more updates
This commit is contained in:
parent
493d6c4adc
commit
8125c93a07
@ -39,6 +39,11 @@ files_file_type($1)
|
|||||||
storage_raw_read_fixed_disk($1)
|
storage_raw_read_fixed_disk($1)
|
||||||
storage_raw_write_fixed_disk($1)
|
storage_raw_write_fixed_disk($1)
|
||||||
|
|
||||||
|
#
|
||||||
|
# nscd_client_domain: complete
|
||||||
|
#
|
||||||
|
nscd_use_socket($1)
|
||||||
|
|
||||||
#
|
#
|
||||||
# privfd: complete
|
# privfd: complete
|
||||||
#
|
#
|
||||||
@ -78,6 +83,21 @@ domain_role_change_exempt($1)
|
|||||||
#
|
#
|
||||||
domain_subj_id_change_exempt($1)
|
domain_subj_id_change_exempt($1)
|
||||||
|
|
||||||
|
#
|
||||||
|
# userspace_objmgr: complete
|
||||||
|
#
|
||||||
|
allow $1 self:process getattr;
|
||||||
|
# Receive notifications of policy reloads and enforcing status changes.
|
||||||
|
allow $1 self:netlink_selinux_socket { create bind read };
|
||||||
|
selinux_get_fs_mount($1)
|
||||||
|
selinux_validate_context($1)
|
||||||
|
selinux_compute_access_vector($1)
|
||||||
|
selinux_compute_create_context($1)
|
||||||
|
selinux_compute_relabel_context($1)
|
||||||
|
selinux_compute_user_contexts($1)
|
||||||
|
seutil_read_config($1)
|
||||||
|
seutil_read_default_contexts($1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Access macros
|
# Access macros
|
||||||
@ -157,10 +177,13 @@ allow $1 sbin_t:dir r_dir_perms;
|
|||||||
allow $1 sbin_t:notdevfile_class_set r_file_perms;
|
allow $1 sbin_t:notdevfile_class_set r_file_perms;
|
||||||
kernel_read_kernel_sysctl($1)
|
kernel_read_kernel_sysctl($1)
|
||||||
seutil_read_config($1)
|
seutil_read_config($1)
|
||||||
if (read_default_t) {
|
tunable_policy(`read_default_t',`
|
||||||
allow $1 default_t:dir r_dir_perms;
|
files_list_default($1)
|
||||||
allow $1 default_t:notdevfile_class_set r_file_perms;
|
files_read_default_files($1)
|
||||||
}
|
files_read_default_symlinks($1)
|
||||||
|
files_read_default_sockets($1)
|
||||||
|
files_read_default_pipes($1)
|
||||||
|
')
|
||||||
|
|
||||||
#
|
#
|
||||||
# base_pty_perms():
|
# base_pty_perms():
|
||||||
@ -219,7 +242,7 @@ libs_exec_ld_so($1)
|
|||||||
libs_exec_lib_files($1)
|
libs_exec_lib_files($1)
|
||||||
|
|
||||||
#
|
#
|
||||||
# can_getcon():
|
# can_getcon(): complete
|
||||||
#
|
#
|
||||||
allow $1 self:process getattr;
|
allow $1 self:process getattr;
|
||||||
kernel_read_system_state($1)
|
kernel_read_system_state($1)
|
||||||
@ -509,6 +532,8 @@ dontaudit $1_t self:capability sys_tty_config;
|
|||||||
allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink };
|
allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink };
|
||||||
files_create_pid($1_t,$1_var_run_t)
|
files_create_pid($1_t,$1_var_run_t)
|
||||||
kernel_read_kernel_sysctl($1_t)
|
kernel_read_kernel_sysctl($1_t)
|
||||||
|
kernel_list_proc($1_t)
|
||||||
|
kernel_read_proc_symlink($1_t)
|
||||||
dev_read_sysfs($1_t)
|
dev_read_sysfs($1_t)
|
||||||
fs_getattr_all_fs($1_t)
|
fs_getattr_all_fs($1_t)
|
||||||
fs_search_auto_mountpoints($1_t)
|
fs_search_auto_mountpoints($1_t)
|
||||||
@ -521,6 +546,7 @@ libs_use_shared_libs($1_t)
|
|||||||
logging_send_syslog_msg($1_t)
|
logging_send_syslog_msg($1_t)
|
||||||
miscfiles_read_localization($1_t)
|
miscfiles_read_localization($1_t)
|
||||||
userdom_dontaudit_use_unpriv_user_fd($1_t)
|
userdom_dontaudit_use_unpriv_user_fd($1_t)
|
||||||
|
userdom_dontaudit_search_sysadm_home_dir($1_t)
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty($1_t)
|
term_dontaudit_use_unallocated_tty($1_t)
|
||||||
term_dontaudit_use_generic_pty($1_t)
|
term_dontaudit_use_generic_pty($1_t)
|
||||||
@ -529,15 +555,12 @@ ifdef(`targeted_policy', `
|
|||||||
optional_policy(`rhgb.te',`
|
optional_policy(`rhgb.te',`
|
||||||
rhgb_domain($1_t)
|
rhgb_domain($1_t)
|
||||||
')
|
')
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinuxutils.te',`
|
||||||
seutil_newrole_sigchld($1_t)
|
seutil_sigchld_newrole($1_t)
|
||||||
')
|
')
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_db($1_t)
|
udev_read_db($1_t)
|
||||||
')
|
')
|
||||||
allow $1_t proc_t:dir r_dir_perms;
|
|
||||||
allow $1_t proc_t:lnk_file read;
|
|
||||||
dontaudit $1_t sysadm_home_dir_t:dir search;
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# daemon_sub_domain():
|
# daemon_sub_domain():
|
||||||
|
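Review bot: The `allow $1 self:netlink_selinux_socket { create bind read };` rule added to the userspace_objmgr macro in the second hunk is the only raw access-vector rule left among interface calls, while the last hunk of this same commit replaces the raw `proc_t` rules in daemon_domain with `kernel_list_proc`/`kernel_read_proc_symlink`; for consistency it could be a call into the selinux module, e.g. `selinux_PLACEHOLDER_notification_interface($1)` (placeholder — use whatever that module exposes), with the existing `# Receive notifications ...` comment kept beside the call. Labelling the macro `# userspace_objmgr: complete` while a raw rule remains is worth a second look before the comment is relied on as a conversion marker. The macro's opening line and the file header are outside this view, so I cannot tell whether the rest of the macro is already interface-only.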