add cpucontrol
parent
9dfe4e2b2b
commit
9210553ecb
@ -4,6 +4,7 @@
can_portmap() to sysnetwork.
can_portmap() to sysnetwork.
- Fix base module compile issues.
- Fix base module compile issues.
- Added policies:
- Added policies:
cpucontrol
ktalk
ktalk
portmap
portmap
postgresql
postgresql
@ -881,6 +881,24 @@ interface(`dev_dontaudit_rw_cardmgr',`
dontaudit $1 cardmgr_dev_t:chr_file { read write };
dontaudit $1 cardmgr_dev_t:chr_file { read write };
')
')
########################################
## <summary>
## Get the attributes of the CPU
## microcode and id interfaces.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_getattr_cpu',`
gen_require(`
type device_t, cpu_device_t;
')
allow $1 device_t:dir search;
allow $1 cpu_device_t:chr_file getattr;
')
########################################
########################################
## <summary>
## <summary>
## Read the CPU identity.
## Read the CPU identity.
@ -0,0 +1,7 @@
/etc/firmware/.* -- context_template(system_u:object_r:cpucontrol_conf_t,s0)
/sbin/microcode_ctl -- context_template(system_u:object_r:cpucontrol_exec_t,s0)
/usr/sbin/cpuspeed -- context_template(system_u:object_r:cpuspeed_exec_t,s0)
/usr/sbin/powernowd -- context_template(system_u:object_r:cpuspeed_exec_t,s0)
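Review bot: The `--` qualifier on `/etc/firmware/.*` matches regular files only, so the /etc/firmware directory itself is not labelled here and presumably keeps the label inherited from its parent; the `cpucontrol_conf_t:dir r_dir_perms` rule in the new cpucontrol.te then has no directory to apply to unless something else labels one. If the directory is meant to be module-private, a pattern without the qualifier such as `/etc/firmware(/.*)? context_template(system_u:object_r:cpucontrol_conf_t,s0)` would cover it; otherwise the dir rule in the .te is dead and can be dropped. The first line is also broad in that every file placed under /etc/firmware becomes readable to cpucontrol_t, which is probably intended for microcode data but is worth stating, e.g. `# presumably microcode data read by microcode_ctl — confirm`.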
@ -0,0 +1,15 @@
## <summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
########################################
## <summary>
## CPUcontrol stub interface. No access allowed.
## </summary>
## <param name="domain" optional="true">
## N/A
## </param>
#
interface(`cpucontrol_stub',`
gen_require(`
type cpucontrol_t;
')
')
@ -0,0 +1,132 @@
policy_module(cpucontrol,1.0)
########################################
#
# Declarations
#
type cpucontrol_t;
type cpucontrol_exec_t;
init_daemon_domain(cpucontrol_t,cpucontrol_exec_t)
type cpucontrol_conf_t;
files_type(cpucontrol_conf_t)
type cpuspeed_t;
type cpuspeed_exec_t;
init_daemon_domain(cpuspeed_t,cpuspeed_exec_t)
########################################
#
# CPU microcode loader local policy
#
allow cpucontrol_t self:capability sys_rawio;
dontaudit cpucontrol_t self:capability sys_tty_config;
allow cpucontrol_t self:process signal_perms;
allow cpucontrol_t cpucontrol_conf_t:dir r_dir_perms;
allow cpucontrol_t cpucontrol_conf_t:file r_file_perms;
allow cpucontrol_t cpucontrol_conf_t:lnk_file { getattr read };
kernel_list_proc(cpucontrol_t)
kernel_read_proc_symlinks(cpucontrol_t)
kernel_read_kernel_sysctl(cpucontrol_t)
dev_read_sysfs(cpucontrol_t)
dev_rw_cpu_microcode(cpucontrol_t)
fs_search_auto_mountpoints(cpucontrol_t)
term_dontaudit_use_console(cpucontrol_t)
domain_use_wide_inherit_fd(cpucontrol_t)
files_list_usr(cpucontrol_t)
init_use_fd(cpucontrol_t)
init_use_script_pty(cpucontrol_t)
libs_use_ld_so(cpucontrol_t)
libs_use_shared_libs(cpucontrol_t)
logging_send_syslog_msg(cpucontrol_t)
userdom_dontaudit_use_unpriv_user_fd(cpucontrol_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(cpucontrol_t)
term_dontaudit_use_generic_pty(cpucontrol_t)
files_dontaudit_read_root_file(cpucontrol_t)
')
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(cpucontrol_t)
')
optional_policy(`udev.te', `
udev_read_db(cpucontrol_t)
')
ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(cpucontrol_t)
')
') dnl end TODO
########################################
#
# CPU frequency scaling daemons
#
dontaudit cpuspeed_t self:capability sys_tty_config;
allow cpuspeed_t self:process { signal_perms setsched };
allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
kernel_read_system_state(cpuspeed_t)
kernel_read_kernel_sysctl(cpuspeed_t)
dev_rw_sysfs(cpuspeed_t)
fs_search_auto_mountpoints(cpuspeed_t)
term_dontaudit_use_console(cpuspeed_t)
domain_use_wide_inherit_fd(cpuspeed_t)
files_read_etc_files(cpuspeed_t)
files_read_etc_runtime_files(cpuspeed_t)
files_list_usr(cpuspeed_t)
init_use_fd(cpuspeed_t)
init_use_script_pty(cpuspeed_t)
libs_use_ld_so(cpuspeed_t)
libs_use_shared_libs(cpuspeed_t)
logging_send_syslog_msg(cpuspeed_t)
miscfiles_read_localization(cpuspeed_t)
userdom_dontaudit_use_unpriv_user_fd(cpuspeed_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(cpuspeed_t)
term_dontaudit_use_generic_pty(cpuspeed_t)
files_dontaudit_read_root_file(cpuspeed_t)
|
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(cpuspeed_t)
')
optional_policy(`udev.te', `
udev_read_db(cpuspeed_t)
')
ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(cpuspeed_t)
')
') dnl end TODO
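Review bot: `dev_rw_sysfs(cpuspeed_t)` grants read and write access to all of sysfs, which is broader than a frequency-scaling daemon presumably needs (the cpufreq nodes); if no narrower interface exists, a comment stating why full sysfs write access is required would at least record the decision. `allow cpucontrol_t self:capability sys_rawio;` is the most powerful grant in the new file and has no why-comment; something like `# sys_rawio: presumably needed to write the microcode update device — confirm` would help the next reader. The two ``ifdef(`TODO',` `` blocks wrapping `rhgb_domain` are dead policy as committed; either resolve them or say in a comment what they are waiting on. Minor style: ``optional_policy(`udev.te', ` `` carries a stray space after the comma while the `selinuxutil.te` calls in the same file do not.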
@ -9,7 +9,7 @@
## </param>
## </param>
#
#
interface(`ntp_stub',`
interface(`ntp_stub',`
gen_require(`ntp.te',`
gen_require(`
type ntpd_t;
type ntpd_t;
')
')
')
')
@ -414,6 +414,11 @@ optional_policy(`bind.te',`
')
')
optional_policy(`cpucontrol.te',`
cpucontrol_stub()
dev_getattr_cpu(initrc_t)
')
optional_policy(`gpm.te',`
optional_policy(`gpm.te',`
gpm_setattr_gpmctl(initrc_t)
gpm_setattr_gpmctl(initrc_t)
')
')
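Review bot: `dev_getattr_cpu(initrc_t)` is a kernel-layer devices interface, yet it sits inside ``optional_policy(`cpucontrol.te',` ``, so initrc_t only gains getattr on cpu_device_t when the cpucontrol module is present; presumably the cpucontrol init script stats the CPU device nodes before starting the daemon, but nothing in the block says so. A one-line comment above the call would make the dependency clear, e.g. `# presumably the cpucontrol init script checks the CPU device nodes — confirm`. The surrounding list of optional_policy blocks continues outside the hunk in both directions.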