move selinux to selinuxutil
This commit is contained in:
parent
8bd6789954
commit
be4a8011d4
@ -1,40 +0,0 @@
|
||||
|
||||
#
|
||||
# /etc
|
||||
#
|
||||
/etc/selinux(/.*)? context_template(system_u:object_r:selinux_config_t,s0)
|
||||
|
||||
/etc/selinux/([^/]*/)?contexts(/.*)? context_template(system_u:object_r:default_context_t,s0)
|
||||
|
||||
/etc/selinux/([^/]*/)?contexts/files(/.*)? context_template(system_u:object_r:file_context_t,s0)
|
||||
|
||||
/etc/selinux/([^/]*/)?policy(/.*)? context_template(system_u:object_r:policy_config_t,s0)
|
||||
|
||||
/etc/selinux/([^/]*/)?src(/.*)? context_template(system_u:object_r:policy_src_t,s0)
|
||||
|
||||
#
|
||||
# /root
|
||||
#
|
||||
/root/\.default_contexts -- context_template(system_u:object_r:default_context_t,s0)
|
||||
|
||||
#
|
||||
# /sbin
|
||||
#
|
||||
/sbin/load_policy -- context_template(system_u:object_r:load_policy_exec_t,s0)
|
||||
/sbin/restorecon -- context_template(system_u:object_r:restorecon_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/checkpolicy -- context_template(system_u:object_r:checkpolicy_exec_t,s0)
|
||||
/usr/bin/newrole -- context_template(system_u:object_r:newrole_exec_t,s0)
|
||||
|
||||
/usr/lib(64)?/selinux(/.*)? context_template(system_u:object_r:policy_src_t,s0)
|
||||
|
||||
/usr/sbin/load_policy -- context_template(system_u:object_r:load_policy_exec_t,s0)
|
||||
/usr/sbin/run_init -- context_template(system_u:object_r:run_init_exec_t,s0)
|
||||
/usr/sbin/setfiles.* -- context_template(system_u:object_r:setfiles_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
/usr/share/selinux(/.*)? context_template(system_u:object_r:policy_src_t,s0)
|
||||
')
|
@ -1,744 +0,0 @@
|
||||
## <module name="selinux" layer="system">
|
||||
## <summary>Policy for SELinux policy and userland applications.</summary>
|
||||
|
||||
#######################################
|
||||
## <interface name="selinux_domtrans_checkpol">
|
||||
## <description>
|
||||
## Execute checkpolicy in the checkpolicy domain.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_checkpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 checkpolicy_exec_t:file rx_file_perms;
|
||||
allow $1 checkpolicy_t:process transition;
|
||||
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
|
||||
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
|
||||
|
||||
allow $1 checkpolicy_t:fd use;
|
||||
allow checkpolicy_t $1:fd use;
|
||||
allow checkpolicy_t $1:fifo_file rw_file_perms;
|
||||
allow checkpolicy_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_checkpol_depend',`
|
||||
type checkpolicy_t, checkpolicy_exec_t;
|
||||
|
||||
class file rx_file_perms
|
||||
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_checkpol">
|
||||
## <description>
|
||||
## Execute checkpolicy in the checkpolicy domain, and
|
||||
## allow the specified role the checkpolicy domain,
|
||||
## and use the caller's terminal.
|
||||
## Has a SIGCHLD signal backchannel.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <parameter name="role">
|
||||
## The role to be allowed the checkpolicy domain.
|
||||
## </parameter>
|
||||
## <parameter name="terminal">
|
||||
## The type of the terminal allow the checkpolicy domain to use.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_checkpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_checkpol($1)
|
||||
role $2 types checkpolicy_t;
|
||||
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_checkpol_depend',`
|
||||
type checkpolicy_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_exec_checkpol(domain)
|
||||
#
|
||||
define(`selinux_exec_checkpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
can_exec($1,checkpolicy_exec_t)
|
||||
')
|
||||
|
||||
define(`selinux_exec_checkpol_depend',`
|
||||
type checkpolicy_exec_t;
|
||||
|
||||
class file { rx_file_perms execute_no_trans };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="selinux_domtrans_loadpol">
|
||||
## <description>
|
||||
## Execute load_policy in the load_policy domain.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_loadpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 load_policy_exec_t:file rx_file_perms;
|
||||
allow $1 load_policy_t:process transition;
|
||||
type_transition $1 load_policy_exec_t:process load_policy_t;
|
||||
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
|
||||
|
||||
allow $1 load_policy_t:fd use;
|
||||
allow load_policy_t $1:fd use;
|
||||
allow load_policy_t $1:fifo_file rw_file_perms;
|
||||
allow load_policy_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_loadpol_depend',`
|
||||
type load_policy_t, load_policy_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_loadpol">
