reorder for more consistency
This commit is contained in:
parent
dec1686f0b
commit
1832271029
|
@ -33,17 +33,17 @@ files_make_file(update_modules_tmp_t)
|
|||
# insmod local policy
|
||||
#
|
||||
|
||||
allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
|
||||
|
||||
# Read module config and dependency information
|
||||
allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
|
||||
|
||||
allow insmod_t self:capability { dac_override net_raw sys_tty_config };
|
||||
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow insmod_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow insmod_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
|
||||
# Read module config and dependency information
|
||||
allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
|
||||
|
||||
allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
|
||||
|
||||
kernel_transition_from(insmod_t,insmod_exec_t)
|
||||
|
||||
kernel_load_module(insmod_t)
|
||||
|
@ -192,6 +192,7 @@ dontaudit update_modules_t depmod_t : process { noatsecure siginh rlimitinh };
|
|||
|
||||
allow update_modules_t update_modules_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
allow update_modules_t update_modules_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctl(update_modules_t)
|
||||
kernel_read_system_state(update_modules_t)
|
||||
|
@ -211,7 +212,6 @@ domain_use_widely_inheritable_file_descriptors(depmod_t)
|
|||
files_read_runtime_system_config(update_modules_t)
|
||||
files_read_general_system_config(update_modules_t)
|
||||
files_execute_system_config_script(update_modules_t)
|
||||
files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
|
||||
|
||||
corecommands_execute_general_programs(update_modules_t)
|
||||
corecommands_execute_system_programs(update_modules_t)
|
||||
|
|
Loading…
Reference in New Issue