commit: f65b4a5c66cee88e554361b57195a47e21b90d9d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:04:38 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:04:38 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f65b4a5c
Reshuffle to better match upstream
---
policy/modules/kernel/files.if | 285 ++++++++++++++++++++---------------------
1 file changed, 142 insertions(+), 143 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fd1f8e9..dd16f74 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1450,7 +1450,6 @@ interface(`files_relabel_non_auth_files',`
# to allow files_relabel_non_auth_files to be an optional setting
(tunable).
')
-
#############################################
## <summary>
## Manage all configuration directories on filesystem
@@ -1604,6 +1603,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
## <summary>
+## Do not audit attempts to set the attributes on all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir setattr;
+')
+
+########################################
+## <summary>
## Search all mount points.
## </summary>
## <param name="domain">
@@ -1676,11 +1693,11 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
-## Do not audit write attempts on mount points.
+## Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
## <summary>
-## Domain to ignore write attempts from
+## Domain to not audit.
## </summary>
## </param>
#
@@ -1694,24 +1711,6 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
## <summary>
-## Do not audit setattr attempts on mount points.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to ignore setattr attempts from
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_setattr_all_mountpoints',`
- gen_require(`
- attribute mountpoint;
- ')
-
- dontaudit $1 mountpoint:dir setattr;
-')
-
-########################################
-## <summary>
## List the contents of the root directory.
## </summary>
## <param name="domain">
@@ -2669,25 +2668,6 @@ interface(`files_manage_etc_dirs',`
########################################
## <summary>
-## Do not audit attempts to read files
-## in /etc
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_read_etc_files',`
- gen_require(`
- type etc_t;
- ')
-
- dontaudit $1 etc_t:file { getattr read };
-')
-
-########################################
-## <summary>
## Read generic files in /etc.
## </summary>
## <desc>
@@ -3003,24 +2983,6 @@ interface(`files_dontaudit_setattr_etc_runtime_files',`
########################################
## <summary>
-## Do not audit attempts to read etc_runtime resources
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_read_etc_runtime',`
- gen_require(`
- type etc_runtime_t;
- ')
-
- dontaudit $1 etc_runtime_t:file read_file_perms;
-')
-
-########################################
-## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
@@ -3142,26 +3104,6 @@ interface(`files_manage_etc_runtime_files',`
########################################
## <summary>
-## Create, read, write, and delete symbolic links in
-## /etc that are dynamically created on boot.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`files_manage_etc_runtime_lnk_files',`
- gen_require(`
- type etc_t, etc_runtime_t;
- ')
-
- manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
-')
-
-########################################
-## <summary>
## Create, etc runtime objects with an automatic
## type transition.
## </summary>
@@ -5660,6 +5602,24 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
+## Set the attributes of the generic lock directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_lock_dirs',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ setattr_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
@@ -5738,11 +5698,11 @@ interface(`files_rw_lock_dirs',`
########################################
## <summary>
-## Create lock directories.
+## Create lock directories
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
+## <summary>
+## Domain allowed access
## </summary>
## </param>
#
@@ -5756,7 +5716,6 @@ interface(`files_create_lock_dirs',`
create_dirs_pattern($1, var_lock_t, var_lock_t)
')
-
########################################
## <summary>
## Relabel to and from all lock directory types.
@@ -5802,24 +5761,6 @@ interface(`files_getattr_generic_locks',`
########################################
## <summary>
-## Set the attributes of generic lock directories
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_setattr_lock_dirs',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
- setattr_dirs_pattern($1, var_t, var_lock_t)
-')
-
-########################################
-## <summary>
## Delete generic lock files.
## </summary>
## <param name="domain">
@@ -6101,29 +6042,6 @@ interface(`files_write_generic_pid_pipes',`
allow $1 var_run_t:lnk_file read_lnk_file_perms;
allow $1 var_run_t:fifo_file write;
')
-########################################
-## <summary>
-## Write dirs in /var/run with the lock file type
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## Name of the directory that the file transition will work on
-## </summary>
-## </param>
-#
-interface(`files_pid_filetrans_lock_dir',`
- gen_require(`
- type var_t, var_run_t;
- ')
-
- files_pid_filetrans($1, var_lock_t, dir, $2)
-')
-
########################################
## <summary>
@@ -6189,6 +6107,29 @@ interface(`files_pid_filetrans',`
########################################
## <summary>
+## Create a generic lock directory within the run directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_pid_filetrans_lock_dir',`
+ gen_require(`
+ type var_lock_t;
+ ')
+
+ files_pid_filetrans($1, var_lock_t, dir, $2)
+')
+
+########################################
+## <summary>
## Read and write generic process ID files.
## </summary>
## <param name="domain">
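Review bot: The summary on `files_pid_filetrans_lock_dir` says it creates a lock directory, but the body's only rule is `files_pid_filetrans($1, var_lock_t, dir, $2)`. That macro is defined outside this hunk, so it is not visible here whether it grants `create` on `var_lock_t:dir` or only sets up the type transition. If it only sets up the transition, callers also need `files_create_lock_dirs`, and the summary would be more accurate as `## Create directories in the pid directory with the generic lock directory type via an automatic type transition.`. Separately, the `gen_require` changes from `type var_t, var_run_t;` to `type var_lock_t;`, which is a functional correction rather than a move and is worth a line in the commit message.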
@@ -6291,26 +6232,6 @@ interface(`files_read_all_pids',`
########################################
## <summary>
-## Create PID directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_create_pid_dirs',`
- gen_require(`
- type var_t, var_run_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- create_dirs_pattern($1, var_run_t, var_run_t)
-')
-
-########################################
-## <summary>
## Delete all process IDs.
## </summary>
## <param name="domain">
@@ -6623,6 +6544,84 @@ interface(`files_unconfined',`
# should be in an ifdef distro_gentoo but cannot do so for interfaces
+########################################
+## <summary>
+## Create PID directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_pid_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ create_dirs_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links in
+## /etc that are dynamically created on boot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_etc_runtime_lnk_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read etc_runtime resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read files
+## in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ dontaudit $1 etc_t:file { getattr read };
+')
+
+
#########################################
## <summary>
## List usr/src files
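Review bot: The parameter description on `files_dontaudit_read_etc_runtime` reads `## Domain allowed access.`, but the body is a `dontaudit` rule and grants nothing. It should read `## Domain to not audit.`, as the `files_dontaudit_read_etc_files` block after it does. The summary of `files_dontaudit_read_etc_files` mentions only reads while the rule covers `{ getattr read }`, so the summary should name getattr as well. Both interfaces silence AVC denials on /etc content, so a short comment on each saying these denials no longer reach the audit log would help anyone triaging access attempts against `etc_t` and `etc_runtime_t`.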