trunk: 14 patches from dan.
This commit is contained in:
Chris PeBenito
parent
244b45d225
commit
8f800d48df
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork, 1.11.4)
|
||||
policy_module(corenetwork, 1.11.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -118,6 +118,7 @@ network_port(jabber_interserver, tcp,5269,s0)
|
||||
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
||||
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
|
||||
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
||||
network_port(kprop, tcp,754,s0)
|
||||
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
||||
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
|
||||
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
||||
|
||||
@ -1,8 +1,6 @@
|
||||
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
|
||||
')
|
||||
|
||||
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apcupsd, 1.5.2)
|
||||
policy_module(apcupsd, 1.5.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -55,6 +55,24 @@ interface(`avahi_kill',`
|
||||
allow $1 avahi_t:process sigkill;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send avahi a signull
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`avahi_signull',`
|
||||
gen_require(`
|
||||
type avahi_t;
|
||||
')
|
||||
|
||||
allow $1 avahi_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(avahi, 1.10.2)
|
||||
policy_module(avahi, 1.10.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -15,6 +15,7 @@
|
||||
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
|
||||
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
|
||||
@ -173,7 +173,7 @@ interface(`bluetooth_dontaudit_read_helper_state',`
|
||||
interface(`bluetooth_admin',`
|
||||
gen_require(`
|
||||
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
|
||||
type bluetooth_var_lib_t, bluetooth_var_run_t;
|
||||
type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
|
||||
type bluetooth_conf_t, bluetooth_conf_rw_t;
|
||||
type bluetooth_initrc_exec_t;
|
||||
')
|
||||
@ -196,6 +196,9 @@ interface(`bluetooth_admin',`
|
||||
admin_pattern($1, bluetooth_conf_t)
|
||||
admin_pattern($1, bluetooth_conf_rw_t)
|
||||
|
||||
files_list_spool($1)
|
||||
admin_pattern($1, bluetooth_spool_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, bluetooth_var_lib_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bluetooth, 3.1.2)
|
||||
policy_module(bluetooth, 3.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -93,6 +93,7 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(bluetooth_t)
|
||||
kernel_read_system_state(bluetooth_t)
|
||||
kernel_read_network_state(bluetooth_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(bluetooth_t)
|
||||
corenet_all_recvfrom_netlabel(bluetooth_t)
|
||||
@ -147,10 +148,10 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
cups_dbus_chat(bluetooth_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(bluetooth_t)
|
||||
hal_dbus_chat(bluetooth_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -15,7 +15,9 @@ interface(`cvs_read_data',`
|
||||
type cvs_data_t;
|
||||
')
|
||||
|
||||
allow $1 cvs_data_t:file { getattr read };
|
||||
list_dirs_pattern($1, cvs_data_t, cvs_data_t)
|
||||
read_files_pattern($1, cvs_data_t, cvs_data_t)
|
||||
read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cvs, 1.7.2)
|
||||
policy_module(cvs, 1.7.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -4,4 +4,6 @@
|
||||
|
||||
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
|
||||
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
|
||||
|
||||
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||
|
||||
@ -39,6 +39,25 @@ interface(`dnsmasq_signal',`
|
||||
allow $1 dnsmasq_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send dnsmasq a signull
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`dnsmasq_signull',`
|
||||
gen_require(`
|
||||
type dnsmasq_t;
|
||||
')
|
||||
|
||||
allow $1 dnsmasq_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send dnsmasq a kill signal.
