renaming from 20060131 interface review, round 2
This commit is contained in:
Chris PeBenito
parent
207c47630c
commit
445522dcb0
@ -34,7 +34,7 @@ can_exec(acct_t,acct_exec_t)
|
||||
|
||||
kernel_list_proc(acct_t)
|
||||
kernel_read_system_state(acct_t)
|
||||
kernel_read_kernel_sysctl(acct_t)
|
||||
kernel_read_kernel_sysctls(acct_t)
|
||||
|
||||
dev_read_sysfs(acct_t)
|
||||
# for SSP
|
||||
|
||||
@ -123,9 +123,9 @@ allow amanda_t amanda_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(amanda_t, amanda_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(amanda_t)
|
||||
kernel_read_kernel_sysctl(amanda_t)
|
||||
kernel_dontaudit_getattr_unlabeled_file(amanda_t)
|
||||
kernel_dontaudit_read_proc_symlink(amanda_t)
|
||||
kernel_read_kernel_sysctls(amanda_t)
|
||||
kernel_dontaudit_getattr_unlabeled_files(amanda_t)
|
||||
kernel_dontaudit_read_proc_symlinks(amanda_t)
|
||||
|
||||
# Added for targeted policy
|
||||
term_use_unallocated_tty(amanda_t)
|
||||
@ -216,7 +216,7 @@ allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
|
||||
files_filetrans_tmp(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_read_system_state(amanda_recover_t)
|
||||
kernel_read_kernel_sysctl(amanda_recover_t)
|
||||
kernel_read_kernel_sysctls(amanda_recover_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(amanda_recover_t)
|
||||
corenet_udp_sendrecv_all_if(amanda_recover_t)
|
||||
|
||||
@ -21,7 +21,7 @@ allow ddcprobe_t self:capability { sys_rawio sys_admin };
|
||||
allow ddcprobe_t self:process execmem;
|
||||
|
||||
kernel_read_system_state(ddcprobe_t)
|
||||
kernel_read_kernel_sysctl(ddcprobe_t)
|
||||
kernel_read_kernel_sysctls(ddcprobe_t)
|
||||
kernel_change_ring_buffer_level(ddcprobe_t)
|
||||
|
||||
bootloader_search_kernel_modules(ddcprobe_t)
|
||||
|
||||
@ -31,7 +31,7 @@ ifdef(`strict_policy',`
|
||||
|
||||
allow dmesg_t self:process signal_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(dmesg_t)
|
||||
kernel_read_kernel_sysctls(dmesg_t)
|
||||
kernel_read_ring_buffer(dmesg_t)
|
||||
kernel_clear_ring_buffer(dmesg_t)
|
||||
kernel_change_ring_buffer_level(dmesg_t)
|
||||
|
||||
@ -46,7 +46,7 @@ files_filetrans_etc(firstboot_t,firstboot_rw_t,file)
|
||||
unconfined_domain_template(firstboot_t)
|
||||
|
||||
kernel_read_system_state(firstboot_t)
|
||||
kernel_read_kernel_sysctl(firstboot_t)
|
||||
kernel_read_kernel_sysctls(firstboot_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(firstboot_t)
|
||||
corenet_raw_sendrecv_all_if(firstboot_t)
|
||||
|
||||
@ -40,12 +40,12 @@ files_filetrans_pid(kudzu_t,kudzu_var_run_t)
|
||||
|
||||
kernel_change_ring_buffer_level(kudzu_t)
|
||||
kernel_list_proc(kudzu_t)
|
||||
kernel_read_device_sysctl(kudzu_t)
|
||||
kernel_read_kernel_sysctl(kudzu_t)
|
||||
kernel_read_device_sysctls(kudzu_t)
|
||||
kernel_read_kernel_sysctls(kudzu_t)
|
||||
kernel_read_proc_symlinks(kudzu_t)
|
||||
kernel_read_network_state(kudzu_t)
|
||||
kernel_read_system_state(kudzu_t)
|
||||
kernel_rw_hotplug_sysctl(kudzu_t)
|
||||
kernel_rw_hotplug_sysctls(kudzu_t)
|
||||
kernel_rw_kernel_sysctl(kudzu_t)
|
||||
|
||||
bootloader_read_kernel_modules(kudzu_t)
|
||||
|
||||
@ -65,7 +65,7 @@ allow logrotate_t logrotate_var_lib_t:file create_file_perms;
|
||||
files_filetrans_var_lib(logrotate_t, logrotate_var_lib_t)
|
||||
|
||||
kernel_read_system_state(logrotate_t)
|
||||
kernel_read_kernel_sysctl(logrotate_t)
|
||||
kernel_read_kernel_sysctls(logrotate_t)
|
||||
|
||||
dev_read_urand(logrotate_t)
|
||||
|
||||
|
||||
@ -34,8 +34,8 @@ allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
|
||||
allow logwatch_t logwatch_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(logwatch_t, logwatch_tmp_t, { file dir })
|
||||
|
||||
kernel_read_fs_sysctl(logwatch_t)
|
||||
kernel_read_kernel_sysctl(logwatch_t)
|
||||
kernel_read_fs_sysctls(logwatch_t)
|
||||
kernel_read_kernel_sysctls(logwatch_t)
|
||||
kernel_read_system_state(logwatch_t)
|
||||
|
||||
corecmd_read_sbin_symlink(logwatch_t)
|
||||
|
||||
@ -135,9 +135,9 @@ template(`portage_compile_domain_template',`
|
||||
kernel_read_system_state($1_t)
|
||||
kernel_read_network_state($1_t)
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
kernel_getattr_message_if($1_t)
|
||||
kernel_read_kernel_sysctl($1_t)
|
||||
kernel_read_kernel_sysctls($1_t)
|
||||
|
||||
corecmd_exec_bin($1_t)
|
||||
corecmd_exec_sbin($1_t)
|
||||
|
||||
@ -68,7 +68,7 @@ allow portage_sandbox_t portage_t:process sigchld;
|
||||
can_exec(portage_t,portage_tmp_t)
|
||||
|
||||
# merging baselayout will need this:
|
||||
kernel_write_proc_file(portage_t)
|
||||
kernel_write_proc_files(portage_t)
|
||||
|
||||
domain_dontaudit_read_all_domains_state(portage_t)
|
||||
|
||||
@ -133,7 +133,7 @@ files_filetrans_tmp(portage_fetch_t, portage_fetch_tmp_t, { file dir })
|
||||
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
|
||||
|
||||
kernel_read_system_state(portage_fetch_t)
|
||||
kernel_read_kernel_sysctl(portage_fetch_t)
|
||||
kernel_read_kernel_sysctls(portage_fetch_t)
|
||||
|
||||
corecmd_exec_bin(portage_fetch_t)
|
||||
corecmd_exec_sbin(portage_fetch_t)
|
||||
|
||||
@ -25,7 +25,7 @@ allow quota_t quota_db_t:file { read write quotaon };
|
||||
|
||||
kernel_list_proc(quota_t)
|
||||
kernel_read_proc_symlinks(quota_t)
|
||||
kernel_read_kernel_sysctl(quota_t)
|
||||
kernel_read_kernel_sysctls(quota_t)
|
||||
|
||||
dev_read_sysfs(quota_t)
|
||||
dev_getattr_all_blk_files(quota_t)
|
||||
|
||||
@ -25,9 +25,9 @@ allow readahead_t readahead_var_run_t:file create_file_perms;
|
||||
allow readahead_t readahead_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(readahead_t,readahead_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(readahead_t)
|
||||
kernel_read_kernel_sysctls(readahead_t)
|
||||
kernel_read_system_state(readahead_t)
|
||||
kernel_dontaudit_getattr_core(readahead_t)
|
||||
kernel_dontaudit_getattr_core_if(readahead_t)
|
||||
|
||||
dev_read_sysfs(readahead_t)
|
||||
dev_getattr_generic_chr_files(readahead_t)
|
||||
|
||||
@ -88,7 +88,7 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
|
||||
files_filetrans_var_lib(rpm_t,rpm_var_lib_t,dir)
|
||||
|
||||
kernel_read_system_state(rpm_t)
|
||||
kernel_read_kernel_sysctl(rpm_t)
|
||||
kernel_read_kernel_sysctls(rpm_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(rpm_t)
|
||||
corenet_raw_sendrecv_all_if(rpm_t)
|
||||
@ -254,7 +254,7 @@ allow rpm_script_t rpm_t:fd use;
|
||||
allow rpm_script_t rpm_t:fifo_file rw_file_perms;
|
||||
allow rpm_script_t rpm_t:process sigchld;
|
||||
|
||||
