Chris PeBenito 31b7c0
#DESC LOCATE - Security Enhanced version of the GNU Locate
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Author:  Dan Walsh <dwalsh@redhat.com>
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
#################################
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Rules for the locate_t domain.
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# locate_exec_t is the type of the locate executable.
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
daemon_base_domain(locate)
Chris PeBenito 31b7c0
role system_r types locate_t;
Chris PeBenito 31b7c0
role sysadm_r types locate_t;
Chris PeBenito 31b7c0
allow locate_t fs_t:filesystem getattr;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
ifdef(`crond.te', `
Chris PeBenito 31b7c0
system_crond_entry(locate_exec_t, locate_t)
Chris PeBenito 31b7c0
allow system_crond_t locate_log_t:dir rw_dir_perms;
Chris PeBenito 31b7c0
allow system_crond_t locate_log_t:file { create append getattr };
Chris PeBenito 31b7c0
allow system_crond_t locate_etc_t:file { getattr read };
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow locate_t { fs_type file_type }:dir r_dir_perms;
Chris PeBenito 31b7c0
dontaudit locate_t sysctl_t:dir getattr;
Chris PeBenito 31b7c0
allow locate_t file_type:lnk_file r_file_perms;
Chris PeBenito 31b7c0
allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
Chris PeBenito 31b7c0
dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
Chris PeBenito 31b7c0
dontaudit locate_t security_t:dir getattr;
Chris PeBenito 31b7c0
dontaudit locate_t shadow_t:file getattr;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
Chris PeBenito 31b7c0
allow locate_t unlabeled_t:dir_file_class_set getattr;
Chris PeBenito 31b7c0
allow locate_t unlabeled_t:dir read;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
logdir_domain(locate)
Chris PeBenito 31b7c0
etcdir_domain(locate)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
type locate_var_lib_t, file_type, sysadmfile;
Chris PeBenito 31b7c0
typealias locate_var_lib_t alias var_lib_locate_t;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
create_dir_file(locate_t, locate_var_lib_t)
Chris PeBenito 31b7c0
dontaudit locate_t sysadmfile:file getattr;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow locate_t proc_t:file { getattr read };
Chris PeBenito 31b7c0
allow locate_t self:unix_stream_socket create_socket_perms;
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Need to be able to exec renice
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
can_exec(locate_t, bin_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
Chris PeBenito 31b7c0
dontaudit locate_t rpc_pipefs_t:file getattr;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Read Mtab file
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
allow locate_t etc_runtime_t:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Read nsswitch file
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
allow locate_t etc_t:file { getattr read };
Chris PeBenito 31b7c0
dontaudit locate_t self:capability dac_override;
Chris PeBenito 31b7c0
allow locate_t self:capability dac_read_search;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# sysadm_t runs locate in his own domain.
Chris PeBenito 31b7c0
# We use a type alias to simplify the rest of the policy,
Chris PeBenito 31b7c0
# which often refers to $1_locate_t for the user domains.
Chris PeBenito 31b7c0
typealias sysadm_t alias sysadm_locate_t;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow locate_t userdomain:fd use;
Chris PeBenito 31b7c0
ifdef(`cardmgr.te', `
Chris PeBenito 31b7c0
allow locate_t cardmgr_var_run_t:chr_file getattr;
Chris PeBenito 31b7c0
')