|
||||
@ -58,6 +77,44 @@ interface(`dnsmasq_kill',`
|
||||
allow $1 dnsmasq_t:process sigkill;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete dnsmasq pid files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`dnsmasq_delete_pid_files',`
|
||||
gen_require(`
|
||||
type dnsmasq_var_run_t;
|
||||
')
|
||||
|
||||
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read dnsmasq pid files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`dnsmasq_read_pid_files',`
|
||||
gen_require(`
|
||||
type dnsmasq_var_run_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dnsmasq, 1.7.1)
|
||||
policy_module(dnsmasq, 1.7.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -69,23 +69,20 @@ domain_use_interactive_fds(dnsmasq_t)
|
||||
|
||||
# allow access to dnsmasq.conf
|
||||
files_read_etc_files(dnsmasq_t)
|
||||
files_read_etc_runtime_files(dnsmasq_t)
|
||||
|
||||
fs_getattr_all_fs(dnsmasq_t)
|
||||
fs_search_auto_mountpoints(dnsmasq_t)
|
||||
|
||||
auth_use_nsswitch(dnsmasq_t)
|
||||
|
||||
logging_send_syslog_msg(dnsmasq_t)
|
||||
|
||||
miscfiles_read_localization(dnsmasq_t)
|
||||
|
||||
sysnet_read_config(dnsmasq_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
|
||||
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(dnsmasq_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(dnsmasq_t)
|
||||
')
|
||||
@ -96,4 +93,5 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
virt_manage_lib_files(dnsmasq_t)
|
||||
virt_read_pid_files(dnsmasq_t)
|
||||
')
|
||||
|
||||
@ -19,6 +19,7 @@
|
||||
|
||||
/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
||||
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
||||
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
||||
/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kerberos, 1.9.2)
|
||||
policy_module(kerberos, 1.9.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -290,6 +290,7 @@ corenet_tcp_sendrecv_generic_if(kpropd_t)
|
||||
corenet_tcp_sendrecv_generic_node(kpropd_t)
|
||||
corenet_tcp_sendrecv_all_ports(kpropd_t)
|
||||
corenet_tcp_bind_generic_node(kpropd_t)
|
||||
corenet_tcp_bind_kprop_port(kpropd_t)
|
||||
|
||||
dev_read_urand(kpropd_t)
|
||||
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
# /etc
|
||||
#
|
||||
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
|
||||
/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
|
||||
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
|
||||
@ -44,6 +44,24 @@ interface(`openvpn_run',`
|
||||
role $2 types openvpn_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send OPENVPN clients the kill signal.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`openvpn_kill',`
|
||||
gen_require(`
|
||||
type openvpn_t;
|
||||
')
|
||||
|
||||
allow $1 openvpn_t:process sigkill;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic signals to OPENVPN clients.
|
||||
@ -62,6 +80,24 @@ interface(`openvpn_signal',`
|
||||
allow $1 openvpn_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send signulls to OPENVPN clients.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`openvpn_signull',`
|
||||
gen_require(`
|
||||
type openvpn_t;
|
||||
')
|
||||
|
||||
allow $1 openvpn_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(openvpn, 1.7.2)
|
||||
policy_module(openvpn, 1.7.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -22,6 +22,9 @@ init_daemon_domain(openvpn_t, openvpn_exec_t)
|
||||
type openvpn_etc_t;
|
||||
files_config_file(openvpn_etc_t)
|
||||
|
||||
type openvpn_etc_rw_t;
|
||||
files_config_file(openvpn_etc_rw_t)
|
||||
|
||||
type openvpn_initrc_exec_t;
|
||||
init_script_file(openvpn_initrc_exec_t)
|
||||
|
||||
@ -40,6 +43,7 @@ files_pid_file(openvpn_var_run_t)
|
||||
|
||||
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
|
||||
allow openvpn_t self:process { signal getsched };
|
||||
allow openvpn_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
@ -47,11 +51,13 @@ allow openvpn_t self:udp_socket create_socket_perms;
|
||||
allow openvpn_t self:tcp_socket server_stream_socket_perms;
|
||||
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
|
||||
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
|
||||
can_exec(openvpn_t, openvpn_etc_t)
|
||||
read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
|
||||
read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
|
||||
|
||||
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
|
||||
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
|
||||
|
||||
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
|
||||
|
||||
@ -99,6 +105,8 @@ miscfiles_read_certs(openvpn_t)
|
||||
|
||||
sysnet_dns_name_resolve(openvpn_t)
|
||||
sysnet_exec_ifconfig(openvpn_t)
|
||||
sysnet_write_config(openvpn_t)
|
||||
sysnet_etc_filetrans_config(openvpn_t)
|
||||
|
||||
userdom_use_user_terminals(openvpn_t)
|
||||
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
|
||||
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
|
||||
/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
|
||||
/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
|
||||
|
||||
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(pcscd, 1.4.2)
|
||||
policy_module(pcscd, 1.4.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -27,9 +27,10 @@ allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow pcscd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow pcscd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
|
||||
manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
|
||||
manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
|
||||
files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file })
