-rw-r--r-- | src/dev/nodedev.cil | 6 | ||||
-rw-r--r-- | src/dev/nodedev/fbnodedev.cil | 4 | ||||
-rw-r--r-- | src/dev/nodedev/hidrawnodedev.cil | 4 | ||||
-rw-r--r-- | src/dev/nodedev/inputnodedev.cil | 5 | ||||
-rw-r--r-- | src/dev/nodedev/rfkillnodedev.cil | 4 | ||||
-rw-r--r-- | src/dev/nodedev/usbnodedev.cil | 5 | ||||
-rw-r--r-- | src/dev/stordev.cil | 6 | ||||
-rw-r--r-- | src/dev/termdev/ptytermdev.cil | 2 | ||||
-rw-r--r-- | src/dev/termdev/serialtermdev.cil | 2 | ||||
-rw-r--r-- | src/file.cil | 5 | ||||
-rw-r--r-- | src/file/authfile.cil | 2 | ||||
-rw-r--r-- | src/file/datafile/execfile.cil | 15 | ||||
-rw-r--r-- | src/file/secfile.cil | 2 | ||||
-rw-r--r-- | src/file/tmpfile.cil | 4 | ||||
-rw-r--r-- | src/fs.cil | 2 | ||||
-rw-r--r-- | src/fs/noseclabelfs.cil | 5 | ||||
-rw-r--r-- | src/fs/seclabelfs/mqueueseclabelfs.cil | 4 | ||||
-rw-r--r-- | src/invalid.cil | 2 | ||||
-rw-r--r-- | src/misc.cil | 22 | ||||
-rw-r--r-- | src/unlabeled.cil | 2 |
20 files changed, 81 insertions, 22 deletions
diff --git a/src/dev/nodedev.cil b/src/dev/nodedev.cil
index b681759..8a01e70 100644
--- a/src/dev/nodedev.cil
+++ b/src/dev/nodedev.cil
@@ -3,14 +3,14 @@ (block nodedev
+ (macro mounton_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr mounton_chr_file))
+
 (macro type ((type ARG1))
 (typeattributeset typeattr ARG1))
 (typeattribute typeattr)
- (macro mounton_all_chr_files ((type ARG1))
- (allow ARG1 typeattr mounton_chr_file))
- (blockinherit .file.all_macro_template_chr_files)
 (call .dev.type (typeattr))
diff --git a/src/dev/nodedev/fbnodedev.cil b/src/dev/nodedev/fbnodedev.cil
index 47d670c..b722c33 100644
--- a/src/dev/nodedev/fbnodedev.cil
+++ b/src/dev/nodedev/fbnodedev.cil
@@ -5,4 +5,6 @@ (filecon "/dev/fb([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/hidrawnodedev.cil b/src/dev/nodedev/hidrawnodedev.cil
index 3ca398f..5890de8 100644
--- a/src/dev/nodedev/hidrawnodedev.cil
+++ b/src/dev/nodedev/hidrawnodedev.cil
@@ -5,4 +5,6 @@ (filecon "/dev/hidraw[0-9]+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/inputnodedev.cil b/src/dev/nodedev/inputnodedev.cil
index c68115a..3d0572d 100644
--- a/src/dev/nodedev/inputnodedev.cil
+++ b/src/dev/nodedev/inputnodedev.cil
@@ -6,5 +6,8 @@ (filecon "/dev/input/js([0-9]+)?" char nodedev_context)
 (filecon "/dev/input/mice" char nodedev_context)
 (filecon "/dev/input/mouse([0-9]+)?" char nodedev_context)
+ (filecon "/dev/psaux" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/rfkillnodedev.cil b/src/dev/nodedev/rfkillnodedev.cil
index 712cb21..4cd67b6 100644
--- a/src/dev/nodedev/rfkillnodedev.cil
+++ b/src/dev/nodedev/rfkillnodedev.cil
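Review bot: The new `(call .rbacsep.exempt.obj.type (nodedev))` in fbnodedev.cil appears to exempt the framebuffer device type from the RBAC separation scheme, and nothing in the hunk records why; the same unexplained exemption is added in hidrawnodedev.cil, inputnodedev.cil, rfkillnodedev.cil, usbnodedev.cil, tmpfile.cil (`file`) and mqueueseclabelfs.cil (`fs`). An exemption widens which roles can reach these objects, so a one-line rationale next to each call would let a later reviewer tell a deliberate shared-device exemption from a leftover, e.g. `; rbacsep exempt: <reason this object type must be reachable across role boundaries>`. The enclosing block starts outside the hunk.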
@@ -5,4 +5,6 @@ (filecon "/dev/rfkill" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/usbnodedev.cil b/src/dev/nodedev/usbnodedev.cil
index 2432b6a..ce2c7ab 100644
--- a/src/dev/nodedev/usbnodedev.cil
+++ b/src/dev/nodedev/usbnodedev.cil
@@ -4,5 +4,8 @@ (block usb
 (filecon "/dev/bus/usb/.+" char nodedev_context)
+ (filecon "/dev/usb.+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/stordev.cil b/src/dev/stordev.cil
index 8611ec6..f13d9f3 100644
--- a/src/dev/stordev.cil
+++ b/src/dev/stordev.cil
@@ -3,14 +3,14 @@ (block stordev
+ (macro mounton_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr mounton_chr_file))
+
 (macro type ((type ARG1))
 (typeattributeset typeattr ARG1))
 (typeattribute typeattr)
- (macro mounton_all_chr_files ((type ARG1))
- (allow ARG1 typeattr mounton_chr_file))
- (blockinherit .file.all_macro_template_blk_files)
 (blockinherit .file.all_macro_template_chr_files)
diff --git a/src/dev/termdev/ptytermdev.cil b/src/dev/termdev/ptytermdev.cil
index 4fb7d61..97aed95 100644
--- a/src/dev/termdev/ptytermdev.cil
+++ b/src/dev/termdev/ptytermdev.cil
@@ -98,7 +98,7 @@ (typeattribute typeattr)
- (allow typeattr ptytermdev.typeattr (chr_file (not (execmod mounton))))))
+ (allow typeattr ptytermdev.typeattr (chr_file (not (audit_access execmod))))))
 (in after ptytermdev.appendinherited_all_chr_files
 (allowx ARG1 typeattr IOCTLCONSOLE)
diff --git a/src/dev/termdev/serialtermdev.cil b/src/dev/termdev/serialtermdev.cil
index 0f04101..afb7aac 100644
--- a/src/dev/termdev/serialtermdev.cil
+++ b/src/dev/termdev/serialtermdev.cil
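Review bot: The added `(filecon "/dev/usb.+" char nodedev_context)` in usbnodedev.cil is broader than its name suggests: file-context patterns are anchored at both ends and `.` also matches `/`, so it covers the whole `/dev/usb/` subtree (for example `/dev/usb/lp0` or `/dev/usb/hiddev0`) as well as top-level nodes such as `/dev/usbmon0`. If only the top-level nodes are meant, `(filecon "/dev/usb[^/]+" char nodedev_context)` is the narrower form; if the subtree is intended, a comment saying so would stop a later contributor from splitting it, since the printer nodes under `/dev/usb/lp*` may warrant their own label. The enclosing block starts outside the hunk.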
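Review bot: The rewritten exclusion in ptytermdev.cil changes two permissions at once: `mounton` leaves the `(not ...)` set, so `typeattr` now gets `mounton` (using the device node as a mount point) on `ptytermdev.typeattr` chr_files, while `audit_access` enters it and is newly withheld. The hunk, and the identical one in serialtermdev.cil, does not say which of the two is the motivating change; the `mounton_all_chr_files` macros moved in nodedev.cil and stordev.cil suggest the mounton grant is deliberate, but that is inference. A comment such as `; mounton permitted: <reason>; audit_access withheld as in the other chr_file grants` on the new line would record the decision. The enclosing block starts outside the hunk.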
@@ -97,7 +97,7 @@ (typeattribute typeattr)
- (allow typeattr serialtermdev.typeattr (chr_file (not (execmod mounton))))))
+ (allow typeattr serialtermdev.typeattr (chr_file (not (audit_access execmod))))))
 (in after serialtermdev.appendinherited_all_chr_files
 (allowx ARG1 typeattr IOCTLCONSOLE)
diff --git a/src/file.cil b/src/file.cil
index 69e92d8..a393021 100644
--- a/src/file.cil
+++ b/src/file.cil
@@ -3,6 +3,11 @@ (block file
+ (macro anon_file_type_transition
+ ((type ARG1)(type ARG2)(class ARG3)(name ARG4)(type ARG5))
+ (typetransition ARG1 ARG2 ARG3 ARG4 ARG5)
+ (allow ARG1 ARG2 addname_dir))
+
 (macro type ((type ARG1))
 (typeattributeset typeattr ARG1))
diff --git a/src/file/authfile.cil b/src/file/authfile.cil
index a458691..a18fabd 100644
--- a/src/file/authfile.cil
+++ b/src/file/authfile.cil
@@ -19,7 +19,7 @@ (typeattribute typeattr)
- (call exception.type (typeattr))
+ (call file.exception.type (typeattr))
 (call .xattr.associate_fs (typeattr))
diff --git a/src/file/datafile/execfile.cil b/src/file/datafile/execfile.cil
index e7926a2..36a66bc 100644
--- a/src/file/datafile/execfile.cil
+++ b/src/file/datafile/execfile.cil
@@ -20,6 +20,15 @@ (macro map_all_files ((type ARG1))
 (allow ARG1 typeattr (file (map))))
+ (macro subj_range_transition ((type ARG1)(levelrange ARG2))
+ (rangetransition ARG1 typeattr process ARG2))
+
+ (macro subj_role_transition ((role ARG1)(role ARG2))
+ (roletransition ARG1 typeattr process ARG2))
+
+ (macro subj_type_transition ((type ARG1)(type ARG2))
+ (typetransition ARG1 typeattr process ARG2))
+
 (macro type ((type ARG1))
 (typeattributeset typeattr ARG1))
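Review bot: The new `anon_file_type_transition` macro in file.cil pairs the named `typetransition` with only `(allow ARG1 ARG2 addname_dir)`, so a caller still has to grant ARG1 the create permission on ARG5 for class ARG3 (plus whatever else that object class needs) or the transition is declared but can never fire; the macro should say so. A header comment along the lines of `; named transition: ARG1 creating an ARG3 object literally named ARG4 in an ARG2 dir gets type ARG5; grants addname_dir only, caller grants create on ARG5` would make that contract explicit. Since the parameter is declared `(name ARG4)`, it is also worth noting in that comment that the match is on the literal final path component, not a pattern.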
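Review bot: The three new `subj_*_transition` macros in the first execfile.cil hunk key the transition on the `typeattr` attribute rather than on one type, so a calling domain receives that range, role or type transition for every exec-file type the attribute ever collects. For `subj_type_transition` in particular, a domain that uses this attribute-wide macro cannot also carry a type-specific transition for one of those exec types, because after expansion the same (source, target, process) key would have two default types, which libsepol typically rejects as a conflicting TE rule. A comment above the group, e.g. `; attribute-wide transitions: apply to every execfile type; do not combine with per-type transitions for the same domain`, would spare callers that build error; the per-type counterparts added in the second hunk (target `file`) are the usual choice.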
@@ -52,6 +61,12 @@ (macro map_file_files ((type ARG1))
 (allow ARG1 file (file (map))))
+ (macro subj_range_transition ((type ARG1)(levelrange ARG2))
+ (rangetransition ARG1 file process ARG2))
+
+ (macro subj_role_transition ((role ARG1)(role ARG2))
+ (roletransition ARG1 file process ARG2))
+
 (macro subj_type_transition ((type ARG1)(type ARG2))
 (typetransition ARG1 file process ARG2))
diff --git a/src/file/secfile.cil b/src/file/secfile.cil
index 199ded5..cef5825 100644
--- a/src/file/secfile.cil
+++ b/src/file/secfile.cil
@@ -19,7 +19,7 @@ (typeattribute typeattr)
- (call exception.type (typeattr))
+ (call file.exception.type (typeattr))
 (call .xattr.associate_fs (typeattr))
diff --git a/src/file/tmpfile.cil b/src/file/tmpfile.cil
index 1d84880..a0e91c1 100644
--- a/src/file/tmpfile.cil
+++ b/src/file/tmpfile.cil
@@ -3,7 +3,9 @@ (in tmp
- (blockinherit .file.tmp.template))
+ (blockinherit .file.tmp.template)
+
+ (call .rbacsep.exempt.obj.type (file)))
 (in file
@@ -586,7 +586,7 @@ (allow typeattr fs.typeattr
 (lnk_file (not (audit_access execmod map mounton))))
 (allow typeattr fs.typeattr
- (sock_file (not (audit_access execmod map mounton))))))
+ (sock_file (not (audit_access execmod map))))))
 (in invalid.unconfined
diff --git a/src/fs/noseclabelfs.cil b/src/fs/noseclabelfs.cil
index 6701423..7eccbbe 100644
--- a/src/fs/noseclabelfs.cil
+++ b/src/fs/noseclabelfs.cil
@@ -8,6 +8,11 @@ (typeattribute typeattr)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_fifo_files)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+ (blockinherit .file.all_macro_template_sock_files)
 (blockinherit .fs.all_macro_template_fs)
 (allow typeattr self (filesystem (associate)))
diff --git a/src/fs/seclabelfs/mqueueseclabelfs.cil b/src/fs/seclabelfs/mqueueseclabelfs.cil
index 553389f..e7586b7 100644
--- a/src/fs/seclabelfs/mqueueseclabelfs.cil
+++ b/src/fs/seclabelfs/mqueueseclabelfs.cil
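Review bot: The rewritten `sock_file` rule in the `@@ -586,7 +586,7 @@` hunk (which the diffstat attributes to src/fs.cil; its `diff --git` header appears to be missing from this page) drops `mounton` from the excluded set while the preceding `lnk_file` rule keeps excluding it, so `typeattr` now gets `mounton` on `fs.typeattr` sock_files but still not on lnk_files. The same asymmetric widening is made in invalid.cil and unlabeled.cil against the fail-safe `.invalid` and `.unlabeled` types, where a new grant deserves an explicit justification. A short comment on the changed line, e.g. `; mounton on sock_file only: <reason>; lnk_file stays excluded`, would record why the two classes now differ. The enclosing block starts outside the hunk.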
@@ -7,4 +7,6 @@ (blockinherit .fs.macro_template_dirs)
 (blockinherit .fs.macro_template_files)
- (blockinherit .seclabelfs.template))
+ (blockinherit .seclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/invalid.cil b/src/invalid.cil
index b11a4e0..c5c20be 100644
--- a/src/invalid.cil
+++ b/src/invalid.cil
@@ -434,7 +434,7 @@ (allow typeattr .invalid
 (lnk_file (not (audit_access execmod map mounton relabelto))))
 (allow typeattr .invalid
- (sock_file (not (audit_access execmod map mounton relabelto))))))
+ (sock_file (not (audit_access execmod map relabelto))))))
 (in unconfined
diff --git a/src/misc.cil b/src/misc.cil
index e9f423c..9e8e796 100644
--- a/src/misc.cil
+++ b/src/misc.cil
@@ -28,23 +28,40 @@ (in cert
+ (filecon "/etc/ca-certificates" dir file_context)
+ (filecon "/etc/ca-certificates/.*" any file_context)
+
+ (filecon "/etc/ca-certificates\.conf" file file_context)
+ (filecon "/etc/ca-certificates\.conf\..*" file file_context)
+ (filecon "/etc/pki" dir file_context)
 (filecon "/etc/pki/.*" any file_context)
 (filecon "/etc/ssl" dir file_context)
 (filecon "/etc/ssl/.*" any file_context)
+ (filecon "/usr/share/ca-certificates" dir file_context)
+ (filecon "/usr/share/ca-certificates/.*" any file_context)
+ (filecon "/usr/share/pki" dir file_context)
 (filecon "/usr/share/pki/.*" any file_context)
 (macro conf_file_type_transition_file ((type ARG1))
 (call .conf.file_type_transition
+ (ARG1 file dir "ca-certificates"))
+ (call .conf.file_type_transition
 (ARG1 file dir "pki"))
 (call .conf.file_type_transition
- (ARG1 file dir "ssl")))
+ (ARG1 file dir "ssl"))
+ (call .conf.file_type_transition
+ (ARG1 file file "ca-certificates.conf"))
+ (call .conf.file_type_transition
+ (ARG1 file file "ca-certificates.conf.dpkg-new")))
 (macro data_file_type_transition_file ((type ARG1))
 (call .data.file_type_transition
+ (ARG1 file dir "ca-certificates"))
+ (call .data.file_type_transition
 (ARG1 file dir "pki"))))
 (in cgroup
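Review bot: In the misc.cil `cert` hunk the file-context pattern `/etc/ca-certificates\.conf\..*` labels every suffixed variant, but the only named transition added for such variants is `"ca-certificates.conf.dpkg-new"`; typetransition names are literal, so a variant such as `ca-certificates.conf.dpkg-old` or `.dpkg-dist`, if the package manager also creates those in place, would get the right label on relabel but not at creation time. If such variants are expected they need their own `(call .conf.file_type_transition (ARG1 file file "<suffixed variant>"))` entries; if not, a comment stating that only the dpkg-new temporary is written in place would explain why the regex is wider than the single transition.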
@@ -415,6 +432,7 @@ (in media
 (filecon "/media" dir file_context)
+ (filecon "/media/cdrom" symlink file_context)
 (filecon "/media/.*" any ())
 (filecon "/mnt" dir file_context)
@@ -694,4 +712,4 @@ (typealias rpm_script_t)
 (typealiasactual rpm_script_t sys.subj)
-(tunable xserver_object_manager false)
+(boolean xserver_object_manager false)
diff --git a/src/unlabeled.cil b/src/unlabeled.cil
index 1703472..bccde44 100644
--- a/src/unlabeled.cil
+++ b/src/unlabeled.cil
@@ -375,7 +375,7 @@ (allow typeattr .unlabeled
 (lnk_file (not (audit_access execmod map mounton relabelto))))
 (allow typeattr .unlabeled
- (sock_file (not (audit_access execmod map mounton relabelto))))))
+ (sock_file (not (audit_access execmod map relabelto))))))
 (in unconfined |
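Review bot: `(boolean xserver_object_manager false)` in the `@@ -694,4 +712,4 @@` hunk turns a build-time `tunable` into a runtime-togglable boolean, so the setting can now be flipped on a live system by any subject permitted to manage booleans and its current value becomes part of what an auditor has to check, rather than being fixed at policy build. Every `(tunableif xserver_object_manager ...)` consumer elsewhere must become `(booleanif ...)` for the policy to compile, and none of them are shown in this hunk, so that is worth confirming. A comment on the new line, e.g. `; runtime boolean (not tunable): <reason it must be switchable without a policy rebuild>`, would record why the change was made.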