diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 58b4e9da..ae853de5 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -163,7 +163,7 @@ interface(`corecmd_list_bin',`
 ########################################
 ##
-## Do not auidt attempts to write bin directories.
+## Do not audit attempts to write bin directories.
 ##
 ##
 ##
@@ -179,6 +179,24 @@ interface(`corecmd_dontaudit_write_bin_dirs',`
 	dontaudit $1 bin_t:dir write;
 ')
+########################################
+##
+## Do not audit attempts to write bin files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`corecmd_dontaudit_write_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	dontaudit $1 bin_t:file write;
+')
+
 ########################################
 ##
 ## Get the attributes of files in bin directories.
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 6c6f684f..69093aa2 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -521,6 +521,7 @@ kernel_stream_connect(xdm_t)
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
+corecmd_dontaudit_write_bin_files(xdm_t)
 corenet_all_recvfrom_unlabeled(xdm_t)
 corenet_all_recvfrom_netlabel(xdm_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 00283baa..d17f2bf3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -375,6 +375,7 @@ files_setattr_pid_dirs(initrc_t)
 files_read_kernel_symbol_table(initrc_t)
 files_exec_etc_files(initrc_t)
 files_manage_etc_symlinks(initrc_t)
+files_manage_system_conf_files(initrc_t)
 fs_manage_tmpfs_dirs(initrc_t)
 fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
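Review bot: The new `corecmd_dontaudit_write_bin_files` interface silences write denials on bin_t files, which are the system's executables, so any domain given it loses the audit record of an attempt to modify those binaries; the interface summary should state that cost so callers weigh it. Suggest extending the description to `Do not audit attempts to write bin files. Intended for callers that open executables read-write without modifying them; it hides evidence of attempted tampering with system binaries.` The body itself mirrors the sibling `corecmd_dontaudit_write_bin_dirs` directly above it, which keeps the pair consistent.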
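Review bot: `corecmd_dontaudit_write_bin_files(xdm_t)` is added with nothing in the hunk explaining why a display manager opens bin_t files for writing, and since the rule removes the denial from the audit log, a misconfigured or compromised xdm_t touching executables would then go unrecorded. A comment on the line naming the triggering access, e.g. `# <program> opens bin files read-write without writing; see <denial or bug reference>`, would let later readers judge whether the dontaudit is still warranted. If the access presumably comes from a single helper run by the display manager rather than xdm itself, confining that helper in its own domain would be narrower than silencing the denial for all of xdm_t.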
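Review bot: `files_manage_system_conf_files(initrc_t)` grants initrc_t create, write, rename and delete on every system_conf_t file, which is broader than the neighbouring `files_exec_etc_files`/`files_manage_etc_symlinks` lines suggest is needed and is unrelated to the xdm change in the same commit. If the init scripts only need to update an existing configuration file, a narrower read/write interface from files.if (if one exists for that type) should be preferred, and the line deserves a comment naming the script that needs it, e.g. `# <init script> rewrites <conf file> at boot`. The surrounding initrc_t rules continue outside the hunk.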