fix kernel_relabel_unlabeled()
parent
cd07eaecf0
commit
c66a3aaf98
@ -1606,19 +1606,86 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow caller to relabel unlabeled objects.
|
## Allow caller to relabel unlabeled directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## The process type relabeling the objects.
|
## The process type relabeling the objects.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`kernel_relabel_unlabeled',`
|
interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type unlabeled_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 unlabeled_t:dir { getattr search read relabelfrom };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow caller to relabel unlabeled files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The process type relabeling the objects.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_relabelfrom_unlabeled_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type unlabeled_t;
|
type unlabeled_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
kernel_list_unlabeled($1)
|
kernel_list_unlabeled($1)
|
||||||
allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
|
allow $1 unlabeled_t:file { getattr relabelfrom };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow caller to relabel unlabeled symbolic links.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The process type relabeling the objects.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_relabelfrom_unlabeled_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
type unlabeled_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
kernel_list_unlabeled($1)
|
||||||
|
allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow caller to relabel unlabeled named pipes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The process type relabeling the objects.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_relabelfrom_unlabeled_pipes',`
|
||||||
|
gen_require(`
|
||||||
|
type unlabeled_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
kernel_list_unlabeled($1)
|
||||||
|
allow $1 unlabeled_t:fifo_file { getattr relabelfrom };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow caller to relabel unlabeled named sockets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The process type relabeling the objects.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_relabelfrom_unlabeled_sockets',`
|
||||||
|
gen_require(`
|
||||||
|
type unlabeled_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
kernel_list_unlabeled($1)
|
||||||
|
allow $1 unlabeled_t:sock_file { getattr relabelfrom };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
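Review bot: kernel_relabelfrom_unlabeled_dirs grants `{ getattr search read relabelfrom }` on unlabeled_t:dir inline, whereas the four sibling interfaces added below it all obtain their listing access through `kernel_list_unlabeled($1)` and then add only `{ getattr relabelfrom }`; if kernel_list_unlabeled already covers search/read on the directory, the dirs interface should take the same shape so the listing permissions are maintained in one place: `kernel_list_unlabeled($1)` followed by `allow $1 unlabeled_t:dir { getattr relabelfrom };`. Each new summary reads "Allow caller to relabel ..." but the rules grant only relabelfrom, so the caller still needs relabelto on the destination type from some other interface; stating that in each summary, e.g. `## Only relabelfrom is granted; the caller also needs relabelto on the target type.`, would prevent misuse. Note that the interface being replaced used dir_file_class_set, and no chr_file or blk_file variant appears in this hunk, so unlabeled device nodes are no longer covered unless such an interface exists outside it.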
@ -321,7 +321,13 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
|
|||||||
kernel_use_fd(restorecon_t)
|
kernel_use_fd(restorecon_t)
|
||||||
kernel_rw_pipes(restorecon_t)
|
kernel_rw_pipes(restorecon_t)
|
||||||
kernel_read_system_state(restorecon_t)
|
kernel_read_system_state(restorecon_t)
|
||||||
|
kernel_relabelfrom_unlabeled_dirs(restorecon_t)
|
||||||
|
kernel_relabelfrom_unlabeled_files(restorecon_t)
|
||||||
|
kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
|
||||||
|
kernel_relabelfrom_unlabeled_pipes(restorecon_t)
|
||||||
|
kernel_relabelfrom_unlabeled_sockets(restorecon_t)
|
||||||
|
|
||||||
|
dev_relabel_all_dev_nodes(restorecon_t)
|
||||||
# cjp: why is this needed?
|
# cjp: why is this needed?
|
||||||
dev_rw_generic_files(restorecon_t)
|
dev_rw_generic_files(restorecon_t)
|
||||||
|
|
||||||
@ -359,10 +365,6 @@ logging_send_syslog_msg(restorecon_t)
|
|||||||
|
|
||||||
userdom_use_all_users_fd(restorecon_t)
|
userdom_use_all_users_fd(restorecon_t)
|
||||||
|
|
||||||
# relabeling rules
|
|
||||||
kernel_relabel_unlabeled(restorecon_t)
|
|
||||||
dev_relabel_all_dev_nodes(restorecon_t)
|
|
||||||
|
|
||||||
files_relabel_all_files(restorecon_t)
|
files_relabel_all_files(restorecon_t)
|
||||||
files_list_all(restorecon_t)
|
files_list_all(restorecon_t)
|
||||||
# this is to satisfy the assertion:
|
# this is to satisfy the assertion:
|
||||||
@ -474,7 +476,13 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
|
|||||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||||
|
|
||||||
kernel_read_system_state(setfiles_t)
|
kernel_read_system_state(setfiles_t)
|
||||||
kernel_list_unlabeled(setfiles_t)
|
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
|
||||||
|
kernel_relabelfrom_unlabeled_files(setfiles_t)
|
||||||
|
kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
|
||||||
|
kernel_relabelfrom_unlabeled_pipes(setfiles_t)
|
||||||
|
kernel_relabelfrom_unlabeled_sockets(setfiles_t)
|
||||||
|
|
||||||
|
dev_relabel_all_dev_nodes(setfiles_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(setfiles_t)
|
fs_getattr_xattr_fs(setfiles_t)
|
||||||
fs_list_all(setfiles_t)
|
fs_list_all(setfiles_t)
|
||||||
@ -495,6 +503,9 @@ term_use_all_user_ttys(setfiles_t)
|
|||||||
term_use_all_user_ptys(setfiles_t)
|
term_use_all_user_ptys(setfiles_t)
|
||||||
term_use_unallocated_ttys(setfiles_t)
|
term_use_unallocated_ttys(setfiles_t)
|
||||||
|
|
||||||
|
# this is to satisfy the assertion:
|
||||||
|
auth_relabelto_shadow(setfiles_t)
|
||||||
|
|
||||||
init_use_fd(setfiles_t)
|
init_use_fd(setfiles_t)
|
||||||
init_use_script_fd(setfiles_t)
|
init_use_script_fd(setfiles_t)
|
||||||
init_use_script_ptys(setfiles_t)
|
init_use_script_ptys(setfiles_t)
|
||||||
@ -506,6 +517,8 @@ libs_use_shared_libs(setfiles_t)
|
|||||||
|
|
||||||
files_read_etc_runtime_files(setfiles_t)
|
files_read_etc_runtime_files(setfiles_t)
|
||||||
files_read_etc_files(setfiles_t)
|
files_read_etc_files(setfiles_t)
|
||||||
|
files_list_all(setfiles_t)
|
||||||
|
files_relabel_all_files(setfiles_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(setfiles_t)
|
logging_send_syslog_msg(setfiles_t)
|
||||||
|
|
||||||
@ -515,14 +528,6 @@ userdom_use_all_users_fd(setfiles_t)
|
|||||||
# for config files in a home directory
|
# for config files in a home directory
|
||||||
userdom_read_all_user_files(setfiles_t)
|
userdom_read_all_user_files(setfiles_t)
|
||||||
|
|
||||||
# relabeling rules
|
|
||||||
kernel_relabel_unlabeled(setfiles_t)
|
|
||||||
dev_relabel_all_dev_nodes(setfiles_t)
|
|
||||||
files_list_all(setfiles_t)
|
|
||||||
files_relabel_all_files(setfiles_t)
|
|
||||||
# this is to satisfy the assertion:
|
|
||||||
auth_relabelto_shadow(setfiles_t)
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# for upgrading glibc and other shared objects - without this the upgrade
|
# for upgrading glibc and other shared objects - without this the upgrade
|
||||||
# scripts will put things in a state such that setfiles can not be run!
|
# scripts will put things in a state such that setfiles can not be run!
|
||||||
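Review bot: Replacing `kernel_relabel_unlabeled(setfiles_t)` and the matching restorecon_t call with the five per-class interfaces narrows coverage: the old interface used dir_file_class_set, which took in chr_file and blk_file, while the new calls cover only dir, file, lnk_file, fifo_file and sock_file. `dev_relabel_all_dev_nodes` is moved rather than added in these hunks and appears to address device-node types rather than unlabeled_t, so setfiles_t and restorecon_t presumably lose relabelfrom on unlabeled device nodes; please confirm whether that is intended. If it is, a comment above the new block such as `# unlabeled chr_file/blk_file nodes are deliberately not relabeled here` would stop the next reader from re-adding it; if not, a device-node counterpart of the new interfaces is needed for both domains. The removed `# relabeling rules` header could also be restored above the new calls so the grouping stays visible.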
|