add userdomain:fd use
This commit is contained in:
parent
490639cd57
commit
26c87e0c42
|
@ -115,14 +115,16 @@ filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
|
|||
|
||||
terminal_use_console(checkpolicy_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
|
||||
|
||||
init_use_file_descriptors(checkpolicy_t)
|
||||
init_script_use_pseudoterminal(checkpolicy_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
|
||||
|
||||
libraries_use_dynamic_loader(checkpolicy_t)
|
||||
libraries_use_shared_libraries(checkpolicy_t)
|
||||
|
||||
userdomain_use_all_users_file_descriptors(checkpolicy_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types checkpolicy_t;
|
||||
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
|
||||
|
@ -138,9 +140,6 @@ ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
|
|||
# Allow users to execute checkpolicy without a domain transition
|
||||
# so it can be used without privilege to write real binary policy file
|
||||
can_exec(unpriv_userdomain, checkpolicy_exec_t)
|
||||
|
||||
allow checkpolicy_t userdomain:fd use;
|
||||
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
|
@ -178,6 +177,8 @@ libraries_use_shared_libraries(load_policy_t)
|
|||
|
||||
miscfiles_read_localization(load_policy_t)
|
||||
|
||||
userdomain_use_all_users_file_descriptors(load_policy_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types load_policy_t;
|
||||
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
|
||||
|
@ -186,8 +187,6 @@ allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
|
|||
|
||||
# directory search permissions for path to binary policy files
|
||||
allow load_policy_t etc_t:dir search;
|
||||
|
||||
allow load_policy_t userdomain:fd use;
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
|
@ -327,6 +326,8 @@ libraries_use_shared_libraries(restorecon_t)
|
|||
|
||||
logging_send_system_log_message(restorecon_t)
|
||||
|
||||
userdomain_use_all_users_file_descriptors(restorecon_t)
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_use_file_descriptors(restorecon_t)
|
||||
')
|
||||
|
@ -343,7 +344,6 @@ ifdef(`TODO',`
|
|||
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
|
||||
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
|
||||
role sysadm_r types restorecon_t;
|
||||
allow restorecon_t userdomain:fd use;
|
||||
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that restorecon can not be run!
|
||||
|
@ -478,6 +478,8 @@ logging_send_system_log_message(setfiles_t)
|
|||
|
||||
miscfiles_read_localization(setfiles_t)
|
||||
|
||||
userdomain_use_all_users_file_descriptors(setfiles_t)
|
||||
|
||||
# relabeling rules
|
||||
kernel_relabel_unlabeled_object(setfiles_t)
|
||||
devices_manage_all_devices_labels(setfiles_t)
|
||||
|
@ -491,8 +493,6 @@ ifdef(`TODO',`
|
|||
domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
|
||||
role sysadm_r types setfiles_t;
|
||||
|
||||
allow setfiles_t userdomain:fd use;
|
||||
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that setfiles can not be run!
|
||||
allow setfiles_t lib_t:file { read execute };
|
||||
|
|
|
@ -115,14 +115,16 @@ filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
|
|||
|
||||
terminal_use_console(checkpolicy_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
|
||||
|
||||
init_use_file_descriptors(checkpolicy_t)
|
||||
init_script_use_pseudoterminal(checkpolicy_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
|
||||
|
||||
libraries_use_dynamic_loader(checkpolicy_t)
|
||||
libraries_use_shared_libraries(checkpolicy_t)
|
||||
|
||||
userdomain_use_all_users_file_descriptors(checkpolicy_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types checkpolicy_t;
|
||||
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
|
||||
|
@ -138,9 +140,6 @@ ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
|
|||
# Allow users to execute checkpolicy without a domain transition
|
||||
# so it can be used without privilege to write real binary policy file
|
||||
can_exec(unpriv_userdomain, checkpolicy_exec_t)
|
||||
|
||||
allow checkpolicy_t userdomain:fd use;
|
||||
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
|
@ -178,6 +177,8 @@ libraries_use_shared_libraries(load_policy_t)
|
|||
|
||||
miscfiles_read_localization(load_policy_t)
|
||||
|
||||
userdomain_use_all_users_file_descriptors(load_policy_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types load_policy_t;
|
||||
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
|
||||
|
@ -186,8 +187,6 @@ allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
|
|||
|
||||
# directory search permissions for path to binary policy files
|
||||
allow load_policy_t etc_t:dir search;
|
||||
|
||||
allow load_policy_t userdomain:fd use;
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
|
@ -327,6 +326,8 @@ libraries_use_shared_libraries(restorecon_t)
|
|||
|
||||
logging_send_system_log_message(restorecon_t)
|
||||
|
||||
userdomain_use_all_users_file_descriptors(restorecon_t)
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_use_file_descriptors(restorecon_t)
|
||||
')
|
||||
|
@ -343,7 +344,6 @@ ifdef(`TODO',`
|
|||
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
|
||||
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
|
||||
role sysadm_r types restorecon_t;
|
||||
allow restorecon_t userdomain:fd use;
|
||||
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that restorecon can not be run!
|
||||
|
@ -478,6 +478,8 @@ logging_send_system_log_message(setfiles_t)
|
|||
|
||||
miscfiles_read_localization(setfiles_t)
|
||||
|
||||
userdomain_use_all_users_file_descriptors(setfiles_t)
|
||||
|
||||
# relabeling rules
|
||||
kernel_relabel_unlabeled_object(setfiles_t)
|
||||
devices_manage_all_devices_labels(setfiles_t)
|
||||
|
@ -491,8 +493,6 @@ ifdef(`TODO',`
|
|||
domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
|
||||
role sysadm_r types setfiles_t;
|
||||
|
||||
allow setfiles_t userdomain:fd use;
|
||||
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that setfiles can not be run!
|
||||
allow setfiles_t lib_t:file { read execute };
|
||||
|
|
Loading…
Reference in New Issue