kernel.if renaming

Chris PeBenito 2005-06-09 20:50:17 +00:00
parent eda201efe8
commit 588ffaeb7f
5 changed files with 231 additions and 475 deletions

File diff suppressed because it is too large


@ -188,21 +188,25 @@ allow kernel_t sysctl_t:dir r_dir_perms;
allow kernel_t sysctl_kernel_t:dir r_dir_perms;
allow kernel_t sysctl_kernel_t:file r_file_perms;
# old base_file_read_access():
files_list_home_directories(kernel_t)
files_read_general_application_resources(kernel_t)
selinux_read_config(kernel_t)
selinux_read_binary_policy(kernel_t)
allow kernel_t security_t:dir r_dir_perms;
allow kernel_t security_t:file rw_file_perms;
allow kernel_t security_t:security load_policy;
auditallow kernel_t security_t:security load_policy;
corecommands_execute_shell(kernel_t)
corecommands_read_system_programs_directory(kernel_t)
files_read_root_dir(kernel_t)
files_list_home_directories(kernel_t)
files_read_general_application_resources(kernel_t)
init_sigchld(kernel_t)
libraries_use_dynamic_loader(kernel_t)
libraries_use_shared_libraries(kernel_t)
corecommands_execute_shell(kernel_t)
selinux_read_config(kernel_t)
selinux_read_binary_policy(kernel_t)
terminal_use_console(kernel_t)
domain_signal_all_domains(kernel_t)
@ -234,3 +238,14 @@ neverallow ~can_setsecparam security_t:security setsecparam;
neverallow * *:process { setcurrent dyntransition };
neverallow ~can_load_kernmodule *:capability sys_module;
########################################
#
# Unlabeled process local policy
#
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init.
# If you load an incompatible policy, you should probably reboot,
# since you may have compromised system security.
init_sigchld(unlabeled_t)
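Review bot: The comment above `init_sigchld(unlabeled_t)` in the second hunk explains why the rule exists but not that the grant is meant to stay limited to sigchld, and unlabeled_t covers every process whose domain was removed by a policy reload. I would add a line such as `# Only sigchld to init is granted; do not widen unlabeled_t access here.` so later edits do not grow this block. The definition of init_sigchld is not on this page (the interface file's diff is suppressed), so it is worth confirming that it expands to the sigchld permission only. In the first hunk the old and new sides cannot be told apart as rendered, so nothing is raised there.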


@ -12,7 +12,6 @@ files_make_file(bin_t)
#
type sbin_t;
files_make_file(sbin_t)
kernel_read_directory_from(sbin_t)
#
# ls_exec_t is the type of the ls program.


@ -82,7 +82,6 @@ fs_noxattr_associate(readable_t)
type root_t, file_type, mountpoint;
fs_associate(root_t)
fs_noxattr_associate(root_t)
kernel_read_directory_from(root_t)
kernel_make_root_fs_mountpoint(root_t)
genfscon rootfs / context_template(system_u:object_r:root_t,s0)


@ -85,20 +85,8 @@ devices_create_dev_entry(init_t,initctl_t,fifo_file)
# Modify utmp.
allow init_t initrc_var_run_t:file rw_file_perms;
# Run init scripts. this is ok since initrc
# is also in this module
allow init_t initrc_t:process transition;
allow init_t initrc_exec_t:file rx_file_perms;
type_transition init_t initrc_exec_t:process initrc_t;
dontaudit init_t initrc_t:process { noatsecure siginh rlimitinh };
kernel_sigchld_from(init_t)
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init
# If you load an incompatible policy, you should probably reboot,
# since you may have compromised system security.
kernel_unlabeled_sigchld_from(init_t)
# Run init scripts.
domain_auto_trans(init_t,initrc_exec_t,initrc_t)
kernel_set_selinux_boolean(init_t)
kernel_read_system_state(init_t)
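Review bot: The shortened comment `# Run init scripts.` loses the rationale the old comment carried, that initrc_t and initrc_exec_t are named directly because they are declared in this module. I would keep it as `# Run init scripts. initrc_t and initrc_exec_t are declared in this module.` The old block also held `dontaudit init_t initrc_t:process { noatsecure siginh rlimitinh };`, and the definition of domain_auto_trans is not on this page, so it should be confirmed that the macro still covers that rule. If it does not, these denials will begin to show up in the audit log. The old and new sides here are inferred from the hunk header counts (20 old lines, 8 new), since the `+`/`-` markers are lost.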