|
||||
## <description>
|
||||
## Execute load_policy in the load_policy domain, and
|
||||
## allow the specified role the load_policy domain,
|
||||
## and use the caller's terminal.
|
||||
## Has a SIGCHLD signal backchannel.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <parameter name="role">
|
||||
## The role to be allowed the load_policy domain.
|
||||
## </parameter>
|
||||
## <parameter name="terminal">
|
||||
## The type of the terminal allow the load_policy domain to use.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_loadpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_loadpol($1)
|
||||
role $2 types load_policy_t;
|
||||
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_loadpol_depend',`
|
||||
type load_policy_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_exec_loadpol(domain)
|
||||
#
|
||||
define(`selinux_exec_loadpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
can_exec($1,load_policy_exec_t)
|
||||
')
|
||||
|
||||
define(`selinux_exec_loadpol_depend',`
|
||||
type load_policy_exec_t;
|
||||
|
||||
class file { rx_file_perms execute_no_trans };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_read_loadpol(domain)
|
||||
#
|
||||
define(`selinux_read_loadpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 load_policy_exec_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_loadpol_depend',`
|
||||
type load_policy_exec_t;
|
||||
|
||||
class file r_file_perms
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="selinux_domtrans_newrole">
|
||||
## <description>
|
||||
## Execute newrole in the load_policy domain.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_newrole',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 newrole_exec_t:file rx_file_perms;
|
||||
allow $1 newrole_t:process transition;
|
||||
type_transition $1 newrole_exec_t:process newrole_t;
|
||||
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
|
||||
|
||||
allow $1 newrole_t:fd use;
|
||||
allow newrole_t $1:fd use;
|
||||
allow newrole_t $1:fifo_file rw_file_perms;
|
||||
allow newrole_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_newrole_depend',`
|
||||
type newrole_t, newrole_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_newrole">
|
||||
## <description>
|
||||
## Execute newrole in the newrole domain, and
|
||||
## allow the specified role the newrole domain,
|
||||
## and use the caller's terminal.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <parameter name="role">
|
||||
## The role to be allowed the newrole domain.
|
||||
## </parameter>
|
||||
## <parameter name="terminal">
|
||||
## The type of the terminal allow the newrole domain to use.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_newrole',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_newrole($1)
|
||||
role $2 types newrole_t;
|
||||
allow newrole_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_newrole_depend',`
|
||||
type newrole_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_exec_newrole(domain)
|
||||
#
|
||||
define(`selinux_exec_newrole',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
can_exec($1,newrole_exec_t)
|
||||
')
|
||||
|
||||
define(`selinux_exec_newrole_depend',`
|
||||
type newrole_t, newrole_exec_t;
|
||||
|
||||
class file { rx_file_perms execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_dontaudit_newrole_signal">
|
||||
## <description>
|
||||
## Do not audit the caller attempts to send
|
||||
## a signal to newrole.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_dontaudit_newrole_signal',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
dontaudit $1 newrole_t:process signal;
|
||||
')
|
||||
|
||||
define(`selinux_dontaudit_newrole_signal_depend',`
|
||||
type newrole_t;
|
||||
|
||||
class process signal;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_newrole_sigchld(domain)
|
||||
#
|
||||
define(`selinux_newrole_sigchld',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 newrole_t:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_newrole_sigchld_depend',`
|
||||
type newrole_t;
|
||||
|
||||
class process sigchld;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_use_newrole_fd(domain)
|
||||
#
|
||||
define(`selinux_use_newrole_fd',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 newrole_t:fd use;
|
||||
')
|
||||
|
||||
define(`selinux_use_newrole_fd_depend',`
|
||||
type newrole_t;
|
||||
|
||||
class fd use;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="selinux_domtrans_restorecon">
|
||||
## <description>
|
||||
## Execute restorecon in the restorecon domain.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_restorecon',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 restorecon_exec_t:file rx_file_perms;
|
||||
allow $1 restorecon_t:process transition;
|
||||
type_transition $1 restorecon_exec_t:process restorecon_t;
|
||||
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
|
||||
|
||||
allow $1 restorecon_t:fd use;
|
||||
allow restorecon_t $1:fd use;
|
||||
allow restorecon_t $1:fifo_file rw_file_perms;
|
||||
allow restorecon_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_restorecon_depend',`
|
||||
type restorecon_t, restorecon_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_restorecon">
