Slocate patch from Dan Walsh.
Locate attempts to look at network state, does getattr on all blk/chr device nodes labelled with a filesystem type, and reads symlinks on filesystems without xattr labels.
parent
2c207dfa49
commit
eab2cc89b4
@ -1,4 +1,4 @@
|
||||||
policy_module(slocate, 1.9.0)
|
policy_module(slocate, 1.9.1)
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
#
|
#
|
||||||
|
@ -29,6 +29,7 @@ manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
|
||||||
manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
|
manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
|
||||||
|
|
||||||
kernel_read_system_state(locate_t)
|
kernel_read_system_state(locate_t)
|
||||||
|
kernel_dontaudit_search_network_state(locate_t)
|
||||||
kernel_dontaudit_search_sysctl(locate_t)
|
kernel_dontaudit_search_sysctl(locate_t)
|
||||||
|
|
||||||
corecmd_exec_bin(locate_t)
|
corecmd_exec_bin(locate_t)
|
||||||
|
@ -47,8 +48,11 @@ fs_getattr_all_fs(locate_t)
|
||||||
fs_getattr_all_files(locate_t)
|
fs_getattr_all_files(locate_t)
|
||||||
fs_getattr_all_pipes(locate_t)
|
fs_getattr_all_pipes(locate_t)
|
||||||
fs_getattr_all_symlinks(locate_t)
|
fs_getattr_all_symlinks(locate_t)
|
||||||
|
fs_getattr_all_blk_files(locate_t)
|
||||||
|
fs_getattr_all_chr_files(locate_t)
|
||||||
fs_list_all(locate_t)
|
fs_list_all(locate_t)
|
||||||
fs_list_inotifyfs(locate_t)
|
fs_list_inotifyfs(locate_t)
|
||||||
|
fs_read_noxattr_fs_symlinks(locate_t)
|
||||||
|
|
||||||
# getpwnam
|
# getpwnam
|
||||||
auth_use_nsswitch(locate_t)
|
auth_use_nsswitch(locate_t)
|
||||||
|
|
|
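Review bot: `fs_read_noxattr_fs_symlinks(locate_t)` grants `read` on lnk_file — i.e. resolving the link target — whereas every neighbouring rule in this hunk grants only `getattr`, and `fs_getattr_all_symlinks(locate_t)` a few lines above presumably already covers an lstat() of those same links; nothing records why updatedb must follow symlinks on filesystems without xattr labels. If the denial being silenced was only a stat() of the link, the read rule is more than least privilege needs and can go; if updatedb really resolves link targets there, a comment such as `# updatedb follows symlinks on filesystems that carry no per-file xattr labels` next to the rule would stop the next reviewer from trimming it. Separately, `fs_getattr_all_blk_files`/`fs_getattr_all_chr_files` only reach device nodes whose own label is a filesystem type; nodes under /dev carry device types, so if the indexer also stats those, the devices-module equivalents (`dev_getattr_all_blk_files`/`dev_getattr_all_chr_files`) are needed as well, unless they already appear in the part of slocate.te outside this hunk. The locate_t rule block continues outside the hunk on both sides.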
@ -4572,6 +4572,44 @@ interface(`fs_dontaudit_getattr_all_sockets',`
|
||||||
dontaudit $1 filesystem_type:sock_file getattr;
|
dontaudit $1 filesystem_type:sock_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of all block device nodes with
|
||||||
|
## a filesystem type.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_getattr_all_blk_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute filesystem_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
getattr_blk_files_pattern($1, filesystem_type, filesystem_type)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of all character device nodes with
|
||||||
|
## a filesystem type.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_getattr_all_chr_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute filesystem_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
getattr_chr_files_pattern($1, filesystem_type, filesystem_type)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Unconfined access to filesystems
|
## Unconfined access to filesystems
|
||||||
|
|
|
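Review bot: The `<summary>` of `fs_getattr_all_blk_files` ("all block device nodes with a filesystem type") is easy to read as "every block device", but `getattr_blk_files_pattern($1, filesystem_type, filesystem_type)` only matches nodes whose own label carries the filesystem_type attribute — nodes living on filesystems labelled by type rather than by xattr — and, like the sibling `*_pattern` macros, presumably also grants directory search on that attribute; /dev nodes labelled with device types are not covered at all. Spelling that out keeps policy authors from reaching for this interface instead of the devices-module ones, e.g. replacing the summary with `## Get the attributes of block device nodes labeled with a filesystem type (nodes on filesystems without per-file xattr labels). Device nodes under /dev are not covered; use the devices module for those.` and the matching wording for `fs_getattr_all_chr_files`. Otherwise the two interfaces mirror the existing `fs_getattr_all_files`/`fs_getattr_all_pipes` shape and sit in the right place in the file.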
@ -1,4 +1,4 @@
|
||||||
policy_module(filesystem, 1.13.0)
|
policy_module(filesystem, 1.13.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|