diff --git a/strict/domains/program/NetworkManager.te b/strict/domains/program/NetworkManager.te
new file mode 100644
index 0000000..1ef8916
--- /dev/null
+++ b/strict/domains/program/NetworkManager.te
@@ -0,0 +1,108 @@
+#DESC NetworkManager -
+#
+# Authors: Dan Walsh
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon.
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+ifdef(`named.te', `
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow named_t NetworkManager_t:netlink_route_socket { read write };
+allow NetworkManager_t named_t:process signal;
+allow named_t NetworkManager_t:packet_socket { read write };
+')
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t self:dbus send_msg;
+ifdef(`hald.te', `
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+allow NetworkManager_t initrc_t:dbus send_msg;
+allow initrc_t NetworkManager_t:dbus send_msg;
+ifdef(`targeted_policy', `
+allow NetworkManager_t unconfined_t:dbus send_msg;
+allow unconfined_t NetworkManager_t:dbus send_msg;
+')
+allow NetworkManager_t userdomain:dbus send_msg;
+allow userdomain NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+r_dir_file(NetworkManager_t, proc_net_t)
+
+allow NetworkManager_t { domain -unrestricted }:dir search;
+allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+dontaudit NetworkManager_t unrestricted:dir search;
+dontaudit NetworkManager_t unrestricted:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
+allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+
+domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
+domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
+ifdef(`vpnc.te', `
+domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
+')
+
+ifdef(`dhcpc.te', `
+allow NetworkManager_t dhcp_state_t:dir search;
+allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
+')
+allow NetworkManager_t var_lib_t:dir search;
+dontaudit NetworkManager_t user_tty_type:chr_file { read write };
diff --git a/strict/domains/program/alsa.te b/strict/domains/program/alsa.te
new file mode 100644
index 0000000..5717244
--- /dev/null
+++ b/strict/domains/program/alsa.te
@@ -0,0 +1,17 @@
+#DESC ainit - configuration tool for ALSA
+#
+# Author: Dan Walsh
+#
+#
+type alsa_t, domain, privlog, daemon;
+type alsa_exec_t, file_type, sysadmfile, exec_type;
+uses_shlib(alsa_t)
+allow alsa_t self:sem create_sem_perms;
+allow alsa_t self:shm create_shm_perms;
+allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
+rw_dir_create_file(alsa_t,alsa_etc_rw_t)
+allow alsa_t self:capability { setgid setuid ipc_owner };
+allow alsa_t devpts_t:chr_file { read write };
+allow alsa_t etc_t:file { getattr read };
+domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
diff --git a/strict/domains/program/dmidecode.te b/strict/domains/program/dmidecode.te
new file mode 100644
index 0000000..05b93f7
--- /dev/null
+++ b/strict/domains/program/dmidecode.te
@@ -0,0 +1,22 @@
+#DESC dmidecode - decodes DMI data for x86/ia64 bioses
+#
+# Author: Ivan Gyurdiev
+#
+
+type dmidecode_t, domain, privmem;
+type dmidecode_exec_t, file_type, exec_type, sysadmfile;
+
+# Allow execution by the sysadm
+role sysadm_r types dmidecode_t;
+role system_r types dmidecode_t;
+domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
+
+uses_shlib(dmidecode_t)
+
+# Allow terminal access
+access_terminal(dmidecode_t, sysadm)
+
+# Allow dmidecode to read /dev/mem
+allow dmidecode_t memory_device_t:chr_file read;
+
+allow dmidecode_t self:capability sys_rawio;
diff --git a/strict/domains/program/unused/NetworkManager.te b/strict/domains/program/unused/NetworkManager.te
deleted file mode 100644
index 1ef8916..0000000
--- a/strict/domains/program/unused/NetworkManager.te
+++ /dev/null
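Review bot: `allow NetworkManager_t port_type:tcp_socket name_connect;` grants outbound connects to every labelled port type, and `can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })` lets the daemon run any binary under bin_t/sbin_t or a shell inside its own domain, so the domain's other grants (`dac_override`, `net_admin`, `net_raw`, `sys_module`) are available to whatever those helpers do. Where the needed ports and helpers are known, naming the specific port types and giving each helper its own transition, as the file already does for dhcpc, insmod, ifconfig and vpnc, would keep the domain's footprint bounded. `sys_module` on self also looks redundant next to `domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)`, unless the daemon loads modules without going through insmod; a comment on the capability line stating which is the case would settle it. The `{ domain -unrestricted }:file { getattr read }` rule presumably exists to read the /proc entries of other confined domains, and a short comment such as `# read /proc/<pid> of confined domains to find helper processes` (or the real reason) above it would make the grant reviewable.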
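Review bot: `allow alsa_t devpts_t:chr_file { read write };` in alsa.te grants read/write on everything labelled devpts_t, which is presumably the generic /dev/pts type rather than the terminal ainit was started from; if the tool only needs the console it inherits from pam_console_t, a terminal-access macro like the `access_terminal` used in dmidecode.te would be the narrower grant. The `setgid setuid ipc_owner` capabilities, the `daemon` attribute on `alsa_t` and the `pam_console_t` transition are also uncommented, unlike dmidecode.te where every grant carries a one-line reason. A comment above the capability rule stating which operation needs each capability (in particular `ipc_owner`, which reaches SysV IPC objects owned by other users) would record the rationale for the next reviewer.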
@@ -1,108 +0,0 @@
-#DESC NetworkManager -
-#
-# Authors: Dan Walsh
-#
-#
-
-#################################
-#
-# Rules for the NetworkManager_t domain.
-#
-# NetworkManager_t is the domain for the NetworkManager daemon.
-# NetworkManager_exec_t is the type of the NetworkManager executable.
-#
-daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod' )
-
-can_network(NetworkManager_t)
-allow NetworkManager_t port_type:tcp_socket name_connect;
-allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
-allow NetworkManager_t dhcpc_t:process signal;
-
-can_ypbind(NetworkManager_t)
-uses_shlib(NetworkManager_t)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
-
-allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-allow NetworkManager_t self:process { setcap getsched };
-allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
-allow NetworkManager_t self:file { getattr read };
-allow NetworkManager_t self:packet_socket create_socket_perms;
-allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-
-
-#
-# Communicate with Caching Name Server
-#
-ifdef(`named.te', `
-allow NetworkManager_t named_zone_t:dir search;
-rw_dir_create_file(NetworkManager_t, named_cache_t)
-domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
-allow named_t NetworkManager_t:udp_socket { read write };
-allow named_t NetworkManager_t:netlink_route_socket { read write };
-allow NetworkManager_t named_t:process signal;
-allow named_t NetworkManager_t:packet_socket { read write };
-')
-
-allow NetworkManager_t selinux_config_t:dir search;
-allow NetworkManager_t selinux_config_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, NetworkManager)
-allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow NetworkManager_t self:dbus send_msg;
-ifdef(`hald.te', `
-allow NetworkManager_t hald_t:dbus send_msg;
-allow hald_t NetworkManager_t:dbus send_msg;
-')
-allow NetworkManager_t initrc_t:dbus send_msg;
-allow initrc_t NetworkManager_t:dbus send_msg;
-ifdef(`targeted_policy', `
-allow NetworkManager_t unconfined_t:dbus send_msg;
-allow unconfined_t NetworkManager_t:dbus send_msg;
-')
-allow NetworkManager_t userdomain:dbus send_msg;
-allow userdomain NetworkManager_t:dbus send_msg;
-')
-
-allow NetworkManager_t usr_t:file { getattr read };
-
-ifdef(`ifconfig.te', `
-domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-allow NetworkManager_t { sbin_t bin_t }:dir search;
-allow NetworkManager_t bin_t:lnk_file read;
-can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
-
-# in /etc created by NetworkManager will be labelled net_conf_t.
-file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
-
-allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
-allow NetworkManager_t proc_t:file { getattr read };
-r_dir_file(NetworkManager_t, proc_net_t)
-
-allow NetworkManager_t { domain -unrestricted }:dir search;
-allow NetworkManager_t { domain -unrestricted }:file { getattr read };
-dontaudit NetworkManager_t unrestricted:dir search;
-dontaudit NetworkManager_t unrestricted:file { getattr read };
-
-allow NetworkManager_t howl_t:process signal;
-allow NetworkManager_t initrc_var_run_t:file { getattr read };
-
-domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
-allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
-
-domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
-domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`vpnc.te', `
-domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
-')
-
-ifdef(`dhcpc.te', `
-allow NetworkManager_t dhcp_state_t:dir search;
-allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
-')
-allow NetworkManager_t var_lib_t:dir search;
-dontaudit NetworkManager_t user_tty_type:chr_file { read write };
diff --git a/strict/domains/program/unused/alsa.te b/strict/domains/program/unused/alsa.te
deleted file mode 100644
index 5717244..0000000
--- a/strict/domains/program/unused/alsa.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC ainit - configuration tool for ALSA
-#
-# Author: Dan Walsh
-#
-#
-type alsa_t, domain, privlog, daemon;
-type alsa_exec_t, file_type, sysadmfile, exec_type;
-uses_shlib(alsa_t)
-allow alsa_t self:sem create_sem_perms;
-allow alsa_t self:shm create_shm_perms;
-allow alsa_t self:unix_stream_socket create_stream_socket_perms;
-type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
-rw_dir_create_file(alsa_t,alsa_etc_rw_t)
-allow alsa_t self:capability { setgid setuid ipc_owner };
-allow alsa_t devpts_t:chr_file { read write };
-allow alsa_t etc_t:file { getattr read };
-domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
diff --git a/strict/domains/program/unused/dmidecode.te b/strict/domains/program/unused/dmidecode.te
deleted file mode 100644
index 05b93f7..0000000
--- a/strict/domains/program/unused/dmidecode.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC dmidecode - decodes DMI data for x86/ia64 bioses
-#
-# Author: Ivan Gyurdiev
-#
-
-type dmidecode_t, domain, privmem;
-type dmidecode_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types dmidecode_t;
-role system_r types dmidecode_t;
-domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
-
-uses_shlib(dmidecode_t)
-
-# Allow terminal access
-access_terminal(dmidecode_t, sysadm)
-
-# Allow dmidecode to read /dev/mem
-allow dmidecode_t memory_device_t:chr_file read;
-
-allow dmidecode_t self:capability sys_rawio;