|
||||
## <description>
|
||||
## Execute restorecon in the restorecon domain, and
|
||||
## allow the specified role the restorecon domain,
|
||||
## and use the caller's terminal.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <parameter name="role">
|
||||
## The role to be allowed the restorecon domain.
|
||||
## </parameter>
|
||||
## <parameter name="terminal">
|
||||
## The type of the terminal allow the restorecon domain to use.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_restorecon',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_restorecon($1)
|
||||
role $2 types restorecon_t;
|
||||
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_restorecon_depend',`
|
||||
type restorecon_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_exec_restorecon(domain)
|
||||
#
|
||||
define(`selinux_exec_restorecon',`
|
||||
gen_require(`$0'_depend)
|
||||
can_exec($1,restorecon_exec_t)
|
||||
')
|
||||
|
||||
define(`selinux_exec_restorecon_depend',`
|
||||
type restorecon_t, restorecon_exec_t;
|
||||
|
||||
class file { rx_file_perms execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_domtrans_runinit">
|
||||
## <description>
|
||||
## Execute run_init in the run_init domain.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_runinit',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 run_init_exec_t:file rx_file_perms;
|
||||
allow $1 run_init_t:process transition;
|
||||
type_transition $1 run_init_exec_t:process run_init_t;
|
||||
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
||||
|
||||
allow $1 run_init_t:fd use;
|
||||
allow run_init_t $1:fd use;
|
||||
allow run_init_t $1:fifo_file rw_file_perms;
|
||||
allow run_init_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_runinit_depend',`
|
||||
type run_init_t, run_init_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_runinit">
|
||||
## <description>
|
||||
## Execute run_init in the run_init domain, and
|
||||
## allow the specified role the run_init domain,
|
||||
## and use the caller's terminal.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <parameter name="role">
|
||||
## The role to be allowed the run_init domain.
|
||||
## </parameter>
|
||||
## <parameter name="terminal">
|
||||
## The type of the terminal allow the run_init domain to use.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_runinit',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_runinit($1)
|
||||
role $2 types run_init_t;
|
||||
allow run_init_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_runinit_depend',`
|
||||
type run_init_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_use_runinit_fd(domain)
|
||||
#
|
||||
define(`selinux_use_runinit_fd',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 run_init_t:fd use;
|
||||
')
|
||||
|
||||
define(`selinux_use_runinit_fd_depend',`
|
||||
type run_init_t;
|
||||
|
||||
class fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_domtrans_setfiles">
|
||||
## <description>
|
||||
## Execute setfiles in the setfiles domain.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_setfiles',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 setfiles_exec_t:file rx_file_perms;
|
||||
allow $1 setfiles_t:process transition;
|
||||
type_transition $1 setfiles_exec_t:process setfiles_t;
|
||||
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
|
||||
|
||||
allow $1 setfiles_t:fd use;
|
||||
allow setfiles_t $1:fd use;
|
||||
allow setfiles_t $1:fifo_file rw_file_perms;
|
||||
allow setfiles_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_setfiles_depend',`
|
||||
type setfiles_t, setfiles_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_setfiles">
