Devices rename.
This commit is contained in:
parent
12b559a402
commit
f0c985ca80
@ -434,6 +434,9 @@ clean:
|
|||||||
rm -f $(FC)
|
rm -f $(FC)
|
||||||
|
|
||||||
bare: clean
|
bare: clean
|
||||||
|
find . -name *~ -exec rm -f {} \;
|
||||||
|
find . -name "*#*" -exec rm -f {} \;
|
||||||
|
find . -name ".*#*" -exec rm -f {} \;
|
||||||
rm -f $(POLXML)
|
rm -f $(POLXML)
|
||||||
rm -f $(SUPPORT)/*.pyc
|
rm -f $(SUPPORT)/*.pyc
|
||||||
rm -f $(FCSORT)
|
rm -f $(FCSORT)
|
||||||
|
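Review bot: The new `find . -name *~ -exec rm -f {} \;` line in the `bare` target leaves its pattern unquoted, so the shell expands `*~` against the top-level directory before find ever sees it; when a backup file exists there the expansion becomes a literal filename (and with several matches find aborts with a paths-must-precede-expression error), so editor backups elsewhere in the tree survive the clean. Quote it the way the two lines that follow do: `find . -name "*~" -exec rm -f {} \;`. The third added line, `find . -name ".*#*" -exec rm -f {} \;`, looks redundant with the second, since find's `-name "*#*"` already matches names with a leading dot, and `"*#*"` is itself broader than the emacs autosave form it presumably targets, where `-name "#*#"` would be tighter. The `bare` recipe may continue past the end of the hunk.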
@ -188,8 +188,8 @@ logging_send_system_log_message(traceroute_t)
|
|||||||
miscfiles_read_localization(traceroute_t)
|
miscfiles_read_localization(traceroute_t)
|
||||||
|
|
||||||
#rules needed for nmap
|
#rules needed for nmap
|
||||||
devices_get_random_data(traceroute_t)
|
dev_read_rand(traceroute_t)
|
||||||
devices_get_pseudorandom_data(traceroute_t)
|
dev_read_urand(traceroute_t)
|
||||||
files_read_general_application_resources(traceroute_t)
|
files_read_general_application_resources(traceroute_t)
|
||||||
|
|
||||||
if (user_ping) {
|
if (user_ping) {
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
## <module name="rpm" layer="system">
|
## <module name="rpm" layer="admin">
|
||||||
## <summary>Policy for the RPM package manager.</summary>
|
## <summary>Policy for the RPM package manager.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
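Review bot: The `layer="system"` to `layer="admin"` change in the rpm module header is a layer move that the commit title ("Devices rename") does not mention, and the usermanage header in the later `@ -1,4 +1,4 @@` hunk receives the same move. The layer attribute is presumably what the documentation and build tooling use to place the module, so this is a separate change that deserves either a line in the commit message or its own commit where it can be reviewed on its own terms. If the policy files were also moved between layer directories to match, that does not appear in the visible hunks; worth confirming the header and the on-disk location agree.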
@ -113,7 +113,7 @@ corenet_udp_sendrecv_all_ports(rpm_t)
|
|||||||
corenet_tcp_bind_all_nodes(rpm_t)
|
corenet_tcp_bind_all_nodes(rpm_t)
|
||||||
corenet_udp_bind_all_nodes(rpm_t)
|
corenet_udp_bind_all_nodes(rpm_t)
|
||||||
|
|
||||||
devices_get_pseudorandom_data(rpm_t)
|
dev_read_urand(rpm_t)
|
||||||
#devices_manage_all_device_types(rpm_t)
|
#devices_manage_all_device_types(rpm_t)
|
||||||
|
|
||||||
#fs_manage_nfs_dir(rpm_t)
|
#fs_manage_nfs_dir(rpm_t)
|
||||||
@ -254,10 +254,10 @@ kernel_compute_reachable_user_contexts(rpm_script_t)
|
|||||||
kernel_read_system_state(rpm_script_t)
|
kernel_read_system_state(rpm_script_t)
|
||||||
|
|
||||||
# ideally we would not need this
|
# ideally we would not need this
|
||||||
devices_manage_generic_block_devices(rpm_script_t)
|
dev_manage_generic_blk_file(rpm_script_t)
|
||||||
devices_manage_generic_character_devices(rpm_script_t)
|
dev_manage_generic_chr_file(rpm_script_t)
|
||||||
devices_manage_all_block_devices(rpm_script_t)
|
dev_manage_all_blk_files(rpm_script_t)
|
||||||
devices_manage_all_character_devices(rpm_script_t)
|
dev_manage_all_chr_files(rpm_script_t)
|
||||||
|
|
||||||
fs_manage_nfs_files(rpm_script_t)
|
fs_manage_nfs_files(rpm_script_t)
|
||||||
fs_getattr_nfs(rpm_script_t)
|
fs_getattr_nfs(rpm_script_t)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
## <module name="usermanage" layer="system">
|
## <module name="usermanage" layer="admin">
|
||||||
## <summary>Policy for managing user accounts.</summary>
|
## <summary>Policy for managing user accounts.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -90,7 +90,7 @@ term_use_all_user_ptys(chfn_t)
|
|||||||
fs_getattr_xattr_fs(chfn_t)
|
fs_getattr_xattr_fs(chfn_t)
|
||||||
|
|
||||||
# for SSP
|
# for SSP
|
||||||
devices_get_pseudorandom_data(chfn_t)
|
dev_read_urand(chfn_t)
|
||||||
|
|
||||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||||
# correctly without it. Do not audit write denials to utmp.
|
# correctly without it. Do not audit write denials to utmp.
|
||||||
@ -161,7 +161,7 @@ files_create_private_tmp_data(crack_t, crack_tmp_t, { file dir })
|
|||||||
kernel_read_system_state(crack_t)
|
kernel_read_system_state(crack_t)
|
||||||
|
|
||||||
# for SSP
|
# for SSP
|
||||||
devices_get_pseudorandom_data(crack_t)
|
dev_read_urand(crack_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(crack_t)
|
fs_getattr_xattr_fs(crack_t)
|
||||||
|
|
||||||
@ -293,7 +293,7 @@ kernel_compute_relabel_context(passwd_t)
|
|||||||
kernel_compute_reachable_user_contexts(passwd_t)
|
kernel_compute_reachable_user_contexts(passwd_t)
|
||||||
|
|
||||||
# for SSP
|
# for SSP
|
||||||
devices_get_pseudorandom_data(passwd_t)
|
dev_read_urand(passwd_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(passwd_t)
|
fs_getattr_xattr_fs(passwd_t)
|
||||||
|
|
||||||
@ -392,7 +392,7 @@ kernel_compute_reachable_user_contexts(sysadm_passwd_t)
|
|||||||
kernel_read_system_state(sysadm_passwd_t)
|
kernel_read_system_state(sysadm_passwd_t)
|
||||||
|
|
||||||
# for SSP
|
# for SSP
|
||||||
devices_get_pseudorandom_data(sysadm_passwd_t)
|
dev_read_urand(sysadm_passwd_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(sysadm_passwd_t)
|
fs_getattr_xattr_fs(sysadm_passwd_t)
|
||||||
|
|
||||||
|
@ -76,8 +76,8 @@ define(`gpg_per_userdomain_template',`
|
|||||||
corenet_tcp_bind_all_nodes($1_gpg_t)
|
corenet_tcp_bind_all_nodes($1_gpg_t)
|
||||||
corenet_udp_bind_all_nodes($1_gpg_t)
|
corenet_udp_bind_all_nodes($1_gpg_t)
|
||||||
|
|
||||||
devices_get_random_data($1_gpg_t)
|
dev_read_rand($1_gpg_t)
|
||||||
devices_get_pseudorandom_data($1_gpg_t)
|
dev_read_urand($1_gpg_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs($1_gpg_t)
|
fs_getattr_xattr_fs($1_gpg_t)
|
||||||
|
|
||||||
@ -186,7 +186,7 @@ define(`gpg_per_userdomain_template',`
|
|||||||
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
|
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
|
||||||
corenet_udp_bind_all_nodes($1_gpg_helper_t)
|
corenet_udp_bind_all_nodes($1_gpg_helper_t)
|
||||||
|
|
||||||
devices_get_pseudorandom_data($1_gpg_helper_t)
|
dev_read_urand($1_gpg_helper_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_gpg_helper_t)
|
files_read_general_system_config($1_gpg_helper_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
|
@ -43,7 +43,7 @@ files_make_file(bootloader_etc_t)
|
|||||||
#
|
#
|
||||||
type bootloader_tmp_t;
|
type bootloader_tmp_t;
|
||||||
files_make_temporary_file(bootloader_tmp_t)
|
files_make_temporary_file(bootloader_tmp_t)
|
||||||
devices_make_device_node(bootloader_tmp_t)
|
dev_node(bootloader_tmp_t)
|
||||||
|
|
||||||
# kernel modules
|
# kernel modules
|
||||||
type modules_object_t;
|
type modules_object_t;
|
||||||
@ -98,13 +98,13 @@ storage_raw_write_fixed_disk(bootloader_t)
|
|||||||
storage_raw_read_removable_device(bootloader_t)
|
storage_raw_read_removable_device(bootloader_t)
|
||||||
storage_raw_write_removable_device(bootloader_t)
|
storage_raw_write_removable_device(bootloader_t)
|
||||||
|
|
||||||
devices_get_all_character_device_attributes(bootloader_t)
|
dev_getattr_all_chr_files(bootloader_t)
|
||||||
devices_set_all_block_device_attributes(bootloader_t)
|
dev_setattr_all_blk_files(bootloader_t)
|
||||||
devices_ignore_modify_generic_devices(bootloader_t)
|
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
|
||||||
devices_get_random_data(bootloader_t)
|
dev_read_rand(bootloader_t)
|
||||||
devices_get_pseudorandom_data(bootloader_t)
|
dev_read_urand(bootloader_t)
|
||||||
# for reading BIOS data
|
# for reading BIOS data
|
||||||
devices_raw_read_memory(bootloader_t)
|
dev_read_raw_memory(bootloader_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(bootloader_t)
|
fs_getattr_xattr_fs(bootloader_t)
|
||||||
|
|
||||||
@ -166,7 +166,7 @@ optional_policy(`filesystemtools.te', `
|
|||||||
# LVM2 / Device Mapper's /dev/mapper/control
|
# LVM2 / Device Mapper's /dev/mapper/control
|
||||||
# maybe we should change the labeling for this
|
# maybe we should change the labeling for this
|
||||||
optional_policy(`lvm.te', `
|
optional_policy(`lvm.te', `
|
||||||
devices_use_lvm_control_channel(bootloader_t)
|
dev_rw_lvm_control(bootloader_t)
|
||||||
|
|
||||||
lvm_transition(bootloader_t)
|
lvm_transition(bootloader_t)
|
||||||
lvm_read_config(bootloader_t)
|
lvm_read_config(bootloader_t)
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
define(`storage_getattr_fixed_disk',`
|
define(`storage_getattr_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 fixed_disk_device_t:blk_file getattr;
|
allow $1 fixed_disk_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -62,7 +62,7 @@ define(`storage_dontaudit_getattr_fixed_disk_depend',`
|
|||||||
define(`storage_setattr_fixed_disk',`
|
define(`storage_setattr_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 fixed_disk_device_t:blk_file setattr;
|
allow $1 fixed_disk_device_t:blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -88,7 +88,7 @@ define(`storage_setattr_fixed_disk_depend',`
|
|||||||
define(`storage_raw_read_fixed_disk',`
|
define(`storage_raw_read_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 fixed_disk_device_t:blk_file r_file_perms;
|
allow $1 fixed_disk_device_t:blk_file r_file_perms;
|
||||||
typeattribute $1 fixed_disk_raw_read;
|
typeattribute $1 fixed_disk_raw_read;
|
||||||
')
|
')
|
||||||
@ -117,7 +117,7 @@ define(`storage_raw_read_fixed_disk_depend',`
|
|||||||
define(`storage_raw_write_fixed_disk',`
|
define(`storage_raw_write_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
|
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
|
||||||
typeattribute $1 fixed_disk_raw_write;
|
typeattribute $1 fixed_disk_raw_write;
|
||||||
')
|
')
|
||||||
@ -144,7 +144,7 @@ define(`storage_create_fixed_disk_dev_entry',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||||
devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
|
dev_create_dev_node($1,fixed_disk_device_t,blk_file)
|
||||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -167,7 +167,7 @@ define(`storage_create_fixed_disk_dev_entry_depend',`
|
|||||||
define(`storage_manage_fixed_disk',`
|
define(`storage_manage_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||||
')
|
')
|
||||||
@ -196,7 +196,7 @@ define(`storage_manage_fixed_disk_depend',`
|
|||||||
define(`storage_raw_read_lvm_volume',`
|
define(`storage_raw_read_lvm_volume',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 lvm_vg_t:blk_file r_file_perms;
|
allow $1 lvm_vg_t:blk_file r_file_perms;
|
||||||
typeattribute $1 fixed_disk_raw_read;
|
typeattribute $1 fixed_disk_raw_read;
|
||||||
')
|
')
|
||||||
@ -225,7 +225,7 @@ define(`storage_raw_read_lvm_volume_depend',`
|
|||||||
define(`storage_raw_write_lvm_volume',`
|
define(`storage_raw_write_lvm_volume',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
|
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
|
||||||
typeattribute $1 fixed_disk_raw_write;
|
typeattribute $1 fixed_disk_raw_write;
|
||||||
')
|
')
|
||||||
@ -255,7 +255,7 @@ define(`storage_raw_write_lvm_volume_depend',`
|
|||||||
define(`storage_read_scsi_generic',`
|
define(`storage_read_scsi_generic',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 scsi_generic_device_t:blk_file r_file_perms;
|
allow $1 scsi_generic_device_t:blk_file r_file_perms;
|
||||||
typeattribute $1 scsi_generic_read;
|
typeattribute $1 scsi_generic_read;
|
||||||
')
|
')
|
||||||
@ -285,7 +285,7 @@ define(`storage_read_scsi_generic_depend',`
|
|||||||
define(`storage_write_scsi_generic',`
|
define(`storage_write_scsi_generic',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
|
allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
|
||||||
typeattribute $1 scsi_generic_write;
|
typeattribute $1 scsi_generic_write;
|
||||||
')
|
')
|
||||||
@ -312,7 +312,7 @@ define(`storage_write_scsi_generic_depend',`
|
|||||||
define(`storage_getattr_scsi_generic',`
|
define(`storage_getattr_scsi_generic',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 scsi_generic_device_t:blk_file getattr;
|
allow $1 scsi_generic_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -336,7 +336,7 @@ define(`storage_getattr_scsi_generic_depend',`
|
|||||||
define(`storage_set_scsi_generic_attributes',`
|
define(`storage_set_scsi_generic_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 scsi_generic_device_t:blk_file setattr;
|
allow $1 scsi_generic_device_t:blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -360,7 +360,7 @@ define(`storage_set_scsi_generic_attributes_depend',`
|
|||||||
define(`storage_getattr_removable_device',`
|
define(`storage_getattr_removable_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 removable_device_t:blk_file getattr;
|
allow $1 removable_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -407,7 +407,7 @@ define(`storage_dontaudit_getattr_removable_device_depend',`
|
|||||||
define(`storage_set_removable_device_attributes',`
|
define(`storage_set_removable_device_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 removable_device_t:blk_file setattr;
|
allow $1 removable_device_t:blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -434,7 +434,7 @@ define(`storage_set_removable_device_attributes_depend',`
|
|||||||
define(`storage_raw_read_removable_device',`
|
define(`storage_raw_read_removable_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 removable_device_t:blk_file r_file_perms;
|
allow $1 removable_device_t:blk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -461,7 +461,7 @@ define(`storage_raw_read_removable_device_depend',`
|
|||||||
define(`storage_raw_write_removable_device',`
|
define(`storage_raw_write_removable_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 removable_device_t:blk_file { getattr write ioctl };
|
allow $1 removable_device_t:blk_file { getattr write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -485,7 +485,7 @@ define(`storage_raw_write_removable_device_depend',`
|
|||||||
define(`storage_read_tape_device',`
|
define(`storage_read_tape_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tape_device_t:blk_file r_file_perms;
|
allow $1 tape_device_t:blk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -509,7 +509,7 @@ define(`storage_read_tape_device_depend',`
|
|||||||
define(`storage_write_tape_device',`
|
define(`storage_write_tape_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tape_device_t:blk_file { getattr write ioctl };
|
allow $1 tape_device_t:blk_file { getattr write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -533,7 +533,7 @@ define(`storage_write_tape_device_depend',`
|
|||||||
define(`storage_getattr_tape_device',`
|
define(`storage_getattr_tape_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tape_device_t:blk_file getattr;
|
allow $1 tape_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -557,7 +557,7 @@ define(`storage_getattr_tape_device_depend',`
|
|||||||
define(`storage_setattr_tape_device',`
|
define(`storage_setattr_tape_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tape_device_t:blk_file setattr;
|
allow $1 tape_device_t:blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ attribute scsi_generic_write;
|
|||||||
# /dev/hd* and /dev/sd*.
|
# /dev/hd* and /dev/sd*.
|
||||||
#
|
#
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t;
|
||||||
devices_make_device_node(fixed_disk_device_t)
|
dev_node(fixed_disk_device_t)
|
||||||
|
|
||||||
neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
|
neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
|
||||||
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
|
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
|
||||||
@ -20,7 +20,7 @@ neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { app
|
|||||||
# lvm_vg_t is the type of logical volume groups
|
# lvm_vg_t is the type of logical volume groups
|
||||||
#
|
#
|
||||||
type lvm_vg_t;
|
type lvm_vg_t;
|
||||||
devices_make_device_node(lvm_vg_t)
|
dev_node(lvm_vg_t)
|
||||||
|
|
||||||
# from the subject's point of view, same as read/writing a regular
|
# from the subject's point of view, same as read/writing a regular
|
||||||
# fixed disk, so use the same assertions as above
|
# fixed disk, so use the same assertions as above
|
||||||
@ -32,7 +32,7 @@ neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write }
|
|||||||
# it gives access to ALL SCSI devices (both fixed and removable)
|
# it gives access to ALL SCSI devices (both fixed and removable)
|
||||||
#
|
#
|
||||||
type scsi_generic_device_t;
|
type scsi_generic_device_t;
|
||||||
devices_make_device_node(scsi_generic_device_t)
|
dev_node(scsi_generic_device_t)
|
||||||
|
|
||||||
neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
|
neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
|
||||||
neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
|
neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
|
||||||
@ -42,10 +42,10 @@ neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { app
|
|||||||
# /dev/scd* and /dev/fd*.
|
# /dev/scd* and /dev/fd*.
|
||||||
#
|
#
|
||||||
type removable_device_t;
|
type removable_device_t;
|
||||||
devices_make_device_node(removable_device_t)
|
dev_node(removable_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# tape_device_t is the type of
|
# tape_device_t is the type of
|
||||||
#
|
#
|
||||||
type tape_device_t;
|
type tape_device_t;
|
||||||
devices_make_device_node(tape_device_t)
|
dev_node(tape_device_t)
|
||||||
|
@ -98,8 +98,10 @@ define(`term_tty_depend',`
|
|||||||
define(`term_create_pty',`
|
define(`term_create_pty',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
|
||||||
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 ptmx_t:chr_file rw_file_perms;
|
allow $1 ptmx_t:chr_file rw_file_perms;
|
||||||
|
|
||||||
allow $1 devpts_t:dir r_dir_perms;
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
allow $1 devpts_t:filesystem getattr;
|
allow $1 devpts_t:filesystem getattr;
|
||||||
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
|
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
|
||||||
@ -128,7 +130,7 @@ define(`term_create_pty_depend',`
|
|||||||
define(`term_use_all_terms',`
|
define(`term_use_all_terms',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 devpts_t:dir r_dir_perms;
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
|
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
@ -155,7 +157,7 @@ define(`term_use_all_terms_depend',`
|
|||||||
define(`term_write_console',`
|
define(`term_write_console',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 console_device_t:chr_file write;
|
allow $1 console_device_t:chr_file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -177,7 +179,7 @@ define(`term_use_console_depend',`
|
|||||||
define(`term_use_console',`
|
define(`term_use_console',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 console_device_t:chr_file rw_file_perms;
|
allow $1 console_device_t:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -224,7 +226,7 @@ define(`term_dontaudit_use_console_depend',`
|
|||||||
define(`term_setattr_console',`
|
define(`term_setattr_console',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 console_device_t:chr_file setattr;
|
allow $1 console_device_t:chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -248,7 +250,7 @@ define(`term_setattr_console_depend',`
|
|||||||
define(`term_list_ptys',`
|
define(`term_list_ptys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 devpts_t:dir r_dir_perms;
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -296,7 +298,7 @@ define(`term_dontaudit_list_ptys_depend',`
|
|||||||
define(`term_use_generic_pty',`
|
define(`term_use_generic_pty',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 devpts_t:chr_file { read write };
|
allow $1 devpts_t:chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -344,7 +346,7 @@ define(`term_dontaudit_use_generic_pty_depend',`
|
|||||||
define(`term_use_controlling_term',`
|
define(`term_use_controlling_term',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 devtty_t:chr_file { getattr read write ioctl };
|
allow $1 devtty_t:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -391,7 +393,7 @@ define(`term_dontaudit_use_ptmx_depend',`
|
|||||||
define(`term_getattr_all_user_ptys',`
|
define(`term_getattr_all_user_ptys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 devpts_t:dir r_dir_perms;
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
allow $1 ptynode:chr_file getattr;
|
allow $1 ptynode:chr_file getattr;
|
||||||
')
|
')
|
||||||
@ -416,7 +418,7 @@ define(`term_getattr_all_ptys_depend',`
|
|||||||
define(`term_use_all_user_ptys',`
|
define(`term_use_all_user_ptys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 devpts_t:dir r_dir_perms;
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
allow $1 ptynode:chr_file { getattr read write ioctl };
|
allow $1 ptynode:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
@ -465,7 +467,7 @@ define(`term_dontaudit_use_all_user_ptys_depend',`
|
|||||||
define(`term_getattr_unallocated_ttys',`
|
define(`term_getattr_unallocated_ttys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tty_device_t:chr_file getattr;
|
allow $1 tty_device_t:chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -489,7 +491,7 @@ define(`term_getattr_unallocated_ttys_depend',`
|
|||||||
define(`term_setattr_unallocated_ttys',`
|
define(`term_setattr_unallocated_ttys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tty_device_t:chr_file setattr;
|
allow $1 tty_device_t:chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -513,7 +515,7 @@ define(`term_setattr_unallocated_ttys_depend',`
|
|||||||
define(`term_relabel_unallocated_ttys',`
|
define(`term_relabel_unallocated_ttys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
|
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -537,7 +539,7 @@ define(`term_relabel_unallocated_ttys_depend',`
|
|||||||
define(`term_reset_tty_labels',`
|
define(`term_reset_tty_labels',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 ttynode:chr_file relabelfrom;
|
allow $1 ttynode:chr_file relabelfrom;
|
||||||
allow $1 tty_device_t:chr_file relabelto;
|
allow $1 tty_device_t:chr_file relabelto;
|
||||||
')
|
')
|
||||||
@ -562,7 +564,7 @@ define(`term_reset_tty_labels_depend',`
|
|||||||
define(`term_write_unallocated_ttys',`
|
define(`term_write_unallocated_ttys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tty_device_t:chr_file { getattr write };
|
allow $1 tty_device_t:chr_file { getattr write };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -585,7 +587,7 @@ define(`term_write_unallocated_ttys_depend',`
|
|||||||
define(`term_use_unallocated_tty',`
|
define(`term_use_unallocated_tty',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tty_device_t:chr_file { getattr read write ioctl };
|
allow $1 tty_device_t:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -632,7 +634,7 @@ define(`term_dontaudit_use_unallocated_tty_depend',`
|
|||||||
define(`term_getattr_all_user_ttys',`
|
define(`term_getattr_all_user_ttys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 ttynode:chr_file getattr;
|
allow $1 ttynode:chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -657,6 +659,7 @@ define(`term_getattr_all_user_ttys_depend',`
|
|||||||
define(`term_dontaudit_getattr_all_user_ttys',`
|
define(`term_dontaudit_getattr_all_user_ttys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
|
dev_list_all_dev_nodes($1)
|
||||||
dontaudit $1 ttynode:chr_file getattr;
|
dontaudit $1 ttynode:chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
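Review bot: The line added to `term_dontaudit_getattr_all_user_ttys`, `dev_list_all_dev_nodes($1)`, puts a permission-granting call inside a `dontaudit_` interface; every other interface in this file that takes the rename calls it next to an `allow`, whereas this one exists only to silence `getattr` denials on `ttynode`. If `dev_list_all_dev_nodes` carries allow rules, as its predecessor `devices_list_device_nodes` presumably did in the interfaces above, a caller that only wanted to quiet audit noise now silently gains list access to the device directory, which is the privilege creep the dontaudit/allow naming split exists to prevent. Drop the added line, or, if the devices module provides a dontaudit-flavoured listing interface, call that instead. The interface body closes inside the hunk; its `_depend` block is outside it.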
@ -704,7 +707,7 @@ define(`term_setattr_all_user_ttys_depend',`
|
|||||||
define(`term_relabel_all_user_ttys',`
|
define(`term_relabel_all_user_ttys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 ttynode:chr_file { relabelfrom relabelto };
|
allow $1 ttynode:chr_file { relabelfrom relabelto };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -727,7 +730,7 @@ define(`term_relabel_all_user_ttys_depend',`
|
|||||||
define(`term_write_all_user_ttys',`
|
define(`term_write_all_user_ttys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 ttynode:chr_file { getattr write };
|
allow $1 ttynode:chr_file { getattr write };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -750,7 +753,7 @@ define(`term_write_all_user_ttys_depend',`
|
|||||||
define(`term_use_all_user_ttys',`
|
define(`term_use_all_user_ttys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 ttynode:chr_file { getattr read write ioctl };
|
allow $1 ttynode:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -8,13 +8,13 @@ attribute server_ptynode;
|
|||||||
#
|
#
|
||||||
# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
|
# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
|
||||||
type bsdpty_device_t;
|
type bsdpty_device_t;
|
||||||
devices_make_device_node(bsdpty_device_t)
|
dev_node(bsdpty_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# console_device_t is the type of /dev/console.
|
# console_device_t is the type of /dev/console.
|
||||||
#
|
#
|
||||||
type console_device_t;
|
type console_device_t;
|
||||||
devices_make_device_node(console_device_t)
|
dev_node(console_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# devpts_t is the type of the devpts file system and
|
# devpts_t is the type of the devpts file system and
|
||||||
@ -29,22 +29,22 @@ fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
|
|||||||
# devtty_t is the type of /dev/tty.
|
# devtty_t is the type of /dev/tty.
|
||||||
#
|
#
|
||||||
type devtty_t;
|
type devtty_t;
|
||||||
devices_make_device_node(devtty_t)
|
dev_node(devtty_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# ptmx_t is the type for /dev/ptmx.
|
# ptmx_t is the type for /dev/ptmx.
|
||||||
#
|
#
|
||||||
type ptmx_t;
|
type ptmx_t;
|
||||||
devices_make_device_node(ptmx_t)
|
dev_node(ptmx_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# tty_device_t is the type of /dev/*tty*
|
# tty_device_t is the type of /dev/*tty*
|
||||||
#
|
#
|
||||||
type tty_device_t;
|
type tty_device_t;
|
||||||
devices_make_device_node(tty_device_t)
|
dev_node(tty_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# usbtty_device_t is the type of /dev/usr/tty*
|
# usbtty_device_t is the type of /dev/usr/tty*
|
||||||
#
|
#
|
||||||
type usbtty_device_t;
|
type usbtty_device_t;
|
||||||
devices_make_device_node(usbtty_device_t)
|
dev_node(usbtty_device_t)
|
||||||
|
@ -68,7 +68,7 @@ define(`cron_per_userdomain_template',`
|
|||||||
corenet_tcp_bind_all_nodes($1_crond_t)
|
corenet_tcp_bind_all_nodes($1_crond_t)
|
||||||
corenet_udp_bind_all_nodes($1_crond_t)
|
corenet_udp_bind_all_nodes($1_crond_t)
|
||||||
|
|
||||||
devices_get_pseudorandom_data($1_crond_t)
|
dev_read_urand($1_crond_t)
|
||||||
|
|
||||||
fs_getattr_all_fs($1_crond_t)
|
fs_getattr_all_fs($1_crond_t)
|
||||||
|
|
||||||
|
@ -87,7 +87,7 @@ kernel_compute_create_context(crond_t)
|
|||||||
kernel_compute_relabel_context(crond_t)
|
kernel_compute_relabel_context(crond_t)
|
||||||
kernel_compute_reachable_user_contexts(crond_t)
|
kernel_compute_reachable_user_contexts(crond_t)
|
||||||
|
|
||||||
devices_get_pseudorandom_data(crond_t)
|
dev_read_urand(crond_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(crond_t)
|
fs_getattr_all_fs(crond_t)
|
||||||
|
|
||||||
@ -248,9 +248,9 @@ corenet_udp_sendrecv_all_ports(system_crond_t)
|
|||||||
corenet_tcp_bind_all_nodes(system_crond_t)
|
corenet_tcp_bind_all_nodes(system_crond_t)
|
||||||
corenet_udp_bind_all_nodes(system_crond_t)
|
corenet_udp_bind_all_nodes(system_crond_t)
|
||||||
|
|
||||||
devices_get_all_block_device_attributes(system_crond_t)
|
dev_getattr_all_blk_files(system_crond_t)
|
||||||
devices_get_all_character_device_attributes(system_crond_t)
|
dev_getattr_all_chr_files(system_crond_t)
|
||||||
devices_get_pseudorandom_data(system_crond_t)
|
dev_read_urand(system_crond_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(system_crond_t)
|
fs_getattr_all_fs(system_crond_t)
|
||||||
fs_getattr_all_files(system_crond_t)
|
fs_getattr_all_files(system_crond_t)
|
||||||
|
@ -60,7 +60,7 @@ corenet_raw_sendrecv_all_nodes(system_mail_t)
|
|||||||
corenet_tcp_bind_all_nodes(system_mail_t)
|
corenet_tcp_bind_all_nodes(system_mail_t)
|
||||||
corenet_tcp_sendrecv_all_ports(system_mail_t)
|
corenet_tcp_sendrecv_all_ports(system_mail_t)
|
||||||
|
|
||||||
devices_get_pseudorandom_data(system_mail_t)
|
dev_read_urand(system_mail_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(system_mail_t)
|
fs_getattr_xattr_fs(system_mail_t)
|
||||||
|
|
||||||
|
@ -51,7 +51,7 @@ kernel_compute_relabel_context(remote_login_t)
|
|||||||
kernel_compute_reachable_user_contexts(remote_login_t)
|
kernel_compute_reachable_user_contexts(remote_login_t)
|
||||||
|
|
||||||
# for SSP/ProPolice
|
# for SSP/ProPolice
|
||||||
devices_get_pseudorandom_data(remote_login_t)
|
dev_read_urand(remote_login_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(remote_login_t)
|
fs_getattr_xattr_fs(remote_login_t)
|
||||||
|
|
||||||
|
@ -54,7 +54,7 @@ corenet_tcp_bind_all_nodes(sendmail_t)
|
|||||||
corenet_udp_bind_all_nodes(sendmail_t)
|
corenet_udp_bind_all_nodes(sendmail_t)
|
||||||
corenet_tcp_bind_smtp_port(sendmail_t)
|
corenet_tcp_bind_smtp_port(sendmail_t)
|
||||||
|
|
||||||
devices_get_pseudorandom_data(sendmail_t)
|
dev_read_urand(sendmail_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(sendmail_t)
|
fs_getattr_all_fs(sendmail_t)
|
||||||
|
|
||||||
|
@ -32,7 +32,7 @@ allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
|
|||||||
kernel_read_kernel_sysctl(hwclock_t)
|
kernel_read_kernel_sysctl(hwclock_t)
|
||||||
kernel_read_hardware_state(hwclock_t)
|
kernel_read_hardware_state(hwclock_t)
|
||||||
|
|
||||||
devices_modify_realtime_clock(hwclock_t)
|
dev_rw_realtime_clock(hwclock_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(hwclock_t)
|
fs_getattr_xattr_fs(hwclock_t)
|
||||||
|
|
||||||
|
@ -36,8 +36,8 @@ define(`domain_make_domain',`
|
|||||||
domain_make_base_domain($1)
|
domain_make_base_domain($1)
|
||||||
|
|
||||||
# Use trusted objects in /dev
|
# Use trusted objects in /dev
|
||||||
devices_use_dev_null($1)
|
dev_rw_null_dev($1)
|
||||||
devices_use_dev_zero($1)
|
dev_rw_zero_dev($1)
|
||||||
term_use_controlling_term($1)
|
term_use_controlling_term($1)
|
||||||
|
|
||||||
# read the root directory
|
# read the root directory
|
||||||
|
@ -59,7 +59,7 @@ corenet_tcp_sendrecv_all_ports(hotplug_t)
|
|||||||
corenet_tcp_bind_all_nodes(hotplug_t)
|
corenet_tcp_bind_all_nodes(hotplug_t)
|
||||||
|
|
||||||
# for SSP
|
# for SSP
|
||||||
devices_get_pseudorandom_data(hotplug_t)
|
dev_read_urand(hotplug_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(hotplug_t)
|
fs_getattr_all_fs(hotplug_t)
|
||||||
|
|
||||||
|
@ -203,7 +203,7 @@ define(`init_get_control_channel_attributes_depend',`
|
|||||||
define(`init_use_control_channel',`
|
define(`init_use_control_channel',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 initctl_t:fifo_file rw_file_perms;
|
allow $1 initctl_t:fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -80,7 +80,7 @@ files_create_daemon_runtime_data(init_t,init_var_run_t)
|
|||||||
|
|
||||||
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
|
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
|
||||||
fs_associate_tmpfs(initctl_t)
|
fs_associate_tmpfs(initctl_t)
|
||||||
devices_create_dev_entry(init_t,initctl_t,fifo_file)
|
dev_create_dev_node(init_t,initctl_t,fifo_file)
|
||||||
|
|
||||||
# Modify utmp.
|
# Modify utmp.
|
||||||
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||||
@ -202,19 +202,19 @@ corenet_udp_sendrecv_all_ports(initrc_t)
|
|||||||
corenet_tcp_bind_all_nodes(initrc_t)
|
corenet_tcp_bind_all_nodes(initrc_t)
|
||||||
corenet_udp_bind_all_nodes(initrc_t)
|
corenet_udp_bind_all_nodes(initrc_t)
|
||||||
|
|
||||||
devices_get_random_data(initrc_t)
|
dev_read_rand(initrc_t)
|
||||||
devices_get_pseudorandom_data(initrc_t)
|
dev_read_urand(initrc_t)
|
||||||
devices_add_entropy(initrc_t)
|
dev_write_rand(initrc_t)
|
||||||
devices_set_pseudorandom_seed(initrc_t)
|
dev_write_urand(initrc_t)
|
||||||
devices_read_framebuffer(initrc_t)
|
dev_read_framebuffer(initrc_t)
|
||||||
devices_read_realtime_clock(initrc_t)
|
dev_read_realtime_clock(initrc_t)
|
||||||
devices_read_sound_mixer_levels(initrc_t)
|
dev_read_snd_mixer_dev(initrc_t)
|
||||||
devices_write_sound_mixer_levels(initrc_t)
|
dev_write_snd_mixer_dev(initrc_t)
|
||||||
devices_set_all_character_device_attributes(initrc_t)
|
dev_setattr_all_chr_files(initrc_t)
|
||||||
devices_read_lvm_control_channel(initrc_t)
|
dev_read_lvm_control(initrc_t)
|
||||||
devices_remove_lvm_control_channel(initrc_t)
|
dev_delete_lvm_control(initrc_t)
|
||||||
# Wants to remove udev.tbl:
|
# Wants to remove udev.tbl:
|
||||||
devices_remove_dev_symbolic_links(initrc_t)
|
dev_del_generic_symlinks(initrc_t)
|
||||||
|
|
||||||
fs_register_binary_executable_type(initrc_t)
|
fs_register_binary_executable_type(initrc_t)
|
||||||
# cjp: not sure why these are here; should use mount policy
|
# cjp: not sure why these are here; should use mount policy
|
||||||
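Review bot: The new names introduced in this hunk abbreviate inconsistently: `dev_del_generic_symlinks(initrc_t)` uses `del` while `dev_delete_lvm_control(initrc_t)` a few lines above spells out `delete`, and in the run_init hunk further down `dev_dontaudit_list_all_nodes(run_init_t)` drops the `dev_` noun that `dev_list_all_dev_nodes` keeps everywhere else. Since this commit is the one establishing the naming scheme for the devices module, settling on one verb form (e.g. `dev_delete_generic_symlinks`) and one noun form for device nodes now avoids a second mass rename later. The enclosing initrc_t rule block starts and ends outside the hunk.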
@ -317,10 +317,10 @@ ifdef(`distro_redhat',`
|
|||||||
|
|
||||||
# These seem to be from the initrd
|
# These seem to be from the initrd
|
||||||
# during device initialization:
|
# during device initialization:
|
||||||
devices_add_dev_dir(initrc_t)
|
dev_create_dir(initrc_t)
|
||||||
devices_legacy_use_dev_zero(initrc_t)
|
dev_rwx_zero_dev(initrc_t)
|
||||||
devices_legacy_raw_read_memory(initrc_t)
|
dev_rx_raw_memory(initrc_t)
|
||||||
devices_legacy_raw_write_memory(initrc_t)
|
dev_wx_raw_memory(initrc_t)
|
||||||
storage_raw_read_fixed_disk(initrc_t)
|
storage_raw_read_fixed_disk(initrc_t)
|
||||||
storage_raw_write_fixed_disk(initrc_t)
|
storage_raw_write_fixed_disk(initrc_t)
|
||||||
|
|
||||||
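Review bot: The replacements `dev_rwx_zero_dev(initrc_t)`, `dev_rx_raw_memory(initrc_t)` and `dev_wx_raw_memory(initrc_t)` drop the `legacy_` qualifier that the old names carried, so the only remaining hint that these are broader-than-usual accesses to /dev/zero and raw memory kept for an old initrd is the vague comment `# These seem to be from the initrd`. The `x` in the new names presumably denotes execute access, which is the part a policy reviewer would want called out; expand the comment to something like `# legacy initrd device setup: grants execute access on /dev/zero and raw memory to initrc_t; remove once the initrd no longer needs it`. The enclosing distro_redhat ifdef block starts and ends outside the hunk.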
@ -344,8 +344,8 @@ optional_policy(`hotplug.te',`
|
|||||||
optional_policy(`lvm.te',`
|
optional_policy(`lvm.te',`
|
||||||
#allow initrc_t lvm_control_t:chr_file unlink;
|
#allow initrc_t lvm_control_t:chr_file unlink;
|
||||||
|
|
||||||
devices_read_lvm_control_channel(initrc_t)
|
dev_read_lvm_control(initrc_t)
|
||||||
devices_add_generic_character_device(initrc_t)
|
dev_create_generic_chr_file(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`rhgb.te',`
|
optional_policy(`rhgb.te',`
|
||||||
|
@ -61,7 +61,7 @@ kernel_compute_relabel_context(local_login_t)
|
|||||||
kernel_compute_reachable_user_contexts(local_login_t)
|
kernel_compute_reachable_user_contexts(local_login_t)
|
||||||
|
|
||||||
# for SSP/ProPolice
|
# for SSP/ProPolice
|
||||||
devices_get_pseudorandom_data(local_login_t)
|
dev_read_urand(local_login_t)
|
||||||
|
|
||||||
term_use_all_user_ttys(local_login_t)
|
term_use_all_user_ttys(local_login_t)
|
||||||
term_use_unallocated_tty(local_login_t)
|
term_use_unallocated_tty(local_login_t)
|
||||||
|
@ -130,7 +130,7 @@ kernel_change_ring_buffer_level(klogd_t)
|
|||||||
|
|
||||||
bootloader_read_kernel_symbol_table(klogd_t)
|
bootloader_read_kernel_symbol_table(klogd_t)
|
||||||
|
|
||||||
devices_raw_read_memory(klogd_t)
|
dev_read_raw_memory(klogd_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(klogd_t)
|
fs_getattr_all_fs(klogd_t)
|
||||||
|
|
||||||
@ -189,7 +189,7 @@ files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t)
|
|||||||
kernel_read_hardware_state(syslogd_t)
|
kernel_read_hardware_state(syslogd_t)
|
||||||
kernel_read_kernel_sysctl(syslogd_t)
|
kernel_read_kernel_sysctl(syslogd_t)
|
||||||
|
|
||||||
devices_create_dev_entry(syslogd_t,devlog_t,sock_file)
|
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
|
||||||
|
|
||||||
term_dontaudit_use_console(syslogd_t)
|
term_dontaudit_use_console(syslogd_t)
|
||||||
# Allow syslog to a terminal
|
# Allow syslog to a terminal
|
||||||
|
@ -84,20 +84,20 @@ kernel_read_kernel_sysctl(lvm_t)
|
|||||||
# it has no reason to need this
|
# it has no reason to need this
|
||||||
kernel_dontaudit_getattr_core(lvm_t)
|
kernel_dontaudit_getattr_core(lvm_t)
|
||||||
|
|
||||||
devices_add_generic_character_device(lvm_t)
|
dev_create_generic_chr_file(lvm_t)
|
||||||
devices_get_random_data(lvm_t)
|
dev_read_rand(lvm_t)
|
||||||
devices_get_pseudorandom_data(lvm_t)
|
dev_read_urand(lvm_t)
|
||||||
devices_use_lvm_control_channel(lvm_t)
|
dev_rw_lvm_control(lvm_t)
|
||||||
devices_manage_dev_symbolic_links(lvm_t)
|
dev_manage_generic_symlinks(lvm_t)
|
||||||
devices_relabel_dev_dirs(lvm_t)
|
devices_relabel_dev_dirs(lvm_t)
|
||||||
devices_manage_generic_block_device(lvm_t)
|
devices_manage_generic_block_device(lvm_t)
|
||||||
|
|
||||||
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
|
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
|
||||||
devices_ignore_get_all_character_device_attributes(lvm_t)
|
dev_dontaudit_getattr_all_chr_files(lvm_t)
|
||||||
devices_ignore_get_all_block_device_attributes(lvm_t)
|
dev_dontaudit_getattr_all_blk_files(lvm_t)
|
||||||
devices_ignore_get_generic_character_device_attributes(lvm_t)
|
dev_dontaudit_getattr_generic_chr_file(lvm_t)
|
||||||
devices_ignore_get_generic_block_device_attributes(lvm_t)
|
dev_dontaudit_getattr_generic_blk_file(lvm_t)
|
||||||
devices_ignore_get_generic_pipe_attributes(lvm_t)
|
dev_dontaudit_getattr_generic_pipe(lvm_t)
|
||||||
term_dontaudit_getattr_all_user_ttys(lvm_t)
|
term_dontaudit_getattr_all_user_ttys(lvm_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(lvm_t)
|
fs_getattr_xattr_fs(lvm_t)
|
||||||
|
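Review bot: Two calls in this hunk keep the old `devices_` prefix while every neighbouring interface is renamed to `dev_`: `devices_relabel_dev_dirs(lvm_t)` and `devices_manage_generic_block_device(lvm_t)` appear unchanged on both sides. If the devices module no longer defines those names after this rename, m4 will leave the calls unexpanded and the lvm policy will fail to build, so they need `dev_`-prefixed equivalents chosen the same way as the surrounding lines (the replacement names cannot be confirmed from this page). The enclosing lvm_t rule block continues outside the hunk.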
@ -62,9 +62,9 @@ bootloader_read_kernel_modules(insmod_t)
|
|||||||
# for locking: (cjp: ????)
|
# for locking: (cjp: ????)
|
||||||
bootloader_write_kernel_modules(insmod_t)
|
bootloader_write_kernel_modules(insmod_t)
|
||||||
|
|
||||||
devices_write_mtrr(insmod_t)
|
dev_write_mtrr(insmod_t)
|
||||||
devices_get_pseudorandom_data(insmod_t)
|
dev_read_urand(insmod_t)
|
||||||
devices_direct_agp_access(insmod_t)
|
dev_rw_agp_dev(insmod_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(insmod_t)
|
fs_getattr_xattr_fs(insmod_t)
|
||||||
|
|
||||||
@ -189,7 +189,7 @@ files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir
|
|||||||
kernel_read_kernel_sysctl(update_modules_t)
|
kernel_read_kernel_sysctl(update_modules_t)
|
||||||
kernel_read_system_state(update_modules_t)
|
kernel_read_system_state(update_modules_t)
|
||||||
|
|
||||||
devices_get_pseudorandom_data(update_modules_t)
|
dev_read_urand(update_modules_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(update_modules_t)
|
fs_getattr_xattr_fs(update_modules_t)
|
||||||
|
|
||||||
|
@ -24,8 +24,8 @@ kernel_dontaudit_use_fd(mount_t)
|
|||||||
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
|
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
|
||||||
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
|
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
|
||||||
|
|
||||||
devices_get_all_block_device_attributes(mount_t)
|
dev_getattr_all_blk_files(mount_t)
|
||||||
devices_list_device_nodes(mount_t)
|
dev_list_all_dev_nodes(mount_t)
|
||||||
|
|
||||||
storage_raw_read_fixed_disk(mount_t)
|
storage_raw_read_fixed_disk(mount_t)
|
||||||
storage_raw_write_fixed_disk(mount_t)
|
storage_raw_write_fixed_disk(mount_t)
|
||||||
|
@ -203,7 +203,7 @@ kernel_compute_create_context(newrole_t)
|
|||||||
kernel_compute_relabel_context(newrole_t)
|
kernel_compute_relabel_context(newrole_t)
|
||||||
kernel_compute_reachable_user_contexts(newrole_t)
|
kernel_compute_reachable_user_contexts(newrole_t)
|
||||||
|
|
||||||
devices_get_pseudorandom_data(newrole_t)
|
dev_read_urand(newrole_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(newrole_t)
|
fs_getattr_xattr_fs(newrole_t)
|
||||||
|
|
||||||
@ -312,7 +312,8 @@ optional_policy(`hotplug.te',`
|
|||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
kernel_relabel_unlabeled(restorecon_t)
|
kernel_relabel_unlabeled(restorecon_t)
|
||||||
devices_manage_all_devices_labels(restorecon_t)
|
dev_relabel_all_dev_nodes(restorecon_t)
|
||||||
|
|
||||||
files_relabel_all_files(restorecon_t)
|
files_relabel_all_files(restorecon_t)
|
||||||
files_read_all_directories(restorecon_t)
|
files_read_all_directories(restorecon_t)
|
||||||
# this is to satisfy the assertion:
|
# this is to satisfy the assertion:
|
||||||
@ -362,7 +363,7 @@ ifdef(`targeted_policy',`',`
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(run_init_t)
|
fs_getattr_xattr_fs(run_init_t)
|
||||||
|
|
||||||
devices_ignore_list_device_nodes(run_init_t)
|
dev_dontaudit_list_all_nodes(run_init_t)
|
||||||
|
|
||||||
term_dontaudit_list_ptys(run_init_t)
|
term_dontaudit_list_ptys(run_init_t)
|
||||||
|
|
||||||
@ -448,7 +449,8 @@ userdomain_read_all_users_data(setfiles_t)
|
|||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
kernel_relabel_unlabeled(setfiles_t)
|
kernel_relabel_unlabeled(setfiles_t)
|
||||||
devices_manage_all_devices_labels(setfiles_t)
|
dev_relabel_all_dev_nodes(setfiles_t)
|
||||||
|
|
||||||
files_read_all_directories(setfiles_t)
|
files_read_all_directories(setfiles_t)
|
||||||
files_relabel_all_files(setfiles_t)
|
files_relabel_all_files(setfiles_t)
|
||||||
# this is to satisfy the assertion:
|
# this is to satisfy the assertion:
|
||||||
|
@ -203,7 +203,7 @@ kernel_compute_create_context(newrole_t)
|
|||||||
kernel_compute_relabel_context(newrole_t)
|
kernel_compute_relabel_context(newrole_t)
|
||||||
kernel_compute_reachable_user_contexts(newrole_t)
|
kernel_compute_reachable_user_contexts(newrole_t)
|
||||||
|
|
||||||
devices_get_pseudorandom_data(newrole_t)
|
dev_read_urand(newrole_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(newrole_t)
|
fs_getattr_xattr_fs(newrole_t)
|
||||||
|
|
||||||
@ -312,7 +312,8 @@ optional_policy(`hotplug.te',`
|
|||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
kernel_relabel_unlabeled(restorecon_t)
|
kernel_relabel_unlabeled(restorecon_t)
|
||||||
devices_manage_all_devices_labels(restorecon_t)
|
dev_relabel_all_dev_nodes(restorecon_t)
|
||||||
|
|
||||||
files_relabel_all_files(restorecon_t)
|
files_relabel_all_files(restorecon_t)
|
||||||
files_read_all_directories(restorecon_t)
|
files_read_all_directories(restorecon_t)
|
||||||
# this is to satisfy the assertion:
|
# this is to satisfy the assertion:
|
||||||
@ -362,7 +363,7 @@ ifdef(`targeted_policy',`',`
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(run_init_t)
|
fs_getattr_xattr_fs(run_init_t)
|
||||||
|
|
||||||
devices_ignore_list_device_nodes(run_init_t)
|
dev_dontaudit_list_all_nodes(run_init_t)
|
||||||
|
|
||||||
term_dontaudit_list_ptys(run_init_t)
|
term_dontaudit_list_ptys(run_init_t)
|
||||||
|
|
||||||
@ -448,7 +449,8 @@ userdomain_read_all_users_data(setfiles_t)
|
|||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
kernel_relabel_unlabeled(setfiles_t)
|
kernel_relabel_unlabeled(setfiles_t)
|
||||||
devices_manage_all_devices_labels(setfiles_t)
|
dev_relabel_all_dev_nodes(setfiles_t)
|
||||||
|
|
||||||
files_read_all_directories(setfiles_t)
|
files_read_all_directories(setfiles_t)
|
||||||
files_relabel_all_files(setfiles_t)
|
files_relabel_all_files(setfiles_t)
|
||||||
# this is to satisfy the assertion:
|
# this is to satisfy the assertion:
|
||||||
|
@ -102,7 +102,7 @@ corenet_udp_bind_all_nodes(dhcpc_t)
|
|||||||
corenet_udp_bind_dhcpc_port(dhcpc_t)
|
corenet_udp_bind_dhcpc_port(dhcpc_t)
|
||||||
|
|
||||||
# for SSP
|
# for SSP
|
||||||
devices_get_pseudorandom_data(dhcpc_t)
|
dev_read_urand(dhcpc_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(dhcpc_t)
|
fs_getattr_all_fs(dhcpc_t)
|
||||||
|
|
||||||
|
@ -58,7 +58,7 @@ allow udev_t udev_etc_t:file r_file_perms;
|
|||||||
|
|
||||||
# create udev database in /dev/.udevdb
|
# create udev database in /dev/.udevdb
|
||||||
allow udev_t udev_tbl_t:file create_file_perms;
|
allow udev_t udev_tbl_t:file create_file_perms;
|
||||||
devices_create_dev_entry(udev_t,udev_tbl_t,file)
|
dev_create_dev_node(udev_t,udev_tbl_t,file)
|
||||||
|
|
||||||
allow udev_t udev_var_run_t:dir rw_dir_perms;
|
allow udev_t udev_var_run_t:dir rw_dir_perms;
|
||||||
allow udev_t udev_var_run_t:file create_file_perms;
|
allow udev_t udev_var_run_t:file create_file_perms;
|
||||||
@ -78,7 +78,7 @@ kernel_compute_create_context(udev_t)
|
|||||||
kernel_compute_relabel_context(udev_t)
|
kernel_compute_relabel_context(udev_t)
|
||||||
kernel_compute_reachable_user_contexts(udev_t)
|
kernel_compute_reachable_user_contexts(udev_t)
|
||||||
|
|
||||||
devices_manage_device_nodes(udev_t)
|
dev_manage_dev_nodes(udev_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(udev_t)
|
fs_getattr_all_fs(udev_t)
|
||||||
|
|
||||||
|
@ -123,18 +123,18 @@ define(`base_user_domain',`
|
|||||||
# allow port_t name binding for UDP because it is not very usable otherwise
|
# allow port_t name binding for UDP because it is not very usable otherwise
|
||||||
corenet_udp_bind_generic_port($1_t)
|
corenet_udp_bind_generic_port($1_t)
|
||||||
|
|
||||||
devices_get_input_event($1_t)
|
dev_read_input($1_t)
|
||||||
devices_read_misc($1_t)
|
dev_read_misc($1_t)
|
||||||
devices_write_misc($1_t)
|
dev_write_misc($1_t)
|
||||||
devices_play_sound($1_t)
|
dev_write_snd_dev($1_t)
|
||||||
devices_record_sound_input($1_t)
|
dev_read_snd_dev($1_t)
|
||||||
devices_read_sound_mixer_levels($1_t)
|
dev_read_snd_mixer_dev($1_t)
|
||||||
devices_write_sound_mixer_levels($1_t)
|
dev_write_snd_mixer_dev($1_t)
|
||||||
devices_get_random_data($1_t)
|
dev_read_rand($1_t)
|
||||||
devices_get_pseudorandom_data($1_t)
|
dev_read_urand($1_t)
|
||||||
# open office is looking for the following
|
# open office is looking for the following
|
||||||
devices_get_direct_rendering_interface_attributes($1_t)
|
dev_getattr_agp_dev($1_t)
|
||||||
devices_ignore_use_direct_rendering_interface($1_t)
|
dev_dontaudit_rw_dri_dev($1_t)
|
||||||
|
|
||||||
fs_get_all_fs_quotas($1_t)
|
fs_get_all_fs_quotas($1_t)
|
||||||
fs_getattr_all_fs($1_t)
|
fs_getattr_all_fs($1_t)
|
||||||
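Review bot: `devices_get_direct_rendering_interface_attributes($1_t)` is replaced by `dev_getattr_agp_dev($1_t)`, which changes the object from the DRI device to the AGP device, while the very next line maps the DRI interface to `dev_dontaudit_rw_dri_dev($1_t)`. Unless the devices module intentionally folded DRI getattr into the AGP interface, this looks like a mis-mapped rename that would give user domains getattr on a different device node than before; a DRI-named getattr interface (`dev_getattr_dri_dev`-style, if the module defines one) is presumably what was meant. The comment `# open office is looking for the following` documents the DRI need and should stay attached to whichever interface is chosen. The enclosing base_user_domain macro continues outside the hunk.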
@ -198,7 +198,7 @@ define(`base_user_domain',`
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (user_direct_mouse) {
|
if (user_direct_mouse) {
|
||||||
devices_get_mouse_input($1_t)
|
dev_read_mouse($1_t)
|
||||||
}
|
}
|
||||||
|
|
||||||
if (user_ttyfile_stat) {
|
if (user_ttyfile_stat) {
|
||||||
@ -681,10 +681,10 @@ define(`admin_domain_template',`
|
|||||||
|
|
||||||
corenet_tcp_bind_generic_port($1_t)
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
|
|
||||||
devices_get_generic_block_device_attributes($1_t)
|
dev_getattr_generic_blk_file($1_t)
|
||||||
devices_get_generic_character_device_attributes($1_t)
|
dev_getattr_generic_chr_file($1_t)
|
||||||
devices_get_all_block_device_attributes($1_t)
|
dev_getattr_all_blk_files($1_t)
|
||||||
devices_get_all_character_device_attributes($1_t)
|
dev_getattr_all_chr_files($1_t)
|
||||||
|
|
||||||
fs_getattr_all_fs($1_t)
|
fs_getattr_all_fs($1_t)
|
||||||
fs_set_all_quotas($1_t)
|
fs_set_all_quotas($1_t)
|
||||||
@ -861,7 +861,7 @@ define(`userdomain_sysadm_shell_transition_depend',`
|
|||||||
define(`userdomain_use_admin_terminals',`
|
define(`userdomain_use_admin_terminals',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
term_list_ptys($1)
|
term_list_ptys($1)
|
||||||
allow $1 admin_terminal:chr_file { getattr read write ioctl };
|
allow $1 admin_terminal:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|