gentoo testing fixes
This commit is contained in:
parent
cf7af137c0
commit
bf469d7669
@ -40,6 +40,25 @@ interface(`corenet_udp_send_generic_if',`
|
|||||||
allow $1 netif_t:netif udp_send;
|
allow $1 netif_t:netif udp_send;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Dontaudit attempts to send UDP network traffic
|
||||||
|
## on generic interfaces.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_udp_send_generic_if',`
|
||||||
|
gen_require(`
|
||||||
|
type netif_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 netif_t:netif udp_send;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Receive UDP network traffic on generic interfaces.
|
## Receive UDP network traffic on generic interfaces.
|
||||||
@ -58,6 +77,25 @@ interface(`corenet_udp_receive_generic_if',`
|
|||||||
allow $1 netif_t:netif udp_recv;
|
allow $1 netif_t:netif udp_recv;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to receive UDP network
|
||||||
|
## traffic on generic interfaces.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_udp_receive_generic_if',`
|
||||||
|
gen_require(`
|
||||||
|
type netif_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 netif_t:netif udp_recv;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and Receive UDP network traffic on generic interfaces.
|
## Send and Receive UDP network traffic on generic interfaces.
|
||||||
@ -73,6 +111,22 @@ interface(`corenet_udp_sendrecv_generic_if',`
|
|||||||
corenet_udp_receive_generic_if($1)
|
corenet_udp_receive_generic_if($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to send and receive UDP network
|
||||||
|
## traffic on generic interfaces.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_udp_sendrecv_generic_if',`
|
||||||
|
corenet_dontaudit_udp_send_generic_if($1)
|
||||||
|
corenet_dontaudit_udp_receive_generic_if($1)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send raw IP packets on generic interfaces.
|
## Send raw IP packets on generic interfaces.
|
||||||
@ -436,6 +490,25 @@ interface(`corenet_udp_send_all_nodes',`
|
|||||||
allow $1 node_type:node udp_send;
|
allow $1 node_type:node udp_send;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to send UDP network
|
||||||
|
## traffic on any nodes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_udp_send_all_nodes',`
|
||||||
|
gen_require(`
|
||||||
|
attribute node_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 node_type:node udp_send;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Receive UDP network traffic on all nodes.
|
## Receive UDP network traffic on all nodes.
|
||||||
@ -454,6 +527,25 @@ interface(`corenet_udp_receive_all_nodes',`
|
|||||||
allow $1 node_type:node udp_recv;
|
allow $1 node_type:node udp_recv;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to receive UDP
|
||||||
|
## network traffic on all nodes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_udp_receive_all_nodes',`
|
||||||
|
gen_require(`
|
||||||
|
attribute node_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 node_type:node udp_recv;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive UDP network traffic on all nodes.
|
## Send and receive UDP network traffic on all nodes.
|
||||||
@ -469,6 +561,22 @@ interface(`corenet_udp_sendrecv_all_nodes',`
|
|||||||
corenet_udp_receive_all_nodes($1)
|
corenet_udp_receive_all_nodes($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to send and receive UDP
|
||||||
|
## network traffic on any nodes nodes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_udp_sendrecv_all_nodes',`
|
||||||
|
corenet_dontaudit_udp_send_all_nodes($1)
|
||||||
|
corenet_dontaudit_udp_receive_all_nodes($1)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send raw IP packets on all nodes.
|
## Send raw IP packets on all nodes.
|
||||||
@ -1310,6 +1418,22 @@ interface(`corenet_non_ipsec_sendrecv',`
|
|||||||
kernel_sendrecv_unlabeled_association($1)
|
kernel_sendrecv_unlabeled_association($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to send and receive
|
||||||
|
## messages on a non-encrypted (no IPSEC) network
|
||||||
|
## session.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_non_ipsec_sendrecv',`
|
||||||
|
kernel_dontaudit_sendrecv_unlabeled_association($1)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send generic client packets.
|
## Send generic client packets.
|
||||||
|
@ -358,6 +358,25 @@ interface(`corenet_udp_send_$1_port',`
|
|||||||
allow dollarsone $1_$2:udp_socket send_msg;
|
allow dollarsone $1_$2:udp_socket send_msg;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to send UDP traffic on the $1 port.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <infoflow type="none"/>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_udp_send_$1_port',`
|
||||||
|
gen_require(`
|
||||||
|
$3 $1_$2;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit dollarsone $1_$2:udp_socket send_msg;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Receive UDP traffic on the $1 port.
|
## Receive UDP traffic on the $1 port.
|
||||||
@ -377,6 +396,25 @@ interface(`corenet_udp_receive_$1_port',`
|
|||||||
allow dollarsone $1_$2:udp_socket recv_msg;
|
allow dollarsone $1_$2:udp_socket recv_msg;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to receive UDP traffic on the $1 port.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <infoflow type="none"/>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_udp_receive_$1_port',`
|
||||||
|
gen_require(`
|
||||||
|
$3 $1_$2;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit dollarsone $1_$2:udp_socket recv_msg;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive UDP traffic on the $1 port.
