reorder for more consistency

This commit is contained in:
Chris PeBenito 2005-05-11 15:22:28 +00:00
parent dec1686f0b
commit 1832271029

View File

@ -33,17 +33,17 @@ files_make_file(update_modules_tmp_t)
# insmod local policy # insmod local policy
# #
allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
# Read module config and dependency information
allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
allow insmod_t self:capability { dac_override net_raw sys_tty_config }; allow insmod_t self:capability { dac_override net_raw sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow insmod_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow insmod_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow insmod_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
# Read module config and dependency information
allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
kernel_transition_from(insmod_t,insmod_exec_t) kernel_transition_from(insmod_t,insmod_exec_t)
kernel_load_module(insmod_t) kernel_load_module(insmod_t)
@ -192,6 +192,7 @@ dontaudit update_modules_t depmod_t : process { noatsecure siginh rlimitinh };
allow update_modules_t update_modules_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; allow update_modules_t update_modules_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow update_modules_t update_modules_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow update_modules_t update_modules_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
kernel_read_kernel_sysctl(update_modules_t) kernel_read_kernel_sysctl(update_modules_t)
kernel_read_system_state(update_modules_t) kernel_read_system_state(update_modules_t)
@ -211,7 +212,6 @@ domain_use_widely_inheritable_file_descriptors(depmod_t)
files_read_runtime_system_config(update_modules_t) files_read_runtime_system_config(update_modules_t)
files_read_general_system_config(update_modules_t) files_read_general_system_config(update_modules_t)
files_execute_system_config_script(update_modules_t) files_execute_system_config_script(update_modules_t)
files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
corecommands_execute_general_programs(update_modules_t) corecommands_execute_general_programs(update_modules_t)
corecommands_execute_system_programs(update_modules_t) corecommands_execute_system_programs(update_modules_t)