Diffstat (limited to 'src')
-rw-r--r--src/dev/nodedev.cil6
-rw-r--r--src/dev/nodedev/fbnodedev.cil4
-rw-r--r--src/dev/nodedev/hidrawnodedev.cil4
-rw-r--r--src/dev/nodedev/inputnodedev.cil5
-rw-r--r--src/dev/nodedev/rfkillnodedev.cil4
-rw-r--r--src/dev/nodedev/usbnodedev.cil5
-rw-r--r--src/dev/stordev.cil6
-rw-r--r--src/dev/termdev/ptytermdev.cil2
-rw-r--r--src/dev/termdev/serialtermdev.cil2
-rw-r--r--src/file.cil5
-rw-r--r--src/file/authfile.cil2
-rw-r--r--src/file/datafile/execfile.cil15
-rw-r--r--src/file/secfile.cil2
-rw-r--r--src/file/tmpfile.cil4
-rw-r--r--src/fs.cil2
-rw-r--r--src/fs/noseclabelfs.cil5
-rw-r--r--src/fs/seclabelfs/mqueueseclabelfs.cil4
-rw-r--r--src/invalid.cil2
-rw-r--r--src/misc.cil22
-rw-r--r--src/unlabeled.cil2
20 files changed, 81 insertions, 22 deletions
diff --git a/src/dev/nodedev.cil b/src/dev/nodedev.cil
index b681759..8a01e70 100644
--- a/src/dev/nodedev.cil
+++ b/src/dev/nodedev.cil
@@ -3,14 +3,14 @@
(block nodedev
+ (macro mounton_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr mounton_chr_file))
+
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
- (macro mounton_all_chr_files ((type ARG1))
- (allow ARG1 typeattr mounton_chr_file))
-
(blockinherit .file.all_macro_template_chr_files)
(call .dev.type (typeattr))
diff --git a/src/dev/nodedev/fbnodedev.cil b/src/dev/nodedev/fbnodedev.cil
index 47d670c..b722c33 100644
--- a/src/dev/nodedev/fbnodedev.cil
+++ b/src/dev/nodedev/fbnodedev.cil
@@ -5,4 +5,6 @@
(filecon "/dev/fb([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
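Review bot: The new `(call .rbacsep.exempt.obj.type (nodedev))` carries no comment saying why framebuffer nodes should be exempt from role-based separation, and the same bare call is repeated in the hidraw, input, rfkill and usb blocks of this commit. Presumably the exemption removes these object types from the rbacsep constraints so subjects of different roles can share the nodes; the macro body is not in the diff, so that is inferred. If that is the intent, state it once above the call, e.g. `; rbacsep exempt: device nodes are shared by every role`, so a later audit of the separation policy does not have to reconstruct the reasoning.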
diff --git a/src/dev/nodedev/hidrawnodedev.cil b/src/dev/nodedev/hidrawnodedev.cil
index 3ca398f..5890de8 100644
--- a/src/dev/nodedev/hidrawnodedev.cil
+++ b/src/dev/nodedev/hidrawnodedev.cil
@@ -5,4 +5,6 @@
(filecon "/dev/hidraw[0-9]+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
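Review bot: Exempting hidraw nodes from rbacsep deserves its own justification rather than a silent copy of the framebuffer change: hidraw devices typically expose raw HID reports, which for keyboards carry keystrokes, so letting subjects of different roles reach the same node weakens separation more than it does for /dev/fb*. If the exemption is required because a device manager and the session role both need the node, a comment such as `; rbacsep exempt: <reason>` with the actual reason would let the next reviewer weigh the tradeoff. The effect of `.rbacsep.exempt.obj.type` is inferred from its name; the macro body is outside this diff.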
diff --git a/src/dev/nodedev/inputnodedev.cil b/src/dev/nodedev/inputnodedev.cil
index c68115a..3d0572d 100644
--- a/src/dev/nodedev/inputnodedev.cil
+++ b/src/dev/nodedev/inputnodedev.cil
@@ -6,5 +6,8 @@
(filecon "/dev/input/js([0-9]+)?" char nodedev_context)
(filecon "/dev/input/mice" char nodedev_context)
(filecon "/dev/input/mouse([0-9]+)?" char nodedev_context)
+ (filecon "/dev/psaux" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/rfkillnodedev.cil b/src/dev/nodedev/rfkillnodedev.cil
index 712cb21..4cd67b6 100644
--- a/src/dev/nodedev/rfkillnodedev.cil
+++ b/src/dev/nodedev/rfkillnodedev.cil
@@ -5,4 +5,6 @@
(filecon "/dev/rfkill" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/usbnodedev.cil b/src/dev/nodedev/usbnodedev.cil
index 2432b6a..ce2c7ab 100644
--- a/src/dev/nodedev/usbnodedev.cil
+++ b/src/dev/nodedev/usbnodedev.cil
@@ -4,5 +4,8 @@
(block usb
(filecon "/dev/bus/usb/.+" char nodedev_context)
+ (filecon "/dev/usb.+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
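Review bot: `(filecon "/dev/usb.+" char nodedev_context)` is broader than its neighbour: file-context patterns are anchored, but `.+` still matches every character node directly under /dev whose name starts with `usb`, for example the usbmon capture nodes when that module is loaded, and those would then share the usb nodedev label and the new rbacsep exemption. If only the /dev/usb/ subtree is meant, write `"/dev/usb/.+"`; if usbmon and friends are meant to be covered, a comment saying so is enough. Keeping the pattern as tight as the `/dev/bus/usb/.+` entry above it avoids silently labelling future usb* nodes.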
diff --git a/src/dev/stordev.cil b/src/dev/stordev.cil
index 8611ec6..f13d9f3 100644
--- a/src/dev/stordev.cil
+++ b/src/dev/stordev.cil
@@ -3,14 +3,14 @@
(block stordev
+ (macro mounton_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr mounton_chr_file))
+
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
- (macro mounton_all_chr_files ((type ARG1))
- (allow ARG1 typeattr mounton_chr_file))
-
(blockinherit .file.all_macro_template_blk_files)
(blockinherit .file.all_macro_template_chr_files)
diff --git a/src/dev/termdev/ptytermdev.cil b/src/dev/termdev/ptytermdev.cil
index 4fb7d61..97aed95 100644
--- a/src/dev/termdev/ptytermdev.cil
+++ b/src/dev/termdev/ptytermdev.cil
@@ -98,7 +98,7 @@
(typeattribute typeattr)
- (allow typeattr ptytermdev.typeattr (chr_file (not (execmod mounton))))))
+ (allow typeattr ptytermdev.typeattr (chr_file (not (audit_access execmod))))))
(in after ptytermdev.appendinherited_all_chr_files
(allowx ARG1 typeattr IOCTLCONSOLE)
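Review bot: The rewritten `(allow typeattr ptytermdev.typeattr ...)` rule changes two permissions at once: `mounton` is no longer excluded, so every type in typeattr may now be used as a mount point over pty nodes, and `audit_access` is newly excluded. The mounton part lines up with the new `mounton_all_chr_files` macros in nodedev/stordev and the sock_file edits in fs.cil, but nothing in this file records that pty nodes are intended mount targets; a one-line comment above the rule, e.g. `; mounton intentionally allowed; audit_access excluded as in fs.cil`, would keep it from being reverted as an accident. The enclosing block begins before this hunk, and serialtermdev.cil receives the identical edit.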
diff --git a/src/dev/termdev/serialtermdev.cil b/src/dev/termdev/serialtermdev.cil
index 0f04101..afb7aac 100644
--- a/src/dev/termdev/serialtermdev.cil
+++ b/src/dev/termdev/serialtermdev.cil
@@ -97,7 +97,7 @@
(typeattribute typeattr)
- (allow typeattr serialtermdev.typeattr (chr_file (not (execmod mounton))))))
+ (allow typeattr serialtermdev.typeattr (chr_file (not (audit_access execmod))))))
(in after serialtermdev.appendinherited_all_chr_files
(allowx ARG1 typeattr IOCTLCONSOLE)
diff --git a/src/file.cil b/src/file.cil
index 69e92d8..a393021 100644
--- a/src/file.cil
+++ b/src/file.cil
@@ -3,6 +3,11 @@
(block file
+ (macro anon_file_type_transition
+ ((type ARG1)(type ARG2)(class ARG3)(name ARG4)(type ARG5))
+ (typetransition ARG1 ARG2 ARG3 ARG4 ARG5)
+ (allow ARG1 ARG2 addname_dir))
+
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
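Review bot: `anon_file_type_transition` pairs the named typetransition with only `addname_dir` on ARG2, so a caller still has to grant ARG1 permission to create the ARG3 object with type ARG5 (and whatever `addname_dir` does not already bundle, which is not visible here); that contract is not written down. Add a comment above the macro: `; named transition ARG1 -> ARG5 for class ARG3 named ARG4 in ARG2; grants addname only, caller must allow create on ARG5`. The `anon` prefix is not explained by the body either; if it means the macro is not tied to a file type block, say so in the same comment.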
diff --git a/src/file/authfile.cil b/src/file/authfile.cil
index a458691..a18fabd 100644
--- a/src/file/authfile.cil
+++ b/src/file/authfile.cil
@@ -19,7 +19,7 @@
(typeattribute typeattr)
- (call exception.type (typeattr))
+ (call file.exception.type (typeattr))
(call .xattr.associate_fs (typeattr))
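Review bot: `(call file.exception.type (typeattr))` repairs the unqualified `exception.type`, but it is still a relative reference resolved by walking up from the current block, while the very next line uses the absolute form `.xattr.associate_fs`. Writing `(call .file.exception.type (typeattr))` makes the target unambiguous should a nested `file` namespace ever appear and matches the file's own convention. secfile.cil gets the same relative form in this commit.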
diff --git a/src/file/datafile/execfile.cil b/src/file/datafile/execfile.cil
index e7926a2..36a66bc 100644
--- a/src/file/datafile/execfile.cil
+++ b/src/file/datafile/execfile.cil
@@ -20,6 +20,15 @@
(macro map_all_files ((type ARG1))
(allow ARG1 typeattr (file (map))))
+ (macro subj_range_transition ((type ARG1)(levelrange ARG2))
+ (rangetransition ARG1 typeattr process ARG2))
+
+ (macro subj_role_transition ((role ARG1)(role ARG2))
+ (roletransition ARG1 typeattr process ARG2))
+
+ (macro subj_type_transition ((type ARG1)(type ARG2))
+ (typetransition ARG1 typeattr process ARG2))
+
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
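Review bot: The three new `subj_*_transition` macros in this block key the transition on `typeattr`, i.e. every exec file type in the attribute, so a single `subj_type_transition` call makes ARG1 transition to ARG2 on executing any exec file, including types added later, and the range and role variants behave the same way. That is far broader than the per-file macros added in the second hunk and easy to reach for by mistake. A comment above them, e.g. `; transitions fire on ALL exec file types in typeattr; prefer the per-file macros`, would make the blast radius explicit to callers.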
@@ -52,6 +61,12 @@
(macro map_file_files ((type ARG1))
(allow ARG1 file (file (map))))
+ (macro subj_range_transition ((type ARG1)(levelrange ARG2))
+ (rangetransition ARG1 file process ARG2))
+
+ (macro subj_role_transition ((role ARG1)(role ARG2))
+ (roletransition ARG1 file process ARG2))
+
(macro subj_type_transition ((type ARG1)(type ARG2))
(typetransition ARG1 file process ARG2))
diff --git a/src/file/secfile.cil b/src/file/secfile.cil
index 199ded5..cef5825 100644
--- a/src/file/secfile.cil
+++ b/src/file/secfile.cil
@@ -19,7 +19,7 @@
(typeattribute typeattr)
- (call exception.type (typeattr))
+ (call file.exception.type (typeattr))
(call .xattr.associate_fs (typeattr))
diff --git a/src/file/tmpfile.cil b/src/file/tmpfile.cil
index 1d84880..a0e91c1 100644
--- a/src/file/tmpfile.cil
+++ b/src/file/tmpfile.cil
@@ -3,7 +3,9 @@
(in tmp
- (blockinherit .file.tmp.template))
+ (blockinherit .file.tmp.template)
+
+ (call .rbacsep.exempt.obj.type (file)))
(in file
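Review bot: The new `(call .rbacsep.exempt.obj.type (file))` for the tmp file type has no comment explaining why temporary files should be exempt from role-based separation, and tmp files are the classic shared location where objects of one role become reachable by another. If the exemption exists because the tmp type is a generic fallback that several roles legitimately write to, record that above the call, e.g. `; rbacsep exempt: generic tmp files are written by every role`. The macro body is outside the diff, so its exact effect is inferred from the name.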
diff --git a/src/fs.cil b/src/fs.cil
index da3d942..f8051ce 100644
--- a/src/fs.cil
+++ b/src/fs.cil
@@ -586,7 +586,7 @@
(allow typeattr fs.typeattr
(lnk_file (not (audit_access execmod map mounton))))
(allow typeattr fs.typeattr
- (sock_file (not (audit_access execmod map mounton))))))
+ (sock_file (not (audit_access execmod map))))))
(in invalid.unconfined
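Review bot: Dropping `mounton` from the sock_file exclusion at the `(allow typeattr fs.typeattr (sock_file ...))` rule grants every type in typeattr mounton over socket files of every filesystem type, while the lnk_file rule directly above still excludes it. If the asymmetry is deliberate (presumably because a mount target given as a symlink is resolved before the mount, so the permission is rarely meaningful for lnk_file), record it: `; mounton excluded for lnk_file only; sock_file may be a mount target`. The same sock_file edit appears in invalid.cil and unlabeled.cil, and the enclosing block starts before this hunk.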
diff --git a/src/fs/noseclabelfs.cil b/src/fs/noseclabelfs.cil
index 6701423..7eccbbe 100644
--- a/src/fs/noseclabelfs.cil
+++ b/src/fs/noseclabelfs.cil
@@ -8,6 +8,11 @@
(typeattribute typeattr)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_fifo_files)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+ (blockinherit .file.all_macro_template_sock_files)
(blockinherit .fs.all_macro_template_fs)
(allow typeattr self (filesystem (associate)))
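Review bot: The five new `blockinherit .file.all_macro_template_*` lines pull in the dirs, fifo, files, lnk and sock macro sets for the noseclabelfs attribute but not the blk_files/chr_files templates that nodedev and stordev inherit, and nothing records whether device nodes on filesystems without security labels are meant to stay unreachable through these macros. A comment above the inherits, e.g. `; no blk/chr templates: device nodes are not expected on unlabeled filesystems`, adjusted to the real reason, would stop the next contributor from adding them reflexively. The `noseclabelfs` block begins before this hunk and the template bodies are not in the diff, so what each macro grants is inferred from its name.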
diff --git a/src/fs/seclabelfs/mqueueseclabelfs.cil b/src/fs/seclabelfs/mqueueseclabelfs.cil
index 553389f..e7586b7 100644
--- a/src/fs/seclabelfs/mqueueseclabelfs.cil
+++ b/src/fs/seclabelfs/mqueueseclabelfs.cil
@@ -7,4 +7,6 @@
(blockinherit .fs.macro_template_dirs)
(blockinherit .fs.macro_template_files)
- (blockinherit .seclabelfs.template))
+ (blockinherit .seclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
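Review bot: The new `(call .rbacsep.exempt.obj.type (fs))` makes the mqueue filesystem type exempt from role-based separation, which presumably lets subjects in different roles open the same POSIX message queue, a cross-role communication path; no comment says that is wanted. Add one above the call giving the reason, e.g. `; rbacsep exempt: mqueue objects are shared across roles`. The macro body is outside this diff, so its effect is inferred.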
diff --git a/src/invalid.cil b/src/invalid.cil
index b11a4e0..c5c20be 100644
--- a/src/invalid.cil
+++ b/src/invalid.cil
@@ -434,7 +434,7 @@
(allow typeattr .invalid
(lnk_file (not (audit_access execmod map mounton relabelto))))
(allow typeattr .invalid
- (sock_file (not (audit_access execmod map mounton relabelto))))))
+ (sock_file (not (audit_access execmod map relabelto))))))
(in unconfined
diff --git a/src/misc.cil b/src/misc.cil
index e9f423c..9e8e796 100644
--- a/src/misc.cil
+++ b/src/misc.cil
@@ -28,23 +28,40 @@
(in cert
+ (filecon "/etc/ca-certificates" dir file_context)
+ (filecon "/etc/ca-certificates/.*" any file_context)
+
+ (filecon "/etc/ca-certificates\.conf" file file_context)
+ (filecon "/etc/ca-certificates\.conf\..*" file file_context)
+
(filecon "/etc/pki" dir file_context)
(filecon "/etc/pki/.*" any file_context)
(filecon "/etc/ssl" dir file_context)
(filecon "/etc/ssl/.*" any file_context)
+ (filecon "/usr/share/ca-certificates" dir file_context)
+ (filecon "/usr/share/ca-certificates/.*" any file_context)
+
(filecon "/usr/share/pki" dir file_context)
(filecon "/usr/share/pki/.*" any file_context)
(macro conf_file_type_transition_file ((type ARG1))
(call .conf.file_type_transition
+ (ARG1 file dir "ca-certificates"))
+ (call .conf.file_type_transition
(ARG1 file dir "pki"))
(call .conf.file_type_transition
- (ARG1 file dir "ssl")))
+ (ARG1 file dir "ssl"))
+ (call .conf.file_type_transition
+ (ARG1 file file "ca-certificates.conf"))
+ (call .conf.file_type_transition
+ (ARG1 file file "ca-certificates.conf.dpkg-new")))
(macro data_file_type_transition_file ((type ARG1))
(call .data.file_type_transition
+ (ARG1 file dir "ca-certificates"))
+ (call .data.file_type_transition
(ARG1 file dir "pki"))))
(in cgroup
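Review bot: The new transition for `"ca-certificates.conf.dpkg-new"` covers only one of the temporary names a package manager writes next to `/etc/ca-certificates.conf`, whereas the filecon above it, `/etc/ca-certificates\.conf\..*`, labels any suffix; if dpkg also writes a fresh `.dpkg-dist` variant (as it does for other conffiles), that file would be created with the default label in a transition-based flow and only repaired by a relabel. Either add transitions for the other freshly created suffixes or note the limitation: `; only .dpkg-new is created fresh; .dpkg-old comes from a rename and keeps its label`. The `\..*` pattern will also catch editor backups such as `ca-certificates.conf.bak`, which may or may not be intended.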
@@ -415,6 +432,7 @@
(in media
(filecon "/media" dir file_context)
+ (filecon "/media/cdrom" symlink file_context)
(filecon "/media/.*" any ())
(filecon "/mnt" dir file_context)
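Review bot: `(filecon "/media/cdrom" symlink file_context)` is placed immediately before `(filecon "/media/.*" any ())`, which also matches that path and assigns no context; whether the literal symlink entry wins depends on how the compiled file_contexts are ordered (CIL sorts filecons by specificity, so the literal should take precedence, but that is not visible from the source). Worth confirming with `matchpathcon /media/cdrom` after a build, and a comment `; more specific than /media/.*, must label the symlink` records the dependency.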
@@ -694,4 +712,4 @@
(typealias rpm_script_t)
(typealiasactual rpm_script_t sys.subj)
-(tunable xserver_object_manager false)
+(boolean xserver_object_manager false)
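Review bot: Changing `xserver_object_manager` from `tunable` to `boolean` changes more than the keyword: a tunable is resolved at compile time and its `tunableif` blocks are kept or dropped statically, while a boolean becomes a runtime conditional toggled with setsebool, and any remaining `tunableif` that references this name will fail to resolve because tunableif accepts only tunables. Every `tunableif xserver_object_manager` elsewhere in the tree must have been converted to `booleanif`, which this diff does not show. A comment such as `; boolean, not tunable: toggled at runtime by <who>` would make the intent visible.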
diff --git a/src/unlabeled.cil b/src/unlabeled.cil
index 1703472..bccde44 100644
--- a/src/unlabeled.cil
+++ b/src/unlabeled.cil
@@ -375,7 +375,7 @@
(allow typeattr .unlabeled
(lnk_file (not (audit_access execmod map mounton relabelto))))
(allow typeattr .unlabeled
- (sock_file (not (audit_access execmod map mounton relabelto))))))
+ (sock_file (not (audit_access execmod map relabelto))))))
(in unconfined
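Review bot: Removing `mounton` from the sock_file exclusion at the `(allow typeattr .unlabeled (sock_file ...))` rule lets every type in typeattr mount over socket files that carry the unlabeled type, objects the policy has no label for, while the lnk_file rule directly above keeps `mounton` excluded. If mounting over unlabeled sockets is meant to be allowed, say so with a comment above the rule, e.g. `; mounton on unlabeled sock_file allowed on purpose (see fs.cil)`; otherwise keep the exclusion here even if fs.cil drops it. The enclosing block begins before this hunk.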