|
||||
## <description>
|
||||
## Execute setfiles in the setfiles domain, and
|
||||
## allow the specified role the setfiles domain,
|
||||
## and use the caller's terminal.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <parameter name="role">
|
||||
## The role to be allowed the setfiles domain.
|
||||
## </parameter>
|
||||
## <parameter name="terminal">
|
||||
## The type of the terminal allow the setfiles domain to use.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_setfiles',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_setfiles($1)
|
||||
role $2 types setfiles_t;
|
||||
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_setfiles_depend',`
|
||||
type setfiles_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_exec_setfiles(domain)
|
||||
#
|
||||
define(`selinux_exec_setfiles',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
can_exec($1,setfiles_exec_t)
|
||||
')
|
||||
|
||||
define(`selinux_exec_setfiles_depend',`
|
||||
type setfiles_exec_t;
|
||||
|
||||
class file { rx_file_perms execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_config(domain)
|
||||
#
|
||||
define(`selinux_read_config',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 selinux_config_t:dir r_dir_perms;
|
||||
allow $1 selinux_config_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_config_depend',`
|
||||
type selinux_config_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_default_contexts(domain)
|
||||
#
|
||||
define(`selinux_read_default_contexts',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 selinux_config_t:dir search;
|
||||
allow $1 default_context_t:dir r_dir_perms;
|
||||
allow $1 default_context_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_default_contexts_depend',`
|
||||
type selinux_config_t, default_context_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_file_contexts(domain)
|
||||
#
|
||||
define(`selinux_read_file_contexts',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 selinux_config_t:dir search;
|
||||
allow $1 file_context_t:dir r_dir_perms;
|
||||
allow $1 file_context_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_file_contexts_depend',`
|
||||
type selinux_config_t, file_context_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_binary_pol(domain)
|
||||
#
|
||||
define(`selinux_read_binary_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 policy_config_t:dir r_dir_perms;
|
||||
allow $1 policy_config_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_binary_pol_depend',`
|
||||
type policy_config_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_write_binary_pol(domain)
|
||||
#
|
||||
define(`selinux_write_binary_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 policy_config_t:dir rw_dir_perms;
|
||||
allow $1 policy_config_t:file { getattr create write unlink };
|
||||
typeattribute $1 can_write_binary_policy;
|
||||
')
|
||||
|
||||
define(`selinux_write_binary_pol_depend',`
|
||||
attribute can_write_binary_policy;
|
||||
|
||||
type policy_config_t;
|
||||
|
||||
class dir rw_dir_perms;
|
||||
class file { getattr create write unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_relabelto_binary_pol">
|
||||
## <description>
|
||||
## Allow the caller to relabel a file to the binary policy type.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_relabelto_binary_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 policy_config_t:file relabelto;
|
||||
typeattribute $1 can_relabelto_binary_policy;
|
||||
')
|
||||
|
||||
define(`selinux_relabelto_binary_pol_depend',`
|
||||
attribute can_relabelto_binary_policy;
|
||||
|
||||
type policy_config_t;
|
||||
|
||||
class file relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_manage_binary_pol(domain)
|
||||
#
|
||||
define(`selinux_manage_binary_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
# FIXME: search etc_t:dir
|
||||
allow $1 selinux_config_t:dir search;
|
||||
allow $1 policy_config_t:dir r_dir_perms;
|
||||
allow $1 policy_config_t:file create_file_perms;
|
||||
typeattribute $1 can_write_binary_policy;
|
||||
')
|
||||
|
||||
define(`selinux_manage_binary_pol_depend',`
|
||||
attribute can_write_binary_policy;
|
||||
|
||||
type selinux_config_t, policy_config_t;
|
||||
class dir create_dir_perms;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_src_pol(domain)
|
||||
#
|
||||
define(`selinux_read_src_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
# FIXME: search etc_t:dir
|
||||
allow $1 selinux_config_t:dir search;
|
||||
allow $1 policy_src_t:dir r_dir_perms;
|
||||
allow $1 policy_src_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_src_pol_depend',`