kernel_read_kernel_sysctl(rpm_script_t)
|
||||
kernel_read_kernel_sysctls(rpm_script_t)
|
||||
kernel_read_system_state(rpm_script_t)
|
||||
|
||||
dev_list_sysfs(rpm_script_t)
|
||||
|
||||
@ -35,7 +35,7 @@ template(`su_restricted_domain_template', `
|
||||
allow $1_su_t $2:process sigchld;
|
||||
|
||||
kernel_read_system_state($1_su_t)
|
||||
kernel_read_kernel_sysctl($1_su_t)
|
||||
kernel_read_kernel_sysctls($1_su_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand($1_su_t)
|
||||
@ -143,7 +143,7 @@ template(`su_per_userdomain_template',`
|
||||
allow $1_su_t $2:process sigchld;
|
||||
|
||||
kernel_read_system_state($1_su_t)
|
||||
kernel_read_kernel_sysctl($1_su_t)
|
||||
kernel_read_kernel_sysctls($1_su_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand($1_su_t)
|
||||
|
||||
@ -80,7 +80,7 @@ template(`sudo_per_userdomain_template',`
|
||||
allow $1_sudo_t $2:fifo_file rw_file_perms;
|
||||
allow $1_sudo_t $2:process sigchld;
|
||||
|
||||
kernel_read_kernel_sysctl($1_sudo_t)
|
||||
kernel_read_kernel_sysctls($1_sudo_t)
|
||||
kernel_read_system_state($1_sudo_t)
|
||||
|
||||
dev_read_urand($1_sudo_t)
|
||||
|
||||
@ -21,7 +21,7 @@ allow updfstab_t self:process signal_perms;
|
||||
allow updfstab_t self:fifo_file { getattr read write ioctl };
|
||||
|
||||
kernel_use_fd(updfstab_t)
|
||||
kernel_read_kernel_sysctl(updfstab_t)
|
||||
kernel_read_kernel_sysctls(updfstab_t)
|
||||
kernel_dontaudit_write_kernel_sysctl(updfstab_t)
|
||||
# for /proc/partitions
|
||||
kernel_read_system_state(updfstab_t)
|
||||
|
||||
@ -80,7 +80,7 @@ allow chfn_t self:unix_dgram_socket sendto;
|
||||
allow chfn_t self:unix_stream_socket connectto;
|
||||
|
||||
kernel_read_system_state(chfn_t)
|
||||
kernel_read_kernel_sysctl(chfn_t)
|
||||
kernel_read_kernel_sysctls(chfn_t)
|
||||
|
||||
selinux_get_fs_mount(chfn_t)
|
||||
selinux_validate_context(chfn_t)
|
||||
@ -285,7 +285,7 @@ allow passwd_t self:msg { send receive };
|
||||
allow passwd_t crack_db_t:dir r_dir_perms;
|
||||
allow passwd_t crack_db_t:file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(passwd_t)
|
||||
kernel_read_kernel_sysctls(passwd_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand(passwd_t)
|
||||
@ -372,7 +372,7 @@ allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
|
||||
files_search_var(sysadm_passwd_t)
|
||||
|
||||
kernel_read_kernel_sysctl(sysadm_passwd_t)
|
||||
kernel_read_kernel_sysctls(sysadm_passwd_t)
|
||||
# for /proc/meminfo
|
||||
kernel_read_system_state(sysadm_passwd_t)
|
||||
|
||||
@ -461,7 +461,7 @@ selinux_compute_create_context(useradd_t)
|
||||
selinux_compute_relabel_context(useradd_t)
|
||||
selinux_compute_user_contexts(useradd_t)
|
||||
# for getting the number of groups
|
||||
kernel_read_kernel_sysctl(useradd_t)
|
||||
kernel_read_kernel_sysctls(useradd_t)
|
||||
|
||||
fs_search_auto_mountpoints(useradd_t)
|
||||
fs_getattr_xattr_fs(useradd_t)
|
||||
|
||||
@ -45,8 +45,8 @@ files_filetrans_pid(vpnc_t,vpnc_var_run_t)
|
||||
|
||||
kernel_read_system_state(vpnc_t)
|
||||
kernel_read_network_state(vpnc_t)
|
||||
kernel_read_kernel_sysctl(vpnc_t)
|
||||
kernel_rw_net_sysctl(vpnc_t)
|
||||
kernel_read_kernel_sysctls(vpnc_t)
|
||||
kernel_rw_net_sysctls(vpnc_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(vpnc_t)
|
||||
corenet_udp_sendrecv_all_if(vpnc_t)
|
||||
|
||||
@ -75,7 +75,7 @@ template(`java_per_userdomain_template',`
|
||||
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1_javaplugin_t $2:process signull;
|
||||
|
||||
kernel_read_all_sysctl($1_javaplugin_t)
|
||||
kernel_read_all_sysctls($1_javaplugin_t)
|
||||
kernel_search_vm_sysctl($1_javaplugin_t)
|
||||
kernel_read_network_state($1_javaplugin_t)
|
||||
kernel_read_system_state($1_javaplugin_t)
|
||||
|
||||
@ -94,7 +94,7 @@ template(`screen_per_userdomain_template',`
|
||||
allow $2 $1_screen_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
|
||||
|
||||
kernel_read_system_state($1_screen_t)
|
||||
kernel_read_kernel_sysctl($1_screen_t)
|
||||
kernel_read_kernel_sysctls($1_screen_t)
|
||||
|
||||
corecmd_list_bin($1_screen_t)
|
||||
corecmd_read_bin_file($1_screen_t)
|
||||
|
||||
@ -78,7 +78,7 @@ template(`userhelper_per_userdomain_template',`
|
||||
|
||||
dontaudit $2 $1_userhelper_t:process signal;
|
||||
|
||||
kernel_read_all_sysctl($1_userhelper_t)
|
||||
kernel_read_all_sysctls($1_userhelper_t)
|
||||
kernel_getattr_debugfs($1_userhelper_t)
|
||||
kernel_read_system_state($1_userhelper_t)
|
||||
|
||||
|
||||
@ -33,7 +33,7 @@ allow usernetctl_t self:unix_stream_socket connectto;
|
||||
can_exec(usernetctl_t,usernetctl_exec_t)
|
||||
|
||||
kernel_read_system_state(usernetctl_t)
|
||||
kernel_read_kernel_sysctl(usernetctl_t)
|
||||
kernel_read_kernel_sysctls(usernetctl_t)
|
||||
|
||||
corecmd_list_bin(usernetctl_t)
|
||||
corecmd_exec_bin(usernetctl_t)
|
||||
|
||||
@ -56,7 +56,7 @@ allow webalizer_t webalizer_var_lib_t:file create_file_perms;
|
||||
allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
|
||||
files_filetrans_var_lib(webalizer_t,webalizer_var_lib_t)
|
||||
|
||||
kernel_read_kernel_sysctl(webalizer_t)
|
||||
kernel_read_kernel_sysctls(webalizer_t)
|
||||
kernel_read_system_state(webalizer_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(webalizer_t)
|
||||
|
||||
@ -95,10 +95,10 @@ allow bootloader_t modules_object_t:dir r_dir_perms;
|
||||
allow bootloader_t modules_object_t:file r_file_perms;
|
||||
allow bootloader_t modules_object_t:lnk_file r_file_perms;
|
||||
|
||||
kernel_getattr_core(bootloader_t)
|
||||
kernel_getattr_core_if(bootloader_t)
|
||||
kernel_read_system_state(bootloader_t)
|
||||
kernel_read_software_raid_state(bootloader_t)
|
||||
kernel_read_kernel_sysctl(bootloader_t)
|
||||
kernel_read_kernel_sysctls(bootloader_t)
|
||||
|
||||
storage_raw_read_fixed_disk(bootloader_t)
|
||||
storage_raw_write_fixed_disk(bootloader_t)
|
||||
|
||||
@ -158,7 +158,7 @@ interface(`kernel_dontaudit_use_fd',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_pipe',`
|
||||
interface(`kernel_rw_pipes',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
@ -174,7 +174,7 @@ interface(`kernel_rw_pipe',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_unix_dgram_socket',`
|
||||
interface(`kernel_rw_unix_dgram_sockets',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
@ -190,7 +190,7 @@ interface(`kernel_rw_unix_dgram_socket',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_sendto_unix_dgram_socket',`
|
||||
interface(`kernel_sendto_unix_dgram_sockets',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
