Miroslav 2012-01-11 21:07:43 +01:00
parent 68079f6d89
commit 9387d2ce08


@ -72307,7 +72307,7 @@ index 94fd8dd..5a52670 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 29a9565..92781d7 100644
index 29a9565..6251491 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@ -72449,7 +72449,7 @@ index 29a9565..92781d7 100644
mcs_process_set_categories(init_t)
mcs_killall(init_t)
@@ -151,10 +201,19 @@ mls_file_read_all_levels(init_t)
@@ -151,34 +201,50 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@ -72470,9 +72470,10 @@ index 29a9565..92781d7 100644
# Run init scripts.
init_domtrans_script(init_t)
@@ -162,23 +221,29 @@ init_domtrans_script(init_t)
libs_rw_ld_so_cache(init_t)
+logging_create_devlog_dev(init_t)
logging_send_syslog_msg(init_t)
+logging_send_audit_msgs(init_t)
logging_rw_generic_logs(init_t)
@ -72501,7 +72502,7 @@ index 29a9565..92781d7 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
@@ -186,16 +251,144 @@ tunable_policy(`init_upstart',`
@@ -186,16 +252,141 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@ -72609,9 +72610,6 @@ index 29a9565..92781d7 100644
+ systemd_manage_all_unit_files(init_t)
+ systemd_logger_stream_connect(init_t)
+
+ # needs to remain
+ logging_create_devlog_dev(init_t)
+
+ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
+
+')
@ -72648,7 +72646,7 @@ index 29a9565..92781d7 100644
')
optional_policy(`
@@ -203,6 +396,17 @@ optional_policy(`
@@ -203,6 +394,17 @@ optional_policy(`
')
optional_policy(`
@ -72666,7 +72664,7 @@ index 29a9565..92781d7 100644
unconfined_domain(init_t)
')
@@ -212,7 +416,8 @@ optional_policy(`
@@ -212,7 +414,8 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -72676,7 +72674,7 @@ index 29a9565..92781d7 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -241,12 +446,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
@@ -241,12 +444,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -72692,7 +72690,7 @@ index 29a9565..92781d7 100644
init_write_initctl(initrc_t)
@@ -258,20 +466,32 @@ kernel_change_ring_buffer_level(initrc_t)
@@ -258,20 +464,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -72729,7 +72727,7 @@ index 29a9565..92781d7 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
@@ -279,6 +499,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
@@ -279,6 +497,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@ -72737,7 +72735,7 @@ index 29a9565..92781d7 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
@@ -289,8 +510,10 @@ dev_write_framebuffer(initrc_t)
@@ -289,8 +508,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@ -72748,7 +72746,7 @@ index 29a9565..92781d7 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -298,13 +521,13 @@ dev_manage_generic_files(initrc_t)
@@ -298,13 +519,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -72764,7 +72762,7 @@ index 29a9565..92781d7 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -316,6 +539,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
@@ -316,6 +537,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@ -72772,7 +72770,7 @@ index 29a9565..92781d7 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
@@ -323,8 +547,10 @@ files_getattr_all_symlinks(initrc_t)
@@ -323,8 +545,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -72784,7 +72782,7 @@ index 29a9565..92781d7 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
@@ -340,8 +566,12 @@ files_list_isid_type_dirs(initrc_t)
@@ -340,8 +564,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -72798,7 +72796,7 @@ index 29a9565..92781d7 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -351,8 +581,12 @@ fs_mount_all_fs(initrc_t)
@@ -351,8 +579,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -72811,7 +72809,7 @@ index 29a9565..92781d7 100644
mcs_ptrace_all(initrc_t)
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
@@ -363,6 +597,7 @@ mls_process_read_up(initrc_t)
@@ -363,6 +595,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -72819,7 +72817,7 @@ index 29a9565..92781d7 100644
selinux_get_enforce_mode(initrc_t)
@@ -374,6 +609,7 @@ term_use_all_terms(initrc_t)
@@ -374,6 +607,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@ -72827,7 +72825,7 @@ index 29a9565..92781d7 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
@@ -394,18 +630,17 @@ logging_read_audit_config(initrc_t)
@@ -394,18 +628,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@ -72849,7 +72847,7 @@ index 29a9565..92781d7 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
@@ -458,6 +693,10 @@ ifdef(`distro_gentoo',`
@@ -458,6 +691,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@ -72860,7 +72858,7 @@ index 29a9565..92781d7 100644
