_t)
fs_manage_nfs_files(giftd_t)
fs_manage_nfs_symlinks(giftd_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(giftd_t)
fs_manage_cifs_files(giftd_t)
fs_manage_cifs_symlinks(giftd_t)
')
|
GitWeb