remove lvm_vg_t
This commit is contained in:
parent
9417cb7ad1
commit
017bab0575
|
@ -1,3 +1,4 @@
|
||||||
|
- Remove unused lvm_vg_t.
|
||||||
- Many interface renames to improve naming consistency.
|
- Many interface renames to improve naming consistency.
|
||||||
- Merge xdm into xserver.
|
- Merge xdm into xserver.
|
||||||
- Remove kernel module reversed interfaces.
|
- Remove kernel module reversed interfaces.
|
||||||
|
|
|
@ -242,50 +242,6 @@ interface(`storage_swapon_fixed_disk',`
|
||||||
allow $1 fixed_disk_device_t:blk_file { getattr swapon };
|
allow $1 fixed_disk_device_t:blk_file { getattr swapon };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
## Allow the caller to directly read from a logical volume.
|
|
||||||
## This is extremly dangerous as it can bypass the
|
|
||||||
## SELinux protections for filesystem objects, and
|
|
||||||
## should only be used by trusted domains.
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## The type of the process performing this action.
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
interface(`storage_raw_read_lvm_volume',`
|
|
||||||
gen_require(`
|
|
||||||
attribute fixed_disk_raw_read;
|
|
||||||
type lvm_vg_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
|
||||||
allow $1 lvm_vg_t:blk_file r_file_perms;
|
|
||||||
typeattribute $1 fixed_disk_raw_read;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
## Allow the caller to directly read from a logical volume.
|
|
||||||
## This is extremly dangerous as it can bypass the
|
|
||||||
## SELinux protections for filesystem objects, and
|
|
||||||
## should only be used by trusted domains.
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## The type of the process performing this action.
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
interface(`storage_raw_write_lvm_volume',`
|
|
||||||
gen_require(`
|
|
||||||
attribute fixed_disk_raw_write;
|
|
||||||
type lvm_vg_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
|
||||||
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
|
|
||||||
typeattribute $1 fixed_disk_raw_write;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the caller to get the attributes of
|
## Allow the caller to get the attributes of
|
||||||
|
@ -648,12 +604,12 @@ interface(`storage_setattr_tape_dev',`
|
||||||
interface(`storage_unconfined',`
|
interface(`storage_unconfined',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type fixed_disk_device_t, removable_device_t;
|
type fixed_disk_device_t, removable_device_t;
|
||||||
type lvm_vg_t, scsi_generic_device_t, tape_device_t;
|
type scsi_generic_device_t, tape_device_t;
|
||||||
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||||
attribute scsi_generic_read, scsi_generic_write;
|
attribute scsi_generic_read, scsi_generic_write;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 { fixed_disk_device_t removable_device_t lvm_vg_t }:blk_file *;
|
allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
|
||||||
allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;
|
allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;
|
||||||
|
|
||||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||||
|
|
|
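Review bot: The first hunk of this section deletes `storage_raw_read_lvm_volume` and `storage_raw_write_lvm_volume` outright, so any out-of-tree module that still calls either one will fail at m4 expansion with an undefined macro instead of getting a deprecation warning. Refpolicy's usual convention for retiring an interface is to keep the name for a release with a `refpolicywarn` body that forwards to the replacement; since lvm_vg_t becomes an alias of fixed_disk_device_t in this commit, the stubs can simply forward to the fixed-disk raw read/write interfaces, which grant the same access to the same (now merged) type. If breaking external callers is acceptable because the interfaces were confirmed unused, a line in the changelog entry saying so would make that explicit. The second hunk (storage_unconfined) is consistent with the alias and needs no change.
```m4
interface(`storage_raw_read_lvm_volume',`
	refpolicywarn(`$0($*) has been deprecated, use storage_raw_read_fixed_disk() instead.')
	storage_raw_read_fixed_disk($1)
')

# … storage_raw_write_lvm_volume: same shape, forwarding to storage_raw_write_fixed_disk($1) …
```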
@ -15,23 +15,12 @@ attribute scsi_generic_write;
|
||||||
# fixed_disk_device_t is the type of
|
# fixed_disk_device_t is the type of
|
||||||
# /dev/hd* and /dev/sd*.
|
# /dev/hd* and /dev/sd*.
|
||||||
#
|
#
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t alias lvm_vg_t;
|
||||||
dev_node(fixed_disk_device_t)
|
dev_node(fixed_disk_device_t)
|
||||||
|
|
||||||
neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
|
neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
|
||||||
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
|
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
|
||||||
|
|
||||||
#
|
|
||||||
# lvm_vg_t is the type of logical volume groups
|
|
||||||
#
|
|
||||||
type lvm_vg_t;
|
|
||||||
dev_node(lvm_vg_t)
|
|
||||||
|
|
||||||
# from the subject's point of view, same as read/writing a regular
|
|
||||||
# fixed disk, so use the same assertions as above
|
|
||||||
neverallow ~fixed_disk_raw_read lvm_vg_t:{ chr_file blk_file } read;
|
|
||||||
neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write };
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# scsi_generic_device_t is the type of /dev/sg*
|
# scsi_generic_device_t is the type of /dev/sg*
|
||||||
# it gives access to ALL SCSI devices (both fixed and removable)
|
# it gives access to ALL SCSI devices (both fixed and removable)
|
||||||
|
|
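Review bot: The comment block above the changed declaration still describes fixed_disk_device_t as only "/dev/hd* and /dev/sd*", and nothing in the new side explains why `type fixed_disk_device_t alias lvm_vg_t;` carries an alias, so a reader will not know whether lvm_vg_t is still a distinct label. I would add under that comment: `# lvm_vg_t is kept as an alias of fixed_disk_device_t so existing file contexts and policy referring to it keep resolving; LVM volume device nodes now carry the fixed-disk type.` It is also worth a one-line comment noting that the removed `neverallow ~fixed_disk_raw_read lvm_vg_t ...` / `~fixed_disk_raw_write` pair is now covered by the fixed_disk_device_t assertions directly above, since an alias is the same type for assertion purposes — the deleted comment already stated the two were treated equivalently, so assertion coverage is preserved rather than weakened. One consequence worth stating in that comment: a domain granted raw fixed-disk access now necessarily has the same access to LVM volume nodes and vice versa, which appears consistent with how the prior neverallows already constrained both.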