diff --git a/refpolicy/policy/modules/admin/dmesg.fc b/refpolicy/policy/modules/admin/dmesg.fc
index 1969a01..232c7e7 100644
--- a/refpolicy/policy/modules/admin/dmesg.fc
+++ b/refpolicy/policy/modules/admin/dmesg.fc
@@ -1,2 +1,2 @@
-/bin/dmesg -- system_u:object_r:dmesg_exec_t
+/bin/dmesg -- context_template(system_u:object_r:dmesg_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/logrotate.fc b/refpolicy/policy/modules/admin/logrotate.fc
index 618ff00..f95e91a 100644
--- a/refpolicy/policy/modules/admin/logrotate.fc
+++ b/refpolicy/policy/modules/admin/logrotate.fc
@@ -1,16 +1,16 @@
-/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
+/etc/cron\.(daily|weekly)/sysklogd -- context_template(system_u:object_r:logrotate_exec_t,s0)
-/usr/sbin/logcheck -- system_u:object_r:logrotate_exec_t
-/usr/sbin/logrotate -- system_u:object_r:logrotate_exec_t
+/usr/sbin/logcheck -- context_template(system_u:object_r:logrotate_exec_t,s0)
+/usr/sbin/logrotate -- context_template(system_u:object_r:logrotate_exec_t,s0)
-/var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t
+/var/lib/logcheck(/.*)? context_template(system_u:object_r:logrotate_var_lib_t,s0)
 # using a hard-coded name under /var/tmp is a bug - new version fixes it
-/var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t
+/var/tmp/logcheck -d context_template(system_u:object_r:logrotate_tmp_t,s0)
 ifdef(`distro_debian', `
-/usr/bin/savelog -- system_u:object_r:logrotate_exec_t
-/var/lib/logrotate(/.*)? system_u:object_r:logrotate_var_lib_t
+/usr/bin/savelog -- context_template(system_u:object_r:logrotate_exec_t,s0)
+/var/lib/logrotate(/.*)? context_template(system_u:object_r:logrotate_var_lib_t,s0)
 ', `
-/var/lib/logrotate\.status -- system_u:object_r:logrotate_var_lib_t
+/var/lib/logrotate\.status -- context_template(system_u:object_r:logrotate_var_lib_t,s0)
 ')
diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc
index d45164b..c7b02a4 100644
--- a/refpolicy/policy/modules/admin/rpm.fc
+++ b/refpolicy/policy/modules/admin/rpm.fc
@@ -1,32 +1,32 @@
-/bin/rpm -- system_u:object_r:rpm_exec_t
+/bin/rpm -- context_template(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/apt-get -- system_u:object_r:rpm_exec_t
-/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
-/usr/bin/synaptic -- system_u:object_r:rpm_exec_t
-/usr/bin/yum -- system_u:object_r:rpm_exec_t
+/usr/bin/apt-get -- context_template(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell -- context_template(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/synaptic -- context_template(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum -- context_template(system_u:object_r:rpm_exec_t,s0)
-/usr/lib(64)?/rpm/rpmd -- system_u:object_r:bin_t
-/usr/lib(64)?/rpm/rpmq -- system_u:object_r:bin_t
-/usr/lib(64)?/rpm/rpmk -- system_u:object_r:bin_t
-/usr/lib(64)?/rpm/rpmv -- system_u:object_r:bin_t
+/usr/lib(64)?/rpm/rpmd -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmq -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmk -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmv -- context_template(system_u:object_r:bin_t,s0)
 ifdef(`distro_redhat', `
-/usr/sbin/up2date -- system_u:object_r:rpm_exec_t
-/usr/sbin/rhn_check -- system_u:object_r:rpm_exec_t
+/usr/sbin/up2date -- context_template(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhn_check -- context_template(system_u:object_r:rpm_exec_t,s0)
 ')
-/var/lib/alternatives(/.*)? system_u:object_r:rpm_var_lib_t
+/var/lib/alternatives(/.*)? context_template(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/rpm(/.*)? system_u:object_r:rpm_var_lib_t
+/var/lib/rpm(/.*)? context_template(system_u:object_r:rpm_var_lib_t,s0)
-/var/log/rpmpkgs.* -- system_u:object_r:rpm_log_t
-/var/log/yum\.log -- system_u:object_r:rpm_log_t
+/var/log/rpmpkgs.* -- context_template(system_u:object_r:rpm_log_t,s0)
+/var/log/yum\.log -- context_template(system_u:object_r:rpm_log_t,s0)
 # SuSE
 ifdef(`distro_suse', `
-/usr/bin/online_update -- system_u:object_r:rpm_exec_t
-/sbin/yast2 -- system_u:object_r:rpm_exec_t
-/var/lib/YaST2(/.*)? system_u:object_r:rpm_var_lib_t
-/var/log/YaST2(/.*)? system_u:object_r:rpm_log_t
+/usr/bin/online_update -- context_template(system_u:object_r:rpm_exec_t,s0)
+/sbin/yast2 -- context_template(system_u:object_r:rpm_exec_t,s0)
+/var/lib/YaST2(/.*)? context_template(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/YaST2(/.*)? context_template(system_u:object_r:rpm_log_t,s0)
 ')
diff --git a/refpolicy/policy/modules/services/cron.fc b/refpolicy/policy/modules/services/cron.fc
index 2a07a13..a9e2714 100644
--- a/refpolicy/policy/modules/services/cron.fc
+++ b/refpolicy/policy/modules/services/cron.fc
@@ -1,40 +1,38 @@
-/etc/cron\.d(/.*)? system_u:object_r:system_cron_spool_t
-/etc/crontab -- system_u:object_r:system_cron_spool_t
+/etc/cron\.d(/.*)? context_template(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab -- context_template(system_u:object_r:system_cron_spool_t,s0)
-/usr/bin/at -- system_u:object_r:crontab_exec_t
-/usr/bin/(f)?crontab -- system_u:object_r:crontab_exec_t
+/usr/bin/at -- context_template(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab -- context_template(system_u:object_r:crontab_exec_t,s0)
-/usr/sbin/anacron -- system_u:object_r:anacron_exec_t
-/usr/sbin/atd -- system_u:object_r:crond_exec_t
-/usr/sbin/cron(d)? -- system_u:object_r:crond_exec_t
-/usr/sbin/fcron -- system_u:object_r:crond_exec_t
+/usr/sbin/anacron -- context_template(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd -- context_template(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)? -- context_template(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron -- context_template(system_u:object_r:crond_exec_t,s0)
-/var/log/cron.* -- system_u:object_r:crond_log_t
+/var/log/cron.* -- context_template(system_u:object_r:crond_log_t,s0)
-/var/run/atd\.pid -- system_u:object_r:crond_var_run_t
-/var/run/crond?\.pid -- system_u:object_r:crond_var_run_t
-/var/run/crond\.reboot -- system_u:object_r:crond_var_run_t
-/var/run/fcron\.fifo -s system_u:object_r:crond_var_run_t
-/var/run/fcron\.pid -- system_u:object_r:crond_var_run_t
+/var/run/atd\.pid -- context_template(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid -- context_template(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond\.reboot -- context_template(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo -s context_template(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid -- context_template(system_u:object_r:crond_var_run_t,s0)
-/var/spool/at -d system_u:object_r:cron_spool_t
-/var/spool/at/spool -d system_u:object_r:cron_spool_t
+/var/spool/at -d context_template(system_u:object_r:cron_spool_t,s0)
+/var/spool/at/spool -d context_template(system_u:object_r:cron_spool_t,s0)
 /var/spool/at/[^/]* -- <>
-/var/spool/cron -d system_u:object_r:cron_spool_t
-/var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t
+/var/spool/cron -d context_template(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/root -- context_template(system_u:object_r:sysadm_cron_spool_t,s0)
 /var/spool/cron/[^/]* -- <>
-/var/spool/cron/crontabs -d system_u:object_r:cron_spool_t
+/var/spool/cron/crontabs -d context_template(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/crontabs/.* -- <>
-/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t
+/var/spool/cron/crontabs/root -- context_template(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/fcron -d system_u:object_r:cron_spool_t
+/var/spool/fcron -d context_template(system_u:object_r:cron_spool_t,s0)
 /var/spool/fcron/.* <>
-/var/spool/fcron/systab\.orig -- system_u:object_r:system_cron_spool_t
-/var/spool/fcron/systab -- system_u:object_r:system_cron_spool_t
-/var/spool/fcron/new\.systab -- system_u:object_r:system_cron_spool_t
-
-
+/var/spool/fcron/systab\.orig -- context_template(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab -- context_template(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/new\.systab -- context_template(system_u:object_r:system_cron_spool_t,s0)
diff --git a/refpolicy/policy/modules/services/inetd.fc b/refpolicy/policy/modules/services/inetd.fc
index bd8d9a1..eb76afb 100644
--- a/refpolicy/policy/modules/services/inetd.fc
+++ b/refpolicy/policy/modules/services/inetd.fc
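Review bot: The cron log entry `+/var/log/cron.* -- context_template(system_u:object_r:crond_log_t,s0)` pins the log to the lowest level even though, under MLS, cron jobs may run at any level and all of them report into this one file, so a log fixed at s0 is a write-down target for every higher-level job unless crond is separately exempted by the MLS constraints. If this policy already has a system-high level (later refpolicy labels this file with `mls_systemhigh`), that is the value to consider for this line rather than s0; the other log files converted in this commit (rpm, inetd, kerberos) are single-daemon logs and are less clearly affected. This is inferred from the MLS model rather than from anything visible in the hunk, so confirm it against how the policy's MLS constraints treat crond before changing the label.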
@@ -1,10 +1,10 @@
-/usr/sbin/identd -- system_u:object_r:inetd_child_exec_t
-/usr/sbin/in\..*d -- system_u:object_r:inetd_child_exec_t
-/usr/sbin/inetd -- system_u:object_r:inetd_exec_t
-/usr/sbin/rlinetd -- system_u:object_r:inetd_exec_t
-/usr/sbin/xinetd -- system_u:object_r:inetd_exec_t
+/usr/sbin/identd -- context_template(system_u:object_r:inetd_child_exec_t,s0)
+/usr/sbin/in\..*d -- context_template(system_u:object_r:inetd_child_exec_t,s0)
+/usr/sbin/inetd -- context_template(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/rlinetd -- context_template(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/xinetd -- context_template(system_u:object_r:inetd_exec_t,s0)
-/var/log/(x)?inetd\.log -- system_u:object_r:inetd_log_t
+/var/log/(x)?inetd\.log -- context_template(system_u:object_r:inetd_log_t,s0)
-/var/run/inetd\.pid -- system_u:object_r:inetd_var_run_t
+/var/run/inetd\.pid -- context_template(system_u:object_r:inetd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/kerberos.fc b/refpolicy/policy/modules/services/kerberos.fc
index a7eef84..830b095 100644
--- a/refpolicy/policy/modules/services/kerberos.fc
+++ b/refpolicy/policy/modules/services/kerberos.fc
@@ -1,17 +1,17 @@
-/etc/krb5\.conf -- system_u:object_r:krb5_conf_t
-/etc/krb5\.keytab system_u:object_r:krb5_keytab_t
+/etc/krb5\.conf -- context_template(system_u:object_r:krb5_conf_t,s0)
+/etc/krb5\.keytab context_template(system_u:object_r:krb5_keytab_t,s0)
-/usr(/local)?(/kerberos)?/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t
-/usr(/local)?(/kerberos)?/sbin/kadmind -- system_u:object_r:kadmind_exec_t
+/usr(/local)?(/kerberos)?/sbin/krb5kdc -- context_template(system_u:object_r:krb5kdc_exec_t,s0)
+/usr(/local)?(/kerberos)?/sbin/kadmind -- context_template(system_u:object_r:kadmind_exec_t,s0)
-/usr/local/var/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
-/usr/local/var/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
+/usr/local/var/krb5kdc(/.*)? context_template(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/local/var/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
-/var/kerberos/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
+/var/kerberos/krb5kdc(/.*)? context_template(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0)
-/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t
-/var/log/kadmind\.log system_u:object_r:kadmind_log_t
+/var/log/krb5kdc\.log context_template(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmind\.log context_template(system_u:object_r:kadmind_log_t,s0)
 #this goes to su:
-#/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t
+#/usr(/local)?/bin/ksu -- context_template(system_u:object_r:su_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/nis.fc b/refpolicy/policy/modules/services/nis.fc
index 82cfe93..efa8b7c 100644
--- a/refpolicy/policy/modules/services/nis.fc
+++ b/refpolicy/policy/modules/services/nis.fc
@@ -1,6 +1,6 @@
-/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t
+/etc/ypserv\.conf -- context_template(system_u:object_r:ypserv_conf_t,s0)
-/sbin/ypbind -- system_u:object_r:ypbind_exec_t
+/sbin/ypbind -- context_template(system_u:object_r:ypbind_exec_t,s0)
-/usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t
+/usr/sbin/ypserv -- context_template(system_u:object_r:ypserv_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/ssh.fc b/refpolicy/policy/modules/services/ssh.fc
index 7dde1fd..46d3cb8 100644
--- a/refpolicy/policy/modules/services/ssh.fc
+++ b/refpolicy/policy/modules/services/ssh.fc
@@ -1,16 +1,16 @@
-/etc/ssh/primes -- system_u:object_r:sshd_key_t
-/etc/ssh/ssh_host_key -- system_u:object_r:sshd_key_t
-/etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t
-/etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t
+/etc/ssh/primes -- context_template(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_key -- context_template(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_dsa_key -- context_template(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_rsa_key -- context_template(system_u:object_r:sshd_key_t,s0)
-/usr/bin/ssh -- system_u:object_r:ssh_exec_t
-/usr/bin/ssh-agent -- system_u:object_r:ssh_agent_exec_t
-/usr/bin/ssh-keygen -- system_u:object_r:ssh_keygen_exec_t
+/usr/bin/ssh -- context_template(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh-agent -- context_template(system_u:object_r:ssh_agent_exec_t,s0)
+/usr/bin/ssh-keygen -- context_template(system_u:object_r:ssh_keygen_exec_t,s0)
-/usr/sbin/sshd -- system_u:object_r:sshd_exec_t
+/usr/sbin/sshd -- context_template(system_u:object_r:sshd_exec_t,s0)
-/var/run/sshd\.init\.pid -- system_u:object_r:sshd_var_run_t
+/var/run/sshd\.init\.pid -- context_template(system_u:object_r:sshd_var_run_t,s0)
 ifdef(`targeted_policy', `', `
-HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t
+HOME_DIR/\.ssh(/.*)? context_template(system_u:object_r:ROLE_home_ssh_t,s0)
 ')
diff --git a/refpolicy/policy/modules/system/fstools.fc b/refpolicy/policy/modules/system/fstools.fc
index cc1d414..f24fd8c 100644
--- a/refpolicy/policy/modules/system/fstools.fc
+++ b/refpolicy/policy/modules/system/fstools.fc
@@ -1,36 +1,36 @@
-/sbin/blockdev -- system_u:object_r:fsadm_exec_t
-/sbin/cfdisk -- system_u:object_r:fsadm_exec_t
-/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
-/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
-/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
-/sbin/e2label -- system_u:object_r:fsadm_exec_t
-/sbin/fdisk -- system_u:object_r:fsadm_exec_t
-/sbin/findfs -- system_u:object_r:fsadm_exec_t
-/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
-/sbin/hdparm -- system_u:object_r:fsadm_exec_t
-/sbin/install-mbr -- system_u:object_r:fsadm_exec_t
-/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
-/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
-/sbin/lsraid -- system_u:object_r:fsadm_exec_t
-/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
-/sbin/mke2fs -- system_u:object_r:fsadm_exec_t
-/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
-/sbin/mkraid -- system_u:object_r:fsadm_exec_t
-/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t
-/sbin/mkswap -- system_u:object_r:fsadm_exec_t
-/sbin/parted -- system_u:object_r:fsadm_exec_t
-/sbin/partprobe -- system_u:object_r:fsadm_exec_t
-/sbin/partx -- system_u:object_r:fsadm_exec_t
-/sbin/raidstart -- system_u:object_r:fsadm_exec_t
-/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t
-/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t
-/sbin/scsi_info -- system_u:object_r:fsadm_exec_t
-/sbin/sfdisk -- system_u:object_r:fsadm_exec_t
-/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
-/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
+/sbin/blockdev -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/cfdisk -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dosfsck -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dumpe2fs -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/e2fsck -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/e2label -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/fdisk -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/findfs -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/fsck.* -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/hdparm -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/install-mbr -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/jfs_.* -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/losetup.* -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/lsraid -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkdosfs -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mke2fs -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkfs.* -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkraid -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkreiserfs -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkswap -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/parted -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/partprobe -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/partx -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/raidstart -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/reiserfs(ck|tune) -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/resize.*fs -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/scsi_info -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/sfdisk -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/swapon.* -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/tune2fs -- context_template(system_u:object_r:fsadm_exec_t,s0)
-/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
-/usr/bin/raw -- system_u:object_r:fsadm_exec_t
-/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t
+/usr/bin/partition_uuid -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/raw -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/scsi_unique_id -- context_template(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t
+/usr/sbin/smartctl -- context_template(system_u:object_r:fsadm_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/unconfined.fc b/refpolicy/policy/modules/system/unconfined.fc
index c3a6c12..cc078b1 100644
--- a/refpolicy/policy/modules/system/unconfined.fc
+++ b/refpolicy/policy/modules/system/unconfined.fc
@@ -1,3 +1,3 @@
 # Add programs here which should not be confined by SELinux
 # e.g.:
-# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t
+# /usr/local/bin/appsrv -- context_template(system_u:object_r:unconfined_exec_t,s0)