1
#DESC LOCATE - Security Enhanced version of the GNU Locate
3
# Author: Dan Walsh <dwalsh@redhat.com>
6
#################################
8
# Rules for the locate_t domain.
10
# locate_exec_t is the type of the locate executable.
12
daemon_base_domain(locate)
14
allow locate_t fs_t:filesystem getattr;
17
system_crond_entry(locate_exec_t, locate_t)
18
allow system_crond_t locate_log_t:dir rw_dir_perms;
19
allow system_crond_t locate_log_t:file { create append getattr };
20
allow system_crond_t locate_etc_t:file { getattr read };
23
allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
25
allow locate_t { root_dir_type file_type }:dir r_dir_perms;
26
allow locate_t file_type:lnk_file r_file_perms;
27
allow locate_t { root_dir_type file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
28
dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
29
dontaudit locate_t security_t:dir { getattr };
30
dontaudit locate_t shadow_t:file { getattr };
32
allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
33
allow locate_t unlabeled_t:dir_file_class_set getattr;
34
allow locate_t unlabeled_t:dir read;
38
typealias locate_etc_t alias etc_locate_t;
40
type var_lib_locate_t, file_type, sysadmfile;
42
create_dir_file(locate_t, var_lib_locate_t)
43
dontaudit locate_t sysadmfile:file getattr;
45
allow locate_t proc_t:file { getattr read };
46
allow locate_t self:unix_stream_socket create_socket_perms;
48
# Need to be able to exec renice
50
can_exec(locate_t, bin_t)
52
dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
53
dontaudit locate_t rpc_pipefs_t:file { getattr };
58
allow locate_t etc_runtime_t:file { getattr read };
63
allow locate_t etc_t:file { getattr read };
64
dontaudit locate_t locate_t:capability dac_override;
65
allow locate_t self:capability dac_read_search;
67
# sysadm_t runs locate in his own domain.
68
# We use a type alias to simplify the rest of the policy,
69
# which often refers to $1_locate_t for the user domains.
70
typealias sysadm_t alias sysadm_locate_t;
72
allow locate_t userdomain:fd { use };