last fixes for cab
parent
d115b24712
commit
1293184998
@ -78,6 +78,20 @@ type device_t;
|
|||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# devices_add_dev_dir(domain)
|
||||||
|
#
|
||||||
|
define(`devices_add_dev_dir',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 device_t:dir { ra_dir_perms create };
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`devices_add_dev_dir_depend',`
|
||||||
|
type device_t;
|
||||||
|
class dir { ra_dir_perms create };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# devices_ignore_get_generic_pipe_attributes(domain)
|
# devices_ignore_get_generic_pipe_attributes(domain)
|
||||||
|
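Review bot: The header for `devices_add_dev_dir` gives only the call form and does not say what the interface grants. The `allow` line gives the calling domain `ra_dir_perms` plus `create` on `device_t:dir`, so the caller can read generic device directories and create subdirectories in them. I would extend the header comment, for example `# Allow the domain to read generic device directories (device_t) and create subdirectories in them.` A directory created through this rule presumably keeps the generic `device_t` label unless a type transition applies, which is worth stating for callers that expect a more specific type.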
@ -621,6 +621,20 @@ type etc_t;
|
|||||||
class dir { getattr search read write add_name remove_name };
|
class dir { getattr search read write add_name remove_name };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# files_modify_isid_type_dir(domain)
|
||||||
|
#
|
||||||
|
define(`files_modify_isid_type_dir',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 file_t:dir rw_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`files_modify_isid_type_dir_depend',`
|
||||||
|
type file_t;
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_ignore_get_isid_type_dir_attrib(domain)
|
# files_ignore_get_isid_type_dir_attrib(domain)
|
||||||
|
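Review bot: `files_modify_isid_type_dir` grants `rw_dir_perms` on `file_t:dir`, but its header does not say that `file_t` is (judging by the "isid_type" name) the type carried by files with no label, so the grant is not limited to directories left behind by the initrd. The `lvm_t` call added under `distro_redhat` in the last section of this commit therefore appears to let lvm add and remove entries in any unlabeled directory. I would state this in the header, for example `# Read and modify directories with the initial-SID file type (file_t); this covers every unlabeled directory.` The caller's comment `# this is from the initrd:` could also name the directory involved, so the rule can be dropped once that path is labeled.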
@ -49,7 +49,10 @@ kernel_read_hardware_state(getty_t)
|
|||||||
filesystem_get_persistent_filesystem_attributes(getty_t)
|
filesystem_get_persistent_filesystem_attributes(getty_t)
|
||||||
|
|
||||||
# Chown, chmod, read and write ttys.
|
# Chown, chmod, read and write ttys.
|
||||||
terminal_use_all_terminals(getty_t)
|
terminal_use_all_private_physical_terminals(getty_t)
|
||||||
|
terminal_use_general_physical_terminal(getty_t)
|
||||||
|
terminal_set_all_private_physical_terminal_attributes(getty_t)
|
||||||
|
terminal_set_general_physical_terminal_attributes(getty_t)
|
||||||
terminal_set_console_attributes(getty_t)
|
terminal_set_console_attributes(getty_t)
|
||||||
|
|
||||||
authlogin_modify_login_records(getty_t)
|
authlogin_modify_login_records(getty_t)
|
||||||
|
@ -313,6 +313,9 @@ tunable_policy(`distro_debian', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`distro_redhat',`
|
tunable_policy(`distro_redhat',`
|
||||||
|
# this is from kmodule, which should get its own policy:
|
||||||
|
allow initrc_t self:capability sys_admin;
|
||||||
|
|
||||||
# Red Hat systems seem to have a stray
|
# Red Hat systems seem to have a stray
|
||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
kernel_ignore_use_file_descriptors(initrc_t)
|
kernel_ignore_use_file_descriptors(initrc_t)
|
||||||
@ -327,6 +330,7 @@ tunable_policy(`distro_redhat',`
|
|||||||
|
|
||||||
# These seem to be from the initrd
|
# These seem to be from the initrd
|
||||||
# during device initialization:
|
# during device initialization:
|
||||||
|
devices_add_dev_dir(initrc_t)
|
||||||
devices_legacy_use_dev_zero(initrc_t)
|
devices_legacy_use_dev_zero(initrc_t)
|
||||||
devices_legacy_raw_read_memory(initrc_t)
|
devices_legacy_raw_read_memory(initrc_t)
|
||||||
devices_legacy_raw_write_memory(initrc_t)
|
devices_legacy_raw_write_memory(initrc_t)
|
||||||
@ -339,8 +343,7 @@ tunable_policy(`distro_redhat',`
|
|||||||
|
|
||||||
# readahead asks for these
|
# readahead asks for these
|
||||||
mta_read_mail_aliases(initrc_t)
|
mta_read_mail_aliases(initrc_t)
|
||||||
|
')
|
||||||
') dnl end distro_redhat
|
|
||||||
|
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
kernel_read_usb_hardware_state(initrc_t)
|
kernel_read_usb_hardware_state(initrc_t)
|
||||||
|
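Review bot: The first hunk adds `allow initrc_t self:capability sys_admin;` inside the `distro_redhat` block, and `sys_admin` is one of the broadest capabilities a domain can hold. The comment above it says the need comes from kmodule, which has no policy of its own yet. I would mark the rule so it is removed when that domain exists, for example `# FIXME: drop sys_admin from initrc_t once kmodule has its own domain`. The second hunk adds `devices_add_dev_dir(initrc_t)` under the existing "seem to be from the initrd" comment; if that access was only observed during early boot, saying so next to the call would help a later reviewer decide whether it is still needed.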
@ -136,6 +136,11 @@ selinux_read_config(lvm_t)
|
|||||||
selinux_read_file_contexts(lvm_t)
|
selinux_read_file_contexts(lvm_t)
|
||||||
selinux_newrole_sigchld(lvm_t)
|
selinux_newrole_sigchld(lvm_t)
|
||||||
|
|
||||||
|
tunable_policy(`distro_redhat',`
|
||||||
|
# this is from the initrd:
|
||||||
|
files_modify_isid_type_dir(lvm_t)
|
||||||
|
')
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
tunable_policy(`targeted_policy', `
|
||||||
terminal_ignore_use_general_physical_terminal(lvm_t)
|
terminal_ignore_use_general_physical_terminal(lvm_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(lvm_t)
|
terminal_ignore_use_general_pseudoterminal(lvm_t)
|
||||||
|