more fixing
parent
f13da83f99
commit
4614e83fbb
@ -135,6 +135,10 @@ gen_tunable(ssh_sysadm_login,false)
|
|||||||
## dir and read files (such as ~/.bashrc)
|
## dir and read files (such as ~/.bashrc)
|
||||||
gen_tunable(staff_read_sysadm_file,false)
|
gen_tunable(staff_read_sysadm_file,false)
|
||||||
|
|
||||||
|
## Configure stunnel to be a standalone daemon or
|
||||||
|
## inetd service.
|
||||||
|
gen_tunable(stunnel_is_daemon,false)
|
||||||
|
|
||||||
## Support NFS home directories
|
## Support NFS home directories
|
||||||
gen_tunable(use_nfs_home_dirs,false)
|
gen_tunable(use_nfs_home_dirs,false)
|
||||||
|
|
||||||
|
@ -45,7 +45,7 @@ type amanda_script_exec_t;
|
|||||||
files_type(amanda_script_exec_t)
|
files_type(amanda_script_exec_t)
|
||||||
|
|
||||||
# temp:
|
# temp:
|
||||||
typeattribute amanda_user_exec_t entry_type;
|
typeattribute amanda_script_exec_t entry_type;
|
||||||
|
|
||||||
# type for the shell configuration files
|
# type for the shell configuration files
|
||||||
type amanda_shellconfig_t;
|
type amanda_shellconfig_t;
|
||||||
|
@ -304,6 +304,9 @@ selinux_compute_create_context(passwd_t)
|
|||||||
selinux_compute_relabel_context(passwd_t)
|
selinux_compute_relabel_context(passwd_t)
|
||||||
selinux_compute_user_contexts(passwd_t)
|
selinux_compute_user_contexts(passwd_t)
|
||||||
|
|
||||||
|
term_use_all_user_ttys(passwd_t)
|
||||||
|
term_use_all_user_ptys(passwd_t)
|
||||||
|
|
||||||
auth_manage_shadow(passwd_t)
|
auth_manage_shadow(passwd_t)
|
||||||
|
|
||||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||||
|
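Review bot: The two added calls, `term_use_all_user_ttys(passwd_t)` and `term_use_all_user_ptys(passwd_t)`, give passwd_t use of every user's terminal devices rather than only the terminal it was started from, and nothing in the hunk says why the broad form is needed. A one-line comment above them would let a later reviewer judge whether the grant can be narrowed. If the reason is that passwd_t is shared by all roles (an assumption, not visible here), something like `# passwd_t is shared across roles, so it needs all user tty/pty types` would do. The rest of the passwd_t rules lie outside this hunk.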
@ -166,6 +166,7 @@ allow kernel_t self:unix_stream_socket create_stream_socket_perms;
|
|||||||
allow kernel_t self:unix_dgram_socket sendto;
|
allow kernel_t self:unix_dgram_socket sendto;
|
||||||
allow kernel_t self:unix_stream_socket connectto;
|
allow kernel_t self:unix_stream_socket connectto;
|
||||||
allow kernel_t self:fifo_file rw_file_perms;
|
allow kernel_t self:fifo_file rw_file_perms;
|
||||||
|
allow kernel_t self:sock_file r_file_perms;
|
||||||
allow kernel_t self:fd use;
|
allow kernel_t self:fd use;
|
||||||
|
|
||||||
# old general_proc_read_access():
|
# old general_proc_read_access():
|
||||||
|
@ -178,6 +178,13 @@ template(`apache_content_template',`
|
|||||||
libs_read_lib(httpd_$1_script_t)
|
libs_read_lib(httpd_$1_script_t)
|
||||||
|
|
||||||
miscfiles_read_localization(httpd_$1_script_t)
|
miscfiles_read_localization(httpd_$1_script_t)
|
||||||
|
|
||||||
|
# added back to make sediff nicer
|
||||||
|
dev_rw_null_dev(httpd_$1_script_t)
|
||||||
|
term_use_controlling_term(httpd_$1_script_t)
|
||||||
|
allow httpd_$1_script_t self:dir r_dir_perms;
|
||||||
|
allow httpd_$1_script_t self:file r_file_perms;
|
||||||
|
allow httpd_$1_script_t self:lnk_file read;
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||||
|
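Review bot: The five rules added to `apache_content_template` under `# added back to make sediff nicer` widen every `httpd_$1_script_t` domain (rw on the null device, the controlling terminal, and self dir/file/lnk_file reads) for the benefit of a policy-diff tool, not because a script domain was shown to need them. The comment should record that these are parity rules awaiting review, for example `# TODO: kept only for sediff parity with the old policy; remove if no script domain needs them`. The same applies to the `# make sediff easier` and `# make sediff happy` additions in the `httpd_enable_cgi` hunks, two of which add `entrypoint`, and to the `# make sediff happy (no effect)` rules in the insmod_t hunk. The template body starts before this hunk.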
@ -289,6 +289,10 @@ ifdef(`targeted_policy',`
|
|||||||
term_dontaudit_use_unallocated_tty(httpd_t)
|
term_dontaudit_use_unallocated_tty(httpd_t)
|
||||||
term_dontaudit_use_generic_pty(httpd_t)
|
term_dontaudit_use_generic_pty(httpd_t)
|
||||||
files_dontaudit_read_root_file(httpd_t)
|
files_dontaudit_read_root_file(httpd_t)
|
||||||
|
|
||||||
|
tunable_policy(`httpd_enable_homedirs',`
|
||||||
|
userdom_search_generic_user_home_dir(httpd_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`allow_httpd_anon_write',`
|
tunable_policy(`allow_httpd_anon_write',`
|
||||||
@ -335,6 +339,9 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
|||||||
allow httpd_t httpdcontent:dir create_dir_perms;
|
allow httpd_t httpdcontent:dir create_dir_perms;
|
||||||
allow httpd_t httpdcontent:file create_file_perms;
|
allow httpd_t httpdcontent:file create_file_perms;
|
||||||
allow httpd_t httpdcontent:lnk_file create_lnk_perms;
|
allow httpd_t httpdcontent:lnk_file create_lnk_perms;
|
||||||
|
|
||||||
|
# make sediff easier
|
||||||
|
allow httpd_sys_script_t httpdcontent:file { rx_file_perms entrypoint };
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@ -407,17 +414,6 @@ optional_policy(`rhgb.te',`
|
|||||||
|
|
||||||
can_tcp_connect(web_client_domain, httpd_t)
|
can_tcp_connect(web_client_domain, httpd_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
|
||||||
if (httpd_enable_homedirs) {
|
|
||||||
allow httpd_t user_home_dir_t:dir { getattr search };
|
|
||||||
}
|
|
||||||
if (httpd_enable_homedirs) {
|
|
||||||
allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
|
|
||||||
}
|
|
||||||
if (httpd_enable_homedirs) {
|
|
||||||
allow httpd_suexec_t user_home_dir_t:dir { getattr search };
|
|
||||||
}
|
|
||||||
')
|
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -495,12 +491,17 @@ allow httpd_suexec_t self:capability { setuid setgid };
|
|||||||
allow httpd_suexec_t self:process signal_perms;
|
allow httpd_suexec_t self:process signal_perms;
|
||||||
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
# cjp: need transitionbool
|
ifdef(`targeted_policy',`
|
||||||
|
gen_tunable(httpd_suexec_disable_trans,false)
|
||||||
|
|
||||||
|
tunable_policy(`httpd_suexec_disable_trans',`',`
|
||||||
domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
||||||
allow httpd_t httpd_suexec_t:fd use;
|
allow httpd_t httpd_suexec_t:fd use;
|
||||||
allow httpd_suexec_t httpd_t:fd use;
|
allow httpd_suexec_t httpd_t:fd use;
|
||||||
allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
|
allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
|
||||||
allow httpd_suexec_t httpd_t:process sigchld;
|
allow httpd_suexec_t httpd_t:process sigchld;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
|
allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
|
||||||
allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
|
allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
|
||||||
@ -534,6 +535,12 @@ logging_send_syslog_msg(httpd_suexec_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(httpd_suexec_t)
|
miscfiles_read_localization(httpd_suexec_t)
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
tunable_policy(`httpd_enable_homedirs',`
|
||||||
|
userdom_search_generic_user_home_dir(httpd_suexec_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect',`
|
tunable_policy(`httpd_can_network_connect',`
|
||||||
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow httpd_suexec_t self:udp_socket create_socket_perms;
|
allow httpd_suexec_t self:udp_socket create_socket_perms;
|
||||||
@ -555,6 +562,13 @@ tunable_policy(`httpd_can_network_connect',`
|
|||||||
|
|
||||||
tunable_policy(`httpd_enable_cgi',`
|
tunable_policy(`httpd_enable_cgi',`
|
||||||
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
||||||
|
allow httpd_suexec_t httpd_unconfined_script_t:fd use;
|
||||||
|
allow httpd_unconfined_script_t httpd_suexec_t:fd use;
|
||||||
|
allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
|
||||||
|
allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
|
||||||
|
|
||||||
|
# make sediff happy
|
||||||
|
allow httpd_unconfined_script_t httpd_unconfined_script_exec_t:file { ioctl read getattr lock execute entrypoint };
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||||
@ -619,6 +633,12 @@ ifdef(`distro_redhat',`
|
|||||||
allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
tunable_policy(`httpd_enable_homedirs',`
|
||||||
|
userdom_search_generic_user_home_dir(httpd_sys_script_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`mysql.te',`
|
optional_policy(`mysql.te',`
|
||||||
mysql_stream_connect(httpd_sys_script_t)
|
mysql_stream_connect(httpd_sys_script_t)
|
||||||
mysql_rw_db_socket(httpd_sys_script_t)
|
mysql_rw_db_socket(httpd_sys_script_t)
|
||||||
|
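Review bot: In the hunk at `@ -495,12 +491,17 @@`, the `domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)` line and the four fd/fifo_file/sigchld `allow` rules were unconditional before and now sit inside `ifdef(`targeted_policy',` … `')`. As rendered here the `ifdef` has no else branch, so a build without `targeted_policy` would lose the httpd_t to httpd_suexec_t transition and suexec would no longer run in its own domain. Either close the `ifdef` directly after `gen_tunable(httpd_suexec_disable_trans,false)` and make only the boolean wrapper conditional, or give the `ifdef` a second branch that carries the same five rules unconditionally. The removed `# cjp: need transitionbool` comment could become `# transition is switchable only in the targeted policy` so the intent stays visible.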
@ -598,8 +598,8 @@ ifdef(`targeted_policy', `
|
|||||||
files_dontaudit_read_root_file(cupsd_config_t)
|
files_dontaudit_read_root_file(cupsd_config_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`hal.te',`
|
||||||
nis_use_ypbind(cupsd_config_t)
|
hal_domtrans(cupsd_config_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hostname.te',`
|
optional_policy(`hostname.te',`
|
||||||
@ -610,6 +610,10 @@ optional_policy(`logrotate.te',`
|
|||||||
logrotate_use_fd(cupsd_config_t)
|
logrotate_use_fd(cupsd_config_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`nis.te',`
|
||||||
|
nis_use_ypbind(cupsd_config_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nscd.te',`
|
optional_policy(`nscd.te',`
|
||||||
nscd_use_socket(cupsd_config_t)
|
nscd_use_socket(cupsd_config_t)
|
||||||
')
|
')
|
||||||
|
@ -1 +1,22 @@
|
|||||||
## <summary>Hardware abstraction layer</summary>
|
## <summary>Hardware abstraction layer</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute hal in the hal domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`hal_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type hald_t, hald_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domain_auto_trans($1,hald_exec_t,hald_t)
|
||||||
|
|
||||||
|
allow $1 hald_t:fd use;
|
||||||
|
allow hald_t $1:fd use;
|
||||||
|
allow hald_t $1:fifo_file rw_file_perms;
|
||||||
|
allow hald_t $1:process sigchld;
|
||||||
|
')
|
||||||
|
@ -39,6 +39,7 @@ allow hald_t hald_tmp_t:file create_file_perms;
|
|||||||
files_create_tmp_files(hald_t, hald_tmp_t, { file dir })
|
files_create_tmp_files(hald_t, hald_tmp_t, { file dir })
|
||||||
|
|
||||||
allow hald_t hald_var_run_t:file create_file_perms;
|
allow hald_t hald_var_run_t:file create_file_perms;
|
||||||
|
allow hald_t hald_var_run_t:dir rw_dir_perms;
|
||||||
files_create_pid(hald_t,hald_var_run_t)
|
files_create_pid(hald_t,hald_var_run_t)
|
||||||
|
|
||||||
kernel_read_system_state(hald_t)
|
kernel_read_system_state(hald_t)
|
||||||
|
@ -32,15 +32,18 @@ interface(`inetd_core_service_domain',`
|
|||||||
|
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
allow inetd_t $1:process sigkill;
|
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
# this regex is a hack, since it assumes there is a
|
# this regex is a hack, since it assumes there is a
|
||||||
# _t at the end of the domain type. If there is no _t
|
# _t at the end of the domain type. If there is no _t
|
||||||
# at the end of the type, it returns empty!
|
# at the end of the type, it returns empty!
|
||||||
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
||||||
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
||||||
can_exec(inetd_t,$2)
|
# can_exec(inetd_t,$2)
|
||||||
|
# cjp: this must be wrong
|
||||||
|
gen_require(`
|
||||||
|
type initrc_t, unconfined_t;
|
||||||
|
')
|
||||||
|
can_exec({ unconfined_t initrc_t },$2)
|
||||||
} else {
|
} else {
|
||||||
domain_auto_trans(inetd_t,$2,$1)
|
domain_auto_trans(inetd_t,$2,$1)
|
||||||
allow inetd_t $1:fd use;
|
allow inetd_t $1:fd use;
|
||||||
@ -49,6 +52,8 @@ interface(`inetd_core_service_domain',`
|
|||||||
allow $1 inetd_t:process sigchld;
|
allow $1 inetd_t:process sigchld;
|
||||||
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
|
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
|
||||||
|
|
||||||
|
allow inetd_t $1:process sigkill;
|
||||||
|
|
||||||
# make sediff happy
|
# make sediff happy
|
||||||
allow $1 $2:file { rx_file_perms entrypoint };
|
allow $1 $2:file { rx_file_perms entrypoint };
|
||||||
}
|
}
|
||||||
@ -60,6 +65,8 @@ interface(`inetd_core_service_domain',`
|
|||||||
allow $1 inetd_t:process sigchld;
|
allow $1 inetd_t:process sigchld;
|
||||||
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
|
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
|
||||||
|
|
||||||
|
allow inetd_t $1:process sigkill;
|
||||||
|
|
||||||
# make sediff happy
|
# make sediff happy
|
||||||
allow $1 $2:file { rx_file_perms entrypoint };
|
allow $1 $2:file { rx_file_perms entrypoint };
|
||||||
')
|
')
|
||||||
|
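Review bot: In the `*_disable_trans` branch of `inetd_core_service_domain`, `can_exec(inetd_t,$2)` is commented out and exec on `$2` is granted to `{ unconfined_t initrc_t }` instead, under a comment that says only `# cjp: this must be wrong`. If inetd_t is still a distinct domain in the targeted policy (not visible here), setting the boolean leaves inetd with neither a transition nor exec permission on the service binary. The comment should name what is in doubt, e.g. `# TODO(cjp): confirm which domain executes $2 when the transition is disabled; inetd_t no longer can`. Delete the commented-out `can_exec` line rather than keep it as dead text. The interface body begins before this hunk.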
@ -38,7 +38,10 @@ type postfix_map_tmp_t;
|
|||||||
files_tmp_file(postfix_map_tmp_t)
|
files_tmp_file(postfix_map_tmp_t)
|
||||||
|
|
||||||
postfix_domain_template(master)
|
postfix_domain_template(master)
|
||||||
mta_mailserver(postfix_master_t,postfix_master_exec_t)
|
typealias postfix_master_t alias postfix_t;
|
||||||
|
# alias is a hack to make the disable trans bool
|
||||||
|
# generation macro work
|
||||||
|
mta_mailserver(postfix_t,postfix_master_exec_t)
|
||||||
|
|
||||||
postfix_public_domain_template(pickup)
|
postfix_public_domain_template(pickup)
|
||||||
|
|
||||||
|
@ -70,6 +70,10 @@ allow pppd_t self:udp_socket { connect connected_socket_perms };
|
|||||||
allow pppd_t self:packet_socket create_socket_perms;
|
allow pppd_t self:packet_socket create_socket_perms;
|
||||||
|
|
||||||
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
|
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
|
||||||
|
allow pppd_t pptp_t:fd use;
|
||||||
|
allow pptp_t pppd_t:fd use;
|
||||||
|
allow pptp_t pppd_t:fifo_file rw_file_perms;
|
||||||
|
allow pptp_t pppd_t:process sigchld;
|
||||||
|
|
||||||
allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
|
allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
|
||||||
|
|
||||||
@ -179,10 +183,10 @@ ifdef(`targeted_policy', `
|
|||||||
|
|
||||||
optional_policy(`postfix.te',`
|
optional_policy(`postfix.te',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
bool postfix_master_disable_transgre;
|
bool postfix_disable_trans;
|
||||||
')
|
')
|
||||||
|
|
||||||
if(!postfix_master_disable_trans) {
|
if(!postfix_disable_trans) {
|
||||||
postfix_domtrans_master(pppd_t)
|
postfix_domtrans_master(pppd_t)
|
||||||
}
|
}
|
||||||
')
|
')
|
||||||
|
@ -30,6 +30,7 @@ allow privoxy_t privoxy_log_t:dir rw_dir_perms;
|
|||||||
logging_create_log(privoxy_t,privoxy_log_t)
|
logging_create_log(privoxy_t,privoxy_log_t)
|
||||||
|
|
||||||
allow privoxy_t privoxy_var_run_t:file create_file_perms;
|
allow privoxy_t privoxy_var_run_t:file create_file_perms;
|
||||||
|
allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
|
||||||
files_create_pid(privoxy_t,privoxy_var_run_t)
|
files_create_pid(privoxy_t,privoxy_var_run_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(privoxy_t)
|
kernel_read_kernel_sysctl(privoxy_t)
|
||||||
|
@ -37,6 +37,7 @@ allow stunnel_t self:capability { setgid setuid sys_chroot };
|
|||||||
allow stunnel_t self:process signal_perms;
|
allow stunnel_t self:process signal_perms;
|
||||||
allow stunnel_t self:fifo_file rw_file_perms;
|
allow stunnel_t self:fifo_file rw_file_perms;
|
||||||
allow stunnel_t self:tcp_socket create_stream_socket_perms;
|
allow stunnel_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow stunnel_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
allow stunnel_t stunnel_etc_t:dir { getattr read search };
|
allow stunnel_t stunnel_etc_t:dir { getattr read search };
|
||||||
allow stunnel_t stunnel_etc_t:file { read getattr };
|
allow stunnel_t stunnel_etc_t:file { read getattr };
|
||||||
@ -138,3 +139,14 @@ ifdef(`distro_gentoo', `
|
|||||||
nscd_use_socket(stunnel_t)
|
nscd_use_socket(stunnel_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`stunnel_is_daemon',`
|
||||||
|
allow stunnel_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
# hack since this port has no interfaces since it doesnt
|
||||||
|
# have net_contexts
|
||||||
|
gen_require(`
|
||||||
|
type stunnel_port_t;
|
||||||
|
')
|
||||||
|
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
|
||||||
|
')
|
||||||
|
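Review bot: Inside the new `tunable_policy(`stunnel_is_daemon',` block, `allow stunnel_t self:tcp_socket create_stream_socket_perms;` repeats a rule that the first hunk shows as unconditional context, so the boolean effectively gates only `allow stunnel_t stunnel_port_t:tcp_socket name_bind;`. Drop the duplicate line so the block shows exactly what daemon mode adds. The first hunk also adds `allow stunnel_t self:udp_socket create_socket_perms;` unconditionally with no stated reason. A short comment such as `# needed for name lookups` (if that is the reason) would make the grant reviewable. The hack comment would read better as `# hack: this port has no interfaces because it has no net_contexts entry`.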
@ -187,7 +187,8 @@ rhgb_domain(auditd_t)
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow klogd_t klogd_tmp_t:file create_file_perms;
|
allow klogd_t klogd_tmp_t:file create_file_perms;
|
||||||
files_create_tmp_files(klogd_t,klogd_tmp_t)
|
allow klogd_t klogd_tmp_t:dir create_dir_perms;
|
||||||
|
files_create_tmp_files(klogd_t,klogd_tmp_t,{ file dir })
|
||||||
|
|
||||||
allow klogd_t klogd_var_run_t:file create_file_perms;
|
allow klogd_t klogd_var_run_t:file create_file_perms;
|
||||||
|
|
||||||
@ -209,6 +210,8 @@ dev_read_sysfs(klogd_t)
|
|||||||
fs_getattr_all_fs(klogd_t)
|
fs_getattr_all_fs(klogd_t)
|
||||||
fs_search_auto_mountpoints(klogd_t)
|
fs_search_auto_mountpoints(klogd_t)
|
||||||
|
|
||||||
|
term_dontaudit_use_console(klogd_t)
|
||||||
|
|
||||||
domain_use_wide_inherit_fd(klogd_t)
|
domain_use_wide_inherit_fd(klogd_t)
|
||||||
|
|
||||||
files_create_pid(klogd_t,klogd_var_run_t)
|
files_create_pid(klogd_t,klogd_var_run_t)
|
||||||
|
@ -50,6 +50,10 @@ allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
|
|||||||
|
|
||||||
can_exec(insmod_t, insmod_exec_t)
|
can_exec(insmod_t, insmod_exec_t)
|
||||||
|
|
||||||
|
# make sediff happy (no effect)
|
||||||
|
dontaudit insmod_t self:process { noatsecure rlimitinh siginh };
|
||||||
|
type_transition insmod_t insmod_exec_t:process insmod_t;
|
||||||
|
|
||||||
kernel_load_module(insmod_t)
|
kernel_load_module(insmod_t)
|
||||||
kernel_read_system_state(insmod_t)
|
kernel_read_system_state(insmod_t)
|
||||||
kernel_mount_debugfs(insmod_t)
|
kernel_mount_debugfs(insmod_t)
|
||||||
|
@ -273,6 +273,8 @@ dontaudit ifconfig_t self:capability sys_module;
|
|||||||
|
|
||||||
allow ifconfig_t self:fd use;
|
allow ifconfig_t self:fd use;
|
||||||
allow ifconfig_t self:fifo_file rw_file_perms;
|
allow ifconfig_t self:fifo_file rw_file_perms;
|
||||||
|
allow ifconfig_t self:sock_file r_file_perms;
|
||||||
|
allow ifconfig_t self:socket create_socket_perms;
|
||||||
allow ifconfig_t self:unix_dgram_socket create_socket_perms;
|
allow ifconfig_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
|
allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow ifconfig_t self:unix_dgram_socket sendto;
|
allow ifconfig_t self:unix_dgram_socket sendto;
|
||||||
|
@ -2126,6 +2126,22 @@ interface(`userdom_create_generic_user_home_dir',`
|
|||||||
files_create_home_dirs($1,user_home_dir_t)
|
files_create_home_dirs($1,user_home_dir_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search generic user home directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_search_generic_user_home_dir',`
|
||||||
|
gen_require(`
|
||||||
|
type user_home_dir_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete
|
## Create, read, write, and delete
|
||||||
|