renaming from 20060131 interface review
parent
1576102e39
commit
207c47630c
@ -56,7 +56,7 @@ dev_read_sysfs(kudzu_t)
|
|||||||
dev_rx_raw_memory(kudzu_t)
|
dev_rx_raw_memory(kudzu_t)
|
||||||
dev_wx_raw_memory(kudzu_t)
|
dev_wx_raw_memory(kudzu_t)
|
||||||
dev_rw_mouse(kudzu_t)
|
dev_rw_mouse(kudzu_t)
|
||||||
dev_rwx_zero_dev(kudzu_t)
|
dev_rwx_zero(kudzu_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(kudzu_t)
|
fs_search_auto_mountpoints(kudzu_t)
|
||||||
fs_search_ramfs(kudzu_t)
|
fs_search_ramfs(kudzu_t)
|
||||||
|
@ -30,8 +30,8 @@ kernel_read_system_state(readahead_t)
|
|||||||
kernel_dontaudit_getattr_core(readahead_t)
|
kernel_dontaudit_getattr_core(readahead_t)
|
||||||
|
|
||||||
dev_read_sysfs(readahead_t)
|
dev_read_sysfs(readahead_t)
|
||||||
dev_getattr_generic_chr_file(readahead_t)
|
dev_getattr_generic_chr_files(readahead_t)
|
||||||
dev_getattr_generic_blk_file(readahead_t)
|
dev_getattr_generic_blk_files(readahead_t)
|
||||||
dev_getattr_all_chr_files(readahead_t)
|
dev_getattr_all_chr_files(readahead_t)
|
||||||
dev_getattr_all_blk_files(readahead_t)
|
dev_getattr_all_blk_files(readahead_t)
|
||||||
dev_dontaudit_read_all_blk_files(readahead_t)
|
dev_dontaudit_read_all_blk_files(readahead_t)
|
||||||
|
@ -260,8 +260,8 @@ kernel_read_system_state(rpm_script_t)
|
|||||||
dev_list_sysfs(rpm_script_t)
|
dev_list_sysfs(rpm_script_t)
|
||||||
|
|
||||||
# ideally we would not need this
|
# ideally we would not need this
|
||||||
dev_manage_generic_blk_file(rpm_script_t)
|
dev_manage_generic_blk_files(rpm_script_t)
|
||||||
dev_manage_generic_chr_file(rpm_script_t)
|
dev_manage_generic_chr_files(rpm_script_t)
|
||||||
dev_manage_all_blk_files(rpm_script_t)
|
dev_manage_all_blk_files(rpm_script_t)
|
||||||
dev_manage_all_chr_files(rpm_script_t)
|
dev_manage_all_chr_files(rpm_script_t)
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ allow vbetool_t self:process execmem;
|
|||||||
|
|
||||||
dev_wx_raw_memory(vbetool_t)
|
dev_wx_raw_memory(vbetool_t)
|
||||||
dev_read_raw_memory(vbetool_t)
|
dev_read_raw_memory(vbetool_t)
|
||||||
dev_rwx_zero_dev(vbetool_t)
|
dev_rwx_zero(vbetool_t)
|
||||||
dev_read_sysfs(vbetool_t)
|
dev_read_sysfs(vbetool_t)
|
||||||
|
|
||||||
libs_use_ld_so(vbetool_t)
|
libs_use_ld_so(vbetool_t)
|
||||||
|
@ -96,8 +96,8 @@ template(`java_per_userdomain_template',`
|
|||||||
corenet_udp_bind_all_nodes($1_javaplugin_t)
|
corenet_udp_bind_all_nodes($1_javaplugin_t)
|
||||||
corenet_tcp_connect_all_ports($1_javaplugin_t)
|
corenet_tcp_connect_all_ports($1_javaplugin_t)
|
||||||
|
|
||||||
dev_read_snd_dev($1_javaplugin_t)
|
dev_read_sound($1_javaplugin_t)
|
||||||
dev_write_snd_dev($1_javaplugin_t)
|
dev_write_sound($1_javaplugin_t)
|
||||||
dev_read_urand($1_javaplugin_t)
|
dev_read_urand($1_javaplugin_t)
|
||||||
dev_read_rand($1_javaplugin_t)
|
dev_read_rand($1_javaplugin_t)
|
||||||
|
|
||||||
|
@ -110,7 +110,7 @@ dev_getattr_all_blk_files(bootloader_t)
|
|||||||
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
|
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
|
||||||
dev_read_rand(bootloader_t)
|
dev_read_rand(bootloader_t)
|
||||||
dev_read_urand(bootloader_t)
|
dev_read_urand(bootloader_t)
|
||||||
dev_getattr_sysfs_dir(bootloader_t)
|
dev_getattr_sysfs_dirs(bootloader_t)
|
||||||
# for reading BIOS data
|
# for reading BIOS data
|
||||||
dev_read_raw_memory(bootloader_t)
|
dev_read_raw_memory(bootloader_t)
|
||||||
|
|
||||||
|
@ -96,7 +96,7 @@ interface(`dev_list_all_dev_nodes',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_setattr_dev_dir',`
|
interface(`dev_setattr_generic_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -128,7 +128,7 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
|
|||||||
## Domain allowed to create the directory.
|
## Domain allowed to create the directory.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_create_dir',`
|
interface(`dev_create_generic_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -144,7 +144,7 @@ interface(`dev_create_dir',`
|
|||||||
## Domain allowed to relabel.
|
## Domain allowed to relabel.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_relabel_dev_dirs',`
|
interface(`dev_relabel_generic_dev_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -160,7 +160,7 @@ interface(`dev_relabel_dev_dirs',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_rw_generic_file',`
|
interface(`dev_rw_generic_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -177,7 +177,7 @@ interface(`dev_rw_generic_file',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_delete_generic_file',`
|
interface(`dev_delete_generic_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -194,7 +194,7 @@ interface(`dev_delete_generic_file',`
|
|||||||
## Domain to dontaudit.
|
## Domain to dontaudit.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_getattr_generic_pipe',`
|
interface(`dev_dontaudit_getattr_generic_pipes',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -210,7 +210,7 @@ interface(`dev_dontaudit_getattr_generic_pipe',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_generic_blk_file',`
|
interface(`dev_getattr_generic_blk_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -227,7 +227,7 @@ interface(`dev_getattr_generic_blk_file',`
|
|||||||
## Domain to dontaudit access.
|
## Domain to dontaudit access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_getattr_generic_blk_file',`
|
interface(`dev_dontaudit_getattr_generic_blk_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -243,7 +243,7 @@ interface(`dev_dontaudit_getattr_generic_blk_file',`
|
|||||||
## Domain to dontaudit access.
|
## Domain to dontaudit access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_setattr_generic_blk_file',`
|
interface(`dev_dontaudit_setattr_generic_blk_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -259,7 +259,7 @@ interface(`dev_dontaudit_setattr_generic_blk_file',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_create_generic_chr_file',`
|
interface(`dev_create_generic_chr_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -278,7 +278,7 @@ interface(`dev_create_generic_chr_file',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_generic_chr_file',`
|
interface(`dev_getattr_generic_chr_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -295,7 +295,7 @@ interface(`dev_getattr_generic_chr_file',`
