diff options
author | Chris PeBenito <Christopher.PeBenito@microsoft.com> | 2023-02-09 14:44:00 +0000 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:05:22 -0500 |
commit | 90c23bf7af6ff003320f8aedd444ed7e381b2b7b (patch) | |
tree | c6941f6aebbd9a6f961928334525061c559d2b0e | |
parent | usermanage: Handle symlinks in /usr/share/cracklib. (diff) | |
download | hardened-refpolicy-90c23bf7af6ff003320f8aedd444ed7e381b2b7b.tar.gz hardened-refpolicy-90c23bf7af6ff003320f8aedd444ed7e381b2b7b.tar.bz2 hardened-refpolicy-90c23bf7af6ff003320f8aedd444ed7e381b2b7b.zip |
unconfined: Add remaining watch_* permissions.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/kernel/devices.te | 6 | ||||
-rw-r--r-- | policy/modules/kernel/files.te | 14 | ||||
-rw-r--r-- | policy/modules/kernel/filesystem.te | 14 | ||||
-rw-r--r-- | policy/modules/kernel/kernel.te | 24 |
4 files changed, 29 insertions, 29 deletions
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 36bf8ef0a..7946b943b 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -445,6 +445,6 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch }; -allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod watch }; -allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch }; +allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch watch_mount watch_reads watch_sb watch_with_perm }; diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index e8fe42214..f8258f855 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -227,13 +227,13 @@ fs_associate_tmpfs(tmpfsfile) # # Create/access any file in a labeled filesystem; -allow files_unconfined_type file_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch }; -allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch }; -allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch }; -allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch }; -allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch }; -allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton watch }; -allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch }; +allow files_unconfined_type file_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm}; +allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch watch_mount watch_reads watch_sb watch_with_perm }; # Mount/unmount any filesystem with the context= option. allow files_unconfined_type file_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch }; diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index c7b5f990a..7ffac9812 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -351,13 +351,13 @@ allow filesystem_unconfined_type filesystem_type:filesystem { mount remount unmo # Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem # and its files. -allow filesystem_unconfined_type filesystem_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch }; -allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch }; -allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch }; -allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch }; -allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch }; -allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod watch }; -allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch }; +allow filesystem_unconfined_type filesystem_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch watch_mount watch_reads watch_sb watch_with_perm }; ifdef(`distro_gentoo',` # Fix bug 535986 - Mark configfs_t as file type (and mountpoint probably as well) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 5024f3028..a3dbeeeda 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -578,22 +578,22 @@ if(secure_mode_insmod) { # Rules for unconfined access to this module # -allow kern_unconfined proc_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton execmod watch }; -allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch }; -allow kern_unconfined proc_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch }; +allow kern_unconfined proc_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined proc_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined sysctl_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton execmod watch }; -allow kern_unconfined sysctl_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch }; +allow kern_unconfined sysctl_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined sysctl_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm }; allow kern_unconfined kernel_t:system { ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload }; #selint-disable:W-001 -allow kern_unconfined unlabeled_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch }; -allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch }; -allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch }; -allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch }; -allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch }; -allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton watch }; -allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch }; +allow kern_unconfined unlabeled_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch watch_mount watch_reads watch_sb watch_with_perm }; allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch }; allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext polmatch }; allow kern_unconfined unlabeled_t:packet { send recv relabelto forward_in forward_out }; |