add disable_trans support
This commit is contained in:
parent
1f91e1bfe5
commit
b03f960ece
@ -1,3 +1,4 @@
- Add disable_*_trans bool support for targeted policy.
- Add MLS module to handle MLS constraint exceptions,
such as reading up and writing down.
- Fix errors uncovered by sediff.
@ -57,9 +57,6 @@ interface(`init_daemon_domain',`
attribute direct_run_init, direct_init, direct_init_entry;
type initrc_t;
role system_r;
class fifo_file rw_file_perms;
class fd use;
class process { noatsecure siginh rlimitinh sigchld };
')
domain_type($1)
@ -67,14 +64,6 @@ interface(`init_daemon_domain',`
role system_r types $1;
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
ifdef(`direct_sysadm_daemon',`
domain_auto_trans(direct_run_init,$2,$1)
@ -95,6 +84,31 @@ interface(`init_daemon_domain',`
files_dontaudit_read_root_file($1)
')
ifdef(`targeted_policy',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false;
if(! regexp($1, `\(\w+\)_t', `disable_\1_trans') ) {
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
} else {
can_exec(initrc_t,$2)
can_exec(direct_run_init,$2)
}
',`
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
')
optional_policy(`nscd.te',`
nscd_use_socket($1)
')
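Review bot: The declaration `bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false;` in the targeted_policy branch expands to `bool  false;` whenever $1 lacks a `_t` suffix, which the preceding comment admits but leaves as an opaque build-time syntax error; make the failure explicit and compute the name once rather than repeating the regexp on the `if(! ...)` line, e.g. `ifelse(regexp($1, `_t$'), -1, `errprint(`init_daemon_domain: $1 has no _t suffix')', ...)` around the declaration and the conditional. The bool also gates only the initrc_t path: `domain_auto_trans(direct_run_init,$2,$1)` in the unchanged `direct_sysadm_daemon' block above still applies unconditionally, so with disable_*_trans set a daemon started via direct_run_init still transitions into $1 while the else branch additionally grants `can_exec(direct_run_init,$2)`; if that asymmetry is intended, a one-line comment there saying so would save the next reader the same question. If this interface is ever invoked twice for the same domain with different entry-point types, the bool would be declared twice (callers are not visible from here). The enclosing `init_daemon_domain' interface starts before these hunks.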