|
## Send and receive UDP traffic on the $1 port.
|
||||||
@ -393,6 +431,23 @@ interface(`corenet_udp_sendrecv_$1_port',`
|
|||||||
corenet_udp_receive_$1_port(dollarsone)
|
corenet_udp_receive_$1_port(dollarsone)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to send and receive
|
||||||
|
## UDP traffic on the $1 port.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <infoflow type="none"/>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_udp_sendrecv_$1_port',`
|
||||||
|
corenet_dontaudit_udp_send_$1_port(dollarsone)
|
||||||
|
corenet_dontaudit_udp_receive_$1_port(dollarsone)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Bind TCP sockets to the $1 port.
|
## Bind TCP sockets to the $1 port.
|
||||||
@ -472,6 +527,25 @@ interface(`corenet_send_$1_packets',`
|
|||||||
allow dollarsone $1_packet_t:packet send;
|
allow dollarsone $1_packet_t:packet send;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to send $1 packets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <infoflow type="none"/>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_send_$1_packets',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_packet_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit dollarsone $1_packet_t:packet send;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Receive $1 packets.
|
## Receive $1 packets.
|
||||||
@ -491,6 +565,25 @@ interface(`corenet_receive_$1_packets',`
|
|||||||
allow dollarsone $1_packet_t:packet recv;
|
allow dollarsone $1_packet_t:packet recv;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to receive $1 packets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <infoflow type="none"/>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_receive_$1_packets',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_packet_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit dollarsone $1_packet_t:packet recv;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive $1 packets.
|
## Send and receive $1 packets.
|
||||||
@ -507,6 +600,22 @@ interface(`corenet_sendrecv_$1_packets',`
|
|||||||
corenet_receive_$1_packets(dollarsone)
|
corenet_receive_$1_packets(dollarsone)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to send and receive $1 packets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <infoflow type="none"/>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_sendrecv_$1_packets',`
|
||||||
|
corenet_dontaudit_send_$1_packets(dollarsone)
|
||||||
|
corenet_dontaudit_receive_$1_packets(dollarsone)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Relabel packets to $1 the packet type.
|
## Relabel packets to $1 the packet type.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corenetwork,1.1.15)
|
policy_module(corenetwork,1.1.16)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -145,6 +145,24 @@ interface(`dev_create_generic_dirs',`
|
|||||||
allow $1 device_t:dir { ra_dir_perms create };
|
allow $1 device_t:dir { ra_dir_perms create };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Delete a directory in the device directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to create the directory.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_delete_generic_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 device_t:dir { del_entry_dir_perms rmdir };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow full relabeling (to and from) of directories in /dev.
|
## Allow full relabeling (to and from) of directories in /dev.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(devices,1.1.21)
|
policy_module(devices,1.1.22)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -3347,27 +3347,6 @@ interface(`files_usr_filetrans',`
|
|||||||
type_transition $1 usr_t:$3 $2;
|
type_transition $1 usr_t:$3 $2;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
## Execute programs in /usr/src in the caller domain.
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
## Domain allowed access.
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
interface(`files_exec_usr_src_files',`
|
|
||||||
gen_require(`
|
|
||||||
type usr_t, src_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
allow $1 usr_t:dir search;
|
|
||||||
allow $1 src_t:dir r_dir_perms;
|
|
||||||
allow $1 src_t:lnk_file r_file_perms;
|
|
||||||
can_exec($1,src_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to search /usr/src.
|
## Do not audit attempts to search /usr/src.
|
||||||
@ -3386,6 +3365,27 @@ interface(`files_dontaudit_search_src',`
|
|||||||
dontaudit $1 src_t:dir search;
|
dontaudit $1 src_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of files in /usr/src.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_getattr_usr_src_files',`
|
||||||
|
gen_require(`
|
||||||
|
type usr_t, src_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 { usr_t src_t }:dir search_dir_perms;
|
||||||
|
|
||||||
|
allow $1 src_t:lnk_file { getattr read };
|
||||||
|
allow $1 src_t:file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read files in /usr/src.
|
## Read files in /usr/src.
|
||||||
@ -3406,6 +3406,27 @@ interface(`files_read_usr_src_files',`
|
|||||||
allow $1 src_t:{ file lnk_file } r_file_perms;
|
allow $1 src_t:{ file lnk_file } r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute programs in /usr/src in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_exec_usr_src_files',`
|
||||||
|
gen_require(`
|
||||||
|
type usr_t, src_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 usr_t:dir search;
|
||||||
|
allow $1 src_t:dir r_dir_perms;
|
||||||
|
allow $1 src_t:lnk_file r_file_perms;
|
||||||
|
can_exec($1,src_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Install a system.map into the /boot directory.
