|
Chris PeBenito |
0fbfa5 |
#DESC PRELINK - Security Enhanced version of the GNU Prelink
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Author: Dan Walsh <dwalsh@redhat.com>
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#################################
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Rules for the prelink_t domain.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# prelink_exec_t is the type of the prelink executable.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
daemon_base_domain(prelink, `, admin')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
if (allow_execmem) {
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t self:process execmem;
|
|
Chris PeBenito |
0fbfa5 |
}
|
|
Chris PeBenito |
0fbfa5 |
if (allow_execmod) {
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t texrel_shlib_t:file execmod;
|
|
Chris PeBenito |
0fbfa5 |
}
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t fs_t:filesystem getattr;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`crond.te', `
|
|
Chris PeBenito |
0fbfa5 |
system_crond_entry(prelink_exec_t, prelink_t)
|
|
Chris PeBenito |
0fbfa5 |
allow system_crond_t prelink_log_t:dir rw_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow system_crond_t prelink_log_t:file create_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow system_crond_t prelink_cache_t:file { getattr read unlink };
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t crond_log_t:file append;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
logdir_domain(prelink)
|
|
Chris PeBenito |
0fbfa5 |
type etc_prelink_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
type var_lock_prelink_t, file_type, sysadmfile, lockfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t etc_prelink_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t file_type:dir rw_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t file_type:lnk_file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t file_type:file getattr;
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `var_lib_xkb_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t ld_so_t:file execute_no_trans;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t self:capability { chown dac_override fowner fsetid };
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t self:fifo_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t self:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
dontaudit prelink_t sysctl_kernel_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
dontaudit prelink_t sysctl_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t etc_runtime_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
read_locale(prelink_t)
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t urandom_device_t:chr_file read;
|
|
Chris PeBenito |
0fbfa5 |
allow prelink_t proc_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# prelink_cache_t is the type of /etc/prelink.cache.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
type prelink_cache_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
file_type_auto_trans(prelink_t, etc_t, prelink_cache_t, file)
|