Merge branch 'selinuxutil_module' of git://github.com/cgzones/refpolicy

This commit is contained in:
Chris PeBenito 2017-02-20 10:53:56 -05:00
commit 34cfce5410
2 changed files with 52 additions and 38 deletions

View File

@ -3,50 +3,49 @@
#
# /etc
#
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
#
# /root
#
/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0)
/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0)
#
# /run
#
/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_run_t,s0)
#
# /usr
#
/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)
/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
# /var/lib
#
/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/usr/lib/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
# /var/run
#
/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/usr/lib/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)

View File

@ -88,8 +88,9 @@ role system_r types restorecond_t;
type restorecond_unit_t;
init_unit_file(restorecond_unit_t)
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
type restorecond_run_t;
typealias restorecond_run_t alias restorecond_var_run_t;
files_pid_file(restorecond_run_t)
type run_init_t;
type run_init_exec_t;
@ -221,7 +222,6 @@ optional_policy(`
#
allow newrole_t self:capability { dac_override fowner setgid setuid };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
allow newrole_t self:fifo_file rw_fifo_file_perms;
@ -301,6 +301,21 @@ ifdef(`distro_ubuntu',`
')
')
ifdef(`init_systemd',`
optional_policy(`
systemd_use_logind_fds(newrole_t)
systemd_dbus_chat_logind(newrole_t)
')
')
optional_policy(`
dbus_system_bus_client(newrole_t)
optional_policy(`
consolekit_dbus_chat(newrole_t)
')
')
# if secure mode is enabled, then newrole
# can only transition to unprivileged users
if(secure_mode) {
@ -321,8 +336,8 @@ tunable_policy(`allow_polyinstantiation',`
allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms;
allow restorecond_t restorecond_var_run_t:file manage_file_perms;
files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
allow restorecond_t restorecond_run_t:file manage_file_perms;
files_pid_filetrans(restorecond_t, restorecond_run_t, file)
kernel_getattr_debugfs(restorecond_t)
kernel_read_system_state(restorecond_t)