Kernel patch from Dan Walsh.

Add ability to dontaudit requests to load kernel modules.  If you
disable ipv6, every confined app that does IP tries to get the kernel to
load the module.

Better handling of unlabeled files by the kernel interfaces
Chris PeBenito 2010-06-07 11:08:35 -04:00
parent fb7caddb4f
commit 60f04fcb7a
2 changed files with 54 additions and 1 deletions


@ -532,6 +532,24 @@ interface(`kernel_request_load_module',`
allow $1 kernel_t:system module_request; allow $1 kernel_t:system module_request;
') ')
########################################
## <summary>
## Do not audit requests to the kernel to load a module.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_request_load_module',`
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:system module_request;
')
######################################## ########################################
## <summary> ## <summary>
## Get information on all System V IPC objects. ## Get information on all System V IPC objects.
@ -2046,6 +2064,23 @@ interface(`kernel_mount_unlabeled',`
allow $1 unlabeled_t:filesystem mount; allow $1 unlabeled_t:filesystem mount;
') ')
########################################
## <summary>
## Unmount a kernel unlabeled filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_unmount_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:filesystem unmount;
')
######################################## ########################################
## <summary> ## <summary>
@ -2193,6 +2228,24 @@ interface(`kernel_rw_unlabeled_dirs',`
allow $1 unlabeled_t:dir rw_dir_perms; allow $1 unlabeled_t:dir rw_dir_perms;
') ')
########################################
## <summary>
## Read and write unlabeled files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_rw_unlabeled_files',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts by caller to get the ## Do not audit attempts by caller to get the
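Review bot: The new `kernel_dontaudit_request_load_module` interface in the first hunk silences every `module_request` denial raised by the caller against `kernel_t`, not just the ipv6 autoload noise the commit message describes, so a domain that trips autoload for some other module will no longer leave an audit trail of having tried. The rule is correct as written (dontaudit does not grant anything), but the summary should state that trade-off so callers do not reach for it as a blanket fix; I would add to the summary block: `## This suppresses all module load requests from the domain, not only the ipv6 case; use it only where such requests are known to be benign noise.` The `kernel_rw_unlabeled_files` interface in the third hunk would similarly benefit from a note that `unlabeled_t` is a catch-all type, so granting rw_file_perms on it is presumably broader than a single file class and should be paired with relabeling where possible, though that is inferred from the type name rather than shown here.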


@ -1,5 +1,5 @@
policy_module(kernel, 1.12.0) policy_module(kernel, 1.12.1)
######################################## ########################################
# #