|
|||||||
## Domain to dontaudit access.
|
## Domain to dontaudit access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_getattr_generic_chr_file',`
|
interface(`dev_dontaudit_getattr_generic_chr_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -311,7 +311,7 @@ interface(`dev_dontaudit_getattr_generic_chr_file',`
|
|||||||
## Domain to dontaudit access.
|
## Domain to dontaudit access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_setattr_generic_chr_file',`
|
interface(`dev_dontaudit_setattr_generic_chr_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -328,7 +328,7 @@ interface(`dev_dontaudit_setattr_generic_chr_file',`
|
|||||||
## Domain to not audit.
|
## Domain to not audit.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_setattr_generic_symlink',`
|
interface(`dev_dontaudit_setattr_generic_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -344,7 +344,7 @@ interface(`dev_dontaudit_setattr_generic_symlink',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_del_generic_symlinks',`
|
interface(`dev_delete_generic_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -395,7 +395,7 @@ interface(`dev_relabel_generic_symlinks',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_manage_dev_nodes',`
|
interface(`dev_manage_all_dev_nodes',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute device_node, memory_raw_read, memory_raw_write;
|
attribute device_node, memory_raw_read, memory_raw_write;
|
||||||
type device_t;
|
type device_t;
|
||||||
@ -442,7 +442,7 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_manage_generic_blk_file',`
|
interface(`dev_manage_generic_blk_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -459,7 +459,7 @@ interface(`dev_manage_generic_blk_file',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_manage_generic_chr_file',`
|
interface(`dev_manage_generic_chr_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -484,7 +484,7 @@ interface(`dev_manage_generic_chr_file',`
|
|||||||
## the transition will occur.
|
## the transition will occur.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_filetrans_dev_node',`
|
interface(`dev_filetrans_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
@ -695,7 +695,7 @@ interface(`dev_getattr_agp_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_rw_agp_dev',`
|
interface(`dev_rw_agp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, agp_device_t;
|
type device_t, agp_device_t;
|
||||||
')
|
')
|
||||||
@ -712,7 +712,7 @@ interface(`dev_rw_agp_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_apm_bios',`
|
interface(`dev_getattr_apm_bios_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, apm_bios_t;
|
type device_t, apm_bios_t;
|
||||||
')
|
')
|
||||||
@ -730,7 +730,7 @@ interface(`dev_getattr_apm_bios',`
|
|||||||
## Domain to not audit.
|
## Domain to not audit.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_getattr_apm_bios',`
|
interface(`dev_dontaudit_getattr_apm_bios_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type apm_bios_t;
|
type apm_bios_t;
|
||||||
')
|
')
|
||||||
@ -746,7 +746,7 @@ interface(`dev_dontaudit_getattr_apm_bios',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_setattr_apm_bios',`
|
interface(`dev_setattr_apm_bios_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, apm_bios_t;
|
type device_t, apm_bios_t;
|
||||||
')
|
')
|
||||||
@ -764,7 +764,7 @@ interface(`dev_setattr_apm_bios',`
|
|||||||
## Domain to not audit.
|
## Domain to not audit.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_setattr_apm_bios',`
|
interface(`dev_dontaudit_setattr_apm_bios_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type apm_bios_t;
|
type apm_bios_t;
|
||||||
')
|
')
|
||||||
@ -832,7 +832,7 @@ interface(`dev_dontaudit_rw_cardmgr',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_manage_cardmgr',`
|
interface(`dev_manage_cardmgr_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, cardmgr_dev_t;
|
type device_t, cardmgr_dev_t;
|
||||||
')
|
')
|
||||||
@ -851,7 +851,7 @@ interface(`dev_manage_cardmgr',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_create_cardmgr',`
|
interface(`dev_create_cardmgr_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, cardmgr_dev_t;
|
type device_t, cardmgr_dev_t;
|
||||||
')
|
')
|
||||||
@ -870,7 +870,7 @@ interface(`dev_create_cardmgr',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_cpu',`
|
interface(`dev_getattr_cpu_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, cpu_device_t;
|
type device_t, cpu_device_t;
|
||||||
')
|
')
|
||||||
@ -939,7 +939,7 @@ interface(`dev_rw_crypto',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_rw_dri_dev',`
|
interface(`dev_rw_dri',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, dri_device_t;
|
type device_t, dri_device_t;
|
||||||
')
|
')
|
||||||
@ -956,7 +956,7 @@ interface(`dev_rw_dri_dev',`
|
|||||||
## Domain to dontaudit access.
|
## Domain to dontaudit access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_rw_dri_dev',`
|
interface(`dev_dontaudit_rw_dri',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type dri_device_t;
|
type dri_device_t;
|
||||||
')
|
')
|
||||||
@ -1024,7 +1024,7 @@ interface(`dev_rw_input_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_framebuffer',`
|
interface(`dev_getattr_framebuffer_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, framebuf_device_t;
|
type device_t, framebuf_device_t;
|
||||||
')
|
')
|
||||||
@ -1041,7 +1041,7 @@ interface(`dev_getattr_framebuffer',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_setattr_framebuffer',`
|
interface(`dev_setattr_framebuffer_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, framebuf_device_t;
|
type device_t, framebuf_device_t;
|
||||||
')
|
')
