trunk: firstboot update from dan.
This commit is contained in:
parent
b4f23e680a
commit
93f445b8c0
@ -142,3 +142,22 @@ interface(`firstboot_dontaudit_rw_pipes',`
|
|||||||
|
|
||||||
dontaudit $1 firstboot_t:fifo_file { read write };
|
dontaudit $1 firstboot_t:fifo_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attemps to read and write to a firstboot
|
||||||
|
## unix domain stream socket.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`firstboot_dontaudit_rw_stream_sockets',`
|
||||||
|
gen_require(`
|
||||||
|
type firstboot_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 firstboot_t:unix_stream_socket { read write };
|
||||||
|
')
|
||||||
|
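Review bot: The summary of the new `firstboot_dontaudit_rw_stream_sockets` interface has a typo, `attemps`; the line should read `## Do not audit attempts to read and write to a firstboot`. Otherwise the interface mirrors `firstboot_dontaudit_rw_pipes` directly above it — only read and write on the socket are suppressed and nothing is granted, so a denial for any other permission on a firstboot_t unix_stream_socket would still reach the audit log. The body of `firstboot_dontaudit_rw_pipes` starts outside the hunk.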
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(firstboot, 1.7.0)
|
policy_module(firstboot, 1.7.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -35,9 +35,6 @@ allow firstboot_t self:passwd rootok;
|
|||||||
|
|
||||||
allow firstboot_t firstboot_etc_t:file { getattr read };
|
allow firstboot_t firstboot_etc_t:file { getattr read };
|
||||||
|
|
||||||
# The big hammer
|
|
||||||
unconfined_domain(firstboot_t)
|
|
||||||
|
|
||||||
kernel_read_system_state(firstboot_t)
|
kernel_read_system_state(firstboot_t)
|
||||||
kernel_read_kernel_sysctls(firstboot_t)
|
kernel_read_kernel_sysctls(firstboot_t)
|
||||||
|
|
||||||
@ -63,7 +60,6 @@ corecmd_exec_all_executables(firstboot_t)
|
|||||||
files_exec_etc_files(firstboot_t)
|
files_exec_etc_files(firstboot_t)
|
||||||
files_manage_etc_files(firstboot_t)
|
files_manage_etc_files(firstboot_t)
|
||||||
files_manage_etc_runtime_files(firstboot_t)
|
files_manage_etc_runtime_files(firstboot_t)
|
||||||
files_etc_filetrans_etc_runtime(firstboot_t, { file dir })
|
|
||||||
files_read_usr_files(firstboot_t)
|
files_read_usr_files(firstboot_t)
|
||||||
files_manage_var_dirs(firstboot_t)
|
files_manage_var_dirs(firstboot_t)
|
||||||
files_manage_var_files(firstboot_t)
|
files_manage_var_files(firstboot_t)
|
||||||
@ -110,6 +106,8 @@ optional_policy(`
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domtrans(firstboot_t)
|
unconfined_domtrans(firstboot_t)
|
||||||
|
# The big hammer
|
||||||
|
unconfined_domain(firstboot_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -131,8 +129,4 @@ ifdef(`userhelper.te', `
|
|||||||
role system_r types sysadm_userhelper_t;
|
role system_r types sysadm_userhelper_t;
|
||||||
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
|
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`xserver.te', `
|
|
||||||
domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
|
|
||||||
')
|
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
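Review bot: Moving `unconfined_domain(firstboot_t)` into the `optional_policy` block that already calls `unconfined_domtrans(firstboot_t)` (the hunk at -110) makes firstboot itself unconfined whenever the unconfined module is loaded, and the surviving `# The big hammer` comment does not say why the full domain is needed rather than the transition alone; a comment such as `# firstboot runs arbitrary setup tools, so with the unconfined module loaded it gets the full unconfined domain` would record the intent. In the hunk at -63, `files_etc_filetrans_etc_runtime(firstboot_t, { file dir })` is dropped while `files_manage_etc_runtime_files(firstboot_t)` stays, so files firstboot creates under /etc presumably now keep the directory's default label instead of etc_runtime_t — worth confirming that is intended rather than an accidental labeling change. The `ifdef` block for xserver.te removed in the hunk at -131 held the only xserver transition visible in the file, so if firstboot still launches an X server that transition now has to come from elsewhere.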
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(ntp, 1.6.0)
|
policy_module(ntp, 1.6.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -117,6 +117,7 @@ optional_policy(`
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
firstboot_dontaudit_use_fds(ntpd_t)
|
firstboot_dontaudit_use_fds(ntpd_t)
|
||||||
firstboot_dontaudit_rw_pipes(ntpd_t)
|
firstboot_dontaudit_rw_pipes(ntpd_t)
|
||||||
|
firstboot_dontaudit_rw_stream_sockets(ntpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
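Review bot: The added `firstboot_dontaudit_rw_stream_sockets(ntpd_t)` silences read/write denials on a firstboot_t unix stream socket without saying how ntpd comes to hold one; the neighbouring `use_fds` and `rw_pipes` calls suggest descriptors inherited from firstboot, but nothing in the hunk states it. A short comment above the `optional_policy` block, such as `# ntpd inherits descriptors from firstboot when started from it; suppress the resulting denials`, would let the next reader tell deliberate noise suppression from a missing allow rule. This line also depends on the interface added to firstboot.if in the same commit, so the ntp module will not build against a firstboot module that predates it.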