fix up corecommands perm sets, add seutil_manage_config_dirs()
parent
d5ae683e2b
commit
582438054d
@ -133,7 +133,7 @@ interface(`corecmd_search_bin',`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search;
|
||||
allow $1 bin_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -151,7 +151,7 @@ interface(`corecmd_list_bin',`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir r_dir_perms;
|
||||
allow $1 bin_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -187,8 +187,8 @@ interface(`corecmd_read_bin_files',`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search;
|
||||
allow $1 bin_t:file r_file_perms;
|
||||
allow $1 bin_t:dir search_dir_perms;
|
||||
allow $1 bin_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -206,8 +206,8 @@ interface(`corecmd_read_bin_symlinks',`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search;
|
||||
allow $1 bin_t:lnk_file r_file_perms;
|
||||
allow $1 bin_t:dir search_dir_perms;
|
||||
allow $1 bin_t:lnk_file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -225,8 +225,8 @@ interface(`corecmd_read_bin_pipes',`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search;
|
||||
allow $1 bin_t:fifo_file r_file_perms;
|
||||
allow $1 bin_t:dir search_dir_perms;
|
||||
allow $1 bin_t:fifo_file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -244,8 +244,8 @@ interface(`corecmd_read_bin_sockets',`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search;
|
||||
allow $1 bin_t:sock_file r_file_perms;
|
||||
allow $1 bin_t:dir search_dir_perms;
|
||||
allow $1 bin_t:sock_file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -264,8 +264,8 @@ interface(`corecmd_exec_bin',`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir r_dir_perms;
|
||||
allow $1 bin_t:lnk_file r_file_perms;
|
||||
allow $1 bin_t:dir list_dir_perms;
|
||||
allow $1 bin_t:lnk_file read_file_perms;
|
||||
can_exec($1,bin_t)
|
||||
|
||||
')
|
||||
@ -368,7 +368,7 @@ interface(`corecmd_bin_spec_domtrans',`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search;
|
||||
allow $1 bin_t:dir search_dir_perms;
|
||||
allow $1 bin_t:lnk_file { getattr read };
|
||||
|
||||
domain_trans($1,bin_t,$2)
|
||||
@ -469,7 +469,7 @@ interface(`corecmd_list_sbin',`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir r_dir_perms;
|
||||
allow $1 sbin_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -524,8 +524,8 @@ interface(`corecmd_read_sbin_files',`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:file r_file_perms;
|
||||
allow $1 sbin_t:dir search_dir_perms;
|
||||
allow $1 sbin_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -543,8 +543,8 @@ interface(`corecmd_read_sbin_symlinks',`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:lnk_file r_file_perms;
|
||||
allow $1 sbin_t:dir search_dir_perms;
|
||||
allow $1 sbin_t:lnk_file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -562,8 +562,8 @@ interface(`corecmd_read_sbin_pipes',`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:fifo_file r_file_perms;
|
||||
allow $1 sbin_t:dir search_dir_perms;
|
||||
allow $1 sbin_t:fifo_file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -581,8 +581,8 @@ interface(`corecmd_read_sbin_sockets',`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:sock_file r_file_perms;
|
||||
allow $1 sbin_t:dir search_dir_perms;
|
||||
allow $1 sbin_t:sock_file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -601,8 +601,8 @@ interface(`corecmd_exec_sbin',`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir r_dir_perms;
|
||||
allow $1 sbin_t:lnk_file r_file_perms;
|
||||
allow $1 sbin_t:dir list_dir_perms;
|
||||
allow $1 sbin_t:lnk_file read_file_perms;
|
||||
can_exec($1,sbin_t)
|
||||
')
|
||||
|
||||
@ -705,7 +705,7 @@ interface(`corecmd_sbin_domtrans',`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:dir search_dir_perms;
|
||||
allow $1 sbin_t:lnk_file { getattr read };
|
||||
|
||||
domain_auto_trans($1,sbin_t,$2)
|
||||
@ -752,7 +752,7 @@ interface(`corecmd_sbin_spec_domtrans',`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:dir search_dir_perms;
|
||||
allow $1 sbin_t:lnk_file { getattr read };
|
||||
|
||||
domain_trans($1,sbin_t,$2)
|
||||
@ -773,8 +773,8 @@ interface(`corecmd_check_exec_shell',`
|
||||
type bin_t, shell_exec_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir r_dir_perms;
|
||||
allow $1 bin_t:lnk_file r_file_perms;
|
||||
allow $1 bin_t:dir list_dir_perms;
|
||||
allow $1 bin_t:lnk_file read_file_perms;
|
||||
allow $1 shell_exec_t:file execute;
|
||||
')
|
||||
|
||||
@ -793,8 +793,8 @@ interface(`corecmd_exec_shell',`
|
||||
type bin_t, shell_exec_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir r_dir_perms;
|
||||
allow $1 bin_t:lnk_file r_file_perms;
|
||||
allow $1 bin_t:dir list_dir_perms;
|
||||
allow $1 bin_t:lnk_file read_file_perms;
|
||||
can_exec($1,shell_exec_t)
|
||||
')
|
||||
|
||||
@ -813,8 +813,8 @@ interface(`corecmd_exec_ls',`
|
||||
type bin_t, ls_exec_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir r_dir_perms;
|
||||
allow $1 bin_t:lnk_file r_file_perms;
|
||||
allow $1 bin_t:dir list_dir_perms;
|
||||
allow $1 bin_t:lnk_file read_file_perms;
|
||||
can_exec($1,ls_exec_t)
|
||||
')
|
||||
|
||||
@ -852,8 +852,8 @@ interface(`corecmd_shell_spec_domtrans',`
|
||||
type bin_t, shell_exec_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir r_dir_perms;
|
||||
allow $1 bin_t:lnk_file r_file_perms;
|
||||
allow $1 bin_t:dir list_dir_perms;
|
||||
allow $1 bin_t:lnk_file read_file_perms;
|
||||
|
||||
domain_trans($1,shell_exec_t,$2)
|
||||
')
|
||||
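Review bot: The non-directory rules in this file end up inconsistent after the conversion: `corecmd_bin_spec_domtrans`, `corecmd_sbin_domtrans` and `corecmd_sbin_spec_domtrans` still spell out `lnk_file { getattr read }`, while the read_*_symlinks/pipes/sockets, exec, shell and ls interfaces now give `lnk_file`, `fifo_file` and `sock_file` the regular-file set `read_file_perms`. The definition of `read_file_perms` is not on this page, but if it expands to more than `getattr read`, callers of those interfaces get more access to links in `bin_t`/`sbin_t` than the domtrans interfaces show is needed for path resolution. A class-specific set would keep the rules uniform and least-privilege, e.g. `allow $1 bin_t:lnk_file read_lnk_file_perms;` if the support macros at this revision define one, otherwise `{ getattr read }` in every interface. Several of these interface bodies begin or end outside the visible hunks, so this is based only on the lines shown.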
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands,1.4.0)
|
||||
policy_module(corecommands,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -718,6 +718,27 @@ interface(`seutil_manage_selinux_config',`
|
||||
allow $1 selinux_config_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## the general selinux configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`seutil_manage_config_dirs',`
|
||||
gen_require(`
|
||||
type selinux_config_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 selinux_config_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the policy directory with default_context files.
|
||||
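Review bot: The `<summary>` of the new `seutil_manage_config_dirs` describes "the general selinux configuration files", but the only access rule in the body is `allow $1 selinux_config_t:dir manage_dir_perms;`, which covers directories and no files. The text reads as if copied from `seutil_manage_selinux_config` just above; I would change the second summary line to `## the general selinux configuration directories.` so the generated interface documentation matches what is granted. The `<rolecap/>` tag looks carried over too and should be confirmed as intended. Because this interface presumably lets the caller create and remove entries in directories that hold SELinux configuration, an accurate summary matters to anyone auditing which domains call it.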
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(selinuxutil,1.3.1)
|
||||
policy_module(selinuxutil,1.3.2)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
gen_require(`
|
||||
|