aliasing
This commit is contained in:
parent
0350b1dc7f
commit
7edd02d4f1
@ -15,10 +15,7 @@
|
||||
define(`sysnetwork_dhcpc_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 dhcpc_exec_t:file { getattr read execute };
|
||||
allow $1 dhcpc_t:process transition;
|
||||
type_transition $1 dhcpc_exec_t:process dhcpc_t;
|
||||
dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
|
||||
domain_auto_trans($1, dhcp_exec_t, dhcp_t)
|
||||
|
||||
allow $1 dhcpc_t:fd use;
|
||||
allow dhcpc_t $1:fd use;
|
||||
@ -49,10 +46,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
|
||||
define(`sysnetwork_ifconfig_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 ifconfig_exec_t:file { getattr read execute };
|
||||
allow $1 ifconfig_t:process transition;
|
||||
type_transition $1 ifconfig_exec_t:process ifconfig_t;
|
||||
dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
|
||||
domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
|
||||
|
||||
allow $1 ifconfig_t:fd use;
|
||||
allow ifconfig_t $1:fd use;
|
||||
@ -117,13 +111,13 @@ define(`sysnetwork_read_network_config',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
files_search_general_system_config_directory($1)
|
||||
allow $1 net_conf_t:file { getattr read };
|
||||
allow $1 net_conf_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`sysnetwork_read_network_config_depend',`
|
||||
type net_conf_t;
|
||||
|
||||
class file { getattr read };
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -46,11 +46,11 @@ dontaudit dhcpc_t self:capability sys_tty_config;
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
||||
|
||||
allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
|
||||
allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
|
||||
allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
|
||||
allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
|
||||
allow dhcpc_t self:tcp_socket create_socket_perms;
|
||||
allow dhcpc_t self:udp_socket create_socket_perms;
|
||||
allow dhcpc_t self:packet_socket create_socket_perms;
|
||||
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
||||
allow dhcpc_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
|
||||
allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
|
||||
@ -61,26 +61,23 @@ allow dhcpc_t dhcpc_state_t:file create_file_perms;
|
||||
type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
|
||||
|
||||
# create pid file
|
||||
allow dhcpc_t dhcpc_var_run_t:file { getattr create read write append setattr unlink };
|
||||
allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
|
||||
files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
|
||||
|
||||
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
|
||||
# in /etc created by dhcpcd will be labelled net_conf_t.
|
||||
allow dhcpc_t net_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow dhcpc_t net_conf_t:file create_file_perms;
|
||||
files_create_private_config(dhcpc_t,net_conf_t,file)
|
||||
|
||||
# create temp files
|
||||
allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
|
||||
allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
|
||||
files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
|
||||
|
||||
allow dhcpc_t dhcpc_exec_t:file { getattr read execute execute_no_trans };
|
||||
can_exec(dhcpc_t, dhcpc_exec_t)
|
||||
|
||||
# transition to ifconfig
|
||||
allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
|
||||
allow dhcpc_t ifconfig_t:process transition;
|
||||
type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
|
||||
dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
|
||||
domain_auto_trans(dhcp_t, ifconfig_exec_t, ifconfig_t)
|
||||
allow dhcpc_t ifconfig_t:fd use;
|
||||
allow ifconfig_t dhcpc_t:fd use;
|
||||
allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
|
||||
@ -244,21 +241,21 @@ allow ifconfig_t self:capability net_admin;
|
||||
dontaudit ifconfig_t self:capability sys_module;
|
||||
|
||||
allow ifconfig_t self:fd use;
|
||||
allow ifconfig_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow ifconfig_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow ifconfig_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
allow ifconfig_t self:fifo_file rw_file_perms;
|
||||
allow ifconfig_t self:unix_dgram_socket create_socket_perms;
|
