trunk: 2 patches from dan.
This commit is contained in:
parent
16fd1fd814
commit
731008ad85
@ -16,6 +16,7 @@
|
|||||||
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
|
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
|
||||||
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
|
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||||
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
@ -91,6 +92,7 @@
|
|||||||
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
|
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
|
||||||
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
|
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
|
||||||
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
|
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||||
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
|
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||||
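Review bot: The new `/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)` entry relabels the TPM node away from whatever generic device label it carried before (presumably `device_t`), yet none of the visible hunks adds an interface that grants any domain access to `tpm_device_t`, so existing users of `/dev/tpm0` would be denied once the node is relabeled. The same gap applies to the type declaration hunk at -187 in the devices .te file, which introduces `type tpm_device_t;` and `dev_node(tpm_device_t)` with no accessor alongside it. If the `dev_*_tpm` style interface lives in a part of this commit not shown here this is fine; otherwise it should be added in the same commit so the relabel does not silently break TPM clients. Note also that `[0-9]*` matches zero digits, so the pattern covers bare `/dev/tpm` as well, which is consistent with the `# Type for /dev/tpm` comment in the .te hunk.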
@ -113,6 +115,7 @@ ifdef(`distro_suse', `
|
|||||||
|
|
||||||
/dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
|
/dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||||
|
|
||||||
|
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||||
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
|
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
|
||||||
|
|
||||||
/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
||||||
|
@ -3217,7 +3217,7 @@ interface(`dev_read_generic_usb_dev',`
|
|||||||
#
|
#
|
||||||
interface(`dev_rw_generic_usb_dev',`
|
interface(`dev_rw_generic_usb_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type usb_device_t;
|
type device_t, usb_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
rw_chr_files_pattern($1, device_t, usb_device_t)
|
rw_chr_files_pattern($1, device_t, usb_device_t)
|
||||||
|
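Review bot: Changing the require block to `type device_t, usb_device_t;` fixes a latent undeclared-type reference, since `rw_chr_files_pattern($1, device_t, usb_device_t)` already used `device_t` without requiring it. The hunk header shows `dev_read_generic_usb_dev` immediately above, and that interface presumably uses the same `($1, device_t, usb_device_t)` pattern form, so check that its `gen_require` also lists `device_t`. The doc comment for `dev_rw_generic_usb_dev` sits outside the hunk and is not affected.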
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(devices, 1.7.1)
|
policy_module(devices, 1.7.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -187,6 +187,12 @@ files_mountpoint(sysfs_t)
|
|||||||
fs_type(sysfs_t)
|
fs_type(sysfs_t)
|
||||||
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
|
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
|
||||||
|
|
||||||
|
#
|
||||||
|
# Type for /dev/tpm
|
||||||
|
#
|
||||||
|
type tpm_device_t;
|
||||||
|
dev_node(tpm_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# urandom_device_t is the type of /dev/urandom
|
# urandom_device_t is the type of /dev/urandom
|
||||||
#
|
#
|
||||||
|
@ -757,6 +757,24 @@ interface(`fs_read_noxattr_fs_files',`
|
|||||||
read_files_pattern($1, noxattrfs, noxattrfs)
|
read_files_pattern($1, noxattrfs, noxattrfs)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Dont audit attempts to write to noxattrfs files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_dontaudit_write_noxattr_fs_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute noxattrfs;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 noxattrfs:file write;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete all noxattrfs files.
|
## Create, read, write, and delete all noxattrfs files.
|
||||||
@ -2154,6 +2172,7 @@ interface(`fs_rw_removable_blk_files',`
|
|||||||
type removable_t;
|
type removable_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
allow $1 removable_t:dir list_dir_perms;
|
||||||
rw_blk_files_pattern($1, removable_t, removable_t)
|
rw_blk_files_pattern($1, removable_t, removable_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
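Review bot: The added `allow $1 removable_t:dir list_dir_perms;` widens `fs_rw_removable_blk_files` from block-node read/write to directory listing on `removable_t`, and every existing caller inherits that extra access without opting in; the interface summary (outside the hunk) still describes only block-file access and should be updated to say so, e.g. `## Read and write block nodes on removable filesystems, and list their directories.` The same summary/behaviour mismatch applies to `fs_getattr_all_fs` in the hunk at -3624, which now additionally calls `files_getattr_all_file_type_fs($1)`. If directory listing is not needed by all callers, a separate list interface would keep the rw interface minimal. Separately, the new summary in the -757 hunk reads `## Dont audit attempts to write to noxattrfs files.`; refpolicy summaries use the wording `Do not audit`.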
@ -3624,6 +3643,7 @@ interface(`fs_getattr_all_fs',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $1 filesystem_type:filesystem getattr;
|
allow $1 filesystem_type:filesystem getattr;
|
||||||
|
files_getattr_all_file_type_fs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(filesystem, 1.11.3)
|
policy_module(filesystem, 1.11.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -202,6 +202,8 @@ type dosfs_t;
|
|||||||
fs_noxattr_type(dosfs_t)
|
fs_noxattr_type(dosfs_t)
|
||||||
allow dosfs_t fs_t:filesystem associate;
|
allow dosfs_t fs_t:filesystem associate;
|
||||||
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
|
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
|
||||||
|
genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
|
||||||
|
genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0)
|
||||||
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
|
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
|
||||||
genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
|
genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
|
||||||
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
|
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
|
||||||
@ -244,12 +246,12 @@ genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
|
|||||||
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon coda / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon coda / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
|
|
||||||
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
|
|
||||||
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
|
genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
|
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
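Review bot: The two added lines `genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)` and `genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)` label the Xen control filesystem and the USB gadget filesystem as `nfs_t`, so every domain that reaches network filesystems through the nfs interfaces now also reaches those two, which are not network filesystems; reusing `nfs_t` here undoes the least-privilege separation that per-filesystem types give. A dedicated type, or an existing non-network noxattr type, would be safer, in the same way this commit moves `hfs`/`hfsplus` from `nfs_t` to `dosfs_t` in the -202 hunk. That move is split across two hunks: the removal here and the addition under `dosfs_t` belong together, because applying only the addition would leave `hfs` and `hfsplus` with two `genfscon` statements each, which the policy compiler would presumably reject.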