Constrain transitions in MCS so unconfined_t cannot have arbitrary category sets.
This commit is contained in:
Chris PeBenito
parent
d2a9030908
commit
9779f09284
@ -1,3 +1,5 @@
|
||||
- Constrain transitions in MCS so unconfined_t cannot have
|
||||
arbitrary category sets.
|
||||
- Change reiserfs from xattr filesystem to genfscon as it's xattrs
|
||||
are currently nonfunctional.
|
||||
- Change files module to use its own interfaces to simplify the module.
|
||||
|
||||
@ -152,6 +152,9 @@ mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfro
|
||||
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
|
||||
(( h1 dom h2 ) and ( l2 eq h2 ));
|
||||
|
||||
mlsconstrain process { transition dyntransition }
|
||||
(( h1 dom h2 ) or ( t1 == mcssetcats ));
|
||||
|
||||
mlsconstrain process { ptrace }
|
||||
( h1 dom h2 );
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.3.1)
|
||||
policy_module(kernel,1.3.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -232,6 +232,8 @@ files_list_etc(kernel_t)
|
||||
files_list_home(kernel_t)
|
||||
files_read_usr_files(kernel_t)
|
||||
|
||||
mcs_process_set_categories(kernel_t)
|
||||
|
||||
mls_process_read_up(kernel_t)
|
||||
mls_process_write_down(kernel_t)
|
||||
|
||||
|
||||
@ -21,3 +21,23 @@ interface(`mcs_killall',`
|
||||
|
||||
typeattribute $1 mcskillall;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make specified domain MCS trusted
|
||||
## for setting any category set for
|
||||
## the processes it executes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain target for user exemption.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mcs_process_set_categories',`
|
||||
gen_require(`
|
||||
attribute mcssetcats;
|
||||
')
|
||||
|
||||
typeattribute $1 mcssetcats;
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mcs,1.0.0)
|
||||
policy_module(mcs,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -7,6 +7,7 @@ policy_module(mcs,1.0.0)
|
||||
#
|
||||
|
||||
attribute mcskillall;
|
||||
attribute mcssetcats;
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(getty,1.1.0)
|
||||
policy_module(getty,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -69,6 +69,8 @@ fs_search_auto_mountpoints(getty_t)
|
||||
# for error condition handling
|
||||
fs_getattr_xattr_fs(getty_t)
|
||||
|
||||
mcs_process_set_categories(getty_t)
|
||||
|
||||
mls_file_read_up(getty_t)
|
||||
mls_file_write_down(getty_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(init,1.3.2)
|
||||
policy_module(init,1.3.3)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -123,6 +123,8 @@ kernel_share_state(init_t)
|
||||
|
||||
dev_read_sysfs(init_t)
|
||||
|
||||
mcs_process_set_categories(init_t)
|
||||
|
||||
mls_process_write_down(init_t)
|
||||
|
||||
selinux_set_boolean(init_t)
|
||||
@ -368,6 +370,7 @@ miscfiles_read_localization(initrc_t)
|
||||
miscfiles_read_certs(initrc_t)
|
||||
|
||||
mcs_killall(initrc_t)
|
||||
mcs_process_set_categories(initrc_t)
|
||||
|
||||
mls_file_read_up(initrc_t)
|
||||
mls_file_write_down(initrc_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user