diff --git a/refpolicy/policy/modules/admin/usermanage.fc b/refpolicy/policy/modules/admin/usermanage.fc
new file mode 100644
index 0000000..695d17a
--- /dev/null
+++ b/refpolicy/policy/modules/admin/usermanage.fc
@@ -0,0 +1,28 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+/usr/bin/chage -- system_u:object_r:passwd_exec_t
+/usr/bin/chfn -- system_u:object_r:chfn_exec_t
+/usr/bin/chsh -- system_u:object_r:chfn_exec_t
+/usr/bin/gpasswd -- system_u:object_r:groupadd_exec_t
+/usr/bin/passwd -- system_u:object_r:passwd_exec_t
+/usr/bin/vigr -- system_u:object_r:admin_passwd_exec_t
+/usr/bin/vipw -- system_u:object_r:admin_passwd_exec_t
+
+/usr/lib(64)?/cracklib_dict.* -- system_u:object_r:crack_db_t
+
+/usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t
+/usr/sbin/gpasswd -- system_u:object_r:groupadd_exec_t
+/usr/sbin/groupadd -- system_u:object_r:groupadd_exec_t
+/usr/sbin/groupdel -- system_u:object_r:groupadd_exec_t
+/usr/sbin/groupmod -- system_u:object_r:groupadd_exec_t
+/usr/sbin/grpconv -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/grpunconv -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/pwconv -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/pwunconv -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/useradd -- system_u:object_r:useradd_exec_t
+/usr/sbin/userdel -- system_u:object_r:useradd_exec_t
+/usr/sbin/usermod -- system_u:object_r:useradd_exec_t
+/usr/sbin/vigr -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/vipw -- system_u:object_r:admin_passwd_exec_t
+
+/var/cache/cracklib(/.*)? system_u:object_r:crack_db_t
diff --git a/refpolicy/policy/modules/system/authlogin.fc b/refpolicy/policy/modules/system/authlogin.fc
new file mode 100644
index 0000000..22384ce
--- /dev/null
+++ b/refpolicy/policy/modules/system/authlogin.fc
@@ -0,0 +1,36 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+/bin/login -- system_u:object_r:login_exec_t
+
+/etc/\.pwd\.lock -- system_u:object_r:shadow_t
+/etc/group\.lock -- system_u:object_r:shadow_t
+/etc/gshadow.* -- system_u:object_r:shadow_t
+/etc/passwd\.lock -- system_u:object_r:shadow_t
+/etc/shadow.* -- system_u:object_r:shadow_t
+
+/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t
+
+/sbin/pam_console_apply -- system_u:object_r:pam_console_exec_t
+/sbin/pam_timestamp_check -- system_u:object_r:pam_exec_t
+/sbin/unix_chkpwd -- system_u:object_r:chkpwd_exec_t
+/sbin/unix_verify -- system_u:object_r:chkpwd_exec_t
+ifdef(`distro_suse', `
+/sbin/unix2_chkpwd -- system_u:object_r:chkpwd_exec_t
+')
+
+/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t
+
+/usr/sbin/utempter -- system_u:object_r:utempter_exec_t
+
+/var/db/shadow.* -- system_u:object_r:shadow_t
+
+/var/log/btmp.* -- system_u:object_r:faillog_t
+/var/log/dmesg -- system_u:object_r:var_log_t
+/var/log/faillog -- system_u:object_r:faillog_t
+/var/log/lastlog -- system_u:object_r:lastlog_t
+/var/log/syslog -- system_u:object_r:var_log_t
+/var/log/wtmp.* -- system_u:object_r:wtmp_t
+
+/var/run/console(/.*)? system_u:object_r:pam_var_console_t
+
+/var/run/sudo(/.*)? system_u:object_r:pam_var_run_t
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
new file mode 100644
index 0000000..67b7ef6
--- /dev/null
+++ b/refpolicy/policy/modules/system/corecommands.fc
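Review bot: `/var/log/dmesg` and `/var/log/syslog` are labelled `var_log_t` from authlogin.fc, while every other /var/log spec in this hunk carries an auth-specific type (faillog_t, lastlog_t, wtmp_t). Neither file is produced or consumed by the login/PAM programs labelled here, so these two entries look like they belong with whichever module declares var_log_t; if they must stay, a comment such as `# generic log files, not auth-specific; move once a logging module owns var_log_t` would stop the next reader from treating them as PAM state.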
@@ -0,0 +1,86 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+#
+# /bin
+#
+/bin(/.*)? system_u:object_r:bin_t
+/bin/d?ash -- system_u:object_r:shell_exec_t
+/bin/bash -- system_u:object_r:shell_exec_t
+/bin/bash2 -- system_u:object_r:shell_exec_t
+/bin/ls -- system_u:object_r:ls_exec_t
+/bin/sash -- system_u:object_r:shell_exec_t
+/bin/tcsh -- system_u:object_r:shell_exec_t
+/bin/zsh.* -- system_u:object_r:shell_exec_t
+
+#
+# /dev
+#
+/dev/MAKEDEV -- system_u:object_r:sbin_t
+
+#
+# /etc
+#
+/etc/hotplug/.*agent -- system_u:object_r:sbin_t
+/etc/hotplug/.*rc -- system_u:object_r:sbin_t
+
+/etc/hotplug/hotplug\.functions -- system_u:object_r:sbin_t
+
+/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t
+
+/etc/netplug\.d(/.*)? system_u:object_r:sbin_t
+
+ifdef(`targeted_policy', `
+/etc/X11/prefdm -- system_u:object_r:bin_t
+')
+
+#
+# /sbin
+#
+/sbin(/.*)? system_u:object_r:sbin_t
+/sbin/insmod_ksymoops_clean -- system_u:object_r:sbin_t
+
+#
+# /opt
+#
+/opt/.*/bin(/.*)? system_u:object_r:bin_t
+
+/opt/.*/libexec(/.*)? system_u:object_r:bin_t
+
+/opt/.*/sbin(/.*)? system_u:object_r:sbin_t
+
+#
+# /usr
+#
+ifdef(`distro_gentoo', `
+/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
+')
+
+/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t
+
+/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t
+
+/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
+
+/usr/lib(64)?/emacsen-common/.* system_u:object_r:bin_t
+
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
+
+/usr/libexec(/.*)?
system_u:object_r:bin_t
+
+/usr/sbin/sesh -- system_u:object_r:shell_exec_t
+
+/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
+/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
+
+/usr/share/mc/extfs/.* -- system_u:object_r:bin_t
+
+#
+# /var
+#
+/var/mailman/bin(/.*)? system_u:object_r:bin_t
+
+/var/ftp/bin(/.*)? system_u:object_r:bin_t
+/var/ftp/bin/ls -- system_u:object_r:ls_exec_t
diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc
new file mode 100644
index 0000000..84ea47c
--- /dev/null
+++ b/refpolicy/policy/modules/system/files.fc
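Review bot: The hotplug specs in the /etc section — `/etc/hotplug/.*agent`, `/etc/hotplug/.*rc` and `/etc/hotplug\.d/default/default.*` (all sbin_t) — overlap entries in hotplug.fc (`/etc/hotplug(/.*)?` hotplug_etc_t, `/etc/hotplug/firmware.agent` and `/etc/hotplug\.d/.*` hotplug_exec_t) and udev.fc (`/etc/hotplug\.d/default/udev.*` udev_helper_exec_t). Which label a given script ends up with is presumably decided by how the combined file_contexts is sorted and matched, not by anything visible in any of the three files, so the intended outcome should be written next to these lines, e.g. `# overlaps hotplug.fc and udev.fc; their more specific entries are expected to win — keep in sync`. The `/usr/libexec(/.*)?` spec being separated from its context across two lines looks like a rendering artifact of this page rather than a change to the entry.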
@@ -0,0 +1,157 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+#
+# /
+#
+/.* system_u:object_r:default_t
+/ -d system_u:object_r:root_t
+/\.journal <>
+
+#
+# /boot
+#
+/boot/\.journal <>
+
+/boot/lost\+found(/.*)? system_u:object_r:lost_found_t
+
+#
+# /etc
+#
+/etc(/.*)? system_u:object_r:etc_t
+/etc/\.fstab\.hal\..+ -- system_u:object_r:etc_runtime_t
+/etc/asound\.state -- system_u:object_r:etc_runtime_t
+/etc/blkid\.tab.* -- system_u:object_r:etc_runtime_t
+/etc/fstab\.REVOKE -- system_u:object_r:etc_runtime_t
+/etc/HOSTNAME -- system_u:object_r:etc_runtime_t
+/etc/ioctl\.save -- system_u:object_r:etc_runtime_t
+/etc/issue -- system_u:object_r:etc_runtime_t
+/etc/issue\.net -- system_u:object_r:etc_runtime_t
+/etc/localtime -l system_u:object_r:etc_t
+/etc/mtab -- system_u:object_r:etc_runtime_t
+/etc/motd -- system_u:object_r:etc_runtime_t
+/etc/nohotplug -- system_u:object_r:etc_runtime_t
+/etc/nologin.* -- system_u:object_r:etc_runtime_t
+
+/etc/init\.d/functions -- system_u:object_r:etc_t
+
+/etc/ptal/ptal-printd-like -- system_u:object_r:etc_runtime_t
+
+/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t
+
+/etc/sysconfig/hwconf -- system_u:object_r:etc_runtime_t
+/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t
+/etc/sysconfig/firstboot -- system_u:object_r:etc_runtime_t
+
+ifdef(`distro_gentoo', `
+/etc/profile\.env -- system_u:object_r:etc_runtime_t
+/etc/csh\.env -- system_u:object_r:etc_runtime_t
+/etc/env\.d/.* -- system_u:object_r:etc_runtime_t
+')
+
+#
+# /initrd
+#
+# initrd mount point, only used during boot
+/initrd -d system_u:object_r:root_t
+
+#
+# /lost+found
+#
+/lost\+found(/.*)? system_u:object_r:lost_found_t
+
+#
+# /media
+#
+# Mount points; do not relabel subdirectories, since
+# we don't want to change any removable media by default.
+/media(/[^/]*)? -d system_u:object_r:mnt_t
+/media/[^/]*/.* <>
+
+#
+# /mnt
+#
+/mnt(/[^/]*)? -d system_u:object_r:mnt_t
+/mnt/[^/]*/.* <>
+
+#
+# /opt
+#
+/opt(/.*)?
system_u:object_r:usr_t
+
+/opt/.*/var/lib(64)?(/.*)? system_u:object_r:var_lib_t
+
+#
+# /proc
+#
+/proc(/.*)? <>
+
+#
+# /selinux
+#
+/selinux(/.*)? <>
+
+#
+# /sys
+#
+/sys(/.*)? <>
+
+#
+# /tmp
+#
+/tmp -d system_u:object_r:tmp_t
+/tmp/.* <>
+/tmp/\.journal <>
+
+/tmp/lost\+found(/.*)? system_u:object_r:lost_found_t
+
+#
+# /usr
+#
+/usr(/.*)? system_u:object_r:usr_t
+/usr/\.journal <>
+
+/usr/lost\+found(/.*)? system_u:object_r:lost_found_t
+
+/usr/etc(/.*)? system_u:object_r:etc_t
+
+/usr/inclu.e(/.*)? system_u:object_r:usr_t
+
+/usr/local/\.journal <>
+/usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t
+
+/usr/share(/.*)?/lib(64)?(/.*)? system_u:object_r:usr_t
+
+/usr/src(/.*)? system_u:object_r:src_t
+
+/usr/tmp -d system_u:object_r:tmp_t
+/usr/tmp/.* <>
+
+#
+# /var
+#
+/var(/.*)? system_u:object_r:var_t
+/var/\.journal <>
+
+/var/lost\+found(/.*)? system_u:object_r:lost_found_t
+
+/var/db/.*\.db -- system_u:object_r:etc_t
+
+/var/ftp/etc(/.*)? system_u:object_r:etc_t
+
+/var/lib/nfs/rpc_pipefs(/.*)? <>
+
+/usr/local/etc(/.*)? system_u:object_r:etc_t
+
+/usr/local/src(/.*)? system_u:object_r:src_t
+
+/var/lock(/.*)? system_u:object_r:var_lock_t
+
+/var/run(/.*)? system_u:object_r:var_run_t
+/var/run/.*\.*pid <>
+
+/var/spool(/.*)? system_u:object_r:var_spool_t
+
+/var/tmp -d system_u:object_r:tmp_t
+/var/tmp/.* <>
+
+/var/tmp/vi\.recover -d system_u:object_r:tmp_t
diff --git a/refpolicy/policy/modules/system/hotplug.fc b/refpolicy/policy/modules/system/hotplug.fc
new file mode 100644
index 0000000..62fa976
--- /dev/null
+++ b/refpolicy/policy/modules/system/hotplug.fc
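Review bot: `/var/run/.*\.*pid <>` uses `\.*`, which matches zero or more literal dots, so the spec is equivalent to `/var/run/.*pid`: any path under /var/run whose name ends in the letters `pid` is exempted from relabelling, not only pid files. If pid files are the intent, the line should read `/var/run/.*\.pid <>`, the same `\.pid` form sysnetwork.fc uses for `/var/run/dhclient.*\.pid`. Separately, `/usr/local/etc(/.*)?` and `/usr/local/src(/.*)?` sit under the `# /var` heading between `/var/lib/nfs/rpc_pipefs` and `/var/lock`; they belong in the /usr section next to `/usr/src(/.*)?`.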
@@ -0,0 +1,12 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+/etc/hotplug(/.*)? system_u:object_r:hotplug_etc_t
+/etc/hotplug/firmware.agent -- system_u:object_r:hotplug_exec_t
+
+/etc/hotplug\.d/.* -- system_u:object_r:hotplug_exec_t
+
+/sbin/hotplug -- system_u:object_r:hotplug_exec_t
+/sbin/netplugd -- system_u:object_r:hotplug_exec_t
+
+/var/run/usb(/.*)? system_u:object_r:hotplug_var_run_t
+/var/run/hotplug(/.*)? system_u:object_r:hotplug_var_run_t
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
new file mode 100644
index 0000000..90c61fe
--- /dev/null
+++ b/refpolicy/policy/modules/system/init.fc
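Review bot: `/etc/hotplug/firmware.agent` leaves the dot unescaped, so the spec also matches names such as `firmware-agent` or `firmwareXagent`; every other literal dot in this file and in corecommands.fc (`hotplug\.d`, `hotplug\.functions`) is escaped. Change it to `/etc/hotplug/firmware\.agent -- system_u:object_r:hotplug_exec_t`. This line also overlaps corecommands.fc's `/etc/hotplug/.*agent -- system_u:object_r:sbin_t`; presumably the longer literal prefix here is what is meant to keep firmware.agent as hotplug_exec_t, which is worth a comment since neither file mentions the other.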
@@ -0,0 +1,64 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+#
+# /
+#
+ifdef(`distro_redhat', `
+/\.autofsck -- system_u:object_r:etc_runtime_t
+/halt -- system_u:object_r:etc_runtime_t
+')
+
+#
+# /etc
+#
+/etc/init\.d/.* -- system_u:object_r:initrc_exec_t
+
+/etc/rc\.d/rc -- system_u:object_r:initrc_exec_t
+/etc/rc\.d/rc\.sysinit -- system_u:object_r:initrc_exec_t
+/etc/rc\.d/rc\.local -- system_u:object_r:initrc_exec_t
+
+/etc/rc\.d/init\.d/.* -- system_u:object_r:initrc_exec_t
+
+ifdef(`targeted_policy', `', `
+/etc/X11/prefdm -- system_u:object_r:initrc_exec_t
+')
+
+#
+# /dev
+#
+/dev/initctl -p system_u:object_r:initctl_t
+
+#
+# /sbin
+#
+/sbin/init -- system_u:object_r:init_exec_t
+ifdef(`distro_gentoo', `
+/sbin/rc -- system_u:object_r:initrc_exec_t
+/sbin/runscript -- system_u:object_r:initrc_exec_t
+/sbin/runscript\.sh -- system_u:object_r:initrc_exec_t
+')
+
+#
+# /usr
+#
+/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
+/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
+
+#
+# /var
+#
+ifdef(`distro_gentoo', `
+/var/lib/init\.d(/.*)? system_u:object_r:initrc_state_t
+')
+
+/var/run/utmp -- system_u:object_r:initrc_var_run_t
+/var/run/runlevel\.dir system_u:object_r:initrc_var_run_t
+/var/run/random-seed -- system_u:object_r:initrc_var_run_t
+/var/run/setmixer_flag -- system_u:object_r:initrc_var_run_t
+
+ifdef(`distro_suse', `
+/var/run/sysconfig(/.*)? system_u:object_r:initrc_var_run_t
+/var/run/keymap -- system_u:object_r:initrc_var_run_t
+/var/run/numlock-on -- system_u:object_r:initrc_var_run_t
+')
+
diff --git a/refpolicy/policy/modules/system/iptables.fc b/refpolicy/policy/modules/system/iptables.fc
new file mode 100644
index 0000000..6957600
--- /dev/null
+++ b/refpolicy/policy/modules/system/iptables.fc
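Review bot: The targeted_policy ifdef in the /etc section labels `/etc/X11/prefdm` initrc_exec_t only in the non-targeted case, and the targeted case is handled silently by corecommands.fc (`/etc/X11/prefdm -- system_u:object_r:bin_t` under its own targeted_policy ifdef); neither file refers to the other. A comment on this block, e.g. `# targeted_policy: prefdm is labelled bin_t by corecommands.fc instead`, would keep the two halves from drifting when one is edited. The hunk also ends with an extra empty line after the distro_suse block, which the other new .fc files in this commit do not have.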
@@ -0,0 +1,9 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t
+/sbin/ipchains.* -- system_u:object_r:iptables_exec_t
+/sbin/iptables.* -- system_u:object_r:iptables_exec_t
+
+/usr/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t
+/usr/sbin/ipchains.* -- system_u:object_r:iptables_exec_t
+/usr/sbin/iptables.* -- system_u:object_r:iptables_exec_t
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
new file mode 100644
index 0000000..a4bab59
--- /dev/null
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -0,0 +1,50 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+#
+# /etc
+#
+/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t
+/etc/ld\.so\.preload -- system_u:object_r:ld_so_cache_t
+
+#
+# /lib(64)?
+#
+/lib(64)?(/.*)? system_u:object_r:lib_t
+/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+
+#
+# /opt
+#
+/opt/.*/lib(64)?(/.*)? system_u:object_r:lib_t
+/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+#
+# /usr
+#
+/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
+
+/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t
+
+/usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t
+/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+
+/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t
+
+/usr/lib/win32/.* -- system_u:object_r:shlib_t
+
+/usr/X11R6/lib/libGL\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t
+
+#
+# /var
+#
+/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t
+/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+/var/mailman/pythonlib(/.*)?/.*\.so(\..*)? -- system_u:object_r:shlib_t
diff --git a/refpolicy/policy/modules/system/locallogin.fc b/refpolicy/policy/modules/system/locallogin.fc
new file mode 100644
index 0000000..f30b68a
--- /dev/null
+++ b/refpolicy/policy/modules/system/locallogin.fc
@@ -0,0 +1,3 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+/sbin/sulogin -- system_u:object_r:sulogin_exec_t
diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc
new file mode 100644
index 0000000..2fb5a58
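Review bot: `/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t` in libraries.fc is the only ld.so spec without the `--` regular-file qualifier; its `/lib(64)?` counterpart three sections up carries it, so here a directory or symlink whose name matches would be typed ld_so_t as well. Suggested line: `/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t`. The texrel_shlib_t entries (HelixPlayer, java, nvidia, libGL, libXvMCNVIDIA) presumably single out libraries that need text relocations and therefore a more permissive mapping policy than shlib_t; a one-line comment at the top of the /usr section stating that would document why these vendors are treated differently.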
--- /dev/null
+++ b/refpolicy/policy/modules/system/miscfiles.fc
@@ -0,0 +1,55 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+#
+# /etc
+#
+/etc/localtime -- system_u:object_r:locale_t
+
+#
+# /opt
+#
+/opt/.*/man(/.*)? system_u:object_r:man_t
+
+#
+# /usr
+#
+/usr/lib/locale(/.*)? system_u:object_r:locale_t
+
+/usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t
+
+/usr/local/man(/.*)? system_u:object_r:man_t
+
+/usr/local/share/fonts(/.*)? system_u:object_r:fonts_t
+
+/usr/man(/.*)? system_u:object_r:man_t
+
+/usr/share/fonts(/.*)? system_u:object_r:fonts_t
+
+/usr/share/ghostscript/fonts(/.*)? system_u:object_r:fonts_t
+
+/usr/share/locale(/.*)? system_u:object_r:locale_t
+
+/usr/share/man(/.*)? system_u:object_r:man_t
+
+/usr/share/zoneinfo(/.*)? system_u:object_r:locale_t
+
+/usr/X11R6/lib/X11/fonts(/.*)? system_u:object_r:fonts_t
+
+/usr/X11R6/man(/.*)? system_u:object_r:man_t
+
+#
+# /var
+#
+ifdef(`distro_debian', `
+/var/lib/msttcorefonts(/.*)? system_u:object_r:fonts_t
+')
+
+/var/lib/texmf(/.*)? system_u:object_r:tetex_data_t
+
+/var/cache/fonts(/.*)? system_u:object_r:tetex_data_t
+
+/var/cache/man(/.*)? system_u:object_r:catman_t
+
+/var/catman(/.*)? system_u:object_r:catman_t
+
+/var/spool/texmf(/.*)? system_u:object_r:tetex_data_t
diff --git a/refpolicy/policy/modules/system/modutils.fc b/refpolicy/policy/modules/system/modutils.fc
new file mode 100644
index 0000000..0525164
--- /dev/null
+++ b/refpolicy/policy/modules/system/modutils.fc
@@ -0,0 +1,15 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+/etc/modules\.conf.* -- system_u:object_r:modules_conf_t
+/etc/modprobe\.conf.* -- system_u:object_r:modules_conf_t
+
+/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t
+
+/lib(64)?/modules/modprobe\.conf -- system_u:object_r:modules_conf_t
+
+/sbin/depmod.* -- system_u:object_r:depmod_exec_t
+/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t
+/sbin/insmod.* -- system_u:object_r:insmod_exec_t
+/sbin/modprobe.* -- system_u:object_r:insmod_exec_t
+/sbin/rmmod.* -- system_u:object_r:insmod_exec_t
+/sbin/update-modules -- system_u:object_r:update_modules_exec_t
diff --git a/refpolicy/policy/modules/system/selinux.fc b/refpolicy/policy/modules/system/selinux.fc
new file mode 100644
index 0000000..596f6a9
--- /dev/null
+++ b/refpolicy/policy/modules/system/selinux.fc
@@ -0,0 +1,40 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+#
+# /etc
+#
+/etc/selinux(/.*)? system_u:object_r:selinux_config_t
+
+/etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t
+
+/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t
+
+/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:policy_config_t
+
+/etc/selinux/([^/]*/)?src(/.*)? system_u:object_r:policy_src_t
+
+#
+# /root
+#
+/root/\.default_contexts -- system_u:object_r:default_context_t
+
+#
+# /sbin
+#
+/sbin/load_policy -- system_u:object_r:load_policy_exec_t
+/sbin/restorecon -- system_u:object_r:restorecon_exec_t
+
+#
+# /usr
+#
+/usr/bin/checkpolicy -- system_u:object_r:checkpolicy_exec_t
+/usr/bin/newrole -- system_u:object_r:newrole_exec_t
+
+/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
+
+/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
+/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
+
+ifdef(`distro_debian', `
+/usr/share/selinux(/.*)? system_u:object_r:policy_src_t
+')
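Review bot: selinux.fc and selinuxutil.fc are byte-identical — both index lines show blob 596f6a9 — so the same 40 specs for `/etc/selinux(/.*)?`, `/sbin/load_policy`, `/usr/bin/newrole` and the rest are shipped by two modules (selinuxutil.fc is the hunk that follows this one). Duplicate file_contexts entries are redundant at best, and if the two copies are later edited independently they will assign different labels to the policy store and to the trusted tools that load it, with the winner depending on file_contexts ordering rather than on either file. One of the two looks like a leftover from a rename; keeping only the copy whose .te module declares these types, or adding `# duplicated in selinuxutil.fc until the module rename is finished` at the top of the other, would make the intent explicit.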
diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc
new file mode 100644
index 0000000..596f6a9
--- /dev/null
+++ b/refpolicy/policy/modules/system/selinuxutil.fc
@@ -0,0 +1,40 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+#
+# /etc
+#
+/etc/selinux(/.*)? system_u:object_r:selinux_config_t
+
+/etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t
+
+/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t
+
+/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:policy_config_t
+
+/etc/selinux/([^/]*/)?src(/.*)? system_u:object_r:policy_src_t
+
+#
+# /root
+#
+/root/\.default_contexts -- system_u:object_r:default_context_t
+
+#
+# /sbin
+#
+/sbin/load_policy -- system_u:object_r:load_policy_exec_t
+/sbin/restorecon -- system_u:object_r:restorecon_exec_t
+
+#
+# /usr
+#
+/usr/bin/checkpolicy -- system_u:object_r:checkpolicy_exec_t
+/usr/bin/newrole -- system_u:object_r:newrole_exec_t
+
+/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
+
+/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
+/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
+
+ifdef(`distro_debian', `
+/usr/share/selinux(/.*)? system_u:object_r:policy_src_t
+')
diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc
new file mode 100644
index 0000000..3327046
--- /dev/null
+++ b/refpolicy/policy/modules/system/sysnetwork.fc
@@ -0,0 +1,47 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+#
+# /bin
+#
+/bin/ip -- system_u:object_r:ifconfig_exec_t
+
+#
+# /etc
+#
+/etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t
+/etc/dhclient-script -- system_u:object_r:dhcp_etc_t
+/etc/dhcpc.* system_u:object_r:dhcp_etc_t
+/etc/resolv\.conf.* -- system_u:object_r:net_conf_t
+/etc/yp\.conf.* -- system_u:object_r:net_conf_t
+
+/etc/dhcp3?/dhclient.* system_u:object_r:dhcp_etc_t
+
+#
+# /sbin
+#
+/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
+/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t
+/sbin/ethtool -- system_u:object_r:ifconfig_exec_t
+/sbin/ifconfig -- system_u:object_r:ifconfig_exec_t
+/sbin/ip -- system_u:object_r:ifconfig_exec_t
+/sbin/ipx_configure -- system_u:object_r:ifconfig_exec_t
+/sbin/ipx_interface -- system_u:object_r:ifconfig_exec_t
+/sbin/ipx_internal_net -- system_u:object_r:ifconfig_exec_t
+/sbin/iwconfig -- system_u:object_r:ifconfig_exec_t
+/sbin/mii-tool -- system_u:object_r:ifconfig_exec_t
+/sbin/pump -- system_u:object_r:dhcpc_exec_t
+/sbin/tc -- system_u:object_r:ifconfig_exec_t
+
+#
+# /usr
+#
+/usr/sbin/tc -- system_u:object_r:ifconfig_exec_t
+
+#
+# /var
+#
+/var/lib/dhcp3? -d system_u:object_r:dhcp_state_t
+/var/lib/dhcp3?/dhclient.* system_u:object_r:dhcpc_state_t
+
+/var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t
+/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t
diff --git a/refpolicy/policy/modules/system/udev.fc b/refpolicy/policy/modules/system/udev.fc
new file mode 100644
index 0000000..732d738
--- /dev/null
+++ b/refpolicy/policy/modules/system/udev.fc
@@ -0,0 +1,18 @@
+# udev
+
+/dev/\.udev\.tdb -- system_u:object_r:udev_tbl_t
+/dev/udev\.tbl -- system_u:object_r:udev_tbl_t
+
+/etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t
+
+/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
+
+/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t
+
+/sbin/start_udev -- system_u:object_r:udev_exec_t
+/sbin/udev -- system_u:object_r:udev_exec_t
+/sbin/udevd -- system_u:object_r:udev_exec_t
+/sbin/udevsend -- system_u:object_r:udev_exec_t
+/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
+
+/usr/bin/udevinfo -- system_u:object_r:udev_exec_t
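Review bot: udev.fc opens with `# udev` instead of the `# Copyright (C) 2005 Tresys Technology, LLC` header that every other new .fc file in this commit carries. If the file is under the same copyright the header should be added for consistency; if it was imported from elsewhere, a comment naming its origin would explain the difference. The `/etc/hotplug\.d/default/udev.*` entry also overlaps corecommands.fc's `/etc/hotplug\.d/default/default.*` and hotplug.fc's `/etc/hotplug\.d/.*`, so a short comment saying which module is expected to own scripts in that directory would help the next reader.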