move run_init to selinux, as it is part of policycoreutils
parent
914c9f78f0
commit
8623d5b854
@ -41,7 +41,6 @@ ifdef(`distro_gentoo', `
|
|||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
#
|
#
|
||||||
/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
|
|
||||||
/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
|
/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -354,35 +354,3 @@ define(`init_script_ignore_modify_runtime_data_depend',`
|
|||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
class file { getattr read write append };
|
class file { getattr read write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# init_run_init_transition(domain)
|
|
||||||
#
|
|
||||||
define(`init_run_init_transition',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
allow $1 run_init_exec_t:file { getattr read execute };
|
|
||||||
allow $1 run_init_t:process transition;
|
|
||||||
type_transition $1 run_init_exec_t:file run_init_t;
|
|
||||||
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`init_run_init_transition_depend',`
|
|
||||||
type run_init_t, run_init_exec_t;
|
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# init_run_init_use_file_descriptors(domain)
|
|
||||||
#
|
|
||||||
define(`init_run_init_use_file_descriptors',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
allow $1 run_init_t:fd use;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`init_run_init_use_file_descriptors_depend',`
|
|
||||||
type run_init_t;
|
|
||||||
class fd use;
|
|
||||||
')
|
|
||||||
|
@ -58,12 +58,6 @@ files_make_file(initrc_state_t)
|
|||||||
type initrc_tmp_t;
|
type initrc_tmp_t;
|
||||||
files_make_temporary_file(initrc_tmp_t)
|
files_make_temporary_file(initrc_tmp_t)
|
||||||
|
|
||||||
type run_init_t;
|
|
||||||
domain_make_domain(run_init_t)
|
|
||||||
|
|
||||||
type run_init_exec_t;
|
|
||||||
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Init local policy
|
# Init local policy
|
||||||
@ -362,84 +356,3 @@ dontaudit initrc_t mail_spool_t:lnk_file read;
|
|||||||
# for lsof which is used by alsa shutdown
|
# for lsof which is used by alsa shutdown
|
||||||
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
|
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
#################################
|
|
||||||
#
|
|
||||||
# Run_init local policy
|
|
||||||
#
|
|
||||||
|
|
||||||
kernel_get_selinuxfs_mount_point(run_init_t)
|
|
||||||
kernel_validate_selinux_context(run_init_t)
|
|
||||||
kernel_compute_selinux_access_vector(run_init_t)
|
|
||||||
kernel_compute_selinux_create_context(run_init_t)
|
|
||||||
kernel_compute_selinux_relabel_context(run_init_t)
|
|
||||||
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
|
||||||
|
|
||||||
tunable_policy(`targeted_policy',`
|
|
||||||
# targeted/unconfined stuff
|
|
||||||
',`
|
|
||||||
allow run_init_t initrc_t:process transition;
|
|
||||||
allow run_init_t initrc_exec_t:file { getattr read execute };
|
|
||||||
dontaudit run_init_t initrc_t : process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
# for utmp
|
|
||||||
allow run_init_t initrc_var_run_t:file { getattr read write };
|
|
||||||
|
|
||||||
allow run_init_t self:process setexec;
|
|
||||||
allow run_init_t self:capability setuid;
|
|
||||||
|
|
||||||
allow run_init_t self:fifo_file { getattr read write };
|
|
||||||
|
|
||||||
# often the administrator runs such programs from a directory that is owned
|
|
||||||
# by a different user or has restrictive SE permissions, do not want to audit
|
|
||||||
# the failed access to the current directory
|
|
||||||
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
|
||||||
files_ignore_search_all_directories(run_init_t)
|
|
||||||
|
|
||||||
filesystem_get_persistent_filesystem_attributes(run_init_t)
|
|
||||||
|
|
||||||
devices_ignore_list_device_nodes(run_init_t)
|
|
||||||
|
|
||||||
terminal_ignore_list_pseudoterminals(run_init_t)
|
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
|
||||||
|
|
||||||
corecommands_execute_general_programs(run_init_t)
|
|
||||||
corecommands_execute_shell(run_init_t)
|
|
||||||
|
|
||||||
files_read_general_system_config(run_init_t)
|
|
||||||
|
|
||||||
libraries_use_dynamic_loader(run_init_t)
|
|
||||||
libraries_use_shared_libraries(run_init_t)
|
|
||||||
|
|
||||||
selinux_read_config(run_init_t)
|
|
||||||
selinux_read_default_contexts(run_init_t)
|
|
||||||
|
|
||||||
authlogin_ignore_read_shadow_passwords(run_init_t)
|
|
||||||
|
|
||||||
miscfiles_read_localization(run_init_t)
|
|
||||||
|
|
||||||
logging_send_system_log_message(run_init_t)
|
|
||||||
') dnl end ifdef targeted policy
|
|
||||||
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
|
||||||
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
|
|
||||||
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
|
|
||||||
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
|
|
||||||
domain_trans(initrc_t, shell_exec_t, unconfined_t)
|
|
||||||
', `
|
|
||||||
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
|
|
||||||
role sysadm_r types run_init_t;
|
|
||||||
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
|
|
||||||
allow run_init_t admin_tty_type:chr_file rw_file_perms;
|
|
||||||
') dnl endif targeted policy
|
|
||||||
|
|
||||||
tunable_policy(`distro_gentoo', `
|
|
||||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
|
||||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
|
||||||
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
|
||||||
')
|
|
||||||
') dnl end TODO
|
|
||||||
|
@ -33,6 +33,7 @@
|
|||||||
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
|
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
|
||||||
|
|
||||||
/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
|
/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
|
||||||
|
/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
|
||||||
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
|
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
|
||||||
|
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian', `
|
||||||
|
@ -80,7 +80,7 @@ class file { getattr read };
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# newrole_transition(domain)
|
# selinux_newrole_transition(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_transition',`
|
define(`selinux_newrole_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -170,6 +170,38 @@ type restorecon_t, restorecon_exec_t;
|
|||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# selinux_run_init_transition(domain)
|
||||||
|
#
|
||||||
|
define(`selinux_run_init_transition',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 run_init_exec_t:file { getattr read execute };
|
||||||
|
allow $1 run_init_t:process transition;
|
||||||
|
type_transition $1 run_init_exec_t:file run_init_t;
|
||||||
|
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`selinux_run_init_transition_depend',`
|
||||||
|
type run_init_t, run_init_exec_t;
|
||||||
|
class file { getattr read execute };
|
||||||
|
class process { transition noatsecure siginh rlimitinh };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# selinux_run_init_use_file_descriptors(domain)
|
||||||
|
#
|
||||||
|
define(`selinux_run_init_use_file_descriptors',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 run_init_t:fd use;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`selinux_run_init_use_file_descriptors_depend',`
|
||||||
|
type run_init_t;
|
||||||
|
class fd use;
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_setfiles_transition(domain)
|
# selinux_setfiles_transition(domain)
|
||||||
|
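Review bot: The two new interfaces, `selinux_run_init_transition` and `selinux_run_init_use_file_descriptors`, carry only a name banner, so a caller cannot tell what is granted to `$1`. The first one includes a `type_transition` rule, so the calling domain enters `run_init_t` automatically on executing `run_init_exec_t`, and the policy file in this commit gives `run_init_t` `self:process setexec`, `self:capability setuid` and `init_script_transition`. I would add a header such as `# Execute run_init with an automatic domain transition to run_init_t; $1 is the source domain.` and a matching one-line description on the file-descriptor interface. The role side (`role sysadm_r types run_init_t;`) is not part of the interface and appears only inside the TODO block of the policy file, so callers presumably have to supply it themselves. This section is rendered a second time further down the page and the point applies there as well.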
@ -70,6 +70,12 @@ kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
|||||||
init_make_system_domain(restorecon_t,restorecon_exec_t)
|
init_make_system_domain(restorecon_t,restorecon_exec_t)
|
||||||
role system_r types restorecon_t;
|
role system_r types restorecon_t;
|
||||||
|
|
||||||
|
type run_init_t;
|
||||||
|
domain_make_domain(run_init_t)
|
||||||
|
|
||||||
|
type run_init_exec_t;
|
||||||
|
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# selinux_config_t is the type applied to
|
# selinux_config_t is the type applied to
|
||||||
# /etc/selinux/config
|
# /etc/selinux/config
|
||||||
@ -353,6 +359,84 @@ allow restorecon_t device_t:file { read write };
|
|||||||
allow restorecon_t kernel_t:fifo_file { read write };
|
allow restorecon_t kernel_t:fifo_file { read write };
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
|
#################################
|
||||||
|
#
|
||||||
|
# Run_init local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||||
|
kernel_validate_selinux_context(run_init_t)
|
||||||
|
kernel_compute_selinux_access_vector(run_init_t)
|
||||||
|
kernel_compute_selinux_create_context(run_init_t)
|
||||||
|
kernel_compute_selinux_relabel_context(run_init_t)
|
||||||
|
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
||||||
|
|
||||||
|
tunable_policy(`targeted_policy',`
|
||||||
|
# targeted/unconfined stuff
|
||||||
|
',`
|
||||||
|
|
||||||
|
allow run_init_t self:process setexec;
|
||||||
|
allow run_init_t self:capability setuid;
|
||||||
|
|
||||||
|
allow run_init_t self:fifo_file { getattr read write };
|
||||||
|
|
||||||
|
# often the administrator runs such programs from a directory that is owned
|
||||||
|
# by a different user or has restrictive SE permissions, do not want to audit
|
||||||
|
# the failed access to the current directory
|
||||||
|
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||||
|
|
||||||
|
filesystem_get_persistent_filesystem_attributes(run_init_t)
|
||||||
|
|
||||||
|
devices_ignore_list_device_nodes(run_init_t)
|
||||||
|
|
||||||
|
terminal_ignore_list_pseudoterminals(run_init_t)
|
||||||
|
|
||||||
|
authlogin_ignore_read_shadow_passwords(run_init_t)
|
||||||
|
|
||||||
|
corecommands_execute_general_programs(run_init_t)
|
||||||
|
corecommands_execute_shell(run_init_t)
|
||||||
|
|
||||||
|
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
||||||
|
|
||||||
|
files_read_general_system_config(run_init_t)
|
||||||
|
files_ignore_search_all_directories(run_init_t)
|
||||||
|
|
||||||
|
init_script_transition(run_init_t)
|
||||||
|
# for utmp
|
||||||
|
init_script_modify_runtime_data(run_init_t)
|
||||||
|
|
||||||
|
libraries_use_dynamic_loader(run_init_t)
|
||||||
|
libraries_use_shared_libraries(run_init_t)
|
||||||
|
|
||||||
|
selinux_read_config(run_init_t)
|
||||||
|
selinux_read_default_contexts(run_init_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(run_init_t)
|
||||||
|
|
||||||
|
logging_send_system_log_message(run_init_t)
|
||||||
|
') dnl end ifdef targeted policy
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
|
||||||
|
tunable_policy(`targeted_policy', `
|
||||||
|
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
|
||||||
|
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
|
||||||
|
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
|
||||||
|
domain_trans(initrc_t, shell_exec_t, unconfined_t)
|
||||||
|
', `
|
||||||
|
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
|
||||||
|
role sysadm_r types run_init_t;
|
||||||
|
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
|
||||||
|
allow run_init_t admin_tty_type:chr_file rw_file_perms;
|
||||||
|
') dnl endif targeted policy
|
||||||
|
|
||||||
|
tunable_policy(`distro_gentoo', `
|
||||||
|
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||||
|
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||||
|
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
||||||
|
')
|
||||||
|
') dnl end TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Setfiles local policy
|
# Setfiles local policy
|
||||||
|
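Review bot: In the Run_init local policy block the move is not purely mechanical: the explicit rules removed from the init policy (`allow run_init_t initrc_t:process transition;`, the `initrc_exec_t:file { getattr read execute }` rule and `allow run_init_t initrc_var_run_t:file { getattr read write };`) are replaced by `init_script_transition(run_init_t)` and `init_script_modify_runtime_data(run_init_t)`. The definitions of those two interfaces are outside this diff, so it cannot be confirmed here that they expand to exactly the old rules; if they add, for instance, a `type_transition` or `append`, run_init_t ends up with more than it had. Comparing the expanded policy before and after the commit would settle it, and a comment such as `# replaces the explicit initrc_t transition and utmp rules formerly in the init module` above the two calls would record the intent. Separately, the targeted branch of the trailing TODO block (the `unconfined_t`/`initrc_t` auto-transition and dbus rules) does not involve run_init_t and looks like it belongs with the init module rather than here. The same section is repeated further down the page and both remarks apply there too.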
@ -33,6 +33,7 @@
|
|||||||
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
|
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
|
||||||
|
|
||||||
/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
|
/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
|
||||||
|
/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
|
||||||
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
|
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
|
||||||
|
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian', `
|
||||||
|
@ -80,7 +80,7 @@ class file { getattr read };
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# newrole_transition(domain)
|
# selinux_newrole_transition(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_transition',`
|
define(`selinux_newrole_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -170,6 +170,38 @@ type restorecon_t, restorecon_exec_t;
|
|||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# selinux_run_init_transition(domain)
|
||||||
|
#
|
||||||
|
define(`selinux_run_init_transition',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 run_init_exec_t:file { getattr read execute };
|
||||||
|
allow $1 run_init_t:process transition;
|
||||||
|
type_transition $1 run_init_exec_t:file run_init_t;
|
||||||
|
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`selinux_run_init_transition_depend',`
|
||||||
|
type run_init_t, run_init_exec_t;
|
||||||
|
class file { getattr read execute };
|
||||||
|
class process { transition noatsecure siginh rlimitinh };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# selinux_run_init_use_file_descriptors(domain)
|
||||||
|
#
|
||||||
|
define(`selinux_run_init_use_file_descriptors',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 run_init_t:fd use;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`selinux_run_init_use_file_descriptors_depend',`
|
||||||
|
type run_init_t;
|
||||||
|
class fd use;
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_setfiles_transition(domain)
|
# selinux_setfiles_transition(domain)
|
||||||
|
@ -70,6 +70,12 @@ kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
|||||||
init_make_system_domain(restorecon_t,restorecon_exec_t)
|
init_make_system_domain(restorecon_t,restorecon_exec_t)
|
||||||
role system_r types restorecon_t;
|
role system_r types restorecon_t;
|
||||||
|
|
||||||
|
type run_init_t;
|
||||||
|
domain_make_domain(run_init_t)
|
||||||
|
|
||||||
|
type run_init_exec_t;
|
||||||
|
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# selinux_config_t is the type applied to
|
# selinux_config_t is the type applied to
|
||||||
# /etc/selinux/config
|
# /etc/selinux/config
|
||||||
@ -353,6 +359,84 @@ allow restorecon_t device_t:file { read write };
|
|||||||
allow restorecon_t kernel_t:fifo_file { read write };
|
allow restorecon_t kernel_t:fifo_file { read write };
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
|
#################################
|
||||||
|
#
|
||||||
|
# Run_init local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||||
|
kernel_validate_selinux_context(run_init_t)
|
||||||
|
kernel_compute_selinux_access_vector(run_init_t)
|
||||||
|
kernel_compute_selinux_create_context(run_init_t)
|
||||||
|
kernel_compute_selinux_relabel_context(run_init_t)
|
||||||
|
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
||||||
|
|
||||||
|
tunable_policy(`targeted_policy',`
|
||||||
|
# targeted/unconfined stuff
|
||||||
|
',`
|
||||||
|
|
||||||
|
allow run_init_t self:process setexec;
|
||||||
|
allow run_init_t self:capability setuid;
|
||||||
|
|
||||||
|
allow run_init_t self:fifo_file { getattr read write };
|
||||||
|
|
||||||
|
# often the administrator runs such programs from a directory that is owned
|
||||||
|
# by a different user or has restrictive SE permissions, do not want to audit
|
||||||
|
# the failed access to the current directory
|
||||||
|
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||||
|
|
||||||
|
filesystem_get_persistent_filesystem_attributes(run_init_t)
|
||||||
|
|
||||||
|
devices_ignore_list_device_nodes(run_init_t)
|
||||||
|
|
||||||
|
terminal_ignore_list_pseudoterminals(run_init_t)
|
||||||
|
|
||||||
|
authlogin_ignore_read_shadow_passwords(run_init_t)
|
||||||
|
|
||||||
|
corecommands_execute_general_programs(run_init_t)
|
||||||
|
corecommands_execute_shell(run_init_t)
|
||||||
|
|
||||||
|
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
||||||
|
|
||||||
|
files_read_general_system_config(run_init_t)
|
||||||
|
files_ignore_search_all_directories(run_init_t)
|
||||||
|
|
||||||
|
init_script_transition(run_init_t)
|
||||||
|
# for utmp
|
||||||
|
init_script_modify_runtime_data(run_init_t)
|
||||||
|
|
||||||
|
libraries_use_dynamic_loader(run_init_t)
|
||||||
|
libraries_use_shared_libraries(run_init_t)
|
||||||
|
|
||||||
|
selinux_read_config(run_init_t)
|
||||||
|
selinux_read_default_contexts(run_init_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(run_init_t)
|
||||||
|
|
||||||
|
logging_send_system_log_message(run_init_t)
|
||||||
|
') dnl end ifdef targeted policy
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
|
||||||
|
tunable_policy(`targeted_policy', `
|
||||||
|
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
|
||||||
|
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
|
||||||
|
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
|
||||||
|
domain_trans(initrc_t, shell_exec_t, unconfined_t)
|
||||||
|
', `
|
||||||
|
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
|
||||||
|
role sysadm_r types run_init_t;
|
||||||
|
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
|
||||||
|
allow run_init_t admin_tty_type:chr_file rw_file_perms;
|
||||||
|
') dnl endif targeted policy
|
||||||
|
|
||||||
|
tunable_policy(`distro_gentoo', `
|
||||||
|
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||||
|
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||||
|
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
||||||
|
')
|
||||||
|
') dnl end TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Setfiles local policy
|
# Setfiles local policy
|
||||||
|
@ -257,14 +257,13 @@ filesystem_get_persistent_filesystem_attributes(ifconfig_t)
|
|||||||
terminal_ignore_use_all_private_physical_terminals(ifconfig_t)
|
terminal_ignore_use_all_private_physical_terminals(ifconfig_t)
|
||||||
terminal_ignore_use_all_private_pseudoterminals(ifconfig_t)
|
terminal_ignore_use_all_private_pseudoterminals(ifconfig_t)
|
||||||
|
|
||||||
init_use_file_descriptors(ifconfig_t)
|
|
||||||
init_script_use_pseudoterminal(ifconfig_t)
|
|
||||||
init_run_init_use_file_descriptors(ifconfig_t)
|
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(ifconfig_t)
|
domain_use_widely_inheritable_file_descriptors(ifconfig_t)
|
||||||
|
|
||||||
files_ignore_read_rootfs_file(ifconfig_t)
|
files_ignore_read_rootfs_file(ifconfig_t)
|
||||||
|
|
||||||
|
init_use_file_descriptors(ifconfig_t)
|
||||||
|
init_script_use_pseudoterminal(ifconfig_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(ifconfig_t)
|
libraries_use_dynamic_loader(ifconfig_t)
|
||||||
libraries_use_shared_libraries(ifconfig_t)
|
libraries_use_shared_libraries(ifconfig_t)
|
||||||
|
|
||||||
@ -272,6 +271,8 @@ logging_send_system_log_message(ifconfig_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(ifconfig_t)
|
miscfiles_read_localization(ifconfig_t)
|
||||||
|
|
||||||
|
selinux_run_init_use_file_descriptors(ifconfig_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
can_ypbind(ifconfig_t)
|
can_ypbind(ifconfig_t)
|
||||||
|