fixes pointed out by steve, plus fixes revealed by the added assertions
This commit is contained in:
Chris PeBenito
parent
9ccd96dfc6
commit
2a3478cf15
@ -34,7 +34,7 @@ type rpm_script_exec_t;
|
|||||||
domain_obj_id_change_exempt(rpm_script_t)
|
domain_obj_id_change_exempt(rpm_script_t)
|
||||||
corecmd_shell_entry_type(rpm_script_t)
|
corecmd_shell_entry_type(rpm_script_t)
|
||||||
domain_type(rpm_script_t)
|
domain_type(rpm_script_t)
|
||||||
domain_entry_file(rpm_t,rpm_script_t)
|
domain_entry_file(rpm_t,rpm_script_exec_t)
|
||||||
domain_wide_inherit_fd(rpm_script_t)
|
domain_wide_inherit_fd(rpm_script_t)
|
||||||
role system_r types rpm_script_t;
|
role system_r types rpm_script_t;
|
||||||
|
|
||||||
|
|||||||
@ -43,8 +43,8 @@ interface(`term_user_pty',`
|
|||||||
attribute server_ptynode;
|
attribute server_ptynode;
|
||||||
')
|
')
|
||||||
|
|
||||||
term_pty($1)
|
term_pty($2)
|
||||||
type_change $1 server_ptynode:chr_file $2;
|
type_change $2 server_ptynode:chr_file $1;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|||||||
@ -15,9 +15,14 @@ attribute can_change_process_identity;
|
|||||||
attribute can_change_process_role;
|
attribute can_change_process_role;
|
||||||
attribute can_change_object_identity;
|
attribute can_change_object_identity;
|
||||||
|
|
||||||
|
# Transitions only allowed from domains to other domains
|
||||||
neverallow domain ~domain:process { transition dyntransition };
|
neverallow domain ~domain:process { transition dyntransition };
|
||||||
|
|
||||||
# enabling setcurrent breaks process tranquility. If you do not
|
# enabling setcurrent breaks process tranquility. If you do not
|
||||||
# know what this means or do not understand the implications of a
|
# know what this means or do not understand the implications of a
|
||||||
# dynamic transition, you should not be using it!!!
|
# dynamic transition, you should not be using it!!!
|
||||||
neverallow * *:process setcurrent;
|
neverallow * *:process setcurrent;
|
||||||
|
|
||||||
|
# Files with domain types are currently only proc files
|
||||||
|
neverallow * domain:dir ~r_dir_perms;
|
||||||
|
neverallow * domain:file_class_set ~rw_file_perms;
|
||||||
|
|||||||
@ -109,10 +109,7 @@ interface(`libs_legacy_use_ld_so',`
|
|||||||
## <description>
|
## <description>
|
||||||
## Execute the dynamic link/loader in the caller's
|
## Execute the dynamic link/loader in the caller's
|
||||||
## domain. This is commonly needed for the
|
## domain. This is commonly needed for the
|
||||||
## /usr/bin/ldd program. Note: this can be used
|
## /usr/bin/ldd program.
|
||||||
## to execute any binary that the caller can
|
|
||||||
## read, even if the caller does not have execute
|
|
||||||
## permissions.
|
|
||||||
## </description>
|
## </description>
|
||||||
## <parameter name="domain">
|
## <parameter name="domain">
|
||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
|
|||||||
@ -9,7 +9,7 @@ policy_module(logging,1.0)
|
|||||||
attribute logfile;
|
attribute logfile;
|
||||||
|
|
||||||
type auditd_log_t;
|
type auditd_log_t;
|
||||||
logging_log_file(auditd_t,auditd_log_t)
|
logging_log_file(auditd_log_t)
|
||||||
|
|
||||||
type auditd_t;
|
type auditd_t;
|
||||||
type auditd_exec_t;
|
type auditd_exec_t;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user