#DESC LoadPolicy - SELinux policy loading utilities
#
# Authors: Frank Mayer, mayerf@tresys.com
# X-Debian-Packages: policycoreutils
#
|
###########################
# load_policy_t is the domain type for load_policy
# load_policy_exec_t is the file type for the executable
|
|
# Process domain for load_policy; the "domain" attribute marks it as a
# type that processes may run in (see header comment above).
type load_policy_t, domain;
# Roles allowed to be associated with load_policy_t: sysadm_r here,
# secadm_r and system_r on the following lines.
role sysadm_r types load_policy_t;
# The security-administrator role may also run this domain; the exec
# transition below is granted to the secadmin attribute accordingly.
role secadm_r types load_policy_t;
# system_r: presumably so init scripts (initrc_t, see fd use rule below)
# can run load_policy at boot — confirm against the initrc policy.
role system_r types load_policy_t;
|
# Type of the load_policy binary itself. exec_type marks it as an
# entrypoint candidate; sysadmfile presumably lets sysadm manage the file.
type load_policy_exec_t, file_type, exec_type, sysadmfile;
|
##########################
#
# Rules
|
# Automatic domain transition: a secadmin domain executing
# load_policy_exec_t enters load_policy_t. This is the only entry into the
# domain defined in this file, so the ability to (re)load policy is gated
# on who may reach the secadmin attribute.
domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
|
# Read/write the system console (for status and error output).
allow load_policy_t console_device_t:chr_file { read write };
|
# Reload the policy configuration (sysadm_t no longer has this ability)
# The privileged operation this domain exists for: presumably grants the
# security-server load_policy permission (macro defined elsewhere — verify).
can_loadpol(load_policy_t)
|
# Reset policy boolean values.
# Also allows changing policy booleans (load_policy resets them on reload).
can_setbool(load_policy_t)
|
|
###########################
# constrain from where load_policy can load a policy, specifically
# policy_config_t files
#
|
# only allow read of policy config files
# Search only on the policy source tree — no read of source files; the
# binary policy lives under policy_config_t (next rule).
allow load_policy_t policy_src_t:dir search;
# Read-only access to the compiled policy files; deliberately no write,
# so this domain cannot alter what it loads.
r_dir_file(load_policy_t, policy_config_t)
# Read-only access to the SELinux configuration (e.g. to locate the policy
# to load — presumably; confirm against the load_policy source).
r_dir_file(load_policy_t, selinux_config_t)
|
# directory search permissions for path to binary policy files
# Path traversal to the policy files: / and /etc are searchable, nothing more.
allow load_policy_t root_t:dir search;
# Search (not read) of etc_t directories on the way to the policy files.
allow load_policy_t etc_t:dir search;
|
# Read the devpts root directory (needed?)
# NOTE(review): the author's "(needed?)" above stands — if no denial is
# observed without it, this read access to /dev/pts can be dropped.
allow load_policy_t devpts_t:dir r_dir_perms;
|
# Other access
# Terminal access for the invoking admin or init script, so output and
# errors reach the caller's tty/pty.
allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
# Dynamic linking: read/execute shared libraries and the loader.
uses_shlib(load_policy_t)
# dac_override bypasses all DAC read/write/execute checks. NOTE(review):
# if this is only needed to read root-owned policy files when run from a
# non-root uid, the narrower dac_read_search would suffice — confirm.
allow load_policy_t self:capability dac_override;
|
# Use file descriptors inherited across the exec transition from user
# domains, privfd domains and init scripts (stdin/stdout/stderr).
allow load_policy_t { userdomain privfd initrc_t }:fd use;
|
# statfs on the root filesystem; getattr only, no mount or remount.
allow load_policy_t fs_t:filesystem getattr;
|
# Read locale data for message formatting.
read_locale(load_policy_t)