From 910b1d8ecb896e0c3a11dc0f80e6db3dc6be2264 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Nov 24 2009 13:49:15 +0000 Subject: Files patch from Dan Walsh. --- diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 57f66de..4a2865b 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1192,6 +1192,26 @@ interface(`files_relabel_config_dirs',` relabel_dirs_pattern($1, configfile, configfile) ') +######################################## +## +## Read config files in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_config_files',` + gen_require(` + attribute configfile; + ') + + allow $1 configfile:dir list_dir_perms; + read_files_pattern($1, configfile, configfile) + read_lnk_files_pattern($1, configfile, configfile) +') + ########################################### ## ## Manage all configuration files on filesystem @@ -1567,6 +1587,25 @@ interface(`files_boot_filetrans',` ######################################## ## +## read files in the /boot directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_read_boot_files',` + gen_require(` + type boot_t; + ') + + manage_files_pattern($1, boot_t, boot_t) +') + +######################################## +## ## Create, read, write, and delete files ## in the /boot directory. ## @@ -1795,6 +1834,25 @@ interface(`files_dontaudit_list_default',` ######################################## ## +## Create, read, write, and delete directories with +## the default file type. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_default_dirs',` + gen_require(` + type default_t; + ') + + manage_dirs_pattern($1, default_t, default_t) +') + +######################################## +## ## Mount a filesystem on a directory with the default file type. ## ## @@ -1869,6 +1927,25 @@ interface(`files_dontaudit_read_default_files',` ######################################## ## +## Create, read, write, and delete files with +## the default file type. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_default_files',` + gen_require(` + type default_t; + ') + + manage_files_pattern($1, default_t, default_t) +') + +######################################## +## ## Read symbolic links with the default file type. ## ## @@ -3491,6 +3568,24 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## +## List all tmp directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; + ') + + allow $1 tmpfile:dir list_dir_perms; +') + +######################################## +## ## Do not audit attempts to get the attributes ## of all tmp files. ## @@ -5072,7 +5167,7 @@ interface(`files_polyinstantiate_all',` selinux_compute_member($1) # Need sys_admin capability for mounting - allow $1 self:capability { chown fsetid sys_admin }; + allow $1 self:capability { chown fsetid sys_admin fowner }; # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index e970d85..d6e85d3 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files, 1.12.0) +policy_module(files, 1.12.1) ######################################## # @@ -53,7 +53,7 @@ files_mountpoint(default_t) # # etc_t is the type of the system etc directories. # -type etc_t; +type etc_t, configfile; files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t;