author | nailyk-fr <nailyk_git@nailyk.fr> | 2017-04-23 21:54:08 +0200 |
---|---|---|
committer | nailyk-fr <nailyk_git@nailyk.fr> | 2017-05-01 22:33:56 +0200 |
commit | b1eee63ebf2a4e7d34922d15a1028bbbdcca9016 (patch) | |
tree | b3e4f18f9b93c32c080dc6b36b6bd1273b4cd8c8 /sepolicy/idd.te | |
parent | eb1087d79581ee5dcc5b2a58cb819a24d1b7ee0a (diff) |
shinano-common: sepolicy: Reorganise policies
* No policies added or removed, only moved between
files to improve SELinux management.
Change-Id: Ifa7cb9ce84f75c99f2d96dd0a71ced26f2580ba9
Diffstat (limited to 'sepolicy/idd.te')
-rw-r--r-- | sepolicy/idd.te | 48 |
1 files changed, 17 insertions, 31 deletions
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index 1a59cc4..df2eb1c 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -1,46 +1,32 @@
-type iddd, domain;
+# iddd daemon
+type iddd, domain;
-type iddd_exec, exec_type, file_type;
+type iddd_exec, exec_type, file_type;
 init_daemon_domain(iddd)
+type_transition iddd system_data_file:file iddd_file;
+
 allow iddd self:socket create_socket_perms;
+allow iddd iddd_file:sock_file { create setattr unlink write };
+
 allow iddd iddd_file:fifo_file rw_file_perms;
 allow iddd iddd_file:file rw_file_perms;
-allow iddd iddd_file:dir rw_file_perms;
-allow iddd iddd_file:dir { add_name remove_name search };
 allow iddd iddd_file:file { create rename unlink };
-allow iddd iddd_file:sock_file { create setattr unlink write };
-
-
-type_transition iddd system_data_file:file iddd_file;
-
-type credmgr, domain;
-type credmgr_exec, exec_type, file_type;
-init_daemon_domain(credmgr);
-
-
-type scd, domain;
-type scd_exec, exec_type, file_type;
-type scd_data, file_type;
-init_daemon_domain(scd)
+allow iddd iddd_file:dir rw_file_perms;
+allow iddd iddd_file:dir { add_name create remove_name search };
-type wv,domain;
-type wv_exec, exec_type, file_type;
-init_daemon_domain(wv)
+# TODO: label the right way / Allow context change
+allow iddd system_file:file execute_no_trans;
+allow iddd iddd_exec:file execute_no_trans;
-#iddd logd
+# Allow iddd send to logd
 allow iddd logd:unix_stream_socket connectto;
 allow iddd logdr_socket:sock_file write;
-#============= system_server ==============
-allow system_server credmgr_exec:dir search;
-allow system_server credmgr_exec:file { getattr open read };
-allow system_server iddd_exec:dir search;
-allow system_server iddd_exec:file { getattr open read };
+# Allow file system create (we use tmpfs now)
 allow iddd tmpfs:lnk_file read;
-#============= iddd ==============
-allow iddd iddd_exec:file execute_no_trans;
-allow iddd iddd_file:dir create;
+allow iddd tmpfs:dir search;
+
+# Allow proc socket search
 allow iddd proc:file { getattr open read };
-allow iddd tmpfs:dir search;
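Review bot: The added `allow iddd system_file:file execute_no_trans;` under the TODO lets iddd execute any binary labelled system_file while staying in its own domain, so whatever it launches runs with the whole iddd policy rather than transitioning into a narrower one, and the old idd.te did not carry this rule; if it is not a straight move from another file in this commit, the "no policies added" description understates the change and the rule deserves its own reviewable commit. The TODO as written does not say what the right labelling is; I would make it actionable, e.g. `# TODO: give the helper iddd runs its own exec_type and a domain transition, then drop the system_file execute_no_trans below`. The `create` added to the `iddd_file:dir` permission set replaces the removed `allow iddd iddd_file:dir create;`, which is consistent with the move-only description. Blank context lines of the original hunk appear to have been lost in the rendering, so the `@@ -1,46 +1,32 @@` counts cannot be checked line for line here.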