trunk: 2 patches from dan.
This commit is contained in:
Chris PeBenito
parent
b3eb124654
commit
14c0edc7e9
@ -44,6 +44,8 @@ ifdef(`distro_redhat',`
|
||||
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -146,6 +148,8 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@ -183,10 +187,8 @@ ifdef(`distro_gentoo',`
|
||||
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands, 1.10.0)
|
||||
policy_module(corecommands, 1.10.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -29,6 +29,7 @@ ifdef(`distro_suse',`
|
||||
/boot -d gen_context(system_u:object_r:boot_t,s0)
|
||||
/boot/.* gen_context(system_u:object_r:boot_t,s0)
|
||||
/boot/\.journal <<none>>
|
||||
/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
|
||||
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/boot/lost\+found/.* <<none>>
|
||||
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
|
||||
|
||||
@ -935,6 +935,32 @@ interface(`files_relabel_all_files',`
|
||||
seutil_relabelto_bin_policy($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## rw all files on the filesystem, except
|
||||
## the listed exceptions.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the domain perfoming this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="exception_types" optional="true">
|
||||
## <summary>
|
||||
## The types to be excluded. Each type or attribute
|
||||
## must be negated by the caller.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`files_rw_all_files',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
')
|
||||
|
||||
rw_files_pattern($1, { file_type $2 }, { file_type $2 })
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage all files on the filesystem, except
|
||||
@ -2742,6 +2768,24 @@ interface(`files_manage_mnt_files',`
|
||||
manage_files_pattern($1, mnt_t, mnt_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## read files in /mnt.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_mnt_files',`
|
||||
gen_require(`
|
||||
type mnt_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, mnt_t, mnt_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete symbolic links in /mnt.
|
||||
@ -3161,6 +3205,24 @@ interface(`files_dontaudit_list_tmp',`
|
||||
dontaudit $1 tmp_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Remove entries from the tmp directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_tmp_dir_entry',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir del_entry_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in the tmp directory (/tmp).
|
||||
@ -3469,6 +3531,42 @@ interface(`files_dontaudit_rw_usr_dirs',`
|
||||
dontaudit $1 usr_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete generic directories in /usr in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_usr_dirs',`
|
||||
gen_require(`
|
||||
type usr_t;
|
||||
')
|
||||
|
||||
allow $1 usr_t:file delete_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete generic files in /usr in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_usr_files',`
|
||||
gen_require(`
|
||||
type usr_t;
|
||||
')
|
||||
|
||||
allow $1 usr_t:file delete_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of files in /usr.
|
||||
@ -3527,6 +3625,24 @@ interface(`files_exec_usr_files',`
|
||||
read_lnk_files_pattern($1, usr_t, usr_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit write of /usr files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_write_usr_files',`
|
||||
gen_require(`
|
||||
type usr_t;
|
||||
')
|
||||
|
||||
dontaudit $1 usr_t:file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files in the /usr directory.
|
||||
@ -4401,6 +4517,24 @@ interface(`files_list_pids',`
|
||||
list_dirs_pattern($1, var_t, var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read generic process ID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_generic_pids',`
|
||||
gen_require(`
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, { var_t var_run_t }, var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create an object in the process ID directory, with a private
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(files, 1.10.0)
|
||||
policy_module(files, 1.10.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -174,6 +174,7 @@ files_lock_file(var_lock_t)
|
||||
#
|
||||
type var_run_t;
|
||||
files_pid_file(var_run_t)
|
||||
files_mountpoint(var_run_t)
|
||||
|
||||
#
|
||||
# var_spool_t is the type of /var/spool
|
||||
|
||||
Loading…
Reference in New Issue
Block a user