trunk: more open perm fixes.
parent
6e68e6bb5e
commit
82d2775c92
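--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -228,5 +228,5 @@ interface(`dpkg_lock_db',`
 
 files_search_var_lib($1)
 allow $1 dpkg_var_lib_t:dir list_dir_perms;
-allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
+allow $1 dpkg_lock_t:file manage_file_perms;
 ')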
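Review bot: `manage_file_perms` on `dpkg_lock_t:file` is broader than the explicit set it replaces; if it expands as the standard refpolicy perm set does, it also grants at least `rename`, `link` and `setattr`, which `{ getattr create read write append unlink lock }` did not. For an interface whose purpose is locking the database, `allow $1 dpkg_lock_t:file { create_file_perms rw_file_perms delete_file_perms };` mirrors the original set without that widening, using the same named sets this commit applies elsewhere. The enclosing interface body starts outside the hunk.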
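--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -111,7 +111,7 @@ interface(`portage_compile_domain',`
 
 # write compile logs
 allow $1 portage_log_t:dir setattr;
-allow $1 portage_log_t:file { append write setattr };
+allow $1 portage_log_t:file { write_file_perms setattr };
 
 # run scripts out of the build directory
 can_exec(portage_sandbox_t, portage_tmp_t)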
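--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -85,7 +85,7 @@ interface(`prelink_read_cache',`
 ')
 
 files_search_etc($1)
-allow $1 prelink_cache_t:file { getattr read };
+allow $1 prelink_cache_t:file read_file_perms;
 ')
 
 ########################################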
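--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -166,9 +166,7 @@ template(`evolution_per_role_template',`
 userdom_search_user_home_dirs($1, $1_evolution_t)
 
 # Allow the user domain to signal/ps.
-allow $2 $1_evolution_t:dir { search getattr read };
-allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
-allow $2 $1_evolution_t:process getattr;
+ps_process_pattern($2, $1_evolution_t)
 
 domain_dontaudit_read_all_domains_state($1_evolution_t)
 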
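--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -79,7 +79,7 @@ template(`uml_per_role_template',`
 allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };
 
 # allow the UML thing to happen
-allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
+allow $1_uml_t $1_uml_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty($1_uml_t,$1_uml_devpts_t)
 
 manage_dirs_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t)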
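--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -180,7 +180,7 @@ interface(`vmware_read_system_config',`
 type vmware_sys_conf_t;
 ')
 
-allow $1 vmware_sys_conf_t:file { getattr read };
+allow $1 vmware_sys_conf_t:file read_file_perms;
 ')
 
 ########################################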
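--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -360,8 +360,7 @@ interface(`corecmd_mmap_bin_files',`
 type bin_t;
 ')
 
-allow $1 bin_t:dir search_dir_perms;
-allow $1 bin_t:file { getattr read execute };
+mmap_files_pattern($1, bin_t, bin_t)
 ')
 
 ########################################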
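--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1555,7 +1555,7 @@ interface(`corenet_rw_tun_tap_dev',`
 ')
 
 dev_list_all_dev_nodes($1)
-allow $1 tun_tap_device_t:chr_file { getattr read write ioctl lock append };
+allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################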
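--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1574,7 +1574,7 @@ interface(`corenet_rw_ppp_dev',`
 ')
 
 dev_list_all_dev_nodes($1)
-allow $1 ppp_device_t:chr_file rw_file_perms;
+allow $1 ppp_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################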
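--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1119,7 +1119,7 @@ interface(`files_mounton_all_mountpoints',`
 attribute mountpoint;
 ')
 
-allow $1 mountpoint:dir { getattr search mounton };
+allow $1 mountpoint:dir { search_dir_perms mounton };
 allow $1 mountpoint:file { getattr mounton };
 ')
 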
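--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1552,7 +1552,7 @@ interface(`files_create_kernel_img',`
 type boot_t;
 ')
 
-allow $1 boot_t:file { getattr read write create };
+allow $1 boot_t:file { create_file_perms rw_file_perms };
 manage_lnk_files_pattern($1, boot_t, boot_t)
 ')
 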
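--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1682,7 +1682,7 @@ interface(`files_mounton_default',`
 type default_t;
 ')
 
-allow $1 default_t:dir { getattr search mounton };
+allow $1 default_t:dir { search_dir_perms mounton };
 ')
 
 ########################################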
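--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -3723,7 +3723,7 @@ interface(`files_create_kernel_symbol_table',`
 ')
 
 allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-allow $1 system_map_t:file { rw_file_perms create };
+allow $1 system_map_t:file { create_file_perms rw_file_perms };
 ')
 
 ########################################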
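--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -4742,7 +4742,7 @@ interface(`files_polyinstantiate_all',`
 allow $1 self:capability { chown fsetid sys_admin };
 
 # Need to give access to the directories to be polyinstantiated
-allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir };
+allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
 
 # Need to give access to the polyinstantiated subdirectories
 allow $1 polymember:dir search_dir_perms;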
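--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -4754,8 +4754,8 @@ interface(`files_polyinstantiate_all',`
 # Need to give permission to create directories where applicable
 allow $1 self:process setfscreate;
 allow $1 polymember: dir { create setattr relabelto };
-allow $1 polydir: dir { write add_name };
-allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto };
+allow $1 polydir: dir { write add_name open };
+allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
 
 # Default type for mountpoints
 allow $1 poly_t:dir { create mounton };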
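Review bot: The `polyparent:dir` rule gains `open` alongside `read` but stays a hand-enumerated list that still lacks `getattr` and `search`, whereas every other directory rule in this commit is folded into `list_dir_perms` or `search_dir_perms`. If the caller is expected to traverse and stat the parent of a polyinstantiated directory (not determinable from the hunk), `allow $1 polyparent:dir { list_dir_perms write remove_name add_name relabelfrom relabelto };` would be consistent with the rest of the change and avoid a second round of per-permission fix-ups. The interface body continues outside the hunk.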
@ -1936,7 +1936,6 @@ interface(`fs_read_rpc_sockets',`
')
')
allow $1 rpc_pipefs_t:sock_file { read write };
allow $1 rpc_pipefs_t:sock_file { read write };
')
')
########################################
########################################
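--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2706,7 +2705,7 @@ interface(`fs_rw_rpc_named_pipes',`
 type rpc_pipefs_t;
 ')
 
-allow $1 rpc_pipefs_t:fifo_file { read write };
+allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################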
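--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2147,7 +2147,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 type unlabeled_t;
 ')
 
-allow $1 unlabeled_t:dir { getattr search read relabelfrom };
+allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
 ')
 
 ########################################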
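--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -165,7 +165,7 @@ interface(`selinux_dontaudit_read_fs',`
 ')
 
 dontaudit $1 security_t:dir search_dir_perms;
-dontaudit $1 security_t:file { getattr read };
+dontaudit $1 security_t:file read_file_perms;
 ')
 
 ########################################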
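--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -186,7 +186,7 @@ interface(`selinux_get_enforce_mode',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read };
+allow $1 security_t:file read_file_perms;
 ')
 
 ########################################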
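--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -219,7 +219,7 @@ interface(`selinux_set_enforce_mode',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read write };
+allow $1 security_t:file rw_file_perms;
 typeattribute $1 can_setenforce;
 
 if(!secure_mode_policyload) {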
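Review bot: `rw_file_perms` on `security_t:file` grants more than the `{ getattr read write }` it replaces — presumably `append`, `lock` and `ioctl` as well — and the same widening recurs in the `selinux_load_policy`, `selinux_set_boolean`, `selinux_set_parameters`, `selinux_validate_context`, `selinux_dontaudit_validate_context` and `selinux_compute_*` hunks that follow. These interfaces gate enforcement mode and policy load, so the extra bits deserve a deliberate decision even if they are harmless on selinuxfs: either the commit message should state that the selinuxfs interfaces are intentionally moved to the full read/write set, or the rule should stay explicit as `allow $1 security_t:file { getattr open read write };`, which is all the title promises. The interface bodies continue outside the hunks.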
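--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -250,7 +250,7 @@ interface(`selinux_load_policy',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read write };
+allow $1 security_t:file rw_file_perms;
 typeattribute $1 can_load_policy;
 
 if(!secure_mode_policyload) {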
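--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -292,7 +292,7 @@ interface(`selinux_set_boolean',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read write };
+allow $1 security_t:file rw_file_perms;
 
 if(!secure_mode_policyload) {
 allow $1 security_t:security setbool;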
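--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -333,7 +333,7 @@ interface(`selinux_set_parameters',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read write };
+allow $1 security_t:file rw_file_perms;
 allow $1 security_t:security setsecparam;
 auditallow $1 security_t:security setsecparam;
 typeattribute $1 can_setsecparam;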
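--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -356,7 +356,7 @@ interface(`selinux_validate_context',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read write };
+allow $1 security_t:file rw_file_perms;
 allow $1 security_t:security check_context;
 ')
 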
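--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -377,7 +377,7 @@ interface(`selinux_dontaudit_validate_context',`
 ')
 
 dontaudit $1 security_t:dir list_dir_perms;
-dontaudit $1 security_t:file { getattr read write };
+dontaudit $1 security_t:file rw_file_perms;
 dontaudit $1 security_t:security check_context;
 ')
 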
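--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -398,7 +398,7 @@ interface(`selinux_compute_access_vector',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read write };
+allow $1 security_t:file rw_file_perms;
 allow $1 security_t:security compute_av;
 ')
 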
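--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -419,7 +419,7 @@ interface(`selinux_compute_create_context',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read write };
+allow $1 security_t:file rw_file_perms;
 allow $1 security_t:security compute_create;
 ')
 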
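--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -440,7 +440,7 @@ interface(`selinux_compute_member',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read write };
+allow $1 security_t:file rw_file_perms;
 allow $1 security_t:security compute_member;
 ')
 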
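--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -469,7 +469,7 @@ interface(`selinux_compute_relabel_context',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read write };
+allow $1 security_t:file rw_file_perms;
 allow $1 security_t:security compute_relabel;
 ')
 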
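--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -489,7 +489,7 @@ interface(`selinux_compute_user_contexts',`
 ')
 
 allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file { getattr read write };
+allow $1 security_t:file rw_file_perms;
 allow $1 security_t:security compute_user;
 ')
 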
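--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -173,7 +173,7 @@ interface(`term_use_all_terms',`
 
 dev_list_all_dev_nodes($1)
 allow $1 devpts_t:dir list_dir_perms;
-allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
+allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
 ')
 
 ########################################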
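--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -932,7 +932,7 @@ interface(`term_append_unallocated_ttys',`
 ')
 
 dev_list_all_dev_nodes($1)
-allow $1 tty_device_t:chr_file { getattr append };
+allow $1 tty_device_t:chr_file append_chr_file_perms;
 ')
 
 ########################################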
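--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -951,7 +951,7 @@ interface(`term_write_unallocated_ttys',`
 ')
 
 dev_list_all_dev_nodes($1)
-allow $1 tty_device_t:chr_file { getattr write };
+allow $1 tty_device_t:chr_file write_chr_file_perms;
 ')
 
 ########################################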
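--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -971,7 +971,7 @@ interface(`term_use_unallocated_ttys',`
 ')
 
 dev_list_all_dev_nodes($1)
-allow $1 tty_device_t:chr_file { rw_term_perms lock append };
+allow $1 tty_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################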
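--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -990,7 +990,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 type tty_device_t;
 ')
 
-dontaudit $1 tty_device_t:chr_file { rw_term_perms lock append };
+dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################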
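--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1092,7 +1092,7 @@ interface(`term_write_all_user_ttys',`
 ')
 
 dev_list_all_dev_nodes($1)
-allow $1 ttynode:chr_file { getattr write append };
+allow $1 ttynode:chr_file write_chr_file_perms;
 ')
 
 ########################################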
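--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1112,7 +1112,7 @@ interface(`term_use_all_user_ttys',`
 ')
 
 dev_list_all_dev_nodes($1)
-allow $1 ttynode:chr_file { rw_term_perms lock append };
+allow $1 ttynode:chr_file rw_chr_file_perms;
 ')
 
 ########################################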
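--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1131,5 +1131,5 @@ interface(`term_dontaudit_use_all_user_ttys',`
 attribute ttynode;
 ')
 
-dontaudit $1 ttynode:chr_file { read write };
+dontaudit $1 ttynode:chr_file rw_chr_file_perms;
 ')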
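--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -37,7 +37,7 @@ interface(`amavis_read_spool_files',`
 ')
 
 files_search_spool($1)
-allow $1 amavis_spool_t:file { getattr read };
+allow $1 amavis_spool_t:file read_file_perms;
 ')
 
 ########################################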
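--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -940,7 +940,7 @@ interface(`apache_read_squirrelmail_data',`
 type httpd_squirrelmail_t;
 ')
 
-allow $1 httpd_squirrelmail_t:file { getattr read };
+allow $1 httpd_squirrelmail_t:file read_file_perms;
 ')
 
 ########################################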
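--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -959,7 +959,7 @@ interface(`apache_append_squirrelmail_data',`
 type httpd_squirrelmail_t;
 ')
 
-allow $1 httpd_squirrelmail_t:file { getattr append };
+allow $1 httpd_squirrelmail_t:file append_file_perms;
 ')
 
 ########################################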
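--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -55,7 +55,7 @@ interface(`apcupsd_read_log',`
 
 logging_search_logs($1)
 allow $1 apcupsd_log_t:dir list_dir_perms;
-allow $1 apcupsd_log_t:file { read getattr lock };
+allow $1 apcupsd_log_t:file read_file_perms;
 ')
 
 ########################################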
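--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -76,7 +76,7 @@ interface(`apcupsd_append_log',`
 
 logging_search_logs($1)
 allow $1 apcupsd_log_t:dir list_dir_perms;
-allow $1 apcupsd_log_t:file { getattr append };
+allow $1 apcupsd_log_t:file append_file_perms;
 ')
 
 ########################################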
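--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -16,8 +16,8 @@ interface(`bitlbee_read_config',`
 ')
 
 files_search_etc($1)
-allow $1 bitlbee_conf_t:dir { getattr read search };
-allow $1 bitlbee_conf_t:file { read getattr };
+allow $1 bitlbee_conf_t:dir list_dir_perms;
+allow $1 bitlbee_conf_t:file read_file_perms;
 ')
 
 ########################################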
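--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -285,7 +285,7 @@ template(`cron_admin_template',`
 ')
 
 # Allow our crontab domain to unlink a user cron spool file.
-allow $1_crontab_t cron_spool_type:file { getattr read unlink };
+allow $1_crontab_t cron_spool_type:file { read_file_perms delete_file_perms };
 
 logging_read_generic_logs($1_crond_t)
 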
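--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -207,7 +207,7 @@ interface(`cups_read_log',`
 ')
 
 logging_search_logs($1)
-allow $1 cupsd_log_t:file { getattr read };
+allow $1 cupsd_log_t:file read_file_perms;
 ')
 
 ########################################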
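--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -226,7 +226,7 @@ interface(`cups_write_log',`
 ')
 
 logging_search_logs($1)
-allow $1 cupsd_log_t:file write;
+allow $1 cupsd_log_t:file write_file_perms;
 ')
 
 ########################################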
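--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -36,7 +36,7 @@ interface(`fail2ban_read_log',`
 
 logging_search_logs($1)
 allow $1 fail2ban_log_t:dir list_dir_perms;
-allow $1 fail2ban_log_t:file { read getattr lock };
+allow $1 fail2ban_log_t:file read_file_perms;
 ')
 
 ########################################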
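--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -67,7 +67,7 @@ interface(`ftp_read_config',`
 ')
 
 files_search_etc($1)
-allow $1 ftpd_etc_t:file { getattr read };
+allow $1 ftpd_etc_t:file read_file_perms;
 ')
 
 ########################################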
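--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -93,9 +93,9 @@ interface(`inn_read_config',`
 type innd_etc_t;
 ')
 
-allow $1 innd_etc_t:dir { getattr read search };
-allow $1 innd_etc_t:file { read getattr };
-allow $1 innd_etc_t:lnk_file { getattr read };
+allow $1 innd_etc_t:dir list_dir_perms;
+allow $1 innd_etc_t:file read_file_perms;
+allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################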
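--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -113,9 +113,9 @@ interface(`inn_read_news_lib',`
 type innd_var_lib_t;
 ')
 
-allow $1 innd_var_lib_t:dir { getattr read search };
-allow $1 innd_var_lib_t:file { read getattr };
-allow $1 innd_var_lib_t:lnk_file { getattr read };
+allow $1 innd_var_lib_t:dir list_dir_perms;
+allow $1 innd_var_lib_t:file read_file_perms;
+allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################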
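--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -133,9 +133,9 @@ interface(`inn_read_news_spool',`
 type news_spool_t;
 ')
 
-allow $1 news_spool_t:dir { getattr read search };
-allow $1 news_spool_t:file { read getattr };
-allow $1 news_spool_t:lnk_file { getattr read };
+allow $1 news_spool_t:dir list_dir_perms;
+allow $1 news_spool_t:file read_file_perms;
+allow $1 news_spool_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################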
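--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -73,7 +73,7 @@ interface(`kerberos_use',`
 ')
 
 files_search_etc($1)
-allow $1 krb5_conf_t:file { getattr read };
+allow $1 krb5_conf_t:file read_file_perms;
 dontaudit $1 krb5_conf_t:file write;
 dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
 dontaudit $1 krb5kdc_conf_t:file rw_file_perms;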
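--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -36,7 +36,7 @@ interface(`ldap_read_config',`
 ')
 
 files_search_etc($1)
-allow $1 slapd_etc_t:file { getattr read };
+allow $1 slapd_etc_t:file read_file_perms;
 ')
 
 ########################################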
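--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -114,7 +114,7 @@ template(`mta_base_mail_template',`
 manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
 files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
 
-allow $1_mail_t etc_mail_t:dir { getattr search };
+allow $1_mail_t etc_mail_t:dir search_dir_perms;
 
 # Write to /var/spool/mail and /var/spool/mqueue.
 manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)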
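--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -74,9 +74,9 @@ interface(`mysql_read_config',`
 type mysqld_etc_t;
 ')
 
-allow $1 mysqld_etc_t:dir { getattr read search };
-allow $1 mysqld_etc_t:file { read getattr };
-allow $1 mysqld_etc_t:lnk_file { getattr read };
+allow $1 mysqld_etc_t:dir list_dir_perms;
+allow $1 mysqld_etc_t:file read_file_perms;
+allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################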
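--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -98,7 +98,7 @@ interface(`mysql_search_db',`
 ')
 
 files_search_var_lib($1)
-allow $1 mysqld_db_t:dir search;
+allow $1 mysqld_db_t:dir search_dir_perms;
 ')
 
 ########################################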
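--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -156,7 +156,7 @@ interface(`mysql_rw_db_sockets',`
 ')
 
 files_search_var_lib($1)
-allow $1 mysqld_db_t:dir search;
+allow $1 mysqld_db_t:dir search_dir_perms;
 allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
 ')
 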
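--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -176,5 +176,5 @@ interface(`mysql_write_log',`
 ')
 
 logging_search_logs($1)
-allow $1 mysqld_log_t:file { write append setattr ioctl };
+allow $1 mysqld_log_t:file { write_file_perms setattr };
 ')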
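--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -223,7 +223,7 @@ interface(`nis_read_ypserv_config',`
 ')
 
 files_search_etc($1)
-allow $1 ypserv_conf_t:file { getattr read };
+allow $1 ypserv_conf_t:file read_file_perms;
 ')
 
 ########################################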
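--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -49,7 +49,7 @@ interface(`portmap_run_helper',`
 
 portmap_domtrans_helper($1)
 role $2 types portmap_helper_t;
-allow portmap_helper_t $3:chr_file { getattr read write ioctl };
+allow portmap_helper_t $3:chr_file rw_term_perms;
 ')
 
 ########################################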
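Review bot: This hunk introduces `rw_term_perms` for `portmap_helper_t` on `$3:chr_file`, while the `term_use_unallocated_ttys`, `term_dontaudit_use_unallocated_ttys` and `term_use_all_user_ttys` hunks in the same commit replace `rw_term_perms` with `rw_chr_file_perms`; the commit is thus both adopting and retiring the same idiom. If `$3` is the caller's terminal type, `allow portmap_helper_t $3:chr_file rw_chr_file_perms;` keeps terminal access uniform across the change, at the cost of whatever extra bits that set carries over `{ getattr read write ioctl }` (not visible here). The interface body starts outside the hunk.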
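--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -208,9 +208,9 @@ interface(`postfix_read_config',`
 type postfix_etc_t;
 ')
 
-allow $1 postfix_etc_t:dir { getattr read search };
-allow $1 postfix_etc_t:file { read getattr };
-allow $1 postfix_etc_t:lnk_file { getattr read };
+allow $1 postfix_etc_t:dir list_dir_perms;
+allow $1 postfix_etc_t:file read_file_perms;
+allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
 files_search_etc($1)
 ')
 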
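--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -272,9 +272,9 @@ interface(`postgresql_read_config',`
 ')
 
 files_search_etc($1)
-allow $1 postgresql_etc_t:dir { getattr read search };
-allow $1 postgresql_etc_t:file { read getattr };
-allow $1 postgresql_etc_t:lnk_file { getattr read };
+allow $1 postgresql_etc_t:dir list_dir_perms;
+allow $1 postgresql_etc_t:file read_file_perms;
+allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################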
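--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -230,7 +230,7 @@ interface(`ppp_read_rw_config',`
 ')
 
 allow $1 pppd_etc_t:dir list_dir_perms;
-allow $1 pppd_etc_rw_t:file { getattr read };
+allow $1 pppd_etc_rw_t:file read_file_perms;
 files_search_etc($1)
 ')
 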
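--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -250,7 +250,7 @@ interface(`ppp_read_secrets',`
 ')
 
 allow $1 pppd_etc_t:dir list_dir_perms;
-allow $1 pppd_secret_t:file { getattr read };
+allow $1 pppd_secret_t:file read_file_perms;
 files_search_etc($1)
 ')
 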
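--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -72,9 +72,9 @@ template(`qmail_child_domain_template',`
 allow $1_t $2:fifo_file rw_file_perms;
 allow $1_t $2:process sigchld;
 
-allow $1_t qmail_etc_t:dir { getattr read search };
-allow $1_t qmail_etc_t:file { getattr read };
-allow $1_t qmail_etc_t:lnk_file { getattr read };
+allow $1_t qmail_etc_t:dir list_dir_perms;
+allow $1_t qmail_etc_t:file read_file_perms;
+allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
 
 allow $1_t qmail_start_t:fd use;
 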
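--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -158,9 +158,9 @@ interface(`qmail_read_config',`
 type qmail_etc_t;
 ')
 
-allow $1 qmail_etc_t:dir { getattr read search };
-allow $1 qmail_etc_t:file { getattr read };
-allow $1 qmail_etc_t:lnk_file { getattr read };
+allow $1 qmail_etc_t:dir list_dir_perms;
+allow $1 qmail_etc_t:file read_file_perms;
+allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
 files_search_var($1)
 
 ifdef(`distro_debian',`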
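--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -56,7 +56,8 @@ template(`razor_common_domain_template',`
 files_search_var_lib($1_t)
 
 # Razor is one executable and several symlinks
-allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
+allow $1_t razor_exec_t:file read_file_perms;
+allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
 
 kernel_read_system_state($1_t)
 kernel_read_network_state($1_t)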
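--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -194,5 +194,5 @@ interface(`rhgb_rw_tmpfs_files',`
 type rhgb_tmpfs_t;
 ')
 
-allow $1 rhgb_tmpfs_t:file { read write };
+allow $1 rhgb_tmpfs_t:file rw_file_perms;
 ')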
@ -263,7 +263,7 @@ interface(`samba_read_secrets',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 samba_secrets_t:file { read getattr lock };
|
allow $1 samba_secrets_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -15,7 +15,7 @@ interface(`smartmon_read_tmp_files',`
|
|||||||
type fsdaemon_tmp_t;
|
type fsdaemon_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 fsdaemon_tmp_t:file { getattr ioctl read };
|
allow $1 fsdaemon_tmp_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -391,7 +391,7 @@ template(`ssh_per_role_template',`
|
|||||||
allow $1_ssh_keysign_t self:capability { setgid setuid };
|
allow $1_ssh_keysign_t self:capability { setgid setuid };
|
||||||
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
||||||
|
|
||||||
allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
|
allow $1_ssh_keysign_t sshd_key_t:file read_file_perms;
|
||||||
|
|
||||||
dev_read_urand($1_ssh_keysign_t)
|
dev_read_urand($1_ssh_keysign_t)
|
||||||
|
|
||||||
@ -452,7 +452,7 @@ template(`ssh_server_template', `
|
|||||||
can_exec($1_t, sshd_exec_t)
|
can_exec($1_t, sshd_exec_t)
|
||||||
|
|
||||||
# Access key files
|
# Access key files
|
||||||
allow $1_t sshd_key_t:file { getattr read };
|
allow $1_t sshd_key_t:file read_file_perms;
|
||||||
|
|
||||||
kernel_read_kernel_sysctls($1_t)
|
kernel_read_kernel_sysctls($1_t)
|
||||||
|
|
||||||
|
@ -320,7 +320,7 @@ template(`xserver_per_role_template',`
|
|||||||
|
|
||||||
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||||
|
|
||||||
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
allow $1_xserver_t $1_xauth_home_t:file read_file_perms;
|
||||||
|
|
||||||
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
|
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
|
||||||
allow $1_xserver_t $2:process signal;
|
allow $1_xserver_t $2:process signal;
|
||||||
@ -539,7 +539,7 @@ template(`xserver_ro_session_template',`
|
|||||||
allow $2 $1_xserver_t:process signal;
|
allow $2 $1_xserver_t:process signal;
|
||||||
|
|
||||||
# Read /tmp/.X0-lock
|
# Read /tmp/.X0-lock
|
||||||
allow $2 $1_xserver_tmp_t:file { getattr read };
|
allow $2 $1_xserver_tmp_t:file read_file_perms;
|
||||||
|
|
||||||
# Client read xserver shm
|
# Client read xserver shm
|
||||||
allow $2 $1_xserver_t:fd use;
|
allow $2 $1_xserver_t:fd use;
|
||||||
@ -615,8 +615,8 @@ template(`xserver_user_client_template',`
|
|||||||
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
|
|
||||||
# Read .Xauthority file
|
# Read .Xauthority file
|
||||||
allow $2 $1_xauth_home_t:file { getattr read };
|
allow $2 $1_xauth_home_t:file read_file_perms;
|
||||||
allow $2 $1_iceauth_home_t:file { getattr read };
|
allow $2 $1_iceauth_home_t:file read_file_perms;
|
||||||
|
|
||||||
# for when /tmp/.X11-unix is created by the system
|
# for when /tmp/.X11-unix is created by the system
|
||||||
allow $2 xdm_t:fd use;
|
allow $2 xdm_t:fd use;
|
||||||
@ -885,13 +885,13 @@ template(`xserver_user_x_domain_template',`
|
|||||||
allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
|
allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
|
|
||||||
# Read .Xauthority file
|
# Read .Xauthority file
|
||||||
allow $3 $1_xauth_home_t:file { getattr read };
|
allow $3 $1_xauth_home_t:file read_file_perms;
|
||||||
allow $3 $1_iceauth_home_t:file { getattr read };
|
allow $3 $1_iceauth_home_t:file read_file_perms;
|
||||||
|
|
||||||
# for when /tmp/.X11-unix is created by the system
|
# for when /tmp/.X11-unix is created by the system
|
||||||
allow $3 xdm_t:fd use;
|
allow $3 xdm_t:fd use;
|
||||||
allow $3 xdm_t:fifo_file { getattr read write ioctl };
|
allow $3 xdm_t:fifo_file { getattr read write ioctl };
|
||||||
allow $3 xdm_tmp_t:dir search;
|
allow $3 xdm_tmp_t:dir search_dir_perms;
|
||||||
allow $3 xdm_tmp_t:sock_file { read write };
|
allow $3 xdm_tmp_t:sock_file { read write };
|
||||||
dontaudit $3 xdm_t:tcp_socket { read write };
|
dontaudit $3 xdm_t:tcp_socket { read write };
|
||||||
|
|
||||||
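Review bot: The untouched line `allow $3 xdm_t:fifo_file { getattr read write ioctl };` just below the rewritten `xdm_tmp_t:dir search_dir_perms` still has no `open`, while every other rewritten line in this commit gains it. `open` is a common file permission and is checked on fifo_file as well as on file, so a client that open()s an xdm-owned pipe would be denied on a kernel that enforces the open permission, which is exactly what this commit is fixing elsewhere. Change it to `allow $3 xdm_t:fifo_file rw_fifo_file_perms;` if the tree defines that macro, or add `open` to the literal set; the `sock_file { read write }` line is fine since socket files are connected to, not open()ed. The template begins and ends outside the hunk.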
@ -1230,7 +1230,7 @@ interface(`xserver_read_xdm_rw_config',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 xdm_rw_etc_t:file { getattr read };
|
allow $1 xdm_rw_etc_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1306,7 +1306,7 @@ interface(`xserver_read_xdm_lib_files',`
|
|||||||
type xdm_var_lib_t;
|
type xdm_var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 xdm_var_lib_t:file { getattr read };
|
allow $1 xdm_var_lib_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1479,7 +1479,7 @@ interface(`xserver_read_xdm_xserver_tmp_files',`
|
|||||||
type xdm_xserver_tmp_t;
|
type xdm_xserver_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 xdm_xserver_tmp_t:file { getattr read };
|
allow $1 xdm_xserver_tmp_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -31,7 +31,7 @@ template(`authlogin_common_auth_domain_template',`
|
|||||||
allow $1_chkpwd_t self:process getattr;
|
allow $1_chkpwd_t self:process getattr;
|
||||||
|
|
||||||
files_list_etc($1_chkpwd_t)
|
files_list_etc($1_chkpwd_t)
|
||||||
allow $1_chkpwd_t shadow_t:file { getattr read };
|
allow $1_chkpwd_t shadow_t:file read_file_perms;
|
||||||
|
|
||||||
# is_selinux_enabled
|
# is_selinux_enabled
|
||||||
kernel_read_system_state($1_chkpwd_t)
|
kernel_read_system_state($1_chkpwd_t)
|
||||||
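Review bot: `read_file_perms` on shadow_t (the `$1_chkpwd_t` line) grants more than the `open` this commit is about: with the usual refpolicy definition, which is not visible in this hunk, the macro also carries `lock` and `ioctl`. A password-checking helper only needs to read the file, so on the most sensitive file in /etc the minimal form `allow $1_chkpwd_t shadow_t:file { getattr open read };` keeps the fix tight, avoiding a helper that can take locks on /etc/shadow. If the macro is preferred for consistency, a comment on the line noting that lock/ioctl come with it would at least record the choice. The template starts outside the hunk.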
|
@ -47,7 +47,7 @@ interface(`clock_run',`
|
|||||||
|
|
||||||
clock_domtrans($1)
|
clock_domtrans($1)
|
||||||
role $2 types hwclock_t;
|
role $2 types hwclock_t;
|
||||||
allow hwclock_t $3:chr_file { getattr read write ioctl };
|
allow hwclock_t $3:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -48,7 +48,7 @@ interface(`fstools_run',`
|
|||||||
|
|
||||||
fstools_domtrans($1)
|
fstools_domtrans($1)
|
||||||
role $2 types fsadm_t;
|
role $2 types fsadm_t;
|
||||||
allow fsadm_t $3:chr_file { getattr read write ioctl };
|
allow fsadm_t $3:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -54,7 +54,7 @@ interface(`getty_read_log',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
logging_search_logs($1)
|
logging_search_logs($1)
|
||||||
allow $1 getty_log_t:file { getattr read };
|
allow $1 getty_log_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -74,7 +74,7 @@ interface(`getty_read_config',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 getty_etc_t:file { getattr read };
|
allow $1 getty_etc_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -47,7 +47,7 @@ interface(`hostname_run',`
|
|||||||
|
|
||||||
hostname_domtrans($1)
|
hostname_domtrans($1)
|
||||||
role $2 types hostname_t;
|
role $2 types hostname_t;
|
||||||
allow hostname_t $3:chr_file { getattr read write ioctl };
|
allow hostname_t $3:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1394,7 +1394,7 @@ interface(`init_write_utmp',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_list_pids($1)
|
files_list_pids($1)
|
||||||
allow $1 initrc_var_run_t:file { getattr write };
|
allow $1 initrc_var_run_t:file { getattr open write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
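Review bot: The literal `{ getattr open write }` for initrc_var_run_t is the one rewritten line in this commit that does not switch to a macro, leaving it narrower than `write_file_perms` (no append, lock or ioctl), presumably on purpose for utmp, which is rewritten in place rather than appended to. Nothing in the hunk says so, and the next "perm cleanup" could easily widen it; a comment such as `# utmp is rewritten in place: open+write only, deliberately not write_file_perms` on that line would record the intent. The interface starts outside the hunk.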
|
@ -48,7 +48,7 @@ interface(`sysnet_run_dhcpc',`
|
|||||||
|
|
||||||
sysnet_domtrans_dhcpc($1)
|
sysnet_domtrans_dhcpc($1)
|
||||||
role $2 types dhcpc_t;
|
role $2 types dhcpc_t;
|
||||||
allow dhcpc_t $3:chr_file { getattr read write ioctl };
|
allow dhcpc_t $3:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -198,7 +198,7 @@ interface(`sysnet_read_dhcpc_state',`
|
|||||||
type dhcpc_state_t;
|
type dhcpc_state_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 dhcpc_state_t:file { getattr read };
|
allow $1 dhcpc_state_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -348,7 +348,7 @@ interface(`sysnet_read_dhcpc_pid',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_list_pids($1)
|
files_list_pids($1)
|
||||||
allow $1 dhcpc_var_run_t:file { getattr read };
|
allow $1 dhcpc_var_run_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
|
@ -645,5 +645,5 @@ interface(`unconfined_write_tmp_files',`
|
|||||||
type unconfined_tmp_t;
|
type unconfined_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 unconfined_tmp_t:file { getattr write append };
|
allow $1 unconfined_tmp_t:file write_file_perms;
|
||||||
')
|
')
|
||||||
|
@ -57,7 +57,7 @@ template(`userdom_base_user_template',`
|
|||||||
allow $1_t self:context contains;
|
allow $1_t self:context contains;
|
||||||
dontaudit $1_t self:socket create;
|
dontaudit $1_t self:socket create;
|
||||||
|
|
||||||
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
|
allow $1_t $1_devpts_t:chr_file { setattr rw_chr_file_perms };
|
||||||
term_create_pty($1_t,$1_devpts_t)
|
term_create_pty($1_t,$1_devpts_t)
|
||||||
|
|
||||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
||||||
@ -5310,7 +5310,7 @@ interface(`userdom_write_unpriv_users_tmp_files',`
|
|||||||
attribute user_tmpfile;
|
attribute user_tmpfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 user_tmpfile:file { getattr write append };
|
allow $1 user_tmpfile:file write_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
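Review bot: `write_file_perms` on the `user_tmpfile` attribute goes beyond adding `open`: with the usual refpolicy definition (not shown in this hunk) it also grants `lock` and `ioctl`, which the original `{ getattr write append }` omitted, and because the target is an attribute it does so against every unprivileged user's tmp files at once. A caller of this interface could then take locks on any user's tmp files; if that widening is unintended, `allow $1 user_tmpfile:file { getattr open write append };` keeps the fix minimal. Otherwise the interface's doc block, which lies outside the hunk, should state that lock and ioctl are included.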
|
@ -2,7 +2,7 @@
|
|||||||
# Specified domain transition patterns
|
# Specified domain transition patterns
|
||||||
#
|
#
|
||||||
define(`domain_transition_pattern',`
|
define(`domain_transition_pattern',`
|
||||||
allow $1 $2:file { getattr read execute };
|
allow $1 $2:file { getattr open read execute };
|
||||||
allow $1 $3:process transition;
|
allow $1 $3:process transition;
|
||||||
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
|
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
|
||||||
')
|
')
|
||||||
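Review bot: The pattern still carries no comment describing its three arguments, even though every domain transition in the tree goes through it and the `open` added to the file line is the kind of change a reader will want explained. From the allows, `$1` is the source domain, `$2` the entrypoint executable type and `$3` the target domain; a line like `# $1 = source domain, $2 = entrypoint executable type, $3 = target domain` above the first allow would make that explicit. Keeping the literal `{ getattr open read execute }` rather than a broader read/exec macro is reasonable since it stays the minimum needed to exec the entrypoint; saying so in a short comment would stop a later cleanup from widening it.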
@ -48,7 +48,8 @@ define(`send_audit_msgs_pattern',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
define(`ps_process_pattern',`
|
define(`ps_process_pattern',`
|
||||||
allow $1 $2:dir { search getattr read };
|
allow $1 $2:dir list_dir_perms;
|
||||||
allow $1 $2:{ file lnk_file } { read getattr };
|
allow $1 $2:file read_file_perms;
|
||||||
|
allow $1 $2:lnk_file read_lnk_file_perms;
|
||||||
allow $1 $2:process getattr;
|
allow $1 $2:process getattr;
|
||||||
')
|
')
|
||||||
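Review bot: Splitting `{ file lnk_file } { read getattr }` into `read_file_perms` and `read_lnk_file_perms` widens the file side beyond `open`: with the usual refpolicy definition, not visible here, `read_file_perms` also includes `lock` and `ioctl`, so every caller of ps_process_pattern now gets lock/ioctl on the target domain's /proc/<pid> files. That is probably harmless for proc entries, but because this macro is reused widely it should be stated rather than implied; add `# $1 = viewing domain, $2 = target domain: read its /proc/<pid> dir, files and symlinks and get process attributes` above the allows. If the lock/ioctl widening is unwanted, `allow $1 $2:file { getattr open read };` is the minimal form.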
|