fix bugs uncovered from sediff
This commit is contained in:
Chris PeBenito
parent
aa8995afd6
commit
9d3bdc25af
@ -53,7 +53,7 @@ domain_use_wide_inherit_fd(acct_t)
|
||||
files_read_etc_files(acct_t)
|
||||
files_read_etc_runtime_files(acct_t)
|
||||
# for nscd
|
||||
files_dontaudit_getattr_pid_dir(acct_t)
|
||||
files_dontaudit_search_pids(acct_t)
|
||||
|
||||
init_use_fd(acct_t)
|
||||
init_use_script_pty(acct_t)
|
||||
|
||||
@ -18,8 +18,7 @@ role system_r types consoletype_t;
|
||||
#
|
||||
|
||||
allow consoletype_t self:capability sys_admin;
|
||||
|
||||
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow consoletype_t self:fd use;
|
||||
allow consoletype_t self:fifo_file rw_file_perms;
|
||||
allow consoletype_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@ -30,7 +30,7 @@ allow logrotate_t self:capability { chown dac_override dac_read_search kill fset
|
||||
# for mailx
|
||||
dontaudit logrotate_t self:capability { setuid setgid };
|
||||
|
||||
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
|
||||
# Set a context other than the default one for newly created files.
|
||||
allow logrotate_t self:process setfscreate;
|
||||
|
||||
@ -55,8 +55,8 @@ domain_entry_file(rpmbuild_t,rpmbuild_exec_t)
|
||||
# rpm Local policy
|
||||
#
|
||||
|
||||
allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
|
||||
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
|
||||
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
|
||||
allow rpm_t self:fd use;
|
||||
allow rpm_t self:fifo_file rw_file_perms;
|
||||
@ -204,7 +204,7 @@ allow rpm_t sysadm_gph_t:fd use;
|
||||
#
|
||||
|
||||
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
|
||||
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow rpm_script_t self:fd use;
|
||||
allow rpm_script_t self:fifo_file rw_file_perms;
|
||||
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@ -51,7 +51,7 @@ template(`sudo_per_userdomain_template',`
|
||||
|
||||
# Use capabilities.
|
||||
allow $1_sudo_t self:capability { setuid setgid dac_override sys_resource };
|
||||
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow $1_sudo_t self:process { setexec setrlimit };
|
||||
allow $1_sudo_t self:fd use;
|
||||
allow $1_sudo_t self:fifo_file rw_file_perms;
|
||||
|
||||
@ -18,6 +18,7 @@ type chfn_exec_t;
|
||||
domain_entry_file(chfn_t,chfn_exec_t)
|
||||
|
||||
type crack_t;
|
||||
domain_type(crack_t)
|
||||
role system_r types crack_t;
|
||||
|
||||
type crack_exec_t;
|
||||
@ -63,7 +64,7 @@ role system_r types useradd_t;
|
||||
#
|
||||
|
||||
allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
|
||||
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow chfn_t self:process { setrlimit setfscreate };
|
||||
allow chfn_t self:fd use;
|
||||
allow chfn_t self:fifo_file rw_file_perms;
|
||||
@ -195,7 +196,7 @@ dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
|
||||
|
||||
allow groupadd_t self:capability { dac_override chown kill setuid sys_resource };
|
||||
dontaudit groupadd_t self:capability fsetid;
|
||||
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow groupadd_t self:process { setrlimit setfscreate };
|
||||
allow groupadd_t self:fd use;
|
||||
allow groupadd_t self:fifo_file rw_file_perms;
|
||||
@ -279,7 +280,7 @@ dontaudit groupadd_t sysadm_home_dir_t:dir search;
|
||||
#
|
||||
|
||||
allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
|
||||
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow passwd_t self:process { setrlimit setfscreate };
|
||||
allow passwd_t self:fd use;
|
||||
allow passwd_t self:fifo_file rw_file_perms;
|
||||
@ -368,7 +369,7 @@ dontaudit passwd_t var_run_t:dir search;
|
||||
#
|
||||
|
||||
allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
|
||||
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow sysadm_passwd_t self:process { setrlimit setfscreate };
|
||||
allow sysadm_passwd_t self:fd use;
|
||||
allow sysadm_passwd_t self:fifo_file rw_file_perms;
|
||||
@ -466,7 +467,7 @@ dontaudit sysadm_passwd_t selinux_config_t:dir search;
|
||||
#
|
||||
|
||||
allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
|
||||
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow useradd_t self:process setfscreate;
|
||||
allow useradd_t self:fd use;
|
||||
allow useradd_t self:fifo_file rw_file_perms;
|
||||
|
||||
@ -99,7 +99,7 @@ storage_raw_read_removable_device(bootloader_t)
|
||||
storage_raw_write_removable_device(bootloader_t)
|
||||
|
||||
dev_getattr_all_chr_files(bootloader_t)
|
||||
dev_setattr_all_blk_files(bootloader_t)
|
||||
dev_getattr_all_blk_files(bootloader_t)
|
||||
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
|
||||
dev_read_rand(bootloader_t)
|
||||
dev_read_urand(bootloader_t)