|
||||
type selinux_config_t, policy_src_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_manage_src_pol(domain)
|
||||
#
|
||||
define(`selinux_manage_src_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
# FIXME: search etc_t:dir
|
||||
allow $1 selinux_config_t:dir search;
|
||||
allow $1 policy_src_t:dir create_dir_perms;
|
||||
allow $1 policy_src_t:file create_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_manage_src_pol_depend',`
|
||||
type selinux_config_t, policy_src_t;
|
||||
|
||||
class dir create_dir_perms;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
@ -1,467 +0,0 @@
|
||||
|
||||
policy_module(selinux,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute can_write_binary_policy;
|
||||
attribute can_relabelto_binary_policy;
|
||||
|
||||
type checkpolicy_t, can_write_binary_policy;
|
||||
domain_type(checkpolicy_t)
|
||||
role system_r types checkpolicy_t;
|
||||
|
||||
type checkpolicy_exec_t;
|
||||
domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
|
||||
|
||||
#
|
||||
# default_context_t is the type applied to
|
||||
# /etc/selinux/*/contexts/*
|
||||
#
|
||||
type default_context_t;
|
||||
files_file_type(default_context_t)
|
||||
|
||||
#
|
||||
# file_context_t is the type applied to
|
||||
# /etc/selinux/*/contexts/files
|
||||
#
|
||||
type file_context_t;
|
||||
files_file_type(file_context_t)
|
||||
|
||||
type load_policy_t;
|
||||
domain_type(load_policy_t)
|
||||
role system_r types load_policy_t;
|
||||
|
||||
type load_policy_exec_t;
|
||||
domain_entry_file(load_policy_t,load_policy_exec_t)
|
||||
|
||||
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||
domain_role_change_exempt(newrole_t)
|
||||
domain_obj_id_change_exempt(newrole_t)
|
||||
domain_type(newrole_t)
|
||||
domain_wide_inherit_fd(newrole_t)
|
||||
|
||||
type newrole_exec_t;
|
||||
domain_entry_file(newrole_t,newrole_exec_t)
|
||||
|
||||
#
|
||||
# policy_config_t is the type of /etc/security/selinux/*
|
||||
# the security server policy configuration.
|
||||
#
|
||||
type policy_config_t;
|
||||
files_file_type(policy_config_t)
|
||||
|
||||
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
||||
neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||
|
||||
#
|
||||
# policy_src_t is the type of the policy source
|
||||
# files.
|
||||
#
|
||||
type policy_src_t;
|
||||
files_file_type(policy_src_t)
|
||||
|
||||
type restorecon_t, can_relabelto_binary_policy;
|
||||
type restorecon_exec_t;
|
||||
domain_obj_id_change_exempt(restorecon_t)
|
||||
init_system_domain(restorecon_t,restorecon_exec_t)
|
||||
role system_r types restorecon_t;
|
||||
|
||||
type run_init_t;
|
||||
domain_type(run_init_t)
|
||||
|
||||
type run_init_exec_t;
|
||||
domain_entry_file(run_init_t,run_init_exec_t)
|
||||
|
||||
#
|
||||
# selinux_config_t is the type applied to
|
||||
# /etc/selinux/config
|
||||
#
|
||||
type selinux_config_t;
|
||||
files_file_type(selinux_config_t)
|
||||
|
||||
type setfiles_t, can_relabelto_binary_policy;
|
||||
domain_obj_id_change_exempt(setfiles_t)
|
||||
domain_type(setfiles_t)
|
||||
role system_r types setfiles_t;
|
||||
|
||||
type setfiles_exec_t;
|
||||
domain_entry_file(setfiles_t,setfiles_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Checkpolicy local policy
|
||||
#
|
||||
|
||||
allow checkpolicy_t self:capability dac_override;
|
||||
|
||||
# able to create and modify binary policy files
|
||||
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
|
||||
allow checkpolicy_t policy_config_t:file create_file_perms;
|
||||
|
||||
# allow test policies to be created in src directories
|
||||
allow checkpolicy_t policy_src_t:dir rw_dir_perms;
|
||||
type_transition checkpolicy_t policy_src_t:file policy_config_t;
|
||||
|
||||
# only allow read of policy source files
|
||||
allow checkpolicy_t policy_src_t:dir r_dir_perms;
|
||||
allow checkpolicy_t policy_src_t:file r_file_perms;
|
||||
allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
|
||||
allow checkpolicy_t selinux_config_t:dir search;
|
||||
|
||||
fs_getattr_xattr_fs(checkpolicy_t)
|
||||
|
||||
term_use_console(checkpolicy_t)
|
||||
|
||||
domain_use_wide_inherit_fd(checkpolicy_t)
|
||||
|
||||
# directory search permissions for path to source and binary policy files
|
||||
files_search_etc(checkpolicy_t)
|
||||
|
||||
init_use_fd(checkpolicy_t)
|
||||
init_use_script_pty(checkpolicy_t)
|
||||
|
||||
libs_use_ld_so(checkpolicy_t)
|
||||
libs_use_shared_libs(checkpolicy_t)
|
||||
|
||||
userdom_use_all_user_fd(checkpolicy_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Read the devpts root directory.
