fixes to make base module compilable
This commit is contained in:
parent
2e863f8ad0
commit
712566ee41
@ -156,7 +156,7 @@ M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
|
|||||||
APPDIR := $(CONTEXTPATH)
|
APPDIR := $(CONTEXTPATH)
|
||||||
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media $(INSTALLDIR)/booleans
|
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media $(INSTALLDIR)/booleans
|
||||||
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
|
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
|
||||||
USER_FILES := $(POLDIR)/users
|
USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
|
||||||
|
|
||||||
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
|
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
|
||||||
|
|
||||||
@ -178,6 +178,8 @@ MODMOD := module
|
|||||||
BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
|
BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
|
||||||
MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
|
MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
|
||||||
|
|
||||||
|
HOMEDIR_TEMPLATE = tmp/homedir_template
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Load appropriate rules
|
# Load appropriate rules
|
||||||
|
@ -13,7 +13,7 @@ BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_in
|
|||||||
|
|
||||||
BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
|
BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
|
||||||
BASE_TE_FILES := $(BASE_MODS)
|
BASE_TE_FILES := $(BASE_MODS)
|
||||||
BASE_POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
|
BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
|
||||||
BASE_FC_FILES := $(BASE_MODS:.te=.fc)
|
BASE_FC_FILES := $(BASE_MODS:.te=.fc)
|
||||||
|
|
||||||
MOD_MODULES := $(MOD_MODS:.te=.mod)
|
MOD_MODULES := $(MOD_MODS:.te=.mod)
|
||||||
@ -118,7 +118,7 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
|
|||||||
#
|
#
|
||||||
# Construct base module file contexts
|
# Construct base module file contexts
|
||||||
#
|
#
|
||||||
$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
|
$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
|
||||||
ifeq ($(BASE_FC_FILES),)
|
ifeq ($(BASE_FC_FILES),)
|
||||||
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
|
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
|
||||||
endif
|
endif
|
||||||
@ -150,5 +150,6 @@ clean:
|
|||||||
rm -fR tmp
|
rm -fR tmp
|
||||||
rm -f base.conf
|
rm -f base.conf
|
||||||
rm -f *.pp
|
rm -f *.pp
|
||||||
|
rm -f $(BASE_FC)
|
||||||
|
|
||||||
.PHONY: default base modules clean
|
.PHONY: default base modules clean
|
||||||
|
@ -19,12 +19,10 @@ ALL_TE_FILES := $(ALL_MODULES)
|
|||||||
ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
|
ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
|
||||||
|
|
||||||
PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
|
PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
|
||||||
POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
|
POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
|
||||||
|
|
||||||
POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
|
POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
|
||||||
|
|
||||||
HOMEDIR_TEMPLATE = tmp/homedir_template
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# default action: build policy locally
|
# default action: build policy locally
|
||||||
|
@ -569,7 +569,7 @@ interface(`kernel_dontaudit_search_network_state',`
|
|||||||
class dir search;
|
class dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 proc_net_t:dir search;
|
dontaudit $1 proc_net_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1306,3 +1306,230 @@ interface(`kernel_unconfined',`
|
|||||||
|
|
||||||
kernel_rw_all_sysctl($1)
|
kernel_rw_all_sysctl($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
#
|
||||||
|
# Reversed interfaces
|
||||||
|
#
|
||||||
|
# The following are reversed interfaces, meaning the point of view of the caller
|
||||||
|
# of the interface is the object (target) type, rather than the subject (source)
|
||||||
|
# type, like all other interfaces in the policy. These interfaces are here to
|
||||||
|
# decouple policy from the base module, and should not be used anywhere else.
|
||||||
|
#
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the kernel to send a SIGCHLD
|
||||||
|
## signal to the specified domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain receiving the SIGCHLD.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_sigchld_from',`
|
||||||
|
gen_require(`
|
||||||
|
type kernel_t;
|
||||||
|
class process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow kernel_t $1:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow unlabeled processes to send a SIGCHLD
|
||||||
|
## signal to the specified domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain receiving the SIGCHLD.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_sigchld_from_unlabeled',`
|
||||||
|
gen_require(`
|
||||||
|
type unlabeled_t;
|
||||||
|
class process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow unlabeled_t $1:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the kernel to search the
|
||||||
|
## specified directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="dir_type">
|
||||||
|
## Directory type to search.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_search_from',`
|
||||||
|
gen_require(`
|
||||||
|
type kernel_t;
|
||||||
|
class dir search;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow kernel_t $1:dir search;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the kernel to read the contents
|
||||||
|
## of the specified directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="dir_type">
|
||||||
|
## Directory type to list.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_list_from',`
|
||||||
|
gen_require(`
|
||||||
|
type kernel_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow kernel_t $1:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the kernel to read the
|
||||||
|
## specified file.
|
||||||
|
## </summary>
|
||||||
|
## <param name="dir_type">
|
||||||
|
## Directory type to list.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_read_file_from',`
|
||||||
|
gen_require(`
|
||||||
|
type kernel_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow kernel_t $1:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the kernel to search the
|
||||||
|
## specified directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="dir_type">
|
||||||
|
## Directory type to search.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_search_from',`
|
||||||
|
gen_require(`
|
||||||
|
type kernel_t;
|
||||||
|
class dir search;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow kernel_t $1:dir search;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Use the specified types for /lib directory
|
||||||
|
## and use the dynamic link/loader for automatic loading
|
||||||
|
## of shared libraries, and the link/loader
|
||||||
|
## cache.
|
||||||
|
## </summary>
|
||||||
|
## <param name="lib_type">
|
||||||
|
## The type of the lib directories.
|
||||||
|
## </param>
|
||||||
|
## <param name="ld_type">
|
||||||
|
## The type of the dynamic link/loader.
|
||||||
|
## </param>
|
||||||
|
## <param name="cache_type">
|
||||||
|
## The type of the dynamic link/loader cache.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_use_ld_so_from',`
|
||||||
|
gen_require(`
|
||||||
|
type kernel_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
class file rx_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_list_etc(kernel_t)
|
||||||
|
allow kernel_t $1:dir r_dir_perms;
|
||||||
|
allow kernel_t $1:lnk_file r_file_perms;
|
||||||
|
allow kernel_t $2:lnk_file r_file_perms;
|
||||||
|
allow kernel_t $2:file rx_file_perms;
|
||||||
|
allow kernel_t $3:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the kernel to load and execute
|
||||||
|
## functions from the specified shared libraries.
|
||||||
|
## </summary>
|
||||||
|
## <param name="lib_dir_type">
|
||||||
|
## The type of the lib directories.
|
||||||
|
## </param>
|
||||||
|
## <param name="shlib_type">
|
||||||
|
## Shared library type.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_use_shared_libs_from',`
|
||||||
|
gen_require(`
|
||||||
|
type kernel_t;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
class file rx_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow kernel_t $1:dir r_dir_perms;
|
||||||
|
allow kernel_t $1:lnk_file r_file_perms;
|
||||||
|
allow kernel_t $2:lnk_file r_file_perms;
|
||||||
|
allow kernel_t $2:file rx_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the kernel to send a syslog
|
||||||
|
## message to the specified domain,
|
||||||
|
## connecting over the specified named
|
||||||
|
## socket.
|
||||||
|
## </summary>
|
||||||
|
## <param name="socket">
|
||||||
|
## The type of the named socket file.
|
||||||
|
## </param>
|
||||||
|
## <param name="syslog_type">
|
||||||
|
## The domain of the syslog daemon.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_send_syslog_msg_from',`
|
||||||
|
gen_require(`
|
||||||
|
type syslogd_t, devlog_t;
|
||||||
|
class lnk_file read;
|
||||||
|
class sock_file rw_file_perms;
|
||||||
|
class unix_dgram_socket sendto;
|
||||||
|
class unix_stream_socket connectto;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow kernel_t $1:lnk_file read;
|
||||||
|
allow kernel_t $1:sock_file rw_file_perms;
|
||||||
|
|
||||||
|
# the type of socket depends on the syslog daemon
|
||||||
|
allow kernel_t $2:unix_dgram_socket sendto;
|
||||||
|
allow kernel_t $2:unix_stream_socket connectto;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the kernel to send UDP network traffic
|
||||||
|
## the specified domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the receiving domain.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_udp_sendfrom',`
|
