author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
commit | 3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch) | |
tree | cae07463edd5b609a97513e00d63e1bd410cc8bb /config/appconfig-mcs | |
parent | Initial commit (diff) | |
Pushing 2.20120215 (current version)
Diffstat (limited to 'config/appconfig-mcs')
20 files changed, 237 insertions, 0 deletions
diff --git a/config/appconfig-mcs/dbus_contexts b/config/appconfig-mcs/dbus_contexts
new file mode 100644
index 00000000..116e684f
--- /dev/null
+++ b/config/appconfig-mcs/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
new file mode 100644
index 00000000..801d97b6
--- /dev/null
+++ b/config/appconfig-mcs/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/default_type b/config/appconfig-mcs/default_type
new file mode 100644
index 00000000..33528d61
--- /dev/null
+++ b/config/appconfig-mcs/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
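Review bot: The `system_r:sshd_t:s0` line in default_contexts lists `sysadm_r:sysadm_t:s0` as a candidate, so an SELinux user whose role set includes sysadm_r but neither user_r nor staff_r is, as far as I can tell from the candidate order, placed straight into sysadm_t on an ssh login, whereas root_default_contexts in the same commit keeps its equivalent sshd_t line commented out under "Uncomment if you want to automatically login as sysadm_r". If direct sysadm_r placement over ssh is intended for non-root users, a comment above that line saying so would stop the two files from reading as contradictory; otherwise dropping `sysadm_r:sysadm_t:s0` from the sshd_t line brings it in line with the `system_r:remote_login_t:s0` line, which already omits it. The file also has no header; the same format is used by root_default_contexts, which already carries `#` comments, so a one-line `# <login-program context> <candidate user contexts, in order of preference>` at the top would help readers unfamiliar with it.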
diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
new file mode 100644
index 00000000..999abd9a
--- /dev/null
+++ b/config/appconfig-mcs/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mcs/guest_u_default_contexts b/config/appconfig-mcs/guest_u_default_contexts
new file mode 100644
index 00000000..90e52627
--- /dev/null
+++ b/config/appconfig-mcs/guest_u_default_contexts
@@ -0,0 +1,6 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:initrc_su_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
diff --git a/config/appconfig-mcs/initrc_context b/config/appconfig-mcs/initrc_context
new file mode 100644
index 00000000..30ab971d
--- /dev/null
+++ b/config/appconfig-mcs/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0
diff --git a/config/appconfig-mcs/media b/config/appconfig-mcs/media
new file mode 100644
index 00000000..81f3463e
--- /dev/null
+++ b/config/appconfig-mcs/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-mcs/removable_context b/config/appconfig-mcs/removable_context
new file mode 100644
index 00000000..7fcc56e4
--- /dev/null
+++ b/config/appconfig-mcs/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
new file mode 100644
index 00000000..7805778a
--- /dev/null
+++ b/config/appconfig-mcs/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/securetty_types b/config/appconfig-mcs/securetty_types
new file mode 100644
index 00000000..527d8358
--- /dev/null
+++ b/config/appconfig-mcs/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-mcs/sepgsql_contexts b/config/appconfig-mcs/sepgsql_contexts
new file mode 100644
index 00000000..f8e9b1cd
--- /dev/null
+++ b/config/appconfig-mcs/sepgsql_contexts
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (MCS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t:s0
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t:s0
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_table *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0
+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t:s0
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t:s0
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.* system_u:object_r:sepgsql_lang_t:s0
diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
new file mode 100644
index 00000000..dc5f1e42
--- /dev/null
+++ b/config/appconfig-mcs/seusers
@@ -0,0 +1,3 @@
+system_u:system_u:s0-mcs_systemhigh
+root:root:s0-mcs_systemhigh
+__default__:user_u:s0
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
new file mode 100644
index 00000000..881a292e
--- /dev/null
+++ b/config/appconfig-mcs/staff_u_default_contexts
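Review bot: sepgsql_contexts depends on entry order — `db_table *.pg_catalog.*` has to precede `db_table *.*.*`, `db_tuple *.pg_catalog.*` has to precede `db_tuple *.*.*`, and the `db_language *.*` fallback has to follow the four `sepgsql_safe_lang_t` entries — yet the header only says "Initial security label for SE-PostgreSQL (MCS)" and never states that the first matching pattern wins, which is presumably the rule given that x_contexts in the same commit documents exactly that convention for its own rules. I would extend the header with `# Entries are matched in order; keep the catch-all patterns last.` so that a later edit cannot reorder them and silently relabel pg_catalog objects as ordinary tables or an untrusted language as a safe one. The `# <column>` heading is also the only singular one among `<databases>`, `<schemas>`, `<tables>` and the rest; `# <columns>` would match them.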
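Review bot: seusers maps the Linux root account to an SELinux user literally named `root` (`root:root:s0-mcs_systemhigh`), which only works if the policy declares a `root` SELinux user; that declaration lives outside the config/appconfig-mcs path this diffstat is limited to, so it cannot be confirmed here and should be checked against the policy's users definitions before the file is installed. The `__default__:user_u:s0` entry is the right default for a hardened build — every account not listed above is confined and pinned to s0 — and is worth stating explicitly; assuming the libselinux seusers parser skips `#` lines as I believe it does, a comment such as `# <linux user>:<selinux user>:<mls/mcs range>; __default__ catches every account not listed above` would document both the format and that intent.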
@@ -0,0 +1,10 @@
+system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:xdm_t:s0 staff_r:staff_t:s0
+staff_r:staff_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
diff --git a/config/appconfig-mcs/unconfined_u_default_contexts b/config/appconfig-mcs/unconfined_u_default_contexts
new file mode 100644
index 00000000..106e093d
--- /dev/null
+++ b/config/appconfig-mcs/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
new file mode 100644
index 00000000..cacbc939
--- /dev/null
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 user_r:user_t:s0
+
diff --git a/config/appconfig-mcs/userhelper_context b/config/appconfig-mcs/userhelper_context
new file mode 100644
index 00000000..dc37a69b
--- /dev/null
+++ b/config/appconfig-mcs/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
new file mode 100644
index 00000000..d387b428
--- /dev/null
+++ b/config/appconfig-mcs/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mcs/virtual_image_context b/config/appconfig-mcs/virtual_image_context
new file mode 100644
index 00000000..8ab1e27e
--- /dev/null
+++ b/config/appconfig-mcs/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-mcs/x_contexts b/config/appconfig-mcs/x_contexts
new file mode 100644
index 00000000..0b320443
--- /dev/null
+++ b/config/appconfig-mcs/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t:s0
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
+
+# Default fallback type
+property * system_u:object_r:xproperty_t:s0
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t:s0
+
+# Standard extensions
+extension * system_u:object_r:xextension_t:s0
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
+
+# Default fallback type
+selection * system_u:object_r:xselection_t:s0
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t:s0
+event X11:KeyRelease system_u:object_r:input_xevent_t:s0
+event X11:ButtonPress system_u:object_r:input_xevent_t:s0
+event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
+event X11:MotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t:s0
+event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
+
+# Default fallback type
+event * system_u:object_r:xevent_t:s0
diff --git a/config/appconfig-mcs/xguest_u_default_contexts b/config/appconfig-mcs/xguest_u_default_contexts
new file mode 100644
index 00000000..574363b5
--- /dev/null
+++ b/config/appconfig-mcs/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
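Review bot: xguest_u_default_contexts carries `system_r:sshd_t:s0 xguest_r:xguest_t:s0` and `system_r:remote_login_t:s0 xguest_r:xguest_t:s0`, so an account mapped to xguest_u is given a valid login context from sshd and remote_login as well as from xdm and local_login. If xguest is meant to be a local graphical guest role, those two entries deserve a second look, or a comment stating that remote logins for xguest accounts are intentionally supported; whether such a login actually succeeds also depends on the policy's role and domain transition rules, which are outside this diff. The same pattern appears in guest_u_default_contexts, where it is more plausibly intended since guest_u has no xdm entry other than the ones listed here.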