review of system interfaces
This commit is contained in:
Chris PeBenito
parent
a7c3a1b920
commit
139520a233
@ -31,7 +31,7 @@ term_dontaudit_use_console(dmesg_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(dmesg_t)
|
domain_use_wide_inherit_fd(dmesg_t)
|
||||||
|
|
||||||
files_read_generic_etc_files_directory(dmesg_t)
|
files_list_etc(dmesg_t)
|
||||||
# for when /usr is not mounted:
|
# for when /usr is not mounted:
|
||||||
files_dontaudit_search_isid_type_dir(dmesg_t)
|
files_dontaudit_search_isid_type_dir(dmesg_t)
|
||||||
|
|
||||||
|
|||||||
@ -34,7 +34,7 @@ define(`authlogin_per_userdomain_template',`
|
|||||||
allow $1_chkpwd_t self:capability setuid;
|
allow $1_chkpwd_t self:capability setuid;
|
||||||
allow $1_chkpwd_t self:process getattr;
|
allow $1_chkpwd_t self:process getattr;
|
||||||
|
|
||||||
files_read_generic_etc_files_directory($1_chkpwd_t)
|
files_list_etc($1_chkpwd_t)
|
||||||
allow $1_chkpwd_t shadow_t:file { getattr read };
|
allow $1_chkpwd_t shadow_t:file { getattr read };
|
||||||
|
|
||||||
# is_selinux_enabled
|
# is_selinux_enabled
|
||||||
@ -276,7 +276,7 @@ define(`auth_dontaudit_getattr_shadow_depend',`
|
|||||||
define(`auth_read_shadow',`
|
define(`auth_read_shadow',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`$0'_depend)
|
||||||
|
|
||||||
files_read_generic_etc_files_directory($1)
|
files_list_etc($1)
|
||||||
allow $1 shadow_t:file r_file_perms;
|
allow $1 shadow_t:file r_file_perms;
|
||||||
typeattribute $1 can_read_shadow_passwords;
|
typeattribute $1 can_read_shadow_passwords;
|
||||||
')
|
')
|
||||||
@ -338,7 +338,7 @@ define(`auth_dontaudit_read_shadow_depend',`
|
|||||||
define(`auth_rw_shadow',`
|
define(`auth_rw_shadow',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`$0'_depend)
|
||||||
|
|
||||||
files_read_generic_etc_files_directory($1)
|
files_list_etc($1)
|
||||||
allow $1 shadow_t:file rw_file_perms;
|
allow $1 shadow_t:file rw_file_perms;
|
||||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||||
')
|
')
|
||||||
|
|||||||
@ -12,7 +12,11 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_domtrans',`
|
define(`clock_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hwclock_t, hwclock_exec_t;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
domain_auto_trans($1,hwclock_exec_t,hwclock_t)
|
domain_auto_trans($1,hwclock_exec_t,hwclock_t)
|
||||||
|
|
||||||
@ -22,15 +26,6 @@ define(`clock_domtrans',`
|
|||||||
allow hwclock_t $1:process sigchld;
|
allow hwclock_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_domtrans_depend',`
|
|
||||||
type hwclock_t, hwclock_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="clock_run">
|
## <interface name="clock_run">
|
||||||
## <description>
|
## <description>
|
||||||
@ -49,19 +44,16 @@ define(`clock_domtrans_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_run',`
|
define(`clock_run',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hwclock_t;
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
|
')
|
||||||
|
|
||||||
clock_domtrans($1)
|
clock_domtrans($1)
|
||||||
role $2 types hwclock_t;
|
role $2 types hwclock_t;
|
||||||
allow hwclock_t $3:chr_file { getattr read write ioctl };
|
allow hwclock_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_run_depend',`
|
|
||||||
type hwclock_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="clock_exec">
|
## <interface name="clock_exec">
|
||||||
## <description>
|
## <description>
|
||||||
@ -73,15 +65,11 @@ define(`clock_run_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_exec',`
|
define(`clock_exec',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hwclock_exec_t;
|
||||||
can_exec($1,hwclock_exec_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_exec_depend',`
|
can_exec($1,hwclock_exec_t)
|
||||||
type hwclock_exec_t;
|
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -95,16 +83,13 @@ define(`clock_exec_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_rw_adjtime',`
|
define(`clock_rw_adjtime',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
|
||||||
allow $1 adjtime_t:file rw_file_perms;
|
|
||||||
files_read_generic_etc_files_directory($1)
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`clock_rw_adjtime_depend',`
|
|
||||||
type adjtime_t;
|
type adjtime_t;
|
||||||
|
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
allow $1 adjtime_t:file rw_file_perms;
|
||||||
|
files_list_etc($1)
|
||||||
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -46,7 +46,7 @@ domain_use_wide_inherit_fd(hwclock_t)
|
|||||||
init_use_fd(hwclock_t)
|
init_use_fd(hwclock_t)
|
||||||
init_use_script_pty(hwclock_t)
|
init_use_script_pty(hwclock_t)
|
||||||
|
|
||||||
files_read_generic_etc_files_directory(hwclock_t)
|
files_list_etc(hwclock_t)
|
||||||
# for when /usr is not mounted:
|
# for when /usr is not mounted:
|
||||||
files_dontaudit_search_isid_type_dir(hwclock_t)
|
files_dontaudit_search_isid_type_dir(hwclock_t)
|
||||||
|
|
||||||
|
|||||||
@ -9,13 +9,11 @@
|
|||||||
# corecmd_shell_entry_type(domain)
|
# corecmd_shell_entry_type(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_shell_entry_type',`
|
define(`corecmd_shell_entry_type',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type shell_exec_t;
|
||||||
domain_entry_file($1,shell_exec_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_shell_entry_type_depend',`
|
domain_entry_file($1,shell_exec_t)
|
||||||
type shell_exec_t;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -23,15 +21,12 @@ define(`corecmd_shell_entry_type_depend',`
|
|||||||
# corecmd_search_bin(domain)
|
# corecmd_search_bin(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_search_bin',`
|
define(`corecmd_search_bin',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type bin_t;
|
||||||
allow $1 bin_t:dir search;
|
class dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_search_bin_depend',`
|
allow $1 bin_t:dir search;
|
||||||
type bin_t;
|
|
||||||
|
|
||||||
class dir search;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -39,15 +34,12 @@ define(`corecmd_search_bin_depend',`
|
|||||||
# corecmd_list_bin(domain)
|
# corecmd_list_bin(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_list_bin',`
|
define(`corecmd_list_bin',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type bin_t;
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_list_bin_depend',`
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
type bin_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -55,7 +47,11 @@ define(`corecmd_list_bin_depend',`
|
|||||||
# corecmd_exec_bin(domain)
|
# corecmd_exec_bin(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_exec_bin',`
|
define(`corecmd_exec_bin',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type bin_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
allow $1 bin_t:lnk_file r_file_perms;
|
allow $1 bin_t:lnk_file r_file_perms;
|
||||||
@ -63,28 +59,17 @@ define(`corecmd_exec_bin',`
|
|||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_exec_bin_depend',`
|
|
||||||
type bin_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class file { getattr read ioctl lock execute execute_no_trans };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecmd_search_sbin(domain)
|
# corecmd_search_sbin(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_search_sbin',`
|
define(`corecmd_search_sbin',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type sbin_t;
|
||||||
allow $1 sbin_t:dir search;
|
class dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_search_sbin_depend',`
|
allow $1 sbin_t:dir search;
|
||||||
type sbin_t;
|
|
||||||
|
|
||||||
class dir search;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -92,15 +77,12 @@ define(`corecmd_search_sbin_depend',`
|
|||||||
# corecmd_list_sbin(domain)
|
# corecmd_list_sbin(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_list_sbin',`
|
define(`corecmd_list_sbin',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type sbin_t;
|
||||||
allow $1 sbin_t:dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_list_sbin_depend',`
|
allow $1 sbin_t:dir r_dir_perms;
|
||||||
type sbin_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -108,15 +90,12 @@ define(`corecmd_list_sbin_depend',`
|
|||||||
# corecmd_dontaudit_getattr_sbin_file(domain)
|
# corecmd_dontaudit_getattr_sbin_file(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_dontaudit_getattr_sbin_file',`
|
define(`corecmd_dontaudit_getattr_sbin_file',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type sbin_t;
|
||||||
allow $1 sbin_t:file getattr;
|
class file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_dontaudit_getattr_sbin_file_depend',`
|
allow $1 sbin_t:file getattr;
|
||||||
type sbin_t;
|
|
||||||
|
|
||||||
class file getattr;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -124,7 +103,11 @@ define(`corecmd_dontaudit_getattr_sbin_file_depend',`
|
|||||||
# corecmd_exec_sbin(domain)
|
# corecmd_exec_sbin(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_exec_sbin',`
|
define(`corecmd_exec_sbin',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type sbin_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 sbin_t:dir r_dir_perms;
|
allow $1 sbin_t:dir r_dir_perms;
|
||||||
allow $1 sbin_t:lnk_file r_file_perms;
|
allow $1 sbin_t:lnk_file r_file_perms;
|
||||||
@ -132,54 +115,38 @@ define(`corecmd_exec_sbin',`
|
|||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_exec_sbin_depend',`
|
|
||||||
type sbin_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class file { getattr read ioctl lock execute execute_no_trans };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecmd_exec_shell(domain)
|
# corecmd_exec_shell(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_exec_shell',`
|
define(`corecmd_exec_shell',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type bin_t, shell_exec_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
allow $1 bin_t:lnk_file r_file_perms;
|
allow $1 bin_t:lnk_file r_file_perms;
|
||||||
can_exec($1,shell_exec_t)
|
can_exec($1,shell_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_exec_shell_depend',`
|
|
||||||
type bin_t, shell_exec_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class file { getattr read lock ioctl execute execute_no_trans };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecmd_exec_ls(domain)
|
# corecmd_exec_ls(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_exec_ls',`
|
define(`corecmd_exec_ls',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type bin_t, ls_exec_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
allow $1 bin_t:lnk_file r_file_perms;
|
allow $1 bin_t:lnk_file r_file_perms;
|
||||||
can_exec($1,ls_exec_t)
|
can_exec($1,ls_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_exec_shell_depend',`
|
|
||||||
type bin_t, ls_exec_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class file { getattr read lock ioctl execute execute_no_trans };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="corecmd_shell_spec_domtrans">
|
## <interface name="corecmd_shell_spec_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
@ -196,7 +163,14 @@ define(`corecmd_exec_shell_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`corecmd_shell_spec_domtrans',`
|
define(`corecmd_shell_spec_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type bin_t, shell_exec_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
class process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
allow $1 bin_t:lnk_file r_file_perms;
|
allow $1 bin_t:lnk_file r_file_perms;
|
||||||
@ -209,17 +183,6 @@ define(`corecmd_shell_spec_domtrans',`
|
|||||||
allow $2 $1:process sigchld;
|
allow $2 $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_shell_spec_domtrans_depend',`
|
|
||||||
type bin_t, shell_exec_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class file rx_file_perms
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="corecmd_domtrans_shell">
|
## <interface name="corecmd_domtrans_shell">
|
||||||
## <description>
|
## <description>
|
||||||
@ -234,32 +197,26 @@ define(`corecmd_shell_spec_domtrans_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`corecmd_domtrans_shell',`
|
define(`corecmd_domtrans_shell',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type shell_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
corecmd_shell_spec_domtrans($1,$2)
|
corecmd_shell_spec_domtrans($1,$2)
|
||||||
type_transition $1 shell_exec_t:process $2;
|
type_transition $1 shell_exec_t:process $2;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecmd_domtrans_shell_depend',`
|
|
||||||
type shell_exec_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecmd_chroot_exec_chroot(domain)
|
# corecmd_chroot_exec_chroot(domain)
|
||||||
#
|
#
|
||||||
define(`corecmd_chroot_exec_chroot',`
|
define(`corecmd_chroot_exec_chroot',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
|
||||||
allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
allow $1 self:capability sys_chroot;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`corecmd_chroot_exec_chroot_depend',`
|
|
||||||
type chroot_exec_t;
|
type chroot_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
class capability sys_chroot;
|
class capability sys_chroot;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
can_exec($1,chroot_exec_t)
|
||||||
|
allow $1 self:capability sys_chroot;
|
