[selinux-policy: 84/3172] add ignore read rootfs file
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:12:25 UTC 2010
commit 9f2f9e6dfe946b40ac9cb9d5ef272e6e8e5c7af1
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon May 2 18:40:42 2005 +0000
add ignore read rootfs file
refpolicy/policy/modules/system/files.if | 32 ++++++++++++++++++++++++++++-
1 files changed, 30 insertions(+), 2 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 8adce40..439e70c 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -80,10 +80,10 @@ class chr_file relabelfrom;
########################################
#
-# files_search_all_directories(type,[`optional'])
+# files_search_all_directories(domain)
#
define(`files_search_all_directories',`
-requires_block_template(files_search_all_directories_depend,$2)
+requires_block_template(files_search_all_directories_depend)
allow $1 file_type:dir search;
')
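Review bot: With `$2` removed from the `requires_block_template(files_search_all_directories_depend)` call, a caller that still passes the old `optional` second argument will presumably have it silently discarded by m4 rather than reported, so the dependency quietly changes from optional to required for that caller. Existing callers are not visible in this hunk and should be checked for a second argument. The header would be clearer if it said so, for example `# files_search_all_directories(domain) - the former optional second argument is no longer accepted`. The sibling headers visible in later hunks, such as `files_read_all_directories(type,[`optional'])`, still advertise the old form, which leaves the file inconsistent.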
@@ -94,6 +94,20 @@ class dir search;
########################################
#
+# files_ignore_search_all_directories(domain)
+#
+define(`files_ignore_search_all_directories',`
+requires_block_template(files_ignore_search_all_directories_depend)
+dontaudit $1 file_type:dir search;
+')
+
+define(`files_ignore_search_all_directories_depend',`
+attribute file_type;
+class dir search;
+')
+
+########################################
+#
# files_read_all_directories(type,[`optional'])
#
define(`files_read_all_directories',`
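Review bot: `files_ignore_search_all_directories` adds `dontaudit $1 file_type:dir search;`, which silences search denials on every directory type carrying the `file_type` attribute, yet its header comment gives only the signature. A dontaudit rule suppresses the AVC record itself, so a calling domain loses the audit trail for unexpected directory probing along with the harmless noise the rule was meant to hide. I would say so in the header, for example `# Suppress audit of denied searches on all file_type directories; access is still denied.` followed by `# Use only where these denials are known noise, since they will no longer reach the audit log.` The same applies to `files_ignore_read_rootfs_file` in the next hunk, whose `dontaudit $1 root_t:file read;` is narrower but equally undocumented.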
@@ -152,6 +166,20 @@ class dir { getattr search read write add_name };
########################################
#
+# files_ignore_read_rootfs_file(domain)
+#
+define(`files_ignore_read_rootfs_file',`
+requires_block_template(files_ignore_read_rootfs_file_depend)
+dontaudit $1 root_t:file read;
+')
+
+define(`files_ignore_read_rootfs_file_depend',`
+type root_t;
+class file read;
+')
+
+########################################
+#
# files_ignore_modify_rootfs_file(domain,[`optional'])
#
define(`files_ignore_modify_rootfs_file',`