Add kernel patch from Dan Walsh

Chris PeBenito 2009-11-19 09:25:38 -05:00
parent 53c73dc785
commit e276b8e5d0
2 changed files with 53 additions and 11 deletions


@ -57,7 +57,7 @@ interface(`kernel_ranged_domtrans_to',`
type kernel_t; type kernel_t;
') ')
kernel_domtrans_to($1,$2) kernel_domtrans_to($1, $2)
ifdef(`enable_mcs',` ifdef(`enable_mcs',`
range_transition kernel_t $2:process $3; range_transition kernel_t $2:process $3;
@ -483,13 +483,32 @@ interface(`kernel_clear_ring_buffer',`
allow $1 kernel_t:system syslog_mod; allow $1 kernel_t:system syslog_mod;
') ')
########################################
## <summary>
## Allows caller to request the kernel to load a module
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_request_load_module',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:system module_request;
')
######################################## ########################################
## <summary> ## <summary>
## Get information on all System V IPC objects. ## Get information on all System V IPC objects.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
# #
@ -939,6 +958,28 @@ interface(`kernel_dontaudit_getattr_core_if',`
dontaudit $1 proc_kcore_t:file getattr; dontaudit $1 proc_kcore_t:file getattr;
') ')
########################################
## <summary>
## Allows caller to read the core kernel interface.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_read_core_if',`
gen_require(`
type proc_t, proc_kcore_t;
attribute can_dump_kernel;
')
read_files_pattern($1, proc_t, proc_kcore_t)
list_dirs_pattern($1, proc_t, proc_t)
typeattribute $1 can_dump_kernel;
')
######################################## ########################################
## <summary> ## <summary>
## Allow caller to read kernel messages ## Allow caller to read kernel messages
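Review bot: The doc block for `kernel_read_core_if` describes only a read, but the body also runs `typeattribute $1 can_dump_kernel;`, which puts the caller in the set that the second file exempts from the `proc_kcore_t` neverallow. Since /proc/kcore exposes kernel memory, a policy author choosing this interface should see that in the generated documentation. I would extend the summary to something like `## Allows caller to read the core kernel interface (/proc/kcore). Also adds the domain to can_dump_kernel, exempting it from the kcore assertion.` It is also worth considering whether the block should carry `## <rolecap/>`, as `kernel_request_load_module` in this same section does.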


@ -1,5 +1,5 @@
policy_module(kernel, 1.11.0) policy_module(kernel, 1.11.1)
######################################## ########################################
# #
@ -9,6 +9,7 @@ policy_module(kernel, 1.11.0)
# assertion related attributes # assertion related attributes
attribute can_load_kernmodule; attribute can_load_kernmodule;
attribute can_receive_kernel_messages; attribute can_receive_kernel_messages;
attribute can_dump_kernel;
neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
@ -90,7 +91,7 @@ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~ge
# /proc kcore: inaccessible # /proc kcore: inaccessible
type proc_kcore_t, proc_type; type proc_kcore_t, proc_type;
neverallow ~kern_unconfined proc_kcore_t:file ~getattr; neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
type proc_mdstat_t, proc_type; type proc_mdstat_t, proc_type;
@ -355,7 +356,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
unconfined_domain(kernel_t) unconfined_domain_noaudit(kernel_t)
') ')
######################################## ########################################
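Review bot: The comment `# /proc kcore: inaccessible` above the changed assertion is now stale, and the exemption is wider than the new interface needs. With `neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;`, a domain carrying can_dump_kernel is no longer checked for any permission on the file, while `kernel_read_core_if` only grants read access. I would reword the comment to `# /proc kcore: readable only by can_dump_kernel domains` and keep the attribute read-only with a second assertion such as `neverallow { can_dump_kernel -kern_unconfined } proc_kcore_t:file ~read_file_perms;`, assuming `read_file_perms` matches what `read_files_pattern` expands to in this tree. Without that, a later rule granting write on `proc_kcore_t` to such a domain would pass the assertion check silently.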