Create proc_net type for /proc/sys/net entries.
/proc/sys/net now has its own type so that its access rules can be distinguished from the generic proc rules. Fix dhcp and netd accordingly. Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
parent
11c48d4c06
commit
529fcbe065
5 changed files with 6 additions and 3 deletions
3
dhcp.te
3
dhcp.te
|
@ -13,7 +13,8 @@ allow dhcp self:packet_socket create_socket_perms;
|
|||
allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
|
||||
allow dhcp shell_exec:file rx_file_perms;
|
||||
allow dhcp system_file:file rx_file_perms;
|
||||
allow dhcp proc:file write;
|
||||
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
|
||||
allow dhcp proc_net:file write;
|
||||
allow dhcp system_prop:property_service set ;
|
||||
allow dhcp dhcp_system_file:file rx_file_perms;
|
||||
allow dhcp dhcp_system_file:dir r_dir_perms;
|
||||
|
|
|
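Review bot: `allow dhcp proc_net:file write;` grants write access to every file labelled proc_net, and the genfscon added in this same commit labels the whole /proc/sys/net subtree, so the rule is considerably wider than the single `promote_secondaries` path the comment above it names. That is a reasonable first cut, but the comment should not imply a per-sysctl grant; suggest `# proc_net covers all of /proc/sys/net; narrow with a more specific genfscon if dhcp should only touch promote_secondaries.` The old `allow dhcp proc:file write;` appears to be dropped at the same time, so any other /proc write dhcp performs would now be denied; worth checking audit logs on a device that actually runs dhcp before merging.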
@ -106,6 +106,7 @@ r_dir_file(domain, sysfs)
|
|||
r_dir_file(domain, sysfs_devices_system_cpu)
|
||||
r_dir_file(domain, inotify)
|
||||
r_dir_file(domain, cgroup)
|
||||
r_dir_file(domain, proc_net)
|
||||
|
||||
# debugfs access
|
||||
allow domain debugfs:dir r_dir_perms;
|
||||
|
|
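Review bot: `r_dir_file(domain, proc_net)` makes every entry under /proc/sys/net readable by every domain, including app domains, so the new type only separates write access. That is probably intended, since these entries were labelled `proc` before and were presumably already readable via a domain-wide rule, but nothing in the hunk records that decision; suggest `# /proc/sys/net stays readable by all domains (as it was under proc); only writes are confined to specific daemons.` This section's file header is not shown on the page; from the `domain` rules it looks like domain.te.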
1
file.te
1
file.te
|
@ -10,6 +10,7 @@ type proc_security, fs_type;
|
|||
type usermodehelper, fs_type, sysfs_type;
|
||||
type qtaguid_proc, fs_type, mlstrustedobject;
|
||||
type proc_bluetooth_writable, fs_type;
|
||||
type proc_net, fs_type;
|
||||
type selinuxfs, fs_type;
|
||||
type cgroup, fs_type, mlstrustedobject;
|
||||
type sysfs, fs_type, mlstrustedobject;
|
||||
|
|
|
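Review bot: `type proc_net, fs_type;` carries no comment, and nothing nearby says what the type labels or which daemons may write it; suggest `# /proc/sys/net sysctls: readable by all domains, writable by dhcp and netd`. Note also that, unlike `qtaguid_proc`, `cgroup` and `sysfs` in this block, `proc_net` is not `mlstrustedobject`; on an MLS-constrained build that may affect domains at non-default levels that rely on the domain-wide read rule added elsewhere in this commit — confirm whether that is intended.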
@ -15,6 +15,7 @@ genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
|
|||
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
|
||||
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
||||
genfscon proc /sys/net u:object_r:proc_net:s0
|
||||
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
|
||||
# selinuxfs booleans can be individually labeled.
|
||||
genfscon selinuxfs / u:object_r:selinuxfs:s0
|
||||
|
|
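Review bot: `genfscon proc /sys/net u:object_r:proc_net:s0` is a path-prefix match, so it labels the entire /proc/sys/net tree — not just the `promote_secondaries` and `route/flush` entries that dhcp.te and netd.te cite — and every file in it becomes writable by those two daemons (for example /proc/sys/net/core or netfilter sysctls, where the device exposes them). If the intent is to keep those writes narrow, longer genfscon prefixes take precedence over this one and can later carve out finer types, the way this file already labels individual /sys/kernel/* entries. A comment here would help: `# All of /proc/sys/net; longer genfscon prefixes can split out finer types.` This section's file header is not shown on the page; the genfscon lines suggest genfs_contexts.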
3
netd.te
3
netd.te
|
@ -16,8 +16,7 @@ allow netd system_file:file x_file_perms;
|
|||
allow netd devpts:chr_file rw_file_perms;
|
||||
|
||||
# For /proc/sys/net/ipv[46]/route/flush.
|
||||
# XXX Split /proc/sys/net into its own type.
|
||||
allow netd proc:file write;
|
||||
allow netd proc_net:file write;
|
||||
|
||||
# For /sys/modules/bcmdhd/parameters/firmware_path
|
||||
# XXX Split into its own type.
|
||||
|
|
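Review bot: The `# XXX Split /proc/sys/net into its own type.` TODO is removed here, but the remaining `allow netd proc_net:file write;` still has the over-breadth that note was about: proc_net spans all of /proc/sys/net, not only the `ipv[46]/route/flush` entries named in the comment above it. Suggest extending that comment: `# proc_net covers all of /proc/sys/net; netd only needs route/flush today.` The blanket `allow netd proc:file write;` appears to be dropped at the same time, so any other /proc write netd performs (none is listed here) will now be denied — verify on a device with netd active. The sibling `# XXX Split into its own type.` for /sys/modules/bcmdhd/parameters/firmware_path is left in place; its rule lies below the hunk.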