add fstools, and more cleanup
This commit is contained in:
parent
80436b9b8f
commit
58c3da55f3
@ -126,6 +126,7 @@ files_read_generic_etc_files(bootloader_t)
|
||||
files_read_etc_runtime_files(bootloader_t)
|
||||
files_read_usr_src(bootloader_t)
|
||||
files_read_usr_files(bootloader_t)
|
||||
files_read_var_file(bootloader_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_pids(bootloader_t)
|
||||
|
||||
@ -145,6 +146,9 @@ ifdef(`distro_debian', `
|
||||
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
||||
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
|
||||
allow bootloader_t boot_t:file relabelfrom;
|
||||
|
||||
# for /usr/share/initrd-tools/scripts
|
||||
files_exec_usr_files(bootloader_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -157,6 +161,13 @@ ifdef(`distro_redhat', `
|
||||
# mkinitrd mount initrd on bootloader temp dir
|
||||
files_mountpoint(bootloader_tmp_t)
|
||||
|
||||
# new file system defaults to file_t, granting file_t access is still bad.
|
||||
files_manage_isid_type_dir(bootloader_t)
|
||||
files_manage_isid_type_file(bootloader_t)
|
||||
files_manage_isid_type_symlink(bootloader_t)
|
||||
files_manage_isid_type_blk_node(bootloader_t)
|
||||
files_manage_isid_type_chr_node(bootloader_t)
|
||||
|
||||
# for mke2fs
|
||||
mount_domtrans(bootloader_t)
|
||||
')
|
||||
@ -165,8 +176,6 @@ optional_policy(`filesystemtools.te', `
|
||||
filesystemtools_execute(bootloader_t)
|
||||
')
|
||||
|
||||
# LVM2 / Device Mapper's /dev/mapper/control
|
||||
# maybe we should change the labeling for this
|
||||
optional_policy(`lvm.te',`
|
||||
dev_rw_lvm_control(bootloader_t)
|
||||
|
||||
@ -185,8 +194,9 @@ optional_policy(`modutils.te',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow bootloader_t var_t:dir search;
|
||||
allow bootloader_t var_t:file { getattr read };
|
||||
dontaudit bootloader_t selinux_config_t:dir search;
|
||||
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
||||
dontaudit bootloader_t devpts_t:dir create_dir_perms;
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
|
||||
@ -197,18 +207,6 @@ ifdef(`distro_debian', `
|
||||
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
|
||||
allow bootloader_t dpkg_var_lib_t:file { getattr read };
|
||||
|
||||
# for /usr/share/initrd-tools/scripts
|
||||
can_exec(bootloader_t, usr_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# new file system defaults to file_t, granting file_t access is still bad.
|
||||
allow bootloader_t file_t:dir create_dir_perms;
|
||||
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
|
||||
allow bootloader_t file_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
dontaudit bootloader_t selinux_config_t:dir search;
|
||||
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
||||
dontaudit bootloader_t devpts_t:dir create_dir_perms;
|
||||
') dnl end TODO
|
||||
|
@ -172,11 +172,11 @@ interface(`kernel_dontaudit_read_ring_buffer',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
##
|
||||
## </desc>
|
||||
## <summary>
|
||||
## Change the level of kernel messages logged to the console.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
##
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_change_ring_buffer_level',`
|
||||
|
@ -88,6 +88,10 @@ fs_search_auto_mountpoints(inetd_t)
|
||||
|
||||
term_dontaudit_use_console(inetd_t)
|
||||
|
||||
# Run other daemons in the inetd_child_t domain.
|
||||
corecmd_search_bin(inetd_t)
|
||||
corecmd_read_sbin_symlink(inetd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(inetd_t)
|
||||
|
||||
files_read_generic_etc_files(inetd_t)
|
||||
@ -112,8 +116,8 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(inetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(inetd_t)
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(inetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
@ -129,17 +133,13 @@ allow inetd_t proc_t:dir r_dir_perms;
|
||||
allow inetd_t proc_t:lnk_file read;
|
||||
dontaudit inetd_t sysadm_home_dir_t:dir search;
|
||||
|
||||
ifdef(`mount.te', `
|
||||
allow inetd_t mount_t:udp_socket rw_socket_perms;
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(inetd_t)
|
||||
')
|
||||
|
||||
# allow any domain to connect to inetd
|
||||
can_tcp_connect(userdomain, inetd_t)
|
||||
|
||||
# Run other daemons in the inetd_child_t domain.
|
||||
allow inetd_t { bin_t sbin_t }:dir search;
|
||||
allow inetd_t sbin_t:lnk_file read;
|
||||
|
||||
# Bind to the telnet, ftp, rlogin and rsh ports.
|
||||
ifdef(`talk.te', `
|
||||
allow inetd_t talk_port_t:tcp_socket name_bind;
|
||||
|
@ -51,7 +51,7 @@ interface(`clock_run',`
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute hwclock
|
||||
## Execute hwclock in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
|
@ -43,6 +43,7 @@ interface(`corecmd_list_bin',`
|
||||
allow $1 bin_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of files in bin directories.