||||||
|
gen_require(`
|
||||||
|
type portmap_t;
|
||||||
|
class udp_socket { sendto recvfrom };
|
||||||
|
')
|
||||||
|
|
||||||
|
allow kernel_t $1:udp_socket sendto;
|
||||||
|
allow $1 kernel_t:udp_socket recvfrom;
|
||||||
|
')
|
||||||
|
@ -10,6 +10,8 @@ policy_module(kernel,1.0)
|
|||||||
attribute can_load_kernmodule;
|
attribute can_load_kernmodule;
|
||||||
attribute can_receive_kernel_messages;
|
attribute can_receive_kernel_messages;
|
||||||
|
|
||||||
|
neverallow ~can_load_kernmodule self:capability sys_module;
|
||||||
|
|
||||||
# domains with unconfined access to kernel resources
|
# domains with unconfined access to kernel resources
|
||||||
attribute kern_unconfined;
|
attribute kern_unconfined;
|
||||||
|
|
||||||
@ -190,32 +192,15 @@ corecmd_exec_bin(kernel_t)
|
|||||||
domain_signal_all_domains(kernel_t)
|
domain_signal_all_domains(kernel_t)
|
||||||
|
|
||||||
files_list_root(kernel_t)
|
files_list_root(kernel_t)
|
||||||
|
files_list_etc(kernel_t)
|
||||||
files_list_home(kernel_t)
|
files_list_home(kernel_t)
|
||||||
files_read_usr_files(kernel_t)
|
files_read_usr_files(kernel_t)
|
||||||
|
|
||||||
init_sigchld(kernel_t)
|
|
||||||
|
|
||||||
libs_use_ld_so(kernel_t)
|
|
||||||
libs_use_shared_libs(kernel_t)
|
|
||||||
|
|
||||||
logging_send_syslog_msg(kernel_t)
|
|
||||||
|
|
||||||
seutil_read_config(kernel_t)
|
|
||||||
seutil_read_binary_pol(kernel_t)
|
|
||||||
|
|
||||||
neverallow ~can_load_kernmodule self:capability sys_module;
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Unlabeled process local policy
|
# Unlabeled process local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
# If you load a new policy that removes active domains, processes can
|
|
||||||
# get stuck if you do not allow unlabeled processes to signal init.
|
|
||||||
# If you load an incompatible policy, you should probably reboot,
|
|
||||||
# since you may have compromised system security.
|
|
||||||
init_sigchld(unlabeled_t)
|
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
allow unlabeled_t self:filesystem associate;
|
allow unlabeled_t self:filesystem associate;
|
||||||
')
|
')
|
||||||
|
@ -44,6 +44,7 @@ files_create_pid(portmap_t,portmap_var_run_t)
|
|||||||
kernel_read_kernel_sysctl(portmap_t)
|
kernel_read_kernel_sysctl(portmap_t)
|
||||||
kernel_list_proc(portmap_t)
|
kernel_list_proc(portmap_t)
|
||||||
kernel_read_proc_symlinks(portmap_t)
|
kernel_read_proc_symlinks(portmap_t)
|
||||||
|
kernel_udp_sendfrom(portmap_t)
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if(portmap_t)
|
corenet_tcp_sendrecv_all_if(portmap_t)
|
||||||
corenet_udp_sendrecv_all_if(portmap_t)
|
corenet_udp_sendrecv_all_if(portmap_t)
|
||||||
|
@ -13,6 +13,7 @@ init_system_domain(hotplug_t,hotplug_exec_t)
|
|||||||
|
|
||||||
type hotplug_etc_t; #, usercanread;
|
type hotplug_etc_t; #, usercanread;
|
||||||
files_type(hotplug_etc_t)
|
files_type(hotplug_etc_t)
|
||||||
|
kernel_search_from(hotplug_etc_t)
|
||||||
|
|
||||||
type hotplug_var_run_t;
|
type hotplug_var_run_t;
|
||||||
files_pid_file(hotplug_var_run_t)
|
files_pid_file(hotplug_var_run_t)
|
||||||
@ -184,8 +185,6 @@ optional_policy(`rhgb.te',`
|
|||||||
rhgb_domain(hotplug_t)
|
rhgb_domain(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
allow kernel_t hotplug_etc_t:dir search;
|
|
||||||
|
|
||||||
# for ps
|
# for ps
|
||||||
dontaudit hotplug_t domain:dir { getattr search };
|
dontaudit hotplug_t domain:dir { getattr search };
|
||||||
dontaudit hotplug_t { init_t kernel_t }:file read;
|
dontaudit hotplug_t { init_t kernel_t }:file read;
|
||||||
|
@ -95,6 +95,12 @@ domain_auto_trans(init_t,initrc_exec_t,initrc_t)
|
|||||||
|
|
||||||
kernel_read_system_state(init_t)
|
kernel_read_system_state(init_t)
|
||||||
kernel_share_state(init_t)
|
kernel_share_state(init_t)
|
||||||
|
kernel_sigchld_from(init_t)