||||
allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ifconfig_t self:unix_dgram_socket sendto;
|
||||
allow ifconfig_t self:unix_stream_socket connectto;
|
||||
allow ifconfig_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
||||
allow ifconfig_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
||||
allow ifconfig_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
||||
allow ifconfig_t self:shm create_shm_perms;
|
||||
allow ifconfig_t self:sem create_sem_perms;
|
||||
allow ifconfig_t self:msgq create_msgq_perms;
|
||||
allow ifconfig_t self:msg { send receive };
|
||||
|
||||
# Create UDP sockets, necessary when called from dhcpc
|
||||
allow ifconfig_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||
|
||||
# for /sbin/ip
|
||||
allow ifconfig_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow ifconfig_t self:tcp_socket { create ioctl };
|
||||
files_read_general_system_config(ifconfig_t);
|
||||
|
||||
|
@ -15,10 +15,7 @@
|
||||
define(`udev_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 udev_exec_t:file { getattr read execute };
|
||||
allow $1 udev_t:process transition;
|
||||
type_transition $1 udev_exec_t:process udev_t;
|
||||
dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
|
||||
domain_auto_trans($1, udev_exec_t, udev_t)
|
||||
|
||||
allow $1 udev_t:fd use;
|
||||
allow udev_t $1:fd use;
|
||||
@ -49,13 +46,13 @@ define(`udev_transition_depend',`
|
||||
define(`udev_read_database',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 udev_tdb_t:file { getattr read };
|
||||
allow $1 udev_tdb_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`udev_read_database_depend',`
|
||||
type udev_tdb_t;
|
||||
|
||||
class file { getattr read };
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -72,13 +69,13 @@ define(`udev_read_database_depend',`
|
||||
define(`udev_modify_database',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 udev_tdb_t:file { getattr read write append };
|
||||
allow $1 udev_tdb_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`udev_modify_database_depend',`
|
||||
type udev_tdb_t;
|
||||
|
||||
class file { getattr read write append };
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -38,29 +38,30 @@ allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid
|
||||
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow udev_t self:process { execmem setfscreate };
|
||||
allow udev_t self:fd use;
|
||||
allow udev_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow udev_t self:fifo_file rw_file_perms;
|
||||
allow udev_t self:unix_stream_socket { listen accept };
|
||||
allow udev_t self:unix_dgram_socket sendto;
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
||||
allow udev_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
||||
allow udev_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
||||
allow udev_t self:shm create_shm_perms;
|
||||
allow udev_t self:sem create_sem_perms;
|
||||
allow udev_t self:msgq create_msgq_perms;
|
||||
allow udev_t self:msg { send receive };
|
||||
allow udev_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow udev_t self:rawip_socket create_socket_perms;
|
||||
|
||||
allow udev_t udev_exec_t:file { getattr read write ioctl execute execute_no_trans };
|
||||
allow udev_t udev_exec_t:file write;
|
||||
can_exec(udev_t, udev_exec_t)
|
||||
|
||||
allow udev_t udev_helper_exec_t:dir { read getattr lock search ioctl };
|
||||
allow udev_t udev_helper_exec_t:dir r_dir_perms;
|
||||
|
||||
# read udev config
|
||||
allow udev_t udev_etc_t:file { read getattr lock ioctl };
|
||||
allow udev_t udev_etc_t:file r_file_perms;
|
||||
|
||||
# create udev database in /dev/.udevdb
|
||||
allow udev_t udev_tbl_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow udev_t udev_tbl_t:file create_file_perms;
|
||||
devices_create_dev_entry(udev_t,udev_tbl_t,file)
|
||||
|
||||
allow udev_t udev_var_run_t : dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow udev_t udev_var_run_t : file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow udev_t udev_var_run_t : dir rw_file_perms;
|
||||
allow udev_t udev_var_run_t : file create_file_perms;
|
||||
|
||||
kernel_read_system_state(udev_t)
|
||||
kernel_get_core_interface_attributes(udev_t)
|
||||
|
Loading…
Reference in New Issue
Block a user