add macro to expand object class sets for use in require blocks
This commit is contained in:
		
							parent
							
								
									50f6503452
								
							
						
					
					
						commit
						157c69416f
					
				@ -358,6 +358,33 @@ interface(`domain_getsession_all_domains',`
	allow $1 domain:process getsession;
')
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains sockets, for all socket types.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to get the attributes
##	of all domains sockets, for all socket types.
##	</p>
##	<p>
##	This interface was added for PCMCIA cardmgr
##	and is probably excessive.
##	</p>
## </desc>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`domain_dontaudit_getattr_all_sockets',`
	gen_require(`
		gen_require_set(getattr,socket_class_set)
	')
	dontaudit $1 domain:socket_class_set getattr;
')
########################################
## <desc>
##	Do not audit attempts to get the attributes
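Review bot: The rule `dontaudit $1 domain:socket_class_set getattr;` in the new `domain_dontaudit_getattr_all_sockets` interface suppresses getattr denials against every socket class of every domain, so a caller that probes other processes' sockets leaves no AVC record at all, and the <desc> block already concedes the interface is "probably excessive" without telling callers how to check whether that suppression is still justified. I would add to the description `##	Because this hides denials for all domains, callers should re-check the underlying denials with dontaudit rules disabled (semodule -DB) before relying on it.` The permission argument in `gen_require_set(getattr,socket_class_set)` is passed bare rather than braced as in the macro's documented example; for a single permission that appears to expand to a valid `class X getattr;`, but the bare form is not documented anywhere in this hunk. The hunk's trailing `## <desc>` opens the next interface, whose body lies outside this hunk.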
@ -63,8 +63,11 @@ corecmd_exec_sbin(cardmgr_t)
domain_use_wide_inherit_fd(cardmgr_t)
domain_exec_all_entry_files(cardmgr_t)
# Read /proc/PID directories for all domains (for fuser).
domain_read_all_domains_state(cardmgr_t)
# cjp: these look excessive:
domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
domain_dontaudit_getattr_all_sockets(cardmgr_t)
files_search_home(cardmgr_t)
files_read_etc_runtime_files(cardmgr_t)
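Review bot: `domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)` adds an audit suppression that the rules removed in the following hunk never had — those only covered `domain:socket_class_set` and `ptyfile:chr_file` — so this commit quietly widens what cardmgr_t may probe without leaving a denial, which the title ("add macro ...") does not signal. `domain_read_all_domains_state(cardmgr_t)` likewise replaces `can_ps(cardmgr_t, domain)`; if that interface grants file read on all /proc/PID entries as its name suggests, it is broader than fuser's need to walk /proc/PID/fd links, though its definition is not visible here. At minimum the kept comment should record the widening, e.g. `# cjp: these look excessive; the unnamed_pipes dontaudit is new here and should be confirmed against real denials before it stays.`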
@ -126,12 +129,7 @@ allow cardmgr_t var_lib_t:file { getattr read };
# Create device files in /tmp.
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
# Read /proc/PID directories for all domains (for fuser).
can_ps(cardmgr_t, domain)
dontaudit cardmgr_t ptyfile:chr_file getattr;
# cjp: these look excessive:
dontaudit cardmgr_t domain:socket_class_set getattr;
# this goes to apm
optional_policy(`pcmcia.te',`
@ -200,3 +200,26 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
# Use (read and write) terminals
#
define(`rw_term_perms', `{ getattr read write ioctl }')
########################################
#
# Expand object class set macros.
#
# gen_require_set(permissions,object_class_set)
#
# the statement:
#   gen_require_set({ getattr read },{ foo bar tar })
#
# makes:
#   class foo { getattr read };
#   class bar { getattr read };
#   class tar { getattr read };
#
# !! This is only used in require blocks. !!
define(`gen_require_set',`
ifelse(regexp($2, `\w'), -1, `', `dnl
class regexp($2, `\(\w+\)', `\1') $1;
gen_require_set($1, regexp($2, `\w+\(.*\)', `\1'))dnl
') dnl
')
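Review bot: `gen_require_set` depends on GNU-specific regex features — `\w` and `+` in `regexp($2, `\(\w+\)', `\1')` and `regexp($2, `\w+\(.*\)', `\1')` — so it will not expand correctly under a POSIX m4, and the header comment says nothing about that. Because the recursion simply skips any non-word character, the braces in `{ foo bar tar }` are tolerated, but a malformed token such as `foo-bar` would be split silently into two `class` requirements instead of being reported. I would extend the comment block with `# Requires GNU m4 (\w and + in regexp). Non-word characters in $2 are ignored, so braces may be present; $1 may be a braced set or a bare single permission.` An empty $1 produces `class foo ;`, which the policy compiler should reject, so that case fails closed and needs no extra guard.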