fix last loadable module problems
parent
90c3ddefe3
commit
0efe52ae99
@ -30,6 +30,7 @@
|
||||
template(`su_per_userdomain_template',`
|
||||
gen_require(`
|
||||
type su_exec_t;
|
||||
bool secure_mode;
|
||||
')
|
||||
|
||||
type $1_su_t;
|
||||
|
@ -31,6 +31,7 @@ template(`sudo_per_userdomain_template',`
|
||||
|
||||
gen_require(`
|
||||
type sudo_exec_t;
|
||||
bool secure_mode;
|
||||
')
|
||||
|
||||
##############################
|
||||
|
@ -10,10 +10,6 @@
|
||||
## </param>
|
||||
#
|
||||
template(`apache_content_template',`
|
||||
gen_require(`
|
||||
attribute httpdcontent, httpd_script_domains;
|
||||
')
|
||||
|
||||
# allow write access to public file transfer
|
||||
# services files.
|
||||
gen_tunable(allow_httpd_$1_script_anon_write,false)
|
||||
@ -251,6 +247,11 @@ template(`apache_content_template',`
|
||||
## </param>
|
||||
#
|
||||
template(`apache_per_userdomain_template', `
|
||||
gen_require(`
|
||||
attribute httpdcontent, httpd_script_domains;
|
||||
attribute httpd_exec_scripts;
|
||||
type httpd_t, httpd_suexec_t, httpd_log_t;
|
||||
')
|
||||
|
||||
apache_content_template($1)
|
||||
|
||||
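Review bot: apache_content_template appears to lose its own `gen_require` for `httpdcontent` and `httpd_script_domains` in the `@ -10,10 +10,6` hunk, since the new side is four lines shorter and nothing is added. The same attributes are now required in apache_per_userdomain_template before it calls `apache_content_template($1)`. If the content template's body, which lies outside the hunk, still references those attributes, every other caller in a loadable module has to declare them itself, and a missing declaration would only surface when that module is compiled or linked. A comment above the template would make the dependency visible, for example `# callers must require attribute httpdcontent and httpd_script_domains`.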
|
@ -30,7 +30,7 @@
|
||||
template(`cron_per_userdomain_template',`
|
||||
gen_require(`
|
||||
attribute cron_spool_type;
|
||||
type crontab_exec_t;
|
||||
type crond_t, cron_spool_t, crontab_exec_t;
|
||||
')
|
||||
|
||||
# Type of user crontabs once moved to cron spool.
|
||||
@ -198,7 +198,7 @@ template(`cron_per_userdomain_template',`
|
||||
# create files in /var/spool/cron
|
||||
allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
|
||||
allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
|
||||
type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
|
||||
type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;
|
||||
|
||||
# crontab signals crond by updating the mtime on the spooldir
|
||||
allow $1_crontab_t cron_spool_t:dir setattr;
|
||||
@ -270,6 +270,10 @@ template(`cron_per_userdomain_template',`
|
||||
## </param>
|
||||
#
|
||||
template(`cron_admin_template',`
|
||||
gen_require(`
|
||||
attribute cron_spool_type;
|
||||
')
|
||||
|
||||
# Allow our crontab domain to unlink a user cron spool file.
|
||||
allow $1_crontab_t cron_spool_type:file { getattr read unlink };
|
||||
|
||||
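Review bot: In cron_per_userdomain_template (the `@ -198,7 +198,7` hunk), both `type_transition` lines shown use `$1_cron_spool_t` as the second field, but that field names the type of the parent directory. The neighbouring `allow $1_crontab_t cron_spool_t:dir rw_dir_perms;` shows the spool directory is labelled `cron_spool_t`. As written, the transition would not fire for files created in that directory, so a new crontab would inherit `cron_spool_t` instead of the per-user type and the create permission granted on `$1_cron_spool_t:file` would not match it. I would change the rule to `type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;`. The template body continues outside the hunk, so this assumes no other rule there labels these files.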
|
@ -27,6 +27,12 @@
|
||||
## </param>
|
||||
#
|
||||
template(`dbus_per_userdomain_template',`
|
||||
gen_require(`
|
||||
type system_dbusd_t, dbusd_etc_t;
|
||||
type system_dbusd_exec_t;
|
||||
class dbus { send_msg acquire_svc };
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Delcarations
|
||||
|
@ -42,6 +42,11 @@ interface(`mta_stub',`
|
||||
## </param>
|
||||
#
|
||||
template(`mta_per_userdomain_template',`
|
||||
gen_require(`
|
||||
attribute mailserver_domain, mta_user_agent;
|
||||
type sendmail_exec_t;
|
||||
')
|
||||
|
||||
type $1_mail_t;
|
||||
domain_type($1_mail_t)
|
||||
role $3 types $1_mail_t;
|
||||
|
@ -43,7 +43,7 @@ interface(`portmap_domtrans_helper',`
|
||||
#
|
||||
interface(`portmap_run_helper',`
|
||||
gen_require(`
|
||||
type portmap_helper_t;
|
||||
type portmap_t, portmap_helper_t;
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
|
@ -29,8 +29,10 @@
|
||||
#
|
||||
template(`ssh_per_userdomain_template',`
|
||||
gen_require(`
|
||||
attribute ssh_server;
|
||||
type ssh_exec_t, ssh_agent_exec_t;
|
||||
type ssh_keysign_exec_t;
|
||||
type sshd_key_t, ssh_keysign_exec_t;
|
||||
type sshd_tmp_t, sshd_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
|
@ -966,9 +966,11 @@ interface(`domain_unconfined',`
|
||||
')
|
||||
|
||||
#
|
||||
# These next macros are not interfaces, but actually are
|
||||
# These next macros are not templates, but actually are
|
||||
# support macros. Due to the domain_ prefix, they
|
||||
# are placed in this module, to try to prevent confusion.
|
||||
# They are called templates since regular m4 defines
|
||||
# wont work here.
|
||||
#
|
||||
|
||||
########################################
|
||||
@ -976,11 +978,6 @@ interface(`domain_unconfined',`
|
||||
# domain_trans(source_domain,entrypoint_file,target_domain)
|
||||
#
|
||||
template(`domain_trans',`
|
||||
gen_require(`
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
allow $1 $2:file rx_file_perms;
|
||||
allow $1 $3:process transition;
|
||||
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
|
||||
|
@ -240,7 +240,8 @@ ifdef(`targeted_policy',`
|
||||
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
|
||||
optional_policy(`targeted_policy',`',`
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
')
|
||||
|
@ -12,7 +12,10 @@ define(`policy_module',`
|
||||
ifdef(`self_contained_policy',`',`
|
||||
module $1 $2;
|
||||
|
||||
require { all_kernel_class_perms }
|
||||
require {
|
||||
role system_r;
|
||||
all_kernel_class_perms
|
||||
}
|
||||
')
|
||||
')
|
||||
|
||||
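Review bot: The `require` block in policy_module now pulls `role system_r` into every loadable module, and nothing in the macro says why. Because the requirement is implicit, a module's own source no longer shows that it depends on system_r, which makes it harder to audit which modules associate their types with that role. A one-line comment inside the block would record the intent, for example `# system_r is required in every module so that role system_r types rules resolve`. That reason is inferred from the commit title rather than stated on the page, so it should be confirmed. Keep the comment free of quote characters, since the block sits inside m4 quoting.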
|