This commit is contained in:
Chris PeBenito 2005-06-08 21:07:03 +00:00
parent 0350b1dc7f
commit 7edd02d4f1
4 changed files with 40 additions and 51 deletions

View File

@ -15,10 +15,7 @@
define(`sysnetwork_dhcpc_transition',`
requires_block_template(`$0'_depend)
allow $1 dhcpc_exec_t:file { getattr read execute };
allow $1 dhcpc_t:process transition;
type_transition $1 dhcpc_exec_t:process dhcpc_t;
dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1, dhcp_exec_t, dhcp_t)
allow $1 dhcpc_t:fd use;
allow dhcpc_t $1:fd use;
@ -49,10 +46,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
define(`sysnetwork_ifconfig_transition',`
requires_block_template(`$0'_depend)
allow $1 ifconfig_exec_t:file { getattr read execute };
allow $1 ifconfig_t:process transition;
type_transition $1 ifconfig_exec_t:process ifconfig_t;
dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
allow $1 ifconfig_t:fd use;
allow ifconfig_t $1:fd use;
@ -117,13 +111,13 @@ define(`sysnetwork_read_network_config',`
requires_block_template(`$0'_depend)
files_search_general_system_config_directory($1)
allow $1 net_conf_t:file { getattr read };
allow $1 net_conf_t:file r_file_perms;
')
define(`sysnetwork_read_network_config_depend',`
type net_conf_t;
class file { getattr read };
class file r_file_perms;
')
## </module>

View File

@ -46,11 +46,11 @@ dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
allow dhcpc_t self:tcp_socket create_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
@ -61,26 +61,23 @@ allow dhcpc_t dhcpc_state_t:file create_file_perms;
type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
# create pid file
allow dhcpc_t dhcpc_var_run_t:file { getattr create read write append setattr unlink };
allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
allow dhcpc_t net_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow dhcpc_t net_conf_t:file create_file_perms;
files_create_private_config(dhcpc_t,net_conf_t,file)
# create temp files
allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
allow dhcpc_t dhcpc_exec_t:file { getattr read execute execute_no_trans };
can_exec(dhcpc_t, dhcpc_exec_t)
# transition to ifconfig
allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
allow dhcpc_t ifconfig_t:process transition;
type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
domain_auto_trans(dhcp_t, ifconfig_exec_t, ifconfig_t)
allow dhcpc_t ifconfig_t:fd use;
allow ifconfig_t dhcpc_t:fd use;
allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
@ -244,21 +241,21 @@ allow ifconfig_t self:capability net_admin;
dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file { read getattr lock ioctl write append };
allow ifconfig_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow ifconfig_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow ifconfig_t self:fifo_file rw_file_perms;
allow ifconfig_t self:unix_dgram_socket create_socket_perms;
allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
allow ifconfig_t self:unix_dgram_socket sendto;
allow ifconfig_t self:unix_stream_socket connectto;
allow ifconfig_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow ifconfig_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow ifconfig_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow ifconfig_t self:shm create_shm_perms;
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
allow ifconfig_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
files_read_general_system_config(ifconfig_t);

View File

@ -15,10 +15,7 @@
define(`udev_transition',`
requires_block_template(`$0'_depend)
allow $1 udev_exec_t:file { getattr read execute };
allow $1 udev_t:process transition;
type_transition $1 udev_exec_t:process udev_t;
dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1, udev_exec_t, udev_t)
allow $1 udev_t:fd use;
allow udev_t $1:fd use;
@ -49,13 +46,13 @@ define(`udev_transition_depend',`
define(`udev_read_database',`
requires_block_template(`$0'_depend)
allow $1 udev_tdb_t:file { getattr read };
allow $1 udev_tdb_t:file r_file_perms;
')
define(`udev_read_database_depend',`
type udev_tdb_t;
class file { getattr read };
class file r_file_perms;
')
########################################
@ -72,13 +69,13 @@ define(`udev_read_database_depend',`
define(`udev_modify_database',`
requires_block_template(`$0'_depend)
allow $1 udev_tdb_t:file { getattr read write append };
allow $1 udev_tdb_t:file rw_file_perms;
')
define(`udev_modify_database_depend',`
type udev_tdb_t;
class file { getattr read write append };
class file rw_file_perms;
')
## </module>

View File

@ -38,29 +38,30 @@ allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file { read getattr lock ioctl write append };
allow udev_t self:fifo_file rw_file_perms;
allow udev_t self:unix_stream_socket { listen accept };
allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow udev_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow udev_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow udev_t self:shm create_shm_perms;
allow udev_t self:sem create_sem_perms;
allow udev_t self:msgq create_msgq_perms;
allow udev_t self:msg { send receive };
allow udev_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow udev_t self:rawip_socket create_socket_perms;
allow udev_t udev_exec_t:file { getattr read write ioctl execute execute_no_trans };
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
allow udev_t udev_helper_exec_t:dir { read getattr lock search ioctl };
allow udev_t udev_helper_exec_t:dir r_dir_perms;
# read udev config
allow udev_t udev_etc_t:file { read getattr lock ioctl };
allow udev_t udev_etc_t:file r_file_perms;
# create udev database in /dev/.udevdb
allow udev_t udev_tbl_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow udev_t udev_tbl_t:file create_file_perms;
devices_create_dev_entry(udev_t,udev_tbl_t,file)
allow udev_t udev_var_run_t : dir { read getattr lock search ioctl add_name remove_name write };
allow udev_t udev_var_run_t : file { create ioctl read getattr lock write setattr append link unlink rename };
allow udev_t udev_var_run_t : dir rw_file_perms;
allow udev_t udev_var_run_t : file create_file_perms;
kernel_read_system_state(udev_t)
kernel_get_core_interface_attributes(udev_t)