rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

additional cleanup for e877913.

Browse Source
This commit is contained in:
Chris PeBenito 2009-11-11 11:28:50 -05:00
parent e8779130bf
commit e6d8fd1e50
8 changed files with 188 additions and 217 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Changelog
View File

@ -19,6 +19,7 @@
kdump (Dan Walsh) kdump (Dan Walsh)
modemmanager(Dan Walsh) modemmanager(Dan Walsh)
nslcd (Dan Walsh) nslcd (Dan Walsh)
puppet (Craig Grube)
rtkit (Dan Walsh) rtkit (Dan Walsh)
seunshare (Dan Walsh) seunshare (Dan Walsh)
shorewall (Dan Walsh) shorewall (Dan Walsh)

12
policy/modules/admin/usermanage.te
View File

@ -243,12 +243,12 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
rpm_use_fds(groupadd_t) puppet_rw_tmp(groupadd_t)
rpm_rw_pipes(groupadd_t)
') ')
optional_policy(` optional_policy(`
puppet_rw_tmp(groupadd_t) rpm_use_fds(groupadd_t)
rpm_rw_pipes(groupadd_t)
') ')
######################################## ########################################
@ -525,10 +525,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
rpm_use_fds(useradd_t) puppet_rw_tmp(useradd_t)
rpm_rw_pipes(useradd_t)
') ')
optional_policy(` optional_policy(`
puppet_rw_tmp(useradd_t) rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
') ')

191
policy/modules/kernel/files.if
View File

@ -1001,83 +1001,6 @@ interface(`files_manage_all_files',`
files_manage_kernel_modules($1) files_manage_kernel_modules($1)
') ')
###########################################
## <summary>
## Manage all configuration files on filesystem
## </summary>
## <param name="domain">
## <summary>
## The type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_manage_config_files',`
gen_require(`
attribute configfile;
')
manage_files_pattern($1, configfile, configfile)
')
#############################################
## <summary>
## Manage all configuration directories on filesystem
## </summary>
## <param name="domain">
## <summary>
## The type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_manage_config_dirs',`
gen_require(`
attribute configfile;
')
manage_dirs_pattern($1, configfile, configfile)
')
#######################################
## <summary>
## Relabel configuration files
## </summary>
## <param name="domain">
## <summary>
## Type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_relabel_config_files',`
gen_require(`
attribute configfile;
')
relabel_files_pattern($1, configfile, configfile)
')
#########################################
## <summary>
## Relabel configuration directories
## </summary>
## <param name="domain">
## <summary>
## Type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_relabel_config_dirs',`
gen_require(`
attribute configfile;
')
relabel_dirs_pattern($1, configfile, configfile)
')
######################################## ########################################
## <summary> ## <summary>
## Search the contents of all directories on ## Search the contents of all directories on
@ -1231,6 +1154,82 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount; allow $1 file_type:filesystem unmount;
') ')
#############################################
## <summary>
## Manage all configuration directories on filesystem
## </summary>
## <param name="domain">
## <summary>
## The type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_manage_config_dirs',`
gen_require(`
attribute configfile;
')
manage_dirs_pattern($1, configfile, configfile)
')
#########################################
## <summary>
## Relabel configuration directories
## </summary>
## <param name="domain">
## <summary>
## Type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_relabel_config_dirs',`
gen_require(`
attribute configfile;
')
relabel_dirs_pattern($1, configfile, configfile)
')
###########################################
## <summary>
## Manage all configuration files on filesystem
## </summary>
## <param name="domain">
## <summary>
## The type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_manage_config_files',`
gen_require(`
attribute configfile;
')
manage_files_pattern($1, configfile, configfile)
')
#######################################
## <summary>
## Relabel configuration files
## </summary>
## <param name="domain">
## <summary>
## Type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_relabel_config_files',`
gen_require(`
attribute configfile;
')
relabel_files_pattern($1, configfile, configfile)
')
######################################## ########################################
## <summary> ## <summary>
## Mount a filesystem on all mount points. ## Mount a filesystem on all mount points.
@ -1994,6 +1993,25 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms; allow $1 etc_t:dir rw_dir_perms;
') ')
##########################################
## <summary>
## Manage generic directories in /etc
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
##
#
interface(`files_manage_etc_dirs',`
gen_require(`
type etc_t;
')
manage_dirs_pattern($1, etc_t, etc_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read generic files in /etc. ## Read generic files in /etc.
@ -2074,25 +2092,6 @@ interface(`files_manage_etc_files',`
read_lnk_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t)
') ')
##########################################
## <summary>
## Manage generic directories in /etc
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
##
#
interface(`files_manage_etc_dirs',`
gen_require(`
type etc_t;
')
manage_dirs_pattern($1, etc_t, etc_t)
')
######################################## ########################################
## <summary> ## <summary>
## Delete system configuration files in /etc. ## Delete system configuration files in /etc.

18
policy/modules/services/puppet.fc
View File

@ -1,13 +1,11 @@
/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t, s0) /etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t, s0) /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0) /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t, s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t, s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t, s0)
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t, s0)
/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t, s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)

33
policy/modules/services/puppet.if
View File

@ -1,27 +1,26 @@
## <summary>Puppet client daemon</summary> ## <summary>Puppet client daemon</summary>
## <desc> ## <desc>
## <p> ## <p>
## Puppet is a configuration management system written in Ruby. ## Puppet is a configuration management system written in Ruby.
## The client daemon is responsible for periodically requesting the ## The client daemon is responsible for periodically requesting the
## desired system state from the server and ensuring the state of ## desired system state from the server and ensuring the state of
## the client system matches. ## the client system matches.
## </p> ## </p>
## </desc> ## </desc>
################################################ ################################################
## <summary> ## <summary>
## Read / Write to Puppet temp files. Puppet uses ## Read / Write to Puppet temp files. Puppet uses
## some system binaries (groupadd, etc) that run in ## some system binaries (groupadd, etc) that run in
## a non-puppet domain and redirects output into temp ## a non-puppet domain and redirects output into temp
## files. ## files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access ## Domain allowed access
## </summary> ## </summary>
## </param> ## </param>
## #
#
interface(`puppet_rw_tmp', ` interface(`puppet_rw_tmp', `
gen_require(` gen_require(`
type puppet_tmp_t; type puppet_tmp_t;

