fix files_exec_usr_src_files

This commit is contained in:
Chris PeBenito 2005-10-07 18:48:43 +00:00
parent 4f9f30c8df
commit 99505c1c89
2 changed files with 54 additions and 20 deletions


@ -1968,6 +1968,25 @@ interface(`files_read_usr_files',`
allow $1 usr_t:{ file lnk_file } r_file_perms;
')
########################################
## <summary>
## Execute generic programs in /usr in the caller domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_exec_usr_files',`
gen_require(`
type usr_t;
')
allow $1 usr_t:dir r_dir_perms;
allow $1 usr_t:lnk_file r_file_perms;
can_exec($1,usr_t)
')
########################################
## <summary>
## Relabel a file to the type used in /usr.
@ -2041,18 +2060,15 @@ interface(`files_create_usr',`
## The type of the process performing this action.
## </param>
#
interface(`files_exec_usr_files',`
interface(`files_exec_usr_src_files',`
gen_require(`
type usr_t, src_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
allow $1 usr_t:dir search;
allow $1 src_t:dir r_dir_perms;
allow $1 src_t:lnk_file r_file_perms;
can_exec($1,src_t)
')
########################################
@ -2060,12 +2076,11 @@ interface(`files_exec_usr_files',`
# files_dontaudit_search_src(domain)
#
interface(`files_dontaudit_search_src',`
gen_require(`
type src_t;
class dir search;
')
gen_require(`
type src_t;
')
allow $1 src_t:dir search;
allow $1 src_t:dir search;
')
########################################
@ -2075,9 +2090,6 @@ interface(`files_dontaudit_search_src',`
interface(`files_read_usr_src_files',`
gen_require(`
type usr_t, src_t;
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
')
allow $1 usr_t:dir search;
@ -2086,31 +2098,54 @@ interface(`files_read_usr_src_files',`
')
########################################
#
# files_search_var(domain)
## <summary>
## Search the contents of /var.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_search_var',`
gen_require(`
type var_t;
class dir search;
')
allow $1 var_t:dir search;
')
########################################
#
# files_dontaudit_search_var(domain)
## <summary>
## Do not audit attempts to search
## the contents of /var.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_search_var',`
gen_require(`
type var_t;
class dir search;
')
dontaudit $1 var_t:dir search;
')
########################################
## <summary>
## List the contents of /var.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_list_var',`
gen_require(`
type var_t;
')
allow $1 var_t:dir r_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete directories
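Review bot: files_dontaudit_search_src (the hunk at old line 2060) keeps `allow $1 src_t:dir search;` as its rule, although its name and the files_dontaudit_search_var interface added later in this section promise a dontaudit rule; a caller that only wants denials silenced is instead granted search on /usr/src. The line should read `dontaudit $1 src_t:dir search;`, matching the var_t interface. The renamed files_exec_usr_src_files at old line 2041 begins before its hunk, so the `<summary>` describing it is not visible here; since it was written for the old files_exec_usr_files name it presumably still describes /usr and should be checked to say /usr/src.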


@ -210,7 +210,6 @@ template(`base_user_template',`
domain_dontaudit_getsession_all_domains($1_t)
files_exec_etc_files($1_t)
files_read_usr_src_files($1_t)
files_search_locks($1_t)
# old broswer_domain():
files_dontaudit_list_non_security($1_t)
@ -868,7 +867,7 @@ template(`admin_user_template',`
# for lsof
domain_getattr_all_sockets($1_t)
files_exec_usr_files($1_t)
files_exec_usr_src_files($1_t)
init_use_initctl($1_t)