|
||||||
@ -1059,7 +1059,7 @@ interface(`dev_setattr_framebuffer',`
|
|||||||
## Domain to not audit.
|
## Domain to not audit.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_setattr_framebuffer',`
|
interface(`dev_dontaudit_setattr_framebuffer_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type framebuf_device_t;
|
type framebuf_device_t;
|
||||||
')
|
')
|
||||||
@ -1176,7 +1176,7 @@ interface(`dev_rw_lvm_control',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_delete_lvm_control',`
|
interface(`dev_delete_lvm_control_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, lvm_control_t;
|
type device_t, lvm_control_t;
|
||||||
')
|
')
|
||||||
@ -1285,7 +1285,7 @@ interface(`dev_wx_raw_memory',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_misc',`
|
interface(`dev_getattr_misc_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, misc_device_t;
|
type device_t, misc_device_t;
|
||||||
')
|
')
|
||||||
@ -1303,7 +1303,7 @@ interface(`dev_getattr_misc',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_getattr_misc',`
|
interface(`dev_dontaudit_getattr_misc_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type misc_device_t;
|
type misc_device_t;
|
||||||
')
|
')
|
||||||
@ -1319,7 +1319,7 @@ interface(`dev_dontaudit_getattr_misc',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_setattr_misc',`
|
interface(`dev_setattr_misc_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, misc_device_t;
|
type device_t, misc_device_t;
|
||||||
')
|
')
|
||||||
@ -1337,7 +1337,7 @@ interface(`dev_setattr_misc',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_setattr_misc',`
|
interface(`dev_dontaudit_setattr_misc_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type misc_device_t;
|
type misc_device_t;
|
||||||
')
|
')
|
||||||
@ -1403,7 +1403,7 @@ interface(`dev_dontaudit_rw_misc',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_mouse',`
|
interface(`dev_getattr_mouse_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, mouse_device_t;
|
type device_t, mouse_device_t;
|
||||||
')
|
')
|
||||||
@ -1420,7 +1420,7 @@ interface(`dev_getattr_mouse',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_setattr_mouse',`
|
interface(`dev_setattr_mouse_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, mouse_device_t;
|
type device_t, mouse_device_t;
|
||||||
')
|
')
|
||||||
@ -1471,7 +1471,7 @@ interface(`dev_rw_mouse',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_mtrr',`
|
interface(`dev_getattr_mtrr_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, mtrr_device_t;
|
type device_t, mtrr_device_t;
|
||||||
')
|
')
|
||||||
@ -1537,7 +1537,7 @@ interface(`dev_rw_mtrr',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_rw_null_dev',`
|
interface(`dev_rw_null',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, null_device_t;
|
type device_t, null_device_t;
|
||||||
')
|
')
|
||||||
@ -1554,7 +1554,7 @@ interface(`dev_rw_null_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_setattr_printer',`
|
interface(`dev_setattr_printer_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, printer_device_t;
|
type device_t, printer_device_t;
|
||||||
')
|
')
|
||||||
@ -1707,7 +1707,7 @@ interface(`dev_rw_realtime_clock',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_scanner',`
|
interface(`dev_getattr_scanner_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, scanner_device_t;
|
type device_t, scanner_device_t;
|
||||||
')
|
')
|
||||||
@ -1725,7 +1725,7 @@ interface(`dev_getattr_scanner',`
|
|||||||
## Domain to not audit.
|
## Domain to not audit.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_getattr_scanner',`
|
interface(`dev_dontaudit_getattr_scanner_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type scanner_device_t;
|
type scanner_device_t;
|
||||||
')
|
')
|
||||||
@ -1741,7 +1741,7 @@ interface(`dev_dontaudit_getattr_scanner',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_setattr_scanner',`
|
interface(`dev_setattr_scanner_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, scanner_device_t;
|
type device_t, scanner_device_t;
|
||||||
')
|
')
|
||||||
@ -1759,7 +1759,7 @@ interface(`dev_setattr_scanner',`
|
|||||||
## Domain to not audit.
|
## Domain to not audit.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_setattr_scanner',`
|
interface(`dev_dontaudit_setattr_scanner_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type scanner_device_t;
|
type scanner_device_t;
|
||||||
')
|
')
|
||||||
@ -1792,7 +1792,7 @@ interface(`dev_rw_scanner',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_snd_dev',`
|
interface(`dev_getattr_sound_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, sound_device_t;
|
type device_t, sound_device_t;
|
||||||
')
|
')
|
||||||
@ -1809,7 +1809,7 @@ interface(`dev_getattr_snd_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_setattr_snd_dev',`
|
interface(`dev_setattr_sound_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, sound_device_t;
|
type device_t, sound_device_t;
|
||||||
')
|
')
|
||||||
@ -1826,7 +1826,7 @@ interface(`dev_setattr_snd_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_read_snd_dev',`
|
interface(`dev_read_sound',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, sound_device_t;
|
type device_t, sound_device_t;
|
||||||
')
|
')
|
||||||
@ -1843,7 +1843,7 @@ interface(`dev_read_snd_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_write_snd_dev',`
|
interface(`dev_write_sound',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, sound_device_t;
|
type device_t, sound_device_t;
|
||||||
')
|
')
|
||||||
@ -1860,7 +1860,7 @@ interface(`dev_write_snd_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_read_snd_mixer_dev',`
|
interface(`dev_read_sound_mixer',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, sound_device_t;
|
type device_t, sound_device_t;
|
||||||
')
|
')
|
||||||
@ -1877,7 +1877,7 @@ interface(`dev_read_snd_mixer_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_write_snd_mixer_dev',`
|
interface(`dev_write_sound_mixer',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, sound_device_t;
|
type device_t, sound_device_t;
|
||||||
')
|
')
|
||||||
@ -1894,7 +1894,7 @@ interface(`dev_write_snd_mixer_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_power_management',`
|
interface(`dev_getattr_power_mgmt_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, power_device_t;
|
type device_t, power_device_t;
|
||||||
')
|
')
|
||||||
@ -1911,7 +1911,7 @@ interface(`dev_getattr_power_management',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_setattr_power_management',`
|
interface(`dev_setattr_power_mgmt_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, power_device_t;
|
type device_t, power_device_t;
|
||||||
')
|
')
|
||||||
@ -1945,7 +1945,7 @@ interface(`dev_rw_power_management',`
|
|||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_sysfs_dir',`
|
interface(`dev_getattr_sysfs_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type sysfs_t;
|
type sysfs_t;
|
||||||
')
|
')
|
||||||
@ -2111,7 +2111,7 @@ interface(`dev_associate_usbfs',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_usbfs_dir',`
|
interface(`dev_getattr_usbfs_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type usbfs_t;
|
type usbfs_t;
|
||||||
')
|
')
