podsleuth patch from dan.
This commit is contained in:
parent
13306f56b6
commit
5bb5ec1d40
@ -1,2 +1,3 @@
|
|||||||
|
|
||||||
/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
|
/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
|
||||||
|
/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
|
||||||
|
/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0)
|
||||||
|
@ -16,4 +16,30 @@ interface(`podsleuth_domtrans',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
|
domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
|
||||||
|
allow $1 podsleuth_t:process signal;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute podsleuth in the podsleuth domain, and
|
||||||
|
## allow the specified role the podsleuth domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## The role to be allowed the podsleuth domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`podsleuth_run',`
|
||||||
|
gen_require(`
|
||||||
|
type podsleuth_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
podsleuth_domtrans($1)
|
||||||
|
role $2 types podsleuth_t;
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(podsleuth, 1.1.0)
|
policy_module(podsleuth, 1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -11,25 +11,74 @@ type podsleuth_exec_t;
|
|||||||
application_domain(podsleuth_t, podsleuth_exec_t)
|
application_domain(podsleuth_t, podsleuth_exec_t)
|
||||||
role system_r types podsleuth_t;
|
role system_r types podsleuth_t;
|
||||||
|
|
||||||
|
type podsleuth_cache_t;
|
||||||
|
files_type(podsleuth_cache_t)
|
||||||
|
ubac_constrained(podsleuth_cache_t)
|
||||||
|
|
||||||
|
type podsleuth_tmp_t;
|
||||||
|
files_tmp_file(podsleuth_tmp_t)
|
||||||
|
ubac_constrained(podsleuth_tmp_t)
|
||||||
|
|
||||||
|
type podsleuth_tmpfs_t;
|
||||||
|
files_tmpfs_file(podsleuth_tmpfs_t)
|
||||||
|
ubac_constrained(podsleuth_tmpfs_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# podsleuth local policy
|
# podsleuth local policy
|
||||||
#
|
#
|
||||||
|
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
|
||||||
allow podsleuth_t self:process { signal getsched execheap execmem };
|
allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
|
||||||
allow podsleuth_t self:fifo_file rw_file_perms;
|
allow podsleuth_t self:fifo_file rw_file_perms;
|
||||||
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
|
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
allow podsleuth_t self:sem create_sem_perms;
|
||||||
|
allow podsleuth_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow podsleuth_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
|
manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
|
||||||
|
manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
|
||||||
|
files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
|
||||||
|
|
||||||
|
allow podsleuth_t podsleuth_tmp_t:dir mounton;
|
||||||
|
manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
|
||||||
|
manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
|
||||||
|
files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
|
||||||
|
|
||||||
|
manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
|
||||||
|
manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
|
||||||
|
manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
|
||||||
|
fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
|
||||||
|
|
||||||
kernel_read_system_state(podsleuth_t)
|
kernel_read_system_state(podsleuth_t)
|
||||||
|
|
||||||
|
corecmd_exec_bin(podsleuth_t)
|
||||||
|
|
||||||
|
corenet_tcp_connect_http_port(podsleuth_t)
|
||||||
|
|
||||||
dev_read_urand(podsleuth_t)
|
dev_read_urand(podsleuth_t)
|
||||||
|
|
||||||
files_read_etc_files(podsleuth_t)
|
files_read_etc_files(podsleuth_t)
|
||||||
|
|
||||||
|
fs_mount_dos_fs(podsleuth_t)
|
||||||
|
fs_unmount_dos_fs(podsleuth_t)
|
||||||
|
fs_getattr_dos_fs(podsleuth_t)
|
||||||
|
fs_read_dos_files(podsleuth_t)
|
||||||
|
fs_search_dos(podsleuth_t)
|
||||||
|
fs_getattr_tmpfs(podsleuth_t)
|
||||||
|
fs_list_tmpfs(podsleuth_t)
|
||||||
|
|
||||||
miscfiles_read_localization(podsleuth_t)
|
miscfiles_read_localization(podsleuth_t)
|
||||||
|
|
||||||
|
sysnet_dns_name_resolve(podsleuth_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
dbus_system_bus_client(podsleuth_t)
|
dbus_system_bus_client(podsleuth_t)
|
||||||
|
|
||||||
mono_exec(podsleuth_t)
|
optional_policy(`
|
||||||
|
|
||||||
hal_dbus_chat(podsleuth_t)
|
hal_dbus_chat(podsleuth_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mono_exec(podsleuth_t)
|
||||||
|
')
|
||||||
|
Loading…
Reference in New Issue
Block a user