
atop: further adapt the policy to the atop version in Debian stretch

Helmut Pozimski 7 년 전
부모
커밋
df5e1e94e1
1개의 변경된 파일5개의 추가작업 그리고 6개의 파일을 삭제
  1. 5 6
      policy/modules/atop.te

+ 5 - 6
policy/modules/atop.te

@@ -1,4 +1,4 @@
-policy_module(atop, 0.1.12)
+policy_module(atop, 0.1.13)
 
 ########################################
 #
@@ -31,11 +31,12 @@ files_type(atop_var_cache_t)
 
 allow atop_t atop_exec_t:file execute_no_trans;
 allow atop_t self:capability { setuid sys_nice sys_resource ipc_lock sys_pacct dac_override net_raw sys_ptrace };
-allow atop_t self:process { setsched sigkill setrlimit setpgid };
+allow atop_t self:process { setsched sigkill setrlimit setpgid signal };
 allow atop_t self:sem { write read create unix_write unix_read };
 allow atop_t self:udp_socket { create ioctl };
 allow atop_t self:sem associate;
 allow atop_t self:rawip_socket { create getopt };
+allow atop_t self:fifo_file { getattr ioctl read write };
 
 manage_dirs_pattern(atop_t, atop_var_log_t, atop_var_log_t)
 append_files_pattern(atop_t, atop_var_log_t, atop_var_log_t)
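Review bot: The two new rules `allow atop_t self:process { setsched sigkill setrlimit setpgid signal };` and `allow atop_t self:fifo_file { getattr ioctl read write };` record no reason, so a later maintainer cannot tell which behaviour of the stretch atop needs them; the commit message only says the program version changed. A one-line comment above each, such as `# atop in Debian stretch: <AVC denial that triggered this rule>` with the actual denial, would let the rules be re-checked or dropped when atop is updated again. Both rules are scoped to self, so the widening stays inside the atop domain; if the policy toolchain supports extended permissions, the fifo_file `ioctl` could later be narrowed to the request codes atop actually issues with allowxperm, but that is optional.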
@@ -51,10 +52,7 @@ manage_dirs_pattern(atop_t, atop_var_run_t, atop_var_run_t)
 manage_files_pattern(atop_t, atop_var_run_t, atop_var_run_t)
 files_pid_filetrans(atop_t, atop_var_run_t, { file dir })
 
-gen_require(`
-	type bin_t;
-')
-allow atop_t bin_t:dir search;
+corecmd_exec_bin(atop_t)
 
 optional_policy(`
 	gen_require(`
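Review bot: `corecmd_exec_bin(atop_t)` is considerably broader than the rule it replaces: the removed `allow atop_t bin_t:dir search;` only let atop traverse bin_t directories, whereas corecmd_exec_bin in the reference policy also grants reading and executing bin_t files inside the atop domain, with no domain transition. If the stretch atop only needs path lookup through /usr/bin, `corecmd_search_bin(atop_t)` is the narrower replacement that still covers the old search permission; if it really executes a program from bin_t, a comment naming that program, e.g. `# atop execs <program> from bin_t without transition`, would justify the wider interface. The optional_policy block that starts on the last lines of this hunk continues outside it.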
@@ -72,6 +70,7 @@ kernel_getattr_proc_files(atop_t)
 kernel_read_proc_symlinks(atop_t)
 kernel_read_system_state(atop_t)
 kernel_get_sysvipc_info(atop_t)
+kernel_read_kernel_sysctls(atop_t)
 
 domain_read_all_domains_state(atop_t)
 corecmd_shell_entry_type(atop_t)
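Review bot: `kernel_read_kernel_sysctls(atop_t)` opens read access to the whole kernel sysctl tree under /proc/sys/kernel rather than to a single entry, and nothing in the hunk says which entry the stretch atop reads. A short comment above the line, such as `# atop reads /proc/sys/kernel/<entry> (stretch version)`, would document why the whole interface is used and make it possible to tighten the rule later if a narrower one becomes available.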