|
||||||
@ -2128,7 +2128,7 @@ interface(`dev_getattr_usbfs_dir',`
|
|||||||
## Domain to not audit.
|
## Domain to not audit.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_dontaudit_getattr_usbfs_dir',`
|
interface(`dev_dontaudit_getattr_usbfs_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type usbfs_t;
|
type usbfs_t;
|
||||||
')
|
')
|
||||||
@ -2316,7 +2316,7 @@ interface(`dev_setattr_xserver_misc_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_rw_xserver_misc_dev',`
|
interface(`dev_rw_xserver_misc',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, xserver_misc_device_t;
|
type device_t, xserver_misc_device_t;
|
||||||
')
|
')
|
||||||
@ -2333,7 +2333,7 @@ interface(`dev_rw_xserver_misc_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_rw_zero_dev',`
|
interface(`dev_rw_zero',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, zero_device_t;
|
type device_t, zero_device_t;
|
||||||
')
|
')
|
||||||
@ -2350,12 +2350,12 @@ interface(`dev_rw_zero_dev',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_rwx_zero_dev',`
|
interface(`dev_rwx_zero',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type zero_device_t;
|
type zero_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_rw_zero_dev($1)
|
dev_rw_zero($1)
|
||||||
allow $1 zero_device_t:chr_file execute;
|
allow $1 zero_device_t:chr_file execute;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -65,8 +65,8 @@ interface(`domain_type',`
|
|||||||
domain_base_type($1)
|
domain_base_type($1)
|
||||||
|
|
||||||
# Use trusted objects in /dev
|
# Use trusted objects in /dev
|
||||||
dev_rw_null_dev($1)
|
dev_rw_null($1)
|
||||||
dev_rw_zero_dev($1)
|
dev_rw_zero($1)
|
||||||
term_use_controlling_term($1)
|
term_use_controlling_term($1)
|
||||||
|
|
||||||
# read the root directory
|
# read the root directory
|
||||||
|
@ -165,7 +165,7 @@ interface(`storage_create_fixed_disk',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||||
dev_filetrans_dev_node($1,fixed_disk_device_t,blk_file)
|
dev_filetrans_dev($1,fixed_disk_device_t,blk_file)
|
||||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -181,7 +181,7 @@ template(`apache_content_template',`
|
|||||||
miscfiles_read_localization(httpd_$1_script_t)
|
miscfiles_read_localization(httpd_$1_script_t)
|
||||||
|
|
||||||
# added back to make sediff nicer
|
# added back to make sediff nicer
|
||||||
dev_rw_null_dev(httpd_$1_script_t)
|
dev_rw_null(httpd_$1_script_t)
|
||||||
term_use_controlling_term(httpd_$1_script_t)
|
term_use_controlling_term(httpd_$1_script_t)
|
||||||
allow httpd_$1_script_t self:dir r_dir_perms;
|
allow httpd_$1_script_t self:dir r_dir_perms;
|
||||||
allow httpd_$1_script_t self:file r_file_perms;
|
allow httpd_$1_script_t self:file r_file_perms;
|
||||||
|
@ -43,7 +43,7 @@ files_filetrans_pid(gpm_t,gpm_var_run_t)
|
|||||||
|
|
||||||
allow gpm_t gpmctl_t:sock_file create_file_perms;
|
allow gpm_t gpmctl_t:sock_file create_file_perms;
|
||||||
allow gpm_t gpmctl_t:fifo_file create_file_perms;
|
allow gpm_t gpmctl_t:fifo_file create_file_perms;
|
||||||
dev_filetrans_dev_node(gpm_t,gpmctl_t,{ sock_file fifo_file })
|
dev_filetrans_dev(gpm_t,gpmctl_t,{ sock_file fifo_file })
|
||||||
|
|
||||||
# cjp: this has no effect
|
# cjp: this has no effect
|
||||||
allow gpm_t gpmctl_t:unix_stream_socket name_bind;
|
allow gpm_t gpmctl_t:unix_stream_socket name_bind;
|
||||||
|
@ -74,7 +74,7 @@ dev_read_mouse(hald_t)
|
|||||||
dev_rw_printer(hald_t)
|
dev_rw_printer(hald_t)
|
||||||
dev_read_lvm_control(hald_t)
|
dev_read_lvm_control(hald_t)
|
||||||
dev_getattr_all_chr_files(hald_t)
|
dev_getattr_all_chr_files(hald_t)
|
||||||
dev_manage_generic_chr_file(hald_t)
|
dev_manage_generic_chr_files(hald_t)
|
||||||
# hal is now execing pm-suspend
|
# hal is now execing pm-suspend
|
||||||
dev_rw_sysfs(hald_t)
|
dev_rw_sysfs(hald_t)
|
||||||
|
|
||||||
|
@ -149,7 +149,7 @@ can_exec(lpd_t, printconf_t)
|
|||||||
|
|
||||||
# Create and bind to /dev/printer.
|
# Create and bind to /dev/printer.
|
||||||
allow lpd_t printer_t:lnk_file create_lnk_perms;
|
allow lpd_t printer_t:lnk_file create_lnk_perms;
|
||||||
dev_filetrans_dev_node(lpd_t,printer_t,lnk_file)
|
dev_filetrans_dev(lpd_t,printer_t,lnk_file)
|
||||||
# cjp: I believe these have no effect:
|
# cjp: I believe these have no effect:
|
||||||
allow lpd_t printer_t:unix_stream_socket name_bind;
|
allow lpd_t printer_t:unix_stream_socket name_bind;
|
||||||
allow lpd_t printer_t:unix_dgram_socket name_bind;
|
allow lpd_t printer_t:unix_dgram_socket name_bind;
|
||||||
|
@ -45,8 +45,8 @@ files_filetrans_tmp(remote_login_t, remote_login_tmp_t, { file dir })
|
|||||||
kernel_read_system_state(remote_login_t)
|
kernel_read_system_state(remote_login_t)
|
||||||
kernel_read_kernel_sysctl(remote_login_t)
|
kernel_read_kernel_sysctl(remote_login_t)
|
||||||
|
|
||||||
dev_getattr_mouse(remote_login_t)
|
dev_getattr_mouse_dev(remote_login_t)
|
||||||
dev_setattr_mouse(remote_login_t)
|
dev_setattr_mouse_dev(remote_login_t)
|
||||||
dev_dontaudit_search_sysfs(remote_login_t)
|
dev_dontaudit_search_sysfs(remote_login_t)
|
||||||
# for SSP/ProPolice
|
# for SSP/ProPolice
|
||||||
dev_read_urand(remote_login_t)
|
dev_read_urand(remote_login_t)
|
||||||
|
@ -247,7 +247,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
|
|||||||
|
|
||||||
dev_read_sysfs(smbd_t)
|
dev_read_sysfs(smbd_t)
|
||||||
dev_read_urand(smbd_t)
|
dev_read_urand(smbd_t)
|
||||||
dev_dontaudit_getattr_usbfs_dir(smbd_t)
|
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(smbd_t)
|
fs_getattr_all_fs(smbd_t)
|
||||||
fs_get_xattr_fs_quotas(smbd_t)
|
fs_get_xattr_fs_quotas(smbd_t)
|
||||||
@ -390,7 +390,7 @@ corenet_udp_bind_all_nodes(nmbd_t)
|
|||||||
corenet_udp_bind_nmbd_port(nmbd_t)
|
corenet_udp_bind_nmbd_port(nmbd_t)
|
||||||
|
|
||||||
dev_read_sysfs(nmbd_t)
|
dev_read_sysfs(nmbd_t)
|
||||||
dev_getattr_mtrr(nmbd_t)
|
dev_getattr_mtrr_dev(nmbd_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(nmbd_t)
|
fs_getattr_all_fs(nmbd_t)
|
||||||
fs_search_auto_mountpoints(nmbd_t)
|
fs_search_auto_mountpoints(nmbd_t)
|
||||||
|
@ -52,8 +52,8 @@ corenet_tcp_bind_all_nodes(timidity_t)
|
|||||||
corenet_udp_bind_all_nodes(timidity_t)
|
corenet_udp_bind_all_nodes(timidity_t)
|
||||||
|
|
||||||
dev_read_sysfs(timidity_t)
|
dev_read_sysfs(timidity_t)
|
||||||
dev_read_snd_dev(timidity_t)
|
dev_read_sound(timidity_t)
|
||||||
dev_write_snd_dev(timidity_t)
|
dev_write_sound(timidity_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(timidity_t)
|
fs_search_auto_mountpoints(timidity_t)
|
||||||
|
|
||||||
|
@ -98,16 +98,16 @@ template(`xserver_common_domain_template',`
|
|||||||
dev_rw_mouse($1_xserver_t)
|
dev_rw_mouse($1_xserver_t)
|
||||||
dev_rw_mtrr($1_xserver_t)
|
dev_rw_mtrr($1_xserver_t)
|
||||||
dev_rw_apm_bios($1_xserver_t)
|
dev_rw_apm_bios($1_xserver_t)
|
||||||
dev_rw_agp_dev($1_xserver_t)
|
dev_rw_agp($1_xserver_t)
|
||||||
dev_rw_framebuffer($1_xserver_t)
|
dev_rw_framebuffer($1_xserver_t)
|
||||||
dev_manage_dri_dev($1_xserver_t)
|
dev_manage_dri_dev($1_xserver_t)
|
||||||
dev_create_dir($1_xserver_t)
|
dev_create_generic_dirs($1_xserver_t)
|
||||||
dev_setattr_dev_dir($1_xserver_t)
|
dev_setattr_generic_dirs($1_xserver_t)
|
||||||
# raw memory access is needed if not using the frame buffer
|
# raw memory access is needed if not using the frame buffer
|
||||||
dev_read_raw_memory($1_xserver_t)
|
dev_read_raw_memory($1_xserver_t)
|
||||||
dev_write_raw_memory($1_xserver_t)
|
dev_write_raw_memory($1_xserver_t)
|
||||||
# for other device nodes such as the NVidia binary-only driver
|
# for other device nodes such as the NVidia binary-only driver
|
||||||
dev_rw_xserver_misc_dev($1_xserver_t)
|
dev_rw_xserver_misc($1_xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev($1_xserver_t)
|
dev_rw_input_dev($1_xserver_t)
|
||||||
|
|
||||||
|
@ -117,27 +117,27 @@ corenet_dontaudit_tcp_bind_all_ports(xdm_t)
|
|||||||
dev_read_rand(xdm_t)
|
dev_read_rand(xdm_t)
|
||||||
dev_read_urand(xdm_t)
|
dev_read_urand(xdm_t)
|
||||||
dev_read_sysfs(xdm_t)
|
dev_read_sysfs(xdm_t)
|
||||||
dev_getattr_framebuffer(xdm_t)
|
dev_getattr_framebuffer_dev(xdm_t)
|
||||||
dev_setattr_framebuffer(xdm_t)
|
dev_setattr_framebuffer_dev(xdm_t)
|
||||||
dev_getattr_mouse(xdm_t)
|
dev_getattr_mouse_dev(xdm_t)
|
||||||
dev_setattr_mouse(xdm_t)
|
dev_setattr_mouse_dev(xdm_t)
|
||||||
dev_rw_apm_bios(xdm_t)
|
dev_rw_apm_bios(xdm_t)
|
||||||
dev_setattr_apm_bios(xdm_t)
|
dev_setattr_apm_bios_dev(xdm_t)
|
||||||
dev_rw_dri_dev(xdm_t)
|
dev_rw_dri(xdm_t)
|
||||||
dev_rw_agp_dev(xdm_t)
|
dev_rw_agp(xdm_t)
|
||||||
dev_getattr_xserver_misc_dev(xdm_t)
|
dev_getattr_xserver_misc_dev(xdm_t)
|
||||||
dev_setattr_xserver_misc_dev(xdm_t)
|
dev_setattr_xserver_misc_dev(xdm_t)
|
||||||
dev_getattr_misc(xdm_t)
|
dev_getattr_misc_dev(xdm_t)
|
||||||
dev_setattr_misc(xdm_t)
|
dev_setattr_misc_dev(xdm_t)
|
||||||
dev_dontaudit_rw_misc(xdm_t)
|
dev_dontaudit_rw_misc(xdm_t)
|
||||||
dev_getattr_video_dev(xdm_t)
|
dev_getattr_video_dev(xdm_t)
|
||||||
dev_setattr_video_dev(xdm_t)
|
dev_setattr_video_dev(xdm_t)
|
||||||
dev_getattr_scanner(xdm_t)
|
dev_getattr_scanner_dev(xdm_t)
|
||||||
dev_setattr_scanner(xdm_t)
|
dev_setattr_scanner_dev(xdm_t)
|
||||||
dev_getattr_snd_dev(xdm_t)
|
dev_getattr_sound_dev(xdm_t)
|
||||||
dev_setattr_snd_dev(xdm_t)
|
dev_setattr_sound_dev(xdm_t)
|
||||||
dev_getattr_power_management(xdm_t)
|
dev_getattr_power_mgmt_dev(xdm_t)
|
||||||
dev_setattr_power_management(xdm_t)
|
dev_setattr_power_mgmt_dev(xdm_t)
|
||||||
|
|
||||||
domain_use_wide_inherit_fd(xdm_t)
|
domain_use_wide_inherit_fd(xdm_t)
|
||||||
# Do not audit denied probes of /proc.
|
# Do not audit denied probes of /proc.
|
||||||
|
@ -77,7 +77,7 @@ corenet_tcp_bind_zebra_port(zebra_t)
|
|||||||
dev_associate_usbfs(zebra_var_run_t)
|
dev_associate_usbfs(zebra_var_run_t)
|
||||||
dev_list_all_dev_nodes(zebra_t)
|
dev_list_all_dev_nodes(zebra_t)
|
||||||
dev_read_sysfs(zebra_t)
|
dev_read_sysfs(zebra_t)
|
||||||
