Constrain transitions in MCS so unconfined_t cannot have arbitrary category sets.
This commit is contained in:
parent
d2a9030908
commit
9779f09284
|
@ -1,3 +1,5 @@
|
||||||
|
- Constrain transitions in MCS so unconfined_t cannot have
|
||||||
|
arbitrary category sets.
|
||||||
- Change reiserfs from xattr filesystem to genfscon as it's xattrs
|
- Change reiserfs from xattr filesystem to genfscon as it's xattrs
|
||||||
are currently nonfunctional.
|
are currently nonfunctional.
|
||||||
- Change files module to use its own interfaces to simplify the module.
|
- Change files module to use its own interfaces to simplify the module.
|
||||||
|
|
|
@ -152,6 +152,9 @@ mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfro
|
||||||
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
|
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
|
||||||
(( h1 dom h2 ) and ( l2 eq h2 ));
|
(( h1 dom h2 ) and ( l2 eq h2 ));
|
||||||
|
|
||||||
|
mlsconstrain process { transition dyntransition }
|
||||||
|
(( h1 dom h2 ) or ( t1 == mcssetcats ));
|
||||||
|
|
||||||
mlsconstrain process { ptrace }
|
mlsconstrain process { ptrace }
|
||||||
( h1 dom h2 );
|
( h1 dom h2 );
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(kernel,1.3.1)
|
policy_module(kernel,1.3.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -232,6 +232,8 @@ files_list_etc(kernel_t)
|
||||||
files_list_home(kernel_t)
|
files_list_home(kernel_t)
|
||||||
files_read_usr_files(kernel_t)
|
files_read_usr_files(kernel_t)
|
||||||
|
|
||||||
|
mcs_process_set_categories(kernel_t)
|
||||||
|
|
||||||
mls_process_read_up(kernel_t)
|
mls_process_read_up(kernel_t)
|
||||||
mls_process_write_down(kernel_t)
|
mls_process_write_down(kernel_t)
|
||||||
|
|
||||||
|
|
|
@ -21,3 +21,23 @@ interface(`mcs_killall',`
|
||||||
|
|
||||||
typeattribute $1 mcskillall;
|
typeattribute $1 mcskillall;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified domain MCS trusted
|
||||||
|
## for setting any category set for
|
||||||
|
## the processes it executes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain target for user exemption.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mcs_process_set_categories',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mcssetcats;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mcssetcats;
|
||||||
|
')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(mcs,1.0.0)
|
policy_module(mcs,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -7,6 +7,7 @@ policy_module(mcs,1.0.0)
|
||||||
#
|
#
|
||||||
|
|
||||||
attribute mcskillall;
|
attribute mcskillall;
|
||||||
|
attribute mcssetcats;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(getty,1.1.0)
|
policy_module(getty,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -69,6 +69,8 @@ fs_search_auto_mountpoints(getty_t)
|
||||||
# for error condition handling
|
# for error condition handling
|
||||||
fs_getattr_xattr_fs(getty_t)
|
fs_getattr_xattr_fs(getty_t)
|
||||||
|
|
||||||
|
mcs_process_set_categories(getty_t)
|
||||||
|
|
||||||
mls_file_read_up(getty_t)
|
mls_file_read_up(getty_t)
|
||||||
mls_file_write_down(getty_t)
|
mls_file_write_down(getty_t)
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(init,1.3.2)
|
policy_module(init,1.3.3)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
|
@ -123,6 +123,8 @@ kernel_share_state(init_t)
|
||||||
|
|
||||||
dev_read_sysfs(init_t)
|
dev_read_sysfs(init_t)
|
||||||
|
|
||||||
|
mcs_process_set_categories(init_t)
|
||||||
|
|
||||||
mls_process_write_down(init_t)
|
mls_process_write_down(init_t)
|
||||||
|
|
||||||
selinux_set_boolean(init_t)
|
selinux_set_boolean(init_t)
|
||||||
|
@ -368,6 +370,7 @@ miscfiles_read_localization(initrc_t)
|
||||||
miscfiles_read_certs(initrc_t)
|
miscfiles_read_certs(initrc_t)
|
||||||
|
|
||||||
mcs_killall(initrc_t)
|
mcs_killall(initrc_t)
|
||||||
|
mcs_process_set_categories(initrc_t)
|
||||||
|
|
||||||
mls_file_read_up(initrc_t)
|
mls_file_read_up(initrc_t)
|
||||||
mls_file_write_down(initrc_t)
|
mls_file_write_down(initrc_t)
|
||||||
|
|
Loading…
Reference in New Issue