rpms / fapolicyd

Clone
Source Code
GIT

Blame SOURCES/fapolicyd-selinux.patch

c8 c8-beta c8s c9 c9-beta
  1.   090c79190e10cc888b0b0291960ee3cdbcca8667
  2.   SOURCES
  3.   fapolicyd-selinux.patch
Blob History Raw
090c79 
diff -up ./fapolicyd-selinux-0.4/fapolicyd.if.selinux ./fapolicyd-selinux-0.4/fapolicyd.if
090c79 
--- ./fapolicyd-selinux-0.4/fapolicyd.if.selinux	2021-03-23 10:21:31.000000000 +0100
090c79 
+++ ./fapolicyd-selinux-0.4/fapolicyd.if	2022-06-30 10:52:05.112355159 +0200
5c9578 
@@ -2,6 +2,122 @@
5c9578
5c9578 
 ########################################
5c9578 
 ## <summary>
5c9578 
+##	Watch_mount directories in /boot.
5c9578 
+## </summary>
5c9578 
+## <param name="domain">
5c9578 
+##	<summary>
5c9578 
+##	Domain allowed access.
5c9578 
+##	</summary>
5c9578 
+## </param>
5c9578 
+#
5c9578 
+
5c9578 
+ifndef(`files_watch_mount_boot_dirs',`
5c9578 
+    interface(`files_watch_mount_boot_dirs',`
5c9578 
+        gen_require(`
5c9578 
+            type boot_t;
5c9578 
+	    ')
5c9578 
+
5c9578 
+	        allow $1 boot_t:dir watch_mount_dir_perms;
5c9578 
+    ')
5c9578 
+')
5c9578 
+
5c9578 
+
5c9578 
+########################################
5c9578 
+## <summary>
5c9578 
+##	Watch_mount home directories.
5c9578 
+## </summary>
5c9578 
+## <param name="domain">
5c9578 
+##	<summary>
5c9578 
+##	Domain allowed access.
5c9578 
+##	</summary>
5c9578 
+## </param>
5c9578 
+#
5c9578 
+
5c9578 
+ifndef(`files_watch_mount_home',`
5c9578 
+    interface(`files_watch_mount_home',`
5c9578 
+        gen_require(`
5c9578 
+            type home_root_t;
5c9578 
+	    ')
5c9578 
+
5c9578 
+	    allow $1 home_root_t:dir watch_mount_dir_perms;
5c9578 
+    ')
5c9578 
+')
5c9578 
+
5c9578 
+
5c9578 
+########################################
5c9578 
+## <summary>
5c9578 
+##	Watch_with_perm home directories.
5c9578 
+## </summary>
5c9578 
+## <param name="domain">
5c9578 
+##	<summary>
5c9578 
+##	Domain allowed access.
5c9578 
+##	</summary>
5c9578 
+## </param>
5c9578 
+#
5c9578 
+
5c9578 
+ifndef(`files_watch_with_perm_home',`
5c9578 
+interface(`files_watch_with_perm_home',`
5c9578 
+	gen_require(`
5c9578 
+		type home_root_t;
5c9578 
+	')
5c9578 
+
5c9578 
+	allow $1 home_root_t:dir watch_with_perm_dir_perms;
5c9578 
+')
5c9578 
+')
5c9578 
+
5c9578 
+
5c9578 
+########################################
5c9578 
+## <summary>
5c9578 
+##	Watch_mount dirs on a DOS filesystem.
5c9578 
+## </summary>
5c9578 
+## <param name="domain">
5c9578 
+##	<summary>
5c9578 
+##	Domain allowed access.
5c9578 
+##	</summary>
5c9578 
+## </param>
5c9578 
+#
5c9578 
+
5c9578 
+ifndef(`fs_watch_mount_dos_dirs',`
5c9578 
+interface(`fs_watch_mount_dos_dirs',`
5c9578 
+	gen_require(`
5c9578 
+		type dosfs_t;
5c9578 
+	')
5c9578 
+
5c9578 
+	watch_mount_dirs_pattern($1, dosfs_t, dosfs_t)
5c9578 
+')
5c9578 
+')
5c9578 
+
5c9578 
+
5c9578 
+
5c9578 
+########################################
5c9578 
+## <summary>
5c9578 
+##	Watch_with_perm dirs on a DOS filesystem.
5c9578 
+## </summary>
5c9578 
+## <param name="domain">
5c9578 
+##	<summary>
5c9578 
+##	Domain allowed access.
5c9578 
+##	</summary>
5c9578 
+## </param>
5c9578 
+#
5c9578 
+
5c9578 
+ifndef(`fs_watch_with_perm_dos_dirs',`
5c9578 
+interface(`fs_watch_with_perm_dos_dirs',`
5c9578 
+	gen_require(`
5c9578 
+		type dosfs_t;
5c9578 
+	')
5c9578 
+
5c9578 
+	watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t)
5c9578 
+')
5c9578 
+')
5c9578 
+
5c9578 
+
5c9578 
+###################################################################################################
5c9578 
+
5c9578 
+
5c9578 
+
5c9578 
+
5c9578 
+########################################
5c9578 
+## <summary>
5c9578 
 ##	Execute fapolicyd_exec_t in the fapolicyd domain.
5c9578 
 ## </summary>
5c9578 
 ## <param name="domain">
090c79 
diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.selinux ./fapolicyd-selinux-0.4/fapolicyd.te
090c79 
--- ./fapolicyd-selinux-0.4/fapolicyd.te.selinux	2021-03-23 10:21:31.000000000 +0100
090c79 
+++ ./fapolicyd-selinux-0.4/fapolicyd.te	2022-06-30 10:53:01.693055971 +0200
5c9578 
@@ -1,5 +1,6 @@
5c9578 
 policy_module(fapolicyd, 1.0.0)
5c9578
5c9578 
+
5c9578 
 ########################################
5c9578 
 #
5c9578 
 # Declarations
090c79 
@@ -36,6 +37,12 @@ allow fapolicyd_t self:process { setcap
5c9578 
 allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
5c9578 
 allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
5c9578
5c9578 
+gen_require(`
5c9578 
+	attribute file_type;
5c9578 
+')
5c9578 
+allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
5c9578 
+allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
5c9578 
+
5c9578 
 manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
5c9578 
 logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
5c9578
090c79 
@@ -61,16 +68,22 @@ corecmd_exec_bin(fapolicyd_t)
5c9578
090c79 
 domain_read_all_domains_state(fapolicyd_t)
090c79
090c79 
-files_mmap_usr_files(fapolicyd_t)
090c79 
+files_mmap_all_files(fapolicyd_t)
5c9578 
 files_read_all_files(fapolicyd_t)
5c9578 
+files_watch_mount_boot_dirs(fapolicyd_t)
5c9578 
+files_watch_with_perm_boot_dirs(fapolicyd_t)
5c9578 
 files_watch_mount_generic_tmp_dirs(fapolicyd_t)
5c9578 
 files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
5c9578 
+files_watch_mount_home(fapolicyd_t)
5c9578 
+files_watch_with_perm_home(fapolicyd_t)
5c9578 
 files_watch_mount_root_dirs(fapolicyd_t)
5c9578 
 files_watch_with_perm_root_dirs(fapolicyd_t)
5c9578
5c9578 
 fs_getattr_xattr_fs(fapolicyd_t)
5c9578 
 fs_watch_mount_tmpfs_dirs(fapolicyd_t)
5c9578 
 fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
5c9578 
+fs_watch_mount_dos_dirs(fapolicyd_t)
5c9578 
+fs_watch_with_perm_dos_dirs(fapolicyd_t)
5c9578
5c9578 
 logging_send_syslog_msg(fapolicyd_t)
5c9578 
 dbus_system_bus_client(fapolicyd_t)

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation