ps/ptrace dontaudit cleanup

This commit is contained in:
Chris PeBenito 2006-08-08 17:49:03 +00:00
parent eb8a2639b4
commit 497da0953c
11 changed files with 0 additions and 75 deletions

View File

@ -64,12 +64,6 @@ template(`cdrecord_per_userdomain_template', `
allow $2 $1_cdrecord_t:dir { search getattr read }; allow $2 $1_cdrecord_t:dir { search getattr read };
allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr }; allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
allow $2 $1_cdrecord_t:process getattr; allow $2 $1_cdrecord_t:process getattr;
#We need to suppress this denial because procps
#tries to access /proc/pid/environ and this now
#triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps
#to not do this, or only if running in a privileged domain.
dontaudit $2 $1_cdrecord_t:process ptrace;
allow $2 $1_cdrecord_t:process signal; allow $2 $1_cdrecord_t:process signal;
# Transition from the user domain to the derived domain. # Transition from the user domain to the derived domain.

View File

@ -170,11 +170,6 @@ template(`evolution_per_userdomain_template',`
allow $2 $1_evolution_t:dir { search getattr read }; allow $2 $1_evolution_t:dir { search getattr read };
allow $2 $1_evolution_t:{ file lnk_file } { read getattr }; allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
allow $2 $1_evolution_t:process getattr; allow $2 $1_evolution_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_evolution_t:process ptrace;
#FIXME check to see if really needed #FIXME check to see if really needed
kernel_read_kernel_sysctls($1_evolution_t) kernel_read_kernel_sysctls($1_evolution_t)

View File

@ -96,11 +96,6 @@ template(`irc_per_userdomain_template',`
allow $2 $1_irc_t:dir { search getattr read }; allow $2 $1_irc_t:dir { search getattr read };
allow $2 $1_irc_t:{ file lnk_file } { read getattr }; allow $2 $1_irc_t:{ file lnk_file } { read getattr };
allow $2 $1_irc_t:process getattr; allow $2 $1_irc_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_irc_t:process ptrace;
kernel_read_proc_symlinks($1_irc_t) kernel_read_proc_symlinks($1_irc_t)

View File

@ -106,11 +106,6 @@ template(`mozilla_per_userdomain_template',`
allow $2 $1_mozilla_t:dir { search getattr read }; allow $2 $1_mozilla_t:dir { search getattr read };
allow $2 $1_mozilla_t:{ file lnk_file } { read getattr }; allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
allow $2 $1_mozilla_t:process getattr; allow $2 $1_mozilla_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_mozilla_t:process ptrace;
allow $2 $1_mozilla_t:process signal_perms; allow $2 $1_mozilla_t:process signal_perms;

View File

@ -81,11 +81,6 @@ template(`mplayer_per_userdomain_template',`
allow $2 $1_mencoder_t:dir { search getattr read }; allow $2 $1_mencoder_t:dir { search getattr read };
allow $2 $1_mencoder_t:{ file lnk_file } { read getattr }; allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
allow $2 $1_mencoder_t:process getattr; allow $2 $1_mencoder_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_mencoder_t:process ptrace;
allow $2 $1_mencoder_t:process signal_perms; allow $2 $1_mencoder_t:process signal_perms;
# Read /proc files and directories # Read /proc files and directories
@ -295,11 +290,6 @@ template(`mplayer_per_userdomain_template',`
allow $2 $1_mplayer_t:dir { search getattr read }; allow $2 $1_mplayer_t:dir { search getattr read };
allow $2 $1_mplayer_t:{ file lnk_file } { read getattr }; allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
allow $2 $1_mplayer_t:process getattr; allow $2 $1_mplayer_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_mplayer_t:process ptrace;
allow $2 $1_mplayer_t:process signal_perms; allow $2 $1_mplayer_t:process signal_perms;
kernel_dontaudit_list_unlabeled($1_mplayer_t) kernel_dontaudit_list_unlabeled($1_mplayer_t)

View File

@ -87,11 +87,6 @@ template(`thunderbird_per_userdomain_template',`
allow $2 $1_thunderbird_t:dir { search getattr read }; allow $2 $1_thunderbird_t:dir { search getattr read };
allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr }; allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
allow $2 $1_thunderbird_t:process getattr; allow $2 $1_thunderbird_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_thunderbird_t:process ptrace;
# Access ~/.thunderbird # Access ~/.thunderbird
allow $2 $1_thunderbird_home_t:dir manage_dir_perms; allow $2 $1_thunderbird_home_t:dir manage_dir_perms;

