remove lvm_vg_t
This commit is contained in:
Chris PeBenito
parent
9417cb7ad1
commit
017bab0575
|
|
@ -1,3 +1,4 @@
|
|||
- Remove unused lvm_vg_t.
|
||||
- Many interface renames to improve naming consistency.
|
||||
- Merge xdm into xserver.
|
||||
- Remove kernel module reversed interfaces.
|
||||
|
|
|
|||
|
|
@ -242,50 +242,6 @@ interface(`storage_swapon_fixed_disk',`
|
|||
allow $1 fixed_disk_device_t:blk_file { getattr swapon };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to directly read from a logical volume.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_raw_read_lvm_volume',`
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read;
|
||||
type lvm_vg_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 lvm_vg_t:blk_file r_file_perms;
|
||||
typeattribute $1 fixed_disk_raw_read;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to directly read from a logical volume.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_raw_write_lvm_volume',`
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_write;
|
||||
type lvm_vg_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
|
||||
typeattribute $1 fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to get the attributes of
|
||||
|
|
@ -648,12 +604,12 @@ interface(`storage_setattr_tape_dev',`
|
|||
interface(`storage_unconfined',`
|
||||
gen_require(`
|
||||
type fixed_disk_device_t, removable_device_t;
|
||||
type lvm_vg_t, scsi_generic_device_t, tape_device_t;
|
||||
type scsi_generic_device_t, tape_device_t;
|
||||
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
attribute scsi_generic_read, scsi_generic_write;
|
||||
')
|
||||
|
||||
allow $1 { fixed_disk_device_t removable_device_t lvm_vg_t }:blk_file *;
|
||||
allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
|
||||
allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;
|
||||
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
|
|
|
|||
|
|
@ -15,23 +15,12 @@ attribute scsi_generic_write;
|
|||
# fixed_disk_device_t is the type of
|
||||
# /dev/hd* and /dev/sd*.
|
||||
#
|
||||
type fixed_disk_device_t;
|
||||
type fixed_disk_device_t alias lvm_vg_t;
|
||||
dev_node(fixed_disk_device_t)
|
||||
|
||||
neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
|
||||
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
|
||||
|
||||
#
|
||||
# lvm_vg_t is the type of logical volume groups
|
||||
#
|
||||
type lvm_vg_t;
|
||||
dev_node(lvm_vg_t)
|
||||
|
||||
# from the subject's point of view, same as read/writing a regular
|
||||
# fixed disk, so use the same assertions as above
|
||||
neverallow ~fixed_disk_raw_read lvm_vg_t:{ chr_file blk_file } read;
|
||||
neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write };
|
||||
|
||||
#
|
||||
# scsi_generic_device_t is the type of /dev/sg*
|
||||
# it gives access to ALL SCSI devices (both fixed and removable)
|
||||
|
|
|
|||
Loading…
Reference in New Issue