||||||
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -206,7 +206,7 @@ define(`files_manage_all_files',`
|
|||||||
allow $1 { file_type $2 }:sock_file create_file_perms;
|
allow $1 { file_type $2 }:sock_file create_file_perms;
|
||||||
|
|
||||||
# satisfy the assertions:
|
# satisfy the assertions:
|
||||||
seutil_write_binary_pol($1)
|
seutil_create_binary_pol($1)
|
||||||
bootloader_manage_kernel_modules($1)
|
bootloader_manage_kernel_modules($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -488,31 +488,25 @@ define(`files_unmount_rootfs_depend',`
|
|||||||
# files_search_etc(domain)
|
# files_search_etc(domain)
|
||||||
#
|
#
|
||||||
define(`files_search_etc',`
|
define(`files_search_etc',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type etc_t;
|
||||||
|
class dir search;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 etc_t:dir search;
|
allow $1 etc_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`files_search_etc_depend',`
|
|
||||||
type etc_t;
|
|
||||||
|
|
||||||
class dir search;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_read_generic_etc_files_directory(domain)
|
# files_list_etc(domain)
|
||||||
#
|
#
|
||||||
define(`files_read_generic_etc_files_directory',`
|
define(`files_list_etc',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type etc_t;
|
||||||
allow $1 etc_t:dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`files_read_generic_etc_files_directory_depend',`
|
allow $1 etc_t:dir r_dir_perms;
|
||||||
type etc_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|||||||
@ -12,12 +12,15 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_domtrans',`
|
define(`getty_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type getty_t, getty_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 getty_exec_t:file { getattr read execute };
|
corecmd_search_sbin($1)
|
||||||
allow $1 getty_t:process transition;
|
domain_auto_trans($1,getty_exec_t,getty_t)
|
||||||
type_transition $1 getty_exec_t:process getty_t;
|
|
||||||
dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 getty_t:fd use;
|
allow $1 getty_t:fd use;
|
||||||
allow getty_t $1:fd use;
|
allow getty_t $1:fd use;
|
||||||
@ -25,15 +28,6 @@ define(`getty_domtrans',`
|
|||||||
allow getty_t $1:process sigchld;
|
allow getty_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_domtrans_depend',`
|
|
||||||
type getty_t, getty_exec_t;
|
|
||||||
|
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="getty_read_log">
|
## <interface name="getty_read_log">
|
||||||
## <description>
|
## <description>
|
||||||
@ -45,15 +39,13 @@ define(`getty_domtrans_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_read_log',`
|
define(`getty_read_log',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type getty_log_t;
|
||||||
allow $1 getty_log_t:file { getattr read };
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_read_log_depend',`
|
logging_search_logs($1)
|
||||||
type getty_log_t;
|
allow $1 getty_log_t:file { getattr read };
|
||||||
|
|
||||||
class file { getattr read };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -67,15 +59,13 @@ define(`getty_read_log_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_read_config',`
|
define(`getty_read_config',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type getty_etc_t;
|
||||||
allow $1 getty_etc_t:file { getattr read };
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_read_config_depend',`
|
files_search_etc($1)
|
||||||
type getty_etc_t;
|
allow $1 getty_etc_t:file { getattr read };
|
||||||
|
|
||||||
class file { getattr read };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -89,15 +79,13 @@ define(`getty_read_config_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_modify_config',`
|
define(`getty_modify_config',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type getty_etc_t;
|
||||||
allow $1 getty_etc_t:file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_modify_config_depend',`
|
files_search_etc($1)
|
||||||
type getty_etc_t;
|
allow $1 getty_etc_t:file rw_file_perms;
|
||||||
|
|
||||||
class file { getattr read write };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -13,12 +13,15 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`hostname_domtrans',`
|
define(`hostname_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hostname_t, hostname_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 hostname_exec_t:file rx_file_perms;
|
corecmd_search_bin($1)
|
||||||
allow $1 hostname_t:process transition;
|
domain_auto_trans($1,hostname_exec_t,hostname_t)
|
||||||
type_transition $1 hostname_exec_t:process hostname_t;
|
|
||||||
dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 hostname_t:fd use;
|
allow $1 hostname_t:fd use;
|
||||||
allow hostname_t $1:fd use;
|
allow hostname_t $1:fd use;
|
||||||
@ -26,15 +29,6 @@ define(`hostname_domtrans',`
|
|||||||
allow hostname_t $1:process sigchld;
|
allow hostname_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hostname_domtrans_depend',`
|
|
||||||
type hostname_t, hostname_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="hostname_run">
|
## <interface name="hostname_run">
|
||||||
## <description>
|
## <description>
|
||||||
@ -54,19 +48,16 @@ define(`hostname_domtrans_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`hostname_run',`
|
define(`hostname_run',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hostname_t;
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
|
')
|
||||||
|
|
||||||
hostname_domtrans($1)
|
hostname_domtrans($1)
|
||||||
role $2 types hostname_t;
|
role $2 types hostname_t;
|
||||||
allow hostname_t $3:chr_file { getattr read write ioctl };
|
allow hostname_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hostname_run_depend',`
|
|
||||||
type hostname_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="hostname_exec">
|
## <interface name="hostname_exec">
|
||||||
## <description>
|
## <description>
|
||||||
@ -78,21 +69,12 @@ define(`hostname_run_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
#######################################
|
|
||||||
#
|
|
||||||
# hostname_exec(domain)
|
|
||||||
#
|
|
||||||
define(`hostname_exec',`
|
define(`hostname_exec',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hostname_exec_t;
|
||||||
can_exec($1,hostname_exec_t)
|
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hostname_exec_depend',`
|
can_exec($1,hostname_exec_t)
|
||||||
type hostname_exec_t;
|
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -9,12 +9,15 @@
|
|||||||
# hotplug_domtrans(domain)
|
# hotplug_domtrans(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_domtrans',`
|
define(`hotplug_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hotplug_t, hotplug_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 hotplug_exec_t:file rx_file_perms;
|
corecmd_search_sbin($1)
|
||||||
allow $1 hotplug_t:process transition;
|
domain_auto_trans($1,hotplug_exec_t,hotplug_t)
|
||||||
type_transition $1 hotplug_exec_t:process hotplug_t;
|
|
||||||
dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 hotplug_t:fd use;
|
allow $1 hotplug_t:fd use;
|
||||||
allow hotplug_t $1:fd use;
|
allow hotplug_t $1:fd use;
|
||||||
@ -22,30 +25,17 @@ define(`hotplug_domtrans',`
|
|||||||
allow hotplug_t $1:process sigchld;
|
allow hotplug_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_domtrans_depend',`
|
|
||||||
type hotplug_t, hotplug_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# hotplug_exec(domain)
|
# hotplug_exec(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_exec',`
|
define(`hotplug_exec',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hotplug_t;
|
||||||
can_exec($1,hotplug_exec_t)
|
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_exec_depend',`
|
corecmd_search_sbin($1)
|
||||||
type hotplug_t;
|
can_exec($1,hotplug_exec_t)
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -53,15 +43,12 @@ define(`hotplug_exec_depend',`
|
|||||||
# hotplug_use_fd(domain)
|
# hotplug_use_fd(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_use_fd',`
|
define(`hotplug_use_fd',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hotplug_t;
|
||||||
allow $1 hotplug_t:fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_use_fd_depend',`
|
allow $1 hotplug_t:fd use;
|
||||||
type hotplug_t;
|
|
||||||
|
|
||||||
class fd use;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -69,15 +56,12 @@ define(`hotplug_use_fd_depend',`
|
|||||||
# hotplug_dontaudit_use_fd(domain)
|
# hotplug_dontaudit_use_fd(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_dontaudit_use_fd',`
|
define(`hotplug_dontaudit_use_fd',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hotplug_t;
|
||||||
dontaudit $1 hotplug_t:fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_dontaudit_use_fd_depend',`
|
dontaudit $1 hotplug_t:fd use;
|
||||||
type hotplug_t;
|
|
||||||
|
|
||||||
class fd use;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -85,15 +69,12 @@ define(`hotplug_dontaudit_use_fd_depend',`
|
|||||||
# hotplug_dontaudit_search_config(domain)
|
# hotplug_dontaudit_search_config(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_dontaudit_search_config',`
|
define(`hotplug_dontaudit_search_config',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hotplug_etc_t;
|
||||||
dontaudit $1 hotplug_etc_t:dir search;
|
class dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_dontaudit_search_config_depend',`
|
dontaudit $1 hotplug_etc_t:dir search;
|
||||||
type hotplug_etc_t;
|
|
||||||
|
|
||||||
class dir search;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -107,7 +88,12 @@ define(`hotplug_dontaudit_search_config_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`hotplug_read_config',`
|
define(`hotplug_read_config',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type hotplug_etc_t;
|
||||||
|
class file r_file_perms;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 hotplug_etc_t:file r_file_perms;
|
allow $1 hotplug_etc_t:file r_file_perms;
|
||||||
@ -115,12 +101,4 @@ define(`hotplug_read_config',`
|
|||||||
allow $1 hotplug_etc_t:lnk_file r_file_perms;
|
allow $1 hotplug_etc_t:lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_read_config_depend',`
|
|
||||||
type hotplug_etc_t;
|
|
||||||
|
|
||||||
class file r_file_perms;
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -6,17 +6,20 @@
|
|||||||
# init_domain(domain,entrypointfile)
|
# init_domain(domain,entrypointfile)
|
||||||
#
|
#
|
||||||
define(`init_domain',`
|
define(`init_domain',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type init_t;
|
||||||
|
role system_r;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
class process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
domain_type($1)
|
domain_type($1)
|
||||||
domain_entry_file($1,$2)
|
domain_entry_file($1,$2)
|
||||||
|
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
allow init_t $1:process transition;
|
domain_auto_trans(init_t,$2,$1)
|
||||||
allow init_t $2:file rx_file_perms;
|
|
||||||
dontaudit init_t $1:process { noatsecure siginh rlimitinh };
|
|
||||||
type_transition init_t $2:process $1;
|
|
||||||
|
|
||||||
allow $1 init_t:fd use;
|
allow $1 init_t:fd use;
|
||||||
allow init_t $1:fd use;
|
allow init_t $1:fd use;
|
||||||
@ -31,31 +34,25 @@ define(`init_domain',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_domain_depend',`
|
|
||||||
type init_t;
|
|
||||||
class file rx_file_perms;
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
role system_r;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_daemon_domain(domain,entrypointfile)
|
# init_daemon_domain(domain,entrypointfile)
|
||||||
#
|
#
|
||||||
define(`init_daemon_domain',`
|
define(`init_daemon_domain',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_t;
|
||||||
|
role system_r;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
class fd use;
|
||||||
|
class process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
domain_type($1)
|
domain_type($1)
|
||||||
domain_entry_file($1,$2)
|
domain_entry_file($1,$2)
|
||||||
|
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
allow initrc_t $1:process transition;
|
domain_auto_trans(initrc_t,$2,$1)
|
||||||
allow initrc_t $2:file rx_file_perms;
|
|
||||||
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
|
|
||||||
type_transition initrc_t $2:process $1;
|
|
||||||
|
|
||||||
allow initrc_t $1:fd use;
|
allow initrc_t $1:fd use;
|
||||||
allow $1 initrc_t:fd use;
|
allow $1 initrc_t:fd use;
|
||||||
@ -70,33 +67,25 @@ define(`init_daemon_domain',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_daemon_domain_depend',`
|
|
||||||
type initrc_t;
|
|
||||||
|
|
||||||
role system_r;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
class fd use;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_system_domain(domain,entrypointfile)
|
# init_system_domain(domain,entrypointfile)
|
||||||
#
|
#
|
||||||
define(`init_system_domain',`
|
define(`init_system_domain',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_t;
|
||||||
|
role system_r;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
class process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
domain_type($1)
|
domain_type($1)
|
||||||
domain_entry_file($1,$2)
|
domain_entry_file($1,$2)
|
||||||
|
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
allow initrc_t $1:process transition;
