add aliases
parent
72bdc60860
commit
c2c00bee05
@ -15,10 +15,7 @@
|
|||||||
define(`bootloader_domtrans',`
|
define(`bootloader_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 bootloader_exec_t:file { getattr read execute };
|
domain_auto_trans($1, bootloader_exec_t, bootloader_t)
|
||||||
allow $1 bootloader_t:process transition;
|
|
||||||
type_transition $1 bootloader_exec_t:process bootloader_t;
|
|
||||||
dontaudit $1 bootloader_t:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 bootloader_t:fd use;
|
allow $1 bootloader_t:fd use;
|
||||||
allow bootloader_t $1:fd use;
|
allow bootloader_t $1:fd use;
|
||||||
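Review bot: `domain_auto_trans($1, bootloader_exec_t, bootloader_t)` replaces four explicit rules, but if it is the strict-policy macro it also grants `bootloader_t $1:fifo_file rw_file_perms` and `bootloader_t $1:process sigchld`, which the removed lines never allowed; confirm against the macro definition and, if so, either state the widening in the commit description or keep the explicit rules. The two `fd use` rules kept at the end of the hunk are then duplicated by the macro's own fd rule. `bootloader_domtrans_depend` lies outside this hunk and would need `class fifo_file` and `class process sigchld` entries for whatever the macro adds. The `kernel_make_userland_entrypoint` hunk, which substitutes `domain_auto_trans(kernel_t, $2, $1)` for the same four rules, has the same issue.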
@ -60,12 +57,12 @@ define(`bootloader_run',`
|
|||||||
bootloader_transition($1)
|
bootloader_transition($1)
|
||||||
|
|
||||||
role $2 types bootloader_t;
|
role $2 types bootloader_t;
|
||||||
allow bootloader_t $3:chr_file { getattr read write ioctl };
|
allow bootloader_t $3:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_run_depend',`
|
define(`bootloader_run_depend',`
|
||||||
type bootloader_t;
|
type bootloader_t;
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
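Review bot: `allow bootloader_t $3:chr_file rw_file_perms;` grants `lock` and `append` on the caller's terminal beyond the old `{ getattr read write ioctl }`, so this is not a pure alias; the same widening occurs wherever `rw_file_perms`, `r_dir_perms` or `r_file_perms` replaces a shorter explicit set in this commit (for example `boot_t:dir r_dir_perms` and `boot_t:file { rw_file_perms create }`). The extra permissions are low-risk, but a commit titled "add aliases" reads as permission-neutral; a sentence in the description listing the sites that widen would let a later audit distinguish deliberate loosening from drift.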
@ -107,14 +104,15 @@ define(`bootloader_ignore_search_bootloader_data_directory_depend',`
|
|||||||
define(`bootloader_modify_bootloader_data_directory_symbolic_links',`
|
define(`bootloader_modify_bootloader_data_directory_symbolic_links',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 boot_t:dir { getattr search read };
|
allow $1 boot_t:dir r_dir_perms;
|
||||||
allow $1 boot_t:lnk_file { getattr read write };
|
allow $1 boot_t:lnk_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',`
|
define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',`
|
||||||
type boot_t;
|
type boot_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
|
class lnk_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -124,7 +122,7 @@ define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',`
|
|||||||
define(`bootloader_install_kernel',`
|
define(`bootloader_install_kernel',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 boot_t:dir { getattr search read write add_name };
|
allow $1 boot_t:dir ra_dir_perms;
|
||||||
allow $1 boot_t:file { getattr read write create };
|
allow $1 boot_t:file { getattr read write create };
|
||||||
allow $1 boot_t:lnk_file { getattr read create unlink };
|
allow $1 boot_t:lnk_file { getattr read create unlink };
|
||||||
')
|
')
|
||||||
@ -132,7 +130,7 @@ define(`bootloader_install_kernel',`
|
|||||||
define(`bootloader_install_kernel_depend',`
|
define(`bootloader_install_kernel_depend',`
|
||||||
type boot_t;
|
type boot_t;
|
||||||
|
|
||||||
class dir { getattr search read write add_name };
|
class dir ra_dir_perms;
|
||||||
class file { getattr read write create };
|
class file { getattr read write create };
|
||||||
class lnk_file { getattr read create unlink };
|
class lnk_file { getattr read create unlink };
|
||||||
')
|
')
|
||||||
@ -144,7 +142,7 @@ define(`bootloader_install_kernel_depend',`
|
|||||||
define(`bootloader_install_initrd',`
|
define(`bootloader_install_initrd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 boot_t:dir { getattr search read write add_name };
|
allow $1 boot_t:dir ra_dir_perms;
|
||||||
allow $1 boot_t:file { getattr read write create };
|
allow $1 boot_t:file { getattr read write create };
|
||||||
allow $1 boot_t:lnk_file { getattr read create unlink };
|
allow $1 boot_t:lnk_file { getattr read create unlink };
|
||||||
')
|
')
|
||||||
@ -152,7 +150,7 @@ define(`bootloader_install_initrd',`
|
|||||||
define(`bootloader_install_initrd_depend',`
|
define(`bootloader_install_initrd_depend',`
|
||||||
type boot_t;
|
type boot_t;
|
||||||
|
|
||||||
class dir { getattr search read write add_name };
|
class dir ra_dir_perms;
|
||||||
class file { getattr read write create };
|
class file { getattr read write create };
|
||||||
class lnk_file { getattr read create unlink };
|
class lnk_file { getattr read create unlink };
|
||||||
')
|
')
|
||||||
@ -164,15 +162,15 @@ define(`bootloader_install_initrd_depend',`
|
|||||||
define(`bootloader_install_kernel_symbol_table',`
|
define(`bootloader_install_kernel_symbol_table',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 boot_t:dir { getattr search read write add_name };
|
allow $1 boot_t:dir ra_dir_perms;
|
||||||
allow $1 system_map_t:file { getattr read write create };
|
allow $1 system_map_t:file { rw_file_perms create };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_install_kernel_symbol_table_depend',`
|
define(`bootloader_install_kernel_symbol_table_depend',`
|
||||||
type boot_t, system_map_t;
|
type boot_t, system_map_t;
|
||||||
|
|
||||||
class dir { getattr search read write add_name };
|
class dir ra_dir_perms;
|
||||||
class file { getattr read write create };
|
class file { rw_file_perms create };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -182,15 +180,15 @@ define(`bootloader_install_kernel_symbol_table_depend',`
|
|||||||
define(`bootloader_read_kernel_symbol_table',`
|
define(`bootloader_read_kernel_symbol_table',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 boot_t:dir { getattr search read };
|
allow $1 boot_t:dir r_dir_perms;
|
||||||
allow $1 system_map_t:file { getattr read };
|
allow $1 system_map_t:file f_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_read_kernel_symbol_table_depend',`
|
define(`bootloader_read_kernel_symbol_table_depend',`
|
||||||
type boot_t, system_map_t;
|
type boot_t, system_map_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
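Review bot: `allow $1 system_map_t:file f_file_perms;` uses a macro name that appears nowhere else in this diff and does not match the `class file r_file_perms;` declared in `bootloader_read_kernel_symbol_table_depend` in the same hunk; m4 will pass `f_file_perms` through as a bare permission name and the policy compile should reject it. The line should read `allow $1 system_map_t:file r_file_perms;`.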
@ -200,14 +198,14 @@ define(`bootloader_read_kernel_symbol_table_depend',`
|
|||||||
define(`bootloader_remove_kernel',`
|
define(`bootloader_remove_kernel',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 boot_t:dir { getattr search read write remove_name };
|
allow $1 boot_t:dir { r_dir_perms write remove_name };
|
||||||
allow $1 boot_t:file { getattr unlink };
|
allow $1 boot_t:file { getattr unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_remove_kernel_depend',`
|
define(`bootloader_remove_kernel_depend',`
|
||||||
type boot_t;
|
type boot_t;
|
||||||
|
|
||||||
class dir { getattr search read write remove_name };
|
class dir { r_dir_perms write remove_name };
|
||||||
class file { getattr unlink };
|
class file { getattr unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -218,14 +216,14 @@ define(`bootloader_remove_kernel_depend',`
|
|||||||
define(`bootloader_remove_kernel_symbol_table',`
|
define(`bootloader_remove_kernel_symbol_table',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 boot_t:dir { getattr search read write remove_name };
|
allow $1 boot_t:dir { r_dir_perms write remove_name };
|
||||||
allow $1 system_map_t:file { getattr unlink };
|
allow $1 system_map_t:file { getattr unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_remove_kernel_symbol_table_depend',`
|
define(`bootloader_remove_kernel_symbol_table_depend',`
|
||||||
type boot_t, system_map_t;
|
type boot_t, system_map_t;
|
||||||
|
|
||||||
class dir { getattr search read write remove_name };
|
class dir { r_dir_perms write remove_name };
|
||||||
class file { getattr unlink };
|
class file { getattr unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -236,13 +234,13 @@ define(`bootloader_remove_kernel_symbol_table_depend',`
|
|||||||
define(`bootloader_read_config',`
|
define(`bootloader_read_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 bootloader_etc_t:file { getattr read };
|
allow $1 bootloader_etc_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_read_config_depend',`
|
define(`bootloader_read_config_depend',`
|
||||||
type bootloader_etc_t;
|
type bootloader_etc_t;
|
||||||
|
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -252,13 +250,13 @@ define(`bootloader_read_config_depend',`
|
|||||||
define(`bootloader_rw_bootloader_config',`
|
define(`bootloader_rw_bootloader_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 bootloader_etc_t:file { getattr read write append };
|
allow $1 bootloader_etc_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_rw_bootloader_config_depend',`
|
define(`bootloader_rw_bootloader_config_depend',`
|
||||||
type bootloader_etc_t;
|
type bootloader_etc_t;
|
||||||
|
|
||||||
class file { getattr read write append };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -269,13 +267,13 @@ define(`bootloader_rw_temp_data',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# FIXME: read tmp_t
|
# FIXME: read tmp_t
|
||||||
allow $1 bootloader_tmp_t:file { getattr read write };
|
allow $1 bootloader_tmp_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_rw_temp_data_depend',`
|
define(`bootloader_rw_temp_data_depend',`
|
||||||
type bootloader_tmp_t;
|
type bootloader_tmp_t;
|
||||||
|
|
||||||
class file { getattr read write setattr };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -285,16 +283,16 @@ define(`bootloader_rw_temp_data_depend',`
|
|||||||
define(`bootloader_create_runtime_data',`
|
define(`bootloader_create_runtime_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 boot_t:dir { getattr search read write add_name remove_name };
|
allow $1 boot_t:dir rw_dir_perms;
|
||||||
allow $1 boot_runtime_t:file { getattr create read write append unlink };
|
allow $1 boot_runtime_t:file { rw_file_perms create unlink };
|
||||||
type_transition $1 boot_t:file boot_runtime_t;
|
type_transition $1 boot_t:file boot_runtime_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_create_runtime_data_depend',`
|
define(`bootloader_create_runtime_data_depend',`
|
||||||
type boot_t, boot_runtime_t;
|
type boot_t, boot_runtime_t;
|
||||||
|
|
||||||
class dir { getattr search read write add_name remove_name };
|
class dir rw_dir_perms;
|
||||||
class file { getattr create read write append unlink };
|
class file { rw_file_perms create unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -304,13 +302,13 @@ define(`bootloader_create_runtime_data_depend',`
|
|||||||
define(`bootloader_list_kernel_modules',`
|
define(`bootloader_list_kernel_modules',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 modules_object_t:dir { getattr search read };
|
allow $1 modules_object_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_list_kernel_modules_depend',`
|
define(`bootloader_list_kernel_modules_depend',`
|
||||||
type modules_object_t;
|
type modules_object_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -320,17 +318,17 @@ define(`bootloader_list_kernel_modules_depend',`
|
|||||||
define(`bootloader_read_kernel_modules',`
|
define(`bootloader_read_kernel_modules',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 modules_object_t:dir { getattr search read };
|
allow $1 modules_object_t:dir r_dir_perms;
|
||||||
allow $1 modules_object_t:lnk_file { getattr read };
|
allow $1 modules_object_t:lnk_file r_file_perms;
|
||||||
allow $1 modules_object_t:file { getattr read lock };
|
allow $1 modules_object_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_read_kernel_modules_depend',`
|
define(`bootloader_read_kernel_modules_depend',`
|
||||||
type modules_object_t;
|
type modules_object_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
class lnk_file { getattr read };
|
class lnk_file r_file_perms;
|
||||||
class file { getattr read lock };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -340,7 +338,7 @@ define(`bootloader_read_kernel_modules_depend',`
|
|||||||
define(`bootloader_write_kernel_modules',`
|
define(`bootloader_write_kernel_modules',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 modules_object_t:dir { getattr search read };
|
allow $1 modules_object_t:dir r_dir_perms;
|
||||||
allow $1 modules_object_t:file write;
|
allow $1 modules_object_t:file write;
|
||||||
|
|
||||||
typeattribute $1 can_modify_kernel_modules;
|
typeattribute $1 can_modify_kernel_modules;
|
||||||
@ -351,7 +349,7 @@ define(`bootloader_write_kernel_modules_depend',`
|
|||||||
|
|
||||||
type modules_object_t;
|
type modules_object_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
class file write;
|
class file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -362,8 +360,8 @@ define(`bootloader_write_kernel_modules_depend',`
|
|||||||
define(`bootloader_manage_kernel_modules',`
|
define(`bootloader_manage_kernel_modules',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 modules_object_t:file { getattr create read write setattr unlink };
|
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
|
||||||
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
|
allow $1 modules_object_t:dir rw_dir_perms;
|
||||||
|
|
||||||
typeattribute $1 can_modify_kernel_modules;
|
typeattribute $1 can_modify_kernel_modules;
|
||||||
')
|
')
|
||||||
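Review bot: `bootloader_manage_kernel_modules` now grants `{ rw_file_perms create setattr unlink }` on `modules_object_t:file`, but `bootloader_manage_kernel_modules_depend` in the next hunk still declares the old explicit set `{ getattr create read write setattr unlink }`, so the dependency block no longer covers the `ioctl`, `lock` and `append` the interface uses. The depend line should become `class file { rw_file_perms create setattr unlink };`, matching how the other `_depend` blocks in this commit were updated.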
@ -374,7 +372,7 @@ define(`bootloader_manage_kernel_modules_depend',`
|
|||||||
type modules_object_t;
|
type modules_object_t;
|
||||||
|
|
||||||
class file { getattr create read write setattr unlink };
|
class file { getattr create read write setattr unlink };
|
||||||
class dir { getattr search read write add_name remove_name };
|
class dir rw_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -66,27 +66,27 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
|
|||||||
allow bootloader_t self:process { sigkill sigstop signull signal };
|
allow bootloader_t self:process { sigkill sigstop signull signal };
|
||||||
allow bootloader_t self:fifo_file { getattr read write };
|
allow bootloader_t self:fifo_file { getattr read write };
|
||||||
|
|
||||||
allow bootloader_t boot_t:dir { getattr search read write add_name };
|
allow bootloader_t boot_t:dir ra_dir_perms;
|
||||||
allow bootloader_t boot_t:file { getattr read write create };
|
allow bootloader_t boot_t:file { rw_file_perms create };
|
||||||
allow bootloader_t boot_t:lnk_file { getattr read create unlink };
|
allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
|
||||||
|
|
||||||
allow bootloader_t bootloader_etc_t:file { getattr read };
|
allow bootloader_t bootloader_etc_t:file r_file_perms;
|
||||||
# uncomment the following lines if you use "lilo -p"
|
# uncomment the following lines if you use "lilo -p"
|
||||||
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
#files_create_private_config(bootloader_t,bootloader_etc_t)
|
#files_create_private_config(bootloader_t,bootloader_etc_t)
|
||||||
|
|
||||||
allow bootloader_t bootloader_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
|
||||||
allow bootloader_t bootloader_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow bootloader_t bootloader_tmp_t:file create_file_perms;
|
||||||
allow bootloader_t bootloader_tmp_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
|
||||||
allow bootloader_t bootloader_tmp_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
|
||||||
allow bootloader_t bootloader_tmp_t:lnk_file { create read getattr setattr unlink rename };
|
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
|
||||||
files_create_private_tmp_data(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
|
files_create_private_tmp_data(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
|
||||||
# for tune2fs (cjp: ?)
|
# for tune2fs (cjp: ?)
|
||||||
files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t)
|
files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t)
|
||||||
|
|
||||||
allow bootloader_t modules_object_t:dir { getattr search read };
|
allow bootloader_t modules_object_t:dir r_dir_perms;
|
||||||
allow bootloader_t modules_object_t:file { getattr read };
|
allow bootloader_t modules_object_t:file r_file_perms;
|
||||||
allow bootloader_t modules_object_t:lnk_file { getattr read };
|
allow bootloader_t modules_object_t:lnk_file r_file_perms;
|
||||||
|
|
||||||
kernel_get_core_interface_attributes(bootloader_t)
|
kernel_get_core_interface_attributes(bootloader_t)
|
||||||
kernel_read_system_state(bootloader_t)
|
kernel_read_system_state(bootloader_t)
|
||||||
@ -150,7 +150,7 @@ ifdef(`distro_redhat', `
|
|||||||
allow bootloader_t self:capability ipc_lock;
|
allow bootloader_t self:capability ipc_lock;
|
||||||
|
|
||||||
# new file system defaults to file_t, granting file_t access is still bad.
|
# new file system defaults to file_t, granting file_t access is still bad.
|
||||||
allow bootloader_t boot_runtime_t:file { read getattr unlink };
|
allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
|
||||||
|
|
||||||
# mkinitrd mount initrd on bootloader temp dir
|
# mkinitrd mount initrd on bootloader temp dir
|
||||||
files_make_mountpoint(bootloader_tmp_t)
|
files_make_mountpoint(bootloader_tmp_t)
|
||||||
|
@ -61,14 +61,14 @@ define(`devices_list_device_nodes',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 device_t:dir r_dir_perms;
|
allow $1 device_t:dir r_dir_perms;
|
||||||
allow $1 device_t:lnk_file { getattr read };
|
allow $1 device_t:lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`devices_list_device_nodes_depend',`
|
define(`devices_list_device_nodes_depend',`
|
||||||
type device_t;
|
type device_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class lnk_file { getattr read };
|
class lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -177,7 +177,7 @@ define(`devices_manage_generic_block_device_depend',`
|
|||||||
define(`devices_add_generic_character_device',`
|
define(`devices_add_generic_character_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 device_t:dir { getattr search read write add_name };
|
allow $1 device_t:dir ra_dir_perms;
|
||||||
allow $1 device_t:chr_file create;
|
allow $1 device_t:chr_file create;
|
||||||
|
|
||||||
allow $1 self:capability mknod;
|
allow $1 self:capability mknod;
|
||||||
@ -186,7 +186,7 @@ define(`devices_add_generic_character_device',`
|
|||||||
define(`devices_add_generic_character_device_depend',`
|
define(`devices_add_generic_character_device_depend',`
|
||||||
type device_t;
|
type device_t;
|
||||||
|
|
||||||
class dir { getattr search read write add_name };
|
class dir ra_dir_perms;
|
||||||
class chr_file create;
|
class chr_file create;
|
||||||
class capability mknod;
|
class capability mknod;
|
||||||
')
|
')
|
||||||
@ -239,7 +239,7 @@ define(`devices_ignore_get_generic_character_device_attributes_depend',`
|
|||||||
define(`devices_remove_dev_symbolic_links',`
|
define(`devices_remove_dev_symbolic_links',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 device_t:dir { getattr read write remove_name };
|
allow $1 device_t:dir { r_dir_perms write remove_name };
|
||||||
allow $1 device_t:lnk_file unlink;
|
allow $1 device_t:lnk_file unlink;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -248,7 +248,7 @@ define(`devices_remove_dev_symbolic_links_depend',`
|
|||||||
|
|
||||||
type device_t;
|
type device_t;
|
||||||
|
|
||||||
class dir { getattr read write remove_name };
|
class dir { r_dir_perms write remove_name };
|
||||||
class lnk_file unlink;
|
class lnk_file unlink;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -259,15 +259,15 @@ define(`devices_remove_dev_symbolic_links_depend',`
|
|||||||
define(`devices_manage_dev_symbolic_links',`
|
define(`devices_manage_dev_symbolic_links',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
allow $1 device_t:dir create_dir_perms;
|
||||||
allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
|
allow $1 device_t:lnk_file create_lnk_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`devices_manage_dev_symbolic_links_depend',`
|
define(`devices_manage_dev_symbolic_links_depend',`
|
||||||
type device_t;
|
type device_t;
|
||||||
|
|
||||||
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
class dir create_dir_perms;
|
||||||
class lnk_file { create read getattr setattr link unlink rename };
|
class lnk_file create_lnk_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
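Review bot: `allow $1 device_t:dir create_dir_perms;` drops `relabelfrom` and `relabelto` from the old explicit set if `create_dir_perms` is the strict-policy macro, which does not include them; the same silent narrowing happens in the `devices_manage_device_nodes` hunk for `device_t:dir`, `device_t:{ chr_file blk_file }` and `device_node:{ chr_file blk_file }` under `create_file_perms`, and in the matching `_depend` hunk. Less privilege is welcome here, but any caller that relabels device nodes through these interfaces loses that ability without notice. Either keep the relabel permissions alongside the macro, e.g. `allow $1 device_t:dir { create_dir_perms relabelfrom relabelto };`, or state the narrowing in the commit description.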
@ -277,11 +277,11 @@ define(`devices_manage_dev_symbolic_links_depend',`
|
|||||||
define(`devices_manage_device_nodes',`
|
define(`devices_manage_device_nodes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
allow $1 device_t:dir create_dir_perms;
|
||||||
allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 device_t:sock_file create_file_perms;
|
||||||
allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
|
allow $1 device_t:lnk_file create_lnk_perms;
|
||||||
allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
|
allow $1 device_t:{ chr_file blk_file } create_file_perms;
|
||||||
allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
|
allow $1 device_node:{ chr_file blk_file } create_file_perms;
|
||||||
|
|
||||||
# these next rules are to satisfy assertions broken by the above lines.
|
# these next rules are to satisfy assertions broken by the above lines.
|
||||||
# the permissions hopefully can be cut back a lot
|
# the permissions hopefully can be cut back a lot
|
||||||
@ -299,11 +299,11 @@ define(`devices_manage_device_nodes_depend',`
|
|||||||
|
|
||||||
type device_t;
|
type device_t;
|
||||||
|
|
||||||
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
class dir create_dir_perms;
|
||||||
class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
class sock_file create_file_perms;
|
||||||
class lnk_file { create read getattr setattr link unlink rename };
|
class lnk_file create_lnk_perms;
|
||||||
class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
|
class chr_file create_file_perms;
|
||||||
class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
|
class blk_file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -818,14 +818,14 @@ define(`devices_read_sound_mixer_levels',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 device_t:dir r_dir_perms;
|
allow $1 device_t:dir r_dir_perms;
|
||||||
allow $1 sound_device_t:chr_file { getattr read ioctl };
|
allow $1 sound_device_t:chr_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`devices_read_sound_mixer_levels_depend',`
|
define(`devices_read_sound_mixer_levels_depend',`
|
||||||
type device_t, sound_device_t;
|
type device_t, sound_device_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class chr_file { getattr read ioctl };
|
class chr_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1031,14 +1031,14 @@ define(`devices_use_lvm_control_channel_depend',`
|
|||||||
define(`devices_remove_lvm_control_channel',`
|
define(`devices_remove_lvm_control_channel',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 device_t:dir { getattr search read write remove_name };
|
allow $1 device_t:dir { r_dir_perms write remove_name };
|
||||||
allow $1 lvm_control_t:chr_file unlink;
|
allow $1 lvm_control_t:chr_file unlink;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`devices_remove_lvm_control_channel_depend',`
|
define(`devices_remove_lvm_control_channel_depend',`
|
||||||
type device_t, lvm_control_t;
|
type device_t, lvm_control_t;
|
||||||
|
|
||||||
class dir { getattr search read write remove_name };
|
class dir { r_dir_perms write remove_name };
|
||||||
class chr_file unlink;
|
class chr_file unlink;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -302,7 +302,7 @@ define(`fs_execute_cifs_files',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 cifs_t:dir r_dir_perms;
|
allow $1 cifs_t:dir r_dir_perms;
|
||||||
allow $1 cifs_t:file { getattr read execute execute_no_trans };
|
can_exec($1, cifs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`fs_execute_cifs_files_depend',`
|
define(`fs_execute_cifs_files_depend',`
|
||||||
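Review bot: `can_exec($1, cifs_t)` replaces `{ getattr read execute execute_no_trans }`, and depending on how `can_exec` is defined in this tree it may also grant `lock` and `ioctl`; `fs_execute_cifs_files_depend`, whose body begins at the end of this hunk and continues outside it, must declare whatever the macro actually expands to or the requires check will be incomplete. Worth confirming the expansion and updating the depend block accordingly; the `fs_execute_nfs_files` hunk uses the same substitution.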
@ -616,7 +616,7 @@ define(`fs_execute_nfs_files',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 nfs_t:dir r_dir_perms;
|
allow $1 nfs_t:dir r_dir_perms;
|
||||||
allow $1 nfs_t:file { getattr read execute execute_no_trans };
|
can_exec($1, nfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`fs_execute_nfs_files_depend',`
|
define(`fs_execute_nfs_files_depend',`
|
||||||
@ -692,8 +692,8 @@ define(`fs_manage_nfs_named_pipes',`
|
|||||||
define(`fs_manage_nfs_named_pipes_depend',`
|
define(`fs_manage_nfs_named_pipes_depend',`
|
||||||
type nfs_t;
|
type nfs_t;
|
||||||
|
|
||||||
class dir { getattr search read write add_name remove_name };
|
class dir rw_dir_perms;
|
||||||
class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
class fifo_file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -25,11 +25,7 @@
|
|||||||
define(`kernel_make_userland_entrypoint',`
|
define(`kernel_make_userland_entrypoint',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow kernel_t $2:file { getattr read execute };
|
domain_auto_trans(kernel_t, $2, $1)
|
||||||
allow kernel_t $1:process transition;
|
|
||||||
allow $1 kernel_t:fd use;
|
|
||||||
type_transition kernel_t $2:process $1;
|
|
||||||
dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
|
|
||||||
|
|
||||||
allow $1 kernel_t:fd use;
|
allow $1 kernel_t:fd use;
|
||||||
allow kernel_t $1:fd use;
|
allow kernel_t $1:fd use;
|
||||||
@ -821,15 +817,15 @@ define(`kernel_ignore_read_system_state_depend',`
|
|||||||
define(`kernel_read_software_raid_state',`
|
define(`kernel_read_software_raid_state',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir { getattr search read };
|
allow $1 proc_t:dir r_dir_perms;
|
||||||
allow $1 proc_mdstat_t:file { getattr read };
|
allow $1 proc_mdstat_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_software_raid_state_depend',`
|
define(`kernel_read_software_raid_state_depend',`
|
||||||
type proc_t, proc_mdstat_t;
|
type proc_t, proc_mdstat_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -849,7 +845,7 @@ define(`kernel_read_software_raid_state_depend',`
|
|||||||
define(`kernel_get_core_interface_attributes',`
|
define(`kernel_get_core_interface_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir { getattr search read };
|
allow $1 proc_t:dir r_dir_perms;
|
||||||
allow $1 proc_kcore_t:file getattr;
|
allow $1 proc_kcore_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -906,7 +902,7 @@ define(`kernel_read_messages',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 proc_kmsg_t:file { getattr read };
|
allow $1 proc_kmsg_t:file r_file_perms;
|
||||||
typeattribute $1 can_receive_kernel_messages;
|
typeattribute $1 can_receive_kernel_messages;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -916,7 +912,7 @@ define(`kernel_read_messages_depend',`
|
|||||||
type proc_kmsg_t, proc_t;
|
type proc_kmsg_t, proc_t;
|
||||||
|
|
||||||
class dir search;
|
class dir search;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -995,15 +991,15 @@ define(`kernel_read_network_state',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 proc_net_t:dir { getattr search read };
|
allow $1 proc_net_t:dir r_dir_perms;
|
||||||
allow $1 proc_net_t:file { getattr read };
|
allow $1 proc_net_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_network_state_depend',`
|
define(`kernel_read_network_state_depend',`
|
||||||
type proc_t, proc_net_t;
|
type proc_t, proc_net_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1051,16 +1047,16 @@ define(`kernel_read_device_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_dev_t:dir { getattr search read };
|
allow $1 sysctl_dev_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_dev_t:file { getattr read };
|
allow $1 sysctl_dev_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_device_sysctl_depend',`
|
define(`kernel_read_device_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_dev_t;
|
type proc_t, sysctl_t, sysctl_dev_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1081,15 +1077,15 @@ define(`kernel_modify_device_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_dev_t:file { getattr read write };
|
allow $1 sysctl_dev_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_device_sysctl_depend',`
|
define(`kernel_modify_device_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_dev_t;
|
type proc_t, sysctl_t, sysctl_dev_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1111,15 +1107,15 @@ define(`kernel_read_virtual_memory_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_vm_t:file { getattr read };
|
allow $1 sysctl_vm_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_virtual_memory_sysctl_depend',`
|
define(`kernel_read_virtual_memory_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_vm_t;
|
type proc_t, sysctl_t, sysctl_vm_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1140,15 +1136,15 @@ define(`kernel_modify_virtual_memory_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_vm_t:file { getattr read write };
|
allow $1 sysctl_vm_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_virtual_memory_sysctl_depend',`
|
define(`kernel_modify_virtual_memory_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_vm_t;
|
type proc_t, sysctl_t, sysctl_vm_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1197,16 +1193,16 @@ define(`kernel_read_network_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_net_t:dir { getattr search read };
|
allow $1 sysctl_net_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_net_t:file { getattr read };
|
allow $1 sysctl_net_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_network_sysctl_depend',`
|
define(`kernel_read_network_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_net_t;
|
type proc_t, sysctl_t, sysctl_net_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file f_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
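Review bot: `class file f_file_perms;` in `kernel_read_network_sysctl_depend` is a typo for `r_file_perms`; no `f_file_perms` alias is introduced anywhere in this commit, and m4 passes an undefined name through as literal text, so the generated requires block would carry the bare token `f_file_perms` and should fail at policy build time instead of declaring the read permission set. The interface body directly above already uses `allow $1 sysctl_net_t:file r_file_perms;`, so the depend block must declare the same alias: `class file r_file_perms;`. Since every `_depend` block in this commit was rewritten by hand in the same way, a grep for other misspelled alias names before merging would be cheap insurance.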
@ -1228,16 +1224,16 @@ define(`kernel_modify_network_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_net_t:dir { getattr search read };
|
allow $1 sysctl_net_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_net_t:file { getattr read write };
|
allow $1 sysctl_net_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_network_sysctl_depend',`
|
define(`kernel_modify_network_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_net_t;
|
type proc_t, sysctl_t, sysctl_net_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1258,16 +1254,16 @@ define(`kernel_read_unix_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_net_t:dir { getattr search read };
|
allow $1 sysctl_net_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_net_unix_t:file { getattr read };
|
allow $1 sysctl_net_unix_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_net_sysctl_depend',`
|
define(`kernel_read_net_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
|
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1288,16 +1284,16 @@ define(`kernel_modify_unix_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_net_t:dir { getattr search read };
|
allow $1 sysctl_net_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_net_unix_t:file { getattr read write };
|
allow $1 sysctl_net_unix_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_net_sysctl_depend',`
|
define(`kernel_modify_net_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
|
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1318,16 +1314,16 @@ define(`kernel_read_hotplug_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
allow $1 sysctl_kernel_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_hotplug_t:file { getattr read };
|
allow $1 sysctl_hotplug_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_hotplug_sysctl_depend',`
|
define(`kernel_read_hotplug_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
|
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1348,16 +1344,16 @@ define(`kernel_modify_hotplug_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
allow $1 sysctl_kernel_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_hotplug_t:file { getattr read write };
|
allow $1 sysctl_hotplug_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_hotplug_sysctl_depend',`
|
define(`kernel_modify_hotplug_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
|
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1378,16 +1374,16 @@ define(`kernel_read_modprobe_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
allow $1 sysctl_kernel_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_modprobe_t:file { getattr read };
|
allow $1 sysctl_modprobe_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_modprobe_sysctl_depend',`
|
define(`kernel_read_modprobe_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
|
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1408,16 +1404,16 @@ define(`kernel_modify_modprobe_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
allow $1 sysctl_kernel_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_modprobe_t:file { getattr read write };
|
allow $1 sysctl_modprobe_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_modprobe_sysctl_depend',`
|
define(`kernel_modify_modprobe_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
|
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1438,16 +1434,16 @@ define(`kernel_read_kernel_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
allow $1 sysctl_kernel_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_kernel_t:file { getattr read };
|
allow $1 sysctl_kernel_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_kernel_sysctl_depend',`
|
define(`kernel_read_kernel_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_kernel_t;
|
type proc_t, sysctl_t, sysctl_kernel_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1468,16 +1464,16 @@ define(`kernel_modify_kernel_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
allow $1 sysctl_kernel_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_kernel_t:file { getattr read write };
|
allow $1 sysctl_kernel_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_kernel_sysctl_depend',`
|
define(`kernel_modify_kernel_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_kernel_t;
|
type proc_t, sysctl_t, sysctl_kernel_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1498,16 +1494,16 @@ define(`kernel_read_fs_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_fs_t:dir { getattr search read };
|
allow $1 sysctl_fs_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_fs_t:file { getattr read };
|
allow $1 sysctl_fs_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_fs_sysctl_depend',`
|
define(`kernel_read_fs_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_fs_t;
|
type proc_t, sysctl_t, sysctl_fs_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1530,16 +1526,16 @@ define(`kernel_modify_fs_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_t:dir { getattr search read };
|
allow $1 sysctl_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_fs_t:dir { getattr search read };
|
allow $1 sysctl_fs_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_fs_t:file { getattr read write };
|
allow $1 sysctl_fs_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_fs_sysctl_depend',`
|
define(`kernel_modify_fs_sysctl_depend',`
|
||||||
type proc_t, sysctl_t, sysctl_fs_t;
|
type proc_t, sysctl_t, sysctl_fs_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1560,15 +1556,15 @@ define(`kernel_read_irq_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_irq_t:dir { getattr search read };
|
allow $1 sysctl_irq_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_irq_t:file { getattr read };
|
allow $1 sysctl_irq_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_irq_sysctl_depend',`
|
define(`kernel_read_irq_sysctl_depend',`
|
||||||
type proc_t, sysctl_irq_t;
|
type proc_t, sysctl_irq_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1590,15 +1586,15 @@ define(`kernel_modify_irq_sysctl',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 sysctl_irq_t:dir { getattr search read };
|
allow $1 sysctl_irq_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_irq_t:file { getattr read write };
|
allow $1 sysctl_irq_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_irq_sysctl_depend',`
|
define(`kernel_modify_irq_sysctl_depend',`
|
||||||
type proc_t, sysctl_irq_t;
|
type proc_t, sysctl_irq_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1610,15 +1606,15 @@ define(`kernel_read_rpc_sysctl',`
|
|||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 proc_net_t:dir search;
|
allow $1 proc_net_t:dir search;
|
||||||
allow $1 sysctl_rpc_t:dir { getattr search read };
|
allow $1 sysctl_rpc_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_rpc_t:file { getattr read };
|
allow $1 sysctl_rpc_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_rpc_sysctl_depend',`
|
define(`kernel_read_rpc_sysctl_depend',`
|
||||||
type proc_t, proc_net_t, sysctl_rpc_t;
|
type proc_t, proc_net_t, sysctl_rpc_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1630,15 +1626,15 @@ define(`kernel_modify_rpc_sysctl',`
|
|||||||
|
|
||||||
allow $1 proc_t:dir search;
|
allow $1 proc_t:dir search;
|
||||||
allow $1 proc_net_t:dir search;
|
allow $1 proc_net_t:dir search;
|
||||||
allow $1 sysctl_rpc_t:dir { getattr search read };
|
allow $1 sysctl_rpc_t:dir r_dir_perms;
|
||||||
allow $1 sysctl_rpc_t:file { getattr read write };
|
allow $1 sysctl_rpc_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_rpc_sysctl_depend',`
|
define(`kernel_modify_rpc_sysctl_depend',`
|
||||||
type proc_t, proc_net_t, sysctl_rpc_t;
|
type proc_t, proc_net_t, sysctl_rpc_t;
|
||||||
|
|
||||||
class dir { search getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1735,16 +1731,16 @@ define(`kernel_search_hardware_state_dir_depend',`
|
|||||||
define(`kernel_read_hardware_state',`
|
define(`kernel_read_hardware_state',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 sysfs_t:dir { getattr search read };
|
allow $1 sysfs_t:dir r_dir_perms;
|
||||||
allow $1 sysfs_t:{ file lnk_file } { getattr read };
|
allow $1 sysfs_t:{ file lnk_file } r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_hardware_state_depend',`
|
define(`kernel_read_hardware_state_depend',`
|
||||||
type sysfs_t;
|
type sysfs_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
class lnk_file { getattr read };
|
class lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1764,17 +1760,17 @@ define(`kernel_read_hardware_state_depend',`
|
|||||||
define(`kernel_modify_hardware_config_option',`
|
define(`kernel_modify_hardware_config_option',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 sysfs_t:dir { getattr search read };
|
allow $1 sysfs_t:dir r_dir_perms;
|
||||||
allow $1 sysfs_t:lnk_file { getattr read };
|
allow $1 sysfs_t:lnk_file r_file_perms;
|
||||||
allow $1 sysfs_t:file { getattr read write };
|
allow $1 sysfs_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_hardware_config_option_depend',`
|
define(`kernel_modify_hardware_config_option_depend',`
|
||||||
type sysfs_t;
|
type sysfs_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
class lnk_file { getattr read };
|
class lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1937,7 +1933,7 @@ define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
|
|||||||
define(`kernel_relabel_unlabeled_object',`
|
define(`kernel_relabel_unlabeled_object',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
|
allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_relabel_unlabeled_object_depend',`
|
define(`kernel_relabel_unlabeled_object_depend',`
|
||||||
@ -1992,17 +1988,17 @@ define(`kernel_search_usb_hardware_state_dir_depend',`
|
|||||||
define(`kernel_list_usb_hardware',`
|
define(`kernel_list_usb_hardware',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 usbfs_t:dir { getattr search read };
|
allow $1 usbfs_t:dir r_dir_perms;
|
||||||
allow $1 usbfs_t:lnk_file { getattr read };
|
allow $1 usbfs_t:lnk_file r_file_perms;
|
||||||
allow $1 usbfs_t:file getattr;
|
allow $1 usbfs_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_list_usb_hardware_depend',`
|
define(`kernel_list_usb_hardware_depend',`
|
||||||
type usbfs_t;
|
type usbfs_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
class file getattr;
|
class file getattr;
|
||||||
class lnk_file { getattr read };
|
class lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -2020,16 +2016,16 @@ define(`kernel_list_usb_hardware_depend',`
|
|||||||
define(`kernel_read_usb_hardware_state',`
|
define(`kernel_read_usb_hardware_state',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 usbfs_t:dir { getattr search read };
|
allow $1 usbfs_t:dir r_dir_perms;
|
||||||
allow $1 usbfs_t:{ file lnk_file } { getattr read };
|
allow $1 usbfs_t:{ file lnk_file } r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_usb_hardware_state_depend',`
|
define(`kernel_read_usb_hardware_state_depend',`
|
||||||
type usbfs_t;
|
type usbfs_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read };
|
class file r_file_perms;
|
||||||
class lnk_file { getattr read };
|
class lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -2049,17 +2045,17 @@ define(`kernel_read_usb_hardware_state_depend',`
|
|||||||
define(`kernel_modify_usb_hardware_config_option',`
|
define(`kernel_modify_usb_hardware_config_option',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 usbfs_t:dir { getattr search read };
|
allow $1 usbfs_t:dir r_dir_perms;
|
||||||
allow $1 usbfs_t:lnk_file { getattr read };
|
allow $1 usbfs_t:lnk_file r_file_perms;
|
||||||
allow $1 usbfs_t:file { getattr read write };
|
allow $1 usbfs_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_modify_usb_hardware_config_option_depend',`
|
define(`kernel_modify_usb_hardware_config_option_depend',`
|
||||||
type usbfs_t;
|
type usbfs_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
class lnk_file { getattr read };
|
class lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
###################################################################
|
###################################################################
|
||||||
@ -2140,13 +2136,13 @@ define(`kernel_unlabeled_sigchld_from_depend',`
|
|||||||
define(`kernel_read_directory_from',`
|
define(`kernel_read_directory_from',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow kernel_t $1:dir { getattr search read };
|
allow kernel_t $1:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_read_directory_from_depend',`
|
define(`kernel_read_directory_from_depend',`
|
||||||
type kernel_t;
|
type kernel_t;
|
||||||
|
|
||||||
class dir { getattr search read };
|
class dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
@ -165,28 +165,28 @@ allow kernel_t self:capability *;
|
|||||||
allow kernel_t unlabeled_t:dir mounton;
|
allow kernel_t unlabeled_t:dir mounton;
|
||||||
|
|
||||||
# old general_domain_access()
|
# old general_domain_access()
|
||||||
allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
allow kernel_t self:shm create_shm_perms;
|
||||||
allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
allow kernel_t self:sem create_sem_perms;
|
||||||
allow kernel_t self:msg { send receive };
|
allow kernel_t self:msg { send receive };
|
||||||
allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
allow kernel_t self:msgq create_msgq_perms;
|
||||||
allow kernel_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
allow kernel_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow kernel_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
allow kernel_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow kernel_t self:unix_dgram_socket sendto;
|
allow kernel_t self:unix_dgram_socket sendto;
|
||||||
allow kernel_t self:unix_stream_socket connectto;
|
allow kernel_t self:unix_stream_socket connectto;
|
||||||
allow kernel_t self:fifo_file { read getattr lock ioctl write append };
|
allow kernel_t self:fifo_file rw_file_perms;
|
||||||
allow kernel_t self:fd use;
|
allow kernel_t self:fd use;
|
||||||
|
|
||||||
# old general_proc_read_access():
|
# old general_proc_read_access():
|
||||||
allow kernel_t proc_t:dir { getattr search read };
|
allow kernel_t proc_t:dir r_dir_perms;
|
||||||
allow kernel_t proc_t:{ lnk_file file } { getattr read };
|
allow kernel_t proc_t:{ lnk_file file } r_file_perms;
|
||||||
allow kernel_t proc_net_t:dir { getattr search read };
|
allow kernel_t proc_net_t:dir r_dir_perms;
|
||||||
allow kernel_t proc_net_t:file { getattr read };
|
allow kernel_t proc_net_t:file r_file_perms;
|
||||||
allow kernel_t proc_mdstat_t:file { getattr read };
|
allow kernel_t proc_mdstat_t:file r_file_perms;
|
||||||
allow kernel_t proc_kcore_t:file getattr;
|
allow kernel_t proc_kcore_t:file getattr;
|
||||||
allow kernel_t proc_kmsg_t:file getattr;
|
allow kernel_t proc_kmsg_t:file getattr;
|
||||||
allow kernel_t sysctl_t:dir { getattr search read };
|
allow kernel_t sysctl_t:dir r_dir_perms;
|
||||||
allow kernel_t sysctl_kernel_t:dir { getattr search read };
|
allow kernel_t sysctl_kernel_t:dir r_dir_perms;
|
||||||
allow kernel_t sysctl_kernel_t:file { getattr read };
|
allow kernel_t sysctl_kernel_t:file r_file_perms;
|
||||||
|
|
||||||
# old base_file_read_access():
|
# old base_file_read_access():
|
||||||
files_list_home_directories(kernel_t)
|
files_list_home_directories(kernel_t)
|
||||||
@ -194,8 +194,8 @@ files_read_general_application_resources(kernel_t)
|
|||||||
selinux_read_config(kernel_t)
|
selinux_read_config(kernel_t)
|
||||||
|
|
||||||
selinux_read_binary_policy(kernel_t)
|
selinux_read_binary_policy(kernel_t)
|
||||||
allow kernel_t security_t:dir { read search getattr };
|
allow kernel_t security_t:dir r_dir_perms;
|
||||||
allow kernel_t security_t:file { getattr read write };
|
allow kernel_t security_t:file rw_file_perms;
|
||||||
allow kernel_t security_t:security load_policy;
|
allow kernel_t security_t:security load_policy;
|
||||||
auditallow kernel_t security_t:security load_policy;
|
auditallow kernel_t security_t:security load_policy;
|
||||||
|
|
||||||
|
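Review bot: The `rw_file_perms` alias on `security_t:file` is not permission-preserving: the old rule granted `{ getattr read write }`, while the hunk above replaces `self:fifo_file { read getattr lock ioctl write append }` with the same alias, so selinuxfs files now presumably also get `append lock ioctl`. For kernel_t, which already holds `self:capability *`, the practical impact is small, but the same mechanical `{ getattr read write }` -> `rw_file_perms` and `{ getattr read }` -> `r_file_perms` substitution is applied across the interface files where `$1` is an arbitrary caller domain, so each of those is a quiet widening beyond what the interface previously granted. If the widening is intended, a short comment such as `# rw_file_perms additionally grants append/lock/ioctl` near the first use would spare the next reader a lookup; if not, the explicit sets should be kept where the extra permissions are not wanted.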
@ -33,6 +33,7 @@ define(`term_make_pty_depend',`
|
|||||||
## <parameter name="pty_type">
|
## <parameter name="pty_type">
|
||||||
## An object type that will applied to a pty.
|
## An object type that will applied to a pty.
|
||||||
## </parameter>
|
## </parameter>
|
||||||
|
## <infoflow type="none"/>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`term_make_user_pty',`
|
define(`term_make_user_pty',`
|
||||||
@ -57,6 +58,7 @@ define(`term_make_user_pty_depend',`
|
|||||||
## <parameter name="object_type">
|
## <parameter name="object_type">
|
||||||
## An object type that will applied to a pty.
|
## An object type that will applied to a pty.
|
||||||
## </parameter>
|
## </parameter>
|
||||||
|
## <infoflow type="none"/>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`term_make_interactive_pty',`
|
define(`term_make_interactive_pty',`
|
||||||
@ -105,7 +107,7 @@ define(`term_create_pty',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 ptmx_t:chr_file { getattr read write };
|
allow $1 ptmx_t:chr_file rw_file_perms;
|
||||||
allow $1 devpts_t:dir r_dir_perms;
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
allow $1 devpts_t:filesystem getattr;
|
allow $1 devpts_t:filesystem getattr;
|
||||||
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
|
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
|
||||||
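Review bot: In `term_create_pty` the allow on `ptmx_t:chr_file` was converted to `rw_file_perms`, but the `dontaudit $1 bsdpty_device_t:chr_file { getattr read write };` two lines below keeps the literal set, so the two neighbouring rules no longer describe the same access and a reader cannot tell whether the difference is deliberate. Either convert it too, `dontaudit $1 bsdpty_device_t:chr_file rw_file_perms;`, or add a one-line comment stating why the BSD pty denial is narrower. Note that if the alias includes `ioctl`, as the fifo_file substitution elsewhere in this commit suggests, this change also quietly fixes a functional gap, since unlocking a pty through /dev/ptmx needs an ioctl the old `{ getattr read write }` set did not grant; that would be worth calling out in the commit message rather than leaving it implicit in an "add aliases" change.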
@ -117,7 +119,7 @@ define(`term_create_pty_depend',`
|
|||||||
|
|
||||||
class filesystem getattr;
|
class filesystem getattr;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class chr_file { getattr read write };
|
class chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|