Add rtas policy
parent
207905d08a
commit
71bb644a3b
@ -9193,7 +9193,7 @@ index cf04cb5..c8fc903 100644
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
|
||||
index c2c6e05..be423a7 100644
|
||||
index c2c6e05..d14e35b 100644
|
||||
--- a/policy/modules/kernel/files.fc
|
||||
+++ b/policy/modules/kernel/files.fc
|
||||
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
|
||||
@ -9390,7 +9390,7 @@ index c2c6e05..be423a7 100644
|
||||
/var/.* gen_context(system_u:object_r:var_t,s0)
|
||||
/var/\.journal <<none>>
|
||||
|
||||
@@ -237,11 +243,22 @@ ifndef(`distro_redhat',`
|
||||
@@ -237,11 +243,24 @@ ifndef(`distro_redhat',`
|
||||
|
||||
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
|
||||
@ -9408,13 +9408,15 @@ index c2c6e05..be423a7 100644
|
||||
+/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
+/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
+
|
||||
+/var/lib/servicelog/servicelog.db -- gen_context(system_u:object_r:system_db_t,s0)
|
||||
+
|
||||
+/var/lock -d gen_context(system_u:object_r:var_lock_t,s0)
|
||||
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
|
||||
+/var/lock/.* <<none>>
|
||||
|
||||
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/var/log/lost\+found/.* <<none>>
|
||||
@@ -256,12 +273,14 @@ ifndef(`distro_redhat',`
|
||||
@@ -256,12 +275,14 @@ ifndef(`distro_redhat',`
|
||||
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/run/.*\.*pid <<none>>
|
||||
@ -9429,14 +9431,14 @@ index c2c6e05..be423a7 100644
|
||||
/var/tmp/.* <<none>>
|
||||
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/var/tmp/lost\+found/.* <<none>>
|
||||
@@ -270,3 +289,5 @@ ifndef(`distro_redhat',`
|
||||
@@ -270,3 +291,5 @@ ifndef(`distro_redhat',`
|
||||
ifdef(`distro_debian',`
|
||||
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
')
|
||||
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
||||
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||
index 64ff4d7..27c051d 100644
|
||||
index 64ff4d7..4adeb32 100644
|
||||
--- a/policy/modules/kernel/files.if
|
||||
+++ b/policy/modules/kernel/files.if
|
||||
@@ -19,6 +19,136 @@
|
||||
@ -10440,7 +10442,7 @@ index 64ff4d7..27c051d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4199,14 +4748,141 @@ interface(`files_read_world_readable_sockets',`
|
||||
@@ -4199,14 +4748,178 @@ interface(`files_read_world_readable_sockets',`
|
||||
allow $1 readable_t:sock_file read_sock_file_perms;
|
||||
')
|
||||
|
||||
@ -10577,6 +10579,43 @@ index 64ff4d7..27c051d 100644
|
||||
+ filetrans_pattern($1, etc_t, system_conf_t, file)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Manage manageable system db files in /var/lib.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_manage_system_db_files',`
|
||||
+ gen_require(`
|
||||
+ type var_lib_t, system_db_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
|
||||
+ files_filetrans_system_db_named_files($1)
|
||||
+')
|
||||
+
|
||||
+#####################################
|
||||
+## <summary>
|
||||
+## File name transition for system db files in /var/lib.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_filetrans_system_db_named_files',`
|
||||
+ gen_require(`
|
||||
+ type var_lib_t, system_db_t;
|
||||
+ ')
|
||||
+
|
||||
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow the specified type to associate
|
||||
@ -10588,7 +10627,7 @@ index 64ff4d7..27c051d 100644
|
||||
## Type of the file to associate.
|
||||
## </summary>
|
||||
## </param>
|
||||
@@ -4221,6 +4897,26 @@ interface(`files_associate_tmp',`
|
||||
@@ -4221,6 +4934,26 @@ interface(`files_associate_tmp',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -10615,7 +10654,7 @@ index 64ff4d7..27c051d 100644
|
||||
## Get the attributes of the tmp directory (/tmp).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4234,17 +4930,37 @@ interface(`files_getattr_tmp_dirs',`
|
||||
@@ -4234,17 +4967,37 @@ interface(`files_getattr_tmp_dirs',`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
@ -10654,7 +10693,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -4271,6 +4987,7 @@ interface(`files_search_tmp',`
|
||||
@@ -4271,6 +5024,7 @@ interface(`files_search_tmp',`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
@ -10662,7 +10701,7 @@ index 64ff4d7..27c051d 100644
|
||||
allow $1 tmp_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
@@ -4307,6 +5024,7 @@ interface(`files_list_tmp',`
|
||||
@@ -4307,6 +5061,7 @@ interface(`files_list_tmp',`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
@ -10670,7 +10709,7 @@ index 64ff4d7..27c051d 100644
|
||||
allow $1 tmp_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
@@ -4316,7 +5034,7 @@ interface(`files_list_tmp',`
|
||||
@@ -4316,7 +5071,7 @@ interface(`files_list_tmp',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -10679,7 +10718,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -4328,6 +5046,25 @@ interface(`files_dontaudit_list_tmp',`
|
||||
@@ -4328,6 +5083,25 @@ interface(`files_dontaudit_list_tmp',`
|
||||
dontaudit $1 tmp_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
@ -10705,7 +10744,7 @@ index 64ff4d7..27c051d 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Remove entries from the tmp directory.
|
||||
@@ -4343,6 +5080,7 @@ interface(`files_delete_tmp_dir_entry',`
|
||||
@@ -4343,6 +5117,7 @@ interface(`files_delete_tmp_dir_entry',`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
@ -10713,7 +10752,7 @@ index 64ff4d7..27c051d 100644
|
||||
allow $1 tmp_t:dir del_entry_dir_perms;
|
||||
')
|
||||
|
||||
@@ -4384,6 +5122,32 @@ interface(`files_manage_generic_tmp_dirs',`
|
||||
@@ -4384,6 +5159,32 @@ interface(`files_manage_generic_tmp_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -10746,7 +10785,7 @@ index 64ff4d7..27c051d 100644
|
||||
## Manage temporary files and directories in /tmp.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4438,6 +5202,42 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
@@ -4438,6 +5239,42 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -10789,7 +10828,7 @@ index 64ff4d7..27c051d 100644
|
||||
## Set the attributes of all tmp directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4456,6 +5256,60 @@ interface(`files_setattr_all_tmp_dirs',`
|
||||
@@ -4456,6 +5293,60 @@ interface(`files_setattr_all_tmp_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -10850,7 +10889,7 @@ index 64ff4d7..27c051d 100644
|
||||
## List all tmp directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4501,7 +5355,7 @@ interface(`files_relabel_all_tmp_dirs',`
|
||||
@@ -4501,7 +5392,7 @@ interface(`files_relabel_all_tmp_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -10859,7 +10898,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -4561,7 +5415,7 @@ interface(`files_relabel_all_tmp_files',`
|
||||
@@ -4561,7 +5452,7 @@ interface(`files_relabel_all_tmp_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -10868,7 +10907,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -4593,6 +5447,44 @@ interface(`files_read_all_tmp_files',`
|
||||
@@ -4593,6 +5484,44 @@ interface(`files_read_all_tmp_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -10913,7 +10952,7 @@ index 64ff4d7..27c051d 100644
|
||||
## Create an object in the tmp directories, with a private
|
||||
## type using a type transition.
|
||||
## </summary>
|
||||
@@ -4646,6 +5538,16 @@ interface(`files_purge_tmp',`
|
||||
@@ -4646,6 +5575,16 @@ interface(`files_purge_tmp',`
|
||||
delete_lnk_files_pattern($1, tmpfile, tmpfile)
|
||||
delete_fifo_files_pattern($1, tmpfile, tmpfile)
|
||||
delete_sock_files_pattern($1, tmpfile, tmpfile)
|
||||
@ -10930,14 +10969,17 @@ index 64ff4d7..27c051d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5223,6 +6125,24 @@ interface(`files_list_var',`
|
||||
@@ -5223,12 +6162,30 @@ interface(`files_list_var',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete directories
|
||||
-## in the /var directory.
|
||||
+## Do not audit listing of the var directory (/var).
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain allowed access.
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
@ -10952,30 +10994,30 @@ index 64ff4d7..27c051d 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Create, read, write, and delete directories
|
||||
## in the /var directory.
|
||||
## </summary>
|
||||
@@ -5578,13 +6498,10 @@ interface(`files_read_var_lib_symlinks',`
|
||||
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
|
||||
')
|
||||
|
||||
-# cjp: the next two interfaces really need to be fixed
|
||||
-# in some way. They really neeed their own types.
|
||||
-
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete the
|
||||
-## pseudorandom number generator seed.
|
||||
+## manage generic symbolic links
|
||||
+## in the /var/lib directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5592,7 +6509,29 @@ interface(`files_read_var_lib_symlinks',`
|
||||
+## Create, read, write, and delete directories
|
||||
+## in the /var directory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`files_manage_urandom_seed',`
|
||||
@@ -5578,6 +6535,25 @@ interface(`files_read_var_lib_symlinks',`
|
||||
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
|
||||
')
|
||||
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## manage generic symbolic links
|
||||
+## in the /var/lib directory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_manage_var_lib_symlinks',`
|
||||
+ gen_require(`
|
||||
+ type var_lib_t;
|
||||
@ -10984,25 +11026,10 @@ index 64ff4d7..27c051d 100644
|
||||
+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
|
||||
+')
|
||||
+
|
||||
+# cjp: the next two interfaces really need to be fixed
|
||||
+# in some way. They really neeed their own types.
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete the
|
||||
+## pseudorandom number generator seed.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_manage_urandom_seed',`
|
||||
gen_require(`
|
||||
type var_t, var_lib_t;
|
||||
')
|
||||
@@ -5623,7 +6562,7 @@ interface(`files_manage_mounttab',`
|
||||
# cjp: the next two interfaces really need to be fixed
|
||||
# in some way. They really neeed their own types.
|
||||
|
||||
@@ -5623,7 +6599,7 @@ interface(`files_manage_mounttab',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11011,7 +11038,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5631,12 +6570,13 @@ interface(`files_manage_mounttab',`
|
||||
@@ -5631,12 +6607,13 @@ interface(`files_manage_mounttab',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -11027,7 +11054,7 @@ index 64ff4d7..27c051d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5654,6 +6594,7 @@ interface(`files_search_locks',`
|
||||
@@ -5654,6 +6631,7 @@ interface(`files_search_locks',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -11035,7 +11062,7 @@ index 64ff4d7..27c051d 100644
|
||||
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
|
||||
search_dirs_pattern($1, var_t, var_lock_t)
|
||||
')
|
||||
@@ -5680,7 +6621,26 @@ interface(`files_dontaudit_search_locks',`
|
||||
@@ -5680,7 +6658,26 @@ interface(`files_dontaudit_search_locks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11063,7 +11090,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5688,13 +6648,12 @@ interface(`files_dontaudit_search_locks',`
|
||||
@@ -5688,13 +6685,12 @@ interface(`files_dontaudit_search_locks',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -11080,7 +11107,7 @@ index 64ff4d7..27c051d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5713,7 +6672,7 @@ interface(`files_rw_lock_dirs',`
|
||||
@@ -5713,7 +6709,7 @@ interface(`files_rw_lock_dirs',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -11089,7 +11116,7 @@ index 64ff4d7..27c051d 100644
|
||||
rw_dirs_pattern($1, var_t, var_lock_t)
|
||||
')
|
||||
|
||||
@@ -5746,7 +6705,6 @@ interface(`files_create_lock_dirs',`
|
||||
@@ -5746,7 +6742,6 @@ interface(`files_create_lock_dirs',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -11097,7 +11124,7 @@ index 64ff4d7..27c051d 100644
|
||||
#
|
||||
interface(`files_relabel_all_lock_dirs',`
|
||||
gen_require(`
|
||||
@@ -5761,7 +6719,7 @@ interface(`files_relabel_all_lock_dirs',`
|
||||
@@ -5761,7 +6756,7 @@ interface(`files_relabel_all_lock_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11106,7 +11133,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5769,13 +6727,33 @@ interface(`files_relabel_all_lock_dirs',`
|
||||
@@ -5769,13 +6764,33 @@ interface(`files_relabel_all_lock_dirs',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -11141,7 +11168,7 @@ index 64ff4d7..27c051d 100644
|
||||
allow $1 var_lock_t:dir list_dir_perms;
|
||||
getattr_files_pattern($1, var_lock_t, var_lock_t)
|
||||
')
|
||||
@@ -5791,13 +6769,12 @@ interface(`files_getattr_generic_locks',`
|
||||
@@ -5791,13 +6806,12 @@ interface(`files_getattr_generic_locks',`
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_generic_locks',`
|
||||
@ -11159,7 +11186,7 @@ index 64ff4d7..27c051d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5816,9 +6793,7 @@ interface(`files_manage_generic_locks',`
|
||||
@@ -5816,9 +6830,7 @@ interface(`files_manage_generic_locks',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -11170,7 +11197,7 @@ index 64ff4d7..27c051d 100644
|
||||
manage_files_pattern($1, var_lock_t, var_lock_t)
|
||||
')
|
||||
|
||||
@@ -5860,8 +6835,7 @@ interface(`files_read_all_locks',`
|
||||
@@ -5860,8 +6872,7 @@ interface(`files_read_all_locks',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -11180,7 +11207,7 @@ index 64ff4d7..27c051d 100644
|
||||
allow $1 lockfile:dir list_dir_perms;
|
||||
read_files_pattern($1, lockfile, lockfile)
|
||||
read_lnk_files_pattern($1, lockfile, lockfile)
|
||||
@@ -5883,8 +6857,7 @@ interface(`files_manage_all_locks',`
|
||||
@@ -5883,8 +6894,7 @@ interface(`files_manage_all_locks',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -11190,7 +11217,7 @@ index 64ff4d7..27c051d 100644
|
||||
manage_dirs_pattern($1, lockfile, lockfile)
|
||||
manage_files_pattern($1, lockfile, lockfile)
|
||||
manage_lnk_files_pattern($1, lockfile, lockfile)
|
||||
@@ -5921,8 +6894,7 @@ interface(`files_lock_filetrans',`
|
||||
@@ -5921,8 +6931,7 @@ interface(`files_lock_filetrans',`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
@ -11200,7 +11227,7 @@ index 64ff4d7..27c051d 100644
|
||||
filetrans_pattern($1, var_lock_t, $2, $3, $4)
|
||||
')
|
||||
|
||||
@@ -5961,7 +6933,7 @@ interface(`files_setattr_pid_dirs',`
|
||||
@@ -5961,7 +6970,7 @@ interface(`files_setattr_pid_dirs',`
|
||||
type var_run_t;
|
||||
')
|
||||
|
||||
@ -11209,7 +11236,7 @@ index 64ff4d7..27c051d 100644
|
||||
allow $1 var_run_t:dir setattr;
|
||||
')
|
||||
|
||||
@@ -5981,10 +6953,48 @@ interface(`files_search_pids',`
|
||||
@@ -5981,10 +6990,48 @@ interface(`files_search_pids',`
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
@ -11258,7 +11285,7 @@ index 64ff4d7..27c051d 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search
|
||||
@@ -6007,6 +7017,25 @@ interface(`files_dontaudit_search_pids',`
|
||||
@@ -6007,6 +7054,25 @@ interface(`files_dontaudit_search_pids',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11284,7 +11311,7 @@ index 64ff4d7..27c051d 100644
|
||||
## List the contents of the runtime process
|
||||
## ID directories (/var/run).
|
||||
## </summary>
|
||||
@@ -6021,7 +7050,7 @@ interface(`files_list_pids',`
|
||||
@@ -6021,7 +7087,7 @@ interface(`files_list_pids',`
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
@ -11293,7 +11320,7 @@ index 64ff4d7..27c051d 100644
|
||||
list_dirs_pattern($1, var_t, var_run_t)
|
||||
')
|
||||
|
||||
@@ -6040,7 +7069,7 @@ interface(`files_read_generic_pids',`
|
||||
@@ -6040,7 +7106,7 @@ interface(`files_read_generic_pids',`
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
@ -11302,7 +11329,7 @@ index 64ff4d7..27c051d 100644
|
||||
list_dirs_pattern($1, var_t, var_run_t)
|
||||
read_files_pattern($1, var_run_t, var_run_t)
|
||||
')
|
||||
@@ -6060,7 +7089,7 @@ interface(`files_write_generic_pid_pipes',`
|
||||
@@ -6060,7 +7126,7 @@ interface(`files_write_generic_pid_pipes',`
|
||||
type var_run_t;
|
||||
')
|
||||
|
||||
@ -11311,7 +11338,7 @@ index 64ff4d7..27c051d 100644
|
||||
allow $1 var_run_t:fifo_file write;
|
||||
')
|
||||
|
||||
@@ -6122,7 +7151,6 @@ interface(`files_pid_filetrans',`
|
||||
@@ -6122,7 +7188,6 @@ interface(`files_pid_filetrans',`
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
@ -11319,7 +11346,7 @@ index 64ff4d7..27c051d 100644
|
||||
filetrans_pattern($1, var_run_t, $2, $3, $4)
|
||||
')
|
||||
|
||||
@@ -6151,6 +7179,24 @@ interface(`files_pid_filetrans_lock_dir',`
|
||||
@@ -6151,6 +7216,24 @@ interface(`files_pid_filetrans_lock_dir',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11344,7 +11371,7 @@ index 64ff4d7..27c051d 100644
|
||||
## Read and write generic process ID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -6164,7 +7210,7 @@ interface(`files_rw_generic_pids',`
|
||||
@@ -6164,7 +7247,7 @@ interface(`files_rw_generic_pids',`
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
@ -11353,7 +11380,7 @@ index 64ff4d7..27c051d 100644
|
||||
list_dirs_pattern($1, var_t, var_run_t)
|
||||
rw_files_pattern($1, var_run_t, var_run_t)
|
||||
')
|
||||
@@ -6231,55 +7277,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||
@@ -6231,55 +7314,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11416,7 +11443,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6287,42 +7321,35 @@ interface(`files_delete_all_pids',`
|
||||
@@ -6287,42 +7358,35 @@ interface(`files_delete_all_pids',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -11466,7 +11493,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6330,18 +7357,18 @@ interface(`files_manage_all_pids',`
|
||||
@@ -6330,18 +7394,18 @@ interface(`files_manage_all_pids',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -11490,7 +11517,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6349,37 +7376,40 @@ interface(`files_mounton_all_poly_members',`
|
||||
@@ -6349,37 +7413,40 @@ interface(`files_mounton_all_poly_members',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -11542,7 +11569,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6387,18 +7417,17 @@ interface(`files_dontaudit_search_spool',`
|
||||
@@ -6387,18 +7454,17 @@ interface(`files_dontaudit_search_spool',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -11565,7 +11592,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6406,18 +7435,18 @@ interface(`files_list_spool',`
|
||||
@@ -6406,18 +7472,18 @@ interface(`files_list_spool',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -11589,7 +11616,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6425,19 +7454,18 @@ interface(`files_manage_generic_spool_dirs',`
|
||||
@@ -6425,19 +7491,18 @@ interface(`files_manage_generic_spool_dirs',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -11614,7 +11641,7 @@ index 64ff4d7..27c051d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6445,55 +7473,43 @@ interface(`files_read_generic_spool',`
|
||||
@@ -6445,45 +7510,312 @@ interface(`files_read_generic_spool',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -11665,31 +11692,27 @@ index 64ff4d7..27c051d 100644
|
||||
- type var_t, var_spool_t;
|
||||
+ attribute pidfile;
|
||||
+ type var_t, var_run_t;
|
||||
')
|
||||
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
- filetrans_pattern($1, var_spool_t, $2, $3, $4)
|
||||
+ allow $1 var_t:dir search_dir_perms;
|
||||
+ allow $1 var_run_t:dir rmdir;
|
||||
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
|
||||
+ delete_files_pattern($1, pidfile, pidfile)
|
||||
+ delete_fifo_files_pattern($1, pidfile, pidfile)
|
||||
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Allow access to manage all polyinstantiated
|
||||
-## directories on the system.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Delete all process ID directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -6501,7 +7517,286 @@ interface(`files_spool_filetrans',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`files_polyinstantiate_all',`
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_delete_all_pid_dirs',`
|
||||
+ gen_require(`
|
||||
+ attribute pidfile;
|
||||
@ -11952,28 +11975,10 @@ index 64ff4d7..27c051d 100644
|
||||
+interface(`files_spool_filetrans',`
|
||||
+ gen_require(`
|
||||
+ type var_t, var_spool_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 var_t:dir search_dir_perms;
|
||||
+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow access to manage all polyinstantiated
|
||||
+## directories on the system.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_polyinstantiate_all',`
|
||||
gen_require(`
|
||||
attribute polydir, polymember, polyparent;
|
||||
type poly_t;
|
||||
@@ -6562,3 +7857,491 @@ interface(`files_unconfined',`
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
@@ -6562,3 +7894,491 @@ interface(`files_unconfined',`
|
||||
|
||||
typeattribute $1 files_unconfined_type;
|
||||
')
|
||||
@ -12466,7 +12471,7 @@ index 64ff4d7..27c051d 100644
|
||||
+ allow $1 etc_t:service status;
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
|
||||
index 148d87a..822f6be 100644
|
||||
index 148d87a..15e8466 100644
|
||||
--- a/policy/modules/kernel/files.te
|
||||
+++ b/policy/modules/kernel/files.te
|
||||
@@ -5,12 +5,16 @@ policy_module(files, 1.17.5)
|
||||
@ -12486,7 +12491,7 @@ index 148d87a..822f6be 100644
|
||||
|
||||
# For labeling types that are to be polyinstantiated
|
||||
attribute polydir;
|
||||
@@ -48,28 +52,40 @@ attribute usercanread;
|
||||
@@ -48,28 +52,45 @@ attribute usercanread;
|
||||
#
|
||||
type boot_t;
|
||||
files_mountpoint(boot_t)
|
||||
@ -12518,6 +12523,11 @@ index 148d87a..822f6be 100644
|
||||
+files_type(system_conf_t)
|
||||
+# compatibility aliases for removed type:
|
||||
+typealias system_conf_t alias iptables_conf_t;
|
||||
+
|
||||
+# system_db_t is a new type of various
|
||||
+# db files.
|
||||
+type system_db_t;
|
||||
+files_type(system_db_t)
|
||||
+
|
||||
#
|
||||
# etc_runtime_t is the type of various
|
||||
@ -12529,7 +12539,7 @@ index 148d87a..822f6be 100644
|
||||
files_type(etc_runtime_t)
|
||||
#Temporarily in policy until FC5 dissappears
|
||||
typealias etc_runtime_t alias firstboot_rw_t;
|
||||
@@ -81,6 +97,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
|
||||
@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
|
||||
#
|
||||
type file_t;
|
||||
files_mountpoint(file_t)
|
||||
@ -12537,7 +12547,7 @@ index 148d87a..822f6be 100644
|
||||
kernel_rootfs_mountpoint(file_t)
|
||||
sid file gen_context(system_u:object_r:file_t,s0)
|
||||
|
||||
@@ -89,6 +106,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
|
||||
@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
|
||||
# are created
|
||||
#
|
||||
type home_root_t;
|
||||
@ -12545,7 +12555,7 @@ index 148d87a..822f6be 100644
|
||||
files_mountpoint(home_root_t)
|
||||
files_poly_parent(home_root_t)
|
||||
|
||||
@@ -96,12 +114,13 @@ files_poly_parent(home_root_t)
|
||||
@@ -96,12 +119,13 @@ files_poly_parent(home_root_t)
|
||||
# lost_found_t is the type for the lost+found directories.
|
||||
#
|
||||
type lost_found_t;
|
||||
@ -12560,7 +12570,7 @@ index 148d87a..822f6be 100644
|
||||
files_mountpoint(mnt_t)
|
||||
|
||||
#
|
||||
@@ -123,6 +142,7 @@ files_type(readable_t)
|
||||
@@ -123,6 +147,7 @@ files_type(readable_t)
|
||||
# root_t is the type for rootfs and the root directory.
|
||||
#
|
||||
type root_t;
|
||||
@ -12568,7 +12578,7 @@ index 148d87a..822f6be 100644
|
||||
files_mountpoint(root_t)
|
||||
files_poly_parent(root_t)
|
||||
kernel_rootfs_mountpoint(root_t)
|
||||
@@ -133,52 +153,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
|
||||
@@ -133,52 +158,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
|
||||
#
|
||||
type src_t;
|
||||
files_mountpoint(src_t)
|
||||
@ -12632,7 +12642,7 @@ index 148d87a..822f6be 100644
|
||||
files_pid_file(var_run_t)
|
||||
files_mountpoint(var_run_t)
|
||||
|
||||
@@ -186,7 +217,9 @@ files_mountpoint(var_run_t)
|
||||
@@ -186,7 +222,9 @@ files_mountpoint(var_run_t)
|
||||
# var_spool_t is the type of /var/spool
|
||||
#
|
||||
type var_spool_t;
|
||||
@ -12642,7 +12652,7 @@ index 148d87a..822f6be 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -225,10 +258,11 @@ fs_associate_tmpfs(tmpfsfile)
|
||||
@@ -225,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile)
|
||||
# Create/access any file in a labeled filesystem;
|
||||
allow files_unconfined_type file_type:{ file chr_file } ~execmod;
|
||||
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
|
||||
|
@ -60749,7 +60749,7 @@ index efcb653..ff2c96a 100644
|
||||
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
|
||||
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
|
||||
diff --git a/ppp.if b/ppp.if
|
||||
index cd8b8b9..cde0d62 100644
|
||||
index cd8b8b9..6c73980 100644
|
||||
--- a/ppp.if
|
||||
+++ b/ppp.if
|
||||
@@ -1,110 +1,91 @@
|
||||
@ -61089,7 +61089,13 @@ index cd8b8b9..cde0d62 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -413,37 +388,25 @@ interface(`ppp_manage_pid_files',`
|
||||
@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
- allow $1 pppd_var_run_t:file manage_file_perms;
|
||||
+ manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -76246,6 +76252,263 @@ index e3e7c96..ec50426 100644
|
||||
- inetd_service_domain(rsync_t, rsync_exec_t)
|
||||
+ swift_manage_data_files(rsync_t)
|
||||
')
|
||||
diff --git a/rtas.fc b/rtas.fc
|
||||
new file mode 100644
|
||||
index 0000000..25d96cb
|
||||
--- /dev/null
|
||||
+++ b/rtas.fc
|
||||
@@ -0,0 +1,13 @@
|
||||
+/usr/lib/systemd/system/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_unit_file_t,s0)
|
||||
+
|
||||
+/usr/sbin/rtas_errd -- gen_context(system_u:object_r:rtas_errd_exec_t,s0)
|
||||
+
|
||||
+/var/lock/subsys/rtas_errd -- gen_context(system_u:object_r:rtas_errd_var_lock_t)
|
||||
+/var/lock/.*librtas -- gen_context(system_u:object_r:rtas_errd_var_lock_t)
|
||||
+
|
||||
+/var/log/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_log_t)
|
||||
+/var/log/platform -- gen_context(system_u:object_r:rtas_errd_log_t)
|
||||
+/var/log/epow_status -- gen_context(system_u:object_r:rtas_errd_log_t)
|
||||
+
|
||||
+/var/run/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_var_run_t,s0)
|
||||
+
|
||||
diff --git a/rtas.if b/rtas.if
|
||||
new file mode 100644
|
||||
index 0000000..9381936
|
||||
--- /dev/null
|
||||
+++ b/rtas.if
|
||||
@@ -0,0 +1,166 @@
|
||||
+
|
||||
+## <summary>rtas_errd - Platform diagnostics report firmware events</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute TEMPLATE in the rtas_errd domin.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rtas_errd_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type rtas_errd_t, rtas_errd_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
|
||||
+')
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read rtas_errd's log files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`rtas_errd_read_log',`
|
||||
+ gen_require(`
|
||||
+ type rtas_errd_log_t;
|
||||
+ ')
|
||||
+
|
||||
+ logging_search_logs($1)
|
||||
+ read_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Append to rtas_errd log files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rtas_errd_append_log',`
|
||||
+ gen_require(`
|
||||
+ type rtas_errd_log_t;
|
||||
+ ')
|
||||
+
|
||||
+ logging_search_logs($1)
|
||||
+ append_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage rtas_errd log files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rtas_errd_manage_log',`
|
||||
+ gen_require(`
|
||||
+ type rtas_errd_log_t;
|
||||
+ ')
|
||||
+
|
||||
+ logging_search_logs($1)
|
||||
+ manage_dirs_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
|
||||
+ manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
|
||||
+ manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
|
||||
+')
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read rtas_errd PID files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rtas_errd_read_pid_files',`
|
||||
+ gen_require(`
|
||||
+ type rtas_errd_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ read_files_pattern($1, rtas_errd_var_run_t, rtas_errd_var_run_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute rtas_errd server in the rtas_errd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rtas_errd_systemctl',`
|
||||
+ gen_require(`
|
||||
+ type rtas_errd_t;
|
||||
+ type rtas_errd_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ allow $1 rtas_errd_unit_file_t:file read_file_perms;
|
||||
+ allow $1 rtas_errd_unit_file_t:service manage_service_perms;
|
||||
+
|
||||
+ ps_process_pattern($1, rtas_errd_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an rtas_errd environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`rtas_errd_admin',`
|
||||
+ gen_require(`
|
||||
+ type rtas_errd_t;
|
||||
+ type rtas_errd_log_t;
|
||||
+ type rtas_errd_var_run_t;
|
||||
+ type rtas_errd_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 rtas_errd_t:process { ptrace signal_perms };
|
||||
+ ps_process_pattern($1, rtas_errd_t)
|
||||
+
|
||||
+ logging_search_logs($1)
|
||||
+ admin_pattern($1, rtas_errd_log_t)
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ admin_pattern($1, rtas_errd_var_run_t)
|
||||
+
|
||||
+ rtas_errd_systemctl($1)
|
||||
+ admin_pattern($1, rtas_errd_unit_file_t)
|
||||
+ allow $1 rtas_errd_unit_file_t:service all_service_perms;
|
||||
+ optional_policy(`
|
||||
+ systemd_passwd_agent_exec($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ ')
|
||||
+')
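Review bot: The summary of `rtas_errd_domtrans` still carries the template placeholder and a typo, `## Execute TEMPLATE in the rtas_errd domin.`; it should read `## Execute rtas_errd in the rtas_errd domain.`. `rtas_errd_admin` documents a `role` parameter but its body never references `$2`, so either the `<param name="role">` block should be dropped or the role should actually be used. `rtas_errd_systemctl`'s summary describes a domain transition although the interface grants systemctl and unit-file management; a summary along the lines of `## Allow the specified domain to manage the rtas_errd service via systemctl.` would match the body. Style: `rtas_errd_domtrans` and `rtas_errd_manage_log` run straight into the next interface banner, and the `optional_policy` block in `rtas_errd_admin` lacks the blank line used between the other rule groups.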
|
||||
diff --git a/rtas.te b/rtas.te
|
||||
new file mode 100644
|
||||
index 0000000..4e6663f
|
||||
--- /dev/null
|
||||
+++ b/rtas.te
|
||||
@@ -0,0 +1,60 @@
|
||||
+policy_module(rtas, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type rtas_errd_t;
|
||||
+type rtas_errd_exec_t;
|
||||
+init_daemon_domain(rtas_errd_t, rtas_errd_exec_t)
|
||||
+
|
||||
+type rtas_errd_log_t;
|
||||
+logging_log_file(rtas_errd_log_t)
|
||||
+
|
||||
+type rtas_errd_var_run_t;
|
||||
+files_pid_file(rtas_errd_var_run_t)
|
||||
+
|
||||
+type rtas_errd_var_lock_t;
|
||||
+files_lock_file(rtas_errd_var_lock_t)
|
||||
+
|
||||
+type rtas_errd_unit_file_t;
|
||||
+systemd_unit_file(rtas_errd_unit_file_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# rtas_errd local policy
|
||||
+#
|
||||
+
|
||||
+allow rtas_errd_t self:capability sys_admin;
|
||||
+allow rtas_errd_t self:process fork;
|
||||
+allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+manage_dirs_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
|
||||
+manage_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
|
||||
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
|
||||
+logging_log_filetrans(rtas_errd_t, rtas_errd_log_t, { dir file lnk_file })
|
||||
+
|
||||
+manage_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
|
||||
+manage_lnk_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
|
||||
+files_lock_filetrans(rtas_errd_t,rtas_errd_var_lock_t, { dir file } )
|
||||
+
|
||||
+manage_dirs_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
|
||||
+manage_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
|
||||
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
|
||||
+files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
|
||||
+
|
||||
+kernel_read_system_state(rtas_errd_t)
|
||||
+
|
||||
+auth_use_nsswitch(rtas_errd_t)
|
||||
+
|
||||
+corecmd_exec_bin(rtas_errd_t)
|
||||
+
|
||||
+dev_read_raw_memory(rtas_errd_t)
|
||||
+dev_write_raw_memory(rtas_errd_t)
|
||||
+
|
||||
+files_manage_system_db_files(rtas_errd_t)
|
||||
+
|
||||
+logging_read_generic_logs(rtas_errd_t)
|
||||
+
|
||||
diff --git a/rtkit.if b/rtkit.if
|
||||
index bd35afe..051addd 100644
|
||||
--- a/rtkit.if
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 90%{?dist}
|
||||
Release: 91%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -572,6 +572,9 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Oct 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-91
|
||||
- Add rtas policy
|
||||
|
||||
* Thu Oct 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-90
|
||||
- Allow mailserver_domains to manage and transition to mailman data
|
||||
- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands
|
||||
|