add readahead
This commit is contained in:
parent
0e8ec4339e
commit
6f11d6b894
|
@ -7,6 +7,7 @@
|
||||||
ddcprobe
|
ddcprobe
|
||||||
fetchmail
|
fetchmail
|
||||||
openct
|
openct
|
||||||
|
readahead
|
||||||
smartmon
|
smartmon
|
||||||
sysstat
|
sysstat
|
||||||
vbetool (Dan Walsh)
|
vbetool (Dan Walsh)
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
#
|
||||||
|
# /usr
|
||||||
|
#
|
||||||
|
/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
|
@ -0,0 +1 @@
|
||||||
|
## <summary>Readahead, read files into page cache for improved performance</summary>
|
|
@ -0,0 +1,72 @@
|
||||||
|
|
||||||
|
policy_module(readahead,1.0.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type readahead_t;
|
||||||
|
type readahead_exec_t;
|
||||||
|
init_daemon_domain(readahead_t,readahead_exec_t)
|
||||||
|
|
||||||
|
type readahead_var_run_t;
|
||||||
|
files_pid_file(readahead_var_run_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
dontaudit readahead_t self:capability sys_tty_config;
|
||||||
|
allow readahead_t self:process signal_perms;
|
||||||
|
|
||||||
|
allow readahead_t readahead_var_run_t:file create_file_perms;
|
||||||
|
allow readahead_t readahead_var_run_t:dir rw_dir_perms;
|
||||||
|
files_create_pid(readahead_t,readahead_var_run_t)
|
||||||
|
|
||||||
|
kernel_read_kernel_sysctl(readahead_t)
|
||||||
|
kernel_read_system_state(readahead_t)
|
||||||
|
|
||||||
|
dev_read_sysfs(readahead_t)
|
||||||
|
dev_getattr_generic_chr_file(readahead_t)
|
||||||
|
dev_getattr_generic_blk_file(readahead_t)
|
||||||
|
dev_getattr_all_chr_files(readahead_t)
|
||||||
|
dev_getattr_all_blk_files(readahead_t)
|
||||||
|
dev_dontaudit_read_all_blk_files(readahead_t)
|
||||||
|
|
||||||
|
domain_use_wide_inherit_fd(readahead_t)
|
||||||
|
|
||||||
|
files_dontaudit_getattr_all_sockets(readahead_t)
|
||||||
|
files_list_non_security(readahead_t)
|
||||||
|
files_read_non_security_files(readahead_t)
|
||||||
|
|
||||||
|
fs_getattr_all_fs(readahead_t)
|
||||||
|
fs_search_auto_mountpoints(readahead_t)
|
||||||
|
|
||||||
|
term_dontaudit_use_console(readahead_t)
|
||||||
|
|
||||||
|
auth_dontaudit_read_shadow(readahead_t)
|
||||||
|
|
||||||
|
init_use_fd(readahead_t)
|
||||||
|
init_use_script_pty(readahead_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(readahead_t)
|
||||||
|
libs_use_shared_libs(readahead_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(readahead_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(readahead_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_use_unpriv_user_fd(readahead_t)
|
||||||
|
userdom_dontaudit_search_sysadm_home_dir(readahead_t)
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
files_dontaudit_read_root_file(readahead_t)
|
||||||
|
term_dontaudit_use_unallocated_tty(readahead_t)
|
||||||
|
term_dontaudit_use_generic_pty(readahead_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`selinuxutil',`
|
||||||
|
seutil_sigchld_newrole(readahead_t)
|
||||||
|
')
|
|
@ -308,10 +308,26 @@ interface(`files_list_all',`
|
||||||
allow $1 file_type:dir r_dir_perms;
|
allow $1 file_type:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## List all non-security directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_list_non_security',`
|
||||||
|
gen_require(`
|
||||||
|
attribute file_type, security_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to list all
|
## Do not audit attempts to list all
|
||||||
## non security directories.
|
## non-security directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Domain to not audit.
|
## Domain to not audit.
|
||||||
|
@ -420,6 +436,24 @@ interface(`files_read_all_files',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read all non-security files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_read_non_security_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute file_type, security_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 { file_type -security_file_type }:dir search_dir_perms;
|
||||||
|
allow $1 { file_type -security_file_type }:file r_file_perms;
|
||||||
|
allow $1 { file_type -security_file_type }:lnk_file { getattr read };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read all directories on the filesystem, except
|
## Read all directories on the filesystem, except
|
||||||
|
@ -466,7 +500,7 @@ interface(`files_read_all_files_except',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read all symbloic links on the filesystem, except
|
## Read all symbolic links on the filesystem, except
|
||||||
## the listed exceptions.
|
## the listed exceptions.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
|
|
|
@ -48,7 +48,7 @@ type pam_var_run_t;
|
||||||
files_pid_file(pam_var_run_t)
|
files_pid_file(pam_var_run_t)
|
||||||
|
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
files_type(shadow_t)
|
files_security_file(shadow_t)
|
||||||
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
||||||
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
||||||
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
||||||
|
|
Loading…
Reference in New Issue