selinuxutil: adjustments
* no negative permission matching for newrole_t:process * do not label /usr/lib/selinux as policy_src_t, otherwise semodule can not run /usr/lib/selinux/hll/pp * reorder label for /run/restorecond.pid * fix systemd related denials
This commit is contained in:
cgzones
parent
d9980666a4
commit
61b72e0796
|
|
@ -3,50 +3,49 @@
|
|||
#
|
||||
# /etc
|
||||
#
|
||||
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
||||
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
||||
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
||||
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
|
||||
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||
/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
|
||||
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
|
||||
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
||||
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
||||
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
||||
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
|
||||
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||
/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
|
||||
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
|
||||
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||
|
||||
#
|
||||
# /root
|
||||
#
|
||||
/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0)
|
||||
/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0)
|
||||
|
||||
#
|
||||
# /run
|
||||
#
|
||||
/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_run_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
|
||||
/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
|
||||
/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
|
||||
/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
|
||||
|
||||
/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
|
||||
/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)
|
||||
/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)
|
||||
|
||||
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
|
||||
/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
|
||||
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
|
||||
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
|
||||
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
|
||||
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
|
||||
/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
|
||||
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
|
||||
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
|
||||
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
|
||||
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
|
||||
#
|
||||
# /var/lib
|
||||
#
|
||||
/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
|
||||
/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
|
||||
/usr/lib/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
|
||||
#
|
||||
# /var/run
|
||||
#
|
||||
/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
|
||||
/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
|
||||
/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
|
||||
/usr/lib/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -88,8 +88,9 @@ role system_r types restorecond_t;
|
|||
type restorecond_unit_t;
|
||||
init_unit_file(restorecond_unit_t)
|
||||
|
||||
type restorecond_var_run_t;
|
||||
files_pid_file(restorecond_var_run_t)
|
||||
type restorecond_run_t;
|
||||
typealias restorecond_run_t alias restorecond_var_run_t;
|
||||
files_pid_file(restorecond_run_t)
|
||||
|
||||
type run_init_t;
|
||||
type run_init_exec_t;
|
||||
|
|
@ -221,7 +222,6 @@ optional_policy(`
|
|||
#
|
||||
|
||||
allow newrole_t self:capability { dac_override fowner setgid setuid };
|
||||
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow newrole_t self:process setexec;
|
||||
allow newrole_t self:fd use;
|
||||
allow newrole_t self:fifo_file rw_fifo_file_perms;
|
||||
|
|
@ -301,6 +301,21 @@ ifdef(`distro_ubuntu',`
|
|||
')
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
optional_policy(`
|
||||
systemd_use_logind_fds(newrole_t)
|
||||
systemd_dbus_chat_logind(newrole_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(newrole_t)
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(newrole_t)
|
||||
')
|
||||
')
|
||||
|
||||
# if secure mode is enabled, then newrole
|
||||
# can only transition to unprivileged users
|
||||
if(secure_mode) {
|
||||
|
|
@ -321,8 +336,8 @@ tunable_policy(`allow_polyinstantiation',`
|
|||
allow restorecond_t self:capability { dac_override dac_read_search fowner };
|
||||
allow restorecond_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow restorecond_t restorecond_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
|
||||
allow restorecond_t restorecond_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(restorecond_t, restorecond_run_t, file)
|
||||
|
||||
kernel_use_fds(restorecond_t)
|
||||
kernel_rw_pipes(restorecond_t)
|
||||
|
|
|
|||
Loading…
Reference in New Issue