selinux: Simplify policy for init-storage
As the scope of Aimee OS grows, and other applications are added to it, the `init-storage` command will have an ever-growing list of file and directory types to copy from the rootfs image. Originally, I wanted to explicitly allow it to only copy files that are found in `/var`, but this will become untenable very quickly. As such, to avoid having to constantly update the SELinux policy for every new application that stores anything in `/var` at install time, the `aimee_storinit_t` domain can now manage all "non-security" files, directories, and symbolic links. This covers pretty much everything in `/var` except `/var/log/audit`, while still excluding the most sensitive files (e.g. `/etc/shadow`),gentoo
parent
5e8b69d659
commit
2b40255a61
|
@ -71,76 +71,22 @@ seutil_domtrans_setfiles(aimee_storinit_t)
|
|||
|
||||
kernel_manage_unlabeled_dirs(aimee_storinit_t)
|
||||
|
||||
files_manage_non_security_dirs(aimee_storinit_t)
|
||||
files_relabel_non_security_dirs(aimee_storinit_t)
|
||||
files_manage_non_security_files(aimee_storinit_t)
|
||||
files_relabel_non_security_files(aimee_storinit_t)
|
||||
logging_manage_audit_log(aimee_storinit_t)
|
||||
gen_require(`
|
||||
attribute non_security_file_type;
|
||||
')
|
||||
manage_lnk_files_pattern(aimee_storinit_t, non_security_file_type, non_security_file_type)
|
||||
relabel_lnk_files_pattern(aimee_storinit_t, non_security_file_type, non_security_file_type)
|
||||
|
||||
auth_manage_shadow(aimee_storinit_t)
|
||||
auth_relabel_shadow(aimee_storinit_t)
|
||||
|
||||
files_manage_var_dirs(aimee_storinit_t)
|
||||
files_relabel_var_dirs(aimee_storinit_t)
|
||||
files_manage_var_files(aimee_storinit_t)
|
||||
files_manage_var_symlinks(aimee_storinit_t)
|
||||
|
||||
gen_require(`
|
||||
type var_lib_t, var_lock_t, var_run_t;
|
||||
type semanage_store_t;
|
||||
type semanage_read_lock_t, semanage_trans_lock_t;
|
||||
type system_dbusd_var_lib_t;
|
||||
type init_var_lib_t;
|
||||
type auditd_log_t;
|
||||
type tmp_t;
|
||||
type etc_t;
|
||||
type shadow_t;
|
||||
attribute logfile;
|
||||
')
|
||||
manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
|
||||
relabel_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
|
||||
manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
|
||||
relabel_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
|
||||
manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
|
||||
relabel_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
|
||||
manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
|
||||
relabel_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
|
||||
manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
|
||||
relabel_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
|
||||
manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
|
||||
relabel_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
|
||||
manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
|
||||
relabel_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
|
||||
manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
|
||||
relabel_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
|
||||
manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
|
||||
relabel_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
|
||||
manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
|
||||
relabel_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
|
||||
manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
|
||||
relabel_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
|
||||
manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
|
||||
relabel_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
|
||||
manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
|
||||
relabel_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
|
||||
manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
relabel_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
relabel_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
relabel_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
|
||||
relabel_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
|
||||
manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
|
||||
relabel_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
|
||||
manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
|
||||
relabel_dirs_pattern(aimee_storinit_t, logfile, logfile)
|
||||
manage_files_pattern(aimee_storinit_t, logfile, logfile)
|
||||
relabel_files_pattern(aimee_storinit_t, logfile, logfile)
|
||||
manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
|
||||
relabel_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
|
||||
manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
|
||||
relabel_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
|
||||
manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
|
||||
relabel_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
|
||||
manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
|
||||
relabel_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
|
||||
manage_dirs_pattern(aimee_storinit_t, etc_t, etc_t)
|
||||
relabel_dirs_pattern(aimee_storinit_t, etc_t, etc_t)
|
||||
allow aimee_storinit_t shadow_t:file mounton;
|
||||
|
||||
########################################
|
||||
|
|
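Review bot: The new `files_manage_non_security_dirs`/`files_relabel_non_security_files` calls and the `manage_lnk_files_pattern`/`relabel_lnk_files_pattern` lines on `non_security_file_type` are considerably broader than the `/var` scope the commit message describes: in refpolicy that attribute is every `files_type` that is not a `security_file_type`, so it also covers `etc_t`, `bin_t`, `lib_t` and the rest of the rootfs, and the relabel rules let this domain retag any such file to any other non-security type. That may be an acceptable trade for a one-shot boot-time domain, but it should be stated at the rule rather than discovered later from an audit log; I would add above `files_manage_non_security_dirs` a comment along the lines of `# Intentionally broad: non_security_file_type is every non-security file type on the system, not only /var. This domain is close to unconfined for non-security files, so keep its entrypoint and domain transitions tightly scoped.` If relabelling is in practice done by setfiles through the `seutil_domtrans_setfiles` transition shown in the hunk header, the two `files_relabel_*` lines and `relabel_lnk_files_pattern` may be unnecessary, which would narrow this grant to manage only; the enclosing policy block continues outside the hunk so that cannot be confirmed from here.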