piles of fixes for loadable modules
This commit is contained in:
parent
5a3b360db7
commit
12ae7557d3
@ -30,6 +30,11 @@
|
||||
## </param>
|
||||
#
|
||||
template(`gpg_per_userdomain_template',`
|
||||
gen_require(`
|
||||
type gpg_exec_t, gpg_helper_exec_t;
|
||||
type gpg_agent_exec_t, pinentry_exec_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
|
@ -10,10 +10,7 @@
|
||||
#
|
||||
interface(`bootloader_domtrans',`
|
||||
gen_require(`
|
||||
type bootloader_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
type bootloader_t, bootloader_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1, bootloader_exec_t, bootloader_t)
|
||||
@ -42,7 +39,6 @@ interface(`bootloader_domtrans',`
|
||||
interface(`bootloader_run',`
|
||||
gen_require(`
|
||||
type bootloader_t;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
bootloader_domtrans($1)
|
||||
@ -63,7 +59,6 @@ interface(`bootloader_run',`
|
||||
interface(`bootloader_dontaudit_getattr_boot_dir',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 boot_t:dir getattr;
|
||||
@ -80,7 +75,6 @@ interface(`bootloader_dontaudit_getattr_boot_dir',`
|
||||
interface(`bootloader_search_boot',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir search;
|
||||
@ -97,7 +91,6 @@ interface(`bootloader_search_boot',`
|
||||
interface(`bootloader_dontaudit_search_boot',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 boot_t:dir search;
|
||||
@ -115,8 +108,6 @@ interface(`bootloader_dontaudit_search_boot',`
|
||||
interface(`bootloader_rw_boot_symlinks',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir r_dir_perms;
|
||||
@ -134,9 +125,6 @@ interface(`bootloader_rw_boot_symlinks',`
|
||||
interface(`bootloader_create_kernel',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
class dir ra_dir_perms;
|
||||
class file { getattr read write create };
|
||||
class lnk_file { getattr read create unlink };
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir ra_dir_perms;
|
||||
@ -155,8 +143,6 @@ interface(`bootloader_create_kernel',`
|
||||
interface(`bootloader_create_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
type boot_t, system_map_t;
|
||||
class dir ra_dir_perms;
|
||||
class file { rw_file_perms create };
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir ra_dir_perms;
|
||||
@ -174,8 +160,6 @@ interface(`bootloader_create_kernel_symbol_table',`
|
||||
interface(`bootloader_read_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
type boot_t, system_map_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir r_dir_perms;
|
||||
@ -193,8 +177,6 @@ interface(`bootloader_read_kernel_symbol_table',`
|
||||
interface(`bootloader_delete_kernel',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
class dir { r_dir_perms write remove_name };
|
||||
class file { getattr unlink };
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir { r_dir_perms write remove_name };
|
||||
@ -212,8 +194,6 @@ interface(`bootloader_delete_kernel',`
|
||||
interface(`bootloader_delete_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
type boot_t, system_map_t;
|
||||
class dir { r_dir_perms write remove_name };
|
||||
class file { getattr unlink };
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir { r_dir_perms write remove_name };
|
||||
@ -231,7 +211,6 @@ interface(`bootloader_delete_kernel_symbol_table',`
|
||||
interface(`bootloader_read_config',`
|
||||
gen_require(`
|
||||
type bootloader_etc_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 bootloader_etc_t:file r_file_perms;
|
||||
@ -249,7 +228,6 @@ interface(`bootloader_read_config',`
|
||||
interface(`bootloader_rw_config',`
|
||||
gen_require(`
|
||||
type bootloader_etc_t;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 bootloader_etc_t:file rw_file_perms;
|
||||
@ -267,7 +245,6 @@ interface(`bootloader_rw_config',`
|
||||
interface(`bootloader_rw_tmp_file',`
|
||||
gen_require(`
|
||||
type bootloader_tmp_t;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
# FIXME: read tmp_t dir
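Review bot: The `# FIXME: read tmp_t dir` at the bottom of the hunk is still unresolved after this commit rewrites the gen_require of bootloader_rw_tmp_file: the interface is about bootloader_tmp_t files, but nothing visible here gives the caller search on the enclosing tmp directory type, so a module domain that calls only this interface is likely still denied before it reaches the file. Either add the directory search rule to the interface or replace the FIXME with a doc line telling callers which tmp-directory interface they must also invoke, so the gap is not silently shipped into every caller. The rest of bootloader_rw_tmp_file's body is outside the hunk.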
|
||||
@ -286,8 +263,6 @@ interface(`bootloader_rw_tmp_file',`
|
||||
interface(`bootloader_create_runtime_file',`
|
||||
gen_require(`
|
||||
type boot_t, boot_runtime_t;
|
||||
class dir rw_dir_perms;
|
||||
class file { rw_file_perms create unlink };
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir rw_dir_perms;
|
||||
@ -338,8 +313,6 @@ interface(`bootloader_list_kernel_modules',`
|
||||
interface(`bootloader_getattr_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
class dir search;
|
||||
class file getattr;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir search;
|
||||
@ -357,9 +330,6 @@ interface(`bootloader_getattr_kernel_modules',`
|
||||
interface(`bootloader_read_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file r_file_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir r_dir_perms;
|
||||
@ -379,8 +349,6 @@ interface(`bootloader_write_kernel_modules',`
|
||||
gen_require(`
|
||||
attribute rw_kern_modules;
|
||||
type modules_object_t;
|
||||
class dir r_dir_perms;
|
||||
class file { write append };
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir r_dir_perms;
|
||||
@ -402,8 +370,6 @@ interface(`bootloader_manage_kernel_modules',`
|
||||
gen_require(`
|
||||
attribute rw_kern_modules;
|
||||
type modules_object_t;
|
||||
class file { getattr create read write setattr unlink };
|
||||
class dir rw_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
|
||||
@ -419,7 +385,6 @@ interface(`bootloader_manage_kernel_modules',`
|
||||
interface(`bootloader_create_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
class dir rw_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir rw_dir_perms;
|
||||
|
@ -200,7 +200,7 @@ optional_policy(`lvm.te',`
|
||||
')
|
||||
|
||||
optional_policy(`modutils.te',`
|
||||
modutils_exec_insmod(insmod_t)
|
||||
modutils_exec_insmod(bootloader_t)
|
||||
modutils_read_mods_deps(bootloader_t)
|
||||
modutils_read_module_conf(bootloader_t)
|
||||
modutils_exec_insmod(bootloader_t)
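Review bot: If I read the sides correctly, the change retargets `modutils_exec_insmod(insmod_t)` to `modutils_exec_insmod(bootloader_t)` at the top of the optional_policy block, but that exact call already exists as the block's last line, so the new side now invokes the interface twice for bootloader_t. Duplicate rules are merged at compile time, so this is harmless at runtime, but it suggests the original line was a stray that should be deleted rather than fixed; keep one `modutils_exec_insmod(bootloader_t)` and drop the other. Because executing insmod lets the bootloader domain load code into the kernel, a why-comment on the surviving call such as `# bootloader_t executes insmod: kernel module loading privilege` would help a later reviewer judge whether this reach is still needed.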
|
||||
|
@ -59,13 +59,6 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||
gen_require(`
|
||||
attribute device_node;
|
||||
type device_t;
|
||||
class dir { getattr relabelfrom };
|
||||
class file { getattr relabelfrom };
|
||||
class lnk_file { getattr relabelfrom };
|
||||
class fifo_file { getattr relabelfrom };
|
||||
class sock_file { getattr relabelfrom };
|
||||
class blk_file { getattr relabelfrom relabelto };
|
||||
class chr_file { getattr relabelfrom relabelto };
|
||||
')
|
||||
|
||||
allow $1 device_node:dir { getattr relabelfrom };
|
||||
@ -88,8 +81,6 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||
interface(`dev_list_all_dev_nodes',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -107,7 +98,6 @@ interface(`dev_list_all_dev_nodes',`
|
||||
interface(`dev_setattr_dev_dir',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir setattr;
|
||||
@ -124,7 +114,6 @@ interface(`dev_setattr_dev_dir',`
|
||||
interface(`dev_dontaudit_list_all_dev_nodes',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
dontaudit $1 device_t:dir r_dir_perms;
|
||||
@ -141,7 +130,6 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
|
||||
interface(`dev_create_dir',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir { ra_dir_perms create };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir { ra_dir_perms create };
|
||||
@ -158,7 +146,6 @@ interface(`dev_create_dir',`
|
||||
interface(`dev_relabel_dev_dirs',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir { r_dir_perms relabelfrom relabelto };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
|
||||
@ -175,8 +162,6 @@ interface(`dev_relabel_dev_dirs',`
|
||||
interface(`dev_rw_generic_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir search;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir search;
|
||||
@ -194,8 +179,6 @@ interface(`dev_rw_generic_file',`
|
||||
interface(`dev_delete_generic_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir { search write remove_name };
|
||||
class file unlink;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir { search write remove_name };
|
||||
@ -213,7 +196,6 @@ interface(`dev_delete_generic_file',`
|
||||
interface(`dev_dontaudit_getattr_generic_pipe',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class fifo_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 device_t:fifo_file getattr;
|
||||
@ -230,8 +212,6 @@ interface(`dev_dontaudit_getattr_generic_pipe',`
|
||||
interface(`dev_getattr_generic_blk_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir r_dir_perms;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -249,7 +229,6 @@ interface(`dev_getattr_generic_blk_file',`
|
||||
interface(`dev_dontaudit_getattr_generic_blk_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 device_t:blk_file getattr;
|
||||
@ -266,7 +245,6 @@ interface(`dev_dontaudit_getattr_generic_blk_file',`
|
||||
interface(`dev_dontaudit_setattr_generic_blk_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
dontaudit $1 device_t:blk_file setattr;
|
||||
@ -284,7 +262,6 @@ interface(`dev_dontaudit_setattr_generic_blk_file',`
|
||||
interface(`dev_manage_generic_blk_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class blk_file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir rw_dir_perms;
|
||||
@ -302,9 +279,6 @@ interface(`dev_manage_generic_blk_file',`
|
||||
interface(`dev_create_generic_chr_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir ra_dir_perms;
|
||||
class chr_file create;
|
||||
class capability mknod;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir ra_dir_perms;
|
||||
@ -324,8 +298,6 @@ interface(`dev_create_generic_chr_file',`
|
||||
interface(`dev_getattr_generic_chr_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -343,7 +315,6 @@ interface(`dev_getattr_generic_chr_file',`
|
||||
interface(`dev_dontaudit_getattr_generic_chr_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 device_t:chr_file getattr;
|
||||
@ -360,7 +331,6 @@ interface(`dev_dontaudit_getattr_generic_chr_file',`
|
||||
interface(`dev_dontaudit_setattr_generic_chr_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
dontaudit $1 device_t:chr_file setattr;
|
||||
@ -378,7 +348,6 @@ interface(`dev_dontaudit_setattr_generic_chr_file',`
|
||||
interface(`dev_dontaudit_setattr_generic_symlink',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class lnk_file setattr;
|
||||
')
|
||||
|
||||
dontaudit $1 device_t:lnk_file setattr;
|
||||
@ -395,8 +364,6 @@ interface(`dev_dontaudit_setattr_generic_symlink',`
|
||||
interface(`dev_del_generic_symlinks',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir { getattr read write remove_name };
|
||||
class lnk_file unlink;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir { getattr read write remove_name };
|
||||
@ -414,8 +381,6 @@ interface(`dev_del_generic_symlinks',`
|
||||
interface(`dev_manage_generic_symlinks',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir rw_dir_perms;
|
||||
class lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir rw_dir_perms;
|
||||
@ -433,8 +398,6 @@ interface(`dev_manage_generic_symlinks',`
|
||||
interface(`dev_relabel_generic_symlinks',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -453,11 +416,6 @@ interface(`dev_manage_dev_nodes',`
|
||||
gen_require(`
|
||||
attribute device_node, memory_raw_read, memory_raw_write;
|
||||
type device_t;
|
||||
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
||||
class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
class lnk_file { create read getattr setattr link unlink rename };
|
||||
class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
|
||||
class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
||||
@ -488,8 +446,6 @@ interface(`dev_manage_dev_nodes',`
|
||||
interface(`dev_dontaudit_rw_generic_dev_nodes',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class chr_file { getattr read write ioctl };
|
||||
class blk_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
|
||||
@ -506,8 +462,6 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',`
|
||||
interface(`dev_manage_generic_blk_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir rw_dir_perms;
|
||||
class blk_file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir rw_dir_perms;
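Review bot: This appears to be the second definition of the `dev_manage_generic_blk_file` interface in the file — the earlier hunk at `@ -284,7 +262,6 @@` shows another interface with the same name, and this commit edits both gen_require blocks without removing either. Unless the build tooling flags duplicates, the m4 definition that comes later silently replaces the earlier one, so the effective body depends on file order, and the two differ in what they require (the earlier lists only blk_file, this one also lists the dir class). One definition should be deleted and the surviving gen_require checked against its allow rules; the remainder of this interface's body is outside the hunk.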
|
||||
@ -525,8 +479,6 @@ interface(`dev_manage_generic_blk_file',`
|
||||
interface(`dev_manage_generic_chr_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir rw_dir_perms;
|
||||
class chr_file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir rw_dir_perms;
|
||||
@ -552,7 +504,6 @@ interface(`dev_manage_generic_chr_file',`
|
||||
interface(`dev_create_dev_node',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir rw_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir rw_dir_perms;
|
||||
@ -574,8 +525,6 @@ interface(`dev_create_dev_node',`
|
||||
interface(`dev_getattr_all_blk_files',`
|
||||
gen_require(`
|
||||
attribute device_node;
|
||||
class blk_file getattr;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -593,7 +542,6 @@ interface(`dev_getattr_all_blk_files',`
|
||||
interface(`dev_dontaudit_getattr_all_blk_files',`
|
||||
gen_require(`
|
||||
attribute device_node;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_node:blk_file getattr;
|
||||
@ -610,8 +558,6 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
|
||||
interface(`dev_getattr_all_chr_files',`
|
||||
gen_require(`
|
||||
attribute device_node;
|
||||
class chr_file getattr;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -629,7 +575,6 @@ interface(`dev_getattr_all_chr_files',`
|
||||
interface(`dev_dontaudit_getattr_all_chr_files',`
|
||||
gen_require(`
|
||||
attribute device_node;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 device_node:chr_file getattr;
|
||||
@ -646,8 +591,6 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
|
||||
interface(`dev_setattr_all_blk_files',`
|
||||
gen_require(`
|
||||
attribute device_node;
|
||||
class dir r_dir_perms;
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -665,8 +608,6 @@ interface(`dev_setattr_all_blk_files',`
|
||||
interface(`dev_setattr_all_chr_files',`
|
||||
gen_require(`
|
||||
attribute device_node;
|
||||
class dir r_dir_perms;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -716,8 +657,6 @@ interface(`dev_dontaudit_read_all_chr_files',`
|
||||
interface(`dev_manage_all_blk_files',`
|
||||
gen_require(`
|
||||
attribute device_node;
|
||||
class dir rw_dir_perms;
|
||||
class blk_file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir rw_dir_perms;
|
||||
@ -741,8 +680,6 @@ interface(`dev_manage_all_blk_files',`
|
||||
interface(`dev_manage_all_chr_files',`
|
||||
gen_require(`
|
||||
attribute device_node, memory_raw_read, memory_raw_write;
|
||||
class dir rw_dir_perms;
|
||||
class chr_file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir rw_dir_perms;
|
||||
@ -762,8 +699,6 @@ interface(`dev_manage_all_chr_files',`
|
||||
interface(`dev_rw_agp_dev',`
|
||||
gen_require(`
|
||||
type device_t, agp_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -781,8 +716,6 @@ interface(`dev_rw_agp_dev',`
|
||||
interface(`dev_getattr_apm_bios',`
|
||||
gen_require(`
|
||||
type device_t, apm_bios_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -801,7 +734,6 @@ interface(`dev_getattr_apm_bios',`
|
||||
interface(`dev_dontaudit_getattr_apm_bios',`
|
||||
gen_require(`
|
||||
type apm_bios_t;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 apm_bios_t:chr_file getattr;
|
||||
@ -818,8 +750,6 @@ interface(`dev_dontaudit_getattr_apm_bios',`
|
||||
interface(`dev_setattr_apm_bios',`
|
||||
gen_require(`
|
||||
type device_t, apm_bios_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -838,7 +768,6 @@ interface(`dev_setattr_apm_bios',`
|
||||
interface(`dev_dontaudit_setattr_apm_bios',`
|
||||
gen_require(`
|
||||
type apm_bios_t;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
dontaudit $1 apm_bios_t:chr_file setattr;
|
||||
@ -855,8 +784,6 @@ interface(`dev_dontaudit_setattr_apm_bios',`
|
||||
interface(`dev_rw_apm_bios',`
|
||||
gen_require(`
|
||||
type device_t, apm_bios_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -875,7 +802,6 @@ interface(`dev_rw_apm_bios',`
|
||||
interface(`dev_dontaudit_rw_cardmgr',`
|
||||
gen_require(`
|
||||
type cardmgr_dev_t;
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 cardmgr_dev_t:chr_file { read write };
|
||||
@ -910,8 +836,6 @@ interface(`dev_getattr_cpu',`
|
||||
interface(`dev_read_cpuid',`
|
||||
gen_require(`
|
||||
type device_t, cpu_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -930,8 +854,6 @@ interface(`dev_read_cpuid',`
|
||||
interface(`dev_rw_cpu_microcode',`
|
||||
gen_require(`
|
||||
type device_t, cpu_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -966,8 +888,6 @@ interface(`dev_rw_crypto',`
|
||||
interface(`dev_getattr_agp_dev',`
|
||||
gen_require(`
|
||||
type device_t, dri_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -985,8 +905,6 @@ interface(`dev_getattr_agp_dev',`
|
||||
interface(`dev_rw_dri_dev',`
|
||||
gen_require(`
|
||||
type device_t, dri_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1004,7 +922,6 @@ interface(`dev_rw_dri_dev',`
|
||||
interface(`dev_dontaudit_rw_dri_dev',`
|
||||
gen_require(`
|
||||
type dri_device_t;
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
|
||||
@ -1021,8 +938,6 @@ interface(`dev_dontaudit_rw_dri_dev',`
|
||||
interface(`dev_read_input',`
|
||||
gen_require(`
|
||||
type device_t, event_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1040,8 +955,6 @@ interface(`dev_read_input',`
|
||||
interface(`dev_getattr_framebuffer',`
|
||||
gen_require(`
|
||||
type device_t, framebuf_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1059,8 +972,6 @@ interface(`dev_getattr_framebuffer',`
|
||||
interface(`dev_setattr_framebuffer',`
|
||||
gen_require(`
|
||||
type device_t, framebuf_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1079,7 +990,6 @@ interface(`dev_setattr_framebuffer',`
|
||||
interface(`dev_dontaudit_setattr_framebuffer',`
|
||||
gen_require(`
|
||||
type framebuf_device_t;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
dontaudit $1 framebuf_device_t:chr_file setattr;
|
||||
@ -1096,8 +1006,6 @@ interface(`dev_dontaudit_setattr_framebuffer',`
|
||||
interface(`dev_read_framebuffer',`
|
||||
gen_require(`
|
||||
type framebuf_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
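Review bot: The gen_require of dev_read_framebuffer requires only `type framebuf_device_t;`, yet the first rule in the hunk is `allow $1 device_t:dir r_dir_perms;`, so device_t is used without being required — for a loadable module this is the kind of unresolved symbol the commit set out to fix, and the line should read `type device_t, framebuf_device_t;` as the neighbouring dev_write_framebuffer hunk does. The same pattern is visible in dev_getattr_all_blk_files, dev_getattr_all_chr_files, dev_setattr_all_blk_files, dev_setattr_all_chr_files, dev_manage_all_blk_files and dev_manage_all_chr_files, each of which requires only attributes and then allows on device_t:dir. The interface body continues outside the hunk.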
|
||||
@ -1115,7 +1023,6 @@ interface(`dev_read_framebuffer',`
|
||||
interface(`dev_dontaudit_read_framebuffer',`
|
||||
gen_require(`
|
||||
type framebuf_device_t;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
dontaudit $1 framebuf_device_t:chr_file { getattr read };
|
||||
@ -1132,8 +1039,6 @@ interface(`dev_dontaudit_read_framebuffer',`
|
||||
interface(`dev_write_framebuffer',`
|
||||
gen_require(`
|
||||
type device_t, framebuf_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1151,8 +1056,6 @@ interface(`dev_write_framebuffer',`
|
||||
interface(`dev_read_lvm_control',`
|
||||
gen_require(`
|
||||
type device_t, lvm_control_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1170,8 +1073,6 @@ interface(`dev_read_lvm_control',`
|
||||
interface(`dev_rw_lvm_control',`
|
||||
gen_require(`
|
||||
type device_t, lvm_control_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1189,8 +1090,6 @@ interface(`dev_rw_lvm_control',`
|
||||
interface(`dev_delete_lvm_control',`
|
||||
gen_require(`
|
||||
type device_t, lvm_control_t;
|
||||
class dir { getattr search read write remove_name };
|
||||
class chr_file unlink;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir { getattr search read write remove_name };
|
||||
@ -1209,9 +1108,6 @@ interface(`dev_read_raw_memory',`
|
||||
gen_require(`
|
||||
type device_t, memory_device_t;
|
||||
attribute memory_raw_read;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
class capability sys_rawio;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1233,9 +1129,6 @@ interface(`dev_write_raw_memory',`
|
||||
gen_require(`
|
||||
type device_t, memory_device_t;
|
||||
attribute memory_raw_write;
|
||||
class dir r_dir_perms;
|
||||
class chr_file write;
|
||||
class capability sys_rawio;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1256,7 +1149,6 @@ interface(`dev_write_raw_memory',`
|
||||
interface(`dev_rx_raw_memory',`
|
||||
gen_require(`
|
||||
type device_t, memory_device_t;
|
||||
class chr_file execute;
|
||||
')
|
||||
|
||||
dev_read_raw_memory($1)
|
||||
@ -1274,7 +1166,6 @@ interface(`dev_rx_raw_memory',`
|
||||
interface(`dev_wx_raw_memory',`
|
||||
gen_require(`
|
||||
type device_t, memory_device_t;
|
||||
class chr_file execute;
|
||||
')
|
||||
|
||||
dev_write_raw_memory($1)
|
||||
@ -1292,8 +1183,6 @@ interface(`dev_wx_raw_memory',`
|
||||
interface(`dev_getattr_misc',`
|
||||
gen_require(`
|
||||
type device_t, misc_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1312,7 +1201,6 @@ interface(`dev_getattr_misc',`
|
||||
interface(`dev_dontaudit_getattr_misc',`
|
||||
gen_require(`
|
||||
type misc_device_t;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 misc_device_t:chr_file getattr;
|
||||
@ -1329,8 +1217,6 @@ interface(`dev_dontaudit_getattr_misc',`
|
||||
interface(`dev_setattr_misc',`
|
||||
gen_require(`
|
||||
type device_t, misc_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1349,7 +1235,6 @@ interface(`dev_setattr_misc',`
|
||||
interface(`dev_dontaudit_setattr_misc',`
|
||||
gen_require(`
|
||||
type misc_device_t;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
dontaudit $1 misc_device_t:chr_file setattr;
|
||||
@ -1366,8 +1251,6 @@ interface(`dev_dontaudit_setattr_misc',`
|
||||
interface(`dev_read_misc',`
|
||||
gen_require(`
|
||||
type device_t, misc_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1385,8 +1268,6 @@ interface(`dev_read_misc',`
|
||||
interface(`dev_write_misc',`
|
||||
gen_require(`
|
||||
type device_t, misc_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1404,8 +1285,6 @@ interface(`dev_write_misc',`
|
||||
interface(`dev_getattr_mouse',`
|
||||
gen_require(`
|
||||
type device_t, mouse_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1423,8 +1302,6 @@ interface(`dev_getattr_mouse',`
|
||||
interface(`dev_setattr_mouse',`
|
||||
gen_require(`
|
||||
type device_t, mouse_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1442,8 +1319,6 @@ interface(`dev_setattr_mouse',`
|
||||
interface(`dev_read_mouse',`
|
||||
gen_require(`
|
||||
type device_t, mouse_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1478,8 +1353,6 @@ interface(`dev_rw_mouse',`
|
||||
interface(`dev_read_mtrr',`
|
||||
gen_require(`
|
||||
type device_t, mtrr_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1497,8 +1370,6 @@ interface(`dev_read_mtrr',`
|
||||
interface(`dev_write_mtrr',`
|
||||
gen_require(`
|
||||
type device_t, mtrr_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1516,8 +1387,6 @@ interface(`dev_write_mtrr',`
|
||||
interface(`dev_rw_null_dev',`
|
||||
gen_require(`
|
||||
type device_t, null_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1535,8 +1404,6 @@ interface(`dev_rw_null_dev',`
|
||||
interface(`dev_setattr_printer',`
|
||||
gen_require(`
|
||||
type device_t, printer_device_t;
|
||||
class dir search;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir search;
|
||||
@ -1554,8 +1421,6 @@ interface(`dev_setattr_printer',`
|
||||
interface(`dev_rw_printer',`
|
||||
gen_require(`
|
||||
type device_t, printer_device_t;
|
||||
class dir search;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir search;
|
||||
@ -1573,8 +1438,6 @@ interface(`dev_rw_printer',`
|
||||
interface(`dev_read_rand',`
|
||||
gen_require(`
|
||||
type device_t, random_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1594,8 +1457,6 @@ interface(`dev_read_rand',`
|
||||
interface(`dev_write_rand',`
|
||||
gen_require(`
|
||||
type device_t, random_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1613,8 +1474,6 @@ interface(`dev_write_rand',`
|
||||
interface(`dev_read_realtime_clock',`
|
||||
gen_require(`
|
||||
type device_t, clock_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1632,8 +1491,6 @@ interface(`dev_read_realtime_clock',`
|
||||
interface(`dev_write_realtime_clock',`
|
||||
gen_require(`
|
||||
type device_t, clock_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file { setattr lock write append ioctl };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1664,8 +1521,6 @@ interface(`dev_rw_realtime_clock',`
|
||||
interface(`dev_getattr_scanner',`
|
||||
gen_require(`
|
||||
type device_t, scanner_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1684,7 +1539,6 @@ interface(`dev_getattr_scanner',`
|
||||
interface(`dev_dontaudit_getattr_scanner',`
|
||||
gen_require(`
|
||||
type scanner_device_t;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 scanner_device_t:chr_file getattr;
|
||||
@ -1701,8 +1555,6 @@ interface(`dev_dontaudit_getattr_scanner',`
|
||||
interface(`dev_setattr_scanner',`
|
||||
gen_require(`
|
||||
type device_t, scanner_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1721,7 +1573,6 @@ interface(`dev_setattr_scanner',`
|
||||
interface(`dev_dontaudit_setattr_scanner',`
|
||||
gen_require(`
|
||||
type scanner_device_t;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 scanner_device_t:chr_file setattr;
|
||||
@ -1738,8 +1589,6 @@ interface(`dev_dontaudit_setattr_scanner',`
|
||||
interface(`dev_rw_scanner',`
|
||||
gen_require(`
|
||||
type device_t, scanner_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1757,8 +1606,6 @@ interface(`dev_rw_scanner',`
|
||||
interface(`dev_getattr_snd_dev',`
|
||||
gen_require(`
|
||||
type device_t, sound_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1776,8 +1623,6 @@ interface(`dev_getattr_snd_dev',`
|
||||
interface(`dev_setattr_snd_dev',`
|
||||
gen_require(`
|
||||
type device_t, sound_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1795,8 +1640,6 @@ interface(`dev_setattr_snd_dev',`
|
||||
interface(`dev_read_snd_dev',`
|
||||
gen_require(`
|
||||
type device_t, sound_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1814,8 +1657,6 @@ interface(`dev_read_snd_dev',`
|
||||
interface(`dev_write_snd_dev',`
|
||||
gen_require(`
|
||||
type device_t, sound_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1833,8 +1674,6 @@ interface(`dev_write_snd_dev',`
|
||||
interface(`dev_read_snd_mixer_dev',`
|
||||
gen_require(`
|
||||
type device_t, sound_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1852,8 +1691,6 @@ interface(`dev_read_snd_mixer_dev',`
|
||||
interface(`dev_write_snd_mixer_dev',`
|
||||
gen_require(`
|
||||
type device_t, sound_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1871,8 +1708,6 @@ interface(`dev_write_snd_mixer_dev',`
|
||||
interface(`dev_getattr_power_management',`
|
||||
gen_require(`
|
||||
type device_t, power_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1890,8 +1725,6 @@ interface(`dev_getattr_power_management',`
|
||||
interface(`dev_setattr_power_management',`
|
||||
gen_require(`
|
||||
type device_t, power_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1909,8 +1742,6 @@ interface(`dev_setattr_power_management',`
|
||||
interface(`dev_rw_power_management',`
|
||||
gen_require(`
|
||||
type device_t, power_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -1928,7 +1759,6 @@ interface(`dev_rw_power_management',`
|
||||
interface(`dev_getattr_sysfs_dir',`
|
||||
gen_require(`
|
||||
type sysfs_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
allow $1 sysfs_t:dir getattr;
|
||||
@ -1945,7 +1775,6 @@ interface(`dev_getattr_sysfs_dir',`
|
||||
interface(`dev_search_sysfs',`
|
||||
gen_require(`
|
||||
type sysfs_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 sysfs_t:dir search;
|
||||
@ -1962,7 +1791,6 @@ interface(`dev_search_sysfs',`
|
||||
interface(`dev_dontaudit_search_sysfs',`
|
||||
gen_require(`
|
||||
type sysfs_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 sysfs_t:dir search;
|
||||
@ -1979,7 +1807,6 @@ interface(`dev_dontaudit_search_sysfs',`
|
||||
interface(`dev_list_sysfs',`
|
||||
gen_require(`
|
||||
type sysfs_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 sysfs_t:dir r_dir_perms;
|
||||
@ -1996,9 +1823,6 @@ interface(`dev_list_sysfs',`
|
||||
interface(`dev_read_sysfs',`
|
||||
gen_require(`
|
||||
type sysfs_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 sysfs_t:dir r_dir_perms;
|
||||
@ -2016,9 +1840,6 @@ interface(`dev_read_sysfs',`
|
||||
interface(`dev_rw_sysfs',`
|
||||
gen_require(`
|
||||
type sysfs_t;
|
||||
class dir r_dir_perms;
|
||||
class file rw_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 sysfs_t:dir r_dir_perms;
|
||||
@ -2037,8 +1858,6 @@ interface(`dev_rw_sysfs',`
|
||||
interface(`dev_read_urand',`
|
||||
gen_require(`
|
||||
type device_t, urandom_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -2057,8 +1876,6 @@ interface(`dev_read_urand',`
|
||||
interface(`dev_write_urand',`
|
||||
gen_require(`
|
||||
type device_t, urandom_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -2076,7 +1893,6 @@ interface(`dev_write_urand',`
|
||||
interface(`dev_mount_usbfs',`
|
||||
gen_require(`
|
||||
type usbfs_t;
|
||||
class filesystem mount;
|
||||
')
|
||||
|
||||
allow $1 usbfs_t:filesystem mount;
|
||||
@ -2093,7 +1909,6 @@ interface(`dev_mount_usbfs',`
|
||||
interface(`dev_getattr_usbfs_dir',`
|
||||
gen_require(`
|
||||
type usbfs_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
allow $1 usbfs_t:dir getattr;
|
||||
@ -2110,7 +1925,6 @@ interface(`dev_getattr_usbfs_dir',`
|
||||
interface(`dev_search_usbfs',`
|
||||
gen_require(`
|
||||
type usbfs_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 usbfs_t:dir search;
|
||||
@ -2127,9 +1941,6 @@ interface(`dev_search_usbfs',`
|
||||
interface(`dev_list_usbfs',`
|
||||
gen_require(`
|
||||
type usbfs_t;
|
||||
class dir r_dir_perms;
|
||||
class file getattr;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 usbfs_t:dir r_dir_perms;
|
||||
@ -2149,9 +1960,6 @@ interface(`dev_list_usbfs',`
|
||||
interface(`dev_read_usbfs',`
|
||||
gen_require(`
|
||||
type usbfs_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 usbfs_t:dir r_dir_perms;
|
||||
@ -2169,9 +1977,6 @@ interface(`dev_read_usbfs',`
|
||||
interface(`dev_rw_usbfs',`
|
||||
gen_require(`
|
||||
type usbfs_t;
|
||||
class dir r_dir_perms;
|
||||
class file rw_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 usbfs_t:dir r_dir_perms;
|
||||
@ -2190,8 +1995,6 @@ interface(`dev_rw_usbfs',`
|
||||
interface(`dev_getattr_video_dev',`
|
||||
gen_require(`
|
||||
type device_t, v4l_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -2210,7 +2013,6 @@ interface(`dev_getattr_video_dev',`
|
||||
interface(`dev_dontaudit_getattr_video_dev',`
|
||||
gen_require(`
|
||||
type v4l_device_t;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 v4l_device_t:chr_file getattr;
|
||||
@ -2227,8 +2029,6 @@ interface(`dev_dontaudit_getattr_video_dev',`
|
||||
interface(`dev_setattr_video_dev',`
|
||||
gen_require(`
|
||||
type device_t, v4l_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -2247,7 +2047,6 @@ interface(`dev_setattr_video_dev',`
|
||||
interface(`dev_dontaudit_setattr_video_dev',`
|
||||
gen_require(`
|
||||
type v4l_device_t;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
dontaudit $1 v4l_device_t:chr_file setattr;
|
||||
@ -2264,8 +2063,6 @@ interface(`dev_dontaudit_setattr_video_dev',`
|
||||
interface(`dev_getattr_xserver_misc_dev',`
|
||||
gen_require(`
|
||||
type device_t, xserver_misc_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -2283,8 +2080,6 @@ interface(`dev_getattr_xserver_misc_dev',`
|
||||
interface(`dev_setattr_xserver_misc_dev',`
|
||||
gen_require(`
|
||||
type device_t, xserver_misc_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -2302,8 +2097,6 @@ interface(`dev_setattr_xserver_misc_dev',`
|
||||
interface(`dev_rw_zero_dev',`
|
||||
gen_require(`
|
||||
type device_t, zero_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
@ -2321,7 +2114,6 @@ interface(`dev_rw_zero_dev',`
|
||||
interface(`dev_rwx_zero_dev',`
|
||||
gen_require(`
|
||||
type zero_device_t;
|
||||
class chr_file execute;
|
||||
')
|
||||
|
||||
dev_rw_zero_dev($1)
|
||||
|
@ -1697,7 +1697,7 @@ interface(`kernel_send_syslog_msg_from',`
|
||||
#
|
||||
interface(`kernel_udp_sendfrom',`
|
||||
gen_require(`
|
||||
type portmap_t;
|
||||
type kernel_t;
|
||||
class udp_socket { sendto recvfrom };
|
||||
')
|
||||
|
||||
|
@ -10,6 +10,9 @@
|
||||
## </param>
|
||||
#
|
||||
template(`apache_content_template',`
|
||||
gen_require(`
|
||||
attribute httpdcontent, httpd_script_domains;
|
||||
')
|
||||
|
||||
# allow write access to public file transfer
|
||||
# services files.
|
||||
|
@ -374,6 +374,8 @@ optional_policy(`mailman.te',`
|
||||
')
|
||||
|
||||
optional_policy(`mta.te',`
|
||||
mta_stub()
|
||||
|
||||
# apache should set close-on-exec
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
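Review bot: The new `mta_stub()` call is undocumented, and nothing in the hunk says why a block that only contains a local `dontaudit` between `httpd_suexec_t` and `httpd_t` needs to call into the mta module. From the `mta_stub` definition elsewhere on this page it allows nothing and only requires `sendmail_exec_t`, so its apparent purpose is to give this `optional_policy` block a requirement on mta types so the block is disabled when that module is absent. Say so at the call site, e.g. `# mta_stub() requires an mta type so this optional block is only enabled when the mta module is loaded`, otherwise the next reader will assume the call grants access.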
|
@ -28,6 +28,10 @@
|
||||
## </param>
|
||||
#
|
||||
template(`cron_per_userdomain_template',`
|
||||
gen_require(`
|
||||
attribute cron_spool_type;
|
||||
type crontab_exec_t;
|
||||
')
|
||||
|
||||
# Type of user crontabs once moved to cron spool.
|
||||
type $1_cron_spool_t, cron_spool_type;
|
||||
|
@ -1,5 +1,19 @@
|
||||
## <summary>Policy common to all email tranfer agents.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## MTA stub interface. No access allowed.
|
||||
## </summary>
|
||||
## <param name="domain" optional="true">
|
||||
## N/A
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_stub',`
|
||||
gen_require(`
|
||||
type sendmail_exec_t;
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per user domain template for the mta module.
|
||||
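Review bot: The summary of `mta_stub` states what it does not do ("No access allowed") but not what it is for, and the `domain` parameter is documented as optional and `N/A` yet never used. Since the interface's only effect is the `gen_require` of `sendmail_exec_t`, the summary should say that it exists to give `optional_policy()` blocks a requirement on an mta type so they are disabled when the module is absent, and that it must stay access-free. A one-line note such as `## Use this in optional_policy() blocks that need a dependency on mta but call no other mta interface.` would make the intent explicit.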
@ -109,11 +123,11 @@ template(`mta_per_userdomain_template',`
|
||||
nscd_use_socket($1_mail_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`procmail.te',`
|
||||
procmail_execute($1_mail_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Read user temporary files.
|
||||
allow $1_mail_t $1_tmp_t:file r_file_perms;
|
||||
dontaudit $1_mail_t $1_tmp_t:file append;
|
||||
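Review bot: Moving `procmail_execute($1_mail_t)` under `ifdef(\`TODO',\`` silently removes that access from every per-user mail domain, and the hunk gives no reason; a later hunk on this page does the same for `system_mail_t` with `procmail_exec`. Given the commit's subject, this looks like a loadable-module ordering or missing-interface issue rather than a deliberate privilege cut, but that is an inference. Add a note above the `ifdef`, e.g. `# procmail interfaces parked until the procmail module is converted for loadable modules`, so the lost access can be restored on purpose later. The template continues outside the hunk.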
|
@ -28,15 +28,16 @@ files_type(sendmail_exec_t)
|
||||
|
||||
type system_mail_t;
|
||||
domain_type(system_mail_t)
|
||||
domain_entry_file(system_mail_t,sendmail_exec_t)
|
||||
role system_r types system_mail_t;
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
optional_policy(`sendmail.te',`
|
||||
domain_entry_file(system_mail_t,sendmail_exec_t)
|
||||
',`
|
||||
init_system_domain(system_mail_t,sendmail_exec_t)
|
||||
')
|
||||
')
|
||||
# cjp: need to resolve this, but require{}
|
||||
# does not work in the else part of the optional
|
||||
#ifdef(`targeted_policy',`',`
|
||||
# optional_policy(`sendmail.te',`',`
|
||||
# init_system_domain(system_mail_t,sendmail_exec_t)
|
||||
# ')
|
||||
#')
|
||||
|
||||
########################################
|
||||
#
|
||||
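Review bot: The `cjp:` comment explains why the `optional_policy` else-branch was dropped but not the functional consequence, which is the part a later maintainer needs. Before this change, non-targeted policy without `sendmail.te` applied `init_system_domain(system_mail_t,sendmail_exec_t)`; after it only `domain_entry_file(system_mail_t,sendmail_exec_t)` remains, so that configuration presumably loses its init-side transition into `system_mail_t`. Extend the comment with the regression, e.g. `# until then, non-targeted policy without sendmail.te no longer gets init_system_domain(system_mail_t,sendmail_exec_t)`. Note also that the old code called `domain_entry_file` twice (once unconditionally, once inside the optional block), which the hunk correctly collapses.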
@ -150,11 +151,9 @@ optional_policy(`nscd.te',`
|
||||
nscd_use_socket(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`procmail.te',`
|
||||
procmail_exec(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`sendmail.te',`
|
||||
sendmail_stub()
|
||||
|
||||
allow system_mail_t etc_mail_t:dir { getattr search };
|
||||
|
||||
# sendmail -q
|
||||
@ -163,6 +162,10 @@ optional_policy(`sendmail.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`procmail.te',`
|
||||
procmail_exec(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`sendmail.te',`
|
||||
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
||||
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
|
||||
|
@ -57,10 +57,6 @@ interface(`nis_use_ypbind_uncond',`
|
||||
corenet_dontaudit_tcp_connect_all_reserved_ports($1)
|
||||
|
||||
sysnet_read_config($1)
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
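Review bot: Dropping the `optional_policy(\`mount.te',\`` block removes `mount_send_nfs_client_request($1)` from every caller of `nis_use_ypbind_uncond`, and nothing in the hunk records why. Because this interface is applied to many domains, the missing access will surface as scattered denials with no pointer back to this commit. Either park the block under an `ifdef(\`TODO',\`` as the mta hunks on this page do, or leave a comment such as `# mount_send_nfs_client_request() removed: re-add once the mount module interfaces are available`. Whether the removal is intentional or a dependency workaround is not determinable from the hunk.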
|
@ -10,6 +10,11 @@ gen_require(`
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# cjp: this is out of order because of an
|
||||
# ordering problem with loadable modules
|
||||
type nscd_var_run_t;
|
||||
files_pid_file(nscd_var_run_t)
|
||||
|
||||
# nscd is both the client program and the daemon.
|
||||
type nscd_t;
|
||||
type nscd_exec_t;
|
||||
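Review bot: The `cjp:` comment on the relocated `nscd_var_run_t` declaration names the problem but not the consumer, so nobody can later tell when it is safe to move the declaration back. The second hunk's context line suggests `init_daemon_domain(nscd_t,nscd_exec_t)` is what follows, which presumably is the statement that needs the type declared first, but the hunk does not show that reference. Name it explicitly, e.g. `# cjp: declared early because init_daemon_domain() below needs nscd_var_run_t to exist (loadable module ordering)`, adjusting if the real consumer differs.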
@ -18,9 +23,6 @@ init_daemon_domain(nscd_t,nscd_exec_t)
|
||||
type nscd_log_t;
|
||||
logging_log_file(nscd_log_t)
|
||||
|
||||
type nscd_var_run_t;
|
||||
files_pid_file(nscd_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
|
@ -1,5 +1,19 @@
|
||||
## <summary>Policy for sendmail.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Sendmail stub interface. No access allowed.
|
||||
## </summary>
|
||||
## <param name="domain" optional="true">
|
||||
## N/A
|
||||
## </param>
|
||||
#
|
||||
interface(`sendmail_stub',`
|
||||
gen_require(`
|
||||
type sendmail_t;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Domain transition to sendmail.
|
||||
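Review bot: `sendmail_stub` duplicates the `mta_stub` pattern from this same commit and has the same documentation gap: the summary says "No access allowed" but not that its purpose is to give `optional_policy()` blocks a requirement on `sendmail_t` so they are disabled when the sendmail module is absent. The unused `domain` parameter marked `N/A` should also say that it is ignored. A single sentence in the summary, `## Use in optional_policy() blocks that depend on sendmail but call no other sendmail interface.`, would cover both.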
|
@ -28,6 +28,11 @@
|
||||
## </param>
|
||||
#
|
||||
template(`ssh_per_userdomain_template',`
|
||||
gen_require(`
|
||||
type ssh_exec_t, ssh_agent_exec_t;
|
||||
type ssh_keysign_exec_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
@ -328,10 +333,10 @@ template(`ssh_per_userdomain_template',`
|
||||
nis_use_ypbind($1_ssh_agent_t)
|
||||
')
|
||||
|
||||
optional_policy(`xdm.te', `
|
||||
# KDM:
|
||||
#xdm_sigchld($1_ssh_agent_t)
|
||||
')
|
||||
# optional_policy(`xdm.te', `
|
||||
# # KDM:
|
||||
# xdm_sigchld($1_ssh_agent_t)
|
||||
# ')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`xdm.te',`
|
||||
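Review bot: The xdm block is now fully commented out with `#` even though the file already has an `ifdef(\`TODO',\`` section immediately below for deferred policy, so the same template ends up with two different ways of parking dead code. Either move the `optional_policy(\`xdm.te', \`` block into that `ifdef(\`TODO'` section or delete it outright; a block whose only content was already a commented-out `xdm_sigchld($1_ssh_agent_t)` grants nothing, so deleting it changes no policy. The template continues outside the hunk.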
|
@ -451,9 +451,6 @@ interface(`auth_rw_lastlog',`
|
||||
interface(`auth_domtrans_pam',`
|
||||
gen_require(`
|
||||
type pam_t, pam_exec_t;
|
||||
class process sigchld;
|
||||
class fd
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,pam_exec_t,pam_t)
|
||||
|
@ -11,9 +11,6 @@
|
||||
interface(`lvm_domtrans',`
|
||||
gen_require(`
|
||||
type lvm_t, lvm_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
@ -42,7 +39,6 @@ interface(`lvm_domtrans',`
|
||||
interface(`lvm_run',`
|
||||
gen_require(`
|
||||
type lvm_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
lvm_domtrans($1)
|
||||
@ -60,9 +56,7 @@ interface(`lvm_run',`
|
||||
#
|
||||
interface(`lvm_read_config',`
|
||||
gen_require(`
|
||||
type lvm_t, lvm_exec_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
type lvm_t, lvm_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
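Review bot: The corrected require `type lvm_t, lvm_etc_t;` still lists `lvm_t`, which looks out of place in an interface whose name and visible body (`files_search_etc($1)`) are about reading configuration. If the remainder of the body, which is outside the hunk, does not reference `lvm_t`, the require should be just `type lvm_etc_t;`; a spurious requirement makes every caller's module depend on the lvm domain type for no reason.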
|
@ -11,7 +11,6 @@
|
||||
interface(`modutils_read_mods_deps',`
|
||||
gen_require(`
|
||||
type modules_dep_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
bootloader_list_kernel_modules($1)
|
||||
@ -30,7 +29,6 @@ interface(`modutils_read_mods_deps',`
|
||||
interface(`modutils_read_module_conf',`
|
||||
gen_require(`
|
||||
type modules_conf_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
# This file type can be in /etc or
|
||||
@ -69,9 +67,6 @@ interface(`modutils_rename_module_conf',`
|
||||
interface(`modutils_domtrans_insmod',`
|
||||
gen_require(`
|
||||
type insmod_t, insmod_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
@ -103,7 +98,6 @@ interface(`modutils_domtrans_insmod',`
|
||||
interface(`modutils_run_insmod',`
|
||||
gen_require(`
|
||||
type insmod_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
modutils_domtrans_insmod($1)
|
||||
@ -135,9 +129,6 @@ interface(`modutils_exec_insmod',`
|
||||
interface(`modutils_domtrans_depmod',`
|
||||
gen_require(`
|
||||
type depmod_t, depmod_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
@ -166,7 +157,6 @@ interface(`modutils_domtrans_depmod',`
|
||||
interface(`modutils_run_depmod',`
|
||||
gen_require(`
|
||||
type depmod_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
modutils_domtrans_depmod($1)
|
||||
@ -180,7 +170,7 @@ interface(`modutils_run_depmod',`
|
||||
#
|
||||
interface(`modutils_exec_depmod',`
|
||||
gen_require(`
|
||||
type depmod_t;
|
||||
type depmod_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
@ -198,9 +188,6 @@ interface(`modutils_exec_depmod',`
|
||||
interface(`modutils_domtrans_update_mods',`
|
||||
gen_require(`
|
||||
type update_modules_t, update_modules_exec_t;
|
||||
class process signal;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
@ -229,7 +216,6 @@ interface(`modutils_domtrans_update_mods',`
|
||||
interface(`modutils_run_update_mods',`
|
||||
gen_require(`
|
||||
type update_modules_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
modutils_domtrans_update_mods($1)
|
||||
@ -243,10 +229,9 @@ interface(`modutils_run_update_mods',`
|
||||
#
|
||||
interface(`modutils_exec_update_mods',`
|
||||
gen_require(`
|
||||
type update_modules_t;
|
||||
type update_modules_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
can_exec($1, update_modules_exec_t)
|
||||
')
|
||||
|
||||
|
@ -1,6 +1,10 @@
|
||||
|
||||
policy_module(selinuxutil,1.0)
|
||||
|
||||
gen_require(`
|
||||
bool secure_mode;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
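Review bot: A module-level `gen_require(\` bool secure_mode; \`)` makes the whole selinuxutil module fail to link if `secure_mode` is not declared elsewhere, and the hunk does not say where it comes from. Add a comment naming the declaring policy, e.g. `# secure_mode is a global boolean declared in base policy; the module cannot load without it`, replacing "base policy" with the actual location if it differs, so the dependency is visible to whoever reorganizes booleans later.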
|
@ -641,7 +641,7 @@ template(`unpriv_user_template', `
|
||||
|
||||
# Need the following rule to allow users to run vpnc
|
||||
optional_policy(`xserver.te', `
|
||||
corenetwork_bind_tcp_on_xserver_port($1_t)
|
||||
corenet_tcp_bind_xserver_port($1_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
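Review bot: The comment "Need the following rule to allow users to run vpnc" does not match the rule beneath it, which sits in an `optional_policy(\`xserver.te'` block and, going by its name, lets every unprivileged user domain bind the X server TCP port. The commit only renames the interface to `corenet_tcp_bind_xserver_port($1_t)` and leaves the mismatch in place. A grant that lets arbitrary `$1_t` processes listen on the X server port is broad enough that a reviewer would want the real reason recorded, e.g. `# vpnc (run from the user domain) binds the X server TCP port; see <reference>`, or the rule gated behind a boolean if it is only needed by that one tool.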