Navigation

← Previous Changeset
Next Changeset →

Changeset 2678

Timestamp:

05/07/08 13:00:17 (7 months ago)

Author:

pebenito

Message:

rbacsep: add exemptions.

Files:

branches/rbacsep/policy/modules/kernel/rbac.fc (added)
branches/rbacsep/policy/modules/kernel/rbac.if (added)
branches/rbacsep/policy/modules/kernel/rbac.te (added)
branches/rbacsep/policy/rbac (modified) (10 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/rbacsep/policy/rbac

r2677	r2678
27	27
28	28	define(`basic_rbac_conditions',`
29		~~r1 ==~~ r2
30		or r1 == system_r
31		or r2 == system_r
32		or r2 == object_r
	29	r1 dom r2
	30	or r1 == system_r
	31	or r2 == system_r
	32	or r2 == object_r
33	33	')
34	34
…	…
44	44	(
45	45	basic_rbac_conditions
46		or r1 domby $2
	46	# or r1 domby $2
47	47	or t1 == $3
48	48	or t2 == $4
…	…
55	55	#
56	56
57		~~basic_rbac_constraint(dir~~)
58		~~basic_rbac_constraint(file~~)
59		~~basic_rbac_constraint(lnk_file~~)
60		~~basic_rbac_constraint(fifo_file~~)
61		~~basic_rbac_constraint(sock_file~~)
62		~~basic_rbac_constraint(chr_file~~)
63		~~basic_rbac_constraint(blk_file~~)
	57	exempted_rbac_constraint(dir, rbacfilerole, rbacfilesubj, rbacfileobj)
	58	exempted_rbac_constraint(file, rbacfilerole, rbacfilesubj, rbacfileobj)
	59	exempted_rbac_constraint(lnk_file, rbacfilerole, rbacfilesubj, rbacfileobj)
	60	exempted_rbac_constraint(fifo_file, rbacfilerole, rbacfilesubj, rbacfileobj)
	61	exempted_rbac_constraint(sock_file, rbacfilerole, rbacfilesubj, rbacfileobj)
	62	exempted_rbac_constraint(chr_file, rbacfilerole, rbacfilesubj, rbacfileobj)
	63	exempted_rbac_constraint(blk_file, rbacfilerole, rbacfilesubj, rbacfileobj)
64	64
65	65	########################################
…	…
71	71	(
72	72	basic_rbac_conditions
	73	# or r1 domby rbacprocrole
	74	or t1 == rbacprocsubj
	75	or t2 == rbacprocobj
73	76	);
74	77
…	…
110	113	#
111	114
112		~~basic_rbac_constraint(socket~~)
113		~~basic_rbac_constraint(tcp_socket~~)
114		~~basic_rbac_constraint(udp_socket~~)
115		~~basic_rbac_constraint(rawip_socket~~)
116		~~basic_rbac_constraint(netlink_socket~~)
117		~~basic_rbac_constraint(packet_socket~~)
118		~~basic_rbac_constraint(key_socket~~)
119		~~basic_rbac_constraint(unix_stream_socket~~)
120		~~basic_rbac_constraint(unix_dgram_socket~~)
121		~~basic_rbac_constraint(netlink_route_socket~~)
122		~~basic_rbac_constraint(netlink_firewall_socket~~)
123		~~basic_rbac_constraint(netlink_tcpdiag_socket~~)
124		~~basic_rbac_constraint(netlink_nflog_socket~~)
125		~~basic_rbac_constraint(netlink_xfrm_socket~~)
126		~~basic_rbac_constraint(netlink_selinux_socket~~)
127		~~basic_rbac_constraint(netlink_audit_socket~~)
128		~~basic_rbac_constraint(netlink_ip6fw_socket~~)
129		~~basic_rbac_constraint(netlink_dnrt_socket~~)
130		~~basic_rbac_constraint(netlink_kobject_uevent_socket~~)
131		~~basic_rbac_constraint(appletalk_socket~~)
132		~~basic_rbac_constraint(dccp_socket~~)
	115	exempted_rbac_constraint(socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	116	exempted_rbac_constraint(tcp_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	117	exempted_rbac_constraint(udp_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	118	exempted_rbac_constraint(rawip_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	119	exempted_rbac_constraint(netlink_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	120	exempted_rbac_constraint(packet_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	121	exempted_rbac_constraint(key_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	122	exempted_rbac_constraint(unix_stream_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	123	exempted_rbac_constraint(unix_dgram_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	124	exempted_rbac_constraint(netlink_route_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	125	exempted_rbac_constraint(netlink_firewall_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	126	exempted_rbac_constraint(netlink_tcpdiag_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	127	exempted_rbac_constraint(netlink_nflog_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	128	exempted_rbac_constraint(netlink_xfrm_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	129	exempted_rbac_constraint(netlink_selinux_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	130	exempted_rbac_constraint(netlink_audit_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	131	exempted_rbac_constraint(netlink_ip6fw_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	132	exempted_rbac_constraint(netlink_dnrt_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	133	exempted_rbac_constraint(netlink_kobject_uevent_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	134	exempted_rbac_constraint(appletalk_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