View File

@ -99,11 +99,6 @@ template(`tvtime_per_userdomain_template',`
allow $2 $1_tvtime_t:dir { search getattr read }; allow $2 $1_tvtime_t:dir { search getattr read };
allow $2 $1_tvtime_t:{ file lnk_file } { read getattr }; allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
allow $2 $1_tvtime_t:process getattr; allow $2 $1_tvtime_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_tvtime_t:process ptrace;
allow $2 $1_tvtime_t:process signal_perms; allow $2 $1_tvtime_t:process signal_perms;
kernel_read_all_sysctls($1_tvtime_t) kernel_read_all_sysctls($1_tvtime_t)

View File

@ -120,11 +120,6 @@ template(`uml_per_userdomain_template',`
allow $2 $1_uml_t:dir { search getattr read }; allow $2 $1_uml_t:dir { search getattr read };
allow $2 $1_uml_t:{ file lnk_file } { read getattr }; allow $2 $1_uml_t:{ file lnk_file } { read getattr };
allow $2 $1_uml_t:process getattr; allow $2 $1_uml_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_uml_t:process ptrace;
allow $2 $1_uml_tmp_t:dir create_dir_perms; allow $2 $1_uml_tmp_t:dir create_dir_perms;
allow $2 $1_uml_tmp_t:file create_file_perms; allow $2 $1_uml_tmp_t:file create_file_perms;

View File

@ -186,7 +186,6 @@ template(`cron_per_userdomain_template',`
allow $2 $1_crontab_t:dir { search getattr read }; allow $2 $1_crontab_t:dir { search getattr read };
allow $2 $1_crontab_t:{ file lnk_file } { read getattr }; allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
allow $2 $1_crontab_t:process getattr; allow $2 $1_crontab_t:process getattr;
dontaudit $2 $1_crontab_t:process ptrace;
# for ^Z # for ^Z
allow $2 $1_crontab_t:process signal; allow $2 $1_crontab_t:process signal;

View File

@ -174,16 +174,6 @@ template(`xserver_common_domain_template',`
optional_policy(` optional_policy(`
xfs_stream_connect($1_xserver_t) xfs_stream_connect($1_xserver_t)
') ')
ifdef(`TODO',`
ifdef(`distro_redhat',`
ifdef(`rpm.te', `
allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
allow $1_xserver_t rpm_tmpfs_t:file { read write };
rpm_use_fds($1_xserver_t)
')
')
') dnl end TODO
') ')
####################################### #######################################
@ -317,8 +307,6 @@ template(`xserver_per_userdomain_template',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
ifdef(`xdm.te', ` ifdef(`xdm.te', `
allow $1_t xdm_tmp_t:sock_file unlink; allow $1_t xdm_tmp_t:sock_file unlink;
allow $1_xserver_t xdm_var_run_t:dir search; allow $1_xserver_t xdm_var_run_t:dir search;
@ -352,11 +340,6 @@ template(`xserver_per_userdomain_template',`
allow $2 $1_xauth_t:dir { search getattr read }; allow $2 $1_xauth_t:dir { search getattr read };
allow $2 $1_xauth_t:{ file lnk_file } { read getattr }; allow $2 $1_xauth_t:{ file lnk_file } { read getattr };
allow $2 $1_xauth_t:process getattr; allow $2 $1_xauth_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_xauth_t:process ptrace;
allow $2 $1_xauth_home_t:file manage_file_perms; allow $2 $1_xauth_home_t:file manage_file_perms;
allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
@ -419,11 +402,6 @@ template(`xserver_per_userdomain_template',`
allow $2 $1_iceauth_t:dir { search getattr read }; allow $2 $1_iceauth_t:dir { search getattr read };
allow $2 $1_iceauth_t:{ file lnk_file } { read getattr }; allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
allow $2 $1_iceauth_t:process getattr; allow $2 $1_iceauth_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_iceauth_t:process ptrace;
allow $2 $1_iceauth_home_t:file manage_file_perms; allow $2 $1_iceauth_home_t:file manage_file_perms;
allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };

View File

@ -620,12 +620,6 @@ interface(`init_read_script_state',`
allow $1 initrc_t:dir r_dir_perms; allow $1 initrc_t:dir r_dir_perms;
allow $1 initrc_t:{ file lnk_file } r_file_perms; allow $1 initrc_t:{ file lnk_file } r_file_perms;
allow $1 initrc_t:process getattr; allow $1 initrc_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $1 initrc_t:process ptrace;
') ')
######################################## ########################################