|
||||
files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
|
||||
|
||||
corenet_all_recvfrom_unlabeled(pcscd_t)
|
||||
corenet_all_recvfrom_netlabel(pcscd_t)
|
||||
@ -56,6 +57,14 @@ miscfiles_read_localization(pcscd_t)
|
||||
|
||||
sysnet_dns_name_resolve(pcscd_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(pcscd_t)
|
||||
|
||||
optional_policy(`
|
||||
hal_dbus_chat(pcscd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
openct_stream_connect(pcscd_t)
|
||||
openct_read_pid_files(pcscd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(radvd, 1.10.2)
|
||||
policy_module(radvd, 1.10.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -22,7 +22,7 @@ files_config_file(radvd_etc_t)
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
allow radvd_t self:capability { setgid setuid net_raw };
|
||||
allow radvd_t self:capability { setgid setuid net_raw net_admin };
|
||||
dontaudit radvd_t self:capability sys_tty_config;
|
||||
allow radvd_t self:process signal_perms;
|
||||
allow radvd_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rlogin, 1.8.2)
|
||||
policy_module(rlogin, 1.8.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -90,9 +90,21 @@ userdom_read_user_home_content_files(rlogind_t)
|
||||
remotelogin_domtrans(rlogind_t)
|
||||
remotelogin_signal(rlogind_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_list_nfs(rlogind_t)
|
||||
fs_read_nfs_files(rlogind_t)
|
||||
fs_read_nfs_symlinks(rlogind_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_list_cifs(rlogind_t)
|
||||
fs_read_cifs_files(rlogind_t)
|
||||
fs_read_cifs_symlinks(rlogind_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(rlogind_t)
|
||||
kerberos_read_keytab(rlogind_t)
|
||||
kerberos_keytab_template(rlogind, rlogind_t)
|
||||
kerberos_manage_host_rcache(rlogind_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rsync, 1.8.2)
|
||||
policy_module(rsync, 1.8.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -119,5 +119,9 @@ optional_policy(`
|
||||
|
||||
tunable_policy(`rsync_export_all_ro',`
|
||||
fs_read_noxattr_fs_files(rsync_t)
|
||||
auth_read_all_dirs_except_shadow(rsync_t)
|
||||
auth_read_all_files_except_shadow(rsync_t)
|
||||
auth_read_all_symlinks_except_shadow(rsync_t)
|
||||
auth_tunable_read_shadow(rsync_t)
|
||||
')
|
||||
auth_can_read_shadow_passwords(rsync_t)
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
|
||||
/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0)
|
||||
|
||||
/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
|
||||
|
||||
/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
|
||||
|
||||
/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(stunnel, 1.8.2)
|
||||
policy_module(stunnel, 1.8.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -54,6 +54,8 @@ kernel_read_kernel_sysctls(stunnel_t)
|
||||
kernel_read_system_state(stunnel_t)
|
||||
kernel_read_network_state(stunnel_t)
|
||||
|
||||
corecmd_exec_bin(stunnel_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(stunnel_t)
|
||||
corenet_all_recvfrom_netlabel(stunnel_t)
|
||||
corenet_tcp_sendrecv_generic_if(stunnel_t)
|
||||
@ -105,6 +107,7 @@ ifdef(`distro_gentoo', `
|
||||
dev_read_urand(stunnel_t)
|
||||
|
||||
files_read_etc_files(stunnel_t)
|
||||
files_read_etc_runtime_files(stunnel_t)
|
||||
files_search_home(stunnel_t)
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
|
||||
/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
|
||||
/usr/lib(64)?/sa/sadc -- gen_context(system_u:object_r:sysstat_exec_t,s0)
|
||||
/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
|
||||
/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
|
||||
|
||||
/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sysstat, 1.4.0)
|
||||
policy_module(sysstat, 1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -19,13 +19,14 @@ logging_log_file(sysstat_log_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow sysstat_t self:capability sys_resource;
|
||||
allow sysstat_t self:capability { sys_resource sys_tty_config };
|
||||
dontaudit sysstat_t self:capability sys_admin;
|
||||
allow sysstat_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
can_exec(sysstat_t, sysstat_exec_t)
|
||||
|
||||
manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
||||
read_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
||||
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
|
||||
|
||||
# get info from /proc
|
||||
|
||||
@ -6,4 +6,6 @@
|
||||
/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
|
||||
/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
|
||||
|
||||
/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
|
||||
|
||||
/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(uucp, 1.9.2)
|
||||
policy_module(uucp, 1.9.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,9 @@ type uucpd_exec_t;
|
||||
inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
|
||||
role system_r types uucpd_t;
|
||||
|
||||
type uucpd_lock_t;
|
||||
files_lock_file(uucpd_lock_t)
|
||||
|
||||
type uucpd_tmp_t;
|
||||
files_tmp_file(uucpd_tmp_t)
|
||||
|
||||
@ -58,6 +61,10 @@ manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
|
||||
|
||||
uucp_manage_spool(uucpd_t)
|
||||
|
||||
manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
|
||||
manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
|
||||
files_search_locks(uucpd_t)
|
||||
|
||||
manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
|
||||
manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
|
||||
files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
|
||||
|
||||
Loading…
Reference in New Issue
Block a user