rename some selinuxfs interfaces for more clarity
parent
ef373408a6
commit
1786071159
@ -80,10 +80,10 @@ allow chfn_t self:msg { send receive };
|
||||
kernel_read_system_state(chfn_t)
|
||||
kernel_get_selinuxfs_mount_point(chfn_t)
|
||||
kernel_validate_selinux_context(chfn_t)
|
||||
kernel_compute_selinux_av(chfn_t)
|
||||
kernel_compute_create(chfn_t)
|
||||
kernel_compute_relabel(chfn_t)
|
||||
kernel_compute_reachable_user_contexts(chfn_t)
|
||||
kernel_compute_selinux_access_vector(chfn_t)
|
||||
kernel_compute_selinux_create_context(chfn_t)
|
||||
kernel_compute_selinux_relabel_context(chfn_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(chfn_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(chfn_t)
|
||||
terminal_use_all_private_pseudoterminals(chfn_t)
|
||||
@ -213,10 +213,10 @@ allow groupadd_t self:msg { send receive };
|
||||
# Allow access to context for shadow file
|
||||
kernel_get_selinuxfs_mount_point(groupadd_t)
|
||||
kernel_validate_selinux_context(groupadd_t)
|
||||
kernel_compute_selinux_av(groupadd_t)
|
||||
kernel_compute_create(groupadd_t)
|
||||
kernel_compute_relabel(groupadd_t)
|
||||
kernel_compute_reachable_user_contexts(groupadd_t)
|
||||
kernel_compute_selinux_access_vector(groupadd_t)
|
||||
kernel_compute_selinux_create_context(groupadd_t)
|
||||
kernel_compute_selinux_relabel_context(groupadd_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(groupadd_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(groupadd_t)
|
||||
|
||||
@ -288,10 +288,10 @@ allow passwd_t self:msg { send receive };
|
||||
|
||||
kernel_get_selinuxfs_mount_point(passwd_t)
|
||||
kernel_validate_selinux_context(passwd_t)
|
||||
kernel_compute_selinux_av(passwd_t)
|
||||
kernel_compute_create(passwd_t)
|
||||
kernel_compute_relabel(passwd_t)
|
||||
kernel_compute_reachable_user_contexts(passwd_t)
|
||||
kernel_compute_selinux_access_vector(passwd_t)
|
||||
kernel_compute_selinux_create_context(passwd_t)
|
||||
kernel_compute_selinux_relabel_context(passwd_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(passwd_t)
|
||||
|
||||
# for SSP
|
||||
devices_get_pseudorandom_data(passwd_t)
|
||||
@ -386,10 +386,10 @@ files_search_system_state_data_directory(sysadm_passwd_t)
|
||||
|
||||
kernel_get_selinuxfs_mount_point(sysadm_passwd_t)
|
||||
kernel_validate_selinux_context(sysadm_passwd_t)
|
||||
kernel_compute_selinux_av(sysadm_passwd_t)
|
||||
kernel_compute_create(sysadm_passwd_t)
|
||||
kernel_compute_relabel(sysadm_passwd_t)
|
||||
kernel_compute_reachable_user_contexts(sysadm_passwd_t)
|
||||
kernel_compute_selinux_access_vector(sysadm_passwd_t)
|
||||
kernel_compute_selinux_create_context(sysadm_passwd_t)
|
||||
kernel_compute_selinux_relabel_context(sysadm_passwd_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(sysadm_passwd_t)
|
||||
# for /proc/meminfo
|
||||
kernel_read_system_state(sysadm_passwd_t)
|
||||
|
||||
@ -478,10 +478,10 @@ allow useradd_t self:msg { send receive };
|
||||
# Allow access to context for shadow file
|
||||
kernel_get_selinuxfs_mount_point(useradd_t)
|
||||
kernel_validate_selinux_context(useradd_t)
|
||||
kernel_compute_selinux_av(useradd_t)
|
||||
kernel_compute_create(useradd_t)
|
||||
kernel_compute_relabel(useradd_t)
|
||||
kernel_compute_reachable_user_contexts(useradd_t)
|
||||
kernel_compute_selinux_access_vector(useradd_t)
|
||||
kernel_compute_selinux_create_context(useradd_t)
|
||||
kernel_compute_selinux_relabel_context(useradd_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(useradd_t)
|
||||
# for getting the number of groups
|
||||
kernel_read_kernel_sysctl(useradd_t)
|
||||
|
||||
|
@ -247,9 +247,9 @@ class security setbool;
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_setsecparam(domain)
|
||||
# kernel_set_selinux_security_parameters(domain)
|
||||
#
|
||||
