try to knock out more of the distro_debian bootloader stuff
This commit is contained in:
parent
21468a6076
commit
5f38a65aab
|
@ -110,6 +110,7 @@ dev_read_raw_memory(bootloader_t)
|
|||
fs_getattr_xattr_fs(bootloader_t)
|
||||
|
||||
term_getattr_all_user_ttys(bootloader_t)
|
||||
term_dontaudit_manage_pty_dir(bootloader_t)
|
||||
|
||||
corecmd_exec_bin(bootloader_t)
|
||||
corecmd_exec_sbin(bootloader_t)
|
||||
|
@ -149,8 +150,18 @@ ifdef(`distro_debian',`
|
|||
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
|
||||
allow bootloader_t boot_t:file relabelfrom;
|
||||
|
||||
fs_list_tmpfs(bootloader_t)
|
||||
|
||||
files_relabelto_usr_files(bootloader_t)
|
||||
files_search_var_lib(bootloader_t)
|
||||
files_list_script_pids(bootloader_t)
|
||||
# for /usr/share/initrd-tools/scripts
|
||||
files_exec_usr_files(bootloader_t)
|
||||
|
||||
fstools_manage_entry_files(bootloader_t)
|
||||
fstools_relabelto_entry_files(bootloader_t)
|
||||
|
||||
libs_relabelto_lib_files(bootloader_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
@ -204,16 +215,15 @@ optional_policy(`userdomain.te',`
|
|||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
dontaudit bootloader_t devpts_t:dir create_dir_perms;
|
||||
ifdef(`distro_debian', `
|
||||
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
|
||||
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
|
||||
allow bootloader_t tmpfs_t:dir r_dir_perms;
|
||||
allow bootloader_t initrc_var_run_t:dir r_dir_perms;
|
||||
allow bootloader_t var_lib_t:dir search;
|
||||
# cjp: there is no setfscreate or type_transition, and
|
||||
# bootloader_t cannot rw a usr_t or lib_t directory, so
|
||||
# how can this work? This is probably rw_file_perms,
|
||||
# possibly with unlink. Files are probably "created"
|
||||
# by the above relabeling permissions.
|
||||
allow bootloader_t { usr_t lib_t }:file create_file_perms;
|
||||
|
||||
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
|
||||
allow bootloader_t dpkg_var_lib_t:file { getattr read };
|
||||
|
||||
')
|
||||
|
||||
') dnl end TODO
|
||||
|
|
|
@ -233,7 +233,7 @@ interface(`term_list_ptys',`
|
|||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read the
|
||||
## /dev/pts directory to.
|
||||
## /dev/pts directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
|
@ -248,6 +248,24 @@ interface(`term_dontaudit_list_ptys',`
|
|||
dontaudit $1 devpts_t:dir { getattr search read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to create, read,
|
||||
## write, or delete the /dev/pts directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_manage_pty_dir',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
class dir create_dir_perms;
|
||||
')
|
||||
|
||||
dontaudit $1 devpts_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write the generic pty
|
||||
|
|
|
@ -1591,6 +1591,23 @@ interface(`files_read_usr_files',`
|
|||
allow $1 usr_t:{ file lnk_file } r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel a file to the type used in /usr.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabelto_usr_files',`
|
||||
gen_require(`
|
||||
type usr_t;
|
||||
class file relabelto;
|
||||
')
|
||||
|
||||
allow $1 usr_t:file relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links in /usr.
|
||||
|
|
|
@ -65,3 +65,38 @@ interface(`fstools_exec',`
|
|||
|
||||
can_exec($1,fsadm_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel a file to the type used by the
|
||||
## filesystem tools programs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fstools_relabelto_entry_files',`
|
||||
gen_require(`
|
||||
type fsadm_exec_t;
|
||||
')
|
||||
|
||||
allow $1 fsadm_exec_t:file relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete a file used by the
|
||||
## filesystem tools programs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fstools_manage_entry_files',`
|
||||
gen_require(`
|
||||
type fsadm_exec_t;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 fsadm_exec_t:file create_file_perms;
|
||||
')
|
||||
|
|
|
@ -484,6 +484,24 @@ interface(`init_rw_script_tmp_files',`
|
|||
allow $1 initrc_tmp_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of an init script
|
||||
## process id directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
##
|
||||
interface(`init_list_script_pids',`
|
||||
gen_require(`
|
||||
type initrc_var_run_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 initrc_var_run_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_read_script_pid(domain)
|
||||
|
|
|
@ -195,6 +195,23 @@ interface(`libs_exec_lib_files',`
|
|||
can_exec($1,lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel files to the type used in library directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_relabelto_lib_files',`
|
||||
gen_require(`
|
||||
type lib_t;
|
||||
class file relabelto;
|
||||
')
|
||||
|
||||
allow $1 lib_t:file relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Load and execute functions from shared libraries.
|
||||
|
|
Loading…
Reference in New Issue