move fs_use and isids to respective modules
parent
ca83afe7e6
commit
cabfa520aa
@ -102,7 +102,7 @@ ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR),$(DETECTED_DIRS))
|
|||||||
PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) mls
|
PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) mls
|
||||||
ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
|
ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
|
||||||
ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
|
ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
|
||||||
POST_TE_FILES := users constraints initial_sid_contexts fs_use
|
POST_TE_FILES := users constraints
|
||||||
|
|
||||||
ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc))
|
ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc))
|
||||||
|
|
||||||
@ -213,8 +213,12 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
|
|||||||
$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
|
$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
|
||||||
$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
|
$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
|
||||||
$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
|
$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
|
||||||
|
$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
|
||||||
|
$(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
|
||||||
$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
|
$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
|
||||||
$(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
|
$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
|
||||||
|
-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
|
||||||
|
< tmp/all_te_files.conf > tmp/only_te_rules.conf
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
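Review bot: The same post-TE patterns (`^sid `, `^fs_use_(xattr|task|trans)`, `^genfscon`) now live in two places in this recipe — the grep/egrep appends and the sed deletion list — so a later edit that updates one list but not the other would silently leave statements duplicated in, or dropped from, policy.conf. Defining the list once (e.g. `POST_TE_PATTERNS := '^sid ' '^fs_use_(xattr|task|trans)' '^genfscon'`) and deriving both the `grep -E` calls and the `sed -r -e` arguments from it would keep them in sync; `grep -E` is also the portable spelling of `egrep`. The order of the appends is not arbitrary — as far as I recall checkpolicy's grammar wants initial sid contexts, then fs_use, then genfscon — and deserves a comment such as `# order matters: policy.conf expects sid contexts, then fs_use, then genfscon`. The trailing `|| true` hides grep's error exit (2) as well as its no-match exit (1); `|| [ $$? -eq 1 ]` keeps the no-match case quiet without masking a failed read.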
@ -24,6 +24,7 @@ devices_make_device_node(tun_tap_device_t)
|
|||||||
# port_t is the default type of INET port numbers.
|
# port_t is the default type of INET port numbers.
|
||||||
#
|
#
|
||||||
type port_t, port_type;
|
type port_t, port_type;
|
||||||
|
sid port context_template(system_u:object_r:port_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# reserved_port_t is the type of INET port numbers below 1024.
|
# reserved_port_t is the type of INET port numbers below 1024.
|
||||||
@ -94,6 +95,7 @@ portcon udp 1-1023 context_template(system_u:object_r:reserved_port_t, s0)
|
|||||||
# nodes in net_contexts or net_contexts.mls.
|
# nodes in net_contexts or net_contexts.mls.
|
||||||
#
|
#
|
||||||
type node_t, node_type;
|
type node_t, node_type;
|
||||||
|
sid node context_template(system_u:object_r:node_t,s0)
|
||||||
|
|
||||||
network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
|
network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
|
||||||
network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
|
network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
|
||||||
@ -105,7 +107,6 @@ network_node(multicast, s0, ff00::, ff00::)
|
|||||||
network_node(site_local, s0, fec0::, ffc0::)
|
network_node(site_local, s0, fec0::, ffc0::)
|
||||||
network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
|
network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
|
||||||
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Network Interfaces:
|
# Network Interfaces:
|
||||||
@ -115,6 +116,7 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
|
|||||||
# netif_t is the default type of network interfaces.
|
# netif_t is the default type of network interfaces.
|
||||||
#
|
#
|
||||||
type netif_t, netif_type;
|
type netif_t, netif_type;
|
||||||
|
sid netif context_template(system_u:object_r:netif_t,s0)
|
||||||
|
|
||||||
network_interface(lo, s0)
|
network_interface(lo, s0)
|
||||||
network_interface(eth0, s0)
|
network_interface(eth0, s0)
|
||||||
|
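Review bot: The `sid port`, `sid node` and `sid netif` lines added here are gathered into policy.conf by a prefix match (`grep '^sid '` in the Makefile hunk above), so they only reach the built policy if the keyword stays at column 0 and outside any m4 conditional that could indent or strip it; a comment beside the first one, e.g. `# initial sid contexts are collected by prefix ('^sid '): keep at column 0`, would guard against a later reformat. The same holds for the `sid` and `fs_use_*` statements added in the remaining sections of this commit (devnull, fs and tmpfs, kernel/unlabeled/security/sysctl, devpts, file), which the build picks up the same way. As far as I recall, policy load rejects a declared initial sid that has no context, so once a sid is listed in initial_sids its context line here is mandatory rather than optional.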
@ -112,6 +112,7 @@ genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
|
|||||||
type null_device_t, device_node;
|
type null_device_t, device_node;
|
||||||
filesystem_associate(null_device_t)
|
filesystem_associate(null_device_t)
|
||||||
filesystem_tmpfs_associate(null_device_t)
|
filesystem_tmpfs_associate(null_device_t)
|
||||||
|
sid devnull context_template(system_u:object_r:null_device_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# Type for /dev/pmu
|
# Type for /dev/pmu
|
||||||
|
@ -9,6 +9,22 @@ attribute fs_type;
|
|||||||
# filesystems with extended attributes
|
# filesystems with extended attributes
|
||||||
#
|
#
|
||||||
type fs_t, fs_type;
|
type fs_t, fs_type;
|
||||||
|
sid fs context_template(system_u:object_r:fs_t,s0)
|
||||||
|
|
||||||
|
# Use xattrs for the following filesystem types.
|
||||||
|
# Requires that a security xattr handler exist for the filesystem.
|
||||||
|
fs_use_xattr ext2 context_template(system_u:object_r:fs_t,s0);
|
||||||
|
fs_use_xattr ext3 context_template(system_u:object_r:fs_t,s0);
|
||||||
|
fs_use_xattr jfs context_template(system_u:object_r:fs_t,s0);
|
||||||
|
fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);
|
||||||
|
|
||||||
|
# Use the allocating task SID to label inodes in the following filesystem
|
||||||
|
# types, and label the filesystem itself with the specified context.
|
||||||
|
# This is appropriate for pseudo filesystems that represent objects
|
||||||
|
# like pipes and sockets, so that these objects are labeled with the same
|
||||||
|
# type as the creating task.
|
||||||
|
fs_use_task pipefs context_template(system_u:object_r:fs_t,s0);
|
||||||
|
fs_use_task sockfs context_template(system_u:object_r:fs_t,s0);
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -47,6 +63,14 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
|
|||||||
type tmpfs_t, fs_type;
|
type tmpfs_t, fs_type;
|
||||||
files_make_file(tmpfs_t)
|
files_make_file(tmpfs_t)
|
||||||
|
|
||||||
|
# Use a transition SID based on the allocating task SID and the
|
||||||
|
# filesystem SID to label inodes in the following filesystem types,
|
||||||
|
# and label the filesystem itself with the specified context.
|
||||||
|
# This is appropriate for pseudo filesystems like devpts and tmpfs
|
||||||
|
# where we want to label objects with a derived type.
|
||||||
|
fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
|
||||||
|
fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
|
||||||
|
|
||||||
allow tmpfs_t self:filesystem associate;
|
allow tmpfs_t self:filesystem associate;
|
||||||
allow tmpfs_t autofs_t:filesystem associate;
|
allow tmpfs_t autofs_t:filesystem associate;
|
||||||
allow tmpfs_t cifs_t:filesystem associate;
|
allow tmpfs_t cifs_t:filesystem associate;
|
||||||
|
@ -20,6 +20,7 @@ attribute can_change_object_identity;
|
|||||||
type kernel_t, can_load_kernmodule, can_load_policy;
|
type kernel_t, can_load_kernmodule, can_load_policy;
|
||||||
role system_r types kernel_t;
|
role system_r types kernel_t;
|
||||||
domain_make_domain(kernel_t)
|
domain_make_domain(kernel_t)
|
||||||
|
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
|
||||||
|
|
||||||
#
|
#
|
||||||
# unlabeled_t is the type of unlabeled objects.
|
# unlabeled_t is the type of unlabeled objects.
|
||||||
@ -27,6 +28,26 @@ domain_make_domain(kernel_t)
|
|||||||
# have labels that are no longer valid are treated as having this type.
|
# have labels that are no longer valid are treated as having this type.
|
||||||
#
|
#
|
||||||
type unlabeled_t;
|
type unlabeled_t;
|
||||||
|
sid unlabeled context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
|
||||||
|
# These initial sids are no longer used, and can be removed:
|
||||||
|
sid any_socket context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid file_labels context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid icmp_socket context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid igmp_packet context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid init context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid kmod context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid netmsg context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid policy context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid scmp_packet context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid sysctl_modprobe context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid sysctl_fs context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid sysctl_kernel context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid sysctl_net context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid sysctl_net_unix context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid sysctl_vm context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid sysctl_dev context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
sid tcp_socket context_template(system_u:object_r:unlabeled_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# security_t is the target type when checking
|
# security_t is the target type when checking
|
||||||
@ -35,6 +56,7 @@ type unlabeled_t;
|
|||||||
#
|
#
|
||||||
type security_t;
|
type security_t;
|
||||||
filesystem_make_filesystem(security_t)
|
filesystem_make_filesystem(security_t)
|
||||||
|
sid security context_template(system_u:object_r:security_t,s0)
|
||||||
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
|
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -95,6 +117,7 @@ genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
|
|||||||
# /proc/sys directory, base directory of sysctls
|
# /proc/sys directory, base directory of sysctls
|
||||||
type sysctl_t;
|
type sysctl_t;
|
||||||
files_make_mountpoint(sysctl_t)
|
files_make_mountpoint(sysctl_t)
|
||||||
|
sid sysctl context_template(system_u:object_r:sysctl_t,s0)
|
||||||
genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
|
genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
|
||||||
|
|
||||||
# /proc/sys/fs directory and files
|
# /proc/sys/fs directory and files
|
||||||
|
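Review bot: The comment `# These initial sids are no longer used, and can be removed:` understates what removal involves: each of these sids is presumably still declared in the flask initial_sids file (part of PRE_TE_FILES in the Makefile hunk), and as far as I recall a declared initial sid with no context makes policy load fail, so the contexts here can only be dropped together with their declarations, and only once the kernel no longer references them. Suggest `# Contexts for initial sids the kernel no longer uses; remove them together with their declaration in initial_sids, never on their own.` Mapping them to unlabeled_t in the meantime is a reasonable conservative default.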
@ -23,6 +23,7 @@ devices_make_device_node(console_device_t)
|
|||||||
type devpts_t;
|
type devpts_t;
|
||||||
files_make_mountpoint(devpts_t)
|
files_make_mountpoint(devpts_t)
|
||||||
filesystem_make_filesystem(devpts_t)
|
filesystem_make_filesystem(devpts_t)
|
||||||
|
fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
|
||||||
|
|
||||||
#
|
#
|
||||||
# devtty_t is the type of /dev/tty.
|
# devtty_t is the type of /dev/tty.
|
||||||
|
@ -40,6 +40,7 @@ type file_t, file_type, mountpoint;
|
|||||||
filesystem_associate(file_t)
|
filesystem_associate(file_t)
|
||||||
filesystem_noxattr_associate(file_t)
|
filesystem_noxattr_associate(file_t)
|
||||||
kernel_make_root_filesystem_mountpoint(file_t)
|
kernel_make_root_filesystem_mountpoint(file_t)
|
||||||
|
sid file context_template(system_u:object_r:file_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# home_root_t is the type for the directory where user home directories
|
# home_root_t is the type for the directory where user home directories
|
||||||
|