dev_rw_zero_dev(zebra_t)
|
dev_rw_zero(zebra_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(zebra_t)
|
fs_getattr_all_fs(zebra_t)
|
||||||
fs_search_auto_mountpoints(zebra_t)
|
fs_search_auto_mountpoints(zebra_t)
|
||||||
|
@ -151,20 +151,20 @@ kernel_use_fd(pam_console_t)
|
|||||||
kernel_read_system_state(pam_console_t)
|
kernel_read_system_state(pam_console_t)
|
||||||
|
|
||||||
dev_read_sysfs(pam_console_t)
|
dev_read_sysfs(pam_console_t)
|
||||||
dev_getattr_apm_bios(pam_console_t)
|
dev_getattr_apm_bios_dev(pam_console_t)
|
||||||
dev_setattr_apm_bios(pam_console_t)
|
dev_setattr_apm_bios_dev(pam_console_t)
|
||||||
dev_getattr_framebuffer(pam_console_t)
|
dev_getattr_framebuffer_dev(pam_console_t)
|
||||||
dev_setattr_framebuffer(pam_console_t)
|
dev_setattr_framebuffer_dev(pam_console_t)
|
||||||
dev_getattr_misc(pam_console_t)
|
dev_getattr_misc_dev(pam_console_t)
|
||||||
dev_setattr_misc(pam_console_t)
|
dev_setattr_misc_dev(pam_console_t)
|
||||||
dev_getattr_mouse(pam_console_t)
|
dev_getattr_mouse_dev(pam_console_t)
|
||||||
dev_setattr_mouse(pam_console_t)
|
dev_setattr_mouse_dev(pam_console_t)
|
||||||
dev_getattr_power_management(pam_console_t)
|
dev_getattr_power_mgmt_dev(pam_console_t)
|
||||||
dev_setattr_power_management(pam_console_t)
|
dev_setattr_power_mgmt_dev(pam_console_t)
|
||||||
dev_getattr_scanner(pam_console_t)
|
dev_getattr_scanner_dev(pam_console_t)
|
||||||
dev_setattr_scanner(pam_console_t)
|
dev_setattr_scanner_dev(pam_console_t)
|
||||||
dev_getattr_snd_dev(pam_console_t)
|
dev_getattr_sound_dev(pam_console_t)
|
||||||
dev_setattr_snd_dev(pam_console_t)
|
dev_setattr_sound_dev(pam_console_t)
|
||||||
dev_getattr_video_dev(pam_console_t)
|
dev_getattr_video_dev(pam_console_t)
|
||||||
dev_setattr_video_dev(pam_console_t)
|
dev_setattr_video_dev(pam_console_t)
|
||||||
dev_getattr_xserver_misc_dev(pam_console_t)
|
dev_getattr_xserver_misc_dev(pam_console_t)
|
||||||
|
@ -68,7 +68,7 @@ dev_search_usbfs(fsadm_t)
|
|||||||
# for swapon
|
# for swapon
|
||||||
dev_read_sysfs(fsadm_t)
|
dev_read_sysfs(fsadm_t)
|
||||||
# Access to /initrd devices
|
# Access to /initrd devices
|
||||||
dev_getattr_usbfs_dir(fsadm_t)
|
dev_getattr_usbfs_dirs(fsadm_t)
|
||||||
# Access to /dev/mapper/control
|
# Access to /dev/mapper/control
|
||||||
dev_rw_lvm_control(fsadm_t)
|
dev_rw_lvm_control(fsadm_t)
|
||||||
|
|
||||||
|
@ -66,8 +66,8 @@ corenet_udp_bind_all_nodes(hotplug_t)
|
|||||||
|
|
||||||
dev_rw_sysfs(hotplug_t)
|
dev_rw_sysfs(hotplug_t)
|
||||||
dev_read_usbfs(hotplug_t)
|
dev_read_usbfs(hotplug_t)
|
||||||
dev_setattr_printer(hotplug_t)
|
dev_setattr_printer_dev(hotplug_t)
|
||||||
dev_setattr_snd_dev(hotplug_t)
|
dev_setattr_sound_dev(hotplug_t)
|
||||||
# for SSP:
|
# for SSP:
|
||||||
dev_read_urand(hotplug_t)
|
dev_read_urand(hotplug_t)
|
||||||
|
|
||||||
|
@ -108,7 +108,7 @@ files_filetrans_pid(init_t,init_var_run_t)
|
|||||||
|
|
||||||
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
|
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
|
||||||
fs_associate_tmpfs(initctl_t)
|
fs_associate_tmpfs(initctl_t)
|
||||||
dev_filetrans_dev_node(init_t,initctl_t,fifo_file)
|
dev_filetrans_dev(init_t,initctl_t,fifo_file)
|
||||||
|
|
||||||
# Modify utmp.
|
# Modify utmp.
|
||||||
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||||
@ -264,14 +264,14 @@ dev_rw_sysfs(initrc_t)
|
|||||||
dev_list_usbfs(initrc_t)
|
dev_list_usbfs(initrc_t)
|
||||||
dev_read_framebuffer(initrc_t)
|
dev_read_framebuffer(initrc_t)
|
||||||
dev_read_realtime_clock(initrc_t)
|
dev_read_realtime_clock(initrc_t)
|
||||||
dev_read_snd_mixer_dev(initrc_t)
|
dev_read_sound_mixer(initrc_t)
|
||||||
dev_write_snd_mixer_dev(initrc_t)
|
dev_write_sound_mixer(initrc_t)
|
||||||
dev_setattr_all_chr_files(initrc_t)
|
dev_setattr_all_chr_files(initrc_t)
|
||||||
dev_read_lvm_control(initrc_t)
|
dev_read_lvm_control(initrc_t)
|
||||||
dev_delete_lvm_control(initrc_t)
|
dev_delete_lvm_control_dev(initrc_t)
|
||||||
dev_manage_generic_symlinks(initrc_t)
|
dev_manage_generic_symlinks(initrc_t)
|
||||||
# Wants to remove udev.tbl:
|
# Wants to remove udev.tbl:
|
||||||
dev_del_generic_symlinks(initrc_t)
|
dev_delete_generic_symlinks(initrc_t)
|
||||||
|
|
||||||
fs_register_binary_executable_type(initrc_t)
|
fs_register_binary_executable_type(initrc_t)
|
||||||
# rhgb-console writes to ramfs
|
# rhgb-console writes to ramfs
|
||||||
@ -382,7 +382,7 @@ userdom_read_all_user_files(initrc_t)
|
|||||||
userdom_use_sysadm_terms(initrc_t)
|
userdom_use_sysadm_terms(initrc_t)
|
||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
dev_setattr_dev_dir(initrc_t)
|
dev_setattr_generic_dirs(initrc_t)
|
||||||
|
|
||||||
fs_filetrans_tmpfs(initrc_t,initrc_var_run_t,dir)
|
fs_filetrans_tmpfs(initrc_t,initrc_var_run_t,dir)
|
||||||
|
|
||||||
@ -421,8 +421,8 @@ ifdef(`distro_redhat',`
|
|||||||
|
|
||||||
# These seem to be from the initrd
|
# These seem to be from the initrd
|
||||||
# during device initialization:
|
