move selinux unconfined to attribute setup, clean up unconfined interface a bit
parent
9d4538024a
commit
41a0f8bf3b
@ -394,20 +394,8 @@ interface(`selinux_compute_user_contexts',`
|
||||
#
|
||||
interface(`selinux_unconfined',`
|
||||
gen_require(`
|
||||
attribute can_load_policy, can_setenforce, can_setsecparam;
|
||||
bool secure_mode_policyload;
|
||||
type security_t;
|
||||
attribute selinux_unconfined_type;
|
||||
')
|
||||
|
||||
# use SELinuxfs
|
||||
allow $1 security_t:dir { getattr search read };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
|
||||
typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
|
||||
|
||||
if(!secure_mode_policyload) {
|
||||
# Access the security API.
|
||||
allow $1 security_t:security *;
|
||||
auditallow $1 security_t:security { load_policy setenforce setbool };
|
||||
}
|
||||
typeattribute $1 selinux_unconfined_type;
|
||||
')
|
||||
|
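Review bot: Once the body is reduced to `typeattribute $1 selinux_unconfined_type;`, nothing in the interface tells a caller that the attribute carries load_policy, setenforce and setbool on security_t. A short comment above the typeattribute line would keep that visible at the call site, for example `# selinux_unconfined_type is granted the security API, including load_policy/setenforce/setbool, in the module's .te file`. The interface's header documentation starts outside this hunk, so it may already say this; if it does not, the same sentence belongs there.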
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(selinux,1.1.0)
|
||||
policy_module(selinux,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -9,6 +9,7 @@ policy_module(selinux,1.1.0)
|
||||
attribute can_load_policy;
|
||||
attribute can_setenforce;
|
||||
attribute can_setsecparam;
|
||||
attribute selinux_unconfined_type;
|
||||
|
||||
#
|
||||
# security_t is the target type when checking
|
||||
@ -21,6 +22,23 @@ mls_trusted_object(security_t)
|
||||
sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
|
||||
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
|
||||
|
||||
neverallow ~can_load_policy security_t:security load_policy;
|
||||
neverallow ~can_setenforce security_t:security setenforce;
|
||||
neverallow ~can_setsecparam security_t:security setsecparam;
|
||||
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
|
||||
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
|
||||
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
# use SELinuxfs
|
||||
allow selinux_unconfined_type security_t:dir { getattr search read };
|
||||
allow selinux_unconfined_type security_t:file { getattr read write };
|
||||
|
||||
# Access the security API.
|
||||
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
|
||||
|
||||
if(!secure_mode_policyload) {
|
||||
allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
|
||||
auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
|
||||
}
|
||||
|
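Review bot: The unconditional rule `allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };` grants every other permission in the security class, including setsecparam, whether or not secure_mode_policyload is set. The interface body shown as removed earlier on this page allowed `security_t:security *` only inside `if(!secure_mode_policyload)`, so as far as the visible lines show this widens access in secure mode rather than only moving it, and the auditallow does not cover the newly unconditional permissions. If secure mode is meant to freeze those settings too, use `~{ load_policy setenforce setbool setsecparam }` in the unconditional rule and add setsecparam to the conditional allow and auditallow. The three neverallow rules now exempt selinux_unconfined_type, so a comment such as `# selinux_unconfined_type is exempt: its access is granted, conditionally, below` would explain why the assertion was loosened.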
@ -56,10 +56,6 @@ interface(`unconfined_domain_noaudit',`
|
||||
# Allow making the stack executable via mprotect.
|
||||
allow $1 self:process execstack;
|
||||
# auditallow $1 self:process execstack;
|
||||
', `
|
||||
# These are fairly common but seem to be harmless
|
||||
# caused by using shared libraries built with old tool chains
|
||||
#dontaudit $1 self:process execstack;
|
||||
')
|
||||
|
||||
|
||||
@ -73,6 +69,8 @@ interface(`unconfined_domain_noaudit',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# this is to handle execmod on shared
|
||||
# libs with text relocations
|
||||
libs_use_shared_libs($1)
|
||||
')
|
||||
|
||||
|