|
Chris PeBenito |
31b7c0 |
#DESC Ldconfig - Configure dynamic linker bindings
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# Author: Russell Coker <russell@coker.com.au>
|
|
Chris PeBenito |
31b7c0 |
# X-Debian-Packages: libc6
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
#################################
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# Rules for the ldconfig_t domain.
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
type ldconfig_t, domain, privlog, etc_writer;
|
|
Chris PeBenito |
31b7c0 |
type ldconfig_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
role sysadm_r types ldconfig_t;
|
|
Chris PeBenito |
31b7c0 |
role system_r types ldconfig_t;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
|
|
Chris PeBenito |
31b7c0 |
dontaudit ldconfig_t device_t:dir search;
|
|
Chris PeBenito |
31b7c0 |
can_access_pty(ldconfig_t, initrc)
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t privfd:fd use;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
uses_shlib(ldconfig_t)
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t lib_t:dir rw_dir_perms;
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t lib_t:lnk_file create_lnk_perms;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t userdomain:fd use;
|
|
Chris PeBenito |
31b7c0 |
# unlink for when /etc/ld.so.cache is mislabeled
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t etc_t:file { getattr read unlink };
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t etc_t:lnk_file read;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t fs_t:filesystem getattr;
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t tmp_t:dir search;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
ifdef(`apache.te', `
|
|
Chris PeBenito |
31b7c0 |
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
|
|
Chris PeBenito |
31b7c0 |
dontaudit ldconfig_t httpd_modules_t:dir search;
|
|
Chris PeBenito |
31b7c0 |
')
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t { var_t var_lib_t }:dir search;
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t proc_t:file { getattr read };
|
|
Chris PeBenito |
31b7c0 |
ifdef(`hide_broken_symptoms', `
|
|
Chris PeBenito |
31b7c0 |
ifdef(`unconfined.te',`
|
|
Chris PeBenito |
31b7c0 |
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
|
|
Chris PeBenito |
31b7c0 |
');
|
|
Chris PeBenito |
31b7c0 |
')dnl end hide_broken_symptoms
|
|
Chris PeBenito |
31b7c0 |
ifdef(`targeted_policy', `
|
|
Chris PeBenito |
31b7c0 |
allow ldconfig_t lib_t:file r_file_perms;
|
|
Chris PeBenito |
31b7c0 |
unconfined_domain(ldconfig_t)
|
|
Chris PeBenito |
31b7c0 |
')
|