patch from dan Thu, 18 May 2006 11:56:22 -0400
This commit is contained in:
parent
46fc46cfdd
commit
87eb5c84e7
@ -85,6 +85,14 @@ gen_tunable(allow_java_execstack,false)
|
||||
## </desc>
|
||||
gen_tunable(allow_kerberos,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow nfs servers to modify public files
|
||||
## used for public file transfer services.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_nfsd_anon_write,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow rsync to modify public files
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(consoletype,1.0.0)
|
||||
policy_module(consoletype,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -107,3 +107,10 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
userdom_use_unpriv_users_fds(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kernel_read_xen_state(consoletype_t)
|
||||
kernel_write_xen_state(consoletype_t)
|
||||
xen_append_log(consoletype_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
|
||||
')
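Review bot: `kernel_write_xen_state(consoletype_t)` grants write access to xen state to a program whose only job in this module is reporting the console type, and nothing in the hunk says why `kernel_read_xen_state` alone is not enough. The xen.te hunk of this commit adds `consoletype_domtrans(xend_t)`, so the access is presumably driven by xend running consoletype from its scripts; if a specific denial motivated the write, record it above the block, e.g. `# consoletype is run by xend scripts; xen state write observed in <denial-id placeholder>`, otherwise keep only the read rule. The same read/write pair is added for `dhcpc_t` and `ifconfig_t` in the two sysnetwork.te hunks, which should carry the same justification.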
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(prelink,1.1.1)
|
||||
policy_module(prelink,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,7 @@ attribute prelink_object;
|
||||
type prelink_t;
|
||||
type prelink_exec_t;
|
||||
init_system_domain(prelink_t,prelink_exec_t)
|
||||
domain_obj_id_change_exemption(prelink_t)
|
||||
|
||||
type prelink_cache_t;
|
||||
files_type(prelink_cache_t)
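Review bot: `domain_obj_id_change_exemption(prelink_t)` exempts prelink from the constraints on changing a file's object identity and is added with no comment, unlike the declarations around it. A constraint exemption is exactly the grant a later reader will want to justify or revoke; presumably prelink needs it to restore the full original context of a binary it has rewritten, but the hunk does not show that. Add a one-line why above it, e.g. `# prelink rewrites binaries and must restore their original context, including the SELinux user — confirm against the denial`, adjusted to whatever actually prompted it.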
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mls,1.3.0)
|
||||
policy_module(mls,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -57,6 +57,7 @@ attribute mlsrangetrans;
|
||||
#
|
||||
|
||||
type lvm_exec_t;
|
||||
type run_init_t;
|
||||
type setrans_exec_t;
|
||||
|
||||
ifdef(`enable_mls',`
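Review bot: `type run_init_t;` is declared here in the mls module with no explanation, while the matching selinuxutil.te hunk carries the comment that the real declaration was moved until range transitions work in modules; a reader of mls.te alone cannot tell this is a temporary relocation rather than an mls-owned type. Mirror the note at the declaration, e.g. `# run_init_t belongs to selinuxutil; declared here until range transitions work in modules`, so the two files can be reconciled when the workaround is removed.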
|
||||
@ -64,4 +65,5 @@ range_transition initrc_t auditd_exec_t s15:c0.c255;
|
||||
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
|
||||
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
|
||||
range_transition initrc_t setrans_exec_t s15:c0.c255;
|
||||
range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
|
||||
')
|
||||
|
@ -430,7 +430,7 @@ interface(`term_dontaudit_use_generic_ptys',`
|
||||
type devpts_t;
|
||||
')
|
||||
|
||||
dontaudit $1 devpts_t:chr_file { getattr read write };
|
||||
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(terminal,1.1.1)
|
||||
policy_module(terminal,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -8,4 +8,5 @@
|
||||
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
|
||||
/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
|
||||
/var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
|
||||
/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
|
||||
/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(amavis,1.0.3)
|
||||
policy_module(amavis,1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -35,12 +35,15 @@ files_tmp_file(amavis_tmp_t)
|
||||
type amavis_quarantine_t;
|
||||
files_type(amavis_quarantine_t)
|
||||
|
||||
type amavis_spool_t;
|
||||
files_type(amavis_spool_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# amavis local policy
|
||||
#
|
||||
|
||||
allow amavis_t self:capability { chown dac_override setgid setuid };
|
||||
allow amavis_t self:capability { kill chown dac_override setgid setuid };
|
||||
dontaudit amavis_t self:capability sys_tty_config;
|
||||
allow amavis_t self:process { signal sigchld signull };
|
||||
allow amavis_t self:fifo_file rw_file_perms;
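Review bot: adding `kill` to `allow amavis_t self:capability { ... }` is the one line in this hunk without a rationale, and CAP_KILL is the DAC-side check consulted only when a signal goes to a process with a different uid, distinct from the `self:process { signal sigchld signull }` rule two lines below. If amavis signals helpers running under another uid, say so, e.g. `# kill: amavisd signals child processes running as a different uid — confirm`, otherwise the capability may be a leftover from a denial that a dontaudit should absorb instead.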
|
||||
@ -58,6 +61,11 @@ allow amavis_t amavis_quarantine_t:file create_file_perms;
|
||||
allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
|
||||
allow amavis_t amavis_quarantine_t:dir create_dir_perms;
|
||||
|
||||
# Spool Files
|
||||
allow amavis_t amavis_spool_t:dir manage_dir_perms;
|
||||
allow amavis_t amavis_spool_t:file manage_file_perms;
|
||||
files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
|
||||
|
||||
# tmp files
|
||||
allow amavis_t amavis_tmp_t:file create_file_perms;
|
||||
allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
|
||||
@ -82,8 +90,10 @@ allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
|
||||
allow amavis_t amavis_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(amavis_t)
|
||||
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
|
||||
kernel_dontaudit_list_proc(amavis_t)
|
||||
kernel_dontaudit_read_system_state(amavis_t)
|
||||
|
||||
# find perl
|
||||
corecmd_exec_bin(amavis_t)
|
||||
@ -115,6 +125,7 @@ auth_dontaudit_read_shadow(amavis_t)
|
||||
|
||||
init_use_fds(amavis_t)
|
||||
init_use_script_ptys(amavis_t)
|
||||
init_stream_connect_script(amavis_t)
|
||||
|
||||
libs_use_ld_so(amavis_t)
|
||||
libs_use_shared_libs(amavis_t)
|
||||
@ -134,8 +145,13 @@ cron_rw_pipes(amavis_t)
|
||||
|
||||
mta_read_config(amavis_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(amavis_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
clamav_stream_connect(amavis_t)
|
||||
clamav_domtrans_clamscan(amavis_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bind,1.1.3)
|
||||
policy_module(bind,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -123,6 +123,8 @@ term_dontaudit_use_console(named_t)
|
||||
|
||||
corecmd_search_sbin(named_t)
|
||||
|
||||
dev_read_urand(named_t)
|
||||
|
||||
domain_use_interactive_fds(named_t)
|
||||
|
||||
files_read_etc_files(named_t)
|
||||
@ -137,6 +139,7 @@ libs_use_shared_libs(named_t)
|
||||
logging_send_syslog_msg(named_t)
|
||||
|
||||
miscfiles_read_localization(named_t)
|
||||
miscfiles_read_certs(named_t)
|
||||
|
||||
sysnet_read_config(named_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bluetooth,1.2.4)
|
||||
policy_module(bluetooth,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -211,6 +211,7 @@ sysnet_read_config(bluetooth_helper_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
files_rw_generic_tmp_sockets(bluetooth_helper_t)
|
||||
files_manage_generic_tmp_files(bluetooth_helper_t)
|
||||
|
||||
fs_rw_tmpfs_files(bluetooth_helper_t)
|
||||
|
||||
@ -218,7 +219,7 @@ ifdef(`targeted_policy',`
|
||||
|
||||
unconfined_stream_connect(bluetooth_helper_t)
|
||||
|
||||
userdom_read_all_users_home_content_files(bluetooth_helper_t)
|
||||
userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
|
||||
|
||||
optional_policy(`
|
||||
xserver_stream_connect_xdm(bluetooth_helper_t)
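Review bot: replacing `userdom_read_all_users_home_content_files(bluetooth_helper_t)` with `userdom_manage_generic_user_home_content_files(bluetooth_helper_t)` turns read-only access into create/write/delete over user home content, and together with `files_manage_generic_tmp_files(bluetooth_helper_t)` in the previous hunk the helper can now modify files it could only read before; neither line says what drove the widening. If the need is receiving file transfers into the home directory, a dedicated type for the drop location would bound the write access better than generic home content; at minimum add a comment stating the use case, e.g. `# bluetooth helpers write received files into the user's home directory — confirm`. Whether these lines sit inside the `ifdef(`targeted_policy'` block opened in the previous hunk is not visible here.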
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.3.3)
|
||||
policy_module(cups,1.3.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -672,6 +672,7 @@ allow cupsd_lpd_t self:process signal_perms;
|
||||
allow cupsd_lpd_t self:fifo_file rw_file_perms;
|
||||
allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow cupsd_lpd_t self:udp_socket create_socket_perms;
|
||||
allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# for identd
|
||||
# cjp: this should probably only be inetd_child rules?
|
||||
@ -731,6 +732,8 @@ miscfiles_read_localization(cupsd_lpd_t)
|
||||
|
||||
sysnet_read_config(cupsd_lpd_t)
|
||||
|
||||
cups_stream_connect(cupsd_lpd_t)
|
||||
|
||||
optional_policy(`
|
||||
inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.3.6)
|
||||
policy_module(hal,1.3.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -93,6 +93,7 @@ files_read_usr_files(hald_t)
|
||||
# hal is now execing pm-suspend
|
||||
files_create_boot_flag(hald_t)
|
||||
files_getattr_all_dirs(hald_t)
|
||||
files_read_kernel_img(hald_t)
|
||||
|
||||
fs_getattr_all_fs(hald_t)
|
||||
fs_search_all(hald_t)
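Review bot: `files_read_kernel_img(hald_t)` gives hal read access to kernel image files with no comment, and the only nearby explanation (`# hal is now execing pm-suspend`) is attached to `files_create_boot_flag`, so it is unclear whether the new grant belongs to the same pm-suspend change. Give it its own note, e.g. `# pm-suspend reads the kernel image — confirm against the denial`, or name the actual consumer; a hardware daemon reading the kernel image is otherwise a surprising permission to audit later.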
|
||||
|
@ -5,3 +5,7 @@
|
||||
|
||||
/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
|
||||
/var/log/pyzord.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(pyzor,1.0.0)
|
||||
policy_module(pyzor,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rpc,1.2.3)
|
||||
policy_module(rpc,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -111,9 +111,17 @@ files_getattr_tmp_dirs(nfsd_t)
|
||||
# cjp: this should really have its own type
|
||||
files_manage_mounttab(rpcd_t)
|
||||
|
||||
# Read access to public_content_t and public_content_rw_t
|
||||
miscfiles_read_public_files(nfsd_t)
|
||||
|
||||
portmap_tcp_connect(nfsd_t)
|
||||
portmap_udp_chat(nfsd_t)
|
||||
|
||||
# Write access to public_content_t and public_content_rw_t
|
||||
tunable_policy(`allow_nfsd_anon_write',`
|
||||
miscfiles_manage_public_files(nfsd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_rw',`
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
auth_manage_all_files_except_shadow(nfsd_t)
|
||||
|
@ -41,3 +41,23 @@ interface(`xfs_stream_connect',`
|
||||
allow $1 xfs_tmp_t:sock_file write;
|
||||
allow $1 xfs_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to execute xfs
|
||||
## in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xfs_exec',`
|
||||
gen_require(`
|
||||
type xfs_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,xfs_exec_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xfs,1.0.1)
|
||||
policy_module(xfs,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -42,19 +42,22 @@ allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
|
||||
kernel_read_kernel_sysctls(xfs_t)
|
||||
kernel_read_system_state(xfs_t)
|
||||
|
||||
corecmd_list_bin(xfs_t)
|
||||
corecmd_list_sbin(xfs_t)
|
||||
|
||||
dev_read_sysfs(xfs_t)
|
||||
|
||||
fs_getattr_all_fs(xfs_t)
|
||||
fs_search_auto_mountpoints(xfs_t)
|
||||
|
||||
term_dontaudit_use_console(xfs_t)
|
||||
|
||||
domain_use_interactive_fds(xfs_t)
|
||||
|
||||
files_read_etc_files(xfs_t)
|
||||
files_read_etc_runtime_files(xfs_t)
|
||||
files_read_usr_files(xfs_t)
|
||||
|
||||
term_dontaudit_use_console(xfs_t)
|
||||
|
||||
init_use_fds(xfs_t)
|
||||
init_use_script_ptys(xfs_t)
|
||||
|
||||
@ -69,6 +72,8 @@ miscfiles_read_fonts(xfs_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
|
||||
|
||||
xfs_exec(xfs_t)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
# for /tmp/.font-unix/fs7100
|
||||
init_script_tmp_filetrans(xfs_t,xfs_tmp_t,sock_file)
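Review bot: `xfs_exec(xfs_t)` lets the font server execute its own entry point without a domain transition, which is a re-exec pattern worth a comment saying when xfs does this, e.g. `# xfs re-executes itself; stays in xfs_t (no transition)`; the new interface in xfs.if exists for this one caller as far as the commit shows. Separately, the earlier hunk in this file prints `term_dontaudit_use_console(xfs_t)` twice; if both copies survive on the new side the rule is duplicated rather than moved, which the lost diff markers make impossible to confirm here.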
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(init,1.3.12)
|
||||
policy_module(init,1.3.13)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -374,6 +374,7 @@ mls_file_write_down(initrc_t)
|
||||
mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_rangetrans_target(initrc_t)
|
||||
|
||||
modutils_read_module_config(initrc_t)
|
||||
modutils_domtrans_insmod(initrc_t)
|
||||
|
@ -36,6 +36,8 @@
|
||||
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
|
||||
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
|
||||
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
|
||||
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(selinuxutil,1.2.6)
|
||||
policy_module(selinuxutil,1.2.7)
|
||||
|
||||
gen_require(`
|
||||
bool secure_mode;
|
||||
@ -92,7 +92,11 @@ role system_r types restorecond_t;
|
||||
type restorecond_var_run_t;
|
||||
files_pid_file(restorecond_var_run_t)
|
||||
|
||||
type run_init_t;
|
||||
# real declaration moved to mls until
|
||||
# range transitions work in modules
|
||||
gen_require(`
|
||||
type run_init_t;
|
||||
')
|
||||
type run_init_exec_t;
|
||||
domain_type(run_init_t)
|
||||
domain_entry_file(run_init_t,run_init_exec_t)
|
||||
@ -447,7 +451,7 @@ libs_use_shared_libs(restorecond_t)
|
||||
|
||||
logging_send_syslog_msg(restorecond_t)
|
||||
|
||||
miscfiles_read_localization(run_init_t)
|
||||
miscfiles_read_localization(restorecond_t)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -461,6 +465,8 @@ selinux_compute_create_context(run_init_t)
|
||||
selinux_compute_relabel_context(run_init_t)
|
||||
selinux_compute_user_contexts(run_init_t)
|
||||
|
||||
mls_rangetrans_source(run_init_t)
|
||||
|
||||
ifdef(`direct_sysadm_daemon',`',`
|
||||
ifdef(`distro_gentoo',`
|
||||
# Gentoo integrated run_init:
|
||||
@ -526,6 +532,8 @@ ifdef(`targeted_policy',`',`
|
||||
#
|
||||
|
||||
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow semanage_t self:unix_dgram_socket create_socket_perms;
|
||||
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
||||
allow semanage_t policy_config_t:file { read write };
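Review bot: `nlmsg_relay` on `semanage_t self:netlink_audit_socket` permits the domain to submit user-space audit records, a privilege that should say which tool emits them; the later hunk's `# for setsebool:` next to `selinux_set_boolean(semanage_t)` suggests this is for the audit record written when a boolean changes, but the audit line itself carries no note. Add `# setsebool/semodule send audit messages on boolean and policy changes — confirm` above the rule, since `setsebool` and `semodule` are newly labelled `semanage_exec_t` in the fc hunk of this commit.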
|
||||
|
||||
@ -535,6 +543,8 @@ kernel_read_kernel_sysctls(semanage_t)
|
||||
corecmd_exec_bin(semanage_t)
|
||||
corecmd_exec_sbin(semanage_t)
|
||||
|
||||
dev_read_urand(semanage_t)
|
||||
|
||||
files_read_etc_files(semanage_t)
|
||||
files_read_usr_files(semanage_t)
|
||||
files_list_pids(semanage_t)
|
||||
@ -544,6 +554,8 @@ mls_rangetrans_target(semanage_t)
|
||||
mls_file_read_up(semanage_t)
|
||||
|
||||
selinux_get_enforce_mode(semanage_t)
|
||||
# for setsebool:
|
||||
selinux_set_boolean(semanage_t)
|
||||
|
||||
term_use_all_terms(semanage_t)
|
||||
|
||||
@ -551,6 +563,8 @@ libs_use_ld_so(semanage_t)
|
||||
libs_use_shared_libs(semanage_t)
|
||||
libs_use_lib_files(semanage_t)
|
||||
|
||||
logging_send_syslog_msg(semanage_t)
|
||||
|
||||
miscfiles_read_localization(semanage_t)
|
||||
|
||||
seutil_search_default_contexts(semanage_t)
|
||||
@ -565,6 +579,8 @@ seutil_manage_module_store(semanage_t)
|
||||
seutil_get_semanage_trans_lock(semanage_t)
|
||||
seutil_get_semanage_read_lock(semanage_t)
|
||||
|
||||
userdom_search_sysadm_home_dirs(semanage_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# Handle pp files created in homedir and /tmp
|
||||
files_read_generic_tmp_files(semanage_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(setrans,1.0.0)
|
||||
policy_module(setrans,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -23,7 +23,8 @@ mls_trusted_object(setrans_var_run_t)
|
||||
# setrans local policy
|
||||
#
|
||||
|
||||
allow setrans_t self:process { setcap signal_perms };
|
||||
allow setrans_t self:capability sys_resource;
|
||||
allow setrans_t self:process { setrlimit setcap signal_perms };
|
||||
allow setrans_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow setrans_t self:unix_dgram_socket create_socket_perms;
|
||||
allow setrans_t self:netlink_selinux_socket create_socket_perms;
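Review bot: `sys_resource` plus `setrlimit` on `setrans_t self:process` let the setrans daemon raise its own resource limits, hard limits included, and the hunk gives no hint of which limit it needs; for a long-running socket server that is usually the open file limit, but that is an inference. Note the limit and the reason on the capability line, e.g. `# setrlimit: raises RLIMIT_NOFILE for client connections — confirm`, so the capability can be dropped if the daemon stops needing it.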
|
||||
@ -57,6 +58,7 @@ selinux_compute_access_vector(setrans_t)
|
||||
term_dontaudit_use_generic_ptys(setrans_t)
|
||||
|
||||
init_use_fds(setrans_t)
|
||||
init_dontaudit_use_script_ptys(setrans_t)
|
||||
|
||||
libs_use_ld_so(setrans_t)
|
||||
libs_use_shared_libs(setrans_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sysnetwork,1.1.4)
|
||||
policy_module(sysnetwork,1.1.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -247,6 +247,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kernel_read_xen_state(dhcpc_t)
|
||||
kernel_write_xen_state(dhcpc_t)
|
||||
xen_append_log(dhcpc_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
|
||||
')
|
||||
@ -349,6 +351,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kernel_read_xen_state(ifconfig_t)
|
||||
kernel_write_xen_state(ifconfig_t)
|
||||
xen_append_log(ifconfig_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
||||
')
|
||||
|
@ -12,6 +12,7 @@
|
||||
/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||
|
||||
/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
|
||||
/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
|
||||
/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
|
||||
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
|
||||
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xen,1.0.3)
|
||||
policy_module(xen,1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -77,7 +77,7 @@ allow xend_t self:packet_socket create_socket_perms;
|
||||
# pid file
|
||||
allow xend_t xend_var_run_t:file manage_file_perms;
|
||||
allow xend_t xend_var_run_t:sock_file manage_file_perms;
|
||||
allow xend_t xend_var_run_t:dir rw_dir_perms;
|
||||
allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
|
||||
files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
|
||||
|
||||
# log files
|
||||
@ -153,10 +153,12 @@ sysnet_dns_name_resolve(xend_t)
|
||||
sysnet_delete_dhcpc_pid(xend_t)
|
||||
sysnet_read_dhcpc_pid(xend_t)
|
||||
|
||||
consoletype_exec(xend_t)
|
||||
|
||||
xen_stream_connect_xenstore(xend_t)
|
||||
|
||||
optional_policy(`
|
||||
consoletype_domtrans(xend_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Xen console local policy
|
||||
@ -180,6 +182,7 @@ kernel_read_xen_state(xenconsoled_t)
|
||||
|
||||
term_create_pty(xenconsoled_t,xen_devpts_t);
|
||||
term_dontaudit_use_generic_ptys(xenconsoled_t)
|
||||
term_use_console(xenconsoled_t)
|
||||
|
||||
init_use_fds(xenconsoled_t)
|
||||
|
||||
@ -198,6 +201,7 @@ xen_stream_connect_xenstore(xenconsoled_t)
|
||||
|
||||
allow xenstored_t self:capability { dac_override mknod ipc_lock };
|
||||
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow xenstored_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
# pid file
|
||||
allow xenstored_t xenstored_var_run_t:file manage_file_perms;
|
||||
@ -220,12 +224,15 @@ dev_filetrans_xen(xenstored_t)
|
||||
dev_rw_xen(xenstored_t)
|
||||
|
||||
term_dontaudit_use_generic_ptys(xenstored_t)
|
||||
term_dontaudit_use_console(xenconsoled_t)
|
||||
|
||||
init_use_fds(xenstored_t)
|
||||
|
||||
libs_use_ld_so(xenstored_t)
|
||||
libs_use_shared_libs(xenstored_t)
|
||||
|
||||
logging_send_syslog_msg(xenstored_t)
|
||||
|
||||
miscfiles_read_localization(xenstored_t)
|
||||
|
||||
xen_append_log(xenstored_t)
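Review bot: `term_dontaudit_use_console(xenconsoled_t)` sits in the xenstored_t rule block, between `term_dontaudit_use_generic_ptys(xenstored_t)` and `init_use_fds(xenstored_t)`, and names the wrong domain; it looks like a copy-paste slip for `term_dontaudit_use_console(xenstored_t)`. It is also ineffective as written, because the `@ -180,6 +182,7` hunk of this file adds `term_use_console(xenconsoled_t)`, an allow that makes a dontaudit for the same domain and permission moot. Change the line to `term_dontaudit_use_console(xenstored_t)` if that is the intent, or remove it.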
|
||||
|