From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 20 Apr 2012 16:10:53 -0400 Subject: [refpolicy] [PATCH 1/13] Adding dontaudit interfaces for files module In-Reply-To: <20120322200657.GB3387@siphos.be> References: <20120322200229.GA3387@siphos.be> <20120322200657.GB3387@siphos.be> Message-ID: <4F91C2CD.7010502@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/22/12 16:06, Sven Vermeulen wrote: > > Signed-off-by: Sven Vermeulen > --- > policy/modules/kernel/files.if | 36 ++++++++++++++++++++++++++++++++++++ > 1 files changed, 36 insertions(+), 0 deletions(-) Merged. There were whitespace errors, please be mindful. Moved the dontaudit_setattr up in the file. > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if > index deb24b4..7df46ac 100644 > --- a/policy/modules/kernel/files.if > +++ b/policy/modules/kernel/files.if > @@ -1482,6 +1482,42 @@ interface(`files_dontaudit_list_all_mountpoints',` > > ######################################## > ## > +## Do not audit write attempts on mount points. > +## > +## > +## > +## Domain to ignore write attempts from > +## > +## > +# > +interface(`files_dontaudit_write_all_mountpoints',` > + gen_require(` > + attribute mountpoint; > + ') > + > + dontaudit $1 mountpoint:dir write; > +') > + > +######################################## > +## > +## Do not audit setattr attempts on mount points. > +## > +## > +## > +## Domain to ignore setattr attempts from > +## > +## > +# > +interface(`files_dontaudit_setattr_all_mountpoints',` > + gen_require(` > + attribute mountpoint; > + ') > + > + dontaudit $1 mountpoint:dir setattr; > +') > + > +######################################## > +## > ## List the contents of the root directory. > ## > ## -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
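Review bot: The doc comments of the two interfaces added in the `@@ -1482,6 +1482,42 @@` hunk understate the scope of `dontaudit $1 mountpoint:dir write;` and `dontaudit $1 mountpoint:dir setattr;`. Both rules suppress denial logging for every type carrying the `mountpoint` attribute, and only for class `dir`, while the summaries say just "on mount points". I would have each summary say that it covers all mount point directories, so that a caller knows how much audit visibility the interface removes for the domain passed as `$1`. As a style point, the parameter descriptions "Domain to ignore write attempts from" and "Domain to ignore setattr attempts from" lack the closing period that the summary sentences have. The merge reply reports whitespace errors, so the added lines should be checked for that before similar patches are sent.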