start adding infrastructure for the constraint exceptions
This commit is contained in:
Chris PeBenito
parent
c5b5a7479a
commit
18f25afdf6
|
|
@ -10,7 +10,8 @@ policy_module(usermanage,1.0)
|
|||
type admin_passwd_exec_t;
|
||||
files_make_file(admin_passwd_exec_t)
|
||||
|
||||
type chfn_t; #, auth_chkpwd, privowner
|
||||
type chfn_t; #, auth_chkpwd
|
||||
kernel_make_object_identity_change_constraint_exception(chfn_t)
|
||||
domain_make_domain(chfn_t)
|
||||
role system_r types chfn_t;
|
||||
|
||||
|
|
@ -29,27 +30,31 @@ files_make_file(crack_db_t)
|
|||
type crack_tmp_t;
|
||||
files_make_file(crack_tmp_t)
|
||||
|
||||
type groupadd_t; #, privowner, nscd_client_domain;
|
||||
type groupadd_t; #, nscd_client_domain;
|
||||
type groupadd_exec_t;
|
||||
kernel_make_object_identity_change_constraint_exception(groupadd_t)
|
||||
domain_make_system_domain(groupadd_t,groupadd_exec_t)
|
||||
role system_r types groupadd_t;
|
||||
|
||||
type passwd_t; #,auth_write, privowner;
|
||||
type passwd_t; #,auth_write;
|
||||
kernel_make_object_identity_change_constraint_exception(passwd_t)
|
||||
domain_make_domain(passwd_t)
|
||||
role system_r types passwd_t;
|
||||
|
||||
type passwd_exec_t;
|
||||
domain_make_entrypoint_file(passwd_t,passwd_exec_t)
|
||||
|
||||
type sysadm_passwd_t; #, auth_write, privowner;
|
||||
type sysadm_passwd_t; #, auth_write
|
||||
kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t)
|
||||
domain_make_domain(sysadm_passwd_t)
|
||||
domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t)
|
||||
|
||||
type sysadm_passwd_tmp_t;
|
||||
files_make_file(sysadm_passwd_tmp_t)
|
||||
|
||||
type useradd_t; #, privowner, nscd_client_domain;
|
||||
type useradd_t; # nscd_client_domain;
|
||||
type useradd_exec_t;
|
||||
kernel_make_object_identity_change_constraint_exception(useradd_t)
|
||||
domain_make_system_domain(useradd_t,useradd_exec_t)
|
||||
role system_r types useradd_t;
|
||||
|
||||
|
|
|
|||
|
|
@ -56,6 +56,45 @@ type kernel_t;
|
|||
class dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_make_process_identity_change_constraint_exception(domain)
|
||||
#
|
||||
define(`kernel_make_process_identity_change_constraint_exception',`
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 can_change_process_identity;
|
||||
')
|
||||
|
||||
define(`kernel_make_process_identity_change_constraint_exception_depend',`
|
||||
attribute can_change_process_identity;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_make_role_change_constraint_exception(domain)
|
||||
#
|
||||
define(`kernel_make_role_change_constraint_exception',`
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 can_change_process_role;
|
||||
')
|
||||
|
||||
define(`kernel_make_role_change_constraint_exception_depend',`
|
||||
attribute can_change_process_role;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_make_object_identity_change_constraint_exception(domain)
|
||||
#
|
||||
define(`kernel_make_object_identity_change_constraint_exception',`
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 can_change_object_identity;
|
||||
')
|
||||
|
||||
define(`kernel_make_object_identity_change_constraint_exception_depend',`
|
||||
attribute can_change_object_identity;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_load_module(domain)
|
||||
|
|
|
|||
|
|
@ -2,12 +2,18 @@
|
|||
|
||||
policy_module(kernel,1.0)
|
||||
|
||||
# assertion related attributes
|
||||
attribute can_load_policy;
|
||||
attribute can_setenforce;
|
||||
attribute can_setsecparam;
|
||||
attribute can_load_kernmodule;
|
||||
attribute can_receive_kernel_messages;
|
||||
|
||||
# constraint related attributes
|
||||
attribute can_change_process_identity;
|
||||
attribute can_change_process_role;
|
||||
attribute can_change_object_identity;
|
||||
|
||||
#
|
||||
# kernel_t is the domain of kernel threads.
|
||||
# It is also the target type when checking permissions in the system class.
|
||||
|
|
|
|||
|
|
@ -7,7 +7,10 @@ policy_module(authlogin,1.0)
|
|||
# Declarations
|
||||
#
|
||||
|
||||
type remote_login_t; #, privuser, privrole, privlog, auth_chkpwd, privowner, nscd_client_domain;
|
||||
type remote_login_t; #, privlog, auth_chkpwd, nscd_client_domain;
|
||||
kernel_make_object_identity_change_constraint_exception(remote_login_t)
|
||||
kernel_make_process_identity_change_constraint_exception(remote_login_t)
|
||||
kernel_make_role_change_constraint_exception(remote_login_t)
|
||||
domain_make_domain(remote_login_t)
|
||||
domain_make_file_descriptors_widely_inheritable(remote_login_t)
|
||||
authlogin_make_login_program_entrypoint(remote_login_t)
|
||||
|
|
|
|||
|
|
@ -7,7 +7,10 @@ policy_module(locallogin,1.0)
|
|||
# Declarations
|
||||
#
|
||||
|
||||
type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, nscd_client_domain;
|
||||
type local_login_t; #, auth_chkpwd, nscd_client_domain;
|
||||
kernel_make_object_identity_change_constraint_exception(local_login_t)
|
||||
kernel_make_process_identity_change_constraint_exception(local_login_t)
|
||||
kernel_make_role_change_constraint_exception(local_login_t)
|
||||
domain_make_domain(local_login_t)
|
||||
domain_make_file_descriptors_widely_inheritable(local_login_t)
|
||||
authlogin_make_login_program_entrypoint(local_login_t)
|
||||
|
|
|
|||
|
|
@ -38,7 +38,9 @@ role system_r types load_policy_t;
|
|||
type load_policy_exec_t;
|
||||
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
|
||||
|
||||
type newrole_t; #, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
|
||||
type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||
kernel_make_role_change_constraint_exception(newrole_t)
|
||||
kernel_make_object_identity_change_constraint_exception(newrole_t)
|
||||
domain_make_domain(newrole_t)
|
||||
|
||||
type newrole_exec_t;
|
||||
|
|
@ -61,7 +63,8 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
|||
type policy_src_t;
|
||||
files_make_file(policy_src_t)
|
||||
|
||||
type restorecon_t, can_relabelto_binary_policy; #, privowner, auth_write, change_context;
|
||||
type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
|
||||
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
||||
domain_make_domain(restorecon_t)
|
||||
role system_r types restorecon_t;
|
||||
|
||||
|
|
@ -75,7 +78,8 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
|
|||
type selinux_config_t;
|
||||
files_make_file(selinux_config_t)
|
||||
|
||||
type setfiles_t, can_relabelto_binary_policy; # privlog, privowner, auth_write, change_context;
|
||||
type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
|
||||
kernel_make_object_identity_change_constraint_exception(setfiles_t)
|
||||
domain_make_domain(setfiles_t)
|
||||
role system_r types setfiles_t;
|
||||
|
||||
|
|
|
|||
|
|
@ -38,7 +38,9 @@ role system_r types load_policy_t;
|
|||
type load_policy_exec_t;
|
||||
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
|
||||
|
||||
type newrole_t; #, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
|
||||
type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||
kernel_make_role_change_constraint_exception(newrole_t)
|
||||
kernel_make_object_identity_change_constraint_exception(newrole_t)
|
||||
domain_make_domain(newrole_t)
|
||||
|
||||
type newrole_exec_t;
|
||||
|
|
@ -61,7 +63,8 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
|||
type policy_src_t;
|
||||
files_make_file(policy_src_t)
|
||||
|
||||
type restorecon_t, can_relabelto_binary_policy; #, privowner, auth_write, change_context;
|
||||
type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
|
||||
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
||||
domain_make_domain(restorecon_t)
|
||||
role system_r types restorecon_t;
|
||||
|
||||
|
|
@ -75,7 +78,8 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
|
|||
type selinux_config_t;
|
||||
files_make_file(selinux_config_t)
|
||||
|
||||
type setfiles_t, can_relabelto_binary_policy; # privlog, privowner, auth_write, change_context;
|
||||
type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
|
||||
kernel_make_object_identity_change_constraint_exception(setfiles_t)
|
||||
domain_make_domain(setfiles_t)
|
||||
role system_r types setfiles_t;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue