move modules_object_t back to bootloader
This commit is contained in:
parent
91a7ab6cb3
commit
5f75f56066
@ -144,3 +144,69 @@ type boot_t, boot_runtime_t;
|
||||
class dir { getattr search read write add_name remove_name };
|
||||
class file { getattr create read write append unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# bootloader_list_kernel_modules(domain,[`optional'])
|
||||
#
|
||||
define(`bootloader_list_kernel_modules',`
|
||||
requires_block_template(bootloader_list_kernel_modules_depend,$2)
|
||||
allow $1 modules_object_t:dir { getattr search read };
|
||||
')
|
||||
|
||||
define(`bootloader_list_kernel_modules_depend',`
|
||||
type modules_object_t;
|
||||
class dir { getattr search read };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# bootloader_read_kernel_modules(domain,[`optional'])
|
||||
#
|
||||
define(`bootloader_read_kernel_modules',`
|
||||
requires_block_template(bootloader_read_kernel_modules_depend,$2)
|
||||
allow $1 modules_object_t:dir { getattr search read };
|
||||
allow $1 modules_object_t:{ lnk_file file } { getattr read };
|
||||
')
|
||||
|
||||
define(`bootloader_read_kernel_modules_depend',`
|
||||
type modules_object_t;
|
||||
class dir { getattr search read };
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# bootloader_modify_kernel_modules(domain,[`optional'])
|
||||
#
|
||||
define(`bootloader_modify_kernel_modules',`
|
||||
requires_block_template(bootloader_modify_kernel_modules_depend,$2)
|
||||
allow $1 modules_object_t:file { getattr create read write setattr unlink };
|
||||
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
|
||||
')
|
||||
|
||||
define(`bootloader_modify_kernel_modules_depend',`
|
||||
type modules_object_t;
|
||||
class file { getattr create read write setattr unlink };
|
||||
class dir { getattr search read write add_name remove_name };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)],[`optional'])
|
||||
#
|
||||
define(`bootloader_create_private_module_dir_entry',`
|
||||
requires_block_template(bootloader_create_private_module_dir_entry_depend,$2)
|
||||
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 modules_object_t:file $2;
|
||||
',`
|
||||
type_transition $1 modules_object_t:$3 $2;
|
||||
') dnl end ifelse
|
||||
')
|
||||
|
||||
define(`bootloader_create_private_module_dir_entry_depend',`
|
||||
type modules_object_t;
|
||||
class dir { getattr search read write add_name remove_name };
|
||||
')
|
||||
|
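Review bot: In `bootloader_create_private_module_dir_entry` the requires block is requested with `requires_block_template(bootloader_create_private_module_dir_entry_depend,$2)`, but by the documented signature `$2` is the private type and the optional flag is `$4`, so the flag can never match; it should read `requires_block_template(bootloader_create_private_module_dir_entry_depend,$4)`. The matching `_depend` block declares only `class dir` although the default branch emits `type_transition $1 modules_object_t:file $2;`, so the file class and the caller's private type presumably have to be declared by the caller — worth a line in the interface header saying so. Separately, `bootloader_modify_kernel_modules` grants `create write` on `modules_object_t:file` without giving `$1` the `can_modify_kernel_modules` attribute that the `neverallow` moved into bootloader.te by this commit demands, so any caller not otherwise assigned the attribute will fail at policy build; either add `typeattribute $1 can_modify_kernel_modules;` to the interface or state in its header that the caller must carry the attribute.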
@ -1,10 +1,6 @@
|
||||
# Copyright (C) 2005 Tresys Technology, LLC
|
||||
|
||||
type bootloader_t;
|
||||
domain_make_domain(bootloader_t)
|
||||
|
||||
type bootloader_exec_t;
|
||||
domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
|
||||
attribute can_modify_kernel_modules;
|
||||
|
||||
#
|
||||
# boot_t is the type for files in /boot
|
||||
@ -12,9 +8,20 @@ domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
|
||||
type boot_t;
|
||||
files_make_file(boot_t)
|
||||
|
||||
#
|
||||
# boot_runtime_t is the type for /boot/kernel.h,
|
||||
# which is automatically generated at boot time.
|
||||
# only for Red Hat
|
||||
#
|
||||
type boot_runtime_t;
|
||||
files_make_file(boot_runtime_t)
|
||||
|
||||
type bootloader_t;
|
||||
domain_make_domain(bootloader_t)
|
||||
|
||||
type bootloader_exec_t;
|
||||
domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
|
||||
|
||||
#
|
||||
# bootloader_etc_t is the configuration file,
|
||||
# grub.conf, lilo.conf, etc.
|
||||
@ -22,12 +29,6 @@ files_make_file(boot_runtime_t)
|
||||
type bootloader_etc_t alias etc_bootloader_t;
|
||||
files_make_file(bootloader_etc_t)
|
||||
|
||||
#
|
||||
# system_map_t is for the system.map files in /boot
|
||||
#
|
||||
type system_map_t;
|
||||
files_make_file(system_map_t)
|
||||
|
||||
#
|
||||
# The temp file is used for initrd creation;
|
||||
# it consists of files and device nodes
|
||||
@ -36,6 +37,19 @@ type bootloader_tmp_t;
|
||||
files_make_file(bootloader_tmp_t)
|
||||
devices_make_device_node(bootloader_tmp_t)
|
||||
|
||||
# kernel modules
|
||||
type modules_object_t;
|
||||
files_make_file(modules_object_t)
|
||||
|
||||
neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
|
||||
|
||||
#
|
||||
# system_map_t is for the system.map files in /boot
|
||||
#
|
||||
type system_map_t;
|
||||
files_make_file(system_map_t)
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# bootloader local policy
|
||||
@ -92,6 +106,9 @@ devices_ignore_modify_generic_devices(bootloader_t)
|
||||
# mkinitrd policy
|
||||
#
|
||||
|
||||
allow bootloader_t modules_object_t:dir { getattr search read };
|
||||
allow bootloader_t modules_object_t:file { getattr read };
|
||||
|
||||
files_read_general_system_resources(bootloader_t)
|
||||
bootloader_install_initrd(bootloader_t)
|
||||
|
||||
@ -104,7 +121,6 @@ corecommands_execute_shell(bootloader_t)
|
||||
selinux_read_binary_policy(bootloader_t)
|
||||
selinux_read_load_policy_binary(bootloader_t)
|
||||
|
||||
modutils_read_kernel_modules(bootloader_t)
|
||||
modutils_read_kernel_module_dependencies(bootloader_t)
|
||||
modutils_read_kernel_module_loading_config(bootloader_t)
|
||||
modutils_insmod_execute(bootloader_t)
|
||||
|
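Review bot: The direct rules `allow bootloader_t modules_object_t:dir { getattr search read };` and `allow bootloader_t modules_object_t:file { getattr read };` in the mkinitrd hunk replace the removed `modutils_read_kernel_modules(bootloader_t)` call, whose interface (modutils.if in this commit) also granted `getattr read` on `modules_object_t:lnk_file`, so symlink traversal inside the modules tree is silently lost. If that was not intended, add `allow bootloader_t modules_object_t:lnk_file { getattr read };` next to them. In the kernel-modules hunk, `neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };` asserts only on the `file` class, leaving `lnk_file` creation and `file { link rename }` into a `modules_object_t` directory outside the assertion; if the intent is that domains without the attribute cannot alter the module tree at all, consider widening it (e.g. `neverallow ~can_modify_kernel_modules modules_object_t:{ file lnk_file } { create append write link rename };`) or add a comment stating that the narrower scope is deliberate.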
@ -1,36 +1,20 @@
|
||||
# Copyright (C) 2005 Tresys Technology, LLC
|
||||
|
||||
########################################
|
||||
#
|
||||
# modutils_read_kernel_modules(domain,[`optional'])
|
||||
#
|
||||
define(`modutils_read_kernel_modules',`
|
||||
requires_block_template(modutils_read_kernel_modules_depend,$2)
|
||||
allow $1 modules_object_t:dir { getattr search read };
|
||||
allow $1 modules_object_t:{ lnk_file file } { getattr read };
|
||||
')
|
||||
|
||||
define(`modutils_read_kernel_modules_depend',`
|
||||
type modules_object_t;
|
||||
class dir { getattr search read };
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# modutils_read_kernel_module_dependencies(domain,[`optional'])
|
||||
#
|
||||
define(`modutils_read_kernel_module_dependencies',`
|
||||
requires_block_template(modutils_read_kernel_module_dependencies_depend,$2)
|
||||
bootloader_list_kernel_modules($1,optional)
|
||||
allow $1 modules_dep_t:file { getattr read };
|
||||
allow $1 modules_object_t:dir { getattr search read };
|
||||
')
|
||||
|
||||
define(`modutils_read_kernel_module_dependencies_depend',`
|
||||
type modules_object_t, modules_dep_t;
|
||||
type modules_dep_t;
|
||||
class file { getattr create read write setattr unlink };
|
||||
class dir { search read write add_name remove_name };
|
||||
bootloader_list_kernel_modules_depend
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -47,22 +31,6 @@ type modules_conf_t;
|
||||
class file { getattr create read write setattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# modutils_modify_kernel_modules(domain,[`optional'])
|
||||
#
|
||||
define(`modutils_modify_kernel_modules',`
|
||||
requires_block_template(modutils_modify_kernel_modules_depend,$2)
|
||||
allow $1 modules_object_t:file { getattr create read write setattr unlink };
|
||||
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
|
||||
')
|
||||
|
||||
define(`modutils_modify_kernel_modules_depend',`
|
||||
type modules_object_t;
|
||||
class file { getattr create read write setattr unlink };
|
||||
class dir { getattr search read write add_name remove_name };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# modutils_insmod_transition(domain,[`optional'])
|
||||
|
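Review bot: `modutils_read_kernel_module_dependencies_depend` still declares `class file { getattr create read write setattr unlink }` and `class dir { search read write add_name remove_name }`, although the interface now uses only `getattr read` on `modules_dep_t:file` and takes its directory permissions from `bootloader_list_kernel_modules_depend`; requires entries are declarations rather than grants, but these misstate what the interface needs and the `class dir` line duplicates the bootloader dependency. Trim to `class file { getattr read };` and drop the `class dir` line. The body calls `bootloader_list_kernel_modules($1,optional)` with a hard-coded flag instead of forwarding `$2`; that is presumably deliberate because `_depend` already pulls in `bootloader_list_kernel_modules_depend`, and a one-line comment such as `dnl optional: the bootloader requires are already covered by our _depend block` would make the choice explicit.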
@ -1,12 +1,5 @@
|
||||
# Copyright (C) 2005 Tresys Technology, LLC
|
||||
|
||||
attribute can_modify_kernel_modules;
|
||||
neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
|
||||
|
||||
# kernel modules
|
||||
type modules_object_t;
|
||||
files_make_file(modules_object_t)
|
||||
|
||||
# module loading config
|
||||
type modules_conf_t;
|
||||
files_make_file(modules_conf_t)
|
||||
@ -49,10 +42,6 @@ allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
|
||||
# Read module config and dependency information
|
||||
allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
|
||||
|
||||
# read modules
|
||||
allow insmod_t modules_object_t:dir { getattr search read };
|
||||
allow insmod_t modules_object_t:file { getattr read };
|
||||
|
||||
allow insmod_t self:capability { dac_override net_raw sys_tty_config };
|
||||
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
|
||||
|
||||
@ -68,6 +57,8 @@ kernel_read_kernel_sysctl(insmod_t)
|
||||
kernel_modify_kernel_sysctl(insmod_t)
|
||||
kernel_read_hotplug_sysctl(insmod_t)
|
||||
|
||||
bootloader_read_kernel_modules(insmod_t)
|
||||
|
||||
terminal_use_controlling_terminal(insmod_t)
|
||||
|
||||
devices_write_mtrr(insmod_t)
|
||||
@ -160,22 +151,18 @@ allow depmod_t depmod_exec_t:file { getattr read execute execute_no_trans };
|
||||
# Read conf.modules.
|
||||
allow depmod_t modules_conf_t:file { getattr read };
|
||||
|
||||
# Read module objects.
|
||||
allow depmod_t modules_object_t:dir { getattr search read };
|
||||
allow depmod_t modules_object_t:{ file lnk_file } { getattr read };
|
||||
|
||||
# Create modules.dep.
|
||||
allow depmod_t modules_object_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
type_transition depmod_t modules_object_t:file modules_dep_t;
|
||||
|
||||
kernel_read_system_state(depmod_t)
|
||||
|
||||
bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(depmod_t)
|
||||
|
||||
terminal_use_console(depmod_t)
|
||||
|
||||
bootloader_read_kernel_symbol_table(depmod_t)
|
||||
bootloader_read_kernel_modules(depmod_t)
|
||||
|
||||
files_read_runtime_system_config(depmod_t)
|
||||
files_read_general_system_config(depmod_t)
|
||||
@ -218,9 +205,8 @@ allow update_modules_t modules_dep_t:file { getattr read write };
|
||||
allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans };
|
||||
allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans };
|
||||
|
||||
allow update_modules_t modules_object_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
|
||||
allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
type_transition update_modules_t modules_object_t:file modules_conf_t;
|
||||
|
||||
allow update_modules_t depmod_exec_t:file { getattr read execute };
|
||||
type_transition update_modules_t depmod_exec_t:process depmod_t;
|
||||
|
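Review bot: `bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)` and, in the last hunk, `bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)` replace direct rules that granted `{ read getattr lock search ioctl add_name remove_name write }` on `modules_object_t:dir`, while the interface as added in bootloader.if grants `{ getattr search read write add_name remove_name }`, so `lock` and `ioctl` are dropped for both domains. If either tool locks the module directory while rewriting modules.dep or modules.conf this will surface as a `lock` denial on `modules_object_t:dir`; either keep `allow depmod_t modules_object_t:dir { lock ioctl };` (and the `update_modules_t` counterpart) locally or widen the interface, and record the decision in the `# Create modules.dep.` comment. The rest of the depmod_t and update_modules_t policy lies outside these hunks, so further rules on `modules_object_t` may exist that I cannot see.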