Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy
diff options
context:
space:
mode:
Diffstat (limited to 'policy')
-rw-r--r--policy/modules/kernel/files.if36
-rw-r--r--policy/modules/services/cockpit.if7
-rw-r--r--policy/modules/system/init.if18
3 files changed, 61 insertions, 0 deletions
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 29c8b72f3..e0337d044 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6912,6 +6912,24 @@ interface(`files_rw_runtime_dirs',`
########################################
## <summary>
+## Watch /var/lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_var_lib_dirs',`
+ gen_require(`
+ type var_lib_t;
+ ')
+
+ allow $1 var_lib_t:dir watch;
+')
+
+########################################
+## <summary>
## Watch /var/run directories.
## </summary>
## <param name="domain">
@@ -6930,6 +6948,24 @@ interface(`files_watch_runtime_dirs',`
########################################
## <summary>
+## Watch /var directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_var_dirs',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir watch;
+')
+
+########################################
+## <summary>
## Read generic runtime files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if
index 494967eb1..7a002b3e5 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -56,10 +56,17 @@ template(`cockpit_role_template',`
files_dontaudit_execute_default_files($2)
files_dontaudit_execuite_etc_runtime_files($2)
files_dontaudit_exec_runtime($2)
+ files_watch_etc_files($2)
+ files_watch_root_dirs($2)
+ files_watch_var_dirs($2)
+ files_watch_var_lib_dirs($2)
cockpit_use_ws_fds($2)
cockpit_rw_ws_stream_sockets($2)
+ init_watch_runtime_dirs($2)
+ init_watch_utmp($2)
+
userdom_dontaudit_execute_user_tmpfs_files($2)
')
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2b8e22f38..f58db6cbd 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3104,6 +3104,24 @@ interface(`init_manage_utmp',`
########################################
## <summary>
+## Add a watch on init runtime
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_watch_runtime_dirs',`
+ gen_require(`
+ type init_runtime_t;
+ ')
+
+ allow $1 init_runtime_t:dir watch;
+')
+
+########################################
+## <summary>
## Add a watch on utmp.
## </summary>
## <param name="domain">