# during device initialization:
|
||||||
dev_create_dir(initrc_t)
|
dev_create_generic_dirs(initrc_t)
|
||||||
dev_rwx_zero_dev(initrc_t)
|
dev_rwx_zero(initrc_t)
|
||||||
dev_rx_raw_memory(initrc_t)
|
dev_rx_raw_memory(initrc_t)
|
||||||
dev_wx_raw_memory(initrc_t)
|
dev_wx_raw_memory(initrc_t)
|
||||||
storage_raw_read_fixed_disk(initrc_t)
|
storage_raw_read_fixed_disk(initrc_t)
|
||||||
@ -500,7 +500,7 @@ optional_policy(`bluetooth',`
|
|||||||
|
|
||||||
optional_policy(`cpucontrol',`
|
optional_policy(`cpucontrol',`
|
||||||
cpucontrol_stub(initrc_t)
|
cpucontrol_stub(initrc_t)
|
||||||
dev_getattr_cpu(initrc_t)
|
dev_getattr_cpu_dev(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`cups',`
|
optional_policy(`cups',`
|
||||||
@ -576,7 +576,7 @@ optional_policy(`lvm',`
|
|||||||
#allow initrc_t lvm_control_t:chr_file unlink;
|
#allow initrc_t lvm_control_t:chr_file unlink;
|
||||||
|
|
||||||
dev_read_lvm_control(initrc_t)
|
dev_read_lvm_control(initrc_t)
|
||||||
dev_create_generic_chr_file(initrc_t)
|
dev_create_generic_chr_files(initrc_t)
|
||||||
|
|
||||||
lvm_read_config(initrc_t)
|
lvm_read_config(initrc_t)
|
||||||
')
|
')
|
||||||
|
@ -61,25 +61,25 @@ files_filetrans_tmp(local_login_t, local_login_tmp_t, { file dir })
|
|||||||
kernel_read_system_state(local_login_t)
|
kernel_read_system_state(local_login_t)
|
||||||
kernel_read_kernel_sysctl(local_login_t)
|
kernel_read_kernel_sysctl(local_login_t)
|
||||||
|
|
||||||
dev_setattr_mouse(local_login_t)
|
dev_setattr_mouse_dev(local_login_t)
|
||||||
dev_getattr_mouse(local_login_t)
|
dev_getattr_mouse_dev(local_login_t)
|
||||||
dev_getattr_power_management(local_login_t)
|
dev_getattr_power_mgmt_dev(local_login_t)
|
||||||
dev_setattr_power_management(local_login_t)
|
dev_setattr_power_mgmt_dev(local_login_t)
|
||||||
dev_getattr_snd_dev(local_login_t)
|
dev_getattr_sound_dev(local_login_t)
|
||||||
dev_setattr_snd_dev(local_login_t)
|
dev_setattr_sound_dev(local_login_t)
|
||||||
dev_dontaudit_getattr_apm_bios(local_login_t)
|
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
|
||||||
dev_dontaudit_setattr_apm_bios(local_login_t)
|
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
|
||||||
dev_dontaudit_read_framebuffer(local_login_t)
|
dev_dontaudit_read_framebuffer(local_login_t)
|
||||||
dev_dontaudit_setattr_framebuffer(local_login_t)
|
dev_dontaudit_setattr_framebuffer_dev(local_login_t)
|
||||||
dev_dontaudit_getattr_generic_blk_file(local_login_t)
|
dev_dontaudit_getattr_generic_blk_files(local_login_t)
|
||||||
dev_dontaudit_setattr_generic_blk_file(local_login_t)
|
dev_dontaudit_setattr_generic_blk_files(local_login_t)
|
||||||
dev_dontaudit_getattr_generic_chr_file(local_login_t)
|
dev_dontaudit_getattr_generic_chr_files(local_login_t)
|
||||||
dev_dontaudit_setattr_generic_chr_file(local_login_t)
|
dev_dontaudit_setattr_generic_chr_files(local_login_t)
|
||||||
dev_dontaudit_setattr_generic_symlink(local_login_t)
|
dev_dontaudit_setattr_generic_symlinks(local_login_t)
|
||||||
dev_dontaudit_getattr_misc(local_login_t)
|
dev_dontaudit_getattr_misc_dev(local_login_t)
|
||||||
dev_dontaudit_setattr_misc(local_login_t)
|
dev_dontaudit_setattr_misc_dev(local_login_t)
|
||||||
dev_dontaudit_getattr_scanner(local_login_t)
|
dev_dontaudit_getattr_scanner_dev(local_login_t)
|
||||||
dev_dontaudit_setattr_scanner(local_login_t)
|
dev_dontaudit_setattr_scanner_dev(local_login_t)
|
||||||
dev_dontaudit_search_sysfs(local_login_t)
|
dev_dontaudit_search_sysfs(local_login_t)
|
||||||
dev_dontaudit_getattr_video_dev(local_login_t)
|
dev_dontaudit_getattr_video_dev(local_login_t)
|
||||||
dev_dontaudit_setattr_video_dev(local_login_t)
|
dev_dontaudit_setattr_video_dev(local_login_t)
|
||||||
|
@ -301,7 +301,7 @@ kernel_read_messages(syslogd_t)
|
|||||||
kernel_clear_ring_buffer(syslogd_t)
|
kernel_clear_ring_buffer(syslogd_t)
|
||||||
kernel_change_ring_buffer_level(syslogd_t)
|
kernel_change_ring_buffer_level(syslogd_t)
|
||||||
|
|
||||||
dev_filetrans_dev_node(syslogd_t,devlog_t,sock_file)
|
dev_filetrans_dev(syslogd_t,devlog_t,sock_file)
|
||||||
dev_read_sysfs(syslogd_t)
|
dev_read_sysfs(syslogd_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(syslogd_t)
|
fs_search_auto_mountpoints(syslogd_t)
|
||||||
|
@ -176,13 +176,13 @@ selinux_compute_create_context(lvm_t)
|
|||||||
selinux_compute_relabel_context(lvm_t)
|
selinux_compute_relabel_context(lvm_t)
|
||||||
selinux_compute_user_contexts(lvm_t)
|
selinux_compute_user_contexts(lvm_t)
|
||||||
|
|
||||||
dev_create_generic_chr_file(lvm_t)
|
dev_create_generic_chr_files(lvm_t)
|
||||||
dev_read_rand(lvm_t)
|
dev_read_rand(lvm_t)
|
||||||
dev_read_urand(lvm_t)
|
dev_read_urand(lvm_t)
|
||||||
dev_rw_lvm_control(lvm_t)
|
dev_rw_lvm_control(lvm_t)
|
||||||
dev_manage_generic_symlinks(lvm_t)
|
dev_manage_generic_symlinks(lvm_t)
|
||||||
dev_relabel_dev_dirs(lvm_t)
|
dev_relabel_generic_dev_dirs(lvm_t)
|
||||||
dev_manage_generic_blk_file(lvm_t)
|
dev_manage_generic_blk_files(lvm_t)
