fix files_exec_usr_src_files
parent
4f9f30c8df
commit
99505c1c89
@ -1968,6 +1968,25 @@ interface(`files_read_usr_files',`
|
|||||||
allow $1 usr_t:{ file lnk_file } r_file_perms;
|
allow $1 usr_t:{ file lnk_file } r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute generic programs in /usr in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_exec_usr_files',`
|
||||||
|
gen_require(`
|
||||||
|
type usr_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 usr_t:dir r_dir_perms;
|
||||||
|
allow $1 usr_t:lnk_file r_file_perms;
|
||||||
|
can_exec($1,usr_t)
|
||||||
|
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Relabel a file to the type used in /usr.
|
## Relabel a file to the type used in /usr.
|
||||||
@ -2041,18 +2060,15 @@ interface(`files_create_usr',`
|
|||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`files_exec_usr_files',`
|
interface(`files_exec_usr_src_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type usr_t, src_t;
|
type usr_t, src_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 usr_t:dir search;
|
allow $1 usr_t:dir search;
|
||||||
allow $1 src_t:dir r_dir_perms;
|
allow $1 src_t:dir r_dir_perms;
|
||||||
allow $1 src_t:lnk_file r_file_perms;
|
allow $1 src_t:lnk_file r_file_perms;
|
||||||
can_exec($1,src_t)
|
can_exec($1,src_t)
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -2060,12 +2076,11 @@ interface(`files_exec_usr_files',`
|
|||||||
# files_dontaudit_search_src(domain)
|
# files_dontaudit_search_src(domain)
|
||||||
#
|
#
|
||||||
interface(`files_dontaudit_search_src',`
|
interface(`files_dontaudit_search_src',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type src_t;
|
type src_t;
|
||||||
class dir search;
|
')
|
||||||
')
|
|
||||||
|
|
||||||
allow $1 src_t:dir search;
|
allow $1 src_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -2075,9 +2090,6 @@ interface(`files_dontaudit_search_src',`
|
|||||||
interface(`files_read_usr_src_files',`
|
interface(`files_read_usr_src_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type usr_t, src_t;
|
type usr_t, src_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
class lnk_file r_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 usr_t:dir search;
|
allow $1 usr_t:dir search;
|
||||||
@ -2086,31 +2098,54 @@ interface(`files_read_usr_src_files',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <summary>
|
||||||
# files_search_var(domain)
|
## Search the contents of /var.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`files_search_var',`
|
interface(`files_search_var',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t;
|
type var_t;
|
||||||
class dir search;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 var_t:dir search;
|
allow $1 var_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <summary>
|
||||||
# files_dontaudit_search_var(domain)
|
## Do not audit attempts to search
|
||||||
|
## the contents of /var.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`files_dontaudit_search_var',`
|
interface(`files_dontaudit_search_var',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t;
|
type var_t;
|
||||||
class dir search;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 var_t:dir search;
|
dontaudit $1 var_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## List the contents of /var.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_list_var',`
|
||||||
|
gen_require(`
|
||||||
|
type var_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 var_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete directories
|
## Create, read, write, and delete directories
|
||||||
|
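Review bot: The new `files_exec_usr_files` interface in the first hunk (`@ -1968,6 +1968,25 @@`) grants `allow $1 usr_t:dir r_dir_perms;` next to `can_exec($1,usr_t)`, which is broader than the `allow $1 usr_t:dir search;` that the sibling `files_exec_usr_src_files` in the second hunk uses for the same traversal purpose. If callers only need to run programs whose path they already know, `search` is sufficient and directory listing can be granted separately by the callers that need it; if listing is intended, the summary should say so. Because usr_t is the type used for generic /usr content, `can_exec($1,usr_t)` makes every file carrying that label executable in the caller domain, so a line in the `<summary>` block such as `## Note: this grants execute on any file labeled usr_t; prefer a more specific interface where one exists.` would help policy authors judge whether a domain really needs it. The same hunk's `## The type of the process performing this action.` parameter text also differs from the `## Domain allowed access.` wording introduced for the /var interfaces in the last hunk of this file; settling on one keeps the generated documentation consistent.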
@ -210,7 +210,6 @@ template(`base_user_template',`
|
|||||||
domain_dontaudit_getsession_all_domains($1_t)
|
domain_dontaudit_getsession_all_domains($1_t)
|
||||||
|
|
||||||
files_exec_etc_files($1_t)
|
files_exec_etc_files($1_t)
|
||||||
files_read_usr_src_files($1_t)
|
|
||||||
files_search_locks($1_t)
|
files_search_locks($1_t)
|
||||||
# old broswer_domain():
|
# old broswer_domain():
|
||||||
files_dontaudit_list_non_security($1_t)
|
files_dontaudit_list_non_security($1_t)
|
||||||
@ -868,7 +867,7 @@ template(`admin_user_template',`
|
|||||||
# for lsof
|
# for lsof
|
||||||
domain_getattr_all_sockets($1_t)
|
domain_getattr_all_sockets($1_t)
|
||||||
|
|
||||||
files_exec_usr_files($1_t)
|
files_exec_usr_src_files($1_t)
|
||||||
|
|
||||||
init_use_initctl($1_t)
|
init_use_initctl($1_t)
|
||||||
|
|
||||||
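Review bot: The hunk at `@ -210,7 +210,6 @@ template(`base_user_template',`` removes `files_read_usr_src_files($1_t)` from every domain built from base_user_template, which is a permission change unrelated to the rename the commit title describes and is not mentioned in the message. If dropping read access to /usr/src for these users is intended, it deserves a sentence in the commit message so the behavior change is traceable; if it is accidental, the call should be restored. The `files_exec_usr_files($1_t)` to `files_exec_usr_src_files($1_t)` change in admin_user_template preserves the admin domain's existing src_t execute access under the corrected name, matching the interface rename in the interface-file hunks above.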
|