fix up corecommands perm sets, add seutil_manage_config_dirs()
This commit is contained in:
parent
d5ae683e2b
commit
582438054d
@ -133,7 +133,7 @@ interface(`corecmd_search_bin',`
|
|||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir search;
|
allow $1 bin_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -151,7 +151,7 @@ interface(`corecmd_list_bin',`
|
|||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir list_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -187,8 +187,8 @@ interface(`corecmd_read_bin_files',`
|
|||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir search;
|
allow $1 bin_t:dir search_dir_perms;
|
||||||
allow $1 bin_t:file r_file_perms;
|
allow $1 bin_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -206,8 +206,8 @@ interface(`corecmd_read_bin_symlinks',`
|
|||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir search;
|
allow $1 bin_t:dir search_dir_perms;
|
||||||
allow $1 bin_t:lnk_file r_file_perms;
|
allow $1 bin_t:lnk_file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -225,8 +225,8 @@ interface(`corecmd_read_bin_pipes',`
|
|||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir search;
|
allow $1 bin_t:dir search_dir_perms;
|
||||||
allow $1 bin_t:fifo_file r_file_perms;
|
allow $1 bin_t:fifo_file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -244,8 +244,8 @@ interface(`corecmd_read_bin_sockets',`
|
|||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir search;
|
allow $1 bin_t:dir search_dir_perms;
|
||||||
allow $1 bin_t:sock_file r_file_perms;
|
allow $1 bin_t:sock_file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -264,8 +264,8 @@ interface(`corecmd_exec_bin',`
|
|||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir list_dir_perms;
|
||||||
allow $1 bin_t:lnk_file r_file_perms;
|
allow $1 bin_t:lnk_file read_file_perms;
|
||||||
can_exec($1,bin_t)
|
can_exec($1,bin_t)
|
||||||
|
|
||||||
')
|
')
|
||||||
@ -368,7 +368,7 @@ interface(`corecmd_bin_spec_domtrans',`
|
|||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir search;
|
allow $1 bin_t:dir search_dir_perms;
|
||||||
allow $1 bin_t:lnk_file { getattr read };
|
allow $1 bin_t:lnk_file { getattr read };
|
||||||
|
|
||||||
domain_trans($1,bin_t,$2)
|
domain_trans($1,bin_t,$2)
|
||||||
@ -469,7 +469,7 @@ interface(`corecmd_list_sbin',`
|
|||||||
type sbin_t;
|
type sbin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 sbin_t:dir r_dir_perms;
|
allow $1 sbin_t:dir list_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -524,8 +524,8 @@ interface(`corecmd_read_sbin_files',`
|
|||||||
type sbin_t;
|
type sbin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 sbin_t:dir search;
|
allow $1 sbin_t:dir search_dir_perms;
|
||||||
allow $1 sbin_t:file r_file_perms;
|
allow $1 sbin_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -543,8 +543,8 @@ interface(`corecmd_read_sbin_symlinks',`
|
|||||||
type sbin_t;
|
type sbin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 sbin_t:dir search;
|
allow $1 sbin_t:dir search_dir_perms;
|
||||||
allow $1 sbin_t:lnk_file r_file_perms;
|
allow $1 sbin_t:lnk_file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -562,8 +562,8 @@ interface(`corecmd_read_sbin_pipes',`
|
|||||||
type sbin_t;
|
type sbin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 sbin_t:dir search;
|
allow $1 sbin_t:dir search_dir_perms;
|
||||||
allow $1 sbin_t:fifo_file r_file_perms;
|
allow $1 sbin_t:fifo_file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -581,8 +581,8 @@ interface(`corecmd_read_sbin_sockets',`
|
|||||||
type sbin_t;
|
type sbin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 sbin_t:dir search;
|
allow $1 sbin_t:dir search_dir_perms;
|
||||||
allow $1 sbin_t:sock_file r_file_perms;
|
allow $1 sbin_t:sock_file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -601,8 +601,8 @@ interface(`corecmd_exec_sbin',`
|
|||||||
type sbin_t;
|
type sbin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 sbin_t:dir r_dir_perms;
|
allow $1 sbin_t:dir list_dir_perms;
|
||||||
allow $1 sbin_t:lnk_file r_file_perms;
|
allow $1 sbin_t:lnk_file read_file_perms;
|
||||||
can_exec($1,sbin_t)
|
can_exec($1,sbin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -705,7 +705,7 @@ interface(`corecmd_sbin_domtrans',`
|
|||||||
type sbin_t;
|
type sbin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 sbin_t:dir search;
|
allow $1 sbin_t:dir search_dir_perms;
|
||||||
allow $1 sbin_t:lnk_file { getattr read };
|
allow $1 sbin_t:lnk_file { getattr read };
|
||||||
|
|
||||||
domain_auto_trans($1,sbin_t,$2)
|
domain_auto_trans($1,sbin_t,$2)
|
||||||
@ -752,7 +752,7 @@ interface(`corecmd_sbin_spec_domtrans',`
|
|||||||
type sbin_t;
|
type sbin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 sbin_t:dir search;
|
allow $1 sbin_t:dir search_dir_perms;
|
||||||
allow $1 sbin_t:lnk_file { getattr read };
|
allow $1 sbin_t:lnk_file { getattr read };
|
||||||
|
|
||||||
domain_trans($1,sbin_t,$2)
|
domain_trans($1,sbin_t,$2)
|
||||||
@ -773,8 +773,8 @@ interface(`corecmd_check_exec_shell',`
|
|||||||
type bin_t, shell_exec_t;
|
type bin_t, shell_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir list_dir_perms;
|
||||||
allow $1 bin_t:lnk_file r_file_perms;
|
allow $1 bin_t:lnk_file read_file_perms;
|
||||||
allow $1 shell_exec_t:file execute;
|
allow $1 shell_exec_t:file execute;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -793,8 +793,8 @@ interface(`corecmd_exec_shell',`
|
|||||||
type bin_t, shell_exec_t;
|
type bin_t, shell_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir list_dir_perms;
|
||||||
allow $1 bin_t:lnk_file r_file_perms;
|
allow $1 bin_t:lnk_file read_file_perms;
|
||||||
can_exec($1,shell_exec_t)
|
can_exec($1,shell_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -813,8 +813,8 @@ interface(`corecmd_exec_ls',`
|
|||||||
type bin_t, ls_exec_t;
|
type bin_t, ls_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir list_dir_perms;
|
||||||
allow $1 bin_t:lnk_file r_file_perms;
|
allow $1 bin_t:lnk_file read_file_perms;
|
||||||
can_exec($1,ls_exec_t)
|
can_exec($1,ls_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -852,8 +852,8 @@ interface(`corecmd_shell_spec_domtrans',`
|
|||||||
type bin_t, shell_exec_t;
|
type bin_t, shell_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir list_dir_perms;
|
||||||
allow $1 bin_t:lnk_file r_file_perms;
|
allow $1 bin_t:lnk_file read_file_perms;
|
||||||
|
|
||||||
domain_trans($1,shell_exec_t,$2)
|
domain_trans($1,shell_exec_t,$2)
|
||||||
')
|
')
|
||||||
|
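Review bot: The `lnk_file` rules in `corecmd_bin_spec_domtrans`, `corecmd_sbin_domtrans` and `corecmd_sbin_spec_domtrans` still carry the literal `{ getattr read }`, while the `*_read_*_symlinks`, `*_exec_*` and `corecmd_shell_spec_domtrans` interfaces in the same file were converted to `read_file_perms` for the same class, so the file now mixes two spellings of one access pattern. Since the commit's purpose is to fold literal permission lists into the named sets, those three lines should follow, e.g. `allow $1 bin_t:lnk_file read_file_perms;` and the two `sbin_t` equivalents, or, if the policy defines a link-specific read set, that set should be used on every `lnk_file` line consistently. `read_file_perms` is presumably a superset of `{ getattr read }`; if the narrower set is deliberate on the transition paths, a one-line comment to that effect would keep the next cleanup pass from silently widening them.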
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corecommands,1.4.0)
|
policy_module(corecommands,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -718,6 +718,27 @@ interface(`seutil_manage_selinux_config',`
|
|||||||
allow $1 selinux_config_t:lnk_file { getattr read };
|
allow $1 selinux_config_t:lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete
|
||||||
|
## the general selinux configuration files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`seutil_manage_config_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type selinux_config_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 selinux_config_t:dir manage_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search the policy directory with default_context files.
|
## Search the policy directory with default_context files.
|
||||||
|
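Review bot: The summary of the new `seutil_manage_config_dirs` says it lets the domain "Create, read, write, and delete the general selinux configuration files", but the body's only rule is `allow $1 selinux_config_t:dir manage_dir_perms;`, so it grants management of directories and nothing on the `file` class; the text should read `## Create, read, write, and delete` / `## the general selinux configuration directories.` so a caller does not pick it expecting file access, which is what the preceding `seutil_manage_selinux_config` provides. Being exact matters here because the interface is tagged `<rolecap/>` and `manage_dir_perms` on the selinux config tree presumably covers creating, renaming and removing policy directories. The separator above the new block (`#######################################`) also looks one `#` shorter than the surrounding `########################################` headers.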
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(selinuxutil,1.3.1)
|
policy_module(selinuxutil,1.3.2)
|
||||||
|
|
||||||
ifdef(`strict_policy',`
|
ifdef(`strict_policy',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|