make getattr and setattr interfaces and make naming consistent
parent
33bc0dd994
commit
8a0da1086c
@ -36,6 +36,11 @@ type bootloader_tmp_t;
|
|||||||
files_make_file(bootloader_tmp_t)
|
files_make_file(bootloader_tmp_t)
|
||||||
devices_make_device_node(bootloader_tmp_t)
|
devices_make_device_node(bootloader_tmp_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# bootloader local policy
|
||||||
|
#
|
||||||
|
|
||||||
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
|
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
|
||||||
allow bootloader_t self:process { sigkill sigstop signull signal };
|
allow bootloader_t self:process { sigkill sigstop signull signal };
|
||||||
allow bootloader_t self:fifo_file { getattr read write };
|
allow bootloader_t self:fifo_file { getattr read write };
|
||||||
@ -50,6 +55,7 @@ storage_raw_write_fixed_disk(bootloader_t)
|
|||||||
storage_raw_read_removable_device(bootloader_t)
|
storage_raw_read_removable_device(bootloader_t)
|
||||||
storage_raw_write_removable_device(bootloader_t)
|
storage_raw_write_removable_device(bootloader_t)
|
||||||
|
|
||||||
|
devices_get_all_block_device_attributes(bootloader_t)
|
||||||
# for reading BIOS data (cjp: ?)
|
# for reading BIOS data (cjp: ?)
|
||||||
devices_raw_read_memory(bootloader_t)
|
devices_raw_read_memory(bootloader_t)
|
||||||
|
|
||||||
@ -66,7 +72,7 @@ logging_send_system_log_message(bootloader_t)
|
|||||||
#files_create_private_config(bootloader_t,bootloader_etc_t)
|
#files_create_private_config(bootloader_t,bootloader_etc_t)
|
||||||
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
|
||||||
filesystem_read_persistent_filesystem_stats(bootloader_t)
|
filesystem_read_persistent_filesystem_attributes(bootloader_t)
|
||||||
|
|
||||||
terminal_use_controlling_terminal(bootloader_t)
|
terminal_use_controlling_terminal(bootloader_t)
|
||||||
|
|
||||||
@ -115,6 +121,10 @@ allow bootloader_t bootloader_tmp_t:lnk_file { create read getattr setattr unlin
|
|||||||
# for tune2fs (cjp: ?)
|
# for tune2fs (cjp: ?)
|
||||||
files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t)
|
files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t)
|
||||||
|
|
||||||
|
ifdef(`fsadm.te', `
|
||||||
|
filesystemtools_execute(bootloader_t)
|
||||||
|
')
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
@ -124,7 +134,6 @@ allow bootloader_t admin_tty_type:chr_file rw_file_perms;
|
|||||||
allow bootloader_t privfd:fd use;
|
allow bootloader_t privfd:fd use;
|
||||||
|
|
||||||
allow bootloader_t { device_type ttyfile }:chr_file getattr;
|
allow bootloader_t { device_type ttyfile }:chr_file getattr;
|
||||||
allow bootloader_t device_type:blk_file getattr;
|
|
||||||
allow bootloader_t initctl_t:fifo_file getattr;
|
allow bootloader_t initctl_t:fifo_file getattr;
|
||||||
|
|
||||||
# no transition from initrc to bootloader,
|
# no transition from initrc to bootloader,
|
||||||
@ -141,10 +150,6 @@ allow bootloader_t sysfs_t:dir getattr;
|
|||||||
allow bootloader_t var_t:dir search;
|
allow bootloader_t var_t:dir search;
|
||||||
allow bootloader_t var_t:file { getattr read };
|
allow bootloader_t var_t:file { getattr read };
|
||||||
|
|
||||||
ifdef(`fsadm.te', `
|
|
||||||
allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
|
|
||||||
')
|
|
||||||
|
|
||||||
# LVM2 / Device Mapper's /dev/mapper/control
|
# LVM2 / Device Mapper's /dev/mapper/control
|
||||||
# maybe we should change the labeling for this
|
# maybe we should change the labeling for this
|
||||||
ifdef(`lvm.te', `
|
ifdef(`lvm.te', `
|
||||||
|
@ -77,6 +77,62 @@ type device_t;
|
|||||||
class dir { getattr search read write add_name remove_name };
|
class dir { getattr search read write add_name remove_name };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# devices_get_all_block_device_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`devices_get_all_block_device_attributes',`
|
||||||
|
requires_block_template(devices_get_all_block_device_attributes_depend,$2)
|
||||||
|
allow $1 device_node:blk_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`devices_get_all_block_device_attributes_depend',`
|
||||||
|
attribute device_node;
|
||||||
|
class blk_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# devices_get_all_character_device_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`devices_get_all_character_device_attributes',`
|
||||||
|
requires_block_template(devices_get_all_character_device_attributes_depend,$2)
|
||||||
|
allow $1 device_node:chr_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`devices_get_all_character_device_attributes_depend',`
|
||||||
|
attribute device_node;
|
||||||
|
class chr_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# devices_set_all_block_device_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`devices_set_all_block_device_attributes',`
|
||||||
|
requires_block_template(devices_set_all_block_device_attributes_depend,$2)
|
||||||
|
allow $1 device_node:blk_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`devices_set_all_block_device_attributes_depend',`
|
||||||
|
attribute device_node;
|
||||||
|
class blk_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# devices_set_all_character_device_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`devices_set_all_character_device_attributes',`
|
||||||
|
requires_block_template(devices_set_all_character_device_attributes_depend,$2)
|
||||||
|
allow $1 device_node:chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`devices_set_all_character_device_attributes_depend',`
|
||||||
|
attribute device_node;
|
||||||
|
class chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# devices_raw_read_memory(domain,[`optional'])
|
# devices_raw_read_memory(domain,[`optional'])
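Review bot: The four new `devices_{get,set}_all_{block,character}_device_attributes` interfaces grant only the `blk_file`/`chr_file` permission on `device_node` and, unlike the `storage_get_*_attributes` interfaces added in this same commit, do not call `devices_list_device_nodes($1,optional)`, so a caller that has nothing but this interface cannot reach the nodes under /dev by path and presumably hits a `device_t:dir search` denial first; either add that call (plus `devices_list_device_nodes_depend` in the `_depend` block) for consistency, or state in the header that directory access is the caller's responsibility. The `set_*` variants also deserve a one-line caveat in their header comment, e.g. `# setattr lets the caller chmod/chown every device node (device_node covers all device types); prefer the per-type storage_set_*_attributes interfaces when only disks are touched.`, since relaxing the mode on a raw disk or memory device node is a direct way of handing that device to other domains.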
|
||||||
|
@ -91,28 +91,28 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_persistent_filesystem_stats(domain,[`optional'])
|
# filesystem_read_persistent_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_persistent_filesystem_stats',`
|
define(`filesystem_read_persistent_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_persistent_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_persistent_filesystem_attributes_depend,$2)
|
||||||
allow $1 fs_t:filesystem getattr;
|
allow $1 fs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_persistent_filesystem_stats_depend',`
|
define(`filesystem_read_persistent_filesystem_attributes_depend',`
|
||||||
type fs_t;
|
type fs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_ignore_read_persistent_filesystem_stats(domain,[`optional'])
|
# filesystem_ignore_read_persistent_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_ignore_read_persistent_filesystem_stats',`
|
define(`filesystem_ignore_read_persistent_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_ignore_read_persistent_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_ignore_read_persistent_filesystem_attributes_depend,$2)
|
||||||
dontaudit $1 fs_t:filesystem getattr;
|
dontaudit $1 fs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_ignore_read_persistent_filesystem_stats_depend',`
|
define(`filesystem_ignore_read_persistent_filesystem_attributes_depend',`
|
||||||
type fs_t;
|
type fs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
@ -161,14 +161,14 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_automount_filesystem_stats(domain,[`optional'])
|
# filesystem_read_automount_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_automount_filesystem_stats',`
|
define(`filesystem_read_automount_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_automount_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_automount_filesystem_attributes_depend,$2)
|
||||||
allow $1 autofs_t:filesystem getattr;
|
allow $1 autofs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_automount_filesystem_stats_depend',`
|
define(`filesystem_read_automount_filesystem_attributes_depend',`
|
||||||
type autofs_t;
|
type autofs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
@ -233,14 +233,14 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_windows_network_filesystem_stats(domain,[`optional'])
|
# filesystem_read_windows_network_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_windows_network_filesystem_stats',`
|
define(`filesystem_read_windows_network_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_windows_network_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_windows_network_filesystem_attributes_depend,$2)
|
||||||
allow $1 cifs_t:filesystem getattr;
|
allow $1 cifs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_windows_network_filesystem_stats_depend',`
|
define(`filesystem_read_windows_network_filesystem_attributes_depend',`
|
||||||
type cifs_t;
|
type cifs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
@ -289,14 +289,14 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_dos_filesystem_stats(domain,[`optional'])
|
# filesystem_read_dos_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_dos_filesystem_stats',`
|
define(`filesystem_read_dos_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_dos_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_dos_filesystem_attributes_depend,$2)
|
||||||
allow $1 dosfs_t:filesystem getattr;
|
allow $1 dosfs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_dos_filesystem_stats_depend',`
|
define(`filesystem_read_dos_filesystem_attributes_depend',`
|
||||||
type dosfs_t;
|
type dosfs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
@ -345,14 +345,14 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_cd_filesystem_stats(domain,[`optional'])
|
# filesystem_read_cd_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_cd_filesystem_stats',`
|
define(`filesystem_read_cd_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_cd_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_cd_filesystem_attributes_depend,$2)
|
||||||
allow $1 iso9660_t:filesystem getattr;
|
allow $1 iso9660_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_cd_filesystem_stats_depend',`
|
define(`filesystem_read_cd_filesystem_attributes_depend',`
|
||||||
type iso9660_t;
|
type iso9660_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
@ -401,14 +401,14 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_nfs_filesystem_stats(domain,[`optional'])
|
# filesystem_read_nfs_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_nfs_filesystem_stats',`
|
define(`filesystem_read_nfs_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_nfs_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_nfs_filesystem_attributes_depend,$2)
|
||||||
allow $1 nfs_t:filesystem getattr;
|
allow $1 nfs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_nfs_filesystem_stats_depend',`
|
define(`filesystem_read_nfs_filesystem_attributes_depend',`
|
||||||
type nfs_t;
|
type nfs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
@ -457,14 +457,14 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_nfsd_filesystem_stats(domain,[`optional'])
|
# filesystem_read_nfsd_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_nfsd_filesystem_stats',`
|
define(`filesystem_read_nfsd_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_nfsd_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_nfsd_filesystem_attributes_depend,$2)
|
||||||
allow $1 nfsd_fs_t:filesystem getattr;
|
allow $1 nfsd_fs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_nfsd_filesystem_stats_depend',`
|
define(`filesystem_read_nfsd_filesystem_attributes_depend',`
|
||||||
type nfsd_fs_t;
|
type nfsd_fs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
@ -513,14 +513,14 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_ram_filesystem_stats(domain,[`optional'])
|
# filesystem_read_ram_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_ram_filesystem_stats',`
|
define(`filesystem_read_ram_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_ram_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_ram_filesystem_attributes_depend,$2)
|
||||||
allow $1 ramfs_t:filesystem getattr;
|
allow $1 ramfs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_ram_filesystem_stats_depend',`
|
define(`filesystem_read_ram_filesystem_attributes_depend',`
|
||||||
type ramfs_t;
|
type ramfs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
@ -569,14 +569,14 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_rom_filesystem_stats(domain,[`optional'])
|
# filesystem_read_rom_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_rom_filesystem_stats',`
|
define(`filesystem_read_rom_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_rom_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_rom_filesystem_attributes_depend,$2)
|
||||||
allow $1 romfs_t:filesystem getattr;
|
allow $1 romfs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_rom_filesystem_stats_depend',`
|
define(`filesystem_read_rom_filesystem_attributes_depend',`
|
||||||
type romfs_t;
|
type romfs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
@ -625,14 +625,14 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_rpc_pipefs_filesystem_stats(domain,[`optional'])
|
# filesystem_read_rpc_pipefs_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_rpc_pipefs_filesystem_stats',`
|
define(`filesystem_read_rpc_pipefs_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_rpc_pipefs_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_rpc_pipefs_filesystem_attributes_depend,$2)
|
||||||
allow $1 rpc_pipefs_t:filesystem getattr;
|
allow $1 rpc_pipefs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_rpc_pipefs_filesystem_stats_depend',`
|
define(`filesystem_read_rpc_pipefs_filesystem_attributes_depend',`
|
||||||
type rpc_pipefs_t;
|
type rpc_pipefs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
@ -681,14 +681,14 @@ class filesystem unmount;
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# filesystem_read_tmpfs_filesystem_stats(domain,[`optional'])
|
# filesystem_read_tmpfs_filesystem_attributes(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`filesystem_read_tmpfs_filesystem_stats',`
|
define(`filesystem_read_tmpfs_filesystem_attributes',`
|
||||||
requires_block_template(filesystem_read_tmpfs_filesystem_stats_depend,$2)
|
requires_block_template(filesystem_read_tmpfs_filesystem_attributes_depend,$2)
|
||||||
allow $1 tmpfs_t:filesystem getattr;
|
allow $1 tmpfs_t:filesystem getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`filesystem_read_tmpfs_filesystem_stats_depend',`
|
define(`filesystem_read_tmpfs_filesystem_attributes_depend',`
|
||||||
type tmpfs_t;
|
type tmpfs_t;
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
')
|
')
|
||||||
|
@ -36,6 +36,38 @@ class blk_file { getattr write ioctl };
|
|||||||
devices_list_device_nodes_depend
|
devices_list_device_nodes_depend
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# storage_get_fixed_disk_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`storage_get_fixed_disk_attributes',`
|
||||||
|
requires_block_template(storage_get_fixed_disk_attributes_depend,$2)
|
||||||
|
devices_list_device_nodes($1,optional)
|
||||||
|
allow $1 fixed_disk_device_t:blk_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`storage_get_fixed_disk_attributes_depend',`
|
||||||
|
type fixed_disk_device_t;
|
||||||
|
class blk_file getattr;
|
||||||
|
devices_list_device_nodes_depend
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# storage_set_fixed_disk_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`storage_set_fixed_disk_attributes',`
|
||||||
|
requires_block_template(storage_set_fixed_disk_attributes_depend,$2)
|
||||||
|
devices_list_device_nodes($1,optional)
|
||||||
|
allow $1 fixed_disk_device_t:blk_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`storage_set_fixed_disk_attributes_depend',`
|
||||||
|
type fixed_disk_device_t;
|
||||||
|
class blk_file setattr;
|
||||||
|
devices_list_device_nodes_depend
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# storage_read_scsi_generic(domain,[`optional'])
|
# storage_read_scsi_generic(domain,[`optional'])
|
||||||
@ -72,6 +104,38 @@ class blk_file { getattr write ioctl };
|
|||||||
devices_list_device_nodes_depend
|
devices_list_device_nodes_depend
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# storage_get_scsi_generic_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`storage_get_scsi_generic_attributes',`
|
||||||
|
requires_block_template(storage_get_scsi_generic_attributes_depend,$2)
|
||||||
|
devices_list_device_nodes($1,optional)
|
||||||
|
allow $1 scsi_generic_device_t:blk_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`storage_get_scsi_generic_attributes_depend',`
|
||||||
|
type scsi_generic_device_t;
|
||||||
|
class blk_file getattr;
|
||||||
|
devices_list_device_nodes_depend
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# storage_set_scsi_generic_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`storage_set_scsi_generic_attributes',`
|
||||||
|
requires_block_template(storage_set_scsi_generic_attributes_depend,$2)
|
||||||
|
devices_list_device_nodes($1,optional)
|
||||||
|
allow $1 scsi_generic_device_t:blk_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`storage_set_scsi_generic_attributes_depend',`
|
||||||
|
type scsi_generic_device_t;
|
||||||
|
class blk_file setattr;
|
||||||
|
devices_list_device_nodes_depend
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# storage_raw_read_removable_device(domain,[`optional'])
|
# storage_raw_read_removable_device(domain,[`optional'])
|
||||||
@ -104,6 +168,38 @@ class blk_file { getattr write ioctl };
|
|||||||
devices_list_device_nodes_depend
|
devices_list_device_nodes_depend
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# storage_get_removable_device_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`storage_get_removable_device_attributes',`
|
||||||
|
requires_block_template(storage_get_removable_device_attributes_depend,$2)
|
||||||
|
devices_list_device_nodes($1,optional)
|
||||||
|
allow $1 removable_device_t:blk_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`storage_get_removable_device_attributes_depend',`
|
||||||
|
type removable_device_t;
|
||||||
|
class blk_file getattr;
|
||||||
|
devices_list_device_nodes_depend
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# storage_set_removable_device_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`storage_set_removable_device_attributes',`
|
||||||
|
requires_block_template(storage_set_removable_device_attributes_depend,$2)
|
||||||
|
devices_list_device_nodes($1,optional)
|
||||||
|
allow $1 removable_device_t:blk_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`storage_set_removable_device_attributes_depend',`
|
||||||
|
type removable_device_t;
|
||||||
|
class blk_file setattr;
|
||||||
|
devices_list_device_nodes_depend
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# storage_read_tape_device(domain,[`optional'])
|
# storage_read_tape_device(domain,[`optional'])
|
||||||
@ -135,3 +231,35 @@ type tape_device_t;
|
|||||||
class blk_file { getattr write ioctl };
|
class blk_file { getattr write ioctl };
|
||||||
devices_list_device_nodes_depend
|
devices_list_device_nodes_depend
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# storage_get_tape_device_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`storage_get_tape_device_attributes',`
|
||||||
|
requires_block_template(storage_get_tape_device_attributes_depend,$2)
|
||||||
|
devices_list_device_nodes($1,optional)
|
||||||
|
allow $1 tape_device_t:blk_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`storage_get_tape_device_attributes_depend',`
|
||||||
|
type tape_device_t;
|
||||||
|
class blk_file getattr;
|
||||||
|
devices_list_device_nodes_depend
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# storage_set_tape_device_attributes(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`storage_set_tape_device_attributes',`
|
||||||
|
requires_block_template(storage_set_tape_device_attributes_depend,$2)
|
||||||
|
devices_list_device_nodes($1,optional)
|
||||||
|
allow $1 tape_device_t:blk_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`storage_set_tape_device_attributes_depend',`
|
||||||
|
type tape_device_t;
|
||||||
|
class blk_file setattr;
|
||||||
|
devices_list_device_nodes_depend
|
||||||
|
')
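Review bot: The new `storage_{get,set}_scsi_generic_attributes` and `storage_{get,set}_tape_device_attributes` interfaces use `blk_file`, but on Linux `/dev/sg*` and `/dev/st*`/`/dev/nst*` are character devices, so if `scsi_generic_device_t` and `tape_device_t` label those nodes these rules never match and callers are still denied `chr_file getattr`/`setattr`. The surrounding `class blk_file { getattr write ioctl };` in the existing `storage_read_*` depend blocks has the same problem, so this is inherited rather than introduced here, but the new interfaces are the place to get it right: `allow $1 scsi_generic_device_t:chr_file getattr;` with `class chr_file getattr;` in the depend block, and the same for tape. Consider also a caveat in each `storage_set_*_attributes` header that setattr allows chmod/chown of the raw disk node, which is effectively a path to granting raw disk access to other domains.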
|
||||||
|
@ -1,5 +1,29 @@
|
|||||||
# Copyright (C) 2005 Tresys Technology, LLC
|
# Copyright (C) 2005 Tresys Technology, LLC
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# terminal_make_pseudoterminal(domain,ptytype,[`optional'])
|
||||||
|
#
|
||||||
|
define(`terminal_make_pseudoterminal',`
|
||||||
|
requires_block_template(terminal_make_pseudoterminal_depend,$3)
|
||||||
|
devices_list_device_nodes($1,optional)
|
||||||
|
allow $1 ptmx_t:chr_file { getattr read write };
|
||||||
|
allow $1 devpts_t:dir { getattr search read };
|
||||||
|
allow $1 devpts_t:filesystem getattr;
|
||||||
|
allow $2 devpts_t:filesystem associate;
|
||||||
|
type_transition $1 devpts_t:chr_file $2;
|
||||||
|
typeattribute $2 ptynode;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`terminal_make_pseudoterminal_depend',`
|
||||||
|
attribute ptynode;
|
||||||
|
type ptmx_t, devpts_t;
|
||||||
|
class filesystem { getattr associate };
|
||||||
|
class dir { getattr search read };
|
||||||
|
class chr_file { getattr read write };
|
||||||
|
devices_list_device_nodes_depend
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# terminal_use_console(domain,[`optional'])
|
# terminal_use_console(domain,[`optional'])
|
||||||
@ -32,30 +56,6 @@ class chr_file { read write };
|
|||||||
devices_list_device_nodes_depend
|
devices_list_device_nodes_depend
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# terminal_make_pty(domain,ptytype,[`optional'])
|
|
||||||
#
|
|
||||||
define(`terminal_make_pty',`
|
|
||||||
requires_block_template(terminal_make_pty_depend,$3)
|
|
||||||
devices_list_device_nodes($1,optional)
|
|
||||||
allow $1 ptmx_t:chr_file { getattr read write };
|
|
||||||
allow $1 devpts_t:dir { getattr search read };
|
|
||||||
allow $1 devpts_t:filesystem getattr;
|
|
||||||
allow $2 devpts_t:filesystem associate;
|
|
||||||
type_transition $1 devpts_t:chr_file $2;
|
|
||||||
typeattribute $2 ptynode;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`terminal_make_pty_depend',`
|
|
||||||
attribute ptynode;
|
|
||||||
type ptmx_t, devpts_t;
|
|
||||||
class filesystem { getattr associate };
|
|
||||||
class dir { getattr search read };
|
|
||||||
class chr_file { getattr read write };
|
|
||||||
devices_list_device_nodes_depend
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# terminal_use_all_terminals(domain,[`optional'])
|
# terminal_use_all_terminals(domain,[`optional'])
|
||||||
@ -95,14 +95,14 @@ kernel_relabeling_privilege_depend
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# terminal_ignore_list_ptys(domain,[`optional'])
|
# terminal_ignore_list_pseudoterminals(domain,[`optional'])
|
||||||
#
|
#
|
||||||
define(`terminal_ignore_list_ptys',`
|
define(`terminal_ignore_list_pseudoterminals',`
|
||||||
requires_block_template(terminal_ignore_list_ptys_depend,$2)
|
requires_block_template(terminal_ignore_list_pseudoterminals_depend,$2)
|
||||||
allow $1 console_device_t:chr_file { read write };
|
dontaudit $1 devpts_t:dir { getattr search read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_ignore_list_ptys_depend',`
|
define(`terminal_ignore_list_pseudoterminals_depend',`
|
||||||
type devpts_t;
|
type devpts_t;
|
||||||
class dir { getattr search read };
|
class dir { getattr search read };
|
||||||
')
|
')
|
||||||
|
@ -26,7 +26,7 @@ libraries_read_shared_libraries($1_chkpwd_t)
|
|||||||
files_read_general_system_config($1_chkpwd_t)
|
files_read_general_system_config($1_chkpwd_t)
|
||||||
miscfiles_read_localization($1_chkpwd_t)
|
miscfiles_read_localization($1_chkpwd_t)
|
||||||
selinux_read_config($1_chkpwd_t)
|
selinux_read_config($1_chkpwd_t)
|
||||||
filesystem_ignore_read_persistent_filesystem_stats($1_chkpwd_t)
|
filesystem_ignore_read_persistent_filesystem_attributes($1_chkpwd_t)
|
||||||
|
|
||||||
# is_selinux_enabled
|
# is_selinux_enabled
|
||||||
kernel_read_system_state($1_chkpwd_t)
|
kernel_read_system_state($1_chkpwd_t)
|
||||||
|
@ -59,6 +59,19 @@ define(`domain_make_entrypoint_file_depend',`
|
|||||||
class file entrypoint;
|
class file entrypoint;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# domain_make_file_descriptors_widely_inheritable(domain,[`optional'])
|
||||||
|
#
|
||||||
|
define(`domain_make_file_descriptors_widely_inheritable',`
|
||||||
|
requires_block_template(domain_make_file_descriptors_widely_inheritable_depend,$2)
|
||||||
|
typeattribute $1 privfd;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`domain_make_file_descriptors_widely_inheritable_depend',`
|
||||||
|
attribute privfd;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_signal_all_domains(domain,[`optional'])
|
# domain_signal_all_domains(domain,[`optional'])
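Review bot: `domain_make_file_descriptors_widely_inheritable` is documented only by its signature, yet it is a privilege-widening attribute assignment: once `$1` is in `privfd`, every `allow X privfd:fd use` rule (bootloader.te still carries one in its TODO block) lets those domains use any descriptor the caller leaks to them, for the lifetime of the policy and with no per-descriptor opt-out. Add a header comment along the lines of `# Mark all file descriptors of this domain as usable by the domains allowed privfd:fd use; presumably intended for domains that deliberately pass fds (ttys, pipes) to less-privileged processes. Use sparingly.` This hunk adds no companion interface that grants `privfd:fd use`, so modules converting such rules out of their TODO blocks have nothing in this file to call yet; if that is planned, a note here would keep the raw rule from being copied into module policies in the meantime.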
|
||||||
|
@ -3,4 +3,7 @@
|
|||||||
# Mark process types as domains
|
# Mark process types as domains
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
|
# widely-inheritable file descriptors
|
||||||
|
attribute privfd;
|
||||||
|
|
||||||
neverallow domain ~domain:process { transition dyntransition };
|
neverallow domain ~domain:process { transition dyntransition };
|
||||||
|
@ -19,10 +19,10 @@ filesystem_associate_noxattr_depend
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_get_all_file_stats(type,[`optional'])
|
# files_get_all_file_attributes(type,[`optional'])
|
||||||
#
|
#
|
||||||
define(`files_get_all_file_stats',`
|
define(`files_get_all_file_attributes',`
|
||||||
requires_block_template(files_get_all_file_stats_depend,$2)
|
requires_block_template(files_get_all_file_attributes_depend,$2)
|
||||||
allow $1 file_type:dir { search getattr };
|
allow $1 file_type:dir { search getattr };
|
||||||
allow $1 file_type:file getattr;
|
allow $1 file_type:file getattr;
|
||||||
allow $1 file_type:lnk_file getattr;
|
allow $1 file_type:lnk_file getattr;
|
||||||
@ -30,7 +30,7 @@ allow $1 file_type:fifo_file getattr;
|
|||||||
allow $1 file_type:sock_file getattr;
|
allow $1 file_type:sock_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`files_get_all_file_stats_depend',`
|
define(`files_get_all_file_attributes_depend',`
|
||||||
attribute file_type;
|
attribute file_type;
|
||||||
class dir { search getattr };
|
class dir { search getattr };
|
||||||
class file getattr;
|
class file getattr;
|
||||||
|
@ -51,7 +51,7 @@ files_read_general_system_config(getty_t)
|
|||||||
miscfiles_read_localization(getty_t)
|
miscfiles_read_localization(getty_t)
|
||||||
|
|
||||||
# for error condition handling
|
# for error condition handling
|
||||||
filesystem_read_persistent_filesystem_stats(getty_t)
|
filesystem_read_persistent_filesystem_attributes(getty_t)
|
||||||
|
|
||||||
# Chown, chmod, read and write ttys.
|
# Chown, chmod, read and write ttys.
|
||||||
terminal_use_all_terminals(getty_t)
|
terminal_use_all_terminals(getty_t)
|
||||||
|
@ -129,7 +129,6 @@ allow init_t file_t:dir search;
|
|||||||
# Init script policy
|
# Init script policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
domain_make_domain(initrc_t)
|
domain_make_domain(initrc_t)
|
||||||
role system_r types initrc_t;
|
role system_r types initrc_t;
|
||||||
@ -138,7 +137,7 @@ type initrc_exec_t;
|
|||||||
domain_make_entrypoint_file(initrc_t,initrc_exec_t)
|
domain_make_entrypoint_file(initrc_t,initrc_exec_t)
|
||||||
|
|
||||||
type initrc_devpts_t;
|
type initrc_devpts_t;
|
||||||
terminal_make_pty(initrc_t,initrc_devpts_t)
|
terminal_make_pseudoterminal(initrc_t,initrc_devpts_t)
|
||||||
|
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
files_make_file(initrc_var_run_t)
|
files_make_file(initrc_var_run_t)
|
||||||
@ -212,6 +211,10 @@ devices_read_framebuffer(initrc_t)
|
|||||||
devices_read_realtime_clock(initrc_t)
|
devices_read_realtime_clock(initrc_t)
|
||||||
devices_read_sound_mixer_levels(initrc_t)
|
devices_read_sound_mixer_levels(initrc_t)
|
||||||
devices_write_sound_mixer_levels(initrc_t)
|
devices_write_sound_mixer_levels(initrc_t)
|
||||||
|
devices_set_all_character_device_attributes(initrc_t)
|
||||||
|
|
||||||
|
storage_set_fixed_disk_attributes(initrc_t)
|
||||||
|
storage_set_removable_device_attributes(initrc_t)
|
||||||
|
|
||||||
terminal_use_all_terminals(initrc_t)
|
terminal_use_all_terminals(initrc_t)
|
||||||
terminal_reset_labels(initrc_t)
|
terminal_reset_labels(initrc_t)
|
||||||
@ -223,7 +226,7 @@ libraries_use_dynamic_loader(initrc_t)
|
|||||||
libraries_read_shared_libraries(initrc_t)
|
libraries_read_shared_libraries(initrc_t)
|
||||||
libraries_execute_library_scripts(initrc_t)
|
libraries_execute_library_scripts(initrc_t)
|
||||||
|
|
||||||
files_get_all_file_stats(initrc_t)
|
files_get_all_file_attributes(initrc_t)
|
||||||
files_remove_all_tmp_data(initrc_t)
|
files_remove_all_tmp_data(initrc_t)
|
||||||
files_remove_all_lock_files(initrc_t)
|
files_remove_all_lock_files(initrc_t)
|
||||||
files_remove_all_daemon_runtime_data(initrc_t)
|
files_remove_all_daemon_runtime_data(initrc_t)
|
||||||
@ -281,7 +284,7 @@ ifdef(`targeted_policy',`
|
|||||||
corecommands_execute_general_programs(run_init_t)
|
corecommands_execute_general_programs(run_init_t)
|
||||||
corecommands_execute_shell(run_init_t)
|
corecommands_execute_shell(run_init_t)
|
||||||
|
|
||||||
filesystem_read_persistent_filesystem_stats(run_init_t)
|
filesystem_read_persistent_filesystem_attributes(run_init_t)
|
||||||
|
|
||||||
files_read_general_system_config(run_init_t)
|
files_read_general_system_config(run_init_t)
|
||||||
|
|
||||||
@ -294,6 +297,8 @@ authlogin_ignore_read_shadow_passwords(run_init_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(run_init_t)
|
miscfiles_read_localization(run_init_t)
|
||||||
|
|
||||||
|
logging_send_system_log_message(run_init_t)
|
||||||
|
|
||||||
allow run_init_t initrc_t:process transition;
|
allow run_init_t initrc_t:process transition;
|
||||||
allow run_init_t initrc_exec_t:file { getattr read execute };
|
allow run_init_t initrc_exec_t:file { getattr read execute };
|
||||||
|
|
||||||
@ -303,9 +308,6 @@ allow run_init_t initrc_var_run_t:file { getattr read write };
|
|||||||
allow run_init_t self:process setexec;
|
allow run_init_t self:process setexec;
|
||||||
allow run_init_t self:capability setuid;
|
allow run_init_t self:capability setuid;
|
||||||
|
|
||||||
allow run_init_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
|
||||||
allow run_init_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
|
||||||
|
|
||||||
allow run_init_t self:fifo_file { getattr read write };
|
allow run_init_t self:fifo_file { getattr read write };
|
||||||
|
|
||||||
# often the administrator runs such programs from a directory that is owned
|
# often the administrator runs such programs from a directory that is owned
|
||||||
@ -314,7 +316,7 @@ allow run_init_t self:fifo_file { getattr read write };
|
|||||||
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||||
|
|
||||||
devices_ignore_list_device_nodes(run_init_t)
|
devices_ignore_list_device_nodes(run_init_t)
|
||||||
terminal_ignore_list_ptys(run_init_t)
|
terminal_ignore_list_pseudoterminals(run_init_t)
|
||||||
') dnl end ifdef targeted policy
|
') dnl end ifdef targeted policy
|
||||||
|
|
||||||
|
|
||||||
@ -331,12 +333,7 @@ allow initrc_t privfd:fd use;
|
|||||||
allow initrc_t fixed_disk_device_t:blk_file getattr;
|
allow initrc_t fixed_disk_device_t:blk_file getattr;
|
||||||
|
|
||||||
# Set device ownerships/modes.
|
# Set device ownerships/modes.
|
||||||
allow initrc_t device_type:chr_file setattr;
|
|
||||||
allow initrc_t misc_device_t:{ chr_file blk_file } setattr;
|
|
||||||
allow initrc_t fixed_disk_device_t:blk_file setattr;
|
|
||||||
allow initrc_t removable_device_t:blk_file setattr;
|
|
||||||
allow initrc_t xconsole_device_t:fifo_file setattr;
|
allow initrc_t xconsole_device_t:fifo_file setattr;
|
||||||
allow initrc_t sound_device_t:chr_file setattr;
|
|
||||||
|
|
||||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||||
|
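Review bot: The hunk at `@ -331,12 +333,7 @@` removes `allow initrc_t misc_device_t:{ chr_file blk_file } setattr;`, but the interfaces added at `@ -212,6 +211,10 @@` (`devices_set_all_character_device_attributes`, `storage_set_fixed_disk_attributes`, `storage_set_removable_device_attributes`) by their names cover chr_file and the two storage types only, so `misc_device_t:blk_file setattr` appears to be dropped without a replacement. If that is intentional it is a least-privilege improvement and deserves a sentence in the commit message; if not, init scripts that chmod/chown a misc block node will now be denied. The raw rule `allow initrc_t fixed_disk_device_t:blk_file getattr;` survives as context in the same hunk while the setattr rules beside it are moved behind interfaces, so it could follow the same style through a storage get-attributes interface if one exists. I cannot see the interface bodies from this page, so the coverage claim is inferred from the names.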
@ -75,7 +75,7 @@ devices_get_pseudorandom_data(insmod_t)
|
|||||||
devices_direct_agp_access(insmod_t)
|
devices_direct_agp_access(insmod_t)
|
||||||
devices_get_zeros(insmod_t)
|
devices_get_zeros(insmod_t)
|
||||||
|
|
||||||
filesystem_read_persistent_filesystem_stats(insmod_t)
|
filesystem_read_persistent_filesystem_attributes(insmod_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(insmod_t)
|
files_read_runtime_system_config(insmod_t)
|
||||||
files_read_general_system_config(insmod_t)
|
files_read_general_system_config(insmod_t)
|
||||||
@ -171,7 +171,7 @@ type_transition depmod_t modules_object_t:file modules_dep_t;
|
|||||||
|
|
||||||
kernel_read_system_state(depmod_t)
|
kernel_read_system_state(depmod_t)
|
||||||
|
|
||||||
filesystem_read_persistent_filesystem_stats(depmod_t)
|
filesystem_read_persistent_filesystem_attributes(depmod_t)
|
||||||
|
|
||||||
terminal_use_console(depmod_t)
|
terminal_use_console(depmod_t)
|
||||||
|
|
||||||
@ -230,7 +230,7 @@ kernel_read_system_state(update_modules_t)
|
|||||||
|
|
||||||
devices_get_pseudorandom_data(update_modules_t)
|
devices_get_pseudorandom_data(update_modules_t)
|
||||||
|
|
||||||
filesystem_read_persistent_filesystem_stats(update_modules_t)
|
filesystem_read_persistent_filesystem_attributes(update_modules_t)
|
||||||
|
|
||||||
terminal_use_console(update_modules_t)
|
terminal_use_console(update_modules_t)
|
||||||
terminal_use_controlling_terminal(update_modules_t)
|
terminal_use_controlling_terminal(update_modules_t)
|
||||||
|