Diffstat (limited to 'policy')
-rw-r--r-- | policy/modules/kernel/files.if | 36 | ||||
-rw-r--r-- | policy/modules/services/cockpit.if | 7 | ||||
-rw-r--r-- | policy/modules/system/init.if | 18 |
3 files changed, 61 insertions, 0 deletions
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 29c8b72f3..e0337d044 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6912,6 +6912,24 @@ interface(`files_rw_runtime_dirs',`
 
 ########################################
 ## <summary>
+## Watch /var/lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_var_lib_dirs',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	allow $1 var_lib_t:dir watch;
+')
+
+########################################
+## <summary>
 ## Watch /var/run directories.
 ## </summary>
 ## <param name="domain">
@@ -6930,6 +6948,24 @@ interface(`files_watch_runtime_dirs',`
 
 ########################################
 ## <summary>
+## Watch /var directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_var_dirs',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir watch;
+')
+
+########################################
+## <summary>
 ## Read generic runtime files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if
index 494967eb1..7a002b3e5 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -56,10 +56,17 @@ template(`cockpit_role_template',`
 	files_dontaudit_execute_default_files($2)
 	files_dontaudit_execuite_etc_runtime_files($2)
 	files_dontaudit_exec_runtime($2)
+	files_watch_etc_files($2)
+	files_watch_root_dirs($2)
+	files_watch_var_dirs($2)
+	files_watch_var_lib_dirs($2)
 
 	cockpit_use_ws_fds($2)
 	cockpit_rw_ws_stream_sockets($2)
 
+	init_watch_runtime_dirs($2)
+	init_watch_utmp($2)
+
 	userdom_dontaudit_execute_user_tmpfs_files($2)
 ')
 
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2b8e22f38..f58db6cbd 100644
--- a/policy/modules/system/init.if
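Review bot: The new files_watch_var_lib_dirs interface is inserted between files_rw_runtime_dirs and files_watch_runtime_dirs, and the second files.if hunk places files_watch_var_dirs between files_watch_runtime_dirs and the generic runtime-file interfaces, so both /var interfaces end up in the /var/run section rather than beside the existing /var and /var/lib interfaces that (as far as I can tell from the hunk headers) sit elsewhere in the file. Moving them next to their directory's other interfaces would keep the file's grouping intact. The summaries could also state that only the generic directory type is covered, since the allow is on var_lib_t (and var_t) alone and not on service-specific subdirectory types, e.g. `## Watch generic /var/lib directories.` and `## Watch generic /var directories.`.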
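Review bot: The four files_watch_* calls and the two init_watch_* calls grant every domain produced by cockpit_role_template an inotify watch on /, /etc files, generic /var and /var/lib directories, init runtime directories and utmp, but nothing in the hunk records which cockpit component needs them or on which paths, so a later reader cannot judge whether the generic-type grants can be narrowed to the specific subdirectory types actually monitored. A watch on generic /var and /var/lib directories also exposes entry creation and removal by unrelated services to the user-role domain, which is worth spelling out when the grant is this broad. Suggest a one-line comment above the first added call naming the component and the observed denials, for example `# TODO(review): record which cockpit component needs these inotify watches and on which paths`. The template body begins before the hunk, so the remaining grants in cockpit_role_template were not reviewed here.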
+++ b/policy/modules/system/init.if
@@ -3104,6 +3104,24 @@ interface(`init_manage_utmp',`
 
 ########################################
 ## <summary>
+## Add a watch on init runtime
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_watch_runtime_dirs',`
+	gen_require(`
+		type init_runtime_t;
+	')
+
+	allow $1 init_runtime_t:dir watch;
+')
+
+########################################
+## <summary>
 ## Add a watch on utmp.
 ## </summary>
 ## <param name="domain">
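Review bot: The summary line `## Add a watch on init runtime` is truncated compared with the sibling `## Add a watch on utmp.` and with the interface name init_watch_runtime_dirs; since the allow is `init_runtime_t:dir watch` only, the summary should say what is watched, e.g. `## Add a watch on init runtime directories.`. The interface-doc XML is otherwise consistent with the neighbouring interfaces in the hunk.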