add disable_trans support
This commit is contained in:
parent
1f91e1bfe5
commit
b03f960ece
@ -1,3 +1,4 @@
|
|||||||
|
- Add disable_*_trans bool support for targeted policy.
|
||||||
- Add MLS module to handle MLS constraint exceptions,
|
- Add MLS module to handle MLS constraint exceptions,
|
||||||
such as reading up and writing down.
|
such as reading up and writing down.
|
||||||
- Fix errors uncovered by sediff.
|
- Fix errors uncovered by sediff.
|
||||||
|
@ -57,9 +57,6 @@ interface(`init_daemon_domain',`
|
|||||||
attribute direct_run_init, direct_init, direct_init_entry;
|
attribute direct_run_init, direct_init, direct_init_entry;
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
role system_r;
|
role system_r;
|
||||||
class fifo_file rw_file_perms;
|
|
||||||
class fd use;
|
|
||||||
class process { noatsecure siginh rlimitinh sigchld };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
domain_type($1)
|
domain_type($1)
|
||||||
@ -67,14 +64,6 @@ interface(`init_daemon_domain',`
|
|||||||
|
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
domain_auto_trans(initrc_t,$2,$1)
|
|
||||||
|
|
||||||
allow initrc_t $1:fd use;
|
|
||||||
allow initrc_t $1:process { noatsecure siginh rlimitinh };
|
|
||||||
allow $1 initrc_t:fd use;
|
|
||||||
allow $1 initrc_t:fifo_file rw_file_perms;
|
|
||||||
allow $1 initrc_t:process sigchld;
|
|
||||||
|
|
||||||
ifdef(`direct_sysadm_daemon',`
|
ifdef(`direct_sysadm_daemon',`
|
||||||
domain_auto_trans(direct_run_init,$2,$1)
|
domain_auto_trans(direct_run_init,$2,$1)
|
||||||
|
|
||||||
@ -95,6 +84,31 @@ interface(`init_daemon_domain',`
|
|||||||
files_dontaudit_read_root_file($1)
|
files_dontaudit_read_root_file($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
# this regex is a hack, since it assumes there is a
|
||||||
|
# _t at the end of the domain type. If there is no _t
|
||||||
|
# at the end of the type, it returns empty!
|
||||||
|
bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false;
|
||||||
|
if(! regexp($1, `\(\w+\)_t', `disable_\1_trans') ) {
|
||||||
|
domain_auto_trans(initrc_t,$2,$1)
|
||||||
|
allow initrc_t $1:fd use;
|
||||||
|
allow initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||||
|
allow $1 initrc_t:fd use;
|
||||||
|
allow $1 initrc_t:fifo_file rw_file_perms;
|
||||||
|
allow $1 initrc_t:process sigchld;
|
||||||
|
} else {
|
||||||
|
can_exec(initrc_t,$2)
|
||||||
|
can_exec(direct_run_init,$2)
|
||||||
|
}
|
||||||
|
',`
|
||||||
|
domain_auto_trans(initrc_t,$2,$1)
|
||||||
|
allow initrc_t $1:fd use;
|
||||||
|
allow initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||||
|
allow $1 initrc_t:fd use;
|
||||||
|
allow $1 initrc_t:fifo_file rw_file_perms;
|
||||||
|
allow $1 initrc_t:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nscd.te',`
|
optional_policy(`nscd.te',`
|
||||||
nscd_use_socket($1)
|
nscd_use_socket($1)
|
||||||
')
|
')
|
||||||
|
Loading…
Reference in New Issue
Block a user