Files patch from Dan Walsh.
This commit is contained in:
parent
290aa8a020
commit
910b1d8ecb
@ -1192,6 +1192,26 @@ interface(`files_relabel_config_dirs',`
|
|||||||
relabel_dirs_pattern($1, configfile, configfile)
|
relabel_dirs_pattern($1, configfile, configfile)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read config files in /etc.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_read_config_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 configfile:dir list_dir_perms;
|
||||||
|
read_files_pattern($1, configfile, configfile)
|
||||||
|
read_lnk_files_pattern($1, configfile, configfile)
|
||||||
|
')
|
||||||
|
|
||||||
###########################################
|
###########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Manage all configuration files on filesystem
|
## Manage all configuration files on filesystem
|
||||||
@ -1565,6 +1585,25 @@ interface(`files_boot_filetrans',`
|
|||||||
filetrans_pattern($1, boot_t, $2, $3)
|
filetrans_pattern($1, boot_t, $2, $3)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## read files in the /boot directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`files_read_boot_files',`
|
||||||
|
gen_require(`
|
||||||
|
type boot_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_files_pattern($1, boot_t, boot_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete files
|
## Create, read, write, and delete files
|
||||||
@ -1793,6 +1832,25 @@ interface(`files_dontaudit_list_default',`
|
|||||||
dontaudit $1 default_t:dir list_dir_perms;
|
dontaudit $1 default_t:dir list_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete directories with
|
||||||
|
## the default file type.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_manage_default_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type default_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern($1, default_t, default_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount a filesystem on a directory with the default file type.
|
## Mount a filesystem on a directory with the default file type.
|
||||||
@ -1867,6 +1925,25 @@ interface(`files_dontaudit_read_default_files',`
|
|||||||
dontaudit $1 default_t:file read_file_perms;
|
dontaudit $1 default_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete files with
|
||||||
|
## the default file type.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_manage_default_files',`
|
||||||
|
gen_require(`
|
||||||
|
type default_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_files_pattern($1, default_t, default_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read symbolic links with the default file type.
|
## Read symbolic links with the default file type.
|
||||||
@ -3489,6 +3566,24 @@ interface(`files_setattr_all_tmp_dirs',`
|
|||||||
allow $1 tmpfile:dir { search_dir_perms setattr };
|
allow $1 tmpfile:dir { search_dir_perms setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## List all tmp directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_list_all_tmp',`
|
||||||
|
gen_require(`
|
||||||
|
attribute tmpfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 tmpfile:dir list_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to get the attributes
|
## Do not audit attempts to get the attributes
|
||||||
@ -5072,7 +5167,7 @@ interface(`files_polyinstantiate_all',`
|
|||||||
selinux_compute_member($1)
|
selinux_compute_member($1)
|
||||||
|
|
||||||
# Need sys_admin capability for mounting
|
# Need sys_admin capability for mounting
|
||||||
allow $1 self:capability { chown fsetid sys_admin };
|
allow $1 self:capability { chown fsetid sys_admin fowner };
|
||||||
|
|
||||||
# Need to give access to the directories to be polyinstantiated
|
# Need to give access to the directories to be polyinstantiated
|
||||||
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
|
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
|
||||||
|
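Review bot: `files_read_boot_files` (the hunk at `@ -1565,6 +1585,25 @@`) is documented as "read files in the /boot directory" and tagged `<rolecap/>`, but its body is `manage_files_pattern($1, boot_t, boot_t)`, which grants the full manage set on boot_t files (create, write, unlink, rename and setattr, plus rw_dir_perms on the directory), so a domain asking only to read the kernel and bootloader files is allowed to modify or replace them. The body should be `read_files_pattern($1, boot_t, boot_t)` together with `allow $1 boot_t:dir list_dir_perms;`, matching the shape `files_read_config_files` in the first hunk already uses; if write access to /boot is actually intended, the interface should be named and documented as a manage interface instead. The `## <rolecap/>` marker makes this worse, since it advertises the interface as safe to hand out to roles.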
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(files, 1.12.0)
|
policy_module(files, 1.12.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -53,7 +53,7 @@ files_mountpoint(default_t)
|
|||||||
#
|
#
|
||||||
# etc_t is the type of the system etc directories.
|
# etc_t is the type of the system etc directories.
|
||||||
#
|
#
|
||||||
type etc_t;
|
type etc_t, configfile;
|
||||||
files_type(etc_t)
|
files_type(etc_t)
|
||||||
# compatibility aliases for removed types:
|
# compatibility aliases for removed types:
|
||||||
typealias etc_t alias automount_etc_t;
|
typealias etc_t alias automount_etc_t;
|
||||||
|
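Review bot: Changing the declaration to `type etc_t, configfile;` widens every pre-existing interface keyed on the configfile attribute, not only the new `files_read_config_files`: callers of `files_relabel_config_dirs` and of the "Manage all configuration files" interface that appear as context in files.if now also obtain relabel and manage access to etc_t, i.e. to /etc, without any change on their side. That silent widening for existing policy modules deserves a sentence in the commit message and an explanatory comment on the type line, e.g. `# configfile: etc_t is covered by the files_*_config_* interfaces`. The change also presupposes that `attribute configfile;` is declared earlier in this file, outside the hunk; it presumably is, since the existing interfaces already gen_require it.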