add readahead
This commit is contained in:
Chris PeBenito
parent
0e8ec4339e
commit
6f11d6b894
|
|
@ -7,6 +7,7 @@
|
|||
ddcprobe
|
||||
fetchmail
|
||||
openct
|
||||
readahead
|
||||
smartmon
|
||||
sysstat
|
||||
vbetool (Dan Walsh)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,4 @@
|
|||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
||||
|
|
@ -0,0 +1 @@
|
|||
## <summary>Readahead, read files into page cache for improved performance</summary>
|
||||
|
|
@ -0,0 +1,72 @@
|
|||
|
||||
policy_module(readahead,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type readahead_t;
|
||||
type readahead_exec_t;
|
||||
init_daemon_domain(readahead_t,readahead_exec_t)
|
||||
|
||||
type readahead_var_run_t;
|
||||
files_pid_file(readahead_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
dontaudit readahead_t self:capability sys_tty_config;
|
||||
allow readahead_t self:process signal_perms;
|
||||
|
||||
allow readahead_t readahead_var_run_t:file create_file_perms;
|
||||
allow readahead_t readahead_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(readahead_t,readahead_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(readahead_t)
|
||||
kernel_read_system_state(readahead_t)
|
||||
|
||||
dev_read_sysfs(readahead_t)
|
||||
dev_getattr_generic_chr_file(readahead_t)
|
||||
dev_getattr_generic_blk_file(readahead_t)
|
||||
dev_getattr_all_chr_files(readahead_t)
|
||||
dev_getattr_all_blk_files(readahead_t)
|
||||
dev_dontaudit_read_all_blk_files(readahead_t)
|
||||
|
||||
domain_use_wide_inherit_fd(readahead_t)
|
||||
|
||||
files_dontaudit_getattr_all_sockets(readahead_t)
|
||||
files_list_non_security(readahead_t)
|
||||
files_read_non_security_files(readahead_t)
|
||||
|
||||
fs_getattr_all_fs(readahead_t)
|
||||
fs_search_auto_mountpoints(readahead_t)
|
||||
|
||||
term_dontaudit_use_console(readahead_t)
|
||||
|
||||
auth_dontaudit_read_shadow(readahead_t)
|
||||
|
||||
init_use_fd(readahead_t)
|
||||
init_use_script_pty(readahead_t)
|
||||
|
||||
libs_use_ld_so(readahead_t)
|
||||
libs_use_shared_libs(readahead_t)
|
||||
|
||||
logging_send_syslog_msg(readahead_t)
|
||||
|
||||
miscfiles_read_localization(readahead_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(readahead_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(readahead_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_file(readahead_t)
|
||||
term_dontaudit_use_unallocated_tty(readahead_t)
|
||||
term_dontaudit_use_generic_pty(readahead_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil',`
|
||||
seutil_sigchld_newrole(readahead_t)
|
||||
')
|
||||
|
|
@ -308,10 +308,26 @@ interface(`files_list_all',`
|
|||
allow $1 file_type:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List all non-security directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_non_security',`
|
||||
gen_require(`
|
||||
attribute file_type, security_file_type;
|
||||
')
|
||||
|
||||
dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to list all
|
||||
## non security directories.
|
||||
## non-security directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
|
|
@ -420,6 +436,24 @@ interface(`files_read_all_files',`
|
|||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all non-security files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_non_security_files',`
|
||||
gen_require(`
|
||||
attribute file_type, security_file_type;
|
||||
')
|
||||
|
||||
allow $1 { file_type -security_file_type }:dir search_dir_perms;
|
||||
allow $1 { file_type -security_file_type }:file r_file_perms;
|
||||
allow $1 { file_type -security_file_type }:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all directories on the filesystem, except
|
||||
|
|
@ -466,7 +500,7 @@ interface(`files_read_all_files_except',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all symbloic links on the filesystem, except
|
||||
## Read all symbolic links on the filesystem, except
|
||||
## the listed exceptions.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ type pam_var_run_t;
|
|||
files_pid_file(pam_var_run_t)
|
||||
|
||||
type shadow_t;
|
||||
files_type(shadow_t)
|
||||
files_security_file(shadow_t)
|
||||
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
||||
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
||||
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
||||
|
|
|
|||
Loading…
Reference in New Issue