loadable module compile fixes
This commit is contained in:
Chris PeBenito
parent
6e0542eb27
commit
25c6746156
@ -147,10 +147,8 @@ optional_policy(`pcmcia.te',`
|
||||
pcmcia_use_cardmgr_fd(ping_t)
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_use_fd(ping_t)
|
||||
')
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_use_fd(ping_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
@ -1396,7 +1396,7 @@ interface(`kernel_relabel_unlabeled',`
|
||||
#
|
||||
interface(`kernel_unconfined',`
|
||||
gen_require(`
|
||||
type kernel_t, unlabeled_t;
|
||||
type kernel_t, unlabeled_t, sysctl_t;
|
||||
attribute proc_type, sysctl_type;
|
||||
attribute kern_unconfined;
|
||||
attribute can_load_kernmodule, can_receive_kernel_messages;
|
||||
|
||||
@ -74,25 +74,6 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
|
||||
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts made by the caller to read
|
||||
## fixed disk device nodes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_dontaudit_read_fixed_disk',`
|
||||
gen_require(`
|
||||
type removable_device_t;
|
||||
class blk_file { getattr ioctl read };
|
||||
|
||||
')
|
||||
|
||||
dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to directly read from a fixed disk.
|
||||
@ -116,6 +97,24 @@ interface(`storage_raw_read_fixed_disk',`
|
||||
typeattribute $1 fixed_disk_raw_read;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts made by the caller to read
|
||||
## fixed disk device nodes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_dontaudit_read_fixed_disk',`
|
||||
gen_require(`
|
||||
type fixed_disk_device_t;
|
||||
|
||||
')
|
||||
|
||||
dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to directly write to a fixed disk.
|
||||
|
||||
@ -1,6 +1,10 @@
|
||||
|
||||
policy_module(cron, 1.0)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
|
||||
@ -34,6 +34,7 @@ interface(`nscd_domtrans',`
|
||||
interface(`nscd_use_socket',`
|
||||
gen_require(`
|
||||
type nscd_t, nscd_var_run_t;
|
||||
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
|
||||
')
|
||||
|
||||
allow $1 self:unix_stream_socket create_socket_perms;
|
||||
@ -61,6 +62,7 @@ interface(`nscd_use_socket',`
|
||||
interface(`nscd_use_shared_mem',`
|
||||
gen_require(`
|
||||
type nscd_t, nscd_var_run_t;
|
||||
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
|
||||
')
|
||||
|
||||
allow $1 nscd_var_run_t:dir r_dir_perms;
|
||||
|
||||
@ -175,10 +175,6 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(postgresql_t)
|
||||
')
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(postgresql_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(postgresql_t)
|
||||
')
|
||||
@ -188,6 +184,9 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(postgresql_t)
|
||||
')
|
||||
ifdef(`targeted_policy', `', `
|
||||
bool allow_user_postgresql_connect false;
|
||||
|
||||
|
||||
@ -16,8 +16,8 @@ files_pid_file(nmbd_var_run_t)
|
||||
type samba_etc_t; #, usercanread;
|
||||
files_type(samba_etc_t)
|
||||
|
||||
type samba_log_t, logfile;
|
||||
files_type(samba_log_t)
|
||||
type samba_log_t;
|
||||
logging_log_file(samba_log_t)
|
||||
|
||||
type samba_net_t;
|
||||
domain_type(samba_net_t)
|
||||
|
||||
@ -480,22 +480,24 @@ template(`ssh_server_template', `
|
||||
fs_read_cifs_files($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`inetd.te',`
|
||||
tunable_policy(`run_ssh_inetd',`
|
||||