|
||||
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Load_policy local policy
|
||||
#
|
||||
|
||||
allow load_policy_t self:capability dac_override;
|
||||
|
||||
# only allow read of policy config files
|
||||
allow load_policy_t policy_src_t:dir search;
|
||||
allow load_policy_t policy_config_t:dir r_dir_perms;
|
||||
allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
|
||||
|
||||
allow load_policy_t selinux_config_t:dir r_dir_perms;
|
||||
allow load_policy_t selinux_config_t:file r_file_perms;
|
||||
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
|
||||
|
||||
kernel_get_selinuxfs_mount_point(load_policy_t)
|
||||
kernel_load_policy(load_policy_t)
|
||||
kernel_set_boolean(load_policy_t)
|
||||
|
||||
fs_getattr_xattr_fs(load_policy_t)
|
||||
|
||||
term_use_console(load_policy_t)
|
||||
term_list_ptys(load_policy_t)
|
||||
|
||||
init_use_script_fd(load_policy_t)
|
||||
init_use_script_pty(load_policy_t)
|
||||
|
||||
domain_use_wide_inherit_fd(load_policy_t)
|
||||
|
||||
files_search_etc(load_policy_t)
|
||||
|
||||
libs_use_ld_so(load_policy_t)
|
||||
libs_use_shared_libs(load_policy_t)
|
||||
|
||||
miscfiles_read_localization(load_policy_t)
|
||||
|
||||
userdom_use_all_user_fd(load_policy_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Newrole local policy
|
||||
#
|
||||
|
||||
allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
|
||||
|
||||
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow newrole_t self:process setexec;
|
||||
allow newrole_t self:fd use;
|
||||
allow newrole_t self:fifo_file rw_file_perms;
|
||||
allow newrole_t self:unix_dgram_socket sendto;
|
||||
allow newrole_t self:unix_stream_socket connectto;
|
||||
allow newrole_t self:shm create_shm_perms;
|
||||
allow newrole_t self:sem create_sem_perms;
|
||||
allow newrole_t self:msgq create_msgq_perms;
|
||||
allow newrole_t self:msg { send receive };
|
||||
|
||||
allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
|
||||
allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
|
||||
allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_system_state(newrole_t)
|
||||
kernel_read_kernel_sysctl(newrole_t)
|
||||
kernel_get_selinuxfs_mount_point(newrole_t)
|
||||
kernel_validate_context(newrole_t)
|
||||
kernel_compute_access_vector(newrole_t)
|
||||
kernel_compute_create_context(newrole_t)
|
||||
kernel_compute_relabel_context(newrole_t)
|
||||
kernel_compute_reachable_user_contexts(newrole_t)
|
||||
|
||||
dev_read_urand(newrole_t)
|
||||
|
||||
fs_getattr_xattr_fs(newrole_t)
|
||||
|
||||
term_use_all_user_ttys(newrole_t)
|
||||
term_use_all_user_ptys(newrole_t)
|
||||
|
||||
auth_domtrans_chk_passwd(newrole_t)
|
||||
|
||||
domain_use_wide_inherit_fd(newrole_t)
|
||||
|
||||
# Write to utmp.
|
||||
init_rw_script_pid(newrole_t)
|
||||
|
||||
files_read_generic_etc_files(newrole_t)
|
||||
|
||||
libs_use_ld_so(newrole_t)
|
||||
libs_use_shared_libs(newrole_t)
|
||||
|
||||
logging_send_syslog_msg(newrole_t)
|
||||
|
||||
miscfiles_read_localization(newrole_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(newrole_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
can_ypbind(newrole)
|
||||
ifdef(`automount.te', `
|
||||
allow newrole_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
# for when the user types "exec newrole" at the command line
|
||||
allow newrole_t privfd:process sigchld;
|
||||
|
||||
# Execute /sbin/pwdb_chkpwd to check the password.
|
||||
allow newrole_t sbin_t:dir r_dir_perms;
|
||||
|
||||
# Execute shells
|
||||
allow newrole_t bin_t:dir r_dir_perms;
|
||||
allow newrole_t bin_t:lnk_file read;