@ -571,7 +571,7 @@ interface(`kernel_read_system_state',`
|
||||
# file thats writable in proc should really
|
||||
# have its own label.
|
||||
#
|
||||
interface(`kernel_write_proc_file',`
|
||||
interface(`kernel_write_proc_files',`
|
||||
gen_require(`
|
||||
type proc_t;
|
||||
')
|
||||
@ -606,7 +606,7 @@ interface(`kernel_dontaudit_read_system_state',`
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_read_proc_symlink',`
|
||||
interface(`kernel_dontaudit_read_proc_symlinks',`
|
||||
gen_require(`
|
||||
type proc_t;
|
||||
')
|
||||
@ -656,7 +656,7 @@ interface(`kernel_rw_software_raid_state',`
|
||||
## The process type getting the attibutes.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_getattr_core',`
|
||||
interface(`kernel_getattr_core_if',`
|
||||
gen_require(`
|
||||
type proc_t, proc_kcore_t;
|
||||
')
|
||||
@ -674,7 +674,7 @@ interface(`kernel_getattr_core',`
|
||||
## The process type to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_getattr_core',`
|
||||
interface(`kernel_dontaudit_getattr_core_if',`
|
||||
gen_require(`
|
||||
type proc_kcore_t;
|
||||
')
|
||||
@ -854,7 +854,7 @@ interface(`kernel_read_sysctl',`
|
||||
## The process type to allow to read the device sysctls.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_device_sysctl',`
|
||||
interface(`kernel_read_device_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_dev_t;
|
||||
')
|
||||
@ -873,7 +873,7 @@ interface(`kernel_read_device_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_device_sysctl',`
|
||||
interface(`kernel_rw_device_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_dev_t;
|
||||
')
|
||||
@ -909,7 +909,7 @@ interface(`kernel_search_vm_sysctl',`
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`kernel_read_vm_sysctl',`
|
||||
interface(`kernel_read_vm_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_vm_t;
|
||||
')
|
||||
@ -927,7 +927,7 @@ interface(`kernel_read_vm_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_vm_sysctl',`
|
||||
interface(`kernel_rw_vm_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_vm_t;
|
||||
')
|
||||
@ -978,7 +978,7 @@ interface(`kernel_dontaudit_search_network_sysctl',`
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`kernel_read_net_sysctl',`
|
||||
interface(`kernel_read_net_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_net_t;
|
||||
')
|
||||
@ -997,7 +997,7 @@ interface(`kernel_read_net_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_net_sysctl',`
|
||||
interface(`kernel_rw_net_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_net_t;
|
||||
')
|
||||
@ -1017,7 +1017,7 @@ interface(`kernel_rw_net_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_unix_sysctl',`
|
||||
interface(`kernel_read_unix_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
|
||||
')
|
||||
@ -1037,7 +1037,7 @@ interface(`kernel_read_unix_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_unix_sysctl',`
|
||||
interface(`kernel_rw_unix_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
|
||||
')
|
||||
@ -1056,7 +1056,7 @@ interface(`kernel_rw_unix_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_hotplug_sysctl',`
|
||||
interface(`kernel_read_hotplug_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
|
||||
')
|
||||
@ -1075,7 +1075,7 @@ interface(`kernel_read_hotplug_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_hotplug_sysctl',`
|
||||
interface(`kernel_rw_hotplug_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
|
||||
')
|
||||
@ -1094,7 +1094,7 @@ interface(`kernel_rw_hotplug_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_modprobe_sysctl',`
|
||||
interface(`kernel_read_modprobe_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
|
||||
')
|
||||
@ -1113,7 +1113,7 @@ interface(`kernel_read_modprobe_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_modprobe_sysctl',`
|
||||
interface(`kernel_rw_modprobe_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
|
||||
')
|
||||
@ -1148,7 +1148,7 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_kernel_sysctl',`
|
||||
interface(`kernel_read_kernel_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_kernel_t;
|
||||
')
|
||||
@ -1202,7 +1202,7 @@ interface(`kernel_rw_kernel_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_fs_sysctl',`
|
||||
interface(`kernel_read_fs_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_fs_t;
|
||||
')
|
||||
@ -1221,7 +1221,7 @@ interface(`kernel_read_fs_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_fs_sysctl',`
|
||||
interface(`kernel_rw_fs_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_fs_t;
|
||||
')
|
||||
@ -1240,7 +1240,7 @@ interface(`kernel_rw_fs_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_irq_sysctl',`
|
||||
interface(`kernel_read_irq_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_irq_t;
|
||||
')
|
||||
@ -1259,7 +1259,7 @@ interface(`kernel_read_irq_sysctl',`
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`kernel_rw_irq_sysctl',`
|
||||
interface(`kernel_rw_irq_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_irq_t;
|
||||
')
|
||||
@ -1271,9 +1271,9 @@ interface(`kernel_rw_irq_sysctl',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_rpc_sysctl(domain)
|
||||
# kernel_read_rpc_sysctls(domain)
|
||||
#
|
||||
interface(`kernel_read_rpc_sysctl',`
|
||||
interface(`kernel_read_rpc_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, proc_net_t, sysctl_rpc_t;
|
||||
')
|
||||
@ -1286,9 +1286,9 @@ interface(`kernel_read_rpc_sysctl',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_rw_rpc_sysctl(domain)
|
||||
# kernel_rw_rpc_sysctls(domain)
|
||||
#
|
||||
interface(`kernel_rw_rpc_sysctl',`
|
||||
interface(`kernel_rw_rpc_sysctls',`
|
||||
gen_require(`
|
||||
type proc_t, proc_net_t, sysctl_rpc_t;
|
||||
')
|
||||
@ -1307,7 +1307,7 @@ interface(`kernel_rw_rpc_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_all_sysctl',`
|
||||
interface(`kernel_read_all_sysctls',`
|
||||
gen_require(`
|
||||
attribute sysctl_type;
|
||||
type proc_t, proc_net_t;
|
||||
@ -1328,7 +1328,7 @@ interface(`kernel_read_all_sysctl',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_all_sysctl',`
|
||||
interface(`kernel_rw_all_sysctls',`
|
||||
gen_require(`
|
||||
attribute sysctl_type;
|
||||
type proc_t, proc_net_t;
|
||||
@ -1461,7 +1461,7 @@ interface(`kernel_dontaudit_list_unlabeled',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_unlabeled_dir',`
|
||||
interface(`kernel_rw_unlabeled_dirs',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
@ -1478,7 +1478,7 @@ interface(`kernel_rw_unlabeled_dir',`
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_getattr_unlabeled_file',`
|
||||
interface(`kernel_dontaudit_getattr_unlabeled_files',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
@ -1495,7 +1495,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_file',`
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_read_unlabeled_file',`
|
||||
interface(`kernel_dontaudit_read_unlabeled_files',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
@ -1563,7 +1563,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
|
||||
interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
@ -1579,7 +1579,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_unlabeled_blk_dev',`
|
||||
interface(`kernel_rw_unlabeled_blk_files',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
@ -1596,7 +1596,7 @@ interface(`kernel_rw_unlabeled_blk_dev',`
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_getattr_unlabeled_chr_dev',`
|
||||
interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
@ -1615,7 +1615,6 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_dev',`
|
||||
interface(`kernel_relabel_unlabeled',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
