Additional interfaces in corecommands, miscfiles, and userdomain from Joy Latten.
This commit is contained in:
parent
8b2d5ca6db
commit
d42c7ede2a
@ -1,3 +1,5 @@
|
|||||||
|
- Additional interfaces in corecommands, miscfiles, and userdomain
|
||||||
|
from Joy Latten.
|
||||||
- Miscellaneous fixes from Thomas Bleher.
|
- Miscellaneous fixes from Thomas Bleher.
|
||||||
- Deprecate module name as first parameter of optional_policy()
|
- Deprecate module name as first parameter of optional_policy()
|
||||||
now that optionals are allowed everywhere.
|
now that optionals are allowed everywhere.
|
||||||
|
@ -39,6 +39,42 @@ interface(`corecmd_bin_alias',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make general progams in bin an entrypoint for
|
||||||
|
## the specified domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The domain for which bin_t is an entrypoint.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
interface(`corecmd_bin_entry_type',`
|
||||||
|
gen_require(`
|
||||||
|
type bin_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domain_entry_file($1,bin_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make general progams in sbin an entrypoint for
|
||||||
|
## the specified domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The domain for which sbin programs are an entrypoint.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
interface(`corecmd_sbin_entry_type',`
|
||||||
|
gen_require(`
|
||||||
|
type sbin_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domain_entry_file($1,sbin_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Make the shell an entrypoint for the specified domain.
|
## Make the shell an entrypoint for the specified domain.
|
||||||
@ -779,4 +815,3 @@ interface(`corecmd_exec_chroot',`
|
|||||||
can_exec($1,chroot_exec_t)
|
can_exec($1,chroot_exec_t)
|
||||||
allow $1 self:capability sys_chroot;
|
allow $1 self:capability sys_chroot;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corecommands,1.3.4)
|
policy_module(corecommands,1.3.5)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -303,3 +303,62 @@ interface(`miscfiles_exec_tetex_data',`
|
|||||||
allow $1 tetex_data_t:dir r_dir_perms;
|
allow $1 tetex_data_t:dir r_dir_perms;
|
||||||
can_exec($1,tetex_data_t)
|
can_exec($1,tetex_data_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Let test files be an entry point for
|
||||||
|
## a specified domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to be entered.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`miscfiles_domain_entry_test_files',`
|
||||||
|
gen_require(`
|
||||||
|
type test_file_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domain_entry_file($1, test_file_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read test files and directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`miscfiles_read_test_files',`
|
||||||
|
gen_require(`
|
||||||
|
type test_file_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 test_file_t:dir r_dir_perms;
|
||||||
|
allow $1 test_file_t:file r_file_perms;
|
||||||
|
allow $1 test_file_t:lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute test files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`miscfiles_exec_test_files',`
|
||||||
|
gen_require(`
|
||||||
|
type test_file_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 test_file_t:dir r_dir_perms;
|
||||||
|
allow $1 test_file_t:lnk_file r_file_perms;
|
||||||
|
can_exec($1, test_file_t)
|
||||||
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(miscfiles,1.0.0)
|
policy_module(miscfiles,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -3239,6 +3239,115 @@ interface(`userdom_entry_spec_domtrans_sysadm',`
|
|||||||
allow sysadm_t $1:process sigchld;
|
allow sysadm_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow sysadm to execute a generic bin program in
|
||||||
|
## a specified domain. This is an explicit transition,
|
||||||
|
## requiring the caller to use setexeccon().
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow sysadm to execute a generic bin program in
|
||||||
|
## a specified domain.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a interface to support third party modules
|
||||||
|
## and its use is not allowed in upstream reference
|
||||||
|
## policy.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to execute in.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_sysadm_bin_spec_domtrans_to',`
|
||||||
|
gen_require(`
|
||||||
|
type sysadm_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_bin_spec_domtrans(sysadm_t,$1)
|
||||||
|
|
||||||
|
allow sysadm_t $1:fd use;
|
||||||
|
allow $1 sysadm_t:fd use;
|
||||||
|
allow $1 sysadm_t:fifo_file rw_file_perms;
|
||||||
|
allow $1 sysadm_t:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow sysadm to execute a generic sbin program in
|
||||||
|
## a specified domain. This is an explicit transition,
|
||||||
|
## requiring the caller to use setexeccon().
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow sysadm to execute a generic sbin program in
|
||||||
|
## a specified domain.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a interface to support third party modules
|
||||||
|
## and its use is not allowed in upstream reference
|
||||||
|
## policy.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to execute in.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_sysadm_sbin_spec_domtrans_to',`
|
||||||
|
gen_require(`
|
||||||
|
type sysadm_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_sbin_spec_domtrans(sysadm_t, $1)
|
||||||
|
|
||||||
|
allow sysadm_t $1:fd use;
|
||||||
|
allow $1 sysadm_t:fd use;
|
||||||
|
allow $1 sysadm_t:fifo_file rw_file_perms;
|
||||||
|
allow $1 sysadm_t:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow sysadm to execute all entrypoint files
|
||||||
|
## in the specified domain. This is an explicit
|
||||||
|
## transition, requiring the caller to use setexeccon().
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow sysadm to execute all entrypoint files
|
||||||
|
## in the specified domain. This is an explicit
|
||||||
|
## transition, requiring the caller to use setexeccon().
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a interface to support third party modules
|
||||||
|
## and its use is not allowed in upstream reference
|
||||||
|
## policy.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to execute in.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_sysadm_entry_spec_domtrans_to',`
|
||||||
|
gen_require(`
|
||||||
|
type sysadm_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domain_entry_file_spec_domtrans(sysadm_t, $1)
|
||||||
|
|
||||||
|
allow sysadm_t $1:fd use;
|
||||||
|
allow $1 sysadm_t:fd use;
|
||||||
|
allow $1 sysadm_t:fifo_file rw_file_perms;
|
||||||
|
allow $1 sysadm_t:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search the staff users home directory.
|
## Search the staff users home directory.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain,1.3.5)
|
policy_module(userdomain,1.3.6)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
|
Loading…
Reference in New Issue
Block a user