Diffstat (limited to 'cpp')
-rw-r--r--cpp/etc/selinux/Makefile6
-rw-r--r--cpp/etc/selinux/qpidd.te32
-rw-r--r--cpp/etc/selinux/qpiddevel.te27
3 files changed, 39 insertions, 26 deletions
diff --git a/cpp/etc/selinux/Makefile b/cpp/etc/selinux/Makefile
index 440879d1ed..e44ec2224b 100644
--- a/cpp/etc/selinux/Makefile
+++ b/cpp/etc/selinux/Makefile
@@ -4,11 +4,13 @@
POLICIES = qpidd.pp qpiddevel.pp
SOURCES = $(POLICIES:.pp=.te)
-install: $(POLICIES)
- for p in $(POLICIES); do /usr/sbin/semodule -i $$p; done
+all: $(POLICIES)
$(POLICIES): $(SOURCES)
make -f /usr/share/selinux/devel/Makefile
+install: $(POLICIES)
+ for p in $(POLICIES); do /usr/sbin/semodule -i $$p; done
+
clean:
rm -rf *~ *.pp *.fc *.if tmp
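Review bot: The recursive invocation on the `$(POLICIES): $(SOURCES)` rule still calls literal `make`, so `-n`, `-j` and the jobserver are not propagated; it should be `$(MAKE) -f /usr/share/selinux/devel/Makefile`. The same rule lists both `.pp` files as targets of one recipe that builds everything, so under `make -j` the devel Makefile is run once per target concurrently; the new `all` target inherits that, and a stamp file or a single-target rule would avoid the duplicate run. None of `all`, `install` or `clean` is declared phony, so a stray file named `all` or `install` would silently satisfy the target; add `.PHONY: all install clean`.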
diff --git a/cpp/etc/selinux/qpidd.te b/cpp/etc/selinux/qpidd.te
index 05721db812..e830575fd1 100644
--- a/cpp/etc/selinux/qpidd.te
+++ b/cpp/etc/selinux/qpidd.te
@@ -6,19 +6,25 @@
# To install the compiled qpidd.pp
# sudo semodule -i qpidd.pp
-policy_module(qpidd, 1.1)
-require {
+policy_module(qpidd, 1.2)
+
+gen_require(`
type initrc_t;
type ccs_t;
- type aisexec_t;
-}
-#============= ccs_t ==============
+ class sem { write unix_read unix_write associate read destroy };
+ class shm { unix_read write unix_write associate read destroy };
+')
+
fs_rw_tmpfs_files(ccs_t)
-allow ccs_t initrc_t:sem rw_sem_perms;
-allow ccs_t initrc_t:shm rw_shm_perms;
-allow ccs_t self:capability ipc_owner;
-allow aisexec_t initrc_t:sem rw_sem_perms;
-allow aisexec_t initrc_t:shm rw_shm_perms;
-allow aisexec_t initrc_t:sem destroy;
-allow aisexec_t initrc_t:shm destroy;
-allow aisexec_t self:capability { ipc_owner dac_override };
+allow ccs_t initrc_t:sem { read write unix_read unix_write associate destroy };
+allow ccs_t initrc_t:shm { read write unix_read unix_write associate destroy };
+allow ccs_t self:capability { ipc_owner dac_override };
+
+optional_policy(`
+ gen_require(`
+ type aisexec_t;
+ ')
+ allow aisexec_t initrc_t:sem { read write unix_read unix_write associate destroy };
+ allow aisexec_t initrc_t:shm { read write unix_read unix_write associate destroy };
+ allow aisexec_t self:capability { sys_admin ipc_owner dac_override };
+')
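Review bot: The `ccs_t` self capability grant now includes `dac_override`, which the old policy gave only to `aisexec_t`, and the `aisexec_t` grant in the optional block adds `sys_admin`; nothing in the hunk says which operation needs either. Both are broad (dac_override bypasses file-permission checks, sys_admin covers a wide range of privileged operations), so a short why-comment above each allow rule, e.g. `# dac_override: needed for <operation — TODO confirm against the AVC denial>`, would let later reviewers keep the module minimal and notice when the grant can be dropped. The explicit `destroy` permission on `initrc_t` sem/shm for `ccs_t` is also new relative to the former `rw_sem_perms`/`rw_shm_perms` macros and deserves the same one-line justification.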
diff --git a/cpp/etc/selinux/qpiddevel.te b/cpp/etc/selinux/qpiddevel.te
index 0968f6eeb1..5b280288f7 100644
--- a/cpp/etc/selinux/qpiddevel.te
+++ b/cpp/etc/selinux/qpiddevel.te
@@ -7,20 +7,25 @@
# To install the compiled qpiddevel.pp
# sudo semodule -i qpiddevel.pp
-module qpiddevel 1.0;
+policy_module(qpiddevel, 1.1)
-require {
+gen_require(`
type unconfined_t;
- type aisexec_t;
- type unconfined_execmem_t;
+ type ccs_t;
class capability sys_admin;
class sem { write unix_read unix_write associate read destroy };
class shm { unix_read write unix_write associate read destroy };
-}
+')
-#============= aisexec_t ==============
-allow aisexec_t self:capability sys_admin;
-allow aisexec_t unconfined_t:sem { write unix_read unix_write associate read destroy };
-allow aisexec_t unconfined_t:shm { unix_read write unix_write associate read destroy };
-allow aisexec_t unconfined_execmem_t:sem { write unix_read unix_write associate read destroy };
-allow aisexec_t unconfined_execmem_t:shm { write unix_read unix_write associate read destroy };
+allow ccs_t self:capability sys_admin;
+allow ccs_t unconfined_t:sem { write unix_read unix_write associate read destroy };
+allow ccs_t unconfined_t:shm { unix_read write unix_write associate read destroy };
+
+optional_policy(`
+ gen_require(`
+ type aisexec_t;
+ ')
+ allow aisexec_t self:capability sys_admin;
+ allow aisexec_t unconfined_t:sem { read write unix_read unix_write associate destroy };
+ allow aisexec_t unconfined_t:shm { read write unix_read unix_write associate destroy };
+')
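Review bot: `allow ccs_t self:capability sys_admin;` and the following sem/shm rules transfer to `ccs_t` the access the old policy granted to `aisexec_t`, with no comment explaining the change of subject or why `sys_admin` rather than a narrower capability is required. The header comment states this is the devel module installed into an unconfined environment, so a one-line note such as `# devel only: ccs_t shares SysV IPC with unconfined_t; sys_admin needed for <reason — TODO confirm>` would make the scope explicit. If `unconfined_execmem_t` was dropped deliberately rather than by oversight, stating that in the file header would prevent it being re-added later.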