140
policy/modules/services/puppet.te
View File

@ -1,5 +1,5 @@
policy_module(puppet, 0.0.1) policy_module(puppet, 1.0.0)
######################################## ########################################
# #
@ -14,45 +14,34 @@ policy_module(puppet, 0.0.1)
## </desc> ## </desc>
gen_tunable(puppet_manage_all_files, false) gen_tunable(puppet_manage_all_files, false)
########################################
#
# Puppet personal declarations
#
type puppet_t; type puppet_t;
type puppet_exec_t; type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t) init_daemon_domain(puppet_t, puppet_exec_t)
type puppet_etc_t;
files_config_file(puppet_etc_t)
type puppet_initrc_exec_t; type puppet_initrc_exec_t;
init_script_file(puppet_initrc_exec_t); init_script_file(puppet_initrc_exec_t)
type puppet_log_t; type puppet_log_t;
logging_log_file(puppet_log_t) logging_log_file(puppet_log_t)
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)
type puppet_var_lib_t; type puppet_var_lib_t;
files_type(puppet_var_lib_t) files_type(puppet_var_lib_t)
type puppet_var_run_t; type puppet_var_run_t;
files_pid_file(puppet_var_run_t) files_pid_file(puppet_var_run_t)
type puppet_etc_t;
files_config_file(puppet_etc_t)
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)
########################################
#
# Pupper master personal declarations
#
type puppetmaster_t; type puppetmaster_t;
type puppetmaster_exec_t; type puppetmaster_exec_t;
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
type puppetmasterd_initrc_exec_t; type puppetmaster_initrc_exec_t;
init_script_file(puppetmasterd_initrc_exec_t) init_script_file(puppetmaster_initrc_exec_t)
type puppetmaster_tmp_t; type puppetmaster_tmp_t;
files_tmp_file(puppetmaster_tmp_t) files_tmp_file(puppetmaster_tmp_t)
@ -63,17 +52,17 @@ files_tmp_file(puppetmaster_tmp_t)
# #
allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms; allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms; allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:tcp_socket create_stream_socket_perms; allow puppet_t self:tcp_socket create_stream_socket_perms;
allow puppet_t self:udp_socket create_socket_perms; allow puppet_t self:udp_socket create_socket_perms;
search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t) manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
@ -88,20 +77,22 @@ manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
corenet_sendrecv_puppet_client_packets(puppet_t) kernel_dontaudit_search_sysctl(puppet_t)
corenet_tcp_connect_puppet_port(puppet_t) kernel_dontaudit_search_kernel_sysctl(puppet_t)
kernel_read_system_state(puppet_t)
corenet_all_recvfrom_netlabel(puppet_t) kernel_read_crypto_sysctls(puppet_t)
corenet_all_recvfrom_unlabeled(puppet_t)
corenet_tcp_sendrecv_generic_if(puppet_t)
corenet_tcp_sendrecv_generic_node(puppet_t)
corenet_tcp_bind_generic_node(puppet_t)
corecmd_exec_bin(puppet_t) corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t) corecmd_exec_shell(puppet_t)
corenet_all_recvfrom_netlabel(puppet_t)
corenet_all_recvfrom_unlabeled(puppet_t)
corenet_tcp_sendrecv_generic_if(puppet_t)
corenet_tcp_sendrecv_generic_node(puppet_t)
corenet_tcp_bind_generic_node(puppet_t)
corenet_tcp_connect_puppet_port(puppet_t)
corenet_sendrecv_puppet_client_packets(puppet_t)
dev_read_rand(puppet_t) dev_read_rand(puppet_t)
dev_read_sysfs(puppet_t) dev_read_sysfs(puppet_t)
dev_read_urand(puppet_t) dev_read_urand(puppet_t)
@ -116,38 +107,31 @@ files_manage_etc_files(puppet_t)
files_read_usr_symlinks(puppet_t) files_read_usr_symlinks(puppet_t)
files_relabel_config_dirs(puppet_t) files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t) files_relabel_config_files(puppet_t)
files_search_default(puppet_t)
files_search_var_lib(puppet_t)
init_all_labeled_script_domtrans(puppet_t)
init_domtrans_script(puppet_t)
init_read_utmp(puppet_t)
init_signull_script(puppet_t)
kernel_dontaudit_search_sysctl(puppet_t)
kernel_dontaudit_search_kernel_sysctl(puppet_t)
kernel_read_system_state(puppet_t)
kernel_read_crypto_sysctls(puppet_t)
logging_send_syslog_msg(puppet_t)
miscfiles_read_hwdata(puppet_t)
miscfiles_read_localization(puppet_t)
selinux_search_fs(puppet_t) selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t) selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t) selinux_set_generic_booleans(puppet_t)
selinux_validate_context(puppet_t) selinux_validate_context(puppet_t)
term_dontaudit_getattr_unallocated_ttys(puppet_t)
term_dontaudit_getattr_all_user_ttys(puppet_t)
init_all_labeled_script_domtrans(puppet_t)