alsa_read_lib(initrc_t)
')
@@ -478,7 +717,7 @@ ifdef(`distro_redhat',`
@@ -478,7 +715,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -72869,7 +72867,7 @@ index 29a9565..92781d7 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -493,6 +732,7 @@ ifdef(`distro_redhat',`
@@ -493,6 +730,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@ -72877,7 +72875,7 @@ index 29a9565..92781d7 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
@@ -522,8 +762,34 @@ ifdef(`distro_redhat',`
@@ -522,8 +760,34 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -72912,7 +72910,7 @@ index 29a9565..92781d7 100644
')
optional_policy(`
@@ -531,10 +797,22 @@ ifdef(`distro_redhat',`
@@ -531,10 +795,22 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -72935,7 +72933,7 @@ index 29a9565..92781d7 100644
')
optional_policy(`
@@ -549,6 +827,39 @@ ifdef(`distro_suse',`
@@ -549,6 +825,39 @@ ifdef(`distro_suse',`
')
')
@ -72975,7 +72973,7 @@ index 29a9565..92781d7 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -561,6 +872,8 @@ optional_policy(`
@@ -561,6 +870,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -72984,7 +72982,7 @@ index 29a9565..92781d7 100644
')
optional_policy(`
@@ -577,6 +890,7 @@ optional_policy(`
@@ -577,6 +888,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -72992,7 +72990,7 @@ index 29a9565..92781d7 100644
')
optional_policy(`
@@ -589,6 +903,17 @@ optional_policy(`
@@ -589,6 +901,17 @@ optional_policy(`
')
optional_policy(`
@ -73010,7 +73008,7 @@ index 29a9565..92781d7 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -605,9 +930,13 @@ optional_policy(`
@@ -605,9 +928,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -73024,7 +73022,7 @@ index 29a9565..92781d7 100644
')
optional_policy(`
@@ -632,6 +961,10 @@ optional_policy(`
@@ -632,6 +959,10 @@ optional_policy(`
')
optional_policy(`
@ -73035,7 +73033,7 @@ index 29a9565..92781d7 100644
gpm_setattr_gpmctl(initrc_t)
')
@@ -649,6 +982,11 @@ optional_policy(`
@@ -649,6 +980,11 @@ optional_policy(`
')
optional_policy(`
@ -73047,7 +73045,7 @@ index 29a9565..92781d7 100644
inn_exec_config(initrc_t)
')
@@ -689,6 +1027,7 @@ optional_policy(`
@@ -689,6 +1025,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@ -73055,7 +73053,7 @@ index 29a9565..92781d7 100644
')
optional_policy(`
@@ -706,7 +1045,13 @@ optional_policy(`
@@ -706,7 +1043,13 @@ optional_policy(`
')
optional_policy(`
@ -73069,7 +73067,7 @@ index 29a9565..92781d7 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -729,6 +1074,10 @@ optional_policy(`
@@ -729,6 +1072,10 @@ optional_policy(`
')
optional_policy(`
@ -73080,7 +73078,7 @@ index 29a9565..92781d7 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -738,10 +1087,20 @@ optional_policy(`
@@ -738,10 +1085,20 @@ optional_policy(`
')
optional_policy(`
@ -73101,7 +73099,7 @@ index 29a9565..92781d7 100644
quota_manage_flags(initrc_t)
')
@@ -750,6 +1109,10 @@ optional_policy(`
@@ -750,6 +1107,10 @@ optional_policy(`
')
optional_policy(`
@ -73112,7 +73110,7 @@ index 29a9565..92781d7 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -771,8 +1134,6 @@ optional_policy(`
@@ -771,8 +1132,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -73121,7 +73119,7 @@ index 29a9565..92781d7 100644
')
optional_policy(`
@@ -781,6 +1142,10 @@ optional_policy(`
@@ -781,6 +1140,10 @@ optional_policy(`
')
optional_policy(`
@ -73132,7 +73130,7 @@ index 29a9565..92781d7 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
@@ -790,10 +1155,12 @@ optional_policy(`
@@ -790,10 +1153,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@ -73145,7 +73143,7 @@ index 29a9565..92781d7 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -805,7 +1172,6 @@ optional_policy(`
@@ -805,7 +1170,6 @@ optional_policy(`
')
optional_policy(`
@ -73153,7 +73151,7 @@ index 29a9565..92781d7 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
@@ -815,11 +1181,26 @@ optional_policy(`
@@ -815,11 +1179,26 @@ optional_policy(`
')
optional_policy(`
@ -73181,7 +73179,7 @@ index 29a9565..92781d7 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -829,6 +1210,18 @@ optional_policy(`
@@ -829,6 +1208,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@ -73200,7 +73198,7 @@ index 29a9565..92781d7 100644
')
optional_policy(`
@@ -844,6 +1237,10 @@ optional_policy(`
@@ -844,6 +1235,10 @@ optional_policy(`
')
optional_policy(`
@ -73211,7 +73209,7 @@ index 29a9565..92781d7 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -854,3 +1251,161 @@ optional_policy(`
@@ -854,3 +1249,161 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')