SELinux Mailing List: Latest diffs
From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Thu, 10 Feb 2005 18:24:01 -0500
Added dnssec for DNS key files to be shared between named and dhcpd. Added Java VM policy. Lots of new textrel_shlib_t specs. Fixes to mailman policy to allow creation of new lists. Added mplayer policy. Fixes to make postfix work in targeted policy. Fixes to allow nmap to run under traceroute policy. Added file_browse_domain macro. Added access_terminal macro. Added legacy_domain macro. Stop httpd_sys_script_t from transitioning in targeted policy if httpd_disable_trans is set. Cleanup of tmpreaper; additional tmpfile file_contexts. Fixes for execmem and execmod. Fixes to Makefile to create homedir_template. Fixes to unconfined.te for targeted policy to allow sigchld and fd use.
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.21.12/attrib.te
--- nsapolicy/attrib.te 2005-02-09 15:01:31.000000000 -0500
@@ -221,6 +221,11 @@
 # appropriate.
 attribute file_type;
+# The secure_file_type attribute identifies files
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.21.12/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-02-10 14:48:38.000000000 -0500
@@ -38,14 +38,14 @@
 dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
-ifdef(`distro_suse', `
-')
+');
 ')dnl end hide_broken_symptoms
+ifdef(`targeted_policy', `
+allow ldconfig_t lib_t:file r_file_perms;
+unconfined_domain(ldconfig_t)
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.21.12/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te 2005-02-09 15:01:28.000000000 -0500
@@ -103,3 +103,5 @@
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
 dontaudit syslogd_t unlabeled_t:file read;
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
+allow syslogd_t self:capability net_admin;
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.21.12/domains/program/tmpreaper.te
--- nsapolicy/domains/program/tmpreaper.te 2005-02-10 14:48:38.000000000 -0500
@@ -28,15 +28,6 @@
 r_dir_file(tmpreaper_t, var_lib_t)
 allow tmpreaper_t device_t:dir { getattr search };
 allow tmpreaper_t urandom_device_t:chr_file { getattr read };
-rw_dir_file(tmpreaper_t, var_spool_t)
-allow tmpreaper_t var_spool_t:dir setattr;
-allow tmpreaper_t print_spool_t:dir setattr;
-rw_dir_file(tmpreaper_t, print_spool_t)
-ifdef(`distro_redhat', `
-# for the Red Hat tmpreaper program which also manages tetex indexes
-create_dir_file(tmpreaper_t, tetex_data_t)
-allow tmpreaper_t catman_t:dir setattr;
-')
 read_locale(tmpreaper_t)
-
+dontaudit tmpreaper_t init_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.12/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-02-10 14:48:39.000000000 -0500
@@ -305,7 +305,7 @@
 # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
 # This is a bug but it still exists in FC2
 #
-type httpd_runtime_t, file_type, sysadmfile;
+typealias httpd_log_t alias httpd_runtime_t;
 allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
 ') dnl distro_redhat
 #
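Review bot: `allow ldconfig_t lib_t:file r_file_perms;` in the new `ifdef(`targeted_policy'` block is redundant once `unconfined_domain(ldconfig_t)` on the next line takes effect, given that the global_macros.te comment visible on this page describes unconfined_domain as a domain that "can do anything". Making ldconfig unconfined in the targeted policy is a deliberate loss of confinement for a program that rewrites the loader cache, and neither the hunk nor the commit message records why; a comment such as `# targeted: ldconfig runs unconfined because <reason>` would keep a later cleanup from re-confining it blindly. The hunk is also damaged on this page (`-') +'); ')dnl end hide_broken_symptoms` does not reconcile with the -38,14 +38,14 counts), so the surrounding ifdef nesting cannot be checked here.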
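Review bot: `allow syslogd_t self:capability net_admin;` grants CAP_NET_ADMIN, which reaches far beyond the `netlink_route_socket r_netlink_socket_perms` read access added on the following line, and the hunk carries no comment while the commit message does not mention syslogd at all. If the trigger was a denial while syslogd opens the route socket, the narrower permission that was actually denied, or a dontaudit, is the usual first choice; if net_admin is genuinely required, a comment naming the operation that needs it (`# net_admin: required for <operation> — confirm`) should sit above the rule.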
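Review bot: `typealias httpd_log_t alias httpd_runtime_t;` folds the jk2 shared-memory type into the log type, so the unchanged context line `allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };` now grants httpd_sys_script_t append on every httpd_log_t file instead of on the one runtime file. The mailman section later on this page shows `dontaudit mailman_cgi_t httpd_log_t:file append;`, which suggests script-to-log writes were being treated as noise rather than as intended access. If the alias stays, narrow the allow to `allow httpd_t httpd_runtime_t:file { getattr append };`, or add a comment stating that CGI scripts appending to Apache logs is accepted.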
@@ -322,7 +322,7 @@
 create_dir_file(httpd_t, httpd_squirrelmail_t)
 allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
 # File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile;
+type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
 allow httpd_t var_spool_t:dir { getattr search };
 create_dir_file(httpd_t, squirrelmail_spool_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.21.12/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te 2005-02-09 15:01:29.000000000 -0500
@@ -44,9 +44,6 @@
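Review bot: Adding the `tmpfile` attribute to `squirrelmail_spool_t` makes every rule written against that attribute apply to the mail-attachment spool, not only whatever motivated this change; on this page alone the mozilla_macros.te hunk carries an attribute-wide `dontaudit $1_mozilla_t tmpfile:dir setattr;`, and the tmpreaper hunk removes its explicit var_spool_t rules, presumably because tmpreaper now acts on the attribute instead (confirm). If the intent is only to let tmpreaper expire old attachments, say so above the type line (`# tmpfile: lets tmpreaper expire old attachments`) and check the other tmpfile consumers for unintended access to attachment contents.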
# Create device files in /tmp.
-ifdef(`tmpreaper.te', `
-allow tmpreaper_t cardmgr_dev_t:chr_file { getattr unlink };
-')
 file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
# Create symbolic links in /dev.
--- nsapolicy/domains/program/unused/cups.te 2005-02-10 14:48:39.000000000 -0500
@@ -33,10 +33,8 @@
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
-ifdef(`usbmodules.te', `
ifdef(`logrotate.te', `
--- nsapolicy/domains/program/unused/dhcpd.te 2005-02-09 15:01:28.000000000 -0500
@@ -75,3 +75,8 @@
 ')
 r_dir_file(dhcpd_t, usr_t)
 allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+
+ifdef(`named.te', `
+allow dhcpd_t { named_conf_t named_zone_t }:dir search;
+allow dhcpd_t dnssec_t:file { getattr read };
+')
di
ff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.21.12/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te 2005-02-10 14:48:39.000000000 -0500
@@ -90,9 +90,7 @@
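Review bot: `allow dhcpd_t dnssec_t:file { getattr read };` lets dhcpd read every file labelled dnssec_t, while the commit message describes sharing key files between named and dhcpd; if named also keeps its zone-signing keys under that type, a network-facing daemon can now read material it does not need. A dedicated type for the key dhcpd actually uses (presumably the dynamic-update key — confirm) would be tighter; failing that, a comment in the hunk (`# read the update key shared with named; note dnssec_t also labels ...`) should state what else the type covers. The `named_zone_t:dir search` grant on the preceding line is directory search only and looks proportionate.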
dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
dontaudit ftpd_t selinux_config_t:dir search;
-ifdef(`automount.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/java.te policy-1.21.12/domains/program/unused/java.te
--- nsapolicy/domains/program/unused/java.te 1969-12-31 19:00:00.000000000 -0500
@@ -0,0 +1,14 @@
+#DESC Java VM
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+# X-Debian-Packages: java
+#
+
+# Type for the netscape, java or other browser executables.
+type java_exec_t, file_type, sysadmfile, exec_type;
+
+# Allow java to read files in the user home directory
+bool disable_java false;
+
+# Everything else is in the java_domain macro in
+# macros/program/java_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.21.12/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te 2005-02-09 15:01:29.000000000 -0500
@@ -23,7 +23,7 @@
 can_exec(kadmind_t, kadmind_exec_t)
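Review bot: The comment `# Allow java to read files in the user home directory` sits above `bool disable_java false;` but does not describe that declaration, and `# Type for the netscape, java or other browser executables.` reads like a leftover from the mozilla policy. Given the `transitionbool` attribute on `$1_java_t` in the java_macros.te hunk later on this page, the boolean presumably switches off the transition into the java domain (confirm against the macro that consumes `disable_java`, which is not on this page); suggested wording is `# Boolean: when true, do not transition into the java domain` and `# Type for the java executable.`.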
# types for general configuration files in /etc
-type krb5_keytab_t, file_type, sysadmfile;
# types for KDC configs and principal file(s)
 type krb5kdc_conf_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.21.12/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te 2005-02-09 15:01:28.000000000 -0500
@@ -20,7 +20,7 @@
 can_exec_any(mailman_$1_t)
 allow mailman_$1_t { proc_t sysctl_t sysctl_kernel_t }:dir search;
 allow mailman_$1_t { proc_t sysctl_kernel_t }:file { read getattr };
-allow mailman_$1_t var_lib_t:dir { getattr search read };
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
-allow mailman_$1_t self:unix_stream_socket create_socket_perms;
+can_ypbind(mailman_$1_t)
+allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
+tmp_domain(mailman_$1)
 ')
mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
@@ -71,7 +73,7 @@
dontaudit mailman_cgi_t httpd_log_t:file append;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mplayer.te policy-1.21.12/domains/program/unused/mplayer.te
--- nsapolicy/domains/program/unused/mplayer.te 1969-12-31 19:00:00.000000000 -0500
@@ -0,0 +1,12 @@
+#DESC mplayer - media player
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for the mplayer executable.
+type mplayer_exec_t, file_type, exec_type, sysadmfile;
+type mencoder_exec_t, file_type, exec_type, sysadmfile;
+type mplayer_etc_t, file_type, sysadmfile;
+
+# Everything else is in the mplayer_domain macro in
+# macros/program/mplayer_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.21.12/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2005-02-09 15:01:28.000000000 -0500
@@ -20,7 +20,9 @@
 # "mail user@domain"
 mail_domain(system)
-ifdef(`targeted_policy', `', `
+ifdef(`targeted_policy', `
+ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
+', `
 ifdef(`sendmail.te', `
 # sendmail has an ugly design, the one process parses input from the user and
 # then does system things with it.
@@ -73,11 +75,11 @@
 # targeted policy. We could move these rules permanantly here.
 ifdef(`targeted_policy', `
 allow system_mail_t self:dir { search };
-allow system_mail_t proc_t:dir search;
-allow system_mail_t proc_t:{ file lnk_file } { getattr read };allow system_mail_t fs_t:filesystem getattr;
 allow system_mail_t { var_t var_spool_t }:dir getattr;
 create_dir_file( system_mail_t, mqueue_spool_t)
+allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
 ')
 allow system_mail_t etc_runtime_t:file { getattr read };
 allow system_mail_t urandom_device_t:chr_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.21.12/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te 2005-02-10 14:48:39.000000000 -0500
@@ -42,6 +42,10 @@
 # for secondary zone files
 type named_cache_t, file_type, sysadmfile;
+# for DNSSEC key files
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.21.12/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2005-02-10 14:48:39.000000000 -0500
@@ -72,4 +72,4 @@
 allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
-allow nscd_t urandom_device_t:chr_file { getattr read };
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.12/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-02-10 14:48:40.000000000 -0500
@@ -164,9 +164,8 @@
 r_dir_file(smbmount_t, proc_t)
# Fork smbmnt
# Mount
--- nsapolicy/domains/program/unused/traceroute.te 2005-02-09 15:01:29.000000000 -0500
@@ -39,8 +39,8 @@
 # for lft
 allow traceroute_t self:packet_socket create_socket_perms;
-allow traceroute_t proc_t:dir search;
-allow traceroute_t proc_t:file { getattr read };
+r_dir_file(traceroute_t, proc_t)
+r_dir_file(traceroute_t, proc_net_t)
# Access the terminal.
allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
}
--- nsapolicy/file_contexts/distros.fc 2005-02-09 15:01:44.000000000 -0500
# # /emul/ia32-linux/usr
@@ -64,8 +65,81 @@
 /var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t
 ')
-/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t
')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/java.fc policy-1.21.12/file_contexts/program/java.fc
--- nsapolicy/file_contexts/program/java.fc 1969-12-31 19:00:00.000000000 -0500
@@ -0,0 +1,2 @@
+# java
+/usr(/.*)?/bin/java.* -- system_u:object_r:java_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.21.12/file_contexts/program/mozilla.fc
--- nsapolicy/file_contexts/program/mozilla.fc 2005-02-09 15:01:30.000000000 -0500
@@ -0,0 +1,6 @@
+# mplayer
+/usr/bin/mplayer -- system_u:object_r:mplayer_exec_t
+/usr/bin/mencoder -- system_u:object_r:mencoder_exec_t
+
+/etc/mplayer(/.*)? system_u:object_r:mplayer_etc_t
+HOME_DIR/\.mplayer(/.*)? system_u:object_r:ROLE_mplayer_rw_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mta.fc policy-1.21.12/file_contexts/program/mta.fc
--- nsapolicy/file_contexts/program/mta.fc 2005-02-09 15:01:29.000000000 -0500
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.21.12/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc 2005-02-09 15:01:30.000000000 -0500
@@ -14,6 +14,7 @@
 ') dnl distro_debian
 /etc/rndc.* -- system_u:object_r:named_conf_t')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.21.12/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc 2005-02-09 15:01:30.000000000 -0500
+ ifdef(`distro_debian', `
 /usr/share/selinux(/.*)? system_u:object_r:policy_src_t
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/local.users policy-1.21.12/local.users
--- nsapolicy/local.users 2005-02-10 14:48:33.000000000 -0500
@@ -14,4 +14,8 @@
 # The MLS default level and allowed range should only be specified if
 # MLS was enabled in the policy.
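Review bot: `/usr(/.*)?/bin/java.* -- system_u:object_r:java_exec_t` matches any regular file whose name merely starts with `java` in any `bin` directory below /usr, so javac, javadoc, javah and similar tools would also be labelled java_exec_t and, through the `domain_auto_trans($1_t, java_exec_t, $1_java_t)` rule in java_macros.te, run in the java domain when a user executes them. If only the VM launcher is meant, anchor the name: `/usr(/.*)?/bin/java -- system_u:object_r:java_exec_t`; if the whole tool set is intended, a comment saying so would prevent the pattern from being tightened later.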
+# sample for administrative user
+# sample for regular user
--- nsapolicy/macros/base_user_macros.te 2005-02-10 14:48:42.000000000 -0500
@@ -54,15 +54,15 @@
 # for eject
 allow $1_t fixed_disk_device_t:blk_file getattr;
-allow $1_t fs_type:dir { getattr };
# open office is looking for the following
 allow $1_t dri_device_t:chr_file getattr;
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-# Do not flood message log, if the user does ls -lR /
-dontaudit $1_t dev_fs:dir_file_class_set getattr;
-dontaudit $1_t sysadmfile:file getattr;
-dontaudit $1_t sysadmfile:dir read;
+
+file_browse_domain($1_t)
# allow ptrace
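Review bot: `file_browse_domain($1_t)` replaces three `dontaudit` rules, but the macro body (added to global_macros.te in this same commit) is not on this page, so it cannot be confirmed that the replacement is still dontaudit-only; if file_browse_domain grants `getattr` on sysadmfile or dev_fs, every user domain gains the ability to enumerate files it previously could only fail to stat silently. The removal of `allow $1_t fs_type:dir { getattr };` earlier in this hunk has no visible replacement and is not mentioned in the commit message — either restore it or add a comment naming the macro that now provides it. The enclosing macro definition starts outside the hunk.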
--- nsapolicy/macros/global_macros.te 2005-02-09 15:01:45.000000000 -0500
@@ -157,6 +157,19 @@
 ')
+###################################
 #
 # general_proc_read_access(domain)
 #
@@ -491,6 +504,43 @@
 allow $1_t etc_t:dir r_dir_perms;
 ')
+# Do not flood message log, if the user does a browse
 #
 # Define a domain that can do anything, so that it is
 # effectively unconfined by the SELinux policy. This
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.21.12/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-02-09 15:01:45.000000000 -0500
@@ -128,12 +128,16 @@
 #
 # If a user starts a script by hand it gets the proper context
 #
+if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+}
 role sysadm_r types httpd_$1_script_t;
 ', `
+if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 #######################################
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.21.12/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -17,8 +17,7 @@
 allow $1_t $1_cdrecord_t:process signal;
# write to the user domain tty.
allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.21.12/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -43,8 +43,7 @@
 role $1_r types $1_chkpwd_t;
# Write to the user domain tty.
allow $1_chkpwd_t privfd:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/clamav_macros.te policy-1.21.12/macros/program/clamav_macros.te
--- nsapolicy/macros/program/clamav_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -48,8 +48,7 @@
 clamscan_domain($1)
 role $1_r types $1_clamscan_t;
 domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t)
-allow $1_clamscan_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_clamscan_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_clamscan_t, $1)
 r_dir_file($1_clamscan_t,$1_home_t);
 r_dir_file($1_clamscan_t,$1_home_dir_t);
 allow $1_clamscan_t $1_home_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crontab_macros.te policy-1.21.12/macros/program/crontab_macros.te
--- nsapolicy/macros/program/crontab_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -87,8 +87,7 @@
 # Access terminals.
 allow $1_crontab_t device_t:dir search;
-allow $1_crontab_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_crontab_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_crontab_t, $1);
 allow $1_crontab_t fs_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.21.12/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -25,9 +25,7 @@
 allow $1_gpg_agent_t xdm_t:fd use;
 # Write to the user domain tty.
-allow $1_gpg_agent_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_gpg_agent_t $1_devpts_t:chr_file rw_file_perms;
-allow $1_gpg_agent_t devtty_t:chr_file { read write };
+access_terminal($1_gpg_agent_t, $1)
 # Allow the user shell to signal the gpg-agent program.
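Review bot: `access_terminal($1_clamscan_t, $1)` replaces two per-user terminal rules, and the same substitution appears in the crontab, gpg_agent, irc, lockdev, slocate, ssh_agent, su and x_client hunks, but the macro's definition (the global_macros.te hunk at -157,6 +157,19) is not on this page, so it cannot be checked that one body covers what each call site gives up: gpg_agent and ssh_agent also drop `devtty_t:chr_file { read write }`, irc, gpg, ssh and uml drop `devtty_t:chr_file rw_file_perms`, and irc, gpg, ssh and x_client drop their `devpts_t:dir` search/read rule. If access_terminal grants only `$1_tty_device_t` and `$1_devpts_t`, those domains lose /dev/tty and /dev/pts directory access with this commit, which surfaces as new denials at run time rather than at build time, so the macro body should be compared against every removed line. Separately, `access_terminal($1_crontab_t, $1);` in the crontab hunk is the only call written with a trailing semicolon; `access_terminal($1_crontab_t, $1)` matches the other call sites.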
allow $1_t $1_gpg_agent_t:process { signal sigkill };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.21.12/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -43,8 +43,7 @@
 allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-allow $1_gpg_t devpts_t:dir search;
# Inherit and use descriptors
allow $1_gpg_t self:capability { ipc_lock setuid };
-allow $1_gpg_t devtty_t:chr_file rw_file_perms;
 rw_dir_create_file($1_gpg_t, $1_file_type)
 allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.21.12/macros/program/irc_macros.te
--- nsapolicy/macros/program/irc_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -47,14 +47,13 @@
 allow $1_irc_t usr_t:file { getattr read };
+access_terminal($1_irc_t, $1)
 allow $1_irc_t fs_t:filesystem getattr;
 allow $1_irc_t var_t:dir search;
-allow $1_irc_t devpts_t:dir { getattr read search };
 allow $1_irc_t device_t:dir search;
-allow $1_irc_t devtty_t:chr_file rw_file_perms;
 allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_irc_t privfd:fd use;
 allow $1_irc_t proc_t:dir search;
@@ -62,10 +61,6 @@
 allow $1_irc_t self:dir search;
 dontaudit $1_irc_t var_run_t:dir search;
-# Write to the user domain tty.
-allow $1_irc_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_irc_t $1_devpts_t:chr_file rw_file_perms;
-
 # allow utmp access
 allow $1_irc_t initrc_var_run_t:file read;
 dontaudit $1_irc_t initrc_var_run_t:file lock;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.21.12/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te 1969-12-31 19:00:00.000000000 -0500
@@ -0,0 +1,117 @@
+#
+# Macros for java/java (or other browser) domains.
+#
+
+#
+# Authors: Dan Walsh <dwalsh@redhat.com> and Timothy Fraser
+#
+
+#
+# java_domain(domain_prefix, user)
+#
+# Define a derived domain for the java/java program when executed by
+# a web browser.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/java.te.
+#
+define(`java_domain',`
+type $1_java_t, domain, privlog , nscd_client_domain, transitionbool;
+
+# The user role is authorized for this domain.
+role $2_r types $1_java_t;
+domain_auto_trans($1_t, java_exec_t, $1_java_t)
+
+allow $1_java_t sound_device_t:chr_file rw_file_perms;
+# Unrestricted inheritance from the caller.
+allow $1_t $1_java_t:process { noatsecure siginh rlimitinh };
+allow $1_java_t $1_t:process signull;
+
+can_unix_connect($1_java_t, $1_t)
+allow $1_java_t $1_t:unix_stream_socket { read write };
+
+# This domain is granted permissions common to most domains (including can_net)
+can_network_client($1_java_t)
+can_ypbind($1_java_t)
+allow $1_java_t self:process { fork signal_perms getsched setsched };
+allow $1_java_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow $1_java_t self:fifo_file rw_file_perms;
+allow $1_java_t etc_runtime_t:file { getattr read };
+allow $1_java_t fs_t:filesystem getattr;
+read_locale($1_java_t)
+r_dir_file($1_java_t, { proc_t proc_net_t })
+allow $1_java_t self:dir search;
+allow $1_java_t self:lnk_file read;
+allow $1_java_t self:file { getattr read };
+
+read_sysctl($1_java_t)
+
+tmp_domain($1_java)
+r_dir_file($1_java_t,{ fonts_t usr_t etc_t })
+
+# Search bin directory under java for java executable
+allow $1_java_t bin_t:dir search;
+can_exec($1_java_t, java_exec_t)
+
+# Allow connections to X server.
+ifdef(`xserver.te', `
+
+ifdef(`xdm.te', `
+# for when /tmp/.X11-unix is created by the system
+allow $1_java_t xdm_xserver_tmp_t:dir search;
+allow $1_java_t xdm_t:fifo_file rw_file_perms;
+allow $1_java_t xdm_tmp_t:dir search;
+allow $1_java_t xdm_tmp_t:sock_file write;
+')
+
+ifdef(`startx.te', `
+# for when /tmp/.X11-unix is created by the X server
+allow $1_java_t $2_xserver_tmp_t:dir search;
+
+# for /tmp/.X0-lock
+allow $1_java_t $2_xserver_tmp_t:file getattr;
+
+allow $1_java_t $2_xserver_tmp_t:sock_file rw_file_perms;
+can_unix_connect($1_java_t, $2_xserver_t)
+')dnl end startx
+
+can_unix_connect($1_java_t, xdm_xserver_t)
+allow xdm_xserver_t $1_java_t:fd use;
+allow xdm_xserver_t $1_java_t:shm { associate getattr read unix_read };
+dontaudit xdm_xserver_t $1_java_t:shm { unix_write write };
+
+')dnl end xserver
+
+allow $1_java_t self:shm create_shm_perms;
+
+legacy_domain($1_java)
+
+uses_shlib($1_java_t)
+read_locale($1_java_t)
+rw_dir_file($1_java_t, $1_rw_t)
+
+allow $1_java_t ld_so_cache_t:file execute;
+allow $1_java_t lib_t:file execute;
+allow $1_java_t locale_t:file execute;
+allow $1_java_t $1_java_tmp_t:file execute;
+
+allow $1_java_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
+
+allow $1_java_t home_root_t:dir { getattr search };
+file_type_auto_trans($1_java_t, $2_home_dir_t, $1_rw_t)
+allow $1_java_t $2_home_xauth_t:file { getattr read };
+allow $1_java_t $2_tmp_t:sock_file write;
+allow $1_java_t $2_t:fd use;
+
+allow $1_java_t var_t:dir getattr;
+allow $1_java_t var_lib_t:dir { getattr search };
+
+dontaudit $1_java_t fonts_t:file execute;
+dontaudit $1_java_t sound_device_t:chr_file execute;
+dontaudit $1_java_t $2_devpts_t:chr_file { read write };
+dontaudit $1_java_t sysadm_devpts_t:chr_file { read write };
+dontaudit $1_java_t devtty_t:chr_file { read write };
+dontaudit $1_java_t tmpfs_t:file { execute read write };
+dontaudit $1_java_t $1_rw_t:file { execute setattr };
+
+')
diff --exclude-from=exclude -N -u -r
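Review bot: `read_locale($1_java_t)` is called twice inside `java_domain` (once after `allow $1_java_t fs_t:filesystem getattr;`, again right after `uses_shlib($1_java_t)`); the second call should go. `allow $1_java_t $1_java_tmp_t:file execute;` lets the domain execute files it created itself under the tmp type from `tmp_domain($1_java)` — an unconditional write-plus-execute grant on the same type — whereas the mplayer_macros.te hunk in this same commit puts its execmem/execmod needs behind `allow_execmem`/`allow_execmod`; either gate it the same way or add a comment naming the JVM behaviour that requires executing a tmp file. The header lines `Macros for java/java (or other browser) domains` and `for the java/java program` look like leftovers from the mozilla macro and should read `Macros for the java domain`, and `privlog ,` has a stray space before the comma.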
nsapolicy/macros/program/lockdev_macros.te policy-1.21.12/macros/program/lockdev_macros.te
--- nsapolicy/macros/program/lockdev_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -36,7 +36,7 @@
 allow $1_lockdev_t device_t:dir search;
 allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
-allow $1_lockdev_t { $1_tty_device_t $1_devpts_t }:chr_file rw_file_perms;
+access_terminal($1_lockdev_t, $1)
 dontaudit $1_lockdev_t root_t:dir search;
uses_shlib($1_lockdev_t)
--- nsapolicy/macros/program/lpr_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -64,8 +64,7 @@
 allow $1_lpr_t device_t:dir search;
# Access the terminal.
# Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.21.12/macros/program/mount_macros.te
--- nsapolicy/macros/program/mount_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -62,8 +62,7 @@
 allow $2_t sbin_t:dir search;
# Access the terminal.
--- nsapolicy/macros/program/mozilla_macros.te 2005-02-09 15:01:45.000000000 -0500
@@ -18,6 +18,9 @@
 define(`mozilla_domain',`
 x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool')
+# Allow mozilla to browse files
# Unrestricted inheritance from the caller.
@@ -50,18 +53,16 @@
-dontaudit $1_mozilla_t tty_device_t:chr_file getattr;
-
-dontaudit $1_mozilla_t proc_t:dir read;
allow $1_mozilla_t { var_t var_lib_t }:dir search;
-dontaudit $1_mozilla_t var_run_t:dir { getattr search };
# Execute downloaded programs.
-dontaudit $1_mozilla_t tmpfile:dir { setattr getattr search };
-dontaudit $1_mozilla_t tmpfile:{ file fifo_file sock_file } getattr;
+dontaudit $1_mozilla_t tmpfile:dir setattr;
# Use printer
-r_dir_file($1_mozilla_t, $1_home_t)
-dontaudit $1_mozilla_t $1_file_type:{ file dir } getattr;
-file_type_auto_trans($1_mozilla_t, tmp_t, $1_tmp_t)
+r_dir_file($1_mozilla_t, { $1_home_t $1_tmp_t })
 } else {
-file_type_auto_trans($1_mozilla_t, tmp_t, $1_mozilla_rw_t)
-dontaudit $1_mozilla_t $1_home_t:dir { setattr read search getattr };
-dontaudit $1_mozilla_t $1_home_t:file { setattr getattr };
+dontaudit $1_mozilla_t $1_home_t:dir setattr;
+dontaudit $1_mozilla_t $1_home_t:file setattr;
 }
+file_type_auto_trans($1_mozilla_t, tmp_t, $1_mozilla_rw_t)
+file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_rw_t)
if (mozilla_writehome) {
allow $1_mozilla_t $1_t:unix_stream_socket connectto;
 allow $1_mozilla_t sysctl_net_t:dir search;
 allow $1_mozilla_t sysctl_t:dir search;
-dontaudit $1_mozilla_t boot_t:dir getattr;
 ifdef(`cups.te', `
 allow $1_mozilla_t cupsd_etc_t:dir search;
 allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
@@ -104,32 +103,25 @@
 allow $1_mozilla_t $1_t:tcp_socket { read write };
 allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
-dontaudit $1_mozilla_t bin_t:dir getattr;
 dontaudit $1_mozilla_t port_type:tcp_socket name_bind;
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
-# running mplayer within firefox asks for this
-allow $1_mozilla_t clock_device_t:chr_file r_file_perms;
 # Mozilla tries to delete .fonts.cache-1
 dontaudit $1_mozilla_t $1_home_t:file unlink;
-dontaudit $1_mozilla_t tmpfile:file getattr;
-#
-# Eliminate errors from scanning with the
-#
-dontaudit $1_mozilla_t file_type:dir getattr;allow $1_mozilla_t self:sem create_sem_perms;
-dontaudit $1_mozilla_t selinux_config_t:dir search;
-
 #
 # Rules needed to run java apps
-#
-allow $1_mozilla_t ld_so_cache_t:file execute;
-allow $1_mozilla_t locale_t:file execute;
-dontaudit $1_mozilla_t device_type:{ chr_file file } execute;
-dontaudit $1_t ld_so_cache_t:file execute;
-dontaudit $1_t locale_t:file execute;
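Review bot: `file_type_auto_trans($1_mozilla_t, tmp_t, $1_mozilla_rw_t)` is moved out of the else branch and now applies unconditionally, and a second transition `file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_rw_t)` is added for files created inside the user's own tmp type; the `if` whose branches this hunk edits begins outside the hunk, so the governing boolean cannot be read here. The effect is that everything mozilla creates under /tmp is typed `$1_mozilla_rw_t` regardless of that boolean, while `r_dir_file($1_mozilla_t, { $1_home_t $1_tmp_t })` grants read access to the user's tmp files only in the first branch — an asymmetry that deserves a comment above the two transitions (`# always label mozilla's /tmp files mozilla_rw so they are not shared with the user's $1_tmp_t`) so the transition is not moved back into the conditional later. The removed `dontaudit $1_mozilla_t $1_file_type:{ file dir } getattr;` presumably moves into `file_browse_domain`, whose call line for mozilla is not visible on this page; confirm the dontaudit is not simply lost.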
-dontaudit $1_mozilla_t selinux_config_t:dir search;
ifdef(`xdm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.21.12/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te 1969-12-31 19:00:00.000000000 -0500
@@ -0,0 +1,115 @@
+#
+# Macros for mplayer
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+#
+# mplayer_domain(domain_prefix)
+# mencoder_domain(domain_prefix)
+
+################################################
+# mplayer_common(prefix, mplayer domain) #
+################################################
+
+define(`mplayer_common',`
+
+# Home directory stuff
+if (use_nfs_home_dirs) {
+create_dir_file($1_$2_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1_$2_t, cifs_t)
+}
+allow $1_$2_t autofs_t:dir { search getattr };
+
+# Read local config
+r_dir_file($1_$2_t, $1_mplayer_rw_t)
+
+# Read global config
+r_dir_file($1_$2_t, mplayer_etc_t)
+
+# Read data in /usr/share (fonts, icons..)
+r_dir_file($1_$2_t, usr_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+allow $1_$2_t proc_t:dir search;
+allow $1_$2_t proc_t:file { getattr read };
+
+# Sysctl on kernel version
+allow $1_$2_t sysctl_kernel_t:dir search;
+allow $1_$2_t sysctl_kernel_t:file { getattr read };
+
+# Allow ps, shared libs, locale, terminal access
+can_ps($1_t, $1_$2_t)
+uses_shlib($1_$2_t)
+read_locale($1_$2_t)
+access_terminal($1_$2_t, $1)
+
+# Required for win32 binary loader
+allow $1_$2_t zero_device_t:chr_file { read write execute };
+if (allow_execmem) {
+allow $1_$2_t self:process execmem;
+}
+
+if (allow_execmod) {
+allow $1_$2_t zero_device_t:chr_file execmod;
+allow $1_$2_t texrel_shlib_t:file execmod;
+}
+
+# Access to DVD/CD/V4L
+allow $1_$2_t device_t:dir r_dir_perms;
+allow $1_$2_t device_t:lnk_file { getattr read };
+allow $1_$2_t removable_device_t:blk_file { getattr read };
+allow $1_$2_t v4l_device_t:chr_file { getattr read };
+')
+
+##############################
+# mplayer_domain(prefix) #
+##############################
+
+define(`mplayer_domain',`
+
+# Derive from X client domain
+x_client_domain($1, `mplayer', `')
+
+# Allow mplayer to browse files
+file_browse_domain($1_mplayer_t)
+
+# Mplayer common stuff
+mplayer_common($1, mplayer)
+
+# Additional rules for search /tmp/.X11-unix
+ifdef(`xdm.te', `
+allow $1_mplayer_t xdm_tmp_t:dir search;
+')dnl end if xdm.te
+
+# Audio
+allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
+
+# RTC clock
+allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
+
+# Read home directory content
+r_dir_file($1_mplayer_t, $1_home_t);
+
+') dnl end mplayer_domain
+
+##############################
+# mencoder_domain(prefix) #
+##############################
+
+define(`mencoder_domain',`
+
+# Privhome type transitions to $1_home_t in home dir.
+type $1_mencoder_t, domain, privhome;
+
+# Transition
+domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
+can_exec($1_mencoder_t, mencoder_exec_t)
+role $1_r types $1_mencoder_t;
+
+# Mplayer common stuff
+mplayer_common($1, mencoder)
+
+') dnl end mencoder_domain
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.21.12/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -87,10 +87,9 @@
 allow mta_user_agent $1_tmp_t:file { read getattr };
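Review bot: `mplayer_common` reads `$1_mplayer_rw_t` via `r_dir_file($1_$2_t, $1_mplayer_rw_t)`, and on this page that type is only produced by `x_client_domain($1, `mplayer', `')` inside `mplayer_domain` (the x_client_macros.te hunk shows x_client_domain creating `$1_$2_rw_t`), so `mencoder_domain(prefix)` silently depends on `mplayer_domain(prefix)` having been instantiated first; record that in the mencoder header, e.g. `# Requires mplayer_domain($1), which defines $1_mplayer_rw_t`. In the win32-loader block, `allow $1_$2_t zero_device_t:chr_file { read write execute };` is unconditional although the execmem and execmod grants immediately after it sit behind `allow_execmem`/`allow_execmod`; if the execute bit on /dev/zero exists only for that loader, move it inside the `if (allow_execmem) {` block so the default policy does not carry it. `r_dir_file($1_mplayer_t, $1_home_t);` is the one macro call in this file with a trailing semicolon.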
-allow mta_user_agent { $1_devpts_t $1_tty_device_t }:chr_file { getattr read write };
-
# Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/samba_macros.te policy-1.21.12/macros/program/samba_macros.te
--- nsapolicy/macros/program/samba_macros.te 2005-02-10 14:48:42.000000000 -0500
@@ -21,6 +21,7 @@
 if ( samba_enable_home_dirs ) {
 allow smbd_t home_root_t:dir r_dir_perms;
 file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
+dontaudit smbd_t $1_file_type:dir_file_class_set getattr;
 }
 ')
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/slocate_macros.te policy-1.21.12/macros/program/slocate_macros.te
--- nsapolicy/macros/program/slocate_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -47,10 +47,7 @@
 allow $1_t $1_locate_t:process signal;
 uses_shlib($1_locate_t)
-
-# Write to the user domain tty.
-allow $1_locate_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_locate_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_locate_t, $1)
 allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search };
 allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.21.12/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te 2005-02-09 15:01:45.000000000 -0500
@@ -27,9 +27,7 @@
 allow $1_ssh_agent_t privfd:fd use;
 # Write to the user domain tty.
-allow $1_ssh_agent_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_ssh_agent_t $1_devpts_t:chr_file rw_file_perms;
-allow $1_ssh_agent_t devtty_t:chr_file { read write };
+access_terminal($1_ssh_agent_t, $1)
 # Allow the user shell to signal the ssh program.
allow $1_t $1_ssh_agent_t:process signal;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.21.12/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te 2005-02-09 15:01:45.000000000 -0500
@@ -52,9 +52,6 @@
 base_file_read_access($1_ssh_t)
-# Read the devpts root directory.
-allow $1_ssh_t devpts_t:dir r_dir_perms;
-
 # Read /var.
 allow $1_ssh_t var_t:dir r_dir_perms;
 allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
@@ -77,8 +74,7 @@
 # Read /dev/urandom.
 allow $1_ssh_t urandom_device_t:chr_file r_file_perms;
-# Read and write /dev/tty and /dev/null.
-allow $1_ssh_t devtty_t:chr_file rw_file_perms;
# Grant permissions needed to create TCP and UDP sockets and
@@ -127,8 +123,7 @@
# Write to the user domain tty.
# Allow the user shell to signal the ssh program.
allow $1_t $1_ssh_t:process signal;
+#allow ssh to access keys stored on removable media
--- nsapolicy/macros/program/su_macros.te 2005-02-09 15:01:45.000000000 -0500
@@ -99,7 +99,7 @@
 }
 # Relabel ttys and ptys.
-allow $1_su_t { device_t devpts_t }:dir { getattr read search };
+allow $1_su_t device_t:dir { getattr read search };
 allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
# Close and re-open ttys and ptys to get the fd into the correct domain.
@@ -121,9 +121,8 @@
# Write to the user domain tty.
-allow $1_su_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_su_t $1_devpts_t:chr_file rw_file_perms;
-allow $1_su_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { getattr ioctl };
+access_terminal($1_su_t, $1)
+allow $1_su_t { $1_devpts_t $1_tty_device_t }:chr_file ioctl;
 allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
 allow $1_su_t $1_home_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.21.12/macros/program/uml_macros.te
--- nsapolicy/macros/program/uml_macros.te 2005-02-09 15:01:31.000000000 -0500
@@ -110,7 +110,6 @@
 dontaudit $1_uml_t initrc_var_run_t:file { write lock };
 allow $1_uml_t device_t:dir search;
-allow $1_uml_t devtty_t:chr_file rw_file_perms;
 allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_uml_t self:unix_dgram_socket create_socket_perms;
 allow $1_uml_t privfd:fd use;
@@ -121,8 +120,7 @@
 allow $1_uml_t proc_t:file write;
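Review bot: `+allow $1_su_t { $1_devpts_t $1_tty_device_t }:chr_file ioctl;` in the su_macros hunk looks redundant with the `access_terminal($1_su_t, $1)` call directly above it, provided that macro grants rw_file_perms on the same two types as the rules it replaces did, since rw_file_perms in this policy includes ioctl; the macro definition is outside this diff, so that needs confirming before dropping the line. Separately, removing `allow $1_su_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { getattr ioctl };` is a real narrowing for every non-sysadm $1 (a user_su_t running on a sysadm-labelled tty) that the commit message does not mention; if intended, a comment noting that the sysadm-tty access was dropped deliberately would prevent it being re-added as a "fix" later.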
# Write to the user domain tty.
# access config files
--- nsapolicy/macros/program/xauth_macros.te 2005-02-09 15:01:45.000000000 -0500
@@ -66,8 +66,7 @@
 allow $1_xauth_t fs_t:filesystem getattr;
# Write to the user domain tty.
# Scan /var/run.
--- nsapolicy/macros/program/x_client_macros.te 2005-02-09 15:01:45.000000000 -0500
@@ -57,9 +57,9 @@
 allow $1_$2_t etc_runtime_t:file { getattr read };
 allow $1_$2_t etc_t:lnk_file read;
 allow $1_$2_t fs_t:filesystem getattr;
+access_terminal($1_$2_t, $1)
 read_locale($1_$2_t)
 r_dir_file($1_$2_t, readable_t)
-allow $1_$2_t devtty_t:chr_file { read write };
 allow $1_$2_t proc_t:dir search;
 allow $1_$2_t proc_t:lnk_file read;
 allow $1_$2_t self:dir search;
@@ -143,11 +143,6 @@
 can_tcp_connect($1_$2_t, sshd_t)
 ')
-# Access the terminal.
-allow $1_$2_t devpts_t:dir search;
-allow $1_$2_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_$2_t $1_devpts_t:chr_file rw_file_perms;
-
 # Read the home directory, e.g. for .Xauthority and to get to config files
 allow $1_$2_t home_root_t:dir { search getattr };
 file_type_auto_trans($1_$2_t, $1_home_dir_t, $1_$2_rw_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.21.12/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te 2005-02-09 15:01:45.000000000 -0500
@@ -51,6 +51,11 @@
 can_exec($1_xserver_t, xserver_exec_t)
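Review bot: The `+access_terminal($1_$2_t, $1)` call in the first x_client_macros hunk is placed between the fs_t getattr rule and read_locale, far from the `# Access the terminal.` block it replaces in the second hunk, so the one comment that explained those rules is lost; keeping `# Access the terminal.` on the line above the macro call would preserve it. The removed block also granted `devpts_t:dir search`; whether the macro restores that is not visible in this diff and is worth confirming, since an X client that cannot search /dev/pts fails less obviously than one that cannot open its pty.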
uses_shlib($1_xserver_t)
--- nsapolicy/macros/user_macros.te 2005-02-09 15:01:45.000000000 -0500
@@ -34,21 +34,11 @@
 # do not allow privhome access to sysadm_home_dir_t
 file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
-# for ifconfig which is run all the time
-dontaudit $1_t sysctl_t:dir search;
-
-# for ls -l /proc
-dontaudit $1_t { sysctl_irq_t sysctl_t }:dir getattr;
-dontaudit $1_t proc_fs:file getattr;
-
 allow $1_t boot_t:dir { getattr search };
-dontaudit $1_t boot_t:dir read;
-dontaudit $1_t boot_t:lnk_file { getattr read };
-dontaudit $1_t boot_t:file { getattr read };
+dontaudit $1_t boot_t:lnk_file read;
+dontaudit $1_t boot_t:file read;
 allow $1_t system_map_t:file { getattr read };
-dontaudit $1_t security_t:dir getattr;
# Instantiate derived domains for a number of programs.
 # These derived domains encode both information about the calling
 # user domain and the program, and allow us to maintain separation
@@ -94,11 +84,8 @@
 dontaudit $1_t initrc_var_run_t:file write;
-# do not audit getattr on tmpfile, otherwise ls -l /tmp fills the logs
-dontaudit $1_t tmpfile:dir_file_class_set getattr;
-
-# do not audit getattr on disk devices, otherwise KDE fills the logs
-dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file {getattr read};
+# do not audit read on disk devices
+dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
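Review bot: The user_macros hunk at -34 drops several dontaudit rules whose comments justified them as log noise (`sysctl_t:dir search` for ifconfig, `{ sysctl_irq_t sysctl_t }:dir getattr` and `proc_fs:file getattr` for `ls -l /proc`, `boot_t:dir read`, `security_t:dir getattr`) without the commit message saying where that suppression went. If it moved into one of the new macros the description mentions (file_browse_domain or legacy_domain), a comment at the removal point such as `# sysctl/proc dontaudits moved to legacy_domain()` would keep that traceable; if it did not move, ordinary user domains will start emitting AVC denials for routine ls and ifconfig use, which buries real denials in the audit log.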
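Review bot: In the hunk at -94, `+dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;` drops getattr from the suppressed set even though the removed comment said getattr was what let KDE fill the logs, so either that comment was stale or the getattr noise returns; the later `+dontaudit $1_t sysadm_home_t:file { read append };` likewise loses getattr and the whole sysadm_home_t:dir rule. Auditing getattr probes from a user domain is a defensible choice, but if the narrowing is deliberate the new comment `# do not audit read on disk devices` should say so. The hunk headers after this point are missing from the rendering, so the exact boundaries of this hunk are uncertain.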
ifdef(`xdm.te', `
-dontaudit $1_t sysadm_home_t:dir { read search getattr };
-dontaudit $1_t sysadm_home_t:file { read getattr append };
-ifdef(`distro_redhat', `
-# gam_server fires off these when exploring with mozilla/nautilous
-dontaudit $1_t file_type:dir getattr;
-')
+dontaudit $1_t sysadm_home_t:file { read append };
ifdef(`syslogd.te', `
-# stop warnings about "ls -l" on directories with unlabelled files
-dontaudit $1_t default_t:{ dir file lnk_file } getattr;
# Stop warnings about access to /dev/console
dontaudit $1_t init_t:fd use;
--- nsapolicy/Makefile 2005-02-10 14:48:31.000000000 -0500
@@ -36,6 +36,7 @@
 CONTEXTPATH = $(INSTALLDIR)/contexts
 LOADPATH = $(POLICYPATH)/$(POLICYVER)
 FCPATH = $(CONTEXTPATH)/files/file_contexts
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
@@ -50,16 +51,19 @@
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
 POLICYFILES += $(USER_FILES)
 POLICYFILES += $(wildcard $(USERPATH)/local.users)
 POLICYFILES += constraints
-POLICYFILES += initial_sid_contexts fs_use genfs_contexts net_contexts
-CONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
+POLICYFILES += $(DEFCONTEXTFILES)
+CONTEXTFILES = $(DEFCONTEXTFILES)
+POLICY_DIRS = domains/program domains/misc
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
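Review bot: `+POLICYFILES += $(DEFCONTEXTFILES)` and `+CONTEXTFILES = $(DEFCONTEXTFILES)` replace the literal `initial_sid_contexts fs_use genfs_contexts net_contexts` list, but no definition of DEFCONTEXTFILES appears in this hunk; if it is not assigned earlier in the Makefile (possibly in a hunk the rendering dropped), both variables expand to empty and the policy builds without its context files instead of failing. A guard such as `ifndef DEFCONTEXTFILES` / `$(error DEFCONTEXTFILES is not set)` / `endif`, or building with `--warn-undefined-variables`, would turn that silent omission into an error. The boundaries of this hunk are not fully recoverable from the rendering.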
FC = file_contexts/file_contexts
grep -v dontaudit policy.conf > policy.audit mv policy.audit policy.conf
-policy.conf: $(POLICYFILES)
mkdir -p tmp - m4 $(M4PARAM) -Imacros -s $^ > $@.tmp
install-src:
@mkdir -p $(CONTEXTPATH)/files install -m 644 $(FC) $(FCPATH)
# Create a tags-file for the policy:
--- nsapolicy/targeted/domains/unconfined.te 2005-02-09 15:01:45.000000000 -0500
@@ -9,6 +9,8 @@
 role user_r types unconfined_t;
 role sysadm_r types unconfined_t;
 unconfined_domain(unconfined_t)
+allow domain $1:fd use;
+allow domain $1:process sigchld;
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
@@ -37,6 +39,9 @@
 user_typealias(sysadm)
 user_typealias(staff)
 user_typealias(user)
+attribute user_file_type;
+attribute staff_file_type;
+attribute sysadm_file_type;
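Review bot: `$1` in `+allow domain $1:fd use;` and `+allow domain $1:process sigchld;` is an m4 positional parameter, but these lines sit at file scope in unconfined.te next to `role sysadm_r types unconfined_t;` and `unconfined_domain(unconfined_t)`, not inside a define(), so unless the surrounding text is wrapped in a macro outside this hunk m4 leaves `$1` literal and checkpolicy will reject the policy. The commit message says the intent is to allow sigchld and fd use for the unconfined domain, so the rules should read `allow domain unconfined_t:fd use;` and `allow domain unconfined_t:process sigchld;`. Granting this to every domain is wide, so a comment stating why all domains need to report to and use descriptors from unconfined_t would also help.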
allow unconfined_t unlabeled_t:filesystem *;
allow unlabeled_t self:filesystem associate;
@@ -45,14 +50,18 @@
# Allow execution of anonymous mappings, e.g. executable stack.
-bool allow_execmem false;
# Support Share libraries with Text Relocation
-bool allow_execmod false;
# Support SAMBA home directories
+if (allow_execmod) {
# Allow system to run with NIS
--- nsapolicy/tunables/distro.tun 2005-02-09 15:01:31.000000000 -0500@@ -5,7 +5,7 @@ # appropriate ifdefs.
-dnl define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.12/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-02-09 15:01:31.000000000 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
# Allow rpm to run unconfined.
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
# Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
# Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.21.12/types/file.te
--- nsapolicy/types/file.te 2005-02-09 15:01:45.000000000 -0500
@@ -87,7 +87,7 @@
 #
 # shadow_t is the type of the /etc/shadow file
 #
-type shadow_t, file_type;
+type shadow_t, file_type, secure_file_type;
 allow auth shadow_t:file { getattr read };
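Review bot: Turning on `define(`unlimitedRC')` in the shared tunable.tun changes the default for every build of this policy, not just the targeted one: any rc-started daemon without an explicit domain transition now runs unconfined rather than staying in the initrc domain, which is exactly the property the comment above the define warns about, and the rendering suggests `unlimitedUtils` and `user_can_mount` are being enabled in the same way. The commit message does not mention this weakening of the upstream default. Either keep the upstream copy at `dnl define(`unlimitedRC')` and enable it in the distribution's own tunable file, or call the change out explicitly in the description so reviewers of the strict policy see it.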
#
#
 # cert_t is the type of files in the system certs directories.
 #
-type cert_t, file_type, sysadmfile;
+type cert_t, file_type, sysadmfile, secure_file_type;
#
# Type for /var/log/ksyms.
#
 # print_spool_t is the type for /var/spool/lpd and /var/spool/cups.
 #
-type print_spool_t, file_type, sysadmfile;
+type print_spool_t, file_type, sysadmfile, tmpfile;
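Review bot: Adding the tmpfile attribute in `+type print_spool_t, file_type, sysadmfile, tmpfile;` means every rule keyed on the tmpfile attribute now also reaches /var/spool/lpd and /var/spool/cups, not only the tmpreaper rules this commit replaces; spool directories hold other users' print jobs, so it is worth enumerating the domains that receive tmpfile-wide permissions before relying on the attribute. A comment above the type, e.g. `# tmpfile: lets tmpreaper expire stale spool files`, would record the reason the attribute was added. The hunk header for this change is not visible in the rendering.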
#