move make_{daemon,init,system}_domain to init to fix type_transition'ing
This commit is contained in:
parent
24a7ae1a5a
commit
ff31386090
@ -9,8 +9,8 @@ policy_module(consoletype, 1.0)
|
|||||||
|
|
||||||
type consoletype_t;
|
type consoletype_t;
|
||||||
type consoletype_exec_t;
|
type consoletype_exec_t;
|
||||||
domain_make_init_domain(consoletype_t,consoletype_exec_t)
|
init_make_init_domain(consoletype_t,consoletype_exec_t)
|
||||||
domain_make_system_domain(consoletype_t,consoletype_exec_t)
|
init_make_system_domain(consoletype_t,consoletype_exec_t)
|
||||||
role system_r types consoletype_t;
|
role system_r types consoletype_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -9,7 +9,7 @@ policy_module(devices,1.0)
|
|||||||
|
|
||||||
type netutils_t;
|
type netutils_t;
|
||||||
type netutils_exec_t;
|
type netutils_exec_t;
|
||||||
domain_make_system_domain(netutils_t,netutils_exec_t)
|
init_make_system_domain(netutils_t,netutils_exec_t)
|
||||||
role system_r types netutils_t;
|
role system_r types netutils_t;
|
||||||
|
|
||||||
type netutils_tmp_t;
|
type netutils_tmp_t;
|
||||||
@ -17,12 +17,12 @@ files_make_temporary_file(netutils_tmp_t)
|
|||||||
|
|
||||||
type ping_t; #, nscd_client_domain;
|
type ping_t; #, nscd_client_domain;
|
||||||
type ping_exec_t;
|
type ping_exec_t;
|
||||||
domain_make_system_domain(ping_t,ping_exec_t)
|
init_make_system_domain(ping_t,ping_exec_t)
|
||||||
role system_r types ping_t;
|
role system_r types ping_t;
|
||||||
|
|
||||||
type traceroute_t; #, nscd_client_domain;
|
type traceroute_t; #, nscd_client_domain;
|
||||||
type traceroute_exec_t;
|
type traceroute_exec_t;
|
||||||
domain_make_system_domain(traceroute_t,traceroute_exec_t)
|
init_make_system_domain(traceroute_t,traceroute_exec_t)
|
||||||
role system_r types traceroute_t;
|
role system_r types traceroute_t;
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -33,7 +33,7 @@ files_make_temporary_file(crack_tmp_t)
|
|||||||
type groupadd_t; #, nscd_client_domain;
|
type groupadd_t; #, nscd_client_domain;
|
||||||
type groupadd_exec_t;
|
type groupadd_exec_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(groupadd_t)
|
kernel_make_object_identity_change_constraint_exception(groupadd_t)
|
||||||
domain_make_system_domain(groupadd_t,groupadd_exec_t)
|
init_make_system_domain(groupadd_t,groupadd_exec_t)
|
||||||
role system_r types groupadd_t;
|
role system_r types groupadd_t;
|
||||||
|
|
||||||
type passwd_t;
|
type passwd_t;
|
||||||
@ -55,7 +55,7 @@ files_make_file(sysadm_passwd_tmp_t)
|
|||||||
type useradd_t; # nscd_client_domain;
|
type useradd_t; # nscd_client_domain;
|
||||||
type useradd_exec_t;
|
type useradd_exec_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(useradd_t)
|
kernel_make_object_identity_change_constraint_exception(useradd_t)
|
||||||
domain_make_system_domain(useradd_t,useradd_exec_t)
|
init_make_system_domain(useradd_t,useradd_exec_t)
|
||||||
role system_r types useradd_t;
|
role system_r types useradd_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,5 +1,23 @@
|
|||||||
# Copyright (C) 2005 Tresys Technology, LLC
|
# Copyright (C) 2005 Tresys Technology, LLC
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# kernel_make_userland_entrypoint(domain,entrypoint)
|
||||||
|
#
|
||||||
|
define(`kernel_make_userland_entrypoint',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow kernel_t $2:file { getattr read execute };
|
||||||
|
allow kernel_t $1:process transition;
|
||||||
|
type_transition kernel_t $2:process $1;
|
||||||
|
dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`kernel_make_userland_entrypoint_depend',`
|
||||||
|
type kernel_t;
|
||||||
|
class process { transition noatsecure siginh rlimitinh };
|
||||||
|
class file { getattr read execute };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# kernel_share_state(domain)
|
# kernel_share_state(domain)
|
||||||
@ -1069,24 +1087,6 @@ class lnk_file { getattr read };
|
|||||||
# #
|
# #
|
||||||
###################################################################
|
###################################################################
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# kernel_transition_from(domain,entrypoint)
|
|
||||||
#
|
|
||||||
define(`kernel_transition_from',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
allow kernel_t $2:file { getattr read execute };
|
|
||||||
allow kernel_t $1:process transition;
|
|
||||||
type_transition kernel_t $2:process $1;
|
|
||||||
dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`kernel_transition_from_depend',`
|
|
||||||
type kernel_t;
|
|
||||||
class file { getattr read execute };
|
|
||||||
class process transition;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# kernel_sigchld_from(domain)
|
# kernel_sigchld_from(domain)
|
||||||
|
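Review bot: The header comment for `kernel_make_userland_entrypoint` (the `# kernel_make_userland_entrypoint(domain,entrypoint)` line) names the interface but says nothing about what it grants, and the name suggests more than the body does: the rules give kernel_t transition into `$1` via `$2` plus the `type_transition` default, but nothing here labels `$2` with the `entrypoint` permission, so callers still have to pair it with `domain_make_entrypoint_file` as the init.te and hotplug.te hunks in this commit appear to do. I would say so in the comment, e.g. `# Allow kernel_t to exec $2 and transition to $1 (default transition); $2 must separately be made an entrypoint of $1.` The `dontaudit kernel_t $1:process { noatsecure siginh rlimitinh }` line also deserves a one-line why-comment, since denying those permissions is what makes the kernel-spawned process start with AT_SECURE and reset signal state and rlimits. The replacement interface's `_depend` block now lists all four process permissions, which the removed `kernel_transition_from_depend` did not; that looks like a deliberate fix and is fine.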
@ -18,7 +18,7 @@ files_make_file(cron_spool_t)
|
|||||||
|
|
||||||
type crond_t; #, privmail, nscd_client_domain
|
type crond_t; #, privmail, nscd_client_domain
|
||||||
type crond_exec_t;
|
type crond_exec_t;
|
||||||
domain_make_daemon_domain(crond_t,crond_exec_t)
|
init_make_daemon_domain(crond_t,crond_exec_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(crond_t)
|
domain_make_file_descriptors_widely_inheritable(crond_t)
|
||||||
|
|
||||||
type crond_log_t;
|
type crond_log_t;
|
||||||
@ -35,7 +35,7 @@ files_make_file(crontab_exec_t)
|
|||||||
|
|
||||||
type system_cron_spool_t;
|
type system_cron_spool_t;
|
||||||
type system_crond_t; #, privmail, nscd_client_domain;
|
type system_crond_t; #, privmail, nscd_client_domain;
|
||||||
domain_make_daemon_domain(system_crond_t,anacron_exec_t)
|
init_make_daemon_domain(system_crond_t,anacron_exec_t)
|
||||||
corecommands_make_shell_entrypoint(system_crond_t)
|
corecommands_make_shell_entrypoint(system_crond_t)
|
||||||
role system_r types system_crond_t;
|
role system_r types system_crond_t;
|
||||||
|
|
||||||
|
@ -142,7 +142,7 @@ define(`mta_per_userdomain_template_depend',`
|
|||||||
#
|
#
|
||||||
define(`mta_make_mailserver_domain',`
|
define(`mta_make_mailserver_domain',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
domain_make_daemon_domain($1,$2)
|
init_make_daemon_domain($1,$2)
|
||||||
typeattribute $1 mailserver_domain;
|
typeattribute $1 mailserver_domain;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -32,7 +32,7 @@ tunable_policy(`targeted_policy',`',`
|
|||||||
optional_policy(`sendmail.te', `
|
optional_policy(`sendmail.te', `
|
||||||
domain_make_entrypoint_file(system_mail_t,sendmail_exec_t)
|
domain_make_entrypoint_file(system_mail_t,sendmail_exec_t)
|
||||||
', `
|
', `
|
||||||
domain_make_system_domain(system_mail_t,sendmail_exec_t)
|
init_make_system_domain(system_mail_t,sendmail_exec_t)
|
||||||
') dnl end if sendmail
|
') dnl end if sendmail
|
||||||
') dnl end targeted_policy
|
') dnl end targeted_policy
|
||||||
|
|
||||||
|
@ -25,7 +25,7 @@ files_make_file(login_exec_t)
|
|||||||
|
|
||||||
type pam_console_t;
|
type pam_console_t;
|
||||||
type pam_console_exec_t;
|
type pam_console_exec_t;
|
||||||
domain_make_system_domain(pam_console_t,pam_console_exec_t)
|
init_make_system_domain(pam_console_t,pam_console_exec_t)
|
||||||
role system_r types pam_console_t;
|
role system_r types pam_console_t;
|
||||||
|
|
||||||
domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
|
domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
|
||||||
|
@ -12,7 +12,7 @@ files_make_file(adjtime_t)
|
|||||||
|
|
||||||
type hwclock_t;
|
type hwclock_t;
|
||||||
type hwclock_exec_t;
|
type hwclock_exec_t;
|
||||||
domain_make_system_domain(hwclock_t,hwclock_exec_t)
|
init_make_system_domain(hwclock_t,hwclock_exec_t)
|
||||||
role system_r types hwclock_t;
|
role system_r types hwclock_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -62,60 +62,6 @@ attribute entry_type;
|
|||||||
class file entrypoint;
|
class file entrypoint;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# domain_make_init_domain(domain,entrypointfile)
|
|
||||||
#
|
|
||||||
define(`domain_make_init_domain',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
domain_make_domain($1)
|
|
||||||
domain_make_entrypoint_file($1,$2)
|
|
||||||
typeattribute $1 init_domain;
|
|
||||||
typeattribute $2 init_domain_entry;
|
|
||||||
role system_r types $1;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`domain_make_init_domain_depend',`
|
|
||||||
attribute init_domain, init_domain_entry;
|
|
||||||
role system_r;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# domain_make_daemon_domain(domain,entrypointfile)
|
|
||||||
#
|
|
||||||
define(`domain_make_daemon_domain',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
domain_make_domain($1)
|
|
||||||
domain_make_entrypoint_file($1,$2)
|
|
||||||
typeattribute $1 daemon_domain;
|
|
||||||
typeattribute $2 daemon_domain_entry;
|
|
||||||
role system_r types $1;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`domain_make_daemon_domain_depend',`
|
|
||||||
attribute init_domain, init_domain_entry;
|
|
||||||
role system_r;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# domain_make_system_domain(domain,entrypointfile)
|
|
||||||
#
|
|
||||||
define(`domain_make_system_domain',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
domain_make_domain($1)
|
|
||||||
domain_make_entrypoint_file($1,$2)
|
|
||||||
typeattribute $1 system_domain;
|
|
||||||
typeattribute $2 system_domain_entry;
|
|
||||||
role system_r types $1;
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`domain_make_system_domain_depend',`
|
|
||||||
attribute system_domain, system_domain_entry;
|
|
||||||
role system_r;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_make_file_descriptors_widely_inheritable(domain)
|
# domain_make_file_descriptors_widely_inheritable(domain)
|
||||||
@ -157,60 +103,6 @@ attribute privfd;
|
|||||||
class fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# domain_all_init_domains_transition(domain)
|
|
||||||
#
|
|
||||||
define(`domain_all_init_domains_transition',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
allow $1 init_domain:process transition;
|
|
||||||
allow $1 init_domain_entry:file { getattr read execute };
|
|
||||||
dontaudit $1 init_domain:process { noatsecure siginh rlimitinh };
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`domain_all_init_domains_transition_depend',`
|
|
||||||
attribute init_domain, init_domain_entry;
|
|
||||||
class process { transition noatsecure siginh rlimitinh };
|
|
||||||
class file { getattr read execute };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# domain_all_daemon_domains_transition(domain)
|
|
||||||
#
|
|
||||||
define(`domain_all_daemon_domains_transition',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
allow $1 daemon_domain:process transition;
|
|
||||||
allow $1 daemon_domain_entry:file { getattr read execute };
|
|
||||||
allow daemon_domain $1:fd use;
|
|
||||||
allow $1 daemon_domain:process { noatsecure siginh rlimitinh };
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`domain_all_daemon_domains_transition_depend',`
|
|
||||||
attribute daemon_domain, daemon_domain_entry;
|
|
||||||
class process { transition noatsecure siginh rlimitinh };
|
|
||||||
class file { getattr read execute };
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# domain_all_system_domains_transition(domain)
|
|
||||||
#
|
|
||||||
define(`domain_all_system_domains_transition',`
|
|
||||||
requires_block_template(`$0'_depend)
|
|
||||||
allow $1 system_domain:process transition;
|
|
||||||
allow $1 system_domain_entry:file { getattr read execute };
|
|
||||||
allow system_domain $1:fd use;
|
|
||||||
allow $1 system_domain:process { noatsecure siginh rlimitinh };
|
|
||||||
')
|
|
||||||
|
|
||||||
define(`domain_all_system_domains_transition_depend',`
|
|
||||||
attribute system_domain, system_domain_entry;
|
|
||||||
class process { transition noatsecure siginh rlimitinh };
|
|
||||||
class file { getattr read execute };
|
|
||||||
')
|
|
||||||
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_signal_all_domains(domain)
|
# domain_signal_all_domains(domain)
|
||||||
|
@ -8,20 +8,6 @@ attribute domain;
|
|||||||
# entrypoint executables
|
# entrypoint executables
|
||||||
attribute entry_type;
|
attribute entry_type;
|
||||||
|
|
||||||
# processes started by init itself
|
|
||||||
attribute init_domain;
|
|
||||||
attribute init_domain_entry;
|
|
||||||
|
|
||||||
# short running processes started by init scripts,
|
|
||||||
# such as mount, usually for initializing the system
|
|
||||||
attribute system_domain;
|
|
||||||
attribute system_domain_entry;
|
|
||||||
|
|
||||||
# long running application processes started by
|
|
||||||
# init scripts, such as sshd
|
|
||||||
attribute daemon_domain;
|
|
||||||
attribute daemon_domain_entry;
|
|
||||||
|
|
||||||
# widely-inheritable file descriptors
|
# widely-inheritable file descriptors
|
||||||
attribute privfd;
|
attribute privfd;
|
||||||
|
|
||||||
|
@ -4,7 +4,7 @@ policy_module(getty,1.0)
|
|||||||
|
|
||||||
type getty_t;
|
type getty_t;
|
||||||
type getty_exec_t;
|
type getty_exec_t;
|
||||||
domain_make_init_domain(getty_t,getty_exec_t)
|
init_make_init_domain(getty_t,getty_exec_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(getty_t)
|
domain_make_file_descriptors_widely_inheritable(getty_t)
|
||||||
|
|
||||||
type getty_etc_t;
|
type getty_etc_t;
|
||||||
|
@ -9,7 +9,7 @@ policy_module(hostname,1.0)
|
|||||||
|
|
||||||
type hostname_t;
|
type hostname_t;
|
||||||
type hostname_exec_t;
|
type hostname_exec_t;
|
||||||
domain_make_system_domain(hostname_t,hostname_exec_t)
|
init_make_system_domain(hostname_t,hostname_exec_t)
|
||||||
role system_r types hostname_t;
|
role system_r types hostname_t;
|
||||||
|
|
||||||
|
|
||||||
|
@ -9,7 +9,8 @@ policy_module(hotplug, 1.0)
|
|||||||
|
|
||||||
type hotplug_t;
|
type hotplug_t;
|
||||||
type hotplug_exec_t;
|
type hotplug_exec_t;
|
||||||
domain_make_system_domain(hotplug_t,hotplug_exec_t)
|
kernel_make_userland_entrypoint(hotplug_t,hotplug_exec_t)
|
||||||
|
init_make_system_domain(hotplug_t,hotplug_exec_t)
|
||||||
|
|
||||||
type hotplug_etc_t; #, usercanread;
|
type hotplug_etc_t; #, usercanread;
|
||||||
files_make_file(hotplug_etc_t)
|
files_make_file(hotplug_etc_t)
|
||||||
@ -46,7 +47,6 @@ kernel_read_kernel_sysctl(hotplug_t)
|
|||||||
kernel_read_hardware_state(hotplug_t)
|
kernel_read_hardware_state(hotplug_t)
|
||||||
kernel_read_network_sysctl(hotplug_t)
|
kernel_read_network_sysctl(hotplug_t)
|
||||||
kernel_read_usb_hardware_state(hotplug_t)
|
kernel_read_usb_hardware_state(hotplug_t)
|
||||||
kernel_transition_from(hotplug_t,hotplug_exec_t)
|
|
||||||
|
|
||||||
bootloader_read_kernel_modules(hotplug_t)
|
bootloader_read_kernel_modules(hotplug_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,77 @@
|
|||||||
# Copyright (C) 2005 Tresys Technology, LLC
|
# Copyright (C) 2005 Tresys Technology, LLC
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# init_make_init_domain(domain,entrypointfile)
|
||||||
|
#
|
||||||
|
define(`init_make_init_domain',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
domain_make_domain($1)
|
||||||
|
domain_make_entrypoint_file($1,$2)
|
||||||
|
role system_r types $1;
|
||||||
|
allow init_t $1:process transition;
|
||||||
|
allow init_t $2:file { getattr read execute };
|
||||||
|
dontaudit init_t $1:process { noatsecure siginh rlimitinh };
|
||||||
|
type_transition init_t $2:process $1;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`init_make_init_domain_depend',`
|
||||||
|
type init_t;
|
||||||
|
class file { getattr read execute };
|
||||||
|
class fd use;
|
||||||
|
class process { transition noatsecure siginh rlimitinh };
|
||||||
|
role system_r;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# init_make_daemon_domain(domain,entrypointfile)
|
||||||
|
#
|
||||||
|
define(`init_make_daemon_domain',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
domain_make_domain($1)
|
||||||
|
domain_make_entrypoint_file($1,$2)
|
||||||
|
role system_r types $1;
|
||||||
|
allow initrc_t $1:process transition;
|
||||||
|
allow initrc_t $2:file { getattr read execute };
|
||||||
|
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||||
|
allow $1 initrc_t:fd use;
|
||||||
|
type_transition initrc_t $2:process $1;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`init_make_daemon_domain_depend',`
|
||||||
|
type initrc_t;
|
||||||
|
class file { getattr read execute };
|
||||||
|
class fd use;
|
||||||
|
class process { transition noatsecure siginh rlimitinh };
|
||||||
|
role system_r;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# init_make_system_domain(domain,entrypointfile)
|
||||||
|
#
|
||||||
|
define(`init_make_system_domain',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
domain_make_domain($1)
|
||||||
|
domain_make_entrypoint_file($1,$2)
|
||||||
|
role system_r types $1;
|
||||||
|
allow initrc_t $1:process transition;
|
||||||
|
allow initrc_t $2:file { getattr read execute };
|
||||||
|
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||||
|
allow $1 initrc_t:fd use;
|
||||||
|
type_transition initrc_t $2:process $1;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`init_make_system_domain_depend',`
|
||||||
|
type initrc_t;
|
||||||
|
class file { getattr read execute };
|
||||||
|
class fd use;
|
||||||
|
class process { transition noatsecure siginh rlimitinh };
|
||||||
|
role system_r;
|
||||||
|
')
|
||||||
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_transition(domain)
|
# init_transition(domain)
|
||||||
|
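Review bot: `init_make_init_domain_depend` requires `class fd use;` but the body of `init_make_init_domain` never uses an fd permission, unlike the daemon and system variants which carry `allow $1 initrc_t:fd use;`; either the requirement is a leftover to drop or the body is missing `allow $1 init_t:fd use;`, and since the removed `domain_all_init_domains_transition` had no fd rule either, dropping the requirement looks like the intended reading. The bodies of `init_make_daemon_domain` and `init_make_system_domain` are now line-for-line identical, so the daemon/system distinction the removed `daemon_domain`/`system_domain` attributes carried is gone; if that is intentional the two header comments should say they are currently equivalent, otherwise define one in terms of the other so they cannot drift apart. The removed `domain_all_daemon_domains_transition` and `domain_all_system_domains_transition` granted `allow $1 daemon_domain:process { noatsecure siginh rlimitinh }`, whereas the new interfaces use `dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }`; denying those permissions means processes started from initrc_t now run secure-exec (AT_SECURE set, signal handlers and rlimits reset), which is the stricter and usually preferable setting but is a behavior change the commit message does not mention and should be stated in a comment. Each of the three header comments currently only repeats the interface name; a sentence like `# Make $1 a domain entered from initrc_t via entrypoint $2, with a default type_transition.` would make the contract readable without opening the body.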
@ -18,6 +18,7 @@ role system_r types init_t;
|
|||||||
# init_exec_t is the type of the init program.
|
# init_exec_t is the type of the init program.
|
||||||
#
|
#
|
||||||
type init_exec_t;
|
type init_exec_t;
|
||||||
|
kernel_make_userland_entrypoint(init_t,init_exec_t)
|
||||||
domain_make_entrypoint_file(init_t,init_exec_t)
|
domain_make_entrypoint_file(init_t,init_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -82,7 +83,6 @@ allow init_t initrc_exec_t:file { getattr read execute };
|
|||||||
|
|
||||||
allow init_t self:fifo_file { read write ioctl };
|
allow init_t self:fifo_file { read write ioctl };
|
||||||
|
|
||||||
kernel_transition_from(init_t,init_exec_t)
|
|
||||||
kernel_sigchld_from(init_t)
|
kernel_sigchld_from(init_t)
|
||||||
|
|
||||||
# If you load a new policy that removes active domains, processes can
|
# If you load a new policy that removes active domains, processes can
|
||||||
@ -100,7 +100,6 @@ terminal_use_all_terminals(init_t)
|
|||||||
|
|
||||||
domain_signal_all_domains(init_t)
|
domain_signal_all_domains(init_t)
|
||||||
domain_kill_all_domains(init_t)
|
domain_kill_all_domains(init_t)
|
||||||
domain_all_init_domains_transition(init_t)
|
|
||||||
|
|
||||||
files_modify_system_runtime_data(init_t)
|
files_modify_system_runtime_data(init_t)
|
||||||
|
|
||||||
@ -233,8 +232,6 @@ bootloader_read_kernel_symbol_table(initrc_t)
|
|||||||
|
|
||||||
domain_kill_all_domains(initrc_t)
|
domain_kill_all_domains(initrc_t)
|
||||||
domain_read_all_domains_process_state(initrc_t)
|
domain_read_all_domains_process_state(initrc_t)
|
||||||
domain_all_daemon_domains_transition(initrc_t)
|
|
||||||
domain_all_system_domains_transition(initrc_t)
|
|
||||||
domain_use_widely_inheritable_file_descriptors(initrc_t)
|
domain_use_widely_inheritable_file_descriptors(initrc_t)
|
||||||
|
|
||||||
libraries_modify_dynamic_loader_cache(initrc_t)
|
libraries_modify_dynamic_loader_cache(initrc_t)
|
||||||
|
@ -9,7 +9,7 @@ policy_module(iptables, 1.0)
|
|||||||
|
|
||||||
type iptables_t;
|
type iptables_t;
|
||||||
type iptables_exec_t;
|
type iptables_exec_t;
|
||||||
domain_make_system_domain(iptables_t,iptables_exec_t)
|
init_make_system_domain(iptables_t,iptables_exec_t)
|
||||||
role system_r types iptables_t;
|
role system_r types iptables_t;
|
||||||
|
|
||||||
type iptables_tmp_t;
|
type iptables_tmp_t;
|
||||||
|
@ -24,8 +24,8 @@ type sulogin_exec_t;
|
|||||||
kernel_make_object_identity_change_constraint_exception(sulogin_t)
|
kernel_make_object_identity_change_constraint_exception(sulogin_t)
|
||||||
kernel_make_process_identity_change_constraint_exception(sulogin_t)
|
kernel_make_process_identity_change_constraint_exception(sulogin_t)
|
||||||
kernel_make_role_change_constraint_exception(sulogin_t)
|
kernel_make_role_change_constraint_exception(sulogin_t)
|
||||||
domain_make_init_domain(sulogin_t,sulogin_exec_t)
|
init_make_init_domain(sulogin_t,sulogin_exec_t)
|
||||||
domain_make_system_domain(sulogin_t,sulogin_exec_t)
|
init_make_system_domain(sulogin_t,sulogin_exec_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(sulogin_t)
|
domain_make_file_descriptors_widely_inheritable(sulogin_t)
|
||||||
|
|
||||||
role system_r types sulogin_t;
|
role system_r types sulogin_t;
|
||||||
|
@ -9,7 +9,7 @@ files_make_file(devlog_t)
|
|||||||
|
|
||||||
type klogd_t;
|
type klogd_t;
|
||||||
type klogd_exec_t;
|
type klogd_exec_t;
|
||||||
domain_make_daemon_domain(klogd_t,klogd_exec_t)
|
init_make_daemon_domain(klogd_t,klogd_exec_t)
|
||||||
|
|
||||||
type klogd_tmp_t;
|
type klogd_tmp_t;
|
||||||
files_make_temporary_file(klogd_tmp_t)
|
files_make_temporary_file(klogd_tmp_t)
|
||||||
@ -19,7 +19,7 @@ files_make_daemon_runtime_file(klogd_var_run_t)
|
|||||||
|
|
||||||
type syslogd_t;
|
type syslogd_t;
|
||||||
type syslogd_exec_t;
|
type syslogd_exec_t;
|
||||||
domain_make_daemon_domain(syslogd_t,syslogd_exec_t)
|
init_make_daemon_domain(syslogd_t,syslogd_exec_t)
|
||||||
|
|
||||||
type syslogd_tmp_t;
|
type syslogd_tmp_t;
|
||||||
files_make_temporary_file(syslogd_tmp_t)
|
files_make_temporary_file(syslogd_tmp_t)
|
||||||
|
@ -9,7 +9,7 @@ policy_module(lvm,1.0)
|
|||||||
|
|
||||||
type lvm_t;
|
type lvm_t;
|
||||||
type lvm_exec_t;
|
type lvm_exec_t;
|
||||||
domain_make_system_domain(lvm_t,lvm_exec_t)
|
init_make_system_domain(lvm_t,lvm_exec_t)
|
||||||
# needs privowner because it assigns the identity system_u to device nodes
|
# needs privowner because it assigns the identity system_u to device nodes
|
||||||
# but runs as the identity of the sysadmin
|
# but runs as the identity of the sysadmin
|
||||||
kernel_make_object_identity_change_constraint_exception(lvm_t)
|
kernel_make_object_identity_change_constraint_exception(lvm_t)
|
||||||
|
@ -17,17 +17,18 @@ files_make_file(modules_dep_t)
|
|||||||
|
|
||||||
type insmod_t;
|
type insmod_t;
|
||||||
type insmod_exec_t;
|
type insmod_exec_t;
|
||||||
domain_make_system_domain(insmod_t,insmod_exec_t)
|
kernel_make_userland_entrypoint(insmod_t,insmod_exec_t)
|
||||||
|
init_make_system_domain(insmod_t,insmod_exec_t)
|
||||||
role system_r types insmod_t;
|
role system_r types insmod_t;
|
||||||
|
|
||||||
type depmod_t;
|
type depmod_t;
|
||||||
type depmod_exec_t;
|
type depmod_exec_t;
|
||||||
domain_make_system_domain(depmod_t,depmod_exec_t)
|
init_make_system_domain(depmod_t,depmod_exec_t)
|
||||||
role system_r types depmod_t;
|
role system_r types depmod_t;
|
||||||
|
|
||||||
type update_modules_t;
|
type update_modules_t;
|
||||||
type update_modules_exec_t;
|
type update_modules_exec_t;
|
||||||
domain_make_system_domain(update_modules_t,update_modules_exec_t)
|
init_make_system_domain(update_modules_t,update_modules_exec_t)
|
||||||
role system_r types update_modules_t;
|
role system_r types update_modules_t;
|
||||||
|
|
||||||
type update_modules_tmp_t;
|
type update_modules_tmp_t;
|
||||||
@ -49,8 +50,6 @@ allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
|
|||||||
|
|
||||||
allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
|
allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
|
||||||
|
|
||||||
kernel_transition_from(insmod_t,insmod_exec_t)
|
|
||||||
|
|
||||||
kernel_load_module(insmod_t)
|
kernel_load_module(insmod_t)
|
||||||
|
|
||||||
# Rules for /proc/sys/kernel/tainted
|
# Rules for /proc/sys/kernel/tainted
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
type mount_t;
|
type mount_t;
|
||||||
type mount_exec_t;
|
type mount_exec_t;
|
||||||
domain_make_system_domain(mount_t,mount_exec_t)
|
init_make_system_domain(mount_t,mount_exec_t)
|
||||||
role system_r types mount_t;
|
role system_r types mount_t;
|
||||||
|
|
||||||
type mount_tmp_t;
|
type mount_tmp_t;
|
||||||
|
@ -67,7 +67,7 @@ files_make_file(policy_src_t)
|
|||||||
type restorecon_t, can_relabelto_binary_policy;
|
type restorecon_t, can_relabelto_binary_policy;
|
||||||
type restorecon_exec_t;
|
type restorecon_exec_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
||||||
domain_make_system_domain(restorecon_t,restorecon_exec_t)
|
init_make_system_domain(restorecon_t,restorecon_exec_t)
|
||||||
role system_r types restorecon_t;
|
role system_r types restorecon_t;
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -67,7 +67,7 @@ files_make_file(policy_src_t)
|
|||||||
type restorecon_t, can_relabelto_binary_policy;
|
type restorecon_t, can_relabelto_binary_policy;
|
||||||
type restorecon_exec_t;
|
type restorecon_exec_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
||||||
domain_make_system_domain(restorecon_t,restorecon_exec_t)
|
init_make_system_domain(restorecon_t,restorecon_exec_t)
|
||||||
role system_r types restorecon_t;
|
role system_r types restorecon_t;
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -9,7 +9,7 @@ policy_module(sysnetwork,1.0)
|
|||||||
|
|
||||||
type dhcpc_t;
|
type dhcpc_t;
|
||||||
type dhcpc_exec_t;
|
type dhcpc_exec_t;
|
||||||
domain_make_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
init_make_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
||||||
role system_r types dhcpc_t;
|
role system_r types dhcpc_t;
|
||||||
|
|
||||||
type dhcpc_state_t;
|
type dhcpc_state_t;
|
||||||
@ -23,7 +23,7 @@ files_make_daemon_runtime_file(dhcpc_var_run_t)
|
|||||||
|
|
||||||
type ifconfig_t;
|
type ifconfig_t;
|
||||||
type ifconfig_exec_t;
|
type ifconfig_exec_t;
|
||||||
domain_make_system_domain(ifconfig_t, ifconfig_exec_t)
|
init_make_system_domain(ifconfig_t, ifconfig_exec_t)
|
||||||
role system_r types ifconfig_t;
|
role system_r types ifconfig_t;
|
||||||
|
|
||||||
type net_conf_t alias resolv_conf_t;
|
type net_conf_t alias resolv_conf_t;
|
||||||
|
@ -10,8 +10,9 @@ policy_module(udev,1.0)
|
|||||||
type udev_t; # nscd_client_domain
|
type udev_t; # nscd_client_domain
|
||||||
type udev_exec_t;
|
type udev_exec_t;
|
||||||
type udev_helper_exec_t;
|
type udev_helper_exec_t;
|
||||||
|
kernel_make_userland_entrypoint(udev_t,udev_exec_t)
|
||||||
kernel_make_object_identity_change_constraint_exception(udev_t)
|
kernel_make_object_identity_change_constraint_exception(udev_t)
|
||||||
domain_make_daemon_domain(udev_t,udev_exec_t)
|
init_make_daemon_domain(udev_t,udev_exec_t)
|
||||||
domain_make_entrypoint_file(udev_t,udev_helper_exec_t)
|
domain_make_entrypoint_file(udev_t,udev_helper_exec_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(udev_t)
|
domain_make_file_descriptors_widely_inheritable(udev_t)
|
||||||
|
|
||||||
@ -74,7 +75,6 @@ kernel_compute_selinux_av(udev_t)
|
|||||||
kernel_compute_create(udev_t)
|
kernel_compute_create(udev_t)
|
||||||
kernel_compute_relabel(udev_t)
|
kernel_compute_relabel(udev_t)
|
||||||
kernel_compute_reachable_user_contexts(udev_t)
|
kernel_compute_reachable_user_contexts(udev_t)
|
||||||
kernel_transition_from(udev_t,udev_exec_t)
|
|
||||||
|
|
||||||
devices_manage_device_nodes(udev_t)
|
devices_manage_device_nodes(udev_t)
|
||||||
|
|
||||||
|