some cleanup in the kernel layer
This commit is contained in:
Chris PeBenito
parent
19ebf01d6a
commit
8b9ebd3769
@ -20,14 +20,6 @@ files_type(device_t)
|
||||
files_mountpoint(device_t)
|
||||
files_associate_tmp(device_t)
|
||||
|
||||
# Only directories and symlinks should be labeled device_t.
|
||||
# If there are other files with this type, it is wrong.
|
||||
# Relabelto is allowed for setfiles to function, in case
|
||||
# a device node has no specific type yet, but is for some
|
||||
# reason labeled with a specific type
|
||||
#cjp: want this, but udev policy breaks this
|
||||
#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
|
||||
|
||||
#
|
||||
# Type for /dev/agpgart
|
||||
#
|
||||
@ -206,4 +198,4 @@ files_associate_tmp(device_node)
|
||||
|
||||
allow devices_unconfined_type self:capability sys_rawio;
|
||||
allow devices_unconfined_type device_node:{ blk_file chr_file } *;
|
||||
allow devices_unconfined_type mtrr_device_t:{ dir file } *;
|
||||
allow devices_unconfined_type mtrr_device_t:file *;
|
||||
|
||||
@ -55,7 +55,7 @@ interface(`selinux_search_fs',`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir search;
|
||||
allow $1 security_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -73,7 +73,7 @@ interface(`selinux_dontaudit_search_fs',`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
dontaudit $1 security_t:dir search;
|
||||
dontaudit $1 security_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -92,7 +92,7 @@ interface(`selinux_dontaudit_read_fs',`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
dontaudit $1 security_t:dir search;
|
||||
dontaudit $1 security_t:dir search_dir_perms;
|
||||
dontaudit $1 security_t:file { getattr read };
|
||||
')
|
||||
|
||||
@ -112,7 +112,7 @@ interface(`selinux_get_enforce_mode',`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read };
|
||||
')
|
||||
|
||||
@ -144,7 +144,7 @@ interface(`selinux_set_enforce_mode',`
|
||||
bool secure_mode_policyload;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
typeattribute $1 can_setenforce;
|
||||
|
||||
@ -171,7 +171,7 @@ interface(`selinux_load_policy',`
|
||||
bool secure_mode_policyload;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
typeattribute $1 can_load_policy;
|
||||
|
||||
@ -208,8 +208,7 @@ interface(`selinux_set_boolean',`
|
||||
bool secure_mode_policyload;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir search;
|
||||
allow $1 security_t:dir { getattr search read };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
|
||||
if(!secure_mode_policyload) {
|
||||
@ -249,7 +248,7 @@ interface(`selinux_set_parameters',`
|
||||
attribute can_setsecparam;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security setsecparam;
|
||||
auditallow $1 security_t:security setsecparam;
|
||||
@ -271,7 +270,7 @@ interface(`selinux_validate_context',`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security check_context;
|
||||
')
|
||||
@ -291,7 +290,7 @@ interface(`selinux_compute_access_vector',`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_av;
|
||||
')
|
||||
@ -311,7 +310,7 @@ interface(`selinux_compute_create_context',`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_create;
|
||||
')
|
||||
@ -332,7 +331,7 @@ interface(`selinux_compute_member',`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_member;
|
||||
')
|
||||
@ -361,7 +360,7 @@ interface(`selinux_compute_relabel_context',`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_relabel;
|
||||
')
|
||||
@ -381,7 +380,7 @@ interface(`selinux_compute_user_contexts',`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_user;
|
||||
')
|
||||
|
||||
@ -308,7 +308,6 @@ interface(`term_dontaudit_search_ptys',`
|
||||
type devpts_t;
|
||||
')
|
||||
|
||||
dev_dontaudit_list_all_dev_nodes($1)
|
||||
dontaudit $1 devpts_t:dir search;
|
||||
')
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user