last fixes for cab
parent
d115b24712
commit
1293184998
@ -78,6 +78,20 @@ type device_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# devices_add_dev_dir(domain)
|
||||
#
|
||||
define(`devices_add_dev_dir',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { ra_dir_perms create };
|
||||
')
|
||||
|
||||
define(`devices_add_dev_dir_depend',`
|
||||
type device_t;
|
||||
class dir { ra_dir_perms create };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# devices_ignore_get_generic_pipe_attributes(domain)
|
||||
|
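Review bot: The comment block above `devices_add_dev_dir` carries only the interface name, so a caller cannot tell that `allow $1 device_t:dir { ra_dir_perms create };` lets the domain create new directories of type device_t as well as add entries to existing ones. I would add a description line such as `# Allow the domain to add entries to, and create, generic device directories (device_t).` A directory created this way presumably keeps the generic device_t label unless a type transition applies, so the comment should also say the interface is meant for early device setup. The only caller visible in this commit is `devices_add_dev_dir(initrc_t)` in the `distro_redhat` block of a later hunk.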
@ -621,6 +621,20 @@ type etc_t;
|
||||
class dir { getattr search read write add_name remove_name };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_modify_isid_type_dir(domain)
|
||||
#
|
||||
define(`files_modify_isid_type_dir',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 file_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
define(`files_modify_isid_type_dir_depend',`
|
||||
type file_t;
|
||||
class dir rw_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_ignore_get_isid_type_dir_attrib(domain)
|
||||
|
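Review bot: `allow $1 file_t:dir rw_dir_perms;` is broader than the initrd case it is introduced for. The interface name marks file_t as the initial-SID type, which as far as I know is what any directory without a valid label receives, so a caller may add and remove entries in every unlabeled directory, not only ones left over from the initrd. The comment block above `files_modify_isid_type_dir` gives only the name; I would add `# Read and modify directories that have no label (file_t); this covers all unlabeled directories.` The later hunk that calls `files_modify_isid_type_dir(lvm_t)` justifies it only with `# this is from the initrd:`, and that comment should state which directory is written and whether the access is still needed once the root filesystem is labeled.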
@ -49,7 +49,10 @@ kernel_read_hardware_state(getty_t)
|
||||
filesystem_get_persistent_filesystem_attributes(getty_t)
|
||||
|
||||
# Chown, chmod, read and write ttys.
|
||||
terminal_use_all_terminals(getty_t)
|
||||
terminal_use_all_private_physical_terminals(getty_t)
|
||||
terminal_use_general_physical_terminal(getty_t)
|
||||
terminal_set_all_private_physical_terminal_attributes(getty_t)
|
||||
terminal_set_general_physical_terminal_attributes(getty_t)
|
||||
terminal_set_console_attributes(getty_t)
|
||||
|
||||
authlogin_modify_login_records(getty_t)
|
||||
|
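Review bot: The comment `# Chown, chmod, read and write ttys.` may no longer match the calls beneath it. The hunk counts (7 old lines, 10 new) mean that one of the five terminal_use/terminal_set lines ahead of `terminal_set_console_attributes(getty_t)` was removed and four were added. The page has lost the markers, but it reads as if `terminal_use_all_terminals(getty_t)` was replaced by the physical-terminal calls. If that is the case, I would reword the comment to `# Chown, chmod, read and write physical ttys and the console.` so that nobody later restores the all-terminals call to match it.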
@ -313,6 +313,9 @@ tunable_policy(`distro_debian', `
|
||||
')
|
||||
|
||||
tunable_policy(`distro_redhat',`
|
||||
# this is from kmodule, which should get its own policy:
|
||||
allow initrc_t self:capability sys_admin;
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
kernel_ignore_use_file_descriptors(initrc_t)
|
||||
@ -327,6 +330,7 @@ tunable_policy(`distro_redhat',`
|
||||
|
||||
# These seem to be from the initrd
|
||||
# during device initialization:
|
||||
devices_add_dev_dir(initrc_t)
|
||||
devices_legacy_use_dev_zero(initrc_t)
|
||||
devices_legacy_raw_read_memory(initrc_t)
|
||||
devices_legacy_raw_write_memory(initrc_t)
|
||||
@ -339,8 +343,7 @@ tunable_policy(`distro_redhat',`
|
||||
|
||||
# readahead asks for these
|
||||
mta_read_mail_aliases(initrc_t)
|
||||
|
||||
') dnl end distro_redhat
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
kernel_read_usb_hardware_state(initrc_t)
|
||||
|
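Review bot: `allow initrc_t self:capability sys_admin;` in the first hunk gives every init script on a `distro_redhat` build one of the broadest capabilities, and the only record of why is the comment that it comes from kmodule. The comment should name the operation that was denied and mark the rule as temporary, for example `# FIXME: kmodule needs sys_admin for <operation>; remove once kmodule runs in its own domain.` The same applies to `devices_add_dev_dir(initrc_t)` in the second hunk, which sits under `# These seem to be from the initrd`: rules added from observed denials are hard to tighten later unless the triggering program is written down. The `tunable_policy` block starts and ends outside these hunks, so I cannot see whether the other rules in it are documented the same way.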
@ -136,6 +136,11 @@ selinux_read_config(lvm_t)
|
||||
selinux_read_file_contexts(lvm_t)
|
||||
selinux_newrole_sigchld(lvm_t)
|
||||
|
||||
tunable_policy(`distro_redhat',`
|
||||
# this is from the initrd:
|
||||
files_modify_isid_type_dir(lvm_t)
|
||||
')
|
||||
|
||||
tunable_policy(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(lvm_t)
|
||||
terminal_ignore_use_general_pseudoterminal(lvm_t)
|
||||
|