Use relabel permission sets where possible.
Signed-off-by: Dominick Grift <domg472@gmail.com>
parent
4ec4a49e8a
commit
83029ff3c5
@ -127,7 +127,7 @@ cron_search_spool(logrotate_t)
|
||||
mta_send_mail(logrotate_t)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
|
||||
allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
|
||||
# for savelog
|
||||
can_exec(logrotate_t, logrotate_exec_t)
|
||||
|
||||
|
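Review bot: The replacement on the new `allow logrotate_t logrotate_tmp_t:file relabel_file_perms;` line is not a pure rewrite of `{ relabelfrom relabelto }` — if I recall refpolicy's obj_perm_sets correctly, relabel_file_perms (and the dir/chr_file/blk_file variants used in the other hunks) also carries getattr, so every rewritten rule is slightly wider than before. For the .te domains that already have manage_*_pattern rules on the same type that is harmless, but the interface hunks (term_relabel_console, term_relabel_unallocated_ttys, term_relabel_all_ttys, lpd_relabel_spool, rpc_manage_nfs_state_data, auth_relabel_shadow, logging_admin_syslog, userdom_relabel_user_home_files) hand the extra permission to every caller, and for shadow_t a new getattr grant deserves a deliberate decision rather than an implicit one. Please confirm the macro definition and either state in the commit message that the widening is intended or keep the explicit set in the interfaces where callers are not expected to stat the target.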
@ -63,7 +63,7 @@ files_search_var_lib(prelink_t)
|
||||
|
||||
# prelink misc objects that are not system
|
||||
# libraries or entrypoints
|
||||
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
|
||||
allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
|
||||
|
||||
kernel_read_system_state(prelink_t)
|
||||
kernel_read_kernel_sysctls(prelink_t)
|
||||
|
@ -336,7 +336,7 @@ interface(`term_relabel_console',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 console_device_t:chr_file { relabelfrom relabelto };
|
||||
allow $1 console_device_t:chr_file relabel_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1118,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
|
||||
allow $1 tty_device_t:chr_file relabel_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1300,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 ttynode:chr_file { relabelfrom relabelto };
|
||||
allow $1 ttynode:chr_file relabel_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',`
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 print_spool_t:file { relabelto relabelfrom };
|
||||
allow $1 print_spool_t:file relabel_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -179,21 +179,21 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
||||
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
|
||||
allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
|
||||
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
|
||||
allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
|
||||
allow puppetmaster_t puppet_log_t:file relabel_file_perms;
|
||||
|
||||
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
||||
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
||||
allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
|
||||
allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
|
||||
|
||||
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
||||
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
||||
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
|
||||
allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto };
|
||||
allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
|
||||
|
||||
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
||||
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
||||
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
|
||||
allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto };
|
||||
allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
|
||||
|
||||
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
|
||||
kernel_read_system_state(puppetmaster_t)
|
||||
|
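Review bot: The rewritten line `allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;` still targets puppet_tmp_t while the three rules directly above it (manage_dirs_pattern, manage_files_pattern, files_tmp_filetrans) target puppetmaster_tmp_t. That mismatch predates this commit, but since the line is being touched it is worth checking whether puppetmaster_tmp_t was intended; as written, the daemon's own tmp type gets no relabel permission and an unrelated type gets it. If the split is deliberate, a one-line comment above the rule explaining why puppetmaster_t relabels puppet_tmp_t would stop the next reader from asking the same question.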
@ -434,5 +434,5 @@ interface(`rpc_manage_nfs_state_data',`
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
||||
allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
|
||||
allow $1 var_lib_nfs_t:file relabel_file_perms;
|
||||
')
|
||||
|
@ -238,8 +238,8 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||
allow virtd_t virt_image_type:file { relabelfrom relabelto };
|
||||
allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
|
||||
allow virtd_t virt_image_type:file relabel_file_perms;
|
||||
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
|
||||
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
|
||||
|
@ -741,7 +741,7 @@ interface(`auth_relabel_shadow',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 shadow_t:file { relabelfrom relabelto };
|
||||
allow $1 shadow_t:file relabel_file_perms;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
||||
|
@ -1033,8 +1033,8 @@ interface(`logging_admin_syslog',`
|
||||
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||
|
||||
logging_manage_all_logs($1)
|
||||
allow $1 logfile:dir { relabelfrom relabelto };
|
||||
allow $1 logfile:file { relabelfrom relabelto };
|
||||
allow $1 logfile:dir relabel_dir_perms;
|
||||
allow $1 logfile:file relabel_file_perms;
|
||||
|
||||
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
|
@ -1781,7 +1781,7 @@ interface(`userdom_relabel_user_home_files',`
|
||||
type user_home_t;
|
||||
')
|
||||
|
||||
allow $1 user_home_t:file { relabelto relabelfrom };
|
||||
allow $1 user_home_t:file relabel_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|