|
||||
## </summary>
|
||||
@ -58,6 +59,7 @@ interface(`corecmd_getattr_bin_file',`
|
||||
allow $1 bin_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links in bin directories.
|
||||
## </summary>
|
||||
@ -144,6 +146,24 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
|
||||
dontaudit $1 sbin_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links in sbin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
interface(`corecmd_read_sbin_symlink',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
class dir search;
|
||||
class lnk_file read;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:lnk_file read;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# corecmd_exec_sbin(domain)
|
||||
|
@ -591,9 +591,33 @@ interface(`files_create_etc_config',`
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search directories on new filesystems
|
||||
## that have not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
# files_rw_isid_type_dir(domain)
|
||||
interface(`files_dontaudit_search_isid_type_dir',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 file_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write directories on new filesystems
|
||||
## that have not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_rw_isid_type_dir',`
|
||||
gen_require(`
|
||||
@ -605,29 +629,121 @@ interface(`files_rw_isid_type_dir',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete directories
|
||||
## on new filesystems that have not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
# files_dontaudit_getattr_isid_type_dir(domain)
|
||||
#
|
||||
interface(`files_dontaudit_getattr_isid_type_dir',`
|
||||
interface(`files_manage_isid_type_dir',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir search;
|
||||
class dir create_dir_perms;
|
||||
')
|
||||
|
||||
dontaudit $1 file_t:dir search;
|
||||
allow $1 file_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
## on new filesystems that have not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
# files_dontaudit_search_isid_type_dir(domain)
|
||||
interface(`files_manage_isid_type_file',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir rw_dir_perms;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 file_t:dir rw_dir_perms;
|
||||
allow $1 file_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete symbolic links
|
||||
## on new filesystems that have not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_search_isid_type_dir',`
|
||||
interface(`files_manage_isid_type_symlink',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir rw_dir_perms;
|
||||
class lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
allow $1 file_t:dir rw_dir_perms;
|
||||
allow $1 file_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write block device nodes on new filesystems
|
||||
## that have not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_rw_isid_type_blk_node',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir search;
|
||||
class blk_file rw_file_perms;
|
||||
')
|
||||
|
||||
dontaudit $1 file_t:dir search;
|
||||
allow $1 file_t:dir search;
|
||||
allow $1 file_t:blk_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete block device nodes
|
||||
## on new filesystems that have not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_isid_type_blk_node',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir rw_dir_perms;
|
||||
class blk_file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 file_t:dir rw_dir_perms;
|
||||
allow $1 file_t:blk_file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete character device nodes
|
||||
## on new filesystems that have not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_isid_type_chr_node',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir rw_dir_perms;
|
||||
class chr_file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 file_t:dir rw_dir_perms;
|
||||
allow $1 file_t:chr_file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -807,6 +923,25 @@ interface(`files_dontaudit_search_var',`
|
||||
dontaudit $1 var_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in the /var directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_var_file',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
class dir search;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Search the /var/lib directory.
|
||||
|
36
refpolicy/policy/modules/system/fstools.fc
Normal file
36
refpolicy/policy/modules/system/fstools.fc
Normal file
@ -0,0 +1,36 @@
|
||||
/sbin/blockdev -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/cfdisk -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/e2label -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/fdisk -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/findfs -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/hdparm -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/install-mbr -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/lsraid -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/mke2fs -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/mkraid -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/mkswap -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/parted -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/partprobe -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/partx -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/raidstart -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/scsi_info -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/sfdisk -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
|
||||
|
||||
/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
|
||||
/usr/bin/raw -- system_u:object_r:fsadm_exec_t
|
||||
/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t
|
||||
|
||||
/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t
|
66
refpolicy/policy/modules/system/fstools.if
Normal file
66
refpolicy/policy/modules/system/fstools.if
Normal file
@ -0,0 +1,66 @@
|
||||
## <summary>Tools for filesystem management, such as mkfs and fsck.</summary>
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute fs tools in the fstools domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fstools_domtrans',`
|
||||
gen_require(`
|
||||
type fsadm_t, fsadm_exec_t;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,fsadm_exec_t,fsadm_t)
|
||||
|
||||
allow $1 fsadm_t:fd use;
|
||||
allow fsadm_t $1:fd use;
|
||||
allow fsadm_t $1:fifo_file rw_file_perms;
|
||||
allow fsadm_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute fs tools in the fstools domain, and
|
||||
## allow the specified role the fs tools domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the fs tools domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the fs tools domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`fstools_run',`
|
||||
gen_require(`
|
||||
type fsadm_t;
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
fstools_domtrans($1)
|
||||
role $2 types fsadm_t;
|
||||
allow fsadm_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute fsadm in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fstools_exec',`
|
||||
gen_require(`
|
||||
type fsadm_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,fsadm_exec_t)
|
||||
')
|
143
refpolicy/policy/modules/system/fstools.te
Normal file
143
refpolicy/policy/modules/system/fstools.te
Normal file
@ -0,0 +1,143 @@
|
||||
|
||||
policy_module(fstools,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
type fsadm_t;
|
||||
type fsadm_exec_t;
|
||||
init_system_domain(fsadm_t,fsadm_exec_t)
|
||||
role system_r types fsadm_t;
|
||||
|
||||
type fsadm_tmp_t;
|
||||
files_tmp_file(fsadm_tmp_t)
|
||||
|
||||
type swapfile_t;
|
||||
files_file_type(swapfile_t)
|
||||
|
||||
########################################
|
||||
|
||||
# ipc_lock is for losetup
|
||||
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
|
||||
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow fsadm_t self:fd use;
|
||||
allow fsadm_t self:fifo_file rw_file_perms;
|
||||
allow fsadm_t self:unix_dgram_socket create_socket_perms;
|
||||
allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow fsadm_t self:unix_dgram_socket sendto;
|
||||
allow fsadm_t self:unix_stream_socket connectto;
|
||||
allow fsadm_t self:shm create_shm_perms;
|
||||
allow fsadm_t self:sem create_sem_perms;
|
||||
allow fsadm_t self:msgq create_msgq_perms;
|
||||
allow fsadm_t self:msg { send receive };
|
||||
|
||||
can_exec(fsadm_t, fsadm_exec_t)
|
||||
|
||||
allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
|
||||
allow fsadm_t fsadm_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(fsadm_t, fsadm_tmp_t, { file dir })
|
||||
|
||||
# Enable swapping to files
|
||||
allow fsadm_t swapfile_t:file { getattr swapon };
|
||||
|
||||
kernel_read_system_state(fsadm_t)
|
||||
kernel_read_kernel_sysctl(fsadm_t)
|
||||
# Allow console log change (updfstab)
|
||||
kernel_change_ring_buffer_level(fsadm_t)
|
||||
|
||||
# mkreiserfs and other programs need this for UUID
|
||||
dev_read_rand(fsadm_t)
|
||||
dev_read_urand(fsadm_t)
|
||||
# Recreate /dev/cdrom.
|
||||
dev_manage_generic_symlinks(fsadm_t)
|
||||
# Access to /initrd devices
|
||||
dev_search_usbfs(fsadm_t)
|
||||
|
||||
fs_search_auto_mountpoints(fsadm_t)
|
||||
fs_getattr_xattr_fs(fsadm_t)
|
||||
# remount file system to apply changes
|
||||
fs_remount_xattr_fs(fsadm_t)
|
||||
|
||||
storage_raw_read_fixed_disk(fsadm_t)
|
||||
storage_raw_write_fixed_disk(fsadm_t)
|
||||
storage_raw_read_removable_device(fsadm_t)
|
||||
storage_raw_write_removable_device(fsadm_t)
|
||||
storage_read_scsi_generic(fsadm_t)
|
||||
|
||||
domain_use_wide_inherit_fd(fsadm_t)
|
||||
|
||||
files_list_home(fsadm_t)
|
||||
files_read_usr_files(fsadm_t)
|
||||
files_read_generic_etc_files(fsadm_t)
|
||||
files_list_mnt(fsadm_t)