|
domain_auto_trans(initrc_t,$2,$1)
|
||||||
allow initrc_t $2:file rx_file_perms;
|
|
||||||
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
|
|
||||||
type_transition initrc_t $2:process $1;
|
|
||||||
|
|
||||||
allow initrc_t $1:fd use;
|
allow initrc_t $1:fd use;
|
||||||
allow $1 initrc_t:fd use;
|
allow $1 initrc_t:fd use;
|
||||||
@ -111,27 +100,19 @@ define(`init_system_domain',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_system_domain_depend',`
|
|
||||||
type initrc_t;
|
|
||||||
role system_r;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_domtrans(domain)
|
# init_domtrans(domain)
|
||||||
#
|
#
|
||||||
define(`init_domtrans',`
|
define(`init_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type init_t, init_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 init_exec_t:file rx_file_perms;
|
domain_auto_trans($1,init_exec_t,init_t)
|
||||||
allow $1 init_t:process transition;
|
|
||||||
type_transition $1 init_exec_t:process init_t;
|
|
||||||
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 init_t:fd use;
|
allow $1 init_t:fd use;
|
||||||
allow init_t $1:fd use;
|
allow init_t $1:fd use;
|
||||||
@ -139,29 +120,17 @@ define(`init_domtrans',`
|
|||||||
allow init_t $1:process sigchld;
|
allow init_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_domtrans_depend',`
|
|
||||||
type init_t, init_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_get_process_group(domain)
|
# init_get_process_group(domain)
|
||||||
#
|
#
|
||||||
define(`init_get_process_group',`
|
define(`init_get_process_group',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type init_t;
|
||||||
allow $1 init_t:process getpgid;
|
class process getpgid;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_get_process_group_depend',`
|
allow $1 init_t:process getpgid;
|
||||||
type init_t;
|
|
||||||
|
|
||||||
class process getpgid;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -169,15 +138,12 @@ define(`init_get_process_group_depend',`
|
|||||||
# init_getattr_initctl(domain)
|
# init_getattr_initctl(domain)
|
||||||
#
|
#
|
||||||
define(`init_getattr_initctl',`
|
define(`init_getattr_initctl',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initctl_t;
|
||||||
allow $1 initctl_t:fifo_file getattr;
|
class fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_getattr_initctl_depend',`
|
allow $1 initctl_t:fifo_file getattr;
|
||||||
type initctl_t;
|
|
||||||
|
|
||||||
class fifo_file getattr;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -185,15 +151,12 @@ define(`init_getattr_initctl_depend',`
|
|||||||
# init_dontaudit_getattr_initctl(domain)
|
# init_dontaudit_getattr_initctl(domain)
|
||||||
#
|
#
|
||||||
define(`init_dontaudit_getattr_initctl',`
|
define(`init_dontaudit_getattr_initctl',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initctl_t;
|
||||||
dontaudit $1 initctl_t:fifo_file getattr;
|
class fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_getattr_initctl_depend',`
|
dontaudit $1 initctl_t:fifo_file getattr;
|
||||||
type initctl_t;
|
|
||||||
|
|
||||||
class fifo_file getattr;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -201,32 +164,26 @@ define(`init_getattr_initctl_depend',`
|
|||||||
# init_use_initctl(domain)
|
# init_use_initctl(domain)
|
||||||
#
|
#
|
||||||
define(`init_use_initctl',`
|
define(`init_use_initctl',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initctl_t;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 initctl_t:fifo_file rw_file_perms;
|
allow $1 initctl_t:fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_use_initctl_depend',`
|
|
||||||
type initctl_t;
|
|
||||||
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_dontaudit_use_initctl(domain)
|
# init_dontaudit_use_initctl(domain)
|
||||||
#
|
#
|
||||||
define(`init_dontaudit_use_initctl',`
|
define(`init_dontaudit_use_initctl',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initctl_t;
|
||||||
dontaudit $1 initctl_t:fifo_file { read write };
|
class fifo_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_dontaudit_use_initctl_depend',`
|
dontaudit $1 initctl_t:fifo_file { read write };
|
||||||
type initctl_t;
|
|
||||||
|
|
||||||
class fifo_file { read write };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -234,15 +191,12 @@ define(`init_dontaudit_use_initctl_depend',`
|
|||||||
# init_sigchld(domain)
|
# init_sigchld(domain)
|
||||||
#
|
#
|
||||||
define(`init_sigchld',`
|
define(`init_sigchld',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type init_t;
|
||||||
allow $1 init_t:process sigchld;
|
class process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_sigchld_depend',`
|
allow $1 init_t:process sigchld;
|
||||||
type init_t;
|
|
||||||
|
|
||||||
class process sigchld;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -250,15 +204,12 @@ define(`init_sigchld_depend',`
|
|||||||
# init_use_fd(domain)
|
# init_use_fd(domain)
|
||||||
#
|
#
|
||||||
define(`init_use_fd',`
|
define(`init_use_fd',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type init_t;
|
||||||
allow $1 init_t:fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_use_fd_depend',`
|
allow $1 init_t:fd use;
|
||||||
type init_t;
|
|
||||||
|
|
||||||
class fd use;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -266,15 +217,12 @@ define(`init_use_fd_depend',`
|
|||||||
# init_dontaudit_use_fd(domain)
|
# init_dontaudit_use_fd(domain)
|
||||||
#
|
#
|
||||||
define(`init_dontaudit_use_fd',`
|
define(`init_dontaudit_use_fd',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type init_t;
|
||||||
dontaudit $1 init_t:fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_dontaudit_use_fd_depend',`
|
dontaudit $1 init_t:fd use;
|
||||||
type init_t;
|
|
||||||
|
|
||||||
class fd use;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -282,12 +230,15 @@ define(`init_dontaudit_use_fd_depend',`
|
|||||||
# init_domtrans_script(domain)
|
# init_domtrans_script(domain)
|
||||||
#
|
#
|
||||||
define(`init_domtrans_script',`
|
define(`init_domtrans_script',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_t, initrc_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 initrc_exec_t:file rx_file_perms;
|
files_list_etc($1)
|
||||||
allow $1 initrc_t:process transition;
|
domain_auto_trans($1,initrc_exec_t,initrc_t)
|
||||||
type_transition $1 initrc_exec_t:process init_t;
|
|
||||||
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 initrc_t:fd use;
|
allow $1 initrc_t:fd use;
|
||||||
allow initrc_t $1:fd use;
|
allow initrc_t $1:fd use;
|
||||||
@ -295,30 +246,17 @@ define(`init_domtrans_script',`
|
|||||||
allow initrc_t $1:process sigchld;
|
allow initrc_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_domtrans_script_depend',`
|
|
||||||
type initrc_t, initrc_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_exec_script(domain)
|
# init_exec_script(domain)
|
||||||
#
|
#
|
||||||
define(`init_exec_script',`
|
define(`init_exec_script',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_exec_t;
|
||||||
can_exec($1,initrc_exec_t)
|
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_exec_script_depend',`
|
files_list_etc($1)
|
||||||
type initrc_exec_t;
|
can_exec($1,initrc_exec_t)
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -332,8 +270,15 @@ define(`init_exec_script_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`init_read_script_process_state',`
|
define(`init_read_script_process_state',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
class process { getattr ptrace };
|
||||||
|
')
|
||||||
|
|
||||||
|
#FIXME: search proc dir
|
||||||
allow $1 initrc_t:dir r_dir_perms;
|
allow $1 initrc_t:dir r_dir_perms;
|
||||||
allow $1 initrc_t:{ file lnk_file } r_file_perms;
|
allow $1 initrc_t:{ file lnk_file } r_file_perms;
|
||||||
allow $1 initrc_t:process getattr;
|
allow $1 initrc_t:process getattr;
|
||||||
@ -345,29 +290,17 @@ define(`init_read_script_process_state',`
|
|||||||
dontaudit $1 initrc_t:process ptrace;
|
dontaudit $1 initrc_t:process ptrace;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_read_script_process_state_depend',`
|
|
||||||
type initrc_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class process { getattr ptrace };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_use_script_fd(domain)
|
# init_use_script_fd(domain)
|
||||||
#
|
#
|
||||||
define(`init_use_script_fd',`
|
define(`init_use_script_fd',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_t;
|
||||||
allow $1 initrc_t:fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_use_script_fd_depend',`
|
allow $1 initrc_t:fd use;
|
||||||
type initrc_t;
|
|
||||||
|
|
||||||
class fd use;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -375,15 +308,12 @@ define(`init_use_script_fd_depend',`
|
|||||||
# init_dontaudit_use_script_fd(domain)
|
# init_dontaudit_use_script_fd(domain)
|
||||||
#
|
#
|
||||||
define(`init_dontaudit_use_script_fd',`
|
define(`init_dontaudit_use_script_fd',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_t;
|
||||||
dontaudit $1 initrc_t:fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_dontaudit_use_script_fd_depend',`
|
dontaudit $1 initrc_t:fd use;
|
||||||
type initrc_t;
|
|
||||||
|
|
||||||
class fd use;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -391,15 +321,12 @@ define(`init_dontaudit_use_script_fd_depend',`
|
|||||||
# init_get_script_process_group(domain)
|
# init_get_script_process_group(domain)
|
||||||
#
|
#
|
||||||
define(`init_get_script_process_group',`
|
define(`init_get_script_process_group',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_t;
|
||||||
allow $1 initrc_t:process getpgid;
|
class process getpgid;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_get_script_process_group_depend',`
|
allow $1 initrc_t:process getpgid;
|
||||||
type initrc_t;
|
|
||||||
|
|
||||||
class process getpgid;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -407,16 +334,13 @@ define(`init_get_script_process_group_depend',`
|
|||||||
# init_use_script_pty(domain)
|
# init_use_script_pty(domain)
|
||||||
#
|
#
|
||||||
define(`init_use_script_pty',`
|
define(`init_use_script_pty',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_devpts_t;
|
||||||
term_list_ptys($1)
|
class chr_file rw_term_perms;
|
||||||
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_use_script_pty_depend',`
|
term_list_ptys($1)
|
||||||
type initrc_devpts_t;
|
allow $1 initrc_devpts_t:chr_file rw_term_perms;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -424,15 +348,12 @@ define(`init_use_script_pty_depend',`
|
|||||||
# init_dontaudit_use_script_pty(domain)
|
# init_dontaudit_use_script_pty(domain)
|
||||||
#
|
#
|
||||||
define(`init_dontaudit_use_script_pty',`
|
define(`init_dontaudit_use_script_pty',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_devpts_t;
|
||||||
dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
|
class chr_file { read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_dontaudit_use_script_pty_depend',`
|
dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
|
||||||
type initrc_devpts_t;
|
|
||||||
|
|
||||||
class chr_file { read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -446,16 +367,13 @@ define(`init_dontaudit_use_script_pty_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`init_rw_script_tmp_files',`
|
define(`init_rw_script_tmp_files',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_var_run_t;
|
||||||
# FIXME: read tmp_t
|
class file rw_file_perms;
|
||||||
allow $1 initrc_tmp_t:file rw_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_rw_script_tmp_files_depend',`
|
# FIXME: read tmp_t dir
|
||||||
type initrc_var_run_t;
|
allow $1 initrc_tmp_t:file rw_file_perms;
|
||||||
|
|
||||||
class file rw_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -463,32 +381,26 @@ define(`init_rw_script_tmp_files_depend',`
|
|||||||
# init_read_script_pid(domain)
|
# init_read_script_pid(domain)
|
||||||
#
|
#
|
||||||
define(`init_read_script_pid',`
|
define(`init_read_script_pid',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_var_run_t;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
files_list_pids($1)
|
files_list_pids($1)
|
||||||
allow $1 initrc_var_run_t:file r_file_perms;
|
allow $1 initrc_var_run_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_read_script_pid_depend',`
|
|
||||||
type initrc_var_run_t;
|
|
||||||
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_dontaudit_write_script_pid(domain)
|
# init_dontaudit_write_script_pid(domain)
|
||||||
#
|
#
|
||||||
define(`init_dontaudit_write_script_pid',`
|
define(`init_dontaudit_write_script_pid',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_var_run_t;
|
||||||
dontaudit $1 initrc_var_run_t:file { write lock };
|
class file { write lock };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_dontaudit_write_script_pid_depend',`
|
dontaudit $1 initrc_var_run_t:file { write lock };
|
||||||
type initrc_var_run_t;
|
|
||||||
|
|
||||||
class file { write lock };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -496,32 +408,26 @@ define(`init_dontaudit_write_script_pid_depend',`
|
|||||||
# init_rw_script_pid(domain)
|
# init_rw_script_pid(domain)
|
||||||
#
|
#
|
||||||
define(`init_rw_script_pid',`
|
define(`init_rw_script_pid',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_var_run_t;
|
||||||
|
class file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
files_list_pids($1)
|
files_list_pids($1)
|
||||||
allow $1 initrc_var_run_t:file rw_file_perms;
|
allow $1 initrc_var_run_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_rw_script_pid_depend',`
|
|
||||||
type initrc_var_run_t;
|
|
||||||
|
|
||||||
class file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_dontaudit_rw_script_pid(domain)
|
# init_dontaudit_rw_script_pid(domain)
|
||||||
#
|
#
|
||||||
define(`init_dontaudit_rw_script_pid',`
|
define(`init_dontaudit_rw_script_pid',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type initrc_var_run_t;
|
||||||
|
class file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_dontaudit_rw_script_pid_depend',`
|
|
||||||
type initrc_var_run_t;
|
|
||||||
|
|
||||||
class file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -12,12 +12,15 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`iptables_domtrans',`
|
define(`iptables_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type iptables_t, iptables_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 iptables_exec_t:file rx_file_perms;
|
corecmd_search_sbin($1)
|
||||||
allow $1 iptables_t:process transition;
|
domain_auto_trans($1,iptables_exec_t,iptables_t)
|
||||||
type_transition $1 iptables_exec_t:process iptables_t;
|
|
||||||
dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 iptables_t:fd use;
|
allow $1 iptables_t:fd use;
|
||||||
allow iptables_t $1:fd use;
|
allow iptables_t $1:fd use;
|
||||||
@ -25,15 +28,6 @@ define(`iptables_domtrans',`
|
|||||||
allow iptables_t $1:process sigchld;
|
allow iptables_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`iptables_domtrans_depend',`
|
|
||||||
type iptables_t, iptables_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="iptables_run">
|
## <interface name="iptables_run">
|
||||||
## <description>
|
## <description>
|
||||||
@ -52,17 +46,14 @@ define(`iptables_domtrans_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`iptables_run',`
|
define(`iptables_run',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type iptables_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
iptables_domtrans($1)
|
iptables_domtrans($1)
|
||||||
role $2 types iptables_t;
|
role $2 types iptables_t;
|
||||||
allow iptables_t $3:chr_file { getattr read write ioctl };
|
allow iptables_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`iptables_run_depend',`
|
|
||||||
type iptables_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -76,16 +67,12 @@ define(`iptables_run_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`iptables_exec',`
|
define(`iptables_exec',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type iptables_exec_t;
|
||||||
can_exec($1,iptables_exec_t)
|
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`iptables_exec_depend',`
|
corecmd_search_sbin($1)
|
||||||
type iptables_t, iptables_exec_t;
|
can_exec($1,iptables_exec_t)
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -12,8 +12,14 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libs_domtrans_ldconfig',`
|
define(`libs_domtrans_ldconfig',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type ldconfig_t, ldconfig_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
|
domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
|
||||||
|
|
||||||
allow $1 ldconfig_t:fd use;
|
allow $1 ldconfig_t:fd use;
|
||||||
@ -22,15 +28,6 @@ define(`libs_domtrans_ldconfig',`
|
|||||||
allow ldconfig_t $1:process sigchld;
|
allow ldconfig_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libs_domtrans_ldconfig_depend',`
|
|
||||||
type ldconfig_t, ldconfig_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libs_run_ldconfig">
|
## <interface name="libs_run_ldconfig">
|
||||||
## <description>
|
## <description>
|
||||||
@ -48,17 +45,14 @@ define(`libs_domtrans_ldconfig_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libs_run_ldconfig',`
|
define(`libs_run_ldconfig',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type ldconfig_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
libs_domtrans_ldconfig($1)
|
libs_domtrans_ldconfig($1)
|
||||||
role $2 types ldconfig_t;
|
role $2 types ldconfig_t;
|
||||||
allow ldconfig_t $3:chr_file { getattr read write ioctl };
|
allow ldconfig_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`libs_run_ldconfig_depend',`
|
|
||||||
type ldconfig_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -73,9 +67,14 @@ define(`libs_run_ldconfig_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libs_use_ld_so',`
|
define(`libs_use_ld_so',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type lib_t, ld_so_t, ld_so_cache_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
class file rx_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
files_read_generic_etc_files_directory($1)
|
files_list_etc($1)
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
allow $1 lib_t:lnk_file r_file_perms;
|
allow $1 lib_t:lnk_file r_file_perms;
|
||||||
allow $1 ld_so_t:lnk_file r_file_perms;
|
allow $1 ld_so_t:lnk_file r_file_perms;
|
||||||
@ -83,14 +82,6 @@ define(`libs_use_ld_so',`
|
|||||||
allow $1 ld_so_cache_t:file r_file_perms;
|
allow $1 ld_so_cache_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libs_use_ld_so_depend',`
|
|
||||||
type lib_t, ld_so_t, ld_so_cache_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class file rx_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libs_legacy_use_ld_so">
|
## <interface name="libs_legacy_use_ld_so">
|
||||||
## <description>
|
## <description>
|
||||||
@ -103,19 +94,16 @@ define(`libs_use_ld_so_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libs_legacy_use_ld_so',`
|
define(`libs_legacy_use_ld_so',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type ld_so_t, ld_so_cache_t;
|
||||||
|
class file { execute execmod };
|
||||||
|
')
|
||||||
|
|
||||||
libs_use_ld_so($1)
|
libs_use_ld_so($1)
|
||||||
allow $1 ld_so_t:file execmod;
|
allow $1 ld_so_t:file execmod;
|
||||||
allow $1 ld_so_cache_t:file execute;
|
allow $1 ld_so_cache_t:file execute;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libs_legacy_use_ld_so_depend',`
|
|
||||||
type ld_so_t, ld_so_cache_t;
|
|
||||||
|
|
||||||
class file { execute execmod };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libs_exec_ld_so">
|
## <interface name="libs_exec_ld_so">
|
||||||
## <description>
|
## <description>
|
||||||
@ -132,20 +120,16 @@ define(`libs_legacy_use_ld_so_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libs_exec_ld_so',`
|
define(`libs_exec_ld_so',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type lib_t, ld_so_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
allow $1 lib_t:lnk_file r_file_perms;
|
allow $1 lib_t:lnk_file r_file_perms;
|
||||||
allow $1 ld_so_t:lnk_file r_file_perms;
|
allow $1 ld_so_t:lnk_file r_file_perms;
|
||||||
allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
|
can_exec($1,ld_so_t)
|
||||||
')
|
|
||||||
|
|
||||||
define(`libs_exec_ld_so_depend',`
|
|
||||||
type lib_t, ld_so_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class file { r_file_perms execute execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -160,16 +144,32 @@ define(`libs_exec_ld_so_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libs_rw_ld_so_cache',`
|
define(`libs_rw_ld_so_cache',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type ld_so_cache_t;
|
||||||
|
class file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
files_read_generic_etc_files_directory($1)
|
files_list_etc($1)
|
||||||
allow $1 ld_so_cache_t:file rw_file_perms;
|
allow $1 ld_so_cache_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libs_rw_ld_so_cache_depend',`
|
########################################
|
||||||
type ld_so_cache_t;
|
## <interface name="libs_search_lib">
|
||||||
|
## <description>
|
||||||
|
## Search lib directories.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
|
define(`libs_search_lib',`
|
||||||
|
gen_require(`
|
||||||
|
type lib_t;
|
||||||
|
class dir search;
|
||||||
|
')
|
||||||
|
|
||||||
class file rw_file_perms;
|
allow $1 lib_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -184,20 +184,18 @@ define(`libs_rw_ld_so_cache_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libs_read_lib',`
|
define(`libs_read_lib',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
|
||||||
allow $1 lib_t:{ file lnk_file } r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`libs_read_lib_depend',`
|
|
||||||
type lib_t;
|
type lib_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class lnk_file r_file_perms;
|
class lnk_file r_file_perms;
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_usr($1)
|
||||||
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
|
allow $1 lib_t:{ file lnk_file } r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libs_exec_lib_files">
|
## <interface name="libs_exec_lib_files">
|
||||||
## <description>
|
## <description>
|
||||||
@ -209,19 +207,16 @@ define(`libs_read_lib_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libs_exec_lib_files',`
|
define(`libs_exec_lib_files',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
|
||||||
allow $1 lib_t:lnk_file r_file_perms;
|
|
||||||
allow $1 lib_t:file { getattr read execute execute_no_trans };
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`libs_exec_lib_files_depend',`
|
|
||||||
type lib_t;
|
type lib_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class lnk_file r_file_perms;
|
class lnk_file r_file_perms;
|
||||||
class file { getattr read execute execute_no_trans };
|
')
|
||||||
|
|
||||||
|
files_search_usr($1)
|
||||||
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
|
allow $1 lib_t:lnk_file r_file_perms;
|
||||||
|
can_exec($1,lib_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -235,7 +230,12 @@ define(`libs_exec_lib_files_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libs_use_shared_libs',`
|
define(`libs_use_shared_libs',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type lib_t, shlib_t, texrel_shlib_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
class file rx_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
files_search_usr($1)
|
files_search_usr($1)
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
@ -244,14 +244,6 @@ define(`libs_use_shared_libs',`
|
|||||||
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
|
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libs_use_shared_libs_depend',`
|
|
||||||
type lib_t, shlib_t, texrel_shlib_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class file rx_dir_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libs_legacy_use_shared_libs">
|
## <interface name="libs_legacy_use_shared_libs">
|
||||||
## <description>
|
## <description>
|
||||||
@ -264,16 +256,13 @@ define(`libs_use_shared_libs_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libs_legacy_use_shared_libs',`
|
define(`libs_legacy_use_shared_libs',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type shlib_t, texrel_shlib_t;
|
||||||
|
class file execmod;
|
||||||
|
')
|
||||||
|
|
||||||
libs_use_shared_libs($1)
|
libs_use_shared_libs($1)
|
||||||
allow $1 { shlib_t texrel_shlib_t }:file execmod;
|
allow $1 { shlib_t texrel_shlib_t }:file execmod;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libs_legacy_use_shared_libs_depend',`
|
|
||||||
type shlib_t, texrel_shlib_t;
|
|
||||||
|
|
||||||
class file execmod;
|
|
||||||
')
|
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -12,13 +12,11 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`locallogin_domtrans',`
|
define(`locallogin_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type local_login_t;
|
||||||
auth_domtrans_login_program($1,local_login_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`locallogin_domtrans_depend',`
|
auth_domtrans_login_program($1,local_login_t)
|
||||||
type local_login_t;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -31,20 +29,13 @@ define(`locallogin_domtrans_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# locallogin_use_fd(domain)
|
|
||||||
#
|
|
||||||
define(`locallogin_use_fd',`
|
define(`locallogin_use_fd',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type local_login_t;
|
||||||
|
class fd use;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 local_login_t:fd use;
|
allow $1 local_login_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`locallogin_use_fd_depend',`
|
|
||||||
type local_login_t;
|
|
||||||
|
|
||||||
class fd use;
|
|
||||||
')
|
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -6,22 +6,23 @@
|
|||||||
# logging_log_file(domain)
|
# logging_log_file(domain)
|
||||||
#
|
#
|
||||||
define(`logging_log_file',`
|
define(`logging_log_file',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
attribute logfile;
|
||||||
|
')
|
||||||
|
|
||||||
files_file_type($1)
|
files_file_type($1)
|
||||||
typeattribute $1 logfile;
|
typeattribute $1 logfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_log_file_depend',`
|
|
||||||
attribute logfile;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# logging_create_log(domain,privatetype,[class(es)])
|
# logging_create_log(domain,privatetype,[class(es)])
|
||||||
#
|
#
|
||||||
define(`logging_create_log',`
|
define(`logging_create_log',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type var_log_t;
