more conversion due to new interfaces
parent
3ce6cb4a45
commit
b2e0625ca1
@ -279,6 +279,11 @@ optional_policy(`consoletype.te',`
|
|||||||
consoletype_transition(initrc_t)
|
consoletype_transition(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`modutils.te',`
|
||||||
|
modutils_depmod_transition(initrc_t)
|
||||||
|
modutils_update_modules_transition(initrc_t)
|
||||||
|
')
|
||||||
|
|
||||||
tunable_policy(`distro_redhat',`
|
tunable_policy(`distro_redhat',`
|
||||||
kernel_set_selinux_enforcement_mode(initrc_t)
|
kernel_set_selinux_enforcement_mode(initrc_t)
|
||||||
|
|
||||||
|
@ -75,7 +75,12 @@ files_read_general_system_config(insmod_t)
|
|||||||
files_read_general_application_resources(insmod_t)
|
files_read_general_application_resources(insmod_t)
|
||||||
files_execute_system_config_script(insmod_t)
|
files_execute_system_config_script(insmod_t)
|
||||||
|
|
||||||
|
init_use_file_descriptors(insmod_t)
|
||||||
|
init_script_use_file_descriptors(insmod_t)
|
||||||
|
init_script_use_pseudoterminal(insmod_t)
|
||||||
|
|
||||||
domain_signal_all_domains(insmod_t)
|
domain_signal_all_domains(insmod_t)
|
||||||
|
domain_use_widely_inheritable_file_descriptors(insmod_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(insmod_t)
|
libraries_use_dynamic_loader(insmod_t)
|
||||||
libraries_read_shared_libraries(insmod_t)
|
libraries_read_shared_libraries(insmod_t)
|
||||||
@ -92,22 +97,13 @@ optional_policy(`mount.te',`
|
|||||||
mount_transition(insmod_t)
|
mount_transition(insmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
#
|
ifdef(`TODO',`
|
||||||
#
|
|
||||||
# TODO rules:
|
|
||||||
#
|
|
||||||
#
|
|
||||||
ifdef(`TODO_list',`
|
|
||||||
|
|
||||||
# for loading modules at boot time
|
|
||||||
allow insmod_t { init_t initrc_t }:fd use;
|
|
||||||
allow insmod_t initrc_t:fifo_file { getattr read write };
|
allow insmod_t initrc_t:fifo_file { getattr read write };
|
||||||
|
|
||||||
allow insmod_t lib_t:file { getattr read };
|
allow insmod_t lib_t:file { getattr read };
|
||||||
allow insmod_t { var_t var_log_t }:dir search;
|
allow insmod_t { var_t var_log_t }:dir search;
|
||||||
|
|
||||||
allow insmod_t privfd:fd use;
|
|
||||||
|
|
||||||
allow insmod_t apm_bios_t:chr_file { read write };
|
allow insmod_t apm_bios_t:chr_file { read write };
|
||||||
|
|
||||||
allow insmod_t sound_device_t:chr_file { read ioctl write };
|
allow insmod_t sound_device_t:chr_file { read ioctl write };
|
||||||
@ -120,8 +116,7 @@ allow insmod_t sysfs_t:dir search;
|
|||||||
allow insmod_t usbfs_t:dir search;
|
allow insmod_t usbfs_t:dir search;
|
||||||
allow insmod_t usbfs_t:filesystem mount;
|
allow insmod_t usbfs_t:filesystem mount;
|
||||||
|
|
||||||
allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write };
|
allow insmod_t admin_tty_type:chr_file { getattr read write };
|
||||||
allow insmod_t devpts_t:dir { getattr search };
|
|
||||||
|
|
||||||
# for when /var is not mounted early in the boot
|
# for when /var is not mounted early in the boot
|
||||||
dontaudit insmod_t file_t:dir search;
|
dontaudit insmod_t file_t:dir search;
|
||||||
@ -129,7 +124,7 @@ dontaudit insmod_t file_t:dir search;
|
|||||||
# for nscd
|
# for nscd
|
||||||
dontaudit insmod_t var_run_t:dir search;
|
dontaudit insmod_t var_run_t:dir search;
|
||||||
|
|
||||||
') dnl if TODO_list
|
') dnl if TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -142,11 +137,10 @@ allow depmod_t depmod_exec_t:file { getattr read execute execute_no_trans };
|
|||||||
allow depmod_t modules_conf_t:file { getattr read };
|
allow depmod_t modules_conf_t:file { getattr read };
|
||||||
|
|
||||||
allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
|
||||||
|
|
||||||
kernel_read_system_state(depmod_t)
|
kernel_read_system_state(depmod_t)
|
||||||
|
|
||||||
bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
|
|
||||||
|
|
||||||
filesystem_get_persistent_filesystem_attributes(depmod_t)
|
filesystem_get_persistent_filesystem_attributes(depmod_t)
|
||||||
|
|
||||||
terminal_use_console(depmod_t)
|
terminal_use_console(depmod_t)
|
||||||
@ -154,28 +148,27 @@ terminal_use_console(depmod_t)
|
|||||||
bootloader_read_kernel_symbol_table(depmod_t)
|
bootloader_read_kernel_symbol_table(depmod_t)
|
||||||
bootloader_read_kernel_modules(depmod_t)
|
bootloader_read_kernel_modules(depmod_t)
|
||||||
|
|
||||||
|
init_use_file_descriptors(depmod_t)
|
||||||
|
init_script_use_file_descriptors(depmod_t)
|
||||||
|
init_script_use_pseudoterminal(depmod_t)
|
||||||
|
|
||||||
|
domain_use_widely_inheritable_file_descriptors(depmod_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(depmod_t)
|
files_read_runtime_system_config(depmod_t)
|
||||||
files_read_general_system_config(depmod_t)
|
files_read_general_system_config(depmod_t)
|
||||||
|
files_read_system_source_code(depmod_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(depmod_t)
|
libraries_use_dynamic_loader(depmod_t)
|
||||||
libraries_read_shared_libraries(depmod_t)
|
libraries_read_shared_libraries(depmod_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
r_dir_file(depmod_t, src_t)
|
|
||||||
|
|
||||||
domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
|
|
||||||
allow depmod_t { bin_t sbin_t }:dir search;
|
allow depmod_t { bin_t sbin_t }:dir search;
|
||||||
|
|
||||||
domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
|
domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
|
||||||
|
|
||||||
# Inherit and use descriptors from init and login programs.
|
|
||||||
allow depmod_t { init_t privfd }:fd use;
|
|
||||||
|
|
||||||
# read system.map
|
|
||||||
allow depmod_t boot_t:file { getattr read };
|
|
||||||
|
|
||||||
# Access terminals.
|
# Access terminals.
|
||||||
allow depmod_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
|
allow depmod_t admin_tty_type:chr_file rw_file_perms;
|
||||||
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
|
||||||
|
|
||||||
# Read System.map from home directories.
|
# Read System.map from home directories.
|
||||||
@ -195,9 +188,12 @@ allow update_modules_t modules_dep_t:file { getattr read write };
|
|||||||
allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans };
|
allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans };
|
||||||
allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans };
|
allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans };
|
||||||
|
|
||||||
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
|
# manage module loading configuration
|
||||||
allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
|
||||||
|
files_create_private_config(update_modules_t,modules_conf_t)
|
||||||
|
|
||||||
|
# transition to depmod
|
||||||
allow update_modules_t depmod_exec_t:file { getattr read execute };
|
allow update_modules_t depmod_exec_t:file { getattr read execute };
|
||||||
type_transition update_modules_t depmod_exec_t:process depmod_t;
|
type_transition update_modules_t depmod_exec_t:process depmod_t;
|
||||||
|
|
||||||
@ -214,6 +210,12 @@ filesystem_get_persistent_filesystem_attributes(update_modules_t)
|
|||||||
terminal_use_console(update_modules_t)
|
terminal_use_console(update_modules_t)
|
||||||
terminal_use_controlling_terminal(update_modules_t)
|
terminal_use_controlling_terminal(update_modules_t)
|
||||||
|
|
||||||
|
init_use_file_descriptors(depmod_t)
|
||||||
|
init_script_use_file_descriptors(depmod_t)
|
||||||
|
init_script_use_pseudoterminal(depmod_t)
|
||||||
|
|
||||||
|
domain_use_widely_inheritable_file_descriptors(depmod_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(update_modules_t)
|
files_read_runtime_system_config(update_modules_t)
|
||||||
files_read_general_system_config(update_modules_t)
|
files_read_general_system_config(update_modules_t)
|
||||||
files_execute_system_config_script(update_modules_t)
|
files_execute_system_config_script(update_modules_t)
|
||||||
@ -232,18 +234,9 @@ miscfiles_read_localization(update_modules_t)
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role sysadm_r types update_modules_t;
|
role sysadm_r types update_modules_t;
|
||||||
|
domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t)
|
||||||
domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t)
|
allow update_modules_t admin_tty_type:chr_file rw_file_perms;
|
||||||
allow update_modules_t privfd:fd use;
|
|
||||||
allow update_modules_t init_t:fd use;
|
|
||||||
|
|
||||||
allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
|
|
||||||
allow update_modules_t devpts_t:dir search;
|
|
||||||
|
|
||||||
dontaudit update_modules_t sysadm_home_dir_t:dir search;
|
dontaudit update_modules_t sysadm_home_dir_t:dir search;
|
||||||
|
|
||||||
allow update_modules_t lib_t:file { getattr read };
|
allow update_modules_t lib_t:file { getattr read };
|
||||||
|
|
||||||
file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file)
|
|
||||||
|
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
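Review bot: The four interface calls added in hunk `@ -214,6 +210,12 @@` name `depmod_t` although they sit in the update_modules_t block (between `terminal_use_controlling_terminal(update_modules_t)` and `files_read_runtime_system_config(update_modules_t)`), so update_modules_t never receives the init/init-script file-descriptor and pseudoterminal access while depmod_t receives it a second time (the same four calls are already added for depmod_t in hunk `@ -154,28 +148,27 @@`). This matters because the next hunk, `@ -232,18 +234,9 @@`, removes the raw rules that previously granted exactly that access to update_modules_t (`allow update_modules_t privfd:fd use;`, `allow update_modules_t init_t:fd use;`, `allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;`), so after this commit update_modules_t is likely to be denied those descriptors when started from initrc_t via the new `modutils_update_modules_transition(initrc_t)`; the duplicate depmod_t rules themselves are harmless. The subject argument on all four lines should be `update_modules_t`, as below.
```m4
terminal_use_controlling_terminal(update_modules_t)

init_use_file_descriptors(update_modules_t)
init_script_use_file_descriptors(update_modules_t)
init_script_use_pseudoterminal(update_modules_t)

domain_use_widely_inheritable_file_descriptors(update_modules_t)

# … unchanged: files_read_* and files_execute_system_config_script calls for update_modules_t …
```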