# Policy module for the prelink domain, version 1.0.2.
policy_module(prelink,1.0.2)

########################################
#
# Declarations

# Attribute referenced by the prelink_object:file allow rule in the local
# policy section. No type in the lines shown here is given this attribute;
# presumably other modules assign it through an interface - confirm.
attribute prelink_object;

# Process domain and entrypoint file type for prelink, both passed to
# init_system_domain (interface defined outside this file).
type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t,prelink_exec_t)

# File type for the prelink cache. The local policy lets prelink_t manage
# files of this type and sets up file transitions to it.
type prelink_cache_t;
files_type(prelink_cache_t)

# File type for prelink logs, passed to logging_log_file.
type prelink_log_t;
logging_log_file(prelink_log_t)

########################################
#
# Local policy
#

# Capabilities prelink_t may use on itself. dac_override lets the process
# bypass ordinary file mode checks; chown, fowner and fsetid cover ownership
# changes and setuid/setgid bit handling.
# NOTE(review): presumably required because prelink rewrites installed
# binaries in place - confirm.
allow prelink_t self:capability { chown dac_override fowner fsetid };
# NOTE(review): execheap, execmem and execstack together permit executable
# heap, anonymous and stack memory in this domain, so the executable-memory
# protections most domains keep do not apply here. The file gives no reason;
# confirm each permission is still needed before carrying it forward.
allow prelink_t self:process { execheap execmem execstack };
allow prelink_t self:fifo_file rw_file_perms;

# Cache files: full management, plus file transitions so that files prelink_t
# creates through the etc and var_lib filetrans interfaces get prelink_cache_t.
allow prelink_t prelink_cache_t:file manage_file_perms;
files_filetrans_etc(prelink_t, prelink_cache_t, file)
files_filetrans_var_lib(prelink_t, prelink_cache_t, file)

# Log files: directory read/write and setattr, file create and the
# ra_file_perms set, symlink read, plus a transition to prelink_log_t through
# logging_filetrans_log.
allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
allow prelink_t prelink_log_t:file { create ra_file_perms };
allow prelink_t prelink_log_t:lnk_file read;
logging_filetrans_log(prelink_t, prelink_log_t)

# prelink misc objects that are not system
# libraries or entrypoints
# Applies to every type carrying the prelink_object attribute. relabelto and
# relabelfrom mean prelink_t can change labels to and from those types.
allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };

# Read kernel system state. The two dontaudit interfaces appear to silence
# audit records for sysctl directory searches rather than grant access -
# confirm against the kernel module interfaces.
kernel_read_system_state(prelink_t)
kernel_dontaudit_search_kernel_sysctl(prelink_t)
kernel_dontaudit_search_sysctl(prelink_t)

# NOTE(review): going by the interface names (their bodies are defined in
# other modules), the corecmd, domain and libs groups below let prelink_t
# manage, relabel and map bin and sbin files, every domain entrypoint, ld.so,
# shared libraries and other lib files. A process running in prelink_t could
# therefore alter or relabel executables used by other domains, so the set of
# domains allowed to transition into prelink_t, and the integrity of
# prelink_exec_t, deserve the same scrutiny as a package manager domain.
corecmd_manage_bin_files(prelink_t)
corecmd_relabel_bin_files(prelink_t)
corecmd_mmap_bin_files(prelink_t)
corecmd_manage_sbin_files(prelink_t)
corecmd_relabel_sbin_files(prelink_t)
corecmd_mmap_sbin_files(prelink_t)

dev_read_urand(prelink_t)

# Same manage/relabel/mmap triple as above, here for all entrypoint files.
domain_manage_all_entry_files(prelink_t)
domain_relabel_all_entry_files(prelink_t)
domain_mmap_all_entry_files(prelink_t)

# Filesystem-wide listing and getattr, write access to directories the files
# module classes as non-security, and read access to etc and etc runtime files.
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)

fs_getattr_xattr_fs(prelink_t)

# Dynamic linker and library access. Beyond the usual use_ld_so and
# use_shared_libs pair, prelink_t also gets exec, manage and relabel on ld.so,
# shared libraries and lib files.
libs_use_ld_so(prelink_t)
libs_exec_ld_so(prelink_t)
libs_manage_ld_so(prelink_t)
libs_relabel_ld_so(prelink_t)
libs_use_shared_libs(prelink_t)
libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_use_lib_files(prelink_t)
libs_manage_lib_files(prelink_t)
libs_relabel_lib_files(prelink_t)

miscfiles_read_localization(prelink_t)

# Applied only when the cron module is part of the policy build.
# NOTE(review): cron_system_entry presumably lets system cron jobs enter
# prelink_t through prelink_exec_t - confirm against the cron interface.
optional_policy(`cron',`
	cron_system_entry(prelink_t, prelink_exec_t)
')