gen_require_set({ getattr relabelfrom },dir_file_class_set)
|
||||
')
|
||||
|
||||
kernel_list_unlabeled($1)
|
||||
@ -1682,5 +1681,5 @@ interface(`kernel_unconfined',`
|
||||
typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
|
||||
typeattribute $1 kern_unconfined;
|
||||
|
||||
kernel_rw_all_sysctl($1)
|
||||
kernel_rw_all_sysctls($1)
|
||||
')
|
||||
|
||||
@ -212,7 +212,7 @@ allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
|
||||
allow httpd_t squirrelmail_spool_t:file create_file_perms;
|
||||
allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(httpd_t)
|
||||
kernel_read_kernel_sysctls(httpd_t)
|
||||
kernel_tcp_recvfrom(httpd_t)
|
||||
# for modules that want to access /proc/meminfo
|
||||
kernel_read_system_state(httpd_t)
|
||||
@ -541,7 +541,7 @@ allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
|
||||
allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctl(httpd_suexec_t)
|
||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
|
||||
@ -663,7 +663,7 @@ allow httpd_sys_script_t squirrelmail_spool_t:dir r_dir_perms;
|
||||
allow httpd_sys_script_t squirrelmail_spool_t:file r_file_perms;
|
||||
allow httpd_sys_script_t squirrelmail_spool_t:lnk_file { getattr read };
|
||||
|
||||
kernel_read_kernel_sysctl(httpd_sys_script_t)
|
||||
kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
|
||||
files_search_var_lib(httpd_sys_script_t)
|
||||
files_search_spool(httpd_sys_script_t)
|
||||
|
||||
@ -83,8 +83,8 @@ allow apmd_t apmd_var_run_t:file create_file_perms;
|
||||
allow apmd_t apmd_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(apmd_t, apmd_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctl(apmd_t)
|
||||
kernel_rw_all_sysctl(apmd_t)
|
||||
kernel_read_kernel_sysctls(apmd_t)
|
||||
kernel_rw_all_sysctls(apmd_t)
|
||||
kernel_read_system_state(apmd_t)
|
||||
|
||||
dev_read_realtime_clock(apmd_t)
|
||||
|
||||
@ -45,7 +45,7 @@ allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
|
||||
allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(arpwatch_t,arpwatch_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(arpwatch_t)
|
||||
kernel_read_kernel_sysctls(arpwatch_t)
|
||||
kernel_list_proc(arpwatch_t)
|
||||
kernel_read_proc_symlinks(arpwatch_t)
|
||||
|
||||
|
||||
@ -57,8 +57,8 @@ allow automount_t automount_var_run_t:file create_file_perms;
|
||||
allow automount_t automount_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(automount_t,automount_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(automount_t)
|
||||
kernel_read_fs_sysctl(automount_t)
|
||||
kernel_read_kernel_sysctls(automount_t)
|
||||
kernel_read_fs_sysctls(automount_t)
|
||||
kernel_read_proc_symlinks(automount_t)
|
||||
kernel_read_system_state(automount_t)
|
||||
kernel_list_proc(automount_t)
|
||||
|
||||
@ -33,7 +33,7 @@ allow avahi_t avahi_var_run_t:file create_file_perms;
|
||||
allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr };
|
||||
files_filetrans_pid(avahi_t,avahi_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(avahi_t)
|
||||
kernel_read_kernel_sysctls(avahi_t)
|
||||
kernel_list_proc(avahi_t)
|
||||
kernel_read_proc_symlinks(avahi_t)
|
||||
kernel_read_network_state(avahi_t)
|
||||
|
||||
@ -94,7 +94,7 @@ allow named_t named_zone_t:lnk_file r_file_perms;
|
||||
|
||||
allow named_t ndc_t:tcp_socket { acceptfrom recvfrom };
|
||||
|
||||
kernel_read_kernel_sysctl(named_t)
|
||||
kernel_read_kernel_sysctls(named_t)
|
||||
kernel_read_system_state(named_t)
|
||||
kernel_read_network_state(named_t)
|
||||
kernel_tcp_recvfrom(named_t)
|
||||
@ -236,7 +236,7 @@ allow ndc_t named_var_run_t:sock_file rw_file_perms;
|
||||
|
||||
allow ndc_t named_zone_t:dir search;
|
||||
|
||||
kernel_read_kernel_sysctl(ndc_t)
|
||||
kernel_read_kernel_sysctls(ndc_t)
|
||||
kernel_tcp_recvfrom(ndc_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(ndc_t)
|
||||
@ -274,7 +274,7 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
kernel_dontaudit_read_unlabeled_file(ndc_t)
|
||||
kernel_dontaudit_read_unlabeled_files(ndc_t)
|
||||
|
||||
term_use_unallocated_tty(ndc_t)
|
||||
term_use_generic_pty(ndc_t)
|
||||
|
||||
@ -84,7 +84,7 @@ allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
|
||||
allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctl(bluetooth_t)
|
||||
kernel_read_kernel_sysctls(bluetooth_t)
|
||||
kernel_read_system_state(bluetooth_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(bluetooth_t)
|
||||
@ -177,7 +177,7 @@ allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(bluetooth_helper_t)
|
||||
kernel_read_kernel_sysctl(bluetooth_helper_t)
|
||||
kernel_read_kernel_sysctls(bluetooth_helper_t)
|
||||
|
||||
dev_read_urand(bluetooth_helper_t)
|
||||
|
||||
|
||||
@ -45,7 +45,7 @@ allow canna_t canna_var_run_t:file create_file_perms;
|
||||
allow canna_t canna_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(canna_t, canna_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctl(canna_t)
|
||||
kernel_read_kernel_sysctls(canna_t)
|
||||
kernel_read_system_state(canna_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(canna_t)
|
||||
|
||||
@ -39,7 +39,7 @@ allow comsat_t comsat_var_run_t:file create_file_perms;
|
||||
allow comsat_t comsat_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(comsat_t,comsat_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(comsat_t)
|
||||
kernel_read_kernel_sysctls(comsat_t)
|
||||
kernel_read_network_state(comsat_t)
|
||||
kernel_read_system_state(comsat_t)
|
||||
|
||||
|
||||
@ -32,7 +32,7 @@ allow cpucontrol_t cpucontrol_conf_t:lnk_file { getattr read };
|
||||
|
||||
kernel_list_proc(cpucontrol_t)
|
||||
kernel_read_proc_symlinks(cpucontrol_t)
|
||||
kernel_read_kernel_sysctl(cpucontrol_t)
|
||||
kernel_read_kernel_sysctls(cpucontrol_t)
|
||||
|
||||
dev_read_sysfs(cpucontrol_t)
|
||||
dev_rw_cpu_microcode(cpucontrol_t)
|
||||
@ -83,7 +83,7 @@ allow cpuspeed_t self:process { signal_perms setsched };
|
||||
allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
kernel_read_system_state(cpuspeed_t)
|
||||
kernel_read_kernel_sysctl(cpuspeed_t)
|
||||
kernel_read_kernel_sysctls(cpuspeed_t)
|
||||
|
||||
dev_rw_sysfs(cpuspeed_t)
|
||||
|
||||
|
||||
@ -80,7 +80,7 @@ template(`cron_per_userdomain_template',`
|
||||
allow $1_crond_t crond_t:process sigchld;
|
||||
|
||||
kernel_read_system_state($1_crond_t)
|
||||
kernel_read_kernel_sysctl($1_crond_t)
|
||||
kernel_read_kernel_sysctls($1_crond_t)
|
||||
|
||||
# ps does not need to access /boot when run from cron
|
||||
bootloader_dontaudit_search_boot($1_crond_t)
|
||||
|
||||
@ -87,7 +87,7 @@ allow crond_t cron_spool_t:file r_file_perms;
|
||||
allow crond_t system_cron_spool_t:dir r_dir_perms;
|
||||
allow crond_t system_cron_spool_t:file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(crond_t)
|
||||
kernel_read_kernel_sysctls(crond_t)
|
||||
dev_read_sysfs(crond_t)
|
||||
selinux_get_fs_mount(crond_t)
|
||||
selinux_validate_context(crond_t)
|
||||
@ -275,7 +275,7 @@ ifdef(`targeted_policy',`
|
||||
allow system_crond_t cron_spool_t:dir r_dir_perms;
|
||||
allow system_crond_t cron_spool_t:file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(system_crond_t)
|
||||
kernel_read_kernel_sysctls(system_crond_t)
|
||||
kernel_read_system_state(system_crond_t)
|
||||
kernel_read_software_raid_state(system_crond_t)
|
||||
|
||||
|
||||
@ -119,7 +119,7 @@ allow cupsd_t ptal_var_run_t:sock_file { write setattr };
|
||||
allow cupsd_t ptal_t:unix_stream_socket connectto;
|
||||
|
||||
kernel_read_system_state(cupsd_t)
|
||||
kernel_read_all_sysctl(cupsd_t)
|
||||
kernel_read_all_sysctls(cupsd_t)
|
||||
kernel_tcp_recvfrom(cupsd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(cupsd_t)
|
||||
@ -305,7 +305,7 @@ allow ptal_t ptal_var_run_t:file create_file_perms;