define(`kernel_setsecparam',`
|
||||
define(`kernel_set_selinux_security_parameters',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
@ -258,7 +258,7 @@ auditallow $1 security_t:security setsecparam;
|
||||
typeattribute $1 can_setsecparam;
|
||||
')
|
||||
|
||||
define(`kernel_setsecparam_depend',`
|
||||
define(`kernel_set_selinux_security_parameters_depend',`
|
||||
type security_t;
|
||||
attribute can_setsecparam;
|
||||
class dir { read search getattr };
|
||||
@ -286,16 +286,16 @@ class security check_context;
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_compute_selinux_av(domain)
|
||||
# kernel_compute_selinux_access_vector(domain)
|
||||
#
|
||||
define(`kernel_compute_selinux_av',`
|
||||
define(`kernel_compute_selinux_access_vector',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_av;
|
||||
')
|
||||
|
||||
define(`kernel_compute_selinux_av_depend',`
|
||||
define(`kernel_compute_selinux_access_vector_depend',`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
@ -304,16 +304,16 @@ class security compute_av;
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_compute_selinux_create(domain)
|
||||
# kernel_compute_selinux_create_context(domain)
|
||||
#
|
||||
define(`kernel_compute_create',`
|
||||
define(`kernel_compute_selinux_create_context',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_create;
|
||||
')
|
||||
|
||||
define(`kernel_compute_create_depend',`
|
||||
define(`kernel_compute_selinux_create_context_depend',`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
@ -322,16 +322,16 @@ class security compute_create;
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_compute_relabel(domain)
|
||||
# kernel_compute_selinux_relabel_context(domain)
|
||||
#
|
||||
define(`kernel_compute_relabel',`
|
||||
define(`kernel_compute_selinux_relabel_context',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_relabel;
|
||||
')
|
||||
|
||||
define(`kernel_compute_relabel_depend',`
|
||||
define(`kernel_compute_selinux_relabel_context_depend',`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
@ -340,16 +340,16 @@ class security compute_relabel;
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_compute_reachable_user_contexts(domain)
|
||||
# kernel_compute_selinux_reachable_user_contexts(domain)
|
||||
#
|
||||
define(`kernel_compute_reachable_user_contexts',`
|
||||
define(`kernel_compute_selinux_reachable_user_contexts',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_user;
|
||||
')
|
||||
|
||||
define(`kernel_compute_reachable_user_contexts_depend',`
|
||||
define(`kernel_compute_selinux_reachable_user_contexts_depend',`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
|
@ -83,10 +83,10 @@ kernel_read_kernel_sysctl(crond_t)
|
||||
kernel_read_hardware_state(crond_t)
|
||||
kernel_get_selinuxfs_mount_point(crond_t)
|
||||
kernel_validate_selinux_context(crond_t)
|
||||
kernel_compute_selinux_av(crond_t)
|
||||
kernel_compute_create(crond_t)
|
||||
kernel_compute_relabel(crond_t)
|
||||
kernel_compute_reachable_user_contexts(crond_t)
|
||||
kernel_compute_selinux_access_vector(crond_t)
|
||||
kernel_compute_selinux_create_context(crond_t)
|
||||
kernel_compute_selinux_relabel_context(crond_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(crond_t)
|
||||
|
||||
devices_get_pseudorandom_data(crond_t)
|
||||
|
||||
@ -292,10 +292,10 @@ selinux_setfiles_transition(system_crond_t)
|
||||
} else {
|
||||
kernel_get_selinuxfs_mount_point(system_crond_t)
|
||||
kernel_validate_selinux_context(system_crond_t)
|
||||
kernel_compute_selinux_av(system_crond_t)
|
||||
kernel_compute_create(system_crond_t)
|
||||
kernel_compute_relabel(system_crond_t)
|
||||
kernel_compute_reachable_user_contexts(system_crond_t)
|
||||
kernel_compute_selinux_access_vector(system_crond_t)
|
||||
kernel_compute_selinux_create_context(system_crond_t)
|
||||
kernel_compute_selinux_relabel_context(system_crond_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(system_crond_t)
|
||||
selinux_read_file_contexts(system_crond_t)
|
||||
}
|
||||
|
||||
|
@ -46,10 +46,10 @@ kernel_read_system_state(remote_login_t)
|
||||
kernel_read_kernel_sysctl(remote_login_t)
|
||||
kernel_get_selinuxfs_mount_point(remote_login_t)
|
||||
kernel_validate_selinux_context(remote_login_t)
|
||||
kernel_compute_selinux_av(remote_login_t)
|
||||
kernel_compute_create(remote_login_t)
|
||||
kernel_compute_relabel(remote_login_t)
|
||||
kernel_compute_reachable_user_contexts(remote_login_t)
|
||||
kernel_compute_selinux_access_vector(remote_login_t)
|
||||
kernel_compute_selinux_create_context(remote_login_t)
|
||||
kernel_compute_selinux_relabel_context(remote_login_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(remote_login_t)
|
||||
|
||||
# for SSP/ProPolice
|
||||
devices_get_pseudorandom_data(remote_login_t)
|
||||
|
@ -370,10 +370,10 @@ dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket }
|
||||
|
||||
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||
kernel_validate_selinux_context(run_init_t)
|
||||
kernel_compute_selinux_av(run_init_t)
|
||||
kernel_compute_create(run_init_t)
|
||||
kernel_compute_relabel(run_init_t)
|
||||
kernel_compute_reachable_user_contexts(run_init_t)
|
||||
kernel_compute_selinux_access_vector(run_init_t)
|
||||
kernel_compute_selinux_create_context(run_init_t)
|
||||
kernel_compute_selinux_relabel_context(run_init_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
||||
|
||||
tunable_policy(`targeted_policy',`
|
||||
# targeted/unconfined stuff
|
||||
|
@ -57,10 +57,10 @@ kernel_read_system_state(local_login_t)
|
||||
kernel_read_kernel_sysctl(local_login_t)
|
||||
kernel_get_selinuxfs_mount_point(local_login_t)
|
||||
kernel_validate_selinux_context(local_login_t)
|
||||
kernel_compute_selinux_av(local_login_t)
|
||||
kernel_compute_create(local_login_t)
|
||||
kernel_compute_relabel(local_login_t)
|
||||
kernel_compute_reachable_user_contexts(local_login_t)
|
||||
kernel_compute_selinux_access_vector(local_login_t)
|
||||
kernel_compute_selinux_create_context(local_login_t)
|
||||
kernel_compute_selinux_relabel_context(local_login_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(local_login_t)
|
||||
|
||||
# for SSP/ProPolice
|
||||
devices_get_pseudorandom_data(local_login_t)
|
||||
@ -254,10 +254,10 @@ init_get_process_group(sulogin_t)
|
||||
allow sulogin_t self:process setexec;
|
||||
kernel_get_selinuxfs_mount_point(sulogin_t)
|
||||
kernel_validate_selinux_context(sulogin_t)
|
||||
kernel_compute_selinux_av(sulogin_t)
|
||||
kernel_compute_create(sulogin_t)
|
||||
kernel_compute_relabel(sulogin_t)
|
||||
kernel_compute_reachable_user_contexts(sulogin_t)
|
||||
kernel_compute_selinux_access_vector(sulogin_t)
|
||||
kernel_compute_selinux_create_context(sulogin_t)
|
||||
kernel_compute_selinux_relabel_context(sulogin_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(sulogin_t)
|
||||
#domain_trans(sulogin_t, shell_exec_t, sysadm_t)
|
||||
')
|
||||
|
||||
|
@ -72,10 +72,10 @@ files_create_private_config(lvm_t,lvm_metadata_t,file)
|
||||
kernel_read_system_state(lvm_t)
|
||||
kernel_get_selinuxfs_mount_point(lvm_t)
|
||||
kernel_validate_selinux_context(lvm_t)
|
||||
kernel_compute_selinux_av(lvm_t)
|
||||
kernel_compute_create(lvm_t)
|
||||
kernel_compute_relabel(lvm_t)
|
||||
kernel_compute_reachable_user_contexts(lvm_t)
|
||||
kernel_compute_selinux_access_vector(lvm_t)
|
||||
kernel_compute_selinux_create_context(lvm_t)
|
||||
kernel_compute_selinux_relabel_context(lvm_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(lvm_t)
|
||||
kernel_read_kernel_sysctl(lvm_t)
|
||||
kernel_read_hardware_state(lvm_t)
