patch from dan
parent
59d721e004
commit
a524921aa4
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(alsa,1.0.0)
|
policy_module(alsa,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -34,6 +34,7 @@ allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
|
|||||||
files_read_etc_files(alsa_t)
|
files_read_etc_files(alsa_t)
|
||||||
|
|
||||||
term_use_generic_pty(alsa_t)
|
term_use_generic_pty(alsa_t)
|
||||||
|
term_dontaudit_use_unallocated_tty(alsa_t)
|
||||||
|
|
||||||
libs_use_ld_so(alsa_t)
|
libs_use_ld_so(alsa_t)
|
||||||
libs_use_shared_libs(alsa_t)
|
libs_use_shared_libs(alsa_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(kudzu,1.1.0)
|
policy_module(kudzu,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -73,6 +73,7 @@ storage_read_scsi_generic(kudzu_t)
|
|||||||
storage_read_tape_device(kudzu_t)
|
storage_read_tape_device(kudzu_t)
|
||||||
storage_raw_write_fixed_disk(kudzu_t)
|
storage_raw_write_fixed_disk(kudzu_t)
|
||||||
storage_raw_read_fixed_disk(kudzu_t)
|
storage_raw_read_fixed_disk(kudzu_t)
|
||||||
|
storage_raw_read_removable_device(kudzu_t)
|
||||||
|
|
||||||
term_search_ptys(kudzu_t)
|
term_search_ptys(kudzu_t)
|
||||||
term_dontaudit_use_console(kudzu_t)
|
term_dontaudit_use_console(kudzu_t)
|
||||||
|
@ -3,4 +3,6 @@
|
|||||||
|
|
||||||
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
|
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
|
||||||
|
|
||||||
|
/var/lib/misc/prelink\.* -- gen_context(system_u:object_r:prelink_cache_t,s0)
|
||||||
|
|
||||||
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
|
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
|
||||||
|
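Review bot: The new `/var/lib/misc/prelink\.*` entry escapes the dot and then applies `*` to it, so the pattern matches `prelink` followed only by zero or more literal dots and would miss a name such as `prelink.full` (constructed example). If the intent is every file whose name starts with `prelink.`, the path should read `/var/lib/misc/prelink\..*`. Files the pattern misses would presumably keep the directory's generic label after a relabel, so the `prelink_cache_t` rules in the prelink module would not apply to them.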
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(prelink,1.0.0)
|
policy_module(prelink,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -28,6 +28,7 @@ allow prelink_t self:fifo_file rw_file_perms;
|
|||||||
|
|
||||||
allow prelink_t prelink_cache_t:file manage_file_perms;
|
allow prelink_t prelink_cache_t:file manage_file_perms;
|
||||||
files_filetrans_etc(prelink_t, prelink_cache_t, file)
|
files_filetrans_etc(prelink_t, prelink_cache_t, file)
|
||||||
|
files_filetrans_var_lib(prelink_t, prelink_cache_t, file)
|
||||||
|
|
||||||
allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
|
allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
|
||||||
allow prelink_t prelink_log_t:file { create ra_file_perms };
|
allow prelink_t prelink_log_t:file { create ra_file_perms };
|
||||||
@ -58,6 +59,7 @@ domain_mmap_all_entry_files(prelink_t)
|
|||||||
files_list_all(prelink_t)
|
files_list_all(prelink_t)
|
||||||
files_getattr_all_files(prelink_t)
|
files_getattr_all_files(prelink_t)
|
||||||
files_write_non_security_dir(prelink_t)
|
files_write_non_security_dir(prelink_t)
|
||||||
|
files_read_etc_files(prelink_t)
|
||||||
files_read_etc_runtime_files(prelink_t)
|
files_read_etc_runtime_files(prelink_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(prelink_t)
|
fs_getattr_xattr_fs(prelink_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(readahead,1.1.0)
|
policy_module(readahead,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -27,7 +27,7 @@ files_filetrans_pid(readahead_t,readahead_var_run_t)
|
|||||||
|
|
||||||
kernel_read_kernel_sysctl(readahead_t)
|
kernel_read_kernel_sysctl(readahead_t)
|
||||||
kernel_read_system_state(readahead_t)
|
kernel_read_system_state(readahead_t)
|
||||||
kernel_getattr_core(readahead_t)
|
kernel_dontaudit_getattr_core(readahead_t)
|
||||||
|
|
||||||
dev_read_sysfs(readahead_t)
|
dev_read_sysfs(readahead_t)
|
||||||
dev_getattr_generic_chr_file(readahead_t)
|
dev_getattr_generic_chr_file(readahead_t)
|
||||||
@ -48,6 +48,7 @@ fs_search_auto_mountpoints(readahead_t)
|
|||||||
fs_getattr_all_pipes(readahead_t)
|
fs_getattr_all_pipes(readahead_t)
|
||||||
fs_getattr_all_files(readahead_t)
|
fs_getattr_all_files(readahead_t)
|
||||||
fs_search_ramfs(readahead_t)
|
fs_search_ramfs(readahead_t)
|
||||||
|
fs_read_tmpfs_symlinks(readahead_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(readahead_t)
|
term_dontaudit_use_console(readahead_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(tmpreaper,1.1.0)
|
policy_module(tmpreaper,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -44,6 +44,10 @@ miscfiles_delete_man_pages(tmpreaper_t)
|
|||||||
|
|
||||||
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
|
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
|
||||||
|
|
||||||
|
optional_policy(`lpd',`
|
||||||
|
lpd_manage_spool(tmpreaper_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
|
allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
|
||||||
')
|
')
|
||||||
|
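Review bot: `lpd_manage_spool(tmpreaper_t)` looks broader than a cleaner needs, since by its name it covers creating and writing spool files, while the hunk header shows this module using the delete-only style in `miscfiles_delete_man_pages(tmpreaper_t)`. If the lpd module has, or can gain, a delete-only spool interface, calling that here would hold tmpreaper_t to listing and unlinking. Otherwise a comment above the optional block, for example `# tmpreaper expires stale print spool files`, would record why manage access is accepted. The statements around the new block continue outside the hunk.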
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(slocate,1.0.0)
|
policy_module(slocate,1.0.1)
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
#
|
#
|
||||||
@ -41,6 +41,11 @@ files_read_etc_files(locate_t)
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(locate_t)
|
fs_getattr_xattr_fs(locate_t)
|
||||||
|
|
||||||
|
libs_use_shared_libs(locate_t)
|
||||||
|
libs_use_ld_so(locate_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(locate_t)
|
||||||
|
|
||||||
optional_policy(`cron',`
|
optional_policy(`cron',`
|
||||||
cron_system_entry(locate_t, locate_exec_t)
|
cron_system_entry(locate_t, locate_exec_t)
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(bootloader,1.1.1)
|
policy_module(bootloader,1.1.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -115,6 +115,7 @@ dev_getattr_sysfs_dir(bootloader_t)
|
|||||||
dev_read_raw_memory(bootloader_t)
|
dev_read_raw_memory(bootloader_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(bootloader_t)
|
fs_getattr_xattr_fs(bootloader_t)
|
||||||
|
fs_read_tmpfs_symlinks(bootloader_t)
|
||||||
|
|
||||||
term_getattr_all_user_ttys(bootloader_t)
|
term_getattr_all_user_ttys(bootloader_t)
|
||||||
term_dontaudit_manage_pty_dir(bootloader_t)
|
term_dontaudit_manage_pty_dir(bootloader_t)
|
||||||
|
@ -114,6 +114,11 @@ HOME_ROOT/lost\+found/.* <<none>>
|
|||||||
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
|
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
|
||||||
/media/[^/]*/.* <<none>>
|
/media/[^/]*/.* <<none>>
|
||||||
|
|
||||||
|
#
|
||||||
|
# /misc
|
||||||
|
#
|
||||||
|
/misc -d gen_context(system_u:object_r:mnt_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /mnt
|
# /mnt
|
||||||
#
|
#
|
||||||
|
@ -352,12 +352,11 @@ interface(`files_dontaudit_list_non_security',`
|
|||||||
interface(`files_getattr_all_files',`
|
interface(`files_getattr_all_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute file_type;
|
attribute file_type;
|
||||||
class dir search;
|
|
||||||
class file getattr;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 file_type:dir search;
|
allow $1 file_type:dir search;
|
||||||
allow $1 file_type:file getattr;
|
allow $1 file_type:file getattr;
|
||||||
|
allow $1 file_type:lnk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
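Review bot: The added `allow $1 file_type:lnk_file getattr;` widens `files_getattr_all_files` for every existing caller, so a domain that asked only for getattr on regular files now also gets it on every symlink whose type carries the `file_type` attribute. The interface's summary comment sits above the hunk and is not shown; it should say that symlinks are covered, for example `## Get the attributes of all files and symbolic links.`. Alternatively the new rule could go into an interface of its own so that callers opt in to the symlink access.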
@ -2293,6 +2293,23 @@ interface(`fs_rw_tmpfs_file',`
|
|||||||
allow $1 tmpfs_t:file rw_file_perms;
|
allow $1 tmpfs_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read tmpfs link files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_read_tmpfs_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
type tmpfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
fs_search_tmpfs($1)
|
||||||
|
allow $1 tmpfs_t:lnk_file read;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write character nodes on tmpfs filesystems.
|
## Read and write character nodes on tmpfs filesystems.
|
||||||
|
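Review bot: `fs_read_tmpfs_symlinks` grants only `read` on `tmpfs_t:lnk_file`, so a caller that stats the link before following it would still be denied getattr; if that is not intended, the rule could be `allow $1 tmpfs_t:lnk_file { getattr read };`. The summary also says "link files" while the interface name says symlinks. `## Read symbolic links on tmpfs filesystems.` would match the wording of the next interface's summary, "Read and write character nodes on tmpfs filesystems."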
@ -1,5 +1,6 @@
|
|||||||
/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
|
/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
|
||||||
|
|
||||||
|
# Sorting does not work correctly if I combine these next two roles
|
||||||
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
|
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
|
||||||
|
/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
|
||||||
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||||
|
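Review bot: The added comment says "roles" where the two file-context rules are meant, which is confusing in a policy language where role is a distinct concept; `# Sorting does not work correctly if these next two rules are combined` would read correctly. It would also help to name the combined pattern that was tried, because the new `/bin/dbus-daemon` entry drops the `(-1)?` suffix that the `/usr/bin` entry keeps, and a reader cannot tell whether that difference is deliberate.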
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(procmail,1.1.1)
|
policy_module(procmail,1.1.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -66,6 +66,7 @@ miscfiles_read_localization(procmail_t)
|
|||||||
userdom_priveleged_home_dir_manager(procmail_t)
|
userdom_priveleged_home_dir_manager(procmail_t)
|
||||||
# Do not audit attempts to access /root.
|
# Do not audit attempts to access /root.
|
||||||
userdom_dontaudit_search_sysadm_home_dir(procmail_t)
|
userdom_dontaudit_search_sysadm_home_dir(procmail_t)
|
||||||
|
userdom_dontaudit_search_staff_home_dir(procmail_t)
|
||||||
|
|
||||||
mta_manage_spool(procmail_t)
|
mta_manage_spool(procmail_t)
|
||||||
|
|
||||||
|
@ -6,6 +6,9 @@ template(`xserver_common_domain_template',`
|
|||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
gen_require(`
|
||||||
|
type xkb_var_lib_t, xserver_log_t;
|
||||||
|
')
|
||||||
|
|
||||||
type $1_xserver_t;
|
type $1_xserver_t;
|
||||||
domain_type($1_xserver_t)
|
domain_type($1_xserver_t)
|
||||||
@ -202,6 +205,12 @@ template(`xserver_per_userdomain_template',`
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
gen_require(`
|
||||||
|
type xauth_exec_t;
|
||||||
|
type xserver_exec_t;
|
||||||
|
type iceauth_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
xserver_common_domain_template($1)
|
xserver_common_domain_template($1)
|
||||||
role $3 types $1_xserver_t;
|
role $3 types $1_xserver_t;
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(authlogin,1.2.0)
|
policy_module(authlogin,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -221,10 +221,6 @@ ifdef(`targeted_policy', `
|
|||||||
files_dontaudit_read_root_file(pam_console_t)
|
files_dontaudit_read_root_file(pam_console_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`alsa',`
|
|
||||||
alsa_domtrans(pam_console_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`gpm',`
|
optional_policy(`gpm',`
|
||||||
gpm_getattr_gpmctl(pam_console_t)
|
gpm_getattr_gpmctl(pam_console_t)
|
||||||
gpm_setattr_gpmctl(pam_console_t)
|
gpm_setattr_gpmctl(pam_console_t)
|
||||||
|
@ -81,6 +81,7 @@ fs_remount_xattr_fs(fsadm_t)
|
|||||||
# for /dev/shm
|
# for /dev/shm
|
||||||
fs_search_tmpfs(fsadm_t)
|
fs_search_tmpfs(fsadm_t)
|
||||||
fs_getattr_tmpfs_dir(fsadm_t)
|
fs_getattr_tmpfs_dir(fsadm_t)
|
||||||
|
fs_read_tmpfs_symlinks(fsadm_t)
|
||||||
|
|
||||||
mls_file_write_down(fsadm_t)
|
mls_file_write_down(fsadm_t)
|
||||||
|
|
||||||
|
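Review bot: No `policy_module` version hunk is shown for this module, although the other type-enforcement files changed on this page (alsa, kudzu, lvm, mount and others) each bump theirs alongside the rule change. Unless the fsadm version is bumped elsewhere, the added `fs_read_tmpfs_symlinks(fsadm_t)` ships under an unchanged module version. Adding the bump would keep the module consistent with the rest of the commit.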
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(locallogin,1.1.0)
|
policy_module(locallogin,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -210,13 +210,13 @@ optional_policy(`usermanage',`
|
|||||||
usermanage_read_crack_db(local_login_t)
|
usermanage_read_crack_db(local_login_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`alsa',`
|
||||||
|
alsa_domtrans(local_login_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Login can polyinstantiate
|
# Login can polyinstantiate
|
||||||
polyinstantiater(local_login_t)
|
polyinstantiater(local_login_t)
|
||||||
|
|
||||||
ifdef(`alsa.te', `
|
|
||||||
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
|
|
||||||
')
|
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
@ -282,3 +282,7 @@ ifdef(`sulogin_no_pam', `
|
|||||||
optional_policy(`nis',`
|
optional_policy(`nis',`
|
||||||
nis_use_ypbind(sulogin_t)
|
nis_use_ypbind(sulogin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd',`
|
||||||
|
nscd_use_socket(sulogin_t)
|
||||||
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(logging,1.2.0)
|
policy_module(logging,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -98,10 +98,12 @@ role sysadm_r types auditctl_t;
|
|||||||
audit_manager_domain(secadm_t)
|
audit_manager_domain(secadm_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy', `', `
|
ifdef(`targeted_policy', `', `
|
||||||
ifdef(`separate_secadm', `', `
|
ifdef(`enable_mls', `
|
||||||
|
audit_manager_domain(secadm_t)
|
||||||
|
', `
|
||||||
audit_manager_domain(sysadm_t)
|
audit_manager_domain(sysadm_t)
|
||||||
allow auditctl_t admin_tty_type:chr_file rw_file_perms;
|
|
||||||
')
|
')
|
||||||
|
allow auditctl_t admin_tty_type:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
@ -272,9 +274,6 @@ allow syslogd_t self:udp_socket { connected_socket_perms connect };
|
|||||||
# Create and bind to /dev/log or /var/run/log.
|
# Create and bind to /dev/log or /var/run/log.
|
||||||
allow syslogd_t devlog_t:sock_file create_file_perms;
|
allow syslogd_t devlog_t:sock_file create_file_perms;
|
||||||
files_filetrans_pid(syslogd_t,devlog_t,sock_file)
|
files_filetrans_pid(syslogd_t,devlog_t,sock_file)
|
||||||
# cjp: I belive these are not needed:
|
|
||||||
allow syslogd_t devlog_t:unix_stream_socket name_bind;
|
|
||||||
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
|
|
||||||
|
|
||||||
# create/append log files.
|
# create/append log files.
|
||||||
allow syslogd_t var_log_t:dir rw_dir_perms;
|
allow syslogd_t var_log_t:dir rw_dir_perms;
|
||||||
@ -325,8 +324,7 @@ corenet_udp_sendrecv_all_ports(syslogd_t)
|
|||||||
corenet_non_ipsec_sendrecv(syslogd_t)
|
corenet_non_ipsec_sendrecv(syslogd_t)
|
||||||
corenet_udp_bind_all_nodes(syslogd_t)
|
corenet_udp_bind_all_nodes(syslogd_t)
|
||||||
corenet_tcp_bind_syslogd_port(syslogd_t)
|
corenet_tcp_bind_syslogd_port(syslogd_t)
|
||||||
#cjp: why?
|
corenet_udp_bind_syslogd_port(syslogd_t)
|
||||||
corenet_tcp_connect_rsh_port(syslogd_t)
|
|
||||||
|
|
||||||
fs_getattr_all_fs(syslogd_t)
|
fs_getattr_all_fs(syslogd_t)
|
||||||
|
|
||||||
|
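Review bot: In the `enable_mls` branch added inside the TODO block, `audit_manager_domain(secadm_t)` repeats the unconditional call on the context line directly above the `targeted_policy` test, so as shown the branch adds nothing. Leaving the MLS branch empty, as the old `separate_secadm` test did, would express the same policy without the duplicate. Separately, `corenet_tcp_bind_syslogd_port(syslogd_t)` remains as context next to the new `corenet_udp_bind_syslogd_port(syslogd_t)`; if the TCP bind was only standing in for the missing UDP one, it can now be dropped.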
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(lvm,1.2.0)
|
policy_module(lvm,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -198,6 +198,7 @@ dev_dontaudit_getattr_generic_pipe(lvm_t)
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(lvm_t)
|
fs_getattr_xattr_fs(lvm_t)
|
||||||
fs_search_auto_mountpoints(lvm_t)
|
fs_search_auto_mountpoints(lvm_t)
|
||||||
|
fs_read_tmpfs_symlinks(lvm_t)
|
||||||
|
|
||||||
storage_relabel_fixed_disk(lvm_t)
|
storage_relabel_fixed_disk(lvm_t)
|
||||||
# LVM creates block devices in /dev/mapper or /dev/<vg>
|
# LVM creates block devices in /dev/mapper or /dev/<vg>
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mount,1.2.0)
|
policy_module(mount,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -46,6 +46,7 @@ fs_remount_all_fs(mount_t)
|
|||||||
fs_relabelfrom_all_fs(mount_t)
|
fs_relabelfrom_all_fs(mount_t)
|
||||||
fs_search_auto_mountpoints(mount_t)
|
fs_search_auto_mountpoints(mount_t)
|
||||||
fs_use_tmpfs_chr_dev(mount_t)
|
fs_use_tmpfs_chr_dev(mount_t)
|
||||||
|
fs_read_tmpfs_symlinks(mount_t)
|
||||||
|
|
||||||
term_use_all_terms(mount_t)
|
term_use_all_terms(mount_t)
|
||||||
|
|
||||||
|
@ -219,7 +219,6 @@ template(`base_user_template',`
|
|||||||
corecmd_exec_sbin($1_t)
|
corecmd_exec_sbin($1_t)
|
||||||
corecmd_exec_ls($1_t)
|
corecmd_exec_ls($1_t)
|
||||||
|
|
||||||
domain_exec_all_entry_files($1_t)
|
|
||||||
domain_use_wide_inherit_fd($1_t)
|
domain_use_wide_inherit_fd($1_t)
|
||||||
# When the user domain runs ps, there will be a number of access
|
# When the user domain runs ps, there will be a number of access
|
||||||
# denials when ps tries to search /proc. Do not audit these denials.
|
# denials when ps tries to search /proc. Do not audit these denials.
|
||||||
@ -533,6 +532,7 @@ template(`unpriv_user_template', `
|
|||||||
|
|
||||||
typeattribute $1_t unpriv_userdomain;
|
typeattribute $1_t unpriv_userdomain;
|
||||||
domain_wide_inherit_fd($1_t)
|
domain_wide_inherit_fd($1_t)
|
||||||
|
domain_exec_all_entry_files($1_t)
|
||||||
|
|
||||||
typeattribute $1_devpts_t user_ptynode;
|
typeattribute $1_devpts_t user_ptynode;
|
||||||
|
|
||||||
|
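Review bot: `domain_exec_all_entry_files($1_t)` moves into `unpriv_user_template` without a comment, and by its name it is a wide grant: the user domain may execute every domain entry point file in its own context. A line above it such as `# Run entry point programs in the user domain when no transition applies` would show that the grant is deliberate and why it belongs to unprivileged users, not the base template. Both templates begin and end outside the hunks, so the surrounding rules cannot be checked from here.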
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain,1.2.2)
|
policy_module(userdomain,1.2.3)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r, secadm_r;
|
role sysadm_r, staff_r, user_r, secadm_r;
|
||||||
@ -145,6 +145,8 @@ ifdef(`targeted_policy',`
|
|||||||
allow sysadm_t user_home_dir_t:dir create_dir_perms;
|
allow sysadm_t user_home_dir_t:dir create_dir_perms;
|
||||||
files_filetrans_home(sysadm_t,user_home_dir_t)
|
files_filetrans_home(sysadm_t,user_home_dir_t)
|
||||||
|
|
||||||
|
corecmd_exec_shell(sysadm_t)
|
||||||
|
|
||||||
mls_process_read_up(sysadm_t)
|
mls_process_read_up(sysadm_t)
|
||||||
|
|
||||||
logging_read_audit_log(sysadm_t)
|
logging_read_audit_log(sysadm_t)
|
||||||
@ -194,6 +196,10 @@ ifdef(`targeted_policy',`
|
|||||||
certwatach_run(sysadm_t,sysadm_r,admin_terminal)
|
certwatach_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`consoletype',`
|
||||||
|
consoletype_exec(sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`ddcprobe',`
|
optional_policy(`ddcprobe',`
|
||||||
ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
|
ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
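Review bot: `consoletype_exec(sysadm_t)` runs consoletype inside sysadm_t, whereas the neighbouring optional blocks use the `_run` form with a role and terminal, as in `ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)`, which by convention moves the helper into its own domain. If the consoletype module provides a matching run interface, using it would keep the pattern; if exec is intended, a short comment saying why would help. The context line `certwatach_run(sysadm_t,sysadm_r,admin_terminal)` also looks like a misspelling of certwatch; it is outside this change but worth checking.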