trunk: udev update and brctl module from dan.
parent
016e5c5cdc
commit
8241b538af
@ -16,6 +16,7 @@
|
||||
- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
|
||||
- Added modules:
|
||||
application
|
||||
brctl (Dan Walsh)
|
||||
|
||||
* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
|
||||
- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
|
||||
|
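--- a/policy/modules/admin/brctl.fc
+++ b/policy/modules/admin/brctl.fc
@@ -0,0 +1 @@
+/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)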
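Review bot: The only file context here is `/usr/sbin/brctl`, so on any distribution that installs bridge-utils under `/sbin` the binary would not be labeled brctl_exec_t and the `brctl_domtrans(udev_t)` added to udev.te in this same commit would silently never fire, leaving brctl running in udev_t with udev's much wider permissions. I can't confirm install paths from this page, but the changelog entry above shows distro-specific binary locations already being tracked for other daemons, so it is worth checking. If such a layout is supported, add `/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)` alongside the existing line.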
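--- a/policy/modules/admin/brctl.if
+++ b/policy/modules/admin/brctl.if
@@ -0,0 +1,19 @@
+## <summary>Utilities for configuring the linux ethernet bridge</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run brctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brctl_domtrans',`
+gen_require(`
+type brctl_t, brctl_exec_t;
+')
+
+domtrans_pattern($1,brctl_exec_t,brctl_t)
+')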
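--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -0,0 +1,47 @@
+policy_module(brctl,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type brctl_t;
+type brctl_exec_t;
+domain_type(brctl_t)
+init_system_domain(brctl_t, brctl_exec_t)
+
+########################################
+#
+# brctl local policy
+#
+
+allow brctl_t self:capability net_admin;
+allow brctl_t self:fifo_file rw_file_perms;
+allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+allow brctl_t self:tcp_socket create_socket_perms;
+
+kernel_load_module(brctl_t)
+kernel_read_network_state(brctl_t)
+kernel_read_sysctl(brctl_t)
+
+dev_rw_sysfs(brctl_t)
+
+# Init script handling
+domain_use_interactive_fds(brctl_t)
+
+files_read_etc_files(brctl_t)
+
+libs_use_ld_so(brctl_t)
+libs_use_shared_libs(brctl_t)
+
+miscfiles_read_localization(brctl_t)
+
+ifdef(`targeted_policy',`
+term_dontaudit_use_unallocated_ttys(brctl_t)
+term_dontaudit_use_generic_ptys(brctl_t)
+')
+
+optional_policy(`
+xen_append_log(brctl_t)
+')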
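Review bot: `kernel_load_module(brctl_t)` grants a bridge-configuration utility the right to load kernel modules, which is far broader than the single `net_admin` capability the rest of this domain is scoped to, and the line carries no comment explaining why it is needed. If it is only there because creating the first bridge makes the kernel autoload the bridge module, say so, so a later reviewer can tighten it once a narrower interface exists: `# creating a bridge makes the kernel autoload the bridge module -- TODO confirm this needs full module-load rights`. The `tcp_socket create_socket_perms` rule presumably exists because brctl opens an AF_INET socket only to issue ioctls on it; a one-line comment there would also stop someone from widening it to real network access later.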
@ -12,6 +12,7 @@
|
||||
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
@ -53,7 +54,7 @@
|
||||
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
@ -64,7 +65,9 @@
|
||||
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
|
||||
/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
ifdef(`distro_suse', `
|
||||
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
@ -110,6 +113,10 @@ ifdef(`distro_suse', `
|
||||
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
|
||||
/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
|
||||
|
||||
/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
# used by udev init script as temporary mount point
|
||||
/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
|
||||
|
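Review bot: The hunk ending at `/lib/udev/devices` now specifies the same path twice, once unconditionally as `/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)` and once more inside the `ifdef(`distro_debian',` block that carries the "temporary mount point" comment. Both resolve to the same context, so this is harmless today, but a duplicate spec is a trap for the next edit that changes one and not the other. If the unconditional entry is the one this commit adds (the rendered page does not show which side each line is on), the Debian-only copy and its comment can be folded into it.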
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(devices,1.5.0)
|
||||
policy_module(devices,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(udev,1.7.0)
|
||||
policy_module(udev,1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -68,8 +68,9 @@ allow udev_t udev_etc_t:file read_file_perms;
|
||||
allow udev_t udev_tbl_t:file manage_file_perms;
|
||||
dev_filetrans(udev_t,udev_tbl_t,file)
|
||||
|
||||
manage_dirs_pattern(udev_t,udev_var_run_t,udev_var_run_t)
|
||||
manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t)
|
||||
files_pid_filetrans(udev_t,udev_var_run_t,file)
|
||||
files_pid_filetrans(udev_t,udev_var_run_t,{ dir file })
|
||||
|
||||
kernel_read_system_state(udev_t)
|
||||
kernel_getattr_core_if(udev_t)
|
||||
@ -83,16 +84,23 @@ kernel_rw_unix_dgram_sockets(udev_t)
|
||||
kernel_dgram_send(udev_t)
|
||||
kernel_signal(udev_t)
|
||||
|
||||
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
|
||||
kernel_rw_net_sysctls(udev_t)
|
||||
kernel_read_network_state(udev_t)
|
||||
|
||||
corecmd_exec_all_executables(udev_t)
|
||||
|
||||
dev_rw_sysfs(udev_t)
|
||||
dev_manage_all_dev_nodes(udev_t)
|
||||
dev_rw_generic_files(udev_t)
|
||||
dev_delete_generic_files(udev_t)
|
||||
dev_search_usbfs(udev_t)
|
||||
dev_relabel_all_dev_nodes(udev_t)
|
||||
|
||||
domain_read_all_domains_state(udev_t)
|
||||
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
|
||||
|
||||
files_read_usr_files(udev_t)
|
||||
files_read_etc_runtime_files(udev_t)
|
||||
files_read_etc_files(udev_t)
|
||||
files_exec_etc_files(udev_t)
|
||||
@ -144,6 +152,12 @@ seutil_domtrans_setfiles(udev_t)
|
||||
|
||||
sysnet_domtrans_ifconfig(udev_t)
|
||||
sysnet_domtrans_dhcpc(udev_t)
|
||||
sysnet_rw_dhcp_config(udev_t)
|
||||
sysnet_read_dhcpc_pid(udev_t)
|
||||
sysnet_delete_dhcpc_pid(udev_t)
|
||||
sysnet_signal_dhcpc(udev_t)
|
||||
sysnet_manage_config(udev_t)
|
||||
sysnet_etc_filetrans_config(udev_t)
|
||||
|
||||
userdom_use_sysadm_ttys(udev_t)
|
||||
userdom_dontaudit_search_all_users_home_content(udev_t)
|
||||
@ -175,6 +189,10 @@ ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
brctl_domtrans(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(udev_t)
|
||||
')
|
||||
@ -183,6 +201,10 @@ optional_policy(`
|
||||
dbus_system_bus_client_template(udev,udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
fstools_domtrans(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_dgram_send(udev_t)
|
||||
')
|
||||
@ -193,6 +215,23 @@ optional_policy(`
|
||||
hotplug_search_pids(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
openct_read_pid_files(udev_t)
|
||||
openct_domtrans(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
pcscd_read_pub_files(udev_t)
|
||||
pcscd_domtrans(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kernel_write_xen_state(udev_t)
|
||||
kernel_read_xen_state(udev_t)
|
||||
xen_manage_log(udev_t)
|
||||
xen_read_image_files(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_read_xdm_pid(udev_t)
|
||||
')
|
||||
|
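Review bot: `sysnet_manage_config(udev_t)` and `sysnet_etc_filetrans_config(udev_t)` give udev create/write/delete access to the system's network configuration files, and together with the new `sysnet_domtrans_dhcpc`, `sysnet_delete_dhcpc_pid` and `sysnet_signal_dhcpc` rules this is a meaningful widening of an already powerful domain, yet unlike the `kernel_rw_net_sysctls` line a few hunks earlier it carries no bug reference or rationale. Please document the trigger the same way, e.g. `# udev rules rename interfaces and rewrite per-interface config -- see bz for the rule that needs this` (hedged: I am inferring the use case, the hunk does not show it). The udev.te file header is not visible on this page, so I reviewed the hunks as shown.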