trunk: several MLS enhancements.
parent
9760cbec2d
commit
2d0c9cecaf
@ -1,3 +1,9 @@
|
|||||||
|
- Add make kernel and init ranged interfaces pass the range transition MLS
|
||||||
|
constraints. Also remove calls to mls_rangetrans_target() in modules that use
|
||||||
|
the kernel and init interfaces, since it is redundant.
|
||||||
|
- Add interfaces for all MLS attributes except X object classes.
|
||||||
|
- Require all sensitivities and categories for MLS and MCS policies, not just
|
||||||
|
the low and high sensitivity and category.
|
||||||
- Database userspace object manager classes from KaiGai Kohei.
|
- Database userspace object manager classes from KaiGai Kohei.
|
||||||
- Add third-party interface for Apache CGI.
|
- Add third-party interface for Apache CGI.
|
||||||
- Add getserv and shmemserv nscd permissions.
|
- Add getserv and shmemserv nscd permissions.
|
||||||
|
@ -66,6 +66,7 @@ interface(`kernel_ranged_domtrans_to',`
|
|||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
range_transition kernel_t $2:process $3;
|
range_transition kernel_t $2:process $3;
|
||||||
|
mls_rangetrans_target($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
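Review bot: The new `mls_rangetrans_target($1)` call inside the `enable_mls` block changes what kernel_ranged_domtrans_to does to the caller's domain, but the interface's `<summary>`/`<desc>` header lies outside this hunk and is not updated to say so; the same applies to the matching additions in init_ranged_domain and init_ranged_daemon_domain in init.if. Because the commit relies on this to drop the explicit mls_rangetrans_target() calls in cups.te, init.te, logging.te, selinuxutil.te and setrans.te, a reader of the interface should see it documented, e.g. a `<desc>` paragraph `## Under enable_mls the target domain is also made an MLS range transition target, so callers need not call mls_rangetrans_target() themselves.` The enclosing interface starts before the hunk.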
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(kernel,1.7.1)
|
policy_module(kernel,1.7.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -14,7 +14,7 @@
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Make specified domain MLS trusted
|
## Make specified domain MLS trusted
|
||||||
## for reading from files at higher levels.
|
## for reading from files up to its clearance.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -23,7 +23,53 @@
|
|||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
|
interface(`mls_file_read_to_clearance',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mlsfilereadtoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mlsfilereadtoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for reading from files at all levels. (Deprecated)
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for reading from files at all levels.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This interface has been deprecated, please use
|
||||||
|
## mls_file_read_all_levels() instead.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
interface(`mls_file_read_up',`
|
interface(`mls_file_read_up',`
|
||||||
|
# refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.')
|
||||||
|
mls_file_read_all_levels($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for reading from files at all levels.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`mls_file_read_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute mlsfileread;
|
attribute mlsfileread;
|
||||||
')
|
')
|
||||||
@ -34,7 +80,7 @@ interface(`mls_file_read_up',`
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Make specified domain MLS trusted
|
## Make specified domain MLS trusted
|
||||||
## for writing to files at lower levels.
|
## for write to files up to its clearance.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -43,7 +89,53 @@ interface(`mls_file_read_up',`
|
|||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
|
interface(`mls_file_write_to_clearance',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mlsfilewritetoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mlsfilewritetoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for writing to files at all levels. (Deprecated)
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for writing to files at all levels.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This interface has been deprecated, please use
|
||||||
|
## mls_file_write_all_levels() instead.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
interface(`mls_file_write_down',`
|
interface(`mls_file_write_down',`
|
||||||
|
# refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.')
|
||||||
|
mls_file_write_all_levels($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for writing to files at all levels.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`mls_file_write_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute mlsfilewrite;
|
attribute mlsfilewrite;
|
||||||
')
|
')
|
||||||
@ -103,6 +195,7 @@ interface(`mls_file_downgrade',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_file_write_within_range',`
|
interface(`mls_file_write_within_range',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -122,6 +215,7 @@ interface(`mls_file_write_within_range',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_socket_read_all_levels',`
|
interface(`mls_socket_read_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -142,6 +236,7 @@ interface(`mls_socket_read_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_socket_read_to_clearance',`
|
interface(`mls_socket_read_to_clearance',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -151,6 +246,27 @@ interface(`mls_socket_read_to_clearance',`
|
|||||||
typeattribute $1 mlsnetreadtoclr;
|
typeattribute $1 mlsnetreadtoclr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for writing to sockets up to
|
||||||
|
## its clearance.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`mls_socket_write_to_clearance',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mlsnetwritetoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mlsnetwritetoclr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Make specified domain MLS trusted
|
## Make specified domain MLS trusted
|
||||||
@ -161,6 +277,7 @@ interface(`mls_socket_read_to_clearance',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_socket_write_all_levels',`
|
interface(`mls_socket_write_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -181,6 +298,7 @@ interface(`mls_socket_write_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_net_receive_all_levels',`
|
interface(`mls_net_receive_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -190,6 +308,27 @@ interface(`mls_net_receive_all_levels',`
|
|||||||
typeattribute $1 mlsnetrecvall;
|
typeattribute $1 mlsnetrecvall;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for reading from System V IPC objects
|
||||||
|
## up to its clearance.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`mls_sysvipc_read_to_clearance',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mlsipcreadtoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mlsipcreadtoclr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Make specified domain MLS trusted
|
## Make specified domain MLS trusted
|
||||||
@ -201,6 +340,7 @@ interface(`mls_net_receive_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_sysvipc_read_all_levels',`
|
interface(`mls_sysvipc_read_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -210,6 +350,27 @@ interface(`mls_sysvipc_read_all_levels',`
|
|||||||
typeattribute $1 mlsipcread;
|
typeattribute $1 mlsipcread;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for writing to System V IPC objects
|
||||||
|
## up to its clearance.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`mls_sysvipc_write_to_clearance',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mlsipcwritetoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mlsipcwritetoclr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Make specified domain MLS trusted
|
## Make specified domain MLS trusted
|
||||||
@ -221,6 +382,7 @@ interface(`mls_sysvipc_read_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_sysvipc_write_all_levels',`
|
interface(`mls_sysvipc_write_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -273,15 +435,63 @@ interface(`mls_rangetrans_target',`
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Make specified domain MLS trusted
|
## Make specified domain MLS trusted
|
||||||
## for reading from processes at higher levels.
|
## for reading from processes up to
|
||||||
|
## its clearance.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`mls_process_read_to_clearance',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mlsprocreadtoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mlsprocreadtoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for reading from processes at all levels. (Deprecated)
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for reading from processes at all levels.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This interface has been deprecated, please use
|
||||||
|
## mls_process_read_all_levels() instead.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`mls_process_read_up',`
|
interface(`mls_process_read_up',`
|
||||||
|
# refpolicywarn(`$0($*) has been deprecated, please use mls_process_read_all_levels() instead.')
|
||||||
|
mls_process_read_all_levels($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for reading from processes at all levels.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`mls_process_read_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute mlsprocread;
|
attribute mlsprocread;
|
||||||
')
|
')
|
||||||
@ -292,15 +502,63 @@ interface(`mls_process_read_up',`
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Make specified domain MLS trusted
|
## Make specified domain MLS trusted
|
||||||
## for writing to processes at lower levels.
|
## for writing to processes up to
|
||||||
|
## its clearance.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`mls_process_write_to_clearance',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mlsprocwritetoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mlsprocwritetoclr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for writing to processes at all levels. (Deprecated)
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for writing to processes at all levels.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This interface has been deprecated, please use
|
||||||
|
## mls_process_write_all_levels() instead.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`mls_process_write_down',`
|
interface(`mls_process_write_down',`
|
||||||
|
# refpolicywarn(`$0($*) has been deprecated, please use mls_process_write_all_levels() instead.')
|
||||||
|
mls_process_write_all_levels($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MLS trusted
|
||||||
|
## for writing to processes at all levels.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`mls_process_write_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute mlsprocwrite;
|
attribute mlsprocwrite;
|
||||||
')
|
')
|
||||||
@ -319,6 +577,7 @@ interface(`mls_process_write_down',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_process_set_level',`
|
interface(`mls_process_set_level',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -338,6 +597,7 @@ interface(`mls_process_set_level',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_xwin_read_all_levels',`
|
interface(`mls_xwin_read_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -357,6 +617,7 @@ interface(`mls_xwin_read_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_xwin_write_all_levels',`
|
interface(`mls_xwin_write_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -376,6 +637,7 @@ interface(`mls_xwin_write_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_colormap_read_all_levels',`
|
interface(`mls_colormap_read_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -395,6 +657,7 @@ interface(`mls_colormap_read_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_colormap_write_all_levels',`
|
interface(`mls_colormap_write_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -444,6 +707,7 @@ interface(`mls_trusted_object',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_fd_use_all_levels',`
|
interface(`mls_fd_use_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -464,6 +728,7 @@ interface(`mls_fd_use_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_fd_share_all_levels',`
|
interface(`mls_fd_share_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -483,6 +748,7 @@ interface(`mls_fd_share_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_context_translate_all_levels',`
|
interface(`mls_context_translate_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -502,6 +768,7 @@ interface(`mls_context_translate_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_db_read_all_levels',`
|
interface(`mls_db_read_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -521,6 +788,7 @@ interface(`mls_db_read_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_db_write_all_levels',`
|
interface(`mls_db_write_all_levels',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -540,6 +808,7 @@ interface(`mls_db_write_all_levels',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_db_upgrade',`
|
interface(`mls_db_upgrade',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -559,6 +828,7 @@ interface(`mls_db_upgrade',`
|
|||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`mls_db_downgrade',`
|
interface(`mls_db_downgrade',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
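Review bot: The four deprecated wrappers introduced in this section (`mls_file_read_up`, `mls_file_write_down`, `mls_process_read_up`, `mls_process_write_down`) have their `refpolicywarn(...)` line commented out, so nothing flags callers that still use the old names — including lines this same commit moves in init.te — and the deprecation is documentation-only. If the warning is deliberately silenced until callers are converted, a comment next to the commented-out line saying so, e.g. `# warning disabled until in-tree callers are migrated`, keeps it from being read as an oversight. Separately, the summary of mls_file_write_to_clearance reads `## for write to files up to its clearance.`; it should be `## for writing to files up to its clearance.` to match the sibling interfaces.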
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mls,1.5.1)
|
policy_module(mls,1.5.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cups,1.7.0)
|
policy_module(cups,1.7.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -169,7 +169,6 @@ mls_fd_use_all_levels(cupsd_t)
|
|||||||
mls_file_downgrade(cupsd_t)
|
mls_file_downgrade(cupsd_t)
|
||||||
mls_file_write_down(cupsd_t)
|
mls_file_write_down(cupsd_t)
|
||||||
mls_file_read_up(cupsd_t)
|
mls_file_read_up(cupsd_t)
|
||||||
mls_rangetrans_target(cupsd_t)
|
|
||||||
mls_socket_write_all_levels(cupsd_t)
|
mls_socket_write_all_levels(cupsd_t)
|
||||||
|
|
||||||
term_use_unallocated_ttys(cupsd_t)
|
term_use_unallocated_ttys(cupsd_t)
|
||||||
|
@ -71,6 +71,7 @@ interface(`init_ranged_domain',`
|
|||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
range_transition init_t $2:process $3;
|
range_transition init_t $2:process $3;
|
||||||
|
mls_rangetrans_target($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -171,6 +172,7 @@ interface(`init_ranged_daemon_domain',`
|
|||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
range_transition initrc_t $2:process $3;
|
range_transition initrc_t $2:process $3;
|
||||||
|
mls_rangetrans_target($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(init,1.7.1)
|
policy_module(init,1.7.2)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -138,7 +138,10 @@ files_dontaudit_rw_root_chr_files(init_t)
|
|||||||
fs_write_ramfs_sockets(init_t)
|
fs_write_ramfs_sockets(init_t)
|
||||||
|
|
||||||
mcs_process_set_categories(init_t)
|
mcs_process_set_categories(init_t)
|
||||||
|
mcs_killall(init_t)
|
||||||
|
|
||||||
|
mls_file_read_up(init_t)
|
||||||
|
mls_file_write_down(init_t)
|
||||||
mls_process_write_down(init_t)
|
mls_process_write_down(init_t)
|
||||||
mls_fd_use_all_levels(init_t)
|
mls_fd_use_all_levels(init_t)
|
||||||
|
|
||||||
@ -156,12 +159,6 @@ libs_rw_ld_so_cache(init_t)
|
|||||||
logging_send_syslog_msg(init_t)
|
logging_send_syslog_msg(init_t)
|
||||||
logging_rw_generic_logs(init_t)
|
logging_rw_generic_logs(init_t)
|
||||||
|
|
||||||
mcs_killall(init_t)
|
|
||||||
|
|
||||||
mls_file_read_up(init_t)
|
|
||||||
mls_file_write_down(init_t)
|
|
||||||
mls_rangetrans_target(init_t)
|
|
||||||
|
|
||||||
seutil_read_config(init_t)
|
seutil_read_config(init_t)
|
||||||
|
|
||||||
miscfiles_read_localization(init_t)
|
miscfiles_read_localization(init_t)
|
||||||
@ -287,6 +284,14 @@ fs_getattr_all_fs(initrc_t)
|
|||||||
|
|
||||||
# initrc_t needs to do a pidof which requires ptrace
|
# initrc_t needs to do a pidof which requires ptrace
|
||||||
mcs_ptrace_all(initrc_t)
|
mcs_ptrace_all(initrc_t)
|
||||||
|
mcs_killall(initrc_t)
|
||||||
|
mcs_process_set_categories(initrc_t)
|
||||||
|
|
||||||
|
mls_file_read_up(initrc_t)
|
||||||
|
mls_file_write_down(initrc_t)
|
||||||
|
mls_process_read_up(initrc_t)
|
||||||
|
mls_process_write_down(initrc_t)
|
||||||
|
mls_rangetrans_source(initrc_t)
|
||||||
|
|
||||||
selinux_get_enforce_mode(initrc_t)
|
selinux_get_enforce_mode(initrc_t)
|
||||||
|
|
||||||
@ -363,16 +368,6 @@ miscfiles_read_localization(initrc_t)
|
|||||||
# slapd needs to read cert files from its initscript
|
# slapd needs to read cert files from its initscript
|
||||||
miscfiles_read_certs(initrc_t)
|
miscfiles_read_certs(initrc_t)
|
||||||
|
|
||||||
mcs_killall(initrc_t)
|
|
||||||
mcs_process_set_categories(initrc_t)
|
|
||||||
|
|
||||||
mls_file_read_up(initrc_t)
|
|
||||||
mls_file_write_down(initrc_t)
|
|
||||||
mls_process_read_up(initrc_t)
|
|
||||||
mls_process_write_down(initrc_t)
|
|
||||||
mls_rangetrans_source(initrc_t)
|
|
||||||
mls_rangetrans_target(initrc_t)
|
|
||||||
|
|
||||||
modutils_read_module_config(initrc_t)
|
modutils_read_module_config(initrc_t)
|
||||||
modutils_domtrans_insmod(initrc_t)
|
modutils_domtrans_insmod(initrc_t)
|
||||||
|
|
||||||
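Review bot: The relocated MLS lines for init_t and initrc_t in the `@ -138,7 +138,10` and `@ -287,6 +284,14` hunks still call `mls_file_read_up`, `mls_file_write_down`, `mls_process_read_up` and `mls_process_write_down`, which this same commit deprecates in mls.if in favour of the `*_all_levels` names. Since the lines are being moved anyway, switching them now (`mls_file_read_all_levels(init_t)`, `mls_file_write_all_levels(init_t)`, and likewise for initrc_t) avoids a second pass when the refpolicywarn in the wrappers is re-enabled. Behaviour is unchanged either way, as the wrappers forward to the new interfaces.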
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(logging,1.7.0)
|
policy_module(logging,1.7.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -155,7 +155,6 @@ miscfiles_read_localization(auditd_t)
|
|||||||
|
|
||||||
mls_file_read_up(auditd_t)
|
mls_file_read_up(auditd_t)
|
||||||
mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
|
mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
|
||||||
mls_rangetrans_target(auditd_t)
|
|
||||||
mls_fd_use_all_levels(auditd_t)
|
mls_fd_use_all_levels(auditd_t)
|
||||||
|
|
||||||
seutil_dontaudit_read_config(auditd_t)
|
seutil_dontaudit_read_config(auditd_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(selinuxutil,1.6.1)
|
policy_module(selinuxutil,1.6.2)
|
||||||
|
|
||||||
ifdef(`strict_policy',`
|
ifdef(`strict_policy',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -90,10 +90,9 @@ domain_system_change_exemption(run_init_t)
|
|||||||
role system_r types run_init_t;
|
role system_r types run_init_t;
|
||||||
|
|
||||||
type semanage_t;
|
type semanage_t;
|
||||||
domain_interactive_fd(semanage_t)
|
|
||||||
|
|
||||||
type semanage_exec_t;
|
type semanage_exec_t;
|
||||||
application_domain(semanage_t,semanage_exec_t)
|
application_domain(semanage_t,semanage_exec_t)
|
||||||
|
domain_interactive_fd(semanage_t)
|
||||||
role system_r types semanage_t;
|
role system_r types semanage_t;
|
||||||
|
|
||||||
type semanage_store_t;
|
type semanage_store_t;
|
||||||
@ -474,7 +473,6 @@ files_read_usr_files(semanage_t)
|
|||||||
files_list_pids(semanage_t)
|
files_list_pids(semanage_t)
|
||||||
|
|
||||||
mls_file_write_down(semanage_t)
|
mls_file_write_down(semanage_t)
|
||||||
mls_rangetrans_target(semanage_t)
|
|
||||||
mls_file_read_up(semanage_t)
|
mls_file_read_up(semanage_t)
|
||||||
|
|
||||||
selinux_validate_context(semanage_t)
|
selinux_validate_context(semanage_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(setrans,1.3.0)
|
policy_module(setrans,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -55,7 +55,6 @@ files_read_etc_runtime_files(setrans_t)
|
|||||||
mls_file_read_up(setrans_t)
|
mls_file_read_up(setrans_t)
|
||||||
mls_file_write_down(setrans_t)
|
mls_file_write_down(setrans_t)
|
||||||
mls_net_receive_all_levels(setrans_t)
|
mls_net_receive_all_levels(setrans_t)
|
||||||
mls_rangetrans_target(setrans_t)
|
|
||||||
mls_socket_write_all_levels(setrans_t)
|
mls_socket_write_all_levels(setrans_t)
|
||||||
mls_process_read_up(setrans_t)
|
mls_process_read_up(setrans_t)
|
||||||
mls_socket_read_all_levels(setrans_t)
|
mls_socket_read_all_levels(setrans_t)
|
||||||
|
@ -17,13 +17,13 @@ define(`policy_module',`
|
|||||||
all_kernel_class_perms
|
all_kernel_class_perms
|
||||||
|
|
||||||
ifdef(`enable_mcs',`
|
ifdef(`enable_mcs',`
|
||||||
sensitivity s0;
|
decl_sens(0,0)
|
||||||
category c0, c`'decr(mcs_num_cats);
|
decl_cats(0,decr(mcs_num_cats))
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
sensitivity s0, s`'decr(mls_num_sens);
|
decl_sens(0,decr(mls_num_sens))
|
||||||
category c0, c`'decr(mls_num_cats);
|
decl_cats(0,decr(mls_num_cats))
|
||||||
')
|
')
|
||||||
}
|
}
|
||||||
')
|
')
|
||||||
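Review bot: The `decl_sens(...)`/`decl_cats(...)` calls that replace the explicit `sensitivity`/`category` requires are not defined in any hunk on this page, so it is not visible whether they are existing support macros or an addition missing from the commit; a comment next to the `ifdef(`enable_mcs'` block naming where they live, e.g. `# decl_sens/decl_cats expand to one sensitivity/category per level (support macros)`, would help. Requiring every sensitivity and category in each module also means a module built with a different mls_num_sens/mls_num_cats than the base policy presumably can no longer be linked; that looks intended per the description, but is worth a sentence there. The enclosing `define(`policy_module'` starts before the hunk.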
|