add aliases

This commit is contained in:
Chris PeBenito 2005-06-08 20:28:45 +00:00
parent 72bdc60860
commit c2c00bee05
7 changed files with 241 additions and 245 deletions


@ -15,10 +15,7 @@
define(`bootloader_domtrans',`
requires_block_template(`$0'_depend)
allow $1 bootloader_exec_t:file { getattr read execute };
allow $1 bootloader_t:process transition;
type_transition $1 bootloader_exec_t:process bootloader_t;
dontaudit $1 bootloader_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1, bootloader_exec_t, bootloader_t)
allow $1 bootloader_t:fd use;
allow bootloader_t $1:fd use;
@ -60,12 +57,12 @@ define(`bootloader_run',`
bootloader_transition($1)
role $2 types bootloader_t;
allow bootloader_t $3:chr_file { getattr read write ioctl };
allow bootloader_t $3:chr_file rw_file_perms;
')
define(`bootloader_run_depend',`
type bootloader_t;
class chr_file { getattr read write ioctl };
class chr_file rw_file_perms;
')
########################################
@ -107,14 +104,15 @@ define(`bootloader_ignore_search_bootloader_data_directory_depend',`
define(`bootloader_modify_bootloader_data_directory_symbolic_links',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read };
allow $1 boot_t:lnk_file { getattr read write };
allow $1 boot_t:dir r_dir_perms;
allow $1 boot_t:lnk_file rw_file_perms;
')
define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',`
type boot_t;
class dir { getattr search read };
class dir r_dir_perms;
class lnk_file rw_file_perms;
')
########################################
@ -124,7 +122,7 @@ define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',`
define(`bootloader_install_kernel',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write add_name };
allow $1 boot_t:dir ra_dir_perms;
allow $1 boot_t:file { getattr read write create };
allow $1 boot_t:lnk_file { getattr read create unlink };
')
@ -132,7 +130,7 @@ define(`bootloader_install_kernel',`
define(`bootloader_install_kernel_depend',`
type boot_t;
class dir { getattr search read write add_name };
class dir ra_dir_perms;
class file { getattr read write create };
class lnk_file { getattr read create unlink };
')
@ -144,7 +142,7 @@ define(`bootloader_install_kernel_depend',`
define(`bootloader_install_initrd',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write add_name };
allow $1 boot_t:dir ra_dir_perms;
allow $1 boot_t:file { getattr read write create };
allow $1 boot_t:lnk_file { getattr read create unlink };
')
@ -152,7 +150,7 @@ define(`bootloader_install_initrd',`
define(`bootloader_install_initrd_depend',`
type boot_t;
class dir { getattr search read write add_name };
class dir ra_dir_perms;
class file { getattr read write create };
class lnk_file { getattr read create unlink };
')
@ -164,15 +162,15 @@ define(`bootloader_install_initrd_depend',`
define(`bootloader_install_kernel_symbol_table',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write add_name };
allow $1 system_map_t:file { getattr read write create };
allow $1 boot_t:dir ra_dir_perms;
allow $1 system_map_t:file { rw_file_perms create };
')
define(`bootloader_install_kernel_symbol_table_depend',`
type boot_t, system_map_t;
class dir { getattr search read write add_name };
class file { getattr read write create };
class dir ra_dir_perms;
class file { rw_file_perms create };
')
########################################
@ -182,15 +180,15 @@ define(`bootloader_install_kernel_symbol_table_depend',`
define(`bootloader_read_kernel_symbol_table',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read };
allow $1 system_map_t:file { getattr read };
allow $1 boot_t:dir r_dir_perms;
allow $1 system_map_t:file f_file_perms;
')
define(`bootloader_read_kernel_symbol_table_depend',`
type boot_t, system_map_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -200,14 +198,14 @@ define(`bootloader_read_kernel_symbol_table_depend',`
define(`bootloader_remove_kernel',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write remove_name };
allow $1 boot_t:dir { r_dir_perms write remove_name };
allow $1 boot_t:file { getattr unlink };
')
define(`bootloader_remove_kernel_depend',`
type boot_t;
class dir { getattr search read write remove_name };
class dir { r_dir_perms write remove_name };
class file { getattr unlink };
')
@ -218,14 +216,14 @@ define(`bootloader_remove_kernel_depend',`
define(`bootloader_remove_kernel_symbol_table',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write remove_name };
allow $1 boot_t:dir { r_dir_perms write remove_name };
allow $1 system_map_t:file { getattr unlink };
')
define(`bootloader_remove_kernel_symbol_table_depend',`
type boot_t, system_map_t;
class dir { getattr search read write remove_name };
class dir { r_dir_perms write remove_name };
class file { getattr unlink };
')
@ -236,13 +234,13 @@ define(`bootloader_remove_kernel_symbol_table_depend',`
define(`bootloader_read_config',`
requires_block_template(`$0'_depend)
allow $1 bootloader_etc_t:file { getattr read };
allow $1 bootloader_etc_t:file r_file_perms;
')
define(`bootloader_read_config_depend',`
type bootloader_etc_t;
class file { getattr read };
class file r_file_perms;
')
########################################
@ -252,13 +250,13 @@ define(`bootloader_read_config_depend',`
define(`bootloader_rw_bootloader_config',`
requires_block_template(`$0'_depend)
allow $1 bootloader_etc_t:file { getattr read write append };
allow $1 bootloader_etc_t:file rw_file_perms;
')
define(`bootloader_rw_bootloader_config_depend',`
type bootloader_etc_t;
class file { getattr read write append };
class file rw_file_perms;
')
########################################
@ -269,13 +267,13 @@ define(`bootloader_rw_temp_data',`
requires_block_template(`$0'_depend)
# FIXME: read tmp_t
allow $1 bootloader_tmp_t:file { getattr read write };
allow $1 bootloader_tmp_t:file rw_file_perms;
')
define(`bootloader_rw_temp_data_depend',`
type bootloader_tmp_t;
class file { getattr read write setattr };
class file rw_file_perms;
')
########################################
@ -285,16 +283,16 @@ define(`bootloader_rw_temp_data_depend',`
define(`bootloader_create_runtime_data',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read write add_name remove_name };
allow $1 boot_runtime_t:file { getattr create read write append unlink };
allow $1 boot_t:dir rw_dir_perms;
allow $1 boot_runtime_t:file { rw_file_perms create unlink };
type_transition $1 boot_t:file boot_runtime_t;
')
define(`bootloader_create_runtime_data_depend',`
type boot_t, boot_runtime_t;
class dir { getattr search read write add_name remove_name };
class file { getattr create read write append unlink };
class dir rw_dir_perms;
class file { rw_file_perms create unlink };
')
########################################
@ -304,13 +302,13 @@ define(`bootloader_create_runtime_data_depend',`
define(`bootloader_list_kernel_modules',`
requires_block_template(`$0'_depend)
allow $1 modules_object_t:dir { getattr search read };
allow $1 modules_object_t:dir r_dir_perms;
')
define(`bootloader_list_kernel_modules_depend',`
type modules_object_t;
class dir { getattr search read };
class dir r_dir_perms;
')
########################################
@ -320,17 +318,17 @@ define(`bootloader_list_kernel_modules_depend',`
define(`bootloader_read_kernel_modules',`
requires_block_template(`$0'_depend)
allow $1 modules_object_t:dir { getattr search read };
allow $1 modules_object_t:lnk_file { getattr read };
allow $1 modules_object_t:file { getattr read lock };
allow $1 modules_object_t:dir r_dir_perms;
allow $1 modules_object_t:lnk_file r_file_perms;
allow $1 modules_object_t:file r_file_perms;
')
define(`bootloader_read_kernel_modules_depend',`
type modules_object_t;
class dir { getattr search read };
class lnk_file { getattr read };
class file { getattr read lock };
class dir r_dir_perms;
class lnk_file r_file_perms;
class file r_file_perms;
')
########################################
@ -340,7 +338,7 @@ define(`bootloader_read_kernel_modules_depend',`
define(`bootloader_write_kernel_modules',`
requires_block_template(`$0'_depend)
allow $1 modules_object_t:dir { getattr search read };
allow $1 modules_object_t:dir r_dir_perms;
allow $1 modules_object_t:file write;
typeattribute $1 can_modify_kernel_modules;
@ -351,7 +349,7 @@ define(`bootloader_write_kernel_modules_depend',`
type modules_object_t;
class dir { getattr search read };
class dir r_dir_perms;
class file write;
')
@ -362,8 +360,8 @@ define(`bootloader_write_kernel_modules_depend',`
define(`bootloader_manage_kernel_modules',`
requires_block_template(`$0'_depend)
allow $1 modules_object_t:file { getattr create read write setattr unlink };
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
allow $1 modules_object_t:dir rw_dir_perms;
typeattribute $1 can_modify_kernel_modules;
')
@ -374,7 +372,7 @@ define(`bootloader_manage_kernel_modules_depend',`
type modules_object_t;
class file { getattr create read write setattr unlink };
class dir { getattr search read write add_name remove_name };
class dir rw_dir_perms;
')
########################################
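Review bot: `allow $1 system_map_t:file f_file_perms;` in bootloader_read_kernel_symbol_table (L102) uses an alias that appears nowhere else in this commit, while the matching _depend block (L109) declares `class file r_file_perms;`, so this looks like a typo that either breaks the policy build or leaves the interface's requires block out of step with what it grants. Change it to `allow $1 system_map_t:file r_file_perms;`. The same `f_file_perms` slip occurs in kernel_read_network_sysctl_depend in the last file of this commit. Note also that the alias swap is not permission-neutral: `{ getattr read }` becoming r_file_perms and `{ getattr read write }` becoming rw_file_perms presumably adds ioctl, lock and append for every caller (e.g. bootloader_read_config on bootloader_etc_t), which is probably intended but should be stated in the commit message rather than passed off as "add aliases".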


@ -66,27 +66,27 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
allow bootloader_t self:process { sigkill sigstop signull signal };
allow bootloader_t self:fifo_file { getattr read write };
allow bootloader_t boot_t:dir { getattr search read write add_name };
allow bootloader_t boot_t:file { getattr read write create };
allow bootloader_t boot_t:lnk_file { getattr read create unlink };
allow bootloader_t boot_t:dir ra_dir_perms;
allow bootloader_t boot_t:file { rw_file_perms create };
allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
allow bootloader_t bootloader_etc_t:file { getattr read };
allow bootloader_t bootloader_etc_t:file r_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
#files_create_private_config(bootloader_t,bootloader_etc_t)
allow bootloader_t bootloader_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow bootloader_t bootloader_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow bootloader_t bootloader_tmp_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
allow bootloader_t bootloader_tmp_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
allow bootloader_t bootloader_tmp_t:lnk_file { create read getattr setattr unlink rename };
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
allow bootloader_t bootloader_tmp_t:file create_file_perms;
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
files_create_private_tmp_data(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t)
allow bootloader_t modules_object_t:dir { getattr search read };
allow bootloader_t modules_object_t:file { getattr read };
allow bootloader_t modules_object_t:lnk_file { getattr read };
allow bootloader_t modules_object_t:dir r_dir_perms;
allow bootloader_t modules_object_t:file r_file_perms;
allow bootloader_t modules_object_t:lnk_file r_file_perms;
kernel_get_core_interface_attributes(bootloader_t)
kernel_read_system_state(bootloader_t)
@ -150,7 +150,7 @@ ifdef(`distro_redhat', `
allow bootloader_t self:capability ipc_lock;
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t boot_runtime_t:file { read getattr unlink };
allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
# mkinitrd mount initrd on bootloader temp dir
files_make_mountpoint(bootloader_tmp_t)
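Review bot: The bootloader_tmp_t rewrite at L274–L278 is not a pure aliasing: the lists it replaces (L269–L273) contain no relabelfrom/relabelto, yet in the devices file of this same commit create_dir_perms and create_file_perms stand in for device_t lists that do include relabelfrom relabelto, so the aliases cannot be exact at both sites. If the aliases carry the relabel permissions, bootloader_t silently gains the ability to relabel objects into and out of bootloader_tmp_t, which is wider than the original grant; if they do not, the devices file loses them. Please confirm the alias definitions and, for this file, either keep the explicit lists or add a comment such as `# create_*_perms include relabelfrom/relabelto; deliberate widening over the previous explicit lists` so the change is visible to the next reader. Similarly L263 `boot_t:lnk_file { r_file_perms create unlink }` replaces `{ getattr read create unlink }`; lock/ioctl on symlinks is harmless but again not equivalent.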


@ -61,14 +61,14 @@ define(`devices_list_device_nodes',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:lnk_file { getattr read };
allow $1 device_t:lnk_file r_file_perms;
')
define(`devices_list_device_nodes_depend',`
type device_t;
class dir r_dir_perms;
class lnk_file { getattr read };
class lnk_file r_file_perms;
')
########################################
@ -177,7 +177,7 @@ define(`devices_manage_generic_block_device_depend',`
define(`devices_add_generic_character_device',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr search read write add_name };
allow $1 device_t:dir ra_dir_perms;
allow $1 device_t:chr_file create;
allow $1 self:capability mknod;
@ -186,7 +186,7 @@ define(`devices_add_generic_character_device',`
define(`devices_add_generic_character_device_depend',`
type device_t;
class dir { getattr search read write add_name };
class dir ra_dir_perms;
class chr_file create;
class capability mknod;
')
@ -239,7 +239,7 @@ define(`devices_ignore_get_generic_character_device_attributes_depend',`
define(`devices_remove_dev_symbolic_links',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr read write remove_name };
allow $1 device_t:dir { r_dir_perms write remove_name };
allow $1 device_t:lnk_file unlink;
')
@ -248,7 +248,7 @@ define(`devices_remove_dev_symbolic_links_depend',`
type device_t;
class dir { getattr read write remove_name };
class dir { r_dir_perms write remove_name };
class lnk_file unlink;
')
@ -259,15 +259,15 @@ define(`devices_remove_dev_symbolic_links_depend',`
define(`devices_manage_dev_symbolic_links',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
allow $1 device_t:dir create_dir_perms;
allow $1 device_t:lnk_file create_lnk_perms;
')
define(`devices_manage_dev_symbolic_links_depend',`
type device_t;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
class lnk_file { create read getattr setattr link unlink rename };
class dir create_dir_perms;
class lnk_file create_lnk_perms;
')
########################################
@ -277,11 +277,11 @@ define(`devices_manage_dev_symbolic_links_depend',`
define(`devices_manage_device_nodes',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
allow $1 device_t:dir create_dir_perms;
allow $1 device_t:sock_file create_file_perms;
allow $1 device_t:lnk_file create_lnk_perms;
allow $1 device_t:{ chr_file blk_file } create_file_perms;
allow $1 device_node:{ chr_file blk_file } create_file_perms;
# these next rules are to satisfy assertions broken by the above lines.
# the permissions hopefully can be cut back a lot
@ -299,11 +299,11 @@ define(`devices_manage_device_nodes_depend',`
type device_t;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
class lnk_file { create read getattr setattr link unlink rename };
class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
class dir create_dir_perms;
class sock_file create_file_perms;
class lnk_file create_lnk_perms;
class chr_file create_file_perms;
class blk_file create_file_perms;
')
########################################
@ -818,14 +818,14 @@ define(`devices_read_sound_mixer_levels',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr read ioctl };
allow $1 sound_device_t:chr_file r_file_perms;
')
define(`devices_read_sound_mixer_levels_depend',`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file { getattr read ioctl };
class chr_file r_file_perms;
')
########################################
@ -1031,14 +1031,14 @@ define(`devices_use_lvm_control_channel_depend',`
define(`devices_remove_lvm_control_channel',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr search read write remove_name };
allow $1 device_t:dir { r_dir_perms write remove_name };
allow $1 lvm_control_t:chr_file unlink;
')
define(`devices_remove_lvm_control_channel_depend',`
type device_t, lvm_control_t;
class dir { getattr search read write remove_name };
class dir { r_dir_perms write remove_name };
class chr_file unlink;
')
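Review bot: In devices_manage_device_nodes (L365–L369) the single create_file_perms alias replaces both the sock_file list without relabelfrom/relabelto (L361) and the chr_file/blk_file lists with them (L363–L364), so one of the two sites changes meaning, and which one depends on an alias definition not shown in this diff. Relabel on `device_node:{ chr_file blk_file }` is the security-sensitive grant (the comment at L370 already notes it breaks assertions), so if create_file_perms lacks relabel the manage interfaces silently stop letting callers relabel device nodes, and if it includes relabel the sock_file grant is widened. Suggest making the relabel permissions explicit so the intent survives the alias: `allow $1 device_t:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };` and likewise for the device_node and device_t:dir lines, leaving sock_file on plain create_file_perms. The same question applies to devices_manage_dev_symbolic_links (L346/L353), whose dir list also carried relabelfrom relabelto.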


@ -302,7 +302,7 @@ define(`fs_execute_cifs_files',`
requires_block_template(`$0'_depend)
allow $1 cifs_t:dir r_dir_perms;
allow $1 cifs_t:file { getattr read execute execute_no_trans };
can_exec($1, cifs_t)
')
define(`fs_execute_cifs_files_depend',`
@ -616,7 +616,7 @@ define(`fs_execute_nfs_files',`
requires_block_template(`$0'_depend)
allow $1 nfs_t:dir r_dir_perms;
allow $1 nfs_t:file { getattr read execute execute_no_trans };
can_exec($1, nfs_t)
')
define(`fs_execute_nfs_files_depend',`
@ -692,8 +692,8 @@ define(`fs_manage_nfs_named_pipes',`
define(`fs_manage_nfs_named_pipes_depend',`
type nfs_t;
class dir { getattr search read write add_name remove_name };
class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
class dir rw_dir_perms;
class fifo_file create_file_perms;
')
########################################
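Review bot: `can_exec($1, cifs_t)` and `can_exec($1, nfs_t)` (L419, L426) replace explicit `{ getattr read execute execute_no_trans }` rules, but the corresponding _depend blocks (starting at L421 and L428) continue outside this hunk, so confirm they still declare exactly the file permissions can_exec expands to; an interface whose requires block lags its body defeats the purpose of the _depend pattern. If can_exec expands to more than those four permissions, callers executing files from CIFS/NFS shares (server-controlled content) receive a wider grant than before, which is worth stating explicitly. Keep the macro if it is exactly the original four permissions; otherwise prefer the explicit list here.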


@ -25,11 +25,7 @@
define(`kernel_make_userland_entrypoint',`
requires_block_template(`$0'_depend)
allow kernel_t $2:file { getattr read execute };
allow kernel_t $1:process transition;
allow $1 kernel_t:fd use;
type_transition kernel_t $2:process $1;
dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
domain_auto_trans(kernel_t, $2, $1)
allow $1 kernel_t:fd use;
allow kernel_t $1:fd use;
@ -821,15 +817,15 @@ define(`kernel_ignore_read_system_state_depend',`
define(`kernel_read_software_raid_state',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir { getattr search read };
allow $1 proc_mdstat_t:file { getattr read };
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_mdstat_t:file r_file_perms;
')
define(`kernel_read_software_raid_state_depend',`
type proc_t, proc_mdstat_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -849,7 +845,7 @@ define(`kernel_read_software_raid_state_depend',`
define(`kernel_get_core_interface_attributes',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir { getattr search read };
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_kcore_t:file getattr;
')
@ -906,7 +902,7 @@ define(`kernel_read_messages',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 proc_kmsg_t:file { getattr read };
allow $1 proc_kmsg_t:file r_file_perms;
typeattribute $1 can_receive_kernel_messages;
')
@ -916,7 +912,7 @@ define(`kernel_read_messages_depend',`
type proc_kmsg_t, proc_t;
class dir search;
class file { getattr read };
class file r_file_perms;
')
########################################
@ -995,15 +991,15 @@ define(`kernel_read_network_state',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir { getattr search read };
allow $1 proc_net_t:file { getattr read };
allow $1 proc_net_t:dir r_dir_perms;
allow $1 proc_net_t:file r_file_perms;
')
define(`kernel_read_network_state_depend',`
type proc_t, proc_net_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -1051,16 +1047,16 @@ define(`kernel_read_device_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_dev_t:dir { getattr search read };
allow $1 sysctl_dev_t:file { getattr read };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_dev_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file r_file_perms;
')
define(`kernel_read_device_sysctl_depend',`
type proc_t, sysctl_t, sysctl_dev_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -1081,15 +1077,15 @@ define(`kernel_modify_device_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_dev_t:file { getattr read write };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file rw_file_perms;
')
define(`kernel_modify_device_sysctl_depend',`
type proc_t, sysctl_t, sysctl_dev_t;
class dir { search getattr read };
class file { getattr read write };
class dir r_dir_perms;
class file rw_file_perms;
')
########################################
@ -1111,15 +1107,15 @@ define(`kernel_read_virtual_memory_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_vm_t:file { getattr read };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:file r_file_perms;
')
define(`kernel_read_virtual_memory_sysctl_depend',`
type proc_t, sysctl_t, sysctl_vm_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -1140,15 +1136,15 @@ define(`kernel_modify_virtual_memory_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_vm_t:file { getattr read write };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:file rw_file_perms;
')
define(`kernel_modify_virtual_memory_sysctl_depend',`
type proc_t, sysctl_t, sysctl_vm_t;
class dir { search getattr read };
class file { getattr read write };
class dir r_dir_perms;
class file rw_file_perms;
')
########################################
@ -1197,16 +1193,16 @@ define(`kernel_read_network_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_net_t:dir { getattr search read };
allow $1 sysctl_net_t:file { getattr read };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_t:file r_file_perms;
')
define(`kernel_read_network_sysctl_depend',`
type proc_t, sysctl_t, sysctl_net_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file f_file_perms;
')
########################################
@ -1228,16 +1224,16 @@ define(`kernel_modify_network_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_net_t:dir { getattr search read };
allow $1 sysctl_net_t:file { getattr read write };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_t:file rw_file_perms;
')
define(`kernel_modify_network_sysctl_depend',`
type proc_t, sysctl_t, sysctl_net_t;
class dir { search getattr read };
class file { getattr read write };
class dir r_dir_perms;
class file rw_file_perms;
')
########################################
@ -1258,16 +1254,16 @@ define(`kernel_read_unix_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_net_t:dir { getattr search read };
allow $1 sysctl_net_unix_t:file { getattr read };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_unix_t:file r_file_perms;
')
define(`kernel_read_net_sysctl_depend',`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -1288,16 +1284,16 @@ define(`kernel_modify_unix_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_net_t:dir { getattr search read };
allow $1 sysctl_net_unix_t:file { getattr read write };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_unix_t:file rw_file_perms;
')
define(`kernel_modify_net_sysctl_depend',`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
class dir { search getattr read };
class file { getattr read write };
class dir r_dir_perms;
class file rw_file_perms;
')
########################################
@ -1318,16 +1314,16 @@ define(`kernel_read_hotplug_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_kernel_t:dir { getattr search read };
allow $1 sysctl_hotplug_t:file { getattr read };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_hotplug_t:file r_file_perms;
')
define(`kernel_read_hotplug_sysctl_depend',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -1348,16 +1344,16 @@ define(`kernel_modify_hotplug_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_kernel_t:dir { getattr search read };
allow $1 sysctl_hotplug_t:file { getattr read write };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_hotplug_t:file rw_file_perms;
')
define(`kernel_modify_hotplug_sysctl_depend',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
class dir { search getattr read };
class file { getattr read write };
class dir r_dir_perms;
class file rw_file_perms;
')
########################################
@ -1378,16 +1374,16 @@ define(`kernel_read_modprobe_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_kernel_t:dir { getattr search read };
allow $1 sysctl_modprobe_t:file { getattr read };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_modprobe_t:file r_file_perms;
')
define(`kernel_read_modprobe_sysctl_depend',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -1408,16 +1404,16 @@ define(`kernel_modify_modprobe_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_kernel_t:dir { getattr search read };
allow $1 sysctl_modprobe_t:file { getattr read write };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_modprobe_t:file rw_file_perms;
')
define(`kernel_modify_modprobe_sysctl_depend',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
class dir { search getattr read };
class file { getattr read write };
class dir r_dir_perms;
class file rw_file_perms;
')
########################################
@ -1438,16 +1434,16 @@ define(`kernel_read_kernel_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_kernel_t:dir { getattr search read };
allow $1 sysctl_kernel_t:file { getattr read };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file r_file_perms;
')
define(`kernel_read_kernel_sysctl_depend',`
type proc_t, sysctl_t, sysctl_kernel_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -1468,16 +1464,16 @@ define(`kernel_modify_kernel_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_kernel_t:dir { getattr search read };
allow $1 sysctl_kernel_t:file { getattr read write };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file rw_file_perms;
')
define(`kernel_modify_kernel_sysctl_depend',`
type proc_t, sysctl_t, sysctl_kernel_t;
class dir { search getattr read };
class file { getattr read write };
class dir r_dir_perms;
class file rw_file_perms;
')
########################################
@ -1498,16 +1494,16 @@ define(`kernel_read_fs_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_fs_t:dir { getattr search read };
allow $1 sysctl_fs_t:file { getattr read };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_fs_t:dir r_dir_perms;
allow $1 sysctl_fs_t:file r_file_perms;
')
define(`kernel_read_fs_sysctl_depend',`
type proc_t, sysctl_t, sysctl_fs_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -1530,16 +1526,16 @@ define(`kernel_modify_fs_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir { getattr search read };
allow $1 sysctl_fs_t:dir { getattr search read };
allow $1 sysctl_fs_t:file { getattr read write };
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_fs_t:dir r_dir_perms;
allow $1 sysctl_fs_t:file rw_file_perms;
')
define(`kernel_modify_fs_sysctl_depend',`
type proc_t, sysctl_t, sysctl_fs_t;
class dir { search getattr read };
class file { getattr read write };
class dir r_dir_perms;
class file rw_file_perms;
')
########################################
@ -1560,15 +1556,15 @@ define(`kernel_read_irq_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_irq_t:dir { getattr search read };
allow $1 sysctl_irq_t:file { getattr read };
allow $1 sysctl_irq_t:dir r_dir_perms;
allow $1 sysctl_irq_t:file r_file_perms;
')
define(`kernel_read_irq_sysctl_depend',`
type proc_t, sysctl_irq_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -1590,15 +1586,15 @@ define(`kernel_modify_irq_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 sysctl_irq_t:dir { getattr search read };
allow $1 sysctl_irq_t:file { getattr read write };
allow $1 sysctl_irq_t:dir r_dir_perms;
allow $1 sysctl_irq_t:file rw_file_perms;
')
define(`kernel_modify_irq_sysctl_depend',`
type proc_t, sysctl_irq_t;
class dir { search getattr read };
class file { getattr read write };
class dir r_dir_perms;
class file rw_file_perms;
')
########################################
@ -1610,15 +1606,15 @@ define(`kernel_read_rpc_sysctl',`
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir search;
allow $1 sysctl_rpc_t:dir { getattr search read };
allow $1 sysctl_rpc_t:file { getattr read };
allow $1 sysctl_rpc_t:dir r_dir_perms;
allow $1 sysctl_rpc_t:file r_file_perms;
')
define(`kernel_read_rpc_sysctl_depend',`
type proc_t, proc_net_t, sysctl_rpc_t;
class dir { search getattr read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -1630,15 +1626,15 @@ define(`kernel_modify_rpc_sysctl',`
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir search;
allow $1 sysctl_rpc_t:dir { getattr search read };
allow $1 sysctl_rpc_t:file { getattr read write };
allow $1 sysctl_rpc_t:dir r_dir_perms;
allow $1 sysctl_rpc_t:file rw_file_perms;
')
define(`kernel_modify_rpc_sysctl_depend',`
type proc_t, proc_net_t, sysctl_rpc_t;
class dir { search getattr read };
class file { getattr read write };
class dir r_dir_perms;
class file rw_file_perms;
')
########################################
@ -1735,16 +1731,16 @@ define(`kernel_search_hardware_state_dir_depend',`
define(`kernel_read_hardware_state',`
requires_block_template(`$0'_depend)
allow $1 sysfs_t:dir { getattr search read };
allow $1 sysfs_t:{ file lnk_file } { getattr read };
allow $1 sysfs_t:dir r_dir_perms;
allow $1 sysfs_t:{ file lnk_file } r_file_perms;
')
define(`kernel_read_hardware_state_depend',`
type sysfs_t;
class dir { getattr search read };
class file { getattr read };
class lnk_file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
')
########################################
@ -1764,17 +1760,17 @@ define(`kernel_read_hardware_state_depend',`
define(`kernel_modify_hardware_config_option',`
requires_block_template(`$0'_depend)
allow $1 sysfs_t:dir { getattr search read };
allow $1 sysfs_t:lnk_file { getattr read };
allow $1 sysfs_t:file { getattr read write };
allow $1 sysfs_t:dir r_dir_perms;
allow $1 sysfs_t:lnk_file r_file_perms;
allow $1 sysfs_t:file rw_file_perms;
')
define(`kernel_modify_hardware_config_option_depend',`
type sysfs_t;
class dir { getattr search read };
class file { getattr read write };
class lnk_file { getattr read };
class dir r_dir_perms;
class file rw_file_perms;
class lnk_file r_file_perms;
')
########################################
@ -1937,7 +1933,7 @@ define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
define(`kernel_relabel_unlabeled_object',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
')
define(`kernel_relabel_unlabeled_object_depend',`
@ -1992,17 +1988,17 @@ define(`kernel_search_usb_hardware_state_dir_depend',`
define(`kernel_list_usb_hardware',`
requires_block_template(`$0'_depend)
allow $1 usbfs_t:dir { getattr search read };
allow $1 usbfs_t:lnk_file { getattr read };
allow $1 usbfs_t:dir r_dir_perms;
allow $1 usbfs_t:lnk_file r_file_perms;
allow $1 usbfs_t:file getattr;
')
define(`kernel_list_usb_hardware_depend',`
type usbfs_t;
class dir { getattr search read };
class dir r_dir_perms;
class file getattr;
class lnk_file { getattr read };
class lnk_file r_file_perms;
')
########################################
@ -2020,16 +2016,16 @@ define(`kernel_list_usb_hardware_depend',`
define(`kernel_read_usb_hardware_state',`
requires_block_template(`$0'_depend)
allow $1 usbfs_t:dir { getattr search read };
allow $1 usbfs_t:{ file lnk_file } { getattr read };
allow $1 usbfs_t:dir r_dir_perms;
allow $1 usbfs_t:{ file lnk_file } r_file_perms;
')
define(`kernel_read_usb_hardware_state_depend',`
type usbfs_t;
class dir { getattr search read };
class file { getattr read };
class lnk_file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
')
########################################
@ -2049,17 +2045,17 @@ define(`kernel_read_usb_hardware_state_depend',`
define(`kernel_modify_usb_hardware_config_option',`
requires_block_template(`$0'_depend)
allow $1 usbfs_t:dir { getattr search read };
allow $1 usbfs_t:lnk_file { getattr read };
allow $1 usbfs_t:file { getattr read write };
allow $1 usbfs_t:dir r_dir_perms;
allow $1 usbfs_t:lnk_file r_file_perms;
allow $1 usbfs_t:file rw_file_perms;
')
define(`kernel_modify_usb_hardware_config_option_depend',`
type usbfs_t;
class dir { getattr search read };
class file { getattr read write };
class lnk_file { getattr read };
class dir r_dir_perms;
class file rw_file_perms;
class lnk_file r_file_perms;
')
###################################################################
@ -2140,13 +2136,13 @@ define(`kernel_unlabeled_sigchld_from_depend',`
define(`kernel_read_directory_from',`
requires_block_template(`$0'_depend)
allow kernel_t $1:dir { getattr search read };
allow kernel_t $1:dir r_dir_perms;
')
define(`kernel_read_directory_from_depend',`
type kernel_t;
class dir { getattr search read };
class dir r_dir_perms;
')
## </module>


@ -165,28 +165,28 @@ allow kernel_t self:capability *;
allow kernel_t unlabeled_t:dir mounton;
# old general_domain_access()
allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms;
allow kernel_t self:msg { send receive };
allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow kernel_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow kernel_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow kernel_t self:msgq create_msgq_perms;
allow kernel_t self:unix_dgram_socket create_socket_perms;
allow kernel_t self:unix_stream_socket create_stream_socket_perms;
allow kernel_t self:unix_dgram_socket sendto;
allow kernel_t self:unix_stream_socket connectto;
allow kernel_t self:fifo_file { read getattr lock ioctl write append };
allow kernel_t self:fifo_file rw_file_perms;
allow kernel_t self:fd use;
# old general_proc_read_access():
allow kernel_t proc_t:dir { getattr search read };
allow kernel_t proc_t:{ lnk_file file } { getattr read };
allow kernel_t proc_net_t:dir { getattr search read };
allow kernel_t proc_net_t:file { getattr read };
allow kernel_t proc_mdstat_t:file { getattr read };
allow kernel_t proc_t:dir r_dir_perms;
allow kernel_t proc_t:{ lnk_file file } r_file_perms;
allow kernel_t proc_net_t:dir r_dir_perms;
allow kernel_t proc_net_t:file r_file_perms;
allow kernel_t proc_mdstat_t:file r_file_perms;
allow kernel_t proc_kcore_t:file getattr;
allow kernel_t proc_kmsg_t:file getattr;
allow kernel_t sysctl_t:dir { getattr search read };
allow kernel_t sysctl_kernel_t:dir { getattr search read };
allow kernel_t sysctl_kernel_t:file { getattr read };
allow kernel_t sysctl_t:dir r_dir_perms;
allow kernel_t sysctl_kernel_t:dir r_dir_perms;
allow kernel_t sysctl_kernel_t:file r_file_perms;
# old base_file_read_access():
files_list_home_directories(kernel_t)
@ -194,8 +194,8 @@ files_read_general_application_resources(kernel_t)
selinux_read_config(kernel_t)
selinux_read_binary_policy(kernel_t)
allow kernel_t security_t:dir { read search getattr };
allow kernel_t security_t:file { getattr read write };
allow kernel_t security_t:dir r_dir_perms;
allow kernel_t security_t:file rw_file_perms;
allow kernel_t security_t:security load_policy;
auditallow kernel_t security_t:security load_policy;
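Review bot: The `allow kernel_t security_t:file rw_file_perms;` line in the second hunk of this section replaces an explicit `{ getattr read write }` set with an alias that is not defined anywhere on this page; if it expands the way the policy's permission-set macros usually do, it also carries append, lock and ioctl on selinuxfs files, which is a wider grant than a pure alias substitution. The same question applies to every `{ getattr read }` → r_file_perms and `{ getattr search read }` → r_dir_perms replacement in this section and in the interface section above, since those aliases may likewise add lock and ioctl; none of the old lines in this section included them. If the extra permissions are intended, a one-line comment such as `# rw_file_perms is wider than the former explicit set; append/lock/ioctl on selinuxfs are accepted here` placed above the rule would record that decision for the next reviewer; otherwise keep `allow kernel_t security_t:file { getattr read write };` on the policy-load path, which the auditallow on the following line already singles out for scrutiny.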


@ -33,6 +33,7 @@ define(`term_make_pty_depend',`
## <parameter name="pty_type">
## An object type that will applied to a pty.
## </parameter>
## <infoflow type="none"/>
## </interface>
#
define(`term_make_user_pty',`
@ -57,6 +58,7 @@ define(`term_make_user_pty_depend',`
## <parameter name="object_type">
## An object type that will applied to a pty.
## </parameter>
## <infoflow type="none"/>
## </interface>
#
define(`term_make_interactive_pty',`
@ -105,7 +107,7 @@ define(`term_create_pty',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 ptmx_t:chr_file { getattr read write };
allow $1 ptmx_t:chr_file rw_file_perms;
allow $1 devpts_t:dir r_dir_perms;
allow $1 devpts_t:filesystem getattr;
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
@ -117,7 +119,7 @@ define(`term_create_pty_depend',`
class filesystem getattr;
class dir r_dir_perms;
class chr_file { getattr read write };
class chr_file rw_file_perms;
')
########################################