allow $1_t self:process signal;
|
||||
files_list_pids($1_t)
|
||||
',`
|
||||
corenet_tcp_bind_ssh_port($1_t)
|
||||
init_use_fd($1_t)
|
||||
init_use_script_pty($1_t)
|
||||
')
|
||||
',`
|
||||
# cjp: commenting out until typeattribute works in conditional
|
||||
# and require block in optional else is resolved
|
||||
#optional_policy(`inetd.te',`
|
||||
# tunable_policy(`run_ssh_inetd',`
|
||||
# allow $1_t self:process signal;
|
||||
# files_list_pids($1_t)
|
||||
# ',`
|
||||
# corenet_tcp_bind_ssh_port($1_t)
|
||||
# init_use_fd($1_t)
|
||||
# init_use_script_pty($1_t)
|
||||
# ')
|
||||
#',`
|
||||
# These rules should match the else block
|
||||
# of the run_ssh_inetd tunable directly above
|
||||
corenet_tcp_bind_ssh_port($1_t)
|
||||
init_use_fd($1_t)
|
||||
init_use_script_pty($1_t)
|
||||
')
|
||||
#')
|
||||
|
||||
optional_policy(`kerberos.te',`
|
||||
kerberos_use($1_t)
|
||||
|
||||
@ -592,11 +592,10 @@ interface(`init_dontaudit_use_script_pty',`
|
||||
#
|
||||
interface(`init_rw_script_tmp_files',`
|
||||
gen_require(`
|
||||
type initrc_var_run_t;
|
||||
class file rw_file_perms;
|
||||
type initrc_tmp_t;
|
||||
')
|
||||
|
||||
# FIXME: read tmp_t dir
|
||||
files_search_tmp($1)
|
||||
allow $1 initrc_tmp_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
|
||||
@ -140,7 +140,7 @@ miscfiles_read_localization(dhcpc_t)
|
||||
|
||||
modutils_domtrans_insmod(dhcpc_t)
|
||||
|
||||
userdom_dontaudit_search_staff_home_dir(sysadm_t)
|
||||
userdom_dontaudit_search_staff_home_dir(dhcpc_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
files_exec_etc_files(dhcpc_t)
|
||||
|
||||
@ -104,33 +104,33 @@ define(`optional_policy',`
|
||||
#
|
||||
define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Extract booleans out of an expression.
|
||||
# This needs to be reworked so expressions
|
||||
# with parentheses can work.
|
||||
|
||||
define(`delcare_required_symbols',`
|
||||
ifelse(regexp($1, `\w'), -1, `', `dnl
|
||||
bool regexp($1, `\(\w+\)', `\1');
|
||||
delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
|
||||
') dnl
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Tunable declaration
|
||||
#
|
||||
define(`gen_tunable',`
|
||||
ifdef(`in_gen_require_block',`
|
||||
ifdef(`self_contained_policy',`
|
||||
bool $1;
|
||||
',`
|
||||
# loadable module tunable
|
||||
# require will go here
|
||||
# instead of bool when
|
||||
# loadable modules support
|
||||
# tunables
|
||||
bool $1;
|
||||
')
|
||||
ifdef(`self_contained_policy',`
|
||||
bool $1 dflt_or_overr(`$1'_conf,$2);
|
||||
',`
|
||||
ifdef(`self_contained_policy',`
|
||||
bool $1 dflt_or_overr(`$1'_conf,$2);
|
||||
',`
|
||||
# loadable module tunable
|
||||
# declaration will go here
|
||||
# instead of bool when
|
||||
# loadable modules support
|
||||
# tunables
|
||||
bool $1 dflt_or_overr(`$1'_conf,$2);
|
||||
')
|
||||
# loadable module tunable
|
||||
# declaration will go here
|
||||
# instead of bool when
|
||||
# loadable modules support
|
||||
# tunables
|
||||
bool $1 dflt_or_overr(`$1'_conf,$2);
|
||||
')
|
||||
')
|
||||
|
||||
@ -150,6 +150,10 @@ define(`tunable_policy',`
|
||||
# will go here instead of a
|
||||
# conditional when loadable
|
||||
# modules support tunables
|
||||
gen_require(`
|
||||
delcare_required_symbols(`$1')
|
||||
')
|
||||
|
||||
if (`$1') {
|
||||
$2
|
||||
} else {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user