author | Chris PeBenito <chpebeni@linux.microsoft.com> | 2019-12-20 10:44:20 -0500 |
committer | Jason Zaman <perfinion@gentoo.org> | 2020-02-15 15:29:43 +0800 |
commit | f422457e4f04847b63ee27fe271796f5b117aab3 (patch) | |
tree | ff47187c9e367d6a10d2e19c85293734ff051e90 | |
parent | Remove uneeded types from interfaces where types were added (diff) | |
unconfined: Add watch permission for files.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/kernel/devices.te | 6 | ||||
-rw-r--r-- | policy/modules/kernel/files.te | 16 | ||||
-rw-r--r-- | policy/modules/kernel/filesystem.te | 16 | ||||
-rw-r--r-- | policy/modules/kernel/kernel.te | 26 |
4 files changed, 32 insertions, 32 deletions
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 03a3cf35..56c30ee8 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -358,6 +358,6 @@ files_associate_tmp(device_node)
 #
 
 allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execmod audit_access };
-allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint execmod audit_access };
+allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execmod audit_access watch };
+allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint execmod audit_access watch };
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 0afaac5f..52a60d88 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -214,16 +214,16 @@ fs_associate_tmpfs(tmpfsfile)
 #
 
 # Create/access any file in a labeled filesystem;
-allow files_unconfined_type file_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access };
-allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod };
-allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access };
-allow files_unconfined_type file_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };
+allow files_unconfined_type file_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access watch };
+allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod watch };
+allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access watch };
+allow files_unconfined_type file_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch };
 
 # Mount/unmount any filesystem with the context= option.
-allow files_unconfined_type file_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget };
+allow files_unconfined_type file_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
 
 tunable_policy(`allow_execmod',`
 	allow files_unconfined_type file_type:file execmod;
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 87f5feaf..9a0d6562 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -322,18 +322,18 @@ fs_associate_noxattr(noxattrfs)
 # Unconfined access to this module
 #
 
-allow filesystem_unconfined_type filesystem_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget };
+allow filesystem_unconfined_type filesystem_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
 
 # Create/access other files. fs_type is to pick up various
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
-allow filesystem_unconfined_type filesystem_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint audit_access execmod };
-allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod };
-allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };
+allow filesystem_unconfined_type filesystem_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint audit_access execmod watch };
+allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod watch };
+allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch };
 
 ifdef(`distro_gentoo',`
 	# Fix bug 535986 - Mark configfs_t as file type (and mountpoint probably as well)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index e838b11a..9d0f3bd1 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -505,23 +505,23 @@ if( ! secure_mode_insmod ) {
 # Rules for unconfined acccess to this module
 #
 
-allow kern_unconfined proc_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton audit_access execmod };
-allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod };
-allow kern_unconfined proc_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access };
+allow kern_unconfined proc_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton audit_access execmod watch };
+allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod watch };
+allow kern_unconfined proc_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access watch };
 
-allow kern_unconfined sysctl_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton audit_access execmod };
-allow kern_unconfined sysctl_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access };
+allow kern_unconfined sysctl_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton audit_access execmod watch };
+allow kern_unconfined sysctl_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access watch };
 
 allow kern_unconfined kernel_t:system { ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload };
 
-allow kern_unconfined unlabeled_t:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access };
-allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod };
-allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access };
-allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };
-allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget };
+allow kern_unconfined unlabeled_t:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access watch };
+allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod watch };
+allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
+allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access watch };
+allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch };
+allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
 allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext polmatch };
 allow kern_unconfined unlabeled_t:packet { send recv relabelto forward_in forward_out };
 allow kern_unconfined unlabeled_t:process { fork signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate getrlimit }; |
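Review bot: Only `watch` is appended to each files_unconfined_type file-class rule here, but the kernel introduced `watch_mount`, `watch_sb`, `watch_with_perm` and `watch_reads` on the file classes in the same change that added `watch`; if this policy's access vectors already declare those companions, these unconfined rules are no longer a full-class grant and an unconfined domain could still be denied a fanotify mount/superblock mark or a permission-event mark. Appending the four companions to every file-class line, e.g. `... audit_access watch watch_mount watch_sb watch_with_perm watch_reads };`, keeps the rules a superset; the `filesystem` class only gained `watch`, so that line is complete as written. I cannot see access_vectors from this diff, so whether the companion permissions are declared yet should be confirmed before adding them. The same consideration applies to the parallel rules this commit touches in devices.te, filesystem.te and kernel.te.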
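Review bot: The rewritten `allow kern_unconfined unlabeled_t:chr_file { ... audit_access watch };` line still carries no `execmod`, while every other object class in this hunk and the chr_file rules this same commit rewrites in devices.te and filesystem.te do include it; the `files_unconfined_type file_type:chr_file` line in files.te has the same gap. Since these are unconfined rules whose intent is to grant the whole class, that looks like an oversight carried forward rather than a deliberate restriction. If it is deliberate, a comment such as `# execmod deliberately omitted for chr_file` on that line would stop a later cleanup from re-adding it; otherwise appending `execmod` makes the four modules consistent. I cannot tell from this hunk whether a tunable elsewhere in kernel.te supplies it.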