policy_module(tmpfiles, 1.0.0)

########################################
#
# Declarations
#

## <desc>
##      <p>
##      Determine whether tmpfiles can manage
##      all non-security sensitive resources.
##      Without this, its write and relabel access
##      is limited to /run, /tmp, /dev, /var/lock,
##      generically labelled (var_t) content under
##      /var, and cgroup files.
##      </p>
## </desc>
# The default of true applies regardless of distro: this gen_tunable call is
# not inside ifdef(`distro_gentoo').  It was enabled on Gentoo to fix
# https://bugs.gentoo.org/667122.  When on, the domain grows from a handful of
# volatile directories to nearly the whole labelled filesystem (see the
# tunable_policy block in the local policy), so the tmpfiles configuration
# must be treated as privileged input in that configuration.
gen_tunable(tmpfiles_manage_all_non_security, true)

# Daemon domain entered from init when tmpfiles_exec_t is executed.
type tmpfiles_t;
type tmpfiles_exec_t;
init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)

# Configuration type.  The local policy grants the domain only list/read on
# it, yet everything the domain creates, removes, chowns and relabels is
# driven by its content -- whoever can write tmpfiles_conf_t effectively
# wields all of the rights granted below.  This is the module's trust boundary.
type tmpfiles_conf_t;
files_config_file(tmpfiles_conf_t)

# Runtime (pid-file class) state the domain keeps under /run.
type tmpfiles_var_run_t;
files_pid_file(tmpfiles_var_run_t)


########################################
#
# Local policy
#

# Capabilities.  mknod pairs with the dev_create_all_* interfaces below.
# chown/fowner/fsetid let the domain set owner, group and mode (including
# set-id bits) on files it does not own.  Note that dac_override and
# dac_read_search are deliberately absent; fowner still lets it chmod any
# file it can reach, so that absence is only a weak limit.
allow tmpfiles_t self:capability { mknod chown fowner fsetid };
# setfscreate: pick the SELinux label of files it creates (pairs with
# seutil_read_file_contexts below).
allow tmpfiles_t self:process { getsched setfscreate };
allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
allow tmpfiles_t self:unix_dgram_socket create_socket_perms;

# Re-executes its own entry point without a domain transition.
allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans;

# Configuration is read-only for the domain.  Every rule that follows is
# exercised according to this configuration, so write access to
# tmpfiles_conf_t is equivalent to the union of the rights below.
list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)

manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)

# Generic binaries and a shell run *in this domain* (no domtrans is declared
# here), so anything executed inherits the full rights of tmpfiles_t.
# NOTE(review): presumably because the implementation is a shell script;
# confirm against the .fc file and the packaged executable.
corecmd_exec_bin(tmpfiles_t)
corecmd_exec_shell(tmpfiles_t)

# Device nodes.  Together with CAP_MKNOD this allows creating block and
# character nodes of any device type and changing attributes and labels of
# existing nodes (relabel_all_dev_nodes covers every dev type).  It does not
# grant read/write on the devices themselves; only the distro_gentoo block
# below adds rw on generically labelled (device_t) character files.
dev_create_all_blk_files(tmpfiles_t)
dev_create_all_chr_files(tmpfiles_t)
dev_getattr_all_blk_files(tmpfiles_t)
dev_getattr_generic_blk_files(tmpfiles_t)
dev_getattr_generic_chr_files(tmpfiles_t)
dev_relabel_all_dev_nodes(tmpfiles_t)
dev_relabel_generic_dev_dirs(tmpfiles_t)
dev_relabelfrom_generic_chr_files(tmpfiles_t)
dev_setattr_all_blk_files(tmpfiles_t)
dev_setattr_all_chr_files(tmpfiles_t)
dev_setattr_generic_dirs(tmpfiles_t)

# Volatile trees managed unconditionally (i.e. even with the tunable off):
# every pid-file type under /run, generic /var/lock and /tmp content, and
# generically labelled (var_t) dirs and files under /var -- the last one is
# wider than the tunable's <desc> suggests.  The relabel_all_* interfaces
# grant relabelfrom and relabelto across whole type attributes, so the
# domain can also move content between, e.g., two different tmp file types.
files_manage_all_pids(tmpfiles_t)
files_manage_generic_locks(tmpfiles_t)
files_manage_generic_tmp_dirs(tmpfiles_t)
files_manage_generic_tmp_files(tmpfiles_t)
files_manage_var_dirs(tmpfiles_t)
files_manage_var_files(tmpfiles_t)
files_relabel_all_lock_dirs(tmpfiles_t)
files_relabel_all_pidfiles(tmpfiles_t)
files_relabel_all_tmp_dirs(tmpfiles_t)
files_relabel_all_tmp_files(tmpfiles_t)
files_setattr_all_tmp_dirs(tmpfiles_t)
files_setattr_lock_dirs(tmpfiles_t)
files_setattr_pid_dirs(tmpfiles_t)

# Filesystem introspection plus write access to cgroupfs files -- another
# unconditional grant outside the run/tmp/dev/lock scope.
fs_getattr_all_fs(tmpfiles_t)
fs_getattr_tmpfs_dirs(tmpfiles_t)
fs_manage_cgroup_files(tmpfiles_t)

selinux_get_enforce_mode(tmpfiles_t)

# Name-service lookups; presumably to map the configured user/group names to
# the ids it chowns to.
auth_use_nsswitch(tmpfiles_t)

# Executes init rc content in this domain (exec, not domtrans).
init_exec_rc(tmpfiles_t)

miscfiles_read_localization(tmpfiles_t)

# Label handling: run setfiles in this domain and read file_contexts so the
# relabel rules above and in the tunable block can apply the configured
# contexts.
seutil_exec_setfiles(tmpfiles_t)
seutil_libselinux_linked(tmpfiles_t)
seutil_read_file_contexts(tmpfiles_t)

ifdef(`distro_gentoo',`
	dev_create_generic_dirs(tmpfiles_t)
	# Early at boot, access /dev/console and /dev/tty which is device_t due to kernel-provided devtmpfs
	# This is the only rule in the module that grants read/write on device nodes.
	dev_rw_generic_chr_files(tmpfiles_t)
	dev_create_generic_chr_files(tmpfiles_t)
	dev_create_generic_blk_files(tmpfiles_t)

	# relabelto the init script state type, not a full relabel.
	init_relabelto_script_state(tmpfiles_t)
')

# With the tunable on (the declared default is true) the domain may create,
# delete, write and relabel any file or directory whose type is not marked
# security_file_type -- effectively almost the whole labelled filesystem.
# Relabelling is the sharp edge: content can be moved to or from nearly any
# non-security type.  Leave the tunable off on systems that do not need
# tmpfiles to act outside /run, /tmp, /dev, /var/lock and /var.
tunable_policy(`tmpfiles_manage_all_non_security',`
	files_manage_all_non_security_file_types(tmpfiles_t)
	files_manage_non_security_dirs(tmpfiles_t)
	files_relabel_all_non_security_file_types(tmpfiles_t)
')