|
## Install a system.map into the /boot directory.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(files,1.2.16)
|
policy_module(files,1.2.17)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -2131,6 +2131,39 @@ interface(`kernel_sendrecv_unlabeled_association',`
|
|||||||
allow $1 unlabeled_t:packet { send recv };
|
allow $1 unlabeled_t:packet { send recv };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to send and receive messages
|
||||||
|
## from an unlabeled IPSEC association.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to send and receive messages
|
||||||
|
## from an unlabeled IPSEC association. Network
|
||||||
|
## connections that are not protected
|
||||||
|
## by IPSEC have use an unlabeled
|
||||||
|
## assocation.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## The corenetwork interface
|
||||||
|
## corenet_dontaudit_non_ipsec_sendrecv() should
|
||||||
|
## be used instead of this one.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
|
||||||
|
gen_require(`
|
||||||
|
type unlabeled_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 unlabeled_t:association { sendto recvfrom };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive unlabeled packets.
|
## Send and receive unlabeled packets.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(kernel,1.3.15)
|
policy_module(kernel,1.3.16)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -470,9 +470,10 @@ template(`ssh_server_template', `
|
|||||||
allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
|
allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
|
||||||
allow $1_t self:fifo_file rw_file_perms;
|
allow $1_t self:fifo_file rw_file_perms;
|
||||||
allow $1_t self:process { signal setsched setrlimit setexec };
|
allow $1_t self:process { signal setsched setrlimit setexec };
|
||||||
|
allow $1_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow $1_t self:tcp_socket { listen accept create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
allow $1_t self:udp_socket create_socket_perms;
|
||||||
allow $1_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
|
# ssh agent connections:
|
||||||
|
allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };
|
allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };
|
||||||
term_create_pty($1_t,$1_devpts_t)
|
term_create_pty($1_t,$1_devpts_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(ssh,1.3.10)
|
policy_module(ssh,1.3.11)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(getty,1.1.3)
|
policy_module(getty,1.1.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -105,6 +105,20 @@ logging_send_syslog_msg(getty_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(getty_t)
|
miscfiles_read_localization(getty_t)
|
||||||
|
|
||||||
|
ifdef(`distro_gentoo',`
|
||||||
|
# Gentoo default /etc/issue makes agetty
|
||||||
|
# do a DNS lookup for the hostname
|
||||||
|
dontaudit getty_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
|
corenet_dontaudit_non_ipsec_sendrecv(getty_t)
|
||||||
|
corenet_dontaudit_udp_sendrecv_generic_if(getty_t)
|
||||||
|
corenet_dontaudit_udp_sendrecv_all_nodes(getty_t)
|
||||||
|
corenet_dontaudit_udp_sendrecv_dns_port(getty_t)
|
||||||
|
corenet_dontaudit_sendrecv_dns_client_packets(getty_t)
|
||||||
|
|
||||||
|
sysnet_dontaudit_read_config(getty_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
term_dontaudit_use_unallocated_ttys(getty_t)
|
term_dontaudit_use_unallocated_ttys(getty_t)
|
||||||
term_dontaudit_use_generic_ptys(getty_t)
|
term_dontaudit_use_generic_ptys(getty_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(init,1.3.23)
|
policy_module(init,1.3.24)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -411,6 +411,12 @@ ifdef(`distro_gentoo',`
|
|||||||
dev_create_generic_dirs(initrc_t)
|
dev_create_generic_dirs(initrc_t)
|
||||||
term_create_console_dev(initrc_t)
|
term_create_console_dev(initrc_t)
|
||||||
|
|
||||||
|
# unfortunately /sbin/rc does stupid tricks
|
||||||
|
# with /dev/.rcboot to decide if we are in
|
||||||
|
# early init
|
||||||
|
dev_create_generic_dirs(initrc_t)
|
||||||
|
dev_delete_generic_dirs(initrc_t)
|
||||||
|
|
||||||
# needed until baselayout is fixed to have the
|
# needed until baselayout is fixed to have the
|
||||||
# restorecon on /dev to again be immediately after
|
# restorecon on /dev to again be immediately after
|
||||||
# mounting tmpfs on /dev
|
# mounting tmpfs on /dev
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(modutils,1.1.5)
|
policy_module(modutils,1.1.6)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
bool secure_mode_insmod;
|
bool secure_mode_insmod;
|
||||||
@ -277,6 +277,7 @@ userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
|
|||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
files_search_pids(update_modules_t)
|
files_search_pids(update_modules_t)
|
||||||
|
files_getattr_usr_src_files(update_modules_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consoletype_exec(update_modules_t)
|
consoletype_exec(update_modules_t)
|
||||||
|
Loading…
Reference in New Issue
Block a user