|
||||
# Write to /etc/mtab.
|
||||
files_manage_etc_runtime_files(fsadm_t)
|
||||
# Access to /initrd devices
|
||||
files_rw_isid_type_dir(fsadm_t)
|
||||
files_rw_isid_type_blk_node(fsadm_t)
|
||||
|
||||
init_use_fd(fsadm_t)
|
||||
init_use_script_pty(fsadm_t)
|
||||
|
||||
libs_use_ld_so(fsadm_t)
|
||||
libs_use_shared_libs(fsadm_t)
|
||||
|
||||
logging_send_syslog_msg(fsadm_t)
|
||||
|
||||
miscfiles_read_localization(fsadm_t)
|
||||
|
||||
modutils_read_module_conf(fsadm_t)
|
||||
|
||||
seutil_read_config(fsadm_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(fsadm_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(fsadm_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# for swapon
|
||||
allow fsadm_t sysfs_t:dir { search getattr };
|
||||
|
||||
# for /dev/shm
|
||||
allow fsadm_t tmpfs_t:dir { getattr search };
|
||||
|
||||
allow fsadm_t bin_t:dir r_dir_perms;
|
||||
allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
|
||||
allow fsadm_t sbin_t:dir r_dir_perms;
|
||||
allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
|
||||
if (read_default_t) {
|
||||
allow fsadm_t default_t:dir r_dir_perms;
|
||||
allow fsadm_t default_t:notdevfile_class_set r_file_perms;
|
||||
}
|
||||
|
||||
# mkreiserfs needs this
|
||||
allow fsadm_t proc_t:filesystem getattr;
|
||||
|
||||
# Access lost+found.
|
||||
allow fsadm_t lost_found_t:dir create_dir_perms;
|
||||
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
|
||||
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow fsadm_t file_t:dir { search read getattr rmdir create };
|
||||
|
||||
# Recreate /mnt/cdrom.
|
||||
allow fsadm_t mnt_t:dir { rmdir create };
|
||||
|
||||
# Enable swapping to devices and files
|
||||
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
|
||||
|
||||
# Access terminals.
|
||||
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
|
||||
|
||||
# for smartctl cron jobs
|
||||
system_crond_entry(fsadm_exec_t, fsadm_t)
|
||||
|
||||
# Access to /initrd devices
|
||||
allow fsadm_t unlabeled_t:dir rw_dir_perms;
|
||||
allow fsadm_t unlabeled_t:blk_file rw_file_perms;
|
||||
allow fsadm_t usbfs_t:dir getattr;
|
||||
|
||||
') dnl end TODO
|
@ -131,6 +131,10 @@ optional_policy(`consoletype.te',`
|
||||
consoletype_domtrans(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`fstools.te',`
|
||||
fstools_domtrans(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`hostname.te',`
|
||||
hostname_exec(hotplug_t)
|
||||
')
|
||||
@ -188,10 +192,6 @@ optional_policy(`hotplug.te',`
|
||||
allow hald_t hotplug_etc_t:file { getattr read };
|
||||
')
|
||||
|
||||
optional_policy(`fsadm.te', `
|
||||
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`lpd.te', `
|
||||
allow hotplug_t printer_device_t:chr_file setattr;
|
||||
')
|
||||
|
@ -138,12 +138,15 @@ fs_getattr_xattr_fs(depmod_t)
|
||||
|
||||
term_use_console(depmod_t)
|
||||
|
||||
corecmd_search_bin(depmod_t)
|
||||
corecmd_search_sbin(depmod_t)
|
||||
|
||||
domain_use_wide_inherit_fd(depmod_t)
|
||||
|
||||
init_use_fd(depmod_t)
|
||||
init_use_script_fd(depmod_t)
|
||||
init_use_script_pty(depmod_t)
|
||||
|
||||
domain_use_wide_inherit_fd(depmod_t)
|
||||
|
||||
files_read_etc_runtime_files(depmod_t)
|
||||
files_read_generic_etc_files(depmod_t)
|
||||
files_read_usr_src(depmod_t)
|
||||
@ -153,8 +156,6 @@ libs_use_shared_libs(depmod_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow depmod_t { bin_t sbin_t }:dir search;
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
|
||||
|
||||
# Read System.map from home directories.
|
||||
|
@ -84,6 +84,10 @@ optional_policy(`clock.te',`
|
||||
clock_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`fstools.te',`
|
||||
fstools_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`hostname.te',`
|
||||
hostname_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
Loading…
Reference in New Issue
Block a user