From: guido@trentalancia.com (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC 6/19]: patch set to update the git reference policy
Date: Mon, 24 Jan 2011 01:44:05 +0100 [thread overview]
Message-ID: <1295829845.3862.65.camel@tesla.lan> (raw)
diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-new/policy/modules/kernel/files.if
--- refpolicy-git-18012011/policy/modules/kernel/files.if 2011-01-08 19:07:21.203735196 +0100
+++ refpolicy-git-18012011-new/policy/modules/kernel/files.if 2011-01-18 23:13:49.759847386 +0100
@@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`
########################################
## <summary>
+## Set the attributes of the /bin directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_bin_dirs',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Search the content of /bin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_bin',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of files in /bin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ getattr_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Read generic files in /bin.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read generic
+## files in /bin. These files are various program
+## files that do not have more specific SELinux types.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_read_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir list_dir_perms;
+ read_files_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Execute generic programs in /bin in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir list_dir_perms;
+ exec_files_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Read symbolic links in /bin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_bin_symlinks',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
## Set the attributes of the /usr directory.
## </summary>
## <param name="domain">
@@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',`
########################################
## <summary>
-## Search the content of /etc.
+## Search the content of /usr.
## </summary>
## <param name="domain">
## <summary>
@@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',`
')
########################################
+## <summary>
+## Get the attributes of the /var/log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_var_log_dirs',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ getattr_dirs_pattern($1, var_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Search the /var/log directory.
+## </summary>
+## <desc>
+## <p>
+## Search the /var/log directory. This is
+## necessary to access files or directories under
+## /var/log that have a private type. For example, a
+## domain accessing a private log file in the
+## /var/log directory:
+## </p>
+## <p>
+## allow mydomain_t mylogfile_t:file read_file_perms;
+## files_search_var_log(mydomain_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_search_var_log',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ search_dirs_pattern($1, var_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## contents of /var/log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_dontaudit_search_var_log',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ dontaudit $1 var_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of the /var/log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_var_log',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ list_dirs_pattern($1, var_t, var_log_t)
+')
+
+###########################################
+## <summary>
+## Read-write /var/log directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_var_log_dirs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ rw_dirs_pattern($1, var_log_t, var_log_t)
+')
+
+###########################################
+## <summary>
+## Append to files in the /var/log directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_var_log_append',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ append_files_pattern($1, var_log_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Create objects in the /var/log directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+#
+interface(`files_var_log_filetrans',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read generic files in /var/log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_log_files',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ allow $1 var_log_t:dir list_dir_perms;
+ read_files_pattern($1, { var_t var_log_t }, var_log_t)
+')
+
+########################################
+## <summary>
+## Read generic symbolic links in /var/log
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_log_symlinks',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t)
+')
+
+########################################
## <summary>
## Search the locks directory (/var/lock).
## </summary>
diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-new/policy/modules/kernel/kernel.if
--- refpolicy-git-18012011/policy/modules/kernel/kernel.if 2011-01-17 19:36:10.808130722 +0100
+++ refpolicy-git-18012011-new/policy/modules/kernel/kernel.if 2011-01-19 18:48:36.830593580 +0100
@@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro
########################################
## <summary>
+## Allows to search the base
+## directory of sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_search_sysctl',`
+ gen_require(`
+ type sysctl_t;
+ ')
+
+ allow $1 sysctl_t:dir search;
+')
+
+########################################
+## <summary>
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
@@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
')
########################################
+## <summary>
+## Allow caller to search filesystem sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_search_fs_sysctl',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_fs_t;
+ ')
+
+ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
+')
+
+########################################
## <summary>
## Read filesystem sysctls.
## </summary>
next reply other threads:[~2011-01-24 0:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-24 0:44 Guido Trentalancia [this message]
2011-01-24 14:15 ` [refpolicy] [PATCH/RFC 6/19]: patch set to update the git reference policy Dominick Grift
2011-01-26 17:20 ` Guido Trentalancia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1295829845.3862.65.camel@tesla.lan \
--to=guido@trentalancia.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.