	135	exempted_rbac_constraint(dccp_socket, rbacsockrole, rbacsocksubj, rbacsockobj)
133	136
134	137	########################################
…	…
136	139	# SysV IPC rules
137	140
138		~~basic_rbac_constraint(sem~~)
139		~~basic_rbac_constraint(msg~~)
140		~~basic_rbac_constraint(msgq~~)
141		~~basic_rbac_constraint(shm~~)
142		~~basic_rbac_constraint(ipc~~)
	141	exempted_rbac_constraint(sem, rbacipcrole, rbacipcsubj, rbacipcobj)
	142	exempted_rbac_constraint(msg, rbacipcrole, rbacipcsubj, rbacipcobj)
	143	exempted_rbac_constraint(msgq, rbacipcrole, rbacipcsubj, rbacipcobj)
	144	exempted_rbac_constraint(shm, rbacipcrole, rbacipcsubj, rbacipcobj)
	145	exempted_rbac_constraint(ipc, rbacipcrole, rbacipcsubj, rbacipcobj)
143	146
144	147	########################################
…	…
147	150	#
148	151
149		~~basic_rbac_constraint(x_drawable~~)
150		~~basic_rbac_constraint(x_screen~~)
151		~~basic_rbac_constraint(x_gc~~)
152		~~basic_rbac_constraint(x_font~~)
153		~~basic_rbac_constraint(x_colormap~~)
154		~~basic_rbac_constraint(x_property~~)
155		~~basic_rbac_constraint(x_selection~~)
156		~~basic_rbac_constraint(x_cursor~~)
157		~~basic_rbac_constraint(x_client~~)
158		~~basic_rbac_constraint(x_device~~)
159		~~basic_rbac_constraint(x_server~~)
160		~~basic_rbac_constraint(x_extension~~)
161		~~basic_rbac_constraint(x_resource~~)
162		~~basic_rbac_constraint(x_event~~)
163		~~basic_rbac_constraint(x_synthetic_event~~)
164		~~basic_rbac_constraint(x_application_data~~)
	152	exempted_rbac_constraint(x_drawable, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	153	exempted_rbac_constraint(x_screen, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	154	exempted_rbac_constraint(x_gc, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	155	exempted_rbac_constraint(x_font, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	156	exempted_rbac_constraint(x_colormap, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	157	exempted_rbac_constraint(x_property, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	158	exempted_rbac_constraint(x_selection, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	159	exempted_rbac_constraint(x_cursor, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	160	exempted_rbac_constraint(x_client, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	161	exempted_rbac_constraint(x_device, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	162	exempted_rbac_constraint(x_server, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	163	exempted_rbac_constraint(x_extension, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	164	exempted_rbac_constraint(x_resource, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	165	exempted_rbac_constraint(x_event, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	166	exempted_rbac_constraint(x_synthetic_event, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
	167	exempted_rbac_constraint(x_application_data, rbacxwinrole, rbacxwinsubj, rbacxwinobj)
165	168
166	169
…	…
170	173	#
171	174
172		~~basic_rbac_constraint(dbus~~)
	175	exempted_rbac_constraint(dbus, rbacdbusrole, rbacdbussubj, rbacdbusobj)
173	176
174	177	########################################
…	…
177	180	#
178	181
179		~~basic_rbac_constraint(key~~)
	182	exempted_rbac_constraint(key, rbackeyrole, rbackeysubj, rbackeyobj)
180	183
181	184	########################################
…	…
184	187	#
185	188
186		~~basic_rbac_constraint(db_database~~)
187		~~basic_rbac_constraint(db_table~~)
188		~~basic_rbac_constraint(db_procedure~~)
189		~~basic_rbac_constraint(db_column~~)
190		~~basic_rbac_constraint(db_tuple~~)
191		~~basic_rbac_constraint(db_blob~~)
	189	exempted_rbac_constraint(db_database, rbacdbrole, rbacdbsubj, rbacdbobj)
	190	exempted_rbac_constraint(db_table, rbacdbrole, rbacdbsubj, rbacdbobj)
	191	exempted_rbac_constraint(db_procedure, rbacdbrole, rbacdbsubj, rbacdbobj)
	192	exempted_rbac_constraint(db_column, rbacdbrole, rbacdbsubj, rbacdbobj)
	193	exempted_rbac_constraint(db_tuple, rbacdbrole, rbacdbsubj, rbacdbobj)
	194	exempted_rbac_constraint(db_blob, rbacdbrole, rbacdbsubj, rbacdbobj)
192	195
193	196

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.