diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 57f66de..4a2865b 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1192,6 +1192,26 @@ interface(`files_relabel_config_dirs',` relabel_dirs_pattern($1, configfile, configfile) ') +######################################## +## <summary> +## Read config files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_config_files',` + gen_require(` + attribute configfile; + ') + + allow $1 configfile:dir list_dir_perms; + read_files_pattern($1, configfile, configfile) + read_lnk_files_pattern($1, configfile, configfile) +') + ########################################### ## <summary> ## Manage all configuration files on filesystem @@ -1567,6 +1587,25 @@ interface(`files_boot_filetrans',` ######################################## ## <summary> +## read files in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_read_boot_files',` + gen_require(` + type boot_t; + ') + + manage_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> ## Create, read, write, and delete files ## in the /boot directory. ## </summary> @@ -1795,6 +1834,25 @@ interface(`files_dontaudit_list_default',` ######################################## ## <summary> +## Create, read, write, and delete directories with +## the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_default_dirs',` + gen_require(` + type default_t; + ') + + manage_dirs_pattern($1, default_t, default_t) +') + +######################################## +## <summary> ## Mount a filesystem on a directory with the default file type. ## </summary> ## <param name="domain"> @@ -1869,6 +1927,25 @@ interface(`files_dontaudit_read_default_files',` ######################################## ## <summary> +## Create, read, write, and delete files with +## the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_default_files',` + gen_require(` + type default_t; + ') + + manage_files_pattern($1, default_t, default_t) +') + +######################################## +## <summary> ## Read symbolic links with the default file type. ## </summary> ## <param name="domain"> @@ -3491,6 +3568,24 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## <summary> +## List all tmp directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; + ') + + allow $1 tmpfile:dir list_dir_perms; +') + +######################################## +## <summary> ## Do not audit attempts to get the attributes ## of all tmp files. ## </summary> @@ -5072,7 +5167,7 @@ interface(`files_polyinstantiate_all',` selinux_compute_member($1) # Need sys_admin capability for mounting - allow $1 self:capability { chown fsetid sys_admin }; + allow $1 self:capability { chown fsetid sys_admin fowner }; # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index e970d85..d6e85d3 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files, 1.12.0) +policy_module(files, 1.12.1) ######################################## # @@ -53,7 +53,7 @@ files_mountpoint(default_t) # # etc_t is the type of the system etc directories. # -type etc_t; +type etc_t, configfile; files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t;