Fix some names in passenger policy
This commit is contained in:
parent
94820e4290
commit
3034a8d941
@ -38,6 +38,9 @@ fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
|
||||
kernel_read_system_state(chrome_sandbox_t)
|
||||
kernel_read_kernel_sysctls(chrome_sandbox_t)
|
||||
|
||||
fs_manage_cgroup_dirs(chrome_sandbox_t)
|
||||
fs_manage_cgroup_files(chrome_sandbox_t)
|
||||
|
||||
corecmd_exec_bin(chrome_sandbox_t)
|
||||
|
||||
domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
|
||||
|
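Review bot: fs_manage_cgroup_files(chrome_sandbox_t) grants write access to every file under the cgroup filesystem, which is considerably wider than what a sandbox that only needs to place itself into its own hierarchy would use; the same pair is added for mount_t in the later hunk at `@ -141,6 +141,8 @@`. If the sandbox only reads its cgroup membership, `fs_read_cgroup_files(chrome_sandbox_t)` would be the narrower grant; if it really must create and write entries, a short comment stating why would help, e.g. `# cgroup manage: sandbox creates and writes its own hierarchy`. The same question applies to corecmd_exec_bin(chrome_sandbox_t), which lets the sandbox run anything in bin_t; if this is for a specific helper, a comment naming it would document the intent. Whether these lines are additions or context cannot be confirmed from the rendered hunk.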
@ -63,6 +63,8 @@ allow nsplugin_t self:msgq create_msgq_perms;
|
||||
allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow nsplugin_t self:unix_dgram_socket create_socket_perms;
|
||||
allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
|
||||
read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
|
||||
tunable_policy(`allow_nsplugin_execmem',`
|
||||
allow nsplugin_t self:process { execstack execmem };
|
||||
|
@ -724,7 +724,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
passenger_domtrans(httpd_t)
|
||||
passenger_manage_state_content(httpd_t)
|
||||
passenger_manage_pid_content(httpd_t)
|
||||
passenger_read_lib_files(httpd_t)
|
||||
')
|
||||
|
||||
|
@ -5,13 +5,6 @@ policy_module(corosync, 1.0.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow corosync to read and write generic tmpfs files.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_corosync_rw_tmpfs, false)
|
||||
|
||||
type corosync_t;
|
||||
type corosync_exec_t;
|
||||
init_daemon_domain(corosync_t, corosync_exec_t)
|
||||
@ -98,8 +91,13 @@ miscfiles_read_localization(corosync_t)
|
||||
userdom_delete_user_tmpfs_files(corosync_t)
|
||||
userdom_rw_user_tmpfs_files(corosync_t)
|
||||
|
||||
tunable_policy(`allow_corosync_rw_tmpfs',`
|
||||
fs_rw_tmpfs_files(corosync_t)
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
attribute unconfined_services;
|
||||
')
|
||||
|
||||
fs_manage_tmpfs_files(corosync_t)
|
||||
init_manage_script_status_files(corosync_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
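Review bot: The new optional_policy block requires `attribute unconfined_services` but nothing in the visible lines uses it, so the require only gates the block on the module that declares that attribute, and fs_manage_tmpfs_files(corosync_t) is then granted unconditionally. Read together with the earlier hunk at `@ -5,13 +5,6 @@`, which drops the default-off `allow_corosync_rw_tmpfs` tunable, this appears to turn an opt-in read/write on generic tmpfs files into an always-on manage, which is a wider grant than the tunable documented. If the goal is a private tmpfs type, a `corosync_tmpfs_t` with `fs_tmpfs_filetrans` would keep the access scoped; otherwise a comment such as `# unconditional tmpfs manage: replaces allow_corosync_rw_tmpfs, needed for <reason>` would at least record the decision. Removing a shipped tunable also invalidates any `setsebool` setting administrators have stored; a changelog note would be appropriate. Which lines are added versus removed is inferred from the line counts, not from explicit markers.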
@ -1,2 +1,4 @@
|
||||
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
||||
|
||||
/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
||||
|
||||
|
@ -13,6 +13,7 @@
|
||||
interface(`passenger_domtrans',`
|
||||
gen_require(`
|
||||
type passenger_t;
|
||||
type passenger_exec_t;
|
||||
')
|
||||
|
||||
allow $1 self:capability { fowner fsetid };
|
||||
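Review bot: `allow $1 self:capability { fowner fsetid };` inside passenger_domtrans grants Linux capabilities to the caller's own domain as a side effect of asking for a domain transition, which is not what a caller of a domtrans interface expects; with the apache.te hunk this means httpd_t gains fowner and fsetid whenever the passenger optional block is present. Capability grants for the caller belong in the caller's .te file (or in a separate, clearly named interface), and the interface summary should not promise more than a transition. If the line is needed because passenger chowns or chmods files before the exec, that belongs in passenger_t after the transition rather than in $1. The interface body continues past the end of this hunk.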
@ -26,7 +27,7 @@ interface(`passenger_domtrans',`
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Manage passenger state content.
|
||||
## Manage passenger var_run content.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -34,16 +35,16 @@ interface(`passenger_domtrans',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`passenger_manage_state_content',`
|
||||
interface(`passenger_manage_pid_content',`
|
||||
gen_require(`
|
||||
type passenger_state_t;
|
||||
type passenger_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
manage_dirs_pattern($1, passenger_state_t, passenger_state_t)
|
||||
manage_files_pattern($1, passenger_state_t, passenger_state_t)
|
||||
manage_fifo_files_pattern($1, passenger_state_t, passenger_state_t)
|
||||
manage_sock_files_pattern($1, passenger_state_t, passenger_state_t)
|
||||
manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
|
||||
manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
|
||||
manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
|
||||
manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -18,8 +18,8 @@ files_tmp_file(passenger_tmp_t)
|
||||
type passenger_var_lib_t;
|
||||
files_type(passenger_var_lib_t)
|
||||
|
||||
type passenger_state_t;
|
||||
files_pid_file(passenger_state_t)
|
||||
type passenger_var_run_t;
|
||||
files_pid_file(passenger_var_run_t)
|
||||
|
||||
permissive passenger_t;
|
||||
|
||||
@ -34,15 +34,16 @@ allow passenger_t self:process signal;
|
||||
allow passenger_t self:fifo_file rw_fifo_file_perms;
|
||||
allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
|
||||
manage_dirs_pattern(passenger_t, passenger_state_t, passenger_state_t)
|
||||
manage_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
|
||||
manage_fifo_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
|
||||
manage_sock_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
|
||||
|
||||
files_search_var_lib(passenger_t)
|
||||
manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
|
||||
manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
|
||||
|
||||
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
|
||||
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
|
||||
manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
|
||||
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
|
||||
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
|
||||
|
||||
kernel_read_system_state(passenger_t)
|
||||
kernel_read_kernel_sysctls(passenger_t)
|
||||
|
||||
|
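Review bot: `files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })` omits fifo_file even though manage_fifo_files_pattern on passenger_var_run_t is granted a few lines above, so a fifo that passenger creates directly under /run would presumably be labeled with the generic pid type rather than passenger_var_run_t and then be unreachable through the manage rule; if passenger does create fifos there, the class set should be `{ file dir sock_file fifo_file }`. Whether passenger creates fifos at that location cannot be confirmed from the page. This hunk also completes the passenger_state_t to passenger_var_run_t rename started at `@ -18,8 +18,8 @@`; the `permissive passenger_t;` line there is still present, so this policy remains in permissive mode after the rename.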
@ -1539,6 +1539,25 @@ interface(`init_getattr_script_status_files',`
|
||||
getattr_files_pattern($1, initrc_state_t, initrc_state_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage init script
|
||||
## status files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_manage_script_status_files',`
|
||||
gen_require(`
|
||||
type initrc_state_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, initrc_state_t, initrc_state_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read init script
|
||||
|
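Review bot: init_manage_script_status_files grants manage_files_pattern on initrc_state_t but, unlike the passenger_manage_pid_content interface in the same commit, does not give the caller search access on the parent directory, so a caller that does not already reach the directory holding initrc_state_t files would still be denied; if those files live under /run, adding `files_search_pids($1)` after the gen_require block would match the pattern used elsewhere in this commit. The existing init_getattr_script_status_files above it has the same shape, so this may be a deliberate convention in init.if; a one-line comment on the new interface stating that the caller is expected to have the directory access would settle it. Where initrc_state_t files are located is not shown in the hunk.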
@ -141,6 +141,8 @@ fs_read_tmpfs_symlinks(mount_t)
|
||||
fs_read_fusefs_files(mount_t)
|
||||
fs_manage_nfs_dirs(mount_t)
|
||||
fs_read_nfs_symlinks(mount_t)
|
||||
fs_manage_cgroup_dirs(mount_t)
|
||||
fs_manage_cgroup_files(mount_t)
|
||||
|
||||
mls_file_read_all_levels(mount_t)
|
||||
mls_file_write_all_levels(mount_t)
|
||||
|