fix dupe interfaces
parent
0176d13988
commit
1470ffb03f
@ -251,24 +251,6 @@ interface(`dev_dontaudit_setattr_generic_blk_file',`
|
||||
dontaudit $1 device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow read, write, create, and delete for generic
|
||||
## block files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_manage_generic_blk_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir rw_dir_perms;
|
||||
allow $1 device_t:blk_file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow read, write, and create for generic character device files.
|
||||
|
@ -300,10 +300,9 @@ interface(`files_search_all',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_all_dirs',`
|
||||
interface(`files_list_all',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir r_dir_perms;
|
||||
@ -2044,23 +2043,6 @@ interface(`files_dontaudit_getattr_tmp_dir',`
|
||||
dontaudit $1 tmp_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to getattr on /tmp directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_tmp_dir',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the tmp directory (/tmp).
|
||||
|
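Review bot: In the hunk at old line 300, `interface(`files_list_all_dirs',` is replaced by `interface(`files_list_all',`, but no caller of the old name is updated anywhere in this diff. If any module still invokes `files_list_all_dirs`, that call would presumably be left unexpanded by m4 and rejected when the policy is compiled, so the tree should be searched for the old name before this lands. If callers cannot be migrated in the same commit, a forwarding definition under the old name whose body is only `files_list_all($1)` keeps them building. The summary block and the rest of the renamed interface's body lie outside the hunk, so whether the summary text still matches the new name cannot be checked here.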
@ -651,24 +651,6 @@ interface(`fs_execute_cifs_files',`
|
||||
can_exec($1, cifs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read or
|
||||
## write files on a CIFS or SMB filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_read_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class file { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 cifs_t:file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete directories
|
||||
|
@ -1817,24 +1817,6 @@ interface(`kernel_read_file_from',`
|
||||
allow kernel_t $1:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the kernel to search the
|
||||
## specified directory.
|
||||
## </summary>
|
||||
## <param name="dir_type">
|
||||
## Directory type to search.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_search_from',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow kernel_t $1:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use the specified types for /lib directory
|
||||
|
@ -361,24 +361,6 @@ interface(`storage_write_scsi_generic',`
|
||||
typeattribute $1 scsi_generic_write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get attributes of the device nodes
|
||||
## for the SCSI generic inerface.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_getattr_scsi_generic',`
|
||||
gen_require(`
|
||||
type scsi_generic_device_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 scsi_generic_device_t:chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set attributes of the device nodes
|
||||
|
@ -640,23 +640,6 @@ interface(`term_reset_tty_labels',`
|
||||
allow $1 tty_device_t:chr_file relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of unallocated ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_getattr_unallocated_ttys',`
|
||||
gen_require(`
|
||||
type tty_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 tty_device_t:chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write to unallocated ttys.
|
||||
|
@ -35,7 +35,7 @@ interface(`ppp_dontaudit_use_fd',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to send sigchld to parent of PPP domain type.
|
||||
## Send a SIGCHLD signal to PPP.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
@ -66,22 +66,6 @@ interface(`ppp_signal',`
|
||||
allow $1 pppd_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to PPP.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`ppp_sigchld',`
|
||||
gen_require(`
|
||||
type pppd_t;
|
||||
')
|
||||
|
||||
allow $1 pppd_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute domain in the ppp domain.
|
||||
|
@ -327,23 +327,6 @@ interface(`samba_read_winbind_pid',`
|
||||
allow $1 winbind_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read the winbind pid files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_read_winbind_pid',`
|
||||
gen_require(`
|
||||
type winbind_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 winbind_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to winbind.
|
||||
|
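Review bot: The deleted second copy of `samba_read_winbind_pid` calls `files_search_pids($1)` before its allow rule, while the copy that survives (its body starts above this hunk) is visible only from its final `allow $1 winbind_var_run_t:file r_file_perms;` line, so it is not clear that it grants the same directory search access. If the surviving copy lacks the `files_search_pids($1)` call, callers keep read access to the pid file type but presumably lose search on the pid directory and never reach the file; the kept definition should be checked and, if needed, `files_search_pids($1)` added above its allow line. When de-duplicating interfaces, diff the two bodies rather than assuming the first occurrence is the canonical one.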
@ -11,9 +11,6 @@
|
||||
interface(`squid_domtrans',`
|
||||
gen_require(`
|
||||
type squid_t, squid_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
@ -36,34 +33,12 @@ interface(`squid_domtrans',`
|
||||
interface(`squid_read_config',`
|
||||
gen_require(`
|
||||
type squid_conf_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 squid_conf_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## squid logs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`squid_manage_logs',`
|
||||
gen_require(`
|
||||
type squid_log_t;
|
||||
class dir rw_dir_perms;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 squid_log_t:dir rw_dir_perms;
|
||||
allow $1 squid_log_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Append squid logs.
|
||||
@ -112,8 +87,6 @@ interface(`squid_append_log',`
|
||||
interface(`squid_manage_logs',`
|
||||
gen_require(`
|
||||
type squid_log_t;
|
||||
class dir rw_dir_perms;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
@ -132,7 +105,6 @@ interface(`squid_manage_logs',`
|
||||
interface(`squid_use',`
|
||||
gen_require(`
|
||||
type squid_t;
|
||||
class tcp_socket { connectto acceptfrom recvfrom };
|
||||
')
|
||||
|
||||
allow $1 squid_t:tcp_socket { connectto recvfrom };
|
||||
|
@ -440,40 +440,6 @@ interface(`init_write_script_pipe',`
|
||||
allow $1 initrc_t:fifo_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to
|
||||
## init scripts with a unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_unix_connect_script',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
allow $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Dont audit the specified domain connecting to
|
||||
## init scripts with a unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_dontaudit_unix_connect_script',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
dontaudit $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attribute of init script entrypoint files.
|
||||
@ -690,6 +656,23 @@ interface(`init_unix_connect_script',`
|
||||
allow $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Dont audit the specified domain connecting to
|
||||
## init scripts with a unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_dontaudit_unix_connect_script',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
dontaudit $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
|
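Review bot: The summary of the re-added `init_dontaudit_unix_connect_script` at old line 690 reads `## Dont audit the specified domain connecting to`, whereas the other dontaudit interfaces on this page use the `Do not audit attempts to …` phrasing (see the fs and term hunks). Since the block is being recreated here anyway, aligning it is cheap, e.g. `## Do not audit attempts by the specified domain to connect to` followed by the existing second summary line. The moved body is otherwise identical to the copy removed in the earlier hunk of this file, which reads as intended.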