fsnotify: dont append these access_vectors to common_file
authorDominick Grift <dac.override@gmail.com>
Tue, 10 Sep 2019 14:05:37 +0000 (16:05 +0200)
committerDominick Grift <dac.override@gmail.com>
Tue, 10 Sep 2019 14:05:37 +0000 (16:05 +0200)
for compatibility with older selinux code (cron uses old selinux code to compute access to file entrypoint for example)

policy/base/access_vectors.cil

index a1e4d5e5b9c62e471a08f5f04ca16b7d3118e775..a7f486196f3fe5763297f04c597e79bc8c1f18cc 100644 (file)
@@ -12,7 +12,8 @@
 (class bpf (map_create map_read map_write prog_load prog_run))
 (class binder (call impersonate set_context_mgr transfer))
 
-(class blk_file (audit_access execmod open))
+(class blk_file (audit_access execmod open watch watch_mount watch_reads
+                              watch_sb watch_with_perm write))
 (classcommon blk_file common_file)
 
 (class cap_userns ())
 (class capability2 ())
 (classcommon capability2 common_capability2)
 
-(class chr_file (audit_access execmod open))
+(class chr_file (audit_access execmod open watch watch_mount watch_reads
+                              watch_sb watch_with_perm write))
 (classcommon chr_file common_file)
 
 (class dccp_socket (name_connect node_bind))
 (classcommon dccp_socket common_socket)
 
 (class dir
-       (add_name audit_access execmod open remove_name reparent rmdir search))
+       (add_name audit_access execmod open remove_name reparent rmdir search
+                 watch watch_mount watch_reads watch_sb watch_with_perm write))
 (classcommon dir common_file)
 
 (class fd (use))
 
-(class fifo_file (audit_access execmod open))
+(class fifo_file (audit_access execmod open watch watch_mount watch_reads
+                               watch_sb watch_with_perm write))
 (classcommon fifo_file common_file)
 
-(class file (audit_access entrypoint execmod execute_no_trans open))
+(class file
+       (audit_access entrypoint execmod execute_no_trans open watch watch_mount
+                     watch_reads watch_sb watch_with_perm write))
 (classcommon file common_file)
 
 (class filesystem
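Review bot: Besides the fsnotify vectors, this change also moves `write` out of common_file (the common_file hunk at the end of the diff now ends at `unlink` instead of `watch_with_perm write`) and re-adds it at the end of each per-class list here and in the lnk_file/sock_file hunk, which the commit message does not mention; if the intent is only to keep the watch vectors out of the common, common_file should keep `relabelfrom relabelto rename setattr unlink write))` and `write` should be dropped from the seven class lists. As written, any class declared with `classcommon <name> common_file` that is not touched by this diff, now or in a later addition, silently ends up with no write permission, and write's position relative to the other common permissions changes, which cuts against the compatibility goal the message states (I cannot see from the diff whether other common_file users exist elsewhere in the file). The reason for listing the watch vectors per class rather than in the common is also not recorded in the file itself, so a comment above the first affected class would help, e.g. `; fsnotify watch vectors are listed per class rather than in common_file so that class-specific permission positions stay stable for userspace that still uses older hard-coded access vectors (e.g. cron's file entrypoint check)`.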
@@ -60,7 +66,8 @@
 (class key_socket ())
 (classcommon key_socket common_socket)
 
-(class lnk_file (audit_access execmod open))
+(class lnk_file (audit_access execmod open watch watch_mount watch_reads
+                              watch_sb watch_with_perm write))
 (classcommon lnk_file common_file)
 
 (class memprotect (mmap_zero))
 (class shm (lock))
 (classcommon shm common_ipc)
 
-(class sock_file (audit_access execmod open))
+(class sock_file (audit_access execmod open watch watch_mount watch_reads
+                               watch_sb watch_with_perm write))
 (classcommon sock_file common_file)
 
 (class socket ())
         (audit_read block_suspend mac_admin mac_override syslog wake_alarm))
 (common common_file
         (append create execute getattr ioctl lock link map mounton quotaon read
-                relabelfrom relabelto rename setattr unlink watch watch_mount
-                watch_reads watch_sb watch_with_perm write))
+                relabelfrom relabelto rename setattr unlink))
 (common common_ipc
         (associate create destroy getattr read setattr unix_read
                    unix_write write))