fix files_exec_usr_src_files
parent
4f9f30c8df
commit
99505c1c89
@ -1968,6 +1968,25 @@ interface(`files_read_usr_files',`
|
||||
allow $1 usr_t:{ file lnk_file } r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute generic programs in /usr in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_exec_usr_files',`
|
||||
gen_require(`
|
||||
type usr_t;
|
||||
')
|
||||
|
||||
allow $1 usr_t:dir r_dir_perms;
|
||||
allow $1 usr_t:lnk_file r_file_perms;
|
||||
can_exec($1,usr_t)
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel a file to the type used in /usr.
|
||||
@ -2041,18 +2060,15 @@ interface(`files_create_usr',`
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_exec_usr_files',`
|
||||
interface(`files_exec_usr_src_files',`
|
||||
gen_require(`
|
||||
type usr_t, src_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 usr_t:dir search;
|
||||
allow $1 src_t:dir r_dir_perms;
|
||||
allow $1 src_t:lnk_file r_file_perms;
|
||||
can_exec($1,src_t)
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -2060,12 +2076,11 @@ interface(`files_exec_usr_files',`
|
||||
# files_dontaudit_search_src(domain)
|
||||
#
|
||||
interface(`files_dontaudit_search_src',`
|
||||
gen_require(`
|
||||
type src_t;
|
||||
class dir search;
|
||||
')
|
||||
gen_require(`
|
||||
type src_t;
|
||||
')
|
||||
|
||||
allow $1 src_t:dir search;
|
||||
allow $1 src_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -2075,9 +2090,6 @@ interface(`files_dontaudit_search_src',`
|
||||
interface(`files_read_usr_src_files',`
|
||||
gen_require(`
|
||||
type usr_t, src_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 usr_t:dir search;
|
||||
@ -2086,31 +2098,54 @@ interface(`files_read_usr_src_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_search_var(domain)
|
||||
## <summary>
|
||||
## Search the contents of /var.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_search_var',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_dontaudit_search_var(domain)
|
||||
## <summary>
|
||||
## Do not audit attempts to search
|
||||
## the contents of /var.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_search_var',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 var_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of /var.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_var',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete directories
|
||||
|
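Review bot: `files_dontaudit_search_src` (hunk at -2060) still emits `allow $1 src_t:dir search;` on both renderings of the rule line. A domain that calls it to silence denials is therefore granted search on `src_t` directories instead. The hunk appears to drop only the `class dir search;` require, so the mismatch between the name and the rule survives this commit. The rule should read `dontaudit $1 src_t:dir search;`, as `files_dontaudit_search_var` does later in the same file. Callers that came to depend on the accidental grant would need to be checked and given an explicit search interface when this is corrected.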
@ -210,7 +210,6 @@ template(`base_user_template',`
|
||||
domain_dontaudit_getsession_all_domains($1_t)
|
||||
|
||||
files_exec_etc_files($1_t)
|
||||
files_read_usr_src_files($1_t)
|
||||
files_search_locks($1_t)
|
||||
# old broswer_domain():
|
||||
files_dontaudit_list_non_security($1_t)
|
||||
@ -868,7 +867,7 @@ template(`admin_user_template',`
|
||||
# for lsof
|
||||
domain_getattr_all_sockets($1_t)
|
||||
|
||||
files_exec_usr_files($1_t)
|
||||
files_exec_usr_src_files($1_t)
|
||||
|
||||
init_use_initctl($1_t)
|
||||
|
||||
|