From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id D06E6138A1A for ; Sat, 22 Nov 2014 18:24:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4B00CE095E; Sat, 22 Nov 2014 18:24:46 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 8A5C8E0958 for ; Sat, 22 Nov 2014 18:24:45 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 70DFF340563 for ; Sat, 22 Nov 2014 18:24:44 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 1D869AB01 for ; Sat, 22 Nov 2014 18:24:43 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1416679478.f65b4a5c66cee88e554361b57195a47e21b90d9d.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/files.if X-VCS-Directories: policy/modules/kernel/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: f65b4a5c66cee88e554361b57195a47e21b90d9d X-VCS-Branch: master Date: Sat, 22 Nov 2014 18:24:43 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c47bbbb0-df8b-4674-ae7a-da86c18fcc1c X-Archives-Hash: 39b92188fe67c23bb55a5d36363726c9 commit: f65b4a5c66cee88e554361b57195a47e21b90d9d Author: Sven Vermeulen siphos be> AuthorDate: Sat Nov 22 18:04:38 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sat Nov 22 18:04:38 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f65b4a5c Reshuffle to better match upstream --- policy/modules/kernel/files.if | 285 ++++++++++++++++++++--------------------- 1 file changed, 142 insertions(+), 143 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index fd1f8e9..dd16f74 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1450,7 +1450,6 @@ interface(`files_relabel_non_auth_files',` # to allow files_relabel_non_auth_files to be an optional setting (tunable). ') - ############################################# ## ## Manage all configuration directories on filesystem 
@@ -1604,6 +1603,24 @@ interface(`files_setattr_all_mountpoints',` ######################################## ## +## Do not audit attempts to set the attributes on all mount points. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_setattr_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + dontaudit $1 mountpoint:dir setattr; +') + +######################################## +## ## Search all mount points. ## ## @@ -1676,11 +1693,11 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## -## Do not audit write attempts on mount points. +## Do not audit attempts to write to mount points. ## ## ## -## Domain to ignore write attempts from +## Domain to not audit. ## ## # @@ -1694,24 +1711,6 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## -## Do not audit setattr attempts on mount points. -## -## -## -## Domain to ignore setattr attempts from -## -## -# -interface(`files_dontaudit_setattr_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') - - dontaudit $1 mountpoint:dir setattr; -') - -######################################## -## ## List the contents of the root directory. ## ## @@ -2669,25 +2668,6 @@ interface(`files_manage_etc_dirs',` ######################################## ## -## Do not audit attempts to read files -## in /etc -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_read_etc_files',` - gen_require(` - type etc_t; - ') - - dontaudit $1 etc_t:file { getattr read }; -') - -######################################## -## ## Read generic files in /etc. ## ## 
@@ -3003,24 +2983,6 @@ interface(`files_dontaudit_setattr_etc_runtime_files',` ######################################## ## -## Do not audit attempts to read etc_runtime resources -## -## -## -## Domain allowed access. -## -## -# -interface(`files_dontaudit_read_etc_runtime',` - gen_require(` - type etc_runtime_t; - ') - - dontaudit $1 etc_runtime_t:file read_file_perms; -') - -######################################## -## ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## @@ -3142,26 +3104,6 @@ interface(`files_manage_etc_runtime_files',` ######################################## ## -## Create, read, write, and delete symbolic links in -## /etc that are dynamically created on boot. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_etc_runtime_lnk_files',` - gen_require(` - type etc_t, etc_runtime_t; - ') - - manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) -') - -######################################## -## ## Create, etc runtime objects with an automatic ## type transition. ## @@ -5660,6 +5602,24 @@ interface(`files_manage_mounttab',` ######################################## ## +## Set the attributes of the generic lock directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_lock_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + setattr_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## ## Search the locks directory (/var/lock). ## ## @@ -5738,11 +5698,11 @@ interface(`files_rw_lock_dirs',` ######################################## ## -## Create lock directories. +## Create lock directories ## ## -## -## Domain allowed access. +## +## Domain allowed access ## ## # @@ -5756,7 +5716,6 @@ interface(`files_create_lock_dirs',` create_dirs_pattern($1, var_lock_t, var_lock_t) ') - ######################################## ## ## Relabel to and from all lock directory types. 
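Review bot: In the `@@ -5738` hunk the `files_create_lock_dirs` documentation loses its trailing periods (`## Create lock directories` and `## Domain allowed access`), which runs against the style of every other summary and parameter description touched by this commit, including the `files_setattr_lock_dirs` block added two hunks earlier with `## Domain allowed access.`; unless the upstream text being matched really omits them, keep `## Create lock directories.` and `## Domain allowed access.`. The `-##`/`+##` pair just before that description suggests the param tag line changed as well, but the XML markup has been stripped in this rendering, so whatever attribute was altered cannot be checked from here. The same hunk recurs unchanged in the two later copies of this mail (bitcoin and next branches), so the remark applies there too.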
@@ -5802,24 +5761,6 @@ interface(`files_getattr_generic_locks',` ######################################## ## -## Set the attributes of generic lock directories -## -## -## -## Domain allowed access. -## -## -# -interface(`files_setattr_lock_dirs',` - gen_require(` - type var_t, var_lock_t; - ') - - setattr_dirs_pattern($1, var_t, var_lock_t) -') - -######################################## -## ## Delete generic lock files. ## ## @@ -6101,29 +6042,6 @@ interface(`files_write_generic_pid_pipes',` allow $1 var_run_t:lnk_file read_lnk_file_perms; allow $1 var_run_t:fifo_file write; ') -######################################## -## -## Write dirs in /var/run with the lock file type -## -## -## -## Domain allowed access. -## -## -## -## -## Name of the directory that the file transition will work on -## -## -# -interface(`files_pid_filetrans_lock_dir',` - gen_require(` - type var_t, var_run_t; - ') - - files_pid_filetrans($1, var_lock_t, dir, $2) -') - ######################################## ## @@ -6189,6 +6107,29 @@ interface(`files_pid_filetrans',` ######################################## ## +## Create a generic lock directory within the run directories +## +## +## +## Domain allowed access +## +## +## +## +## The name of the object being created. +## +## +# +interface(`files_pid_filetrans_lock_dir',` + gen_require(` + type var_lock_t; + ') + + files_pid_filetrans($1, var_lock_t, dir, $2) +') + +######################################## +## ## Read and write generic process ID files. ## ## @@ -6291,26 +6232,6 @@ interface(`files_read_all_pids',` ######################################## ## -## Create PID directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_pid_dirs',` - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - create_dirs_pattern($1, var_run_t, var_run_t) -') - -######################################## -## ## Delete all process IDs. ## ## 
@@ -6623,6 +6544,84 @@ interface(`files_unconfined',` # should be in an ifdef distro_gentoo but cannot do so for interfaces +######################################## +## +## Create PID directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_pid_dirs',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + create_dirs_pattern($1, var_run_t, var_run_t) +') + +######################################## +## +## Create, read, write, and delete symbolic links in +## /etc that are dynamically created on boot. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_manage_etc_runtime_lnk_files',` + gen_require(` + type etc_t, etc_runtime_t; + ') + + manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) +') + +######################################## +## +## Do not audit attempts to read etc_runtime resources +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_read_etc_runtime',` + gen_require(` + type etc_runtime_t; + ') + + dontaudit $1 etc_runtime_t:file read_file_perms; +') + +######################################## +## +## Do not audit attempts to read files +## in /etc +## +## +## +## Domain to not audit. 
+## +## +# +interface(`files_dontaudit_read_etc_files',` + gen_require(` + type etc_t; + ') + + dontaudit $1 etc_t:file { getattr read }; +') + + ######################################### ## ## List usr/src files From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 1E85D138A1A for ; Sun, 23 Nov 2014 14:06:18 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 81FB9E0841; Sun, 23 Nov 2014 14:06:15 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id ACC36E0841 for ; Sun, 23 Nov 2014 14:06:14 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A5F5D340100 for ; Sun, 23 Nov 2014 14:06:13 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 0256FABF0 for ; Sun, 23 Nov 2014 14:06:11 +0000 (UTC) 
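Review bot: In the `@@ -6623` hunk the parameter of `files_dontaudit_read_etc_runtime` is described as `## Domain allowed access.` although the interface only adds a dontaudit rule and grants nothing; the sibling `files_dontaudit_read_etc_files` directly below it, and the wording this same commit applies to `files_dontaudit_write_all_mountpoints`, use `## Domain to not audit.` — use that here as well. The two moved dontaudit interfaces also suppress different permission sets (`read_file_perms` on etc_runtime_t versus `{ getattr read }` on etc_t), so `open` denials on etc_t files will presumably still reach the audit log while those on etc_runtime_t will not; if that asymmetry is deliberate (keeping the etc_t suppression narrow preserves more visibility), a one-line `#` comment on the `dontaudit $1 etc_t:file { getattr read };` rule saying so would stop the next reshuffle from "harmonising" it. The enclosing Gentoo-specific section starts before the hunk, and the hunk is repeated verbatim in the two later copies of this mail (bitcoin and next branches).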
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1416679478.f65b4a5c66cee88e554361b57195a47e21b90d9d.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/files.if X-VCS-Directories: policy/modules/kernel/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: f65b4a5c66cee88e554361b57195a47e21b90d9d X-VCS-Branch: bitcoin Date: Sun, 23 Nov 2014 14:06:11 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 4de47d2f-28ca-43a8-99d8-fe03192f5fb2 X-Archives-Hash: 3d6d320b58b2cc25a025dbba531951df Message-ID: <20141123140611.8KoGySxrFpCgEm7cmdqypM10P2okEz9P5fPsBxvo5JM@z> commit: f65b4a5c66cee88e554361b57195a47e21b90d9d Author: Sven Vermeulen siphos be> AuthorDate: Sat Nov 22 18:04:38 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sat Nov 22 18:04:38 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f65b4a5c Reshuffle to better match upstream --- policy/modules/kernel/files.if | 285 ++++++++++++++++++++--------------------- 1 file changed, 142 insertions(+), 143 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index fd1f8e9..dd16f74 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1450,7 +1450,6 @@ interface(`files_relabel_non_auth_files',` # to allow files_relabel_non_auth_files to be an optional setting (tunable). ') - ############################################# ## ## Manage all configuration directories on filesystem 
@@ -1604,6 +1603,24 @@ interface(`files_setattr_all_mountpoints',` ######################################## ## +## Do not audit attempts to set the attributes on all mount points. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_setattr_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + dontaudit $1 mountpoint:dir setattr; +') + +######################################## +## ## Search all mount points. ## ## @@ -1676,11 +1693,11 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## -## Do not audit write attempts on mount points. +## Do not audit attempts to write to mount points. ## ## ## -## Domain to ignore write attempts from +## Domain to not audit. ## ## # @@ -1694,24 +1711,6 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## -## Do not audit setattr attempts on mount points. -## -## -## -## Domain to ignore setattr attempts from -## -## -# -interface(`files_dontaudit_setattr_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') - - dontaudit $1 mountpoint:dir setattr; -') - -######################################## -## ## List the contents of the root directory. ## ## @@ -2669,25 +2668,6 @@ interface(`files_manage_etc_dirs',` ######################################## ## -## Do not audit attempts to read files -## in /etc -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_read_etc_files',` - gen_require(` - type etc_t; - ') - - dontaudit $1 etc_t:file { getattr read }; -') - -######################################## -## ## Read generic files in /etc. ## ## 
@@ -3003,24 +2983,6 @@ interface(`files_dontaudit_setattr_etc_runtime_files',` ######################################## ## -## Do not audit attempts to read etc_runtime resources -## -## -## -## Domain allowed access. -## -## -# -interface(`files_dontaudit_read_etc_runtime',` - gen_require(` - type etc_runtime_t; - ') - - dontaudit $1 etc_runtime_t:file read_file_perms; -') - -######################################## -## ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## @@ -3142,26 +3104,6 @@ interface(`files_manage_etc_runtime_files',` ######################################## ## -## Create, read, write, and delete symbolic links in -## /etc that are dynamically created on boot. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_etc_runtime_lnk_files',` - gen_require(` - type etc_t, etc_runtime_t; - ') - - manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) -') - -######################################## -## ## Create, etc runtime objects with an automatic ## type transition. ## @@ -5660,6 +5602,24 @@ interface(`files_manage_mounttab',` ######################################## ## +## Set the attributes of the generic lock directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_lock_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + setattr_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## ## Search the locks directory (/var/lock). ## ## @@ -5738,11 +5698,11 @@ interface(`files_rw_lock_dirs',` ######################################## ## -## Create lock directories. +## Create lock directories ## ## -## -## Domain allowed access. +## +## Domain allowed access ## ## # @@ -5756,7 +5716,6 @@ interface(`files_create_lock_dirs',` create_dirs_pattern($1, var_lock_t, var_lock_t) ') - ######################################## ## ## Relabel to and from all lock directory types. 
@@ -5802,24 +5761,6 @@ interface(`files_getattr_generic_locks',` ######################################## ## -## Set the attributes of generic lock directories -## -## -## -## Domain allowed access. -## -## -# -interface(`files_setattr_lock_dirs',` - gen_require(` - type var_t, var_lock_t; - ') - - setattr_dirs_pattern($1, var_t, var_lock_t) -') - -######################################## -## ## Delete generic lock files. ## ## @@ -6101,29 +6042,6 @@ interface(`files_write_generic_pid_pipes',` allow $1 var_run_t:lnk_file read_lnk_file_perms; allow $1 var_run_t:fifo_file write; ') -######################################## -## -## Write dirs in /var/run with the lock file type -## -## -## -## Domain allowed access. -## -## -## -## -## Name of the directory that the file transition will work on -## -## -# -interface(`files_pid_filetrans_lock_dir',` - gen_require(` - type var_t, var_run_t; - ') - - files_pid_filetrans($1, var_lock_t, dir, $2) -') - ######################################## ## @@ -6189,6 +6107,29 @@ interface(`files_pid_filetrans',` ######################################## ## +## Create a generic lock directory within the run directories +## +## +## +## Domain allowed access +## +## +## +## +## The name of the object being created. +## +## +# +interface(`files_pid_filetrans_lock_dir',` + gen_require(` + type var_lock_t; + ') + + files_pid_filetrans($1, var_lock_t, dir, $2) +') + +######################################## +## ## Read and write generic process ID files. ## ## @@ -6291,26 +6232,6 @@ interface(`files_read_all_pids',` ######################################## ## -## Create PID directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_pid_dirs',` - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - create_dirs_pattern($1, var_run_t, var_run_t) -') - -######################################## -## ## Delete all process IDs. ## ## 
@@ -6623,6 +6544,84 @@ interface(`files_unconfined',` # should be in an ifdef distro_gentoo but cannot do so for interfaces +######################################## +## +## Create PID directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_pid_dirs',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + create_dirs_pattern($1, var_run_t, var_run_t) +') + +######################################## +## +## Create, read, write, and delete symbolic links in +## /etc that are dynamically created on boot. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_manage_etc_runtime_lnk_files',` + gen_require(` + type etc_t, etc_runtime_t; + ') + + manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) +') + +######################################## +## +## Do not audit attempts to read etc_runtime resources +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_read_etc_runtime',` + gen_require(` + type etc_runtime_t; + ') + + dontaudit $1 etc_runtime_t:file read_file_perms; +') + +######################################## +## +## Do not audit attempts to read files +## in /etc +## +## +## +## Domain to not audit. 
+## +## +# +interface(`files_dontaudit_read_etc_files',` + gen_require(` + type etc_t; + ') + + dontaudit $1 etc_t:file { getattr read }; +') + + ######################################### ## ## List usr/src files From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 6A7841389E2 for ; Fri, 28 Nov 2014 10:04:07 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6849EE087B; Fri, 28 Nov 2014 10:04:06 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id B8C24E087B for ; Fri, 28 Nov 2014 10:04:05 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 9CCF63403FF for ; Fri, 28 Nov 2014 10:04:04 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 43898B143 for ; Fri, 28 Nov 2014 10:04:03 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1416679478.f65b4a5c66cee88e554361b57195a47e21b90d9d.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/files.if X-VCS-Directories: policy/modules/kernel/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: f65b4a5c66cee88e554361b57195a47e21b90d9d X-VCS-Branch: next Date: Fri, 28 Nov 2014 10:04:03 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: dc949322-9f54-415d-9d87-1c3f3b910b6b X-Archives-Hash: ca1d0f922ac4df2167a20f3435bda8db Message-ID: <20141128100403.LQl_vPNFH3-GiucjJU_4vd_ajhPkxA1JiX0ZT_EmD34@z> commit: f65b4a5c66cee88e554361b57195a47e21b90d9d Author: Sven Vermeulen siphos be> AuthorDate: Sat Nov 22 18:04:38 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sat Nov 22 18:04:38 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f65b4a5c Reshuffle to better match upstream --- policy/modules/kernel/files.if | 285 ++++++++++++++++++++--------------------- 1 file changed, 142 insertions(+), 143 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index fd1f8e9..dd16f74 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1450,7 +1450,6 @@ interface(`files_relabel_non_auth_files',` # to allow files_relabel_non_auth_files to be an optional setting (tunable). ') - ############################################# ## ## Manage all configuration directories on filesystem 
@@ -1604,6 +1603,24 @@ interface(`files_setattr_all_mountpoints',` ######################################## ## +## Do not audit attempts to set the attributes on all mount points. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_setattr_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + dontaudit $1 mountpoint:dir setattr; +') + +######################################## +## ## Search all mount points. ## ## @@ -1676,11 +1693,11 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## -## Do not audit write attempts on mount points. +## Do not audit attempts to write to mount points. ## ## ## -## Domain to ignore write attempts from +## Domain to not audit. ## ## # @@ -1694,24 +1711,6 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## -## Do not audit setattr attempts on mount points. -## -## -## -## Domain to ignore setattr attempts from -## -## -# -interface(`files_dontaudit_setattr_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') - - dontaudit $1 mountpoint:dir setattr; -') - -######################################## -## ## List the contents of the root directory. ## ## @@ -2669,25 +2668,6 @@ interface(`files_manage_etc_dirs',` ######################################## ## -## Do not audit attempts to read files -## in /etc -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_read_etc_files',` - gen_require(` - type etc_t; - ') - - dontaudit $1 etc_t:file { getattr read }; -') - -######################################## -## ## Read generic files in /etc. ## ## 
@@ -3003,24 +2983,6 @@ interface(`files_dontaudit_setattr_etc_runtime_files',` ######################################## ## -## Do not audit attempts to read etc_runtime resources -## -## -## -## Domain allowed access. -## -## -# -interface(`files_dontaudit_read_etc_runtime',` - gen_require(` - type etc_runtime_t; - ') - - dontaudit $1 etc_runtime_t:file read_file_perms; -') - -######################################## -## ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## @@ -3142,26 +3104,6 @@ interface(`files_manage_etc_runtime_files',` ######################################## ## -## Create, read, write, and delete symbolic links in -## /etc that are dynamically created on boot. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`files_manage_etc_runtime_lnk_files',` - gen_require(` - type etc_t, etc_runtime_t; - ') - - manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) -') - -######################################## -## ## Create, etc runtime objects with an automatic ## type transition. ## @@ -5660,6 +5602,24 @@ interface(`files_manage_mounttab',` ######################################## ## +## Set the attributes of the generic lock directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_lock_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + setattr_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## ## Search the locks directory (/var/lock). ## ## @@ -5738,11 +5698,11 @@ interface(`files_rw_lock_dirs',` ######################################## ## -## Create lock directories. +## Create lock directories ## ## -## -## Domain allowed access. +## +## Domain allowed access ## ## # @@ -5756,7 +5716,6 @@ interface(`files_create_lock_dirs',` create_dirs_pattern($1, var_lock_t, var_lock_t) ') - ######################################## ## ## Relabel to and from all lock directory types. 
@@ -5802,24 +5761,6 @@ interface(`files_getattr_generic_locks',` ######################################## ## -## Set the attributes of generic lock directories -## -## -## -## Domain allowed access. -## -## -# -interface(`files_setattr_lock_dirs',` - gen_require(` - type var_t, var_lock_t; - ') - - setattr_dirs_pattern($1, var_t, var_lock_t) -') - -######################################## -## ## Delete generic lock files. ## ## @@ -6101,29 +6042,6 @@ interface(`files_write_generic_pid_pipes',` allow $1 var_run_t:lnk_file read_lnk_file_perms; allow $1 var_run_t:fifo_file write; ') -######################################## -## -## Write dirs in /var/run with the lock file type -## -## -## -## Domain allowed access. -## -## -## -## -## Name of the directory that the file transition will work on -## -## -# -interface(`files_pid_filetrans_lock_dir',` - gen_require(` - type var_t, var_run_t; - ') - - files_pid_filetrans($1, var_lock_t, dir, $2) -') - ######################################## ## @@ -6189,6 +6107,29 @@ interface(`files_pid_filetrans',` ######################################## ## +## Create a generic lock directory within the run directories +## +## +## +## Domain allowed access +## +## +## +## +## The name of the object being created. +## +## +# +interface(`files_pid_filetrans_lock_dir',` + gen_require(` + type var_lock_t; + ') + + files_pid_filetrans($1, var_lock_t, dir, $2) +') + +######################################## +## ## Read and write generic process ID files. ## ## @@ -6291,26 +6232,6 @@ interface(`files_read_all_pids',` ######################################## ## -## Create PID directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_pid_dirs',` - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - create_dirs_pattern($1, var_run_t, var_run_t) -') - -######################################## -## ## Delete all process IDs. ## ## 
@@ -6623,6 +6544,84 @@ interface(`files_unconfined',` # should be in an ifdef distro_gentoo but cannot do so for interfaces +######################################## +## +## Create PID directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_pid_dirs',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + create_dirs_pattern($1, var_run_t, var_run_t) +') + +######################################## +## +## Create, read, write, and delete symbolic links in +## /etc that are dynamically created on boot. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_manage_etc_runtime_lnk_files',` + gen_require(` + type etc_t, etc_runtime_t; + ') + + manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) +') + +######################################## +## +## Do not audit attempts to read etc_runtime resources +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_read_etc_runtime',` + gen_require(` + type etc_runtime_t; + ') + + dontaudit $1 etc_runtime_t:file read_file_perms; +') + +######################################## +## +## Do not audit attempts to read files +## in /etc +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_read_etc_files',` + gen_require(` + type etc_t; + ') + + dontaudit $1 etc_t:file { getattr read }; +') + + ######################################### ## ## List usr/src files