init_domtrans_script(puppet_t)
init_read_utmp(puppet_t)
init_signull_script(puppet_t)
logging_send_syslog_msg(puppet_t)
miscfiles_read_hwdata(puppet_t)
miscfiles_read_localization(puppet_t)
seutil_domtrans_setfiles(puppet_t) seutil_domtrans_setfiles(puppet_t)
seutil_domtrans_semanage(puppet_t) seutil_domtrans_semanage(puppet_t)
sysnet_dns_name_resolve(puppet_t) sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r) sysnet_run_ifconfig(puppet_t, system_r)
term_dontaudit_getattr_unallocated_ttys(puppet_t)
term_dontaudit_getattr_all_user_ttys(puppet_t)
tunable_policy(`puppet_manage_all_files',` tunable_policy(`puppet_manage_all_files',`
auth_manage_all_files_except_shadow(puppet_t) auth_manage_all_files_except_shadow(puppet_t)
') ')
@ -162,7 +146,6 @@ optional_policy(`
optional_policy(` optional_policy(`
files_rw_var_files(puppet_t) files_rw_var_files(puppet_t)
files_var_lib_filetrans(puppet_t, var_lib_t, dir)
rpm_domtrans(puppet_t) rpm_domtrans(puppet_t)
rpm_manage_db(puppet_t) rpm_manage_db(puppet_t)
@ -178,16 +161,15 @@ optional_policy(`
usermanage_domtrans_useradd(puppet_t) usermanage_domtrans_useradd(puppet_t)
') ')
######################################## ########################################
# #
# Pupper master personal policy # Pupper master personal policy
# #
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:process { signal_perms getsched setsched }; allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create; allow puppetmaster_t self:socket create;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms; allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
allow puppetmaster_t self:udp_socket create_socket_perms; allow puppetmaster_t self:udp_socket create_socket_perms;
@ -195,50 +177,43 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
manage_dirs_pattern(puppetmaster_t ,puppet_var_lib_t, puppet_var_lib_t) allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
rw_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
setattr_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
corenet_sendrecv_puppet_server_packets(puppetmaster_t) kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t) kernel_read_system_state(puppetmaster_t)
kernel_read_crypto_sysctls(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
corenet_all_recvfrom_unlabeled(puppetmaster_t)
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
corenet_tcp_bind_generic_node(puppetmaster_t)
corecmd_exec_bin(puppetmaster_t) corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t) corecmd_exec_shell(puppetmaster_t)
files_read_etc_files(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t)
files_search_var_lib(puppetmaster_t) corenet_all_recvfrom_unlabeled(puppetmaster_t)
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
dev_read_rand(puppetmaster_t) dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t) dev_read_urand(puppetmaster_t)
domain_read_all_domains_state(puppetmaster_t) domain_read_all_domains_state(puppetmaster_t)
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) files_read_etc_files(puppetmaster_t)
kernel_read_system_state(puppetmaster_t) files_search_var_lib(puppetmaster_t)
kernel_read_crypto_sysctls(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t)
@ -257,4 +232,3 @@ optional_policy(`
rpm_exec(puppetmaster_t) rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t) rpm_read_db(puppetmaster_t)
') ')

2
policy/modules/system/init.if
View File

@ -730,7 +730,7 @@ interface(`init_labeled_script_domtrans',`
## Domain allowed access ## Domain allowed access
## </summary> ## </summary>
## </param> ## </param>
######################################### #
interface(`init_all_labeled_script_domtrans',` interface(`init_all_labeled_script_domtrans',`
gen_require(` gen_require(`
attribute init_script_file_type; attribute init_script_file_type;

8
policy/modules/system/libraries.te
View File

@ -117,13 +117,13 @@ optional_policy(`
apt_use_ptys(ldconfig_t) apt_use_ptys(ldconfig_t)
') ')
optional_policy(`
puppet_rw_tmp(ldconfig_t)
')
optional_policy(` optional_policy(`
# When you install a kernel the postinstall builds a initrd image in tmp # When you install a kernel the postinstall builds a initrd image in tmp
# and executes ldconfig on it. If you dont allow this kernel installs # and executes ldconfig on it. If you dont allow this kernel installs
# blow up. # blow up.
rpm_manage_script_tmp_files(ldconfig_t) rpm_manage_script_tmp_files(ldconfig_t)
') ')
optional_policy(`
puppet_rw_tmp(ldconfig_t)
')