|
||||||
|
# If you load a new policy that removes active domains, processes can
|
||||||
|
# get stuck if you do not allow unlabeled processes to signal init.
|
||||||
|
# If you load an incompatible policy, you should probably reboot,
|
||||||
|
# since you may have compromised system security.
|
||||||
|
kernel_sigchld_from_unlabeled(init_t)
|
||||||
|
|
||||||
dev_read_sysfs(init_t)
|
dev_read_sysfs(init_t)
|
||||||
|
|
||||||
|
@ -38,6 +38,9 @@ files_type(shlib_t)
|
|||||||
type texrel_shlib_t;
|
type texrel_shlib_t;
|
||||||
files_type(texrel_shlib_t)
|
files_type(texrel_shlib_t)
|
||||||
|
|
||||||
|
kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
|
||||||
|
kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# ldconfig local policy
|
# ldconfig local policy
|
||||||
|
@ -190,6 +190,7 @@ files_create_pid(syslogd_t,syslogd_var_run_t)
|
|||||||
|
|
||||||
kernel_read_kernel_sysctl(syslogd_t)
|
kernel_read_kernel_sysctl(syslogd_t)
|
||||||
kernel_read_proc_symlinks(syslogd_t)
|
kernel_read_proc_symlinks(syslogd_t)
|
||||||
|
kernel_send_syslog_msg_from(devlog_t,syslogd_t)
|
||||||
|
|
||||||
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
|
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
|
||||||
dev_read_sysfs(syslogd_t)
|
dev_read_sysfs(syslogd_t)
|
||||||
|
@ -52,6 +52,8 @@ domain_entry_file(newrole_t,newrole_exec_t)
|
|||||||
#
|
#
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
files_type(policy_config_t)
|
files_type(policy_config_t)
|
||||||
|
kernel_list_from(policy_config_t)
|
||||||
|
kernel_read_file_from(policy_config_t)
|
||||||
|
|
||||||
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
||||||
neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||||
@ -81,6 +83,8 @@ domain_entry_file(run_init_t,run_init_exec_t)
|
|||||||
#
|
#
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
files_type(selinux_config_t)
|
files_type(selinux_config_t)
|
||||||
|
kernel_list_from(selinux_config_t)
|
||||||
|
kernel_read_file_from(selinux_config_t)
|
||||||
|
|
||||||
type setfiles_t, can_relabelto_binary_policy;
|
type setfiles_t, can_relabelto_binary_policy;
|
||||||
domain_obj_id_change_exempt(setfiles_t)
|
domain_obj_id_change_exempt(setfiles_t)
|
||||||
|
@ -11,6 +11,14 @@
|
|||||||
#
|
#
|
||||||
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
|
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# gen_user(username, role_set, mls_defaultlevel, mls_range)
|
||||||
|
#
|
||||||
|
define(`gen_user',`
|
||||||
|
user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# gen_con(context,sensitivity)
|
# gen_con(context,sensitivity)
|
||||||
|
22
refpolicy/policy/systemuser
Normal file
22
refpolicy/policy/systemuser
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
##################################
|
||||||
|
#
|
||||||
|
# System User configuration.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# gen_user(username, role_set, mls_defaultlevel, mls_range)
|
||||||
|
#
|
||||||
|
define(`gen_user',`
|
||||||
|
user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
|
||||||
|
')
|
||||||
|
|
||||||
|
#
|
||||||
|
# system_u is the user identity for system processes and objects.
|
||||||
|
# There should be no corresponding Unix user identity for system,
|
||||||
|
# and a user process should never be assigned the system user
|
||||||
|
# identity.
|
||||||
|
#
|
||||||
|
gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
|
||||||
|
|
||||||
|
# Normal users should not be added to this file,
|
||||||
|
# but instead added to the users file.
|
@ -5,19 +5,8 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# gen_user(username, role_set, defaultlevel, range)
|
# gen_user(username, role_set, mls_defaultlevel, mls_range)
|
||||||
#
|
#
|
||||||
define(`gen_user',`
|
|
||||||
user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
|
|
||||||
')
|
|
||||||
|
|
||||||
#
|
|
||||||
# system_u is the user identity for system processes and objects.
|
|
||||||
# There should be no corresponding Unix user identity for system,
|
|
||||||
# and a user process should never be assigned the system user
|
|
||||||
# identity.
|
|
||||||
#
|
|
||||||
gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# user_u is a generic user identity for Linux users who have no
|
# user_u is a generic user identity for Linux users who have no
|
||||||
|
Loading…
Reference in New Issue
Block a user