On Tue, 4 May 2004 06:28, Richard Hally <rhallyx@xxxxxxxxxxxxxx> wrote: > Below are some avc denied messages produced from running "fixfiles > restore" in enforcing mode with updated policy-1.11.2-21. The attached policy should fix that. It will be in rawhide in a couple of days. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
#DESC Setfiles - SELinux filesystem labeling utilities # # Authors: Russell Coker <russell@xxxxxxxxxxxx> # X-Debian-Packages: policycoreutils # ################################# # # Rules for the setfiles_t domain. # # setfiles_exec_t is the type of the setfiles executable. # # needs auth_write attribute because it has relabelfrom/relabelto # access to shadow_t type setfiles_t, domain, privlog, privowner, auth_write; type setfiles_exec_t, file_type, sysadmfile, exec_type; role system_r types setfiles_t; role sysadm_r types setfiles_t; allow setfiles_t initrc_devpts_t:chr_file { read write ioctl }; allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type }:chr_file { read write ioctl }; domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) allow setfiles_t { userdomain privfd initrc_t init_t }:fd use; uses_shlib(setfiles_t) allow setfiles_t self:capability { dac_override dac_read_search }; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! allow setfiles_t lib_t:file { read execute }; # Get security policy decisions. can_getsecurity(setfiles_t) r_dir_file(setfiles_t, { policy_src_t policy_config_t }) allow setfiles_t file_type:dir r_dir_perms; allow setfiles_t { file_type unlabeled_t }:dir_file_class_set { getattr relabelfrom }; allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto; allow setfiles_t unlabeled_t:dir read; allow setfiles_t device_type:{ chr_file blk_file } relabelto; allow setfiles_t device_t:{ chr_file blk_file } { getattr relabelfrom read }; allow setfiles_t { ttyfile ptyfile }:chr_file getattr; allow setfiles_t fs_t:filesystem getattr; allow setfiles_t fs_type:dir r_dir_perms; allow setfiles_t etc_runtime_t:file read; allow setfiles_t etc_t:file read; allow setfiles_t proc_t:file { getattr read }; dontaudit setfiles_t proc_t:lnk_file { getattr read }; # for config files in a home directory allow setfiles_t home_type:file r_file_perms; dontaudit setfiles_t sysadm_tty_device_t:chr_file { relabelfrom };