|
||||
allow ptal_t ptal_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(ptal_t,ptal_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(ptal_t)
|
||||
kernel_read_kernel_sysctls(ptal_t)
|
||||
kernel_list_proc(ptal_t)
|
||||
kernel_read_proc_symlinks(ptal_t)
|
||||
|
||||
@ -393,7 +393,7 @@ allow hplip_t hplip_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(hplip_t,hplip_var_run_t)
|
||||
|
||||
kernel_read_system_state(hplip_t)
|
||||
kernel_read_kernel_sysctl(hplip_t)
|
||||
kernel_read_kernel_sysctls(hplip_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(hplip_t)
|
||||
corenet_udp_sendrecv_all_if(hplip_t)
|
||||
@ -516,7 +516,7 @@ files_filetrans_var(cupsd_config_t,cupsd_rw_etc_t)
|
||||
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
|
||||
|
||||
kernel_read_system_state(cupsd_config_t)
|
||||
kernel_read_kernel_sysctl(cupsd_config_t)
|
||||
kernel_read_kernel_sysctls(cupsd_config_t)
|
||||
kernel_tcp_recvfrom(cupsd_config_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(cupsd_config_t)
|
||||
@ -688,7 +688,7 @@ allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
|
||||
allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
|
||||
allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
|
||||
|
||||
kernel_read_kernel_sysctl(cupsd_lpd_t)
|
||||
kernel_read_kernel_sysctls(cupsd_lpd_t)
|
||||
kernel_read_system_state(cupsd_lpd_t)
|
||||
kernel_read_network_state(cupsd_lpd_t)
|
||||
|
||||
|
||||
@ -44,7 +44,7 @@ allow cvs_t cvs_var_run_t:file create_file_perms;
|
||||
allow cvs_t cvs_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(cvs_t,cvs_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(cvs_t)
|
||||
kernel_read_kernel_sysctls(cvs_t)
|
||||
kernel_read_system_state(cvs_t)
|
||||
kernel_read_network_state(cvs_t)
|
||||
|
||||
|
||||
@ -55,9 +55,9 @@ allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
|
||||
allow cyrus_t cyrus_var_run_t:file create_file_perms;
|
||||
files_filetrans_pid(cyrus_t,cyrus_var_run_t,{ file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctl(cyrus_t)
|
||||
kernel_read_kernel_sysctls(cyrus_t)
|
||||
kernel_read_system_state(cyrus_t)
|
||||
kernel_read_all_sysctl(cyrus_t)
|
||||
kernel_read_all_sysctls(cyrus_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(cyrus_t)
|
||||
corenet_udp_sendrecv_all_if(cyrus_t)
|
||||
|
||||
@ -45,7 +45,7 @@ allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
|
||||
allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(dbskkd_t,dbskkd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(dbskkd_t)
|
||||
kernel_read_kernel_sysctls(dbskkd_t)
|
||||
kernel_read_system_state(dbskkd_t)
|
||||
kernel_read_network_state(dbskkd_t)
|
||||
|
||||
|
||||
@ -100,7 +100,7 @@ template(`dbus_per_userdomain_template',`
|
||||
allow $2 $1_dbusd_t:process { sigkill signal };
|
||||
|
||||
kernel_read_system_state($1_dbusd_t)
|
||||
kernel_read_kernel_sysctl($1_dbusd_t)
|
||||
kernel_read_kernel_sysctls($1_dbusd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1_dbusd_t)
|
||||
corenet_raw_sendrecv_all_if($1_dbusd_t)
|
||||
|
||||
@ -55,7 +55,7 @@ allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(system_dbusd_t,system_dbusd_var_run_t)
|
||||
|
||||
kernel_read_system_state(system_dbusd_t)
|
||||
kernel_read_kernel_sysctl(system_dbusd_t)
|
||||
kernel_read_kernel_sysctls(system_dbusd_t)
|
||||
|
||||
dev_read_urand(system_dbusd_t)
|
||||
dev_read_sysfs(system_dbusd_t)
|
||||
|
||||
@ -52,7 +52,7 @@ allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(dhcpd_t,dhcpd_var_run_t)
|
||||
|
||||
kernel_read_system_state(dhcpd_t)
|
||||
kernel_read_kernel_sysctl(dhcpd_t)
|
||||
kernel_read_kernel_sysctls(dhcpd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(dhcpd_t)
|
||||
corenet_udp_sendrecv_all_if(dhcpd_t)
|
||||
|
||||
@ -35,7 +35,7 @@ allow dictd_t dictd_var_lib_t:dir r_dir_perms;
|
||||
allow dictd_t dictd_var_lib_t:file r_file_perms;
|
||||
|
||||
kernel_read_system_state(dictd_t)
|
||||
kernel_read_kernel_sysctl(dictd_t)
|
||||
kernel_read_kernel_sysctls(dictd_t)
|
||||
kernel_tcp_recvfrom(dictd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(dictd_t)
|
||||
|
||||
@ -43,7 +43,7 @@ allow distccd_t distccd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(distccd_t,distccd_var_run_t)
|
||||
|
||||
kernel_read_system_state(distccd_t)
|
||||
kernel_read_kernel_sysctl(distccd_t)
|
||||
kernel_read_kernel_sysctls(distccd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(distccd_t)
|
||||
corenet_udp_sendrecv_all_if(distccd_t)
|
||||
|
||||
@ -67,7 +67,7 @@ allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
|
||||
allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(dovecot_t,dovecot_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(dovecot_t)
|
||||
kernel_read_kernel_sysctls(dovecot_t)
|
||||
kernel_read_system_state(dovecot_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(dovecot_t)
|
||||
@ -157,7 +157,7 @@ allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
|
||||
|
||||
allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
|
||||
|
||||
kernel_read_all_sysctl(dovecot_auth_t)
|
||||
kernel_read_all_sysctls(dovecot_auth_t)
|
||||
kernel_read_system_state(dovecot_auth_t)
|
||||
|
||||
dev_read_urand(dovecot_auth_t)
|
||||
|
||||
@ -40,7 +40,7 @@ allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
|
||||
allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(fetchmail_t,fetchmail_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(fetchmail_t)
|
||||
kernel_read_kernel_sysctls(fetchmail_t)
|
||||
kernel_list_proc(fetchmail_t)
|
||||
kernel_getattr_proc_files(fetchmail_t)
|
||||
kernel_read_proc_symlinks(fetchmail_t)
|
||||
|
||||
@ -43,7 +43,7 @@ allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
|
||||
allow fingerd_t fingerd_log_t:file create_file_perms;
|
||||
logging_filetrans_log(fingerd_t,fingerd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctl(fingerd_t)
|
||||
kernel_read_kernel_sysctls(fingerd_t)
|
||||
kernel_read_system_state(fingerd_t)
|
||||
kernel_tcp_recvfrom(fingerd_t)
|
||||
|
||||
|
||||
@ -65,7 +65,7 @@ files_filetrans_pid(ftpd_t,ftpd_var_run_t)
|
||||
allow ftpd_t xferlog_t:file create_file_perms;
|
||||
logging_filetrans_log(ftpd_t,xferlog_t)
|
||||
|
||||
kernel_read_kernel_sysctl(ftpd_t)
|
||||
kernel_read_kernel_sysctls(ftpd_t)
|
||||
kernel_read_system_state(ftpd_t)
|
||||
|
||||
dev_read_sysfs(ftpd_t)
|
||||
|
||||
@ -48,7 +48,7 @@ dev_filetrans_dev(gpm_t,gpmctl_t,{ sock_file fifo_file })
|
||||
# cjp: this has no effect
|
||||
allow gpm_t gpmctl_t:unix_stream_socket name_bind;
|
||||
|
||||
kernel_read_kernel_sysctl(gpm_t)
|
||||
kernel_read_kernel_sysctls(gpm_t)
|
||||
kernel_list_proc(gpm_t)
|
||||
kernel_read_proc_symlinks(gpm_t)
|
||||
|
||||
|
||||
@ -46,9 +46,9 @@ files_filetrans_pid(hald_t,hald_var_run_t)
|
||||
|
||||
kernel_read_system_state(hald_t)
|
||||
kernel_read_network_state(hald_t)
|
||||
kernel_read_kernel_sysctl(hald_t)
|
||||
kernel_read_fs_sysctl(hald_t)
|
||||
kernel_write_proc_file(hald_t)
|
||||
kernel_read_kernel_sysctls(hald_t)
|
||||
kernel_read_fs_sysctls(hald_t)
|
||||
kernel_write_proc_files(hald_t)
|
||||
|
||||
bootloader_getattr_boot_dir(hald_t)
|
||||
|
||||
|
||||
@ -30,7 +30,7 @@ allow howl_t howl_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(howl_t,howl_var_run_t)
|
||||
|
||||
kernel_read_network_state(howl_t)
|
||||
kernel_read_kernel_sysctl(howl_t)
|
||||
kernel_read_kernel_sysctls(howl_t)
|
||||
kernel_load_module(howl_t)
|
||||
kernel_list_proc(howl_t)
|
||||
kernel_read_proc_symlinks(howl_t)
|
||||
|
||||
@ -34,7 +34,7 @@ files_filetrans_pid(i18n_input_t,i18n_input_var_run_t)
|
||||
|
||||
can_exec(i18n_input_t, i18n_input_exec_t)
|
||||
|
||||
kernel_read_kernel_sysctl(i18n_input_t)
|
||||
kernel_read_kernel_sysctls(i18n_input_t)
|
||||
kernel_read_system_state(i18n_input_t)
|
||||
kernel_tcp_recvfrom(i18n_input_t)
|
||||
|
||||
|
||||
@ -52,7 +52,7 @@ files_filetrans_tmp(inetd_t, inetd_tmp_t, { file dir })
|
||||
allow inetd_t inetd_var_run_t:file create_file_perms;
|
||||
files_filetrans_pid(inetd_t,inetd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(inetd_t)
|
||||
kernel_read_kernel_sysctls(inetd_t)
|
||||
kernel_list_proc(inetd_t)
|
||||
kernel_read_proc_symlinks(inetd_t)
|
||||
kernel_tcp_recvfrom(inetd_t)
|
||||
@ -181,7 +181,7 @@ allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
|
||||
allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(inetd_child_t,inetd_child_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(inetd_child_t)
|
||||
kernel_read_kernel_sysctls(inetd_child_t)
|
||||
kernel_read_system_state(inetd_child_t)
|
||||
kernel_read_network_state(inetd_child_t)
|
||||
|
||||
|
||||
@ -60,7 +60,7 @@ allow innd_t news_spool_t:dir create_dir_perms;
|
||||
allow innd_t news_spool_t:file create_file_perms;
|
||||
allow innd_t news_spool_t:lnk_file create_lnk_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(innd_t)
|
||||
kernel_read_kernel_sysctls(innd_t)
|
||||
kernel_read_system_state(innd_t)
|
||||
|
||||
corenet_raw_sendrecv_all_if(innd_t)
|
||||
|
||||
@ -26,8 +26,8 @@ allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(irqbalance_t,irqbalance_var_run_t)
|
||||
|
||||
kernel_read_system_state(irqbalance_t)
|
||||
kernel_read_kernel_sysctl(irqbalance_t)
|
||||
kernel_rw_irq_sysctl(irqbalance_t)
|
||||
kernel_read_kernel_sysctls(irqbalance_t)
|
||||
kernel_rw_irq_sysctls(irqbalance_t)
|
||||
|
||||
dev_read_sysfs(irqbalance_t)
|
||||
|
||||
|
||||
@ -83,7 +83,7 @@ allow kadmind_t kadmind_var_run_t:file create_file_perms;
|
||||
allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(kadmind_t,kadmind_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(kadmind_t)
|
||||
kernel_read_kernel_sysctls(kadmind_t)
|
||||
kernel_list_proc(kadmind_t)
|
||||
kernel_read_proc_symlinks(kadmind_t)
|
||||
|
||||
@ -186,7 +186,7 @@ allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(krb5kdc_t,krb5kdc_var_run_t)
|
||||
|
||||
kernel_read_system_state(krb5kdc_t)
|
||||
kernel_read_kernel_sysctl(krb5kdc_t)
|
||||
kernel_read_kernel_sysctls(krb5kdc_t)
|
||||
kernel_list_proc(krb5kdc_t)
|
||||
kernel_read_proc_symlinks(krb5kdc_t)
|
||||
|
||||
|
||||
@ -46,7 +46,7 @@ allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
|
||||
allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(ktalkd_t,ktalkd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(ktalkd_t)
|
||||
kernel_read_kernel_sysctls(ktalkd_t)
|
||||
kernel_read_system_state(ktalkd_t)
|
||||
kernel_read_network_state(ktalkd_t)
|
||||
|
||||
|
||||
@ -75,7 +75,7 @@ allow slapd_t slapd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(slapd_t,slapd_var_run_t)
|
||||
|
||||
kernel_read_system_state(slapd_t)
|
||||
kernel_read_kernel_sysctl(slapd_t)
|
||||
kernel_read_kernel_sysctls(slapd_t)
|
||||
kernel_tcp_recvfrom(slapd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(slapd_t)
|
||||
|
||||
@ -154,7 +154,7 @@ dev_filetrans_dev(lpd_t,printer_t,lnk_file)
|
||||
allow lpd_t printer_t:unix_stream_socket name_bind;
|
||||
allow lpd_t printer_t:unix_dgram_socket name_bind;
|
||||
|
||||
kernel_read_kernel_sysctl(lpd_t)
|
||||
kernel_read_kernel_sysctls(lpd_t)
|
||||
kernel_tcp_recvfrom(lpd_t)
|
||||
# bash wants access to /proc/meminfo
|
||||
kernel_read_system_state(lpd_t)
|
||||
|
||||
@ -45,7 +45,7 @@ template(`mailman_domain_template', `
|
||||
allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(mailman_$1_t, mailman_$1_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctl(mailman_$1_t)
|
||||
kernel_read_kernel_sysctls(mailman_$1_t)
|
||||
kernel_read_system_state(mailman_$1_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(mailman_$1_t)
|
||||
|
||||
@ -66,7 +66,7 @@ template(`mta_base_mail_template',`
|
||||
can_exec($1_mail_t, sendmail_exec_t)
|
||||
allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl($1_mail_t)
|
||||
kernel_read_kernel_sysctls($1_mail_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1_mail_t)
|
||||
corenet_raw_sendrecv_all_if($1_mail_t)
|
||||
|
||||
@ -61,7 +61,7 @@ allow mysqld_t mysqld_var_run_t:file create_file_perms;
|
||||
files_filetrans_pid(mysqld_t,mysqld_var_run_t)
|
||||
|
||||
kernel_list_proc(mysqld_t)
|
||||
kernel_read_kernel_sysctl(mysqld_t)
|
||||
kernel_read_kernel_sysctls(mysqld_t)
|
||||
kernel_read_proc_symlinks(mysqld_t)
|
||||
kernel_read_system_state(mysqld_t)
|
||||
|
||||
|
||||
@ -35,7 +35,7 @@ files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t)
|
||||
|
||||
kernel_read_system_state(NetworkManager_t)
|
||||
kernel_read_network_state(NetworkManager_t)
|
||||
kernel_read_kernel_sysctl(NetworkManager_t)
|
||||
kernel_read_kernel_sysctls(NetworkManager_t)
|
||||
kernel_load_module(NetworkManager_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(NetworkManager_t)
|
||||
|
||||
@ -63,7 +63,7 @@ files_filetrans_pid(ypbind_t,ypbind_var_run_t)
|
||||
allow ypbind_t var_yp_t:dir rw_dir_perms;
|
||||
allow ypbind_t var_yp_t:file create_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(ypbind_t)
|
||||
kernel_read_kernel_sysctls(ypbind_t)
|
||||
kernel_list_proc(ypbind_t)
|
||||
kernel_read_proc_symlinks(ypbind_t)
|
||||
kernel_tcp_recvfrom(ypbind_t)
|
||||
@ -160,7 +160,7 @@ allow yppasswdd_t var_yp_t:lnk_file create_lnk_perms;
|
||||
kernel_list_proc(yppasswdd_t)
|
||||
kernel_read_proc_symlinks(yppasswdd_t)
|
||||
kernel_getattr_proc_files(yppasswdd_t)
|
||||
kernel_read_kernel_sysctl(yppasswdd_t)
|
||||
kernel_read_kernel_sysctls(yppasswdd_t)
|
||||
|
||||
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
|
||||
corenet_udp_sendrecv_generic_if(yppasswdd_t)
|
||||
@ -262,7 +262,7 @@ allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
|
||||
allow ypserv_t ypserv_var_run_t:file manage_file_perms;
|
||||
files_filetrans_pid(ypserv_t,ypserv_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(ypserv_t)
|
||||
kernel_read_kernel_sysctls(ypserv_t)
|
||||
kernel_list_proc(ypserv_t)
|
||||
kernel_read_proc_symlinks(ypserv_t)
|
||||
|
||||
|
||||
@ -52,7 +52,7 @@ allow nscd_t nscd_var_run_t:sock_file create_file_perms;
|
||||
allow nscd_t nscd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(nscd_t,nscd_var_run_t,{ file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctl(nscd_t)
|
||||
kernel_read_kernel_sysctls(nscd_t)
|
||||
kernel_list_proc(nscd_t)
|
||||
kernel_read_proc_symlinks(nscd_t)
|
||||
|
||||
|
||||
@ -60,7 +60,7 @@ allow ntpd_t ntpd_var_run_t:file create_file_perms;
|
||||
allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(ntpd_t,ntpd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(ntpd_t)
|
||||
kernel_read_kernel_sysctls(ntpd_t)
|
||||
kernel_read_system_state(ntpd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(ntpd_t)
|
||||
|
||||
@ -25,7 +25,7 @@ allow openct_t openct_var_run_t:file create_file_perms;
|
||||
allow openct_t openct_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(openct_t,openct_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(openct_t)
|
||||
kernel_read_kernel_sysctls(openct_t)
|
||||
kernel_list_proc(openct_t)
|
||||
kernel_read_proc_symlinks(openct_t)
|
||||
|
||||
|
||||
@ -61,8 +61,8 @@ allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
|
||||
allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(pegasus_t,pegasus_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(pegasus_t)
|
||||
kernel_read_fs_sysctl(pegasus_t)
|
||||
kernel_read_kernel_sysctls(pegasus_t)
|
||||
kernel_read_fs_sysctls(pegasus_t)
|
||||
kernel_read_system_state(pegasus_t)