|
||||
|
||||
# Allow newrole_t to transition to user domains.
|
||||
bool secure_mode false;
|
||||
domain_trans(newrole_t, shell_exec_t, unpriv_userdomain)
|
||||
if(!secure_mode)
|
||||
{
|
||||
# if we are not in secure mode then we can transition to sysadm_t
|
||||
domain_trans(newrole_t, shell_exec_t, sysadm_t)
|
||||
}
|
||||
|
||||
# Read /var.
|
||||
allow newrole_t var_t:dir r_dir_perms;
|
||||
allow newrole_t var_t:notdevfile_class_set r_file_perms;
|
||||
|
||||
# Relabel terminals.
|
||||
allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
|
||||
|
||||
# for some PAM modules and for cwd
|
||||
dontaudit newrole_t { home_root_t home_type }:dir search;
|
||||
') dnl ifdef TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Restorecon local policy
|
||||
#
|
||||
|
||||
allow restorecon_t self:capability { dac_override dac_read_search fowner };
|
||||
|
||||
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
|
||||
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
||||
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_use_fd(restorecon_t)
|
||||
kernel_read_system_state(restorecon_t)
|
||||
kernel_get_selinuxfs_mount_point(restorecon_t)
|
||||
kernel_validate_context(restorecon_t)
|
||||
kernel_compute_access_vector(restorecon_t)
|
||||
kernel_compute_create_context(restorecon_t)
|
||||
kernel_compute_relabel_context(restorecon_t)
|
||||
kernel_compute_reachable_user_contexts(restorecon_t)
|
||||
|
||||
fs_getattr_xattr_fs(restorecon_t)
|
||||
|
||||
term_use_unallocated_tty(restorecon_t)
|
||||
|
||||
init_use_fd(restorecon_t)
|
||||
init_use_script_pty(restorecon_t)
|
||||
|
||||
domain_use_wide_inherit_fd(restorecon_t)
|
||||
|
||||
files_read_etc_runtime_files(restorecon_t)
|
||||
files_read_generic_etc_files(restorecon_t)
|
||||
|
||||
libs_use_ld_so(restorecon_t)
|
||||
libs_use_shared_libs(restorecon_t)
|
||||
|
||||
logging_send_syslog_msg(restorecon_t)
|
||||
|
||||
userdom_use_all_user_fd(restorecon_t)
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_use_fd(restorecon_t)
|
||||
')
|
||||
|
||||
# relabeling rules
|
||||
kernel_relabel_unlabeled(restorecon_t)
|
||||
dev_relabel_all_dev_nodes(restorecon_t)
|
||||
|
||||
files_relabel_all_files(restorecon_t)
|
||||
files_list_all_dirs(restorecon_t)
|
||||
# this is to satisfy the assertion:
|
||||
auth_relabelto_shadow(restorecon_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
fs_use_tmpfs_character_devices(restorecon_t)
|
||||
fs_use_tmpfs_block_devices(restorecon_t)
|
||||
fs_relabel_tmpfs_block_devices(restorecon_t)
|
||||
fs_relabel_tmpfs_character_devices(restorecon_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that restorecon can not be run!