|
||||||
# Read /sys/block. Device mapper metadata is kept there.
|
# Read /sys/block. Device mapper metadata is kept there.
|
||||||
dev_read_sysfs(lvm_t)
|
dev_read_sysfs(lvm_t)
|
||||||
# cjp: this has no effect since LVM does not
|
# cjp: this has no effect since LVM does not
|
||||||
@ -192,9 +192,9 @@ dev_relabel_generic_symlinks(lvm_t)
|
|||||||
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
|
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
|
||||||
dev_dontaudit_read_all_chr_files(lvm_t)
|
dev_dontaudit_read_all_chr_files(lvm_t)
|
||||||
dev_dontaudit_read_all_blk_files(lvm_t)
|
dev_dontaudit_read_all_blk_files(lvm_t)
|
||||||
dev_dontaudit_getattr_generic_chr_file(lvm_t)
|
dev_dontaudit_getattr_generic_chr_files(lvm_t)
|
||||||
dev_dontaudit_getattr_generic_blk_file(lvm_t)
|
dev_dontaudit_getattr_generic_blk_files(lvm_t)
|
||||||
dev_dontaudit_getattr_generic_pipe(lvm_t)
|
dev_dontaudit_getattr_generic_pipes(lvm_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(lvm_t)
|
fs_getattr_xattr_fs(lvm_t)
|
||||||
fs_search_auto_mountpoints(lvm_t)
|
fs_search_auto_mountpoints(lvm_t)
|
||||||
|
@ -74,9 +74,9 @@ dev_search_sysfs(insmod_t)
|
|||||||
dev_search_usbfs(insmod_t)
|
dev_search_usbfs(insmod_t)
|
||||||
dev_write_mtrr(insmod_t)
|
dev_write_mtrr(insmod_t)
|
||||||
dev_read_urand(insmod_t)
|
dev_read_urand(insmod_t)
|
||||||
dev_rw_agp_dev(insmod_t)
|
dev_rw_agp(insmod_t)
|
||||||
dev_read_snd_dev(insmod_t)
|
dev_read_sound(insmod_t)
|
||||||
dev_write_snd_dev(insmod_t)
|
dev_write_sound(insmod_t)
|
||||||
dev_rw_apm_bios(insmod_t)
|
dev_rw_apm_bios(insmod_t)
|
||||||
# cjp: why is this needed? insmod cannot mounton any dir
|
# cjp: why is this needed? insmod cannot mounton any dir
|
||||||
# and it also transitions to mount
|
# and it also transitions to mount
|
||||||
|
@ -38,7 +38,7 @@ allow cardmgr_t self:unix_dgram_socket create_socket_perms;
|
|||||||
allow cardmgr_t self:unix_stream_socket create_socket_perms;
|
allow cardmgr_t self:unix_stream_socket create_socket_perms;
|
||||||
|
|
||||||
allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
|
allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
|
||||||
dev_filetrans_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
|
dev_filetrans_dev(cardmgr_t,cardmgr_lnk_t,lnk_file)
|
||||||
|
|
||||||
# Create stab file
|
# Create stab file
|
||||||
allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
|
allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
|
||||||
@ -55,8 +55,8 @@ kernel_dontaudit_getattr_message_if(cardmgr_t)
|
|||||||
bootloader_search_kernel_modules(cardmgr_t)
|
bootloader_search_kernel_modules(cardmgr_t)
|
||||||
|
|
||||||
dev_read_sysfs(cardmgr_t)
|
dev_read_sysfs(cardmgr_t)
|
||||||
dev_manage_cardmgr(cardmgr_t)
|
dev_manage_cardmgr_dev(cardmgr_t)
|
||||||
dev_create_cardmgr(cardmgr_t)
|
dev_create_cardmgr_dev(cardmgr_t)
|
||||||
dev_getattr_all_chr_files(cardmgr_t)
|
dev_getattr_all_chr_files(cardmgr_t)
|
||||||
dev_getattr_all_blk_files(cardmgr_t)
|
dev_getattr_all_blk_files(cardmgr_t)
|
||||||
# for SSP
|
# for SSP
|
||||||
|
@ -323,7 +323,7 @@ kernel_rw_pipe(restorecon_t)
|
|||||||
kernel_read_system_state(restorecon_t)
|
kernel_read_system_state(restorecon_t)
|
||||||
|
|
||||||
# cjp: why is this needed?
|
# cjp: why is this needed?
|
||||||
dev_rw_generic_file(restorecon_t)
|
dev_rw_generic_files(restorecon_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(restorecon_t)
|
fs_getattr_xattr_fs(restorecon_t)
|
||||||
fs_search_auto_mountpoints(restorecon_t)
|
fs_search_auto_mountpoints(restorecon_t)
|
||||||
|
@ -66,7 +66,7 @@ allow udev_t udev_etc_t:file r_file_perms;
|
|||||||
|
|
||||||
# create udev database in /dev/.udevdb
|
# create udev database in /dev/.udevdb
|
||||||
allow udev_t udev_tbl_t:file create_file_perms;
|
allow udev_t udev_tbl_t:file create_file_perms;
|
||||||
dev_filetrans_dev_node(udev_t,udev_tbl_t,file)
|
dev_filetrans_dev(udev_t,udev_tbl_t,file)
|
||||||
|
|
||||||
allow udev_t udev_var_run_t:file create_file_perms;
|
allow udev_t udev_var_run_t:file create_file_perms;
|
||||||
allow udev_t udev_var_run_t:dir rw_dir_perms;
|
allow udev_t udev_var_run_t:dir rw_dir_perms;
|
||||||
@ -85,9 +85,9 @@ kernel_sendto_unix_dgram_socket(udev_t)
|
|||||||
kernel_signal(udev_t)
|
kernel_signal(udev_t)
|
||||||
|
|
||||||
dev_rw_sysfs(udev_t)
|
dev_rw_sysfs(udev_t)
|
||||||
dev_manage_dev_nodes(udev_t)
|
dev_manage_all_dev_nodes(udev_t)
|
||||||
dev_rw_generic_file(udev_t)
|
dev_rw_generic_files(udev_t)
|
||||||
dev_delete_generic_file(udev_t)
|
dev_delete_generic_files(udev_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(udev_t)
|
fs_getattr_all_fs(udev_t)
|
||||||
fs_search_inotifyfs(udev_t)
|
fs_search_inotifyfs(udev_t)
|
||||||
|
@ -176,15 +176,15 @@ template(`base_user_template',`
|
|||||||
dev_read_input($1_t)
|
dev_read_input($1_t)
|
||||||
dev_read_misc($1_t)
|
dev_read_misc($1_t)
|
||||||
dev_write_misc($1_t)
|
dev_write_misc($1_t)
|
||||||
dev_write_snd_dev($1_t)
|
dev_write_sound($1_t)
|
||||||
dev_read_snd_dev($1_t)
|
dev_read_sound($1_t)
|
||||||
dev_read_snd_mixer_dev($1_t)
|
dev_read_sound_mixer($1_t)
|
||||||
dev_write_snd_mixer_dev($1_t)
|
dev_write_sound_mixer($1_t)
|
||||||
dev_read_rand($1_t)
|
dev_read_rand($1_t)
|
||||||
dev_read_urand($1_t)
|
dev_read_urand($1_t)
|
||||||
# open office is looking for the following
|
# open office is looking for the following
|
||||||
dev_getattr_agp_dev($1_t)
|
dev_getattr_agp_dev($1_t)
|
||||||
dev_dontaudit_rw_dri_dev($1_t)
|
dev_dontaudit_rw_dri($1_t)
|
||||||
|
|
||||||
fs_get_all_fs_quotas($1_t)
|
fs_get_all_fs_quotas($1_t)
|
||||||
fs_getattr_all_fs($1_t)
|
fs_getattr_all_fs($1_t)
|
||||||
@ -437,7 +437,7 @@ template(`base_user_template',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`xserver',`
|
optional_policy(`xserver',`
|
||||||
dev_rw_xserver_misc_dev($1_t)
|
dev_rw_xserver_misc($1_t)
|
||||||
xserver_xsession_entry_type($1_t)
|
xserver_xsession_entry_type($1_t)
|
||||||
xserver_dontaudit_write_log($1_t)
|
xserver_dontaudit_write_log($1_t)
|
||||||
xserver_stream_connect_xdm($1_t)
|
xserver_stream_connect_xdm($1_t)
|
||||||
@ -838,8 +838,8 @@ template(`admin_user_template',`
|
|||||||
# allow setting up tunnels
|
# allow setting up tunnels
|
||||||
corenet_use_tun_tap_device($1_t)
|
corenet_use_tun_tap_device($1_t)
|
||||||
|
|
||||||
dev_getattr_generic_blk_file($1_t)
|
dev_getattr_generic_blk_files($1_t)
|
||||||
dev_getattr_generic_chr_file($1_t)
|
dev_getattr_generic_chr_files($1_t)
|
||||||
dev_getattr_all_blk_files($1_t)
|
dev_getattr_all_blk_files($1_t)
|
||||||
dev_getattr_all_chr_files($1_t)
|
dev_getattr_all_chr_files($1_t)
|
||||||
|
|
||||||
|