rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

reorder

Browse Source
This commit is contained in:
Chris PeBenito 2005-06-09 21:07:58 +00:00
parent d6b0f3712f
commit a154cd45f3
2 changed files with 25 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
refpolicy/policy/modules/kernel/kernel.te
View File

@ -193,8 +193,25 @@ allow kernel_t security_t:file rw_file_perms;
allow kernel_t security_t:security load_policy; allow kernel_t security_t:security load_policy;
auditallow kernel_t security_t:security load_policy; auditallow kernel_t security_t:security load_policy;
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
corenet_raw_sendrecv_all_nodes(kernel_t)
# Kernel-generated traffic e.g., TCP resets:
corenet_raw_sendrecv_all_ifaces(kernel_t)
corenet_raw_sendrecv_all_nodes(kernel_t)
terminal_use_console(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
corecommands_execute_shell(kernel_t) corecommands_execute_shell(kernel_t)
corecommands_read_system_programs_directory(kernel_t) corecommands_read_system_programs_directory(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
corecommands_execute_general_programs(kernel_t)
domain_signal_all_domains(kernel_t)
files_read_root_dir(kernel_t) files_read_root_dir(kernel_t)
files_list_home_directories(kernel_t) files_list_home_directories(kernel_t)
@ -205,39 +222,15 @@ init_sigchld(kernel_t)
libraries_use_dynamic_loader(kernel_t) libraries_use_dynamic_loader(kernel_t)
libraries_use_shared_libraries(kernel_t) libraries_use_shared_libraries(kernel_t)
selinux_read_config(kernel_t)
selinux_read_binary_policy(kernel_t)
terminal_use_console(kernel_t)
domain_signal_all_domains(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
corecommands_execute_general_programs(kernel_t)
logging_send_system_log_message(kernel_t) logging_send_system_log_message(kernel_t)
# Kernel-generated traffic, e.g. ICMP replies. selinux_read_config(kernel_t)
corenetwork_sendrecv_raw_on_all_interfaces(kernel_t) selinux_read_binary_policy(kernel_t)
corenetwork_sendrecv_raw_on_all_nodes(kernel_t)
# Kernel-generated traffic, e.g. TCP resets.
corenetwork_sendrecv_tcp_on_all_interfaces(kernel_t)
corenetwork_sendrecv_tcp_on_all_nodes(kernel_t)
neverallow ~can_load_policy security_t:security load_policy; neverallow ~can_load_policy security_t:security load_policy;
neverallow ~can_setenforce security_t:security setenforce; neverallow ~can_setenforce security_t:security setenforce;
neverallow ~can_setsecparam security_t:security setsecparam; neverallow ~can_setsecparam security_t:security setsecparam;
neverallow ~can_load_kernmodule self:capability sys_module;
# enabling dyntransition breaks process tranquility. If you dont
# know what this means or dont understand the implications of a
# dynamic transition, you shouldnt be using it!!!
neverallow * *:process { setcurrent dyntransition };
neverallow ~can_load_kernmodule *:capability sys_module;
######################################## ########################################
# #

5
refpolicy/policy/modules/system/domain.te
View File

@ -11,3 +11,8 @@ attribute entry_type;
attribute privfd; attribute privfd;
neverallow domain ~domain:process { transition dyntransition }; neverallow domain ~domain:process { transition dyntransition };
# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow * *:process setcurrent;