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 var_log_t:dir rw_dir_perms;
|
allow $1 var_log_t:dir rw_dir_perms;
|
||||||
|
|
||||||
@ -32,18 +33,18 @@ define(`logging_create_log',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_create_log_depend',`
|
|
||||||
type var_log_t;
|
|
||||||
|
|
||||||
class dir rw_dir_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_send_syslog_msg(domain)
|
# logging_send_syslog_msg(domain)
|
||||||
#
|
#
|
||||||
define(`logging_send_syslog_msg',`
|
define(`logging_send_syslog_msg',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type syslogd_t, devlog_t;
|
||||||
|
class lnk_file read;
|
||||||
|
class sock_file rw_file_perms;
|
||||||
|
class unix_dgram_socket { create_socket_perms sendto };
|
||||||
|
class unix_stream_socket { create_socket_perms connectto };
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 devlog_t:lnk_file read;
|
allow $1 devlog_t:lnk_file read;
|
||||||
allow $1 devlog_t:sock_file rw_file_perms;
|
allow $1 devlog_t:sock_file rw_file_perms;
|
||||||
@ -58,14 +59,6 @@ define(`logging_send_syslog_msg',`
|
|||||||
term_use_console($1)
|
term_use_console($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_send_syslog_msg_depend',`
|
|
||||||
type syslogd_t, devlog_t;
|
|
||||||
|
|
||||||
class sock_file rw_file_perms;
|
|
||||||
class unix_dgram_socket { create_socket_perms sendto };
|
|
||||||
class unix_stream_socket { create_socket_perms connectto };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="logging_search_logs">
|
## <interface name="logging_search_logs">
|
||||||
## <description>
|
## <description>
|
||||||
@ -79,32 +72,26 @@ define(`logging_send_syslog_msg_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`logging_search_logs',`
|
define(`logging_search_logs',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type var_log_t;
|
||||||
|
class dir search;
|
||||||
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir search;
|
allow $1 var_log_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_search_logs_depend',`
|
|
||||||
type var_log_t;
|
|
||||||
|
|
||||||
class dir search;
|
|
||||||
')
|
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_dontaudit_getattr_all_logs(domain)
|
# logging_dontaudit_getattr_all_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_dontaudit_getattr_all_logs',`
|
define(`logging_dontaudit_getattr_all_logs',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
attribute logfile;
|
||||||
dontaudit $1 logfile:file getattr;
|
class file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_dontaudit_getattr_all_logs_depend',`
|
dontaudit $1 logfile:file getattr;
|
||||||
attribute logfile;
|
|
||||||
|
|
||||||
class file getattr;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -112,98 +99,81 @@ define(`logging_dontaudit_getattr_all_logs_depend',`
|
|||||||
# logging_append_all_logs(domain)
|
# logging_append_all_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_append_all_logs',`
|
define(`logging_append_all_logs',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
attribute logfile;
|
||||||
|
type var_log_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file { getattr append };
|
||||||
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir r_dir_perms;
|
allow $1 var_log_t:dir r_dir_perms;
|
||||||
allow $1 logfile:file { getattr append };
|
allow $1 logfile:file { getattr append };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_append_all_logs_depend',`
|
|
||||||
attribute logfile;
|
|
||||||
|
|
||||||
type var_log_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file { getattr append };
|
|
||||||
')
|
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_read_all_logs(domain)
|
# logging_read_all_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_read_all_logs',`
|
define(`logging_read_all_logs',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
attribute logfile;
|
||||||
|
type var_log_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir r_dir_perms;
|
allow $1 var_log_t:dir r_dir_perms;
|
||||||
allow $1 logfile:file r_file_perms;
|
allow $1 logfile:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_read_all_logs_depend',`
|
|
||||||
attribute logfile;
|
|
||||||
|
|
||||||
type var_log_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_read_generic_logs(domain)
|
# logging_read_generic_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_read_generic_logs',`
|
define(`logging_read_generic_logs',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type var_log_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir r_dir_perms;
|
allow $1 var_log_t:dir r_dir_perms;
|
||||||
allow $1 var_log_t:file r_file_perms;
|
allow $1 var_log_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_read_generic_logs_depend',`
|
|
||||||
type var_log_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_write_generic_logs(domain)
|
# logging_write_generic_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_write_generic_logs',`
|
define(`logging_write_generic_logs',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type var_log_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file { getattr write };
|
||||||
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir r_dir_perms;
|
allow $1 var_log_t:dir r_dir_perms;
|
||||||
allow $1 var_log_t:file { getattr write };
|
allow $1 var_log_t:file { getattr write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_write_generic_logs_depend',`
|
|
||||||
type var_log_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file { getattr write };
|
|
||||||
')
|
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_rw_generic_logs(domain)
|
# logging_rw_generic_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_rw_generic_logs',`
|
define(`logging_rw_generic_logs',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type var_log_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir r_dir_perms;
|
allow $1 var_log_t:dir r_dir_perms;
|
||||||
allow $1 var_log_t:file rw_file_perms;
|
allow $1 var_log_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_rw_generic_logs_depend',`
|
|
||||||
type var_log_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -12,8 +12,14 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`lvm_domtrans',`
|
define(`lvm_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type lvm_t, lvm_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
domain_auto_trans($1, lvm_exec_t, lvm_t)
|
domain_auto_trans($1, lvm_exec_t, lvm_t)
|
||||||
|
|
||||||
allow $1 lvm_t:fd use;
|
allow $1 lvm_t:fd use;
|
||||||
@ -22,15 +28,6 @@ define(`lvm_domtrans',`
|
|||||||
allow lvm_t $1:process sigchld;
|
allow lvm_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`lvm_domtrans_depend',`
|
|
||||||
type lvm_t, lvm_exec_t;
|
|
||||||
|
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="lvm_run">
|
## <interface name="lvm_run">
|
||||||
## <description>
|
## <description>
|
||||||
@ -48,17 +45,14 @@ define(`lvm_domtrans_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`lvm_run',`
|
define(`lvm_run',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type lvm_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
lvm_domtrans($1)
|
lvm_domtrans($1)
|
||||||
role $2 types lvm_t;
|
role $2 types lvm_t;
|
||||||
allow lvm_t $3:chr_file { getattr read write ioctl };
|
allow lvm_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`lvm_run_depend',`
|
|
||||||
type lvm_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -72,17 +66,15 @@ define(`lvm_run_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`lvm_read_config',`
|
define(`lvm_read_config',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
|
||||||
allow $1 lvm_etc_t:dir r_dir_perms;
|
|
||||||
allow $1 lvm_etc_t:file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`lvm_read_config_depend',`
|
|
||||||
type lvm_t, lvm_exec_t;
|
type lvm_t, lvm_exec_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 lvm_etc_t:dir r_dir_perms;
|
||||||
|
allow $1 lvm_etc_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -7,77 +7,69 @@
|
|||||||
## Allow process to create files and dirs in /var/cache/man
|
## Allow process to create files and dirs in /var/cache/man
|
||||||
## and /var/catman/
|
## and /var/catman/
|
||||||
## </description>
|
## </description>
|
||||||
## <securitydesc>
|
|
||||||
## ...
|
|
||||||
## </securitydesc>
|
|
||||||
## <parameter name="domain">
|
## <parameter name="domain">
|
||||||
## Type type of the process performing this action.
|
## Type type of the process performing this action.
|
||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_rw_man_cache',`
|
define(`miscfiles_rw_man_cache',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
|
||||||
# FIXME: search var_t dir
|
|
||||||
allow $1 catman_t:dir create_dir_perms;
|
|
||||||
allow $1 catman_t:file create_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`miscfiles_rw_man_cache_depend',`
|
|
||||||
type catman_t;
|
type catman_t;
|
||||||
|
|
||||||
class dir create_dir_perms;
|
class dir create_dir_perms;
|
||||||
class file create_file_perms;
|
class file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_var($1)
|
||||||
|
allow $1 catman_t:dir create_dir_perms;
|
||||||
|
allow $1 catman_t:file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="miscfiles_read_fonts">
|
## <interface name="miscfiles_read_fonts">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow process to read fonts files
|
## Allow process to read fonts files
|
||||||
## </description>
|
## </description>
|
||||||
## <securitydesc>
|
|
||||||
## ...
|
|
||||||
## </securitydesc>
|
|
||||||
## <parameter name="domain">
|
## <parameter name="domain">
|
||||||
## Type type of the process performing this action.
|
## Type type of the process performing this action.
|
||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_read_fonts',`
|
define(`miscfiles_read_fonts',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type fonts_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_usr($1)
|
||||||
|
libs_search_lib($1)
|
||||||
|
|
||||||
# FIXME: search usr_t dir
|
|
||||||
# FIXME: search lib_t dir
|
|
||||||
# cjp: fonts can be in either of the above dirs
|
# cjp: fonts can be in either of the above dirs
|
||||||
allow $1 fonts_t:dir r_dir_perms;
|
allow $1 fonts_t:dir r_dir_perms;
|
||||||
allow $1 fonts_t:file r_file_perms;
|
allow $1 fonts_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`miscfiles_read_fonts_depend',`
|
|
||||||
type fonts_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="miscfiles_read_localization">
|
## <interface name="miscfiles_read_localization">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow process to read localization info
|
## Allow process to read localization info
|
||||||
## </description>
|
## </description>
|
||||||
## <securitydesc>
|
|
||||||
## ...
|
|
||||||
## </securitydesc>
|
|
||||||
## <parameter name="domain">
|
## <parameter name="domain">
|
||||||
## Type type of the process performing this action.
|
## Type type of the process performing this action.
|
||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_read_localization',`
|
define(`miscfiles_read_localization',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type locale_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
# FIXME: $1 read etc_t:lnk_file here
|
# FIXME: $1 read etc_t:lnk_file here
|
||||||
# FIXME: $1 search usr_t:dir here
|
files_search_usr($1)
|
||||||
allow $1 locale_t:dir r_dir_perms;
|
allow $1 locale_t:dir r_dir_perms;
|
||||||
allow $1 locale_t:lnk_file r_file_perms;
|
allow $1 locale_t:lnk_file r_file_perms;
|
||||||
allow $1 locale_t:file r_file_perms;
|
allow $1 locale_t:file r_file_perms;
|
||||||
@ -86,68 +78,48 @@ define(`miscfiles_read_localization',`
|
|||||||
libs_read_lib($1)
|
libs_read_lib($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`miscfiles_read_localization_depend',`
|
|
||||||
type locale_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="miscfiles_legacy_read_localization">
|
## <interface name="miscfiles_legacy_read_localization">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow process to read legacy time localization info
|
## Allow process to read legacy time localization info
|
||||||
## </description>
|
## </description>
|
||||||
## <securitydesc>
|
|
||||||
## ...
|
|
||||||
## </securitydesc>
|
|
||||||
## <parameter name="domain">
|
## <parameter name="domain">
|
||||||
## Type type of the process performing this action.
|
## Type type of the process performing this action.
|
||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_legacy_read_localization',`
|
define(`miscfiles_legacy_read_localization',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type locale_t;
|
||||||
|
class file execute;
|
||||||
|
')
|
||||||
|
|
||||||
miscfiles_read_localization($1)
|
miscfiles_read_localization($1)
|
||||||
allow $1 locale_t:file execute;
|
allow $1 locale_t:file execute;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`miscfiles_read_localization_depend',`
|
|
||||||
type locale_t;
|
|
||||||
|
|
||||||
class file execute;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="miscfiles_read_man_pages">
|
## <interface name="miscfiles_read_man_pages">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow process to read manpages
