rpms / selinux-policy

Clone
Source Code
GIT

Blame targeted/domains/program/setfiles.te

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   ab58ad00cd257a0b150954ef2892565aecb0d782
  2.   targeted
  3.   domains
  4.   program
  5.   setfiles.te
Blob History Raw
Chris PeBenito ab58ad 
#DESC Setfiles - SELinux filesystem labeling utilities
Chris PeBenito ab58ad 
#
Chris PeBenito ab58ad 
# Authors:  Russell Coker <russell@coker.com.au>
Chris PeBenito ab58ad 
# X-Debian-Packages: policycoreutils
Chris PeBenito ab58ad 
#
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
#################################
Chris PeBenito ab58ad 
#
Chris PeBenito ab58ad 
# Rules for the setfiles_t domain.
Chris PeBenito ab58ad 
#
Chris PeBenito ab58ad 
# setfiles_exec_t is the type of the setfiles executable.
Chris PeBenito ab58ad 
#
Chris PeBenito ab58ad 
# needs auth_write attribute because it has relabelfrom/relabelto
Chris PeBenito ab58ad 
# access to shadow_t
Chris PeBenito ab58ad 
type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
Chris PeBenito ab58ad 
type setfiles_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
role system_r types setfiles_t;
Chris PeBenito ab58ad 
role sysadm_r types setfiles_t;
Chris PeBenito ab58ad 
role secadm_r types setfiles_t;
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
ifdef(`distro_redhat', `
Chris PeBenito ab58ad 
domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
Chris PeBenito ab58ad 
')
Chris PeBenito ab58ad 
can_access_pty(hostname_t, initrc)
Chris PeBenito ab58ad 
allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
allow setfiles_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
Chris PeBenito ab58ad 
allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
uses_shlib(setfiles_t)
Chris PeBenito ab58ad 
allow setfiles_t self:capability { dac_override dac_read_search fowner };
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# for upgrading glibc and other shared objects - without this the upgrade
Chris PeBenito ab58ad 
# scripts will put things in a state such that setfiles can not be run!
Chris PeBenito ab58ad 
allow setfiles_t lib_t:file { read execute };
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Get security policy decisions.
Chris PeBenito ab58ad 
can_getsecurity(setfiles_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
allow setfiles_t file_type:dir r_dir_perms;
Chris PeBenito ab58ad 
allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
Chris PeBenito ab58ad 
allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
Chris PeBenito ab58ad 
allow setfiles_t unlabeled_t:dir read;
Chris PeBenito ab58ad 
allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
Chris PeBenito ab58ad 
allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
Chris PeBenito ab58ad 
# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
Chris PeBenito ab58ad 
dontaudit setfiles_t ttyfile:chr_file relabelfrom;
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
allow setfiles_t fs_t:filesystem getattr;
Chris PeBenito ab58ad 
allow setfiles_t fs_type:dir r_dir_perms;
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
read_locale(setfiles_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
allow setfiles_t etc_runtime_t:file { getattr read };
Chris PeBenito ab58ad 
allow setfiles_t etc_t:file { getattr read };
Chris PeBenito ab58ad 
allow setfiles_t proc_t:file { getattr read };
Chris PeBenito ab58ad 
dontaudit setfiles_t proc_t:lnk_file { getattr read };
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# for config files in a home directory
Chris PeBenito ab58ad 
allow setfiles_t home_type:file r_file_perms;
Chris PeBenito ab58ad 
dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation