trunk: filesystem patch from dan.
parent
e1a70f1dde
commit
c45fdad85b
|
@ -645,6 +645,24 @@ interface(`fs_dontaudit_list_cifs',`
|
|||
dontaudit $1 cifs_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mounton a CIFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_mounton_cifs',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
allow $1 cifs_t:dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files on a CIFS or SMB filesystem.
|
||||
|
@ -794,6 +812,46 @@ interface(`fs_dontaudit_read_cifs_files',`
|
|||
dontaudit $1 cifs_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Append files
|
||||
## on a CIFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_append_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
append_files_pattern($1, cifs_t, cifs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit Append files
|
||||
## on a CIFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_dontaudit_append_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 cifs_t:file append_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read or
|
||||
|
@ -1188,6 +1246,25 @@ interface(`fs_search_dos',`
|
|||
allow $1 dosfs_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete dirs
|
||||
## on a DOS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_manage_dos_dirs',`
|
||||
gen_require(`
|
||||
type dosfs_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, dosfs_t, dosfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files on a DOS filesystem.
|
||||
|
@ -1284,6 +1361,144 @@ interface(`fs_unmount_fusefs',`
|
|||
allow $1 fusefs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search directories
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_search_fusefs',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete directories
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_manage_fusefs_dirs',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to create, read,
|
||||
## write, and delete directories
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_manage_fusefs_dirs',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 fusefs_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read, a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_read_fusefs_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1,fusefs_t,fusefs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_manage_fusefs_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, fusefs_t, fusefs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to create,
|
||||
## read, write, and delete files
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_manage_fusefs_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 fusefs_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_read_fusefs_symlinks',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:dir list_dir_perms;
|
||||
read_lnk_files_pattern($1, fusefs_t, fusefs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write hugetlbfs files.
|
||||
|
@ -1586,6 +1801,24 @@ interface(`fs_dontaudit_list_nfs',`
|
|||
dontaudit $1 nfs_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mounton a NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_mounton_nfs',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
allow $1 nfs_t:dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files on a NFS filesystem.
|
||||
|
@ -1664,6 +1897,46 @@ interface(`fs_exec_nfs_files',`
|
|||
exec_files_pattern($1, nfs_t, nfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Append files
|
||||
## on a NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_append_nfs_files',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
append_files_pattern($1, nfs_t, nfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit Append files
|
||||
## on a NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_dontaudit_append_nfs_files',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 nfs_t:file append_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read or
|
||||
|
@ -1680,7 +1953,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
|
|||
type nfs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 nfs_t:file { read write };
|
||||
dontaudit $1 nfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1866,6 +2139,24 @@ interface(`fs_read_removable_symlinks',`
|
|||
read_lnk_files_pattern($1, removable_t, removable_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write block nodes on removable filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_rw_removable_blk_files',`
|
||||
gen_require(`
|
||||
type removable_t;
|
||||
')
|
||||
|
||||
rw_blk_files_pattern($1, removable_t, removable_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read directories of RPC file system pipes.
|
||||
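Review bot: The two new dontaudit interfaces, `fs_dontaudit_append_cifs_files` and `fs_dontaudit_append_nfs_files`, are documented as if they granted access: the parameter text is `## Domain allowed access.` and the summary begins `## dontaudit Append files`, while their bodies only suppress audit records for `append_file_perms`. I would reuse the wording that `fs_dontaudit_manage_fusefs_files` already has in this commit, `## Domain to not audit.`, with a summary such as `## Do not audit attempts to append files on a CIFS filesystem.` (and the NFS equivalent). The `## <rolecap/>` tag also looks out of place on a rule that grants nothing. The summary of `fs_read_fusefs_files`, `## Read, a FUSEFS filesystem.`, is truncated and should read `## Read files on a FUSEFS filesystem.`. Separately, the `fs_dontaudit_rw_nfs_files` hunk shows both `{ read write }` and `rw_file_perms`; if the macro form is the new side, more kinds of denied access to `nfs_t` files stop being logged for the calling domain, which deserves a line in the commit message.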
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(filesystem, 1.11.2)
|
||||
policy_module(filesystem, 1.11.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -21,7 +21,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
|
|||
|
||||
# Use xattrs for the following filesystem types.
|
||||
# Requires that a security xattr handler exist for the filesystem.
|
||||
fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
|
||||
|
@ -33,7 +33,6 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
|
|||
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
|
||||
|
||||
# Use the allocating task SID to label inodes in the following filesystem
|
||||
# types, and label the filesystem itself with the specified context.
|
||||
|
@ -77,6 +76,11 @@ fs_type(cpusetfs_t)
|
|||
allow cpusetfs_t self:filesystem associate;
|
||||
genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
|
||||
|
||||
type ecryptfs_t;
|
||||
fs_noxattr_type(ecryptfs_t)
|
||||
files_mountpoint(ecryptfs_t)
|
||||
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
|
||||
|
||||
type eventpollfs_t;
|
||||
fs_type(eventpollfs_t)
|
||||
# change to task SID 20060628
|
||||
|
@ -142,6 +146,8 @@ type vmblock_t;
|
|||
fs_noxattr_type(vmblock_t)
|
||||
files_mountpoint(vmblock_t)
|
||||
genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
|
||||
genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
|
||||
genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0)
|
||||
|
||||
type vxfs_t;
|
||||
fs_noxattr_type(vxfs_t)
|
||||
|
@ -236,10 +242,12 @@ files_mountpoint(nfs_t)
|
|||
genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon coda / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
|
||||
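Review bot: The new `ecryptfs_t` block labels every object on an ecryptfs mount with a single `genfscon` context, and the hunk at line 21 appears to drop `fs_use_xattr ecryptfs` in the same commit, so per-file labels on ecryptfs (an encrypted home directory, for instance) collapse to one type. None of the interface hunks shown for this commit adds an `fs_*_ecryptfs*` interface, so it is not visible here how a domain is meant to be granted access to `ecryptfs_t`; a comment above the block saying why xattr labeling was given up would help. The `genfscon vboxsf` and `genfscon vmhgfs` lines likewise reuse `vmblock_t`, so any domain allowed on `vmblock_t` also reaches host-shared folders; a comment such as `# host-guest shared folders deliberately share the vmblock_t label` would record that this is intended. `lustre` also appears on this page under both `fs_use_xattr` and `genfscon ... nfs_t`; as far as I know the `fs_use_*` statement takes precedence, which would leave the `genfscon` entry without effect, so one of the two should go.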
|
|