|
## Allow process to read manpages
|
||||||
## </description>
|
## </description>
|
||||||
## <securitydesc>
|
|
||||||
## ...
|
|
||||||
## </securitydesc>
|
|
||||||
## <parameter name="domain">
|
## <parameter name="domain">
|
||||||
## Type type of the process performing this action.
|
## Type type of the process performing this action.
|
||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_read_man_pages',`
|
define(`miscfiles_read_man_pages',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
|
||||||
# FIXME: search usr_t dir
|
|
||||||
allow $1 man_t:dir r_dir_perms;
|
|
||||||
allow $1 man_t:file r_file_perms;
|
|
||||||
allow $1 man_t:lnk_file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`miscfiles_read_man_pages_depend',`
|
|
||||||
type man_t;
|
type man_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
class lnk_file r_file_perms;
|
class lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_usr($1)
|
||||||
|
allow $1 man_t:dir r_dir_perms;
|
||||||
|
allow $1 man_t:file r_file_perms;
|
||||||
|
allow $1 man_t:lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -12,19 +12,15 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_read_kernel_module_dependencies',`
|
define(`modutils_read_kernel_module_dependencies',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type modules_dep_t;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
bootloader_list_kernel_modules($1)
|
bootloader_list_kernel_modules($1)
|
||||||
allow $1 modules_dep_t:file r_file_perms;
|
allow $1 modules_dep_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_read_kernel_module_dependencies_depend',`
|
|
||||||
type modules_dep_t;
|
|
||||||
|
|
||||||
class file { getattr create read write setattr unlink };
|
|
||||||
class dir { search read write add_name remove_name };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_read_module_conf">
|
## <interface name="modutils_read_module_conf">
|
||||||
## <description>
|
## <description>
|
||||||
@ -37,22 +33,23 @@ define(`modutils_read_kernel_module_dependencies_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_read_module_conf',`
|
define(`modutils_read_module_conf',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type modules_conf_t;
|
||||||
allow $1 modules_conf_t:file r_file_perms;
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_read_module_conf_depend',`
|
# This file type can be in /etc or
|
||||||
type modules_conf_t;
|
# /lib(64)?/modules
|
||||||
|
files_search_etc($1)
|
||||||
|
bootloader_search_boot_dir($1)
|
||||||
|
|
||||||
class file r_file_perms;
|
allow $1 modules_conf_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_domtrans_insmod">
|
## <interface name="modutils_domtrans_insmod">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute insmod in the insmod domain. Has a
|
## Execute insmod in the insmod domain.
|
||||||
## sigchld backchannel.
|
|
||||||
## </description>
|
## </description>
|
||||||
## <parameter name="domain">
|
## <parameter name="domain">
|
||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
@ -60,8 +57,14 @@ define(`modutils_read_module_conf_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_domtrans_insmod',`
|
define(`modutils_domtrans_insmod',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type insmod_t, insmod_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
domain_auto_trans($1, insmod_exec_t, insmod_t)
|
domain_auto_trans($1, insmod_exec_t, insmod_t)
|
||||||
|
|
||||||
allow $1 insmod_t:fd use;
|
allow $1 insmod_t:fd use;
|
||||||
@ -70,15 +73,6 @@ define(`modutils_domtrans_insmod',`
|
|||||||
allow insmod_t $1:process sigchld;
|
allow insmod_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_domtrans_insmod_depend',`
|
|
||||||
type insmod_t;
|
|
||||||
|
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_run_insmod">
|
## <interface name="modutils_run_insmod">
|
||||||
## <description>
|
## <description>
|
||||||
@ -99,17 +93,14 @@ define(`modutils_domtrans_insmod_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_run_insmod',`
|
define(`modutils_run_insmod',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type insmod_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
modutils_domtrans_insmod($1)
|
modutils_domtrans_insmod($1)
|
||||||
role $2 types insmod_t;
|
role $2 types insmod_t;
|
||||||
allow insmod_t $3:chr_file { getattr read write ioctl };
|
allow insmod_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`modutils_run_insmod_depend',`
|
|
||||||
type insmod_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -117,15 +108,12 @@ define(`modutils_run_insmod_depend',`
|
|||||||
# modutils_exec_insmod(domain)
|
# modutils_exec_insmod(domain)
|
||||||
#
|
#
|
||||||
define(`modutils_exec_insmod',`
|
define(`modutils_exec_insmod',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type insmod_t;
|
||||||
can_exec($1, insmod_exec_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_exec_insmod_depend',`
|
corecmd_search_sbin($1)
|
||||||
type insmod_t;
|
can_exec($1, insmod_exec_t)
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -139,8 +127,14 @@ define(`modutils_exec_insmod_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_domtrans_depmod',`
|
define(`modutils_domtrans_depmod',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type depmod_t, depmod_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
domain_auto_trans($1, depmod_exec_t, depmod_t)
|
domain_auto_trans($1, depmod_exec_t, depmod_t)
|
||||||
|
|
||||||
allow $1 depmod_t:fd use;
|
allow $1 depmod_t:fd use;
|
||||||
@ -149,15 +143,6 @@ define(`modutils_domtrans_depmod',`
|
|||||||
allow depmod_t $1:process sigchld;
|
allow depmod_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_domtrans_depmod_depend',`
|
|
||||||
type depmod_t;
|
|
||||||
|
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_run_depmod">
|
## <interface name="modutils_run_depmod">
|
||||||
## <description>
|
## <description>
|
||||||
@ -175,17 +160,14 @@ define(`modutils_domtrans_depmod_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_run_depmod',`
|
define(`modutils_run_depmod',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type depmod_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
modutils_domtrans_depmod($1)
|
modutils_domtrans_depmod($1)
|
||||||
role $2 types insmod_t;
|
role $2 types insmod_t;
|
||||||
allow insmod_t $3:chr_file { getattr read write ioctl };
|
allow insmod_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`modutils_run_depmod_depend',`
|
|
||||||
type depmod_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -193,15 +175,12 @@ define(`modutils_run_depmod_depend',`
|
|||||||
# modutils_exec_depmod(domain)
|
# modutils_exec_depmod(domain)
|
||||||
#
|
#
|
||||||
define(`modutils_exec_depmod',`
|
define(`modutils_exec_depmod',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type depmod_t;
|
||||||
can_exec($1, depmod_exec_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_exec_depmod_depend',`
|
corecmd_search_sbin($1)
|
||||||
type depmod_t;
|
can_exec($1, depmod_exec_t)
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -215,8 +194,14 @@ define(`modutils_exec_depmod_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_domtrans_update_mods',`
|
define(`modutils_domtrans_update_mods',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type update_modules_t, update_modules_exec_t;
|
||||||
|
class process signal;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
domain_auto_trans($1, update_modules_exec_t, update_modules_t)
|
domain_auto_trans($1, update_modules_exec_t, update_modules_t)
|
||||||
|
|
||||||
allow $1 update_modules_t:fd use;
|
allow $1 update_modules_t:fd use;
|
||||||
@ -225,15 +210,6 @@ define(`modutils_domtrans_update_mods',`
|
|||||||
allow update_modules_t $1:process sigchld;
|
allow update_modules_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_domtrans_update_mods_depend',`
|
|
||||||
type update_modules_t;
|
|
||||||
|
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh signal };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_run_update_mods">
|
## <interface name="modutils_run_update_mods">
|
||||||
## <description>
|
## <description>
|
||||||
@ -251,17 +227,14 @@ define(`modutils_domtrans_update_mods_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_run_update_mods',`
|
define(`modutils_run_update_mods',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type update_modules_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
modutils_domtrans_update_mods($1)
|
modutils_domtrans_update_mods($1)
|
||||||
role $2 types update_modules_t;
|
role $2 types update_modules_t;
|
||||||
allow update_modules_t $3:chr_file rw_file_perms;
|
allow update_modules_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`modutils_run_update_mods_depend',`
|
|
||||||
type update_modules_t;
|
|
||||||
|
|
||||||
class chr_file rw_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -269,15 +242,12 @@ define(`modutils_run_update_mods_depend',`
|
|||||||
# modutils_exec_update_mods(domain)
|
# modutils_exec_update_mods(domain)
|
||||||
#
|
#
|
||||||
define(`modutils_exec_update_mods',`
|
define(`modutils_exec_update_mods',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type update_modules_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
can_exec($1, update_modules_exec_t)
|
can_exec($1, update_modules_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_exec_update_mods_depend',`
|
|
||||||
type update_modules_t;
|
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
')
|
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -12,12 +12,14 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_domtrans',`
|
define(`mount_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type mount_t, mount_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 mount_exec_t:file rx_file_perms;
|
domain_auto_trans($1,mount_exec_t,mount_t)
|
||||||
allow $1 mount_t:process transition;
|
|
||||||
type_transition $1 mount_exec_t:process mount_t;
|
|
||||||
dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 mount_t:fd use;
|
allow $1 mount_t:fd use;
|
||||||
allow mount_t $1:fd use;
|
allow mount_t $1:fd use;
|
||||||
@ -25,15 +27,6 @@ define(`mount_domtrans',`
|
|||||||
allow mount_t $1:process sigchld;
|
allow mount_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_domtrans_depend',`
|
|
||||||
type mount_t, mount_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="mount_run">
|
## <interface name="mount_run">
|
||||||
## <description>
|
## <description>
|
||||||
@ -53,19 +46,16 @@ define(`mount_domtrans_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_run',`
|
define(`mount_run',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type mount_t;
|
||||||
|
class chr_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
mount_domtrans($1)
|
mount_domtrans($1)
|
||||||
role $2 types mount_t;
|
role $2 types mount_t;
|
||||||
allow mount_t $3:chr_file rw_file_perms;
|
allow mount_t $3:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_run_depend',`
|
|
||||||
type mount_t;
|
|
||||||
|
|
||||||
class chr_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="mount_use_fd">
|
## <interface name="mount_use_fd">
|
||||||
## <description>
|
## <description>
|
||||||
@ -77,15 +67,12 @@ define(`mount_run_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_use_fd',`
|
define(`mount_use_fd',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type mount_t;
|
||||||
allow $1 mount_t:fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_use_fd_depend',`
|
allow $1 mount_t:fd use;
|
||||||
type mount_t;
|
|
||||||
|
|
||||||
class fd use;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -100,15 +87,12 @@ define(`mount_use_fd_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_send_nfs_client_request',`
|
define(`mount_send_nfs_client_request',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type mount_t;
|
||||||
|
class udp_socket rw_socket_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 mount_t:udp_socket rw_socket_perms;
|
allow $1 mount_t:udp_socket rw_socket_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_send_nfs_client_request_depend',`
|
|
||||||
type mount_t;
|
|
||||||
|
|
||||||
class udp_socket rw_socket_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -12,12 +12,16 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_domtrans_checkpol',`
|
define(`seutil_domtrans_checkpol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type checkpolicy_t, checkpolicy_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 checkpolicy_exec_t:file rx_file_perms;
|
files_search_usr($1)
|
||||||
allow $1 checkpolicy_t:process transition;
|
corecmd_search_bin($1)
|
||||||
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
|
domain_auto_trans($1,checkpolicy_exec_t,checkpolicy_t)
|
||||||
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 checkpolicy_t:fd use;
|
allow $1 checkpolicy_t:fd use;
|
||||||
allow checkpolicy_t $1:fd use;
|
allow checkpolicy_t $1:fd use;
|
||||||
@ -25,15 +29,6 @@ define(`seutil_domtrans_checkpol',`
|
|||||||
allow checkpolicy_t $1:process sigchld;
|
allow checkpolicy_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_domtrans_checkpol_depend',`
|
|
||||||
type checkpolicy_t, checkpolicy_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="seutil_run_checkpol">
|
## <interface name="seutil_run_checkpol">
|
||||||
## <description>
|
## <description>
|
||||||
@ -54,17 +49,14 @@ define(`seutil_domtrans_checkpol_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_run_checkpol',`
|
define(`seutil_run_checkpol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type checkpolicy_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
seutil_domtrans_checkpol($1)
|
seutil_domtrans_checkpol($1)
|
||||||
role $2 types checkpolicy_t;
|
role $2 types checkpolicy_t;
|
||||||
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
allow checkpolicy_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`seutil_run_checkpol_depend',`
|
|
||||||
type checkpolicy_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -72,15 +64,13 @@ define(`seutil_run_checkpol_depend',`
|
|||||||
# seutil_exec_checkpol(domain)
|
# seutil_exec_checkpol(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_exec_checkpol',`
|
define(`seutil_exec_checkpol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type checkpolicy_exec_t;
|
||||||
can_exec($1,checkpolicy_exec_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_exec_checkpol_depend',`
|
files_search_usr($1)
|
||||||
type checkpolicy_exec_t;
|
corecmd_search_bin($1)
|
||||||
|
can_exec($1,checkpolicy_exec_t)
|
||||||
class file { rx_file_perms execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -94,12 +84,15 @@ define(`seutil_exec_checkpol_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_domtrans_loadpol',`
|
define(`seutil_domtrans_loadpol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type load_policy_t, load_policy_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 load_policy_exec_t:file rx_file_perms;
|
corecmd_search_sbin($1)
|
||||||
allow $1 load_policy_t:process transition;
|
domain_auto_trans($1,load_policy_exec_t,load_policy_t)
|
||||||
type_transition $1 load_policy_exec_t:process load_policy_t;
|
|
||||||
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 load_policy_t:fd use;
|
allow $1 load_policy_t:fd use;
|
||||||
allow load_policy_t $1:fd use;
|
allow load_policy_t $1:fd use;
|
||||||
@ -107,15 +100,6 @@ define(`seutil_domtrans_loadpol',`
|
|||||||
allow load_policy_t $1:process sigchld;
|
allow load_policy_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_domtrans_loadpol_depend',`
|
|
||||||
type load_policy_t, load_policy_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="seutil_run_loadpol">
|
## <interface name="seutil_run_loadpol">
|
||||||
## <description>
|
## <description>
|
||||||
@ -136,17 +120,14 @@ define(`seutil_domtrans_loadpol_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_run_loadpol',`
|
define(`seutil_run_loadpol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type load_policy_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
seutil_domtrans_loadpol($1)
|
seutil_domtrans_loadpol($1)
|
||||||
role $2 types load_policy_t;
|
role $2 types load_policy_t;
|
||||||
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
allow load_policy_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`seutil_run_loadpol_depend',`
|
|
||||||
type load_policy_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -154,15 +135,12 @@ define(`seutil_run_loadpol_depend',`
|
|||||||
# seutil_exec_loadpol(domain)
|
# seutil_exec_loadpol(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_exec_loadpol',`
|
define(`seutil_exec_loadpol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type load_policy_exec_t;
|
||||||
can_exec($1,load_policy_exec_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_exec_loadpol_depend',`
|
corecmd_search_sbin($1)
|
||||||
type load_policy_exec_t;
|
can_exec($1,load_policy_exec_t)
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -170,15 +148,13 @@ define(`seutil_exec_loadpol_depend',`
|
|||||||
# seutil_read_loadpol(domain)
|
# seutil_read_loadpol(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_read_loadpol',`
|
define(`seutil_read_loadpol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type load_policy_exec_t;
|
||||||
allow $1 load_policy_exec_t:file r_file_perms;
|
class file r_file_perms
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_read_loadpol_depend',`
|
corecmd_search_sbin($1)
|
||||||
type load_policy_exec_t;
|
allow $1 load_policy_exec_t:file r_file_perms;
|
||||||
|
|
||||||
class file r_file_perms
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -192,12 +168,16 @@ define(`seutil_read_loadpol_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_domtrans_newrole',`
|
define(`seutil_domtrans_newrole',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type newrole_t, newrole_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 newrole_exec_t:file rx_file_perms;
|
files_search_usr($1)
|
||||||
allow $1 newrole_t:process transition;
|
corecmd_search_bin($1)
|
||||||
type_transition $1 newrole_exec_t:process newrole_t;
|
domain_auto_trans($1,newrole_exec_t,newrole_t)
|
||||||
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 newrole_t:fd use;
|
allow $1 newrole_t:fd use;
|
||||||
allow newrole_t $1:fd use;
|
allow newrole_t $1:fd use;
|
||||||
@ -205,15 +185,6 @@ define(`seutil_domtrans_newrole',`
|
|||||||
allow newrole_t $1:process sigchld;
|
allow newrole_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_domtrans_newrole_depend',`
|
|
||||||
type newrole_t, newrole_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="seutil_run_newrole">
|
## <interface name="seutil_run_newrole">
|
||||||
## <description>
|
## <description>
|
||||||
@ -233,17 +204,14 @@ define(`seutil_domtrans_newrole_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_run_newrole',`
|
define(`seutil_run_newrole',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type newrole_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
seutil_domtrans_newrole($1)
|
seutil_domtrans_newrole($1)
|
||||||
role $2 types newrole_t;
|
role $2 types newrole_t;
|
||||||
allow newrole_t $3:chr_file { getattr read write ioctl };
|
allow newrole_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`seutil_run_newrole_depend',`
|
|
||||||
type newrole_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -251,15 +219,13 @@ define(`seutil_run_newrole_depend',`
|
|||||||
# seutil_exec_newrole(domain)
|
# seutil_exec_newrole(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_exec_newrole',`
|
define(`seutil_exec_newrole',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type newrole_t, newrole_exec_t;
|
||||||
can_exec($1,newrole_exec_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_exec_newrole_depend',`
|
files_search_usr($1)
|
||||||
type newrole_t, newrole_exec_t;
|
corecmd_search_bin($1)
|
||||||
|
can_exec($1,newrole_exec_t)
|
||||||
class file { rx_file_perms execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -274,15 +240,12 @@ define(`seutil_exec_newrole_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_dontaudit_newrole_signal',`
|
define(`seutil_dontaudit_newrole_signal',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type newrole_t;
|
||||||
dontaudit $1 newrole_t:process signal;
|
class process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_dontaudit_newrole_signal_depend',`
|
dontaudit $1 newrole_t:process signal;
|
||||||
type newrole_t;
|
|
||||||
|
|
||||||
class process signal;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -290,15 +253,12 @@ define(`seutil_dontaudit_newrole_signal_depend',`
|
|||||||
# seutil_newrole_sigchld(domain)
|
# seutil_newrole_sigchld(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_newrole_sigchld',`
|
define(`seutil_newrole_sigchld',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type newrole_t;
|
||||||
allow $1 newrole_t:process sigchld;
|
class process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_newrole_sigchld_depend',`
|
allow $1 newrole_t:process sigchld;
|
||||||
type newrole_t;
|
|
||||||
|
|
||||||
class process sigchld;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -306,15 +266,12 @@ define(`seutil_newrole_sigchld_depend',`
|
|||||||
# seutil_use_newrole_fd(domain)
|
# seutil_use_newrole_fd(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_use_newrole_fd',`
|
define(`seutil_use_newrole_fd',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type newrole_t;
|
||||||
allow $1 newrole_t:fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_use_newrole_fd_depend',`
|
allow $1 newrole_t:fd use;
|
||||||
type newrole_t;
|
|
||||||
|
|
||||||
class fd use;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -328,12 +285,15 @@ define(`seutil_use_newrole_fd_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_domtrans_restorecon',`
|
define(`seutil_domtrans_restorecon',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type restorecon_t, restorecon_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 restorecon_exec_t:file rx_file_perms;
|
corecmd_search_sbin($1)
|
||||||
allow $1 restorecon_t:process transition;
|
domain_auto_trans($1,restorecon_exec_t,restorecon_t)
|
||||||
type_transition $1 restorecon_exec_t:process restorecon_t;
|
|
||||||
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 restorecon_t:fd use;
|
allow $1 restorecon_t:fd use;
|
||||||
allow restorecon_t $1:fd use;
|
allow restorecon_t $1:fd use;
|
||||||
@ -341,15 +301,6 @@ define(`seutil_domtrans_restorecon',`
|
|||||||
allow restorecon_t $1:process sigchld;
|
allow restorecon_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_domtrans_restorecon_depend',`
|
|
||||||
type restorecon_t, restorecon_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="seutil_run_restorecon">
|
## <interface name="seutil_run_restorecon">
|
||||||
## <description>
|
## <description>
|
||||||
@ -369,17 +320,14 @@ define(`seutil_domtrans_restorecon_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_run_restorecon',`
|
define(`seutil_run_restorecon',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type restorecon_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
seutil_domtrans_restorecon($1)
|
seutil_domtrans_restorecon($1)
|
||||||
role $2 types restorecon_t;
|
role $2 types restorecon_t;
|
||||||
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
allow restorecon_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`seutil_run_restorecon_depend',`
|
|
||||||
type restorecon_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -387,14 +335,12 @@ define(`seutil_run_restorecon_depend',`
|
|||||||
# seutil_exec_restorecon(domain)
|
# seutil_exec_restorecon(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_exec_restorecon',`
|
define(`seutil_exec_restorecon',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
can_exec($1,restorecon_exec_t)
|
type restorecon_t, restorecon_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_exec_restorecon_depend',`
|
corecmd_search_sbin($1)
|
||||||
type restorecon_t, restorecon_exec_t;
|
can_exec($1,restorecon_exec_t)
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -408,12 +354,16 @@ define(`seutil_exec_restorecon_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_domtrans_runinit',`
|
define(`seutil_domtrans_runinit',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type run_init_t, run_init_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 run_init_exec_t:file rx_file_perms;
|
files_search_usr($1)
|
||||||
allow $1 run_init_t:process transition;
|
corecmd_search_sbin($1)
|
||||||
type_transition $1 run_init_exec_t:process run_init_t;
|
domain_auto_trans($1,run_init_exec_t,run_init_t)
|
||||||
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 run_init_t:fd use;
|
allow $1 run_init_t:fd use;
|
||||||
allow run_init_t $1:fd use;
|
allow run_init_t $1:fd use;
|
||||||
@ -421,15 +371,6 @@ define(`seutil_domtrans_runinit',`
|
|||||||
allow run_init_t $1:process sigchld;
|
allow run_init_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_domtrans_runinit_depend',`
|
|
||||||
type run_init_t, run_init_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="seutil_run_runinit">
|
## <interface name="seutil_run_runinit">
|
||||||
## <description>
|
## <description>
|
||||||
@ -449,17 +390,14 @@ define(`seutil_domtrans_runinit_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_run_runinit',`
|
define(`seutil_run_runinit',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type run_init_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
seutil_domtrans_runinit($1)
|
seutil_domtrans_runinit($1)
|
||||||
role $2 types run_init_t;
|
role $2 types run_init_t;
|
||||||
allow run_init_t $3:chr_file { getattr read write ioctl };
|
allow run_init_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`seutil_run_runinit_depend',`
|
|
||||||
type run_init_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -467,15 +405,12 @@ define(`seutil_run_runinit_depend',`
|
|||||||
# seutil_use_runinit_fd(domain)
|
# seutil_use_runinit_fd(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_use_runinit_fd',`
|
define(`seutil_use_runinit_fd',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type run_init_t;
|
||||||
allow $1 run_init_t:fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_use_runinit_fd_depend',`
|
allow $1 run_init_t:fd use;
|
||||||
type run_init_t;
|
|
||||||
|
|
||||||
class fd use;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -489,12 +424,16 @@ define(`seutil_use_runinit_fd_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_domtrans_setfiles',`
|
define(`seutil_domtrans_setfiles',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type setfiles_t, setfiles_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 setfiles_exec_t:file rx_file_perms;
|
files_search_usr($1)
|
||||||
allow $1 setfiles_t:process transition;
|
corecmd_search_sbin($1)
|
||||||
type_transition $1 setfiles_exec_t:process setfiles_t;
|
domain_auto_trans($1,setfiles_exec_t,setfiles_t)
|
||||||
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 setfiles_t:fd use;
|
allow $1 setfiles_t:fd use;
|
||||||
allow setfiles_t $1:fd use;
|
allow setfiles_t $1:fd use;
|
||||||
@ -502,15 +441,6 @@ define(`seutil_domtrans_setfiles',`
|
|||||||
allow setfiles_t $1:process sigchld;
|
allow setfiles_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_domtrans_setfiles_depend',`
|
|
||||||
type setfiles_t, setfiles_exec_t;
|
|
||||||
|
|
||||||
class file rx_file_perms;
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="seutil_run_setfiles">
|
