Additional interfaces in corecommands, miscfiles, and userdomain from Joy Latten.
This commit is contained in:
parent
8b2d5ca6db
commit
d42c7ede2a
@ -1,3 +1,5 @@
|
||||
- Additional interfaces in corecommands, miscfiles, and userdomain
|
||||
from Joy Latten.
|
||||
- Miscellaneous fixes from Thomas Bleher.
|
||||
- Deprecate module name as first parameter of optional_policy()
|
||||
now that optionals are allowed everywhere.
|
||||
|
@ -39,6 +39,42 @@ interface(`corecmd_bin_alias',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make general progams in bin an entrypoint for
|
||||
## the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The domain for which bin_t is an entrypoint.
|
||||
## </summary>
|
||||
## </param>
|
||||
interface(`corecmd_bin_entry_type',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
domain_entry_file($1,bin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make general progams in sbin an entrypoint for
|
||||
## the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The domain for which sbin programs are an entrypoint.
|
||||
## </summary>
|
||||
## </param>
|
||||
interface(`corecmd_sbin_entry_type',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
domain_entry_file($1,sbin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the shell an entrypoint for the specified domain.
|
||||
@ -779,4 +815,3 @@ interface(`corecmd_exec_chroot',`
|
||||
can_exec($1,chroot_exec_t)
|
||||
allow $1 self:capability sys_chroot;
|
||||
')
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands,1.3.4)
|
||||
policy_module(corecommands,1.3.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -303,3 +303,62 @@ interface(`miscfiles_exec_tetex_data',`
|
||||
allow $1 tetex_data_t:dir r_dir_perms;
|
||||
can_exec($1,tetex_data_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Let test files be an entry point for
|
||||
## a specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to be entered.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_domain_entry_test_files',`
|
||||
gen_require(`
|
||||
type test_file_t;
|
||||
')
|
||||
|
||||
domain_entry_file($1, test_file_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read test files and directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_test_files',`
|
||||
gen_require(`
|
||||
type test_file_t;
|
||||
')
|
||||
|
||||
allow $1 test_file_t:dir r_dir_perms;
|
||||
allow $1 test_file_t:file r_file_perms;
|
||||
allow $1 test_file_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute test files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_exec_test_files',`
|
||||
gen_require(`
|
||||
type test_file_t;
|
||||
')
|
||||
|
||||
allow $1 test_file_t:dir r_dir_perms;
|
||||
allow $1 test_file_t:lnk_file r_file_perms;
|
||||
can_exec($1, test_file_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(miscfiles,1.0.0)
|
||||
policy_module(miscfiles,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -3239,6 +3239,115 @@ interface(`userdom_entry_spec_domtrans_sysadm',`
|
||||
allow sysadm_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow sysadm to execute a generic bin program in
|
||||
## a specified domain. This is an explicit transition,
|
||||
## requiring the caller to use setexeccon().
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow sysadm to execute a generic bin program in
|
||||
## a specified domain.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a interface to support third party modules
|
||||
## and its use is not allowed in upstream reference
|
||||
## policy.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to execute in.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_sysadm_bin_spec_domtrans_to',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
')
|
||||
|
||||
corecmd_bin_spec_domtrans(sysadm_t,$1)
|
||||
|
||||
allow sysadm_t $1:fd use;
|
||||
allow $1 sysadm_t:fd use;
|
||||
allow $1 sysadm_t:fifo_file rw_file_perms;
|
||||
allow $1 sysadm_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow sysadm to execute a generic sbin program in
|
||||
## a specified domain. This is an explicit transition,
|
||||
## requiring the caller to use setexeccon().
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow sysadm to execute a generic sbin program in
|
||||
## a specified domain.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a interface to support third party modules
|
||||
## and its use is not allowed in upstream reference
|
||||
## policy.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to execute in.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_sysadm_sbin_spec_domtrans_to',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
')
|
||||
|
||||
corecmd_sbin_spec_domtrans(sysadm_t, $1)
|
||||
|
||||
allow sysadm_t $1:fd use;
|
||||
allow $1 sysadm_t:fd use;
|
||||
allow $1 sysadm_t:fifo_file rw_file_perms;
|
||||
allow $1 sysadm_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow sysadm to execute all entrypoint files
|
||||
## in the specified domain. This is an explicit
|
||||
## transition, requiring the caller to use setexeccon().
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow sysadm to execute all entrypoint files
|
||||
## in the specified domain. This is an explicit
|
||||
## transition, requiring the caller to use setexeccon().
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a interface to support third party modules
|
||||
## and its use is not allowed in upstream reference
|
||||
## policy.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to execute in.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_sysadm_entry_spec_domtrans_to',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
')
|
||||
|
||||
domain_entry_file_spec_domtrans(sysadm_t, $1)
|
||||
|
||||
allow sysadm_t $1:fd use;
|
||||
allow $1 sysadm_t:fd use;
|
||||
allow $1 sysadm_t:fifo_file rw_file_perms;
|
||||
allow $1 sysadm_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the staff users home directory.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain,1.3.5)
|
||||
policy_module(userdomain,1.3.6)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
|
Loading…
Reference in New Issue
Block a user