|
||||
allow restorecon_t lib_t:file { read execute };
|
||||
|
||||
allow restorecon_t fs_type:dir r_dir_perms;
|
||||
|
||||
allow restorecon_t device_t:file { read write };
|
||||
allow restorecon_t kernel_t:fifo_file { read write };
|
||||
') dnl endif TODO
|
||||
|
||||
#################################
|
||||
#
|
||||
# Run_init local policy
|
||||
#
|
||||
|
||||
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||
kernel_validate_context(run_init_t)
|
||||
kernel_compute_access_vector(run_init_t)
|
||||
kernel_compute_create_context(run_init_t)
|
||||
kernel_compute_relabel_context(run_init_t)
|
||||
kernel_compute_reachable_user_contexts(run_init_t)
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
allow run_init_t self:process setexec;
|
||||
allow run_init_t self:capability setuid;
|
||||
|
||||
allow run_init_t self:fifo_file rw_file_perms;
|
||||
|
||||
# often the administrator runs such programs from a directory that is owned
|
||||
# by a different user or has restrictive SE permissions, do not want to audit
|
||||
# the failed access to the current directory
|
||||
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||
|
||||
fs_getattr_xattr_fs(run_init_t)
|
||||
|
||||
dev_dontaudit_list_all_dev_nodes(run_init_t)
|
||||
|
||||
term_dontaudit_list_ptys(run_init_t)
|
||||
|
||||
auth_domtrans_chk_passwd(run_init_t)
|
||||
auth_dontaudit_read_shadow(run_init_t)
|
||||
|
||||
corecmd_exec_bin(run_init_t)
|
||||
corecmd_exec_shell(run_init_t)
|
||||
|
||||
domain_use_wide_inherit_fd(run_init_t)
|
||||
|
||||
files_read_generic_etc_files(run_init_t)
|
||||
files_dontaudit_search_all_dirs(run_init_t)
|
||||
|
||||
init_domtrans_script(run_init_t)
|
||||
# for utmp
|
||||
init_rw_script_pid(run_init_t)
|
||||
|
||||
libs_use_ld_so(run_init_t)
|
||||
libs_use_shared_libs(run_init_t)
|
||||
|
||||
selinux_read_config(run_init_t)
|
||||
selinux_read_default_contexts(run_init_t)
|
||||
|
||||
miscfiles_read_localization(run_init_t)
|
||||
|
||||
logging_send_syslog_msg(run_init_t)
|
||||
') dnl end ifdef targeted policy
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||
domain_entry_file(run_init_t,initrc_exec_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Setfiles local policy
|
||||
#
|
||||
|
||||
allow setfiles_t self:capability { dac_override dac_read_search fowner };
|
||||
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_system_state(setfiles_t)
|
||||
kernel_get_selinuxfs_mount_point(setfiles_t)
|
||||
kernel_validate_context(setfiles_t)
|
||||
kernel_compute_access_vector(setfiles_t)
|
||||
kernel_compute_create_context(setfiles_t)
|
||||
kernel_compute_relabel_context(setfiles_t)
|
||||
kernel_compute_reachable_user_contexts(setfiles_t)
|
||||
|
||||
fs_getattr_xattr_fs(setfiles_t)
|
||||
|
||||
term_use_all_user_ttys(setfiles_t)
|
||||
term_use_all_user_ptys(setfiles_t)
|
||||
term_use_unallocated_tty(setfiles_t)
|
||||
|
||||
init_use_fd(setfiles_t)
|
||||
init_use_script_fd(setfiles_t)
|
||||
init_use_script_pty(setfiles_t)
|
||||
|
||||
domain_use_wide_inherit_fd(setfiles_t)
|
||||
|
||||
libs_use_ld_so(setfiles_t)
|
||||
libs_use_shared_libs(setfiles_t)
|
||||
|
||||
files_read_etc_runtime_files(setfiles_t)
|
||||
files_read_generic_etc_files(setfiles_t)
|
||||
|
||||
logging_send_syslog_msg(setfiles_t)
|
||||
|
||||
miscfiles_read_localization(setfiles_t)
|
||||
|
||||
userdom_use_all_user_fd(setfiles_t)
|
||||
# for config files in a home directory
|
||||
userdom_read_all_user_data(setfiles_t)
|
||||
|
||||
# relabeling rules
|
||||
kernel_relabel_unlabeled(setfiles_t)
|
||||
dev_relabel_all_dev_nodes(setfiles_t)
|
||||
files_list_all_dirs(setfiles_t)
|
||||
files_relabel_all_files(setfiles_t)
|
||||
# this is to satisfy the assertion:
|
||||
auth_relabelto_shadow(setfiles_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that setfiles can not be run!
|
||||
allow setfiles_t lib_t:file { read execute };
|
||||
|
||||
allow setfiles_t unlabeled_t:dir read;
|
||||
|
||||
allow setfiles_t fs_type:dir r_dir_perms;
|
||||
|
||||
') dnl endif TODO
|
@ -1,3 +1,4 @@
|
||||
# SELinux userland utilities
|
||||
|
||||
#
|
||||
# /etc
|
||||
|
@ -1,4 +1,4 @@
|
||||
## <module name="selinux" layer="system">
|
||||
## <module name="selinuxutil" layer="system">
|
||||
## <summary>Policy for SELinux policy and userland applications.</summary>
|
||||
|
||||
#######################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(selinux,1.0)
|
||||
policy_module(selinuxutil,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user