Add the ability to send audit messages to confined admin policies

Remove permissive domain from cmirrord and dontaudit sys_tty_config
Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser
virt needs to be able to read processes to clearance for MLS
This commit is contained in:
Dan Walsh 2010-09-15 11:31:20 -04:00
parent 3b0a9c74bb
commit 9461b60657
8 changed files with 15 additions and 7 deletions


@ -37,6 +37,7 @@ files_list_var(dbadm_t)
selinux_get_enforce_mode(dbadm_t)
logging_send_syslog_msg(dbadm_t)
logging_send_audit_msgs(dbadm_t)
userdom_dontaudit_search_user_home_dirs(dbadm_t)
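Review bot: The new `logging_send_audit_msgs(dbadm_t)` carries no comment naming the admin command whose denial it resolves, and the same holds for the matching `logging_send_audit_msgs(webadm_t)` line in the webadm hunk. In reference policy this interface grants the audit_write capability plus netlink_audit_socket nlmsg_relay, i.e. the confined admin domain can now emit its own records into the audit trail, so a reviewer auditing the confined-admin roles wants to know what legitimately triggers it. A one-line comment above the call would do, e.g. `# audit_write: needed by [ADMIN-TOOL placeholder] to log its user-audit records`, filled in from the denial that prompted this change.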


@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
seutil_domtrans_setfiles(webadm_t)
logging_send_syslog_msg(webadm_t)
logging_send_audit_msgs(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)


@ -9,8 +9,6 @@ type cmirrord_t;
type cmirrord_exec_t;
init_daemon_domain(cmirrord_t, cmirrord_exec_t)
permissive cmirrord_t;
type cmirrord_initrc_exec_t;
init_script_file(cmirrord_initrc_exec_t)
@ -26,6 +24,7 @@ files_pid_file(cmirrord_var_run_t)
#
allow cmirrord_t self:capability { net_admin kill };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process signal;
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
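Review bot: The added `dontaudit cmirrord_t self:capability sys_tty_config;` comes with no explanation, and it lands in the same commit that drops `permissive cmirrord_t;` from the declarations hunk, so cmirrord_t goes enforcing while one of its denials is being silenced rather than granted. A dontaudit is the right tool only if the request is known to be spurious; presumably cmirrord probes sys_tty_config at startup and works without it, but that is inferred, not visible here. A comment would let the next maintainer tell a deliberate suppression from a forgotten permission, e.g. `# cmirrord requests sys_tty_config but does not need it; suppress the noise instead of granting it`. It would also help to record, in the commit or a comment, that the remaining AVCs from the permissive period were reviewed before the permissive line was removed.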


@ -579,10 +579,13 @@ optional_policy(`
')
optional_policy(`
unconfined_dbus_send(crond_t)
unconfined_shell_domtrans(crond_t)
unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
')
optional_policy(`
unconfined_shell_domtrans(crond_t)
unconfined_dbus_send(crond_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
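Review bot: On the visible lines the context line `userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })` sits inside the second optional_policy block, between the new `optional_policy(\`` / `unconfined_shell_domtrans(crond_t)` lines and the closing `')`, so after the split it is still conditional on the unconfined_ interfaces in that block resolving. That is a userdom rule with no dependency on unconfined_t, and if the block is ever dropped at link time (the whole point of the commit is to make these blocks droppable) system cron jobs lose the home-directory filetrans silently. If the filetrans is meant to apply regardless, move that one line out of the optional_policy block into the unconditional system_cronjob_t rules; if it is intentionally tied to the unconfined user being present, say so in a comment above it.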


@ -57,6 +57,8 @@ corenet_tcp_bind_generic_node(tgtd_t)
corenet_tcp_bind_iscsi_port(tgtd_t)
corenet_sendrecv_iscsi_server_packets(tgtd_t)
dev_search_sysfs(tgtd_t)
files_read_etc_files(tgtd_t)
fs_read_anon_inodefs_files(tgtd_t)
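Review bot: The two added lines `dev_search_sysfs(tgtd_t)` and `files_read_etc_files(tgtd_t)` are not mentioned in the commit message and carry no comment, so nothing records what tgtd looks up under sysfs or which file under /etc it reads. Both interfaces are broad relative to a single denial, and a note of the triggering access keeps later reviewers from treating them as candidates for removal or for further widening. Something like `# sysfs/etc access: [DENIAL placeholder]` above the pair, filled in from the AVC that motivated the change, would be enough.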


@ -321,6 +321,7 @@ fs_rw_hugetlbfs_files(virtd_t)
mls_fd_share_all_levels(virtd_t)
mls_file_read_to_clearance(virtd_t)
mls_file_write_to_clearance(virtd_t)
mls_process_read_to_clearance(virtd_t)
mls_process_write_to_clearance(virtd_t)
mls_net_write_within_range(virtd_t)
mls_socket_write_to_clearance(virtd_t)
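Review bot: The added `mls_process_read_to_clearance(virtd_t)` extends the list of MLS constraint overrides for virtd without a comment, and the surrounding lines already grant fd sharing across all levels and file/socket read and write up to clearance. Each of these is an exception to the MLS policy, so the visible block is effectively the record of how far virtd can reach across levels; the commit message only says virt "needs to be able to read processes", not which operation on lower-level guest processes requires it. A short comment on the new line, e.g. `# needed to inspect guest processes running below virtd's level (confirm operation)`, would keep the override auditable.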


@ -14,3 +14,4 @@ HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
HOME_DIR/\.gvfs(/.*)? <<none>>
HOME_DIR/\.debug(/.*)? <<none>>
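Review bot: The new `HOME_DIR/\.debug(/.*)? <<none>>` entry is undocumented, and `<<none>>` has a consequence worth spelling out: setfiles and restorecon skip the path entirely, so whatever context files under ~/.debug receive at creation time is never corrected by a relabel. That is the intended behaviour for a directory whose contents should keep their creation label (the neighbouring `.gvfs` entry is the same pattern), but the reason for ~/.debug specifically is not stated anywhere on the page. A comment line above it, e.g. `# ~/.debug is deliberately left unlabeled (<<none>>); restorecon leaves its contents alone` with the reason appended once confirmed, would make the choice reviewable.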


@ -123,6 +123,9 @@ template(`userdom_base_user_template',`
auth_use_nsswitch($1_usertype)
init_stream_connect($1_usertype)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_dontaudit_rw_utmp($1_usertype)
libs_exec_ld_so($1_usertype)
@ -886,9 +889,6 @@ template(`userdom_login_user_template', `
auth_dontaudit_write_login_records($1_t)
auth_rw_cache($1_t)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_dontaudit_rw_utmp($1_usertype)
# Stop warnings about access to /dev/console
init_dontaudit_use_fds($1_usertype)
init_dontaudit_use_script_fds($1_usertype)
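Review bot: Moving `init_dontaudit_rw_utmp($1_usertype)` from userdom_login_user_template into userdom_base_user_template widens the suppression to every user type built on the base template, not just login users, and the copied comment does not say so. It is only a dontaudit, so no access is granted, but it does mean write attempts on the utmp file by any user domain will no longer show up in the audit log, which matters for anyone relying on AVC records to spot tampering with login records. The removal in the second hunk also cleans up the odd mix of `$1_t` on neighbouring lines with `$1_usertype` on the removed call, which is worth a sentence in the commit message. Suggest extending the comment above the new call with `# Applies to all user types derived from the base template, not only login users.` so the wider scope is explicit; userdom_base_user_template starts and ends outside the hunk.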