Diffstat (limited to 'policy/modules/apps')
144 files changed, 14351 insertions, 0 deletions
diff --git a/policy/modules/apps/ada.fc b/policy/modules/apps/ada.fc
new file mode 100644
index 00000000..f1502de8
--- /dev/null
+++ b/policy/modules/apps/ada.fc
@@ -0,0 +1,5 @@
+/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0)
+
+/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if
new file mode 100644
index 00000000..e514e8a9
--- /dev/null
+++ b/policy/modules/apps/ada.if
@@ -0,0 +1,45 @@
+## <summary>GNAT Ada95 compiler.</summary>
+
+########################################
+## <summary>
+## Execute the ada program in the ada domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ada_domtrans',`
+ gen_require(`
+ type ada_t, ada_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ada_exec_t, ada_t)
+')
+
+########################################
+## <summary>
+## Execute ada in the ada domain, and
+## allow the specified role the ada domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ada_run',`
+ gen_require(`
+ attribute_role ada_roles;
+ ')
+
+ ada_domtrans($1)
+ roleattribute $2 ada_roles;
+')
diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te
new file mode 100644
index 00000000..8d42c97a
--- /dev/null
+++ b/policy/modules/apps/ada.te
@@ -0,0 +1,27 @@
+policy_module(ada, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ada_roles;
+roleattribute system_r ada_roles;
+
+type ada_t;
+type ada_exec_t;
+application_domain(ada_t, ada_exec_t)
+role ada_roles types ada_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ada_t self:process { execstack execmem };
+
+userdom_use_user_terminals(ada_t)
+
+optional_policy(`
+ unconfined_domain(ada_t)
+')
diff --git a/policy/modules/apps/awstats.fc b/policy/modules/apps/awstats.fc
new file mode 100644
index 00000000..11e6d5ff
--- /dev/null
+++ b/policy/modules/apps/awstats.fc
@@ -0,0 +1,5 @@
+/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+
+/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if
new file mode 100644
index 00000000..e86fe87f
--- /dev/null
+++ b/policy/modules/apps/awstats.if
@@ -0,0 +1,21 @@
+## <summary>Log file analyzer for advanced statistics.</summary>
+
+########################################
+## <summary>
+## Execute the awstats program in
+## the awstats domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`awstats_domtrans',`
+ gen_require(`
+ type awstats_t, awstats_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, awstats_exec_t, awstats_t)
+')
diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
new file mode 100644
index 00000000..c1b16c39
--- /dev/null
+++ b/policy/modules/apps/awstats.te
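Review bot: The trailing `optional_policy(\` unconfined_domain(ada_t) ')` in ada.te makes ada_t fully unconfined whenever the unconfined module is loaded, so on such builds the `allow ada_t self:process { execstack execmem };` rule and the rest of the module are subsumed and the domain provides no confinement at all. Neither line carries a comment saying so, and a reader is likely to take the execstack/execmem rule as the whole of what ada_t can do. Suggest a comment above the allow rule naming which GNAT component needs an executable stack and heap (hedged as a TODO if that is not known), and `# ada_t is unconfined whenever the unconfined module is present; the rules above only bound it on builds without that module` above the optional_policy block.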
@@ -0,0 +1,98 @@
+policy_module(awstats, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether awstats can
+## purge httpd log files.
+## </p>
+## </desc>
+gen_tunable(awstats_purge_apache_log_files, false)
+
+type awstats_t;
+type awstats_exec_t;
+domain_type(awstats_t)
+domain_entry_file(awstats_t, awstats_exec_t)
+role system_r types awstats_t;
+
+type awstats_tmp_t;
+files_tmp_file(awstats_tmp_t)
+
+type awstats_var_lib_t;
+files_type(awstats_var_lib_t)
+
+apache_content_template(awstats)
+
+########################################
+#
+# Local policy
+#
+
+allow awstats_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+
+allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms;
+
+can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
+
+kernel_dontaudit_read_system_state(awstats_t)
+
+corecmd_exec_bin(awstats_t)
+corecmd_exec_shell(awstats_t)
+
+dev_read_urand(awstats_t)
+
+files_dontaudit_search_all_mountpoints(awstats_t)
+files_read_etc_files(awstats_t)
+files_read_usr_files(awstats_t)
+
+fs_list_inotifyfs(awstats_t)
+
+libs_read_lib_files(awstats_t)
+
+logging_read_generic_logs(awstats_t)
+
+miscfiles_read_localization(awstats_t)
+
+sysnet_dns_name_resolve(awstats_t)
+
+tunable_policy(`awstats_purge_apache_log_files',`
+ apache_write_log(awstats_t)
+')
+
+optional_policy(`
+ apache_read_log(awstats_t)
+')
+
+optional_policy(`
+ cron_system_entry(awstats_t, awstats_exec_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(awstats_t)
+')
+
+optional_policy(`
+ squid_read_log(awstats_t)
+')
+
+########################################
+#
+# CGI local policy
+#
+
+allow httpd_awstats_script_t 
awstats_var_lib_t:dir list_dir_perms;
+
+read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(httpd_awstats_script_t)
+
+apache_read_log(httpd_awstats_script_t)
diff --git a/policy/modules/apps/calamaris.fc b/policy/modules/apps/calamaris.fc
new file mode 100644
index 00000000..1bf35dbb
--- /dev/null
+++ b/policy/modules/apps/calamaris.fc
@@ -0,0 +1,5 @@
+/etc/cron\.daily/calamaris -- gen_context(system_u:object_r:calamaris_exec_t,s0)
+
+/var/log/calamaris(/.*)? gen_context(system_u:object_r:calamaris_log_t,s0)
+
+/var/www/calamaris(/.*)? gen_context(system_u:object_r:calamaris_www_t,s0)
diff --git a/policy/modules/apps/calamaris.if b/policy/modules/apps/calamaris.if
new file mode 100644
index 00000000..cd9c5287
--- /dev/null
+++ b/policy/modules/apps/calamaris.if
@@ -0,0 +1,101 @@
+## <summary>Squid log analysis.</summary>
+
+########################################
+## <summary>
+## Execute the calamaris in
+## the calamaris domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`calamaris_domtrans',`
+ gen_require(`
+ type calamaris_t, calamaris_exec_t;
+ ')
+
+ files_search_etc($1)
+ domtrans_pattern($1, calamaris_exec_t, calamaris_t)
+')
+
+########################################
+## <summary>
+## Execute calamaris in the
+## calamaris domain, and allow the
+## specified role the calamaris domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`calamaris_run',`
+ gen_require(`
+ attribute_role calamaris_roles;
+ ')
+
+ lightsquid_domtrans($1)
+ roleattribute $2 calamaris_roles;
+')
+
+#######################################
+## <summary>
+## Read calamaris www files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`calamaris_read_www_files',`
+ gen_require(`
+ type calamaris_www_t;
+ ')
+
+ allow $1 calamaris_www_t:dir list_dir_perms;
+ read_files_pattern($1, calamaris_www_t, calamaris_www_t)
+ read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an calamaris environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access. 
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`calamaris_admin',`
+ gen_require(`
+ type calamaris_t, calamaris_log_t, calamaris_www_t;
+ ')
+
+ allow $1 calamaris_t:process { ptrace signal_perms };
+ ps_process_pattern($1, calamaris_t)
+
+ calamaris_run($1, $2)
+
+ logging_list_logs($1)
+ admin_pattern($1, calamaris_log_t)
+
+ apache_list_sys_content($1)
+ admin_pattern($1, calamaris_www_t)
+')
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
new file mode 100644
index 00000000..7e574604
--- /dev/null
+++ b/policy/modules/apps/calamaris.te
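Review bot: `calamaris_run` calls `lightsquid_domtrans($1)` where it should call `calamaris_domtrans($1)`, so the role interface never transitions callers into calamaris_t and instead silently depends on the lightsquid module, which its gen_require block does not declare. `calamaris_admin` inherits the same wrong transition through `calamaris_run($1, $2)`, so an administrator role granted via this file would be able to run lightsquid but not calamaris. Replace the line with `calamaris_domtrans($1)`.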
@@ -0,0 +1,73 @@
+policy_module(calamaris, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role calamaris_roles;
+
+type calamaris_t;
+type calamaris_exec_t;
+application_domain(calamaris_t, calamaris_exec_t)
+role calamaris_roles types calamaris_t;
+
+type calamaris_log_t;
+logging_log_file(calamaris_log_t)
+
+type calamaris_www_t;
+files_type(calamaris_www_t)
+
+########################################
+#
+# Local policy
+#
+
+allow calamaris_t self:capability dac_override;
+allow calamaris_t self:process { signal_perms setsched };
+allow calamaris_t self:fifo_file rw_fifo_file_perms;
+allow calamaris_t self:unix_stream_socket { accept listen };
+allow calamaris_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)
+manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)
+logging_log_filetrans(calamaris_t, calamaris_log_t, { dir file })
+
+manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
+manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
+
+kernel_read_all_sysctls(calamaris_t)
+kernel_read_system_state(calamaris_t)
+
+corecmd_exec_bin(calamaris_t)
+
+dev_read_urand(calamaris_t)
+
+files_read_usr_files(calamaris_t)
+files_read_etc_runtime_files(calamaris_t)
+
+libs_read_lib_files(calamaris_t)
+
+auth_use_nsswitch(calamaris_t)
+
+logging_send_syslog_msg(calamaris_t)
+
+miscfiles_read_localization(calamaris_t)
+
+userdom_dontaudit_list_user_home_dirs(calamaris_t)
+
+optional_policy(`
+ apache_search_sys_content(calamaris_t)
+')
+
+optional_policy(`
+ cron_system_entry(calamaris_t, calamaris_exec_t)
+')
+
+optional_policy(`
+ mta_send_mail(calamaris_t)
+')
+
+optional_policy(`
+ squid_read_log(calamaris_t)
+')
diff --git a/policy/modules/apps/cdrecord.fc b/policy/modules/apps/cdrecord.fc
new file mode 100644
index 00000000..819562d0
--- /dev/null
+++ b/policy/modules/apps/cdrecord.fc
@@ -0,0 +1,3 @@
+/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
new file mode 100644
index 00000000..fbc20f69
--- /dev/null
+++ b/policy/modules/apps/cdrecord.if
@@ -0,0 +1,32 @@
+## <summary>Record audio or data Compact Discs from a master.</summary>
+
+########################################
+## <summary>
+## Role access for cdrecord.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`cdrecord_role',`
+ gen_require(`
+ attribute_role cdrecord_roles;
+ type cdrecord_t, cdrecord_exec_t;
+ ')
+
+ roleattribute $1 cdrecord_roles;
+
+ domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
+
+ allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
+
+ allow $2 cdrecord_t:process { ptrace signal_perms };
+ ps_process_pattern($2, cdrecord_t)
+')
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
new file mode 100644
index 00000000..4af7717a
--- /dev/null
+++ b/policy/modules/apps/cdrecord.te
@@ -0,0 +1,115 @@
+policy_module(cdrecord, 2.6.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether cdrecord can read
+## various content. nfs, samba, removable
+## devices, user temp and untrusted
+## content files
+## </p>
+## </desc>
+gen_tunable(cdrecord_read_content, false)
+
+attribute_role cdrecord_roles;
+
+type cdrecord_t;
+type cdrecord_exec_t;
+typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };
+typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t };
+userdom_user_application_domain(cdrecord_t, cdrecord_exec_t)
+role cdrecord_roles types cdrecord_t;
+
+########################################
+#
+# Local policy
+#
+
+allow cdrecord_t self:capability { dac_override ipc_lock setuid sys_nice sys_rawio };
+allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
+allow cdrecord_t self:unix_stream_socket { accept listen };
+
+corecmd_exec_bin(cdrecord_t)
+
+dev_list_all_dev_nodes(cdrecord_t)
+dev_read_sysfs(cdrecord_t)
+
+domain_interactive_fd(cdrecord_t)
+domain_use_interactive_fds(cdrecord_t)
+
+files_read_etc_files(cdrecord_t)
+
+term_use_controlling_term(cdrecord_t)
+term_list_ptys(cdrecord_t)
+
+storage_raw_read_removable_device(cdrecord_t)
+storage_raw_write_removable_device(cdrecord_t)
+storage_write_scsi_generic(cdrecord_t)
+
+logging_send_syslog_msg(cdrecord_t)
+
+miscfiles_read_localization(cdrecord_t)
+
+userdom_use_user_terminals(cdrecord_t)
+userdom_read_user_home_content_files(cdrecord_t)
+
+tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_nfs_files(cdrecord_t)
+ fs_dontaudit_list_nfs(cdrecord_t)
+')
+
+tunable_policy(`cdrecord_read_content && 
use_samba_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_cifs_files(cdrecord_t)
+ fs_read_cifs_symlinks(cdrecord_t)
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_cifs_files(cdrecord_t)
+ fs_dontaudit_list_cifs(cdrecord_t)
+')
+
+tunable_policy(`cdrecord_read_content',`
+ userdom_list_user_tmp(cdrecord_t)
+ userdom_read_user_tmp_files(cdrecord_t)
+ userdom_read_user_tmp_symlinks(cdrecord_t)
+ userdom_read_user_home_content_files(cdrecord_t)
+ userdom_read_user_home_content_symlinks(cdrecord_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(cdrecord_t)
+ fs_read_removable_files(cdrecord_t)
+ fs_read_removable_symlinks(cdrecord_t)
+ ')
+',`
+ files_dontaudit_list_tmp(cdrecord_t)
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_removable(cdrecord_t)
+ fs_dontaudit_read_removable_files(cdrecord_t)
+ userdom_dontaudit_list_user_tmp(cdrecord_t)
+ userdom_dontaudit_read_user_tmp_files(cdrecord_t)
+ userdom_dontaudit_list_user_home_dirs(cdrecord_t)
+ userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ files_search_mnt(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+')
+
+optional_policy(`
+ resmgr_stream_connect(cdrecord_t)
+')
diff --git a/policy/modules/apps/cpufreqselector.fc b/policy/modules/apps/cpufreqselector.fc
new file mode 100644
index 00000000..b187f0f7
--- /dev/null
+++ b/policy/modules/apps/cpufreqselector.fc
@@ -0,0 +1 @@
+/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0)
diff --git a/policy/modules/apps/cpufreqselector.if b/policy/modules/apps/cpufreqselector.if
new file mode 100644
index 00000000..932fa532
--- /dev/null
+++ b/policy/modules/apps/cpufreqselector.if
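Review bot: The final `tunable_policy(\`use_nfs_home_dirs',\` ... ')` block in cdrecord.te grants `fs_read_nfs_files(cdrecord_t)` and `fs_read_nfs_symlinks(cdrecord_t)` without reference to `cdrecord_read_content`, which makes the earlier `cdrecord_read_content && use_nfs_home_dirs` conditional ineffective for NFS: with the content tunable off and NFS home directories on, NFS reads are allowed by the last block while the else-branch of the first block dontaudits the same access, so the tunable's documented gate does not hold for NFS and any denial would also be invisible in the audit log. The CIFS branch has no such unconditional block, so the two home-directory cases are inconsistent with each other either way. If NFS reads are meant to be gated, the last block should keep only `files_search_mnt(cdrecord_t)` and the two read lines should move into the first conditional's allow branch; if they are meant to be unconditional, a comment above the block should say why.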
@@ -0,0 +1,22 @@
+## <summary>Command-line CPU frequency settings.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## cpufreq-selector over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cpufreqselector_dbus_chat',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+ allow cpufreqselector_t $1:dbus send_msg;
+')
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
new file mode 100644
index 00000000..6cedb872
--- /dev/null
+++ b/policy/modules/apps/cpufreqselector.te
@@ -0,0 +1,53 @@
+policy_module(cpufreqselector, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpufreqselector_t;
+type cpufreqselector_exec_t;
+init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:process getsched;
+allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(cpufreqselector_t)
+
+files_read_etc_files(cpufreqselector_t)
+files_read_usr_files(cpufreqselector_t)
+
+dev_rw_sysfs(cpufreqselector_t)
+
+miscfiles_read_localization(cpufreqselector_t)
+
+userdom_read_all_users_state(cpufreqselector_t)
+userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+
+optional_policy(`
+ dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(cpufreqselector_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(cpufreqselector_t)
+ ')
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(cpufreqselector_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(cpufreqselector_t)
+ policykit_read_lib(cpufreqselector_t)
+ policykit_read_reload(cpufreqselector_t)
+')
diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc
new file mode 100644
index 00000000..7f5e8980
--- /dev/null
+++ b/policy/modules/apps/evolution.fc
@@ -0,0 +1,17 @@
+HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.config/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)
+HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.local/share/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)
+HOME_DIR/\.local/share/camel_certs(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)
+
+/tmp/\.exchange-%{USERNAME}(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
+
+/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0)
+
+/usr/lib/evolution/[^/]*/evolution-alarm-notify -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
+/usr/lib/evolution-webcal/evolution-webcal -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
+
+/usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
+/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
+/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0)
+/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
new file mode 100644
index 00000000..32cc77f2
--- /dev/null
+++ b/policy/modules/apps/evolution.if
@@ -0,0 +1,228 @@
+## <summary>Evolution email client.</summary>
+
+########################################
+## <summary>
+## Role access for evolution.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`evolution_role',`
+ gen_require(`
+ attribute_role evolution_roles;
+ type evolution_t, evolution_exec_t, evolution_home_t;
+ type evolution_alarm_t, evolution_alarm_exec_t, evolution_alarm_orbit_tmp_t;
+ type evolution_exchange_t, evolution_exchange_exec_t, evolution_exchange_tmp_t;
+ type evolution_exchange_orbit_tmp_t, evolution_orbit_tmp_t, evolution_server_orbit_tmp_t;
+ type evolution_server_t, evolution_server_exec_t, evolution_webcal_t;
+ type evolution_webcal_exec_t, evolution_alarm_tmpfs_t, evolution_exchange_tmpfs_t;
+ type evolution_tmpfs_t, evolution_webcal_tmpfs_t;
+ ')
+
+ roleattribute $1 evolution_roles;
+
+ domtrans_pattern($2, evolution_exec_t, evolution_t)
+ domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
+ domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
+ domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
+ domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
+
+ allow $2 { evolution_t evolution_alarm_t evolution_exchange_t evolution_server_t evolution_webcal_t }:process { noatsecure ptrace signal_perms };
+ ps_process_pattern($2, { evolution_t evolution_alarm_t evolution_exchange_t })
+ ps_process_pattern($2, { evolution_server_t evolution_webcal_t })
+
+ allow evolution_t $2:dir search_dir_perms;
+ allow evolution_t $2:file read_file_perms;
+ allow evolution_t $2:lnk_file read_lnk_file_perms;
+
+ allow $2 evolution_home_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $2 evolution_home_t:file { relabel_file_perms manage_file_perms };
+ allow $2 evolution_home_t:lnk_file { relabel_lnk_file_perms 
manage_lnk_file_perms };
+
+ userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".camel_certs")
+ userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".evolution")
+
+ allow $2 evolution_exchange_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { evolution_alarm_orbit_tmp_t evolution_exchange_orbit_tmp_t evolution_orbit_tmp_t evolution_server_orbit_tmp_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+
+ allow { evolution_t evolution_exchange_t } $2:unix_stream_socket connectto;
+
+ stream_connect_pattern($2, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+ stream_connect_pattern($2, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+
+ optional_policy(`
+ evolution_dbus_chat($2)
+ evolution_alarm_dbus_chat($2)
+ ')
+')
+
+########################################
+## <summary>
+## Create objects in the evolution home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type. 
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`evolution_home_filetrans',`
+ gen_require(`
+ type evolution_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, evolution_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Read evolution home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_home_files',`
+ gen_require(`
+ type evolution_t, evolution_home_t;
+ ')
+
+ read_files_pattern($1, evolution_home_t, evolution_home_t)
+')
+
+########################################
+## <summary>
+## Connect to evolution using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_stream_connect',`
+ gen_require(`
+ type evolution_t, evolution_orbit_tmp_t;
+ ')
+
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+')
+
+########################################
+## <summary>
+## Read evolution orbit temporary
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_orbit_tmp_files',`
+ gen_require(`
+ type evolution_orbit_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t)
+')
+
+
+########################################
+## <summary>
+## Send and receive messages from
+## evolution over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access. 
+## </summary>
+## </param>
+#
+interface(`evolution_dbus_chat',`
+ gen_require(`
+ type evolution_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 evolution_t:dbus send_msg;
+ allow evolution_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## evolution_alarm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_alarm_dbus_chat',`
+ gen_require(`
+ type evolution_alarm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 evolution_alarm_t:dbus send_msg;
+ allow evolution_alarm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Make a domain transition to the
+## evolution target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_domtrans',`
+ gen_require(`
+ type evolution_t, evolution_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, evolution_exec_t, evolution_t)
+')
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
new file mode 100644
index 00000000..e8362b8a
--- /dev/null
+++ b/policy/modules/apps/evolution.te
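Review bot: `evolution_read_home_files` grants `read_files_pattern($1, evolution_home_t, evolution_home_t)` but, unlike `evolution_home_filetrans` earlier in the same file, does not call `userdom_search_user_home_dirs($1)`, so a caller with no other home-directory access presumably cannot traverse to the evolution_home_t files it is being allowed to read — worth confirming against the intended callers. Its gen_require also lists `evolution_t`, which the body never references, so the require should be `type evolution_home_t;` only. Suggested body: `userdom_search_user_home_dirs($1)` on the line before the `read_files_pattern` call. Separately, `evolution_stream_connect` and the run-in before `evolution_dbus_chat` each carry a doubled blank line, which the rest of the file does not.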
@@ -0,0 +1,548 @@
+policy_module(evolution, 2.8.2)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow evolution to create and write
+## user certificates in addition to
+## being able to read them
+## </p>
+## </desc>
+gen_tunable(evolution_manage_user_certs, false)
+
+attribute_role evolution_roles;
+
+type evolution_t;
+type evolution_exec_t;
+typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
+typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
+userdom_user_application_domain(evolution_t, evolution_exec_t)
+role evolution_roles types evolution_t;
+
+optional_policy(`
+ wm_application_domain(evolution_t, evolution_exec_t)
+')
+
+type evolution_alarm_t;
+type evolution_alarm_exec_t;
+typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
+typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
+userdom_user_application_domain(evolution_alarm_t, evolution_alarm_exec_t)
+role evolution_roles types evolution_alarm_t;
+
+type evolution_alarm_tmpfs_t;
+typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
+typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
+userdom_user_tmpfs_file(evolution_alarm_tmpfs_t)
+
+type evolution_alarm_orbit_tmp_t;
+typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
+typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
+userdom_user_tmp_file(evolution_alarm_orbit_tmp_t)
+
+type evolution_exchange_t;
+type evolution_exchange_exec_t;
+typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t
};
+typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
+userdom_user_application_domain(evolution_exchange_t, evolution_exchange_exec_t)
+role evolution_roles types evolution_exchange_t;
+
+type evolution_exchange_tmpfs_t;
+typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
+typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
+userdom_user_tmpfs_file(evolution_exchange_tmpfs_t)
+
+type evolution_exchange_tmp_t;
+typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
+typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
+userdom_user_tmp_file(evolution_exchange_tmp_t)
+
+type evolution_exchange_orbit_tmp_t;
+typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
+typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
+userdom_user_tmp_file(evolution_exchange_orbit_tmp_t)
+
+type evolution_home_t;
+typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
+typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
+userdom_user_home_content(evolution_home_t)
+
+type evolution_orbit_tmp_t;
+typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
+typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
+userdom_user_tmp_file(evolution_orbit_tmp_t)
+
+type evolution_server_t;
+type evolution_server_exec_t;
+typealias evolution_server_t alias {
user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
+typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t };
+userdom_user_application_domain(evolution_server_t, evolution_server_exec_t)
+role evolution_roles types evolution_server_t;
+
+type evolution_server_orbit_tmp_t;
+typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
+typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
+userdom_user_tmp_file(evolution_server_orbit_tmp_t)
+
+type evolution_tmpfs_t;
+typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
+typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
+userdom_user_tmpfs_file(evolution_tmpfs_t)
+
+type evolution_webcal_t;
+type evolution_webcal_exec_t;
+typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
+typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
+userdom_user_application_domain(evolution_webcal_t, evolution_webcal_exec_t)
+role evolution_roles types evolution_webcal_t;
+
+type evolution_webcal_tmpfs_t;
+typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
+typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
+userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
+
+type evolution_xdg_cache_t;
+xdg_cache_content(evolution_xdg_cache_t)
+
+type evolution_xdg_config_t;
+xdg_config_content(evolution_xdg_config_t)
+
+type evolution_xdg_data_t;
+xdg_data_content(evolution_xdg_data_t)
+
+########################################
+#
+# Local policy
+#
+
+allow evolution_t
self:capability { setgid setuid sys_nice };
+allow evolution_t self:process { execmem getsched setsched signal signull };
+allow evolution_t self:fifo_file rw_file_perms;
+
+allow evolution_t evolution_home_t:dir manage_dir_perms;
+allow evolution_t evolution_home_t:file manage_file_perms;
+allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(evolution_t, evolution_home_t, dir, ".evolution")
+userdom_user_home_dir_filetrans(evolution_t, evolution_home_t, dir, ".camel_certs")
+
+allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
+allow evolution_t evolution_tmpfs_t:file manage_file_perms;
+allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow evolution_t { evolution_alarm_t evolution_server_t }:dir search_dir_perms;
+allow evolution_t { evolution_alarm_t evolution_server_t }:file read_file_perms;
+
+stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
+stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
+
+manage_files_pattern(evolution_t, evolution_xdg_cache_t, evolution_xdg_cache_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_cache_t, evolution_xdg_cache_t)
+xdg_cache_filetrans(evolution_t, evolution_xdg_cache_t, { dir file } )
+
+manage_files_pattern(evolution_t, evolution_xdg_config_t, evolution_xdg_config_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_config_t, evolution_xdg_config_t)
+xdg_config_filetrans(evolution_t, evolution_xdg_config_t, { dir file } )
+
+manage_files_pattern(evolution_t, evolution_xdg_data_t, evolution_xdg_data_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_data_t, evolution_xdg_data_t)
+xdg_data_filetrans(evolution_t, evolution_xdg_data_t, { dir file } )
+
+can_exec(evolution_t, { evolution_alarm_exec_t evolution_server_exec_t })
+
+kernel_read_kernel_sysctls(evolution_t)
+kernel_read_system_state(evolution_t)
+kernel_read_network_state(evolution_t)
+kernel_read_net_sysctls(evolution_t)
+
+corecmd_exec_bin(evolution_t)
+corecmd_exec_shell(evolution_t)
+
+corenet_all_recvfrom_unlabeled(evolution_t)
+corenet_all_recvfrom_netlabel(evolution_t)
+corenet_tcp_sendrecv_generic_if(evolution_t)
+corenet_udp_sendrecv_generic_if(evolution_t)
+corenet_raw_sendrecv_generic_if(evolution_t)
+corenet_tcp_sendrecv_generic_node(evolution_t)
+corenet_udp_sendrecv_generic_node(evolution_t)
+corenet_tcp_sendrecv_all_ports(evolution_t)
+corenet_udp_sendrecv_all_ports(evolution_t)
+
+corenet_sendrecv_pop_client_packets(evolution_t)
+corenet_tcp_connect_pop_port(evolution_t)
+
+corenet_sendrecv_smtp_client_packets(evolution_t)
+corenet_tcp_connect_smtp_port(evolution_t)
+
+corenet_sendrecv_innd_client_packets(evolution_t)
+corenet_tcp_connect_innd_port(evolution_t)
+
+corenet_sendrecv_ldap_client_packets(evolution_t)
+corenet_tcp_connect_ldap_port(evolution_t)
+
+corenet_sendrecv_ipp_client_packets(evolution_t)
+corenet_tcp_connect_ipp_port(evolution_t)
+
+dev_read_rand(evolution_t)
+dev_read_urand(evolution_t)
+
+domain_dontaudit_read_all_domains_state(evolution_t)
+
+files_map_usr_files(evolution_t)
+files_read_usr_files(evolution_t)
+
+fs_dontaudit_getattr_xattr_fs(evolution_t)
+fs_getattr_tmpfs(evolution_t)
+fs_search_auto_mountpoints(evolution_t)
+fs_search_cgroup_dirs(evolution_t)
+
+auth_use_nsswitch(evolution_t)
+
+logging_send_syslog_msg(evolution_t)
+
+miscfiles_read_generic_certs(evolution_t)
+miscfiles_read_localization(evolution_t)
+
+udev_read_state(evolution_t)
+
+userdom_use_user_terminals(evolution_t)
+
+
+tunable_policy(`evolution_manage_user_certs',`
+ userdom_manage_user_certs(evolution_t)
+',`
+ userdom_dontaudit_manage_user_certs(evolution_t)
+ userdom_read_user_certs(evolution_t)
+')
+
+userdom_write_user_tmp_sockets(evolution_t)
+
+userdom_user_content_access_template(evolution, evolution_t)
+
+mta_read_config(evolution_t)
+
+xdg_manage_downloads(evolution_t)
+
+xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+xserver_read_xdm_tmp_files(evolution_t)
+
+ifndef(`enable_mls',`
+ fs_list_dos(evolution_t)
+ fs_read_dos_files(evolution_t)
+
+ fs_search_removable(evolution_t)
+ fs_read_removable_files(evolution_t)
+ fs_read_removable_symlinks(evolution_t)
+
+ fs_read_iso9660_files(evolution_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_t)
+ fs_manage_nfs_files(evolution_t)
+ fs_manage_nfs_symlinks(evolution_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_t)
+ fs_manage_cifs_files(evolution_t)
+ fs_manage_cifs_symlinks(evolution_t)
+')
+
+optional_policy(`
+ automount_read_state(evolution_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(evolution_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(evolution_t)
+ dbus_all_session_bus_client(evolution_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_t)
+')
+
+optional_policy(`
+ gpg_domtrans(evolution_t)
+ gpg_signal(evolution_t)
+')
+
+optional_policy(`
+ lpd_run_lpr(evolution_t, evolution_roles)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(evolution_t)
+ 
mozilla_domtrans(evolution_t)
+')
+
+optional_policy(`
+ ooffice_domtrans(evolution_t)
+ ooffice_rw_tmp_files(evolution_t)
+')
+
+optional_policy(`
+ spamassassin_exec_spamd(evolution_t)
+ spamassassin_domtrans_client(evolution_t)
+ spamassassin_domtrans_local_client(evolution_t)
+ spamassassin_read_spamd_tmp_files(evolution_t)
+ spamassassin_signal_spamd(evolution_t)
+ spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
+')
+
+########################################
+#
+# Alarm local policy
+#
+
+allow evolution_alarm_t self:process { signal getsched };
+allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
+allow evolution_alarm_t evolution_home_t:file manage_file_perms;
+allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".evolution")
+userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".camel_certs")
+
+stream_connect_pattern(evolution_alarm_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+stream_connect_pattern(evolution_alarm_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
+
+kernel_dontaudit_read_system_state(evolution_alarm_t)
+
+dev_read_urand(evolution_alarm_t)
+
+files_read_usr_files(evolution_alarm_t)
+
+fs_dontaudit_getattr_xattr_fs(evolution_alarm_t)
+fs_search_auto_mountpoints(evolution_alarm_t)
+
+auth_use_nsswitch(evolution_alarm_t)
+
+miscfiles_read_localization(evolution_alarm_t)
+
+userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
+
+xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_alarm_t)
+ fs_manage_nfs_files(evolution_alarm_t)
+ fs_manage_nfs_symlinks(evolution_alarm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_alarm_t)
+ fs_manage_cifs_files(evolution_alarm_t)
+ fs_manage_cifs_symlinks(evolution_alarm_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(evolution_alarm_t)
+ dbus_connect_all_session_bus(evolution_alarm_t)
+
+ optional_policy(`
+ evolution_dbus_chat(evolution_alarm_t)
+ ')
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_alarm_t)
+')
+
+########################################
+#
+# Exchange local policy
+#
+
+allow evolution_exchange_t self:process getsched;
+allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_home_t:file manage_file_perms;
+allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(evolution_exchange_t, evolution_home_t, dir, ".evolution")
+userdom_user_home_dir_filetrans(evolution_exchange_t, evolution_home_t, dir, ".camel_certs")
+
+allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
+
+allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
+allow
evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+stream_connect_pattern(evolution_exchange_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+stream_connect_pattern(evolution_exchange_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
+stream_connect_pattern(evolution_exchange_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
+
+kernel_read_network_state(evolution_exchange_t)
+kernel_read_net_sysctls(evolution_exchange_t)
+
+corecmd_exec_bin(evolution_exchange_t)
+
+dev_read_urand(evolution_exchange_t)
+
+files_read_usr_files(evolution_exchange_t)
+
+fs_search_auto_mountpoints(evolution_exchange_t)
+
+auth_use_nsswitch(evolution_exchange_t)
+
+miscfiles_read_localization(evolution_exchange_t)
+
+userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
+
+userdom_write_user_tmp_sockets(evolution_exchange_t)
+
+xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_exchange_t)
+ fs_manage_nfs_files(evolution_exchange_t)
+ fs_manage_nfs_symlinks(evolution_exchange_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_exchange_t)
+ fs_manage_cifs_files(evolution_exchange_t)
+ fs_manage_cifs_symlinks(evolution_exchange_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_exchange_t)
+')
+
+########################################
+#
+# Server local policy
+#
+
+allow evolution_server_t self:process { getsched signal };
+
+allow evolution_server_t self:fifo_file { read write };
+allow evolution_server_t
self:unix_stream_socket { accept connectto listen };
+
+allow evolution_server_t evolution_home_t:dir manage_dir_perms;
+allow evolution_server_t evolution_home_t:file manage_file_perms;
+allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".evolution")
+userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".camel_certs")
+
+stream_connect_pattern(evolution_server_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+stream_connect_pattern(evolution_server_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+stream_connect_pattern(evolution_server_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
+
+kernel_read_system_state(evolution_server_t)
+
+corecmd_exec_shell(evolution_server_t)
+
+corenet_all_recvfrom_unlabeled(evolution_server_t)
+corenet_all_recvfrom_netlabel(evolution_server_t)
+corenet_tcp_sendrecv_generic_if(evolution_server_t)
+corenet_tcp_sendrecv_generic_node(evolution_server_t)
+
+corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_cache_port(evolution_server_t)
+
+corenet_sendrecv_http_client_packets(evolution_server_t)
+corenet_tcp_sendrecv_http_port(evolution_server_t)
+corenet_tcp_connect_http_port(evolution_server_t)
+
+dev_read_urand(evolution_server_t)
+
+files_read_usr_files(evolution_server_t)
+
+fs_search_auto_mountpoints(evolution_server_t)
+
+auth_use_nsswitch(evolution_server_t)
+
+miscfiles_read_localization(evolution_server_t)
+miscfiles_read_generic_certs(evolution_server_t)
+
+userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+
+tunable_policy(`evolution_manage_user_certs',`
+ userdom_manage_user_certs(evolution_server_t)
+',`
+ userdom_dontaudit_manage_user_certs(evolution_server_t)
+ userdom_read_user_certs(evolution_server_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_server_t)
+ fs_manage_nfs_files(evolution_server_t)
+ fs_manage_nfs_symlinks(evolution_server_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_server_t)
+ fs_manage_cifs_files(evolution_server_t)
+ fs_manage_cifs_symlinks(evolution_server_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_server_t)
+')
+
+########################################
+#
+# Webcal local policy
+#
+
+allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corenet_all_recvfrom_unlabeled(evolution_webcal_t)
+corenet_all_recvfrom_netlabel(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_node(evolution_webcal_t)
+
+corenet_tcp_sendrecv_http_port(evolution_webcal_t)
+corenet_tcp_connect_http_port(evolution_webcal_t)
+corenet_sendrecv_http_client_packets(evolution_webcal_t)
+
+corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_cache_port(evolution_webcal_t)
+corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+
+auth_use_nsswitch(evolution_webcal_t)
+
+userdom_search_user_home_dirs(evolution_webcal_t)
+userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
+
+xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
diff --git a/policy/modules/apps/firewallgui.fc b/policy/modules/apps/firewallgui.fc
new file mode 100644
index 00000000..94ab048b
--- /dev/null
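Review bot: The two `typealias` lines under `type evolution_orbit_tmp_t;` in the declarations attach the legacy orbit_tmp aliases to `evolution_home_t` instead of `evolution_orbit_tmp_t`, so `user_evolution_orbit_tmp_t` and the other four names resolve to the home-content type, and any rule or label written against them gets home-file access rather than tmp-file access. They should read `typealias evolution_orbit_tmp_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };` and `typealias evolution_orbit_tmp_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };`, as every other type block in this file does. A smaller consistency point: `allow evolution_t self:fifo_file rw_file_perms;` and `allow evolution_server_t self:fifo_file { read write };` spell the fifo permission set differently from the `rw_fifo_file_perms` used for the alarm and exchange domains.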
+++ b/policy/modules/apps/firewallgui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-firewall/system-config-firewall-mechanism\.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
diff --git a/policy/modules/apps/firewallgui.if b/policy/modules/apps/firewallgui.if
new file mode 100644
index 00000000..e6866d1f
--- /dev/null
+++ b/policy/modules/apps/firewallgui.if
@@ -0,0 +1,41 @@
+## <summary>system-config-firewall dbus system service.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## firewallgui over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewallgui_dbus_chat',`
+ gen_require(`
+ type firewallgui_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 firewallgui_t:dbus send_msg;
+ allow firewallgui_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write firewallgui unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firewallgui_dontaudit_rw_pipes',`
+ gen_require(`
+ type firewallgui_t;
+ ')
+
+ dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
new file mode 100644
index 00000000..20945466
--- /dev/null
+++ b/policy/modules/apps/firewallgui.te
@@ -0,0 +1,73 @@
+policy_module(firewallgui, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewallgui_t;
+type firewallgui_exec_t;
+init_system_domain(firewallgui_t, firewallgui_exec_t)
+
+type firewallgui_tmp_t;
+files_tmp_file(firewallgui_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firewallgui_t self:capability { net_admin sys_rawio } ;
+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
+
+kernel_read_system_state(firewallgui_t)
+kernel_read_network_state(firewallgui_t)
+kernel_rw_net_sysctls(firewallgui_t)
+kernel_rw_kernel_sysctl(firewallgui_t)
+kernel_rw_vm_sysctls(firewallgui_t)
+
+corecmd_exec_bin(firewallgui_t)
+corecmd_exec_shell(firewallgui_t)
+
+dev_read_sysfs(firewallgui_t)
+dev_read_urand(firewallgui_t)
+
+files_list_kernel_modules(firewallgui_t)
+files_read_usr_files(firewallgui_t)
+
+auth_use_nsswitch(firewallgui_t)
+
+miscfiles_read_localization(firewallgui_t)
+
+seutil_read_config(firewallgui_t)
+
+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
+
+optional_policy(`
+ consoletype_exec(firewallgui_t)
+')
+
+optional_policy(`
+ dbus_system_domain(firewallgui_t, firewallgui_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(firewallgui_t)
+ ')
+')
+
+optional_policy(`
+ gnome_read_generic_gconf_home_content(firewallgui_t)
+')
+
+optional_policy(`
+ iptables_domtrans(firewallgui_t)
+ iptables_initrc_domtrans(firewallgui_t)
+')
+
+optional_policy(`
+ modutils_getattr_module_deps(firewallgui_t)
+')
diff --git a/policy/modules/apps/games.fc b/policy/modules/apps/games.fc
new file mode 100644
index 00000000..5e2e4f2a
--- /dev/null
+++ b/policy/modules/apps/games.fc
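Review bot: `allow firewallgui_t self:capability { net_admin sys_rawio } ;` grants sys_rawio, a capability much broader than a firewall-configuration helper visibly needs, and nothing in the hunk says what it is for; if it was added to satisfy a denial seen while the mechanism ran iptables, the `iptables_domtrans` in the optional_policy block below already moves that work into the iptables domain. Suggest dropping it or putting a why-comment above the line such as `# sys_rawio: <reason> — re-check against a fresh audit log before keeping`, and removing the stray space before the `;`. Separately, `manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)` and the two calls after it omit the space after each comma that every other module in this series uses; `manage_files_pattern(firewallgui_t, firewallgui_tmp_t, firewallgui_tmp_t)` would match.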
@@ -0,0 +1,60 @@
+/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmines --
gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
+
+/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
+
+/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
+
+/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+
+/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
new file mode 100644
index 00000000..d29977b2
--- /dev/null
+++ b/policy/modules/apps/games.if
@@ -0,0 +1,99 @@
+## <summary>Various games.</summary>
+
+########################################
+## <summary>
+## Role access for games.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`games_role',`
+ gen_require(`
+ attribute_role games_roles;
+ type games_t, games_exec_t, games_tmp_t;
+ type games_tmpfs_t;
+ ')
+
+ roleattribute $1 games_roles;
+
+ domtrans_pattern($2, games_exec_t, games_t)
+
+ allow $2 games_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { games_tmp_t games_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 games_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 games_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ allow $2 games_t:process { ptrace signal_perms };
+ ps_process_pattern($2, games_t)
+
+ stream_connect_pattern($2, games_tmpfs_t, games_tmpfs_t, games_t)
+
+ allow games_t $2:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Read and write games data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`games_rw_data',`
+ gen_require(`
+ type games_data_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, games_data_t, games_data_t)
+')
+
+########################################
+## <summary>
+## Run a game in the game domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`games_domtrans',`
+ gen_require(`
+ type games_t, games_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, games_exec_t, games_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## games over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`games_dbus_chat',`
+ gen_require(`
+ type games_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 games_t:dbus send_msg;
+ allow games_t $1:dbus send_msg;
+')
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
new file mode 100644
index 00000000..0cdebe62
--- /dev/null
+++ b/policy/modules/apps/games.te
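Review bot: `games_rw_data` pairs `rw_files_pattern($1, games_data_t, games_data_t)` with only `files_search_var_lib($1)`, yet games.fc in this same series labels both `/var/games(/.*)?` and `/var/lib/games(/.*)?` as games_data_t, so a caller reaching data under /var/games still lacks search on /var itself; adding `files_search_var($1)` would cover both locations. In `games_role`, `allow $2 games_t:process { ptrace signal_perms };` hands the user domain ptrace over the games domain with no comment on why a game needs to be traceable by its launcher; if it is only there for debugging, a short note saying so (or gating it behind a tunable) would make the grant easier to justify on later review.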
@@ -0,0 +1,197 @@
+policy_module(games, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role games_roles;
+
+type games_t;
+type games_exec_t;
+typealias games_t alias { user_games_t staff_games_t sysadm_games_t };
+typealias games_t alias { auditadm_games_t secadm_games_t };
+userdom_user_application_domain(games_t, games_exec_t)
+role games_roles types games_t;
+
+optional_policy(`
+ wm_application_domain(games_t, games_exec_t)
+')
+
+type games_data_t;
+typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
+typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
+files_type(games_data_t)
+ubac_constrained(games_data_t)
+
+type games_devpts_t;
+typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t };
+typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t };
+term_pty(games_devpts_t)
+ubac_constrained(games_devpts_t)
+
+type games_srv_t;
+init_system_domain(games_srv_t, games_exec_t)
+
+type games_srv_var_run_t;
+files_pid_file(games_srv_var_run_t)
+
+type games_tmp_t;
+typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
+typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
+userdom_user_tmp_file(games_tmp_t)
+
+type games_tmpfs_t;
+typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
+typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
+userdom_user_tmpfs_file(games_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(games_tmpfs_t)
+')
+
+########################################
+#
+# Server local policy
+#
+
+dontaudit games_srv_t self:capability sys_tty_config;
+allow games_srv_t self:process signal_perms;
+
+manage_files_pattern(games_srv_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t)
+
+manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t)
+files_pid_filetrans(games_srv_t, games_srv_var_run_t, file)
+
+can_exec(games_srv_t, games_exec_t)
+
+kernel_read_kernel_sysctls(games_srv_t)
+kernel_list_proc(games_srv_t)
+kernel_read_proc_symlinks(games_srv_t)
+
+dev_read_sysfs(games_srv_t)
+
+fs_getattr_all_fs(games_srv_t)
+fs_search_auto_mountpoints(games_srv_t)
+
+term_dontaudit_use_console(games_srv_t)
+
+domain_use_interactive_fds(games_srv_t)
+
+init_use_fds(games_srv_t)
+init_use_script_ptys(games_srv_t)
+
+logging_send_syslog_msg(games_srv_t)
+
+miscfiles_read_localization(games_srv_t)
+
+userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+
+userdom_dontaudit_search_user_home_dirs(games_srv_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(games_srv_t)
+')
+
+optional_policy(`
+ udev_read_db(games_srv_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow games_t self:fifo_file rw_file_perms;
+allow games_t self:sem create_sem_perms;
+allow games_t self:tcp_socket { accept listen };
+
+manage_files_pattern(games_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
+
+allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(games_t, games_devpts_t)
+
+manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
+manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+files_tmp_filetrans(games_t, games_tmp_t, { file dir })
+
+manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(games_t, games_exec_t)
+
+kernel_read_system_state(games_t)
+
+corecmd_exec_bin(games_t)
+
+corenet_all_recvfrom_unlabeled(games_t)
+corenet_all_recvfrom_netlabel(games_t)
+corenet_tcp_sendrecv_generic_if(games_t)
+corenet_tcp_sendrecv_generic_node(games_t)
+corenet_tcp_sendrecv_all_ports(games_t)
+corenet_tcp_bind_generic_node(games_t)
+
+corenet_sendrecv_generic_server_packets(games_t)
+corenet_tcp_bind_generic_port(games_t)
+
+corenet_sendrecv_generic_client_packets(games_t)
+corenet_tcp_connect_generic_port(games_t)
+
+dev_read_sound(games_t)
+dev_read_input(games_t)
+dev_read_mouse(games_t)
+dev_read_urand(games_t)
+dev_rw_dri(games_t)
+dev_write_sound(games_t)
+
+files_list_var(games_t)
+files_search_var_lib(games_t)
+files_dontaudit_search_var(games_t)
+files_read_etc_files(games_t)
+files_read_usr_files(games_t)
+files_read_var_files(games_t)
+
+fs_dontaudit_getattr_xattr_fs(games_t)
+
+init_dontaudit_rw_utmp(games_t)
+
+logging_dontaudit_search_logs(games_t)
+
+miscfiles_read_man_pages(games_t)
+miscfiles_read_localization(games_t)
+
+sysnet_dns_name_resolve(games_t)
+
+userdom_manage_user_tmp_dirs(games_t)
+userdom_manage_user_tmp_files(games_t)
+userdom_manage_user_tmp_symlinks(games_t)
+userdom_manage_user_tmp_sockets(games_t)
+userdom_dontaudit_read_user_home_content_files(games_t)
+
+tunable_policy(`allow_execmem',`
+ allow games_t self:process execmem;
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(games_t)
+ dbus_connect_all_session_bus(games_t)
+')
+
+optional_policy(`
+ nscd_use(games_t)
+')
+
+optional_policy(`
+ pulseaudio_run(games_t, games_roles)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(games_t)
+ xserver_read_xdm_lib_files(games_t)
+')
diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc
new file mode 100644
index 00000000..e27fa519
--- /dev/null
+++ b/policy/modules/apps/gift.fc
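Review bot: The client domain games_t is granted `self:tcp_socket { accept listen }` together with `corenet_tcp_bind_generic_node`, `corenet_tcp_bind_generic_port` and `corenet_tcp_sendrecv_all_ports`, so any game a user launches may open a listening TCP service on the host, and nothing in the hunk records which games need that. A short comment above the corenet block naming the multiplayer/host case that requires the listener, or a tunable around the bind/listen rules, would let deployments that only run single-player games drop it. Separately, in the declarations games_srv_t and games_t share games_exec_t as their entrypoint (`init_system_domain(games_srv_t, games_exec_t)` next to `userdom_user_application_domain(games_t, games_exec_t)`), which is easy to misread as a mistake; a one-line comment such as `# game servers started by init run the same binaries as user-launched games` would make the intent explicit.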
@@ -0,0 +1,6 @@
+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0)
+
+/usr/bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
+/usr/bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0)
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
new file mode 100644
index 00000000..e9023e56
--- /dev/null
+++ b/policy/modules/apps/gift.if
@@ -0,0 +1,40 @@
+## <summary>Peer to peer file sharing tool.</summary>
+
+########################################
+## <summary>
+## Role access for gift.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`gift_role',`
+ gen_require(`
+ attribute_role gift_roles, giftd_roles;
+ type gift_t, gift_exec_t, gift_home_t;
+ type giftd_t, giftd_exec_t, gift_tmpfs_t;
+ ')
+
+ roleattribute $1 gift_roles;
+ roleattribute $1 giftd_roles;
+
+ domtrans_pattern($2, gift_exec_t, gift_t)
+ domtrans_pattern($2, giftd_exec_t, giftd_t)
+
+ allow $2 gift_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { gift_home_t gift_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { gift_home_t gift_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 gift_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 gift_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_user_home_dir_filetrans($2, gift_home_t, dir, ".giFT")
+
+ ps_process_pattern($2, { gift_t giftd_t })
+ allow $2 { gift_t giftd_t }:process { ptrace signal_perms };
+')
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
new file mode 100644
index 00000000..21692909
--- /dev/null
+++ b/policy/modules/apps/gift.te
@@ -0,0 +1,144 @@
+policy_module(gift, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role gift_roles;
+attribute_role giftd_roles;
+
+type gift_t;
+type gift_exec_t;
+typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
+typealias gift_t alias { auditadm_gift_t secadm_gift_t };
+userdom_user_application_domain(gift_t, gift_exec_t)
+role gift_roles types gift_t;
+
+type gift_home_t;
+typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
+typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
+userdom_user_home_content(gift_home_t)
+
+type gift_tmpfs_t;
+typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
+typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
+userdom_user_tmpfs_file(gift_tmpfs_t)
+
+type giftd_t;
+type giftd_exec_t;
+typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
+typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
+userdom_user_application_domain(giftd_t, giftd_exec_t)
+role giftd_roles types giftd_t;
+
+optional_policy(`
+ wm_application_domain(gift_t, gift_exec_t)
+')
+
+##############################
+#
+# Client local policy
+#
+
+manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
+manage_files_pattern(gift_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
+
+domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
+
+kernel_read_system_state(gift_t)
+
+corenet_all_recvfrom_unlabeled(gift_t)
+corenet_all_recvfrom_netlabel(gift_t)
+corenet_tcp_sendrecv_generic_if(gift_t)
+corenet_tcp_sendrecv_generic_node(gift_t)
+
+corenet_sendrecv_giftd_client_packets(gift_t)
+corenet_tcp_connect_giftd_port(gift_t)
+corenet_tcp_sendrecv_giftd_port(gift_t)
+
+fs_search_auto_mountpoints(gift_t)
+
+auth_use_nsswitch(gift_t)
+
+userdom_dontaudit_read_user_home_content_files(gift_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gift_t)
+ fs_manage_nfs_files(gift_t)
+ fs_manage_nfs_symlinks(gift_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gift_t)
+ fs_manage_cifs_files(gift_t)
+ fs_manage_cifs_symlinks(gift_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
+')
+
+##############################
+#
+# Server local policy
+#
+
+allow giftd_t self:process { signal setsched };
+allow giftd_t self:unix_stream_socket create_socket_perms;
+allow giftd_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
+
+kernel_read_system_state(giftd_t)
+kernel_read_kernel_sysctls(giftd_t)
+
+corenet_all_recvfrom_unlabeled(giftd_t)
+corenet_all_recvfrom_netlabel(giftd_t)
+corenet_tcp_sendrecv_generic_if(giftd_t)
+corenet_udp_sendrecv_generic_if(giftd_t)
+corenet_tcp_sendrecv_generic_node(giftd_t)
+corenet_udp_sendrecv_generic_node(giftd_t)
+corenet_tcp_sendrecv_all_ports(giftd_t)
+corenet_udp_sendrecv_all_ports(giftd_t)
+corenet_tcp_bind_generic_node(giftd_t)
+corenet_udp_bind_generic_node(giftd_t)
+
+corenet_sendrecv_all_server_packets(giftd_t)
+corenet_tcp_bind_all_ports(giftd_t)
+corenet_udp_bind_all_ports(giftd_t)
+
+corenet_sendrecv_all_client_packets(giftd_t)
+corenet_tcp_connect_all_ports(giftd_t)
+
+files_read_etc_runtime_files(giftd_t)
+files_read_usr_files(giftd_t)
+
+miscfiles_read_localization(giftd_t)
+
+sysnet_dns_name_resolve(giftd_t)
+
+userdom_use_user_terminals(giftd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(giftd_t)
+ fs_manage_nfs_files(giftd_t)
+ fs_manage_nfs_symlinks(giftd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(giftd_t)
+ fs_manage_cifs_files(giftd_t)
+ fs_manage_cifs_symlinks(giftd_t)
+')
diff --git a/policy/modules/apps/gitosis.fc b/policy/modules/apps/gitosis.fc
new file mode 100644
index 00000000..b64de321
--- /dev/null
+++ b/policy/modules/apps/gitosis.fc
@@ -0,0 +1,7 @@
+/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+/var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --git a/policy/modules/apps/gitosis.if b/policy/modules/apps/gitosis.if
new file mode 100644
index 00000000..f8ca38cb
--- /dev/null
+++ b/policy/modules/apps/gitosis.if
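Review bot: giftd_t is allowed to bind every TCP and UDP port (`corenet_tcp_bind_all_ports`, `corenet_udp_bind_all_ports`) and connect to every TCP port in the Server local policy block, while the gift_t client in the same hunk is scoped to the giftd port; as far as type enforcement is concerned the daemon may therefore occupy ports labeled for other services. If the P2P protocol only needs ephemeral ports for incoming peers, the unreserved-port interfaces (`corenet_tcp_bind_all_unreserved_ports`, `corenet_udp_bind_all_unreserved_ports`) would be a narrower fit, which should be confirmed against what giftd actually binds before changing. At minimum a comment above the `corenet_sendrecv_all_server_packets(giftd_t)` group recording why all-ports access is required would stop a later reviewer from narrowing it blindly.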
@@ -0,0 +1,87 @@
+## <summary>Tools for managing and hosting git repositories.</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+ gen_require(`
+ type gitosis_t, gitosis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+## Execute gitosis-serve in the
+## gitosis domain, and allow the
+## specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_run',`
+ gen_require(`
+ attribute_role gitosis_roles;
+ ')
+
+ gitosis_domtrans($1)
+ roleattribute $2 gitosis_roles;
+')
+
+#######################################
+## <summary>
+## Read gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_read_lib_files',`
+ gen_require(`
+ type gitosis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_manage_lib_files',`
+ gen_require(`
+ type gitosis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
diff --git a/policy/modules/apps/gitosis.te b/policy/modules/apps/gitosis.te
new file mode 100644
index 00000000..582db0a2
--- /dev/null
+++ b/policy/modules/apps/gitosis.te
@@ -0,0 +1,65 @@
+policy_module(gitosis, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Gitosis can send mail.
+## </p>
+## </desc>
+gen_tunable(gitosis_can_sendmail, false)
+
+attribute_role gitosis_roles;
+roleattribute system_r gitosis_roles;
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role gitosis_roles types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+
+kernel_read_system_state(gitosis_t)
+
+corenet_all_recvfrom_unlabeled(gitosis_t)
+corenet_all_recvfrom_netlabel(gitosis_t)
+corenet_tcp_sendrecv_generic_if(gitosis_t)
+corenet_tcp_sendrecv_generic_node(gitosis_t)
+corenet_tcp_bind_generic_node(gitosis_t)
+
+corenet_sendrecv_ssh_server_packets(gitosis_t)
+corenet_tcp_bind_ssh_port(gitosis_t)
+corenet_tcp_sendrecv_ssh_port(gitosis_t)
+
+corecmd_exec_bin(gitosis_t)
+corecmd_exec_shell(gitosis_t)
+
+dev_read_urand(gitosis_t)
+
+files_read_etc_files(gitosis_t)
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
+
+sysnet_read_config(gitosis_t)
+
+tunable_policy(`gitosis_can_sendmail',`
+ mta_send_mail(gitosis_t)
+')
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
new file mode 100644
index 00000000..81e9716a
--- /dev/null
+++ b/policy/modules/apps/gnome.fc
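Review bot: gitosis_t both manages and executes content of the same type (`exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)` directly above `manage_files_pattern(...)` in the Local policy block) and may run shells and binaries (`corecmd_exec_shell`), so the domain gives no write-xor-execute boundary: whatever lands in the repository store can be run as gitosis_t. That is inherent to git hook handling, but it deserves a comment next to the exec rule, e.g. `# repository hooks live in gitosis_var_lib_t and are executed from there`, so the assumption is explicit for anyone auditing the domain. The `corenet_tcp_bind_ssh_port(gitosis_t)` rule also looks surprising for a forced command that sshd spawns on an already-accepted connection; the sendrecv rules cover the inherited socket, and the bind may be removable, which should be checked against audit data before dropping it.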
@@ -0,0 +1,28 @@
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
+HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
+HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_t,s0)
+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_xdg_config_t,s0)
+HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
+HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_xdg_data_t,s0)
+
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+
+/tmp/gconfd-%{USERNAME}/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+
+/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
+/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:gconf_tmp_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
new file mode 100644
index 00000000..8b27d15a
--- /dev/null
+++ b/policy/modules/apps/gnome.if
@@ -0,0 +1,809 @@
+## <summary>GNU network object model environment.</summary>
+
+#######################################
+## <summary>
+## The role template for gnome.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`gnome_role_template',`
+ gen_require(`
+ attribute gnomedomain, gkeyringd_domain;
+ attribute_role gconfd_roles;
+ type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ type gconfd_t, gconfd_exec_t, gconf_tmp_t;
+ type gconf_home_t;
+ ')
+
+ ########################################
+ #
+ # Gconf declarations
+ #
+
+ roleattribute $2 gconfd_roles;
+
+ ########################################
+ #
+ # Gkeyringd declarations
+ #
+
+ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
+ userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
+ domain_user_exemption_target($1_gkeyringd_t)
+
+ role $2 types $1_gkeyringd_t;
+
+ ########################################
+ #
+ # Gconf policy
+ #
+
+ domtrans_pattern($3, gconfd_exec_t, gconfd_t)
+
+ allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
+ userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
+
+ allow $3 gconfd_t:process { ptrace signal_perms };
+ ps_process_pattern($3, gconfd_t)
+
+ ########################################
+ #
+ # Gkeyringd policy
+ #
+
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+
+ allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
+
+ userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
+ userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
+ userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
+
+ gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
+
+ allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+
+ ps_process_pattern($3, $1_gkeyringd_t)
+ allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+
+ corecmd_bin_domtrans($1_gkeyringd_t, $3)
+ corecmd_shell_domtrans($1_gkeyringd_t, $3)
+
+ gnome_stream_connect_gkeyringd($1, $3)
+
+ optional_policy(`
+ dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
+ dbus_system_bus_client($1_gkeyringd_t)
+
+ optional_policy(`
+ evolution_dbus_chat($1_gkeyringd_t)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd($3)
+ gnome_dbus_chat_gkeyringd($1, $3)
+ ')
+
+ optional_policy(`
+ wm_dbus_chat($1, $1_gkeyringd_t)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Execute gconf in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+## Read gconf configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ allow $1 gconf_etc_t:file read_file_perms;
+ allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## inherited gconf configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ dontaudit $1 gconf_etc_t:file read;
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## gconf configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 gconf_etc_t:dir manage_dir_perms;
+ allow $1 gconf_etc_t:file manage_file_perms;
+ allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to gconf using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_gconf',`
+ gen_require(`
+ type gconfd_t, gconf_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
+')
+
+########################################
+## <summary>
+## Run gconfd in gconfd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnome_domtrans_gconfd',`
+ gen_require(`
+ type gconfd_t, gconfd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+')
+
+########################################
+## <summary>
+## Create generic gnome home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ allow $1 gnome_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Set attributes of generic gnome
+## user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+## Read generic gnome home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_home_content',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir list_dir_perms;
+ allow $1 gnome_home_t:file { read_file_perms map };
+ allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
+ allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
+ allow $1 gnome_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic gnome home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_content',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir manage_dir_perms;
+ allow $1 gnome_home_t:file manage_file_perms;
+ allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic gnome home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_generic_home',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in gnome user home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, gnome_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create generic gconf home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_gconf_home_dirs',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic gconf home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_gconf_home_content',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 gconf_home_t:file read_file_perms;
+ allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
+ allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
+ allow $1 gconf_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic gconf home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_gconf_home_content',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir manage_dir_perms;
+ allow $1 gconf_home_t:file manage_file_perms;
+ allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 gconf_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic gconf home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_generic_gconf_home',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic gconf
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_gconf_home',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic gnome
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_gnome_home',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in gnome gconf home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_gconf_home_filetrans',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read generic gnome keyring home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_keyring_home_files',`
+ gen_require(`
+ type gnome_home_t, gnome_keyring_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gnome configuration daemon over
+## dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary> +## </param> +# +interface(`gnome_dbus_chat_gconfd',` + gen_require(` + type gconfd_t; + class dbus send_msg; + ') + + allow $1 gconfd_t:dbus send_msg; + allow gconfd_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## gnome keyring daemon over dbus. +## </summary> +## <param name="role_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_gkeyringd',` + gen_require(` + type $1_gkeyringd_t; + class dbus send_msg; + ') + + allow $2 $1_gkeyringd_t:dbus send_msg; + allow $1_gkeyringd_t $2:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from all +## gnome keyring daemon over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_all_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; + class dbus send_msg; + ') + + allow $1 gkeyringd_domain:dbus send_msg; + allow gkeyringd_domain $1:dbus send_msg; +') + +######################################## +## <summary> +## Run all gkeyringd in gkeyringd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gnome_spec_domtrans_all_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; + type gkeyringd_exec_t; + ') + + corecmd_search_bin($1) + spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain) +') + +######################################## +## <summary> +## Connect to gnome keyring daemon +## with a unix stream socket. +## </summary> +## <param name="role_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). 
+## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_stream_connect_gkeyringd',` + gen_require(` + type $1_gkeyringd_t, gnome_keyring_tmp_t; + ') + + files_search_tmp($2) + userdom_search_user_runtime($2) + stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) +') + +######################################## +## <summary> +## Connect to all gnome keyring daemon +## with a unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_stream_connect_all_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; + type gnome_keyring_tmp_t; + ') + + files_search_tmp($1) + userdom_search_user_runtime($1) + stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) +') + +######################################## +## <summary> +## Manage gstreamer ORC optimized +## code. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_manage_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + allow $1 gstreamer_orcexec_t:file manage_file_perms; +') + +######################################## +## <summary> +## Mmap gstreamer ORC optimized +## code. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_mmap_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms; +') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te new file mode 100644 index 00000000..340e394a --- /dev/null +++ b/policy/modules/apps/gnome.te 
@@ -0,0 +1,215 @@ +policy_module(gnome, 2.9.2) + +############################## +# +# Declarations +# + +attribute gkeyringd_domain; +attribute gnomedomain; +attribute_role gconfd_roles; + +type gconf_etc_t; +files_config_file(gconf_etc_t) + +type gconf_home_t; +typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; +typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; +typealias gconf_home_t alias unconfined_gconf_home_t; +userdom_user_home_content(gconf_home_t) + +type gconf_tmp_t; +typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; +typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; +typealias gconf_tmp_t alias unconfined_gconf_tmp_t; +userdom_user_tmp_file(gconf_tmp_t) + +type gconfd_t, gnomedomain; +type gconfd_exec_t; +typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; +typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +userdom_user_application_domain(gconfd_t, gconfd_exec_t) +role gconfd_roles types gconfd_t; + +type gnome_home_t; +typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; +typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; +typealias gnome_home_t alias unconfined_gnome_home_t; +userdom_user_home_content(gnome_home_t) + +type gkeyringd_exec_t; +application_executable_file(gkeyringd_exec_t) + +type gnome_keyring_home_t; +userdom_user_home_content(gnome_keyring_home_t) + +type gnome_keyring_tmp_t; +userdom_user_tmp_file(gnome_keyring_tmp_t) +userdom_user_runtime_content(gnome_keyring_tmp_t) + +type gnome_xdg_cache_t; +xdg_cache_content(gnome_xdg_cache_t) + +type gnome_xdg_config_t; +xdg_config_content(gnome_xdg_config_t) + +type gnome_xdg_data_t; +xdg_data_content(gnome_xdg_data_t) + +type gstreamer_orcexec_t; +application_executable_file(gstreamer_orcexec_t) +userdom_user_runtime_content(gstreamer_orcexec_t) + 
+############################## +# +# Common local Policy +# + +allow gnomedomain self:process { getsched signal }; +allow gnomedomain self:fifo_file rw_fifo_file_perms; + +dev_read_urand(gnomedomain) + +domain_use_interactive_fds(gnomedomain) + +files_read_etc_files(gnomedomain) + +miscfiles_read_localization(gnomedomain) + +logging_send_syslog_msg(gnomedomain) + +userdom_use_user_terminals(gnomedomain) + +optional_policy(` + xserver_rw_xsession_log(gnomedomain) + xserver_rw_xdm_pipes(gnomedomain) + xserver_use_xdm_fds(gnomedomain) +') + +############################## +# +# Conf daemon local Policy +# + +allow gconfd_t gconf_etc_t:dir list_dir_perms; +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) + +manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) +manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) +userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) + +manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) + +manage_dirs_pattern(gconfd_t, gnome_xdg_cache_t, gnome_xdg_cache_t) +manage_files_pattern(gconfd_t, gnome_xdg_cache_t, gnome_xdg_cache_t) +xdg_cache_filetrans(gconfd_t, gnome_xdg_cache_t, dir) + +manage_dirs_pattern(gconfd_t, gnome_xdg_config_t, gnome_xdg_config_t) +manage_files_pattern(gconfd_t, gnome_xdg_config_t, gnome_xdg_config_t) +xdg_config_filetrans(gconfd_t, gnome_xdg_config_t, dir) + +manage_dirs_pattern(gconfd_t, gnome_xdg_data_t, gnome_xdg_data_t) +manage_files_pattern(gconfd_t, gnome_xdg_data_t, gnome_xdg_data_t) +xdg_data_filetrans(gconfd_t, gnome_xdg_data_t, dir) + +# for /proc/filesystems +kernel_read_system_state(gconfd_t) + +# for /var/lib/gconf/defaults +files_read_var_lib_files(gconfd_t) + +userdom_manage_user_tmp_dirs(gconfd_t) +userdom_manage_user_tmp_sockets(gconfd_t) +userdom_tmp_filetrans_user_tmp(gconfd_t, { dir sock_file }) +userdom_user_runtime_filetrans_user_tmp(gconfd_t, 
dir) + +optional_policy(` + dbus_all_session_domain(gconfd_t, gconfd_exec_t) + + dbus_system_bus_client(gconfd_t) + + optional_policy(` + pulseaudio_dbus_chat(gconfd_t) + ') +') + +optional_policy(` + nscd_dontaudit_search_pid(gconfd_t) +') + +optional_policy(` + ooffice_stream_connect(gconfd_t) +') + +optional_policy(` + pulseaudio_stream_connect(gconfd_t) +') + +############################## +# +# Keyring-daemon local policy +# + +allow gkeyringd_domain self:capability ipc_lock; +allow gkeyringd_domain self:process { getcap setcap }; +allow gkeyringd_domain self:unix_stream_socket { connectto accept listen }; + +allow gkeyringd_domain gnome_home_t:dir create_dir_perms; +gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2") + +manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) +manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) +gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings") + +manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) +manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) +files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir) +userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir) + +manage_dirs_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t) +manage_files_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t) +manage_sock_files_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t) +xdg_cache_filetrans(gkeyringd_domain, gnome_xdg_cache_t, dir) + +manage_dirs_pattern(gkeyringd_domain, gnome_xdg_config_t, gnome_xdg_config_t) +manage_files_pattern(gkeyringd_domain, gnome_xdg_config_t, gnome_xdg_config_t) +xdg_config_filetrans(gkeyringd_domain, gnome_xdg_config_t, dir) + +manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t) +manage_files_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t) 
+xdg_data_filetrans(gkeyringd_domain, gnome_xdg_data_t, dir) + +kernel_read_crypto_sysctls(gkeyringd_domain) +kernel_read_kernel_sysctls(gkeyringd_domain) +kernel_read_system_state(gkeyringd_domain) + +dev_read_rand(gkeyringd_domain) +dev_read_sysfs(gkeyringd_domain) + +files_read_usr_files(gkeyringd_domain) + +fs_getattr_all_fs(gkeyringd_domain) + +selinux_getattr_fs(gkeyringd_domain) + +seutil_read_config(gkeyringd_domain) + +optional_policy(` + ssh_read_user_home_files(gkeyringd_domain) +') + +optional_policy(` + telepathy_mission_control_read_state(gkeyringd_domain) +') + +optional_policy(` + xserver_rw_xsession_log(gkeyringd_domain) +') + +ifdef(`distro_gentoo',` + typealias gnome_xdg_cache_t alias gnome_xdg_cache_home_t; + typealias gnome_xdg_config_t alias gnome_xdg_config_home_t; + typealias gnome_xdg_data_t alias gnome_xdg_data_home_t; +') diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc new file mode 100644 index 00000000..c9362398 --- /dev/null +++ b/policy/modules/apps/gpg.fc 
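Review bot: The keyring-daemon section grants `allow gkeyringd_domain self:capability ipc_lock;` and `allow gkeyringd_domain self:process { getcap setcap };` with no why-comment, while the gconfd section above explains its kernel_read_system_state and files_read_var_lib_files calls. A capability grant is the line a later reader is most likely to question, so a one-line rationale would help, for example `# ipc_lock: presumably for mlock() of secret memory so keyring material stays out of swap -- confirm`. The same applies to `kernel_read_crypto_sysctls(gkeyringd_domain)` a few lines later, which is unexplained here too.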
@@ -0,0 +1,16 @@
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+
+/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+/usr/bin/pinentry.* -- gen_context(system_u:object_r:gpg_pinentry_exec_t,s0)
+
+/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
+/run/user/%{USERID}/gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
new file mode 100644
index 00000000..78efb186
--- /dev/null
+++ b/policy/modules/apps/gpg.if
@@ -0,0 +1,336 @@ +## <summary>Policy for GNU Privacy Guard and related programs.</summary> + +############################################################ +## <summary> +## Role access for gpg. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. +## </summary> +## </param> +# +interface(`gpg_role',` + gen_require(` + attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles; + type gpg_t, gpg_exec_t, gpg_agent_t; + type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t; + type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t; + ') + + roleattribute $1 gpg_roles; + roleattribute $1 gpg_agent_roles; + roleattribute $1 gpg_helper_roles; + roleattribute $1 gpg_pinentry_roles; + + domtrans_pattern($2, gpg_exec_t, gpg_t) + domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) + + allow $2 self:process setrlimit; + allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms }; + ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }) + + allow gpg_pinentry_t $2:process signull; + allow gpg_helper_t $2:fd use; + allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write }; + + allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms }; + allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") + userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg") + + optional_policy(` + gpg_pinentry_dbus_chat($2) + ') +') + +######################################## +## <summary> +## Execute the gpg in the gpg domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gpg_domtrans',` + gen_require(` + type gpg_t, gpg_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gpg_exec_t, gpg_t) +') + +######################################## +## <summary> +## Execute the gpg in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_exec',` + gen_require(` + type gpg_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, gpg_exec_t) +') + +######################################## +## <summary> +## Execute gpg in a specified domain. +## </summary> +## <desc> +## <p> +## Execute gpg in a specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="source_domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## Domain to transition to. +## </summary> +## </param> +# +interface(`gpg_spec_domtrans',` + gen_require(` + type gpg_exec_t; + ') + + corecmd_search_bin($1) + domain_auto_transition_pattern($1, gpg_exec_t, $2) +') + +######################################## +## <summary> +## Execute the gpg-agent in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_exec_agent',` + gen_require(` + type gpg_agent_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, gpg_agent_exec_t) +') + +###################################### +## <summary> +## Make gpg executable files an +## entrypoint for the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which gpg_exec_t is an entrypoint. 
+## </summary> +## </param> +# +interface(`gpg_entry_type',` + gen_require(` + type gpg_exec_t; + ') + + domain_entry_file($1, gpg_exec_t) +') + +######################################## +## <summary> +## Send generic signals to gpg. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_signal',` + gen_require(` + type gpg_t; + ') + + allow $1 gpg_t:process signal; +') + +######################################## +## <summary> +## Read and write gpg agent pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_rw_agent_pipes',` + gen_require(` + type gpg_agent_t; + ') + + allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Connect to gpg agent socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_stream_connect_agent',` + gen_require(` + type gpg_agent_t, gpg_agent_tmp_t; + type gpg_secret_t, gpg_runtime_t; + ') + + stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + allow $1 { gpg_secret_t gpg_runtime_t }:dir search_dir_perms; + userdom_search_user_runtime($1) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Search gpg agent dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_search_agent_tmp_dirs',` + gen_require(` + type gpg_agent_tmp_t; + ') + + allow $1 gpg_agent_tmp_t:dir search_dir_perms; +') + +######################################## +## <summary> +## filetrans in gpg_agent_tmp_t dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gpg_agent_tmp_filetrans',` + gen_require(` + type gpg_agent_tmp_t; + ') + + filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4) + userdom_search_user_runtime($1) +') + +######################################## +## <summary> +## filetrans in gpg_runtime_t dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_runtime_filetrans',` + gen_require(` + type gpg_runtime_t; + ') + + filetrans_pattern($1, gpg_runtime_t, $2, $3, $4) + userdom_search_user_runtime($1) +') + +######################################## +## <summary> +## filetrans in gpg_secret_t dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_secret_filetrans',` + gen_require(` + type gpg_secret_t; + ') + + filetrans_pattern($1, gpg_secret_t, $2, $3, $4) + allow $1 gpg_secret_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Send messages to and from gpg +## pinentry over DBUS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_pinentry_dbus_chat',` + gen_require(` + type gpg_pinentry_t; + class dbus send_msg; + ') + + allow $1 gpg_pinentry_t:dbus send_msg; + allow gpg_pinentry_t $1:dbus send_msg; +') + +######################################## +## <summary> +## List gpg user secrets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_list_user_secrets',` + gen_require(` + type gpg_secret_t; + ') + + list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) + userdom_search_user_home_dirs($1) +') diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te new file mode 100644 index 00000000..e763b76b --- /dev/null +++ b/policy/modules/apps/gpg.te 
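Review bot: In `gpg_role`, `allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };` lets every process in the user domain ptrace gpg_agent_t and gpg_pinentry_t, so the memory of the domains this module separates from the user (where the agent holds key material and pinentry handles passphrases) is readable from the user domain again. If ptrace is only wanted for debugging, keep it out of the shared rule, `allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process signal_perms;`, and put ptrace in a separate, commented rule that a hardened build can drop; `irc_role` in irc.if grants the same ptrace over irc_t. Separately, `gpg_agent_tmp_filetrans`, `gpg_runtime_filetrans` and `gpg_secret_filetrans` take $2, $3 and $4 (private type, object class, name) but their headers document only `domain`; the gnome.if interfaces earlier in this commit show the `<param name="private_type">`, `<param name="object_class">` and `<param name="name" optional="true">` blocks to copy.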
@@ -0,0 +1,404 @@ +policy_module(gpg, 2.13.2) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Determine whether GPG agent can manage +## generic user home content files. This is +## required by the --write-env-file option. +## </p> +## </desc> +gen_tunable(gpg_agent_env_file, false) + +## <desc> +## <p> +## Determine whether GPG agent can use OpenPGP +## cards or Yubikeys over USB +## </p> +## </desc> +gen_tunable(gpg_agent_use_card, false) + +attribute_role gpg_roles; +roleattribute system_r gpg_roles; + +attribute_role gpg_agent_roles; + +attribute_role gpg_helper_roles; +roleattribute system_r gpg_helper_roles; + +attribute_role gpg_pinentry_roles; + +type gpg_t; +type gpg_exec_t; +userdom_user_application_domain(gpg_t, gpg_exec_t) +role gpg_roles types gpg_t; + +type gpg_runtime_t; +files_pid_file(gpg_runtime_t) +userdom_user_runtime_content(gpg_runtime_t) + +type gpg_agent_t; +type gpg_agent_exec_t; +userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t) +role gpg_agent_roles types gpg_agent_t; + +type gpg_agent_tmp_t; +userdom_user_tmp_file(gpg_agent_tmp_t) +userdom_user_runtime_content(gpg_agent_tmp_t) + +type gpg_secret_t; +userdom_user_home_content(gpg_secret_t) + +type gpg_helper_t; +type gpg_helper_exec_t; +userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t) +role gpg_helper_roles types gpg_helper_t; + +type gpg_pinentry_t; +type gpg_pinentry_exec_t; +typealias gpg_pinentry_exec_t alias pinentry_exec_t; # 20170105 +userdom_user_application_domain(gpg_pinentry_t, gpg_pinentry_exec_t) +role gpg_pinentry_roles types gpg_pinentry_t; + +type gpg_pinentry_tmp_t; +userdom_user_tmp_file(gpg_pinentry_tmp_t) + +type gpg_pinentry_tmpfs_t; +userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t) + +optional_policy(` + pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t) +') + +######################################## +# +# Local policy +# + +allow gpg_t self:capability { ipc_lock setuid }; +allow gpg_t self:process { 
signal signull setrlimit getcap setcap getsched setsched setpgid }; +dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms; +allow gpg_t self:fifo_file rw_fifo_file_perms; +allow gpg_t self:tcp_socket { accept listen }; + +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t) +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg") + +manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) + +manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) + +gpg_stream_connect_agent(gpg_t) + +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) +domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) + +kernel_read_crypto_sysctls(gpg_t) +kernel_read_sysctl(gpg_t) +# read /proc/cpuinfo +kernel_read_system_state(gpg_t) + +corecmd_exec_shell(gpg_t) +corecmd_exec_bin(gpg_t) + +corenet_all_recvfrom_unlabeled(gpg_t) +corenet_all_recvfrom_netlabel(gpg_t) +corenet_tcp_sendrecv_generic_if(gpg_t) +corenet_tcp_sendrecv_generic_node(gpg_t) + +corenet_sendrecv_all_client_packets(gpg_t) +corenet_tcp_connect_all_ports(gpg_t) +corenet_tcp_sendrecv_all_ports(gpg_t) + +dev_read_generic_usb_dev(gpg_t) +dev_read_rand(gpg_t) +dev_read_urand(gpg_t) + +files_read_usr_files(gpg_t) +files_dontaudit_search_var(gpg_t) + +fs_getattr_xattr_fs(gpg_t) +fs_list_inotifyfs(gpg_t) + +domain_use_interactive_fds(gpg_t) + +auth_use_nsswitch(gpg_t) + +logging_send_syslog_msg(gpg_t) + +miscfiles_read_localization(gpg_t) + +userdom_use_user_terminals(gpg_t) + +userdom_manage_user_tmp_dirs(gpg_t) +userdom_manage_user_tmp_files(gpg_t) + 
+userdom_user_content_access_template(gpg, gpg_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gpg_t) + fs_manage_nfs_files(gpg_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gpg_t) + fs_manage_cifs_files(gpg_t) +') + +optional_policy(` + dirmngr_domtrans(gpg_t) + dirmngr_stream_connect(gpg_t) +') + +optional_policy(` + evolution_read_orbit_tmp_files(gpg_t) +') + +optional_policy(` + gnome_read_generic_home_content(gpg_t) + gnome_stream_connect_all_gkeyringd(gpg_t) +') + +optional_policy(` + mozilla_dontaudit_rw_user_home_files(gpg_t) +') + +optional_policy(` + mta_read_spool_files(gpg_t) + mta_write_config(gpg_t) +') + +optional_policy(` + spamassassin_read_spamd_tmp_files(gpg_t) +') + +optional_policy(` + cron_system_entry(gpg_t, gpg_exec_t) + cron_read_system_job_tmp_files(gpg_t) +') + +optional_policy(` + xserver_use_xdm_fds(gpg_t) + xserver_rw_xdm_pipes(gpg_t) +') + +######################################## +# +# Helper local policy +# + +allow gpg_helper_t self:process { getsched setsched }; +allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; + +dontaudit gpg_helper_t gpg_secret_t:file read_file_perms; + +corenet_all_recvfrom_unlabeled(gpg_helper_t) +corenet_all_recvfrom_netlabel(gpg_helper_t) +corenet_tcp_sendrecv_generic_if(gpg_helper_t) +corenet_tcp_sendrecv_generic_node(gpg_helper_t) +corenet_tcp_sendrecv_all_ports(gpg_helper_t) + +corenet_sendrecv_all_client_packets(gpg_helper_t) +corenet_tcp_connect_all_ports(gpg_helper_t) + +auth_use_nsswitch(gpg_helper_t) + +userdom_use_user_terminals(gpg_helper_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(gpg_helper_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files(gpg_helper_t) +') + +######################################## +# +# Agent local policy +# + +allow gpg_agent_t self:process { setrlimit signal_perms }; +allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow 
gpg_agent_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t) +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg") + +manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) + +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file) +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file) + +domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t) + +kernel_dontaudit_search_sysctl(gpg_agent_t) +kernel_read_core_if(gpg_agent_t) +kernel_read_system_state(gpg_agent_t) + +auth_use_nsswitch(gpg_agent_t) + +corecmd_exec_bin(gpg_agent_t) +corecmd_exec_shell(gpg_agent_t) + +dev_read_rand(gpg_agent_t) +dev_read_urand(gpg_agent_t) + +domain_use_interactive_fds(gpg_agent_t) + +fs_dontaudit_list_inotifyfs(gpg_agent_t) + +miscfiles_read_localization(gpg_agent_t) + +userdom_use_user_terminals(gpg_agent_t) +userdom_search_user_home_dirs(gpg_agent_t) +userdom_search_user_runtime(gpg_agent_t) +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file }) + +ifdef(`hide_broken_symptoms',` + userdom_dontaudit_read_user_tmp_files(gpg_agent_t) +') + +tunable_policy(`gpg_agent_env_file',` + userdom_manage_user_home_content_dirs(gpg_agent_t) + userdom_manage_user_home_content_files(gpg_agent_t) + userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) +') + +tunable_policy(`gpg_agent_use_card',` + dev_read_sysfs(gpg_agent_t) + 
dev_rw_generic_usb_dev(gpg_agent_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gpg_agent_t) + fs_manage_nfs_files(gpg_agent_t) + fs_manage_nfs_symlinks(gpg_agent_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gpg_agent_t) + fs_manage_cifs_files(gpg_agent_t) + fs_manage_cifs_symlinks(gpg_agent_t) +') + +optional_policy(` + dbus_system_bus_client(gpg_agent_t) +') + +optional_policy(` + mozilla_dontaudit_rw_user_home_files(gpg_agent_t) +') + +optional_policy(` + pcscd_stream_connect(gpg_agent_t) +') + +optional_policy(` + xserver_sigchld_xdm(gpg_agent_t) + xserver_read_user_xauth(gpg_agent_t) +') + +############################## +# +# Pinentry local policy +# + +allow gpg_pinentry_t self:process { getcap getsched setsched signal }; +allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; +allow gpg_pinentry_t self:shm create_shm_perms; +allow gpg_pinentry_t self:tcp_socket { accept listen }; + +manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) +userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) + +manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) + +can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) + +kernel_dontaudit_search_sysctl(gpg_pinentry_t) +kernel_read_system_state(gpg_pinentry_t) + +corecmd_exec_shell(gpg_pinentry_t) +corecmd_exec_bin(gpg_pinentry_t) + +corenet_all_recvfrom_netlabel(gpg_pinentry_t) +corenet_all_recvfrom_unlabeled(gpg_pinentry_t) +corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) +corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) + +dev_read_urand(gpg_pinentry_t) +dev_read_rand(gpg_pinentry_t) + +domain_use_interactive_fds(gpg_pinentry_t) + +files_map_usr_files(gpg_pinentry_t) +files_read_usr_files(gpg_pinentry_t) + +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) 
+fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+
+auth_use_nsswitch(gpg_pinentry_t)
+
+logging_send_syslog_msg(gpg_pinentry_t)
+
+miscfiles_read_fonts(gpg_pinentry_t)
+miscfiles_read_localization(gpg_pinentry_t)
+
+userdom_use_user_terminals(gpg_pinentry_t)
+
+xdg_read_data_files(gpg_pinentry_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(gpg_pinentry_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
+
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+ ')
+')
+
+optional_policy(`
+ pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+')
+
+ifdef(`distro_gentoo',`
+ optional_policy(`
+ mutt_read_home_files(gpg_t)
+ mutt_read_tmp_files(gpg_t)
+ mutt_rw_tmp_files(gpg_t)
+ ')
+')
diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
new file mode 100644
index 00000000..48e7739f
--- /dev/null
+++ b/policy/modules/apps/irc.fc
@@ -0,0 +1,10 @@
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
+
+/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
+
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
new file mode 100644
index 00000000..ac00fb0f
--- /dev/null
+++ b/policy/modules/apps/irc.if
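Review bot: `dev_read_generic_usb_dev(gpg_t)` in the gpg_t local policy is unconditional, while the agent's equivalent access (`dev_read_sysfs` and `dev_rw_generic_usb_dev`) is gated behind the `gpg_agent_use_card` tunable, so a system that leaves that tunable off still lets gpg_t read every generic USB device node. If the access exists for smartcard use, put it under the same tunable: `tunable_policy(`gpg_agent_use_card',` / `dev_read_generic_usb_dev(gpg_t)` / `')`; if gpg_t needs it for another reason, a comment naming that reason would stop the next reader from making this change. The `<desc>` text of `gpg_agent_use_card` also lacks the closing period the other tunable's description has.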
@@ -0,0 +1,48 @@
+## <summary>IRC client policy.</summary>
+
+########################################
+## <summary>
+## Role access for IRC.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`irc_role',`
+ gen_require(`
+ attribute_role irc_roles;
+ type irc_t, irc_exec_t, irc_home_t;
+ type irc_tmp_t, irc_log_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 irc_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, irc_exec_t, irc_t)
+
+ ps_process_pattern($2, irc_t)
+ allow $2 irc_t:process { ptrace signal_perms };
+
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
+ userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
+ userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
+')
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
new file mode 100644
index 00000000..99ddaecb
--- /dev/null
+++ b/policy/modules/apps/irc.te
@@ -0,0 +1,144 @@
+policy_module(irc, 2.5.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether irc clients can
+## listen on and connect to any
+## unreserved TCP ports.
+## </p>
+## </desc>
+gen_tunable(irc_use_any_tcp_ports, false)
+
+attribute_role irc_roles;
+
+type irc_t;
+type irc_exec_t;
+typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
+typealias irc_t alias { auditadm_irc_t secadm_irc_t };
+userdom_user_application_domain(irc_t, irc_exec_t)
+role irc_roles types irc_t;
+
+type irc_conf_t;
+files_config_file(irc_conf_t)
+
+type irc_home_t;
+typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
+typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
+userdom_user_home_content(irc_home_t)
+
+type irc_log_home_t;
+userdom_user_home_content(irc_log_home_t)
+
+type irc_tmp_t;
+typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
+typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
+userdom_user_tmp_file(irc_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow irc_t self:process { signal sigkill };
+allow irc_t self:fifo_file rw_fifo_file_perms;
+allow irc_t self:unix_stream_socket { accept listen };
+
+allow irc_t irc_conf_t:file read_file_perms;
+
+can_exec(irc_t, irc_exec_t)
+corecmd_search_bin(irc_t)
+
+manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
+manage_files_pattern(irc_t, irc_home_t, irc_home_t)
+manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
+userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi")
+userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd")
+
+manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t)
+create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
+append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
+userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs")
+
+manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+
+kernel_read_system_state(irc_t)
+
+corenet_all_recvfrom_unlabeled(irc_t)
+corenet_all_recvfrom_netlabel(irc_t)
+corenet_tcp_sendrecv_generic_if(irc_t)
+corenet_tcp_sendrecv_generic_node(irc_t)
+corenet_tcp_sendrecv_all_ports(irc_t)
+
+corenet_sendrecv_gatekeeper_client_packets(irc_t)
+corenet_tcp_sendrecv_gatekeeper_port(irc_t)
+corenet_tcp_connect_gatekeeper_port(irc_t)
+
+corenet_sendrecv_http_cache_client_packets(irc_t)
+corenet_tcp_connect_http_cache_port(irc_t)
+corenet_tcp_sendrecv_http_cache_port(irc_t)
+
+corenet_sendrecv_ircd_client_packets(irc_t)
+corenet_tcp_connect_ircd_port(irc_t)
+corenet_tcp_sendrecv_ircd_port(irc_t)
+
+dev_read_urand(irc_t)
+dev_read_rand(irc_t)
+
+domain_use_interactive_fds(irc_t)
+
+files_read_usr_files(irc_t)
+
+fs_getattr_all_fs(irc_t)
+fs_search_auto_mountpoints(irc_t)
+
+term_use_controlling_term(irc_t)
+term_list_ptys(irc_t)
+
+auth_use_nsswitch(irc_t)
+
+init_read_utmp(irc_t)
+init_dontaudit_lock_utmp(irc_t)
+
+miscfiles_read_generic_certs(irc_t)
+miscfiles_read_localization(irc_t)
+
+userdom_use_user_terminals(irc_t)
+
+userdom_user_content_access_template(irc, irc_t)
+
+xdg_manage_downloads(irc_t)
+
+tunable_policy(`irc_use_any_tcp_ports',`
+ allow irc_t self:tcp_socket { accept listen };
+ corenet_sendrecv_all_server_packets(irc_t)
+ corenet_tcp_bind_all_unreserved_ports(irc_t)
+ corenet_sendrecv_all_client_packets(irc_t)
+ corenet_tcp_connect_all_unreserved_ports(irc_t)
+ corenet_tcp_sendrecv_all_ports(irc_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(irc_t)
+ fs_manage_nfs_files(irc_t)
+ fs_manage_nfs_symlinks(irc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(irc_t)
+ fs_manage_cifs_files(irc_t)
+ fs_manage_cifs_symlinks(irc_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(irc_t)
+')
diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
new file mode 100644
index 00000000..d2984281
--- /dev/null
+++ b/policy/modules/apps/java.fc
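Review bot: `corenet_tcp_sendrecv_all_ports(irc_t)` is granted unconditionally in the generic networking block, so the per-port `corenet_tcp_sendrecv_{gatekeeper,http_cache,ircd}_port` lines that follow it, and the repeat of the same call inside the `irc_use_any_tcp_ports` tunable, add nothing for sendrecv. If the intent is for the per-port grants plus the tunable to govern which ports irc_t may talk on, drop the unconditional line; if all-ports sendrecv is deliberately always on, a why-comment above it would spare the next reader the same question. Connect and bind stay port-scoped either way, since those are only granted per port and inside the tunable.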
@@ -0,0 +1,38 @@
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
+
+/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/(.*/)?bin/java[^-]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib/bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[0-9]+/bin/.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[0-9]+/jre/bin/.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise
+/usr/share/maven-bin-[^/]*/bin/m2.conf -- gen_context(system_u:object_r:usr_t,s0)
+')
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
new file mode 100644
index 00000000..c981fc41
--- /dev/null
+++ b/policy/modules/apps/java.if
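Review bot: `/usr/(.*/)?bin/java[^-]*` uses `[^-]*` for the trailing match while the parallel `/opt/(.*/)?bin/java[^/]*` line uses `[^/]*`; `[^-]*` also matches `/`, so it can label a regular file below a `.../bin/java*/` directory, and it skips any hyphenated `java-*` binary in those directories. If excluding hyphenated names is deliberate (for instance to keep a `java-*` wrapper script out of java_exec_t), a comment on the line saying so would help; otherwise `[^/]*` is the consistent form. Which files carry java_exec_t decides which binaries get the java domain transition, so a mislabel here is silent and security-relevant.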
@@ -0,0 +1,383 @@
+## <summary>Java virtual machine</summary>
+
+########################################
+## <summary>
+## Role access for java.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`java_role',`
+ gen_require(`
+ attribute_role java_roles;
+ type java_t, java_exec_t, java_tmp_t;
+ type java_tmpfs_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 java_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, java_exec_t, java_t)
+
+ allow $2 java_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
+ ps_process_pattern($2, java_t)
+
+ allow $2 java_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { java_tmp_t java_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ allow java_t $2:process signull;
+ allow java_t $2:unix_stream_socket connectto;
+ allow java_t $2:unix_stream_socket { read write };
+ allow java_t $2:tcp_socket { read write };
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type java_home_t;
+ ')
+
+ manage_files_pattern($2, java_home_t, java_home_t)
+ manage_dirs_pattern($2, java_home_t, java_home_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The role template for the java module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`java_role_template',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_java_t, java_domain;
+ userdom_user_application_domain($1_java_t, java_exec_t)
+
+ role $2 types $1_java_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($3, java_exec_t, $1_java_t)
+
+ allow $3 $1_java_t:process { ptrace noatsecure siginh rlimitinh signal_perms };
+ ps_process_pattern($3, $1_java_t)
+
+ allow $3 { java_home_t java_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { java_tmp_t java_tmpfs_t java_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $3 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $3 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_user_home_dir_filetrans($3, java_home_t, dir, ".java")
+
+ allow $1_java_t $3:process signull;
+ allow $1_java_t $3:unix_stream_socket connectto;
+ allow $1_java_t $3:unix_stream_socket { read write };
+ allow $1_java_t $3:tcp_socket { read write };
+
+ corecmd_bin_domtrans($1_java_t, $3)
+
+ auth_use_nsswitch($1_java_t)
+
+ optional_policy(`
+ xserver_role($2, $1_java_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`java_domtrans',`
+ gen_require(`
+ type java_t, java_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, java_exec_t, java_t)
+
+ ifdef(`distro_gentoo',`
+ # /usr/bin/java is a symlink
+ files_read_usr_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute java in the java domain, and
+## allow the specified role the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`java_run',`
+ gen_require(`
+ attribute_role java_roles;
+ ')
+
+ java_domtrans($1)
+ roleattribute $2 java_roles;
+')
+
+########################################
+## <summary>
+## Execute the java program in the
+## unconfined java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`java_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_java_t, java_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, java_exec_t, unconfined_java_t)
+')
+
+########################################
+## <summary>
+## Execute the java program in the
+## unconfined java domain and allow the
+## specified role the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`java_run_unconfined',`
+ gen_require(`
+ attribute_role unconfined_java_roles;
+ ')
+
+ java_domtrans_unconfined($1)
+ roleattribute $2 unconfined_java_roles;
+')
+
+########################################
+## <summary>
+## Execute the java program in
+## the callers domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_exec',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, java_exec_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic java home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_manage_generic_home_content',`
+ gen_require(`
+ type java_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 java_home_t:dir manage_dir_perms;
+ allow $1 java_home_t:file manage_file_perms;
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## temporary java content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_manage_java_tmp',`
+ gen_require(`
+ type java_tmp_t;
+ ')
+
+ allow $1 java_tmp_t:dir manage_dir_perms;
+ allow $1 java_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the generic java
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`java_home_filetrans_java_home',`
+ gen_require(`
+ type java_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, java_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Run java in javaplugin domain and
+## do not clean the environment (atsecure)
+## </summary>
+## <desc>
+## <p>
+## This is needed when java is called by an application with library
+## settings (such as is the case when invoked as a browser plugin)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`java_noatsecure_domtrans',`
+ gen_require(`
+ type java_t;
+ ')
+
+ allow $1 java_t:process noatsecure;
+
+ java_domtrans($1)
+')
+
+# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
new file mode 100644
index 00000000..c9b2487e
--- /dev/null
+++ b/policy/modules/apps/java.te
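Review bot: `java_role` (and likewise `java_role_template`) grants the user domain `noatsecure siginh rlimitinh` on the java domain unconditionally, although this same file provides a dedicated `java_noatsecure_domtrans` for the one case its own description says needs the environment left uncleaned (the browser-plugin case). Granting it from the role interface means every role-based java user bypasses that opt-in, so either drop `noatsecure siginh rlimitinh` from the `allow $2 java_t:process { ... }` line and point callers at `java_noatsecure_domtrans`, or document in the interface summary why role users need an unsanitized environment and inherited signal state and rlimits. Separately, `java_domtrans` and `java_noatsecure_domtrans` are declared with `template(` but declare no types; by the file's own convention (compare `java_run`, `java_exec`) they should be `interface(`.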
@@ -0,0 +1,202 @@
+policy_module(java, 2.11.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether java can make
+## its stack executable.
+## </p>
+## </desc>
+gen_tunable(allow_java_execstack, false)
+
+attribute java_domain;
+
+attribute_role java_roles;
+roleattribute system_r java_roles;
+
+attribute_role unconfined_java_roles;
+
+type java_t, java_domain;
+type java_exec_t;
+userdom_user_application_domain(java_t, java_exec_t)
+typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
+typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
+role java_roles types java_t;
+
+optional_policy(`
+ wm_application_domain(java_t, java_exec_t)
+')
+
+type java_home_t;
+userdom_user_home_content(java_home_t)
+
+type java_tmp_t;
+userdom_user_tmp_file(java_tmp_t)
+typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
+typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
+
+type java_tmpfs_t;
+userdom_user_tmpfs_file(java_tmpfs_t)
+typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
+typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
+
+type unconfined_java_t;
+init_system_domain(unconfined_java_t, java_exec_t)
+role unconfined_java_roles types unconfined_java_t;
+
+########################################
+#
+# Common local policy
+#
+
+allow java_domain self:process { signal_perms getsched setsched };
+allow java_domain self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(java_domain, java_home_t, java_home_t)
+manage_files_pattern(java_domain, java_home_t, java_home_t)
+userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".java")
+
+manage_dirs_pattern(java_domain, java_tmp_t, java_tmp_t)
+manage_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+files_tmp_filetrans(java_domain, java_tmp_t, { file dir })
+
+manage_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t)
+manage_lnk_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t)
+manage_fifo_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t)
+manage_sock_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t)
+fs_tmpfs_filetrans(java_domain, java_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(java_domain, { java_exec_t java_tmp_t })
+
+kernel_read_all_sysctls(java_domain)
+kernel_search_vm_sysctl(java_domain)
+kernel_read_network_state(java_domain)
+kernel_read_system_state(java_domain)
+
+corecmd_search_bin(java_domain)
+
+corenet_all_recvfrom_unlabeled(java_domain)
+corenet_all_recvfrom_netlabel(java_domain)
+corenet_tcp_sendrecv_generic_if(java_domain)
+corenet_tcp_sendrecv_generic_node(java_domain)
+
+corenet_sendrecv_all_client_packets(java_domain)
+corenet_tcp_connect_all_ports(java_domain)
+corenet_tcp_sendrecv_all_ports(java_domain)
+
+dev_read_sound(java_domain)
+dev_write_sound(java_domain)
+dev_read_urand(java_domain)
+dev_read_rand(java_domain)
+dev_dontaudit_append_rand(java_domain)
+
+files_read_usr_files(java_domain)
+files_read_etc_files(java_domain)
+files_read_etc_runtime_files(java_domain)
+
+fs_getattr_all_fs(java_domain)
+fs_dontaudit_rw_tmpfs_files(java_domain)
+
+logging_send_syslog_msg(java_domain)
+
+miscfiles_read_generic_certs(java_domain)
+miscfiles_read_localization(java_domain)
+miscfiles_read_fonts(java_domain)
+
+userdom_dontaudit_use_user_terminals(java_domain)
+userdom_dontaudit_exec_user_home_content_files(java_domain)
+
+userdom_user_content_access_template(java, java_domain)
+userdom_write_user_tmp_sockets(java_domain)
+
+tunable_policy(`java_manage_generic_user_content',`
+ userdom_manage_user_home_content_pipes(java_domain)
+ userdom_manage_user_home_content_sockets(java_domain)
+ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
+')
+
+ifdef(`distro_gentoo',`
+ # For java browser plugin accessing internet resources
+ allow java_domain self:netlink_route_socket create_netlink_socket_perms;
+ allow java_domain self:sem create_sem_perms;
+
+ manage_dirs_pattern(java_domain, java_home_t, java_home_t)
+ manage_files_pattern(java_domain, java_home_t, java_home_t)
+ userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
+')
+
+tunable_policy(`allow_java_execstack',`
+ allow java_domain self:process { execmem execstack };
+
+ libs_legacy_use_shared_libs(java_domain)
+ libs_legacy_use_ld_so(java_domain)
+
+ miscfiles_legacy_read_localization(java_domain)
+')
+
+########################################
+#
+# Local policy
+#
+
+auth_use_nsswitch(java_t)
+
+ifdef(`distro_gentoo',`
+ userdom_use_user_terminals(java_t)
+
+ optional_policy(`
+ # Plugin communication
+ chromium_rw_tmp_pipes(java_t)
+ ')
+
+ optional_policy(`
+ # Plugin communication
+ mozilla_rw_tmp_pipes(java_t)
+ ')
+
+ ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(java_t, java_tmpfs_t)
+ ')
+ ')
+')
+
+corecmd_search_bin(java_t)
+
+dev_read_sysfs(java_t)
+
+locallogin_use_fds(java_t)
+
+userdom_read_user_tmp_files(java_t)
+userdom_use_user_terminals(java_t)
+
+optional_policy(`
+ xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
+')
+
+########################################
+#
+# Unconfined local policy
+#
+
+optional_policy(`
+ allow unconfined_java_t self:process { execstack execmem execheap };
+
+ files_execmod_all_files(unconfined_java_t)
+
+ init_dbus_chat_script(unconfined_java_t)
+
+ unconfined_domain_noaudit(unconfined_java_t)
+ unconfined_dbus_chat(unconfined_java_t)
+
+ optional_policy(`
+ rpm_domtrans(unconfined_java_t)
+ ')
+')
diff --git a/policy/modules/apps/libmtp.fc b/policy/modules/apps/libmtp.fc
new file mode 100644
index 00000000..f8b91c24
--- /dev/null
+++ b/policy/modules/apps/libmtp.fc
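Review bot: `can_exec(java_domain, { java_exec_t java_tmp_t })`, taken together with `manage_files_pattern(java_domain, java_tmp_t, java_tmp_t)` and `files_tmp_filetrans(java_domain, java_tmp_t, { file dir })` a few lines above, lets a confined java process write a file into /tmp and then execute it — write-plus-execute on a single type, which gives up most of the benefit of keeping java_exec_t separate. If the JVM genuinely needs this (for something it unpacks under /tmp, say), gate the `java_tmp_t` half behind a tunable or at least put a why-comment on the `can_exec` line; otherwise reduce it to `can_exec(java_domain, java_exec_t)`. Minor: the `distro_gentoo` block re-issues `manage_dirs_pattern`/`manage_files_pattern` on java_home_t that the common policy already grants at the top of the block.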
@@ -0,0 +1,3 @@
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+
+/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)
diff --git a/policy/modules/apps/libmtp.if b/policy/modules/apps/libmtp.if
new file mode 100644
index 00000000..c010842d
--- /dev/null
+++ b/policy/modules/apps/libmtp.if
@@ -0,0 +1,30 @@
+## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
+
+###########################################################
+## <summary>
+## Role access for libmtp.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`libmtp_role',`
+ gen_require(`
+ attribute_role libmtp_roles;
+ type libmtp_t, libmtp_exec_t;
+ ')
+
+ roleattribute $1 libmtp_roles;
+
+ domtrans_pattern($2, libmtp_exec_t, libmtp_t)
+
+ allow $2 libmtp_t:process { ptrace signal_perms };
+ ps_process_pattern($2, libmtp_t)
+')
diff --git a/policy/modules/apps/libmtp.te b/policy/modules/apps/libmtp.te
new file mode 100644
index 00000000..7eb27c40
--- /dev/null
+++ b/policy/modules/apps/libmtp.te
@@ -0,0 +1,60 @@
+policy_module(libmtp, 1.1.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether libmtp can read
+## and manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(libmtp_enable_home_dirs, false)
+
+attribute_role libmtp_roles;
+
+type libmtp_t;
+type libmtp_exec_t;
+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
+role libmtp_roles types libmtp_t;
+
+type libmtp_home_t;
+userdom_user_home_content(libmtp_home_t)
+
+##############################
+#
+# libmtp local policy
+#
+
+allow libmtp_t self:capability sys_tty_config;
+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow libmtp_t self:fifo_file rw_fifo_file_perms;
+
+allow libmtp_t libmtp_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
+
+dev_read_sysfs(libmtp_t)
+dev_rw_generic_usb_dev(libmtp_t)
+
+domain_use_interactive_fds(libmtp_t)
+
+files_read_etc_files(libmtp_t)
+
+term_use_unallocated_ttys(libmtp_t)
+
+miscfiles_read_localization(libmtp_t)
+
+userdom_use_inherited_user_terminals(libmtp_t)
+
+optional_policy(`
+ udev_read_pid_files(libmtp_t)
+')
+
+tunable_policy(`libmtp_enable_home_dirs',`
+ userdom_manage_user_home_content_files(libmtp_t)
+ userdom_read_user_home_content_symlinks(libmtp_t)
+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
+')
diff --git a/policy/modules/apps/lightsquid.fc b/policy/modules/apps/lightsquid.fc
new file mode 100644
index 00000000..044390c6
--- /dev/null
+++ b/policy/modules/apps/lightsquid.fc
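Review bot: The `libmtp_enable_home_dirs` description promises that libmtp can "read and manage the user home directories and files", but the `tunable_policy` block only grants `userdom_manage_user_home_content_files`, `userdom_read_user_home_content_symlinks` and a file filetrans — no directory-management interface is in it. Either tighten the `<desc>` to say files plus symlink read, or add the directory interface if managing directories is the intent; an overstated tunable description makes admins think they are enabling more than the policy actually grants, and vice versa when they audit it. Minor: `userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )` has a stray space before the closing paren.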
@@ -0,0 +1,11 @@
+/etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0)
+
+/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
+/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
+
+/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
+
+/var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
+
+/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
+/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
diff --git a/policy/modules/apps/lightsquid.if b/policy/modules/apps/lightsquid.if
new file mode 100644
index 00000000..33a28b9a
--- /dev/null
+++ b/policy/modules/apps/lightsquid.if
@@ -0,0 +1,80 @@
+## <summary>Log analyzer for squid proxy.</summary>
+
+########################################
+## <summary>
+## Execute the lightsquid program in
+## the lightsquid domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lightsquid_domtrans',`
+ gen_require(`
+ type lightsquid_t, lightsquid_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lightsquid_exec_t, lightsquid_t)
+')
+
+########################################
+## <summary>
+## Execute lightsquid in the
+## lightsquid domain, and allow the
+## specified role the lightsquid domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`lightsquid_run',`
+ gen_require(`
+ attribute_role lightsquid_roles;
+ ')
+
+ lightsquid_domtrans($1)
+ roleattribute $2 lightsquid_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an lightsquid environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lightsquid_admin',`
+ gen_require(`
+ type lightsquid_t, lightsquid_rw_content_t;
+ ')
+
+ allow $1 lightsquid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lightsquid_t)
+
+ lightsquid_run($1, $2)
+
+ files_search_var_lib($1)
+ admin_pattern($1, lightsquid_rw_content_t)
+
+ apache_list_sys_content($1)
+')
diff --git a/policy/modules/apps/lightsquid.te b/policy/modules/apps/lightsquid.te
new file mode 100644
index 00000000..09c4f27b
--- /dev/null
+++ b/policy/modules/apps/lightsquid.te
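Review bot: `lightsquid_admin` calls `files_search_var_lib($1)` ahead of `admin_pattern($1, lightsquid_rw_content_t)`, but the .fc in this same commit places lightsquid_rw_content_t under `/var/lightsquid` and `/var/www/html/lightsquid/report`, not under `/var/lib`, so that search grant does not lead to the content being administered. `files_search_var($1)` matches where the content actually lives; if admin domains already reach /var through other rules this is only dead policy, but it misleads the next reader about the layout. `apache_list_sys_content($1)` presumably covers the /var/www side, though the report directory there is labeled by this module rather than as generic httpd content, so that too is worth a second look.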
@@ -0,0 +1,52 @@
+policy_module(lightsquid, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role lightsquid_roles;
+roleattribute system_r lightsquid_roles;
+
+type lightsquid_t;
+type lightsquid_exec_t;
+application_domain(lightsquid_t, lightsquid_exec_t)
+role lightsquid_roles types lightsquid_t;
+
+type lightsquid_rw_content_t;
+files_type(lightsquid_rw_content_t)
+
+########################################
+#
+# Local policy
+#
+
+manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir)
+
+corecmd_exec_bin(lightsquid_t)
+corecmd_exec_shell(lightsquid_t)
+
+dev_read_urand(lightsquid_t)
+
+files_read_etc_files(lightsquid_t)
+files_read_usr_files(lightsquid_t)
+
+miscfiles_read_localization(lightsquid_t)
+
+squid_read_config(lightsquid_t)
+squid_read_log(lightsquid_t)
+
+optional_policy(`
+ apache_content_template(lightsquid)
+
+ list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+ read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+ read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+')
+
+optional_policy(`
+ cron_system_entry(lightsquid_t, lightsquid_exec_t)
+')
diff --git a/policy/modules/apps/livecd.fc b/policy/modules/apps/livecd.fc
new file mode 100644
index 00000000..34937fcf
--- /dev/null
+++ b/policy/modules/apps/livecd.fc
@@ -0,0 +1 @@
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
new file mode 100644
index 00000000..e3541811
--- /dev/null
+++ b/policy/modules/apps/livecd.if
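Review bot: `squid_read_config(lightsquid_t)` and `squid_read_log(lightsquid_t)` are the only cross-module calls in this file not wrapped in `optional_policy`, so the module will fail to link on a host where the squid module is not loaded, while the apache and cron dependencies right below are optional. Wrapping those two calls in an `optional_policy` block like the apache and cron ones keeps the module loadable on a host that only analyzes logs shipped in from elsewhere. Also, `corecmd_exec_bin`/`corecmd_exec_shell` on a report generator are broad grants with no why-comment; a one-liner naming what it spawns would justify them, or show they can be narrowed.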
@@ -0,0 +1,102 @@
+## <summary>Tool for building alternate livecd for different os and policy versions.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run livecd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`livecd_domtrans',`
+ gen_require(`
+ type livecd_t, livecd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, livecd_exec_t, livecd_t)
+')
+
+########################################
+## <summary>
+## Execute livecd in the livecd
+## domain, and allow the specified
+## role the livecd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_run',`
+ gen_require(`
+ attribute_role livecd_roles;
+ ')
+
+ livecd_domtrans($1)
+ roleattribute $2 livecd_roles;
+')
+
+########################################
+## <summary>
+## Read livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_read_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write livecd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_semaphores',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ allow $1 livecd_t:sem rw_sem_perms;
+')
diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
new file mode 100644
index 00000000..2f974bf8
--- /dev/null
+++ b/policy/modules/apps/livecd.te
@@ -0,0 +1,48 @@
+policy_module(livecd, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role livecd_roles;
+roleattribute system_r livecd_roles;
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role livecd_roles types livecd_t;
+
+type livecd_tmp_t;
+files_tmp_file(livecd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit livecd_t self:capability2 mac_admin;
+
+domain_ptrace_all_domains(livecd_t)
+
+manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
+
+sysnet_manage_config(livecd_t)
+sysnet_etc_filetrans_config(livecd_t)
+
+optional_policy(`
+ hal_dbus_chat(livecd_t)
+')
+optional_policy(`
+ mount_run(livecd_t, livecd_roles)
+')
+
+optional_policy(`
+ rpm_domtrans(livecd_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(livecd_t)
+')
diff --git a/policy/modules/apps/loadkeys.fc b/policy/modules/apps/loadkeys.fc
new file mode 100644
index 00000000..38f91fed
--- /dev/null
+++ b/policy/modules/apps/loadkeys.fc
@@ -0,0 +1,2 @@
+/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
+/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
new file mode 100644
index 00000000..101c925d
--- /dev/null
+++ b/policy/modules/apps/loadkeys.if
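Review bot: In livecd.te, `domain_ptrace_all_domains(livecd_t)` is granted unconditionally, outside the `optional_policy` that makes livecd_t unconfined, so even on a build without the unconfined module this domain can ptrace every other domain on the system — far more than tracing its own children, and it should either be narrowed or carry a why-comment such as `# NOTE(review): livecd-creator appears to attach to processes in its build chroot — confirm and narrow if possible`. The same question applies to `sysnet_manage_config(livecd_t)`/`sysnet_etc_filetrans_config(livecd_t)`, which let an image-building tool rewrite the host's own network configuration in /etc; if it only needs to populate the chroot's copy, a comment saying so would help the next reviewer. The `dontaudit ... mac_admin` line is fine as written, but it is another hint that this domain does privileged things the module summary does not mention.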
@@ -0,0 +1,67 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+## Execute the loadkeys program in
+## the loadkeys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`loadkeys_domtrans',`
+ gen_require(`
+ type loadkeys_t, loadkeys_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
+')
+
+########################################
+## <summary>
+## Execute the loadkeys program in
+## the loadkeys domain, and allow the
+## specified role the loadkeys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`loadkeys_run',`
+ gen_require(`
+ attribute_role loadkeys_roles;
+ ')
+
+ loadkeys_domtrans($1)
+ roleattribute $2 loadkeys_roles;
+')
+
+########################################
+## <summary>
+## Execute the loadkeys in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`loadkeys_exec',`
+ gen_require(`
+ type loadkeys_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, loadkeys_exec_t)
+')
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
new file mode 100644
index 00000000..1976e2cb
--- /dev/null
+++ b/policy/modules/apps/loadkeys.te
@@ -0,0 +1,57 @@
+policy_module(loadkeys, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role loadkeys_roles;
+
+type loadkeys_t;
+type loadkeys_exec_t;
+init_system_domain(loadkeys_t, loadkeys_exec_t)
+role loadkeys_roles types loadkeys_t;
+
+########################################
+#
+# Local policy
+#
+
+allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
+allow loadkeys_t self:fifo_file rw_fifo_file_perms;
+allow loadkeys_t self:unix_stream_socket { connect create };
+
+kernel_read_system_state(loadkeys_t)
+
+init_use_fds(loadkeys_t)
+
+corecmd_exec_bin(loadkeys_t)
+corecmd_exec_shell(loadkeys_t)
+
+files_read_etc_files(loadkeys_t)
+files_read_etc_runtime_files(loadkeys_t)
+# keymap files are in /usr/share/keymaps or /usr/share/kbd/keymaps
+files_read_usr_files(loadkeys_t)
+files_search_pids(loadkeys_t)
+files_search_src(loadkeys_t)
+files_search_tmp(loadkeys_t)
+
+term_dontaudit_use_console(loadkeys_t)
+term_use_unallocated_ttys(loadkeys_t)
+
+init_read_script_tmp_files(loadkeys_t)
+
+locallogin_use_fds(loadkeys_t)
+
+miscfiles_read_localization(loadkeys_t)
+
+userdom_use_user_ttys(loadkeys_t)
+userdom_list_user_home_content(loadkeys_t)
+
+optional_policy(`
+ keyboardd_read_pipes(loadkeys_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+')
diff --git a/policy/modules/apps/lockdev.fc b/policy/modules/apps/lockdev.fc
new file mode 100644
index 00000000..65ed30df
--- /dev/null
+++ b/policy/modules/apps/lockdev.fc
@@ -0,0 +1,5 @@
+/usr/bin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
+
+/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
+
+/var/lock/lockdev(/.*)? gen_context(system_u:object_r:lockdev_lock_t,s0)
diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if
new file mode 100644
index 00000000..4313b8bc
--- /dev/null
+++ b/policy/modules/apps/lockdev.if
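Review bot: The capability grant `allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };` carries no justification, while mandb.te in this same series documents each capability it requests line by line; `dac_override` and `setuid` in a domain that also receives `corecmd_exec_shell` and `corecmd_exec_bin` deserve a stated reason so a later reviewer can tell whether they are still needed. Suggest a comment block above the rule in the mandb.te style, e.g. `# sys_tty_config : ioctl on the tty to install the keymap` and `# dac_override, dac_read_search, setuid : TODO confirm which keymap/tty access still needs these`. The `userdom_list_user_home_content(loadkeys_t)` line further down would also benefit from a note on why a keymap loader lists user home directories.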
@@ -0,0 +1,42 @@
+## <summary>Library for locking devices.</summary>
+
+########################################
+## <summary>
+## Role access for lockdev.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`lockdev_role',`
+ gen_require(`
+ attribute_role lockdev_roles;
+ type lockdev_t, lockdev_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 lockdev_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, lockdev_exec_t, lockdev_t)
+
+ allow $2 lockdev_t:process { ptrace signal_perms };
+ ps_process_pattern($2, lockdev_t)
+
+ allow lockdev_t $2:process signull;
+')
diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te
new file mode 100644
index 00000000..b9c34625
--- /dev/null
+++ b/policy/modules/apps/lockdev.te
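Review bot: `lockdev_role` gives the user domain `ptrace` over lockdev_t, which in lockdev.te of this same series holds the `setgid` capability and is the sole writer of lockdev_lock_t; a user domain able to ptrace a process that holds a capability it lacks can in principle drive that process, subject only to the kernel's own dumpable/ptrace_may_access checks, which this policy does not control. If ptrace is wanted only for debugging, consider dropping it from `allow $2 lockdev_t:process { ptrace signal_perms };` or placing it behind a tunable, and record the decision in the interface summary. Unlike the other `*_domtrans` interfaces in this series, the interface also does not call `corecmd_search_bin($2)`; presumably the user domain already has it, but a comment would make that assumption explicit.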
@@ -0,0 +1,39 @@
+policy_module(lockdev, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role lockdev_roles;
+
+type lockdev_t;
+type lockdev_exec_t;
+typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t };
+typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t };
+userdom_user_application_domain(lockdev_t, lockdev_exec_t)
+role lockdev_roles types lockdev_t;
+
+type lockdev_lock_t;
+typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t };
+typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t };
+files_lock_file(lockdev_lock_t)
+ubac_constrained(lockdev_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+allow lockdev_t self:capability setgid;
+
+manage_files_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t)
+files_lock_filetrans(lockdev_t, lockdev_lock_t, file)
+
+files_read_all_locks(lockdev_t)
+
+fs_getattr_xattr_fs(lockdev_t)
+
+logging_send_syslog_msg(lockdev_t)
+
+userdom_use_user_terminals(lockdev_t)
diff --git a/policy/modules/apps/man2html.fc b/policy/modules/apps/man2html.fc
new file mode 100644
index 00000000..82f62555
--- /dev/null
+++ b/policy/modules/apps/man2html.fc
@@ -0,0 +1,5 @@
+/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+
+/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
diff --git a/policy/modules/apps/man2html.if b/policy/modules/apps/man2html.if
new file mode 100644
index 00000000..54ec04d3
--- /dev/null
+++ b/policy/modules/apps/man2html.if
@@ -0,0 +1 @@
+## <summary>A Unix manpage-to-HTML converter.</summary>
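Review bot: `allow lockdev_t self:capability setgid;` is undocumented; lockdev is presumably installed setgid to a lock group on the target distro (TODO confirm) and the capability is what lets it switch or drop that gid, but the file does not say so, and the capability comments in the mandb.te hunk of this series show the style expected. Suggest `# setgid : switch to/from the lock-group gid around lock file creation (confirm against the installed binary)` above the rule. Separately, `files_read_all_locks(lockdev_t)` lets this domain read every lock-file type on the system rather than only lockdev_lock_t; if that is needed to detect stale locks left by other tools, a one-line comment would justify the breadth.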
diff --git a/policy/modules/apps/man2html.te b/policy/modules/apps/man2html.te
new file mode 100644
index 00000000..e08c55d4
--- /dev/null
+++ b/policy/modules/apps/man2html.te
@@ -0,0 +1,26 @@
+policy_module(man2html, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(man2html)
+
+type httpd_man2html_script_cache_t;
+files_type(httpd_man2html_script_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)
+
+files_read_etc_files(httpd_man2html_script_t)
+
+miscfiles_read_localization(httpd_man2html_script_t)
+miscfiles_read_man_pages(httpd_man2html_script_t)
diff --git a/policy/modules/apps/mandb.fc b/policy/modules/apps/mandb.fc
new file mode 100644
index 00000000..d92a58fd
--- /dev/null
+++ b/policy/modules/apps/mandb.fc
@@ -0,0 +1,3 @@
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
diff --git a/policy/modules/apps/mandb.if b/policy/modules/apps/mandb.if
new file mode 100644
index 00000000..e880655d
--- /dev/null
+++ b/policy/modules/apps/mandb.if
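Review bot: `files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)` has no name argument, so any directory this CGI script domain creates directly under a var_t parent gets the cache type, and the `manage_*_pattern` rules above then let it fill that directory wherever it lands, whereas the .fc entry only expects `/var/cache/man2html`. Because httpd_man2html_script_t is a web-reachable domain, it is worth pinning the transition to the directory name the script actually creates, e.g. `files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir, "man2html")`, provided the interface accepts a filename argument in this policy version (the named-filetrans form is already used elsewhere in this series, e.g. `userdom_user_home_dir_filetrans(..., dir, ".mozilla")`). A short comment stating which directory the script creates, and under which parent, would also let the next reader verify the transition without reading the CGI source.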
@@ -0,0 +1,74 @@
+## <summary>On-line manual database.</summary>
+
+########################################
+## <summary>
+## Execute the mandb program in
+## the mandb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mandb_domtrans',`
+ gen_require(`
+ type mandb_t, mandb_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mandb_exec_t, mandb_t)
+')
+
+########################################
+## <summary>
+## Execute mandb in the mandb
+## domain, and allow the specified
+## role the mandb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mandb_run',`
+ gen_require(`
+ attribute_role mandb_roles;
+ ')
+
+ mandb_domtrans($1)
+ roleattribute $2 mandb_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mandb environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mandb_admin',`
+ gen_require(`
+ type mandb_t;
+ ')
+
+ admin_process_pattern($1, mandb_t)
+
+ mandb_run($1, $2)
+')
diff --git a/policy/modules/apps/mandb.te b/policy/modules/apps/mandb.te
new file mode 100644
index 00000000..48c17bb8
--- /dev/null
+++ b/policy/modules/apps/mandb.te
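Review bot: `mandb_admin` claims to carry "all of the rules required to administrate an mandb environment", but it only grants `admin_process_pattern($1, mandb_t)` plus `mandb_run`; it gives the admin role no access to mandb_unit_t, which mandb.te in this same series declares as the man-db systemd unit type, so an admin using this interface cannot start, stop or inspect those units. Either narrow the summary to what is granted, or add the unit-file/service grant the other refpolicy admin interfaces use for domains that declare a unit type (the exact init interface name depends on the refpolicy revision this tree tracks, so confirm before adding). Since `admin_process_pattern` presumably includes ptrace over mandb_t, the `<rolecap/>` summary should also mention that the role gains ptrace on a domain holding `chown`, `dac_override` and `setuid`.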
@@ -0,0 +1,63 @@
+policy_module(mandb, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role mandb_roles;
+roleattribute system_r mandb_roles;
+
+type mandb_t;
+type mandb_exec_t;
+init_system_domain(mandb_t, mandb_exec_t)
+role mandb_roles types mandb_t;
+
+type mandb_unit_t;
+init_unit_file(mandb_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+# dac_override : write /var/cache/man/*
+# fowner : chmod /var/cache/man/*
+# chown : lchown32 /var/cache/man/*
+# fsetid : chmod /var/cache/man/*
+allow mandb_t self:capability { chown dac_override fowner fsetid setgid setuid };
+allow mandb_t self:process { setsched signal };
+allow mandb_t self:fifo_file rw_fifo_file_perms;
+allow mandb_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(mandb_t)
+kernel_read_system_state(mandb_t)
+
+corecmd_exec_bin(mandb_t)
+corecmd_exec_shell(mandb_t)
+
+domain_use_interactive_fds(mandb_t)
+
+files_dontaudit_search_home(mandb_t)
+files_read_etc_files(mandb_t)
+# /usr/local/man
+files_read_usr_symlinks(mandb_t)
+# search /var/run/nscd/socket
+files_search_pids(mandb_t)
+
+fs_getattr_xattr_fs(mandb_t)
+
+miscfiles_manage_man_cache(mandb_t)
+miscfiles_map_man_cache(mandb_t)
+miscfiles_read_man_pages(mandb_t)
+miscfiles_read_localization(mandb_t)
+
+userdom_use_inherited_user_terminals(mandb_t)
+
+ifdef(`init_systemd',`
+ init_search_run(mandb_t)
+')
+
+optional_policy(`
+ cron_system_entry(mandb_t, mandb_exec_t)
+')
diff --git a/policy/modules/apps/mono.fc b/policy/modules/apps/mono.fc
new file mode 100644
index 00000000..b01bc913
--- /dev/null
+++ b/policy/modules/apps/mono.fc
@@ -0,0 +1 @@
+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
new file mode 100644
index 00000000..70fe6457
--- /dev/null
+++ b/policy/modules/apps/mono.if
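Review bot: `/usr/bin/mono.*` labels every regular file in /usr/bin whose name merely starts with "mono" as mono_exec_t, not just the mono runtime; anything that matches will domain-transition into mono_t, which mono.te in this same series makes `unconfined_domain` whenever that module is present, so an unrelated binary sharing the prefix silently becomes an unconfined entry point. Suggest anchoring the pattern to the runtime and its hyphenated helpers, e.g. `/usr/bin/mono(-[^/]*)? -- gen_context(system_u:object_r:mono_exec_t,s0)`, after confirming which binaries the distro's mono package actually ships under /usr/bin.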
@@ -0,0 +1,149 @@
+## <summary>Run .NET server and client applications on Linux.</summary>
+
+#######################################
+## <summary>
+## The role template for the mono module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for mono applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`mono_role_template',`
+ gen_require(`
+ attribute mono_domain;
+ type mono_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_mono_t, mono_domain;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t, mono_exec_t)
+ role $2 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+ application_type($1_mono_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($3, mono_exec_t, $1_mono_t)
+
+ allow $3 $1_mono_t:process { ptrace noatsecure signal_perms };
+ ps_process_pattern($2, $1_mono_t)
+
+ corecmd_bin_domtrans($1_mono_t, $3)
+
+ userdom_manage_user_tmpfs_files($1_mono_t)
+
+ optional_policy(`
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+
+ xserver_role($1_r, $1_mono_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute mono in the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mono_domtrans',`
+ gen_require(`
+ type mono_t, mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mono_exec_t, mono_t)
+')
+
+########################################
+## <summary>
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_run',`
+ gen_require(`
+ attribute_role mono_roles;
+ ')
+
+ mono_domtrans($1)
+ roleattribute $2 mono_roles;
+')
+
+########################################
+## <summary>
+## Execute mono in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_exec',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, mono_exec_t)
+')
+
+########################################
+## <summary>
+## Read and write mono shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
new file mode 100644
index 00000000..3bb756a5
--- /dev/null
+++ b/policy/modules/apps/mono.te
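Review bot: In `mono_role_template`, `ps_process_pattern($2, $1_mono_t)` passes `$2`, which the parameter docs and `role $2 types $1_mono_t;` establish as the role, where a domain type is expected; every other rule in the template uses `$3` for the user domain (`domtrans_pattern($3, ...)`, `allow $3 $1_mono_t:process ...`). It should read `ps_process_pattern($3, $1_mono_t)`, matching how `mozilla_role` in this series uses its user-domain parameter. Similarly `xserver_role($1_r, $1_mono_t)` rebuilds the role name from the prefix instead of using `$2`; when a caller's role is not literally `<prefix>_r` this targets the wrong role without any error, so `xserver_role($2, $1_mono_t)` is the safer form. Lastly, `noatsecure` in `allow $3 $1_mono_t:process { ptrace noatsecure signal_perms };` keeps AT_SECURE clear on the transition, so the user's LD_PRELOAD-style environment is honored inside the mono domain; that is plausibly intended for a user-launched runtime but deserves a one-line comment saying so.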
@@ -0,0 +1,67 @@
+policy_module(mono, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mono_domain;
+
+attribute_role mono_roles;
+
+type mono_t, mono_domain;
+type mono_exec_t;
+init_system_domain(mono_t, mono_exec_t)
+role mono_roles types mono_t;
+
+application_type(mono_t)
+
+optional_policy(`
+ wm_application_domain(mono_t, mono_exec_t)
+')
+
+########################################
+#
+# Common local policy
+#
+
+allow mono_domain self:process { signal getsched execheap execmem execstack };
+
+########################################
+#
+# local policy
+#
+
+userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
+
+init_dbus_chat_script(mono_t)
+
+optional_policy(`
+ avahi_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ cups_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ unconfined_domain(mono_t)
+ unconfined_dbus_chat(mono_t)
+ unconfined_dbus_connect(mono_t)
+')
+
+optional_policy(`
+ xserver_rw_shm(mono_t)
+')
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
new file mode 100644
index 00000000..15aa39b3
--- /dev/null
+++ b/policy/modules/apps/mozilla.fc
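Review bot: `allow mono_domain self:process { signal getsched execheap execmem execstack };` gives every derived mono domain writable-and-executable heap, anonymous memory and stack with no comment, and unconditionally rather than behind a boolean; these are exactly the permissions that defeat W^X for the whole process. Presumably the JIT needs `execmem`, but `execheap` and `execstack` are rarer and should be justified individually, e.g. `# execmem : JIT code pages; execheap/execstack : TODO confirm still required by the shipped mono` above the rule. Note also that `mono_t` combines `init_system_domain` with `unconfined_domain(mono_t)` under `optional_policy`, so the `mono_run` interface in mono.if effectively hands a caller's role an unconfined domain whenever the unconfined module is built; that consequence belongs in a comment here or in the interface summary.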
@@ -0,0 +1,50 @@
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_xdg_cache_t,s0)
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.vimperator.* gen_context(system_u:object_r:mozilla_home_t,s0)
+
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/firefox-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/iceweasel/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/firefox-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
new file mode 100644
index 00000000..178d68d8
--- /dev/null
+++ b/policy/modules/apps/mozilla.if
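Review bot: The entries label `/usr/bin/firefox-bin` and `/usr/lib/[^/]*firefox[^/]*/firefox`, but there is no entry for `/usr/bin/firefox` itself; on a distribution where that path is a regular wrapper script rather than a symlink into /usr/lib, launching the browser from a user domain would not transition into mozilla_t and the browser would run with the caller's full permissions. Worth confirming against the target distro and, if it is a real file there, adding `/usr/bin/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)`. Also `HOME_DIR/\.vimperator.*` is the only home entry without the `(/.*)?` form; that looks deliberate (it catches `.vimperatorrc` as well as the directory), but a short comment above it would stop someone "normalizing" it later.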
@@ -0,0 +1,638 @@ +## <summary>Policy for Mozilla and related web browsers.</summary> + +######################################## +## <summary> +## Role access for mozilla. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. +## </summary> +## </param> +# +interface(`mozilla_role',` + gen_require(` + type mozilla_t, mozilla_exec_t, mozilla_home_t; + type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; + type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; + attribute_role mozilla_roles; + ') + + ######################################## + # + # Declarations + # + + roleattribute $1 mozilla_roles; + + ######################################## + # + # Policy + # + + domtrans_pattern($2, mozilla_exec_t, mozilla_t) + + allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; + ps_process_pattern($2, mozilla_t) + + allow mozilla_t $2:process signull; + allow mozilla_t $2:unix_stream_socket connectto; + + allow $2 mozilla_t:fd use; + allow $2 mozilla_t:shm rw_shm_perms; + + stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) + + allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms }; + allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") + userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") + userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") + userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") + + filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") + + allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t 
}:file { manage_file_perms relabel_file_perms }; + allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + + allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms }; + allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + + optional_policy(` + mozilla_dbus_chat($2) + ') +') + +######################################## +## <summary> +## Role access for mozilla plugin. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. +## </summary> +## </param> +# +interface(`mozilla_role_plugin',` + gen_require(` + type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t; + type mozilla_home_t; + ') + + mozilla_run_plugin($2, $1) + mozilla_run_plugin_config($2, $1) + + allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; + ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) + + allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; + allow $2 mozilla_plugin_t:fd use; + + stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) + + allow mozilla_plugin_t $2:process signull; + allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms }; + allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms }; + allow mozilla_plugin_t $2:shm { rw_shm_perms destroy }; + allow mozilla_plugin_t $2:sem create_sem_perms; + + allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms }; + allow $2 mozilla_home_t:lnk_file 
{ manage_lnk_file_perms relabel_lnk_file_perms }; + userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") + userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") + userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") + userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") + + allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; + allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + + allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms }; + allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + + allow $2 mozilla_plugin_rw_t:dir list_dir_perms; + allow $2 mozilla_plugin_rw_t:file read_file_perms; + allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; + + can_exec($2, mozilla_plugin_rw_t) + + optional_policy(` + mozilla_dbus_chat_plugin($2) + ') +') + +######################################## +## <summary> +## Read mozilla home directory content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mozilla_read_user_home',` + gen_require(` + type mozilla_home_t; + ') + + list_dirs_pattern($1, mozilla_home_t, mozilla_home_t) + read_files_pattern($1, mozilla_home_t, mozilla_home_t) + userdom_search_user_home_dirs($1) +') + + +######################################## +## <summary> +## Read mozilla home directory files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mozilla_read_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 mozilla_home_t:dir list_dir_perms; + allow $1 mozilla_home_t:file read_file_perms; + allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Write mozilla home directory files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mozilla_write_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + userdom_search_user_home_dirs($1) + write_files_pattern($1, mozilla_home_t, mozilla_home_t) +') + +######################################## +## <summary> +## Do not audit attempts to read and +## write mozilla home directory files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`mozilla_dontaudit_rw_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + dontaudit $1 mozilla_home_t:file rw_file_perms; +') + +######################################## +## <summary> +## Do not audit attempt to Create, +## read, write, and delete mozilla +## home directory content. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`mozilla_dontaudit_manage_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + dontaudit $1 mozilla_home_t:dir manage_dir_perms; + dontaudit $1 mozilla_home_t:file manage_file_perms; + dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms; +') + +######################################## +## <summary> +## Execute mozilla plugin home directory files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mozilla_exec_user_plugin_home_files',` + gen_require(` + type mozilla_home_t, mozilla_plugin_home_t; + ') + + userdom_search_user_home_dirs($1) + exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) +') + +######################################## +## <summary> +## Mozilla plugin home directory file +## text relocation. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mozilla_execmod_user_plugin_home_files',` + gen_require(` + type mozilla_plugin_home_t; + ') + + allow $1 mozilla_plugin_home_t:file execmod; +') + +####################################### +## <summary> +## Read temporary mozilla files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mozilla_read_tmp_files',` + gen_require(` + type mozilla_tmp_t; + ') + + read_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t) +') + +######################################## +## <summary> +## Run mozilla in the mozilla domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mozilla_domtrans',` + gen_require(` + type mozilla_t, mozilla_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, mozilla_exec_t, mozilla_t) +') + +######################################## +## <summary> +## Execute a domain transition to +## run mozilla plugin. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans_plugin',`
+ gen_require(`
+ type mozilla_plugin_t, mozilla_plugin_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+')
+
+########################################
+## <summary>
+## Execute mozilla plugin in the
+## mozilla plugin domain, and allow
+## the specified role the mozilla
+## plugin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_run_plugin',`
+ gen_require(`
+ attribute_role mozilla_plugin_roles;
+ ')
+
+ mozilla_domtrans_plugin($1)
+ roleattribute $2 mozilla_plugin_roles;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run mozilla plugin config.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans_plugin_config',`
+ gen_require(`
+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+')
+
+########################################
+## <summary>
+## Execute mozilla plugin config in
+## the mozilla plugin config domain,
+## and allow the specified role the
+## mozilla plugin config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_run_plugin_config',`
+ gen_require(`
+ attribute_role mozilla_plugin_config_roles;
+ ')
+
+ mozilla_domtrans_plugin_config($1)
+ roleattribute $2 mozilla_plugin_config_roles;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## mozilla over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_dbus_chat',`
+ gen_require(`
+ type mozilla_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 mozilla_t:dbus send_msg;
+ allow mozilla_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## mozilla plugin over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_dbus_chat_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 mozilla_plugin_t:dbus send_msg;
+ allow mozilla_plugin_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read and write mozilla TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_rw_tcp_sockets',`
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mozilla plugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_manage_plugin_rw_files',`
+ gen_require(`
+ type mozilla_plugin_rw_t;
+ ')
+
+ libs_search_lib($1)
+ manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+')
+
+########################################
+## <summary>
+## Read mozilla_plugin tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete mozilla_plugin tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_delete_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Read/write to mozilla's tmp fifo files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_rw_tmp_pipes',`
+ gen_require(`
+ type mozilla_tmp_t;
+ ')
+
+ rw_fifo_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic mozilla plugin home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_manage_generic_plugin_home_content',`
+ gen_require(`
+ type mozilla_plugin_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mozilla_plugin_home_t:dir manage_dir_perms;
+ allow $1 mozilla_plugin_home_t:file manage_file_perms;
+ allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic mozilla
+## plugin home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mozilla_home_filetrans_plugin_home',`
+ gen_require(`
+ type mozilla_plugin_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
+')
+
+# This is gentoo specific but cannot use ifdef distro_gentoo
+
+########################################
+## <summary>
+## Do not audit use of mozilla file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dont audit access from
+## </summary>
+## </param>
+#
+interface(`mozilla_dontaudit_use_fds',`
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ dontaudit $1 mozilla_t:fd use;
+')
+
+########################################
+## <summary>
+## Send messages to mozilla plugin unix datagram sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_send_dgram_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ allow $1 mozilla_plugin_t:unix_dgram_socket sendto;
+')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
new file mode 100644
index 00000000..807d3431
--- /dev/null
+++ b/policy/modules/apps/mozilla.te
@@ -0,0 +1,833 @@
+policy_module(mozilla, 2.13.2)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether mozilla can
+## make its stack executable.
+## </p>
+## </desc>
+gen_tunable(mozilla_execstack, false)
+
+attribute_role mozilla_roles;
+attribute_role mozilla_plugin_roles;
+attribute_role mozilla_plugin_config_roles;
+
+type mozilla_t;
+type mozilla_exec_t;
+typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+userdom_user_application_domain(mozilla_t, mozilla_exec_t)
+role mozilla_roles types mozilla_t;
+
+optional_policy(`
+ wm_application_domain(mozilla_t, mozilla_exec_t)
+')
+
+type mozilla_home_t;
+typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+userdom_user_home_content(mozilla_home_t)
+
+type mozilla_plugin_t;
+type mozilla_plugin_exec_t;
+userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+role mozilla_plugin_roles types mozilla_plugin_t;
+
+type mozilla_plugin_home_t;
+userdom_user_home_content(mozilla_plugin_home_t)
+
+type mozilla_plugin_tmp_t;
+userdom_user_tmp_file(mozilla_plugin_tmp_t)
+
+type mozilla_plugin_tmpfs_t;
+userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
+')
+
+type mozilla_plugin_rw_t;
+files_type(mozilla_plugin_rw_t)
+
+type mozilla_plugin_config_t;
+type mozilla_plugin_config_exec_t;
+userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+role mozilla_plugin_config_roles types mozilla_plugin_config_t;
+
+type mozilla_tmp_t;
+userdom_user_tmp_file(mozilla_tmp_t)
+
+type mozilla_tmpfs_t;
+typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
+typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
+userdom_user_tmpfs_file(mozilla_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(mozilla_tmpfs_t)
+')
+
+type mozilla_xdg_cache_t;
+xdg_cache_content(mozilla_xdg_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mozilla_t self:capability { setgid setuid sys_nice };
+allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+allow mozilla_t self:fifo_file rw_fifo_file_perms;
+allow mozilla_t self:shm create_shm_perms;
+allow mozilla_t self:sem create_sem_perms;
+allow mozilla_t self:socket create_socket_perms;
+allow mozilla_t self:unix_stream_socket { accept listen };
+
+allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
+allow mozilla_t mozilla_plugin_t:fd use;
+
+allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
+allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map };
+allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
+
+filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+
+manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+allow mozilla_t mozilla_tmp_t:file map;
+files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+
+manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+allow mozilla_t mozilla_plugin_tmpfs_t:file map;
+
+allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
+allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
+allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+
+stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
+
+manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
+manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
+xdg_cache_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")
+
+can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
+
+kernel_read_kernel_sysctls(mozilla_t)
+kernel_read_network_state(mozilla_t)
+kernel_read_system_state(mozilla_t)
+kernel_read_net_sysctls(mozilla_t)
+
+corecmd_list_bin(mozilla_t)
+corecmd_exec_shell(mozilla_t)
+corecmd_exec_bin(mozilla_t)
+
+corenet_all_recvfrom_unlabeled(mozilla_t)
+corenet_all_recvfrom_netlabel(mozilla_t)
+corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_tcp_sendrecv_generic_node(mozilla_t)
+
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_sendrecv_http_port(mozilla_t)
+
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+
+corenet_sendrecv_squid_client_packets(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
+corenet_tcp_sendrecv_squid_port(mozilla_t)
+
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_sendrecv_ftp_port(mozilla_t)
+
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_sendrecv_ipp_port(mozilla_t)
+
+corenet_sendrecv_soundd_client_packets(mozilla_t)
+corenet_tcp_connect_soundd_port(mozilla_t)
+corenet_tcp_sendrecv_soundd_port(mozilla_t)
+
+corenet_sendrecv_speech_client_packets(mozilla_t)
+corenet_tcp_connect_speech_port(mozilla_t)
+corenet_tcp_sendrecv_speech_port(mozilla_t)
+
+dev_getattr_sysfs_dirs(mozilla_t)
+dev_read_sysfs(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_read_rand(mozilla_t)
+dev_read_urand(mozilla_t)
+dev_rw_dri(mozilla_t)
+dev_write_sound(mozilla_t)
+
+domain_dontaudit_read_all_domains_state(mozilla_t)
+
+files_read_etc_runtime_files(mozilla_t)
+files_map_usr_files(mozilla_t)
+files_read_usr_files(mozilla_t)
+files_read_var_files(mozilla_t)
+files_read_var_lib_files(mozilla_t)
+files_read_var_symlinks(mozilla_t)
+files_dontaudit_getattr_boot_dirs(mozilla_t)
+
+fs_getattr_all_fs(mozilla_t)
+fs_search_auto_mountpoints(mozilla_t)
+fs_list_inotifyfs(mozilla_t)
+fs_rw_tmpfs_files(mozilla_t)
+
+term_dontaudit_getattr_pty_dirs(mozilla_t)
+
+auth_use_nsswitch(mozilla_t)
+
+logging_send_syslog_msg(mozilla_t)
+
+miscfiles_read_fonts(mozilla_t)
+miscfiles_read_generic_certs(mozilla_t)
+miscfiles_read_localization(mozilla_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
+
+userdom_use_user_ptys(mozilla_t)
+
+userdom_manage_user_tmp_dirs(mozilla_t)
+userdom_manage_user_tmp_files(mozilla_t)
+
+userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })
+userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
+
+userdom_write_user_tmp_sockets(mozilla_t)
+
+mozilla_run_plugin(mozilla_t, mozilla_roles)
+mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+
+xdg_read_config_files(mozilla_t)
+xdg_read_data_files(mozilla_t)
+xdg_manage_downloads(mozilla_t)
+
+xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+
+ifndef(`enable_mls',`
+ fs_list_dos(mozilla_t)
+ fs_read_dos_files(mozilla_t)
+
+ fs_search_removable(mozilla_t)
+ fs_read_removable_files(mozilla_t)
+ fs_read_removable_symlinks(mozilla_t)
+
+ fs_read_iso9660_files(mozilla_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_t self:process execmem;
+')
+
+tunable_policy(`mozilla_execstack',`
+ allow mozilla_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_t)
+ fs_manage_nfs_files(mozilla_t)
+ fs_manage_nfs_symlinks(mozilla_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_t)
+ fs_manage_cifs_files(mozilla_t)
+ fs_manage_cifs_symlinks(mozilla_t)
+')
+
+optional_policy(`
+ alsa_read_config(mozilla_t)
+ alsa_read_home_files(mozilla_t)
+')
+
+optional_policy(`
+ apache_read_user_scripts(mozilla_t)
+ apache_read_user_content(mozilla_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(mozilla_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(mozilla_t)
+ cups_stream_connect(mozilla_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(mozilla_t)
+ dbus_connect_all_session_bus(mozilla_t)
+ dbus_system_bus_client(mozilla_t)
+
+ optional_policy(`
+ cups_dbus_chat(mozilla_t)
+ ')
+
+ optional_policy(`
+ mozilla_dbus_chat_plugin(mozilla_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(mozilla_t)
+ ')
+')
+
+optional_policy(`
+ evolution_domtrans(mozilla_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(mozilla_t)
+ gnome_manage_generic_gconf_home_content(mozilla_t)
+ gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf")
+ gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd")
+ gnome_manage_generic_home_content(mozilla_t)
+ gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome")
+ gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2")
+ gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+')
+
+optional_policy(`
+ java_exec(mozilla_t)
+ java_manage_generic_home_content(mozilla_t)
+ java_manage_java_tmp(mozilla_t)
+ java_home_filetrans_java_home(mozilla_t, dir, ".java")
+')
+
+optional_policy(`
+ lpd_run_lpr(mozilla_t, mozilla_roles)
+')
+
+optional_policy(`
+ mplayer_exec(mozilla_t)
+ mplayer_manage_generic_home_content(mozilla_t)
+ mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
+')
+
+optional_policy(`
+ ooffice_domtrans(mozilla_t)
+ ooffice_rw_tmp_files(mozilla_t)
+')
+
+optional_policy(`
+ pulseaudio_run(mozilla_t, mozilla_roles)
+')
+
+optional_policy(`
+ thunderbird_domtrans(mozilla_t)
+')
+
+########################################
+#
+# Plugin local policy
+#
+
+dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config };
+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit };
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mozilla_plugin_t self:sem create_sem_perms;
+allow mozilla_plugin_t self:shm create_shm_perms;
+allow mozilla_plugin_t self:tcp_socket { accept listen };
+allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen };
+
+allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms;
+allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms;
+allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
+allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
+
+manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
+manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+allow mozilla_plugin_t mozilla_home_t:file map;
+
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
+
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+
+filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+
+allow mozilla_plugin_t mozilla_tmp_t:file rw_file_perms;
+
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
+allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+
+dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+
+can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+
+kernel_read_all_sysctls(mozilla_plugin_t)
+kernel_read_system_state(mozilla_plugin_t)
+kernel_read_network_state(mozilla_plugin_t)
+kernel_request_load_module(mozilla_plugin_t)
+kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+
+corecmd_exec_bin(mozilla_plugin_t)
+corecmd_exec_shell(mozilla_plugin_t)
+
+corenet_all_recvfrom_netlabel(mozilla_plugin_t)
+corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
+
+corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
+
+corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ftp_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
+
+corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
+
+corenet_sendrecv_http_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
+
+corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
+
+corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
+
+corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ircd_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
+
+corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
+
+corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
+
+corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_monopd_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
+
+corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_soundd_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
+
+corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
+
+corenet_sendrecv_squid_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
+
+corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_vnc_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
+
+dev_read_generic_usb_dev(mozilla_plugin_t)
+dev_read_rand(mozilla_plugin_t)
+dev_read_realtime_clock(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+dev_write_video_dev(mozilla_plugin_t)
+dev_rw_dri(mozilla_plugin_t)
+dev_rw_xserver_misc(mozilla_plugin_t)
+
+dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
+dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
+dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
+dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
+
+domain_use_interactive_fds(mozilla_plugin_t)
+domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+
+files_exec_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+files_read_config_files(mozilla_plugin_t)
+files_read_usr_files(mozilla_plugin_t)
+files_map_usr_files(mozilla_plugin_t)
+
+fs_getattr_all_fs(mozilla_plugin_t)
+# fs_read_hugetlbfs_files(mozilla_plugin_t)
+fs_search_auto_mountpoints(mozilla_plugin_t)
+
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+
+application_exec(mozilla_plugin_t)
+
+auth_use_nsswitch(mozilla_plugin_t)
+
+libs_exec_ld_so(mozilla_plugin_t)
+libs_exec_lib_files(mozilla_plugin_t)
+
+logging_send_syslog_msg(mozilla_plugin_t)
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
+miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
+
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_manage_user_tmp_files(mozilla_plugin_t)
+
+userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
+
+userdom_write_user_tmp_sockets(mozilla_plugin_t)
+
+userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+
+xdg_read_config_files(mozilla_plugin_t)
+
+ifndef(`enable_mls',`
+ fs_list_dos(mozilla_plugin_t)
+ fs_read_dos_files(mozilla_plugin_t)
+
+ fs_search_removable(mozilla_plugin_t)
+ fs_read_removable_files(mozilla_plugin_t)
+ fs_read_removable_symlinks(mozilla_plugin_t)
+
+ fs_read_iso9660_files(mozilla_plugin_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_plugin_t self:process execmem;
+')
+
+tunable_policy(`mozilla_execstack',`
+ allow mozilla_plugin_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_plugin_t)
+ fs_manage_nfs_files(mozilla_plugin_t)
+ fs_manage_nfs_symlinks(mozilla_plugin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_plugin_t)
+ fs_manage_cifs_files(mozilla_plugin_t)
+ fs_manage_cifs_symlinks(mozilla_plugin_t)
+')
+
+optional_policy(`
+ alsa_read_config(mozilla_plugin_t)
+ alsa_read_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(mozilla_plugin_t)
+ dbus_connect_all_session_bus(mozilla_plugin_t)
+ dbus_system_bus_client(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_generic_home_content(mozilla_plugin_t)
+ gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
+ gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
+ gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
+')
+
+optional_policy(`
+ java_exec(mozilla_plugin_t)
+ java_manage_generic_home_content(mozilla_plugin_t)
+ java_manage_java_tmp(mozilla_plugin_t)
+ java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
+')
+
+optional_policy(`
+ lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
+')
+
+optional_policy(`
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_manage_generic_home_content(mozilla_plugin_t)
+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
+')
+
+optional_policy(`
+ pcscd_stream_connect(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+')
+
+optional_policy(`
+ udev_read_db(mozilla_plugin_t)
+')
+
+optional_policy(`
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
+ xserver_use_user_fonts(mozilla_plugin_t)
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
+')
+
+########################################
+#
+# Plugin config local policy
+#
+
+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
+allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
+allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
+allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
+
+manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
+manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
+
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+
+filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+
+can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+
+ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+
+kernel_read_system_state(mozilla_plugin_config_t)
+kernel_request_load_module(mozilla_plugin_config_t)
+
+corecmd_exec_bin(mozilla_plugin_config_t)
+corecmd_exec_shell(mozilla_plugin_config_t)
+
+dev_read_urand(mozilla_plugin_config_t)
+dev_rw_dri(mozilla_plugin_config_t)
+dev_search_sysfs(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+
+domain_use_interactive_fds(mozilla_plugin_config_t)
+
+files_list_tmp(mozilla_plugin_config_t)
+files_read_usr_files(mozilla_plugin_config_t)
+files_dontaudit_search_home(mozilla_plugin_config_t)
+
+fs_getattr_all_fs(mozilla_plugin_config_t)
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
+
+auth_use_nsswitch(mozilla_plugin_config_t)
+
+miscfiles_read_localization(mozilla_plugin_config_t)
+miscfiles_read_fonts(mozilla_plugin_config_t)
+
+userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
+userdom_read_user_home_content_files(mozilla_plugin_config_t)
+
+userdom_use_user_ptys(mozilla_plugin_config_t)
+
+mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_plugin_config_t self:process execmem;
+')
+
+tunable_policy(`mozilla_execstack',`
+ allow mozilla_plugin_config_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_plugin_config_t)
+ fs_manage_nfs_files(mozilla_plugin_config_t)
+ fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_plugin_config_t)
+ fs_manage_cifs_files(mozilla_plugin_config_t)
+ fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+')
+
+optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
+')
+
+ifdef(`distro_gentoo',`
+## <desc>
+## <p>
+## Determine whether mozilla firefox can bind TCP sockets to all
+## unreserved ports (for instance used with various Proxy
+## management extensions).
+## </p>
+## </desc>
+gen_tunable(mozilla_bind_all_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Determine whether mozilla firefox plugins can connect to
+## unreserved ports (for instance when dealing with Google Talk)
+## </p>
+## </desc>
+gen_tunable(mozilla_plugin_connect_all_unreserved, false)
+
+ #####################
+ #
+ # Mozilla policy
+ #
+
+ allow mozilla_t mozilla_plugin_t:process { rlimitinh siginh noatsecure };
+ allow mozilla_t self:process execmem; # Startup of firefox (otherwise immediately killed)
+
+ manage_fifo_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+
+ allow mozilla_t mozilla_xdg_cache_t:file map;
+
+ corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
+ corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+ corenet_sendrecv_tor_client_packets(mozilla_t)
+ corenet_tcp_connect_tor_port(mozilla_t)
+ corenet_tcp_sendrecv_tor_port(mozilla_t)
+
+ domain_use_interactive_fds(mozilla_t)
+
+ userdom_search_user_home_dirs(mozilla_t)
+ # This deprecates userdom_use_user_ptys(mozilla_t) mentioned earlier
+ userdom_use_user_terminals(mozilla_t)
+
+ tunable_policy(`mozilla_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(mozilla_t)
+ corenet_tcp_bind_all_unreserved_ports(mozilla_t)
+ corenet_tcp_sendrecv_all_ports(mozilla_t)
+ ')
+
+ optional_policy(`
+ # was in java tunable, upstream added unconditionally
+ chromium_tmp_filetrans(mozilla_t, mozilla_tmp_t, fifo_file)
+ ')
+
+ optional_policy(`
+ nscd_socket_use(mozilla_t)
+ ')
+
+ ifdef(`use_alsa',`
+ optional_policy(`
+ # HTML5 support is built-in (no plugin) - bug 464398
+ alsa_domain(mozilla_t, mozilla_tmpfs_t)
+ ')
+ ')
+
+ ###########################
+ #
+ # Mozilla plugin policy
+ #
+
+ allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ allow mozilla_plugin_t self:udp_socket create_socket_perms;
+ allow mozilla_plugin_t self:process execmem; # Needed for flash plugin
+
+ # Stupid google talk plugin runs find against /etc
+ files_dontaudit_getattr_all_dirs(mozilla_plugin_t)
+
+ corenet_sendrecv_pulseaudio_client_packets(mozilla_plugin_t)
+ corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+ corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t)
+
+ userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+ userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+
+ xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t)
+
+ tunable_policy(`mozilla_plugin_connect_all_unreserved', `
+ corenet_sendrecv_all_client_packets(mozilla_plugin_t)
+ corenet_tcp_connect_all_unreserved_ports(mozilla_plugin_t)
+ ',`
+ corenet_dontaudit_tcp_connect_all_unreserved_ports(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+ flash_manage_home(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+ googletalk_domtrans_plugin(mozilla_plugin_t)
+ googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config(mozilla_plugin_t, dir, "google-googletalkplugin")
+ googletalk_manage_plugin_xdg_config(mozilla_plugin_t)
+ googletalk_use_plugin_fds(mozilla_plugin_t)
+ googletalk_rw_inherited_plugin_unix_stream_sockets(mozilla_plugin_t)
+ ')
+
+ ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
+ ')
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd(mozilla_t)
+ ')
+')
diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc
new file mode 100644
index 00000000..03ace714
--- /dev/null
+++ b/policy/modules/apps/mplayer.fc
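Review bot: The plugin domain is given write and execute on the same file types: `manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)` plus `files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })` let it create files in /tmp, the home `manage_*_pattern` rules do the same for mozilla_plugin_home_t, and `can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })` then lets it execute both types in its own domain with no boolean opt-in, so a subverted plugin process (the one parsing untrusted web content) can drop a payload and run it without leaving mozilla_plugin_t; mozilla_t has the same overlap on mozilla_plugin_home_t via `allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map }` and its own `can_exec`. Executing from the plugin home directory is presumably needed for user-installed plugins under the "plugins" subdirectory, but executing from mozilla_plugin_tmp_t is not justified anywhere in the hunk, so I would restrict the unconditional `can_exec` to mozilla_exec_t and move the home/tmp execution behind a default-off tunable as sketched below. A second, smaller point: the distro_gentoo block adds `allow mozilla_t self:process execmem;` and `allow mozilla_plugin_t self:process execmem;` unconditionally, which silently defeats the `allow_execmem` and `mozilla_execstack` tunables for those two domains on Gentoo; if the startup/flash justification in the trailing comments still holds, it deserves a comment stating that the tunables are intentionally bypassed, otherwise these lines should be dropped in favour of the tunables.
```selinux
## <desc>
## <p>
## Determine whether mozilla plugins can execute
## files they create in their tmp and home content.
## </p>
## </desc>
gen_tunable(mozilla_plugin_exec_home_tmp, false)

# … unchanged: declarations and plugin local policy up to the can_exec line …

can_exec(mozilla_plugin_t, mozilla_exec_t)

tunable_policy(`mozilla_plugin_exec_home_tmp',`
	can_exec(mozilla_plugin_t, { mozilla_plugin_home_t mozilla_plugin_tmp_t })
')
```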
@@ -0,0 +1,17 @@
+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
+
+/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0)
+
+/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+HOME_DIR/\.mpv(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
+
+/etc/mpv(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0)
+
+/usr/bin/mplayer2 -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mpv -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+')
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
new file mode 100644
index 00000000..861d5e97
--- /dev/null
+++ b/policy/modules/apps/mplayer.if
@@ -0,0 +1,163 @@ +## <summary>Mplayer media player and encoder.</summary> + +######################################## +## <summary> +## Role access for mplayer +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`mplayer_role',` + gen_require(` + attribute_role mencoder_roles, mplayer_roles; + type mencoder_t, mencoder_exec_t, mplayer_home_t; + type mplayer_t, mplayer_exec_t, mplayer_tmpfs_t; + ') + + ######################################## + # + # Declarations + # + + roleattribute $1 mencoder_roles; + roleattribute $1 mplayer_roles; + + ######################################## + # + # Policy + # + + domtrans_pattern($2, mencoder_exec_t, mencoder_t) + domtrans_pattern($2, mplayer_exec_t, mplayer_t) + + allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms }; + ps_process_pattern($2, { mplayer_t mencoder_t }) + + allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 mplayer_home_t:file { manage_file_perms relabel_file_perms }; + allow $2 mplayer_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + userdom_user_home_dir_filetrans($2, mplayer_home_t, dir, ".mplayer") + + allow $2 mplayer_tmpfs_t:file { manage_file_perms relabel_file_perms }; + allow $2 mplayer_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + allow $2 mplayer_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + allow $2 mplayer_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; +') + +######################################## +## <summary> +## Run mplayer in mplayer domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`mplayer_domtrans',` + gen_require(` + type mplayer_t, mplayer_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, mplayer_exec_t, mplayer_t) +') + +######################################## +## <summary> +## Execute mplayer in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`mplayer_exec',` + gen_require(` + type mplayer_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, mplayer_exec_t) +') + +######################################## +## <summary> +## Read mplayer user home content files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mplayer_read_user_home_files',` + gen_require(` + type mplayer_home_t; + ') + + userdom_search_user_home_dirs($1) + read_files_pattern($1, mplayer_home_t, mplayer_home_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## generic mplayer home content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mplayer_manage_generic_home_content',` + gen_require(` + type mplayer_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 mplayer_home_t:dir manage_dir_perms; + allow $1 mplayer_home_t:file manage_file_perms; + allow $1 mplayer_home_t:lnk_file manage_lnk_file_perms; +') + +######################################## +## <summary> +## Create specified objects in user home +## directories with the generic mplayer +## home type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. 
+## </summary> +## </param> +# +interface(`mplayer_home_filetrans_mplayer_home',` + gen_require(` + type mplayer_home_t; + ') + + userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) +') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te new file mode 100644 index 00000000..91b9569d --- /dev/null +++ b/policy/modules/apps/mplayer.te 
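Review bot: `mplayer_role` open-codes the two `domtrans_pattern` calls instead of reusing `mplayer_domtrans($2)`, so a caller of the role interface never gets the `corecmd_search_bin` that every other `*_domtrans` in this series adds; `mplayer_domtrans($2)` plus the equivalent mencoder transition would keep the two entry paths in step. The header block above `interface(`mplayer_exec'` carries a duplicated bare `#` line (`+# +#`), which none of the other interfaces in the file have. The `allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };` grant has the same shape as `ooffice_role` in this series, so it is consistent, but a one-line why-comment (presumably so the user can attach a debugger to the player) would help the next reader decide whether ptrace is still wanted there.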
@@ -0,0 +1,282 @@ +policy_module(mplayer, 2.7.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Determine whether mplayer can make +## its stack executable. +## </p> +## </desc> +gen_tunable(allow_mplayer_execstack, false) + +attribute_role mencoder_roles; +attribute_role mplayer_roles; + +type mencoder_t; +type mencoder_exec_t; +typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t }; +typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t }; +userdom_user_application_domain(mencoder_t, mencoder_exec_t) +role mencoder_roles types mencoder_t; + +type mplayer_t; +type mplayer_exec_t; +typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t }; +typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t }; +userdom_user_application_domain(mplayer_t, mplayer_exec_t) +role mplayer_roles types mplayer_t; + +optional_policy(` + wm_application_domain(mplayer_t, mplayer_exec_t) +') + +type mplayer_etc_t; +files_config_file(mplayer_etc_t) + +type mplayer_home_t; +typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t }; +typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t }; +userdom_user_home_content(mplayer_home_t) + +type mplayer_tmpfs_t; +typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t }; +typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t }; +userdom_user_tmpfs_file(mplayer_tmpfs_t) + +optional_policy(` + pulseaudio_tmpfs_content(mplayer_tmpfs_t) +') + +######################################## +# +# Mencoder local policy +# + +allow mencoder_t mplayer_etc_t:dir list_dir_perms; +allow mencoder_t mplayer_etc_t:file read_file_perms; +allow mencoder_t mplayer_etc_t:lnk_file read_lnk_file_perms; + +allow mencoder_t mplayer_home_t:dir manage_dir_perms; +allow mencoder_t mplayer_home_t:file manage_file_perms; +allow 
mencoder_t mplayer_home_t:lnk_file manage_lnk_file_perms; +userdom_user_home_dir_filetrans(mencoder_t, mplayer_home_t, dir, ".mplayer") + +kernel_read_system_state(mencoder_t) +kernel_read_kernel_sysctls(mencoder_t) + +dev_rwx_zero(mencoder_t) +dev_read_video_dev(mencoder_t) + +files_read_usr_files(mencoder_t) + +fs_search_auto_mountpoints(mencoder_t) + +storage_raw_read_removable_device(mencoder_t) + +miscfiles_read_localization(mencoder_t) + +userdom_use_user_terminals(mencoder_t) + +userdom_manage_user_tmp_dirs(mencoder_t) +userdom_manage_user_tmp_files(mencoder_t) + +userdom_user_content_access_template(mplayer_mencoder, mencoder_t) + +xdg_manage_music(mencoder_t) +xdg_manage_videos(mencoder_t) + +ifndef(`enable_mls',` + fs_list_dos(mencoder_t) + fs_read_dos_files(mencoder_t) + + fs_search_removable(mencoder_t) + fs_read_removable_files(mencoder_t) + fs_read_removable_symlinks(mencoder_t) + + fs_read_iso9660_files(mencoder_t) +') + +tunable_policy(`allow_execmem',` + allow mencoder_t self:process execmem; +') + +tunable_policy(`allow_execmod',` + dev_execmod_zero(mencoder_t) +') + +tunable_policy(`allow_mplayer_execstack',` + allow mencoder_t self:process { execmem execstack }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(mencoder_t) + fs_manage_nfs_dirs(mencoder_t) + fs_manage_nfs_files(mencoder_t) + fs_manage_nfs_symlinks(mencoder_t) + +') + +tunable_policy(`use_samba_home_dirs',` + fs_getattr_cifs(mencoder_t) + fs_manage_cifs_dirs(mencoder_t) + fs_manage_cifs_files(mencoder_t) + fs_manage_cifs_symlinks(mencoder_t) +') + +######################################## +# +# Mplayer local policy +# + +allow mplayer_t self:process { signal_perms getsched }; +allow mplayer_t self:fifo_file rw_fifo_file_perms; +allow mplayer_t self:sem create_sem_perms; +allow mplayer_t self:udp_socket create_socket_perms; + +allow mplayer_t mplayer_etc_t:dir list_dir_perms; +allow mplayer_t mplayer_etc_t:file read_file_perms; +allow mplayer_t mplayer_etc_t:lnk_file 
read_lnk_file_perms; + +allow mplayer_t mplayer_home_t:dir manage_dir_perms; +allow mplayer_t mplayer_home_t:file manage_file_perms; +allow mplayer_t mplayer_home_t:lnk_file manage_lnk_file_perms; +userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir, ".mplayer") + +manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +kernel_dontaudit_list_unlabeled(mplayer_t) +kernel_dontaudit_getattr_unlabeled_files(mplayer_t) +kernel_dontaudit_read_unlabeled_files(mplayer_t) +kernel_read_system_state(mplayer_t) +kernel_read_kernel_sysctls(mplayer_t) + +corecmd_exec_bin(mplayer_t) +corecmd_exec_shell(mplayer_t) + +corenet_all_recvfrom_unlabeled(mplayer_t) +corenet_all_recvfrom_netlabel(mplayer_t) +corenet_tcp_sendrecv_generic_if(mplayer_t) +corenet_tcp_sendrecv_generic_node(mplayer_t) + +corenet_tcp_connect_http_port(mplayer_t) +corenet_tcp_sendrecv_http_port(mplayer_t) +corenet_sendrecv_http_client_packets(mplayer_t) + +dev_read_rand(mplayer_t) +dev_read_realtime_clock(mplayer_t) +dev_read_sound_mixer(mplayer_t) +dev_read_urand(mplayer_t) +dev_read_video_dev(mplayer_t) +dev_write_sound_mixer(mplayer_t) +dev_write_video_dev(mplayer_t) +dev_rwx_zero(mplayer_t) + +domain_use_interactive_fds(mplayer_t) + +storage_raw_read_removable_device(mplayer_t) + +files_dontaudit_list_non_security(mplayer_t) +files_dontaudit_getattr_non_security_files(mplayer_t) +files_read_non_security_files(mplayer_t) +files_list_home(mplayer_t) +files_read_etc_runtime_files(mplayer_t) +files_read_usr_files(mplayer_t) + +fs_getattr_all_fs(mplayer_t) +fs_search_auto_mountpoints(mplayer_t) +fs_list_inotifyfs(mplayer_t) + +auth_use_nsswitch(mplayer_t) + 
+logging_send_syslog_msg(mplayer_t) + +miscfiles_read_localization(mplayer_t) +miscfiles_read_fonts(mplayer_t) + +userdom_use_user_terminals(mplayer_t) + +userdom_manage_user_tmp_dirs(mplayer_t) +userdom_manage_user_tmp_files(mplayer_t) +userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file }) +userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file }) + +userdom_user_content_access_template(mplayer, mplayer_t) + +userdom_write_user_tmp_sockets(mplayer_t) + +xdg_read_music(mplayer_t) +xdg_read_videos(mplayer_t) + +xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) + +ifndef(`enable_mls',` + fs_list_dos(mplayer_t) + fs_read_dos_files(mplayer_t) + + fs_search_removable(mplayer_t) + fs_read_removable_files(mplayer_t) + fs_read_removable_symlinks(mplayer_t) + + fs_read_iso9660_files(mplayer_t) +') + +tunable_policy(`allow_execmem',` + allow mplayer_t self:process execmem; +') + +tunable_policy(`allow_execmod',` + dev_execmod_zero(mplayer_t) +') + +tunable_policy(`allow_mplayer_execstack',` + allow mplayer_t self:process { execmem execstack }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mplayer_t) + fs_manage_nfs_files(mplayer_t) + fs_manage_nfs_symlinks(mplayer_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mplayer_t) + fs_manage_cifs_files(mplayer_t) + fs_manage_cifs_symlinks(mplayer_t) +') + +tunable_policy(`allow_mplayer_execstack',` + allow mplayer_t mplayer_tmpfs_t:file execute; +') + +optional_policy(` + alsa_read_config(mplayer_t) +') + +optional_policy(` + pulseaudio_run(mplayer_t, mplayer_roles) +') + +ifdef(`distro_gentoo',` + ###################################### + # + # Local mplayer_t policy + # + + tunable_policy(`mplayer_manage_generic_user_content',` + userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file }) + ') + + ifdef(`use_alsa',` + optional_policy(` + alsa_domain(mplayer_t, mplayer_tmpfs_t) + ') + ') +') 
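Review bot: `allow_mplayer_execstack` is expanded twice for `mplayer_t`, once next to the other tunables as `allow mplayer_t self:process { execmem execstack };` and again at the end of the domain as `allow mplayer_t mplayer_tmpfs_t:file execute;`; folding the tmpfs-execute rule into the first block keeps the tunable's whole effect in one place, and the `<desc>` at the top should say it also grants execmem and execution of mplayer's own tmpfs files, not only an executable stack. The `distro_gentoo` block near the end references `mplayer_manage_generic_user_content`, but no `gen_tunable` for it appears in this hunk; unless that boolean is declared in a global tunables file the module will not link, so either declare it here or note where it comes from. `files_read_non_security_files(mplayer_t)` and `storage_raw_read_removable_device(mplayer_t)` are broad grants for a domain that parses untrusted media; they look intentional (arbitrary media paths, DVD devices) but each deserves a short why-comment.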
diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc
new file mode 100644
index 00000000..6613bb44
--- /dev/null
+++ b/policy/modules/apps/openoffice.fc
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if
new file mode 100644
index 00000000..5580aaf7
--- /dev/null
+++ b/policy/modules/apps/openoffice.if
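Review bot: `(.*)?` in `/opt/openoffice(.*)?/program/...` is just `.*`, and because `.` also matches `/` it labels a file named e.g. `soffice` at any depth below any directory whose name starts with `/opt/openoffice`, not only under the versioned install root. If the suffix is meant to absorb the version in the directory name, `/opt/openoffice[^/]*/program/...` is the tighter expression. This is a style point; the contexts themselves look right.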
@@ -0,0 +1,134 @@ +## <summary>Openoffice suite.</summary> + +############################################################ +## <summary> +## Role access for openoffice. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. +## </summary> +## </param> +# +interface(`ooffice_role',` + gen_require(` + attribute_role ooffice_roles; + type ooffice_t, ooffice_exec_t; + ') + + roleattribute $1 ooffice_roles; + + allow ooffice_t $2:unix_stream_socket connectto; + + domtrans_pattern($2, ooffice_exec_t, ooffice_t) + + allow $2 ooffice_t:process { ptrace signal_perms }; + ps_process_pattern($2, ooffice_t) + + optional_policy(` + ooffice_dbus_chat($2) + ') +') + +######################################## +## <summary> +## Run openoffice in its own domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ooffice_domtrans',` + gen_require(` + type ooffice_t, ooffice_exec_t; + ') + + domtrans_pattern($1, ooffice_exec_t, ooffice_t) +') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`ooffice_dontaudit_exec_tmp_files',` + gen_require(` + type ooffice_tmp_t; + ') + + dontaudit $1 ooffice_tmp_t:file exec_file_perms; +') + +######################################## +## <summary> +## Read and write temporary +## openoffice files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`ooffice_rw_tmp_files',` + gen_require(` + type ooffice_tmp_t; + ') + + rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t) +') + +####################################### +## <summary> +## Send and receive dbus messages +## from and to the openoffice +## domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ooffice_dbus_chat',` + gen_require(` + type ooffice_t; + class dbus send_msg; + ') + + allow $1 ooffice_t:dbus send_msg; + allow ooffice_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Connect to openoffice using a +## unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ooffice_stream_connect',` + gen_require(` + type ooffice_t, ooffice_tmp_t; + ') + + files_search_tmp($1) + stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t) +') diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te new file mode 100644 index 00000000..2cb4d6d2 --- /dev/null +++ b/policy/modules/apps/openoffice.te 
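Review bot: `ooffice_domtrans` is the only `*_domtrans` interface in this series that does not call `corecmd_search_bin($1)`; the fc file puts `ooffice_exec_t` under `/opt`, so callers presumably need search on that tree instead, and a comment such as `# ooffice_exec_t lives under /opt, not in bin dirs -- callers need search on /opt (usr_t?) -- confirm` would make the omission look deliberate rather than accidental. In `ooffice_role`, `allow ooffice_t $2:unix_stream_socket connectto;` carries no explanation of why the office domain must connect back to sockets owned by the user domain; it runs in the opposite direction from the rest of the interface, so a one-line why-comment would help. The ptrace grant on `ooffice_t` matches `mplayer_role` in this series and is consistent.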
@@ -0,0 +1,158 @@ +policy_module(openoffice, 1.3.1) + +############################## +# +# Declarations +# + +## <desc> +## <p> +## Determine whether openoffice can +## download software updates from the +## network (application and/or +## extensions). +## </p> +## </desc> +gen_tunable(openoffice_allow_update, true) + +## <desc> +## <p> +## Determine whether openoffice writer +## can send emails directly (print to +## email). This is different from the +## functionality of sending emails +## through external clients which is +## always enabled. +## </p> +## </desc> +gen_tunable(openoffice_allow_email, false) + +attribute_role ooffice_roles; + +type ooffice_t; +type ooffice_exec_t; +userdom_user_application_domain(ooffice_t, ooffice_exec_t) +role ooffice_roles types ooffice_t; + +optional_policy(` + wm_application_domain(ooffice_t, ooffice_exec_t) +') + +type ooffice_home_t; +userdom_user_home_content(ooffice_home_t) + +type ooffice_tmp_t; +files_tmp_file(ooffice_tmp_t) + +############################## +# +# Openoffice local policy +# + +allow ooffice_t self:process { execmem getsched signal }; +allow ooffice_t self:shm create_shm_perms; +allow ooffice_t self:fifo_file rw_fifo_file_perms; +allow ooffice_t self:unix_stream_socket connectto; + +allow ooffice_t ooffice_home_t:dir manage_dir_perms; +allow ooffice_t ooffice_home_t:file manage_file_perms; +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms; +userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice") + +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file }) + +can_exec(ooffice_t, ooffice_exec_t) + +kernel_dontaudit_read_system_state(ooffice_t) + +corecmd_exec_bin(ooffice_t) +corecmd_exec_shell(ooffice_t) + +dev_read_sysfs(ooffice_t) +dev_read_urand(ooffice_t) + 
+domain_use_interactive_fds(ooffice_t) + +files_getattr_all_dirs(ooffice_t) +files_getattr_all_files(ooffice_t) +files_getattr_all_symlinks(ooffice_t) +files_read_etc_files(ooffice_t) +files_map_usr_files(ooffice_t) +files_read_usr_files(ooffice_t) + +fs_getattr_xattr_fs(ooffice_t) + +miscfiles_read_fonts(ooffice_t) +miscfiles_read_localization(ooffice_t) + +ooffice_dontaudit_exec_tmp_files(ooffice_t) + +sysnet_dns_name_resolve(ooffice_t) + +userdom_dontaudit_exec_user_home_content_files(ooffice_t) +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t) +userdom_manage_user_tmp_dirs(ooffice_t) +userdom_manage_user_tmp_sockets(ooffice_t) +userdom_use_inherited_user_terminals(ooffice_t) + +userdom_user_content_access_template(openoffice, ooffice_t) + +xdg_manage_documents(ooffice_t) + +tunable_policy(`openoffice_allow_update',` + corenet_tcp_connect_http_port(ooffice_t) +') + +tunable_policy(`openoffice_allow_email',` + corenet_tcp_connect_smtp_port(ooffice_t) + corenet_tcp_sendrecv_smtp_port(ooffice_t) + corenet_sendrecv_smtp_client_packets(ooffice_t) +') + +optional_policy(` + cups_read_config(ooffice_t) + cups_stream_connect(ooffice_t) +') + +optional_policy(` + dbus_all_session_bus_client(ooffice_t) +') + +optional_policy(` + evolution_domtrans(ooffice_t) + evolution_read_home_files(ooffice_t) +') + +optional_policy(` + gnome_dbus_chat_gconfd(ooffice_t) + gnome_stream_connect_gconf(ooffice_t) +') + +optional_policy(` + hostname_exec(ooffice_t) +') + +optional_policy(` + java_exec(ooffice_t) +') + +optional_policy(` + mozilla_domtrans(ooffice_t) + mozilla_read_tmp_files(ooffice_t) +') + +optional_policy(` + thunderbird_domtrans(ooffice_t) +') + +optional_policy(` + xserver_rw_xsession_log(ooffice_t) + xserver_read_user_iceauth(ooffice_t) + xserver_read_user_xauth(ooffice_t) + xserver_read_xdm_tmp_files(ooffice_t) + xserver_stream_connect(ooffice_t) + xserver_stream_connect_xdm(ooffice_t) +') 
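Review bot: `userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)` is immediately followed by `userdom_manage_user_tmp_dirs(ooffice_t)`; once the access is allowed the dontaudit rule is dead, so one of the two lines should go (the allow, given the `files_tmp_filetrans` rules above it). `openoffice_allow_update` defaults to `true`, which hands a domain that parses untrusted documents outbound `corenet_tcp_connect_http_port` by default; the `<desc>` frames it as software updates but nothing restricts the connection to updates, so either default it to `false` like `openoffice_allow_email` or widen the description to say it enables any HTTP client traffic, remote document content included. The email block also grants `corenet_tcp_sendrecv_smtp_port` and the client-packet rule while the update block has only the connect; if those sendrecv rules are still needed on the target kernel, the update block is incomplete.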
diff --git a/policy/modules/apps/podsleuth.fc b/policy/modules/apps/podsleuth.fc
new file mode 100644
index 00000000..c32a4f30
--- /dev/null
+++ b/policy/modules/apps/podsleuth.fc
@@ -0,0 +1,5 @@
+/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+
+/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+
+/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0)
diff --git a/policy/modules/apps/podsleuth.if b/policy/modules/apps/podsleuth.if
new file mode 100644
index 00000000..a9427b4a
--- /dev/null
+++ b/policy/modules/apps/podsleuth.if
@@ -0,0 +1,46 @@
+## <summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM).</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run podsleuth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`podsleuth_domtrans',`
+ gen_require(`
+ type podsleuth_t, podsleuth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
+')
+
+########################################
+## <summary>
+## Execute podsleuth in the podsleuth
+## domain, and allow the specified role
+## the podsleuth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`podsleuth_run',`
+ gen_require(`
+ attribute_role podsleuth_roles;
+ ')
+
+ podsleuth_domtrans($1)
+ roleattribute $2 podsleuth_roles;
+')
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
new file mode 100644
index 00000000..83dc77b5
--- /dev/null
+++ b/policy/modules/apps/podsleuth.te
@@ -0,0 +1,97 @@
+policy_module(podsleuth, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role podsleuth_roles;
+roleattribute system_r podsleuth_roles;
+
+type podsleuth_t;
+type podsleuth_exec_t;
+application_domain(podsleuth_t, podsleuth_exec_t)
+role podsleuth_roles types podsleuth_t;
+
+type podsleuth_cache_t;
+files_type(podsleuth_cache_t)
+ubac_constrained(podsleuth_cache_t)
+
+type podsleuth_tmp_t;
+userdom_user_tmp_file(podsleuth_tmp_t)
+
+type podsleuth_tmpfs_t;
+userdom_user_tmpfs_file(podsleuth_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow podsleuth_t self:capability { dac_override kill sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:fifo_file rw_fifo_file_perms;
+allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+allow podsleuth_t self:sem create_sem_perms;
+allow podsleuth_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
+
+allow podsleuth_t podsleuth_tmp_t:dir mounton;
+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
+
+manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
+
+kernel_read_system_state(podsleuth_t)
+kernel_request_load_module(podsleuth_t)
+
+corecmd_exec_bin(podsleuth_t)
+
+corenet_all_recvfrom_unlabeled(podsleuth_t)
+corenet_all_recvfrom_netlabel(podsleuth_t)
+corenet_tcp_sendrecv_generic_if(podsleuth_t)
+corenet_tcp_sendrecv_generic_node(podsleuth_t)
+
+corenet_sendrecv_http_client_packets(podsleuth_t)
+corenet_tcp_connect_http_port(podsleuth_t)
+corenet_tcp_sendrecv_http_port(podsleuth_t)
+
+dev_read_urand(podsleuth_t)
+
+files_read_etc_files(podsleuth_t)
+
+fs_mount_dos_fs(podsleuth_t)
+fs_unmount_dos_fs(podsleuth_t)
+fs_getattr_dos_fs(podsleuth_t)
+fs_read_dos_files(podsleuth_t)
+fs_search_dos(podsleuth_t)
+fs_getattr_tmpfs(podsleuth_t)
+fs_list_tmpfs(podsleuth_t)
+fs_rw_removable_blk_files(podsleuth_t)
+
+miscfiles_read_localization(podsleuth_t)
+
+sysnet_dns_name_resolve(podsleuth_t)
+
+userdom_signal_unpriv_users(podsleuth_t)
+userdom_signull_unpriv_users(podsleuth_t)
+userdom_read_user_tmpfs_files(podsleuth_t)
+
+optional_policy(`
+ dbus_system_bus_client(podsleuth_t)
+
+ optional_policy(`
+ hal_dbus_chat(podsleuth_t)
+ ')
+')
+
+optional_policy(`
+ mono_exec(podsleuth_t)
+')
diff --git a/policy/modules/apps/ptchown.fc b/policy/modules/apps/ptchown.fc
new file mode 100644
index 00000000..dd96822d
--- /dev/null
+++ b/policy/modules/apps/ptchown.fc
@@ -0,0 +1,3 @@
+/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0)
+
+/usr/lib/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0)
diff --git a/policy/modules/apps/ptchown.if b/policy/modules/apps/ptchown.if
new file mode 100644
index 00000000..97a1e7b1
--- /dev/null
+++ b/policy/modules/apps/ptchown.if
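Review bot: The capability and process grants at the top of the local policy (`{ dac_override kill sys_admin sys_rawio }` and `{ ptrace signal signull getsched execheap execmem execstack }`) are a lot for an iPod metadata helper and carry no justification; `sys_admin`/`sys_rawio` presumably back the `fs_mount_dos_fs`/`fs_rw_removable_blk_files` lines and the exec* triple the mono runtime reached through `mono_exec`, but that should be written next to the rules, e.g. `# sys_admin/sys_rawio: mount the iPod's FAT volume and query the raw block device -- confirm` and `# execheap/execmem/execstack: mono JIT (see mono_exec below) -- confirm`. `allow podsleuth_t self:tcp_socket { accept listen };` is also odd: nothing in this hunk grants any `corenet_tcp_bind_*`, so a listening socket could not be bound to a port and the line looks like a leftover unless the bind comes from an interface not visible here. `ptrace` on self is rarely needed and is worth either a comment or removal.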
@@ -0,0 +1,65 @@
+## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ptchown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ptchown_domtrans',`
+ gen_require(`
+ type ptchown_t, ptchown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ptchown_exec_t, ptchown_t)
+')
+
+#######################################
+## <summary>
+## Execute ptchown in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ptchown_exec',`
+ gen_require(`
+ type ptchown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ptchown_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ptchown in the ptchown
+## domain, and allow the specified
+## role the ptchown domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ptchown_run',`
+ gen_require(`
+ attribute_role ptchown_roles;
+ ')
+
+ ptchown_domtrans($1)
+ roleattribute $2 ptchown_roles;
+')
diff --git a/policy/modules/apps/ptchown.te b/policy/modules/apps/ptchown.te
new file mode 100644
index 00000000..28d2abc0
--- /dev/null
+++ b/policy/modules/apps/ptchown.te
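Review bot: The module `<summary>` reads `changes ownship and permissions of pseudotty`; it should be `changes ownership and permissions of a pseudoterminal`. `ptchown_exec` lets a caller run the setuid helper inside its own domain instead of transitioning to `ptchown_t`, which is a legitimate pattern, but its documentation could say that such callers then need the chown/fowner/setuid capabilities and pty setattr rules themselves, since none of the confinement in ptchown.te applies to them.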
@@ -0,0 +1,34 @@
+policy_module(ptchown, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ptchown_roles;
+roleattribute system_r ptchown_roles;
+
+type ptchown_t;
+type ptchown_exec_t;
+application_domain(ptchown_t, ptchown_exec_t)
+role ptchown_roles types ptchown_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ptchown_t self:capability { chown fowner fsetid setuid };
+allow ptchown_t self:process { getcap setcap };
+
+files_read_etc_files(ptchown_t)
+
+fs_rw_anon_inodefs_files(ptchown_t)
+
+term_setattr_generic_ptys(ptchown_t)
+term_getattr_all_ptys(ptchown_t)
+term_setattr_all_ptys(ptchown_t)
+term_use_generic_ptys(ptchown_t)
+term_use_ptmx(ptchown_t)
+
+miscfiles_read_localization(ptchown_t)
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
new file mode 100644
index 00000000..0d9bc354
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_xdg_config_t,s0)
+
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+
+/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/run/user/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
new file mode 100644
index 00000000..ca005df0
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.if
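Review bot: `term_getattr_all_ptys(ptchown_t)` and `term_setattr_all_ptys(ptchown_t)` let the helper change ownership and mode on every pty type, not only the generic pty covered by `term_setattr_generic_ptys` two lines earlier; that matches how pt_chown works (it acts on the pty fd it inherits, so any pty type is reachable), but a comment such as `# pt_chown operates on whatever pty fd it inherits, so all pty types must be settable` would record why the generic rule alone is not enough. If I recall correctly, glibc stopped installing pt_chown setuid by default from 2.19 (opt-in via --enable-pt_chown, following CVE-2013-2207), so on current systems this domain is rarely entered; a line in the module header saying so would help readers decide whether to load it at all.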
@@ -0,0 +1,422 @@ +## <summary>Pulseaudio network sound server.</summary> + +######################################## +## <summary> +## Role access for pulseaudio. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. +## </summary> +## </param> +# +interface(`pulseaudio_role',` + gen_require(` + attribute pulseaudio_tmpfsfile; + type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t; + type pulseaudio_tmp_t; + ') + + pulseaudio_run($2, $1) + + allow $2 pulseaudio_t:process { ptrace signal_perms }; + allow $2 pulseaudio_t:fd use; + ps_process_pattern($2, pulseaudio_t) + + allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms }; + allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map }; + + allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; + allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + + allow pulseaudio_t $2:unix_stream_socket connectto; + allow pulseaudio_t $2:process signull; +') + +######################################## +## <summary> +## Execute a domain transition to run pulseaudio. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`pulseaudio_domtrans',` + gen_require(` + attribute pulseaudio_client; + type pulseaudio_t, pulseaudio_exec_t; + ') + + typeattribute $1 pulseaudio_client; + + corecmd_search_bin($1) + domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) +') + +######################################## +## <summary> +## Execute pulseaudio in the pulseaudio +## domain, and allow the specified role +## the pulseaudio domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_run',` + gen_require(` + attribute_role pulseaudio_roles; + ') + + pulseaudio_domtrans($1) + roleattribute $2 pulseaudio_roles; +') + +######################################## +## <summary> +## Execute pulseaudio in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_exec',` + gen_require(` + type pulseaudio_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, pulseaudio_exec_t) +') + +######################################## +## <summary> +## Do not audit attempts to execute pulseaudio. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`pulseaudio_dontaudit_exec',` + gen_require(` + type pulseaudio_exec_t; + ') + + dontaudit $1 pulseaudio_exec_t:file exec_file_perms; +') + +######################################## +## <summary> +## Send null signals to pulseaudio. +## processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_signull',` + gen_require(` + type pulseaudio_t; + ') + + allow $1 pulseaudio_t:process signull; +') + +######################################## +## <summary> +## Use file descriptors for +## pulseaudio. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_use_fds',` + gen_require(` + type pulseaudio_t; + ') + + allow $1 pulseaudio_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to use the +## file descriptors for pulseaudio. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_dontaudit_use_fds',` + gen_require(` + type pulseaudio_t; + ') + + dontaudit $1 pulseaudio_t:fd use; +') + +##################################### +## <summary> +## Connect to pulseaudio with a unix +## domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_stream_connect',` + gen_require(` + type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t) +') + +######################################## +## <summary> +## Send and receive messages from +## pulseaudio over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_dbus_chat',` + gen_require(` + type pulseaudio_t; + class dbus send_msg; + ') + + allow $1 pulseaudio_t:dbus send_msg; + allow pulseaudio_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Set attributes of pulseaudio home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_setattr_home_dir',` + gen_require(` + type pulseaudio_home_t; + ') + + allow $1 pulseaudio_home_t:dir setattr_dir_perms; +') + +######################################## +## <summary> +## Read pulseaudio home content. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_read_home',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 pulseaudio_home_t:dir list_dir_perms; + allow $1 pulseaudio_home_t:file read_file_perms; + allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Read and write Pulse Audio files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_rw_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) + rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## pulseaudio home content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_manage_home',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 pulseaudio_home_t:dir manage_dir_perms; + allow $1 pulseaudio_home_t:file manage_file_perms; + allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms; +') + +######################################## +## <summary> +## Create objects in user home +## directories with the pulseaudio +## home type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. 
+## </summary> +## </param> +# +interface(`pulseaudio_home_filetrans_pulseaudio_home',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3) +') + +######################################## +## <summary> +## Make the specified tmpfs file type +## pulseaudio tmpfs content. +## </summary> +## <param name="file_type"> +## <summary> +## File type to make pulseaudio tmpfs content. +## </summary> +## </param> +# +interface(`pulseaudio_tmpfs_content',` + gen_require(` + attribute pulseaudio_tmpfsfile; + ') + + typeattribute $1 pulseaudio_tmpfsfile; +') + +####################################### +## <summary> +## Read pulseaudio tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_read_tmpfs_files',` + gen_require(` + type pulseaudio_tmpfs_t; + ') + + fs_search_tmpfs($1) + read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +') + +####################################### +## <summary> +## Read and write pulseaudio tmpfs +## files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`pulseaudio_rw_tmpfs_files',` + gen_require(` + type pulseaudio_tmpfs_t; + ') + + fs_search_tmpfs($1) + rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +') + +# Below are Gentoo specifics but ifdef distro_gentoo cannot be used in interfaces + +######################################## +## <summary> +## Mark the specified domain as a PulseAudio client domain +## and the related tmpfs file type as a (shared) PulseAudio tmpfs +## file type used for the shared memory access +## </summary> +## <param name="domain"> +## <summary> +## Domain to become a PulseAudio client domain +## </summary> +## </param> +## <param name="tmpfstype"> +## <summary> +## Tmpfs type used for shared memory of the given domain +## </summary> +## </param> +# +interface(`pulseaudio_client_domain',` + refpolicywarn(`$0($*) has been deprecated') + + pulseaudio_domtrans($1) + pulseaudio_tmpfs_content($2) +') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te new file mode 100644 index 00000000..1a58bde5 --- /dev/null +++ b/policy/modules/apps/pulseaudio.te 
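Review bot: `pulseaudio_stream_connect` only adds `files_search_pids($1)` before the `stream_connect_pattern`, but the companion pulseaudio.fc labels the per-user socket directory `/run/user/%{USERID}/pulse(/.*)?` as pulseaudio_tmp_t, so a caller that cannot already search the per-user runtime directory under /run/user is denied before it reaches the `native` socket. Add the per-user runtime search next to the pids search, e.g. `userdom_search_user_runtime($1)`, if that interface exists in this tree (pulseaudio.te already relies on `userdom_user_runtime_content` and `userdom_user_runtime_filetrans`, so the runtime type is in play). Callers that only use the system-wide `/run/pulse` socket are unaffected.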
@@ -0,0 +1,308 @@ +policy_module(pulseaudio, 1.11.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow pulseaudio to execute code in +## writable memory +## </p> +## </desc> +gen_tunable(pulseaudio_execmem, false) + +attribute pulseaudio_client; +attribute pulseaudio_tmpfsfile; + +attribute_role pulseaudio_roles; + +type pulseaudio_t; +type pulseaudio_exec_t; +# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) +userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t) +role pulseaudio_roles types pulseaudio_t; + +type pulseaudio_home_t; +userdom_user_home_content(pulseaudio_home_t) + +type pulseaudio_tmp_t; +userdom_user_tmp_file(pulseaudio_tmp_t) +userdom_user_runtime_content(pulseaudio_tmp_t) + +type pulseaudio_tmpfs_t; +userdom_user_tmpfs_file(pulseaudio_tmpfs_t) + +type pulseaudio_var_lib_t; +files_type(pulseaudio_var_lib_t) + +type pulseaudio_var_run_t; +files_pid_file(pulseaudio_var_run_t) + +type pulseaudio_xdg_config_t; +xdg_config_content(pulseaudio_xdg_config_t) + +######################################## +# +# Local policy +# + +allow pulseaudio_t self:capability { chown fowner fsetid setgid setuid sys_nice sys_resource sys_tty_config }; +allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched signal signull }; + +allow pulseaudio_t self:fifo_file rw_fifo_file_perms; +allow pulseaudio_t self:unix_stream_socket { accept connectto listen }; +allow pulseaudio_t self:unix_dgram_socket sendto; +allow pulseaudio_t self:tcp_socket { accept listen }; +allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; + +allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms; +allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map }; +allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms; + +userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse") +userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, 
".esd_auth") +userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie") + +manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) +userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock") +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket") +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native") + +manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }) +allow pulseaudio_t { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file map; +fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file }) + +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) + +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) + +manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t) +manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t) +xdg_config_filetrans(pulseaudio_t, pulseaudio_xdg_config_t, dir, "pulse") + +allow 
pulseaudio_t pulseaudio_client:process signull; +ps_process_pattern(pulseaudio_t, pulseaudio_client) + +can_exec(pulseaudio_t, pulseaudio_exec_t) + +kernel_getattr_proc(pulseaudio_t) +kernel_read_system_state(pulseaudio_t) +kernel_read_kernel_sysctls(pulseaudio_t) + +corecmd_exec_bin(pulseaudio_t) + +corenet_all_recvfrom_unlabeled(pulseaudio_t) +corenet_all_recvfrom_netlabel(pulseaudio_t) +corenet_tcp_sendrecv_generic_if(pulseaudio_t) +corenet_udp_sendrecv_generic_if(pulseaudio_t) +corenet_tcp_sendrecv_generic_node(pulseaudio_t) +corenet_udp_sendrecv_generic_node(pulseaudio_t) + +corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t) +corenet_tcp_bind_pulseaudio_port(pulseaudio_t) +corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t) + +corenet_sendrecv_soundd_server_packets(pulseaudio_t) +corenet_tcp_bind_soundd_port(pulseaudio_t) +corenet_tcp_sendrecv_soundd_port(pulseaudio_t) + +corenet_sendrecv_sap_server_packets(pulseaudio_t) +corenet_udp_bind_sap_port(pulseaudio_t) +corenet_udp_sendrecv_sap_port(pulseaudio_t) + +dev_read_sound(pulseaudio_t) +dev_write_sound(pulseaudio_t) +dev_read_sysfs(pulseaudio_t) +dev_read_urand(pulseaudio_t) + +files_read_usr_files(pulseaudio_t) + +fs_getattr_tmpfs(pulseaudio_t) +fs_getattr_all_fs(pulseaudio_t) +fs_list_inotifyfs(pulseaudio_t) +fs_rw_anon_inodefs_files(pulseaudio_t) +fs_search_auto_mountpoints(pulseaudio_t) + +term_use_all_ttys(pulseaudio_t) +term_use_all_ptys(pulseaudio_t) + +auth_use_nsswitch(pulseaudio_t) + +logging_send_syslog_msg(pulseaudio_t) + +miscfiles_read_localization(pulseaudio_t) + +seutil_read_config(pulseaudio_t) + +userdom_read_user_tmpfs_files(pulseaudio_t) +userdom_map_user_tmpfs_files(pulseaudio_t) +userdom_delete_user_tmpfs_files(pulseaudio_t) +userdom_search_user_home_dirs(pulseaudio_t) +userdom_search_user_home_content(pulseaudio_t) + +userdom_manage_user_tmp_dirs(pulseaudio_t) +userdom_manage_user_tmp_sockets(pulseaudio_t) + +tunable_policy(`pulseaudio_execmem',` + allow pulseaudio_t self:process 
execmem; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(pulseaudio_t) + fs_manage_nfs_files(pulseaudio_t) + fs_manage_nfs_symlinks(pulseaudio_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(pulseaudio_t) + fs_manage_cifs_files(pulseaudio_t) + fs_manage_cifs_symlinks(pulseaudio_t) +') + +optional_policy(` + alsa_read_config(pulseaudio_t) + alsa_read_home_files(pulseaudio_t) +') + +optional_policy(` + bluetooth_stream_connect(pulseaudio_t) +') + +optional_policy(` + dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) + dbus_all_session_bus_client(pulseaudio_t) + dbus_connect_all_session_bus(pulseaudio_t) + + optional_policy(` + consolekit_dbus_chat(pulseaudio_t) + ') + + optional_policy(` + hal_dbus_chat(pulseaudio_t) + ') + + optional_policy(` + policykit_dbus_chat(pulseaudio_t) + ') + + optional_policy(` + rpm_dbus_chat(pulseaudio_t) + ') +') + +optional_policy(` + gnome_stream_connect_gconf(pulseaudio_t) + + # OIL Runtime Compiler (ORC) optimized code execution + gnome_manage_gstreamer_orcexec(pulseaudio_t) + gnome_mmap_gstreamer_orcexec(pulseaudio_t) + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file) + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file) +') + +optional_policy(` + rtkit_scheduled(pulseaudio_t) +') + +optional_policy(` + policykit_domtrans_auth(pulseaudio_t) + policykit_read_lib(pulseaudio_t) + policykit_read_reload(pulseaudio_t) +') + +optional_policy(` + udev_read_pid_files(pulseaudio_t) + udev_read_state(pulseaudio_t) + udev_read_db(pulseaudio_t) +') + +optional_policy(` + xserver_stream_connect(pulseaudio_t) + xserver_manage_xdm_tmp_files(pulseaudio_t) + xserver_read_xdm_lib_files(pulseaudio_t) + xserver_read_xdm_pid(pulseaudio_t) + xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) +') + +######################################## +# +# Client local policy +# + +allow pulseaudio_client self:unix_dgram_socket sendto; +allow pulseaudio_client 
self:process signull; + +allow pulseaudio_client pulseaudio_tmp_t:dir manage_dir_perms; +allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms; +allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms; + +rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }) +allow pulseaudio_client pulseaudio_tmpfs_t:file map; +delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile) + +manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t) +manage_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t) +xdg_config_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse") + +fs_getattr_tmpfs(pulseaudio_client) + +corenet_all_recvfrom_unlabeled(pulseaudio_client) +corenet_all_recvfrom_netlabel(pulseaudio_client) +corenet_tcp_sendrecv_generic_if(pulseaudio_client) +corenet_tcp_sendrecv_generic_node(pulseaudio_client) + +corenet_sendrecv_pulseaudio_client_packets(pulseaudio_client) +corenet_tcp_connect_pulseaudio_port(pulseaudio_client) +corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) + +pulseaudio_stream_connect(pulseaudio_client) +pulseaudio_manage_home(pulseaudio_client) +pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse") +pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") +pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") +pulseaudio_signull(pulseaudio_client) +pulseaudio_use_fds(pulseaudio_client) + +userdom_read_user_tmpfs_files(pulseaudio_client) +userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse") +# userdom_delete_user_tmpfs_files(pulseaudio_client) + +tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(pulseaudio_client) + fs_manage_nfs_dirs(pulseaudio_client) + fs_manage_nfs_files(pulseaudio_client) + fs_read_nfs_symlinks(pulseaudio_client) +') + 
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(pulseaudio_client)
+ fs_manage_cifs_dirs(pulseaudio_client)
+ fs_manage_cifs_files(pulseaudio_client)
+ fs_read_cifs_symlinks(pulseaudio_client)
+')
+
+optional_policy(`
+ pulseaudio_dbus_chat(pulseaudio_client)
+')
+
+optional_policy(`
+ rtkit_scheduled(pulseaudio_client)
+')
+
+optional_policy(`
+ unconfined_signull(pulseaudio_client)
+')
diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
new file mode 100644
index 00000000..1fc79800
--- /dev/null
+++ b/policy/modules/apps/qemu.fc
@@ -0,0 +1,19 @@
+/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
+
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
+
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
new file mode 100644
index 00000000..b6d8e1c2
--- /dev/null
+++ b/policy/modules/apps/qemu.if
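Review bot: The `pulseaudio_client` attribute makes every domain that calls `pulseaudio_domtrans` mutually trusting: the client block grants `rw_files_pattern` over `pulseaudio_tmpfsfile` (the union of every tmpfs type registered through `pulseaudio_tmpfs_content`), `delete_files_pattern` on that same attribute, and `pulseaudio_manage_home`, which per the .fc covers `.pulse-cookie`. Any one client domain can therefore read, modify or delete another client domain's shared-memory files and the authentication cookie; that is presumably acceptable for a single-user desktop, but it is not written down anywhere in the module. State it at the declaration: `# pulseaudio_client domains mutually trust each other: shared rw/delete on all pulseaudio_tmpfsfile types and manage on pulseaudio_home_t (which includes the auth cookie)`. The commented-out `# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)` line in the declarations should be removed rather than shipped as dead code.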
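Review bot: `/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)` restricts the match to regular files with `--`, so the `/var/log/qemu-ga` directory itself (and anything under it that is not a regular file) keeps the generic log label on a relabel, while qemu.te in this series clearly expects a directory of that type via `manage_dirs_pattern` and `logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })`. Drop the qualifier: `/var/log/qemu-ga(/.*)?	gen_context(system_u:object_r:qemu_ga_log_t,s0)`, matching how `/var/lib/pulse(/.*)?` and the other directory patterns in this series are written. The separate `/var/log/qemu-ga.log --` entry is a distinct path and is fine as it stands.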
@@ -0,0 +1,434 @@ +## <summary>QEMU machine emulator and virtualizer.</summary> + +####################################### +## <summary> +## The template to define a qemu domain. +## </summary> +## <param name="domain_prefix"> +## <summary> +## Domain prefix to be used. +## </summary> +## </param> +# +template(`qemu_domain_template',` + ############################## + # + # Declarations + # + + type $1_t; + domain_type($1_t) + + type $1_tmp_t; + files_tmp_file($1_tmp_t) + + ############################## + # + # Policy + # + + allow $1_t self:capability { dac_override dac_read_search }; + allow $1_t self:process { execstack execmem signal getsched }; + allow $1_t self:fifo_file rw_file_perms; + allow $1_t self:shm create_shm_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:tun_socket create; + + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + + kernel_read_system_state($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_tcp_sendrecv_generic_node($1_t) + corenet_tcp_sendrecv_all_ports($1_t) + corenet_tcp_bind_generic_node($1_t) + corenet_tcp_bind_vnc_port($1_t) + corenet_rw_tun_tap_dev($1_t) + +# dev_rw_kvm($1_t) + + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) + files_read_usr_files($1_t) + files_read_var_files($1_t) + files_search_all($1_t) + + fs_list_inotifyfs($1_t) + fs_rw_anon_inodefs_files($1_t) + fs_rw_tmpfs_files($1_t) + + storage_raw_write_removable_device($1_t) + storage_raw_read_removable_device($1_t) + + term_use_ptmx($1_t) + term_getattr_pty_fs($1_t) + term_use_generic_ptys($1_t) + + miscfiles_read_localization($1_t) + + sysnet_read_config($1_t) + + userdom_use_user_terminals($1_t) + userdom_attach_admin_tun_iface($1_t) + + optional_policy(` + 
samba_domtrans_smbd($1_t) + ') + + optional_policy(` + virt_manage_images($1_t) + virt_read_config($1_t) + virt_read_lib_files($1_t) + virt_attach_tun_iface($1_t) + ') + + optional_policy(` + xserver_stream_connect($1_t) + xserver_read_xdm_tmp_files($1_t) + xserver_read_xdm_pid($1_t) +# xserver_xdm_rw_shm($1_t) + ') +') + +######################################## +## <summary> +## Role access for qemu. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. +## </summary> +## </param> +# +template(`qemu_role',` + gen_require(` + type qemu_t; + ') + + qemu_run($2, $1) + + allow $2 qemu_t:process { ptrace signal_perms }; + ps_process_pattern($2, qemu_t) +') + +######################################## +## <summary> +## Execute a domain transition to run qemu. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`qemu_domtrans',` + gen_require(` + type qemu_t, qemu_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, qemu_exec_t, qemu_t) +') + +######################################## +## <summary> +## Execute a qemu in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_exec',` + gen_require(` + type qemu_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, qemu_exec_t) +') + +######################################## +## <summary> +## Execute qemu in the qemu domain, +## and allow the specified role the +## qemu domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`qemu_run',` + gen_require(` + attribute_role qemu_roles; + ') + + qemu_domtrans($1) + roleattribute $2 qemu_roles; +') + +######################################## +## <summary> +## Read qemu process state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to allow access. +## </summary> +## </param> +# +interface(`qemu_read_state',` + gen_require(` + type qemu_t; + ') + + kernel_search_proc($1) + allow $1 qemu_t:dir list_dir_perms; + allow $1 qemu_t:file read_file_perms; + allow $1 qemu_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Set qemu scheduler. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_setsched',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process setsched; +') + +######################################## +## <summary> +## Send generic signals to qemu. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_signal',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process signal; +') + +######################################## +## <summary> +## Send kill signals to qemu. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_kill',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process sigkill; +') + +######################################## +## <summary> +## Connect to qemu with a unix +## domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`qemu_stream_connect',` + gen_require(` + type qemu_t, qemu_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t) +') + +######################################## +## <summary> +## Unlink qemu socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_delete_pid_sock_file',` + gen_require(` + type qemu_var_run_t; + ') + + allow $1 qemu_var_run_t:sock_file unlink; +') + +######################################## +## <summary> +## Execute a domain transition to +## run qemu unconfined. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`qemu_domtrans_unconfined',` + gen_require(` + type unconfined_qemu_t, qemu_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## qemu temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_manage_tmp_dirs',` + gen_require(` + type qemu_tmp_t; + ') + + files_search_tmp($1) + manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## qemu temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_manage_tmp_files',` + gen_require(` + type qemu_tmp_t; + ') + + files_search_tmp($1) + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) +') + +######################################## +## <summary> +## Execute qemu in a specified domain. +## </summary> +## <desc> +## <p> +## Execute qemu in a specified domain. 
+## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="source_domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## Domain to transition to. +## </summary> +## </param> +# +interface(`qemu_spec_domtrans',` + gen_require(` + type qemu_exec_t; + ') + + corecmd_search_bin($1) + domain_auto_transition_pattern($1, qemu_exec_t, $2) +') + +###################################### +## <summary> +## Make qemu executable files an +## entrypoint for the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which qemu_exec_t is an entrypoint. +## </summary> +## </param> +# +interface(`qemu_entry_type',` + gen_require(` + type qemu_exec_t; + ') + + domain_entry_file($1, qemu_exec_t) +') + +# Gentoo specific but cannot use ifdef distro_gentoo here + +####################################### +## <summary> +## Read/write to qemu socket files in /var/run +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_rw_pid_sock_files',` + gen_require(` + type qemu_var_run_t; + ') + + allow $1 qemu_var_run_t:sock_file rw_sock_file_perms; +') diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te new file mode 100644 index 00000000..a27624d8 --- /dev/null +++ b/policy/modules/apps/qemu.te 
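Review bot: `qemu_domtrans_unconfined` is documented only as "run qemu unconfined", but qemu.te in this series declares `unconfined_qemu_t` with `unconfined_domain()` plus `execstack`/`execmem` and `execmod` on qemu_exec_t, so granting this interface to a domain is equivalent to letting it spawn a fully unconfined process, which a reader of the .if alone cannot tell. Extend the summary with a sentence such as `## The target domain is an unconfined_domain(); callers of this interface must be treated as fully trusted.` Separately, `qemu_role` is declared with `template(` even though it takes a role and a domain exactly like `pulseaudio_role`, which is an `interface(`; it should be an interface for consistency.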
@@ -0,0 +1,136 @@
+policy_module(qemu, 1.10.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether qemu has full
+## access to the network.
+## </p>
+## </desc>
+gen_tunable(qemu_full_network, false)
+
+attribute_role qemu_roles;
+roleattribute system_r qemu_roles;
+
+type qemu_exec_t;
+application_executable_file(qemu_exec_t)
+
+virt_domain_template(qemu)
+role qemu_roles types qemu_t;
+
+type qemu_unit_t;
+init_unit_file(qemu_unit_t)
+
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+kernel_read_crypto_sysctls(qemu_t)
+
+dev_read_sysfs(qemu_t)
+
+allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
+files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+
+tunable_policy(`qemu_full_network',`
+ corenet_udp_sendrecv_generic_if(qemu_t)
+ corenet_udp_sendrecv_generic_node(qemu_t)
+ corenet_udp_sendrecv_all_ports(qemu_t)
+ corenet_udp_bind_generic_node(qemu_t)
+ corenet_udp_bind_all_ports(qemu_t)
+ corenet_tcp_bind_all_ports(qemu_t)
+ corenet_tcp_connect_all_ports(qemu_t)
+')
+
+optional_policy(`
+ fs_manage_xenfs_files(qemu_t)
+
+ dev_rw_xen(qemu_t)
+
+ xen_stream_connect_xenstore(qemu_t)
+ xen_append_log(qemu_t)
+ xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
+')
+
+########################################
+#
+# Unconfined local policy
+#
+
+optional_policy(`
+ type unconfined_qemu_t;
+ typealias unconfined_qemu_t alias qemu_unconfined_t;
+ application_type(unconfined_qemu_t)
+ unconfined_domain(unconfined_qemu_t)
+
+ allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
+')
+
+ifdef(`distro_gentoo',`
+
+ #################################
+ #
+ # Local policy
+ #
+
+ # VNC/GDB support
+ allow qemu_t self:tcp_socket create_stream_socket_perms;
+ allow qemu_t self:udp_socket create_socket_perms;
+
+ # Network related socket
+ allow qemu_t qemu_var_run_t:sock_file manage_sock_file_perms;
+
+ files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+
+ optional_policy(`
+ vde_connect(qemu_t)
+ ')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
+')
diff --git a/policy/modules/apps/rssh.fc b/policy/modules/apps/rssh.fc
new file mode 100644
index 00000000..c0768426
--- /dev/null
+++ b/policy/modules/apps/rssh.fc
@@ -0,0 +1,3 @@
+/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
+
+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
new file mode 100644
index 00000000..6ecadcbc
--- /dev/null
+++ b/policy/modules/apps/rssh.if
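Review bot: The Gentoo block repeats `files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)`, which the main local policy already declares just above the `qemu_full_network` tunable; the duplicate should be dropped, and the Gentoo `allow qemu_t qemu_var_run_t:sock_file manage_sock_file_perms;` silently widens the unconditional `create_sock_file_perms`, which deserves a comment saying why Gentoo needs the extra permissions. `allow qemu_ga_t self:capability sys_admin;` carries no justification; since qemu_ga_t is also given `corecmd_exec_bin` and `corecmd_exec_shell`, this is the broadest grant in the module and a comment naming the operation that requires it (presumably a filesystem freeze/thaw ioctl — confirm against the agent's code) would let a reviewer check it. The `# VNC/GDB support` socket rules are granted unconditionally while the corenet access elsewhere is behind `qemu_full_network`; a note on why socket creation is not gated by the same tunable would help.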
@@ -0,0 +1,112 @@
+## <summary>Restricted (scp/sftp) only shell.</summary>
+
+########################################
+## <summary>
+## Role access for rssh.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`rssh_role',`
+ gen_require(`
+ attribute_role rssh_roles;
+ type rssh_t, rssh_exec_t, rssh_ro_t;
+ type rssh_rw_t;
+ ')
+
+ roleattribute $1 rssh_roles;
+
+ domtrans_pattern($2, rssh_exec_t, rssh_t)
+
+ allow $2 rssh_t:process { ptrace signal_perms };
+ ps_process_pattern($2, rssh_t)
+
+ allow $2 { rssh_ro_t rssh_rw_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { rssh_ro_t rssh_rw_t }:file { manage_file_perms relabel_file_perms };
+')
+
+########################################
+## <summary>
+## Execute rssh in the rssh domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rssh_spec_domtrans',`
+ gen_require(`
+ type rssh_t, rssh_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
+')
+
+########################################
+## <summary>
+## Execute the rssh program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_exec',`
+ gen_require(`
+ type rssh_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rssh_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run rssh chroot helper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rssh_domtrans_chroot_helper',`
+ gen_require(`
+ type rssh_chroot_helper_t, rssh_chroot_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
+')
+
+########################################
+## <summary>
+## Read users rssh read-only content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_read_ro_content',`
+ gen_require(`
+ type rssh_ro_t;
+ ')
+
+ allow $1 rssh_ro_t:dir list_dir_perms;
+ allow $1 rssh_ro_t:file read_file_perms;
+')
diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te
new file mode 100644
index 00000000..91a89f65
--- /dev/null
+++ b/policy/modules/apps/rssh.te
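Review bot: `rssh_spec_domtrans` is documented as "Execute rssh in the rssh domain", but its body uses `spec_domtrans_pattern`, which as far as I recall from refpolicy's pattern definitions allows the transition without adding the `type_transition` rule, so the caller has to arrange the transition itself; the summary should say so, e.g. `## Execute rssh in the rssh domain, without an automatic transition.`, matching how `qemu_spec_domtrans` earlier in this series is described. In `rssh_role`, `$2` receives manage and relabel permissions on both `rssh_ro_t` and `rssh_rw_t`, so the read-only/read-write split applies only to rssh_t and not to the user domain; a one-line comment above those two allow rules stating that would stop `rssh_ro_t` being mistaken for content the user cannot alter. The `rssh_read_ro_content` summary reads `Read users rssh read-only content.`; `users'` is the intended form.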
@@ -0,0 +1,99 @@
+policy_module(rssh, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role rssh_roles;
+roleattribute system_r rssh_roles;
+
+type rssh_t;
+type rssh_exec_t;
+typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t };
+typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t };
+userdom_user_application_domain(rssh_t, rssh_exec_t)
+domain_user_exemption_target(rssh_t)
+domain_interactive_fd(rssh_t)
+role rssh_roles types rssh_t;
+
+type rssh_chroot_helper_t;
+type rssh_chroot_helper_exec_t;
+init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)
+
+type rssh_devpts_t;
+typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t };
+typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t };
+term_user_pty(rssh_t, rssh_devpts_t)
+ubac_constrained(rssh_devpts_t)
+
+type rssh_ro_t; # customizable
+typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t };
+typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t };
+userdom_user_home_content(rssh_ro_t)
+
+type rssh_rw_t; # customizable
+typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
+typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
+userdom_user_home_content(rssh_rw_t)
+
+##############################
+#
+# Local policy
+#
+
+allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow rssh_t self:fd use;
+allow rssh_t self:fifo_file rw_fifo_file_perms;
+allow rssh_t self:unix_dgram_socket sendto;
+allow rssh_t self:unix_stream_socket { accept connectto listen };
+
+allow rssh_t rssh_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(rssh_t, rssh_devpts_t)
+
+allow rssh_t rssh_ro_t:dir list_dir_perms;
+read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t)
+
+manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+
+kernel_read_system_state(rssh_t)
+kernel_read_kernel_sysctls(rssh_t)
+
+files_read_etc_files(rssh_t)
+files_read_etc_runtime_files(rssh_t)
+files_list_home(rssh_t)
+files_read_usr_files(rssh_t)
+files_list_var(rssh_t)
+
+fs_search_auto_mountpoints(rssh_t)
+
+logging_send_syslog_msg(rssh_t)
+
+miscfiles_read_localization(rssh_t)
+
+rssh_domtrans_chroot_helper(rssh_t)
+
+ssh_rw_tcp_sockets(rssh_t)
+ssh_rw_stream_sockets(rssh_t)
+
+optional_policy(`
+ nis_use_ypbind(rssh_t)
+')
+
+########################################
+#
+# Chroot helper local policy
+#
+
+allow rssh_chroot_helper_t self:capability { setuid sys_chroot };
+allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
+allow rssh_chroot_helper_t self:unix_stream_socket { accept listen };
+
+domain_use_interactive_fds(rssh_chroot_helper_t)
+
+auth_use_nsswitch(rssh_chroot_helper_t)
+
+logging_send_syslog_msg(rssh_chroot_helper_t)
+
+miscfiles_read_localization(rssh_chroot_helper_t)
diff --git a/policy/modules/apps/sambagui.fc b/policy/modules/apps/sambagui.fc
new file mode 100644
index 00000000..2640dcf0
--- /dev/null
+++ b/policy/modules/apps/sambagui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism\.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
diff --git a/policy/modules/apps/sambagui.if b/policy/modules/apps/sambagui.if
new file mode 100644
index 00000000..d9c7bb65
--- /dev/null
+++ b/policy/modules/apps/sambagui.if
@@ -0,0 +1 @@
+## <summary>system-config-samba dbus service.</summary>
diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
new file mode 100644
index 00000000..e18b0a28
--- /dev/null
+++ b/policy/modules/apps/sambagui.te
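Review bot: The `allow rssh_t self:process { transition signal_perms getsched ... getrlimit };` rule grants an unusually long, uncommented set of self-process permissions for a shell whose whole purpose is restriction; `dyntransition`, `setcap`, `setkeycreate`, `setsockcreate`, `share`, `siginh`, `noatsecure` and `rlimitinh` are not obviously needed by an scp/sftp-only shell and read like an expanded complement rule. Each of them should be justified by a comment or removed; at minimum put `# TODO(review): justify or prune self:process permissions beyond signal_perms/getsched/setsched` above the rule so the next reader does not inherit the list unquestioned. The chroot helper section is easier to vet: `{ setuid sys_chroot }` matches what a chroot-then-drop-privileges helper is expected to need.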
@@ -0,0 +1,66 @@
+policy_module(sambagui, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role sambagui_roles;
+roleattribute system_r sambagui_roles;
+
+type sambagui_t;
+type sambagui_exec_t;
+application_domain(sambagui_t, sambagui_exec_t)
+role sambagui_roles types sambagui_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sambagui_t self:capability dac_override;
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(sambagui_t)
+
+corecmd_exec_bin(sambagui_t)
+corecmd_exec_shell(sambagui_t)
+
+dev_dontaudit_read_urand(sambagui_t)
+
+files_read_usr_files(sambagui_t)
+
+auth_use_nsswitch(sambagui_t)
+auth_dontaudit_read_shadow(sambagui_t)
+
+logging_send_syslog_msg(sambagui_t)
+
+miscfiles_read_localization(sambagui_t)
+
+sysnet_use_ldap(sambagui_t)
+
+optional_policy(`
+ consoletype_exec(sambagui_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(sambagui_t)
+')
+
+optional_policy(`
+ dbus_system_domain(sambagui_t, sambagui_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+ ')
+')
+
+optional_policy(`
+ samba_append_log(sambagui_t)
+ samba_manage_config(sambagui_t)
+ samba_manage_var_files(sambagui_t)
+ samba_read_secrets(sambagui_t)
+ samba_initrc_domtrans(sambagui_t)
+ samba_domtrans_smbd(sambagui_t)
+ samba_domtrans_nmbd(sambagui_t)
+')
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
new file mode 100644
index 00000000..7196c598
--- /dev/null
+++ b/policy/modules/apps/screen.fc
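Review bot: `allow sambagui_t self:capability dac_override;` has no comment saying which access needs it, and nothing else in the module explains it: the samba interfaces already grant the specific file access (`samba_manage_config`, `samba_manage_var_files`, `samba_read_secrets`), which should make a DAC bypass unnecessary unless the mechanism runs as an unprivileged user. Because this domain is a system-bus mechanism that can read samba secrets and start smbd/nmbd, an unexplained dac_override is worth an audit; either add `# dac_override: <reason> -- TODO confirm` or drop it and re-check the AVC log. `auth_dontaudit_read_shadow` similarly hints that something on this code path touches the shadow file; a note on why that is silenced rather than fixed would help the next reader.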
@@ -0,0 +1,9 @@
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
+
+/run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
new file mode 100644
index 00000000..884e261a
--- /dev/null
+++ b/policy/modules/apps/screen.if
@@ -0,0 +1,92 @@
+## <summary>GNU terminal multiplexer.</summary>
+
+#######################################
+## <summary>
+## The role template for the screen module.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`screen_role_template',`
+ gen_require(`
+ attribute screen_domain;
+ attribute_role screen_roles;
+ type screen_exec_t, screen_tmp_t;
+ type screen_home_t, screen_runtime_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_screen_t, screen_domain;
+ userdom_user_application_domain($1_screen_t, screen_exec_t)
+ domain_interactive_fd($1_screen_t)
+ role screen_roles types $1_screen_t;
+
+ roleattribute $2 screen_roles;
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ dontaudit $1_screen_t self:capability sys_tty_config;
+
+ domtrans_pattern($3, screen_exec_t, $1_screen_t)
+
+ ps_process_pattern($3, $1_screen_t)
+ allow $3 $1_screen_t:process { ptrace signal_perms };
+
+ dontaudit $3 $1_screen_t:unix_stream_socket { read write };
+ allow $1_screen_t $3:process signal;
+
+ allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms };
+ allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+
+ allow $3 screen_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 screen_home_t:file { manage_file_perms relabel_file_perms };
+ allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
+ userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
+ userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
+
+ manage_dirs_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_files_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_lnk_files_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_fifo_files_pattern($3, screen_runtime_t, screen_runtime_t)
+
+ corecmd_bin_domtrans($1_screen_t, $3)
+ corecmd_shell_domtrans($1_screen_t, $3)
+
+ auth_domtrans_chk_passwd($1_screen_t)
+ auth_use_nsswitch($1_screen_t)
+
+ userdom_user_home_domtrans($1_screen_t, $3)
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_cifs_domtrans($1_screen_t, $3)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_nfs_domtrans($1_screen_t, $3)
+ ')
+')
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
new file mode 100644
index 00000000..845c61c8
--- /dev/null
+++ b/policy/modules/apps/screen.te
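Review bot: The template hands the user domain `$3` full manage rights on `screen_runtime_t` (`manage_dirs_pattern($3, screen_runtime_t, screen_runtime_t)` and the three lines after it), and in screen.te that is a single type covering /run/screen and /run/tmux for every user, so nothing in the type system separates one user's session sockets from another's. The trust boundary should be stated where the rules are, e.g. `# screen_runtime_t is shared by all users; per-user isolation relies on DAC and ubac_constrained, not on this type`. The template also lacks the `<desc>` block that `telepathy_role_template` later in this series carries; a short description noting that a derived `$1_screen_t` domain is created and that screen re-enters the user domain via `corecmd_bin_domtrans`/`userdom_user_home_domtrans` would help callers understand what they are granting.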
@@ -0,0 +1,126 @@
+policy_module(screen, 2.9.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute screen_domain;
+
+attribute_role screen_roles;
+
+type screen_exec_t;
+application_executable_file(screen_exec_t)
+
+type screen_home_t;
+userdom_user_home_content(screen_home_t)
+
+type screen_tmp_t;
+userdom_user_tmp_file(screen_tmp_t)
+
+type screen_runtime_t;
+typealias screen_runtime_t alias screen_var_run_t;
+files_pid_file(screen_runtime_t)
+ubac_constrained(screen_runtime_t)
+
+########################################
+#
+# Common screen domain local policy
+#
+
+# dac_override : read /dev/pts/ID
+allow screen_domain self:capability { dac_override fsetid setgid setuid };
+allow screen_domain self:process signal_perms;
+allow screen_domain self:fd use;
+allow screen_domain self:fifo_file rw_fifo_file_perms;
+allow screen_domain self:tcp_socket { accept listen };
+allow screen_domain self:unix_stream_socket { accept connectto listen };
+
+manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
+filetrans_pattern(screen_domain, screen_tmp_t, screen_runtime_t, sock_file)
+
+manage_fifo_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+manage_dirs_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+manage_sock_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+files_pid_filetrans(screen_domain, screen_runtime_t, dir)
+
+manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
+read_files_pattern(screen_domain, screen_home_t, screen_home_t)
+manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
+read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen")
+
+kernel_read_system_state(screen_domain)
+kernel_read_kernel_sysctls(screen_domain)
+
+corecmd_list_bin(screen_domain)
+corecmd_read_bin_files(screen_domain)
+corecmd_read_bin_pipes(screen_domain)
+corecmd_read_bin_sockets(screen_domain)
+
+corenet_all_recvfrom_unlabeled(screen_domain)
+corenet_all_recvfrom_netlabel(screen_domain)
+corenet_tcp_sendrecv_generic_if(screen_domain)
+corenet_tcp_sendrecv_generic_node(screen_domain)
+corenet_tcp_sendrecv_all_ports(screen_domain)
+
+corenet_sendrecv_all_client_packets(screen_domain)
+corenet_tcp_connect_all_ports(screen_domain)
+
+dev_dontaudit_getattr_all_chr_files(screen_domain)
+dev_dontaudit_getattr_all_blk_files(screen_domain)
+dev_read_urand(screen_domain)
+
+domain_use_interactive_fds(screen_domain)
+domain_sigchld_interactive_fds(screen_domain)
+domain_read_all_domains_state(screen_domain)
+
+files_list_home(screen_domain)
+files_read_usr_files(screen_domain)
+
+fs_search_auto_mountpoints(screen_domain)
+fs_getattr_all_fs(screen_domain)
+
+auth_dontaudit_read_shadow(screen_domain)
+auth_dontaudit_exec_utempter(screen_domain)
+
+init_rw_utmp(screen_domain)
+
+logging_send_syslog_msg(screen_domain)
+
+miscfiles_read_localization(screen_domain)
+
+seutil_read_config(screen_domain)
+
+userdom_use_user_terminals(screen_domain)
+userdom_create_user_pty(screen_domain)
+userdom_setattr_user_ptys(screen_domain)
+userdom_setattr_user_ttys(screen_domain)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(screen_domain)
+ fs_read_cifs_files(screen_domain)
+ fs_manage_cifs_named_pipes(screen_domain)
+ fs_read_cifs_symlinks(screen_domain)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(screen_domain)
+ fs_read_nfs_files(screen_domain)
+ fs_manage_nfs_named_pipes(screen_domain)
+ fs_read_nfs_symlinks(screen_domain)
+')
+
+ifdef(`distro_gentoo',`
+ ######################################
+ #
+ # screen domain policy
+ #
+
+ # Bug #463222 - Create and listen on socket (/tmp/tmux-*/default)
+ allow screen_domain screen_tmp_t:sock_file manage_sock_file_perms;
+ allow screen_domain self:unix_stream_socket { accept listen };
+')
diff --git a/policy/modules/apps/slocate.fc b/policy/modules/apps/slocate.fc
new file mode 100644
index 00000000..264e1bed
--- /dev/null
+++ b/policy/modules/apps/slocate.fc
@@ -0,0 +1,7 @@
+/etc/cron\.daily/[sm]locate -- gen_context(system_u:object_r:locate_exec_t,s0)
+
+/usr/bin/updatedb.* -- gen_context(system_u:object_r:locate_exec_t,s0)
+
+/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0)
+
+/run/mlocate\.daily\.lock -- gen_context(system_u:object_r:locate_var_run_t,s0)
diff --git a/policy/modules/apps/slocate.if b/policy/modules/apps/slocate.if
new file mode 100644
index 00000000..82de1b68
--- /dev/null
+++ b/policy/modules/apps/slocate.if
@@ -0,0 +1,21 @@
+## <summary>Update database for mlocate.</summary>
+
+########################################
+## <summary>
+## Read locate lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`locate_read_lib_files',`
+ gen_require(`
+ type locate_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, locate_var_lib_t, locate_var_lib_t)
+ allow $1 locate_var_lib_t:dir list_dir_perms;
+')
diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
new file mode 100644
index 00000000..2bf0fed4
--- /dev/null
+++ b/policy/modules/apps/slocate.te
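Review bot: In the Gentoo block, `allow screen_domain self:unix_stream_socket { accept listen };` duplicates the `{ accept connectto listen }` rule already in the common section and can be dropped. The common section also grants `corenet_tcp_connect_all_ports` and `corenet_tcp_sendrecv_all_ports` to every screen domain with no comment; a terminal multiplexer that may connect to any port is a convenient foothold if its process is compromised, so the reason (presumably screen's built-in telnet client — confirm) should be recorded next to those lines or the access placed behind a tunable. The capability comment explains only dac_override; `fsetid`, `setgid` and `setuid` in the same rule each deserve a word, since `setuid`/`setgid` in particular let the domain change identity.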
@@ -0,0 +1,73 @@
+policy_module(slocate, 1.14.0)
+
+#################################
+#
+# Declarations
+#
+
+type locate_t;
+type locate_exec_t;
+init_system_domain(locate_t, locate_exec_t)
+
+type locate_var_lib_t;
+files_type(locate_var_lib_t)
+
+type locate_var_run_t;
+files_pid_file(locate_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow locate_t self:capability { chown dac_override dac_read_search fowner fsetid };
+allow locate_t self:process { execmem execheap execstack signal setsched };
+allow locate_t self:fifo_file rw_fifo_file_perms;
+allow locate_t self:unix_stream_socket create_socket_perms;
+
+manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+
+allow locate_t locate_var_run_t:file manage_file_perms;
+files_pid_filetrans(locate_t, locate_var_run_t, file, "mlocate.daily.lock")
+
+can_exec(locate_t, locate_exec_t)
+
+kernel_read_system_state(locate_t)
+kernel_dontaudit_search_network_state(locate_t)
+kernel_dontaudit_search_sysctl(locate_t)
+
+corecmd_exec_bin(locate_t)
+corecmd_exec_shell(locate_t)
+
+dev_getattr_all_blk_files(locate_t)
+dev_getattr_all_chr_files(locate_t)
+
+files_list_all(locate_t)
+files_dontaudit_read_all_symlinks(locate_t)
+files_getattr_all_files(locate_t)
+files_getattr_all_pipes(locate_t)
+files_getattr_all_sockets(locate_t)
+files_read_etc_runtime_files(locate_t)
+
+fs_getattr_all_fs(locate_t)
+fs_getattr_all_files(locate_t)
+fs_getattr_all_pipes(locate_t)
+fs_getattr_all_symlinks(locate_t)
+fs_getattr_all_blk_files(locate_t)
+fs_getattr_all_chr_files(locate_t)
+fs_list_all(locate_t)
+fs_list_inotifyfs(locate_t)
+fs_read_noxattr_fs_symlinks(locate_t)
+
+auth_use_nsswitch(locate_t)
+
+miscfiles_read_localization(locate_t)
+
+ifdef(`enable_mls',`
+ files_dontaudit_getattr_all_dirs(locate_t)
+')
+
+optional_policy(`
+ cron_system_entry(locate_t, locate_exec_t)
+')
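Review bot: `allow locate_t self:process { execmem execheap execstack signal setsched };` gives writable-and-executable memory to an indexing job that runs from cron as a system domain, with no comment saying which binary needs it; if these are leftover audit2allow output they quietly remove W^X from a process that walks the entire filesystem, so either document the need or drop them and re-test. The capability rule lists both `dac_override` and `dac_read_search`; with `dac_read_search` present, `dac_override` only adds write/execute bypass, and the only writes in this module go to `locate_var_lib_t` and `locate_var_run_t`, so a comment such as `# dac_override: <which write needs it> -- TODO confirm` (or removing it) would make the grant reviewable.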
diff --git a/policy/modules/apps/syncthing.fc b/policy/modules/apps/syncthing.fc
new file mode 100644
index 00000000..e95b451e
--- /dev/null
+++ b/policy/modules/apps/syncthing.fc
@@ -0,0 +1,3 @@
+/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
+
+HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_xdg_config_t,s0)
diff --git a/policy/modules/apps/syncthing.if b/policy/modules/apps/syncthing.if
new file mode 100644
index 00000000..2c0eb24c
--- /dev/null
+++ b/policy/modules/apps/syncthing.if
@@ -0,0 +1,31 @@
+## <summary>Application that lets you synchronize your files across multiple devices.</summary>
+
+########################################
+## <summary>
+## Role access for Syncthing
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`syncthing_role', `
+ gen_require(`
+ attribute_role syncthing_roles;
+ type syncthing_t, syncthing_exec_t, syncthing_xdg_config_t;
+ ')
+
+ roleattribute $1 syncthing_roles;
+
+ domtrans_pattern($2, syncthing_exec_t, syncthing_t)
+
+ allow $2 syncthing_xdg_config_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_xdg_config_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_xdg_config_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+')
diff --git a/policy/modules/apps/syncthing.te b/policy/modules/apps/syncthing.te
new file mode 100644
index 00000000..5799b8e2
--- /dev/null
+++ b/policy/modules/apps/syncthing.te
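Review bot: `interface(`syncthing_role', `` puts a space before the opening quote of the body, unlike every other interface in this series (`interface(`rssh_role',``), and the summaries `Role access for Syncthing`, `Role allowed access` and `User domain for the role` drop the trailing period the other modules' XML comments use. Both are cosmetic, but the doc comments feed the generated interface documentation, so keeping the format uniform is worth the two-character fixes.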
@@ -0,0 +1,69 @@
+policy_module(syncthing, 1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+
+type syncthing_xdg_config_t alias syncthing_config_home_t;
+xdg_config_content(syncthing_xdg_config_t)
+
+########################################
+#
+# Declarations
+#
+
+allow syncthing_t self:process getsched;
+allow syncthing_t self:fifo_file rw_fifo_file_perms;
+allow syncthing_t self:tcp_socket { listen accept };
+
+can_exec(syncthing_t, syncthing_exec_t)
+
+manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)
+
+kernel_read_kernel_sysctls(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+kernel_read_system_state(syncthing_t)
+
+corenet_tcp_sendrecv_generic_if(syncthing_t)
+corenet_udp_sendrecv_generic_if(syncthing_t)
+corenet_tcp_bind_generic_node(syncthing_t)
+corenet_tcp_sendrecv_generic_node(syncthing_t)
+corenet_tcp_sendrecv_all_ports(syncthing_t)
+corenet_udp_bind_generic_node(syncthing_t)
+corenet_udp_sendrecv_generic_node(syncthing_t)
+corenet_udp_sendrecv_all_ports(syncthing_t)
+corenet_tcp_connect_all_ports(syncthing_t)
+corenet_tcp_bind_syncthing_port(syncthing_t)
+corenet_udp_bind_syncthing_discovery_port(syncthing_t)
+corenet_tcp_bind_syncthing_admin_port(syncthing_t)
+
+dev_read_rand(syncthing_t)
+dev_read_urand(syncthing_t)
+
+fs_getattr_xattr_fs(syncthing_t)
+
+auth_use_nsswitch(syncthing_t)
+
+miscfiles_read_generic_certs(syncthing_t)
+miscfiles_read_localization(syncthing_t)
+
+userdom_user_content_access_template(syncthing, syncthing_t)
+
+userdom_use_user_terminals(syncthing_t)
+
+optional_policy(`
+ # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+ networkmanager_read_pid_files(syncthing_t)
+')
diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
new file mode 100644
index 00000000..4600d815
--- /dev/null
+++ b/policy/modules/apps/telepathy.fc
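Review bot: The second section header reads `# Declarations` but introduces the local policy (from `allow syncthing_t self:process getsched;` onward); every other module in this series labels that section `# Local policy`, and the copy-paste makes the file look as if it has no rules section. `role syncthing_roles types syncthing_t;` also appears before `type syncthing_t;` is declared, whereas rssh.te and sambagui.te in the same diff declare the type first; moving the role line below `init_daemon_domain(...)` keeps the ordering consistent with the rest of the tree. Applying both `init_daemon_domain` and `userdom_user_application_domain` to one type is unusual enough to merit a comment stating that the same domain is meant to serve as a system service and as a per-user instance.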
@@ -0,0 +1,35 @@
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_xdg_cache_t,s0)
+HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_xdg_cache_t, s0)
+HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t, s0)
+HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_xdg_cache_t,s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t,s0)
+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t,s0)
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
+HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_xdg_data_t,s0)
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_xdg_data_t,s0)
+HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0)
+HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_xdg_data_t,s0)
+
+/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
+/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+/usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
+/usr/lib/telepathy/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+/usr/lib/telepathy/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
+/usr/lib/telepathy/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/lib/telepathy/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t,s0)
+/usr/lib/telepathy/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+/usr/lib/telepathy/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+/usr/lib/telepathy/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
+/usr/lib/telepathy/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
+
+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
new file mode 100644
index 00000000..d81dc193
--- /dev/null
+++ b/policy/modules/apps/telepathy.if
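Review bot: Three entries write the context as `gen_context(..., s0)` with a space before `s0` (the `HOME_DIR/\.cache/telepathy(/.*)?` line, the `avatars/gabble` line and `/usr/libexec/telepathy-salut`), while the other 32 lines use `,s0`; m4 strips the leading space from a macro argument, so the generated contexts are identical, but the inconsistency stands out in a file that otherwise follows one format and is worth normalising before it is copied into the next module.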
@@ -0,0 +1,247 @@
+## <summary>Telepathy communications framework.</summary>
+
+#######################################
+## <summary>
+## The template to define a telepathy domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`telepathy_domain_template',`
+ gen_require(`
+ attribute telepathy_domain, telepathy_executable, telepathy_tmp_content;
+ ')
+
+ type telepathy_$1_t, telepathy_domain;
+ type telepathy_$1_exec_t, telepathy_executable;
+ userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+
+ type telepathy_$1_tmp_t, telepathy_tmp_content;
+ userdom_user_tmp_file(telepathy_$1_tmp_t)
+
+ optional_policy(`
+ wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ')
+
+ auth_use_nsswitch(telepathy_$1_t)
+')
+
+#######################################
+## <summary>
+## The role template for the telepathy module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for window manager applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`telepathy_role_template',`
+ gen_require(`
+ attribute telepathy_domain, telepathy_tmp_content;
+ type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
+ type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
+ type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
+ type telepathy_sofiasip_exec_t, telepathy_idle_exec_t;
+ type telepathy_logger_t, telepathy_logger_exec_t;
+ type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
+ type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
+ type telepathy_msn_exec_t;
+
+ type telepathy_mission_control_xdg_cache_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t;
+ type telepathy_gabble_xdg_cache_t, telepathy_mission_control_t, telepathy_xdg_data_t;
+ type telepathy_mission_control_xdg_data_t, telepathy_sunshine_home_t, telepathy_logger_xdg_data_t;
+ type telepathy_mission_control_home_t;
+ ')
+
+ role $2 types telepathy_domain;
+
+ allow $3 telepathy_domain:process { ptrace signal_perms };
+ ps_process_pattern($3, telepathy_domain)
+
+ telepathy_gabble_stream_connect($3)
+ telepathy_msn_stream_connect($3)
+ telepathy_salut_stream_connect($3)
+
+ dbus_spec_session_domain($1, telepathy_gabble_t, telepathy_gabble_exec_t)
+ dbus_spec_session_domain($1, telepathy_sofiasip_t, telepathy_sofiasip_exec_t)
+ dbus_spec_session_domain($1, telepathy_idle_t, telepathy_idle_exec_t)
+ dbus_spec_session_domain($1, telepathy_logger_t, telepathy_logger_exec_t)
+ dbus_spec_session_domain($1, telepathy_mission_control_t, telepathy_mission_control_exec_t)
+ dbus_spec_session_domain($1, telepathy_salut_t, telepathy_salut_exec_t)
+ dbus_spec_session_domain($1, telepathy_sunshine_t, telepathy_sunshine_exec_t)
+ dbus_spec_session_domain($1, telepathy_stream_engine_t, telepathy_stream_engine_exec_t)
+ dbus_spec_session_domain($1, telepathy_msn_t, telepathy_msn_exec_t)
+
+ allow $3 { telepathy_mission_control_xdg_cache_t 
telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms };
+
+ allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:file { manage_file_perms relabel_file_perms };
+
+ filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble")
+ # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
+
+ filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger")
+ # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
+
+ userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
+ filetrans_pattern($3, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control")
+ # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+
+ userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+
+ # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy")
+ # gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy")
+
+ allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms };
+ allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ 
telepathy_mission_control_dbus_chat($3)
+')
+
+########################################
+## <summary>
+## Connect to gabble with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_gabble_stream_connect',`
+ gen_require(`
+ type telepathy_gabble_t, telepathy_gabble_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
+')
+
+########################################
+## <summary>
+## Send dbus messages to and from
+## gabble.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_gabble_dbus_chat',`
+ gen_require(`
+ type telepathy_gabble_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_gabble_t:dbus send_msg;
+ allow telepathy_gabble_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send dbus messages to and from
+## mission control.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_mission_control_dbus_chat',`
+ gen_require(`
+ type telepathy_mission_control_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_mission_control_t:dbus send_msg;
+ allow telepathy_mission_control_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read mission control process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_mission_control_read_state',`
+ gen_require(`
+ type telepathy_mission_control_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 telepathy_mission_control_t:dir list_dir_perms;
+ allow $1 telepathy_mission_control_t:file read_file_perms;
+ allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+## Connect to msn with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_msn_stream_connect',`
+ gen_require(`
+ type telepathy_msn_t, telepathy_msn_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
+')
+
+########################################
+## <summary>
+## Connect to salut with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_salut_stream_connect',`
+ gen_require(`
+ type telepathy_salut_t, telepathy_salut_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
index 00000000..8f0997d9
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
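Review bot: In `telepathy_role_template`, `telepathy_mission_control_t` is listed twice in the `gen_require` block — once on the first `type` line and again on `type telepathy_gabble_xdg_cache_t, telepathy_mission_control_t, telepathy_xdg_data_t;`; the second occurrence should be dropped, `type telepathy_gabble_xdg_cache_t, telepathy_xdg_data_t;`. The same template's `<desc>` still reads "This template creates a derived domains which are used for window manager applications", which does not describe what this template does and looks copied from another module; reword it to something like `## This template grants the user role and domain access to the telepathy connection managers, their session dbus domains and their home, cache and tmp content.`. `allow $3 telepathy_domain:process { ptrace signal_perms };` gives the user domain ptrace over every telepathy domain, which is broader than the stream-connect and dbus access the rest of the template needs, so a one-line comment stating why the role needs ptrace would let a later reviewer decide whether it should stay or be narrowed. The commented-out `gnome_cache_filetrans` and `gnome_data_filetrans` calls are dead code; either remove them or add a comment naming what they are waiting on.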
@@ -0,0 +1,485 @@
+policy_module(telepathy, 1.8.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether telepathy connection
+## managers can connect to generic tcp ports.
+## </p>
+## </desc>
+gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
+
+## <desc>
+## <p>
+## Determine whether telepathy connection
+## managers can connect to any port.
+## </p>
+## </desc>
+gen_tunable(telepathy_connect_all_ports, false)
+
+attribute telepathy_domain;
+attribute telepathy_executable;
+attribute telepathy_tmp_content;
+
+telepathy_domain_template(gabble)
+
+type telepathy_xdg_cache_t alias telepathy_cache_home_t;
+xdg_cache_content(telepathy_xdg_cache_t)
+
+type telepathy_gabble_xdg_cache_t alias telepathy_gabble_cache_home_t;
+xdg_cache_content(telepathy_gabble_xdg_cache_t)
+
+telepathy_domain_template(idle)
+telepathy_domain_template(logger)
+
+type telepathy_xdg_data_t alias telepathy_data_home_t;
+xdg_data_content(telepathy_xdg_data_t)
+
+type telepathy_logger_xdg_cache_t alias telepathy_logger_cache_home_t;
+xdg_cache_content(telepathy_logger_xdg_cache_t)
+
+type telepathy_logger_xdg_data_t alias telepathy_logger_data_home_t;
+xdg_data_content(telepathy_logger_xdg_data_t)
+
+telepathy_domain_template(mission_control)
+
+type telepathy_mission_control_home_t;
+userdom_user_home_content(telepathy_mission_control_home_t)
+
+type telepathy_mission_control_xdg_data_t alias telepathy_mission_control_data_home_t;
+xdg_data_content(telepathy_mission_control_xdg_data_t)
+
+type telepathy_mission_control_xdg_cache_t alias telepathy_mission_control_cache_home_t;
+xdg_cache_content(telepathy_mission_control_xdg_cache_t)
+
+telepathy_domain_template(msn)
+telepathy_domain_template(salut)
+telepathy_domain_template(sofiasip)
+telepathy_domain_template(stream_engine)
+telepathy_domain_template(sunshine)
+
+type telepathy_sunshine_home_t;
+userdom_user_home_content(telepathy_sunshine_home_t)
+
+#######################################
+#
+# Gabble local policy
+#
+
+allow telepathy_gabble_t self:tcp_socket { accept listen };
+allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
+
+# ~/.cache/telepathy/gabble/caps-cache.db-journal
+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+manage_files_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+filetrans_pattern(telepathy_gabble_t, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble")
+# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, dir, "wocky")
+
+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+
+corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
+corenet_all_recvfrom_netlabel(telepathy_gabble_t)
+corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
+corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
+
+corenet_sendrecv_http_client_packets(telepathy_gabble_t)
+corenet_tcp_connect_http_port(telepathy_gabble_t)
+corenet_tcp_sendrecv_http_port(telepathy_gabble_t)
+
+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
+corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
+corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t)
+
+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
+corenet_tcp_connect_vnc_port(telepathy_gabble_t)
+corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t)
+
+dev_read_rand(telepathy_gabble_t)
+
+files_read_config_files(telepathy_gabble_t)
+files_read_usr_files(telepathy_gabble_t)
+
+miscfiles_read_all_certs(telepathy_gabble_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_sendrecv_all_client_packets(telepathy_gabble_t)
+ corenet_tcp_connect_all_ports(telepathy_gabble_t)
+ 
corenet_tcp_sendrecv_all_ports(telepathy_gabble_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+ corenet_tcp_connect_generic_port(telepathy_gabble_t)
+ corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_gabble_t)
+ fs_manage_nfs_files(telepathy_gabble_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_gabble_t)
+ fs_manage_cifs_files(telepathy_gabble_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_gabble_t)
+')
+
+# optional_policy(`
+ # ~/.config/dconf/user
+ # gnome_manage_generic_home_content(telepathy_gabble_t)
+# ')
+
+#######################################
+#
+# Idle local policy
+#
+
+corenet_all_recvfrom_netlabel(telepathy_idle_t)
+corenet_all_recvfrom_unlabeled(telepathy_idle_t)
+corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
+corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
+
+corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t)
+corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
+corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t)
+
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
+corenet_tcp_connect_ircd_port(telepathy_idle_t)
+corenet_tcp_sendrecv_ircd_port(telepathy_idle_t)
+
+dev_read_rand(telepathy_idle_t)
+
+files_read_usr_files(telepathy_idle_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_sendrecv_all_client_packets(telepathy_idle_t)
+ corenet_tcp_connect_all_ports(telepathy_idle_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_idle_t)
+ corenet_tcp_connect_generic_port(telepathy_idle_t)
+ corenet_tcp_sendrecv_generic_port(telepathy_idle_t)
+')
+
+#######################################
+#
+# Logger local policy
+#
+
+allow telepathy_logger_t self:unix_stream_socket 
create_socket_perms;
+
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t)
+filetrans_pattern(telepathy_logger_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger")
+
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t)
+# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_xdg_data_t, dir, "TpLogger")
+
+files_read_usr_files(telepathy_logger_t)
+files_search_pids(telepathy_logger_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_logger_t)
+ fs_manage_nfs_files(telepathy_logger_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_logger_t)
+ fs_manage_cifs_files(telepathy_logger_t)
+')
+
+# optional_policy(`
+ # ~/.config/dconf/user
+ # gnome_manage_generic_home_content(telepathy_logger_t)
+# ')
+
+#######################################
+#
+# Mission-Control local policy
+#
+
+allow telepathy_mission_control_t self:process setsched;
+
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
+
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t)
+filetrans_pattern(telepathy_mission_control_t, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control")
+
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, telepathy_mission_control_xdg_cache_t)
+# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, file, ".mc_connections")
+
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+
+dev_read_rand(telepathy_mission_control_t)
+
+files_list_tmp(telepathy_mission_control_t)
+files_read_usr_files(telepathy_mission_control_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_mission_control_t)
+ fs_manage_nfs_files(telepathy_mission_control_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_mission_control_t)
+ fs_manage_cifs_files(telepathy_mission_control_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_mission_control_t)
+
+ optional_policy(`
+ devicekit_dbus_chat_power(telepathy_mission_control_t)
+ ')
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t)
+ ')
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_mission_control_t)
+ ')
+')
+
+# optional_policy(`
+ # ~/.config/dconf/user
+ # gnome_manage_generic_home_content(telepathy_mission_control_t)
+# ')
+
+#######################################
+#
+# Butterfly and Haze local policy
+#
+
+allow telepathy_msn_t self:process setsched;
+
+manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+
+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+
+can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
+
+corenet_all_recvfrom_netlabel(telepathy_msn_t)
+corenet_all_recvfrom_unlabeled(telepathy_msn_t)
+corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
+corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
+
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_tcp_connect_http_port(telepathy_msn_t)
+corenet_tcp_sendrecv_http_port(telepathy_msn_t)
+
+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
+corenet_tcp_connect_mmcc_port(telepathy_msn_t)
+corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t)
+
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
+corenet_tcp_connect_msnp_port(telepathy_msn_t)
+corenet_tcp_sendrecv_msnp_port(telepathy_msn_t)
+
+corenet_sendrecv_sip_client_packets(telepathy_msn_t)
+corenet_tcp_connect_sip_port(telepathy_msn_t)
+corenet_tcp_sendrecv_sip_port(telepathy_msn_t)
+
+corecmd_exec_bin(telepathy_msn_t)
+corecmd_exec_shell(telepathy_msn_t)
+
+files_read_usr_files(telepathy_msn_t)
+
+init_read_state(telepathy_msn_t)
+
+libs_exec_ldconfig(telepathy_msn_t)
+
+logging_send_syslog_msg(telepathy_msn_t)
+
+miscfiles_read_all_certs(telepathy_msn_t)
+
+# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_sendrecv_all_client_packets(telepathy_msn_t)
+ corenet_tcp_connect_all_ports(telepathy_msn_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_msn_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_msn_t)
+ corenet_tcp_connect_generic_port(telepathy_msn_t)
+ corenet_tcp_sendrecv_generic_port(telepathy_msn_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_msn_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_msn_t)
+ ')
+')
+
+# optional_policy(`
+ # ~/.config/dconf/user
+ # gnome_manage_generic_home_content(telepathy_msn_t)
+# ')
+
+#######################################
+#
+# Salut local policy
+#
+
+allow telepathy_salut_t self:tcp_socket { accept listen };
+
+manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
+files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
+
+corenet_all_recvfrom_netlabel(telepathy_salut_t)
+corenet_all_recvfrom_unlabeled(telepathy_salut_t)
+corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
+corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
+corenet_tcp_bind_generic_node(telepathy_salut_t)
+
+corenet_sendrecv_presence_server_packets(telepathy_salut_t)
+corenet_tcp_bind_presence_port(telepathy_salut_t)
+corenet_sendrecv_presence_client_packets(telepathy_salut_t)
+corenet_tcp_connect_presence_port(telepathy_salut_t)
+corenet_tcp_sendrecv_presence_port(telepathy_salut_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_sendrecv_all_client_packets(telepathy_salut_t)
+ corenet_tcp_connect_all_ports(telepathy_salut_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_salut_t)
+ corenet_tcp_connect_generic_port(telepathy_salut_t)
+ corenet_tcp_sendrecv_generic_port(telepathy_salut_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_salut_t)
+
+ optional_policy(`
+ avahi_dbus_chat(telepathy_salut_t)
+ ')
+')
+
+#######################################
+#
+# Sofiasip local policy
+#
+
+allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms;
+allow telepathy_sofiasip_t self:tcp_socket { accept listen };
+
+corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
+corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
+corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
+corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
+corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
+corenet_raw_bind_generic_node(telepathy_sofiasip_t)
+
+corenet_sendrecv_all_server_packets(telepathy_sofiasip_t)
+corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
+
+corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
+
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
+corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t)
+
+kernel_request_load_module(telepathy_sofiasip_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_sendrecv_all_client_packets(telepathy_sofiasip_t)
+ corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
+ corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
+ corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t)
+')
+
+#######################################
+#
+# Sunshine local policy
+#
+
+manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
+
+can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)
+
+corecmd_exec_bin(telepathy_sunshine_t)
+
+files_read_usr_files(telepathy_sunshine_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_sunshine_t)
+ fs_manage_nfs_files(telepathy_sunshine_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_sunshine_t)
+ fs_manage_cifs_files(telepathy_sunshine_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(telepathy_sunshine_t)
+ 
xserver_stream_connect(telepathy_sunshine_t)
+')
+
+#######################################
+#
+# Common telepathy domain local policy
+#
+
+allow telepathy_domain self:process { getsched signal sigkill };
+allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(telepathy_domain, telepathy_xdg_cache_t, telepathy_xdg_cache_t)
+xdg_cache_filetrans(telepathy_domain, telepathy_xdg_cache_t, dir, "telepathy")
+
+manage_dirs_pattern(telepathy_domain, telepathy_xdg_data_t, telepathy_xdg_data_t)
+xdg_data_filetrans(telepathy_domain, telepathy_xdg_data_t, dir, "telepathy")
+
+dev_read_urand(telepathy_domain)
+
+kernel_read_system_state(telepathy_domain)
+
+fs_getattr_all_fs(telepathy_domain)
+fs_search_auto_mountpoints(telepathy_domain)
+
+miscfiles_read_localization(telepathy_domain)
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
+')
+
+optional_policy(`
+ xserver_rw_xdm_pipes(telepathy_domain)
+')
diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc
new file mode 100644
index 00000000..eacb7a17
--- /dev/null
+++ b/policy/modules/apps/thunderbird.fc
@@ -0,0 +1,13 @@
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0)
+
+/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/lib/thunderbird/thunderbird -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+
+/opt/thunderbird/plugin-container -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/run-mozilla\.sh -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/thunderbird -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/thunderbird-bin -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/updater -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+')
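Review bot: `can_exec(telepathy_msn_t, telepathy_msn_tmp_t)` together with `manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)` lets the msn domain both write and execute files of its own tmp type, and the Sunshine section grants the same write-plus-execute pairing on `telepathy_sunshine_tmp_t`; neither place says what the connection manager has to run from tmp, so a comment naming that (or a separate, narrower type for the executed content) is warranted before this lands. In the Sofiasip section `corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)` is granted unconditionally a few lines above the `telepathy_connect_all_ports` tunable block that repeats it, so that tunable's third line is redundant there, and the unconditional `corenet_tcp_bind_all_unreserved_ports` and `corenet_sendrecv_all_server_packets` grants deserve a comment explaining why sofiasip is the only domain that gets them outside a tunable. The msn domain also receives `corecmd_exec_bin`, `corecmd_exec_shell` and `libs_exec_ldconfig` with no why-comment, which will make the next audit of this module harder than it needs to be. The commented-out `gnome_*_filetrans` calls and `gnome_manage_generic_home_content` blocks are dead code and should be removed or annotated with what they are waiting on.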
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
new file mode 100644
index 00000000..9c5f0b91
--- /dev/null
+++ b/policy/modules/apps/thunderbird.if
@@ -0,0 +1,59 @@
+## <summary>Thunderbird email client.</summary>
+
+########################################
+## <summary>
+## Role access for thunderbird.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`thunderbird_role',`
+ gen_require(`
+ attribute_role thunderbird_roles;
+ type thunderbird_t, thunderbird_exec_t, thunderbird_home_t;
+ type thunderbird_tmpfs_t;
+ ')
+
+ roleattribute $1 thunderbird_roles;
+
+ domtrans_pattern($2, thunderbird_exec_t, thunderbird_t)
+
+ stream_connect_pattern($2, thunderbird_tmpfs_t, thunderbird_tmpfs_t, thunderbird_t)
+
+ allow thunderbird_t $2:unix_stream_socket connectto;
+
+ allow $2 thunderbird_t:process { ptrace signal_perms };
+ ps_process_pattern($2, thunderbird_t)
+
+ allow $2 thunderbird_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 thunderbird_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 thunderbird_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, thunderbird_home_t, dir, ".thunderbird")
+')
+
+########################################
+## <summary>
+## Execute thunderbird in the thunderbird domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`thunderbird_domtrans',`
+ gen_require(`
+ type thunderbird_t, thunderbird_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, thunderbird_exec_t, thunderbird_t)
+')
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
new file mode 100644
index 00000000..1f39efce
--- /dev/null
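Review bot: `thunderbird_role` repeats the body of `thunderbird_domtrans` with `domtrans_pattern($2, thunderbird_exec_t, thunderbird_t)` but leaves out the `corecmd_search_bin($2)` that the latter carries; calling `thunderbird_domtrans($2)` from the role interface keeps the two in step and avoids the two drifting apart later. The role interface grants `$2` manage and relabel on `thunderbird_home_t` only, while the .te file in this same commit also declares `thunderbird_xdg_cache_t`, so a user domain presumably cannot clean up or relabel the "thunderbird" xdg cache directory; confirm whether that omission is intended. `allow $2 thunderbird_t:process { ptrace signal_perms };` is the broadest grant in the interface and should carry a one-line comment stating why the user domain needs ptrace over the mail client rather than only `signal_perms`.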
+++ b/policy/modules/apps/thunderbird.te 
@@ -0,0 +1,217 @@
+policy_module(thunderbird, 2.7.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role thunderbird_roles;
+
+type thunderbird_t;
+type thunderbird_exec_t;
+typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
+typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
+userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
+role thunderbird_roles types thunderbird_t;
+
+type thunderbird_home_t;
+typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
+typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
+userdom_user_home_content(thunderbird_home_t)
+
+type thunderbird_tmpfs_t;
+typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t };
+typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
+userdom_user_tmpfs_file(thunderbird_tmpfs_t)
+
+type thunderbird_xdg_cache_t;
+xdg_cache_content(thunderbird_xdg_cache_t)
+
+optional_policy(`
+ wm_application_domain(thunderbird_t, thunderbird_exec_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow thunderbird_t self:capability sys_nice;
+allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
+allow thunderbird_t self:fifo_file rw_fifo_file_perms;
+allow thunderbird_t self:unix_dgram_socket create_socket_perms;
+allow thunderbird_t self:unix_stream_socket create_stream_socket_perms;
+allow thunderbird_t self:shm create_shm_perms;
+
+manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+userdom_user_home_dir_filetrans(thunderbird_t, thunderbird_home_t, dir, ".thunderbird")
+
+manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(thunderbird_t, thunderbird_xdg_cache_t, thunderbird_xdg_cache_t)
+manage_dirs_pattern(thunderbird_t, thunderbird_xdg_cache_t, thunderbird_xdg_cache_t)
+xdg_cache_filetrans(thunderbird_t, thunderbird_xdg_cache_t, dir, "thunderbird")
+
+kernel_read_network_state(thunderbird_t)
+kernel_read_net_sysctls(thunderbird_t)
+kernel_read_system_state(thunderbird_t)
+
+corecmd_exec_shell(thunderbird_t)
+
+corenet_all_recvfrom_unlabeled(thunderbird_t)
+corenet_all_recvfrom_netlabel(thunderbird_t)
+corenet_tcp_sendrecv_generic_if(thunderbird_t)
+corenet_tcp_sendrecv_generic_node(thunderbird_t)
+
+corenet_sendrecv_ipp_client_packets(thunderbird_t)
+corenet_tcp_connect_ipp_port(thunderbird_t)
+corenet_tcp_sendrecv_ipp_port(thunderbird_t)
+
+corenet_sendrecv_innd_client_packets(thunderbird_t)
+corenet_tcp_connect_innd_port(thunderbird_t)
+corenet_tcp_sendrecv_innd_port(thunderbird_t)
+
+corenet_sendrecv_smtp_client_packets(thunderbird_t)
+corenet_tcp_connect_smtp_port(thunderbird_t)
+corenet_tcp_sendrecv_smtp_port(thunderbird_t)
+
+corenet_sendrecv_pop_client_packets(thunderbird_t)
+corenet_tcp_connect_pop_port(thunderbird_t)
+corenet_tcp_sendrecv_pop_port(thunderbird_t)
+
+corenet_sendrecv_http_client_packets(thunderbird_t)
+corenet_tcp_connect_http_port(thunderbird_t)
+corenet_tcp_sendrecv_http_port(thunderbird_t)
+
+dev_read_urand(thunderbird_t)
+dev_dontaudit_search_sysfs(thunderbird_t)
+
+files_list_tmp(thunderbird_t)
+files_map_usr_files(thunderbird_t)
+files_read_usr_files(thunderbird_t)
+files_read_etc_runtime_files(thunderbird_t)
+files_read_var_files(thunderbird_t)
+files_read_var_symlinks(thunderbird_t)
+files_dontaudit_getattr_all_tmp_files(thunderbird_t)
+files_dontaudit_getattr_boot_dirs(thunderbird_t)
+files_dontaudit_getattr_lost_found_dirs(thunderbird_t)
+files_dontaudit_search_mnt(thunderbird_t)
+
+fs_getattr_all_fs(thunderbird_t)
+fs_list_inotifyfs(thunderbird_t)
+fs_search_auto_mountpoints(thunderbird_t)
+
+auth_use_nsswitch(thunderbird_t)
+
+miscfiles_read_fonts(thunderbird_t)
+miscfiles_read_localization(thunderbird_t)
+
+userdom_write_user_tmp_sockets(thunderbird_t)
+userdom_manage_user_tmp_dirs(thunderbird_t)
+userdom_manage_user_tmp_files(thunderbird_t)
+userdom_user_content_access_template(thunderbird, thunderbird_t)
+
+xdg_read_data_files(thunderbird_t)
+xdg_manage_downloads(thunderbird_t)
+
+xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+xserver_read_xdm_tmp_files(thunderbird_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(thunderbird_t)
+ fs_manage_nfs_files(thunderbird_t)
+ fs_manage_nfs_symlinks(thunderbird_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(thunderbird_t)
+ fs_manage_cifs_files(thunderbird_t)
+ fs_manage_cifs_symlinks(thunderbird_t)
+')
+
+ifndef(`enable_mls',`
+ fs_search_removable(thunderbird_t)
+ fs_read_removable_files(thunderbird_t)
+ fs_read_removable_symlinks(thunderbird_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(thunderbird_t)
+ dbus_all_session_bus_client(thunderbird_t)
+
+ optional_policy(`
+ cups_dbus_chat(thunderbird_t)
+ ')
+
+ optional_policy(`
+ mozilla_dbus_chat(thunderbird_t)
+ ')
+')
+
+optional_policy(`
+ cups_read_rw_config(thunderbird_t)
+ cups_stream_connect(thunderbird_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(thunderbird_t)
+ gnome_domtrans_gconfd(thunderbird_t)
+ gnome_manage_generic_home_content(thunderbird_t)
+')
+
+optional_policy(`
+ gpg_domtrans(thunderbird_t)
+')
+
+optional_policy(`
+ lpd_run_lpr(thunderbird_t, thunderbird_roles)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(thunderbird_t)
+ mozilla_domtrans(thunderbird_t)
+')
+
+ifdef(`distro_gentoo',`
+ typealias thunderbird_xdg_cache_t alias thunderbird_xdg_cache_home_t;
+
+ type thunderbird_tmp_t;
+ userdom_user_tmp_file(thunderbird_tmp_t)
+
+ ################################
+ #
+ # Thunderbird local policy
+ #
+
+ # thunderbird-bin to execute stuff in /opt/thunderbird/
+ can_exec(thunderbird_t, thunderbird_exec_t)
+
+ manage_dirs_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+ manage_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+ files_tmp_filetrans(thunderbird_t, thunderbird_tmp_t, { dir file })
+
+ # File preview apps for instance
+ corecmd_exec_bin(thunderbird_t)
+
+ dev_read_sysfs(thunderbird_t)
+ dev_rw_dri(thunderbird_t)
+
+ userdom_use_user_ptys(thunderbird_t)
+
+ optional_policy(`
+ pulseaudio_domtrans(thunderbird_t)
+ pulseaudio_tmpfs_content(thunderbird_tmpfs_t)
+ ')
+')
+
+optional_policy(`
+ ooffice_domtrans(thunderbird_t)
+ ooffice_rw_tmp_files(thunderbird_t)
+')
diff --git a/policy/modules/apps/tvtime.fc b/policy/modules/apps/tvtime.fc
new file mode 100644
index 00000000..92cb760a
--- /dev/null
+++ b/policy/modules/apps/tvtime.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.tvtime(/.*)? gen_context(system_u:object_r:tvtime_home_t,s0)
+
+/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
new file mode 100644
index 00000000..1bb0f7c7
--- /dev/null
+++ b/policy/modules/apps/tvtime.if
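Review bot: `allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };` grants all three executable-memory permissions to a domain that parses untrusted mail and renders remote content, and nothing in the hunk says why. If only the JavaScript JIT needs writable-executable anonymous memory then `execmem` alone may be enough and `execheap`/`execstack` could be dropped — that needs checking against audit logs, so please record the result above the line, e.g. `# execmem for the JS JIT; execheap/execstack confirmed needed by <component, to be filled in>`. The Gentoo block at the end of the hunk additionally grants `corecmd_exec_bin(thunderbird_t)` for "File preview apps for instance", which lets the mail client run any bin_t program inside its own domain rather than transitioning; the comment should name the previewers that were observed to need it so the grant can be revisited later.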
@@ -0,0 +1,38 @@
+## <summary>High quality television application.</summary>
+
+########################################
+## <summary>
+## Role access for tvtime
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`tvtime_role',`
+ gen_require(`
+ attribute_role tvtime_roles;
+ type tvtime_t, tvtime_exec_t, tvtime_tmp_t;
+ type tvtime_home_t, tvtime_tmpfs_t;
+ ')
+
+ roleattribute $1 tvtime_roles;
+
+ domtrans_pattern($2, tvtime_exec_t, tvtime_t)
+
+ ps_process_pattern($2, tvtime_t)
+ allow $2 tvtime_t:process { ptrace signal_perms };
+
+ allow $2 { tvtime_home_t tvtime_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { tvtime_home_t tvtime_tmpfs_t tvtime_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { tvtime_home_t tvtime_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 tvtime_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 tvtime_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_user_home_dir_filetrans($2, tvtime_home_t, dir, ".tvtime")
+')
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
new file mode 100644
index 00000000..1b138dd8
--- /dev/null
+++ b/policy/modules/apps/tvtime.te
@@ -0,0 +1,94 @@
+policy_module(tvtime, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role tvtime_roles;
+
+type tvtime_t;
+type tvtime_exec_t;
+typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
+typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
+userdom_user_application_domain(tvtime_t, tvtime_exec_t)
+role tvtime_roles types tvtime_t;
+
+type tvtime_home_t alias tvtime_rw_t;
+typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
+typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
+userdom_user_home_content(tvtime_home_t)
+
+type tvtime_tmp_t;
+typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
+typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
+userdom_user_tmp_file(tvtime_tmp_t)
+
+type tvtime_tmpfs_t;
+typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
+typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t };
+userdom_user_tmpfs_file(tvtime_tmpfs_t)
+
+optional_policy(`
+ wm_application_domain(tvtime_t, tvtime_exec_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow tvtime_t self:capability { setuid sys_nice sys_resource };
+allow tvtime_t self:process setsched;
+allow tvtime_t self:unix_dgram_socket rw_socket_perms;
+allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+
+manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
+
+manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir })
+
+manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file })
+
+kernel_read_all_sysctls(tvtime_t)
+kernel_get_sysvipc_info(tvtime_t)
+
+dev_read_realtime_clock(tvtime_t)
+dev_read_sound(tvtime_t)
+dev_read_urand(tvtime_t)
+
+files_read_usr_files(tvtime_t)
+
+fs_getattr_all_fs(tvtime_t)
+fs_search_auto_mountpoints(tvtime_t)
+
+auth_use_nsswitch(tvtime_t)
+
+miscfiles_read_fonts(tvtime_t)
+miscfiles_read_localization(tvtime_t)
+
+userdom_use_user_terminals(tvtime_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(tvtime_t)
+ fs_manage_nfs_files(tvtime_t)
+ fs_manage_nfs_symlinks(tvtime_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(tvtime_t)
+ fs_manage_cifs_files(tvtime_t)
+ fs_manage_cifs_symlinks(tvtime_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
+')
diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc
new file mode 100644
index 00000000..567966e0
--- /dev/null
+++ b/policy/modules/apps/uml.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0)
+
+/usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0)
+
+/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0)
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
new file mode 100644
index 00000000..ab5c1d0d
--- /dev/null
+++ b/policy/modules/apps/uml.if
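Review bot: `userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)` has no filename argument, so every directory tvtime_t creates directly under the user's home directory is labeled tvtime_home_t, not just `~/.tvtime`; both tvtime_role in tvtime.if and the `HOME_DIR/\.tvtime(/.*)?` entry in tvtime.fc use the specific name. Change it to `userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir, ".tvtime")`, which is also what thunderbird.te and uml.te on this page do for their home types. Separately, `allow tvtime_t self:capability { setuid sys_nice sys_resource };` carries no explanation; presumably tvtime starts setuid root to raise its scheduling priority and then drops privileges — confirm, and record it in a comment above the line so the capability grant is not widened or copied without that context.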
@@ -0,0 +1,81 @@
+## <summary>User mode linux tools and services.</summary>
+
+########################################
+## <summary>
+## Role access for uml.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`uml_role',`
+ gen_require(`
+ attribute_role uml_roles;
+ type uml_t, uml_exec_t;
+ type uml_ro_t, uml_rw_t, uml_tmp_t;
+ type uml_devpts_t, uml_tmpfs_t;
+ ')
+
+ roleattribute $1 uml_roles;
+
+ domtrans_pattern($2, uml_exec_t, uml_t)
+
+ dgram_send_pattern($2, uml_tmpfs_t, uml_tmpfs_t, uml_t)
+
+ allow uml_t $2:unix_dgram_socket sendto;
+
+ ps_process_pattern($2, uml_t)
+ allow $2 uml_t:process { ptrace signal_perms };
+
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_user_home_dir_filetrans($2, uml_rw_t, dir, ".uml")
+')
+
+########################################
+## <summary>
+## Set attributes of uml pid sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uml_setattr_util_sockets',`
+ gen_require(`
+ type uml_switch_var_run_t;
+ ')
+
+ allow $1 uml_switch_var_run_t:sock_file setattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## uml pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uml_manage_util_files',`
+ gen_require(`
+ type uml_switch_var_run_t;
+ ')
+
+ manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
+ manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
+')
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
new file mode 100644
index 00000000..0e2f4c99
--- /dev/null
+++ b/policy/modules/apps/uml.te
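Review bot: uml_role gives the user domain `manage_file_perms` and `relabel_file_perms` on uml_exec_t, the same type that `domtrans_pattern($2, uml_exec_t, uml_t)` uses as the entrypoint, so the caller can both write and then transition into the uml_t binary. That is presumably intentional — uml.te marks uml_exec_t `# customizable`, i.e. user-built UML kernels living in the home directory — but nothing in the interface says so, and the summary `Role access for uml.` hides it; a comment on the two allow lines such as `# uml_exec_t is user-managed: the role builds and runs its own UML kernels` would make the trade-off explicit to anyone calling this interface. Also, the summary of uml_manage_util_files says only `uml pid files` while the body also manages symlinks in uml_switch_var_run_t; `Create, read, write, and delete uml pid files and symlinks.` would be accurate.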
@@ -0,0 +1,185 @@
+policy_module(uml, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role uml_roles;
+
+type uml_t;
+type uml_exec_t; # customizable
+typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t };
+typealias uml_t alias { auditadm_uml_t secadm_uml_t };
+userdom_user_application_domain(uml_t, uml_exec_t)
+role uml_roles types uml_t;
+
+type uml_ro_t; # customizable
+typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
+typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
+userdom_user_home_content(uml_ro_t)
+
+type uml_rw_t;
+typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
+typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
+userdom_user_home_content(uml_rw_t)
+
+type uml_tmp_t;
+typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
+typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
+userdom_user_tmp_file(uml_tmp_t)
+
+type uml_tmpfs_t;
+typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
+typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t };
+userdom_user_tmpfs_file(uml_tmpfs_t)
+
+type uml_devpts_t;
+typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t };
+typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t };
+term_pty(uml_devpts_t)
+ubac_constrained(uml_devpts_t)
+
+type uml_switch_t;
+type uml_switch_exec_t;
+init_daemon_domain(uml_switch_t, uml_switch_exec_t)
+
+type uml_switch_var_run_t;
+files_pid_file(uml_switch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow uml_t self:process signal_perms;
+allow uml_t self:fifo_file rw_fifo_file_perms;
+allow uml_t self:unix_stream_socket create_stream_socket_perms;
+allow uml_t self:tcp_socket { accept listen };
+allow uml_t self:tun_socket create;
+allow uml_t self:unix_dgram_socket { create_socket_perms sendto };
+
+allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr_chr_file_perms };
+term_create_pty(uml_t, uml_devpts_t)
+
+manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+files_tmp_filetrans(uml_t, uml_tmp_t, { file dir })
+
+manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+allow uml_t uml_ro_t:dir list_dir_perms;
+allow uml_t uml_ro_t:file read_file_perms;
+allow uml_t uml_ro_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+userdom_user_home_dir_filetrans(uml_t, uml_rw_t, dir, ".uml")
+
+can_exec(uml_t, { uml_exec_t uml_tmp_t uml_tmpfs_t })
+
+kernel_read_system_state(uml_t)
+kernel_write_proc_files(uml_t)
+
+corecmd_exec_bin(uml_t)
+
+corenet_all_recvfrom_unlabeled(uml_t)
+corenet_all_recvfrom_netlabel(uml_t)
+corenet_tcp_sendrecv_generic_if(uml_t)
+corenet_tcp_sendrecv_generic_node(uml_t)
+corenet_tcp_sendrecv_all_ports(uml_t)
+
+corenet_sendrecv_all_client_packets(uml_t)
+corenet_tcp_connect_all_ports(uml_t)
+
+corenet_rw_tun_tap_dev(uml_t)
+
+domain_use_interactive_fds(uml_t)
+
+files_dontaudit_read_etc_runtime_files(uml_t)
+
+fs_getattr_all_fs(uml_t)
+fs_search_auto_mountpoints(uml_t)
+
+auth_use_nsswitch(uml_t)
+
+init_read_utmp(uml_t)
+init_dontaudit_write_utmp(uml_t)
+
+libs_exec_lib_files(uml_t)
+
+userdom_use_user_terminals(uml_t)
+userdom_attach_admin_tun_iface(uml_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(uml_t)
+ fs_manage_nfs_files(uml_t)
+ fs_manage_nfs_named_pipes(uml_t)
+ fs_manage_nfs_symlinks(uml_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(uml_t)
+ fs_manage_cifs_files(uml_t)
+ fs_manage_cifs_named_pipes(uml_t)
+ fs_manage_cifs_symlinks(uml_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(uml_t)
+')
+
+optional_policy(`
+ virt_attach_tun_iface(uml_t)
+')
+
+########################################
+#
+# Switch local policy
+#
+
+dontaudit uml_switch_t self:capability sys_tty_config;
+allow uml_switch_t self:process signal_perms;
+allow uml_switch_t self:unix_stream_socket { accept listen };
+
+manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
+manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
+files_pid_filetrans(uml_switch_t, uml_switch_var_run_t, file)
+
+kernel_read_kernel_sysctls(uml_switch_t)
+kernel_list_proc(uml_switch_t)
+kernel_read_proc_symlinks(uml_switch_t)
+
+dev_read_sysfs(uml_switch_t)
+
+domain_use_interactive_fds(uml_switch_t)
+
+fs_getattr_all_fs(uml_switch_t)
+fs_search_auto_mountpoints(uml_switch_t)
+
+term_dontaudit_use_console(uml_switch_t)
+
+init_use_fds(uml_switch_t)
+init_use_script_ptys(uml_switch_t)
+
+logging_send_syslog_msg(uml_switch_t)
+
+miscfiles_read_localization(uml_switch_t)
+
+userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
+userdom_dontaudit_search_user_home_dirs(uml_switch_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(uml_switch_t)
+')
+
+optional_policy(`
+ udev_read_db(uml_switch_t)
+')
diff --git a/policy/modules/apps/userhelper.fc b/policy/modules/apps/userhelper.fc
new file mode 100644
index 00000000..6a2cd2f0
--- /dev/null
+++ b/policy/modules/apps/userhelper.fc
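Review bot: `can_exec(uml_t, { uml_exec_t uml_tmp_t uml_tmpfs_t })`, taken together with the manage_files_pattern lines above it for uml_tmp_t and uml_tmpfs_t, lets uml_t execute files it has written itself, and the line carries no comment. The usual explanation is that the User Mode Linux host process maps its physical-memory backing file in tmp/tmpfs executable, but that is an inference from the type names — confirm it and state it, e.g. `# the UML kernel maps its tmp/tmpfs memory-backing file executable`. The nearby `kernel_write_proc_files(uml_t)` and `corenet_tcp_connect_all_ports(uml_t)` are likewise broad grants for a user application and each deserves a one-line rationale so that a later audit can tell a required permission from an inherited one.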
@@ -0,0 +1,6 @@
+/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
+
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
+/usr/bin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
new file mode 100644
index 00000000..2cdbf67e
--- /dev/null
+++ b/policy/modules/apps/userhelper.if
@@ -0,0 +1,231 @@
+## <summary>A wrapper that helps users run system programs.</summary>
+
+#######################################
+## <summary>
+## The role template for the userhelper module.
+## </summary>
+## <param name="userrole_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain associated with the role.
+## </summary>
+## </param>
+#
+template(`userhelper_role_template',`
+ gen_require(`
+ attribute userhelper_type, consolehelper_type;
+ attribute_role userhelper_roles, consolehelper_roles;
+ type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_consolehelper_t, consolehelper_type;
+ userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t)
+
+ role consolehelper_roles types $1_consolehelper_t;
+ roleattribute $2 consolehelper_roles;
+
+ type $1_userhelper_t, userhelper_type;
+ userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
+
+ domain_role_change_exemption($1_userhelper_t)
+ domain_obj_id_change_exemption($1_userhelper_t)
+ domain_interactive_fd($1_userhelper_t)
+ domain_subj_id_change_exemption($1_userhelper_t)
+
+ role userhelper_roles types $1_userhelper_t;
+ roleattribute $2 userhelper_roles;
+
+ ########################################
+ #
+ # Consolehelper local policy
+ #
+
+ allow $1_consolehelper_t $3:unix_stream_socket connectto;
+
+ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+
+ allow $3 $1_consolehelper_t:process { ptrace signal_perms };
+ ps_process_pattern($3, $1_consolehelper_t)
+
+ auth_use_pam($1_consolehelper_t)
+
+ optional_policy(`
+ dbus_connect_all_session_bus($1_consolehelper_t)
+
+ optional_policy(`
+ userhelper_dbus_chat_all_consolehelper($3)
+ ')
+ ')
+
+ ########################################
+ #
+ # Userhelper local policy
+ #
+
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+
+ dontaudit $3 $1_userhelper_t:process signal;
+
+ corecmd_bin_domtrans($1_userhelper_t, $3)
+
+ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_use_nsswitch($1_userhelper_t)
+
+ userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
+ userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+
+ optional_policy(`
+ tunable_policy(`! secure_mode',`
+ sysadm_bin_spec_domtrans($1_userhelper_t)
+ sysadm_entry_spec_domtrans($1_userhelper_t)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Search userhelper configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ allow $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## userhelper configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userhelper_dontaudit_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ dontaudit $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## consolehelper over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_dbus_chat_all_consolehelper',`
+ gen_require(`
+ attribute consolehelper_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolehelper_type:dbus send_msg;
+ allow consolehelper_type $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Use userhelper all userhelper file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_use_fd',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:fd use;
+')
+
+########################################
+## <summary>
+## Send child terminated signals to all userhelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_sigchld',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute the userhelper program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_exec',`
+ gen_require(`
+ type userhelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, userhelper_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the consolehelper program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_exec_consolehelper',`
+ gen_require(`
+ type consolehelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, consolehelper_exec_t)
+')
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
new file mode 100644
index 00000000..bffbc94c
--- /dev/null
+++ b/policy/modules/apps/userhelper.te
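Review bot: The summary of userhelper_use_fd reads `Use userhelper all userhelper file descriptors.`, which is garbled; `Use all userhelper file descriptors.` follows the wording of the sibling interfaces. In userhelper_role_template, the `domain_role_change_exemption`, `domain_obj_id_change_exemption` and `domain_subj_id_change_exemption` calls on $1_userhelper_t lift the role and identity-change constraints for that domain with no comment; since these exemptions are what let the helper run a program under another SELinux user and role, a line such as `# userhelper switches SELinux user/role for the wrapped program, so it is exempt from the identity-change constraints` above them would tell the next reader why a per-user application domain carries privileges normally reserved for login programs.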
@@ -0,0 +1,163 @@
+policy_module(userhelper, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute consolehelper_type;
+attribute userhelper_type;
+
+attribute_role consolehelper_roles;
+attribute_role userhelper_roles;
+
+type userhelper_conf_t;
+files_config_file(userhelper_conf_t)
+
+type userhelper_exec_t;
+application_executable_file(userhelper_exec_t)
+
+type consolehelper_exec_t;
+application_executable_file(consolehelper_exec_t)
+
+########################################
+#
+# Common consolehelper domain local policy
+#
+
+allow consolehelper_type self:capability { dac_override setgid setuid };
+allow consolehelper_type self:process signal;
+allow consolehelper_type self:fifo_file rw_fifo_file_perms;
+allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
+allow consolehelper_type self:shm create_shm_perms;
+
+dontaudit consolehelper_type userhelper_conf_t:file audit_access;
+read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
+
+domain_use_interactive_fds(consolehelper_type)
+
+kernel_read_system_state(consolehelper_type)
+kernel_read_kernel_sysctls(consolehelper_type)
+
+corecmd_exec_bin(consolehelper_type)
+
+dev_getattr_all_chr_files(consolehelper_type)
+dev_dontaudit_list_all_dev_nodes(consolehelper_type)
+
+files_read_config_files(consolehelper_type)
+files_read_usr_files(consolehelper_type)
+
+fs_getattr_all_dirs(consolehelper_type)
+fs_getattr_all_fs(consolehelper_type)
+fs_search_auto_mountpoints(consolehelper_type)
+files_search_mnt(consolehelper_type)
+
+term_list_ptys(consolehelper_type)
+
+auth_search_pam_console_data(consolehelper_type)
+auth_read_pam_pid(consolehelper_type)
+
+miscfiles_read_localization(consolehelper_type)
+miscfiles_read_fonts(consolehelper_type)
+
+userhelper_exec(consolehelper_type)
+
+userdom_use_user_terminals(consolehelper_type)
+
+# might want to make this consolehelper_tmp_t
+userdom_manage_user_tmp_dirs(consolehelper_type)
+userdom_manage_user_tmp_files(consolehelper_type)
+userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
+userdom_user_runtime_filetrans_user_tmp(consolehelper_type, { dir file })
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(consolehelper_type)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(consolehelper_type)
+')
+
+optional_policy(`
+ shutdown_run(consolehelper_type, consolehelper_roles)
+ shutdown_signal(consolehelper_type)
+')
+
+optional_policy(`
+ xserver_domtrans_xauth(consolehelper_type)
+ xserver_read_xdm_pid(consolehelper_type)
+ xserver_stream_connect(consolehelper_type)
+')
+
+########################################
+#
+# Common userhelper domain local policy
+#
+
+allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
+allow userhelper_type self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow userhelper_type self:fd use;
+allow userhelper_type self:fifo_file rw_fifo_file_perms;
+allow userhelper_type self:shm create_shm_perms;
+allow userhelper_type self:sem create_sem_perms;
+allow userhelper_type self:msgq create_msgq_perms;
+allow userhelper_type self:msg { send receive };
+allow userhelper_type self:unix_dgram_socket sendto;
+allow userhelper_type self:unix_stream_socket { accept connectto listen };
+
+dontaudit userhelper_type userhelper_conf_t:file audit_access;
+read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t)
+
+can_exec(userhelper_type, userhelper_exec_t)
+
+kernel_read_all_sysctls(userhelper_type)
+kernel_getattr_debugfs(userhelper_type)
+kernel_read_system_state(userhelper_type)
+
+corecmd_exec_shell(userhelper_type)
+
+domain_use_interactive_fds(userhelper_type)
+domain_sigchld_interactive_fds(userhelper_type)
+
+dev_read_urand(userhelper_type)
+dev_list_all_dev_nodes(userhelper_type)
+
+files_list_var_lib(userhelper_type)
+files_read_var_files(userhelper_type)
+files_read_var_symlinks(userhelper_type)
+files_search_home(userhelper_type)
+
+fs_getattr_all_fs(userhelper_type)
+fs_search_auto_mountpoints(userhelper_type)
+
+selinux_get_fs_mount(userhelper_type)
+selinux_validate_context(userhelper_type)
+selinux_compute_access_vector(userhelper_type)
+selinux_compute_create_context(userhelper_type)
+selinux_compute_relabel_context(userhelper_type)
+selinux_compute_user_contexts(userhelper_type)
+
+term_list_ptys(userhelper_type)
+term_relabel_all_ttys(userhelper_type)
+term_relabel_all_ptys(userhelper_type)
+term_use_all_ttys(userhelper_type)
+term_use_all_ptys(userhelper_type)
+
+auth_manage_pam_pid(userhelper_type)
+auth_manage_var_auth(userhelper_type)
+auth_search_pam_console_data(userhelper_type)
+
+init_use_fds(userhelper_type)
+init_manage_utmp(userhelper_type)
+init_pid_filetrans_utmp(userhelper_type)
+
+logging_send_syslog_msg(userhelper_type)
+
+miscfiles_read_localization(userhelper_type)
+
+seutil_read_config(userhelper_type)
+seutil_read_default_contexts(userhelper_type)
+
+optional_policy(`
+ rpm_domtrans(userhelper_type)
+')
diff --git a/policy/modules/apps/usernetctl.fc b/policy/modules/apps/usernetctl.fc
new file mode 100644
index 00000000..72f38b1b
--- /dev/null
+++ b/policy/modules/apps/usernetctl.fc
@@ -0,0 +1,3 @@
+/usr/bin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
+
+/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
new file mode 100644
index 00000000..7deec55c
--- /dev/null
+++ b/policy/modules/apps/usernetctl.if
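Review bot: The comment `# might want to make this consolehelper_tmp_t` above `userdom_manage_user_tmp_dirs(consolehelper_type)` leaves a known tightening undone: consolehelper_type gets create/delete rights and file transitions into the user's shared tmp type instead of a private one, and the comment does not say what blocks the change. Either introduce the private type now (a `consolehelper_tmp_t` declared with `userdom_user_tmp_file` and a matching `files_tmp_filetrans`, following the thunderbird_tmp_t block in thunderbird.te on this page) or make the note actionable, e.g. `# TODO: move to a private consolehelper_tmp_t; blocked on <reason, to be filled in>`. Further down, `allow userhelper_type self:process { ... setexec ... dyntransition ... }` also carries no comment on why a user-facing helper needs dynamic transition and setexec; since those are the permissions that let the domain change its own context, a one-line rationale would help future audits distinguish them from the routine entries in that list.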
@@ -0,0 +1,47 @@
+## <summary>User network interface configuration helper.</summary>
+
+########################################
+## <summary>
+## Execute usernetctl in the usernetctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usernetctl_domtrans',`
+ gen_require(`
+ type usernetctl_t, usernetctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, usernetctl_exec_t, usernetctl_t)
+')
+
+########################################
+## <summary>
+## Execute usernetctl in the usernetctl
+## domain, and allow the specified role
+## the usernetctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usernetctl_run',`
+ gen_require(`
+ attribute_role usernetctl_roles;
+ ')
+
+ usernetctl_domtrans($1)
+ roleattribute $2 usernetctl_roles;
+')
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
new file mode 100644
index 00000000..4ef6f9b2
--- /dev/null
+++ b/policy/modules/apps/usernetctl.te
@@ -0,0 +1,78 @@
+policy_module(usernetctl, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role usernetctl_roles;
+
+type usernetctl_t;
+type usernetctl_exec_t;
+application_domain(usernetctl_t, usernetctl_exec_t)
+domain_interactive_fd(usernetctl_t)
+role usernetctl_roles types usernetctl_t;
+
+########################################
+#
+# Local policy
+#
+
+allow usernetctl_t self:capability { dac_override setgid setuid };
+allow usernetctl_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow usernetctl_t self:fd use;
+allow usernetctl_t self:fifo_file rw_fifo_file_perms;
+allow usernetctl_t self:unix_dgram_socket sendto;
+allow usernetctl_t self:unix_stream_socket { accept connectto listen };
+
+can_exec(usernetctl_t, usernetctl_exec_t)
+
+kernel_read_system_state(usernetctl_t)
+kernel_read_kernel_sysctls(usernetctl_t)
+
+corecmd_list_bin(usernetctl_t)
+corecmd_exec_bin(usernetctl_t)
+corecmd_exec_shell(usernetctl_t)
+
+domain_dontaudit_read_all_domains_state(usernetctl_t)
+
+files_exec_etc_files(usernetctl_t)
+files_read_etc_runtime_files(usernetctl_t)
+files_list_pids(usernetctl_t)
+files_list_home(usernetctl_t)
+files_read_usr_files(usernetctl_t)
+
+fs_search_auto_mountpoints(usernetctl_t)
+
+auth_use_nsswitch(usernetctl_t)
+
+logging_send_syslog_msg(usernetctl_t)
+
+miscfiles_read_localization(usernetctl_t)
+
+seutil_read_config(usernetctl_t)
+
+sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+
+userdom_use_user_terminals(usernetctl_t)
+
+optional_policy(`
+ consoletype_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ hostname_exec(usernetctl_t)
+')
+
+optional_policy(`
+ iptables_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ modutils_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ ppp_run(usernetctl_t, usernetctl_roles)
+')
diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc
new file mode 100644
index 00000000..f668cde9
--- /dev/null
+++ b/policy/modules/apps/vlock.fc
@@ -0,0 +1,4 @@
+/usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
+/usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
+
+/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
diff --git a/policy/modules/apps/vlock.if b/policy/modules/apps/vlock.if
new file mode 100644
index 00000000..d5fc09ac
--- /dev/null
+++ b/policy/modules/apps/vlock.if
@@ -0,0 +1,47 @@
+## <summary>Lock one or more sessions on the Linux console.</summary>
+
+#######################################
+## <summary>
+## Execute vlock in the vlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vlock_domtrans',`
+ gen_require(`
+ type vlock_t, vlock_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vlock_exec_t, vlock_t)
+')
+
+########################################
+## <summary>
+## Execute vlock in the vlock domain,
+## and allow the specified role
+## the vlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed to access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vlock_run',`
+ gen_require(`
+ attribute_role vlock_roles;
+ ')
+
+ vlock_domtrans($1)
+ roleattribute $2 vlock_roles;
+')
diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te
new file mode 100644
index 00000000..f025f7c1
--- /dev/null
+++ b/policy/modules/apps/vlock.te
@@ -0,0 +1,43 @@
+policy_module(vlock, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role vlock_roles;
+
+type vlock_t;
+type vlock_exec_t;
+application_domain(vlock_t, vlock_exec_t)
+role vlock_roles types vlock_t;
+
+########################################
+#
+# Local policy
+#
+
+dontaudit vlock_t self:capability { setgid setuid };
+allow vlock_t self:fd use;
+allow vlock_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(vlock_t)
+
+corecmd_list_bin(vlock_t)
+
+domain_use_interactive_fds(vlock_t)
+
+files_dontaudit_search_home(vlock_t)
+
+mls_file_write_all_levels(vlock_t)
+
+selinux_dontaudit_getattr_fs(vlock_t)
+
+auth_use_pam(vlock_t)
+
+init_dontaudit_rw_utmp(vlock_t)
+
+miscfiles_read_localization(vlock_t)
+
+userdom_dontaudit_search_user_home_dirs(vlock_t)
+userdom_use_user_terminals(vlock_t)
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
new file mode 100644
index 00000000..b1557721
--- /dev/null
+++ b/policy/modules/apps/vmware.fc
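Review bot: `mls_file_write_all_levels(vlock_t)` is the broadest privilege granted in this hunk and carries no explanation; on an MLS-enabled policy it lets vlock_t write files at any sensitivity level, while every other rule in the domain is a minimal allow or a dontaudit. A one-line why-comment above it would let the next maintainer judge whether it is still needed, e.g. `# MLS override: presumably so vlock can write back to a terminal/session at a level other than its own -- confirm against current vlock behaviour`. The same kind of note would help on `auth_use_pam(vlock_t)`, the other rule that reaches beyond the domain's own objects.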
@@ -0,0 +1,54 @@
+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0)
+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+
+/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+
+/usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+
+/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0)
+/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
new file mode 100644
index 00000000..20a1fb29
--- /dev/null
+++ b/policy/modules/apps/vmware.if
@@ -0,0 +1,114 @@
+## <summary>VMWare Workstation virtual machines.</summary>
+
+########################################
+## <summary>
+## Role access for vmware.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`vmware_role',`
+ gen_require(`
+ type vmware_t, vmware_exec_t, vmware_file_t;
+ type vmware_conf_t, vmware_tmp_t, vmware_tmpfs_t;
+ ')
+
+ role $1 types vmware_t;
+
+ domtrans_pattern($2, vmware_exec_t, vmware_t)
+
+ ps_process_pattern($2, vmware_t)
+ allow $2 vmware_t:process { ptrace signal_perms };
+
+ allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { vmware_tmp_t vmware_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 vmware_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 vmware_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ userdom_user_home_dir_filetrans($2, vmware_file_t, dir, ".vmware")
+ userdom_user_home_dir_filetrans($2, vmware_file_t, dir, "vmware")
+')
+
+########################################
+## <summary>
+## Execute vmware host executables
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_exec_host',`
+ gen_require(`
+ type vmware_host_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, vmware_host_exec_t)
+')
+
+########################################
+## <summary>
+## Read vmware system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_read_system_config',`
+ gen_require(`
+ type vmware_sys_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 vmware_sys_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Append vmware system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_append_system_config',`
+ gen_require(`
+ type vmware_sys_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 vmware_sys_conf_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Append vmware log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_append_log',`
+ gen_require(`
+ type vmware_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, vmware_log_t, vmware_log_t)
+')
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
new file mode 100644
index 00000000..441fe9ef
--- /dev/null
+++ b/policy/modules/apps/vmware.te
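Review bot: `vmware_role` binds the role directly with `role $1 types vmware_t;` and carries no `<rolecap/>` tag, whereas the other role-granting interfaces in this series (`usernetctl_run`, `vlock_run`, `wine_role`) go through a `*_roles` role attribute and the first two are tagged `<rolecap/>`. Unless the direct form is intentional here, declaring an `attribute_role vmware_roles;` in vmware.te and using `roleattribute $1 vmware_roles;` in this interface would keep the modules consistent and let the `role ... types` statement live with the declarations. The interface also gives `$2` `ptrace` on vmware_t together with manage-and-relabel rights on every vmware file type; a short comment stating that this is deliberate for the user's own VM processes would save the next reader from questioning it.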
@@ -0,0 +1,283 @@
+policy_module(vmware, 2.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type vmware_t;
+type vmware_exec_t;
+typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
+typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
+userdom_user_application_domain(vmware_t, vmware_exec_t)
+
+type vmware_conf_t;
+typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
+typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t };
+userdom_user_home_content(vmware_conf_t)
+
+type vmware_file_t;
+typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t };
+typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t };
+userdom_user_home_content(vmware_file_t)
+
+type vmware_host_t;
+type vmware_host_exec_t;
+init_daemon_domain(vmware_host_t, vmware_host_exec_t)
+
+type vmware_host_pid_t alias vmware_var_run_t;
+files_pid_file(vmware_host_pid_t)
+
+type vmware_host_tmp_t;
+userdom_user_tmp_file(vmware_host_tmp_t)
+
+type vmware_log_t;
+typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
+typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
+logging_log_file(vmware_log_t)
+ubac_constrained(vmware_log_t)
+
+type vmware_pid_t;
+typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
+typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t };
+files_pid_file(vmware_pid_t)
+ubac_constrained(vmware_pid_t)
+
+type vmware_sys_conf_t;
+files_config_file(vmware_sys_conf_t)
+
+type vmware_tmp_t;
+typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
+typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
+userdom_user_tmp_file(vmware_tmp_t)
+
+type vmware_tmpfs_t;
+typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
+typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
+userdom_user_tmpfs_file(vmware_tmpfs_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
+')
+
+optional_policy(`
+ wm_application_domain(vmware_t, vmware_exec_t)
+')
+
+########################################
+#
+# Host local policy
+#
+
+allow vmware_host_t self:capability { dac_override kill net_raw setgid setuid sys_nice sys_ptrace sys_time };
+dontaudit vmware_host_t self:capability sys_tty_config;
+allow vmware_host_t self:process { execstack execmem signal_perms };
+allow vmware_host_t self:fifo_file rw_fifo_file_perms;
+allow vmware_host_t self:unix_stream_socket { accept listen };
+allow vmware_host_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
+
+manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
+
+append_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+create_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+setattr_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_host_t, vmware_log_t, file)
+
+can_exec(vmware_host_t, vmware_host_exec_t)
+
+kernel_read_kernel_sysctls(vmware_host_t)
+kernel_read_system_state(vmware_host_t)
+kernel_read_network_state(vmware_host_t)
+
+corenet_all_recvfrom_unlabeled(vmware_host_t)
+corenet_all_recvfrom_netlabel(vmware_host_t)
+corenet_tcp_sendrecv_generic_if(vmware_host_t)
+corenet_udp_sendrecv_generic_if(vmware_host_t)
+corenet_raw_sendrecv_generic_if(vmware_host_t)
+corenet_tcp_sendrecv_generic_node(vmware_host_t)
+corenet_udp_sendrecv_generic_node(vmware_host_t)
+corenet_raw_sendrecv_generic_node(vmware_host_t)
+corenet_tcp_sendrecv_all_ports(vmware_host_t)
+
+corenet_sendrecv_all_client_packets(vmware_host_t)
+corenet_tcp_connect_all_ports(vmware_host_t)
+
+corecmd_exec_bin(vmware_host_t)
+corecmd_exec_shell(vmware_host_t)
+
+dev_getattr_all_blk_files(vmware_host_t)
+dev_read_sysfs(vmware_host_t)
+dev_read_urand(vmware_host_t)
+dev_rw_vmware(vmware_host_t)
+
+domain_use_interactive_fds(vmware_host_t)
+domain_dontaudit_read_all_domains_state(vmware_host_t)
+
+files_list_tmp(vmware_host_t)
+files_read_etc_files(vmware_host_t)
+files_read_etc_runtime_files(vmware_host_t)
+files_read_usr_files(vmware_host_t)
+
+fs_getattr_all_fs(vmware_host_t)
+fs_search_auto_mountpoints(vmware_host_t)
+
+storage_getattr_fixed_disk_dev(vmware_host_t)
+
+term_dontaudit_use_console(vmware_host_t)
+
+init_use_fds(vmware_host_t)
+init_use_script_ptys(vmware_host_t)
+
+libs_exec_ld_so(vmware_host_t)
+
+logging_send_syslog_msg(vmware_host_t)
+
+miscfiles_read_localization(vmware_host_t)
+
+sysnet_dns_name_resolve(vmware_host_t)
+sysnet_domtrans_ifconfig(vmware_host_t)
+
+userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+
+netutils_domtrans_ping(vmware_host_t)
+
+optional_policy(`
+ hostname_exec(vmware_host_t)
+')
+
+optional_policy(`
+ modutils_domtrans(vmware_host_t)
+')
+
+optional_policy(`
+ samba_read_config(vmware_host_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(vmware_host_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(vmware_host_t)
+')
+
+optional_policy(`
+ udev_read_db(vmware_host_t)
+')
+
+optional_policy(`
+ xserver_read_tmp_files(vmware_host_t)
+ xserver_read_xdm_pid(vmware_host_t)
+')
+
+########################################
+#
+# Guest local policy
+#
+
+allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource };
+dontaudit vmware_t self:capability sys_tty_config;
+allow vmware_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
+allow vmware_t self:fd use;
+allow vmware_t self:fifo_file rw_fifo_file_perms;
+allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
+allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vmware_t self:shm create_shm_perms;
+allow vmware_t self:sem create_sem_perms;
+allow vmware_t self:msgq create_msgq_perms;
+allow vmware_t self:msg { send receive };
+
+allow vmware_t vmware_conf_t:file manage_file_perms;
+
+manage_dirs_pattern(vmware_t, vmware_file_t, vmware_file_t)
+manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, ".vmware")
+userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, "vmware")
+
+manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir })
+
+manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow vmware_t vmware_sys_conf_t:dir list_dir_perms;
+read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file })
+
+can_exec(vmware_t, { vmware_tmp_t vmware_exec_t })
+
+kernel_read_system_state(vmware_t)
+kernel_read_network_state(vmware_t)
+kernel_read_kernel_sysctls(vmware_t)
+
+corecmd_exec_bin(vmware_t)
+corecmd_exec_shell(vmware_t)
+
+dev_read_raw_memory(vmware_t)
+dev_write_raw_memory(vmware_t)
+dev_read_mouse(vmware_t)
+dev_write_sound(vmware_t)
+dev_read_realtime_clock(vmware_t)
+dev_rwx_vmware(vmware_t)
+dev_rw_usbfs(vmware_t)
+dev_search_sysfs(vmware_t)
+
+domain_use_interactive_fds(vmware_t)
+
+files_read_etc_files(vmware_t)
+files_read_etc_runtime_files(vmware_t)
+files_read_usr_files(vmware_t)
+files_list_home(vmware_t)
+
+fs_getattr_all_fs(vmware_t)
+fs_search_auto_mountpoints(vmware_t)
+
+storage_raw_read_removable_device(vmware_t)
+storage_raw_write_removable_device(vmware_t)
+
+libs_exec_ld_so(vmware_t)
+libs_read_lib_files(vmware_t)
+
+miscfiles_read_localization(vmware_t)
+
+userdom_use_user_terminals(vmware_t)
+userdom_list_user_home_dirs(vmware_t)
+
+sysnet_dns_name_resolve(vmware_t)
+
+xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(vmware_t)
+ fs_manage_nfs_files(vmware_t)
+ fs_manage_nfs_symlinks(vmware_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(vmware_t)
+ fs_manage_cifs_files(vmware_t)
+ fs_manage_cifs_symlinks(vmware_t)
+')
diff --git a/policy/modules/apps/webalizer.fc b/policy/modules/apps/webalizer.fc
new file mode 100644
index 00000000..64baf679
--- /dev/null
+++ b/policy/modules/apps/webalizer.fc
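Review bot: `netutils_domtrans_ping(vmware_host_t)` in the host policy and `xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)` in the guest policy are called bare, while the neighbouring `hostname_exec`, `modutils_domtrans`, `samba_read_config` and `xserver_read_*` calls are each wrapped in their own `optional_policy` block; if netutils or xserver is built as an optional module this module will fail to build without it. Moving each of the two calls into an `optional_policy` block of its own, exactly like the `hostname_exec(vmware_host_t)` block just below it, removes the hard dependency without changing the resulting policy when both modules are present. Separately, the guest domain vmware_t is given `sys_admin`, `sys_rawio`, `dev_read_raw_memory`/`dev_write_raw_memory` and raw removable-device access, which together leave it close to unconfined; a header comment under `# Guest local policy` stating that this domain is not meant as a confinement boundary for the user would spare the next reviewer from rediscovering that.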
@@ -0,0 +1,9 @@
+/etc/webalizer\.conf -- gen_context(system_u:object_r:webalizer_etc_t,s0)
+
+/usr/bin/awffull -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+/usr/bin/webazolver -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+
+/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0)
+
+/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0)
diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if
new file mode 100644
index 00000000..cc831b6d
--- /dev/null
+++ b/policy/modules/apps/webalizer.if
@@ -0,0 +1,67 @@
+## <summary>Web server log analysis.</summary>
+
+########################################
+## <summary>
+## Execute webalizer in the webalizer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`webalizer_domtrans',`
+ gen_require(`
+ type webalizer_t, webalizer_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, webalizer_exec_t, webalizer_t)
+')
+
+########################################
+## <summary>
+## Execute webalizer in the webalizer
+## domain, and allow the specified
+## role the webalizer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webalizer_run',`
+ gen_require(`
+ attribute_role webalizer_roles;
+ ')
+
+ webalizer_domtrans($1)
+ roleattribute $2 webalizer_roles;
+')
+
+########################################
+## <summary>
+## Manage webalizer usage files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to manage webalizer usage files
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`manage_webalizer_var_lib',`
+ gen_require(`
+ type webalizer_var_lib_t;
+ ')
+
+ allow $1 webalizer_var_lib_t:dir manage_dir_perms;
+ allow $1 webalizer_var_lib_t:file manage_file_perms;
+')
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
new file mode 100644
index 00000000..da454655
--- /dev/null
+++ b/policy/modules/apps/webalizer.te
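Review bot: `manage_webalizer_var_lib` breaks the `<module>_<verb>_<object>` naming that every other interface in this series follows (`webalizer_domtrans`, `webalizer_run`, `vmware_append_log`); if nothing calls it yet, `webalizer_manage_var_lib` is the name callers will look for. The interface also hands out `manage_dir_perms`/`manage_file_perms` on webalizer_var_lib_t without granting search on the parent directory, so a caller that does not already have `files_search_var_lib` cannot reach the files; adding `files_search_var_lib($1)` before the two allow rules, or using the `manage_dirs_pattern`/`manage_files_pattern` macros as the .te file does, would close that gap. The `<rolecap/>` tag on it also looks out of place, since the interface grants no role and the tag is otherwise only used on `*_run` interfaces in this series.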
@@ -0,0 +1,95 @@
+policy_module(webalizer, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role webalizer_roles;
+roleattribute system_r webalizer_roles;
+
+type webalizer_t;
+type webalizer_exec_t;
+application_domain(webalizer_t, webalizer_exec_t)
+role webalizer_roles types webalizer_t;
+
+type webalizer_etc_t;
+files_config_file(webalizer_etc_t)
+
+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
+type webalizer_tmp_t;
+files_tmp_file(webalizer_tmp_t)
+
+type webalizer_var_lib_t;
+files_type(webalizer_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow webalizer_t self:capability dac_override;
+allow webalizer_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow webalizer_t self:fd use;
+allow webalizer_t self:fifo_file rw_fifo_file_perms;
+allow webalizer_t self:unix_dgram_socket sendto;
+allow webalizer_t self:unix_stream_socket { accept connectto listen };
+allow webalizer_t self:tcp_socket { accept listen };
+
+allow webalizer_t webalizer_etc_t:file read_file_perms;
+
+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
+manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
+manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
+files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
+
+manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
+files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
+
+can_exec(webalizer_t, webalizer_exec_t)
+
+kernel_read_kernel_sysctls(webalizer_t)
+kernel_read_system_state(webalizer_t)
+
+files_read_etc_runtime_files(webalizer_t)
+files_read_usr_files(webalizer_t)
+
+fs_search_auto_mountpoints(webalizer_t)
+fs_getattr_xattr_fs(webalizer_t)
+fs_rw_anon_inodefs_files(webalizer_t)
+
+auth_use_nsswitch(webalizer_t)
+
+logging_list_logs(webalizer_t)
+logging_send_syslog_msg(webalizer_t)
+
+miscfiles_read_localization(webalizer_t)
+miscfiles_read_public_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
+
+userdom_use_user_terminals(webalizer_t)
+userdom_use_unpriv_users_fds(webalizer_t)
+userdom_dontaudit_search_user_home_content(webalizer_t)
+
+optional_policy(`
+ apache_read_log(webalizer_t)
+ apache_content_template(webalizer)
+ manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+ manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+')
+
+optional_policy(`
+ cron_system_entry(webalizer_t, webalizer_exec_t)
+')
+
+optional_policy(`
+ ftp_read_log(webalizer_t)
+')
+
+optional_policy(`
+ squid_read_log(webalizer_t)
+')
diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
new file mode 100644
index 00000000..786a51e2
--- /dev/null
+++ b/policy/modules/apps/wine.fc
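Review bot: `webalizer_log_t` is declared and given `manage_dirs_pattern`/`manage_files_pattern` rules, but nothing in this commit ever assigns the type: webalizer.fc has no entry for it and the domain has no `logging_log_filetrans`, so unless some other module labels files with it those rules are dead. Either add a `logging_log_filetrans(webalizer_t, webalizer_log_t, { file dir })` and a matching .fc entry for the log location, or drop the type and its two rules. A short comment on `allow webalizer_t self:tcp_socket { accept listen };` would also help, since a log analyzer accepting inbound TCP connections is not what a reader expects and the reason is not visible in the policy.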
@@ -0,0 +1,24 @@
+HOME_DIR/\.wine(/.*)? gen_context(system_u:object_r:wine_home_t,s0)
+HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
new file mode 100644
index 00000000..2dba6216
--- /dev/null
+++ b/policy/modules/apps/wine.if
@@ -0,0 +1,166 @@
+## <summary>Run Windows programs in Linux.</summary>
+
+########################################
+## <summary>
+## Role access for wine.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`wine_role',`
+ gen_require(`
+ attribute_role wine_roles;
+ type wine_exec_t, wine_t, wine_tmp_t;
+ type wine_home_t;
+ ')
+
+ roleattribute $1 wine_roles;
+
+ domtrans_pattern($2, wine_exec_t, wine_t)
+
+ allow wine_t $2:unix_stream_socket connectto;
+ allow wine_t $2:process signull;
+
+ ps_process_pattern($2, wine_t)
+ allow $2 wine_t:process { ptrace signal_perms };
+
+ allow $2 wine_t:fd use;
+ allow $2 wine_t:shm { associate getattr };
+ allow $2 wine_t:shm rw_shm_perms;
+ allow $2 wine_t:unix_stream_socket connectto;
+
+ allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")
+')
+
+#######################################
+## <summary>
+## The role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role_template',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ type $1_wine_t;
+ userdom_user_application_domain($1_wine_t, wine_exec_t)
+ role $2 types $1_wine_t;
+
+ allow $1_wine_t self:process { execmem execstack };
+
+ allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };
+ ps_process_pattern($3, $1_wine_t)
+
+ domtrans_pattern($3, wine_exec_t, $1_wine_t)
+
+ corecmd_bin_domtrans($1_wine_t, $3)
+
+ userdom_manage_user_tmpfs_files($1_wine_t)
+
+ domain_mmap_low($1_wine_t)
+
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
+
+ optional_policy(`
+ xserver_role($1_r, $1_wine_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wine_domtrans',`
+ gen_require(`
+ type wine_t, wine_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wine_exec_t, wine_t)
+')
+
+########################################
+## <summary>
+## Execute wine in the wine domain,
+## and allow the specified role
+## the wine domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_run',`
+ gen_require(`
+ attribute_role wine_roles;
+ ')
+
+ wine_domtrans($1)
+ roleattribute $2 wine_roles;
+')
+
+########################################
+## <summary>
+## Read and write wine Shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_rw_shm',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ allow $1 wine_t:shm rw_shm_perms;
+')
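Review bot: `wine_role_template` calls `xserver_role($1_r, $1_wine_t)` with a role name synthesised from the prefix, although the template's own `user_role` parameter `$2` carries the role and is already used two dozen lines earlier in `role $2 types $1_wine_t;`; the sibling `wm_role_template` in wm.if passes `$2` to `xserver_role`. Unless a prefix-to-role naming rule is guaranteed for every caller, the call should read `xserver_role($2, $1_wine_t)`. The template's `<desc>` text 'This template creates a derived domains which are used' should read 'creates a derived domain which is used'.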
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
new file mode 100644
index 00000000..8ec8c969
--- /dev/null
+++ b/policy/modules/apps/wine.te
@@ -0,0 +1,84 @@
+policy_module(wine, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether attempts by
+## wine to mmap low regions should
+## be silently blocked.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
+attribute_role wine_roles;
+roleattribute system_r wine_roles;
+
+type wine_t;
+type wine_exec_t;
+userdom_user_application_domain(wine_t, wine_exec_t)
+role wine_roles types wine_t;
+
+type wine_home_t;
+userdom_user_home_content(wine_home_t)
+
+type wine_tmp_t;
+userdom_user_tmp_file(wine_tmp_t)
+
+optional_policy(`
+ wm_application_domain(wine_t, wine_exec_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow wine_t self:process { execstack execmem execheap };
+allow wine_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(wine_t, wine_exec_t)
+
+userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
+
+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+
+domain_mmap_low(wine_t)
+
+files_execmod_all_files(wine_t)
+
+userdom_use_user_terminals(wine_t)
+
+tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
+')
+
+optional_policy(`
+ dbus_system_bus_client(wine_t)
+
+ optional_policy(`
+ hal_dbus_chat(wine_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(wine_t)
+ ')
+')
+
+optional_policy(`
+ rtkit_scheduled(wine_t)
+')
+
+optional_policy(`
+ unconfined_domain(wine_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(wine_t)
+ xserver_rw_shm(wine_t)
+')
diff --git a/policy/modules/apps/wireshark.fc b/policy/modules/apps/wireshark.fc
new file mode 100644
index 00000000..7b07a705
--- /dev/null
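Review bot: The `optional_policy` block containing `unconfined_domain(wine_t)` carries no comment, yet it changes the meaning of everything above it: whenever the unconfined module is loaded wine_t is effectively unconfined, and wine.fc labels user-home files as wine_exec_t, so any domain given `wine_domtrans`/`wine_role` transitions from a user-writable entry point into that domain. Suggested comment above the block: `# wine_t is unconfined when the unconfined module is present; the rules above only bound it in fully confined builds`. The unconditional `domain_mmap_low(wine_t)` and `files_execmod_all_files(wine_t)` also deserve a one-line why-comment (presumably legacy 16-bit/DOS code needs low mappings and text relocations — confirm) so they are not read as accidental grants.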
+++ b/policy/modules/apps/wireshark.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0)
+
+/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0)
diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if
new file mode 100644
index 00000000..9cad4afe
--- /dev/null
+++ b/policy/modules/apps/wireshark.if
@@ -0,0 +1,57 @@
+## <summary>Wireshark packet capture tool.</summary>
+
+############################################################
+## <summary>
+## Role access for wireshark.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`wireshark_role',`
+ gen_require(`
+ attribute_role wireshark_roles;
+ type wireshark_t, wireshark_exec_t, wireshark_home_t;
+ type wireshark_tmp_t, wireshark_tmpfs_t;
+ ')
+
+ roleattribute $1 wireshark_roles;
+
+ domtrans_pattern($2, wireshark_exec_t, wireshark_t)
+
+ allow $2 wireshark_t:process { ptrace signal_perms };
+ ps_process_pattern($2, wireshark_t)
+
+ allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { wireshark_home_t wireshark_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 wireshark_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 wireshark_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ userdom_user_home_dir_filetrans($2, wireshark_home_t, dir, ".wireshark")
+')
+
+########################################
+## <summary>
+## Execute wireshark in wireshark domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wireshark_domtrans',`
+ gen_require(`
+ type wireshark_t, wireshark_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wireshark_exec_t, wireshark_t)
+')
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
new file mode 100644
index 00000000..1f2641f4
--- /dev/null
+++ b/policy/modules/apps/wireshark.te
@@ -0,0 +1,133 @@
+policy_module(wireshark, 2.6.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role wireshark_roles;
+
+type wireshark_t;
+type wireshark_exec_t;
+typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
+typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
+userdom_user_application_domain(wireshark_t, wireshark_exec_t)
+role wireshark_roles types wireshark_t;
+
+type wireshark_home_t;
+typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
+typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
+userdom_user_home_content(wireshark_home_t)
+
+type wireshark_tmp_t;
+typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
+typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
+userdom_user_tmp_file(wireshark_tmp_t)
+
+type wireshark_tmpfs_t;
+typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
+typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
+userdom_user_tmpfs_file(wireshark_tmpfs_t)
+
+optional_policy(`
+ wm_application_domain(wireshark_t, wireshark_exec_t)
+')
+
+##############################
+#
+# Local Policy
+#
+
+allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:process { signal getsched };
+allow wireshark_t self:fifo_file rw_fifo_file_perms;
+allow wireshark_t self:shm create_shm_perms;
+allow wireshark_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir, ".wireshark")
+
+manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file })
+
+manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+can_exec(wireshark_t, wireshark_exec_t)
+
+kernel_read_kernel_sysctls(wireshark_t)
+kernel_read_system_state(wireshark_t)
+kernel_read_sysctl(wireshark_t)
+
+corecmd_exec_bin(wireshark_t)
+
+corenet_all_recvfrom_unlabeled(wireshark_t)
+corenet_all_recvfrom_netlabel(wireshark_t)
+corenet_tcp_sendrecv_generic_if(wireshark_t)
+corenet_udp_sendrecv_generic_if(wireshark_t)
+corenet_raw_sendrecv_generic_if(wireshark_t)
+corenet_tcp_sendrecv_generic_node(wireshark_t)
+corenet_udp_sendrecv_generic_node(wireshark_t)
+corenet_raw_sendrecv_generic_node(wireshark_t)
+corenet_tcp_sendrecv_all_ports(wireshark_t)
+corenet_udp_sendrecv_all_ports(wireshark_t)
+
+corenet_sendrecv_generic_client_packets(wireshark_t)
+corenet_tcp_connect_generic_port(wireshark_t)
+
+dev_read_rand(wireshark_t)
+dev_read_sysfs(wireshark_t)
+dev_read_urand(wireshark_t)
+
+files_map_usr_files(wireshark_t)
+files_read_usr_files(wireshark_t)
+
+fs_getattr_all_fs(wireshark_t)
+fs_list_inotifyfs(wireshark_t)
+fs_search_auto_mountpoints(wireshark_t)
+
+auth_use_nsswitch(wireshark_t)
+
+libs_read_lib_files(wireshark_t)
+
+miscfiles_read_fonts(wireshark_t)
+miscfiles_read_localization(wireshark_t)
+
+userdom_use_user_terminals(wireshark_t)
+
+userdom_user_content_access_template(wireshark, wireshark_t)
+
+xdg_read_downloads(wireshark_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(wireshark_t)
+ fs_manage_nfs_files(wireshark_t)
+ fs_manage_nfs_symlinks(wireshark_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(wireshark_t)
+ fs_manage_cifs_files(wireshark_t)
+ fs_manage_cifs_symlinks(wireshark_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(wireshark_t)
+')
+
+optional_policy(`
+ userhelper_use_fd(wireshark_t)
+ userhelper_sigchld(wireshark_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(wireshark_t)
+')
diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc
new file mode 100644
index 00000000..05129fea
--- /dev/null
+++ b/policy/modules/apps/wm.fc
@@ -0,0 +1,5 @@
+/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/mutter -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
new file mode 100644
index 00000000..260a7b01
--- /dev/null
+++ b/policy/modules/apps/wm.if
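Review bot: `allow wireshark_t self:capability { net_admin net_raw setgid };` grants net_admin to the whole GUI domain with no comment, while net_raw alone covers the `packet_socket create_socket_perms` granted a few lines below; if net_admin is only needed to set interface flags for promiscuous capture, a why-comment such as `# net_admin: interface flags for promiscuous capture` would make the grant auditable, otherwise it is broader than capture requires. The same domain also receives `corecmd_exec_bin`, `xdg_read_downloads` and the full `userdom_user_content_access_template`, so the dissector engine runs with the user's files in reach. If the packaged wireshark ships a separate capture helper (dumpcap), labelling it with its own type would let net_raw/net_admin be confined to that helper; the .fc file does not show whether such a binary exists on the target.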
@@ -0,0 +1,252 @@
+## <summary>X Window Managers.</summary>
+
+#######################################
+## <summary>
+## The role template for the wm module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for window manager applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wm_role_template',`
+ gen_require(`
+ attribute wm_domain;
+ type wm_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_wm_t, wm_domain;
+ userdom_user_application_domain($1_wm_t, wm_exec_t)
+ role $2 types $1_wm_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $3 $1_wm_t:fd use;
+
+ allow $1_wm_t $3:unix_stream_socket connectto;
+ allow $3 $1_wm_t:unix_stream_socket connectto;
+
+ allow $3 $1_wm_t:process { ptrace signal_perms };
+ ps_process_pattern($3, $1_wm_t)
+
+ allow $1_wm_t $3:process { signull sigkill };
+
+ domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+ corecmd_bin_domtrans($1_wm_t, $3)
+ corecmd_shell_domtrans($1_wm_t, $3)
+
+ mls_file_read_all_levels($1_wm_t)
+ mls_file_write_all_levels($1_wm_t)
+ mls_xwin_read_all_levels($1_wm_t)
+ mls_xwin_write_all_levels($1_wm_t)
+ mls_fd_use_all_levels($1_wm_t)
+
+ auth_use_nsswitch($1_wm_t)
+
+ xserver_role($2, $1_wm_t)
+ xserver_manage_core_devices($1_wm_t)
+
+ wm_write_pipes($1, $3)
+
+ optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
+ dbus_spec_session_bus_client($1, $1_wm_t)
+ dbus_system_bus_client($1_wm_t)
+
+ optional_policy(`
+ wm_dbus_chat($1, $3)
+ ')
+ ')
+
+ optional_policy(`
+ gnome_stream_connect_all_gkeyringd($1_wm_t)
+ ')
+
+ optional_policy(`
+ policykit_run_auth($1_wm_t, $2)
+ policykit_signal_auth($1_wm_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_run($1_wm_t, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Execute wm in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wm_exec',`
+ gen_require(`
+ type wm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, wm_exec_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## specified wm over dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wm_dbus_chat',`
+ gen_require(`
+ type $1_wm_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 $1_wm_t:dbus send_msg;
+ allow $1_wm_t $2:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type wm_tmp_t;
+ ')
+
+ dontaudit $1 wm_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ dontaudit $1 wm_tmpfs_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Create a domain for applications
+## that are launched by the window
+## manager.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for applications that are launched by the
+## window manager (implying a domain transition). Typically
+## these are graphical applications that are run interactively.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## </desc>
+## <param name="target_domain">
+## <summary>
+## Type to be used in the domain transition as the application
+## domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="source_domain">
+## <summary>
+## Type to be used as the source window manager domain.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`wm_application_domain',`
+ gen_require(`
+ attribute wm_domain;
+ ')
+
+ userdom_user_application_domain($1, $2)
+ domtrans_pattern(wm_domain, $2, $1)
+')
+
+########################################
+## <summary>
+## Write wm unnamed pipes.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wm_write_pipes',`
+ gen_require(`
+ type $1_wm_t;
+ ')
+
+ allow $2 $1_wm_t:fifo_file write;
+')
diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
new file mode 100644
index 00000000..4b7e88ad
--- /dev/null
+++ b/policy/modules/apps/wm.te
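Review bot: `wm_application_domain` documents a third parameter `source_domain` ("Type to be used as the source window manager domain") but its body never references `$3` — the transition source is the `wm_domain` attribute — and the callers in wine.te and wireshark.te pass only two arguments, so the `<param name="source_domain">` block is stale and should be removed so the interface docs match the real signature. In `wm_role_template`, the five `mls_*_all_levels($1_wm_t)` calls turn every derived window-manager domain into a multi-level trusted subject for files, X windows and fds; a comment on that group stating why (the manager has to handle windows of every level) would keep it from being read as an accidental MLS override. The template's `<desc>` text 'creates a derived domains which are used' should read 'creates a derived domain which is used'.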
@@ -0,0 +1,152 @@
+policy_module(wm, 1.8.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute wm_domain;
+
+type wm_exec_t;
+corecmd_executable_file(wm_exec_t)
+
+type wm_tmp_t;
+userdom_user_tmp_file(wm_tmp_t)
+
+type wm_tmpfs_t;
+userdom_user_tmpfs_file(wm_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(wm_tmpfs_t)
+')
+
+########################################
+#
+# Common wm domain local policy
+#
+
+allow wm_domain self:fifo_file rw_fifo_file_perms;
+allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
+allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow wm_domain self:shm create_shm_perms;
+allow wm_domain self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+
+can_exec(wm_domain, wm_exec_t)
+
+kernel_read_system_state(wm_domain)
+
+corecmd_getattr_all_executables(wm_domain)
+
+dev_read_rand(wm_domain)
+dev_read_sound(wm_domain)
+dev_read_sysfs(wm_domain)
+dev_read_urand(wm_domain)
+dev_rw_dri(wm_domain)
+dev_rw_wireless(wm_domain)
+dev_write_sound(wm_domain)
+
+files_read_etc_runtime_files(wm_domain)
+files_map_usr_files(wm_domain)
+files_read_usr_files(wm_domain)
+
+fs_getattr_all_fs(wm_domain)
+
+kernel_read_fs_sysctls(wm_domain)
+kernel_read_proc_symlinks(wm_domain)
+kernel_read_sysctl(wm_domain)
+
+locallogin_dontaudit_use_fds(wm_domain)
+
+miscfiles_read_fonts(wm_domain)
+miscfiles_read_generic_certs(wm_domain)
+miscfiles_read_localization(wm_domain)
+
+selinux_get_enforce_mode(wm_domain)
+
+seutil_read_config(wm_domain)
+
+udev_read_pid_files(wm_domain)
+
+# the following is needed by gnome-shell
+userdom_exec_user_home_content_files(wm_domain)
+
+userdom_manage_user_tmp_sockets(wm_domain)
+userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
+
+# to print error messages
+userdom_use_inherited_user_terminals(wm_domain)
+
+userdom_manage_user_home_content_dirs(wm_domain)
+userdom_manage_user_home_content_files(wm_domain)
+
+userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
+
+wm_dontaudit_exec_tmp_files(wm_domain)
+wm_dontaudit_exec_tmpfs_files(wm_domain)
+
+optional_policy(`
+ accountsd_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ bluetooth_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_power(wm_domain)
+')
+
+optional_policy(`
+ evolution_dbus_chat(wm_domain)
+ evolution_alarm_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ games_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ # gnome-shell
+ mount_exec(wm_domain)
+')
+
+optional_policy(`
+ mozilla_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(wm_domain)
+ networkmanager_read_etc_files(wm_domain)
+')
+
+optional_policy(`
+ policykit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ telepathy_mission_control_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ userhelper_exec_consolehelper(wm_domain)
+')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(wm_domain)
+ xserver_rw_xsession_log(wm_domain)
+')
diff --git a/policy/modules/apps/xscreensaver.fc b/policy/modules/apps/xscreensaver.fc
new file mode 100644
index 00000000..70b71a5c
--- /dev/null
+++ b/policy/modules/apps/xscreensaver.fc
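Review bot: `userdom_exec_user_home_content_files(wm_domain)` is justified by `# the following is needed by gnome-shell`, but a few lines later the same domain also gets `userdom_manage_user_home_content_dirs`/`_files`, so every wm_domain member can both write and execute generic user home content; the comment should name the gnome-shell path that needs exec so a later reader can judge whether a dedicated type would serve instead. `dev_rw_wireless(wm_domain)` carries no comment and is unusual for a window manager (presumably a gnome-shell network indicator — confirm); a one-line why-comment, or placing it under an `optional_policy` with that comment, would help.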
@@ -0,0 +1,7 @@
+HOME_DIR/\.xscreensaver -- gen_context(system_u:object_r:xscreensaver_config_t,s0)
+
+/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/bin/xscreensaver-getimage.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+/usr/bin/xscreensaver-gl-helper -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+
+/usr/libexec/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
diff --git a/policy/modules/apps/xscreensaver.if b/policy/modules/apps/xscreensaver.if
new file mode 100644
index 00000000..704c3bdd
--- /dev/null
+++ b/policy/modules/apps/xscreensaver.if
@@ -0,0 +1,41 @@
+## <summary>Modular screen saver and locker for X11.</summary>
+
+########################################
+## <summary>
+## Role access for xscreensaver.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`xscreensaver_role',`
+ gen_require(`
+ attribute_role xscreensaver_roles;
+ attribute_role xscreensaver_helper_roles;
+ type xscreensaver_t, xscreensaver_exec_t;
+ type xscreensaver_helper_t;
+ type xscreensaver_config_t, xscreensaver_tmpfs_t;
+ ')
+
+ roleattribute $1 xscreensaver_roles;
+ roleattribute $1 xscreensaver_helper_roles;
+
+ domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
+
+ allow $2 xscreensaver_t:process { ptrace signal_perms };
+ ps_process_pattern($2, xscreensaver_t)
+
+ allow $2 xscreensaver_config_t:file { manage_file_perms relabel_file_perms };
+
+ allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
+
+ allow xscreensaver_helper_t $2:fd use;
+')
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
new file mode 100644
index 00000000..4e67161c
--- /dev/null
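Review bot: `xscreensaver_role` grants `$2` manage and relabel on xscreensaver_config_t but, unlike `wine_role` and `wireshark_role` in this same series, adds no `userdom_user_home_dir_filetrans($2, xscreensaver_config_t, file, ".xscreensaver")`, and xscreensaver.te has no such filetrans for xscreensaver_t either; a `~/.xscreensaver` written by the user domain or by the locker will therefore be created with the generic home-content label and only match the xscreensaver.fc entry after a restorecon. Adding the filetrans here, with a matching one in xscreensaver.te, closes that gap.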
+++ b/policy/modules/apps/xscreensaver.te 
@@ -0,0 +1,115 @@
+policy_module(xscreensaver, 1.3.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Grant the xscreensaver domains read access to generic user content
+## </p>
+## </desc>
+gen_tunable(`xscreensaver_read_generic_user_content', true)
+
+attribute_role xscreensaver_roles;
+attribute_role xscreensaver_helper_roles;
+
+type xscreensaver_t;
+type xscreensaver_exec_t;
+userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t)
+role xscreensaver_roles types xscreensaver_t;
+
+type xscreensaver_helper_t;
+type xscreensaver_helper_exec_t;
+userdom_user_application_domain(xscreensaver_helper_t, xscreensaver_helper_exec_t)
+role xscreensaver_helper_roles types xscreensaver_helper_t;
+
+type xscreensaver_config_t;
+userdom_user_home_content(xscreensaver_config_t)
+
+type xscreensaver_tmpfs_t;
+userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xscreensaver_t self:capability { setgid setuid };
+allow xscreensaver_t self:process { setsched signal sigstop };
+allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
+
+allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop };
+
+allow xscreensaver_t xscreensaver_config_t:file manage_file_perms;
+
+kernel_read_system_state(xscreensaver_t)
+
+files_read_usr_files(xscreensaver_t)
+
+fs_dontaudit_getattr_xattr_fs(xscreensaver_t)
+
+auth_use_nsswitch(xscreensaver_t)
+auth_domtrans_chk_passwd(xscreensaver_t)
+
+domtrans_pattern(xscreensaver_t, xscreensaver_helper_exec_t, xscreensaver_helper_t)
+
+init_read_utmp(xscreensaver_t)
+
+logging_send_audit_msgs(xscreensaver_t)
+logging_send_syslog_msg(xscreensaver_t)
+
+miscfiles_read_localization(xscreensaver_t)
+
+userdom_use_user_terminals(xscreensaver_t)
+
+xdg_read_pictures(xscreensaver_t)
+
+xserver_rw_xsession_log(xscreensaver_t)
+xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+
+tunable_policy(`xscreensaver_read_generic_user_content',`
+ userdom_list_user_tmp(xscreensaver_t)
+ userdom_list_user_home_content(xscreensaver_t)
+ userdom_read_user_home_content_files(xscreensaver_t)
+ userdom_read_user_home_content_symlinks(xscreensaver_t)
+ userdom_read_user_tmp_files(xscreensaver_t)
+',`
+ files_dontaudit_list_home(xscreensaver_t)
+ files_dontaudit_list_tmp(xscreensaver_t)
+
+ userdom_dontaudit_list_user_home_dirs(xscreensaver_t)
+ userdom_dontaudit_list_user_tmp(xscreensaver_t)
+ userdom_dontaudit_read_user_home_content_files(xscreensaver_t)
+ userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
+')
+
+########################################
+#
+# Helper local policy
+#
+
+allow xscreensaver_helper_t self:process { execmem signal };
+allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms;
+
+allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms;
+
+dev_read_sysfs(xscreensaver_helper_t)
+
+kernel_read_system_state(xscreensaver_helper_t)
+
+files_dontaudit_search_home(xscreensaver_helper_t)
+
+# /etc/drirc
+files_read_etc_files(xscreensaver_helper_t)
+
+files_read_usr_files(xscreensaver_helper_t)
+
+fs_dontaudit_getattr_xattr_fs(xscreensaver_helper_t)
+
+miscfiles_read_fonts(xscreensaver_helper_t)
+miscfiles_read_localization(xscreensaver_helper_t)
+
+xserver_rw_xsession_log(xscreensaver_helper_t)
+xserver_stream_connect(xscreensaver_helper_t)
diff --git a/policy/modules/apps/yam.fc b/policy/modules/apps/yam.fc
new file mode 100644
index 00000000..74401d54
--- /dev/null
+++ b/policy/modules/apps/yam.fc
@@ -0,0 +1,6 @@
+/etc/yam\.conf -- gen_context(system_u:object_r:yam_etc_t,s0)
+
+/usr/bin/yam -- gen_context(system_u:object_r:yam_exec_t,s0)
+
+/var/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0)
+/var/www/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0)
diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if
new file mode 100644
index 00000000..ba7c8c88
--- /dev/null
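Review bot: `gen_tunable(`xscreensaver_read_generic_user_content', true)` quotes the tunable name, while the other tunable in this series (`gen_tunable(wine_mmap_zero_ignore, false)` in wine.te) leaves it unquoted; for consistency write `gen_tunable(xscreensaver_read_generic_user_content, true)`. The tunable defaults to on and its `<desc>` does not say which feature of the locker process itself needs generic home and tmp content; if the reads serve the image-displaying hacks they presumably belong to xscreensaver_helper_t rather than xscreensaver_t, so the description should name the feature that needs them (and end with a full stop).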
+++ b/policy/modules/apps/yam.if
@@ -0,0 +1,66 @@
+## <summary>Yum/Apt Mirroring.</summary>
+
+########################################
+## <summary>
+## Execute yam in the yam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`yam_domtrans',`
+ gen_require(`
+ type yam_t, yam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, yam_exec_t, yam_t)
+')
+
+########################################
+## <summary>
+## Execute yam in the yam domain, and
+## allow the specified role the yam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`yam_run',`
+ gen_require(`
+ attribute_role yam_roles;
+ ')
+
+ yam_domtrans($1)
+ roleattribute $2 yam_roles;
+')
+
+########################################
+## <summary>
+## Read yam content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`yam_read_content',`
+ gen_require(`
+ type yam_content_t;
+ ')
+
+ allow $1 yam_content_t:dir list_dir_perms;
+ read_files_pattern($1, yam_content_t, yam_content_t)
+ read_lnk_files_pattern($1, yam_content_t, yam_content_t)
+')
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
new file mode 100644
index 00000000..b451e6e8
--- /dev/null
+++ b/policy/modules/apps/yam.te
@@ -0,0 +1,96 @@
+policy_module(yam, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role yam_roles;
+
+type yam_t alias yam_crond_t;
+type yam_exec_t;
+application_domain(yam_t, yam_exec_t)
+role yam_roles types yam_t;
+
+type yam_content_t;
+files_mountpoint(yam_content_t)
+
+type yam_etc_t;
+files_config_file(yam_etc_t)
+
+type yam_tmp_t;
+files_tmp_file(yam_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow yam_t self:capability { chown dac_override fowner fsetid };
+allow yam_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
+allow yam_t self:fd use;
+allow yam_t self:fifo_file rw_fifo_file_perms;
+allow yam_t self:unix_stream_socket { accept connectto listen };
+allow yam_t self:unix_dgram_socket sendto;
+
+manage_dirs_pattern(yam_t, yam_content_t, yam_content_t)
+manage_files_pattern(yam_t, yam_content_t, yam_content_t)
+manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t)
+
+allow yam_t yam_etc_t:file read_file_perms;
+
+manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t)
+manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t)
+files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
+
+kernel_read_system_state(yam_t)
+
+corecmd_exec_bin(yam_t)
+corecmd_exec_shell(yam_t)
+
+corenet_all_recvfrom_unlabeled(yam_t)
+corenet_all_recvfrom_netlabel(yam_t)
+corenet_tcp_sendrecv_generic_if(yam_t)
+corenet_tcp_sendrecv_generic_node(yam_t)
+
+corenet_sendrecv_http_client_packets(yam_t)
+corenet_tcp_connect_http_port(yam_t)
+corenet_tcp_sendrecv_http_port(yam_t)
+
+corenet_sendrecv_rsync_client_packets(yam_t)
+corenet_tcp_connect_rsync_port(yam_t)
+corenet_tcp_sendrecv_rsync_port(yam_t)
+
+dev_read_urand(yam_t)
+
+files_read_etc_runtime_files(yam_t)
+files_exec_usr_files(yam_t)
+
+fs_search_auto_mountpoints(yam_t)
+fs_read_iso9660_files(yam_t)
+
+auth_use_nsswitch(yam_t)
+
+logging_send_syslog_msg(yam_t)
+
+miscfiles_read_localization(yam_t)
+
+seutil_read_config(yam_t)
+
+userdom_use_user_terminals(yam_t)
+userdom_use_unpriv_users_fds(yam_t)
+userdom_search_user_home_dirs(yam_t)
+
+apache_search_sys_content(yam_t)
+
+optional_policy(`
+ cron_system_entry(yam_t, yam_exec_t)
+')
+
+optional_policy(`
+ mount_domtrans(yam_t)
+')
+
+optional_policy(`
+ rsync_exec(yam_t)
+') |
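Review bot: The `allow yam_t self:process { ... }` rule in the "Local policy" section of yam.te grants a far broader permission set than a mirroring tool's role suggests — `transition`, `dyntransition`, `setcap`, `share`, `noatsecure`, `siginh`, `rlimitinh`, `execmem`, `setkeycreate` and `setsockcreate` are permissions reference policy normally adds individually with a justifying comment, and `execmem` in particular permits writable-and-executable anonymous memory in the domain. Unless an audit trail shows yam or the rsync/mount children it spawns needing them, I would narrow the line to `allow yam_t self:process { signal_perms getsched setsched getsession getpgid setpgid };` and reintroduce any further permission with a one-line comment naming the denial that required it. Separately, `apache_search_sys_content(yam_t)` is the only cross-module call in this file placed outside `optional_policy`, while the cron, mount and rsync calls are wrapped; as written the module hard-requires the apache module to load, so it should be wrapped the same way.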