|
||||
# Read /sys/block. Device mapper metadata is kept there.
|
||||
|
@ -210,10 +210,10 @@ kernel_read_system_state(newrole_t)
|
||||
kernel_read_kernel_sysctl(newrole_t)
|
||||
kernel_get_selinuxfs_mount_point(newrole_t)
|
||||
kernel_validate_selinux_context(newrole_t)
|
||||
kernel_compute_selinux_av(newrole_t)
|
||||
kernel_compute_create(newrole_t)
|
||||
kernel_compute_relabel(newrole_t)
|
||||
kernel_compute_reachable_user_contexts(newrole_t)
|
||||
kernel_compute_selinux_access_vector(newrole_t)
|
||||
kernel_compute_selinux_create_context(newrole_t)
|
||||
kernel_compute_selinux_relabel_context(newrole_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(newrole_t)
|
||||
|
||||
devices_get_pseudorandom_data(newrole_t)
|
||||
|
||||
@ -299,10 +299,10 @@ kernel_use_file_descriptors(restorecon_t)
|
||||
kernel_read_system_state(restorecon_t)
|
||||
kernel_get_selinuxfs_mount_point(restorecon_t)
|
||||
kernel_validate_selinux_context(restorecon_t)
|
||||
kernel_compute_selinux_av(restorecon_t)
|
||||
kernel_compute_create(restorecon_t)
|
||||
kernel_compute_relabel(restorecon_t)
|
||||
kernel_compute_reachable_user_contexts(restorecon_t)
|
||||
kernel_compute_selinux_access_vector(restorecon_t)
|
||||
kernel_compute_selinux_create_context(restorecon_t)
|
||||
kernel_compute_selinux_relabel_context(restorecon_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(restorecon_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(restorecon_t)
|
||||
|
||||
@ -367,10 +367,10 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
|
||||
kernel_read_system_state(setfiles_t)
|
||||
kernel_get_selinuxfs_mount_point(setfiles_t)
|
||||
kernel_validate_selinux_context(setfiles_t)
|
||||
kernel_compute_selinux_av(setfiles_t)
|
||||
kernel_compute_create(setfiles_t)
|
||||
kernel_compute_relabel(setfiles_t)
|
||||
kernel_compute_reachable_user_contexts(setfiles_t)
|
||||
kernel_compute_selinux_access_vector(setfiles_t)
|
||||
kernel_compute_selinux_create_context(setfiles_t)
|
||||
kernel_compute_selinux_relabel_context(setfiles_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(setfiles_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(setfiles_t)
|
||||
|
||||
|
@ -210,10 +210,10 @@ kernel_read_system_state(newrole_t)
|
||||
kernel_read_kernel_sysctl(newrole_t)
|
||||
kernel_get_selinuxfs_mount_point(newrole_t)
|
||||
kernel_validate_selinux_context(newrole_t)
|
||||
kernel_compute_selinux_av(newrole_t)
|
||||
kernel_compute_create(newrole_t)
|
||||
kernel_compute_relabel(newrole_t)
|
||||
kernel_compute_reachable_user_contexts(newrole_t)
|
||||
kernel_compute_selinux_access_vector(newrole_t)
|
||||
kernel_compute_selinux_create_context(newrole_t)
|
||||
kernel_compute_selinux_relabel_context(newrole_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(newrole_t)
|
||||
|
||||
devices_get_pseudorandom_data(newrole_t)
|
||||
|
||||
@ -299,10 +299,10 @@ kernel_use_file_descriptors(restorecon_t)
|
||||
kernel_read_system_state(restorecon_t)
|
||||
kernel_get_selinuxfs_mount_point(restorecon_t)
|
||||
kernel_validate_selinux_context(restorecon_t)
|
||||
kernel_compute_selinux_av(restorecon_t)
|
||||
kernel_compute_create(restorecon_t)
|
||||
kernel_compute_relabel(restorecon_t)
|
||||
kernel_compute_reachable_user_contexts(restorecon_t)
|
||||
kernel_compute_selinux_access_vector(restorecon_t)
|
||||
kernel_compute_selinux_create_context(restorecon_t)
|
||||
kernel_compute_selinux_relabel_context(restorecon_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(restorecon_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(restorecon_t)
|
||||
|
||||
@ -367,10 +367,10 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
|
||||
kernel_read_system_state(setfiles_t)
|
||||
kernel_get_selinuxfs_mount_point(setfiles_t)
|
||||
kernel_validate_selinux_context(setfiles_t)
|
||||
kernel_compute_selinux_av(setfiles_t)
|
||||
kernel_compute_create(setfiles_t)
|
||||
kernel_compute_relabel(setfiles_t)
|
||||
kernel_compute_reachable_user_contexts(setfiles_t)
|
||||
kernel_compute_selinux_access_vector(setfiles_t)
|
||||
kernel_compute_selinux_create_context(setfiles_t)
|
||||
kernel_compute_selinux_relabel_context(setfiles_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(setfiles_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(setfiles_t)
|
||||
|
||||
|
@ -71,10 +71,10 @@ kernel_read_kernel_sysctl(udev_t)
|
||||
kernel_read_hardware_state(udev_t)
|
||||
kernel_get_selinuxfs_mount_point(udev_t)
|
||||
kernel_validate_selinux_context(udev_t)
|
||||
kernel_compute_selinux_av(udev_t)
|
||||
kernel_compute_create(udev_t)
|
||||
kernel_compute_relabel(udev_t)
|
||||
kernel_compute_reachable_user_contexts(udev_t)
|
||||
kernel_compute_selinux_access_vector(udev_t)
|
||||
kernel_compute_selinux_create_context(udev_t)
|
||||
kernel_compute_selinux_relabel_context(udev_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(udev_t)
|
||||
|
||||
devices_manage_device_nodes(udev_t)
|
||||
|
||||
|