Kernel patch from Dan Walsh.
Add ability to dontaudit requests to load kernel modules. If you disable ipv6, every confined app that does IP tries to get the kernel to load the module. Better handling of unlabeled files by the kernel interfaces.
parent
fb7caddb4f
commit
60f04fcb7a
@ -532,6 +532,24 @@ interface(`kernel_request_load_module',`
|
||||
allow $1 kernel_t:system module_request;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit requests to the kernel to load a module.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_request_load_module',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
dontaudit $1 kernel_t:system module_request;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get information on all System V IPC objects.
|
||||
@ -2046,6 +2064,23 @@ interface(`kernel_mount_unlabeled',`
|
||||
allow $1 unlabeled_t:filesystem mount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unmount a kernel unlabeled filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_unmount_unlabeled',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -2193,6 +2228,24 @@ interface(`kernel_rw_unlabeled_dirs',`
|
||||
allow $1 unlabeled_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write unlabeled files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_unlabeled_files',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to get the
|
||||
|
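Review bot: `kernel_dontaudit_request_load_module` (first hunk) suppresses the AVC record for `kernel_t:system module_request` without granting it, so a confined domain's attempt to autoload a kernel module still fails in enforcing mode but no longer shows up in the audit log, and the interface doc says nothing about that trade-off. Module autoload triggered from a confined process is exactly the kind of event an analyst may want to see, so the summary block should carry a `<desc>` paragraph along the lines of `## <p>Only the audit message is suppressed; the request is still denied unless kernel_request_load_module() is also granted. Use this only for domains whose module requests are expected and harmless (e.g. AF_INET6 sockets with IPv6 disabled), since it hides evidence of a domain asking the kernel to load code.</p>`. The third hunk's `kernel_rw_unlabeled_files` grants `rw_file_perms` on every file the kernel could not label, which in my understanding includes files carrying types the loaded policy does not know, and its doc would benefit from a similar one-line warning that callers should prefer relabeling over this access.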
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel, 1.12.0)
|
||||
policy_module(kernel, 1.12.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|