Diffstat (limited to 'policy/modules/kernel/files.if')
-rw-r--r-- | policy/modules/kernel/files.if | 131 |
1 files changed, 131 insertions, 0 deletions
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 3fc04875c..b5eeaf877 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1786,6 +1786,25 @@ interface(`files_list_root',`
 
 ########################################
 ## <summary>
+## Delete symbolic links in the
+## root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_symlinks',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to write to / dirs.
 ## </summary>
 ## <param name="domain">
@@ -1914,6 +1933,25 @@ interface(`files_dontaudit_rw_root_chr_files',`
 
 ########################################
 ## <summary>
+## Delete character device nodes in
+## the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_chr_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
 ## Delete files in the root directory.
 ## </summary>
 ## <param name="domain">
@@ -1932,6 +1970,24 @@ interface(`files_delete_root_files',`
 
 ########################################
 ## <summary>
+## Execute files in the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
 ## Remove entries from the root directory.
 ## </summary>
 ## <param name="domain">
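Review bot: In the third hunk, `files_exec_root_files` grants execution with a bare `allow $1 root_t:file exec_file_perms;`, whereas, if I recall the rest of files.if correctly, the other exec interfaces in this file (the /etc and /usr variants, outside this diff) go through the `can_exec($1, type)` macro, so `can_exec($1, root_t)` would match the file's convention. The two permission sets are not identical, so a reader comparing interfaces cannot tell whether the narrower set here is deliberate; if it is, a one-line comment above the allow saying so would settle it. The rule also applies to every file labeled root_t, not only to entries physically under /, which the summary could state, e.g. `## Execute files labeled root_t (the root directory type).`.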
@@ -1950,6 +2006,43 @@ interface(`files_delete_root_dir_entry',`
 
 ########################################
 ## <summary>
+## Manage the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_root_dir',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of a rootfs
+## file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem getattr;
+')
+
+########################################
+## <summary>
 ## Associate to root file system.
 ## </summary>
 ## <param name="file_type">
@@ -3057,6 +3150,44 @@ interface(`files_delete_boot_flag',`
 
 ########################################
 ## <summary>
+## Get the attributes of the
+## etc_runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on the
+## etc_runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir mounton;
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to set the attributes of the etc_runtime files
 ## </summary>
 ## <param name="domain">
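Review bot: The summary of `files_manage_root_dir` in the first hunk says only "Manage the root directory", while the rule grants `manage_dir_perms` on root_t:dir, which in the refpolicy permission sets covers creating, renaming and removing entries in / as well as modifying the directory itself; the narrower `files_delete_root_dir_entry` that this hunk is anchored to already exists for the delete-only case, so the documentation should make that difference visible. Suggest `## Create, read, write, and delete the root directory (root_t) and its entries.`, following the wording other manage interfaces use. Because root_t labels / itself, a caller of this interface is getting full write access to the top of the filesystem, so each call site should carry a comment explaining why a more specific interface does not suffice.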