ps/ptrace dontaudit cleanup
This commit is contained in:
Chris PeBenito
parent
eb8a2639b4
commit
497da0953c
@ -64,12 +64,6 @@ template(`cdrecord_per_userdomain_template', `
|
||||
allow $2 $1_cdrecord_t:dir { search getattr read };
|
||||
allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_cdrecord_t:process getattr;
|
||||
#We need to suppress this denial because procps
|
||||
#tries to access /proc/pid/environ and this now
|
||||
#triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps
|
||||
#to not do this, or only if running in a privileged domain.
|
||||
dontaudit $2 $1_cdrecord_t:process ptrace;
|
||||
allow $2 $1_cdrecord_t:process signal;
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
|
||||
@ -170,11 +170,6 @@ template(`evolution_per_userdomain_template',`
|
||||
allow $2 $1_evolution_t:dir { search getattr read };
|
||||
allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_evolution_t:process getattr;
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $2 $1_evolution_t:process ptrace;
|
||||
|
||||
#FIXME check to see if really needed
|
||||
kernel_read_kernel_sysctls($1_evolution_t)
|
||||
|
||||
@ -96,11 +96,6 @@ template(`irc_per_userdomain_template',`
|
||||
allow $2 $1_irc_t:dir { search getattr read };
|
||||
allow $2 $1_irc_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_irc_t:process getattr;
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $2 $1_irc_t:process ptrace;
|
||||
|
||||
kernel_read_proc_symlinks($1_irc_t)
|
||||
|
||||
|
||||
@ -106,11 +106,6 @@ template(`mozilla_per_userdomain_template',`
|
||||
allow $2 $1_mozilla_t:dir { search getattr read };
|
||||
allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_mozilla_t:process getattr;
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $2 $1_mozilla_t:process ptrace;
|
||||
|
||||
allow $2 $1_mozilla_t:process signal_perms;
|
||||
|
||||
|
||||
@ -81,11 +81,6 @@ template(`mplayer_per_userdomain_template',`
|
||||
allow $2 $1_mencoder_t:dir { search getattr read };
|
||||
allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_mencoder_t:process getattr;
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $2 $1_mencoder_t:process ptrace;
|
||||
allow $2 $1_mencoder_t:process signal_perms;
|
||||
|
||||
# Read /proc files and directories
|
||||
@ -295,11 +290,6 @@ template(`mplayer_per_userdomain_template',`
|
||||
allow $2 $1_mplayer_t:dir { search getattr read };
|
||||
allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_mplayer_t:process getattr;
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $2 $1_mplayer_t:process ptrace;
|
||||
allow $2 $1_mplayer_t:process signal_perms;
|
||||
|
||||
kernel_dontaudit_list_unlabeled($1_mplayer_t)
|
||||
|
||||
@ -87,11 +87,6 @@ template(`thunderbird_per_userdomain_template',`
|
||||
allow $2 $1_thunderbird_t:dir { search getattr read };
|
||||
allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_thunderbird_t:process getattr;
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $2 $1_thunderbird_t:process ptrace;
|
||||
|
||||
# Access ~/.thunderbird
|
||||
allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
|
||||
|
||||
@ -99,11 +99,6 @@ template(`tvtime_per_userdomain_template',`
|
||||
allow $2 $1_tvtime_t:dir { search getattr read };
|
||||
allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_tvtime_t:process getattr;
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $2 $1_tvtime_t:process ptrace;
|
||||
allow $2 $1_tvtime_t:process signal_perms;
|
||||
|
||||
kernel_read_all_sysctls($1_tvtime_t)
|
||||
|
||||
@ -120,11 +120,6 @@ template(`uml_per_userdomain_template',`
|
||||
allow $2 $1_uml_t:dir { search getattr read };
|
||||
allow $2 $1_uml_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_uml_t:process getattr;
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $2 $1_uml_t:process ptrace;
|
||||
|
||||
allow $2 $1_uml_tmp_t:dir create_dir_perms;
|
||||
allow $2 $1_uml_tmp_t:file create_file_perms;
|
||||
|
||||
@ -186,7 +186,6 @@ template(`cron_per_userdomain_template',`
|
||||
allow $2 $1_crontab_t:dir { search getattr read };
|
||||
allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_crontab_t:process getattr;
|
||||
dontaudit $2 $1_crontab_t:process ptrace;
|
||||
|
||||
# for ^Z
|
||||
allow $2 $1_crontab_t:process signal;
|
||||
|
||||
@ -174,16 +174,6 @@ template(`xserver_common_domain_template',`
|
||||
optional_policy(`
|
||||
xfs_stream_connect($1_xserver_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`distro_redhat',`
|
||||
ifdef(`rpm.te', `
|
||||
allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
|
||||
allow $1_xserver_t rpm_tmpfs_t:file { read write };
|
||||
rpm_use_fds($1_xserver_t)
|
||||
')
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -317,8 +307,6 @@ template(`xserver_per_userdomain_template',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
allow $1_t xdm_tmp_t:sock_file unlink;
|
||||
allow $1_xserver_t xdm_var_run_t:dir search;
|
||||
@ -352,11 +340,6 @@ template(`xserver_per_userdomain_template',`
|
||||
allow $2 $1_xauth_t:dir { search getattr read };
|
||||
allow $2 $1_xauth_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_xauth_t:process getattr;
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $2 $1_xauth_t:process ptrace;
|
||||
|
||||
allow $2 $1_xauth_home_t:file manage_file_perms;
|
||||
allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
|
||||
@ -419,11 +402,6 @@ template(`xserver_per_userdomain_template',`
|
||||
allow $2 $1_iceauth_t:dir { search getattr read };
|
||||
allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_iceauth_t:process getattr;
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $2 $1_iceauth_t:process ptrace;
|
||||
|
||||
allow $2 $1_iceauth_home_t:file manage_file_perms;
|
||||
allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
|
||||
|
||||
@ -620,12 +620,6 @@ interface(`init_read_script_state',`
|
||||
allow $1 initrc_t:dir r_dir_perms;
|
||||
allow $1 initrc_t:{ file lnk_file } r_file_perms;
|
||||
allow $1 initrc_t:process getattr;
|
||||
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $1 initrc_t:process ptrace;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
Loading…
Reference in New Issue
Block a user