|
||||
kernel_search_vm_sysctl(pegasus_t)
|
||||
|
||||
|
||||
@ -42,7 +42,7 @@ allow portmap_t portmap_var_run_t:file create_file_perms;
|
||||
allow portmap_t portmap_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(portmap_t,portmap_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(portmap_t)
|
||||
kernel_read_kernel_sysctls(portmap_t)
|
||||
kernel_list_proc(portmap_t)
|
||||
kernel_read_proc_symlinks(portmap_t)
|
||||
kernel_tcp_recvfrom(portmap_t)
|
||||
|
||||
@ -47,7 +47,7 @@ template(`postfix_domain_template',`
|
||||
|
||||
kernel_read_system_state(postfix_$1_t)
|
||||
kernel_read_network_state(postfix_$1_t)
|
||||
kernel_read_all_sysctl(postfix_$1_t)
|
||||
kernel_read_all_sysctls(postfix_$1_t)
|
||||
|
||||
dev_read_sysfs(postfix_$1_t)
|
||||
dev_read_rand(postfix_$1_t)
|
||||
|
||||
@ -132,7 +132,7 @@ allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
|
||||
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
||||
allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
|
||||
|
||||
kernel_read_all_sysctl(postfix_master_t)
|
||||
kernel_read_all_sysctls(postfix_master_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(postfix_master_t)
|
||||
corenet_udp_sendrecv_all_if(postfix_master_t)
|
||||
@ -301,7 +301,7 @@ allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
|
||||
allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(postfix_map_t, postfix_map_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctl(postfix_map_t)
|
||||
kernel_read_kernel_sysctls(postfix_map_t)
|
||||
kernel_dontaudit_list_proc(postfix_map_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(postfix_map_t)
|
||||
|
||||
@ -77,10 +77,10 @@ allow postgresql_t postgresql_var_run_t:file create_file_perms;
|
||||
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(postgresql_t,postgresql_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(postgresql_t)
|
||||
kernel_read_kernel_sysctls(postgresql_t)
|
||||
kernel_read_system_state(postgresql_t)
|
||||
kernel_list_proc(postgresql_t)
|
||||
kernel_read_all_sysctl(postgresql_t)
|
||||
kernel_read_all_sysctls(postgresql_t)
|
||||
kernel_read_proc_symlinks(postgresql_t)
|
||||
kernel_tcp_recvfrom(postgresql_t)
|
||||
|
||||
|
||||
@ -107,9 +107,9 @@ allow pppd_t pppd_secret_t:file r_file_perms;
|
||||
# Automatically label newly created files under /etc/ppp with this type
|
||||
type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
|
||||
|
||||
kernel_read_kernel_sysctl(pppd_t)
|
||||
kernel_read_kernel_sysctls(pppd_t)
|
||||
kernel_read_system_state(pppd_t)
|
||||
kernel_read_net_sysctl(pppd_t)
|
||||
kernel_read_net_sysctls(pppd_t)
|
||||
kernel_read_network_state(pppd_t)
|
||||
kernel_load_module(pppd_t)
|
||||
|
||||
@ -256,7 +256,7 @@ allow pptp_t pptp_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(pptp_t,pptp_var_run_t)
|
||||
|
||||
kernel_list_proc(pptp_t)
|
||||
kernel_read_kernel_sysctl(pptp_t)
|
||||
kernel_read_kernel_sysctls(pptp_t)
|
||||
kernel_read_proc_symlinks(pptp_t)
|
||||
|
||||
dev_read_sysfs(pptp_t)
|
||||
@ -322,6 +322,7 @@ optional_policy(`postfix',`
|
||||
postfix_read_config(pppd_t)
|
||||
')
|
||||
|
||||
# FIXME:
|
||||
domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
|
||||
allow pppd_t initrc_t:fd use;
|
||||
allow initrc_t pppd_t:fd use;
|
||||
|
||||
@ -38,7 +38,7 @@ allow privoxy_t privoxy_var_run_t:file create_file_perms;
|
||||
allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(privoxy_t,privoxy_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(privoxy_t)
|
||||
kernel_read_kernel_sysctls(privoxy_t)
|
||||
kernel_list_proc(privoxy_t)
|
||||
kernel_read_proc_symlinks(privoxy_t)
|
||||
|
||||
|
||||
@ -26,7 +26,7 @@ allow procmail_t self:tcp_socket create_stream_socket_perms;
|
||||
allow procmail_t self:udp_socket create_socket_perms;
|
||||
|
||||
kernel_read_system_state(procmail_t)
|
||||
kernel_read_kernel_sysctl(procmail_t)
|
||||
kernel_read_kernel_sysctls(procmail_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(procmail_t)
|
||||
corenet_raw_sendrecv_all_if(procmail_t)
|
||||
|
||||
@ -47,7 +47,7 @@ allow radiusd_t radiusd_var_run_t:file create_file_perms;
|
||||
allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(radiusd_t,radiusd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(radiusd_t)
|
||||
kernel_read_kernel_sysctls(radiusd_t)
|
||||
kernel_read_system_state(radiusd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(radiusd_t)
|
||||
|
||||
@ -34,8 +34,8 @@ allow radvd_t radvd_var_run_t:file create_file_perms;
|
||||
allow radvd_t radvd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(radvd_t,radvd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(radvd_t)
|
||||
kernel_read_net_sysctl(radvd_t)
|
||||
kernel_read_kernel_sysctls(radvd_t)
|
||||
kernel_read_net_sysctls(radvd_t)
|
||||
kernel_read_network_state(radvd_t)
|
||||
kernel_read_system_state(radvd_t)
|
||||
|
||||
|
||||
@ -24,7 +24,7 @@ allow rdisc_t self:rawip_socket create_socket_perms;
|
||||
|
||||
kernel_list_proc(rdisc_t)
|
||||
kernel_read_proc_symlinks(rdisc_t)
|
||||
kernel_read_kernel_sysctl(rdisc_t)
|
||||
kernel_read_kernel_sysctls(rdisc_t)
|
||||
|
||||
corenet_udp_sendrecv_generic_if(rdisc_t)
|
||||
corenet_raw_sendrecv_generic_if(rdisc_t)
|
||||
|
||||
@ -43,7 +43,7 @@ allow remote_login_t remote_login_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(remote_login_t, remote_login_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(remote_login_t)
|
||||
kernel_read_kernel_sysctl(remote_login_t)
|
||||
kernel_read_kernel_sysctls(remote_login_t)
|
||||
|
||||
dev_getattr_mouse_dev(remote_login_t)
|
||||
dev_setattr_mouse_dev(remote_login_t)
|
||||
|
||||
@ -47,7 +47,7 @@ allow rlogind_t rlogind_var_run_t:file create_file_perms;
|
||||
allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(rlogind_t,rlogind_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(rlogind_t)
|
||||
kernel_read_kernel_sysctls(rlogind_t)
|
||||
kernel_read_system_state(rlogind_t)
|
||||
kernel_read_network_state(rlogind_t)
|
||||
|
||||
|
||||
@ -36,7 +36,7 @@ allow roundup_t roundup_var_lib_t:file create_file_perms;
|
||||
allow roundup_t roundup_var_lib_t:dir rw_dir_perms;
|
||||
files_filetrans_var_lib(roundup_t,roundup_var_lib_t)
|
||||
|
||||
kernel_read_kernel_sysctl(roundup_t)
|
||||
kernel_read_kernel_sysctls(roundup_t)
|
||||
kernel_list_proc(roundup_t)
|
||||
kernel_read_proc_symlinks(roundup_t)
|
||||
|
||||
|
||||
@ -44,9 +44,9 @@ template(`rpc_domain_template', `
|
||||
|
||||
kernel_list_proc($1_t)
|
||||
kernel_read_proc_symlinks($1_t)
|
||||
kernel_read_kernel_sysctl($1_t)
|
||||
kernel_read_kernel_sysctls($1_t)
|
||||
# bind to arbitary unused ports
|
||||
kernel_rw_rpc_sysctl($1_t)
|
||||
kernel_rw_rpc_sysctls($1_t)
|
||||
|
||||
dev_read_sysfs($1_t)
|
||||
|
||||
|
||||
@ -21,7 +21,7 @@ allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
|
||||
allow rshd_t self:fifo_file rw_file_perms;
|
||||
allow rshd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(rshd_t)
|
||||
kernel_read_kernel_sysctls(rshd_t)
|
||||
|
||||
corenet_tcp_sendrecv_generic_if(rshd_t)
|
||||
corenet_udp_sendrecv_generic_if(rshd_t)
|
||||
|
||||
@ -50,7 +50,7 @@ allow rsync_t rsync_var_run_t:file create_file_perms;
|
||||
allow rsync_t rsync_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(rsync_t,rsync_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(rsync_t)
|
||||
kernel_read_kernel_sysctls(rsync_t)
|
||||
kernel_read_system_state(rsync_t)
|
||||
kernel_read_network_state(rsync_t)
|
||||
|
||||
|
||||
@ -223,10 +223,10 @@ files_filetrans_pid(smbd_t,smbd_var_run_t)
|
||||
|
||||
allow smbd_t winbind_var_run_t:sock_file { read write getattr };
|
||||
|
||||
kernel_getattr_core(smbd_t)
|
||||
kernel_getattr_core_if(smbd_t)