## <interface name="seutil_run_setfiles">
|
||||||
## <description>
|
## <description>
|
||||||
@ -530,17 +460,14 @@ define(`seutil_domtrans_setfiles_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_run_setfiles',`
|
define(`seutil_run_setfiles',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type setfiles_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
seutil_domtrans_setfiles($1)
|
seutil_domtrans_setfiles($1)
|
||||||
role $2 types setfiles_t;
|
role $2 types setfiles_t;
|
||||||
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
allow setfiles_t $3:chr_file rw_term_perms;
|
||||||
')
|
|
||||||
|
|
||||||
define(`seutil_run_setfiles_depend',`
|
|
||||||
type setfiles_t;
|
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -548,15 +475,13 @@ define(`seutil_run_setfiles_depend',`
|
|||||||
# seutil_exec_setfiles(domain)
|
# seutil_exec_setfiles(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_exec_setfiles',`
|
define(`seutil_exec_setfiles',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type setfiles_exec_t;
|
||||||
can_exec($1,setfiles_exec_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_exec_setfiles_depend',`
|
files_search_usr($1)
|
||||||
type setfiles_exec_t;
|
corecmd_search_sbin($1)
|
||||||
|
can_exec($1,setfiles_exec_t)
|
||||||
class file { rx_file_perms execute_no_trans };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -564,94 +489,85 @@ define(`seutil_exec_setfiles_depend',`
|
|||||||
# seutil_read_config(domain)
|
# seutil_read_config(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_read_config',`
|
define(`seutil_read_config',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
|
||||||
allow $1 selinux_config_t:dir r_dir_perms;
|
|
||||||
allow $1 selinux_config_t:file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`seutil_read_config_depend',`
|
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 selinux_config_t:dir r_dir_perms;
|
||||||
|
allow $1 selinux_config_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# seutil_read_default_contexts(domain)
|
# seutil_read_default_contexts(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_read_default_contexts',`
|
define(`seutil_read_default_contexts',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type selinux_config_t, default_context_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
allow $1 selinux_config_t:dir search;
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 default_context_t:dir r_dir_perms;
|
allow $1 default_context_t:dir r_dir_perms;
|
||||||
allow $1 default_context_t:file r_file_perms;
|
allow $1 default_context_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_read_default_contexts_depend',`
|
|
||||||
type selinux_config_t, default_context_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# seutil_read_file_contexts(domain)
|
# seutil_read_file_contexts(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_read_file_contexts',`
|
define(`seutil_read_file_contexts',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type selinux_config_t, file_context_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
allow $1 selinux_config_t:dir search;
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 file_context_t:dir r_dir_perms;
|
allow $1 file_context_t:dir r_dir_perms;
|
||||||
allow $1 file_context_t:file r_file_perms;
|
allow $1 file_context_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_read_file_contexts_depend',`
|
|
||||||
type selinux_config_t, file_context_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# seutil_read_binary_pol(domain)
|
# seutil_read_binary_pol(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_read_binary_pol',`
|
define(`seutil_read_binary_pol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type selinux_config_t, policy_config_t;
|
||||||
allow $1 policy_config_t:dir r_dir_perms;
|
|
||||||
allow $1 policy_config_t:file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`seutil_read_binary_pol_depend',`
|
|
||||||
type policy_config_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
files_search_etc($1)
|
||||||
#
|
allow $1 selinux_config_t:dir search;
|
||||||
# seutil_write_binary_pol(domain)
|
allow $1 policy_config_t:dir r_dir_perms;
|
||||||
#
|
allow $1 policy_config_t:file r_file_perms;
|
||||||
define(`seutil_write_binary_pol',`
|
|
||||||
gen_require(`$0'_depend)
|
|
||||||
|
|
||||||
allow $1 policy_config_t:dir rw_dir_perms;
|
|
||||||
allow $1 policy_config_t:file { getattr create write unlink };
|
|
||||||
typeattribute $1 can_write_binary_policy;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_write_binary_pol_depend',`
|
########################################
|
||||||
|
#
|
||||||
|
# seutil_create_binary_pol(domain)
|
||||||
|
#
|
||||||
|
define(`seutil_create_binary_pol',`
|
||||||
|
gen_require(`
|
||||||
attribute can_write_binary_policy;
|
attribute can_write_binary_policy;
|
||||||
|
type selinux_config_t, policy_config_t;
|
||||||
|
class dir ra_dir_perms;
|
||||||
|
class file { getattr create write };
|
||||||
|
')
|
||||||
|
|
||||||
type policy_config_t;
|
files_search_etc($1)
|
||||||
|
allow $1 selinux_config_t:dir search;
|
||||||
class dir rw_dir_perms;
|
allow $1 policy_config_t:dir ra_dir_perms;
|
||||||
class file { getattr create write unlink };
|
allow $1 policy_config_t:file { getattr create write };
|
||||||
|
typeattribute $1 can_write_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -665,40 +581,33 @@ define(`seutil_write_binary_pol_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`seutil_relabelto_binary_pol',`
|
define(`seutil_relabelto_binary_pol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
attribute can_relabelto_binary_policy;
|
||||||
|
type policy_config_t;
|
||||||
|
class file relabelto;
|
||||||
|
')
|
||||||
|
|
||||||
allow $1 policy_config_t:file relabelto;
|
allow $1 policy_config_t:file relabelto;
|
||||||
typeattribute $1 can_relabelto_binary_policy;
|
typeattribute $1 can_relabelto_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_relabelto_binary_pol_depend',`
|
|
||||||
attribute can_relabelto_binary_policy;
|
|
||||||
|
|
||||||
type policy_config_t;
|
|
||||||
|
|
||||||
class file relabelto;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# seutil_manage_binary_pol(domain)
|
# seutil_manage_binary_pol(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_manage_binary_pol',`
|
define(`seutil_manage_binary_pol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
attribute can_write_binary_policy;
|
||||||
# FIXME: search etc_t:dir
|
type selinux_config_t, policy_config_t;
|
||||||
allow $1 selinux_config_t:dir search;
|
class dir rw_dir_perms;
|
||||||
allow $1 policy_config_t:dir r_dir_perms;
|
class file create_file_perms;
|
||||||
allow $1 policy_config_t:file create_file_perms;
|
|
||||||
typeattribute $1 can_write_binary_policy;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_manage_binary_pol_depend',`
|
files_search_etc($1)
|
||||||
attribute can_write_binary_policy;
|
allow $1 selinux_config_t:dir search;
|
||||||
|
allow $1 policy_config_t:dir rw_dir_perms;
|
||||||
type selinux_config_t, policy_config_t;
|
allow $1 policy_config_t:file create_file_perms;
|
||||||
class dir create_dir_perms;
|
typeattribute $1 can_write_binary_policy;
|
||||||
class file create_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -706,39 +615,33 @@ define(`seutil_manage_binary_pol_depend',`
|
|||||||
# seutil_read_src_pol(domain)
|
# seutil_read_src_pol(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_read_src_pol',`
|
define(`seutil_read_src_pol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type selinux_config_t, policy_src_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
# FIXME: search etc_t:dir
|
files_search_etc($1)
|
||||||
allow $1 selinux_config_t:dir search;
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 policy_src_t:dir r_dir_perms;
|
allow $1 policy_src_t:dir r_dir_perms;
|
||||||
allow $1 policy_src_t:file r_file_perms;
|
allow $1 policy_src_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_read_src_pol_depend',`
|
|
||||||
type selinux_config_t, policy_src_t;
|
|
||||||
|
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# seutil_manage_src_pol(domain)
|
# seutil_manage_src_pol(domain)
|
||||||
#
|
#
|
||||||
define(`seutil_manage_src_pol',`
|
define(`seutil_manage_src_pol',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type selinux_config_t, policy_src_t;
|
||||||
|
class dir create_dir_perms;
|
||||||
|
class file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
# FIXME: search etc_t:dir
|
files_search_etc($1)
|
||||||
allow $1 selinux_config_t:dir search;
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 policy_src_t:dir create_dir_perms;
|
allow $1 policy_src_t:dir create_dir_perms;
|
||||||
allow $1 policy_src_t:file create_file_perms;
|
allow $1 policy_src_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`seutil_manage_src_pol_depend',`
|
|
||||||
type selinux_config_t, policy_src_t;
|
|
||||||
|
|
||||||
class dir create_dir_perms;
|
|
||||||
class file create_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -12,8 +12,14 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnet_domtrans_dhcpc',`
|
define(`sysnet_domtrans_dhcpc',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type dhcpc_t, dhcpc_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
|
domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
|
||||||
|
|
||||||
allow $1 dhcpc_t:fd use;
|
allow $1 dhcpc_t:fd use;
|
||||||
@ -22,15 +28,6 @@ define(`sysnet_domtrans_dhcpc',`
|
|||||||
allow dhcpc_t $1:process sigchld;
|
allow dhcpc_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnet_domtrans_dhcpc_depend',`
|
|
||||||
type dhcpc_t, dhcpc_exec_t;
|
|
||||||
|
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="sysnet_domtrans_ifconfig">
|
## <interface name="sysnet_domtrans_ifconfig">
|
||||||
## <description>
|
## <description>
|
||||||
@ -42,8 +39,14 @@ define(`sysnet_domtrans_dhcpc_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnet_domtrans_ifconfig',`
|
define(`sysnet_domtrans_ifconfig',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type ifconfig_t, ifconfig_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
|
domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
|
||||||
|
|
||||||
allow $1 ifconfig_t:fd use;
|
allow $1 ifconfig_t:fd use;
|
||||||
@ -52,15 +55,6 @@ define(`sysnet_domtrans_ifconfig',`
|
|||||||
allow ifconfig_t $1:process sigchld;
|
allow ifconfig_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnet_domtrans_ifconfig_depend',`
|
|
||||||
type ifconfig_t, ifconfig_exec_t;
|
|
||||||
|
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="sysnet_run_ifconfig">
|
## <interface name="sysnet_run_ifconfig">
|
||||||
## <description>
|
## <description>
|
||||||
@ -80,17 +74,15 @@ define(`sysnet_domtrans_ifconfig_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnet_run_ifconfig',`
|
define(`sysnet_run_ifconfig',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type ifconfig_t;
|
||||||
sysnet_domtrans_ifconfig($1)
|
class chr_file rw_term_perms;
|
||||||
role $2 types ifconfig_t;
|
|
||||||
allow ifconfig_t $3:chr_file { getattr read write ioctl };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnet_run_ifconfig_depend',`
|
corecmd_search_sbin($1)
|
||||||
type ifconfig_t;
|
sysnet_domtrans_ifconfig($1)
|
||||||
|
role $2 types ifconfig_t;
|
||||||
class chr_file { getattr read write ioctl };
|
allow ifconfig_t $3:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -104,16 +96,13 @@ define(`sysnet_run_ifconfig_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnet_read_config',`
|
define(`sysnet_read_config',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type net_conf_t;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 net_conf_t:file r_file_perms;
|
allow $1 net_conf_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnet_read_config_depend',`
|
|
||||||
type net_conf_t;
|
|
||||||
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
@ -12,7 +12,12 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`udev_domtrans',`
|
define(`udev_domtrans',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type udev_t, udev_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
domain_auto_trans($1, udev_exec_t, udev_t)
|
domain_auto_trans($1, udev_exec_t, udev_t)
|
||||||
|
|
||||||
@ -22,15 +27,6 @@ define(`udev_domtrans',`
|
|||||||
allow udev_t $1:process sigchld;
|
allow udev_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`udev_domtrans_depend',`
|
|
||||||
type udev_t, udev_exec_t;
|
|
||||||
|
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
||||||
class fd use;
|
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="udev_read_db">
|
## <interface name="udev_read_db">
|
||||||
## <description>
|
## <description>
|
||||||
@ -42,15 +38,13 @@ define(`udev_domtrans_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`udev_read_db',`
|
define(`udev_read_db',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
type udev_tdb_t;
|
||||||
allow $1 udev_tdb_t:file r_file_perms;
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`udev_read_db_depend',`
|
dev_list_all_dev_nodes($1)
|
||||||
type udev_tdb_t;
|
allow $1 udev_tdb_t:file r_file_perms;
|
||||||
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -64,15 +58,13 @@ define(`udev_read_db_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`udev_rw_db',`
|
define(`udev_rw_db',`
|
||||||
gen_require(`$0'_depend)
|
gen_require(`
|
||||||
|
|
||||||
allow $1 udev_tdb_t:file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`udev_rw_db_depend',`
|
|
||||||
type udev_tdb_t;
|
type udev_tdb_t;
|
||||||
|
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
dev_list_all_dev_nodes($1)
|
||||||
|
allow $1 udev_tdb_t:file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user