|
||||
|
||||
@ -51,7 +51,7 @@ files_tmp_file(system_crond_tmp_t)
|
||||
|
||||
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
|
||||
dontaudit crond_t self:capability { sys_resource sys_tty_config };
|
||||
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow crond_t self:process setexec;
|
||||
allow crond_t self:fd use;
|
||||
allow crond_t self:fifo_file rw_file_perms;
|
||||
|
||||
@ -24,7 +24,7 @@ files_tmp_file(remote_login_tmp_t)
|
||||
#
|
||||
|
||||
allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
|
||||
allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow remote_login_t self:process { setrlimit setexec };
|
||||
allow remote_login_t self:fd use;
|
||||
allow remote_login_t self:fifo_file rw_file_perms;
|
||||
|
||||
@ -49,7 +49,7 @@ template(`ssh_per_userdomain_template',`
|
||||
# $1_ssh_t local policy
|
||||
#
|
||||
allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
|
||||
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow $1_ssh_t self:fd use;
|
||||
allow $1_ssh_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow $1_ssh_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
|
||||
@ -70,7 +70,7 @@ logging_log_file(wtmp_t)
|
||||
# PAM local policy
|
||||
#
|
||||
|
||||
allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
dontaudit pam_t self:capability sys_tty_config;
|
||||
|
||||
allow pam_t self:fd use;
|
||||
|
||||
@ -412,7 +412,7 @@ interface(`domain_dontaudit_getsession_all_domains',`
|
||||
class process getsession;
|
||||
')
|
||||
|
||||
allow $1 domain:process getsession;
|
||||
dontaudit $1 domain:process getsession;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -24,7 +24,7 @@ files_type(swapfile_t)
|
||||
|
||||
# ipc_lock is for losetup
|
||||
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
|
||||
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
|
||||
allow fsadm_t self:fd use;
|
||||
allow fsadm_t self:fifo_file rw_file_perms;
|
||||
allow fsadm_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@ -258,6 +258,7 @@ domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_wide_inherit_fd(initrc_t)
|
||||
domain_exec_all_entry_files(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||
|
||||
@ -33,8 +33,8 @@ role system_r types sulogin_t;
|
||||
# Local login local policy
|
||||
#
|
||||
|
||||
allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
|
||||
allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
|
||||
allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow local_login_t self:process { setrlimit setexec };
|
||||
allow local_login_t self:fd use;
|
||||
allow local_login_t self:fifo_file rw_file_perms;
|
||||
@ -216,7 +216,7 @@ optional_policy(`locallogin.te',`
|
||||
# Sulogin local policy
|
||||
#
|
||||
|
||||
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow sulogin_t self:fd use;
|
||||
allow sulogin_t self:fifo_file rw_file_perms;
|
||||
allow sulogin_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@ -51,7 +51,7 @@ files_type(var_log_t)
|
||||
|
||||
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
|
||||
dontaudit auditd_t self:capability sys_tty_config;
|
||||
allow auditd_t self:process setsched;
|
||||
allow auditd_t self:process { signal_perms setsched };
|
||||
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||
|
||||
allow auditd_t var_log_t:dir search;
|
||||
|
||||
@ -174,7 +174,7 @@ userdom_use_all_user_fd(load_policy_t)
|
||||
|
||||
allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
|
||||
|
||||
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow newrole_t self:process setexec;
|
||||
allow newrole_t self:fd use;
|
||||
allow newrole_t self:fifo_file rw_file_perms;
|
||||
|
||||
@ -217,7 +217,7 @@ dontaudit dhcpc_t domain:dir getattr;
|
||||
# Ifconfig local policy
|
||||
#
|
||||
|
||||
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow ifconfig_t self:capability net_admin;
|
||||
dontaudit ifconfig_t self:capability sys_module;
|
||||
|
||||
|
||||
@ -35,7 +35,7 @@ files_pid_file(udev_var_run_t)
|
||||
#
|
||||
|
||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
|
||||
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow udev_t self:process { execmem setfscreate };
|
||||
allow udev_t self:fd use;
|
||||
allow udev_t self:fifo_file rw_file_perms;
|
||||
|
||||
@ -60,7 +60,7 @@ template(`base_user_template',`
|
||||
|
||||
allow $1_t self:capability { setgid chown fowner };
|
||||
dontaudit $1_t self:capability { sys_nice fsetid };
|
||||
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow $1_t self:process { ptrace setfscreate };
|
||||
allow $1_t self:fd use;
|
||||
allow $1_t self:fifo_file rw_file_perms;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user