|
||||
kernel_getattr_message_if(smbd_t)
|
||||
kernel_read_network_state(smbd_t)
|
||||
kernel_read_kernel_sysctl(smbd_t)
|
||||
kernel_read_kernel_sysctls(smbd_t)
|
||||
kernel_read_software_raid_state(smbd_t)
|
||||
kernel_read_system_state(smbd_t)
|
||||
|
||||
@ -369,9 +369,9 @@ allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr re
|
||||
|
||||
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
|
||||
|
||||
kernel_getattr_core(nmbd_t)
|
||||
kernel_getattr_core_if(nmbd_t)
|
||||
kernel_getattr_message_if(nmbd_t)
|
||||
kernel_read_kernel_sysctl(nmbd_t)
|
||||
kernel_read_kernel_sysctls(nmbd_t)
|
||||
kernel_read_network_state(nmbd_t)
|
||||
kernel_read_software_raid_state(nmbd_t)
|
||||
kernel_read_system_state(nmbd_t)
|
||||
@ -567,7 +567,7 @@ files_filetrans_pid(swat_t,swat_var_run_t)
|
||||
|
||||
allow swat_t winbind_exec_t:file execute;
|
||||
|
||||
kernel_read_kernel_sysctl(swat_t)
|
||||
kernel_read_kernel_sysctls(swat_t)
|
||||
kernel_read_system_state(swat_t)
|
||||
kernel_read_network_state(swat_t)
|
||||
|
||||
@ -663,7 +663,7 @@ allow winbind_t winbind_var_run_t:sock_file create_file_perms;
|
||||
allow winbind_t winbind_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(winbind_t,winbind_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(winbind_t)
|
||||
kernel_read_kernel_sysctls(winbind_t)
|
||||
kernel_list_proc(winbind_t)
|
||||
kernel_read_proc_symlinks(winbind_t)
|
||||
|
||||
|
||||
@ -31,7 +31,7 @@ allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
|
||||
allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(saslauthd_t,saslauthd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(saslauthd_t)
|
||||
kernel_read_kernel_sysctls(saslauthd_t)
|
||||
kernel_read_system_state(saslauthd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(saslauthd_t)
|
||||
|
||||
@ -37,7 +37,7 @@ allow sendmail_t sendmail_log_t:file create_file_perms;
|
||||
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
|
||||
logging_filetrans_log(sendmail_t,sendmail_log_t,{ file dir })
|
||||
|
||||
kernel_read_kernel_sysctl(sendmail_t)
|
||||
kernel_read_kernel_sysctls(sendmail_t)
|
||||
# for piping mail to a command
|
||||
kernel_read_system_state(sendmail_t)
|
||||
|
||||
|
||||
@ -41,7 +41,7 @@ allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(slrnpull_t,slrnpull_var_run_t)
|
||||
|
||||
kernel_list_proc(slrnpull_t)
|
||||
kernel_read_kernel_sysctl(slrnpull_t)
|
||||
kernel_read_kernel_sysctls(slrnpull_t)
|
||||
kernel_read_proc_symlinks(slrnpull_t)
|
||||
|
||||
dev_read_sysfs(slrnpull_t)
|
||||
|
||||
@ -37,7 +37,7 @@ allow fsdaemon_t fsdaemon_var_run_t:file create_file_perms;
|
||||
allow fsdaemon_t fsdaemon_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(fsdaemon_t,fsdaemon_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(fsdaemon_t)
|
||||
kernel_read_kernel_sysctls(fsdaemon_t)
|
||||
kernel_read_software_raid_state(fsdaemon_t)
|
||||
kernel_read_system_state(fsdaemon_t)
|
||||
|
||||
|
||||
@ -49,8 +49,8 @@ allow snmpd_t snmpd_var_run_t:file create_file_perms;
|
||||
allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(snmpd_t,snmpd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(snmpd_t)
|
||||
kernel_read_net_sysctl(snmpd_t)
|
||||
kernel_read_kernel_sysctls(snmpd_t)
|
||||
kernel_read_net_sysctls(snmpd_t)
|
||||
kernel_read_proc_symlinks(snmpd_t)
|
||||
kernel_read_system_state(snmpd_t)
|
||||
kernel_read_network_state(snmpd_t)
|
||||
|
||||
@ -89,7 +89,7 @@ template(`spamassassin_per_userdomain_template',`
|
||||
allow $1_spamc_t $2:fifo_file rw_file_perms;
|
||||
allow $1_spamc_t $2:process sigchld;
|
||||
|
||||
kernel_read_kernel_sysctl($1_spamc_t)
|
||||
kernel_read_kernel_sysctls($1_spamc_t)
|
||||
kernel_tcp_recvfrom($1_spamc_t)
|
||||
|
||||
corenet_tcp_sendrecv_generic_if($1_spamc_t)
|
||||
@ -217,7 +217,7 @@ template(`spamassassin_per_userdomain_template',`
|
||||
allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms;
|
||||
userdom_create_user_home($1,spamd_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t)
|
||||
|
||||
kernel_read_kernel_sysctl($1_spamassassin_t)
|
||||
kernel_read_kernel_sysctls($1_spamassassin_t)
|
||||
|
||||
dev_read_urand($1_spamassassin_t)
|
||||
|
||||
|
||||
@ -57,7 +57,7 @@ allow spamd_t spamd_var_run_t:file create_file_perms;
|
||||
allow spamd_t spamd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(spamd_t,spamd_var_run_t)
|
||||
|
||||
kernel_read_all_sysctl(spamd_t)
|
||||
kernel_read_all_sysctls(spamd_t)
|
||||
kernel_read_system_state(spamd_t)
|
||||
kernel_tcp_recvfrom(spamd_t)
|
||||
|
||||
|
||||
@ -64,7 +64,7 @@ allow squid_t squid_var_run_t:file create_file_perms;
|
||||
allow squid_t squid_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(squid_t,squid_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(squid_t)
|
||||
kernel_read_kernel_sysctls(squid_t)
|
||||
kernel_read_system_state(squid_t)
|
||||
kernel_tcp_recvfrom(squid_t)
|
||||
|
||||
|
||||
@ -118,7 +118,7 @@ template(`ssh_per_userdomain_template',`
|
||||
allow ssh_server $1_home_ssh_t:lnk_file r_file_perms;
|
||||
allow ssh_server $1_home_ssh_t:file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl($1_ssh_t)
|
||||
kernel_read_kernel_sysctls($1_ssh_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1_ssh_t)
|
||||
corenet_raw_sendrecv_all_if($1_ssh_t)
|
||||
@ -291,7 +291,7 @@ template(`ssh_per_userdomain_template',`
|
||||
allow $1_ssh_agent_t $2:fifo_file rw_file_perms;
|
||||
allow $1_ssh_agent_t $2:process sigchld;
|
||||
|
||||
kernel_read_kernel_sysctl($1_ssh_agent_t)
|
||||
kernel_read_kernel_sysctls($1_ssh_agent_t)
|
||||
|
||||
dev_read_urand($1_ssh_agent_t)
|
||||
dev_read_rand($1_ssh_agent_t)
|
||||
@ -434,7 +434,7 @@ template(`ssh_server_template', `
|
||||
# Access key files
|
||||
allow $1_t sshd_key_t:file { getattr read };
|
||||
|
||||
kernel_read_kernel_sysctl($1_t)
|
||||
kernel_read_kernel_sysctls($1_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1_t)
|
||||
corenet_udp_sendrecv_all_if($1_t)
|
||||
|
||||
@ -219,7 +219,7 @@ ifdef(`targeted_policy',`',`
|
||||
allow ssh_keygen_t sshd_key_t:file create_file_perms;
|
||||
files_filetrans_etc(ssh_keygen_t,sshd_key_t,file)
|
||||
|
||||
kernel_read_kernel_sysctl(ssh_keygen_t)
|
||||
kernel_read_kernel_sysctls(ssh_keygen_t)
|
||||
|
||||
fs_search_auto_mountpoints(ssh_keygen_t)
|
||||
|
||||
|
||||
@ -51,7 +51,7 @@ allow stunnel_t stunnel_var_run_t:file create_file_perms;
|
||||
allow stunnel_t stunnel_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(stunnel_t,stunnel_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(stunnel_t)
|
||||
kernel_read_kernel_sysctls(stunnel_t)
|
||||
kernel_read_system_state(stunnel_t)
|
||||
kernel_read_network_state(stunnel_t)
|
||||
|
||||
|
||||
@ -32,9 +32,9 @@ logging_filetrans_log(sysstat_t,sysstat_log_t,{ file dir })
|
||||
# get info from /proc
|
||||
kernel_read_system_state(sysstat_t)
|
||||
kernel_read_network_state(sysstat_t)
|
||||
kernel_read_kernel_sysctl(sysstat_t)
|
||||
kernel_read_fs_sysctl(sysstat_t)
|
||||
kernel_read_rpc_sysctl(sysstat_t)
|
||||
kernel_read_kernel_sysctls(sysstat_t)
|
||||
kernel_read_fs_sysctls(sysstat_t)
|
||||
kernel_read_rpc_sysctls(sysstat_t)
|
||||
|
||||
corecmd_dontaudit_search_sbin(sysstat_t)
|
||||
corecmd_exec_bin(sysstat_t)
|
||||
|
||||
@ -45,7 +45,7 @@ allow telnetd_t telnetd_var_run_t:file create_file_perms;
|
||||
allow telnetd_t telnetd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(telnetd_t,telnetd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(telnetd_t)
|
||||
kernel_read_kernel_sysctls(telnetd_t)
|
||||
kernel_read_system_state(telnetd_t)
|
||||
kernel_read_network_state(telnetd_t)
|
||||
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user