Use permission sets where possible.
This commit is contained in:
parent
9a0f7994cb
commit
1dfc76f76b
@ -102,8 +102,8 @@ files_create_as_is_all_files(cachefilesd_t)
allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
# Allow access to cache superstructure
allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms rmdir };
allow cachefilesd_t cachefiles_var_t:file { getattr rename unlink };
allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms};
# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
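Review bot: The rewritten file rule `allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms};` drops the space before the closing brace, which is inconsistent with every other braced set in this commit and with the `dir` rule directly above it; write it as `allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };`. The substitution itself looks equivalent if delete_file_perms expands to getattr and unlink as it does elsewhere in refpolicy, and since rw_dir_perms already carries getattr, delete_dir_perms adds only rmdir on the new side. The expansions are not visible in this diff, so confirm against obj_perm_sets before merging.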
@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(canna_t, canna_log_t, canna_log_t)
allow canna_t canna_log_t:dir setattr;
allow canna_t canna_log_t:dir setattr_dir_perms;
logging_log_filetrans(canna_t, canna_log_t, { file dir })
manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
allow ccs_t ccs_var_log_t:dir setattr;
allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
@ -182,7 +182,7 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
allow freshclam_t freshclam_var_log_t:dir setattr;
allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
# inherits file handle - should it?
allow courier_pop_t courier_var_lib_t:file { read write };
allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
miscfiles_read_localization(courier_pop_t)
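Review bot: Replacing `{ read write }` with `rw_inherited_file_perms` on courier_var_lib_t:file most likely grants more than the two permissions it replaces (the refpolicy inherited sets generally add getattr and, depending on policy version, append, ioctl and lock), and the comment `# inherits file handle - should it?` directly above shows this access was already considered questionable rather than something to widen. If the extra permissions have not been observed in audit logs, keep the explicit `allow courier_pop_t courier_var_lib_t:file { read write };` or state the intended widening in the commit message. The same consideration applies to the admin_crontab_t rule in the cron hunk, where `read_file_perms` adds ioctl and lock beyond the `{ getattr read unlink }` it replaces. The macro expansions are inferred from the usual obj_perm_sets definitions and are not visible in this diff.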
@ -128,7 +128,7 @@ files_pid_file(system_cronjob_var_run_t)
#
# Allow our crontab domain to unlink a user cron spool file.
allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
@ -351,7 +351,7 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
@ -149,7 +149,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
allow cupsd_t cupsd_var_run_t:dir setattr;
allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t : sock_file setattr;
allow cupsd_t ptal_var_run_t : sock_file setattr_sock_file_perms;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
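Review bot: The new line keeps the non-standard spacing `ptal_var_run_t : sock_file` inherited from the line it replaces, while every other rule touched by this commit writes the object class without spaces around the colon. Since the line is being rewritten anyway, make it `allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;` so the file follows one convention.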
@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
# log files
allow fail2ban_t fail2ban_log_t:dir setattr;
allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
@ -187,7 +187,7 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
# it can stat the socket to perform access control decisions,
# since getsockopt with SO_PEERCRED is not available on all
# proftpd-supported OSs
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
@ -388,7 +388,7 @@ stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above)
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
# Allow ftpdctl to read config files
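Review bot: `manage_sock_file_perms` on ftpdctl_tmp_t:sock_file is a substantial widening of the `{ create setattr }` it replaces: the manage sets in refpolicy normally also include read, write, rename, link and unlink, so ftpdctl_t would gain the ability to remove or replace the control socket that, per the comment above, ftpd_t relies on for its access-control decisions. The other hunks in this commit swap in sets that track the original permissions closely, so this one stands out. Unless ftpdctl actually needs to unlink or rename the socket, keep `allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };` or pick the narrowest set covering what the daemon is observed to do, and say so in the commit message if the widening is deliberate. The exact expansion of manage_sock_file_perms is not shown in this diff.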
@ -46,7 +46,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
can_exec(innd_t, innd_exec_t)
manage_files_pattern(innd_t, innd_log_t, innd_log_t)
allow innd_t innd_log_t:dir setattr;
allow innd_t innd_log_t:dir setattr_dir_perms;
logging_log_filetrans(innd_t, innd_log_t, file)
manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
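Review bot: Widening the dontaudit rule to `{ write_file_perms setattr_file_perms }` on krb5kdc_conf_t:file silences more than the `{ write setattr }` denials it replaces — write_file_perms in refpolicy typically also covers getattr, append, ioctl and lock (and open where defined) — so a future append or ioctl denial against the KDC configuration would vanish from the audit log instead of surfacing. For a dontaudit the narrower explicit set is the safer choice; suggest keeping `dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };` or limiting it to the permissions actually observed. The corresponding rule for krb5kdc_t in the next hunk, `dontaudit krb5kdc_t krb5kdc_conf_t:file write;`, is left unchanged, so the two domains would now differ in how much they suppress on the same files. The expansion of write_file_perms is inferred and not visible in this diff.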
@ -197,7 +197,7 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
files_search_spool(checkpc_t)
allow checkpc_t printconf_t:file getattr;
allow checkpc_t printconf_t:file getattr_file_perms;
allow checkpc_t printconf_t:dir list_dir_perms;
kernel_read_system_state(checkpc_t)
@ -284,8 +284,8 @@ userdom_read_user_tmp_files(lpr_t)
tunable_policy(`use_lpd_server',`
# lpr can run in lightweight mode, without a local print spooler.
allow lpr_t lpd_var_run_t:dir search;
allow lpr_t lpd_var_run_t:sock_file write;
allow lpr_t lpd_var_run_t:dir search_dir_perms;
allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
files_read_var_files(lpr_t)
# Connect to lpd via a Unix domain socket.
@ -69,7 +69,7 @@ manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
allow mysqld_t mysqld_etc_t:file read_file_perms;
allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
allow mysqld_t mysqld_log_t:file manage_file_perms;