diff --git a/livecd.if b/livecd.if index da499d4..c6b2383 100644 --- a/livecd.if +++ b/livecd.if @@ -40,19 +40,12 @@ interface(`livecd_run',` gen_require(` type livecd_t; type livecd_exec_t; - #attribute_role livecd_roles; + attribute_role livecd_roles; ') livecd_domtrans($1) - #roleattribute $2 livecd_roles; - role $2 types livecd_t; + roleattribute $2 livecd_roles; role_transition $2 livecd_exec_t system_r; - - seutil_run_setfiles_mac(livecd_t, system_r) - - optional_policy(` - mount_run(livecd_t, $2) - ') ') ######################################## diff --git a/livecd.te b/livecd.te index 09b5105..06b1661 100644 --- a/livecd.te +++ b/livecd.te @@ -5,14 +5,13 @@ policy_module(livecd, 1.2.1) # Declarations # -#attribute_role livecd_roles; -#roleattribute system_r livecd_roles; +attribute_role livecd_roles; +roleattribute system_r livecd_roles; type livecd_t; type livecd_exec_t; application_domain(livecd_t, livecd_exec_t) -role system_r types livecd_t; -#role livecd_roles types livecd_t; +role livecd_roles types livecd_t; type livecd_tmp_t; files_tmp_file(livecd_tmp_t) @@ -36,6 +35,15 @@ sysnet_etc_filetrans_config(livecd_t) optional_policy(` hal_dbus_chat(livecd_t) ') + +optional_policy(` + mount_run(livecd_t, livecd_roles) +') + +optional_policy(` + seutil_run_setfiles_mac(livecd_t, livecd_roles) +') + optional_policy(` unconfined_domain_noaudit(livecd_t) ') diff --git a/lpd.if b/lpd.if index 628b63c..7826e38 100644 --- a/lpd.if +++ b/lpd.if @@ -18,10 +18,21 @@ # interface(`lpd_role',` gen_require(` + attribute_role lpr_roles; type lpr_t, lpr_exec_t, print_spool_t; ') - role $1 types lpr_t; + ######################################## + # + # Declarations + # + + roleattribute $1 lpr_roles; + + ######################################## + # + # Policy + # # Transition from the user domain to the derived domain. domtrans_pattern($2, lpr_exec_t, lpr_t) 
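Review bot: The lpd_role hunk (`@@ -18,10 +18,21 @@` in lpd.if) now requires `attribute_role lpr_roles;`, but lpd.te is not part of this diff, so the declaration and the `role lpr_roles types lpr_t;` statement that replaces the removed `role $1 types lpr_t;` must already exist there; if they do not, every caller of lpd_role and lpd_run_lpr will fail to link. Worth confirming against lpd.te or adding it to the same commit, since every other module converted here (livecd, ncftool, vpn, usernetctl) ships its .te change alongside the .if change. The "Declarations"/"Policy" banner comments added inside the interface body are a style departure from the other interfaces in this diff, which place only a short sentence comment before each statement group.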
@@ -29,6 +40,7 @@ interface(`lpd_role',` ps_process_pattern($2, lpr_t) allow $2 lpr_t:process signal_perms; + tunable_policy(`deny_ptrace',`',` allow $2 lpr_t:process ptrace; ') @@ -217,11 +229,11 @@ interface(`lpd_domtrans_lpr',` # interface(`lpd_run_lpr',` gen_require(` - type lpr_t; + attribute_role lpr_roles; ') lpd_domtrans_lpr($1) - role $2 types lpr_t; + roleattribute $2 lpr_roles; ') ######################################## diff --git a/mozilla.if b/mozilla.if index cccec7e..af119ae 100644 --- a/mozilla.if +++ b/mozilla.if @@ -18,11 +18,10 @@ interface(`mozilla_role',` gen_require(` type mozilla_t, mozilla_exec_t, mozilla_home_t; - #attribute_role mozilla_roles; + attribute_role mozilla_roles; ') - #roleattribute $1 mozilla_roles; - role $1 types mozilla_t; + roleattribute $1 mozilla_roles; domain_auto_trans($2, mozilla_exec_t, mozilla_t) # Unrestricted inheritance from the caller. @@ -262,11 +261,12 @@ interface(`mozilla_domtrans_plugin',` interface(`mozilla_run_plugin',` gen_require(` type mozilla_plugin_t; + attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles; ') mozilla_domtrans_plugin($1) - role $2 types mozilla_plugin_t; - role $2 types mozilla_plugin_config_t; + roleattribute $2 mozilla_plugin_roles; + roleattribute $2 mozilla_plugin_config_roles; ') ####################################### @@ -284,14 +284,11 @@ interface(`mozilla_role_plugin',` gen_require(` type mozilla_plugin_t; type mozilla_plugin_config_t; + attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles; ') - role $1 types mozilla_plugin_t; - role $1 types mozilla_plugin_config_t; - - optional_policy(` - lpd_run_lpr(mozilla_plugin_t, $1) - ') + roleattribute $2 mozilla_plugin_roles; + roleattribute $2 mozilla_plugin_config_roles; ') ######################################## diff --git a/mozilla.te b/mozilla.te index 8247246..d2f985a 100644 --- a/mozilla.te +++ b/mozilla.te 
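Review bot: In the mozilla_role_plugin hunk (`@@ -284,14 +284,11 @@` in mozilla.if) the new lines `roleattribute $2 mozilla_plugin_roles;` and `roleattribute $2 mozilla_plugin_config_roles;` use $2, while the lines they replace (`role $1 types mozilla_plugin_t;`) took the role from $1, as does the sibling mozilla_role interface earlier in the same file. Unless the interface's parameter order was changed outside this hunk, this looks copied from mozilla_run_plugin (where the role is $2) and will either attach the wrong argument or fail to build; the fix is `roleattribute $1 mozilla_plugin_roles;` and `roleattribute $1 mozilla_plugin_config_roles;`. The removed `lpd_run_lpr(mozilla_plugin_t, $1)` block reappears in mozilla.te keyed on mozilla_roles, so a role that calls only mozilla_role_plugin no longer receives lpr access; a sentence in the commit message would make clear that this is intended.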
@@ -26,15 +26,20 @@ gen_tunable(mozilla_read_content, false) ## gen_tunable(mozilla_plugin_enable_homedirs, false) -#attribute_role mozilla_roles; +attribute_role mozilla_roles; +attribute_role mozilla_plugin_roles; +attribute_role mozilla_plugin_config_roles; + +roleattribute system_r mozilla_roles; +roleattribute system_r mozilla_plugin_roles; +roleattribute system_r mozilla_plugin_config_roles; type mozilla_t; type mozilla_exec_t; typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; userdom_user_application_domain(mozilla_t, mozilla_exec_t) -#role mozilla_roles types mozilla_t; -role system_r types mozilla_t; +role mozilla_roles types mozilla_t; type mozilla_conf_t; files_config_file(mozilla_conf_t) @@ -47,8 +52,7 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) -#role mozilla_roles types mozilla_plugin_t; -role system_r types mozilla_plugin_t; +role mozilla_roles types mozilla_plugin_t; type mozilla_plugin_tmp_t; userdom_user_tmp_content(mozilla_plugin_tmp_t) @@ -64,8 +68,7 @@ files_type(mozilla_plugin_rw_t) type mozilla_plugin_config_t; type mozilla_plugin_config_exec_t; application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) -#role mozilla_roles types mozilla_plugin_config_t; -role system_r types mozilla_plugin_config_t; +role mozilla_roles types mozilla_plugin_config_t; type mozilla_tmp_t; userdom_user_tmp_file(mozilla_tmp_t) @@ -503,9 +506,9 @@ optional_policy(` java_exec(mozilla_plugin_t) ') -#optional_policy(` -# lpd_run_lpr(mozilla_plugin_t, mozilla_roles) -#') +optional_policy(` + lpd_run_lpr(mozilla_plugin_t, mozilla_roles) +') optional_policy(` mplayer_exec(mozilla_plugin_t) diff --git a/ncftool.if b/ncftool.if index 96e5824..4309e3d 100644 --- a/ncftool.if +++ b/ncftool.if 
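Review bot: In the `@@ -47,8 +52,7 @@` and `@@ -64,8 +68,7 @@` hunks of mozilla.te the plugin domains are authorized with `role mozilla_roles types mozilla_plugin_t;` and `role mozilla_roles types mozilla_plugin_config_t;`, but the newly declared mozilla_plugin_roles and mozilla_plugin_config_roles attributes never appear in a `role ... types` statement anywhere in this diff. mozilla_run_plugin in mozilla.if adds its caller's role only to those two attributes, so unless a matching statement exists outside these hunks, a role granted mozilla_run_plugin without mozilla_role gets the domain transition but no RBAC authorization for mozilla_plugin_t. Either add `role mozilla_plugin_roles types mozilla_plugin_t;` and `role mozilla_plugin_config_roles types mozilla_plugin_config_t;` next to the existing lines, or drop the two extra attributes and key mozilla_run_plugin on mozilla_roles, as the `@@ -503,9 +506,9 @@` hunk already does for lpd_run_lpr.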
@@ -39,18 +39,10 @@ interface(`ncftool_domtrans',` interface(`ncftool_run',` gen_require(` type ncftool_t; - #attribute_role ncftool_roles; - ') - - #ncftool_domtrans($1) - #roleattribute $2 ncftool_roles; + attribute_role ncftool_roles; + ') ncftool_domtrans($1) - role $2 types ncftool_t; - - optional_policy(` - brctl_run(ncftool_t, $2) - ') - + roleattribute $2 ncftool_roles; ') diff --git a/ncftool.te b/ncftool.te index 1161ce1..c8baed2 100644 --- a/ncftool.te +++ b/ncftool.te @@ -5,16 +5,15 @@ policy_module(ncftool, 1.1.2) # Declarations # -#attribute_role ncftool_roles; -#roleattribute system_r ncftool_roles; +attribute_role ncftool_roles; +roleattribute system_r ncftool_roles; type ncftool_t; type ncftool_exec_t; application_domain(ncftool_t, ncftool_exec_t) domain_obj_id_change_exemption(ncftool_t) domain_system_change_exemption(ncftool_t) -#role ncftool_roles types ncftool_t; -role system_r types ncftool_t; +role ncftool_roles types ncftool_t; ######################################## # @@ -46,15 +45,12 @@ dev_read_sysfs(ncftool_t) files_manage_system_conf_files(ncftool_t) files_relabelto_system_conf_files(ncftool_t) files_read_etc_runtime_files(ncftool_t) -files_read_usr_files(ncftool_t) term_use_all_inherited_terms(ncftool_t) sysnet_delete_dhcpc_pid(ncftool_t) -sysnet_domtrans_dhcpc(ncftool_t) -sysnet_domtrans_ifconfig(ncftool_t) -#sysnet_run_dhcpc(ncftool_t, ncftool_roles) -#sysnet_run_ifconfig(ncftool_t, ncftool_roles) +sysnet_run_dhcpc(ncftool_t, ncftool_roles) +sysnet_run_ifconfig(ncftool_t, ncftool_roles) sysnet_etc_filetrans_config(ncftool_t) sysnet_manage_config(ncftool_t) sysnet_read_dhcpc_state(ncftool_t) @@ -66,9 +62,9 @@ sysnet_signal_dhcpc(ncftool_t) userdom_use_user_terminals(ncftool_t) userdom_read_user_tmp_files(ncftool_t) -#optional_policy(` -# brctl_run(ncftool_t, ncftool_roles) -#') +optional_policy(` + brctl_run(ncftool_t, ncftool_roles) +') optional_policy(` consoletype_exec(ncftool_t) 
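Review bot: The `@@ -46,15 +45,12 @@` hunk in ncftool.te drops `files_read_usr_files(ncftool_t)` with no replacement, which is unrelated to the role-attribute conversion the rest of the diff performs. If the removal is deliberate (for example because the access is granted through another interface), it should be stated in the commit message; otherwise the line should stay, since silently removing a read permission in a commit whose other changes are all roleattribute plumbing is easy to miss in review. The swap of sysnet_domtrans_dhcpc/sysnet_domtrans_ifconfig for `sysnet_run_dhcpc(ncftool_t, ncftool_roles)` and `sysnet_run_ifconfig(ncftool_t, ncftool_roles)` is consistent with the ncftool_run change in ncftool.if.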
@@ -86,12 +82,10 @@ optional_policy(` optional_policy(` modutils_list_module_config(ncftool_t) modutils_read_module_config(ncftool_t) - modutils_domtrans_insmod(ncftool_t) - #modutils_run_insmod(ncftool_t, ncftool_roles) + modutils_run_insmod(ncftool_t, ncftool_roles) ') optional_policy(` - netutils_domtrans(ncftool_t) - #netutils_run(ncftool_t, ncftool_roles) + netutils_run(ncftool_t, ncftool_roles) ') diff --git a/usernetctl.if b/usernetctl.if index 325bb57..c542887 100644 --- a/usernetctl.if +++ b/usernetctl.if @@ -40,25 +40,9 @@ interface(`usernetctl_domtrans',` interface(`usernetctl_run',` gen_require(` type usernetctl_t; - #attribute_role usernetctl_roles; + attribute_role usernetctl_roles; ') - #usernetctl_domtrans($1) - #roleattribute $2 usernetctl_roles; - - sysnet_run_ifconfig(usernetctl_t, $2) - sysnet_run_dhcpc(usernetctl_t, $2) - - optional_policy(` - iptables_run(usernetctl_t, $2) - ') - - optional_policy(` - modutils_run_insmod(usernetctl_t, $2) - ') - - optional_policy(` - ppp_run(usernetctl_t, $2) - ') - + usernetctl_domtrans($1) + roleattribute $2 usernetctl_roles; ') diff --git a/usernetctl.te b/usernetctl.te index a2229f7..853e75e 100644 --- a/usernetctl.te +++ b/usernetctl.te @@ -5,14 +5,13 @@ policy_module(usernetctl, 1.6.1) # Declarations # -#attribute_role usernetctl_roles; +attribute_role usernetctl_roles; +roleattribute system_r usernetctl_roles; type usernetctl_t; type usernetctl_exec_t; application_domain(usernetctl_t, usernetctl_exec_t) domain_interactive_fd(usernetctl_t) -#role usernetctl_roles types usernetctl_t; -role system_r types usernetctl_t; ######################################## # 
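Review bot: The usernetctl.te `@@ -5,14 +5,13 @@` hunk removes `role system_r types usernetctl_t;` together with the commented `#role usernetctl_roles types usernetctl_t;` but adds no replacement, so after this change no role appears to be authorized for usernetctl_t and the transition set up by usernetctl_domtrans would be refused by the role check. The vpn.te `@@ -5,15 +5,13 @@` hunk has the same omission for vpnc_t, whereas livecd.te and ncftool.te in this diff do add the corresponding statement. Add `role usernetctl_roles types usernetctl_t;` after `domain_interactive_fd(usernetctl_t)` and `role vpnc_roles types vpnc_t;` after `application_domain(vpnc_t, vpnc_exec_t)`, unless those statements are provided elsewhere in each module.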
@@ -53,32 +52,27 @@ seutil_read_config(usernetctl_t) sysnet_read_config(usernetctl_t) -#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) -#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) +sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) +sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) userdom_use_inherited_user_terminals(usernetctl_t) optional_policy(` -# consoletype_run(usernetctl_t, usernetctl_roles) - consoletype_exec(usernetctl_t) + hostname_exec(usernetctl_t) ') optional_policy(` - hostname_exec(usernetctl_t) + iptables_run(usernetctl_t, usernetctl_roles) ') -#optional_policy(` -# iptables_run(usernetctl_t, usernetctl_roles) -#') - -#optional_policy(` -# modutils_run_insmod(usernetctl_t, usernetctl_roles) -#') +optional_policy(` + modutils_run_insmod(usernetctl_t, usernetctl_roles) +') optional_policy(` nis_use_ypbind(usernetctl_t) ') -#optional_policy(` -# ppp_run(usernetctl_t, usernetctl_roles) -#') +optional_policy(` + ppp_run(usernetctl_t, usernetctl_roles) +') diff --git a/vpn.if b/vpn.if index a4e2f60..afedcba 100644 --- a/vpn.if +++ b/vpn.if @@ -37,16 +37,12 @@ interface(`vpn_domtrans',` # interface(`vpn_run',` gen_require(` - #attribute_role vpnc_roles; + attribute_role vpnc_roles; type vpnc_t; ') - #vpn_domtrans($1) - #roleattribute $2 vpnc_roles; - vpn_domtrans($1) - role $2 types vpnc_t; - sysnet_run_ifconfig(vpnc_t, $2) + roleattribute $2 vpnc_roles; ') ######################################## diff --git a/vpn.te b/vpn.te index ddf48c0..83fa097 100644 --- a/vpn.te +++ b/vpn.te @@ -5,15 +5,13 @@ policy_module(vpn, 1.15.0) # Declarations # -#attribute_role vpnc_roles; -#roleattribute system_r vpnc_roles; +attribute_role vpnc_roles; +roleattribute system_r vpnc_roles; type vpnc_t; type vpnc_exec_t; init_system_domain(vpnc_t, vpnc_exec_t) application_domain(vpnc_t, vpnc_exec_t) -#role vpnc_roles types vpnc_t; -role system_r types vpnc_t; type vpnc_tmp_t; files_tmp_file(vpnc_tmp_t) 
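Review bot: The usernetctl.te `@@ -53,32 +52,27 @@` hunk removes `consoletype_exec(usernetctl_t)` (the first optional_policy block now holds hostname_exec, moved up from the block below it) without adding it back anywhere, so usernetctl_t loses the ability to execute consoletype. That is a permission change unrelated to enabling the `_run` interfaces; if it is deliberate it deserves a mention in the commit message, otherwise restore the consoletype_exec(usernetctl_t) optional_policy block. The relocation of hostname_exec and the uncommenting of iptables_run, modutils_run_insmod and ppp_run with usernetctl_roles match what usernetctl_run used to do inline with $2, so that part is behaviour-neutral for callers.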
@@ -104,7 +102,7 @@ logging_dontaudit_search_logs(vpnc_t) seutil_use_newrole_fds(vpnc_t) -#sysnet_run_ifconfig(vpnc_t, vpnc_roles) +sysnet_run_ifconfig(vpnc_t, vpnc_roles) sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t)