rename create verb to filetrans for type transitioning ifs
This commit is contained in:
parent
9d594986b7
commit
ce96df7580
@ -819,7 +819,7 @@ dontaudit $1_t self:capability sys_tty_config;
|
|||||||
allow $1_t self:process signal_perms;
|
allow $1_t self:process signal_perms;
|
||||||
allow $1_t $1_var_run_t:file create_file_perms;
|
allow $1_t $1_var_run_t:file create_file_perms;
|
||||||
allow $1_t $1_var_run_t:dir rw_dir_perms;
|
allow $1_t $1_var_run_t:dir rw_dir_perms;
|
||||||
files_create_pid($1_t,$1_var_run_t)
|
files_filetrans_pid($1_t,$1_var_run_t)
|
||||||
kernel_read_kernel_sysctl($1_t)
|
kernel_read_kernel_sysctl($1_t)
|
||||||
kernel_list_proc($1_t)
|
kernel_list_proc($1_t)
|
||||||
kernel_read_proc_symlinks($1_t)
|
kernel_read_proc_symlinks($1_t)
|
||||||
@ -987,10 +987,10 @@ optional_policy(`kerberos',`
|
|||||||
#end for identd
|
#end for identd
|
||||||
allow $1_t $1_tmp_t:dir create_dir_perms;
|
allow $1_t $1_tmp_t:dir create_dir_perms;
|
||||||
allow $1_t $1_tmp_t:file create_file_perms;
|
allow $1_t $1_tmp_t:file create_file_perms;
|
||||||
files_create_tmp_files($1_t, $1_tmp_t, { file dir })
|
files_filetrans_tmp($1_t, $1_tmp_t, { file dir })
|
||||||
allow $1_t $1_var_run_t:file create_file_perms;
|
allow $1_t $1_var_run_t:file create_file_perms;
|
||||||
allow $1_t $1_var_run_t:dir rw_dir_perms;
|
allow $1_t $1_var_run_t:dir rw_dir_perms;
|
||||||
files_create_pid($1_t,$1_var_run_t)
|
files_filetrans_pid($1_t,$1_var_run_t)
|
||||||
kernel_read_kernel_sysctl($1_t)
|
kernel_read_kernel_sysctl($1_t)
|
||||||
kernel_read_system_state($1_t)
|
kernel_read_system_state($1_t)
|
||||||
kernel_read_network_state($1_t)
|
kernel_read_network_state($1_t)
|
||||||
@ -1033,7 +1033,7 @@ libs_legacy_use_ld_so($1_t)
|
|||||||
type $1_lock_t;
|
type $1_lock_t;
|
||||||
files_lock_file($1_lock_t)
|
files_lock_file($1_lock_t)
|
||||||
allow $1_t $1_lock_t:file create_file_perms;
|
allow $1_t $1_lock_t:file create_file_perms;
|
||||||
files_create_lock($1_t,$1_lock_t)
|
files_filetrans_lock($1_t,$1_lock_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# log_domain(): complete
|
# log_domain(): complete
|
||||||
@ -1041,7 +1041,7 @@ files_create_lock($1_t,$1_lock_t)
|
|||||||
type $1_log_t;
|
type $1_log_t;
|
||||||
logging_log_file($1_log_t)
|
logging_log_file($1_log_t)
|
||||||
allow $1_t $1_log_t:file create_file_perms;
|
allow $1_t $1_log_t:file create_file_perms;
|
||||||
logging_create_log($1_t,$1_log_t)
|
logging_filetrans_log($1_t,$1_log_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# logdir_domain(): complete
|
# logdir_domain(): complete
|
||||||
@ -1050,7 +1050,7 @@ type $1_log_t;
|
|||||||
logging_log_file($1_log_t)
|
logging_log_file($1_log_t)
|
||||||
allow $1_t $1_log_t:file create_file_perms;
|
allow $1_t $1_log_t:file create_file_perms;
|
||||||
allow $1_t $1_log_t:dir rw_dir_perms;
|
allow $1_t $1_log_t:dir rw_dir_perms;
|
||||||
logging_create_log($1_t,$1_log_t,{ file dir })
|
logging_filetrans_log($1_t,$1_log_t,{ file dir })
|
||||||
|
|
||||||
#
|
#
|
||||||
# network_home_dir():
|
# network_home_dir():
|
||||||
@ -1060,28 +1060,9 @@ can_exec($1, $2)
|
|||||||
allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
|
||||||
#
|
#
|
||||||
# polyinstantiater():
|
# polyinstantiater(): complete
|
||||||
#
|
#
|
||||||
ifdef(`support_polyinstantiation', `
|
files_polyinstantiate_all($1)
|
||||||
# Need to give access to /selinux/member
|
|
||||||
selinux_compute_member($1)
|
|
||||||
# Need sys_admin capability for mounting
|
|
||||||
allow $1 self:capability sys_admin;
|
|
||||||
# Need to give access to the directories to be polyinstantiated
|
|
||||||
allow $1 polydir:dir { getattr mounton add_name create setattr write search };
|
|
||||||
# Need to give access to the polyinstantiated subdirectories
|
|
||||||
allow $1 polymember:dir {getattr search };
|
|
||||||
# Need to give access to parent directories where original
|
|
||||||
# is remounted for polyinstantiation aware programs (like gdm)
|
|
||||||
allow $1 polyparent:dir { getattr mounton };
|
|
||||||
# Need to give permission to create directories where applicable
|
|
||||||
allow $1 polymember: dir { create setattr };
|
|
||||||
allow $1 polydir: dir { write add_name };
|
|
||||||
allow $1 self:process setfscreate;
|
|
||||||
allow $1 polyparent:dir { write add_name };
|
|
||||||
# Default type for mountpoints
|
|
||||||
allow $1 poly_t:dir { create mounton };
|
|
||||||
')
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# pty_slave_label():
|
# pty_slave_label():
|
||||||
@ -1172,7 +1153,7 @@ type $1_tmp_t;
|
|||||||
files_tmp_file($1_tmp_t)
|
files_tmp_file($1_tmp_t)
|
||||||
allow $1_t $1_tmp_t:dir create_dir_perms;
|
allow $1_t $1_tmp_t:dir create_dir_perms;
|
||||||
allow $1_t $1_tmp_t:file create_file_perms;
|
allow $1_t $1_tmp_t:file create_file_perms;
|
||||||
files_create_tmp_files($1_t, $1_tmp_t, { file dir })
|
files_filetrans_tmp($1_t, $1_tmp_t, { file dir })
|
||||||
|
|
||||||
#
|
#
|
||||||
# tmp_domain($1,$2,$3): complete
|
# tmp_domain($1,$2,$3): complete
|
||||||
@ -1182,7 +1163,7 @@ files_create_tmp_files($1_t, $1_tmp_t, { file dir })
|
|||||||
type $1_tmp_t $2;
|
type $1_tmp_t $2;
|
||||||
files_tmp_file($1_tmp_t)
|
files_tmp_file($1_tmp_t)
|
||||||
allow $1_t $1_tmp_t:$3 manage_obj_perms;
|
allow $1_t $1_tmp_t:$3 manage_obj_perms;
|
||||||
files_create_tmp_files($1_t, $1_tmp_t, $3)
|
files_filetrans_tmp($1_t, $1_tmp_t, $3)
|
||||||
|
|
||||||
#
|
#
|
||||||
# tmpfs_domain(): complete
|
# tmpfs_domain(): complete
|
||||||
@ -1222,7 +1203,7 @@ type $1_var_lib_t;
|
|||||||
files_type($1_var_lib_t)
|
files_type($1_var_lib_t)
|
||||||
allow $1_t $1_var_lib_t:file create_file_perms;
|
allow $1_t $1_var_lib_t:file create_file_perms;
|
||||||
allow $1_t $1_var_lib_t:dir rw_dir_perms;
|
allow $1_t $1_var_lib_t:dir rw_dir_perms;
|
||||||
files_create_var_lib($1_t,$1_var_lib_t)
|
files_filetrans_var_lib($1_t,$1_var_lib_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# var_run_domain($1): complete
|
# var_run_domain($1): complete
|
||||||
@ -1231,14 +1212,14 @@ type $1_var_run_t;
|
|||||||
files_pid_file($1_var_run_t)
|
files_pid_file($1_var_run_t)
|
||||||
allow $1_t $1_var_run_t:file create_file_perms;
|
allow $1_t $1_var_run_t:file create_file_perms;
|
||||||
allow $1_t $1_var_run_t:dir rw_dir_perms;
|
allow $1_t $1_var_run_t:dir rw_dir_perms;
|
||||||
files_create_pid($1_t,$1_var_run_t)
|
files_filetrans_pid($1_t,$1_var_run_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# var_run_domain($1,$2): complete
|
# var_run_domain($1,$2): complete
|
||||||
#
|
#
|
||||||
type $1_var_run_t;
|
type $1_var_run_t;
|
||||||
files_pid_file($1_var_run_t)
|
files_pid_file($1_var_run_t)
|
||||||
files_create_pid($1_t,$1_var_run_t,$2)
|
files_filetrans_pid($1_t,$1_var_run_t,$2)
|
||||||
# for each object class in $2:
|
# for each object class in $2:
|
||||||
# if dir:
|
# if dir:
|
||||||
allow $1 $1_var_run_t:dir create_dir_perms;
|
allow $1 $1_var_run_t:dir create_dir_perms;
|
||||||
|
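Review bot: In the polyinstantiater() hunk (@ -1060) the new side replaces the whole `ifdef(`support_polyinstantiation', ...)` body with a bare `files_polyinstantiate_all($1)`, so the call is no longer conditional on the build flag, and two rules that were on the caller domain itself — `allow $1 self:capability sys_admin;` and `allow $1 self:process setfscreate;` — have no visible replacement; unless files_polyinstantiate_all() grants those self rules and carries the ifdef internally (not shown here), domains using this interface lose the privileges the mount/relabel path needs, and the `# polyinstantiater(): complete` marker would be premature. The interface's opening line is outside the hunk, and this deletion is not covered by the commit title, which only describes the create-to-filetrans rename. I would either keep the guard around the call, `ifdef(`support_polyinstantiation', ` / `files_polyinstantiate_all($1)` / `')`, or add a comment above the call stating that the sys_admin and setfscreate self rules now live in files_polyinstantiate_all(), so the next reader can see where that capability grant moved.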