mirror of
https://github.com/containers/udica
synced 2024-05-25 01:56:14 +02:00
09bf6b339f
Cil parser was recently updated to reject the following:

(block template1 (type t) )
(block template2 (blockinherit template1))
(block b (blockinherit template1) (blockinherit template2))

Re-declaration of type t
Previous declaration of type at /var/lib/selinux/targeted/tmp/modules/400/test/cil:1
Failed to copy block contents into blockinherit
Failed to resolve AST
semodule: Failed!

Remove (blockinherit container) from all templates so that "process" and "socket" are only defined once (by inheriting "container" block in the generated policy). All allow rules referencing "process" and "socket" now need to be enclosed in an optional block.

While at it, unify indentation.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
26 lines
907 B
Plaintext
(block x_container
    (optional x_container_optional
        (allow xserver_t process (shm (getattr read write associate unix_read unix_write lock)))

        (allow process xserver_t (unix_stream_socket (connectto)))

        (allow process device_t (dir (getattr search open)))

        (allow process dri_device_t (chr_file (ioctl read write getattr lock append open map)))

        (allow process xserver_misc_device_t (chr_file (ioctl read write getattr lock append open map)))

        (allow process urandom_device_t (chr_file (open read)))

        (allow process tmpfs_t (dir (getattr search open)))

        (allow process tmp_t (dir (getattr search open)))
        (allow process tmp_t (lnk_file (read getattr)))

        (allow process xserver_tmp_t (dir (getattr search open)))
        (allow process xserver_tmp_t (sock_file (write getattr append open)))

        (allow process xserver_exec_t (file (ioctl read getattr lock map execute execute_no_trans open)))
    )
)
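The commit message explains two things: why the newer CIL compiler rejects a block that reaches the same `(type t)` declaration through two `blockinherit` paths, and the layout rule templates now have to follow (no `(blockinherit container)`, and every `allow` rule on the inherited `process`/`socket` types wrapped in an `optional` block). The script below, an added example that is not udica's own code, models both: `resolve_declared_types()` expands `blockinherit` by copying block bodies and shows the duplicated `t` for the commit's template1/template2/b case, and `check_template()` lints a template for the new layout. The parser, the helper names and the sample templates (a pre-commit style template with the inherit and an unwrapped rule, and a fixed one mirroring the file above) are all constructed for this example; the namespacing the real compiler applies to copied symbols is ignored.

```python
"""Added example (not udica's code): a minimal CIL s-expression parser plus
two checks derived from the commit message. Helper names are my own."""
import re
from typing import Dict, List, Union

Sexp = Union[str, List["Sexp"]]
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def parse_cil(text: str) -> List[Sexp]:
    """Parse CIL (an s-expression language) into nested lists; ';' comments are dropped."""
    text = re.sub(r";[^\n]*", "", text)
    stack: List[List[Sexp]] = [[]]
    for tok in TOKEN_RE.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def resolve_declared_types(text: str, block_name: str) -> List[str]:
    """Type names declared in `block_name` after expanding every blockinherit by
    copying the inherited body. A name listed twice is the re-declaration the
    newer CIL parser refuses. Simplified: symbol namespacing is ignored."""
    blocks: Dict[str, List[Sexp]] = {
        node[1]: node[2:] for node in parse_cil(text)
        if isinstance(node, list) and node and node[0] == "block"
    }

    def expand(name: str, seen: tuple) -> List[str]:
        if name in seen:
            raise ValueError(f"blockinherit cycle through {name}")
        declared: List[str] = []
        for item in blocks[name]:
            if isinstance(item, list) and item and item[0] == "blockinherit":
                declared += expand(item[1], seen + (name,))
            elif isinstance(item, list) and item and item[0] == "type":
                declared.append(item[1])
        return declared

    return expand(block_name, ())


INHERITED = {"process", "socket"}  # types the generated policy gets from the container block


def check_template(text: str) -> List[str]:
    """Lint a template for the post-commit layout; an empty list means it conforms."""
    findings: List[str] = []

    def walk(node: Sexp, in_optional: bool) -> None:
        if not isinstance(node, list) or not node:
            return
        head = node[0]
        if head == "blockinherit" and node[1:] == ["container"]:
            findings.append("template inherits 'container' (process/socket would be declared twice)")
        if head == "allow":
            refs = INHERITED.intersection(node[1:3])  # source and target type of the rule
            if refs and not in_optional:
                findings.append(f"allow {node[1]} {node[2]} references {sorted(refs)} outside an optional block")
        for child in node[1:]:
            walk(child, in_optional or head == "optional")

    for top in parse_cil(text):
        walk(top, False)
    return findings


# Constructed inputs: the commit's diamond, a pre-commit style template, and the fixed layout.
DIAMOND = """
(block template1 (type t))
(block template2 (blockinherit template1))
(block b (blockinherit template1) (blockinherit template2))
"""
OLD_TEMPLATE = """
(block x_container
    (blockinherit container)
    (allow process xserver_t (unix_stream_socket (connectto))))
"""
NEW_TEMPLATE = """
(block x_container
    (optional x_container_optional
        (allow xserver_t process (shm (getattr read write associate unix_read unix_write lock)))
        (allow process xserver_t (unix_stream_socket (connectto)))))
"""

if __name__ == "__main__":
    print(resolve_declared_types(DIAMOND, "b"))  # ['t', 't']: the re-declaration of type t
    print(check_template(OLD_TEMPLATE))          # two findings
    print(check_template(NEW_TEMPLATE))          # []
```

Running the script prints `['t', 't']` for block `b`, which is the duplicate declaration behind the "Re-declaration of type t" error, two findings for the old-style template and none for the fixed one. The same `check_template()` can be run over every template a tool generates policy from before the result is handed to `semodule`.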