diff --git a/strict/domains/program/NetworkManager.te b/strict/domains/program/NetworkManager.te
index 1ef8916..e4efdd6 100644
--- a/strict/domains/program/NetworkManager.te
+++ b/strict/domains/program/NetworkManager.te
@@ -11,16 +11,16 @@
 # NetworkManager_t is the domain for the NetworkManager daemon.
 # NetworkManager_exec_t is the type of the NetworkManager executable.
 #
-daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod' )
+daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
 can_network(NetworkManager_t)
 allow NetworkManager_t port_type:tcp_socket name_connect;
-allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
 allow NetworkManager_t dhcpc_t:process signal;
 can_ypbind(NetworkManager_t)
 uses_shlib(NetworkManager_t)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
 allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
@@ -93,6 +93,9 @@ allow NetworkManager_t initrc_var_run_t:file { getattr read };
 domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
 allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+# allow vpnc connections
+allow NetworkManager_t self:rawip_socket create_socket_perms;
+allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
 domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
 domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
@@ -106,3 +109,4 @@ allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
 ')
 allow NetworkManager_t var_lib_t:dir search;
 dontaudit NetworkManager_t user_tty_type:chr_file { read write };
+dontaudit NetworkManager_t security_t:dir search;
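Review bot: The two rules under `# allow vpnc connections` grant NetworkManager_t itself raw IP sockets and read/write on tun_tap_device_t, on top of the net_raw and net_admin capabilities it already holds, instead of confining that access to the VPN helper; the comment does not say which part of the daemon needs them. If vpnc is launched by NetworkManager, a domain transition of the kind this file already uses for dhcpc_exec_t and insmod_exec_t would keep the raw-socket and tun/tap access out of the daemon's own domain (whether such a transition exists elsewhere in the file is not visible here). If the daemon really opens them itself, say so, e.g. `# NetworkManager itself opens raw IP sockets and the tun/tap device for vpnc tunnels`. The `mlsfileread` attribute and the `ipc_lock` capability are also added without a word on why.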
diff --git a/strict/domains/program/alsa.te b/strict/domains/program/alsa.te
index 5717244..ab80475 100644
--- a/strict/domains/program/alsa.te
+++ b/strict/domains/program/alsa.te
@@ -6,12 +6,19 @@ type alsa_t, domain, privlog, daemon;
 type alsa_exec_t, file_type, sysadmfile, exec_type;
 uses_shlib(alsa_t)
-allow alsa_t self:sem create_sem_perms;
-allow alsa_t self:shm create_shm_perms;
+allow alsa_t { unpriv_userdomain self }:sem create_sem_perms;
+allow alsa_t { unpriv_userdomain self }:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
+allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
+
 type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
 rw_dir_create_file(alsa_t,alsa_etc_rw_t)
 allow alsa_t self:capability { setgid setuid ipc_owner };
+dontaudit alsa_t self:capability sys_admin;
 allow alsa_t devpts_t:chr_file { read write };
 allow alsa_t etc_t:file { getattr read };
 domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
+role system_r types alsa_t;
+read_locale(alsa_t)
diff --git a/strict/domains/program/amanda.te b/strict/domains/program/amanda.te
index 2785acf..4b63f5f 100644
--- a/strict/domains/program/amanda.te
+++ b/strict/domains/program/amanda.te
@@ -84,7 +84,6 @@ domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
 # configuration files -> read only
 allow amanda_t amanda_config_t:file { getattr read };
-allow amanda_t amanda_config_t:dir search;
 # access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file { getattr lock read write };
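Review bot: `allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };` gives every unprivileged user domain the full create_shm_perms set on segments labelled alsa_t, a domain that runs with setuid/setgid and ipc_owner, while the sem rule directly above is limited to `{ unix_read unix_write associate read write }`; the asymmetry reads as accidental. If user domains only need to attach to and use segments alsa_t creates, narrow the shm rule to the same shape as the sem rule; if they genuinely must create and destroy alsa_t segments, add a comment naming the ALSA component that needs it. A one-line comment above the four IPC rules, e.g. `# ALSA dmix/dsnoop plugins share semaphores and shm between users and the daemon`, would also explain the cross-domain IPC (confirm which plugin is meant). The amanda hunk on this line only removes a redundant rule.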
@@ -97,43 +96,18 @@ allow amanda_t amanda_data_t:dir { read search write }; allow amanda_t amanda_data_t:file { read write }; # access to proc_t -allow amanda_t proc_t:dir { getattr search }; allow amanda_t proc_t:file { getattr read }; # access to etc_t and similar -allow amanda_t etc_t:dir { getattr search }; allow amanda_t etc_t:file { getattr read }; allow amanda_t etc_runtime_t:file { getattr read }; -# access to var_t and similar -allow amanda_t var_t:dir search; -allow amanda_t var_lib_t:dir search; -allow amanda_t amanda_var_lib_t:dir search; - # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists) -allow amanda_t amanda_gnutarlists_t:dir { add_name read remove_name search write }; -allow amanda_t amanda_gnutarlists_t:file { create getattr read rename setattr unlink write }; - -# access to var_run_t -allow amanda_t var_run_t:dir search; - -# access to var_log_t -allow amanda_t var_log_t:dir getattr; - -# access to var_spool_t -allow amanda_t var_spool_t:dir getattr; - -# access to amanda_usr_lib_t -allow amanda_t amanda_usr_lib_t:dir search; +rw_dir_create_file(amanda_t, amanda_gnutarlists_t) # access to device_t and similar -allow amanda_t device_t:dir search; -allow amanda_t devpts_t:dir getattr; allow amanda_t devtty_t:chr_file { read write }; -# access to boot_t -allow amanda_t boot_t:dir getattr; - # access to fs_t allow amanda_t fs_t:filesystem getattr; @@ -158,7 +132,8 @@ allow amanda_t bin_t:file { execute execute_no_trans }; allow amanda_t self:capability { chown dac_override setuid }; allow amanda_t self:process { fork sigchld setpgid signal }; -allow amanda_t self:unix_dgram_socket create; +allow amanda_t self:dir search; +allow amanda_t self:file { getattr read }; ################################### 
@@ -170,7 +145,8 @@ can_ypbind(amanda_t); can_exec(amanda_t, sbin_t); allow amanda_t self:fifo_file { getattr read write ioctl lock }; -allow amanda_t self:unix_stream_socket { connect create read write }; +allow amanda_t self:unix_stream_socket create_stream_socket_perms; +allow amanda_t self:unix_dgram_socket create_socket_perms; ########################## @@ -192,18 +168,8 @@ allow inetd_t amanda_usr_lib_t:dir search; ######################## # access to user_home_t -allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read }; allow amanda_t user_home_type:file { getattr read }; -# access to file_t ( /floppy, /cdrom ) -allow amanda_t mnt_t:dir getattr; - -########### -# Dontaudit -########### -dontaudit amanda_t lost_found_t:dir { getattr read }; - - ############################################################################## # AMANDA RECOVER DECLARATIONS ############################################################################## @@ -214,7 +180,8 @@ dontaudit amanda_t lost_found_t:dir { getattr read }; # type for amrecover type amanda_recover_t, domain; -role sysadm_r types { amanda_recover_t amanda_recover_dir_t }; +role sysadm_r types amanda_recover_t; +role system_r types amanda_recover_t; # exec types for amrecover type amanda_recover_exec_t, file_type, sysadmfile, exec_type; 
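Review bot: `allow amanda_t self:unix_stream_socket create_stream_socket_perms;` widens the previous `{ connect create read write }` to the full stream-socket set, which by the macro's name includes listen/accept, without a comment saying which amanda component needs a listening unix socket; the amanda_recover_t rule in the next hunk keeps the narrow `{ connect create read write }`, so the two domains are now inconsistent. If the wider set is needed only for the dgram side (the new `self:unix_dgram_socket create_socket_perms` line), keep the stream rule as it was. In the -214 hunk, `role system_r types amanda_recover_t;` is added without a comment on why an interactive recovery tool needs the system role.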
@@ -236,22 +203,22 @@ file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t) uses_shlib(amanda_recover_t) allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal }; allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service }; -allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read }; +can_exec(amanda_recover_t, shell_exec_t) allow amanda_recover_t privfd:fd use; # amrecover network and process communication ############################################# -can_network_server(amanda_recover_t); +can_network(amanda_recover_t); +allow amanda_recover_t amanda_port_t:tcp_socket name_connect; can_ypbind(amanda_recover_t); +read_locale(amanda_recover_t); allow amanda_recover_t self:fifo_file { getattr ioctl read write }; allow amanda_recover_t self:unix_stream_socket { connect create read write }; - -allow amanda_t self:dir search; -allow amanda_t self:file { getattr read }; - +allow amanda_recover_t var_log_t:dir search; +rw_dir_create_file(amanda_recover_t, amanda_log_t) # amrecover file permissions ############################ 
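Review bot: `can_network(amanda_recover_t);` replaces `can_network_server` with the full networking macro, yet the only connection the hunk names is `amanda_port_t:tcp_socket name_connect`, so the domain gets server-side permissions it no longer seems to use. If the policy's `can_network_client` macro is available, it is the closer fit; otherwise a comment such as `# amrecover connects out to amindexd/amidxtaped on amanda_port_t` should explain the breadth. `rw_dir_create_file(amanda_recover_t, amanda_log_t)` together with `var_log_t:dir search` also deserves a line saying amrecover writes its own log under the amanda log directory. The amanda_recover_t section continues outside the hunk.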
@@ -301,22 +268,17 @@ allow amanda_recover_t tmp_t:dir search;
 #
 allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
-allow amanda_t file_type:dir {getattr read search };
+#amanda needs to look at fs_type directories to decide whether it should backup
+allow amanda_t { fs_type file_type }:dir {getattr read search };
 allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
 allow amanda_t device_type:{ blk_file chr_file } getattr;
 allow amanda_t fixed_disk_device_t:blk_file read;
 domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
-dontaudit amanda_t file_type:sock_file getattr;
+allow amanda_t file_type:sock_file getattr;
 logdir_domain(amanda)
-dontaudit amanda_t autofs_t:dir { getattr read search };
-dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
-dontaudit amanda_t nfs_t:dir { getattr read };
-dontaudit amanda_t proc_t:dir read;
 dontaudit amanda_t proc_t:lnk_file read;
-dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
-dontaudit amanda_t security_t:dir { getattr read };
-dontaudit amanda_t sysfs_t:dir { getattr read };
 dontaudit amanda_t unlabeled_t:file getattr;
-dontaudit amanda_t usbfs_t:dir getattr;
+#amanda wants to check attributes on fifo_files
+allow amanda_t file_type:fifo_file getattr;
diff --git a/strict/domains/program/bonobo.te b/strict/domains/program/bonobo.te
new file mode 100644
index 0000000..c23f1d2
--- /dev/null
+++ b/strict/domains/program/bonobo.te
@@ -0,0 +1,9 @@
+# DESC - Bonobo Activation Server
+#
+# Author: Ivan Gyurdiev
+#
+
+# Type for executable
+type bonobo_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/bonobo_macros.te
diff --git a/strict/domains/program/cvs.te b/strict/domains/program/cvs.te
new file mode 100644
index 0000000..324ddd3
--- /dev/null
+++ b/strict/domains/program/cvs.te
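Review bot: `allow amanda_t file_type:sock_file getattr;` and `allow amanda_t { fs_type file_type }:dir {getattr read search };` turn what were dontaudit suppressions (autofs_t, nfs_t, sysfs_t, security_t and the others deleted here) into grants, so amanda_t can now list every filesystem type's directories, not merely have the denials silenced; that is what the new comment describes, but it is a real widening and the comment should say that listing (`read`) is needed, not just "look at". The two new comments also drop the `# ` spacing used everywhere else in the file; suggest `# amanda lists fs_type directories (getattr/read/search) to decide what to back up` and `# amanda stats fifo files while walking the tree`. The bonobo.te addition on this line is a type declaration only.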
@@ -0,0 +1,28 @@ +#DESC cvs - Concurrent Versions System +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the cvs_t domain. +# +# cvs_exec_t is the type of the cvs executable. +# + +inetd_child_domain(cvs, tcp) +typeattribute cvs_t privmail; +typeattribute cvs_t auth_chkpwd; + +type cvs_data_t, file_type, sysadmfile, customizable; +create_dir_file(cvs_t, cvs_data_t) +can_exec(cvs_t, { bin_t sbin_t shell_exec_t }) +allow cvs_t bin_t:dir search; +allow cvs_t { bin_t sbin_t }:lnk_file read; +allow cvs_t etc_runtime_t:file { getattr read }; +allow system_mail_t cvs_data_t:file { getattr read }; +dontaudit cvs_t devtty_t:chr_file { read write }; +# Allow kerberos to work +allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms; +dontaudit cvs_t krb5_conf_t:file write; diff --git a/strict/domains/program/ddcprobe.te b/strict/domains/program/ddcprobe.te new file mode 100644 index 0000000..4087126 --- /dev/null +++ b/strict/domains/program/ddcprobe.te 
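Review bot: `can_exec(cvs_t, { bin_t sbin_t shell_exec_t })` lets a domain reachable from the network through `inetd_child_domain(cvs, tcp)` execute any bin_t/sbin_t binary and a shell, and `typeattribute cvs_t auth_chkpwd;` adds system password checking, yet neither carries a comment. Presumably the exec breadth is for pserver commit/loginfo hook scripts; if so, say it, e.g. `# pserver runs repository hook scripts, which need a shell and the usual /usr/bin tools` and `# pserver authenticates against the system password database`. `dontaudit cvs_t krb5_conf_t:file write;` likewise deserves a one-line reason, since a silent dontaudit on a config file is easy to mistake for a grant later. The ddcprobe.te header at the end of this line has its hunk on the next line.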
@@ -0,0 +1,42 @@
+#DESC ddcprobe - output ddcprobe results from kudzu
+#
+# Author: dan walsh
+#
+
+type ddcprobe_t, domain, privmem;
+type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
+
+# Allow execution by the sysadm
+role sysadm_r types ddcprobe_t;
+role system_r types ddcprobe_t;
+domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
+
+uses_shlib(ddcprobe_t)
+
+# Allow terminal access
+access_terminal(ddcprobe_t, sysadm)
+
+# Allow ddcprobe to read /dev/mem
+allow ddcprobe_t memory_device_t:chr_file read;
+allow ddcprobe_t memory_device_t:chr_file { execute write };
+allow ddcprobe_t self:process execmem;
+allow ddcprobe_t zero_device_t:chr_file { execute read };
+
+allow ddcprobe_t proc_t:dir search;
+allow ddcprobe_t proc_t:file { getattr read };
+can_exec(ddcprobe_t, sbin_t)
+allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
+allow ddcprobe_t userdomain:fd use;
+read_sysctl(ddcprobe_t)
+allow ddcprobe_t urandom_device_t:chr_file { getattr read };
+allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
+allow ddcprobe_t self:capability { sys_rawio sys_admin };
+
+allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
+allow ddcprobe_t kudzu_exec_t:file getattr;
+allow ddcprobe_t lib_t:file { getattr read };
+read_locale(ddcprobe_t)
+allow ddcprobe_t modules_object_t:dir search;
+allow ddcprobe_t modules_dep_t:file { getattr read };
+allow ddcprobe_t usr_t:file { getattr read };
+allow ddcprobe_t kernel_t:system syslog_console;
diff --git a/strict/domains/program/ethereal.te b/strict/domains/program/ethereal.te
new file mode 100644
index 0000000..a56d321
--- /dev/null
+++ b/strict/domains/program/ethereal.te
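Review bot: The comment `# Allow ddcprobe to read /dev/mem` is contradicted by the very next line, `allow ddcprobe_t memory_device_t:chr_file { execute write };`, and together with `self:process execmem`, `zero_device_t:chr_file { execute read }` and `self:capability { sys_rawio sys_admin }` this is a domain with near-total hardware access, which the header should state plainly. Presumably the write/execute pair exists because ddcprobe runs the video BIOS through a real-mode emulator that maps /dev/mem read-write and /dev/zero executable; if so, `# ddcprobe maps /dev/mem read/write and /dev/zero executable to run the video BIOS in real mode` is the comment to put there, and if write is not actually exercised it should be dropped. `allow ddcprobe_t userdomain:fd use;` is also broader than the sysadm_t-only transition above suggests.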
@@ -0,0 +1,48 @@ +# DESC - Ethereal +# +# Author: Ivan Gyurdiev +# + +# Type for executables +type tethereal_exec_t, file_type, exec_type, sysadmfile; +type ethereal_exec_t, file_type, exec_type, sysadmfile; + +######################################################## +# Tethereal +# + +# Type for program +type tethereal_t, domain, nscd_client_domain; + +# Transition from sysadm type +domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t) +role sysadm_r types tethereal_t; + +uses_shlib(tethereal_t) +read_locale(tethereal_t) + +# Terminal output +access_terminal(tethereal_t, sysadm) + +# /proc +read_sysctl(tethereal_t) +allow tethereal_t { self proc_t }:dir { read search getattr }; +allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr }; + +# Access root +allow tethereal_t root_t:dir search; + +# Read ethereal files in /usr +allow tethereal_t usr_t:file { read getattr }; + +# /etc/nsswitch.conf +allow tethereal_t etc_t:file { read getattr }; + +# Ethereal sysadm rules +ethereal_networking(tethereal) + +# FIXME: policy is incomplete + +##################################### +# Ethereal (GNOME) policy can be found +# in ethereal_macros.te diff --git a/strict/domains/program/evolution.te b/strict/domains/program/evolution.te new file mode 100644 index 0000000..c8a045e --- /dev/null +++ b/strict/domains/program/evolution.te @@ -0,0 +1,14 @@ +# DESC - Evolution +# +# Author: Ivan Gyurdiev +# + +# Type for executables +type evolution_exec_t, file_type, exec_type, sysadmfile; +type evolution_server_exec_t, file_type, exec_type, sysadmfile; +type evolution_webcal_exec_t, file_type, exec_type, sysadmfile; +type evolution_alarm_exec_t, file_type, exec_type, sysadmfile; +type evolution_exchange_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/evolution_macros.te +bool disable_evolution_trans false; diff --git a/strict/domains/program/fontconfig.te b/strict/domains/program/fontconfig.te new file mode 100644 index 0000000..836470a 
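Review bot: `bool disable_evolution_trans false;` is declared without a comment describing what toggling it does, and the same pattern appears for thunderbird later in this commit; presumably true means the program stays in the invoking user domain rather than transitioning, so `# when true, evolution runs in the caller's domain instead of its own (confirm against evolution_macros.te)` would document it. In ethereal.te, `# FIXME: policy is incomplete` is carried into the enabled domains directory for a sysadm-launched packet-capture tool; the marker should name what is known to be missing so it is actionable rather than decorative. The tethereal_t rules themselves are read-only apart from the networking macro, whose contents are not visible here.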
--- /dev/null +++ b/strict/domains/program/fontconfig.te @@ -0,0 +1,7 @@ +# +# Fontconfig related types +# +# Author: Ivan Gyurdiev +# + +# Look in fontconfig_macros.te diff --git a/strict/domains/program/gconf.te b/strict/domains/program/gconf.te new file mode 100644 index 0000000..e4dfa4b --- /dev/null +++ b/strict/domains/program/gconf.te @@ -0,0 +1,12 @@ +# DESC - GConf preference daemon +# +# Author: Ivan Gyurdiev +# + +# Type for executable +type gconfd_exec_t, file_type, exec_type, sysadmfile; + +# Type for /etc files +type gconf_etc_t, file_type, sysadmfile; + +# Everything else is in macros/gconfd_macros.te diff --git a/strict/domains/program/gnome.te b/strict/domains/program/gnome.te new file mode 100644 index 0000000..b45ea8e --- /dev/null +++ b/strict/domains/program/gnome.te @@ -0,0 +1,7 @@ +# +# GNOME related types +# +# Author: Ivan Gyurdiev +# + +# Look in gnome_macros.te diff --git a/strict/domains/program/gnome_vfs.te b/strict/domains/program/gnome_vfs.te new file mode 100644 index 0000000..d4cabb6 --- /dev/null +++ b/strict/domains/program/gnome_vfs.te @@ -0,0 +1,9 @@ +# DESC - GNOME VFS Daemon +# +# Author: Ivan Gyurdiev +# + +# Type for executable +type gnome_vfs_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/gnome_vfs_macros.te diff --git a/strict/domains/program/iceauth.te b/strict/domains/program/iceauth.te new file mode 100644 index 0000000..f41ad9e --- /dev/null +++ b/strict/domains/program/iceauth.te @@ -0,0 +1,12 @@ +#DESC ICEauth - ICE authority file utility +# +# Domains for the iceauth program. +# +# Author: Ivan Gyurdiev +# +# iceauth_exec_t is the type of the xauth executable. +# +type iceauth_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in the iceauth_domain macro in +# macros/program/iceauth_macros.te. diff --git a/strict/domains/program/openct.te b/strict/domains/program/openct.te new file mode 100644 index 0000000..244fc2f --- /dev/null +++ b/strict/domains/program/openct.te 
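Review bot: In iceauth.te the header says `# iceauth_exec_t is the type of the xauth executable.` but the type declared is for iceauth, so the line looks copied from the xauth policy; it should read `# iceauth_exec_t is the type of the iceauth executable.`. The remaining files on this line (fontconfig, gconf, gnome, gnome_vfs) are type declarations and pointers to macro files and need no change.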
@@ -0,0 +1,16 @@ +#DESC openct - read files in page cache +# +# Author: Dan Walsh (dwalsh@redhat.com) +# + +################################# +# +# Declarations for openct +# + +daemon_domain(openct) +# +# openct asks for these +# +rw_dir_file(openct_t, usbfs_t) +allow openct_t etc_t:file r_file_perms; diff --git a/strict/domains/program/orbit.te b/strict/domains/program/orbit.te new file mode 100644 index 0000000..dad353b --- /dev/null +++ b/strict/domains/program/orbit.te @@ -0,0 +1,7 @@ +# +# ORBit related types +# +# Author: Ivan Gyurdiev +# + +# Look in orbit_macros.te diff --git a/strict/domains/program/thunderbird.te b/strict/domains/program/thunderbird.te new file mode 100644 index 0000000..c640f87 --- /dev/null +++ b/strict/domains/program/thunderbird.te @@ -0,0 +1,10 @@ +# DESC - Thunderbird +# +# Author: Ivan Gyurdiev +# + +# Type for executables +type thunderbird_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/thunderbird_macros.te +bool disable_thunderbird_trans false; diff --git a/strict/domains/program/unused/backup.te b/strict/domains/program/unused/backup.te index 89c5171..628527d 100644 --- a/strict/domains/program/unused/backup.te +++ b/strict/domains/program/unused/backup.te @@ -16,7 +16,9 @@ type backup_store_t, file_type, sysadmfile; role system_r types backup_t; role sysadm_r types backup_t; +ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, backup_exec_t, backup_t) +') allow backup_t privfd:fd use; ifdef(`crond.te', ` system_crond_entry(backup_exec_t, backup_t) diff --git a/strict/domains/program/unused/bonobo.te b/strict/domains/program/unused/bonobo.te deleted file mode 100644 index c23f1d2..0000000 --- a/strict/domains/program/unused/bonobo.te +++ /dev/null @@ -1,9 +0,0 @@ -# DESC - Bonobo Activation Server -# -# Author: Ivan Gyurdiev -# - -# Type for executable -type bonobo_exec_t, file_type, exec_type, sysadmfile; - -# Everything else is in macros/bonobo_macros.te 
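Review bot: The header `#DESC openct - read files in page cache` does not describe OpenCT, which is smart-card terminal middleware; the wording appears copied from another daemon's description and should be `#DESC openct - smart card terminal middleware daemon`. The comment `# openct asks for these` above `rw_dir_file(openct_t, usbfs_t)` says only that the daemon wanted the access, not why; `# openct-control enumerates and drives USB card readers through usbfs` would be more useful (confirm it is the control program and not a per-reader helper that needs it). In backup.te the new `ifdef(`targeted_policy', ...)` guard around the sysadm transition is fine, but a comment stating that targeted policy has no sysadm_t would save the next reader a lookup.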
diff --git a/strict/domains/program/unused/cvs.te b/strict/domains/program/unused/cvs.te deleted file mode 100644 index 324ddd3..0000000 --- a/strict/domains/program/unused/cvs.te +++ /dev/null @@ -1,28 +0,0 @@ -#DESC cvs - Concurrent Versions System -# -# Author: Dan Walsh -# -# Depends: inetd.te - -################################# -# -# Rules for the cvs_t domain. -# -# cvs_exec_t is the type of the cvs executable. -# - -inetd_child_domain(cvs, tcp) -typeattribute cvs_t privmail; -typeattribute cvs_t auth_chkpwd; - -type cvs_data_t, file_type, sysadmfile, customizable; -create_dir_file(cvs_t, cvs_data_t) -can_exec(cvs_t, { bin_t sbin_t shell_exec_t }) -allow cvs_t bin_t:dir search; -allow cvs_t { bin_t sbin_t }:lnk_file read; -allow cvs_t etc_runtime_t:file { getattr read }; -allow system_mail_t cvs_data_t:file { getattr read }; -dontaudit cvs_t devtty_t:chr_file { read write }; -# Allow kerberos to work -allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms; -dontaudit cvs_t krb5_conf_t:file write; diff --git a/strict/domains/program/unused/ddcprobe.te b/strict/domains/program/unused/ddcprobe.te deleted file mode 100644 index 4087126..0000000 --- a/strict/domains/program/unused/ddcprobe.te +++ /dev/null 
@@ -1,42 +0,0 @@ -#DESC ddcprobe - output ddcprobe results from kudzu -# -# Author: dan walsh -# - -type ddcprobe_t, domain, privmem; -type ddcprobe_exec_t, file_type, exec_type, sysadmfile; - -# Allow execution by the sysadm -role sysadm_r types ddcprobe_t; -role system_r types ddcprobe_t; -domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t) - -uses_shlib(ddcprobe_t) - -# Allow terminal access -access_terminal(ddcprobe_t, sysadm) - -# Allow ddcprobe to read /dev/mem -allow ddcprobe_t memory_device_t:chr_file read; -allow ddcprobe_t memory_device_t:chr_file { execute write }; -allow ddcprobe_t self:process execmem; -allow ddcprobe_t zero_device_t:chr_file { execute read }; - -allow ddcprobe_t proc_t:dir search; -allow ddcprobe_t proc_t:file { getattr read }; -can_exec(ddcprobe_t, sbin_t) -allow ddcprobe_t user_tty_type:chr_file rw_file_perms; -allow ddcprobe_t userdomain:fd use; -read_sysctl(ddcprobe_t) -allow ddcprobe_t urandom_device_t:chr_file { getattr read }; -allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms; -allow ddcprobe_t self:capability { sys_rawio sys_admin }; - -allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read }; -allow ddcprobe_t kudzu_exec_t:file getattr; -allow ddcprobe_t lib_t:file { getattr read }; -read_locale(ddcprobe_t) -allow ddcprobe_t modules_object_t:dir search; -allow ddcprobe_t modules_dep_t:file { getattr read }; -allow ddcprobe_t usr_t:file { getattr read }; -allow ddcprobe_t kernel_t:system syslog_console; diff --git a/strict/domains/program/unused/ethereal.te b/strict/domains/program/unused/ethereal.te deleted file mode 100644 index a56d321..0000000 --- a/strict/domains/program/unused/ethereal.te +++ /dev/null 
@@ -1,48 +0,0 @@ -# DESC - Ethereal -# -# Author: Ivan Gyurdiev -# - -# Type for executables -type tethereal_exec_t, file_type, exec_type, sysadmfile; -type ethereal_exec_t, file_type, exec_type, sysadmfile; - -######################################################## -# Tethereal -# - -# Type for program -type tethereal_t, domain, nscd_client_domain; - -# Transition from sysadm type -domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t) -role sysadm_r types tethereal_t; - -uses_shlib(tethereal_t) -read_locale(tethereal_t) - -# Terminal output -access_terminal(tethereal_t, sysadm) - -# /proc -read_sysctl(tethereal_t) -allow tethereal_t { self proc_t }:dir { read search getattr }; -allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr }; - -# Access root -allow tethereal_t root_t:dir search; - -# Read ethereal files in /usr -allow tethereal_t usr_t:file { read getattr }; - -# /etc/nsswitch.conf -allow tethereal_t etc_t:file { read getattr }; - -# Ethereal sysadm rules -ethereal_networking(tethereal) - -# FIXME: policy is incomplete - -##################################### -# Ethereal (GNOME) policy can be found -# in ethereal_macros.te diff --git a/strict/domains/program/unused/evolution.te b/strict/domains/program/unused/evolution.te deleted file mode 100644 index c8a045e..0000000 --- a/strict/domains/program/unused/evolution.te +++ /dev/null @@ -1,14 +0,0 @@ -# DESC - Evolution -# -# Author: Ivan Gyurdiev -# - -# Type for executables -type evolution_exec_t, file_type, exec_type, sysadmfile; -type evolution_server_exec_t, file_type, exec_type, sysadmfile; -type evolution_webcal_exec_t, file_type, exec_type, sysadmfile; -type evolution_alarm_exec_t, file_type, exec_type, sysadmfile; -type evolution_exchange_exec_t, file_type, exec_type, sysadmfile; - -# Everything else is in macros/evolution_macros.te -bool disable_evolution_trans false; 
diff --git a/strict/domains/program/unused/fontconfig.te b/strict/domains/program/unused/fontconfig.te deleted file mode 100644 index 836470a..0000000 --- a/strict/domains/program/unused/fontconfig.te +++ /dev/null @@ -1,7 +0,0 @@ -# -# Fontconfig related types -# -# Author: Ivan Gyurdiev -# - -# Look in fontconfig_macros.te diff --git a/strict/domains/program/unused/gconf.te b/strict/domains/program/unused/gconf.te deleted file mode 100644 index e4dfa4b..0000000 --- a/strict/domains/program/unused/gconf.te +++ /dev/null @@ -1,12 +0,0 @@ -# DESC - GConf preference daemon -# -# Author: Ivan Gyurdiev -# - -# Type for executable -type gconfd_exec_t, file_type, exec_type, sysadmfile; - -# Type for /etc files -type gconf_etc_t, file_type, sysadmfile; - -# Everything else is in macros/gconfd_macros.te diff --git a/strict/domains/program/unused/gnome.te b/strict/domains/program/unused/gnome.te deleted file mode 100644 index b45ea8e..0000000 --- a/strict/domains/program/unused/gnome.te +++ /dev/null @@ -1,7 +0,0 @@ -# -# GNOME related types -# -# Author: Ivan Gyurdiev -# - -# Look in gnome_macros.te diff --git a/strict/domains/program/unused/gnome_vfs.te b/strict/domains/program/unused/gnome_vfs.te deleted file mode 100644 index d4cabb6..0000000 --- a/strict/domains/program/unused/gnome_vfs.te +++ /dev/null @@ -1,9 +0,0 @@ -# DESC - GNOME VFS Daemon -# -# Author: Ivan Gyurdiev -# - -# Type for executable -type gnome_vfs_exec_t, file_type, exec_type, sysadmfile; - -# Everything else is in macros/gnome_vfs_macros.te diff --git a/strict/domains/program/unused/iceauth.te b/strict/domains/program/unused/iceauth.te deleted file mode 100644 index f41ad9e..0000000 --- a/strict/domains/program/unused/iceauth.te +++ /dev/null 
@@ -1,12 +0,0 @@ -#DESC ICEauth - ICE authority file utility -# -# Domains for the iceauth program. -# -# Author: Ivan Gyurdiev -# -# iceauth_exec_t is the type of the xauth executable. -# -type iceauth_exec_t, file_type, exec_type, sysadmfile; - -# Everything else is in the iceauth_domain macro in -# macros/program/iceauth_macros.te. diff --git a/strict/domains/program/unused/orbit.te b/strict/domains/program/unused/orbit.te deleted file mode 100644 index dad353b..0000000 --- a/strict/domains/program/unused/orbit.te +++ /dev/null @@ -1,7 +0,0 @@ -# -# ORBit related types -# -# Author: Ivan Gyurdiev -# - -# Look in orbit_macros.te diff --git a/strict/domains/program/unused/thunderbird.te b/strict/domains/program/unused/thunderbird.te deleted file mode 100644 index c640f87..0000000 --- a/strict/domains/program/unused/thunderbird.te +++ /dev/null @@ -1,10 +0,0 @@ -# DESC - Thunderbird -# -# Author: Ivan Gyurdiev -# - -# Type for executables -type thunderbird_exec_t, file_type, exec_type, sysadmfile; - -# Everything else is in macros/thunderbird_macros.te -bool disable_thunderbird_trans false; diff --git a/strict/file_contexts/program/openct.fc b/strict/file_contexts/program/openct.fc new file mode 100644 index 0000000..43d656e --- /dev/null +++ b/strict/file_contexts/program/openct.fc @@ -0,0 +1,2 @@ +/usr/sbin/openct-control -- system_u:object_r:openct_exec_t +/var/run/openct(/.*)? system_u:object_r:openct_var_run_t diff --git a/strict/file_contexts/program/pegasus.fc b/strict/file_contexts/program/pegasus.fc new file mode 100644 index 0000000..d81b968 --- /dev/null +++ b/strict/file_contexts/program/pegasus.fc 
@@ -0,0 +1,11 @@ +# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver +/usr/sbin/cimserver -- system_u:object_r:pegasus_exec_t +/usr/sbin/cimconfig -- system_u:object_r:pegasus_conf_exec_t +/usr/sbin/cimuser -- system_u:object_r:pegasus_conf_exec_t +/usr/sbin/cimauth -- system_u:object_r:pegasus_conf_exec_t +/usr/sbin/init_repository -- system_u:object_r:pegasus_exec_t +/usr/lib(64)?/Pegasus/providers/.*\.so.* system_u:object_r:shlib_t +/etc/Pegasus(/.*)? system_u:object_r:pegasus_conf_t +/var/lib/Pegasus(/.*)? system_u:object_r:pegasus_data_t +/var/run/tog-pegasus(/.*)? system_u:object_r:pegasus_var_run_t +/usr/share/Pegasus/mof(/.*)?/.*\.mof system_u:object_r:pegasus_mof_t diff --git a/strict/file_contexts/program/readahead.fc b/strict/file_contexts/program/readahead.fc new file mode 100644 index 0000000..0755fef --- /dev/null +++ b/strict/file_contexts/program/readahead.fc @@ -0,0 +1 @@ +/usr/sbin/readahead -- system_u:object_r:readahead_exec_t diff --git a/strict/file_contexts/program/roundup.fc b/strict/file_contexts/program/roundup.fc new file mode 100644 index 0000000..99b2700 --- /dev/null +++ b/strict/file_contexts/program/roundup.fc @@ -0,0 +1,2 @@ +/usr/bin/roundup-server -- system_u:object_r:roundup_exec_t +/var/lib/roundup(/.*)? -- system_u:object_r:roundup_var_lib_t diff --git a/strict/file_contexts/program/yppasswdd.fc b/strict/file_contexts/program/yppasswdd.fc new file mode 100644 index 0000000..e390bd8 --- /dev/null +++ b/strict/file_contexts/program/yppasswdd.fc @@ -0,0 +1,2 @@ +# yppasswd +/usr/sbin/rpc.yppasswdd -- system_u:object_r:yppasswdd_exec_t
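Review bot: `/usr/share/Pegasus/mof(/.*)?/.*\.mof` contains a redundant optional group: `(/.*)?` followed by `/.*` matches exactly the same paths as `/usr/share/Pegasus/mof/.*\.mof`, so the shorter form is clearer. `/usr/lib(64)?/Pegasus/providers/.*\.so.*` labels provider modules shlib_t, which means a provider loaded by the cimserver is indistinguishable from any system library; that is acceptable if intended, but a comment such as `# providers are plain shared objects loaded into pegasus_t` would record the decision.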
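Review bot: `/var/lib/roundup(/.*)? -- system_u:object_r:roundup_var_lib_t` combines the `--` regular-file qualifier with a pattern that is meant to cover the directory tree, so `/var/lib/roundup` itself and every subdirectory will not receive roundup_var_lib_t and will keep the generic /var/lib label while only the files inside get the new type. Drop the qualifier, as the openct.fc and pegasus.fc directory entries in this commit do: `/var/lib/roundup(/.*)?	system_u:object_r:roundup_var_lib_t`.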